summaryrefslogtreecommitdiff
path: root/usr/src
diff options
context:
space:
mode:
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/cmd/cmd-inet/usr.bin/netstat/netstat.c378
-rw-r--r--usr/src/cmd/cmd-inet/usr.lib/in.mpathd/mpd_main.c2
-rw-r--r--usr/src/cmd/cmd-inet/usr.lib/mdnsd/mDNSUNP.c9
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/ifconfig/ifconfig.c18
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/ping/ping.c51
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/route.c47
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/traceroute/traceroute.c20
-rw-r--r--usr/src/cmd/devfsadm/misc_link.c3
-rw-r--r--usr/src/cmd/mdb/common/modules/arp/arp.c665
-rw-r--r--usr/src/cmd/mdb/common/modules/genunix/genunix.c4
-rw-r--r--usr/src/cmd/mdb/common/modules/genunix/net.c195
-rw-r--r--usr/src/cmd/mdb/common/modules/genunix/net.h3
-rw-r--r--usr/src/cmd/mdb/common/modules/genunix/streams.c1
-rw-r--r--usr/src/cmd/mdb/common/modules/genunix/vfs.c44
-rw-r--r--usr/src/cmd/mdb/common/modules/ip/ip.c735
-rw-r--r--usr/src/cmd/mdb/common/modules/sctp/sctp.c212
-rw-r--r--usr/src/common/net/patricia/radix.c148
-rw-r--r--usr/src/lib/brand/native/zone/platform.xml2
-rw-r--r--usr/src/lib/brand/solaris10/zone/platform.xml2
-rw-r--r--usr/src/pkgdefs/SUNWckr/prototype_com1
-rw-r--r--usr/src/pkgdefs/SUNWckr/prototype_i3862
-rw-r--r--usr/src/pkgdefs/SUNWckr/prototype_sparc1
-rw-r--r--usr/src/pkgdefs/SUNWhea/prototype_com1
-rw-r--r--usr/src/pkgdefs/etc/exception_list_i3861
-rw-r--r--usr/src/pkgdefs/etc/exception_list_sparc1
-rw-r--r--usr/src/tools/scripts/bfu.sh6
-rw-r--r--usr/src/uts/common/Makefile.files14
-rw-r--r--usr/src/uts/common/fs/sockfs/sockcommon.h3
-rw-r--r--usr/src/uts/common/fs/sockfs/sockcommon_sops.c3
-rw-r--r--usr/src/uts/common/fs/sockfs/sockcommon_subr.c8
-rw-r--r--usr/src/uts/common/fs/sockfs/socktpi.c199
-rw-r--r--usr/src/uts/common/inet/Makefile4
-rw-r--r--usr/src/uts/common/inet/arp.h143
-rw-r--r--usr/src/uts/common/inet/arp/arp.c4883
-rw-r--r--usr/src/uts/common/inet/arp/arp_netinfo.c376
-rw-r--r--usr/src/uts/common/inet/arp/arpddi.c20
-rw-r--r--usr/src/uts/common/inet/arp_impl.h253
-rw-r--r--usr/src/uts/common/inet/ip.h2395
-rw-r--r--usr/src/uts/common/inet/ip/conn_opt.c2933
-rw-r--r--usr/src/uts/common/inet/ip/icmp.c6776
-rw-r--r--usr/src/uts/common/inet/ip/icmp_opt_data.c201
-rw-r--r--usr/src/uts/common/inet/ip/igmp.c763
-rw-r--r--usr/src/uts/common/inet/ip/ip.c24206
-rw-r--r--usr/src/uts/common/inet/ip/ip2mac.c254
-rw-r--r--usr/src/uts/common/inet/ip/ip6.c11729
-rw-r--r--usr/src/uts/common/inet/ip/ip6_asp.c16
-rw-r--r--usr/src/uts/common/inet/ip/ip6_if.c1782
-rw-r--r--usr/src/uts/common/inet/ip/ip6_input.c2749
-rw-r--r--usr/src/uts/common/inet/ip/ip6_ire.c3123
-rw-r--r--usr/src/uts/common/inet/ip/ip6_output.c1315
-rw-r--r--usr/src/uts/common/inet/ip/ip6_rts.c27
-rw-r--r--usr/src/uts/common/inet/ip/ip_arp.c2468
-rw-r--r--usr/src/uts/common/inet/ip/ip_attr.c1338
-rw-r--r--usr/src/uts/common/inet/ip/ip_dce.c873
-rw-r--r--usr/src/uts/common/inet/ip/ip_ftable.c2682
-rw-r--r--usr/src/uts/common/inet/ip/ip_helper_stream.c372
-rw-r--r--usr/src/uts/common/inet/ip/ip_if.c8230
-rw-r--r--usr/src/uts/common/inet/ip/ip_input.c3095
-rw-r--r--usr/src/uts/common/inet/ip/ip_ire.c6513
-rw-r--r--usr/src/uts/common/inet/ip/ip_mroute.c611
-rw-r--r--usr/src/uts/common/inet/ip/ip_multi.c3981
-rw-r--r--usr/src/uts/common/inet/ip/ip_ndp.c5399
-rw-r--r--usr/src/uts/common/inet/ip/ip_netinfo.c460
-rw-r--r--usr/src/uts/common/inet/ip/ip_opt_data.c301
-rw-r--r--usr/src/uts/common/inet/ip/ip_output.c2554
-rw-r--r--usr/src/uts/common/inet/ip/ip_rts.c923
-rw-r--r--usr/src/uts/common/inet/ip/ip_sadb.c189
-rw-r--r--usr/src/uts/common/inet/ip/ip_srcid.c8
-rw-r--r--usr/src/uts/common/inet/ip/ipclassifier.c1118
-rw-r--r--usr/src/uts/common/inet/ip/ipdrop.c114
-rw-r--r--usr/src/uts/common/inet/ip/ipmp.c462
-rw-r--r--usr/src/uts/common/inet/ip/ipsec_loader.c4
-rw-r--r--usr/src/uts/common/inet/ip/ipsecah.c1653
-rw-r--r--usr/src/uts/common/inet/ip/ipsecesp.c1604
-rw-r--r--usr/src/uts/common/inet/ip/keysock.c8
-rw-r--r--usr/src/uts/common/inet/ip/keysock_opt_data.c16
-rw-r--r--usr/src/uts/common/inet/ip/rts.c456
-rw-r--r--usr/src/uts/common/inet/ip/rts_opt_data.c30
-rw-r--r--usr/src/uts/common/inet/ip/sadb.c1065
-rw-r--r--usr/src/uts/common/inet/ip/spd.c2213
-rw-r--r--usr/src/uts/common/inet/ip/spdsock.c50
-rw-r--r--usr/src/uts/common/inet/ip/spdsock_opt_data.c9
-rw-r--r--usr/src/uts/common/inet/ip/tn_ipopt.c550
-rw-r--r--usr/src/uts/common/inet/ip/tnet.c311
-rw-r--r--usr/src/uts/common/inet/ip2mac_impl.h8
-rw-r--r--usr/src/uts/common/inet/ip6.h202
-rw-r--r--usr/src/uts/common/inet/ip_arp.h136
-rw-r--r--usr/src/uts/common/inet/ip_ftable.h22
-rw-r--r--usr/src/uts/common/inet/ip_if.h146
-rw-r--r--usr/src/uts/common/inet/ip_impl.h410
-rw-r--r--usr/src/uts/common/inet/ip_ire.h438
-rw-r--r--usr/src/uts/common/inet/ip_multi.h100
-rw-r--r--usr/src/uts/common/inet/ip_ndp.h390
-rw-r--r--usr/src/uts/common/inet/ip_netinfo.h5
-rw-r--r--usr/src/uts/common/inet/ip_rts.h11
-rw-r--r--usr/src/uts/common/inet/ip_stack.h156
-rw-r--r--usr/src/uts/common/inet/ipclassifier.h511
-rw-r--r--usr/src/uts/common/inet/ipdrop.h4
-rw-r--r--usr/src/uts/common/inet/ipp_common.h16
-rw-r--r--usr/src/uts/common/inet/ipsec_impl.h114
-rw-r--r--usr/src/uts/common/inet/ipsec_info.h257
-rw-r--r--usr/src/uts/common/inet/ipsecah.h9
-rw-r--r--usr/src/uts/common/inet/ipsecesp.h7
-rw-r--r--usr/src/uts/common/inet/iptun/iptun.c1180
-rw-r--r--usr/src/uts/common/inet/iptun/iptun_dev.c4
-rw-r--r--usr/src/uts/common/inet/iptun/iptun_impl.h39
-rw-r--r--usr/src/uts/common/inet/keysock.h6
-rw-r--r--usr/src/uts/common/inet/kssl/ksslrec.c2
-rw-r--r--usr/src/uts/common/inet/mi.c4
-rw-r--r--usr/src/uts/common/inet/mib2.h39
-rw-r--r--usr/src/uts/common/inet/optcom.c463
-rw-r--r--usr/src/uts/common/inet/optcom.h43
-rw-r--r--usr/src/uts/common/inet/proto_set.c31
-rw-r--r--usr/src/uts/common/inet/proto_set.h4
-rw-r--r--usr/src/uts/common/inet/rawip_impl.h76
-rw-r--r--usr/src/uts/common/inet/rts_impl.h28
-rw-r--r--usr/src/uts/common/inet/sadb.h123
-rw-r--r--usr/src/uts/common/inet/sctp/sctp.c988
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_addr.c71
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_addr.h5
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_asconf.c33
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_asconf.h6
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_bind.c95
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_common.c717
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_conn.c275
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_cookie.c234
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_error.c284
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_hash.c389
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_heartbeat.c35
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_impl.h186
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_init.c55
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_input.c683
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_ioc.c91
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_notify.c7
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_opt_data.c1203
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_output.c77
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_param.c11
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_shutdown.c151
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_snmp.c13
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_stack.h15
-rw-r--r--usr/src/uts/common/inet/sctp/sctp_timer.c22
-rw-r--r--usr/src/uts/common/inet/sctp_ip.h40
-rw-r--r--usr/src/uts/common/inet/sctp_itf.h4
-rw-r--r--usr/src/uts/common/inet/sockmods/socksctp.c14
-rw-r--r--usr/src/uts/common/inet/sockmods/socksctp.h2
-rw-r--r--usr/src/uts/common/inet/sockmods/socksctpsubr.c6
-rw-r--r--usr/src/uts/common/inet/spdsock.h4
-rw-r--r--usr/src/uts/common/inet/squeue.c112
-rw-r--r--usr/src/uts/common/inet/tcp.h271
-rw-r--r--usr/src/uts/common/inet/tcp/tcp.c12129
-rw-r--r--usr/src/uts/common/inet/tcp/tcp_fusion.c440
-rw-r--r--usr/src/uts/common/inet/tcp/tcp_kssl.c57
-rw-r--r--usr/src/uts/common/inet/tcp/tcp_opt_data.c144
-rw-r--r--usr/src/uts/common/inet/tcp_impl.h45
-rw-r--r--usr/src/uts/common/inet/tcp_stack.h43
-rw-r--r--usr/src/uts/common/inet/udp/udp.c7703
-rw-r--r--usr/src/uts/common/inet/udp/udp_opt_data.c185
-rw-r--r--usr/src/uts/common/inet/udp_impl.h187
-rw-r--r--usr/src/uts/common/io/dld/dld_proto.c2
-rw-r--r--usr/src/uts/common/io/ib/clients/rds/rds_opt.c11
-rw-r--r--usr/src/uts/common/io/ib/clients/rds/rdsddi.c6
-rw-r--r--usr/src/uts/common/io/ib/clients/rds/rdssubr.c21
-rw-r--r--usr/src/uts/common/io/ib/mgt/ibcm/ibcm_arp.c316
-rw-r--r--usr/src/uts/common/io/ib/mgt/ibcm/ibcm_arp_link.c731
-rw-r--r--usr/src/uts/common/io/mac/mac_util.c2
-rw-r--r--usr/src/uts/common/io/softmac/softmac_dev.c6
-rw-r--r--usr/src/uts/common/io/softmac/softmac_fp.c25
-rw-r--r--usr/src/uts/common/io/stream.c4
-rw-r--r--usr/src/uts/common/io/strplumb.c155
-rw-r--r--usr/src/uts/common/io/tl.c16
-rw-r--r--usr/src/uts/common/io/warlock/ibcm.wlcmd4
-rw-r--r--usr/src/uts/common/ipp/dlcosmk/dlcosmk.c8
-rw-r--r--usr/src/uts/common/ipp/ipgpc/classifierddi.c7
-rw-r--r--usr/src/uts/common/ktli/t_kutil.c6
-rw-r--r--usr/src/uts/common/net/route.h3
-rw-r--r--usr/src/uts/common/netinet/in.h1
-rw-r--r--usr/src/uts/common/netinet/ip_mroute.h13
-rw-r--r--usr/src/uts/common/os/ip_cksum.c8
-rw-r--r--usr/src/uts/common/os/strsubr.c4
-rw-r--r--usr/src/uts/common/sys/dld.h3
-rw-r--r--usr/src/uts/common/sys/dlpi.h43
-rw-r--r--usr/src/uts/common/sys/ib/mgt/ibcm/ibcm_arp.h21
-rw-r--r--usr/src/uts/common/sys/iphada.h144
-rw-r--r--usr/src/uts/common/sys/pattr.h7
-rw-r--r--usr/src/uts/common/sys/softmac_impl.h4
-rw-r--r--usr/src/uts/common/sys/squeue.h13
-rw-r--r--usr/src/uts/common/sys/squeue_impl.h6
-rw-r--r--usr/src/uts/common/sys/stream.h6
-rw-r--r--usr/src/uts/common/sys/tsol/tnet.h39
-rw-r--r--usr/src/uts/intel/Makefile.intel.shared1
-rw-r--r--usr/src/uts/intel/arp/Makefile6
-rw-r--r--usr/src/uts/intel/arp/arp.global-objs.debug649
-rw-r--r--usr/src/uts/intel/ia32/ml/modstubs.s3
-rw-r--r--usr/src/uts/intel/ip/ip.global-objs.debug6485
-rw-r--r--usr/src/uts/intel/ip/ip.global-objs.obj6480
-rw-r--r--usr/src/uts/sparc/Makefile.sparc.shared2
-rw-r--r--usr/src/uts/sparc/arp/Makefile6
-rw-r--r--usr/src/uts/sparc/arp/arp.global-objs.debug649
-rw-r--r--usr/src/uts/sparc/ip/ip.global-objs.debug6481
-rw-r--r--usr/src/uts/sparc/ip/ip.global-objs.obj6476
-rw-r--r--usr/src/uts/sparc/ml/modstubs.s3
201 files changed, 58700 insertions, 91699 deletions
diff --git a/usr/src/cmd/cmd-inet/usr.bin/netstat/netstat.c b/usr/src/cmd/cmd-inet/usr.bin/netstat/netstat.c
index 96bcec530c..1919d21356 100644
--- a/usr/src/cmd/cmd-inet/usr.bin/netstat/netstat.c
+++ b/usr/src/cmd/cmd-inet/usr.bin/netstat/netstat.c
@@ -196,6 +196,7 @@ static void ire_report(const mib_item_t *item);
static void tcp_report(const mib_item_t *item);
static void udp_report(const mib_item_t *item);
static void group_report(mib_item_t *item);
+static void dce_report(mib_item_t *item);
static void print_ip_stats(mib2_ip_t *ip);
static void print_icmp_stats(mib2_icmp_t *icmp);
static void print_ip6_stats(mib2_ipv6IfStatsEntry_t *ip6);
@@ -236,7 +237,7 @@ static void fatal(int errcode, char *str1, ...);
static boolean_t Aflag = B_FALSE; /* All sockets/ifs/rtng-tbls */
-static boolean_t Dflag = B_FALSE; /* Debug Info */
+static boolean_t Dflag = B_FALSE; /* DCE info */
static boolean_t Iflag = B_FALSE; /* IP Traffic Interfaces */
static boolean_t Mflag = B_FALSE; /* STREAMS Memory Statistics */
static boolean_t Nflag = B_FALSE; /* Numeric Network Addresses */
@@ -248,6 +249,7 @@ static boolean_t Pflag = B_FALSE; /* Net to Media Tables */
static boolean_t Gflag = B_FALSE; /* Multicast group membership */
static boolean_t MMflag = B_FALSE; /* Multicast routing table */
static boolean_t DHCPflag = B_FALSE; /* DHCP statistics */
+static boolean_t Xflag = B_FALSE; /* Debug Info */
static int v4compat = 0; /* Compatible printing format for status */
@@ -276,6 +278,8 @@ static int ipv6NetToMediaEntrySize;
static int ipv6MemberEntrySize;
static int ipv6GroupSourceEntrySize;
+static int ipDestEntrySize;
+
static int transportMLPSize;
static int tcpConnEntrySize;
static int tcp6ConnEntrySize;
@@ -298,7 +302,7 @@ static m_label_t *zone_security_label = NULL;
/* Flags on routes */
#define FLF_A 0x00000001
-#define FLF_B 0x00000002
+#define FLF_b 0x00000002
#define FLF_D 0x00000004
#define FLF_G 0x00000008
#define FLF_H 0x00000010
@@ -306,7 +310,12 @@ static m_label_t *zone_security_label = NULL;
#define FLF_U 0x00000040
#define FLF_M 0x00000080
#define FLF_S 0x00000100
-static const char flag_list[] = "ABDGHLUMS";
+#define FLF_C 0x00000200 /* IRE_IF_CLONE */
+#define FLF_I 0x00000400 /* RTF_INDIRECT */
+#define FLF_R 0x00000800 /* RTF_REJECT */
+#define FLF_B 0x00001000 /* RTF_BLACKHOLE */
+
+static const char flag_list[] = "AbDGHLUMSCIRB";
typedef struct filter_rule filter_t;
@@ -379,14 +388,15 @@ main(int argc, char **argv)
(void) setlocale(LC_ALL, "");
(void) textdomain(TEXT_DOMAIN);
- while ((c = getopt(argc, argv, "adimnrspMgvf:P:I:DRT:")) != -1) {
+ while ((c = getopt(argc, argv, "adimnrspMgvxf:P:I:DRT:")) != -1) {
switch ((char)c) {
case 'a': /* all connections */
Aflag = B_TRUE;
break;
- case 'd': /* turn on debugging */
+ case 'd': /* DCE info */
Dflag = B_TRUE;
+ IFLAGMOD(Iflag_only, 1, 0); /* see macro def'n */
break;
case 'i': /* interface (ill/ipif report) */
@@ -438,6 +448,10 @@ main(int argc, char **argv)
IFLAGMOD(Iflag_only, 1, 0); /* see macro def'n */
break;
+ case 'x': /* turn on debugging */
+ Xflag = B_TRUE;
+ break;
+
case 'f':
process_filter(optarg);
break;
@@ -603,7 +617,7 @@ main(int argc, char **argv)
mib_item_destroy(&previtem);
}
- if (!(Iflag || Rflag || Sflag || Mflag ||
+ if (!(Dflag || Iflag || Rflag || Sflag || Mflag ||
MMflag || Pflag || Gflag || DHCPflag)) {
if (protocol_selected(IPPROTO_UDP))
udp_report(item);
@@ -634,12 +648,14 @@ main(int argc, char **argv)
if (family_selected(AF_INET6))
ndp_report(item);
}
+ if (Dflag)
+ dce_report(item);
mib_item_destroy(&curritem);
}
/* netstat: AF_UNIX behaviour */
if (family_selected(AF_UNIX) &&
- (!(Iflag || Rflag || Sflag || Mflag ||
+ (!(Dflag || Iflag || Rflag || Sflag || Mflag ||
MMflag || Pflag || Gflag)))
unixpr(kc);
(void) kstat_close(kc);
@@ -729,7 +745,7 @@ mibget(int sd)
* us information concerning IRE_MARK_TESTHIDDEN routes.
*/
req = (struct opthdr *)&tor[1];
- req->level = EXPER_IP_AND_TESTHIDDEN;
+ req->level = EXPER_IP_AND_ALL_IRES;
req->name = 0;
req->len = 0;
@@ -755,7 +771,7 @@ mibget(int sd)
getcode = getmsg(sd, &ctlbuf, (struct strbuf *)0, &flags);
if (getcode == -1) {
perror("mibget getmsg(ctl) failed");
- if (Dflag) {
+ if (Xflag) {
(void) fputs("# level name len\n",
stderr);
i = 0;
@@ -774,7 +790,7 @@ mibget(int sd)
toa->PRIM_type == T_OPTMGMT_ACK &&
toa->MGMT_flags == T_SUCCESS &&
req->len == 0) {
- if (Dflag)
+ if (Xflag)
(void) printf("mibget getmsg() %d returned "
"EOD (level %ld, name %ld)\n",
j, req->level, req->name);
@@ -826,7 +842,7 @@ mibget(int sd)
last_item->valp = malloc((int)req->len);
if (last_item->valp == NULL)
goto error_exit;
- if (Dflag)
+ if (Xflag)
(void) printf("msg %d: group = %4d mib_id = %5d"
"length = %d\n",
j, last_item->group, last_item->mib_id,
@@ -1754,6 +1770,7 @@ mib_get_constants(mib_item_t *item)
ipGroupSourceEntrySize = ip->ipGroupSourceEntrySize;
ipRouteAttributeSize = ip->ipRouteAttributeSize;
transportMLPSize = ip->transportMLPSize;
+ ipDestEntrySize = ip->ipDestEntrySize;
assert(IS_P2ALIGNED(ipAddrEntrySize,
sizeof (mib2_ipAddrEntry_t *)));
assert(IS_P2ALIGNED(ipRouteEntrySize,
@@ -1850,7 +1867,7 @@ mib_get_constants(mib_item_t *item)
}
} /* 'for' loop 1 ends */
- if (Dflag) {
+ if (Xflag) {
(void) puts("mib_get_constants:");
(void) printf("\tipv6IfStatsEntrySize %d\n",
ipv6IfStatsEntrySize);
@@ -1872,6 +1889,7 @@ mib_get_constants(mib_item_t *item)
ipv6MemberEntrySize);
(void) printf("\tipv6IfIcmpEntrySize %d\n",
ipv6IfIcmpEntrySize);
+ (void) printf("\tipDestEntrySize %d\n", ipDestEntrySize);
(void) printf("\ttransportMLPSize %d\n", transportMLPSize);
(void) printf("\ttcpConnEntrySize %d\n", tcpConnEntrySize);
(void) printf("\ttcp6ConnEntrySize %d\n", tcp6ConnEntrySize);
@@ -1895,7 +1913,7 @@ stat_report(mib_item_t *item)
/* 'for' loop 1: */
for (; item; item = item->next_item) {
- if (Dflag) {
+ if (Xflag) {
(void) printf("\n--- Entry %d ---\n", ++jtemp);
(void) printf("Group = %d, mib_id = %d, "
"length = %d, valp = 0x%p\n",
@@ -2542,7 +2560,7 @@ mrt_stat_report(mib_item_t *curritem)
for (tempitem = curritem;
tempitem;
tempitem = tempitem->next_item) {
- if (Dflag) {
+ if (Xflag) {
(void) printf("\n--- Entry %d ---\n", ++jtemp);
(void) printf("Group = %d, mib_id = %d, "
"length = %d, valp = 0x%p\n",
@@ -2603,7 +2621,7 @@ if_report(mib_item_t *item, char *matchname,
/* 'for' loop 1: */
for (; item; item = item->next_item) {
- if (Dflag) {
+ if (Xflag) {
(void) printf("\n--- Entry %d ---\n", ++jtemp);
(void) printf("Group = %d, mib_id = %d, "
"length = %d, valp = 0x%p\n",
@@ -2632,7 +2650,7 @@ if_report(mib_item_t *item, char *matchname,
boolean_t first = B_TRUE;
uint32_t new_ifindex;
- if (Dflag)
+ if (Xflag)
(void) printf("if_report: %d items\n",
(item->length)
/ sizeof (mib2_ipAddrEntry_t));
@@ -2944,7 +2962,7 @@ if_report(mib_item_t *item, char *matchname,
boolean_t first = B_TRUE;
uint32_t new_ifindex;
- if (Dflag)
+ if (Xflag)
(void) printf("if_report: %d items\n",
(item->length)
/ sizeof (mib2_ipv6AddrEntry_t));
@@ -3287,10 +3305,10 @@ if_report_ip4(mib2_ipAddrEntry_t *ap,
(void) pr_netaddr(ap->ipAdEntAddr, ap->ipAdEntNetMask,
abuf, sizeof (abuf));
- (void) printf("%-13s %-14s %-6llu %-5s %-6llu "
+ (void) printf("%-13s %-14s %-6llu %-5s %-6s "
"%-5s %-6s %-6llu\n", abuf,
pr_addr(ap->ipAdEntAddr, dstbuf, sizeof (dstbuf)),
- statptr->ipackets, "N/A", statptr->opackets, "N/A", "N/A",
+ statptr->ipackets, "N/A", "N/A", "N/A", "N/A",
0LL);
}
}
@@ -3337,11 +3355,10 @@ if_report_ip6(mib2_ipv6AddrEntry_t *ap6,
else
(void) pr_prefix6(&ap6->ipv6AddrAddress,
ap6->ipv6AddrPfxLength, abuf, sizeof (abuf));
- (void) printf("%-27s %-27s %-6llu %-5s %-6llu %-5s %-6s\n",
+ (void) printf("%-27s %-27s %-6llu %-5s %-6s %-5s %-6s\n",
abuf, pr_addr6(&ap6->ipv6AddrAddress, dstbuf,
sizeof (dstbuf)),
- statptr->ipackets, "N/A",
- statptr->opackets, "N/A", "N/A");
+ statptr->ipackets, "N/A", "N/A", "N/A", "N/A");
}
}
@@ -3490,7 +3507,7 @@ group_report(mib_item_t *item)
/* 'for' loop 1: */
for (; item; item = item->next_item) {
- if (Dflag) {
+ if (Xflag) {
(void) printf("\n--- Entry %d ---\n", ++jtemp);
(void) printf("Group = %d, mib_id = %d, "
"length = %d, valp = 0x%p\n",
@@ -3501,12 +3518,12 @@ group_report(mib_item_t *item)
switch (item->mib_id) {
case EXPER_IP_GROUP_MEMBERSHIP:
v4grp = item;
- if (Dflag)
+ if (Xflag)
(void) printf("item is v4grp info\n");
break;
case EXPER_IP_GROUP_SOURCES:
v4src = item;
- if (Dflag)
+ if (Xflag)
(void) printf("item is v4src info\n");
break;
default:
@@ -3518,12 +3535,12 @@ group_report(mib_item_t *item)
switch (item->mib_id) {
case EXPER_IP6_GROUP_MEMBERSHIP:
v6grp = item;
- if (Dflag)
+ if (Xflag)
(void) printf("item is v6grp info\n");
break;
case EXPER_IP6_GROUP_SOURCES:
v6src = item;
- if (Dflag)
+ if (Xflag)
(void) printf("item is v6src info\n");
break;
default:
@@ -3533,7 +3550,7 @@ group_report(mib_item_t *item)
}
if (family_selected(AF_INET) && v4grp != NULL) {
- if (Dflag)
+ if (Xflag)
(void) printf("%u records for ipGroupMember:\n",
v4grp->length / sizeof (ip_member_t));
@@ -3564,7 +3581,7 @@ group_report(mib_item_t *item)
if (!Vflag || v4src == NULL)
continue;
- if (Dflag)
+ if (Xflag)
(void) printf("scanning %u ipGroupSource "
"records...\n",
v4src->length/sizeof (ip_grpsrc_t));
@@ -3609,7 +3626,7 @@ group_report(mib_item_t *item)
}
if (family_selected(AF_INET6) && v6grp != NULL) {
- if (Dflag)
+ if (Xflag)
(void) printf("%u records for ipv6GroupMember:\n",
v6grp->length / sizeof (ipv6_member_t));
@@ -3638,7 +3655,7 @@ group_report(mib_item_t *item)
if (!Vflag || v6src == NULL)
continue;
- if (Dflag)
+ if (Xflag)
(void) printf("scanning %u ipv6GroupSource "
"records...\n",
v6src->length/sizeof (ipv6_grpsrc_t));
@@ -3683,6 +3700,126 @@ group_report(mib_item_t *item)
(void) fflush(stdout);
}
+/* --------------------- DCE_REPORT (netstat -d) ------------------------- */
+
+#define FLBUFSIZE 8
+
+/* Assumes flbuf is at least 5 characters; callers use FLBUFSIZE */
+static char *
+dceflags2str(uint32_t flags, char *flbuf)
+{
+ char *str = flbuf;
+
+ if (flags & DCEF_DEFAULT)
+ *str++ = 'D';
+ if (flags & DCEF_PMTU)
+ *str++ = 'P';
+ if (flags & DCEF_UINFO)
+ *str++ = 'U';
+ if (flags & DCEF_TOO_SMALL_PMTU)
+ *str++ = 'S';
+ *str++ = '\0';
+ return (flbuf);
+}
+
+static void
+dce_report(mib_item_t *item)
+{
+ mib_item_t *v4dce = NULL;
+ mib_item_t *v6dce = NULL;
+ int jtemp = 0;
+ char ifname[LIFNAMSIZ + 1];
+ char abuf[MAXHOSTNAMELEN + 1];
+ char flbuf[FLBUFSIZE];
+ boolean_t first;
+ dest_cache_entry_t *dce;
+
+ /* 'for' loop 1: */
+ for (; item; item = item->next_item) {
+ if (Xflag) {
+ (void) printf("\n--- Entry %d ---\n", ++jtemp);
+ (void) printf("Group = %d, mib_id = %d, "
+ "length = %d, valp = 0x%p\n",
+ item->group, item->mib_id, item->length,
+ item->valp);
+ }
+ if (item->group == MIB2_IP && family_selected(AF_INET) &&
+ item->mib_id == EXPER_IP_DCE) {
+ v4dce = item;
+ if (Xflag)
+ (void) printf("item is v4dce info\n");
+ }
+ if (item->group == MIB2_IP6 && family_selected(AF_INET6) &&
+ item->mib_id == EXPER_IP_DCE) {
+ v6dce = item;
+ if (Xflag)
+ (void) printf("item is v6dce info\n");
+ }
+ }
+
+ if (family_selected(AF_INET) && v4dce != NULL) {
+ if (Xflag)
+ (void) printf("%u records for DestCacheEntry:\n",
+ v4dce->length / ipDestEntrySize);
+
+ first = B_TRUE;
+ for (dce = (dest_cache_entry_t *)v4dce->valp;
+ (char *)dce < (char *)v4dce->valp + v4dce->length;
+ /* LINTED: (note 1) */
+ dce = (dest_cache_entry_t *)((char *)dce +
+ ipDestEntrySize)) {
+ if (first) {
+ (void) putchar('\n');
+ (void) puts("Destination Cache Entries: IPv4");
+ (void) puts(
+ "Address PMTU Age Flags");
+ (void) puts(
+ "-------------------- ------ ----- -----");
+ first = B_FALSE;
+ }
+
+ (void) printf("%-20s %6u %5u %-5s\n",
+ pr_addr(dce->DestIpv4Address, abuf, sizeof (abuf)),
+ dce->DestPmtu, dce->DestAge,
+ dceflags2str(dce->DestFlags, flbuf));
+ }
+ }
+
+ if (family_selected(AF_INET6) && v6dce != NULL) {
+ if (Xflag)
+ (void) printf("%u records for DestCacheEntry:\n",
+ v6dce->length / ipDestEntrySize);
+
+ first = B_TRUE;
+ for (dce = (dest_cache_entry_t *)v6dce->valp;
+ (char *)dce < (char *)v6dce->valp + v6dce->length;
+ /* LINTED: (note 1) */
+ dce = (dest_cache_entry_t *)((char *)dce +
+ ipDestEntrySize)) {
+ if (first) {
+ (void) putchar('\n');
+ (void) puts("Destination Cache Entries: IPv6");
+ (void) puts(
+ "Address PMTU "
+ " Age Flags If ");
+ (void) puts(
+ "--------------------------- ------ "
+ "----- ----- ---");
+ first = B_FALSE;
+ }
+
+ (void) printf("%-27s %6u %5u %-5s %s\n",
+ pr_addr6(&dce->DestIpv6Address, abuf,
+ sizeof (abuf)),
+ dce->DestPmtu, dce->DestAge,
+ dceflags2str(dce->DestFlags, flbuf),
+ dce->DestIfindex == 0 ? "" :
+ ifindex2str(dce->DestIfindex, ifname));
+ }
+ }
+ (void) fflush(stdout);
+}
+
/* --------------------- ARP_REPORT (netstat -p) -------------------------- */
static void
@@ -3703,7 +3840,7 @@ arp_report(mib_item_t *item)
/* 'for' loop 1: */
for (; item; item = item->next_item) {
- if (Dflag) {
+ if (Xflag) {
(void) printf("\n--- Entry %d ---\n", ++jtemp);
(void) printf("Group = %d, mib_id = %d, "
"length = %d, valp = 0x%p\n",
@@ -3713,7 +3850,7 @@ arp_report(mib_item_t *item)
if (!(item->group == MIB2_IP && item->mib_id == MIB2_IP_MEDIA))
continue; /* 'for' loop 1 */
- if (Dflag)
+ if (Xflag)
(void) printf("%u records for "
"ipNetToMediaEntryTable:\n",
item->length/sizeof (mib2_ipNetToMediaEntry_t));
@@ -3798,7 +3935,7 @@ ndp_report(mib_item_t *item)
/* 'for' loop 1: */
for (; item; item = item->next_item) {
- if (Dflag) {
+ if (Xflag) {
(void) printf("\n--- Entry %d ---\n", ++jtemp);
(void) printf("Group = %d, mib_id = %d, "
"length = %d, valp = 0x%p\n",
@@ -3973,7 +4110,7 @@ ire_report(const mib_item_t *item)
v4a = v4_attrs;
v6a = v6_attrs;
for (; item != NULL; item = item->next_item) {
- if (Dflag) {
+ if (Xflag) {
(void) printf("\n--- Entry %d ---\n", ++jtemp);
(void) printf("Group = %d, mib_id = %d, "
"length = %d, valp = 0x%p\n",
@@ -3991,7 +4128,7 @@ ire_report(const mib_item_t *item)
else if (item->group == MIB2_IP6 && !family_selected(AF_INET6))
continue; /* 'for' loop 1 */
- if (Dflag) {
+ if (Xflag) {
if (item->group == MIB2_IP) {
(void) printf("%u records for "
"ipRouteEntryTable:\n",
@@ -4161,29 +4298,29 @@ form_v4_route_flags(const mib2_ipRouteEntry_t *rp, char *flags)
flag_b = FLF_U;
(void) strcpy(flags, "U");
- if (rp->ipRouteInfo.re_ire_type == IRE_DEFAULT ||
- rp->ipRouteInfo.re_ire_type == IRE_PREFIX ||
- rp->ipRouteInfo.re_ire_type == IRE_HOST ||
- rp->ipRouteInfo.re_ire_type == IRE_HOST_REDIRECT) {
+ /* RTF_INDIRECT wins over RTF_GATEWAY - don't display both */
+ if (rp->ipRouteInfo.re_flags & RTF_INDIRECT) {
+ (void) strcat(flags, "I");
+ flag_b |= FLF_I;
+ } else if (rp->ipRouteInfo.re_ire_type & IRE_OFFLINK) {
(void) strcat(flags, "G");
flag_b |= FLF_G;
}
- if (rp->ipRouteMask == IP_HOST_MASK) {
+ /* IRE_IF_CLONE wins over RTF_HOST - don't display both */
+ if (rp->ipRouteInfo.re_ire_type & IRE_IF_CLONE) {
+ (void) strcat(flags, "C");
+ flag_b |= FLF_C;
+ } else if (rp->ipRouteMask == IP_HOST_MASK) {
(void) strcat(flags, "H");
flag_b |= FLF_H;
}
- if (rp->ipRouteInfo.re_ire_type == IRE_HOST_REDIRECT) {
+ if (rp->ipRouteInfo.re_flags & RTF_DYNAMIC) {
(void) strcat(flags, "D");
flag_b |= FLF_D;
}
- if (rp->ipRouteInfo.re_ire_type == IRE_CACHE) {
- /* Address resolution */
- (void) strcat(flags, "A");
- flag_b |= FLF_A;
- }
if (rp->ipRouteInfo.re_ire_type == IRE_BROADCAST) { /* Broadcast */
- (void) strcat(flags, "B");
- flag_b |= FLF_B;
+ (void) strcat(flags, "b");
+ flag_b |= FLF_b;
}
if (rp->ipRouteInfo.re_ire_type == IRE_LOCAL) { /* Local */
(void) strcat(flags, "L");
@@ -4197,6 +4334,14 @@ form_v4_route_flags(const mib2_ipRouteEntry_t *rp, char *flags)
(void) strcat(flags, "S"); /* Setsrc */
flag_b |= FLF_S;
}
+ if (rp->ipRouteInfo.re_flags & RTF_REJECT) {
+ (void) strcat(flags, "R");
+ flag_b |= FLF_R;
+ }
+ if (rp->ipRouteInfo.re_flags & RTF_BLACKHOLE) {
+ (void) strcat(flags, "B");
+ flag_b |= FLF_B;
+ }
return (flag_b);
}
@@ -4205,9 +4350,9 @@ static const char ire_hdr_v4[] =
static const char ire_hdr_v4_compat[] =
"\n%s Table:\n";
static const char ire_hdr_v4_verbose[] =
-" Destination Mask Gateway Device Mxfrg "
-"Rtt Ref Flg Out In/Fwd %s\n"
-"-------------------- --------------- -------------------- ------ ----- "
+" Destination Mask Gateway Device "
+" MTU Ref Flg Out In/Fwd %s\n"
+"-------------------- --------------- -------------------- ------ "
"----- --- --- ----- ------ %s\n";
static const char ire_hdr_v4_normal[] =
@@ -4226,8 +4371,10 @@ ire_report_item_v4(const mib2_ipRouteEntry_t *rp, boolean_t first,
char flags[10]; /* RTF_ flags */
uint_t flag_b;
- if (!(Aflag || (rp->ipRouteInfo.re_ire_type != IRE_CACHE &&
+ if (!(Aflag || (rp->ipRouteInfo.re_ire_type != IRE_IF_CLONE &&
rp->ipRouteInfo.re_ire_type != IRE_BROADCAST &&
+ rp->ipRouteInfo.re_ire_type != IRE_MULTICAST &&
+ rp->ipRouteInfo.re_ire_type != IRE_NOROUTE &&
rp->ipRouteInfo.re_ire_type != IRE_LOCAL))) {
return (first);
}
@@ -4253,15 +4400,13 @@ ire_report_item_v4(const mib2_ipRouteEntry_t *rp, boolean_t first,
dstbuf, sizeof (dstbuf));
}
if (Vflag) {
- (void) printf("%-20s %-15s %-20s %-6s %5u%c %4u %3u "
+ (void) printf("%-20s %-15s %-20s %-6s %5u %3u "
"%-4s%6u %6u %s\n",
dstbuf,
pr_mask(rp->ipRouteMask, maskbuf, sizeof (maskbuf)),
pr_addrnz(rp->ipRouteNextHop, gwbuf, sizeof (gwbuf)),
octetstr(&rp->ipRouteIfIndex, 'a', ifname, sizeof (ifname)),
rp->ipRouteInfo.re_max_frag,
- rp->ipRouteInfo.re_frag_flag ? '*' : ' ',
- rp->ipRouteInfo.re_rtt,
rp->ipRouteInfo.re_ref,
flags,
rp->ipRouteInfo.re_obpkt,
@@ -4391,58 +4536,39 @@ ire_filter_match_v6(const mib2_ipv6RouteEntry_t *rp6, uint_t flag_b)
return (B_TRUE);
}
-static const char ire_hdr_v6[] =
-"\n%s Table: IPv6\n";
-static const char ire_hdr_v6_verbose[] =
-" Destination/Mask Gateway If PMTU Rtt "
-"Ref Flags Out In/Fwd %s\n"
-"--------------------------- --------------------------- ----- ------ ----- "
-"--- ----- ------ ------ %s\n";
-static const char ire_hdr_v6_normal[] =
-" Destination/Mask Gateway Flags Ref Use "
-" If %s\n"
-"--------------------------- --------------------------- ----- --- ------- "
-"----- %s\n";
-
-static boolean_t
-ire_report_item_v6(const mib2_ipv6RouteEntry_t *rp6, boolean_t first,
- const sec_attr_list_t *attrs)
+/*
+ * Given an IPv6 MIB2 route entry, form the list of flags for the
+ * route.
+ */
+static uint_t
+form_v6_route_flags(const mib2_ipv6RouteEntry_t *rp6, char *flags)
{
- char dstbuf[MAXHOSTNAMELEN + 1];
- char gwbuf[MAXHOSTNAMELEN + 1];
- char ifname[LIFNAMSIZ + 1];
- char flags[10]; /* RTF_ flags */
- uint_t flag_b;
-
- if (!(Aflag || (rp6->ipv6RouteInfo.re_ire_type != IRE_CACHE &&
- rp6->ipv6RouteInfo.re_ire_type != IRE_LOCAL))) {
- return (first);
- }
+ uint_t flag_b;
flag_b = FLF_U;
(void) strcpy(flags, "U");
- if (rp6->ipv6RouteInfo.re_ire_type == IRE_DEFAULT ||
- rp6->ipv6RouteInfo.re_ire_type == IRE_PREFIX ||
- rp6->ipv6RouteInfo.re_ire_type == IRE_HOST ||
- rp6->ipv6RouteInfo.re_ire_type == IRE_HOST_REDIRECT) {
+ /* RTF_INDIRECT wins over RTF_GATEWAY - don't display both */
+ if (rp6->ipv6RouteInfo.re_flags & RTF_INDIRECT) {
+ (void) strcat(flags, "I");
+ flag_b |= FLF_I;
+ } else if (rp6->ipv6RouteInfo.re_ire_type & IRE_OFFLINK) {
(void) strcat(flags, "G");
flag_b |= FLF_G;
}
- if (rp6->ipv6RoutePfxLength == IPV6_ABITS) {
+ /* IRE_IF_CLONE wins over RTF_HOST - don't display both */
+ if (rp6->ipv6RouteInfo.re_ire_type & IRE_IF_CLONE) {
+ (void) strcat(flags, "C");
+ flag_b |= FLF_C;
+ } else if (rp6->ipv6RoutePfxLength == IPV6_ABITS) {
(void) strcat(flags, "H");
flag_b |= FLF_H;
}
- if (rp6->ipv6RouteInfo.re_ire_type == IRE_HOST_REDIRECT) {
+ if (rp6->ipv6RouteInfo.re_flags & RTF_DYNAMIC) {
(void) strcat(flags, "D");
flag_b |= FLF_D;
}
- if (rp6->ipv6RouteInfo.re_ire_type == IRE_CACHE) {
- /* Address resolution */
- (void) strcat(flags, "A");
- flag_b |= FLF_A;
- }
if (rp6->ipv6RouteInfo.re_ire_type == IRE_LOCAL) { /* Local */
(void) strcat(flags, "L");
flag_b |= FLF_L;
@@ -4455,6 +4581,48 @@ ire_report_item_v6(const mib2_ipv6RouteEntry_t *rp6, boolean_t first,
(void) strcat(flags, "S"); /* Setsrc */
flag_b |= FLF_S;
}
+ if (rp6->ipv6RouteInfo.re_flags & RTF_REJECT) {
+ (void) strcat(flags, "R");
+ flag_b |= FLF_R;
+ }
+ if (rp6->ipv6RouteInfo.re_flags & RTF_BLACKHOLE) {
+ (void) strcat(flags, "B");
+ flag_b |= FLF_B;
+ }
+ return (flag_b);
+}
+
+static const char ire_hdr_v6[] =
+"\n%s Table: IPv6\n";
+static const char ire_hdr_v6_verbose[] =
+" Destination/Mask Gateway If MTU "
+"Ref Flags Out In/Fwd %s\n"
+"--------------------------- --------------------------- ----- ----- "
+"--- ----- ------ ------ %s\n";
+static const char ire_hdr_v6_normal[] =
+" Destination/Mask Gateway Flags Ref Use "
+" If %s\n"
+"--------------------------- --------------------------- ----- --- ------- "
+"----- %s\n";
+
+static boolean_t
+ire_report_item_v6(const mib2_ipv6RouteEntry_t *rp6, boolean_t first,
+ const sec_attr_list_t *attrs)
+{
+ char dstbuf[MAXHOSTNAMELEN + 1];
+ char gwbuf[MAXHOSTNAMELEN + 1];
+ char ifname[LIFNAMSIZ + 1];
+ char flags[10]; /* RTF_ flags */
+ uint_t flag_b;
+
+ if (!(Aflag || (rp6->ipv6RouteInfo.re_ire_type != IRE_IF_CLONE &&
+ rp6->ipv6RouteInfo.re_ire_type != IRE_MULTICAST &&
+ rp6->ipv6RouteInfo.re_ire_type != IRE_NOROUTE &&
+ rp6->ipv6RouteInfo.re_ire_type != IRE_LOCAL))) {
+ return (first);
+ }
+
+ flag_b = form_v6_route_flags(rp6, flags);
if (!ire_filter_match_v6(rp6, flag_b))
return (first);
@@ -4468,7 +4636,7 @@ ire_report_item_v6(const mib2_ipv6RouteEntry_t *rp6, boolean_t first,
}
if (Vflag) {
- (void) printf("%-27s %-27s %-5s %5u%c %5u %3u "
+ (void) printf("%-27s %-27s %-5s %5u %3u "
"%-5s %6u %6u %s\n",
pr_prefix6(&rp6->ipv6RouteDest,
rp6->ipv6RoutePfxLength, dstbuf, sizeof (dstbuf)),
@@ -4478,8 +4646,6 @@ ire_report_item_v6(const mib2_ipv6RouteEntry_t *rp6, boolean_t first,
octetstr(&rp6->ipv6RouteIfIndex, 'a',
ifname, sizeof (ifname)),
rp6->ipv6RouteInfo.re_max_frag,
- rp6->ipv6RouteInfo.re_frag_flag ? '*' : ' ',
- rp6->ipv6RouteInfo.re_rtt,
rp6->ipv6RouteInfo.re_ref,
flags,
rp6->ipv6RouteInfo.re_obpkt,
@@ -4617,7 +4783,7 @@ tcp_report(const mib_item_t *item)
v4a = v4_attrs;
v6a = v6_attrs;
for (; item != NULL; item = item->next_item) {
- if (Dflag) {
+ if (Xflag) {
(void) printf("\n--- Entry %d ---\n", ++jtemp);
(void) printf("Group = %d, mib_id = %d, "
"length = %d, valp = 0x%p\n",
@@ -4841,7 +5007,7 @@ udp_report(const mib_item_t *item)
v6a = v6_attrs;
/* 'for' loop 1: */
for (; item; item = item->next_item) {
- if (Dflag) {
+ if (Xflag) {
(void) printf("\n--- Entry %d ---\n", ++jtemp);
(void) printf("Group = %d, mib_id = %d, "
"length = %d, valp = 0x%p\n",
@@ -4916,10 +5082,7 @@ udp_report_item_v4(const mib2_udpEntry_t *ude, boolean_t first,
"",
miudp_state(ude->udpEntryInfo.ue_state, attr));
- /*
- * UDP sockets don't have remote attributes, so there's no need to
- * print them here.
- */
+ print_transport_label(attr);
return (first);
}
@@ -4956,10 +5119,7 @@ udp_report_item_v6(const mib2_udp6Entry_t *ude6, boolean_t first,
miudp_state(ude6->udp6EntryInfo.ue_state, attr),
ifnamep == NULL ? "" : ifnamep);
- /*
- * UDP sockets don't have remote attributes, so there's no need to
- * print them here.
- */
+ print_transport_label(attr);
return (first);
}
@@ -5321,7 +5481,7 @@ mrt_report(mib_item_t *item)
/* 'for' loop 1: */
for (; item; item = item->next_item) {
- if (Dflag) {
+ if (Xflag) {
(void) printf("\n--- Entry %d ---\n", ++jtemp);
(void) printf("Group = %d, mib_id = %d, "
"length = %d, valp = 0x%p\n",
@@ -5334,7 +5494,7 @@ mrt_report(mib_item_t *item)
switch (item->mib_id) {
case EXPER_DVMRP_VIF:
- if (Dflag)
+ if (Xflag)
(void) printf("%u records for ipVifTable:\n",
item->length/sizeof (struct vifctl));
if (item->length/sizeof (struct vifctl) == 0) {
@@ -5377,7 +5537,7 @@ mrt_report(mib_item_t *item)
break;
case EXPER_DVMRP_MRT:
- if (Dflag)
+ if (Xflag)
(void) printf("%u records for ipMfcTable:\n",
item->length/sizeof (struct vifctl));
if (item->length/sizeof (struct vifctl) == 0) {
diff --git a/usr/src/cmd/cmd-inet/usr.lib/in.mpathd/mpd_main.c b/usr/src/cmd/cmd-inet/usr.lib/in.mpathd/mpd_main.c
index 28416c4d7f..c0621996d3 100644
--- a/usr/src/cmd/cmd-inet/usr.lib/in.mpathd/mpd_main.c
+++ b/usr/src/cmd/cmd-inet/usr.lib/in.mpathd/mpd_main.c
@@ -2875,7 +2875,7 @@ mibwalk(void (*proc)(mib_item_t *))
* us information concerning IRE_MARK_TESTHIDDEN routes.
*/
req = (struct opthdr *)&tor[1];
- req->level = EXPER_IP_AND_TESTHIDDEN;
+ req->level = EXPER_IP_AND_ALL_IRES;
req->name = 0;
req->len = 0;
diff --git a/usr/src/cmd/cmd-inet/usr.lib/mdnsd/mDNSUNP.c b/usr/src/cmd/cmd-inet/usr.lib/mdnsd/mDNSUNP.c
index b76341e303..2cea11b454 100644
--- a/usr/src/cmd/cmd-inet/usr.lib/mdnsd/mDNSUNP.c
+++ b/usr/src/cmd/cmd-inet/usr.lib/mdnsd/mDNSUNP.c
@@ -407,6 +407,15 @@ select_src_ifi_info_solaris(int sockfd, int numifs,
if (ifflags & (IFF_NOXMIT | IFF_NOLOCAL | IFF_PRIVATE))
continue;
+ /* A DHCP client will have IFF_UP set yet the address is zero. Ignore */
+ if (lifr->lifr_addr.ss_family == AF_INET) {
+ struct sockaddr_in *sinptr;
+
+ sinptr = (struct sockaddr_in *) &lifr->lifr_addr;
+ if (sinptr->sin_addr.s_addr == INADDR_ANY)
+ continue;
+ }
+
if (*best_lifr != NULL) {
/*
* Check if we found a better interface by checking
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/ifconfig/ifconfig.c b/usr/src/cmd/cmd-inet/usr.sbin/ifconfig/ifconfig.c
index 506b15a307..868f9ab5e2 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/ifconfig/ifconfig.c
+++ b/usr/src/cmd/cmd-inet/usr.sbin/ifconfig/ifconfig.c
@@ -3541,18 +3541,6 @@ ifplumb(const char *linkname, const char *ifname, boolean_t genppa, int af)
Perror2_exit("I_PUSH", IP_MOD_NAME);
/*
- * Push the ARP module onto the interface stream. IP uses
- * this to send resolution requests up to ARP. We need to
- * do this before the SLIFNAME ioctl is sent down because
- * the interface becomes publicly known as soon as the SLIFNAME
- * ioctl completes. Thus some other process trying to bring up
- * the interface after SLIFNAME but before we have pushed ARP
- * could hang. We pop the module again later if it is not needed.
- */
- if (ioctl(ip_fd, I_PUSH, ARP_MOD_NAME) == -1)
- Perror2_exit("I_PUSH", ARP_MOD_NAME);
-
- /*
* Prepare to set IFF_IPV4/IFF_IPV6 flags as part of SIOCSLIFNAME.
* (At this point in time the kernel also allows an override of the
* IFF_CANTCHANGE flags.)
@@ -3679,12 +3667,6 @@ ifplumb(const char *linkname, const char *ifname, boolean_t genppa, int af)
(void) putchar('\n');
}
- /* Check if arp is not actually needed */
- if (lifr.lifr_flags & (IFF_NOARP|IFF_IPV6)) {
- if (ioctl(ip_fd, I_POP, 0) == -1)
- Perror2_exit("I_POP", ARP_MOD_NAME);
- }
-
/*
* Open "/dev/udp" for use as a multiplexor to PLINK the
* interface stream under. We use "/dev/udp" instead of "/dev/ip"
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/ping/ping.c b/usr/src/cmd/cmd-inet/usr.sbin/ping/ping.c
index 2a4ff60d57..d851dce613 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/ping/ping.c
+++ b/usr/src/cmd/cmd-inet/usr.sbin/ping/ping.c
@@ -159,6 +159,7 @@ static int moptions; /* multicast options */
int npackets; /* number of packets to send */
static ushort_t tos; /* type-of-service value */
static int hoplimit = -1; /* time-to-live value */
+static int dontfrag; /* IP*_DONTFRAG */
static int timeout = TIMEOUT; /* timeout value (sec) for probes */
static struct if_entry out_if; /* interface argument */
int ident; /* ID for this ping run */
@@ -268,7 +269,7 @@ main(int argc, char *argv[])
setbuf(stdout, (char *)0);
while ((c = getopt(argc, argv,
- "abA:c:dF:G:g:I:i:LlnN:P:p:rRSsTt:UvX:x:Y0123?")) != -1) {
+ "abA:c:dDF:G:g:I:i:LlnN:P:p:rRSsTt:UvX:x:Y0123?")) != -1) {
switch ((char)c) {
case 'A':
if (strcmp(optarg, "inet") == 0) {
@@ -301,6 +302,10 @@ main(int argc, char *argv[])
options |= SO_DEBUG;
break;
+ case 'D':
+ dontfrag = 1;
+ break;
+
case 'b':
bypass = _B_TRUE;
break;
@@ -1303,8 +1308,6 @@ setup_socket(int family, int *send_sockp, int *recv_sockp, int *if_index,
}
}
- if (nexthop != NULL && !use_udp)
- set_nexthop(family, ai_nexthop, recv_sock);
/*
* We always receive on raw icmp socket. But the sending socket can be
* raw icmp or udp, depending on the use of -U flag.
@@ -1332,9 +1335,6 @@ setup_socket(int family, int *send_sockp, int *recv_sockp, int *if_index,
}
}
- if (nexthop != NULL)
- set_nexthop(family, ai_nexthop, send_sock);
-
/*
* In order to distinguish replies to our UDP probes from
* other pings', we need to know our source port number.
@@ -1368,6 +1368,9 @@ setup_socket(int family, int *send_sockp, int *recv_sockp, int *if_index,
send_sock = recv_sock;
}
+ if (nexthop != NULL)
+ set_nexthop(family, ai_nexthop, send_sock);
+
int_op = 48 * 1024;
if (int_op < datalen)
int_op = datalen;
@@ -1431,6 +1434,7 @@ setup_socket(int family, int *send_sockp, int *recv_sockp, int *if_index,
if (moptions & MULTICAST_TTL) {
char_op = hoplimit;
+ /* Applies to unicast and multicast. */
if (family == AF_INET) {
if (setsockopt(send_sock, IPPROTO_IP, IP_MULTICAST_TTL,
(char *)&char_op, sizeof (char)) == -1) {
@@ -1454,7 +1458,10 @@ setup_socket(int family, int *send_sockp, int *recv_sockp, int *if_index,
*/
}
- /* did the user specify an interface? */
+ /*
+ * did the user specify an interface?
+ * Applies to unicast, broadcast and multicast.
+ */
if (moptions & MULTICAST_IF) {
struct ifaddrlist *al = NULL; /* interface list */
struct ifaddrlist *my_if;
@@ -1496,6 +1503,8 @@ setup_socket(int family, int *send_sockp, int *recv_sockp, int *if_index,
}
if (family == AF_INET) {
+ struct in_pktinfo pktinfo;
+
if (setsockopt(send_sock, IPPROTO_IP, IP_MULTICAST_IF,
(char *)&my_if->addr.addr,
sizeof (struct in_addr)) == -1) {
@@ -1504,6 +1513,15 @@ setup_socket(int family, int *send_sockp, int *recv_sockp, int *if_index,
strerror(errno));
exit(EXIT_FAILURE);
}
+ bzero(&pktinfo, sizeof (pktinfo));
+ pktinfo.ipi_ifindex = my_if->index;
+ if (setsockopt(send_sock, IPPROTO_IP, IP_PKTINFO,
+ (char *)&pktinfo, sizeof (pktinfo)) == -1) {
+ Fprintf(stderr, "%s: setsockopt "
+ "IP_PKTINFO %s\n", progname,
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
} else {
/*
* the outgoing interface is set in set_ancillary_data()
@@ -1525,6 +1543,23 @@ setup_socket(int family, int *send_sockp, int *recv_sockp, int *if_index,
}
}
+ /* We enable or disable to not depend on the kernel default */
+ if (family == AF_INET) {
+ if (setsockopt(send_sock, IPPROTO_IP, IP_DONTFRAG,
+ (char *)&dontfrag, sizeof (dontfrag)) == -1) {
+ Fprintf(stderr, "%s: setsockopt IP_DONTFRAG %s\n",
+ progname, strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ } else {
+ if (setsockopt(send_sock, IPPROTO_IPV6, IPV6_DONTFRAG,
+ (char *)&dontfrag, sizeof (dontfrag)) == -1) {
+ Fprintf(stderr, "%s: setsockopt IPV6_DONTFRAG %s\n",
+ progname, strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ }
+
/* receiving IPv6 extension headers in verbose mode */
if (verbose && family == AF_INET6) {
if (setsockopt(recv_sock, IPPROTO_IPV6, IPV6_RECVHOPOPTS,
@@ -2336,7 +2371,7 @@ usage(char *cmdname)
Fprintf(stderr, "usage: %s host [timeout]\n", cmdname);
Fprintf(stderr,
/* CSTYLED */
-"usage: %s -s [-l | U] [abdLnRrv] [-A addr_family] [-c traffic_class]\n\t"
+"usage: %s -s [-l | U] [abdDLnRrv] [-A addr_family] [-c traffic_class]\n\t"
"[-g gateway [-g gateway ...]] [-N nexthop] [-F flow_label] [-I interval]\n\t"
"[-i interface] [-P tos] [-p port] [-t ttl] host [data_size] [npackets]\n",
cmdname);
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/route.c b/usr/src/cmd/cmd-inet/usr.sbin/route.c
index b4b16d6755..aedef45409 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/route.c
+++ b/usr/src/cmd/cmd-inet/usr.sbin/route.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -45,8 +45,6 @@
* @(#)linkaddr.c 8.1 (Berkeley) 6/4/93
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/param.h>
#include <sys/file.h>
#include <sys/socket.h>
@@ -175,6 +173,8 @@ static struct keytab {
{"show", K_SHOW},
#define K_SECATTR 43
{"secattr", K_SECATTR},
+#define K_INDIRECT 44
+ {"indirect", K_INDIRECT},
{0, 0}
};
@@ -655,7 +655,7 @@ flushroutes(int argc, char *argv[])
(char *)rp < (char *)item->valp + item->length;
/* LINTED */
rp = (mib2_ipRouteEntry_t *)
- ((char *)rp + ipRouteEntrySize)) {
+ ((char *)rp + ipRouteEntrySize)) {
delRouteEntry(rp, NULL, seqno);
seqno++;
}
@@ -670,7 +670,7 @@ flushroutes(int argc, char *argv[])
if (item->group == MIB2_IP6) {
ipv6RouteEntrySize =
((mib2_ipv6IfStatsEntry_t *)item->valp)->
- ipv6RouteEntrySize;
+ ipv6RouteEntrySize;
assert(IS_P2ALIGNED(ipv6RouteEntrySize,
sizeof (mib2_ipv6RouteEntry_t *)));
break;
@@ -692,7 +692,7 @@ flushroutes(int argc, char *argv[])
(char *)rp6 < (char *)item->valp + item->length;
/* LINTED */
rp6 = (mib2_ipv6RouteEntry_t *)
- ((char *)rp6 + ipv6RouteEntrySize)) {
+ ((char *)rp6 + ipv6RouteEntrySize)) {
delRouteEntry(NULL, rp6, seqno);
seqno++;
}
@@ -812,7 +812,7 @@ delRouteEntry(mib2_ipRouteEntry_t *rp, mib2_ipv6RouteEntry_t *rp6, int seqno)
(void) printf("%-20.20s ",
rtm->rtm_flags & RTF_HOST ? routename(sa) :
- netname(sa));
+ netname(sa));
/* LINTED */
sa = (struct sockaddr *)(salen(sa) + (char *)sa);
(void) printf("%-20.20s ", routename(sa));
@@ -861,7 +861,7 @@ routename(const struct sockaddr *sa)
cp = "default";
if (cp == NULL && !nflag) {
hp = gethostbyaddr((char *)&in, sizeof (struct in_addr),
- AF_INET);
+ AF_INET);
if (hp != NULL) {
if (((cp = strchr(hp->h_name, '.')) != NULL) &&
(strcmp(cp + 1, domain) == 0))
@@ -892,7 +892,7 @@ routename(const struct sockaddr *sa)
cp = "default";
if (cp == NULL && !nflag) {
hp = getipnodebyaddr((char *)&in6,
- sizeof (struct in6_addr), AF_INET6, &error_num);
+ sizeof (struct in6_addr), AF_INET6, &error_num);
if (hp != NULL) {
if (((cp = strchr(hp->h_name, '.')) != NULL) &&
(strcmp(cp + 1, domain) == 0))
@@ -1120,8 +1120,8 @@ print_rtcmd_short(FILE *to, rtcmd_irep_t *rcip, boolean_t gw_good,
break;
case AF_INET6:
if (inet_ntop(AF_INET6,
- &rcip->ri_gate.sin6.sin6_addr, obuf,
- INET6_ADDRSTRLEN) != NULL) {
+ &rcip->ri_gate.sin6.sin6_addr, obuf,
+ INET6_ADDRSTRLEN) != NULL) {
if (nflag) {
(void) fprintf(to, ": gateway %s",
obuf);
@@ -1405,6 +1405,9 @@ args_to_rtcmd(rtcmd_irep_t *rcip, char **argv, char *cmd_string)
return (B_FALSE);
}
break;
+ case K_INDIRECT:
+ rcip->ri_flags |= RTF_INDIRECT;
+ break;
default:
if (dash_keyword) {
syntax_bad_keyword(tok + 1);
@@ -1479,8 +1482,8 @@ args_to_rtcmd(rtcmd_irep_t *rcip, char **argv, char *cmd_string)
}
if (rcip->ri_af == AF_INET6 &&
memcmp(&rcip->ri_mask.sin6.sin6_addr,
- &in6_host_mask,
- sizeof (struct in6_addr)) == 0) {
+ &in6_host_mask,
+ sizeof (struct in6_addr)) == 0) {
rcip->ri_flags |= RTF_HOST;
}
} else {
@@ -1853,8 +1856,8 @@ newroute(char **argv)
break;
case AF_INET6:
if (inet_ntop(AF_INET6,
- (void *)&newrt->ri_dst.sin6.sin6_addr,
- obuf, INET6_ADDRSTRLEN) != NULL) {
+ (void *)&newrt->ri_dst.sin6.sin6_addr,
+ obuf, INET6_ADDRSTRLEN) != NULL) {
(void) printf(" %s", obuf);
break;
}
@@ -2236,7 +2239,7 @@ in_getaddr(char *s, struct sockaddr_in *sin, int *plenp, int which,
inet_lnaof(sin->sin_addr) == INADDR_ANY)) {
/* This looks like a network address. */
inet_makenetandmask(rcip, ntohl(val),
- sin);
+ sin);
}
}
return (B_TRUE);
@@ -2562,7 +2565,7 @@ static char metricnames[] =
static char routeflags[] =
"\1UP\2GATEWAY\3HOST\4REJECT\5DYNAMIC\6MODIFIED\7DONE\010MASK_PRESENT"
"\011CLONING\012XRESOLVE\013LLINFO\014STATIC\015BLACKHOLE"
- "\016PRIVATE\017PROTO2\020PROTO1\021MULTIRT\022SETSRC";
+ "\016PRIVATE\017PROTO2\020PROTO1\021MULTIRT\022SETSRC\023INDIRECT";
static char ifnetflags[] =
"\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5PTP\6NOTRAILERS\7RUNNING\010NOARP"
"\011PPROMISC\012ALLMULTI\013INTELLIGENT\014MULTICAST"
@@ -2623,7 +2626,7 @@ print_rtmsg(struct rt_msghdr *rtm, int msglen)
break;
default:
(void) printf("pid: %ld, seq %d, errno %d, flags:",
- rtm->rtm_pid, rtm->rtm_seq, rtm->rtm_errno);
+ rtm->rtm_pid, rtm->rtm_seq, rtm->rtm_errno);
bprintf(stdout, rtm->rtm_flags, routeflags);
pmsg_common(rtm, msglen);
break;
@@ -2649,7 +2652,7 @@ print_getmsg(rtcmd_irep_t *req_rt, struct rt_msghdr *rtm, int msglen)
if (rtm->rtm_msglen > (ushort_t)msglen) {
(void) fprintf(stderr,
gettext("message length mismatch, in packet %d, "
- "returned %d\n"), rtm->rtm_msglen, msglen);
+ "returned %d\n"), rtm->rtm_msglen, msglen);
}
if (rtm->rtm_errno) {
(void) fprintf(stderr, "RTM_GET: %s (errno %d)\n",
@@ -2675,7 +2678,7 @@ print_getmsg(rtcmd_irep_t *req_rt, struct rt_msghdr *rtm, int msglen)
case RTA_IFP:
if (sa->sa_family == AF_LINK &&
((struct sockaddr_dl *)sa)->
- sdl_nlen != 0)
+ sdl_nlen != 0)
ifp = (struct sockaddr_dl *)sa;
break;
case RTA_SRC:
@@ -3122,8 +3125,8 @@ mibget(int sd)
(void) fprintf(stderr, gettext("mibget %d gives "
"T_ERROR_ACK: TLI_error = 0x%lx, UNIX_error = "
"0x%lx\n"), j, tea->TLI_error, tea->UNIX_error);
- errno = (tea->TLI_error == TSYSERR)
- ? tea->UNIX_error : EPROTO;
+ errno = (tea->TLI_error == TSYSERR) ?
+ tea->UNIX_error : EPROTO;
break;
}
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/traceroute/traceroute.c b/usr/src/cmd/cmd-inet/usr.sbin/traceroute/traceroute.c
index cae75df60d..b8b56259ad 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/traceroute/traceroute.c
+++ b/usr/src/cmd/cmd-inet/usr.sbin/traceroute/traceroute.c
@@ -166,6 +166,7 @@ boolean_t useicmp = _B_FALSE; /* use icmp echo instead of udp packets */
boolean_t docksum = _B_TRUE; /* calculate checksums */
static boolean_t collect_stat = _B_FALSE; /* print statistics */
boolean_t settos = _B_FALSE; /* set type-of-service field */
+int dontfrag = 0; /* IP*_DONTFRAG */
static int max_timeout = 5; /* quit after this consecutive timeouts */
static boolean_t probe_all = _B_FALSE; /* probe all the IFs of the target */
static boolean_t pick_src = _B_FALSE; /* traceroute picks the src address */
@@ -315,6 +316,7 @@ main(int argc, char **argv)
case 'F':
off = IP_DF;
+ dontfrag = 1;
break;
case 'g':
@@ -1361,6 +1363,24 @@ setup_socket(struct pr_set *pr, int packet_len)
exit(EXIT_FAILURE);
}
}
+
+ /* We enable or disable to not depend on the kernel default */
+ if (pr->family == AF_INET) {
+ if (setsockopt(ssock, IPPROTO_IP, IP_DONTFRAG,
+ (char *)&dontfrag, sizeof (dontfrag)) == -1) {
+ Fprintf(stderr, "%s: IP_DONTFRAG %s\n", prog,
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ } else {
+ if (setsockopt(ssock, IPPROTO_IPV6, IPV6_DONTFRAG,
+ (char *)&dontfrag, sizeof (dontfrag)) == -1) {
+ Fprintf(stderr, "%s: IPV6_DONTFRAG %s\n", prog,
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ }
+
if (pr->family == AF_INET) {
rcvsock4 = rsock;
sndsock4 = ssock;
diff --git a/usr/src/cmd/devfsadm/misc_link.c b/usr/src/cmd/devfsadm/misc_link.c
index 222699e479..84cdb42377 100644
--- a/usr/src/cmd/devfsadm/misc_link.c
+++ b/usr/src/cmd/devfsadm/misc_link.c
@@ -104,8 +104,7 @@ static devfsadm_create_t misc_cbt[] = {
"(^ip$)|(^tcp$)|(^udp$)|(^icmp$)|(^sctp$)|"
"(^ip6$)|(^tcp6$)|(^udp6$)|(^icmp6$)|(^sctp6$)|"
"(^rts$)|(^arp$)|(^ipsecah$)|(^ipsecesp$)|(^keysock$)|(^spdsock$)|"
- "(^nca$)|(^rds$)|(^sdp$)|(^ipnet$)|(^dlpistub$)|(^iptunq)|"
- "(^bpf$)",
+ "(^nca$)|(^rds$)|(^sdp$)|(^ipnet$)|(^dlpistub$)|(^bpf$)",
TYPE_EXACT | DRV_RE, ILEVEL_1, minor_name
},
{ "pseudo", "ddi_pseudo",
diff --git a/usr/src/cmd/mdb/common/modules/arp/arp.c b/usr/src/cmd/mdb/common/modules/arp/arp.c
index f36a81170e..f97cdaab42 100644
--- a/usr/src/cmd/mdb/common/modules/arp/arp.c
+++ b/usr/src/cmd/mdb/common/modules/arp/arp.c
@@ -19,12 +19,10 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <stdio.h>
#include <sys/types.h>
#include <sys/stropts.h>
@@ -36,7 +34,6 @@
#include <inet/common.h>
#include <inet/mi.h>
#include <inet/arp.h>
-#include <inet/arp_impl.h>
#include <inet/ip.h>
#include <netinet/arp.h>
@@ -50,541 +47,10 @@ typedef struct {
} arp_cmd_tbl;
/*
- * Table of ARP commands and structure types used for messages between ARP and
- * IP.
- */
-static const arp_cmd_tbl act_list[] = {
- { AR_ENTRY_ADD, "AR_ENTRY_ADD", "arp`area_t" },
- { AR_ENTRY_DELETE, "AR_ENTRY_DELETE", "arp`ared_t" },
- { AR_ENTRY_QUERY, "AR_ENTRY_QUERY", "arp`areq_t" },
- { AR_ENTRY_SQUERY, "AR_ENTRY_SQUERY", "arp`area_t" },
- { AR_MAPPING_ADD, "AR_MAPPING_ADD", "arp`arma_t" },
- { AR_CLIENT_NOTIFY, "AR_CLIENT_NOTIFY", "arp`arcn_t" },
- { AR_INTERFACE_UP, "AR_INTERFACE_UP", "arp`arc_t" },
- { AR_INTERFACE_DOWN, "AR_INTERFACE_DOWN", "arp`arc_t" },
- { AR_INTERFACE_ON, "AR_INTERFACE_ON", "arp`arc_t" },
- { AR_INTERFACE_OFF, "AR_INTERFACE_OFF", "arp`arc_t" },
- { AR_DLPIOP_DONE, "AR_DLPIOP_DONE", "arp`arc_t" },
- { AR_ARP_CLOSING, "AR_ARP_CLOSING", "arp`arc_t" },
- { AR_ARP_EXTEND, "AR_ARP_EXTEND", "arp`arc_t" },
- { 0, "unknown command", "arp`arc_t" }
-};
-
-/*
- * State information kept during walk over ACE hash table and unhashed mask
- * list.
- */
-typedef struct ace_walk_data {
- ace_t *awd_hash_tbl[ARP_HASH_SIZE];
- ace_t *awd_masks;
- int awd_idx;
-} ace_walk_data_t;
-
-/*
- * Given the kernel address of an arl_t, return the stackid
+ * removed all the ace/arl related stuff. The only thing that remains
+ * is code for dealing with ioctls and printing out arp header that
+ * should probably be moved into the ip/mdb module.
*/
-static int
-arl_to_stackid(uintptr_t addr)
-{
- arl_t arl;
- queue_t rq;
- ar_t ar;
- arp_stack_t ass;
- netstack_t nss;
-
- if (mdb_vread(&arl, sizeof (arl), addr) == -1) {
- mdb_warn("failed to read arl_t %p", addr);
- return (0);
- }
-
- addr = (uintptr_t)arl.arl_rq;
- if (mdb_vread(&rq, sizeof (rq), addr) == -1) {
- mdb_warn("failed to read queue_t %p", addr);
- return (0);
- }
-
- addr = (uintptr_t)rq.q_ptr;
- if (mdb_vread(&ar, sizeof (ar), addr) == -1) {
- mdb_warn("failed to read ar_t %p", addr);
- return (0);
- }
-
- addr = (uintptr_t)ar.ar_as;
- if (mdb_vread(&ass, sizeof (ass), addr) == -1) {
- mdb_warn("failed to read arp_stack_t %p", addr);
- return (0);
- }
- addr = (uintptr_t)ass.as_netstack;
- if (mdb_vread(&nss, sizeof (nss), addr) == -1) {
- mdb_warn("failed to read netstack_t %p", addr);
- return (0);
- }
- return (nss.netstack_stackid);
-}
-
-static int
-arp_stacks_walk_init(mdb_walk_state_t *wsp)
-{
- if (mdb_layered_walk("netstack", wsp) == -1) {
- mdb_warn("can't walk 'netstack'");
- return (WALK_ERR);
- }
- return (WALK_NEXT);
-}
-
-static int
-arp_stacks_walk_step(mdb_walk_state_t *wsp)
-{
- uintptr_t addr;
- netstack_t nss;
-
- if (mdb_vread(&nss, sizeof (nss), wsp->walk_addr) == -1) {
- mdb_warn("can't read netstack at %p", wsp->walk_addr);
- return (WALK_ERR);
- }
- addr = (uintptr_t)nss.netstack_modules[NS_ARP];
-
- return (wsp->walk_callback(addr, wsp->walk_layer, wsp->walk_cbdata));
-}
-
-static int
-arl_stack_walk_init(mdb_walk_state_t *wsp)
-{
- uintptr_t addr;
-
- if (wsp->walk_addr == NULL) {
- mdb_warn("arl_stack supports only local walks\n");
- return (WALK_ERR);
- }
-
- addr = wsp->walk_addr + OFFSETOF(arp_stack_t, as_arl_head);
- if (mdb_vread(&wsp->walk_addr, sizeof (wsp->walk_addr),
- addr) == -1) {
- mdb_warn("failed to read 'arl_g_head'");
- return (WALK_ERR);
- }
- return (WALK_NEXT);
-}
-
-static int
-arl_stack_walk_step(mdb_walk_state_t *wsp)
-{
- uintptr_t addr = wsp->walk_addr;
- arl_t arl;
-
- if (wsp->walk_addr == NULL)
- return (WALK_DONE);
-
- if (mdb_vread(&arl, sizeof (arl), addr) == -1) {
- mdb_warn("failed to read arl_t at %p", addr);
- return (WALK_ERR);
- }
-
- wsp->walk_addr = (uintptr_t)arl.arl_next;
-
- return ((*wsp->walk_callback)(addr, &arl, wsp->walk_cbdata));
-}
-
-static int
-arl_walk_init(mdb_walk_state_t *wsp)
-{
- if (mdb_layered_walk("arp_stacks", wsp) == -1) {
- mdb_warn("can't walk 'arp_stacks'");
- return (WALK_ERR);
- }
-
- return (WALK_NEXT);
-}
-
-static int
-arl_walk_step(mdb_walk_state_t *wsp)
-{
- if (mdb_pwalk("arl_stack", wsp->walk_callback,
- wsp->walk_cbdata, wsp->walk_addr) == -1) {
- mdb_warn("couldn't walk 'arl_stack' at %p", wsp->walk_addr);
- return (WALK_ERR);
- }
- return (WALK_NEXT);
-}
-
-/*
- * Called with walk_addr being the address of arp_stack_t
- */
-static int
-ace_stack_walk_init(mdb_walk_state_t *wsp)
-{
- ace_walk_data_t *aw;
- uintptr_t addr;
-
- if (wsp->walk_addr == NULL) {
- mdb_warn("ace_stack supports only local walks\n");
- return (WALK_ERR);
- }
-
- aw = mdb_alloc(sizeof (ace_walk_data_t), UM_SLEEP);
-
- addr = wsp->walk_addr + OFFSETOF(arp_stack_t, as_ce_hash_tbl);
- if (mdb_vread(aw->awd_hash_tbl, sizeof (aw->awd_hash_tbl),
- addr) == -1) {
- mdb_warn("failed to read 'as_ce_hash_tbl'");
- mdb_free(aw, sizeof (ace_walk_data_t));
- return (WALK_ERR);
- }
-
- addr = wsp->walk_addr + OFFSETOF(arp_stack_t, as_ce_mask_entries);
- if (mdb_vread(&aw->awd_masks, sizeof (aw->awd_masks),
- addr) == -1) {
- mdb_warn("failed to read 'as_ce_mask_entries'");
- mdb_free(aw, sizeof (ace_walk_data_t));
- return (WALK_ERR);
- }
-
- /* The step routine will start off by incrementing to index 0 */
- aw->awd_idx = -1;
- wsp->walk_addr = 0;
- wsp->walk_data = aw;
-
- return (WALK_NEXT);
-}
-
-static int
-ace_stack_walk_step(mdb_walk_state_t *wsp)
-{
- uintptr_t addr;
- ace_walk_data_t *aw = wsp->walk_data;
- ace_t ace;
-
- /*
- * If we're at the end of the previous list, then find the start of the
- * next list to process.
- */
- while (wsp->walk_addr == NULL) {
- if (aw->awd_idx == ARP_HASH_SIZE)
- return (WALK_DONE);
- if (++aw->awd_idx == ARP_HASH_SIZE) {
- wsp->walk_addr = (uintptr_t)aw->awd_masks;
- } else {
- wsp->walk_addr =
- (uintptr_t)aw->awd_hash_tbl[aw->awd_idx];
- }
- }
-
- addr = wsp->walk_addr;
- if (mdb_vread(&ace, sizeof (ace), addr) == -1) {
- mdb_warn("failed to read ace_t at %p", addr);
- return (WALK_ERR);
- }
-
- wsp->walk_addr = (uintptr_t)ace.ace_next;
-
- return (wsp->walk_callback(addr, &ace, wsp->walk_cbdata));
-}
-
-static void
-ace_stack_walk_fini(mdb_walk_state_t *wsp)
-{
- mdb_free(wsp->walk_data, sizeof (ace_walk_data_t));
-}
-
-static int
-ace_walk_init(mdb_walk_state_t *wsp)
-{
- if (mdb_layered_walk("arp_stacks", wsp) == -1) {
- mdb_warn("can't walk 'arp_stacks'");
- return (WALK_ERR);
- }
-
- return (WALK_NEXT);
-}
-
-static int
-ace_walk_step(mdb_walk_state_t *wsp)
-{
- if (mdb_pwalk("ace_stack", wsp->walk_callback,
- wsp->walk_cbdata, wsp->walk_addr) == -1) {
- mdb_warn("couldn't walk 'ace_stack' at %p", wsp->walk_addr);
- return (WALK_ERR);
- }
- return (WALK_NEXT);
-}
-
-
-/* Common routine to produce an 'ar' text description */
-static void
-ar_describe(const ar_t *ar, char *buf, size_t nbytes, boolean_t addmac)
-{
- if (ar->ar_arl == NULL) {
- queue_t wq, ipq;
- ill_t ill;
- char name[LIFNAMSIZ];
- GElf_Sym sym;
- boolean_t nextip;
-
- if (mdb_vread(&wq, sizeof (wq), (uintptr_t)ar->ar_wq) == -1 ||
- mdb_vread(&ipq, sizeof (ipq), (uintptr_t)wq.q_next) == -1)
- return;
-
- nextip =
- (mdb_lookup_by_obj("ip", "ipwinit", &sym) == 0 &&
- (uintptr_t)sym.st_value == (uintptr_t)ipq.q_qinfo);
-
- if (!ar->ar_on_ill_stream) {
- (void) strcpy(buf, nextip ? "Client" : "Unknown");
- return;
- }
-
- if (!nextip ||
- mdb_vread(&ill, sizeof (ill), (uintptr_t)ipq.q_ptr) == -1 ||
- mdb_readstr(name, sizeof (name),
- (uintptr_t)ill.ill_name) == -1) {
- return;
- }
- (void) mdb_snprintf(buf, nbytes, "IP %s", name);
- } else {
- arl_t arl;
- arlphy_t ap;
- ssize_t retv;
- uint32_t alen;
- uchar_t macaddr[ARP_MAX_ADDR_LEN];
-
- if (mdb_vread(&arl, sizeof (arl), (uintptr_t)ar->ar_arl) == -1)
- return;
- retv = mdb_snprintf(buf, nbytes, "ARP %s ", arl.arl_name);
- if (retv >= nbytes || !addmac)
- return;
- if (mdb_vread(&ap, sizeof (ap), (uintptr_t)arl.arl_phy) == -1)
- return;
- alen = ap.ap_hw_addrlen;
- if (ap.ap_hw_addr == NULL || alen == 0 ||
- alen > sizeof (macaddr))
- return;
- if (mdb_vread(macaddr, alen, (uintptr_t)ap.ap_hw_addr) == -1)
- return;
- mdb_mac_addr(macaddr, alen, buf + retv, nbytes - retv);
- }
-}
-
-/* ARGSUSED2 */
-static int
-ar_cb(uintptr_t addr, const void *arptr, void *dummy)
-{
- const ar_t *ar = arptr;
- char ardesc[sizeof ("ARP ") + LIFNAMSIZ];
-
- ar_describe(ar, ardesc, sizeof (ardesc), B_FALSE);
- mdb_printf("%?p %?p %?p %s\n", addr, ar->ar_wq, ar->ar_arl, ardesc);
- return (WALK_NEXT);
-}
-
-/*
- * Print out ARP client structures.
- */
-/* ARGSUSED2 */
-static int
-ar_cmd(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
-{
- ar_t ar;
-
- if (DCMD_HDRSPEC(flags) && !(flags & DCMD_PIPE_OUT)) {
- mdb_printf("%<u>%?s %?s %?s %s%</u>\n",
- "AR", "WQ", "ARL", "TYPE");
- }
-
- if (flags & DCMD_ADDRSPEC) {
- if (mdb_vread(&ar, sizeof (ar), addr) == -1) {
- mdb_warn("failed to read ar_t at %p", addr);
- return (DCMD_ERR);
- }
- (void) ar_cb(addr, &ar, NULL);
- } else {
- if (mdb_walk("ar", ar_cb, NULL) == -1) {
- mdb_warn("cannot walk ar_t structures");
- return (DCMD_ERR);
- }
- }
- return (DCMD_OK);
-}
-
-/* ARGSUSED2 */
-static int
-arl_cb(uintptr_t addr, const void *arlptr, void *dummy)
-{
- const arl_t *arl = arlptr;
- arlphy_t ap;
- uchar_t macaddr[ARP_MAX_ADDR_LEN];
- char macstr[ARP_MAX_ADDR_LEN*3];
- char flags[4];
- const char *primstr;
-
- mdb_printf("%?p ", addr);
- if (arl->arl_dlpi_pending == DL_PRIM_INVAL)
- mdb_printf("%16s", "--");
- else if ((primstr = mdb_dlpi_prim(arl->arl_dlpi_pending)) != NULL)
- mdb_printf("%16s", primstr);
- else
- mdb_printf("%16x", arl->arl_dlpi_pending);
-
- if (mdb_vread(&ap, sizeof (ap), (uintptr_t)arl->arl_phy) == -1 ||
- ap.ap_hw_addrlen == 0 || ap.ap_hw_addrlen > sizeof (macaddr)) {
- (void) strcpy(macstr, "--");
- } else if (mdb_vread(macaddr, ap.ap_hw_addrlen,
- (uintptr_t)ap.ap_hw_addr) == -1) {
- (void) strcpy(macstr, "?");
- } else {
- mdb_mac_addr(macaddr, ap.ap_hw_addrlen, macstr,
- sizeof (macstr));
- }
-
- /* Print both the link-layer state and the NOARP flag */
- flags[0] = '\0';
- if (arl->arl_flags & ARL_F_NOARP)
- (void) strcat(flags, "N");
- switch (arl->arl_state) {
- case ARL_S_DOWN:
- (void) strcat(flags, "d");
- break;
- case ARL_S_PENDING:
- (void) strcat(flags, "P");
- break;
- case ARL_S_UP:
- (void) strcat(flags, "U");
- break;
- default:
- (void) strcat(flags, "?");
- break;
- }
- mdb_printf(" %8d %-3s %-9s %-17s %5d\n",
- mdb_mblk_count(arl->arl_dlpi_deferred), flags, arl->arl_name,
- macstr, arl_to_stackid((uintptr_t)addr));
- return (WALK_NEXT);
-}
-
-/*
- * Print out ARP link-layer elements.
- */
-/* ARGSUSED2 */
-static int
-arl_cmd(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
-{
- arl_t arl;
-
- if (DCMD_HDRSPEC(flags) && !(flags & DCMD_PIPE_OUT)) {
- mdb_printf("%<u>%?s %16s %8s %3s %9s %-17s %5s%</u>\n",
- "ARL", "DLPI REQ", "DLPI CNT", "FLG", "INTERFACE",
- "HWADDR", "STACK");
- }
-
- if (flags & DCMD_ADDRSPEC) {
- if (mdb_vread(&arl, sizeof (arl), addr) == -1) {
- mdb_warn("failed to read arl_t at %p", addr);
- return (DCMD_ERR);
- }
- (void) arl_cb(addr, &arl, NULL);
- } else {
- if (mdb_walk("arl", arl_cb, NULL) == -1) {
- mdb_warn("cannot walk arl_t structures");
- return (DCMD_ERR);
- }
- }
- return (DCMD_OK);
-}
-
-/* ARGSUSED2 */
-static int
-ace_cb(uintptr_t addr, const void *aceptr, void *dummy)
-{
- const ace_t *ace = aceptr;
- uchar_t macaddr[ARP_MAX_ADDR_LEN];
- char macstr[ARP_MAX_ADDR_LEN*3];
- /* The %b format isn't compact enough for long listings */
- static const char ace_flags[] = "SPDRMLdA ofya";
- const char *cp;
- char flags[sizeof (ace_flags)], *fp;
- int flg;
- in_addr_t inaddr, mask;
- char addrstr[sizeof ("255.255.255.255/32")];
-
- /* Walk the list of flags and produce a string */
- cp = ace_flags;
- fp = flags;
- for (flg = 1; *cp != '\0'; flg <<= 1, cp++) {
- if ((flg & ace->ace_flags) && *cp != ' ')
- *fp++ = *cp;
- }
- *fp = '\0';
-
- /* If it's not resolved, then it has no hardware address */
- if (!(ace->ace_flags & ACE_F_RESOLVED) ||
- ace->ace_hw_addr_length == 0 ||
- ace->ace_hw_addr_length > sizeof (macaddr)) {
- (void) strcpy(macstr, "--");
- } else if (mdb_vread(macaddr, ace->ace_hw_addr_length,
- (uintptr_t)ace->ace_hw_addr) == -1) {
- (void) strcpy(macstr, "?");
- } else {
- mdb_mac_addr(macaddr, ace->ace_hw_addr_length, macstr,
- sizeof (macstr));
- }
-
- /*
- * Nothing other than IP uses ARP these days, so we don't try very hard
- * here to switch out on ARP protocol type. (Note that ARP protocol
- * types are roughly Ethertypes, but are allocated separately at IANA.)
- */
- if (ace->ace_proto != IP_ARP_PROTO_TYPE) {
- (void) mdb_snprintf(addrstr, sizeof (addrstr),
- "Unknown proto %x", ace->ace_proto);
- } else if (mdb_vread(&inaddr, sizeof (inaddr),
- (uintptr_t)ace->ace_proto_addr) != -1 &&
- mdb_vread(&mask, sizeof (mask), (uintptr_t)ace->ace_proto_mask) !=
- -1) {
- /*
- * If it's the standard host mask, then print it normally.
- * Otherwise, use "/n" notation.
- */
- if (mask == (in_addr_t)~0) {
- (void) mdb_snprintf(addrstr, sizeof (addrstr), "%I",
- inaddr);
- } else {
- (void) mdb_snprintf(addrstr, sizeof (addrstr), "%I/%d",
- inaddr, mask == 0 ? 0 : 33 - mdb_ffs(mask));
- }
- } else {
- (void) strcpy(addrstr, "?");
- }
- mdb_printf("%?p %-18s %-8s %-17s %5d\n", addr, addrstr, flags,
- macstr, arl_to_stackid((uintptr_t)ace->ace_arl));
- return (WALK_NEXT);
-}
-
-/*
- * Print out ARP cache entry (ace_t) elements.
- */
-/* ARGSUSED2 */
-static int
-ace_cmd(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
-{
- ace_t ace;
-
- if (DCMD_HDRSPEC(flags) && !(flags & DCMD_PIPE_OUT)) {
- mdb_printf("%<u>%?s %-18s %-8s %-17s %5s%</u>\n",
- "ACE", "PROTOADDR", "FLAGS", "HWADDR", "STACK");
- }
-
- if (flags & DCMD_ADDRSPEC) {
- if (mdb_vread(&ace, sizeof (ace), addr) == -1) {
- mdb_warn("failed to read ace_t at %p", addr);
- return (DCMD_ERR);
- }
- (void) ace_cb(addr, &ace, NULL);
- } else {
- if (mdb_walk("ace", ace_cb, NULL) == -1) {
- mdb_warn("cannot walk ace_t structures");
- return (DCMD_ERR);
- }
- }
- return (DCMD_OK);
-}
/*
* Print an ARP hardware and protocol address pair; used when printing an ARP
@@ -696,148 +162,25 @@ arphdr_cmd(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
return (DCMD_OK);
}
-/*
- * Print out an arp command formatted in a reasonable manner. This implements
- * the type switch used by ARP.
- *
- * It could also dump the data that follows the header (using offset and length
- * in the various structures), but it currently does not.
- */
-/* ARGSUSED2 */
-static int
-arpcmd_cmd(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
-{
- arc_t arc;
- const arp_cmd_tbl *tp;
- mdb_arg_t subargv;
-
- if (!(flags & DCMD_ADDRSPEC)) {
- mdb_warn("address required to print ARP command\n");
- return (DCMD_ERR);
- }
- if (mdb_vread(&arc, sizeof (arc), addr) == -1) {
- mdb_warn("unable to read arc_t at %p", addr);
- return (DCMD_ERR);
- }
- for (tp = act_list; tp->act_cmd != 0; tp++)
- if (tp->act_cmd == arc.arc_cmd)
- break;
- mdb_printf("%p %s (%s) = ", addr, tp->act_name, tp->act_type);
- subargv.a_type = MDB_TYPE_STRING;
- subargv.a_un.a_str = tp->act_type;
- if (mdb_call_dcmd("print", addr, DCMD_ADDRSPEC, 1, &subargv) == -1)
- return (DCMD_ERR);
- else
- return (DCMD_OK);
-}
-
-static size_t
-mi_osize(const queue_t *q)
-{
- /*
- * The code in common/inet/mi.c allocates an extra word to store the
- * size of the allocation. An mi_o_s is thus a size_t plus an mi_o_s.
- */
- struct mi_block {
- size_t mi_nbytes;
- struct mi_o_s mi_o;
- } m;
-
- if (mdb_vread(&m, sizeof (m), (uintptr_t)q->q_ptr - sizeof (m)) != -1)
- return (m.mi_nbytes - sizeof (m));
-
- return (0);
-}
-
-/*
- * This is called when ::stream is used and an ARP module is seen on the
- * stream. Determine what sort of ARP usage is involved and show an
- * appropriate message.
- */
-static void
-arp_qinfo(const queue_t *qp, char *buf, size_t nbytes)
-{
- size_t size = mi_osize(qp);
- ar_t ar;
-
- if (size != sizeof (ar_t))
- return;
- if (mdb_vread(&ar, sizeof (ar), (uintptr_t)qp->q_ptr) == -1)
- return;
- ar_describe(&ar, buf, nbytes, B_TRUE);
-}
-
-static uintptr_t
-arp_rnext(const queue_t *q)
-{
- size_t size = mi_osize(q);
- ar_t ar;
-
- if (size == sizeof (ar_t) && mdb_vread(&ar, sizeof (ar),
- (uintptr_t)q->q_ptr) != -1)
- return ((uintptr_t)ar.ar_rq);
-
- return (NULL);
-}
-
-static uintptr_t
-arp_wnext(const queue_t *q)
-{
- size_t size = mi_osize(q);
- ar_t ar;
-
- if (size == sizeof (ar_t) && mdb_vread(&ar, sizeof (ar),
- (uintptr_t)q->q_ptr) != -1)
- return ((uintptr_t)ar.ar_wq);
-
- return (NULL);
-}
-
static const mdb_dcmd_t dcmds[] = {
- { "ar", "?", "display ARP client streams for all stacks",
- ar_cmd, NULL },
- { "arl", "?", "display ARP link layers for all stacks", arl_cmd, NULL },
- { "ace", "?", "display ARP cache entries for all stacks",
- ace_cmd, NULL },
{ "arphdr", ":", "display an ARP header", arphdr_cmd, NULL },
- { "arpcmd", ":", "display an ARP command", arpcmd_cmd, NULL },
{ NULL }
};
/* Note: ar_t walker is in genunix.c and net.c; generic MI walker */
static const mdb_walker_t walkers[] = {
- { "arl", "walk list of arl_t links for all stacks",
- arl_walk_init, arl_walk_step, NULL },
- { "arl_stack", "walk list of arl_t links",
- arl_stack_walk_init, arl_stack_walk_step, NULL },
- { "ace", "walk list of ace_t entries for all stacks",
- ace_walk_init, ace_walk_step, NULL },
- { "ace_stack", "walk list of ace_t entries",
- ace_stack_walk_init, ace_stack_walk_step, ace_stack_walk_fini },
- { "arp_stacks", "walk all the arp_stack_t",
- arp_stacks_walk_init, arp_stacks_walk_step, NULL },
{ NULL }
};
-static const mdb_qops_t arp_qops = { arp_qinfo, arp_rnext, arp_wnext };
static const mdb_modinfo_t modinfo = { MDB_API_VERSION, dcmds, walkers };
const mdb_modinfo_t *
_mdb_init(void)
{
- GElf_Sym sym;
-
- if (mdb_lookup_by_obj("arp", "winit", &sym) == 0)
- mdb_qops_install(&arp_qops, (uintptr_t)sym.st_value);
-
return (&modinfo);
}
void
_mdb_fini(void)
{
- GElf_Sym sym;
-
- if (mdb_lookup_by_obj("arp", "winit", &sym) == 0)
- mdb_qops_remove(&arp_qops, (uintptr_t)sym.st_value);
}
diff --git a/usr/src/cmd/mdb/common/modules/genunix/genunix.c b/usr/src/cmd/mdb/common/modules/genunix/genunix.c
index 3e49d9a99c..e6fe3f7dcf 100644
--- a/usr/src/cmd/mdb/common/modules/genunix/genunix.c
+++ b/usr/src/cmd/mdb/common/modules/genunix/genunix.c
@@ -4770,8 +4770,6 @@ static const mdb_walker_t walkers[] = {
NULL, modchain_walk_step, NULL },
/* from net.c */
- { "ar", "walk ar_t structures using MI for all stacks",
- mi_payload_walk_init, mi_payload_walk_step, NULL, &mi_ar_arg },
{ "icmp", "walk ICMP control structures using MI for all stacks",
mi_payload_walk_init, mi_payload_walk_step, NULL,
&mi_icmp_arg },
@@ -4779,8 +4777,6 @@ static const mdb_walker_t walkers[] = {
mi_walk_init, mi_walk_step, mi_walk_fini, NULL },
{ "sonode", "given a sonode, walk its children",
sonode_walk_init, sonode_walk_step, sonode_walk_fini, NULL },
- { "ar_stacks", "walk all the ar_stack_t",
- ar_stacks_walk_init, ar_stacks_walk_step, NULL },
{ "icmp_stacks", "walk all the icmp_stack_t",
icmp_stacks_walk_init, icmp_stacks_walk_step, NULL },
{ "tcp_stacks", "walk all the tcp_stack_t",
diff --git a/usr/src/cmd/mdb/common/modules/genunix/net.c b/usr/src/cmd/mdb/common/modules/genunix/net.c
index d9f4717d7e..23d6202fff 100644
--- a/usr/src/cmd/mdb/common/modules/genunix/net.c
+++ b/usr/src/cmd/mdb/common/modules/genunix/net.c
@@ -45,7 +45,6 @@
#include <sys/socketvar.h>
#include <sys/cred_impl.h>
#include <inet/udp_impl.h>
-#include <inet/arp_impl.h>
#include <inet/rawip_impl.h>
#include <inet/mi.h>
#include <fs/sockfs/socktpi_impl.h>
@@ -71,31 +70,6 @@ typedef struct netstat_cb_data_s {
int af;
} netstat_cb_data_t;
-/* Walkers for various *_stack_t */
-int
-ar_stacks_walk_init(mdb_walk_state_t *wsp)
-{
- if (mdb_layered_walk("netstack", wsp) == -1) {
- mdb_warn("can't walk 'netstack'");
- return (WALK_ERR);
- }
- return (WALK_NEXT);
-}
-
-int
-ar_stacks_walk_step(mdb_walk_state_t *wsp)
-{
- uintptr_t kaddr;
- netstack_t nss;
-
- if (mdb_vread(&nss, sizeof (nss), wsp->walk_addr) == -1) {
- mdb_warn("can't read netstack at %p", wsp->walk_addr);
- return (WALK_ERR);
- }
- kaddr = (uintptr_t)nss.netstack_modules[NS_ARP];
- return (wsp->walk_callback(kaddr, wsp->walk_layer, wsp->walk_cbdata));
-}
-
int
icmp_stacks_walk_init(mdb_walk_state_t *wsp)
{
@@ -201,15 +175,15 @@ net_tcp_active(const tcp_t *tcp)
static int
net_tcp_ipv4(const tcp_t *tcp)
{
- return ((tcp->tcp_ipversion == IPV4_VERSION) ||
- (IN6_IS_ADDR_UNSPECIFIED(&tcp->tcp_ip_src_v6) &&
+ return ((tcp->tcp_connp->conn_ipversion == IPV4_VERSION) ||
+ (IN6_IS_ADDR_UNSPECIFIED(&tcp->tcp_connp->conn_laddr_v6) &&
(tcp->tcp_state <= TCPS_LISTEN)));
}
static int
net_tcp_ipv6(const tcp_t *tcp)
{
- return (tcp->tcp_ipversion == IPV6_VERSION);
+ return (tcp->tcp_connp->conn_ipversion == IPV6_VERSION);
}
static int
@@ -222,15 +196,15 @@ net_udp_active(const udp_t *udp)
static int
net_udp_ipv4(const udp_t *udp)
{
- return ((udp->udp_ipversion == IPV4_VERSION) ||
- (IN6_IS_ADDR_UNSPECIFIED(&udp->udp_v6src) &&
+ return ((udp->udp_connp->conn_ipversion == IPV4_VERSION) ||
+ (IN6_IS_ADDR_UNSPECIFIED(&udp->udp_connp->conn_laddr_v6) &&
(udp->udp_state <= TS_IDLE)));
}
static int
net_udp_ipv6(const udp_t *udp)
{
- return (udp->udp_ipversion == IPV6_VERSION);
+ return (udp->udp_connp->conn_ipversion == IPV6_VERSION);
}
int
@@ -399,11 +373,6 @@ mi_payload_walk_step(mdb_walk_state_t *wsp)
return (WALK_NEXT);
}
-const mi_payload_walk_arg_t mi_ar_arg = {
- "ar_stacks", OFFSETOF(arp_stack_t, as_head), sizeof (ar_t),
- MI_PAYLOAD_DEVICE | MI_PAYLOAD_MODULE
-};
-
const mi_payload_walk_arg_t mi_icmp_arg = {
"icmp_stacks", OFFSETOF(icmp_stack_t, is_head), sizeof (icmp_t),
MI_PAYLOAD_DEVICE | MI_PAYLOAD_MODULE
@@ -632,7 +601,7 @@ netstat_tcp_cb(uintptr_t kaddr, const void *walk_data, void *cb_data)
tcp_kaddr = (uintptr_t)connp->conn_tcp;
if (mdb_vread(&tcps, sizeof (tcp_t), tcp_kaddr) == -1) {
- mdb_warn("failed to read tcp_t at %p", kaddr);
+ mdb_warn("failed to read tcp_t at %p", tcp_kaddr);
return (WALK_ERR);
}
@@ -648,13 +617,13 @@ netstat_tcp_cb(uintptr_t kaddr, const void *walk_data, void *cb_data)
mdb_printf("%0?p %2i ", tcp_kaddr, tcp->tcp_state);
if (af == AF_INET) {
- net_ipv4addrport_pr(&tcp->tcp_ip_src_v6, tcp->tcp_lport);
+ net_ipv4addrport_pr(&connp->conn_laddr_v6, connp->conn_lport);
mdb_printf(" ");
- net_ipv4addrport_pr(&tcp->tcp_remote_v6, tcp->tcp_fport);
+ net_ipv4addrport_pr(&connp->conn_faddr_v6, connp->conn_fport);
} else if (af == AF_INET6) {
- net_ipv6addrport_pr(&tcp->tcp_ip_src_v6, tcp->tcp_lport);
+ net_ipv6addrport_pr(&connp->conn_laddr_v6, connp->conn_lport);
mdb_printf(" ");
- net_ipv6addrport_pr(&tcp->tcp_remote_v6, tcp->tcp_fport);
+ net_ipv6addrport_pr(&connp->conn_faddr_v6, connp->conn_fport);
}
mdb_printf(" %5i", ns_to_stackid((uintptr_t)connp->conn_netstack));
mdb_printf(" %4i\n", connp->conn_zoneid);
@@ -687,6 +656,9 @@ netstat_udp_cb(uintptr_t kaddr, const void *walk_data, void *cb_data)
return (WALK_ERR);
}
+ connp->conn_udp = &udp;
+ udp.udp_connp = connp;
+
if (!((opts & NETSTAT_ALL) || net_udp_active(&udp)) ||
(af == AF_INET && !net_udp_ipv4(&udp)) ||
(af == AF_INET6 && !net_udp_ipv6(&udp))) {
@@ -704,13 +676,13 @@ netstat_udp_cb(uintptr_t kaddr, const void *walk_data, void *cb_data)
mdb_printf("%0?p %10s ", (uintptr_t)connp->conn_udp, state);
if (af == AF_INET) {
- net_ipv4addrport_pr(&udp.udp_v6src, udp.udp_port);
+ net_ipv4addrport_pr(&connp->conn_laddr_v6, connp->conn_lport);
mdb_printf(" ");
- net_ipv4addrport_pr(&udp.udp_v6dst, udp.udp_dstport);
+ net_ipv4addrport_pr(&connp->conn_faddr_v6, connp->conn_fport);
} else if (af == AF_INET6) {
- net_ipv6addrport_pr(&udp.udp_v6src, udp.udp_port);
+ net_ipv6addrport_pr(&connp->conn_laddr_v6, connp->conn_lport);
mdb_printf(" ");
- net_ipv6addrport_pr(&udp.udp_v6dst, udp.udp_dstport);
+ net_ipv6addrport_pr(&connp->conn_faddr_v6, connp->conn_fport);
}
mdb_printf(" %5i", ns_to_stackid((uintptr_t)connp->conn_netstack));
mdb_printf(" %4i\n", connp->conn_zoneid);
@@ -740,8 +712,11 @@ netstat_icmp_cb(uintptr_t kaddr, const void *walk_data, void *cb_data)
return (WALK_ERR);
}
- if ((af == AF_INET && icmp.icmp_ipversion != IPV4_VERSION) ||
- (af == AF_INET6 && icmp.icmp_ipversion != IPV6_VERSION)) {
+ connp->conn_icmp = &icmp;
+ icmp.icmp_connp = connp;
+
+ if ((af == AF_INET && connp->conn_ipversion != IPV4_VERSION) ||
+ (af == AF_INET6 && connp->conn_ipversion != IPV6_VERSION)) {
return (WALK_NEXT);
}
@@ -756,16 +731,16 @@ netstat_icmp_cb(uintptr_t kaddr, const void *walk_data, void *cb_data)
mdb_printf("%0?p %10s ", (uintptr_t)connp->conn_icmp, state);
if (af == AF_INET) {
- mdb_printf("%*I ", ADDR_V4_WIDTH,
- V4_PART_OF_V6((icmp.icmp_v6src)));
- mdb_printf("%*I ", ADDR_V4_WIDTH,
- V4_PART_OF_V6((icmp.icmp_v6dst.sin6_addr)));
+ net_ipv4addrport_pr(&connp->conn_laddr_v6, connp->conn_lport);
+ mdb_printf(" ");
+ net_ipv4addrport_pr(&connp->conn_faddr_v6, connp->conn_fport);
} else if (af == AF_INET6) {
- mdb_printf("%*N ", ADDR_V6_WIDTH, &icmp.icmp_v6src);
- mdb_printf("%*N ", ADDR_V6_WIDTH, &icmp.icmp_v6dst);
+ net_ipv6addrport_pr(&connp->conn_laddr_v6, connp->conn_lport);
+ mdb_printf(" ");
+ net_ipv6addrport_pr(&connp->conn_faddr_v6, connp->conn_fport);
}
mdb_printf(" %5i", ns_to_stackid((uintptr_t)connp->conn_netstack));
- mdb_printf(" %4i\n", icmp.icmp_zoneid);
+ mdb_printf(" %4i\n", connp->conn_zoneid);
return (WALK_NEXT);
}
@@ -881,57 +856,57 @@ get_ifname(const ire_t *ire, char *intf)
ill_t ill;
*intf = '\0';
- if (ire->ire_type == IRE_CACHE) {
- queue_t stq;
-
- if (mdb_vread(&stq, sizeof (stq), (uintptr_t)ire->ire_stq) ==
- -1)
- return;
- if (mdb_vread(&ill, sizeof (ill), (uintptr_t)stq.q_ptr) == -1)
+ if (ire->ire_ill != NULL) {
+ if (mdb_vread(&ill, sizeof (ill),
+ (uintptr_t)ire->ire_ill) == -1)
return;
(void) mdb_readstr(intf, MIN(LIFNAMSIZ, ill.ill_name_length),
(uintptr_t)ill.ill_name);
- } else if (ire->ire_ipif != NULL) {
- ipif_t ipif;
- char *cp;
-
- if (mdb_vread(&ipif, sizeof (ipif),
- (uintptr_t)ire->ire_ipif) == -1)
- return;
- if (mdb_vread(&ill, sizeof (ill), (uintptr_t)ipif.ipif_ill) ==
- -1)
- return;
- (void) mdb_readstr(intf, MIN(LIFNAMSIZ, ill.ill_name_length),
- (uintptr_t)ill.ill_name);
- if (ipif.ipif_id != 0) {
- cp = intf + strlen(intf);
- (void) mdb_snprintf(cp, LIFNAMSIZ + 1 - (cp - intf),
- ":%u", ipif.ipif_id);
- }
}
}
+const in6_addr_t ipv6_all_ones =
+ { 0xffffffffU, 0xffffffffU, 0xffffffffU, 0xffffffffU };
+
static void
-get_v4flags(const ire_t *ire, char *flags)
+get_ireflags(const ire_t *ire, char *flags)
{
(void) strcpy(flags, "U");
- if (ire->ire_type == IRE_DEFAULT || ire->ire_type == IRE_PREFIX ||
- ire->ire_type == IRE_HOST || ire->ire_type == IRE_HOST_REDIRECT)
+ /* RTF_INDIRECT wins over RTF_GATEWAY - don't display both */
+ if (ire->ire_flags & RTF_INDIRECT)
+ (void) strcat(flags, "I");
+ else if (ire->ire_type & IRE_OFFLINK)
(void) strcat(flags, "G");
- if (ire->ire_mask == IP_HOST_MASK)
- (void) strcat(flags, "H");
- if (ire->ire_type == IRE_HOST_REDIRECT)
+
+ /* IRE_IF_CLONE wins over RTF_HOST - don't display both */
+ if (ire->ire_type & IRE_IF_CLONE)
+ (void) strcat(flags, "C");
+ else if (ire->ire_ipversion == IPV4_VERSION) {
+ if (ire->ire_mask == IP_HOST_MASK)
+ (void) strcat(flags, "H");
+ } else {
+ if (IN6_ARE_ADDR_EQUAL(&ire->ire_mask_v6, &ipv6_all_ones))
+ (void) strcat(flags, "H");
+ }
+
+ if (ire->ire_flags & RTF_DYNAMIC)
(void) strcat(flags, "D");
- if (ire->ire_type == IRE_CACHE)
- (void) strcat(flags, "A");
if (ire->ire_type == IRE_BROADCAST)
- (void) strcat(flags, "B");
+ (void) strcat(flags, "b");
+ if (ire->ire_type == IRE_MULTICAST)
+ (void) strcat(flags, "m");
if (ire->ire_type == IRE_LOCAL)
(void) strcat(flags, "L");
+ if (ire->ire_type == IRE_NOROUTE)
+ (void) strcat(flags, "N");
if (ire->ire_flags & RTF_MULTIRT)
(void) strcat(flags, "M");
if (ire->ire_flags & RTF_SETSRC)
(void) strcat(flags, "S");
+ if (ire->ire_flags & RTF_REJECT)
+ (void) strcat(flags, "R");
+ if (ire->ire_flags & RTF_BLACKHOLE)
+ (void) strcat(flags, "B");
}
static int
@@ -945,8 +920,10 @@ netstat_irev4_cb(uintptr_t kaddr, const void *walk_data, void *cb_data)
if (ire->ire_ipversion != IPV4_VERSION)
return (WALK_NEXT);
- if (!(*opts & NETSTAT_ALL) && (ire->ire_type == IRE_CACHE ||
- ire->ire_type == IRE_BROADCAST || ire->ire_type == IRE_LOCAL))
+ /* Skip certain IREs by default */
+ if (!(*opts & NETSTAT_ALL) &&
+ (ire->ire_type &
+ (IRE_BROADCAST|IRE_LOCAL|IRE_MULTICAST|IRE_NOROUTE|IRE_IF_CLONE)))
return (WALK_NEXT);
if (*opts & NETSTAT_FIRST) {
@@ -966,10 +943,9 @@ netstat_irev4_cb(uintptr_t kaddr, const void *walk_data, void *cb_data)
}
}
- gate = (ire->ire_type & (IRE_INTERFACE|IRE_LOOPBACK|IRE_BROADCAST)) ?
- ire->ire_src_addr : ire->ire_gateway_addr;
+ gate = ire->ire_gateway_addr;
- get_v4flags(ire, flags);
+ get_ireflags(ire, flags);
get_ifname(ire, intf);
@@ -977,8 +953,8 @@ netstat_irev4_cb(uintptr_t kaddr, const void *walk_data, void *cb_data)
mdb_printf("%?p %-*I %-*I %-*I %-6s %5u%c %4u %3u %-3s %5u "
"%u\n", kaddr, ADDR_V4_WIDTH, ire->ire_addr, ADDR_V4_WIDTH,
ire->ire_mask, ADDR_V4_WIDTH, gate, intf,
- ire->ire_max_frag, ire->ire_frag_flag ? '*' : ' ',
- ire->ire_uinfo.iulp_rtt, ire->ire_refcnt, flags,
+ 0, ' ',
+ ire->ire_metrics.iulp_rtt, ire->ire_refcnt, flags,
ire->ire_ob_pkt_count, ire->ire_ib_pkt_count);
} else {
mdb_printf("%?p %-*I %-*I %-5s %4u %5u %s\n", kaddr,
@@ -1025,7 +1001,10 @@ netstat_irev6_cb(uintptr_t kaddr, const void *walk_data, void *cb_data)
if (ire->ire_ipversion != IPV6_VERSION)
return (WALK_NEXT);
- if (!(*opts & NETSTAT_ALL) && ire->ire_type == IRE_CACHE)
+ /* Skip certain IREs by default */
+ if (!(*opts & NETSTAT_ALL) &&
+ (ire->ire_type &
+ (IRE_BROADCAST|IRE_LOCAL|IRE_MULTICAST|IRE_NOROUTE|IRE_IF_CLONE)))
return (WALK_NEXT);
if (*opts & NETSTAT_FIRST) {
@@ -1045,37 +1024,21 @@ netstat_irev6_cb(uintptr_t kaddr, const void *walk_data, void *cb_data)
}
}
- gatep = (ire->ire_type & (IRE_INTERFACE|IRE_LOOPBACK)) ?
- &ire->ire_src_addr_v6 : &ire->ire_gateway_addr_v6;
+ gatep = &ire->ire_gateway_addr_v6;
masklen = ip_mask_to_plen_v6(&ire->ire_mask_v6);
(void) mdb_snprintf(deststr, sizeof (deststr), "%N/%d",
&ire->ire_addr_v6, masklen);
- (void) strcpy(flags, "U");
- if (ire->ire_type == IRE_DEFAULT || ire->ire_type == IRE_PREFIX ||
- ire->ire_type == IRE_HOST || ire->ire_type == IRE_HOST_REDIRECT)
- (void) strcat(flags, "G");
- if (masklen == IPV6_ABITS)
- (void) strcat(flags, "H");
- if (ire->ire_type == IRE_HOST_REDIRECT)
- (void) strcat(flags, "D");
- if (ire->ire_type == IRE_CACHE)
- (void) strcat(flags, "A");
- if (ire->ire_type == IRE_LOCAL)
- (void) strcat(flags, "L");
- if (ire->ire_flags & RTF_MULTIRT)
- (void) strcat(flags, "M");
- if (ire->ire_flags & RTF_SETSRC)
- (void) strcat(flags, "S");
+ get_ireflags(ire, flags);
get_ifname(ire, intf);
if (*opts & NETSTAT_VERBOSE) {
mdb_printf("%?p %-*s %-*N %-5s %5u%c %5u %3u %-5s %6u %u\n",
kaddr, ADDR_V6_WIDTH+4, deststr, ADDR_V6_WIDTH, gatep,
- intf, ire->ire_max_frag, ire->ire_frag_flag ? '*' : ' ',
- ire->ire_uinfo.iulp_rtt, ire->ire_refcnt,
+ intf, 0, ' ',
+ ire->ire_metrics.iulp_rtt, ire->ire_refcnt,
flags, ire->ire_ob_pkt_count, ire->ire_ib_pkt_count);
} else {
mdb_printf("%?p %-*s %-*N %-5s %3u %6u %s\n", kaddr,
diff --git a/usr/src/cmd/mdb/common/modules/genunix/net.h b/usr/src/cmd/mdb/common/modules/genunix/net.h
index f2d441e78c..f72d75f75a 100644
--- a/usr/src/cmd/mdb/common/modules/genunix/net.h
+++ b/usr/src/cmd/mdb/common/modules/genunix/net.h
@@ -30,7 +30,6 @@
extern "C" {
#endif
-extern struct mi_payload_walk_arg_s mi_ar_arg;
extern struct mi_payload_walk_arg_s mi_icmp_arg;
extern struct mi_payload_walk_arg_s mi_ill_arg;
@@ -42,8 +41,6 @@ extern int mi_walk_step(mdb_walk_state_t *);
extern void mi_walk_fini(mdb_walk_state_t *);
extern int mi_payload_walk_init(mdb_walk_state_t *);
extern int mi_payload_walk_step(mdb_walk_state_t *);
-extern int ar_stacks_walk_init(mdb_walk_state_t *);
-extern int ar_stacks_walk_step(mdb_walk_state_t *);
extern int icmp_stacks_walk_init(mdb_walk_state_t *);
extern int icmp_stacks_walk_step(mdb_walk_state_t *);
extern int tcp_stacks_walk_init(mdb_walk_state_t *);
diff --git a/usr/src/cmd/mdb/common/modules/genunix/streams.c b/usr/src/cmd/mdb/common/modules/genunix/streams.c
index 0458589309..d0095c7752 100644
--- a/usr/src/cmd/mdb/common/modules/genunix/streams.c
+++ b/usr/src/cmd/mdb/common/modules/genunix/streams.c
@@ -172,7 +172,6 @@ static const struct str_flags mbf[] = {
{ SF(0x08), "unused" },
{ SF(MSGMARKNEXT), "Private: b_next's first byte marked" },
{ SF(MSGNOTMARKNEXT), "Private: ... not marked" },
- { SF(MSGHASREF), "Private: msg has reference to owner" },
{ 0, NULL, NULL }
};
diff --git a/usr/src/cmd/mdb/common/modules/genunix/vfs.c b/usr/src/cmd/mdb/common/modules/genunix/vfs.c
index 45dc27af23..8001c41b3c 100644
--- a/usr/src/cmd/mdb/common/modules/genunix/vfs.c
+++ b/usr/src/cmd/mdb/common/modules/genunix/vfs.c
@@ -572,8 +572,9 @@ sctp_getsockaddr(sctp_t *sctp, struct sockaddr *addr)
sin_t *sin4;
int scanned = 0;
boolean_t skip_lback = B_FALSE;
+ conn_t *connp = sctp->sctp_connp;
- addr->sa_family = sctp->sctp_family;
+ addr->sa_family = connp->conn_family;
if (sctp->sctp_nsaddrs == 0)
goto done;
@@ -636,18 +637,18 @@ sctp_getsockaddr(sctp_t *sctp, struct sockaddr *addr)
continue;
}
- switch (sctp->sctp_family) {
+ switch (connp->conn_family) {
case AF_INET:
/* LINTED: alignment */
sin4 = (sin_t *)addr;
if ((sctp->sctp_state <= SCTPS_LISTEN) &&
sctp->sctp_bound_to_all) {
sin4->sin_addr.s_addr = INADDR_ANY;
- sin4->sin_port = sctp->sctp_lport;
+ sin4->sin_port = connp->conn_lport;
} else {
sin4 += added;
sin4->sin_family = AF_INET;
- sin4->sin_port = sctp->sctp_lport;
+ sin4->sin_port = connp->conn_lport;
IN6_V4MAPPED_TO_INADDR(&laddr,
&sin4->sin_addr);
}
@@ -660,15 +661,14 @@ sctp_getsockaddr(sctp_t *sctp, struct sockaddr *addr)
sctp->sctp_bound_to_all) {
bzero(&sin6->sin6_addr,
sizeof (sin6->sin6_addr));
- sin6->sin6_port = sctp->sctp_lport;
+ sin6->sin6_port = connp->conn_lport;
} else {
sin6 += added;
sin6->sin6_family = AF_INET6;
- sin6->sin6_port = sctp->sctp_lport;
+ sin6->sin6_port = connp->conn_lport;
sin6->sin6_addr = laddr;
}
- sin6->sin6_flowinfo = sctp->sctp_ip6h->ip6_vcf &
- ~IPV6_VERS_AND_FLOW_MASK;
+ sin6->sin6_flowinfo = connp->conn_flowinfo;
sin6->sin6_scope_id = 0;
sin6->__sin6_src_id = 0;
break;
@@ -712,11 +712,12 @@ sctp_getpeeraddr(sctp_t *sctp, struct sockaddr *addr)
struct sockaddr_in6 *sin6;
sctp_faddr_t sctp_primary;
in6_addr_t faddr;
+ conn_t *connp = sctp->sctp_connp;
if (sctp->sctp_faddrs == NULL)
return (-1);
- addr->sa_family = sctp->sctp_family;
+ addr->sa_family = connp->conn_family;
if (mdb_vread(&sctp_primary, sizeof (sctp_faddr_t),
(uintptr_t)sctp->sctp_primary) == -1) {
mdb_warn("failed to read sctp primary faddr");
@@ -724,12 +725,12 @@ sctp_getpeeraddr(sctp_t *sctp, struct sockaddr *addr)
}
faddr = sctp_primary.faddr;
- switch (sctp->sctp_family) {
+ switch (connp->conn_family) {
case AF_INET:
/* LINTED: alignment */
sin4 = (struct sockaddr_in *)addr;
IN6_V4MAPPED_TO_INADDR(&faddr, &sin4->sin_addr);
- sin4->sin_port = sctp->sctp_fport;
+ sin4->sin_port = connp->conn_fport;
sin4->sin_family = AF_INET;
break;
@@ -737,7 +738,7 @@ sctp_getpeeraddr(sctp_t *sctp, struct sockaddr *addr)
/* LINTED: alignment */
sin6 = (struct sockaddr_in6 *)addr;
sin6->sin6_addr = faddr;
- sin6->sin6_port = sctp->sctp_fport;
+ sin6->sin6_port = connp->conn_fport;
sin6->sin6_family = AF_INET6;
sin6->sin6_flowinfo = 0;
sin6->sin6_scope_id = 0;
@@ -797,7 +798,7 @@ tcpip_sock_print(struct sonode *socknode)
mdb_printf("socket: ");
mdb_nhconvert(&port, &conn_t.conn_lport, sizeof (port));
- mdb_printf("AF_INET %I %d ", conn_t.conn_src, port);
+ mdb_printf("AF_INET %I %d ", conn_t.conn_laddr_v4, port);
/*
* If this is a listening socket, we don't print
@@ -807,7 +808,8 @@ tcpip_sock_print(struct sonode *socknode)
IPCL_IS_UDP(&conn_t) && IPCL_IS_CONNECTED(&conn_t)) {
mdb_printf("remote: ");
mdb_nhconvert(&port, &conn_t.conn_fport, sizeof (port));
- mdb_printf("AF_INET %I %d ", conn_t.conn_rem, port);
+ mdb_printf("AF_INET %I %d ", conn_t.conn_faddr_v4,
+ port);
}
break;
@@ -826,7 +828,7 @@ tcpip_sock_print(struct sonode *socknode)
mdb_printf("socket: ");
mdb_nhconvert(&port, &conn_t.conn_lport, sizeof (port));
- mdb_printf("AF_INET6 %N %d ", &conn_t.conn_srcv6, port);
+ mdb_printf("AF_INET6 %N %d ", &conn_t.conn_laddr_v4, port);
/*
* If this is a listening socket, we don't print
@@ -836,7 +838,8 @@ tcpip_sock_print(struct sonode *socknode)
IPCL_IS_UDP(&conn_t) && IPCL_IS_CONNECTED(&conn_t)) {
mdb_printf("remote: ");
mdb_nhconvert(&port, &conn_t.conn_fport, sizeof (port));
- mdb_printf("AF_INET6 %N %d ", &conn_t.conn_remv6, port);
+ mdb_printf("AF_INET6 %N %d ", &conn_t.conn_faddr_v6,
+ port);
}
break;
@@ -854,6 +857,7 @@ static int
sctp_sock_print(struct sonode *socknode)
{
sctp_t sctp_t;
+ conn_t conns;
struct sockaddr *laddr = mdb_alloc(sizeof (struct sockaddr), UM_SLEEP);
struct sockaddr *faddr = mdb_alloc(sizeof (struct sockaddr), UM_SLEEP);
@@ -864,6 +868,14 @@ sctp_sock_print(struct sonode *socknode)
return (-1);
}
+ if (mdb_vread(&conns, sizeof (conn_t),
+ (uintptr_t)sctp_t.sctp_connp) == -1) {
+ mdb_warn("failed to read conn_t at %p",
+ (uintptr_t)sctp_t.sctp_connp);
+ return (-1);
+ }
+ sctp_t.sctp_connp = &conns;
+
if (sctp_getsockaddr(&sctp_t, laddr) == 0) {
mdb_printf("socket:");
pfiles_print_addr(laddr);
diff --git a/usr/src/cmd/mdb/common/modules/ip/ip.c b/usr/src/cmd/mdb/common/modules/ip/ip.c
index 28f21efe1f..da94942eae 100644
--- a/usr/src/cmd/mdb/common/modules/ip/ip.c
+++ b/usr/src/cmd/mdb/common/modules/ip/ip.c
@@ -52,6 +52,7 @@
#include <ilb/ilb_nat.h>
#include <ilb/ilb_conn.h>
#include <sys/dlpi.h>
+#include <sys/zone.h>
#include <mdb/mdb_modapi.h>
#include <mdb/mdb_ks.h>
@@ -84,15 +85,20 @@ typedef struct illif_walk_data {
ill_if_t ill_if;
} illif_walk_data_t;
-typedef struct nce_walk_data_s {
- struct ndp_g_s nce_ip_ndp;
- int nce_hash_tbl_index;
- nce_t nce;
-} nce_walk_data_t;
+typedef struct ncec_walk_data_s {
+ struct ndp_g_s ncec_ip_ndp;
+ int ncec_hash_tbl_index;
+ ncec_t ncec;
+} ncec_walk_data_t;
+
+typedef struct ncec_cbdata_s {
+ uintptr_t ncec_addr;
+ int ncec_ipversion;
+} ncec_cbdata_t;
typedef struct nce_cbdata_s {
- uintptr_t nce_addr;
- int nce_ipversion;
+ int nce_ipversion;
+ char nce_ill_name[LIFNAMSIZ];
} nce_cbdata_t;
typedef struct ire_cbdata_s {
@@ -100,6 +106,12 @@ typedef struct ire_cbdata_s {
boolean_t verbose;
} ire_cbdata_t;
+typedef struct zi_cbdata_s {
+ const char *zone_name;
+ ip_stack_t *ipst;
+ boolean_t shared_ip_zone;
+} zi_cbdata_t;
+
typedef struct th_walk_data {
uint_t thw_non_zero_only;
boolean_t thw_match;
@@ -122,6 +134,7 @@ typedef struct ill_walk_data_s {
typedef struct ill_cbdata_s {
uintptr_t ill_addr;
int ill_ipversion;
+ ip_stack_t *ill_ipst;
boolean_t verbose;
} ill_cbdata_t;
@@ -156,7 +169,7 @@ static hash_walk_arg_t bind_hash_arg = {
};
static hash_walk_arg_t proto_hash_arg = {
- OFFSETOF(ip_stack_t, ips_ipcl_proto_fanout),
+ OFFSETOF(ip_stack_t, ips_ipcl_proto_fanout_v4),
0
};
@@ -210,13 +223,15 @@ static void ip_list_walk_fini(mdb_walk_state_t *);
static int srcid_walk_step(mdb_walk_state_t *);
static int ire_format(uintptr_t addr, const void *, void *);
-static int nce_format(uintptr_t addr, const nce_t *nce, int ipversion);
-static int nce(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv);
-static int nce_walk_step(mdb_walk_state_t *wsp);
-static int nce_stack_walk_init(mdb_walk_state_t *wsp);
-static int nce_stack_walk_step(mdb_walk_state_t *wsp);
-static void nce_stack_walk_fini(mdb_walk_state_t *wsp);
-static int nce_cb(uintptr_t addr, const nce_walk_data_t *iw, nce_cbdata_t *id);
+static int ncec_format(uintptr_t addr, const ncec_t *ncec, int ipversion);
+static int ncec(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv);
+static int ncec_walk_step(mdb_walk_state_t *wsp);
+static int ncec_stack_walk_init(mdb_walk_state_t *wsp);
+static int ncec_stack_walk_step(mdb_walk_state_t *wsp);
+static void ncec_stack_walk_fini(mdb_walk_state_t *wsp);
+static int ncec_cb(uintptr_t addr, const ncec_walk_data_t *iw,
+ ncec_cbdata_t *id);
+static char *nce_l2_addr(const nce_t *, const ill_t *);
static int ipcl_hash_walk_init(mdb_walk_state_t *);
static int ipcl_hash_walk_step(mdb_walk_state_t *);
@@ -262,6 +277,69 @@ ips_to_stackid(uintptr_t kaddr)
return (nss.netstack_stackid);
}
+/* ARGSUSED */
+static int
+zone_to_ips_cb(uintptr_t addr, const void *zi_arg, void *zi_cb_arg)
+{
+ zi_cbdata_t *zi_cb = zi_cb_arg;
+ zone_t zone;
+ char zone_name[ZONENAME_MAX];
+ netstack_t ns;
+
+ if (mdb_vread(&zone, sizeof (zone_t), addr) == -1) {
+ mdb_warn("can't read zone at %p", addr);
+ return (WALK_ERR);
+ }
+
+ (void) mdb_readstr(zone_name, ZONENAME_MAX, (uintptr_t)zone.zone_name);
+
+ if (strcmp(zi_cb->zone_name, zone_name) != 0)
+ return (WALK_NEXT);
+
+ zi_cb->shared_ip_zone = (!(zone.zone_flags & ZF_NET_EXCL) &&
+ (strcmp(zone_name, "global") != 0));
+
+ if (mdb_vread(&ns, sizeof (netstack_t), (uintptr_t)zone.zone_netstack)
+ == -1) {
+ mdb_warn("can't read netstack at %p", zone.zone_netstack);
+ return (WALK_ERR);
+ }
+
+ zi_cb->ipst = ns.netstack_ip;
+ return (WALK_DONE);
+}
+
+static ip_stack_t *
+zone_to_ips(const char *zone_name)
+{
+ zi_cbdata_t zi_cb;
+
+ if (zone_name == NULL)
+ return (NULL);
+
+ zi_cb.zone_name = zone_name;
+ zi_cb.ipst = NULL;
+ zi_cb.shared_ip_zone = B_FALSE;
+
+ if (mdb_walk("zone", (mdb_walk_cb_t)zone_to_ips_cb, &zi_cb) == -1) {
+ mdb_warn("failed to walk zone");
+ return (NULL);
+ }
+
+ if (zi_cb.shared_ip_zone) {
+ mdb_warn("%s is a Shared-IP zone, try '-s global' instead\n",
+ zone_name);
+ return (NULL);
+ }
+
+ if (zi_cb.ipst == NULL) {
+ mdb_warn("failed to find zone %s\n", zone_name);
+ return (NULL);
+ }
+
+ return (zi_cb.ipst);
+}
+
int
ip_stacks_walk_init(mdb_walk_state_t *wsp)
{
@@ -529,10 +607,10 @@ illif_help(void)
}
int
-ire_walk_init(mdb_walk_state_t *wsp)
+nce_walk_init(mdb_walk_state_t *wsp)
{
- if (mdb_layered_walk("ire_cache", wsp) == -1) {
- mdb_warn("can't walk 'ire_cache'");
+ if (mdb_layered_walk("nce_cache", wsp) == -1) {
+ mdb_warn("can't walk 'nce_cache'");
return (WALK_ERR);
}
@@ -540,60 +618,129 @@ ire_walk_init(mdb_walk_state_t *wsp)
}
int
-ire_walk_step(mdb_walk_state_t *wsp)
+nce_walk_step(mdb_walk_state_t *wsp)
{
- ire_t ire;
+ nce_t nce;
- if (mdb_vread(&ire, sizeof (ire), wsp->walk_addr) == -1) {
- mdb_warn("can't read ire at %p", wsp->walk_addr);
+ if (mdb_vread(&nce, sizeof (nce), wsp->walk_addr) == -1) {
+ mdb_warn("can't read nce at %p", wsp->walk_addr);
return (WALK_ERR);
}
- return (wsp->walk_callback(wsp->walk_addr, &ire, wsp->walk_cbdata));
+ return (wsp->walk_callback(wsp->walk_addr, &nce, wsp->walk_cbdata));
}
+static int
+nce_format(uintptr_t addr, const nce_t *ncep, void *nce_cb_arg)
+{
+ nce_cbdata_t *nce_cb = nce_cb_arg;
+ ill_t ill;
+ char ill_name[LIFNAMSIZ];
+ ncec_t ncec;
+
+ if (mdb_vread(&ncec, sizeof (ncec),
+ (uintptr_t)ncep->nce_common) == -1) {
+ mdb_warn("can't read ncec at %p", ncep->nce_common);
+ return (WALK_NEXT);
+ }
+ if (nce_cb->nce_ipversion != 0 &&
+ ncec.ncec_ipversion != nce_cb->nce_ipversion)
+ return (WALK_NEXT);
+
+ if (mdb_vread(&ill, sizeof (ill), (uintptr_t)ncep->nce_ill) == -1) {
+ mdb_snprintf(ill_name, sizeof (ill_name), "--");
+ } else {
+ (void) mdb_readstr(ill_name,
+ MIN(LIFNAMSIZ, ill.ill_name_length),
+ (uintptr_t)ill.ill_name);
+ }
+
+ if (nce_cb->nce_ill_name[0] != '\0' &&
+ strncmp(nce_cb->nce_ill_name, ill_name, LIFNAMSIZ) != 0)
+ return (WALK_NEXT);
+
+ if (ncec.ncec_ipversion == IPV6_VERSION) {
+
+ mdb_printf("%?p %5s %-18s %?p %6d %N\n",
+ addr, ill_name,
+ nce_l2_addr(ncep, &ill),
+ ncep->nce_fp_mp,
+ ncep->nce_refcnt,
+ &ncep->nce_addr);
+
+ } else {
+ struct in_addr nceaddr;
+
+ IN6_V4MAPPED_TO_INADDR(&ncep->nce_addr, &nceaddr);
+ mdb_printf("%?p %5s %-18s %?p %6d %I\n",
+ addr, ill_name,
+ nce_l2_addr(ncep, &ill),
+ ncep->nce_fp_mp,
+ ncep->nce_refcnt,
+ nceaddr.s_addr);
+ }
+
+ return (WALK_NEXT);
+}
int
-ire_ctable_walk_step(mdb_walk_state_t *wsp)
+dce_walk_init(mdb_walk_state_t *wsp)
{
- uintptr_t kaddr;
- irb_t *irb;
- uint32_t cache_table_size;
- int i;
- ire_cbdata_t ire_cb;
+ wsp->walk_data = (void *)wsp->walk_addr;
- ire_cb.verbose = B_FALSE;
- ire_cb.ire_ipversion = 0;
+ if (mdb_layered_walk("dce_cache", wsp) == -1) {
+ mdb_warn("can't walk 'dce_cache'");
+ return (WALK_ERR);
+ }
+ return (WALK_NEXT);
+}
- kaddr = wsp->walk_addr + OFFSETOF(ip_stack_t, ips_ip_cache_table_size);
+int
+dce_walk_step(mdb_walk_state_t *wsp)
+{
+ dce_t dce;
- if (mdb_vread(&cache_table_size, sizeof (uint32_t), kaddr) == -1) {
- mdb_warn("can't read ips_ip_cache_table at %p", kaddr);
+ if (mdb_vread(&dce, sizeof (dce), wsp->walk_addr) == -1) {
+ mdb_warn("can't read dce at %p", wsp->walk_addr);
return (WALK_ERR);
}
- kaddr = wsp->walk_addr + OFFSETOF(ip_stack_t, ips_ip_cache_table);
- if (mdb_vread(&kaddr, sizeof (kaddr), kaddr) == -1) {
- mdb_warn("can't read ips_ip_cache_table at %p", kaddr);
+ /* If ip_stack_t is specified, skip DCEs that don't belong to it. */
+ if ((wsp->walk_data != NULL) && (wsp->walk_data != dce.dce_ipst))
+ return (WALK_NEXT);
+
+ return (wsp->walk_callback(wsp->walk_addr, &dce, wsp->walk_cbdata));
+}
+
+int
+ire_walk_init(mdb_walk_state_t *wsp)
+{
+ wsp->walk_data = (void *)wsp->walk_addr;
+
+ if (mdb_layered_walk("ire_cache", wsp) == -1) {
+ mdb_warn("can't walk 'ire_cache'");
return (WALK_ERR);
}
- irb = mdb_alloc(sizeof (irb_t) * cache_table_size, UM_SLEEP|UM_GC);
- if (mdb_vread(irb, sizeof (irb_t) * cache_table_size, kaddr) == -1) {
- mdb_warn("can't read irb at %p", kaddr);
+ return (WALK_NEXT);
+}
+
+int
+ire_walk_step(mdb_walk_state_t *wsp)
+{
+ ire_t ire;
+
+ if (mdb_vread(&ire, sizeof (ire), wsp->walk_addr) == -1) {
+ mdb_warn("can't read ire at %p", wsp->walk_addr);
return (WALK_ERR);
}
- for (i = 0; i < cache_table_size; i++) {
- kaddr = (uintptr_t)irb[i].irb_ire;
- if (mdb_pwalk("ire_next", ire_format, &ire_cb,
- kaddr) == -1) {
- mdb_warn("can't walk 'ire_next' for ire %p", kaddr);
- return (WALK_ERR);
- }
- }
- return (WALK_NEXT);
+ /* If ip_stack_t is specified, skip IREs that don't belong to it. */
+ if ((wsp->walk_data != NULL) && (wsp->walk_data != ire.ire_ipst))
+ return (WALK_NEXT);
+
+ return (wsp->walk_callback(wsp->walk_addr, &ire, wsp->walk_cbdata));
}
/* ARGSUSED */
@@ -633,6 +780,9 @@ ire_format(uintptr_t addr, const void *ire_arg, void *ire_cb_arg)
const ire_t *irep = ire_arg;
ire_cbdata_t *ire_cb = ire_cb_arg;
boolean_t verbose = ire_cb->verbose;
+ ill_t ill;
+ char ill_name[LIFNAMSIZ];
+ boolean_t condemned = irep->ire_generation == IRE_GENERATION_CONDEMNED;
static const mdb_bitmask_t tmasks[] = {
{ "BROADCAST", IRE_BROADCAST, IRE_BROADCAST },
@@ -640,22 +790,12 @@ ire_format(uintptr_t addr, const void *ire_arg, void *ire_cb_arg)
{ "LOCAL", IRE_LOCAL, IRE_LOCAL },
{ "LOOPBACK", IRE_LOOPBACK, IRE_LOOPBACK },
{ "PREFIX", IRE_PREFIX, IRE_PREFIX },
- { "CACHE", IRE_CACHE, IRE_CACHE },
+ { "MULTICAST", IRE_MULTICAST, IRE_MULTICAST },
+ { "NOROUTE", IRE_NOROUTE, IRE_NOROUTE },
{ "IF_NORESOLVER", IRE_IF_NORESOLVER, IRE_IF_NORESOLVER },
{ "IF_RESOLVER", IRE_IF_RESOLVER, IRE_IF_RESOLVER },
+ { "IF_CLONE", IRE_IF_CLONE, IRE_IF_CLONE },
{ "HOST", IRE_HOST, IRE_HOST },
- { "HOST_REDIRECT", IRE_HOST_REDIRECT, IRE_HOST_REDIRECT },
- { NULL, 0, 0 }
- };
-
- static const mdb_bitmask_t mmasks[] = {
- { "CONDEMNED", IRE_MARK_CONDEMNED, IRE_MARK_CONDEMNED },
- { "TESTHIDDEN", IRE_MARK_TESTHIDDEN, IRE_MARK_TESTHIDDEN },
- { "NOADD", IRE_MARK_NOADD, IRE_MARK_NOADD },
- { "TEMPORARY", IRE_MARK_TEMPORARY, IRE_MARK_TEMPORARY },
- { "USESRC", IRE_MARK_USESRC_CHECK, IRE_MARK_USESRC_CHECK },
- { "PRIVATE", IRE_MARK_PRIVATE_ADDR, IRE_MARK_PRIVATE_ADDR },
- { "UNCACHED", IRE_MARK_UNCACHED, IRE_MARK_UNCACHED },
{ NULL, 0, 0 }
};
@@ -678,6 +818,7 @@ ire_format(uintptr_t addr, const void *ire_arg, void *ire_cb_arg)
{ "PROTO1", RTF_PROTO1, RTF_PROTO1 },
{ "MULTIRT", RTF_MULTIRT, RTF_MULTIRT },
{ "SETSRC", RTF_SETSRC, RTF_SETSRC },
+ { "INDIRECT", RTF_INDIRECT, RTF_INDIRECT },
{ NULL, 0, 0 }
};
@@ -685,40 +826,53 @@ ire_format(uintptr_t addr, const void *ire_arg, void *ire_cb_arg)
irep->ire_ipversion != ire_cb->ire_ipversion)
return (WALK_NEXT);
+ if (mdb_vread(&ill, sizeof (ill), (uintptr_t)irep->ire_ill) == -1) {
+ mdb_snprintf(ill_name, sizeof (ill_name), "--");
+ } else {
+ (void) mdb_readstr(ill_name,
+ MIN(LIFNAMSIZ, ill.ill_name_length),
+ (uintptr_t)ill.ill_name);
+ }
+
if (irep->ire_ipversion == IPV6_VERSION && verbose) {
- mdb_printf("%<b>%?p%</b> %40N <%hb>\n"
- "%?s %40N <%hb>\n"
- "%?s %40d %4d <%hb>\n",
- addr, &irep->ire_src_addr_v6, irep->ire_type, tmasks,
- "", &irep->ire_addr_v6, (ushort_t)irep->ire_marks, mmasks,
+ mdb_printf("%<b>%?p%</b>%3s %40N <%hb%s>\n"
+ "%?s %40N\n"
+ "%?s %40d %4d <%hb> %s\n",
+ addr, condemned ? "(C)" : "", &irep->ire_setsrc_addr_v6,
+ irep->ire_type, tmasks,
+ (irep->ire_testhidden ? ", HIDDEN" : ""),
+ "", &irep->ire_addr_v6,
"", ips_to_stackid((uintptr_t)irep->ire_ipst),
irep->ire_zoneid,
- irep->ire_flags, fmasks);
+ irep->ire_flags, fmasks, ill_name);
} else if (irep->ire_ipversion == IPV6_VERSION) {
- mdb_printf("%?p %30N %30N %5d %4d\n",
- addr, &irep->ire_src_addr_v6,
+ mdb_printf("%?p%3s %30N %30N %5d %4d %s\n",
+ addr, condemned ? "(C)" : "", &irep->ire_setsrc_addr_v6,
&irep->ire_addr_v6,
ips_to_stackid((uintptr_t)irep->ire_ipst),
- irep->ire_zoneid);
+ irep->ire_zoneid, ill_name);
} else if (verbose) {
- mdb_printf("%<b>%?p%</b> %40I <%hb>\n"
- "%?s %40I <%hb>\n"
- "%?s %40d %4d <%hb>\n",
- addr, irep->ire_src_addr, irep->ire_type, tmasks,
- "", irep->ire_addr, (ushort_t)irep->ire_marks, mmasks,
+ mdb_printf("%<b>%?p%</b>%3s %40I <%hb%s>\n"
+ "%?s %40I\n"
+ "%?s %40d %4d <%hb> %s\n",
+ addr, condemned ? "(C)" : "", irep->ire_setsrc_addr,
+ irep->ire_type, tmasks,
+ (irep->ire_testhidden ? ", HIDDEN" : ""),
+ "", irep->ire_addr,
"", ips_to_stackid((uintptr_t)irep->ire_ipst),
- irep->ire_zoneid, irep->ire_flags, fmasks);
+ irep->ire_zoneid, irep->ire_flags, fmasks, ill_name);
} else {
- mdb_printf("%?p %30I %30I %5d %4d\n", addr, irep->ire_src_addr,
+ mdb_printf("%?p%3s %30I %30I %5d %4d %s\n", addr,
+ condemned ? "(C)" : "", irep->ire_setsrc_addr,
irep->ire_addr, ips_to_stackid((uintptr_t)irep->ire_ipst),
- irep->ire_zoneid);
+ irep->ire_zoneid, ill_name);
}
return (WALK_NEXT);
@@ -1040,6 +1194,140 @@ ip6hdr(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
}
int
+nce(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
+{
+ nce_t nce;
+ nce_cbdata_t nce_cb;
+ int ipversion = 0;
+ const char *opt_P = NULL, *opt_ill;
+
+ if (mdb_getopts(argc, argv,
+ 'i', MDB_OPT_STR, &opt_ill,
+ 'P', MDB_OPT_STR, &opt_P, NULL) != argc)
+ return (DCMD_USAGE);
+
+ if (opt_P != NULL) {
+ if (strcmp("v4", opt_P) == 0) {
+ ipversion = IPV4_VERSION;
+ } else if (strcmp("v6", opt_P) == 0) {
+ ipversion = IPV6_VERSION;
+ } else {
+ mdb_warn("invalid protocol '%s'\n", opt_P);
+ return (DCMD_USAGE);
+ }
+ }
+
+ if ((flags & DCMD_LOOPFIRST) || !(flags & DCMD_LOOP)) {
+ mdb_printf("%<u>%?s %5s %18s %?s %s %s %</u>\n",
+ "ADDR", "INTF", "LLADDR", "FP_MP", "REFCNT",
+ "NCE_ADDR");
+ }
+
+ bzero(&nce_cb, sizeof (nce_cb));
+ if (opt_ill != NULL) {
+ strcpy(nce_cb.nce_ill_name, opt_ill);
+ }
+ nce_cb.nce_ipversion = ipversion;
+
+ if (flags & DCMD_ADDRSPEC) {
+ (void) mdb_vread(&nce, sizeof (nce_t), addr);
+ (void) nce_format(addr, &nce, &nce_cb);
+ } else if (mdb_walk("nce", (mdb_walk_cb_t)nce_format, &nce_cb) == -1) {
+ mdb_warn("failed to walk ire table");
+ return (DCMD_ERR);
+ }
+
+ return (DCMD_OK);
+}
+
+/* ARGSUSED */
+static int
+dce_format(uintptr_t addr, const dce_t *dcep, void *dce_cb_arg)
+{
+ static const mdb_bitmask_t dmasks[] = {
+ { "D", DCEF_DEFAULT, DCEF_DEFAULT },
+ { "P", DCEF_PMTU, DCEF_PMTU },
+ { "U", DCEF_UINFO, DCEF_UINFO },
+ { "S", DCEF_TOO_SMALL_PMTU, DCEF_TOO_SMALL_PMTU },
+ { NULL, 0, 0 }
+ };
+ char flagsbuf[2 * A_CNT(dmasks)];
+ int ipversion = *(int *)dce_cb_arg;
+ boolean_t condemned = dcep->dce_generation == DCE_GENERATION_CONDEMNED;
+
+ if (ipversion != 0 && ipversion != dcep->dce_ipversion)
+ return (WALK_NEXT);
+
+ mdb_snprintf(flagsbuf, sizeof (flagsbuf), "%b", dcep->dce_flags,
+ dmasks);
+
+ switch (dcep->dce_ipversion) {
+ case IPV4_VERSION:
+ mdb_printf("%<u>%?p%3s %8s %8d %30I %</u>\n", addr, condemned ?
+ "(C)" : "", flagsbuf, dcep->dce_pmtu, &dcep->dce_v4addr);
+ break;
+ case IPV6_VERSION:
+ mdb_printf("%<u>%?p%3s %8s %8d %30N %</u>\n", addr, condemned ?
+ "(C)" : "", flagsbuf, dcep->dce_pmtu, &dcep->dce_v6addr);
+ break;
+ default:
+ mdb_printf("%<u>%?p%3s %8s %8d %30s %</u>\n", addr, condemned ?
+ "(C)" : "", flagsbuf, dcep->dce_pmtu, "");
+ }
+
+ return (WALK_NEXT);
+}
+
+int
+dce(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
+{
+ dce_t dce;
+ const char *opt_P = NULL;
+ const char *zone_name = NULL;
+ ip_stack_t *ipst = NULL;
+ int ipversion = 0;
+
+ if (mdb_getopts(argc, argv,
+ 's', MDB_OPT_STR, &zone_name,
+ 'P', MDB_OPT_STR, &opt_P, NULL) != argc)
+ return (DCMD_USAGE);
+
+ /* Follow the specified zone name to find a ip_stack_t*. */
+ if (zone_name != NULL) {
+ ipst = zone_to_ips(zone_name);
+ if (ipst == NULL)
+ return (DCMD_USAGE);
+ }
+
+ if (opt_P != NULL) {
+ if (strcmp("v4", opt_P) == 0) {
+ ipversion = IPV4_VERSION;
+ } else if (strcmp("v6", opt_P) == 0) {
+ ipversion = IPV6_VERSION;
+ } else {
+ mdb_warn("invalid protocol '%s'\n", opt_P);
+ return (DCMD_USAGE);
+ }
+ }
+
+ if ((flags & DCMD_LOOPFIRST) || !(flags & DCMD_LOOP)) {
+ mdb_printf("%<u>%?s%3s %8s %8s %30s %</u>\n",
+ "ADDR", "", "FLAGS", "PMTU", "DST_ADDR");
+ }
+
+ if (flags & DCMD_ADDRSPEC) {
+ (void) mdb_vread(&dce, sizeof (dce_t), addr);
+ (void) dce_format(addr, &dce, &ipversion);
+ } else if (mdb_pwalk("dce", (mdb_walk_cb_t)dce_format, &ipversion,
+ (uintptr_t)ipst) == -1) {
+ mdb_warn("failed to walk dce cache");
+ return (DCMD_ERR);
+ }
+
+ return (DCMD_OK);
+}
+
+int
ire(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
{
uint_t verbose = FALSE;
@@ -1047,12 +1335,22 @@ ire(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
ire_cbdata_t ire_cb;
int ipversion = 0;
const char *opt_P = NULL;
+ const char *zone_name = NULL;
+ ip_stack_t *ipst = NULL;
if (mdb_getopts(argc, argv,
'v', MDB_OPT_SETBITS, TRUE, &verbose,
+ 's', MDB_OPT_STR, &zone_name,
'P', MDB_OPT_STR, &opt_P, NULL) != argc)
return (DCMD_USAGE);
+ /* Follow the specified zone name to find a ip_stack_t*. */
+ if (zone_name != NULL) {
+ ipst = zone_to_ips(zone_name);
+ if (ipst == NULL)
+ return (DCMD_USAGE);
+ }
+
if (opt_P != NULL) {
if (strcmp("v4", opt_P) == 0) {
ipversion = IPV4_VERSION;
@@ -1069,13 +1367,13 @@ ire(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
if (verbose) {
mdb_printf("%?s %40s %-20s%\n"
"%?s %40s %-20s%\n"
- "%<u>%?s %40s %4s %-20s%</u>\n",
+ "%<u>%?s %40s %4s %-20s %s%</u>\n",
"ADDR", "SRC", "TYPE",
"", "DST", "MARKS",
- "", "STACK", "ZONE", "FLAGS");
+ "", "STACK", "ZONE", "FLAGS", "INTF");
} else {
- mdb_printf("%<u>%?s %30s %30s %5s %4s%</u>\n",
- "ADDR", "SRC", "DST", "STACK", "ZONE");
+ mdb_printf("%<u>%?s %30s %30s %5s %4s %s%</u>\n",
+ "ADDR", "SRC", "DST", "STACK", "ZONE", "INTF");
}
}
@@ -1085,7 +1383,8 @@ ire(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
if (flags & DCMD_ADDRSPEC) {
(void) mdb_vread(&ire, sizeof (ire_t), addr);
(void) ire_format(addr, &ire, &ire_cb);
- } else if (mdb_walk("ire", (mdb_walk_cb_t)ire_format, &ire_cb) == -1) {
+ } else if (mdb_pwalk("ire", (mdb_walk_cb_t)ire_format, &ire_cb,
+ (uintptr_t)ipst) == -1) {
mdb_warn("failed to walk ire table");
return (DCMD_ERR);
}
@@ -1338,7 +1637,7 @@ th_trace(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
static void
th_trace_help(void)
{
- mdb_printf("If given an address of an ill_t, ipif_t, ire_t, or nce_t, "
+ mdb_printf("If given an address of an ill_t, ipif_t, ire_t, or ncec_t, "
"print the\n"
"corresponding th_trace_t structure in detail. Otherwise, if no "
"address is\n"
@@ -1354,8 +1653,8 @@ static const mdb_dcmd_t dcmds[] = {
{ "srcid_status", ":",
"display connection structures from ipcl hash tables",
srcid_status },
- { "ill", "?[-v] [-P v4 | v6]", "display ill_t structures",
- ill, ill_help },
+ { "ill", "?[-v] [-P v4 | v6] [-s exclusive-ip-zone-name]",
+ "display ill_t structures", ill, ill_help },
{ "illif", "?[-P v4 | v6]",
"display or filter IP Lower Level InterFace structures", illif,
illif_help },
@@ -1363,10 +1662,14 @@ static const mdb_dcmd_t dcmds[] = {
{ "ip6hdr", ":[-vf]", "display an IPv6 header", ip6hdr },
{ "ipif", "?[-v] [-P v4 | v6]", "display ipif structures",
ipif, ipif_help },
- { "ire", "?[-v] [-P v4|v6]",
+ { "ire", "?[-v] [-P v4|v6] [-s exclusive-ip-zone-name]",
"display Internet Route Entry structures", ire },
- { "nce", "?[-P v4 | v6]", "display Neighbor Cache Entry structures",
- nce },
+ { "nce", "?[-P v4|v6] [-i <interface>]",
+ "display interface-specific Neighbor Cache structures", nce },
+ { "ncec", "?[-P v4 | v6]", "display Neighbor Cache Entry structures",
+ ncec },
+ { "dce", "?[-P v4|v6] [-s exclusive-ip-zone-name]",
+ "display Destination Cache Entry structures", dce },
{ "squeue", ":[-v]", "print core squeue_t info", squeue,
ip_squeue_help },
{ "tcphdr", ":", "display a TCP header", tcphdr },
@@ -1385,7 +1688,7 @@ static const mdb_walker_t walkers[] = {
{ "illif_stack", "walk list of ill interface types",
illif_stack_walk_init, illif_stack_walk_step,
illif_stack_walk_fini },
- { "ill", "walk list of nce structures for all stacks",
+ { "ill", "walk active ill_t structures for all stacks",
ill_walk_init, ill_walk_step, NULL },
{ "ipif", "walk list of ipif structures for all stacks",
ipif_walk_init, ipif_walk_step, NULL },
@@ -1400,19 +1703,21 @@ static const mdb_walker_t walkers[] = {
&srcid_walk_arg },
{ "ire", "walk active ire_t structures",
ire_walk_init, ire_walk_step, NULL },
- { "ire_ctable", "walk ire_t structures in the ctable",
- ip_stacks_common_walk_init, ire_ctable_walk_step, NULL },
{ "ire_next", "walk ire_t structures in the ctable",
ire_next_walk_init, ire_next_walk_step, NULL },
+ { "nce", "walk active nce_t structures",
+ nce_walk_init, nce_walk_step, NULL },
+ { "dce", "walk active dce_t structures",
+ dce_walk_init, dce_walk_step, NULL },
{ "ip_stacks", "walk all the ip_stack_t",
ip_stacks_walk_init, ip_stacks_walk_step, NULL },
{ "th_hash", "walk all the th_hash_t entries",
th_hash_walk_init, th_hash_walk_step, NULL },
- { "nce", "walk list of nce structures for all stacks",
- ip_stacks_common_walk_init, nce_walk_step, NULL },
- { "nce_stack", "walk list of nce structures",
- nce_stack_walk_init, nce_stack_walk_step,
- nce_stack_walk_fini},
+ { "ncec", "walk list of ncec structures for all stacks",
+ ip_stacks_common_walk_init, ncec_walk_step, NULL },
+ { "ncec_stack", "walk list of ncec structures",
+ ncec_stack_walk_init, ncec_stack_walk_step,
+ ncec_stack_walk_fini},
{ "udp_hash", "walk list of conn_t structures in ips_ipcl_udp_fanout",
ipcl_hash_walk_init, ipcl_hash_walk_step,
ipcl_hash_walk_fini, &udp_hash_arg},
@@ -1471,9 +1776,9 @@ _mdb_fini(void)
}
static char *
-nce_state(int nce_state)
+ncec_state(int ncec_state)
{
- switch (nce_state) {
+ switch (ncec_state) {
case ND_UNCHANGED:
return ("unchanged");
case ND_INCOMPLETE:
@@ -1496,36 +1801,61 @@ nce_state(int nce_state)
}
static char *
-nce_l2_addr(const nce_t *nce, const ill_t *ill)
+ncec_l2_addr(const ncec_t *ncec, const ill_t *ill)
{
uchar_t *h;
static char addr_buf[L2MAXADDRSTRLEN];
- mblk_t mp;
- size_t mblen;
- if (ill->ill_flags & ILLF_XRESOLV) {
- return ("XRESOLV");
+ if (ncec->ncec_lladdr == NULL) {
+ return ("None");
}
- if (nce->nce_res_mp == NULL) {
+ if (ill->ill_net_type == IRE_IF_RESOLVER) {
+
+ if (ill->ill_phys_addr_length == 0)
+ return ("None");
+ h = mdb_zalloc(ill->ill_phys_addr_length, UM_SLEEP);
+ if (mdb_vread(h, ill->ill_phys_addr_length,
+ (uintptr_t)ncec->ncec_lladdr) == -1) {
+ mdb_warn("failed to read hwaddr at %p",
+ ncec->ncec_lladdr);
+ return ("Unknown");
+ }
+ mdb_mac_addr(h, ill->ill_phys_addr_length,
+ addr_buf, sizeof (addr_buf));
+ } else {
return ("None");
}
+ mdb_free(h, ill->ill_phys_addr_length);
+ return (addr_buf);
+}
- if (ill->ill_net_type == IRE_IF_RESOLVER) {
+static char *
+nce_l2_addr(const nce_t *nce, const ill_t *ill)
+{
+ uchar_t *h;
+ static char addr_buf[L2MAXADDRSTRLEN];
+ mblk_t mp;
+ size_t mblen;
+
+ if (nce->nce_dlur_mp == NULL)
+ return ("None");
+ if (ill->ill_net_type == IRE_IF_RESOLVER) {
if (mdb_vread(&mp, sizeof (mblk_t),
- (uintptr_t)nce->nce_res_mp) == -1) {
- mdb_warn("failed to read nce_res_mp at %p",
- nce->nce_res_mp);
+ (uintptr_t)nce->nce_dlur_mp) == -1) {
+ mdb_warn("failed to read nce_dlur_mp at %p",
+ nce->nce_dlur_mp);
+ return ("None");
}
-
- if (ill->ill_nd_lla_len == 0)
+ if (ill->ill_phys_addr_length == 0)
return ("None");
mblen = mp.b_wptr - mp.b_rptr;
if (mblen > (sizeof (dl_unitdata_req_t) + MAX_SAP_LEN) ||
- ill->ill_nd_lla_len > MAX_SAP_LEN ||
- NCE_LL_ADDR_OFFSET(ill) + ill->ill_nd_lla_len > mblen) {
- return ("Truncated");
+ ill->ill_phys_addr_length > MAX_SAP_LEN ||
+ (NCE_LL_ADDR_OFFSET(ill) +
+ ill->ill_phys_addr_length) > mblen) {
+ return ("Unknown");
}
h = mdb_zalloc(mblen, UM_SLEEP);
if (mdb_vread(h, mblen, (uintptr_t)(mp.b_rptr)) == -1) {
@@ -1533,8 +1863,8 @@ nce_l2_addr(const nce_t *nce, const ill_t *ill)
mp.b_rptr + NCE_LL_ADDR_OFFSET(ill));
return ("Unknown");
}
- mdb_mac_addr(h + NCE_LL_ADDR_OFFSET(ill), ill->ill_nd_lla_len,
- addr_buf, sizeof (addr_buf));
+ mdb_mac_addr(h + NCE_LL_ADDR_OFFSET(ill),
+ ill->ill_phys_addr_length, addr_buf, sizeof (addr_buf));
} else {
return ("None");
}
@@ -1543,7 +1873,7 @@ nce_l2_addr(const nce_t *nce, const ill_t *ill)
}
static void
-nce_header(uint_t flags)
+ncec_header(uint_t flags)
{
if ((flags & DCMD_LOOPFIRST) || !(flags & DCMD_LOOP)) {
@@ -1553,10 +1883,10 @@ nce_header(uint_t flags)
}
int
-nce(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
+ncec(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
{
- nce_t nce;
- nce_cbdata_t id;
+ ncec_t ncec;
+ ncec_cbdata_t id;
int ipversion = 0;
const char *opt_P = NULL;
@@ -1577,23 +1907,23 @@ nce(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
if (flags & DCMD_ADDRSPEC) {
- if (mdb_vread(&nce, sizeof (nce_t), addr) == -1) {
- mdb_warn("failed to read nce at %p\n", addr);
+ if (mdb_vread(&ncec, sizeof (ncec_t), addr) == -1) {
+ mdb_warn("failed to read ncec at %p\n", addr);
return (DCMD_ERR);
}
- if (ipversion != 0 && nce.nce_ipversion != ipversion) {
+ if (ipversion != 0 && ncec.ncec_ipversion != ipversion) {
mdb_printf("IP Version mismatch\n");
return (DCMD_ERR);
}
- nce_header(flags);
- return (nce_format(addr, &nce, ipversion));
+ ncec_header(flags);
+ return (ncec_format(addr, &ncec, ipversion));
} else {
- id.nce_addr = addr;
- id.nce_ipversion = ipversion;
- nce_header(flags);
- if (mdb_walk("nce", (mdb_walk_cb_t)nce_cb, &id) == -1) {
- mdb_warn("failed to walk nce table\n");
+ id.ncec_addr = addr;
+ id.ncec_ipversion = ipversion;
+ ncec_header(flags);
+ if (mdb_walk("ncec", (mdb_walk_cb_t)ncec_cb, &id) == -1) {
+ mdb_warn("failed to walk ncec table\n");
return (DCMD_ERR);
}
}
@@ -1601,10 +1931,10 @@ nce(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
}
static int
-nce_format(uintptr_t addr, const nce_t *nce, int ipversion)
+ncec_format(uintptr_t addr, const ncec_t *ncec, int ipversion)
{
- static const mdb_bitmask_t nce_flags[] = {
- { "P", NCE_F_PERMANENT, NCE_F_PERMANENT },
+ static const mdb_bitmask_t ncec_flags[] = {
+ { "P", NCE_F_NONUD, NCE_F_NONUD },
{ "R", NCE_F_ISROUTER, NCE_F_ISROUTER },
{ "N", NCE_F_NONUD, NCE_F_NONUD },
{ "A", NCE_F_ANYCAST, NCE_F_ANYCAST },
@@ -1613,15 +1943,15 @@ nce_format(uintptr_t addr, const nce_t *nce, int ipversion)
{ "B", NCE_F_BCAST, NCE_F_BCAST },
{ NULL, 0, 0 }
};
-#define NCE_MAX_FLAGS (sizeof (nce_flags) / sizeof (mdb_bitmask_t))
+#define NCE_MAX_FLAGS (sizeof (ncec_flags) / sizeof (mdb_bitmask_t))
struct in_addr nceaddr;
ill_t ill;
char ill_name[LIFNAMSIZ];
char flagsbuf[NCE_MAX_FLAGS];
- if (mdb_vread(&ill, sizeof (ill), (uintptr_t)nce->nce_ill) == -1) {
- mdb_warn("failed to read nce_ill at %p",
- nce->nce_ill);
+ if (mdb_vread(&ill, sizeof (ill), (uintptr_t)ncec->ncec_ill) == -1) {
+ mdb_warn("failed to read ncec_ill at %p",
+ ncec->ncec_ill);
return (DCMD_ERR);
}
@@ -1629,33 +1959,33 @@ nce_format(uintptr_t addr, const nce_t *nce, int ipversion)
(uintptr_t)ill.ill_name);
mdb_snprintf(flagsbuf, sizeof (flagsbuf), "%hb",
- nce->nce_flags, nce_flags);
+ ncec->ncec_flags, ncec_flags);
- if (ipversion != 0 && nce->nce_ipversion != ipversion)
+ if (ipversion != 0 && ncec->ncec_ipversion != ipversion)
return (DCMD_OK);
- if (nce->nce_ipversion == IPV4_VERSION) {
- IN6_V4MAPPED_TO_INADDR(&nce->nce_addr, &nceaddr);
+ if (ncec->ncec_ipversion == IPV4_VERSION) {
+ IN6_V4MAPPED_TO_INADDR(&ncec->ncec_addr, &nceaddr);
mdb_printf("%?p %-20s %-10s "
"%-8s "
"%-5s %I\n",
- addr, nce_l2_addr(nce, &ill),
- nce_state(nce->nce_state),
+ addr, ncec_l2_addr(ncec, &ill),
+ ncec_state(ncec->ncec_state),
flagsbuf,
ill_name, nceaddr.s_addr);
} else {
mdb_printf("%?p %-20s %-10s %-8s %-5s %N\n",
- addr, nce_l2_addr(nce, &ill),
- nce_state(nce->nce_state),
+ addr, ncec_l2_addr(ncec, &ill),
+ ncec_state(ncec->ncec_state),
flagsbuf,
- ill_name, &nce->nce_addr);
+ ill_name, &ncec->ncec_addr);
}
return (DCMD_OK);
}
static uintptr_t
-nce_get_next_hash_tbl(uintptr_t start, int *index, struct ndp_g_s ndp)
+ncec_get_next_hash_tbl(uintptr_t start, int *index, struct ndp_g_s ndp)
{
uintptr_t addr = start;
int i = *index;
@@ -1671,7 +2001,7 @@ nce_get_next_hash_tbl(uintptr_t start, int *index, struct ndp_g_s ndp)
}
static int
-nce_walk_step(mdb_walk_state_t *wsp)
+ncec_walk_step(mdb_walk_state_t *wsp)
{
uintptr_t kaddr4, kaddr6;
@@ -1686,15 +2016,15 @@ nce_walk_step(mdb_walk_state_t *wsp)
mdb_warn("can't read ips_ip_cache_table at %p", kaddr6);
return (WALK_ERR);
}
- if (mdb_pwalk("nce_stack", wsp->walk_callback, wsp->walk_cbdata,
+ if (mdb_pwalk("ncec_stack", wsp->walk_callback, wsp->walk_cbdata,
kaddr4) == -1) {
- mdb_warn("couldn't walk 'nce_stack' for ips_ndp4 %p",
+ mdb_warn("couldn't walk 'ncec_stack' for ips_ndp4 %p",
kaddr4);
return (WALK_ERR);
}
- if (mdb_pwalk("nce_stack", wsp->walk_callback,
+ if (mdb_pwalk("ncec_stack", wsp->walk_callback,
wsp->walk_cbdata, kaddr6) == -1) {
- mdb_warn("couldn't walk 'nce_stack' for ips_ndp6 %p",
+ mdb_warn("couldn't walk 'ncec_stack' for ips_ndp6 %p",
kaddr6);
return (WALK_ERR);
}
@@ -1743,7 +2073,7 @@ ipcl_hash_walk_init(mdb_walk_state_t *wsp)
mdb_free(iw, sizeof (ipcl_hash_walk_data_t));
return (WALK_ERR);
}
- if (arg->tbl_off == OFFSETOF(ip_stack_t, ips_ipcl_proto_fanout) ||
+ if (arg->tbl_off == OFFSETOF(ip_stack_t, ips_ipcl_proto_fanout_v4) ||
arg->tbl_off == OFFSETOF(ip_stack_t, ips_ipcl_proto_fanout_v6)) {
iw->hash_tbl_size = IPPROTO_MAX;
} else {
@@ -1809,72 +2139,75 @@ ipcl_hash_walk_fini(mdb_walk_state_t *wsp)
* Called with walk_addr being the address of ips_ndp{4,6}
*/
static int
-nce_stack_walk_init(mdb_walk_state_t *wsp)
+ncec_stack_walk_init(mdb_walk_state_t *wsp)
{
- nce_walk_data_t *nw;
+ ncec_walk_data_t *nw;
if (wsp->walk_addr == NULL) {
- mdb_warn("nce_stack requires ndp_g_s address\n");
+ mdb_warn("ncec_stack requires ndp_g_s address\n");
return (WALK_ERR);
}
- nw = mdb_alloc(sizeof (nce_walk_data_t), UM_SLEEP);
+ nw = mdb_alloc(sizeof (ncec_walk_data_t), UM_SLEEP);
- if (mdb_vread(&nw->nce_ip_ndp, sizeof (struct ndp_g_s),
+ if (mdb_vread(&nw->ncec_ip_ndp, sizeof (struct ndp_g_s),
wsp->walk_addr) == -1) {
mdb_warn("failed to read 'ip_ndp' at %p",
wsp->walk_addr);
- mdb_free(nw, sizeof (nce_walk_data_t));
+ mdb_free(nw, sizeof (ncec_walk_data_t));
return (WALK_ERR);
}
- nw->nce_hash_tbl_index = 0;
- wsp->walk_addr = nce_get_next_hash_tbl(NULL,
- &nw->nce_hash_tbl_index, nw->nce_ip_ndp);
+ /*
+ * ncec_get_next_hash_tbl() starts at ++i , so initialize index to -1
+ */
+ nw->ncec_hash_tbl_index = -1;
+ wsp->walk_addr = ncec_get_next_hash_tbl(NULL,
+ &nw->ncec_hash_tbl_index, nw->ncec_ip_ndp);
wsp->walk_data = nw;
return (WALK_NEXT);
}
static int
-nce_stack_walk_step(mdb_walk_state_t *wsp)
+ncec_stack_walk_step(mdb_walk_state_t *wsp)
{
uintptr_t addr = wsp->walk_addr;
- nce_walk_data_t *nw = wsp->walk_data;
+ ncec_walk_data_t *nw = wsp->walk_data;
if (addr == NULL)
return (WALK_DONE);
- if (mdb_vread(&nw->nce, sizeof (nce_t), addr) == -1) {
- mdb_warn("failed to read nce_t at %p", addr);
+ if (mdb_vread(&nw->ncec, sizeof (ncec_t), addr) == -1) {
+ mdb_warn("failed to read ncec_t at %p", addr);
return (WALK_ERR);
}
- wsp->walk_addr = (uintptr_t)nw->nce.nce_next;
+ wsp->walk_addr = (uintptr_t)nw->ncec.ncec_next;
- wsp->walk_addr = nce_get_next_hash_tbl(wsp->walk_addr,
- &nw->nce_hash_tbl_index, nw->nce_ip_ndp);
+ wsp->walk_addr = ncec_get_next_hash_tbl(wsp->walk_addr,
+ &nw->ncec_hash_tbl_index, nw->ncec_ip_ndp);
return (wsp->walk_callback(addr, nw, wsp->walk_cbdata));
}
static void
-nce_stack_walk_fini(mdb_walk_state_t *wsp)
+ncec_stack_walk_fini(mdb_walk_state_t *wsp)
{
- mdb_free(wsp->walk_data, sizeof (nce_walk_data_t));
+ mdb_free(wsp->walk_data, sizeof (ncec_walk_data_t));
}
/* ARGSUSED */
static int
-nce_cb(uintptr_t addr, const nce_walk_data_t *iw, nce_cbdata_t *id)
+ncec_cb(uintptr_t addr, const ncec_walk_data_t *iw, ncec_cbdata_t *id)
{
- nce_t nce;
+ ncec_t ncec;
- if (mdb_vread(&nce, sizeof (nce_t), addr) == -1) {
- mdb_warn("failed to read nce at %p", addr);
+ if (mdb_vread(&ncec, sizeof (ncec_t), addr) == -1) {
+ mdb_warn("failed to read ncec at %p", addr);
return (WALK_NEXT);
}
- (void) nce_format(addr, &nce, id->nce_ipversion);
+ (void) ncec_format(addr, &ncec, id->ncec_ipversion);
return (WALK_NEXT);
}
@@ -1918,6 +2251,11 @@ ill_cb(uintptr_t addr, const ill_walk_data_t *iw, ill_cbdata_t *id)
mdb_warn("failed to read ill at %p", addr);
return (WALK_NEXT);
}
+
+ /* If ip_stack_t is specified, skip ILLs that don't belong to it. */
+ if (id->ill_ipst != NULL && ill.ill_ipst != id->ill_ipst)
+ return (WALK_NEXT);
+
return (ill_format((uintptr_t)addr, &ill, id));
}
@@ -2013,7 +2351,7 @@ ill_format(uintptr_t addr, const void *illptr, void *ill_cb_arg)
break;
}
cnt = ill->ill_refcnt + ill->ill_ire_cnt + ill->ill_nce_cnt +
- ill->ill_ilm_walker_cnt + ill->ill_ilm_cnt;
+ ill->ill_ilm_cnt + ill->ill_ncec_cnt;
mdb_printf("%-?p %-8s %-3s ",
addr, ill_name, ill->ill_isv6 ? "v6" : "v4");
if (typebuf != NULL)
@@ -2035,11 +2373,10 @@ ill_format(uintptr_t addr, const void *illptr, void *ill_cb_arg)
strlen(sbuf), "", ill->ill_ire_cnt, "ill_ire_cnt");
mdb_printf("%*s %7d %-18s nces referencing this ill\n",
strlen(sbuf), "", ill->ill_nce_cnt, "ill_nce_cnt");
+ mdb_printf("%*s %7d %-18s ncecs referencing this ill\n",
+ strlen(sbuf), "", ill->ill_ncec_cnt, "ill_ncec_cnt");
mdb_printf("%*s %7d %-18s ilms referencing this ill\n",
strlen(sbuf), "", ill->ill_ilm_cnt, "ill_ilm_cnt");
- mdb_printf("%*s %7d %-18s active ilm walkers\n\n",
- strlen(sbuf), "", ill->ill_ilm_walker_cnt,
- "ill_ilm_walker_cnt");
} else {
mdb_printf("%4d %-?p %-llb\n",
cnt, ill->ill_wq,
@@ -2054,14 +2391,24 @@ ill(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
ill_t ill_data;
ill_cbdata_t id;
int ipversion = 0;
+ const char *zone_name = NULL;
const char *opt_P = NULL;
uint_t verbose = FALSE;
+ ip_stack_t *ipst = NULL;
if (mdb_getopts(argc, argv,
'v', MDB_OPT_SETBITS, TRUE, &verbose,
+ 's', MDB_OPT_STR, &zone_name,
'P', MDB_OPT_STR, &opt_P, NULL) != argc)
return (DCMD_USAGE);
+ /* Follow the specified zone name to find a ip_stack_t*. */
+ if (zone_name != NULL) {
+ ipst = zone_to_ips(zone_name);
+ if (ipst == NULL)
+ return (DCMD_USAGE);
+ }
+
if (opt_P != NULL) {
if (strcmp("v4", opt_P) == 0) {
ipversion = IPV4_VERSION;
@@ -2076,6 +2423,7 @@ ill(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
id.verbose = verbose;
id.ill_addr = addr;
id.ill_ipversion = ipversion;
+ id.ill_ipst = ipst;
ill_header(verbose);
if (flags & DCMD_ADDRSPEC) {
@@ -2254,7 +2602,6 @@ ipif_format(uintptr_t addr, const void *ipifptr, void *ipif_cb_arg)
{ "CO", IPIF_CONDEMNED, IPIF_CONDEMNED},
{ "CH", IPIF_CHANGING, IPIF_CHANGING},
{ "SL", IPIF_SET_LINKLOCAL, IPIF_SET_LINKLOCAL},
- { "ZS", IPIF_ZERO_SOURCE, IPIF_ZERO_SOURCE},
{ NULL, 0, 0 }
};
static const mdb_bitmask_t fmasks[] = {
@@ -2299,16 +2646,14 @@ ipif_format(uintptr_t addr, const void *ipifptr, void *ipif_cb_arg)
}
mdb_snprintf(bitfields, sizeof (bitfields), "%s",
ipif->ipif_addr_ready ? ",ADR" : "",
- ipif->ipif_multicast_up ? ",MU" : "",
ipif->ipif_was_up ? ",WU" : "",
- ipif->ipif_was_dup ? ",WD" : "",
- ipif->ipif_joined_allhosts ? ",JA" : "");
+ ipif->ipif_was_dup ? ",WD" : "");
mdb_snprintf(flagsbuf, sizeof (flagsbuf), "%llb%s",
ipif->ipif_flags, fmasks, bitfields);
mdb_snprintf(sflagsbuf, sizeof (sflagsbuf), "%b",
ipif->ipif_state_flags, sfmasks);
- cnt = ipif->ipif_refcnt + ipif->ipif_ire_cnt + ipif->ipif_ilm_cnt;
+ cnt = ipif->ipif_refcnt;
if (ipifcb->ill.ill_isv6) {
mdb_snprintf(addrstr, sizeof (addrstr), "%N",
@@ -2329,12 +2674,6 @@ ipif_format(uintptr_t addr, const void *ipifptr, void *ipif_cb_arg)
mdb_printf("%s |\n%s +---> %4d %-15s "
"Active consistent reader cnt\n",
sbuf, sbuf, ipif->ipif_refcnt, "ipif_refcnt");
- mdb_printf("%*s %10d %-15s "
- "Number of ire's referencing this ipif\n",
- strlen(sbuf), "", ipif->ipif_ire_cnt, "ipif_ire_cnt");
- mdb_printf("%*s %10d %-15s "
- "Number of ilm's referencing this ipif\n\n",
- strlen(sbuf), "", ipif->ipif_ilm_cnt, "ipif_ilm_cnt");
mdb_printf("%-s/%d\n",
addrstr, mask_to_prefixlen(af, &ipif->ipif_v6net_mask));
if (ipifcb->ill.ill_isv6) {
@@ -2473,16 +2812,16 @@ conn_status_cb(uintptr_t addr, const void *walk_data,
mdb_printf("%-?p %-?p %?d %?d\n", addr, conn->conn_wq,
nss.netstack_stackid, conn->conn_zoneid);
- if (conn->conn_af_isv6) {
+ if (conn->conn_family == AF_INET6) {
mdb_snprintf(src_addrstr, sizeof (rem_addrstr), "%N",
- &conn->conn_srcv6);
+ &conn->conn_laddr_v6);
mdb_snprintf(rem_addrstr, sizeof (rem_addrstr), "%N",
- &conn->conn_remv6);
+ &conn->conn_faddr_v6);
} else {
mdb_snprintf(src_addrstr, sizeof (src_addrstr), "%I",
- V4_PART_OF_V6((conn->conn_srcv6)));
+ V4_PART_OF_V6((conn->conn_laddr_v6)));
mdb_snprintf(rem_addrstr, sizeof (rem_addrstr), "%I",
- V4_PART_OF_V6((conn->conn_remv6)));
+ V4_PART_OF_V6((conn->conn_faddr_v6)));
}
mdb_printf("%s:%-5d\n%s:%-5d\n",
src_addrstr, conn->conn_lport, rem_addrstr, conn->conn_fport);
@@ -2519,7 +2858,7 @@ conn_status_help(void)
{
mdb_printf("Prints conn_t structures from the following hash tables: "
"\n\tips_ipcl_udp_fanout\n\tips_ipcl_bind_fanout"
- "\n\tips_ipcl_conn_fanout\n\tips_ipcl_proto_fanout"
+ "\n\tips_ipcl_conn_fanout\n\tips_ipcl_proto_fanout_v4"
"\n\tips_ipcl_proto_fanout_v6\n");
}
diff --git a/usr/src/cmd/mdb/common/modules/sctp/sctp.c b/usr/src/cmd/mdb/common/modules/sctp/sctp.c
index 05f0c385c8..4165a56ca4 100644
--- a/usr/src/cmd/mdb/common/modules/sctp/sctp.c
+++ b/usr/src/cmd/mdb/common/modules/sctp/sctp.c
@@ -20,12 +20,10 @@
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/types.h>
#include <sys/stream.h>
#include <sys/mdb_modapi.h>
@@ -164,7 +162,7 @@ sctp_faddr(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
mdb_printf("lastactive\t%?ld\thb_secret\t%?#lx\n", fa->lastactive,
fa->hb_secret);
mdb_printf("rxt_unacked\t%?u\n", fa->rxt_unacked);
- mdb_printf("timer_mp\t%?p\tire\t\t%?p\n", fa->timer_mp, fa->ire);
+ mdb_printf("timer_mp\t%?p\tixa\t\t%?p\n", fa->timer_mp, fa->ixa);
mdb_printf("hb_enabled\t%?d\thb_pending\t%?d\n"
"timer_running\t%?d\tdf\t\t%?d\n"
"pmtu_discovered\t%?d\tisv4\t\t%?d\n"
@@ -566,11 +564,12 @@ show_sctp_flags(sctp_t *sctp)
{
mdb_printf("\tunderstands_asconf\t%d\n",
sctp->sctp_understands_asconf);
- mdb_printf("\tdebug\t\t\t%d\n", sctp->sctp_debug);
+ mdb_printf("\tdebug\t\t\t%d\n", sctp->sctp_connp->conn_debug);
mdb_printf("\tcchunk_pend\t\t%d\n", sctp->sctp_cchunk_pend);
- mdb_printf("\tdgram_errind\t\t%d\n", sctp->sctp_dgram_errind);
+ mdb_printf("\tdgram_errind\t\t%d\n",
+ sctp->sctp_connp->conn_dgram_errind);
- mdb_printf("\tlinger\t\t\t%d\n", sctp->sctp_linger);
+ mdb_printf("\tlinger\t\t\t%d\n", sctp->sctp_connp->conn_linger);
if (sctp->sctp_lingering)
return;
mdb_printf("\tlingering\t\t%d\n", sctp->sctp_lingering);
@@ -578,7 +577,8 @@ show_sctp_flags(sctp_t *sctp)
mdb_printf("\tforce_sack\t\t%d\n", sctp->sctp_force_sack);
mdb_printf("\tack_timer_runing\t%d\n", sctp->sctp_ack_timer_running);
- mdb_printf("\trecvdstaddr\t\t%d\n", sctp->sctp_recvdstaddr);
+ mdb_printf("\trecvdstaddr\t\t%d\n",
+ sctp->sctp_connp->conn_recv_ancillary.crb_recvdstaddr);
mdb_printf("\thwcksum\t\t\t%d\n", sctp->sctp_hwcksum);
mdb_printf("\tunderstands_addip\t%d\n", sctp->sctp_understands_addip);
@@ -654,8 +654,8 @@ print_saddr(uintptr_t ptr, const void *addr, void *cbdata)
if (saddr->saddr_ipif_delete_pending == 1)
mdb_printf("/DeletePending");
mdb_printf(")\n");
- mdb_printf("\t\t\tMTU %d id %d zoneid %d IPIF flags %x\n",
- ipif.sctp_ipif_mtu, ipif.sctp_ipif_id,
+ mdb_printf("\t\t\tid %d zoneid %d IPIF flags %x\n",
+ ipif.sctp_ipif_id,
ipif.sctp_ipif_zoneid, ipif.sctp_ipif_flags);
return (WALK_NEXT);
}
@@ -682,8 +682,8 @@ print_faddr(uintptr_t ptr, const void *addr, void *cbdata)
int
sctp(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
{
- sctp_t sctp;
- conn_t connp;
+ sctp_t sctps, *sctp;
+ conn_t conns, *connp;
int i;
uint_t opts = 0;
uint_t paddr = 0;
@@ -692,16 +692,23 @@ sctp(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
if (!(flags & DCMD_ADDRSPEC))
return (DCMD_USAGE);
- if (mdb_vread(&sctp, sizeof (sctp), addr) == -1) {
+ if (mdb_vread(&sctps, sizeof (sctps), addr) == -1) {
mdb_warn("failed to read sctp_t at: %p\n", addr);
return (DCMD_ERR);
}
- if (mdb_vread(&connp, sizeof (connp),
- (uintptr_t)sctp.sctp_connp) == -1) {
- mdb_warn("failed to read conn_t at: %p\n", sctp.sctp_connp);
+ sctp = &sctps;
+
+ if (mdb_vread(&conns, sizeof (conns),
+ (uintptr_t)sctp->sctp_connp) == -1) {
+ mdb_warn("failed to read conn_t at: %p\n", sctp->sctp_connp);
return (DCMD_ERR);
}
+ connp = &conns;
+
+ connp->conn_sctp = sctp;
+ sctp->sctp_connp = connp;
+
if (mdb_getopts(argc, argv,
'a', MDB_OPT_SETBITS, MDB_SCTP_SHOW_ALL, &opts,
'f', MDB_OPT_SETBITS, MDB_SCTP_SHOW_FLAGS, &opts,
@@ -726,7 +733,7 @@ sctp(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
/* non-verbose faddrs, suitable for pipelines to sctp_faddr */
if (paddr != 0) {
sctp_faddr_t faddr, *fp;
- for (fp = sctp.sctp_faddrs; fp != NULL; fp = faddr.next) {
+ for (fp = sctp->sctp_faddrs; fp != NULL; fp = faddr.next) {
if (mdb_vread(&faddr, sizeof (faddr), (uintptr_t)fp)
== -1) {
mdb_warn("failed to read faddr at %p",
@@ -738,16 +745,16 @@ sctp(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
return (DCMD_OK);
}
- mdb_nhconvert(&lport, &sctp.sctp_lport, sizeof (lport));
- mdb_nhconvert(&fport, &sctp.sctp_fport, sizeof (fport));
+ mdb_nhconvert(&lport, &connp->conn_lport, sizeof (lport));
+ mdb_nhconvert(&fport, &connp->conn_fport, sizeof (fport));
mdb_printf("%<u>%p% %22s S=%-6hu D=%-6hu% STACK=%d ZONE=%d%</u>", addr,
- state2str(&sctp), lport, fport,
- ns_to_stackid((uintptr_t)connp.conn_netstack), connp.conn_zoneid);
+ state2str(sctp), lport, fport,
+ ns_to_stackid((uintptr_t)connp->conn_netstack), connp->conn_zoneid);
- if (sctp.sctp_faddrs) {
+ if (sctp->sctp_faddrs) {
sctp_faddr_t faddr;
if (mdb_vread(&faddr, sizeof (faddr),
- (uintptr_t)sctp.sctp_faddrs) != -1)
+ (uintptr_t)sctp->sctp_faddrs) != -1)
mdb_printf("%<u> %N%</u>", &faddr.faddr);
}
mdb_printf("\n");
@@ -756,78 +763,78 @@ sctp(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
mdb_printf("%<b>Local and Peer Addresses%</b>\n");
/* Display source addresses */
- mdb_printf("nsaddrs\t\t%?d\n", sctp.sctp_nsaddrs);
+ mdb_printf("nsaddrs\t\t%?d\n", sctp->sctp_nsaddrs);
(void) mdb_pwalk("sctp_walk_saddr", print_saddr, NULL, addr);
/* Display peer addresses */
- mdb_printf("nfaddrs\t\t%?d\n", sctp.sctp_nfaddrs);
+ mdb_printf("nfaddrs\t\t%?d\n", sctp->sctp_nfaddrs);
i = 1;
(void) mdb_pwalk("sctp_walk_faddr", print_faddr, &i, addr);
mdb_printf("lastfaddr\t%?p\tprimary\t\t%?p\n",
- sctp.sctp_lastfaddr, sctp.sctp_primary);
+ sctp->sctp_lastfaddr, sctp->sctp_primary);
mdb_printf("current\t\t%?p\tlastdata\t%?p\n",
- sctp.sctp_current, sctp.sctp_lastdata);
+ sctp->sctp_current, sctp->sctp_lastdata);
}
if (opts & MDB_SCTP_SHOW_OUT) {
mdb_printf("%<b>Outbound Data%</b>\n");
mdb_printf("xmit_head\t%?p\txmit_tail\t%?p\n",
- sctp.sctp_xmit_head, sctp.sctp_xmit_tail);
+ sctp->sctp_xmit_head, sctp->sctp_xmit_tail);
mdb_printf("xmit_unsent\t%?p\txmit_unsent_tail%?p\n",
- sctp.sctp_xmit_unsent, sctp.sctp_xmit_unsent_tail);
- mdb_printf("xmit_unacked\t%?p\n", sctp.sctp_xmit_unacked);
+ sctp->sctp_xmit_unsent, sctp->sctp_xmit_unsent_tail);
+ mdb_printf("xmit_unacked\t%?p\n", sctp->sctp_xmit_unacked);
mdb_printf("unacked\t\t%?u\tunsent\t\t%?ld\n",
- sctp.sctp_unacked, sctp.sctp_unsent);
+ sctp->sctp_unacked, sctp->sctp_unsent);
mdb_printf("ltsn\t\t%?x\tlastack_rxd\t%?x\n",
- sctp.sctp_ltsn, sctp.sctp_lastack_rxd);
+ sctp->sctp_ltsn, sctp->sctp_lastack_rxd);
mdb_printf("recovery_tsn\t%?x\tadv_pap\t\t%?x\n",
- sctp.sctp_recovery_tsn, sctp.sctp_adv_pap);
+ sctp->sctp_recovery_tsn, sctp->sctp_adv_pap);
mdb_printf("num_ostr\t%?hu\tostrcntrs\t%?p\n",
- sctp.sctp_num_ostr, sctp.sctp_ostrcntrs);
+ sctp->sctp_num_ostr, sctp->sctp_ostrcntrs);
mdb_printf("pad_mp\t\t%?p\terr_chunks\t%?p\n",
- sctp.sctp_pad_mp, sctp.sctp_err_chunks);
- mdb_printf("err_len\t\t%?u\n", sctp.sctp_err_len);
+ sctp->sctp_pad_mp, sctp->sctp_err_chunks);
+ mdb_printf("err_len\t\t%?u\n", sctp->sctp_err_len);
mdb_printf("%<b>Default Send Parameters%</b>\n");
mdb_printf("def_stream\t%?u\tdef_flags\t%?x\n",
- sctp.sctp_def_stream, sctp.sctp_def_flags);
+ sctp->sctp_def_stream, sctp->sctp_def_flags);
mdb_printf("def_ppid\t%?x\tdef_context\t%?x\n",
- sctp.sctp_def_ppid, sctp.sctp_def_context);
+ sctp->sctp_def_ppid, sctp->sctp_def_context);
mdb_printf("def_timetolive\t%?u\n",
- sctp.sctp_def_timetolive);
+ sctp->sctp_def_timetolive);
}
if (opts & MDB_SCTP_SHOW_IN) {
mdb_printf("%<b>Inbound Data%</b>\n");
mdb_printf("sack_info\t%?p\tsack_gaps\t%?d\n",
- sctp.sctp_sack_info, sctp.sctp_sack_gaps);
- dump_sack_info((uintptr_t)sctp.sctp_sack_info);
+ sctp->sctp_sack_info, sctp->sctp_sack_gaps);
+ dump_sack_info((uintptr_t)sctp->sctp_sack_info);
mdb_printf("ftsn\t\t%?x\tlastacked\t%?x\n",
- sctp.sctp_ftsn, sctp.sctp_lastacked);
+ sctp->sctp_ftsn, sctp->sctp_lastacked);
mdb_printf("istr_nmsgs\t%?d\tsack_toggle\t%?d\n",
- sctp.sctp_istr_nmsgs, sctp.sctp_sack_toggle);
- mdb_printf("ack_mp\t\t%?p\n", sctp.sctp_ack_mp);
+ sctp->sctp_istr_nmsgs, sctp->sctp_sack_toggle);
+ mdb_printf("ack_mp\t\t%?p\n", sctp->sctp_ack_mp);
mdb_printf("num_istr\t%?hu\tinstr\t\t%?p\n",
- sctp.sctp_num_istr, sctp.sctp_instr);
- mdb_printf("unord_reass\t%?p\n", sctp.sctp_uo_frags);
+ sctp->sctp_num_istr, sctp->sctp_instr);
+ mdb_printf("unord_reass\t%?p\n", sctp->sctp_uo_frags);
}
if (opts & MDB_SCTP_SHOW_RTT) {
mdb_printf("%<b>RTT Tracking%</b>\n");
mdb_printf("rtt_tsn\t\t%?x\tout_time\t%?ld\n",
- sctp.sctp_rtt_tsn, sctp.sctp_out_time);
+ sctp->sctp_rtt_tsn, sctp->sctp_out_time);
}
if (opts & MDB_SCTP_SHOW_FLOW) {
mdb_printf("%<b>Flow Control%</b>\n");
- mdb_printf("txmit_hiwater\t%?d\n"
- "xmit_lowater\t%?d\tfrwnd\t\t%?u\n"
+ mdb_printf("tconn_sndbuf\t%?d\n"
+ "conn_sndlowat\t%?d\tfrwnd\t\t%?u\n"
"rwnd\t\t%?u\tinitial rwnd\t%?u\n"
- "rxqueued\t%?u\tcwnd_max\t%?u\n", sctp.sctp_xmit_hiwater,
- sctp.sctp_xmit_lowater, sctp.sctp_frwnd,
- sctp.sctp_rwnd, sctp.sctp_irwnd, sctp.sctp_rxqueued,
- sctp.sctp_cwnd_max);
+ "rxqueued\t%?u\tcwnd_max\t%?u\n", connp->conn_sndbuf,
+ connp->conn_sndlowat, sctp->sctp_frwnd,
+ sctp->sctp_rwnd, sctp->sctp_irwnd, sctp->sctp_rxqueued,
+ sctp->sctp_cwnd_max);
}
if (opts & MDB_SCTP_SHOW_HDR) {
@@ -838,21 +845,21 @@ sctp(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
"ipha\t\t%?p\tip6h\t\t%?p\n"
"ip_hdr_len\t%?d\tip_hdr6_len\t%?d\n"
"sctph\t\t%?p\tsctph6\t\t%?p\n"
- "lvtag\t\t%?x\tfvtag\t\t%?x\n", sctp.sctp_iphc,
- sctp.sctp_iphc6, sctp.sctp_iphc_len,
- sctp.sctp_iphc6_len, sctp.sctp_hdr_len,
- sctp.sctp_hdr6_len, sctp.sctp_ipha, sctp.sctp_ip6h,
- sctp.sctp_ip_hdr_len, sctp.sctp_ip_hdr6_len,
- sctp.sctp_sctph, sctp.sctp_sctph6, sctp.sctp_lvtag,
- sctp.sctp_fvtag);
+ "lvtag\t\t%?x\tfvtag\t\t%?x\n", sctp->sctp_iphc,
+ sctp->sctp_iphc6, sctp->sctp_iphc_len,
+ sctp->sctp_iphc6_len, sctp->sctp_hdr_len,
+ sctp->sctp_hdr6_len, sctp->sctp_ipha, sctp->sctp_ip6h,
+ sctp->sctp_ip_hdr_len, sctp->sctp_ip_hdr6_len,
+ sctp->sctp_sctph, sctp->sctp_sctph6, sctp->sctp_lvtag,
+ sctp->sctp_fvtag);
}
if (opts & MDB_SCTP_SHOW_PMTUD) {
mdb_printf("%<b>PMTUd%</b>\n");
mdb_printf("last_mtu_probe\t%?ld\tmtu_probe_intvl\t%?ld\n"
"mss\t\t%?u\n",
- sctp.sctp_last_mtu_probe, sctp.sctp_mtu_probe_intvl,
- sctp.sctp_mss);
+ sctp->sctp_last_mtu_probe, sctp->sctp_mtu_probe_intvl,
+ sctp->sctp_mss);
}
if (opts & MDB_SCTP_SHOW_RXT) {
@@ -862,33 +869,33 @@ sctp(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
"pp_max_rxt\t%?d\trto_max\t\t%?u\n"
"rto_min\t\t%?u\trto_initial\t%?u\n"
"init_rto_max\t%?u\n"
- "rxt_nxttsn\t%?u\trxt_maxtsn\t%?u\n", sctp.sctp_cookie_mp,
- sctp.sctp_strikes, sctp.sctp_max_init_rxt,
- sctp.sctp_pa_max_rxt, sctp.sctp_pp_max_rxt,
- sctp.sctp_rto_max, sctp.sctp_rto_min,
- sctp.sctp_rto_initial, sctp.sctp_init_rto_max,
- sctp.sctp_rxt_nxttsn, sctp.sctp_rxt_maxtsn);
+ "rxt_nxttsn\t%?u\trxt_maxtsn\t%?u\n", sctp->sctp_cookie_mp,
+ sctp->sctp_strikes, sctp->sctp_max_init_rxt,
+ sctp->sctp_pa_max_rxt, sctp->sctp_pp_max_rxt,
+ sctp->sctp_rto_max, sctp->sctp_rto_min,
+ sctp->sctp_rto_initial, sctp->sctp_init_rto_max,
+ sctp->sctp_rxt_nxttsn, sctp->sctp_rxt_maxtsn);
}
if (opts & MDB_SCTP_SHOW_CONN) {
mdb_printf("%<b>Connection State%</b>\n");
mdb_printf("last_secret_update%?ld\n",
- sctp.sctp_last_secret_update);
+ sctp->sctp_last_secret_update);
mdb_printf("secret\t\t");
for (i = 0; i < SCTP_SECRET_LEN; i++) {
if (i % 2 == 0)
- mdb_printf("0x%02x", sctp.sctp_secret[i]);
+ mdb_printf("0x%02x", sctp->sctp_secret[i]);
else
- mdb_printf("%02x ", sctp.sctp_secret[i]);
+ mdb_printf("%02x ", sctp->sctp_secret[i]);
}
mdb_printf("\n");
mdb_printf("old_secret\t");
for (i = 0; i < SCTP_SECRET_LEN; i++) {
if (i % 2 == 0)
- mdb_printf("0x%02x", sctp.sctp_old_secret[i]);
+ mdb_printf("0x%02x", sctp->sctp_old_secret[i]);
else
- mdb_printf("%02x ", sctp.sctp_old_secret[i]);
+ mdb_printf("%02x ", sctp->sctp_old_secret[i]);
}
mdb_printf("\n");
}
@@ -901,40 +908,40 @@ sctp(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
"T2expire\t%?lu\tT3expire\t%?lu\n"
"msgcount\t%?llu\tprsctpdrop\t%?llu\n"
"AssocStartTime\t%?lu\n",
- sctp.sctp_opkts, sctp.sctp_obchunks,
- sctp.sctp_odchunks, sctp.sctp_oudchunks,
- sctp.sctp_rxtchunks, sctp.sctp_T1expire,
- sctp.sctp_T2expire, sctp.sctp_T3expire,
- sctp.sctp_msgcount, sctp.sctp_prsctpdrop,
- sctp.sctp_assoc_start_time);
+ sctp->sctp_opkts, sctp->sctp_obchunks,
+ sctp->sctp_odchunks, sctp->sctp_oudchunks,
+ sctp->sctp_rxtchunks, sctp->sctp_T1expire,
+ sctp->sctp_T2expire, sctp->sctp_T3expire,
+ sctp->sctp_msgcount, sctp->sctp_prsctpdrop,
+ sctp->sctp_assoc_start_time);
mdb_printf("ipkts\t\t%?llu\tibchunks\t%?llu\n"
"idchunks\t%?llu\tiudchunks\t%?llu\n"
"fragdmsgs\t%?llu\treassmsgs\t%?llu\n",
- sctp.sctp_ipkts, sctp.sctp_ibchunks,
- sctp.sctp_idchunks, sctp.sctp_iudchunks,
- sctp.sctp_fragdmsgs, sctp.sctp_reassmsgs);
+ sctp->sctp_ipkts, sctp->sctp_ibchunks,
+ sctp->sctp_idchunks, sctp->sctp_iudchunks,
+ sctp->sctp_fragdmsgs, sctp->sctp_reassmsgs);
}
if (opts & MDB_SCTP_SHOW_HASH) {
mdb_printf("%<b>Hash Tables%</b>\n");
- mdb_printf("conn_hash_next\t%?p\t", sctp.sctp_conn_hash_next);
- mdb_printf("conn_hash_prev\t%?p\n", sctp.sctp_conn_hash_prev);
+ mdb_printf("conn_hash_next\t%?p\t", sctp->sctp_conn_hash_next);
+ mdb_printf("conn_hash_prev\t%?p\n", sctp->sctp_conn_hash_prev);
mdb_printf("listen_hash_next%?p\t",
- sctp.sctp_listen_hash_next);
+ sctp->sctp_listen_hash_next);
mdb_printf("listen_hash_prev%?p\n",
- sctp.sctp_listen_hash_prev);
- mdb_nhconvert(&lport, &sctp.sctp_lport, sizeof (lport));
+ sctp->sctp_listen_hash_prev);
+ mdb_nhconvert(&lport, &connp->conn_lport, sizeof (lport));
mdb_printf("[ listen_hash bucket\t%?d ]\n",
SCTP_LISTEN_HASH(lport));
- mdb_printf("conn_tfp\t%?p\t", sctp.sctp_conn_tfp);
- mdb_printf("listen_tfp\t%?p\n", sctp.sctp_listen_tfp);
+ mdb_printf("conn_tfp\t%?p\t", sctp->sctp_conn_tfp);
+ mdb_printf("listen_tfp\t%?p\n", sctp->sctp_listen_tfp);
mdb_printf("bind_hash\t%?p\tptpbhn\t\t%?p\n",
- sctp.sctp_bind_hash, sctp.sctp_ptpbhn);
+ sctp->sctp_bind_hash, sctp->sctp_ptpbhn);
mdb_printf("bind_lockp\t%?p\n",
- sctp.sctp_bind_lockp);
+ sctp->sctp_bind_lockp);
mdb_printf("[ bind_hash bucket\t%?d ]\n",
SCTP_BIND_HASH(lport));
}
@@ -943,8 +950,8 @@ sctp(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
mdb_printf("%<b>Cleanup / Close%</b>\n");
mdb_printf("shutdown_faddr\t%?p\tclient_errno\t%?d\n"
"lingertime\t%?d\trefcnt\t\t%?hu\n",
- sctp.sctp_shutdown_faddr, sctp.sctp_client_errno,
- sctp.sctp_lingertime, sctp.sctp_refcnt);
+ sctp->sctp_shutdown_faddr, sctp->sctp_client_errno,
+ connp->conn_lingertime, sctp->sctp_refcnt);
}
if (opts & MDB_SCTP_SHOW_MISC) {
@@ -955,24 +962,25 @@ sctp(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
"active\t\t%?ld\ttx_adaptation_code%?x\n"
"rx_adaptation_code%?x\ttimer_mp\t%?p\n"
"partial_delivery_point\t%?d\n",
- sctp.sctp_bound_if, sctp.sctp_heartbeat_mp,
- sctp.sctp_family, sctp.sctp_ipversion,
- sctp.sctp_hb_interval, sctp.sctp_autoclose,
- sctp.sctp_active, sctp.sctp_tx_adaptation_code,
- sctp.sctp_rx_adaptation_code, sctp.sctp_timer_mp,
- sctp.sctp_pd_point);
+ connp->conn_bound_if, sctp->sctp_heartbeat_mp,
+ connp->conn_family,
+ connp->conn_ipversion,
+ sctp->sctp_hb_interval, sctp->sctp_autoclose,
+ sctp->sctp_active, sctp->sctp_tx_adaptation_code,
+ sctp->sctp_rx_adaptation_code, sctp->sctp_timer_mp,
+ sctp->sctp_pd_point);
}
if (opts & MDB_SCTP_SHOW_EXT) {
mdb_printf("%<b>Extensions and Reliable Ctl Chunks%</b>\n");
mdb_printf("cxmit_list\t%?p\tlcsn\t\t%?x\n"
- "fcsn\t\t%?x\n", sctp.sctp_cxmit_list, sctp.sctp_lcsn,
- sctp.sctp_fcsn);
+ "fcsn\t\t%?x\n", sctp->sctp_cxmit_list, sctp->sctp_lcsn,
+ sctp->sctp_fcsn);
}
if (opts & MDB_SCTP_SHOW_FLAGS) {
mdb_printf("%<b>Flags%</b>\n");
- show_sctp_flags(&sctp);
+ show_sctp_flags(sctp);
}
return (DCMD_OK);
diff --git a/usr/src/common/net/patricia/radix.c b/usr/src/common/net/patricia/radix.c
index 9a1d3f78ed..cf2085280f 100644
--- a/usr/src/common/net/patricia/radix.c
+++ b/usr/src/common/net/patricia/radix.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
* Copyright (c) 1988, 1989, 1993
@@ -367,8 +367,9 @@ rn_match_args(v_arg, head, rn_leaf_fn, rn_leaf_arg)
* is looking for some other criteria as well. Continue
* looking as if the exact match failed.
*/
- if (t->rn_parent->rn_flags & RNF_ROOT) {
- /* hit the top. have to give up */
+ if (t->rn_dupedkey == NULL &&
+ (t->rn_parent->rn_flags & RNF_ROOT)) {
+ /* no more dupedkeys and hit the top. have to give up */
return (NULL);
}
b = 0;
@@ -486,56 +487,70 @@ rn_insert(v_arg, head, dupentry, nodes)
{
caddr_t v = v_arg;
struct radix_node *top = head->rnh_treetop;
+ struct radix_node *p, *x;
int head_off = top->rn_offset, vlen = (int)LEN(v);
struct radix_node *t = rn_search(v_arg, top);
caddr_t cp = v + head_off;
int b;
struct radix_node *tt;
+ caddr_t cp2 = t->rn_key + head_off;
+ int cmp_res;
+ caddr_t cplim = v + vlen;
/*
* Find first bit at which v and t->rn_key differ
*/
- {
- caddr_t cp2 = t->rn_key + head_off;
- int cmp_res;
- caddr_t cplim = v + vlen;
-
- while (cp < cplim)
- if (*cp2++ != *cp++)
- goto on1;
- *dupentry = 1;
- return (t);
+ while (cp < cplim)
+ if (*cp2++ != *cp++)
+ goto on1;
+ *dupentry = 1;
+ return (t);
on1:
- *dupentry = 0;
- cmp_res = (cp[-1] ^ cp2[-1]) & 0xff;
- for (b = (cp - v) << 3; cmp_res; b--)
- cmp_res >>= 1;
- }
- {
- struct radix_node *p, *x = top;
- cp = v;
- do {
- p = x;
- if (cp[x->rn_offset] & x->rn_bmask)
- x = x->rn_right;
- else
- x = x->rn_left;
- } while (b > (unsigned)x->rn_bit);
- /* x->rn_bit < b && x->rn_bit >= 0 */
- t = rn_newpair(v_arg, b, nodes);
- tt = t->rn_left;
- if ((cp[p->rn_offset] & p->rn_bmask) == 0)
- p->rn_left = t;
+ *dupentry = 0;
+ cmp_res = (cp[-1] ^ cp2[-1]) & 0xff;
+ /*
+ * (cp - v) is the number of bytes where the match is relevant.
+ * Multiply by 8 to get number of bits. Then reduce this number
+ * by the trailing bits in the last byte where we have a match
+ * by looking at (cmp_res >> 1) in each iteration below.
+ * Note that v starts at the beginning of the key, so, when key
+ * is a sockaddr structure, the preliminary len/family/port bytes
+ * are accounted for.
+ */
+ for (b = (cp - v) << 3; cmp_res; b--)
+ cmp_res >>= 1;
+ cp = v;
+ x = top;
+ do {
+ p = x;
+ if (cp[x->rn_offset] & x->rn_bmask)
+ x = x->rn_right;
else
- p->rn_right = t;
- x->rn_parent = t;
- t->rn_parent = p;
- if ((cp[t->rn_offset] & t->rn_bmask) == 0) {
- t->rn_right = x;
- } else {
- t->rn_right = tt;
- t->rn_left = x;
- }
+ x = x->rn_left;
+ } while (b > (unsigned)x->rn_bit);
+ /* x->rn_bit < b && x->rn_bit >= 0 */
+ /*
+ * now the rightmost bit where v and rn_key differ (b) is <
+ * x->rn_bit.
+ *
+ * We will add a new branch at p. b cannot equal x->rn_bit
+ * because we know we didn't find a duplicated key.
+ * The tree will be re-adjusted so that t is inserted between p
+ * and x.
+ */
+ t = rn_newpair(v_arg, b, nodes);
+ tt = t->rn_left;
+ if ((cp[p->rn_offset] & p->rn_bmask) == 0)
+ p->rn_left = t;
+ else
+ p->rn_right = t;
+ x->rn_parent = t;
+ t->rn_parent = p;
+ if ((cp[t->rn_offset] & t->rn_bmask) == 0) {
+ t->rn_right = x;
+ } else {
+ t->rn_right = tt;
+ t->rn_left = x;
}
return (tt);
}
@@ -718,6 +733,8 @@ rn_addroute(v_arg, n_arg, head, treenodes)
* find it among possible duplicate key entries
* anyway, so the above test doesn't hurt.
*
+ * Insert treenodes before tt.
+ *
* We sort the masks for a duplicated key the same way as
* in a masklist -- most specific to least specific.
* This may require the unfortunate nuisance of relocating
@@ -758,22 +775,54 @@ rn_addroute(v_arg, n_arg, head, treenodes)
tt->rn_bit = x->rn_bit;
tt->rn_flags |= x->rn_flags & RNF_NORMAL;
}
+ /* BEGIN CSTYLED */
+ /*
+ * at this point the parent-child relationship for p, t, x, tt is
+ * one of the following:
+ * p p
+ * : (left/right child) :
+ * : :
+ * t t
+ * / \ / \
+ * x tt tt x
+ *
+ * tt == saved_tt returned by rn_insert().
+ */
+ /* END CSTYLED */
t = saved_tt->rn_parent;
if (keyduplicated)
goto key_exists;
b_leaf = -1 - t->rn_bit;
+ /*
+ * b_leaf is now normalized to be in the leaf rn_bit format
+ * (it is the rn_bit value of a leaf corresponding to netmask
+ * of t->rn_bit).
+ */
if (t->rn_right == saved_tt)
x = t->rn_left;
else
x = t->rn_right;
- /* Promote general routes from below */
+ /*
+ * Promote general routes from below.
+ * Identify the less specific netmasks and add them to t->rm_mklist
+ */
if (x->rn_bit < 0) {
- for (mp = &t->rn_mklist; x; x = x->rn_dupedkey)
- if (x->rn_mask && (x->rn_bit >= b_leaf) && x->rn_mklist == 0) {
- *mp = m = rn_new_radix_mask(x, 0);
- if (m)
- mp = &m->rm_mklist;
- }
+ /* x is the sibling node. it is a leaf node. */
+ for (mp = &t->rn_mklist; x; x = x->rn_dupedkey)
+ if (x->rn_mask && (x->rn_bit >= b_leaf) &&
+ x->rn_mklist == 0) {
+ /*
+ * x is the first node in the dupedkey chain
+ * without a mklist, and with a shorter mask
+ * than b_leaf. Create a radix_mask
+ * corresponding to x's mask and add it to
+ * t's rn_mklist. The mask list gets created
+ * in decreasing order of mask length.
+ */
+ *mp = m = rn_new_radix_mask(x, 0);
+ if (m)
+ mp = &m->rm_mklist;
+ }
} else if (x->rn_mklist) {
/*
* Skip over masks whose index is > that of new node
@@ -788,6 +837,7 @@ key_exists:
if ((netmask == 0) || (b > t->rn_bit))
return (tt); /* can't lift at all */
b_leaf = tt->rn_bit;
+ /* b is the index of the netmask */
do {
x = t;
t = t->rn_parent;
diff --git a/usr/src/lib/brand/native/zone/platform.xml b/usr/src/lib/brand/native/zone/platform.xml
index e988200bde..0225a51dc7 100644
--- a/usr/src/lib/brand/native/zone/platform.xml
+++ b/usr/src/lib/brand/native/zone/platform.xml
@@ -106,7 +106,6 @@
<device match="ipsecesp" ip-type="exclusive" />
<device match="ipstate" ip-type="exclusive" />
<device match="ipsync" ip-type="exclusive" />
- <device match="iptunq" ip-type="exclusive" />
<device match="keysock" ip-type="exclusive" />
<device match="rawip" ip-type="exclusive" />
<device match="rawip6" ip-type="exclusive" />
@@ -117,6 +116,7 @@
<device match="spdsock" ip-type="exclusive" />
<device match="sppp" ip-type="exclusive" />
<device match="sppptun" ip-type="exclusive" />
+ <device match="vni" ip-type="exclusive" />
<!-- Renamed devices to create under /dev -->
<device match="zcons/%z/zoneconsole" name="zconsole" />
diff --git a/usr/src/lib/brand/solaris10/zone/platform.xml b/usr/src/lib/brand/solaris10/zone/platform.xml
index fa396ec222..89f7035615 100644
--- a/usr/src/lib/brand/solaris10/zone/platform.xml
+++ b/usr/src/lib/brand/solaris10/zone/platform.xml
@@ -123,7 +123,6 @@
<device match="ipsecesp" ip-type="exclusive" />
<device match="ipstate" ip-type="exclusive" />
<device match="ipsync" ip-type="exclusive" />
- <device match="iptunq" ip-type="exclusive" />
<device match="keysock" ip-type="exclusive" />
<device match="rawip" ip-type="exclusive" />
<device match="rawip6" ip-type="exclusive" />
@@ -134,6 +133,7 @@
<device match="spdsock" ip-type="exclusive" />
<device match="sppp" ip-type="exclusive" />
<device match="sppptun" ip-type="exclusive" />
+ <device match="vni" ip-type="exclusive" />
<!-- Renamed devices to create under /dev -->
<device match="zcons/%z/zoneconsole" name="zconsole" />
diff --git a/usr/src/pkgdefs/SUNWckr/prototype_com b/usr/src/pkgdefs/SUNWckr/prototype_com
index 30679b7037..86489c1422 100644
--- a/usr/src/pkgdefs/SUNWckr/prototype_com
+++ b/usr/src/pkgdefs/SUNWckr/prototype_com
@@ -92,7 +92,6 @@ f none kernel/drv/ippctl.conf 644 root sys
f none kernel/drv/ipsecah.conf 644 root sys
f none kernel/drv/ipsecesp.conf 644 root sys
f none kernel/drv/iptun.conf 644 root sys
-f none kernel/drv/iptunq.conf 644 root sys
f none kernel/drv/iwscn.conf 644 root sys
f none kernel/drv/keysock.conf 644 root sys
f none kernel/drv/kmdb.conf 644 root sys
diff --git a/usr/src/pkgdefs/SUNWckr/prototype_i386 b/usr/src/pkgdefs/SUNWckr/prototype_i386
index 2a6676197e..5f886a8d60 100644
--- a/usr/src/pkgdefs/SUNWckr/prototype_i386
+++ b/usr/src/pkgdefs/SUNWckr/prototype_i386
@@ -103,7 +103,6 @@ f none kernel/drv/ippctl 755 root sys
f none kernel/drv/ipsecah 755 root sys
f none kernel/drv/ipsecesp 755 root sys
f none kernel/drv/iptun 755 root sys
-f none kernel/drv/iptunq 755 root sys
f none kernel/drv/iwscn 755 root sys
f none kernel/drv/kb8042 755 root sys
f none kernel/drv/keysock 755 root sys
@@ -326,7 +325,6 @@ f none kernel/drv/amd64/ippctl 755 root sys
f none kernel/drv/amd64/ipsecah 755 root sys
f none kernel/drv/amd64/ipsecesp 755 root sys
f none kernel/drv/amd64/iptun 755 root sys
-f none kernel/drv/amd64/iptunq 755 root sys
f none kernel/drv/amd64/iwscn 755 root sys
f none kernel/drv/amd64/kb8042 755 root sys
f none kernel/drv/amd64/keysock 755 root sys
diff --git a/usr/src/pkgdefs/SUNWckr/prototype_sparc b/usr/src/pkgdefs/SUNWckr/prototype_sparc
index e086c94862..c2824f989c 100644
--- a/usr/src/pkgdefs/SUNWckr/prototype_sparc
+++ b/usr/src/pkgdefs/SUNWckr/prototype_sparc
@@ -94,7 +94,6 @@ f none kernel/drv/sparcv9/ippctl 755 root sys
f none kernel/drv/sparcv9/ipsecah 755 root sys
f none kernel/drv/sparcv9/ipsecesp 755 root sys
f none kernel/drv/sparcv9/iptun 755 root sys
-f none kernel/drv/sparcv9/iptunq 755 root sys
f none kernel/drv/sparcv9/isp 755 root sys
f none kernel/drv/sparcv9/iwscn 755 root sys
f none kernel/drv/sparcv9/kb8042 755 root sys
diff --git a/usr/src/pkgdefs/SUNWhea/prototype_com b/usr/src/pkgdefs/SUNWhea/prototype_com
index 3129ef6be5..e3bfe3f348 100644
--- a/usr/src/pkgdefs/SUNWhea/prototype_com
+++ b/usr/src/pkgdefs/SUNWhea/prototype_com
@@ -242,6 +242,7 @@ d none usr/include/inet 755 root bin
f none usr/include/inet/arp.h 644 root bin
f none usr/include/inet/common.h 644 root bin
f none usr/include/inet/ip.h 644 root bin
+f none usr/include/inet/ip_arp.h 644 root bin
f none usr/include/inet/ip_if.h 644 root bin
f none usr/include/inet/ip_ire.h 644 root bin
f none usr/include/inet/ip_ftable.h 644 root bin
diff --git a/usr/src/pkgdefs/etc/exception_list_i386 b/usr/src/pkgdefs/etc/exception_list_i386
index 09514a0ecc..ee760eba55 100644
--- a/usr/src/pkgdefs/etc/exception_list_i386
+++ b/usr/src/pkgdefs/etc/exception_list_i386
@@ -365,7 +365,6 @@ usr/lib/amd64/llib-like.ln i386
usr/lib/amd64/libipsecutil.so i386
usr/lib/amd64/llib-lipsecutil.ln i386
#
-usr/include/inet/arp_impl.h i386
usr/include/inet/rawip_impl.h i386
usr/include/inet/udp_impl.h i386
usr/include/inet/tcp_impl.h i386
diff --git a/usr/src/pkgdefs/etc/exception_list_sparc b/usr/src/pkgdefs/etc/exception_list_sparc
index 5a32c55a05..533552b058 100644
--- a/usr/src/pkgdefs/etc/exception_list_sparc
+++ b/usr/src/pkgdefs/etc/exception_list_sparc
@@ -354,7 +354,6 @@ usr/share/lib/locale/com/sun/dhcpmgr/cli/dhcpconfig/ResourceBundle.properties sp
usr/share/lib/locale/com/sun/dhcpmgr/cli/dhtadm/ResourceBundle.properties sparc
usr/share/lib/locale/com/sun/dhcpmgr/cli/pntadm/ResourceBundle.properties sparc
#
-usr/include/inet/arp_impl.h sparc
usr/include/inet/rawip_impl.h sparc
usr/include/inet/udp_impl.h sparc
usr/include/inet/tcp_impl.h sparc
diff --git a/usr/src/tools/scripts/bfu.sh b/usr/src/tools/scripts/bfu.sh
index be820004e4..e4e9a36ab2 100644
--- a/usr/src/tools/scripts/bfu.sh
+++ b/usr/src/tools/scripts/bfu.sh
@@ -8010,6 +8010,12 @@ mondo_loop() {
rm -f $root/kernel/strmod/sparcv9/tun
rm -f $root/kernel/strmod/amd64/tun
+ # Remove obsolete iptunq
+ rm -f $root/kernel/drv/iptunq
+ rm -f $root/kernel/drv/iptunq.conf
+ rm -f $root/kernel/drv/amd64/iptunq
+ rm -f $root/kernel/drv/sparcv9/iptunq
+
#
# Remove libtopo platform XML files that have been replaced by propmap
# files.
diff --git a/usr/src/uts/common/Makefile.files b/usr/src/uts/common/Makefile.files
index 042685bc5a..550606f39c 100644
--- a/usr/src/uts/common/Makefile.files
+++ b/usr/src/uts/common/Makefile.files
@@ -514,7 +514,7 @@ TOKENMT_OBJS += tokenmt.o tokenmtddi.o
TSWTCL_OBJS += tswtcl.o tswtclddi.o
-ARP_OBJS += arpddi.o arp.o arp_netinfo.o
+ARP_OBJS += arpddi.o
ICMP_OBJS += icmpddi.o
@@ -535,13 +535,15 @@ IP_SCTP_OBJS = sctp.o sctp_opt_data.o sctp_output.o \
sctp_addr.o tn_ipopt.o tnet.o ip_netinfo.o
IP_ILB_OBJS = ilb.o ilb_nat.o ilb_conn.o ilb_alg_hash.o ilb_alg_rr.o
-IP_OBJS += igmp.o ipmp.o ip.o ip6.o ip6_asp.o ip6_if.o ip6_ire.o ip6_rts.o \
- ip_if.o ip_ire.o ip_listutils.o ip_mroute.o \
- ip_multi.o ip2mac.o ip_ndp.o ip_opt_data.o ip_rts.o ip_srcid.o \
+IP_OBJS += igmp.o ipmp.o ip.o ip6.o ip6_asp.o ip6_if.o ip6_ire.o \
+ ip6_rts.o ip_if.o ip_ire.o ip_listutils.o ip_mroute.o \
+ ip_multi.o ip2mac.o ip_ndp.o ip_rts.o ip_srcid.o \
ipddi.o ipdrop.o mi.o nd.o optcom.o snmpcom.o ipsec_loader.o \
spd.o ipclassifier.o inet_common.o ip_squeue.o squeue.o \
ip_sadb.o ip_ftable.o proto_set.o radix.o ip_dummy.o \
- ip_helper_stream.o iptunq.o \
+ ip_helper_stream.o \
+ ip_output.o ip_input.o ip6_input.o ip6_output.o ip_arp.o \
+ conn_opt.o ip_attr.o ip_dce.o \
$(IP_ICMP_OBJS) \
$(IP_RTS_OBJS) \
$(IP_TCP_OBJS) \
@@ -644,8 +646,6 @@ MAC_IB_OBJS += mac_ib.o
IPTUN_OBJS += iptun_dev.o iptun_ctl.o iptun.o
-IPTUNQ_OBJS += iptunq_ddi.o
-
AGGR_OBJS += aggr_dev.o aggr_ctl.o aggr_grp.o aggr_port.o \
aggr_send.o aggr_recv.o aggr_lacp.o
diff --git a/usr/src/uts/common/fs/sockfs/sockcommon.h b/usr/src/uts/common/fs/sockfs/sockcommon.h
index f3ffe456f1..fac10a8935 100644
--- a/usr/src/uts/common/fs/sockfs/sockcommon.h
+++ b/usr/src/uts/common/fs/sockfs/sockcommon.h
@@ -184,8 +184,7 @@ extern int so_dequeue_msg(struct sonode *, mblk_t **, struct uio *,
extern void so_enqueue_msg(struct sonode *, mblk_t *, size_t);
extern void so_process_new_message(struct sonode *, mblk_t *, mblk_t *);
-extern mblk_t *socopyinuio(uio_t *, ssize_t, size_t, ssize_t, size_t, int *,
- cred_t *);
+extern mblk_t *socopyinuio(uio_t *, ssize_t, size_t, ssize_t, size_t, int *);
extern mblk_t *socopyoutuio(mblk_t *, struct uio *, ssize_t, int *);
extern boolean_t somsghasdata(mblk_t *);
diff --git a/usr/src/uts/common/fs/sockfs/sockcommon_sops.c b/usr/src/uts/common/fs/sockfs/sockcommon_sops.c
index 48a3e37921..4521fdd352 100644
--- a/usr/src/uts/common/fs/sockfs/sockcommon_sops.c
+++ b/usr/src/uts/common/fs/sockfs/sockcommon_sops.c
@@ -470,8 +470,7 @@ so_sendmsg(struct sonode *so, struct nmsghdr *msg, struct uio *uiop,
so->so_proto_props.sopp_maxpsz,
so->so_proto_props.sopp_wroff,
so->so_proto_props.sopp_maxblk,
- so->so_proto_props.sopp_tail, &error,
- cr)) == NULL) {
+ so->so_proto_props.sopp_tail, &error)) == NULL) {
break;
}
ASSERT(uiop->uio_resid >= 0);
diff --git a/usr/src/uts/common/fs/sockfs/sockcommon_subr.c b/usr/src/uts/common/fs/sockfs/sockcommon_subr.c
index a244c65bc6..9b806d0a4a 100644
--- a/usr/src/uts/common/fs/sockfs/sockcommon_subr.c
+++ b/usr/src/uts/common/fs/sockfs/sockcommon_subr.c
@@ -471,7 +471,7 @@ socket_sendsig(struct sonode *so, int event)
/* Copy userdata into a new mblk_t */
mblk_t *
socopyinuio(uio_t *uiop, ssize_t iosize, size_t wroff, ssize_t maxblk,
- size_t tail_len, int *errorp, cred_t *cr)
+ size_t tail_len, int *errorp)
{
mblk_t *head = NULL, **tail = &head;
@@ -499,11 +499,7 @@ socopyinuio(uio_t *uiop, ssize_t iosize, size_t wroff, ssize_t maxblk,
blocksize = MIN(iosize, maxblk);
ASSERT(blocksize >= 0);
- if (is_system_labeled())
- mp = allocb_cred(wroff + blocksize + tail_len,
- cr, curproc->p_pid);
- else
- mp = allocb(wroff + blocksize + tail_len, BPRI_MED);
+ mp = allocb(wroff + blocksize + tail_len, BPRI_MED);
if (mp == NULL) {
*errorp = ENOMEM;
return (head);
diff --git a/usr/src/uts/common/fs/sockfs/socktpi.c b/usr/src/uts/common/fs/sockfs/socktpi.c
index b2a178fbcb..bfbd67ad81 100644
--- a/usr/src/uts/common/fs/sockfs/socktpi.c
+++ b/usr/src/uts/common/fs/sockfs/socktpi.c
@@ -5506,205 +5506,6 @@ sotpi_setsockopt(struct sonode *so, int level, int option_name,
so_lock_single(so); /* Set SOLOCKED */
mutex_exit(&so->so_lock);
- /*
- * For SOCKET or TCP level options, try to set it here itself
- * provided socket has not been popped and we know the tcp
- * structure (stored in so_priv).
- */
- if ((level == SOL_SOCKET || level == IPPROTO_TCP) &&
- (so->so_family == AF_INET || so->so_family == AF_INET6) &&
- (so->so_version == SOV_SOCKSTREAM) &&
- (so->so_proto_handle != NULL)) {
- tcp_t *tcp = (tcp_t *)so->so_proto_handle;
- boolean_t onoff;
-
-#define intvalue (*(int32_t *)optval)
-
- switch (level) {
- case SOL_SOCKET:
- switch (option_name) { /* Check length param */
- case SO_DEBUG:
- case SO_REUSEADDR:
- case SO_DONTROUTE:
- case SO_BROADCAST:
- case SO_USELOOPBACK:
- case SO_OOBINLINE:
- case SO_DGRAM_ERRIND:
- if (optlen != (t_uscalar_t)sizeof (int32_t)) {
- error = EINVAL;
- eprintsoline(so, error);
- mutex_enter(&so->so_lock);
- goto done2;
- }
- ASSERT(optval);
- onoff = intvalue != 0;
- handled = B_TRUE;
- break;
- case SO_SNDTIMEO:
- case SO_RCVTIMEO:
- if (get_udatamodel() == DATAMODEL_NONE ||
- get_udatamodel() == DATAMODEL_NATIVE) {
- if (optlen !=
- sizeof (struct timeval)) {
- error = EINVAL;
- eprintsoline(so, error);
- mutex_enter(&so->so_lock);
- goto done2;
- }
- } else {
- if (optlen !=
- sizeof (struct timeval32)) {
- error = EINVAL;
- eprintsoline(so, error);
- mutex_enter(&so->so_lock);
- goto done2;
- }
- }
- ASSERT(optval);
- handled = B_TRUE;
- break;
- case SO_LINGER:
- if (optlen !=
- (t_uscalar_t)sizeof (struct linger)) {
- error = EINVAL;
- eprintsoline(so, error);
- mutex_enter(&so->so_lock);
- goto done2;
- }
- ASSERT(optval);
- handled = B_TRUE;
- break;
- }
-
- switch (option_name) { /* Do actions */
- case SO_LINGER: {
- struct linger *lgr = (struct linger *)optval;
-
- if (lgr->l_onoff) {
- tcp->tcp_linger = 1;
- tcp->tcp_lingertime = lgr->l_linger;
- so->so_linger.l_onoff = SO_LINGER;
- so->so_options |= SO_LINGER;
- } else {
- tcp->tcp_linger = 0;
- tcp->tcp_lingertime = 0;
- so->so_linger.l_onoff = 0;
- so->so_options &= ~SO_LINGER;
- }
- so->so_linger.l_linger = lgr->l_linger;
- handled = B_TRUE;
- break;
- }
- case SO_SNDTIMEO:
- case SO_RCVTIMEO: {
- struct timeval tl;
- clock_t val;
-
- if (get_udatamodel() == DATAMODEL_NONE ||
- get_udatamodel() == DATAMODEL_NATIVE)
- bcopy(&tl, (struct timeval *)optval,
- sizeof (struct timeval));
- else
- TIMEVAL32_TO_TIMEVAL(&tl,
- (struct timeval32 *)optval);
- val = tl.tv_sec * 1000 * 1000 + tl.tv_usec;
- if (option_name == SO_RCVTIMEO)
- so->so_rcvtimeo = drv_usectohz(val);
- else
- so->so_sndtimeo = drv_usectohz(val);
- break;
- }
-
- case SO_DEBUG:
- tcp->tcp_debug = onoff;
-#ifdef SOCK_TEST
- if (intvalue & 2)
- sock_test_timelimit = 10 * hz;
- else
- sock_test_timelimit = 0;
-
- if (intvalue & 4)
- do_useracc = 0;
- else
- do_useracc = 1;
-#endif /* SOCK_TEST */
- break;
- case SO_DONTROUTE:
- /*
- * SO_DONTROUTE, SO_USELOOPBACK and
- * SO_BROADCAST are only of interest to IP.
- * We track them here only so
- * that we can report their current value.
- */
- tcp->tcp_dontroute = onoff;
- if (onoff)
- so->so_options |= option_name;
- else
- so->so_options &= ~option_name;
- break;
- case SO_USELOOPBACK:
- tcp->tcp_useloopback = onoff;
- if (onoff)
- so->so_options |= option_name;
- else
- so->so_options &= ~option_name;
- break;
- case SO_BROADCAST:
- tcp->tcp_broadcast = onoff;
- if (onoff)
- so->so_options |= option_name;
- else
- so->so_options &= ~option_name;
- break;
- case SO_REUSEADDR:
- tcp->tcp_reuseaddr = onoff;
- if (onoff)
- so->so_options |= option_name;
- else
- so->so_options &= ~option_name;
- break;
- case SO_OOBINLINE:
- tcp->tcp_oobinline = onoff;
- if (onoff)
- so->so_options |= option_name;
- else
- so->so_options &= ~option_name;
- break;
- case SO_DGRAM_ERRIND:
- tcp->tcp_dgram_errind = onoff;
- if (onoff)
- so->so_options |= option_name;
- else
- so->so_options &= ~option_name;
- break;
- }
- break;
- case IPPROTO_TCP:
- switch (option_name) {
- case TCP_NODELAY:
- if (optlen != (t_uscalar_t)sizeof (int32_t)) {
- error = EINVAL;
- eprintsoline(so, error);
- mutex_enter(&so->so_lock);
- goto done2;
- }
- ASSERT(optval);
- tcp->tcp_naglim = intvalue ? 1 : tcp->tcp_mss;
- handled = B_TRUE;
- break;
- }
- break;
- default:
- handled = B_FALSE;
- break;
- }
- }
-
- if (handled) {
- mutex_enter(&so->so_lock);
- goto done2;
- }
-
optmgmt_req.PRIM_type = T_SVR4_OPTMGMT_REQ;
optmgmt_req.MGMT_flags = T_NEGOTIATE;
optmgmt_req.OPT_length = (t_scalar_t)sizeof (oh) + optlen;
diff --git a/usr/src/uts/common/inet/Makefile b/usr/src/uts/common/inet/Makefile
index 052c010aea..3d45e4861c 100644
--- a/usr/src/uts/common/inet/Makefile
+++ b/usr/src/uts/common/inet/Makefile
@@ -28,12 +28,12 @@
# include global definitions
include ../../../Makefile.master
-HDRS= arp.h arp_impl.h common.h ipclassifier.h ip.h ip6.h ipdrop.h ipnet.h \
+HDRS= arp.h common.h ipclassifier.h ip.h ip6.h ipdrop.h ipnet.h \
ipsecah.h ipsecesp.h ipsec_info.h iptun.h ip6_asp.h ip_if.h ip_ire.h \
ip_multi.h ip_netinfo.h ip_ndp.h ip_rts.h ipsec_impl.h keysock.h \
led.h mi.h mib2.h nd.h optcom.h sadb.h sctp_itf.h snmpcom.h tcp.h \
tcp_sack.h tcp_stack.h udp_impl.h rawip_impl.h ipp_common.h \
- ip_ftable.h ip_impl.h ip_stack.h tcp_impl.h wifi_ioctl.h \
+ ip_ftable.h ip_impl.h ip_stack.h ip_arp.h tcp_impl.h wifi_ioctl.h \
ip2mac.h ip2mac_impl.h
ROOTDIRS= $(ROOT)/usr/include/inet
diff --git a/usr/src/uts/common/inet/arp.h b/usr/src/uts/common/inet/arp.h
index 4351c91666..de0602e1f7 100644
--- a/usr/src/uts/common/inet/arp.h
+++ b/usr/src/uts/common/inet/arp.h
@@ -28,7 +28,6 @@
#define _INET_ARP_H
#include <sys/types.h>
-#include <net/if.h>
#ifdef __cplusplus
extern "C" {
@@ -45,30 +44,7 @@ extern "C" {
#define RARP_REQUEST 3
#define RARP_RESPONSE 4
-#define AR_IOCTL (((unsigned)'A' & 0xFF)<<8)
-#define CMD_IN_PROGRESS 0x10000
-
-#define AR_ENTRY_ADD (AR_IOCTL + 1)
-#define AR_ENTRY_DELETE (AR_IOCTL + 2)
-#define AR_ENTRY_QUERY (AR_IOCTL + 3)
-#define AR_ENTRY_SQUERY (AR_IOCTL + 6)
-#define AR_MAPPING_ADD (AR_IOCTL + 7)
-#define AR_CLIENT_NOTIFY (AR_IOCTL + 8)
-#define AR_INTERFACE_UP (AR_IOCTL + 9)
-#define AR_INTERFACE_DOWN (AR_IOCTL + 10)
-#define AR_INTERFACE_ON (AR_IOCTL + 12)
-#define AR_INTERFACE_OFF (AR_IOCTL + 13)
-#define AR_DLPIOP_DONE (AR_IOCTL + 14)
-/*
- * This is not an ARP command per se, it is used to interface between
- * ARP and IP during close.
- */
-#define AR_ARP_CLOSING (AR_IOCTL + 16)
-#define AR_ARP_EXTEND (AR_IOCTL + 17)
-#define AR_IPMP_ACTIVATE (AR_IOCTL + 18)
-#define AR_IPMP_DEACTIVATE (AR_IOCTL + 19)
-
-/* Both ace_flags and area_flags; must also modify arp.c in mdb */
+/* Both ace_flags; must also modify arp.c in mdb */
#define ACE_F_PERMANENT 0x0001
#define ACE_F_PUBLISH 0x0002
#define ACE_F_DYING 0x0004
@@ -84,123 +60,6 @@ extern "C" {
#define ACE_F_DELAYED 0x0800 /* rescheduled on arp_defend_rate */
#define ACE_F_DAD_ABORTED 0x1000 /* DAD was aborted on link down */
-/* ared_flags */
-#define ARED_F_PRESERVE_PERM 0x0001 /* preserve permanent ace */
-
-/* ARP Command Structures */
-
-/* arc_t - Common command overlay */
-typedef struct ar_cmd_s {
- uint32_t arc_cmd;
- uint32_t arc_name_offset;
- uint32_t arc_name_length;
-} arc_t;
-
-/*
- * NOTE: when using area_t for an AR_ENTRY_SQUERY, the area_hw_addr_offset
- * field isn't what you might think. See comments in ip_multi.c where
- * the routine ill_create_squery() is called, and also in the routine
- * itself, to see how this field is used *only* when the area_t holds
- * an AR_ENTRY_SQUERY.
- */
-typedef struct ar_entry_add_s {
- uint32_t area_cmd;
- uint32_t area_name_offset;
- uint32_t area_name_length;
- uint32_t area_proto;
- uint32_t area_proto_addr_offset;
- uint32_t area_proto_addr_length;
- uint32_t area_proto_mask_offset;
- uint32_t area_flags; /* Same values as ace_flags */
- uint32_t area_hw_addr_offset;
- uint32_t area_hw_addr_length;
-} area_t;
-
-typedef struct ar_entry_delete_s {
- uint32_t ared_cmd;
- uint32_t ared_name_offset;
- uint32_t ared_name_length;
- uint32_t ared_proto;
- uint32_t ared_proto_addr_offset;
- uint32_t ared_proto_addr_length;
- uint32_t ared_flags;
-} ared_t;
-
-typedef struct ar_entry_query_s {
- uint32_t areq_cmd;
- uint32_t areq_name_offset;
- uint32_t areq_name_length;
- uint32_t areq_proto;
- uint32_t areq_target_addr_offset;
- uint32_t areq_target_addr_length;
- uint32_t areq_flags;
- uint32_t areq_sender_addr_offset;
- uint32_t areq_sender_addr_length;
- uint32_t areq_xmit_count; /* 0 ==> cache lookup only */
- uint32_t areq_xmit_interval; /* # of milliseconds; 0: default */
- /* # ofquests to buffer; 0: default */
- uint32_t areq_max_buffered;
- uchar_t areq_sap[8]; /* to insert in returned template */
-} areq_t;
-
-#define AR_EQ_DEFAULT_XMIT_COUNT 6
-#define AR_EQ_DEFAULT_XMIT_INTERVAL 1000
-#define AR_EQ_DEFAULT_MAX_BUFFERED 4
-
-/*
- * Structure used with AR_ENTRY_LLAQUERY to map from the link_addr
- * (in Neighbor Discovery option format excluding the option type and
- * length) to a hardware address.
- * The response has the same format as for an AR_ENTRY_SQUERY - an M_CTL with
- * arel_hw_addr updated.
- * An IPv6 address will be passed in AR_ENTRY_LLAQUERY so that atmip
- * can send it in AR_CLIENT_NOTIFY messages.
- */
-typedef struct ar_entry_llaquery_s {
- uint32_t arel_cmd;
- uint32_t arel_name_offset;
- uint32_t arel_name_length;
- uint32_t arel_link_addr_offset;
- uint32_t arel_link_addr_length;
- uint32_t arel_hw_addr_offset;
- uint32_t arel_hw_addr_length;
- uint32_t arel_ip_addr_offset;
- uint32_t arel_ip_addr_length;
-} arel_t;
-
-typedef struct ar_mapping_add_s {
- uint32_t arma_cmd;
- uint32_t arma_name_offset;
- uint32_t arma_name_length;
- uint32_t arma_proto;
- uint32_t arma_proto_addr_offset;
- uint32_t arma_proto_addr_length;
- uint32_t arma_proto_mask_offset;
- uint32_t arma_proto_extract_mask_offset;
- uint32_t arma_flags;
- uint32_t arma_hw_addr_offset;
- uint32_t arma_hw_addr_length;
- /* Offset were we start placing */
- uint32_t arma_hw_mapping_start;
- /* the mask&proto_addr */
-} arma_t;
-
-/* Structure used to notify ARP of changes to IPMP group topology */
-typedef struct ar_ipmp_event_s {
- uint32_t arie_cmd;
- uint32_t arie_name_offset;
- uint32_t arie_name_length;
- char arie_grifname[LIFNAMSIZ];
-} arie_t;
-
-/* Structure used to notify clients of interesting conditions. */
-typedef struct ar_client_notify_s {
- uint32_t arcn_cmd;
- uint32_t arcn_name_offset;
- uint32_t arcn_name_length;
- uint32_t arcn_code; /* Notification code. */
-} arcn_t;
-
/* Client Notification Codes */
#define AR_CN_BOGON 1
#define AR_CN_ANNOUNCE 2
diff --git a/usr/src/uts/common/inet/arp/arp.c b/usr/src/uts/common/inet/arp/arp.c
deleted file mode 100644
index abdbc39a47..0000000000
--- a/usr/src/uts/common/inet/arp/arp.c
+++ /dev/null
@@ -1,4883 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
- */
-/* Copyright (c) 1990 Mentat Inc. */
-
-/* AR - Address Resolution Protocol */
-
-#include <sys/types.h>
-#include <sys/stream.h>
-#include <sys/stropts.h>
-#include <sys/strsubr.h>
-#include <sys/errno.h>
-#include <sys/strlog.h>
-#include <sys/dlpi.h>
-#include <sys/sockio.h>
-#define _SUN_TPI_VERSION 2
-#include <sys/tihdr.h>
-#include <sys/socket.h>
-#include <sys/ddi.h>
-#include <sys/sunddi.h>
-#include <sys/cmn_err.h>
-#include <sys/sdt.h>
-#include <sys/vtrace.h>
-#include <sys/strsun.h>
-#include <sys/policy.h>
-#include <sys/zone.h>
-#include <sys/ethernet.h>
-#include <sys/zone.h>
-#include <sys/random.h>
-#include <sys/sdt.h>
-#include <sys/hook_event.h>
-
-#include <inet/common.h>
-#include <inet/optcom.h>
-#include <inet/mi.h>
-#include <inet/nd.h>
-#include <inet/snmpcom.h>
-#include <net/if.h>
-#include <inet/arp.h>
-#include <netinet/ip6.h>
-#include <netinet/arp.h>
-#include <inet/ip.h>
-#include <inet/ip_ire.h>
-#include <inet/ip_ndp.h>
-#include <inet/mib2.h>
-#include <inet/arp_impl.h>
-
-/*
- * ARP entry life time and design notes
- * ------------------------------------
- *
- * ARP entries (ACEs) must last at least as long as IP knows about a given
- * MAC-IP translation (i.e., as long as the IRE cache entry exists). It's ok
- * if the ARP entry lasts longer, but not ok if it is removed before the IP
- * entry. The reason for this is that if ARP doesn't have an entry, we will be
- * unable to detect the difference between an ARP broadcast that represents no
- * change (same, known address of sender) and one that represents a change (new
- * address for existing entry). In the former case, we must not notify IP, or
- * we can suffer hurricane attack. In the latter case, we must notify IP, or
- * IP will drift out of sync with the network.
- *
- * Note that IP controls the lifetime of entries, not ARP.
- *
- * We don't attempt to reconfirm aging entries. If the system is no longer
- * talking to a given peer, then it doesn't matter if we have the right mapping
- * for that peer. It would be possible to send queries on aging entries that
- * are active, but this isn't done.
- *
- * IPMP Notes
- * ----------
- *
- * ARP is aware of IPMP. In particular, IP notifies ARP about all "active"
- * (able to transmit data packets) interfaces in a given group via
- * AR_IPMP_ACTIVATE and AR_IPMP_DEACTIVATE messages. These messages, combined
- * with the "IPMP arl_t" that ARP creates over the IPMP DLPI stub driver,
- * enable ARP to track all the arl_t's that are in the same group and thus
- * ensure that ACEs are shared across each group and the arl_t that ARP
- * chooses to transmit on for a given ACE is optimal.
- *
- * ARP relies on IP for hardware address updates. In particular, if the
- * hardware address of an interface changes (DL_NOTE_PHYS_ADDR), then IP will
- * bring the interface down and back up -- and as part of bringing it back
- * up, will send messages to ARP that allow it to update the affected arl's
- * with new hardware addresses.
- *
- * N.B.: One side-effect of this approach is that when an interface fails and
- * then starts to repair, it will temporarily populate the ARP cache with
- * addresses that are owned by it rather than the group's arl_t. To address
- * this, we could add more messages (e.g., AR_IPMP_JOIN and AR_IPMP_LEAVE),
- * but as the issue appears to be only cosmetic (redundant entries in the ARP
- * cache during interace repair), we've kept things simple for now.
- */
-
-/*
- * This is used when scanning for "old" (least recently broadcast) ACEs. We
- * don't want to have to walk the list for every single one, so we gather up
- * batches at a time.
- */
-#define ACE_RESCHED_LIST_LEN 8
-
-typedef struct {
- arl_t *art_arl;
- uint_t art_naces;
- ace_t *art_aces[ACE_RESCHED_LIST_LEN];
-} ace_resched_t;
-
-#define ACE_RESOLVED(ace) ((ace)->ace_flags & ACE_F_RESOLVED)
-#define ACE_NONPERM(ace) \
- (((ace)->ace_flags & (ACE_F_RESOLVED | ACE_F_PERMANENT)) == \
- ACE_F_RESOLVED)
-
-#define AR_DEF_XMIT_INTERVAL 500 /* time in milliseconds */
-#define AR_LL_HDR_SLACK 32 /* Leave the lower layer some room */
-
-#define AR_SNMP_MSG T_OPTMGMT_ACK
-#define AR_DRAINING (void *)0x11
-
-/*
- * The IPv4 Link Local address space is special; we do extra duplicate checking
- * there, as the entire assignment mechanism rests on random numbers.
- */
-#define IS_IPV4_LL_SPACE(ptr) (((uchar_t *)ptr)[0] == 169 && \
- ((uchar_t *)ptr)[1] == 254)
-
-/*
- * Check if the command needs to be enqueued by seeing if there are other
- * commands ahead of us or if some DLPI response is being awaited. Usually
- * there would be an enqueued command in the latter case, however if the
- * stream that originated the command has closed, the close would have
- * cleaned up the enqueued command. AR_DRAINING signifies that the command
- * at the head of the arl_queue has been internally dequeued on completion
- * of the previous command and is being called from ar_dlpi_done
- */
-#define CMD_NEEDS_QUEUEING(mp, arl) \
- (mp->b_prev != AR_DRAINING && (arl->arl_queue != NULL || \
- arl->arl_dlpi_pending != DL_PRIM_INVAL))
-
-#define ARH_FIXED_LEN 8
-
-/*
- * Macro used when creating ACEs to determine the arl that should own it.
- */
-#define OWNING_ARL(arl) \
- ((arl)->arl_ipmp_arl != NULL ? (arl)->arl_ipmp_arl : arl)
-
-/*
- * MAC-specific intelligence. Shouldn't be needed, but the DL_INFO_ACK
- * doesn't quite do it for us.
- */
-typedef struct ar_m_s {
- t_uscalar_t ar_mac_type;
- uint32_t ar_mac_arp_hw_type;
- t_scalar_t ar_mac_sap_length;
- uint32_t ar_mac_hw_addr_length;
-} ar_m_t;
-
-typedef struct msg2_args {
- mblk_t *m2a_mpdata;
- mblk_t *m2a_mptail;
-} msg2_args_t;
-
-static mblk_t *ar_alloc(uint32_t cmd, int);
-static int ar_ce_create(arl_t *arl, uint32_t proto, uchar_t *hw_addr,
- uint32_t hw_addr_len, uchar_t *proto_addr,
- uint32_t proto_addr_len, uchar_t *proto_mask,
- uchar_t *proto_extract_mask, uint32_t hw_extract_start,
- uchar_t *sender_addr, uint32_t flags);
-static void ar_ce_delete(ace_t *ace);
-static void ar_ce_delete_per_arl(ace_t *ace, void *arg);
-static ace_t **ar_ce_hash(arp_stack_t *as, uint32_t proto,
- const uchar_t *proto_addr, uint32_t proto_addr_length);
-static ace_t *ar_ce_lookup(arl_t *arl, uint32_t proto,
- const uchar_t *proto_addr, uint32_t proto_addr_length);
-static ace_t *ar_ce_lookup_entry(arl_t *arl, uint32_t proto,
- const uchar_t *proto_addr, uint32_t proto_addr_length);
-static ace_t *ar_ce_lookup_from_area(arp_stack_t *as, mblk_t *mp,
- ace_t *matchfn());
-static ace_t *ar_ce_lookup_mapping(arl_t *arl, uint32_t proto,
- const uchar_t *proto_addr, uint32_t proto_addr_length);
-static ace_t *ar_ce_lookup_permanent(arp_stack_t *as, uint32_t proto,
- uchar_t *proto_addr, uint32_t proto_addr_length);
-static boolean_t ar_ce_resolve(ace_t *ace, const uchar_t *hw_addr,
- uint32_t hw_addr_length);
-static void ar_ce_walk(arp_stack_t *as, void (*pfi)(ace_t *, void *),
- void *arg1);
-
-static void ar_client_notify(const arl_t *arl, mblk_t *mp, int code);
-static int ar_close(queue_t *q);
-static int ar_cmd_dispatch(queue_t *q, mblk_t *mp, boolean_t from_wput);
-static void ar_cmd_drain(arl_t *arl);
-static void ar_cmd_done(arl_t *arl);
-static mblk_t *ar_dlpi_comm(t_uscalar_t prim, size_t size);
-static void ar_dlpi_send(arl_t *, mblk_t *);
-static void ar_dlpi_done(arl_t *, t_uscalar_t);
-static int ar_entry_add(queue_t *q, mblk_t *mp);
-static int ar_entry_delete(queue_t *q, mblk_t *mp);
-static int ar_entry_query(queue_t *q, mblk_t *mp);
-static int ar_entry_squery(queue_t *q, mblk_t *mp);
-static int ar_interface_up(queue_t *q, mblk_t *mp);
-static int ar_interface_down(queue_t *q, mblk_t *mp);
-static int ar_interface_on(queue_t *q, mblk_t *mp);
-static int ar_interface_off(queue_t *q, mblk_t *mp);
-static int ar_ipmp_activate(queue_t *q, mblk_t *mp);
-static int ar_ipmp_deactivate(queue_t *q, mblk_t *mp);
-static void ar_ll_cleanup_arl_queue(queue_t *q);
-static void ar_ll_down(arl_t *arl);
-static arl_t *ar_ll_lookup_by_name(arp_stack_t *as, const char *name);
-static arl_t *ar_ll_lookup_from_mp(arp_stack_t *as, mblk_t *mp);
-static void ar_ll_init(arp_stack_t *, ar_t *, mblk_t *mp);
-static void ar_ll_set_defaults(arl_t *, mblk_t *mp);
-static void ar_ll_clear_defaults(arl_t *);
-static int ar_ll_up(arl_t *arl);
-static int ar_mapping_add(queue_t *q, mblk_t *mp);
-static boolean_t ar_mask_all_ones(uchar_t *mask, uint32_t mask_len);
-static ar_m_t *ar_m_lookup(t_uscalar_t mac_type);
-static int ar_nd_ioctl(queue_t *q, mblk_t *mp);
-static int ar_open(queue_t *q, dev_t *devp, int flag, int sflag,
- cred_t *credp);
-static int ar_param_get(queue_t *q, mblk_t *mp, caddr_t cp, cred_t *cr);
-static boolean_t ar_param_register(IDP *ndp, arpparam_t *arppa, int cnt);
-static int ar_param_set(queue_t *q, mblk_t *mp, char *value,
- caddr_t cp, cred_t *cr);
-static void ar_query_delete(ace_t *ace, void *ar);
-static void ar_query_reply(ace_t *ace, int ret_val,
- uchar_t *proto_addr, uint32_t proto_addr_len);
-static clock_t ar_query_xmit(arp_stack_t *as, ace_t *ace);
-static void ar_rput(queue_t *q, mblk_t *mp_orig);
-static void ar_rput_dlpi(queue_t *q, mblk_t *mp);
-static void ar_set_address(ace_t *ace, uchar_t *addrpos,
- uchar_t *proto_addr, uint32_t proto_addr_len);
-static int ar_slifname(queue_t *q, mblk_t *mp);
-static int ar_set_ppa(queue_t *q, mblk_t *mp);
-static int ar_snmp_msg(queue_t *q, mblk_t *mp_orig);
-static void ar_snmp_msg2(ace_t *, void *);
-static void ar_wput(queue_t *q, mblk_t *mp);
-static void ar_wsrv(queue_t *q);
-static void ar_xmit(arl_t *arl, uint32_t operation, uint32_t proto,
- uint32_t plen, const uchar_t *haddr1, const uchar_t *paddr1,
- const uchar_t *haddr2, const uchar_t *paddr2, const uchar_t *dstaddr,
- arp_stack_t *as);
-static void ar_cmd_enqueue(arl_t *arl, mblk_t *mp, queue_t *q,
- ushort_t cmd, boolean_t);
-static mblk_t *ar_cmd_dequeue(arl_t *arl);
-
-static void *arp_stack_init(netstackid_t stackid, netstack_t *ns);
-static void arp_stack_fini(netstackid_t stackid, void *arg);
-static void arp_stack_shutdown(netstackid_t stackid, void *arg);
-
-boolean_t arp_no_defense = B_FALSE;
-
-/*
- * All of these are alterable, within the min/max values given,
- * at run time. arp_publish_interval and arp_publish_count are
- * set by default to 2 seconds and 5 respectively. This is
- * useful during FAILOVER/FAILBACK to make sure that the ARP
- * packets are not lost. Assumed that it does not affect the
- * normal operations.
- */
-static arpparam_t arp_param_arr[] = {
- /* min max value name */
- { 30000, 3600000, 300000, "arp_cleanup_interval"},
- { 1000, 20000, 2000, "arp_publish_interval"},
- { 1, 20, 5, "arp_publish_count"},
- { 0, 20000, 1000, "arp_probe_delay"},
- { 10, 20000, 1500, "arp_probe_interval"},
- { 0, 20, 3, "arp_probe_count"},
- { 0, 20000, 100, "arp_fastprobe_delay"},
- { 10, 20000, 150, "arp_fastprobe_interval"},
- { 0, 20, 3, "arp_fastprobe_count"},
- { 0, 3600000, 300000, "arp_defend_interval"},
- { 0, 20000, 100, "arp_defend_rate"},
- { 0, 3600000, 15000, "arp_broadcast_interval"},
- { 5, 86400, 3600, "arp_defend_period"}
-};
-#define as_cleanup_interval as_param_arr[0].arp_param_value
-#define as_publish_interval as_param_arr[1].arp_param_value
-#define as_publish_count as_param_arr[2].arp_param_value
-#define as_probe_delay as_param_arr[3].arp_param_value
-#define as_probe_interval as_param_arr[4].arp_param_value
-#define as_probe_count as_param_arr[5].arp_param_value
-#define as_fastprobe_delay as_param_arr[6].arp_param_value
-#define as_fastprobe_interval as_param_arr[7].arp_param_value
-#define as_fastprobe_count as_param_arr[8].arp_param_value
-#define as_defend_interval as_param_arr[9].arp_param_value
-#define as_defend_rate as_param_arr[10].arp_param_value
-#define as_broadcast_interval as_param_arr[11].arp_param_value
-#define as_defend_period as_param_arr[12].arp_param_value
-
-static struct module_info arp_mod_info = {
- 0, "arp", 0, INFPSZ, 512, 128
-};
-
-static struct qinit arprinit = {
- (pfi_t)ar_rput, NULL, ar_open, ar_close, NULL, &arp_mod_info
-};
-
-static struct qinit arpwinit = {
- (pfi_t)ar_wput, (pfi_t)ar_wsrv, ar_open, ar_close, NULL, &arp_mod_info
-};
-
-struct streamtab arpinfo = {
- &arprinit, &arpwinit
-};
-
-/*
- * TODO: we need a better mechanism to set the ARP hardware type since
- * the DLPI mac type does not include enough predefined values.
- */
-static ar_m_t ar_m_tbl[] = {
- { DL_CSMACD, ARPHRD_ETHER, -2, 6}, /* 802.3 */
- { DL_TPB, ARPHRD_IEEE802, -2, 6}, /* 802.4 */
- { DL_TPR, ARPHRD_IEEE802, -2, 6}, /* 802.5 */
- { DL_METRO, ARPHRD_IEEE802, -2, 6}, /* 802.6 */
- { DL_ETHER, ARPHRD_ETHER, -2, 6}, /* Ethernet */
- { DL_FDDI, ARPHRD_ETHER, -2, 6}, /* FDDI */
- { DL_IB, ARPHRD_IB, -2, 20}, /* Infiniband */
- { DL_OTHER, ARPHRD_ETHER, -2, 6}, /* unknown */
-};
-
-/*
- * Note that all routines which need to queue the message for later
- * processing have to be ioctl_aware to be able to queue the complete message.
- * Following are command entry flags in arct_flags
- */
-#define ARF_IOCTL_AWARE 0x1 /* Arp command can come down as M_IOCTL */
-#define ARF_ONLY_CMD 0x2 /* Command is exclusive to ARP */
-#define ARF_WPUT_OK 0x4 /* Command is allowed from ar_wput */
-
-/* ARP Cmd Table entry */
-typedef struct arct_s {
- int (*arct_pfi)(queue_t *, mblk_t *);
- uint32_t arct_cmd;
- int arct_min_len;
- uint32_t arct_flags;
- int arct_priv_req; /* Privilege required for this cmd */
- const char *arct_txt;
-} arct_t;
-
-/*
- * AR_ENTRY_ADD, QUERY and SQUERY are used by sdp, hence they need to
- * have ARF_WPUT_OK set.
- */
-static arct_t ar_cmd_tbl[] = {
- { ar_entry_add, AR_ENTRY_ADD, sizeof (area_t),
- ARF_IOCTL_AWARE | ARF_ONLY_CMD | ARF_WPUT_OK, OP_CONFIG,
- "AR_ENTRY_ADD" },
- { ar_entry_delete, AR_ENTRY_DELETE, sizeof (ared_t),
- ARF_IOCTL_AWARE | ARF_ONLY_CMD, OP_CONFIG, "AR_ENTRY_DELETE" },
- { ar_entry_query, AR_ENTRY_QUERY, sizeof (areq_t),
- ARF_IOCTL_AWARE | ARF_ONLY_CMD | ARF_WPUT_OK, OP_NP,
- "AR_ENTRY_QUERY" },
- { ar_entry_squery, AR_ENTRY_SQUERY, sizeof (area_t),
- ARF_IOCTL_AWARE | ARF_ONLY_CMD | ARF_WPUT_OK, OP_NP,
- "AR_ENTRY_SQUERY" },
- { ar_mapping_add, AR_MAPPING_ADD, sizeof (arma_t),
- ARF_IOCTL_AWARE | ARF_ONLY_CMD, OP_CONFIG, "AR_MAPPING_ADD" },
- { ar_interface_up, AR_INTERFACE_UP, sizeof (arc_t),
- ARF_ONLY_CMD, OP_CONFIG, "AR_INTERFACE_UP" },
- { ar_interface_down, AR_INTERFACE_DOWN, sizeof (arc_t),
- ARF_ONLY_CMD, OP_CONFIG, "AR_INTERFACE_DOWN" },
- { ar_interface_on, AR_INTERFACE_ON, sizeof (arc_t),
- ARF_ONLY_CMD, OP_CONFIG, "AR_INTERFACE_ON" },
- { ar_interface_off, AR_INTERFACE_OFF, sizeof (arc_t),
- ARF_ONLY_CMD, OP_CONFIG, "AR_INTERFACE_OFF" },
- { ar_ipmp_activate, AR_IPMP_ACTIVATE, sizeof (arie_t),
- ARF_ONLY_CMD, OP_CONFIG, "AR_IPMP_ACTIVATE" },
- { ar_ipmp_deactivate, AR_IPMP_DEACTIVATE, sizeof (arie_t),
- ARF_ONLY_CMD, OP_CONFIG, "AR_IPMP_DEACTIVATE" },
- { ar_set_ppa, (uint32_t)IF_UNITSEL, sizeof (int),
- ARF_IOCTL_AWARE | ARF_WPUT_OK, OP_CONFIG, "IF_UNITSEL" },
- { ar_nd_ioctl, ND_GET, 1,
- ARF_IOCTL_AWARE | ARF_WPUT_OK, OP_NP, "ND_GET" },
- { ar_nd_ioctl, ND_SET, 1,
- ARF_IOCTL_AWARE | ARF_WPUT_OK, OP_CONFIG, "ND_SET" },
- { ar_snmp_msg, AR_SNMP_MSG, sizeof (struct T_optmgmt_ack),
- ARF_IOCTL_AWARE | ARF_WPUT_OK | ARF_ONLY_CMD, OP_NP,
- "AR_SNMP_MSG" },
- { ar_slifname, (uint32_t)SIOCSLIFNAME, sizeof (struct lifreq),
- ARF_IOCTL_AWARE | ARF_WPUT_OK, OP_CONFIG, "SIOCSLIFNAME" }
-};
-
-/*
- * Lookup and return an arl appropriate for sending packets with either source
- * hardware address `hw_addr' or source protocol address `ip_addr', in that
- * order. If neither was specified or neither match, return any arl in the
- * same group as `arl'.
- */
-static arl_t *
-ar_ipmp_lookup_xmit_arl(arl_t *arl, uchar_t *hw_addr, uint_t hw_addrlen,
- uchar_t *ip_addr)
-{
- arlphy_t *ap;
- ace_t *src_ace;
- arl_t *xmit_arl = NULL;
- arp_stack_t *as = ARL_TO_ARPSTACK(arl);
-
- ASSERT(arl->arl_flags & ARL_F_IPMP);
-
- if (hw_addr != NULL && hw_addrlen != 0) {
- xmit_arl = as->as_arl_head;
- for (; xmit_arl != NULL; xmit_arl = xmit_arl->arl_next) {
- /*
- * There may be arls with the same HW address that are
- * not in our IPMP group; we don't want those.
- */
- if (xmit_arl->arl_ipmp_arl != arl)
- continue;
-
- ap = xmit_arl->arl_phy;
- if (ap != NULL && ap->ap_hw_addrlen == hw_addrlen &&
- bcmp(ap->ap_hw_addr, hw_addr, hw_addrlen) == 0)
- break;
- }
-
- DTRACE_PROBE4(xmit_arl_hwsrc, arl_t *, arl, arl_t *,
- xmit_arl, uchar_t *, hw_addr, uint_t, hw_addrlen);
- }
-
- if (xmit_arl == NULL && ip_addr != NULL) {
- src_ace = ar_ce_lookup_permanent(as, IP_ARP_PROTO_TYPE, ip_addr,
- IP_ADDR_LEN);
- if (src_ace != NULL)
- xmit_arl = src_ace->ace_xmit_arl;
-
- DTRACE_PROBE4(xmit_arl_ipsrc, arl_t *, arl, arl_t *,
- xmit_arl, uchar_t *, ip_addr, uint_t, IP_ADDR_LEN);
- }
-
- if (xmit_arl == NULL) {
- xmit_arl = as->as_arl_head;
- for (; xmit_arl != NULL; xmit_arl = xmit_arl->arl_next)
- if (xmit_arl->arl_ipmp_arl == arl && xmit_arl != arl)
- break;
-
- DTRACE_PROBE2(xmit_arl_any, arl_t *, arl, arl_t *, xmit_arl);
- }
-
- return (xmit_arl);
-}
-
-/*
- * ARP Cache Entry creation routine.
- * Cache entries are allocated within timer messages and inserted into
- * the global hash list based on protocol and protocol address.
- */
-static int
-ar_ce_create(arl_t *arl, uint_t proto, uchar_t *hw_addr, uint_t hw_addr_len,
- uchar_t *proto_addr, uint_t proto_addr_len, uchar_t *proto_mask,
- uchar_t *proto_extract_mask, uint_t hw_extract_start, uchar_t *sender_addr,
- uint_t flags)
-{
- static ace_t ace_null;
- ace_t *ace;
- ace_t **acep;
- uchar_t *dst;
- mblk_t *mp;
- arp_stack_t *as = ARL_TO_ARPSTACK(arl);
- arl_t *xmit_arl;
- arlphy_t *ap;
-
- if ((flags & ~ACE_EXTERNAL_FLAGS_MASK) || arl == NULL)
- return (EINVAL);
-
- if (proto_addr == NULL || proto_addr_len == 0 ||
- (proto == IP_ARP_PROTO_TYPE && proto_addr_len != IP_ADDR_LEN))
- return (EINVAL);
-
- if (flags & ACE_F_MYADDR)
- flags |= ACE_F_PUBLISH | ACE_F_AUTHORITY;
-
- /*
- * Latch a transmit arl for this ace.
- */
- if (arl->arl_flags & ARL_F_IPMP) {
- ASSERT(proto == IP_ARP_PROTO_TYPE);
- xmit_arl = ar_ipmp_lookup_xmit_arl(arl, hw_addr, hw_addr_len,
- sender_addr);
- } else {
- xmit_arl = arl;
- }
-
- if (xmit_arl == NULL || xmit_arl->arl_phy == NULL)
- return (EINVAL);
-
- ap = xmit_arl->arl_phy;
-
- if (!hw_addr && hw_addr_len == 0) {
- if (flags == ACE_F_PERMANENT) { /* Not publish */
- /* 224.0.0.0 to zero length address */
- flags |= ACE_F_RESOLVED;
- } else { /* local address and unresolved case */
- hw_addr = ap->ap_hw_addr;
- hw_addr_len = ap->ap_hw_addrlen;
- if (flags & ACE_F_PUBLISH)
- flags |= ACE_F_RESOLVED;
- }
- } else {
- flags |= ACE_F_RESOLVED;
- }
-
- /* Handle hw_addr_len == 0 for DL_ENABMULTI_REQ etc. */
- if (hw_addr_len != 0 && hw_addr == NULL)
- return (EINVAL);
- if (hw_addr_len < ap->ap_hw_addrlen && hw_addr_len != 0)
- return (EINVAL);
- if (!proto_extract_mask && (flags & ACE_F_MAPPING))
- return (EINVAL);
-
- /*
- * If the underlying link doesn't have reliable up/down notification or
- * if we're working with the IPv4 169.254.0.0/16 Link Local Address
- * space, then don't use the fast timers. Otherwise, use them.
- */
- if (ap->ap_notifies &&
- !(proto == IP_ARP_PROTO_TYPE && IS_IPV4_LL_SPACE(proto_addr))) {
- flags |= ACE_F_FAST;
- }
-
- /*
- * Allocate the timer block to hold the ace.
- * (ace + proto_addr + proto_addr_mask + proto_extract_mask + hw_addr)
- */
- mp = mi_timer_alloc(sizeof (ace_t) + proto_addr_len + proto_addr_len +
- proto_addr_len + hw_addr_len);
- if (!mp)
- return (ENOMEM);
- ace = (ace_t *)mp->b_rptr;
- *ace = ace_null;
- ace->ace_proto = proto;
- ace->ace_mp = mp;
- ace->ace_arl = arl;
- ace->ace_xmit_arl = xmit_arl;
-
- dst = (uchar_t *)&ace[1];
-
- ace->ace_proto_addr = dst;
- ace->ace_proto_addr_length = proto_addr_len;
- bcopy(proto_addr, dst, proto_addr_len);
- dst += proto_addr_len;
- /*
- * The proto_mask allows us to add entries which will let us respond
- * to requests for a group of addresses. This makes it easy to provide
- * proxy ARP service for machines that don't understand about the local
- * subnet structure, if, for example, there are BSD4.2 systems lurking.
- */
- ace->ace_proto_mask = dst;
- if (proto_mask != NULL) {
- bcopy(proto_mask, dst, proto_addr_len);
- dst += proto_addr_len;
- } else {
- while (proto_addr_len-- > 0)
- *dst++ = (uchar_t)~0;
- }
-
- if (proto_extract_mask != NULL) {
- ace->ace_proto_extract_mask = dst;
- bcopy(proto_extract_mask, dst, ace->ace_proto_addr_length);
- dst += ace->ace_proto_addr_length;
- } else {
- ace->ace_proto_extract_mask = NULL;
- }
- ace->ace_hw_extract_start = hw_extract_start;
- ace->ace_hw_addr_length = hw_addr_len;
- ace->ace_hw_addr = dst;
- if (hw_addr != NULL) {
- bcopy(hw_addr, dst, hw_addr_len);
- dst += hw_addr_len;
- }
-
- ace->ace_flags = flags;
- if (ar_mask_all_ones(ace->ace_proto_mask,
- ace->ace_proto_addr_length)) {
- acep = ar_ce_hash(as, ace->ace_proto, ace->ace_proto_addr,
- ace->ace_proto_addr_length);
- } else {
- acep = &as->as_ce_mask_entries;
- }
- if ((ace->ace_next = *acep) != NULL)
- ace->ace_next->ace_ptpn = &ace->ace_next;
- *acep = ace;
- ace->ace_ptpn = acep;
- return (0);
-}
-
-/* Delete a cache entry. */
-static void
-ar_ce_delete(ace_t *ace)
-{
- ace_t **acep;
-
- /* Get out of the hash list. */
- acep = ace->ace_ptpn;
- if (ace->ace_next)
- ace->ace_next->ace_ptpn = acep;
- acep[0] = ace->ace_next;
- /* Mark it dying in case we have a timer about to fire. */
- ace->ace_flags |= ACE_F_DYING;
- /* Complete any outstanding queries immediately. */
- ar_query_reply(ace, ENXIO, NULL, (uint32_t)0);
- /* Free the timer, immediately, or when it fires. */
- mi_timer_free(ace->ace_mp);
-}
-
-/*
- * ar_ce_walk routine. Delete the ace if it is associated with the arl
- * that is going away.
- */
-static void
-ar_ce_delete_per_arl(ace_t *ace, void *arl)
-{
- if (ace->ace_arl == arl || ace->ace_xmit_arl == arl) {
- ace->ace_flags &= ~ACE_F_PERMANENT;
- ar_ce_delete(ace);
- }
-}
-
-/*
- * ar_ce_walk routine used when deactivating an `arl' in a group. Deletes
- * `ace' if it was using `arl_arg' as its output interface.
- */
-static void
-ar_ce_ipmp_deactivate(ace_t *ace, void *arl_arg)
-{
- arl_t *arl = arl_arg;
-
- ASSERT(!(arl->arl_flags & ARL_F_IPMP));
-
- if (ace->ace_arl == arl) {
- ASSERT(ace->ace_xmit_arl == arl);
- /*
- * This ACE is tied to the arl leaving the group (e.g., an
- * ACE_F_PERMANENT for a test address) and is not used by the
- * group, so we can leave it be.
- */
- return;
- }
-
- if (ace->ace_xmit_arl != arl)
- return;
-
- ASSERT(ace->ace_arl == arl->arl_ipmp_arl);
-
- /*
- * IP should've already sent us messages asking us to move any
- * ACE_F_MYADDR entries to another arl, but there are two exceptions:
- *
- * 1. The group was misconfigured with interfaces that have duplicate
- * hardware addresses, but in.mpathd was unable to offline those
- * duplicate interfaces.
- *
- * 2. The messages from IP were lost or never created (e.g. due to
- * memory pressure).
- *
- * We handle the first case by just quietly deleting the ACE. Since
- * the second case cannot be distinguished from a more serious bug in
- * the IPMP framework, we ASSERT() that this can't happen on DEBUG
- * systems, but quietly delete the ACE on production systems (the
- * deleted ACE will render the IP address unreachable).
- */
- if (ace->ace_flags & ACE_F_MYADDR) {
- arlphy_t *ap = arl->arl_phy;
- uint_t hw_addrlen = ap->ap_hw_addrlen;
-
- ASSERT(hw_addrlen == ace->ace_hw_addr_length &&
- bcmp(ap->ap_hw_addr, ace->ace_hw_addr, hw_addrlen) == 0);
- }
-
- /*
- * NOTE: it's possible this arl got selected as the ace_xmit_arl when
- * creating an ACE_F_PERMANENT ACE on behalf of an SIOCS*ARP ioctl for
- * an IPMP IP interface. But it's still OK for us to delete such an
- * ACE since ipmp_illgrp_refresh_arpent() will ask us to recreate it
- * and we'll pick another arl then.
- */
- ar_ce_delete(ace);
-}
-
-/* Cache entry hash routine, based on protocol and protocol address. */
-static ace_t **
-ar_ce_hash(arp_stack_t *as, uint32_t proto, const uchar_t *proto_addr,
- uint32_t proto_addr_length)
-{
- const uchar_t *up = proto_addr;
- unsigned int hval = proto;
- int len = proto_addr_length;
-
- while (--len >= 0)
- hval ^= *up++;
- return (&as->as_ce_hash_tbl[hval % ARP_HASH_SIZE]);
-}
-
-/* Cache entry lookup. Try to find an ace matching the parameters passed. */
-ace_t *
-ar_ce_lookup(arl_t *arl, uint32_t proto, const uchar_t *proto_addr,
- uint32_t proto_addr_length)
-{
- ace_t *ace;
-
- ace = ar_ce_lookup_entry(arl, proto, proto_addr, proto_addr_length);
- if (!ace)
- ace = ar_ce_lookup_mapping(arl, proto, proto_addr,
- proto_addr_length);
- return (ace);
-}
-
-/*
- * Cache entry lookup. Try to find an ace matching the parameters passed.
- * Look only for exact entries (no mappings)
- */
-static ace_t *
-ar_ce_lookup_entry(arl_t *arl, uint32_t proto, const uchar_t *proto_addr,
- uint32_t proto_addr_length)
-{
- ace_t *ace;
- arp_stack_t *as = ARL_TO_ARPSTACK(arl);
-
- if (!proto_addr)
- return (NULL);
- ace = *ar_ce_hash(as, proto, proto_addr, proto_addr_length);
- for (; ace; ace = ace->ace_next) {
- if ((ace->ace_arl == arl ||
- ace->ace_arl == arl->arl_ipmp_arl) &&
- ace->ace_proto_addr_length == proto_addr_length &&
- ace->ace_proto == proto) {
- int i1 = proto_addr_length;
- uchar_t *ace_addr = ace->ace_proto_addr;
- uchar_t *mask = ace->ace_proto_mask;
- /*
- * Note that the ace_proto_mask is applied to the
- * proto_addr before comparing to the ace_addr.
- */
- do {
- if (--i1 < 0)
- return (ace);
- } while ((proto_addr[i1] & mask[i1]) == ace_addr[i1]);
- }
- }
- return (ace);
-}
-
-/*
- * Extract cache entry lookup parameters from an external command message, then
- * call the supplied match function.
- */
-static ace_t *
-ar_ce_lookup_from_area(arp_stack_t *as, mblk_t *mp, ace_t *matchfn())
-{
- uchar_t *proto_addr;
- area_t *area = (area_t *)mp->b_rptr;
-
- proto_addr = mi_offset_paramc(mp, area->area_proto_addr_offset,
- area->area_proto_addr_length);
- if (!proto_addr)
- return (NULL);
- return ((*matchfn)(ar_ll_lookup_from_mp(as, mp), area->area_proto,
- proto_addr, area->area_proto_addr_length));
-}
-
-/*
- * Cache entry lookup. Try to find an ace matching the parameters passed.
- * Look only for mappings.
- */
-static ace_t *
-ar_ce_lookup_mapping(arl_t *arl, uint32_t proto, const uchar_t *proto_addr,
- uint32_t proto_addr_length)
-{
- ace_t *ace;
- arp_stack_t *as = ARL_TO_ARPSTACK(arl);
-
- if (!proto_addr)
- return (NULL);
- ace = as->as_ce_mask_entries;
- for (; ace; ace = ace->ace_next) {
- if (ace->ace_arl == arl &&
- ace->ace_proto_addr_length == proto_addr_length &&
- ace->ace_proto == proto) {
- int i1 = proto_addr_length;
- uchar_t *ace_addr = ace->ace_proto_addr;
- uchar_t *mask = ace->ace_proto_mask;
- /*
- * Note that the ace_proto_mask is applied to the
- * proto_addr before comparing to the ace_addr.
- */
- do {
- if (--i1 < 0)
- return (ace);
- } while ((proto_addr[i1] & mask[i1]) == ace_addr[i1]);
- }
- }
- return (ace);
-}
-
-/*
- * Look for a permanent entry for proto_addr across all interfaces.
- */
-static ace_t *
-ar_ce_lookup_permanent(arp_stack_t *as, uint32_t proto, uchar_t *proto_addr,
- uint32_t proto_addr_length)
-{
- ace_t *ace;
-
- ace = *ar_ce_hash(as, proto, proto_addr, proto_addr_length);
- for (; ace != NULL; ace = ace->ace_next) {
- if (!(ace->ace_flags & ACE_F_PERMANENT))
- continue;
- if (ace->ace_proto_addr_length == proto_addr_length &&
- ace->ace_proto == proto) {
- int i1 = proto_addr_length;
- uchar_t *ace_addr = ace->ace_proto_addr;
- uchar_t *mask = ace->ace_proto_mask;
-
- /*
- * Note that the ace_proto_mask is applied to the
- * proto_addr before comparing to the ace_addr.
- */
- do {
- if (--i1 < 0)
- return (ace);
- } while ((proto_addr[i1] & mask[i1]) == ace_addr[i1]);
- }
- }
- return (ace);
-}
-
-/*
- * ar_ce_resolve is called when a response comes in to an outstanding request.
- * Returns 'true' if the address has changed and we need to tell the client.
- * (We don't need to tell the client if there's still an outstanding query.)
- */
-static boolean_t
-ar_ce_resolve(ace_t *ace, const uchar_t *hw_addr, uint32_t hw_addr_length)
-{
- boolean_t hwchanged;
-
- if (hw_addr_length == ace->ace_hw_addr_length) {
- ASSERT(ace->ace_hw_addr != NULL);
- hwchanged = bcmp(hw_addr, ace->ace_hw_addr,
- hw_addr_length) != 0;
- if (hwchanged)
- bcopy(hw_addr, ace->ace_hw_addr, hw_addr_length);
- /*
- * No need to bother with ar_query_reply if no queries are
- * waiting.
- */
- ace->ace_flags |= ACE_F_RESOLVED;
- if (ace->ace_query_mp != NULL)
- ar_query_reply(ace, 0, NULL, (uint32_t)0);
- if (hwchanged)
- return (B_TRUE);
- }
- return (B_FALSE);
-}
-
-/*
- * There are 2 functions performed by this function.
- * 1. Resolution of unresolved entries and update of resolved entries.
- * 2. Detection of nodes with our own IP address (duplicates).
- *
- * If the resolving ARL is in the same group as a matching ACE's ARL, then
- * update the ACE. Otherwise, make no updates.
- *
- * For all entries, we first check to see if this is a duplicate (probable
- * loopback) message. If so, then just ignore it.
- *
- * Next, check to see if the entry has completed DAD. If not, then we've
- * failed, because someone is already using the address. Notify IP of the DAD
- * failure and remove the broken ace.
- *
- * Next, we check if we're the authority for this address. If so, then it's
- * time to defend it, because the other node is a duplicate. Report it as a
- * 'bogon' and let IP decide how to defend.
- *
- * Finally, if it's unresolved or if the arls match, we just update the MAC
- * address. This allows a published 'static' entry to be updated by an ARP
- * request from the node for which we're a proxy ARP server.
- *
- * Note that this logic does not update published ARP entries for mismatched
- * arls, as for example when we proxy arp across 2 subnets with differing
- * subnet masks.
- *
- * Return Values below
- */
-
-#define AR_NOTFOUND 1 /* No matching ace found in cache */
-#define AR_MERGED 2 /* Matching ace updated (RFC 826 Merge_flag) */
-#define AR_LOOPBACK 3 /* Our own arp packet was received */
-#define AR_BOGON 4 /* Another host has our IP addr. */
-#define AR_FAILED 5 /* Duplicate Address Detection has failed */
-#define AR_CHANGED 6 /* Address has changed; tell IP (and merged) */
-
-static int
-ar_ce_resolve_all(arl_t *arl, uint32_t proto, const uchar_t *src_haddr,
- uint32_t hlen, const uchar_t *src_paddr, uint32_t plen, arl_t **ace_arlp)
-{
- ace_t *ace;
- ace_t *ace_next;
- int i1;
- const uchar_t *paddr;
- uchar_t *ace_addr;
- uchar_t *mask;
- int retv = AR_NOTFOUND;
- arp_stack_t *as = ARL_TO_ARPSTACK(arl);
-
- ace = *ar_ce_hash(as, proto, src_paddr, plen);
- for (; ace != NULL; ace = ace_next) {
-
- /* ar_ce_resolve may delete the ace; fetch next pointer now */
- ace_next = ace->ace_next;
-
- if (ace->ace_proto_addr_length != plen ||
- ace->ace_proto != proto) {
- continue;
- }
-
- /*
- * Note that the ace_proto_mask is applied to the proto_addr
- * before comparing to the ace_addr.
- */
- paddr = src_paddr;
- i1 = plen;
- ace_addr = ace->ace_proto_addr;
- mask = ace->ace_proto_mask;
- while (--i1 >= 0) {
- if ((*paddr++ & *mask++) != *ace_addr++)
- break;
- }
- if (i1 >= 0)
- continue;
-
- *ace_arlp = ace->ace_arl;
-
- /*
- * If the IP address is ours, and the hardware address matches
- * one of our own arls, then this is a broadcast packet
- * emitted by one of our interfaces, reflected by the switch
- * and received on another interface. We return AR_LOOPBACK.
- */
- if (ace->ace_flags & ACE_F_MYADDR) {
- arl_t *hw_arl = as->as_arl_head;
- arlphy_t *ap;
-
- for (; hw_arl != NULL; hw_arl = hw_arl->arl_next) {
- ap = hw_arl->arl_phy;
- if (ap != NULL && ap->ap_hw_addrlen == hlen &&
- bcmp(ap->ap_hw_addr, src_haddr, hlen) == 0)
- return (AR_LOOPBACK);
- }
- }
-
- /*
- * If the entry is unverified, then we've just verified that
- * someone else already owns this address, because this is a
- * message with the same protocol address but different
- * hardware address. NOTE: the ace_xmit_arl check ensures we
- * don't send duplicate AR_FAILEDs if arl is in an IPMP group.
- */
- if ((ace->ace_flags & ACE_F_UNVERIFIED) &&
- arl == ace->ace_xmit_arl) {
- ar_ce_delete(ace);
- return (AR_FAILED);
- }
-
- /*
- * If the IP address matches ours and we're authoritative for
- * this entry, then some other node is using our IP addr, so
- * return AR_BOGON. Also reset the transmit count to zero so
- * that, if we're currently in initial announcement mode, we
- * switch back to the lazier defense mode. Knowing that
- * there's at least one duplicate out there, we ought not
- * blindly announce. NOTE: the ace_xmit_arl check ensures we
- * don't send duplicate AR_BOGONs if arl is in an IPMP group.
- */
- if ((ace->ace_flags & ACE_F_AUTHORITY) &&
- arl == ace->ace_xmit_arl) {
- ace->ace_xmit_count = 0;
- return (AR_BOGON);
- }
-
- /*
- * Only update this ACE if it's on the same network -- i.e.,
- * it's for our ARL or another ARL in the same IPMP group.
- */
- if (ace->ace_arl == arl || ace->ace_arl == arl->arl_ipmp_arl) {
- if (ar_ce_resolve(ace, src_haddr, hlen))
- retv = AR_CHANGED;
- else if (retv == AR_NOTFOUND)
- retv = AR_MERGED;
- }
- }
-
- if (retv == AR_NOTFOUND)
- *ace_arlp = NULL;
- return (retv);
-}
-
-/* Pass arg1 to the pfi supplied, along with each ace in existence. */
-static void
-ar_ce_walk(arp_stack_t *as, void (*pfi)(ace_t *, void *), void *arg1)
-{
- ace_t *ace;
- ace_t *ace1;
- int i;
-
- for (i = 0; i < ARP_HASH_SIZE; i++) {
- /*
- * We walk the hash chain in a way that allows the current
- * ace to get blown off by the called routine.
- */
- for (ace = as->as_ce_hash_tbl[i]; ace; ace = ace1) {
- ace1 = ace->ace_next;
- (*pfi)(ace, arg1);
- }
- }
- for (ace = as->as_ce_mask_entries; ace; ace = ace1) {
- ace1 = ace->ace_next;
- (*pfi)(ace, arg1);
- }
-}
-
-/*
- * Send a copy of interesting packets to the corresponding IP instance.
- * The corresponding IP instance is the ARP-IP-DEV instance for this
- * DEV (i.e. ARL).
- */
-static void
-ar_client_notify(const arl_t *arl, mblk_t *mp, int code)
-{
- ar_t *ar = ((ar_t *)arl->arl_rq->q_ptr)->ar_arl_ip_assoc;
- arcn_t *arcn;
- mblk_t *mp1;
- int arl_namelen = strlen(arl->arl_name) + 1;
-
- /* Looks like the association disappeared */
- if (ar == NULL) {
- freemsg(mp);
- return;
- }
-
- /* ar is the corresponding ARP-IP instance for this ARL */
- ASSERT(ar->ar_arl == NULL && ar->ar_wq->q_next != NULL);
-
- mp1 = allocb(sizeof (arcn_t) + arl_namelen, BPRI_MED);
- if (mp1 == NULL) {
- freemsg(mp);
- return;
- }
- DB_TYPE(mp1) = M_CTL;
- mp1->b_cont = mp;
- arcn = (arcn_t *)mp1->b_rptr;
- mp1->b_wptr = (uchar_t *)&arcn[1] + arl_namelen;
- arcn->arcn_cmd = AR_CLIENT_NOTIFY;
- arcn->arcn_name_offset = sizeof (arcn_t);
- arcn->arcn_name_length = arl_namelen;
- arcn->arcn_code = code;
- bcopy(arl->arl_name, &arcn[1], arl_namelen);
-
- putnext(ar->ar_wq, mp1);
-}
-
-/*
- * Send a delete-notify message down to IP. We've determined that IP doesn't
- * have a cache entry for the IP address itself, but it may have other cache
- * entries with the same hardware address, and we don't want to see those grow
- * stale. (The alternative is sending down updates for every ARP message we
- * get that doesn't match an existing ace. That's much more expensive than an
- * occasional delete and reload.)
- */
-static void
-ar_delete_notify(const ace_t *ace)
-{
- const arl_t *arl = ace->ace_arl;
- const arlphy_t *ap = ace->ace_xmit_arl->arl_phy;
- mblk_t *mp;
- size_t len;
- arh_t *arh;
-
- len = sizeof (*arh) + 2 * ace->ace_proto_addr_length;
- mp = allocb(len, BPRI_MED);
- if (mp == NULL)
- return;
- arh = (arh_t *)mp->b_rptr;
- mp->b_wptr = (uchar_t *)arh + len;
- U16_TO_BE16(ap->ap_arp_hw_type, arh->arh_hardware);
- U16_TO_BE16(ace->ace_proto, arh->arh_proto);
- arh->arh_hlen = 0;
- arh->arh_plen = ace->ace_proto_addr_length;
- U16_TO_BE16(ARP_RESPONSE, arh->arh_operation);
- bcopy(ace->ace_proto_addr, arh + 1, ace->ace_proto_addr_length);
- bcopy(ace->ace_proto_addr, (uchar_t *)(arh + 1) +
- ace->ace_proto_addr_length, ace->ace_proto_addr_length);
- ar_client_notify(arl, mp, AR_CN_ANNOUNCE);
-}
-
-/* ARP module close routine. */
-static int
-ar_close(queue_t *q)
-{
- ar_t *ar = (ar_t *)q->q_ptr;
- char name[LIFNAMSIZ];
- arl_t *arl, *xarl;
- arl_t **arlp;
- cred_t *cr;
- arc_t *arc;
- mblk_t *mp1;
- int index;
- arp_stack_t *as = ar->ar_as;
-
- TRACE_1(TR_FAC_ARP, TR_ARP_CLOSE,
- "arp_close: q %p", q);
-
- arl = ar->ar_arl;
- if (arl == NULL) {
- index = 0;
- /*
- * If this is the <ARP-IP-Driver> stream send down
- * a closing message to IP and wait for IP to send
- * an ack. This helps to make sure that messages
- * that are currently being sent up by IP are not lost.
- */
- if (ar->ar_on_ill_stream) {
- mp1 = allocb(sizeof (arc_t), BPRI_MED);
- if (mp1 != NULL) {
- DB_TYPE(mp1) = M_CTL;
- arc = (arc_t *)mp1->b_rptr;
- mp1->b_wptr = mp1->b_rptr + sizeof (arc_t);
- arc->arc_cmd = AR_ARP_CLOSING;
- putnext(WR(q), mp1);
- while (!ar->ar_ip_acked_close)
- /* If we are interrupted break out */
- if (qwait_sig(q) == 0)
- break;
- }
- }
- /* Delete all our pending queries, 'arl' is not dereferenced */
- ar_ce_walk(as, ar_query_delete, ar);
- /*
- * The request could be pending on some arl_queue also. This
- * happens if the arl is not yet bound, and bind is pending.
- */
- ar_ll_cleanup_arl_queue(q);
- } else {
- index = arl->arl_index;
- (void) strcpy(name, arl->arl_name);
- arl->arl_closing = 1;
- while (arl->arl_queue != NULL)
- qwait(arl->arl_rq);
-
- if (arl->arl_state == ARL_S_UP)
- ar_ll_down(arl);
-
- while (arl->arl_state != ARL_S_DOWN)
- qwait(arl->arl_rq);
-
- if (arl->arl_flags & ARL_F_IPMP) {
- /*
- * Though rude, someone could force the IPMP arl
- * closed without removing the underlying interfaces.
- * In that case, force the ARLs out of the group.
- */
- xarl = as->as_arl_head;
- for (; xarl != NULL; xarl = xarl->arl_next) {
- if (xarl->arl_ipmp_arl != arl || xarl == arl)
- continue;
- ar_ce_walk(as, ar_ce_ipmp_deactivate, xarl);
- xarl->arl_ipmp_arl = NULL;
- }
- }
-
- ar_ll_clear_defaults(arl);
- /*
- * If this is the control stream for an arl, delete anything
- * hanging off our arl.
- */
- ar_ce_walk(as, ar_ce_delete_per_arl, arl);
- /* Free any messages waiting for a bind_ack */
- /* Get the arl out of the chain. */
- rw_enter(&as->as_arl_lock, RW_WRITER);
- for (arlp = &as->as_arl_head; *arlp;
- arlp = &(*arlp)->arl_next) {
- if (*arlp == arl) {
- *arlp = arl->arl_next;
- break;
- }
- }
-
- ASSERT(arl->arl_dlpi_deferred == NULL);
- ar->ar_arl = NULL;
- rw_exit(&as->as_arl_lock);
-
- mi_free((char *)arl);
- }
- /* Let's break the association between an ARL and IP instance */
- if (ar->ar_arl_ip_assoc != NULL) {
- ASSERT(ar->ar_arl_ip_assoc->ar_arl_ip_assoc != NULL &&
- ar->ar_arl_ip_assoc->ar_arl_ip_assoc == ar);
- ar->ar_arl_ip_assoc->ar_arl_ip_assoc = NULL;
- ar->ar_arl_ip_assoc = NULL;
- }
- cr = ar->ar_credp;
- /* mi_close_comm frees the instance data. */
- (void) mi_close_comm(&as->as_head, q);
- qprocsoff(q);
- crfree(cr);
-
- if (index != 0) {
- hook_nic_event_t info;
-
- info.hne_nic = index;
- info.hne_lif = 0;
- info.hne_event = NE_UNPLUMB;
- info.hne_data = name;
- info.hne_datalen = strlen(name);
- (void) hook_run(as->as_net_data->netd_hooks,
- as->as_arpnicevents, (hook_data_t)&info);
- }
- netstack_rele(as->as_netstack);
- return (0);
-}
-
-/*
- * Dispatch routine for ARP commands. This routine can be called out of
- * either ar_wput or ar_rput, in response to IOCTLs or M_PROTO messages.
- */
-/* TODO: error reporting for M_PROTO case */
-static int
-ar_cmd_dispatch(queue_t *q, mblk_t *mp_orig, boolean_t from_wput)
-{
- arct_t *arct;
- uint32_t cmd;
- ssize_t len;
- mblk_t *mp = mp_orig;
- cred_t *cr = NULL;
-
- if (!mp)
- return (ENOENT);
-
- /* We get both M_PROTO and M_IOCTL messages, so watch out! */
- if (DB_TYPE(mp) == M_IOCTL) {
- struct iocblk *ioc;
- ioc = (struct iocblk *)mp->b_rptr;
- cmd = ioc->ioc_cmd;
- cr = ioc->ioc_cr;
- mp = mp->b_cont;
- if (!mp)
- return (ENOENT);
- } else {
- cr = msg_getcred(mp, NULL);
- /* For initial messages beteen IP and ARP, cr can be NULL */
- if (cr == NULL)
- cr = ((ar_t *)q->q_ptr)->ar_credp;
- }
- len = MBLKL(mp);
- if (len < sizeof (uint32_t) || !OK_32PTR(mp->b_rptr))
- return (ENOENT);
- if (mp_orig == mp)
- cmd = *(uint32_t *)mp->b_rptr;
- for (arct = ar_cmd_tbl; ; arct++) {
- if (arct >= A_END(ar_cmd_tbl))
- return (ENOENT);
- if (arct->arct_cmd == cmd)
- break;
- }
- if (len < arct->arct_min_len) {
- /*
- * If the command is exclusive to ARP, we return EINVAL,
- * else we need to pass the command downstream, so return
- * ENOENT
- */
- return ((arct->arct_flags & ARF_ONLY_CMD) ? EINVAL : ENOENT);
- }
- if (arct->arct_priv_req != OP_NP) {
- int error;
-
- if ((error = secpolicy_ip(cr, arct->arct_priv_req,
- B_FALSE)) != 0)
- return (error);
- }
- /* Disallow many commands except if from rput i.e. from IP */
- if (from_wput && !(arct->arct_flags & ARF_WPUT_OK)) {
- return (EINVAL);
- }
-
- if (arct->arct_flags & ARF_IOCTL_AWARE)
- mp = mp_orig;
-
- DTRACE_PROBE3(cmd_dispatch, queue_t *, q, mblk_t *, mp,
- arct_t *, arct);
- return (*arct->arct_pfi)(q, mp);
-}
-
-/* Allocate and do common initializations for DLPI messages. */
-static mblk_t *
-ar_dlpi_comm(t_uscalar_t prim, size_t size)
-{
- mblk_t *mp;
-
- if ((mp = allocb(size, BPRI_HI)) == NULL)
- return (NULL);
-
- /*
- * DLPIv2 says that DL_INFO_REQ and DL_TOKEN_REQ (the latter
- * of which we don't seem to use) are sent with M_PCPROTO, and
- * that other DLPI are M_PROTO.
- */
- DB_TYPE(mp) = (prim == DL_INFO_REQ) ? M_PCPROTO : M_PROTO;
-
- mp->b_wptr = mp->b_rptr + size;
- bzero(mp->b_rptr, size);
- ((union DL_primitives *)mp->b_rptr)->dl_primitive = prim;
-
- return (mp);
-}
-
-static void
-ar_dlpi_dispatch(arl_t *arl)
-{
- mblk_t *mp;
- t_uscalar_t primitive = DL_PRIM_INVAL;
-
- while (((mp = arl->arl_dlpi_deferred) != NULL) &&
- (arl->arl_dlpi_pending == DL_PRIM_INVAL)) {
- union DL_primitives *dlp = (union DL_primitives *)mp->b_rptr;
-
- DTRACE_PROBE2(dlpi_dispatch, arl_t *, arl, mblk_t *, mp);
-
- ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO);
- arl->arl_dlpi_deferred = mp->b_next;
- mp->b_next = NULL;
-
- /*
- * If this is a DL_NOTIFY_CONF, no ack is expected.
- */
- if ((primitive = dlp->dl_primitive) != DL_NOTIFY_CONF)
- arl->arl_dlpi_pending = dlp->dl_primitive;
- putnext(arl->arl_wq, mp);
- }
-
- if (arl->arl_dlpi_pending == DL_PRIM_INVAL) {
- /*
- * No pending DLPI operation.
- */
- ASSERT(mp == NULL);
- DTRACE_PROBE1(dlpi_idle, arl_t *, arl);
-
- /*
- * If the last DLPI message dispatched is DL_NOTIFY_CONF,
- * it is not assoicated with any pending cmd request, drain
- * the rest of pending cmd requests, otherwise call
- * ar_cmd_done() to finish up the current pending cmd
- * operation.
- */
- if (primitive == DL_NOTIFY_CONF)
- ar_cmd_drain(arl);
- else
- ar_cmd_done(arl);
- } else if (mp != NULL) {
- DTRACE_PROBE2(dlpi_defer, arl_t *, arl, mblk_t *, mp);
- }
-}
-
-/*
- * The following two functions serialize DLPI messages to the driver, much
- * along the lines of ill_dlpi_send and ill_dlpi_done in IP. Basically,
- * we wait for a DLPI message, sent downstream, to be acked before sending
- * the next. If there are DLPI messages that have not yet been sent, queue
- * this message (mp), else send it downstream.
- */
-static void
-ar_dlpi_send(arl_t *arl, mblk_t *mp)
-{
- mblk_t **mpp;
-
- ASSERT(arl != NULL);
- ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO);
-
- /* Always queue the message. Tail insertion */
- mpp = &arl->arl_dlpi_deferred;
- while (*mpp != NULL)
- mpp = &((*mpp)->b_next);
- *mpp = mp;
-
- ar_dlpi_dispatch(arl);
-}
-
-/*
- * Called when an DLPI control message has been acked; send down the next
- * queued message (if any).
- * The DLPI messages of interest being bind, attach, unbind and detach since
- * these are the only ones sent by ARP via ar_dlpi_send.
- */
-static void
-ar_dlpi_done(arl_t *arl, t_uscalar_t prim)
-{
- if (arl->arl_dlpi_pending != prim) {
- DTRACE_PROBE2(dlpi_done_unexpected, arl_t *, arl,
- t_uscalar_t, prim);
- return;
- }
-
- DTRACE_PROBE2(dlpi_done, arl_t *, arl, t_uscalar_t, prim);
- arl->arl_dlpi_pending = DL_PRIM_INVAL;
- ar_dlpi_dispatch(arl);
-}
-
-/*
- * Send a DL_NOTE_REPLUMB_DONE message down to the driver to indicate
- * the replumb process has already been done. Note that mp is either a
- * DL_NOTIFY_IND message or an AR_INTERFACE_DOWN message (comes from IP).
- */
-static void
-arp_replumb_done(arl_t *arl, mblk_t *mp)
-{
- ASSERT(arl->arl_state == ARL_S_DOWN && arl->arl_replumbing);
-
- mp = mexchange(NULL, mp, sizeof (dl_notify_conf_t), M_PROTO,
- DL_NOTIFY_CONF);
- ((dl_notify_conf_t *)(mp->b_rptr))->dl_notification =
- DL_NOTE_REPLUMB_DONE;
- arl->arl_replumbing = B_FALSE;
- ar_dlpi_send(arl, mp);
-}
-
-static void
-ar_cmd_drain(arl_t *arl)
-{
- mblk_t *mp;
- queue_t *q;
-
- /*
- * Run the commands that have been enqueued while we were waiting
- * for the last command (AR_INTERFACE_UP or AR_INTERFACE_DOWN)
- * to complete.
- */
- while ((mp = arl->arl_queue) != NULL) {
- if (((uintptr_t)mp->b_prev & CMD_IN_PROGRESS) != 0) {
- /*
- * The current command is an AR_INTERFACE_UP or
- * AR_INTERFACE_DOWN and is waiting for a DLPI ack
- * from the driver. Return. We can't make progress now.
- */
- break;
- }
-
- mp = ar_cmd_dequeue(arl);
- mp->b_prev = AR_DRAINING;
- q = mp->b_queue;
- mp->b_queue = NULL;
-
- /*
- * Don't call put(q, mp) since it can lead to reorder of
- * messages by sending the current messages to the end of
- * arp's syncq
- */
- if (q->q_flag & QREADR)
- ar_rput(q, mp);
- else
- ar_wput(q, mp);
- }
-}
-
-static void
-ar_cmd_done(arl_t *arl)
-{
- mblk_t *mp;
- int cmd;
- int err;
- mblk_t *mp1;
- mblk_t *dlpi_op_done_mp = NULL;
- queue_t *dlpi_op_done_q;
- ar_t *ar_arl;
- ar_t *ar_ip;
-
- ASSERT(arl->arl_state == ARL_S_UP || arl->arl_state == ARL_S_DOWN);
-
- /*
- * If the current operation was initiated by IP there must be
- * an op enqueued in arl_queue. But if ar_close has sent down
- * a detach/unbind, there is no command enqueued. Also if the IP-ARP
- * stream has closed the cleanup would be done and there won't be any mp
- */
- if ((mp = arl->arl_queue) == NULL)
- return;
-
- if ((cmd = (uintptr_t)mp->b_prev) & CMD_IN_PROGRESS) {
- mp1 = ar_cmd_dequeue(arl);
- ASSERT(mp == mp1);
-
- cmd &= ~CMD_IN_PROGRESS;
- if (cmd == AR_INTERFACE_UP) {
- /*
- * There is an ioctl waiting for us...
- */
- if (arl->arl_state == ARL_S_UP)
- err = 0;
- else
- err = EINVAL;
-
- dlpi_op_done_mp = ar_alloc(AR_DLPIOP_DONE, err);
- if (dlpi_op_done_mp != NULL) {
- /*
- * Better performance if we send the response
- * after the potential MAPPING_ADDs command
- * that are likely to follow. (Do it below the
- * while loop, instead of putnext right now)
- */
- dlpi_op_done_q = WR(mp->b_queue);
- }
-
- if (err == 0) {
- /*
- * Now that we have the ARL instance
- * corresponding to the IP instance let's make
- * the association here.
- */
- ar_ip = (ar_t *)mp->b_queue->q_ptr;
- ar_arl = (ar_t *)arl->arl_rq->q_ptr;
- ar_arl->ar_arl_ip_assoc = ar_ip;
- ar_ip->ar_arl_ip_assoc = ar_arl;
- }
-
- inet_freemsg(mp);
- } else if (cmd == AR_INTERFACE_DOWN && arl->arl_replumbing) {
- /*
- * The arl is successfully brought down and this is
- * a result of the DL_NOTE_REPLUMB process. Reset
- * mp->b_prev first (it keeps the 'cmd' information
- * at this point).
- */
- mp->b_prev = NULL;
- arp_replumb_done(arl, mp);
- } else {
- inet_freemsg(mp);
- }
- }
-
- ar_cmd_drain(arl);
-
- if (dlpi_op_done_mp != NULL) {
- DTRACE_PROBE3(cmd_done_next, arl_t *, arl,
- queue_t *, dlpi_op_done_q, mblk_t *, dlpi_op_done_mp);
- putnext(dlpi_op_done_q, dlpi_op_done_mp);
- }
-}
-
-/*
- * Queue all arp commands coming from clients. Typically these commands
- * come from IP, but could also come from other clients. The commands
- * are serviced in FIFO order. Some commands need to wait and restart
- * after the DLPI response from the driver is received. Typically
- * AR_INTERFACE_UP and AR_INTERFACE_DOWN. ar_dlpi_done restarts
- * the command and then dequeues the queue at arl_queue and calls ar_rput
- * or ar_wput for each enqueued command. AR_DRAINING is used to signify
- * that the command is being executed thru a drain from ar_dlpi_done.
- * Functions handling the individual commands such as ar_entry_add
- * check for this flag in b_prev to determine whether the command has
- * to be enqueued for later processing or must be processed now.
- *
- * b_next used to thread the enqueued command mblks
- * b_queue used to identify the queue of the originating request(client)
- * b_prev used to store the command itself for easy parsing.
- */
-static void
-ar_cmd_enqueue(arl_t *arl, mblk_t *mp, queue_t *q, ushort_t cmd,
- boolean_t tail_insert)
-{
- mp->b_queue = q;
- if (arl->arl_queue == NULL) {
- ASSERT(arl->arl_queue_tail == NULL);
- mp->b_prev = (void *)((uintptr_t)(cmd | CMD_IN_PROGRESS));
- mp->b_next = NULL;
- arl->arl_queue = mp;
- arl->arl_queue_tail = mp;
- } else if (tail_insert) {
- mp->b_prev = (void *)((uintptr_t)cmd);
- mp->b_next = NULL;
- arl->arl_queue_tail->b_next = mp;
- arl->arl_queue_tail = mp;
- } else {
- /* head insert */
- mp->b_prev = (void *)((uintptr_t)cmd | CMD_IN_PROGRESS);
- mp->b_next = arl->arl_queue;
- arl->arl_queue = mp;
- }
-}
-
-static mblk_t *
-ar_cmd_dequeue(arl_t *arl)
-{
- mblk_t *mp;
-
- if (arl->arl_queue == NULL) {
- ASSERT(arl->arl_queue_tail == NULL);
- return (NULL);
- }
- mp = arl->arl_queue;
- arl->arl_queue = mp->b_next;
- if (arl->arl_queue == NULL)
- arl->arl_queue_tail = NULL;
- mp->b_next = NULL;
- return (mp);
-}
-
-/*
- * Standard ACE timer handling: compute 'fuzz' around a central value or from 0
- * up to a value, and then set the timer. The randomization is necessary to
- * prevent groups of systems from falling into synchronization on the network
- * and producing ARP packet storms.
- */
-static void
-ace_set_timer(ace_t *ace, boolean_t initial_time)
-{
- clock_t intv, rnd, frac;
-
- (void) random_get_pseudo_bytes((uint8_t *)&rnd, sizeof (rnd));
- /* Note that clock_t is signed; must chop off bits */
- rnd &= (1ul << (NBBY * sizeof (rnd) - 1)) - 1;
- intv = ace->ace_xmit_interval;
- if (initial_time) {
- /* Set intv to be anywhere in the [1 .. intv] range */
- if (intv <= 0)
- intv = 1;
- else
- intv = (rnd % intv) + 1;
- } else {
- /* Compute 'frac' as 20% of the configured interval */
- if ((frac = intv / 5) <= 1)
- frac = 2;
- /* Set intv randomly in the range [intv-frac .. intv+frac] */
- if ((intv = intv - frac + rnd % (2 * frac + 1)) <= 0)
- intv = 1;
- }
- mi_timer(ace->ace_arl->arl_wq, ace->ace_mp, intv);
-}
-
-/*
- * Process entry add requests from external messages.
- * It is also called by ip_rput_dlpi_writer() through
- * ipif_resolver_up() to change hardware address when
- * an asynchronous hardware address change notification
- * arrives from the driver.
- */
-static int
-ar_entry_add(queue_t *q, mblk_t *mp_orig)
-{
- area_t *area;
- ace_t *ace;
- uchar_t *hw_addr;
- uint32_t hw_addr_len;
- uchar_t *proto_addr;
- uint32_t proto_addr_len;
- uchar_t *proto_mask;
- arl_t *arl;
- mblk_t *mp = mp_orig;
- int err;
- uint_t aflags;
- boolean_t unverified;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
-
- /* We handle both M_IOCTL and M_PROTO messages. */
- if (DB_TYPE(mp) == M_IOCTL)
- mp = mp->b_cont;
- arl = ar_ll_lookup_from_mp(as, mp);
- if (arl == NULL)
- return (EINVAL);
- /*
- * Newly received commands from clients go to the tail of the queue.
- */
- if (CMD_NEEDS_QUEUEING(mp_orig, arl)) {
- DTRACE_PROBE3(eadd_enqueued, queue_t *, q, mblk_t *, mp_orig,
- arl_t *, arl);
- ar_cmd_enqueue(arl, mp_orig, q, AR_ENTRY_ADD, B_TRUE);
- return (EINPROGRESS);
- }
- mp_orig->b_prev = NULL;
-
- area = (area_t *)mp->b_rptr;
- aflags = area->area_flags;
-
- /*
- * If the previous entry wasn't published and we are now going
- * to publish, then we need to do address verification. The previous
- * entry may have been a local unpublished address or even an external
- * address. If the entry we find was in an unverified state we retain
- * this.
- * If it's a new published entry, then we're obligated to do
- * duplicate address detection now.
- */
- ace = ar_ce_lookup_from_area(as, mp, ar_ce_lookup_entry);
- if (ace != NULL) {
- unverified = !(ace->ace_flags & ACE_F_PUBLISH) &&
- (aflags & ACE_F_PUBLISH);
- if (ace->ace_flags & ACE_F_UNVERIFIED)
- unverified = B_TRUE;
- ar_ce_delete(ace);
- } else {
- unverified = (aflags & ACE_F_PUBLISH) != 0;
- }
-
- /* Allow client to request DAD restart */
- if (aflags & ACE_F_UNVERIFIED)
- unverified = B_TRUE;
-
- /* Extract parameters from the message. */
- hw_addr_len = area->area_hw_addr_length;
- hw_addr = mi_offset_paramc(mp, area->area_hw_addr_offset, hw_addr_len);
- proto_addr_len = area->area_proto_addr_length;
- proto_addr = mi_offset_paramc(mp, area->area_proto_addr_offset,
- proto_addr_len);
- proto_mask = mi_offset_paramc(mp, area->area_proto_mask_offset,
- proto_addr_len);
- if (proto_mask == NULL) {
- DTRACE_PROBE2(eadd_bad_mask, arl_t *, arl, area_t *, area);
- return (EINVAL);
- }
- err = ar_ce_create(
- arl,
- area->area_proto,
- hw_addr,
- hw_addr_len,
- proto_addr,
- proto_addr_len,
- proto_mask,
- NULL,
- (uint32_t)0,
- NULL,
- aflags & ~ACE_F_MAPPING & ~ACE_F_UNVERIFIED & ~ACE_F_DEFEND);
- if (err != 0) {
- DTRACE_PROBE3(eadd_create_failed, arl_t *, arl, area_t *, area,
- int, err);
- return (err);
- }
-
- if (aflags & ACE_F_PUBLISH) {
- arlphy_t *ap;
-
- ace = ar_ce_lookup(arl, area->area_proto, proto_addr,
- proto_addr_len);
- ASSERT(ace != NULL);
-
- ap = ace->ace_xmit_arl->arl_phy;
-
- if (hw_addr == NULL || hw_addr_len == 0) {
- hw_addr = ap->ap_hw_addr;
- } else if (aflags & ACE_F_MYADDR) {
- /*
- * If hardware address changes, then make sure
- * that the hardware address and hardware
- * address length fields in arlphy_t get updated
- * too. Otherwise, they will continue carrying
- * the old hardware address information.
- */
- ASSERT((hw_addr != NULL) && (hw_addr_len != 0));
- bcopy(hw_addr, ap->ap_hw_addr, hw_addr_len);
- ap->ap_hw_addrlen = hw_addr_len;
- }
-
- if (ace->ace_flags & ACE_F_FAST) {
- ace->ace_xmit_count = as->as_fastprobe_count;
- ace->ace_xmit_interval = as->as_fastprobe_delay;
- } else {
- ace->ace_xmit_count = as->as_probe_count;
- ace->ace_xmit_interval = as->as_probe_delay;
- }
-
- /*
- * If the user has disabled duplicate address detection for
- * this kind of interface (fast or slow) by setting the probe
- * count to zero, then pretend as if we've verified the
- * address, and go right to address defense mode.
- */
- if (ace->ace_xmit_count == 0)
- unverified = B_FALSE;
-
- /*
- * If we need to do duplicate address detection, then kick that
- * off. Otherwise, send out a gratuitous ARP message in order
- * to update everyone's caches with the new hardware address.
- */
- if (unverified) {
- ace->ace_flags |= ACE_F_UNVERIFIED;
- if (ace->ace_xmit_interval == 0) {
- /*
- * User has configured us to send the first
- * probe right away. Do so, and set up for
- * the subsequent probes.
- */
- DTRACE_PROBE2(eadd_probe, ace_t *, ace,
- area_t *, area);
- ar_xmit(ace->ace_xmit_arl, ARP_REQUEST,
- area->area_proto, proto_addr_len,
- hw_addr, NULL, NULL, proto_addr, NULL, as);
- ace->ace_xmit_count--;
- ace->ace_xmit_interval =
- (ace->ace_flags & ACE_F_FAST) ?
- as->as_fastprobe_interval :
- as->as_probe_interval;
- ace_set_timer(ace, B_FALSE);
- } else {
- DTRACE_PROBE2(eadd_delay, ace_t *, ace,
- area_t *, area);
- /* Regular delay before initial probe */
- ace_set_timer(ace, B_TRUE);
- }
- } else {
- DTRACE_PROBE2(eadd_announce, ace_t *, ace,
- area_t *, area);
- ar_xmit(ace->ace_xmit_arl, ARP_REQUEST,
- area->area_proto, proto_addr_len, hw_addr,
- proto_addr, ap->ap_arp_addr, proto_addr, NULL, as);
- ace->ace_last_bcast = ddi_get_lbolt();
-
- /*
- * If AUTHORITY is set, it is not just a proxy arp
- * entry; we believe we're the authority for this
- * entry. In that case, and if we're not just doing
- * one-off defense of the address, we send more than
- * one copy, so we'll still have a good chance of
- * updating everyone even when there's a packet loss
- * or two.
- */
- if ((aflags & ACE_F_AUTHORITY) &&
- !(aflags & ACE_F_DEFEND) &&
- as->as_publish_count > 0) {
- /* Account for the xmit we just did */
- ace->ace_xmit_count = as->as_publish_count - 1;
- ace->ace_xmit_interval =
- as->as_publish_interval;
- if (ace->ace_xmit_count > 0)
- ace_set_timer(ace, B_FALSE);
- }
- }
- }
- return (0);
-}
-
-/* Process entry delete requests from external messages. */
-static int
-ar_entry_delete(queue_t *q, mblk_t *mp_orig)
-{
- ace_t *ace;
- arl_t *arl;
- mblk_t *mp = mp_orig;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
-
- /* We handle both M_IOCTL and M_PROTO messages. */
- if (DB_TYPE(mp) == M_IOCTL)
- mp = mp->b_cont;
- arl = ar_ll_lookup_from_mp(as, mp);
- if (arl == NULL)
- return (EINVAL);
- /*
- * Newly received commands from clients go to the tail of the queue.
- */
- if (CMD_NEEDS_QUEUEING(mp_orig, arl)) {
- DTRACE_PROBE3(edel_enqueued, queue_t *, q, mblk_t *, mp_orig,
- arl_t *, arl);
- ar_cmd_enqueue(arl, mp_orig, q, AR_ENTRY_DELETE, B_TRUE);
- return (EINPROGRESS);
- }
- mp_orig->b_prev = NULL;
-
- /*
- * Need to know if it is a mapping or an exact match. Check exact
- * match first.
- */
- ace = ar_ce_lookup_from_area(as, mp, ar_ce_lookup);
- if (ace != NULL) {
- ared_t *ared = (ared_t *)mp->b_rptr;
-
- /*
- * If it's a permanent entry, then the client is the one who
- * told us to delete it, so there's no reason to notify.
- */
- if (ACE_NONPERM(ace))
- ar_delete_notify(ace);
- /*
- * Only delete the ARP entry if it is non-permanent, or
- * ARED_F_PRESERVE_PERM flags is not set.
- */
- if (ACE_NONPERM(ace) ||
- !(ared->ared_flags & ARED_F_PRESERVE_PERM)) {
- ar_ce_delete(ace);
- }
- return (0);
- }
- return (ENXIO);
-}
-
-/*
- * Process entry query requests from external messages.
- * Bump up the ire_stats_freed for all errors except
- * EINPROGRESS - which means the packet has been queued.
- * For all other errors the packet is going to be freed
- * and hence we account for ire being freed if it
- * is a M_PROTO message.
- */
-static int
-ar_entry_query(queue_t *q, mblk_t *mp_orig)
-{
- ace_t *ace;
- areq_t *areq;
- arl_t *arl;
- int err;
- mblk_t *mp = mp_orig;
- uchar_t *proto_addr;
- uchar_t *sender_addr;
- uint32_t proto_addr_len;
- clock_t ms;
- boolean_t is_mproto = B_TRUE;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
-
- /* We handle both M_IOCTL and M_PROTO messages. */
- if (DB_TYPE(mp) == M_IOCTL) {
- is_mproto = B_FALSE;
- mp = mp->b_cont;
- }
- arl = ar_ll_lookup_from_mp(as, mp);
- if (arl == NULL) {
- DTRACE_PROBE2(query_no_arl, queue_t *, q, mblk_t *, mp);
- err = EINVAL;
- goto err_ret;
- }
- /*
- * Newly received commands from clients go to the tail of the queue.
- */
- if (CMD_NEEDS_QUEUEING(mp_orig, arl)) {
- DTRACE_PROBE3(query_enqueued, queue_t *, q, mblk_t *, mp_orig,
- arl_t *, arl);
- ar_cmd_enqueue(arl, mp_orig, q, AR_ENTRY_QUERY, B_TRUE);
- return (EINPROGRESS);
- }
- mp_orig->b_prev = NULL;
-
- areq = (areq_t *)mp->b_rptr;
- proto_addr_len = areq->areq_target_addr_length;
- proto_addr = mi_offset_paramc(mp, areq->areq_target_addr_offset,
- proto_addr_len);
- if (proto_addr == NULL) {
- DTRACE_PROBE1(query_illegal_address, areq_t *, areq);
- err = EINVAL;
- goto err_ret;
- }
- /* Stash the reply queue pointer for later use. */
- mp->b_prev = (mblk_t *)OTHERQ(q);
- mp->b_next = NULL;
- if (areq->areq_xmit_interval == 0)
- areq->areq_xmit_interval = AR_DEF_XMIT_INTERVAL;
- ace = ar_ce_lookup(arl, areq->areq_proto, proto_addr, proto_addr_len);
- if (ace != NULL && (ace->ace_flags & ACE_F_OLD)) {
- /*
- * This is a potentially stale entry that IP's asking about.
- * Since IP is asking, it must not have an answer anymore,
- * either due to periodic ARP flush or due to SO_DONTROUTE.
- * Rather than go forward with what we've got, restart
- * resolution.
- */
- DTRACE_PROBE2(query_stale_ace, ace_t *, ace, areq_t *, areq);
- ar_ce_delete(ace);
- ace = NULL;
- }
- if (ace != NULL) {
- mblk_t **mpp;
- uint32_t count = 0;
-
- /*
- * There is already a cache entry. This means there is either
- * a permanent entry, or address resolution is in progress.
- * If the latter, there should be one or more queries queued
- * up. We link the current one in at the end, if there aren't
- * too many outstanding.
- */
- for (mpp = &ace->ace_query_mp; mpp[0]; mpp = &mpp[0]->b_next) {
- if (++count > areq->areq_max_buffered) {
- DTRACE_PROBE2(query_overflow, ace_t *, ace,
- areq_t *, areq);
- mp->b_prev = NULL;
- err = EALREADY;
- goto err_ret;
- }
- }
- /* Put us on the list. */
- mpp[0] = mp;
- if (count != 0) {
- /*
- * If a query was already queued up, then we must not
- * have an answer yet.
- */
- DTRACE_PROBE2(query_in_progress, ace_t *, ace,
- areq_t *, areq);
- return (EINPROGRESS);
- }
- if (ACE_RESOLVED(ace)) {
- /*
- * We have an answer already.
- * Keep a dup of mp since proto_addr points to it
- * and mp has been placed on the ace_query_mp list.
- */
- mblk_t *mp1;
-
- DTRACE_PROBE2(query_resolved, ace_t *, ace,
- areq_t *, areq);
- mp1 = dupmsg(mp);
- ar_query_reply(ace, 0, proto_addr, proto_addr_len);
- freemsg(mp1);
- return (EINPROGRESS);
- }
- if (ace->ace_flags & ACE_F_MAPPING) {
- /* Should never happen */
- DTRACE_PROBE2(query_unresolved_mapping, ace_t *, ace,
- areq_t *, areq);
- mpp[0] = mp->b_next;
- err = ENXIO;
- goto err_ret;
- }
- DTRACE_PROBE2(query_unresolved, ace_t, ace, areq_t *, areq);
- } else {
- /* No ace yet. Make one now. (This is the common case.) */
- if (areq->areq_xmit_count == 0) {
- DTRACE_PROBE2(query_template, arl_t *, arl,
- areq_t *, areq);
- mp->b_prev = NULL;
- err = ENXIO;
- goto err_ret;
- }
- /*
- * Check for sender addr being NULL or not before
- * we create the ace. It is easy to cleanup later.
- */
- sender_addr = mi_offset_paramc(mp,
- areq->areq_sender_addr_offset,
- areq->areq_sender_addr_length);
- if (sender_addr == NULL) {
- DTRACE_PROBE2(query_no_sender, arl_t *, arl,
- areq_t *, areq);
- mp->b_prev = NULL;
- err = EINVAL;
- goto err_ret;
- }
- err = ar_ce_create(OWNING_ARL(arl), areq->areq_proto, NULL, 0,
- proto_addr, proto_addr_len, NULL,
- NULL, (uint32_t)0, sender_addr,
- areq->areq_flags);
- if (err != 0) {
- DTRACE_PROBE3(query_create_failed, arl_t *, arl,
- areq_t *, areq, int, err);
- mp->b_prev = NULL;
- goto err_ret;
- }
- ace = ar_ce_lookup(arl, areq->areq_proto, proto_addr,
- proto_addr_len);
- if (ace == NULL || ace->ace_query_mp != NULL) {
- /* Shouldn't happen! */
- DTRACE_PROBE3(query_lookup_failed, arl_t *, arl,
- areq_t *, areq, ace_t *, ace);
- mp->b_prev = NULL;
- err = ENXIO;
- goto err_ret;
- }
- ace->ace_query_mp = mp;
- }
- ms = ar_query_xmit(as, ace);
- if (ms == 0) {
- /* Immediate reply requested. */
- ar_query_reply(ace, ENXIO, NULL, (uint32_t)0);
- } else {
- mi_timer(ace->ace_arl->arl_wq, ace->ace_mp, ms);
- }
- return (EINPROGRESS);
-err_ret:
- if (is_mproto) {
- ip_stack_t *ipst = as->as_netstack->netstack_ip;
-
- BUMP_IRE_STATS(ipst->ips_ire_stats_v4, ire_stats_freed);
- }
- return (err);
-}
-
-/* Handle simple query requests. */
-static int
-ar_entry_squery(queue_t *q, mblk_t *mp_orig)
-{
- ace_t *ace;
- area_t *area;
- arl_t *arl;
- uchar_t *hw_addr;
- uint32_t hw_addr_len;
- mblk_t *mp = mp_orig;
- uchar_t *proto_addr;
- int proto_addr_len;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
-
- if (DB_TYPE(mp) == M_IOCTL)
- mp = mp->b_cont;
- arl = ar_ll_lookup_from_mp(as, mp);
- if (arl == NULL)
- return (EINVAL);
- /*
- * Newly received commands from clients go to the tail of the queue.
- */
- if (CMD_NEEDS_QUEUEING(mp_orig, arl)) {
- DTRACE_PROBE3(squery_enqueued, queue_t *, q, mblk_t *, mp_orig,
- arl_t *, arl);
- ar_cmd_enqueue(arl, mp_orig, q, AR_ENTRY_SQUERY, B_TRUE);
- return (EINPROGRESS);
- }
- mp_orig->b_prev = NULL;
-
- /* Extract parameters from the request message. */
- area = (area_t *)mp->b_rptr;
- proto_addr_len = area->area_proto_addr_length;
- proto_addr = mi_offset_paramc(mp, area->area_proto_addr_offset,
- proto_addr_len);
- hw_addr_len = area->area_hw_addr_length;
- hw_addr = mi_offset_paramc(mp, area->area_hw_addr_offset, hw_addr_len);
- if (proto_addr == NULL || hw_addr == NULL) {
- DTRACE_PROBE1(squery_illegal_address, area_t *, area);
- return (EINVAL);
- }
- ace = ar_ce_lookup(arl, area->area_proto, proto_addr, proto_addr_len);
- if (ace == NULL) {
- return (ENXIO);
- }
- if (hw_addr_len < ace->ace_hw_addr_length) {
- return (EINVAL);
- }
- if (ACE_RESOLVED(ace)) {
- /* Got it, prepare the response. */
- ASSERT(area->area_hw_addr_length == ace->ace_hw_addr_length);
- ar_set_address(ace, hw_addr, proto_addr, proto_addr_len);
- } else {
- /*
- * We have an incomplete entry. Set the length to zero and
- * just return out the flags.
- */
- area->area_hw_addr_length = 0;
- }
- area->area_flags = ace->ace_flags;
- if (mp == mp_orig) {
- /* Non-ioctl case */
- /* TODO: change message type? */
- DB_TYPE(mp) = M_CTL; /* Caught by ip_wput */
- DTRACE_PROBE3(squery_reply, queue_t *, q, mblk_t *, mp,
- arl_t *, arl);
- qreply(q, mp);
- return (EINPROGRESS);
- }
- return (0);
-}
-
-/* Process an interface down causing us to detach and unbind. */
-/* ARGSUSED */
-static int
-ar_interface_down(queue_t *q, mblk_t *mp)
-{
- arl_t *arl;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
-
- arl = ar_ll_lookup_from_mp(as, mp);
- if (arl == NULL || arl->arl_closing) {
- DTRACE_PROBE2(down_no_arl, queue_t *, q, mblk_t *, mp);
- return (EINVAL);
- }
-
- /*
- * Newly received commands from clients go to the tail of the queue.
- */
- if (CMD_NEEDS_QUEUEING(mp, arl)) {
- DTRACE_PROBE3(down_enqueued, queue_t *, q, mblk_t *, mp,
- arl_t *, arl);
- ar_cmd_enqueue(arl, mp, q, AR_INTERFACE_DOWN, B_TRUE);
- return (EINPROGRESS);
- }
- mp->b_prev = NULL;
- /*
- * The arl is already down, no work to do.
- */
- if (arl->arl_state == ARL_S_DOWN) {
- if (arl->arl_replumbing) {
- /*
- * The arl is already down and this is a result of
- * the DL_NOTE_REPLUMB process. Return EINPROGRESS
- * so this mp won't be freed by ar_rput().
- */
- arp_replumb_done(arl, mp);
- return (EINPROGRESS);
- } else {
- /* ar_rput frees the mp */
- return (0);
- }
- }
-
- /*
- * This command cannot complete in a single shot now itself.
- * It has to be restarted after the receipt of the ack from
- * the driver. So we need to enqueue the command (at the head).
- */
- ar_cmd_enqueue(arl, mp, q, AR_INTERFACE_DOWN, B_FALSE);
-
- ASSERT(arl->arl_state == ARL_S_UP);
-
- /* Free all arp entries for this interface */
- ar_ce_walk(as, ar_ce_delete_per_arl, arl);
-
- ar_ll_down(arl);
- /* Return EINPROGRESS so that ar_rput does not free the 'mp' */
- return (EINPROGRESS);
-}
-
-
-/* Process an interface up causing the info req sequence to start. */
-/* ARGSUSED */
-static int
-ar_interface_up(queue_t *q, mblk_t *mp)
-{
- arl_t *arl;
- int err;
- mblk_t *mp1;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
-
- arl = ar_ll_lookup_from_mp(as, mp);
- if (arl == NULL || arl->arl_closing) {
- DTRACE_PROBE2(up_no_arl, queue_t *, q, mblk_t *, mp);
- err = EINVAL;
- goto done;
- }
-
- /*
- * Newly received commands from clients go to the tail of the queue.
- */
- if (CMD_NEEDS_QUEUEING(mp, arl)) {
- DTRACE_PROBE3(up_enqueued, queue_t *, q, mblk_t *, mp,
- arl_t *, arl);
- ar_cmd_enqueue(arl, mp, q, AR_INTERFACE_UP, B_TRUE);
- return (EINPROGRESS);
- }
- mp->b_prev = NULL;
-
- /*
- * The arl is already up. No work to do.
- */
- if (arl->arl_state == ARL_S_UP) {
- err = 0;
- goto done;
- }
-
- /*
- * This command cannot complete in a single shot now itself.
- * It has to be restarted after the receipt of the ack from
- * the driver. So we need to enqueue the command (at the head).
- */
- ar_cmd_enqueue(arl, mp, q, AR_INTERFACE_UP, B_FALSE);
-
- err = ar_ll_up(arl);
-
- /* Return EINPROGRESS so that ar_rput does not free the 'mp' */
- return (EINPROGRESS);
-
-done:
- /* caller frees 'mp' */
-
- mp1 = ar_alloc(AR_DLPIOP_DONE, err);
- if (mp1 != NULL) {
- q = WR(q);
- DTRACE_PROBE3(up_send_err, queue_t *, q, mblk_t *, mp1,
- int, err);
- putnext(q, mp1);
- }
- return (err);
-}
-
-/*
- * Given an arie_t `mp', find the arl_t's that it names and return them
- * in `*arlp' and `*ipmp_arlp'. If they cannot be found, return B_FALSE.
- */
-static boolean_t
-ar_ipmp_lookup(arp_stack_t *as, mblk_t *mp, arl_t **arlp, arl_t **ipmp_arlp)
-{
- arie_t *arie = (arie_t *)mp->b_rptr;
-
- *arlp = ar_ll_lookup_from_mp(as, mp);
- if (*arlp == NULL) {
- DTRACE_PROBE1(ipmp_lookup_no_arl, mblk_t *, mp);
- return (B_FALSE);
- }
-
- arie->arie_grifname[LIFNAMSIZ - 1] = '\0';
- *ipmp_arlp = ar_ll_lookup_by_name(as, arie->arie_grifname);
- if (*ipmp_arlp == NULL) {
- DTRACE_PROBE1(ipmp_lookup_no_ipmp_arl, mblk_t *, mp);
- return (B_FALSE);
- }
-
- DTRACE_PROBE2(ipmp_lookup, arl_t *, *arlp, arl_t *, *ipmp_arlp);
- return (B_TRUE);
-}
-
-/*
- * Bind an arl_t to an IPMP group arl_t.
- */
-static int
-ar_ipmp_activate(queue_t *q, mblk_t *mp)
-{
- arl_t *arl, *ipmp_arl;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
-
- if (!ar_ipmp_lookup(as, mp, &arl, &ipmp_arl))
- return (EINVAL);
-
- if (arl->arl_ipmp_arl != NULL) {
- DTRACE_PROBE1(ipmp_activated_already, arl_t *, arl);
- return (EALREADY);
- }
-
- DTRACE_PROBE2(ipmp_activate, arl_t *, arl, arl_t *, ipmp_arl);
- arl->arl_ipmp_arl = ipmp_arl;
- return (0);
-}
-
-/*
- * Unbind an arl_t from an IPMP group arl_t and update the ace_t's so
- * that it is no longer part of the group.
- */
-static int
-ar_ipmp_deactivate(queue_t *q, mblk_t *mp)
-{
- arl_t *arl, *ipmp_arl;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
-
- if (!ar_ipmp_lookup(as, mp, &arl, &ipmp_arl))
- return (EINVAL);
-
- if (ipmp_arl != arl->arl_ipmp_arl) {
- DTRACE_PROBE2(ipmp_deactivate_notactive, arl_t *, arl, arl_t *,
- ipmp_arl);
- return (EINVAL);
- }
-
- DTRACE_PROBE2(ipmp_deactivate, arl_t *, arl, arl_t *,
- arl->arl_ipmp_arl);
- ar_ce_walk(as, ar_ce_ipmp_deactivate, arl);
- arl->arl_ipmp_arl = NULL;
- return (0);
-}
-
-/*
- * Enable an interface to process ARP_REQUEST and ARP_RESPONSE messages.
- */
-/* ARGSUSED */
-static int
-ar_interface_on(queue_t *q, mblk_t *mp)
-{
- arl_t *arl;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
-
- arl = ar_ll_lookup_from_mp(as, mp);
- if (arl == NULL) {
- DTRACE_PROBE2(on_no_arl, queue_t *, q, mblk_t *, mp);
- return (EINVAL);
- }
-
- DTRACE_PROBE3(on_intf, queue_t *, q, mblk_t *, mp, arl_t *, arl);
- arl->arl_flags &= ~ARL_F_NOARP;
- return (0);
-}
-
-/*
- * Disable an interface from processing
- * ARP_REQUEST and ARP_RESPONSE messages
- */
-/* ARGSUSED */
-static int
-ar_interface_off(queue_t *q, mblk_t *mp)
-{
- arl_t *arl;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
-
- arl = ar_ll_lookup_from_mp(as, mp);
- if (arl == NULL) {
- DTRACE_PROBE2(off_no_arl, queue_t *, q, mblk_t *, mp);
- return (EINVAL);
- }
-
- DTRACE_PROBE3(off_intf, queue_t *, q, mblk_t *, mp, arl_t *, arl);
- arl->arl_flags |= ARL_F_NOARP;
- return (0);
-}
-
-/*
- * The queue 'q' is closing. Walk all the arl's and free any message
- * pending in the arl_queue if it originated from the closing q.
- * Also cleanup the ip_pending_queue, if the arp-IP stream is closing.
- */
-static void
-ar_ll_cleanup_arl_queue(queue_t *q)
-{
- arl_t *arl;
- mblk_t *mp;
- mblk_t *mpnext;
- mblk_t *prev;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
- ip_stack_t *ipst = as->as_netstack->netstack_ip;
-
- for (arl = as->as_arl_head; arl != NULL; arl = arl->arl_next) {
- for (prev = NULL, mp = arl->arl_queue; mp != NULL;
- mp = mpnext) {
- mpnext = mp->b_next;
- if ((void *)mp->b_queue == (void *)q ||
- (void *)mp->b_queue == (void *)OTHERQ(q)) {
- if (prev == NULL)
- arl->arl_queue = mp->b_next;
- else
- prev->b_next = mp->b_next;
- if (arl->arl_queue_tail == mp)
- arl->arl_queue_tail = prev;
- if (DB_TYPE(mp) == M_PROTO &&
- *(uint32_t *)mp->b_rptr == AR_ENTRY_QUERY) {
- BUMP_IRE_STATS(ipst->ips_ire_stats_v4,
- ire_stats_freed);
- }
- inet_freemsg(mp);
- } else {
- prev = mp;
- }
- }
- }
-}
-
-/*
- * Look up a lower level tap by name.
- */
-static arl_t *
-ar_ll_lookup_by_name(arp_stack_t *as, const char *name)
-{
- arl_t *arl;
-
- for (arl = as->as_arl_head; arl; arl = arl->arl_next) {
- if (strcmp(arl->arl_name, name) == 0) {
- return (arl);
- }
- }
- return (NULL);
-}
-
-/*
- * Look up a lower level tap using parameters extracted from the common
- * portion of the ARP command.
- */
-static arl_t *
-ar_ll_lookup_from_mp(arp_stack_t *as, mblk_t *mp)
-{
- arc_t *arc = (arc_t *)mp->b_rptr;
- uint8_t *name;
- size_t namelen = arc->arc_name_length;
-
- name = mi_offset_param(mp, arc->arc_name_offset, namelen);
- if (name == NULL || name[namelen - 1] != '\0')
- return (NULL);
- return (ar_ll_lookup_by_name(as, (char *)name));
-}
-
-static void
-ar_ll_init(arp_stack_t *as, ar_t *ar, mblk_t *mp)
-{
- arl_t *arl;
- dl_info_ack_t *dlia = (dl_info_ack_t *)mp->b_rptr;
-
- ASSERT(ar->ar_arl == NULL);
-
- if ((arl = (arl_t *)mi_zalloc(sizeof (arl_t))) == NULL)
- return;
-
- if (dlia->dl_mac_type == SUNW_DL_IPMP) {
- arl->arl_flags |= ARL_F_IPMP;
- arl->arl_ipmp_arl = arl;
- }
-
- arl->arl_provider_style = dlia->dl_provider_style;
- arl->arl_rq = ar->ar_rq;
- arl->arl_wq = ar->ar_wq;
-
- arl->arl_dlpi_pending = DL_PRIM_INVAL;
-
- ar->ar_arl = arl;
-
- /*
- * If/when ARP gets pushed into the IP module then this code to make
- * a number uniquely identify an ARP instance can be removed and the
- * ifindex from IP used. Rather than try and reinvent or copy the
- * code used by IP for the purpose of allocating an index number
- * (and trying to keep the number small), just allocate it in an
- * ever increasing manner. This index number isn't ever exposed to
- * users directly, its only use is for providing the pfhooks interface
- * with a number it can use to uniquely identify an interface in time.
- *
- * Using a 32bit counter, over 136 plumbs would need to be done every
- * second of every day (non-leap year) for it to wrap around and the
- * for() loop below to kick in as a performance concern.
- */
- if (as->as_arp_counter_wrapped) {
- arl_t *arl1;
-
- do {
- for (arl1 = as->as_arl_head; arl1 != NULL;
- arl1 = arl1->arl_next)
- if (arl1->arl_index ==
- as->as_arp_index_counter) {
- as->as_arp_index_counter++;
- if (as->as_arp_index_counter == 0) {
- as->as_arp_counter_wrapped++;
- as->as_arp_index_counter = 1;
- }
- break;
- }
- } while (arl1 != NULL);
- } else {
- arl->arl_index = as->as_arp_index_counter;
- }
- as->as_arp_index_counter++;
- if (as->as_arp_index_counter == 0) {
- as->as_arp_counter_wrapped++;
- as->as_arp_index_counter = 1;
- }
-}
-
-/*
- * This routine is called during module initialization when the DL_INFO_ACK
- * comes back from the device. We set up defaults for all the device dependent
- * doo-dads we are going to need. This will leave us ready to roll if we are
- * attempting auto-configuration. Alternatively, these defaults can be
- * overridden by initialization procedures possessing higher intelligence.
- */
-static void
-ar_ll_set_defaults(arl_t *arl, mblk_t *mp)
-{
- ar_m_t *arm;
- dl_info_ack_t *dlia = (dl_info_ack_t *)mp->b_rptr;
- dl_unitdata_req_t *dlur;
- uchar_t *up;
- arlphy_t *ap;
-
- ASSERT(arl != NULL);
-
- /*
- * Clear any stale defaults that might exist.
- */
- ar_ll_clear_defaults(arl);
-
- if (arl->arl_flags & ARL_F_IPMP) {
- /*
- * If this is an IPMP arl_t, we have nothing to do,
- * since we will never transmit or receive.
- */
- return;
- }
-
- ap = kmem_zalloc(sizeof (arlphy_t), KM_NOSLEEP);
- if (ap == NULL)
- goto bad;
- arl->arl_phy = ap;
-
- if ((arm = ar_m_lookup(dlia->dl_mac_type)) == NULL)
- arm = ar_m_lookup(DL_OTHER);
- ASSERT(arm != NULL);
-
- /*
- * We initialize based on parameters in the (currently) not too
- * exhaustive ar_m_tbl.
- */
- if (dlia->dl_version == DL_VERSION_2) {
- /* XXX DLPI spec allows dl_sap_length of 0 before binding. */
- ap->ap_saplen = dlia->dl_sap_length;
- ap->ap_hw_addrlen = dlia->dl_brdcst_addr_length;
- } else {
- ap->ap_saplen = arm->ar_mac_sap_length;
- ap->ap_hw_addrlen = arm->ar_mac_hw_addr_length;
- }
- ap->ap_arp_hw_type = arm->ar_mac_arp_hw_type;
-
- /*
- * Allocate the hardware and ARP addresses; note that the hardware
- * address cannot be filled in until we see the DL_BIND_ACK.
- */
- ap->ap_hw_addr = kmem_zalloc(ap->ap_hw_addrlen, KM_NOSLEEP);
- ap->ap_arp_addr = kmem_alloc(ap->ap_hw_addrlen, KM_NOSLEEP);
- if (ap->ap_hw_addr == NULL || ap->ap_arp_addr == NULL)
- goto bad;
-
- if (dlia->dl_version == DL_VERSION_2) {
- if ((up = mi_offset_param(mp, dlia->dl_brdcst_addr_offset,
- ap->ap_hw_addrlen)) == NULL)
- goto bad;
- bcopy(up, ap->ap_arp_addr, ap->ap_hw_addrlen);
- } else {
- /*
- * No choice but to assume a broadcast address of all ones,
- * known to work on some popular networks.
- */
- (void) memset(ap->ap_arp_addr, ~0, ap->ap_hw_addrlen);
- }
-
- /*
- * Make us a template DL_UNITDATA_REQ message which we will use for
- * broadcasting resolution requests, and which we will clone to hand
- * back as responses to the protocols.
- */
- ap->ap_xmit_mp = ar_dlpi_comm(DL_UNITDATA_REQ, ap->ap_hw_addrlen +
- ABS(ap->ap_saplen) + sizeof (dl_unitdata_req_t));
- if (ap->ap_xmit_mp == NULL)
- goto bad;
-
- dlur = (dl_unitdata_req_t *)ap->ap_xmit_mp->b_rptr;
- dlur->dl_priority.dl_min = 0;
- dlur->dl_priority.dl_max = 0;
- dlur->dl_dest_addr_length = ap->ap_hw_addrlen + ABS(ap->ap_saplen);
- dlur->dl_dest_addr_offset = sizeof (dl_unitdata_req_t);
-
- /* NOTE: the destination address and sap offsets are permanently set */
- ap->ap_xmit_sapoff = dlur->dl_dest_addr_offset;
- ap->ap_xmit_addroff = dlur->dl_dest_addr_offset;
- if (ap->ap_saplen < 0)
- ap->ap_xmit_sapoff += ap->ap_hw_addrlen; /* sap last */
- else
- ap->ap_xmit_addroff += ap->ap_saplen; /* addr last */
-
- *(uint16_t *)((caddr_t)dlur + ap->ap_xmit_sapoff) = ETHERTYPE_ARP;
- return;
-bad:
- ar_ll_clear_defaults(arl);
-}
-
-static void
-ar_ll_clear_defaults(arl_t *arl)
-{
- arlphy_t *ap = arl->arl_phy;
-
- if (ap != NULL) {
- arl->arl_phy = NULL;
- if (ap->ap_hw_addr != NULL)
- kmem_free(ap->ap_hw_addr, ap->ap_hw_addrlen);
- if (ap->ap_arp_addr != NULL)
- kmem_free(ap->ap_arp_addr, ap->ap_hw_addrlen);
- freemsg(ap->ap_xmit_mp);
- kmem_free(ap, sizeof (arlphy_t));
- }
-}
-
-static void
-ar_ll_down(arl_t *arl)
-{
- mblk_t *mp;
- ar_t *ar;
-
- ASSERT(arl->arl_state == ARL_S_UP);
-
- /* Let's break the association between an ARL and IP instance */
- ar = (ar_t *)arl->arl_rq->q_ptr;
- if (ar->ar_arl_ip_assoc != NULL) {
- ASSERT(ar->ar_arl_ip_assoc->ar_arl_ip_assoc != NULL &&
- ar->ar_arl_ip_assoc->ar_arl_ip_assoc == ar);
- ar->ar_arl_ip_assoc->ar_arl_ip_assoc = NULL;
- ar->ar_arl_ip_assoc = NULL;
- }
-
- arl->arl_state = ARL_S_PENDING;
-
- mp = arl->arl_unbind_mp;
- ASSERT(mp != NULL);
- ar_dlpi_send(arl, mp);
- arl->arl_unbind_mp = NULL;
-
- if (arl->arl_provider_style == DL_STYLE2) {
- mp = arl->arl_detach_mp;
- ASSERT(mp != NULL);
- ar_dlpi_send(arl, mp);
- arl->arl_detach_mp = NULL;
- }
-}
-
-static int
-ar_ll_up(arl_t *arl)
-{
- mblk_t *attach_mp = NULL;
- mblk_t *bind_mp = NULL;
- mblk_t *detach_mp = NULL;
- mblk_t *unbind_mp = NULL;
- mblk_t *info_mp = NULL;
- mblk_t *notify_mp = NULL;
-
- ASSERT(arl->arl_state == ARL_S_DOWN);
-
- if (arl->arl_provider_style == DL_STYLE2) {
- attach_mp =
- ar_dlpi_comm(DL_ATTACH_REQ, sizeof (dl_attach_req_t));
- if (attach_mp == NULL)
- goto bad;
- ((dl_attach_req_t *)attach_mp->b_rptr)->dl_ppa =
- arl->arl_ppa;
-
- detach_mp =
- ar_dlpi_comm(DL_DETACH_REQ, sizeof (dl_detach_req_t));
- if (detach_mp == NULL)
- goto bad;
- }
-
- info_mp = ar_dlpi_comm(DL_INFO_REQ, sizeof (dl_info_req_t));
- if (info_mp == NULL)
- goto bad;
-
- /* Allocate and initialize a bind message. */
- bind_mp = ar_dlpi_comm(DL_BIND_REQ, sizeof (dl_bind_req_t));
- if (bind_mp == NULL)
- goto bad;
- ((dl_bind_req_t *)bind_mp->b_rptr)->dl_sap = ETHERTYPE_ARP;
- ((dl_bind_req_t *)bind_mp->b_rptr)->dl_service_mode = DL_CLDLS;
-
- unbind_mp = ar_dlpi_comm(DL_UNBIND_REQ, sizeof (dl_unbind_req_t));
- if (unbind_mp == NULL)
- goto bad;
-
- notify_mp = ar_dlpi_comm(DL_NOTIFY_REQ, sizeof (dl_notify_req_t));
- if (notify_mp == NULL)
- goto bad;
- ((dl_notify_req_t *)notify_mp->b_rptr)->dl_notifications =
- DL_NOTE_LINK_UP | DL_NOTE_LINK_DOWN | DL_NOTE_REPLUMB;
-
- arl->arl_state = ARL_S_PENDING;
- if (arl->arl_provider_style == DL_STYLE2) {
- ar_dlpi_send(arl, attach_mp);
- ASSERT(detach_mp != NULL);
- arl->arl_detach_mp = detach_mp;
- }
- ar_dlpi_send(arl, info_mp);
- ar_dlpi_send(arl, bind_mp);
- arl->arl_unbind_mp = unbind_mp;
- ar_dlpi_send(arl, notify_mp);
- return (0);
-
-bad:
- freemsg(attach_mp);
- freemsg(bind_mp);
- freemsg(detach_mp);
- freemsg(unbind_mp);
- freemsg(info_mp);
- freemsg(notify_mp);
- return (ENOMEM);
-}
-
-/* Process mapping add requests from external messages. */
-static int
-ar_mapping_add(queue_t *q, mblk_t *mp_orig)
-{
- arma_t *arma;
- mblk_t *mp = mp_orig;
- ace_t *ace;
- uchar_t *hw_addr;
- uint32_t hw_addr_len;
- uchar_t *proto_addr;
- uint32_t proto_addr_len;
- uchar_t *proto_mask;
- uchar_t *proto_extract_mask;
- uint32_t hw_extract_start;
- arl_t *arl;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
-
- /* We handle both M_IOCTL and M_PROTO messages. */
- if (DB_TYPE(mp) == M_IOCTL)
- mp = mp->b_cont;
- arl = ar_ll_lookup_from_mp(as, mp);
- if (arl == NULL)
- return (EINVAL);
- /*
- * Newly received commands from clients go to the tail of the queue.
- */
- if (CMD_NEEDS_QUEUEING(mp_orig, arl)) {
- DTRACE_PROBE3(madd_enqueued, queue_t *, q, mblk_t *, mp_orig,
- arl_t *, arl);
- ar_cmd_enqueue(arl, mp_orig, q, AR_MAPPING_ADD, B_TRUE);
- return (EINPROGRESS);
- }
- mp_orig->b_prev = NULL;
-
- arma = (arma_t *)mp->b_rptr;
- ace = ar_ce_lookup_from_area(as, mp, ar_ce_lookup_mapping);
- if (ace != NULL)
- ar_ce_delete(ace);
- hw_addr_len = arma->arma_hw_addr_length;
- hw_addr = mi_offset_paramc(mp, arma->arma_hw_addr_offset, hw_addr_len);
- proto_addr_len = arma->arma_proto_addr_length;
- proto_addr = mi_offset_paramc(mp, arma->arma_proto_addr_offset,
- proto_addr_len);
- proto_mask = mi_offset_paramc(mp, arma->arma_proto_mask_offset,
- proto_addr_len);
- proto_extract_mask = mi_offset_paramc(mp,
- arma->arma_proto_extract_mask_offset, proto_addr_len);
- hw_extract_start = arma->arma_hw_mapping_start;
- if (proto_mask == NULL || proto_extract_mask == NULL) {
- DTRACE_PROBE2(madd_illegal_mask, arl_t *, arl, arpa_t *, arma);
- return (EINVAL);
- }
- return (ar_ce_create(
- arl,
- arma->arma_proto,
- hw_addr,
- hw_addr_len,
- proto_addr,
- proto_addr_len,
- proto_mask,
- proto_extract_mask,
- hw_extract_start,
- NULL,
- arma->arma_flags | ACE_F_MAPPING));
-}
-
-static boolean_t
-ar_mask_all_ones(uchar_t *mask, uint32_t mask_len)
-{
- if (mask == NULL)
- return (B_TRUE);
-
- while (mask_len-- > 0) {
- if (*mask++ != 0xFF) {
- return (B_FALSE);
- }
- }
- return (B_TRUE);
-}
-
-/* Find an entry for a particular MAC type in the ar_m_tbl. */
-static ar_m_t *
-ar_m_lookup(t_uscalar_t mac_type)
-{
- ar_m_t *arm;
-
- for (arm = ar_m_tbl; arm < A_END(ar_m_tbl); arm++) {
- if (arm->ar_mac_type == mac_type)
- return (arm);
- }
- return (NULL);
-}
-
-/* Respond to Named Dispatch requests. */
-static int
-ar_nd_ioctl(queue_t *q, mblk_t *mp)
-{
- ar_t *ar = (ar_t *)q->q_ptr;
- arp_stack_t *as = ar->ar_as;
-
- if (DB_TYPE(mp) == M_IOCTL && nd_getset(q, as->as_nd, mp))
- return (0);
- return (ENOENT);
-}
-
-/* ARP module open routine. */
-static int
-ar_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
-{
- ar_t *ar;
- int err;
- queue_t *tmp_q;
- mblk_t *mp;
- netstack_t *ns;
- arp_stack_t *as;
-
- TRACE_1(TR_FAC_ARP, TR_ARP_OPEN,
- "arp_open: q %p", q);
- /* Allow a reopen. */
- if (q->q_ptr != NULL) {
- return (0);
- }
-
- ns = netstack_find_by_cred(credp);
- ASSERT(ns != NULL);
- as = ns->netstack_arp;
- ASSERT(as != NULL);
-
- /* mi_open_comm allocates the instance data structure, etc. */
- err = mi_open_comm(&as->as_head, sizeof (ar_t), q, devp, flag, sflag,
- credp);
- if (err) {
- netstack_rele(as->as_netstack);
- return (err);
- }
-
- /*
- * We are D_MTPERMOD so it is safe to do qprocson before
- * the instance data has been initialized.
- */
- qprocson(q);
-
- ar = (ar_t *)q->q_ptr;
- ar->ar_rq = q;
- q = WR(q);
- ar->ar_wq = q;
- crhold(credp);
- ar->ar_credp = credp;
- ar->ar_as = as;
-
- /*
- * Probe for the DLPI info if we are not pushed on IP or UDP. Wait for
- * the reply. In case of error call ar_close() which will take
- * care of doing everything required to close this instance, such
- * as freeing the arl, restarting the timer on a different queue etc.
- */
- if (strcmp(q->q_next->q_qinfo->qi_minfo->mi_idname, "ip") == 0 ||
- strcmp(q->q_next->q_qinfo->qi_minfo->mi_idname, "udp") == 0) {
- arc_t *arc;
-
- /*
- * We are pushed directly on top of IP or UDP. There is no need
- * to send down a DL_INFO_REQ. Return success. This could
- * either be an ill stream (i.e. <arp-IP-Driver> stream)
- * or a stream corresponding to an open of /dev/arp
- * (i.e. <arp-IP> stream). Note that we don't support
- * pushing some module in between arp and IP.
- *
- * Tell IP, though, that we're an extended implementation, so
- * it knows to expect a DAD response after bringing an
- * interface up. Old ATM drivers won't do this, and IP will
- * just bring the interface up immediately.
- */
- ar->ar_on_ill_stream = (q->q_next->q_next != NULL);
- if (!ar->ar_on_ill_stream || arp_no_defense)
- return (0);
- mp = allocb(sizeof (arc_t), BPRI_MED);
- if (mp == NULL) {
- (void) ar_close(RD(q));
- return (ENOMEM);
- }
- DB_TYPE(mp) = M_CTL;
- arc = (arc_t *)mp->b_rptr;
- mp->b_wptr = mp->b_rptr + sizeof (arc_t);
- arc->arc_cmd = AR_ARP_EXTEND;
- putnext(q, mp);
- return (0);
- }
- tmp_q = q;
- /* Get the driver's queue */
- while (tmp_q->q_next != NULL)
- tmp_q = tmp_q->q_next;
-
- ASSERT(tmp_q->q_qinfo->qi_minfo != NULL);
-
- if (strcmp(tmp_q->q_qinfo->qi_minfo->mi_idname, "ip") == 0 ||
- strcmp(tmp_q->q_qinfo->qi_minfo->mi_idname, "udp") == 0) {
- /*
- * We don't support pushing ARP arbitrarily on an IP or UDP
- * driver stream. ARP has to be pushed directly above IP or
- * UDP.
- */
- (void) ar_close(RD(q));
- return (ENOTSUP);
- } else {
- /*
- * Send down a DL_INFO_REQ so we can find out what we are
- * talking to.
- */
- mp = ar_dlpi_comm(DL_INFO_REQ, sizeof (dl_info_req_t));
- if (mp == NULL) {
- (void) ar_close(RD(q));
- return (ENOMEM);
- }
- putnext(ar->ar_wq, mp);
- while (ar->ar_arl == NULL) {
- if (!qwait_sig(ar->ar_rq)) {
- (void) ar_close(RD(q));
- return (EINTR);
- }
- }
- }
- return (0);
-}
-
-/* Get current value of Named Dispatch item. */
-/* ARGSUSED */
-static int
-ar_param_get(queue_t *q, mblk_t *mp, caddr_t cp, cred_t *cr)
-{
- arpparam_t *arppa = (arpparam_t *)cp;
-
- (void) mi_mpprintf(mp, "%d", arppa->arp_param_value);
- return (0);
-}
-
-/*
- * Walk through the param array specified registering each element with the
- * named dispatch handler.
- */
-static boolean_t
-ar_param_register(IDP *ndp, arpparam_t *arppa, int cnt)
-{
- for (; cnt-- > 0; arppa++) {
- if (arppa->arp_param_name && arppa->arp_param_name[0]) {
- if (!nd_load(ndp, arppa->arp_param_name,
- ar_param_get, ar_param_set,
- (caddr_t)arppa)) {
- nd_free(ndp);
- return (B_FALSE);
- }
- }
- }
- return (B_TRUE);
-}
-
-/* Set new value of Named Dispatch item. */
-/* ARGSUSED */
-static int
-ar_param_set(queue_t *q, mblk_t *mp, char *value, caddr_t cp, cred_t *cr)
-{
- long new_value;
- arpparam_t *arppa = (arpparam_t *)cp;
-
- if (ddi_strtol(value, NULL, 10, &new_value) != 0 ||
- new_value < arppa->arp_param_min ||
- new_value > arppa->arp_param_max) {
- return (EINVAL);
- }
- arppa->arp_param_value = new_value;
- return (0);
-}
-
-/*
- * Process an I_PLINK ioctl. If the lower stream is an arp device stream,
- * append another mblk to the chain, that will carry the device name,
- * and the muxid. IP uses this info to lookup the corresponding ill, and
- * set the ill_arp_muxid atomically, as part of the I_PLINK, instead of
- * waiting for the SIOCSLIFMUXID. (which may never happen if ifconfig is
- * killed, and this has the bad effect of not being able to unplumb
- * subsequently)
- */
-static int
-ar_plink_send(queue_t *q, mblk_t *mp)
-{
- char *name;
- mblk_t *muxmp;
- mblk_t *mp1;
- ar_t *ar = (ar_t *)q->q_ptr;
- arp_stack_t *as = ar->ar_as;
- struct linkblk *li;
- struct ipmx_s *ipmxp;
- queue_t *arpwq;
-
- mp1 = mp->b_cont;
- ASSERT((mp1 != NULL) && (mp1->b_cont == NULL));
- li = (struct linkblk *)mp1->b_rptr;
- arpwq = li->l_qbot;
-
- /*
- * Allocate a new mblk which will hold an ipmx_s and chain it to
- * the M_IOCTL chain. The final chain will consist of 3 mblks,
- * namely the M_IOCTL, followed by the linkblk, followed by the ipmx_s
- */
- muxmp = allocb(sizeof (struct ipmx_s), BPRI_MED);
- if (muxmp == NULL)
- return (ENOMEM);
- ipmxp = (struct ipmx_s *)muxmp->b_wptr;
- ipmxp->ipmx_arpdev_stream = 0;
- muxmp->b_wptr += sizeof (struct ipmx_s);
- mp1->b_cont = muxmp;
-
- /*
- * The l_qbot represents the uppermost write queue of the
- * lower stream. Walk down this stream till we hit ARP.
- * We can safely walk, since STREAMS has made sure the stream
- * cannot close till the IOCACK goes up, and is not interruptible.
- */
- while (arpwq != NULL) {
- /*
- * Beware of broken modules like logsubr.c that
- * may not have a q_qinfo or qi_minfo.
- */
- if ((q->q_qinfo != NULL) && (q->q_qinfo->qi_minfo != NULL)) {
- name = arpwq->q_qinfo->qi_minfo->mi_idname;
- if (name != NULL && name[0] != NULL &&
- (strcmp(name, arp_mod_info.mi_idname) == 0))
- break;
- }
- arpwq = arpwq->q_next;
- }
-
- /*
- * Check if arpwq corresponds to an arp device stream, by walking
- * the mi list. If it does, then add the muxid and device name info
- * for use by IP. IP will send the M_IOCACK.
- */
- if (arpwq != NULL) {
- for (ar = (ar_t *)mi_first_ptr(&as->as_head); ar != NULL;
- ar = (ar_t *)mi_next_ptr(&as->as_head, (void *)ar)) {
- if ((ar->ar_wq == arpwq) && (ar->ar_arl != NULL)) {
- ipmxp->ipmx_arpdev_stream = 1;
- (void) strcpy((char *)ipmxp->ipmx_name,
- ar->ar_arl->arl_name);
- break;
- }
- }
- }
-
- putnext(q, mp);
- return (0);
-}
-
-/*
- * ar_ce_walk routine to delete any outstanding queries for an ar that is
- * going away.
- */
-static void
-ar_query_delete(ace_t *ace, void *arg)
-{
- ar_t *ar = arg;
- mblk_t **mpp = &ace->ace_query_mp;
- mblk_t *mp;
- arp_stack_t *as = ar->ar_as;
- ip_stack_t *ipst = as->as_netstack->netstack_ip;
-
- while ((mp = *mpp) != NULL) {
- /* The response queue was stored in the query b_prev. */
- if ((queue_t *)mp->b_prev == ar->ar_wq ||
- (queue_t *)mp->b_prev == ar->ar_rq) {
- *mpp = mp->b_next;
- if (DB_TYPE(mp) == M_PROTO &&
- *(uint32_t *)mp->b_rptr == AR_ENTRY_QUERY) {
- BUMP_IRE_STATS(ipst->ips_ire_stats_v4,
- ire_stats_freed);
- }
- inet_freemsg(mp);
- } else {
- mpp = &mp->b_next;
- }
- }
-}
-
-/*
- * This routine is called either when an address resolution has just been
- * found, or when it is time to give, or in some other error situation.
- * If a non-zero ret_val is provided, any outstanding queries for the
- * specified ace will be completed using that error value. Otherwise,
- * the completion status will depend on whether the address has been
- * resolved.
- */
-static void
-ar_query_reply(ace_t *ace, int ret_val, uchar_t *proto_addr,
- uint32_t proto_addr_len)
-{
- mblk_t *areq_mp;
- mblk_t *mp;
- mblk_t *xmit_mp;
- queue_t *arl_wq = ace->ace_arl->arl_wq;
- arp_stack_t *as = ARL_TO_ARPSTACK(ace->ace_arl);
- ip_stack_t *ipst = as->as_netstack->netstack_ip;
- arlphy_t *ap = ace->ace_xmit_arl->arl_phy;
-
- /*
- * On error or completion for a query, we need to shut down the timer.
- * However, the timer must not be stopped for an interface doing
- * Duplicate Address Detection, or it will never finish that phase.
- */
- if (!(ace->ace_flags & (ACE_F_UNVERIFIED | ACE_F_AUTHORITY)))
- mi_timer(arl_wq, ace->ace_mp, -1L);
-
- /* Establish the return value appropriate. */
- if (ret_val == 0) {
- if (!ACE_RESOLVED(ace) || ap == NULL)
- ret_val = ENXIO;
- }
- /* Terminate all outstanding queries. */
- while ((mp = ace->ace_query_mp) != 0) {
- /* The response queue was saved in b_prev. */
- queue_t *q = (queue_t *)mp->b_prev;
- mp->b_prev = NULL;
- ace->ace_query_mp = mp->b_next;
- mp->b_next = NULL;
- /*
- * If we have the answer, attempt to get a copy of the xmit
- * template to prepare for the client.
- */
- if (ret_val == 0 &&
- (xmit_mp = copyb(ap->ap_xmit_mp)) == NULL) {
- /* Too bad, buy more memory. */
- ret_val = ENOMEM;
- }
- /* Complete the response based on how the request arrived. */
- if (DB_TYPE(mp) == M_IOCTL) {
- struct iocblk *ioc = (struct iocblk *)mp->b_rptr;
-
- ioc->ioc_error = ret_val;
- if (ret_val != 0) {
- DB_TYPE(mp) = M_IOCNAK;
- ioc->ioc_count = 0;
- putnext(q, mp);
- continue;
- }
- /*
- * Return the xmit mp out with the successful IOCTL.
- */
- DB_TYPE(mp) = M_IOCACK;
- ioc->ioc_count = MBLKL(xmit_mp);
- /* Remove the areq mblk from the IOCTL. */
- areq_mp = mp->b_cont;
- mp->b_cont = areq_mp->b_cont;
- } else {
- if (ret_val != 0) {
- /* TODO: find some way to let the guy know? */
- inet_freemsg(mp);
- BUMP_IRE_STATS(ipst->ips_ire_stats_v4,
- ire_stats_freed);
- continue;
- }
- /*
- * In the M_PROTO case, the areq message is followed by
- * a message chain to be returned to the protocol. ARP
- * doesn't know (or care) what is in this chain, but in
- * the event that the reader is pondering the
- * relationship between ARP and IP (for example), the
- * areq is followed by an incipient IRE, and then the
- * original outbound packet. Here we detach the areq.
- */
- areq_mp = mp;
- mp = mp->b_cont;
- }
- ASSERT(ret_val == 0 && ap != NULL);
- if (ap->ap_saplen != 0) {
- /*
- * Copy the SAP type specified in the request into
- * the xmit mp.
- */
- areq_t *areq = (areq_t *)areq_mp->b_rptr;
- bcopy(areq->areq_sap, xmit_mp->b_rptr +
- ap->ap_xmit_sapoff, ABS(ap->ap_saplen));
- }
- /* Done with the areq message. */
- freeb(areq_mp);
- /*
- * Copy the resolved hardware address into the xmit mp
- * or perform the mapping operation.
- */
- ar_set_address(ace, xmit_mp->b_rptr + ap->ap_xmit_addroff,
- proto_addr, proto_addr_len);
- /*
- * Now insert the xmit mp after the response message. In
- * the M_IOCTL case, it will be the returned data block. In
- * the M_PROTO case, (again using IP as an example) it will
- * appear after the IRE and before the outbound packet.
- */
- xmit_mp->b_cont = mp->b_cont;
- mp->b_cont = xmit_mp;
- putnext(q, mp);
- }
-
- /*
- * Unless we are responding from a permanent cache entry, start the
- * cleanup timer or (on error) delete the entry.
- */
- if (!(ace->ace_flags & (ACE_F_PERMANENT | ACE_F_DYING))) {
- if (!ACE_RESOLVED(ace) || ap == NULL) {
- /*
- * No need to notify IP here, because the entry was
- * never resolved, so IP can't have any cached copies
- * of the address.
- */
- ar_ce_delete(ace);
- } else {
- mi_timer(arl_wq, ace->ace_mp, as->as_cleanup_interval);
- }
- }
-}
-
-/*
- * Returns number of milliseconds after which we should either rexmit or abort.
- * Return of zero means we should abort.
- */
-static clock_t
-ar_query_xmit(arp_stack_t *as, ace_t *ace)
-{
- areq_t *areq;
- mblk_t *mp;
- uchar_t *proto_addr;
- uchar_t *sender_addr;
- ace_t *src_ace;
- arl_t *xmit_arl = ace->ace_xmit_arl;
-
- mp = ace->ace_query_mp;
- /*
- * ar_query_delete may have just blown off the outstanding
- * ace_query_mp entries because the client who sent the query
- * went away. If this happens just before the ace_mp timer
- * goes off, we'd find a null ace_query_mp which is not an error.
- * The unresolved ace itself, and the timer, will be removed
- * when the arl stream goes away.
- */
- if (!mp)
- return (0);
- if (DB_TYPE(mp) == M_IOCTL)
- mp = mp->b_cont;
- areq = (areq_t *)mp->b_rptr;
- if (areq->areq_xmit_count == 0)
- return (0);
- areq->areq_xmit_count--;
- proto_addr = mi_offset_paramc(mp, areq->areq_target_addr_offset,
- areq->areq_target_addr_length);
- sender_addr = mi_offset_paramc(mp, areq->areq_sender_addr_offset,
- areq->areq_sender_addr_length);
-
- /*
- * Get the ace for the sender address, so that we can verify that
- * we have one and that DAD has completed.
- */
- src_ace = ar_ce_lookup(xmit_arl, areq->areq_proto, sender_addr,
- areq->areq_sender_addr_length);
- if (src_ace == NULL) {
- DTRACE_PROBE3(xmit_no_source, ace_t *, ace, areq_t *, areq,
- uchar_t *, sender_addr);
- return (0);
- }
-
- /*
- * If we haven't yet finished duplicate address checking on this source
- * address, then do *not* use it on the wire. Doing so will corrupt
- * the world's caches. Just allow the timer to restart. Note that
- * duplicate address checking will eventually complete one way or the
- * other, so this cannot go on "forever."
- */
- if (src_ace->ace_flags & ACE_F_UNVERIFIED) {
- DTRACE_PROBE2(xmit_source_unverified, ace_t *, ace,
- ace_t *, src_ace);
- areq->areq_xmit_count++;
- return (areq->areq_xmit_interval);
- }
-
- DTRACE_PROBE3(xmit_send, ace_t *, ace, ace_t *, src_ace,
- areq_t *, areq);
-
- ar_xmit(xmit_arl, ARP_REQUEST, areq->areq_proto,
- areq->areq_sender_addr_length, xmit_arl->arl_phy->ap_hw_addr,
- sender_addr, xmit_arl->arl_phy->ap_arp_addr, proto_addr, NULL, as);
- src_ace->ace_last_bcast = ddi_get_lbolt();
- return (areq->areq_xmit_interval);
-}
-
-/* Our read side put procedure. */
-static void
-ar_rput(queue_t *q, mblk_t *mp)
-{
- arh_t *arh;
- arl_t *arl;
- arl_t *client_arl;
- ace_t *dst_ace;
- uchar_t *dst_paddr;
- int err;
- uint32_t hlen;
- struct iocblk *ioc;
- mblk_t *mp1;
- int op;
- uint32_t plen;
- uint32_t proto;
- uchar_t *src_haddr;
- uchar_t *src_paddr;
- uchar_t *dst_haddr;
- boolean_t is_probe;
- boolean_t is_unicast = B_FALSE;
- dl_unitdata_ind_t *dlindp;
- int i;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
-
- TRACE_1(TR_FAC_ARP, TR_ARP_RPUT_START,
- "arp_rput_start: q %p", q);
-
- /*
- * We handle ARP commands from below both in M_IOCTL and M_PROTO
- * messages. Actual ARP requests and responses will show up as
- * M_PROTO messages containing DL_UNITDATA_IND blocks.
- */
- switch (DB_TYPE(mp)) {
- case M_IOCTL:
- err = ar_cmd_dispatch(q, mp, B_FALSE);
- switch (err) {
- case ENOENT:
- DB_TYPE(mp) = M_IOCNAK;
- if ((mp1 = mp->b_cont) != 0) {
- /*
- * Collapse the data as a note to the
- * originator.
- */
- mp1->b_wptr = mp1->b_rptr;
- }
- break;
- case EINPROGRESS:
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "ioctl/inprogress");
- return;
- default:
- DB_TYPE(mp) = M_IOCACK;
- break;
- }
- ioc = (struct iocblk *)mp->b_rptr;
- ioc->ioc_error = err;
- if ((mp1 = mp->b_cont) != 0)
- ioc->ioc_count = MBLKL(mp1);
- else
- ioc->ioc_count = 0;
- qreply(q, mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "ioctl");
- return;
- case M_CTL:
- /*
- * IP is acking the AR_ARP_CLOSING message that we sent
- * in ar_close.
- */
- if (MBLKL(mp) == sizeof (arc_t)) {
- if (((arc_t *)mp->b_rptr)->arc_cmd == AR_ARP_CLOSING)
- ((ar_t *)q->q_ptr)->ar_ip_acked_close = 1;
- }
- freemsg(mp);
- return;
- case M_PCPROTO:
- case M_PROTO:
- dlindp = (dl_unitdata_ind_t *)mp->b_rptr;
- if (MBLKL(mp) >= sizeof (dl_unitdata_ind_t) &&
- dlindp->dl_primitive == DL_UNITDATA_IND) {
- is_unicast = (dlindp->dl_group_address == 0);
- arl = ((ar_t *)q->q_ptr)->ar_arl;
- if (arl != NULL && arl->arl_phy != NULL) {
- /* Real messages from the wire! */
- break;
- }
- putnext(q, mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "default");
- return;
- }
- err = ar_cmd_dispatch(q, mp, B_FALSE);
- switch (err) {
- case ENOENT:
- /* Miscellaneous DLPI messages get shuffled off. */
- ar_rput_dlpi(q, mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "proto/dlpi");
- break;
- case EINPROGRESS:
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "proto");
- break;
- default:
- inet_freemsg(mp);
- break;
- }
- return;
- default:
- putnext(q, mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "default");
- return;
- }
- /*
- * If the IFF_NOARP flag is on, then do not process any
- * incoming ARP_REQUEST or incoming ARP_RESPONSE.
- */
- if (arl->arl_flags & ARL_F_NOARP) {
- freemsg(mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "interface has IFF_NOARP set");
- return;
- }
-
- /*
- * What we should have at this point is a DL_UNITDATA_IND message
- * followed by an ARP packet. We do some initial checks and then
- * get to work.
- */
- mp1 = mp->b_cont;
- if (mp1 == NULL) {
- freemsg(mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "baddlpi");
- return;
- }
- if (mp1->b_cont != NULL) {
- /* No fooling around with funny messages. */
- if (!pullupmsg(mp1, -1)) {
- freemsg(mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "pullupmsgfail");
- return;
- }
- }
- arh = (arh_t *)mp1->b_rptr;
- hlen = arh->arh_hlen;
- plen = arh->arh_plen;
- if (MBLKL(mp1) < ARH_FIXED_LEN + 2 * hlen + 2 * plen) {
- freemsg(mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "short");
- return;
- }
- /*
- * hlen 0 is used for RFC 1868 UnARP.
- *
- * Note that the rest of the code checks that hlen is what we expect
- * for this hardware address type, so might as well discard packets
- * here that don't match.
- */
- if ((hlen > 0 && hlen != arl->arl_phy->ap_hw_addrlen) || plen == 0) {
- DTRACE_PROBE2(rput_bogus, arl_t *, arl, mblk_t *, mp1);
- freemsg(mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "hlenzero/plenzero");
- return;
- }
- /*
- * Historically, Solaris has been lenient about hardware type numbers.
- * We should check here, but don't.
- */
- DTRACE_PROBE2(rput_normal, arl_t *, arl, arh_t *, arh);
-
- DTRACE_PROBE3(arp__physical__in__start,
- arl_t *, arl, arh_t *, arh, mblk_t *, mp);
-
- ARP_HOOK_IN(as->as_arp_physical_in_event, as->as_arp_physical_in,
- arl->arl_index, arh, mp, mp1, as);
-
- DTRACE_PROBE1(arp__physical__in__end, mblk_t *, mp);
-
- if (mp == NULL)
- return;
-
- proto = (uint32_t)BE16_TO_U16(arh->arh_proto);
- src_haddr = (uchar_t *)arh;
- src_haddr = &src_haddr[ARH_FIXED_LEN];
- src_paddr = &src_haddr[hlen];
- dst_haddr = &src_haddr[hlen + plen];
- dst_paddr = &src_haddr[hlen + plen + hlen];
- op = BE16_TO_U16(arh->arh_operation);
-
- /* Determine if this is just a probe */
- for (i = 0; i < plen; i++)
- if (src_paddr[i] != 0)
- break;
- is_probe = i >= plen;
-
- /*
- * RFC 826: first check if the <protocol, sender protocol address> is
- * in the cache, if there is a sender protocol address. Note that this
- * step also handles resolutions based on source.
- *
- * Note that IP expects that each notification it receives will be
- * tied to the ill it received it on. Thus, we must talk to it over
- * the arl tied to the resolved IP address (if any), hence client_arl.
- */
- if (is_probe)
- err = AR_NOTFOUND;
- else
- err = ar_ce_resolve_all(arl, proto, src_haddr, hlen, src_paddr,
- plen, &client_arl);
-
- switch (err) {
- case AR_BOGON:
- ar_client_notify(client_arl, mp1, AR_CN_BOGON);
- mp1 = NULL;
- break;
- case AR_FAILED:
- ar_client_notify(client_arl, mp1, AR_CN_FAILED);
- mp1 = NULL;
- break;
- case AR_LOOPBACK:
- DTRACE_PROBE2(rput_loopback, arl_t *, arl, arh_t *, arh);
- freemsg(mp1);
- mp1 = NULL;
- break;
- }
- if (mp1 == NULL) {
- freeb(mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "unneeded");
- return;
- }
-
- /*
- * Now look up the destination address. By RFC 826, we ignore the
- * packet at this step if the target isn't one of our addresses. This
- * is true even if the target is something we're trying to resolve and
- * the packet is a response. To avoid duplicate responses, we also
- * ignore the packet if it was multicast/broadcast to an arl that's in
- * an IPMP group but was not the designated xmit_arl for the ACE.
- *
- * Note that in order to do this correctly, we need to know when to
- * notify IP of a change implied by the source address of the ARP
- * message. That implies that the local ARP table has entries for all
- * of the resolved entries cached in the client. This is why we must
- * notify IP when we delete a resolved entry and we know that IP may
- * have cached answers.
- */
- dst_ace = ar_ce_lookup_entry(arl, proto, dst_paddr, plen);
- if (dst_ace == NULL || !ACE_RESOLVED(dst_ace) ||
- (dst_ace->ace_xmit_arl != arl && !is_unicast) ||
- !(dst_ace->ace_flags & ACE_F_PUBLISH)) {
- /*
- * Let the client know if the source mapping has changed, even
- * if the destination provides no useful information for the
- * client.
- */
- if (err == AR_CHANGED)
- ar_client_notify(client_arl, mp1, AR_CN_ANNOUNCE);
- else
- freemsg(mp1);
- freeb(mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "nottarget");
- return;
- }
-
- /*
- * If the target is unverified by DAD, then one of two things is true:
- * either it's someone else claiming this address (on a probe or an
- * announcement) or it's just a regular request. The former is
- * failure, but a regular request is not.
- */
- if (dst_ace->ace_flags & ACE_F_UNVERIFIED) {
- /*
- * Check for a reflection. Some misbehaving bridges will
- * reflect our own transmitted packets back to us.
- */
- if (hlen == dst_ace->ace_hw_addr_length &&
- bcmp(src_haddr, dst_ace->ace_hw_addr, hlen) == 0) {
- DTRACE_PROBE3(rput_probe_reflected, arl_t *, arl,
- arh_t *, arh, ace_t *, dst_ace);
- freeb(mp);
- freemsg(mp1);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "reflection");
- return;
- }
-
- /*
- * Conflicts seen via the wrong interface may be bogus.
- * Multiple interfaces on the same segment imply any conflict
- * will also be seen via the correct interface, so we can ignore
- * anything not matching the arl from the ace.
- */
- if (arl != dst_ace->ace_arl) {
- DTRACE_PROBE3(rput_probe_misdirect, arl_t *, arl,
- arh_t *, arh, ace_t *, dst_ace);
- freeb(mp);
- freemsg(mp1);
- return;
- }
- /*
- * Responses targeting our HW address that are not responses to
- * our DAD probe must be ignored as they are related to requests
- * sent before DAD was restarted. Note: response to our DAD
- * probe will have been handled by ar_ce_resolve_all() above.
- */
- if (op == ARP_RESPONSE &&
- (bcmp(dst_haddr, dst_ace->ace_hw_addr, hlen) == 0)) {
- DTRACE_PROBE3(rput_probe_stale, arl_t *, arl,
- arh_t *, arh, ace_t *, dst_ace);
- freeb(mp);
- freemsg(mp1);
- return;
- }
- /*
- * Responses targeted to HW addresses which are not ours but
- * sent to our unverified proto address are also conflicts.
- * These may be reported by a proxy rather than the interface
- * with the conflicting address, dst_paddr is in conflict
- * rather than src_paddr. To ensure IP can locate the correct
- * ipif to take down, it is necessary to copy dst_paddr to
- * the src_paddr field before sending it to IP. The same is
- * required for probes, where src_paddr will be INADDR_ANY.
- */
- if (is_probe) {
- /*
- * In this case, client_arl will be invalid (e.g.,
- * since probes don't have a valid sender address).
- * But dst_ace has the appropriate arl.
- */
- bcopy(dst_paddr, src_paddr, plen);
- ar_client_notify(dst_ace->ace_arl, mp1, AR_CN_FAILED);
- ar_ce_delete(dst_ace);
- } else if (op == ARP_RESPONSE) {
- bcopy(dst_paddr, src_paddr, plen);
- ar_client_notify(client_arl, mp1, AR_CN_FAILED);
- ar_ce_delete(dst_ace);
- } else if (err == AR_CHANGED) {
- ar_client_notify(client_arl, mp1, AR_CN_ANNOUNCE);
- } else {
- DTRACE_PROBE3(rput_request_unverified, arl_t *, arl,
- arh_t *, arh, ace_t *, dst_ace);
- freemsg(mp1);
- }
- freeb(mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "unverified");
- return;
- }
-
- /*
- * If it's a request, then we reply to this, and if we think the
- * sender's unknown, then we create an entry to avoid unnecessary ARPs.
- * The design assumption is that someone ARPing us is likely to send us
- * a packet soon, and that we'll want to reply to it.
- */
- if (op == ARP_REQUEST) {
- const uchar_t *dstaddr = src_haddr;
- clock_t now;
-
- /*
- * This implements periodic address defense based on a modified
- * version of the RFC 3927 requirements. Instead of sending a
- * broadcasted reply every time, as demanded by the RFC, we
- * send at most one broadcast reply per arp_broadcast_interval.
- */
- now = ddi_get_lbolt();
- if ((now - dst_ace->ace_last_bcast) >
- MSEC_TO_TICK(as->as_broadcast_interval)) {
- DTRACE_PROBE3(rput_bcast_reply, arl_t *, arl,
- arh_t *, arh, ace_t *, dst_ace);
- dst_ace->ace_last_bcast = now;
- dstaddr = arl->arl_phy->ap_arp_addr;
- /*
- * If this is one of the long-suffering entries, then
- * pull it out now. It no longer needs separate
- * defense, because we're doing now that with this
- * broadcasted reply.
- */
- dst_ace->ace_flags &= ~ACE_F_DELAYED;
- }
-
- ar_xmit(arl, ARP_RESPONSE, dst_ace->ace_proto, plen,
- dst_ace->ace_hw_addr, dst_ace->ace_proto_addr,
- src_haddr, src_paddr, dstaddr, as);
- if (!is_probe && err == AR_NOTFOUND &&
- ar_ce_create(OWNING_ARL(arl), proto, src_haddr, hlen,
- src_paddr, plen, NULL, NULL, 0, NULL, 0) == 0) {
- ace_t *ace;
-
- ace = ar_ce_lookup(arl, proto, src_paddr, plen);
- ASSERT(ace != NULL);
- mi_timer(ace->ace_arl->arl_wq, ace->ace_mp,
- as->as_cleanup_interval);
- }
- }
- if (err == AR_CHANGED) {
- freeb(mp);
- ar_client_notify(client_arl, mp1, AR_CN_ANNOUNCE);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "reqchange");
- } else {
- freemsg(mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_RPUT_END,
- "arp_rput_end: q %p (%S)", q, "end");
- }
-}
-
-static void
-ar_ce_restart_dad(ace_t *ace, void *arl_arg)
-{
- arl_t *arl = arl_arg;
- arp_stack_t *as = ARL_TO_ARPSTACK(arl);
-
- if ((ace->ace_xmit_arl == arl) &&
- (ace->ace_flags & (ACE_F_UNVERIFIED|ACE_F_DAD_ABORTED)) ==
- (ACE_F_UNVERIFIED|ACE_F_DAD_ABORTED)) {
- /*
- * Slight cheat here: we don't use the initial probe delay
- * in this obscure case.
- */
- if (ace->ace_flags & ACE_F_FAST) {
- ace->ace_xmit_count = as->as_fastprobe_count;
- ace->ace_xmit_interval = as->as_fastprobe_interval;
- } else {
- ace->ace_xmit_count = as->as_probe_count;
- ace->ace_xmit_interval = as->as_probe_interval;
- }
- ace->ace_flags &= ~ACE_F_DAD_ABORTED;
- ace_set_timer(ace, B_FALSE);
- }
-}
-
-/* DLPI messages, other than DL_UNITDATA_IND are handled here. */
-static void
-ar_rput_dlpi(queue_t *q, mblk_t *mp)
-{
- ar_t *ar = q->q_ptr;
- arl_t *arl = ar->ar_arl;
- arlphy_t *ap = NULL;
- union DL_primitives *dlp;
- const char *err_str;
- arp_stack_t *as = ar->ar_as;
-
- if (arl != NULL)
- ap = arl->arl_phy;
-
- if (MBLKL(mp) < sizeof (dlp->dl_primitive)) {
- putnext(q, mp);
- return;
- }
- dlp = (union DL_primitives *)mp->b_rptr;
- switch (dlp->dl_primitive) {
- case DL_ERROR_ACK:
- /*
- * ce is confused about how DLPI works, so we have to interpret
- * an "error" on DL_NOTIFY_ACK (which we never could have sent)
- * as really meaning an error on DL_NOTIFY_REQ.
- *
- * Note that supporting DL_NOTIFY_REQ is optional, so printing
- * out an error message on the console isn't warranted except
- * for debug.
- */
- if (dlp->error_ack.dl_error_primitive == DL_NOTIFY_ACK ||
- dlp->error_ack.dl_error_primitive == DL_NOTIFY_REQ) {
- ar_dlpi_done(arl, DL_NOTIFY_REQ);
- freemsg(mp);
- return;
- }
- err_str = dl_primstr(dlp->error_ack.dl_error_primitive);
- DTRACE_PROBE2(rput_dl_error, arl_t *, arl,
- dl_error_ack_t *, &dlp->error_ack);
- switch (dlp->error_ack.dl_error_primitive) {
- case DL_UNBIND_REQ:
- if (arl->arl_provider_style == DL_STYLE1)
- arl->arl_state = ARL_S_DOWN;
- break;
- case DL_DETACH_REQ:
- case DL_BIND_REQ:
- arl->arl_state = ARL_S_DOWN;
- break;
- case DL_ATTACH_REQ:
- break;
- default:
- /* If it's anything else, we didn't send it. */
- putnext(q, mp);
- return;
- }
- ar_dlpi_done(arl, dlp->error_ack.dl_error_primitive);
- (void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
- "ar_rput_dlpi: %s failed, dl_errno %d, dl_unix_errno %d",
- err_str, dlp->error_ack.dl_errno,
- dlp->error_ack.dl_unix_errno);
- break;
- case DL_INFO_ACK:
- DTRACE_PROBE2(rput_dl_info, arl_t *, arl,
- dl_info_ack_t *, &dlp->info_ack);
- if (arl != NULL && arl->arl_dlpi_pending == DL_INFO_REQ) {
- /*
- * We have a response back from the driver. Go set up
- * transmit defaults.
- */
- ar_ll_set_defaults(arl, mp);
- ar_dlpi_done(arl, DL_INFO_REQ);
- } else if (arl == NULL) {
- ar_ll_init(as, ar, mp);
- }
- /* Kick off any awaiting messages */
- qenable(WR(q));
- break;
- case DL_OK_ACK:
- DTRACE_PROBE2(rput_dl_ok, arl_t *, arl,
- dl_ok_ack_t *, &dlp->ok_ack);
- switch (dlp->ok_ack.dl_correct_primitive) {
- case DL_UNBIND_REQ:
- if (arl->arl_provider_style == DL_STYLE1)
- arl->arl_state = ARL_S_DOWN;
- break;
- case DL_DETACH_REQ:
- arl->arl_state = ARL_S_DOWN;
- break;
- case DL_ATTACH_REQ:
- break;
- default:
- putnext(q, mp);
- return;
- }
- ar_dlpi_done(arl, dlp->ok_ack.dl_correct_primitive);
- break;
- case DL_NOTIFY_ACK:
- DTRACE_PROBE2(rput_dl_notify, arl_t *, arl,
- dl_notify_ack_t *, &dlp->notify_ack);
- /*
- * We mostly care about interface-up transitions, as this is
- * when we need to redo duplicate address detection.
- */
- if (ap != NULL) {
- ap->ap_notifies = (dlp->notify_ack.dl_notifications &
- DL_NOTE_LINK_UP) != 0;
- }
- ar_dlpi_done(arl, DL_NOTIFY_REQ);
- break;
- case DL_BIND_ACK:
- DTRACE_PROBE2(rput_dl_bind, arl_t *, arl,
- dl_bind_ack_t *, &dlp->bind_ack);
- if (ap != NULL) {
- caddr_t hw_addr;
-
- hw_addr = (caddr_t)dlp + dlp->bind_ack.dl_addr_offset;
- if (ap->ap_saplen > 0)
- hw_addr += ap->ap_saplen;
- bcopy(hw_addr, ap->ap_hw_addr, ap->ap_hw_addrlen);
- }
- arl->arl_state = ARL_S_UP;
- ar_dlpi_done(arl, DL_BIND_REQ);
- break;
- case DL_NOTIFY_IND:
- DTRACE_PROBE2(rput_dl_notify_ind, arl_t *, arl,
- dl_notify_ind_t *, &dlp->notify_ind);
-
- if (dlp->notify_ind.dl_notification == DL_NOTE_REPLUMB) {
- arl->arl_replumbing = B_TRUE;
- if (arl->arl_state == ARL_S_DOWN) {
- arp_replumb_done(arl, mp);
- return;
- }
- break;
- }
-
- if (ap != NULL) {
- switch (dlp->notify_ind.dl_notification) {
- case DL_NOTE_LINK_UP:
- ap->ap_link_down = B_FALSE;
- ar_ce_walk(as, ar_ce_restart_dad, arl);
- break;
- case DL_NOTE_LINK_DOWN:
- ap->ap_link_down = B_TRUE;
- break;
- }
- }
- break;
- case DL_UDERROR_IND:
- DTRACE_PROBE2(rput_dl_uderror, arl_t *, arl,
- dl_uderror_ind_t *, &dlp->uderror_ind);
- (void) mi_strlog(q, 1, SL_ERROR | SL_TRACE,
- "ar_rput_dlpi: "
- "DL_UDERROR_IND, dl_dest_addr_length %d dl_errno %d",
- dlp->uderror_ind.dl_dest_addr_length,
- dlp->uderror_ind.dl_errno);
- putnext(q, mp);
- return;
- default:
- DTRACE_PROBE2(rput_dl_badprim, arl_t *, arl,
- union DL_primitives *, dlp);
- putnext(q, mp);
- return;
- }
- freemsg(mp);
-}
-
-static void
-ar_set_address(ace_t *ace, uchar_t *addrpos, uchar_t *proto_addr,
- uint32_t proto_addr_len)
-{
- uchar_t *mask, *to;
- int len;
-
- ASSERT(ace->ace_hw_addr != NULL);
-
- bcopy(ace->ace_hw_addr, addrpos, ace->ace_hw_addr_length);
- if (ace->ace_flags & ACE_F_MAPPING &&
- proto_addr != NULL &&
- ace->ace_proto_extract_mask) { /* careful */
- len = MIN((int)ace->ace_hw_addr_length
- - ace->ace_hw_extract_start,
- proto_addr_len);
- mask = ace->ace_proto_extract_mask;
- to = addrpos + ace->ace_hw_extract_start;
- while (len-- > 0)
- *to++ |= *mask++ & *proto_addr++;
- }
-}
-
-static int
-ar_slifname(queue_t *q, mblk_t *mp_orig)
-{
- ar_t *ar = q->q_ptr;
- arl_t *arl = ar->ar_arl;
- struct lifreq *lifr;
- mblk_t *mp = mp_orig;
- arl_t *old_arl;
- mblk_t *ioccpy;
- struct iocblk *iocp;
- hook_nic_event_t info;
- arp_stack_t *as = ar->ar_as;
-
- if (ar->ar_on_ill_stream) {
- /*
- * This command is for IP, since it is coming down
- * the <arp-IP-driver> stream. Return ENOENT so that
- * it will be sent downstream by the caller
- */
- return (ENOENT);
- }
- /* We handle both M_IOCTL and M_PROTO messages */
- if (DB_TYPE(mp) == M_IOCTL)
- mp = mp->b_cont;
- if (q->q_next == NULL || arl == NULL) {
- /*
- * If the interface was just opened and
- * the info ack has not yet come back from the driver
- */
- DTRACE_PROBE2(slifname_no_arl, queue_t *, q,
- mblk_t *, mp_orig);
- (void) putq(q, mp_orig);
- return (EINPROGRESS);
- }
-
- if (MBLKL(mp) < sizeof (struct lifreq)) {
- DTRACE_PROBE2(slifname_malformed, queue_t *, q,
- mblk_t *, mp);
- }
-
- if (arl->arl_name[0] != '\0') {
- DTRACE_PROBE1(slifname_already, arl_t *, arl);
- return (EALREADY);
- }
-
- lifr = (struct lifreq *)mp->b_rptr;
-
- if (strlen(lifr->lifr_name) >= LIFNAMSIZ) {
- DTRACE_PROBE2(slifname_bad_name, arl_t *, arl,
- struct lifreq *, lifr);
- return (ENXIO);
- }
-
- /* Check whether the name is already in use. */
-
- old_arl = ar_ll_lookup_by_name(as, lifr->lifr_name);
- if (old_arl != NULL) {
- DTRACE_PROBE2(slifname_exists, arl_t *, arl, arl_t *, old_arl);
- return (EEXIST);
- }
-
- /* Make a copy of the message so we can send it downstream. */
- if ((ioccpy = allocb(sizeof (struct iocblk), BPRI_MED)) == NULL ||
- (ioccpy->b_cont = copymsg(mp)) == NULL) {
- if (ioccpy != NULL)
- freeb(ioccpy);
- return (ENOMEM);
- }
-
- (void) strlcpy(arl->arl_name, lifr->lifr_name, sizeof (arl->arl_name));
-
- /* The ppa is sent down by ifconfig */
- arl->arl_ppa = lifr->lifr_ppa;
-
- /*
- * A network device is not considered to be fully plumb'd until
- * its name has been set using SIOCSLIFNAME. Once it has
- * been set, it cannot be set again (see code above), so there
- * is currently no danger in this function causing two NE_PLUMB
- * events without an intervening NE_UNPLUMB.
- */
- info.hne_nic = arl->arl_index;
- info.hne_lif = 0;
- info.hne_event = NE_PLUMB;
- info.hne_data = arl->arl_name;
- info.hne_datalen = strlen(arl->arl_name);
- (void) hook_run(as->as_net_data->netd_hooks, as->as_arpnicevents,
- (hook_data_t)&info);
-
- /* Chain in the new arl. */
- rw_enter(&as->as_arl_lock, RW_WRITER);
- arl->arl_next = as->as_arl_head;
- as->as_arl_head = arl;
- rw_exit(&as->as_arl_lock);
- DTRACE_PROBE1(slifname_set, arl_t *, arl);
-
- /*
- * Send along a copy of the ioctl; this is just for hitbox. Use
- * M_CTL to avoid confusing anyone else who might be listening.
- */
- DB_TYPE(ioccpy) = M_CTL;
- iocp = (struct iocblk *)ioccpy->b_rptr;
- bzero(iocp, sizeof (*iocp));
- iocp->ioc_cmd = SIOCSLIFNAME;
- iocp->ioc_count = msgsize(ioccpy->b_cont);
- ioccpy->b_wptr = (uchar_t *)(iocp + 1);
- putnext(arl->arl_wq, ioccpy);
-
- return (0);
-}
-
-static int
-ar_set_ppa(queue_t *q, mblk_t *mp_orig)
-{
- ar_t *ar = (ar_t *)q->q_ptr;
- arl_t *arl = ar->ar_arl;
- int ppa;
- char *cp;
- mblk_t *mp = mp_orig;
- arl_t *old_arl;
- arp_stack_t *as = ar->ar_as;
-
- if (ar->ar_on_ill_stream) {
- /*
- * This command is for IP, since it is coming down
- * the <arp-IP-driver> stream. Return ENOENT so that
- * it will be sent downstream by the caller
- */
- return (ENOENT);
- }
-
- /* We handle both M_IOCTL and M_PROTO messages. */
- if (DB_TYPE(mp) == M_IOCTL)
- mp = mp->b_cont;
- if (q->q_next == NULL || arl == NULL) {
- /*
- * If the interface was just opened and
- * the info ack has not yet come back from the driver.
- */
- DTRACE_PROBE2(setppa_no_arl, queue_t *, q,
- mblk_t *, mp_orig);
- (void) putq(q, mp_orig);
- return (EINPROGRESS);
- }
-
- if (arl->arl_name[0] != '\0') {
- DTRACE_PROBE1(setppa_already, arl_t *, arl);
- return (EALREADY);
- }
-
- do {
- q = q->q_next;
- } while (q->q_next != NULL);
- cp = q->q_qinfo->qi_minfo->mi_idname;
-
- ppa = *(int *)(mp->b_rptr);
- (void) snprintf(arl->arl_name, sizeof (arl->arl_name), "%s%d", cp, ppa);
-
- old_arl = ar_ll_lookup_by_name(as, arl->arl_name);
- if (old_arl != NULL) {
- DTRACE_PROBE2(setppa_exists, arl_t *, arl, arl_t *, old_arl);
- /* Make it a null string again */
- arl->arl_name[0] = '\0';
- return (EBUSY);
- }
-
- arl->arl_ppa = ppa;
- DTRACE_PROBE1(setppa_done, arl_t *, arl);
- /* Chain in the new arl. */
- rw_enter(&as->as_arl_lock, RW_WRITER);
- arl->arl_next = as->as_arl_head;
- as->as_arl_head = arl;
- rw_exit(&as->as_arl_lock);
-
- return (0);
-}
-
-static int
-ar_snmp_msg(queue_t *q, mblk_t *mp_orig)
-{
- mblk_t *mpdata, *mp = mp_orig;
- struct opthdr *optp;
- msg2_args_t args;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
-
- if (mp == NULL)
- return (0);
- /*
- * ar_cmd_dispatch() already checked for us that "mp->b_cont" is valid
- * in case of an M_IOCTL message.
- */
- if (DB_TYPE(mp) == M_IOCTL)
- mp = mp->b_cont;
-
- optp = (struct opthdr *)(&mp->b_rptr[sizeof (struct T_optmgmt_ack)]);
- if (optp->level == MIB2_IP && optp->name == MIB2_IP_MEDIA) {
- /*
- * Put our ARP cache entries in the ipNetToMediaTable mp from
- * IP. Due to a historical side effect of IP's MIB code, it
- * always passes us a b_cont, but the b_cont should be empty.
- */
- if ((mpdata = mp->b_cont) == NULL || MBLKL(mpdata) != 0)
- return (EINVAL);
-
- args.m2a_mpdata = mpdata;
- args.m2a_mptail = NULL;
- ar_ce_walk(as, ar_snmp_msg2, &args);
- optp->len = msgdsize(mpdata);
- }
- putnext(q, mp_orig);
- return (EINPROGRESS); /* so that rput() exits doing nothing... */
-}
-
-static void
-ar_snmp_msg2(ace_t *ace, void *arg)
-{
- const char *name = "unknown";
- mib2_ipNetToMediaEntry_t ntme;
- msg2_args_t *m2ap = arg;
-
- ASSERT(ace != NULL && ace->ace_arl != NULL);
- if (ace->ace_arl != NULL)
- name = ace->ace_arl->arl_name;
-
- /*
- * Fill in ntme using the information in the ACE.
- */
- ntme.ipNetToMediaType = (ace->ace_flags & ACE_F_PERMANENT) ? 4 : 3;
- ntme.ipNetToMediaIfIndex.o_length = MIN(OCTET_LENGTH, strlen(name));
- bcopy(name, ntme.ipNetToMediaIfIndex.o_bytes,
- ntme.ipNetToMediaIfIndex.o_length);
-
- bcopy(ace->ace_proto_addr, &ntme.ipNetToMediaNetAddress,
- MIN(sizeof (uint32_t), ace->ace_proto_addr_length));
-
- ntme.ipNetToMediaInfo.ntm_mask.o_length =
- MIN(OCTET_LENGTH, ace->ace_proto_addr_length);
- bcopy(ace->ace_proto_mask, ntme.ipNetToMediaInfo.ntm_mask.o_bytes,
- ntme.ipNetToMediaInfo.ntm_mask.o_length);
- ntme.ipNetToMediaInfo.ntm_flags = ace->ace_flags;
-
- ntme.ipNetToMediaPhysAddress.o_length =
- MIN(OCTET_LENGTH, ace->ace_hw_addr_length);
- if ((ace->ace_flags & ACE_F_RESOLVED) == 0)
- ntme.ipNetToMediaPhysAddress.o_length = 0;
- bcopy(ace->ace_hw_addr, ntme.ipNetToMediaPhysAddress.o_bytes,
- ntme.ipNetToMediaPhysAddress.o_length);
-
- /*
- * All entries within the ARP cache are unique, and there are no
- * preexisting entries in the ipNetToMediaTable mp, so just add 'em.
- */
- (void) snmp_append_data2(m2ap->m2a_mpdata, &m2ap->m2a_mptail,
- (char *)&ntme, sizeof (ntme));
-}
-
-/* Write side put procedure. */
-static void
-ar_wput(queue_t *q, mblk_t *mp)
-{
- int err;
- struct iocblk *ioc;
- mblk_t *mp1;
-
- TRACE_1(TR_FAC_ARP, TR_ARP_WPUT_START,
- "arp_wput_start: q %p", q);
-
- /*
- * Here we handle ARP commands coming from controlling processes
- * either in the form of M_IOCTL messages, or M_PROTO messages.
- */
- switch (DB_TYPE(mp)) {
- case M_IOCTL:
- switch (err = ar_cmd_dispatch(q, mp, B_TRUE)) {
- case ENOENT:
- /*
- * If it is an I_PLINK, process it. Otherwise
- * we don't recognize it, so pass it down.
- * Since ARP is a module there is always someone
- * below.
- */
- ASSERT(q->q_next != NULL);
- ioc = (struct iocblk *)mp->b_rptr;
- if ((ioc->ioc_cmd != I_PLINK) &&
- (ioc->ioc_cmd != I_PUNLINK)) {
- putnext(q, mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_WPUT_END,
- "arp_wput_end: q %p (%S)",
- q, "ioctl/enoent");
- return;
- }
- err = ar_plink_send(q, mp);
- if (err == 0) {
- return;
- }
- if ((mp1 = mp->b_cont) != 0)
- mp1->b_wptr = mp1->b_rptr;
- break;
- case EINPROGRESS:
- /*
- * If the request resulted in an attempt to resolve
- * an address, we return out here. The IOCTL will
- * be completed in ar_rput if something comes back,
- * or as a result of the timer expiring.
- */
- TRACE_2(TR_FAC_ARP, TR_ARP_WPUT_END,
- "arp_wput_end: q %p (%S)", q, "inprog");
- return;
- default:
- DB_TYPE(mp) = M_IOCACK;
- break;
- }
- ioc = (struct iocblk *)mp->b_rptr;
- if (err != 0)
- ioc->ioc_error = err;
- if (ioc->ioc_error != 0) {
- /*
- * Don't free b_cont as IP/IB needs
- * it to identify the request.
- */
- DB_TYPE(mp) = M_IOCNAK;
- }
- ioc->ioc_count = msgdsize(mp->b_cont);
- qreply(q, mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_WPUT_END,
- "arp_wput_end: q %p (%S)", q, "ioctl");
- return;
- case M_FLUSH:
- if (*mp->b_rptr & FLUSHW)
- flushq(q, FLUSHDATA);
- if (*mp->b_rptr & FLUSHR) {
- flushq(RD(q), FLUSHDATA);
- *mp->b_rptr &= ~FLUSHW;
- qreply(q, mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_WPUT_END,
- "arp_wput_end: q %p (%S)", q, "flush");
- return;
- }
- /*
- * The normal behavior of a STREAMS module should be
- * to pass down M_FLUSH messages. However there is a
- * complex sequence of events during plumb/unplumb that
- * can cause DLPI messages in the driver's queue to be
- * flushed. So we don't send down M_FLUSH. This has been
- * reported for some drivers (Eg. le) that send up an M_FLUSH
- * in response to unbind request which will eventually be
- * looped back at the mux head and sent down. Since IP
- * does not queue messages in a module instance queue
- * of IP, nothing is lost by not sending down the flush.
- */
- freemsg(mp);
- return;
- case M_PROTO:
- case M_PCPROTO:
- /*
- * Commands in the form of PROTO messages are handled very
- * much the same as IOCTLs, but no response is returned.
- */
- switch (err = ar_cmd_dispatch(q, mp, B_TRUE)) {
- case ENOENT:
- if (q->q_next) {
- putnext(q, mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_WPUT_END,
- "arp_wput_end: q %p (%S)", q,
- "proto/enoent");
- return;
- }
- break;
- case EINPROGRESS:
- TRACE_2(TR_FAC_ARP, TR_ARP_WPUT_END,
- "arp_wput_end: q %p (%S)", q, "proto/einprog");
- return;
- default:
- break;
- }
- break;
- case M_IOCDATA:
- /*
- * We pass M_IOCDATA downstream because it could be as a
- * result of a previous M_COPYIN/M_COPYOUT message sent
- * upstream.
- */
- /* FALLTHRU */
- case M_CTL:
- /*
- * We also send any M_CTL downstream as it could
- * contain control information for a module downstream.
- */
- putnext(q, mp);
- return;
- default:
- break;
- }
- /* Free any message we don't understand */
- freemsg(mp);
- TRACE_2(TR_FAC_ARP, TR_ARP_WPUT_END,
- "arp_wput_end: q %p (%S)", q, "end");
-}
-
-static boolean_t
-arp_say_ready(ace_t *ace)
-{
- mblk_t *mp;
- arl_t *arl = ace->ace_arl;
- arlphy_t *ap = ace->ace_xmit_arl->arl_phy;
- arh_t *arh;
- uchar_t *cp;
-
- mp = allocb(sizeof (*arh) + 2 * (ace->ace_hw_addr_length +
- ace->ace_proto_addr_length), BPRI_MED);
- if (mp == NULL) {
- /* skip a beat on allocation trouble */
- ace->ace_xmit_count = 1;
- ace_set_timer(ace, B_FALSE);
- return (B_FALSE);
- }
- /* Tell IP address is now usable */
- arh = (arh_t *)mp->b_rptr;
- U16_TO_BE16(ap->ap_arp_hw_type, arh->arh_hardware);
- U16_TO_BE16(ace->ace_proto, arh->arh_proto);
- arh->arh_hlen = ace->ace_hw_addr_length;
- arh->arh_plen = ace->ace_proto_addr_length;
- U16_TO_BE16(ARP_REQUEST, arh->arh_operation);
- cp = (uchar_t *)(arh + 1);
- bcopy(ace->ace_hw_addr, cp, ace->ace_hw_addr_length);
- cp += ace->ace_hw_addr_length;
- bcopy(ace->ace_proto_addr, cp, ace->ace_proto_addr_length);
- cp += ace->ace_proto_addr_length;
- bcopy(ace->ace_hw_addr, cp, ace->ace_hw_addr_length);
- cp += ace->ace_hw_addr_length;
- bcopy(ace->ace_proto_addr, cp, ace->ace_proto_addr_length);
- cp += ace->ace_proto_addr_length;
- mp->b_wptr = cp;
- ar_client_notify(arl, mp, AR_CN_READY);
- DTRACE_PROBE1(ready, ace_t *, ace);
- return (B_TRUE);
-}
-
-/*
- * Pick the longest-waiting aces for defense.
- */
-static void
-ace_reschedule(ace_t *ace, void *arg)
-{
- ace_resched_t *art = arg;
- ace_t **aces;
- ace_t **acemax;
- ace_t *atemp;
-
- if (ace->ace_xmit_arl != art->art_arl)
- return;
- /*
- * Only published entries that are ready for announcement are eligible.
- */
- if ((ace->ace_flags & (ACE_F_PUBLISH | ACE_F_UNVERIFIED | ACE_F_DYING |
- ACE_F_DELAYED)) != ACE_F_PUBLISH) {
- return;
- }
- if (art->art_naces < ACE_RESCHED_LIST_LEN) {
- art->art_aces[art->art_naces++] = ace;
- } else {
- aces = art->art_aces;
- acemax = aces + ACE_RESCHED_LIST_LEN;
- for (; aces < acemax; aces++) {
- if ((*aces)->ace_last_bcast > ace->ace_last_bcast) {
- atemp = *aces;
- *aces = ace;
- ace = atemp;
- }
- }
- }
-}
-
-/*
- * Reschedule the ARP defense of any long-waiting ACEs. It's assumed that this
- * doesn't happen very often (if at all), and thus it needn't be highly
- * optimized. (Note, though, that it's actually O(N) complexity, because the
- * outer loop is bounded by a constant rather than by the length of the list.)
- */
-static void
-arl_reschedule(arl_t *arl)
-{
- arlphy_t *ap = arl->arl_phy;
- ace_resched_t art;
- int i;
- ace_t *ace;
- arp_stack_t *as = ARL_TO_ARPSTACK(arl);
-
- i = ap->ap_defend_count;
- ap->ap_defend_count = 0;
- /* If none could be sitting around, then don't reschedule */
- if (i < as->as_defend_rate) {
- DTRACE_PROBE1(reschedule_none, arl_t *, arl);
- return;
- }
- art.art_arl = arl;
- while (ap->ap_defend_count < as->as_defend_rate) {
- art.art_naces = 0;
- ar_ce_walk(as, ace_reschedule, &art);
- for (i = 0; i < art.art_naces; i++) {
- ace = art.art_aces[i];
- ace->ace_flags |= ACE_F_DELAYED;
- ace_set_timer(ace, B_FALSE);
- if (++ap->ap_defend_count >= as->as_defend_rate)
- break;
- }
- if (art.art_naces < ACE_RESCHED_LIST_LEN)
- break;
- }
- DTRACE_PROBE1(reschedule, arl_t *, arl);
-}
-
-/*
- * Write side service routine. The only action here is delivery of transmit
- * timer events and delayed messages while waiting for the info_ack (ar_arl
- * not yet set).
- */
-static void
-ar_wsrv(queue_t *q)
-{
- ace_t *ace;
- arlphy_t *ap;
- mblk_t *mp;
- clock_t ms;
- arp_stack_t *as = ((ar_t *)q->q_ptr)->ar_as;
-
- TRACE_1(TR_FAC_ARP, TR_ARP_WSRV_START,
- "arp_wsrv_start: q %p", q);
-
- while ((mp = getq(q)) != NULL) {
- switch (DB_TYPE(mp)) {
- case M_PCSIG:
- if (!mi_timer_valid(mp))
- continue;
- ace = (ace_t *)mp->b_rptr;
- if (ace->ace_flags & ACE_F_DYING)
- continue;
- ap = ace->ace_xmit_arl->arl_phy;
- if (ace->ace_flags & ACE_F_UNVERIFIED) {
- ASSERT(ace->ace_flags & ACE_F_PUBLISH);
- ASSERT(ace->ace_query_mp == NULL);
- /*
- * If the link is down, give up for now. IP
- * will give us the go-ahead to try again when
- * the link restarts.
- */
- if (ap->ap_link_down) {
- DTRACE_PROBE1(timer_link_down,
- ace_t *, ace);
- ace->ace_flags |= ACE_F_DAD_ABORTED;
- continue;
- }
- if (ace->ace_xmit_count > 0) {
- DTRACE_PROBE1(timer_probe,
- ace_t *, ace);
- ace->ace_xmit_count--;
- ar_xmit(ace->ace_xmit_arl, ARP_REQUEST,
- ace->ace_proto,
- ace->ace_proto_addr_length,
- ace->ace_hw_addr, NULL, NULL,
- ace->ace_proto_addr, NULL, as);
- ace_set_timer(ace, B_FALSE);
- continue;
- }
- if (!arp_say_ready(ace))
- continue;
- DTRACE_PROBE1(timer_ready, ace_t *, ace);
- ace->ace_xmit_interval =
- as->as_publish_interval;
- ace->ace_xmit_count = as->as_publish_count;
- if (ace->ace_xmit_count == 0)
- ace->ace_xmit_count++;
- ace->ace_flags &= ~ACE_F_UNVERIFIED;
- }
- if (ace->ace_flags & ACE_F_PUBLISH) {
- clock_t now;
-
- /*
- * If an hour has passed, then free up the
- * entries that need defense by rescheduling
- * them.
- */
- now = ddi_get_lbolt();
- if (as->as_defend_rate > 0 &&
- now - ap->ap_defend_start >
- SEC_TO_TICK(as->as_defend_period)) {
- ap->ap_defend_start = now;
- arl_reschedule(ace->ace_xmit_arl);
- }
- /*
- * Finish the job that we started in
- * ar_entry_add. When we get to zero
- * announcement retransmits left, switch to
- * address defense.
- */
- ASSERT(ace->ace_query_mp == NULL);
- if (ace->ace_xmit_count > 0) {
- ace->ace_xmit_count--;
- DTRACE_PROBE1(timer_announce,
- ace_t *, ace);
- } else if (ace->ace_flags & ACE_F_DELAYED) {
- /*
- * This guy was rescheduled as one of
- * the really old entries needing
- * on-going defense. Let him through
- * now.
- */
- DTRACE_PROBE1(timer_send_delayed,
- ace_t *, ace);
- ace->ace_flags &= ~ACE_F_DELAYED;
- } else if (as->as_defend_rate > 0 &&
- (ap->ap_defend_count >=
- as->as_defend_rate ||
- ++ap->ap_defend_count >=
- as->as_defend_rate)) {
- /*
- * If we're no longer allowed to send
- * unbidden defense messages, then just
- * wait for rescheduling.
- */
- DTRACE_PROBE1(timer_excess_defense,
- ace_t *, ace);
- ace_set_timer(ace, B_FALSE);
- continue;
- } else {
- DTRACE_PROBE1(timer_defend,
- ace_t *, ace);
- }
- ar_xmit(ace->ace_xmit_arl, ARP_REQUEST,
- ace->ace_proto,
- ace->ace_proto_addr_length,
- ace->ace_hw_addr,
- ace->ace_proto_addr,
- ace->ace_xmit_arl->arl_phy->ap_arp_addr,
- ace->ace_proto_addr, NULL, as);
- ace->ace_last_bcast = now;
- if (ace->ace_xmit_count == 0)
- ace->ace_xmit_interval =
- as->as_defend_interval;
- if (ace->ace_xmit_interval != 0)
- ace_set_timer(ace, B_FALSE);
- continue;
- }
-
- /*
- * If this is a non-permanent (regular) resolved ARP
- * entry, then it's now time to check if it can be
- * retired. As an optimization, we check with IP
- * first, and just restart the timer if the address is
- * still in use.
- */
- if (ACE_NONPERM(ace)) {
- if (ace->ace_proto == IP_ARP_PROTO_TYPE &&
- ndp_lookup_ipaddr(*(ipaddr_t *)
- ace->ace_proto_addr, as->as_netstack)) {
- ace->ace_flags |= ACE_F_OLD;
- mi_timer(ace->ace_arl->arl_wq,
- ace->ace_mp,
- as->as_cleanup_interval);
- } else {
- ar_delete_notify(ace);
- ar_ce_delete(ace);
- }
- continue;
- }
-
- /*
- * ar_query_xmit returns the number of milliseconds to
- * wait following this transmit. If the number of
- * allowed transmissions has been exhausted, it will
- * return zero without transmitting. If that happens
- * we complete the operation with a failure indication.
- * Otherwise, we restart the timer.
- */
- ms = ar_query_xmit(as, ace);
- if (ms == 0)
- ar_query_reply(ace, ENXIO, NULL, (uint32_t)0);
- else
- mi_timer(q, mp, ms);
- continue;
- default:
- put(q, mp);
- continue;
- }
- }
- TRACE_1(TR_FAC_ARP, TR_ARP_WSRV_END,
- "arp_wsrv_end: q %p", q);
-}
-
-/* ar_xmit is called to transmit an ARP Request or Response. */
-static void
-ar_xmit(arl_t *arl, uint32_t operation, uint32_t proto, uint32_t plen,
- const uchar_t *haddr1, const uchar_t *paddr1, const uchar_t *haddr2,
- const uchar_t *paddr2, const uchar_t *dstaddr, arp_stack_t *as)
-{
- arh_t *arh;
- uint8_t *cp;
- uint_t hlen;
- mblk_t *mp;
- arlphy_t *ap = arl->arl_phy;
-
- ASSERT(!(arl->arl_flags & ARL_F_IPMP));
-
- if (ap == NULL) {
- DTRACE_PROBE1(xmit_no_arl_phy, arl_t *, arl);
- return;
- }
-
- /* IFF_NOARP flag is set or link down: do not send arp messages */
- if ((arl->arl_flags & ARL_F_NOARP) || ap->ap_link_down)
- return;
-
- hlen = ap->ap_hw_addrlen;
- if ((mp = copyb(ap->ap_xmit_mp)) == NULL)
- return;
-
- mp->b_cont = allocb(AR_LL_HDR_SLACK + ARH_FIXED_LEN + (hlen * 4) +
- plen + plen, BPRI_MED);
- if (mp->b_cont == NULL) {
- freeb(mp);
- return;
- }
-
- /* Get the L2 destination address for the message */
- if (haddr2 == NULL)
- dstaddr = ap->ap_arp_addr;
- else if (dstaddr == NULL)
- dstaddr = haddr2;
-
- /*
- * Figure out where the target hardware address goes in the
- * DL_UNITDATA_REQ header, and copy it in.
- */
- cp = mi_offset_param(mp, ap->ap_xmit_addroff, hlen);
- ASSERT(cp != NULL);
- if (cp == NULL) {
- freemsg(mp);
- return;
- }
- bcopy(dstaddr, cp, hlen);
-
- /* Fill in the ARP header. */
- cp = mp->b_cont->b_rptr + (AR_LL_HDR_SLACK + hlen + hlen);
- mp->b_cont->b_rptr = cp;
- arh = (arh_t *)cp;
- U16_TO_BE16(ap->ap_arp_hw_type, arh->arh_hardware);
- U16_TO_BE16(proto, arh->arh_proto);
- arh->arh_hlen = (uint8_t)hlen;
- arh->arh_plen = (uint8_t)plen;
- U16_TO_BE16(operation, arh->arh_operation);
- cp += ARH_FIXED_LEN;
- bcopy(haddr1, cp, hlen);
- cp += hlen;
- if (paddr1 == NULL)
- bzero(cp, plen);
- else
- bcopy(paddr1, cp, plen);
- cp += plen;
- if (haddr2 == NULL)
- bzero(cp, hlen);
- else
- bcopy(haddr2, cp, hlen);
- cp += hlen;
- bcopy(paddr2, cp, plen);
- cp += plen;
- mp->b_cont->b_wptr = cp;
-
- DTRACE_PROBE3(arp__physical__out__start,
- arl_t *, arl, arh_t *, arh, mblk_t *, mp);
-
- ARP_HOOK_OUT(as->as_arp_physical_out_event, as->as_arp_physical_out,
- arl->arl_index, arh, mp, mp->b_cont, as);
-
- DTRACE_PROBE1(arp__physical__out__end, mblk_t *, mp);
-
- if (mp == NULL)
- return;
-
- /* Ship it out. */
- if (canputnext(arl->arl_wq))
- putnext(arl->arl_wq, mp);
- else
- freemsg(mp);
-}
-
-static mblk_t *
-ar_alloc(uint32_t cmd, int err)
-{
- uint32_t len;
- mblk_t *mp;
- mblk_t *mp1;
- char *cp;
- arc_t *arc;
-
- /* For now only one type of command is accepted */
- if (cmd != AR_DLPIOP_DONE)
- return (NULL);
- len = sizeof (arc_t);
- mp = allocb(len, BPRI_HI);
- if (!mp)
- return (NULL);
-
- DB_TYPE(mp) = M_CTL;
- cp = (char *)mp->b_rptr;
- arc = (arc_t *)(mp->b_rptr);
- arc->arc_cmd = cmd;
- mp->b_wptr = (uchar_t *)&cp[len];
- len = sizeof (int);
- mp1 = allocb(len, BPRI_HI);
- if (!mp1) {
- freeb(mp);
- return (NULL);
- }
- cp = (char *)mp->b_rptr;
- /* Initialize the error code */
- *((int *)mp1->b_rptr) = err;
- mp1->b_wptr = (uchar_t *)&cp[len];
- linkb(mp, mp1);
- return (mp);
-}
-
-void
-arp_ddi_init(void)
-{
- /*
- * We want to be informed each time a stack is created or
- * destroyed in the kernel, so we can maintain the
- * set of arp_stack_t's.
- */
- netstack_register(NS_ARP, arp_stack_init, arp_stack_shutdown,
- arp_stack_fini);
-}
-
-void
-arp_ddi_destroy(void)
-{
- netstack_unregister(NS_ARP);
-}
-
-/*
- * Initialize the ARP stack instance.
- */
-/* ARGSUSED */
-static void *
-arp_stack_init(netstackid_t stackid, netstack_t *ns)
-{
- arp_stack_t *as;
- arpparam_t *pa;
-
- as = (arp_stack_t *)kmem_zalloc(sizeof (*as), KM_SLEEP);
- as->as_netstack = ns;
-
- pa = (arpparam_t *)kmem_alloc(sizeof (arp_param_arr), KM_SLEEP);
- as->as_param_arr = pa;
- bcopy(arp_param_arr, as->as_param_arr, sizeof (arp_param_arr));
-
- (void) ar_param_register(&as->as_nd,
- as->as_param_arr, A_CNT(arp_param_arr));
-
- as->as_arp_index_counter = 1;
- as->as_arp_counter_wrapped = 0;
-
- rw_init(&as->as_arl_lock, NULL, RW_DRIVER, NULL);
- arp_net_init(as, stackid);
- arp_hook_init(as);
-
- return (as);
-}
-
-/* ARGSUSED */
-static void
-arp_stack_shutdown(netstackid_t stackid, void *arg)
-{
- arp_stack_t *as = (arp_stack_t *)arg;
-
- arp_net_shutdown(as);
-}
-
-/*
- * Free the ARP stack instance.
- */
-/* ARGSUSED */
-static void
-arp_stack_fini(netstackid_t stackid, void *arg)
-{
- arp_stack_t *as = (arp_stack_t *)arg;
-
- arp_hook_destroy(as);
- arp_net_destroy(as);
- rw_destroy(&as->as_arl_lock);
- nd_free(&as->as_nd);
- kmem_free(as->as_param_arr, sizeof (arp_param_arr));
- as->as_param_arr = NULL;
- kmem_free(as, sizeof (*as));
-}
diff --git a/usr/src/uts/common/inet/arp/arp_netinfo.c b/usr/src/uts/common/inet/arp/arp_netinfo.c
deleted file mode 100644
index 9d9c6a5bbe..0000000000
--- a/usr/src/uts/common/inet/arp/arp_netinfo.c
+++ /dev/null
@@ -1,376 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
- */
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/systm.h>
-#include <sys/cmn_err.h>
-#include <sys/stream.h>
-#include <sys/sunddi.h>
-#include <sys/hook.h>
-#include <sys/hook_impl.h>
-#include <sys/netstack.h>
-#include <net/if.h>
-
-#include <sys/neti.h>
-#include <sys/hook_event.h>
-#include <inet/arp_impl.h>
-
-/*
- * ARP netinfo entry point declarations.
- */
-static int arp_getifname(net_handle_t, phy_if_t, char *, const size_t);
-static int arp_getmtu(net_handle_t, phy_if_t, lif_if_t);
-static int arp_getpmtuenabled(net_handle_t);
-static int arp_getlifaddr(net_handle_t, phy_if_t, lif_if_t, size_t,
- net_ifaddr_t [], void *);
-static int arp_getlifzone(net_handle_t, phy_if_t, lif_if_t, zoneid_t *);
-static int arp_getlifflags(net_handle_t, phy_if_t, lif_if_t, uint64_t *);
-static phy_if_t arp_phygetnext(net_handle_t, phy_if_t);
-static phy_if_t arp_phylookup(net_handle_t, const char *);
-static lif_if_t arp_lifgetnext(net_handle_t, phy_if_t, lif_if_t);
-static int arp_inject(net_handle_t, inject_t, net_inject_t *);
-static phy_if_t arp_routeto(net_handle_t, struct sockaddr *, struct sockaddr *);
-static int arp_ispartialchecksum(net_handle_t, mblk_t *);
-static int arp_isvalidchecksum(net_handle_t, mblk_t *);
-
-static net_protocol_t arp_netinfo = {
- NETINFO_VERSION,
- NHF_ARP,
- arp_getifname,
- arp_getmtu,
- arp_getpmtuenabled,
- arp_getlifaddr,
- arp_getlifzone,
- arp_getlifflags,
- arp_phygetnext,
- arp_phylookup,
- arp_lifgetnext,
- arp_inject,
- arp_routeto,
- arp_ispartialchecksum,
- arp_isvalidchecksum
-};
-
-/*
- * Register ARP netinfo functions.
- */
-void
-arp_net_init(arp_stack_t *as, netstackid_t stackid)
-{
- netid_t id;
-
- id = net_getnetidbynetstackid(stackid);
- ASSERT(id != -1);
-
- as->as_net_data = net_protocol_register(id, &arp_netinfo);
- ASSERT(as->as_net_data != NULL);
-}
-
-void
-arp_net_shutdown(arp_stack_t *as)
-{
- if (as->as_arpnicevents != NULL) {
- (void) net_event_shutdown(as->as_net_data,
- &as->as_arp_nic_events);
- }
-
- if (as->as_arp_physical_out != NULL) {
- (void) net_event_shutdown(as->as_net_data,
- &as->as_arp_physical_out_event);
- }
-
- if (as->as_arp_physical_in != NULL) {
- (void) net_event_shutdown(as->as_net_data,
- &as->as_arp_physical_in_event);
- }
-
- (void) net_family_shutdown(as->as_net_data, &as->as_arproot);
-}
-
-/*
- * Unregister ARP netinfo functions.
- */
-void
-arp_net_destroy(arp_stack_t *as)
-{
- if (net_protocol_unregister(as->as_net_data) == 0)
- as->as_net_data = NULL;
-}
-
-/*
- * Initialize ARP hook family and events
- */
-void
-arp_hook_init(arp_stack_t *as)
-{
- HOOK_FAMILY_INIT(&as->as_arproot, Hn_ARP);
- if (net_family_register(as->as_net_data, &as->as_arproot) != 0) {
- cmn_err(CE_NOTE, "arp_hook_init: "
- "net_family_register failed for arp");
- }
-
- HOOK_EVENT_INIT(&as->as_arp_physical_in_event, NH_PHYSICAL_IN);
- as->as_arp_physical_in = net_event_register(as->as_net_data,
- &as->as_arp_physical_in_event);
- if (as->as_arp_physical_in == NULL) {
- cmn_err(CE_NOTE, "arp_hook_init: "
- "net_event_register failed for arp/physical_in");
- }
-
- HOOK_EVENT_INIT(&as->as_arp_physical_out_event, NH_PHYSICAL_OUT);
- as->as_arp_physical_out = net_event_register(as->as_net_data,
- &as->as_arp_physical_out_event);
- if (as->as_arp_physical_out == NULL) {
- cmn_err(CE_NOTE, "arp_hook_init: "
- "net_event_register failed for arp/physical_out");
- }
-
- HOOK_EVENT_INIT(&as->as_arp_nic_events, NH_NIC_EVENTS);
- as->as_arpnicevents = net_event_register(as->as_net_data,
- &as->as_arp_nic_events);
- if (as->as_arpnicevents == NULL) {
- cmn_err(CE_NOTE, "arp_hook_init: "
- "net_event_register failed for arp/nic_events");
- }
-}
-
-void
-arp_hook_destroy(arp_stack_t *as)
-{
- if (as->as_arpnicevents != NULL) {
- if (net_event_unregister(as->as_net_data,
- &as->as_arp_nic_events) == 0)
- as->as_arpnicevents = NULL;
- }
-
- if (as->as_arp_physical_out != NULL) {
- if (net_event_unregister(as->as_net_data,
- &as->as_arp_physical_out_event) == 0)
- as->as_arp_physical_out = NULL;
- }
-
- if (as->as_arp_physical_in != NULL) {
- if (net_event_unregister(as->as_net_data,
- &as->as_arp_physical_in_event) == 0)
- as->as_arp_physical_in = NULL;
- }
-
- (void) net_family_unregister(as->as_net_data, &as->as_arproot);
-}
-
-/*
- * Determine the name of the lower level interface
- */
-static int
-arp_getifname(net_handle_t net, phy_if_t phy_ifdata, char *buffer,
- const size_t buflen)
-{
- arl_t *arl;
- arp_stack_t *as;
- netstack_t *ns = net->netd_stack->nts_netstack;
-
- ASSERT(buffer != NULL);
- ASSERT(ns != NULL);
-
- as = ns->netstack_arp;
- rw_enter(&as->as_arl_lock, RW_READER);
- for (arl = as->as_arl_head; arl != NULL; arl = arl->arl_next) {
- if (arl->arl_index == phy_ifdata) {
- (void) strlcpy(buffer, arl->arl_name, buflen);
- rw_exit(&as->as_arl_lock);
- return (0);
- }
- }
- rw_exit(&as->as_arl_lock);
-
- return (1);
-}
-
-/*
- * Unsupported with ARP.
- */
-/*ARGSUSED*/
-static int
-arp_getmtu(net_handle_t net, phy_if_t phy_ifdata, lif_if_t ifdata)
-{
- return (-1);
-}
-
-/*
- * Unsupported with ARP.
- */
-/*ARGSUSED*/
-static int
-arp_getpmtuenabled(net_handle_t net)
-{
- return (-1);
-}
-
-/*
- * Unsupported with ARP.
- */
-/*ARGSUSED*/
-static int
-arp_getlifaddr(net_handle_t net, phy_if_t phy_ifdata, lif_if_t ifdata,
- size_t nelem, net_ifaddr_t type[], void *storage)
-{
- return (-1);
-}
-
-/*
- * Determine the instance number of the next lower level interface
- */
-static phy_if_t
-arp_phygetnext(net_handle_t net, phy_if_t phy_ifdata)
-{
- arl_t *arl;
- int index;
- arp_stack_t *as;
- netstack_t *ns = net->netd_stack->nts_netstack;
-
- ASSERT(ns != NULL);
-
- as = ns->netstack_arp;
- rw_enter(&as->as_arl_lock, RW_READER);
- if (phy_ifdata == 0) {
- arl = as->as_arl_head;
- } else {
- for (arl = as->as_arl_head; arl != NULL;
- arl = arl->arl_next) {
- if (arl->arl_index == phy_ifdata) {
- arl = arl->arl_next;
- break;
- }
- }
- }
-
- index = (arl != NULL) ? arl->arl_index : 0;
-
- rw_exit(&as->as_arl_lock);
-
- return (index);
-}
-
-/*
- * Given a network interface name, find its ARP layer instance number.
- */
-static phy_if_t
-arp_phylookup(net_handle_t net, const char *name)
-{
- arl_t *arl;
- int index;
- arp_stack_t *as;
- netstack_t *ns = net->netd_stack->nts_netstack;
-
- ASSERT(name != NULL);
- ASSERT(ns != NULL);
-
- index = 0;
- as = ns->netstack_arp;
- rw_enter(&as->as_arl_lock, RW_READER);
- for (arl = as->as_arl_head; arl != NULL; arl = arl->arl_next) {
- if (strcmp(name, arl->arl_name) == 0) {
- index = arl->arl_index;
- break;
- }
- }
- rw_exit(&as->as_arl_lock);
-
- return (index);
-
-}
-
-/*
- * Unsupported with ARP.
- */
-/*ARGSUSED*/
-static lif_if_t
-arp_lifgetnext(net_handle_t net, phy_if_t ifp, lif_if_t lif)
-{
- return ((lif_if_t)-1);
-}
-
-/*
- * Unsupported with ARP.
- */
-/*ARGSUSED*/
-static int
-arp_inject(net_handle_t net, inject_t injection, net_inject_t *neti)
-{
- return (-1);
-}
-
-/*
- * Unsupported with ARP.
- */
-/*ARGSUSED*/
-static phy_if_t
-arp_routeto(net_handle_t net, struct sockaddr *addr, struct sockaddr *next)
-{
- return ((phy_if_t)-1);
-}
-
-/*
- * Unsupported with ARP.
- */
-/*ARGSUSED*/
-int
-arp_ispartialchecksum(net_handle_t net, mblk_t *mb)
-{
- return (-1);
-}
-
-/*
- * Unsupported with ARP.
- */
-/*ARGSUSED*/
-static int
-arp_isvalidchecksum(net_handle_t net, mblk_t *mb)
-{
- return (-1);
-}
-
-/*
- * Unsupported with ARP.
- */
-/*ARGSUSED*/
-static int
-arp_getlifzone(net_handle_t net, phy_if_t phy_ifdata, lif_if_t ifdata,
- zoneid_t *zoneid)
-{
- return (-1);
-}
-
-/*
- * Unsupported with ARP.
- */
-/*ARGSUSED*/
-static int
-arp_getlifflags(net_handle_t net, phy_if_t phy_ifdata, lif_if_t ifdata,
- uint64_t *flags)
-{
- return (-1);
-}
diff --git a/usr/src/uts/common/inet/arp/arpddi.c b/usr/src/uts/common/inet/arp/arpddi.c
index 2cc56b77fd..de8333295b 100644
--- a/usr/src/uts/common/inet/arp/arpddi.c
+++ b/usr/src/uts/common/inet/arp/arpddi.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/* Copyright (c) 1990 Mentat Inc. */
@@ -27,10 +27,8 @@
#include <sys/types.h>
#include <sys/conf.h>
#include <sys/modctl.h>
-#include <sys/ksynch.h>
#include <inet/common.h>
#include <inet/ip.h>
-#include <inet/arp_impl.h>
#define INET_NAME "arp"
#define INET_MODDESC "ARP STREAMS module"
@@ -39,28 +37,16 @@
#define INET_DEVSTRTAB ipinfov4
#define INET_MODSTRTAB arpinfo
#define INET_DEVMTFLAGS IP_DEVMTFLAGS /* since as a driver we're ip */
-#define INET_MODMTFLAGS (D_MP | D_MTPERMOD)
+#define INET_MODMTFLAGS D_MP
#include "../inetddi.c"
-extern void arp_ddi_init(void);
-extern void arp_ddi_destroy(void);
-
int
_init(void)
{
int error;
- /*
- * Note: After mod_install succeeds, another thread can enter
- * therefore all initialization is done before it and any
- * de-initialization needed done if it fails.
- */
- arp_ddi_init();
error = mod_install(&modlinkage);
- if (error != 0)
- arp_ddi_destroy();
-
return (error);
}
@@ -70,8 +56,6 @@ _fini(void)
int error;
error = mod_remove(&modlinkage);
- if (error == 0)
- arp_ddi_destroy();
return (error);
}
diff --git a/usr/src/uts/common/inet/arp_impl.h b/usr/src/uts/common/inet/arp_impl.h
deleted file mode 100644
index 38d0d1ab65..0000000000
--- a/usr/src/uts/common/inet/arp_impl.h
+++ /dev/null
@@ -1,253 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
- */
-
-#ifndef _ARP_IMPL_H
-#define _ARP_IMPL_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#ifdef _KERNEL
-
-#include <sys/types.h>
-#include <sys/stream.h>
-#include <net/if.h>
-#include <sys/netstack.h>
-
-/* ARP kernel hash size; used for mdb support */
-#define ARP_HASH_SIZE 256
-
-/* Named Dispatch Parameter Management Structure */
-typedef struct arpparam_s {
- uint32_t arp_param_min;
- uint32_t arp_param_max;
- uint32_t arp_param_value;
- char *arp_param_name;
-} arpparam_t;
-
-/* ARL Structure, one per link level device */
-typedef struct arl_s {
- struct arl_s *arl_next; /* ARL chain at arl_g_head */
- queue_t *arl_rq; /* Read queue pointer */
- queue_t *arl_wq; /* Write queue pointer */
- t_uscalar_t arl_ppa; /* DL_ATTACH parameter */
- char arl_name[LIFNAMSIZ]; /* Lower level name */
- mblk_t *arl_unbind_mp;
- mblk_t *arl_detach_mp;
- t_uscalar_t arl_provider_style; /* From DL_INFO_ACK */
- mblk_t *arl_queue; /* Queued commands head */
- mblk_t *arl_queue_tail; /* Queued commands tail */
- uint32_t arl_flags; /* ARL_F_* values below */
- t_uscalar_t arl_dlpi_pending; /* pending DLPI request */
- mblk_t *arl_dlpi_deferred; /* Deferred DLPI messages */
- uint_t arl_state; /* lower interface state */
- uint_t arl_closing : 1, /* stream is closing */
- arl_replumbing : 1; /* Wait for IP to bring down */
- uint32_t arl_index; /* instance number */
- struct arlphy_s *arl_phy; /* physical info, if any */
- struct arl_s *arl_ipmp_arl; /* pointer to group arl_t */
-} arl_t;
-
-/*
- * There is no field to get from an arl_t to an arp_stack_t, but this
- * macro does it.
- */
-#define ARL_TO_ARPSTACK(_arl) (((ar_t *)(_arl)->arl_rq->q_ptr)->ar_as)
-
-/* ARL physical info structure, one per physical link level device */
-typedef struct arlphy_s {
- uint32_t ap_arp_hw_type; /* hardware type */
- uchar_t *ap_arp_addr; /* multicast address to use */
- uchar_t *ap_hw_addr; /* hardware address */
- uint32_t ap_hw_addrlen; /* hardware address length */
- mblk_t *ap_xmit_mp; /* DL_UNITDATA_REQ template */
- t_uscalar_t ap_xmit_addroff; /* address offset in xmit_mp */
- t_uscalar_t ap_xmit_sapoff; /* sap offset in xmit_mp */
- t_scalar_t ap_saplen; /* sap length */
- clock_t ap_defend_start; /* start of 1-hour period */
- uint_t ap_defend_count; /* # of unbidden broadcasts */
- uint_t ap_notifies : 1, /* handles DL_NOTE_LINK */
- ap_link_down : 1; /* DL_NOTE status */
-} arlphy_t;
-
-/* ARP Cache Entry */
-typedef struct ace_s {
- struct ace_s *ace_next; /* Hash chain next pointer */
- struct ace_s **ace_ptpn; /* Pointer to previous next */
- struct arl_s *ace_arl; /* Associated arl */
- uint32_t ace_proto; /* Protocol for this ace */
- uint32_t ace_flags;
- uchar_t *ace_proto_addr;
- uint32_t ace_proto_addr_length;
- uchar_t *ace_proto_mask; /* Mask for matching addr */
- uchar_t *ace_proto_extract_mask; /* For mappings */
- uchar_t *ace_hw_addr;
- uint32_t ace_hw_addr_length;
- uint32_t ace_hw_extract_start; /* For mappings */
- mblk_t *ace_mp; /* mblk we are in */
- mblk_t *ace_query_mp; /* outstanding query chain */
- clock_t ace_last_bcast; /* last broadcast Response */
- clock_t ace_xmit_interval;
- int ace_xmit_count;
- arl_t *ace_xmit_arl; /* xmit on this arl */
-} ace_t;
-
-#define ARPHOOK_INTERESTED_PHYSICAL_IN(as) \
- (as->as_arp_physical_in_event.he_interested)
-#define ARPHOOK_INTERESTED_PHYSICAL_OUT(as) \
- (as->as_arp_physical_out_event.he_interested)
-
-#define ARP_HOOK_IN(_hook, _event, _ilp, _hdr, _fm, _m, as) \
- \
- if ((_hook).he_interested) { \
- hook_pkt_event_t info; \
- \
- info.hpe_protocol = as->as_net_data; \
- info.hpe_ifp = _ilp; \
- info.hpe_ofp = 0; \
- info.hpe_hdr = _hdr; \
- info.hpe_mp = &(_fm); \
- info.hpe_mb = _m; \
- if (hook_run(as->as_net_data->netd_hooks, \
- _event, (hook_data_t)&info) != 0) { \
- if (_fm != NULL) { \
- freemsg(_fm); \
- _fm = NULL; \
- } \
- _hdr = NULL; \
- _m = NULL; \
- } else { \
- _hdr = info.hpe_hdr; \
- _m = info.hpe_mb; \
- } \
- }
-
-#define ARP_HOOK_OUT(_hook, _event, _olp, _hdr, _fm, _m, as) \
- \
- if ((_hook).he_interested) { \
- hook_pkt_event_t info; \
- \
- info.hpe_protocol = as->as_net_data; \
- info.hpe_ifp = 0; \
- info.hpe_ofp = _olp; \
- info.hpe_hdr = _hdr; \
- info.hpe_mp = &(_fm); \
- info.hpe_mb = _m; \
- if (hook_run(as->as_net_data->netd_hooks, \
- _event, (hook_data_t)&info) != 0) { \
- if (_fm != NULL) { \
- freemsg(_fm); \
- _fm = NULL; \
- } \
- _hdr = NULL; \
- _m = NULL; \
- } else { \
- _hdr = info.hpe_hdr; \
- _m = info.hpe_mb; \
- } \
- }
-
-#define ACE_EXTERNAL_FLAGS_MASK \
- (ACE_F_PERMANENT | ACE_F_PUBLISH | ACE_F_MAPPING | ACE_F_MYADDR | \
- ACE_F_AUTHORITY)
-
-/*
- * ARP stack instances
- */
-struct arp_stack {
- netstack_t *as_netstack; /* Common netstack */
- void *as_head; /* AR Instance Data List Head */
- caddr_t as_nd; /* AR Named Dispatch Head */
- struct arl_s *as_arl_head; /* ARL List Head */
- arpparam_t *as_param_arr; /* ndd variable table */
-
- /* ARP Cache Entry Hash Table */
- ace_t *as_ce_hash_tbl[ARP_HASH_SIZE];
- ace_t *as_ce_mask_entries;
-
- /*
- * With the introduction of netinfo (neti kernel module),
- * it is now possible to access data structures in the ARP module
- * without the code being executed in the context of the IP module,
- * thus there is no locking being enforced through the use of STREAMS.
- * as_arl_lock is used to protect as_arl_head list.
- */
- krwlock_t as_arl_lock;
-
- uint32_t as_arp_index_counter;
- uint32_t as_arp_counter_wrapped;
-
- /* arp_neti.c */
- hook_family_t as_arproot;
-
- /*
- * Hooks for ARP
- */
- hook_event_t as_arp_physical_in_event;
- hook_event_t as_arp_physical_out_event;
- hook_event_t as_arp_nic_events;
-
- hook_event_token_t as_arp_physical_in;
- hook_event_token_t as_arp_physical_out;
- hook_event_token_t as_arpnicevents;
-
- net_handle_t as_net_data;
-};
-typedef struct arp_stack arp_stack_t;
-
-#define ARL_F_NOARP 0x01
-#define ARL_F_IPMP 0x02
-
-#define ARL_S_DOWN 0x00
-#define ARL_S_PENDING 0x01
-#define ARL_S_UP 0x02
-
-/* AR Structure, one per upper stream */
-typedef struct ar_s {
- queue_t *ar_rq; /* Read queue pointer */
- queue_t *ar_wq; /* Write queue pointer */
- arl_t *ar_arl; /* Associated arl */
- cred_t *ar_credp; /* Credentials associated w/ open */
- struct ar_s *ar_arl_ip_assoc; /* ARL - IP association */
- uint32_t
- ar_ip_acked_close : 1, /* IP has acked the close */
- ar_on_ill_stream : 1; /* Module below is IP */
- arp_stack_t *ar_as;
-} ar_t;
-
-extern void arp_hook_init(arp_stack_t *);
-extern void arp_hook_destroy(arp_stack_t *);
-extern void arp_net_init(arp_stack_t *, netstackid_t);
-extern void arp_net_shutdown(arp_stack_t *);
-extern void arp_net_destroy(arp_stack_t *);
-
-#endif /* _KERNEL */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _ARP_IMPL_H */
diff --git a/usr/src/uts/common/inet/ip.h b/usr/src/uts/common/inet/ip.h
index 5a7e05b210..88a14068bb 100644
--- a/usr/src/uts/common/inet/ip.h
+++ b/usr/src/uts/common/inet/ip.h
@@ -55,8 +55,6 @@ extern "C" {
#include <sys/squeue.h>
#include <net/route.h>
#include <sys/systm.h>
-#include <sys/multidata.h>
-#include <sys/list.h>
#include <net/radix.h>
#include <sys/modhash.h>
@@ -94,6 +92,7 @@ typedef uint32_t ipaddr_t;
/* Number of bits in an address */
#define IP_ABITS 32
+#define IPV4_ABITS IP_ABITS
#define IPV6_ABITS 128
#define IP_HOST_MASK (ipaddr_t)0xffffffffU
@@ -101,14 +100,6 @@ typedef uint32_t ipaddr_t;
#define IP_CSUM(mp, off, sum) (~ip_cksum(mp, off, sum) & 0xFFFF)
#define IP_CSUM_PARTIAL(mp, off, sum) ip_cksum(mp, off, sum)
#define IP_BCSUM_PARTIAL(bp, len, sum) bcksum(bp, len, sum)
-#define IP_MD_CSUM(pd, off, sum) (~ip_md_cksum(pd, off, sum) & 0xffff)
-#define IP_MD_CSUM_PARTIAL(pd, off, sum) ip_md_cksum(pd, off, sum)
-
-/*
- * Flag to IP write side to indicate that the appln has sent in a pre-built
- * IP header. Stored in ipha_ident (which is otherwise zero).
- */
-#define IP_HDR_INCLUDED 0xFFFF
#define ILL_FRAG_HASH_TBL_COUNT ((unsigned int)64)
#define ILL_FRAG_HASH_TBL_SIZE (ILL_FRAG_HASH_TBL_COUNT * sizeof (ipfb_t))
@@ -137,17 +128,12 @@ typedef uint32_t ipaddr_t;
#define UDPH_SIZE 8
-/* Leave room for ip_newroute to tack on the src and target addresses */
-#define OK_RESOLVER_MP(mp) \
- ((mp) && ((mp)->b_wptr - (mp)->b_rptr) >= (2 * IP_ADDR_LEN))
-
/*
* Constants and type definitions to support IP IOCTL commands
*/
#define IP_IOCTL (('i'<<8)|'p')
#define IP_IOC_IRE_DELETE 4
#define IP_IOC_IRE_DELETE_NO_REPLY 5
-#define IP_IOC_IRE_ADVISE_NO_REPLY 6
#define IP_IOC_RTS_REQUEST 7
/* Common definitions used by IP IOCTL data structures */
@@ -157,31 +143,6 @@ typedef struct ipllcmd_s {
uint_t ipllc_name_length;
} ipllc_t;
-/* IP IRE Change Command Structure. */
-typedef struct ipic_s {
- ipllc_t ipic_ipllc;
- uint_t ipic_ire_type;
- uint_t ipic_max_frag;
- uint_t ipic_addr_offset;
- uint_t ipic_addr_length;
- uint_t ipic_mask_offset;
- uint_t ipic_mask_length;
- uint_t ipic_src_addr_offset;
- uint_t ipic_src_addr_length;
- uint_t ipic_ll_hdr_offset;
- uint_t ipic_ll_hdr_length;
- uint_t ipic_gateway_addr_offset;
- uint_t ipic_gateway_addr_length;
- clock_t ipic_rtt;
- uint32_t ipic_ssthresh;
- clock_t ipic_rtt_sd;
- uchar_t ipic_ire_marks;
-} ipic_t;
-
-#define ipic_cmd ipic_ipllc.ipllc_cmd
-#define ipic_ll_name_length ipic_ipllc.ipllc_name_length
-#define ipic_ll_name_offset ipic_ipllc.ipllc_name_offset
-
/* IP IRE Delete Command Structure. */
typedef struct ipid_s {
ipllc_t ipid_ipllc;
@@ -257,16 +218,8 @@ typedef struct ipoptp_s
#define Q_TO_ICMP(q) (Q_TO_CONN((q))->conn_icmp)
#define Q_TO_RTS(q) (Q_TO_CONN((q))->conn_rts)
-/*
- * The following two macros are used by IP to get the appropriate
- * wq and rq for a conn. If it is a TCP conn, then we need
- * tcp_wq/tcp_rq else, conn_wq/conn_rq. IP can use conn_wq and conn_rq
- * from a conn directly if it knows that the conn is not TCP.
- */
-#define CONNP_TO_WQ(connp) \
- (IPCL_IS_TCP(connp) ? (connp)->conn_tcp->tcp_wq : (connp)->conn_wq)
-
-#define CONNP_TO_RQ(connp) RD(CONNP_TO_WQ(connp))
+#define CONNP_TO_WQ(connp) ((connp)->conn_wq)
+#define CONNP_TO_RQ(connp) ((connp)->conn_rq)
#define GRAB_CONN_LOCK(q) { \
if (q != NULL && CONN_Q(q)) \
@@ -278,9 +231,6 @@ typedef struct ipoptp_s
mutex_exit(&(Q_TO_CONN(q))->conn_lock); \
}
-/* "Congestion controlled" protocol */
-#define IP_FLOW_CONTROLLED_ULP(p) ((p) == IPPROTO_TCP || (p) == IPPROTO_SCTP)
-
/*
* Complete the pending operation. Usually an ioctl. Can also
* be a bind or option management request that got enqueued
@@ -295,63 +245,13 @@ typedef struct ipoptp_s
}
/*
- * Flags for the various ip_fanout_* routines.
- */
-#define IP_FF_SEND_ICMP 0x01 /* Send an ICMP error */
-#define IP_FF_HDR_COMPLETE 0x02 /* Call ip_hdr_complete if error */
-#define IP_FF_CKSUM 0x04 /* Recompute ipha_cksum if error */
-#define IP_FF_RAWIP 0x08 /* Use rawip mib variable */
-#define IP_FF_SRC_QUENCH 0x10 /* OK to send ICMP_SOURCE_QUENCH */
-#define IP_FF_SYN_ADDIRE 0x20 /* Add IRE if TCP syn packet */
-#define IP_FF_IPINFO 0x80 /* Used for both V4 and V6 */
-#define IP_FF_SEND_SLLA 0x100 /* Send source link layer info ? */
-#define IPV6_REACHABILITY_CONFIRMATION 0x200 /* Flags for ip_xmit_v6 */
-#define IP_FF_NO_MCAST_LOOP 0x400 /* No multicasts for sending zone */
-
-/*
- * Following flags are used by IPQoS to determine if policy processing is
- * required.
- */
-#define IP6_NO_IPPOLICY 0x800 /* Don't do IPQoS processing */
-#define IP6_IN_LLMCAST 0x1000 /* Multicast */
-
-#define IP_FF_LOOPBACK 0x2000 /* Loopback fanout */
-#define IP_FF_SCTP_CSUM_ERR 0x4000 /* sctp pkt has failed chksum */
-
-#ifndef IRE_DB_TYPE
-#define IRE_DB_TYPE M_SIG
-#endif
-
-#ifndef IRE_DB_REQ_TYPE
-#define IRE_DB_REQ_TYPE M_PCSIG
-#endif
-
-#ifndef IRE_ARPRESOLVE_TYPE
-#define IRE_ARPRESOLVE_TYPE M_EVENT
-#endif
-
-/*
* Values for squeue switch:
*/
-
#define IP_SQUEUE_ENTER_NODRAIN 1
#define IP_SQUEUE_ENTER 2
-/*
- * This is part of the interface between Transport provider and
- * IP which can be used to set policy information. This is usually
- * accompanied with O_T_BIND_REQ/T_BIND_REQ.ip_bind assumes that
- * only IPSEC_POLICY_SET is there when it is found in the chain.
- * The information contained is an struct ipsec_req_t. On success
- * or failure, either the T_BIND_ACK or the T_ERROR_ACK is returned.
- * IPSEC_POLICY_SET is never returned.
- */
-#define IPSEC_POLICY_SET M_SETOPTS
+#define IP_SQUEUE_FILL 3
-#define IRE_IS_LOCAL(ire) ((ire != NULL) && \
- ((ire)->ire_type & (IRE_LOCAL | IRE_LOOPBACK)))
-
-#define IRE_IS_TARGET(ire) ((ire != NULL) && \
- ((ire)->ire_type != IRE_BROADCAST))
+extern int ip_squeue_flag;
/* IP Fragmentation Reassembly Header */
typedef struct ipf_s {
@@ -387,71 +287,6 @@ typedef struct ipf_s {
#define ipf_src V4_PART_OF_V6(ipf_v6src)
#define ipf_dst V4_PART_OF_V6(ipf_v6dst)
-typedef enum {
- IB_PKT = 0x01,
- OB_PKT = 0x02
-} ip_pkt_t;
-
-#define UPDATE_IB_PKT_COUNT(ire)\
- { \
- (ire)->ire_ib_pkt_count++; \
- if ((ire)->ire_ipif != NULL) { \
- /* \
- * forwarding packet \
- */ \
- if ((ire)->ire_type & (IRE_LOCAL|IRE_BROADCAST)) \
- atomic_add_32(&(ire)->ire_ipif->ipif_ib_pkt_count, 1);\
- else \
- atomic_add_32(&(ire)->ire_ipif->ipif_fo_pkt_count, 1);\
- } \
- }
-
-#define UPDATE_OB_PKT_COUNT(ire)\
- { \
- (ire)->ire_ob_pkt_count++;\
- if ((ire)->ire_ipif != NULL) { \
- atomic_add_32(&(ire)->ire_ipif->ipif_ob_pkt_count, 1); \
- } \
- }
-
-#define IP_RPUT_LOCAL(q, mp, ipha, ire, recv_ill) \
-{ \
- switch (ipha->ipha_protocol) { \
- case IPPROTO_UDP: \
- ip_udp_input(q, mp, ipha, ire, recv_ill); \
- break; \
- default: \
- ip_proto_input(q, mp, ipha, ire, recv_ill, 0); \
- break; \
- } \
-}
-
-/*
- * NCE_EXPIRED is TRUE when we have a non-permanent nce that was
- * found to be REACHABLE more than ip_ire_arp_interval ms ago.
- * This macro is used to age existing nce_t entries. The
- * nce's will get cleaned up in the following circumstances:
- * - ip_ire_trash_reclaim will free nce's using ndp_cache_reclaim
- * when memory is low,
- * - ip_arp_news, when updates are received.
- * - if the nce is NCE_EXPIRED(), it will deleted, so that a new
- * arp request will need to be triggered from an ND_INITIAL nce.
- *
- * Note that the nce state transition follows the pattern:
- * ND_INITIAL -> ND_INCOMPLETE -> ND_REACHABLE
- * after which the nce is deleted when it has expired.
- *
- * nce_last is the timestamp that indicates when the nce_res_mp in the
- * nce_t was last updated to a valid link-layer address. nce_last gets
- * modified/updated :
- * - when the nce is created
- * - every time we get a sane arp response for the nce.
- */
-#define NCE_EXPIRED(nce, ipst) (nce->nce_last > 0 && \
- ((nce->nce_flags & NCE_F_PERMANENT) == 0) && \
- ((TICK_TO_MSEC(lbolt64) - nce->nce_last) > \
- (ipst)->ips_ip_ire_arp_interval))
-
#endif /* _KERNEL */
/* ICMP types */
@@ -560,7 +395,17 @@ typedef struct ipha_s {
#define IPH_DF 0x4000 /* Don't fragment */
#define IPH_MF 0x2000 /* More fragments to come */
#define IPH_OFFSET 0x1FFF /* Where the offset lives */
-#define IPH_FRAG_HDR 0x8000 /* IPv6 don't fragment bit */
+
+/* Byte-order specific values */
+#ifdef _BIG_ENDIAN
+#define IPH_DF_HTONS 0x4000 /* Don't fragment */
+#define IPH_MF_HTONS 0x2000 /* More fragments to come */
+#define IPH_OFFSET_HTONS 0x1FFF /* Where the offset lives */
+#else
+#define IPH_DF_HTONS 0x0040 /* Don't fragment */
+#define IPH_MF_HTONS 0x0020 /* More fragments to come */
+#define IPH_OFFSET_HTONS 0xFF1F /* Where the offset lives */
+#endif
/* ECN code points for IPv4 TOS byte and IPv6 traffic class octet. */
#define IPH_ECN_NECT 0x0 /* Not ECN-Capable Transport */
@@ -571,10 +416,8 @@ typedef struct ipha_s {
struct ill_s;
typedef void ip_v6intfid_func_t(struct ill_s *, in6_addr_t *);
-typedef boolean_t ip_v6mapinfo_func_t(uint_t, uint8_t *, uint8_t *, uint32_t *,
- in6_addr_t *);
-typedef boolean_t ip_v4mapinfo_func_t(uint_t, uint8_t *, uint8_t *, uint32_t *,
- ipaddr_t *);
+typedef void ip_v6mapinfo_func_t(struct ill_s *, uchar_t *, uchar_t *);
+typedef void ip_v4mapinfo_func_t(struct ill_s *, uchar_t *, uchar_t *);
/* IP Mac info structure */
typedef struct ip_m_s {
@@ -582,8 +425,8 @@ typedef struct ip_m_s {
int ip_m_type; /* From <net/if_types.h> */
t_uscalar_t ip_m_ipv4sap;
t_uscalar_t ip_m_ipv6sap;
- ip_v4mapinfo_func_t *ip_m_v4mapinfo;
- ip_v6mapinfo_func_t *ip_m_v6mapinfo;
+ ip_v4mapinfo_func_t *ip_m_v4mapping;
+ ip_v6mapinfo_func_t *ip_m_v6mapping;
ip_v6intfid_func_t *ip_m_v6intfid;
ip_v6intfid_func_t *ip_m_v6destintfid;
} ip_m_t;
@@ -591,20 +434,14 @@ typedef struct ip_m_s {
/*
* The following functions attempt to reduce the link layer dependency
* of the IP stack. The current set of link specific operations are:
- * a. map from IPv4 class D (224.0/4) multicast address range to the link
- * layer multicast address range.
- * b. map from IPv6 multicast address range (ff00::/8) to the link
- * layer multicast address range.
- * c. derive the default IPv6 interface identifier from the interface.
- * d. derive the default IPv6 destination interface identifier from
+ * a. map from IPv4 class D (224.0/4) multicast address range or the
+ * IPv6 multicast address range (ff00::/8) to the link layer multicast
+ * address.
+ * b. derive the default IPv6 interface identifier from the interface.
+ * c. derive the default IPv6 destination interface identifier from
* the interface (point-to-point only).
*/
-#define MEDIA_V4MINFO(ip_m, plen, bphys, maddr, hwxp, v4ptr) \
- (((ip_m)->ip_m_v4mapinfo != NULL) && \
- (*(ip_m)->ip_m_v4mapinfo)(plen, bphys, maddr, hwxp, v4ptr))
-#define MEDIA_V6MINFO(ip_m, plen, bphys, maddr, hwxp, v6ptr) \
- (((ip_m)->ip_m_v6mapinfo != NULL) && \
- (*(ip_m)->ip_m_v6mapinfo)(plen, bphys, maddr, hwxp, v6ptr))
+extern void ip_mcast_mapping(struct ill_s *, uchar_t *, uchar_t *);
/* ip_m_v6*intfid return void and are never NULL */
#define MEDIA_V6INTFID(ip_m, ill, v6ptr) (ip_m)->ip_m_v6intfid(ill, v6ptr)
#define MEDIA_V6DESTINTFID(ip_m, ill, v6ptr) \
@@ -616,107 +453,38 @@ typedef struct ip_m_s {
#define IRE_LOCAL 0x0004 /* Route entry for local address */
#define IRE_LOOPBACK 0x0008 /* Route entry for loopback address */
#define IRE_PREFIX 0x0010 /* Route entry for prefix routes */
+#ifndef _KERNEL
+/* Keep so user-level still compiles */
#define IRE_CACHE 0x0020 /* Cached Route entry */
+#endif
#define IRE_IF_NORESOLVER 0x0040 /* Route entry for local interface */
/* net without any address mapping. */
#define IRE_IF_RESOLVER 0x0080 /* Route entry for local interface */
/* net with resolver. */
#define IRE_HOST 0x0100 /* Host route entry */
+/* Keep so user-level still compiles */
#define IRE_HOST_REDIRECT 0x0200 /* only used for T_SVR4_OPTMGMT_REQ */
+#define IRE_IF_CLONE 0x0400 /* Per host clone of IRE_IF */
+#define IRE_MULTICAST 0x0800 /* Special - not in table */
+#define IRE_NOROUTE 0x1000 /* Special - not in table */
#define IRE_INTERFACE (IRE_IF_NORESOLVER | IRE_IF_RESOLVER)
-#define IRE_OFFSUBNET (IRE_DEFAULT | IRE_PREFIX | IRE_HOST)
-#define IRE_CACHETABLE (IRE_CACHE | IRE_BROADCAST | IRE_LOCAL | \
- IRE_LOOPBACK)
-#define IRE_FORWARDTABLE (IRE_INTERFACE | IRE_OFFSUBNET)
-
-/*
- * If an IRE is marked with IRE_MARK_CONDEMNED, the last walker of
- * the bucket should delete this IRE from this bucket.
- */
-#define IRE_MARK_CONDEMNED 0x0001
-
-/*
- * An IRE with IRE_MARK_PMTU has ire_max_frag set from an ICMP error.
- */
-#define IRE_MARK_PMTU 0x0002
-
-/*
- * An IRE with IRE_MARK_TESTHIDDEN is used by in.mpathd for test traffic. It
- * can only be looked up by requesting MATCH_IRE_MARK_TESTHIDDEN.
- */
-#define IRE_MARK_TESTHIDDEN 0x0004
-
-/*
- * An IRE with IRE_MARK_NOADD is created in ip_newroute_ipif when the outgoing
- * interface is specified by e.g. IP_PKTINFO. The IRE is not added to the IRE
- * cache table.
- */
-#define IRE_MARK_NOADD 0x0008 /* Mark not to add ire in cache */
-
-/*
- * IRE marked with IRE_MARK_TEMPORARY means that this IRE has been used
- * either for forwarding a packet or has not been used for sending
- * traffic on TCP connections terminated on this system. In both
- * cases, this IRE is the first to go when IRE is being cleaned up.
- */
-#define IRE_MARK_TEMPORARY 0x0010
-
-/*
- * IRE marked with IRE_MARK_USESRC_CHECK means that while adding an IRE with
- * this mark, additional atomic checks need to be performed. For eg: by the
- * time an IRE_CACHE is created, sent up to ARP and then comes back to IP; the
- * usesrc grouping could have changed in which case we want to fail adding
- * the IRE_CACHE entry
- */
-#define IRE_MARK_USESRC_CHECK 0x0020
-
-/*
- * IRE_MARK_PRIVATE_ADDR is used for IP_NEXTHOP. When IP_NEXTHOP is set, the
- * routing table lookup for the destination is bypassed and the packet is
- * sent directly to the specified nexthop. The associated IRE_CACHE entries
- * should be marked with IRE_MARK_PRIVATE_ADDR flag so that they don't show up
- * in regular ire cache lookups.
- */
-#define IRE_MARK_PRIVATE_ADDR 0x0040
+#define IRE_IF_ALL (IRE_IF_NORESOLVER | IRE_IF_RESOLVER | \
+ IRE_IF_CLONE)
+#define IRE_OFFSUBNET (IRE_DEFAULT | IRE_PREFIX | IRE_HOST)
+#define IRE_OFFLINK IRE_OFFSUBNET
/*
- * When we send an ARP resolution query for the nexthop gateway's ire,
- * we use esballoc to create the ire_t in the AR_ENTRY_QUERY mblk
- * chain, and mark its ire_marks with IRE_MARK_UNCACHED. This flag
- * indicates that information from ARP has not been transferred to a
- * permanent IRE_CACHE entry. The flag is reset only when the
- * information is successfully transferred to an ire_cache entry (in
- * ire_add()). Attempting to free the AR_ENTRY_QUERY mblk chain prior
- * to ire_add (e.g., from arp, or from ip`ip_wput_nondata) will
- * require that the resources (incomplete ire_cache and/or nce) must
- * be cleaned up. The free callback routine (ire_freemblk()) checks
- * for IRE_MARK_UNCACHED to see if any resources that are pinned down
- * will need to be cleaned up or not.
+ * Note that we view IRE_NOROUTE as ONLINK since we can "send" to them without
+ * going through a router; the result of sending will be an error/icmp error.
*/
-
-#define IRE_MARK_UNCACHED 0x0080
-
-/*
- * The comment below (and for other netstack_t references) refers
- * to the fact that we only do netstack_hold in particular cases,
- * such as the references from open streams (ill_t and conn_t's
- * pointers). Internally within IP we rely on IP's ability to cleanup e.g.
- * ire_t's when an ill goes away.
- */
-typedef struct ire_expire_arg_s {
- int iea_flush_flag;
- ip_stack_t *iea_ipst; /* Does not have a netstack_hold */
-} ire_expire_arg_t;
-
-/* Flags with ire_expire routine */
-#define FLUSH_ARP_TIME 0x0001 /* ARP info potentially stale timer */
-#define FLUSH_REDIRECT_TIME 0x0002 /* Redirects potentially stale */
-#define FLUSH_MTU_TIME 0x0004 /* Include path MTU per RFC 1191 */
+#define IRE_ONLINK (IRE_IF_ALL|IRE_LOCAL|IRE_LOOPBACK| \
+ IRE_BROADCAST|IRE_MULTICAST|IRE_NOROUTE)
/* Arguments to ire_flush_cache() */
#define IRE_FLUSH_DELETE 0
#define IRE_FLUSH_ADD 1
+#define IRE_FLUSH_GWCHANGE 2
/*
* Open/close synchronization flags.
@@ -724,31 +492,21 @@ typedef struct ire_expire_arg_s {
* depends on the atomic 32 bit access to that field.
*/
#define CONN_CLOSING 0x01 /* ip_close waiting for ip_wsrv */
-#define CONN_IPSEC_LOAD_WAIT 0x02 /* waiting for load */
-#define CONN_CONDEMNED 0x04 /* conn is closing, no more refs */
-#define CONN_INCIPIENT 0x08 /* conn not yet visible, no refs */
-#define CONN_QUIESCED 0x10 /* conn is now quiescent */
-
-/* Used to check connection state flags before caching the IRE */
-#define CONN_CACHE_IRE(connp) \
- (!((connp)->conn_state_flags & (CONN_CLOSING|CONN_CONDEMNED)))
-
-/*
- * Parameter to ip_output giving the identity of the caller.
- * IP_WSRV means the packet was enqueued in the STREAMS queue
- * due to flow control and is now being reprocessed in the context of
- * the STREAMS service procedure, consequent to flow control relief.
- * IRE_SEND means the packet is being reprocessed consequent to an
- * ire cache creation and addition and this may or may not be happening
- * in the service procedure context. Anything other than the above 2
- * cases is identified as IP_WPUT. Most commonly this is the case of
- * packets coming down from the application.
+#define CONN_CONDEMNED 0x02 /* conn is closing, no more refs */
+#define CONN_INCIPIENT 0x04 /* conn not yet visible, no refs */
+#define CONN_QUIESCED 0x08 /* conn is now quiescent */
+#define CONN_UPDATE_ILL 0x10 /* conn_update_ill in progress */
+
+/*
+ * Flags for dce_flags field. Specifies which information has been set.
+ * dce_ident is always present, but the other ones are identified by the flags.
*/
-#ifdef _KERNEL
-#define IP_WSRV 1 /* Called from ip_wsrv */
-#define IP_WPUT 2 /* Called from ip_wput */
-#define IRE_SEND 3 /* Called from ire_send */
+#define DCEF_DEFAULT 0x0001 /* Default DCE - no pmtu or uinfo */
+#define DCEF_PMTU 0x0002 /* Different than interface MTU */
+#define DCEF_UINFO 0x0004 /* dce_uinfo set */
+#define DCEF_TOO_SMALL_PMTU 0x0008 /* Smaller than IPv4/IPv6 MIN */
+#ifdef _KERNEL
/*
* Extra structures need for per-src-addr filtering (IGMPv3/MLDv2)
*/
@@ -786,90 +544,80 @@ typedef struct mrec_s {
} mrec_t;
/* Group membership list per upper conn */
+
/*
- * XXX add ilg info for ifaddr/ifindex.
- * XXX can we make ilg survive an ifconfig unplumb + plumb
- * by setting the ipif/ill to NULL and recover that later?
+ * We record the multicast information from the socket option in
+ * ilg_ifaddr/ilg_ifindex. This allows rejoining the group in the case when
+ * the ifaddr (or ifindex) disappears and later reappears, potentially on
+ * a different ill. The IPv6 multicast socket options and ioctls all specify
+ * the interface using an ifindex. For IPv4 some socket options/ioctls use
+ * the interface address and others use the index. We record here the method
+ * that was actually used (and leave the other of ilg_ifaddr or ilg_ifindex)
+ * at zero so that we can rejoin the way the application intended.
*
- * ilg_ipif is used by IPv4 as multicast groups are joined using an interface
- * address (ipif).
- * ilg_ill is used by IPv6 as multicast groups are joined using an interface
- * index (phyint->phyint_ifindex).
- * ilg_ill is NULL for IPv4 and ilg_ipif is NULL for IPv6.
+ * We track the ill on which we will or already have joined an ilm using
+ * ilg_ill. When we have succeeded joining the ilm and have a refhold on it
+ * then we set ilg_ilm. Thus intentionally there is a window where ilg_ill is
+ * set and ilg_ilm is not set. This allows clearing ilg_ill as a signal that
+ * the ill is being unplumbed and the ilm should be discarded.
*
* ilg records the state of multicast memberships of a socket end point.
* ilm records the state of multicast memberships with the driver and is
* maintained per interface.
*
- * There is no direct link between a given ilg and ilm. If the
- * application has joined a group G with ifindex I, we will have
- * an ilg with ilg_v6group and ilg_ill. There will be a corresponding
- * ilm with ilm_ill/ilm_v6addr recording the multicast membership.
- * To delete the membership:
- *
- * a) Search for ilg matching on G and I with ilg_v6group
- * and ilg_ill. Delete ilg_ill.
- * b) Search the corresponding ilm matching on G and I with
- * ilm_v6addr and ilm_ill. Delete ilm.
- *
- * For IPv4 the only difference is that we look using ipifs, not ills.
+ * The ilg state is protected by conn_ilg_lock.
+ * The ilg will not be freed until ilg_refcnt drops to zero.
*/
-
-/*
- * The ilg_t and ilm_t members are protected by ipsq. They can be changed only
- * by a thread executing in the ipsq. In other words add/delete of a
- * multicast group has to execute in the ipsq.
- */
-#define ILG_DELETED 0x1 /* ilg_flags */
typedef struct ilg_s {
+ struct ilg_s *ilg_next;
+ struct ilg_s **ilg_ptpn;
+ struct conn_s *ilg_connp; /* Back pointer to get lock */
in6_addr_t ilg_v6group;
- struct ipif_s *ilg_ipif; /* Logical interface we are member on */
- struct ill_s *ilg_ill; /* Used by IPv6 */
- uint_t ilg_flags;
+ ipaddr_t ilg_ifaddr; /* For some IPv4 cases */
+ uint_t ilg_ifindex; /* IPv6 and some other IPv4 cases */
+ struct ill_s *ilg_ill; /* Where ilm is joined. No refhold */
+ struct ilm_s *ilg_ilm; /* With ilm_refhold */
+ uint_t ilg_refcnt;
mcast_record_t ilg_fmode; /* MODE_IS_INCLUDE/MODE_IS_EXCLUDE */
slist_t *ilg_filter;
+ boolean_t ilg_condemned; /* Conceptually deleted */
} ilg_t;
/*
* Multicast address list entry for ill.
- * ilm_ipif is used by IPv4 as multicast groups are joined using ipif.
- * ilm_ill is used by IPv6 as multicast groups are joined using ill.
- * ilm_ill is NULL for IPv4 and ilm_ipif is NULL for IPv6.
+ * ilm_ill is used by IPv4 and IPv6
+ *
+ * The ilm state (and other multicast state on the ill) is protected by
+ * ill_mcast_lock. Operations that change state on both an ilg and ilm
+ * in addition use ill_mcast_serializer to ensure that we can't have
+ * interleaving between e.g., add and delete operations for the same conn_t,
+ * group, and ill.
*
* The comment below (and for other netstack_t references) refers
* to the fact that we only do netstack_hold in particular cases,
- * such as the references from open streams (ill_t and conn_t's
+ * such as the references from open endpoints (ill_t and conn_t's
* pointers). Internally within IP we rely on IP's ability to cleanup e.g.
* ire_t's when an ill goes away.
*/
-#define ILM_DELETED 0x1 /* ilm_flags */
typedef struct ilm_s {
in6_addr_t ilm_v6addr;
int ilm_refcnt;
uint_t ilm_timer; /* IGMP/MLD query resp timer, in msec */
- struct ipif_s *ilm_ipif; /* Back pointer to ipif for IPv4 */
struct ilm_s *ilm_next; /* Linked list for each ill */
uint_t ilm_state; /* state of the membership */
- struct ill_s *ilm_ill; /* Back pointer to ill for IPv6 */
- uint_t ilm_flags;
- boolean_t ilm_notify_driver; /* Need to notify the driver */
+ struct ill_s *ilm_ill; /* Back pointer to ill - ill_ilm_cnt */
zoneid_t ilm_zoneid;
int ilm_no_ilg_cnt; /* number of joins w/ no ilg */
mcast_record_t ilm_fmode; /* MODE_IS_INCLUDE/MODE_IS_EXCLUDE */
slist_t *ilm_filter; /* source filter list */
slist_t *ilm_pendsrcs; /* relevant src addrs for pending req */
rtx_state_t ilm_rtx; /* SCR retransmission state */
+ ipaddr_t ilm_ifaddr; /* For IPv4 netstat */
ip_stack_t *ilm_ipst; /* Does not have a netstack_hold */
} ilm_t;
#define ilm_addr V4_PART_OF_V6(ilm_v6addr)
-typedef struct ilm_walker {
- struct ill_s *ilw_ill; /* associated ill */
- struct ill_s *ilw_ipmp_ill; /* associated ipmp ill (if any) */
- struct ill_s *ilw_walk_ill; /* current ill being walked */
-} ilm_walker_t;
-
/*
* Soft reference to an IPsec SA.
*
@@ -898,40 +646,28 @@ typedef struct ipsa_ref_s
* In the presence of IPsec policy, fully-bound conn's bind a connection
* to more than just the 5-tuple, but also a specific IPsec action and
* identity-pair.
- *
- * As an optimization, we also cache soft references to IPsec SA's
- * here so that we can fast-path around most of the work needed for
+ * The identity pair is accessed from both the receive and transmit side
+ * hence it is maintained in the ipsec_latch_t structure. conn_latch and
+ * ixa_ipsec_latch points to it.
+ * The policy and actions are stored in conn_latch_in_policy and
+ * conn_latch_in_action for the inbound side, and in ixa_ipsec_policy and
+ * ixa_ipsec_action for the transmit side.
+ *
+ * As an optimization, we also cache soft references to IPsec SA's in
+ * ip_xmit_attr_t so that we can fast-path around most of the work needed for
* outbound IPsec SA selection.
- *
- * Were it not for TCP's detached connections, this state would be
- * in-line in conn_t; instead, this is in a separate structure so it
- * can be handed off to TCP when a connection is detached.
*/
typedef struct ipsec_latch_s
{
kmutex_t ipl_lock;
uint32_t ipl_refcnt;
- uint64_t ipl_unique;
- struct ipsec_policy_s *ipl_in_policy; /* latched policy (in) */
- struct ipsec_policy_s *ipl_out_policy; /* latched policy (out) */
- struct ipsec_action_s *ipl_in_action; /* latched action (in) */
- struct ipsec_action_s *ipl_out_action; /* latched action (out) */
- cred_t *ipl_local_id;
struct ipsid_s *ipl_local_cid;
struct ipsid_s *ipl_remote_cid;
unsigned int
- ipl_out_action_latched : 1,
- ipl_in_action_latched : 1,
- ipl_out_policy_latched : 1,
- ipl_in_policy_latched : 1,
-
ipl_ids_latched : 1,
- ipl_pad_to_bit_31 : 27;
-
- ipsa_ref_t ipl_ref[2]; /* 0: ESP, 1: AH */
-
+ ipl_pad_to_bit_31 : 31;
} ipsec_latch_t;
#define IPLATCH_REFHOLD(ipl) { \
@@ -939,97 +675,19 @@ typedef struct ipsec_latch_s
ASSERT((ipl)->ipl_refcnt != 0); \
}
-#define IPLATCH_REFRELE(ipl, ns) { \
+#define IPLATCH_REFRELE(ipl) { \
ASSERT((ipl)->ipl_refcnt != 0); \
membar_exit(); \
if (atomic_add_32_nv(&(ipl)->ipl_refcnt, -1) == 0) \
- iplatch_free(ipl, ns); \
+ iplatch_free(ipl); \
}
/*
* peer identity structure.
*/
-
typedef struct conn_s conn_t;
/*
- * The old IP client structure "ipc_t" is gone. All the data is stored in the
- * connection structure "conn_t" now. The mapping of old and new fields looks
- * like this:
- *
- * ipc_ulp conn_ulp
- * ipc_rq conn_rq
- * ipc_wq conn_wq
- *
- * ipc_laddr conn_src
- * ipc_faddr conn_rem
- * ipc_v6laddr conn_srcv6
- * ipc_v6faddr conn_remv6
- *
- * ipc_lport conn_lport
- * ipc_fport conn_fport
- * ipc_ports conn_ports
- *
- * ipc_policy conn_policy
- * ipc_latch conn_latch
- *
- * ipc_irc_lock conn_lock
- * ipc_ire_cache conn_ire_cache
- *
- * ipc_state_flags conn_state_flags
- * ipc_outgoing_ill conn_outgoing_ill
- *
- * ipc_dontroute conn_dontroute
- * ipc_loopback conn_loopback
- * ipc_broadcast conn_broadcast
- * ipc_reuseaddr conn_reuseaddr
- *
- * ipc_multicast_loop conn_multicast_loop
- * ipc_multi_router conn_multi_router
- * ipc_draining conn_draining
- *
- * ipc_did_putbq conn_did_putbq
- * ipc_unspec_src conn_unspec_src
- * ipc_policy_cached conn_policy_cached
- *
- * ipc_in_enforce_policy conn_in_enforce_policy
- * ipc_out_enforce_policy conn_out_enforce_policy
- * ipc_af_isv6 conn_af_isv6
- * ipc_pkt_isv6 conn_pkt_isv6
- *
- * ipc_ipv6_recvpktinfo conn_ipv6_recvpktinfo
- *
- * ipc_ipv6_recvhoplimit conn_ipv6_recvhoplimit
- * ipc_ipv6_recvhopopts conn_ipv6_recvhopopts
- * ipc_ipv6_recvdstopts conn_ipv6_recvdstopts
- *
- * ipc_ipv6_recvrthdr conn_ipv6_recvrthdr
- * ipc_ipv6_recvrtdstopts conn_ipv6_recvrtdstopts
- * ipc_fully_bound conn_fully_bound
- *
- * ipc_recvif conn_recvif
- *
- * ipc_recvslla conn_recvslla
- * ipc_acking_unbind conn_acking_unbind
- * ipc_pad_to_bit_31 conn_pad_to_bit_31
- *
- * ipc_proto conn_proto
- * ipc_incoming_ill conn_incoming_ill
- * ipc_pending_ill conn_pending_ill
- * ipc_unbind_mp conn_unbind_mp
- * ipc_ilg conn_ilg
- * ipc_ilg_allocated conn_ilg_allocated
- * ipc_ilg_inuse conn_ilg_inuse
- * ipc_ilg_walker_cnt conn_ilg_walker_cnt
- * ipc_refcv conn_refcv
- * ipc_multicast_ipif conn_multicast_ipif
- * ipc_multicast_ill conn_multicast_ill
- * ipc_drain_next conn_drain_next
- * ipc_drain_prev conn_drain_prev
- * ipc_idl conn_idl
- */
-
-/*
* This is used to match an inbound/outbound datagram with policy.
*/
typedef struct ipsec_selector {
@@ -1069,22 +727,6 @@ typedef struct ipsec_selector {
#define IPSEC_POLICY_MAX 5 /* Always max + 1. */
/*
- * Folowing macro is used whenever the code does not know whether there
- * is a M_CTL present in the front and it needs to examine the actual mp
- * i.e the IP header. As a M_CTL message could be in the front, this
- * extracts the packet into mp and the M_CTL mp into first_mp. If M_CTL
- * mp is not present, both first_mp and mp point to the same message.
- */
-#define EXTRACT_PKT_MP(mp, first_mp, mctl_present) \
- (first_mp) = (mp); \
- if ((mp)->b_datap->db_type == M_CTL) { \
- (mp) = (mp)->b_cont; \
- (mctl_present) = B_TRUE; \
- } else { \
- (mctl_present) = B_FALSE; \
- }
-
-/*
* Check with IPSEC inbound policy if
*
* 1) per-socket policy is present - indicated by conn_in_enforce_policy.
@@ -1113,11 +755,6 @@ typedef struct ipsec_selector {
/*
* Information cached in IRE for upper layer protocol (ULP).
- *
- * Notice that ire_max_frag is not included in the iulp_t structure, which
- * it may seem that it should. But ire_max_frag cannot really be cached. It
- * is fixed for each interface. For MTU found by PMTUd, we may want to cache
- * it. But currently, we do not do that.
*/
typedef struct iulp_s {
boolean_t iulp_set; /* Is any metric set? */
@@ -1128,17 +765,21 @@ typedef struct iulp_s {
uint32_t iulp_rpipe; /* Receive pipe size. */
uint32_t iulp_rtomax; /* Max round trip timeout. */
uint32_t iulp_sack; /* Use SACK option (TCP)? */
+ uint32_t iulp_mtu; /* Setable with routing sockets */
+
uint32_t
iulp_tstamp_ok : 1, /* Use timestamp option (TCP)? */
iulp_wscale_ok : 1, /* Use window scale option (TCP)? */
iulp_ecn_ok : 1, /* Enable ECN (for TCP)? */
iulp_pmtud_ok : 1, /* Enable PMTUd? */
- iulp_not_used : 28;
-} iulp_t;
+ /* These three are passed out by ip_set_destination */
+ iulp_localnet: 1, /* IRE_ONLINK */
+ iulp_loopback: 1, /* IRE_LOOPBACK */
+ iulp_local: 1, /* IRE_LOCAL */
-/* Zero iulp_t. */
-extern const iulp_t ire_uinfo_null;
+ iulp_not_used : 25;
+} iulp_t;
/*
* The conn drain list structure (idl_t).
@@ -1173,7 +814,6 @@ struct idl_tx_list_s {
struct idl_s {
conn_t *idl_conn; /* Head of drain list */
kmutex_t idl_lock; /* Lock for this list */
- conn_t *idl_conn_draining; /* conn that is draining */
uint32_t
idl_repeat : 1, /* Last conn must re-enable */
/* drain list again */
@@ -1182,36 +822,38 @@ struct idl_s {
};
#define CONN_DRAIN_LIST_LOCK(connp) (&((connp)->conn_idl->idl_lock))
+
/*
* Interface route structure which holds the necessary information to recreate
- * routes that are tied to an interface (namely where ire_ipif != NULL).
+ * routes that are tied to an interface i.e. have ire_ill set.
+ *
* These routes which were initially created via a routing socket or via the
* SIOCADDRT ioctl may be gateway routes (RTF_GATEWAY being set) or may be
- * traditional interface routes. When an interface comes back up after being
- * marked down, this information will be used to recreate the routes. These
- * are part of an mblk_t chain that hangs off of the IPIF (ipif_saved_ire_mp).
+ * traditional interface routes. When an ill comes back up after being
+ * down, this information will be used to recreate the routes. These
+ * are part of an mblk_t chain that hangs off of the ILL (ill_saved_ire_mp).
*/
typedef struct ifrt_s {
ushort_t ifrt_type; /* Type of IRE */
in6_addr_t ifrt_v6addr; /* Address IRE represents. */
- in6_addr_t ifrt_v6gateway_addr; /* Gateway if IRE_OFFSUBNET */
- in6_addr_t ifrt_v6src_addr; /* Src addr if RTF_SETSRC */
+ in6_addr_t ifrt_v6gateway_addr; /* Gateway if IRE_OFFLINK */
+ in6_addr_t ifrt_v6setsrc_addr; /* Src addr if RTF_SETSRC */
in6_addr_t ifrt_v6mask; /* Mask for matching IRE. */
uint32_t ifrt_flags; /* flags related to route */
- uint_t ifrt_max_frag; /* MTU (next hop or path). */
- iulp_t ifrt_iulp_info; /* Cached IRE ULP info. */
+ iulp_t ifrt_metrics; /* Routing socket metrics */
+ zoneid_t ifrt_zoneid; /* zoneid for route */
} ifrt_t;
#define ifrt_addr V4_PART_OF_V6(ifrt_v6addr)
#define ifrt_gateway_addr V4_PART_OF_V6(ifrt_v6gateway_addr)
-#define ifrt_src_addr V4_PART_OF_V6(ifrt_v6src_addr)
#define ifrt_mask V4_PART_OF_V6(ifrt_v6mask)
+#define ifrt_setsrc_addr V4_PART_OF_V6(ifrt_v6setsrc_addr)
/* Number of IP addresses that can be hosted on a physical interface */
#define MAX_ADDRS_PER_IF 8192
/*
* Number of Source addresses to be considered for source address
- * selection. Used by ipif_select_source[_v6].
+ * selection. Used by ipif_select_source_v4/v6.
*/
#define MAX_IPIF_SELECT_SOURCE 50
@@ -1245,16 +887,13 @@ typedef struct th_hash_s {
#define IPIF_CONDEMNED 0x1 /* The ipif is being removed */
#define IPIF_CHANGING 0x2 /* A critcal ipif field is changing */
#define IPIF_SET_LINKLOCAL 0x10 /* transient flag during bringup */
-#define IPIF_ZERO_SOURCE 0x20 /* transient flag during bringup */
/* IP interface structure, one per local address */
typedef struct ipif_s {
struct ipif_s *ipif_next;
struct ill_s *ipif_ill; /* Back pointer to our ill */
int ipif_id; /* Logical unit number */
- uint_t ipif_mtu; /* Starts at ipif_ill->ill_max_frag */
in6_addr_t ipif_v6lcl_addr; /* Local IP address for this if. */
- in6_addr_t ipif_v6src_addr; /* Source IP address for this if. */
in6_addr_t ipif_v6subnet; /* Subnet prefix for this if. */
in6_addr_t ipif_v6net_mask; /* Net mask for this interface. */
in6_addr_t ipif_v6brd_addr; /* Broadcast addr for this interface. */
@@ -1262,47 +901,29 @@ typedef struct ipif_s {
uint64_t ipif_flags; /* Interface flags. */
uint_t ipif_metric; /* BSD if metric, for compatibility. */
uint_t ipif_ire_type; /* IRE_LOCAL or IRE_LOOPBACK */
- mblk_t *ipif_arp_del_mp; /* Allocated at time arp comes up, to */
- /* prevent awkward out of mem */
- /* condition later */
- mblk_t *ipif_saved_ire_mp; /* Allocated for each extra */
- /* IRE_IF_NORESOLVER/IRE_IF_RESOLVER */
- /* on this interface so that they */
- /* can survive ifconfig down. */
- kmutex_t ipif_saved_ire_lock; /* Protects ipif_saved_ire_mp */
-
- mrec_t *ipif_igmp_rpt; /* List of group memberships which */
- /* will be reported on. Used when */
- /* handling an igmp timeout. */
/*
- * The packet counts in the ipif contain the sum of the
- * packet counts in dead IREs that were affiliated with
- * this ipif.
+ * The packet count in the ipif contain the sum of the
+ * packet counts in dead IRE_LOCAL/LOOPBACK for this ipif.
*/
- uint_t ipif_fo_pkt_count; /* Forwarded thru our dead IREs */
uint_t ipif_ib_pkt_count; /* Inbound packets for our dead IREs */
- uint_t ipif_ob_pkt_count; /* Outbound packets to our dead IREs */
+
/* Exclusive bit fields, protected by ipsq_t */
unsigned int
- ipif_multicast_up : 1, /* ipif_multicast_up() successful */
ipif_was_up : 1, /* ipif was up before */
ipif_addr_ready : 1, /* DAD is done */
ipif_was_dup : 1, /* DAD had failed */
-
- ipif_joined_allhosts : 1, /* allhosts joined */
ipif_added_nce : 1, /* nce added for local address */
- ipif_pad_to_31 : 26;
+
+ ipif_pad_to_31 : 28;
+
+ ilm_t *ipif_allhosts_ilm; /* For all-nodes join */
+ ilm_t *ipif_solmulti_ilm; /* For IPv6 solicited multicast join */
uint_t ipif_seqid; /* unique index across all ills */
uint_t ipif_state_flags; /* See IPIF_* flag defs above */
uint_t ipif_refcnt; /* active consistent reader cnt */
- /* Number of ire's and ilm's referencing this ipif */
- uint_t ipif_ire_cnt;
- uint_t ipif_ilm_cnt;
-
- uint_t ipif_saved_ire_cnt;
zoneid_t ipif_zoneid; /* zone ID number */
timeout_id_t ipif_recovery_id; /* Timer for DAD recovery */
boolean_t ipif_trace_disable; /* True when alloc fails */
@@ -1313,40 +934,12 @@ typedef struct ipif_s {
* part of a group will be pointed to, and an ill cannot disappear
* while it's in a group.
*/
- struct ill_s *ipif_bound_ill;
- struct ipif_s *ipif_bound_next; /* bound ipif chain */
- boolean_t ipif_bound; /* B_TRUE if we successfully bound */
-} ipif_t;
+ struct ill_s *ipif_bound_ill;
+ struct ipif_s *ipif_bound_next; /* bound ipif chain */
+ boolean_t ipif_bound; /* B_TRUE if we successfully bound */
-/*
- * IPIF_FREE_OK() means that there are no incoming references
- * to the ipif. Incoming refs would prevent the ipif from being freed.
- */
-#define IPIF_FREE_OK(ipif) \
- ((ipif)->ipif_ire_cnt == 0 && (ipif)->ipif_ilm_cnt == 0)
-/*
- * IPIF_DOWN_OK() determines whether the incoming pointer reference counts
- * would permit the ipif to be considered quiescent. In order for
- * an ipif or ill to be considered quiescent, the ire and nce references
- * to that ipif/ill must be zero.
- *
- * We do not require the ilm references to go to zero for quiescence
- * because the quiescence checks are done to ensure that
- * outgoing packets do not use addresses from the ipif/ill after it
- * has been marked down, and incoming packets to addresses on a
- * queiscent interface are rejected. This implies that all the
- * ire/nce's using that source address need to be deleted and future
- * creation of any ires using that source address must be prevented.
- * Similarly incoming unicast packets destined to the 'down' address
- * will not be accepted once that ire is gone. However incoming
- * multicast packets are not destined to the downed address.
- * They are only related to the ill in question. Furthermore
- * the current API behavior allows applications to join or leave
- * multicast groups, i.e., IP_ADD_MEMBERSHIP / LEAVE_MEMBERSHIP, using a
- * down address. Therefore the ilm references are not included in
- * the _DOWN_OK macros.
- */
-#define IPIF_DOWN_OK(ipif) ((ipif)->ipif_ire_cnt == 0)
+ struct ire_s *ipif_ire_local; /* Our IRE_LOCAL or LOOPBACK */
+} ipif_t;
/*
* The following table lists the protection levels of the various members
@@ -1371,9 +964,7 @@ typedef struct ipif_s {
* ill_g_lock ill_g_lock
* ipif_ill ipsq + down ipif write once
* ipif_id ipsq + down ipif write once
- * ipif_mtu ipsq
* ipif_v6lcl_addr ipsq + down ipif up ipif
- * ipif_v6src_addr ipsq + down ipif up ipif
* ipif_v6subnet ipsq + down ipif up ipif
* ipif_v6net_mask ipsq + down ipif up ipif
*
@@ -1383,28 +974,30 @@ typedef struct ipif_s {
* ipif_metric
* ipif_ire_type ipsq + down ill up ill
*
- * ipif_arp_del_mp ipsq ipsq
- * ipif_saved_ire_mp ipif_saved_ire_lock ipif_saved_ire_lock
- * ipif_igmp_rpt ipsq ipsq
- *
- * ipif_fo_pkt_count Approx
* ipif_ib_pkt_count Approx
- * ipif_ob_pkt_count Approx
*
* bit fields ill_lock ill_lock
*
+ * ipif_allhosts_ilm ipsq ipsq
+ * ipif_solmulti_ilm ipsq ipsq
+ *
* ipif_seqid ipsq Write once
*
* ipif_state_flags ill_lock ill_lock
* ipif_refcnt ill_lock ill_lock
- * ipif_ire_cnt ill_lock ill_lock
- * ipif_ilm_cnt ill_lock ill_lock
- * ipif_saved_ire_cnt
- *
* ipif_bound_ill ipsq + ipmp_lock ipsq OR ipmp_lock
* ipif_bound_next ipsq ipsq
* ipif_bound ipsq ipsq
+ *
+ * ipif_ire_local ipsq + ips_ill_g_lock ipsq OR ips_ill_g_lock
+ */
+
+/*
+ * Return values from ip_laddr_verify_{v4,v6}
*/
+typedef enum { IPVL_UNICAST_UP, IPVL_UNICAST_DOWN, IPVL_MCAST, IPVL_BCAST,
+ IPVL_BAD} ip_laddr_t;
+
#define IP_TR_HASH(tid) ((((uintptr_t)tid) >> 6) & (IP_TR_HASH_MAX - 1))
@@ -1422,18 +1015,12 @@ typedef struct ipif_s {
/* IPv4 compatibility macros */
#define ipif_lcl_addr V4_PART_OF_V6(ipif_v6lcl_addr)
-#define ipif_src_addr V4_PART_OF_V6(ipif_v6src_addr)
#define ipif_subnet V4_PART_OF_V6(ipif_v6subnet)
#define ipif_net_mask V4_PART_OF_V6(ipif_v6net_mask)
#define ipif_brd_addr V4_PART_OF_V6(ipif_v6brd_addr)
#define ipif_pp_dst_addr V4_PART_OF_V6(ipif_v6pp_dst_addr)
/* Macros for easy backreferences to the ill. */
-#define ipif_wq ipif_ill->ill_wq
-#define ipif_rq ipif_ill->ill_rq
-#define ipif_net_type ipif_ill->ill_net_type
-#define ipif_ipif_up_count ipif_ill->ill_ipif_up_count
-#define ipif_type ipif_ill->ill_type
#define ipif_isv6 ipif_ill->ill_isv6
#define SIOCLIFADDR_NDX 112 /* ndx of SIOCLIFADDR in the ndx ioctl table */
@@ -1524,7 +1111,7 @@ typedef struct ipxop_s {
boolean_t ipx_current_done; /* is the current operation done? */
int ipx_current_ioctl; /* current ioctl, or 0 if no ioctl */
ipif_t *ipx_current_ipif; /* ipif for current op */
- ipif_t *ipx_pending_ipif; /* ipif for ipsq_pending_mp */
+ ipif_t *ipx_pending_ipif; /* ipif for ipx_pending_mp */
mblk_t *ipx_pending_mp; /* current ioctl mp while waiting */
boolean_t ipx_forced; /* debugging aid */
#ifdef DEBUG
@@ -1642,24 +1229,62 @@ typedef struct irb {
krwlock_t irb_lock; /* Protect this bucket */
uint_t irb_refcnt; /* Protected by irb_lock */
uchar_t irb_marks; /* CONDEMNED ires in this bucket ? */
-#define IRB_MARK_CONDEMNED 0x0001
-#define IRB_MARK_FTABLE 0x0002
+#define IRB_MARK_CONDEMNED 0x0001 /* Contains some IRE_IS_CONDEMNED */
+#define IRB_MARK_DYNAMIC 0x0002 /* Dynamically allocated */
+ /* Once IPv6 uses radix then IRB_MARK_DYNAMIC will be always be set */
uint_t irb_ire_cnt; /* Num of active IRE in this bucket */
- uint_t irb_tmp_ire_cnt; /* Num of temporary IRE */
- struct ire_s *irb_rr_origin; /* origin for round-robin */
int irb_nire; /* Num of ftable ire's that ref irb */
ip_stack_t *irb_ipst; /* Does not have a netstack_hold */
} irb_t;
#define IRB2RT(irb) (rt_t *)((caddr_t)(irb) - offsetof(rt_t, rt_irb))
-/* The following are return values of ip_xmit_v4() */
-typedef enum {
- SEND_PASSED = 0, /* sent packet out on wire */
- SEND_FAILED, /* sending of packet failed */
- LOOKUP_IN_PROGRESS, /* ire cache found, ARP resolution in progress */
- LLHDR_RESLV_FAILED /* macaddr resl of onlink dst or nexthop failed */
-} ipxmit_state_t;
+/* Forward declarations */
+struct dce_s;
+typedef struct dce_s dce_t;
+struct ire_s;
+typedef struct ire_s ire_t;
+struct ncec_s;
+typedef struct ncec_s ncec_t;
+struct nce_s;
+typedef struct nce_s nce_t;
+struct ip_recv_attr_s;
+typedef struct ip_recv_attr_s ip_recv_attr_t;
+struct ip_xmit_attr_s;
+typedef struct ip_xmit_attr_s ip_xmit_attr_t;
+
+struct tsol_ire_gw_secattr_s;
+typedef struct tsol_ire_gw_secattr_s tsol_ire_gw_secattr_t;
+
+/*
+ * This is a structure for a one-element route cache that is passed
+ * by reference between ip_input and ill_inputfn.
+ */
+typedef struct {
+ ire_t *rtc_ire;
+ ipaddr_t rtc_ipaddr;
+ in6_addr_t rtc_ip6addr;
+} rtc_t;
+
+/*
+ * Note: Temporarily use 64 bits, and will probably go back to 32 bits after
+ * more cleanup work is done.
+ */
+typedef uint64_t iaflags_t;
+
+/* The ill input function pointer type */
+typedef void (*pfillinput_t)(mblk_t *, void *, void *, ip_recv_attr_t *,
+ rtc_t *);
+
+/* The ire receive function pointer type */
+typedef void (*pfirerecv_t)(ire_t *, mblk_t *, void *, ip_recv_attr_t *);
+
+/* The ire send and postfrag function pointer types */
+typedef int (*pfiresend_t)(ire_t *, mblk_t *, void *,
+ ip_xmit_attr_t *, uint32_t *);
+typedef int (*pfirepostfrag_t)(mblk_t *, nce_t *, iaflags_t, uint_t, uint32_t,
+ zoneid_t, zoneid_t, uintptr_t *);
+
#define IP_V4_G_HEAD 0
#define IP_V6_G_HEAD 1
@@ -1733,26 +1358,12 @@ typedef union ill_g_head_u {
/*
* Capabilities, possible flags for ill_capabilities.
*/
-
-#define ILL_CAPAB_AH 0x01 /* IPsec AH acceleration */
-#define ILL_CAPAB_ESP 0x02 /* IPsec ESP acceleration */
-#define ILL_CAPAB_MDT 0x04 /* Multidata Transmit */
+#define ILL_CAPAB_LSO 0x04 /* Large Send Offload */
#define ILL_CAPAB_HCKSUM 0x08 /* Hardware checksumming */
#define ILL_CAPAB_ZEROCOPY 0x10 /* Zero-copy */
#define ILL_CAPAB_DLD 0x20 /* DLD capabilities */
#define ILL_CAPAB_DLD_POLL 0x40 /* Polling */
#define ILL_CAPAB_DLD_DIRECT 0x80 /* Direct function call */
-#define ILL_CAPAB_DLD_LSO 0x100 /* Large Segment Offload */
-
-/*
- * Per-ill Multidata Transmit capabilities.
- */
-typedef struct ill_mdt_capab_s ill_mdt_capab_t;
-
-/*
- * Per-ill IPsec capabilities.
- */
-typedef struct ill_ipsec_capab_s ill_ipsec_capab_t;
/*
* Per-ill Hardware Checksumming capbilities.
@@ -1775,15 +1386,18 @@ typedef struct ill_dld_capab_s ill_dld_capab_t;
typedef struct ill_rx_ring ill_rx_ring_t;
/*
- * Per-ill Large Segment Offload capabilities.
+ * Per-ill Large Send Offload capabilities.
*/
typedef struct ill_lso_capab_s ill_lso_capab_t;
/* The following are ill_state_flags */
#define ILL_LL_SUBNET_PENDING 0x01 /* Waiting for DL_INFO_ACK from drv */
#define ILL_CONDEMNED 0x02 /* No more new ref's to the ILL */
-#define ILL_CHANGING 0x04 /* ILL not globally visible */
-#define ILL_DL_UNBIND_IN_PROGRESS 0x08 /* UNBIND_REQ is sent */
+#define ILL_DL_UNBIND_IN_PROGRESS 0x04 /* UNBIND_REQ is sent */
+#define ILL_DOWN_IN_PROGRESS 0x08 /* ILL is going down - no new nce's */
+#define ILL_LL_BIND_PENDING 0x0020 /* XXX Reuse ILL_LL_SUBNET_PENDING ? */
+#define ILL_LL_UP 0x0040
+#define ILL_LL_DOWN 0x0080
/* Is this an ILL whose source address is used by other ILL's ? */
#define IS_USESRC_ILL(ill) \
@@ -1796,10 +1410,9 @@ typedef struct ill_lso_capab_s ill_lso_capab_t;
((ill)->ill_usesrc_grp_next != NULL))
/* Is this an virtual network interface (vni) ILL ? */
-#define IS_VNI(ill) \
- (((ill) != NULL) && \
+#define IS_VNI(ill) \
(((ill)->ill_phyint->phyint_flags & (PHYI_LOOPBACK|PHYI_VIRTUAL)) == \
- PHYI_VIRTUAL))
+ PHYI_VIRTUAL)
/* Is this a loopback ILL? */
#define IS_LOOPBACK(ill) \
@@ -1900,18 +1513,41 @@ typedef struct ipmp_grp_s {
* ARP up-to-date as the active set of interfaces in the group changes.
*/
typedef struct ipmp_arpent_s {
- mblk_t *ia_area_mp; /* AR_ENTRY_ADD pointer */
ipaddr_t ia_ipaddr; /* IP address for this entry */
boolean_t ia_proxyarp; /* proxy ARP entry? */
boolean_t ia_notified; /* ARP notified about this entry? */
list_node_t ia_node; /* next ARP entry in list */
+ uint16_t ia_flags; /* nce_flags for the address */
+ size_t ia_lladdr_len;
+ uchar_t *ia_lladdr;
} ipmp_arpent_t;
+struct arl_s;
+
+/*
+ * Per-ill capabilities.
+ */
+struct ill_hcksum_capab_s {
+ uint_t ill_hcksum_version; /* interface version */
+ uint_t ill_hcksum_txflags; /* capabilities on transmit */
+};
+
+struct ill_zerocopy_capab_s {
+ uint_t ill_zerocopy_version; /* interface version */
+ uint_t ill_zerocopy_flags; /* capabilities */
+};
+
+struct ill_lso_capab_s {
+ uint_t ill_lso_flags; /* capabilities */
+ uint_t ill_lso_max; /* maximum size of payload */
+};
+
/*
* IP Lower level Structure.
* Instance data structure in ip_open when there is a device below us.
*/
typedef struct ill_s {
+ pfillinput_t ill_inputfn; /* Fast input function selector */
ill_if_t *ill_ifptr; /* pointer to interface type */
queue_t *ill_rq; /* Read queue. */
queue_t *ill_wq; /* Write queue. */
@@ -1922,6 +1558,8 @@ typedef struct ill_s {
uint_t ill_ipif_up_count; /* Number of IPIFs currently up. */
uint_t ill_max_frag; /* Max IDU from DLPI. */
+ uint_t ill_current_frag; /* Current IDU from DLPI. */
+ uint_t ill_mtu; /* User-specified MTU; SIOCSLIFMTU */
char *ill_name; /* Our name. */
uint_t ill_ipif_dup_count; /* Number of duplicate addresses. */
uint_t ill_name_length; /* Name length, incl. terminator. */
@@ -1941,8 +1579,9 @@ typedef struct ill_s {
uint8_t *ill_frag_ptr; /* Reassembly state. */
timeout_id_t ill_frag_timer_id; /* timeout id for the frag timer */
ipfb_t *ill_frag_hash_tbl; /* Fragment hash list head. */
- ipif_t *ill_pending_ipif; /* IPIF waiting for DL operation. */
+ krwlock_t ill_mcast_lock; /* Protects multicast state */
+ kmutex_t ill_mcast_serializer; /* Serialize across ilg and ilm state */
ilm_t *ill_ilm; /* Multicast membership for ill */
uint_t ill_global_timer; /* for IGMPv3/MLDv2 general queries */
int ill_mcast_type; /* type of router which is querier */
@@ -1955,22 +1594,20 @@ typedef struct ill_s {
uint8_t ill_mcast_rv; /* IGMPv3/MLDv2 robustness variable */
int ill_mcast_qi; /* IGMPv3/MLDv2 query interval var */
- mblk_t *ill_pending_mp; /* IOCTL/DLPI awaiting completion. */
/*
* All non-NULL cells between 'ill_first_mp_to_free' and
* 'ill_last_mp_to_free' are freed in ill_delete.
*/
#define ill_first_mp_to_free ill_bcast_mp
mblk_t *ill_bcast_mp; /* DLPI header for broadcasts. */
- mblk_t *ill_resolver_mp; /* Resolver template. */
mblk_t *ill_unbind_mp; /* unbind mp from ill_dl_up() */
mblk_t *ill_promiscoff_mp; /* for ill_leave_allmulti() */
mblk_t *ill_dlpi_deferred; /* b_next chain of control messages */
- mblk_t *ill_ardeact_mp; /* deact mp from ipmp_ill_activate() */
mblk_t *ill_dest_addr_mp; /* mblk which holds ill_dest_addr */
mblk_t *ill_replumb_mp; /* replumb mp from ill_replumb() */
mblk_t *ill_phys_addr_mp; /* mblk which holds ill_phys_addr */
-#define ill_last_mp_to_free ill_phys_addr_mp
+ mblk_t *ill_mcast_deferred; /* b_next chain of IGMP/MLD packets */
+#define ill_last_mp_to_free ill_mcast_deferred
cred_t *ill_credp; /* opener's credentials */
uint8_t *ill_phys_addr; /* ill_phys_addr_mp->b_rptr + off */
@@ -1986,37 +1623,33 @@ typedef struct ill_s {
ill_dlpi_style_set : 1,
ill_ifname_pending : 1,
- ill_join_allmulti : 1,
ill_logical_down : 1,
ill_dl_up : 1,
-
ill_up_ipifs : 1,
+
ill_note_link : 1, /* supports link-up notification */
ill_capab_reneg : 1, /* capability renegotiation to be done */
ill_dld_capab_inprog : 1, /* direct dld capab call in prog */
-
ill_need_recover_multicast : 1,
- ill_pad_to_bit_31 : 19;
+
+ ill_replumbing : 1,
+ ill_arl_dlpi_pending : 1,
+
+ ill_pad_to_bit_31 : 18;
/* Following bit fields protected by ill_lock */
uint_t
ill_fragtimer_executing : 1,
ill_fragtimer_needrestart : 1,
- ill_ilm_cleanup_reqd : 1,
- ill_arp_closing : 1,
-
- ill_arp_bringup_pending : 1,
- ill_arp_extend : 1, /* ARP has DAD extensions */
ill_manual_token : 1, /* system won't override ill_token */
ill_manual_linklocal : 1, /* system won't auto-conf linklocal */
- ill_pad_bit_31 : 24;
+ ill_pad_bit_31 : 28;
/*
* Used in SIOCSIFMUXID and SIOCGIFMUXID for 'ifconfig unplumb'.
*/
- int ill_arp_muxid; /* muxid returned from plink for arp */
- int ill_ip_muxid; /* muxid returned from plink for ip */
+ int ill_muxid; /* muxid returned from plink */
/* Used for IP frag reassembly throttling on a per ILL basis. */
uint_t ill_ipf_gen; /* Generation of next fragment queue */
@@ -2033,20 +1666,13 @@ typedef struct ill_s {
uint_t ill_dlpi_capab_state; /* State of capability query, IDCS_* */
uint_t ill_capab_pending_cnt;
uint64_t ill_capabilities; /* Enabled capabilities, ILL_CAPAB_* */
- ill_mdt_capab_t *ill_mdt_capab; /* Multidata Transmit capabilities */
- ill_ipsec_capab_t *ill_ipsec_capab_ah; /* IPsec AH capabilities */
- ill_ipsec_capab_t *ill_ipsec_capab_esp; /* IPsec ESP capabilities */
ill_hcksum_capab_t *ill_hcksum_capab; /* H/W cksumming capabilities */
ill_zerocopy_capab_t *ill_zerocopy_capab; /* Zero-copy capabilities */
ill_dld_capab_t *ill_dld_capab; /* DLD capabilities */
ill_lso_capab_t *ill_lso_capab; /* Large Segment Offload capabilities */
mblk_t *ill_capab_reset_mp; /* Preallocated mblk for capab reset */
- /*
- * Fields for IPv6
- */
uint8_t ill_max_hops; /* Maximum hops for any logical interface */
- uint_t ill_max_mtu; /* Maximum MTU for any logical interface */
uint_t ill_user_mtu; /* User-specified MTU via SIOCSLIFLNKINFO */
uint32_t ill_reachable_time; /* Value for ND algorithm in msec */
uint32_t ill_reachable_retrans_time; /* Value for ND algorithm msec */
@@ -2057,20 +1683,6 @@ typedef struct ill_s {
uint32_t ill_xmit_count; /* ndp max multicast xmits */
mib2_ipIfStatsEntry_t *ill_ip_mib; /* ver indep. interface mib */
mib2_ipv6IfIcmpEntry_t *ill_icmp6_mib; /* Per interface mib */
- /*
- * Following two mblks are allocated common to all
- * the ipifs when the first interface is coming up.
- * It is sent up to arp when the last ipif is coming
- * down.
- */
- mblk_t *ill_arp_down_mp;
- mblk_t *ill_arp_del_mapping_mp;
- /*
- * Used for implementing IFF_NOARP. As IFF_NOARP is used
- * to turn off for all the logicals, it is here instead
- * of the ipif.
- */
- mblk_t *ill_arp_on_mp;
phyint_t *ill_phyint;
uint64_t ill_flags;
@@ -2094,11 +1706,11 @@ typedef struct ill_s {
*/
uint_t ill_ifname_pending_err;
avl_node_t ill_avl_byppa; /* avl node based on ppa */
- void *ill_fastpath_list; /* both ire and nce hang off this */
+ list_t ill_nce; /* pointer to nce_s list */
uint_t ill_refcnt; /* active refcnt by threads */
uint_t ill_ire_cnt; /* ires associated with this ill */
kcondvar_t ill_cv;
- uint_t ill_ilm_walker_cnt; /* snmp ilm walkers */
+ uint_t ill_ncec_cnt; /* ncecs associated with this ill */
uint_t ill_nce_cnt; /* nces associated with this ill */
uint_t ill_waiters; /* threads waiting in ipsq_enter */
/*
@@ -2119,6 +1731,17 @@ typedef struct ill_s {
void *ill_flownotify_mh; /* Tx flow ctl, mac cb handle */
uint_t ill_ilm_cnt; /* ilms referencing this ill */
uint_t ill_ipallmulti_cnt; /* ip_join_allmulti() calls */
+ ilm_t *ill_ipallmulti_ilm;
+
+ mblk_t *ill_saved_ire_mp; /* Allocated for each extra IRE */
+ /* with ire_ill set so they can */
+ /* survive the ill going down and up. */
+ kmutex_t ill_saved_ire_lock; /* Protects ill_saved_ire_mp, cnt */
+ uint_t ill_saved_ire_cnt; /* # entries */
+ struct arl_ill_common_s *ill_common;
+ ire_t *ill_ire_multicast; /* IRE_MULTICAST for ill */
+ clock_t ill_defend_start; /* start of 1 hour period */
+ uint_t ill_defend_count; /* # of announce/defends per ill */
/*
* IPMP fields.
*/
@@ -2131,6 +1754,8 @@ typedef struct ill_s {
uint_t ill_bound_cnt; /* # of data addresses bound to ill */
ipif_t *ill_bound_ipif; /* ipif chain bound to ill */
timeout_id_t ill_refresh_tid; /* ill refresh retry timeout id */
+
+ uint32_t ill_mrouter_cnt; /* mrouter allmulti joins */
} ill_t;
/*
@@ -2139,15 +1764,17 @@ typedef struct ill_s {
*/
#define ILL_FREE_OK(ill) \
((ill)->ill_ire_cnt == 0 && (ill)->ill_ilm_cnt == 0 && \
- (ill)->ill_nce_cnt == 0)
+ (ill)->ill_ncec_cnt == 0 && (ill)->ill_nce_cnt == 0)
/*
- * An ipif/ill can be marked down only when the ire and nce references
+ * An ipif/ill can be marked down only when the ire and ncec references
* to that ipif/ill goes to zero. ILL_DOWN_OK() is a necessary condition
* quiescence checks. See comments above IPIF_DOWN_OK for details
* on why ires and nces are selectively considered for this macro.
*/
-#define ILL_DOWN_OK(ill) (ill->ill_ire_cnt == 0 && ill->ill_nce_cnt == 0)
+#define ILL_DOWN_OK(ill) \
+ (ill->ill_ire_cnt == 0 && ill->ill_ncec_cnt == 0 && \
+ ill->ill_nce_cnt == 0)
/*
* The following table lists the protection levels of the various members
@@ -2162,7 +1789,8 @@ typedef struct ill_s {
* ill_error ipsq None
* ill_ipif ill_g_lock + ipsq ill_g_lock OR ipsq
* ill_ipif_up_count ill_lock + ipsq ill_lock OR ipsq
- * ill_max_frag ipsq Write once
+ * ill_max_frag ill_lock ill_lock
+ * ill_current_frag ill_lock ill_lock
*
* ill_name ill_g_lock + ipsq Write once
* ill_name_length ill_g_lock + ipsq Write once
@@ -2179,23 +1807,22 @@ typedef struct ill_s {
*
* ill_frag_timer_id ill_lock ill_lock
* ill_frag_hash_tbl ipsq up ill
- * ill_ilm ipsq + ill_lock ill_lock
- * ill_mcast_type ill_lock ill_lock
- * ill_mcast_v1_time ill_lock ill_lock
- * ill_mcast_v2_time ill_lock ill_lock
- * ill_mcast_v1_tset ill_lock ill_lock
- * ill_mcast_v2_tset ill_lock ill_lock
- * ill_mcast_rv ill_lock ill_lock
- * ill_mcast_qi ill_lock ill_lock
- * ill_pending_mp ill_lock ill_lock
- *
- * ill_bcast_mp ipsq ipsq
- * ill_resolver_mp ipsq only when ill is up
+ * ill_ilm ill_mcast_lock(WRITER) ill_mcast_lock(READER)
+ * ill_global_timer ill_mcast_lock(WRITER) ill_mcast_lock(READER)
+ * ill_mcast_type ill_mcast_lock(WRITER) ill_mcast_lock(READER)
+ * ill_mcast_v1_time ill_mcast_lock(WRITER) ill_mcast_lock(READER)
+ * ill_mcast_v2_time ill_mcast_lock(WRITER) ill_mcast_lock(READER)
+ * ill_mcast_v1_tset ill_mcast_lock(WRITER) ill_mcast_lock(READER)
+ * ill_mcast_v2_tset ill_mcast_lock(WRITER) ill_mcast_lock(READER)
+ * ill_mcast_rv ill_mcast_lock(WRITER) ill_mcast_lock(READER)
+ * ill_mcast_qi ill_mcast_lock(WRITER) ill_mcast_lock(READER)
+ *
* ill_down_mp ipsq ipsq
* ill_dlpi_deferred ill_lock ill_lock
* ill_dlpi_pending ipsq + ill_lock ipsq or ill_lock or
* absence of ipsq writer.
* ill_phys_addr_mp ipsq + down ill only when ill is up
+ * ill_mcast_deferred ill_lock ill_lock
* ill_phys_addr ipsq + down ill only when ill is up
* ill_dest_addr_mp ipsq + down ill only when ill is up
* ill_dest_addr ipsq + down ill only when ill is up
@@ -2204,8 +1831,7 @@ typedef struct ill_s {
* exclusive bit flags ipsq_t ipsq_t
* shared bit flags ill_lock ill_lock
*
- * ill_arp_muxid ipsq Not atomic
- * ill_ip_muxid ipsq Not atomic
+ * ill_muxid ipsq Not atomic
*
* ill_ipf_gen Not atomic
* ill_frag_count atomics atomics
@@ -2215,7 +1841,7 @@ typedef struct ill_s {
* ill_dlpi_capab_state ipsq ipsq
* ill_max_hops ipsq Not atomic
*
- * ill_max_mtu
+ * ill_mtu ill_lock None
*
* ill_user_mtu ipsq + ill_lock ill_lock
* ill_reachable_time ipsq + ill_lock ill_lock
@@ -2230,9 +1856,6 @@ typedef struct ill_s {
* ill_xmit_count ipsq + down ill write once
* ill_ip6_mib ipsq + down ill only when ill is up
* ill_icmp6_mib ipsq + down ill only when ill is up
- * ill_arp_down_mp ipsq ipsq
- * ill_arp_del_mapping_mp ipsq ipsq
- * ill_arp_on_mp ipsq ipsq
*
* ill_phyint ipsq, ill_g_lock, ill_lock Any of them
* ill_flags ill_lock ill_lock
@@ -2247,7 +1870,7 @@ typedef struct ill_s {
* ill_refcnt ill_lock ill_lock
* ill_ire_cnt ill_lock ill_lock
* ill_cv ill_lock ill_lock
- * ill_ilm_walker_cnt ill_lock ill_lock
+ * ill_ncec_cnt ill_lock ill_lock
* ill_nce_cnt ill_lock ill_lock
* ill_ilm_cnt ill_lock ill_lock
* ill_src_ipif ill_g_lock ill_g_lock
@@ -2256,8 +1879,12 @@ typedef struct ill_s {
* ill_dhcpinit atomics atomics
* ill_flownotify_mh write once write once
* ill_capab_pending_cnt ipsq ipsq
- *
- * ill_bound_cnt ipsq ipsq
+ * ill_ipallmulti_cnt ill_lock ill_lock
+ * ill_ipallmulti_ilm ill_lock ill_lock
+ * ill_saved_ire_mp ill_saved_ire_lock ill_saved_ire_lock
+ * ill_saved_ire_cnt ill_saved_ire_lock ill_saved_ire_lock
+ * ill_arl ??? ???
+ * ill_ire_multicast ipsq + quiescent none
* ill_bound_ipif ipsq ipsq
* ill_actnode ipsq + ipmp_lock ipsq OR ipmp_lock
* ill_grpnode ipsq + ill_g_lock ipsq OR ill_g_lock
@@ -2267,6 +1894,7 @@ typedef struct ill_s {
* ill_refresh_tid ill_lock ill_lock
* ill_grp (for IPMP ill) write once write once
* ill_grp (for underlying ill) ipsq + ill_g_lock ipsq OR ill_g_lock
+ * ill_mrouter_cnt atomics atomics
*
* NOTE: It's OK to make heuristic decisions on an underlying interface
* by using IS_UNDER_IPMP() or comparing ill_grp's raw pointer value.
@@ -2311,7 +1939,6 @@ enum { IF_CMD = 1, LIF_CMD, ARP_CMD, XARP_CMD, MSFILT_CMD, MISC_CMD };
#define IPI_GET_CMD 0x8 /* branch to mi_copyout on success */
/* unused 0x10 */
#define IPI_NULL_BCONT 0x20 /* ioctl has not data and hence no b_cont */
-#define IPI_PASS_DOWN 0x40 /* pass this ioctl down when a module only */
extern ip_ioctl_cmd_t ip_ndx_ioctl_table[];
extern ip_ioctl_cmd_t ip_misc_ioctl_table[];
@@ -2362,6 +1989,430 @@ typedef struct ipndp_s {
char *ip_ndp_name;
} ipndp_t;
+/* IXA Notification types */
+typedef enum {
+ IXAN_LSO, /* LSO capability change */
+ IXAN_PMTU, /* PMTU change */
+ IXAN_ZCOPY /* ZEROCOPY capability change */
+} ixa_notify_type_t;
+
+typedef uint_t ixa_notify_arg_t;
+
+typedef void (*ixa_notify_t)(void *, ip_xmit_attr_t *ixa, ixa_notify_type_t,
+ ixa_notify_arg_t);
+
+/*
+ * Attribute flags that are common to the transmit and receive attributes
+ */
+#define IAF_IS_IPV4 0x80000000 /* ipsec_*_v4 */
+#define IAF_TRUSTED_ICMP 0x40000000 /* ipsec_*_icmp_loopback */
+#define IAF_NO_LOOP_ZONEID_SET 0x20000000 /* Zone that shouldn't have */
+ /* a copy */
+#define IAF_LOOPBACK_COPY 0x10000000 /* For multi and broadcast */
+
+#define IAF_MASK 0xf0000000 /* Flags that are common */
+
+/*
+ * Transmit side attributes used between the transport protocols and IP as
+ * well as inside IP. It is also used to cache information in the conn_t i.e.
+ * replaces conn_ire and the IPsec caching in the conn_t.
+ */
+struct ip_xmit_attr_s {
+ iaflags_t ixa_flags; /* IXAF_*. See below */
+
+ uint32_t ixa_free_flags; /* IXA_FREE_*. See below */
+ uint32_t ixa_refcnt; /* Using atomics */
+
+ /*
+ * Always initialized independently of ixa_flags settings.
+ * Used by ip_xmit so we keep them up front for cache locality.
+ */
+ uint32_t ixa_xmit_hint; /* For ECMP and GLD TX ring fanout */
+ uint_t ixa_pktlen; /* Always set. For frag and stats */
+ zoneid_t ixa_zoneid; /* Assumed always set */
+
+ /* Always set for conn_ip_output(); might be stale */
+ /*
+ * Since TCP keeps the conn_t around past the process going away
+ * we need to use the "notr" (e.g, ire_refhold_notr) for ixa_ire,
+ * ixa_nce, and ixa_dce.
+ */
+ ire_t *ixa_ire; /* Forwarding table entry */
+ uint_t ixa_ire_generation;
+ nce_t *ixa_nce; /* Neighbor cache entry */
+ dce_t *ixa_dce; /* Destination cache entry */
+ uint_t ixa_dce_generation;
+ uint_t ixa_src_generation; /* If IXAF_VERIFY_SOURCE */
+
+ uint32_t ixa_src_preferences; /* prefs for src addr select */
+ uint32_t ixa_pmtu; /* IXAF_VERIFY_PMTU */
+
+ /* Set by ULP if IXAF_VERIFY_PMTU; otherwise set by IP */
+ uint32_t ixa_fragsize;
+
+ int8_t ixa_use_min_mtu; /* IXAF_USE_MIN_MTU values */
+
+ pfirepostfrag_t ixa_postfragfn; /* Set internally in IP */
+
+ in6_addr_t ixa_nexthop_v6; /* IXAF_NEXTHOP_SET */
+#define ixa_nexthop_v4 V4_PART_OF_V6(ixa_nexthop_v6)
+
+ zoneid_t ixa_no_loop_zoneid; /* IXAF_NO_LOOP_ZONEID_SET */
+
+ uint_t ixa_scopeid; /* For IPv6 link-locals */
+
+ uint_t ixa_broadcast_ttl; /* IXAF_BROACAST_TTL_SET */
+
+ uint_t ixa_multicast_ttl; /* Assumed set for multicast */
+ uint_t ixa_multicast_ifindex; /* Assumed set for multicast */
+ ipaddr_t ixa_multicast_ifaddr; /* Assumed set for multicast */
+
+ int ixa_raw_cksum_offset; /* If IXAF_SET_RAW_CKSUM */
+
+ uint32_t ixa_ident; /* For IPv6 fragment header */
+
+ /*
+ * Cached LSO information.
+ */
+ ill_lso_capab_t ixa_lso_capab; /* Valid when IXAF_LSO_CAPAB */
+
+ uint64_t ixa_ipsec_policy_gen; /* Generation from iph_gen */
+ /*
+ * The following IPsec fields are only initialized when
+ * IXAF_IPSEC_SECURE is set. Otherwise they contain garbage.
+ */
+ ipsec_latch_t *ixa_ipsec_latch; /* Just the ids */
+ struct ipsa_s *ixa_ipsec_ah_sa; /* Hard reference SA for AH */
+ struct ipsa_s *ixa_ipsec_esp_sa; /* Hard reference SA for ESP */
+ struct ipsec_policy_s *ixa_ipsec_policy; /* why are we here? */
+ struct ipsec_action_s *ixa_ipsec_action; /* For reflected packets */
+ ipsa_ref_t ixa_ipsec_ref[2]; /* Soft reference to SA */
+ /* 0: ESP, 1: AH */
+
+ /*
+ * The selectors here are potentially different than the SPD rule's
+ * selectors, and we need to have both available for IKEv2.
+ *
+ * NOTE: "Source" and "Dest" are w.r.t. outbound datagrams. Ports can
+ * be zero, and the protocol number is needed to make the ports
+ * significant.
+ */
+ uint16_t ixa_ipsec_src_port; /* Source port number of d-gram. */
+ uint16_t ixa_ipsec_dst_port; /* Destination port number of d-gram. */
+ uint8_t ixa_ipsec_icmp_type; /* ICMP type of d-gram */
+ uint8_t ixa_ipsec_icmp_code; /* ICMP code of d-gram */
+
+ sa_family_t ixa_ipsec_inaf; /* Inner address family */
+#define IXA_MAX_ADDRLEN 4 /* Max addr len. (in 32-bit words) */
+ uint32_t ixa_ipsec_insrc[IXA_MAX_ADDRLEN]; /* Inner src address */
+ uint32_t ixa_ipsec_indst[IXA_MAX_ADDRLEN]; /* Inner dest address */
+ uint8_t ixa_ipsec_insrcpfx; /* Inner source prefix */
+ uint8_t ixa_ipsec_indstpfx; /* Inner destination prefix */
+
+ uint8_t ixa_ipsec_proto; /* IP protocol number for d-gram. */
+
+ /* Always initialized independently of ixa_flags settings */
+ uint_t ixa_ifindex; /* Assumed always set */
+ uint16_t ixa_ip_hdr_length; /* Points to ULP header */
+ uint8_t ixa_protocol; /* Protocol number for ULP cksum */
+ ts_label_t *ixa_tsl; /* Always set. NULL if not TX */
+ ip_stack_t *ixa_ipst; /* Always set */
+ uint32_t ixa_extra_ident; /* Set if LSO */
+ cred_t *ixa_cred; /* For getpeerucred */
+ pid_t ixa_cpid; /* For getpeerucred */
+
+#ifdef DEBUG
+ kthread_t *ixa_curthread; /* For serialization assert */
+#endif
+ squeue_t *ixa_sqp; /* Set from conn_sqp as a hint */
+ uintptr_t ixa_cookie; /* cookie to use for tx flow control */
+
+ /*
+ * Must be set by ULP if any of IXAF_VERIFY_LSO, IXAF_VERIFY_PMTU,
+ * or IXAF_VERIFY_ZCOPY is set.
+ */
+ ixa_notify_t ixa_notify; /* Registered upcall notify function */
+ void *ixa_notify_cookie; /* ULP cookie for ixa_notify */
+};
+
+/*
+ * Flags to indicate which transmit attributes are set.
+ * Split into "xxx_SET" ones which indicate that the "xxx" field it set, and
+ * single flags.
+ */
+#define IXAF_REACH_CONF 0x00000001 /* Reachability confirmation */
+#define IXAF_BROADCAST_TTL_SET 0x00000002 /* ixa_broadcast_ttl valid */
+#define IXAF_SET_SOURCE 0x00000004 /* Replace if broadcast */
+#define IXAF_USE_MIN_MTU 0x00000008 /* IPV6_USE_MIN_MTU */
+
+#define IXAF_DONTFRAG 0x00000010 /* IP*_DONTFRAG */
+#define IXAF_VERIFY_PMTU 0x00000020 /* ixa_pmtu/ixa_fragsize set */
+#define IXAF_PMTU_DISCOVERY 0x00000040 /* Create/use PMTU state */
+#define IXAF_MULTICAST_LOOP 0x00000080 /* IP_MULTICAST_LOOP */
+
+#define IXAF_IPSEC_SECURE 0x00000100 /* Need IPsec processing */
+#define IXAF_UCRED_TSL 0x00000200 /* ixa_tsl from SCM_UCRED */
+#define IXAF_DONTROUTE 0x00000400 /* SO_DONTROUTE */
+#define IXAF_NO_IPSEC 0x00000800 /* Ignore policy */
+
+#define IXAF_PMTU_TOO_SMALL 0x00001000 /* PMTU too small */
+#define IXAF_SET_ULP_CKSUM 0x00002000 /* Calculate ULP checksum */
+#define IXAF_VERIFY_SOURCE 0x00004000 /* Check that source is ok */
+#define IXAF_NEXTHOP_SET 0x00008000 /* ixa_nexthop set */
+
+#define IXAF_PMTU_IPV4_DF 0x00010000 /* Set IPv4 DF */
+#define IXAF_NO_DEV_FLOW_CTL 0x00020000 /* Protocol needs no flow ctl */
+#define IXAF_NO_TTL_CHANGE 0x00040000 /* Internal to IP */
+#define IXAF_IPV6_ADD_FRAGHDR 0x00080000 /* Add fragment header */
+
+#define IXAF_IPSEC_TUNNEL 0x00100000 /* Tunnel mode */
+#define IXAF_NO_PFHOOK 0x00200000 /* Skip xmit pfhook */
+#define IXAF_NO_TRACE 0x00400000 /* When back from ARP/ND */
+#define IXAF_SCOPEID_SET 0x00800000 /* ixa_scopeid set */
+
+#define IXAF_MULTIRT_MULTICAST 0x01000000 /* MULTIRT for multicast */
+#define IXAF_NO_HW_CKSUM 0x02000000 /* Force software cksum */
+#define IXAF_SET_RAW_CKSUM 0x04000000 /* Use ixa_raw_cksum_offset */
+#define IXAF_IPSEC_GLOBAL_POLICY 0x08000000 /* Policy came from global */
+
+/* Note the following uses bits 0x10000000 through 0x80000000 */
+#define IXAF_IS_IPV4 IAF_IS_IPV4
+#define IXAF_TRUSTED_ICMP IAF_TRUSTED_ICMP
+#define IXAF_NO_LOOP_ZONEID_SET IAF_NO_LOOP_ZONEID_SET
+#define IXAF_LOOPBACK_COPY IAF_LOOPBACK_COPY
+
+/* Note: use the upper 32 bits */
+#define IXAF_VERIFY_LSO 0x100000000 /* Check LSO capability */
+#define IXAF_LSO_CAPAB 0x200000000 /* Capable of LSO */
+#define IXAF_VERIFY_ZCOPY 0x400000000 /* Check Zero Copy capability */
+#define IXAF_ZCOPY_CAPAB 0x800000000 /* Capable of ZEROCOPY */
+
+/*
+ * The normal flags for sending packets e.g., icmp errors
+ */
+#define IXAF_BASIC_SIMPLE_V4 (IXAF_SET_ULP_CKSUM | IXAF_IS_IPV4)
+#define IXAF_BASIC_SIMPLE_V6 (IXAF_SET_ULP_CKSUM)
+
+/*
+ * Normally these fields do not have a hold. But in some cases they do, for
+ * instance when we've gone through ip_*_attr_to/from_mblk.
+ * We use ixa_free_flags to indicate that they have a hold and need to be
+ * released on cleanup.
+ */
+#define IXA_FREE_CRED 0x00000001 /* ixa_cred needs to be rele */
+#define IXA_FREE_TSL 0x00000002 /* ixa_tsl needs to be rele */
+
+/*
+ * Simplistic way to set the ixa_xmit_hint for locally generated traffic
+ * and forwarded traffic. The shift amount are based on the size of the
+ * structs to discard the low order bits which don't have much if any variation
+ * (coloring in kmem_cache_alloc might provide some variation).
+ *
+ * Basing the locally generated hint on the address of the conn_t means that
+ * the packets from the same socket/connection do not get reordered.
+ * Basing the hint for forwarded traffic on the ill_ring_t means that
+ * packets from the same NIC+ring are likely to use the same outbound ring
+ * hence we get low contention on the ring in the transmitting driver.
+ */
+#define CONN_TO_XMIT_HINT(connp) ((uint32_t)(((uintptr_t)connp) >> 11))
+#define ILL_RING_TO_XMIT_HINT(ring) ((uint32_t)(((uintptr_t)ring) >> 7))
+
+/*
+ * IP set Destination Flags used by function ip_set_destination,
+ * ip_attr_connect, and conn_connect.
+ */
+#define IPDF_ALLOW_MCBC 0x1 /* Allow multi/broadcast */
+#define IPDF_VERIFY_DST 0x2 /* Verify destination addr */
+#define IPDF_SELECT_SRC 0x4 /* Select source address */
+#define IPDF_LSO 0x8 /* Try LSO */
+#define IPDF_IPSEC 0x10 /* Set IPsec policy */
+#define IPDF_ZONE_IS_GLOBAL 0x20 /* From conn_zone_is_global */
+#define IPDF_ZCOPY 0x40 /* Try ZEROCOPY */
+#define IPDF_UNIQUE_DCE 0x80 /* Get a per-destination DCE */
+
+/*
+ * Receive side attributes used between the transport protocols and IP as
+ * well as inside IP.
+ */
+struct ip_recv_attr_s {
+ iaflags_t ira_flags; /* See below */
+
+ uint32_t ira_free_flags; /* IRA_FREE_*. See below */
+
+ /*
+ * This is a hint for TCP SYN packets.
+ * Always initialized independently of ira_flags settings
+ */
+ squeue_t *ira_sqp;
+ ill_rx_ring_t *ira_ring; /* Internal to IP */
+
+ /* For ip_accept_tcp when IRAF_TARGET_SQP is set */
+ squeue_t *ira_target_sqp;
+ mblk_t *ira_target_sqp_mp;
+
+ /* Always initialized independently of ira_flags settings */
+ uint32_t ira_xmit_hint; /* For ECMP and GLD TX ring fanout */
+ zoneid_t ira_zoneid; /* ALL_ZONES unless local delivery */
+ uint_t ira_pktlen; /* Always set. For frag and stats */
+ uint16_t ira_ip_hdr_length; /* Points to ULP header */
+ uint8_t ira_protocol; /* Protocol number for ULP cksum */
+ uint_t ira_rifindex; /* Received ifindex */
+ uint_t ira_ruifindex; /* Received upper ifindex */
+ ts_label_t *ira_tsl; /* Always set. NULL if not TX */
+ /*
+ * ira_rill and ira_ill is set inside IP, but not when conn_recv is
+ * called; ULPs should use ira_ruifindex instead.
+ */
+ ill_t *ira_rill; /* ill where packet came */
+ ill_t *ira_ill; /* ill where IP address hosted */
+ cred_t *ira_cred; /* For getpeerucred */
+ pid_t ira_cpid; /* For getpeerucred */
+
+ /* Used when IRAF_VERIFIED_SRC is set; this source was ok */
+ ipaddr_t ira_verified_src;
+
+ /*
+ * The following IPsec fields are only initialized when
+ * IRAF_IPSEC_SECURE is set. Otherwise they contain garbage.
+ */
+ struct ipsec_action_s *ira_ipsec_action; /* how we made it in.. */
+ struct ipsa_s *ira_ipsec_ah_sa; /* SA for AH */
+ struct ipsa_s *ira_ipsec_esp_sa; /* SA for ESP */
+
+ ipaddr_t ira_mroute_tunnel; /* IRAF_MROUTE_TUNNEL_SET */
+
+ zoneid_t ira_no_loop_zoneid; /* IRAF_NO_LOOP_ZONEID_SET */
+
+ uint32_t ira_esp_udp_ports; /* IRAF_ESP_UDP_PORTS */
+
+ /*
+ * For IP_RECVSLLA and ip_ndp_conflict/find_solicitation.
+ * Same size as max for sockaddr_dl
+ */
+#define IRA_L2SRC_SIZE 244
+ uint8_t ira_l2src[IRA_L2SRC_SIZE]; /* If IRAF_L2SRC_SET */
+
+ /*
+ * Local handle that we use to do lazy setting of ira_l2src.
+ * We defer setting l2src until needed but we do before any
+ * ip_input pullupmsg or copymsg.
+ */
+ struct mac_header_info_s *ira_mhip; /* Could be NULL */
+};
+
+/*
+ * Flags to indicate which receive attributes are set.
+ */
+#define IRAF_SYSTEM_LABELED 0x00000001 /* is_system_labeled() */
+#define IRAF_IPV4_OPTIONS 0x00000002 /* Performance */
+#define IRAF_MULTICAST 0x00000004 /* Was multicast at L3 */
+#define IRAF_BROADCAST 0x00000008 /* Was broadcast at L3 */
+#define IRAF_MULTIBROADCAST (IRAF_MULTICAST|IRAF_BROADCAST)
+
+#define IRAF_LOOPBACK 0x00000010 /* Looped back by IP */
+#define IRAF_VERIFY_IP_CKSUM 0x00000020 /* Need to verify IP */
+#define IRAF_VERIFY_ULP_CKSUM 0x00000040 /* Need to verify TCP,UDP,etc */
+#define IRAF_SCTP_CSUM_ERR 0x00000080 /* sctp pkt has failed chksum */
+
+#define IRAF_IPSEC_SECURE 0x00000100 /* Passed AH and/or ESP */
+#define IRAF_DHCP_UNICAST 0x00000200
+#define IRAF_IPSEC_DECAPS 0x00000400 /* Was packet decapsulated */
+ /* from a matching inner packet? */
+#define IRAF_TARGET_SQP 0x00000800 /* ira_target_sqp is set */
+#define IRAF_VERIFIED_SRC 0x00001000 /* ira_verified_src set */
+#define IRAF_RSVP 0x00002000 /* RSVP packet for rsvpd */
+#define IRAF_MROUTE_TUNNEL_SET 0x00004000 /* From ip_mroute_decap */
+#define IRAF_PIM_REGISTER 0x00008000 /* From register_mforward */
+
+#define IRAF_TX_MAC_EXEMPTABLE 0x00010000 /* Allow MAC_EXEMPT readdown */
+#define IRAF_TX_SHARED_ADDR 0x00020000 /* Arrived on ALL_ZONES addr */
+#define IRAF_ESP_UDP_PORTS 0x00040000 /* NAT-traversal packet */
+#define IRAF_NO_HW_CKSUM 0x00080000 /* Force software cksum */
+
+#define IRAF_ICMP_ERROR 0x00100000 /* Send to conn_recvicmp */
+#define IRAF_ROUTER_ALERT 0x00200000 /* IPv6 router alert */
+#define IRAF_L2SRC_SET 0x00400000 /* ira_l2src has been set */
+#define IRAF_L2SRC_LOOPBACK 0x00800000 /* Came from us */
+
+#define IRAF_L2DST_MULTICAST 0x01000000 /* Multicast at L2 */
+#define IRAF_L2DST_BROADCAST 0x02000000 /* Broadcast at L2 */
+/* Unused 0x04000000 */
+/* Unused 0x08000000 */
+
+/* Below starts with 0x10000000 */
+#define IRAF_IS_IPV4 IAF_IS_IPV4
+#define IRAF_TRUSTED_ICMP IAF_TRUSTED_ICMP
+#define IRAF_NO_LOOP_ZONEID_SET IAF_NO_LOOP_ZONEID_SET
+#define IRAF_LOOPBACK_COPY IAF_LOOPBACK_COPY
+
+/*
+ * Normally these fields do not have a hold. But in some cases they do, for
+ * instance when we've gone through ip_*_attr_to/from_mblk.
+ * We use ira_free_flags to indicate that they have a hold and need to be
+ * released on cleanup.
+ */
+#define IRA_FREE_CRED 0x00000001 /* ira_cred needs to be rele */
+#define IRA_FREE_TSL 0x00000002 /* ira_tsl needs to be rele */
+
+/*
+ * Optional destination cache entry for path MTU information,
+ * and ULP metrics.
+ */
+struct dce_s {
+ uint_t dce_generation; /* Changed since cached? */
+ uint_t dce_flags; /* See below */
+ uint_t dce_ipversion; /* IPv4/IPv6 version */
+ uint32_t dce_pmtu; /* Path MTU if DCEF_PMTU */
+ uint32_t dce_ident; /* Per destination IP ident. */
+ iulp_t dce_uinfo; /* Metrics if DCEF_UINFO */
+
+ struct dce_s *dce_next;
+ struct dce_s **dce_ptpn;
+ struct dcb_s *dce_bucket;
+
+ union {
+ in6_addr_t dceu_v6addr;
+ ipaddr_t dceu_v4addr;
+ } dce_u;
+#define dce_v4addr dce_u.dceu_v4addr
+#define dce_v6addr dce_u.dceu_v6addr
+ /* Note that for IPv6+IPMP we use the ifindex for the upper interface */
+ uint_t dce_ifindex; /* For IPv6 link-locals */
+
+ kmutex_t dce_lock;
+ uint_t dce_refcnt;
+ uint64_t dce_last_change_time; /* Path MTU. In seconds */
+
+ ip_stack_t *dce_ipst; /* Does not have a netstack_hold */
+};
+
+/*
+ * Values for dce_generation.
+ *
+ * If a DCE has DCE_GENERATION_CONDEMNED, the last dce_refrele should delete
+ * it.
+ *
+ * DCE_GENERATION_VERIFY is never stored in dce_generation but it is
+ * stored in places that cache DCE (such as ixa_dce_generation).
+ * It is used as a signal that the cache is stale and needs to be reverified.
+ */
+#define DCE_GENERATION_CONDEMNED 0
+#define DCE_GENERATION_VERIFY 1
+#define DCE_GENERATION_INITIAL 2
+#define DCE_IS_CONDEMNED(dce) \
+ ((dce)->dce_generation == DCE_GENERATION_CONDEMNED)
+
+
+/*
+ * Values for ips_src_generation.
+ *
+ * SRC_GENERATION_VERIFY is never stored in ips_src_generation but it is
+ * stored in places that cache IREs (ixa_src_generation). It is used as a
+ * signal that the cache is stale and needs to be reverified.
+ */
+#define SRC_GENERATION_VERIFY 0
+#define SRC_GENERATION_INITIAL 1
+
/*
* The kernel stores security attributes of all gateways in a database made
* up of one or more tsol_gcdb_t elements. Each tsol_gcdb_t contains the
@@ -2453,183 +2504,28 @@ extern kmutex_t gcgrp_lock;
*/
struct tsol_tnrhc;
-typedef struct tsol_ire_gw_secattr_s {
+struct tsol_ire_gw_secattr_s {
kmutex_t igsa_lock; /* lock to protect following */
struct tsol_tnrhc *igsa_rhc; /* host entry for gateway */
tsol_gc_t *igsa_gc; /* for prefix IREs */
- tsol_gcgrp_t *igsa_gcgrp; /* for cache IREs */
-} tsol_ire_gw_secattr_t;
-
-/*
- * Following are the macros to increment/decrement the reference
- * count of the IREs and IRBs (ire bucket).
- *
- * 1) We bump up the reference count of an IRE to make sure that
- * it does not get deleted and freed while we are using it.
- * Typically all the lookup functions hold the bucket lock,
- * and look for the IRE. If it finds an IRE, it bumps up the
- * reference count before dropping the lock. Sometimes we *may* want
- * to bump up the reference count after we *looked* up i.e without
- * holding the bucket lock. So, the IRE_REFHOLD macro does not assert
- * on the bucket lock being held. Any thread trying to delete from
- * the hash bucket can still do so but cannot free the IRE if
- * ire_refcnt is not 0.
- *
- * 2) We bump up the reference count on the bucket where the IRE resides
- * (IRB), when we want to prevent the IREs getting deleted from a given
- * hash bucket. This makes life easier for ire_walk type functions which
- * wants to walk the IRE list, call a function, but needs to drop
- * the bucket lock to prevent recursive rw_enters. While the
- * lock is dropped, the list could be changed by other threads or
- * the same thread could end up deleting the ire or the ire pointed by
- * ire_next. IRE_REFHOLDing the ire or ire_next is not sufficient as
- * a delete will still remove the ire from the bucket while we have
- * dropped the lock and hence the ire_next would be NULL. Thus, we
- * need a mechanism to prevent deletions from a given bucket.
- *
- * To prevent deletions, we bump up the reference count on the
- * bucket. If the bucket is held, ire_delete just marks IRE_MARK_CONDEMNED
- * both on the ire's ire_marks and the bucket's irb_marks. When the
- * reference count on the bucket drops to zero, all the CONDEMNED ires
- * are deleted. We don't have to bump up the reference count on the
- * bucket if we are walking the bucket and never have to drop the bucket
- * lock. Note that IRB_REFHOLD does not prevent addition of new ires
- * in the list. It is okay because addition of new ires will not cause
- * ire_next to point to freed memory. We do IRB_REFHOLD only when
- * all of the 3 conditions are true :
- *
- * 1) The code needs to walk the IRE bucket from start to end.
- * 2) It may have to drop the bucket lock sometimes while doing (1)
- * 3) It does not want any ires to be deleted meanwhile.
- */
-
-/*
- * Bump up the reference count on the IRE. We cannot assert that the
- * bucket lock is being held as it is legal to bump up the reference
- * count after the first lookup has returned the IRE without
- * holding the lock. Currently ip_wput does this for caching IRE_CACHEs.
- */
-
-#ifdef DEBUG
-#define IRE_UNTRACE_REF(ire) ire_untrace_ref(ire);
-#define IRE_TRACE_REF(ire) ire_trace_ref(ire);
-#else
-#define IRE_UNTRACE_REF(ire)
-#define IRE_TRACE_REF(ire)
-#endif
-
-#define IRE_REFHOLD_NOTR(ire) { \
- atomic_add_32(&(ire)->ire_refcnt, 1); \
- ASSERT((ire)->ire_refcnt != 0); \
-}
-
-#define IRE_REFHOLD(ire) { \
- IRE_REFHOLD_NOTR(ire); \
- IRE_TRACE_REF(ire); \
-}
-
-#define IRE_REFHOLD_LOCKED(ire) { \
- IRE_TRACE_REF(ire); \
- (ire)->ire_refcnt++; \
-}
-
-/*
- * Decrement the reference count on the IRE.
- * In architectures e.g sun4u, where atomic_add_32_nv is just
- * a cas, we need to maintain the right memory barrier semantics
- * as that of mutex_exit i.e all the loads and stores should complete
- * before the cas is executed. membar_exit() does that here.
- *
- * NOTE : This macro is used only in places where we want performance.
- * To avoid bloating the code, we use the function "ire_refrele"
- * which essentially calls the macro.
- */
-#define IRE_REFRELE_NOTR(ire) { \
- ASSERT((ire)->ire_refcnt != 0); \
- membar_exit(); \
- if (atomic_add_32_nv(&(ire)->ire_refcnt, -1) == 0) \
- ire_inactive(ire); \
-}
-
-#define IRE_REFRELE(ire) { \
- if (ire->ire_bucket != NULL) { \
- IRE_UNTRACE_REF(ire); \
- } \
- IRE_REFRELE_NOTR(ire); \
-}
-
-/*
- * Bump up the reference count on the hash bucket - IRB to
- * prevent ires from being deleted in this bucket.
- */
-#define IRB_REFHOLD(irb) { \
- rw_enter(&(irb)->irb_lock, RW_WRITER); \
- (irb)->irb_refcnt++; \
- ASSERT((irb)->irb_refcnt != 0); \
- rw_exit(&(irb)->irb_lock); \
-}
-#define IRB_REFHOLD_LOCKED(irb) { \
- ASSERT(RW_WRITE_HELD(&(irb)->irb_lock)); \
- (irb)->irb_refcnt++; \
- ASSERT((irb)->irb_refcnt != 0); \
-}
+};
void irb_refrele_ftable(irb_t *);
-/*
- * Note: when IRB_MARK_FTABLE (i.e., IRE_CACHETABLE entry), the irb_t
- * is statically allocated, so that when the irb_refcnt goes to 0,
- * we simply clean up the ire list and continue.
- */
-#define IRB_REFRELE(irb) { \
- if ((irb)->irb_marks & IRB_MARK_FTABLE) { \
- irb_refrele_ftable((irb)); \
- } else { \
- rw_enter(&(irb)->irb_lock, RW_WRITER); \
- ASSERT((irb)->irb_refcnt != 0); \
- if (--(irb)->irb_refcnt == 0 && \
- ((irb)->irb_marks & IRE_MARK_CONDEMNED)) { \
- ire_t *ire_list; \
- \
- ire_list = ire_unlink(irb); \
- rw_exit(&(irb)->irb_lock); \
- ASSERT(ire_list != NULL); \
- ire_cleanup(ire_list); \
- } else { \
- rw_exit(&(irb)->irb_lock); \
- } \
- } \
-}
extern struct kmem_cache *rt_entry_cache;
-/*
- * Lock the fast path mp for access, since the fp_mp can be deleted
- * due a DL_NOTE_FASTPATH_FLUSH in the case of IRE_BROADCAST
- */
-
-#define LOCK_IRE_FP_MP(ire) { \
- if ((ire)->ire_type == IRE_BROADCAST) \
- mutex_enter(&ire->ire_nce->nce_lock); \
- }
-#define UNLOCK_IRE_FP_MP(ire) { \
- if ((ire)->ire_type == IRE_BROADCAST) \
- mutex_exit(&ire->ire_nce->nce_lock); \
- }
-
typedef struct ire4 {
- ipaddr_t ire4_src_addr; /* Source address to use. */
ipaddr_t ire4_mask; /* Mask for matching this IRE. */
ipaddr_t ire4_addr; /* Address this IRE represents. */
- ipaddr_t ire4_gateway_addr; /* Gateway if IRE_CACHE/IRE_OFFSUBNET */
- ipaddr_t ire4_cmask; /* Mask from parent prefix route */
+ ipaddr_t ire4_gateway_addr; /* Gateway including for IRE_ONLINK */
+ ipaddr_t ire4_setsrc_addr; /* RTF_SETSRC */
} ire4_t;
typedef struct ire6 {
- in6_addr_t ire6_src_addr; /* Source address to use. */
in6_addr_t ire6_mask; /* Mask for matching this IRE. */
in6_addr_t ire6_addr; /* Address this IRE represents. */
- in6_addr_t ire6_gateway_addr; /* Gateway if IRE_CACHE/IRE_OFFSUBNET */
- in6_addr_t ire6_cmask; /* Mask from parent prefix route */
+ in6_addr_t ire6_gateway_addr; /* Gateway including for IRE_ONLINK */
+ in6_addr_t ire6_setsrc_addr; /* RTF_SETSRC */
} ire6_t;
typedef union ire_addr {
@@ -2637,115 +2533,131 @@ typedef union ire_addr {
ire4_t ire4_u;
} ire_addr_u_t;
-/* Internet Routing Entry */
-typedef struct ire_s {
+/*
+ * Internet Routing Entry
+ * When we have multiple identical IREs we logically add them by manipulating
+ * ire_identical_ref and ire_delete first decrements
+ * that and when it reaches 1 we know it is the last IRE.
+ * "identical" is defined as being the same for:
+ * ire_addr, ire_netmask, ire_gateway, ire_ill, ire_zoneid, and ire_type
+ * For instance, multiple IRE_BROADCASTs for the same subnet number are
+ * viewed as identical, and so are the IRE_INTERFACEs when there are
+ * multiple logical interfaces (on the same ill) with the same subnet prefix.
+ */
+struct ire_s {
struct ire_s *ire_next; /* The hash chain must be first. */
struct ire_s **ire_ptpn; /* Pointer to previous next. */
uint32_t ire_refcnt; /* Number of references */
- mblk_t *ire_mp; /* Non-null if allocated as mblk */
- queue_t *ire_rfq; /* recv from this queue */
- queue_t *ire_stq; /* send to this queue */
- union {
- uint_t *max_fragp; /* Used only during ire creation */
- uint_t max_frag; /* MTU (next hop or path). */
- } imf_u;
-#define ire_max_frag imf_u.max_frag
-#define ire_max_fragp imf_u.max_fragp
- uint32_t ire_frag_flag; /* IPH_DF or zero. */
- uint32_t ire_ident; /* Per IRE IP ident. */
- uint32_t ire_tire_mark; /* Used for reclaim of unused. */
+ ill_t *ire_ill;
+ uint32_t ire_identical_ref; /* IRE_INTERFACE, IRE_BROADCAST */
uchar_t ire_ipversion; /* IPv4/IPv6 version */
- uchar_t ire_marks; /* IRE_MARK_CONDEMNED etc. */
ushort_t ire_type; /* Type of IRE */
+ uint_t ire_generation; /* Generation including CONDEMNED */
uint_t ire_ib_pkt_count; /* Inbound packets for ire_addr */
uint_t ire_ob_pkt_count; /* Outbound packets to ire_addr */
- uint_t ire_ll_hdr_length; /* Non-zero if we do M_DATA prepends */
time_t ire_create_time; /* Time (in secs) IRE was created. */
- uint32_t ire_phandle; /* Associate prefix IREs to cache */
- uint32_t ire_ihandle; /* Associate interface IREs to cache */
- ipif_t *ire_ipif; /* the interface that this ire uses */
uint32_t ire_flags; /* flags related to route (RTF_*) */
/*
- * Neighbor Cache Entry for IPv6; arp info for IPv4
+ * ire_testhidden is TRUE for INTERFACE IREs of IS_UNDER_IPMP(ill)
+ * interfaces
*/
- struct nce_s *ire_nce;
+ boolean_t ire_testhidden;
+ pfirerecv_t ire_recvfn; /* Receive side handling */
+ pfiresend_t ire_sendfn; /* Send side handling */
+ pfirepostfrag_t ire_postfragfn; /* Bottom end of send handling */
+
uint_t ire_masklen; /* # bits in ire_mask{,_v6} */
ire_addr_u_t ire_u; /* IPv4/IPv6 address info. */
irb_t *ire_bucket; /* Hash bucket when ire_ptphn is set */
- iulp_t ire_uinfo; /* Upper layer protocol info. */
- /*
- * Protects ire_uinfo, ire_max_frag, and ire_frag_flag.
- */
kmutex_t ire_lock;
- uint_t ire_ipif_seqid; /* ipif_seqid of ire_ipif */
- uint_t ire_ipif_ifindex; /* ifindex associated with ipif */
- clock_t ire_last_used_time; /* Last used time */
+ clock_t ire_last_used_time; /* For IRE_LOCAL reception */
tsol_ire_gw_secattr_t *ire_gw_secattr; /* gateway security attributes */
- zoneid_t ire_zoneid; /* for local address discrimination */
+ zoneid_t ire_zoneid;
+
+ /*
+ * Cached information of where to send packets that match this route.
+ * The ire_dep_* information is used to determine when ire_nce_cache
+ * needs to be updated.
+ * ire_nce_cache is the fastpath for the Neighbor Cache Entry
+ * for IPv6; arp info for IPv4
+ * Since this is a cache setup and torn down independently of
+ * applications we need to use nce_ref{rele,hold}_notr for it.
+ */
+ nce_t *ire_nce_cache;
+
+ /*
+ * Quick check whether the ire_type and ire_masklen indicates
+ * that the IRE can have ire_nce_cache set i.e., whether it is
+ * IRE_ONLINK and for a single destination.
+ */
+ boolean_t ire_nce_capable;
+
/*
- * ire's that are embedded inside mblk_t and sent to the external
- * resolver use the ire_stq_ifindex to track the ifindex of the
- * ire_stq, so that the ill (if it exists) can be correctly recovered
- * for cleanup in the esbfree routine when arp failure occurs.
- * Similarly, the ire_stackid is used to recover the ip_stack_t.
+ * Dependency tracking so we can safely cache IRE and NCE pointers
+ * in offlink and onlink IREs.
+ * These are locked under the ips_ire_dep_lock rwlock. Write held
+ * when modifying the linkage.
+ * ire_dep_parent (Also chain towards IRE for nexthop)
+ * ire_dep_parent_generation: ire_generation of ire_dep_parent
+ * ire_dep_children (From parent to first child)
+ * ire_dep_sib_next (linked list of siblings)
+ * ire_dep_sib_ptpn (linked list of siblings)
+ *
+ * The parent has a ire_refhold on each child, and each child has
+ * an ire_refhold on its parent.
+ * Since ire_dep_parent is a cache setup and torn down independently of
+ * applications we need to use ire_ref{rele,hold}_notr for it.
*/
- uint_t ire_stq_ifindex;
- netstackid_t ire_stackid;
+ ire_t *ire_dep_parent;
+ ire_t *ire_dep_children;
+ ire_t *ire_dep_sib_next;
+ ire_t **ire_dep_sib_ptpn; /* Pointer to previous next */
+ uint_t ire_dep_parent_generation;
+
+ uint_t ire_badcnt; /* Number of times ND_UNREACHABLE */
+ uint64_t ire_last_badcnt; /* In seconds */
+
+ /* ire_defense* and ire_last_used_time are only used on IRE_LOCALs */
uint_t ire_defense_count; /* number of ARP conflicts */
uint_t ire_defense_time; /* last time defended (secs) */
+
boolean_t ire_trace_disable; /* True when alloc fails */
ip_stack_t *ire_ipst; /* Does not have a netstack_hold */
-} ire_t;
+ iulp_t ire_metrics;
+};
/* IPv4 compatibility macros */
-#define ire_src_addr ire_u.ire4_u.ire4_src_addr
#define ire_mask ire_u.ire4_u.ire4_mask
#define ire_addr ire_u.ire4_u.ire4_addr
#define ire_gateway_addr ire_u.ire4_u.ire4_gateway_addr
-#define ire_cmask ire_u.ire4_u.ire4_cmask
+#define ire_setsrc_addr ire_u.ire4_u.ire4_setsrc_addr
-#define ire_src_addr_v6 ire_u.ire6_u.ire6_src_addr
#define ire_mask_v6 ire_u.ire6_u.ire6_mask
#define ire_addr_v6 ire_u.ire6_u.ire6_addr
#define ire_gateway_addr_v6 ire_u.ire6_u.ire6_gateway_addr
-#define ire_cmask_v6 ire_u.ire6_u.ire6_cmask
-
-/* Convenient typedefs for sockaddrs */
-typedef struct sockaddr_in sin_t;
-typedef struct sockaddr_in6 sin6_t;
-
-/* Address structure used for internal bind with IP */
-typedef struct ipa_conn_s {
- ipaddr_t ac_laddr;
- ipaddr_t ac_faddr;
- uint16_t ac_fport;
- uint16_t ac_lport;
-} ipa_conn_t;
-
-typedef struct ipa6_conn_s {
- in6_addr_t ac6_laddr;
- in6_addr_t ac6_faddr;
- uint16_t ac6_fport;
- uint16_t ac6_lport;
-} ipa6_conn_t;
+#define ire_setsrc_addr_v6 ire_u.ire6_u.ire6_setsrc_addr
/*
- * Using ipa_conn_x_t or ipa6_conn_x_t allows us to modify the behavior of IP's
- * bind handler.
+ * Values for ire_generation.
+ *
+ * If an IRE is marked with IRE_IS_CONDEMNED, the last walker of
+ * the bucket should delete this IRE from this bucket.
+ *
+ * IRE_GENERATION_VERIFY is never stored in ire_generation but it is
+ * stored in places that cache IREs (such as ixa_ire_generation and
+ * ire_dep_parent_generation). It is used as a signal that the cache is
+ * stale and needs to be reverified.
*/
-typedef struct ipa_conn_extended_s {
- uint64_t acx_flags;
- ipa_conn_t acx_conn;
-} ipa_conn_x_t;
+#define IRE_GENERATION_CONDEMNED 0
+#define IRE_GENERATION_VERIFY 1
+#define IRE_GENERATION_INITIAL 2
+#define IRE_IS_CONDEMNED(ire) \
+ ((ire)->ire_generation == IRE_GENERATION_CONDEMNED)
-typedef struct ipa6_conn_extended_s {
- uint64_t ac6x_flags;
- ipa6_conn_t ac6x_conn;
-} ipa6_conn_x_t;
-
-/* flag values for ipa_conn_x_t and ipa6_conn_x_t. */
-#define ACX_VERIFY_DST 0x1ULL /* verify destination address is reachable */
+/* Convenient typedefs for sockaddrs */
+typedef struct sockaddr_in sin_t;
+typedef struct sockaddr_in6 sin6_t;
/* Name/Value Descriptor. */
typedef struct nv_s {
@@ -2784,110 +2696,83 @@ extern uint_t ip_max_frag_dups;
* to support the needs of such tools and private definitions moved to
* private headers.
*/
-struct ip6_pkt_s {
+struct ip_pkt_s {
uint_t ipp_fields; /* Which fields are valid */
- uint_t ipp_sticky_ignored; /* sticky fields to ignore */
- uint_t ipp_ifindex; /* pktinfo ifindex */
in6_addr_t ipp_addr; /* pktinfo src/dst addr */
- uint_t ipp_unicast_hops; /* IPV6_UNICAST_HOPS */
- uint_t ipp_multicast_hops; /* IPV6_MULTICAST_HOPS */
+#define ipp_addr_v4 V4_PART_OF_V6(ipp_addr)
+ uint_t ipp_unicast_hops; /* IPV6_UNICAST_HOPS, IP_TTL */
uint_t ipp_hoplimit; /* IPV6_HOPLIMIT */
uint_t ipp_hopoptslen;
- uint_t ipp_rtdstoptslen;
+ uint_t ipp_rthdrdstoptslen;
uint_t ipp_rthdrlen;
uint_t ipp_dstoptslen;
- uint_t ipp_pathmtulen;
uint_t ipp_fraghdrlen;
ip6_hbh_t *ipp_hopopts;
- ip6_dest_t *ipp_rtdstopts;
+ ip6_dest_t *ipp_rthdrdstopts;
ip6_rthdr_t *ipp_rthdr;
ip6_dest_t *ipp_dstopts;
ip6_frag_t *ipp_fraghdr;
- struct ip6_mtuinfo *ipp_pathmtu;
- in6_addr_t ipp_nexthop; /* Transmit only */
- uint8_t ipp_tclass;
- int8_t ipp_use_min_mtu;
+ uint8_t ipp_tclass; /* IPV6_TCLASS */
+ uint8_t ipp_type_of_service; /* IP_TOS */
+ uint_t ipp_ipv4_options_len; /* Len of IPv4 options */
+ uint8_t *ipp_ipv4_options; /* Ptr to IPv4 options */
+ uint_t ipp_label_len_v4; /* Len of TX label for IPv4 */
+ uint8_t *ipp_label_v4; /* TX label for IPv4 */
+ uint_t ipp_label_len_v6; /* Len of TX label for IPv6 */
+ uint8_t *ipp_label_v6; /* TX label for IPv6 */
};
-typedef struct ip6_pkt_s ip6_pkt_t;
-
-extern void ip6_pkt_free(ip6_pkt_t *); /* free storage inside ip6_pkt_t */
-
-/*
- * This struct is used by ULP_opt_set() functions to return value of IPv4
- * ancillary options. Currently this is only used by udp and icmp and only
- * IP_PKTINFO option is supported.
- */
-typedef struct ip4_pkt_s {
- uint_t ip4_ill_index; /* interface index */
- ipaddr_t ip4_addr; /* source address */
-} ip4_pkt_t;
-
-/*
- * Used by ULP's to pass options info to ip_output
- * currently only IP_PKTINFO is supported.
- */
-typedef struct ip_opt_info_s {
- uint_t ip_opt_ill_index;
- uint_t ip_opt_flags;
-} ip_opt_info_t;
-
-/*
- * value for ip_opt_flags
- */
-#define IP_VERIFY_SRC 0x1
+typedef struct ip_pkt_s ip_pkt_t;
-/*
- * This structure is used to convey information from IP and the ULP.
- * Currently used for the IP_RECVSLLA, IP_RECVIF and IP_RECVPKTINFO options.
- * The type of information field is set to IN_PKTINFO (i.e inbound pkt info)
- */
-typedef struct ip_pktinfo {
- uint32_t ip_pkt_ulp_type; /* type of info sent */
- uint32_t ip_pkt_flags; /* what is sent up by IP */
- uint32_t ip_pkt_ifindex; /* inbound interface index */
- struct sockaddr_dl ip_pkt_slla; /* has source link layer addr */
- struct in_addr ip_pkt_match_addr; /* matched address */
-} ip_pktinfo_t;
-
-/*
- * flags to tell UDP what IP is sending; in_pkt_flags
- */
-#define IPF_RECVIF 0x01 /* inbound interface index */
-#define IPF_RECVSLLA 0x02 /* source link layer address */
-/*
- * Inbound interface index + matched address.
- * Used only by IPV4.
- */
-#define IPF_RECVADDR 0x04
+extern void ip_pkt_free(ip_pkt_t *); /* free storage inside ip_pkt_t */
+extern ipaddr_t ip_pkt_source_route_v4(const ip_pkt_t *);
+extern in6_addr_t *ip_pkt_source_route_v6(const ip_pkt_t *);
+extern int ip_pkt_copy(ip_pkt_t *, ip_pkt_t *, int);
+extern void ip_pkt_source_route_reverse_v4(ip_pkt_t *);
/* ipp_fields values */
-#define IPPF_IFINDEX 0x0001 /* Part of in6_pktinfo: ifindex */
-#define IPPF_ADDR 0x0002 /* Part of in6_pktinfo: src/dst addr */
-#define IPPF_SCOPE_ID 0x0004 /* Add xmit ip6i_t for sin6_scope_id */
-#define IPPF_NO_CKSUM 0x0008 /* Add xmit ip6i_t for IP6I_NO_*_CKSUM */
-
-#define IPPF_RAW_CKSUM 0x0010 /* Add xmit ip6i_t for IP6I_RAW_CHECKSUM */
-#define IPPF_HOPLIMIT 0x0020
-#define IPPF_HOPOPTS 0x0040
-#define IPPF_RTHDR 0x0080
-
-#define IPPF_RTDSTOPTS 0x0100
-#define IPPF_DSTOPTS 0x0200
-#define IPPF_NEXTHOP 0x0400
-#define IPPF_PATHMTU 0x0800
-
-#define IPPF_TCLASS 0x1000
-#define IPPF_DONTFRAG 0x2000
-#define IPPF_USE_MIN_MTU 0x04000
-#define IPPF_MULTICAST_HOPS 0x08000
-
-#define IPPF_UNICAST_HOPS 0x10000
-#define IPPF_FRAGHDR 0x20000
-
-#define IPPF_HAS_IP6I \
- (IPPF_IFINDEX|IPPF_ADDR|IPPF_NEXTHOP|IPPF_SCOPE_ID| \
- IPPF_NO_CKSUM|IPPF_RAW_CKSUM|IPPF_HOPLIMIT|IPPF_DONTFRAG| \
- IPPF_USE_MIN_MTU|IPPF_MULTICAST_HOPS|IPPF_UNICAST_HOPS)
+#define IPPF_ADDR 0x0001 /* Part of in6_pktinfo: src/dst addr */
+#define IPPF_HOPLIMIT 0x0002 /* Overrides unicast and multicast */
+#define IPPF_TCLASS 0x0004 /* Overrides class in sin6_flowinfo */
+
+#define IPPF_HOPOPTS 0x0010 /* ipp_hopopts set */
+#define IPPF_RTHDR 0x0020 /* ipp_rthdr set */
+#define IPPF_RTHDRDSTOPTS 0x0040 /* ipp_rthdrdstopts set */
+#define IPPF_DSTOPTS 0x0080 /* ipp_dstopts set */
+
+#define IPPF_IPV4_OPTIONS 0x0100 /* ipp_ipv4_options set */
+#define IPPF_LABEL_V4 0x0200 /* ipp_label_v4 set */
+#define IPPF_LABEL_V6 0x0400 /* ipp_label_v6 set */
+
+#define IPPF_FRAGHDR 0x0800 /* Used for IPsec receive side */
+
+/*
+ * Data structure which is passed to conn_opt_get/set.
+ * The conn_t is included even though it can be inferred from queue_t.
+ * setsockopt and getsockopt use conn_ixa and conn_xmit_ipp. However,
+ * when handling ancillary data we use separate ixa and ipps.
+ */
+typedef struct conn_opt_arg_s {
+ conn_t *coa_connp;
+ ip_xmit_attr_t *coa_ixa;
+ ip_pkt_t *coa_ipp;
+ boolean_t coa_ancillary; /* Ancillary data and not setsockopt */
+ uint_t coa_changed; /* See below */
+} conn_opt_arg_t;
+
+/*
+ * Flags for what changed.
+ * If we want to be more efficient in the future we can have more fine
+ * grained flags e.g., a flag for just IP_TOS changing.
+ * For now we either call ip_set_destination (for "route changed")
+ * and/or conn_build_hdr_template/conn_prepend_hdr (for "header changed").
+ */
+#define COA_HEADER_CHANGED 0x0001
+#define COA_ROUTE_CHANGED 0x0002
+#define COA_RCVBUF_CHANGED 0x0004 /* SO_RCVBUF */
+#define COA_SNDBUF_CHANGED 0x0008 /* SO_SNDBUF */
+#define COA_WROFF_CHANGED 0x0010 /* Header size changed */
+#define COA_ICMP_BIND_NEEDED 0x0020
+#define COA_OOBINLINE_CHANGED 0x0040
#define TCP_PORTS_OFFSET 0
#define UDP_PORTS_OFFSET 0
@@ -2902,32 +2787,21 @@ typedef struct ip_pktinfo {
#define IPIF_LOOKUP_FAILED 2 /* Used as error code */
#define ILL_CAN_LOOKUP(ill) \
- (!((ill)->ill_state_flags & (ILL_CONDEMNED | ILL_CHANGING)) || \
+ (!((ill)->ill_state_flags & ILL_CONDEMNED) || \
IAM_WRITER_ILL(ill))
-#define ILL_CAN_WAIT(ill, q) \
- (((q) != NULL) && !((ill)->ill_state_flags & (ILL_CONDEMNED)))
+#define ILL_IS_CONDEMNED(ill) \
+ ((ill)->ill_state_flags & ILL_CONDEMNED)
#define IPIF_CAN_LOOKUP(ipif) \
- (!((ipif)->ipif_state_flags & (IPIF_CONDEMNED | IPIF_CHANGING)) || \
+ (!((ipif)->ipif_state_flags & IPIF_CONDEMNED) || \
IAM_WRITER_IPIF(ipif))
-/*
- * If the parameter 'q' is NULL, the caller is not interested in wait and
- * restart of the operation if the ILL or IPIF cannot be looked up when it is
- * marked as 'CHANGING'. Typically a thread that tries to send out data will
- * end up passing NULLs as the last 4 parameters to ill_lookup_on_ifindex and
- * in this case 'q' is NULL
- */
-#define IPIF_CAN_WAIT(ipif, q) \
- (((q) != NULL) && !((ipif)->ipif_state_flags & (IPIF_CONDEMNED)))
-
-#define IPIF_CAN_LOOKUP_WALKER(ipif) \
- (!((ipif)->ipif_state_flags & (IPIF_CONDEMNED)) || \
- IAM_WRITER_IPIF(ipif))
+#define IPIF_IS_CONDEMNED(ipif) \
+ ((ipif)->ipif_state_flags & IPIF_CONDEMNED)
-#define ILL_UNMARK_CHANGING(ill) \
- (ill)->ill_state_flags &= ~ILL_CHANGING;
+#define IPIF_IS_CHANGING(ipif) \
+ ((ipif)->ipif_state_flags & IPIF_CHANGING)
/* Macros used to assert that this thread is a writer */
#define IAM_WRITER_IPSQ(ipsq) ((ipsq)->ipsq_xop->ipx_writer == curthread)
@@ -2956,9 +2830,9 @@ typedef struct ip_pktinfo {
#define RELEASE_ILL_LOCKS(ill_1, ill_2) \
{ \
if (ill_1 != NULL) \
- mutex_exit(&(ill_1)->ill_lock); \
+ mutex_exit(&(ill_1)->ill_lock); \
if (ill_2 != NULL && ill_2 != ill_1) \
- mutex_exit(&(ill_2)->ill_lock); \
+ mutex_exit(&(ill_2)->ill_lock); \
}
/* Get the other protocol instance ill */
@@ -2975,20 +2849,13 @@ typedef struct cmd_info_s
struct lifreq *ci_lifr; /* the lifreq struct passed down */
} cmd_info_t;
-/*
- * List of AH and ESP IPsec acceleration capable ills
- */
-typedef struct ipsec_capab_ill_s {
- uint_t ill_index;
- boolean_t ill_isv6;
- struct ipsec_capab_ill_s *next;
-} ipsec_capab_ill_t;
-
extern struct kmem_cache *ire_cache;
extern ipaddr_t ip_g_all_ones;
-extern uint_t ip_loopback_mtu; /* /etc/system */
+extern uint_t ip_loopback_mtu; /* /etc/system */
+extern uint_t ip_loopback_mtuplus;
+extern uint_t ip_loopback_mtu_v6plus;
extern vmem_t *ip_minor_arena_sa;
extern vmem_t *ip_minor_arena_la;
@@ -3014,18 +2881,18 @@ extern vmem_t *ip_minor_arena_la;
#define ips_ip_g_send_redirects ips_param_arr[5].ip_param_value
#define ips_ip_g_forward_directed_bcast ips_param_arr[6].ip_param_value
#define ips_ip_mrtdebug ips_param_arr[7].ip_param_value
-#define ips_ip_timer_interval ips_param_arr[8].ip_param_value
-#define ips_ip_ire_arp_interval ips_param_arr[9].ip_param_value
-#define ips_ip_ire_redir_interval ips_param_arr[10].ip_param_value
+#define ips_ip_ire_reclaim_fraction ips_param_arr[8].ip_param_value
+#define ips_ip_nce_reclaim_fraction ips_param_arr[9].ip_param_value
+#define ips_ip_dce_reclaim_fraction ips_param_arr[10].ip_param_value
#define ips_ip_def_ttl ips_param_arr[11].ip_param_value
#define ips_ip_forward_src_routed ips_param_arr[12].ip_param_value
#define ips_ip_wroff_extra ips_param_arr[13].ip_param_value
-#define ips_ip_ire_pathmtu_interval ips_param_arr[14].ip_param_value
+#define ips_ip_pathmtu_interval ips_param_arr[14].ip_param_value
#define ips_ip_icmp_return ips_param_arr[15].ip_param_value
#define ips_ip_path_mtu_discovery ips_param_arr[16].ip_param_value
-#define ips_ip_ignore_delete_time ips_param_arr[17].ip_param_value
+#define ips_ip_pmtu_min ips_param_arr[17].ip_param_value
#define ips_ip_ignore_redirect ips_param_arr[18].ip_param_value
-#define ips_ip_output_queue ips_param_arr[19].ip_param_value
+#define ips_ip_arp_icmp_error ips_param_arr[19].ip_param_value
#define ips_ip_broadcast_ttl ips_param_arr[20].ip_param_value
#define ips_ip_icmp_err_interval ips_param_arr[21].ip_param_value
#define ips_ip_icmp_err_burst ips_param_arr[22].ip_param_value
@@ -3046,7 +2913,7 @@ extern vmem_t *ip_minor_arena_la;
#define ips_ipv6_send_redirects ips_param_arr[35].ip_param_value
#define ips_ipv6_ignore_redirect ips_param_arr[36].ip_param_value
#define ips_ipv6_strict_dst_multihoming ips_param_arr[37].ip_param_value
-#define ips_ip_ire_reclaim_fraction ips_param_arr[38].ip_param_value
+#define ips_src_check ips_param_arr[38].ip_param_value
#define ips_ipsec_policy_log_interval ips_param_arr[39].ip_param_value
#define ips_pim_accept_clear_messages ips_param_arr[40].ip_param_value
#define ips_ip_ndp_unsolicit_interval ips_param_arr[41].ip_param_value
@@ -3055,21 +2922,37 @@ extern vmem_t *ip_minor_arena_la;
/* Misc IP configuration knobs */
#define ips_ip_policy_mask ips_param_arr[44].ip_param_value
-#define ips_ip_multirt_resolution_interval ips_param_arr[45].ip_param_value
+#define ips_ip_ecmp_behavior ips_param_arr[45].ip_param_value
#define ips_ip_multirt_ttl ips_param_arr[46].ip_param_value
-#define ips_ip_multidata_outbound ips_param_arr[47].ip_param_value
-#define ips_ip_ndp_defense_interval ips_param_arr[48].ip_param_value
-#define ips_ip_max_temp_idle ips_param_arr[49].ip_param_value
-#define ips_ip_max_temp_defend ips_param_arr[50].ip_param_value
-#define ips_ip_max_defend ips_param_arr[51].ip_param_value
-#define ips_ip_defend_interval ips_param_arr[52].ip_param_value
-#define ips_ip_dup_recovery ips_param_arr[53].ip_param_value
-#define ips_ip_restrict_interzone_loopback ips_param_arr[54].ip_param_value
-#define ips_ip_lso_outbound ips_param_arr[55].ip_param_value
-#define ips_igmp_max_version ips_param_arr[56].ip_param_value
-#define ips_mld_max_version ips_param_arr[57].ip_param_value
-#define ips_ip_pmtu_min ips_param_arr[58].ip_param_value
-#define ips_ipv6_drop_inbound_icmpv6 ips_param_arr[59].ip_param_value
+#define ips_ip_ire_badcnt_lifetime ips_param_arr[47].ip_param_value
+#define ips_ip_max_temp_idle ips_param_arr[48].ip_param_value
+#define ips_ip_max_temp_defend ips_param_arr[49].ip_param_value
+#define ips_ip_max_defend ips_param_arr[50].ip_param_value
+#define ips_ip_defend_interval ips_param_arr[51].ip_param_value
+#define ips_ip_dup_recovery ips_param_arr[52].ip_param_value
+#define ips_ip_restrict_interzone_loopback ips_param_arr[53].ip_param_value
+#define ips_ip_lso_outbound ips_param_arr[54].ip_param_value
+#define ips_igmp_max_version ips_param_arr[55].ip_param_value
+#define ips_mld_max_version ips_param_arr[56].ip_param_value
+#define ips_ipv6_drop_inbound_icmpv6 ips_param_arr[57].ip_param_value
+#define ips_arp_probe_delay ips_param_arr[58].ip_param_value
+#define ips_arp_fastprobe_delay ips_param_arr[59].ip_param_value
+#define ips_arp_probe_interval ips_param_arr[60].ip_param_value
+#define ips_arp_fastprobe_interval ips_param_arr[61].ip_param_value
+#define ips_arp_probe_count ips_param_arr[62].ip_param_value
+#define ips_arp_fastprobe_count ips_param_arr[63].ip_param_value
+#define ips_ipv4_dad_announce_interval ips_param_arr[64].ip_param_value
+#define ips_ipv6_dad_announce_interval ips_param_arr[65].ip_param_value
+#define ips_arp_defend_interval ips_param_arr[66].ip_param_value
+#define ips_arp_defend_rate ips_param_arr[67].ip_param_value
+#define ips_ndp_defend_interval ips_param_arr[68].ip_param_value
+#define ips_ndp_defend_rate ips_param_arr[69].ip_param_value
+#define ips_arp_defend_period ips_param_arr[70].ip_param_value
+#define ips_ndp_defend_period ips_param_arr[71].ip_param_value
+#define ips_ipv4_icmp_return_pmtu ips_param_arr[72].ip_param_value
+#define ips_ipv6_icmp_return_pmtu ips_param_arr[73].ip_param_value
+#define ips_ip_arp_publish_count ips_param_arr[74].ip_param_value
+#define ips_ip_arp_publish_interval ips_param_arr[75].ip_param_value
extern int dohwcksum; /* use h/w cksum if supported by the h/w */
#ifdef ZC_TEST
@@ -3102,13 +2985,13 @@ extern struct module_info ip_mod_info;
((ipst)->ips_ip4_loopback_out_event.he_interested)
#define HOOKS6_INTERESTED_LOOPBACK_OUT(ipst) \
((ipst)->ips_ip6_loopback_out_event.he_interested)
-
/*
- * Hooks macros used inside of ip
+ * Hooks marcos used inside of ip
+ * The callers use the above INTERESTED macros first, hence
+ * the he_interested check is superflous.
*/
-#define FW_HOOKS(_hook, _event, _ilp, _olp, _iph, _fm, _m, _llm, ipst) \
- \
- if ((_hook).he_interested) { \
+#define FW_HOOKS(_hook, _event, _ilp, _olp, _iph, _fm, _m, _llm, ipst, _err) \
+ if ((_hook).he_interested) { \
hook_pkt_event_t info; \
\
_NOTE(CONSTCOND) \
@@ -3121,12 +3004,15 @@ extern struct module_info ip_mod_info;
info.hpe_mp = &(_fm); \
info.hpe_mb = _m; \
info.hpe_flags = _llm; \
- if (hook_run(ipst->ips_ipv4_net_data->netd_hooks, \
- _event, (hook_data_t)&info) != 0) { \
+ _err = hook_run(ipst->ips_ipv4_net_data->netd_hooks, \
+ _event, (hook_data_t)&info); \
+ if (_err != 0) { \
ip2dbg(("%s hook dropped mblk chain %p hdr %p\n",\
(_hook).he_name, (void *)_fm, (void *)_m)); \
- freemsg(_fm); \
- _fm = NULL; \
+ if (_fm != NULL) { \
+ freemsg(_fm); \
+ _fm = NULL; \
+ } \
_iph = NULL; \
_m = NULL; \
} else { \
@@ -3135,9 +3021,8 @@ extern struct module_info ip_mod_info;
} \
}
-#define FW_HOOKS6(_hook, _event, _ilp, _olp, _iph, _fm, _m, _llm, ipst) \
- \
- if ((_hook).he_interested) { \
+#define FW_HOOKS6(_hook, _event, _ilp, _olp, _iph, _fm, _m, _llm, ipst, _err) \
+ if ((_hook).he_interested) { \
hook_pkt_event_t info; \
\
_NOTE(CONSTCOND) \
@@ -3150,12 +3035,15 @@ extern struct module_info ip_mod_info;
info.hpe_mp = &(_fm); \
info.hpe_mb = _m; \
info.hpe_flags = _llm; \
- if (hook_run(ipst->ips_ipv6_net_data->netd_hooks, \
- _event, (hook_data_t)&info) != 0) { \
+ _err = hook_run(ipst->ips_ipv6_net_data->netd_hooks, \
+ _event, (hook_data_t)&info); \
+ if (_err != 0) { \
ip2dbg(("%s hook dropped mblk chain %p hdr %p\n",\
(_hook).he_name, (void *)_fm, (void *)_m)); \
- freemsg(_fm); \
- _fm = NULL; \
+ if (_fm != NULL) { \
+ freemsg(_fm); \
+ _fm = NULL; \
+ } \
_iph = NULL; \
_m = NULL; \
} else { \
@@ -3194,24 +3082,6 @@ extern struct module_info ip_mod_info;
#define IP_LOOPBACK_ADDR(addr) \
(((addr) & N_IN_CLASSA_NET == N_IN_LOOPBACK_NET))
-#ifdef DEBUG
-/* IPsec HW acceleration debugging support */
-
-#define IPSECHW_CAPAB 0x0001 /* capability negotiation */
-#define IPSECHW_SADB 0x0002 /* SADB exchange */
-#define IPSECHW_PKT 0x0004 /* general packet flow */
-#define IPSECHW_PKTIN 0x0008 /* driver in pkt processing details */
-#define IPSECHW_PKTOUT 0x0010 /* driver out pkt processing details */
-
-#define IPSECHW_DEBUG(f, x) if (ipsechw_debug & (f)) { (void) printf x; }
-#define IPSECHW_CALL(f, r, x) if (ipsechw_debug & (f)) { (void) r x; }
-
-extern uint32_t ipsechw_debug;
-#else
-#define IPSECHW_DEBUG(f, x) {}
-#define IPSECHW_CALL(f, r, x) {}
-#endif
-
extern int ip_debug;
extern uint_t ip_thread_data;
extern krwlock_t ip_thread_rwlock;
@@ -3235,8 +3105,6 @@ extern list_t ip_thread_list;
/* Default MAC-layer address string length for mac_colon_addr */
#define MAC_STR_LEN 128
-struct ipsec_out_s;
-
struct mac_header_info_s;
extern void ill_frag_timer(void *);
@@ -3252,86 +3120,173 @@ extern char *ip_dot_addr(ipaddr_t, char *);
extern const char *mac_colon_addr(const uint8_t *, size_t, char *, size_t);
extern void ip_lwput(queue_t *, mblk_t *);
extern boolean_t icmp_err_rate_limit(ip_stack_t *);
-extern void icmp_time_exceeded(queue_t *, mblk_t *, uint8_t, zoneid_t,
- ip_stack_t *);
-extern void icmp_unreachable(queue_t *, mblk_t *, uint8_t, zoneid_t,
- ip_stack_t *);
-extern mblk_t *ip_add_info(mblk_t *, ill_t *, uint_t, zoneid_t, ip_stack_t *);
-cred_t *ip_best_cred(mblk_t *, conn_t *, pid_t *);
-extern mblk_t *ip_bind_v4(queue_t *, mblk_t *, conn_t *);
-extern boolean_t ip_bind_ipsec_policy_set(conn_t *, mblk_t *);
-extern int ip_bind_laddr_v4(conn_t *, mblk_t **, uint8_t, ipaddr_t,
- uint16_t, boolean_t);
-extern int ip_proto_bind_laddr_v4(conn_t *, mblk_t **, uint8_t, ipaddr_t,
- uint16_t, boolean_t);
-extern int ip_proto_bind_connected_v4(conn_t *, mblk_t **,
- uint8_t, ipaddr_t *, uint16_t, ipaddr_t, uint16_t, boolean_t, boolean_t,
- cred_t *);
-extern int ip_bind_connected_v4(conn_t *, mblk_t **, uint8_t, ipaddr_t *,
- uint16_t, ipaddr_t, uint16_t, boolean_t, boolean_t, cred_t *);
+extern void icmp_frag_needed(mblk_t *, int, ip_recv_attr_t *);
+extern mblk_t *icmp_inbound_v4(mblk_t *, ip_recv_attr_t *);
+extern void icmp_time_exceeded(mblk_t *, uint8_t, ip_recv_attr_t *);
+extern void icmp_unreachable(mblk_t *, uint8_t, ip_recv_attr_t *);
+extern boolean_t ip_ipsec_policy_inherit(conn_t *, conn_t *, ip_recv_attr_t *);
+extern void *ip_pullup(mblk_t *, ssize_t, ip_recv_attr_t *);
+extern void ip_setl2src(mblk_t *, ip_recv_attr_t *, ill_t *);
+extern mblk_t *ip_check_and_align_header(mblk_t *, uint_t, ip_recv_attr_t *);
+extern mblk_t *ip_check_length(mblk_t *, uchar_t *, ssize_t, uint_t, uint_t,
+ ip_recv_attr_t *);
+extern mblk_t *ip_check_optlen(mblk_t *, ipha_t *, uint_t, uint_t,
+ ip_recv_attr_t *);
+extern mblk_t *ip_fix_dbref(mblk_t *, ip_recv_attr_t *);
extern uint_t ip_cksum(mblk_t *, int, uint32_t);
extern int ip_close(queue_t *, int);
extern uint16_t ip_csum_hdr(ipha_t *);
-extern void ip_proto_not_sup(queue_t *, mblk_t *, uint_t, zoneid_t,
- ip_stack_t *);
+extern void ip_forward_xmit_v4(nce_t *, ill_t *, mblk_t *, ipha_t *,
+ ip_recv_attr_t *, uint32_t, uint32_t);
+extern boolean_t ip_forward_options(mblk_t *, ipha_t *, ill_t *,
+ ip_recv_attr_t *);
+extern int ip_fragment_v4(mblk_t *, nce_t *, iaflags_t, uint_t, uint32_t,
+ uint32_t, zoneid_t, zoneid_t, pfirepostfrag_t postfragfn,
+ uintptr_t *cookie);
+extern void ip_proto_not_sup(mblk_t *, ip_recv_attr_t *);
extern void ip_ire_g_fini(void);
extern void ip_ire_g_init(void);
extern void ip_ire_fini(ip_stack_t *);
extern void ip_ire_init(ip_stack_t *);
+extern void ip_mdata_to_mhi(ill_t *, mblk_t *, struct mac_header_info_s *);
extern int ip_openv4(queue_t *q, dev_t *devp, int flag, int sflag,
cred_t *credp);
extern int ip_openv6(queue_t *q, dev_t *devp, int flag, int sflag,
cred_t *credp);
extern int ip_reassemble(mblk_t *, ipf_t *, uint_t, boolean_t, ill_t *,
size_t);
-extern int ip_opt_set_ill(conn_t *, int, boolean_t, boolean_t,
- int, int, mblk_t *);
extern void ip_rput(queue_t *, mblk_t *);
extern void ip_input(ill_t *, ill_rx_ring_t *, mblk_t *,
struct mac_header_info_s *);
+extern void ip_input_v6(ill_t *, ill_rx_ring_t *, mblk_t *,
+ struct mac_header_info_s *);
+extern mblk_t *ip_input_common_v4(ill_t *, ill_rx_ring_t *, mblk_t *,
+ struct mac_header_info_s *, squeue_t *, mblk_t **, uint_t *);
+extern mblk_t *ip_input_common_v6(ill_t *, ill_rx_ring_t *, mblk_t *,
+ struct mac_header_info_s *, squeue_t *, mblk_t **, uint_t *);
+extern void ill_input_full_v4(mblk_t *, void *, void *,
+ ip_recv_attr_t *, rtc_t *);
+extern void ill_input_short_v4(mblk_t *, void *, void *,
+ ip_recv_attr_t *, rtc_t *);
+extern void ill_input_full_v6(mblk_t *, void *, void *,
+ ip_recv_attr_t *, rtc_t *);
+extern void ill_input_short_v6(mblk_t *, void *, void *,
+ ip_recv_attr_t *, rtc_t *);
+extern ipaddr_t ip_input_options(ipha_t *, ipaddr_t, mblk_t *,
+ ip_recv_attr_t *, int *);
+extern boolean_t ip_input_local_options(mblk_t *, ipha_t *, ip_recv_attr_t *);
+extern mblk_t *ip_input_fragment(mblk_t *, ipha_t *, ip_recv_attr_t *);
+extern mblk_t *ip_input_fragment_v6(mblk_t *, ip6_t *, ip6_frag_t *, uint_t,
+ ip_recv_attr_t *);
+extern void ip_input_post_ipsec(mblk_t *, ip_recv_attr_t *);
+extern void ip_fanout_v4(mblk_t *, ipha_t *, ip_recv_attr_t *);
+extern void ip_fanout_v6(mblk_t *, ip6_t *, ip_recv_attr_t *);
+extern void ip_fanout_proto_conn(conn_t *, mblk_t *, ipha_t *, ip6_t *,
+ ip_recv_attr_t *);
+extern void ip_fanout_proto_v4(mblk_t *, ipha_t *, ip_recv_attr_t *);
+extern void ip_fanout_send_icmp_v4(mblk_t *, uint_t, uint_t,
+ ip_recv_attr_t *);
+extern void ip_fanout_udp_conn(conn_t *, mblk_t *, ipha_t *, ip6_t *,
+ ip_recv_attr_t *);
+extern void ip_fanout_udp_multi_v4(mblk_t *, ipha_t *, uint16_t, uint16_t,
+ ip_recv_attr_t *);
+extern mblk_t *zero_spi_check(mblk_t *, ip_recv_attr_t *);
+extern void ip_build_hdrs_v4(uchar_t *, uint_t, const ip_pkt_t *, uint8_t);
+extern int ip_find_hdr_v4(ipha_t *, ip_pkt_t *, boolean_t);
+extern int ip_total_hdrs_len_v4(const ip_pkt_t *);
+
extern mblk_t *ip_accept_tcp(ill_t *, ill_rx_ring_t *, squeue_t *,
mblk_t *, mblk_t **, uint_t *cnt);
-extern void ip_rput_dlpi(queue_t *, mblk_t *);
-extern void ip_rput_forward(ire_t *, ipha_t *, mblk_t *, ill_t *);
-extern void ip_rput_forward_multicast(ipaddr_t, mblk_t *, ipif_t *);
+extern void ip_rput_dlpi(ill_t *, mblk_t *);
+extern void ip_rput_notdata(ill_t *, mblk_t *);
extern void ip_mib2_add_ip_stats(mib2_ipIfStatsEntry_t *,
mib2_ipIfStatsEntry_t *);
extern void ip_mib2_add_icmp6_stats(mib2_ipv6IfIcmpEntry_t *,
mib2_ipv6IfIcmpEntry_t *);
-extern void ip_udp_input(queue_t *, mblk_t *, ipha_t *, ire_t *, ill_t *);
-extern void ip_proto_input(queue_t *, mblk_t *, ipha_t *, ire_t *, ill_t *,
- uint32_t);
extern void ip_rput_other(ipsq_t *, queue_t *, mblk_t *, void *);
extern ire_t *ip_check_multihome(void *, ire_t *, ill_t *);
-extern void ip_setpktversion(conn_t *, boolean_t, boolean_t, ip_stack_t *);
-extern void ip_trash_ire_reclaim(void *);
-extern void ip_trash_timer_expire(void *);
-extern void ip_wput(queue_t *, mblk_t *);
-extern void ip_output(void *, mblk_t *, void *, int);
-extern void ip_output_options(void *, mblk_t *, void *, int,
- ip_opt_info_t *);
-
-extern void ip_wput_ire(queue_t *, mblk_t *, ire_t *, conn_t *, int,
- zoneid_t);
-extern void ip_wput_local(queue_t *, ill_t *, ipha_t *, mblk_t *, ire_t *,
- int, zoneid_t);
-extern void ip_wput_multicast(queue_t *, mblk_t *, ipif_t *, zoneid_t);
-extern void ip_wput_nondata(ipsq_t *, queue_t *, mblk_t *, void *);
+extern void ip_send_potential_redirect_v4(mblk_t *, ipha_t *, ire_t *,
+ ip_recv_attr_t *);
+extern int ip_set_destination_v4(ipaddr_t *, ipaddr_t, ipaddr_t,
+ ip_xmit_attr_t *, iulp_t *, uint32_t, uint_t);
+extern int ip_set_destination_v6(in6_addr_t *, const in6_addr_t *,
+ const in6_addr_t *, ip_xmit_attr_t *, iulp_t *, uint32_t, uint_t);
+
+extern int ip_output_simple(mblk_t *, ip_xmit_attr_t *);
+extern int ip_output_simple_v4(mblk_t *, ip_xmit_attr_t *);
+extern int ip_output_simple_v6(mblk_t *, ip_xmit_attr_t *);
+extern int ip_output_options(mblk_t *, ipha_t *, ip_xmit_attr_t *,
+ ill_t *);
+extern void ip_output_local_options(ipha_t *, ip_stack_t *);
+
+extern ip_xmit_attr_t *conn_get_ixa(conn_t *, boolean_t);
+extern ip_xmit_attr_t *conn_get_ixa_tryhard(conn_t *, boolean_t);
+extern ip_xmit_attr_t *conn_replace_ixa(conn_t *, ip_xmit_attr_t *);
+extern ip_xmit_attr_t *conn_get_ixa_exclusive(conn_t *);
+extern ip_xmit_attr_t *ip_xmit_attr_duplicate(ip_xmit_attr_t *);
+extern void ip_xmit_attr_replace_tsl(ip_xmit_attr_t *, ts_label_t *);
+extern void ip_xmit_attr_restore_tsl(ip_xmit_attr_t *, cred_t *);
+boolean_t ip_recv_attr_replace_label(ip_recv_attr_t *, ts_label_t *);
+extern void ixa_inactive(ip_xmit_attr_t *);
+extern void ixa_refrele(ip_xmit_attr_t *);
+extern boolean_t ixa_check_drain_insert(conn_t *, ip_xmit_attr_t *);
+extern void ixa_cleanup(ip_xmit_attr_t *);
+extern void ira_cleanup(ip_recv_attr_t *, boolean_t);
+extern void ixa_safe_copy(ip_xmit_attr_t *, ip_xmit_attr_t *);
+
+extern int conn_ip_output(mblk_t *, ip_xmit_attr_t *);
+extern boolean_t ip_output_verify_local(ip_xmit_attr_t *);
+extern mblk_t *ip_output_process_local(mblk_t *, ip_xmit_attr_t *, boolean_t,
+ boolean_t, conn_t *);
+
+extern int conn_opt_get(conn_opt_arg_t *, t_scalar_t, t_scalar_t,
+ uchar_t *);
+extern int conn_opt_set(conn_opt_arg_t *, t_scalar_t, t_scalar_t, uint_t,
+ uchar_t *, boolean_t, cred_t *);
+extern boolean_t conn_same_as_last_v4(conn_t *, sin_t *);
+extern boolean_t conn_same_as_last_v6(conn_t *, sin6_t *);
+extern int conn_update_label(const conn_t *, const ip_xmit_attr_t *,
+ const in6_addr_t *, ip_pkt_t *);
+
+extern int ip_opt_set_multicast_group(conn_t *, t_scalar_t,
+ uchar_t *, boolean_t, boolean_t);
+extern int ip_opt_set_multicast_sources(conn_t *, t_scalar_t,
+ uchar_t *, boolean_t, boolean_t);
+extern int conn_getsockname(conn_t *, struct sockaddr *, uint_t *);
+extern int conn_getpeername(conn_t *, struct sockaddr *, uint_t *);
+
+extern int conn_build_hdr_template(conn_t *, uint_t, uint_t,
+ const in6_addr_t *, const in6_addr_t *, uint32_t);
+extern mblk_t *conn_prepend_hdr(ip_xmit_attr_t *, const ip_pkt_t *,
+ const in6_addr_t *, const in6_addr_t *, uint8_t, uint32_t, uint_t,
+ mblk_t *, uint_t, uint_t, uint32_t *, int *);
+extern void ip_attr_newdst(ip_xmit_attr_t *);
+extern void ip_attr_nexthop(const ip_pkt_t *, const ip_xmit_attr_t *,
+ const in6_addr_t *, in6_addr_t *);
+extern int conn_connect(conn_t *, iulp_t *, uint32_t);
+extern int ip_attr_connect(const conn_t *, ip_xmit_attr_t *,
+ const in6_addr_t *, const in6_addr_t *, const in6_addr_t *, in_port_t,
+ in6_addr_t *, iulp_t *, uint32_t);
+extern int conn_inherit_parent(conn_t *, conn_t *);
+
+extern void conn_ixa_cleanup(conn_t *connp, void *arg);
+
+extern boolean_t conn_wantpacket(conn_t *, ip_recv_attr_t *, ipha_t *);
+extern uint_t ip_type_v4(ipaddr_t, ip_stack_t *);
+extern uint_t ip_type_v6(const in6_addr_t *, ip_stack_t *);
+
+extern void ip_wput_nondata(queue_t *, mblk_t *);
extern void ip_wsrv(queue_t *);
extern char *ip_nv_lookup(nv_t *, int);
extern boolean_t ip_local_addr_ok_v6(const in6_addr_t *, const in6_addr_t *);
extern boolean_t ip_remote_addr_ok_v6(const in6_addr_t *, const in6_addr_t *);
extern ipaddr_t ip_massage_options(ipha_t *, netstack_t *);
extern ipaddr_t ip_net_mask(ipaddr_t);
-extern void ip_newroute(queue_t *, mblk_t *, ipaddr_t, conn_t *, zoneid_t,
- ip_stack_t *);
-extern ipxmit_state_t ip_xmit_v4(mblk_t *, ire_t *, struct ipsec_out_s *,
- boolean_t, conn_t *);
-extern int ip_hdr_complete(ipha_t *, zoneid_t, ip_stack_t *);
+extern void arp_bringup_done(ill_t *, int);
+extern void arp_replumb_done(ill_t *, int);
extern struct qinit iprinitv6;
-extern struct qinit ipwinitv6;
extern void ipmp_init(ip_stack_t *);
extern void ipmp_destroy(ip_stack_t *);
@@ -3347,12 +3302,11 @@ extern ill_t *ipmp_illgrp_add_ipif(ipmp_illgrp_t *, ipif_t *);
extern void ipmp_illgrp_del_ipif(ipmp_illgrp_t *, ipif_t *);
extern ill_t *ipmp_illgrp_next_ill(ipmp_illgrp_t *);
extern ill_t *ipmp_illgrp_hold_next_ill(ipmp_illgrp_t *);
-extern ill_t *ipmp_illgrp_cast_ill(ipmp_illgrp_t *);
extern ill_t *ipmp_illgrp_hold_cast_ill(ipmp_illgrp_t *);
extern ill_t *ipmp_illgrp_ipmp_ill(ipmp_illgrp_t *);
extern void ipmp_illgrp_refresh_mtu(ipmp_illgrp_t *);
-extern ipmp_arpent_t *ipmp_illgrp_create_arpent(ipmp_illgrp_t *, mblk_t *,
- boolean_t);
+extern ipmp_arpent_t *ipmp_illgrp_create_arpent(ipmp_illgrp_t *,
+ boolean_t, ipaddr_t, uchar_t *, size_t, uint16_t);
extern void ipmp_illgrp_destroy_arpent(ipmp_illgrp_t *, ipmp_arpent_t *);
extern ipmp_arpent_t *ipmp_illgrp_lookup_arpent(ipmp_illgrp_t *, ipaddr_t *);
extern void ipmp_illgrp_refresh_arpent(ipmp_illgrp_t *);
@@ -3373,19 +3327,25 @@ extern ill_t *ipmp_ipif_bound_ill(const ipif_t *);
extern ill_t *ipmp_ipif_hold_bound_ill(const ipif_t *);
extern boolean_t ipmp_ipif_is_dataaddr(const ipif_t *);
extern boolean_t ipmp_ipif_is_stubaddr(const ipif_t *);
+extern boolean_t ipmp_packet_is_probe(mblk_t *, ill_t *);
+extern ill_t *ipmp_ill_get_xmit_ill(ill_t *, boolean_t);
+extern void ipmp_ncec_flush_nce(ncec_t *);
+extern void ipmp_ncec_fastpath(ncec_t *, ill_t *);
extern void conn_drain_insert(conn_t *, idl_tx_list_t *);
+extern void conn_setqfull(conn_t *, boolean_t *);
+extern void conn_clrqfull(conn_t *, boolean_t *);
extern int conn_ipsec_length(conn_t *);
-extern void ip_wput_ipsec_out(queue_t *, mblk_t *, ipha_t *, ill_t *,
- ire_t *);
extern ipaddr_t ip_get_dst(ipha_t *);
-extern int ipsec_out_extra_length(mblk_t *);
-extern int ipsec_in_extra_length(mblk_t *);
-extern mblk_t *ipsec_in_alloc(boolean_t, netstack_t *);
-extern boolean_t ipsec_in_is_secure(mblk_t *);
-extern void ipsec_out_process(queue_t *, mblk_t *, ire_t *, uint_t);
-extern void ipsec_out_to_in(mblk_t *);
-extern void ip_fanout_proto_again(mblk_t *, ill_t *, ill_t *, ire_t *);
+extern uint_t ip_get_pmtu(ip_xmit_attr_t *);
+extern uint_t ip_get_base_mtu(ill_t *, ire_t *);
+extern mblk_t *ip_output_attach_policy(mblk_t *, ipha_t *, ip6_t *,
+ const conn_t *, ip_xmit_attr_t *);
+extern int ipsec_out_extra_length(ip_xmit_attr_t *);
+extern int ipsec_out_process(mblk_t *, ip_xmit_attr_t *);
+extern int ip_output_post_ipsec(mblk_t *, ip_xmit_attr_t *);
+extern void ipsec_out_to_in(ip_xmit_attr_t *, ill_t *ill,
+ ip_recv_attr_t *);
extern void ire_cleanup(ire_t *);
extern void ire_inactive(ire_t *);
@@ -3407,14 +3367,13 @@ extern uint_t ip_srcid_find_addr(const in6_addr_t *, zoneid_t, netstack_t *);
extern uint8_t ipoptp_next(ipoptp_t *);
extern uint8_t ipoptp_first(ipoptp_t *, ipha_t *);
-extern int ip_opt_get_user(const ipha_t *, uchar_t *);
+extern int ip_opt_get_user(conn_t *, uchar_t *);
extern int ipsec_req_from_conn(conn_t *, ipsec_req_t *, int);
extern int ip_snmp_get(queue_t *q, mblk_t *mctl, int level);
extern int ip_snmp_set(queue_t *q, int, int, uchar_t *, int);
extern void ip_process_ioctl(ipsq_t *, queue_t *, mblk_t *, void *);
extern void ip_quiesce_conn(conn_t *);
extern void ip_reprocess_ioctl(ipsq_t *, queue_t *, mblk_t *, void *);
-extern void ip_restart_optmgmt(ipsq_t *, queue_t *, mblk_t *, void *);
extern void ip_ioctl_finish(queue_t *, mblk_t *, int, int, ipsq_t *);
extern boolean_t ip_cmpbuf(const void *, uint_t, boolean_t, const void *,
@@ -3425,32 +3384,36 @@ extern void ip_savebuf(void **, uint_t *, boolean_t, const void *, uint_t);
extern boolean_t ipsq_pending_mp_cleanup(ill_t *, conn_t *);
extern void conn_ioctl_cleanup(conn_t *);
-extern ill_t *conn_get_held_ill(conn_t *, ill_t **, int *);
-
-struct tcp_stack;
-extern void ip_xmit_reset_serialize(mblk_t *, int, zoneid_t, struct tcp_stack *,
- conn_t *);
-
-struct multidata_s;
-struct pdesc_s;
-
-extern mblk_t *ip_mdinfo_alloc(ill_mdt_capab_t *);
-extern mblk_t *ip_mdinfo_return(ire_t *, conn_t *, char *, ill_mdt_capab_t *);
-extern mblk_t *ip_lsoinfo_alloc(ill_lso_capab_t *);
-extern mblk_t *ip_lsoinfo_return(ire_t *, conn_t *, char *,
- ill_lso_capab_t *);
-extern uint_t ip_md_cksum(struct pdesc_s *, int, uint_t);
-extern boolean_t ip_md_addr_attr(struct multidata_s *, struct pdesc_s *,
- const mblk_t *);
-extern boolean_t ip_md_hcksum_attr(struct multidata_s *, struct pdesc_s *,
- uint32_t, uint32_t, uint32_t, uint32_t);
-extern boolean_t ip_md_zcopy_attr(struct multidata_s *, struct pdesc_s *,
- uint_t);
+
extern void ip_unbind(conn_t *);
extern void tnet_init(void);
extern void tnet_fini(void);
+/*
+ * Hook functions to enable cluster networking
+ * On non-clustered systems these vectors must always be NULL.
+ */
+extern int (*cl_inet_isclusterwide)(netstackid_t stack_id, uint8_t protocol,
+ sa_family_t addr_family, uint8_t *laddrp, void *args);
+extern uint32_t (*cl_inet_ipident)(netstackid_t stack_id, uint8_t protocol,
+ sa_family_t addr_family, uint8_t *laddrp, uint8_t *faddrp,
+ void *args);
+extern int (*cl_inet_connect2)(netstackid_t stack_id, uint8_t protocol,
+ boolean_t is_outgoing, sa_family_t addr_family, uint8_t *laddrp,
+ in_port_t lport, uint8_t *faddrp, in_port_t fport, void *args);
+extern void (*cl_inet_getspi)(netstackid_t, uint8_t, uint8_t *, size_t,
+ void *);
+extern void (*cl_inet_getspi)(netstackid_t stack_id, uint8_t protocol,
+ uint8_t *ptr, size_t len, void *args);
+extern int (*cl_inet_checkspi)(netstackid_t stack_id, uint8_t protocol,
+ uint32_t spi, void *args);
+extern void (*cl_inet_deletespi)(netstackid_t stack_id, uint8_t protocol,
+ uint32_t spi, void *args);
+extern void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t,
+ sa_family_t, in6_addr_t, in6_addr_t, void *);
+
+
/* Hooks for CGTP (multirt routes) filtering module */
#define CGTP_FILTER_REV_1 1
#define CGTP_FILTER_REV_2 2
@@ -3491,73 +3454,6 @@ extern int ip_cgtp_filter_register(netstackid_t, cgtp_filter_ops_t *);
extern int ip_cgtp_filter_unregister(netstackid_t);
extern int ip_cgtp_filter_is_registered(netstackid_t);
-/* Flags for ire_multirt_lookup() */
-
-#define MULTIRT_USESTAMP 0x0001
-#define MULTIRT_SETSTAMP 0x0002
-#define MULTIRT_CACHEGW 0x0004
-
-/* Debug stuff for multirt route resolution. */
-#if defined(DEBUG) && !defined(__lint)
-/* Our "don't send, rather drop" flag. */
-#define MULTIRT_DEBUG_FLAG 0x8000
-
-#define MULTIRT_TRACE(x) ip2dbg(x)
-
-#define MULTIRT_DEBUG_TAG(mblk) \
- do { \
- ASSERT(mblk != NULL); \
- MULTIRT_TRACE(("%s[%d]: tagging mblk %p, tag was %d\n", \
- __FILE__, __LINE__, \
- (void *)(mblk), (mblk)->b_flag & MULTIRT_DEBUG_FLAG)); \
- (mblk)->b_flag |= MULTIRT_DEBUG_FLAG; \
- } while (0)
-
-#define MULTIRT_DEBUG_UNTAG(mblk) \
- do { \
- ASSERT(mblk != NULL); \
- MULTIRT_TRACE(("%s[%d]: untagging mblk %p, tag was %d\n", \
- __FILE__, __LINE__, \
- (void *)(mblk), (mblk)->b_flag & MULTIRT_DEBUG_FLAG)); \
- (mblk)->b_flag &= ~MULTIRT_DEBUG_FLAG; \
- } while (0)
-
-#define MULTIRT_DEBUG_TAGGED(mblk) \
- (((mblk)->b_flag & MULTIRT_DEBUG_FLAG) ? B_TRUE : B_FALSE)
-#else
-#define MULTIRT_DEBUG_TAG(mblk) ASSERT(mblk != NULL)
-#define MULTIRT_DEBUG_UNTAG(mblk) ASSERT(mblk != NULL)
-#define MULTIRT_DEBUG_TAGGED(mblk) B_FALSE
-#endif
-
-/*
- * Per-ILL Multidata Transmit capabilities.
- */
-struct ill_mdt_capab_s {
- uint_t ill_mdt_version; /* interface version */
- uint_t ill_mdt_on; /* on/off switch for MDT on this ILL */
- uint_t ill_mdt_hdr_head; /* leading header fragment extra space */
- uint_t ill_mdt_hdr_tail; /* trailing header fragment extra space */
- uint_t ill_mdt_max_pld; /* maximum payload buffers per Multidata */
- uint_t ill_mdt_span_limit; /* maximum payload span per packet */
-};
-
-struct ill_hcksum_capab_s {
- uint_t ill_hcksum_version; /* interface version */
- uint_t ill_hcksum_txflags; /* capabilities on transmit */
-};
-
-struct ill_zerocopy_capab_s {
- uint_t ill_zerocopy_version; /* interface version */
- uint_t ill_zerocopy_flags; /* capabilities */
-};
-
-struct ill_lso_capab_s {
- uint_t ill_lso_on; /* on/off switch for LSO on this ILL */
- uint_t ill_lso_flags; /* capabilities */
- uint_t ill_lso_max; /* maximum size of payload */
-};
-
/*
* rr_ring_state cycles in the order shown below from RR_FREE through
* RR_FREE_IN_PROG and back to RR_FREE.
@@ -3669,18 +3565,61 @@ extern void ip_squeue_clean_ring(ill_t *, ill_rx_ring_t *);
extern void ip_squeue_quiesce_ring(ill_t *, ill_rx_ring_t *);
extern void ip_squeue_restart_ring(ill_t *, ill_rx_ring_t *);
extern void ip_squeue_clean_all(ill_t *);
+extern boolean_t ip_source_routed(ipha_t *, ip_stack_t *);
extern void tcp_wput(queue_t *, mblk_t *);
-extern int ip_fill_mtuinfo(struct in6_addr *, in_port_t,
- struct ip6_mtuinfo *, netstack_t *);
-extern ipif_t *conn_get_held_ipif(conn_t *, ipif_t **, int *);
+extern int ip_fill_mtuinfo(conn_t *, ip_xmit_attr_t *,
+ struct ip6_mtuinfo *);
extern hook_t *ipobs_register_hook(netstack_t *, pfv_t);
extern void ipobs_unregister_hook(netstack_t *, hook_t *);
extern void ipobs_hook(mblk_t *, int, zoneid_t, zoneid_t, const ill_t *,
ip_stack_t *);
typedef void (*ipsq_func_t)(ipsq_t *, queue_t *, mblk_t *, void *);
+extern void dce_g_init(void);
+extern void dce_g_destroy(void);
+extern void dce_stack_init(ip_stack_t *);
+extern void dce_stack_destroy(ip_stack_t *);
+extern void dce_cleanup(uint_t, ip_stack_t *);
+extern dce_t *dce_get_default(ip_stack_t *);
+extern dce_t *dce_lookup_pkt(mblk_t *, ip_xmit_attr_t *, uint_t *);
+extern dce_t *dce_lookup_v4(ipaddr_t, ip_stack_t *, uint_t *);
+extern dce_t *dce_lookup_v6(const in6_addr_t *, uint_t, ip_stack_t *,
+ uint_t *);
+extern dce_t *dce_lookup_and_add_v4(ipaddr_t, ip_stack_t *);
+extern dce_t *dce_lookup_and_add_v6(const in6_addr_t *, uint_t,
+ ip_stack_t *);
+extern int dce_update_uinfo_v4(ipaddr_t, iulp_t *, ip_stack_t *);
+extern int dce_update_uinfo_v6(const in6_addr_t *, uint_t, iulp_t *,
+ ip_stack_t *);
+extern int dce_update_uinfo(const in6_addr_t *, uint_t, iulp_t *,
+ ip_stack_t *);
+extern void dce_increment_generation(dce_t *);
+extern void dce_increment_all_generations(boolean_t, ip_stack_t *);
+extern void dce_refrele(dce_t *);
+extern void dce_refhold(dce_t *);
+extern void dce_refrele_notr(dce_t *);
+extern void dce_refhold_notr(dce_t *);
+mblk_t *ip_snmp_get_mib2_ip_dce(queue_t *, mblk_t *, ip_stack_t *ipst);
+
+extern ip_laddr_t ip_laddr_verify_v4(ipaddr_t, zoneid_t,
+ ip_stack_t *, boolean_t);
+extern ip_laddr_t ip_laddr_verify_v6(const in6_addr_t *, zoneid_t,
+ ip_stack_t *, boolean_t, uint_t);
+extern int ip_laddr_fanout_insert(conn_t *);
+
+extern boolean_t ip_verify_src(mblk_t *, ip_xmit_attr_t *, uint_t *);
+extern int ip_verify_ire(mblk_t *, ip_xmit_attr_t *);
+
+extern mblk_t *ip_xmit_attr_to_mblk(ip_xmit_attr_t *);
+extern boolean_t ip_xmit_attr_from_mblk(mblk_t *, ip_xmit_attr_t *);
+extern mblk_t *ip_xmit_attr_free_mblk(mblk_t *);
+extern mblk_t *ip_recv_attr_to_mblk(ip_recv_attr_t *);
+extern boolean_t ip_recv_attr_from_mblk(mblk_t *, ip_recv_attr_t *);
+extern mblk_t *ip_recv_attr_free_mblk(mblk_t *);
+extern boolean_t ip_recv_attr_is_mblk(mblk_t *);
+
/*
* Squeue tags. Tags only need to be unique when the callback function is the
* same to distinguish between different calls, but we use unique tags for
@@ -3729,16 +3668,8 @@ typedef void (*ipsq_func_t)(ipsq_t *, queue_t *, mblk_t *, void *);
#define SQTAG_CONNECT_FINISH 41
#define SQTAG_SYNCHRONOUS_OP 42
#define SQTAG_TCP_SHUTDOWN_OUTPUT 43
-#define SQTAG_XMIT_EARLY_RESET 44
-
-#define NOT_OVER_IP(ip_wq) \
- (ip_wq->q_next != NULL || \
- (ip_wq->q_qinfo->qi_minfo->mi_idname) == NULL || \
- strcmp(ip_wq->q_qinfo->qi_minfo->mi_idname, \
- IP_MOD_NAME) != 0 || \
- ip_wq->q_qinfo->qi_minfo->mi_idnum != IP_MOD_ID)
+#define SQTAG_TCP_IXA_CLEANUP 44
-#define PROTO_FLOW_CNTRLD(connp) (connp->conn_flow_cntrld)
#endif /* _KERNEL */
#ifdef __cplusplus
diff --git a/usr/src/uts/common/inet/ip/conn_opt.c b/usr/src/uts/common/inet/ip/conn_opt.c
new file mode 100644
index 0000000000..a46d7c4cd0
--- /dev/null
+++ b/usr/src/uts/common/inet/ip/conn_opt.c
@@ -0,0 +1,2933 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+/* Copyright (c) 1990 Mentat Inc. */
+
+#include <sys/types.h>
+#include <sys/stream.h>
+#include <sys/strsun.h>
+#define _SUN_TPI_VERSION 2
+#include <sys/tihdr.h>
+#include <sys/xti_inet.h>
+#include <sys/ucred.h>
+#include <sys/zone.h>
+#include <sys/ddi.h>
+#include <sys/sunddi.h>
+#include <sys/cmn_err.h>
+#include <sys/debug.h>
+#include <sys/atomic.h>
+#include <sys/policy.h>
+
+#include <sys/systm.h>
+#include <sys/param.h>
+#include <sys/kmem.h>
+#include <sys/sdt.h>
+#include <sys/socket.h>
+#include <sys/ethernet.h>
+#include <sys/mac.h>
+#include <net/if.h>
+#include <net/if_types.h>
+#include <net/if_arp.h>
+#include <net/route.h>
+#include <sys/sockio.h>
+#include <netinet/in.h>
+#include <net/if_dl.h>
+
+#include <inet/common.h>
+#include <inet/mi.h>
+#include <inet/mib2.h>
+#include <inet/nd.h>
+#include <inet/arp.h>
+#include <inet/snmpcom.h>
+#include <inet/kstatcom.h>
+
+#include <netinet/igmp_var.h>
+#include <netinet/ip6.h>
+#include <netinet/icmp6.h>
+#include <netinet/sctp.h>
+
+#include <inet/ip.h>
+#include <inet/ip_impl.h>
+#include <inet/ip6.h>
+#include <inet/ip6_asp.h>
+#include <inet/tcp.h>
+#include <inet/ip_multi.h>
+#include <inet/ip_if.h>
+#include <inet/ip_ire.h>
+#include <inet/ip_ftable.h>
+#include <inet/ip_rts.h>
+#include <inet/optcom.h>
+#include <inet/ip_ndp.h>
+#include <inet/ip_listutils.h>
+#include <netinet/igmp.h>
+#include <netinet/ip_mroute.h>
+#include <netinet/udp.h>
+#include <inet/ipp_common.h>
+
+#include <net/pfkeyv2.h>
+#include <inet/sadb.h>
+#include <inet/ipsec_impl.h>
+#include <inet/ipdrop.h>
+#include <inet/ip_netinfo.h>
+
+#include <inet/ipclassifier.h>
+#include <inet/sctp_ip.h>
+#include <inet/sctp/sctp_impl.h>
+#include <inet/udp_impl.h>
+#include <sys/sunddi.h>
+
+#include <sys/tsol/label.h>
+#include <sys/tsol/tnet.h>
+
+static sin_t sin_null; /* Zero address for quick clears */
+static sin6_t sin6_null; /* Zero address for quick clears */
+
+/*
+ * Return how much size is needed for the different ancillary data items
+ */
+uint_t
+conn_recvancillary_size(conn_t *connp, crb_t recv_ancillary,
+ ip_recv_attr_t *ira, mblk_t *mp, ip_pkt_t *ipp)
+{
+ uint_t ancil_size;
+ ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+
+ /*
+ * If IP_RECVDSTADDR is set we include the destination IP
+ * address as an option. With IP_RECVOPTS we include all
+ * the IP options.
+ */
+ ancil_size = 0;
+ if (recv_ancillary.crb_recvdstaddr &&
+ (ira->ira_flags & IRAF_IS_IPV4)) {
+ ancil_size += sizeof (struct T_opthdr) +
+ sizeof (struct in_addr);
+ IP_STAT(ipst, conn_in_recvdstaddr);
+ }
+
+ /*
+ * ip_recvpktinfo is used for both AF_INET and AF_INET6 but
+ * are different
+ */
+ if (recv_ancillary.crb_ip_recvpktinfo &&
+ connp->conn_family == AF_INET) {
+ ancil_size += sizeof (struct T_opthdr) +
+ sizeof (struct in_pktinfo);
+ IP_STAT(ipst, conn_in_recvpktinfo);
+ }
+
+ if ((recv_ancillary.crb_recvopts) &&
+ (ipp->ipp_fields & IPPF_IPV4_OPTIONS)) {
+ ancil_size += sizeof (struct T_opthdr) +
+ ipp->ipp_ipv4_options_len;
+ IP_STAT(ipst, conn_in_recvopts);
+ }
+
+ if (recv_ancillary.crb_recvslla) {
+ ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+ ill_t *ill;
+
+ /* Make sure ira_l2src is setup if not already */
+ if (!(ira->ira_flags & IRAF_L2SRC_SET)) {
+ ill = ill_lookup_on_ifindex(ira->ira_rifindex, B_FALSE,
+ ipst);
+ if (ill != NULL) {
+ ip_setl2src(mp, ira, ill);
+ ill_refrele(ill);
+ }
+ }
+ ancil_size += sizeof (struct T_opthdr) +
+ sizeof (struct sockaddr_dl);
+ IP_STAT(ipst, conn_in_recvslla);
+ }
+
+ if (recv_ancillary.crb_recvif) {
+ ancil_size += sizeof (struct T_opthdr) + sizeof (uint_t);
+ IP_STAT(ipst, conn_in_recvif);
+ }
+
+ /*
+ * ip_recvpktinfo is used for both AF_INET and AF_INET6 but
+ * are different
+ */
+ if (recv_ancillary.crb_ip_recvpktinfo &&
+ connp->conn_family == AF_INET6) {
+ ancil_size += sizeof (struct T_opthdr) +
+ sizeof (struct in6_pktinfo);
+ IP_STAT(ipst, conn_in_recvpktinfo);
+ }
+
+ if (recv_ancillary.crb_ipv6_recvhoplimit) {
+ ancil_size += sizeof (struct T_opthdr) + sizeof (int);
+ IP_STAT(ipst, conn_in_recvhoplimit);
+ }
+
+ if (recv_ancillary.crb_ipv6_recvtclass) {
+ ancil_size += sizeof (struct T_opthdr) + sizeof (int);
+ IP_STAT(ipst, conn_in_recvtclass);
+ }
+
+ if (recv_ancillary.crb_ipv6_recvhopopts &&
+ (ipp->ipp_fields & IPPF_HOPOPTS)) {
+ ancil_size += sizeof (struct T_opthdr) + ipp->ipp_hopoptslen;
+ IP_STAT(ipst, conn_in_recvhopopts);
+ }
+ /*
+ * To honor RFC3542 when an application asks for both IPV6_RECVDSTOPTS
+ * and IPV6_RECVRTHDR, we pass up the item rthdrdstopts (the destination
+ * options that appear before a routing header.
+ * We also pass them up if IPV6_RECVRTHDRDSTOPTS is set.
+ */
+ if (ipp->ipp_fields & IPPF_RTHDRDSTOPTS) {
+ if (recv_ancillary.crb_ipv6_recvrthdrdstopts ||
+ (recv_ancillary.crb_ipv6_recvdstopts &&
+ recv_ancillary.crb_ipv6_recvrthdr)) {
+ ancil_size += sizeof (struct T_opthdr) +
+ ipp->ipp_rthdrdstoptslen;
+ IP_STAT(ipst, conn_in_recvrthdrdstopts);
+ }
+ }
+ if ((recv_ancillary.crb_ipv6_recvrthdr) &&
+ (ipp->ipp_fields & IPPF_RTHDR)) {
+ ancil_size += sizeof (struct T_opthdr) + ipp->ipp_rthdrlen;
+ IP_STAT(ipst, conn_in_recvrthdr);
+ }
+ if ((recv_ancillary.crb_ipv6_recvdstopts ||
+ recv_ancillary.crb_old_ipv6_recvdstopts) &&
+ (ipp->ipp_fields & IPPF_DSTOPTS)) {
+ ancil_size += sizeof (struct T_opthdr) + ipp->ipp_dstoptslen;
+ IP_STAT(ipst, conn_in_recvdstopts);
+ }
+ if (recv_ancillary.crb_recvucred && ira->ira_cred != NULL) {
+ ancil_size += sizeof (struct T_opthdr) + ucredsize;
+ IP_STAT(ipst, conn_in_recvucred);
+ }
+
+ /*
+ * If SO_TIMESTAMP is set allocate the appropriate sized
+ * buffer. Since gethrestime() expects a pointer aligned
+ * argument, we allocate space necessary for extra
+ * alignment (even though it might not be used).
+ */
+ if (recv_ancillary.crb_timestamp) {
+ ancil_size += sizeof (struct T_opthdr) +
+ sizeof (timestruc_t) + _POINTER_ALIGNMENT;
+ IP_STAT(ipst, conn_in_timestamp);
+ }
+
+ /*
+ * If IP_RECVTTL is set allocate the appropriate sized buffer
+ */
+ if (recv_ancillary.crb_recvttl &&
+ (ira->ira_flags & IRAF_IS_IPV4)) {
+ ancil_size += sizeof (struct T_opthdr) + sizeof (uint8_t);
+ IP_STAT(ipst, conn_in_recvttl);
+ }
+
+ return (ancil_size);
+}
+
+/*
+ * Lay down the ancillary data items at "ancil_buf".
+ * Assumes caller has used conn_recvancillary_size to allocate a sufficiently
+ * large buffer - ancil_size.
+ */
+void
+conn_recvancillary_add(conn_t *connp, crb_t recv_ancillary,
+ ip_recv_attr_t *ira, ip_pkt_t *ipp, uchar_t *ancil_buf, uint_t ancil_size)
+{
+ /*
+ * Copy in destination address before options to avoid
+ * any padding issues.
+ */
+ if (recv_ancillary.crb_recvdstaddr &&
+ (ira->ira_flags & IRAF_IS_IPV4)) {
+ struct T_opthdr *toh;
+ ipaddr_t *dstptr;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = IPPROTO_IP;
+ toh->name = IP_RECVDSTADDR;
+ toh->len = sizeof (struct T_opthdr) + sizeof (ipaddr_t);
+ toh->status = 0;
+ ancil_buf += sizeof (struct T_opthdr);
+ dstptr = (ipaddr_t *)ancil_buf;
+ *dstptr = ipp->ipp_addr_v4;
+ ancil_buf += sizeof (ipaddr_t);
+ ancil_size -= toh->len;
+ }
+
+ /*
+ * ip_recvpktinfo is used for both AF_INET and AF_INET6 but
+ * are different
+ */
+ if (recv_ancillary.crb_ip_recvpktinfo &&
+ connp->conn_family == AF_INET) {
+ ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+ struct T_opthdr *toh;
+ struct in_pktinfo *pktinfop;
+ ill_t *ill;
+ ipif_t *ipif;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = IPPROTO_IP;
+ toh->name = IP_PKTINFO;
+ toh->len = sizeof (struct T_opthdr) + sizeof (*pktinfop);
+ toh->status = 0;
+ ancil_buf += sizeof (struct T_opthdr);
+ pktinfop = (struct in_pktinfo *)ancil_buf;
+
+ pktinfop->ipi_ifindex = ira->ira_ruifindex;
+ pktinfop->ipi_spec_dst.s_addr = INADDR_ANY;
+
+ /* Find a good address to report */
+ ill = ill_lookup_on_ifindex(ira->ira_ruifindex, B_FALSE, ipst);
+ if (ill != NULL) {
+ ipif = ipif_good_addr(ill, IPCL_ZONEID(connp));
+ if (ipif != NULL) {
+ pktinfop->ipi_spec_dst.s_addr =
+ ipif->ipif_lcl_addr;
+ ipif_refrele(ipif);
+ }
+ ill_refrele(ill);
+ }
+ pktinfop->ipi_addr.s_addr = ipp->ipp_addr_v4;
+ ancil_buf += sizeof (struct in_pktinfo);
+ ancil_size -= toh->len;
+ }
+
+ if ((recv_ancillary.crb_recvopts) &&
+ (ipp->ipp_fields & IPPF_IPV4_OPTIONS)) {
+ struct T_opthdr *toh;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = IPPROTO_IP;
+ toh->name = IP_RECVOPTS;
+ toh->len = sizeof (struct T_opthdr) + ipp->ipp_ipv4_options_len;
+ toh->status = 0;
+ ancil_buf += sizeof (struct T_opthdr);
+ bcopy(ipp->ipp_ipv4_options, ancil_buf,
+ ipp->ipp_ipv4_options_len);
+ ancil_buf += ipp->ipp_ipv4_options_len;
+ ancil_size -= toh->len;
+ }
+
+ if (recv_ancillary.crb_recvslla) {
+ ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+ struct T_opthdr *toh;
+ struct sockaddr_dl *dstptr;
+ ill_t *ill;
+ int alen = 0;
+
+ ill = ill_lookup_on_ifindex(ira->ira_rifindex, B_FALSE, ipst);
+ if (ill != NULL)
+ alen = ill->ill_phys_addr_length;
+
+ /*
+ * For loopback multicast and broadcast the packet arrives
+ * with ira_ruifdex being the physical interface, but
+ * ira_l2src is all zero since ip_postfrag_loopback doesn't
+ * know our l2src. We don't report the address in that case.
+ */
+ if (ira->ira_flags & IRAF_LOOPBACK)
+ alen = 0;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = IPPROTO_IP;
+ toh->name = IP_RECVSLLA;
+ toh->len = sizeof (struct T_opthdr) +
+ sizeof (struct sockaddr_dl);
+ toh->status = 0;
+ ancil_buf += sizeof (struct T_opthdr);
+ dstptr = (struct sockaddr_dl *)ancil_buf;
+ dstptr->sdl_family = AF_LINK;
+ dstptr->sdl_index = ira->ira_ruifindex;
+ if (ill != NULL)
+ dstptr->sdl_type = ill->ill_type;
+ else
+ dstptr->sdl_type = 0;
+ dstptr->sdl_nlen = 0;
+ dstptr->sdl_alen = alen;
+ dstptr->sdl_slen = 0;
+ bcopy(ira->ira_l2src, dstptr->sdl_data, alen);
+ ancil_buf += sizeof (struct sockaddr_dl);
+ ancil_size -= toh->len;
+ if (ill != NULL)
+ ill_refrele(ill);
+ }
+
+ if (recv_ancillary.crb_recvif) {
+ struct T_opthdr *toh;
+ uint_t *dstptr;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = IPPROTO_IP;
+ toh->name = IP_RECVIF;
+ toh->len = sizeof (struct T_opthdr) + sizeof (uint_t);
+ toh->status = 0;
+ ancil_buf += sizeof (struct T_opthdr);
+ dstptr = (uint_t *)ancil_buf;
+ *dstptr = ira->ira_ruifindex;
+ ancil_buf += sizeof (uint_t);
+ ancil_size -= toh->len;
+ }
+
+ /*
+ * ip_recvpktinfo is used for both AF_INET and AF_INET6 but
+ * are different
+ */
+ if (recv_ancillary.crb_ip_recvpktinfo &&
+ connp->conn_family == AF_INET6) {
+ struct T_opthdr *toh;
+ struct in6_pktinfo *pkti;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = IPPROTO_IPV6;
+ toh->name = IPV6_PKTINFO;
+ toh->len = sizeof (struct T_opthdr) + sizeof (*pkti);
+ toh->status = 0;
+ ancil_buf += sizeof (struct T_opthdr);
+ pkti = (struct in6_pktinfo *)ancil_buf;
+ if (ira->ira_flags & IRAF_IS_IPV4) {
+ IN6_IPADDR_TO_V4MAPPED(ipp->ipp_addr_v4,
+ &pkti->ipi6_addr);
+ } else {
+ pkti->ipi6_addr = ipp->ipp_addr;
+ }
+ pkti->ipi6_ifindex = ira->ira_ruifindex;
+
+ ancil_buf += sizeof (*pkti);
+ ancil_size -= toh->len;
+ }
+ if (recv_ancillary.crb_ipv6_recvhoplimit) {
+ struct T_opthdr *toh;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = IPPROTO_IPV6;
+ toh->name = IPV6_HOPLIMIT;
+ toh->len = sizeof (struct T_opthdr) + sizeof (uint_t);
+ toh->status = 0;
+ ancil_buf += sizeof (struct T_opthdr);
+ *(uint_t *)ancil_buf = ipp->ipp_hoplimit;
+ ancil_buf += sizeof (uint_t);
+ ancil_size -= toh->len;
+ }
+ if (recv_ancillary.crb_ipv6_recvtclass) {
+ struct T_opthdr *toh;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = IPPROTO_IPV6;
+ toh->name = IPV6_TCLASS;
+ toh->len = sizeof (struct T_opthdr) + sizeof (uint_t);
+ toh->status = 0;
+ ancil_buf += sizeof (struct T_opthdr);
+
+ if (ira->ira_flags & IRAF_IS_IPV4)
+ *(uint_t *)ancil_buf = ipp->ipp_type_of_service;
+ else
+ *(uint_t *)ancil_buf = ipp->ipp_tclass;
+ ancil_buf += sizeof (uint_t);
+ ancil_size -= toh->len;
+ }
+ if (recv_ancillary.crb_ipv6_recvhopopts &&
+ (ipp->ipp_fields & IPPF_HOPOPTS)) {
+ struct T_opthdr *toh;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = IPPROTO_IPV6;
+ toh->name = IPV6_HOPOPTS;
+ toh->len = sizeof (struct T_opthdr) + ipp->ipp_hopoptslen;
+ toh->status = 0;
+ ancil_buf += sizeof (struct T_opthdr);
+ bcopy(ipp->ipp_hopopts, ancil_buf, ipp->ipp_hopoptslen);
+ ancil_buf += ipp->ipp_hopoptslen;
+ ancil_size -= toh->len;
+ }
+ /*
+ * To honor RFC3542 when an application asks for both IPV6_RECVDSTOPTS
+ * and IPV6_RECVRTHDR, we pass up the item rthdrdstopts (the destination
+ * options that appear before a routing header.
+ * We also pass them up if IPV6_RECVRTHDRDSTOPTS is set.
+ */
+ if (ipp->ipp_fields & IPPF_RTHDRDSTOPTS) {
+ if (recv_ancillary.crb_ipv6_recvrthdrdstopts ||
+ (recv_ancillary.crb_ipv6_recvdstopts &&
+ recv_ancillary.crb_ipv6_recvrthdr)) {
+ struct T_opthdr *toh;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = IPPROTO_IPV6;
+ toh->name = IPV6_DSTOPTS;
+ toh->len = sizeof (struct T_opthdr) +
+ ipp->ipp_rthdrdstoptslen;
+ toh->status = 0;
+ ancil_buf += sizeof (struct T_opthdr);
+ bcopy(ipp->ipp_rthdrdstopts, ancil_buf,
+ ipp->ipp_rthdrdstoptslen);
+ ancil_buf += ipp->ipp_rthdrdstoptslen;
+ ancil_size -= toh->len;
+ }
+ }
+ if (recv_ancillary.crb_ipv6_recvrthdr &&
+ (ipp->ipp_fields & IPPF_RTHDR)) {
+ struct T_opthdr *toh;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = IPPROTO_IPV6;
+ toh->name = IPV6_RTHDR;
+ toh->len = sizeof (struct T_opthdr) + ipp->ipp_rthdrlen;
+ toh->status = 0;
+ ancil_buf += sizeof (struct T_opthdr);
+ bcopy(ipp->ipp_rthdr, ancil_buf, ipp->ipp_rthdrlen);
+ ancil_buf += ipp->ipp_rthdrlen;
+ ancil_size -= toh->len;
+ }
+ if ((recv_ancillary.crb_ipv6_recvdstopts ||
+ recv_ancillary.crb_old_ipv6_recvdstopts) &&
+ (ipp->ipp_fields & IPPF_DSTOPTS)) {
+ struct T_opthdr *toh;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = IPPROTO_IPV6;
+ toh->name = IPV6_DSTOPTS;
+ toh->len = sizeof (struct T_opthdr) + ipp->ipp_dstoptslen;
+ toh->status = 0;
+ ancil_buf += sizeof (struct T_opthdr);
+ bcopy(ipp->ipp_dstopts, ancil_buf, ipp->ipp_dstoptslen);
+ ancil_buf += ipp->ipp_dstoptslen;
+ ancil_size -= toh->len;
+ }
+
+ if (recv_ancillary.crb_recvucred && ira->ira_cred != NULL) {
+ struct T_opthdr *toh;
+ cred_t *rcr = connp->conn_cred;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = SOL_SOCKET;
+ toh->name = SCM_UCRED;
+ toh->len = sizeof (struct T_opthdr) + ucredsize;
+ toh->status = 0;
+ (void) cred2ucred(ira->ira_cred, ira->ira_cpid, &toh[1], rcr);
+ ancil_buf += toh->len;
+ ancil_size -= toh->len;
+ }
+ if (recv_ancillary.crb_timestamp) {
+ struct T_opthdr *toh;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = SOL_SOCKET;
+ toh->name = SCM_TIMESTAMP;
+ toh->len = sizeof (struct T_opthdr) +
+ sizeof (timestruc_t) + _POINTER_ALIGNMENT;
+ toh->status = 0;
+ ancil_buf += sizeof (struct T_opthdr);
+ /* Align for gethrestime() */
+ ancil_buf = (uchar_t *)P2ROUNDUP((intptr_t)ancil_buf,
+ sizeof (intptr_t));
+ gethrestime((timestruc_t *)ancil_buf);
+ ancil_buf = (uchar_t *)toh + toh->len;
+ ancil_size -= toh->len;
+ }
+
+ /*
+ * CAUTION:
+ * Due to aligment issues
+ * Processing of IP_RECVTTL option
+ * should always be the last. Adding
+ * any option processing after this will
+ * cause alignment panic.
+ */
+ if (recv_ancillary.crb_recvttl &&
+ (ira->ira_flags & IRAF_IS_IPV4)) {
+ struct T_opthdr *toh;
+ uint8_t *dstptr;
+
+ toh = (struct T_opthdr *)ancil_buf;
+ toh->level = IPPROTO_IP;
+ toh->name = IP_RECVTTL;
+ toh->len = sizeof (struct T_opthdr) + sizeof (uint8_t);
+ toh->status = 0;
+ ancil_buf += sizeof (struct T_opthdr);
+ dstptr = (uint8_t *)ancil_buf;
+ *dstptr = ipp->ipp_hoplimit;
+ ancil_buf += sizeof (uint8_t);
+ ancil_size -= toh->len;
+ }
+
+ /* Consumed all of allocated space */
+ ASSERT(ancil_size == 0);
+
+}
+
+/*
+ * This routine retrieves the current status of socket options.
+ * It returns the size of the option retrieved, or -1.
+ */
+int
+conn_opt_get(conn_opt_arg_t *coa, t_scalar_t level, t_scalar_t name,
+ uchar_t *ptr)
+{
+ int *i1 = (int *)ptr;
+ conn_t *connp = coa->coa_connp;
+ ip_xmit_attr_t *ixa = coa->coa_ixa;
+ ip_pkt_t *ipp = coa->coa_ipp;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ uint_t len;
+
+ ASSERT(MUTEX_HELD(&coa->coa_connp->conn_lock));
+
+ switch (level) {
+ case SOL_SOCKET:
+ switch (name) {
+ case SO_DEBUG:
+ *i1 = connp->conn_debug ? SO_DEBUG : 0;
+ break; /* goto sizeof (int) option return */
+ case SO_KEEPALIVE:
+ *i1 = connp->conn_keepalive ? SO_KEEPALIVE : 0;
+ break;
+ case SO_LINGER: {
+ struct linger *lgr = (struct linger *)ptr;
+
+ lgr->l_onoff = connp->conn_linger ? SO_LINGER : 0;
+ lgr->l_linger = connp->conn_lingertime;
+ }
+ return (sizeof (struct linger));
+
+ case SO_OOBINLINE:
+ *i1 = connp->conn_oobinline ? SO_OOBINLINE : 0;
+ break;
+ case SO_REUSEADDR:
+ *i1 = connp->conn_reuseaddr ? SO_REUSEADDR : 0;
+ break; /* goto sizeof (int) option return */
+ case SO_TYPE:
+ *i1 = connp->conn_so_type;
+ break; /* goto sizeof (int) option return */
+ case SO_DONTROUTE:
+ *i1 = (ixa->ixa_flags & IXAF_DONTROUTE) ?
+ SO_DONTROUTE : 0;
+ break; /* goto sizeof (int) option return */
+ case SO_USELOOPBACK:
+ *i1 = connp->conn_useloopback ? SO_USELOOPBACK : 0;
+ break; /* goto sizeof (int) option return */
+ case SO_BROADCAST:
+ *i1 = connp->conn_broadcast ? SO_BROADCAST : 0;
+ break; /* goto sizeof (int) option return */
+
+ case SO_SNDBUF:
+ *i1 = connp->conn_sndbuf;
+ break; /* goto sizeof (int) option return */
+ case SO_RCVBUF:
+ *i1 = connp->conn_rcvbuf;
+ break; /* goto sizeof (int) option return */
+ case SO_RCVTIMEO:
+ case SO_SNDTIMEO:
+ /*
+ * Pass these two options in order for third part
+ * protocol usage. Here just return directly.
+ */
+ *i1 = 0;
+ break;
+ case SO_DGRAM_ERRIND:
+ *i1 = connp->conn_dgram_errind ? SO_DGRAM_ERRIND : 0;
+ break; /* goto sizeof (int) option return */
+ case SO_RECVUCRED:
+ *i1 = connp->conn_recv_ancillary.crb_recvucred;
+ break; /* goto sizeof (int) option return */
+ case SO_TIMESTAMP:
+ *i1 = connp->conn_recv_ancillary.crb_timestamp;
+ break; /* goto sizeof (int) option return */
+#ifdef SO_VRRP
+ case SO_VRRP:
+ *i1 = connp->conn_isvrrp;
+ break; /* goto sizeof (int) option return */
+#endif
+ case SO_ANON_MLP:
+ *i1 = connp->conn_anon_mlp;
+ break; /* goto sizeof (int) option return */
+ case SO_MAC_EXEMPT:
+ *i1 = (connp->conn_mac_mode == CONN_MAC_AWARE);
+ break; /* goto sizeof (int) option return */
+ case SO_MAC_IMPLICIT:
+ *i1 = (connp->conn_mac_mode == CONN_MAC_IMPLICIT);
+ break; /* goto sizeof (int) option return */
+ case SO_ALLZONES:
+ *i1 = connp->conn_allzones;
+ break; /* goto sizeof (int) option return */
+ case SO_EXCLBIND:
+ *i1 = connp->conn_exclbind ? SO_EXCLBIND : 0;
+ break;
+ case SO_PROTOTYPE:
+ *i1 = connp->conn_proto;
+ break;
+
+ case SO_DOMAIN:
+ *i1 = connp->conn_family;
+ break;
+ default:
+ return (-1);
+ }
+ break;
+ case IPPROTO_IP:
+ if (connp->conn_family != AF_INET)
+ return (-1);
+ switch (name) {
+ case IP_OPTIONS:
+ case T_IP_OPTIONS:
+ if (!(ipp->ipp_fields & IPPF_IPV4_OPTIONS))
+ return (0);
+
+ len = ipp->ipp_ipv4_options_len;
+ if (len > 0) {
+ bcopy(ipp->ipp_ipv4_options, ptr, len);
+ }
+ return (len);
+
+ case IP_PKTINFO: {
+ /*
+ * This also handles IP_RECVPKTINFO.
+ * IP_PKTINFO and IP_RECVPKTINFO have same value.
+ * Differentiation is based on the size of the
+ * argument passed in.
+ */
+ struct in_pktinfo *pktinfo;
+
+#ifdef notdef
+ /* optcom doesn't provide a length with "get" */
+ if (inlen == sizeof (int)) {
+ /* This is IP_RECVPKTINFO option. */
+ *i1 = connp->conn_recv_ancillary.
+ crb_ip_recvpktinfo;
+ return (sizeof (int));
+ }
+#endif
+ /* XXX assumes that caller has room for max size! */
+
+ pktinfo = (struct in_pktinfo *)ptr;
+ pktinfo->ipi_ifindex = ixa->ixa_ifindex;
+ if (ipp->ipp_fields & IPPF_ADDR)
+ pktinfo->ipi_spec_dst.s_addr = ipp->ipp_addr_v4;
+ else
+ pktinfo->ipi_spec_dst.s_addr = INADDR_ANY;
+ return (sizeof (struct in_pktinfo));
+ }
+ case IP_DONTFRAG:
+ *i1 = (ixa->ixa_flags & IXAF_DONTFRAG) != 0;
+ return (sizeof (int));
+ case IP_TOS:
+ case T_IP_TOS:
+ *i1 = (int)ipp->ipp_type_of_service;
+ break; /* goto sizeof (int) option return */
+ case IP_TTL:
+ *i1 = (int)ipp->ipp_unicast_hops;
+ break; /* goto sizeof (int) option return */
+ case IP_DHCPINIT_IF:
+ return (-1);
+ case IP_NEXTHOP:
+ if (ixa->ixa_flags & IXAF_NEXTHOP_SET) {
+ *(ipaddr_t *)ptr = ixa->ixa_nexthop_v4;
+ return (sizeof (ipaddr_t));
+ } else {
+ return (0);
+ }
+
+ case IP_MULTICAST_IF:
+ /* 0 address if not set */
+ *(ipaddr_t *)ptr = ixa->ixa_multicast_ifaddr;
+ return (sizeof (ipaddr_t));
+ case IP_MULTICAST_TTL:
+ *(uchar_t *)ptr = ixa->ixa_multicast_ttl;
+ return (sizeof (uchar_t));
+ case IP_MULTICAST_LOOP:
+ *ptr = (ixa->ixa_flags & IXAF_MULTICAST_LOOP) ? 1 : 0;
+ return (sizeof (uint8_t));
+ case IP_RECVOPTS:
+ *i1 = connp->conn_recv_ancillary.crb_recvopts;
+ break; /* goto sizeof (int) option return */
+ case IP_RECVDSTADDR:
+ *i1 = connp->conn_recv_ancillary.crb_recvdstaddr;
+ break; /* goto sizeof (int) option return */
+ case IP_RECVIF:
+ *i1 = connp->conn_recv_ancillary.crb_recvif;
+ break; /* goto sizeof (int) option return */
+ case IP_RECVSLLA:
+ *i1 = connp->conn_recv_ancillary.crb_recvslla;
+ break; /* goto sizeof (int) option return */
+ case IP_RECVTTL:
+ *i1 = connp->conn_recv_ancillary.crb_recvttl;
+ break; /* goto sizeof (int) option return */
+ case IP_ADD_MEMBERSHIP:
+ case IP_DROP_MEMBERSHIP:
+ case MCAST_JOIN_GROUP:
+ case MCAST_LEAVE_GROUP:
+ case IP_BLOCK_SOURCE:
+ case IP_UNBLOCK_SOURCE:
+ case IP_ADD_SOURCE_MEMBERSHIP:
+ case IP_DROP_SOURCE_MEMBERSHIP:
+ case MCAST_BLOCK_SOURCE:
+ case MCAST_UNBLOCK_SOURCE:
+ case MCAST_JOIN_SOURCE_GROUP:
+ case MCAST_LEAVE_SOURCE_GROUP:
+ case MRT_INIT:
+ case MRT_DONE:
+ case MRT_ADD_VIF:
+ case MRT_DEL_VIF:
+ case MRT_ADD_MFC:
+ case MRT_DEL_MFC:
+ /* cannot "get" the value for these */
+ return (-1);
+ case MRT_VERSION:
+ case MRT_ASSERT:
+ (void) ip_mrouter_get(name, connp, ptr);
+ return (sizeof (int));
+ case IP_SEC_OPT:
+ return (ipsec_req_from_conn(connp, (ipsec_req_t *)ptr,
+ IPSEC_AF_V4));
+ case IP_BOUND_IF:
+ /* Zero if not set */
+ *i1 = connp->conn_bound_if;
+ break; /* goto sizeof (int) option return */
+ case IP_UNSPEC_SRC:
+ *i1 = connp->conn_unspec_src;
+ break; /* goto sizeof (int) option return */
+ case IP_BROADCAST_TTL:
+ if (ixa->ixa_flags & IXAF_BROADCAST_TTL_SET)
+ *(uchar_t *)ptr = ixa->ixa_broadcast_ttl;
+ else
+ *(uchar_t *)ptr = ipst->ips_ip_broadcast_ttl;
+ return (sizeof (uchar_t));
+ default:
+ return (-1);
+ }
+ break;
+ case IPPROTO_IPV6:
+ if (connp->conn_family != AF_INET6)
+ return (-1);
+ switch (name) {
+ case IPV6_UNICAST_HOPS:
+ *i1 = (int)ipp->ipp_unicast_hops;
+ break; /* goto sizeof (int) option return */
+ case IPV6_MULTICAST_IF:
+ /* 0 index if not set */
+ *i1 = ixa->ixa_multicast_ifindex;
+ break; /* goto sizeof (int) option return */
+ case IPV6_MULTICAST_HOPS:
+ *i1 = ixa->ixa_multicast_ttl;
+ break; /* goto sizeof (int) option return */
+ case IPV6_MULTICAST_LOOP:
+ *i1 = (ixa->ixa_flags & IXAF_MULTICAST_LOOP) ? 1 : 0;
+ break; /* goto sizeof (int) option return */
+ case IPV6_JOIN_GROUP:
+ case IPV6_LEAVE_GROUP:
+ case MCAST_JOIN_GROUP:
+ case MCAST_LEAVE_GROUP:
+ case MCAST_BLOCK_SOURCE:
+ case MCAST_UNBLOCK_SOURCE:
+ case MCAST_JOIN_SOURCE_GROUP:
+ case MCAST_LEAVE_SOURCE_GROUP:
+ /* cannot "get" the value for these */
+ return (-1);
+ case IPV6_BOUND_IF:
+ /* Zero if not set */
+ *i1 = connp->conn_bound_if;
+ break; /* goto sizeof (int) option return */
+ case IPV6_UNSPEC_SRC:
+ *i1 = connp->conn_unspec_src;
+ break; /* goto sizeof (int) option return */
+ case IPV6_RECVPKTINFO:
+ *i1 = connp->conn_recv_ancillary.crb_ip_recvpktinfo;
+ break; /* goto sizeof (int) option return */
+ case IPV6_RECVTCLASS:
+ *i1 = connp->conn_recv_ancillary.crb_ipv6_recvtclass;
+ break; /* goto sizeof (int) option return */
+ case IPV6_RECVPATHMTU:
+ *i1 = connp->conn_ipv6_recvpathmtu;
+ break; /* goto sizeof (int) option return */
+ case IPV6_RECVHOPLIMIT:
+ *i1 = connp->conn_recv_ancillary.crb_ipv6_recvhoplimit;
+ break; /* goto sizeof (int) option return */
+ case IPV6_RECVHOPOPTS:
+ *i1 = connp->conn_recv_ancillary.crb_ipv6_recvhopopts;
+ break; /* goto sizeof (int) option return */
+ case IPV6_RECVDSTOPTS:
+ *i1 = connp->conn_recv_ancillary.crb_ipv6_recvdstopts;
+ break; /* goto sizeof (int) option return */
+ case _OLD_IPV6_RECVDSTOPTS:
+ *i1 =
+ connp->conn_recv_ancillary.crb_old_ipv6_recvdstopts;
+ break; /* goto sizeof (int) option return */
+ case IPV6_RECVRTHDRDSTOPTS:
+ *i1 = connp->conn_recv_ancillary.
+ crb_ipv6_recvrthdrdstopts;
+ break; /* goto sizeof (int) option return */
+ case IPV6_RECVRTHDR:
+ *i1 = connp->conn_recv_ancillary.crb_ipv6_recvrthdr;
+ break; /* goto sizeof (int) option return */
+ case IPV6_PKTINFO: {
+ /* XXX assumes that caller has room for max size! */
+ struct in6_pktinfo *pkti;
+
+ pkti = (struct in6_pktinfo *)ptr;
+ pkti->ipi6_ifindex = ixa->ixa_ifindex;
+ if (ipp->ipp_fields & IPPF_ADDR)
+ pkti->ipi6_addr = ipp->ipp_addr;
+ else
+ pkti->ipi6_addr = ipv6_all_zeros;
+ return (sizeof (struct in6_pktinfo));
+ }
+ case IPV6_TCLASS:
+ *i1 = ipp->ipp_tclass;
+ break; /* goto sizeof (int) option return */
+ case IPV6_NEXTHOP: {
+ sin6_t *sin6 = (sin6_t *)ptr;
+
+ if (ixa->ixa_flags & IXAF_NEXTHOP_SET)
+ return (0);
+
+ *sin6 = sin6_null;
+ sin6->sin6_family = AF_INET6;
+ sin6->sin6_addr = ixa->ixa_nexthop_v6;
+
+ return (sizeof (sin6_t));
+ }
+ case IPV6_HOPOPTS:
+ if (!(ipp->ipp_fields & IPPF_HOPOPTS))
+ return (0);
+ bcopy(ipp->ipp_hopopts, ptr,
+ ipp->ipp_hopoptslen);
+ return (ipp->ipp_hopoptslen);
+ case IPV6_RTHDRDSTOPTS:
+ if (!(ipp->ipp_fields & IPPF_RTHDRDSTOPTS))
+ return (0);
+ bcopy(ipp->ipp_rthdrdstopts, ptr,
+ ipp->ipp_rthdrdstoptslen);
+ return (ipp->ipp_rthdrdstoptslen);
+ case IPV6_RTHDR:
+ if (!(ipp->ipp_fields & IPPF_RTHDR))
+ return (0);
+ bcopy(ipp->ipp_rthdr, ptr, ipp->ipp_rthdrlen);
+ return (ipp->ipp_rthdrlen);
+ case IPV6_DSTOPTS:
+ if (!(ipp->ipp_fields & IPPF_DSTOPTS))
+ return (0);
+ bcopy(ipp->ipp_dstopts, ptr, ipp->ipp_dstoptslen);
+ return (ipp->ipp_dstoptslen);
+ case IPV6_PATHMTU:
+ return (ip_fill_mtuinfo(connp, ixa,
+ (struct ip6_mtuinfo *)ptr));
+ case IPV6_SEC_OPT:
+ return (ipsec_req_from_conn(connp, (ipsec_req_t *)ptr,
+ IPSEC_AF_V6));
+ case IPV6_SRC_PREFERENCES:
+ return (ip6_get_src_preferences(ixa, (uint32_t *)ptr));
+ case IPV6_DONTFRAG:
+ *i1 = (ixa->ixa_flags & IXAF_DONTFRAG) != 0;
+ return (sizeof (int));
+ case IPV6_USE_MIN_MTU:
+ if (ixa->ixa_flags & IXAF_USE_MIN_MTU)
+ *i1 = ixa->ixa_use_min_mtu;
+ else
+ *i1 = IPV6_USE_MIN_MTU_MULTICAST;
+ break;
+ case IPV6_V6ONLY:
+ *i1 = connp->conn_ipv6_v6only;
+ return (sizeof (int));
+ default:
+ return (-1);
+ }
+ break;
+ case IPPROTO_UDP:
+ switch (name) {
+ case UDP_ANONPRIVBIND:
+ *i1 = connp->conn_anon_priv_bind;
+ break;
+ case UDP_EXCLBIND:
+ *i1 = connp->conn_exclbind ? UDP_EXCLBIND : 0;
+ break;
+ default:
+ return (-1);
+ }
+ break;
+ case IPPROTO_TCP:
+ switch (name) {
+ case TCP_RECVDSTADDR:
+ *i1 = connp->conn_recv_ancillary.crb_recvdstaddr;
+ break;
+ case TCP_ANONPRIVBIND:
+ *i1 = connp->conn_anon_priv_bind;
+ break;
+ case TCP_EXCLBIND:
+ *i1 = connp->conn_exclbind ? TCP_EXCLBIND : 0;
+ break;
+ default:
+ return (-1);
+ }
+ break;
+ default:
+ return (-1);
+ }
+ return (sizeof (int));
+}
+
+static int conn_opt_set_socket(conn_opt_arg_t *coa, t_scalar_t name,
+ uint_t inlen, uchar_t *invalp, boolean_t checkonly, cred_t *cr);
+static int conn_opt_set_ip(conn_opt_arg_t *coa, t_scalar_t name,
+ uint_t inlen, uchar_t *invalp, boolean_t checkonly, cred_t *cr);
+static int conn_opt_set_ipv6(conn_opt_arg_t *coa, t_scalar_t name,
+ uint_t inlen, uchar_t *invalp, boolean_t checkonly, cred_t *cr);
+static int conn_opt_set_udp(conn_opt_arg_t *coa, t_scalar_t name,
+ uint_t inlen, uchar_t *invalp, boolean_t checkonly, cred_t *cr);
+static int conn_opt_set_tcp(conn_opt_arg_t *coa, t_scalar_t name,
+ uint_t inlen, uchar_t *invalp, boolean_t checkonly, cred_t *cr);
+
+/*
+ * This routine sets the most common socket options including some
+ * that are transport/ULP specific.
+ * It returns errno or zero.
+ *
+ * For fixed length options, there is no sanity check
+ * of passed in length is done. It is assumed *_optcom_req()
+ * routines do the right thing.
+ */
+int
+conn_opt_set(conn_opt_arg_t *coa, t_scalar_t level, t_scalar_t name,
+ uint_t inlen, uchar_t *invalp, boolean_t checkonly, cred_t *cr)
+{
+ ASSERT(MUTEX_NOT_HELD(&coa->coa_connp->conn_lock));
+
+ /* We have different functions for different levels */
+ switch (level) {
+ case SOL_SOCKET:
+ return (conn_opt_set_socket(coa, name, inlen, invalp,
+ checkonly, cr));
+ case IPPROTO_IP:
+ return (conn_opt_set_ip(coa, name, inlen, invalp,
+ checkonly, cr));
+ case IPPROTO_IPV6:
+ return (conn_opt_set_ipv6(coa, name, inlen, invalp,
+ checkonly, cr));
+ case IPPROTO_UDP:
+ return (conn_opt_set_udp(coa, name, inlen, invalp,
+ checkonly, cr));
+ case IPPROTO_TCP:
+ return (conn_opt_set_tcp(coa, name, inlen, invalp,
+ checkonly, cr));
+ default:
+ return (0);
+ }
+}
+
+/*
+ * Handle SOL_SOCKET
+ * Note that we do not handle SO_PROTOTYPE here. The ULPs that support
+ * it implement their own checks and setting of conn_proto.
+ */
+/* ARGSUSED1 */
+static int
+conn_opt_set_socket(conn_opt_arg_t *coa, t_scalar_t name, uint_t inlen,
+ uchar_t *invalp, boolean_t checkonly, cred_t *cr)
+{
+ conn_t *connp = coa->coa_connp;
+ ip_xmit_attr_t *ixa = coa->coa_ixa;
+ int *i1 = (int *)invalp;
+ boolean_t onoff = (*i1 == 0) ? 0 : 1;
+
+ switch (name) {
+ case SO_ALLZONES:
+ if (IPCL_IS_BOUND(connp))
+ return (EINVAL);
+ break;
+#ifdef SO_VRRP
+ case SO_VRRP:
+ if (secpolicy_ip_config(cr, checkonly) != 0)
+ return (EACCES);
+ break;
+#endif
+ case SO_MAC_EXEMPT:
+ if (secpolicy_net_mac_aware(cr) != 0)
+ return (EACCES);
+ if (IPCL_IS_BOUND(connp))
+ return (EINVAL);
+ break;
+ case SO_MAC_IMPLICIT:
+ if (secpolicy_net_mac_implicit(cr) != 0)
+ return (EACCES);
+ break;
+ }
+ if (checkonly)
+ return (0);
+
+ mutex_enter(&connp->conn_lock);
+ /* Here we set the actual option value */
+ switch (name) {
+ case SO_DEBUG:
+ connp->conn_debug = onoff;
+ break;
+ case SO_KEEPALIVE:
+ connp->conn_keepalive = onoff;
+ break;
+ case SO_LINGER: {
+ struct linger *lgr = (struct linger *)invalp;
+
+ if (lgr->l_onoff) {
+ connp->conn_linger = 1;
+ connp->conn_lingertime = lgr->l_linger;
+ } else {
+ connp->conn_linger = 0;
+ connp->conn_lingertime = 0;
+ }
+ break;
+ }
+ case SO_OOBINLINE:
+ connp->conn_oobinline = onoff;
+ coa->coa_changed |= COA_OOBINLINE_CHANGED;
+ break;
+ case SO_REUSEADDR:
+ connp->conn_reuseaddr = onoff;
+ break;
+ case SO_DONTROUTE:
+ if (onoff)
+ ixa->ixa_flags |= IXAF_DONTROUTE;
+ else
+ ixa->ixa_flags &= ~IXAF_DONTROUTE;
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ break;
+ case SO_USELOOPBACK:
+ connp->conn_useloopback = onoff;
+ break;
+ case SO_BROADCAST:
+ connp->conn_broadcast = onoff;
+ break;
+ case SO_SNDBUF:
+ /* ULP has range checked the value */
+ connp->conn_sndbuf = *i1;
+ coa->coa_changed |= COA_SNDBUF_CHANGED;
+ break;
+ case SO_RCVBUF:
+ /* ULP has range checked the value */
+ connp->conn_rcvbuf = *i1;
+ coa->coa_changed |= COA_RCVBUF_CHANGED;
+ break;
+ case SO_RCVTIMEO:
+ case SO_SNDTIMEO:
+ /*
+ * Pass these two options in order for third part
+ * protocol usage.
+ */
+ break;
+ case SO_DGRAM_ERRIND:
+ connp->conn_dgram_errind = onoff;
+ break;
+ case SO_RECVUCRED:
+ connp->conn_recv_ancillary.crb_recvucred = onoff;
+ break;
+ case SO_ALLZONES:
+ connp->conn_allzones = onoff;
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ if (onoff)
+ ixa->ixa_zoneid = ALL_ZONES;
+ else
+ ixa->ixa_zoneid = connp->conn_zoneid;
+ break;
+ case SO_TIMESTAMP:
+ connp->conn_recv_ancillary.crb_timestamp = onoff;
+ break;
+#ifdef SO_VRRP
+ case SO_VRRP:
+ connp->conn_isvrrp = onoff;
+ break;
+#endif
+ case SO_ANON_MLP:
+ connp->conn_anon_mlp = onoff;
+ break;
+ case SO_MAC_EXEMPT:
+ connp->conn_mac_mode = onoff ?
+ CONN_MAC_AWARE : CONN_MAC_DEFAULT;
+ break;
+ case SO_MAC_IMPLICIT:
+ connp->conn_mac_mode = onoff ?
+ CONN_MAC_IMPLICIT : CONN_MAC_DEFAULT;
+ break;
+ case SO_EXCLBIND:
+ connp->conn_exclbind = onoff;
+ break;
+ }
+ mutex_exit(&connp->conn_lock);
+ return (0);
+}
+
+/* Handle IPPROTO_IP */
+static int
+conn_opt_set_ip(conn_opt_arg_t *coa, t_scalar_t name, uint_t inlen,
+ uchar_t *invalp, boolean_t checkonly, cred_t *cr)
+{
+ conn_t *connp = coa->coa_connp;
+ ip_xmit_attr_t *ixa = coa->coa_ixa;
+ ip_pkt_t *ipp = coa->coa_ipp;
+ int *i1 = (int *)invalp;
+ boolean_t onoff = (*i1 == 0) ? 0 : 1;
+ ipaddr_t addr = (ipaddr_t)*i1;
+ uint_t ifindex;
+ zoneid_t zoneid = IPCL_ZONEID(connp);
+ ipif_t *ipif;
+ ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+ int error;
+
+ if (connp->conn_family != AF_INET)
+ return (EINVAL);
+
+ switch (name) {
+ case IP_TTL:
+ /* Don't allow zero */
+ if (*i1 < 1 || *i1 > 255)
+ return (EINVAL);
+ break;
+ case IP_MULTICAST_IF:
+ if (addr == INADDR_ANY) {
+ /* Clear */
+ ifindex = 0;
+ break;
+ }
+ ipif = ipif_lookup_addr(addr, NULL, zoneid, ipst);
+ if (ipif == NULL)
+ return (EHOSTUNREACH);
+ /* not supported by the virtual network iface */
+ if (IS_VNI(ipif->ipif_ill)) {
+ ipif_refrele(ipif);
+ return (EINVAL);
+ }
+ ifindex = ipif->ipif_ill->ill_phyint->phyint_ifindex;
+ ipif_refrele(ipif);
+ break;
+ case IP_NEXTHOP: {
+ ire_t *ire;
+
+ if (addr == INADDR_ANY) {
+ /* Clear */
+ break;
+ }
+ /* Verify that the next-hop is on-link */
+ ire = ire_ftable_lookup_v4(addr, 0, 0, IRE_ONLINK, NULL, zoneid,
+ NULL, MATCH_IRE_TYPE, 0, ipst, NULL);
+ if (ire == NULL)
+ return (EHOSTUNREACH);
+ ire_refrele(ire);
+ break;
+ }
+ case IP_OPTIONS:
+ case T_IP_OPTIONS: {
+ uint_t newlen;
+
+ if (ipp->ipp_fields & IPPF_LABEL_V4)
+ newlen = inlen + (ipp->ipp_label_len_v4 + 3) & ~3;
+ else
+ newlen = inlen;
+ if ((inlen & 0x3) || newlen > IP_MAX_OPT_LENGTH) {
+ return (EINVAL);
+ }
+ break;
+ }
+ case IP_PKTINFO: {
+ struct in_pktinfo *pktinfo;
+
+ /* Two different valid lengths */
+ if (inlen != sizeof (int) &&
+ inlen != sizeof (struct in_pktinfo))
+ return (EINVAL);
+ if (inlen == sizeof (int))
+ break;
+
+ pktinfo = (struct in_pktinfo *)invalp;
+ if (pktinfo->ipi_spec_dst.s_addr != INADDR_ANY) {
+ switch (ip_laddr_verify_v4(pktinfo->ipi_spec_dst.s_addr,
+ zoneid, ipst, B_FALSE)) {
+ case IPVL_UNICAST_UP:
+ case IPVL_UNICAST_DOWN:
+ break;
+ default:
+ return (EADDRNOTAVAIL);
+ }
+ }
+ if (!ip_ifindex_valid(pktinfo->ipi_ifindex, B_FALSE, ipst))
+ return (ENXIO);
+ break;
+ }
+ case IP_BOUND_IF:
+ ifindex = *(uint_t *)i1;
+
+ /* Just check it is ok. */
+ if (!ip_ifindex_valid(ifindex, B_FALSE, ipst))
+ return (ENXIO);
+ break;
+ }
+ if (checkonly)
+ return (0);
+
+ /* Here we set the actual option value */
+ /*
+ * conn_lock protects the bitfields, and is used to
+ * set the fields atomically. Not needed for ixa settings since
+ * the caller has an exclusive copy of the ixa.
+ * We can not hold conn_lock across the multicast options though.
+ */
+ switch (name) {
+ case IP_OPTIONS:
+ case T_IP_OPTIONS:
+ /* Save options for use by IP. */
+ mutex_enter(&connp->conn_lock);
+ error = optcom_pkt_set(invalp, inlen,
+ (uchar_t **)&ipp->ipp_ipv4_options,
+ &ipp->ipp_ipv4_options_len);
+ if (error != 0) {
+ mutex_exit(&connp->conn_lock);
+ return (error);
+ }
+ if (ipp->ipp_ipv4_options_len == 0) {
+ ipp->ipp_fields &= ~IPPF_IPV4_OPTIONS;
+ } else {
+ ipp->ipp_fields |= IPPF_IPV4_OPTIONS;
+ }
+ mutex_exit(&connp->conn_lock);
+ coa->coa_changed |= COA_HEADER_CHANGED;
+ coa->coa_changed |= COA_WROFF_CHANGED;
+ break;
+
+ case IP_TTL:
+ mutex_enter(&connp->conn_lock);
+ ipp->ipp_unicast_hops = *i1;
+ mutex_exit(&connp->conn_lock);
+ coa->coa_changed |= COA_HEADER_CHANGED;
+ break;
+ case IP_TOS:
+ case T_IP_TOS:
+ mutex_enter(&connp->conn_lock);
+ if (*i1 == -1) {
+ ipp->ipp_type_of_service = 0;
+ } else {
+ ipp->ipp_type_of_service = *i1;
+ }
+ mutex_exit(&connp->conn_lock);
+ coa->coa_changed |= COA_HEADER_CHANGED;
+ break;
+ case IP_MULTICAST_IF:
+ ixa->ixa_multicast_ifindex = ifindex;
+ ixa->ixa_multicast_ifaddr = addr;
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ break;
+ case IP_MULTICAST_TTL:
+ ixa->ixa_multicast_ttl = *invalp;
+ /* Handled automatically by ip_output */
+ break;
+ case IP_MULTICAST_LOOP:
+ if (*invalp != 0)
+ ixa->ixa_flags |= IXAF_MULTICAST_LOOP;
+ else
+ ixa->ixa_flags &= ~IXAF_MULTICAST_LOOP;
+ /* Handled automatically by ip_output */
+ break;
+ case IP_RECVOPTS:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_recv_ancillary.crb_recvopts = onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IP_RECVDSTADDR:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_recv_ancillary.crb_recvdstaddr = onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IP_RECVIF:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_recv_ancillary.crb_recvif = onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IP_RECVSLLA:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_recv_ancillary.crb_recvslla = onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IP_RECVTTL:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_recv_ancillary.crb_recvttl = onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IP_PKTINFO: {
+ /*
+ * This also handles IP_RECVPKTINFO.
+ * IP_PKTINFO and IP_RECVPKTINFO have same value.
+ * Differentiation is based on the size of the
+ * argument passed in.
+ */
+ struct in_pktinfo *pktinfo;
+
+ if (inlen == sizeof (int)) {
+ /* This is IP_RECVPKTINFO option. */
+ mutex_enter(&connp->conn_lock);
+ connp->conn_recv_ancillary.crb_ip_recvpktinfo =
+ onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ }
+
+ /* This is IP_PKTINFO option. */
+ mutex_enter(&connp->conn_lock);
+ pktinfo = (struct in_pktinfo *)invalp;
+ if (ipp->ipp_addr_v4 != INADDR_ANY) {
+ ipp->ipp_fields |= IPPF_ADDR;
+ IN6_INADDR_TO_V4MAPPED(&pktinfo->ipi_spec_dst,
+ &ipp->ipp_addr);
+ } else {
+ ipp->ipp_fields &= ~IPPF_ADDR;
+ ipp->ipp_addr = ipv6_all_zeros;
+ }
+ mutex_exit(&connp->conn_lock);
+ ixa->ixa_ifindex = pktinfo->ipi_ifindex;
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ coa->coa_changed |= COA_HEADER_CHANGED;
+ break;
+ }
+ case IP_DONTFRAG:
+ if (onoff) {
+ ixa->ixa_flags |= (IXAF_DONTFRAG | IXAF_PMTU_IPV4_DF);
+ ixa->ixa_flags &= ~IXAF_PMTU_DISCOVERY;
+ } else {
+ ixa->ixa_flags &= ~(IXAF_DONTFRAG | IXAF_PMTU_IPV4_DF);
+ ixa->ixa_flags |= IXAF_PMTU_DISCOVERY;
+ }
+ /* Need to redo ip_attr_connect */
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ break;
+ case IP_ADD_MEMBERSHIP:
+ case IP_DROP_MEMBERSHIP:
+ case MCAST_JOIN_GROUP:
+ case MCAST_LEAVE_GROUP:
+ return (ip_opt_set_multicast_group(connp, name,
+ invalp, B_FALSE, checkonly));
+
+ case IP_BLOCK_SOURCE:
+ case IP_UNBLOCK_SOURCE:
+ case IP_ADD_SOURCE_MEMBERSHIP:
+ case IP_DROP_SOURCE_MEMBERSHIP:
+ case MCAST_BLOCK_SOURCE:
+ case MCAST_UNBLOCK_SOURCE:
+ case MCAST_JOIN_SOURCE_GROUP:
+ case MCAST_LEAVE_SOURCE_GROUP:
+ return (ip_opt_set_multicast_sources(connp, name,
+ invalp, B_FALSE, checkonly));
+
+ case IP_SEC_OPT:
+ mutex_enter(&connp->conn_lock);
+ error = ipsec_set_req(cr, connp, (ipsec_req_t *)invalp);
+ mutex_exit(&connp->conn_lock);
+ if (error != 0) {
+ return (error);
+ }
+ /* This is an IPsec policy change - redo ip_attr_connect */
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ break;
+ case IP_NEXTHOP:
+ ixa->ixa_nexthop_v4 = addr;
+ if (addr != INADDR_ANY)
+ ixa->ixa_flags |= IXAF_NEXTHOP_SET;
+ else
+ ixa->ixa_flags &= ~IXAF_NEXTHOP_SET;
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ break;
+
+ case IP_BOUND_IF:
+ ixa->ixa_ifindex = ifindex; /* Send */
+ mutex_enter(&connp->conn_lock);
+ connp->conn_incoming_ifindex = ifindex; /* Receive */
+ connp->conn_bound_if = ifindex; /* getsockopt */
+ mutex_exit(&connp->conn_lock);
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ break;
+ case IP_UNSPEC_SRC:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_unspec_src = onoff;
+ if (onoff)
+ ixa->ixa_flags &= ~IXAF_VERIFY_SOURCE;
+ else
+ ixa->ixa_flags |= IXAF_VERIFY_SOURCE;
+
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IP_BROADCAST_TTL:
+ ixa->ixa_broadcast_ttl = *invalp;
+ ixa->ixa_flags |= IXAF_BROADCAST_TTL_SET;
+ /* Handled automatically by ip_output */
+ break;
+ case MRT_INIT:
+ case MRT_DONE:
+ case MRT_ADD_VIF:
+ case MRT_DEL_VIF:
+ case MRT_ADD_MFC:
+ case MRT_DEL_MFC:
+ case MRT_ASSERT:
+ if ((error = secpolicy_ip_config(cr, B_FALSE)) != 0) {
+ return (error);
+ }
+ error = ip_mrouter_set((int)name, connp, checkonly,
+ (uchar_t *)invalp, inlen);
+ if (error) {
+ return (error);
+ }
+ return (0);
+
+ }
+ return (0);
+}
+
+/* Handle IPPROTO_IPV6 */
+static int
+conn_opt_set_ipv6(conn_opt_arg_t *coa, t_scalar_t name, uint_t inlen,
+ uchar_t *invalp, boolean_t checkonly, cred_t *cr)
+{
+ conn_t *connp = coa->coa_connp;
+ ip_xmit_attr_t *ixa = coa->coa_ixa;
+ ip_pkt_t *ipp = coa->coa_ipp;
+ int *i1 = (int *)invalp;
+ boolean_t onoff = (*i1 == 0) ? 0 : 1;
+ uint_t ifindex;
+ zoneid_t zoneid = IPCL_ZONEID(connp);
+ ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+ int error;
+
+ if (connp->conn_family != AF_INET6)
+ return (EINVAL);
+
+ switch (name) {
+ case IPV6_MULTICAST_IF:
+ /*
+ * The only possible error is EINVAL.
+ * We call this option on both V4 and V6
+ * If both fail, then this call returns
+ * EINVAL. If at least one of them succeeds we
+ * return success.
+ */
+ ifindex = *(uint_t *)i1;
+
+ if (!ip_ifindex_valid(ifindex, B_TRUE, ipst) &&
+ !ip_ifindex_valid(ifindex, B_FALSE, ipst))
+ return (EINVAL);
+ break;
+ case IPV6_UNICAST_HOPS:
+ /* Don't allow zero. -1 means to use default */
+ if (*i1 < -1 || *i1 == 0 || *i1 > IPV6_MAX_HOPS)
+ return (EINVAL);
+ break;
+ case IPV6_MULTICAST_HOPS:
+ /* -1 means use default */
+ if (*i1 < -1 || *i1 > IPV6_MAX_HOPS)
+ return (EINVAL);
+ break;
+ case IPV6_MULTICAST_LOOP:
+ if (*i1 != 0 && *i1 != 1)
+ return (EINVAL);
+ break;
+ case IPV6_BOUND_IF:
+ ifindex = *(uint_t *)i1;
+
+ if (!ip_ifindex_valid(ifindex, B_TRUE, ipst))
+ return (ENXIO);
+ break;
+ case IPV6_PKTINFO: {
+ struct in6_pktinfo *pkti;
+ boolean_t isv6;
+
+ if (inlen != 0 && inlen != sizeof (struct in6_pktinfo))
+ return (EINVAL);
+ if (inlen == 0)
+ break; /* Clear values below */
+
+ /*
+ * Verify the source address and ifindex. Privileged users
+ * can use any source address.
+ */
+ pkti = (struct in6_pktinfo *)invalp;
+
+ /*
+ * For link-local addresses we use the ipi6_ifindex when
+ * we verify the local address.
+ * If net_rawaccess then any source address can be used.
+ */
+ if (!IN6_IS_ADDR_UNSPECIFIED(&pkti->ipi6_addr) &&
+ secpolicy_net_rawaccess(cr) != 0) {
+ uint_t scopeid = 0;
+ in6_addr_t *v6src = &pkti->ipi6_addr;
+ ipaddr_t v4src;
+ ip_laddr_t laddr_type = IPVL_UNICAST_UP;
+
+ if (IN6_IS_ADDR_V4MAPPED(v6src)) {
+ IN6_V4MAPPED_TO_IPADDR(v6src, v4src);
+ if (v4src != INADDR_ANY) {
+ laddr_type = ip_laddr_verify_v4(v4src,
+ zoneid, ipst, B_FALSE);
+ }
+ } else {
+ if (IN6_IS_ADDR_LINKSCOPE(v6src))
+ scopeid = pkti->ipi6_ifindex;
+
+ laddr_type = ip_laddr_verify_v6(v6src, zoneid,
+ ipst, B_FALSE, scopeid);
+ }
+ switch (laddr_type) {
+ case IPVL_UNICAST_UP:
+ case IPVL_UNICAST_DOWN:
+ break;
+ default:
+ return (EADDRNOTAVAIL);
+ }
+ ixa->ixa_flags |= IXAF_VERIFY_SOURCE;
+ } else if (!IN6_IS_ADDR_UNSPECIFIED(&pkti->ipi6_addr)) {
+ /* Allow any source */
+ ixa->ixa_flags &= ~IXAF_VERIFY_SOURCE;
+ }
+ isv6 = !(IN6_IS_ADDR_V4MAPPED(&pkti->ipi6_addr));
+ if (!ip_ifindex_valid(pkti->ipi6_ifindex, isv6, ipst))
+ return (ENXIO);
+ break;
+ }
+ case IPV6_HOPLIMIT:
+ /* It is only allowed as ancilary data */
+ if (!coa->coa_ancillary)
+ return (EINVAL);
+
+ if (inlen != 0 && inlen != sizeof (int))
+ return (EINVAL);
+ if (inlen == sizeof (int)) {
+ if (*i1 > 255 || *i1 < -1 || *i1 == 0)
+ return (EINVAL);
+ }
+ break;
+ case IPV6_TCLASS:
+ if (inlen != 0 && inlen != sizeof (int))
+ return (EINVAL);
+ if (inlen == sizeof (int)) {
+ if (*i1 > 255 || *i1 < -1)
+ return (EINVAL);
+ }
+ break;
+ case IPV6_NEXTHOP:
+ if (inlen != 0 && inlen != sizeof (sin6_t))
+ return (EINVAL);
+ if (inlen == sizeof (sin6_t)) {
+ sin6_t *sin6 = (sin6_t *)invalp;
+ ire_t *ire;
+
+ if (sin6->sin6_family != AF_INET6)
+ return (EAFNOSUPPORT);
+ if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr))
+ return (EADDRNOTAVAIL);
+
+ /* Verify that the next-hop is on-link */
+ ire = ire_ftable_lookup_v6(&sin6->sin6_addr,
+ 0, 0, IRE_ONLINK, NULL, zoneid,
+ NULL, MATCH_IRE_TYPE, 0, ipst, NULL);
+ if (ire == NULL)
+ return (EHOSTUNREACH);
+ ire_refrele(ire);
+ break;
+ }
+ break;
+ case IPV6_RTHDR:
+ case IPV6_DSTOPTS:
+ case IPV6_RTHDRDSTOPTS:
+ case IPV6_HOPOPTS: {
+ /* All have the length field in the same place */
+ ip6_hbh_t *hopts = (ip6_hbh_t *)invalp;
+ /*
+ * Sanity checks - minimum size, size a multiple of
+ * eight bytes, and matching size passed in.
+ */
+ if (inlen != 0 &&
+ inlen != (8 * (hopts->ip6h_len + 1)))
+ return (EINVAL);
+ break;
+ }
+ case IPV6_PATHMTU:
+ /* Can't be set */
+ return (EINVAL);
+
+ case IPV6_USE_MIN_MTU:
+ if (inlen != sizeof (int))
+ return (EINVAL);
+ if (*i1 < -1 || *i1 > 1)
+ return (EINVAL);
+ break;
+ case IPV6_SRC_PREFERENCES:
+ if (inlen != sizeof (uint32_t))
+ return (EINVAL);
+ break;
+ case IPV6_V6ONLY:
+ if (*i1 < 0 || *i1 > 1) {
+ return (EINVAL);
+ }
+ break;
+ }
+ if (checkonly)
+ return (0);
+
+ /* Here we set the actual option value */
+ /*
+ * conn_lock protects the bitfields, and is used to
+ * set the fields atomically. Not needed for ixa settings since
+ * the caller has an exclusive copy of the ixa.
+ * We can not hold conn_lock across the multicast options though.
+ */
+ ASSERT(MUTEX_NOT_HELD(&coa->coa_connp->conn_lock));
+ switch (name) {
+ case IPV6_MULTICAST_IF:
+ ixa->ixa_multicast_ifindex = ifindex;
+ /* Need to redo ip_attr_connect */
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ break;
+ case IPV6_UNICAST_HOPS:
+ /* -1 means use default */
+ mutex_enter(&connp->conn_lock);
+ if (*i1 == -1) {
+ ipp->ipp_unicast_hops = connp->conn_default_ttl;
+ } else {
+ ipp->ipp_unicast_hops = (uint8_t)*i1;
+ }
+ mutex_exit(&connp->conn_lock);
+ coa->coa_changed |= COA_HEADER_CHANGED;
+ break;
+ case IPV6_MULTICAST_HOPS:
+ /* -1 means use default */
+ if (*i1 == -1) {
+ ixa->ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
+ } else {
+ ixa->ixa_multicast_ttl = (uint8_t)*i1;
+ }
+ /* Handled automatically by ip_output */
+ break;
+ case IPV6_MULTICAST_LOOP:
+ if (*i1 != 0)
+ ixa->ixa_flags |= IXAF_MULTICAST_LOOP;
+ else
+ ixa->ixa_flags &= ~IXAF_MULTICAST_LOOP;
+ /* Handled automatically by ip_output */
+ break;
+ case IPV6_JOIN_GROUP:
+ case IPV6_LEAVE_GROUP:
+ case MCAST_JOIN_GROUP:
+ case MCAST_LEAVE_GROUP:
+ return (ip_opt_set_multicast_group(connp, name,
+ invalp, B_TRUE, checkonly));
+
+ case MCAST_BLOCK_SOURCE:
+ case MCAST_UNBLOCK_SOURCE:
+ case MCAST_JOIN_SOURCE_GROUP:
+ case MCAST_LEAVE_SOURCE_GROUP:
+ return (ip_opt_set_multicast_sources(connp, name,
+ invalp, B_TRUE, checkonly));
+
+ case IPV6_BOUND_IF:
+ ixa->ixa_ifindex = ifindex; /* Send */
+ mutex_enter(&connp->conn_lock);
+ connp->conn_incoming_ifindex = ifindex; /* Receive */
+ connp->conn_bound_if = ifindex; /* getsockopt */
+ mutex_exit(&connp->conn_lock);
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ break;
+ case IPV6_UNSPEC_SRC:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_unspec_src = onoff;
+ if (onoff)
+ ixa->ixa_flags &= ~IXAF_VERIFY_SOURCE;
+ else
+ ixa->ixa_flags |= IXAF_VERIFY_SOURCE;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IPV6_RECVPKTINFO:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_recv_ancillary.crb_ip_recvpktinfo = onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IPV6_RECVTCLASS:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_recv_ancillary.crb_ipv6_recvtclass = onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IPV6_RECVPATHMTU:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_ipv6_recvpathmtu = onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IPV6_RECVHOPLIMIT:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_recv_ancillary.crb_ipv6_recvhoplimit =
+ onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IPV6_RECVHOPOPTS:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_recv_ancillary.crb_ipv6_recvhopopts = onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IPV6_RECVDSTOPTS:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_recv_ancillary.crb_ipv6_recvdstopts = onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case _OLD_IPV6_RECVDSTOPTS:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_recv_ancillary.crb_old_ipv6_recvdstopts =
+ onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IPV6_RECVRTHDRDSTOPTS:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_recv_ancillary.crb_ipv6_recvrthdrdstopts =
+ onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IPV6_RECVRTHDR:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_recv_ancillary.crb_ipv6_recvrthdr = onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ case IPV6_PKTINFO:
+ mutex_enter(&connp->conn_lock);
+ if (inlen == 0) {
+ ipp->ipp_fields &= ~IPPF_ADDR;
+ ipp->ipp_addr = ipv6_all_zeros;
+ ixa->ixa_ifindex = 0;
+ } else {
+ struct in6_pktinfo *pkti;
+
+ pkti = (struct in6_pktinfo *)invalp;
+ ipp->ipp_addr = pkti->ipi6_addr;
+ if (!IN6_IS_ADDR_UNSPECIFIED(&ipp->ipp_addr))
+ ipp->ipp_fields |= IPPF_ADDR;
+ else
+ ipp->ipp_fields &= ~IPPF_ADDR;
+ ixa->ixa_ifindex = pkti->ipi6_ifindex;
+ }
+ mutex_exit(&connp->conn_lock);
+ /* Source and ifindex might have changed */
+ coa->coa_changed |= COA_HEADER_CHANGED;
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ break;
+ case IPV6_HOPLIMIT:
+ mutex_enter(&connp->conn_lock);
+ if (inlen == 0 || *i1 == -1) {
+ /* Revert to default */
+ ipp->ipp_fields &= ~IPPF_HOPLIMIT;
+ ixa->ixa_flags &= ~IXAF_NO_TTL_CHANGE;
+ } else {
+ ipp->ipp_hoplimit = *i1;
+ ipp->ipp_fields |= IPPF_HOPLIMIT;
+ /* Ensure that it sticks for multicast packets */
+ ixa->ixa_flags |= IXAF_NO_TTL_CHANGE;
+ }
+ mutex_exit(&connp->conn_lock);
+ coa->coa_changed |= COA_HEADER_CHANGED;
+ break;
+ case IPV6_TCLASS:
+ /*
+ * IPV6_TCLASS accepts -1 as use kernel default
+ * and [0, 255] as the actualy traffic class.
+ */
+ mutex_enter(&connp->conn_lock);
+ if (inlen == 0 || *i1 == -1) {
+ ipp->ipp_tclass = 0;
+ ipp->ipp_fields &= ~IPPF_TCLASS;
+ } else {
+ ipp->ipp_tclass = *i1;
+ ipp->ipp_fields |= IPPF_TCLASS;
+ }
+ mutex_exit(&connp->conn_lock);
+ coa->coa_changed |= COA_HEADER_CHANGED;
+ break;
+ case IPV6_NEXTHOP:
+ if (inlen == 0) {
+ ixa->ixa_flags &= ~IXAF_NEXTHOP_SET;
+ } else {
+ sin6_t *sin6 = (sin6_t *)invalp;
+
+ ixa->ixa_nexthop_v6 = sin6->sin6_addr;
+ if (!IN6_IS_ADDR_UNSPECIFIED(&ixa->ixa_nexthop_v6))
+ ixa->ixa_flags |= IXAF_NEXTHOP_SET;
+ else
+ ixa->ixa_flags &= ~IXAF_NEXTHOP_SET;
+ }
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ break;
+ case IPV6_HOPOPTS:
+ mutex_enter(&connp->conn_lock);
+ error = optcom_pkt_set(invalp, inlen,
+ (uchar_t **)&ipp->ipp_hopopts, &ipp->ipp_hopoptslen);
+ if (error != 0) {
+ mutex_exit(&connp->conn_lock);
+ return (error);
+ }
+ if (ipp->ipp_hopoptslen == 0) {
+ ipp->ipp_fields &= ~IPPF_HOPOPTS;
+ } else {
+ ipp->ipp_fields |= IPPF_HOPOPTS;
+ }
+ mutex_exit(&connp->conn_lock);
+ coa->coa_changed |= COA_HEADER_CHANGED;
+ coa->coa_changed |= COA_WROFF_CHANGED;
+ break;
+ case IPV6_RTHDRDSTOPTS:
+ mutex_enter(&connp->conn_lock);
+ error = optcom_pkt_set(invalp, inlen,
+ (uchar_t **)&ipp->ipp_rthdrdstopts,
+ &ipp->ipp_rthdrdstoptslen);
+ if (error != 0) {
+ mutex_exit(&connp->conn_lock);
+ return (error);
+ }
+ if (ipp->ipp_rthdrdstoptslen == 0) {
+ ipp->ipp_fields &= ~IPPF_RTHDRDSTOPTS;
+ } else {
+ ipp->ipp_fields |= IPPF_RTHDRDSTOPTS;
+ }
+ mutex_exit(&connp->conn_lock);
+ coa->coa_changed |= COA_HEADER_CHANGED;
+ coa->coa_changed |= COA_WROFF_CHANGED;
+ break;
+ case IPV6_DSTOPTS:
+ mutex_enter(&connp->conn_lock);
+ error = optcom_pkt_set(invalp, inlen,
+ (uchar_t **)&ipp->ipp_dstopts, &ipp->ipp_dstoptslen);
+ if (error != 0) {
+ mutex_exit(&connp->conn_lock);
+ return (error);
+ }
+ if (ipp->ipp_dstoptslen == 0) {
+ ipp->ipp_fields &= ~IPPF_DSTOPTS;
+ } else {
+ ipp->ipp_fields |= IPPF_DSTOPTS;
+ }
+ mutex_exit(&connp->conn_lock);
+ coa->coa_changed |= COA_HEADER_CHANGED;
+ coa->coa_changed |= COA_WROFF_CHANGED;
+ break;
+ case IPV6_RTHDR:
+ mutex_enter(&connp->conn_lock);
+ error = optcom_pkt_set(invalp, inlen,
+ (uchar_t **)&ipp->ipp_rthdr, &ipp->ipp_rthdrlen);
+ if (error != 0) {
+ mutex_exit(&connp->conn_lock);
+ return (error);
+ }
+ if (ipp->ipp_rthdrlen == 0) {
+ ipp->ipp_fields &= ~IPPF_RTHDR;
+ } else {
+ ipp->ipp_fields |= IPPF_RTHDR;
+ }
+ mutex_exit(&connp->conn_lock);
+ coa->coa_changed |= COA_HEADER_CHANGED;
+ coa->coa_changed |= COA_WROFF_CHANGED;
+ break;
+
+ case IPV6_DONTFRAG:
+ if (onoff) {
+ ixa->ixa_flags |= IXAF_DONTFRAG;
+ ixa->ixa_flags &= ~IXAF_PMTU_DISCOVERY;
+ } else {
+ ixa->ixa_flags &= ~IXAF_DONTFRAG;
+ ixa->ixa_flags |= IXAF_PMTU_DISCOVERY;
+ }
+ /* Need to redo ip_attr_connect */
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ break;
+
+ case IPV6_USE_MIN_MTU:
+ ixa->ixa_flags |= IXAF_USE_MIN_MTU;
+ ixa->ixa_use_min_mtu = *i1;
+ /* Need to redo ip_attr_connect */
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ break;
+
+ case IPV6_SEC_OPT:
+ mutex_enter(&connp->conn_lock);
+ error = ipsec_set_req(cr, connp, (ipsec_req_t *)invalp);
+ mutex_exit(&connp->conn_lock);
+ if (error != 0) {
+ return (error);
+ }
+ /* This is an IPsec policy change - redo ip_attr_connect */
+ coa->coa_changed |= COA_ROUTE_CHANGED;
+ break;
+ case IPV6_SRC_PREFERENCES:
+ /*
+ * This socket option only affects connected
+ * sockets that haven't already bound to a specific
+ * IPv6 address. In other words, sockets that
+ * don't call bind() with an address other than the
+ * unspecified address and that call connect().
+ * ip_set_destination_v6() passes these preferences
+ * to the ipif_select_source_v6() function.
+ */
+ mutex_enter(&connp->conn_lock);
+ error = ip6_set_src_preferences(ixa, *(uint32_t *)invalp);
+ mutex_exit(&connp->conn_lock);
+ if (error != 0) {
+ return (error);
+ }
+ break;
+ case IPV6_V6ONLY:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_ipv6_v6only = onoff;
+ mutex_exit(&connp->conn_lock);
+ break;
+ }
+ return (0);
+}
+
+/* Handle IPPROTO_UDP */
+/* ARGSUSED1 */
+static int
+conn_opt_set_udp(conn_opt_arg_t *coa, t_scalar_t name, uint_t inlen,
+ uchar_t *invalp, boolean_t checkonly, cred_t *cr)
+{
+ conn_t *connp = coa->coa_connp;
+ int *i1 = (int *)invalp;
+ boolean_t onoff = (*i1 == 0) ? 0 : 1;
+ int error;
+
+ switch (name) {
+ case UDP_ANONPRIVBIND:
+ if ((error = secpolicy_net_privaddr(cr, 0, IPPROTO_UDP)) != 0) {
+ return (error);
+ }
+ break;
+ }
+ if (checkonly)
+ return (0);
+
+ /* Here we set the actual option value */
+ mutex_enter(&connp->conn_lock);
+ switch (name) {
+ case UDP_ANONPRIVBIND:
+ connp->conn_anon_priv_bind = onoff;
+ break;
+ case UDP_EXCLBIND:
+ connp->conn_exclbind = onoff;
+ break;
+ }
+ mutex_exit(&connp->conn_lock);
+ return (0);
+}
+
+/* Handle IPPROTO_TCP */
+/* ARGSUSED1 */
+static int
+conn_opt_set_tcp(conn_opt_arg_t *coa, t_scalar_t name, uint_t inlen,
+ uchar_t *invalp, boolean_t checkonly, cred_t *cr)
+{
+ conn_t *connp = coa->coa_connp;
+ int *i1 = (int *)invalp;
+ boolean_t onoff = (*i1 == 0) ? 0 : 1;
+ int error;
+
+ switch (name) {
+ case TCP_ANONPRIVBIND:
+ if ((error = secpolicy_net_privaddr(cr, 0, IPPROTO_TCP)) != 0) {
+ return (error);
+ }
+ break;
+ }
+ if (checkonly)
+ return (0);
+
+ /* Here we set the actual option value */
+ mutex_enter(&connp->conn_lock);
+ switch (name) {
+ case TCP_ANONPRIVBIND:
+ connp->conn_anon_priv_bind = onoff;
+ break;
+ case TCP_EXCLBIND:
+ connp->conn_exclbind = onoff;
+ break;
+ case TCP_RECVDSTADDR:
+ connp->conn_recv_ancillary.crb_recvdstaddr = onoff;
+ break;
+ }
+ mutex_exit(&connp->conn_lock);
+ return (0);
+}
+
+int
+conn_getsockname(conn_t *connp, struct sockaddr *sa, uint_t *salenp)
+{
+ sin_t *sin;
+ sin6_t *sin6;
+
+ if (connp->conn_family == AF_INET) {
+ if (*salenp < sizeof (sin_t))
+ return (EINVAL);
+
+ *salenp = sizeof (sin_t);
+ /* Fill zeroes and then initialize non-zero fields */
+ sin = (sin_t *)sa;
+ *sin = sin_null;
+ sin->sin_family = AF_INET;
+ if (!IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_saddr_v6) &&
+ !IN6_IS_ADDR_UNSPECIFIED(&connp->conn_saddr_v6)) {
+ sin->sin_addr.s_addr = connp->conn_saddr_v4;
+ } else {
+ /*
+ * INADDR_ANY
+ * conn_saddr is not set, we might be bound to
+ * broadcast/multicast. Use conn_bound_addr as
+ * local address instead (that could
+ * also still be INADDR_ANY)
+ */
+ sin->sin_addr.s_addr = connp->conn_bound_addr_v4;
+ }
+ sin->sin_port = connp->conn_lport;
+ } else {
+ if (*salenp < sizeof (sin6_t))
+ return (EINVAL);
+
+ *salenp = sizeof (sin6_t);
+ /* Fill zeroes and then initialize non-zero fields */
+ sin6 = (sin6_t *)sa;
+ *sin6 = sin6_null;
+ sin6->sin6_family = AF_INET6;
+ if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_saddr_v6)) {
+ sin6->sin6_addr = connp->conn_saddr_v6;
+ } else {
+ /*
+ * conn_saddr is not set, we might be bound to
+ * broadcast/multicast. Use conn_bound_addr as
+ * local address instead (which could
+ * also still be unspecified)
+ */
+ sin6->sin6_addr = connp->conn_bound_addr_v6;
+ }
+ sin6->sin6_port = connp->conn_lport;
+ if (IN6_IS_ADDR_LINKSCOPE(&sin6->sin6_addr) &&
+ (connp->conn_ixa->ixa_flags & IXAF_SCOPEID_SET))
+ sin6->sin6_scope_id = connp->conn_ixa->ixa_scopeid;
+ }
+ return (0);
+}
+
+int
+conn_getpeername(conn_t *connp, struct sockaddr *sa, uint_t *salenp)
+{
+ struct sockaddr_in *sin;
+ struct sockaddr_in6 *sin6;
+
+ if (connp->conn_family == AF_INET) {
+ if (*salenp < sizeof (sin_t))
+ return (EINVAL);
+
+ *salenp = sizeof (sin_t);
+ /* initialize */
+ sin = (sin_t *)sa;
+ *sin = sin_null;
+ sin->sin_family = AF_INET;
+ sin->sin_addr.s_addr = connp->conn_faddr_v4;
+ sin->sin_port = connp->conn_fport;
+ } else {
+ if (*salenp < sizeof (sin6_t))
+ return (EINVAL);
+
+ *salenp = sizeof (sin6_t);
+ /* initialize */
+ sin6 = (sin6_t *)sa;
+ *sin6 = sin6_null;
+ sin6->sin6_family = AF_INET6;
+ sin6->sin6_addr = connp->conn_faddr_v6;
+ sin6->sin6_port = connp->conn_fport;
+ sin6->sin6_flowinfo = connp->conn_flowinfo;
+ if (IN6_IS_ADDR_LINKSCOPE(&sin6->sin6_addr) &&
+ (connp->conn_ixa->ixa_flags & IXAF_SCOPEID_SET))
+ sin6->sin6_scope_id = connp->conn_ixa->ixa_scopeid;
+ }
+ return (0);
+}
+
+static uint32_t cksum_massage_options_v4(ipha_t *, netstack_t *);
+static uint32_t cksum_massage_options_v6(ip6_t *, uint_t, netstack_t *);
+
+/*
+ * Allocate and fill in conn_ht_iphc based on the current information
+ * in the conn.
+ * Normally used when we bind() and connect().
+ * Returns failure if can't allocate memory, or if there is a problem
+ * with a routing header/option.
+ *
+ * We allocate space for the transport header (ulp_hdr_len + extra) and
+ * indicate the offset of the ulp header by setting ixa_ip_hdr_length.
+ * The extra is there for transports that want some spare room for future
+ * options. conn_ht_iphc_allocated is what was allocated; conn_ht_iphc_len
+ * excludes the extra part.
+ *
+ * We massage an routing option/header and store the ckecksum difference
+ * in conn_sum.
+ *
+ * Caller needs to update conn_wroff if desired.
+ */
+int
+conn_build_hdr_template(conn_t *connp, uint_t ulp_hdr_length, uint_t extra,
+ const in6_addr_t *v6src, const in6_addr_t *v6dst, uint32_t flowinfo)
+{
+ ip_xmit_attr_t *ixa = connp->conn_ixa;
+ ip_pkt_t *ipp = &connp->conn_xmit_ipp;
+ uint_t ip_hdr_length;
+ uchar_t *hdrs;
+ uint_t hdrs_len;
+
+ ASSERT(MUTEX_HELD(&connp->conn_lock));
+
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ip_hdr_length = ip_total_hdrs_len_v4(ipp);
+ /* In case of TX label and IP options it can be too much */
+ if (ip_hdr_length > IP_MAX_HDR_LENGTH) {
+ /* Preserves existing TX errno for this */
+ return (EHOSTUNREACH);
+ }
+ } else {
+ ip_hdr_length = ip_total_hdrs_len_v6(ipp);
+ }
+ ixa->ixa_ip_hdr_length = ip_hdr_length;
+ hdrs_len = ip_hdr_length + ulp_hdr_length + extra;
+ ASSERT(hdrs_len != 0);
+
+ if (hdrs_len != connp->conn_ht_iphc_allocated) {
+ /* Allocate new before we free any old */
+ hdrs = kmem_alloc(hdrs_len, KM_NOSLEEP);
+ if (hdrs == NULL)
+ return (ENOMEM);
+
+ if (connp->conn_ht_iphc != NULL) {
+ kmem_free(connp->conn_ht_iphc,
+ connp->conn_ht_iphc_allocated);
+ }
+ connp->conn_ht_iphc = hdrs;
+ connp->conn_ht_iphc_allocated = hdrs_len;
+ } else {
+ hdrs = connp->conn_ht_iphc;
+ }
+ hdrs_len -= extra;
+ connp->conn_ht_iphc_len = hdrs_len;
+
+ connp->conn_ht_ulp = hdrs + ip_hdr_length;
+ connp->conn_ht_ulp_len = ulp_hdr_length;
+
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)hdrs;
+
+ IN6_V4MAPPED_TO_IPADDR(v6src, ipha->ipha_src);
+ IN6_V4MAPPED_TO_IPADDR(v6dst, ipha->ipha_dst);
+ ip_build_hdrs_v4(hdrs, ip_hdr_length, ipp, connp->conn_proto);
+ ipha->ipha_length = htons(hdrs_len);
+ if (ixa->ixa_flags & IXAF_PMTU_IPV4_DF)
+ ipha->ipha_fragment_offset_and_flags |= IPH_DF_HTONS;
+ else
+ ipha->ipha_fragment_offset_and_flags &= ~IPH_DF_HTONS;
+
+ if (ipp->ipp_fields & IPPF_IPV4_OPTIONS) {
+ connp->conn_sum = cksum_massage_options_v4(ipha,
+ connp->conn_netstack);
+ } else {
+ connp->conn_sum = 0;
+ }
+ } else {
+ ip6_t *ip6h = (ip6_t *)hdrs;
+
+ ip6h->ip6_src = *v6src;
+ ip6h->ip6_dst = *v6dst;
+ ip_build_hdrs_v6(hdrs, ip_hdr_length, ipp, connp->conn_proto,
+ flowinfo);
+ ip6h->ip6_plen = htons(hdrs_len - IPV6_HDR_LEN);
+
+ if (ipp->ipp_fields & IPPF_RTHDR) {
+ connp->conn_sum = cksum_massage_options_v6(ip6h,
+ ip_hdr_length, connp->conn_netstack);
+
+ /*
+ * Verify that the first hop isn't a mapped address.
+ * Routers along the path need to do this verification
+ * for subsequent hops.
+ */
+ if (IN6_IS_ADDR_V4MAPPED(&ip6h->ip6_dst))
+ return (EADDRNOTAVAIL);
+
+ } else {
+ connp->conn_sum = 0;
+ }
+ }
+ return (0);
+}
+
+/*
+ * Prepend a header template to data_mp based on the ip_pkt_t
+ * and the passed in source, destination and protocol.
+ *
+ * Returns failure if can't allocate memory, in which case data_mp is freed.
+ * We allocate space for the transport header (ulp_hdr_len) and
+ * indicate the offset of the ulp header by setting ixa_ip_hdr_length.
+ *
+ * We massage an routing option/header and return the ckecksum difference
+ * in *sump. This is in host byte order.
+ *
+ * Caller needs to update conn_wroff if desired.
+ */
+mblk_t *
+conn_prepend_hdr(ip_xmit_attr_t *ixa, const ip_pkt_t *ipp,
+ const in6_addr_t *v6src, const in6_addr_t *v6dst,
+ uint8_t protocol, uint32_t flowinfo, uint_t ulp_hdr_length, mblk_t *data_mp,
+ uint_t data_length, uint_t wroff_extra, uint32_t *sump, int *errorp)
+{
+ uint_t ip_hdr_length;
+ uchar_t *hdrs;
+ uint_t hdrs_len;
+ mblk_t *mp;
+
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ip_hdr_length = ip_total_hdrs_len_v4(ipp);
+ ASSERT(ip_hdr_length <= IP_MAX_HDR_LENGTH);
+ } else {
+ ip_hdr_length = ip_total_hdrs_len_v6(ipp);
+ }
+ hdrs_len = ip_hdr_length + ulp_hdr_length;
+ ASSERT(hdrs_len != 0);
+
+ ixa->ixa_ip_hdr_length = ip_hdr_length;
+
+ /* Can we prepend to data_mp? */
+ if (data_mp != NULL &&
+ data_mp->b_rptr - data_mp->b_datap->db_base >= hdrs_len &&
+ data_mp->b_datap->db_ref == 1) {
+ hdrs = data_mp->b_rptr - hdrs_len;
+ data_mp->b_rptr = hdrs;
+ mp = data_mp;
+ } else {
+ mp = allocb(hdrs_len + wroff_extra, BPRI_MED);
+ if (mp == NULL) {
+ freemsg(data_mp);
+ *errorp = ENOMEM;
+ return (NULL);
+ }
+ mp->b_wptr = mp->b_datap->db_lim;
+ hdrs = mp->b_rptr = mp->b_wptr - hdrs_len;
+ mp->b_cont = data_mp;
+ }
+
+ /*
+ * Set the source in the header. ip_build_hdrs_v4/v6 will overwrite it
+ * if PKTINFO (aka IPPF_ADDR) was set.
+ */
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)hdrs;
+
+ ASSERT(IN6_IS_ADDR_V4MAPPED(v6dst));
+ IN6_V4MAPPED_TO_IPADDR(v6src, ipha->ipha_src);
+ IN6_V4MAPPED_TO_IPADDR(v6dst, ipha->ipha_dst);
+ ip_build_hdrs_v4(hdrs, ip_hdr_length, ipp, protocol);
+ ipha->ipha_length = htons(hdrs_len + data_length);
+ if (ixa->ixa_flags & IXAF_PMTU_IPV4_DF)
+ ipha->ipha_fragment_offset_and_flags |= IPH_DF_HTONS;
+ else
+ ipha->ipha_fragment_offset_and_flags &= ~IPH_DF_HTONS;
+
+ if (ipp->ipp_fields & IPPF_IPV4_OPTIONS) {
+ *sump = cksum_massage_options_v4(ipha,
+ ixa->ixa_ipst->ips_netstack);
+ } else {
+ *sump = 0;
+ }
+ } else {
+ ip6_t *ip6h = (ip6_t *)hdrs;
+
+ ip6h->ip6_src = *v6src;
+ ip6h->ip6_dst = *v6dst;
+ ip_build_hdrs_v6(hdrs, ip_hdr_length, ipp, protocol, flowinfo);
+ ip6h->ip6_plen = htons(hdrs_len + data_length - IPV6_HDR_LEN);
+
+ if (ipp->ipp_fields & IPPF_RTHDR) {
+ *sump = cksum_massage_options_v6(ip6h,
+ ip_hdr_length, ixa->ixa_ipst->ips_netstack);
+
+ /*
+ * Verify that the first hop isn't a mapped address.
+ * Routers along the path need to do this verification
+ * for subsequent hops.
+ */
+ if (IN6_IS_ADDR_V4MAPPED(&ip6h->ip6_dst)) {
+ *errorp = EADDRNOTAVAIL;
+ freemsg(mp);
+ return (NULL);
+ }
+ } else {
+ *sump = 0;
+ }
+ }
+ return (mp);
+}
+
+/*
+ * Massage a source route if any putting the first hop
+ * in ipha_dst. Compute a starting value for the checksum which
+ * takes into account that the original ipha_dst should be
+ * included in the checksum but that IP will include the
+ * first hop from the source route in the tcp checksum.
+ */
+static uint32_t
+cksum_massage_options_v4(ipha_t *ipha, netstack_t *ns)
+{
+ in_addr_t dst;
+ uint32_t cksum;
+
+ /* Get last hop then diff against first hop */
+ cksum = ip_massage_options(ipha, ns);
+ cksum = (cksum & 0xFFFF) + (cksum >> 16);
+ dst = ipha->ipha_dst;
+ cksum -= ((dst >> 16) + (dst & 0xffff));
+ if ((int)cksum < 0)
+ cksum--;
+ cksum = (cksum & 0xFFFF) + (cksum >> 16);
+ cksum = (cksum & 0xFFFF) + (cksum >> 16);
+ ASSERT(cksum < 0x10000);
+ return (ntohs(cksum));
+}
+
+static uint32_t
+cksum_massage_options_v6(ip6_t *ip6h, uint_t ip_hdr_len, netstack_t *ns)
+{
+ uint8_t *end;
+ ip6_rthdr_t *rth;
+ uint32_t cksum;
+
+ end = (uint8_t *)ip6h + ip_hdr_len;
+ rth = ip_find_rthdr_v6(ip6h, end);
+ if (rth == NULL)
+ return (0);
+
+ cksum = ip_massage_options_v6(ip6h, rth, ns);
+ cksum = (cksum & 0xFFFF) + (cksum >> 16);
+ ASSERT(cksum < 0x10000);
+ return (ntohs(cksum));
+}
+
+/*
+ * ULPs that change the destination address need to call this for each
+ * change to discard any state about a previous destination that might
+ * have been multicast or multirt.
+ */
+void
+ip_attr_newdst(ip_xmit_attr_t *ixa)
+{
+ ixa->ixa_flags &= ~(IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM |
+ IXAF_NO_TTL_CHANGE | IXAF_IPV6_ADD_FRAGHDR |
+ IXAF_NO_LOOP_ZONEID_SET);
+}
+
+/*
+ * Determine the nexthop which will be used.
+ * Normally this is just the destination, but if a IPv4 source route, or
+ * IPv6 routing header, is in the ip_pkt_t then we extract the nexthop from
+ * there.
+ */
+void
+ip_attr_nexthop(const ip_pkt_t *ipp, const ip_xmit_attr_t *ixa,
+ const in6_addr_t *dst, in6_addr_t *nexthop)
+{
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipaddr_t v4dst;
+ ipaddr_t v4nexthop;
+
+ IN6_V4MAPPED_TO_IPADDR(dst, v4dst);
+ v4nexthop = ip_pkt_source_route_v4(ipp);
+ if (v4nexthop == INADDR_ANY)
+ v4nexthop = v4dst;
+
+ IN6_IPADDR_TO_V4MAPPED(v4nexthop, nexthop);
+ } else {
+ const in6_addr_t *v6nexthop;
+
+ v6nexthop = ip_pkt_source_route_v6(ipp);
+ if (v6nexthop == NULL)
+ v6nexthop = dst;
+
+ *nexthop = *v6nexthop;
+ }
+}
+
+/*
+ * Update the ip_xmit_attr_t based the addresses, conn_xmit_ipp and conn_ixa.
+ * If IPDF_IPSEC is set we cache the IPsec policy to handle the unconnected
+ * case (connected latching is done in conn_connect).
+ * Note that IPsec policy lookup requires conn_proto and conn_laddr to be
+ * set, but doesn't otherwise use the conn_t.
+ *
+ * Caller must set/clear IXAF_IS_IPV4 as appropriately.
+ * Caller must use ip_attr_nexthop() to determine the nexthop argument.
+ *
+ * The caller must NOT hold conn_lock (to avoid problems with ill_refrele
+ * causing the squeue to run doing ipcl_walk grabbing conn_lock.)
+ *
+ * Updates laddrp and uinfo if they are non-NULL.
+ *
+ * TSOL notes: The callers if ip_attr_connect must check if the destination
+ * is different than before and in that case redo conn_update_label.
+ * The callers of conn_connect do not need that since conn_connect
+ * performs the conn_update_label.
+ */
+int
+ip_attr_connect(const conn_t *connp, ip_xmit_attr_t *ixa,
+ const in6_addr_t *v6src, const in6_addr_t *v6dst,
+ const in6_addr_t *v6nexthop, in_port_t dstport, in6_addr_t *laddrp,
+ iulp_t *uinfo, uint32_t flags)
+{
+ in6_addr_t laddr = *v6src;
+ int error;
+
+ ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
+
+ if (connp->conn_zone_is_global)
+ flags |= IPDF_ZONE_IS_GLOBAL;
+ else
+ flags &= ~IPDF_ZONE_IS_GLOBAL;
+
+ /*
+ * Lookup the route to determine a source address and the uinfo.
+ * If the ULP has a source route option then the caller will
+ * have set v6nexthop to be the first hop.
+ */
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipaddr_t v4dst;
+ ipaddr_t v4src, v4nexthop;
+
+ IN6_V4MAPPED_TO_IPADDR(v6dst, v4dst);
+ IN6_V4MAPPED_TO_IPADDR(v6nexthop, v4nexthop);
+ IN6_V4MAPPED_TO_IPADDR(v6src, v4src);
+
+ if (connp->conn_unspec_src || v4src != INADDR_ANY)
+ flags &= ~IPDF_SELECT_SRC;
+ else
+ flags |= IPDF_SELECT_SRC;
+
+ error = ip_set_destination_v4(&v4src, v4dst, v4nexthop, ixa,
+ uinfo, flags, connp->conn_mac_mode);
+ IN6_IPADDR_TO_V4MAPPED(v4src, &laddr);
+ } else {
+ if (connp->conn_unspec_src || !IN6_IS_ADDR_UNSPECIFIED(v6src))
+ flags &= ~IPDF_SELECT_SRC;
+ else
+ flags |= IPDF_SELECT_SRC;
+
+ error = ip_set_destination_v6(&laddr, v6dst, v6nexthop, ixa,
+ uinfo, flags, connp->conn_mac_mode);
+ }
+ /* Pass out some address even if we hit a RTF_REJECT etc */
+ if (laddrp != NULL)
+ *laddrp = laddr;
+
+ if (error != 0)
+ return (error);
+
+ if (flags & IPDF_IPSEC) {
+ /*
+ * Set any IPsec policy in ixa. Routine also looks at ULP
+ * ports.
+ */
+ ipsec_cache_outbound_policy(connp, v6src, v6dst, dstport, ixa);
+ }
+ return (0);
+}
+
+/*
+ * Connect the conn based on the addresses, conn_xmit_ipp and conn_ixa.
+ * Assumes that conn_faddr and conn_fport are already set. As such it is not
+ * usable for SCTP, since SCTP has multiple faddrs.
+ *
+ * Caller must hold conn_lock to provide atomic constency between the
+ * conn_t's addresses and the ixa.
+ * NOTE: this function drops and reaquires conn_lock since it can't be
+ * held across ip_attr_connect/ip_set_destination.
+ *
+ * The caller needs to handle inserting in the receive-side fanout when
+ * appropriate after conn_connect returns.
+ */
+int
+conn_connect(conn_t *connp, iulp_t *uinfo, uint32_t flags)
+{
+ ip_xmit_attr_t *ixa = connp->conn_ixa;
+ in6_addr_t nexthop;
+ in6_addr_t saddr, faddr;
+ in_port_t fport;
+ int error;
+
+ ASSERT(MUTEX_HELD(&connp->conn_lock));
+
+ if (connp->conn_ipversion == IPV4_VERSION)
+ ixa->ixa_flags |= IXAF_IS_IPV4;
+ else
+ ixa->ixa_flags &= ~IXAF_IS_IPV4;
+
+ /* We do IPsec latching below - hence no caching in ip_attr_connect */
+ flags &= ~IPDF_IPSEC;
+
+ /* In case we had previously done an ip_attr_connect */
+ ip_attr_newdst(ixa);
+
+ /*
+ * Determine the nexthop and copy the addresses before dropping
+ * conn_lock.
+ */
+ ip_attr_nexthop(&connp->conn_xmit_ipp, connp->conn_ixa,
+ &connp->conn_faddr_v6, &nexthop);
+ saddr = connp->conn_saddr_v6;
+ faddr = connp->conn_faddr_v6;
+ fport = connp->conn_fport;
+
+ mutex_exit(&connp->conn_lock);
+ error = ip_attr_connect(connp, ixa, &saddr, &faddr, &nexthop, fport,
+ &saddr, uinfo, flags | IPDF_VERIFY_DST);
+ mutex_enter(&connp->conn_lock);
+
+ /* Could have changed even if an error */
+ connp->conn_saddr_v6 = saddr;
+ if (error != 0)
+ return (error);
+
+ /*
+ * Check whether Trusted Solaris policy allows communication with this
+ * host, and pretend that the destination is unreachable if not.
+ * Compute any needed label and place it in ipp_label_v4/v6.
+ *
+ * Later conn_build_hdr_template() takes ipp_label_v4/v6 to form
+ * the packet.
+ *
+ * TSOL Note: Any concurrent threads would pick a different ixa
+ * (and ipp if they are to change the ipp) so we
+ * don't have to worry about concurrent threads.
+ */
+ if (is_system_labeled()) {
+ if (connp->conn_mlp_type != mlptSingle)
+ return (ECONNREFUSED);
+
+ /*
+ * conn_update_label will set ipp_label* which will later
+ * be used by conn_build_hdr_template.
+ */
+ error = conn_update_label(connp, ixa,
+ &connp->conn_faddr_v6, &connp->conn_xmit_ipp);
+ if (error != 0)
+ return (error);
+ }
+
+ /*
+ * Ensure that we match on the selected local address.
+ * This overrides conn_laddr in the case we had earlier bound to a
+ * multicast or broadcast address.
+ */
+ connp->conn_laddr_v6 = connp->conn_saddr_v6;
+
+ /*
+ * Allow setting new policies.
+ * The addresses/ports are already set, thus the IPsec policy calls
+ * can handle their passed-in conn's.
+ */
+ connp->conn_policy_cached = B_FALSE;
+
+ /*
+ * Cache IPsec policy in this conn. If we have per-socket policy,
+ * we'll cache that. If we don't, we'll inherit global policy.
+ *
+ * This is done before the caller inserts in the receive-side fanout.
+ * Note that conn_policy_cached is set by ipsec_conn_cache_policy() even
+ * for connections where we don't have a policy. This is to prevent
+ * global policy lookups in the inbound path.
+ *
+ * If we insert before we set conn_policy_cached,
+ * CONN_INBOUND_POLICY_PRESENT() check can still evaluate true
+ * because global policy cound be non-empty. We normally call
+ * ipsec_check_policy() for conn_policy_cached connections only if
+ * conn_in_enforce_policy is set. But in this case,
+ * conn_policy_cached can get set anytime since we made the
+ * CONN_INBOUND_POLICY_PRESENT() check and ipsec_check_policy() is
+ * called, which will make the above assumption false. Thus, we
+ * need to insert after we set conn_policy_cached.
+ */
+ error = ipsec_conn_cache_policy(connp,
+ connp->conn_ipversion == IPV4_VERSION);
+ if (error != 0)
+ return (error);
+
+ /*
+ * We defer to do LSO check until here since now we have better idea
+ * whether IPsec is present. If the underlying ill is LSO capable,
+ * copy its capability in so the ULP can decide whether to enable LSO
+ * on this connection. So far, only TCP/IPv4 is implemented, so won't
+ * claim LSO for IPv6.
+ *
+ * Currently, won't enable LSO for IRE_LOOPBACK or IRE_LOCAL, because
+ * the receiver can not handle it. Also not to enable LSO for MULTIRT.
+ */
+ ixa->ixa_flags &= ~IXAF_LSO_CAPAB;
+
+ ASSERT(ixa->ixa_ire != NULL);
+ if (ixa->ixa_ipst->ips_ip_lso_outbound && (flags & IPDF_LSO) &&
+ !(ixa->ixa_flags & IXAF_IPSEC_SECURE) &&
+ !(ixa->ixa_ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) &&
+ !(ixa->ixa_ire->ire_flags & RTF_MULTIRT) &&
+ (ixa->ixa_nce != NULL) &&
+ ((ixa->ixa_flags & IXAF_IS_IPV4) ?
+ ILL_LSO_TCP_IPV4_USABLE(ixa->ixa_nce->nce_ill) :
+ ILL_LSO_TCP_IPV6_USABLE(ixa->ixa_nce->nce_ill))) {
+ ixa->ixa_lso_capab = *ixa->ixa_nce->nce_ill->ill_lso_capab;
+ ixa->ixa_flags |= IXAF_LSO_CAPAB;
+ }
+
+ /* Check whether ZEROCOPY capability is usable for this connection. */
+ ixa->ixa_flags &= ~IXAF_ZCOPY_CAPAB;
+
+ if ((flags & IPDF_ZCOPY) &&
+ !(ixa->ixa_flags & IXAF_IPSEC_SECURE) &&
+ !(ixa->ixa_ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) &&
+ !(ixa->ixa_ire->ire_flags & RTF_MULTIRT) &&
+ (ixa->ixa_nce != NULL) &&
+ ILL_ZCOPY_USABLE(ixa->ixa_nce->nce_ill)) {
+ ixa->ixa_flags |= IXAF_ZCOPY_CAPAB;
+ }
+ return (0);
+}
+
+/*
+ * Predicates to check if the addresses match conn_last*
+ */
+
+/*
+ * Compare the conn against an address.
+ * If using mapped addresses on AF_INET6 sockets, use the _v6 function
+ */
+boolean_t
+conn_same_as_last_v4(conn_t *connp, sin_t *sin)
+{
+ ASSERT(connp->conn_family == AF_INET);
+ return (sin->sin_addr.s_addr == connp->conn_v4lastdst &&
+ sin->sin_port == connp->conn_lastdstport);
+}
+
+/*
+ * Compare, including for mapped addresses
+ */
+boolean_t
+conn_same_as_last_v6(conn_t *connp, sin6_t *sin6)
+{
+ return (IN6_ARE_ADDR_EQUAL(&connp->conn_v6lastdst, &sin6->sin6_addr) &&
+ sin6->sin6_port == connp->conn_lastdstport &&
+ sin6->sin6_flowinfo == connp->conn_lastflowinfo &&
+ sin6->sin6_scope_id == connp->conn_lastscopeid);
+}
+
+/*
+ * Compute a label and place it in the ip_packet_t.
+ * Handles IPv4 and IPv6.
+ * The caller should have a correct ixa_tsl and ixa_zoneid and have
+ * already called conn_connect or ip_attr_connect to ensure that tsol_check_dest
+ * has been called.
+ */
+int
+conn_update_label(const conn_t *connp, const ip_xmit_attr_t *ixa,
+ const in6_addr_t *v6dst, ip_pkt_t *ipp)
+{
+ int err;
+ ipaddr_t v4dst;
+
+ if (IN6_IS_ADDR_V4MAPPED(v6dst)) {
+ uchar_t opt_storage[IP_MAX_OPT_LENGTH];
+
+ IN6_V4MAPPED_TO_IPADDR(v6dst, v4dst);
+
+ err = tsol_compute_label_v4(ixa->ixa_tsl, ixa->ixa_zoneid,
+ v4dst, opt_storage, ixa->ixa_ipst);
+ if (err == 0) {
+ /* Length contained in opt_storage[IPOPT_OLEN] */
+ err = optcom_pkt_set(opt_storage,
+ opt_storage[IPOPT_OLEN],
+ (uchar_t **)&ipp->ipp_label_v4,
+ &ipp->ipp_label_len_v4);
+ }
+ if (err != 0) {
+ DTRACE_PROBE4(tx__ip__log__info__updatelabel,
+ char *, "conn(1) failed to update options(2) "
+ "on ixa(3)",
+ conn_t *, connp, char *, opt_storage,
+ ip_xmit_attr_t *, ixa);
+ }
+ if (ipp->ipp_label_len_v4 != 0)
+ ipp->ipp_fields |= IPPF_LABEL_V4;
+ else
+ ipp->ipp_fields &= ~IPPF_LABEL_V4;
+ } else {
+ uchar_t opt_storage[TSOL_MAX_IPV6_OPTION];
+ uint_t optlen;
+
+ err = tsol_compute_label_v6(ixa->ixa_tsl, ixa->ixa_zoneid,
+ v6dst, opt_storage, ixa->ixa_ipst);
+ if (err == 0) {
+ /*
+ * Note that ipp_label_v6 is just the option - not
+ * the hopopts extension header.
+ *
+ * Length contained in opt_storage[IPOPT_OLEN], but
+ * that doesn't include the two byte options header.
+ */
+ optlen = opt_storage[IPOPT_OLEN];
+ if (optlen != 0)
+ optlen += 2;
+
+ err = optcom_pkt_set(opt_storage, optlen,
+ (uchar_t **)&ipp->ipp_label_v6,
+ &ipp->ipp_label_len_v6);
+ }
+ if (err != 0) {
+ DTRACE_PROBE4(tx__ip__log__info__updatelabel,
+ char *, "conn(1) failed to update options(2) "
+ "on ixa(3)",
+ conn_t *, connp, char *, opt_storage,
+ ip_xmit_attr_t *, ixa);
+ }
+ if (ipp->ipp_label_len_v6 != 0)
+ ipp->ipp_fields |= IPPF_LABEL_V6;
+ else
+ ipp->ipp_fields &= ~IPPF_LABEL_V6;
+ }
+ return (err);
+}
+
+/*
+ * Inherit all options settings from the parent/listener to the eager.
+ * Returns zero on success; ENOMEM if memory allocation failed.
+ *
+ * We assume that the eager has not had any work done i.e., the conn_ixa
+ * and conn_xmit_ipp are all zero.
+ * Furthermore we assume that no other thread can access the eager (because
+ * it isn't inserted in any fanout list).
+ */
+int
+conn_inherit_parent(conn_t *lconnp, conn_t *econnp)
+{
+ cred_t *credp;
+ int err;
+ void *notify_cookie;
+
+ econnp->conn_family = lconnp->conn_family;
+ econnp->conn_ipv6_v6only = lconnp->conn_ipv6_v6only;
+ econnp->conn_wq = lconnp->conn_wq;
+ econnp->conn_rq = lconnp->conn_rq;
+
+ /*
+ * Make a safe copy of the transmit attributes.
+ * conn_connect will later be used by the caller to setup the ire etc.
+ */
+ ASSERT(econnp->conn_ixa->ixa_refcnt == 1);
+ ASSERT(econnp->conn_ixa->ixa_ire == NULL);
+ ASSERT(econnp->conn_ixa->ixa_dce == NULL);
+ ASSERT(econnp->conn_ixa->ixa_nce == NULL);
+
+ /* Preserve ixa_notify_cookie */
+ notify_cookie = econnp->conn_ixa->ixa_notify_cookie;
+ ixa_safe_copy(lconnp->conn_ixa, econnp->conn_ixa);
+ econnp->conn_ixa->ixa_notify_cookie = notify_cookie;
+
+ econnp->conn_bound_if = lconnp->conn_bound_if;
+ econnp->conn_incoming_ifindex = lconnp->conn_incoming_ifindex;
+
+ /* Inherit all RECV options */
+ econnp->conn_recv_ancillary = lconnp->conn_recv_ancillary;
+
+ err = ip_pkt_copy(&lconnp->conn_xmit_ipp, &econnp->conn_xmit_ipp,
+ KM_NOSLEEP);
+ if (err != 0)
+ return (err);
+
+ econnp->conn_zoneid = lconnp->conn_zoneid;
+ econnp->conn_allzones = lconnp->conn_allzones;
+
+ /* This is odd. Pick a flowlabel for each connection instead? */
+ econnp->conn_flowinfo = lconnp->conn_flowinfo;
+
+ econnp->conn_default_ttl = lconnp->conn_default_ttl;
+
+ /*
+ * TSOL: tsol_input_proc() needs the eager's cred before the
+ * eager is accepted
+ */
+ ASSERT(lconnp->conn_cred != NULL);
+ econnp->conn_cred = credp = lconnp->conn_cred;
+ crhold(credp);
+ econnp->conn_cpid = lconnp->conn_cpid;
+ econnp->conn_open_time = lbolt64;
+
+ /*
+ * Cache things in the ixa without any refhold.
+ * Listener might not have set up ixa_cred
+ */
+ econnp->conn_ixa->ixa_cred = econnp->conn_cred;
+ econnp->conn_ixa->ixa_cpid = econnp->conn_cpid;
+ if (is_system_labeled())
+ econnp->conn_ixa->ixa_tsl = crgetlabel(econnp->conn_cred);
+
+ /*
+ * If the caller has the process-wide flag set, then default to MAC
+ * exempt mode. This allows read-down to unlabeled hosts.
+ */
+ if (getpflags(NET_MAC_AWARE, credp) != 0)
+ econnp->conn_mac_mode = CONN_MAC_AWARE;
+
+ econnp->conn_zone_is_global = lconnp->conn_zone_is_global;
+
+ /*
+ * We eliminate the need for sockfs to send down a T_SVR4_OPTMGMT_REQ
+ * via soaccept()->soinheritoptions() which essentially applies
+ * all the listener options to the new connection. The options that we
+ * need to take care of are:
+ * SO_DEBUG, SO_REUSEADDR, SO_KEEPALIVE, SO_DONTROUTE, SO_BROADCAST,
+ * SO_USELOOPBACK, SO_OOBINLINE, SO_DGRAM_ERRIND, SO_LINGER,
+ * SO_SNDBUF, SO_RCVBUF.
+ *
+ * SO_RCVBUF: conn_rcvbuf is set.
+ * SO_SNDBUF: conn_sndbuf is set.
+ */
+
+ econnp->conn_sndbuf = lconnp->conn_sndbuf;
+ econnp->conn_rcvbuf = lconnp->conn_rcvbuf;
+ econnp->conn_sndlowat = lconnp->conn_sndlowat;
+ econnp->conn_rcvlowat = lconnp->conn_rcvlowat;
+ econnp->conn_dgram_errind = lconnp->conn_dgram_errind;
+ econnp->conn_oobinline = lconnp->conn_oobinline;
+ econnp->conn_debug = lconnp->conn_debug;
+ econnp->conn_keepalive = lconnp->conn_keepalive;
+ econnp->conn_linger = lconnp->conn_linger;
+ econnp->conn_lingertime = lconnp->conn_lingertime;
+
+ /* Set the IP options */
+ econnp->conn_broadcast = lconnp->conn_broadcast;
+ econnp->conn_useloopback = lconnp->conn_useloopback;
+ econnp->conn_reuseaddr = lconnp->conn_reuseaddr;
+ return (0);
+}
diff --git a/usr/src/uts/common/inet/ip/icmp.c b/usr/src/uts/common/inet/ip/icmp.c
index 7f6d4b621f..8222c866d0 100644
--- a/usr/src/uts/common/inet/ip/icmp.c
+++ b/usr/src/uts/common/inet/ip/icmp.c
@@ -35,65 +35,58 @@
#include <sys/ddi.h>
#include <sys/sunddi.h>
#include <sys/strsubr.h>
+#include <sys/suntpi.h>
+#include <sys/xti_inet.h>
#include <sys/cmn_err.h>
-#include <sys/debug.h>
#include <sys/kmem.h>
+#include <sys/cred_impl.h>
#include <sys/policy.h>
#include <sys/priv.h>
+#include <sys/ucred.h>
#include <sys/zone.h>
-#include <sys/time.h>
#include <sys/sockio.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
+#include <sys/vtrace.h>
+#include <sys/sdt.h>
+#include <sys/debug.h>
#include <sys/isa_defs.h>
-#include <sys/suntpi.h>
-#include <sys/xti_inet.h>
-#include <sys/netstack.h>
-
-#include <net/route.h>
-#include <net/if.h>
-
+#include <sys/random.h>
#include <netinet/in.h>
#include <netinet/ip6.h>
#include <netinet/icmp6.h>
+#include <netinet/udp.h>
+
#include <inet/common.h>
#include <inet/ip.h>
+#include <inet/ip_impl.h>
+#include <inet/ipsec_impl.h>
#include <inet/ip6.h>
+#include <inet/ip_ire.h>
+#include <inet/ip_if.h>
+#include <inet/ip_multi.h>
+#include <inet/ip_ndp.h>
#include <inet/proto_set.h>
+#include <inet/mib2.h>
#include <inet/nd.h>
#include <inet/optcom.h>
#include <inet/snmpcom.h>
#include <inet/kstatcom.h>
-#include <inet/rawip_impl.h>
-
-#include <netinet/ip_mroute.h>
-#include <inet/tcp.h>
-#include <net/pfkeyv2.h>
-#include <inet/ipsec_info.h>
#include <inet/ipclassifier.h>
#include <sys/tsol/label.h>
#include <sys/tsol/tnet.h>
-#include <inet/ip_ire.h>
-#include <inet/ip_if.h>
+#include <inet/rawip_impl.h>
-#include <inet/ip_impl.h>
#include <sys/disp.h>
/*
* Synchronization notes:
*
- * RAWIP is MT and uses the usual kernel synchronization primitives. There is
- * locks, which is icmp_rwlock. We also use conn_lock when updating things
- * which affect the IP classifier lookup.
- * The lock order is icmp_rwlock -> conn_lock.
- *
- * The icmp_rwlock:
- * This protects most of the other fields in the icmp_t. The exact list of
- * fields which are protected by each of the above locks is documented in
- * the icmp_t structure definition.
+ * RAWIP is MT and uses the usual kernel synchronization primitives. We use
+ * conn_lock to protect the icmp_t.
*
* Plumbing notes:
* ICMP is always a device driver. For compatibility with mibopen() code
@@ -103,27 +96,29 @@
static void icmp_addr_req(queue_t *q, mblk_t *mp);
static void icmp_tpi_bind(queue_t *q, mblk_t *mp);
-static int icmp_bind_proto(conn_t *connp);
-static int icmp_build_hdrs(icmp_t *icmp);
+static void icmp_bind_proto(icmp_t *icmp);
+static int icmp_build_hdr_template(conn_t *, const in6_addr_t *,
+ const in6_addr_t *, uint32_t);
static void icmp_capability_req(queue_t *q, mblk_t *mp);
static int icmp_close(queue_t *q, int flags);
+static void icmp_close_free(conn_t *);
static void icmp_tpi_connect(queue_t *q, mblk_t *mp);
static void icmp_tpi_disconnect(queue_t *q, mblk_t *mp);
static void icmp_err_ack(queue_t *q, mblk_t *mp, t_scalar_t t_error,
- int sys_error);
+ int sys_error);
static void icmp_err_ack_prim(queue_t *q, mblk_t *mp, t_scalar_t primitive,
- t_scalar_t t_error, int sys_error);
-static void icmp_icmp_error(conn_t *connp, mblk_t *mp);
-static void icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp);
+ t_scalar_t tlierr, int sys_error);
+static void icmp_icmp_input(void *arg1, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *);
+static void icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp,
+ ip_recv_attr_t *);
static void icmp_info_req(queue_t *q, mblk_t *mp);
-static void icmp_input(void *, mblk_t *, void *);
+static void icmp_input(void *, mblk_t *, void *, ip_recv_attr_t *);
static conn_t *icmp_open(int family, cred_t *credp, int *err, int flags);
static int icmp_openv4(queue_t *q, dev_t *devp, int flag, int sflag,
cred_t *credp);
static int icmp_openv6(queue_t *q, dev_t *devp, int flag, int sflag,
cred_t *credp);
-static int icmp_unitdata_opt_process(queue_t *q, mblk_t *mp,
- int *errorp, void *thisdg_attrs);
static boolean_t icmp_opt_allow_udr_set(t_scalar_t level, t_scalar_t name);
int icmp_opt_set(conn_t *connp, uint_t optset_context,
int level, int name, uint_t inlen,
@@ -131,25 +126,26 @@ int icmp_opt_set(conn_t *connp, uint_t optset_context,
void *thisdg_attrs, cred_t *cr);
int icmp_opt_get(conn_t *connp, int level, int name,
uchar_t *ptr);
+static int icmp_output_newdst(conn_t *connp, mblk_t *data_mp, sin_t *sin,
+ sin6_t *sin6, cred_t *cr, pid_t pid, ip_xmit_attr_t *ixa);
static int icmp_param_get(queue_t *q, mblk_t *mp, caddr_t cp, cred_t *cr);
static boolean_t icmp_param_register(IDP *ndp, icmpparam_t *icmppa, int cnt);
static int icmp_param_set(queue_t *q, mblk_t *mp, char *value,
caddr_t cp, cred_t *cr);
+static mblk_t *icmp_prepend_hdr(conn_t *, ip_xmit_attr_t *, const ip_pkt_t *,
+ const in6_addr_t *, const in6_addr_t *, uint32_t, mblk_t *, int *);
+static mblk_t *icmp_prepend_header_template(conn_t *, ip_xmit_attr_t *,
+ mblk_t *, const in6_addr_t *, uint32_t, int *);
static int icmp_snmp_set(queue_t *q, t_scalar_t level, t_scalar_t name,
uchar_t *ptr, int len);
static void icmp_ud_err(queue_t *q, mblk_t *mp, t_scalar_t err);
static void icmp_tpi_unbind(queue_t *q, mblk_t *mp);
-static int icmp_update_label(icmp_t *icmp, mblk_t *mp, ipaddr_t dst);
static void icmp_wput(queue_t *q, mblk_t *mp);
static void icmp_wput_fallback(queue_t *q, mblk_t *mp);
-static int raw_ip_send_data_v6(queue_t *q, conn_t *connp, mblk_t *mp,
- sin6_t *sin6, ip6_pkt_t *ipp);
-static int raw_ip_send_data_v4(queue_t *q, conn_t *connp, mblk_t *mp,
- ipaddr_t v4dst, ip4_pkt_t *pktinfop);
static void icmp_wput_other(queue_t *q, mblk_t *mp);
static void icmp_wput_iocdata(queue_t *q, mblk_t *mp);
static void icmp_wput_restricted(queue_t *q, mblk_t *mp);
-static void icmp_ulp_recv(conn_t *, mblk_t *);
+static void icmp_ulp_recv(conn_t *, mblk_t *, uint_t);
static void *rawip_stack_init(netstackid_t stackid, netstack_t *ns);
static void rawip_stack_fini(netstackid_t stackid, void *arg);
@@ -158,10 +154,14 @@ static void *rawip_kstat_init(netstackid_t stackid);
static void rawip_kstat_fini(netstackid_t stackid, kstat_t *ksp);
static int rawip_kstat_update(kstat_t *kp, int rw);
static void rawip_stack_shutdown(netstackid_t stackid, void *arg);
-static int rawip_do_getsockname(icmp_t *icmp, struct sockaddr *sa,
- uint_t *salenp);
-static int rawip_do_getpeername(icmp_t *icmp, struct sockaddr *sa,
- uint_t *salenp);
+
+/* Common routines for TPI and socket module */
+static conn_t *rawip_do_open(int, cred_t *, int *, int);
+static void rawip_do_close(conn_t *);
+static int rawip_do_bind(conn_t *, struct sockaddr *, socklen_t);
+static int rawip_do_unbind(conn_t *);
+static int rawip_do_connect(conn_t *, const struct sockaddr *, socklen_t,
+ cred_t *, pid_t);
int rawip_getsockname(sock_lower_handle_t, struct sockaddr *,
socklen_t *, cred_t *);
@@ -185,7 +185,7 @@ static struct qinit icmprinitv6 = {
};
static struct qinit icmpwinit = {
- (pfi_t)icmp_wput, NULL, NULL, NULL, NULL, &icmp_mod_info
+ (pfi_t)icmp_wput, (pfi_t)ip_wsrv, NULL, NULL, NULL, &icmp_mod_info
};
/* ICMP entry point during fallback */
@@ -236,6 +236,8 @@ static icmpparam_t icmp_param_arr[] = {
{ 0, 65536, 1024, "icmp_xmit_lowat"},
{ 4096, 65536, 8192, "icmp_recv_hiwat"},
{ 65536, 1024*1024*1024, 256*1024, "icmp_max_buf"},
+ { 0, 1, 0, "icmp_pmtu_discovery" },
+ { 0, 1, 0, "icmp_sendto_ignerr" },
};
#define is_wroff_extra is_param_arr[0].icmp_param_value
#define is_ipv4_ttl is_param_arr[1].icmp_param_value
@@ -245,18 +247,17 @@ static icmpparam_t icmp_param_arr[] = {
#define is_xmit_lowat is_param_arr[5].icmp_param_value
#define is_recv_hiwat is_param_arr[6].icmp_param_value
#define is_max_buf is_param_arr[7].icmp_param_value
+#define is_pmtu_discovery is_param_arr[8].icmp_param_value
+#define is_sendto_ignerr is_param_arr[9].icmp_param_value
-static int rawip_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len);
-static int rawip_do_connect(conn_t *connp, const struct sockaddr *sa,
- socklen_t len, cred_t *cr);
-static void rawip_post_ip_bind_connect(icmp_t *icmp, mblk_t *ire_mp, int error);
+typedef union T_primitives *t_primp_t;
/*
* This routine is called to handle each O_T_BIND_REQ/T_BIND_REQ message
* passed to icmp_wput.
- * The O_T_BIND_REQ/T_BIND_REQ is passed downstream to ip with the ICMP
- * protocol type placed in the message following the address. A T_BIND_ACK
- * message is returned by ip_bind_v4/v6.
+ * It calls IP to verify the local IP address, and calls IP to insert
+ * the conn_t in the fanout table.
+ * If everything is ok it then sends the T_BIND_ACK back up.
*/
static void
icmp_tpi_bind(queue_t *q, mblk_t *mp)
@@ -297,17 +298,17 @@ icmp_tpi_bind(queue_t *q, mblk_t *mp)
if (icmp->icmp_state != TS_UNBND) {
(void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
- "icmp_bind: bad state, %d", icmp->icmp_state);
+ "icmp_bind: bad state, %u", icmp->icmp_state);
icmp_err_ack(q, mp, TOUTSTATE, 0);
return;
}
/*
* Reallocate the message to make sure we have enough room for an
- * address and the protocol type.
+ * address.
*/
- mp1 = reallocb(mp, sizeof (struct T_bind_ack) + sizeof (sin6_t) + 1, 1);
- if (!mp1) {
+ mp1 = reallocb(mp, sizeof (struct T_bind_ack) + sizeof (sin6_t), 1);
+ if (mp1 == NULL) {
icmp_err_ack(q, mp, TSYSERR, ENOMEM);
return;
}
@@ -320,7 +321,7 @@ icmp_tpi_bind(queue_t *q, mblk_t *mp)
switch (len) {
case 0: /* request for a generic port */
tbr->ADDR_offset = sizeof (struct T_bind_req);
- if (icmp->icmp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
tbr->ADDR_length = sizeof (sin_t);
sin = (sin_t *)&tbr[1];
*sin = sin_null;
@@ -329,7 +330,7 @@ icmp_tpi_bind(queue_t *q, mblk_t *mp)
sa = (struct sockaddr *)sin;
len = sizeof (sin_t);
} else {
- ASSERT(icmp->icmp_family == AF_INET6);
+ ASSERT(connp->conn_family == AF_INET6);
tbr->ADDR_length = sizeof (sin6_t);
sin6 = (sin6_t *)&tbr[1];
*sin6 = sin6_null;
@@ -352,14 +353,12 @@ icmp_tpi_bind(queue_t *q, mblk_t *mp)
default:
(void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
- "icmp_bind: bad ADDR_length %d", tbr->ADDR_length);
+ "icmp_bind: bad ADDR_length %u", tbr->ADDR_length);
icmp_err_ack(q, mp, TBADADDR, 0);
return;
}
error = rawip_do_bind(connp, sa, len);
-done:
- ASSERT(mp->b_cont == NULL);
if (error != 0) {
if (error > 0) {
icmp_err_ack(q, mp, TSYSERR, error);
@@ -377,225 +376,208 @@ rawip_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len)
{
sin_t *sin;
sin6_t *sin6;
- icmp_t *icmp;
+ icmp_t *icmp = connp->conn_icmp;
int error = 0;
- mblk_t *ire_mp;
-
-
- icmp = connp->conn_icmp;
+ ip_laddr_t laddr_type = IPVL_UNICAST_UP; /* INADDR_ANY */
+ in_port_t lport; /* Network byte order */
+ ipaddr_t v4src; /* Set if AF_INET */
+ in6_addr_t v6src;
+ uint_t scopeid = 0;
+ zoneid_t zoneid = IPCL_ZONEID(connp);
+ ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
if (sa == NULL || !OK_32PTR((char *)sa)) {
return (EINVAL);
}
- /*
- * The state must be TS_UNBND. TPI mandates that users must send
- * TPI primitives only 1 at a time and wait for the response before
- * sending the next primitive.
- */
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
- if (icmp->icmp_state != TS_UNBND || icmp->icmp_pending_op != -1) {
- error = -TOUTSTATE;
- goto done;
- }
-
- ASSERT(len != 0);
switch (len) {
case sizeof (sin_t): /* Complete IPv4 address */
sin = (sin_t *)sa;
if (sin->sin_family != AF_INET ||
- icmp->icmp_family != AF_INET) {
+ connp->conn_family != AF_INET) {
/* TSYSERR, EAFNOSUPPORT */
- error = EAFNOSUPPORT;
- goto done;
+ return (EAFNOSUPPORT);
}
+ v4src = sin->sin_addr.s_addr;
+ IN6_IPADDR_TO_V4MAPPED(v4src, &v6src);
+ if (v4src != INADDR_ANY) {
+ laddr_type = ip_laddr_verify_v4(v4src, zoneid, ipst,
+ B_TRUE);
+ }
+ lport = sin->sin_port;
break;
case sizeof (sin6_t): /* Complete IPv6 address */
sin6 = (sin6_t *)sa;
if (sin6->sin6_family != AF_INET6 ||
- icmp->icmp_family != AF_INET6) {
+ connp->conn_family != AF_INET6) {
/* TSYSERR, EAFNOSUPPORT */
- error = EAFNOSUPPORT;
- goto done;
+ return (EAFNOSUPPORT);
}
/* No support for mapped addresses on raw sockets */
if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
/* TSYSERR, EADDRNOTAVAIL */
- error = EADDRNOTAVAIL;
- goto done;
+ return (EADDRNOTAVAIL);
}
+ v6src = sin6->sin6_addr;
+ if (!IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
+ if (IN6_IS_ADDR_LINKSCOPE(&v6src))
+ scopeid = sin6->sin6_scope_id;
+ laddr_type = ip_laddr_verify_v6(&v6src, zoneid, ipst,
+ B_TRUE, scopeid);
+ }
+ lport = sin6->sin6_port;
break;
default:
/* TBADADDR */
- error = EADDRNOTAVAIL;
- goto done;
+ return (EADDRNOTAVAIL);
}
- icmp->icmp_pending_op = T_BIND_REQ;
- icmp->icmp_state = TS_IDLE;
+ /* Is the local address a valid unicast, multicast, or broadcast? */
+ if (laddr_type == IPVL_BAD)
+ return (EADDRNOTAVAIL);
+
+ /*
+ * The state must be TS_UNBND.
+ */
+ mutex_enter(&connp->conn_lock);
+ if (icmp->icmp_state != TS_UNBND) {
+ mutex_exit(&connp->conn_lock);
+ return (-TOUTSTATE);
+ }
/*
* Copy the source address into our icmp structure. This address
* may still be zero; if so, ip will fill in the correct address
* each time an outbound packet is passed to it.
* If we are binding to a broadcast or multicast address then
- * rawip_post_ip_bind_connect will clear the source address.
+ * we just set the conn_bound_addr since we don't want to use
+ * that as the source address when sending.
*/
-
- if (icmp->icmp_family == AF_INET) {
- ASSERT(sin != NULL);
- ASSERT(icmp->icmp_ipversion == IPV4_VERSION);
- IN6_IPADDR_TO_V4MAPPED(sin->sin_addr.s_addr,
- &icmp->icmp_v6src);
- icmp->icmp_max_hdr_len = IP_SIMPLE_HDR_LENGTH +
- icmp->icmp_ip_snd_options_len;
- icmp->icmp_bound_v6src = icmp->icmp_v6src;
+ connp->conn_bound_addr_v6 = v6src;
+ connp->conn_laddr_v6 = v6src;
+ if (scopeid != 0) {
+ connp->conn_ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ connp->conn_ixa->ixa_scopeid = scopeid;
+ connp->conn_incoming_ifindex = scopeid;
} else {
- int error;
-
- ASSERT(sin6 != NULL);
- ASSERT(icmp->icmp_ipversion == IPV6_VERSION);
- icmp->icmp_v6src = sin6->sin6_addr;
- icmp->icmp_max_hdr_len = icmp->icmp_sticky_hdrs_len;
- icmp->icmp_bound_v6src = icmp->icmp_v6src;
-
- /* Rebuild the header template */
- error = icmp_build_hdrs(icmp);
- if (error != 0) {
- icmp->icmp_pending_op = -1;
- /*
- * TSYSERR
- */
- goto done;
- }
+ connp->conn_ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
+ connp->conn_incoming_ifindex = connp->conn_bound_if;
}
- ire_mp = NULL;
- if (!(V6_OR_V4_INADDR_ANY(icmp->icmp_v6src))) {
- /*
- * request an IRE if src not 0 (INADDR_ANY)
- */
- ire_mp = allocb(sizeof (ire_t), BPRI_HI);
- if (ire_mp == NULL) {
- icmp->icmp_pending_op = -1;
- error = ENOMEM;
- goto done;
- }
- DB_TYPE(ire_mp) = IRE_DB_REQ_TYPE;
+ switch (laddr_type) {
+ case IPVL_UNICAST_UP:
+ case IPVL_UNICAST_DOWN:
+ connp->conn_saddr_v6 = v6src;
+ connp->conn_mcbc_bind = B_FALSE;
+ break;
+ case IPVL_MCAST:
+ case IPVL_BCAST:
+ /* ip_set_destination will pick a source address later */
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ connp->conn_mcbc_bind = B_TRUE;
+ break;
}
-done:
- rw_exit(&icmp->icmp_rwlock);
- if (error != 0)
- return (error);
- if (icmp->icmp_family == AF_INET6) {
- error = ip_proto_bind_laddr_v6(connp, &ire_mp, icmp->icmp_proto,
- &sin6->sin6_addr, sin6->sin6_port, B_TRUE);
+ /* Any errors after this point should use late_error */
+
+ /*
+ * Use sin_port/sin6_port since applications like psh use SOCK_RAW
+ * with IPPROTO_TCP.
+ */
+ connp->conn_lport = lport;
+ connp->conn_fport = 0;
+
+ if (connp->conn_family == AF_INET) {
+ ASSERT(connp->conn_ipversion == IPV4_VERSION);
} else {
- error = ip_proto_bind_laddr_v4(connp, &ire_mp, icmp->icmp_proto,
- sin->sin_addr.s_addr, sin->sin_port, B_TRUE);
+ ASSERT(connp->conn_ipversion == IPV6_VERSION);
}
- rawip_post_ip_bind_connect(icmp, ire_mp, error);
- return (error);
-}
-static void
-rawip_post_ip_bind_connect(icmp_t *icmp, mblk_t *ire_mp, int error)
-{
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
- if (icmp->icmp_state == TS_UNBND) {
- /*
- * not yet bound - bind sent by icmp_bind_proto.
- */
- rw_exit(&icmp->icmp_rwlock);
- return;
- }
- ASSERT(icmp->icmp_pending_op != -1);
- icmp->icmp_pending_op = -1;
+ icmp->icmp_state = TS_IDLE;
+ /*
+ * We create an initial header template here to make a subsequent
+ * sendto have a starting point. Since conn_last_dst is zero the
+ * first sendto will always follow the 'dst changed' code path.
+ * Note that we defer massaging options and the related checksum
+ * adjustment until we have a destination address.
+ */
+ error = icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
+ &connp->conn_faddr_v6, connp->conn_flowinfo);
if (error != 0) {
- if (icmp->icmp_state == TS_DATA_XFER) {
- /* Connect failed */
- /* Revert back to the bound source */
- icmp->icmp_v6src = icmp->icmp_bound_v6src;
- icmp->icmp_state = TS_IDLE;
- if (icmp->icmp_family == AF_INET6)
- (void) icmp_build_hdrs(icmp);
- } else {
- V6_SET_ZERO(icmp->icmp_v6src);
- V6_SET_ZERO(icmp->icmp_bound_v6src);
- icmp->icmp_state = TS_UNBND;
- if (icmp->icmp_family == AF_INET6)
- (void) icmp_build_hdrs(icmp);
- }
- } else {
- if (ire_mp != NULL && ire_mp->b_datap->db_type == IRE_DB_TYPE) {
- ire_t *ire;
-
- ire = (ire_t *)ire_mp->b_rptr;
- /*
- * If a broadcast/multicast address was bound set
- * the source address to 0.
- * This ensures no datagrams with broadcast address
- * as source address are emitted (which would violate
- * RFC1122 - Hosts requirements)
- * Note: we get IRE_BROADCAST for IPv6
- * to "mark" a multicast local address.
- */
+ mutex_exit(&connp->conn_lock);
+ goto late_error;
+ }
+ /* Just in case */
+ connp->conn_faddr_v6 = ipv6_all_zeros;
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ mutex_exit(&connp->conn_lock);
+ error = ip_laddr_fanout_insert(connp);
+ if (error != 0)
+ goto late_error;
- if (ire->ire_type == IRE_BROADCAST &&
- icmp->icmp_state != TS_DATA_XFER) {
- /*
- * This was just a local bind to a
- * MC/broadcast addr
- */
- V6_SET_ZERO(icmp->icmp_v6src);
- if (icmp->icmp_family == AF_INET6)
- (void) icmp_build_hdrs(icmp);
- }
- }
+ /* Bind succeeded */
+ return (0);
+late_error:
+ mutex_enter(&connp->conn_lock);
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ connp->conn_bound_addr_v6 = ipv6_all_zeros;
+ connp->conn_laddr_v6 = ipv6_all_zeros;
+ if (scopeid != 0) {
+ connp->conn_ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
+ connp->conn_incoming_ifindex = connp->conn_bound_if;
}
- rw_exit(&icmp->icmp_rwlock);
- if (ire_mp != NULL)
- freeb(ire_mp);
+ icmp->icmp_state = TS_UNBND;
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ connp->conn_lport = 0;
+
+ /* Restore the header that was built above - different source address */
+ (void) icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
+ &connp->conn_faddr_v6, connp->conn_flowinfo);
+ mutex_exit(&connp->conn_lock);
+ return (error);
}
/*
- * Send message to IP to just bind to the protocol.
+ * Tell IP to just bind to the protocol.
*/
-static int
-icmp_bind_proto(conn_t *connp)
+static void
+icmp_bind_proto(icmp_t *icmp)
{
- icmp_t *icmp;
- int error;
-
- icmp = connp->conn_icmp;
+ conn_t *connp = icmp->icmp_connp;
- if (icmp->icmp_family == AF_INET6)
- error = ip_proto_bind_laddr_v6(connp, NULL, icmp->icmp_proto,
- &sin6_null.sin6_addr, 0, B_TRUE);
- else
- error = ip_proto_bind_laddr_v4(connp, NULL, icmp->icmp_proto,
- sin_null.sin_addr.s_addr, 0, B_TRUE);
+ mutex_enter(&connp->conn_lock);
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ connp->conn_laddr_v6 = ipv6_all_zeros;
+ connp->conn_faddr_v6 = ipv6_all_zeros;
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ mutex_exit(&connp->conn_lock);
- rawip_post_ip_bind_connect(icmp, NULL, error);
- return (error);
+ (void) ip_laddr_fanout_insert(connp);
}
+/*
+ * This routine handles each T_CONN_REQ message passed to icmp. It
+ * associates a default destination address with the stream.
+ *
+ * After various error checks are completed, icmp_connect() lays
+ * the target address and port into the composite header template.
+ * Then we ask IP for information, including a source address if we didn't
+ * already have one. Finally we send up the T_OK_ACK reply message.
+ */
static void
icmp_tpi_connect(queue_t *q, mblk_t *mp)
{
conn_t *connp = Q_TO_CONN(q);
struct T_conn_req *tcr;
- icmp_t *icmp;
struct sockaddr *sa;
socklen_t len;
int error;
cred_t *cr;
-
+ pid_t pid;
/*
* All Solaris components should pass a db_credp
* for this TPI message, hence we ASSERT.
@@ -603,14 +585,13 @@ icmp_tpi_connect(queue_t *q, mblk_t *mp)
* like a TPI message sent by some other kernel
* component, we check and return an error.
*/
- cr = msg_getcred(mp, NULL);
+ cr = msg_getcred(mp, &pid);
ASSERT(cr != NULL);
if (cr == NULL) {
icmp_err_ack(q, mp, TSYSERR, EINVAL);
return;
}
- icmp = connp->conn_icmp;
tcr = (struct T_conn_req *)mp->b_rptr;
/* Sanity checks */
if ((mp->b_wptr - mp->b_rptr) < sizeof (struct T_conn_req)) {
@@ -639,13 +620,13 @@ icmp_tpi_connect(queue_t *q, mblk_t *mp)
break;
}
- error = proto_verify_ip_addr(icmp->icmp_family, sa, len);
+ error = proto_verify_ip_addr(connp->conn_family, sa, len);
if (error != 0) {
icmp_err_ack(q, mp, TSYSERR, error);
return;
}
- error = rawip_do_connect(connp, sa, len, cr);
+ error = rawip_do_connect(connp, sa, len, cr, pid);
if (error != 0) {
if (error < 0) {
icmp_err_ack(q, mp, -error, 0);
@@ -659,11 +640,11 @@ icmp_tpi_connect(queue_t *q, mblk_t *mp)
* We have to send a connection confirmation to
* keep TLI happy.
*/
- if (icmp->icmp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
mp1 = mi_tpi_conn_con(NULL, (char *)sa,
sizeof (sin_t), NULL, 0);
} else {
- ASSERT(icmp->icmp_family == AF_INET6);
+ ASSERT(connp->conn_family == AF_INET6);
mp1 = mi_tpi_conn_con(NULL, (char *)sa,
sizeof (sin6_t), NULL, 0);
}
@@ -688,15 +669,20 @@ icmp_tpi_connect(queue_t *q, mblk_t *mp)
static int
rawip_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
- cred_t *cr)
+ cred_t *cr, pid_t pid)
{
- icmp_t *icmp;
- sin_t *sin;
- sin6_t *sin6;
- mblk_t *ire_mp;
- int error;
+ icmp_t *icmp;
+ sin_t *sin;
+ sin6_t *sin6;
+ int error;
+ uint16_t dstport;
ipaddr_t v4dst;
in6_addr_t v6dst;
+ uint32_t flowinfo;
+ ip_xmit_attr_t *ixa;
+ uint_t scopeid = 0;
+ uint_t srcid = 0;
+ in6_addr_t v6src = connp->conn_saddr_v6;
icmp = connp->conn_icmp;
@@ -704,170 +690,199 @@ rawip_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
return (EINVAL);
}
- ire_mp = allocb(sizeof (ire_t), BPRI_HI);
- if (ire_mp == NULL)
- return (ENOMEM);
- DB_TYPE(ire_mp) = IRE_DB_REQ_TYPE;
-
-
ASSERT(sa != NULL && len != 0);
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
- if (icmp->icmp_state == TS_UNBND || icmp->icmp_pending_op != -1) {
- rw_exit(&icmp->icmp_rwlock);
- freeb(ire_mp);
- return (-TOUTSTATE);
- }
-
+ /*
+ * Determine packet type based on type of address passed in
+ * the request should contain an IPv4 or IPv6 address.
+ * Make sure that address family matches the type of
+ * family of the address passed down.
+ */
switch (len) {
case sizeof (sin_t):
sin = (sin_t *)sa;
- ASSERT(icmp->icmp_family == AF_INET);
- ASSERT(icmp->icmp_ipversion == IPV4_VERSION);
-
v4dst = sin->sin_addr.s_addr;
- /*
- * Interpret a zero destination to mean loopback.
- * Update the T_CONN_REQ (sin/sin6) since it is used to
- * generate the T_CONN_CON.
- */
- if (v4dst == INADDR_ANY) {
- v4dst = htonl(INADDR_LOOPBACK);
- }
-
+ dstport = sin->sin_port;
IN6_IPADDR_TO_V4MAPPED(v4dst, &v6dst);
- ASSERT(icmp->icmp_ipversion == IPV4_VERSION);
- icmp->icmp_max_hdr_len = IP_SIMPLE_HDR_LENGTH +
- icmp->icmp_ip_snd_options_len;
- icmp->icmp_v6dst.sin6_addr = v6dst;
- icmp->icmp_v6dst.sin6_family = AF_INET6;
- icmp->icmp_v6dst.sin6_flowinfo = 0;
- icmp->icmp_v6dst.sin6_port = 0;
-
- /*
- * If the destination address is multicast and
- * an outgoing multicast interface has been set,
- * use the address of that interface as our
- * source address if no source address has been set.
- */
- if (V4_PART_OF_V6(icmp->icmp_v6src) == INADDR_ANY &&
- CLASSD(v4dst) &&
- icmp->icmp_multicast_if_addr != INADDR_ANY) {
- IN6_IPADDR_TO_V4MAPPED(icmp->icmp_multicast_if_addr,
- &icmp->icmp_v6src);
- }
+ ASSERT(connp->conn_ipversion == IPV4_VERSION);
break;
+
case sizeof (sin6_t):
sin6 = (sin6_t *)sa;
/* No support for mapped addresses on raw sockets */
if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
- rw_exit(&icmp->icmp_rwlock);
- freeb(ire_mp);
return (EADDRNOTAVAIL);
}
+ v6dst = sin6->sin6_addr;
+ dstport = sin6->sin6_port;
+ ASSERT(connp->conn_ipversion == IPV6_VERSION);
+ flowinfo = sin6->sin6_flowinfo;
+ if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
+ scopeid = sin6->sin6_scope_id;
+ srcid = sin6->__sin6_src_id;
+ if (srcid != 0 && IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
+ ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
+ connp->conn_netstack);
+ }
+ break;
+ }
+
+ /*
+ * If there is a different thread using conn_ixa then we get a new
+ * copy and cut the old one loose from conn_ixa. Otherwise we use
+ * conn_ixa and prevent any other thread from using/changing it.
+ * Once connect() is done other threads can use conn_ixa since the
+ * refcnt will be back at one.
+ */
+ ixa = conn_get_ixa(connp, B_TRUE);
+ if (ixa == NULL)
+ return (ENOMEM);
- ASSERT(icmp->icmp_ipversion == IPV6_VERSION);
- ASSERT(icmp->icmp_family == AF_INET6);
+ ASSERT(ixa->ixa_refcnt >= 2);
+ ASSERT(ixa == connp->conn_ixa);
- icmp->icmp_max_hdr_len = icmp->icmp_sticky_hdrs_len;
+ mutex_enter(&connp->conn_lock);
+ /*
+ * This icmp_t must have bound already before doing a connect.
+ * Reject if a connect is in progress (we drop conn_lock during
+ * rawip_do_connect).
+ */
+ if (icmp->icmp_state == TS_UNBND || icmp->icmp_state == TS_WCON_CREQ) {
+ mutex_exit(&connp->conn_lock);
+ ixa_refrele(ixa);
+ return (-TOUTSTATE);
+ }
- icmp->icmp_v6dst = *sin6;
- icmp->icmp_v6dst.sin6_port = 0;
+ if (icmp->icmp_state == TS_DATA_XFER) {
+ /* Already connected - clear out state */
+ if (connp->conn_mcbc_bind)
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ else
+ connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_laddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_faddr_v6 = ipv6_all_zeros;
+ icmp->icmp_state = TS_IDLE;
+ }
+ /*
+ * Use sin_port/sin6_port since applications like psh use SOCK_RAW
+ * with IPPROTO_TCP.
+ */
+ connp->conn_fport = dstport;
+ if (connp->conn_ipversion == IPV4_VERSION) {
/*
* Interpret a zero destination to mean loopback.
* Update the T_CONN_REQ (sin/sin6) since it is used to
* generate the T_CONN_CON.
*/
- if (IN6_IS_ADDR_UNSPECIFIED(&icmp->icmp_v6dst.sin6_addr)) {
- icmp->icmp_v6dst.sin6_addr = ipv6_loopback;
+ if (v4dst == INADDR_ANY) {
+ v4dst = htonl(INADDR_LOOPBACK);
+ IN6_IPADDR_TO_V4MAPPED(v4dst, &v6dst);
+ ASSERT(connp->conn_family == AF_INET);
+ sin->sin_addr.s_addr = v4dst;
}
+ connp->conn_faddr_v6 = v6dst;
+ connp->conn_flowinfo = 0;
+ } else {
+ ASSERT(connp->conn_ipversion == IPV6_VERSION);
/*
- * If the destination address is multicast and
- * an outgoing multicast interface has been set,
- * then the ip bind logic will pick the correct source
- * address (i.e. matching the outgoing multicast interface).
+ * Interpret a zero destination to mean loopback.
+ * Update the T_CONN_REQ (sin/sin6) since it is used to
+ * generate the T_CONN_CON.
*/
- break;
+ if (IN6_IS_ADDR_UNSPECIFIED(&v6dst)) {
+ v6dst = ipv6_loopback;
+ sin6->sin6_addr = v6dst;
+ }
+ connp->conn_faddr_v6 = v6dst;
+ connp->conn_flowinfo = flowinfo;
}
- icmp->icmp_pending_op = T_CONN_REQ;
-
- if (icmp->icmp_state == TS_DATA_XFER) {
- /* Already connected - clear out state */
- icmp->icmp_v6src = icmp->icmp_bound_v6src;
- icmp->icmp_state = TS_IDLE;
+ ixa->ixa_cred = cr;
+ ixa->ixa_cpid = pid;
+ if (is_system_labeled()) {
+ /* We need to restart with a label based on the cred */
+ ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
}
- icmp->icmp_state = TS_DATA_XFER;
- rw_exit(&icmp->icmp_rwlock);
-
- if (icmp->icmp_family == AF_INET6) {
- error = ip_proto_bind_connected_v6(connp, &ire_mp,
- icmp->icmp_proto, &icmp->icmp_v6src, 0,
- &icmp->icmp_v6dst.sin6_addr,
- NULL, sin6->sin6_port, B_TRUE, B_TRUE, cr);
+ if (scopeid != 0) {
+ ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ ixa->ixa_scopeid = scopeid;
+ connp->conn_incoming_ifindex = scopeid;
} else {
- error = ip_proto_bind_connected_v4(connp, &ire_mp,
- icmp->icmp_proto, &V4_PART_OF_V6(icmp->icmp_v6src), 0,
- V4_PART_OF_V6(icmp->icmp_v6dst.sin6_addr), sin->sin_port,
- B_TRUE, B_TRUE, cr);
+ ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
+ connp->conn_incoming_ifindex = connp->conn_bound_if;
}
- rawip_post_ip_bind_connect(icmp, ire_mp, error);
- return (error);
-}
-static void
-icmp_close_free(conn_t *connp)
-{
- icmp_t *icmp = connp->conn_icmp;
-
- /* If there are any options associated with the stream, free them. */
- if (icmp->icmp_ip_snd_options != NULL) {
- mi_free((char *)icmp->icmp_ip_snd_options);
- icmp->icmp_ip_snd_options = NULL;
- icmp->icmp_ip_snd_options_len = 0;
- }
+ /*
+ * conn_connect will drop conn_lock and reacquire it.
+ * To prevent a send* from messing with this icmp_t while the lock
+ * is dropped we set icmp_state and clear conn_v6lastdst.
+ * That will make all send* fail with EISCONN.
+ */
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ icmp->icmp_state = TS_WCON_CREQ;
- if (icmp->icmp_filter != NULL) {
- kmem_free(icmp->icmp_filter, sizeof (icmp6_filter_t));
- icmp->icmp_filter = NULL;
- }
+ error = conn_connect(connp, NULL, IPDF_ALLOW_MCBC);
+ mutex_exit(&connp->conn_lock);
+ if (error != 0)
+ goto connect_failed;
- /* Free memory associated with sticky options */
- if (icmp->icmp_sticky_hdrs_len != 0) {
- kmem_free(icmp->icmp_sticky_hdrs,
- icmp->icmp_sticky_hdrs_len);
- icmp->icmp_sticky_hdrs = NULL;
- icmp->icmp_sticky_hdrs_len = 0;
- }
+ /*
+ * The addresses have been verified. Time to insert in
+ * the correct fanout list.
+ */
+ error = ipcl_conn_insert(connp);
+ if (error != 0)
+ goto connect_failed;
- if (icmp->icmp_last_cred != NULL) {
- crfree(icmp->icmp_last_cred);
- icmp->icmp_last_cred = NULL;
+ mutex_enter(&connp->conn_lock);
+ error = icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
+ &connp->conn_faddr_v6, connp->conn_flowinfo);
+ if (error != 0) {
+ mutex_exit(&connp->conn_lock);
+ goto connect_failed;
}
- if (icmp->icmp_effective_cred != NULL) {
- crfree(icmp->icmp_effective_cred);
- icmp->icmp_effective_cred = NULL;
- }
+ icmp->icmp_state = TS_DATA_XFER;
+ /* Record this as the "last" send even though we haven't sent any */
+ connp->conn_v6lastdst = connp->conn_faddr_v6;
+ connp->conn_lastipversion = connp->conn_ipversion;
+ connp->conn_lastdstport = connp->conn_fport;
+ connp->conn_lastflowinfo = connp->conn_flowinfo;
+ connp->conn_lastscopeid = scopeid;
+ connp->conn_lastsrcid = srcid;
+ /* Also remember a source to use together with lastdst */
+ connp->conn_v6lastsrc = v6src;
+ mutex_exit(&connp->conn_lock);
- ip6_pkt_free(&icmp->icmp_sticky_ipp);
+ ixa_refrele(ixa);
+ return (0);
- /*
- * Clear any fields which the kmem_cache constructor clears.
- * Only icmp_connp needs to be preserved.
- * TBD: We should make this more efficient to avoid clearing
- * everything.
- */
- ASSERT(icmp->icmp_connp == connp);
- bzero(icmp, sizeof (icmp_t));
- icmp->icmp_connp = connp;
+connect_failed:
+ if (ixa != NULL)
+ ixa_refrele(ixa);
+ mutex_enter(&connp->conn_lock);
+ icmp->icmp_state = TS_IDLE;
+ /* In case the source address was set above */
+ if (connp->conn_mcbc_bind)
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ else
+ connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_laddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_faddr_v6 = ipv6_all_zeros;
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ connp->conn_flowinfo = 0;
+
+ (void) icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
+ &connp->conn_faddr_v6, connp->conn_flowinfo);
+ mutex_exit(&connp->conn_lock);
+ return (error);
}
-static int
+static void
rawip_do_close(conn_t *connp)
{
ASSERT(connp != NULL && IPCL_IS_RAWIP(connp));
@@ -878,8 +893,6 @@ rawip_do_close(conn_t *connp)
qprocsoff(connp->conn_rq);
}
- ASSERT(connp->conn_icmp->icmp_fallback_queue_head == NULL &&
- connp->conn_icmp->icmp_fallback_queue_tail == NULL);
icmp_close_free(connp);
/*
@@ -902,8 +915,6 @@ rawip_do_close(conn_t *connp)
connp->conn_ref--;
ipcl_conn_destroy(connp);
-
- return (0);
}
static int
@@ -928,60 +939,63 @@ done:
return (0);
}
+static void
+icmp_close_free(conn_t *connp)
+{
+ icmp_t *icmp = connp->conn_icmp;
+
+ if (icmp->icmp_filter != NULL) {
+ kmem_free(icmp->icmp_filter, sizeof (icmp6_filter_t));
+ icmp->icmp_filter = NULL;
+ }
+
+ /*
+ * Clear any fields which the kmem_cache constructor clears.
+ * Only icmp_connp needs to be preserved.
+ * TBD: We should make this more efficient to avoid clearing
+ * everything.
+ */
+ ASSERT(icmp->icmp_connp == connp);
+ bzero(icmp, sizeof (icmp_t));
+ icmp->icmp_connp = connp;
+}
+
/*
* This routine handles each T_DISCON_REQ message passed to icmp
* as an indicating that ICMP is no longer connected. This results
- * in sending a T_BIND_REQ to IP to restore the binding to just
- * the local address.
- *
- * The disconnect completes in rawip_post_ip_bind_connect.
+ * in telling IP to restore the binding to just the local address.
*/
static int
icmp_do_disconnect(conn_t *connp)
{
- icmp_t *icmp;
- mblk_t *ire_mp;
- int error;
+ icmp_t *icmp = connp->conn_icmp;
+ int error;
- icmp = connp->conn_icmp;
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
- if (icmp->icmp_state != TS_DATA_XFER || icmp->icmp_pending_op != -1) {
- rw_exit(&icmp->icmp_rwlock);
+ mutex_enter(&connp->conn_lock);
+ if (icmp->icmp_state != TS_DATA_XFER) {
+ mutex_exit(&connp->conn_lock);
return (-TOUTSTATE);
}
- icmp->icmp_pending_op = T_DISCON_REQ;
- icmp->icmp_v6src = icmp->icmp_bound_v6src;
+ if (connp->conn_mcbc_bind)
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ else
+ connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_laddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_faddr_v6 = ipv6_all_zeros;
icmp->icmp_state = TS_IDLE;
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ error = icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
+ &connp->conn_faddr_v6, connp->conn_flowinfo);
+ mutex_exit(&connp->conn_lock);
+ if (error != 0)
+ return (error);
- if (icmp->icmp_family == AF_INET6) {
- /* Rebuild the header template */
- error = icmp_build_hdrs(icmp);
- if (error != 0) {
- icmp->icmp_pending_op = -1;
- rw_exit(&icmp->icmp_rwlock);
- return (error);
- }
- }
-
- rw_exit(&icmp->icmp_rwlock);
- ire_mp = allocb(sizeof (ire_t), BPRI_HI);
- if (ire_mp == NULL) {
- return (ENOMEM);
- }
-
- if (icmp->icmp_family == AF_INET6) {
- error = ip_proto_bind_laddr_v6(connp, &ire_mp, icmp->icmp_proto,
- &icmp->icmp_bound_v6src, 0, B_TRUE);
- } else {
-
- error = ip_proto_bind_laddr_v4(connp, &ire_mp, icmp->icmp_proto,
- V4_PART_OF_V6(icmp->icmp_bound_v6src), 0, B_TRUE);
- }
-
- rawip_post_ip_bind_connect(icmp, ire_mp, error);
-
- return (error);
+ /*
+ * Tell IP to remove the full binding and revert
+ * to the local address binding.
+ */
+ return (ip_laddr_fanout_insert(connp));
}
static void
@@ -1014,16 +1028,14 @@ icmp_tpi_disconnect(queue_t *q, mblk_t *mp)
ASSERT(mp != NULL);
qreply(q, mp);
}
-
}
static int
icmp_disconnect(conn_t *connp)
{
int error;
- icmp_t *icmp = connp->conn_icmp;
- icmp->icmp_dgram_errind = B_FALSE;
+ connp->conn_dgram_errind = B_FALSE;
error = icmp_do_disconnect(connp);
@@ -1058,22 +1070,22 @@ icmp_err_ack_prim(queue_t *q, mblk_t *mp, t_scalar_t primitive,
}
/*
- * icmp_icmp_error is called by icmp_input to process ICMP
- * messages passed up by IP.
- * Generates the appropriate permanent (non-transient) errors.
- * Assumes that IP has pulled up everything up to and including
- * the ICMP header.
+ * icmp_icmp_input is called as conn_recvicmp to process ICMP messages.
+ * Generates the appropriate T_UDERROR_IND for permanent (non-transient) errors.
+ * Assumes that IP has pulled up everything up to and including the ICMP header.
*/
+/* ARGSUSED2 */
static void
-icmp_icmp_error(conn_t *connp, mblk_t *mp)
+icmp_icmp_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
{
- icmph_t *icmph;
- ipha_t *ipha;
- int iph_hdr_length;
- sin_t sin;
- mblk_t *mp1;
- int error = 0;
- icmp_t *icmp = connp->conn_icmp;
+ conn_t *connp = (conn_t *)arg1;
+ icmp_t *icmp = connp->conn_icmp;
+ icmph_t *icmph;
+ ipha_t *ipha;
+ int iph_hdr_length;
+ sin_t sin;
+ mblk_t *mp1;
+ int error = 0;
ipha = (ipha_t *)mp->b_rptr;
@@ -1081,34 +1093,57 @@ icmp_icmp_error(conn_t *connp, mblk_t *mp)
if (IPH_HDR_VERSION(ipha) != IPV4_VERSION) {
ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION);
- icmp_icmp_error_ipv6(connp, mp);
+ icmp_icmp_error_ipv6(connp, mp, ira);
return;
}
-
- /*
- * icmp does not support v4 mapped addresses
- * so we can never be here for a V6 socket
- * i.e. icmp_family == AF_INET6
- */
- ASSERT((IPH_HDR_VERSION(ipha) == IPV4_VERSION) &&
- (icmp->icmp_family == AF_INET));
-
- ASSERT(icmp->icmp_family == AF_INET);
+ ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
/* Skip past the outer IP and ICMP headers */
- iph_hdr_length = IPH_HDR_LENGTH(ipha);
- icmph = (icmph_t *)(&mp->b_rptr[iph_hdr_length]);
- ipha = (ipha_t *)&icmph[1];
+ ASSERT(IPH_HDR_LENGTH(ipha) == ira->ira_ip_hdr_length);
+ iph_hdr_length = ira->ira_ip_hdr_length;
+ icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
+ ipha = (ipha_t *)&icmph[1]; /* Inner IP header */
+
iph_hdr_length = IPH_HDR_LENGTH(ipha);
switch (icmph->icmph_type) {
case ICMP_DEST_UNREACHABLE:
switch (icmph->icmph_code) {
- case ICMP_FRAGMENTATION_NEEDED:
+ case ICMP_FRAGMENTATION_NEEDED: {
+ ipha_t *ipha;
+ ip_xmit_attr_t *ixa;
/*
* IP has already adjusted the path MTU.
+ * But we need to adjust DF for IPv4.
*/
+ if (connp->conn_ipversion != IPV4_VERSION)
+ break;
+
+ ixa = conn_get_ixa(connp, B_FALSE);
+ if (ixa == NULL || ixa->ixa_ire == NULL) {
+ /*
+ * Some other thread holds conn_ixa. We will
+ * redo this on the next ICMP too big.
+ */
+ if (ixa != NULL)
+ ixa_refrele(ixa);
+ break;
+ }
+ (void) ip_get_pmtu(ixa);
+
+ mutex_enter(&connp->conn_lock);
+ ipha = (ipha_t *)connp->conn_ht_iphc;
+ if (ixa->ixa_flags & IXAF_PMTU_IPV4_DF) {
+ ipha->ipha_fragment_offset_and_flags |=
+ IPH_DF_HTONS;
+ } else {
+ ipha->ipha_fragment_offset_and_flags &=
+ ~IPH_DF_HTONS;
+ }
+ mutex_exit(&connp->conn_lock);
+ ixa_refrele(ixa);
break;
+ }
case ICMP_PORT_UNREACHABLE:
case ICMP_PROTOCOL_UNREACHABLE:
error = ECONNREFUSED;
@@ -1131,7 +1166,7 @@ icmp_icmp_error(conn_t *connp, mblk_t *mp)
* Deliver T_UDERROR_IND when the application has asked for it.
* The socket layer enables this automatically when connected.
*/
- if (!icmp->icmp_dgram_errind) {
+ if (!connp->conn_dgram_errind) {
freemsg(mp);
return;
}
@@ -1141,11 +1176,10 @@ icmp_icmp_error(conn_t *connp, mblk_t *mp)
sin.sin_addr.s_addr = ipha->ipha_dst;
if (IPCL_IS_NONSTR(connp)) {
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
+ mutex_enter(&connp->conn_lock);
if (icmp->icmp_state == TS_DATA_XFER) {
- if (sin.sin_addr.s_addr ==
- V4_PART_OF_V6(icmp->icmp_v6dst.sin6_addr)) {
- rw_exit(&icmp->icmp_rwlock);
+ if (sin.sin_addr.s_addr == connp->conn_faddr_v4) {
+ mutex_exit(&connp->conn_lock);
(*connp->conn_upcalls->su_set_error)
(connp->conn_upper_handle, error);
goto done;
@@ -1154,27 +1188,25 @@ icmp_icmp_error(conn_t *connp, mblk_t *mp)
icmp->icmp_delayed_error = error;
*((sin_t *)&icmp->icmp_delayed_addr) = sin;
}
- rw_exit(&icmp->icmp_rwlock);
+ mutex_exit(&connp->conn_lock);
} else {
- mp1 = mi_tpi_uderror_ind((char *)&sin, sizeof (sin_t), NULL,
- 0, error);
+ mp1 = mi_tpi_uderror_ind((char *)&sin, sizeof (sin_t), NULL, 0,
+ error);
if (mp1 != NULL)
putnext(connp->conn_rq, mp1);
}
done:
- ASSERT(!RW_ISWRITER(&icmp->icmp_rwlock));
freemsg(mp);
}
/*
- * icmp_icmp_error_ipv6 is called by icmp_icmp_error to process ICMPv6
- * for IPv6 packets.
- * Send permanent (non-transient) errors upstream.
- * Assumes that IP has pulled up all the extension headers as well
- * as the ICMPv6 header.
+ * icmp_icmp_error_ipv6 is called by icmp_icmp_error to process ICMP for IPv6.
+ * Generates the appropriate T_UDERROR_IND for permanent (non-transient) errors.
+ * Assumes that IP has pulled up all the extension headers as well as the
+ * ICMPv6 header.
*/
static void
-icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
+icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp, ip_recv_attr_t *ira)
{
icmp6_t *icmp6;
ip6_t *ip6h, *outer_ip6h;
@@ -1186,13 +1218,18 @@ icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
icmp_t *icmp = connp->conn_icmp;
outer_ip6h = (ip6_t *)mp->b_rptr;
+#ifdef DEBUG
if (outer_ip6h->ip6_nxt != IPPROTO_ICMPV6)
iph_hdr_length = ip_hdr_length_v6(mp, outer_ip6h);
else
iph_hdr_length = IPV6_HDR_LEN;
-
+ ASSERT(iph_hdr_length == ira->ira_ip_hdr_length);
+#endif
+ /* Skip past the outer IP and ICMP headers */
+ iph_hdr_length = ira->ira_ip_hdr_length;
icmp6 = (icmp6_t *)&mp->b_rptr[iph_hdr_length];
- ip6h = (ip6_t *)&icmp6[1];
+
+ ip6h = (ip6_t *)&icmp6[1]; /* Inner IP header */
if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length, &nexthdrp)) {
freemsg(mp);
return;
@@ -1229,7 +1266,7 @@ icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
* information, send up an empty message containing an
* IPV6_PATHMTU ancillary data item.
*/
- if (!icmp->icmp_ipv6_recvpathmtu)
+ if (!connp->conn_ipv6_recvpathmtu)
break;
udi_size = sizeof (struct T_unitdata_ind) + sizeof (sin6_t) +
@@ -1255,7 +1292,7 @@ icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
sin6 = (sin6_t *)&tudi[1];
bzero(sin6, sizeof (sin6_t));
sin6->sin6_family = AF_INET6;
- sin6->sin6_addr = icmp->icmp_v6dst.sin6_addr;
+ sin6->sin6_addr = connp->conn_faddr_v6;
toh = (struct T_opthdr *)&sin6[1];
toh->level = IPPROTO_IPV6;
@@ -1273,8 +1310,7 @@ icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
* message. Free it, then send our empty message.
*/
freemsg(mp);
- icmp_ulp_recv(connp, newmp);
-
+ icmp_ulp_recv(connp, newmp, msgdsize(newmp));
return;
}
case ICMP6_TIME_EXCEEDED:
@@ -1299,7 +1335,7 @@ icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
* Deliver T_UDERROR_IND when the application has asked for it.
* The socket layer enables this automatically when connected.
*/
- if (!icmp->icmp_dgram_errind) {
+ if (!connp->conn_dgram_errind) {
freemsg(mp);
return;
}
@@ -1308,13 +1344,12 @@ icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
sin6.sin6_family = AF_INET6;
sin6.sin6_addr = ip6h->ip6_dst;
sin6.sin6_flowinfo = ip6h->ip6_vcf & ~IPV6_VERS_AND_FLOW_MASK;
-
if (IPCL_IS_NONSTR(connp)) {
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
+ mutex_enter(&connp->conn_lock);
if (icmp->icmp_state == TS_DATA_XFER) {
if (IN6_ARE_ADDR_EQUAL(&sin6.sin6_addr,
- &icmp->icmp_v6dst.sin6_addr)) {
- rw_exit(&icmp->icmp_rwlock);
+ &connp->conn_faddr_v6)) {
+ mutex_exit(&connp->conn_lock);
(*connp->conn_upcalls->su_set_error)
(connp->conn_upper_handle, error);
goto done;
@@ -1323,7 +1358,7 @@ icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
icmp->icmp_delayed_error = error;
*((sin6_t *)&icmp->icmp_delayed_addr) = sin6;
}
- rw_exit(&icmp->icmp_rwlock);
+ mutex_exit(&connp->conn_lock);
} else {
mp1 = mi_tpi_uderror_ind((char *)&sin6, sizeof (sin6_t),
NULL, 0, error);
@@ -1331,7 +1366,6 @@ icmp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
putnext(connp->conn_rq, mp1);
}
done:
- ASSERT(!RW_ISWRITER(&icmp->icmp_rwlock));
freemsg(mp);
}
@@ -1345,9 +1379,12 @@ done:
static void
icmp_addr_req(queue_t *q, mblk_t *mp)
{
- icmp_t *icmp = Q_TO_ICMP(q);
+ struct sockaddr *sa;
mblk_t *ackmp;
struct T_addr_ack *taa;
+ icmp_t *icmp = Q_TO_ICMP(q);
+ conn_t *connp = icmp->icmp_connp;
+ uint_t addrlen;
/* Make it large enough for worst case */
ackmp = reallocb(mp, sizeof (struct T_addr_ack) +
@@ -1363,65 +1400,39 @@ icmp_addr_req(queue_t *q, mblk_t *mp)
taa->PRIM_type = T_ADDR_ACK;
ackmp->b_datap->db_type = M_PCPROTO;
- rw_enter(&icmp->icmp_rwlock, RW_READER);
+
+ if (connp->conn_family == AF_INET)
+ addrlen = sizeof (sin_t);
+ else
+ addrlen = sizeof (sin6_t);
+
+ mutex_enter(&connp->conn_lock);
/*
* Note: Following code assumes 32 bit alignment of basic
* data structures like sin_t and struct T_addr_ack.
*/
if (icmp->icmp_state != TS_UNBND) {
/*
- * Fill in local address
+ * Fill in local address first
*/
taa->LOCADDR_offset = sizeof (*taa);
- if (icmp->icmp_family == AF_INET) {
- sin_t *sin;
-
- taa->LOCADDR_length = sizeof (sin_t);
- sin = (sin_t *)&taa[1];
- /* Fill zeroes and then intialize non-zero fields */
- *sin = sin_null;
- sin->sin_family = AF_INET;
- if (!IN6_IS_ADDR_V4MAPPED_ANY(&icmp->icmp_v6src) &&
- !IN6_IS_ADDR_UNSPECIFIED(&icmp->icmp_v6src)) {
- IN6_V4MAPPED_TO_IPADDR(&icmp->icmp_v6src,
- sin->sin_addr.s_addr);
- } else {
- /*
- * INADDR_ANY
- * icmp_v6src is not set, we might be bound to
- * broadcast/multicast. Use icmp_bound_v6src as
- * local address instead (that could
- * also still be INADDR_ANY)
- */
- IN6_V4MAPPED_TO_IPADDR(&icmp->icmp_bound_v6src,
- sin->sin_addr.s_addr);
- }
- ackmp->b_wptr = (uchar_t *)&sin[1];
- } else {
- sin6_t *sin6;
-
- ASSERT(icmp->icmp_family == AF_INET6);
- taa->LOCADDR_length = sizeof (sin6_t);
- sin6 = (sin6_t *)&taa[1];
- /* Fill zeroes and then intialize non-zero fields */
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- if (!IN6_IS_ADDR_UNSPECIFIED(&icmp->icmp_v6src)) {
- sin6->sin6_addr = icmp->icmp_v6src;
- } else {
- /*
- * UNSPECIFIED
- * icmp_v6src is not set, we might be bound to
- * broadcast/multicast. Use icmp_bound_v6src as
- * local address instead (that could
- * also still be UNSPECIFIED)
- */
- sin6->sin6_addr = icmp->icmp_bound_v6src;
- }
- ackmp->b_wptr = (uchar_t *)&sin6[1];
- }
+ taa->LOCADDR_length = addrlen;
+ sa = (struct sockaddr *)&taa[1];
+ (void) conn_getsockname(connp, sa, &addrlen);
+ ackmp->b_wptr += addrlen;
+ }
+ if (icmp->icmp_state == TS_DATA_XFER) {
+ /*
+ * connected, fill remote address too
+ */
+ taa->REMADDR_length = addrlen;
+ /* assumed 32-bit alignment */
+ taa->REMADDR_offset = taa->LOCADDR_offset + taa->LOCADDR_length;
+ sa = (struct sockaddr *)(ackmp->b_rptr + taa->REMADDR_offset);
+ (void) conn_getpeername(connp, sa, &addrlen);
+ ackmp->b_wptr += addrlen;
}
- rw_exit(&icmp->icmp_rwlock);
+ mutex_exit(&connp->conn_lock);
ASSERT(ackmp->b_wptr <= ackmp->b_datap->db_lim);
qreply(q, ackmp);
}
@@ -1429,9 +1440,11 @@ icmp_addr_req(queue_t *q, mblk_t *mp)
static void
icmp_copy_info(struct T_info_ack *tap, icmp_t *icmp)
{
+ conn_t *connp = icmp->icmp_connp;
+
*tap = icmp_g_t_info_ack;
- if (icmp->icmp_family == AF_INET6)
+ if (connp->conn_family == AF_INET6)
tap->ADDR_size = sizeof (sin6_t);
else
tap->ADDR_size = sizeof (sin_t);
@@ -1488,6 +1501,7 @@ icmp_info_req(queue_t *q, mblk_t *mp)
{
icmp_t *icmp = Q_TO_ICMP(q);
+ /* Create a T_INFO_ACK message. */
mp = tpi_ack_alloc(mp, sizeof (struct T_info_ack), M_PCPROTO,
T_INFO_ACK);
if (!mp)
@@ -1496,18 +1510,14 @@ icmp_info_req(queue_t *q, mblk_t *mp)
qreply(q, mp);
}
-/* For /dev/icmp aka AF_INET open */
static int
icmp_tpi_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
int family)
{
conn_t *connp;
dev_t conn_dev;
- icmp_stack_t *is;
int error;
- conn_dev = NULL;
-
/* If the stream is already open, return immediately. */
if (q->q_ptr != NULL)
return (0);
@@ -1534,9 +1544,9 @@ icmp_tpi_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
return (0);
}
- connp = icmp_open(family, credp, &error, KM_SLEEP);
+ connp = rawip_do_open(family, credp, &error, KM_SLEEP);
if (connp == NULL) {
- ASSERT(error != NULL);
+ ASSERT(error != 0);
inet_minor_free(ip_minor_arena_sa, connp->conn_dev);
return (error);
}
@@ -1545,8 +1555,6 @@ icmp_tpi_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
connp->conn_dev = conn_dev;
connp->conn_minor_arena = ip_minor_arena_sa;
- is = connp->conn_icmp->icmp_is;
-
/*
* Initialize the icmp_t structure for this stream.
*/
@@ -1555,38 +1563,25 @@ icmp_tpi_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
connp->conn_rq = q;
connp->conn_wq = WR(q);
- if (connp->conn_icmp->icmp_family == AF_INET6) {
- /* Build initial header template for transmit */
- rw_enter(&connp->conn_icmp->icmp_rwlock, RW_WRITER);
- if ((error = icmp_build_hdrs(connp->conn_icmp)) != 0) {
- rw_exit(&connp->conn_icmp->icmp_rwlock);
- inet_minor_free(ip_minor_arena_sa, connp->conn_dev);
- ipcl_conn_destroy(connp);
- return (error);
- }
- rw_exit(&connp->conn_icmp->icmp_rwlock);
- }
-
-
- q->q_hiwat = is->is_recv_hiwat;
- WR(q)->q_hiwat = is->is_xmit_hiwat;
- WR(q)->q_lowat = is->is_xmit_lowat;
+ WR(q)->q_hiwat = connp->conn_sndbuf;
+ WR(q)->q_lowat = connp->conn_sndlowat;
qprocson(q);
/* Set the Stream head write offset. */
- (void) proto_set_tx_wroff(q, connp,
- connp->conn_icmp->icmp_max_hdr_len + is->is_wroff_extra);
- (void) proto_set_rx_hiwat(connp->conn_rq, connp, q->q_hiwat);
+ (void) proto_set_tx_wroff(q, connp, connp->conn_wroff);
+ (void) proto_set_rx_hiwat(connp->conn_rq, connp, connp->conn_rcvbuf);
mutex_enter(&connp->conn_lock);
connp->conn_state_flags &= ~CONN_INCIPIENT;
mutex_exit(&connp->conn_lock);
+ icmp_bind_proto(connp->conn_icmp);
+
return (0);
}
-/* For /dev/icmp4 aka AF_INET open */
+/* For /dev/icmp aka AF_INET open */
static int
icmp_openv4(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
{
@@ -1604,15 +1599,15 @@ icmp_openv6(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
* This is the open routine for icmp. It allocates a icmp_t structure for
* the stream and, on the first open of the module, creates an ND table.
*/
-/* ARGSUSED */
static conn_t *
-icmp_open(int family, cred_t *credp, int *err, int flags)
+rawip_do_open(int family, cred_t *credp, int *err, int flags)
{
icmp_t *icmp;
conn_t *connp;
zoneid_t zoneid;
netstack_t *ns;
icmp_stack_t *is;
+ int len;
boolean_t isv6 = B_FALSE;
*err = secpolicy_net_icmpaccess(credp);
@@ -1621,6 +1616,7 @@ icmp_open(int family, cred_t *credp, int *err, int flags)
if (family == AF_INET6)
isv6 = B_TRUE;
+
ns = netstack_find_by_cred(credp);
ASSERT(ns != NULL);
is = ns->netstack_icmp;
@@ -1639,7 +1635,6 @@ icmp_open(int family, cred_t *credp, int *err, int flags)
connp = ipcl_conn_create(IPCL_RAWIPCONN, flags, ns);
icmp = connp->conn_icmp;
- icmp->icmp_v6dst = sin6_null;
/*
* ipcl_conn_create did a netstack_hold. Undo the hold that was
@@ -1647,35 +1642,52 @@ icmp_open(int family, cred_t *credp, int *err, int flags)
*/
netstack_rele(ns);
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
- ASSERT(connp->conn_ulp == IPPROTO_ICMP);
+ /*
+ * Since this conn_t/icmp_t is not yet visible to anybody else we don't
+ * need to lock anything.
+ */
+ ASSERT(connp->conn_proto == IPPROTO_ICMP);
ASSERT(connp->conn_icmp == icmp);
ASSERT(icmp->icmp_connp == connp);
/* Set the initial state of the stream and the privilege status. */
icmp->icmp_state = TS_UNBND;
+ connp->conn_ixa->ixa_flags |= IXAF_VERIFY_SOURCE;
if (isv6) {
- icmp->icmp_ipversion = IPV6_VERSION;
- icmp->icmp_family = AF_INET6;
- connp->conn_ulp = IPPROTO_ICMPV6;
+ connp->conn_family = AF_INET6;
+ connp->conn_ipversion = IPV6_VERSION;
+ connp->conn_ixa->ixa_flags &= ~IXAF_IS_IPV4;
+ connp->conn_proto = IPPROTO_ICMPV6;
/* May be changed by a SO_PROTOTYPE socket option. */
- icmp->icmp_proto = IPPROTO_ICMPV6;
- icmp->icmp_checksum_off = 2; /* Offset for icmp6_cksum */
- icmp->icmp_max_hdr_len = IPV6_HDR_LEN;
- icmp->icmp_ttl = (uint8_t)is->is_ipv6_hoplimit;
- connp->conn_af_isv6 = B_TRUE;
+ connp->conn_proto = IPPROTO_ICMPV6;
+ connp->conn_ixa->ixa_protocol = connp->conn_proto;
+ connp->conn_ixa->ixa_raw_cksum_offset = 2;
+ connp->conn_default_ttl = is->is_ipv6_hoplimit;
+ len = sizeof (ip6_t);
} else {
- icmp->icmp_ipversion = IPV4_VERSION;
- icmp->icmp_family = AF_INET;
+ connp->conn_family = AF_INET;
+ connp->conn_ipversion = IPV4_VERSION;
+ connp->conn_ixa->ixa_flags |= IXAF_IS_IPV4;
/* May be changed by a SO_PROTOTYPE socket option. */
- icmp->icmp_proto = IPPROTO_ICMP;
- icmp->icmp_max_hdr_len = IP_SIMPLE_HDR_LENGTH;
- icmp->icmp_ttl = (uint8_t)is->is_ipv4_ttl;
- connp->conn_af_isv6 = B_FALSE;
- }
- icmp->icmp_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
- icmp->icmp_pending_op = -1;
- connp->conn_multicast_loop = IP_DEFAULT_MULTICAST_LOOP;
+ connp->conn_proto = IPPROTO_ICMP;
+ connp->conn_ixa->ixa_protocol = connp->conn_proto;
+ connp->conn_default_ttl = is->is_ipv4_ttl;
+ len = sizeof (ipha_t);
+ }
+ connp->conn_xmit_ipp.ipp_unicast_hops = connp->conn_default_ttl;
+
+ connp->conn_ixa->ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
+
+ /*
+ * For the socket of protocol IPPROTO_RAW or when IP_HDRINCL is set,
+ * the checksum is provided in the pre-built packet. We clear
+ * IXAF_SET_ULP_CKSUM to tell IP that the application has sent a
+ * complete IP header and not to compute the transport checksum.
+ */
+ connp->conn_ixa->ixa_flags |= IXAF_MULTICAST_LOOP | IXAF_SET_ULP_CKSUM;
+ /* conn_allzones can not be set this early, hence no IPCL_ZONEID */
+ connp->conn_ixa->ixa_zoneid = zoneid;
+
connp->conn_zoneid = zoneid;
/*
@@ -1685,17 +1697,35 @@ icmp_open(int family, cred_t *credp, int *err, int flags)
if (getpflags(NET_MAC_AWARE, credp) != 0)
connp->conn_mac_mode = CONN_MAC_AWARE;
- connp->conn_ulp_labeled = is_system_labeled();
+ connp->conn_zone_is_global = (crgetzoneid(credp) == GLOBAL_ZONEID);
icmp->icmp_is = is;
+ connp->conn_rcvbuf = is->is_recv_hiwat;
+ connp->conn_sndbuf = is->is_xmit_hiwat;
+ connp->conn_sndlowat = is->is_xmit_lowat;
+ connp->conn_rcvlowat = icmp_mod_info.mi_lowat;
+
+ connp->conn_wroff = len + is->is_wroff_extra;
+ connp->conn_so_type = SOCK_RAW;
+
connp->conn_recv = icmp_input;
+ connp->conn_recvicmp = icmp_icmp_input;
crhold(credp);
connp->conn_cred = credp;
-
- rw_exit(&icmp->icmp_rwlock);
+ connp->conn_cpid = curproc->p_pid;
+ connp->conn_open_time = lbolt64;
+ /* Cache things in ixa without an extra refhold */
+ connp->conn_ixa->ixa_cred = connp->conn_cred;
+ connp->conn_ixa->ixa_cpid = connp->conn_cpid;
+ if (is_system_labeled())
+ connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
connp->conn_flow_cntrld = B_FALSE;
+
+ if (is->is_pmtu_discovery)
+ connp->conn_ixa->ixa_flags |= IXAF_PMTU_DISCOVERY;
+
return (connp);
}
@@ -1713,9 +1743,8 @@ icmp_opt_allow_udr_set(t_scalar_t level, t_scalar_t name)
* This routine gets default values of certain options whose default
* values are maintained by protcol specific code
*/
-/* ARGSUSED */
int
-icmp_opt_default(queue_t *q, int level, int name, uchar_t *ptr)
+icmp_opt_default(queue_t *q, t_scalar_t level, t_scalar_t name, uchar_t *ptr)
{
icmp_t *icmp = Q_TO_ICMP(q);
icmp_stack_t *is = icmp->icmp_is;
@@ -1759,366 +1788,88 @@ icmp_opt_default(queue_t *q, int level, int name, uchar_t *ptr)
/*
* This routine retrieves the current status of socket options.
- * It returns the size of the option retrieved.
+ * It returns the size of the option retrieved, or -1.
*/
int
icmp_opt_get(conn_t *connp, int level, int name, uchar_t *ptr)
{
icmp_t *icmp = connp->conn_icmp;
- icmp_stack_t *is = icmp->icmp_is;
int *i1 = (int *)ptr;
- ip6_pkt_t *ipp = &icmp->icmp_sticky_ipp;
- int ret = 0;
+ conn_opt_arg_t coas;
+ int retval;
- ASSERT(RW_READ_HELD(&icmp->icmp_rwlock));
- switch (level) {
- case SOL_SOCKET:
- switch (name) {
- case SO_DEBUG:
- *i1 = icmp->icmp_debug;
- break;
- case SO_TYPE:
- *i1 = SOCK_RAW;
- break;
- case SO_PROTOTYPE:
- *i1 = icmp->icmp_proto;
- break;
- case SO_REUSEADDR:
- *i1 = icmp->icmp_reuseaddr;
- break;
-
- /*
- * The following three items are available here,
- * but are only meaningful to IP.
- */
- case SO_DONTROUTE:
- *i1 = icmp->icmp_dontroute;
- break;
- case SO_USELOOPBACK:
- *i1 = icmp->icmp_useloopback;
- break;
- case SO_BROADCAST:
- *i1 = icmp->icmp_broadcast;
- break;
-
- case SO_SNDBUF:
- ASSERT(icmp->icmp_xmit_hiwat <= INT_MAX);
- *i1 = icmp->icmp_xmit_hiwat;
- break;
- case SO_RCVBUF:
- ASSERT(icmp->icmp_recv_hiwat <= INT_MAX);
- *i1 = icmp->icmp_recv_hiwat;
- break;
- case SO_DGRAM_ERRIND:
- *i1 = icmp->icmp_dgram_errind;
- break;
- case SO_TIMESTAMP:
- *i1 = icmp->icmp_timestamp;
- break;
- case SO_MAC_EXEMPT:
- *i1 = (connp->conn_mac_mode == CONN_MAC_AWARE);
- break;
- case SO_MAC_IMPLICIT:
- *i1 = (connp->conn_mac_mode == CONN_MAC_IMPLICIT);
- break;
- case SO_DOMAIN:
- *i1 = icmp->icmp_family;
- break;
+ coas.coa_connp = connp;
+ coas.coa_ixa = connp->conn_ixa;
+ coas.coa_ipp = &connp->conn_xmit_ipp;
+ coas.coa_ancillary = B_FALSE;
+ coas.coa_changed = 0;
- /*
- * Following four not meaningful for icmp
- * Action is same as "default" to which we fallthrough
- * so we keep them in comments.
- * case SO_LINGER:
- * case SO_KEEPALIVE:
- * case SO_OOBINLINE:
- * case SO_ALLZONES:
- */
- default:
- ret = -1;
- goto done;
- }
- break;
+ /*
+ * We assume that the optcom framework has checked for the set
+ * of levels and names that are supported, hence we don't worry
+ * about rejecting based on that.
+ * First check for ICMP specific handling, then pass to common routine.
+ */
+ switch (level) {
case IPPROTO_IP:
/*
* Only allow IPv4 option processing on IPv4 sockets.
*/
- if (icmp->icmp_family != AF_INET) {
- ret = -1;
- goto done;
- }
+ if (connp->conn_family != AF_INET)
+ return (-1);
switch (name) {
case IP_OPTIONS:
case T_IP_OPTIONS:
/* Options are passed up with each packet */
- ret = 0;
- goto done;
+ return (0);
case IP_HDRINCL:
+ mutex_enter(&connp->conn_lock);
*i1 = (int)icmp->icmp_hdrincl;
- break;
- case IP_TOS:
- case T_IP_TOS:
- *i1 = (int)icmp->icmp_type_of_service;
- break;
- case IP_TTL:
- *i1 = (int)icmp->icmp_ttl;
- break;
- case IP_MULTICAST_IF:
- /* 0 address if not set */
- *(ipaddr_t *)ptr = icmp->icmp_multicast_if_addr;
- ret = sizeof (ipaddr_t);
- goto done;
- case IP_MULTICAST_TTL:
- *(uchar_t *)ptr = icmp->icmp_multicast_ttl;
- ret = sizeof (uchar_t);
- goto done;
- case IP_MULTICAST_LOOP:
- *ptr = connp->conn_multicast_loop;
- ret = sizeof (uint8_t);
- goto done;
- case IP_BOUND_IF:
- /* Zero if not set */
- *i1 = icmp->icmp_bound_if;
- break; /* goto sizeof (int) option return */
- case IP_UNSPEC_SRC:
- *ptr = icmp->icmp_unspec_source;
- break; /* goto sizeof (int) option return */
- case IP_RECVIF:
- *ptr = icmp->icmp_recvif;
- break; /* goto sizeof (int) option return */
- case IP_BROADCAST_TTL:
- *(uchar_t *)ptr = connp->conn_broadcast_ttl;
- return (sizeof (uchar_t));
- case IP_RECVPKTINFO:
- /*
- * This also handles IP_PKTINFO.
- * IP_PKTINFO and IP_RECVPKTINFO have the same value.
- * Differentiation is based on the size of the argument
- * passed in.
- * This option is handled in IP which will return an
- * error for IP_PKTINFO as it's not supported as a
- * sticky option.
- */
- ret = -EINVAL;
- goto done;
- /*
- * Cannot "get" the value of following options
- * at this level. Action is same as "default" to
- * which we fallthrough so we keep them in comments.
- *
- * case IP_ADD_MEMBERSHIP:
- * case IP_DROP_MEMBERSHIP:
- * case IP_BLOCK_SOURCE:
- * case IP_UNBLOCK_SOURCE:
- * case IP_ADD_SOURCE_MEMBERSHIP:
- * case IP_DROP_SOURCE_MEMBERSHIP:
- * case MCAST_JOIN_GROUP:
- * case MCAST_LEAVE_GROUP:
- * case MCAST_BLOCK_SOURCE:
- * case MCAST_UNBLOCK_SOURCE:
- * case MCAST_JOIN_SOURCE_GROUP:
- * case MCAST_LEAVE_SOURCE_GROUP:
- * case MRT_INIT:
- * case MRT_DONE:
- * case MRT_ADD_VIF:
- * case MRT_DEL_VIF:
- * case MRT_ADD_MFC:
- * case MRT_DEL_MFC:
- * case MRT_VERSION:
- * case MRT_ASSERT:
- * case IP_SEC_OPT:
- * case IP_NEXTHOP:
- */
- default:
- ret = -1;
- goto done;
+ mutex_exit(&connp->conn_lock);
+ return (sizeof (int));
}
break;
+
case IPPROTO_IPV6:
/*
* Only allow IPv6 option processing on native IPv6 sockets.
*/
- if (icmp->icmp_family != AF_INET6) {
- ret = -1;
- goto done;
- }
+ if (connp->conn_family != AF_INET6)
+ return (-1);
+
switch (name) {
- case IPV6_UNICAST_HOPS:
- *i1 = (unsigned int)icmp->icmp_ttl;
- break;
- case IPV6_MULTICAST_IF:
- /* 0 index if not set */
- *i1 = icmp->icmp_multicast_if_index;
- break;
- case IPV6_MULTICAST_HOPS:
- *i1 = icmp->icmp_multicast_ttl;
- break;
- case IPV6_MULTICAST_LOOP:
- *i1 = connp->conn_multicast_loop;
- break;
- case IPV6_BOUND_IF:
- /* Zero if not set */
- *i1 = icmp->icmp_bound_if;
- break;
- case IPV6_UNSPEC_SRC:
- *i1 = icmp->icmp_unspec_source;
- break;
case IPV6_CHECKSUM:
/*
* Return offset or -1 if no checksum offset.
* Does not apply to IPPROTO_ICMPV6
*/
- if (icmp->icmp_proto == IPPROTO_ICMPV6) {
- ret = -1;
- goto done;
- }
+ if (connp->conn_proto == IPPROTO_ICMPV6)
+ return (-1);
- if (icmp->icmp_raw_checksum) {
- *i1 = icmp->icmp_checksum_off;
- } else {
- *i1 = -1;
- }
- break;
- case IPV6_JOIN_GROUP:
- case IPV6_LEAVE_GROUP:
- case MCAST_JOIN_GROUP:
- case MCAST_LEAVE_GROUP:
- case MCAST_BLOCK_SOURCE:
- case MCAST_UNBLOCK_SOURCE:
- case MCAST_JOIN_SOURCE_GROUP:
- case MCAST_LEAVE_SOURCE_GROUP:
- /* cannot "get" the value for these */
- ret = -1;
- goto done;
- case IPV6_RECVPKTINFO:
- *i1 = icmp->icmp_ip_recvpktinfo;
- break;
- case IPV6_RECVTCLASS:
- *i1 = icmp->icmp_ipv6_recvtclass;
- break;
- case IPV6_RECVPATHMTU:
- *i1 = icmp->icmp_ipv6_recvpathmtu;
- break;
- case IPV6_V6ONLY:
- *i1 = 1;
- break;
- case IPV6_RECVHOPLIMIT:
- *i1 = icmp->icmp_ipv6_recvhoplimit;
- break;
- case IPV6_RECVHOPOPTS:
- *i1 = icmp->icmp_ipv6_recvhopopts;
- break;
- case IPV6_RECVDSTOPTS:
- *i1 = icmp->icmp_ipv6_recvdstopts;
- break;
- case _OLD_IPV6_RECVDSTOPTS:
- *i1 = icmp->icmp_old_ipv6_recvdstopts;
- break;
- case IPV6_RECVRTHDRDSTOPTS:
- *i1 = icmp->icmp_ipv6_recvrtdstopts;
- break;
- case IPV6_RECVRTHDR:
- *i1 = icmp->icmp_ipv6_recvrthdr;
- break;
- case IPV6_PKTINFO: {
- /* XXX assumes that caller has room for max size! */
- struct in6_pktinfo *pkti;
-
- pkti = (struct in6_pktinfo *)ptr;
- if (ipp->ipp_fields & IPPF_IFINDEX)
- pkti->ipi6_ifindex = ipp->ipp_ifindex;
+ mutex_enter(&connp->conn_lock);
+ if (connp->conn_ixa->ixa_flags & IXAF_SET_RAW_CKSUM)
+ *i1 = connp->conn_ixa->ixa_raw_cksum_offset;
else
- pkti->ipi6_ifindex = 0;
- if (ipp->ipp_fields & IPPF_ADDR)
- pkti->ipi6_addr = ipp->ipp_addr;
- else
- pkti->ipi6_addr = ipv6_all_zeros;
- ret = sizeof (struct in6_pktinfo);
- goto done;
- }
- case IPV6_NEXTHOP: {
- sin6_t *sin6 = (sin6_t *)ptr;
-
- if (!(ipp->ipp_fields & IPPF_NEXTHOP))
- return (0);
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_addr = ipp->ipp_nexthop;
- ret = (sizeof (sin6_t));
- goto done;
- }
- case IPV6_HOPOPTS:
- if (!(ipp->ipp_fields & IPPF_HOPOPTS))
- return (0);
- if (ipp->ipp_hopoptslen <= icmp->icmp_label_len_v6)
- return (0);
- bcopy((char *)ipp->ipp_hopopts +
- icmp->icmp_label_len_v6, ptr,
- ipp->ipp_hopoptslen - icmp->icmp_label_len_v6);
- if (icmp->icmp_label_len_v6 > 0) {
- ptr[0] = ((char *)ipp->ipp_hopopts)[0];
- ptr[1] = (ipp->ipp_hopoptslen -
- icmp->icmp_label_len_v6 + 7) / 8 - 1;
- }
- ret = (ipp->ipp_hopoptslen - icmp->icmp_label_len_v6);
- goto done;
- case IPV6_RTHDRDSTOPTS:
- if (!(ipp->ipp_fields & IPPF_RTDSTOPTS))
- return (0);
- bcopy(ipp->ipp_rtdstopts, ptr, ipp->ipp_rtdstoptslen);
- ret = ipp->ipp_rtdstoptslen;
- goto done;
- case IPV6_RTHDR:
- if (!(ipp->ipp_fields & IPPF_RTHDR))
- return (0);
- bcopy(ipp->ipp_rthdr, ptr, ipp->ipp_rthdrlen);
- ret = ipp->ipp_rthdrlen;
- goto done;
- case IPV6_DSTOPTS:
- if (!(ipp->ipp_fields & IPPF_DSTOPTS)) {
- ret = 0;
- goto done;
- }
- bcopy(ipp->ipp_dstopts, ptr, ipp->ipp_dstoptslen);
- ret = ipp->ipp_dstoptslen;
- goto done;
- case IPV6_PATHMTU:
- if (!(ipp->ipp_fields & IPPF_PATHMTU)) {
- ret = 0;
- } else {
- ret = ip_fill_mtuinfo(
- &icmp->icmp_v6dst.sin6_addr, 0,
- (struct ip6_mtuinfo *)ptr,
- is->is_netstack);
- }
- goto done;
- case IPV6_TCLASS:
- if (ipp->ipp_fields & IPPF_TCLASS)
- *i1 = ipp->ipp_tclass;
- else
- *i1 = IPV6_FLOW_TCLASS(
- IPV6_DEFAULT_VERS_AND_FLOW);
- break;
- default:
- ret = -1;
- goto done;
+ *i1 = -1;
+ mutex_exit(&connp->conn_lock);
+ return (sizeof (int));
}
break;
+
case IPPROTO_ICMPV6:
/*
* Only allow IPv6 option processing on native IPv6 sockets.
*/
- if (icmp->icmp_family != AF_INET6) {
- ret = -1;
- }
+ if (connp->conn_family != AF_INET6)
+ return (-1);
- if (icmp->icmp_proto != IPPROTO_ICMPV6) {
- ret = -1;
- }
+ if (connp->conn_proto != IPPROTO_ICMPV6)
+ return (-1);
switch (name) {
case ICMP6_FILTER:
+ mutex_enter(&connp->conn_lock);
if (icmp->icmp_filter == NULL) {
/* Make it look like "pass all" */
ICMP6_FILTER_SETPASSALL((icmp6_filter_t *)ptr);
@@ -2126,501 +1877,149 @@ icmp_opt_get(conn_t *connp, int level, int name, uchar_t *ptr)
(void) bcopy(icmp->icmp_filter, ptr,
sizeof (icmp6_filter_t));
}
- ret = sizeof (icmp6_filter_t);
- goto done;
- default:
- ret = -1;
- goto done;
+ mutex_exit(&connp->conn_lock);
+ return (sizeof (icmp6_filter_t));
}
- default:
- ret = -1;
- goto done;
}
- ret = sizeof (int);
-done:
- return (ret);
+ mutex_enter(&connp->conn_lock);
+ retval = conn_opt_get(&coas, level, name, ptr);
+ mutex_exit(&connp->conn_lock);
+ return (retval);
}
/*
* This routine retrieves the current status of socket options.
- * It returns the size of the option retrieved.
+ * It returns the size of the option retrieved, or -1.
*/
int
icmp_tpi_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
{
- conn_t *connp = Q_TO_CONN(q);
- icmp_t *icmp = connp->conn_icmp;
- int err;
+ conn_t *connp = Q_TO_CONN(q);
+ int err;
- rw_enter(&icmp->icmp_rwlock, RW_READER);
err = icmp_opt_get(connp, level, name, ptr);
- rw_exit(&icmp->icmp_rwlock);
return (err);
}
+/*
+ * This routine sets socket options.
+ */
int
-icmp_do_opt_set(conn_t *connp, int level, int name, uint_t inlen,
- uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp, cred_t *cr,
- void *thisdg_attrs, boolean_t checkonly)
+icmp_do_opt_set(conn_opt_arg_t *coa, int level, int name,
+ uint_t inlen, uchar_t *invalp, cred_t *cr, boolean_t checkonly)
{
+ conn_t *connp = coa->coa_connp;
+ ip_xmit_attr_t *ixa = coa->coa_ixa;
+ icmp_t *icmp = connp->conn_icmp;
+ icmp_stack_t *is = icmp->icmp_is;
+ int *i1 = (int *)invalp;
+ boolean_t onoff = (*i1 == 0) ? 0 : 1;
+ int error;
- int *i1 = (int *)invalp;
- boolean_t onoff = (*i1 == 0) ? 0 : 1;
- icmp_t *icmp = connp->conn_icmp;
- icmp_stack_t *is = icmp->icmp_is;
- int error;
+ ASSERT(MUTEX_NOT_HELD(&coa->coa_connp->conn_lock));
- ASSERT(RW_WRITE_HELD(&icmp->icmp_rwlock));
/*
* For fixed length options, no sanity check
* of passed in length is done. It is assumed *_optcom_req()
* routines do the right thing.
*/
+
switch (level) {
case SOL_SOCKET:
switch (name) {
- case SO_DEBUG:
- if (!checkonly)
- icmp->icmp_debug = onoff;
- break;
case SO_PROTOTYPE:
if ((*i1 & 0xFF) != IPPROTO_ICMP &&
(*i1 & 0xFF) != IPPROTO_ICMPV6 &&
secpolicy_net_rawaccess(cr) != 0) {
- *outlenp = 0;
return (EACCES);
}
- /* Can't use IPPROTO_RAW with IPv6 */
- if ((*i1 & 0xFF) == IPPROTO_RAW &&
- icmp->icmp_family == AF_INET6) {
- *outlenp = 0;
- return (EPROTONOSUPPORT);
- }
- if (checkonly) {
- /* T_CHECK case */
- *(int *)outvalp = (*i1 & 0xFF);
+ if (checkonly)
break;
- }
- icmp->icmp_proto = *i1 & 0xFF;
- if ((icmp->icmp_proto == IPPROTO_RAW ||
- icmp->icmp_proto == IPPROTO_IGMP) &&
- icmp->icmp_family == AF_INET)
+
+ mutex_enter(&connp->conn_lock);
+ connp->conn_proto = *i1 & 0xFF;
+ ixa->ixa_protocol = connp->conn_proto;
+ if ((connp->conn_proto == IPPROTO_RAW ||
+ connp->conn_proto == IPPROTO_IGMP) &&
+ connp->conn_family == AF_INET) {
icmp->icmp_hdrincl = 1;
- else
+ ixa->ixa_flags &= ~IXAF_SET_ULP_CKSUM;
+ } else if (connp->conn_proto == IPPROTO_UDP ||
+ connp->conn_proto == IPPROTO_TCP ||
+ connp->conn_proto == IPPROTO_SCTP) {
+ /* Used by test applications like psh */
icmp->icmp_hdrincl = 0;
-
- if (icmp->icmp_family == AF_INET6 &&
- icmp->icmp_proto == IPPROTO_ICMPV6) {
- /* Set offset for icmp6_cksum */
- icmp->icmp_raw_checksum = 0;
- icmp->icmp_checksum_off = 2;
- }
- if (icmp->icmp_proto == IPPROTO_UDP ||
- icmp->icmp_proto == IPPROTO_TCP ||
- icmp->icmp_proto == IPPROTO_SCTP) {
- icmp->icmp_no_tp_cksum = 1;
- icmp->icmp_sticky_ipp.ipp_fields |=
- IPPF_NO_CKSUM;
+ ixa->ixa_flags &= ~IXAF_SET_ULP_CKSUM;
} else {
- icmp->icmp_no_tp_cksum = 0;
- icmp->icmp_sticky_ipp.ipp_fields &=
- ~IPPF_NO_CKSUM;
+ icmp->icmp_hdrincl = 0;
+ ixa->ixa_flags |= IXAF_SET_ULP_CKSUM;
}
+ if (connp->conn_family == AF_INET6 &&
+ connp->conn_proto == IPPROTO_ICMPV6) {
+ /* Set offset for icmp6_cksum */
+ ixa->ixa_flags &= ~IXAF_SET_RAW_CKSUM;
+ ixa->ixa_raw_cksum_offset = 2;
+ }
if (icmp->icmp_filter != NULL &&
- icmp->icmp_proto != IPPROTO_ICMPV6) {
+ connp->conn_proto != IPPROTO_ICMPV6) {
kmem_free(icmp->icmp_filter,
sizeof (icmp6_filter_t));
icmp->icmp_filter = NULL;
}
+ mutex_exit(&connp->conn_lock);
- /* Rebuild the header template */
- error = icmp_build_hdrs(icmp);
- if (error != 0) {
- *outlenp = 0;
- return (error);
- }
-
+ coa->coa_changed |= COA_HEADER_CHANGED;
/*
* For SCTP, we don't use icmp_bind_proto() for
- * raw socket binding. Note that we do not need
- * to set *outlenp.
- * FIXME: how does SCTP work?
+ * raw socket binding.
*/
- if (icmp->icmp_proto == IPPROTO_SCTP)
+ if (connp->conn_proto == IPPROTO_SCTP)
return (0);
- *outlenp = sizeof (int);
- *(int *)outvalp = *i1 & 0xFF;
-
- /* Drop lock across the bind operation */
- rw_exit(&icmp->icmp_rwlock);
- (void) icmp_bind_proto(connp);
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
+ coa->coa_changed |= COA_ICMP_BIND_NEEDED;
return (0);
- case SO_REUSEADDR:
- if (!checkonly) {
- icmp->icmp_reuseaddr = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
-
- /*
- * The following three items are available here,
- * but are only meaningful to IP.
- */
- case SO_DONTROUTE:
- if (!checkonly) {
- icmp->icmp_dontroute = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case SO_USELOOPBACK:
- if (!checkonly) {
- icmp->icmp_useloopback = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case SO_BROADCAST:
- if (!checkonly) {
- icmp->icmp_broadcast = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
case SO_SNDBUF:
if (*i1 > is->is_max_buf) {
- *outlenp = 0;
return (ENOBUFS);
}
- if (!checkonly) {
- if (!IPCL_IS_NONSTR(connp)) {
- connp->conn_wq->q_hiwat = *i1;
- }
- icmp->icmp_xmit_hiwat = *i1;
- }
break;
case SO_RCVBUF:
if (*i1 > is->is_max_buf) {
- *outlenp = 0;
return (ENOBUFS);
}
- if (!checkonly) {
- icmp->icmp_recv_hiwat = *i1;
- rw_exit(&icmp->icmp_rwlock);
- (void) proto_set_rx_hiwat(connp->conn_rq, connp,
- *i1);
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
- }
- break;
- case SO_DGRAM_ERRIND:
- if (!checkonly)
- icmp->icmp_dgram_errind = onoff;
break;
- case SO_ALLZONES:
- /*
- * "soft" error (negative)
- * option not handled at this level
- * Note: Do not modify *outlenp
- */
- return (-EINVAL);
- case SO_TIMESTAMP:
- if (!checkonly) {
- icmp->icmp_timestamp = onoff;
- }
- break;
- case SO_MAC_EXEMPT:
- /*
- * "soft" error (negative)
- * option not handled at this level
- * Note: Do not modify *outlenp
- */
- return (-EINVAL);
- case SO_RCVTIMEO:
- case SO_SNDTIMEO:
- /*
- * Pass these two options in order for third part
- * protocol usage. Here just return directly.
- */
- return (0);
- /*
- * Following three not meaningful for icmp
- * Action is same as "default" so we keep them
- * in comments.
- * case SO_LINGER:
- * case SO_KEEPALIVE:
- * case SO_OOBINLINE:
- */
- default:
- *outlenp = 0;
- return (EINVAL);
}
break;
+
case IPPROTO_IP:
/*
* Only allow IPv4 option processing on IPv4 sockets.
*/
- if (icmp->icmp_family != AF_INET) {
- *outlenp = 0;
- return (ENOPROTOOPT);
- }
- switch (name) {
- case IP_OPTIONS:
- case T_IP_OPTIONS:
- /* Save options for use by IP. */
- if ((inlen & 0x3) ||
- inlen + icmp->icmp_label_len > IP_MAX_OPT_LENGTH) {
- *outlenp = 0;
- return (EINVAL);
- }
- if (checkonly)
- break;
-
- if (!tsol_option_set(&icmp->icmp_ip_snd_options,
- &icmp->icmp_ip_snd_options_len,
- icmp->icmp_label_len, invalp, inlen)) {
- *outlenp = 0;
- return (ENOMEM);
- }
+ if (connp->conn_family != AF_INET)
+ return (EINVAL);
- icmp->icmp_max_hdr_len = IP_SIMPLE_HDR_LENGTH +
- icmp->icmp_ip_snd_options_len;
- rw_exit(&icmp->icmp_rwlock);
- (void) proto_set_tx_wroff(connp->conn_rq == NULL ? NULL:
- RD(connp->conn_rq), connp,
- icmp->icmp_max_hdr_len + is->is_wroff_extra);
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
- break;
+ switch (name) {
case IP_HDRINCL:
- if (!checkonly)
- icmp->icmp_hdrincl = onoff;
- break;
- case IP_TOS:
- case T_IP_TOS:
- if (!checkonly) {
- icmp->icmp_type_of_service = (uint8_t)*i1;
- }
- break;
- case IP_TTL:
if (!checkonly) {
- icmp->icmp_ttl = (uint8_t)*i1;
- }
- break;
- case IP_MULTICAST_IF:
- /*
- * TODO should check OPTMGMT reply and undo this if
- * there is an error.
- */
- if (!checkonly) {
- icmp->icmp_multicast_if_addr = *i1;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IP_MULTICAST_TTL:
- if (!checkonly)
- icmp->icmp_multicast_ttl = *invalp;
- break;
- case IP_MULTICAST_LOOP:
- if (!checkonly) {
- connp->conn_multicast_loop =
- (*invalp == 0) ? 0 : 1;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IP_BOUND_IF:
- if (!checkonly) {
- icmp->icmp_bound_if = *i1;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IP_UNSPEC_SRC:
- if (!checkonly) {
- icmp->icmp_unspec_source = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IP_BROADCAST_TTL:
- if (!checkonly)
- connp->conn_broadcast_ttl = *invalp;
- break;
- case IP_RECVIF:
- if (!checkonly) {
- icmp->icmp_recvif = onoff;
- }
- /*
- * pass to ip
- */
- return (-EINVAL);
- case IP_PKTINFO: {
- /*
- * This also handles IP_RECVPKTINFO.
- * IP_PKTINFO and IP_RECVPKTINFO have the same value.
- * Differentiation is based on the size of the argument
- * passed in.
- */
- struct in_pktinfo *pktinfop;
- ip4_pkt_t *attr_pktinfop;
-
- if (checkonly)
- break;
-
- if (inlen == sizeof (int)) {
- /*
- * This is IP_RECVPKTINFO option.
- * Keep a local copy of wether this option is
- * set or not and pass it down to IP for
- * processing.
- */
- icmp->icmp_ip_recvpktinfo = onoff;
- return (-EINVAL);
- }
-
-
- if (inlen != sizeof (struct in_pktinfo)) {
- return (EINVAL);
- }
-
- if ((attr_pktinfop = (ip4_pkt_t *)thisdg_attrs)
- == NULL) {
- /*
- * sticky option is not supported
- */
- return (EINVAL);
- }
-
- pktinfop = (struct in_pktinfo *)invalp;
-
- /*
- * Atleast one of the values should be specified
- */
- if (pktinfop->ipi_ifindex == 0 &&
- pktinfop->ipi_spec_dst.s_addr == INADDR_ANY) {
- return (EINVAL);
+ mutex_enter(&connp->conn_lock);
+ icmp->icmp_hdrincl = onoff;
+ if (onoff)
+ ixa->ixa_flags &= ~IXAF_SET_ULP_CKSUM;
+ else
+ ixa->ixa_flags |= IXAF_SET_ULP_CKSUM;
+ mutex_exit(&connp->conn_lock);
}
-
- attr_pktinfop->ip4_addr = pktinfop->ipi_spec_dst.s_addr;
- attr_pktinfop->ip4_ill_index = pktinfop->ipi_ifindex;
- }
break;
- case IP_ADD_MEMBERSHIP:
- case IP_DROP_MEMBERSHIP:
- case IP_BLOCK_SOURCE:
- case IP_UNBLOCK_SOURCE:
- case IP_ADD_SOURCE_MEMBERSHIP:
- case IP_DROP_SOURCE_MEMBERSHIP:
- case MCAST_JOIN_GROUP:
- case MCAST_LEAVE_GROUP:
- case MCAST_BLOCK_SOURCE:
- case MCAST_UNBLOCK_SOURCE:
- case MCAST_JOIN_SOURCE_GROUP:
- case MCAST_LEAVE_SOURCE_GROUP:
- case MRT_INIT:
- case MRT_DONE:
- case MRT_ADD_VIF:
- case MRT_DEL_VIF:
- case MRT_ADD_MFC:
- case MRT_DEL_MFC:
- case MRT_VERSION:
- case MRT_ASSERT:
- case IP_SEC_OPT:
- case IP_NEXTHOP:
- /*
- * "soft" error (negative)
- * option not handled at this level
- * Note: Do not modify *outlenp
- */
- return (-EINVAL);
- default:
- *outlenp = 0;
- return (EINVAL);
}
break;
- case IPPROTO_IPV6: {
- ip6_pkt_t *ipp;
- boolean_t sticky;
- if (icmp->icmp_family != AF_INET6) {
- *outlenp = 0;
- return (ENOPROTOOPT);
- }
- /*
- * Deal with both sticky options and ancillary data
- */
- if (thisdg_attrs == NULL) {
- /* sticky options, or none */
- ipp = &icmp->icmp_sticky_ipp;
- sticky = B_TRUE;
- } else {
- /* ancillary data */
- ipp = (ip6_pkt_t *)thisdg_attrs;
- sticky = B_FALSE;
- }
+ case IPPROTO_IPV6:
+ if (connp->conn_family != AF_INET6)
+ return (EINVAL);
switch (name) {
- case IPV6_MULTICAST_IF:
- if (!checkonly) {
- icmp->icmp_multicast_if_index = *i1;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_UNICAST_HOPS:
- /* -1 means use default */
- if (*i1 < -1 || *i1 > IPV6_MAX_HOPS) {
- *outlenp = 0;
- return (EINVAL);
- }
- if (!checkonly) {
- if (*i1 == -1) {
- icmp->icmp_ttl = ipp->ipp_unicast_hops =
- is->is_ipv6_hoplimit;
- ipp->ipp_fields &= ~IPPF_UNICAST_HOPS;
- /* Pass modified value to IP. */
- *i1 = ipp->ipp_hoplimit;
- } else {
- icmp->icmp_ttl = ipp->ipp_unicast_hops =
- (uint8_t)*i1;
- ipp->ipp_fields |= IPPF_UNICAST_HOPS;
- }
- /* Rebuild the header template */
- error = icmp_build_hdrs(icmp);
- if (error != 0) {
- *outlenp = 0;
- return (error);
- }
- }
- break;
- case IPV6_MULTICAST_HOPS:
- /* -1 means use default */
- if (*i1 < -1 || *i1 > IPV6_MAX_HOPS) {
- *outlenp = 0;
- return (EINVAL);
- }
- if (!checkonly) {
- if (*i1 == -1) {
- icmp->icmp_multicast_ttl =
- ipp->ipp_multicast_hops =
- IP_DEFAULT_MULTICAST_TTL;
- ipp->ipp_fields &= ~IPPF_MULTICAST_HOPS;
- /* Pass modified value to IP. */
- *i1 = icmp->icmp_multicast_ttl;
- } else {
- icmp->icmp_multicast_ttl =
- ipp->ipp_multicast_hops =
- (uint8_t)*i1;
- ipp->ipp_fields |= IPPF_MULTICAST_HOPS;
- }
- }
- break;
- case IPV6_MULTICAST_LOOP:
- if (*i1 != 0 && *i1 != 1) {
- *outlenp = 0;
- return (EINVAL);
- }
- if (!checkonly) {
- connp->conn_multicast_loop = *i1;
- PASS_OPT_TO_IP(connp);
- }
- break;
case IPV6_CHECKSUM:
/*
* Integer offset into the user data of where the
@@ -2628,517 +2027,93 @@ icmp_do_opt_set(conn_t *connp, int level, int name, uint_t inlen,
* Offset of -1 disables option.
* Does not apply to IPPROTO_ICMPV6.
*/
- if (icmp->icmp_proto == IPPROTO_ICMPV6 || !sticky) {
- *outlenp = 0;
+ if (connp->conn_proto == IPPROTO_ICMPV6 ||
+ coa->coa_ancillary) {
return (EINVAL);
}
if ((*i1 != -1) && ((*i1 < 0) || (*i1 & 0x1) != 0)) {
/* Negative or not 16 bit aligned offset */
- *outlenp = 0;
return (EINVAL);
}
if (checkonly)
break;
+ mutex_enter(&connp->conn_lock);
if (*i1 == -1) {
- icmp->icmp_raw_checksum = 0;
- ipp->ipp_fields &= ~IPPF_RAW_CKSUM;
+ ixa->ixa_flags &= ~IXAF_SET_RAW_CKSUM;
+ ixa->ixa_raw_cksum_offset = 0;
+ ixa->ixa_flags &= ~IXAF_SET_ULP_CKSUM;
} else {
- icmp->icmp_raw_checksum = 1;
- icmp->icmp_checksum_off = *i1;
- ipp->ipp_fields |= IPPF_RAW_CKSUM;
- }
- /* Rebuild the header template */
- error = icmp_build_hdrs(icmp);
- if (error != 0) {
- *outlenp = 0;
- return (error);
- }
- break;
- case IPV6_JOIN_GROUP:
- case IPV6_LEAVE_GROUP:
- case MCAST_JOIN_GROUP:
- case MCAST_LEAVE_GROUP:
- case MCAST_BLOCK_SOURCE:
- case MCAST_UNBLOCK_SOURCE:
- case MCAST_JOIN_SOURCE_GROUP:
- case MCAST_LEAVE_SOURCE_GROUP:
- /*
- * "soft" error (negative)
- * option not handled at this level
- * Note: Do not modify *outlenp
- */
- return (-EINVAL);
- case IPV6_BOUND_IF:
- if (!checkonly) {
- icmp->icmp_bound_if = *i1;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_UNSPEC_SRC:
- if (!checkonly) {
- icmp->icmp_unspec_source = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVTCLASS:
- if (!checkonly) {
- icmp->icmp_ipv6_recvtclass = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- /*
- * Set boolean switches for ancillary data delivery
- */
- case IPV6_RECVPKTINFO:
- if (!checkonly) {
- icmp->icmp_ip_recvpktinfo = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVPATHMTU:
- if (!checkonly) {
- icmp->icmp_ipv6_recvpathmtu = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVHOPLIMIT:
- if (!checkonly) {
- icmp->icmp_ipv6_recvhoplimit = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVHOPOPTS:
- if (!checkonly) {
- icmp->icmp_ipv6_recvhopopts = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVDSTOPTS:
- if (!checkonly) {
- icmp->icmp_ipv6_recvdstopts = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case _OLD_IPV6_RECVDSTOPTS:
- if (!checkonly)
- icmp->icmp_old_ipv6_recvdstopts = onoff;
- break;
- case IPV6_RECVRTHDRDSTOPTS:
- if (!checkonly) {
- icmp->icmp_ipv6_recvrtdstopts = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVRTHDR:
- if (!checkonly) {
- icmp->icmp_ipv6_recvrthdr = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- /*
- * Set sticky options or ancillary data.
- * If sticky options, (re)build any extension headers
- * that might be needed as a result.
- */
- case IPV6_PKTINFO:
- /*
- * The source address and ifindex are verified
- * in ip_opt_set(). For ancillary data the
- * source address is checked in ip_wput_v6.
- */
- if (inlen != 0 && inlen !=
- sizeof (struct in6_pktinfo)) {
- return (EINVAL);
- }
- if (checkonly)
- break;
-
- if (inlen == 0) {
- ipp->ipp_fields &= ~(IPPF_IFINDEX|IPPF_ADDR);
- ipp->ipp_sticky_ignored |=
- (IPPF_IFINDEX|IPPF_ADDR);
- } else {
- struct in6_pktinfo *pkti;
-
- pkti = (struct in6_pktinfo *)invalp;
- ipp->ipp_ifindex = pkti->ipi6_ifindex;
- ipp->ipp_addr = pkti->ipi6_addr;
- if (ipp->ipp_ifindex != 0)
- ipp->ipp_fields |= IPPF_IFINDEX;
- else
- ipp->ipp_fields &= ~IPPF_IFINDEX;
- if (!IN6_IS_ADDR_UNSPECIFIED(
- &ipp->ipp_addr))
- ipp->ipp_fields |= IPPF_ADDR;
- else
- ipp->ipp_fields &= ~IPPF_ADDR;
- }
- if (sticky) {
- error = icmp_build_hdrs(icmp);
- if (error != 0)
- return (error);
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_HOPLIMIT:
- /* This option can only be used as ancillary data. */
- if (sticky)
- return (EINVAL);
- if (inlen != 0 && inlen != sizeof (int))
- return (EINVAL);
- if (checkonly)
- break;
-
- if (inlen == 0) {
- ipp->ipp_fields &= ~IPPF_HOPLIMIT;
- ipp->ipp_sticky_ignored |= IPPF_HOPLIMIT;
- } else {
- if (*i1 > 255 || *i1 < -1)
- return (EINVAL);
- if (*i1 == -1)
- ipp->ipp_hoplimit =
- is->is_ipv6_hoplimit;
- else
- ipp->ipp_hoplimit = *i1;
- ipp->ipp_fields |= IPPF_HOPLIMIT;
- }
- break;
- case IPV6_TCLASS:
- /*
- * IPV6_RECVTCLASS accepts -1 as use kernel default
- * and [0, 255] as the actualy traffic class.
- */
- if (inlen != 0 && inlen != sizeof (int)) {
- return (EINVAL);
- }
- if (checkonly)
- break;
-
- if (inlen == 0) {
- ipp->ipp_fields &= ~IPPF_TCLASS;
- ipp->ipp_sticky_ignored |= IPPF_TCLASS;
- } else {
- if (*i1 >= 256 || *i1 < -1)
- return (EINVAL);
- if (*i1 == -1) {
- ipp->ipp_tclass =
- IPV6_FLOW_TCLASS(
- IPV6_DEFAULT_VERS_AND_FLOW);
- } else {
- ipp->ipp_tclass = *i1;
- }
- ipp->ipp_fields |= IPPF_TCLASS;
- }
- if (sticky) {
- error = icmp_build_hdrs(icmp);
- if (error != 0)
- return (error);
- }
- break;
- case IPV6_NEXTHOP:
- /*
- * IP will verify that the nexthop is reachable
- * and fail for sticky options.
- */
- if (inlen != 0 && inlen != sizeof (sin6_t)) {
- return (EINVAL);
- }
- if (checkonly)
- break;
-
- if (inlen == 0) {
- ipp->ipp_fields &= ~IPPF_NEXTHOP;
- ipp->ipp_sticky_ignored |= IPPF_NEXTHOP;
- } else {
- sin6_t *sin6 = (sin6_t *)invalp;
-
- if (sin6->sin6_family != AF_INET6) {
- return (EAFNOSUPPORT);
- }
- if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
- return (EADDRNOTAVAIL);
- }
- ipp->ipp_nexthop = sin6->sin6_addr;
- if (!IN6_IS_ADDR_UNSPECIFIED(
- &ipp->ipp_nexthop))
- ipp->ipp_fields |= IPPF_NEXTHOP;
- else
- ipp->ipp_fields &= ~IPPF_NEXTHOP;
- }
- if (sticky) {
- error = icmp_build_hdrs(icmp);
- if (error != 0)
- return (error);
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_HOPOPTS: {
- ip6_hbh_t *hopts = (ip6_hbh_t *)invalp;
- /*
- * Sanity checks - minimum size, size a multiple of
- * eight bytes, and matching size passed in.
- */
- if (inlen != 0 &&
- inlen != (8 * (hopts->ip6h_len + 1))) {
- return (EINVAL);
- }
-
- if (checkonly)
- break;
- error = optcom_pkt_set(invalp, inlen, sticky,
- (uchar_t **)&ipp->ipp_hopopts,
- &ipp->ipp_hopoptslen,
- sticky ? icmp->icmp_label_len_v6 : 0);
- if (error != 0)
- return (error);
- if (ipp->ipp_hopoptslen == 0) {
- ipp->ipp_fields &= ~IPPF_HOPOPTS;
- ipp->ipp_sticky_ignored |= IPPF_HOPOPTS;
- } else {
- ipp->ipp_fields |= IPPF_HOPOPTS;
- }
- if (sticky) {
- error = icmp_build_hdrs(icmp);
- if (error != 0)
- return (error);
+ ixa->ixa_flags |= IXAF_SET_RAW_CKSUM;
+ ixa->ixa_raw_cksum_offset = *i1;
+ ixa->ixa_flags |= IXAF_SET_ULP_CKSUM;
}
+ mutex_exit(&connp->conn_lock);
break;
}
- case IPV6_RTHDRDSTOPTS: {
- ip6_dest_t *dopts = (ip6_dest_t *)invalp;
-
- /*
- * Sanity checks - minimum size, size a multiple of
- * eight bytes, and matching size passed in.
- */
- if (inlen != 0 &&
- inlen != (8 * (dopts->ip6d_len + 1)))
- return (EINVAL);
-
- if (checkonly)
- break;
-
- if (inlen == 0) {
- if (sticky &&
- (ipp->ipp_fields & IPPF_RTDSTOPTS) != 0) {
- kmem_free(ipp->ipp_rtdstopts,
- ipp->ipp_rtdstoptslen);
- ipp->ipp_rtdstopts = NULL;
- ipp->ipp_rtdstoptslen = 0;
- }
- ipp->ipp_fields &= ~IPPF_RTDSTOPTS;
- ipp->ipp_sticky_ignored |= IPPF_RTDSTOPTS;
- } else {
- error = optcom_pkt_set(invalp, inlen, sticky,
- (uchar_t **)&ipp->ipp_rtdstopts,
- &ipp->ipp_rtdstoptslen, 0);
- if (error != 0)
- return (error);
- ipp->ipp_fields |= IPPF_RTDSTOPTS;
- }
- if (sticky) {
- error = icmp_build_hdrs(icmp);
- if (error != 0)
- return (error);
- }
- break;
- }
- case IPV6_DSTOPTS: {
- ip6_dest_t *dopts = (ip6_dest_t *)invalp;
+ break;
- /*
- * Sanity checks - minimum size, size a multiple of
- * eight bytes, and matching size passed in.
- */
- if (inlen != 0 &&
- inlen != (8 * (dopts->ip6d_len + 1)))
- return (EINVAL);
+ case IPPROTO_ICMPV6:
+ /*
+ * Only allow IPv6 option processing on IPv6 sockets.
+ */
+ if (connp->conn_family != AF_INET6)
+ return (EINVAL);
+ if (connp->conn_proto != IPPROTO_ICMPV6)
+ return (EINVAL);
+ switch (name) {
+ case ICMP6_FILTER:
if (checkonly)
break;
- if (inlen == 0) {
- if (sticky &&
- (ipp->ipp_fields & IPPF_DSTOPTS) != 0) {
- kmem_free(ipp->ipp_dstopts,
- ipp->ipp_dstoptslen);
- ipp->ipp_dstopts = NULL;
- ipp->ipp_dstoptslen = 0;
- }
- ipp->ipp_fields &= ~IPPF_DSTOPTS;
- ipp->ipp_sticky_ignored |= IPPF_DSTOPTS;
- } else {
- error = optcom_pkt_set(invalp, inlen, sticky,
- (uchar_t **)&ipp->ipp_dstopts,
- &ipp->ipp_dstoptslen, 0);
- if (error != 0)
- return (error);
- ipp->ipp_fields |= IPPF_DSTOPTS;
- }
- if (sticky) {
- error = icmp_build_hdrs(icmp);
- if (error != 0)
- return (error);
- }
- break;
- }
- case IPV6_RTHDR: {
- ip6_rthdr_t *rt = (ip6_rthdr_t *)invalp;
-
- /*
- * Sanity checks - minimum size, size a multiple of
- * eight bytes, and matching size passed in.
- */
- if (inlen != 0 &&
- inlen != (8 * (rt->ip6r_len + 1)))
+ if ((inlen != 0) &&
+ (inlen != sizeof (icmp6_filter_t)))
return (EINVAL);
- if (checkonly)
- break;
-
+ mutex_enter(&connp->conn_lock);
if (inlen == 0) {
- if (sticky &&
- (ipp->ipp_fields & IPPF_RTHDR) != 0) {
- kmem_free(ipp->ipp_rthdr,
- ipp->ipp_rthdrlen);
- ipp->ipp_rthdr = NULL;
- ipp->ipp_rthdrlen = 0;
+ if (icmp->icmp_filter != NULL) {
+ kmem_free(icmp->icmp_filter,
+ sizeof (icmp6_filter_t));
+ icmp->icmp_filter = NULL;
}
- ipp->ipp_fields &= ~IPPF_RTHDR;
- ipp->ipp_sticky_ignored |= IPPF_RTHDR;
} else {
- error = optcom_pkt_set(invalp, inlen, sticky,
- (uchar_t **)&ipp->ipp_rthdr,
- &ipp->ipp_rthdrlen, 0);
- if (error != 0)
- return (error);
- ipp->ipp_fields |= IPPF_RTHDR;
- }
- if (sticky) {
- error = icmp_build_hdrs(icmp);
- if (error != 0)
- return (error);
- }
- break;
- }
-
- case IPV6_DONTFRAG:
- if (checkonly)
- break;
-
- if (onoff) {
- ipp->ipp_fields |= IPPF_DONTFRAG;
- } else {
- ipp->ipp_fields &= ~IPPF_DONTFRAG;
- }
- break;
-
- case IPV6_USE_MIN_MTU:
- if (inlen != sizeof (int))
- return (EINVAL);
-
- if (*i1 < -1 || *i1 > 1)
- return (EINVAL);
-
- if (checkonly)
- break;
-
- ipp->ipp_fields |= IPPF_USE_MIN_MTU;
- ipp->ipp_use_min_mtu = *i1;
- break;
-
- /*
- * This option can't be set. Its only returned via
- * getsockopt() or ancillary data.
- */
- case IPV6_PATHMTU:
- return (EINVAL);
-
- case IPV6_SEC_OPT:
- case IPV6_SRC_PREFERENCES:
- case IPV6_V6ONLY:
- /* Handled at IP level */
- return (-EINVAL);
- default:
- *outlenp = 0;
- return (EINVAL);
- }
- break;
- } /* end IPPROTO_IPV6 */
-
- case IPPROTO_ICMPV6:
- /*
- * Only allow IPv6 option processing on IPv6 sockets.
- */
- if (icmp->icmp_family != AF_INET6) {
- *outlenp = 0;
- return (ENOPROTOOPT);
- }
- if (icmp->icmp_proto != IPPROTO_ICMPV6) {
- *outlenp = 0;
- return (ENOPROTOOPT);
- }
- switch (name) {
- case ICMP6_FILTER:
- if (!checkonly) {
- if ((inlen != 0) &&
- (inlen != sizeof (icmp6_filter_t)))
- return (EINVAL);
-
- if (inlen == 0) {
- if (icmp->icmp_filter != NULL) {
- kmem_free(icmp->icmp_filter,
- sizeof (icmp6_filter_t));
- icmp->icmp_filter = NULL;
- }
- } else {
+ if (icmp->icmp_filter == NULL) {
+ icmp->icmp_filter = kmem_alloc(
+ sizeof (icmp6_filter_t),
+ KM_NOSLEEP);
if (icmp->icmp_filter == NULL) {
- icmp->icmp_filter = kmem_alloc(
- sizeof (icmp6_filter_t),
- KM_NOSLEEP);
- if (icmp->icmp_filter == NULL) {
- *outlenp = 0;
- return (ENOBUFS);
- }
+ mutex_exit(&connp->conn_lock);
+ return (ENOBUFS);
}
- (void) bcopy(invalp, icmp->icmp_filter,
- inlen);
}
+ (void) bcopy(invalp, icmp->icmp_filter, inlen);
}
+ mutex_exit(&connp->conn_lock);
break;
-
- default:
- *outlenp = 0;
- return (EINVAL);
}
break;
- default:
- *outlenp = 0;
- return (EINVAL);
- }
- /*
- * Common case of OK return with outval same as inval.
- */
- if (invalp != outvalp) {
- /* don't trust bcopy for identical src/dst */
- (void) bcopy(invalp, outvalp, inlen);
}
- *outlenp = inlen;
- return (0);
+ error = conn_opt_set(coa, level, name, inlen, invalp,
+ checkonly, cr);
+ return (error);
}
-/* This routine sets socket options. */
-/* ARGSUSED */
+/*
+ * This routine sets socket options.
+ */
int
icmp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
void *thisdg_attrs, cred_t *cr)
{
- boolean_t checkonly;
- int error;
+ icmp_t *icmp = connp->conn_icmp;
+ int err;
+ conn_opt_arg_t coas, *coa;
+ boolean_t checkonly;
+ icmp_stack_t *is = icmp->icmp_is;
- error = 0;
switch (optset_context) {
case SETFN_OPTCOM_CHECKONLY:
checkonly = B_TRUE;
@@ -3152,8 +2127,7 @@ icmp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
*/
if (inlen == 0) {
*outlenp = 0;
- error = 0;
- goto done;
+ return (0);
}
break;
case SETFN_OPTCOM_NEGOTIATE:
@@ -3171,8 +2145,7 @@ icmp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
*/
if (!icmp_opt_allow_udr_set(level, name)) {
*outlenp = 0;
- error = EINVAL;
- goto done;
+ return (EINVAL);
}
break;
default:
@@ -3180,105 +2153,265 @@ icmp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
* We should never get here
*/
*outlenp = 0;
- error = EINVAL;
- goto done;
+ return (EINVAL);
}
ASSERT((optset_context != SETFN_OPTCOM_CHECKONLY) ||
(optset_context == SETFN_OPTCOM_CHECKONLY && inlen != 0));
- error = icmp_do_opt_set(connp, level, name, inlen, invalp, outlenp,
- outvalp, cr, thisdg_attrs, checkonly);
-done:
- return (error);
+ if (thisdg_attrs != NULL) {
+ /* Options from T_UNITDATA_REQ */
+ coa = (conn_opt_arg_t *)thisdg_attrs;
+ ASSERT(coa->coa_connp == connp);
+ ASSERT(coa->coa_ixa != NULL);
+ ASSERT(coa->coa_ipp != NULL);
+ ASSERT(coa->coa_ancillary);
+ } else {
+ coa = &coas;
+ coas.coa_connp = connp;
+ /* Get a reference on conn_ixa to prevent concurrent mods */
+ coas.coa_ixa = conn_get_ixa(connp, B_TRUE);
+ if (coas.coa_ixa == NULL) {
+ *outlenp = 0;
+ return (ENOMEM);
+ }
+ coas.coa_ipp = &connp->conn_xmit_ipp;
+ coas.coa_ancillary = B_FALSE;
+ coas.coa_changed = 0;
+ }
+
+ err = icmp_do_opt_set(coa, level, name, inlen, invalp,
+ cr, checkonly);
+ if (err != 0) {
+errout:
+ if (!coa->coa_ancillary)
+ ixa_refrele(coa->coa_ixa);
+ *outlenp = 0;
+ return (err);
+ }
+
+ /*
+ * Common case of OK return with outval same as inval.
+ */
+ if (invalp != outvalp) {
+ /* don't trust bcopy for identical src/dst */
+ (void) bcopy(invalp, outvalp, inlen);
+ }
+ *outlenp = inlen;
+
+ /*
+ * If this was not ancillary data, then we rebuild the headers,
+ * update the IRE/NCE, and IPsec as needed.
+ * Since the label depends on the destination we go through
+ * ip_set_destination first.
+ */
+ if (coa->coa_ancillary) {
+ return (0);
+ }
+
+ if (coa->coa_changed & COA_ROUTE_CHANGED) {
+ in6_addr_t saddr, faddr, nexthop;
+ in_port_t fport;
+
+ /*
+ * We clear lastdst to make sure we pick up the change
+ * next time sending.
+ * If we are connected we re-cache the information.
+ * We ignore errors to preserve BSD behavior.
+ * Note that we don't redo IPsec policy lookup here
+ * since the final destination (or source) didn't change.
+ */
+ mutex_enter(&connp->conn_lock);
+ connp->conn_v6lastdst = ipv6_all_zeros;
+
+ ip_attr_nexthop(coa->coa_ipp, coa->coa_ixa,
+ &connp->conn_faddr_v6, &nexthop);
+ saddr = connp->conn_saddr_v6;
+ faddr = connp->conn_faddr_v6;
+ fport = connp->conn_fport;
+ mutex_exit(&connp->conn_lock);
+
+ if (!IN6_IS_ADDR_UNSPECIFIED(&faddr) &&
+ !IN6_IS_ADDR_V4MAPPED_ANY(&faddr)) {
+ (void) ip_attr_connect(connp, coa->coa_ixa,
+ &saddr, &faddr, &nexthop, fport, NULL, NULL,
+ IPDF_ALLOW_MCBC | IPDF_VERIFY_DST);
+ }
+ }
+
+ ixa_refrele(coa->coa_ixa);
+
+ if (coa->coa_changed & COA_HEADER_CHANGED) {
+ /*
+ * Rebuild the header template if we are connected.
+ * Otherwise clear conn_v6lastdst so we rebuild the header
+ * in the data path.
+ */
+ mutex_enter(&connp->conn_lock);
+ if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) &&
+ !IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_faddr_v6)) {
+ err = icmp_build_hdr_template(connp,
+ &connp->conn_saddr_v6, &connp->conn_faddr_v6,
+ connp->conn_flowinfo);
+ if (err != 0) {
+ mutex_exit(&connp->conn_lock);
+ return (err);
+ }
+ } else {
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ }
+ mutex_exit(&connp->conn_lock);
+ }
+ if (coa->coa_changed & COA_RCVBUF_CHANGED) {
+ (void) proto_set_rx_hiwat(connp->conn_rq, connp,
+ connp->conn_rcvbuf);
+ }
+ if ((coa->coa_changed & COA_SNDBUF_CHANGED) && !IPCL_IS_NONSTR(connp)) {
+ connp->conn_wq->q_hiwat = connp->conn_sndbuf;
+ }
+ if (coa->coa_changed & COA_WROFF_CHANGED) {
+ /* Increase wroff if needed */
+ uint_t wroff;
+
+ mutex_enter(&connp->conn_lock);
+ wroff = connp->conn_ht_iphc_allocated + is->is_wroff_extra;
+ if (wroff > connp->conn_wroff) {
+ connp->conn_wroff = wroff;
+ mutex_exit(&connp->conn_lock);
+ (void) proto_set_tx_wroff(connp->conn_rq, connp, wroff);
+ } else {
+ mutex_exit(&connp->conn_lock);
+ }
+ }
+ if (coa->coa_changed & COA_ICMP_BIND_NEEDED) {
+ icmp_bind_proto(icmp);
+ }
+ return (err);
}
/* This routine sets socket options. */
-/* ARGSUSED */
int
icmp_tpi_opt_set(queue_t *q, uint_t optset_context, int level, int name,
uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
- void *thisdg_attrs, cred_t *cr, mblk_t *mblk)
+ void *thisdg_attrs, cred_t *cr)
{
- conn_t *connp = Q_TO_CONN(q);
- icmp_t *icmp;
+ conn_t *connp = Q_TO_CONN(q);
int error;
- icmp = connp->conn_icmp;
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
error = icmp_opt_set(connp, optset_context, level, name, inlen, invalp,
outlenp, outvalp, thisdg_attrs, cr);
- rw_exit(&icmp->icmp_rwlock);
return (error);
}
/*
- * Update icmp_sticky_hdrs based on icmp_sticky_ipp, icmp_v6src, icmp_ttl,
- * icmp_proto, icmp_raw_checksum and icmp_no_tp_cksum.
- * The headers include ip6i_t (if needed), ip6_t, and any sticky extension
- * headers.
- * Returns failure if can't allocate memory.
+ * Setup IP headers.
+ *
+ * Note that IP_HDRINCL has ipha_protocol that is different than conn_proto,
+ * but icmp_output_hdrincl restores ipha_protocol once we return.
*/
-static int
-icmp_build_hdrs(icmp_t *icmp)
+mblk_t *
+icmp_prepend_hdr(conn_t *connp, ip_xmit_attr_t *ixa, const ip_pkt_t *ipp,
+ const in6_addr_t *v6src, const in6_addr_t *v6dst, uint32_t flowinfo,
+ mblk_t *data_mp, int *errorp)
{
- icmp_stack_t *is = icmp->icmp_is;
- uchar_t *hdrs;
- uint_t hdrs_len;
- ip6_t *ip6h;
- ip6i_t *ip6i;
- ip6_pkt_t *ipp = &icmp->icmp_sticky_ipp;
-
- ASSERT(RW_WRITE_HELD(&icmp->icmp_rwlock));
- hdrs_len = ip_total_hdrs_len_v6(ipp);
- ASSERT(hdrs_len != 0);
- if (hdrs_len != icmp->icmp_sticky_hdrs_len) {
- /* Need to reallocate */
- if (hdrs_len != 0) {
- hdrs = kmem_alloc(hdrs_len, KM_NOSLEEP);
- if (hdrs == NULL)
- return (ENOMEM);
- } else {
- hdrs = NULL;
- }
- if (icmp->icmp_sticky_hdrs_len != 0) {
- kmem_free(icmp->icmp_sticky_hdrs,
- icmp->icmp_sticky_hdrs_len);
- }
- icmp->icmp_sticky_hdrs = hdrs;
- icmp->icmp_sticky_hdrs_len = hdrs_len;
+ mblk_t *mp;
+ icmp_stack_t *is = connp->conn_netstack->netstack_icmp;
+ uint_t data_len;
+ uint32_t cksum;
+
+ data_len = msgdsize(data_mp);
+ mp = conn_prepend_hdr(ixa, ipp, v6src, v6dst, connp->conn_proto,
+ flowinfo, 0, data_mp, data_len, is->is_wroff_extra, &cksum, errorp);
+ if (mp == NULL) {
+ ASSERT(*errorp != 0);
+ return (NULL);
}
- ip_build_hdrs_v6(icmp->icmp_sticky_hdrs,
- icmp->icmp_sticky_hdrs_len, ipp, icmp->icmp_proto);
- /* Set header fields not in ipp */
- if (ipp->ipp_fields & IPPF_HAS_IP6I) {
- ip6i = (ip6i_t *)icmp->icmp_sticky_hdrs;
- ip6h = (ip6_t *)&ip6i[1];
+ ixa->ixa_pktlen = data_len + ixa->ixa_ip_hdr_length;
- if (ipp->ipp_fields & IPPF_RAW_CKSUM) {
- ip6i->ip6i_flags |= IP6I_RAW_CHECKSUM;
- ip6i->ip6i_checksum_off = icmp->icmp_checksum_off;
+ /*
+ * If there was a routing option/header then conn_prepend_hdr
+ * has massaged it and placed the pseudo-header checksum difference
+ * in the cksum argument.
+ *
+ * Prepare for ICMPv6 checksum done in IP.
+ *
+ * We make it easy for IP to include our pseudo header
+ * by putting our length (and any routing header adjustment)
+ * in the ICMPv6 checksum field.
+ * The IP source, destination, and length have already been set by
+ * conn_prepend_hdr.
+ */
+ cksum += data_len;
+ cksum = (cksum >> 16) + (cksum & 0xFFFF);
+ ASSERT(cksum < 0x10000);
+
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ ASSERT(ntohs(ipha->ipha_length) == ixa->ixa_pktlen);
+ } else {
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+ uint_t cksum_offset = 0;
+
+ ASSERT(ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN == ixa->ixa_pktlen);
+
+ if (ixa->ixa_flags & IXAF_SET_ULP_CKSUM) {
+ if (connp->conn_proto == IPPROTO_ICMPV6) {
+ cksum_offset = ixa->ixa_ip_hdr_length +
+ offsetof(icmp6_t, icmp6_cksum);
+ } else if (ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
+ cksum_offset = ixa->ixa_ip_hdr_length +
+ ixa->ixa_raw_cksum_offset;
+ }
}
- if (ipp->ipp_fields & IPPF_NO_CKSUM) {
- ip6i->ip6i_flags |= IP6I_NO_ULP_CKSUM;
+ if (cksum_offset != 0) {
+ uint16_t *ptr;
+
+ /* Make sure the checksum fits in the first mblk */
+ if (cksum_offset + sizeof (short) > MBLKL(mp)) {
+ mblk_t *mp1;
+
+ mp1 = msgpullup(mp,
+ cksum_offset + sizeof (short));
+ freemsg(mp);
+ if (mp1 == NULL) {
+ *errorp = ENOMEM;
+ return (NULL);
+ }
+ mp = mp1;
+ ip6h = (ip6_t *)mp->b_rptr;
+ }
+ ptr = (uint16_t *)(mp->b_rptr + cksum_offset);
+ *ptr = htons(cksum);
}
- } else {
- ip6h = (ip6_t *)icmp->icmp_sticky_hdrs;
}
- if (!(ipp->ipp_fields & IPPF_ADDR))
- ip6h->ip6_src = icmp->icmp_v6src;
+ /* Note that we don't try to update wroff due to ancillary data */
+ return (mp);
+}
+
+static int
+icmp_build_hdr_template(conn_t *connp, const in6_addr_t *v6src,
+ const in6_addr_t *v6dst, uint32_t flowinfo)
+{
+ int error;
- /* Try to get everything in a single mblk */
- if (hdrs_len > icmp->icmp_max_hdr_len) {
- icmp->icmp_max_hdr_len = hdrs_len;
- rw_exit(&icmp->icmp_rwlock);
- (void) proto_set_tx_wroff(icmp->icmp_connp->conn_rq,
- icmp->icmp_connp,
- icmp->icmp_max_hdr_len + is->is_wroff_extra);
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
- }
+ ASSERT(MUTEX_HELD(&connp->conn_lock));
+ /*
+ * We clear lastdst to make sure we don't use the lastdst path
+ * next time sending since we might not have set v6dst yet.
+ */
+ connp->conn_v6lastdst = ipv6_all_zeros;
+
+ error = conn_build_hdr_template(connp, 0, 0, v6src, v6dst, flowinfo);
+ if (error != 0)
+ return (error);
+
+ /*
+ * Any routing header/option has been massaged. The checksum difference
+ * is stored in conn_sum.
+ */
return (0);
}
@@ -3370,16 +2503,15 @@ icmp_queue_fallback(icmp_t *icmp, mblk_t *mp)
* TPI, then we'll queue the mp for later processing.
*/
static void
-icmp_ulp_recv(conn_t *connp, mblk_t *mp)
+icmp_ulp_recv(conn_t *connp, mblk_t *mp, uint_t len)
{
-
if (IPCL_IS_NONSTR(connp)) {
icmp_t *icmp = connp->conn_icmp;
int error;
+ ASSERT(len == msgdsize(mp));
if ((*connp->conn_upcalls->su_recv)
- (connp->conn_upper_handle, mp, msgdsize(mp), 0, &error,
- NULL) < 0) {
+ (connp->conn_upper_handle, mp, len, 0, &error, NULL) < 0) {
mutex_enter(&icmp->icmp_recv_lock);
if (error == ENOSPC) {
/*
@@ -3409,115 +2541,74 @@ icmp_ulp_recv(conn_t *connp, mblk_t *mp)
}
}
-/*ARGSUSED2*/
+/*
+ * This is the inbound data path.
+ * IP has already pulled up the IP headers and verified alignment
+ * etc.
+ */
+/* ARGSUSED2 */
static void
-icmp_input(void *arg1, mblk_t *mp, void *arg2)
+icmp_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
{
- conn_t *connp = (conn_t *)arg1;
+ conn_t *connp = (conn_t *)arg1;
struct T_unitdata_ind *tudi;
- uchar_t *rptr;
+ uchar_t *rptr; /* Pointer to IP header */
+ int ip_hdr_length;
+ int udi_size; /* Size of T_unitdata_ind */
+ int pkt_len;
icmp_t *icmp;
+ ip_pkt_t ipps;
+ ip6_t *ip6h;
+ mblk_t *mp1;
+ crb_t recv_ancillary;
icmp_stack_t *is;
sin_t *sin;
sin6_t *sin6;
- ip6_t *ip6h;
- ip6i_t *ip6i;
- mblk_t *mp1;
- int hdr_len;
ipha_t *ipha;
- int udi_size; /* Size of T_unitdata_ind */
- uint_t ipvers;
- ip6_pkt_t ipp;
- uint8_t nexthdr;
- ip_pktinfo_t *pinfo = NULL;
- mblk_t *options_mp = NULL;
- uint_t icmp_opt = 0;
- boolean_t icmp_ipv6_recvhoplimit = B_FALSE;
- uint_t hopstrip;
ASSERT(connp->conn_flags & IPCL_RAWIPCONN);
icmp = connp->conn_icmp;
is = icmp->icmp_is;
rptr = mp->b_rptr;
- ASSERT(DB_TYPE(mp) == M_DATA || DB_TYPE(mp) == M_CTL);
+
+ ASSERT(DB_TYPE(mp) == M_DATA);
ASSERT(OK_32PTR(rptr));
+ ASSERT(ira->ira_pktlen == msgdsize(mp));
+ pkt_len = ira->ira_pktlen;
/*
- * IP should have prepended the options data in an M_CTL
- * Check M_CTL "type" to make sure are not here bcos of
- * a valid ICMP message
+ * Get a snapshot of these and allow other threads to change
+ * them after that. We need the same recv_ancillary when determining
+ * the size as when adding the ancillary data items.
*/
- if (DB_TYPE(mp) == M_CTL) {
- /*
- * FIXME: does IP still do this?
- * IP sends up the IPSEC_IN message for handling IPSEC
- * policy at the TCP level. We don't need it here.
- */
- if (*(uint32_t *)(mp->b_rptr) == IPSEC_IN) {
- mp1 = mp->b_cont;
- freeb(mp);
- mp = mp1;
- rptr = mp->b_rptr;
- } else if (MBLKL(mp) == sizeof (ip_pktinfo_t) &&
- ((ip_pktinfo_t *)mp->b_rptr)->ip_pkt_ulp_type ==
- IN_PKTINFO) {
- /*
- * IP_RECVIF or IP_RECVSLLA or IPF_RECVADDR information
- * has been prepended to the packet by IP. We need to
- * extract the mblk and adjust the rptr
- */
- pinfo = (ip_pktinfo_t *)mp->b_rptr;
- options_mp = mp;
- mp = mp->b_cont;
- rptr = mp->b_rptr;
- } else {
- /*
- * ICMP messages.
- */
- icmp_icmp_error(connp, mp);
- return;
- }
- }
+ mutex_enter(&connp->conn_lock);
+ recv_ancillary = connp->conn_recv_ancillary;
+ mutex_exit(&connp->conn_lock);
- /*
- * Discard message if it is misaligned or smaller than the IP header.
- */
- if (!OK_32PTR(rptr) || (mp->b_wptr - rptr) < sizeof (ipha_t)) {
- freemsg(mp);
- if (options_mp != NULL)
- freeb(options_mp);
- BUMP_MIB(&is->is_rawip_mib, rawipInErrors);
- return;
- }
- ipvers = IPH_HDR_VERSION((ipha_t *)rptr);
+ ip_hdr_length = ira->ira_ip_hdr_length;
+ ASSERT(MBLKL(mp) >= ip_hdr_length); /* IP did a pullup */
+
+ /* Initialize regardless of IP version */
+ ipps.ipp_fields = 0;
+
+ if (ira->ira_flags & IRAF_IS_IPV4) {
+ ASSERT(IPH_HDR_VERSION(rptr) == IPV4_VERSION);
+ ASSERT(MBLKL(mp) >= sizeof (ipha_t));
+ ASSERT(ira->ira_ip_hdr_length == IPH_HDR_LENGTH(rptr));
+
+ ipha = (ipha_t *)mp->b_rptr;
+ if (recv_ancillary.crb_all != 0)
+ (void) ip_find_hdr_v4(ipha, &ipps, B_FALSE);
- /* Handle M_DATA messages containing IP packets messages */
- if (ipvers == IPV4_VERSION) {
/*
- * Special case where IP attaches
- * the IRE needs to be handled so that we don't send up
- * IRE to the user land.
+ * BSD for some reason adjusts ipha_length to exclude the
+ * IP header length. We do the same.
*/
- ipha = (ipha_t *)rptr;
- hdr_len = IPH_HDR_LENGTH(ipha);
-
- if (ipha->ipha_protocol == IPPROTO_TCP) {
- tcph_t *tcph = (tcph_t *)&mp->b_rptr[hdr_len];
-
- if (((tcph->th_flags[0] & (TH_SYN|TH_ACK)) ==
- TH_SYN) && mp->b_cont != NULL) {
- mp1 = mp->b_cont;
- if (mp1->b_datap->db_type == IRE_DB_TYPE) {
- freeb(mp1);
- mp->b_cont = NULL;
- }
- }
- }
if (is->is_bsd_compat) {
ushort_t len;
- len = ntohs(ipha->ipha_length);
+ len = ntohs(ipha->ipha_length);
if (mp->b_datap->db_ref > 1) {
/*
* Allocate a new IP header so that we can
@@ -3525,70 +2616,58 @@ icmp_input(void *arg1, mblk_t *mp, void *arg2)
*/
mblk_t *mp1;
- mp1 = allocb(hdr_len, BPRI_MED);
- if (!mp1) {
+ mp1 = allocb(ip_hdr_length, BPRI_MED);
+ if (mp1 == NULL) {
freemsg(mp);
- if (options_mp != NULL)
- freeb(options_mp);
BUMP_MIB(&is->is_rawip_mib,
rawipInErrors);
return;
}
- bcopy(rptr, mp1->b_rptr, hdr_len);
- mp->b_rptr = rptr + hdr_len;
+ bcopy(rptr, mp1->b_rptr, ip_hdr_length);
+ mp->b_rptr = rptr + ip_hdr_length;
rptr = mp1->b_rptr;
ipha = (ipha_t *)rptr;
mp1->b_cont = mp;
- mp1->b_wptr = rptr + hdr_len;
+ mp1->b_wptr = rptr + ip_hdr_length;
mp = mp1;
}
- len -= hdr_len;
+ len -= ip_hdr_length;
ipha->ipha_length = htons(len);
}
- }
- /*
- * This is the inbound data path. Packets are passed upstream as
- * T_UNITDATA_IND messages with full IP headers still attached.
- */
- if (icmp->icmp_family == AF_INET) {
- ASSERT(ipvers == IPV4_VERSION);
- udi_size = sizeof (struct T_unitdata_ind) + sizeof (sin_t);
- if (icmp->icmp_recvif && (pinfo != NULL) &&
- (pinfo->ip_pkt_flags & IPF_RECVIF)) {
- udi_size += sizeof (struct T_opthdr) +
- sizeof (uint_t);
- }
+ /*
+ * For RAW sockets we not pass ICMP/IPv4 packets to AF_INET6
+ * sockets. This is ensured by icmp_bind and the IP fanout code.
+ */
+ ASSERT(connp->conn_family == AF_INET);
- if (icmp->icmp_ip_recvpktinfo && (pinfo != NULL) &&
- (pinfo->ip_pkt_flags & IPF_RECVADDR)) {
- udi_size += sizeof (struct T_opthdr) +
- sizeof (struct in_pktinfo);
- }
+ /*
+ * This is the inbound data path. Packets are passed upstream
+ * as T_UNITDATA_IND messages with full IPv4 headers still
+ * attached.
+ */
/*
- * If SO_TIMESTAMP is set allocate the appropriate sized
- * buffer. Since gethrestime() expects a pointer aligned
- * argument, we allocate space necessary for extra
- * alignment (even though it might not be used).
+ * Normally only send up the source address.
+ * If any ancillary data items are wanted we add those.
*/
- if (icmp->icmp_timestamp) {
- udi_size += sizeof (struct T_opthdr) +
- sizeof (timestruc_t) + _POINTER_ALIGNMENT;
+ udi_size = sizeof (struct T_unitdata_ind) + sizeof (sin_t);
+ if (recv_ancillary.crb_all != 0) {
+ udi_size += conn_recvancillary_size(connp,
+ recv_ancillary, ira, mp, &ipps);
}
+
+ /* Allocate a message block for the T_UNITDATA_IND structure. */
mp1 = allocb(udi_size, BPRI_MED);
if (mp1 == NULL) {
freemsg(mp);
- if (options_mp != NULL)
- freeb(options_mp);
BUMP_MIB(&is->is_rawip_mib, rawipInErrors);
return;
}
mp1->b_cont = mp;
- mp = mp1;
- tudi = (struct T_unitdata_ind *)mp->b_rptr;
- mp->b_datap->db_type = M_PROTO;
- mp->b_wptr = (uchar_t *)tudi + udi_size;
+ tudi = (struct T_unitdata_ind *)mp1->b_rptr;
+ mp1->b_datap->db_type = M_PROTO;
+ mp1->b_wptr = (uchar_t *)tudi + udi_size;
tudi->PRIM_type = T_UNITDATA_IND;
tudi->SRC_length = sizeof (sin_t);
tudi->SRC_offset = sizeof (struct T_unitdata_ind);
@@ -3596,316 +2675,110 @@ icmp_input(void *arg1, mblk_t *mp, void *arg2)
*sin = sin_null;
sin->sin_family = AF_INET;
sin->sin_addr.s_addr = ipha->ipha_src;
+ *(uint32_t *)&sin->sin_zero[0] = 0;
+ *(uint32_t *)&sin->sin_zero[4] = 0;
tudi->OPT_offset = sizeof (struct T_unitdata_ind) +
sizeof (sin_t);
udi_size -= (sizeof (struct T_unitdata_ind) + sizeof (sin_t));
tudi->OPT_length = udi_size;
/*
- * Add options if IP_RECVIF is set
+ * Add options if IP_RECVIF etc is set
*/
if (udi_size != 0) {
- char *dstopt;
-
- dstopt = (char *)&sin[1];
- if (icmp->icmp_recvif && (pinfo != NULL) &&
- (pinfo->ip_pkt_flags & IPF_RECVIF)) {
-
- struct T_opthdr *toh;
- uint_t *dstptr;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IP;
- toh->name = IP_RECVIF;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (uint_t);
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- dstptr = (uint_t *)dstopt;
- *dstptr = pinfo->ip_pkt_ifindex;
- dstopt += sizeof (uint_t);
- udi_size -= toh->len;
- }
- if (icmp->icmp_timestamp) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = SOL_SOCKET;
- toh->name = SCM_TIMESTAMP;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (timestruc_t) + _POINTER_ALIGNMENT;
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- /* Align for gethrestime() */
- dstopt = (char *)P2ROUNDUP((intptr_t)dstopt,
- sizeof (intptr_t));
- gethrestime((timestruc_t *)dstopt);
- dstopt = (char *)toh + toh->len;
- udi_size -= toh->len;
- }
- if (icmp->icmp_ip_recvpktinfo && (pinfo != NULL) &&
- (pinfo->ip_pkt_flags & IPF_RECVADDR)) {
- struct T_opthdr *toh;
- struct in_pktinfo *pktinfop;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IP;
- toh->name = IP_PKTINFO;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (in_pktinfo_t);
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- pktinfop = (struct in_pktinfo *)dstopt;
- pktinfop->ipi_ifindex = pinfo->ip_pkt_ifindex;
- pktinfop->ipi_spec_dst =
- pinfo->ip_pkt_match_addr;
-
- pktinfop->ipi_addr.s_addr = ipha->ipha_dst;
-
- dstopt += sizeof (struct in_pktinfo);
- udi_size -= toh->len;
- }
-
- /* Consumed all of allocated space */
- ASSERT(udi_size == 0);
+ conn_recvancillary_add(connp, recv_ancillary, ira,
+ &ipps, (uchar_t *)&sin[1], udi_size);
}
-
- if (options_mp != NULL)
- freeb(options_mp);
-
- BUMP_MIB(&is->is_rawip_mib, rawipInDatagrams);
goto deliver;
}
+ ASSERT(IPH_HDR_VERSION(rptr) == IPV6_VERSION);
/*
- * We don't need options_mp in the IPv6 path.
+ * IPv6 packets can only be received by applications
+ * that are prepared to receive IPv6 addresses.
+ * The IP fanout must ensure this.
*/
- if (options_mp != NULL) {
- freeb(options_mp);
- options_mp = NULL;
- }
+ ASSERT(connp->conn_family == AF_INET6);
/*
- * Discard message if it is smaller than the IPv6 header
- * or if the header is malformed.
+ * Handle IPv6 packets. We don't pass up the IP headers with the
+ * payload for IPv6.
*/
- if ((mp->b_wptr - rptr) < sizeof (ip6_t) ||
- IPH_HDR_VERSION((ipha_t *)rptr) != IPV6_VERSION ||
- icmp->icmp_family != AF_INET6) {
- freemsg(mp);
- BUMP_MIB(&is->is_rawip_mib, rawipInErrors);
- return;
- }
-
- /* Initialize */
- ipp.ipp_fields = 0;
- hopstrip = 0;
ip6h = (ip6_t *)rptr;
- /*
- * Call on ip_find_hdr_v6 which gets the total hdr len
- * as well as individual lenghts of ext hdrs (and ptrs to
- * them).
- */
- if (ip6h->ip6_nxt != icmp->icmp_proto) {
- /* Look for ifindex information */
- if (ip6h->ip6_nxt == IPPROTO_RAW) {
- ip6i = (ip6i_t *)ip6h;
- if (ip6i->ip6i_flags & IP6I_IFINDEX) {
- ASSERT(ip6i->ip6i_ifindex != 0);
- ipp.ipp_fields |= IPPF_IFINDEX;
- ipp.ipp_ifindex = ip6i->ip6i_ifindex;
- }
- rptr = (uchar_t *)&ip6i[1];
- mp->b_rptr = rptr;
- if (rptr == mp->b_wptr) {
- mp1 = mp->b_cont;
- freeb(mp);
- mp = mp1;
- rptr = mp->b_rptr;
- }
- ASSERT(mp->b_wptr - rptr >= IPV6_HDR_LEN);
- ip6h = (ip6_t *)rptr;
- }
- hdr_len = ip_find_hdr_v6(mp, ip6h, &ipp, &nexthdr);
+ if (recv_ancillary.crb_all != 0) {
+ /*
+ * Call on ip_find_hdr_v6 which gets individual lenghts of
+ * extension headers (and pointers to them).
+ */
+ uint8_t nexthdr;
+
+ /* We don't care about the length or nextheader. */
+ (void) ip_find_hdr_v6(mp, ip6h, B_TRUE, &ipps, &nexthdr);
/*
- * We need to lie a bit to the user because users inside
- * labeled compartments should not see their own labels. We
- * assume that in all other respects IP has checked the label,
- * and that the label is always first among the options. (If
- * it's not first, then this code won't see it, and the option
- * will be passed along to the user.)
+ * We do not pass up hop-by-hop options or any other
+ * extension header as part of the packet. Applications
+ * that want to see them have to specify IPV6_RECV* socket
+ * options. And conn_recvancillary_size/add explicitly
+ * drops the TX option from IPV6_HOPOPTS as it does for UDP.
*
- * If we had multilevel ICMP sockets, then the following code
- * should be skipped for them to allow the user to see the
- * label.
- *
- * Alignment restrictions in the definition of IP options
- * (namely, the requirement that the 4-octet DOI goes on a
- * 4-octet boundary) mean that we know exactly where the option
- * should start, but we're lenient for other hosts.
- *
- * Note that there are no multilevel ICMP or raw IP sockets
- * yet, thus nobody ever sees the IP6OPT_LS option.
+ * If we had multilevel ICMP sockets, then we'd want to
+ * modify conn_recvancillary_size/add to
+ * allow the user to see the label.
*/
- if ((ipp.ipp_fields & IPPF_HOPOPTS) &&
- ipp.ipp_hopoptslen > 5 && is_system_labeled()) {
- const uchar_t *ucp =
- (const uchar_t *)ipp.ipp_hopopts + 2;
- int remlen = ipp.ipp_hopoptslen - 2;
-
- while (remlen > 0) {
- if (*ucp == IP6OPT_PAD1) {
- remlen--;
- ucp++;
- } else if (*ucp == IP6OPT_PADN) {
- remlen -= ucp[1] + 2;
- ucp += ucp[1] + 2;
- } else if (*ucp == ip6opt_ls) {
- hopstrip = (ucp -
- (const uchar_t *)ipp.ipp_hopopts) +
- ucp[1] + 2;
- hopstrip = (hopstrip + 7) & ~7;
- break;
- } else {
- /* label option must be first */
- break;
- }
- }
- }
- } else {
- hdr_len = IPV6_HDR_LEN;
- ip6i = NULL;
- nexthdr = ip6h->ip6_nxt;
- }
- /*
- * One special case where IP attaches the IRE needs to
- * be handled so that we don't send up IRE to the user land.
- */
- if (nexthdr == IPPROTO_TCP) {
- tcph_t *tcph = (tcph_t *)&mp->b_rptr[hdr_len];
-
- if (((tcph->th_flags[0] & (TH_SYN|TH_ACK)) == TH_SYN) &&
- mp->b_cont != NULL) {
- mp1 = mp->b_cont;
- if (mp1->b_datap->db_type == IRE_DB_TYPE) {
- freeb(mp1);
- mp->b_cont = NULL;
- }
- }
}
+
/*
* Check a filter for ICMPv6 types if needed.
* Verify raw checksums if needed.
*/
- if (icmp->icmp_filter != NULL || icmp->icmp_raw_checksum) {
- if (icmp->icmp_filter != NULL) {
- int type;
+ mutex_enter(&connp->conn_lock);
+ if (icmp->icmp_filter != NULL) {
+ int type;
- /* Assumes that IP has done the pullupmsg */
- type = mp->b_rptr[hdr_len];
+ /* Assumes that IP has done the pullupmsg */
+ type = mp->b_rptr[ip_hdr_length];
- ASSERT(mp->b_rptr + hdr_len <= mp->b_wptr);
- if (ICMP6_FILTER_WILLBLOCK(type, icmp->icmp_filter)) {
- freemsg(mp);
- return;
- }
- } else {
- /* Checksum */
- uint16_t *up;
- uint32_t sum;
- int remlen;
-
- up = (uint16_t *)&ip6h->ip6_src;
-
- remlen = msgdsize(mp) - hdr_len;
- sum = htons(icmp->icmp_proto + remlen)
- + up[0] + up[1] + up[2] + up[3]
- + up[4] + up[5] + up[6] + up[7]
- + up[8] + up[9] + up[10] + up[11]
- + up[12] + up[13] + up[14] + up[15];
- sum = (sum & 0xffff) + (sum >> 16);
- sum = IP_CSUM(mp, hdr_len, sum);
- if (sum != 0) {
- /* IPv6 RAW checksum failed */
- ip0dbg(("icmp_rput: RAW checksum "
- "failed %x\n", sum));
- freemsg(mp);
- BUMP_MIB(&is->is_rawip_mib,
- rawipInCksumErrs);
- return;
- }
+ ASSERT(mp->b_rptr + ip_hdr_length <= mp->b_wptr);
+ if (ICMP6_FILTER_WILLBLOCK(type, icmp->icmp_filter)) {
+ mutex_exit(&connp->conn_lock);
+ freemsg(mp);
+ return;
}
}
- /* Skip all the IPv6 headers per API */
- mp->b_rptr += hdr_len;
-
- udi_size = sizeof (struct T_unitdata_ind) + sizeof (sin6_t);
-
- /*
- * We use local variables icmp_opt and icmp_ipv6_recvhoplimit to
- * maintain state information, instead of relying on icmp_t
- * structure, since there arent any locks protecting these members
- * and there is a window where there might be a race between a
- * thread setting options on the write side and a thread reading
- * these options on the read size.
- */
- if (ipp.ipp_fields & (IPPF_HOPOPTS|IPPF_DSTOPTS|IPPF_RTDSTOPTS|
- IPPF_RTHDR|IPPF_IFINDEX)) {
- if (icmp->icmp_ipv6_recvhopopts &&
- (ipp.ipp_fields & IPPF_HOPOPTS) &&
- ipp.ipp_hopoptslen > hopstrip) {
- udi_size += sizeof (struct T_opthdr) +
- ipp.ipp_hopoptslen - hopstrip;
- icmp_opt |= IPPF_HOPOPTS;
- }
- if ((icmp->icmp_ipv6_recvdstopts ||
- icmp->icmp_old_ipv6_recvdstopts) &&
- (ipp.ipp_fields & IPPF_DSTOPTS)) {
- udi_size += sizeof (struct T_opthdr) +
- ipp.ipp_dstoptslen;
- icmp_opt |= IPPF_DSTOPTS;
- }
- if (((icmp->icmp_ipv6_recvdstopts &&
- icmp->icmp_ipv6_recvrthdr &&
- (ipp.ipp_fields & IPPF_RTHDR)) ||
- icmp->icmp_ipv6_recvrtdstopts) &&
- (ipp.ipp_fields & IPPF_RTDSTOPTS)) {
- udi_size += sizeof (struct T_opthdr) +
- ipp.ipp_rtdstoptslen;
- icmp_opt |= IPPF_RTDSTOPTS;
- }
- if (icmp->icmp_ipv6_recvrthdr &&
- (ipp.ipp_fields & IPPF_RTHDR)) {
- udi_size += sizeof (struct T_opthdr) +
- ipp.ipp_rthdrlen;
- icmp_opt |= IPPF_RTHDR;
- }
- if (icmp->icmp_ip_recvpktinfo &&
- (ipp.ipp_fields & IPPF_IFINDEX)) {
- udi_size += sizeof (struct T_opthdr) +
- sizeof (struct in6_pktinfo);
- icmp_opt |= IPPF_IFINDEX;
+ if (connp->conn_ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
+ /* Checksum */
+ uint16_t *up;
+ uint32_t sum;
+ int remlen;
+
+ up = (uint16_t *)&ip6h->ip6_src;
+
+ remlen = msgdsize(mp) - ip_hdr_length;
+ sum = htons(connp->conn_proto + remlen)
+ + up[0] + up[1] + up[2] + up[3]
+ + up[4] + up[5] + up[6] + up[7]
+ + up[8] + up[9] + up[10] + up[11]
+ + up[12] + up[13] + up[14] + up[15];
+ sum = (sum & 0xffff) + (sum >> 16);
+ sum = IP_CSUM(mp, ip_hdr_length, sum);
+ if (sum != 0) {
+ /* IPv6 RAW checksum failed */
+ ip0dbg(("icmp_rput: RAW checksum failed %x\n", sum));
+ mutex_exit(&connp->conn_lock);
+ freemsg(mp);
+ BUMP_MIB(&is->is_rawip_mib, rawipInCksumErrs);
+ return;
}
}
- if (icmp->icmp_ipv6_recvhoplimit) {
- udi_size += sizeof (struct T_opthdr) + sizeof (int);
- icmp_ipv6_recvhoplimit = B_TRUE;
- }
+ mutex_exit(&connp->conn_lock);
- if (icmp->icmp_ipv6_recvtclass)
- udi_size += sizeof (struct T_opthdr) + sizeof (int);
+ udi_size = sizeof (struct T_unitdata_ind) + sizeof (sin6_t);
- /*
- * If SO_TIMESTAMP is set allocate the appropriate sized
- * buffer. Since gethrestime() expects a pointer aligned
- * argument, we allocate space necessary for extra
- * alignment (even though it might not be used).
- */
- if (icmp->icmp_timestamp) {
- udi_size += sizeof (struct T_opthdr) +
- sizeof (timestruc_t) + _POINTER_ALIGNMENT;
+ if (recv_ancillary.crb_all != 0) {
+ udi_size += conn_recvancillary_size(connp,
+ recv_ancillary, ira, mp, &ipps);
}
mp1 = allocb(udi_size, BPRI_MED);
@@ -3915,10 +2788,9 @@ icmp_input(void *arg1, mblk_t *mp, void *arg2)
return;
}
mp1->b_cont = mp;
- mp = mp1;
- mp->b_datap->db_type = M_PROTO;
- tudi = (struct T_unitdata_ind *)mp->b_rptr;
- mp->b_wptr = (uchar_t *)tudi + udi_size;
+ mp1->b_datap->db_type = M_PROTO;
+ tudi = (struct T_unitdata_ind *)mp1->b_rptr;
+ mp1->b_wptr = (uchar_t *)tudi + udi_size;
tudi->PRIM_type = T_UNITDATA_IND;
tudi->SRC_length = sizeof (sin6_t);
tudi->SRC_offset = sizeof (struct T_unitdata_ind);
@@ -3926,166 +2798,38 @@ icmp_input(void *arg1, mblk_t *mp, void *arg2)
udi_size -= (sizeof (struct T_unitdata_ind) + sizeof (sin6_t));
tudi->OPT_length = udi_size;
sin6 = (sin6_t *)&tudi[1];
+ *sin6 = sin6_null;
sin6->sin6_port = 0;
sin6->sin6_family = AF_INET6;
sin6->sin6_addr = ip6h->ip6_src;
/* No sin6_flowinfo per API */
sin6->sin6_flowinfo = 0;
- /* For link-scope source pass up scope id */
- if ((ipp.ipp_fields & IPPF_IFINDEX) &&
- IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_src))
- sin6->sin6_scope_id = ipp.ipp_ifindex;
+ /* For link-scope pass up scope id */
+ if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_src))
+ sin6->sin6_scope_id = ira->ira_ruifindex;
else
sin6->sin6_scope_id = 0;
-
sin6->__sin6_src_id = ip_srcid_find_addr(&ip6h->ip6_dst,
- icmp->icmp_zoneid, is->is_netstack);
+ IPCL_ZONEID(connp), is->is_netstack);
if (udi_size != 0) {
- uchar_t *dstopt;
-
- dstopt = (uchar_t *)&sin6[1];
- if (icmp_opt & IPPF_IFINDEX) {
- struct T_opthdr *toh;
- struct in6_pktinfo *pkti;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IPV6;
- toh->name = IPV6_PKTINFO;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (*pkti);
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- pkti = (struct in6_pktinfo *)dstopt;
- pkti->ipi6_addr = ip6h->ip6_dst;
- pkti->ipi6_ifindex = ipp.ipp_ifindex;
- dstopt += sizeof (*pkti);
- udi_size -= toh->len;
- }
- if (icmp_ipv6_recvhoplimit) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IPV6;
- toh->name = IPV6_HOPLIMIT;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (uint_t);
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- *(uint_t *)dstopt = ip6h->ip6_hops;
- dstopt += sizeof (uint_t);
- udi_size -= toh->len;
- }
- if (icmp->icmp_ipv6_recvtclass) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IPV6;
- toh->name = IPV6_TCLASS;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (uint_t);
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- *(uint_t *)dstopt = IPV6_FLOW_TCLASS(ip6h->ip6_flow);
- dstopt += sizeof (uint_t);
- udi_size -= toh->len;
- }
- if (icmp->icmp_timestamp) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = SOL_SOCKET;
- toh->name = SCM_TIMESTAMP;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (timestruc_t) + _POINTER_ALIGNMENT;
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- /* Align for gethrestime() */
- dstopt = (uchar_t *)P2ROUNDUP((intptr_t)dstopt,
- sizeof (intptr_t));
- gethrestime((timestruc_t *)dstopt);
- dstopt = (uchar_t *)toh + toh->len;
- udi_size -= toh->len;
- }
-
- if (icmp_opt & IPPF_HOPOPTS) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IPV6;
- toh->name = IPV6_HOPOPTS;
- toh->len = sizeof (struct T_opthdr) +
- ipp.ipp_hopoptslen - hopstrip;
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- bcopy((char *)ipp.ipp_hopopts + hopstrip, dstopt,
- ipp.ipp_hopoptslen - hopstrip);
- if (hopstrip > 0) {
- /* copy next header value and fake length */
- dstopt[0] = ((uchar_t *)ipp.ipp_hopopts)[0];
- dstopt[1] = ((uchar_t *)ipp.ipp_hopopts)[1] -
- hopstrip / 8;
- }
- dstopt += ipp.ipp_hopoptslen - hopstrip;
- udi_size -= toh->len;
- }
- if (icmp_opt & IPPF_RTDSTOPTS) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IPV6;
- toh->name = IPV6_DSTOPTS;
- toh->len = sizeof (struct T_opthdr) +
- ipp.ipp_rtdstoptslen;
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- bcopy(ipp.ipp_rtdstopts, dstopt,
- ipp.ipp_rtdstoptslen);
- dstopt += ipp.ipp_rtdstoptslen;
- udi_size -= toh->len;
- }
- if (icmp_opt & IPPF_RTHDR) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IPV6;
- toh->name = IPV6_RTHDR;
- toh->len = sizeof (struct T_opthdr) +
- ipp.ipp_rthdrlen;
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- bcopy(ipp.ipp_rthdr, dstopt, ipp.ipp_rthdrlen);
- dstopt += ipp.ipp_rthdrlen;
- udi_size -= toh->len;
- }
- if (icmp_opt & IPPF_DSTOPTS) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IPV6;
- toh->name = IPV6_DSTOPTS;
- toh->len = sizeof (struct T_opthdr) +
- ipp.ipp_dstoptslen;
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- bcopy(ipp.ipp_dstopts, dstopt,
- ipp.ipp_dstoptslen);
- dstopt += ipp.ipp_dstoptslen;
- udi_size -= toh->len;
- }
- /* Consumed all of allocated space */
- ASSERT(udi_size == 0);
+ conn_recvancillary_add(connp, recv_ancillary, ira,
+ &ipps, (uchar_t *)&sin6[1], udi_size);
}
- BUMP_MIB(&is->is_rawip_mib, rawipInDatagrams);
-deliver:
- icmp_ulp_recv(connp, mp);
+ /* Skip all the IPv6 headers per API */
+ mp->b_rptr += ip_hdr_length;
+ pkt_len -= ip_hdr_length;
+deliver:
+ BUMP_MIB(&is->is_rawip_mib, rawipInDatagrams);
+ icmp_ulp_recv(connp, mp1, pkt_len);
}
/*
- * return SNMP stuff in buffer in mpdata
+ * return SNMP stuff in buffer in mpdata. We don't hold any lock and report
+ * information that can be changing beneath us.
*/
mblk_t *
icmp_snmp_get(queue_t *q, mblk_t *mpctl)
@@ -4146,51 +2890,70 @@ icmp_snmp_set(queue_t *q, t_scalar_t level, t_scalar_t name,
static void
icmp_ud_err(queue_t *q, mblk_t *mp, t_scalar_t err)
{
+ struct T_unitdata_req *tudr;
mblk_t *mp1;
- uchar_t *rptr = mp->b_rptr;
- struct T_unitdata_req *tudr = (struct T_unitdata_req *)rptr;
+ uchar_t *destaddr;
+ t_scalar_t destlen;
+ uchar_t *optaddr;
+ t_scalar_t optlen;
+
+ if ((mp->b_wptr < mp->b_rptr) ||
+ (MBLKL(mp)) < sizeof (struct T_unitdata_req)) {
+ goto done;
+ }
+ tudr = (struct T_unitdata_req *)mp->b_rptr;
+ destaddr = mp->b_rptr + tudr->DEST_offset;
+ if (destaddr < mp->b_rptr || destaddr >= mp->b_wptr ||
+ destaddr + tudr->DEST_length < mp->b_rptr ||
+ destaddr + tudr->DEST_length > mp->b_wptr) {
+ goto done;
+ }
+ optaddr = mp->b_rptr + tudr->OPT_offset;
+ if (optaddr < mp->b_rptr || optaddr >= mp->b_wptr ||
+ optaddr + tudr->OPT_length < mp->b_rptr ||
+ optaddr + tudr->OPT_length > mp->b_wptr) {
+ goto done;
+ }
+ destlen = tudr->DEST_length;
+ optlen = tudr->OPT_length;
- mp1 = mi_tpi_uderror_ind((char *)&rptr[tudr->DEST_offset],
- tudr->DEST_length, (char *)&rptr[tudr->OPT_offset],
- tudr->OPT_length, err);
- if (mp1)
+ mp1 = mi_tpi_uderror_ind((char *)destaddr, destlen,
+ (char *)optaddr, optlen, err);
+ if (mp1 != NULL)
qreply(q, mp1);
+
+done:
freemsg(mp);
}
-
static int
rawip_do_unbind(conn_t *connp)
{
- icmp_t *icmp = connp->conn_icmp;
+ icmp_t *icmp = connp->conn_icmp;
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
+ mutex_enter(&connp->conn_lock);
/* If a bind has not been done, we can't unbind. */
- if (icmp->icmp_state == TS_UNBND || icmp->icmp_pending_op != -1) {
- rw_exit(&icmp->icmp_rwlock);
+ if (icmp->icmp_state == TS_UNBND) {
+ mutex_exit(&connp->conn_lock);
return (-TOUTSTATE);
}
- icmp->icmp_pending_op = T_UNBIND_REQ;
- rw_exit(&icmp->icmp_rwlock);
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ connp->conn_bound_addr_v6 = ipv6_all_zeros;
+ connp->conn_laddr_v6 = ipv6_all_zeros;
+ connp->conn_mcbc_bind = B_FALSE;
+ connp->conn_lport = 0;
+ connp->conn_fport = 0;
+ /* In case we were also connected */
+ connp->conn_faddr_v6 = ipv6_all_zeros;
+ connp->conn_v6lastdst = ipv6_all_zeros;
- /*
- * Call ip to unbind
- */
+ icmp->icmp_state = TS_UNBND;
- ip_unbind(connp);
+ (void) icmp_build_hdr_template(connp, &connp->conn_saddr_v6,
+ &connp->conn_faddr_v6, connp->conn_flowinfo);
+ mutex_exit(&connp->conn_lock);
- /*
- * Once we're unbound from IP, the pending operation may be cleared
- * here.
- */
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
- V6_SET_ZERO(icmp->icmp_v6src);
- V6_SET_ZERO(icmp->icmp_bound_v6src);
- icmp->icmp_pending_op = -1;
- icmp->icmp_state = TS_UNBND;
- if (icmp->icmp_family == AF_INET6)
- (void) icmp_build_hdrs(icmp);
- rw_exit(&icmp->icmp_rwlock);
+ ip_unbind(connp);
return (0);
}
@@ -4230,42 +2993,86 @@ icmp_tpi_unbind(queue_t *q, mblk_t *mp)
qreply(q, mp);
}
-
/*
* Process IPv4 packets that already include an IP header.
* Used when IP_HDRINCL has been set (implicit for IPPROTO_RAW and
* IPPROTO_IGMP).
+ * In this case we ignore the address and any options in the T_UNITDATA_REQ.
+ *
+ * The packet is assumed to have a base (20 byte) IP header followed
+ * by the upper-layer protocol. We include any IP_OPTIONS including a
+ * CIPSO label but otherwise preserve the base IP header.
*/
static int
-icmp_wput_hdrincl(queue_t *q, conn_t *connp, mblk_t *mp, icmp_t *icmp,
- ip4_pkt_t *pktinfop)
+icmp_output_hdrincl(conn_t *connp, mblk_t *mp, cred_t *cr, pid_t pid)
{
- icmp_stack_t *is = icmp->icmp_is;
- ipha_t *ipha;
- int ip_hdr_length;
- int tp_hdr_len;
- int error;
- uchar_t ip_snd_opt[IP_MAX_OPT_LENGTH];
- uint32_t ip_snd_opt_len = 0;
- mblk_t *mp1;
- uint_t pkt_len;
- ip_opt_info_t optinfo;
- pid_t cpid;
- cred_t *cr;
+ icmp_t *icmp = connp->conn_icmp;
+ icmp_stack_t *is = icmp->icmp_is;
+ ipha_t iphas;
+ ipha_t *ipha;
+ int ip_hdr_length;
+ int tp_hdr_len;
+ ip_xmit_attr_t *ixa;
+ ip_pkt_t *ipp;
+ in6_addr_t v6src;
+ in6_addr_t v6dst;
+ in6_addr_t v6nexthop;
+ int error;
+ boolean_t do_ipsec;
- rw_enter(&icmp->icmp_rwlock, RW_READER);
+ /*
+ * We need an exclusive copy of conn_ixa since the included IP
+ * header could have any destination.
+ * That copy has no pointers hence we
+ * need to set them up once we've parsed the ancillary data.
+ */
+ ixa = conn_get_ixa_exclusive(connp);
+ if (ixa == NULL) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ freemsg(mp);
+ return (ENOMEM);
+ }
+ ASSERT(cr != NULL);
+ /*
+ * Caller has a reference on cr; from db_credp or because we
+ * are running in process context.
+ */
+ ixa->ixa_cred = cr;
+ ixa->ixa_cpid = pid;
+ if (is_system_labeled()) {
+ /* We need to restart with a label based on the cred */
+ ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
+ }
+
+ /* In case previous destination was multicast or multirt */
+ ip_attr_newdst(ixa);
- optinfo.ip_opt_flags = 0;
- optinfo.ip_opt_ill_index = 0;
+ /* Get a copy of conn_xmit_ipp since the TX label might change it */
+ ipp = kmem_zalloc(sizeof (*ipp), KM_NOSLEEP);
+ if (ipp == NULL) {
+ ixa_refrele(ixa);
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ freemsg(mp);
+ return (ENOMEM);
+ }
+ mutex_enter(&connp->conn_lock);
+ error = ip_pkt_copy(&connp->conn_xmit_ipp, ipp, KM_NOSLEEP);
+ mutex_exit(&connp->conn_lock);
+ if (error != 0) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ freemsg(mp);
+ goto done;
+ }
+
+ /* Sanity check length of packet */
ipha = (ipha_t *)mp->b_rptr;
- ip_hdr_length = IP_SIMPLE_HDR_LENGTH + icmp->icmp_ip_snd_options_len;
+
+ ip_hdr_length = IP_SIMPLE_HDR_LENGTH;
if ((mp->b_wptr - mp->b_rptr) < IP_SIMPLE_HDR_LENGTH) {
if (!pullupmsg(mp, IP_SIMPLE_HDR_LENGTH)) {
- ASSERT(icmp != NULL);
BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
freemsg(mp);
- rw_exit(&icmp->icmp_rwlock);
- return (0);
+ goto done;
}
ipha = (ipha_t *)mp->b_rptr;
}
@@ -4273,1285 +3080,1541 @@ icmp_wput_hdrincl(queue_t *q, conn_t *connp, mblk_t *mp, icmp_t *icmp,
(IP_VERSION<<4) | (ip_hdr_length>>2);
/*
- * Check if our saved options are valid; update if not.
- * TSOL Note: Since we are not in WRITER mode, ICMP packets
- * to different destination may require different labels,
- * or worse, ICMP packets to same IP address may require
- * different labels due to use of shared all-zones address.
- * We use conn_lock to ensure that lastdst, ip_snd_options,
- * and ip_snd_options_len are consistent for the current
- * destination and are updated atomically.
- */
- mutex_enter(&connp->conn_lock);
- if (is_system_labeled()) {
- /*
- * Recompute the Trusted Extensions security label if
- * we're not going to the same destination as last
- * time or the cred attached to the received mblk
- * changed.
- */
- cr = msg_getcred(mp, &cpid);
- if (!IN6_IS_ADDR_V4MAPPED(&icmp->icmp_v6lastdst) ||
- V4_PART_OF_V6(icmp->icmp_v6lastdst) != ipha->ipha_dst ||
- cr != icmp->icmp_last_cred) {
- error = icmp_update_label(icmp, mp, ipha->ipha_dst);
- if (error != 0) {
- mutex_exit(&connp->conn_lock);
- rw_exit(&icmp->icmp_rwlock);
- return (error);
- }
- }
- /*
- * Apply credentials with modified security label if they
- * exist. icmp_update_label() may have generated these
- * credentials for packets to unlabeled remote nodes.
- */
- if (icmp->icmp_effective_cred != NULL)
- mblk_setcred(mp, icmp->icmp_effective_cred, cpid);
- }
-
- if (icmp->icmp_ip_snd_options_len > 0) {
- ip_snd_opt_len = icmp->icmp_ip_snd_options_len;
- bcopy(icmp->icmp_ip_snd_options, ip_snd_opt, ip_snd_opt_len);
- }
- mutex_exit(&connp->conn_lock);
-
- /*
- * For the socket of SOCK_RAW type, the checksum is provided in the
- * pre-built packet. We set the ipha_ident field to IP_HDR_INCLUDED to
- * tell IP that the application has sent a complete IP header and not
- * to compute the transport checksum nor change the DF flag.
+ * We set IXAF_DONTFRAG if the application set DF which makes
+ * IP not fragment.
*/
- ipha->ipha_ident = IP_HDR_INCLUDED;
- ipha->ipha_hdr_checksum = 0;
ipha->ipha_fragment_offset_and_flags &= htons(IPH_DF);
- /* Insert options if any */
- if (ip_hdr_length > IP_SIMPLE_HDR_LENGTH) {
- /*
- * Put the IP header plus any transport header that is
- * checksumed by ip_wput into the first mblk. (ip_wput assumes
- * that at least the checksum field is in the first mblk.)
- */
- switch (ipha->ipha_protocol) {
- case IPPROTO_UDP:
- tp_hdr_len = 8;
- break;
- case IPPROTO_TCP:
- tp_hdr_len = 20;
- break;
- default:
- tp_hdr_len = 0;
- break;
- }
- /*
- * The code below assumes that IP_SIMPLE_HDR_LENGTH plus
- * tp_hdr_len bytes will be in a single mblk.
- */
- if ((mp->b_wptr - mp->b_rptr) < (IP_SIMPLE_HDR_LENGTH +
- tp_hdr_len)) {
- if (!pullupmsg(mp, IP_SIMPLE_HDR_LENGTH +
- tp_hdr_len)) {
- BUMP_MIB(&is->is_rawip_mib,
- rawipOutErrors);
- freemsg(mp);
- rw_exit(&icmp->icmp_rwlock);
- return (0);
- }
- ipha = (ipha_t *)mp->b_rptr;
- }
-
- /*
- * if the length is larger then the max allowed IP packet,
- * then send an error and abort the processing.
- */
- pkt_len = ntohs(ipha->ipha_length)
- + ip_snd_opt_len;
- if (pkt_len > IP_MAXPACKET) {
- rw_exit(&icmp->icmp_rwlock);
- return (EMSGSIZE);
- }
- if (!(mp1 = allocb(ip_hdr_length + is->is_wroff_extra +
- tp_hdr_len, BPRI_LO))) {
- rw_exit(&icmp->icmp_rwlock);
- return (ENOMEM);
- }
- mp1->b_rptr += is->is_wroff_extra;
- mp1->b_wptr = mp1->b_rptr + ip_hdr_length;
+ if (ipha->ipha_fragment_offset_and_flags & htons(IPH_DF))
+ ixa->ixa_flags |= (IXAF_DONTFRAG | IXAF_PMTU_IPV4_DF);
+ else
+ ixa->ixa_flags &= ~(IXAF_DONTFRAG | IXAF_PMTU_IPV4_DF);
- ipha->ipha_length = htons((uint16_t)pkt_len);
- bcopy(ipha, mp1->b_rptr, IP_SIMPLE_HDR_LENGTH);
+ /* Even for multicast and broadcast we honor the apps ttl */
+ ixa->ixa_flags |= IXAF_NO_TTL_CHANGE;
- /* Copy transport header if any */
- bcopy(&ipha[1], mp1->b_wptr, tp_hdr_len);
- mp1->b_wptr += tp_hdr_len;
+ if (ipha->ipha_dst == INADDR_ANY)
+ ipha->ipha_dst = htonl(INADDR_LOOPBACK);
- /* Add options */
- ipha = (ipha_t *)mp1->b_rptr;
- bcopy(ip_snd_opt, &ipha[1], ip_snd_opt_len);
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &v6src);
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &v6dst);
- /* Drop IP header and transport header from original */
- (void) adjmsg(mp, IP_SIMPLE_HDR_LENGTH + tp_hdr_len);
+ /* Defer IPsec if it might need to look at ICMP type/code */
+ do_ipsec = ipha->ipha_protocol != IPPROTO_ICMP;
+ ixa->ixa_flags |= IXAF_IS_IPV4;
- mp1->b_cont = mp;
- mp = mp1;
+ ip_attr_nexthop(ipp, ixa, &v6dst, &v6nexthop);
+ error = ip_attr_connect(connp, ixa, &v6src, &v6dst, &v6nexthop,
+ connp->conn_fport, &v6src, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST |
+ (do_ipsec ? IPDF_IPSEC : 0));
+ switch (error) {
+ case 0:
+ break;
+ case EADDRNOTAVAIL:
/*
- * Massage source route putting first source
- * route in ipha_dst.
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
*/
- (void) ip_massage_options(ipha, is->is_netstack);
- }
-
- if (pktinfop != NULL) {
+ error = ENETUNREACH;
+ goto failed;
+ case ENETDOWN:
/*
- * Over write the source address provided in the header
+ * Have !ipif_addr_ready address; drop packet silently
+ * until we can get applications to not send until we
+ * are ready.
*/
- if (pktinfop->ip4_addr != INADDR_ANY) {
- ipha->ipha_src = pktinfop->ip4_addr;
- optinfo.ip_opt_flags = IP_VERIFY_SRC;
- }
-
- if (pktinfop->ip4_ill_index != 0) {
- optinfo.ip_opt_ill_index = pktinfop->ip4_ill_index;
+ error = 0;
+ goto failed;
+ case EHOSTUNREACH:
+ case ENETUNREACH:
+ if (ixa->ixa_ire != NULL) {
+ /*
+ * Let conn_ip_output/ire_send_noroute return
+ * the error and send any local ICMP error.
+ */
+ error = 0;
+ break;
}
+ /* FALLTHRU */
+ default:
+ failed:
+ freemsg(mp);
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ goto done;
}
-
- rw_exit(&icmp->icmp_rwlock);
-
- ip_output_options(connp, mp, q, IP_WPUT, &optinfo);
- return (0);
-}
-
-static int
-icmp_update_label(icmp_t *icmp, mblk_t *mp, ipaddr_t dst)
-{
- int err;
- uchar_t opt_storage[IP_MAX_OPT_LENGTH];
- icmp_stack_t *is = icmp->icmp_is;
- conn_t *connp = icmp->icmp_connp;
- cred_t *cred;
- cred_t *msg_cred;
- cred_t *effective_cred;
+ if (ipha->ipha_src == INADDR_ANY)
+ IN6_V4MAPPED_TO_IPADDR(&v6src, ipha->ipha_src);
/*
- * All Solaris components should pass a db_credp
- * for this message, hence we ASSERT.
- * On production kernels we return an error to be robust against
- * random streams modules sitting on top of us.
+ * We might be going to a different destination than last time,
+ * thus check that TX allows the communication and compute any
+ * needed label.
+ *
+ * TSOL Note: We have an exclusive ipp and ixa for this thread so we
+ * don't have to worry about concurrent threads.
*/
- cred = msg_cred = msg_getcred(mp, NULL);
- ASSERT(cred != NULL);
- if (cred == NULL)
- return (EINVAL);
+ if (is_system_labeled()) {
+ /*
+ * Check whether Trusted Solaris policy allows communication
+ * with this host, and pretend that the destination is
+ * unreachable if not.
+ * Compute any needed label and place it in ipp_label_v4/v6.
+ *
+ * Later conn_build_hdr_template/conn_prepend_hdr takes
+ * ipp_label_v4/v6 to form the packet.
+ *
+ * Tsol note: We have ipp structure local to this thread so
+ * no locking is needed.
+ */
+ error = conn_update_label(connp, ixa, &v6dst, ipp);
+ if (error != 0) {
+ freemsg(mp);
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ goto done;
+ }
+ }
/*
- * Verify the destination is allowed to receive packets at
- * the security label of the message data. check_dest()
- * may create a new effective cred for this message
- * with a modified label or label flags.
+ * Save away a copy of the IPv4 header the application passed down
+ * and then prepend an IPv4 header complete with any IP options
+ * including label.
+ * We need a struct copy since icmp_prepend_hdr will reuse the available
+ * space in the mblk.
*/
- if ((err = tsol_check_dest(cred, &dst, IPV4_VERSION,
- connp->conn_mac_mode, &effective_cred)) != 0)
- goto done;
- if (effective_cred != NULL)
- cred = effective_cred;
+ iphas = *ipha;
+ mp->b_rptr += IP_SIMPLE_HDR_LENGTH;
- /*
- * Calculate the security label to be placed in the text
- * of the message (if any).
- */
- if ((err = tsol_compute_label(cred, dst, opt_storage,
- is->is_netstack->netstack_ip)) != 0)
+ mp = icmp_prepend_hdr(connp, ixa, ipp, &v6src, &v6dst, 0, mp, &error);
+ if (mp == NULL) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ ASSERT(error != 0);
goto done;
-
- /*
- * Insert the security label in the cached ip options,
- * removing any old label that may exist.
- */
- if ((err = tsol_update_options(&icmp->icmp_ip_snd_options,
- &icmp->icmp_ip_snd_options_len, &icmp->icmp_label_len,
- opt_storage)) != 0)
+ }
+ if (ixa->ixa_pktlen > IP_MAXPACKET) {
+ error = EMSGSIZE;
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ freemsg(mp);
goto done;
+ }
+ /* Restore key parts of the header that the application passed down */
+ ipha = (ipha_t *)mp->b_rptr;
+ ipha->ipha_type_of_service = iphas.ipha_type_of_service;
+ ipha->ipha_ident = iphas.ipha_ident;
+ ipha->ipha_fragment_offset_and_flags =
+ iphas.ipha_fragment_offset_and_flags;
+ ipha->ipha_ttl = iphas.ipha_ttl;
+ ipha->ipha_protocol = iphas.ipha_protocol;
+ ipha->ipha_src = iphas.ipha_src;
+ ipha->ipha_dst = iphas.ipha_dst;
+
+ ixa->ixa_protocol = ipha->ipha_protocol;
/*
- * Save the destination address and cred we used to generate
- * the security label text.
+ * Make sure that the IP header plus any transport header that is
+ * checksumed by ip_output is in the first mblk. (ip_output assumes
+ * that at least the checksum field is in the first mblk.)
*/
- IN6_IPADDR_TO_V4MAPPED(dst, &icmp->icmp_v6lastdst);
- if (cred != icmp->icmp_effective_cred) {
- if (icmp->icmp_effective_cred != NULL)
- crfree(icmp->icmp_effective_cred);
- crhold(cred);
- icmp->icmp_effective_cred = cred;
+ switch (ipha->ipha_protocol) {
+ case IPPROTO_UDP:
+ tp_hdr_len = 8;
+ break;
+ case IPPROTO_TCP:
+ tp_hdr_len = 20;
+ break;
+ default:
+ tp_hdr_len = 0;
+ break;
+ }
+ ip_hdr_length = IPH_HDR_LENGTH(ipha);
+ if (mp->b_wptr - mp->b_rptr < ip_hdr_length + tp_hdr_len) {
+ if (!pullupmsg(mp, ip_hdr_length + tp_hdr_len)) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ if (mp->b_cont == NULL)
+ error = EINVAL;
+ else
+ error = ENOMEM;
+ freemsg(mp);
+ goto done;
+ }
}
- if (msg_cred != icmp->icmp_last_cred) {
- if (icmp->icmp_last_cred != NULL)
- crfree(icmp->icmp_last_cred);
- crhold(msg_cred);
- icmp->icmp_last_cred = msg_cred;
+ if (!do_ipsec) {
+ /* Policy might differ for different ICMP type/code */
+ if (ixa->ixa_ipsec_policy != NULL) {
+ IPPOL_REFRELE(ixa->ixa_ipsec_policy);
+ ixa->ixa_ipsec_policy = NULL;
+ ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
+ }
+ mp = ip_output_attach_policy(mp, ipha, NULL, connp, ixa);
+ if (mp == NULL) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ error = EHOSTUNREACH; /* IPsec policy failure */
+ goto done;
+ }
}
+ /* We're done. Pass the packet to ip. */
+ BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
+
+ error = conn_ip_output(mp, ixa);
+ /* No rawipOutErrors if an error since IP increases its error counter */
+ switch (error) {
+ case 0:
+ break;
+ case EWOULDBLOCK:
+ (void) ixa_check_drain_insert(connp, ixa);
+ error = 0;
+ break;
+ case EADDRNOTAVAIL:
+ /*
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
+ */
+ error = ENETUNREACH;
+ break;
+ }
done:
- if (effective_cred != NULL)
- crfree(effective_cred);
+ ixa_refrele(ixa);
+ ip_pkt_free(ipp);
+ kmem_free(ipp, sizeof (*ipp));
+ return (error);
+}
- if (err != 0) {
- BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- DTRACE_PROBE4(
- tx__ip__log__drop__updatelabel__icmp,
- char *, "icmp(1) failed to update options(2) on mp(3)",
- icmp_t *, icmp, char *, opt_storage, mblk_t *, mp);
- return (err);
+static mblk_t *
+icmp_output_attach_policy(mblk_t *mp, conn_t *connp, ip_xmit_attr_t *ixa)
+{
+ ipha_t *ipha = NULL;
+ ip6_t *ip6h = NULL;
+
+ if (ixa->ixa_flags & IXAF_IS_IPV4)
+ ipha = (ipha_t *)mp->b_rptr;
+ else
+ ip6h = (ip6_t *)mp->b_rptr;
+
+ if (ixa->ixa_ipsec_policy != NULL) {
+ IPPOL_REFRELE(ixa->ixa_ipsec_policy);
+ ixa->ixa_ipsec_policy = NULL;
+ ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
}
- return (0);
+ return (ip_output_attach_policy(mp, ipha, ip6h, connp, ixa));
}
/*
- * This routine handles all messages passed downstream. It either
- * consumes the message or passes it downstream; it never queues a
- * a message.
+ * Handle T_UNITDATA_REQ with options. Both IPv4 and IPv6
+ * Either tudr_mp or msg is set. If tudr_mp we take ancillary data from
+ * the TPI options, otherwise we take them from msg_control.
+ * If both sin and sin6 is set it is a connected socket and we use conn_faddr.
+ * Always consumes mp; never consumes tudr_mp.
*/
-static void
-icmp_wput(queue_t *q, mblk_t *mp)
+static int
+icmp_output_ancillary(conn_t *connp, sin_t *sin, sin6_t *sin6, mblk_t *mp,
+ mblk_t *tudr_mp, struct nmsghdr *msg, cred_t *cr, pid_t pid)
{
- uchar_t *rptr = mp->b_rptr;
- mblk_t *mp1;
-#define tudr ((struct T_unitdata_req *)rptr)
- size_t ip_len;
- conn_t *connp = Q_TO_CONN(q);
- icmp_t *icmp = connp->conn_icmp;
- icmp_stack_t *is = icmp->icmp_is;
- sin6_t *sin6;
- sin_t *sin;
- ipaddr_t v4dst;
- ip4_pkt_t pktinfo;
- ip4_pkt_t *pktinfop = &pktinfo;
- ip6_pkt_t ipp_s; /* For ancillary data options */
- ip6_pkt_t *ipp = &ipp_s;
- int error;
+ icmp_t *icmp = connp->conn_icmp;
+ icmp_stack_t *is = icmp->icmp_is;
+ int error;
+ ip_xmit_attr_t *ixa;
+ ip_pkt_t *ipp;
+ in6_addr_t v6src;
+ in6_addr_t v6dst;
+ in6_addr_t v6nexthop;
+ in_port_t dstport;
+ uint32_t flowinfo;
+ uint_t srcid;
+ int is_absreq_failure = 0;
+ conn_opt_arg_t coas, *coa;
- ipp->ipp_fields = 0;
- ipp->ipp_sticky_ignored = 0;
+ ASSERT(tudr_mp != NULL || msg != NULL);
- switch (mp->b_datap->db_type) {
- case M_DATA:
- if (icmp->icmp_hdrincl) {
- ASSERT(icmp->icmp_ipversion == IPV4_VERSION);
- error = icmp_wput_hdrincl(q, connp, mp, icmp, NULL);
- if (error != 0)
- icmp_ud_err(q, mp, error);
- return;
- }
+ /*
+ * Get ixa before checking state to handle a disconnect race.
+ *
+ * We need an exclusive copy of conn_ixa since the ancillary data
+ * options might modify it. That copy has no pointers hence we
+ * need to set them up once we've parsed the ancillary data.
+ */
+ ixa = conn_get_ixa_exclusive(connp);
+ if (ixa == NULL) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
freemsg(mp);
- return;
- case M_PROTO:
- case M_PCPROTO:
- ip_len = mp->b_wptr - rptr;
- if (ip_len >= sizeof (struct T_unitdata_req)) {
- /* Expedite valid T_UNITDATA_REQ to below the switch */
- if (((union T_primitives *)rptr)->type
- == T_UNITDATA_REQ)
- break;
- }
- /* FALLTHRU */
- default:
- icmp_wput_other(q, mp);
- return;
+ return (ENOMEM);
+ }
+ ASSERT(cr != NULL);
+ ixa->ixa_cred = cr;
+ ixa->ixa_cpid = pid;
+ if (is_system_labeled()) {
+ /* We need to restart with a label based on the cred */
+ ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
}
- /* Handle T_UNITDATA_REQ messages here. */
+ /* In case previous destination was multicast or multirt */
+ ip_attr_newdst(ixa);
- mp1 = mp->b_cont;
- if (mp1 == NULL) {
+ /* Get a copy of conn_xmit_ipp since the options might change it */
+ ipp = kmem_zalloc(sizeof (*ipp), KM_NOSLEEP);
+ if (ipp == NULL) {
+ ixa_refrele(ixa);
BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- icmp_ud_err(q, mp, EPROTO);
- return;
+ freemsg(mp);
+ return (ENOMEM);
}
-
- if ((rptr + tudr->DEST_offset + tudr->DEST_length) > mp->b_wptr) {
+ mutex_enter(&connp->conn_lock);
+ error = ip_pkt_copy(&connp->conn_xmit_ipp, ipp, KM_NOSLEEP);
+ mutex_exit(&connp->conn_lock);
+ if (error != 0) {
BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- icmp_ud_err(q, mp, EADDRNOTAVAIL);
- return;
+ freemsg(mp);
+ goto done;
}
- switch (icmp->icmp_family) {
- case AF_INET6:
- sin6 = (sin6_t *)&rptr[tudr->DEST_offset];
- if (!OK_32PTR((char *)sin6) ||
- tudr->DEST_length != sizeof (sin6_t) ||
- sin6->sin6_family != AF_INET6) {
- BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- icmp_ud_err(q, mp, EADDRNOTAVAIL);
- return;
- }
+ /*
+ * Parse the options and update ixa and ipp as a result.
+ */
- /* No support for mapped addresses on raw sockets */
- if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
- BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- icmp_ud_err(q, mp, EADDRNOTAVAIL);
- return;
- }
+ coa = &coas;
+ coa->coa_connp = connp;
+ coa->coa_ixa = ixa;
+ coa->coa_ipp = ipp;
+ coa->coa_ancillary = B_TRUE;
+ coa->coa_changed = 0;
+ if (msg != NULL) {
+ error = process_auxiliary_options(connp, msg->msg_control,
+ msg->msg_controllen, coa, &icmp_opt_obj, icmp_opt_set, cr);
+ } else {
+ struct T_unitdata_req *tudr;
+
+ tudr = (struct T_unitdata_req *)tudr_mp->b_rptr;
+ ASSERT(tudr->PRIM_type == T_UNITDATA_REQ);
+ error = tpi_optcom_buf(connp->conn_wq, tudr_mp,
+ &tudr->OPT_length, tudr->OPT_offset, cr, &icmp_opt_obj,
+ coa, &is_absreq_failure);
+ }
+ if (error != 0) {
/*
- * Destination is a native IPv6 address.
- * Send out an IPv6 format packet.
+ * Note: No special action needed in this
+ * module for "is_absreq_failure"
*/
- if (tudr->OPT_length != 0) {
- int error;
-
- error = 0;
- if (icmp_unitdata_opt_process(q, mp, &error,
- (void *)ipp) < 0) {
- /* failure */
- BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- icmp_ud_err(q, mp, error);
- return;
- }
- ASSERT(error == 0);
- }
-
- error = raw_ip_send_data_v6(q, connp, mp1, sin6, ipp);
+ freemsg(mp);
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
goto done;
-
- case AF_INET:
- sin = (sin_t *)&rptr[tudr->DEST_offset];
- if (!OK_32PTR((char *)sin) ||
- tudr->DEST_length != sizeof (sin_t) ||
- sin->sin_family != AF_INET) {
- BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- icmp_ud_err(q, mp, EADDRNOTAVAIL);
- return;
- }
- /* Extract and ipaddr */
- v4dst = sin->sin_addr.s_addr;
- break;
-
- default:
- ASSERT(0);
}
+ ASSERT(is_absreq_failure == 0);
- pktinfop->ip4_ill_index = 0;
- pktinfop->ip4_addr = INADDR_ANY;
-
+ mutex_enter(&connp->conn_lock);
/*
- * If options passed in, feed it for verification and handling
+ * If laddr is unspecified then we look at sin6_src_id.
+ * We will give precedence to a source address set with IPV6_PKTINFO
+ * (aka IPPF_ADDR) but that is handled in build_hdrs. However, we don't
+ * want ip_attr_connect to select a source (since it can fail) when
+ * IPV6_PKTINFO is specified.
+ * If this doesn't result in a source address then we get a source
+ * from ip_attr_connect() below.
*/
- if (tudr->OPT_length != 0) {
- int error;
-
- error = 0;
- if (icmp_unitdata_opt_process(q, mp, &error,
- (void *)pktinfop) < 0) {
- /* failure */
- BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- icmp_ud_err(q, mp, error);
- return;
+ v6src = connp->conn_saddr_v6;
+ if (sin != NULL) {
+ IN6_IPADDR_TO_V4MAPPED(sin->sin_addr.s_addr, &v6dst);
+ dstport = sin->sin_port;
+ flowinfo = 0;
+ ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
+ ixa->ixa_flags |= IXAF_IS_IPV4;
+ } else if (sin6 != NULL) {
+ v6dst = sin6->sin6_addr;
+ dstport = sin6->sin6_port;
+ flowinfo = sin6->sin6_flowinfo;
+ srcid = sin6->__sin6_src_id;
+ if (IN6_IS_ADDR_LINKSCOPE(&v6dst) && sin6->sin6_scope_id != 0) {
+ ixa->ixa_scopeid = sin6->sin6_scope_id;
+ ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ } else {
+ ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
}
- ASSERT(error == 0);
- /*
- * Note: Success in processing options.
- * mp option buffer represented by
- * OPT_length/offset now potentially modified
- * and contain option setting results
- */
- }
-
- error = raw_ip_send_data_v4(q, connp, mp1, v4dst, pktinfop);
-done:
- if (error != 0) {
- icmp_ud_err(q, mp, error);
- return;
+ if (srcid != 0 && IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
+ ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
+ connp->conn_netstack);
+ }
+ if (IN6_IS_ADDR_V4MAPPED(&v6dst))
+ ixa->ixa_flags |= IXAF_IS_IPV4;
+ else
+ ixa->ixa_flags &= ~IXAF_IS_IPV4;
} else {
- mp->b_cont = NULL;
- freeb(mp);
+ /* Connected case */
+ v6dst = connp->conn_faddr_v6;
+ flowinfo = connp->conn_flowinfo;
+ }
+ mutex_exit(&connp->conn_lock);
+ /* Handle IPV6_PKTINFO setting source address. */
+ if (IN6_IS_ADDR_UNSPECIFIED(&v6src) &&
+ (ipp->ipp_fields & IPPF_ADDR)) {
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ if (IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
+ v6src = ipp->ipp_addr;
+ } else {
+ if (!IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
+ v6src = ipp->ipp_addr;
+ }
}
-}
-
-
-/* ARGSUSED */
-static void
-icmp_wput_fallback(queue_t *q, mblk_t *mp)
-{
-#ifdef DEBUG
- cmn_err(CE_CONT, "icmp_wput_fallback: Message during fallback \n");
-#endif
- freemsg(mp);
-}
-
-static int
-raw_ip_send_data_v4(queue_t *q, conn_t *connp, mblk_t *mp, ipaddr_t v4dst,
- ip4_pkt_t *pktinfop)
-{
- ipha_t *ipha;
- size_t ip_len;
- icmp_t *icmp = connp->conn_icmp;
- icmp_stack_t *is = icmp->icmp_is;
- int ip_hdr_length;
- ip_opt_info_t optinfo;
- uchar_t ip_snd_opt[IP_MAX_OPT_LENGTH];
- uint32_t ip_snd_opt_len = 0;
- pid_t cpid;
- cred_t *cr;
- optinfo.ip_opt_flags = 0;
- optinfo.ip_opt_ill_index = 0;
+ ip_attr_nexthop(ipp, ixa, &v6dst, &v6nexthop);
+ error = ip_attr_connect(connp, ixa, &v6src, &v6dst, &v6nexthop, dstport,
+ &v6src, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST);
- if (icmp->icmp_state == TS_UNBND) {
- /* If a port has not been bound to the stream, fail. */
+ switch (error) {
+ case 0:
+ break;
+ case EADDRNOTAVAIL:
+ /*
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
+ */
+ error = ENETUNREACH;
+ goto failed;
+ case ENETDOWN:
+ /*
+ * Have !ipif_addr_ready address; drop packet silently
+ * until we can get applications to not send until we
+ * are ready.
+ */
+ error = 0;
+ goto failed;
+ case EHOSTUNREACH:
+ case ENETUNREACH:
+ if (ixa->ixa_ire != NULL) {
+ /*
+ * Let conn_ip_output/ire_send_noroute return
+ * the error and send any local ICMP error.
+ */
+ error = 0;
+ break;
+ }
+ /* FALLTHRU */
+ default:
+ failed:
+ freemsg(mp);
BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- return (EPROTO);
+ goto done;
}
- if (v4dst == INADDR_ANY)
- v4dst = htonl(INADDR_LOOPBACK);
-
- /* Protocol 255 contains full IP headers */
- if (icmp->icmp_hdrincl)
- return (icmp_wput_hdrincl(q, connp, mp, icmp, pktinfop));
-
- rw_enter(&icmp->icmp_rwlock, RW_READER);
-
/*
- * Check if our saved options are valid; update if not.
- * TSOL Note: Since we are not in WRITER mode, ICMP packets
- * to different destination may require different labels,
- * or worse, ICMP packets to same IP address may require
- * different labels due to use of shared all-zones address.
- * We use conn_lock to ensure that lastdst, ip_snd_options,
- * and ip_snd_options_len are consistent for the current
- * destination and are updated atomically.
+ * We might be going to a different destination than last time,
+ * thus check that TX allows the communication and compute any
+ * needed label.
+ *
+ * TSOL Note: We have an exclusive ipp and ixa for this thread so we
+ * don't have to worry about concurrent threads.
*/
- mutex_enter(&connp->conn_lock);
if (is_system_labeled()) {
-
- /*
- * Recompute the Trusted Extensions security label if we're not
- * going to the same destination as last time or the cred
- * attached to the received mblk changed.
- */
- cr = msg_getcred(mp, &cpid);
- if (!IN6_IS_ADDR_V4MAPPED(&icmp->icmp_v6lastdst) ||
- V4_PART_OF_V6(icmp->icmp_v6lastdst) != v4dst ||
- cr != icmp->icmp_last_cred) {
- int error = icmp_update_label(icmp, mp, v4dst);
- if (error != 0) {
- mutex_exit(&connp->conn_lock);
- rw_exit(&icmp->icmp_rwlock);
- return (error);
- }
- }
/*
- * Apply credentials with modified security label if they
- * exist. icmp_update_label() may have generated these
- * credentials for packets to unlabeled remote nodes.
+ * Check whether Trusted Solaris policy allows communication
+ * with this host, and pretend that the destination is
+ * unreachable if not.
+ * Compute any needed label and place it in ipp_label_v4/v6.
+ *
+ * Later conn_build_hdr_template/conn_prepend_hdr takes
+ * ipp_label_v4/v6 to form the packet.
+ *
+ * Tsol note: We have ipp structure local to this thread so
+ * no locking is needed.
*/
- if (icmp->icmp_effective_cred != NULL)
- mblk_setcred(mp, icmp->icmp_effective_cred, cpid);
- }
-
- if (icmp->icmp_ip_snd_options_len > 0) {
- ip_snd_opt_len = icmp->icmp_ip_snd_options_len;
- bcopy(icmp->icmp_ip_snd_options, ip_snd_opt, ip_snd_opt_len);
- }
- mutex_exit(&connp->conn_lock);
-
- /* Add an IP header */
- ip_hdr_length = IP_SIMPLE_HDR_LENGTH + ip_snd_opt_len;
- ipha = (ipha_t *)&mp->b_rptr[-ip_hdr_length];
- if ((uchar_t *)ipha < mp->b_datap->db_base ||
- mp->b_datap->db_ref != 1 ||
- !OK_32PTR(ipha)) {
- mblk_t *mp1;
- if (!(mp1 = allocb(ip_hdr_length + is->is_wroff_extra,
- BPRI_LO))) {
+ error = conn_update_label(connp, ixa, &v6dst, ipp);
+ if (error != 0) {
+ freemsg(mp);
BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- rw_exit(&icmp->icmp_rwlock);
- return (ENOMEM);
+ goto done;
}
- mp1->b_cont = mp;
- ipha = (ipha_t *)mp1->b_datap->db_lim;
- mp1->b_wptr = (uchar_t *)ipha;
- ipha = (ipha_t *)((uchar_t *)ipha - ip_hdr_length);
- mp = mp1;
}
-#ifdef _BIG_ENDIAN
- /* Set version, header length, and tos */
- *(uint16_t *)&ipha->ipha_version_and_hdr_length =
- ((((IP_VERSION << 4) | (ip_hdr_length>>2)) << 8) |
- icmp->icmp_type_of_service);
- /* Set ttl and protocol */
- *(uint16_t *)&ipha->ipha_ttl = (icmp->icmp_ttl << 8) | icmp->icmp_proto;
-#else
- /* Set version, header length, and tos */
- *(uint16_t *)&ipha->ipha_version_and_hdr_length =
- ((icmp->icmp_type_of_service << 8) |
- ((IP_VERSION << 4) | (ip_hdr_length>>2)));
- /* Set ttl and protocol */
- *(uint16_t *)&ipha->ipha_ttl = (icmp->icmp_proto << 8) | icmp->icmp_ttl;
-#endif
- if (pktinfop->ip4_addr != INADDR_ANY) {
- ipha->ipha_src = pktinfop->ip4_addr;
- optinfo.ip_opt_flags = IP_VERIFY_SRC;
- } else {
-
- /*
- * Copy our address into the packet. If this is zero,
- * ip will fill in the real source address.
- */
- IN6_V4MAPPED_TO_IPADDR(&icmp->icmp_v6src, ipha->ipha_src);
+ mp = icmp_prepend_hdr(connp, ixa, ipp, &v6src, &v6dst, flowinfo, mp,
+ &error);
+ if (mp == NULL) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ ASSERT(error != 0);
+ goto done;
}
-
- ipha->ipha_fragment_offset_and_flags = 0;
-
- if (pktinfop->ip4_ill_index != 0) {
- optinfo.ip_opt_ill_index = pktinfop->ip4_ill_index;
+ if (ixa->ixa_pktlen > IP_MAXPACKET) {
+ error = EMSGSIZE;
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ freemsg(mp);
+ goto done;
}
-
- /*
- * For the socket of SOCK_RAW type, the checksum is provided in the
- * pre-built packet. We set the ipha_ident field to IP_HDR_INCLUDED to
- * tell IP that the application has sent a complete IP header and not
- * to compute the transport checksum nor change the DF flag.
- */
- ipha->ipha_ident = IP_HDR_INCLUDED;
-
- /* Finish common formatting of the packet. */
- mp->b_rptr = (uchar_t *)ipha;
-
- ip_len = mp->b_wptr - (uchar_t *)ipha;
- if (mp->b_cont != NULL)
- ip_len += msgdsize(mp->b_cont);
-
- /*
- * Set the length into the IP header.
- * If the length is greater than the maximum allowed by IP,
- * then free the message and return. Do not try and send it
- * as this can cause problems in layers below.
- */
- if (ip_len > IP_MAXPACKET) {
+ /* Policy might differ for different ICMP type/code */
+ mp = icmp_output_attach_policy(mp, connp, ixa);
+ if (mp == NULL) {
BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- rw_exit(&icmp->icmp_rwlock);
- return (EMSGSIZE);
+ error = EHOSTUNREACH; /* IPsec policy failure */
+ goto done;
}
- ipha->ipha_length = htons((uint16_t)ip_len);
- /*
- * Copy in the destination address request
- */
- ipha->ipha_dst = v4dst;
- /*
- * Set ttl based on IP_MULTICAST_TTL to match IPv6 logic.
- */
- if (CLASSD(v4dst))
- ipha->ipha_ttl = icmp->icmp_multicast_ttl;
+ /* We're done. Pass the packet to ip. */
+ BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
- /* Copy in options if any */
- if (ip_hdr_length > IP_SIMPLE_HDR_LENGTH) {
- bcopy(ip_snd_opt,
- &ipha[1], ip_snd_opt_len);
+ /* Allow source not assigned to the system? */
+ ixa->ixa_flags &= ~IXAF_VERIFY_SOURCE;
+ error = conn_ip_output(mp, ixa);
+ if (!connp->conn_unspec_src)
+ ixa->ixa_flags |= IXAF_VERIFY_SOURCE;
+ /* No rawipOutErrors if an error since IP increases its error counter */
+ switch (error) {
+ case 0:
+ break;
+ case EWOULDBLOCK:
+ (void) ixa_check_drain_insert(connp, ixa);
+ error = 0;
+ break;
+ case EADDRNOTAVAIL:
/*
- * Massage source route putting first source route in ipha_dst.
- * Ignore the destination in the T_unitdata_req.
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
*/
- (void) ip_massage_options(ipha, is->is_netstack);
+ error = ENETUNREACH;
+ /* FALLTHRU */
+ default:
+ mutex_enter(&connp->conn_lock);
+ /*
+ * Clear the source and v6lastdst so we call ip_attr_connect
+ * for the next packet and try to pick a better source.
+ */
+ if (connp->conn_mcbc_bind)
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ else
+ connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ mutex_exit(&connp->conn_lock);
+ break;
}
-
- rw_exit(&icmp->icmp_rwlock);
- BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
-
- ip_output_options(connp, mp, q, IP_WPUT, &optinfo);
- return (0);
+done:
+ ixa_refrele(ixa);
+ ip_pkt_free(ipp);
+ kmem_free(ipp, sizeof (*ipp));
+ return (error);
}
-static int
-icmp_update_label_v6(icmp_t *icmp, mblk_t *mp, in6_addr_t *dst)
+/*
+ * Handle sending an M_DATA for a connected socket.
+ * Handles both IPv4 and IPv6.
+ */
+int
+icmp_output_connected(conn_t *connp, mblk_t *mp, cred_t *cr, pid_t pid)
{
- int err;
- uchar_t opt_storage[TSOL_MAX_IPV6_OPTION];
- icmp_stack_t *is = icmp->icmp_is;
- conn_t *connp = icmp->icmp_connp;
- cred_t *cred;
- cred_t *msg_cred;
- cred_t *effective_cred;
+ icmp_t *icmp = connp->conn_icmp;
+ icmp_stack_t *is = icmp->icmp_is;
+ int error;
+ ip_xmit_attr_t *ixa;
+ boolean_t do_ipsec;
/*
- * All Solaris components should pass a db_credp
- * for this message, hence we ASSERT.
- * On production kernels we return an error to be robust against
- * random streams modules sitting on top of us.
+ * If no other thread is using conn_ixa this just gets a reference to
+ * conn_ixa. Otherwise we get a safe copy of conn_ixa.
*/
- cred = msg_cred = msg_getcred(mp, NULL);
- ASSERT(cred != NULL);
- if (cred == NULL)
- return (EINVAL);
+ ixa = conn_get_ixa(connp, B_FALSE);
+ if (ixa == NULL) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ freemsg(mp);
+ return (ENOMEM);
+ }
- /*
- * Verify the destination is allowed to receive packets at
- * the security label of the message data. check_dest()
- * may create a new effective cred for this message
- * with a modified label or label flags.
- */
- if ((err = tsol_check_dest(cred, dst, IPV6_VERSION,
- connp->conn_mac_mode, &effective_cred)) != 0)
- goto done;
- if (effective_cred != NULL)
- cred = effective_cred;
+ ASSERT(cr != NULL);
+ ixa->ixa_cred = cr;
+ ixa->ixa_cpid = pid;
- /*
- * Calculate the security label to be placed in the text
- * of the message (if any).
- */
- if ((err = tsol_compute_label_v6(cred, dst, opt_storage,
- is->is_netstack->netstack_ip)) != 0)
- goto done;
+ /* Defer IPsec if it might need to look at ICMP type/code */
+ switch (ixa->ixa_protocol) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ do_ipsec = B_FALSE;
+ break;
+ default:
+ do_ipsec = B_TRUE;
+ }
- /*
- * Insert the security label in the cached ip options,
- * removing any old label that may exist.
- */
- if ((err = tsol_update_sticky(&icmp->icmp_sticky_ipp,
- &icmp->icmp_label_len_v6, opt_storage)) != 0)
- goto done;
+ mutex_enter(&connp->conn_lock);
+ mp = icmp_prepend_header_template(connp, ixa, mp,
+ &connp->conn_saddr_v6, connp->conn_flowinfo, &error);
+
+ if (mp == NULL) {
+ ASSERT(error != 0);
+ mutex_exit(&connp->conn_lock);
+ ixa_refrele(ixa);
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ freemsg(mp);
+ return (error);
+ }
+
+ if (!do_ipsec) {
+ /* Policy might differ for different ICMP type/code */
+ mp = icmp_output_attach_policy(mp, connp, ixa);
+ if (mp == NULL) {
+ mutex_exit(&connp->conn_lock);
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ ixa_refrele(ixa);
+ return (EHOSTUNREACH); /* IPsec policy failure */
+ }
+ }
/*
- * Save the destination address and cred we used to generate
- * the security label text.
+ * In case we got a safe copy of conn_ixa, or if opt_set made us a new
+ * safe copy, then we need to fill in any pointers in it.
*/
- icmp->icmp_v6lastdst = *dst;
- if (cred != icmp->icmp_effective_cred) {
- if (icmp->icmp_effective_cred != NULL)
- crfree(icmp->icmp_effective_cred);
- crhold(cred);
- icmp->icmp_effective_cred = cred;
- }
+ if (ixa->ixa_ire == NULL) {
+ in6_addr_t faddr, saddr;
+ in6_addr_t nexthop;
+ in_port_t fport;
+
+ saddr = connp->conn_saddr_v6;
+ faddr = connp->conn_faddr_v6;
+ fport = connp->conn_fport;
+ ip_attr_nexthop(&connp->conn_xmit_ipp, ixa, &faddr, &nexthop);
+ mutex_exit(&connp->conn_lock);
- if (msg_cred != icmp->icmp_last_cred) {
- if (icmp->icmp_last_cred != NULL)
- crfree(icmp->icmp_last_cred);
- crhold(msg_cred);
- icmp->icmp_last_cred = msg_cred;
+ error = ip_attr_connect(connp, ixa, &saddr, &faddr, &nexthop,
+ fport, NULL, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST |
+ (do_ipsec ? IPDF_IPSEC : 0));
+ switch (error) {
+ case 0:
+ break;
+ case EADDRNOTAVAIL:
+ /*
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
+ */
+ error = ENETUNREACH;
+ goto failed;
+ case ENETDOWN:
+ /*
+ * Have !ipif_addr_ready address; drop packet silently
+ * until we can get applications to not send until we
+ * are ready.
+ */
+ error = 0;
+ goto failed;
+ case EHOSTUNREACH:
+ case ENETUNREACH:
+ if (ixa->ixa_ire != NULL) {
+ /*
+ * Let conn_ip_output/ire_send_noroute return
+ * the error and send any local ICMP error.
+ */
+ error = 0;
+ break;
+ }
+ /* FALLTHRU */
+ default:
+ failed:
+ ixa_refrele(ixa);
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ freemsg(mp);
+ return (error);
+ }
+ } else {
+ /* Done with conn_t */
+ mutex_exit(&connp->conn_lock);
}
-done:
- if (effective_cred != NULL)
- crfree(effective_cred);
+ /* We're done. Pass the packet to ip. */
+ BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
- if (err != 0) {
- BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- DTRACE_PROBE4(
- tx__ip__log__drop__updatelabel__icmp6,
- char *, "icmp(1) failed to update options(2) on mp(3)",
- icmp_t *, icmp, char *, opt_storage, mblk_t *, mp);
- return (err);
+ error = conn_ip_output(mp, ixa);
+ /* No rawipOutErrors if an error since IP increases its error counter */
+ switch (error) {
+ case 0:
+ break;
+ case EWOULDBLOCK:
+ (void) ixa_check_drain_insert(connp, ixa);
+ error = 0;
+ break;
+ case EADDRNOTAVAIL:
+ /*
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
+ */
+ error = ENETUNREACH;
+ break;
}
- return (0);
+ ixa_refrele(ixa);
+ return (error);
}
/*
- * raw_ip_send_data_v6():
- * Assumes that icmp_wput did some sanity checking on the destination
- * address, but that the label may not yet be correct.
+ * Handle sending an M_DATA to the last destination.
+ * Handles both IPv4 and IPv6.
+ *
+ * NOTE: The caller must hold conn_lock and we drop it here.
*/
-static int
-raw_ip_send_data_v6(queue_t *q, conn_t *connp, mblk_t *mp, sin6_t *sin6,
- ip6_pkt_t *ipp)
+int
+icmp_output_lastdst(conn_t *connp, mblk_t *mp, cred_t *cr, pid_t pid,
+ ip_xmit_attr_t *ixa)
{
- ip6_t *ip6h;
- ip6i_t *ip6i; /* mp->b_rptr even if no ip6i_t */
- int ip_hdr_len = IPV6_HDR_LEN;
- size_t ip_len;
- icmp_t *icmp = connp->conn_icmp;
- icmp_stack_t *is = icmp->icmp_is;
- ip6_pkt_t *tipp;
- ip6_hbh_t *hopoptsptr = NULL;
- uint_t hopoptslen = 0;
- uint32_t csum = 0;
- uint_t ignore = 0;
- uint_t option_exists = 0, is_sticky = 0;
- uint8_t *cp;
- uint8_t *nxthdr_ptr;
- in6_addr_t ip6_dst;
- pid_t cpid;
- cred_t *cr;
-
- rw_enter(&icmp->icmp_rwlock, RW_READER);
+ icmp_t *icmp = connp->conn_icmp;
+ icmp_stack_t *is = icmp->icmp_is;
+ int error;
+ boolean_t do_ipsec;
- /*
- * If the local address is a mapped address return
- * an error.
- * It would be possible to send an IPv6 packet but the
- * response would never make it back to the application
- * since it is bound to a mapped address.
- */
- if (IN6_IS_ADDR_V4MAPPED(&icmp->icmp_v6src)) {
+ ASSERT(MUTEX_HELD(&connp->conn_lock));
+ ASSERT(ixa != NULL);
+
+ ASSERT(cr != NULL);
+ ixa->ixa_cred = cr;
+ ixa->ixa_cpid = pid;
+
+ /* Defer IPsec if it might need to look at ICMP type/code */
+ switch (ixa->ixa_protocol) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ do_ipsec = B_FALSE;
+ break;
+ default:
+ do_ipsec = B_TRUE;
+ }
+
+
+ mp = icmp_prepend_header_template(connp, ixa, mp,
+ &connp->conn_v6lastsrc, connp->conn_lastflowinfo, &error);
+
+ if (mp == NULL) {
+ ASSERT(error != 0);
+ mutex_exit(&connp->conn_lock);
+ ixa_refrele(ixa);
BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- rw_exit(&icmp->icmp_rwlock);
- return (EADDRNOTAVAIL);
+ freemsg(mp);
+ return (error);
}
- ignore = ipp->ipp_sticky_ignored;
- if (sin6->sin6_scope_id != 0 &&
- IN6_IS_ADDR_LINKSCOPE(&sin6->sin6_addr)) {
- /*
- * IPPF_SCOPE_ID is special. It's neither a sticky
- * option nor ancillary data. It needs to be
- * explicitly set in options_exists.
- */
- option_exists |= IPPF_SCOPE_ID;
+ if (!do_ipsec) {
+ /* Policy might differ for different ICMP type/code */
+ mp = icmp_output_attach_policy(mp, connp, ixa);
+ if (mp == NULL) {
+ mutex_exit(&connp->conn_lock);
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ ixa_refrele(ixa);
+ return (EHOSTUNREACH); /* IPsec policy failure */
+ }
}
/*
- * Compute the destination address
+ * In case we got a safe copy of conn_ixa, or if opt_set made us a new
+ * safe copy, then we need to fill in any pointers in it.
*/
- ip6_dst = sin6->sin6_addr;
- if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
- ip6_dst = ipv6_loopback;
+ if (ixa->ixa_ire == NULL) {
+ in6_addr_t lastdst, lastsrc;
+ in6_addr_t nexthop;
+ in_port_t lastport;
+
+ lastsrc = connp->conn_v6lastsrc;
+ lastdst = connp->conn_v6lastdst;
+ lastport = connp->conn_lastdstport;
+ ip_attr_nexthop(&connp->conn_xmit_ipp, ixa, &lastdst, &nexthop);
+ mutex_exit(&connp->conn_lock);
- /*
- * Check if our saved options are valid; update if not.
- * TSOL Note: Since we are not in WRITER mode, ICMP packets
- * to different destination may require different labels,
- * or worse, ICMP packets to same IP address may require
- * different labels due to use of shared all-zones address.
- * We use conn_lock to ensure that lastdst, sticky ipp_hopopts,
- * and sticky ipp_hopoptslen are consistent for the current
- * destination and are updated atomically.
- */
- mutex_enter(&connp->conn_lock);
- if (is_system_labeled()) {
- /*
- * Recompute the Trusted Extensions security label if we're
- * not going to the same destination as last time or the cred
- * attached to the received mblk changed. This is done in a
- * separate routine to avoid blowing up our stack here.
- */
- cr = msg_getcred(mp, &cpid);
- if (!IN6_ARE_ADDR_EQUAL(&icmp->icmp_v6lastdst, &ip6_dst) ||
- cr != icmp->icmp_last_cred) {
- int error = 0;
- error = icmp_update_label_v6(icmp, mp, &ip6_dst);
- if (error != 0) {
- mutex_exit(&connp->conn_lock);
- rw_exit(&icmp->icmp_rwlock);
- return (error);
+ error = ip_attr_connect(connp, ixa, &lastsrc, &lastdst,
+ &nexthop, lastport, NULL, NULL, IPDF_ALLOW_MCBC |
+ IPDF_VERIFY_DST | (do_ipsec ? IPDF_IPSEC : 0));
+ switch (error) {
+ case 0:
+ break;
+ case EADDRNOTAVAIL:
+ /*
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
+ */
+ error = ENETUNREACH;
+ goto failed;
+ case ENETDOWN:
+ /*
+ * Have !ipif_addr_ready address; drop packet silently
+ * until we can get applications to not send until we
+ * are ready.
+ */
+ error = 0;
+ goto failed;
+ case EHOSTUNREACH:
+ case ENETUNREACH:
+ if (ixa->ixa_ire != NULL) {
+ /*
+ * Let conn_ip_output/ire_send_noroute return
+ * the error and send any local ICMP error.
+ */
+ error = 0;
+ break;
}
+ /* FALLTHRU */
+ default:
+ failed:
+ ixa_refrele(ixa);
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ freemsg(mp);
+ return (error);
}
+ } else {
+ /* Done with conn_t */
+ mutex_exit(&connp->conn_lock);
+ }
+ /* We're done. Pass the packet to ip. */
+ BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
+ error = conn_ip_output(mp, ixa);
+ /* No rawipOutErrors if an error since IP increases its error counter */
+ switch (error) {
+ case 0:
+ break;
+ case EWOULDBLOCK:
+ (void) ixa_check_drain_insert(connp, ixa);
+ error = 0;
+ break;
+ case EADDRNOTAVAIL:
+ /*
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
+ */
+ error = ENETUNREACH;
+ /* FALLTHRU */
+ default:
+ mutex_enter(&connp->conn_lock);
/*
- * Apply credentials with modified security label if they exist.
- * icmp_update_label_v6() may have generated these credentials
- * for MAC-Exempt connections.
+ * Clear the source and v6lastdst so we call ip_attr_connect
+ * for the next packet and try to pick a better source.
*/
- if (icmp->icmp_effective_cred != NULL)
- mblk_setcred(mp, icmp->icmp_effective_cred, cpid);
+ if (connp->conn_mcbc_bind)
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ else
+ connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ mutex_exit(&connp->conn_lock);
+ break;
}
+ ixa_refrele(ixa);
+ return (error);
+}
+
+
+/*
+ * Prepend the header template and then fill in the source and
+ * flowinfo. The caller needs to handle the destination address since
+ * it's setting is different if rthdr or source route.
+ *
+ * Returns NULL is allocation failed or if the packet would exceed IP_MAXPACKET.
+ * When it returns NULL it sets errorp.
+ */
+static mblk_t *
+icmp_prepend_header_template(conn_t *connp, ip_xmit_attr_t *ixa, mblk_t *mp,
+ const in6_addr_t *v6src, uint32_t flowinfo, int *errorp)
+{
+ icmp_t *icmp = connp->conn_icmp;
+ icmp_stack_t *is = icmp->icmp_is;
+ uint_t pktlen;
+ uint_t copylen;
+ uint8_t *iph;
+ uint_t ip_hdr_length;
+ uint32_t cksum;
+ ip_pkt_t *ipp;
+
+ ASSERT(MUTEX_HELD(&connp->conn_lock));
/*
- * If there's a security label here, then we ignore any options the
- * user may try to set. We keep the peer's label as a hidden sticky
- * option.
+ * Copy the header template.
*/
- if (icmp->icmp_label_len_v6 > 0) {
- ignore &= ~IPPF_HOPOPTS;
- ipp->ipp_fields &= ~IPPF_HOPOPTS;
+ copylen = connp->conn_ht_iphc_len;
+ pktlen = copylen + msgdsize(mp);
+ if (pktlen > IP_MAXPACKET) {
+ freemsg(mp);
+ *errorp = EMSGSIZE;
+ return (NULL);
}
+ ixa->ixa_pktlen = pktlen;
- if ((icmp->icmp_sticky_ipp.ipp_fields == 0) &&
- (ipp->ipp_fields == 0)) {
- /* No sticky options nor ancillary data. */
- mutex_exit(&connp->conn_lock);
- goto no_options;
+ /* check/fix buffer config, setup pointers into it */
+ iph = mp->b_rptr - copylen;
+ if (DB_REF(mp) != 1 || iph < DB_BASE(mp) || !OK_32PTR(iph)) {
+ mblk_t *mp1;
+
+ mp1 = allocb(copylen + is->is_wroff_extra, BPRI_MED);
+ if (mp1 == NULL) {
+ freemsg(mp);
+ *errorp = ENOMEM;
+ return (NULL);
+ }
+ mp1->b_wptr = DB_LIM(mp1);
+ mp1->b_cont = mp;
+ mp = mp1;
+ iph = (mp->b_wptr - copylen);
}
+ mp->b_rptr = iph;
+ bcopy(connp->conn_ht_iphc, iph, copylen);
+ ip_hdr_length = (uint_t)(connp->conn_ht_ulp - connp->conn_ht_iphc);
+
+ ixa->ixa_ip_hdr_length = ip_hdr_length;
/*
- * Go through the options figuring out where each is going to
- * come from and build two masks. The first mask indicates if
- * the option exists at all. The second mask indicates if the
- * option is sticky or ancillary.
+ * Prepare for ICMPv6 checksum done in IP.
+ *
+ * icmp_build_hdr_template has already massaged any routing header
+ * and placed the result in conn_sum.
+ *
+ * We make it easy for IP to include our pseudo header
+ * by putting our length (and any routing header adjustment)
+ * in the ICMPv6 checksum field.
*/
- if (!(ignore & IPPF_HOPOPTS)) {
- if (ipp->ipp_fields & IPPF_HOPOPTS) {
- option_exists |= IPPF_HOPOPTS;
- ip_hdr_len += ipp->ipp_hopoptslen;
- } else if (icmp->icmp_sticky_ipp.ipp_fields & IPPF_HOPOPTS) {
- option_exists |= IPPF_HOPOPTS;
- is_sticky |= IPPF_HOPOPTS;
- ASSERT(icmp->icmp_sticky_ipp.ipp_hopoptslen != 0);
- hopoptsptr = kmem_alloc(
- icmp->icmp_sticky_ipp.ipp_hopoptslen, KM_NOSLEEP);
- if (hopoptsptr == NULL) {
- mutex_exit(&connp->conn_lock);
- rw_exit(&icmp->icmp_rwlock);
- return (ENOMEM);
- }
- hopoptslen = icmp->icmp_sticky_ipp.ipp_hopoptslen;
- bcopy(icmp->icmp_sticky_ipp.ipp_hopopts, hopoptsptr,
- hopoptslen);
- ip_hdr_len += hopoptslen;
- }
- }
- mutex_exit(&connp->conn_lock);
+ cksum = pktlen - ip_hdr_length;
- if (!(ignore & IPPF_RTHDR)) {
- if (ipp->ipp_fields & IPPF_RTHDR) {
- option_exists |= IPPF_RTHDR;
- ip_hdr_len += ipp->ipp_rthdrlen;
- } else if (icmp->icmp_sticky_ipp.ipp_fields & IPPF_RTHDR) {
- option_exists |= IPPF_RTHDR;
- is_sticky |= IPPF_RTHDR;
- ip_hdr_len += icmp->icmp_sticky_ipp.ipp_rthdrlen;
- }
- }
+ cksum += connp->conn_sum;
+ cksum = (cksum >> 16) + (cksum & 0xFFFF);
+ ASSERT(cksum < 0x10000);
- if (!(ignore & IPPF_RTDSTOPTS) && (option_exists & IPPF_RTHDR)) {
- /*
- * Need to have a router header to use these.
- */
- if (ipp->ipp_fields & IPPF_RTDSTOPTS) {
- option_exists |= IPPF_RTDSTOPTS;
- ip_hdr_len += ipp->ipp_rtdstoptslen;
- } else if (icmp->icmp_sticky_ipp.ipp_fields & IPPF_RTDSTOPTS) {
- option_exists |= IPPF_RTDSTOPTS;
- is_sticky |= IPPF_RTDSTOPTS;
- ip_hdr_len +=
- icmp->icmp_sticky_ipp.ipp_rtdstoptslen;
- }
- }
+ ipp = &connp->conn_xmit_ipp;
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)iph;
- if (!(ignore & IPPF_DSTOPTS)) {
- if (ipp->ipp_fields & IPPF_DSTOPTS) {
- option_exists |= IPPF_DSTOPTS;
- ip_hdr_len += ipp->ipp_dstoptslen;
- } else if (icmp->icmp_sticky_ipp.ipp_fields & IPPF_DSTOPTS) {
- option_exists |= IPPF_DSTOPTS;
- is_sticky |= IPPF_DSTOPTS;
- ip_hdr_len += icmp->icmp_sticky_ipp.ipp_dstoptslen;
- }
- }
+ ipha->ipha_length = htons((uint16_t)pktlen);
- if (!(ignore & IPPF_IFINDEX)) {
- if (ipp->ipp_fields & IPPF_IFINDEX) {
- option_exists |= IPPF_IFINDEX;
- } else if (icmp->icmp_sticky_ipp.ipp_fields & IPPF_IFINDEX) {
- option_exists |= IPPF_IFINDEX;
- is_sticky |= IPPF_IFINDEX;
+ /* if IP_PKTINFO specified an addres it wins over bind() */
+ if ((ipp->ipp_fields & IPPF_ADDR) &&
+ IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr)) {
+ ASSERT(ipp->ipp_addr_v4 != INADDR_ANY);
+ ipha->ipha_src = ipp->ipp_addr_v4;
+ } else {
+ IN6_V4MAPPED_TO_IPADDR(v6src, ipha->ipha_src);
}
- }
+ } else {
+ ip6_t *ip6h = (ip6_t *)iph;
+ uint_t cksum_offset = 0;
- if (!(ignore & IPPF_ADDR)) {
- if (ipp->ipp_fields & IPPF_ADDR) {
- option_exists |= IPPF_ADDR;
- } else if (icmp->icmp_sticky_ipp.ipp_fields & IPPF_ADDR) {
- option_exists |= IPPF_ADDR;
- is_sticky |= IPPF_ADDR;
- }
- }
+ ip6h->ip6_plen = htons((uint16_t)(pktlen - IPV6_HDR_LEN));
- if (!(ignore & IPPF_DONTFRAG)) {
- if (ipp->ipp_fields & IPPF_DONTFRAG) {
- option_exists |= IPPF_DONTFRAG;
- } else if (icmp->icmp_sticky_ipp.ipp_fields & IPPF_DONTFRAG) {
- option_exists |= IPPF_DONTFRAG;
- is_sticky |= IPPF_DONTFRAG;
+ /* if IP_PKTINFO specified an addres it wins over bind() */
+ if ((ipp->ipp_fields & IPPF_ADDR) &&
+ !IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr)) {
+ ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&ipp->ipp_addr));
+ ip6h->ip6_src = ipp->ipp_addr;
+ } else {
+ ip6h->ip6_src = *v6src;
}
- }
-
- if (!(ignore & IPPF_USE_MIN_MTU)) {
- if (ipp->ipp_fields & IPPF_USE_MIN_MTU) {
- option_exists |= IPPF_USE_MIN_MTU;
- } else if (icmp->icmp_sticky_ipp.ipp_fields &
- IPPF_USE_MIN_MTU) {
- option_exists |= IPPF_USE_MIN_MTU;
- is_sticky |= IPPF_USE_MIN_MTU;
+ ip6h->ip6_vcf =
+ (IPV6_DEFAULT_VERS_AND_FLOW & IPV6_VERS_AND_FLOW_MASK) |
+ (flowinfo & ~IPV6_VERS_AND_FLOW_MASK);
+ if (ipp->ipp_fields & IPPF_TCLASS) {
+ /* Overrides the class part of flowinfo */
+ ip6h->ip6_vcf = IPV6_TCLASS_FLOW(ip6h->ip6_vcf,
+ ipp->ipp_tclass);
+ }
+
+ if (ixa->ixa_flags & IXAF_SET_ULP_CKSUM) {
+ if (connp->conn_proto == IPPROTO_ICMPV6) {
+ cksum_offset = ixa->ixa_ip_hdr_length +
+ offsetof(icmp6_t, icmp6_cksum);
+ } else if (ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
+ cksum_offset = ixa->ixa_ip_hdr_length +
+ ixa->ixa_raw_cksum_offset;
+ }
}
- }
+ if (cksum_offset != 0) {
+ uint16_t *ptr;
+
+ /* Make sure the checksum fits in the first mblk */
+ if (cksum_offset + sizeof (short) > MBLKL(mp)) {
+ mblk_t *mp1;
- if (!(ignore & IPPF_NEXTHOP)) {
- if (ipp->ipp_fields & IPPF_NEXTHOP) {
- option_exists |= IPPF_NEXTHOP;
- } else if (icmp->icmp_sticky_ipp.ipp_fields & IPPF_NEXTHOP) {
- option_exists |= IPPF_NEXTHOP;
- is_sticky |= IPPF_NEXTHOP;
+ mp1 = msgpullup(mp,
+ cksum_offset + sizeof (short));
+ freemsg(mp);
+ if (mp1 == NULL) {
+ *errorp = ENOMEM;
+ return (NULL);
+ }
+ mp = mp1;
+ iph = mp->b_rptr;
+ ip6h = (ip6_t *)iph;
+ }
+ ptr = (uint16_t *)(mp->b_rptr + cksum_offset);
+ *ptr = htons(cksum);
}
}
- if (!(ignore & IPPF_HOPLIMIT) && (ipp->ipp_fields & IPPF_HOPLIMIT))
- option_exists |= IPPF_HOPLIMIT;
- /* IPV6_HOPLIMIT can never be sticky */
- ASSERT(!(icmp->icmp_sticky_ipp.ipp_fields & IPPF_HOPLIMIT));
+ return (mp);
+}
- if (!(ignore & IPPF_UNICAST_HOPS) &&
- (icmp->icmp_sticky_ipp.ipp_fields & IPPF_UNICAST_HOPS)) {
- option_exists |= IPPF_UNICAST_HOPS;
- is_sticky |= IPPF_UNICAST_HOPS;
- }
+/*
+ * This routine handles all messages passed downstream. It either
+ * consumes the message or passes it downstream; it never queues a
+ * a message.
+ */
+void
+icmp_wput(queue_t *q, mblk_t *mp)
+{
+ sin6_t *sin6;
+ sin_t *sin = NULL;
+ uint_t srcid;
+ conn_t *connp = Q_TO_CONN(q);
+ icmp_t *icmp = connp->conn_icmp;
+ int error = 0;
+ struct sockaddr *addr = NULL;
+ socklen_t addrlen;
+ icmp_stack_t *is = icmp->icmp_is;
+ struct T_unitdata_req *tudr;
+ mblk_t *data_mp;
+ cred_t *cr;
+ pid_t pid;
- if (!(ignore & IPPF_MULTICAST_HOPS) &&
- (icmp->icmp_sticky_ipp.ipp_fields & IPPF_MULTICAST_HOPS)) {
- option_exists |= IPPF_MULTICAST_HOPS;
- is_sticky |= IPPF_MULTICAST_HOPS;
- }
+ /*
+ * We directly handle several cases here: T_UNITDATA_REQ message
+ * coming down as M_PROTO/M_PCPROTO and M_DATA messages for connected
+ * socket.
+ */
+ switch (DB_TYPE(mp)) {
+ case M_DATA:
+ /* sockfs never sends down M_DATA */
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ freemsg(mp);
+ return;
- if (icmp->icmp_sticky_ipp.ipp_fields & IPPF_NO_CKSUM) {
- /* This is a sticky socket option only */
- option_exists |= IPPF_NO_CKSUM;
- is_sticky |= IPPF_NO_CKSUM;
- }
+ case M_PROTO:
+ case M_PCPROTO:
+ tudr = (struct T_unitdata_req *)mp->b_rptr;
+ if (MBLKL(mp) < sizeof (*tudr) ||
+ ((t_primp_t)mp->b_rptr)->type != T_UNITDATA_REQ) {
+ icmp_wput_other(q, mp);
+ return;
+ }
+ break;
- if (icmp->icmp_sticky_ipp.ipp_fields & IPPF_RAW_CKSUM) {
- /* This is a sticky socket option only */
- option_exists |= IPPF_RAW_CKSUM;
- is_sticky |= IPPF_RAW_CKSUM;
+ default:
+ icmp_wput_other(q, mp);
+ return;
}
- if (!(ignore & IPPF_TCLASS)) {
- if (ipp->ipp_fields & IPPF_TCLASS) {
- option_exists |= IPPF_TCLASS;
- } else if (icmp->icmp_sticky_ipp.ipp_fields & IPPF_TCLASS) {
- option_exists |= IPPF_TCLASS;
- is_sticky |= IPPF_TCLASS;
- }
+ /* Handle valid T_UNITDATA_REQ here */
+ data_mp = mp->b_cont;
+ if (data_mp == NULL) {
+ error = EPROTO;
+ goto ud_error2;
}
+ mp->b_cont = NULL;
-no_options:
+ if (!MBLKIN(mp, 0, tudr->DEST_offset + tudr->DEST_length)) {
+ error = EADDRNOTAVAIL;
+ goto ud_error2;
+ }
/*
- * If any options carried in the ip6i_t were specified, we
- * need to account for the ip6i_t in the data we'll be sending
- * down.
+ * All Solaris components should pass a db_credp
+ * for this message, hence we ASSERT.
+ * On production kernels we return an error to be robust against
+ * random streams modules sitting on top of us.
*/
- if (option_exists & IPPF_HAS_IP6I)
- ip_hdr_len += sizeof (ip6i_t);
+ cr = msg_getcred(mp, &pid);
+ ASSERT(cr != NULL);
+ if (cr == NULL) {
+ error = EINVAL;
+ goto ud_error2;
+ }
- /* check/fix buffer config, setup pointers into it */
- ip6h = (ip6_t *)&mp->b_rptr[-ip_hdr_len];
- if ((mp->b_datap->db_ref != 1) ||
- ((unsigned char *)ip6h < mp->b_datap->db_base) ||
- !OK_32PTR(ip6h)) {
- mblk_t *mp1;
-
- /* Try to get everything in a single mblk next time */
- if (ip_hdr_len > icmp->icmp_max_hdr_len) {
- icmp->icmp_max_hdr_len = ip_hdr_len;
-
- (void) proto_set_tx_wroff(q == NULL ? NULL:RD(q), connp,
- icmp->icmp_max_hdr_len + is->is_wroff_extra);
- }
- mp1 = allocb(ip_hdr_len + is->is_wroff_extra, BPRI_LO);
- if (!mp1) {
- BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- kmem_free(hopoptsptr, hopoptslen);
- rw_exit(&icmp->icmp_rwlock);
- return (ENOMEM);
- }
- mp1->b_cont = mp;
- mp1->b_wptr = mp1->b_datap->db_lim;
- ip6h = (ip6_t *)(mp1->b_wptr - ip_hdr_len);
- mp = mp1;
+ /*
+ * If a port has not been bound to the stream, fail.
+ * This is not a problem when sockfs is directly
+ * above us, because it will ensure that the socket
+ * is first bound before allowing data to be sent.
+ */
+ if (icmp->icmp_state == TS_UNBND) {
+ error = EPROTO;
+ goto ud_error2;
}
- mp->b_rptr = (unsigned char *)ip6h;
- ip6i = (ip6i_t *)ip6h;
-
-#define ANCIL_OR_STICKY_PTR(f) ((is_sticky & f) ? &icmp->icmp_sticky_ipp : ipp)
- if (option_exists & IPPF_HAS_IP6I) {
- ip6h = (ip6_t *)&ip6i[1];
- ip6i->ip6i_flags = 0;
- ip6i->ip6i_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
-
- /* sin6_scope_id takes precendence over IPPF_IFINDEX */
- if (option_exists & IPPF_SCOPE_ID) {
- ip6i->ip6i_flags |= IP6I_IFINDEX;
- ip6i->ip6i_ifindex = sin6->sin6_scope_id;
- } else if (option_exists & IPPF_IFINDEX) {
- tipp = ANCIL_OR_STICKY_PTR(IPPF_IFINDEX);
- ASSERT(tipp->ipp_ifindex != 0);
- ip6i->ip6i_flags |= IP6I_IFINDEX;
- ip6i->ip6i_ifindex = tipp->ipp_ifindex;
+ addr = (struct sockaddr *)&mp->b_rptr[tudr->DEST_offset];
+ addrlen = tudr->DEST_length;
+
+ switch (connp->conn_family) {
+ case AF_INET6:
+ sin6 = (sin6_t *)addr;
+ if (!OK_32PTR((char *)sin6) || (addrlen != sizeof (sin6_t)) ||
+ (sin6->sin6_family != AF_INET6)) {
+ error = EADDRNOTAVAIL;
+ goto ud_error2;
}
- if (option_exists & IPPF_RAW_CKSUM) {
- ip6i->ip6i_flags |= IP6I_RAW_CHECKSUM;
- ip6i->ip6i_checksum_off = icmp->icmp_checksum_off;
+ /* No support for mapped addresses on raw sockets */
+ if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
+ error = EADDRNOTAVAIL;
+ goto ud_error2;
}
+ srcid = sin6->__sin6_src_id;
- if (option_exists & IPPF_NO_CKSUM) {
- ip6i->ip6i_flags |= IP6I_NO_ULP_CKSUM;
+ /*
+ * If the local address is a mapped address return
+ * an error.
+ * It would be possible to send an IPv6 packet but the
+ * response would never make it back to the application
+ * since it is bound to a mapped address.
+ */
+ if (IN6_IS_ADDR_V4MAPPED(&connp->conn_saddr_v6)) {
+ error = EADDRNOTAVAIL;
+ goto ud_error2;
}
- if (option_exists & IPPF_ADDR) {
+ if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
+ sin6->sin6_addr = ipv6_loopback;
+
+ if (tudr->OPT_length != 0) {
/*
- * Enable per-packet source address verification if
- * IPV6_PKTINFO specified the source address.
- * ip6_src is set in the transport's _wput function.
+ * If we are connected then the destination needs to be
+ * the same as the connected one.
*/
- ip6i->ip6i_flags |= IP6I_VERIFY_SRC;
- }
+ if (icmp->icmp_state == TS_DATA_XFER &&
+ !conn_same_as_last_v6(connp, sin6)) {
+ error = EISCONN;
+ goto ud_error2;
+ }
+ error = icmp_output_ancillary(connp, NULL, sin6,
+ data_mp, mp, NULL, cr, pid);
+ } else {
+ ip_xmit_attr_t *ixa;
- if (option_exists & IPPF_DONTFRAG) {
- ip6i->ip6i_flags |= IP6I_DONTFRAG;
+ /*
+ * We have to allocate an ip_xmit_attr_t before we grab
+ * conn_lock and we need to hold conn_lock once we've
+ * checked conn_same_as_last_v6 to handle concurrent
+ * send* calls on a socket.
+ */
+ ixa = conn_get_ixa(connp, B_FALSE);
+ if (ixa == NULL) {
+ error = ENOMEM;
+ goto ud_error2;
+ }
+ mutex_enter(&connp->conn_lock);
+
+ if (conn_same_as_last_v6(connp, sin6) &&
+ connp->conn_lastsrcid == srcid &&
+ ipsec_outbound_policy_current(ixa)) {
+ /* icmp_output_lastdst drops conn_lock */
+ error = icmp_output_lastdst(connp, data_mp, cr,
+ pid, ixa);
+ } else {
+ /* icmp_output_newdst drops conn_lock */
+ error = icmp_output_newdst(connp, data_mp, NULL,
+ sin6, cr, pid, ixa);
+ }
+ ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
}
+ if (error == 0) {
+ freeb(mp);
+ return;
+ }
+ break;
- if (option_exists & IPPF_USE_MIN_MTU) {
- ip6i->ip6i_flags = IP6I_API_USE_MIN_MTU(
- ip6i->ip6i_flags, ipp->ipp_use_min_mtu);
+ case AF_INET:
+ sin = (sin_t *)addr;
+ if ((!OK_32PTR((char *)sin) || addrlen != sizeof (sin_t)) ||
+ (sin->sin_family != AF_INET)) {
+ error = EADDRNOTAVAIL;
+ goto ud_error2;
}
+ if (sin->sin_addr.s_addr == INADDR_ANY)
+ sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
- if (option_exists & IPPF_NEXTHOP) {
- tipp = ANCIL_OR_STICKY_PTR(IPPF_NEXTHOP);
- ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&tipp->ipp_nexthop));
- ip6i->ip6i_flags |= IP6I_NEXTHOP;
- ip6i->ip6i_nexthop = tipp->ipp_nexthop;
+ /* Protocol 255 contains full IP headers */
+ /* Read without holding lock */
+ if (icmp->icmp_hdrincl) {
+ if (MBLKL(data_mp) < IP_SIMPLE_HDR_LENGTH) {
+ if (!pullupmsg(data_mp, IP_SIMPLE_HDR_LENGTH)) {
+ error = EINVAL;
+ goto ud_error2;
+ }
+ }
+ error = icmp_output_hdrincl(connp, data_mp, cr, pid);
+ if (error == 0) {
+ freeb(mp);
+ return;
+ }
+ /* data_mp consumed above */
+ data_mp = NULL;
+ goto ud_error2;
}
- /*
- * tell IP this is an ip6i_t private header
- */
- ip6i->ip6i_nxt = IPPROTO_RAW;
- }
-
- /* Initialize IPv6 header */
- ip6h->ip6_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
- bzero(&ip6h->ip6_src, sizeof (ip6h->ip6_src));
-
- /* Set the hoplimit of the outgoing packet. */
- if (option_exists & IPPF_HOPLIMIT) {
- /* IPV6_HOPLIMIT ancillary data overrides all other settings. */
- ip6h->ip6_hops = ipp->ipp_hoplimit;
- ip6i->ip6i_flags |= IP6I_HOPLIMIT;
- } else if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) {
- ip6h->ip6_hops = icmp->icmp_multicast_ttl;
- if (option_exists & IPPF_MULTICAST_HOPS)
- ip6i->ip6i_flags |= IP6I_HOPLIMIT;
- } else {
- ip6h->ip6_hops = icmp->icmp_ttl;
- if (option_exists & IPPF_UNICAST_HOPS)
- ip6i->ip6i_flags |= IP6I_HOPLIMIT;
- }
+ if (tudr->OPT_length != 0) {
+ /*
+ * If we are connected then the destination needs to be
+ * the same as the connected one.
+ */
+ if (icmp->icmp_state == TS_DATA_XFER &&
+ !conn_same_as_last_v4(connp, sin)) {
+ error = EISCONN;
+ goto ud_error2;
+ }
+ error = icmp_output_ancillary(connp, sin, NULL,
+ data_mp, mp, NULL, cr, pid);
+ } else {
+ ip_xmit_attr_t *ixa;
- if (option_exists & IPPF_ADDR) {
- tipp = ANCIL_OR_STICKY_PTR(IPPF_ADDR);
- ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&tipp->ipp_addr));
- ip6h->ip6_src = tipp->ipp_addr;
- } else {
- /*
- * The source address was not set using IPV6_PKTINFO.
- * First look at the bound source.
- * If unspecified fallback to __sin6_src_id.
- */
- ip6h->ip6_src = icmp->icmp_v6src;
- if (sin6->__sin6_src_id != 0 &&
- IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) {
- ip_srcid_find_id(sin6->__sin6_src_id,
- &ip6h->ip6_src, icmp->icmp_zoneid,
- is->is_netstack);
+ /*
+ * We have to allocate an ip_xmit_attr_t before we grab
+ * conn_lock and we need to hold conn_lock once we've
+ * checked conn_same_as_last_v4 to handle concurrent
+ * send* calls on a socket.
+ */
+ ixa = conn_get_ixa(connp, B_FALSE);
+ if (ixa == NULL) {
+ error = ENOMEM;
+ goto ud_error2;
+ }
+ mutex_enter(&connp->conn_lock);
+
+ if (conn_same_as_last_v4(connp, sin) &&
+ ipsec_outbound_policy_current(ixa)) {
+ /* icmp_output_lastdst drops conn_lock */
+ error = icmp_output_lastdst(connp, data_mp, cr,
+ pid, ixa);
+ } else {
+ /* icmp_output_newdst drops conn_lock */
+ error = icmp_output_newdst(connp, data_mp, sin,
+ NULL, cr, pid, ixa);
+ }
+ ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
+ }
+ if (error == 0) {
+ freeb(mp);
+ return;
}
+ break;
}
+ ASSERT(mp != NULL);
+ /* mp is freed by the following routine */
+ icmp_ud_err(q, mp, (t_scalar_t)error);
+ return;
- nxthdr_ptr = (uint8_t *)&ip6h->ip6_nxt;
- cp = (uint8_t *)&ip6h[1];
+ud_error2:
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ freemsg(data_mp);
+ ASSERT(mp != NULL);
+ /* mp is freed by the following routine */
+ icmp_ud_err(q, mp, (t_scalar_t)error);
+}
+
+/*
+ * Handle the case of the IP address or flow label being different
+ * for both IPv4 and IPv6.
+ *
+ * NOTE: The caller must hold conn_lock and we drop it here.
+ */
+static int
+icmp_output_newdst(conn_t *connp, mblk_t *data_mp, sin_t *sin, sin6_t *sin6,
+ cred_t *cr, pid_t pid, ip_xmit_attr_t *ixa)
+{
+ icmp_t *icmp = connp->conn_icmp;
+ icmp_stack_t *is = icmp->icmp_is;
+ int error;
+ ip_xmit_attr_t *oldixa;
+ boolean_t do_ipsec;
+ uint_t srcid;
+ uint32_t flowinfo;
+ in6_addr_t v6src;
+ in6_addr_t v6dst;
+ in6_addr_t v6nexthop;
+ in_port_t dstport;
+
+ ASSERT(MUTEX_HELD(&connp->conn_lock));
+ ASSERT(ixa != NULL);
/*
- * Here's where we have to start stringing together
- * any extension headers in the right order:
- * Hop-by-hop, destination, routing, and final destination opts.
+ * We hold conn_lock across all the use and modifications of
+ * the conn_lastdst, conn_ixa, and conn_xmit_ipp to ensure that they
+ * stay consistent.
*/
- if (option_exists & IPPF_HOPOPTS) {
- /* Hop-by-hop options */
- ip6_hbh_t *hbh = (ip6_hbh_t *)cp;
-
- *nxthdr_ptr = IPPROTO_HOPOPTS;
- nxthdr_ptr = &hbh->ip6h_nxt;
- if (hopoptslen == 0) {
- tipp = ANCIL_OR_STICKY_PTR(IPPF_HOPOPTS);
- bcopy(tipp->ipp_hopopts, cp, tipp->ipp_hopoptslen);
- cp += tipp->ipp_hopoptslen;
- } else {
- bcopy(hopoptsptr, cp, hopoptslen);
- cp += hopoptslen;
- kmem_free(hopoptsptr, hopoptslen);
- }
+ ASSERT(cr != NULL);
+ ixa->ixa_cred = cr;
+ ixa->ixa_cpid = pid;
+ if (is_system_labeled()) {
+ /* We need to restart with a label based on the cred */
+ ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
}
/*
- * En-route destination options
- * Only do them if there's a routing header as well
+ * If we are connected then the destination needs to be the
+ * same as the connected one, which is not the case here since we
+ * checked for that above.
*/
- if (option_exists & IPPF_RTDSTOPTS) {
- ip6_dest_t *dst = (ip6_dest_t *)cp;
- tipp = ANCIL_OR_STICKY_PTR(IPPF_RTDSTOPTS);
+ if (icmp->icmp_state == TS_DATA_XFER) {
+ mutex_exit(&connp->conn_lock);
+ error = EISCONN;
+ goto ud_error;
+ }
- *nxthdr_ptr = IPPROTO_DSTOPTS;
- nxthdr_ptr = &dst->ip6d_nxt;
+ /* In case previous destination was multicast or multirt */
+ ip_attr_newdst(ixa);
- bcopy(tipp->ipp_rtdstopts, cp, tipp->ipp_rtdstoptslen);
- cp += tipp->ipp_rtdstoptslen;
- }
/*
- * Routing header next
+ * If laddr is unspecified then we look at sin6_src_id.
+ * We will give precedence to a source address set with IPV6_PKTINFO
+ * (aka IPPF_ADDR) but that is handled in build_hdrs. However, we don't
+ * want ip_attr_connect to select a source (since it can fail) when
+ * IPV6_PKTINFO is specified.
+ * If this doesn't result in a source address then we get a source
+ * from ip_attr_connect() below.
*/
- if (option_exists & IPPF_RTHDR) {
- ip6_rthdr_t *rt = (ip6_rthdr_t *)cp;
- tipp = ANCIL_OR_STICKY_PTR(IPPF_RTHDR);
+ v6src = connp->conn_saddr_v6;
+ if (sin != NULL) {
+ IN6_IPADDR_TO_V4MAPPED(sin->sin_addr.s_addr, &v6dst);
+ dstport = sin->sin_port;
+ flowinfo = 0;
+ srcid = 0;
+ ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
+ if (srcid != 0 && V4_PART_OF_V6(&v6src) == INADDR_ANY) {
+ ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
+ connp->conn_netstack);
+ }
+ ixa->ixa_flags |= IXAF_IS_IPV4;
+ } else {
+ v6dst = sin6->sin6_addr;
+ dstport = sin6->sin6_port;
+ flowinfo = sin6->sin6_flowinfo;
+ srcid = sin6->__sin6_src_id;
+ if (IN6_IS_ADDR_LINKSCOPE(&v6dst) && sin6->sin6_scope_id != 0) {
+ ixa->ixa_scopeid = sin6->sin6_scope_id;
+ ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ } else {
+ ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
+ }
+ if (srcid != 0 && IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
+ ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
+ connp->conn_netstack);
+ }
+ if (IN6_IS_ADDR_V4MAPPED(&v6dst))
+ ixa->ixa_flags |= IXAF_IS_IPV4;
+ else
+ ixa->ixa_flags &= ~IXAF_IS_IPV4;
+ }
+ /* Handle IPV6_PKTINFO setting source address. */
+ if (IN6_IS_ADDR_UNSPECIFIED(&v6src) &&
+ (connp->conn_xmit_ipp.ipp_fields & IPPF_ADDR)) {
+ ip_pkt_t *ipp = &connp->conn_xmit_ipp;
- *nxthdr_ptr = IPPROTO_ROUTING;
- nxthdr_ptr = &rt->ip6r_nxt;
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ if (IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
+ v6src = ipp->ipp_addr;
+ } else {
+ if (!IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
+ v6src = ipp->ipp_addr;
+ }
+ }
- bcopy(tipp->ipp_rthdr, cp, tipp->ipp_rthdrlen);
- cp += tipp->ipp_rthdrlen;
+ /* Defer IPsec if it might need to look at ICMP type/code */
+ switch (ixa->ixa_protocol) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ do_ipsec = B_FALSE;
+ break;
+ default:
+ do_ipsec = B_TRUE;
}
- /*
- * Do ultimate destination options
- */
- if (option_exists & IPPF_DSTOPTS) {
- ip6_dest_t *dest = (ip6_dest_t *)cp;
- tipp = ANCIL_OR_STICKY_PTR(IPPF_DSTOPTS);
- *nxthdr_ptr = IPPROTO_DSTOPTS;
- nxthdr_ptr = &dest->ip6d_nxt;
+ ip_attr_nexthop(&connp->conn_xmit_ipp, ixa, &v6dst, &v6nexthop);
+ mutex_exit(&connp->conn_lock);
- bcopy(tipp->ipp_dstopts, cp, tipp->ipp_dstoptslen);
- cp += tipp->ipp_dstoptslen;
+ error = ip_attr_connect(connp, ixa, &v6src, &v6dst, &v6nexthop, dstport,
+ &v6src, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST |
+ (do_ipsec ? IPDF_IPSEC : 0));
+ switch (error) {
+ case 0:
+ break;
+ case EADDRNOTAVAIL:
+ /*
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
+ */
+ error = ENETUNREACH;
+ goto failed;
+ case ENETDOWN:
+ /*
+ * Have !ipif_addr_ready address; drop packet silently
+ * until we can get applications to not send until we
+ * are ready.
+ */
+ error = 0;
+ goto failed;
+ case EHOSTUNREACH:
+ case ENETUNREACH:
+ if (ixa->ixa_ire != NULL) {
+ /*
+ * Let conn_ip_output/ire_send_noroute return
+ * the error and send any local ICMP error.
+ */
+ error = 0;
+ break;
+ }
+ /* FALLTHRU */
+ default:
+ failed:
+ goto ud_error;
}
+ mutex_enter(&connp->conn_lock);
/*
- * Now set the last header pointer to the proto passed in
+ * While we dropped the lock some other thread might have connected
+ * this socket. If so we bail out with EISCONN to ensure that the
+ * connecting thread is the one that updates conn_ixa, conn_ht_*
+ * and conn_*last*.
*/
- ASSERT((int)(cp - (uint8_t *)ip6i) == ip_hdr_len);
- *nxthdr_ptr = icmp->icmp_proto;
+ if (icmp->icmp_state == TS_DATA_XFER) {
+ mutex_exit(&connp->conn_lock);
+ error = EISCONN;
+ goto ud_error;
+ }
/*
- * Copy in the destination address
+ * We need to rebuild the headers if
+ * - we are labeling packets (could be different for different
+ * destinations)
+ * - we have a source route (or routing header) since we need to
+ * massage that to get the pseudo-header checksum
+ * - a socket option with COA_HEADER_CHANGED has been set which
+ * set conn_v6lastdst to zero.
+ *
+ * Otherwise the prepend function will just update the src, dst,
+ * and flow label.
*/
- ip6h->ip6_dst = ip6_dst;
-
- ip6h->ip6_vcf =
- (IPV6_DEFAULT_VERS_AND_FLOW & IPV6_VERS_AND_FLOW_MASK) |
- (sin6->sin6_flowinfo & ~IPV6_VERS_AND_FLOW_MASK);
-
- if (option_exists & IPPF_TCLASS) {
- tipp = ANCIL_OR_STICKY_PTR(IPPF_TCLASS);
- ip6h->ip6_vcf = IPV6_TCLASS_FLOW(ip6h->ip6_vcf,
- tipp->ipp_tclass);
- }
- if (option_exists & IPPF_RTHDR) {
- ip6_rthdr_t *rth;
-
+ if (is_system_labeled()) {
+ /* TX MLP requires SCM_UCRED and don't have that here */
+ if (connp->conn_mlp_type != mlptSingle) {
+ mutex_exit(&connp->conn_lock);
+ error = ECONNREFUSED;
+ goto ud_error;
+ }
/*
- * Perform any processing needed for source routing.
- * We know that all extension headers will be in the same mblk
- * as the IPv6 header.
+ * Check whether Trusted Solaris policy allows communication
+ * with this host, and pretend that the destination is
+ * unreachable if not.
+ * Compute any needed label and place it in ipp_label_v4/v6.
+ *
+ * Later conn_build_hdr_template/conn_prepend_hdr takes
+ * ipp_label_v4/v6 to form the packet.
+ *
+ * Tsol note: Since we hold conn_lock we know no other
+ * thread manipulates conn_xmit_ipp.
*/
- rth = ip_find_rthdr_v6(ip6h, mp->b_wptr);
- if (rth != NULL && rth->ip6r_segleft != 0) {
- if (rth->ip6r_type != IPV6_RTHDR_TYPE_0) {
- /*
- * Drop packet - only support Type 0 routing.
- * Notify the application as well.
- */
- BUMP_MIB(&is->is_rawip_mib,
- rawipOutErrors);
- rw_exit(&icmp->icmp_rwlock);
- return (EPROTO);
- }
- /*
- * rth->ip6r_len is twice the number of
- * addresses in the header
- */
- if (rth->ip6r_len & 0x1) {
- BUMP_MIB(&is->is_rawip_mib,
- rawipOutErrors);
- rw_exit(&icmp->icmp_rwlock);
- return (EPROTO);
- }
- /*
- * Shuffle the routing header and ip6_dst
- * addresses, and get the checksum difference
- * between the first hop (in ip6_dst) and
- * the destination (in the last routing hdr entry).
- */
- csum = ip_massage_options_v6(ip6h, rth,
- is->is_netstack);
- /*
- * Verify that the first hop isn't a mapped address.
- * Routers along the path need to do this verification
- * for subsequent hops.
- */
- if (IN6_IS_ADDR_V4MAPPED(&ip6h->ip6_dst)) {
- BUMP_MIB(&is->is_rawip_mib,
- rawipOutErrors);
- rw_exit(&icmp->icmp_rwlock);
- return (EADDRNOTAVAIL);
+ error = conn_update_label(connp, ixa, &v6dst,
+ &connp->conn_xmit_ipp);
+ if (error != 0) {
+ mutex_exit(&connp->conn_lock);
+ goto ud_error;
+ }
+ /* Rebuild the header template */
+ error = icmp_build_hdr_template(connp, &v6src, &v6dst,
+ flowinfo);
+ if (error != 0) {
+ mutex_exit(&connp->conn_lock);
+ goto ud_error;
+ }
+ } else if (connp->conn_xmit_ipp.ipp_fields &
+ (IPPF_IPV4_OPTIONS|IPPF_RTHDR) ||
+ IN6_IS_ADDR_UNSPECIFIED(&connp->conn_v6lastdst)) {
+ /* Rebuild the header template */
+ error = icmp_build_hdr_template(connp, &v6src, &v6dst,
+ flowinfo);
+ if (error != 0) {
+ mutex_exit(&connp->conn_lock);
+ goto ud_error;
+ }
+ } else {
+ /* Simply update the destination address if no source route */
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)connp->conn_ht_iphc;
+
+ IN6_V4MAPPED_TO_IPADDR(&v6dst, ipha->ipha_dst);
+ if (ixa->ixa_flags & IXAF_PMTU_IPV4_DF) {
+ ipha->ipha_fragment_offset_and_flags |=
+ IPH_DF_HTONS;
+ } else {
+ ipha->ipha_fragment_offset_and_flags &=
+ ~IPH_DF_HTONS;
}
+ } else {
+ ip6_t *ip6h = (ip6_t *)connp->conn_ht_iphc;
+ ip6h->ip6_dst = v6dst;
}
}
- ip_len = mp->b_wptr - (uchar_t *)ip6h - IPV6_HDR_LEN;
- if (mp->b_cont != NULL)
- ip_len += msgdsize(mp->b_cont);
-
/*
- * Set the length into the IP header.
- * If the length is greater than the maximum allowed by IP,
- * then free the message and return. Do not try and send it
- * as this can cause problems in layers below.
+ * Remember the dst etc which corresponds to the built header
+ * template and conn_ixa.
*/
- if (ip_len > IP_MAXPACKET) {
- BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- rw_exit(&icmp->icmp_rwlock);
- return (EMSGSIZE);
+ oldixa = conn_replace_ixa(connp, ixa);
+ connp->conn_v6lastdst = v6dst;
+ connp->conn_lastflowinfo = flowinfo;
+ connp->conn_lastscopeid = ixa->ixa_scopeid;
+ connp->conn_lastsrcid = srcid;
+ /* Also remember a source to use together with lastdst */
+ connp->conn_v6lastsrc = v6src;
+
+ data_mp = icmp_prepend_header_template(connp, ixa, data_mp, &v6src,
+ flowinfo, &error);
+
+ /* Done with conn_t */
+ mutex_exit(&connp->conn_lock);
+ ixa_refrele(oldixa);
+
+ if (data_mp == NULL) {
+ ASSERT(error != 0);
+ goto ud_error;
}
- if (icmp->icmp_proto == IPPROTO_ICMPV6 || icmp->icmp_raw_checksum) {
- uint_t cksum_off; /* From ip6i == mp->b_rptr */
- uint16_t *cksum_ptr;
- uint_t ext_hdrs_len;
- /* ICMPv6 must have an offset matching icmp6_cksum offset */
- ASSERT(icmp->icmp_proto != IPPROTO_ICMPV6 ||
- icmp->icmp_checksum_off == 2);
+ if (!do_ipsec) {
+ /* Policy might differ for different ICMP type/code */
+ data_mp = icmp_output_attach_policy(data_mp, connp, ixa);
+ if (data_mp == NULL) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ error = EHOSTUNREACH; /* IPsec policy failure */
+ goto done;
+ }
+ }
+ /* We're done. Pass the packet to ip. */
+ BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
+
+ error = conn_ip_output(data_mp, ixa);
+ /* No rawipOutErrors if an error since IP increases its error counter */
+ switch (error) {
+ case 0:
+ break;
+ case EWOULDBLOCK:
+ (void) ixa_check_drain_insert(connp, ixa);
+ error = 0;
+ break;
+ case EADDRNOTAVAIL:
/*
- * We make it easy for IP to include our pseudo header
- * by putting our length in uh_checksum, modified (if
- * we have a routing header) by the checksum difference
- * between the ultimate destination and first hop addresses.
- * Note: ICMPv6 must always checksum the packet.
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
*/
- cksum_off = ip_hdr_len + icmp->icmp_checksum_off;
- if (cksum_off + sizeof (uint16_t) > mp->b_wptr - mp->b_rptr) {
- if (!pullupmsg(mp, cksum_off + sizeof (uint16_t))) {
- BUMP_MIB(&is->is_rawip_mib,
- rawipOutErrors);
- freemsg(mp);
- rw_exit(&icmp->icmp_rwlock);
- return (0);
- }
- ip6i = (ip6i_t *)mp->b_rptr;
- if (ip6i->ip6i_nxt == IPPROTO_RAW)
- ip6h = (ip6_t *)&ip6i[1];
- else
- ip6h = (ip6_t *)ip6i;
- }
- /* Add payload length to checksum */
- ext_hdrs_len = ip_hdr_len - IPV6_HDR_LEN -
- (int)((uchar_t *)ip6h - (uchar_t *)ip6i);
- csum += htons(ip_len - ext_hdrs_len);
-
- cksum_ptr = (uint16_t *)((uchar_t *)ip6i + cksum_off);
- csum = (csum & 0xFFFF) + (csum >> 16);
- *cksum_ptr = (uint16_t)csum;
+ error = ENETUNREACH;
+ /* FALLTHRU */
+ default:
+ mutex_enter(&connp->conn_lock);
+ /*
+ * Clear the source and v6lastdst so we call ip_attr_connect
+ * for the next packet and try to pick a better source.
+ */
+ if (connp->conn_mcbc_bind)
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ else
+ connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ mutex_exit(&connp->conn_lock);
+ break;
}
+done:
+ ixa_refrele(ixa);
+ return (error);
-#ifdef _LITTLE_ENDIAN
- ip_len = htons(ip_len);
-#endif
- ip6h->ip6_plen = (uint16_t)ip_len;
+ud_error:
+ if (ixa != NULL)
+ ixa_refrele(ixa);
- /* We're done. Pass the packet to IP */
- rw_exit(&icmp->icmp_rwlock);
- BUMP_MIB(&is->is_rawip_mib, rawipOutDatagrams);
- ip_output_v6(icmp->icmp_connp, mp, q, IP_WPUT);
- return (0);
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ freemsg(data_mp);
+ return (error);
+}
+
+/* ARGSUSED */
+static void
+icmp_wput_fallback(queue_t *q, mblk_t *mp)
+{
+#ifdef DEBUG
+ cmn_err(CE_CONT, "icmp_wput_fallback: Message during fallback \n");
+#endif
+ freemsg(mp);
}
static void
@@ -5559,7 +4622,6 @@ icmp_wput_other(queue_t *q, mblk_t *mp)
{
uchar_t *rptr = mp->b_rptr;
struct iocblk *iocp;
-#define tudr ((struct T_unitdata_req *)rptr)
conn_t *connp = Q_TO_CONN(q);
icmp_t *icmp = connp->conn_icmp;
icmp_stack_t *is = icmp->icmp_is;
@@ -5576,7 +4638,7 @@ icmp_wput_other(queue_t *q, mblk_t *mp)
freemsg(mp);
return;
}
- switch (((union T_primitives *)rptr)->type) {
+ switch (((t_primp_t)rptr)->type) {
case T_ADDR_REQ:
icmp_addr_req(q, mp);
return;
@@ -5596,15 +4658,14 @@ icmp_wput_other(queue_t *q, mblk_t *mp)
case T_UNITDATA_REQ:
/*
* If a T_UNITDATA_REQ gets here, the address must
- * be bad. Valid T_UNITDATA_REQs are found above
- * and break to below this switch.
+ * be bad. Valid T_UNITDATA_REQs are handled
+ * in icmp_wput.
*/
icmp_ud_err(q, mp, EADDRNOTAVAIL);
return;
case T_UNBIND_REQ:
icmp_tpi_unbind(q, mp);
return;
-
case T_SVR4_OPTMGMT_REQ:
/*
* All Solaris components should pass a db_credp
@@ -5622,9 +4683,7 @@ icmp_wput_other(queue_t *q, mblk_t *mp)
if (!snmpcom_req(q, mp, icmp_snmp_set, ip_snmp_get,
cr)) {
- /* Only IP can return anything meaningful */
- (void) svr4_optcom_req(q, mp, cr,
- &icmp_opt_obj, B_TRUE);
+ svr4_optcom_req(q, mp, cr, &icmp_opt_obj);
}
return;
@@ -5642,8 +4701,7 @@ icmp_wput_other(queue_t *q, mblk_t *mp)
icmp_err_ack(q, mp, TSYSERR, EINVAL);
return;
}
- /* Only IP can return anything meaningful */
- (void) tpi_optcom_req(q, mp, cr, &icmp_opt_obj, B_TRUE);
+ tpi_optcom_req(q, mp, cr, &icmp_opt_obj);
return;
case T_DISCON_REQ:
@@ -5660,13 +4718,16 @@ icmp_wput_other(queue_t *q, mblk_t *mp)
case T_DATA_REQ:
case T_EXDATA_REQ:
case T_ORDREL_REQ:
- freemsg(mp);
- (void) putctl1(RD(q), M_ERROR, EPROTO);
+ icmp_err_ack(q, mp, TNOTSUPPORT, 0);
return;
default:
break;
}
break;
+ case M_FLUSH:
+ if (*rptr & FLUSHW)
+ flushq(q, FLUSHDATA);
+ break;
case M_IOCTL:
iocp = (struct iocblk *)mp->b_rptr;
switch (iocp->ioc_cmd) {
@@ -5678,7 +4739,6 @@ icmp_wput_other(queue_t *q, mblk_t *mp)
* don't know the peer's name.
*/
iocp->ioc_error = ENOTCONN;
- err_ret:;
iocp->ioc_count = 0;
mp->b_datap->db_type = M_IOCACK;
qreply(q, mp);
@@ -5696,22 +4756,13 @@ icmp_wput_other(queue_t *q, mblk_t *mp)
SIZEOF_STRUCT(strbuf, iocp->ioc_flag));
return;
case ND_SET:
- /* nd_getset performs the necessary error checking */
+ /* nd_getset performs the necessary checking */
case ND_GET:
if (nd_getset(q, is->is_nd, mp)) {
qreply(q, mp);
return;
}
break;
- case _SIOCSOCKFALLBACK:
- /*
- * socket is falling back to be a
- * streams socket. Nothing to do
- */
- iocp->ioc_count = 0;
- iocp->ioc_rval = 0;
- qreply(q, mp);
- return;
default:
break;
}
@@ -5720,23 +4771,24 @@ icmp_wput_other(queue_t *q, mblk_t *mp)
icmp_wput_iocdata(q, mp);
return;
default:
+ /* Unrecognized messages are passed through without change. */
break;
}
- ip_wput(q, mp);
+ ip_wput_nondata(q, mp);
}
/*
- * icmp_wput_iocdata is called by icmp_wput_slow to handle all M_IOCDATA
+ * icmp_wput_iocdata is called by icmp_wput_other to handle all M_IOCDATA
* messages.
*/
static void
icmp_wput_iocdata(queue_t *q, mblk_t *mp)
{
- mblk_t *mp1;
+ mblk_t *mp1;
STRUCT_HANDLE(strbuf, sb);
- icmp_t *icmp;
- uint_t addrlen;
- uint_t error;
+ uint_t addrlen;
+ conn_t *connp = Q_TO_CONN(q);
+ icmp_t *icmp = connp->conn_icmp;
/* Make sure it is one of ours. */
switch (((struct iocblk *)mp->b_rptr)->ioc_cmd) {
@@ -5744,10 +4796,10 @@ icmp_wput_iocdata(queue_t *q, mblk_t *mp)
case TI_GETPEERNAME:
break;
default:
- icmp = Q_TO_ICMP(q);
- ip_output(icmp->icmp_connp, mp, q, IP_WPUT);
+ ip_wput_nondata(q, mp);
return;
}
+
switch (mi_copy_state(q, mp, &mp1)) {
case -1:
return;
@@ -5776,6 +4828,7 @@ icmp_wput_iocdata(queue_t *q, mblk_t *mp)
mi_copy_done(q, mp, EPROTO);
return;
}
+
/*
* Now we have the strbuf structure for TI_GETMYNAME
* and TI_GETPEERNAME. Next we copyout the requested
@@ -5783,8 +4836,8 @@ icmp_wput_iocdata(queue_t *q, mblk_t *mp)
*/
STRUCT_SET_HANDLE(sb, ((struct iocblk *)mp->b_rptr)->ioc_flag,
(void *)mp1->b_rptr);
- icmp = Q_TO_ICMP(q);
- if (icmp->icmp_family == AF_INET)
+
+ if (connp->conn_family == AF_INET)
addrlen = sizeof (sin_t);
else
addrlen = sizeof (sin6_t);
@@ -5793,72 +4846,37 @@ icmp_wput_iocdata(queue_t *q, mblk_t *mp)
mi_copy_done(q, mp, EINVAL);
return;
}
-
+ switch (((struct iocblk *)mp->b_rptr)->ioc_cmd) {
+ case TI_GETMYNAME:
+ break;
+ case TI_GETPEERNAME:
+ if (icmp->icmp_state != TS_DATA_XFER) {
+ mi_copy_done(q, mp, ENOTCONN);
+ return;
+ }
+ break;
+ default:
+ mi_copy_done(q, mp, EPROTO);
+ return;
+ }
mp1 = mi_copyout_alloc(q, mp, STRUCT_FGETP(sb, buf), addrlen, B_TRUE);
-
- if (mp1 == NULL)
+ if (!mp1)
return;
- rw_enter(&icmp->icmp_rwlock, RW_READER);
+ STRUCT_FSET(sb, len, addrlen);
switch (((struct iocblk *)mp->b_rptr)->ioc_cmd) {
case TI_GETMYNAME:
- error = rawip_do_getsockname(icmp, (void *)mp1->b_rptr,
+ (void) conn_getsockname(connp, (struct sockaddr *)mp1->b_wptr,
&addrlen);
break;
case TI_GETPEERNAME:
- error = rawip_do_getpeername(icmp, (void *)mp1->b_rptr,
+ (void) conn_getpeername(connp, (struct sockaddr *)mp1->b_wptr,
&addrlen);
break;
}
- rw_exit(&icmp->icmp_rwlock);
-
- if (error != 0) {
- mi_copy_done(q, mp, error);
- } else {
- mp1->b_wptr += addrlen;
- STRUCT_FSET(sb, len, addrlen);
-
- /* Copy out the address */
- mi_copyout(q, mp);
- }
-}
-
-static int
-icmp_unitdata_opt_process(queue_t *q, mblk_t *mp, int *errorp,
- void *thisdg_attrs)
-{
- struct T_unitdata_req *udreqp;
- int is_absreq_failure;
- cred_t *cr;
-
- udreqp = (struct T_unitdata_req *)mp->b_rptr;
- *errorp = 0;
-
- /*
- * All Solaris components should pass a db_credp
- * for this TPI message, hence we ASSERT.
- * But in case there is some other M_PROTO that looks
- * like a TPI message sent by some other kernel
- * component, we check and return an error.
- */
- cr = msg_getcred(mp, NULL);
- ASSERT(cr != NULL);
- if (cr == NULL)
- return (-1);
-
- *errorp = tpi_optcom_buf(q, mp, &udreqp->OPT_length,
- udreqp->OPT_offset, cr, &icmp_opt_obj,
- thisdg_attrs, &is_absreq_failure);
-
- if (*errorp != 0) {
- /*
- * Note: No special action needed in this
- * module for "is_absreq_failure"
- */
- return (-1); /* failure */
- }
- ASSERT(is_absreq_failure == 0);
- return (0); /* success */
+ mp1->b_wptr += addrlen;
+ /* Copy out the address */
+ mi_copyout(q, mp);
}
void
@@ -6013,7 +5031,7 @@ rawip_bind(sock_lower_handle_t proto_handle, struct sockaddr *sa,
socklen_t len, cred_t *cr)
{
conn_t *connp = (conn_t *)proto_handle;
- int error;
+ int error;
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
@@ -6042,14 +5060,14 @@ rawip_implicit_bind(conn_t *connp)
socklen_t len;
int error;
- if (connp->conn_icmp->icmp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
len = sizeof (struct sockaddr_in);
sin = (sin_t *)&sin6addr;
*sin = sin_null;
sin->sin_family = AF_INET;
sin->sin_addr.s_addr = INADDR_ANY;
} else {
- ASSERT(connp->conn_icmp->icmp_family == AF_INET6);
+ ASSERT(connp->conn_family == AF_INET6);
len = sizeof (sin6_t);
sin6 = (sin6_t *)&sin6addr;
*sin6 = sin6_null;
@@ -6081,7 +5099,6 @@ rawip_listen(sock_lower_handle_t proto_handle, int backlog, cred_t *cr)
return (EOPNOTSUPP);
}
-/* ARGSUSED */
int
rawip_connect(sock_lower_handle_t proto_handle, const struct sockaddr *sa,
socklen_t len, sock_connid_t *id, cred_t *cr)
@@ -6090,6 +5107,7 @@ rawip_connect(sock_lower_handle_t proto_handle, const struct sockaddr *sa,
icmp_t *icmp = connp->conn_icmp;
int error;
boolean_t did_bind = B_FALSE;
+ pid_t pid = curproc->p_pid;
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
@@ -6106,7 +5124,7 @@ rawip_connect(sock_lower_handle_t proto_handle, const struct sockaddr *sa,
return (error);
}
- error = proto_verify_ip_addr(icmp->icmp_family, sa, len);
+ error = proto_verify_ip_addr(connp->conn_family, sa, len);
if (error != 0)
return (error);
@@ -6126,10 +5144,9 @@ rawip_connect(sock_lower_handle_t proto_handle, const struct sockaddr *sa,
/*
* set SO_DGRAM_ERRIND
*/
- icmp->icmp_dgram_errind = B_TRUE;
-
- error = rawip_do_connect(connp, sa, len, cr);
+ connp->conn_dgram_errind = B_TRUE;
+ error = rawip_do_connect(connp, sa, len, cr, pid);
if (error != 0 && did_bind) {
int unbind_err;
@@ -6139,15 +5156,15 @@ rawip_connect(sock_lower_handle_t proto_handle, const struct sockaddr *sa,
if (error == 0) {
*id = 0;
- (*connp->conn_upcalls->su_connected)
- (connp->conn_upper_handle, 0, NULL, -1);
+ (*connp->conn_upcalls->su_connected)(connp->conn_upper_handle,
+ 0, NULL, -1);
} else if (error < 0) {
error = proto_tlitosyserr(-error);
}
return (error);
}
-/* ARGSUSED */
+/* ARGSUSED2 */
int
rawip_fallback(sock_lower_handle_t proto_handle, queue_t *q,
boolean_t direct_sockfs, so_proto_quiesced_cb_t quiesced_cb)
@@ -6184,9 +5201,8 @@ rawip_fallback(sock_lower_handle_t proto_handle, queue_t *q,
stropt_mp->b_wptr += sizeof (*stropt);
stropt = (struct stroptions *)stropt_mp->b_rptr;
stropt->so_flags = SO_WROFF | SO_HIWAT;
- stropt->so_wroff =
- (ushort_t)(icmp->icmp_max_hdr_len + icmp->icmp_is->is_wroff_extra);
- stropt->so_hiwat = icmp->icmp_recv_hiwat;
+ stropt->so_wroff = connp->conn_wroff;
+ stropt->so_hiwat = connp->conn_rcvbuf;
putnext(RD(q), stropt_mp);
/*
@@ -6207,9 +5223,9 @@ rawip_fallback(sock_lower_handle_t proto_handle, queue_t *q,
if (error != 0)
faddrlen = 0;
opts = 0;
- if (icmp->icmp_dgram_errind)
+ if (connp->conn_dgram_errind)
opts |= SO_DGRAM_ERRIND;
- if (icmp->icmp_dontroute)
+ if (connp->conn_ixa->ixa_flags & IXAF_DONTROUTE)
opts |= SO_DONTROUTE;
(*quiesced_cb)(connp->conn_upper_handle, q, &tca,
@@ -6218,7 +5234,7 @@ rawip_fallback(sock_lower_handle_t proto_handle, queue_t *q,
/*
* Attempts to send data up during fallback will result in it being
- * queued in udp_t. Now we push up any queued packets.
+ * queued in icmp_t. Now we push up any queued packets.
*/
mutex_enter(&icmp->icmp_recv_lock);
while (icmp->icmp_fallback_queue_head != NULL) {
@@ -6236,9 +5252,9 @@ rawip_fallback(sock_lower_handle_t proto_handle, queue_t *q,
/*
* No longer a streams less socket
*/
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
+ mutex_enter(&connp->conn_lock);
connp->conn_flags &= ~IPCL_NONSTR;
- rw_exit(&icmp->icmp_rwlock);
+ mutex_exit(&connp->conn_lock);
mutex_exit(&icmp->icmp_recv_lock);
@@ -6250,7 +5266,7 @@ rawip_fallback(sock_lower_handle_t proto_handle, queue_t *q,
return (0);
}
-/* ARGSUSED */
+/* ARGSUSED2 */
sock_lower_handle_t
rawip_create(int family, int type, int proto, sock_downcalls_t **sock_downcalls,
uint_t *smodep, int *errorp, int flags, cred_t *credp)
@@ -6262,35 +5278,10 @@ rawip_create(int family, int type, int proto, sock_downcalls_t **sock_downcalls,
return (NULL);
}
- connp = icmp_open(family, credp, errorp, flags);
+ connp = rawip_do_open(family, credp, errorp, flags);
if (connp != NULL) {
- icmp_stack_t *is;
-
- is = connp->conn_icmp->icmp_is;
connp->conn_flags |= IPCL_NONSTR;
- if (connp->conn_icmp->icmp_family == AF_INET6) {
- /* Build initial header template for transmit */
- rw_enter(&connp->conn_icmp->icmp_rwlock, RW_WRITER);
- if ((*errorp =
- icmp_build_hdrs(connp->conn_icmp)) != 0) {
- rw_exit(&connp->conn_icmp->icmp_rwlock);
- ipcl_conn_destroy(connp);
- return (NULL);
- }
- rw_exit(&connp->conn_icmp->icmp_rwlock);
- }
-
- connp->conn_icmp->icmp_recv_hiwat = is->is_recv_hiwat;
- connp->conn_icmp->icmp_xmit_hiwat = is->is_xmit_hiwat;
-
- if ((*errorp = ip_create_helper_stream(connp,
- is->is_ldi_ident)) != 0) {
- cmn_err(CE_CONT, "create of IP helper stream failed\n");
- (void) rawip_do_close(connp);
- return (NULL);
- }
-
mutex_enter(&connp->conn_lock);
connp->conn_state_flags &= ~CONN_INCIPIENT;
mutex_exit(&connp->conn_lock);
@@ -6303,14 +5294,13 @@ rawip_create(int family, int type, int proto, sock_downcalls_t **sock_downcalls,
return ((sock_lower_handle_t)connp);
}
-/* ARGSUSED */
+/* ARGSUSED3 */
void
rawip_activate(sock_lower_handle_t proto_handle,
sock_upper_handle_t sock_handle, sock_upcalls_t *sock_upcalls, int flags,
cred_t *cr)
{
conn_t *connp = (conn_t *)proto_handle;
- icmp_stack_t *is = connp->conn_icmp->icmp_is;
struct sock_proto_props sopp;
/* All Solaris components should pass a cred for this operation. */
@@ -6321,10 +5311,9 @@ rawip_activate(sock_lower_handle_t proto_handle,
sopp.sopp_flags = SOCKOPT_WROFF | SOCKOPT_RCVHIWAT | SOCKOPT_RCVLOWAT |
SOCKOPT_MAXBLK | SOCKOPT_MAXPSZ | SOCKOPT_MINPSZ;
- sopp.sopp_wroff = connp->conn_icmp->icmp_max_hdr_len +
- is->is_wroff_extra;
- sopp.sopp_rxhiwat = is->is_recv_hiwat;
- sopp.sopp_rxlowat = icmp_mod_info.mi_lowat;
+ sopp.sopp_wroff = connp->conn_wroff;
+ sopp.sopp_rxhiwat = connp->conn_rcvbuf;
+ sopp.sopp_rxlowat = connp->conn_rcvlowat;
sopp.sopp_maxblk = INFPSZ;
sopp.sopp_maxpsz = IP_MAXPACKET;
sopp.sopp_minpsz = (icmp_mod_info.mi_minpsz == 1) ? 0 :
@@ -6332,113 +5321,11 @@ rawip_activate(sock_lower_handle_t proto_handle,
(*connp->conn_upcalls->su_set_proto_props)
(connp->conn_upper_handle, &sopp);
-}
-
-static int
-rawip_do_getsockname(icmp_t *icmp, struct sockaddr *sa, uint_t *salenp)
-{
- sin_t *sin = (sin_t *)sa;
- sin6_t *sin6 = (sin6_t *)sa;
-
- ASSERT(icmp != NULL);
- ASSERT(RW_LOCK_HELD(&icmp->icmp_rwlock));
- switch (icmp->icmp_family) {
- case AF_INET:
- ASSERT(icmp->icmp_ipversion == IPV4_VERSION);
- if (*salenp < sizeof (sin_t))
- return (EINVAL);
-
- *salenp = sizeof (sin_t);
- *sin = sin_null;
- sin->sin_family = AF_INET;
- if (icmp->icmp_state == TS_UNBND) {
- break;
- }
-
- if (!IN6_IS_ADDR_V4MAPPED_ANY(&icmp->icmp_v6src) &&
- !IN6_IS_ADDR_UNSPECIFIED(&icmp->icmp_v6src)) {
- sin->sin_addr.s_addr = V4_PART_OF_V6(icmp->icmp_v6src);
- } else {
- /*
- * INADDR_ANY
- * icmp_v6src is not set, we might be bound to
- * broadcast/multicast. Use icmp_bound_v6src as
- * local address instead (that could
- * also still be INADDR_ANY)
- */
- sin->sin_addr.s_addr =
- V4_PART_OF_V6(icmp->icmp_bound_v6src);
- }
- break;
- case AF_INET6:
-
- if (*salenp < sizeof (sin6_t))
- return (EINVAL);
-
- *salenp = sizeof (sin6_t);
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- if (icmp->icmp_state == TS_UNBND) {
- break;
- }
- if (!IN6_IS_ADDR_UNSPECIFIED(&icmp->icmp_v6src)) {
- sin6->sin6_addr = icmp->icmp_v6src;
- } else {
- /*
- * UNSPECIFIED
- * icmp_v6src is not set, we might be bound to
- * broadcast/multicast. Use icmp_bound_v6src as
- * local address instead (that could
- * also still be UNSPECIFIED)
- */
-
- sin6->sin6_addr = icmp->icmp_bound_v6src;
- }
- break;
- }
- return (0);
-}
-
-static int
-rawip_do_getpeername(icmp_t *icmp, struct sockaddr *sa, uint_t *salenp)
-{
- sin_t *sin = (sin_t *)sa;
- sin6_t *sin6 = (sin6_t *)sa;
-
- ASSERT(icmp != NULL);
- ASSERT(RW_LOCK_HELD(&icmp->icmp_rwlock));
-
- if (icmp->icmp_state != TS_DATA_XFER)
- return (ENOTCONN);
-
- sa->sa_family = icmp->icmp_family;
- switch (icmp->icmp_family) {
- case AF_INET:
- ASSERT(icmp->icmp_ipversion == IPV4_VERSION);
-
- if (*salenp < sizeof (sin_t))
- return (EINVAL);
-
- *salenp = sizeof (sin_t);
- *sin = sin_null;
- sin->sin_family = AF_INET;
- sin->sin_addr.s_addr =
- V4_PART_OF_V6(icmp->icmp_v6dst.sin6_addr);
- break;
- case AF_INET6:
- if (*salenp < sizeof (sin6_t))
- return (EINVAL);
-
- *salenp = sizeof (sin6_t);
- *sin6 = sin6_null;
- *sin6 = icmp->icmp_v6dst;
- break;
- }
- return (0);
+ icmp_bind_proto(connp->conn_icmp);
}
-/* ARGSUSED */
+/* ARGSUSED3 */
int
rawip_getpeername(sock_lower_handle_t proto_handle, struct sockaddr *sa,
socklen_t *salenp, cred_t *cr)
@@ -6450,36 +5337,29 @@ rawip_getpeername(sock_lower_handle_t proto_handle, struct sockaddr *sa,
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
- ASSERT(icmp != NULL);
-
- rw_enter(&icmp->icmp_rwlock, RW_READER);
-
- error = rawip_do_getpeername(icmp, sa, salenp);
-
- rw_exit(&icmp->icmp_rwlock);
-
+ mutex_enter(&connp->conn_lock);
+ if (icmp->icmp_state != TS_DATA_XFER)
+ error = ENOTCONN;
+ else
+ error = conn_getpeername(connp, sa, salenp);
+ mutex_exit(&connp->conn_lock);
return (error);
}
-/* ARGSUSED */
+/* ARGSUSED3 */
int
rawip_getsockname(sock_lower_handle_t proto_handle, struct sockaddr *sa,
socklen_t *salenp, cred_t *cr)
{
conn_t *connp = (conn_t *)proto_handle;
- icmp_t *icmp = connp->conn_icmp;
int error;
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
- ASSERT(icmp != NULL);
- rw_enter(&icmp->icmp_rwlock, RW_READER);
-
- error = rawip_do_getsockname(icmp, sa, salenp);
-
- rw_exit(&icmp->icmp_rwlock);
-
+ mutex_enter(&connp->conn_lock);
+ error = conn_getsockname(connp, sa, salenp);
+ mutex_exit(&connp->conn_lock);
return (error);
}
@@ -6488,7 +5368,6 @@ rawip_setsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
const void *optvalp, socklen_t optlen, cred_t *cr)
{
conn_t *connp = (conn_t *)proto_handle;
- icmp_t *icmp = connp->conn_icmp;
int error;
/* All Solaris components should pass a cred for this operation. */
@@ -6497,7 +5376,6 @@ rawip_setsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
error = proto_opt_check(level, option_name, optlen, NULL,
icmp_opt_obj.odb_opt_des_arr,
icmp_opt_obj.odb_opt_arr_cnt,
- icmp_opt_obj.odb_topmost_tpiprovider,
B_TRUE, B_FALSE, cr);
if (error != 0) {
@@ -6510,19 +5388,9 @@ rawip_setsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
return (error);
}
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
error = icmp_opt_set(connp, SETFN_OPTCOM_NEGOTIATE, level,
option_name, optlen, (uchar_t *)optvalp, (uint_t *)&optlen,
(uchar_t *)optvalp, NULL, cr);
- rw_exit(&icmp->icmp_rwlock);
-
- if (error < 0) {
- /*
- * Pass on to ip
- */
- error = ip_set_options(connp, level, option_name, optvalp,
- optlen, cr);
- }
ASSERT(error >= 0);
@@ -6535,7 +5403,6 @@ rawip_getsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
{
int error;
conn_t *connp = (conn_t *)proto_handle;
- icmp_t *icmp = connp->conn_icmp;
t_uscalar_t max_optbuf_len;
void *optvalp_buf;
int len;
@@ -6546,7 +5413,6 @@ rawip_getsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
error = proto_opt_check(level, option_name, *optlen, &max_optbuf_len,
icmp_opt_obj.odb_opt_des_arr,
icmp_opt_obj.odb_opt_arr_cnt,
- icmp_opt_obj.odb_topmost_tpiprovider,
B_FALSE, B_TRUE, cr);
if (error != 0) {
@@ -6557,31 +5423,25 @@ rawip_getsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
}
optvalp_buf = kmem_alloc(max_optbuf_len, KM_SLEEP);
- rw_enter(&icmp->icmp_rwlock, RW_READER);
len = icmp_opt_get(connp, level, option_name, optvalp_buf);
- rw_exit(&icmp->icmp_rwlock);
-
- if (len < 0) {
- /*
- * Pass on to IP
- */
- kmem_free(optvalp_buf, max_optbuf_len);
- return (ip_get_options(connp, level, option_name, optvalp,
- optlen, cr));
- } else {
- /*
- * update optlen and copy option value
- */
- t_uscalar_t size = MIN(len, *optlen);
- bcopy(optvalp_buf, optvalp, size);
- bcopy(&size, optlen, sizeof (size));
-
+ if (len == -1) {
kmem_free(optvalp_buf, max_optbuf_len);
- return (0);
+ return (EINVAL);
}
+
+ /*
+ * update optlen and copy option value
+ */
+ t_uscalar_t size = MIN(len, *optlen);
+
+ bcopy(optvalp_buf, optvalp, size);
+ bcopy(&size, optlen, sizeof (size));
+
+ kmem_free(optvalp_buf, max_optbuf_len);
+ return (0);
}
-/* ARGSUSED */
+/* ARGSUSED1 */
int
rawip_close(sock_lower_handle_t proto_handle, int flags, cred_t *cr)
{
@@ -6594,7 +5454,7 @@ rawip_close(sock_lower_handle_t proto_handle, int flags, cred_t *cr)
return (0);
}
-/* ARGSUSED */
+/* ARGSUSED2 */
int
rawip_shutdown(sock_lower_handle_t proto_handle, int how, cred_t *cr)
{
@@ -6635,6 +5495,27 @@ rawip_ioctl(sock_lower_handle_t proto_handle, int cmd, intptr_t arg,
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
+ /*
+ * If we don't have a helper stream then create one.
+ * ip_create_helper_stream takes care of locking the conn_t,
+ * so this check for NULL is just a performance optimization.
+ */
+ if (connp->conn_helper_info == NULL) {
+ icmp_stack_t *is = connp->conn_icmp->icmp_is;
+
+ ASSERT(is->is_ldi_ident != NULL);
+
+ /*
+ * Create a helper stream for non-STREAMS socket.
+ */
+ error = ip_create_helper_stream(connp, is->is_ldi_ident);
+ if (error != 0) {
+ ip0dbg(("rawip_ioctl: create of IP helper stream "
+ "failed %d\n", error));
+ return (error);
+ }
+ }
+
switch (cmd) {
case ND_SET:
case ND_GET:
@@ -6658,25 +5539,25 @@ rawip_ioctl(sock_lower_handle_t proto_handle, int cmd, intptr_t arg,
return (error);
}
-/* ARGSUSED */
int
rawip_send(sock_lower_handle_t proto_handle, mblk_t *mp, struct nmsghdr *msg,
cred_t *cr)
{
- conn_t *connp = (conn_t *)proto_handle;
- icmp_t *icmp = connp->conn_icmp;
- icmp_stack_t *is = icmp->icmp_is;
- int error = 0;
- boolean_t bypass_dgram_errind = B_FALSE;
+ sin6_t *sin6;
+ sin_t *sin = NULL;
+ uint_t srcid;
+ conn_t *connp = (conn_t *)proto_handle;
+ icmp_t *icmp = connp->conn_icmp;
+ int error = 0;
+ icmp_stack_t *is = icmp->icmp_is;
+ pid_t pid = curproc->p_pid;
+ ip_xmit_attr_t *ixa;
ASSERT(DB_TYPE(mp) == M_DATA);
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
- /* If labeled then sockfs should have already set db_credp */
- ASSERT(!is_system_labeled() || msg_getcred(mp, NULL) != NULL);
-
/* do an implicit bind if necessary */
if (icmp->icmp_state == TS_UNBND) {
error = rawip_implicit_bind(connp);
@@ -6691,170 +5572,191 @@ rawip_send(sock_lower_handle_t proto_handle, mblk_t *mp, struct nmsghdr *msg,
}
}
- rw_enter(&icmp->icmp_rwlock, RW_WRITER);
-
- if (msg->msg_name != NULL && icmp->icmp_state == TS_DATA_XFER) {
- error = EISCONN;
- goto done_lock;
- }
-
- switch (icmp->icmp_family) {
- case AF_INET6: {
- sin6_t *sin6;
- ip6_pkt_t ipp_s; /* For ancillary data options */
- ip6_pkt_t *ipp = &ipp_s;
-
- sin6 = (sin6_t *)msg->msg_name;
- if (sin6 != NULL) {
- error = proto_verify_ip_addr(icmp->icmp_family,
- (struct sockaddr *)msg->msg_name, msg->msg_namelen);
- if (error != 0) {
- bypass_dgram_errind = B_TRUE;
- goto done_lock;
+ /* Protocol 255 contains full IP headers */
+ /* Read without holding lock */
+ if (icmp->icmp_hdrincl) {
+ ASSERT(connp->conn_ipversion == IPV4_VERSION);
+ if (mp->b_wptr - mp->b_rptr < IP_SIMPLE_HDR_LENGTH) {
+ if (!pullupmsg(mp, IP_SIMPLE_HDR_LENGTH)) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ freemsg(mp);
+ return (EINVAL);
}
- if (icmp->icmp_delayed_error != 0) {
- sin6_t *sin1 = (sin6_t *)msg->msg_name;
- sin6_t *sin2 = (sin6_t *)
- &icmp->icmp_delayed_addr;
-
- error = icmp->icmp_delayed_error;
- icmp->icmp_delayed_error = 0;
-
- /* Compare IP address and port */
+ }
+ error = icmp_output_hdrincl(connp, mp, cr, pid);
+ if (is->is_sendto_ignerr)
+ return (0);
+ else
+ return (error);
+ }
- if (sin1->sin6_port == sin2->sin6_port &&
- IN6_ARE_ADDR_EQUAL(&sin1->sin6_addr,
- &sin2->sin6_addr)) {
- goto done_lock;
- }
- }
+ /* Connected? */
+ if (msg->msg_name == NULL) {
+ if (icmp->icmp_state != TS_DATA_XFER) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ return (EDESTADDRREQ);
+ }
+ if (msg->msg_controllen != 0) {
+ error = icmp_output_ancillary(connp, NULL, NULL, mp,
+ NULL, msg, cr, pid);
} else {
- /*
- * Use connected address
- */
- if (icmp->icmp_state != TS_DATA_XFER) {
- BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- error = EDESTADDRREQ;
- bypass_dgram_errind = B_TRUE;
- goto done_lock;
- }
- sin6 = &icmp->icmp_v6dst;
+ error = icmp_output_connected(connp, mp, cr, pid);
}
+ if (is->is_sendto_ignerr)
+ return (0);
+ else
+ return (error);
+ }
+ if (icmp->icmp_state == TS_DATA_XFER) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ return (EISCONN);
+ }
+ error = proto_verify_ip_addr(connp->conn_family,
+ (struct sockaddr *)msg->msg_name, msg->msg_namelen);
+ if (error != 0) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ return (error);
+ }
+ switch (connp->conn_family) {
+ case AF_INET6:
+ sin6 = (sin6_t *)msg->msg_name;
/* No support for mapped addresses on raw sockets */
if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- error = EADDRNOTAVAIL;
- goto done_lock;
+ return (EADDRNOTAVAIL);
}
-
- ipp->ipp_fields = 0;
- ipp->ipp_sticky_ignored = 0;
+ srcid = sin6->__sin6_src_id;
/*
- * If options passed in, feed it for verification and handling
+ * If the local address is a mapped address return
+ * an error.
+ * It would be possible to send an IPv6 packet but the
+ * response would never make it back to the application
+ * since it is bound to a mapped address.
*/
- if (msg->msg_controllen != 0) {
- error = process_auxiliary_options(connp,
- msg->msg_control, msg->msg_controllen,
- ipp, &icmp_opt_obj, icmp_opt_set, cr);
- if (error != 0) {
- goto done_lock;
- }
+ if (IN6_IS_ADDR_V4MAPPED(&connp->conn_saddr_v6)) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ return (EADDRNOTAVAIL);
}
- rw_exit(&icmp->icmp_rwlock);
+ if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
+ sin6->sin6_addr = ipv6_loopback;
/*
- * Destination is a native IPv6 address.
- * Send out an IPv6 format packet.
+ * We have to allocate an ip_xmit_attr_t before we grab
+ * conn_lock and we need to hold conn_lock once we've check
+ * conn_same_as_last_v6 to handle concurrent send* calls on a
+ * socket.
*/
+ if (msg->msg_controllen == 0) {
+ ixa = conn_get_ixa(connp, B_FALSE);
+ if (ixa == NULL) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ return (ENOMEM);
+ }
+ } else {
+ ixa = NULL;
+ }
+ mutex_enter(&connp->conn_lock);
+ if (icmp->icmp_delayed_error != 0) {
+ sin6_t *sin2 = (sin6_t *)&icmp->icmp_delayed_addr;
- error = raw_ip_send_data_v6(connp->conn_wq, connp, mp, sin6,
- ipp);
- }
- break;
- case AF_INET: {
- sin_t *sin;
- ip4_pkt_t pktinfo;
- ip4_pkt_t *pktinfop = &pktinfo;
- ipaddr_t v4dst;
+ error = icmp->icmp_delayed_error;
+ icmp->icmp_delayed_error = 0;
- sin = (sin_t *)msg->msg_name;
- if (sin != NULL) {
- error = proto_verify_ip_addr(icmp->icmp_family,
- (struct sockaddr *)msg->msg_name, msg->msg_namelen);
- if (error != 0) {
- bypass_dgram_errind = B_TRUE;
- goto done_lock;
- }
- v4dst = sin->sin_addr.s_addr;
- if (icmp->icmp_delayed_error != 0) {
- sin_t *sin1 = (sin_t *)msg->msg_name;
- sin_t *sin2 = (sin_t *)&icmp->icmp_delayed_addr;
-
- error = icmp->icmp_delayed_error;
- icmp->icmp_delayed_error = 0;
-
- /* Compare IP address and port */
- if (sin1->sin_port == sin2->sin_port &&
- sin1->sin_addr.s_addr ==
- sin2->sin_addr.s_addr) {
- goto done_lock;
- }
+ /* Compare IP address and family */
- }
- } else {
- /*
- * Use connected address
- */
- if (icmp->icmp_state != TS_DATA_XFER) {
+ if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr,
+ &sin2->sin6_addr) &&
+ sin6->sin6_family == sin2->sin6_family) {
+ mutex_exit(&connp->conn_lock);
BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
- error = EDESTADDRREQ;
- bypass_dgram_errind = B_TRUE;
- goto done_lock;
+ if (ixa != NULL)
+ ixa_refrele(ixa);
+ return (error);
}
- v4dst = V4_PART_OF_V6(icmp->icmp_v6dst.sin6_addr);
}
+ if (msg->msg_controllen != 0) {
+ mutex_exit(&connp->conn_lock);
+ ASSERT(ixa == NULL);
+ error = icmp_output_ancillary(connp, NULL, sin6, mp,
+ NULL, msg, cr, pid);
+ } else if (conn_same_as_last_v6(connp, sin6) &&
+ connp->conn_lastsrcid == srcid &&
+ ipsec_outbound_policy_current(ixa)) {
+ /* icmp_output_lastdst drops conn_lock */
+ error = icmp_output_lastdst(connp, mp, cr, pid, ixa);
+ } else {
+ /* icmp_output_newdst drops conn_lock */
+ error = icmp_output_newdst(connp, mp, NULL, sin6, cr,
+ pid, ixa);
+ }
+ ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
+ if (is->is_sendto_ignerr)
+ return (0);
+ else
+ return (error);
+ case AF_INET:
+ sin = (sin_t *)msg->msg_name;
-
- pktinfop->ip4_ill_index = 0;
- pktinfop->ip4_addr = INADDR_ANY;
+ if (sin->sin_addr.s_addr == INADDR_ANY)
+ sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
/*
- * If options passed in, feed it for verification and handling
+ * We have to allocate an ip_xmit_attr_t before we grab
+ * conn_lock and we need to hold conn_lock once we've check
+ * conn_same_as_last_v6 to handle concurrent send* on a socket.
*/
- if (msg->msg_controllen != 0) {
- error = process_auxiliary_options(connp,
- msg->msg_control, msg->msg_controllen,
- pktinfop, &icmp_opt_obj, icmp_opt_set, cr);
- if (error != 0) {
- goto done_lock;
+ if (msg->msg_controllen == 0) {
+ ixa = conn_get_ixa(connp, B_FALSE);
+ if (ixa == NULL) {
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ return (ENOMEM);
}
+ } else {
+ ixa = NULL;
}
- rw_exit(&icmp->icmp_rwlock);
+ mutex_enter(&connp->conn_lock);
+ if (icmp->icmp_delayed_error != 0) {
+ sin_t *sin2 = (sin_t *)&icmp->icmp_delayed_addr;
- error = raw_ip_send_data_v4(connp->conn_wq, connp, mp,
- v4dst, pktinfop);
- break;
- }
+ error = icmp->icmp_delayed_error;
+ icmp->icmp_delayed_error = 0;
- default:
- ASSERT(0);
- }
+ /* Compare IP address */
- goto done;
+ if (sin->sin_addr.s_addr == sin2->sin_addr.s_addr) {
+ mutex_exit(&connp->conn_lock);
+ BUMP_MIB(&is->is_rawip_mib, rawipOutErrors);
+ if (ixa != NULL)
+ ixa_refrele(ixa);
+ return (error);
+ }
+ }
-done_lock:
- rw_exit(&icmp->icmp_rwlock);
- if (error != 0) {
- ASSERT(mp != NULL);
- freemsg(mp);
+ if (msg->msg_controllen != 0) {
+ mutex_exit(&connp->conn_lock);
+ ASSERT(ixa == NULL);
+ error = icmp_output_ancillary(connp, sin, NULL, mp,
+ NULL, msg, cr, pid);
+ } else if (conn_same_as_last_v4(connp, sin) &&
+ ipsec_outbound_policy_current(ixa)) {
+ /* icmp_output_lastdst drops conn_lock */
+ error = icmp_output_lastdst(connp, mp, cr, pid, ixa);
+ } else {
+ /* icmp_output_newdst drops conn_lock */
+ error = icmp_output_newdst(connp, mp, sin, NULL, cr,
+ pid, ixa);
+ }
+ ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
+ if (is->is_sendto_ignerr)
+ return (0);
+ else
+ return (error);
+ default:
+ return (EINVAL);
}
-done:
- if (bypass_dgram_errind)
- return (error);
- return (icmp->icmp_dgram_errind ? error : 0);
}
sock_downcalls_t sock_rawip_downcalls = {
diff --git a/usr/src/uts/common/inet/ip/icmp_opt_data.c b/usr/src/uts/common/inet/ip/icmp_opt_data.c
index 8bee9827db..ff0310de0c 100644
--- a/usr/src/uts/common/inet/ip/icmp_opt_data.c
+++ b/usr/src/uts/common/inet/ip/icmp_opt_data.c
@@ -36,23 +36,11 @@
#include <inet/common.h>
#include <netinet/ip6.h>
#include <inet/ip.h>
-/*
- * MK_XXX Following 2 includes temporary to import ip6_rthdr_t
- * definition. May not be needed if we fix ip6_dg_snd_attrs_t
- * to do all extension headers in identical manner.
- */
-#include <net/if.h>
-#include <inet/ip6.h>
#include <netinet/tcp.h>
#include <netinet/ip_mroute.h>
#include <inet/optcom.h>
-
-
-extern int icmp_opt_default(queue_t *, int, int, uchar_t *);
-extern int icmp_tpi_opt_get(queue_t *, int, int, uchar_t *);
-extern int icmp_tpi_opt_set(queue_t *, uint_t, int, int, uint_t, uchar_t *,
- uint_t *, uchar_t *, void *, cred_t *, mblk_t *);
+#include <inet/rawip_impl.h>
/*
* Table of all known options handled on a ICMP protocol stack.
@@ -63,250 +51,252 @@ extern int icmp_tpi_opt_set(queue_t *, uint_t, int, int, uint_t, uchar_t *,
*/
opdes_t icmp_opt_arr[] = {
-{ SO_DEBUG, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_DONTROUTE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_USELOOPBACK, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0
+{ SO_DEBUG, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_DONTROUTE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_USELOOPBACK, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
},
-{ SO_BROADCAST, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_REUSEADDR, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
+{ SO_BROADCAST, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_REUSEADDR, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
#ifdef SO_PROTOTYPE
/*
* icmp will only allow IPPROTO_ICMP for non-privileged streams
* that check is made on an adhoc basis.
*/
-{ SO_PROTOTYPE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
+{ SO_PROTOTYPE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
#endif
-{ SO_TYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_SNDTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ SO_TYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
+{ SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_SNDTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0,
sizeof (struct timeval), 0 },
-{ SO_RCVTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ SO_RCVTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0,
sizeof (struct timeval), 0 },
-{ SO_DGRAM_ERRIND, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int),
+{ SO_DGRAM_ERRIND, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
0 },
-{ SO_TIMESTAMP, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0
+{ SO_TIMESTAMP, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
},
-{ SO_MAC_EXEMPT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int),
+{ SO_MAC_EXEMPT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
0 },
-{ SO_MAC_IMPLICIT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int),
+{ SO_MAC_IMPLICIT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
0 },
-{ SO_ALLZONES, SOL_SOCKET, OA_R, OA_RW, OP_CONFIG, OP_PASSNEXT, sizeof (int),
+{ SO_ALLZONES, SOL_SOCKET, OA_R, OA_RW, OP_CONFIG, 0, sizeof (int),
0 },
-{ SO_DOMAIN, SOL_SOCKET, OA_R, OA_R, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
+{ SO_DOMAIN, SOL_SOCKET, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
{ IP_OPTIONS, IPPROTO_IP, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT),
+ (OP_VARLEN|OP_NODEFAULT),
IP_MAX_OPT_LENGTH + IP_ADDR_LEN, -1 /* not initialized */ },
{ T_IP_OPTIONS, IPPROTO_IP, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT),
+ (OP_VARLEN|OP_NODEFAULT),
IP_MAX_OPT_LENGTH + IP_ADDR_LEN, -1 /* not initialized */ },
-{ IP_HDRINCL, IPPROTO_IP, OA_R, OA_RW, OP_RAW, OP_PASSNEXT,
+{ IP_HDRINCL, IPPROTO_IP, OA_R, OA_RW, OP_RAW, 0,
sizeof (int), 0 },
-{ IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ T_IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ IP_TTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
+{ IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ T_IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ IP_TTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-{ IP_MULTICAST_IF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IP_MULTICAST_IF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0,
sizeof (struct in_addr), 0 /* INADDR_ANY */ },
-{ IP_MULTICAST_LOOP, IPPROTO_IP, OA_RW, OA_RW, OP_NP, (OP_PASSNEXT|OP_DEF_FN),
+{ IP_MULTICAST_LOOP, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_DEF_FN,
sizeof (uchar_t), -1 /* not initialized */},
-{ IP_MULTICAST_TTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, (OP_PASSNEXT|OP_DEF_FN),
+{ IP_MULTICAST_TTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_DEF_FN,
sizeof (uchar_t), -1 /* not initialized */ },
-{ IP_ADD_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IP_ADD_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP, OP_NODEFAULT,
sizeof (struct ip_mreq), -1 /* not initialized */ },
-{ IP_DROP_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IP_DROP_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP, OP_NODEFAULT,
sizeof (struct ip_mreq), 0 },
-{ IP_BLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IP_BLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP, OP_NODEFAULT,
sizeof (struct ip_mreq_source), -1 },
-{ IP_UNBLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IP_UNBLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP, OP_NODEFAULT,
sizeof (struct ip_mreq_source), -1 },
{ IP_ADD_SOURCE_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct ip_mreq_source), -1 },
+ OP_NODEFAULT, sizeof (struct ip_mreq_source), -1 },
{ IP_DROP_SOURCE_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct ip_mreq_source), -1 },
+ OP_NODEFAULT, sizeof (struct ip_mreq_source), -1 },
-{ IP_SEC_OPT, IPPROTO_IP, OA_RW, OA_RW, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IP_SEC_OPT, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_NODEFAULT,
sizeof (ipsec_req_t), -1 /* not initialized */ },
-{ IP_BOUND_IF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IP_BOUND_IF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 /* no ifindex */ },
-{ IP_UNSPEC_SRC, IPPROTO_IP, OA_R, OA_RW, OP_RAW, OP_PASSNEXT,
+{ IP_UNSPEC_SRC, IPPROTO_IP, OA_R, OA_RW, OP_RAW, 0,
sizeof (int), 0 },
{ IP_BROADCAST_TTL, IPPROTO_IP, OA_R, OA_RW, OP_RAW, 0, sizeof (uchar_t),
0 /* disabled */ },
-{ IP_RECVIF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
+{ IP_RECVIF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
{ IP_PKTINFO, IPPROTO_IP, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT|OP_VARLEN),
+ (OP_NODEFAULT|OP_VARLEN),
sizeof (struct in_pktinfo), -1 /* not initialized */ },
-{ IP_NEXTHOP, IPPROTO_IP, OA_R, OA_RW, OP_CONFIG, OP_PASSNEXT,
+{ IP_DONTFRAG, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+
+{ IP_NEXTHOP, IPPROTO_IP, OA_R, OA_RW, OP_CONFIG, 0,
sizeof (in_addr_t), -1 /* not initialized */ },
{ MRT_INIT, IPPROTO_IP, 0, OA_X, OP_CONFIG,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (int),
+ OP_NODEFAULT, sizeof (int),
-1 /* not initialized */ },
{ MRT_DONE, IPPROTO_IP, 0, OA_X, OP_CONFIG,
- (OP_PASSNEXT|OP_NODEFAULT), 0, -1 /* not initialized */ },
+ OP_NODEFAULT, 0, -1 /* not initialized */ },
-{ MRT_ADD_VIF, IPPROTO_IP, 0, OA_X, OP_CONFIG, (OP_PASSNEXT|OP_NODEFAULT),
+{ MRT_ADD_VIF, IPPROTO_IP, 0, OA_X, OP_CONFIG, OP_NODEFAULT,
sizeof (struct vifctl), -1 /* not initialized */ },
-{ MRT_DEL_VIF, IPPROTO_IP, 0, OA_X, OP_CONFIG, (OP_PASSNEXT|OP_NODEFAULT),
+{ MRT_DEL_VIF, IPPROTO_IP, 0, OA_X, OP_CONFIG, OP_NODEFAULT,
sizeof (vifi_t), -1 /* not initialized */ },
-{ MRT_ADD_MFC, IPPROTO_IP, 0, OA_X, OP_CONFIG, (OP_PASSNEXT|OP_NODEFAULT),
+{ MRT_ADD_MFC, IPPROTO_IP, 0, OA_X, OP_CONFIG, OP_NODEFAULT,
sizeof (struct mfcctl), -1 /* not initialized */ },
-{ MRT_DEL_MFC, IPPROTO_IP, 0, OA_X, OP_CONFIG, (OP_PASSNEXT|OP_NODEFAULT),
+{ MRT_DEL_MFC, IPPROTO_IP, 0, OA_X, OP_CONFIG, OP_NODEFAULT,
sizeof (struct mfcctl), -1 /* not initialized */ },
-{ MRT_VERSION, IPPROTO_IP, OA_R, OA_R, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ MRT_VERSION, IPPROTO_IP, OA_R, OA_R, OP_NP, OP_NODEFAULT,
sizeof (int), -1 /* not initialized */ },
{ MRT_ASSERT, IPPROTO_IP, 0, OA_RW, OP_CONFIG,
- (OP_PASSNEXT|OP_NODEFAULT),
+ OP_NODEFAULT,
sizeof (int), -1 /* not initialized */ },
{ MCAST_JOIN_GROUP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_req),
+ OP_NODEFAULT, sizeof (struct group_req),
-1 /* not initialized */ },
{ MCAST_LEAVE_GROUP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_req),
+ OP_NODEFAULT, sizeof (struct group_req),
-1 /* not initialized */ },
{ MCAST_BLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
{ MCAST_UNBLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
{ MCAST_JOIN_SOURCE_GROUP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
{ MCAST_LEAVE_SOURCE_GROUP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
-{ IPV6_MULTICAST_IF, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_MULTICAST_IF, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
{ IPV6_MULTICAST_HOPS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_DEF_FN), sizeof (int), -1 /* not initialized */ },
+ OP_DEF_FN, sizeof (int), -1 /* not initialized */ },
{ IPV6_MULTICAST_LOOP, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_DEF_FN), sizeof (int), -1 /* not initialized */},
+ OP_DEF_FN, sizeof (int), -1 /* not initialized */},
-{ IPV6_JOIN_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IPV6_JOIN_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP, OP_NODEFAULT,
sizeof (struct ipv6_mreq), -1 /* not initialized */ },
-{ IPV6_LEAVE_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IPV6_LEAVE_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP, OP_NODEFAULT,
sizeof (struct ipv6_mreq), -1 /* not initialized */ },
-{ IPV6_UNICAST_HOPS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, (OP_PASSNEXT|OP_DEF_FN),
+{ IPV6_UNICAST_HOPS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_DEF_FN,
sizeof (int), -1 /* not initialized */ },
-{ IPV6_BOUND_IF, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_BOUND_IF, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 /* no ifindex */ },
-{ IPV6_UNSPEC_SRC, IPPROTO_IPV6, OA_R, OA_RW, OP_RAW, OP_PASSNEXT,
+{ IPV6_UNSPEC_SRC, IPPROTO_IPV6, OA_R, OA_RW, OP_RAW, 0,
sizeof (int), 0 },
-{ IPV6_CHECKSUM, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int),
+{ IPV6_CHECKSUM, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
-1 },
{ ICMP6_FILTER, IPPROTO_ICMPV6, OA_RW, OA_RW, OP_NP, OP_DEF_FN|OP_VARLEN,
sizeof (icmp6_filter_t), 0 },
{ IPV6_PKTINFO, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT|OP_VARLEN),
+ (OP_NODEFAULT|OP_VARLEN),
sizeof (struct in6_pktinfo), -1 /* not initialized */ },
{ IPV6_HOPLIMIT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT|OP_VARLEN),
+ (OP_NODEFAULT|OP_VARLEN),
sizeof (int), -1 /* not initialized */ },
{ IPV6_NEXTHOP, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT|OP_VARLEN),
+ (OP_NODEFAULT|OP_VARLEN),
sizeof (sin6_t), -1 /* not initialized */ },
{ IPV6_HOPOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT),
+ (OP_VARLEN|OP_NODEFAULT),
MAX_EHDR_LEN, -1 /* not initialized */ },
{ IPV6_DSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT),
+ (OP_VARLEN|OP_NODEFAULT),
MAX_EHDR_LEN, -1 /* not initialized */ },
{ IPV6_RTHDRDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT),
+ (OP_VARLEN|OP_NODEFAULT),
MAX_EHDR_LEN, -1 /* not initialized */ },
{ IPV6_RTHDR, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT),
+ (OP_VARLEN|OP_NODEFAULT),
MAX_EHDR_LEN, -1 /* not initialized */ },
{ IPV6_TCLASS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT|OP_VARLEN),
+ (OP_NODEFAULT|OP_VARLEN),
sizeof (int), -1 /* not initialized */ },
-{ IPV6_PATHMTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_PATHMTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (struct ip6_mtuinfo), -1 },
-{ IPV6_DONTFRAG, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_DONTFRAG, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_USE_MIN_MTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_USE_MIN_MTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_V6ONLY, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_V6ONLY, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVPKTINFO, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVPKTINFO, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVHOPLIMIT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVHOPLIMIT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVHOPOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVHOPOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ _OLD_IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ _OLD_IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVRTHDR, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVRTHDR, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVRTHDRDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVRTHDRDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVPATHMTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVPATHMTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVTCLASS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVTCLASS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_SEC_OPT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IPV6_SEC_OPT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_NODEFAULT,
sizeof (ipsec_req_t), -1 /* not initialized */ },
-{ IPV6_SRC_PREFERENCES, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_SRC_PREFERENCES, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (uint32_t), IPV6_PREFER_SRC_DEFAULT },
{ MCAST_JOIN_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_req),
+ OP_NODEFAULT, sizeof (struct group_req),
-1 /* not initialized */ },
{ MCAST_LEAVE_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_req),
+ OP_NODEFAULT, sizeof (struct group_req),
-1 /* not initialized */ },
{ MCAST_BLOCK_SOURCE, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
{ MCAST_UNBLOCK_SOURCE, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
{ MCAST_JOIN_SOURCE_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
{ MCAST_LEAVE_SOURCE_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
};
@@ -342,9 +332,8 @@ uint_t icmp_max_optsize; /* initialized when ICMP driver is loaded */
optdb_obj_t icmp_opt_obj = {
icmp_opt_default, /* ICMP default value function pointer */
- icmp_tpi_opt_get, /* ICMP get function pointer */
- icmp_tpi_opt_set, /* ICMP set function pointer */
- B_TRUE, /* ICMP is tpi provider */
+ icmp_tpi_opt_get, /* ICMP get function pointer */
+ icmp_tpi_opt_set, /* ICMP set function pointer */
ICMP_OPT_ARR_CNT, /* ICMP option database count of entries */
icmp_opt_arr, /* ICMP option database */
ICMP_VALID_LEVELS_CNT, /* ICMP valid level count of entries */
diff --git a/usr/src/uts/common/inet/ip/igmp.c b/usr/src/uts/common/inet/ip/igmp.c
index 5eff11af14..9e6b552a61 100644
--- a/usr/src/uts/common/inet/ip/igmp.c
+++ b/usr/src/uts/common/inet/ip/igmp.c
@@ -56,6 +56,7 @@
#include <netinet/igmp_var.h>
#include <netinet/ip6.h>
#include <netinet/icmp6.h>
+#include <inet/ipsec_impl.h>
#include <inet/common.h>
#include <inet/mi.h>
@@ -66,9 +67,8 @@
#include <inet/ip_listutils.h>
#include <netinet/igmp.h>
+#include <inet/ip_ndp.h>
#include <inet/ip_if.h>
-#include <net/pfkeyv2.h>
-#include <inet/ipsec_info.h>
static uint_t igmp_query_in(ipha_t *ipha, igmpa_t *igmpa, ill_t *ill);
static uint_t igmpv3_query_in(igmp3qa_t *igmp3qa, ill_t *ill, int igmplen);
@@ -76,14 +76,13 @@ static uint_t mld_query_in(mld_hdr_t *mldh, ill_t *ill);
static uint_t mldv2_query_in(mld2q_t *mld2q, ill_t *ill, int mldlen);
static void igmp_sendpkt(ilm_t *ilm, uchar_t type, ipaddr_t addr);
static void mld_sendpkt(ilm_t *ilm, uchar_t type, const in6_addr_t *v6addr);
-static void igmpv3_sendrpt(ipif_t *ipif, mrec_t *reclist);
+static void igmpv3_sendrpt(ill_t *ill, mrec_t *reclist);
static void mldv2_sendrpt(ill_t *ill, mrec_t *reclist);
static mrec_t *mcast_bldmrec(mcast_record_t type, in6_addr_t *grp,
slist_t *srclist, mrec_t *next);
static void mcast_init_rtx(ill_t *ill, rtx_state_t *rtxp,
mcast_record_t rtype, slist_t *flist);
static mrec_t *mcast_merge_rtx(ilm_t *ilm, mrec_t *rp, slist_t *flist);
-static void mcast_signal_restart_thread(ip_stack_t *ipst);
/*
* Macros used to do timer len conversions. Timer values are always
@@ -122,11 +121,12 @@ static void mcast_signal_restart_thread(ip_stack_t *ipst);
* The first multicast join will trigger the igmp timers / mld timers
* The unit for next is milliseconds.
*/
-static void
+void
igmp_start_timers(unsigned next, ip_stack_t *ipst)
{
int time_left;
int ret;
+ timeout_id_t id;
ASSERT(next != 0 && next != INFINITY);
@@ -173,9 +173,10 @@ igmp_start_timers(unsigned next, ip_stack_t *ipst)
mutex_exit(&ipst->ips_igmp_timer_lock);
return;
}
+ id = ipst->ips_igmp_timeout_id;
mutex_exit(&ipst->ips_igmp_timer_lock);
- ret = untimeout(ipst->ips_igmp_timeout_id);
+ ret = untimeout(id);
mutex_enter(&ipst->ips_igmp_timer_lock);
/*
* The timeout was cancelled, or the timeout handler
@@ -207,11 +208,12 @@ igmp_start_timers(unsigned next, ip_stack_t *ipst)
* mld_start_timers:
* The unit for next is milliseconds.
*/
-static void
+void
mld_start_timers(unsigned next, ip_stack_t *ipst)
{
int time_left;
int ret;
+ timeout_id_t id;
ASSERT(next != 0 && next != INFINITY);
@@ -257,9 +259,10 @@ mld_start_timers(unsigned next, ip_stack_t *ipst)
mutex_exit(&ipst->ips_mld_timer_lock);
return;
}
+ id = ipst->ips_mld_timeout_id;
mutex_exit(&ipst->ips_mld_timer_lock);
- ret = untimeout(ipst->ips_mld_timeout_id);
+ ret = untimeout(id);
mutex_enter(&ipst->ips_mld_timer_lock);
/*
* The timeout was cancelled, or the timeout handler
@@ -294,9 +297,8 @@ mld_start_timers(unsigned next, ip_stack_t *ipst)
* Callers of igmp_input() may need to reinitialize variables that were copied
* from the mblk as this calls pullupmsg().
*/
-/* ARGSUSED */
mblk_t *
-igmp_input(queue_t *q, mblk_t *mp, ill_t *ill)
+igmp_input(mblk_t *mp, ip_recv_attr_t *ira)
{
igmpa_t *igmpa;
ipha_t *ipha = (ipha_t *)(mp->b_rptr);
@@ -304,22 +306,22 @@ igmp_input(queue_t *q, mblk_t *mp, ill_t *ill)
ilm_t *ilm;
uint32_t src, dst;
uint32_t group;
+ in6_addr_t v6group;
uint_t next;
ipif_t *ipif;
- ip_stack_t *ipst;
- ilm_walker_t ilw;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
- ASSERT(ill != NULL);
ASSERT(!ill->ill_isv6);
- ipst = ill->ill_ipst;
++ipst->ips_igmpstat.igps_rcv_total;
mblklen = MBLKL(mp);
- if (mblklen < 1 || mblklen < (iphlen = IPH_HDR_LENGTH(ipha))) {
+ iphlen = ira->ira_ip_hdr_length;
+ if (mblklen < 1 || mblklen < iphlen) {
++ipst->ips_igmpstat.igps_rcv_tooshort;
goto bad_pkt;
}
- igmplen = ntohs(ipha->ipha_length) - iphlen;
+ igmplen = ira->ira_pktlen - iphlen;
/*
* Since msg sizes are more variable with v3, just pullup the
* whole thing now.
@@ -342,13 +344,6 @@ igmp_input(queue_t *q, mblk_t *mp, ill_t *ill)
++ipst->ips_igmpstat.igps_rcv_tooshort;
goto bad_pkt;
}
- /*
- * Validate checksum
- */
- if (IP_CSUM(mp, iphlen, 0)) {
- ++ipst->ips_igmpstat.igps_rcv_badsum;
- goto bad_pkt;
- }
igmpa = (igmpa_t *)(&mp->b_rptr[iphlen]);
src = ipha->ipha_src;
@@ -400,9 +395,8 @@ igmp_input(queue_t *q, mblk_t *mp, ill_t *ill)
1,
SL_TRACE,
"igmp_input: we are only "
- "member src 0x%x ipif_local 0x%x",
- (int)ntohl(src),
- (int)ntohl(ipif->ipif_lcl_addr));
+ "member src 0x%x\n",
+ (int)ntohl(src));
}
mutex_exit(&ill->ill_lock);
return (mp);
@@ -445,15 +439,18 @@ igmp_input(queue_t *q, mblk_t *mp, ill_t *ill)
* terminology, stop our timer for that group and 'clear
* flag' i.e. mark as IGMP_OTHERMEMBER.
*/
- ilm = ilm_walker_start(&ilw, ill);
- for (; ilm != NULL; ilm = ilm_walker_step(&ilw, ilm)) {
- if (ilm->ilm_addr == group) {
- ++ipst->ips_igmpstat.igps_rcv_ourreports;
- ilm->ilm_timer = INFINITY;
- ilm->ilm_state = IGMP_OTHERMEMBER;
- }
- }
- ilm_walker_finish(&ilw);
+ rw_enter(&ill->ill_mcast_lock, RW_WRITER);
+ IN6_IPADDR_TO_V4MAPPED(group, &v6group);
+ for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
+ if (!IN6_ARE_ADDR_EQUAL(&ilm->ilm_v6addr, &v6group))
+ continue;
+
+ ++ipst->ips_igmpstat.igps_rcv_ourreports;
+ ilm->ilm_timer = INFINITY;
+ ilm->ilm_state = IGMP_OTHERMEMBER;
+ } /* for */
+ rw_exit(&ill->ill_mcast_lock);
+ ill_mcast_timer_start(ill->ill_ipst);
break;
case IGMP_V3_MEMBERSHIP_REPORT:
@@ -482,11 +479,11 @@ igmp_query_in(ipha_t *ipha, igmpa_t *igmpa, ill_t *ill)
int timer;
uint_t next, current;
ip_stack_t *ipst;
- ilm_walker_t ilw;
ipst = ill->ill_ipst;
++ipst->ips_igmpstat.igps_rcv_queries;
+ rw_enter(&ill->ill_mcast_lock, RW_WRITER);
/*
* In the IGMPv2 specification, there are 3 states and a flag.
*
@@ -506,9 +503,6 @@ igmp_query_in(ipha_t *ipha, igmpa_t *igmpa, ill_t *ill)
* Remember that the querier on this interface is old,
* and set the timer to the value in RFC 1112.
*/
-
-
- mutex_enter(&ill->ill_lock);
ill->ill_mcast_v1_time = 0;
ill->ill_mcast_v1_tset = 1;
if (ill->ill_mcast_type != IGMP_V1_ROUTER) {
@@ -517,13 +511,14 @@ igmp_query_in(ipha_t *ipha, igmpa_t *igmpa, ill_t *ill)
atomic_add_16(&ill->ill_ifptr->illif_mcast_v1, 1);
ill->ill_mcast_type = IGMP_V1_ROUTER;
}
- mutex_exit(&ill->ill_lock);
timer = SEC_TO_MSEC(IGMP_MAX_HOST_REPORT_DELAY);
if (ipha->ipha_dst != htonl(INADDR_ALLHOSTS_GROUP) ||
igmpa->igmpa_group != 0) {
++ipst->ips_igmpstat.igps_rcv_badqueries;
+ rw_exit(&ill->ill_mcast_lock);
+ ill_mcast_timer_start(ill->ill_ipst);
return (0);
}
@@ -537,6 +532,8 @@ igmp_query_in(ipha_t *ipha, igmpa_t *igmpa, ill_t *ill)
group = igmpa->igmpa_group;
if (group != 0 && (!CLASSD(group))) {
++ipst->ips_igmpstat.igps_rcv_badqueries;
+ rw_exit(&ill->ill_mcast_lock);
+ ill_mcast_timer_start(ill->ill_ipst);
return (0);
}
@@ -545,7 +542,6 @@ igmp_query_in(ipha_t *ipha, igmpa_t *igmpa, ill_t *ill)
* ONLY IF current state is v3. Let things be if current
* state if v1 but do reset the v2-querier-present timer.
*/
- mutex_enter(&ill->ill_lock);
if (ill->ill_mcast_type == IGMP_V3_ROUTER) {
ip1dbg(("Received IGMPv2 Query on %s, switching mode "
"to IGMP_V2_ROUTER", ill->ill_name));
@@ -554,18 +550,15 @@ igmp_query_in(ipha_t *ipha, igmpa_t *igmpa, ill_t *ill)
}
ill->ill_mcast_v2_time = 0;
ill->ill_mcast_v2_tset = 1;
- mutex_exit(&ill->ill_lock);
timer = DSEC_TO_MSEC((int)igmpa->igmpa_code);
}
if (ip_debug > 1) {
- mutex_enter(&ill->ill_lock);
(void) mi_strlog(ill->ill_rq, 1, SL_TRACE,
"igmp_input: TIMER = igmp_code %d igmp_type 0x%x",
(int)ntohs(igmpa->igmpa_code),
(int)ntohs(igmpa->igmpa_type));
- mutex_exit(&ill->ill_lock);
}
/*
@@ -582,11 +575,9 @@ igmp_query_in(ipha_t *ipha, igmpa_t *igmpa, ill_t *ill)
*/
next = (unsigned)INFINITY;
- ilm = ilm_walker_start(&ilw, ill);
- mutex_enter(&ill->ill_lock);
current = CURRENT_MSTIME;
+ for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
- for (; ilm != NULL; ilm = ilm_walker_step(&ilw, ilm)) {
/*
* A multicast router joins INADDR_ANY address
* to enable promiscuous reception of all
@@ -608,8 +599,12 @@ igmp_query_in(ipha_t *ipha, igmpa_t *igmpa, ill_t *ill)
}
}
}
- mutex_exit(&ill->ill_lock);
- ilm_walker_finish(&ilw);
+ rw_exit(&ill->ill_mcast_lock);
+ /*
+ * No packets have been sent above - no
+ * ill_mcast_send_queued is needed.
+ */
+ ill_mcast_timer_start(ill->ill_ipst);
return (next);
}
@@ -623,7 +618,6 @@ igmpv3_query_in(igmp3qa_t *igmp3qa, ill_t *ill, int igmplen)
ipaddr_t *src_array;
uint8_t qrv;
ip_stack_t *ipst;
- ilm_walker_t ilw;
ipst = ill->ill_ipst;
/* make sure numsrc matches packet size */
@@ -636,6 +630,8 @@ igmpv3_query_in(igmp3qa_t *igmp3qa, ill_t *ill, int igmplen)
++ipst->ips_igmpstat.igps_rcv_queries;
+ rw_enter(&ill->ill_mcast_lock, RW_WRITER);
+
if ((mrd = (uint_t)igmp3qa->igmp3qa_mxrc) >= IGMP_V3_MAXRT_FPMIN) {
uint_t hdrval, mant, exp;
hdrval = (uint_t)igmp3qa->igmp3qa_mxrc;
@@ -669,12 +665,11 @@ igmpv3_query_in(igmp3qa_t *igmp3qa, ill_t *ill, int igmplen)
* sooner than the delay we calculated for this response, then
* no action is required (RFC3376 section 5.2 rule 1)
*/
- mutex_enter(&ill->ill_lock);
if (ill->ill_global_timer < (current + delay)) {
- mutex_exit(&ill->ill_lock);
+ rw_exit(&ill->ill_mcast_lock);
+ ill_mcast_timer_start(ill->ill_ipst);
return (next);
}
- mutex_exit(&ill->ill_lock);
/*
* Now take action depending upon query type:
@@ -687,16 +682,11 @@ igmpv3_query_in(igmp3qa_t *igmp3qa, ill_t *ill, int igmplen)
* greater than our calculated delay, so reset it to
* our delay (random value in range [0, response time]).
*/
- mutex_enter(&ill->ill_lock);
ill->ill_global_timer = current + delay;
- mutex_exit(&ill->ill_lock);
next = delay;
-
} else {
/* group or group/source specific query */
- ilm = ilm_walker_start(&ilw, ill);
- mutex_enter(&ill->ill_lock);
- for (; ilm != NULL; ilm = ilm_walker_step(&ilw, ilm)) {
+ for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
if (!IN6_IS_ADDR_V4MAPPED(&ilm->ilm_v6addr) ||
(ilm->ilm_addr == htonl(INADDR_ANY)) ||
(ilm->ilm_addr == htonl(INADDR_ALLHOSTS_GROUP)) ||
@@ -750,13 +740,21 @@ group_query:
next = ilm->ilm_timer;
ilm->ilm_timer += current;
}
- mutex_exit(&ill->ill_lock);
- ilm_walker_finish(&ilw);
}
+ rw_exit(&ill->ill_mcast_lock);
+ /*
+ * No packets have been sent above - no
+ * ill_mcast_send_queued is needed.
+ */
+ ill_mcast_timer_start(ill->ill_ipst);
return (next);
}
+/*
+ * Caller holds ill_mcast_lock. We queue the packet using ill_mcast_queue
+ * and it gets sent after the lock is dropped.
+ */
void
igmp_joingroup(ilm_t *ilm)
{
@@ -764,27 +762,21 @@ igmp_joingroup(ilm_t *ilm)
ill_t *ill;
ip_stack_t *ipst = ilm->ilm_ipst;
- ill = ilm->ilm_ipif->ipif_ill;
+ ill = ilm->ilm_ill;
- ASSERT(IAM_WRITER_ILL(ill));
- ASSERT(ilm->ilm_ill == NULL && !ilm->ilm_ipif->ipif_isv6);
+ ASSERT(!ill->ill_isv6);
+ ASSERT(RW_WRITE_HELD(&ill->ill_mcast_lock));
- mutex_enter(&ill->ill_lock);
if (ilm->ilm_addr == htonl(INADDR_ALLHOSTS_GROUP)) {
ilm->ilm_rtx.rtx_timer = INFINITY;
ilm->ilm_state = IGMP_OTHERMEMBER;
- mutex_exit(&ill->ill_lock);
} else {
ip1dbg(("Querier mode %d, sending report, group %x\n",
ill->ill_mcast_type, htonl(ilm->ilm_addr)));
if (ill->ill_mcast_type == IGMP_V1_ROUTER) {
- mutex_exit(&ill->ill_lock);
igmp_sendpkt(ilm, IGMP_V1_MEMBERSHIP_REPORT, 0);
- mutex_enter(&ill->ill_lock);
} else if (ill->ill_mcast_type == IGMP_V2_ROUTER) {
- mutex_exit(&ill->ill_lock);
igmp_sendpkt(ilm, IGMP_V2_MEMBERSHIP_REPORT, 0);
- mutex_enter(&ill->ill_lock);
} else if (ill->ill_mcast_type == IGMP_V3_ROUTER) {
mrec_t *rp;
mcast_record_t rtype;
@@ -802,9 +794,7 @@ igmp_joingroup(ilm_t *ilm)
ALLOW_NEW_SOURCES : CHANGE_TO_EXCLUDE;
rp = mcast_bldmrec(rtype, &ilm->ilm_v6addr,
ilm->ilm_filter, NULL);
- mutex_exit(&ill->ill_lock);
- igmpv3_sendrpt(ilm->ilm_ipif, rp);
- mutex_enter(&ill->ill_lock);
+ igmpv3_sendrpt(ill, rp);
/*
* Set up retransmission state. Timer is set below,
* for both v3 and older versions.
@@ -820,35 +810,33 @@ igmp_joingroup(ilm_t *ilm)
timer = ilm->ilm_rtx.rtx_timer;
ilm->ilm_rtx.rtx_timer += CURRENT_MSTIME;
ilm->ilm_state = IGMP_IREPORTEDLAST;
- mutex_exit(&ill->ill_lock);
/*
- * We need to restart the IGMP timers, but we can't do it here
- * since we're inside the IPSQ and thus igmp_start_timers() ->
- * untimeout() (inside the IPSQ, waiting for a running timeout
- * to finish) could deadlock with igmp_timeout_handler() ->
- * ipsq_enter() (running the timeout, waiting to get inside
- * the IPSQ). We also can't just delay it until after we
- * ipsq_exit() since we could be inside more than one IPSQ and
- * thus still have the other IPSQs pinned after we exit -- and
- * igmp_start_timers() may be trying to enter one of those.
- * Instead, signal a dedicated thread that will do it for us.
+ * We are holding ill_mcast_lock here and the timeout
+ * handler (igmp_timeout_handler_per_ill) acquires that
+ * lock. Hence we can't call igmp_start_timer since it could
+ * deadlock in untimeout().
+ * Instead the thread which drops ill_mcast_lock will have
+ * to call ill_mcast_timer_start().
*/
mutex_enter(&ipst->ips_igmp_timer_lock);
ipst->ips_igmp_deferred_next = MIN(timer,
ipst->ips_igmp_deferred_next);
mutex_exit(&ipst->ips_igmp_timer_lock);
- mcast_signal_restart_thread(ipst);
}
if (ip_debug > 1) {
- (void) mi_strlog(ilm->ilm_ipif->ipif_ill->ill_rq, 1, SL_TRACE,
+ (void) mi_strlog(ilm->ilm_ill->ill_rq, 1, SL_TRACE,
"igmp_joingroup: multicast_type %d timer %d",
- (ilm->ilm_ipif->ipif_ill->ill_mcast_type),
+ (ilm->ilm_ill->ill_mcast_type),
(int)ntohl(timer));
}
}
+/*
+ * Caller holds ill_mcast_lock. We queue the packet using ill_mcast_queue
+ * and it gets sent after the lock is dropped.
+ */
void
mld_joingroup(ilm_t *ilm)
{
@@ -858,19 +846,16 @@ mld_joingroup(ilm_t *ilm)
ill = ilm->ilm_ill;
- ASSERT(IAM_WRITER_ILL(ill));
- ASSERT(ilm->ilm_ipif == NULL && ill->ill_isv6);
+ ASSERT(ill->ill_isv6);
+
+ ASSERT(RW_WRITE_HELD(&ill->ill_mcast_lock));
- mutex_enter(&ill->ill_lock);
if (IN6_ARE_ADDR_EQUAL(&ipv6_all_hosts_mcast, &ilm->ilm_v6addr)) {
ilm->ilm_rtx.rtx_timer = INFINITY;
ilm->ilm_state = IGMP_OTHERMEMBER;
- mutex_exit(&ill->ill_lock);
} else {
if (ill->ill_mcast_type == MLD_V1_ROUTER) {
- mutex_exit(&ill->ill_lock);
mld_sendpkt(ilm, MLD_LISTENER_REPORT, NULL);
- mutex_enter(&ill->ill_lock);
} else {
mrec_t *rp;
mcast_record_t rtype;
@@ -888,9 +873,7 @@ mld_joingroup(ilm_t *ilm)
ALLOW_NEW_SOURCES : CHANGE_TO_EXCLUDE;
rp = mcast_bldmrec(rtype, &ilm->ilm_v6addr,
ilm->ilm_filter, NULL);
- mutex_exit(&ill->ill_lock);
mldv2_sendrpt(ill, rp);
- mutex_enter(&ill->ill_lock);
/*
* Set up retransmission state. Timer is set below,
* for both v2 and v1.
@@ -909,17 +892,19 @@ mld_joingroup(ilm_t *ilm)
timer = ilm->ilm_rtx.rtx_timer;
ilm->ilm_rtx.rtx_timer += CURRENT_MSTIME;
ilm->ilm_state = IGMP_IREPORTEDLAST;
- mutex_exit(&ill->ill_lock);
/*
- * Signal another thread to restart the timers. See the
- * comment in igmp_joingroup() for details.
+ * We are holding ill_mcast_lock here and the timeout
+ * handler (mld_timeout_handler_per_ill) acquires that
+ * lock. Hence we can't call mld_start_timer since it could
+ * deadlock in untimeout().
+ * Instead the thread which drops ill_mcast_lock will have
+ * to call ill_mcast_timer_start().
*/
mutex_enter(&ipst->ips_mld_timer_lock);
ipst->ips_mld_deferred_next = MIN(timer,
ipst->ips_mld_deferred_next);
mutex_exit(&ipst->ips_mld_timer_lock);
- mcast_signal_restart_thread(ipst);
}
if (ip_debug > 1) {
@@ -930,23 +915,26 @@ mld_joingroup(ilm_t *ilm)
}
}
+/*
+ * Caller holds ill_mcast_lock. We queue the packet using ill_mcast_queue
+ * and it gets sent after the lock is dropped.
+ */
void
igmp_leavegroup(ilm_t *ilm)
{
- ill_t *ill = ilm->ilm_ipif->ipif_ill;
+ ill_t *ill = ilm->ilm_ill;
- ASSERT(ilm->ilm_ill == NULL);
ASSERT(!ill->ill_isv6);
- mutex_enter(&ill->ill_lock);
+ ASSERT(RW_WRITE_HELD(&ill->ill_mcast_lock));
if (ilm->ilm_state == IGMP_IREPORTEDLAST &&
ill->ill_mcast_type == IGMP_V2_ROUTER &&
(ilm->ilm_addr != htonl(INADDR_ALLHOSTS_GROUP))) {
- mutex_exit(&ill->ill_lock);
igmp_sendpkt(ilm, IGMP_V2_LEAVE_GROUP,
(htonl(INADDR_ALLRTRS_GROUP)));
return;
- } else if ((ill->ill_mcast_type == IGMP_V3_ROUTER) &&
+ }
+ if ((ill->ill_mcast_type == IGMP_V3_ROUTER) &&
(ilm->ilm_addr != htonl(INADDR_ALLHOSTS_GROUP))) {
mrec_t *rp;
/*
@@ -965,29 +953,30 @@ igmp_leavegroup(ilm_t *ilm)
rp = mcast_bldmrec(CHANGE_TO_INCLUDE, &ilm->ilm_v6addr,
NULL, NULL);
}
- mutex_exit(&ill->ill_lock);
- igmpv3_sendrpt(ilm->ilm_ipif, rp);
+ igmpv3_sendrpt(ill, rp);
return;
}
- mutex_exit(&ill->ill_lock);
}
+/*
+ * Caller holds ill_mcast_lock. We queue the packet using ill_mcast_queue
+ * and it gets sent after the lock is dropped.
+ */
void
mld_leavegroup(ilm_t *ilm)
{
ill_t *ill = ilm->ilm_ill;
- ASSERT(ilm->ilm_ipif == NULL);
ASSERT(ill->ill_isv6);
- mutex_enter(&ill->ill_lock);
+ ASSERT(RW_WRITE_HELD(&ill->ill_mcast_lock));
if (ilm->ilm_state == IGMP_IREPORTEDLAST &&
ill->ill_mcast_type == MLD_V1_ROUTER &&
(!IN6_ARE_ADDR_EQUAL(&ipv6_all_hosts_mcast, &ilm->ilm_v6addr))) {
- mutex_exit(&ill->ill_lock);
mld_sendpkt(ilm, MLD_LISTENER_REDUCTION, &ipv6_all_rtrs_mcast);
return;
- } else if ((ill->ill_mcast_type == MLD_V2_ROUTER) &&
+ }
+ if ((ill->ill_mcast_type == MLD_V2_ROUTER) &&
(!IN6_ARE_ADDR_EQUAL(&ipv6_all_hosts_mcast, &ilm->ilm_v6addr))) {
mrec_t *rp;
/*
@@ -1006,13 +995,15 @@ mld_leavegroup(ilm_t *ilm)
rp = mcast_bldmrec(CHANGE_TO_INCLUDE, &ilm->ilm_v6addr,
NULL, NULL);
}
- mutex_exit(&ill->ill_lock);
mldv2_sendrpt(ill, rp);
return;
}
- mutex_exit(&ill->ill_lock);
}
+/*
+ * Caller holds ill_mcast_lock. We queue the packet using ill_mcast_queue
+ * and it gets sent after the lock is dropped.
+ */
void
igmp_statechange(ilm_t *ilm, mcast_record_t fmode, slist_t *flist)
{
@@ -1023,17 +1014,11 @@ igmp_statechange(ilm_t *ilm, mcast_record_t fmode, slist_t *flist)
ASSERT(ilm != NULL);
/* state change reports should only be sent if the router is v3 */
- if (ilm->ilm_ipif->ipif_ill->ill_mcast_type != IGMP_V3_ROUTER)
+ if (ilm->ilm_ill->ill_mcast_type != IGMP_V3_ROUTER)
return;
- if (ilm->ilm_ill == NULL) {
- ASSERT(ilm->ilm_ipif != NULL);
- ill = ilm->ilm_ipif->ipif_ill;
- } else {
- ill = ilm->ilm_ill;
- }
-
- mutex_enter(&ill->ill_lock);
+ ill = ilm->ilm_ill;
+ ASSERT(RW_WRITE_HELD(&ill->ill_mcast_lock));
/*
* Compare existing(old) state with the new state and prepare
@@ -1089,8 +1074,7 @@ send_to_in:
/*
* Need to set up retransmission state; merge the new info with the
* current state (which may be null). If the timer is not currently
- * running, signal a thread to restart it -- see the comment in
- * igmp_joingroup() for details.
+ * running, the caller will start it when dropping ill_mcast_lock.
*/
rp = mcast_merge_rtx(ilm, rp, flist);
if (ilm->ilm_rtx.rtx_timer == INFINITY) {
@@ -1102,13 +1086,15 @@ send_to_in:
ilm->ilm_rtx.rtx_timer);
ilm->ilm_rtx.rtx_timer += CURRENT_MSTIME;
mutex_exit(&ipst->ips_igmp_timer_lock);
- mcast_signal_restart_thread(ipst);
}
- mutex_exit(&ill->ill_lock);
- igmpv3_sendrpt(ilm->ilm_ipif, rp);
+ igmpv3_sendrpt(ill, rp);
}
+/*
+ * Caller holds ill_mcast_lock. We queue the packet using ill_mcast_queue
+ * and it gets sent after the lock is dropped.
+ */
void
mld_statechange(ilm_t *ilm, mcast_record_t fmode, slist_t *flist)
{
@@ -1119,11 +1105,10 @@ mld_statechange(ilm_t *ilm, mcast_record_t fmode, slist_t *flist)
ASSERT(ilm != NULL);
ill = ilm->ilm_ill;
+ ASSERT(RW_WRITE_HELD(&ill->ill_mcast_lock));
/* only need to send if we have an mldv2-capable router */
- mutex_enter(&ill->ill_lock);
if (ill->ill_mcast_type != MLD_V2_ROUTER) {
- mutex_exit(&ill->ill_lock);
return;
}
@@ -1179,8 +1164,7 @@ send_to_in:
/*
* Need to set up retransmission state; merge the new info with the
* current state (which may be null). If the timer is not currently
- * running, signal a thread to restart it -- see the comment in
- * igmp_joingroup() for details.
+ * running, the caller will start it when dropping ill_mcast_lock.
*/
rp = mcast_merge_rtx(ilm, rp, flist);
ASSERT(ilm->ilm_rtx.rtx_cnt > 0);
@@ -1193,10 +1177,8 @@ send_to_in:
MIN(ipst->ips_mld_deferred_next, ilm->ilm_rtx.rtx_timer);
ilm->ilm_rtx.rtx_timer += CURRENT_MSTIME;
mutex_exit(&ipst->ips_mld_timer_lock);
- mcast_signal_restart_thread(ipst);
}
- mutex_exit(&ill->ill_lock);
mldv2_sendrpt(ill, rp);
}
@@ -1205,15 +1187,12 @@ igmp_timeout_handler_per_ill(ill_t *ill)
{
uint_t next = INFINITY, current;
ilm_t *ilm;
- ipif_t *ipif;
mrec_t *rp = NULL;
mrec_t *rtxrp = NULL;
rtx_state_t *rtxp;
mcast_record_t rtype;
- ASSERT(IAM_WRITER_ILL(ill));
-
- mutex_enter(&ill->ill_lock);
+ rw_enter(&ill->ill_mcast_lock, RW_WRITER);
current = CURRENT_MSTIME;
/* First check the global timer on this interface */
@@ -1230,10 +1209,8 @@ igmp_timeout_handler_per_ill(ill_t *ill)
for (ilm = ill->ill_ilm; ilm != NULL; ilm = ilm->ilm_next) {
if (ilm->ilm_addr == htonl(INADDR_ALLHOSTS_GROUP))
continue;
- ASSERT(ilm->ilm_ipif != NULL);
- ilm->ilm_ipif->ipif_igmp_rpt =
- mcast_bldmrec(ilm->ilm_fmode, &ilm->ilm_v6addr,
- ilm->ilm_filter, ilm->ilm_ipif->ipif_igmp_rpt);
+ rp = mcast_bldmrec(ilm->ilm_fmode, &ilm->ilm_v6addr,
+ ilm->ilm_filter, rp);
/*
* Since we're sending a report on this group, okay
* to delete pending group-specific timers. Note
@@ -1245,20 +1222,8 @@ igmp_timeout_handler_per_ill(ill_t *ill)
FREE_SLIST(ilm->ilm_pendsrcs);
ilm->ilm_pendsrcs = NULL;
}
- /*
- * We've built per-ipif mrec lists; walk the ill's ipif list
- * and send a report for each ipif that has an mrec list.
- */
- for (ipif = ill->ill_ipif; ipif != NULL;
- ipif = ipif->ipif_next) {
- if (ipif->ipif_igmp_rpt == NULL)
- continue;
- mutex_exit(&ill->ill_lock);
- igmpv3_sendrpt(ipif, ipif->ipif_igmp_rpt);
- mutex_enter(&ill->ill_lock);
- /* mrec list was freed by igmpv3_sendrpt() */
- ipif->ipif_igmp_rpt = NULL;
- }
+ igmpv3_sendrpt(ill, rp);
+ rp = NULL;
} else {
if ((ill->ill_global_timer - current) < next)
next = ill->ill_global_timer - current;
@@ -1288,13 +1253,9 @@ per_ilm_timer:
ilm->ilm_timer = INFINITY;
ilm->ilm_state = IGMP_IREPORTEDLAST;
if (ill->ill_mcast_type == IGMP_V1_ROUTER) {
- mutex_exit(&ill->ill_lock);
igmp_sendpkt(ilm, IGMP_V1_MEMBERSHIP_REPORT, 0);
- mutex_enter(&ill->ill_lock);
} else if (ill->ill_mcast_type == IGMP_V2_ROUTER) {
- mutex_exit(&ill->ill_lock);
igmp_sendpkt(ilm, IGMP_V2_MEMBERSHIP_REPORT, 0);
- mutex_enter(&ill->ill_lock);
} else {
slist_t *rsp;
if (!SLIST_IS_EMPTY(ilm->ilm_pendsrcs) &&
@@ -1325,9 +1286,7 @@ per_ilm_timer:
rp = mcast_bldmrec(ilm->ilm_fmode,
&ilm->ilm_v6addr, ilm->ilm_filter, rp);
}
- mutex_exit(&ill->ill_lock);
- igmpv3_sendrpt(ill->ill_ipif, rp);
- mutex_enter(&ill->ill_lock);
+ igmpv3_sendrpt(ill, rp);
rp = NULL;
}
@@ -1345,14 +1304,11 @@ per_ilm_rtxtimer:
rtxp->rtx_timer = INFINITY;
ilm->ilm_state = IGMP_IREPORTEDLAST;
if (ill->ill_mcast_type == IGMP_V1_ROUTER) {
- mutex_exit(&ill->ill_lock);
igmp_sendpkt(ilm, IGMP_V1_MEMBERSHIP_REPORT, 0);
- mutex_enter(&ill->ill_lock);
continue;
- } else if (ill->ill_mcast_type == IGMP_V2_ROUTER) {
- mutex_exit(&ill->ill_lock);
+ }
+ if (ill->ill_mcast_type == IGMP_V2_ROUTER) {
igmp_sendpkt(ilm, IGMP_V2_MEMBERSHIP_REPORT, 0);
- mutex_enter(&ill->ill_lock);
continue;
}
@@ -1393,13 +1349,14 @@ per_ilm_rtxtimer:
CLEAR_SLIST(rtxp->rtx_allow);
CLEAR_SLIST(rtxp->rtx_block);
}
- mutex_exit(&ill->ill_lock);
- igmpv3_sendrpt(ilm->ilm_ipif, rtxrp);
- mutex_enter(&ill->ill_lock);
+ igmpv3_sendrpt(ill, rtxrp);
rtxrp = NULL;
}
- mutex_exit(&ill->ill_lock);
+ rw_exit(&ill->ill_mcast_lock);
+ /* Send any deferred/queued IP packets */
+ ill_mcast_send_queued(ill);
+ /* Defer ill_mcast_timer_start() until the caller is done */
return (next);
}
@@ -1411,17 +1368,15 @@ per_ilm_rtxtimer:
*
* As part of multicast join and leave igmp we may need to send out an
* igmp request. The igmp related state variables in the ilm are protected
- * by ill_lock. A single global igmp timer is used to track igmp timeouts.
+ * by ill_mcast_lock. A single global igmp timer is used to track igmp timeouts.
* igmp_timer_lock protects the global igmp_timeout_id. igmp_start_timers
* starts the igmp timer if needed. It serializes multiple threads trying to
* simultaneously start the timer using the igmp_timer_setter_active flag.
*
* igmp_input() receives igmp queries and responds to the queries
* in a delayed fashion by posting a timer i.e. it calls igmp_start_timers().
- * Later the igmp_timer fires, the timeout handler igmp_timeout_handler()
- * performs the action exclusively after entering each ill's ipsq as writer.
- * (The need to enter the IPSQ is largely historical but there are still some
- * fields like ilm_filter that rely on it.)
+ * Later the igmp_timer fires, the timeout handler igmp_timerout_handler()
+ * performs the action exclusively after acquiring ill_mcast_lock.
*
* The igmp_slowtimeo() function is called thru another timer.
* igmp_slowtimeout_lock protects the igmp_slowtimeout_id
@@ -1433,12 +1388,12 @@ igmp_timeout_handler(void *arg)
uint_t global_next = INFINITY;
uint_t next;
ill_walk_context_t ctx;
- boolean_t success;
ip_stack_t *ipst = arg;
ASSERT(arg != NULL);
mutex_enter(&ipst->ips_igmp_timer_lock);
ASSERT(ipst->ips_igmp_timeout_id != 0);
+ ipst->ips_igmp_timeout_id = 0;
ipst->ips_igmp_timer_scheduled_last = 0;
ipst->ips_igmp_time_to_next = 0;
mutex_exit(&ipst->ips_igmp_timer_lock);
@@ -1447,31 +1402,17 @@ igmp_timeout_handler(void *arg)
ill = ILL_START_WALK_V4(&ctx, ipst);
for (; ill != NULL; ill = ill_next(&ctx, ill)) {
ASSERT(!ill->ill_isv6);
- /*
- * We may not be able to refhold the ill if the ill/ipif
- * is changing. But we need to make sure that the ill will
- * not vanish. So we just bump up the ill_waiter count.
- */
- if (!ill_waiter_inc(ill))
+ /* Make sure the ill isn't going away. */
+ if (!ill_check_and_refhold(ill))
continue;
rw_exit(&ipst->ips_ill_g_lock);
- success = ipsq_enter(ill, B_TRUE, NEW_OP);
- if (success) {
- next = igmp_timeout_handler_per_ill(ill);
- if (next < global_next)
- global_next = next;
- ipsq_exit(ill->ill_phyint->phyint_ipsq);
- }
+ next = igmp_timeout_handler_per_ill(ill);
+ if (next < global_next)
+ global_next = next;
+ ill_refrele(ill);
rw_enter(&ipst->ips_ill_g_lock, RW_READER);
- ill_waiter_dcr(ill);
}
rw_exit(&ipst->ips_ill_g_lock);
-
- mutex_enter(&ipst->ips_igmp_timer_lock);
- ASSERT(ipst->ips_igmp_timeout_id != 0);
- ipst->ips_igmp_timeout_id = 0;
- mutex_exit(&ipst->ips_igmp_timer_lock);
-
if (global_next != INFINITY)
igmp_start_timers(global_next, ipst);
}
@@ -1481,7 +1422,6 @@ igmp_timeout_handler(void *arg)
* Called when there are timeout events, every next (tick).
* Returns number of ticks to next event (or 0 if none).
*/
-/* ARGSUSED */
uint_t
mld_timeout_handler_per_ill(ill_t *ill)
{
@@ -1491,9 +1431,7 @@ mld_timeout_handler_per_ill(ill_t *ill)
rtx_state_t *rtxp;
mcast_record_t rtype;
- ASSERT(IAM_WRITER_ILL(ill));
-
- mutex_enter(&ill->ill_lock);
+ rw_enter(&ill->ill_mcast_lock, RW_WRITER);
current = CURRENT_MSTIME;
/*
@@ -1528,9 +1466,7 @@ mld_timeout_handler_per_ill(ill_t *ill)
FREE_SLIST(ilm->ilm_pendsrcs);
ilm->ilm_pendsrcs = NULL;
}
- mutex_exit(&ill->ill_lock);
mldv2_sendrpt(ill, rp);
- mutex_enter(&ill->ill_lock);
} else {
if ((ill->ill_global_timer - current) < next)
next = ill->ill_global_timer - current;
@@ -1561,9 +1497,7 @@ per_ilm_timer:
ilm->ilm_timer = INFINITY;
ilm->ilm_state = IGMP_IREPORTEDLAST;
if (ill->ill_mcast_type == MLD_V1_ROUTER) {
- mutex_exit(&ill->ill_lock);
mld_sendpkt(ilm, MLD_LISTENER_REPORT, NULL);
- mutex_enter(&ill->ill_lock);
} else {
slist_t *rsp;
if (!SLIST_IS_EMPTY(ilm->ilm_pendsrcs) &&
@@ -1605,9 +1539,7 @@ per_ilm_rtxtimer:
rtxp->rtx_timer = INFINITY;
ilm->ilm_state = IGMP_IREPORTEDLAST;
if (ill->ill_mcast_type == MLD_V1_ROUTER) {
- mutex_exit(&ill->ill_lock);
mld_sendpkt(ilm, MLD_LISTENER_REPORT, NULL);
- mutex_enter(&ill->ill_lock);
continue;
}
@@ -1651,13 +1583,13 @@ per_ilm_rtxtimer:
}
if (ill->ill_mcast_type == MLD_V2_ROUTER) {
- mutex_exit(&ill->ill_lock);
mldv2_sendrpt(ill, rp);
mldv2_sendrpt(ill, rtxrp);
- return (next);
}
-
- mutex_exit(&ill->ill_lock);
+ rw_exit(&ill->ill_mcast_lock);
+ /* Send any deferred/queued IP packets */
+ ill_mcast_send_queued(ill);
+ /* Defer ill_mcast_timer_start() until the caller is done */
return (next);
}
@@ -1675,12 +1607,12 @@ mld_timeout_handler(void *arg)
uint_t global_next = INFINITY;
uint_t next;
ill_walk_context_t ctx;
- boolean_t success;
ip_stack_t *ipst = arg;
ASSERT(arg != NULL);
mutex_enter(&ipst->ips_mld_timer_lock);
ASSERT(ipst->ips_mld_timeout_id != 0);
+ ipst->ips_mld_timeout_id = 0;
ipst->ips_mld_timer_scheduled_last = 0;
ipst->ips_mld_time_to_next = 0;
mutex_exit(&ipst->ips_mld_timer_lock);
@@ -1689,31 +1621,17 @@ mld_timeout_handler(void *arg)
ill = ILL_START_WALK_V6(&ctx, ipst);
for (; ill != NULL; ill = ill_next(&ctx, ill)) {
ASSERT(ill->ill_isv6);
- /*
- * We may not be able to refhold the ill if the ill/ipif
- * is changing. But we need to make sure that the ill will
- * not vanish. So we just bump up the ill_waiter count.
- */
- if (!ill_waiter_inc(ill))
+ /* Make sure the ill isn't going away. */
+ if (!ill_check_and_refhold(ill))
continue;
rw_exit(&ipst->ips_ill_g_lock);
- success = ipsq_enter(ill, B_TRUE, NEW_OP);
- if (success) {
- next = mld_timeout_handler_per_ill(ill);
- if (next < global_next)
- global_next = next;
- ipsq_exit(ill->ill_phyint->phyint_ipsq);
- }
+ next = mld_timeout_handler_per_ill(ill);
+ if (next < global_next)
+ global_next = next;
+ ill_refrele(ill);
rw_enter(&ipst->ips_ill_g_lock, RW_READER);
- ill_waiter_dcr(ill);
}
rw_exit(&ipst->ips_ill_g_lock);
-
- mutex_enter(&ipst->ips_mld_timer_lock);
- ASSERT(ipst->ips_mld_timeout_id != 0);
- ipst->ips_mld_timeout_id = 0;
- mutex_exit(&ipst->ips_mld_timer_lock);
-
if (global_next != INFINITY)
mld_start_timers(global_next, ipst);
}
@@ -1743,8 +1661,6 @@ igmp_slowtimo(void *arg)
ip_stack_t *ipst = (ip_stack_t *)arg;
ASSERT(arg != NULL);
- /* Hold the ill_g_lock so that we can safely walk the ill list */
- rw_enter(&ipst->ips_ill_g_lock, RW_READER);
/*
* The ill_if_t list is circular, hence the odd loop parameters.
@@ -1754,6 +1670,7 @@ igmp_slowtimo(void *arg)
* structure (allowing us to skip if none of the instances have timers
* running).
*/
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
for (ifp = IP_V4_ILL_G_LIST(ipst);
ifp != (ill_if_t *)&IP_V4_ILL_G_LIST(ipst);
ifp = ifp->illif_next) {
@@ -1768,7 +1685,11 @@ igmp_slowtimo(void *arg)
avl_tree = &ifp->illif_avl_by_ppa;
for (ill = avl_first(avl_tree); ill != NULL;
ill = avl_walk(avl_tree, ill, AVL_AFTER)) {
- mutex_enter(&ill->ill_lock);
+ /* Make sure the ill isn't going away. */
+ if (!ill_check_and_refhold(ill))
+ continue;
+ rw_exit(&ipst->ips_ill_g_lock);
+ rw_enter(&ill->ill_mcast_lock, RW_WRITER);
if (ill->ill_mcast_v1_tset == 1)
ill->ill_mcast_v1_time++;
if (ill->ill_mcast_v2_tset == 1)
@@ -1808,10 +1729,13 @@ igmp_slowtimo(void *arg)
ill->ill_mcast_v2_tset = 0;
atomic_add_16(&ifp->illif_mcast_v2, -1);
}
- mutex_exit(&ill->ill_lock);
+ rw_exit(&ill->ill_mcast_lock);
+ ill_refrele(ill);
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
}
}
rw_exit(&ipst->ips_ill_g_lock);
+ ill_mcast_timer_start(ipst);
mutex_enter(&ipst->ips_igmp_slowtimeout_lock);
ipst->ips_igmp_slowtimeout_id = timeout(igmp_slowtimo, (void *)ipst,
MSEC_TO_TICK(MCAST_SLOWTIMO_INTERVAL));
@@ -1826,7 +1750,6 @@ igmp_slowtimo(void *arg)
* Check for ips_mld_max_version ensures that we don't revert to a higher
* IGMP version than configured.
*/
-/* ARGSUSED */
void
mld_slowtimo(void *arg)
{
@@ -1847,7 +1770,11 @@ mld_slowtimo(void *arg)
avl_tree = &ifp->illif_avl_by_ppa;
for (ill = avl_first(avl_tree); ill != NULL;
ill = avl_walk(avl_tree, ill, AVL_AFTER)) {
- mutex_enter(&ill->ill_lock);
+ /* Make sure the ill isn't going away. */
+ if (!ill_check_and_refhold(ill))
+ continue;
+ rw_exit(&ipst->ips_ill_g_lock);
+ rw_enter(&ill->ill_mcast_lock, RW_WRITER);
if (ill->ill_mcast_v1_tset == 1)
ill->ill_mcast_v1_time++;
if ((ill->ill_mcast_type == MLD_V1_ROUTER) &&
@@ -1861,10 +1788,13 @@ mld_slowtimo(void *arg)
ill->ill_mcast_v1_tset = 0;
atomic_add_16(&ifp->illif_mcast_v1, -1);
}
- mutex_exit(&ill->ill_lock);
+ rw_exit(&ill->ill_mcast_lock);
+ ill_refrele(ill);
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
}
}
rw_exit(&ipst->ips_ill_g_lock);
+ ill_mcast_timer_start(ipst);
mutex_enter(&ipst->ips_mld_slowtimeout_lock);
ipst->ips_mld_slowtimeout_id = timeout(mld_slowtimo, (void *)ipst,
MSEC_TO_TICK(MCAST_SLOWTIMO_INTERVAL));
@@ -1873,9 +1803,7 @@ mld_slowtimo(void *arg)
/*
* igmp_sendpkt:
- * This will send to ip_wput like icmp_inbound.
- * Note that the lower ill (on which the membership is kept) is used
- * as an upper ill to pass in the multicast parameters.
+ * This will send to ip_output_simple just like icmp_inbound.
*/
static void
igmp_sendpkt(ilm_t *ilm, uchar_t type, ipaddr_t addr)
@@ -1886,51 +1814,16 @@ igmp_sendpkt(ilm_t *ilm, uchar_t type, ipaddr_t addr)
ipha_t *ipha;
int hdrlen = sizeof (ipha_t) + RTRALERT_LEN;
size_t size = hdrlen + sizeof (igmpa_t);
- ipif_t *ipif = ilm->ilm_ipif;
- ill_t *ill = ipif->ipif_ill;
- mblk_t *first_mp;
- ipsec_out_t *io;
- zoneid_t zoneid;
+ ill_t *ill = ilm->ilm_ill;
ip_stack_t *ipst = ill->ill_ipst;
- /*
- * We need to make sure this packet goes out on an ipif. If
- * there is some global policy match in ip_wput_ire, we need
- * to get to the right interface after IPSEC processing.
- * To make sure this multicast packet goes out on the right
- * interface, we attach an ipsec_out and initialize ill_index
- * like we did in ip_wput. To make sure that this packet does
- * not get forwarded on other interfaces or looped back, we
- * set ipsec_out_dontroute to B_TRUE and ipsec_out_multicast_loop
- * to B_FALSE.
- */
- first_mp = allocb(sizeof (ipsec_info_t), BPRI_HI);
- if (first_mp == NULL)
- return;
-
- first_mp->b_datap->db_type = M_CTL;
- first_mp->b_wptr += sizeof (ipsec_info_t);
- bzero(first_mp->b_rptr, sizeof (ipsec_info_t));
- /* ipsec_out_secure is B_FALSE now */
- io = (ipsec_out_t *)first_mp->b_rptr;
- io->ipsec_out_type = IPSEC_OUT;
- io->ipsec_out_len = sizeof (ipsec_out_t);
- io->ipsec_out_use_global_policy = B_TRUE;
- io->ipsec_out_ill_index = ill->ill_phyint->phyint_ifindex;
- io->ipsec_out_multicast_loop = B_FALSE;
- io->ipsec_out_dontroute = B_TRUE;
- if ((zoneid = ilm->ilm_zoneid) == ALL_ZONES)
- zoneid = GLOBAL_ZONEID;
- io->ipsec_out_zoneid = zoneid;
- io->ipsec_out_ns = ipst->ips_netstack; /* No netstack_hold */
+ ASSERT(RW_LOCK_HELD(&ill->ill_mcast_lock));
mp = allocb(size, BPRI_HI);
if (mp == NULL) {
- freemsg(first_mp);
return;
}
mp->b_wptr = mp->b_rptr + size;
- first_mp->b_cont = mp;
ipha = (ipha_t *)mp->b_rptr;
rtralert = (uint8_t *)&(ipha[1]);
@@ -1956,53 +1849,38 @@ igmp_sendpkt(ilm_t *ilm, uchar_t type, ipaddr_t addr)
ipha->ipha_protocol = IPPROTO_IGMP;
ipha->ipha_hdr_checksum = 0;
ipha->ipha_dst = addr ? addr : igmpa->igmpa_group;
- ipha->ipha_src = ipif->ipif_src_addr;
- /*
- * Request loopback of the report if we are acting as a multicast
- * router, so that the process-level routing demon can hear it.
- */
- /*
- * This will run multiple times for the same group if there are members
- * on the same group for multiple ipif's on the same ill. The
- * igmp_input code will suppress this due to the loopback thus we
- * always loopback membership report.
- */
- ASSERT(ill->ill_rq != NULL);
- ip_multicast_loopback(ill->ill_rq, ill, first_mp, 0, ilm->ilm_zoneid);
+ ipha->ipha_src = INADDR_ANY;
- ip_wput_multicast(ill->ill_wq, first_mp, ipif, zoneid);
+ ill_mcast_queue(ill, mp);
++ipst->ips_igmpstat.igps_snd_reports;
}
/*
- * Sends an IGMP_V3_MEMBERSHIP_REPORT message out the ill associated
- * with the passed-in ipif. The report will contain one group record
+ * Sends an IGMP_V3_MEMBERSHIP_REPORT message out the ill.
+ * The report will contain one group record
* for each element of reclist. If this causes packet length to
- * exceed ipif->ipif_ill->ill_max_frag, multiple reports are sent.
+ * exceed ill->ill_mtu, multiple reports are sent.
* reclist is assumed to be made up of buffers allocated by mcast_bldmrec(),
* and those buffers are freed here.
*/
static void
-igmpv3_sendrpt(ipif_t *ipif, mrec_t *reclist)
+igmpv3_sendrpt(ill_t *ill, mrec_t *reclist)
{
- ipsec_out_t *io;
igmp3ra_t *igmp3ra;
grphdra_t *grphdr;
- mblk_t *first_mp, *mp;
+ mblk_t *mp;
ipha_t *ipha;
uint8_t *rtralert;
ipaddr_t *src_array;
int i, j, numrec, more_src_cnt;
size_t hdrsize, size, rsize;
- ill_t *ill = ipif->ipif_ill;
mrec_t *rp, *cur_reclist;
mrec_t *next_reclist = reclist;
boolean_t morepkts;
- zoneid_t zoneid;
ip_stack_t *ipst = ill->ill_ipst;
- ASSERT(IAM_WRITER_IPIF(ipif));
+ ASSERT(RW_LOCK_HELD(&ill->ill_mcast_lock));
/* if there aren't any records, there's nothing to send */
if (reclist == NULL)
@@ -2018,7 +1896,7 @@ nextpkt:
for (rp = cur_reclist; rp != NULL; rp = rp->mrec_next) {
rsize = sizeof (grphdra_t) +
(rp->mrec_srcs.sl_numsrc * sizeof (ipaddr_t));
- if (size + rsize > ill->ill_max_frag) {
+ if (size + rsize > ill->ill_mtu) {
if (rp == cur_reclist) {
/*
* If the first mrec we looked at is too big
@@ -2029,7 +1907,7 @@ nextpkt:
* other types).
*/
int srcspace, srcsperpkt;
- srcspace = ill->ill_max_frag - (size +
+ srcspace = ill->ill_mtu - (size +
sizeof (grphdra_t));
/*
@@ -2082,37 +1960,12 @@ nextpkt:
numrec++;
}
- /*
- * See comments in igmp_sendpkt() about initializing for ipsec and
- * load balancing requirements.
- */
- first_mp = allocb(sizeof (ipsec_info_t), BPRI_HI);
- if (first_mp == NULL)
- goto free_reclist;
-
- first_mp->b_datap->db_type = M_CTL;
- first_mp->b_wptr += sizeof (ipsec_info_t);
- bzero(first_mp->b_rptr, sizeof (ipsec_info_t));
- /* ipsec_out_secure is B_FALSE now */
- io = (ipsec_out_t *)first_mp->b_rptr;
- io->ipsec_out_type = IPSEC_OUT;
- io->ipsec_out_len = sizeof (ipsec_out_t);
- io->ipsec_out_use_global_policy = B_TRUE;
- io->ipsec_out_ill_index = ill->ill_phyint->phyint_ifindex;
- io->ipsec_out_multicast_loop = B_FALSE;
- io->ipsec_out_dontroute = B_TRUE;
- if ((zoneid = ipif->ipif_zoneid) == ALL_ZONES)
- zoneid = GLOBAL_ZONEID;
- io->ipsec_out_zoneid = zoneid;
-
mp = allocb(size, BPRI_HI);
if (mp == NULL) {
- freemsg(first_mp);
goto free_reclist;
}
bzero((char *)mp->b_rptr, size);
mp->b_wptr = (uchar_t *)(mp->b_rptr + size);
- first_mp->b_cont = mp;
ipha = (ipha_t *)mp->b_rptr;
rtralert = (uint8_t *)&(ipha[1]);
@@ -2149,21 +2002,9 @@ nextpkt:
ipha->ipha_ttl = IGMP_TTL;
ipha->ipha_protocol = IPPROTO_IGMP;
ipha->ipha_dst = htonl(INADDR_ALLRPTS_GROUP);
- ipha->ipha_src = ipif->ipif_src_addr;
+ ipha->ipha_src = INADDR_ANY;
- /*
- * Request loopback of the report if we are acting as a multicast
- * router, so that the process-level routing daemon can hear it.
- *
- * This will run multiple times for the same group if there are
- * members on the same group for multiple ipifs on the same ill.
- * The igmp_input code will suppress this due to the loopback;
- * thus we always loopback membership report.
- */
- ASSERT(ill->ill_rq != NULL);
- ip_multicast_loopback(ill->ill_rq, ill, mp, 0, ipif->ipif_zoneid);
-
- ip_wput_multicast(ill->ill_wq, first_mp, ipif, zoneid);
+ ill_mcast_queue(ill, mp);
++ipst->ips_igmpstat.igps_snd_reports;
@@ -2190,21 +2031,24 @@ free_reclist:
/*
* mld_input:
+ * Return NULL for a bad packet that is discarded here.
+ * Return mp if the message is OK and should be handed to "raw" receivers.
+ * Callers of mld_input() may need to reinitialize variables that were copied
+ * from the mblk as this calls pullupmsg().
*/
-/* ARGSUSED */
-void
-mld_input(queue_t *q, mblk_t *mp, ill_t *ill)
+mblk_t *
+mld_input(mblk_t *mp, ip_recv_attr_t *ira)
{
ip6_t *ip6h = (ip6_t *)(mp->b_rptr);
mld_hdr_t *mldh;
ilm_t *ilm;
ipif_t *ipif;
uint16_t hdr_length, exthdr_length;
- in6_addr_t *v6group_ptr, *lcladdr_ptr;
+ in6_addr_t *v6group_ptr;
uint_t next;
int mldlen;
+ ill_t *ill = ira->ira_ill;
ip_stack_t *ipst = ill->ill_ipst;
- ilm_walker_t ilw;
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInGroupMembTotal);
@@ -2212,30 +2056,26 @@ mld_input(queue_t *q, mblk_t *mp, ill_t *ill)
if (!(IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src))) {
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInErrors);
freemsg(mp);
- return;
+ return (NULL);
}
if (ip6h->ip6_hlim != 1) {
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpBadHoplimit);
freemsg(mp);
- return;
+ return (NULL);
}
/* Get to the icmp header part */
- if (ip6h->ip6_nxt != IPPROTO_ICMPV6) {
- hdr_length = ip_hdr_length_v6(mp, ip6h);
- exthdr_length = hdr_length - IPV6_HDR_LEN;
- } else {
- hdr_length = IPV6_HDR_LEN;
- exthdr_length = 0;
- }
+ hdr_length = ira->ira_ip_hdr_length;
+ exthdr_length = hdr_length - IPV6_HDR_LEN;
+
mldlen = ntohs(ip6h->ip6_plen) - exthdr_length;
/* An MLD packet must at least be 24 octets to be valid */
if (mldlen < MLD_MINLEN) {
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInErrors);
freemsg(mp);
- return;
+ return (NULL);
}
mldh = (mld_hdr_t *)(&mp->b_rptr[hdr_length]);
@@ -2254,50 +2094,41 @@ mld_input(queue_t *q, mblk_t *mp, ill_t *ill)
} else {
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInErrors);
freemsg(mp);
- return;
+ return (NULL);
}
if (next == 0) {
- freemsg(mp);
- return;
+ return (mp);
}
if (next != INFINITY)
mld_start_timers(next, ipst);
break;
- case MLD_LISTENER_REPORT: {
-
- ASSERT(ill->ill_ipif != NULL);
+ case MLD_LISTENER_REPORT:
/*
* For fast leave to work, we have to know that we are the
* last person to send a report for this group. Reports
* generated by us are looped back since we could potentially
* be a multicast router, so discard reports sourced by me.
*/
- lcladdr_ptr = &(ill->ill_ipif->ipif_v6subnet);
mutex_enter(&ill->ill_lock);
for (ipif = ill->ill_ipif; ipif != NULL;
ipif = ipif->ipif_next) {
if (IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6lcl_addr,
- lcladdr_ptr)) {
+ &ip6h->ip6_src)) {
if (ip_debug > 1) {
char buf1[INET6_ADDRSTRLEN];
- char buf2[INET6_ADDRSTRLEN];
(void) mi_strlog(ill->ill_rq,
1,
SL_TRACE,
"mld_input: we are only "
- "member src %s ipif_local %s",
- inet_ntop(AF_INET6, lcladdr_ptr,
- buf1, sizeof (buf1)),
- inet_ntop(AF_INET6,
- &ipif->ipif_v6lcl_addr,
- buf2, sizeof (buf2)));
+ "member src %s\n",
+ inet_ntop(AF_INET6, &ip6h->ip6_src,
+ buf1, sizeof (buf1)));
}
mutex_exit(&ill->ill_lock);
- freemsg(mp);
- return;
+ return (mp);
}
}
mutex_exit(&ill->ill_lock);
@@ -2308,9 +2139,10 @@ mld_input(queue_t *q, mblk_t *mp, ill_t *ill)
BUMP_MIB(ill->ill_icmp6_mib,
ipv6IfIcmpInGroupMembBadReports);
freemsg(mp);
- return;
+ return (NULL);
}
+
/*
* If we belong to the group being reported, and we are a
* 'Delaying member' per the RFC terminology, stop our timer
@@ -2319,8 +2151,8 @@ mld_input(queue_t *q, mblk_t *mp, ill_t *ill)
* membership entries for the same group address (one per zone)
* so we need to walk the ill_ilm list.
*/
- ilm = ilm_walker_start(&ilw, ill);
- for (; ilm != NULL; ilm = ilm_walker_step(&ilw, ilm)) {
+ rw_enter(&ill->ill_mcast_lock, RW_WRITER);
+ for (ilm = ill->ill_ilm; ilm != NULL; ilm = ilm->ilm_next) {
if (!IN6_ARE_ADDR_EQUAL(&ilm->ilm_v6addr, v6group_ptr))
continue;
BUMP_MIB(ill->ill_icmp6_mib,
@@ -2329,23 +2161,19 @@ mld_input(queue_t *q, mblk_t *mp, ill_t *ill)
ilm->ilm_timer = INFINITY;
ilm->ilm_state = IGMP_OTHERMEMBER;
}
- ilm_walker_finish(&ilw);
+ rw_exit(&ill->ill_mcast_lock);
+ /*
+ * No packets have been sent above - no
+ * ill_mcast_send_queued is needed.
+ */
+ ill_mcast_timer_start(ill->ill_ipst);
break;
- }
+
case MLD_LISTENER_REDUCTION:
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInGroupMembReductions);
break;
}
- /*
- * All MLD packets have already been passed up to any
- * process(es) listening on a ICMP6 raw socket. This
- * has been accomplished in ip_deliver_local_v6 prior to
- * this function call. It is assumed that the multicast daemon
- * will have a SOCK_RAW IPPROTO_ICMPV6 (and presumbly use the
- * ICMP6_FILTER socket option to only receive the MLD messages)
- * Thus we can free the MLD message block here
- */
- freemsg(mp);
+ return (mp);
}
/*
@@ -2359,7 +2187,6 @@ mld_query_in(mld_hdr_t *mldh, ill_t *ill)
int timer;
uint_t next, current;
in6_addr_t *v6group;
- ilm_walker_t ilw;
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInGroupMembQueries);
@@ -2383,7 +2210,7 @@ mld_query_in(mld_hdr_t *mldh, ill_t *ill)
}
/* Need to do compatibility mode checking */
- mutex_enter(&ill->ill_lock);
+ rw_enter(&ill->ill_mcast_lock, RW_WRITER);
ill->ill_mcast_v1_time = 0;
ill->ill_mcast_v1_tset = 1;
if (ill->ill_mcast_type == MLD_V2_ROUTER) {
@@ -2392,7 +2219,6 @@ mld_query_in(mld_hdr_t *mldh, ill_t *ill)
atomic_add_16(&ill->ill_ifptr->illif_mcast_v1, 1);
ill->ill_mcast_type = MLD_V1_ROUTER;
}
- mutex_exit(&ill->ill_lock);
timer = (int)ntohs(mldh->mld_maxdelay);
if (ip_debug > 1) {
@@ -2415,11 +2241,8 @@ mld_query_in(mld_hdr_t *mldh, ill_t *ill)
*/
next = INFINITY;
- ilm = ilm_walker_start(&ilw, ill);
- mutex_enter(&ill->ill_lock);
current = CURRENT_MSTIME;
-
- for (; ilm != NULL; ilm = ilm_walker_step(&ilw, ilm)) {
+ for (ilm = ill->ill_ilm; ilm != NULL; ilm = ilm->ilm_next) {
ASSERT(!IN6_IS_ADDR_V4MAPPED(&ilm->ilm_v6addr));
if (IN6_IS_ADDR_UNSPECIFIED(&ilm->ilm_v6addr) ||
@@ -2434,9 +2257,7 @@ mld_query_in(mld_hdr_t *mldh, ill_t *ill)
/* Respond immediately */
ilm->ilm_timer = INFINITY;
ilm->ilm_state = IGMP_IREPORTEDLAST;
- mutex_exit(&ill->ill_lock);
mld_sendpkt(ilm, MLD_LISTENER_REPORT, NULL);
- mutex_enter(&ill->ill_lock);
break;
}
if (ilm->ilm_timer > timer) {
@@ -2448,8 +2269,10 @@ mld_query_in(mld_hdr_t *mldh, ill_t *ill)
break;
}
}
- mutex_exit(&ill->ill_lock);
- ilm_walker_finish(&ilw);
+ rw_exit(&ill->ill_mcast_lock);
+ /* Send any deferred/queued IP packets */
+ ill_mcast_send_queued(ill);
+ ill_mcast_timer_start(ill->ill_ipst);
return (next);
}
@@ -2466,7 +2289,6 @@ mldv2_query_in(mld2q_t *mld2q, ill_t *ill, int mldlen)
in6_addr_t *v6group, *src_array;
uint_t next, numsrc, i, mrd, delay, qqi, current;
uint8_t qrv;
- ilm_walker_t ilw;
v6group = &mld2q->mld2q_addr;
numsrc = ntohs(mld2q->mld2q_numsrc);
@@ -2514,12 +2336,11 @@ mldv2_query_in(mld2q_t *mld2q, ill_t *ill, int mldlen)
* sooner than the delay we calculated for this response, then
* no action is required (MLDv2 draft section 6.2 rule 1)
*/
- mutex_enter(&ill->ill_lock);
+ rw_enter(&ill->ill_mcast_lock, RW_WRITER);
if (ill->ill_global_timer < (current + delay)) {
- mutex_exit(&ill->ill_lock);
+ rw_exit(&ill->ill_mcast_lock);
return (next);
}
- mutex_exit(&ill->ill_lock);
/*
* Now take action depending on query type: general,
@@ -2532,16 +2353,11 @@ mldv2_query_in(mld2q_t *mld2q, ill_t *ill, int mldlen)
* greater than our calculated delay, so reset it to
* our delay (random value in range [0, response time])
*/
- mutex_enter(&ill->ill_lock);
ill->ill_global_timer = current + delay;
- mutex_exit(&ill->ill_lock);
next = delay;
-
} else {
/* group or group/source specific query */
- ilm = ilm_walker_start(&ilw, ill);
- mutex_enter(&ill->ill_lock);
- for (; ilm != NULL; ilm = ilm_walker_step(&ilw, ilm)) {
+ for (ilm = ill->ill_ilm; ilm != NULL; ilm = ilm->ilm_next) {
if (IN6_IS_ADDR_UNSPECIFIED(&ilm->ilm_v6addr) ||
IN6_IS_ADDR_MC_NODELOCAL(&ilm->ilm_v6addr) ||
IN6_IS_ADDR_MC_RESERVED(&ilm->ilm_v6addr) ||
@@ -2595,9 +2411,13 @@ group_query:
ilm->ilm_timer += current;
break;
}
- mutex_exit(&ill->ill_lock);
- ilm_walker_finish(&ilw);
}
+ rw_exit(&ill->ill_mcast_lock);
+ /*
+ * No packets have been sent above - no
+ * ill_mcast_send_queued is needed.
+ */
+ ill_mcast_timer_start(ill->ill_ipst);
return (next);
}
@@ -2615,7 +2435,8 @@ mld_sendpkt(ilm_t *ilm, uchar_t type, const in6_addr_t *v6addr)
struct ip6_opt_router *ip6router;
size_t size = IPV6_HDR_LEN + sizeof (mld_hdr_t);
ill_t *ill = ilm->ilm_ill;
- ipif_t *ipif;
+
+ ASSERT(RW_LOCK_HELD(&ill->ill_mcast_lock));
/*
* We need to place a router alert option in this packet. The length
@@ -2663,35 +2484,20 @@ mld_sendpkt(ilm_t *ilm, uchar_t type, const in6_addr_t *v6addr)
else
ip6h->ip6_dst = *v6addr;
- /* ipif returned by ipif_lookup_zoneid is link-local (if present) */
- if (ipif_lookup_zoneid(ill, ilm->ilm_zoneid, IPIF_UP, &ipif)) {
- ip6h->ip6_src = ipif->ipif_v6src_addr;
- ipif_refrele(ipif);
- } else {
- /* Otherwise, use IPv6 default address selection. */
- ip6h->ip6_src = ipv6_all_zeros;
- }
-
+ ip6h->ip6_src = ipv6_all_zeros;
/*
* Prepare for checksum by putting icmp length in the icmp
- * checksum field. The checksum is calculated in ip_wput_v6.
+ * checksum field. The checksum is calculated in ip_output.
*/
mldh->mld_cksum = htons(sizeof (*mldh));
- /*
- * ip_wput will automatically loopback the multicast packet to
- * the conn if multicast loopback is enabled.
- * The MIB stats corresponding to this outgoing MLD packet
- * will be accounted for in ip_wput->ip_wput_v6->ip_wput_ire_v6
- * ->icmp_update_out_mib_v6 function call.
- */
- (void) ip_output_v6(NULL, mp, ill->ill_wq, IP_WPUT);
+ ill_mcast_queue(ill, mp);
}
/*
* Sends an MLD_V2_LISTENER_REPORT message out the passed-in ill. The
* report will contain one multicast address record for each element of
- * reclist. If this causes packet length to exceed ill->ill_max_frag,
+ * reclist. If this causes packet length to exceed ill->ill_mtu,
* multiple reports are sent. reclist is assumed to be made up of
* buffers allocated by mcast_bldmrec(), and those buffers are freed here.
*/
@@ -2706,19 +2512,17 @@ mldv2_sendrpt(ill_t *ill, mrec_t *reclist)
ip6_hbh_t *ip6hbh;
struct ip6_opt_router *ip6router;
size_t size, optlen, padlen, icmpsize, rsize;
- ipif_t *ipif;
int i, numrec, more_src_cnt;
mrec_t *rp, *cur_reclist;
mrec_t *next_reclist = reclist;
boolean_t morepkts;
- ASSERT(IAM_WRITER_ILL(ill));
-
/* If there aren't any records, there's nothing to send */
if (reclist == NULL)
return;
ASSERT(ill->ill_isv6);
+ ASSERT(RW_LOCK_HELD(&ill->ill_mcast_lock));
/*
* Total option length (optlen + padlen) must be a multiple of
@@ -2737,7 +2541,7 @@ nextpkt:
rp = rp->mrec_next, numrec++) {
rsize = sizeof (mld2mar_t) +
(rp->mrec_srcs.sl_numsrc * sizeof (in6_addr_t));
- if (size + rsize > ill->ill_max_frag) {
+ if (size + rsize > ill->ill_mtu) {
if (rp == cur_reclist) {
/*
* If the first mrec we looked at is too big
@@ -2748,7 +2552,7 @@ nextpkt:
* other types).
*/
int srcspace, srcsperpkt;
- srcspace = ill->ill_max_frag -
+ srcspace = ill->ill_mtu -
(size + sizeof (mld2mar_t));
/*
@@ -2819,14 +2623,7 @@ nextpkt:
ip6h->ip6_nxt = IPPROTO_HOPOPTS;
ip6h->ip6_hops = MLD_HOP_LIMIT;
ip6h->ip6_dst = ipv6_all_v2rtrs_mcast;
- /* ipif returned by ipif_lookup_zoneid is link-local (if present) */
- if (ipif_lookup_zoneid(ill, ALL_ZONES, IPIF_UP, &ipif)) {
- ip6h->ip6_src = ipif->ipif_v6src_addr;
- ipif_refrele(ipif);
- } else {
- /* otherwise, use IPv6 default address selection. */
- ip6h->ip6_src = ipv6_all_zeros;
- }
+ ip6h->ip6_src = ipv6_all_zeros;
ip6hbh->ip6h_nxt = IPPROTO_ICMPV6;
/*
@@ -2844,7 +2641,7 @@ nextpkt:
mld2r->mld2r_nummar = htons(numrec);
/*
* Prepare for the checksum by putting icmp length in the icmp
- * checksum field. The checksum is calculated in ip_wput_v6.
+ * checksum field. The checksum is calculated in ip_output_simple.
*/
mld2r->mld2r_cksum = htons(icmpsize);
@@ -2861,14 +2658,7 @@ nextpkt:
mld2mar = (mld2mar_t *)&(srcarray[i]);
}
- /*
- * ip_wput will automatically loopback the multicast packet to
- * the conn if multicast loopback is enabled.
- * The MIB stats corresponding to this outgoing MLD packet
- * will be accounted for in ip_wput->ip_wput_v6->ip_wput_ire_v6
- * ->icmp_update_out_mib_v6 function call.
- */
- (void) ip_output_v6(NULL, mp, ill->ill_wq, IP_WPUT);
+ ill_mcast_queue(ill, mp);
if (morepkts) {
if (more_src_cnt > 0) {
@@ -2997,7 +2787,7 @@ mcast_merge_rtx(ilm_t *ilm, mrec_t *mreclist, slist_t *flist)
mrec_t *rp, *rpnext, *rtnmrec;
boolean_t ovf;
- ill = (ilm->ilm_ill == NULL ? ilm->ilm_ipif->ipif_ill : ilm->ilm_ill);
+ ill = ilm->ilm_ill;
if (mreclist == NULL)
return (mreclist);
@@ -3100,64 +2890,3 @@ mcast_merge_rtx(ilm_t *ilm, mrec_t *mreclist, slist_t *flist)
return (rtnmrec);
}
-
-/*
- * Convenience routine to signal the restart-timer thread.
- */
-static void
-mcast_signal_restart_thread(ip_stack_t *ipst)
-{
- mutex_enter(&ipst->ips_mrt_lock);
- ipst->ips_mrt_flags |= IP_MRT_RUN;
- cv_signal(&ipst->ips_mrt_cv);
- mutex_exit(&ipst->ips_mrt_lock);
-}
-
-/*
- * Thread to restart IGMP/MLD timers. See the comment in igmp_joingroup() for
- * the story behind this unfortunate thread.
- */
-void
-mcast_restart_timers_thread(ip_stack_t *ipst)
-{
- int next;
- char name[64];
- callb_cpr_t cprinfo;
-
- (void) snprintf(name, sizeof (name), "mcast_restart_timers_thread_%d",
- ipst->ips_netstack->netstack_stackid);
- CALLB_CPR_INIT(&cprinfo, &ipst->ips_mrt_lock, callb_generic_cpr, name);
-
- for (;;) {
- mutex_enter(&ipst->ips_mrt_lock);
- while (!(ipst->ips_mrt_flags & (IP_MRT_STOP|IP_MRT_RUN))) {
- CALLB_CPR_SAFE_BEGIN(&cprinfo);
- cv_wait(&ipst->ips_mrt_cv, &ipst->ips_mrt_lock);
- CALLB_CPR_SAFE_END(&cprinfo, &ipst->ips_mrt_lock);
- }
- if (ipst->ips_mrt_flags & IP_MRT_STOP)
- break;
- ipst->ips_mrt_flags &= ~IP_MRT_RUN;
- mutex_exit(&ipst->ips_mrt_lock);
-
- mutex_enter(&ipst->ips_igmp_timer_lock);
- next = ipst->ips_igmp_deferred_next;
- ipst->ips_igmp_deferred_next = INFINITY;
- mutex_exit(&ipst->ips_igmp_timer_lock);
-
- if (next != INFINITY)
- igmp_start_timers(next, ipst);
-
- mutex_enter(&ipst->ips_mld_timer_lock);
- next = ipst->ips_mld_deferred_next;
- ipst->ips_mld_deferred_next = INFINITY;
- mutex_exit(&ipst->ips_mld_timer_lock);
- if (next != INFINITY)
- mld_start_timers(next, ipst);
- }
-
- ipst->ips_mrt_flags |= IP_MRT_DONE;
- cv_signal(&ipst->ips_mrt_done_cv);
- CALLB_CPR_EXIT(&cprinfo); /* drops ips_mrt_lock */
- thread_exit();
-}
diff --git a/usr/src/uts/common/inet/ip/ip.c b/usr/src/uts/common/inet/ip/ip.c
index ebb89e3172..b59087e9b1 100644
--- a/usr/src/uts/common/inet/ip/ip.c
+++ b/usr/src/uts/common/inet/ip/ip.c
@@ -38,6 +38,7 @@
#include <sys/tihdr.h>
#include <sys/xti_inet.h>
#include <sys/ddi.h>
+#include <sys/suntpi.h>
#include <sys/cmn_err.h>
#include <sys/debug.h>
#include <sys/kobj.h>
@@ -94,10 +95,8 @@
#include <inet/ipp_common.h>
#include <net/pfkeyv2.h>
-#include <inet/ipsec_info.h>
#include <inet/sadb.h>
#include <inet/ipsec_impl.h>
-#include <sys/iphada.h>
#include <inet/iptun/iptun_impl.h>
#include <inet/ipdrop.h>
#include <inet/ip_netinfo.h>
@@ -111,9 +110,7 @@
#include <ipp/ipp_impl.h>
#include <ipp/ipgpc/ipgpc.h>
-#include <sys/multidata.h>
#include <sys/pattr.h>
-
#include <inet/ipclassifier.h>
#include <inet/sctp_ip.h>
#include <inet/sctp/sctp_impl.h>
@@ -126,6 +123,7 @@
#include <rpc/pmap_prot.h>
#include <sys/squeue_impl.h>
+#include <inet/ip_arp.h>
/*
* Values for squeue switch:
@@ -133,10 +131,9 @@
* IP_SQUEUE_ENTER: SQ_PROCESS
* IP_SQUEUE_FILL: SQ_FILL
*/
-int ip_squeue_enter = 2; /* Setable in /etc/system */
+int ip_squeue_enter = IP_SQUEUE_ENTER; /* Setable in /etc/system */
int ip_squeue_flag;
-#define SET_BPREV_FLAG(x) ((mblk_t *)(uintptr_t)(x))
/*
* Setable in /etc/system
@@ -177,7 +174,8 @@ typedef struct iproutedata_s {
listptr_t ird_attrs; /* ipRouteAttributeTable */
} iproutedata_t;
-#define IRD_REPORT_TESTHIDDEN 0x01 /* include IRE_MARK_TESTHIDDEN routes */
+/* Include ire_testhidden and IRE_IF_CLONE routes */
+#define IRD_REPORT_ALL 0x01
/*
* Cluster specific hooks. These should be NULL when booted as a non-cluster
@@ -233,29 +231,26 @@ void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, sa_family_t,
* MT level protection given by STREAMS. IP uses a combination of its own
* internal serialization mechanism and standard Solaris locking techniques.
* The internal serialization is per phyint. This is used to serialize
- * plumbing operations, certain multicast operations, most set ioctls,
- * igmp/mld timers etc.
+ * plumbing operations, IPMP operations, most set ioctls, etc.
*
* Plumbing is a long sequence of operations involving message
* exchanges between IP, ARP and device drivers. Many set ioctls are typically
* involved in plumbing operations. A natural model is to serialize these
* ioctls one per ill. For example plumbing of hme0 and qfe0 can go on in
* parallel without any interference. But various set ioctls on hme0 are best
- * serialized, along with multicast join/leave operations, igmp/mld timer
- * operations, and processing of DLPI control messages received from drivers
- * on a per phyint basis. This serialization is provided by the ipsq_t and
- * primitives operating on this. Details can be found in ip_if.c above the
- * core primitives operating on ipsq_t.
+ * serialized, along with IPMP operations and processing of DLPI control
+ * messages received from drivers on a per phyint basis. This serialization is
+ * provided by the ipsq_t and primitives operating on this. Details can
+ * be found in ip_if.c above the core primitives operating on ipsq_t.
*
* Lookups of an ipif or ill by a thread return a refheld ipif / ill.
* Simiarly lookup of an ire by a thread also returns a refheld ire.
* In addition ipif's and ill's referenced by the ire are also indirectly
- * refheld. Thus no ipif or ill can vanish nor can critical parameters like
- * the ipif's address or netmask change as long as an ipif is refheld
+ * refheld. Thus no ipif or ill can vanish as long as an ipif is refheld
* directly or indirectly. For example an SIOCSLIFADDR ioctl that changes the
* address of an ipif has to go through the ipsq_t. This ensures that only
- * 1 such exclusive operation proceeds at any time on the ipif. It then
- * deletes all ires associated with this ipif, and waits for all refcnts
+ * one such exclusive operation proceeds at any time on the ipif. It then
+ * waits for all refcnts
* associated with this ipif to come down to zero. The address is changed
* only after the ipif has been quiesced. Then the ipif is brought up again.
* More details are described above the comment in ip_sioctl_flags.
@@ -274,7 +269,7 @@ void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, sa_family_t,
* - ire_lock to protect some of the fields of the ire, IRE tables
* (one lock per hash bucket). Refer to ip_ire.c for details.
*
- * - ndp_g_lock and nce_lock for protecting NCEs.
+ * - ndp_g_lock and ncec_lock for protecting NCEs.
*
* - ill_lock protects fields of the ill and ipif. Details in ip.h
*
@@ -312,12 +307,6 @@ void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, sa_family_t,
* This lock is held in ipif_up_done and the ipif is marked IPIF_UP and the
* uniqueness check also done atomically.
*
- * - ipsec_capab_ills_lock: This readers/writer lock protects the global
- * lists of IPsec capable ills (ipsec_capab_ills_{ah,esp}). It is taken
- * as a writer when adding or deleting elements from these lists, and
- * as a reader when walking these lists to send a SADB update to the
- * IPsec capable ills.
- *
* - ill_g_usesrc_lock: This readers/writer lock protects the usesrc
* group list linked by ill_usesrc_grp_next. It also protects the
* ill_usesrc_ifindex field. It is taken as a writer when a member of the
@@ -357,20 +346,30 @@ void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, sa_family_t,
*
* ill_g_lock -> conn_lock -> ill_lock -> ipsq_lock -> ipx_lock
* ill_g_lock -> ill_lock(s) -> phyint_lock
- * ill_g_lock -> ndp_g_lock -> ill_lock -> nce_lock
+ * ill_g_lock -> ndp_g_lock -> ill_lock -> ncec_lock
* ill_g_lock -> ip_addr_avail_lock
* conn_lock -> irb_lock -> ill_lock -> ire_lock
* ill_g_lock -> ip_g_nd_lock
+ * ill_g_lock -> ips_ipmp_lock -> ill_lock -> nce_lock
+ * ill_g_lock -> ndp_g_lock -> ill_lock -> ncec_lock -> nce_lock
+ * arl_lock -> ill_lock
+ * ips_ire_dep_lock -> irb_lock
*
* When more than 1 ill lock is needed to be held, all ill lock addresses
* are sorted on address and locked starting from highest addressed lock
* downward.
*
+ * Multicast scenarios
+ * ips_ill_g_lock -> ill_mcast_lock
+ * conn_ilg_lock -> ips_ill_g_lock -> ill_lock
+ * ill_mcast_serializer -> ill_mcast_lock -> ips_ipmp_lock -> ill_lock
+ * ill_mcast_serializer -> ill_mcast_lock -> connf_lock -> conn_lock
+ * ill_mcast_serializer -> ill_mcast_lock -> conn_ilg_lock
+ * ill_mcast_serializer -> ill_mcast_lock -> ips_igmp_timer_lock
+ *
* IPsec scenarios
*
* ipsa_lock -> ill_g_lock -> ill_lock
- * ipsec_capab_ills_lock -> ill_g_lock -> ill_lock
- * ipsec_capab_ills_lock -> ipsa_lock
* ill_g_usesrc_lock -> ill_g_lock -> ill_lock
*
* Trusted Solaris scenarios
@@ -414,31 +413,30 @@ void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, sa_family_t,
* Walker - Increment irb_refcnt before calling the walker callback. Hold the
* global tree lock (read mode) for traversal.
*
+ * IRE dependencies - In some cases we hold ips_ire_dep_lock across ire_refrele
+ * hence we will acquire irb_lock while holding ips_ire_dep_lock.
+ *
* IPsec notes :
*
- * IP interacts with the IPsec code (AH/ESP) by tagging a M_CTL message
- * in front of the actual packet. For outbound datagrams, the M_CTL
- * contains a ipsec_out_t (defined in ipsec_info.h), which has the
+ * IP interacts with the IPsec code (AH/ESP) by storing IPsec attributes
+ * in the ip_xmit_attr_t ip_recv_attr_t. For outbound datagrams, the
+ * ip_xmit_attr_t has the
* information used by the IPsec code for applying the right level of
- * protection. The information initialized by IP in the ipsec_out_t
+ * protection. The information initialized by IP in the ip_xmit_attr_t
* is determined by the per-socket policy or global policy in the system.
- * For inbound datagrams, the M_CTL contains a ipsec_in_t (defined in
- * ipsec_info.h) which starts out with nothing in it. It gets filled
+ * For inbound datagrams, the ip_recv_attr_t
+ * starts out with nothing in it. It gets filled
* with the right information if it goes through the AH/ESP code, which
* happens if the incoming packet is secure. The information initialized
- * by AH/ESP, is later used by IP(during fanouts to ULP) to see whether
+ * by AH/ESP, is later used by IP (during fanouts to ULP) to see whether
* the policy requirements needed by per-socket policy or global policy
* is met or not.
*
- * If there is both per-socket policy (set using setsockopt) and there
- * is also global policy match for the 5 tuples of the socket,
- * ipsec_override_policy() makes the decision of which one to use.
- *
* For fully connected sockets i.e dst, src [addr, port] is known,
* conn_policy_cached is set indicating that policy has been cached.
* conn_in_enforce_policy may or may not be set depending on whether
* there is a global policy match or per-socket policy match.
- * Policy inheriting happpens in ip_bind during the ipa_conn_t bind.
+ * Policy inheriting happpens in ip_policy_set once the destination is known.
* Once the right policy is set on the conn_t, policy cannot change for
* this socket. This makes life simpler for TCP (UDP ?) where
* re-transmissions go out with the same policy. For symmetry, policy
@@ -513,7 +511,8 @@ void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, sa_family_t,
* idl_tx_list in ips_idl_tx_list[] array. Then conn_drain_insert() is
* called passing idl_tx_list. The connp gets inserted in a drain list
* pointed to by idl_tx_list. conn_drain_list() asserts flow control for
- * the sockets (non stream based) and sets QFULL condition for conn_wq.
+ * the sockets (non stream based) and sets QFULL condition on the conn_wq
+ * of streams sockets, or the su_txqfull for non-streams sockets.
* connp->conn_direct_blocked will be set to indicate the blocked
* condition.
*
@@ -521,46 +520,37 @@ void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, sa_family_t,
* A cookie is passed in the call to ill_flow_enable() that identifies the
* blocked Tx ring. This cookie is used to get to the idl_tx_list that
* contains the blocked connp's. conn_walk_drain() uses the idl_tx_list_t
- * and goes through each of the drain list (q)enabling the conn_wq of the
- * first conn in each of the drain list. This causes ip_wsrv to run for the
+ * and goes through each conn in the drain list and calls conn_idl_remove
+ * for the conn to clear the qfull condition for the conn, as well as to
+ * remove the conn from the idl list. In addition, streams based sockets
+ * will have the conn_wq enabled, causing ip_wsrv to run for the
* conn. ip_wsrv drains the queued messages, and removes the conn from the
- * drain list, if all messages were drained. It also qenables the next conn
- * in the drain list to continue the drain process.
+ * drain list, if all messages were drained. It also notifies the
+ * conn_upcalls for the conn to signal that flow-control has opened up.
*
* In reality the drain list is not a single list, but a configurable number
- * of lists. conn_drain_walk() in the IP module, qenables the first conn in
- * each list. If the ip_wsrv of the next qenabled conn does not run, because
- * the stream closes, ip_close takes responsibility to qenable the next conn
- * in the drain list. conn_drain_insert and conn_drain_tail are the only
+ * of lists. conn_walk_drain() in the IP module, notifies the conn_upcalls for
+ * each conn in the list. conn_drain_insert and conn_drain_tail are the only
* functions that manipulate this drain list. conn_drain_insert is called in
- * ip_wput context itself (as opposed to from ip_wsrv context for STREAMS
+ * from the protocol layer when conn_ip_output returns EWOULDBLOCK.
+ * (as opposed to from ip_wsrv context for STREAMS
* case -- see below). The synchronization between drain insertion and flow
* control wakeup is handled by using idl_txl->txl_lock.
*
* Flow control using STREAMS:
* When ILL_DIRECT_CAPABLE() is not TRUE, STREAMS flow control mechanism
* is used. On the send side, if the packet cannot be sent down to the
- * driver by IP, because of a canput failure, IP does a putq on the conn_wq.
- * This will cause ip_wsrv to run on the conn_wq. ip_wsrv in turn, inserts
- * the conn in a list of conn's that need to be drained when the flow
- * control condition subsides. The blocked connps are put in first member
- * of ips_idl_tx_list[] array. Ultimately STREAMS backenables the ip_wsrv
- * on the IP module. It calls conn_walk_drain() passing ips_idl_tx_list[0].
- * ips_idl_tx_list[0] contains the drain lists of blocked conns. The
- * conn_wq of the first conn in the drain lists is (q)enabled to run.
- * ip_wsrv on this conn drains the queued messages, and removes the conn
- * from the drain list, if all messages were drained. It also qenables the
- * next conn in the drain list to continue the drain process.
- *
- * If the ip_wsrv of the next qenabled conn does not run, because the
- * stream closes, ip_close takes responsibility to qenable the next conn in
- * the drain list. The directly called ip_wput path always does a putq, if
- * it cannot putnext. Thus synchronization problems are handled between
- * ip_wsrv and ip_close. conn_drain_insert and conn_drain_tail are the only
- * functions that manipulate this drain list. Furthermore conn_drain_insert
- * is called only from ip_wsrv for the STREAMS case, and there can be only 1
- * instance of ip_wsrv running on a queue at any time. conn_drain_tail can
- * be simultaneously called from both ip_wsrv and ip_close.
+ * driver by IP, because of a canput failure, ip_xmit drops the packet
+ * and returns EWOULDBLOCK to the caller, who may then invoke
+ * ixa_check_drain_insert to insert the conn on the 0'th drain list.
+ * When ip_wsrv runs on the ill_wq because flow control has been relieved, the
+ * blocked conns in the * 0'th drain list is drained as with the
+ * non-STREAMS case.
+ *
+ * In both the STREAMS and non-STREAMS case, the sockfs upcall to set
+ * qfull is done when the conn is inserted into the drain list
+ * (conn_drain_insert()) and cleared when the conn is removed from the drain
+ * list (conn_idl_remove()).
*
* IPQOS notes:
*
@@ -579,14 +569,13 @@ void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, sa_family_t,
* By default all the callout positions are enabled.
*
* Outbound (local_out)
- * Hooks are placed in ip_wput_ire and ipsec_out_process.
+ * Hooks are placed in ire_send_wire_v4 and ire_send_wire_v6.
*
* Inbound (local_in)
- * Hooks are placed in ip_proto_input, icmp_inbound, ip_fanout_proto and
- * TCP and UDP fanout routines.
+ * Hooks are placed in ip_fanout_v4 and ip_fanout_v6.
*
* Forwarding (in and out)
- * Hooks are placed in ip_rput_forward.
+ * Hooks are placed in ire_recv_forward_v4/v6.
*
* IP Policy Framework processing (IPPF processing)
* Policy processing for a packet is initiated by ip_process, which ascertains
@@ -596,16 +585,6 @@ void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, sa_family_t,
* filters configured in ipgpc and resumes normal IP processing thereafter.
* An action instance can drop a packet in course of its processing.
*
- * A boolean variable, ip_policy, is used in all the fanout routines that can
- * invoke ip_process for a packet. This variable indicates if the packet should
- * to be sent for policy processing. The variable is set to B_TRUE by default,
- * i.e. when the routines are invoked in the normal ip procesing path for a
- * packet. The two exceptions being ip_wput_local and icmp_inbound_error_fanout;
- * ip_policy is set to B_FALSE for all the routines called in these two
- * functions because, in the former case, we don't process loopback traffic
- * currently while in the latter, the packets have already been processed in
- * icmp_inbound.
- *
* Zones notes:
*
* The partitioning rules for networking are as follows:
@@ -638,24 +617,18 @@ void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, sa_family_t,
* IRE_LOCAL Exclusive (x)
* IRE_LOOPBACK Exclusive
* IRE_PREFIX (net routes) Shared (*)
- * IRE_CACHE Exclusive
* IRE_IF_NORESOLVER (interface routes) Exclusive
* IRE_IF_RESOLVER (interface routes) Exclusive
+ * IRE_IF_CLONE (interface routes) Exclusive
* IRE_HOST (host routes) Shared (*)
*
* (*) A zone can only use a default or off-subnet route if the gateway is
* directly reachable from the zone, that is, if the gateway's address matches
* one of the zone's logical interfaces.
*
- * (x) IRE_LOCAL are handled a bit differently, since for all other entries
- * in ire_ctable and IRE_INTERFACE, ire_src_addr is what can be used as source
- * when sending packets using the IRE. For IRE_LOCAL ire_src_addr is the IP
- * address of the zone itself (the destination). Since IRE_LOCAL is used
- * for communication between zones, ip_wput_ire has special logic to set
- * the right source address when sending using an IRE_LOCAL.
- *
- * Furthermore, when ip_restrict_interzone_loopback is set (the default),
- * ire_cache_lookup restricts loopback using an IRE_LOCAL
+ * (x) IRE_LOCAL are handled a bit differently.
+ * When ip_restrict_interzone_loopback is set (the default),
+ * ire_route_recursive restricts loopback using an IRE_LOCAL
* between zone to the case when L2 would have conceptually looped the packet
* back, i.e. the loopback which is required since neither Ethernet drivers
* nor Ethernet hardware loops them back. This is the case when the normal
@@ -669,17 +642,11 @@ void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t, sa_family_t,
* since some zones may not be on the 10.16.72/24 network. To handle this, each
* zone has its own set of IRE_BROADCAST entries; then, broadcast packets are
* sent to every zone that has an IRE_BROADCAST entry for the destination
- * address on the input ill, see conn_wantpacket().
+ * address on the input ill, see ip_input_broadcast().
*
* Applications in different zones can join the same multicast group address.
- * For IPv4, group memberships are per-logical interface, so they're already
- * inherently part of a zone. For IPv6, group memberships are per-physical
- * interface, so we distinguish IPv6 group memberships based on group address,
- * interface and zoneid. In both cases, received multicast packets are sent to
- * every zone for which a group membership entry exists. On IPv6 we need to
- * check that the target zone still has an address on the receiving physical
- * interface; it could have been removed since the application issued the
- * IPV6_JOIN_GROUP.
+ * The same logic applies for multicast as for broadcast. ip_input_multicast
+ * dispatches packets to all zones that have members on the physical interface.
*/
/*
@@ -694,62 +661,37 @@ boolean_t ip_squeue_fanout = 0;
*/
uint_t ip_max_frag_dups = 10;
-#define IS_SIMPLE_IPH(ipha) \
- ((ipha)->ipha_version_and_hdr_length == IP_SIMPLE_HDR_VERSION)
-
/* RFC 1122 Conformance */
#define IP_FORWARD_DEFAULT IP_FORWARD_NEVER
#define ILL_MAX_NAMELEN LIFNAMSIZ
-static int conn_set_held_ipif(conn_t *, ipif_t **, ipif_t *);
-
static int ip_open(queue_t *q, dev_t *devp, int flag, int sflag,
cred_t *credp, boolean_t isv6);
-static mblk_t *ip_wput_attach_llhdr(mblk_t *, ire_t *, ip_proc_t, uint32_t,
- ipha_t **);
+static mblk_t *ip_xmit_attach_llhdr(mblk_t *, nce_t *);
-static void icmp_frag_needed(queue_t *, mblk_t *, int, zoneid_t,
- ip_stack_t *);
-static void icmp_inbound(queue_t *, mblk_t *, boolean_t, ill_t *, int,
- uint32_t, boolean_t, boolean_t, ill_t *, zoneid_t);
-static ipaddr_t icmp_get_nexthop_addr(ipha_t *, ill_t *, zoneid_t, mblk_t *mp);
-static boolean_t icmp_inbound_too_big(icmph_t *, ipha_t *, ill_t *, zoneid_t,
- mblk_t *, int, ip_stack_t *);
-static void icmp_inbound_error_fanout(queue_t *, ill_t *, mblk_t *,
- icmph_t *, ipha_t *, int, int, boolean_t, boolean_t,
- ill_t *, zoneid_t);
+static boolean_t icmp_inbound_verify_v4(mblk_t *, icmph_t *, ip_recv_attr_t *);
+static void icmp_inbound_too_big_v4(icmph_t *, ip_recv_attr_t *);
+static void icmp_inbound_error_fanout_v4(mblk_t *, icmph_t *,
+ ip_recv_attr_t *);
static void icmp_options_update(ipha_t *);
-static void icmp_param_problem(queue_t *, mblk_t *, uint8_t, zoneid_t,
- ip_stack_t *);
-static void icmp_pkt(queue_t *, mblk_t *, void *, size_t, boolean_t,
- zoneid_t zoneid, ip_stack_t *);
-static mblk_t *icmp_pkt_err_ok(mblk_t *, ip_stack_t *);
-static void icmp_redirect(ill_t *, mblk_t *);
-static void icmp_send_redirect(queue_t *, mblk_t *, ipaddr_t,
- ip_stack_t *);
+static void icmp_param_problem(mblk_t *, uint8_t, ip_recv_attr_t *);
+static void icmp_pkt(mblk_t *, void *, size_t, ip_recv_attr_t *);
+static mblk_t *icmp_pkt_err_ok(mblk_t *, ip_recv_attr_t *);
+static void icmp_redirect_v4(mblk_t *mp, ipha_t *, icmph_t *,
+ ip_recv_attr_t *);
+static void icmp_send_redirect(mblk_t *, ipaddr_t, ip_recv_attr_t *);
+static void icmp_send_reply_v4(mblk_t *, ipha_t *, icmph_t *,
+ ip_recv_attr_t *);
-static void ip_arp_news(queue_t *, mblk_t *);
-static boolean_t ip_bind_get_ire_v4(mblk_t **, ire_t *, iulp_t *, ip_stack_t *);
mblk_t *ip_dlpi_alloc(size_t, t_uscalar_t);
char *ip_dot_addr(ipaddr_t, char *);
mblk_t *ip_carve_mp(mblk_t **, ssize_t);
int ip_close(queue_t *, int);
static char *ip_dot_saddr(uchar_t *, char *);
-static void ip_fanout_proto(queue_t *, mblk_t *, ill_t *, ipha_t *, uint_t,
- boolean_t, boolean_t, ill_t *, zoneid_t);
-static void ip_fanout_tcp(queue_t *, mblk_t *, ill_t *, ipha_t *, uint_t,
- boolean_t, boolean_t, zoneid_t);
-static void ip_fanout_udp(queue_t *, mblk_t *, ill_t *, ipha_t *, uint32_t,
- boolean_t, uint_t, boolean_t, boolean_t, ill_t *, zoneid_t);
static void ip_lrput(queue_t *, mblk_t *);
ipaddr_t ip_net_mask(ipaddr_t);
-void ip_newroute(queue_t *, mblk_t *, ipaddr_t, conn_t *, zoneid_t,
- ip_stack_t *);
-static void ip_newroute_ipif(queue_t *, mblk_t *, ipif_t *, ipaddr_t,
- conn_t *, uint32_t, zoneid_t, ip_opt_info_t *);
char *ip_nv_lookup(nv_t *, int);
-static boolean_t ip_check_for_ipsec_opt(queue_t *, mblk_t *);
static int ip_param_get(queue_t *, mblk_t *, caddr_t, cred_t *);
static int ip_param_generic_get(queue_t *, mblk_t *, caddr_t, cred_t *);
static boolean_t ip_param_register(IDP *ndp, ipparam_t *, size_t,
@@ -758,17 +700,6 @@ static int ip_param_set(queue_t *, mblk_t *, char *, caddr_t, cred_t *);
void ip_rput(queue_t *, mblk_t *);
static void ip_rput_dlpi_writer(ipsq_t *dummy_sq, queue_t *q, mblk_t *mp,
void *dummy_arg);
-void ip_rput_forward(ire_t *, ipha_t *, mblk_t *, ill_t *);
-static int ip_rput_forward_options(mblk_t *, ipha_t *, ire_t *,
- ip_stack_t *);
-static boolean_t ip_rput_local_options(queue_t *, mblk_t *, ipha_t *,
- ire_t *, ip_stack_t *);
-static boolean_t ip_rput_multimblk_ipoptions(queue_t *, ill_t *,
- mblk_t *, ipha_t **, ipaddr_t *, ip_stack_t *);
-static int ip_rput_options(queue_t *, mblk_t *, ipha_t *, ipaddr_t *,
- ip_stack_t *);
-static boolean_t ip_rput_fragment(ill_t *, ill_t *, mblk_t **, ipha_t *,
- uint32_t *, uint16_t *);
int ip_snmp_get(queue_t *, mblk_t *, int);
static mblk_t *ip_snmp_get_mib2_ip(queue_t *, mblk_t *,
mib2_ipIfStatsEntry_t *, ip_stack_t *);
@@ -801,49 +732,34 @@ static mblk_t *ip_snmp_get_mib2_ip6_route_media(queue_t *, mblk_t *, int,
ip_stack_t *ipst);
static void ip_snmp_get2_v4(ire_t *, iproutedata_t *);
static void ip_snmp_get2_v6_route(ire_t *, iproutedata_t *);
-static int ip_snmp_get2_v6_media(nce_t *, iproutedata_t *);
+static int ip_snmp_get2_v4_media(ncec_t *, iproutedata_t *);
+static int ip_snmp_get2_v6_media(ncec_t *, iproutedata_t *);
int ip_snmp_set(queue_t *, int, int, uchar_t *, int);
-static boolean_t ip_source_routed(ipha_t *, ip_stack_t *);
-static boolean_t ip_source_route_included(ipha_t *);
-static void ip_trash_ire_reclaim_stack(ip_stack_t *);
-static void ip_wput_frag(ire_t *, mblk_t *, ip_pkt_t, uint32_t, uint32_t,
- zoneid_t, ip_stack_t *, conn_t *);
-static mblk_t *ip_wput_frag_copyhdr(uchar_t *, int, int, ip_stack_t *,
+static mblk_t *ip_fragment_copyhdr(uchar_t *, int, int, ip_stack_t *,
mblk_t *);
-static void ip_wput_local_options(ipha_t *, ip_stack_t *);
-static int ip_wput_options(queue_t *, mblk_t *, ipha_t *, boolean_t,
- zoneid_t, ip_stack_t *);
static void conn_drain_init(ip_stack_t *);
static void conn_drain_fini(ip_stack_t *);
static void conn_drain_tail(conn_t *connp, boolean_t closing);
static void conn_walk_drain(ip_stack_t *, idl_tx_list_t *);
-static void conn_setqfull(conn_t *);
-static void conn_clrqfull(conn_t *);
+static void conn_walk_sctp(pfv_t, void *, zoneid_t, netstack_t *);
static void *ip_stack_init(netstackid_t stackid, netstack_t *ns);
static void ip_stack_shutdown(netstackid_t stackid, void *arg);
static void ip_stack_fini(netstackid_t stackid, void *arg);
-static boolean_t conn_wantpacket(conn_t *, ill_t *, ipha_t *, int,
- zoneid_t);
-static void ip_arp_done(ipsq_t *dummy_sq, queue_t *q, mblk_t *mp,
- void *dummy_arg);
-
static int ip_forward_set(queue_t *, mblk_t *, char *, caddr_t, cred_t *);
static int ip_multirt_apply_membership(int (*fn)(conn_t *, boolean_t,
- ipaddr_t, ipaddr_t, uint_t *, mcast_record_t, ipaddr_t, mblk_t *), ire_t *,
- conn_t *, boolean_t, ipaddr_t, mcast_record_t, ipaddr_t, mblk_t *);
-static void ip_multirt_bad_mtu(ire_t *, uint32_t);
+ const in6_addr_t *, ipaddr_t, uint_t, mcast_record_t, const in6_addr_t *),
+ ire_t *, conn_t *, boolean_t, const in6_addr_t *, mcast_record_t,
+ const in6_addr_t *);
static int ip_cgtp_filter_get(queue_t *, mblk_t *, caddr_t, cred_t *);
static int ip_cgtp_filter_set(queue_t *, mblk_t *, char *,
caddr_t, cred_t *);
-extern int ip_helper_stream_setup(queue_t *, dev_t *, int, int,
- cred_t *, boolean_t);
static int ip_input_proc_set(queue_t *q, mblk_t *mp, char *value,
caddr_t cp, cred_t *cr);
static int ip_int_set(queue_t *, mblk_t *, char *, caddr_t,
@@ -859,30 +775,15 @@ static int icmp_kstat_update(kstat_t *kp, int rw);
static void *ip_kstat2_init(netstackid_t, ip_stat_t *);
static void ip_kstat2_fini(netstackid_t, kstat_t *);
-static mblk_t *ip_tcp_input(mblk_t *, ipha_t *, ill_t *, boolean_t,
- ire_t *, mblk_t *, uint_t, queue_t *, ill_rx_ring_t *);
+static void ipobs_init(ip_stack_t *);
+static void ipobs_fini(ip_stack_t *);
-static void ip_rput_process_forward(queue_t *, mblk_t *, ire_t *,
- ipha_t *, ill_t *, boolean_t, boolean_t);
-
-static void ipobs_init(ip_stack_t *);
-static void ipobs_fini(ip_stack_t *);
ipaddr_t ip_g_all_ones = IP_HOST_MASK;
/* How long, in seconds, we allow frags to hang around. */
#define IP_FRAG_TIMEOUT 15
#define IPV6_FRAG_TIMEOUT 60
-/*
- * Threshold which determines whether MDT should be used when
- * generating IP fragments; payload size must be greater than
- * this threshold for MDT to take place.
- */
-#define IP_WPUT_FRAG_MDT_MIN 32768
-
-/* Setable in /etc/system only */
-int ip_wput_frag_mdt_min = IP_WPUT_FRAG_MDT_MIN;
-
static long ip_rput_pullups;
int dohwcksum = 1; /* use h/w cksum if supported by the hardware */
@@ -891,24 +792,12 @@ vmem_t *ip_minor_arena_la; /* for minor nos. from 2^^18 thru 2^^32-1 */
int ip_debug;
-#ifdef DEBUG
-uint32_t ipsechw_debug = 0;
-#endif
-
/*
* Multirouting/CGTP stuff
*/
int ip_cgtp_filter_rev = CGTP_FILTER_REV; /* CGTP hooks version */
/*
- * XXX following really should only be in a header. Would need more
- * header and .c clean up first.
- */
-extern optdb_obj_t ip_opt_obj;
-
-ulong_t ip_squeue_enter_unbound = 0;
-
-/*
* Named Dispatch Parameter Table.
* All of these are alterable, within the min/max values given, at run time.
*/
@@ -922,18 +811,18 @@ static ipparam_t lcl_param_arr[] = {
{ 0, 1, 1, "ip_send_redirects"},
{ 0, 1, 0, "ip_forward_directed_broadcasts"},
{ 0, 10, 0, "ip_mrtdebug"},
- { 5000, 999999999, 60000, "ip_ire_timer_interval" },
- { 60000, 999999999, 1200000, "ip_ire_arp_interval" },
- { 60000, 999999999, 60000, "ip_ire_redirect_interval" },
+ { 1, 8, 3, "ip_ire_reclaim_fraction" },
+ { 1, 8, 3, "ip_nce_reclaim_fraction" },
+ { 1, 8, 3, "ip_dce_reclaim_fraction" },
{ 1, 255, 255, "ip_def_ttl" },
{ 0, 1, 0, "ip_forward_src_routed"},
{ 0, 256, 32, "ip_wroff_extra" },
- { 5000, 999999999, 600000, "ip_ire_pathmtu_interval" },
+ { 2, 999999999, 60*20, "ip_pathmtu_interval" }, /* In seconds */
{ 8, 65536, 64, "ip_icmp_return_data_bytes" },
{ 0, 1, 1, "ip_path_mtu_discovery" },
- { 0, 240, 30, "ip_ignore_delete_time" },
+ { 68, 65535, 576, "ip_pmtu_min" },
{ 0, 1, 0, "ip_ignore_redirect" },
- { 0, 1, 1, "ip_output_queue" },
+ { 0, 1, 0, "ip_arp_icmp_error" },
{ 1, 254, 1, "ip_broadcast_ttl" },
{ 0, 99999, 100, "ip_icmp_err_interval" },
{ 1, 99999, 10, "ip_icmp_err_burst" },
@@ -955,7 +844,7 @@ static ipparam_t lcl_param_arr[] = {
{ 0, 1, 0, "ip6_ignore_redirect" },
{ 0, 1, 0, "ip6_strict_dst_multihoming" },
- { 1, 8, 3, "ip_ire_reclaim_fraction" },
+ { 0, 2, 2, "ip_src_check" },
{ 0, 999999, 1000, "ipsec_policy_log_interval" },
@@ -964,12 +853,16 @@ static ipparam_t lcl_param_arr[] = {
{ 1, 20, 3, "ip_ndp_unsolicit_count" },
{ 0, 1, 1, "ip6_ignore_home_address_opt" },
{ 0, 15, 0, "ip_policy_mask" },
- { 1000, 60000, 1000, "ip_multirt_resolution_interval" },
+ { 0, 2, 2, "ip_ecmp_behavior" },
{ 0, 255, 1, "ip_multirt_ttl" },
- { 0, 1, 1, "ip_multidata_outbound" },
- { 0, 3600000, 300000, "ip_ndp_defense_interval" },
+ { 0, 3600, 60, "ip_ire_badcnt_lifetime" }, /* In seconds */
{ 0, 999999, 60*60*24, "ip_max_temp_idle" },
{ 0, 1000, 1, "ip_max_temp_defend" },
+ /*
+ * when a conflict of an active address is detected,
+ * defend up to ip_max_defend times, within any
+ * ip_defend_interval span.
+ */
{ 0, 1000, 3, "ip_max_defend" },
{ 0, 999999, 30, "ip_defend_interval" },
{ 0, 3600000, 300000, "ip_dup_recovery" },
@@ -977,12 +870,45 @@ static ipparam_t lcl_param_arr[] = {
{ 0, 1, 1, "ip_lso_outbound" },
{ IGMP_V1_ROUTER, IGMP_V3_ROUTER, IGMP_V3_ROUTER, "igmp_max_version" },
{ MLD_V1_ROUTER, MLD_V2_ROUTER, MLD_V2_ROUTER, "mld_max_version" },
- { 68, 65535, 576, "ip_pmtu_min" },
#ifdef DEBUG
{ 0, 1, 0, "ip6_drop_inbound_icmpv6" },
#else
{ 0, 0, 0, "" },
#endif
+ /* delay before sending first probe: */
+ { 0, 20000, 1000, "arp_probe_delay" },
+ { 0, 20000, 100, "arp_fastprobe_delay" },
+ /* interval at which DAD probes are sent: */
+ { 10, 20000, 1500, "arp_probe_interval" },
+ { 10, 20000, 150, "arp_fastprobe_interval" },
+ /* setting probe count to 0 will disable ARP probing for DAD. */
+ { 0, 20, 3, "arp_probe_count" },
+ { 0, 20, 3, "arp_fastprobe_count" },
+
+ { 0, 3600000, 15000, "ipv4_dad_announce_interval"},
+ { 0, 3600000, 15000, "ipv6_dad_announce_interval"},
+ /*
+ * Rate limiting parameters for DAD defense used in
+ * ill_defend_rate_limit():
+ * defend_rate : pkts/hour permitted
+ * defend_interval : time that can elapse before we send out a
+ * DAD defense.
+ * defend_period: denominator for defend_rate (in seconds).
+ */
+ { 0, 3600000, 300000, "arp_defend_interval"},
+ { 0, 20000, 100, "arp_defend_rate"},
+ { 0, 3600000, 300000, "ndp_defend_interval"},
+ { 0, 20000, 100, "ndp_defend_rate"},
+ { 5, 86400, 3600, "arp_defend_period"},
+ { 5, 86400, 3600, "ndp_defend_period"},
+ { 0, 1, 1, "ipv4_icmp_return_pmtu" },
+ { 0, 1, 1, "ipv6_icmp_return_pmtu" },
+ /*
+ * publish count/interval values used to announce local addresses
+ * for IPv4, IPv6.
+ */
+ { 1, 20, 5, "ip_arp_publish_count" },
+ { 1000, 20000, 2000, "ip_arp_publish_interval" },
};
/*
@@ -1336,11 +1262,11 @@ ip_ioctl_cmd_t ip_ndx_ioctl_table[] = {
ip_sioctl_get_lifsrcof, NULL },
/* 178 */ { SIOCGMSFILTER, sizeof (struct group_filter), IPI_GET_CMD,
MSFILT_CMD, ip_sioctl_msfilter, NULL },
- /* 179 */ { SIOCSMSFILTER, sizeof (struct group_filter), IPI_WR,
+ /* 179 */ { SIOCSMSFILTER, sizeof (struct group_filter), 0,
MSFILT_CMD, ip_sioctl_msfilter, NULL },
/* 180 */ { SIOCGIPMSFILTER, sizeof (struct ip_msfilter), IPI_GET_CMD,
MSFILT_CMD, ip_sioctl_msfilter, NULL },
- /* 181 */ { SIOCSIPMSFILTER, sizeof (struct ip_msfilter), IPI_WR,
+ /* 181 */ { SIOCSIPMSFILTER, sizeof (struct ip_msfilter), 0,
MSFILT_CMD, ip_sioctl_msfilter, NULL },
/* 182 */ { IPI_DONTCARE, 0, 0, 0, NULL, NULL },
/* SIOCSENABLESDP is handled by SDP */
@@ -1355,12 +1281,12 @@ ip_ioctl_cmd_t ip_ndx_ioctl_table[] = {
int ip_ndx_ioctl_count = sizeof (ip_ndx_ioctl_table) / sizeof (ip_ioctl_cmd_t);
ip_ioctl_cmd_t ip_misc_ioctl_table[] = {
- { I_LINK, 0, IPI_PRIV | IPI_WR | IPI_PASS_DOWN, 0, NULL, NULL },
- { I_UNLINK, 0, IPI_PRIV | IPI_WR | IPI_PASS_DOWN, 0, NULL, NULL },
- { I_PLINK, 0, IPI_PRIV | IPI_WR | IPI_PASS_DOWN, 0, NULL, NULL },
- { I_PUNLINK, 0, IPI_PRIV | IPI_WR | IPI_PASS_DOWN, 0, NULL, NULL },
- { ND_GET, 0, IPI_PASS_DOWN, 0, NULL, NULL },
- { ND_SET, 0, IPI_PRIV | IPI_WR | IPI_PASS_DOWN, 0, NULL, NULL },
+ { I_LINK, 0, IPI_PRIV | IPI_WR, 0, NULL, NULL },
+ { I_UNLINK, 0, IPI_PRIV | IPI_WR, 0, NULL, NULL },
+ { I_PLINK, 0, IPI_PRIV | IPI_WR, 0, NULL, NULL },
+ { I_PUNLINK, 0, IPI_PRIV | IPI_WR, 0, NULL, NULL },
+ { ND_GET, 0, 0, 0, NULL, NULL },
+ { ND_SET, 0, IPI_PRIV | IPI_WR, 0, NULL, NULL },
{ IP_IOCTL, 0, 0, 0, NULL, NULL },
{ SIOCGETVIFCNT, sizeof (struct sioc_vif_req), IPI_GET_CMD,
MISC_CMD, mrt_ioctl},
@@ -1384,12 +1310,14 @@ static nv_t ire_nv_arr[] = {
{ IRE_BROADCAST, "BROADCAST" },
{ IRE_LOCAL, "LOCAL" },
{ IRE_LOOPBACK, "LOOPBACK" },
- { IRE_CACHE, "CACHE" },
{ IRE_DEFAULT, "DEFAULT" },
{ IRE_PREFIX, "PREFIX" },
{ IRE_IF_NORESOLVER, "IF_NORESOL" },
{ IRE_IF_RESOLVER, "IF_RESOLV" },
+ { IRE_IF_CLONE, "IF_CLONE" },
{ IRE_HOST, "HOST" },
+ { IRE_MULTICAST, "MULTICAST" },
+ { IRE_NOROUTE, "NOROUTE" },
{ 0 }
};
@@ -1412,7 +1340,6 @@ struct module_info ip_mod_info = {
/*
* Entry points for IP as a device and as a module.
- * FIXME: down the road we might want a separate module and driver qinit.
* We have separate open functions for the /dev/ip and /dev/ip6 devices.
*/
static struct qinit iprinitv4 = {
@@ -1425,13 +1352,8 @@ struct qinit iprinitv6 = {
&ip_mod_info
};
-static struct qinit ipwinitv4 = {
- (pfi_t)ip_wput, (pfi_t)ip_wsrv, NULL, NULL, NULL,
- &ip_mod_info
-};
-
-struct qinit ipwinitv6 = {
- (pfi_t)ip_wput_v6, (pfi_t)ip_wsrv, NULL, NULL, NULL,
+static struct qinit ipwinit = {
+ (pfi_t)ip_wput_nondata, (pfi_t)ip_wsrv, NULL, NULL, NULL,
&ip_mod_info
};
@@ -1447,98 +1369,32 @@ static struct qinit iplwinit = {
/* For AF_INET aka /dev/ip */
struct streamtab ipinfov4 = {
- &iprinitv4, &ipwinitv4, &iplrinit, &iplwinit
+ &iprinitv4, &ipwinit, &iplrinit, &iplwinit
};
/* For AF_INET6 aka /dev/ip6 */
struct streamtab ipinfov6 = {
- &iprinitv6, &ipwinitv6, &iplrinit, &iplwinit
+ &iprinitv6, &ipwinit, &iplrinit, &iplwinit
};
#ifdef DEBUG
-static boolean_t skip_sctp_cksum = B_FALSE;
+boolean_t skip_sctp_cksum = B_FALSE;
#endif
/*
- * Prepend the zoneid using an ipsec_out_t for later use by functions like
- * ip_rput_v6(), ip_output(), etc. If the message
- * block already has a M_CTL at the front of it, then simply set the zoneid
- * appropriately.
- */
-mblk_t *
-ip_prepend_zoneid(mblk_t *mp, zoneid_t zoneid, ip_stack_t *ipst)
-{
- mblk_t *first_mp;
- ipsec_out_t *io;
-
- ASSERT(zoneid != ALL_ZONES);
- if (mp->b_datap->db_type == M_CTL) {
- io = (ipsec_out_t *)mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- io->ipsec_out_zoneid = zoneid;
- return (mp);
- }
-
- first_mp = ipsec_alloc_ipsec_out(ipst->ips_netstack);
- if (first_mp == NULL)
- return (NULL);
- io = (ipsec_out_t *)first_mp->b_rptr;
- /* This is not a secure packet */
- io->ipsec_out_secure = B_FALSE;
- io->ipsec_out_zoneid = zoneid;
- first_mp->b_cont = mp;
- return (first_mp);
-}
-
-/*
- * Copy an M_CTL-tagged message, preserving reference counts appropriately.
+ * Generate an ICMP fragmentation needed message.
+ * When called from ip_output side a minimal ip_recv_attr_t needs to be
+ * constructed by the caller.
*/
-mblk_t *
-ip_copymsg(mblk_t *mp)
-{
- mblk_t *nmp;
- ipsec_info_t *in;
-
- if (mp->b_datap->db_type != M_CTL)
- return (copymsg(mp));
-
- in = (ipsec_info_t *)mp->b_rptr;
-
- /*
- * Note that M_CTL is also used for delivering ICMP error messages
- * upstream to transport layers.
- */
- if (in->ipsec_info_type != IPSEC_OUT &&
- in->ipsec_info_type != IPSEC_IN)
- return (copymsg(mp));
-
- nmp = copymsg(mp->b_cont);
-
- if (in->ipsec_info_type == IPSEC_OUT) {
- return (ipsec_out_tag(mp, nmp,
- ((ipsec_out_t *)in)->ipsec_out_ns));
- } else {
- return (ipsec_in_tag(mp, nmp,
- ((ipsec_in_t *)in)->ipsec_in_ns));
- }
-}
-
-/* Generate an ICMP fragmentation needed message. */
-static void
-icmp_frag_needed(queue_t *q, mblk_t *mp, int mtu, zoneid_t zoneid,
- ip_stack_t *ipst)
+void
+icmp_frag_needed(mblk_t *mp, int mtu, ip_recv_attr_t *ira)
{
icmph_t icmph;
- mblk_t *first_mp;
- boolean_t mctl_present;
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
- EXTRACT_PKT_MP(mp, first_mp, mctl_present);
-
- if (!(mp = icmp_pkt_err_ok(mp, ipst))) {
- if (mctl_present)
- freeb(first_mp);
+ mp = icmp_pkt_err_ok(mp, ira);
+ if (mp == NULL)
return;
- }
bzero(&icmph, sizeof (icmph_t));
icmph.icmph_type = ICMP_DEST_UNREACHABLE;
@@ -1546,29 +1402,29 @@ icmp_frag_needed(queue_t *q, mblk_t *mp, int mtu, zoneid_t zoneid,
icmph.icmph_du_mtu = htons((uint16_t)mtu);
BUMP_MIB(&ipst->ips_icmp_mib, icmpOutFragNeeded);
BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDestUnreachs);
- icmp_pkt(q, first_mp, &icmph, sizeof (icmph_t), mctl_present, zoneid,
- ipst);
+
+ icmp_pkt(mp, &icmph, sizeof (icmph_t), ira);
}
/*
- * icmp_inbound deals with ICMP messages in the following ways.
+ * icmp_inbound_v4 deals with ICMP messages that are handled by IP.
+ * If the ICMP message is consumed by IP, i.e., it should not be delivered
+ * to any IPPROTO_ICMP raw sockets, then it returns NULL.
+ * Likewise, if the ICMP error is misformed (too short, etc), then it
+ * returns NULL. The caller uses this to determine whether or not to send
+ * to raw sockets.
*
+ * All error messages are passed to the matching transport stream.
+ *
+ * The following cases are handled by icmp_inbound:
* 1) It needs to send a reply back and possibly delivering it
* to the "interested" upper clients.
- * 2) It needs to send it to the upper clients only.
+ * 2) Return the mblk so that the caller can pass it to the RAW socket clients.
* 3) It needs to change some values in IP only.
- * 4) It needs to change some values in IP and upper layers e.g TCP.
- *
- * We need to accomodate icmp messages coming in clear until we get
- * everything secure from the wire. If icmp_accept_clear_messages
- * is zero we check with the global policy and act accordingly. If
- * it is non-zero, we accept the message without any checks. But
- * *this does not mean* that this will be delivered to the upper
- * clients. By accepting we might send replies back, change our MTU
- * value etc. but delivery to the ULP/clients depends on their policy
- * dispositions.
+ * 4) It needs to change some values in IP and upper layers e.g TCP
+ * by delivering an error to the upper layers.
*
- * We handle the above 4 cases in the context of IPsec in the
+ * We handle the above three cases in the context of IPsec in the
* following way :
*
* 1) Send the reply back in the same way as the request came in.
@@ -1610,13 +1466,13 @@ icmp_frag_needed(queue_t *q, mblk_t *mp, int mtu, zoneid_t zoneid,
* come to a stop. This is solved by making similar decisions
* at both levels. Currently, when we are unable to deliver
* to the Upper Layer (due to policy failures) while IP has
- * adjusted ire_max_frag, the next outbound datagram would
+ * adjusted dce_pmtu, the next outbound datagram would
* generate a local ICMP_FRAGMENTATION_NEEDED message - which
* will be with the right level of protection. Thus the right
* value will be communicated even if we are not able to
* communicate when we get from the wire initially. But this
* assumes there would be at least one outbound datagram after
- * IP has adjusted its ire_max_frag value. To make things
+ * IP has adjusted its dce_pmtu value. To make things
* simpler, we accept in clear after the validation of
* AH/ESP headers.
*
@@ -1627,105 +1483,54 @@ icmp_frag_needed(queue_t *q, mblk_t *mp, int mtu, zoneid_t zoneid,
* should be accepted in clear when the Upper layer expects secure.
* Thus the communication may get aborted by some bad ICMP
* packets.
- *
- * IPQoS Notes:
- * The only instance when a packet is sent for processing is when there
- * isn't an ICMP client and if we are interested in it.
- * If there is a client, IPPF processing will take place in the
- * ip_fanout_proto routine.
- *
- * Zones notes:
- * The packet is only processed in the context of the specified zone: typically
- * only this zone will reply to an echo request, and only interested clients in
- * this zone will receive a copy of the packet. This means that the caller must
- * call icmp_inbound() for each relevant zone.
*/
-static void
-icmp_inbound(queue_t *q, mblk_t *mp, boolean_t broadcast, ill_t *ill,
- int sum_valid, uint32_t sum, boolean_t mctl_present, boolean_t ip_policy,
- ill_t *recv_ill, zoneid_t zoneid)
+mblk_t *
+icmp_inbound_v4(mblk_t *mp, ip_recv_attr_t *ira)
{
- icmph_t *icmph;
- ipha_t *ipha;
- int iph_hdr_length;
- int hdr_length;
+ icmph_t *icmph;
+ ipha_t *ipha; /* Outer header */
+ int ip_hdr_length; /* Outer header length */
boolean_t interested;
+ ipif_t *ipif;
uint32_t ts;
- uchar_t *wptr;
- ipif_t *ipif;
- mblk_t *first_mp;
- ipsec_in_t *ii;
- timestruc_t now;
- uint32_t ill_index;
- ip_stack_t *ipst;
-
- ASSERT(ill != NULL);
- ipst = ill->ill_ipst;
-
- first_mp = mp;
- if (mctl_present) {
- mp = first_mp->b_cont;
- ASSERT(mp != NULL);
- }
+ uint32_t *tsp;
+ timestruc_t now;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ zoneid_t zoneid = ira->ira_zoneid;
+ int len_needed;
+ mblk_t *mp_ret = NULL;
ipha = (ipha_t *)mp->b_rptr;
- if (ipst->ips_icmp_accept_clear_messages == 0) {
- first_mp = ipsec_check_global_policy(first_mp, NULL,
- ipha, NULL, mctl_present, ipst->ips_netstack);
- if (first_mp == NULL)
- return;
- }
-
- /*
- * On a labeled system, we have to check whether the zone itself is
- * permitted to receive raw traffic.
- */
- if (is_system_labeled()) {
- if (zoneid == ALL_ZONES)
- zoneid = tsol_packet_to_zoneid(mp);
- if (!tsol_can_accept_raw(mp, B_FALSE)) {
- ip1dbg(("icmp_inbound: zone %d can't receive raw",
- zoneid));
- BUMP_MIB(&ipst->ips_icmp_mib, icmpInErrors);
- freemsg(first_mp);
- return;
- }
- }
-
- /*
- * We have accepted the ICMP message. It means that we will
- * respond to the packet if needed. It may not be delivered
- * to the upper client depending on the policy constraints
- * and the disposition in ipsec_inbound_accept_clear.
- */
-
- ASSERT(ill != NULL);
BUMP_MIB(&ipst->ips_icmp_mib, icmpInMsgs);
- iph_hdr_length = IPH_HDR_LENGTH(ipha);
- if ((mp->b_wptr - mp->b_rptr) < (iph_hdr_length + ICMPH_SIZE)) {
+
+ ip_hdr_length = ira->ira_ip_hdr_length;
+ if ((mp->b_wptr - mp->b_rptr) < (ip_hdr_length + ICMPH_SIZE)) {
+ if (ira->ira_pktlen < (ip_hdr_length + ICMPH_SIZE)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
+ ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
+ freemsg(mp);
+ return (NULL);
+ }
/* Last chance to get real. */
- if (!pullupmsg(mp, iph_hdr_length + ICMPH_SIZE)) {
+ ipha = ip_pullup(mp, ip_hdr_length + ICMPH_SIZE, ira);
+ if (ipha == NULL) {
BUMP_MIB(&ipst->ips_icmp_mib, icmpInErrors);
- freemsg(first_mp);
- return;
+ freemsg(mp);
+ return (NULL);
}
- /* Refresh iph following the pullup. */
- ipha = (ipha_t *)mp->b_rptr;
- }
- /* ICMP header checksum, including checksum field, should be zero. */
- if (sum_valid ? (sum != 0 && sum != 0xFFFF) :
- IP_CSUM(mp, iph_hdr_length, 0)) {
- BUMP_MIB(&ipst->ips_icmp_mib, icmpInCksumErrs);
- freemsg(first_mp);
- return;
}
+
/* The IP header will always be a multiple of four bytes */
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- ip2dbg(("icmp_inbound: type %d code %d\n", icmph->icmph_type,
+ icmph = (icmph_t *)&mp->b_rptr[ip_hdr_length];
+ ip2dbg(("icmp_inbound_v4: type %d code %d\n", icmph->icmph_type,
icmph->icmph_code));
- wptr = (uchar_t *)icmph + ICMPH_SIZE;
- /* We will set "interested" to "true" if we want a copy */
+
+ /*
+ * We will set "interested" to "true" if we should pass a copy to
+ * the transport or if we handle the packet locally.
+ */
interested = B_FALSE;
switch (icmph->icmph_type) {
case ICMP_ECHO_REPLY:
@@ -1753,18 +1558,42 @@ icmp_inbound(queue_t *q, mblk_t *mp, boolean_t broadcast, ill_t *ill,
* (what isn't?). We aim to please, you pick it.
* Default is do it.
*/
- if (!broadcast && !CLASSD(ipha->ipha_dst)) {
- /* unicast: always respond */
- interested = B_TRUE;
- } else if (CLASSD(ipha->ipha_dst)) {
+ if (ira->ira_flags & IRAF_MULTICAST) {
/* multicast: respond based on tunable */
interested = ipst->ips_ip_g_resp_to_echo_mcast;
- } else if (broadcast) {
+ } else if (ira->ira_flags & IRAF_BROADCAST) {
/* broadcast: respond based on tunable */
interested = ipst->ips_ip_g_resp_to_echo_bcast;
+ } else {
+ /* unicast: always respond */
+ interested = B_TRUE;
}
BUMP_MIB(&ipst->ips_icmp_mib, icmpInEchos);
- break;
+ if (!interested) {
+ /* We never pass these to RAW sockets */
+ freemsg(mp);
+ return (NULL);
+ }
+
+ /* Check db_ref to make sure we can modify the packet. */
+ if (mp->b_datap->db_ref > 1) {
+ mblk_t *mp1;
+
+ mp1 = copymsg(mp);
+ freemsg(mp);
+ if (!mp1) {
+ BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDrops);
+ return (NULL);
+ }
+ mp = mp1;
+ ipha = (ipha_t *)mp->b_rptr;
+ icmph = (icmph_t *)&mp->b_rptr[ip_hdr_length];
+ }
+ icmph->icmph_type = ICMP_ECHO_REPLY;
+ BUMP_MIB(&ipst->ips_icmp_mib, icmpOutEchoReps);
+ icmp_send_reply_v4(mp, ipha, icmph, ira);
+ return (NULL);
+
case ICMP_ROUTER_ADVERTISEMENT:
case ICMP_ROUTER_SOLICITATION:
break;
@@ -1778,28 +1607,63 @@ icmp_inbound(queue_t *q, mblk_t *mp, boolean_t broadcast, ill_t *ill,
break;
case ICMP_TIME_STAMP_REQUEST:
/* Response to Time Stamp Requests is local policy. */
- if (ipst->ips_ip_g_resp_to_timestamp &&
- /* So is whether to respond if it was an IP broadcast. */
- (!broadcast || ipst->ips_ip_g_resp_to_timestamp_bcast)) {
- int tstamp_len = 3 * sizeof (uint32_t);
-
- if (wptr + tstamp_len > mp->b_wptr) {
- if (!pullupmsg(mp, wptr + tstamp_len -
- mp->b_rptr)) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInDiscards);
- freemsg(first_mp);
- return;
- }
- /* Refresh ipha following the pullup. */
- ipha = (ipha_t *)mp->b_rptr;
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- wptr = (uchar_t *)icmph + ICMPH_SIZE;
+ if (ipst->ips_ip_g_resp_to_timestamp) {
+ if (ira->ira_flags & IRAF_MULTIBROADCAST)
+ interested =
+ ipst->ips_ip_g_resp_to_timestamp_bcast;
+ else
+ interested = B_TRUE;
+ }
+ if (!interested) {
+ /* We never pass these to RAW sockets */
+ freemsg(mp);
+ return (NULL);
+ }
+
+ /* Make sure we have enough of the packet */
+ len_needed = ip_hdr_length + ICMPH_SIZE +
+ 3 * sizeof (uint32_t);
+
+ if (mp->b_wptr - mp->b_rptr < len_needed) {
+ ipha = ip_pullup(mp, len_needed, ira);
+ if (ipha == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - ip_pullup",
+ mp, ill);
+ freemsg(mp);
+ return (NULL);
}
- interested = B_TRUE;
+ /* Refresh following the pullup. */
+ icmph = (icmph_t *)&mp->b_rptr[ip_hdr_length];
}
BUMP_MIB(&ipst->ips_icmp_mib, icmpInTimestamps);
- break;
+ /* Check db_ref to make sure we can modify the packet. */
+ if (mp->b_datap->db_ref > 1) {
+ mblk_t *mp1;
+
+ mp1 = copymsg(mp);
+ freemsg(mp);
+ if (!mp1) {
+ BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDrops);
+ return (NULL);
+ }
+ mp = mp1;
+ ipha = (ipha_t *)mp->b_rptr;
+ icmph = (icmph_t *)&mp->b_rptr[ip_hdr_length];
+ }
+ icmph->icmph_type = ICMP_TIME_STAMP_REPLY;
+ tsp = (uint32_t *)&icmph[1];
+ tsp++; /* Skip past 'originate time' */
+ /* Compute # of milliseconds since midnight */
+ gethrestime(&now);
+ ts = (now.tv_sec % (24 * 60 * 60)) * 1000 +
+ now.tv_nsec / (NANOSEC / MILLISEC);
+ *tsp++ = htonl(ts); /* Lay in 'receive time' */
+ *tsp++ = htonl(ts); /* Lay in 'send time' */
+ BUMP_MIB(&ipst->ips_icmp_mib, icmpOutTimestampReps);
+ icmp_send_reply_v4(mp, ipha, icmph, ira);
+ return (NULL);
+
case ICMP_TIME_STAMP_REPLY:
BUMP_MIB(&ipst->ips_icmp_mib, icmpInTimestampReps);
break;
@@ -1808,14 +1672,68 @@ icmp_inbound(queue_t *q, mblk_t *mp, boolean_t broadcast, ill_t *ill,
case ICMP_INFO_REPLY:
break;
case ICMP_ADDRESS_MASK_REQUEST:
- if ((ipst->ips_ip_respond_to_address_mask_broadcast ||
- !broadcast) &&
- /* TODO m_pullup of complete header? */
- (mp->b_datap->db_lim - wptr) >= IP_ADDR_LEN) {
+ if (ira->ira_flags & IRAF_MULTIBROADCAST) {
+ interested =
+ ipst->ips_ip_respond_to_address_mask_broadcast;
+ } else {
interested = B_TRUE;
}
+ if (!interested) {
+ /* We never pass these to RAW sockets */
+ freemsg(mp);
+ return (NULL);
+ }
+ len_needed = ip_hdr_length + ICMPH_SIZE + IP_ADDR_LEN;
+ if (mp->b_wptr - mp->b_rptr < len_needed) {
+ ipha = ip_pullup(mp, len_needed, ira);
+ if (ipha == NULL) {
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsInTruncatedPkts);
+ ip_drop_input("ipIfStatsInTruncatedPkts", mp,
+ ill);
+ freemsg(mp);
+ return (NULL);
+ }
+ /* Refresh following the pullup. */
+ icmph = (icmph_t *)&mp->b_rptr[ip_hdr_length];
+ }
BUMP_MIB(&ipst->ips_icmp_mib, icmpInAddrMasks);
- break;
+ /* Check db_ref to make sure we can modify the packet. */
+ if (mp->b_datap->db_ref > 1) {
+ mblk_t *mp1;
+
+ mp1 = copymsg(mp);
+ freemsg(mp);
+ if (!mp1) {
+ BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDrops);
+ return (NULL);
+ }
+ mp = mp1;
+ ipha = (ipha_t *)mp->b_rptr;
+ icmph = (icmph_t *)&mp->b_rptr[ip_hdr_length];
+ }
+ /*
+ * Need the ipif with the mask be the same as the source
+ * address of the mask reply. For unicast we have a specific
+ * ipif. For multicast/broadcast we only handle onlink
+ * senders, and use the source address to pick an ipif.
+ */
+ ipif = ipif_lookup_addr(ipha->ipha_dst, ill, zoneid, ipst);
+ if (ipif == NULL) {
+ /* Broadcast or multicast */
+ ipif = ipif_lookup_remote(ill, ipha->ipha_src, zoneid);
+ if (ipif == NULL) {
+ freemsg(mp);
+ return (NULL);
+ }
+ }
+ icmph->icmph_type = ICMP_ADDRESS_MASK_REPLY;
+ bcopy(&ipif->ipif_net_mask, &icmph[1], IP_ADDR_LEN);
+ ipif_refrele(ipif);
+ BUMP_MIB(&ipst->ips_icmp_mib, icmpOutAddrMaskReps);
+ icmp_send_reply_v4(mp, ipha, icmph, ira);
+ return (NULL);
+
case ICMP_ADDRESS_MASK_REPLY:
BUMP_MIB(&ipst->ips_icmp_mib, icmpInAddrMaskReps);
break;
@@ -1824,206 +1742,103 @@ icmp_inbound(queue_t *q, mblk_t *mp, boolean_t broadcast, ill_t *ill,
BUMP_MIB(&ipst->ips_icmp_mib, icmpInUnknowns);
break;
}
- /* See if there is an ICMP client. */
- if (ipst->ips_ipcl_proto_fanout[IPPROTO_ICMP].connf_head != NULL) {
+ /*
+ * See if there is an ICMP client to avoid an extra copymsg/freemsg
+ * if there isn't one.
+ */
+ if (ipst->ips_ipcl_proto_fanout_v4[IPPROTO_ICMP].connf_head != NULL) {
/* If there is an ICMP client and we want one too, copy it. */
- mblk_t *first_mp1;
if (!interested) {
- ip_fanout_proto(q, first_mp, ill, ipha, 0, mctl_present,
- ip_policy, recv_ill, zoneid);
- return;
+ /* Caller will deliver to RAW sockets */
+ return (mp);
}
- first_mp1 = ip_copymsg(first_mp);
- if (first_mp1 != NULL) {
- ip_fanout_proto(q, first_mp1, ill, ipha,
- 0, mctl_present, ip_policy, recv_ill, zoneid);
+ mp_ret = copymsg(mp);
+ if (mp_ret == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - copymsg", mp, ill);
}
} else if (!interested) {
- freemsg(first_mp);
- return;
- } else {
- /*
- * Initiate policy processing for this packet if ip_policy
- * is true.
- */
- if (IPP_ENABLED(IPP_LOCAL_IN, ipst) && ip_policy) {
- ill_index = ill->ill_phyint->phyint_ifindex;
- ip_process(IPP_LOCAL_IN, &mp, ill_index);
- if (mp == NULL) {
- if (mctl_present) {
- freeb(first_mp);
- }
- BUMP_MIB(&ipst->ips_icmp_mib, icmpInErrors);
- return;
- }
+ /* Neither we nor raw sockets are interested. Drop packet now */
+ freemsg(mp);
+ return (NULL);
+ }
+
+ /*
+ * ICMP error or redirect packet. Make sure we have enough of
+ * the header and that db_ref == 1 since we might end up modifying
+ * the packet.
+ */
+ if (mp->b_cont != NULL) {
+ if (ip_pullup(mp, -1, ira) == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - ip_pullup",
+ mp, ill);
+ freemsg(mp);
+ return (mp_ret);
}
}
- /* We want to do something with it. */
- /* Check db_ref to make sure we can modify the packet. */
+
if (mp->b_datap->db_ref > 1) {
- mblk_t *first_mp1;
+ mblk_t *mp1;
- first_mp1 = ip_copymsg(first_mp);
- freemsg(first_mp);
- if (!first_mp1) {
- BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDrops);
- return;
- }
- first_mp = first_mp1;
- if (mctl_present) {
- mp = first_mp->b_cont;
- ASSERT(mp != NULL);
- } else {
- mp = first_mp;
+ mp1 = copymsg(mp);
+ if (mp1 == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - copymsg", mp, ill);
+ freemsg(mp);
+ return (mp_ret);
}
- ipha = (ipha_t *)mp->b_rptr;
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- wptr = (uchar_t *)icmph + ICMPH_SIZE;
+ freemsg(mp);
+ mp = mp1;
}
- switch (icmph->icmph_type) {
- case ICMP_ADDRESS_MASK_REQUEST:
- ipif = ipif_lookup_remote(ill, ipha->ipha_src, zoneid);
- if (ipif == NULL) {
- freemsg(first_mp);
- return;
- }
- /*
- * outging interface must be IPv4
- */
- ASSERT(ipif != NULL && !ipif->ipif_isv6);
- icmph->icmph_type = ICMP_ADDRESS_MASK_REPLY;
- bcopy(&ipif->ipif_net_mask, wptr, IP_ADDR_LEN);
- ipif_refrele(ipif);
- BUMP_MIB(&ipst->ips_icmp_mib, icmpOutAddrMaskReps);
- break;
- case ICMP_ECHO_REQUEST:
- icmph->icmph_type = ICMP_ECHO_REPLY;
- BUMP_MIB(&ipst->ips_icmp_mib, icmpOutEchoReps);
- break;
- case ICMP_TIME_STAMP_REQUEST: {
- uint32_t *tsp;
- icmph->icmph_type = ICMP_TIME_STAMP_REPLY;
- tsp = (uint32_t *)wptr;
- tsp++; /* Skip past 'originate time' */
- /* Compute # of milliseconds since midnight */
- gethrestime(&now);
- ts = (now.tv_sec % (24 * 60 * 60)) * 1000 +
- now.tv_nsec / (NANOSEC / MILLISEC);
- *tsp++ = htonl(ts); /* Lay in 'receive time' */
- *tsp++ = htonl(ts); /* Lay in 'send time' */
- BUMP_MIB(&ipst->ips_icmp_mib, icmpOutTimestampReps);
- break;
+ /*
+ * In case mp has changed, verify the message before any further
+ * processes.
+ */
+ ipha = (ipha_t *)mp->b_rptr;
+ icmph = (icmph_t *)&mp->b_rptr[ip_hdr_length];
+ if (!icmp_inbound_verify_v4(mp, icmph, ira)) {
+ freemsg(mp);
+ return (mp_ret);
}
- default:
- ipha = (ipha_t *)&icmph[1];
- if ((uchar_t *)&ipha[1] > mp->b_wptr) {
- if (!pullupmsg(mp, (uchar_t *)&ipha[1] - mp->b_rptr)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
- return;
- }
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- ipha = (ipha_t *)&icmph[1];
- }
- if ((IPH_HDR_VERSION(ipha) != IPV4_VERSION)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
- return;
- }
- hdr_length = IPH_HDR_LENGTH(ipha);
- if (hdr_length < sizeof (ipha_t)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
- return;
- }
- if ((uchar_t *)ipha + hdr_length > mp->b_wptr) {
- if (!pullupmsg(mp,
- (uchar_t *)ipha + hdr_length - mp->b_rptr)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
- return;
- }
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- ipha = (ipha_t *)&icmph[1];
- }
- switch (icmph->icmph_type) {
- case ICMP_REDIRECT:
- /*
- * As there is no upper client to deliver, we don't
- * need the first_mp any more.
- */
- if (mctl_present) {
- freeb(first_mp);
- }
- icmp_redirect(ill, mp);
- return;
- case ICMP_DEST_UNREACHABLE:
- if (icmph->icmph_code == ICMP_FRAGMENTATION_NEEDED) {
- if (!icmp_inbound_too_big(icmph, ipha, ill,
- zoneid, mp, iph_hdr_length, ipst)) {
- freemsg(first_mp);
- return;
- }
- /*
- * icmp_inbound_too_big() may alter mp.
- * Resynch ipha and icmph accordingly.
- */
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- ipha = (ipha_t *)&icmph[1];
- }
- /* FALLTHRU */
- default :
- /*
- * IPQoS notes: Since we have already done IPQoS
- * processing we don't want to do it again in
- * the fanout routines called by
- * icmp_inbound_error_fanout, hence the last
- * argument, ip_policy, is B_FALSE.
- */
- icmp_inbound_error_fanout(q, ill, first_mp, icmph,
- ipha, iph_hdr_length, hdr_length, mctl_present,
- B_FALSE, recv_ill, zoneid);
+
+ switch (icmph->icmph_type) {
+ case ICMP_REDIRECT:
+ icmp_redirect_v4(mp, ipha, icmph, ira);
+ break;
+ case ICMP_DEST_UNREACHABLE:
+ if (icmph->icmph_code == ICMP_FRAGMENTATION_NEEDED) {
+ /* Update DCE and adjust MTU is icmp header if needed */
+ icmp_inbound_too_big_v4(icmph, ira);
}
- return;
+ /* FALLTHRU */
+ default:
+ icmp_inbound_error_fanout_v4(mp, icmph, ira);
+ break;
}
+ return (mp_ret);
+}
+
+/*
+ * Send an ICMP echo, timestamp or address mask reply.
+ * The caller has already updated the payload part of the packet.
+ * We handle the ICMP checksum, IP source address selection and feed
+ * the packet into ip_output_simple.
+ */
+static void
+icmp_send_reply_v4(mblk_t *mp, ipha_t *ipha, icmph_t *icmph,
+ ip_recv_attr_t *ira)
+{
+ uint_t ip_hdr_length = ira->ira_ip_hdr_length;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ ip_xmit_attr_t ixas;
+
/* Send out an ICMP packet */
icmph->icmph_checksum = 0;
- icmph->icmph_checksum = IP_CSUM(mp, iph_hdr_length, 0);
- if (broadcast || CLASSD(ipha->ipha_dst)) {
- ipif_t *ipif_chosen;
- /*
- * Make it look like it was directed to us, so we don't look
- * like a fool with a broadcast or multicast source address.
- */
- ipif = ipif_lookup_remote(ill, ipha->ipha_src, zoneid);
- /*
- * Make sure that we haven't grabbed an interface that's DOWN.
- */
- if (ipif != NULL) {
- ipif_chosen = ipif_select_source(ipif->ipif_ill,
- ipha->ipha_src, zoneid);
- if (ipif_chosen != NULL) {
- ipif_refrele(ipif);
- ipif = ipif_chosen;
- }
- }
- if (ipif == NULL) {
- ip0dbg(("icmp_inbound: "
- "No source for broadcast/multicast:\n"
- "\tsrc 0x%x dst 0x%x ill %p "
- "ipif_lcl_addr 0x%x\n",
- ntohl(ipha->ipha_src), ntohl(ipha->ipha_dst),
- (void *)ill,
- ill->ill_ipif->ipif_lcl_addr));
- freemsg(first_mp);
- return;
- }
- ASSERT(ipif != NULL && !ipif->ipif_isv6);
- ipha->ipha_dst = ipif->ipif_src_addr;
- ipif_refrele(ipif);
- }
+ icmph->icmph_checksum = IP_CSUM(mp, ip_hdr_length, 0);
/* Reset time to live. */
ipha->ipha_ttl = ipst->ips_ip_def_ttl;
{
@@ -2038,138 +1853,159 @@ icmp_inbound(queue_t *q, mblk_t *mp, boolean_t broadcast, ill_t *ill,
if (!IS_SIMPLE_IPH(ipha))
icmp_options_update(ipha);
- if (!mctl_present) {
+ bzero(&ixas, sizeof (ixas));
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
+ ixas.ixa_zoneid = ira->ira_zoneid;
+ ixas.ixa_cred = kcred;
+ ixas.ixa_cpid = NOPID;
+ ixas.ixa_tsl = ira->ira_tsl; /* Behave as a multi-level responder */
+ ixas.ixa_ifindex = 0;
+ ixas.ixa_ipst = ipst;
+ ixas.ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
+
+ if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
/*
* This packet should go out the same way as it
- * came in i.e in clear. To make sure that global
- * policy will not be applied to this in ip_wput_ire,
- * we attach a IPSEC_IN mp and clear ipsec_in_secure.
+ * came in i.e in clear, independent of the IPsec policy
+ * for transmitting packets.
*/
- ASSERT(first_mp == mp);
- first_mp = ipsec_in_alloc(B_TRUE, ipst->ips_netstack);
- if (first_mp == NULL) {
+ ixas.ixa_flags |= IXAF_NO_IPSEC;
+ } else {
+ if (!ipsec_in_to_out(ira, &ixas, mp, ipha, NULL)) {
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(mp);
+ /* Note: mp already consumed and ip_drop_packet done */
return;
}
- ii = (ipsec_in_t *)first_mp->b_rptr;
-
- /* This is not a secure packet */
- ii->ipsec_in_secure = B_FALSE;
- first_mp->b_cont = mp;
- } else {
- ii = (ipsec_in_t *)first_mp->b_rptr;
- ii->ipsec_in_ns = ipst->ips_netstack; /* No netstack_hold */
}
- if (!ipsec_in_to_out(first_mp, ipha, NULL, zoneid)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- return;
+ if (ira->ira_flags & IRAF_MULTIBROADCAST) {
+ /*
+ * Not one or our addresses (IRE_LOCALs), thus we let
+ * ip_output_simple pick the source.
+ */
+ ipha->ipha_src = INADDR_ANY;
+ ixas.ixa_flags |= IXAF_SET_SOURCE;
+ }
+ /* Should we send with DF and use dce_pmtu? */
+ if (ipst->ips_ipv4_icmp_return_pmtu) {
+ ixas.ixa_flags |= IXAF_PMTU_DISCOVERY;
+ ipha->ipha_fragment_offset_and_flags |= IPH_DF_HTONS;
}
+
BUMP_MIB(&ipst->ips_icmp_mib, icmpOutMsgs);
- put(WR(q), first_mp);
+
+ (void) ip_output_simple(mp, &ixas);
+ ixa_cleanup(&ixas);
}
-static ipaddr_t
-icmp_get_nexthop_addr(ipha_t *ipha, ill_t *ill, zoneid_t zoneid, mblk_t *mp)
+/*
+ * Verify the ICMP messages for either for ICMP error or redirect packet.
+ * The caller should have fully pulled up the message. If it's a redirect
+ * packet, only basic checks on IP header will be done; otherwise, verify
+ * the packet by looking at the included ULP header.
+ *
+ * Called before icmp_inbound_error_fanout_v4 is called.
+ */
+static boolean_t
+icmp_inbound_verify_v4(mblk_t *mp, icmph_t *icmph, ip_recv_attr_t *ira)
{
- conn_t *connp;
- connf_t *connfp;
- ipaddr_t nexthop_addr = INADDR_ANY;
- int hdr_length = IPH_HDR_LENGTH(ipha);
- uint16_t *up;
- uint32_t ports;
- ip_stack_t *ipst = ill->ill_ipst;
+ ill_t *ill = ira->ira_ill;
+ int hdr_length;
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
+ conn_t *connp;
+ ipha_t *ipha; /* Inner IP header */
- up = (uint16_t *)((uchar_t *)ipha + hdr_length);
- switch (ipha->ipha_protocol) {
- case IPPROTO_TCP:
- {
- tcph_t *tcph;
-
- /* do a reverse lookup */
- tcph = (tcph_t *)((uchar_t *)ipha + hdr_length);
- connp = ipcl_tcp_lookup_reversed_ipv4(ipha, tcph,
- TCPS_LISTEN, ipst);
- break;
- }
- case IPPROTO_UDP:
- {
- uint32_t dstport, srcport;
+ ipha = (ipha_t *)&icmph[1];
+ if ((uchar_t *)ipha + IP_SIMPLE_HDR_LENGTH > mp->b_wptr)
+ goto truncated;
- ((uint16_t *)&ports)[0] = up[1];
- ((uint16_t *)&ports)[1] = up[0];
+ hdr_length = IPH_HDR_LENGTH(ipha);
- /* Extract ports in net byte order */
- dstport = htons(ntohl(ports) & 0xFFFF);
- srcport = htons(ntohl(ports) >> 16);
+ if ((IPH_HDR_VERSION(ipha) != IPV4_VERSION))
+ goto discard_pkt;
- connfp = &ipst->ips_ipcl_udp_fanout[
- IPCL_UDP_HASH(dstport, ipst)];
- mutex_enter(&connfp->connf_lock);
- connp = connfp->connf_head;
+ if (hdr_length < sizeof (ipha_t))
+ goto truncated;
- /* do a reverse lookup */
- while ((connp != NULL) &&
- (!IPCL_UDP_MATCH(connp, dstport,
- ipha->ipha_src, srcport, ipha->ipha_dst) ||
- !IPCL_ZONE_MATCH(connp, zoneid))) {
- connp = connp->conn_next;
- }
- if (connp != NULL)
- CONN_INC_REF(connp);
- mutex_exit(&connfp->connf_lock);
- break;
- }
- case IPPROTO_SCTP:
- {
- in6_addr_t map_src, map_dst;
+ if ((uchar_t *)ipha + hdr_length > mp->b_wptr)
+ goto truncated;
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &map_src);
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &map_dst);
- ((uint16_t *)&ports)[0] = up[1];
- ((uint16_t *)&ports)[1] = up[0];
+ /*
+ * Stop here for ICMP_REDIRECT.
+ */
+ if (icmph->icmph_type == ICMP_REDIRECT)
+ return (B_TRUE);
- connp = sctp_find_conn(&map_src, &map_dst, ports,
- zoneid, ipst->ips_netstack->netstack_sctp);
- if (connp == NULL) {
- connp = ipcl_classify_raw(mp, IPPROTO_SCTP,
- zoneid, ports, ipha, ipst);
- } else {
- CONN_INC_REF(connp);
- SCTP_REFRELE(CONN2SCTP(connp));
- }
- break;
- }
- default:
- {
- ipha_t ripha;
+ /*
+ * ICMP errors only.
+ */
+ switch (ipha->ipha_protocol) {
+ case IPPROTO_UDP:
+ /*
+ * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
+ * transport header.
+ */
+ if ((uchar_t *)ipha + hdr_length + ICMP_MIN_TP_HDR_LEN >
+ mp->b_wptr)
+ goto truncated;
+ break;
+ case IPPROTO_TCP: {
+ tcpha_t *tcpha;
+
+ /*
+ * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
+ * transport header.
+ */
+ if ((uchar_t *)ipha + hdr_length + ICMP_MIN_TP_HDR_LEN >
+ mp->b_wptr)
+ goto truncated;
- ripha.ipha_src = ipha->ipha_dst;
- ripha.ipha_dst = ipha->ipha_src;
- ripha.ipha_protocol = ipha->ipha_protocol;
+ tcpha = (tcpha_t *)((uchar_t *)ipha + hdr_length);
+ connp = ipcl_tcp_lookup_reversed_ipv4(ipha, tcpha, TCPS_LISTEN,
+ ipst);
+ if (connp == NULL)
+ goto discard_pkt;
- connfp = &ipst->ips_ipcl_proto_fanout[
- ipha->ipha_protocol];
- mutex_enter(&connfp->connf_lock);
- connp = connfp->connf_head;
- for (connp = connfp->connf_head; connp != NULL;
- connp = connp->conn_next) {
- if (IPCL_PROTO_MATCH(connp,
- ipha->ipha_protocol, &ripha, ill,
- 0, zoneid)) {
- CONN_INC_REF(connp);
- break;
- }
- }
- mutex_exit(&connfp->connf_lock);
+ if ((connp->conn_verifyicmp != NULL) &&
+ !connp->conn_verifyicmp(connp, tcpha, icmph, NULL, ira)) {
+ CONN_DEC_REF(connp);
+ goto discard_pkt;
}
- }
- if (connp != NULL) {
- if (connp->conn_nexthop_set)
- nexthop_addr = connp->conn_nexthop_v4;
CONN_DEC_REF(connp);
+ break;
+ }
+ case IPPROTO_SCTP:
+ /*
+ * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
+ * transport header.
+ */
+ if ((uchar_t *)ipha + hdr_length + ICMP_MIN_TP_HDR_LEN >
+ mp->b_wptr)
+ goto truncated;
+ break;
+ case IPPROTO_ESP:
+ case IPPROTO_AH:
+ break;
+ case IPPROTO_ENCAP:
+ if ((uchar_t *)ipha + hdr_length + sizeof (ipha_t) >
+ mp->b_wptr)
+ goto truncated;
+ break;
+ default:
+ break;
}
- return (nexthop_addr);
+
+ return (B_TRUE);
+
+discard_pkt:
+ /* Bogus ICMP error. */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ return (B_FALSE);
+
+truncated:
+ /* We pulled up everthing already. Must be truncated */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
+ ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
+ return (B_FALSE);
}
/* Table from RFC 1191 */
@@ -2178,64 +2014,52 @@ static int icmp_frag_size_table[] =
/*
* Process received ICMP Packet too big.
- * After updating any IRE it does the fanout to any matching transport streams.
- * Assumes the message has been pulled up till the IP header that caused
- * the error.
+ * Just handles the DCE create/update, including using the above table of
+ * PMTU guesses. The caller is responsible for validating the packet before
+ * passing it in and also to fanout the ICMP error to any matching transport
+ * conns. Assumes the message has been fully pulled up and verified.
+ *
+ * Before getting here, the caller has called icmp_inbound_verify_v4()
+ * that should have verified with ULP to prevent undoing the changes we're
+ * going to make to DCE. For example, TCP might have verified that the packet
+ * which generated error is in the send window.
*
- * Returns B_FALSE on failure and B_TRUE on success.
+ * In some cases modified this MTU in the ICMP header packet; the caller
+ * should pass to the matching ULP after this returns.
*/
-static boolean_t
-icmp_inbound_too_big(icmph_t *icmph, ipha_t *ipha, ill_t *ill,
- zoneid_t zoneid, mblk_t *mp, int iph_hdr_length,
- ip_stack_t *ipst)
+static void
+icmp_inbound_too_big_v4(icmph_t *icmph, ip_recv_attr_t *ira)
{
- ire_t *ire, *first_ire;
- int mtu, orig_mtu;
- int hdr_length;
- ipaddr_t nexthop_addr;
- boolean_t disable_pmtud;
+ dce_t *dce;
+ int old_mtu;
+ int mtu, orig_mtu;
+ ipaddr_t dst;
+ boolean_t disable_pmtud;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ uint_t hdr_length;
+ ipha_t *ipha;
+ /* Caller already pulled up everything. */
+ ipha = (ipha_t *)&icmph[1];
ASSERT(icmph->icmph_type == ICMP_DEST_UNREACHABLE &&
icmph->icmph_code == ICMP_FRAGMENTATION_NEEDED);
ASSERT(ill != NULL);
hdr_length = IPH_HDR_LENGTH(ipha);
- /* Drop if the original packet contained a source route */
- if (ip_source_route_included(ipha)) {
- return (B_FALSE);
- }
/*
- * Verify we have at least ICMP_MIN_TP_HDR_LENGTH bytes of transport
- * header.
+ * We handle path MTU for source routed packets since the DCE
+ * is looked up using the final destination.
*/
- if ((uchar_t *)ipha + hdr_length + ICMP_MIN_TP_HDR_LEN >
- mp->b_wptr) {
- if (!pullupmsg(mp, (uchar_t *)ipha + hdr_length +
- ICMP_MIN_TP_HDR_LEN - mp->b_rptr)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- ip1dbg(("icmp_inbound_too_big: insufficient hdr\n"));
- return (B_FALSE);
- }
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- ipha = (ipha_t *)&icmph[1];
- }
- nexthop_addr = icmp_get_nexthop_addr(ipha, ill, zoneid, mp);
- if (nexthop_addr != INADDR_ANY) {
- /* nexthop set */
- first_ire = ire_ctable_lookup(ipha->ipha_dst,
- nexthop_addr, 0, NULL, ALL_ZONES, msg_getlabel(mp),
- MATCH_IRE_MARK_PRIVATE_ADDR | MATCH_IRE_GW, ipst);
- } else {
- /* nexthop not set */
- first_ire = ire_ctable_lookup(ipha->ipha_dst, 0, IRE_CACHE,
- NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- }
+ dst = ip_get_dst(ipha);
- if (!first_ire) {
- ip1dbg(("icmp_inbound_too_big: no route for 0x%x\n",
- ntohl(ipha->ipha_dst)));
- return (B_FALSE);
+ dce = dce_lookup_and_add_v4(dst, ipst);
+ if (dce == NULL) {
+ /* Couldn't add a unique one - ENOMEM */
+ ip1dbg(("icmp_inbound_too_big_v4: no dce for 0x%x\n",
+ ntohl(dst)));
+ return;
}
/* Check for MTU discovery advice as described in RFC 1191 */
@@ -2243,149 +2067,112 @@ icmp_inbound_too_big(icmph_t *icmph, ipha_t *ipha, ill_t *ill,
orig_mtu = mtu;
disable_pmtud = B_FALSE;
- rw_enter(&first_ire->ire_bucket->irb_lock, RW_READER);
- for (ire = first_ire; ire != NULL && ire->ire_addr == ipha->ipha_dst;
- ire = ire->ire_next) {
- /*
- * Look for the connection to which this ICMP message is
- * directed. If it has the IP_NEXTHOP option set, then the
- * search is limited to IREs with the MATCH_IRE_PRIVATE
- * option. Else the search is limited to regular IREs.
- */
- if (((ire->ire_marks & IRE_MARK_PRIVATE_ADDR) &&
- (nexthop_addr != ire->ire_gateway_addr)) ||
- (!(ire->ire_marks & IRE_MARK_PRIVATE_ADDR) &&
- (nexthop_addr != INADDR_ANY)))
- continue;
+ mutex_enter(&dce->dce_lock);
+ if (dce->dce_flags & DCEF_PMTU)
+ old_mtu = dce->dce_pmtu;
+ else
+ old_mtu = ill->ill_mtu;
- mutex_enter(&ire->ire_lock);
- if (icmph->icmph_du_zero != 0 || mtu < ipst->ips_ip_pmtu_min) {
- uint32_t length;
- int i;
+ if (icmph->icmph_du_zero != 0 || mtu < ipst->ips_ip_pmtu_min) {
+ uint32_t length;
+ int i;
+ /*
+ * Use the table from RFC 1191 to figure out
+ * the next "plateau" based on the length in
+ * the original IP packet.
+ */
+ length = ntohs(ipha->ipha_length);
+ DTRACE_PROBE2(ip4__pmtu__guess, dce_t *, dce,
+ uint32_t, length);
+ if (old_mtu <= length &&
+ old_mtu >= length - hdr_length) {
/*
- * Use the table from RFC 1191 to figure out
- * the next "plateau" based on the length in
- * the original IP packet.
+ * Handle broken BSD 4.2 systems that
+ * return the wrong ipha_length in ICMP
+ * errors.
*/
- length = ntohs(ipha->ipha_length);
- DTRACE_PROBE2(ip4__pmtu__guess, ire_t *, ire,
- uint32_t, length);
- if (ire->ire_max_frag <= length &&
- ire->ire_max_frag >= length - hdr_length) {
- /*
- * Handle broken BSD 4.2 systems that
- * return the wrong iph_length in ICMP
- * errors.
- */
- length -= hdr_length;
- }
- for (i = 0; i < A_CNT(icmp_frag_size_table); i++) {
- if (length > icmp_frag_size_table[i])
- break;
- }
- if (i == A_CNT(icmp_frag_size_table)) {
- /* Smaller than 68! */
- disable_pmtud = B_TRUE;
+ ip1dbg(("Wrong mtu: sent %d, dce %d\n",
+ length, old_mtu));
+ length -= hdr_length;
+ }
+ for (i = 0; i < A_CNT(icmp_frag_size_table); i++) {
+ if (length > icmp_frag_size_table[i])
+ break;
+ }
+ if (i == A_CNT(icmp_frag_size_table)) {
+ /* Smaller than IP_MIN_MTU! */
+ ip1dbg(("Too big for packet size %d\n",
+ length));
+ disable_pmtud = B_TRUE;
+ mtu = ipst->ips_ip_pmtu_min;
+ } else {
+ mtu = icmp_frag_size_table[i];
+ ip1dbg(("Calculated mtu %d, packet size %d, "
+ "before %d\n", mtu, length, old_mtu));
+ if (mtu < ipst->ips_ip_pmtu_min) {
mtu = ipst->ips_ip_pmtu_min;
- } else {
- mtu = icmp_frag_size_table[i];
- if (mtu < ipst->ips_ip_pmtu_min) {
- mtu = ipst->ips_ip_pmtu_min;
- disable_pmtud = B_TRUE;
- }
+ disable_pmtud = B_TRUE;
}
- /* Fool the ULP into believing our guessed PMTU. */
- icmph->icmph_du_zero = 0;
- icmph->icmph_du_mtu = htons(mtu);
- }
- if (disable_pmtud)
- ire->ire_frag_flag = 0;
- /* Reduce the IRE max frag value as advised. */
- ire->ire_max_frag = MIN(ire->ire_max_frag, mtu);
- if (ire->ire_max_frag == mtu) {
- /* Decreased it */
- ire->ire_marks |= IRE_MARK_PMTU;
}
- mutex_exit(&ire->ire_lock);
- DTRACE_PROBE4(ip4__pmtu__change, icmph_t *, icmph, ire_t *,
- ire, int, orig_mtu, int, mtu);
}
- rw_exit(&first_ire->ire_bucket->irb_lock);
- ire_refrele(first_ire);
- return (B_TRUE);
+ if (disable_pmtud)
+ dce->dce_flags |= DCEF_TOO_SMALL_PMTU;
+ else
+ dce->dce_flags &= ~DCEF_TOO_SMALL_PMTU;
+
+ dce->dce_pmtu = MIN(old_mtu, mtu);
+ /* Prepare to send the new max frag size for the ULP. */
+ icmph->icmph_du_zero = 0;
+ icmph->icmph_du_mtu = htons((uint16_t)dce->dce_pmtu);
+ DTRACE_PROBE4(ip4__pmtu__change, icmph_t *, icmph, dce_t *,
+ dce, int, orig_mtu, int, mtu);
+
+ /* We now have a PMTU for sure */
+ dce->dce_flags |= DCEF_PMTU;
+ dce->dce_last_change_time = TICK_TO_SEC(lbolt64);
+ mutex_exit(&dce->dce_lock);
+ /*
+ * After dropping the lock the new value is visible to everyone.
+ * Then we bump the generation number so any cached values reinspect
+ * the dce_t.
+ */
+ dce_increment_generation(dce);
+ dce_refrele(dce);
}
/*
- * If the packet in error is Self-Encapsulated, icmp_inbound_error_fanout
+ * If the packet in error is Self-Encapsulated, icmp_inbound_error_fanout_v4
* calls this function.
*/
static mblk_t *
-icmp_inbound_self_encap_error(mblk_t *mp, int iph_hdr_length, int hdr_length)
+icmp_inbound_self_encap_error_v4(mblk_t *mp, ipha_t *ipha, ipha_t *in_ipha)
{
- ipha_t *ipha;
- icmph_t *icmph;
- ipha_t *in_ipha;
int length;
ASSERT(mp->b_datap->db_type == M_DATA);
- /*
- * For Self-encapsulated packets, we added an extra IP header
- * without the options. Inner IP header is the one from which
- * the outer IP header was formed. Thus, we need to remove the
- * outer IP header. To do this, we pullup the whole message
- * and overlay whatever follows the outer IP header over the
- * outer IP header.
- */
-
- if (!pullupmsg(mp, -1))
- return (NULL);
-
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- ipha = (ipha_t *)&icmph[1];
- in_ipha = (ipha_t *)((uchar_t *)ipha + hdr_length);
+ /* icmp_inbound_v4 has already pulled up the whole error packet */
+ ASSERT(mp->b_cont == NULL);
/*
- * The length that we want to overlay is following the inner
- * IP header. Subtracting the IP header + icmp header + outer
- * IP header's length should give us the length that we want to
- * overlay.
+ * The length that we want to overlay is the inner header
+ * and what follows it.
*/
- length = msgdsize(mp) - iph_hdr_length - sizeof (icmph_t) -
- hdr_length;
+ length = msgdsize(mp) - ((uchar_t *)in_ipha - mp->b_rptr);
+
/*
- * Overlay whatever follows the inner header over the
+ * Overlay the inner header and whatever follows it over the
* outer header.
*/
bcopy((uchar_t *)in_ipha, (uchar_t *)ipha, length);
- /* Set the wptr to account for the outer header */
- mp->b_wptr -= hdr_length;
+ /* Adjust for what we removed */
+ mp->b_wptr -= (uchar_t *)in_ipha - (uchar_t *)ipha;
return (mp);
}
/*
- * Fanout for ICMP errors containing IP-in-IPv4 packets. Returns B_TRUE if a
- * tunnel consumed the message, and B_FALSE otherwise.
- */
-static boolean_t
-icmp_inbound_iptun_fanout(mblk_t *first_mp, ipha_t *ripha, ill_t *ill,
- ip_stack_t *ipst)
-{
- conn_t *connp;
-
- if ((connp = ipcl_iptun_classify_v4(&ripha->ipha_src, &ripha->ipha_dst,
- ipst)) == NULL)
- return (B_FALSE);
-
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
- connp->conn_recv(connp, first_mp, NULL);
- CONN_DEC_REF(connp);
- return (B_TRUE);
-}
-
-/*
* Try to pass the ICMP message upstream in case the ULP cares.
*
* If the packet that caused the ICMP error is secure, we send
@@ -2400,25 +2187,22 @@ icmp_inbound_iptun_fanout(mblk_t *first_mp, ipha_t *ripha, ill_t *ill,
*
* IFN could have been generated locally or by some router.
*
- * LOCAL : *ip_wput_ire -> icmp_frag_needed could have generated this.
+ * LOCAL : ire_send_wire (before calling ipsec_out_process) can call
+ * icmp_frag_needed/icmp_pkt2big_v6 to generated a local IFN.
* This happens because IP adjusted its value of MTU on an
* earlier IFN message and could not tell the upper layer,
* the new adjusted value of MTU e.g. Packet was encrypted
* or there was not enough information to fanout to upper
- * layers. Thus on the next outbound datagram, ip_wput_ire
+ * layers. Thus on the next outbound datagram, ire_send_wire
* generates the IFN, where IPsec processing has *not* been
* done.
*
- * *ip_wput_ire_fragmentit -> ip_wput_frag -> icmp_frag_needed
- * could have generated this. This happens because ire_max_frag
- * value in IP was set to a new value, while the IPsec processing
- * was being done and after we made the fragmentation check in
- * ip_wput_ire. Thus on return from IPsec processing,
- * ip_wput_ipsec_out finds that the new length is > ire_max_frag
- * and generates the IFN. As IPsec processing is over, we fanout
- * to AH/ESP to remove the header.
+ * Note that we retain ixa_fragsize across IPsec thus once
+ * we have picking ixa_fragsize and entered ipsec_out_process we do
+ * no change the fragsize even if the path MTU changes before
+ * we reach ip_output_post_ipsec.
*
- * In both these cases, ipsec_in_loopback will be set indicating
+ * In the local case, IRAF_LOOPBACK will be set indicating
* that IFN was generated locally.
*
* ROUTER : IFN could be secure or non-secure.
@@ -2432,45 +2216,38 @@ icmp_inbound_iptun_fanout(mblk_t *first_mp, ipha_t *ripha, ill_t *ill,
* If the packet in error does not have AH/ESP, we handle it
* like any other case.
*
- * * NON_SECURE : If the packet in error has AH/ESP headers,
- * we attach a dummy ipsec_in and send it up to AH/ESP
- * for validation. AH/ESP will verify whether there is a
+ * * NON_SECURE : If the packet in error has AH/ESP headers, we send it
+ * up to AH/ESP for validation. AH/ESP will verify whether there is a
* valid SA or not and send it back. We will fanout again if
* we have more data in the packet.
*
* If the packet in error does not have AH/ESP, we handle it
* like any other case.
+ *
+ * The caller must have called icmp_inbound_verify_v4.
*/
static void
-icmp_inbound_error_fanout(queue_t *q, ill_t *ill, mblk_t *mp,
- icmph_t *icmph, ipha_t *ipha, int iph_hdr_length, int hdr_length,
- boolean_t mctl_present, boolean_t ip_policy, ill_t *recv_ill,
- zoneid_t zoneid)
-{
- uint16_t *up; /* Pointer to ports in ULP header */
- uint32_t ports; /* reversed ports for fanout */
- ipha_t ripha; /* With reversed addresses */
- mblk_t *first_mp;
- ipsec_in_t *ii;
- tcph_t *tcph;
- conn_t *connp;
- ip_stack_t *ipst;
-
- ASSERT(ill != NULL);
-
- ASSERT(recv_ill != NULL);
- ipst = recv_ill->ill_ipst;
+icmp_inbound_error_fanout_v4(mblk_t *mp, icmph_t *icmph, ip_recv_attr_t *ira)
+{
+ uint16_t *up; /* Pointer to ports in ULP header */
+ uint32_t ports; /* reversed ports for fanout */
+ ipha_t ripha; /* With reversed addresses */
+ ipha_t *ipha; /* Inner IP header */
+ uint_t hdr_length; /* Inner IP header length */
+ tcpha_t *tcpha;
+ conn_t *connp;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
+ ill_t *rill = ira->ira_rill;
- first_mp = mp;
- if (mctl_present) {
- mp = first_mp->b_cont;
- ASSERT(mp != NULL);
+ /* Caller already pulled up everything. */
+ ipha = (ipha_t *)&icmph[1];
+ ASSERT((uchar_t *)&ipha[1] <= mp->b_wptr);
+ ASSERT(mp->b_cont == NULL);
- ii = (ipsec_in_t *)first_mp->b_rptr;
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
- } else {
- ii = NULL;
- }
+ hdr_length = IPH_HDR_LENGTH(ipha);
+ ira->ira_protocol = ipha->ipha_protocol;
/*
* We need a separate IP header with the source and destination
@@ -2482,249 +2259,223 @@ icmp_inbound_error_fanout(queue_t *q, ill_t *ill, mblk_t *mp,
ripha.ipha_protocol = ipha->ipha_protocol;
ripha.ipha_version_and_hdr_length = ipha->ipha_version_and_hdr_length;
- ip2dbg(("icmp_inbound_error: proto %d %x to %x: %d/%d\n",
+ ip2dbg(("icmp_inbound_error_v4: proto %d %x to %x: %d/%d\n",
ripha.ipha_protocol, ntohl(ipha->ipha_src),
ntohl(ipha->ipha_dst),
icmph->icmph_type, icmph->icmph_code));
switch (ipha->ipha_protocol) {
case IPPROTO_UDP:
- /*
- * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
- * transport header.
- */
- if ((uchar_t *)ipha + hdr_length + ICMP_MIN_TP_HDR_LEN >
- mp->b_wptr) {
- if (!pullupmsg(mp, (uchar_t *)ipha + hdr_length +
- ICMP_MIN_TP_HDR_LEN - mp->b_rptr)) {
- goto discard_pkt;
- }
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- ipha = (ipha_t *)&icmph[1];
- }
up = (uint16_t *)((uchar_t *)ipha + hdr_length);
/* Attempt to find a client stream based on port. */
- ((uint16_t *)&ports)[0] = up[1];
- ((uint16_t *)&ports)[1] = up[0];
- ip2dbg(("icmp_inbound_error: UDP ports %d to %d\n",
+ ip2dbg(("icmp_inbound_error_v4: UDP ports %d to %d\n",
ntohs(up[0]), ntohs(up[1])));
- /* Have to change db_type after any pullupmsg */
- DB_TYPE(mp) = M_CTL;
-
- ip_fanout_udp(q, first_mp, ill, &ripha, ports, B_FALSE, 0,
- mctl_present, ip_policy, recv_ill, zoneid);
+ /* Note that we send error to all matches. */
+ ira->ira_flags |= IRAF_ICMP_ERROR;
+ ip_fanout_udp_multi_v4(mp, &ripha, up[0], up[1], ira);
+ ira->ira_flags &= ~IRAF_ICMP_ERROR;
return;
case IPPROTO_TCP:
/*
- * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
- * transport header.
- */
- if ((uchar_t *)ipha + hdr_length + ICMP_MIN_TP_HDR_LEN >
- mp->b_wptr) {
- if (!pullupmsg(mp, (uchar_t *)ipha + hdr_length +
- ICMP_MIN_TP_HDR_LEN - mp->b_rptr)) {
- goto discard_pkt;
- }
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- ipha = (ipha_t *)&icmph[1];
- }
- /*
* Find a TCP client stream for this packet.
* Note that we do a reverse lookup since the header is
* in the form we sent it out.
*/
- tcph = (tcph_t *)((uchar_t *)ipha + hdr_length);
- connp = ipcl_tcp_lookup_reversed_ipv4(ipha, tcph, TCPS_LISTEN,
+ tcpha = (tcpha_t *)((uchar_t *)ipha + hdr_length);
+ connp = ipcl_tcp_lookup_reversed_ipv4(ipha, tcpha, TCPS_LISTEN,
ipst);
if (connp == NULL)
goto discard_pkt;
- /* Have to change db_type after any pullupmsg */
- DB_TYPE(mp) = M_CTL;
- SQUEUE_ENTER_ONE(connp->conn_sqp, first_mp, tcp_input, connp,
- SQ_FILL, SQTAG_TCP_INPUT_ICMP_ERR);
+ if (CONN_INBOUND_POLICY_PRESENT(connp, ipss) ||
+ (ira->ira_flags & IRAF_IPSEC_SECURE)) {
+ mp = ipsec_check_inbound_policy(mp, connp,
+ ipha, NULL, ira);
+ if (mp == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ /* Note that mp is NULL */
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ CONN_DEC_REF(connp);
+ return;
+ }
+ }
+
+ ira->ira_flags |= IRAF_ICMP_ERROR;
+ ira->ira_ill = ira->ira_rill = NULL;
+ if (IPCL_IS_TCP(connp)) {
+ SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
+ connp->conn_recvicmp, connp, ira, SQ_FILL,
+ SQTAG_TCP_INPUT_ICMP_ERR);
+ } else {
+ /* Not TCP; must be SOCK_RAW, IPPROTO_TCP */
+ (connp->conn_recv)(connp, mp, NULL, ira);
+ CONN_DEC_REF(connp);
+ }
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
+ ira->ira_flags &= ~IRAF_ICMP_ERROR;
return;
case IPPROTO_SCTP:
- /*
- * Verify we have at least ICMP_MIN_SCTP_HDR_LEN bytes of
- * transport header, in the first mp.
- */
- if ((uchar_t *)ipha + hdr_length + ICMP_MIN_SCTP_HDR_LEN >
- mp->b_wptr) {
- if (!pullupmsg(mp, (uchar_t *)ipha + hdr_length +
- ICMP_MIN_SCTP_HDR_LEN - mp->b_rptr)) {
- goto discard_pkt;
- }
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- ipha = (ipha_t *)&icmph[1];
- }
up = (uint16_t *)((uchar_t *)ipha + hdr_length);
/* Find a SCTP client stream for this packet. */
((uint16_t *)&ports)[0] = up[1];
((uint16_t *)&ports)[1] = up[0];
- /* Have to change db_type after any pullupmsg */
- DB_TYPE(mp) = M_CTL;
- ip_fanout_sctp(first_mp, recv_ill, &ripha, ports, 0,
- mctl_present, ip_policy, zoneid);
+ ira->ira_flags |= IRAF_ICMP_ERROR;
+ ip_fanout_sctp(mp, &ripha, NULL, ports, ira);
+ ira->ira_flags &= ~IRAF_ICMP_ERROR;
return;
case IPPROTO_ESP:
- case IPPROTO_AH: {
- int ipsec_rc;
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
-
- /*
- * We need a IPSEC_IN in the front to fanout to AH/ESP.
- * We will re-use the IPSEC_IN if it is already present as
- * AH/ESP will not affect any fields in the IPSEC_IN for
- * ICMP errors. If there is no IPSEC_IN, allocate a new
- * one and attach it in the front.
- */
- if (ii != NULL) {
- /*
- * ip_fanout_proto_again converts the ICMP errors
- * that come back from AH/ESP to M_DATA so that
- * if it is non-AH/ESP and we do a pullupmsg in
- * this function, it would work. Convert it back
- * to M_CTL before we send up as this is a ICMP
- * error. This could have been generated locally or
- * by some router. Validate the inner IPsec
- * headers.
- *
- * NOTE : ill_index is used by ip_fanout_proto_again
- * to locate the ill.
- */
- ASSERT(ill != NULL);
- ii->ipsec_in_ill_index =
- ill->ill_phyint->phyint_ifindex;
- ii->ipsec_in_rill_index =
- recv_ill->ill_phyint->phyint_ifindex;
- DB_TYPE(first_mp->b_cont) = M_CTL;
- } else {
- /*
- * IPSEC_IN is not present. We attach a ipsec_in
- * message and send up to IPsec for validating
- * and removing the IPsec headers. Clear
- * ipsec_in_secure so that when we return
- * from IPsec, we don't mistakenly think that this
- * is a secure packet came from the network.
- *
- * NOTE : ill_index is used by ip_fanout_proto_again
- * to locate the ill.
- */
- ASSERT(first_mp == mp);
- first_mp = ipsec_in_alloc(B_TRUE, ipst->ips_netstack);
- if (first_mp == NULL) {
- freemsg(mp);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- return;
- }
- ii = (ipsec_in_t *)first_mp->b_rptr;
-
- /* This is not a secure packet */
- ii->ipsec_in_secure = B_FALSE;
- first_mp->b_cont = mp;
- DB_TYPE(mp) = M_CTL;
- ASSERT(ill != NULL);
- ii->ipsec_in_ill_index =
- ill->ill_phyint->phyint_ifindex;
- ii->ipsec_in_rill_index =
- recv_ill->ill_phyint->phyint_ifindex;
- }
-
+ case IPPROTO_AH:
if (!ipsec_loaded(ipss)) {
- ip_proto_not_sup(q, first_mp, 0, zoneid, ipst);
+ ip_proto_not_sup(mp, ira);
return;
}
if (ipha->ipha_protocol == IPPROTO_ESP)
- ipsec_rc = ipsecesp_icmp_error(first_mp);
+ mp = ipsecesp_icmp_error(mp, ira);
else
- ipsec_rc = ipsecah_icmp_error(first_mp);
- if (ipsec_rc == IPSEC_STATUS_FAILED)
+ mp = ipsecah_icmp_error(mp, ira);
+ if (mp == NULL)
+ return;
+
+ /* Just in case ipsec didn't preserve the NULL b_cont */
+ if (mp->b_cont != NULL) {
+ if (!pullupmsg(mp, -1))
+ goto discard_pkt;
+ }
+
+ /*
+ * Note that ira_pktlen and ira_ip_hdr_length are no longer
+ * correct, but we don't use them any more here.
+ *
+ * If succesful, the mp has been modified to not include
+ * the ESP/AH header so we can fanout to the ULP's icmp
+ * error handler.
+ */
+ if (mp->b_wptr - mp->b_rptr < IP_SIMPLE_HDR_LENGTH)
+ goto truncated;
+
+ /* Verify the modified message before any further processes. */
+ ipha = (ipha_t *)mp->b_rptr;
+ hdr_length = IPH_HDR_LENGTH(ipha);
+ icmph = (icmph_t *)&mp->b_rptr[hdr_length];
+ if (!icmp_inbound_verify_v4(mp, icmph, ira)) {
+ freemsg(mp);
return;
+ }
- ip_fanout_proto_again(first_mp, ill, recv_ill, NULL);
+ icmp_inbound_error_fanout_v4(mp, icmph, ira);
return;
- }
- case IPPROTO_ENCAP:
- case IPPROTO_IPV6:
- if (ipha->ipha_protocol == IPPROTO_ENCAP) {
- ipha_t *in_ipha;
- if ((uchar_t *)ipha + hdr_length + sizeof (ipha_t) >
- mp->b_wptr) {
- if (!pullupmsg(mp, (uchar_t *)ipha +
- hdr_length + sizeof (ipha_t) -
- mp->b_rptr)) {
+ case IPPROTO_ENCAP: {
+ /* Look for self-encapsulated packets that caused an error */
+ ipha_t *in_ipha;
+
+ /*
+ * Caller has verified that length has to be
+ * at least the size of IP header.
+ */
+ ASSERT(hdr_length >= sizeof (ipha_t));
+ /*
+ * Check the sanity of the inner IP header like
+ * we did for the outer header.
+ */
+ in_ipha = (ipha_t *)((uchar_t *)ipha + hdr_length);
+ if ((IPH_HDR_VERSION(in_ipha) != IPV4_VERSION)) {
+ goto discard_pkt;
+ }
+ if (IPH_HDR_LENGTH(in_ipha) < sizeof (ipha_t)) {
+ goto discard_pkt;
+ }
+ /* Check for Self-encapsulated tunnels */
+ if (in_ipha->ipha_src == ipha->ipha_src &&
+ in_ipha->ipha_dst == ipha->ipha_dst) {
+
+ mp = icmp_inbound_self_encap_error_v4(mp, ipha,
+ in_ipha);
+ if (mp == NULL)
+ goto discard_pkt;
+
+ /*
+ * Just in case self_encap didn't preserve the NULL
+ * b_cont
+ */
+ if (mp->b_cont != NULL) {
+ if (!pullupmsg(mp, -1))
goto discard_pkt;
- }
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- ipha = (ipha_t *)&icmph[1];
}
/*
- * Caller has verified that length has to be
- * at least the size of IP header.
+ * Note that ira_pktlen and ira_ip_hdr_length are no
+ * longer correct, but we don't use them any more here.
*/
- ASSERT(hdr_length >= sizeof (ipha_t));
+ if (mp->b_wptr - mp->b_rptr < IP_SIMPLE_HDR_LENGTH)
+ goto truncated;
+
/*
- * Check the sanity of the inner IP header like
- * we did for the outer header.
+ * Verify the modified message before any further
+ * processes.
*/
- in_ipha = (ipha_t *)((uchar_t *)ipha + hdr_length);
- if ((IPH_HDR_VERSION(in_ipha) != IPV4_VERSION) ||
- IPH_HDR_LENGTH(in_ipha) < sizeof (ipha_t))
- goto discard_pkt;
- /* Check for Self-encapsulated tunnels */
- if (in_ipha->ipha_src == ipha->ipha_src &&
- in_ipha->ipha_dst == ipha->ipha_dst) {
-
- mp = icmp_inbound_self_encap_error(mp,
- iph_hdr_length, hdr_length);
- if (mp == NULL)
- goto discard_pkt;
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- ipha = (ipha_t *)&icmph[1];
- hdr_length = IPH_HDR_LENGTH(ipha);
- /*
- * The packet in error is self-encapsualted.
- * And we are finding it further encapsulated
- * which we could not have possibly generated.
- */
- if (ipha->ipha_protocol == IPPROTO_ENCAP) {
- goto discard_pkt;
- }
- icmp_inbound_error_fanout(q, ill, first_mp,
- icmph, ipha, iph_hdr_length, hdr_length,
- mctl_present, ip_policy, recv_ill, zoneid);
+ ipha = (ipha_t *)mp->b_rptr;
+ hdr_length = IPH_HDR_LENGTH(ipha);
+ icmph = (icmph_t *)&mp->b_rptr[hdr_length];
+ if (!icmp_inbound_verify_v4(mp, icmph, ira)) {
+ freemsg(mp);
return;
}
- }
- DB_TYPE(mp) = M_CTL;
- if (icmp_inbound_iptun_fanout(first_mp, &ripha, ill, ipst))
+ /*
+ * The packet in error is self-encapsualted.
+ * And we are finding it further encapsulated
+ * which we could not have possibly generated.
+ */
+ if (ipha->ipha_protocol == IPPROTO_ENCAP) {
+ goto discard_pkt;
+ }
+ icmp_inbound_error_fanout_v4(mp, icmph, ira);
return;
+ }
+ /* No self-encapsulated */
+ /* FALLTHRU */
+ }
+ case IPPROTO_IPV6:
+ if ((connp = ipcl_iptun_classify_v4(&ripha.ipha_src,
+ &ripha.ipha_dst, ipst)) != NULL) {
+ ira->ira_flags |= IRAF_ICMP_ERROR;
+ connp->conn_recvicmp(connp, mp, NULL, ira);
+ CONN_DEC_REF(connp);
+ ira->ira_flags &= ~IRAF_ICMP_ERROR;
+ return;
+ }
/*
* No IP tunnel is interested, fallthrough and see
* if a raw socket will want it.
*/
/* FALLTHRU */
default:
- ip_fanout_proto(q, first_mp, ill, &ripha, 0, mctl_present,
- ip_policy, recv_ill, zoneid);
+ ira->ira_flags |= IRAF_ICMP_ERROR;
+ ip_fanout_proto_v4(mp, &ripha, ira);
+ ira->ira_flags &= ~IRAF_ICMP_ERROR;
return;
}
/* NOTREACHED */
discard_pkt:
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
-drop_pkt:;
- ip1dbg(("icmp_inbound_error_fanout: drop pkt\n"));
- freemsg(first_mp);
+ ip1dbg(("icmp_inbound_error_fanout_v4: drop pkt\n"));
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+
+truncated:
+ /* We pulled up everthing already. Must be truncated */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
+ ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
+ freemsg(mp);
}
/*
@@ -2747,6 +2498,16 @@ ipoptp_first(ipoptp_t *optp, ipha_t *ipha)
return (ipoptp_next(optp));
}
+/* Like above but without an ipha_t */
+uint8_t
+ipoptp_first2(ipoptp_t *optp, uint32_t totallen, uint8_t *opt)
+{
+ optp->ipoptp_next = opt;
+ optp->ipoptp_end = optp->ipoptp_next + totallen;
+ optp->ipoptp_flags = 0;
+ return (ipoptp_next(optp));
+}
+
/*
* Common IP options parser: extract next option.
*/
@@ -2858,38 +2619,55 @@ ipoptp_next(ipoptp_t *optp)
/*
* Use the outgoing IP header to create an IP_OPTIONS option the way
* it was passed down from the application.
+ *
+ * This is compatible with BSD in that it returns
+ * the reverse source route with the final destination
+ * as the last entry. The first 4 bytes of the option
+ * will contain the final destination.
*/
int
-ip_opt_get_user(const ipha_t *ipha, uchar_t *buf)
+ip_opt_get_user(conn_t *connp, uchar_t *buf)
{
ipoptp_t opts;
- const uchar_t *opt;
+ uchar_t *opt;
uint8_t optval;
uint8_t optlen;
uint32_t len = 0;
- uchar_t *buf1 = buf;
+ uchar_t *buf1 = buf;
+ uint32_t totallen;
+ ipaddr_t dst;
+ ip_pkt_t *ipp = &connp->conn_xmit_ipp;
+
+ if (!(ipp->ipp_fields & IPPF_IPV4_OPTIONS))
+ return (0);
+
+ totallen = ipp->ipp_ipv4_options_len;
+ if (totallen & 0x3)
+ return (0);
buf += IP_ADDR_LEN; /* Leave room for final destination */
len += IP_ADDR_LEN;
bzero(buf1, IP_ADDR_LEN);
- /*
- * OK to cast away const here, as we don't store through the returned
- * opts.ipoptp_cur pointer.
- */
- for (optval = ipoptp_first(&opts, (ipha_t *)ipha);
+ dst = connp->conn_faddr_v4;
+
+ for (optval = ipoptp_first2(&opts, totallen, ipp->ipp_ipv4_options);
optval != IPOPT_EOL;
optval = ipoptp_next(&opts)) {
int off;
opt = opts.ipoptp_cur;
+ if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
+ break;
+ }
optlen = opts.ipoptp_len;
+
switch (optval) {
case IPOPT_SSRR:
case IPOPT_LSRR:
/*
- * Insert ipha_dst as the first entry in the source
+ * Insert destination as the first entry in the source
* route and move down the entries on step.
* The last entry gets placed at buf1.
*/
@@ -2902,8 +2680,9 @@ ip_opt_get_user(const ipha_t *ipha, uchar_t *buf)
/* No entries in source route */
break;
}
- /* Last entry in source route */
- bcopy(opt + off, buf1, IP_ADDR_LEN);
+ /* Last entry in source route if not already set */
+ if (dst == INADDR_ANY)
+ bcopy(opt + off, buf1, IP_ADDR_LEN);
off -= IP_ADDR_LEN;
while (off > 0) {
@@ -2913,19 +2692,12 @@ ip_opt_get_user(const ipha_t *ipha, uchar_t *buf)
off -= IP_ADDR_LEN;
}
/* ipha_dst into first slot */
- bcopy(&ipha->ipha_dst,
- buf + off + IP_ADDR_LEN,
+ bcopy(&dst, buf + off + IP_ADDR_LEN,
IP_ADDR_LEN);
buf += optlen;
len += optlen;
break;
- case IPOPT_COMSEC:
- case IPOPT_SECURITY:
- /* if passing up a label is not ok, then remove */
- if (is_system_labeled())
- break;
- /* FALLTHROUGH */
default:
bcopy(opt, buf, optlen);
buf += optlen;
@@ -3007,57 +2779,46 @@ icmp_options_update(ipha_t *ipha)
/*
* Process received ICMP Redirect messages.
+ * Assumes the caller has verified that the headers are in the pulled up mblk.
+ * Consumes mp.
*/
static void
-icmp_redirect(ill_t *ill, mblk_t *mp)
+icmp_redirect_v4(mblk_t *mp, ipha_t *ipha, icmph_t *icmph, ip_recv_attr_t *ira)
{
- ipha_t *ipha;
- int iph_hdr_length;
- icmph_t *icmph;
- ipha_t *ipha_err;
- ire_t *ire;
- ire_t *prev_ire;
- ire_t *save_ire;
- ipaddr_t src, dst, gateway;
- iulp_t ulp_info = { 0 };
- int error;
- ip_stack_t *ipst;
+ ire_t *ire, *nire;
+ ire_t *prev_ire;
+ ipaddr_t src, dst, gateway;
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
+ ipha_t *inner_ipha; /* Inner IP header */
- ASSERT(ill != NULL);
- ipst = ill->ill_ipst;
-
- ipha = (ipha_t *)mp->b_rptr;
- iph_hdr_length = IPH_HDR_LENGTH(ipha);
- if (((mp->b_wptr - mp->b_rptr) - iph_hdr_length) <
- sizeof (icmph_t) + IP_SIMPLE_HDR_LENGTH) {
- BUMP_MIB(&ipst->ips_icmp_mib, icmpInErrors);
- freemsg(mp);
- return;
- }
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- ipha_err = (ipha_t *)&icmph[1];
+ /* Caller already pulled up everything. */
+ inner_ipha = (ipha_t *)&icmph[1];
src = ipha->ipha_src;
- dst = ipha_err->ipha_dst;
+ dst = inner_ipha->ipha_dst;
gateway = icmph->icmph_rd_gateway;
/* Make sure the new gateway is reachable somehow. */
- ire = ire_route_lookup(gateway, 0, 0, IRE_INTERFACE, NULL, NULL,
- ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
+ ire = ire_ftable_lookup_v4(gateway, 0, 0, IRE_ONLINK, NULL,
+ ALL_ZONES, NULL, MATCH_IRE_TYPE, 0, ipst, NULL);
/*
* Make sure we had a route for the dest in question and that
* that route was pointing to the old gateway (the source of the
* redirect packet.)
+ * Note: this merely says that there is some IRE which matches that
+ * gateway; not that the longest match matches that gateway.
*/
- prev_ire = ire_route_lookup(dst, 0, src, 0, NULL, NULL, ALL_ZONES,
- NULL, MATCH_IRE_GW, ipst);
+ prev_ire = ire_ftable_lookup_v4(dst, 0, src, 0, NULL, ALL_ZONES,
+ NULL, MATCH_IRE_GW, 0, ipst, NULL);
/*
* Check that
* the redirect was not from ourselves
* the new gateway and the old gateway are directly reachable
*/
- if (!prev_ire ||
- !ire ||
- ire->ire_type == IRE_LOCAL) {
+ if (prev_ire == NULL || ire == NULL ||
+ (prev_ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK)) ||
+ (prev_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
+ !(ire->ire_type & IRE_IF_ALL)) {
BUMP_MIB(&ipst->ips_icmp_mib, icmpInBadRedirects);
+ ip_drop_input("icmpInBadRedirects - ire", mp, ira->ira_ill);
freemsg(mp);
if (ire != NULL)
ire_refrele(ire);
@@ -3066,49 +2827,9 @@ icmp_redirect(ill_t *ill, mblk_t *mp)
return;
}
- /*
- * Should we use the old ULP info to create the new gateway? From
- * a user's perspective, we should inherit the info so that it
- * is a "smooth" transition. If we do not do that, then new
- * connections going thru the new gateway will have no route metrics,
- * which is counter-intuitive to user. From a network point of
- * view, this may or may not make sense even though the new gateway
- * is still directly connected to us so the route metrics should not
- * change much.
- *
- * But if the old ire_uinfo is not initialized, we do another
- * recursive lookup on the dest using the new gateway. There may
- * be a route to that. If so, use it to initialize the redirect
- * route.
- */
- if (prev_ire->ire_uinfo.iulp_set) {
- bcopy(&prev_ire->ire_uinfo, &ulp_info, sizeof (iulp_t));
- } else {
- ire_t *tmp_ire;
- ire_t *sire;
-
- tmp_ire = ire_ftable_lookup(dst, 0, gateway, 0, NULL, &sire,
- ALL_ZONES, 0, NULL,
- (MATCH_IRE_RECURSIVE | MATCH_IRE_GW | MATCH_IRE_DEFAULT),
- ipst);
- if (sire != NULL) {
- bcopy(&sire->ire_uinfo, &ulp_info, sizeof (iulp_t));
- /*
- * If sire != NULL, ire_ftable_lookup() should not
- * return a NULL value.
- */
- ASSERT(tmp_ire != NULL);
- ire_refrele(tmp_ire);
- ire_refrele(sire);
- } else if (tmp_ire != NULL) {
- bcopy(&tmp_ire->ire_uinfo, &ulp_info,
- sizeof (iulp_t));
- ire_refrele(tmp_ire);
- }
- }
- if (prev_ire->ire_type == IRE_CACHE)
- ire_delete(prev_ire);
ire_refrele(prev_ire);
+ ire_refrele(ire);
+
/*
* TODO: more precise handling for cases 0, 2, 3, the latter two
* require TOS routing
@@ -3121,47 +2842,42 @@ icmp_redirect(ill_t *ill, mblk_t *mp)
case 3:
break;
default:
- freemsg(mp);
BUMP_MIB(&ipst->ips_icmp_mib, icmpInBadRedirects);
- ire_refrele(ire);
+ ip_drop_input("icmpInBadRedirects - code", mp, ira->ira_ill);
+ freemsg(mp);
return;
}
/*
* Create a Route Association. This will allow us to remember that
* someone we believe told us to use the particular gateway.
*/
- save_ire = ire;
ire = ire_create(
(uchar_t *)&dst, /* dest addr */
(uchar_t *)&ip_g_all_ones, /* mask */
- (uchar_t *)&save_ire->ire_src_addr, /* source addr */
(uchar_t *)&gateway, /* gateway addr */
- &save_ire->ire_max_frag, /* max frag */
- NULL, /* no src nce */
- NULL, /* no rfq */
- NULL, /* no stq */
IRE_HOST,
- NULL, /* ipif */
- 0, /* cmask */
- 0, /* phandle */
- 0, /* ihandle */
+ NULL, /* ill */
+ ALL_ZONES,
(RTF_DYNAMIC | RTF_GATEWAY | RTF_HOST),
- &ulp_info,
NULL, /* tsol_gc_t */
- NULL, /* gcgrp */
ipst);
if (ire == NULL) {
freemsg(mp);
- ire_refrele(save_ire);
return;
}
- error = ire_add(&ire, NULL, NULL, NULL, B_FALSE);
- ire_refrele(save_ire);
- atomic_inc_32(&ipst->ips_ip_redirect_cnt);
+ nire = ire_add(ire);
+ /* Check if it was a duplicate entry */
+ if (nire != NULL && nire != ire) {
+ ASSERT(nire->ire_identical_ref > 1);
+ ire_delete(nire);
+ ire_refrele(nire);
+ nire = NULL;
+ }
+ ire = nire;
+ if (ire != NULL) {
+ ire_refrele(ire); /* Held in ire_add */
- if (error == 0) {
- ire_refrele(ire); /* Held in ire_add_v4 */
/* tell routing sockets that we received a redirect */
ip_rts_change(RTM_REDIRECT, dst, gateway, IP_HOST_MASK, 0, src,
(RTF_DYNAMIC | RTF_GATEWAY | RTF_HOST), 0,
@@ -3173,8 +2889,8 @@ icmp_redirect(ill_t *ill, mblk_t *mp)
* This together with the added IRE has the effect of
* modifying an existing redirect.
*/
- prev_ire = ire_ftable_lookup(dst, 0, src, IRE_HOST, NULL, NULL,
- ALL_ZONES, 0, NULL, (MATCH_IRE_GW | MATCH_IRE_TYPE), ipst);
+ prev_ire = ire_ftable_lookup_v4(dst, 0, src, IRE_HOST, NULL,
+ ALL_ZONES, NULL, (MATCH_IRE_GW | MATCH_IRE_TYPE), 0, ipst, NULL);
if (prev_ire != NULL) {
if (prev_ire ->ire_flags & RTF_DYNAMIC)
ire_delete(prev_ire);
@@ -3186,29 +2902,24 @@ icmp_redirect(ill_t *ill, mblk_t *mp)
/*
* Generate an ICMP parameter problem message.
+ * When called from ip_output side a minimal ip_recv_attr_t needs to be
+ * constructed by the caller.
*/
static void
-icmp_param_problem(queue_t *q, mblk_t *mp, uint8_t ptr, zoneid_t zoneid,
- ip_stack_t *ipst)
+icmp_param_problem(mblk_t *mp, uint8_t ptr, ip_recv_attr_t *ira)
{
icmph_t icmph;
- boolean_t mctl_present;
- mblk_t *first_mp;
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
- EXTRACT_PKT_MP(mp, first_mp, mctl_present);
-
- if (!(mp = icmp_pkt_err_ok(mp, ipst))) {
- if (mctl_present)
- freeb(first_mp);
+ mp = icmp_pkt_err_ok(mp, ira);
+ if (mp == NULL)
return;
- }
bzero(&icmph, sizeof (icmph_t));
icmph.icmph_type = ICMP_PARAM_PROBLEM;
icmph.icmph_pp_ptr = ptr;
BUMP_MIB(&ipst->ips_icmp_mib, icmpOutParmProbs);
- icmp_pkt(q, first_mp, &icmph, sizeof (icmph_t), mctl_present, zoneid,
- ipst);
+ icmp_pkt(mp, &icmph, sizeof (icmph_t), ira);
}
/*
@@ -3217,15 +2928,11 @@ icmp_param_problem(queue_t *q, mblk_t *mp, uint8_t ptr, zoneid_t zoneid,
* Note: assumes that icmp_pkt_err_ok has been called to verify that
* an icmp error packet can be sent.
* Assigns an appropriate source address to the packet. If ipha_dst is
- * one of our addresses use it for source. Otherwise pick a source based
- * on a route lookup back to ipha_src.
- * Note that ipha_src must be set here since the
- * packet is likely to arrive on an ill queue in ip_wput() which will
- * not set a source address.
+ * one of our addresses use it for source. Otherwise let ip_output_simple
+ * pick the source address.
*/
static void
-icmp_pkt(queue_t *q, mblk_t *mp, void *stuff, size_t len,
- boolean_t mctl_present, zoneid_t zoneid, ip_stack_t *ipst)
+icmp_pkt(mblk_t *mp, void *stuff, size_t len, ip_recv_attr_t *ira)
{
ipaddr_t dst;
icmph_t *icmph;
@@ -3235,115 +2942,62 @@ icmp_pkt(queue_t *q, mblk_t *mp, void *stuff, size_t len,
mblk_t *mp1;
ipaddr_t src;
ire_t *ire;
- mblk_t *ipsec_mp;
- ipsec_out_t *io = NULL;
-
- if (mctl_present) {
- /*
- * If it is :
- *
- * 1) a IPSEC_OUT, then this is caused by outbound
- * datagram originating on this host. IPsec processing
- * may or may not have been done. Refer to comments above
- * icmp_inbound_error_fanout for details.
- *
- * 2) a IPSEC_IN if we are generating a icmp_message
- * for an incoming datagram destined for us i.e called
- * from ip_fanout_send_icmp.
- */
- ipsec_info_t *in;
- ipsec_mp = mp;
- mp = ipsec_mp->b_cont;
+ ip_xmit_attr_t ixas;
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
- in = (ipsec_info_t *)ipsec_mp->b_rptr;
- ipha = (ipha_t *)mp->b_rptr;
+ ipha = (ipha_t *)mp->b_rptr;
- ASSERT(in->ipsec_info_type == IPSEC_OUT ||
- in->ipsec_info_type == IPSEC_IN);
+ bzero(&ixas, sizeof (ixas));
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
+ ixas.ixa_zoneid = ira->ira_zoneid;
+ ixas.ixa_ifindex = 0;
+ ixas.ixa_ipst = ipst;
+ ixas.ixa_cred = kcred;
+ ixas.ixa_cpid = NOPID;
+ ixas.ixa_tsl = ira->ira_tsl; /* Behave as a multi-level responder */
+ ixas.ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
- if (in->ipsec_info_type == IPSEC_IN) {
- /*
- * Convert the IPSEC_IN to IPSEC_OUT.
- */
- if (!ipsec_in_to_out(ipsec_mp, ipha, NULL, zoneid)) {
- BUMP_MIB(&ipst->ips_ip_mib,
- ipIfStatsOutDiscards);
- return;
- }
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
- } else {
- ASSERT(in->ipsec_info_type == IPSEC_OUT);
- io = (ipsec_out_t *)in;
- /*
- * Clear out ipsec_out_proc_begin, so we do a fresh
- * ire lookup.
- */
- io->ipsec_out_proc_begin = B_FALSE;
- }
- ASSERT(zoneid != ALL_ZONES);
- /*
- * The IPSEC_IN (now an IPSEC_OUT) didn't have its zoneid
- * initialized. We need to do that now.
- */
- io->ipsec_out_zoneid = zoneid;
- } else {
+ if (ira->ira_flags & IRAF_IPSEC_SECURE) {
/*
- * This is in clear. The icmp message we are building
- * here should go out in clear.
+ * Apply IPsec based on how IPsec was applied to
+ * the packet that had the error.
*
- * Pardon the convolution of it all, but it's easier to
- * allocate a "use cleartext" IPSEC_IN message and convert
- * it than it is to allocate a new one.
+ * If it was an outbound packet that caused the ICMP
+ * error, then the caller will have setup the IRA
+ * appropriately.
*/
- ipsec_in_t *ii;
- ASSERT(DB_TYPE(mp) == M_DATA);
- ipsec_mp = ipsec_in_alloc(B_TRUE, ipst->ips_netstack);
- if (ipsec_mp == NULL) {
- freemsg(mp);
+ if (!ipsec_in_to_out(ira, &ixas, mp, ipha, NULL)) {
BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ /* Note: mp already consumed and ip_drop_packet done */
return;
}
- ii = (ipsec_in_t *)ipsec_mp->b_rptr;
-
- /* This is not a secure packet */
- ii->ipsec_in_secure = B_FALSE;
- ipsec_mp->b_cont = mp;
- ipha = (ipha_t *)mp->b_rptr;
+ } else {
/*
- * Convert the IPSEC_IN to IPSEC_OUT.
+ * This is in clear. The icmp message we are building
+ * here should go out in clear, independent of our policy.
*/
- if (!ipsec_in_to_out(ipsec_mp, ipha, NULL, zoneid)) {
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
- return;
- }
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
+ ixas.ixa_flags |= IXAF_NO_IPSEC;
}
/* Remember our eventual destination */
dst = ipha->ipha_src;
- ire = ire_route_lookup(ipha->ipha_dst, 0, 0, (IRE_LOCAL|IRE_LOOPBACK),
- NULL, NULL, zoneid, NULL, MATCH_IRE_TYPE, ipst);
- if (ire != NULL &&
- (ire->ire_zoneid == zoneid || ire->ire_zoneid == ALL_ZONES)) {
+ /*
+ * If the packet was for one of our unicast addresses, make
+ * sure we respond with that as the source. Otherwise
+ * have ip_output_simple pick the source address.
+ */
+ ire = ire_ftable_lookup_v4(ipha->ipha_dst, 0, 0,
+ (IRE_LOCAL|IRE_LOOPBACK), NULL, ira->ira_zoneid, NULL,
+ MATCH_IRE_TYPE|MATCH_IRE_ZONEONLY, 0, ipst, NULL);
+ if (ire != NULL) {
+ ire_refrele(ire);
src = ipha->ipha_dst;
} else {
- if (ire != NULL)
- ire_refrele(ire);
- ire = ire_route_lookup(dst, 0, 0, 0, NULL, NULL, zoneid, NULL,
- (MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE|MATCH_IRE_ZONEONLY),
- ipst);
- if (ire == NULL) {
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutNoRoutes);
- freemsg(ipsec_mp);
- return;
- }
- src = ire->ire_src_addr;
+ src = INADDR_ANY;
+ ixas.ixa_flags |= IXAF_SET_SOURCE;
}
- if (ire != NULL)
- ire_refrele(ire);
-
/*
* Check if we can send back more then 8 bytes in addition to
* the IP header. We try to send 64 bytes of data and the internal
@@ -3352,10 +3006,10 @@ icmp_pkt(queue_t *q, mblk_t *mp, void *stuff, size_t len,
len_needed = IPH_HDR_LENGTH(ipha);
if (ipha->ipha_protocol == IPPROTO_ENCAP ||
ipha->ipha_protocol == IPPROTO_IPV6) {
-
if (!pullupmsg(mp, -1)) {
BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
- freemsg(ipsec_mp);
+ ip_drop_output("ipIfStatsOutDiscards", mp, NULL);
+ freemsg(mp);
return;
}
ipha = (ipha_t *)mp->b_rptr;
@@ -3376,28 +3030,23 @@ icmp_pkt(queue_t *q, mblk_t *mp, void *stuff, size_t len,
(void) adjmsg(mp, len_needed - msg_len);
msg_len = len_needed;
}
- /* Make sure we propagate the cred/label for TX */
- mp1 = allocb_tmpl(sizeof (icmp_ipha) + len, mp);
+ mp1 = allocb(sizeof (icmp_ipha) + len, BPRI_MED);
if (mp1 == NULL) {
BUMP_MIB(&ipst->ips_icmp_mib, icmpOutErrors);
- freemsg(ipsec_mp);
+ freemsg(mp);
return;
}
mp1->b_cont = mp;
mp = mp1;
- ASSERT(ipsec_mp->b_datap->db_type == M_CTL &&
- ipsec_mp->b_rptr == (uint8_t *)io &&
- io->ipsec_out_type == IPSEC_OUT);
- ipsec_mp->b_cont = mp;
/*
- * Set ipsec_out_icmp_loopback so we can let the ICMP messages this
+ * Set IXAF_TRUSTED_ICMP so we can let the ICMP messages this
* node generates be accepted in peace by all on-host destinations.
* If we do NOT assume that all on-host destinations trust
* self-generated ICMP messages, then rework here, ip6.c, and spd.c.
- * (Look for ipsec_out_icmp_loopback).
+ * (Look for IXAF_TRUSTED_ICMP).
*/
- io->ipsec_out_icmp_loopback = B_TRUE;
+ ixas.ixa_flags |= IXAF_TRUSTED_ICMP;
ipha = (ipha_t *)mp->b_rptr;
mp1->b_wptr = (uchar_t *)ipha + (sizeof (icmp_ipha) + len);
@@ -3416,7 +3065,9 @@ icmp_pkt(queue_t *q, mblk_t *mp, void *stuff, size_t len,
icmph->icmph_checksum = 0;
icmph->icmph_checksum = IP_CSUM(mp, (int32_t)sizeof (ipha_t), 0);
BUMP_MIB(&ipst->ips_icmp_mib, icmpOutMsgs);
- put(q, ipsec_mp);
+
+ (void) ip_output_simple(mp, &ixas);
+ ixa_cleanup(&ixas);
}
/*
@@ -3480,37 +3131,30 @@ icmp_err_rate_limit(ip_stack_t *ipst)
* ICMP error packet should be sent.
*/
static mblk_t *
-icmp_pkt_err_ok(mblk_t *mp, ip_stack_t *ipst)
+icmp_pkt_err_ok(mblk_t *mp, ip_recv_attr_t *ira)
{
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
icmph_t *icmph;
ipha_t *ipha;
uint_t len_needed;
- ire_t *src_ire;
- ire_t *dst_ire;
if (!mp)
return (NULL);
ipha = (ipha_t *)mp->b_rptr;
if (ip_csum_hdr(ipha)) {
BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInCksumErrs);
+ ip_drop_input("ipIfStatsInCksumErrs", mp, NULL);
freemsg(mp);
return (NULL);
}
- src_ire = ire_ctable_lookup(ipha->ipha_dst, 0, IRE_BROADCAST,
- NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- dst_ire = ire_ctable_lookup(ipha->ipha_src, 0, IRE_BROADCAST,
- NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- if (src_ire != NULL || dst_ire != NULL ||
+ if (ip_type_v4(ipha->ipha_dst, ipst) == IRE_BROADCAST ||
+ ip_type_v4(ipha->ipha_src, ipst) == IRE_BROADCAST ||
CLASSD(ipha->ipha_dst) ||
CLASSD(ipha->ipha_src) ||
(ntohs(ipha->ipha_fragment_offset_and_flags) & IPH_OFFSET)) {
/* Note: only errors to the fragment with offset 0 */
BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDrops);
freemsg(mp);
- if (src_ire != NULL)
- ire_refrele(src_ire);
- if (dst_ire != NULL)
- ire_refrele(dst_ire);
return (NULL);
}
if (ipha->ipha_protocol == IPPROTO_ICMP) {
@@ -3546,7 +3190,7 @@ icmp_pkt_err_ok(mblk_t *mp, ip_stack_t *ipst)
* If this is a labeled system, then check to see if we're allowed to
* send a response to this particular sender. If not, then just drop.
*/
- if (is_system_labeled() && !tsol_can_reply_error(mp)) {
+ if (is_system_labeled() && !tsol_can_reply_error(mp, ira)) {
ip2dbg(("icmp_pkt_err_ok: can't respond to packet\n"));
BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDrops);
freemsg(mp);
@@ -3565,956 +3209,178 @@ icmp_pkt_err_ok(mblk_t *mp, ip_stack_t *ipst)
}
/*
- * Generate an ICMP redirect message.
+ * Called when a packet was sent out the same link that it arrived on.
+ * Check if it is ok to send a redirect and then send it.
*/
-static void
-icmp_send_redirect(queue_t *q, mblk_t *mp, ipaddr_t gateway, ip_stack_t *ipst)
+void
+ip_send_potential_redirect_v4(mblk_t *mp, ipha_t *ipha, ire_t *ire,
+ ip_recv_attr_t *ira)
{
- icmph_t icmph;
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
+ ipaddr_t src, nhop;
+ mblk_t *mp1;
+ ire_t *nhop_ire;
/*
- * We are called from ip_rput where we could
- * not have attached an IPSEC_IN.
- */
- ASSERT(mp->b_datap->db_type == M_DATA);
-
- if (!(mp = icmp_pkt_err_ok(mp, ipst))) {
+ * Check the source address to see if it originated
+ * on the same logical subnet it is going back out on.
+ * If so, we should be able to send it a redirect.
+ * Avoid sending a redirect if the destination
+ * is directly connected (i.e., we matched an IRE_ONLINK),
+ * or if the packet was source routed out this interface.
+ *
+ * We avoid sending a redirect if the
+ * destination is directly connected
+ * because it is possible that multiple
+ * IP subnets may have been configured on
+ * the link, and the source may not
+ * be on the same subnet as ip destination,
+ * even though they are on the same
+ * physical link.
+ */
+ if ((ire->ire_type & IRE_ONLINK) ||
+ ip_source_routed(ipha, ipst))
return;
- }
-
- bzero(&icmph, sizeof (icmph_t));
- icmph.icmph_type = ICMP_REDIRECT;
- icmph.icmph_code = 1;
- icmph.icmph_rd_gateway = gateway;
- BUMP_MIB(&ipst->ips_icmp_mib, icmpOutRedirects);
- /* Redirects sent by router, and router is global zone */
- icmp_pkt(q, mp, &icmph, sizeof (icmph_t), B_FALSE, GLOBAL_ZONEID, ipst);
-}
-/*
- * Generate an ICMP time exceeded message.
- */
-void
-icmp_time_exceeded(queue_t *q, mblk_t *mp, uint8_t code, zoneid_t zoneid,
- ip_stack_t *ipst)
-{
- icmph_t icmph;
- boolean_t mctl_present;
- mblk_t *first_mp;
-
- EXTRACT_PKT_MP(mp, first_mp, mctl_present);
-
- if (!(mp = icmp_pkt_err_ok(mp, ipst))) {
- if (mctl_present)
- freeb(first_mp);
+ nhop_ire = ire_nexthop(ire);
+ if (nhop_ire == NULL)
return;
- }
-
- bzero(&icmph, sizeof (icmph_t));
- icmph.icmph_type = ICMP_TIME_EXCEEDED;
- icmph.icmph_code = code;
- BUMP_MIB(&ipst->ips_icmp_mib, icmpOutTimeExcds);
- icmp_pkt(q, first_mp, &icmph, sizeof (icmph_t), mctl_present, zoneid,
- ipst);
-}
-/*
- * Generate an ICMP unreachable message.
- */
-void
-icmp_unreachable(queue_t *q, mblk_t *mp, uint8_t code, zoneid_t zoneid,
- ip_stack_t *ipst)
-{
- icmph_t icmph;
- mblk_t *first_mp;
- boolean_t mctl_present;
+ nhop = nhop_ire->ire_addr;
- EXTRACT_PKT_MP(mp, first_mp, mctl_present);
+ if (nhop_ire->ire_type & IRE_IF_CLONE) {
+ ire_t *ire2;
- if (!(mp = icmp_pkt_err_ok(mp, ipst))) {
- if (mctl_present)
- freeb(first_mp);
- return;
+ /* Follow ire_dep_parent to find non-clone IRE_INTERFACE */
+ mutex_enter(&nhop_ire->ire_lock);
+ ire2 = nhop_ire->ire_dep_parent;
+ if (ire2 != NULL)
+ ire_refhold(ire2);
+ mutex_exit(&nhop_ire->ire_lock);
+ ire_refrele(nhop_ire);
+ nhop_ire = ire2;
}
-
- bzero(&icmph, sizeof (icmph_t));
- icmph.icmph_type = ICMP_DEST_UNREACHABLE;
- icmph.icmph_code = code;
- BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDestUnreachs);
- ip2dbg(("send icmp destination unreachable code %d\n", code));
- icmp_pkt(q, first_mp, (char *)&icmph, sizeof (icmph_t), mctl_present,
- zoneid, ipst);
-}
-
-/*
- * Attempt to start recovery of an IPv4 interface that's been shut down as a
- * duplicate. As long as someone else holds the address, the interface will
- * stay down. When that conflict goes away, the interface is brought back up.
- * This is done so that accidental shutdowns of addresses aren't made
- * permanent. Your server will recover from a failure.
- *
- * For DHCP, recovery is not done in the kernel. Instead, it's handled by a
- * user space process (dhcpagent).
- *
- * Recovery completes if ARP reports that the address is now ours (via
- * AR_CN_READY). In that case, we go to ip_arp_excl to finish the operation.
- *
- * This function is entered on a timer expiry; the ID is in ipif_recovery_id.
- */
-static void
-ipif_dup_recovery(void *arg)
-{
- ipif_t *ipif = arg;
- ill_t *ill = ipif->ipif_ill;
- mblk_t *arp_add_mp;
- mblk_t *arp_del_mp;
- ip_stack_t *ipst = ill->ill_ipst;
-
- ipif->ipif_recovery_id = 0;
-
- /*
- * No lock needed for moving or condemned check, as this is just an
- * optimization.
- */
- if (ill->ill_arp_closing || !(ipif->ipif_flags & IPIF_DUPLICATE) ||
- (ipif->ipif_flags & IPIF_POINTOPOINT) ||
- (ipif->ipif_state_flags & (IPIF_CONDEMNED))) {
- /* No reason to try to bring this address back. */
+ if (nhop_ire == NULL)
return;
- }
- /* ACE_F_UNVERIFIED restarts DAD */
- if ((arp_add_mp = ipif_area_alloc(ipif, ACE_F_UNVERIFIED)) == NULL)
- goto alloc_fail;
-
- if (ipif->ipif_arp_del_mp == NULL) {
- if ((arp_del_mp = ipif_ared_alloc(ipif)) == NULL)
- goto alloc_fail;
- ipif->ipif_arp_del_mp = arp_del_mp;
- }
+ ASSERT(!(nhop_ire->ire_type & IRE_IF_CLONE));
- putnext(ill->ill_rq, arp_add_mp);
- return;
+ src = ipha->ipha_src;
-alloc_fail:
/*
- * On allocation failure, just restart the timer. Note that the ipif
- * is down here, so no other thread could be trying to start a recovery
- * timer. The ill_lock protects the condemned flag and the recovery
- * timer ID.
+ * We look at the interface ire for the nexthop,
+ * to see if ipha_src is in the same subnet
+ * as the nexthop.
*/
- freemsg(arp_add_mp);
- mutex_enter(&ill->ill_lock);
- if (ipst->ips_ip_dup_recovery > 0 && ipif->ipif_recovery_id == 0 &&
- !(ipif->ipif_state_flags & IPIF_CONDEMNED)) {
- ipif->ipif_recovery_id = timeout(ipif_dup_recovery, ipif,
- MSEC_TO_TICK(ipst->ips_ip_dup_recovery));
- }
- mutex_exit(&ill->ill_lock);
-}
-
-/*
- * This is for exclusive changes due to ARP. Either tear down an interface due
- * to AR_CN_FAILED and AR_CN_BOGON, or bring one up for successful recovery.
- */
-/* ARGSUSED */
-static void
-ip_arp_excl(ipsq_t *ipsq, queue_t *rq, mblk_t *mp, void *dummy_arg)
-{
- ill_t *ill = rq->q_ptr;
- arh_t *arh;
- ipaddr_t src;
- ipif_t *ipif;
- char ibuf[LIFNAMSIZ + 10]; /* 10 digits for logical i/f number */
- char hbuf[MAC_STR_LEN];
- char sbuf[INET_ADDRSTRLEN];
- const char *failtype;
- boolean_t bring_up;
- ip_stack_t *ipst = ill->ill_ipst;
-
- switch (((arcn_t *)mp->b_rptr)->arcn_code) {
- case AR_CN_READY:
- failtype = NULL;
- bring_up = B_TRUE;
- break;
- case AR_CN_FAILED:
- failtype = "in use";
- bring_up = B_FALSE;
- break;
- default:
- failtype = "claimed";
- bring_up = B_FALSE;
- break;
- }
-
- arh = (arh_t *)mp->b_cont->b_rptr;
- bcopy((char *)&arh[1] + arh->arh_hlen, &src, IP_ADDR_LEN);
-
- (void) mac_colon_addr((uint8_t *)(arh + 1), arh->arh_hlen, hbuf,
- sizeof (hbuf));
- (void) ip_dot_addr(src, sbuf);
- for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
-
- if ((ipif->ipif_flags & IPIF_POINTOPOINT) ||
- ipif->ipif_lcl_addr != src) {
- continue;
- }
-
- /*
- * If we failed on a recovery probe, then restart the timer to
- * try again later.
- */
- if (!bring_up && (ipif->ipif_flags & IPIF_DUPLICATE) &&
- !(ipif->ipif_flags & (IPIF_DHCPRUNNING|IPIF_TEMPORARY)) &&
- ill->ill_net_type == IRE_IF_RESOLVER &&
- !(ipif->ipif_state_flags & IPIF_CONDEMNED) &&
- ipst->ips_ip_dup_recovery > 0 &&
- ipif->ipif_recovery_id == 0) {
- ipif->ipif_recovery_id = timeout(ipif_dup_recovery,
- ipif, MSEC_TO_TICK(ipst->ips_ip_dup_recovery));
- continue;
- }
-
- /*
- * If what we're trying to do has already been done, then do
- * nothing.
- */
- if (bring_up == ((ipif->ipif_flags & IPIF_UP) != 0))
- continue;
-
- ipif_get_name(ipif, ibuf, sizeof (ibuf));
-
- if (failtype == NULL) {
- cmn_err(CE_NOTE, "recovered address %s on %s", sbuf,
- ibuf);
- } else {
- cmn_err(CE_WARN, "%s has duplicate address %s (%s "
- "by %s); disabled", ibuf, sbuf, failtype, hbuf);
- }
-
- if (bring_up) {
- ASSERT(ill->ill_dl_up);
- /*
- * Free up the ARP delete message so we can allocate
- * a fresh one through the normal path.
- */
- freemsg(ipif->ipif_arp_del_mp);
- ipif->ipif_arp_del_mp = NULL;
- if (ipif_resolver_up(ipif, Res_act_initial) !=
- EINPROGRESS) {
- ipif->ipif_addr_ready = 1;
- (void) ipif_up_done(ipif);
- ASSERT(ill->ill_move_ipif == NULL);
- }
- continue;
- }
-
- mutex_enter(&ill->ill_lock);
- ASSERT(!(ipif->ipif_flags & IPIF_DUPLICATE));
- ipif->ipif_flags |= IPIF_DUPLICATE;
- ill->ill_ipif_dup_count++;
- mutex_exit(&ill->ill_lock);
+ if ((src & nhop_ire->ire_mask) == (nhop & nhop_ire->ire_mask)) {
/*
- * Already exclusive on the ill; no need to handle deferred
- * processing here.
+ * The source is directly connected.
*/
- (void) ipif_down(ipif, NULL, NULL);
- ipif_down_tail(ipif);
- mutex_enter(&ill->ill_lock);
- if (!(ipif->ipif_flags & (IPIF_DHCPRUNNING|IPIF_TEMPORARY)) &&
- ill->ill_net_type == IRE_IF_RESOLVER &&
- !(ipif->ipif_state_flags & IPIF_CONDEMNED) &&
- ipst->ips_ip_dup_recovery > 0) {
- ASSERT(ipif->ipif_recovery_id == 0);
- ipif->ipif_recovery_id = timeout(ipif_dup_recovery,
- ipif, MSEC_TO_TICK(ipst->ips_ip_dup_recovery));
+ mp1 = copymsg(mp);
+ if (mp1 != NULL) {
+ icmp_send_redirect(mp1, nhop, ira);
}
- mutex_exit(&ill->ill_lock);
}
- freemsg(mp);
-}
-
-/* ARGSUSED */
-static void
-ip_arp_defend(ipsq_t *ipsq, queue_t *rq, mblk_t *mp, void *dummy_arg)
-{
- ill_t *ill = rq->q_ptr;
- arh_t *arh;
- ipaddr_t src;
- ipif_t *ipif;
-
- arh = (arh_t *)mp->b_cont->b_rptr;
- bcopy((char *)&arh[1] + arh->arh_hlen, &src, IP_ADDR_LEN);
- for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
- if ((ipif->ipif_flags & IPIF_UP) && ipif->ipif_lcl_addr == src)
- (void) ipif_resolver_up(ipif, Res_act_defend);
- }
- freemsg(mp);
+ ire_refrele(nhop_ire);
}
/*
- * News from ARP. ARP sends notification of interesting events down
- * to its clients using M_CTL messages with the interesting ARP packet
- * attached via b_cont.
- * The interesting event from a device comes up the corresponding ARP-IP-DEV
- * queue as opposed to ARP sending the message to all the clients, i.e. all
- * its ARP-IP-DEV instances. Thus, for AR_CN_ANNOUNCE, we must walk the cache
- * table if a cache IRE is found to delete all the entries for the address in
- * the packet.
+ * Generate an ICMP redirect message.
*/
static void
-ip_arp_news(queue_t *q, mblk_t *mp)
+icmp_send_redirect(mblk_t *mp, ipaddr_t gateway, ip_recv_attr_t *ira)
{
- arcn_t *arcn;
- arh_t *arh;
- ire_t *ire = NULL;
- char hbuf[MAC_STR_LEN];
- char sbuf[INET_ADDRSTRLEN];
- ipaddr_t src;
- in6_addr_t v6src;
- boolean_t isv6 = B_FALSE;
- ipif_t *ipif;
- ill_t *ill;
- ip_stack_t *ipst;
-
- if (CONN_Q(q)) {
- conn_t *connp = Q_TO_CONN(q);
-
- ipst = connp->conn_netstack->netstack_ip;
- } else {
- ill_t *ill = (ill_t *)q->q_ptr;
-
- ipst = ill->ill_ipst;
- }
+ icmph_t icmph;
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
- if ((mp->b_wptr - mp->b_rptr) < sizeof (arcn_t) || !mp->b_cont) {
- if (q->q_next) {
- putnext(q, mp);
- } else
- freemsg(mp);
- return;
- }
- arh = (arh_t *)mp->b_cont->b_rptr;
- /* Is it one we are interested in? */
- if (BE16_TO_U16(arh->arh_proto) == ETHERTYPE_IPV6) {
- isv6 = B_TRUE;
- bcopy((char *)&arh[1] + (arh->arh_hlen & 0xFF), &v6src,
- IPV6_ADDR_LEN);
- } else if (BE16_TO_U16(arh->arh_proto) == IP_ARP_PROTO_TYPE) {
- bcopy((char *)&arh[1] + (arh->arh_hlen & 0xFF), &src,
- IP_ADDR_LEN);
- } else {
- freemsg(mp);
+ mp = icmp_pkt_err_ok(mp, ira);
+ if (mp == NULL)
return;
- }
-
- ill = q->q_ptr;
- arcn = (arcn_t *)mp->b_rptr;
- switch (arcn->arcn_code) {
- case AR_CN_BOGON:
- /*
- * Someone is sending ARP packets with a source protocol
- * address that we have published and for which we believe our
- * entry is authoritative and (when ill_arp_extend is set)
- * verified to be unique on the network.
- *
- * The ARP module internally handles the cases where the sender
- * is just probing (for DAD) and where the hardware address of
- * a non-authoritative entry has changed. Thus, these are the
- * real conflicts, and we have to do resolution.
- *
- * We back away quickly from the address if it's from DHCP or
- * otherwise temporary and hasn't been used recently (or at
- * all). We'd like to include "deprecated" addresses here as
- * well (as there's no real reason to defend something we're
- * discarding), but IPMP "reuses" this flag to mean something
- * other than the standard meaning.
- *
- * If the ARP module above is not extended (meaning that it
- * doesn't know how to defend the address), then we just log
- * the problem as we always did and continue on. It's not
- * right, but there's little else we can do, and those old ATM
- * users are going away anyway.
- */
- (void) mac_colon_addr((uint8_t *)(arh + 1), arh->arh_hlen,
- hbuf, sizeof (hbuf));
- (void) ip_dot_addr(src, sbuf);
- if (isv6) {
- ire = ire_cache_lookup_v6(&v6src, ALL_ZONES, NULL,
- ipst);
- } else {
- ire = ire_cache_lookup(src, ALL_ZONES, NULL, ipst);
- }
- if (ire != NULL && IRE_IS_LOCAL(ire)) {
- uint32_t now;
- uint32_t maxage;
- clock_t lused;
- uint_t maxdefense;
- uint_t defs;
-
- /*
- * First, figure out if this address hasn't been used
- * in a while. If it hasn't, then it's a better
- * candidate for abandoning.
- */
- ipif = ire->ire_ipif;
- ASSERT(ipif != NULL);
- now = gethrestime_sec();
- maxage = now - ire->ire_create_time;
- if (maxage > ipst->ips_ip_max_temp_idle)
- maxage = ipst->ips_ip_max_temp_idle;
- lused = drv_hztousec(ddi_get_lbolt() -
- ire->ire_last_used_time) / MICROSEC + 1;
- if (lused >= maxage && (ipif->ipif_flags &
- (IPIF_DHCPRUNNING | IPIF_TEMPORARY)))
- maxdefense = ipst->ips_ip_max_temp_defend;
- else
- maxdefense = ipst->ips_ip_max_defend;
-
- /*
- * Now figure out how many times we've defended
- * ourselves. Ignore defenses that happened long in
- * the past.
- */
- mutex_enter(&ire->ire_lock);
- if ((defs = ire->ire_defense_count) > 0 &&
- now - ire->ire_defense_time >
- ipst->ips_ip_defend_interval) {
- ire->ire_defense_count = defs = 0;
- }
- ire->ire_defense_count++;
- ire->ire_defense_time = now;
- mutex_exit(&ire->ire_lock);
- ill_refhold(ill);
- ire_refrele(ire);
-
- /*
- * If we've defended ourselves too many times already,
- * then give up and tear down the interface(s) using
- * this address. Otherwise, defend by sending out a
- * gratuitous ARP.
- */
- if (defs >= maxdefense && ill->ill_arp_extend) {
- qwriter_ip(ill, q, mp, ip_arp_excl, NEW_OP,
- B_FALSE);
- } else {
- cmn_err(CE_WARN,
- "node %s is using our IP address %s on %s",
- hbuf, sbuf, ill->ill_name);
- /*
- * If this is an old (ATM) ARP module, then
- * don't try to defend the address. Remain
- * compatible with the old behavior. Defend
- * only with new ARP.
- */
- if (ill->ill_arp_extend) {
- qwriter_ip(ill, q, mp, ip_arp_defend,
- NEW_OP, B_FALSE);
- } else {
- ill_refrele(ill);
- }
- }
- return;
- }
- cmn_err(CE_WARN,
- "proxy ARP problem? Node '%s' is using %s on %s",
- hbuf, sbuf, ill->ill_name);
- if (ire != NULL)
- ire_refrele(ire);
- break;
- case AR_CN_ANNOUNCE:
- if (isv6) {
- /*
- * For XRESOLV interfaces.
- * Delete the IRE cache entry and NCE for this
- * v6 address
- */
- ip_ire_clookup_and_delete_v6(&v6src, ipst);
- /*
- * If v6src is a non-zero, it's a router address
- * as below. Do the same sort of thing to clean
- * out off-net IRE_CACHE entries that go through
- * the router.
- */
- if (!IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
- ire_walk_v6(ire_delete_cache_gw_v6,
- (char *)&v6src, ALL_ZONES, ipst);
- }
- } else {
- nce_hw_map_t hwm;
-
- /*
- * ARP gives us a copy of any packet where it thinks
- * the address has changed, so that we can update our
- * caches. We're responsible for caching known answers
- * in the current design. We check whether the
- * hardware address really has changed in all of our
- * entries that have cached this mapping, and if so, we
- * blow them away. This way we will immediately pick
- * up the rare case of a host changing hardware
- * address.
- */
- if (src == 0)
- break;
- hwm.hwm_addr = src;
- hwm.hwm_hwlen = arh->arh_hlen;
- hwm.hwm_hwaddr = (uchar_t *)(arh + 1);
- NDP_HW_CHANGE_INCR(ipst->ips_ndp4);
- ndp_walk_common(ipst->ips_ndp4, NULL,
- (pfi_t)nce_delete_hw_changed, &hwm, ALL_ZONES);
- NDP_HW_CHANGE_DECR(ipst->ips_ndp4);
- }
- break;
- case AR_CN_READY:
- /* No external v6 resolver has a contract to use this */
- if (isv6)
- break;
- /* If the link is down, we'll retry this later */
- if (!(ill->ill_phyint->phyint_flags & PHYI_RUNNING))
- break;
- ipif = ipif_lookup_addr(src, ill, ALL_ZONES, NULL, NULL,
- NULL, NULL, ipst);
- if (ipif != NULL) {
- /*
- * If this is a duplicate recovery, then we now need to
- * go exclusive to bring this thing back up.
- */
- if ((ipif->ipif_flags & (IPIF_UP|IPIF_DUPLICATE)) ==
- IPIF_DUPLICATE) {
- ipif_refrele(ipif);
- ill_refhold(ill);
- qwriter_ip(ill, q, mp, ip_arp_excl, NEW_OP,
- B_FALSE);
- return;
- }
- /*
- * If this is the first notice that this address is
- * ready, then let the user know now.
- */
- if ((ipif->ipif_flags & IPIF_UP) &&
- !ipif->ipif_addr_ready) {
- ipif_mask_reply(ipif);
- ipif_up_notify(ipif);
- }
- ipif->ipif_addr_ready = 1;
- ipif_refrele(ipif);
- }
- ire = ire_cache_lookup(src, ALL_ZONES, msg_getlabel(mp), ipst);
- if (ire != NULL) {
- ire->ire_defense_count = 0;
- ire_refrele(ire);
- }
- break;
- case AR_CN_FAILED:
- /* No external v6 resolver has a contract to use this */
- if (isv6)
- break;
- if (!ill->ill_arp_extend) {
- (void) mac_colon_addr((uint8_t *)(arh + 1),
- arh->arh_hlen, hbuf, sizeof (hbuf));
- (void) ip_dot_addr(src, sbuf);
-
- cmn_err(CE_WARN,
- "node %s is using our IP address %s on %s",
- hbuf, sbuf, ill->ill_name);
- break;
- }
- ill_refhold(ill);
- qwriter_ip(ill, q, mp, ip_arp_excl, NEW_OP, B_FALSE);
- return;
- }
- freemsg(mp);
+ bzero(&icmph, sizeof (icmph_t));
+ icmph.icmph_type = ICMP_REDIRECT;
+ icmph.icmph_code = 1;
+ icmph.icmph_rd_gateway = gateway;
+ BUMP_MIB(&ipst->ips_icmp_mib, icmpOutRedirects);
+ icmp_pkt(mp, &icmph, sizeof (icmph_t), ira);
}
/*
- * Create a mblk suitable for carrying the interface index and/or source link
- * address. This mblk is tagged as an M_CTL and is sent to ULP. This is used
- * when the IP_RECVIF and/or IP_RECVSLLA socket option is set by the user
- * application.
+ * Generate an ICMP time exceeded message.
*/
-mblk_t *
-ip_add_info(mblk_t *data_mp, ill_t *ill, uint_t flags, zoneid_t zoneid,
- ip_stack_t *ipst)
+void
+icmp_time_exceeded(mblk_t *mp, uint8_t code, ip_recv_attr_t *ira)
{
- mblk_t *mp;
- ip_pktinfo_t *pinfo;
- ipha_t *ipha;
- struct ether_header *pether;
- boolean_t ipmp_ill_held = B_FALSE;
-
- mp = allocb(sizeof (ip_pktinfo_t), BPRI_MED);
- if (mp == NULL) {
- ip1dbg(("ip_add_info: allocation failure.\n"));
- return (data_mp);
- }
-
- ipha = (ipha_t *)data_mp->b_rptr;
- pinfo = (ip_pktinfo_t *)mp->b_rptr;
- bzero(pinfo, sizeof (ip_pktinfo_t));
- pinfo->ip_pkt_flags = (uchar_t)flags;
- pinfo->ip_pkt_ulp_type = IN_PKTINFO; /* Tell ULP what type of info */
-
- pether = (struct ether_header *)((char *)ipha
- - sizeof (struct ether_header));
-
- /*
- * Make sure the interface is an ethernet type, since this option
- * is currently supported only on this type of interface. Also make
- * sure we are pointing correctly above db_base.
- */
- if ((flags & IPF_RECVSLLA) &&
- ((uchar_t *)pether >= data_mp->b_datap->db_base) &&
- (ill->ill_type == IFT_ETHER) &&
- (ill->ill_net_type == IRE_IF_RESOLVER)) {
- pinfo->ip_pkt_slla.sdl_type = IFT_ETHER;
- bcopy(pether->ether_shost.ether_addr_octet,
- pinfo->ip_pkt_slla.sdl_data, ETHERADDRL);
- } else {
- /*
- * Clear the bit. Indicate to upper layer that IP is not
- * sending this ancillary info.
- */
- pinfo->ip_pkt_flags = pinfo->ip_pkt_flags & ~IPF_RECVSLLA;
- }
-
- /*
- * If `ill' is in an IPMP group, use the IPMP ill to determine
- * IPF_RECVIF and IPF_RECVADDR. (This currently assumes that
- * IPF_RECVADDR support on test addresses is not needed.)
- *
- * Note that `ill' may already be an IPMP ill if e.g. we're
- * processing a packet looped back to an IPMP data address
- * (since those IRE_LOCALs are tied to IPMP ills).
- */
- if (IS_UNDER_IPMP(ill)) {
- if ((ill = ipmp_ill_hold_ipmp_ill(ill)) == NULL) {
- ip1dbg(("ip_add_info: cannot hold IPMP ill.\n"));
- freemsg(mp);
- return (data_mp);
- }
- ipmp_ill_held = B_TRUE;
- }
-
- if (flags & (IPF_RECVIF | IPF_RECVADDR))
- pinfo->ip_pkt_ifindex = ill->ill_phyint->phyint_ifindex;
- if (flags & IPF_RECVADDR) {
- ipif_t *ipif;
- ire_t *ire;
-
- /*
- * Only valid for V4
- */
- ASSERT((ipha->ipha_version_and_hdr_length & 0xf0) ==
- (IPV4_VERSION << 4));
-
- ipif = ipif_get_next_ipif(NULL, ill);
- if (ipif != NULL) {
- /*
- * Since a decision has already been made to deliver the
- * packet, there is no need to test for SECATTR and
- * ZONEONLY.
- * When a multicast packet is transmitted
- * a cache entry is created for the multicast address.
- * When delivering a copy of the packet or when new
- * packets are received we do not want to match on the
- * cached entry so explicitly match on
- * IRE_LOCAL and IRE_LOOPBACK
- */
- ire = ire_ctable_lookup(ipha->ipha_dst, 0,
- IRE_LOCAL | IRE_LOOPBACK,
- ipif, zoneid, NULL,
- MATCH_IRE_TYPE | MATCH_IRE_ILL, ipst);
- if (ire == NULL) {
- /*
- * packet must have come on a different
- * interface.
- * Since a decision has already been made to
- * deliver the packet, there is no need to test
- * for SECATTR and ZONEONLY.
- * Only match on local and broadcast ire's.
- * See detailed comment above.
- */
- ire = ire_ctable_lookup(ipha->ipha_dst, 0,
- IRE_LOCAL | IRE_LOOPBACK, ipif, zoneid,
- NULL, MATCH_IRE_TYPE, ipst);
- }
-
- if (ire == NULL) {
- /*
- * This is either a multicast packet or
- * the address has been removed since
- * the packet was received.
- * Return INADDR_ANY so that normal source
- * selection occurs for the response.
- */
-
- pinfo->ip_pkt_match_addr.s_addr = INADDR_ANY;
- } else {
- pinfo->ip_pkt_match_addr.s_addr =
- ire->ire_src_addr;
- ire_refrele(ire);
- }
- ipif_refrele(ipif);
- } else {
- pinfo->ip_pkt_match_addr.s_addr = INADDR_ANY;
- }
- }
-
- if (ipmp_ill_held)
- ill_refrele(ill);
+ icmph_t icmph;
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
- mp->b_datap->db_type = M_CTL;
- mp->b_wptr += sizeof (ip_pktinfo_t);
- mp->b_cont = data_mp;
+ mp = icmp_pkt_err_ok(mp, ira);
+ if (mp == NULL)
+ return;
- return (mp);
+ bzero(&icmph, sizeof (icmph_t));
+ icmph.icmph_type = ICMP_TIME_EXCEEDED;
+ icmph.icmph_code = code;
+ BUMP_MIB(&ipst->ips_icmp_mib, icmpOutTimeExcds);
+ icmp_pkt(mp, &icmph, sizeof (icmph_t), ira);
}
/*
- * Used to determine the most accurate cred_t to use for TX.
- * First priority is SCM_UCRED having set the label in the message,
- * which is used for MLP on UDP. Second priority is the open credentials
- * with the peer's label (aka conn_effective_cred), which is needed for
- * MLP on TCP/SCTP and for MAC-Exempt. Last priority is the open credentials.
+ * Generate an ICMP unreachable message.
+ * When called from ip_output side a minimal ip_recv_attr_t needs to be
+ * constructed by the caller.
*/
-cred_t *
-ip_best_cred(mblk_t *mp, conn_t *connp, pid_t *pidp)
+void
+icmp_unreachable(mblk_t *mp, uint8_t code, ip_recv_attr_t *ira)
{
- cred_t *cr;
+ icmph_t icmph;
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
- cr = msg_getcred(mp, pidp);
- if (cr != NULL && crgetlabel(cr) != NULL)
- return (cr);
- *pidp = NOPID;
- return (CONN_CRED(connp));
+ mp = icmp_pkt_err_ok(mp, ira);
+ if (mp == NULL)
+ return;
+
+ bzero(&icmph, sizeof (icmph_t));
+ icmph.icmph_type = ICMP_DEST_UNREACHABLE;
+ icmph.icmph_code = code;
+ BUMP_MIB(&ipst->ips_icmp_mib, icmpOutDestUnreachs);
+ icmp_pkt(mp, &icmph, sizeof (icmph_t), ira);
}
/*
- * Latch in the IPsec state for a stream based on the ipsec_in_t passed in as
- * part of the bind request.
+ * Latch in the IPsec state for a stream based the policy in the listener
+ * and the actions in the ip_recv_attr_t.
+ * Called directly from TCP and SCTP.
*/
-
boolean_t
-ip_bind_ipsec_policy_set(conn_t *connp, mblk_t *policy_mp)
+ip_ipsec_policy_inherit(conn_t *connp, conn_t *lconnp, ip_recv_attr_t *ira)
{
- ipsec_in_t *ii;
-
- ASSERT(policy_mp != NULL);
- ASSERT(policy_mp->b_datap->db_type == IPSEC_POLICY_SET);
+ ASSERT(lconnp->conn_policy != NULL);
+ ASSERT(connp->conn_policy == NULL);
- ii = (ipsec_in_t *)policy_mp->b_rptr;
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
+ IPPH_REFHOLD(lconnp->conn_policy);
+ connp->conn_policy = lconnp->conn_policy;
- connp->conn_policy = ii->ipsec_in_policy;
- ii->ipsec_in_policy = NULL;
-
- if (ii->ipsec_in_action != NULL) {
+ if (ira->ira_ipsec_action != NULL) {
if (connp->conn_latch == NULL) {
connp->conn_latch = iplatch_create();
if (connp->conn_latch == NULL)
return (B_FALSE);
}
- ipsec_latch_inbound(connp->conn_latch, ii);
+ ipsec_latch_inbound(connp, ira);
}
return (B_TRUE);
}
/*
- * Upper level protocols (ULP) pass through bind requests to IP for inspection
- * and to arrange for power-fanout assist. The ULP is identified by
- * adding a single byte at the end of the original bind message.
- * A ULP other than UDP or TCP that wishes to be recognized passes
- * down a bind with a zero length address.
- *
- * The binding works as follows:
- * - A zero byte address means just bind to the protocol.
- * - A four byte address is treated as a request to validate
- * that the address is a valid local address, appropriate for
- * an application to bind to. This does not affect any fanout
- * information in IP.
- * - A sizeof sin_t byte address is used to bind to only the local address
- * and port.
- * - A sizeof ipa_conn_t byte address contains complete fanout information
- * consisting of local and remote addresses and ports. In
- * this case, the addresses are both validated as appropriate
- * for this operation, and, if so, the information is retained
- * for use in the inbound fanout.
+ * Verify whether or not the IP address is a valid local address.
+ * Could be a unicast, including one for a down interface.
+ * If allow_mcbc then a multicast or broadcast address is also
+ * acceptable.
*
- * The ULP (except in the zero-length bind) can append an
- * additional mblk of db_type IRE_DB_REQ_TYPE or IPSEC_POLICY_SET to the
- * T_BIND_REQ/O_T_BIND_REQ. IRE_DB_REQ_TYPE indicates that the ULP wants
- * a copy of the source or destination IRE (source for local bind;
- * destination for complete bind). IPSEC_POLICY_SET indicates that the
- * policy information contained should be copied on to the conn.
- *
- * NOTE : Only one of IRE_DB_REQ_TYPE or IPSEC_POLICY_SET can be present.
- */
-mblk_t *
-ip_bind_v4(queue_t *q, mblk_t *mp, conn_t *connp)
-{
- ssize_t len;
- struct T_bind_req *tbr;
- sin_t *sin;
- ipa_conn_t *ac;
- uchar_t *ucp;
- int error = 0;
- int protocol;
- ipa_conn_x_t *acx;
- cred_t *cr;
-
- /*
- * All Solaris components should pass a db_credp
- * for this TPI message, hence we ASSERT.
- * But in case there is some other M_PROTO that looks
- * like a TPI message sent by some other kernel
- * component, we check and return an error.
- */
- cr = msg_getcred(mp, NULL);
- ASSERT(cr != NULL);
- if (cr == NULL) {
- error = EINVAL;
- goto bad_addr;
- }
-
- ASSERT(!connp->conn_af_isv6);
- connp->conn_pkt_isv6 = B_FALSE;
-
- len = MBLKL(mp);
- if (len < (sizeof (*tbr) + 1)) {
- (void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
- "ip_bind: bogus msg, len %ld", len);
- /* XXX: Need to return something better */
- goto bad_addr;
- }
- /* Back up and extract the protocol identifier. */
- mp->b_wptr--;
- protocol = *mp->b_wptr & 0xFF;
- tbr = (struct T_bind_req *)mp->b_rptr;
- /* Reset the message type in preparation for shipping it back. */
- DB_TYPE(mp) = M_PCPROTO;
-
- connp->conn_ulp = (uint8_t)protocol;
-
- /*
- * Check for a zero length address. This is from a protocol that
- * wants to register to receive all packets of its type.
- */
- if (tbr->ADDR_length == 0) {
- /*
- * These protocols are now intercepted in ip_bind_v6().
- * Reject protocol-level binds here for now.
- *
- * For SCTP raw socket, ICMP sends down a bind with sin_t
- * so that the protocol type cannot be SCTP.
- */
- if (protocol == IPPROTO_TCP || protocol == IPPROTO_AH ||
- protocol == IPPROTO_ESP || protocol == IPPROTO_SCTP) {
- goto bad_addr;
- }
-
- /*
- *
- * The udp module never sends down a zero-length address,
- * and allowing this on a labeled system will break MLP
- * functionality.
- */
- if (is_system_labeled() && protocol == IPPROTO_UDP)
- goto bad_addr;
-
- if (connp->conn_mac_mode != CONN_MAC_DEFAULT)
- goto bad_addr;
-
- /* No hash here really. The table is big enough. */
- connp->conn_srcv6 = ipv6_all_zeros;
-
- ipcl_proto_insert(connp, protocol);
-
- tbr->PRIM_type = T_BIND_ACK;
- return (mp);
- }
-
- /* Extract the address pointer from the message. */
- ucp = (uchar_t *)mi_offset_param(mp, tbr->ADDR_offset,
- tbr->ADDR_length);
- if (ucp == NULL) {
- ip1dbg(("ip_bind: no address\n"));
- goto bad_addr;
- }
- if (!OK_32PTR(ucp)) {
- ip1dbg(("ip_bind: unaligned address\n"));
- goto bad_addr;
- }
-
- switch (tbr->ADDR_length) {
- default:
- ip1dbg(("ip_bind: bad address length %d\n",
- (int)tbr->ADDR_length));
- goto bad_addr;
-
- case IP_ADDR_LEN:
- /* Verification of local address only */
- error = ip_bind_laddr_v4(connp, &mp->b_cont, protocol,
- *(ipaddr_t *)ucp, 0, B_FALSE);
- break;
-
- case sizeof (sin_t):
- sin = (sin_t *)ucp;
- error = ip_bind_laddr_v4(connp, &mp->b_cont, protocol,
- sin->sin_addr.s_addr, sin->sin_port, B_TRUE);
- break;
-
- case sizeof (ipa_conn_t):
- ac = (ipa_conn_t *)ucp;
- /* For raw socket, the local port is not set. */
- if (ac->ac_lport == 0)
- ac->ac_lport = connp->conn_lport;
- /* Always verify destination reachability. */
- error = ip_bind_connected_v4(connp, &mp->b_cont, protocol,
- &ac->ac_laddr, ac->ac_lport, ac->ac_faddr, ac->ac_fport,
- B_TRUE, B_TRUE, cr);
- break;
-
- case sizeof (ipa_conn_x_t):
- acx = (ipa_conn_x_t *)ucp;
- /*
- * Whether or not to verify destination reachability depends
- * on the setting of the ACX_VERIFY_DST flag in acx->acx_flags.
- */
- error = ip_bind_connected_v4(connp, &mp->b_cont, protocol,
- &acx->acx_conn.ac_laddr, acx->acx_conn.ac_lport,
- acx->acx_conn.ac_faddr, acx->acx_conn.ac_fport,
- B_TRUE, (acx->acx_flags & ACX_VERIFY_DST) != 0, cr);
- break;
- }
- ASSERT(error != EINPROGRESS);
- if (error != 0)
- goto bad_addr;
-
- /* Send it home. */
- mp->b_datap->db_type = M_PCPROTO;
- tbr->PRIM_type = T_BIND_ACK;
- return (mp);
-
-bad_addr:
- /*
- * If error = -1 then we generate a TBADADDR - otherwise error is
- * a unix errno.
- */
- if (error > 0)
- mp = mi_tpi_err_ack_alloc(mp, TSYSERR, error);
- else
- mp = mi_tpi_err_ack_alloc(mp, TBADADDR, 0);
- return (mp);
-}
-
-/*
- * Here address is verified to be a valid local address.
- * If the IRE_DB_REQ_TYPE mp is present, a broadcast/multicast
- * address is also considered a valid local address.
* In the case of a broadcast/multicast address, however, the
* upper protocol is expected to reset the src address
- * to 0 if it sees a IRE_BROADCAST type returned so that
+ * to zero when we return IPVL_MCAST/IPVL_BCAST so that
* no packets are emitted with broadcast/multicast address as
* source address (that violates hosts requirements RFC 1122)
* The addresses valid for bind are:
@@ -4530,323 +3396,189 @@ bad_addr:
* application still has to issue an
* IP_ADD_MEMBERSHIP socket option.
*
- * On error, return -1 for TBADADDR otherwise pass the
- * errno with TSYSERR reply.
- *
* In all the above cases, the bound address must be valid in the current zone.
* When the address is loopback, multicast or broadcast, there might be many
* matching IREs so bind has to look up based on the zone.
- *
- * Note: lport is in network byte order.
- *
*/
-int
-ip_bind_laddr_v4(conn_t *connp, mblk_t **mpp, uint8_t protocol,
- ipaddr_t src_addr, uint16_t lport, boolean_t fanout_insert)
+ip_laddr_t
+ip_laddr_verify_v4(ipaddr_t src_addr, zoneid_t zoneid,
+ ip_stack_t *ipst, boolean_t allow_mcbc)
{
- int error = 0;
- ire_t *src_ire;
- zoneid_t zoneid;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
- mblk_t *mp = NULL;
- boolean_t ire_requested = B_FALSE;
- boolean_t ipsec_policy_set = B_FALSE;
+ ire_t *src_ire;
- if (mpp)
- mp = *mpp;
+ ASSERT(src_addr != INADDR_ANY);
- if (mp != NULL) {
- ire_requested = (DB_TYPE(mp) == IRE_DB_REQ_TYPE);
- ipsec_policy_set = (DB_TYPE(mp) == IPSEC_POLICY_SET);
- }
+ src_ire = ire_ftable_lookup_v4(src_addr, 0, 0, 0,
+ NULL, zoneid, NULL, MATCH_IRE_ZONEONLY, 0, ipst, NULL);
/*
- * If it was previously connected, conn_fully_bound would have
- * been set.
+ * If an address other than in6addr_any is requested,
+ * we verify that it is a valid address for bind
+ * Note: Following code is in if-else-if form for
+ * readability compared to a condition check.
*/
- connp->conn_fully_bound = B_FALSE;
-
- src_ire = NULL;
+ if (src_ire != NULL && (src_ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK))) {
+ /*
+ * (2) Bind to address of local UP interface
+ */
+ ire_refrele(src_ire);
+ return (IPVL_UNICAST_UP);
+ } else if (src_ire != NULL && src_ire->ire_type & IRE_BROADCAST) {
+ /*
+ * (4) Bind to broadcast address
+ */
+ ire_refrele(src_ire);
+ if (allow_mcbc)
+ return (IPVL_BCAST);
+ else
+ return (IPVL_BAD);
+ } else if (CLASSD(src_addr)) {
+ /* (5) bind to multicast address. */
+ if (src_ire != NULL)
+ ire_refrele(src_ire);
- zoneid = IPCL_ZONEID(connp);
+ if (allow_mcbc)
+ return (IPVL_MCAST);
+ else
+ return (IPVL_BAD);
+ } else {
+ ipif_t *ipif;
- if (src_addr) {
- src_ire = ire_route_lookup(src_addr, 0, 0, 0,
- NULL, NULL, zoneid, NULL, MATCH_IRE_ZONEONLY, ipst);
/*
- * If an address other than 0.0.0.0 is requested,
- * we verify that it is a valid address for bind
- * Note: Following code is in if-else-if form for
- * readability compared to a condition check.
+ * (3) Bind to address of local DOWN interface?
+ * (ipif_lookup_addr() looks up all interfaces
+ * but we do not get here for UP interfaces
+ * - case (2) above)
*/
- /* LINTED - statement has no consequence */
- if (IRE_IS_LOCAL(src_ire)) {
- /*
- * (2) Bind to address of local UP interface
- */
- } else if (src_ire && src_ire->ire_type == IRE_BROADCAST) {
- /*
- * (4) Bind to broadcast address
- * Note: permitted only from transports that
- * request IRE
- */
- if (!ire_requested)
- error = EADDRNOTAVAIL;
- } else {
- /*
- * (3) Bind to address of local DOWN interface
- * (ipif_lookup_addr() looks up all interfaces
- * but we do not get here for UP interfaces
- * - case (2) above)
- */
- /* LINTED - statement has no consequent */
- if (ip_addr_exists(src_addr, zoneid, ipst)) {
- /* The address exists */
- } else if (CLASSD(src_addr)) {
- error = 0;
- if (src_ire != NULL)
- ire_refrele(src_ire);
- /*
- * (5) bind to multicast address.
- * Fake out the IRE returned to upper
- * layer to be a broadcast IRE.
- */
- src_ire = ire_ctable_lookup(
- INADDR_BROADCAST, INADDR_ANY,
- IRE_BROADCAST, NULL, zoneid, NULL,
- (MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY),
- ipst);
- if (src_ire == NULL || !ire_requested)
- error = EADDRNOTAVAIL;
- } else {
- /*
- * Not a valid address for bind
- */
- error = EADDRNOTAVAIL;
- }
- }
- if (error) {
- /* Red Alert! Attempting to be a bogon! */
- ip1dbg(("ip_bind_laddr_v4: bad src address 0x%x\n",
- ntohl(src_addr)));
- goto bad_addr;
+ if (src_ire != NULL)
+ ire_refrele(src_ire);
+
+ ipif = ipif_lookup_addr(src_addr, NULL, zoneid, ipst);
+ if (ipif == NULL)
+ return (IPVL_BAD);
+
+ /* Not a useful source? */
+ if (ipif->ipif_flags & (IPIF_NOLOCAL | IPIF_ANYCAST)) {
+ ipif_refrele(ipif);
+ return (IPVL_BAD);
}
+ ipif_refrele(ipif);
+ return (IPVL_UNICAST_DOWN);
}
+}
+
+/*
+ * Insert in the bind fanout for IPv4 and IPv6.
+ * The caller should already have used ip_laddr_verify_v*() before calling
+ * this.
+ */
+int
+ip_laddr_fanout_insert(conn_t *connp)
+{
+ int error;
/*
- * Allow setting new policies. For example, disconnects come
- * down as ipa_t bind. As we would have set conn_policy_cached
+ * Allow setting new policies. For example, disconnects result
+ * in us being called. As we would have set conn_policy_cached
* to B_TRUE before, we should set it to B_FALSE, so that policy
* can change after the disconnect.
*/
connp->conn_policy_cached = B_FALSE;
- /*
- * If not fanout_insert this was just an address verification
- */
- if (fanout_insert) {
- /*
- * The addresses have been verified. Time to insert in
- * the correct fanout list.
- */
- IN6_IPADDR_TO_V4MAPPED(src_addr, &connp->conn_srcv6);
- IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &connp->conn_remv6);
- connp->conn_lport = lport;
- connp->conn_fport = 0;
- /*
- * Do we need to add a check to reject Multicast packets
- */
- error = ipcl_bind_insert(connp, protocol, src_addr, lport);
- }
-
- if (error == 0) {
- if (ire_requested) {
- if (!ip_bind_get_ire_v4(mpp, src_ire, NULL, ipst)) {
- error = -1;
- /* Falls through to bad_addr */
- }
- } else if (ipsec_policy_set) {
- if (!ip_bind_ipsec_policy_set(connp, mp)) {
- error = -1;
- /* Falls through to bad_addr */
- }
- }
- }
-bad_addr:
+ error = ipcl_bind_insert(connp);
if (error != 0) {
if (connp->conn_anon_port) {
(void) tsol_mlp_anon(crgetzone(connp->conn_cred),
- connp->conn_mlp_type, connp->conn_ulp, ntohs(lport),
- B_FALSE);
+ connp->conn_mlp_type, connp->conn_proto,
+ ntohs(connp->conn_lport), B_FALSE);
}
connp->conn_mlp_type = mlptSingle;
}
- if (src_ire != NULL)
- IRE_REFRELE(src_ire);
- return (error);
-}
-
-int
-ip_proto_bind_laddr_v4(conn_t *connp, mblk_t **ire_mpp, uint8_t protocol,
- ipaddr_t src_addr, uint16_t lport, boolean_t fanout_insert)
-{
- int error;
-
- ASSERT(!connp->conn_af_isv6);
- connp->conn_pkt_isv6 = B_FALSE;
- connp->conn_ulp = protocol;
-
- error = ip_bind_laddr_v4(connp, ire_mpp, protocol, src_addr, lport,
- fanout_insert);
- if (error < 0)
- error = -TBADADDR;
return (error);
}
/*
- * Verify that both the source and destination addresses
- * are valid. If verify_dst is false, then the destination address may be
- * unreachable, i.e. have no route to it. Protocols like TCP want to verify
- * destination reachability, while tunnels do not.
- * Note that we allow connect to broadcast and multicast
- * addresses when ire_requested is set. Thus the ULP
- * has to check for IRE_BROADCAST and multicast.
+ * Verify that both the source and destination addresses are valid. If
+ * IPDF_VERIFY_DST is not set, then the destination address may be unreachable,
+ * i.e. have no route to it. Protocols like TCP want to verify destination
+ * reachability, while tunnels do not.
*
- * Returns zero if ok.
- * On error: returns -1 to mean TBADADDR otherwise returns an errno
- * (for use with TSYSERR reply).
+ * Determine the route, the interface, and (optionally) the source address
+ * to use to reach a given destination.
+ * Note that we allow connect to broadcast and multicast addresses when
+ * IPDF_ALLOW_MCBC is set.
+ * first_hop and dst_addr are normally the same, but if source routing
+ * they will differ; in that case the first_hop is what we'll use for the
+ * routing lookup but the dce and label checks will be done on dst_addr,
*
- * Note: lport and fport are in network byte order.
+ * If uinfo is set, then we fill in the best available information
+ * we have for the destination. This is based on (in priority order) any
+ * metrics and path MTU stored in a dce_t, route metrics, and finally the
+ * ill_mtu.
+ *
+ * Tsol note: If we have a source route then dst_addr != firsthop. But we
+ * always do the label check on dst_addr.
*/
int
-ip_bind_connected_v4(conn_t *connp, mblk_t **mpp, uint8_t protocol,
- ipaddr_t *src_addrp, uint16_t lport, ipaddr_t dst_addr, uint16_t fport,
- boolean_t fanout_insert, boolean_t verify_dst, cred_t *cr)
+ip_set_destination_v4(ipaddr_t *src_addrp, ipaddr_t dst_addr, ipaddr_t firsthop,
+ ip_xmit_attr_t *ixa, iulp_t *uinfo, uint32_t flags, uint_t mac_mode)
{
-
- ire_t *src_ire;
- ire_t *dst_ire;
+ ire_t *ire = NULL;
int error = 0;
- ire_t *sire = NULL;
- ire_t *md_dst_ire = NULL;
- ire_t *lso_dst_ire = NULL;
+ ipaddr_t setsrc; /* RTF_SETSRC */
+ zoneid_t zoneid = ixa->ixa_zoneid; /* Honors SO_ALLZONES */
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ dce_t *dce;
+ uint_t pmtu;
+ uint_t generation;
+ nce_t *nce;
ill_t *ill = NULL;
- zoneid_t zoneid;
- ipaddr_t src_addr = *src_addrp;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
- mblk_t *mp = NULL;
- boolean_t ire_requested = B_FALSE;
- boolean_t ipsec_policy_set = B_FALSE;
- ts_label_t *tsl = NULL;
- cred_t *effective_cred = NULL;
-
- if (mpp)
- mp = *mpp;
-
- if (mp != NULL) {
- ire_requested = (DB_TYPE(mp) == IRE_DB_REQ_TYPE);
- ipsec_policy_set = (DB_TYPE(mp) == IPSEC_POLICY_SET);
- }
+ boolean_t multirt = B_FALSE;
- src_ire = dst_ire = NULL;
+ ASSERT(ixa->ixa_flags & IXAF_IS_IPV4);
/*
- * If we never got a disconnect before, clear it now.
+ * We never send to zero; the ULPs map it to the loopback address.
+ * We can't allow it since we use zero to mean unitialized in some
+ * places.
*/
- connp->conn_fully_bound = B_FALSE;
+ ASSERT(dst_addr != INADDR_ANY);
- zoneid = IPCL_ZONEID(connp);
-
- /*
- * Check whether Trusted Solaris policy allows communication with this
- * host, and pretend that the destination is unreachable if not.
- *
- * This is never a problem for TCP, since that transport is known to
- * compute the label properly as part of the tcp_rput_other T_BIND_ACK
- * handling. If the remote is unreachable, it will be detected at that
- * point, so there's no reason to check it here.
- *
- * Note that for sendto (and other datagram-oriented friends), this
- * check is done as part of the data path label computation instead.
- * The check here is just to make non-TCP connect() report the right
- * error.
- */
- if (is_system_labeled() && !IPCL_IS_TCP(connp)) {
- if ((error = tsol_check_dest(cr, &dst_addr, IPV4_VERSION,
- connp->conn_mac_mode, &effective_cred)) != 0) {
- if (ip_debug > 2) {
- pr_addr_dbg(
- "ip_bind_connected_v4:"
- " no label for dst %s\n",
- AF_INET, &dst_addr);
- }
- goto bad_addr;
- }
+ if (is_system_labeled()) {
+ ts_label_t *tsl = NULL;
- /*
- * tsol_check_dest() may have created a new cred with
- * a modified security label. Use that cred if it exists
- * for ire lookups.
- */
- if (effective_cred == NULL) {
- tsl = crgetlabel(cr);
- } else {
- tsl = crgetlabel(effective_cred);
+ error = tsol_check_dest(ixa->ixa_tsl, &dst_addr, IPV4_VERSION,
+ mac_mode, (flags & IPDF_ZONE_IS_GLOBAL) != 0, &tsl);
+ if (error != 0)
+ return (error);
+ if (tsl != NULL) {
+ /* Update the label */
+ ip_xmit_attr_replace_tsl(ixa, tsl);
}
}
- if (CLASSD(dst_addr)) {
- /* Pick up an IRE_BROADCAST */
- dst_ire = ire_route_lookup(ip_g_all_ones, 0, 0, 0, NULL,
- NULL, zoneid, tsl,
- (MATCH_IRE_RECURSIVE |
- MATCH_IRE_DEFAULT | MATCH_IRE_RJ_BHOLE |
- MATCH_IRE_SECATTR), ipst);
- } else {
- /*
- * If conn_dontroute is set or if conn_nexthop_set is set,
- * and onlink ipif is not found set ENETUNREACH error.
- */
- if (connp->conn_dontroute || connp->conn_nexthop_set) {
- ipif_t *ipif;
-
- ipif = ipif_lookup_onlink_addr(connp->conn_dontroute ?
- dst_addr : connp->conn_nexthop_v4, zoneid, ipst);
- if (ipif == NULL) {
- error = ENETUNREACH;
- goto bad_addr;
- }
- ipif_refrele(ipif);
- }
+ setsrc = INADDR_ANY;
+ /*
+ * Select a route; For IPMP interfaces, we would only select
+ * a "hidden" route (i.e., going through a specific under_ill)
+ * if ixa_ifindex has been specified.
+ */
+ ire = ip_select_route_v4(firsthop, ixa, &generation, &setsrc, &error,
+ &multirt);
+ ASSERT(ire != NULL); /* IRE_NOROUTE if none found */
+ if (error != 0)
+ goto bad_addr;
- if (connp->conn_nexthop_set) {
- dst_ire = ire_route_lookup(connp->conn_nexthop_v4, 0,
- 0, 0, NULL, NULL, zoneid, tsl,
- MATCH_IRE_SECATTR, ipst);
- } else {
- dst_ire = ire_route_lookup(dst_addr, 0, 0, 0, NULL,
- &sire, zoneid, tsl,
- (MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT |
- MATCH_IRE_PARENT | MATCH_IRE_RJ_BHOLE |
- MATCH_IRE_SECATTR), ipst);
- }
- }
/*
- * dst_ire can't be a broadcast when not ire_requested.
- * We also prevent ire's with src address INADDR_ANY to
- * be used, which are created temporarily for
- * sending out packets from endpoints that have
- * conn_unspec_src set. If verify_dst is true, the destination must be
- * reachable. If verify_dst is false, the destination needn't be
- * reachable.
+ * ire can't be a broadcast or multicast unless IPDF_ALLOW_MCBC is set.
+ * If IPDF_VERIFY_DST is set, the destination must be reachable;
+ * Otherwise the destination needn't be reachable.
*
* If we match on a reject or black hole, then we've got a
* local failure. May as well fail out the connect() attempt,
* since it's never going to succeed.
*/
- if (dst_ire == NULL || dst_ire->ire_src_addr == INADDR_ANY ||
- (dst_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
- ((dst_ire->ire_type & IRE_BROADCAST) && !ire_requested)) {
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
/*
* If we're verifying destination reachability, we always want
* to complain here.
@@ -4854,425 +3586,435 @@ ip_bind_connected_v4(conn_t *connp, mblk_t **mpp, uint8_t protocol,
* If we're not verifying destination reachability but the
* destination has a route, we still want to fail on the
* temporary address and broadcast address tests.
+ *
+ * In both cases do we let the code continue so some reasonable
+ * information is returned to the caller. That enables the
+ * caller to use (and even cache) the IRE. conn_ip_ouput will
+ * use the generation mismatch path to check for the unreachable
+ * case thereby avoiding any specific check in the main path.
*/
- if (verify_dst || (dst_ire != NULL)) {
- if (ip_debug > 2) {
- pr_addr_dbg("ip_bind_connected_v4:"
- "bad connected dst %s\n",
- AF_INET, &dst_addr);
- }
- if (dst_ire == NULL || !(dst_ire->ire_type & IRE_HOST))
+ ASSERT(generation == IRE_GENERATION_VERIFY);
+ if (flags & IPDF_VERIFY_DST) {
+ /*
+ * Set errno but continue to set up ixa_ire to be
+ * the RTF_REJECT|RTF_BLACKHOLE IRE.
+ * That allows callers to use ip_output to get an
+ * ICMP error back.
+ */
+ if (!(ire->ire_type & IRE_HOST))
error = ENETUNREACH;
else
error = EHOSTUNREACH;
- goto bad_addr;
+ }
+ }
+
+ if ((ire->ire_type & (IRE_BROADCAST|IRE_MULTICAST)) &&
+ !(flags & IPDF_ALLOW_MCBC)) {
+ ire_refrele(ire);
+ ire = ire_reject(ipst, B_FALSE);
+ generation = IRE_GENERATION_VERIFY;
+ error = ENETUNREACH;
+ }
+
+ /* Cache things */
+ if (ixa->ixa_ire != NULL)
+ ire_refrele_notr(ixa->ixa_ire);
+#ifdef DEBUG
+ ire_refhold_notr(ire);
+ ire_refrele(ire);
+#endif
+ ixa->ixa_ire = ire;
+ ixa->ixa_ire_generation = generation;
+
+ /*
+ * For multicast with multirt we have a flag passed back from
+ * ire_lookup_multi_ill_v4 since we don't have an IRE for each
+ * possible multicast address.
+ * We also need a flag for multicast since we can't check
+ * whether RTF_MULTIRT is set in ixa_ire for multicast.
+ */
+ if (multirt) {
+ ixa->ixa_postfragfn = ip_postfrag_multirt_v4;
+ ixa->ixa_flags |= IXAF_MULTIRT_MULTICAST;
+ } else {
+ ixa->ixa_postfragfn = ire->ire_postfragfn;
+ ixa->ixa_flags &= ~IXAF_MULTIRT_MULTICAST;
+ }
+ if (!(ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))) {
+ /* Get an nce to cache. */
+ nce = ire_to_nce(ire, firsthop, NULL);
+ if (nce == NULL) {
+ /* Allocation failure? */
+ ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
+ } else {
+ if (ixa->ixa_nce != NULL)
+ nce_refrele(ixa->ixa_nce);
+ ixa->ixa_nce = nce;
}
}
/*
- * If the app does a connect(), it means that it will most likely
- * send more than 1 packet to the destination. It makes sense
- * to clear the temporary flag.
+ * We use use ire_nexthop_ill to avoid the under ipmp
+ * interface for source address selection. Note that for ipmp
+ * probe packets, ixa_ifindex would have been specified, and
+ * the ip_select_route() invocation would have picked an ire
+ * will ire_ill pointing at an under interface.
*/
- if (dst_ire != NULL && dst_ire->ire_type == IRE_CACHE &&
- (dst_ire->ire_marks & IRE_MARK_TEMPORARY)) {
- irb_t *irb = dst_ire->ire_bucket;
+ ill = ire_nexthop_ill(ire);
- rw_enter(&irb->irb_lock, RW_WRITER);
+ /*
+ * If the source address is a loopback address, the
+ * destination had best be local or multicast.
+ * If we are sending to an IRE_LOCAL using a loopback source then
+ * it had better be the same zoneid.
+ */
+ if (*src_addrp == htonl(INADDR_LOOPBACK)) {
+ if ((ire->ire_type & IRE_LOCAL) && ire->ire_zoneid != zoneid) {
+ ire = NULL; /* Stored in ixa_ire */
+ error = EADDRNOTAVAIL;
+ goto bad_addr;
+ }
+ if (!(ire->ire_type & (IRE_LOOPBACK|IRE_LOCAL|IRE_MULTICAST))) {
+ ire = NULL; /* Stored in ixa_ire */
+ error = EADDRNOTAVAIL;
+ goto bad_addr;
+ }
+ }
+ if (ire->ire_type & IRE_BROADCAST) {
/*
- * We need to recheck for IRE_MARK_TEMPORARY after acquiring
- * the lock to guarantee irb_tmp_ire_cnt.
+ * If the ULP didn't have a specified source, then we
+ * make sure we reselect the source when sending
+ * broadcasts out different interfaces.
*/
- if (dst_ire->ire_marks & IRE_MARK_TEMPORARY) {
- dst_ire->ire_marks &= ~IRE_MARK_TEMPORARY;
- irb->irb_tmp_ire_cnt--;
- }
- rw_exit(&irb->irb_lock);
+ if (flags & IPDF_SELECT_SRC)
+ ixa->ixa_flags |= IXAF_SET_SOURCE;
+ else
+ ixa->ixa_flags &= ~IXAF_SET_SOURCE;
}
/*
- * See if we should notify ULP about LSO/MDT; we do this whether or not
- * ire_requested is TRUE, in order to handle active connects; LSO/MDT
- * eligibility tests for passive connects are handled separately
- * through tcp_adapt_ire(). We do this before the source address
- * selection, because dst_ire may change after a call to
- * ipif_select_source(). This is a best-effort check, as the
- * packet for this connection may not actually go through
- * dst_ire->ire_stq, and the exact IRE can only be known after
- * calling ip_newroute(). This is why we further check on the
- * IRE during LSO/Multidata packet transmission in
- * tcp_lsosend()/tcp_multisend().
+ * Does the caller want us to pick a source address?
*/
- if (!ipsec_policy_set && dst_ire != NULL &&
- !(dst_ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK | IRE_BROADCAST)) &&
- (ill = ire_to_ill(dst_ire), ill != NULL)) {
- if (ipst->ips_ip_lso_outbound && ILL_LSO_CAPABLE(ill)) {
- lso_dst_ire = dst_ire;
- IRE_REFHOLD(lso_dst_ire);
- } else if (ipst->ips_ip_multidata_outbound &&
- ILL_MDT_CAPABLE(ill)) {
- md_dst_ire = dst_ire;
- IRE_REFHOLD(md_dst_ire);
+ if (flags & IPDF_SELECT_SRC) {
+ ipaddr_t src_addr;
+
+ /* If unreachable we have no ill but need some source */
+ if (ill == NULL) {
+ src_addr = htonl(INADDR_LOOPBACK);
+ /* Make sure we look for a better source address */
+ generation = SRC_GENERATION_VERIFY;
+ } else {
+ error = ip_select_source_v4(ill, setsrc, dst_addr,
+ ixa->ixa_multicast_ifaddr, zoneid,
+ ipst, &src_addr, &generation, NULL);
+ if (error != 0) {
+ ire = NULL; /* Stored in ixa_ire */
+ goto bad_addr;
+ }
}
- }
- if (dst_ire != NULL && dst_ire->ire_type == IRE_LOCAL &&
- dst_ire->ire_zoneid != zoneid && dst_ire->ire_zoneid != ALL_ZONES) {
/*
- * If the IRE belongs to a different zone, look for a matching
- * route in the forwarding table and use the source address from
- * that route.
+ * We allow the source address to to down.
+ * However, we check that we don't use the loopback address
+ * as a source when sending out on the wire.
*/
- src_ire = ire_ftable_lookup(dst_addr, 0, 0, 0, NULL, NULL,
- zoneid, 0, NULL,
- MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT |
- MATCH_IRE_RJ_BHOLE, ipst);
- if (src_ire == NULL) {
- error = EHOSTUNREACH;
- goto bad_addr;
- } else if (src_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
- if (!(src_ire->ire_type & IRE_HOST))
- error = ENETUNREACH;
- else
- error = EHOSTUNREACH;
+ if ((src_addr == htonl(INADDR_LOOPBACK)) &&
+ !(ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK|IRE_MULTICAST)) &&
+ !(ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))) {
+ ire = NULL; /* Stored in ixa_ire */
+ error = EADDRNOTAVAIL;
goto bad_addr;
}
- if (src_addr == INADDR_ANY)
- src_addr = src_ire->ire_src_addr;
- ire_refrele(src_ire);
- src_ire = NULL;
- } else if ((src_addr == INADDR_ANY) && (dst_ire != NULL)) {
- if ((sire != NULL) && (sire->ire_flags & RTF_SETSRC)) {
- src_addr = sire->ire_src_addr;
- ire_refrele(dst_ire);
- dst_ire = sire;
- sire = NULL;
- } else {
- /*
- * Pick a source address so that a proper inbound
- * load spreading would happen.
- */
- ill_t *ire_ill = dst_ire->ire_ipif->ipif_ill;
- ipif_t *src_ipif = NULL;
- ire_t *ipif_ire;
- /*
- * Supply a local source address such that inbound
- * load spreading happens.
- *
- * Determine the best source address on this ill for
- * the destination.
- *
- * 1) For broadcast, we should return a broadcast ire
- * found above so that upper layers know that the
- * destination address is a broadcast address.
- *
- * 2) If the ipif is DEPRECATED, select a better
- * source address. Similarly, if the ipif is on
- * the IPMP meta-interface, pick a source address
- * at random to improve inbound load spreading.
- *
- * 3) If the outgoing interface is part of a usesrc
- * group, then try selecting a source address from
- * the usesrc ILL.
- */
- if ((dst_ire->ire_zoneid != zoneid &&
- dst_ire->ire_zoneid != ALL_ZONES) ||
- (!(dst_ire->ire_flags & RTF_SETSRC)) &&
- (!(dst_ire->ire_type & IRE_BROADCAST) &&
- (IS_IPMP(ire_ill) ||
- (dst_ire->ire_ipif->ipif_flags & IPIF_DEPRECATED) ||
- (ire_ill->ill_usesrc_ifindex != 0)))) {
- /*
- * If the destination is reachable via a
- * given gateway, the selected source address
- * should be in the same subnet as the gateway.
- * Otherwise, the destination is not reachable.
- *
- * If there are no interfaces on the same subnet
- * as the destination, ipif_select_source gives
- * first non-deprecated interface which might be
- * on a different subnet than the gateway.
- * This is not desirable. Hence pass the dst_ire
- * source address to ipif_select_source.
- * It is sure that the destination is reachable
- * with the dst_ire source address subnet.
- * So passing dst_ire source address to
- * ipif_select_source will make sure that the
- * selected source will be on the same subnet
- * as dst_ire source address.
- */
- ipaddr_t saddr =
- dst_ire->ire_ipif->ipif_src_addr;
- src_ipif = ipif_select_source(ire_ill,
- saddr, zoneid);
- if (src_ipif != NULL) {
- if (IS_VNI(src_ipif->ipif_ill)) {
- /*
- * For VNI there is no
- * interface route
- */
- src_addr =
- src_ipif->ipif_src_addr;
- } else {
- ipif_ire =
- ipif_to_ire(src_ipif);
- if (ipif_ire != NULL) {
- IRE_REFRELE(dst_ire);
- dst_ire = ipif_ire;
- }
- src_addr =
- dst_ire->ire_src_addr;
- }
- ipif_refrele(src_ipif);
- } else {
- src_addr = dst_ire->ire_src_addr;
- }
- } else {
- src_addr = dst_ire->ire_src_addr;
- }
- }
+ *src_addrp = src_addr;
+ ixa->ixa_src_generation = generation;
}
+ if (flags & IPDF_UNIQUE_DCE) {
+ /* Fallback to the default dce if allocation fails */
+ dce = dce_lookup_and_add_v4(dst_addr, ipst);
+ if (dce != NULL)
+ generation = dce->dce_generation;
+ else
+ dce = dce_lookup_v4(dst_addr, ipst, &generation);
+ } else {
+ dce = dce_lookup_v4(dst_addr, ipst, &generation);
+ }
+ ASSERT(dce != NULL);
+ if (ixa->ixa_dce != NULL)
+ dce_refrele_notr(ixa->ixa_dce);
+#ifdef DEBUG
+ dce_refhold_notr(dce);
+ dce_refrele(dce);
+#endif
+ ixa->ixa_dce = dce;
+ ixa->ixa_dce_generation = generation;
+
/*
- * We do ire_route_lookup() here (and not
- * interface lookup as we assert that
- * src_addr should only come from an
- * UP interface for hard binding.
+ * Make sure we don't leave an unreachable ixa_nce in place
+ * since ip_select_route is used when we unplumb i.e., remove
+ * references on ixa_ire, ixa_nce, and ixa_dce.
*/
- ASSERT(src_ire == NULL);
- src_ire = ire_route_lookup(src_addr, 0, 0, 0, NULL,
- NULL, zoneid, NULL, MATCH_IRE_ZONEONLY, ipst);
- /* src_ire must be a local|loopback */
- if (!IRE_IS_LOCAL(src_ire)) {
- if (ip_debug > 2) {
- pr_addr_dbg("ip_bind_connected_v4: bad connected "
- "src %s\n", AF_INET, &src_addr);
- }
- error = EADDRNOTAVAIL;
- goto bad_addr;
+ nce = ixa->ixa_nce;
+ if (nce != NULL && nce->nce_is_condemned) {
+ nce_refrele(nce);
+ ixa->ixa_nce = NULL;
+ ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
}
/*
- * If the source address is a loopback address, the
- * destination had best be local or multicast.
- * The transports that can't handle multicast will reject
- * those addresses.
+ * The caller has set IXAF_PMTU_DISCOVERY if path MTU is desired.
+ * However, we can't do it for IPv4 multicast or broadcast.
*/
- if (src_ire->ire_type == IRE_LOOPBACK &&
- !(IRE_IS_LOCAL(dst_ire) || CLASSD(dst_addr))) {
- ip1dbg(("ip_bind_connected_v4: bad connected loopback\n"));
- error = -1;
- goto bad_addr;
- }
+ if (ire->ire_type & (IRE_BROADCAST|IRE_MULTICAST))
+ ixa->ixa_flags &= ~IXAF_PMTU_DISCOVERY;
/*
- * Allow setting new policies. For example, disconnects come
- * down as ipa_t bind. As we would have set conn_policy_cached
- * to B_TRUE before, we should set it to B_FALSE, so that policy
- * can change after the disconnect.
+ * Set initial value for fragmentation limit. Either conn_ip_output
+ * or ULP might updates it when there are routing changes.
+ * Handles a NULL ixa_ire->ire_ill or a NULL ixa_nce for RTF_REJECT.
*/
- connp->conn_policy_cached = B_FALSE;
+ pmtu = ip_get_pmtu(ixa);
+ ixa->ixa_fragsize = pmtu;
+ /* Make sure ixa_fragsize and ixa_pmtu remain identical */
+ if (ixa->ixa_flags & IXAF_VERIFY_PMTU)
+ ixa->ixa_pmtu = pmtu;
/*
- * Set the conn addresses/ports immediately, so the IPsec policy calls
- * can handle their passed-in conn's.
+ * Extract information useful for some transports.
+ * First we look for DCE metrics. Then we take what we have in
+ * the metrics in the route, where the offlink is used if we have
+ * one.
*/
+ if (uinfo != NULL) {
+ bzero(uinfo, sizeof (*uinfo));
- IN6_IPADDR_TO_V4MAPPED(src_addr, &connp->conn_srcv6);
- IN6_IPADDR_TO_V4MAPPED(dst_addr, &connp->conn_remv6);
- connp->conn_lport = lport;
- connp->conn_fport = fport;
- *src_addrp = src_addr;
+ if (dce->dce_flags & DCEF_UINFO)
+ *uinfo = dce->dce_uinfo;
- ASSERT(!(ipsec_policy_set && ire_requested));
- if (ire_requested) {
- iulp_t *ulp_info = NULL;
+ rts_merge_metrics(uinfo, &ire->ire_metrics);
- /*
- * Note that sire will not be NULL if this is an off-link
- * connection and there is not cache for that dest yet.
- *
- * XXX Because of an existing bug, if there are multiple
- * default routes, the IRE returned now may not be the actual
- * default route used (default routes are chosen in a
- * round robin fashion). So if the metrics for different
- * default routes are different, we may return the wrong
- * metrics. This will not be a problem if the existing
- * bug is fixed.
- */
- if (sire != NULL) {
- ulp_info = &(sire->ire_uinfo);
- }
- if (!ip_bind_get_ire_v4(mpp, dst_ire, ulp_info, ipst)) {
- error = -1;
- goto bad_addr;
- }
- mp = *mpp;
- } else if (ipsec_policy_set) {
- if (!ip_bind_ipsec_policy_set(connp, mp)) {
- error = -1;
- goto bad_addr;
- }
+ /* Allow ire_metrics to decrease the path MTU from above */
+ if (uinfo->iulp_mtu == 0 || uinfo->iulp_mtu > pmtu)
+ uinfo->iulp_mtu = pmtu;
+
+ uinfo->iulp_localnet = (ire->ire_type & IRE_ONLINK) != 0;
+ uinfo->iulp_loopback = (ire->ire_type & IRE_LOOPBACK) != 0;
+ uinfo->iulp_local = (ire->ire_type & IRE_LOCAL) != 0;
}
- /*
- * Cache IPsec policy in this conn. If we have per-socket policy,
- * we'll cache that. If we don't, we'll inherit global policy.
- *
- * We can't insert until the conn reflects the policy. Note that
- * conn_policy_cached is set by ipsec_conn_cache_policy() even for
- * connections where we don't have a policy. This is to prevent
- * global policy lookups in the inbound path.
- *
- * If we insert before we set conn_policy_cached,
- * CONN_INBOUND_POLICY_PRESENT() check can still evaluate true
- * because global policy cound be non-empty. We normally call
- * ipsec_check_policy() for conn_policy_cached connections only if
- * ipc_in_enforce_policy is set. But in this case,
- * conn_policy_cached can get set anytime since we made the
- * CONN_INBOUND_POLICY_PRESENT() check and ipsec_check_policy() is
- * called, which will make the above assumption false. Thus, we
- * need to insert after we set conn_policy_cached.
- */
- if ((error = ipsec_conn_cache_policy(connp, B_TRUE)) != 0)
- goto bad_addr;
+ if (ill != NULL)
+ ill_refrele(ill);
- if (fanout_insert) {
- /*
- * The addresses have been verified. Time to insert in
- * the correct fanout list.
- */
- error = ipcl_conn_insert(connp, protocol, src_addr,
- dst_addr, connp->conn_ports);
- }
+ return (error);
- if (error == 0) {
- connp->conn_fully_bound = B_TRUE;
- /*
- * Our initial checks for LSO/MDT have passed; the IRE is not
- * LOCAL/LOOPBACK/BROADCAST, and the link layer seems to
- * be supporting LSO/MDT. Pass the IRE, IPC and ILL into
- * ip_xxinfo_return(), which performs further checks
- * against them and upon success, returns the LSO/MDT info
- * mblk which we will attach to the bind acknowledgment.
- */
- if (lso_dst_ire != NULL) {
- mblk_t *lsoinfo_mp;
-
- ASSERT(ill->ill_lso_capab != NULL);
- if ((lsoinfo_mp = ip_lsoinfo_return(lso_dst_ire, connp,
- ill->ill_name, ill->ill_lso_capab)) != NULL) {
- if (mp == NULL) {
- *mpp = lsoinfo_mp;
- } else {
- linkb(mp, lsoinfo_mp);
- }
- }
- } else if (md_dst_ire != NULL) {
- mblk_t *mdinfo_mp;
-
- ASSERT(ill->ill_mdt_capab != NULL);
- if ((mdinfo_mp = ip_mdinfo_return(md_dst_ire, connp,
- ill->ill_name, ill->ill_mdt_capab)) != NULL) {
- if (mp == NULL) {
- *mpp = mdinfo_mp;
- } else {
- linkb(mp, mdinfo_mp);
- }
- }
- }
- }
bad_addr:
- if (ipsec_policy_set) {
- ASSERT(mp != NULL);
- freeb(mp);
- /*
- * As of now assume that nothing else accompanies
- * IPSEC_POLICY_SET.
- */
- *mpp = NULL;
+ if (ire != NULL)
+ ire_refrele(ire);
+
+ if (ill != NULL)
+ ill_refrele(ill);
+
+ /*
+ * Make sure we don't leave an unreachable ixa_nce in place
+ * since ip_select_route is used when we unplumb i.e., remove
+ * references on ixa_ire, ixa_nce, and ixa_dce.
+ */
+ nce = ixa->ixa_nce;
+ if (nce != NULL && nce->nce_is_condemned) {
+ nce_refrele(nce);
+ ixa->ixa_nce = NULL;
+ ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
}
- if (src_ire != NULL)
- IRE_REFRELE(src_ire);
- if (dst_ire != NULL)
- IRE_REFRELE(dst_ire);
- if (sire != NULL)
- IRE_REFRELE(sire);
- if (md_dst_ire != NULL)
- IRE_REFRELE(md_dst_ire);
- if (lso_dst_ire != NULL)
- IRE_REFRELE(lso_dst_ire);
- if (effective_cred != NULL)
- crfree(effective_cred);
+
return (error);
}
-int
-ip_proto_bind_connected_v4(conn_t *connp, mblk_t **ire_mpp, uint8_t protocol,
- ipaddr_t *src_addrp, uint16_t lport, ipaddr_t dst_addr, uint16_t fport,
- boolean_t fanout_insert, boolean_t verify_dst, cred_t *cr)
+
+/*
+ * Get the base MTU for the case when path MTU discovery is not used.
+ * Takes the MTU of the IRE into account.
+ */
+uint_t
+ip_get_base_mtu(ill_t *ill, ire_t *ire)
{
- int error;
-
- ASSERT(!connp->conn_af_isv6);
- connp->conn_pkt_isv6 = B_FALSE;
- connp->conn_ulp = protocol;
-
- /* For raw socket, the local port is not set. */
- if (lport == 0)
- lport = connp->conn_lport;
- error = ip_bind_connected_v4(connp, ire_mpp, protocol,
- src_addrp, lport, dst_addr, fport, fanout_insert, verify_dst, cr);
- if (error < 0)
- error = -TBADADDR;
- return (error);
+ uint_t mtu = ill->ill_mtu;
+ uint_t iremtu = ire->ire_metrics.iulp_mtu;
+
+ if (iremtu != 0 && iremtu < mtu)
+ mtu = iremtu;
+
+ return (mtu);
}
/*
- * Get the ire in *mpp. Returns false if it fails (due to lack of space).
- * Prefers dst_ire over src_ire.
+ * Get the PMTU for the attributes. Handles both IPv4 and IPv6.
+ * Assumes that ixa_ire, dce, and nce have already been set up.
+ *
+ * The caller has set IXAF_PMTU_DISCOVERY if path MTU discovery is desired.
+ * We avoid path MTU discovery if it is disabled with ndd.
+ * Furtermore, if the path MTU is too small, then we don't set DF for IPv4.
+ *
+ * NOTE: We also used to turn it off for source routed packets. That
+ * is no longer required since the dce is per final destination.
*/
-static boolean_t
-ip_bind_get_ire_v4(mblk_t **mpp, ire_t *ire, iulp_t *ulp_info, ip_stack_t *ipst)
+uint_t
+ip_get_pmtu(ip_xmit_attr_t *ixa)
{
- mblk_t *mp = *mpp;
- ire_t *ret_ire;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ dce_t *dce;
+ nce_t *nce;
+ ire_t *ire;
+ uint_t pmtu;
- ASSERT(mp != NULL);
+ ire = ixa->ixa_ire;
+ dce = ixa->ixa_dce;
+ nce = ixa->ixa_nce;
- if (ire != NULL) {
- /*
- * mp initialized above to IRE_DB_REQ_TYPE
- * appended mblk. Its <upper protocol>'s
- * job to make sure there is room.
- */
- if ((mp->b_datap->db_lim - mp->b_rptr) < sizeof (ire_t))
- return (B_FALSE);
+ /*
+ * If path MTU discovery has been turned off by ndd, then we ignore
+ * any dce_pmtu and for IPv4 we will not set DF.
+ */
+ if (!ipst->ips_ip_path_mtu_discovery)
+ ixa->ixa_flags &= ~IXAF_PMTU_DISCOVERY;
- mp->b_datap->db_type = IRE_DB_TYPE;
- mp->b_wptr = mp->b_rptr + sizeof (ire_t);
- bcopy(ire, mp->b_rptr, sizeof (ire_t));
- ret_ire = (ire_t *)mp->b_rptr;
+ pmtu = IP_MAXPACKET;
+ /*
+ * Decide whether whether IPv4 sets DF
+ * For IPv6 "no DF" means to use the 1280 mtu
+ */
+ if (ixa->ixa_flags & IXAF_PMTU_DISCOVERY) {
+ ixa->ixa_flags |= IXAF_PMTU_IPV4_DF;
+ } else {
+ ixa->ixa_flags &= ~IXAF_PMTU_IPV4_DF;
+ if (!(ixa->ixa_flags & IXAF_IS_IPV4))
+ pmtu = IPV6_MIN_MTU;
+ }
+
+ /* Check if the PMTU is to old before we use it */
+ if ((dce->dce_flags & DCEF_PMTU) &&
+ TICK_TO_SEC(lbolt64) - dce->dce_last_change_time >
+ ipst->ips_ip_pathmtu_interval) {
/*
- * Pass the latest setting of the ip_path_mtu_discovery and
- * copy the ulp info if any.
+ * Older than 20 minutes. Drop the path MTU information.
*/
- ret_ire->ire_frag_flag |= (ipst->ips_ip_path_mtu_discovery) ?
- IPH_DF : 0;
- if (ulp_info != NULL) {
- bcopy(ulp_info, &(ret_ire->ire_uinfo),
- sizeof (iulp_t));
+ mutex_enter(&dce->dce_lock);
+ dce->dce_flags &= ~(DCEF_PMTU|DCEF_TOO_SMALL_PMTU);
+ dce->dce_last_change_time = TICK_TO_SEC(lbolt64);
+ mutex_exit(&dce->dce_lock);
+ dce_increment_generation(dce);
+ }
+
+ /* The metrics on the route can lower the path MTU */
+ if (ire->ire_metrics.iulp_mtu != 0 &&
+ ire->ire_metrics.iulp_mtu < pmtu)
+ pmtu = ire->ire_metrics.iulp_mtu;
+
+ /*
+ * If the path MTU is smaller than some minimum, we still use dce_pmtu
+ * above (would be 576 for IPv4 and 1280 for IPv6), but we clear
+ * IXAF_PMTU_IPV4_DF so that we avoid setting DF for IPv4.
+ */
+ if (ixa->ixa_flags & IXAF_PMTU_DISCOVERY) {
+ if (dce->dce_flags & DCEF_PMTU) {
+ if (dce->dce_pmtu < pmtu)
+ pmtu = dce->dce_pmtu;
+
+ if (dce->dce_flags & DCEF_TOO_SMALL_PMTU) {
+ ixa->ixa_flags |= IXAF_PMTU_TOO_SMALL;
+ ixa->ixa_flags &= ~IXAF_PMTU_IPV4_DF;
+ } else {
+ ixa->ixa_flags &= ~IXAF_PMTU_TOO_SMALL;
+ ixa->ixa_flags |= IXAF_PMTU_IPV4_DF;
+ }
+ } else {
+ ixa->ixa_flags &= ~IXAF_PMTU_TOO_SMALL;
+ ixa->ixa_flags |= IXAF_PMTU_IPV4_DF;
}
- ret_ire->ire_mp = mp;
- } else {
+ }
+
+ /*
+ * If we have an IRE_LOCAL we use the loopback mtu instead of
+ * the ill for going out the wire i.e., IRE_LOCAL gets the same
+ * mtu as IRE_LOOPBACK.
+ */
+ if (ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK)) {
+ uint_t loopback_mtu;
+
+ loopback_mtu = (ire->ire_ipversion == IPV6_VERSION) ?
+ ip_loopback_mtu_v6plus : ip_loopback_mtuplus;
+
+ if (loopback_mtu < pmtu)
+ pmtu = loopback_mtu;
+ } else if (nce != NULL) {
/*
- * No IRE was found. Remove IRE mblk.
+ * Make sure we don't exceed the interface MTU.
+ * In the case of RTF_REJECT or RTF_BLACKHOLE we might not have
+ * an ill. We'd use the above IP_MAXPACKET in that case just
+ * to tell the transport something larger than zero.
*/
- *mpp = mp->b_cont;
- freeb(mp);
+ if (nce->nce_common->ncec_ill->ill_mtu < pmtu)
+ pmtu = nce->nce_common->ncec_ill->ill_mtu;
+ if (nce->nce_common->ncec_ill != nce->nce_ill &&
+ nce->nce_ill->ill_mtu < pmtu) {
+ /*
+ * for interfaces in an IPMP group, the mtu of
+ * the nce_ill (under_ill) could be different
+ * from the mtu of the ncec_ill, so we take the
+ * min of the two.
+ */
+ pmtu = nce->nce_ill->ill_mtu;
+ }
}
- return (B_TRUE);
+
+ /*
+ * Handle the IPV6_USE_MIN_MTU socket option or ancillary data.
+ * Only applies to IPv6.
+ */
+ if (!(ixa->ixa_flags & IXAF_IS_IPV4)) {
+ if (ixa->ixa_flags & IXAF_USE_MIN_MTU) {
+ switch (ixa->ixa_use_min_mtu) {
+ case IPV6_USE_MIN_MTU_MULTICAST:
+ if (ire->ire_type & IRE_MULTICAST)
+ pmtu = IPV6_MIN_MTU;
+ break;
+ case IPV6_USE_MIN_MTU_ALWAYS:
+ pmtu = IPV6_MIN_MTU;
+ break;
+ case IPV6_USE_MIN_MTU_NEVER:
+ break;
+ }
+ } else {
+ /* Default is IPV6_USE_MIN_MTU_MULTICAST */
+ if (ire->ire_type & IRE_MULTICAST)
+ pmtu = IPV6_MIN_MTU;
+ }
+ }
+
+ /*
+ * After receiving an ICMPv6 "packet too big" message with a
+ * MTU < 1280, and for multirouted IPv6 packets, the IP layer
+ * will insert a 8-byte fragment header in every packet. We compensate
+ * for those cases by returning a smaller path MTU to the ULP.
+ *
+ * In the case of CGTP then ip_output will add a fragment header.
+ * Make sure there is room for it by telling a smaller number
+ * to the transport.
+ *
+ * When IXAF_IPV6_ADDR_FRAGHDR we subtract the frag hdr here
+ * so the ULPs consistently see a iulp_pmtu and ip_get_pmtu()
+ * which is the size of the packets it can send.
+ */
+ if (!(ixa->ixa_flags & IXAF_IS_IPV4)) {
+ if ((dce->dce_flags & DCEF_TOO_SMALL_PMTU) ||
+ (ire->ire_flags & RTF_MULTIRT) ||
+ (ixa->ixa_flags & IXAF_MULTIRT_MULTICAST)) {
+ pmtu -= sizeof (ip6_frag_t);
+ ixa->ixa_flags |= IXAF_IPV6_ADD_FRAGHDR;
+ }
+ }
+
+ return (pmtu);
}
/*
@@ -5386,6 +4128,7 @@ ip_modclose(ill_t *ill)
queue_t *q = ill->ill_rq;
ip_stack_t *ipst = ill->ill_ipst;
int i;
+ arl_ill_common_t *ai = ill->ill_common;
/*
* The punlink prior to this may have initiated a capability
@@ -5452,6 +4195,7 @@ ip_modclose(ill_t *ill)
mutex_enter(&ill->ill_lock);
while (!ill_is_freeable(ill))
cv_wait(&ill->ill_cv, &ill->ill_lock);
+
while (ill->ill_waiters)
cv_wait(&ill->ill_cv, &ill->ill_lock);
@@ -5466,12 +4210,16 @@ ip_modclose(ill_t *ill)
/* qprocsoff is done via ill_delete_tail */
ill_delete_tail(ill);
+ /*
+ * synchronously wait for arp stream to unbind. After this, we
+ * cannot get any data packets up from the driver.
+ */
+ arp_unbind_complete(ill);
ASSERT(ill->ill_ipst == NULL);
/*
- * Walk through all upper (conn) streams and qenable
- * those that have queued data.
- * close synchronization needs this to
+ * Walk through all conns and qenable those that have queued data.
+ * Close synchronization needs this to
* be done to ensure that all upper layers blocked
* due to flow control to the closing device
* get unblocked.
@@ -5481,6 +4229,25 @@ ip_modclose(ill_t *ill)
conn_walk_drain(ipst, &ipst->ips_idl_tx_list[i]);
}
+ /*
+ * ai can be null if this is an IPv6 ill, or if the IPv4
+ * stream is being torn down before ARP was plumbed (e.g.,
+ * /sbin/ifconfig plumbing a stream twice, and encountering
+ * an error
+ */
+ if (ai != NULL) {
+ ASSERT(!ill->ill_isv6);
+ mutex_enter(&ai->ai_lock);
+ ai->ai_ill = NULL;
+ if (ai->ai_arl == NULL) {
+ mutex_destroy(&ai->ai_lock);
+ kmem_free(ai, sizeof (*ai));
+ } else {
+ cv_signal(&ai->ai_ill_unplumb_done);
+ mutex_exit(&ai->ai_lock);
+ }
+ }
+
mutex_enter(&ipst->ips_ip_mi_lock);
mi_close_unlink(&ipst->ips_ip_g_head, (IDP)ill);
mutex_exit(&ipst->ips_ip_mi_lock);
@@ -5492,6 +4259,12 @@ ip_modclose(ill_t *ill)
if (ill->ill_credp != NULL)
crfree(ill->ill_credp);
+ mutex_destroy(&ill->ill_saved_ire_lock);
+ mutex_destroy(&ill->ill_lock);
+ rw_destroy(&ill->ill_mcast_lock);
+ mutex_destroy(&ill->ill_mcast_serializer);
+ list_destroy(&ill->ill_nce);
+
/*
* Now we are done with the module close pieces that
* need the netstack_t.
@@ -5525,11 +4298,8 @@ ip_quiesce_conn(conn_t *connp)
* Mark the conn as closing, and this conn must not be
* inserted in future into any list. Eg. conn_drain_insert(),
* won't insert this conn into the conn_drain_list.
- * Similarly ill_pending_mp_add() will not add any mp to
- * the pending mp list, after this conn has started closing.
*
- * conn_idl, conn_pending_ill, conn_down_pending_ill, conn_ilg
- * cannot get set henceforth.
+ * conn_idl, and conn_ilg cannot get set henceforth.
*/
mutex_enter(&connp->conn_lock);
ASSERT(!(connp->conn_state_flags & CONN_QUIESCED));
@@ -5541,9 +4311,10 @@ ip_quiesce_conn(conn_t *connp)
if (connp->conn_dhcpinit_ill != NULL) {
ASSERT(connp->conn_dhcpinit_ill->ill_dhcpinit != 0);
atomic_dec_32(&connp->conn_dhcpinit_ill->ill_dhcpinit);
+ ill_set_inputfn(connp->conn_dhcpinit_ill);
connp->conn_dhcpinit_ill = NULL;
}
- if (connp->conn_ilg_inuse != 0)
+ if (connp->conn_ilg != NULL)
ilg_cleanup_reqd = B_TRUE;
mutex_exit(&connp->conn_lock);
@@ -5552,7 +4323,7 @@ ip_quiesce_conn(conn_t *connp)
if (is_system_labeled() && connp->conn_anon_port) {
(void) tsol_mlp_anon(crgetzone(connp->conn_cred),
- connp->conn_mlp_type, connp->conn_ulp,
+ connp->conn_mlp_type, connp->conn_proto,
ntohs(connp->conn_lport), B_FALSE);
connp->conn_anon_port = 0;
}
@@ -5568,21 +4339,22 @@ ip_quiesce_conn(conn_t *connp)
/*
* Remove this conn from the drain list, and do
* any other cleanup that may be required.
- * (Only non-tcp streams may have a non-null conn_idl.
- * TCP streams are never flow controlled, and
+ * (Only non-tcp conns may have a non-null conn_idl.
+ * TCP conns are never flow controlled, and
* conn_idl will be null)
*/
- if (drain_cleanup_reqd)
+ if (drain_cleanup_reqd && connp->conn_idl != NULL) {
+ mutex_enter(&connp->conn_idl->idl_lock);
conn_drain_tail(connp, B_TRUE);
+ mutex_exit(&connp->conn_idl->idl_lock);
+ }
if (connp == ipst->ips_ip_g_mrouter)
- (void) ip_mrouter_done(NULL, ipst);
+ (void) ip_mrouter_done(ipst);
if (ilg_cleanup_reqd)
ilg_delete_all(connp);
- conn_delete_ire(connp, NULL);
-
/*
* Now conn refcnt can increase only thru CONN_INC_REF_LOCKED.
* callers from write side can't be there now because close
@@ -5603,8 +4375,6 @@ ip_close(queue_t *q, int flags)
{
conn_t *connp;
- TRACE_1(TR_FAC_IP, TR_IP_CLOSE, "ip_close: q %p", q);
-
/*
* Call the appropriate delete routine depending on whether this is
* a module or device.
@@ -5646,13 +4416,21 @@ ip_close(queue_t *q, int flags)
*/
/*ARGSUSED2*/
static void
-ip_conn_input(void *arg1, mblk_t *mp, void *arg2)
+ip_conn_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
{
conn_t *connp = (conn_t *)arg1;
putnext(connp->conn_rq, mp);
}
+/* Dummy in case ICMP error delivery is attempted to a /dev/ip instance */
+/* ARGSUSED */
+static void
+ip_conn_input_icmp(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
+{
+ freemsg(mp);
+}
+
/*
* Called when the module is about to be unloaded
*/
@@ -5667,6 +4445,7 @@ ip_ddi_destroy(void)
sctp_ddi_g_destroy();
tcp_ddi_g_destroy();
ilb_ddi_g_destroy();
+ dce_g_destroy();
ipsec_policy_g_destroy();
ipcl_g_destroy();
ip_net_g_destroy();
@@ -5709,16 +4488,12 @@ ip_stack_shutdown(netstackid_t stackid, void *arg)
*/
ipv4_hook_shutdown(ipst);
ipv6_hook_shutdown(ipst);
+ arp_hook_shutdown(ipst);
mutex_enter(&ipst->ips_capab_taskq_lock);
ipst->ips_capab_taskq_quit = B_TRUE;
cv_signal(&ipst->ips_capab_taskq_cv);
mutex_exit(&ipst->ips_capab_taskq_lock);
-
- mutex_enter(&ipst->ips_mrt_lock);
- ipst->ips_mrt_flags |= IP_MRT_STOP;
- cv_signal(&ipst->ips_mrt_cv);
- mutex_exit(&ipst->ips_mrt_lock);
}
/*
@@ -5741,18 +4516,12 @@ ip_stack_fini(netstackid_t stackid, void *arg)
ipobs_fini(ipst);
ipv4_hook_destroy(ipst);
ipv6_hook_destroy(ipst);
+ arp_hook_destroy(ipst);
ip_net_destroy(ipst);
mutex_destroy(&ipst->ips_capab_taskq_lock);
cv_destroy(&ipst->ips_capab_taskq_cv);
- mutex_enter(&ipst->ips_mrt_lock);
- while (!(ipst->ips_mrt_flags & IP_MRT_DONE))
- cv_wait(&ipst->ips_mrt_done_cv, &ipst->ips_mrt_lock);
- mutex_destroy(&ipst->ips_mrt_lock);
- cv_destroy(&ipst->ips_mrt_cv);
- cv_destroy(&ipst->ips_mrt_done_cv);
-
ipmp_destroy(ipst);
rw_destroy(&ipst->ips_srcid_lock);
@@ -5773,10 +4542,10 @@ ip_stack_fini(netstackid_t stackid, void *arg)
kmem_free(ipst->ips_ndp_arr, sizeof (lcl_ndp_arr));
ipst->ips_ndp_arr = NULL;
+ dce_stack_destroy(ipst);
ip_mrouter_stack_destroy(ipst);
mutex_destroy(&ipst->ips_ip_mi_lock);
- rw_destroy(&ipst->ips_ipsec_capab_ills_lock);
rw_destroy(&ipst->ips_ill_g_usesrc_lock);
rw_destroy(&ipst->ips_ip_g_nd_lock);
@@ -5808,13 +4577,6 @@ ip_stack_fini(netstackid_t stackid, void *arg)
ASSERT(ipst->ips_mld_slowtimeout_id != 0);
ipst->ips_mld_slowtimeout_id = 0;
}
- ret = untimeout(ipst->ips_ip_ire_expire_id);
- if (ret == -1) {
- ASSERT(ipst->ips_ip_ire_expire_id == 0);
- } else {
- ASSERT(ipst->ips_ip_ire_expire_id != 0);
- ipst->ips_ip_ire_expire_id = 0;
- }
mutex_destroy(&ipst->ips_igmp_timer_lock);
mutex_destroy(&ipst->ips_mld_timer_lock);
@@ -5915,6 +4677,10 @@ ip_ddi_init(void)
list_create(&ip_thread_list, sizeof (th_hash_t),
offsetof(th_hash_t, thh_link));
#endif
+ ipsec_policy_g_init();
+ tcp_ddi_g_init();
+ sctp_ddi_g_init();
+ dce_g_init();
/*
* We want to be informed each time a stack is created or
@@ -5924,10 +4690,6 @@ ip_ddi_init(void)
netstack_register(NS_IP, ip_stack_init, ip_stack_shutdown,
ip_stack_fini);
- ipsec_policy_g_init();
- tcp_ddi_g_init();
- sctp_ddi_g_init();
-
tnet_init();
udp_ddi_g_init();
@@ -5973,7 +4735,6 @@ ip_stack_init(netstackid_t stackid, netstack_t *ns)
mutex_init(&ipst->ips_ip_mi_lock, NULL, MUTEX_DEFAULT, NULL);
mutex_init(&ipst->ips_ip_addr_avail_lock, NULL, MUTEX_DEFAULT, NULL);
rw_init(&ipst->ips_ill_g_lock, NULL, RW_DEFAULT, NULL);
- rw_init(&ipst->ips_ipsec_capab_ills_lock, NULL, RW_DEFAULT, NULL);
rw_init(&ipst->ips_ill_g_usesrc_lock, NULL, RW_DEFAULT, NULL);
ipcl_init(ipst);
@@ -5982,6 +4743,7 @@ ip_stack_init(netstackid_t stackid, netstack_t *ns)
ipif_init(ipst);
conn_drain_init(ipst);
ip_mrouter_stack_init(ipst);
+ dce_stack_init(ipst);
ipst->ips_ip_g_frag_timeout = IP_FRAG_TIMEOUT;
ipst->ips_ip_g_frag_timo_ms = IP_FRAG_TIMEOUT * 1000;
@@ -6026,9 +4788,12 @@ ip_stack_init(netstackid_t stackid, netstack_t *ns)
ipst->ips_ip_src_id = 1;
rw_init(&ipst->ips_srcid_lock, NULL, RW_DEFAULT, NULL);
+ ipst->ips_src_generation = SRC_GENERATION_INITIAL;
+
ip_net_init(ipst, ns);
ipv4_hook_init(ipst);
ipv6_hook_init(ipst);
+ arp_hook_init(ipst);
ipmp_init(ipst);
ipobs_init(ipst);
@@ -6040,15 +4805,6 @@ ip_stack_init(netstackid_t stackid, netstack_t *ns)
mutex_init(&ipst->ips_capab_taskq_lock, NULL, MUTEX_DEFAULT, NULL);
cv_init(&ipst->ips_capab_taskq_cv, NULL, CV_DEFAULT, NULL);
- /*
- * Create the mcast_restart_timers_thread() worker thread.
- */
- mutex_init(&ipst->ips_mrt_lock, NULL, MUTEX_DEFAULT, NULL);
- cv_init(&ipst->ips_mrt_cv, NULL, CV_DEFAULT, NULL);
- cv_init(&ipst->ips_mrt_done_cv, NULL, CV_DEFAULT, NULL);
- ipst->ips_mrt_thread = thread_create(NULL, 0,
- mcast_restart_timers_thread, ipst, 0, &p0, TS_RUN, minclsyspri);
-
major = mod_name_to_major(INET_NAME);
(void) ldi_ident_from_major(major, &ipst->ips_ldi_ident);
return (ipst);
@@ -6161,37 +4917,26 @@ mac_colon_addr(const uint8_t *addr, size_t alen, char *buf, size_t buflen)
}
/*
- * Send an ICMP error after patching up the packet appropriately. Returns
- * non-zero if the appropriate MIB should be bumped; zero otherwise.
+ * Called when it is conceptually a ULP that would sent the packet
+ * e.g., port unreachable and protocol unreachable. Check that the packet
+ * would have passed the IPsec global policy before sending the error.
+ *
+ * Send an ICMP error after patching up the packet appropriately.
+ * Uses ip_drop_input and bumps the appropriate MIB.
*/
-static boolean_t
-ip_fanout_send_icmp(queue_t *q, mblk_t *mp, uint_t flags,
- uint_t icmp_type, uint_t icmp_code, boolean_t mctl_present,
- zoneid_t zoneid, ip_stack_t *ipst)
+void
+ip_fanout_send_icmp_v4(mblk_t *mp, uint_t icmp_type, uint_t icmp_code,
+ ip_recv_attr_t *ira)
{
- ipha_t *ipha;
- mblk_t *first_mp;
- boolean_t secure;
- unsigned char db_type;
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
+ ipha_t *ipha;
+ boolean_t secure;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ netstack_t *ns = ipst->ips_netstack;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+
+ secure = ira->ira_flags & IRAF_IPSEC_SECURE;
- first_mp = mp;
- if (mctl_present) {
- mp = mp->b_cont;
- secure = ipsec_in_is_secure(first_mp);
- ASSERT(mp != NULL);
- } else {
- /*
- * If this is an ICMP error being reported - which goes
- * up as M_CTLs, we need to convert them to M_DATA till
- * we finish checking with global policy because
- * ipsec_check_global_policy() assumes M_DATA as clear
- * and M_CTL as secure.
- */
- db_type = DB_TYPE(mp);
- DB_TYPE(mp) = M_DATA;
- secure = B_FALSE;
- }
/*
* We are generating an icmp error for some inbound packet.
* Called from all ip_fanout_(udp, tcp, proto) functions.
@@ -6201,47 +4946,52 @@ ip_fanout_send_icmp(queue_t *q, mblk_t *mp, uint_t flags,
*/
ipha = (ipha_t *)mp->b_rptr;
if (secure || ipss->ipsec_inbound_v4_policy_present) {
- first_mp = ipsec_check_global_policy(first_mp, NULL,
- ipha, NULL, mctl_present, ipst->ips_netstack);
- if (first_mp == NULL)
- return (B_FALSE);
+ mp = ipsec_check_global_policy(mp, NULL, ipha, NULL, ira, ns);
+ if (mp == NULL)
+ return;
}
- if (!mctl_present)
- DB_TYPE(mp) = db_type;
+ /* We never send errors for protocols that we do implement */
+ if (ira->ira_protocol == IPPROTO_ICMP ||
+ ira->ira_protocol == IPPROTO_IGMP) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ip_fanout_send_icmp_v4", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ /*
+ * Have to correct checksum since
+ * the packet might have been
+ * fragmented and the reassembly code in ip_rput
+ * does not restore the IP checksum.
+ */
+ ipha->ipha_hdr_checksum = 0;
+ ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
- if (flags & IP_FF_SEND_ICMP) {
- if (flags & IP_FF_HDR_COMPLETE) {
- if (ip_hdr_complete(ipha, zoneid, ipst)) {
- freemsg(first_mp);
- return (B_TRUE);
- }
- }
- if (flags & IP_FF_CKSUM) {
- /*
- * Have to correct checksum since
- * the packet might have been
- * fragmented and the reassembly code in ip_rput
- * does not restore the IP checksum.
- */
- ipha->ipha_hdr_checksum = 0;
- ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
- }
- switch (icmp_type) {
- case ICMP_DEST_UNREACHABLE:
- icmp_unreachable(WR(q), first_mp, icmp_code, zoneid,
- ipst);
+ switch (icmp_type) {
+ case ICMP_DEST_UNREACHABLE:
+ switch (icmp_code) {
+ case ICMP_PROTOCOL_UNREACHABLE:
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInUnknownProtos);
+ ip_drop_input("ipIfStatsInUnknownProtos", mp, ill);
break;
- default:
- freemsg(first_mp);
+ case ICMP_PORT_UNREACHABLE:
+ BUMP_MIB(ill->ill_ip_mib, udpIfStatsNoPorts);
+ ip_drop_input("ipIfStatsNoPorts", mp, ill);
break;
}
- } else {
- freemsg(first_mp);
- return (B_FALSE);
- }
- return (B_TRUE);
+ icmp_unreachable(mp, icmp_code, ira);
+ break;
+ default:
+#ifdef DEBUG
+ panic("ip_fanout_send_icmp_v4: wrong type");
+ /*NOTREACHED*/
+#else
+ freemsg(mp);
+ break;
+#endif
+ }
}
/*
@@ -6250,66 +5000,86 @@ ip_fanout_send_icmp(queue_t *q, mblk_t *mp, uint_t flags,
* is consumed by this function.
*/
void
-ip_proto_not_sup(queue_t *q, mblk_t *ipsec_mp, uint_t flags, zoneid_t zoneid,
- ip_stack_t *ipst)
+ip_proto_not_sup(mblk_t *mp, ip_recv_attr_t *ira)
{
- mblk_t *mp;
- ipha_t *ipha;
- ill_t *ill;
- ipsec_in_t *ii;
-
- ii = (ipsec_in_t *)ipsec_mp->b_rptr;
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
+ ipha_t *ipha;
- mp = ipsec_mp->b_cont;
- ipsec_mp->b_cont = NULL;
ipha = (ipha_t *)mp->b_rptr;
- /* Get ill from index in ipsec_in_t. */
- ill = ill_lookup_on_ifindex(ii->ipsec_in_ill_index,
- (IPH_HDR_VERSION(ipha) == IPV6_VERSION), NULL, NULL, NULL, NULL,
- ipst);
- if (ill != NULL) {
- if (IPH_HDR_VERSION(ipha) == IP_VERSION) {
- if (ip_fanout_send_icmp(q, mp, flags,
- ICMP_DEST_UNREACHABLE,
- ICMP_PROTOCOL_UNREACHABLE, B_FALSE, zoneid, ipst)) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInUnknownProtos);
- }
- } else {
- if (ip_fanout_send_icmp_v6(q, mp, flags,
- ICMP6_PARAM_PROB, ICMP6_PARAMPROB_NEXTHEADER,
- 0, B_FALSE, zoneid, ipst)) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInUnknownProtos);
- }
- }
- ill_refrele(ill);
- } else { /* re-link for the freemsg() below. */
- ipsec_mp->b_cont = mp;
+ if (ira->ira_flags & IRAF_IS_IPV4) {
+ ASSERT(IPH_HDR_VERSION(ipha) == IP_VERSION);
+ ip_fanout_send_icmp_v4(mp, ICMP_DEST_UNREACHABLE,
+ ICMP_PROTOCOL_UNREACHABLE, ira);
+ } else {
+ ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION);
+ ip_fanout_send_icmp_v6(mp, ICMP6_PARAM_PROB,
+ ICMP6_PARAMPROB_NEXTHEADER, ira);
}
-
- /* If ICMP delivered, ipsec_mp will be a singleton (b_cont == NULL). */
- freemsg(ipsec_mp);
}
/*
- * See if the inbound datagram has had IPsec processing applied to it.
+ * Deliver a rawip packet to the given conn, possibly applying ipsec policy.
+ * Handles IPv4 and IPv6.
+ * We are responsible for disposing of mp, such as by freemsg() or putnext()
+ * Caller is responsible for dropping references to the conn.
*/
-boolean_t
-ipsec_in_is_secure(mblk_t *ipsec_mp)
+void
+ip_fanout_proto_conn(conn_t *connp, mblk_t *mp, ipha_t *ipha, ip6_t *ip6h,
+ ip_recv_attr_t *ira)
{
- ipsec_in_t *ii;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
+ boolean_t secure;
+ uint_t protocol = ira->ira_protocol;
+ iaflags_t iraflags = ira->ira_flags;
+ queue_t *rq;
+
+ secure = iraflags & IRAF_IPSEC_SECURE;
+
+ rq = connp->conn_rq;
+ if (IPCL_IS_NONSTR(connp) ? connp->conn_flow_cntrld : !canputnext(rq)) {
+ switch (protocol) {
+ case IPPROTO_ICMPV6:
+ BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInOverflows);
+ break;
+ case IPPROTO_ICMP:
+ BUMP_MIB(&ipst->ips_icmp_mib, icmpInOverflows);
+ break;
+ default:
+ BUMP_MIB(ill->ill_ip_mib, rawipIfStatsInOverflows);
+ break;
+ }
+ freemsg(mp);
+ return;
+ }
- ii = (ipsec_in_t *)ipsec_mp->b_rptr;
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
+ ASSERT(!(IPCL_IS_IPTUN(connp)));
- if (ii->ipsec_in_loopback) {
- return (ii->ipsec_in_secure);
+ if (((iraflags & IRAF_IS_IPV4) ?
+ CONN_INBOUND_POLICY_PRESENT(connp, ipss) :
+ CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss)) ||
+ secure) {
+ mp = ipsec_check_inbound_policy(mp, connp, ipha,
+ ip6h, ira);
+ if (mp == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ /* Note that mp is NULL */
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ return;
+ }
+ }
+
+ if (iraflags & IRAF_ICMP_ERROR) {
+ (connp->conn_recvicmp)(connp, mp, NULL, ira);
} else {
- return (ii->ipsec_in_ah_sa != NULL ||
- ii->ipsec_in_esp_sa != NULL ||
- ii->ipsec_in_decaps);
+ ill_t *rill = ira->ira_rill;
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ ira->ira_ill = ira->ira_rill = NULL;
+ /* Send it upstream */
+ (connp->conn_recv)(connp, mp, NULL, ira);
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
}
}
@@ -6336,65 +5106,33 @@ ipsec_in_is_secure(mblk_t *ipsec_mp)
* is used to negotiate SAs as SAs will be added only after
* verifying the policy.
*
- * IPQoS Notes:
- * Once we have determined the client, invoke IPPF processing.
- * Policy processing takes place only if the callout_position, IPP_LOCAL_IN,
- * is enabled. If we get here from icmp_inbound_error_fanout or ip_wput_local
- * ip_policy will be false.
- *
* Zones notes:
- * Currently only applications in the global zone can create raw sockets for
- * protocols other than ICMP. So unlike the broadcast / multicast case of
- * ip_fanout_udp(), we only send a copy of the packet to streams in the
- * specified zone. For ICMP, this is handled by the callers of icmp_inbound().
+ * Earlier in ip_input on a system with multiple shared-IP zones we
+ * duplicate the multicast and broadcast packets and send them up
+ * with each explicit zoneid that exists on that ill.
+ * This means that here we can match the zoneid with SO_ALLZONES being special.
*/
-static void
-ip_fanout_proto(queue_t *q, mblk_t *mp, ill_t *ill, ipha_t *ipha, uint_t flags,
- boolean_t mctl_present, boolean_t ip_policy, ill_t *recv_ill,
- zoneid_t zoneid)
+void
+ip_fanout_proto_v4(mblk_t *mp, ipha_t *ipha, ip_recv_attr_t *ira)
{
- queue_t *rq;
- mblk_t *mp1, *first_mp1;
- uint_t protocol = ipha->ipha_protocol;
- ipaddr_t dst;
- mblk_t *first_mp = mp;
- boolean_t secure;
- uint32_t ill_index;
- conn_t *connp, *first_connp, *next_connp;
- connf_t *connfp;
- boolean_t shared_addr;
- mib2_ipIfStatsEntry_t *mibptr;
- ip_stack_t *ipst = recv_ill->ill_ipst;
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
+ mblk_t *mp1;
+ ipaddr_t laddr;
+ conn_t *connp, *first_connp, *next_connp;
+ connf_t *connfp;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
- mibptr = (ill != NULL) ? ill->ill_ip_mib : &ipst->ips_ip_mib;
- if (mctl_present) {
- mp = first_mp->b_cont;
- secure = ipsec_in_is_secure(first_mp);
- ASSERT(mp != NULL);
- } else {
- secure = B_FALSE;
- }
- dst = ipha->ipha_dst;
- shared_addr = (zoneid == ALL_ZONES);
- if (shared_addr) {
- /*
- * We don't allow multilevel ports for raw IP, so no need to
- * check for that here.
- */
- zoneid = tsol_packet_to_zoneid(mp);
- }
+ laddr = ipha->ipha_dst;
- connfp = &ipst->ips_ipcl_proto_fanout[protocol];
+ connfp = &ipst->ips_ipcl_proto_fanout_v4[ira->ira_protocol];
mutex_enter(&connfp->connf_lock);
connp = connfp->connf_head;
for (connp = connfp->connf_head; connp != NULL;
connp = connp->conn_next) {
- if (IPCL_PROTO_MATCH(connp, protocol, ipha, ill, flags,
- zoneid) &&
- (!is_system_labeled() ||
- tsol_receive_local(mp, &dst, IPV4_VERSION, shared_addr,
- connp))) {
+ /* Note: IPCL_PROTO_MATCH includes conn_wantpacket */
+ if (IPCL_PROTO_MATCH(connp, ira, ipha) &&
+ (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
+ tsol_receive_local(mp, &laddr, IPV4_VERSION, ira, connp))) {
break;
}
}
@@ -6406,40 +5144,12 @@ ip_fanout_proto(queue_t *q, mblk_t *mp, ill_t *ill, ipha_t *ipha, uint_t flags,
* unclaimed datagrams?
*/
mutex_exit(&connfp->connf_lock);
- /*
- * Check for IPPROTO_ENCAP...
- */
- if (protocol == IPPROTO_ENCAP && ipst->ips_ip_g_mrouter) {
- /*
- * If an IPsec mblk is here on a multicast
- * tunnel (using ip_mroute stuff), check policy here,
- * THEN ship off to ip_mroute_decap().
- *
- * BTW, If I match a configured IP-in-IP
- * tunnel, this path will not be reached, and
- * ip_mroute_decap will never be called.
- */
- first_mp = ipsec_check_global_policy(first_mp, connp,
- ipha, NULL, mctl_present, ipst->ips_netstack);
- if (first_mp != NULL) {
- if (mctl_present)
- freeb(first_mp);
- ip_mroute_decap(q, mp, ill);
- } /* Else we already freed everything! */
- } else {
- /*
- * Otherwise send an ICMP protocol unreachable.
- */
- if (ip_fanout_send_icmp(q, first_mp, flags,
- ICMP_DEST_UNREACHABLE, ICMP_PROTOCOL_UNREACHABLE,
- mctl_present, zoneid, ipst)) {
- BUMP_MIB(mibptr, ipIfStatsInUnknownProtos);
- }
- }
+ ip_fanout_send_icmp_v4(mp, ICMP_DEST_UNREACHABLE,
+ ICMP_PROTOCOL_UNREACHABLE, ira);
return;
}
- ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_upq != NULL);
+ ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_rq != NULL);
CONN_INC_REF(connp);
first_connp = connp;
@@ -6447,111 +5157,35 @@ ip_fanout_proto(queue_t *q, mblk_t *mp, ill_t *ill, ipha_t *ipha, uint_t flags,
for (;;) {
while (connp != NULL) {
- if (IPCL_PROTO_MATCH(connp, protocol, ipha, ill,
- flags, zoneid) &&
- (!is_system_labeled() ||
- tsol_receive_local(mp, &dst, IPV4_VERSION,
- shared_addr, connp)))
+ /* Note: IPCL_PROTO_MATCH includes conn_wantpacket */
+ if (IPCL_PROTO_MATCH(connp, ira, ipha) &&
+ (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
+ tsol_receive_local(mp, &laddr, IPV4_VERSION,
+ ira, connp)))
break;
connp = connp->conn_next;
}
- /*
- * Copy the packet.
- */
- if (connp == NULL ||
- (((first_mp1 = dupmsg(first_mp)) == NULL) &&
- ((first_mp1 = ip_copymsg(first_mp)) == NULL))) {
- /*
- * No more interested clients or memory
- * allocation failed
- */
+ if (connp == NULL) {
+ /* No more interested clients */
connp = first_connp;
break;
}
- ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_rq != NULL);
- mp1 = mctl_present ? first_mp1->b_cont : first_mp1;
+ if (((mp1 = dupmsg(mp)) == NULL) &&
+ ((mp1 = copymsg(mp)) == NULL)) {
+ /* Memory allocation failed */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ connp = first_connp;
+ break;
+ }
+
CONN_INC_REF(connp);
mutex_exit(&connfp->connf_lock);
- rq = connp->conn_rq;
- /*
- * Check flow control
- */
- if ((IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
- (!IPCL_IS_NONSTR(connp) && !canputnext(rq))) {
- if (flags & IP_FF_RAWIP) {
- BUMP_MIB(mibptr, rawipIfStatsInOverflows);
- } else {
- BUMP_MIB(&ipst->ips_icmp_mib, icmpInOverflows);
- }
+ ip_fanout_proto_conn(connp, mp1, (ipha_t *)mp1->b_rptr, NULL,
+ ira);
- freemsg(first_mp1);
- } else {
- /*
- * Enforce policy like any other conn_t. Note that
- * IP-in-IP packets don't come through here, but
- * through ip_iptun_input() or
- * icmp_inbound_iptun_fanout(). IPsec policy for such
- * packets is enforced in the iptun module.
- */
- if (CONN_INBOUND_POLICY_PRESENT(connp, ipss) ||
- secure) {
- first_mp1 = ipsec_check_inbound_policy
- (first_mp1, connp, ipha, NULL,
- mctl_present);
- }
- if (first_mp1 != NULL) {
- int in_flags = 0;
- /*
- * ip_fanout_proto also gets called from
- * icmp_inbound_error_fanout, in which case
- * the msg type is M_CTL. Don't add info
- * in this case for the time being. In future
- * when there is a need for knowing the
- * inbound iface index for ICMP error msgs,
- * then this can be changed.
- */
- if (connp->conn_recvif)
- in_flags = IPF_RECVIF;
- /*
- * The ULP may support IP_RECVPKTINFO for both
- * IP v4 and v6 so pass the appropriate argument
- * based on conn IP version.
- */
- if (connp->conn_ip_recvpktinfo) {
- if (connp->conn_af_isv6) {
- /*
- * V6 only needs index
- */
- in_flags |= IPF_RECVIF;
- } else {
- /*
- * V4 needs index +
- * matching address.
- */
- in_flags |= IPF_RECVADDR;
- }
- }
- if ((in_flags != 0) &&
- (mp->b_datap->db_type != M_CTL)) {
- /*
- * the actual data will be
- * contained in b_cont upon
- * successful return of the
- * following call else
- * original mblk is returned
- */
- ASSERT(recv_ill != NULL);
- mp1 = ip_add_info(mp1, recv_ill,
- in_flags, IPCL_ZONEID(connp), ipst);
- }
- BUMP_MIB(mibptr, ipIfStatsHCInDelivers);
- if (mctl_present)
- freeb(first_mp1);
- (connp->conn_recv)(connp, mp1, NULL);
- }
- }
mutex_enter(&connfp->connf_lock);
/* Follow the next pointer before releasing the conn. */
next_connp = connp->conn_next;
@@ -6562,363 +5196,27 @@ ip_fanout_proto(queue_t *q, mblk_t *mp, ill_t *ill, ipha_t *ipha, uint_t flags,
/* Last one. Send it upstream. */
mutex_exit(&connfp->connf_lock);
- /*
- * If this packet is coming from icmp_inbound_error_fanout ip_policy
- * will be set to false.
- */
- if (IPP_ENABLED(IPP_LOCAL_IN, ipst) && ip_policy) {
- ill_index = ill->ill_phyint->phyint_ifindex;
- ip_process(IPP_LOCAL_IN, &mp, ill_index);
- if (mp == NULL) {
- CONN_DEC_REF(connp);
- if (mctl_present) {
- freeb(first_mp);
- }
- return;
- }
- }
-
- rq = connp->conn_rq;
- /*
- * Check flow control
- */
- if ((IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
- (!IPCL_IS_NONSTR(connp) && !canputnext(rq))) {
- if (flags & IP_FF_RAWIP) {
- BUMP_MIB(mibptr, rawipIfStatsInOverflows);
- } else {
- BUMP_MIB(&ipst->ips_icmp_mib, icmpInOverflows);
- }
-
- freemsg(first_mp);
- } else {
- ASSERT(!IPCL_IS_IPTUN(connp));
-
- if ((CONN_INBOUND_POLICY_PRESENT(connp, ipss) || secure)) {
- first_mp = ipsec_check_inbound_policy(first_mp, connp,
- ipha, NULL, mctl_present);
- }
-
- if (first_mp != NULL) {
- int in_flags = 0;
-
- /*
- * ip_fanout_proto also gets called
- * from icmp_inbound_error_fanout, in
- * which case the msg type is M_CTL.
- * Don't add info in this case for time
- * being. In future when there is a
- * need for knowing the inbound iface
- * index for ICMP error msgs, then this
- * can be changed
- */
- if (connp->conn_recvif)
- in_flags = IPF_RECVIF;
- if (connp->conn_ip_recvpktinfo) {
- if (connp->conn_af_isv6) {
- /*
- * V6 only needs index
- */
- in_flags |= IPF_RECVIF;
- } else {
- /*
- * V4 needs index +
- * matching address.
- */
- in_flags |= IPF_RECVADDR;
- }
- }
- if ((in_flags != 0) &&
- (mp->b_datap->db_type != M_CTL)) {
+ ip_fanout_proto_conn(connp, mp, ipha, NULL, ira);
- /*
- * the actual data will be contained in
- * b_cont upon successful return
- * of the following call else original
- * mblk is returned
- */
- ASSERT(recv_ill != NULL);
- mp = ip_add_info(mp, recv_ill,
- in_flags, IPCL_ZONEID(connp), ipst);
- }
- BUMP_MIB(mibptr, ipIfStatsHCInDelivers);
- (connp->conn_recv)(connp, mp, NULL);
- if (mctl_present)
- freeb(first_mp);
- }
- }
CONN_DEC_REF(connp);
}
/*
- * Serialize tcp resets by calling tcp_xmit_reset_serialize through
- * SQUEUE_ENTER_ONE(SQ_FILL). We do this to ensure the reset is handled on
- * the correct squeue, in this case the same squeue as a valid listener with
- * no current connection state for the packet we are processing. The function
- * is called for synchronizing both IPv4 and IPv6.
- */
-void
-ip_xmit_reset_serialize(mblk_t *mp, int hdrlen, zoneid_t zoneid,
- tcp_stack_t *tcps, conn_t *connp)
-{
- mblk_t *rst_mp;
- tcp_xmit_reset_event_t *eventp;
-
- rst_mp = allocb(sizeof (tcp_xmit_reset_event_t), BPRI_HI);
-
- if (rst_mp == NULL) {
- freemsg(mp);
- return;
- }
-
- rst_mp->b_datap->db_type = M_PROTO;
- rst_mp->b_wptr += sizeof (tcp_xmit_reset_event_t);
-
- eventp = (tcp_xmit_reset_event_t *)rst_mp->b_rptr;
- eventp->tcp_xre_event = TCP_XRE_EVENT_IP_FANOUT_TCP;
- eventp->tcp_xre_iphdrlen = hdrlen;
- eventp->tcp_xre_zoneid = zoneid;
- eventp->tcp_xre_tcps = tcps;
-
- rst_mp->b_cont = mp;
- mp = rst_mp;
-
- /*
- * Increment the connref, this ref will be released by the squeue
- * framework.
- */
- CONN_INC_REF(connp);
- SQUEUE_ENTER_ONE(connp->conn_sqp, mp, tcp_xmit_reset, connp,
- SQ_FILL, SQTAG_XMIT_EARLY_RESET);
-}
-
-/*
- * Fanout for TCP packets
- * The caller puts <fport, lport> in the ports parameter.
- *
- * IPQoS Notes
- * Before sending it to the client, invoke IPPF processing.
- * Policy processing takes place only if the callout_position, IPP_LOCAL_IN,
- * is enabled. If we get here from icmp_inbound_error_fanout or ip_wput_local
- * ip_policy is false.
- */
-static void
-ip_fanout_tcp(queue_t *q, mblk_t *mp, ill_t *recv_ill, ipha_t *ipha,
- uint_t flags, boolean_t mctl_present, boolean_t ip_policy, zoneid_t zoneid)
-{
- mblk_t *first_mp;
- boolean_t secure;
- uint32_t ill_index;
- int ip_hdr_len;
- tcph_t *tcph;
- boolean_t syn_present = B_FALSE;
- conn_t *connp;
- ip_stack_t *ipst = recv_ill->ill_ipst;
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
-
- ASSERT(recv_ill != NULL);
-
- first_mp = mp;
- if (mctl_present) {
- ASSERT(first_mp->b_datap->db_type == M_CTL);
- mp = first_mp->b_cont;
- secure = ipsec_in_is_secure(first_mp);
- ASSERT(mp != NULL);
- } else {
- secure = B_FALSE;
- }
-
- ip_hdr_len = IPH_HDR_LENGTH(mp->b_rptr);
-
- if ((connp = ipcl_classify_v4(mp, IPPROTO_TCP, ip_hdr_len,
- zoneid, ipst)) == NULL) {
- /*
- * No connected connection or listener. Send a
- * TH_RST via tcp_xmit_listeners_reset.
- */
-
- /* Initiate IPPf processing, if needed. */
- if (IPP_ENABLED(IPP_LOCAL_IN, ipst)) {
- uint32_t ill_index;
- ill_index = recv_ill->ill_phyint->phyint_ifindex;
- ip_process(IPP_LOCAL_IN, &first_mp, ill_index);
- if (first_mp == NULL)
- return;
- }
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsHCInDelivers);
- ip2dbg(("ip_fanout_tcp: no listener; send reset to zone %d\n",
- zoneid));
- tcp_xmit_listeners_reset(first_mp, ip_hdr_len, zoneid,
- ipst->ips_netstack->netstack_tcp, NULL);
- return;
- }
-
- /*
- * Allocate the SYN for the TCP connection here itself
- */
- tcph = (tcph_t *)&mp->b_rptr[ip_hdr_len];
- if ((tcph->th_flags[0] & (TH_SYN|TH_ACK|TH_RST|TH_URG)) == TH_SYN) {
- if (IPCL_IS_TCP(connp)) {
- squeue_t *sqp;
-
- /*
- * If the queue belongs to a conn, and fused tcp
- * loopback is enabled, assign the eager's squeue
- * to be that of the active connect's. Note that
- * we don't check for IP_FF_LOOPBACK here since this
- * routine gets called only for loopback (unlike the
- * IPv6 counterpart).
- */
- if (do_tcp_fusion &&
- CONN_Q(q) && IPCL_IS_TCP(Q_TO_CONN(q)) &&
- !CONN_INBOUND_POLICY_PRESENT(connp, ipss) &&
- !secure &&
- !IPP_ENABLED(IPP_LOCAL_IN, ipst) && !ip_policy) {
- ASSERT(Q_TO_CONN(q)->conn_sqp != NULL);
- sqp = Q_TO_CONN(q)->conn_sqp;
- } else {
- sqp = IP_SQUEUE_GET(lbolt);
- }
-
- mp->b_datap->db_struioflag |= STRUIO_EAGER;
- DB_CKSUMSTART(mp) = (intptr_t)sqp;
- syn_present = B_TRUE;
- }
- }
-
- if (IPCL_IS_TCP(connp) && IPCL_IS_BOUND(connp) && !syn_present) {
- uint_t flags = (unsigned int)tcph->th_flags[0] & 0xFF;
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsHCInDelivers);
- if ((flags & TH_RST) || (flags & TH_URG)) {
- CONN_DEC_REF(connp);
- freemsg(first_mp);
- return;
- }
- if (flags & TH_ACK) {
- ip_xmit_reset_serialize(first_mp, ip_hdr_len, zoneid,
- ipst->ips_netstack->netstack_tcp, connp);
- CONN_DEC_REF(connp);
- return;
- }
-
- CONN_DEC_REF(connp);
- freemsg(first_mp);
- return;
- }
-
- if (CONN_INBOUND_POLICY_PRESENT(connp, ipss) || secure) {
- first_mp = ipsec_check_inbound_policy(first_mp, connp, ipha,
- NULL, mctl_present);
- if (first_mp == NULL) {
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
- CONN_DEC_REF(connp);
- return;
- }
- if (IPCL_IS_TCP(connp) && IPCL_IS_BOUND(connp)) {
- ASSERT(syn_present);
- if (mctl_present) {
- ASSERT(first_mp != mp);
- first_mp->b_datap->db_struioflag |=
- STRUIO_POLICY;
- } else {
- ASSERT(first_mp == mp);
- mp->b_datap->db_struioflag &=
- ~STRUIO_EAGER;
- mp->b_datap->db_struioflag |=
- STRUIO_POLICY;
- }
- } else {
- /*
- * Discard first_mp early since we're dealing with a
- * fully-connected conn_t and tcp doesn't do policy in
- * this case.
- */
- if (mctl_present) {
- freeb(first_mp);
- mctl_present = B_FALSE;
- }
- first_mp = mp;
- }
- }
-
- /*
- * Initiate policy processing here if needed. If we get here from
- * icmp_inbound_error_fanout, ip_policy is false.
- */
- if (IPP_ENABLED(IPP_LOCAL_IN, ipst) && ip_policy) {
- ill_index = recv_ill->ill_phyint->phyint_ifindex;
- ip_process(IPP_LOCAL_IN, &mp, ill_index);
- if (mp == NULL) {
- CONN_DEC_REF(connp);
- if (mctl_present)
- freeb(first_mp);
- return;
- } else if (mctl_present) {
- ASSERT(first_mp != mp);
- first_mp->b_cont = mp;
- } else {
- first_mp = mp;
- }
- }
-
- /* Handle socket options. */
- if (!syn_present &&
- connp->conn_ip_recvpktinfo && (flags & IP_FF_IPINFO)) {
- /* Add header */
- ASSERT(recv_ill != NULL);
- /*
- * Since tcp does not support IP_RECVPKTINFO for V4, only pass
- * IPF_RECVIF.
- */
- mp = ip_add_info(mp, recv_ill, IPF_RECVIF, IPCL_ZONEID(connp),
- ipst);
- if (mp == NULL) {
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
- CONN_DEC_REF(connp);
- if (mctl_present)
- freeb(first_mp);
- return;
- } else if (mctl_present) {
- /*
- * ip_add_info might return a new mp.
- */
- ASSERT(first_mp != mp);
- first_mp->b_cont = mp;
- } else {
- first_mp = mp;
- }
- }
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsHCInDelivers);
- if (IPCL_IS_TCP(connp)) {
- /* do not drain, certain use cases can blow the stack */
- SQUEUE_ENTER_ONE(connp->conn_sqp, first_mp, connp->conn_recv,
- connp, SQ_NODRAIN, SQTAG_IP_FANOUT_TCP);
- } else {
- /* Not TCP; must be SOCK_RAW, IPPROTO_TCP */
- (connp->conn_recv)(connp, first_mp, NULL);
- CONN_DEC_REF(connp);
- }
-}
-
-/*
* If we have a IPsec NAT-Traversal packet, strip the zero-SPI or
- * pass it along to ESP if the SPI is non-zero. Returns TRUE if the mblk
+ * pass it along to ESP if the SPI is non-zero. Returns the mblk if the mblk
* is not consumed.
*
- * One of four things can happen, all of which affect the passed-in mblk:
- *
- * 1.) ICMP messages that go through here just get returned TRUE.
+ * One of three things can happen, all of which affect the passed-in mblk:
*
- * 2.) The packet is stock UDP and gets its zero-SPI stripped. Return TRUE.
+ * 1.) The packet is stock UDP and gets its zero-SPI stripped. Return mblk..
*
- * 3.) The packet is ESP-in-UDP, gets transformed into an equivalent
- * ESP packet, and is passed along to ESP for consumption. Return FALSE.
+ * 2.) The packet is ESP-in-UDP, gets transformed into an equivalent
+ * ESP packet, and is passed along to ESP for consumption. Return NULL.
*
- * 4.) The packet is an ESP-in-UDP Keepalive. Drop it and return FALSE.
+ * 3.) The packet is an ESP-in-UDP Keepalive. Drop it and return NULL.
*/
-static boolean_t
-zero_spi_check(queue_t *q, mblk_t *mp, ire_t *ire, ill_t *recv_ill,
- ipsec_stack_t *ipss)
+mblk_t *
+zero_spi_check(mblk_t *mp, ip_recv_attr_t *ira)
{
int shift, plen, iph_len;
ipha_t *ipha;
@@ -6926,28 +5224,12 @@ zero_spi_check(queue_t *q, mblk_t *mp, ire_t *ire, ill_t *recv_ill,
uint32_t *spi;
uint32_t esp_ports;
uint8_t *orptr;
- boolean_t free_ire;
-
- if (DB_TYPE(mp) == M_CTL) {
- /*
- * ICMP message with UDP inside. Don't bother stripping, just
- * send it up.
- *
- * NOTE: Any app with UDP_NAT_T_ENDPOINT set is probably going
- * to ignore errors set by ICMP anyway ('cause they might be
- * forged), but that's the app's decision, not ours.
- */
-
- /* Bunch of reality checks for DEBUG kernels... */
- ASSERT(IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
- ASSERT(((ipha_t *)mp->b_rptr)->ipha_protocol == IPPROTO_ICMP);
-
- return (B_TRUE);
- }
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
+ ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
ipha = (ipha_t *)mp->b_rptr;
- iph_len = IPH_HDR_LENGTH(ipha);
- plen = ntohs(ipha->ipha_length);
+ iph_len = ira->ira_ip_hdr_length;
+ plen = ira->ira_pktlen;
if (plen - iph_len - sizeof (udpha_t) < sizeof (uint32_t)) {
/*
@@ -6958,18 +5240,18 @@ zero_spi_check(queue_t *q, mblk_t *mp, ire_t *ire, ill_t *recv_ill,
* byte packets (keepalives are 1-byte), but we'll drop them
* also.
*/
- ip_drop_packet(mp, B_TRUE, recv_ill, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_esp_nat_t_ka), &ipss->ipsec_dropper);
- return (B_FALSE);
+ return (NULL);
}
if (MBLKL(mp) < iph_len + sizeof (udpha_t) + sizeof (*spi)) {
/* might as well pull it all up - it might be ESP. */
if (!pullupmsg(mp, -1)) {
- ip_drop_packet(mp, B_TRUE, recv_ill, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_esp_nomem),
&ipss->ipsec_dropper);
- return (B_FALSE);
+ return (NULL);
}
ipha = (ipha_t *)mp->b_rptr;
@@ -6985,7 +5267,8 @@ zero_spi_check(queue_t *q, mblk_t *mp, ire_t *ire, ill_t *recv_ill,
}
/* Fix IP header */
- ipha->ipha_length = htons(plen - shift);
+ ira->ira_pktlen = (plen - shift);
+ ipha->ipha_length = htons(ira->ira_pktlen);
ipha->ipha_hdr_checksum = 0;
orptr = mp->b_rptr;
@@ -7005,388 +5288,185 @@ zero_spi_check(queue_t *q, mblk_t *mp, ire_t *ire, ill_t *recv_ill,
if (esp_ports != 0) /* Punt up for ESP processing. */ {
ipha = (ipha_t *)(orptr + shift);
- free_ire = (ire == NULL);
- if (free_ire) {
- /* Re-acquire ire. */
- ire = ire_cache_lookup(ipha->ipha_dst, ALL_ZONES, NULL,
- ipss->ipsec_netstack->netstack_ip);
- if (ire == NULL || !(ire->ire_type & IRE_LOCAL)) {
- if (ire != NULL)
- ire_refrele(ire);
- /*
- * Do a regular freemsg(), as this is an IP
- * error (no local route) not an IPsec one.
- */
- freemsg(mp);
- }
- }
-
- ip_proto_input(q, mp, ipha, ire, recv_ill, esp_ports);
- if (free_ire)
- ire_refrele(ire);
+ ira->ira_flags |= IRAF_ESP_UDP_PORTS;
+ ira->ira_esp_udp_ports = esp_ports;
+ ip_fanout_v4(mp, ipha, ira);
+ return (NULL);
}
-
- return (esp_ports == 0);
+ return (mp);
}
/*
* Deliver a udp packet to the given conn, possibly applying ipsec policy.
+ * Handles IPv4 and IPv6.
* We are responsible for disposing of mp, such as by freemsg() or putnext()
- * Caller is responsible for dropping references to the conn, and freeing
- * first_mp.
- *
- * IPQoS Notes
- * Before sending it to the client, invoke IPPF processing. Policy processing
- * takes place only if the callout_position, IPP_LOCAL_IN, is enabled and
- * ip_policy is true. If we get here from icmp_inbound_error_fanout or
- * ip_wput_local, ip_policy is false.
+ * Caller is responsible for dropping references to the conn.
*/
-static void
-ip_fanout_udp_conn(conn_t *connp, mblk_t *first_mp, mblk_t *mp,
- boolean_t secure, ill_t *ill, ipha_t *ipha, uint_t flags, ill_t *recv_ill,
- boolean_t ip_policy)
+void
+ip_fanout_udp_conn(conn_t *connp, mblk_t *mp, ipha_t *ipha, ip6_t *ip6h,
+ ip_recv_attr_t *ira)
{
- boolean_t mctl_present = (first_mp != NULL);
- uint32_t in_flags = 0; /* set to IP_RECVSLLA and/or IP_RECVIF */
- uint32_t ill_index;
- ip_stack_t *ipst = recv_ill->ill_ipst;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
+ boolean_t secure;
+ iaflags_t iraflags = ira->ira_flags;
- ASSERT(ill != NULL);
+ secure = iraflags & IRAF_IPSEC_SECURE;
- if (mctl_present)
- first_mp->b_cont = mp;
- else
- first_mp = mp;
-
- if ((IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
- (!IPCL_IS_NONSTR(connp) && CONN_UDP_FLOWCTLD(connp))) {
+ if (IPCL_IS_NONSTR(connp) ? connp->conn_flow_cntrld :
+ !canputnext(connp->conn_rq)) {
BUMP_MIB(ill->ill_ip_mib, udpIfStatsInOverflows);
- freemsg(first_mp);
+ freemsg(mp);
return;
}
- if (CONN_INBOUND_POLICY_PRESENT(connp, ipss) || secure) {
- first_mp = ipsec_check_inbound_policy(first_mp, connp, ipha,
- NULL, mctl_present);
- /* Freed by ipsec_check_inbound_policy(). */
- if (first_mp == NULL) {
+ if (((iraflags & IRAF_IS_IPV4) ?
+ CONN_INBOUND_POLICY_PRESENT(connp, ipss) :
+ CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss)) ||
+ secure) {
+ mp = ipsec_check_inbound_policy(mp, connp, ipha,
+ ip6h, ira);
+ if (mp == NULL) {
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ /* Note that mp is NULL */
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
return;
}
}
- if (mctl_present)
- freeb(first_mp);
-
- /* Let's hope the compilers utter "branch, predict-not-taken..." ;) */
- if (connp->conn_udp->udp_nat_t_endpoint) {
- if (mctl_present) {
- /* mctl_present *shouldn't* happen. */
- ip_drop_packet(mp, B_TRUE, NULL, NULL,
- DROPPER(ipss, ipds_esp_nat_t_ipsec),
- &ipss->ipsec_dropper);
- return;
- }
-
- if (!zero_spi_check(ill->ill_rq, mp, NULL, recv_ill, ipss))
- return;
- }
- /* Handle options. */
- if (connp->conn_recvif)
- in_flags = IPF_RECVIF;
/*
- * UDP supports IP_RECVPKTINFO option for both v4 and v6 so the flag
- * passed to ip_add_info is based on IP version of connp.
+ * Since this code is not used for UDP unicast we don't need a NAT_T
+ * check. Only ip_fanout_v4 has that check.
*/
- if (connp->conn_ip_recvpktinfo && (flags & IP_FF_IPINFO)) {
- if (connp->conn_af_isv6) {
- /*
- * V6 only needs index
- */
- in_flags |= IPF_RECVIF;
- } else {
- /*
- * V4 needs index + matching address.
- */
- in_flags |= IPF_RECVADDR;
- }
- }
-
- if (connp->conn_recvslla && !(flags & IP_FF_SEND_SLLA))
- in_flags |= IPF_RECVSLLA;
+ if (ira->ira_flags & IRAF_ICMP_ERROR) {
+ (connp->conn_recvicmp)(connp, mp, NULL, ira);
+ } else {
+ ill_t *rill = ira->ira_rill;
- /*
- * Initiate IPPF processing here, if needed. Note first_mp won't be
- * freed if the packet is dropped. The caller will do so.
- */
- if (IPP_ENABLED(IPP_LOCAL_IN, ipst) && ip_policy) {
- ill_index = recv_ill->ill_phyint->phyint_ifindex;
- ip_process(IPP_LOCAL_IN, &mp, ill_index);
- if (mp == NULL) {
- return;
- }
- }
- if ((in_flags != 0) &&
- (mp->b_datap->db_type != M_CTL)) {
- /*
- * The actual data will be contained in b_cont
- * upon successful return of the following call
- * else original mblk is returned
- */
- ASSERT(recv_ill != NULL);
- mp = ip_add_info(mp, recv_ill, in_flags, IPCL_ZONEID(connp),
- ipst);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ ira->ira_ill = ira->ira_rill = NULL;
+ /* Send it upstream */
+ (connp->conn_recv)(connp, mp, NULL, ira);
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
}
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
- /* Send it upstream */
- (connp->conn_recv)(connp, mp, NULL);
}
/*
- * Fanout for UDP packets.
- * The caller puts <fport, lport> in the ports parameter.
+ * Fanout for UDP packets that are multicast or broadcast, and ICMP errors.
+ * (Unicast fanout is handled in ip_input_v4.)
*
* If SO_REUSEADDR is set all multicast and broadcast packets
- * will be delivered to all streams bound to the same port.
+ * will be delivered to all conns bound to the same port.
*
- * Zones notes:
- * Multicast and broadcast packets will be distributed to streams in all zones.
+ * If there is at least one matching AF_INET receiver, then we will
+ * ignore any AF_INET6 receivers.
* In the special case where an AF_INET socket binds to 0.0.0.0/<port> and an
* AF_INET6 socket binds to ::/<port>, only the AF_INET socket receives the IPv4
- * packets. To maintain this behavior with multiple zones, the conns are grouped
- * by zone and the SO_REUSEADDR flag is checked for the first matching conn in
- * each zone. If unset, all the following conns in the same zone are skipped.
+ * packets.
+ *
+ * Zones notes:
+ * Earlier in ip_input on a system with multiple shared-IP zones we
+ * duplicate the multicast and broadcast packets and send them up
+ * with each explicit zoneid that exists on that ill.
+ * This means that here we can match the zoneid with SO_ALLZONES being special.
*/
-static void
-ip_fanout_udp(queue_t *q, mblk_t *mp, ill_t *ill, ipha_t *ipha,
- uint32_t ports, boolean_t broadcast, uint_t flags, boolean_t mctl_present,
- boolean_t ip_policy, ill_t *recv_ill, zoneid_t zoneid)
+void
+ip_fanout_udp_multi_v4(mblk_t *mp, ipha_t *ipha, uint16_t lport, uint16_t fport,
+ ip_recv_attr_t *ira)
{
- uint32_t dstport, srcport;
- ipaddr_t dst;
- mblk_t *first_mp;
- boolean_t secure;
- in6_addr_t v6src;
+ ipaddr_t laddr;
+ in6_addr_t v6faddr;
conn_t *connp;
connf_t *connfp;
- conn_t *first_connp;
- conn_t *next_connp;
- mblk_t *mp1, *first_mp1;
- ipaddr_t src;
- zoneid_t last_zoneid;
- boolean_t reuseaddr;
- boolean_t shared_addr;
- boolean_t unlabeled;
- ip_stack_t *ipst;
-
- ASSERT(recv_ill != NULL);
- ipst = recv_ill->ill_ipst;
-
- first_mp = mp;
- if (mctl_present) {
- mp = first_mp->b_cont;
- first_mp->b_cont = NULL;
- secure = ipsec_in_is_secure(first_mp);
- ASSERT(mp != NULL);
- } else {
- first_mp = NULL;
- secure = B_FALSE;
- }
+ ipaddr_t faddr;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
- /* Extract ports in net byte order */
- dstport = htons(ntohl(ports) & 0xFFFF);
- srcport = htons(ntohl(ports) >> 16);
- dst = ipha->ipha_dst;
- src = ipha->ipha_src;
+ ASSERT(ira->ira_flags & (IRAF_MULTIBROADCAST|IRAF_ICMP_ERROR));
- unlabeled = B_FALSE;
- if (is_system_labeled())
- /* Cred cannot be null on IPv4 */
- unlabeled = (msg_getlabel(mp)->tsl_flags &
- TSLF_UNLABELED) != 0;
- shared_addr = (zoneid == ALL_ZONES);
- if (shared_addr) {
- /*
- * No need to handle exclusive-stack zones since ALL_ZONES
- * only applies to the shared stack.
- */
- zoneid = tsol_mlp_findzone(IPPROTO_UDP, dstport);
- /*
- * If no shared MLP is found, tsol_mlp_findzone returns
- * ALL_ZONES. In that case, we assume it's SLP, and
- * search for the zone based on the packet label.
- *
- * If there is such a zone, we prefer to find a
- * connection in it. Otherwise, we look for a
- * MAC-exempt connection in any zone whose label
- * dominates the default label on the packet.
- */
- if (zoneid == ALL_ZONES)
- zoneid = tsol_packet_to_zoneid(mp);
- else
- unlabeled = B_FALSE;
- }
+ laddr = ipha->ipha_dst;
+ faddr = ipha->ipha_src;
- connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(dstport, ipst)];
+ connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(lport, ipst)];
mutex_enter(&connfp->connf_lock);
connp = connfp->connf_head;
- if (!broadcast && !CLASSD(dst)) {
- /*
- * Not broadcast or multicast. Send to the one (first)
- * client we find. No need to check conn_wantpacket()
- * since IP_BOUND_IF/conn_incoming_ill does not apply to
- * IPv4 unicast packets.
- */
- while ((connp != NULL) &&
- (!IPCL_UDP_MATCH(connp, dstport, dst, srcport, src) ||
- (!IPCL_ZONE_MATCH(connp, zoneid) &&
- !(unlabeled && (connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
- shared_addr)))) {
- /*
- * We keep searching since the conn did not match,
- * or its zone did not match and it is not either
- * an allzones conn or a mac exempt conn (if the
- * sender is unlabeled.)
- */
- connp = connp->conn_next;
- }
-
- if (connp == NULL ||
- !IPCL_IS_NONSTR(connp) && connp->conn_upq == NULL)
- goto notfound;
-
- ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_upq != NULL);
-
- if (is_system_labeled() &&
- !tsol_receive_local(mp, &dst, IPV4_VERSION, shared_addr,
- connp))
- goto notfound;
-
- CONN_INC_REF(connp);
- mutex_exit(&connfp->connf_lock);
- ip_fanout_udp_conn(connp, first_mp, mp, secure, ill, ipha,
- flags, recv_ill, ip_policy);
- IP_STAT(ipst, ip_udp_fannorm);
- CONN_DEC_REF(connp);
- return;
- }
/*
- * Broadcast and multicast case
- *
- * Need to check conn_wantpacket().
* If SO_REUSEADDR has been set on the first we send the
* packet to all clients that have joined the group and
* match the port.
*/
-
while (connp != NULL) {
- if ((IPCL_UDP_MATCH(connp, dstport, dst, srcport, src)) &&
- conn_wantpacket(connp, ill, ipha, flags, zoneid) &&
- (!is_system_labeled() ||
- tsol_receive_local(mp, &dst, IPV4_VERSION, shared_addr,
- connp)))
+ if ((IPCL_UDP_MATCH(connp, lport, laddr, fport, faddr)) &&
+ conn_wantpacket(connp, ira, ipha) &&
+ (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
+ tsol_receive_local(mp, &laddr, IPV4_VERSION, ira, connp)))
break;
connp = connp->conn_next;
}
- if (connp == NULL ||
- !IPCL_IS_NONSTR(connp) && connp->conn_upq == NULL)
+ if (connp == NULL)
goto notfound;
- ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_upq != NULL);
+ CONN_INC_REF(connp);
- first_connp = connp;
- /*
- * When SO_REUSEADDR is not set, send the packet only to the first
- * matching connection in its zone by keeping track of the zoneid.
- */
- reuseaddr = first_connp->conn_reuseaddr;
- last_zoneid = first_connp->conn_zoneid;
+ if (connp->conn_reuseaddr) {
+ conn_t *first_connp = connp;
+ conn_t *next_connp;
+ mblk_t *mp1;
- CONN_INC_REF(connp);
- connp = connp->conn_next;
- for (;;) {
- while (connp != NULL) {
- if (IPCL_UDP_MATCH(connp, dstport, dst, srcport, src) &&
- (reuseaddr || connp->conn_zoneid != last_zoneid) &&
- conn_wantpacket(connp, ill, ipha, flags, zoneid) &&
- (!is_system_labeled() ||
- tsol_receive_local(mp, &dst, IPV4_VERSION,
- shared_addr, connp)))
+ connp = connp->conn_next;
+ for (;;) {
+ while (connp != NULL) {
+ if (IPCL_UDP_MATCH(connp, lport, laddr,
+ fport, faddr) &&
+ conn_wantpacket(connp, ira, ipha) &&
+ (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
+ tsol_receive_local(mp, &laddr, IPV4_VERSION,
+ ira, connp)))
+ break;
+ connp = connp->conn_next;
+ }
+ if (connp == NULL) {
+ /* No more interested clients */
+ connp = first_connp;
break;
- connp = connp->conn_next;
- }
- /*
- * Just copy the data part alone. The mctl part is
- * needed just for verifying policy and it is never
- * sent up.
- */
- if (connp == NULL || (((mp1 = dupmsg(mp)) == NULL) &&
- ((mp1 = copymsg(mp)) == NULL))) {
- /*
- * No more interested clients or memory
- * allocation failed
- */
- connp = first_connp;
- break;
- }
- if (connp->conn_zoneid != last_zoneid) {
- /*
- * Update the zoneid so that the packet isn't sent to
- * any more conns in the same zone unless SO_REUSEADDR
- * is set.
- */
- reuseaddr = connp->conn_reuseaddr;
- last_zoneid = connp->conn_zoneid;
- }
- if (first_mp != NULL) {
- ASSERT(((ipsec_info_t *)first_mp->b_rptr)->
- ipsec_info_type == IPSEC_IN);
- first_mp1 = ipsec_in_tag(first_mp, NULL,
- ipst->ips_netstack);
- if (first_mp1 == NULL) {
- freemsg(mp1);
+ }
+ if (((mp1 = dupmsg(mp)) == NULL) &&
+ ((mp1 = copymsg(mp)) == NULL)) {
+ /* Memory allocation failed */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
connp = first_connp;
break;
}
- } else {
- first_mp1 = NULL;
+ CONN_INC_REF(connp);
+ mutex_exit(&connfp->connf_lock);
+
+ IP_STAT(ipst, ip_udp_fanmb);
+ ip_fanout_udp_conn(connp, mp1, (ipha_t *)mp1->b_rptr,
+ NULL, ira);
+ mutex_enter(&connfp->connf_lock);
+ /* Follow the next pointer before releasing the conn */
+ next_connp = connp->conn_next;
+ CONN_DEC_REF(connp);
+ connp = next_connp;
}
- CONN_INC_REF(connp);
- mutex_exit(&connfp->connf_lock);
- /*
- * IPQoS notes: We don't send the packet for policy
- * processing here, will do it for the last one (below).
- * i.e. we do it per-packet now, but if we do policy
- * processing per-conn, then we would need to do it
- * here too.
- */
- ip_fanout_udp_conn(connp, first_mp1, mp1, secure, ill,
- ipha, flags, recv_ill, B_FALSE);
- mutex_enter(&connfp->connf_lock);
- /* Follow the next pointer before releasing the conn. */
- next_connp = connp->conn_next;
- IP_STAT(ipst, ip_udp_fanmb);
- CONN_DEC_REF(connp);
- connp = next_connp;
}
/* Last one. Send it upstream. */
mutex_exit(&connfp->connf_lock);
- ip_fanout_udp_conn(connp, first_mp, mp, secure, ill, ipha, flags,
- recv_ill, ip_policy);
IP_STAT(ipst, ip_udp_fanmb);
+ ip_fanout_udp_conn(connp, mp, ipha, NULL, ira);
CONN_DEC_REF(connp);
return;
notfound:
-
mutex_exit(&connfp->connf_lock);
- IP_STAT(ipst, ip_udp_fanothers);
/*
- * IPv6 endpoints bound to unicast or multicast IPv4-mapped addresses
+ * IPv6 endpoints bound to multicast IPv4-mapped addresses
* have already been matched above, since they live in the IPv4
* fanout tables. This implies we only need to
* check for IPv6 in6addr_any endpoints here.
@@ -7394,85 +5474,28 @@ notfound:
* address, except for the multicast group membership lookup which
* uses the IPv4 destination.
*/
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &v6src);
- connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(dstport, ipst)];
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &v6faddr);
+ connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(lport, ipst)];
mutex_enter(&connfp->connf_lock);
connp = connfp->connf_head;
- if (!broadcast && !CLASSD(dst)) {
- while (connp != NULL) {
- if (IPCL_UDP_MATCH_V6(connp, dstport, ipv6_all_zeros,
- srcport, v6src) && IPCL_ZONE_MATCH(connp, zoneid) &&
- conn_wantpacket(connp, ill, ipha, flags, zoneid) &&
- !connp->conn_ipv6_v6only)
- break;
- connp = connp->conn_next;
- }
-
- if (connp != NULL && is_system_labeled() &&
- !tsol_receive_local(mp, &dst, IPV4_VERSION, shared_addr,
- connp))
- connp = NULL;
-
- if (connp == NULL ||
- !IPCL_IS_NONSTR(connp) && connp->conn_upq == NULL) {
- /*
- * No one bound to this port. Is
- * there a client that wants all
- * unclaimed datagrams?
- */
- mutex_exit(&connfp->connf_lock);
-
- if (mctl_present)
- first_mp->b_cont = mp;
- else
- first_mp = mp;
- if (ipst->ips_ipcl_proto_fanout[IPPROTO_UDP].
- connf_head != NULL) {
- ip_fanout_proto(q, first_mp, ill, ipha,
- flags | IP_FF_RAWIP, mctl_present,
- ip_policy, recv_ill, zoneid);
- } else {
- if (ip_fanout_send_icmp(q, first_mp, flags,
- ICMP_DEST_UNREACHABLE,
- ICMP_PORT_UNREACHABLE,
- mctl_present, zoneid, ipst)) {
- BUMP_MIB(ill->ill_ip_mib,
- udpIfStatsNoPorts);
- }
- }
- return;
- }
- ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_upq != NULL);
-
- CONN_INC_REF(connp);
- mutex_exit(&connfp->connf_lock);
- ip_fanout_udp_conn(connp, first_mp, mp, secure, ill, ipha,
- flags, recv_ill, ip_policy);
- CONN_DEC_REF(connp);
- return;
- }
/*
* IPv4 multicast packet being delivered to an AF_INET6
* in6addr_any endpoint.
* Need to check conn_wantpacket(). Note that we use conn_wantpacket()
* and not conn_wantpacket_v6() since any multicast membership is
* for an IPv4-mapped multicast address.
- * The packet is sent to all clients in all zones that have joined the
- * group and match the port.
*/
while (connp != NULL) {
- if (IPCL_UDP_MATCH_V6(connp, dstport, ipv6_all_zeros,
- srcport, v6src) &&
- conn_wantpacket(connp, ill, ipha, flags, zoneid) &&
- (!is_system_labeled() ||
- tsol_receive_local(mp, &dst, IPV4_VERSION, shared_addr,
- connp)))
+ if (IPCL_UDP_MATCH_V6(connp, lport, ipv6_all_zeros,
+ fport, v6faddr) &&
+ conn_wantpacket(connp, ira, ipha) &&
+ (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
+ tsol_receive_local(mp, &laddr, IPV4_VERSION, ira, connp)))
break;
connp = connp->conn_next;
}
- if (connp == NULL ||
- !IPCL_IS_NONSTR(connp) && connp->conn_upq == NULL) {
+ if (connp == NULL) {
/*
* No one bound to this port. Is
* there a client that wants all
@@ -7480,15 +5503,10 @@ notfound:
*/
mutex_exit(&connfp->connf_lock);
- if (mctl_present)
- first_mp->b_cont = mp;
- else
- first_mp = mp;
- if (ipst->ips_ipcl_proto_fanout[IPPROTO_UDP].connf_head !=
+ if (ipst->ips_ipcl_proto_fanout_v4[IPPROTO_UDP].connf_head !=
NULL) {
- ip_fanout_proto(q, first_mp, ill, ipha,
- flags | IP_FF_RAWIP, mctl_present, ip_policy,
- recv_ill, zoneid);
+ ASSERT(ira->ira_protocol == IPPROTO_UDP);
+ ip_fanout_proto_v4(mp, ipha, ira);
} else {
/*
* We used to attempt to send an icmp error here, but
@@ -7497,102 +5515,263 @@ notfound:
* multicast, just drop the packet and give up sooner.
*/
BUMP_MIB(ill->ill_ip_mib, udpIfStatsNoPorts);
- freemsg(first_mp);
+ freemsg(mp);
}
return;
}
- ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_upq != NULL);
+ ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_rq != NULL);
- first_connp = connp;
+ /*
+ * If SO_REUSEADDR has been set on the first we send the
+ * packet to all clients that have joined the group and
+ * match the port.
+ */
+ if (connp->conn_reuseaddr) {
+ conn_t *first_connp = connp;
+ conn_t *next_connp;
+ mblk_t *mp1;
- CONN_INC_REF(connp);
- connp = connp->conn_next;
- for (;;) {
- while (connp != NULL) {
- if (IPCL_UDP_MATCH_V6(connp, dstport,
- ipv6_all_zeros, srcport, v6src) &&
- conn_wantpacket(connp, ill, ipha, flags, zoneid) &&
- (!is_system_labeled() ||
- tsol_receive_local(mp, &dst, IPV4_VERSION,
- shared_addr, connp)))
+ CONN_INC_REF(connp);
+ connp = connp->conn_next;
+ for (;;) {
+ while (connp != NULL) {
+ if (IPCL_UDP_MATCH_V6(connp, lport,
+ ipv6_all_zeros, fport, v6faddr) &&
+ conn_wantpacket(connp, ira, ipha) &&
+ (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
+ tsol_receive_local(mp, &laddr, IPV4_VERSION,
+ ira, connp)))
+ break;
+ connp = connp->conn_next;
+ }
+ if (connp == NULL) {
+ /* No more interested clients */
+ connp = first_connp;
break;
- connp = connp->conn_next;
- }
- /*
- * Just copy the data part alone. The mctl part is
- * needed just for verifying policy and it is never
- * sent up.
- */
- if (connp == NULL || (((mp1 = dupmsg(mp)) == NULL) &&
- ((mp1 = copymsg(mp)) == NULL))) {
- /*
- * No more intested clients or memory
- * allocation failed
- */
- connp = first_connp;
- break;
- }
- if (first_mp != NULL) {
- ASSERT(((ipsec_info_t *)first_mp->b_rptr)->
- ipsec_info_type == IPSEC_IN);
- first_mp1 = ipsec_in_tag(first_mp, NULL,
- ipst->ips_netstack);
- if (first_mp1 == NULL) {
- freemsg(mp1);
+ }
+ if (((mp1 = dupmsg(mp)) == NULL) &&
+ ((mp1 = copymsg(mp)) == NULL)) {
+ /* Memory allocation failed */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
connp = first_connp;
break;
}
- } else {
- first_mp1 = NULL;
+ CONN_INC_REF(connp);
+ mutex_exit(&connfp->connf_lock);
+
+ IP_STAT(ipst, ip_udp_fanmb);
+ ip_fanout_udp_conn(connp, mp1, (ipha_t *)mp1->b_rptr,
+ NULL, ira);
+ mutex_enter(&connfp->connf_lock);
+ /* Follow the next pointer before releasing the conn */
+ next_connp = connp->conn_next;
+ CONN_DEC_REF(connp);
+ connp = next_connp;
}
- CONN_INC_REF(connp);
- mutex_exit(&connfp->connf_lock);
- /*
- * IPQoS notes: We don't send the packet for policy
- * processing here, will do it for the last one (below).
- * i.e. we do it per-packet now, but if we do policy
- * processing per-conn, then we would need to do it
- * here too.
- */
- ip_fanout_udp_conn(connp, first_mp1, mp1, secure, ill,
- ipha, flags, recv_ill, B_FALSE);
- mutex_enter(&connfp->connf_lock);
- /* Follow the next pointer before releasing the conn. */
- next_connp = connp->conn_next;
- CONN_DEC_REF(connp);
- connp = next_connp;
}
/* Last one. Send it upstream. */
mutex_exit(&connfp->connf_lock);
- ip_fanout_udp_conn(connp, first_mp, mp, secure, ill, ipha, flags,
- recv_ill, ip_policy);
+ IP_STAT(ipst, ip_udp_fanmb);
+ ip_fanout_udp_conn(connp, mp, ipha, NULL, ira);
CONN_DEC_REF(connp);
}
/*
- * Complete the ip_wput header so that it
- * is possible to generate ICMP
- * errors.
+ * Split an incoming packet's IPv4 options into the label and the other options.
+ * If 'allocate' is set it does memory allocation for the ip_pkt_t, including
+ * clearing out any leftover label or options.
+ * Otherwise it just makes ipp point into the packet.
+ *
+ * Returns zero if ok; ENOMEM if the buffer couldn't be allocated.
*/
int
-ip_hdr_complete(ipha_t *ipha, zoneid_t zoneid, ip_stack_t *ipst)
+ip_find_hdr_v4(ipha_t *ipha, ip_pkt_t *ipp, boolean_t allocate)
{
- ire_t *ire;
+ uchar_t *opt;
+ uint32_t totallen;
+ uint32_t optval;
+ uint32_t optlen;
- if (ipha->ipha_src == INADDR_ANY) {
- ire = ire_lookup_local(zoneid, ipst);
- if (ire == NULL) {
- ip1dbg(("ip_hdr_complete: no source IRE\n"));
- return (1);
+ ipp->ipp_fields |= IPPF_HOPLIMIT | IPPF_TCLASS | IPPF_ADDR;
+ ipp->ipp_hoplimit = ipha->ipha_ttl;
+ ipp->ipp_type_of_service = ipha->ipha_type_of_service;
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &ipp->ipp_addr);
+
+ /*
+ * Get length (in 4 byte octets) of IP header options.
+ */
+ totallen = ipha->ipha_version_and_hdr_length -
+ (uint8_t)((IP_VERSION << 4) + IP_SIMPLE_HDR_LENGTH_IN_WORDS);
+
+ if (totallen == 0) {
+ if (!allocate)
+ return (0);
+
+ /* Clear out anything from a previous packet */
+ if (ipp->ipp_fields & IPPF_IPV4_OPTIONS) {
+ kmem_free(ipp->ipp_ipv4_options,
+ ipp->ipp_ipv4_options_len);
+ ipp->ipp_ipv4_options = NULL;
+ ipp->ipp_ipv4_options_len = 0;
+ ipp->ipp_fields &= ~IPPF_IPV4_OPTIONS;
}
- ipha->ipha_src = ire->ire_addr;
- ire_refrele(ire);
+ if (ipp->ipp_fields & IPPF_LABEL_V4) {
+ kmem_free(ipp->ipp_label_v4, ipp->ipp_label_len_v4);
+ ipp->ipp_label_v4 = NULL;
+ ipp->ipp_label_len_v4 = 0;
+ ipp->ipp_fields &= ~IPPF_LABEL_V4;
+ }
+ return (0);
}
- ipha->ipha_ttl = ipst->ips_ip_def_ttl;
- ipha->ipha_hdr_checksum = 0;
- ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
- return (0);
+
+ totallen <<= 2;
+ opt = (uchar_t *)&ipha[1];
+ if (!is_system_labeled()) {
+
+ copyall:
+ if (!allocate) {
+ if (totallen != 0) {
+ ipp->ipp_ipv4_options = opt;
+ ipp->ipp_ipv4_options_len = totallen;
+ ipp->ipp_fields |= IPPF_IPV4_OPTIONS;
+ }
+ return (0);
+ }
+ /* Just copy all of options */
+ if (ipp->ipp_fields & IPPF_IPV4_OPTIONS) {
+ if (totallen == ipp->ipp_ipv4_options_len) {
+ bcopy(opt, ipp->ipp_ipv4_options, totallen);
+ return (0);
+ }
+ kmem_free(ipp->ipp_ipv4_options,
+ ipp->ipp_ipv4_options_len);
+ ipp->ipp_ipv4_options = NULL;
+ ipp->ipp_ipv4_options_len = 0;
+ ipp->ipp_fields &= ~IPPF_IPV4_OPTIONS;
+ }
+ if (totallen == 0)
+ return (0);
+
+ ipp->ipp_ipv4_options = kmem_alloc(totallen, KM_NOSLEEP);
+ if (ipp->ipp_ipv4_options == NULL)
+ return (ENOMEM);
+ ipp->ipp_ipv4_options_len = totallen;
+ ipp->ipp_fields |= IPPF_IPV4_OPTIONS;
+ bcopy(opt, ipp->ipp_ipv4_options, totallen);
+ return (0);
+ }
+
+ if (allocate && (ipp->ipp_fields & IPPF_LABEL_V4)) {
+ kmem_free(ipp->ipp_label_v4, ipp->ipp_label_len_v4);
+ ipp->ipp_label_v4 = NULL;
+ ipp->ipp_label_len_v4 = 0;
+ ipp->ipp_fields &= ~IPPF_LABEL_V4;
+ }
+
+ /*
+ * Search for CIPSO option.
+ * We assume CIPSO is first in options if it is present.
+ * If it isn't, then ipp_opt_ipv4_options will not include the options
+ * prior to the CIPSO option.
+ */
+ while (totallen != 0) {
+ switch (optval = opt[IPOPT_OPTVAL]) {
+ case IPOPT_EOL:
+ return (0);
+ case IPOPT_NOP:
+ optlen = 1;
+ break;
+ default:
+ if (totallen <= IPOPT_OLEN)
+ return (EINVAL);
+ optlen = opt[IPOPT_OLEN];
+ if (optlen < 2)
+ return (EINVAL);
+ }
+ if (optlen > totallen)
+ return (EINVAL);
+
+ switch (optval) {
+ case IPOPT_COMSEC:
+ if (!allocate) {
+ ipp->ipp_label_v4 = opt;
+ ipp->ipp_label_len_v4 = optlen;
+ ipp->ipp_fields |= IPPF_LABEL_V4;
+ } else {
+ ipp->ipp_label_v4 = kmem_alloc(optlen,
+ KM_NOSLEEP);
+ if (ipp->ipp_label_v4 == NULL)
+ return (ENOMEM);
+ ipp->ipp_label_len_v4 = optlen;
+ ipp->ipp_fields |= IPPF_LABEL_V4;
+ bcopy(opt, ipp->ipp_label_v4, optlen);
+ }
+ totallen -= optlen;
+ opt += optlen;
+
+ /* Skip padding bytes until we get to a multiple of 4 */
+ while ((totallen & 3) != 0 && opt[0] == IPOPT_NOP) {
+ totallen--;
+ opt++;
+ }
+ /* Remaining as ipp_ipv4_options */
+ goto copyall;
+ }
+ totallen -= optlen;
+ opt += optlen;
+ }
+ /* No CIPSO found; return everything as ipp_ipv4_options */
+ totallen = ipha->ipha_version_and_hdr_length -
+ (uint8_t)((IP_VERSION << 4) + IP_SIMPLE_HDR_LENGTH_IN_WORDS);
+ totallen <<= 2;
+ opt = (uchar_t *)&ipha[1];
+ goto copyall;
+}
+
+/*
+ * Efficient versions of lookup for an IRE when we only
+ * match the address.
+ * For RTF_REJECT or BLACKHOLE we return IRE_NOROUTE.
+ * Does not handle multicast addresses.
+ */
+uint_t
+ip_type_v4(ipaddr_t addr, ip_stack_t *ipst)
+{
+ ire_t *ire;
+ uint_t result;
+
+ ire = ire_ftable_lookup_simple_v4(addr, 0, ipst, NULL);
+ ASSERT(ire != NULL);
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))
+ result = IRE_NOROUTE;
+ else
+ result = ire->ire_type;
+ ire_refrele(ire);
+ return (result);
+}
+
+/*
+ * Efficient versions of lookup for an IRE when we only
+ * match the address.
+ * For RTF_REJECT or BLACKHOLE we return IRE_NOROUTE.
+ * Does not handle multicast addresses.
+ */
+uint_t
+ip_type_v6(const in6_addr_t *addr, ip_stack_t *ipst)
+{
+ ire_t *ire;
+ uint_t result;
+
+ ire = ire_ftable_lookup_simple_v6(addr, 0, ipst, NULL);
+ ASSERT(ire != NULL);
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))
+ result = IRE_NOROUTE;
+ else
+ result = ire->ire_type;
+ ire_refrele(ire);
+ return (result);
}
/*
@@ -7602,8 +5781,6 @@ ip_hdr_complete(ipha_t *ipha, zoneid_t zoneid, ip_stack_t *ipst)
static void
ip_lrput(queue_t *q, mblk_t *mp)
{
- mblk_t *mp1;
-
switch (mp->b_datap->db_type) {
case M_FLUSH:
/* Turn around */
@@ -7614,9 +5791,6 @@ ip_lrput(queue_t *q, mblk_t *mp)
}
break;
}
- /* Could receive messages that passed through ar_rput */
- for (mp1 = mp; mp1; mp1 = mp1->b_cont)
- mp1->b_prev = mp1->b_next = NULL;
freemsg(mp);
}
@@ -7631,7 +5805,7 @@ ip_lwput(queue_t *q, mblk_t *mp)
/*
* Move the first hop in any source route to ipha_dst and remove that part of
* the source route. Called by other protocols. Errors in option formatting
- * are ignored - will be handled by ip_wput_options Return the final
+ * are ignored - will be handled by ip_output_options. Return the final
* destination (either ipha_dst or the last entry in a source route.)
*/
ipaddr_t
@@ -7643,7 +5817,6 @@ ip_massage_options(ipha_t *ipha, netstack_t *ns)
uint8_t optlen;
ipaddr_t dst;
int i;
- ire_t *ire;
ip_stack_t *ipst = ns->netstack_ip;
ip2dbg(("ip_massage_options\n"));
@@ -7679,10 +5852,7 @@ ip_massage_options(ipha_t *ipha, netstack_t *ns)
* XXX verify per-interface ip_forwarding
* for source route?
*/
- ire = ire_ctable_lookup(dst, 0, IRE_LOCAL, NULL,
- ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- if (ire != NULL) {
- ire_refrele(ire);
+ if (ip_type_v4(dst, ipst) == IRE_LOCAL) {
off += IP_ADDR_LEN;
goto redo_srr;
}
@@ -7760,1843 +5930,41 @@ ip_net_mask(ipaddr_t addr)
return ((ipaddr_t)0);
}
-/*
- * Helper ill lookup function used by IPsec.
- */
-ill_t *
-ip_grab_ill(mblk_t *first_mp, int ifindex, boolean_t isv6, ip_stack_t *ipst)
+/* Name/Value Table Lookup Routine */
+char *
+ip_nv_lookup(nv_t *nv, int value)
{
- ill_t *ret_ill;
-
- ASSERT(ifindex != 0);
-
- ret_ill = ill_lookup_on_ifindex(ifindex, isv6, NULL, NULL, NULL, NULL,
- ipst);
- if (ret_ill == NULL) {
- if (isv6) {
- BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutDiscards);
- ip1dbg(("ip_grab_ill (IPv6): bad ifindex %d.\n",
- ifindex));
- } else {
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
- ip1dbg(("ip_grab_ill (IPv4): bad ifindex %d.\n",
- ifindex));
- }
- freemsg(first_mp);
+ if (!nv)
return (NULL);
+ for (; nv->nv_name; nv++) {
+ if (nv->nv_value == value)
+ return (nv->nv_name);
}
- return (ret_ill);
-}
-
-/*
- * IPv4 -
- * ip_newroute is called by ip_rput or ip_wput whenever we need to send
- * out a packet to a destination address for which we do not have specific
- * (or sufficient) routing information.
- *
- * NOTE : These are the scopes of some of the variables that point at IRE,
- * which needs to be followed while making any future modifications
- * to avoid memory leaks.
- *
- * - ire and sire are the entries looked up initially by
- * ire_ftable_lookup.
- * - ipif_ire is used to hold the interface ire associated with
- * the new cache ire. But it's scope is limited, so we always REFRELE
- * it before branching out to error paths.
- * - save_ire is initialized before ire_create, so that ire returned
- * by ire_create will not over-write the ire. We REFRELE save_ire
- * before breaking out of the switch.
- *
- * Thus on failures, we have to REFRELE only ire and sire, if they
- * are not NULL.
- */
-void
-ip_newroute(queue_t *q, mblk_t *mp, ipaddr_t dst, conn_t *connp,
- zoneid_t zoneid, ip_stack_t *ipst)
-{
- areq_t *areq;
- ipaddr_t gw = 0;
- ire_t *ire = NULL;
- mblk_t *res_mp;
- ipaddr_t *addrp;
- ipaddr_t nexthop_addr;
- ipif_t *src_ipif = NULL;
- ill_t *dst_ill = NULL;
- ipha_t *ipha;
- ire_t *sire = NULL;
- mblk_t *first_mp;
- ire_t *save_ire;
- ushort_t ire_marks = 0;
- boolean_t mctl_present;
- ipsec_out_t *io;
- mblk_t *saved_mp;
- mblk_t *copy_mp = NULL;
- mblk_t *xmit_mp = NULL;
- ipaddr_t save_dst;
- uint32_t multirt_flags =
- MULTIRT_CACHEGW | MULTIRT_USESTAMP | MULTIRT_SETSTAMP;
- boolean_t multirt_is_resolvable;
- boolean_t multirt_resolve_next;
- boolean_t unspec_src;
- boolean_t ip_nexthop = B_FALSE;
- tsol_ire_gw_secattr_t *attrp = NULL;
- tsol_gcgrp_t *gcgrp = NULL;
- tsol_gcgrp_addr_t ga;
- int multirt_res_failures = 0;
- int multirt_res_attempts = 0;
- int multirt_already_resolved = 0;
- boolean_t multirt_no_icmp_error = B_FALSE;
-
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("ip_newroute: dst %s\n", AF_INET, &dst);
- }
-
- EXTRACT_PKT_MP(mp, first_mp, mctl_present);
- if (mctl_present) {
- io = (ipsec_out_t *)first_mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- ASSERT(zoneid == io->ipsec_out_zoneid);
- ASSERT(zoneid != ALL_ZONES);
- }
-
- ipha = (ipha_t *)mp->b_rptr;
-
- /* All multicast lookups come through ip_newroute_ipif() */
- if (CLASSD(dst)) {
- ip0dbg(("ip_newroute: CLASSD 0x%x (b_prev %p, b_next %p)\n",
- ntohl(dst), (void *)mp->b_prev, (void *)mp->b_next));
- freemsg(first_mp);
- return;
- }
-
- if (mctl_present && io->ipsec_out_ip_nexthop) {
- ip_nexthop = B_TRUE;
- nexthop_addr = io->ipsec_out_nexthop_addr;
- }
- /*
- * If this IRE is created for forwarding or it is not for
- * traffic for congestion controlled protocols, mark it as temporary.
- */
- if (mp->b_prev != NULL || !IP_FLOW_CONTROLLED_ULP(ipha->ipha_protocol))
- ire_marks |= IRE_MARK_TEMPORARY;
-
- /*
- * Get what we can from ire_ftable_lookup which will follow an IRE
- * chain until it gets the most specific information available.
- * For example, we know that there is no IRE_CACHE for this dest,
- * but there may be an IRE_OFFSUBNET which specifies a gateway.
- * ire_ftable_lookup will look up the gateway, etc.
- * Otherwise, given ire_ftable_lookup algorithm, only one among routes
- * to the destination, of equal netmask length in the forward table,
- * will be recursively explored. If no information is available
- * for the final gateway of that route, we force the returned ire
- * to be equal to sire using MATCH_IRE_PARENT.
- * At least, in this case we have a starting point (in the buckets)
- * to look for other routes to the destination in the forward table.
- * This is actually used only for multirouting, where a list
- * of routes has to be processed in sequence.
- *
- * In the process of coming up with the most specific information,
- * ire_ftable_lookup may end up with an incomplete IRE_CACHE entry
- * for the gateway (i.e., one for which the ire_nce->nce_state is
- * not yet ND_REACHABLE, and is in the middle of arp resolution).
- * Two caveats when handling incomplete ire's in ip_newroute:
- * - we should be careful when accessing its ire_nce (specifically
- * the nce_res_mp) ast it might change underneath our feet, and,
- * - not all legacy code path callers are prepared to handle
- * incomplete ire's, so we should not create/add incomplete
- * ire_cache entries here. (See discussion about temporary solution
- * further below).
- *
- * In order to minimize packet dropping, and to preserve existing
- * behavior, we treat this case as if there were no IRE_CACHE for the
- * gateway, and instead use the IF_RESOLVER ire to send out
- * another request to ARP (this is achieved by passing the
- * MATCH_IRE_COMPLETE flag to ire_ftable_lookup). When the
- * arp response comes back in ip_wput_nondata, we will create
- * a per-dst ire_cache that has an ND_COMPLETE ire.
- *
- * Note that this is a temporary solution; the correct solution is
- * to create an incomplete per-dst ire_cache entry, and send the
- * packet out when the gw's nce is resolved. In order to achieve this,
- * all packet processing must have been completed prior to calling
- * ire_add_then_send. Some legacy code paths (e.g. cgtp) would need
- * to be modified to accomodate this solution.
- */
- if (ip_nexthop) {
- /*
- * The first time we come here, we look for an IRE_INTERFACE
- * entry for the specified nexthop, set the dst to be the
- * nexthop address and create an IRE_CACHE entry for the
- * nexthop. The next time around, we are able to find an
- * IRE_CACHE entry for the nexthop, set the gateway to be the
- * nexthop address and create an IRE_CACHE entry for the
- * destination address via the specified nexthop.
- */
- ire = ire_cache_lookup(nexthop_addr, zoneid,
- msg_getlabel(mp), ipst);
- if (ire != NULL) {
- gw = nexthop_addr;
- ire_marks |= IRE_MARK_PRIVATE_ADDR;
- } else {
- ire = ire_ftable_lookup(nexthop_addr, 0, 0,
- IRE_INTERFACE, NULL, NULL, zoneid, 0,
- msg_getlabel(mp),
- MATCH_IRE_TYPE | MATCH_IRE_SECATTR,
- ipst);
- if (ire != NULL) {
- dst = nexthop_addr;
- }
- }
- } else {
- ire = ire_ftable_lookup(dst, 0, 0, 0,
- NULL, &sire, zoneid, 0, msg_getlabel(mp),
- MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT |
- MATCH_IRE_RJ_BHOLE | MATCH_IRE_PARENT |
- MATCH_IRE_SECATTR | MATCH_IRE_COMPLETE,
- ipst);
- }
-
- ip3dbg(("ip_newroute: ire_ftable_lookup() "
- "returned ire %p, sire %p\n", (void *)ire, (void *)sire));
-
- /*
- * This loop is run only once in most cases.
- * We loop to resolve further routes only when the destination
- * can be reached through multiple RTF_MULTIRT-flagged ires.
- */
- do {
- /* Clear the previous iteration's values */
- if (src_ipif != NULL) {
- ipif_refrele(src_ipif);
- src_ipif = NULL;
- }
- if (dst_ill != NULL) {
- ill_refrele(dst_ill);
- dst_ill = NULL;
- }
-
- multirt_resolve_next = B_FALSE;
- /*
- * We check if packets have to be multirouted.
- * In this case, given the current <ire, sire> couple,
- * we look for the next suitable <ire, sire>.
- * This check is done in ire_multirt_lookup(),
- * which applies various criteria to find the next route
- * to resolve. ire_multirt_lookup() leaves <ire, sire>
- * unchanged if it detects it has not been tried yet.
- */
- if ((sire != NULL) && (sire->ire_flags & RTF_MULTIRT)) {
- ip3dbg(("ip_newroute: starting next_resolution "
- "with first_mp %p, tag %d\n",
- (void *)first_mp,
- MULTIRT_DEBUG_TAGGED(first_mp)));
-
- ASSERT(sire != NULL);
- multirt_is_resolvable =
- ire_multirt_lookup(&ire, &sire, multirt_flags,
- &multirt_already_resolved, msg_getlabel(mp), ipst);
-
- ip3dbg(("ip_newroute: multirt_is_resolvable %d, "
- "multirt_already_resolved %d, "
- "multirt_res_attempts %d, multirt_res_failures %d, "
- "ire %p, sire %p\n", multirt_is_resolvable,
- multirt_already_resolved, multirt_res_attempts,
- multirt_res_failures, (void *)ire, (void *)sire));
-
- if (!multirt_is_resolvable) {
- /*
- * No more multirt route to resolve; give up
- * (all routes resolved or no more
- * resolvable routes).
- */
- if (ire != NULL) {
- ire_refrele(ire);
- ire = NULL;
- }
- /*
- * Generate ICMP error only if all attempts to
- * resolve multirt route failed and there is no
- * already resolved one. Don't generate ICMP
- * error when:
- *
- * 1) there was no attempt to resolve
- * 2) at least one attempt passed
- * 3) a multirt route is already resolved
- *
- * Case 1) may occur due to multiple
- * resolution attempts during single
- * ip_multirt_resolution_interval.
- *
- * Case 2-3) means that CGTP destination is
- * reachable via one link so we don't want to
- * generate ICMP host unreachable error.
- */
- if (multirt_res_attempts == 0 ||
- multirt_res_failures <
- multirt_res_attempts ||
- multirt_already_resolved > 0)
- multirt_no_icmp_error = B_TRUE;
- } else {
- ASSERT(sire != NULL);
- ASSERT(ire != NULL);
-
- multirt_res_attempts++;
- }
- }
-
- if (ire == NULL) {
- if (ip_debug > 3) {
- /* ip2dbg */
- pr_addr_dbg("ip_newroute: "
- "can't resolve %s\n", AF_INET, &dst);
- }
- ip3dbg(("ip_newroute: "
- "ire %p, sire %p, multirt_no_icmp_error %d\n",
- (void *)ire, (void *)sire,
- (int)multirt_no_icmp_error));
-
- if (sire != NULL) {
- ire_refrele(sire);
- sire = NULL;
- }
-
- if (multirt_no_icmp_error) {
- /* There is no need to report an ICMP error. */
- MULTIRT_DEBUG_UNTAG(first_mp);
- freemsg(first_mp);
- return;
- }
- ip_rts_change(RTM_MISS, dst, 0, 0, 0, 0, 0, 0,
- RTA_DST, ipst);
- goto icmp_err_ret;
- }
-
- /*
- * Verify that the returned IRE does not have either
- * the RTF_REJECT or RTF_BLACKHOLE flags set and that the IRE is
- * either an IRE_CACHE, IRE_IF_NORESOLVER or IRE_IF_RESOLVER.
- */
- if ((ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE)) ||
- (ire->ire_type & (IRE_CACHE | IRE_INTERFACE)) == 0) {
- goto icmp_err_ret;
- }
- /*
- * Increment the ire_ob_pkt_count field for ire if it is an
- * INTERFACE (IF_RESOLVER or IF_NORESOLVER) IRE type, and
- * increment the same for the parent IRE, sire, if it is some
- * sort of prefix IRE (which includes DEFAULT, PREFIX, and HOST)
- */
- if ((ire->ire_type & IRE_INTERFACE) != 0) {
- UPDATE_OB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- }
-
- if (sire != NULL) {
- gw = sire->ire_gateway_addr;
- ASSERT((sire->ire_type & (IRE_CACHETABLE |
- IRE_INTERFACE)) == 0);
- UPDATE_OB_PKT_COUNT(sire);
- sire->ire_last_used_time = lbolt;
- }
- /*
- * We have a route to reach the destination. Find the
- * appropriate ill, then get a source address using
- * ipif_select_source().
- *
- * If we are here trying to create an IRE_CACHE for an offlink
- * destination and have an IRE_CACHE entry for VNI, then use
- * ire_stq instead since VNI's queue is a black hole.
- */
- if ((ire->ire_type == IRE_CACHE) &&
- IS_VNI(ire->ire_ipif->ipif_ill)) {
- dst_ill = ire->ire_stq->q_ptr;
- ill_refhold(dst_ill);
- } else {
- ill_t *ill = ire->ire_ipif->ipif_ill;
-
- if (IS_IPMP(ill)) {
- dst_ill =
- ipmp_illgrp_hold_next_ill(ill->ill_grp);
- } else {
- dst_ill = ill;
- ill_refhold(dst_ill);
- }
- }
-
- if (dst_ill == NULL) {
- if (ip_debug > 2) {
- pr_addr_dbg("ip_newroute: no dst "
- "ill for dst %s\n", AF_INET, &dst);
- }
- goto icmp_err_ret;
- }
- ip2dbg(("ip_newroute: dst_ill %s\n", dst_ill->ill_name));
-
- /*
- * Pick the best source address from dst_ill.
- *
- * 1) Try to pick the source address from the destination
- * route. Clustering assumes that when we have multiple
- * prefixes hosted on an interface, the prefix of the
- * source address matches the prefix of the destination
- * route. We do this only if the address is not
- * DEPRECATED.
- *
- * 2) If the conn is in a different zone than the ire, we
- * need to pick a source address from the right zone.
- */
- ASSERT(src_ipif == NULL);
- if ((sire != NULL) && (sire->ire_flags & RTF_SETSRC)) {
- /*
- * The RTF_SETSRC flag is set in the parent ire (sire).
- * Check that the ipif matching the requested source
- * address still exists.
- */
- src_ipif = ipif_lookup_addr(sire->ire_src_addr, NULL,
- zoneid, NULL, NULL, NULL, NULL, ipst);
- }
-
- unspec_src = (connp != NULL && connp->conn_unspec_src);
-
- if (src_ipif == NULL &&
- (!unspec_src || ipha->ipha_src != INADDR_ANY)) {
- ire_marks |= IRE_MARK_USESRC_CHECK;
- if (!IS_UNDER_IPMP(ire->ire_ipif->ipif_ill) &&
- IS_IPMP(ire->ire_ipif->ipif_ill) ||
- (ire->ire_ipif->ipif_flags & IPIF_DEPRECATED) ||
- (connp != NULL && ire->ire_zoneid != zoneid &&
- ire->ire_zoneid != ALL_ZONES) ||
- (dst_ill->ill_usesrc_ifindex != 0)) {
- /*
- * If the destination is reachable via a
- * given gateway, the selected source address
- * should be in the same subnet as the gateway.
- * Otherwise, the destination is not reachable.
- *
- * If there are no interfaces on the same subnet
- * as the destination, ipif_select_source gives
- * first non-deprecated interface which might be
- * on a different subnet than the gateway.
- * This is not desirable. Hence pass the dst_ire
- * source address to ipif_select_source.
- * It is sure that the destination is reachable
- * with the dst_ire source address subnet.
- * So passing dst_ire source address to
- * ipif_select_source will make sure that the
- * selected source will be on the same subnet
- * as dst_ire source address.
- */
- ipaddr_t saddr = ire->ire_ipif->ipif_src_addr;
-
- src_ipif = ipif_select_source(dst_ill, saddr,
- zoneid);
- if (src_ipif == NULL) {
- /*
- * In the case of multirouting, it may
- * happen that ipif_select_source fails
- * as DAD may disallow use of the
- * particular source interface. Anyway,
- * we need to continue and attempt to
- * resolve other multirt routes.
- */
- if ((sire != NULL) &&
- (sire->ire_flags & RTF_MULTIRT)) {
- ire_refrele(ire);
- ire = NULL;
- multirt_resolve_next = B_TRUE;
- multirt_res_failures++;
- continue;
- }
-
- if (ip_debug > 2) {
- pr_addr_dbg("ip_newroute: "
- "no src for dst %s ",
- AF_INET, &dst);
- printf("on interface %s\n",
- dst_ill->ill_name);
- }
- goto icmp_err_ret;
- }
- } else {
- src_ipif = ire->ire_ipif;
- ASSERT(src_ipif != NULL);
- /* hold src_ipif for uniformity */
- ipif_refhold(src_ipif);
- }
- }
-
- /*
- * Assign a source address while we have the conn.
- * We can't have ip_wput_ire pick a source address when the
- * packet returns from arp since we need to look at
- * conn_unspec_src and conn_zoneid, and we lose the conn when
- * going through arp.
- *
- * NOTE : ip_newroute_v6 does not have this piece of code as
- * it uses ip6i to store this information.
- */
- if (ipha->ipha_src == INADDR_ANY && !unspec_src)
- ipha->ipha_src = src_ipif->ipif_src_addr;
-
- if (ip_debug > 3) {
- /* ip2dbg */
- pr_addr_dbg("ip_newroute: first hop %s\n",
- AF_INET, &gw);
- }
- ip2dbg(("\tire type %s (%d)\n",
- ip_nv_lookup(ire_nv_tbl, ire->ire_type), ire->ire_type));
-
- /*
- * The TTL of multirouted packets is bounded by the
- * ip_multirt_ttl ndd variable.
- */
- if ((sire != NULL) && (sire->ire_flags & RTF_MULTIRT)) {
- /* Force TTL of multirouted packets */
- if ((ipst->ips_ip_multirt_ttl > 0) &&
- (ipha->ipha_ttl > ipst->ips_ip_multirt_ttl)) {
- ip2dbg(("ip_newroute: forcing multirt TTL "
- "to %d (was %d), dst 0x%08x\n",
- ipst->ips_ip_multirt_ttl, ipha->ipha_ttl,
- ntohl(sire->ire_addr)));
- ipha->ipha_ttl = ipst->ips_ip_multirt_ttl;
- }
- }
- /*
- * At this point in ip_newroute(), ire is either the
- * IRE_CACHE of the next-hop gateway for an off-subnet
- * destination or an IRE_INTERFACE type that should be used
- * to resolve an on-subnet destination or an on-subnet
- * next-hop gateway.
- *
- * In the IRE_CACHE case, we have the following :
- *
- * 1) src_ipif - used for getting a source address.
- *
- * 2) dst_ill - from which we derive ire_stq/ire_rfq. This
- * means packets using this IRE_CACHE will go out on
- * dst_ill.
- *
- * 3) The IRE sire will point to the prefix that is the
- * longest matching route for the destination. These
- * prefix types include IRE_DEFAULT, IRE_PREFIX, IRE_HOST.
- *
- * The newly created IRE_CACHE entry for the off-subnet
- * destination is tied to both the prefix route and the
- * interface route used to resolve the next-hop gateway
- * via the ire_phandle and ire_ihandle fields,
- * respectively.
- *
- * In the IRE_INTERFACE case, we have the following :
- *
- * 1) src_ipif - used for getting a source address.
- *
- * 2) dst_ill - from which we derive ire_stq/ire_rfq. This
- * means packets using the IRE_CACHE that we will build
- * here will go out on dst_ill.
- *
- * 3) sire may or may not be NULL. But, the IRE_CACHE that is
- * to be created will only be tied to the IRE_INTERFACE
- * that was derived from the ire_ihandle field.
- *
- * If sire is non-NULL, it means the destination is
- * off-link and we will first create the IRE_CACHE for the
- * gateway. Next time through ip_newroute, we will create
- * the IRE_CACHE for the final destination as described
- * above.
- *
- * In both cases, after the current resolution has been
- * completed (or possibly initialised, in the IRE_INTERFACE
- * case), the loop may be re-entered to attempt the resolution
- * of another RTF_MULTIRT route.
- *
- * When an IRE_CACHE entry for the off-subnet destination is
- * created, RTF_SETSRC and RTF_MULTIRT are inherited from sire,
- * for further processing in emission loops.
- */
- save_ire = ire;
- switch (ire->ire_type) {
- case IRE_CACHE: {
- ire_t *ipif_ire;
-
- ASSERT(save_ire->ire_nce->nce_state == ND_REACHABLE);
- if (gw == 0)
- gw = ire->ire_gateway_addr;
- /*
- * We need 3 ire's to create a new cache ire for an
- * off-link destination from the cache ire of the
- * gateway.
- *
- * 1. The prefix ire 'sire' (Note that this does
- * not apply to the conn_nexthop_set case)
- * 2. The cache ire of the gateway 'ire'
- * 3. The interface ire 'ipif_ire'
- *
- * We have (1) and (2). We lookup (3) below.
- *
- * If there is no interface route to the gateway,
- * it is a race condition, where we found the cache
- * but the interface route has been deleted.
- */
- if (ip_nexthop) {
- ipif_ire = ire_ihandle_lookup_onlink(ire);
- } else {
- ipif_ire =
- ire_ihandle_lookup_offlink(ire, sire);
- }
- if (ipif_ire == NULL) {
- ip1dbg(("ip_newroute: "
- "ire_ihandle_lookup_offlink failed\n"));
- goto icmp_err_ret;
- }
-
- /*
- * Check cached gateway IRE for any security
- * attributes; if found, associate the gateway
- * credentials group to the destination IRE.
- */
- if ((attrp = save_ire->ire_gw_secattr) != NULL) {
- mutex_enter(&attrp->igsa_lock);
- if ((gcgrp = attrp->igsa_gcgrp) != NULL)
- GCGRP_REFHOLD(gcgrp);
- mutex_exit(&attrp->igsa_lock);
- }
-
- /*
- * XXX For the source of the resolver mp,
- * we are using the same DL_UNITDATA_REQ
- * (from save_ire->ire_nce->nce_res_mp)
- * though the save_ire is not pointing at the same ill.
- * This is incorrect. We need to send it up to the
- * resolver to get the right res_mp. For ethernets
- * this may be okay (ill_type == DL_ETHER).
- */
-
- ire = ire_create(
- (uchar_t *)&dst, /* dest address */
- (uchar_t *)&ip_g_all_ones, /* mask */
- (uchar_t *)&src_ipif->ipif_src_addr, /* src addr */
- (uchar_t *)&gw, /* gateway address */
- &save_ire->ire_max_frag,
- save_ire->ire_nce, /* src nce */
- dst_ill->ill_rq, /* recv-from queue */
- dst_ill->ill_wq, /* send-to queue */
- IRE_CACHE, /* IRE type */
- src_ipif,
- (sire != NULL) ?
- sire->ire_mask : 0, /* Parent mask */
- (sire != NULL) ?
- sire->ire_phandle : 0, /* Parent handle */
- ipif_ire->ire_ihandle, /* Interface handle */
- (sire != NULL) ? (sire->ire_flags &
- (RTF_SETSRC | RTF_MULTIRT)) : 0, /* flags */
- (sire != NULL) ?
- &(sire->ire_uinfo) : &(save_ire->ire_uinfo),
- NULL,
- gcgrp,
- ipst);
-
- if (ire == NULL) {
- if (gcgrp != NULL) {
- GCGRP_REFRELE(gcgrp);
- gcgrp = NULL;
- }
- ire_refrele(ipif_ire);
- ire_refrele(save_ire);
- break;
- }
-
- /* reference now held by IRE */
- gcgrp = NULL;
-
- ire->ire_marks |= ire_marks;
-
- /*
- * Prevent sire and ipif_ire from getting deleted.
- * The newly created ire is tied to both of them via
- * the phandle and ihandle respectively.
- */
- if (sire != NULL) {
- IRB_REFHOLD(sire->ire_bucket);
- /* Has it been removed already ? */
- if (sire->ire_marks & IRE_MARK_CONDEMNED) {
- IRB_REFRELE(sire->ire_bucket);
- ire_refrele(ipif_ire);
- ire_refrele(save_ire);
- break;
- }
- }
-
- IRB_REFHOLD(ipif_ire->ire_bucket);
- /* Has it been removed already ? */
- if (ipif_ire->ire_marks & IRE_MARK_CONDEMNED) {
- IRB_REFRELE(ipif_ire->ire_bucket);
- if (sire != NULL)
- IRB_REFRELE(sire->ire_bucket);
- ire_refrele(ipif_ire);
- ire_refrele(save_ire);
- break;
- }
-
- xmit_mp = first_mp;
- /*
- * In the case of multirouting, a copy
- * of the packet is done before its sending.
- * The copy is used to attempt another
- * route resolution, in a next loop.
- */
- if (ire->ire_flags & RTF_MULTIRT) {
- copy_mp = copymsg(first_mp);
- if (copy_mp != NULL) {
- xmit_mp = copy_mp;
- MULTIRT_DEBUG_TAG(first_mp);
- }
- }
-
- ire_add_then_send(q, ire, xmit_mp);
- ire_refrele(save_ire);
-
- /* Assert that sire is not deleted yet. */
- if (sire != NULL) {
- ASSERT(sire->ire_ptpn != NULL);
- IRB_REFRELE(sire->ire_bucket);
- }
-
- /* Assert that ipif_ire is not deleted yet. */
- ASSERT(ipif_ire->ire_ptpn != NULL);
- IRB_REFRELE(ipif_ire->ire_bucket);
- ire_refrele(ipif_ire);
-
- /*
- * If copy_mp is not NULL, multirouting was
- * requested. We loop to initiate a next
- * route resolution attempt, starting from sire.
- */
- if (copy_mp != NULL) {
- /*
- * Search for the next unresolved
- * multirt route.
- */
- copy_mp = NULL;
- ipif_ire = NULL;
- ire = NULL;
- multirt_resolve_next = B_TRUE;
- continue;
- }
- if (sire != NULL)
- ire_refrele(sire);
- ipif_refrele(src_ipif);
- ill_refrele(dst_ill);
- return;
- }
- case IRE_IF_NORESOLVER: {
- if (dst_ill->ill_resolver_mp == NULL) {
- ip1dbg(("ip_newroute: dst_ill %p "
- "for IRE_IF_NORESOLVER ire %p has "
- "no ill_resolver_mp\n",
- (void *)dst_ill, (void *)ire));
- break;
- }
-
- /*
- * TSol note: We are creating the ire cache for the
- * destination 'dst'. If 'dst' is offlink, going
- * through the first hop 'gw', the security attributes
- * of 'dst' must be set to point to the gateway
- * credentials of gateway 'gw'. If 'dst' is onlink, it
- * is possible that 'dst' is a potential gateway that is
- * referenced by some route that has some security
- * attributes. Thus in the former case, we need to do a
- * gcgrp_lookup of 'gw' while in the latter case we
- * need to do gcgrp_lookup of 'dst' itself.
- */
- ga.ga_af = AF_INET;
- IN6_IPADDR_TO_V4MAPPED(gw != INADDR_ANY ? gw : dst,
- &ga.ga_addr);
- gcgrp = gcgrp_lookup(&ga, B_FALSE);
-
- ire = ire_create(
- (uchar_t *)&dst, /* dest address */
- (uchar_t *)&ip_g_all_ones, /* mask */
- (uchar_t *)&src_ipif->ipif_src_addr, /* src addr */
- (uchar_t *)&gw, /* gateway address */
- &save_ire->ire_max_frag,
- NULL, /* no src nce */
- dst_ill->ill_rq, /* recv-from queue */
- dst_ill->ill_wq, /* send-to queue */
- IRE_CACHE,
- src_ipif,
- save_ire->ire_mask, /* Parent mask */
- (sire != NULL) ? /* Parent handle */
- sire->ire_phandle : 0,
- save_ire->ire_ihandle, /* Interface handle */
- (sire != NULL) ? sire->ire_flags &
- (RTF_SETSRC | RTF_MULTIRT) : 0, /* flags */
- &(save_ire->ire_uinfo),
- NULL,
- gcgrp,
- ipst);
-
- if (ire == NULL) {
- if (gcgrp != NULL) {
- GCGRP_REFRELE(gcgrp);
- gcgrp = NULL;
- }
- ire_refrele(save_ire);
- break;
- }
-
- /* reference now held by IRE */
- gcgrp = NULL;
-
- ire->ire_marks |= ire_marks;
-
- /* Prevent save_ire from getting deleted */
- IRB_REFHOLD(save_ire->ire_bucket);
- /* Has it been removed already ? */
- if (save_ire->ire_marks & IRE_MARK_CONDEMNED) {
- IRB_REFRELE(save_ire->ire_bucket);
- ire_refrele(save_ire);
- break;
- }
-
- /*
- * In the case of multirouting, a copy
- * of the packet is made before it is sent.
- * The copy is used in the next
- * loop to attempt another resolution.
- */
- xmit_mp = first_mp;
- if ((sire != NULL) &&
- (sire->ire_flags & RTF_MULTIRT)) {
- copy_mp = copymsg(first_mp);
- if (copy_mp != NULL) {
- xmit_mp = copy_mp;
- MULTIRT_DEBUG_TAG(first_mp);
- }
- }
- ire_add_then_send(q, ire, xmit_mp);
-
- /* Assert that it is not deleted yet. */
- ASSERT(save_ire->ire_ptpn != NULL);
- IRB_REFRELE(save_ire->ire_bucket);
- ire_refrele(save_ire);
-
- if (copy_mp != NULL) {
- /*
- * If we found a (no)resolver, we ignore any
- * trailing top priority IRE_CACHE in further
- * loops. This ensures that we do not omit any
- * (no)resolver.
- * This IRE_CACHE, if any, will be processed
- * by another thread entering ip_newroute().
- * IRE_CACHE entries, if any, will be processed
- * by another thread entering ip_newroute(),
- * (upon resolver response, for instance).
- * This aims to force parallel multirt
- * resolutions as soon as a packet must be sent.
- * In the best case, after the tx of only one
- * packet, all reachable routes are resolved.
- * Otherwise, the resolution of all RTF_MULTIRT
- * routes would require several emissions.
- */
- multirt_flags &= ~MULTIRT_CACHEGW;
-
- /*
- * Search for the next unresolved multirt
- * route.
- */
- copy_mp = NULL;
- save_ire = NULL;
- ire = NULL;
- multirt_resolve_next = B_TRUE;
- continue;
- }
-
- /*
- * Don't need sire anymore
- */
- if (sire != NULL)
- ire_refrele(sire);
-
- ipif_refrele(src_ipif);
- ill_refrele(dst_ill);
- return;
- }
- case IRE_IF_RESOLVER:
- /*
- * We can't build an IRE_CACHE yet, but at least we
- * found a resolver that can help.
- */
- res_mp = dst_ill->ill_resolver_mp;
- if (!OK_RESOLVER_MP(res_mp))
- break;
-
- /*
- * To be at this point in the code with a non-zero gw
- * means that dst is reachable through a gateway that
- * we have never resolved. By changing dst to the gw
- * addr we resolve the gateway first.
- * When ire_add_then_send() tries to put the IP dg
- * to dst, it will reenter ip_newroute() at which
- * time we will find the IRE_CACHE for the gw and
- * create another IRE_CACHE in case IRE_CACHE above.
- */
- if (gw != INADDR_ANY) {
- /*
- * The source ipif that was determined above was
- * relative to the destination address, not the
- * gateway's. If src_ipif was not taken out of
- * the IRE_IF_RESOLVER entry, we'll need to call
- * ipif_select_source() again.
- */
- if (src_ipif != ire->ire_ipif) {
- ipif_refrele(src_ipif);
- src_ipif = ipif_select_source(dst_ill,
- gw, zoneid);
- /*
- * In the case of multirouting, it may
- * happen that ipif_select_source fails
- * as DAD may disallow use of the
- * particular source interface. Anyway,
- * we need to continue and attempt to
- * resolve other multirt routes.
- */
- if (src_ipif == NULL) {
- if (sire != NULL &&
- (sire->ire_flags &
- RTF_MULTIRT)) {
- ire_refrele(ire);
- ire = NULL;
- multirt_resolve_next =
- B_TRUE;
- multirt_res_failures++;
- continue;
- }
- if (ip_debug > 2) {
- pr_addr_dbg(
- "ip_newroute: no "
- "src for gw %s ",
- AF_INET, &gw);
- printf("on "
- "interface %s\n",
- dst_ill->ill_name);
- }
- goto icmp_err_ret;
- }
- }
- save_dst = dst;
- dst = gw;
- gw = INADDR_ANY;
- }
-
- /*
- * We obtain a partial IRE_CACHE which we will pass
- * along with the resolver query. When the response
- * comes back it will be there ready for us to add.
- * The ire_max_frag is atomically set under the
- * irebucket lock in ire_add_v[46].
- */
-
- ire = ire_create_mp(
- (uchar_t *)&dst, /* dest address */
- (uchar_t *)&ip_g_all_ones, /* mask */
- (uchar_t *)&src_ipif->ipif_src_addr, /* src addr */
- (uchar_t *)&gw, /* gateway address */
- NULL, /* ire_max_frag */
- NULL, /* no src nce */
- dst_ill->ill_rq, /* recv-from queue */
- dst_ill->ill_wq, /* send-to queue */
- IRE_CACHE,
- src_ipif, /* Interface ipif */
- save_ire->ire_mask, /* Parent mask */
- 0,
- save_ire->ire_ihandle, /* Interface handle */
- 0, /* flags if any */
- &(save_ire->ire_uinfo),
- NULL,
- NULL,
- ipst);
-
- if (ire == NULL) {
- ire_refrele(save_ire);
- break;
- }
-
- if ((sire != NULL) &&
- (sire->ire_flags & RTF_MULTIRT)) {
- copy_mp = copymsg(first_mp);
- if (copy_mp != NULL)
- MULTIRT_DEBUG_TAG(copy_mp);
- }
-
- ire->ire_marks |= ire_marks;
-
- /*
- * Construct message chain for the resolver
- * of the form:
- * ARP_REQ_MBLK-->IRE_MBLK-->Packet
- * Packet could contain a IPSEC_OUT mp.
- *
- * NOTE : ire will be added later when the response
- * comes back from ARP. If the response does not
- * come back, ARP frees the packet. For this reason,
- * we can't REFHOLD the bucket of save_ire to prevent
- * deletions. We may not be able to REFRELE the bucket
- * if the response never comes back. Thus, before
- * adding the ire, ire_add_v4 will make sure that the
- * interface route does not get deleted. This is the
- * only case unlike ip_newroute_v6, ip_newroute_ipif_v6
- * where we can always prevent deletions because of
- * the synchronous nature of adding IRES i.e
- * ire_add_then_send is called after creating the IRE.
- */
- ASSERT(ire->ire_mp != NULL);
- ire->ire_mp->b_cont = first_mp;
- /* Have saved_mp handy, for cleanup if canput fails */
- saved_mp = mp;
- mp = copyb(res_mp);
- if (mp == NULL) {
- /* Prepare for cleanup */
- mp = saved_mp; /* pkt */
- ire_delete(ire); /* ire_mp */
- ire = NULL;
- ire_refrele(save_ire);
- if (copy_mp != NULL) {
- MULTIRT_DEBUG_UNTAG(copy_mp);
- freemsg(copy_mp);
- copy_mp = NULL;
- }
- break;
- }
- linkb(mp, ire->ire_mp);
-
- /*
- * Fill in the source and dest addrs for the resolver.
- * NOTE: this depends on memory layouts imposed by
- * ill_init().
- */
- areq = (areq_t *)mp->b_rptr;
- addrp = (ipaddr_t *)((char *)areq +
- areq->areq_sender_addr_offset);
- *addrp = save_ire->ire_src_addr;
-
- ire_refrele(save_ire);
- addrp = (ipaddr_t *)((char *)areq +
- areq->areq_target_addr_offset);
- *addrp = dst;
- /* Up to the resolver. */
- if (canputnext(dst_ill->ill_rq) &&
- !(dst_ill->ill_arp_closing)) {
- putnext(dst_ill->ill_rq, mp);
- ire = NULL;
- if (copy_mp != NULL) {
- /*
- * If we found a resolver, we ignore
- * any trailing top priority IRE_CACHE
- * in the further loops. This ensures
- * that we do not omit any resolver.
- * IRE_CACHE entries, if any, will be
- * processed next time we enter
- * ip_newroute().
- */
- multirt_flags &= ~MULTIRT_CACHEGW;
- /*
- * Search for the next unresolved
- * multirt route.
- */
- first_mp = copy_mp;
- copy_mp = NULL;
- /* Prepare the next resolution loop. */
- mp = first_mp;
- EXTRACT_PKT_MP(mp, first_mp,
- mctl_present);
- if (mctl_present)
- io = (ipsec_out_t *)
- first_mp->b_rptr;
- ipha = (ipha_t *)mp->b_rptr;
-
- ASSERT(sire != NULL);
-
- dst = save_dst;
- multirt_resolve_next = B_TRUE;
- continue;
- }
-
- if (sire != NULL)
- ire_refrele(sire);
-
- /*
- * The response will come back in ip_wput
- * with db_type IRE_DB_TYPE.
- */
- ipif_refrele(src_ipif);
- ill_refrele(dst_ill);
- return;
- } else {
- /* Prepare for cleanup */
- DTRACE_PROBE1(ip__newroute__drop, mblk_t *,
- mp);
- mp->b_cont = NULL;
- freeb(mp); /* areq */
- /*
- * this is an ire that is not added to the
- * cache. ire_freemblk will handle the release
- * of any resources associated with the ire.
- */
- ire_delete(ire); /* ire_mp */
- mp = saved_mp; /* pkt */
- ire = NULL;
- if (copy_mp != NULL) {
- MULTIRT_DEBUG_UNTAG(copy_mp);
- freemsg(copy_mp);
- copy_mp = NULL;
- }
- break;
- }
- default:
- break;
- }
- } while (multirt_resolve_next);
-
- ip1dbg(("ip_newroute: dropped\n"));
- /* Did this packet originate externally? */
- if (mp->b_prev) {
- mp->b_next = NULL;
- mp->b_prev = NULL;
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
- } else {
- if (dst_ill != NULL) {
- BUMP_MIB(dst_ill->ill_ip_mib, ipIfStatsOutDiscards);
- } else {
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
- }
- }
- ASSERT(copy_mp == NULL);
- MULTIRT_DEBUG_UNTAG(first_mp);
- freemsg(first_mp);
- if (ire != NULL)
- ire_refrele(ire);
- if (sire != NULL)
- ire_refrele(sire);
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
- if (dst_ill != NULL)
- ill_refrele(dst_ill);
- return;
-
-icmp_err_ret:
- ip1dbg(("ip_newroute: no route\n"));
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
- if (dst_ill != NULL)
- ill_refrele(dst_ill);
- if (sire != NULL)
- ire_refrele(sire);
- /* Did this packet originate externally? */
- if (mp->b_prev) {
- mp->b_next = NULL;
- mp->b_prev = NULL;
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInNoRoutes);
- q = WR(q);
- } else {
- /*
- * There is no outgoing ill, so just increment the
- * system MIB.
- */
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutNoRoutes);
- /*
- * Since ip_wput() isn't close to finished, we fill
- * in enough of the header for credible error reporting.
- */
- if (ip_hdr_complete(ipha, zoneid, ipst)) {
- /* Failed */
- MULTIRT_DEBUG_UNTAG(first_mp);
- freemsg(first_mp);
- if (ire != NULL)
- ire_refrele(ire);
- return;
- }
- }
-
- /*
- * At this point we will have ire only if RTF_BLACKHOLE
- * or RTF_REJECT flags are set on the IRE. It will not
- * generate ICMP_HOST_UNREACHABLE if RTF_BLACKHOLE is set.
- */
- if (ire != NULL) {
- if (ire->ire_flags & RTF_BLACKHOLE) {
- ire_refrele(ire);
- MULTIRT_DEBUG_UNTAG(first_mp);
- freemsg(first_mp);
- return;
- }
- ire_refrele(ire);
- }
- if (ip_source_routed(ipha, ipst)) {
- icmp_unreachable(q, first_mp, ICMP_SOURCE_ROUTE_FAILED,
- zoneid, ipst);
- return;
- }
- icmp_unreachable(q, first_mp, ICMP_HOST_UNREACHABLE, zoneid, ipst);
+ return ("unknown");
}
-ip_opt_info_t zero_info;
-
-/*
- * IPv4 -
- * ip_newroute_ipif is called by ip_wput_multicast and
- * ip_rput_forward_multicast whenever we need to send
- * out a packet to a destination address for which we do not have specific
- * routing information. It is used when the packet will be sent out
- * on a specific interface. It is also called by ip_wput() when IP_BOUND_IF
- * socket option is set or icmp error message wants to go out on a particular
- * interface for a unicast packet.
- *
- * In most cases, the destination address is resolved thanks to the ipif
- * intrinsic resolver. However, there are some cases where the call to
- * ip_newroute_ipif must take into account the potential presence of
- * RTF_SETSRC and/or RTF_MULITRT flags in an IRE_OFFSUBNET ire
- * that uses the interface. This is specified through flags,
- * which can be a combination of:
- * - RTF_SETSRC: if an IRE_OFFSUBNET ire exists that has the RTF_SETSRC
- * flag, the resulting ire will inherit the IRE_OFFSUBNET source address
- * and flags. Additionally, the packet source address has to be set to
- * the specified address. The caller is thus expected to set this flag
- * if the packet has no specific source address yet.
- * - RTF_MULTIRT: if an IRE_OFFSUBNET ire exists that has the RTF_MULTIRT
- * flag, the resulting ire will inherit the flag. All unresolved routes
- * to the destination must be explored in the same call to
- * ip_newroute_ipif().
- */
-static void
-ip_newroute_ipif(queue_t *q, mblk_t *mp, ipif_t *ipif, ipaddr_t dst,
- conn_t *connp, uint32_t flags, zoneid_t zoneid, ip_opt_info_t *infop)
+static int
+ip_wait_for_info_ack(ill_t *ill)
{
- areq_t *areq;
- ire_t *ire = NULL;
- mblk_t *res_mp;
- ipaddr_t *addrp;
- mblk_t *first_mp;
- ire_t *save_ire = NULL;
- ipif_t *src_ipif = NULL;
- ushort_t ire_marks = 0;
- ill_t *dst_ill = NULL;
- ipha_t *ipha;
- mblk_t *saved_mp;
- ire_t *fire = NULL;
- mblk_t *copy_mp = NULL;
- boolean_t multirt_resolve_next;
- boolean_t unspec_src;
- ipaddr_t ipha_dst;
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
-
- /*
- * CGTP goes in a loop which looks up a new ipif, do an ipif_refhold
- * here for uniformity
- */
- ipif_refhold(ipif);
-
- /*
- * This loop is run only once in most cases.
- * We loop to resolve further routes only when the destination
- * can be reached through multiple RTF_MULTIRT-flagged ires.
- */
- do {
- if (dst_ill != NULL) {
- ill_refrele(dst_ill);
- dst_ill = NULL;
- }
- if (src_ipif != NULL) {
- ipif_refrele(src_ipif);
- src_ipif = NULL;
- }
- multirt_resolve_next = B_FALSE;
-
- ip1dbg(("ip_newroute_ipif: dst 0x%x, if %s\n", ntohl(dst),
- ipif->ipif_ill->ill_name));
-
- first_mp = mp;
- if (DB_TYPE(mp) == M_CTL)
- mp = mp->b_cont;
- ipha = (ipha_t *)mp->b_rptr;
-
- /*
- * Save the packet destination address, we may need it after
- * the packet has been consumed.
- */
- ipha_dst = ipha->ipha_dst;
-
- /*
- * If the interface is a pt-pt interface we look for an
- * IRE_IF_RESOLVER or IRE_IF_NORESOLVER that matches both the
- * local_address and the pt-pt destination address. Otherwise
- * we just match the local address.
- * NOTE: dst could be different than ipha->ipha_dst in case
- * of sending igmp multicast packets over a point-to-point
- * connection.
- * Thus we must be careful enough to check ipha_dst to be a
- * multicast address, otherwise it will take xmit_if path for
- * multicast packets resulting into kernel stack overflow by
- * repeated calls to ip_newroute_ipif from ire_send().
- */
- if (CLASSD(ipha_dst) &&
- !(ipif->ipif_ill->ill_flags & ILLF_MULTICAST)) {
- goto err_ret;
- }
-
- /*
- * We check if an IRE_OFFSUBNET for the addr that goes through
- * ipif exists. We need it to determine if the RTF_SETSRC and/or
- * RTF_MULTIRT flags must be honored. This IRE_OFFSUBNET ire may
- * propagate its flags to the new ire.
- */
- if (CLASSD(ipha_dst) && (flags & (RTF_MULTIRT | RTF_SETSRC))) {
- fire = ipif_lookup_multi_ire(ipif, ipha_dst);
- ip2dbg(("ip_newroute_ipif: "
- "ipif_lookup_multi_ire("
- "ipif %p, dst %08x) = fire %p\n",
- (void *)ipif, ntohl(dst), (void *)fire));
- }
-
- /*
- * Note: While we pick a dst_ill we are really only
- * interested in the ill for load spreading. The source
- * ipif is determined by source address selection below.
- */
- if (IS_IPMP(ipif->ipif_ill)) {
- ipmp_illgrp_t *illg = ipif->ipif_ill->ill_grp;
-
- if (CLASSD(ipha_dst))
- dst_ill = ipmp_illgrp_hold_cast_ill(illg);
- else
- dst_ill = ipmp_illgrp_hold_next_ill(illg);
- } else {
- dst_ill = ipif->ipif_ill;
- ill_refhold(dst_ill);
- }
-
- if (dst_ill == NULL) {
- if (ip_debug > 2) {
- pr_addr_dbg("ip_newroute_ipif: no dst ill "
- "for dst %s\n", AF_INET, &dst);
- }
- goto err_ret;
- }
-
- /*
- * Pick a source address preferring non-deprecated ones.
- * Unlike ip_newroute, we don't do any source address
- * selection here since for multicast it really does not help
- * in inbound load spreading as in the unicast case.
- */
- if ((flags & RTF_SETSRC) && (fire != NULL) &&
- (fire->ire_flags & RTF_SETSRC)) {
- /*
- * As requested by flags, an IRE_OFFSUBNET was looked up
- * on that interface. This ire has RTF_SETSRC flag, so
- * the source address of the packet must be changed.
- * Check that the ipif matching the requested source
- * address still exists.
- */
- src_ipif = ipif_lookup_addr(fire->ire_src_addr, NULL,
- zoneid, NULL, NULL, NULL, NULL, ipst);
- }
-
- unspec_src = (connp != NULL && connp->conn_unspec_src);
-
- if (!IS_UNDER_IPMP(ipif->ipif_ill) &&
- (IS_IPMP(ipif->ipif_ill) ||
- (!ipif->ipif_isv6 && ipif->ipif_lcl_addr == INADDR_ANY) ||
- (ipif->ipif_flags & (IPIF_DEPRECATED|IPIF_UP)) != IPIF_UP ||
- (connp != NULL && ipif->ipif_zoneid != zoneid &&
- ipif->ipif_zoneid != ALL_ZONES)) &&
- (src_ipif == NULL) &&
- (!unspec_src || ipha->ipha_src != INADDR_ANY)) {
- src_ipif = ipif_select_source(dst_ill, dst, zoneid);
- if (src_ipif == NULL) {
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("ip_newroute_ipif: "
- "no src for dst %s",
- AF_INET, &dst);
- }
- ip1dbg((" on interface %s\n",
- dst_ill->ill_name));
- goto err_ret;
- }
- ipif_refrele(ipif);
- ipif = src_ipif;
- ipif_refhold(ipif);
- }
- if (src_ipif == NULL) {
- src_ipif = ipif;
- ipif_refhold(src_ipif);
- }
-
- /*
- * Assign a source address while we have the conn.
- * We can't have ip_wput_ire pick a source address when the
- * packet returns from arp since conn_unspec_src might be set
- * and we lose the conn when going through arp.
- */
- if (ipha->ipha_src == INADDR_ANY && !unspec_src)
- ipha->ipha_src = src_ipif->ipif_src_addr;
-
- /*
- * In the case of IP_BOUND_IF and IP_PKTINFO, it is possible
- * that the outgoing interface does not have an interface ire.
- */
- if (CLASSD(ipha_dst) && (connp == NULL ||
- connp->conn_outgoing_ill == NULL) &&
- infop->ip_opt_ill_index == 0) {
- /* ipif_to_ire returns an held ire */
- ire = ipif_to_ire(ipif);
- if (ire == NULL)
- goto err_ret;
- if (ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE))
- goto err_ret;
- save_ire = ire;
-
- ip2dbg(("ip_newroute_ipif: ire %p, ipif %p, "
- "flags %04x\n",
- (void *)ire, (void *)ipif, flags));
- if ((flags & RTF_MULTIRT) && (fire != NULL) &&
- (fire->ire_flags & RTF_MULTIRT)) {
- /*
- * As requested by flags, an IRE_OFFSUBNET was
- * looked up on that interface. This ire has
- * RTF_MULTIRT flag, so the resolution loop will
- * be re-entered to resolve additional routes on
- * other interfaces. For that purpose, a copy of
- * the packet is performed at this point.
- */
- fire->ire_last_used_time = lbolt;
- copy_mp = copymsg(first_mp);
- if (copy_mp) {
- MULTIRT_DEBUG_TAG(copy_mp);
- }
- }
- if ((flags & RTF_SETSRC) && (fire != NULL) &&
- (fire->ire_flags & RTF_SETSRC)) {
- /*
- * As requested by flags, an IRE_OFFSUBET was
- * looked up on that interface. This ire has
- * RTF_SETSRC flag, so the source address of the
- * packet must be changed.
- */
- ipha->ipha_src = fire->ire_src_addr;
- }
- } else {
- /*
- * The only ways we can come here are:
- * 1) IP_BOUND_IF socket option is set
- * 2) SO_DONTROUTE socket option is set
- * 3) IP_PKTINFO option is passed in as ancillary data.
- * In all cases, the new ire will not be added
- * into cache table.
- */
- ASSERT(connp == NULL || connp->conn_dontroute ||
- connp->conn_outgoing_ill != NULL ||
- infop->ip_opt_ill_index != 0);
- ire_marks |= IRE_MARK_NOADD;
- }
-
- switch (ipif->ipif_net_type) {
- case IRE_IF_NORESOLVER: {
- /* We have what we need to build an IRE_CACHE. */
-
- if (dst_ill->ill_resolver_mp == NULL) {
- ip1dbg(("ip_newroute_ipif: dst_ill %p "
- "for IRE_IF_NORESOLVER ire %p has "
- "no ill_resolver_mp\n",
- (void *)dst_ill, (void *)ire));
- break;
- }
-
- /*
- * The new ire inherits the IRE_OFFSUBNET flags
- * and source address, if this was requested.
- */
- ire = ire_create(
- (uchar_t *)&dst, /* dest address */
- (uchar_t *)&ip_g_all_ones, /* mask */
- (uchar_t *)&src_ipif->ipif_src_addr, /* src addr */
- NULL, /* gateway address */
- &ipif->ipif_mtu,
- NULL, /* no src nce */
- dst_ill->ill_rq, /* recv-from queue */
- dst_ill->ill_wq, /* send-to queue */
- IRE_CACHE,
- src_ipif,
- (save_ire != NULL ? save_ire->ire_mask : 0),
- (fire != NULL) ? /* Parent handle */
- fire->ire_phandle : 0,
- (save_ire != NULL) ? /* Interface handle */
- save_ire->ire_ihandle : 0,
- (fire != NULL) ?
- (fire->ire_flags &
- (RTF_SETSRC | RTF_MULTIRT)) : 0,
- (save_ire == NULL ? &ire_uinfo_null :
- &save_ire->ire_uinfo),
- NULL,
- NULL,
- ipst);
-
- if (ire == NULL) {
- if (save_ire != NULL)
- ire_refrele(save_ire);
- break;
- }
-
- ire->ire_marks |= ire_marks;
-
- /*
- * If IRE_MARK_NOADD is set then we need to convert
- * the max_fragp to a useable value now. This is
- * normally done in ire_add_v[46]. We also need to
- * associate the ire with an nce (normally would be
- * done in ip_wput_nondata()).
- *
- * Note that IRE_MARK_NOADD packets created here
- * do not have a non-null ire_mp pointer. The null
- * value of ire_bucket indicates that they were
- * never added.
- */
- if (ire->ire_marks & IRE_MARK_NOADD) {
- uint_t max_frag;
-
- max_frag = *ire->ire_max_fragp;
- ire->ire_max_fragp = NULL;
- ire->ire_max_frag = max_frag;
-
- if ((ire->ire_nce = ndp_lookup_v4(
- ire_to_ill(ire),
- (ire->ire_gateway_addr != INADDR_ANY ?
- &ire->ire_gateway_addr : &ire->ire_addr),
- B_FALSE)) == NULL) {
- if (save_ire != NULL)
- ire_refrele(save_ire);
- break;
- }
- ASSERT(ire->ire_nce->nce_state ==
- ND_REACHABLE);
- NCE_REFHOLD_TO_REFHOLD_NOTR(ire->ire_nce);
- }
-
- /* Prevent save_ire from getting deleted */
- if (save_ire != NULL) {
- IRB_REFHOLD(save_ire->ire_bucket);
- /* Has it been removed already ? */
- if (save_ire->ire_marks & IRE_MARK_CONDEMNED) {
- IRB_REFRELE(save_ire->ire_bucket);
- ire_refrele(save_ire);
- break;
- }
- }
-
- ire_add_then_send(q, ire, first_mp);
-
- /* Assert that save_ire is not deleted yet. */
- if (save_ire != NULL) {
- ASSERT(save_ire->ire_ptpn != NULL);
- IRB_REFRELE(save_ire->ire_bucket);
- ire_refrele(save_ire);
- save_ire = NULL;
- }
- if (fire != NULL) {
- ire_refrele(fire);
- fire = NULL;
- }
-
- /*
- * the resolution loop is re-entered if this
- * was requested through flags and if we
- * actually are in a multirouting case.
- */
- if ((flags & RTF_MULTIRT) && (copy_mp != NULL)) {
- boolean_t need_resolve =
- ire_multirt_need_resolve(ipha_dst,
- msg_getlabel(copy_mp), ipst);
- if (!need_resolve) {
- MULTIRT_DEBUG_UNTAG(copy_mp);
- freemsg(copy_mp);
- copy_mp = NULL;
- } else {
- /*
- * ipif_lookup_group() calls
- * ire_lookup_multi() that uses
- * ire_ftable_lookup() to find
- * an IRE_INTERFACE for the group.
- * In the multirt case,
- * ire_lookup_multi() then invokes
- * ire_multirt_lookup() to find
- * the next resolvable ire.
- * As a result, we obtain an new
- * interface, derived from the
- * next ire.
- */
- ipif_refrele(ipif);
- ipif = ipif_lookup_group(ipha_dst,
- zoneid, ipst);
- ip2dbg(("ip_newroute_ipif: "
- "multirt dst %08x, ipif %p\n",
- htonl(dst), (void *)ipif));
- if (ipif != NULL) {
- mp = copy_mp;
- copy_mp = NULL;
- multirt_resolve_next = B_TRUE;
- continue;
- } else {
- freemsg(copy_mp);
- }
- }
- }
- if (ipif != NULL)
- ipif_refrele(ipif);
- ill_refrele(dst_ill);
- ipif_refrele(src_ipif);
- return;
- }
- case IRE_IF_RESOLVER:
- /*
- * We can't build an IRE_CACHE yet, but at least
- * we found a resolver that can help.
- */
- res_mp = dst_ill->ill_resolver_mp;
- if (!OK_RESOLVER_MP(res_mp))
- break;
-
- /*
- * We obtain a partial IRE_CACHE which we will pass
- * along with the resolver query. When the response
- * comes back it will be there ready for us to add.
- * The new ire inherits the IRE_OFFSUBNET flags
- * and source address, if this was requested.
- * The ire_max_frag is atomically set under the
- * irebucket lock in ire_add_v[46]. Only in the
- * case of IRE_MARK_NOADD, we set it here itself.
- */
- ire = ire_create_mp(
- (uchar_t *)&dst, /* dest address */
- (uchar_t *)&ip_g_all_ones, /* mask */
- (uchar_t *)&src_ipif->ipif_src_addr, /* src addr */
- NULL, /* gateway address */
- (ire_marks & IRE_MARK_NOADD) ?
- ipif->ipif_mtu : 0, /* max_frag */
- NULL, /* no src nce */
- dst_ill->ill_rq, /* recv-from queue */
- dst_ill->ill_wq, /* send-to queue */
- IRE_CACHE,
- src_ipif,
- (save_ire != NULL ? save_ire->ire_mask : 0),
- (fire != NULL) ? /* Parent handle */
- fire->ire_phandle : 0,
- (save_ire != NULL) ? /* Interface handle */
- save_ire->ire_ihandle : 0,
- (fire != NULL) ? /* flags if any */
- (fire->ire_flags &
- (RTF_SETSRC | RTF_MULTIRT)) : 0,
- (save_ire == NULL ? &ire_uinfo_null :
- &save_ire->ire_uinfo),
- NULL,
- NULL,
- ipst);
-
- if (save_ire != NULL) {
- ire_refrele(save_ire);
- save_ire = NULL;
- }
- if (ire == NULL)
- break;
-
- ire->ire_marks |= ire_marks;
- /*
- * Construct message chain for the resolver of the
- * form:
- * ARP_REQ_MBLK-->IRE_MBLK-->Packet
- *
- * NOTE : ire will be added later when the response
- * comes back from ARP. If the response does not
- * come back, ARP frees the packet. For this reason,
- * we can't REFHOLD the bucket of save_ire to prevent
- * deletions. We may not be able to REFRELE the
- * bucket if the response never comes back.
- * Thus, before adding the ire, ire_add_v4 will make
- * sure that the interface route does not get deleted.
- * This is the only case unlike ip_newroute_v6,
- * ip_newroute_ipif_v6 where we can always prevent
- * deletions because ire_add_then_send is called after
- * creating the IRE.
- * If IRE_MARK_NOADD is set, then ire_add_then_send
- * does not add this IRE into the IRE CACHE.
- */
- ASSERT(ire->ire_mp != NULL);
- ire->ire_mp->b_cont = first_mp;
- /* Have saved_mp handy, for cleanup if canput fails */
- saved_mp = mp;
- mp = copyb(res_mp);
- if (mp == NULL) {
- /* Prepare for cleanup */
- mp = saved_mp; /* pkt */
- ire_delete(ire); /* ire_mp */
- ire = NULL;
- if (copy_mp != NULL) {
- MULTIRT_DEBUG_UNTAG(copy_mp);
- freemsg(copy_mp);
- copy_mp = NULL;
- }
- break;
- }
- linkb(mp, ire->ire_mp);
-
- /*
- * Fill in the source and dest addrs for the resolver.
- * NOTE: this depends on memory layouts imposed by
- * ill_init(). There are corner cases above where we
- * might've created the IRE with an INADDR_ANY source
- * address (e.g., if the zeroth ipif on an underlying
- * ill in an IPMP group is 0.0.0.0, but another ipif
- * on the ill has a usable test address). If so, tell
- * ARP to use ipha_src as its sender address.
- */
- areq = (areq_t *)mp->b_rptr;
- addrp = (ipaddr_t *)((char *)areq +
- areq->areq_sender_addr_offset);
- if (ire->ire_src_addr != INADDR_ANY)
- *addrp = ire->ire_src_addr;
- else
- *addrp = ipha->ipha_src;
- addrp = (ipaddr_t *)((char *)areq +
- areq->areq_target_addr_offset);
- *addrp = dst;
- /* Up to the resolver. */
- if (canputnext(dst_ill->ill_rq) &&
- !(dst_ill->ill_arp_closing)) {
- putnext(dst_ill->ill_rq, mp);
- /*
- * The response will come back in ip_wput
- * with db_type IRE_DB_TYPE.
- */
- } else {
- mp->b_cont = NULL;
- freeb(mp); /* areq */
- ire_delete(ire); /* ire_mp */
- saved_mp->b_next = NULL;
- saved_mp->b_prev = NULL;
- freemsg(first_mp); /* pkt */
- ip2dbg(("ip_newroute_ipif: dropped\n"));
- }
-
- if (fire != NULL) {
- ire_refrele(fire);
- fire = NULL;
- }
+ int err;
- /*
- * The resolution loop is re-entered if this was
- * requested through flags and we actually are
- * in a multirouting case.
- */
- if ((flags & RTF_MULTIRT) && (copy_mp != NULL)) {
- boolean_t need_resolve =
- ire_multirt_need_resolve(ipha_dst,
- msg_getlabel(copy_mp), ipst);
- if (!need_resolve) {
- MULTIRT_DEBUG_UNTAG(copy_mp);
- freemsg(copy_mp);
- copy_mp = NULL;
- } else {
- /*
- * ipif_lookup_group() calls
- * ire_lookup_multi() that uses
- * ire_ftable_lookup() to find
- * an IRE_INTERFACE for the group.
- * In the multirt case,
- * ire_lookup_multi() then invokes
- * ire_multirt_lookup() to find
- * the next resolvable ire.
- * As a result, we obtain an new
- * interface, derived from the
- * next ire.
- */
- ipif_refrele(ipif);
- ipif = ipif_lookup_group(ipha_dst,
- zoneid, ipst);
- if (ipif != NULL) {
- mp = copy_mp;
- copy_mp = NULL;
- multirt_resolve_next = B_TRUE;
- continue;
- } else {
- freemsg(copy_mp);
- }
- }
- }
- if (ipif != NULL)
- ipif_refrele(ipif);
- ill_refrele(dst_ill);
- ipif_refrele(src_ipif);
- return;
- default:
- break;
- }
- } while (multirt_resolve_next);
-
-err_ret:
- ip2dbg(("ip_newroute_ipif: dropped\n"));
- if (fire != NULL)
- ire_refrele(fire);
- ipif_refrele(ipif);
- /* Did this packet originate externally? */
- if (dst_ill != NULL)
- ill_refrele(dst_ill);
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
- if (mp->b_prev || mp->b_next) {
- mp->b_next = NULL;
- mp->b_prev = NULL;
- } else {
+ mutex_enter(&ill->ill_lock);
+ while (ill->ill_state_flags & ILL_LL_SUBNET_PENDING) {
/*
- * Since ip_wput() isn't close to finished, we fill
- * in enough of the header for credible error reporting.
+ * Return value of 0 indicates a pending signal.
*/
- if (ip_hdr_complete((ipha_t *)mp->b_rptr, zoneid, ipst)) {
- /* Failed */
- freemsg(first_mp);
- if (ire != NULL)
- ire_refrele(ire);
- return;
+ err = cv_wait_sig(&ill->ill_cv, &ill->ill_lock);
+ if (err == 0) {
+ mutex_exit(&ill->ill_lock);
+ return (EINTR);
}
}
+ mutex_exit(&ill->ill_lock);
/*
- * At this point we will have ire only if RTF_BLACKHOLE
- * or RTF_REJECT flags are set on the IRE. It will not
- * generate ICMP_HOST_UNREACHABLE if RTF_BLACKHOLE is set.
+ * ip_rput_other could have set an error in ill_error on
+ * receipt of M_ERROR.
*/
- if (ire != NULL) {
- if (ire->ire_flags & RTF_BLACKHOLE) {
- ire_refrele(ire);
- freemsg(first_mp);
- return;
- }
- ire_refrele(ire);
- }
- icmp_unreachable(q, first_mp, ICMP_HOST_UNREACHABLE, zoneid, ipst);
-}
-
-/* Name/Value Table Lookup Routine */
-char *
-ip_nv_lookup(nv_t *nv, int value)
-{
- if (!nv)
- return (NULL);
- for (; nv->nv_name; nv++) {
- if (nv->nv_value == value)
- return (nv->nv_name);
- }
- return ("unknown");
+ return (ill->ill_error);
}
/*
@@ -9604,7 +5972,7 @@ ip_nv_lookup(nv_t *nv, int value)
* to a DLPI device. We allocate an ill_t as the instance data in
* this case.
*/
-int
+static int
ip_modopen(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
{
ill_t *ill;
@@ -9644,6 +6012,7 @@ ip_modopen(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
* down a DL_INFO_REQ after calling qprocson.
*/
err = ill_init(q, ill);
+
if (err != 0) {
mi_free(ill);
netstack_rele(ipst->ips_netstack);
@@ -9652,41 +6021,26 @@ ip_modopen(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
return (err);
}
- /* ill_init initializes the ipsq marking this thread as writer */
- ipsq_exit(ill->ill_phyint->phyint_ipsq);
- /* Wait for the DL_INFO_ACK */
- mutex_enter(&ill->ill_lock);
- while (ill->ill_state_flags & ILL_LL_SUBNET_PENDING) {
- /*
- * Return value of 0 indicates a pending signal.
- */
- err = cv_wait_sig(&ill->ill_cv, &ill->ill_lock);
- if (err == 0) {
- mutex_exit(&ill->ill_lock);
- (void) ip_close(q, 0);
- return (EINTR);
- }
- }
- mutex_exit(&ill->ill_lock);
-
/*
- * ip_rput_other could have set an error in ill_error on
- * receipt of M_ERROR.
+ * Wait for the DL_INFO_ACK if a DL_INFO_REQ was sent.
+ *
+ * ill_init initializes the ipsq marking this thread as
+ * writer
*/
+ ipsq_exit(ill->ill_phyint->phyint_ipsq);
+ err = ip_wait_for_info_ack(ill);
+ if (err == 0)
+ ill->ill_credp = credp;
+ else
+ goto fail;
- err = ill->ill_error;
- if (err != 0) {
- (void) ip_close(q, 0);
- return (err);
- }
-
- ill->ill_credp = credp;
crhold(credp);
mutex_enter(&ipst->ips_ip_mi_lock);
- err = mi_open_link(&ipst->ips_ip_g_head, (IDP)ill, devp, flag, sflag,
- credp);
+ err = mi_open_link(&ipst->ips_ip_g_head, (IDP)q->q_ptr, devp, flag,
+ sflag, credp);
mutex_exit(&ipst->ips_ip_mi_lock);
+fail:
if (err) {
(void) ip_close(q, 0);
return (err);
@@ -9719,8 +6073,6 @@ ip_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
netstack_t *ns;
ip_stack_t *ipst;
- TRACE_1(TR_FAC_IP, TR_IP_OPEN, "ip_open: q %p", q);
-
/* Allow reopen. */
if (q->q_ptr != NULL)
return (0);
@@ -9765,25 +6117,24 @@ ip_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
*/
netstack_rele(ipst->ips_netstack);
+ connp->conn_ixa->ixa_flags |= IXAF_MULTICAST_LOOP | IXAF_SET_ULP_CKSUM;
+ /* conn_allzones can not be set this early, hence no IPCL_ZONEID */
+ connp->conn_ixa->ixa_zoneid = zoneid;
connp->conn_zoneid = zoneid;
- connp->conn_sqp = NULL;
- connp->conn_initial_sqp = NULL;
- connp->conn_final_sqp = NULL;
- connp->conn_upq = q;
+ connp->conn_rq = q;
q->q_ptr = WR(q)->q_ptr = connp;
- if (flag & SO_SOCKSTR)
- connp->conn_flags |= IPCL_SOCKET;
-
/* Minor tells us which /dev entry was opened */
if (isv6) {
- connp->conn_af_isv6 = B_TRUE;
- ip_setpktversion(connp, isv6, B_FALSE, ipst);
- connp->conn_src_preferences = IPV6_PREFER_SRC_DEFAULT;
+ connp->conn_family = AF_INET6;
+ connp->conn_ipversion = IPV6_VERSION;
+ connp->conn_ixa->ixa_flags &= ~IXAF_IS_IPV4;
+ connp->conn_ixa->ixa_src_preferences = IPV6_PREFER_SRC_DEFAULT;
} else {
- connp->conn_af_isv6 = B_FALSE;
- connp->conn_pkt_isv6 = B_FALSE;
+ connp->conn_family = AF_INET;
+ connp->conn_ipversion = IPV4_VERSION;
+ connp->conn_ixa->ixa_flags |= IXAF_IS_IPV4;
}
if ((ip_minor_arena_la != NULL) && (flag & SO_SOCKSTR) &&
@@ -9812,11 +6163,17 @@ ip_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
* connp->conn_cred is crfree()ed in ipcl_conn_destroy()
*/
connp->conn_cred = credp;
+ /* Cache things in ixa without an extra refhold */
+ connp->conn_ixa->ixa_cred = connp->conn_cred;
+ connp->conn_ixa->ixa_cpid = connp->conn_cpid;
+ if (is_system_labeled())
+ connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
/*
- * Handle IP_RTS_REQUEST and other ioctls which use conn_recv
+ * Handle IP_IOC_RTS_REQUEST and other ioctls which use conn_recv
*/
connp->conn_recv = ip_conn_input;
+ connp->conn_recvicmp = ip_conn_input_icmp;
crhold(connp->conn_cred);
@@ -9827,11 +6184,13 @@ ip_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
if (getpflags(NET_MAC_AWARE, credp) != 0)
connp->conn_mac_mode = CONN_MAC_AWARE;
+ connp->conn_zone_is_global = (crgetzoneid(credp) == GLOBAL_ZONEID);
+
connp->conn_rq = q;
connp->conn_wq = WR(q);
/* Non-zero default values */
- connp->conn_multicast_loop = IP_DEFAULT_MULTICAST_LOOP;
+ connp->conn_ixa->ixa_flags |= IXAF_MULTICAST_LOOP;
/*
* Make the conn globally visible to walkers
@@ -9847,210 +6206,6 @@ ip_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
}
/*
- * Change the output format (IPv4 vs. IPv6) for a conn_t.
- * Note that there is no race since either ip_output function works - it
- * is just an optimization to enter the best ip_output routine directly.
- */
-void
-ip_setpktversion(conn_t *connp, boolean_t isv6, boolean_t bump_mib,
- ip_stack_t *ipst)
-{
- if (isv6) {
- if (bump_mib) {
- BUMP_MIB(&ipst->ips_ip6_mib,
- ipIfStatsOutSwitchIPVersion);
- }
- connp->conn_send = ip_output_v6;
- connp->conn_pkt_isv6 = B_TRUE;
- } else {
- if (bump_mib) {
- BUMP_MIB(&ipst->ips_ip_mib,
- ipIfStatsOutSwitchIPVersion);
- }
- connp->conn_send = ip_output;
- connp->conn_pkt_isv6 = B_FALSE;
- }
-
-}
-
-/*
- * See if IPsec needs loading because of the options in mp.
- */
-static boolean_t
-ipsec_opt_present(mblk_t *mp)
-{
- uint8_t *optcp, *next_optcp, *opt_endcp;
- struct opthdr *opt;
- struct T_opthdr *topt;
- int opthdr_len;
- t_uscalar_t optname, optlevel;
- struct T_optmgmt_req *tor = (struct T_optmgmt_req *)mp->b_rptr;
- ipsec_req_t *ipsr;
-
- /*
- * Walk through the mess, and find IP_SEC_OPT. If it's there,
- * return TRUE.
- */
-
- optcp = mi_offset_param(mp, tor->OPT_offset, tor->OPT_length);
- opt_endcp = optcp + tor->OPT_length;
- if (tor->PRIM_type == T_OPTMGMT_REQ) {
- opthdr_len = sizeof (struct T_opthdr);
- } else { /* O_OPTMGMT_REQ */
- ASSERT(tor->PRIM_type == T_SVR4_OPTMGMT_REQ);
- opthdr_len = sizeof (struct opthdr);
- }
- for (; optcp < opt_endcp; optcp = next_optcp) {
- if (optcp + opthdr_len > opt_endcp)
- return (B_FALSE); /* Not enough option header. */
- if (tor->PRIM_type == T_OPTMGMT_REQ) {
- topt = (struct T_opthdr *)optcp;
- optlevel = topt->level;
- optname = topt->name;
- next_optcp = optcp + _TPI_ALIGN_TOPT(topt->len);
- } else {
- opt = (struct opthdr *)optcp;
- optlevel = opt->level;
- optname = opt->name;
- next_optcp = optcp + opthdr_len +
- _TPI_ALIGN_OPT(opt->len);
- }
- if ((next_optcp < optcp) || /* wraparound pointer space */
- ((next_optcp >= opt_endcp) && /* last option bad len */
- ((next_optcp - opt_endcp) >= __TPI_ALIGN_SIZE)))
- return (B_FALSE); /* bad option buffer */
- if ((optlevel == IPPROTO_IP && optname == IP_SEC_OPT) ||
- (optlevel == IPPROTO_IPV6 && optname == IPV6_SEC_OPT)) {
- /*
- * Check to see if it's an all-bypass or all-zeroes
- * IPsec request. Don't bother loading IPsec if
- * the socket doesn't want to use it. (A good example
- * is a bypass request.)
- *
- * Basically, if any of the non-NEVER bits are set,
- * load IPsec.
- */
- ipsr = (ipsec_req_t *)(optcp + opthdr_len);
- if ((ipsr->ipsr_ah_req & ~IPSEC_PREF_NEVER) != 0 ||
- (ipsr->ipsr_esp_req & ~IPSEC_PREF_NEVER) != 0 ||
- (ipsr->ipsr_self_encap_req & ~IPSEC_PREF_NEVER)
- != 0)
- return (B_TRUE);
- }
- }
- return (B_FALSE);
-}
-
-/*
- * If conn is is waiting for ipsec to finish loading, kick it.
- */
-/* ARGSUSED */
-static void
-conn_restart_ipsec_waiter(conn_t *connp, void *arg)
-{
- t_scalar_t optreq_prim;
- mblk_t *mp;
- cred_t *cr;
- int err = 0;
-
- /*
- * This function is called, after ipsec loading is complete.
- * Since IP checks exclusively and atomically (i.e it prevents
- * ipsec load from completing until ip_optcom_req completes)
- * whether ipsec load is complete, there cannot be a race with IP
- * trying to set the CONN_IPSEC_LOAD_WAIT flag on any conn now.
- */
- mutex_enter(&connp->conn_lock);
- if (connp->conn_state_flags & CONN_IPSEC_LOAD_WAIT) {
- ASSERT(connp->conn_ipsec_opt_mp != NULL);
- mp = connp->conn_ipsec_opt_mp;
- connp->conn_ipsec_opt_mp = NULL;
- connp->conn_state_flags &= ~CONN_IPSEC_LOAD_WAIT;
- mutex_exit(&connp->conn_lock);
-
- /*
- * All Solaris components should pass a db_credp
- * for this TPI message, hence we ASSERT.
- * But in case there is some other M_PROTO that looks
- * like a TPI message sent by some other kernel
- * component, we check and return an error.
- */
- cr = msg_getcred(mp, NULL);
- ASSERT(cr != NULL);
- if (cr == NULL) {
- mp = mi_tpi_err_ack_alloc(mp, TSYSERR, EINVAL);
- if (mp != NULL)
- qreply(connp->conn_wq, mp);
- return;
- }
-
- ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO);
-
- optreq_prim = ((union T_primitives *)mp->b_rptr)->type;
- if (optreq_prim == T_OPTMGMT_REQ) {
- err = tpi_optcom_req(CONNP_TO_WQ(connp), mp, cr,
- &ip_opt_obj, B_FALSE);
- } else {
- ASSERT(optreq_prim == T_SVR4_OPTMGMT_REQ);
- err = svr4_optcom_req(CONNP_TO_WQ(connp), mp, cr,
- &ip_opt_obj, B_FALSE);
- }
- if (err != EINPROGRESS)
- CONN_OPER_PENDING_DONE(connp);
- return;
- }
- mutex_exit(&connp->conn_lock);
-}
-
-/*
- * Called from the ipsec_loader thread, outside any perimeter, to tell
- * ip qenable any of the queues waiting for the ipsec loader to
- * complete.
- */
-void
-ip_ipsec_load_complete(ipsec_stack_t *ipss)
-{
- netstack_t *ns = ipss->ipsec_netstack;
-
- ipcl_walk(conn_restart_ipsec_waiter, NULL, ns->netstack_ip);
-}
-
-/*
- * Can't be used. Need to call svr4* -> optset directly. the leaf routine
- * determines the grp on which it has to become exclusive, queues the mp
- * and IPSQ draining restarts the optmgmt
- */
-static boolean_t
-ip_check_for_ipsec_opt(queue_t *q, mblk_t *mp)
-{
- conn_t *connp = Q_TO_CONN(q);
- ipsec_stack_t *ipss = connp->conn_netstack->netstack_ipsec;
-
- /*
- * Take IPsec requests and treat them special.
- */
- if (ipsec_opt_present(mp)) {
- /* First check if IPsec is loaded. */
- mutex_enter(&ipss->ipsec_loader_lock);
- if (ipss->ipsec_loader_state != IPSEC_LOADER_WAIT) {
- mutex_exit(&ipss->ipsec_loader_lock);
- return (B_FALSE);
- }
- mutex_enter(&connp->conn_lock);
- connp->conn_state_flags |= CONN_IPSEC_LOAD_WAIT;
-
- ASSERT(connp->conn_ipsec_opt_mp == NULL);
- connp->conn_ipsec_opt_mp = mp;
- mutex_exit(&connp->conn_lock);
- mutex_exit(&ipss->ipsec_loader_lock);
-
- ipsec_loader_loadnow(ipss);
- return (B_TRUE);
- }
- return (B_FALSE);
-}
-
-/*
* Set IPsec policy from an ipsec_req_t. If the req is not "zero" and valid,
* all of them are copied to the conn_t. If the req is "zero", the policy is
* zeroed out. A "zero" policy has zero ipsr_{ah,req,self_encap}_req
@@ -10149,15 +6304,14 @@ ipsec_set_req(cred_t *cr, conn_t *connp, ipsec_req_t *req)
}
}
- mutex_enter(&connp->conn_lock);
+ ASSERT(MUTEX_HELD(&connp->conn_lock));
/*
- * If we have already cached policies in ip_bind_connected*(), don't
+ * If we have already cached policies in conn_connect(), don't
* let them change now. We cache policies for connections
* whose src,dst [addr, port] is known.
*/
if (connp->conn_policy_cached) {
- mutex_exit(&connp->conn_lock);
return (EINVAL);
}
@@ -10171,10 +6325,8 @@ ipsec_set_req(cred_t *cr, conn_t *connp, ipsec_req_t *req)
IPPH_REFRELE(connp->conn_policy, ipst->ips_netstack);
connp->conn_policy = NULL;
}
- connp->conn_flags &= ~IPCL_CHECK_POLICY;
connp->conn_in_enforce_policy = B_FALSE;
connp->conn_out_enforce_policy = B_FALSE;
- mutex_exit(&connp->conn_lock);
return (0);
}
@@ -10203,7 +6355,7 @@ ipsec_set_req(cred_t *cr, conn_t *connp, ipsec_req_t *req)
* We're looking at a v6 socket, also insert the v6-specific
* entries.
*/
- if (connp->conn_af_isv6) {
+ if (connp->conn_family == AF_INET6) {
if (!ipsec_polhead_insert(ph, actp, nact, IPSEC_AF_V6,
IPSEC_TYPE_INBOUND, ns))
goto enomem;
@@ -10217,10 +6369,10 @@ ipsec_set_req(cred_t *cr, conn_t *connp, ipsec_req_t *req)
/*
* If the requests need security, set enforce_policy.
* If the requests are IPSEC_PREF_NEVER, one should
- * still set conn_out_enforce_policy so that an ipsec_out
- * gets attached in ip_wput. This is needed so that
- * for connections that we don't cache policy in ip_bind,
- * if global policy matches in ip_wput_attach_policy, we
+ * still set conn_out_enforce_policy so that ip_set_destination
+ * marks the ip_xmit_attr_t appropriatly. This is needed so that
+ * for connections that we don't cache policy in at connect time,
+ * if global policy matches in ip_output_attach_policy, we
* don't wrongly inherit global policy. Similarly, we need
* to set conn_in_enforce_policy also so that we don't verify
* policy wrongly.
@@ -10230,10 +6382,8 @@ ipsec_set_req(cred_t *cr, conn_t *connp, ipsec_req_t *req)
(se_req & REQ_MASK) != 0) {
connp->conn_in_enforce_policy = B_TRUE;
connp->conn_out_enforce_policy = B_TRUE;
- connp->conn_flags |= IPCL_CHECK_POLICY;
}
- mutex_exit(&connp->conn_lock);
return (error);
#undef REQ_MASK
@@ -10241,7 +6391,6 @@ ipsec_set_req(cred_t *cr, conn_t *connp, ipsec_req_t *req)
* Common memory-allocation-failure exit path.
*/
enomem:
- mutex_exit(&connp->conn_lock);
if (actp != NULL)
ipsec_actvec_free(actp, nact);
if (is_pol_inserted)
@@ -10250,1250 +6399,283 @@ enomem:
}
/*
- * Only for options that pass in an IP addr. Currently only V4 options
- * pass in an ipif. V6 options always pass an ifindex specifying the ill.
- * So this function assumes level is IPPROTO_IP
+ * Set socket options for joining and leaving multicast groups.
+ * Common to IPv4 and IPv6; inet6 indicates the type of socket.
+ * The caller has already check that the option name is consistent with
+ * the address family of the socket.
*/
int
-ip_opt_set_ipif(conn_t *connp, ipaddr_t addr, boolean_t checkonly, int option,
- mblk_t *first_mp)
+ip_opt_set_multicast_group(conn_t *connp, t_scalar_t name,
+ uchar_t *invalp, boolean_t inet6, boolean_t checkonly)
{
- ipif_t *ipif = NULL;
- int error;
- ill_t *ill;
- int zoneid;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- ip2dbg(("ip_opt_set_ipif: ipaddr %X\n", addr));
-
- if (addr != INADDR_ANY || checkonly) {
- ASSERT(connp != NULL);
- zoneid = IPCL_ZONEID(connp);
- if (option == IP_NEXTHOP) {
- ipif = ipif_lookup_onlink_addr(addr,
- connp->conn_zoneid, ipst);
- } else {
- ipif = ipif_lookup_addr(addr, NULL, zoneid,
- CONNP_TO_WQ(connp), first_mp, ip_restart_optmgmt,
- &error, ipst);
- }
- if (ipif == NULL) {
- if (error == EINPROGRESS)
- return (error);
- if ((option == IP_MULTICAST_IF) ||
- (option == IP_NEXTHOP))
- return (EHOSTUNREACH);
- else
- return (EINVAL);
- } else if (checkonly) {
- if (option == IP_MULTICAST_IF) {
- ill = ipif->ipif_ill;
- /* not supported by the virtual network iface */
- if (IS_VNI(ill)) {
- ipif_refrele(ipif);
- return (EINVAL);
- }
- }
- ipif_refrele(ipif);
- return (0);
- }
- ill = ipif->ipif_ill;
- mutex_enter(&connp->conn_lock);
- mutex_enter(&ill->ill_lock);
- if ((ill->ill_state_flags & ILL_CONDEMNED) ||
- (ipif->ipif_state_flags & IPIF_CONDEMNED)) {
- mutex_exit(&ill->ill_lock);
- mutex_exit(&connp->conn_lock);
- ipif_refrele(ipif);
- return (option == IP_MULTICAST_IF ?
- EHOSTUNREACH : EINVAL);
- }
- } else {
- mutex_enter(&connp->conn_lock);
- }
-
- /* None of the options below are supported on the VNI */
- if (ipif != NULL && IS_VNI(ipif->ipif_ill)) {
- mutex_exit(&ill->ill_lock);
- mutex_exit(&connp->conn_lock);
- ipif_refrele(ipif);
- return (EINVAL);
- }
-
- switch (option) {
- case IP_MULTICAST_IF:
- connp->conn_multicast_ipif = ipif;
+ int *i1 = (int *)invalp;
+ int error = 0;
+ ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+ struct ip_mreq *v4_mreqp;
+ struct ipv6_mreq *v6_mreqp;
+ struct group_req *greqp;
+ ire_t *ire;
+ boolean_t done = B_FALSE;
+ ipaddr_t ifaddr;
+ in6_addr_t v6group;
+ uint_t ifindex;
+ boolean_t mcast_opt = B_TRUE;
+ mcast_record_t fmode;
+ int (*optfn)(conn_t *, boolean_t, const in6_addr_t *,
+ ipaddr_t, uint_t, mcast_record_t, const in6_addr_t *);
+
+ switch (name) {
+ case IP_ADD_MEMBERSHIP:
+ case IPV6_JOIN_GROUP:
+ mcast_opt = B_FALSE;
+ /* FALLTHRU */
+ case MCAST_JOIN_GROUP:
+ fmode = MODE_IS_EXCLUDE;
+ optfn = ip_opt_add_group;
break;
- case IP_NEXTHOP:
- connp->conn_nexthop_v4 = addr;
- connp->conn_nexthop_set = B_TRUE;
+
+ case IP_DROP_MEMBERSHIP:
+ case IPV6_LEAVE_GROUP:
+ mcast_opt = B_FALSE;
+ /* FALLTHRU */
+ case MCAST_LEAVE_GROUP:
+ fmode = MODE_IS_INCLUDE;
+ optfn = ip_opt_delete_group;
break;
+ default:
+ ASSERT(0);
}
- if (ipif != NULL) {
- mutex_exit(&ill->ill_lock);
- mutex_exit(&connp->conn_lock);
- ipif_refrele(ipif);
- return (0);
- }
- mutex_exit(&connp->conn_lock);
- /* We succeded in cleared the option */
- return (0);
-}
+ if (mcast_opt) {
+ struct sockaddr_in *sin;
+ struct sockaddr_in6 *sin6;
-/*
- * For options that pass in an ifindex specifying the ill. V6 options always
- * pass in an ill. Some v4 options also pass in ifindex specifying the ill.
- */
-int
-ip_opt_set_ill(conn_t *connp, int ifindex, boolean_t isv6, boolean_t checkonly,
- int level, int option, mblk_t *first_mp)
-{
- ill_t *ill = NULL;
- int error = 0;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- ip2dbg(("ip_opt_set_ill: ifindex %d\n", ifindex));
- if (ifindex != 0) {
- ASSERT(connp != NULL);
- ill = ill_lookup_on_ifindex(ifindex, isv6, CONNP_TO_WQ(connp),
- first_mp, ip_restart_optmgmt, &error, ipst);
- if (ill != NULL) {
- if (checkonly) {
- /* not supported by the virtual network iface */
- if (IS_VNI(ill)) {
- ill_refrele(ill);
- return (EINVAL);
- }
- ill_refrele(ill);
- return (0);
- }
- if (!ipif_lookup_zoneid(ill, connp->conn_zoneid,
- 0, NULL)) {
- ill_refrele(ill);
- ill = NULL;
- mutex_enter(&connp->conn_lock);
- goto setit;
- }
- mutex_enter(&connp->conn_lock);
- mutex_enter(&ill->ill_lock);
- if (ill->ill_state_flags & ILL_CONDEMNED) {
- mutex_exit(&ill->ill_lock);
- mutex_exit(&connp->conn_lock);
- ill_refrele(ill);
- ill = NULL;
- mutex_enter(&connp->conn_lock);
- }
- goto setit;
- } else if (error == EINPROGRESS) {
- return (error);
+ greqp = (struct group_req *)i1;
+ if (greqp->gr_group.ss_family == AF_INET) {
+ sin = (struct sockaddr_in *)&(greqp->gr_group);
+ IN6_INADDR_TO_V4MAPPED(&sin->sin_addr, &v6group);
} else {
- error = 0;
- }
+ if (!inet6)
+ return (EINVAL); /* Not on INET socket */
+
+ sin6 = (struct sockaddr_in6 *)&(greqp->gr_group);
+ v6group = sin6->sin6_addr;
+ }
+ ifaddr = INADDR_ANY;
+ ifindex = greqp->gr_interface;
+ } else if (inet6) {
+ v6_mreqp = (struct ipv6_mreq *)i1;
+ v6group = v6_mreqp->ipv6mr_multiaddr;
+ ifaddr = INADDR_ANY;
+ ifindex = v6_mreqp->ipv6mr_interface;
+ } else {
+ v4_mreqp = (struct ip_mreq *)i1;
+ IN6_INADDR_TO_V4MAPPED(&v4_mreqp->imr_multiaddr, &v6group);
+ ifaddr = (ipaddr_t)v4_mreqp->imr_interface.s_addr;
+ ifindex = 0;
}
- mutex_enter(&connp->conn_lock);
-setit:
- ASSERT((level == IPPROTO_IP || level == IPPROTO_IPV6));
/*
- * The options below assume that the ILL (if any) transmits and/or
- * receives traffic. Neither of which is true for the virtual network
- * interface, so fail setting these on a VNI.
+ * In the multirouting case, we need to replicate
+ * the request on all interfaces that will take part
+ * in replication. We do so because multirouting is
+ * reflective, thus we will probably receive multi-
+ * casts on those interfaces.
+ * The ip_multirt_apply_membership() succeeds if
+ * the operation succeeds on at least one interface.
*/
- if (IS_VNI(ill)) {
- ASSERT(ill != NULL);
- mutex_exit(&ill->ill_lock);
- mutex_exit(&connp->conn_lock);
- ill_refrele(ill);
- return (EINVAL);
- }
-
- if (level == IPPROTO_IP) {
- switch (option) {
- case IP_BOUND_IF:
- connp->conn_incoming_ill = ill;
- connp->conn_outgoing_ill = ill;
- break;
-
- case IP_MULTICAST_IF:
- /*
- * This option is an internal special. The socket
- * level IP_MULTICAST_IF specifies an 'ipaddr' and
- * is handled in ip_opt_set_ipif. IPV6_MULTICAST_IF
- * specifies an ifindex and we try first on V6 ill's.
- * If we don't find one, we they try using on v4 ill's
- * intenally and we come here.
- */
- if (!checkonly && ill != NULL) {
- ipif_t *ipif;
- ipif = ill->ill_ipif;
-
- if (ipif->ipif_state_flags & IPIF_CONDEMNED) {
- mutex_exit(&ill->ill_lock);
- mutex_exit(&connp->conn_lock);
- ill_refrele(ill);
- ill = NULL;
- mutex_enter(&connp->conn_lock);
- } else {
- connp->conn_multicast_ipif = ipif;
- }
- }
- break;
+ if (IN6_IS_ADDR_V4MAPPED(&v6group)) {
+ ipaddr_t group;
- case IP_DHCPINIT_IF:
- if (connp->conn_dhcpinit_ill != NULL) {
- /*
- * We've locked the conn so conn_cleanup_ill()
- * cannot clear conn_dhcpinit_ill -- so it's
- * safe to access the ill.
- */
- ill_t *oill = connp->conn_dhcpinit_ill;
+ IN6_V4MAPPED_TO_IPADDR(&v6group, group);
- ASSERT(oill->ill_dhcpinit != 0);
- atomic_dec_32(&oill->ill_dhcpinit);
- connp->conn_dhcpinit_ill = NULL;
- }
-
- if (ill != NULL) {
- connp->conn_dhcpinit_ill = ill;
- atomic_inc_32(&ill->ill_dhcpinit);
- }
- break;
- }
+ ire = ire_ftable_lookup_v4(group, IP_HOST_MASK, 0,
+ IRE_HOST | IRE_INTERFACE, NULL, ALL_ZONES, NULL,
+ MATCH_IRE_MASK | MATCH_IRE_TYPE, 0, ipst, NULL);
} else {
- switch (option) {
- case IPV6_BOUND_IF:
- connp->conn_incoming_ill = ill;
- connp->conn_outgoing_ill = ill;
- break;
-
- case IPV6_MULTICAST_IF:
- /*
- * Set conn_multicast_ill to be the IPv6 ill.
- * Set conn_multicast_ipif to be an IPv4 ipif
- * for ifindex to make IPv4 mapped addresses
- * on PF_INET6 sockets honor IPV6_MULTICAST_IF.
- * Even if no IPv6 ill exists for the ifindex
- * we need to check for an IPv4 ifindex in order
- * for this to work with mapped addresses. In that
- * case only set conn_multicast_ipif.
- */
- if (!checkonly) {
- if (ifindex == 0) {
- connp->conn_multicast_ill = NULL;
- connp->conn_multicast_ipif = NULL;
- } else if (ill != NULL) {
- connp->conn_multicast_ill = ill;
- }
- }
- break;
+ ire = ire_ftable_lookup_v6(&v6group, &ipv6_all_ones, 0,
+ IRE_HOST | IRE_INTERFACE, NULL, ALL_ZONES, NULL,
+ MATCH_IRE_MASK | MATCH_IRE_TYPE, 0, ipst, NULL);
+ }
+ if (ire != NULL) {
+ if (ire->ire_flags & RTF_MULTIRT) {
+ error = ip_multirt_apply_membership(optfn, ire, connp,
+ checkonly, &v6group, fmode, &ipv6_all_zeros);
+ done = B_TRUE;
}
+ ire_refrele(ire);
}
- if (ill != NULL) {
- mutex_exit(&ill->ill_lock);
- mutex_exit(&connp->conn_lock);
- ill_refrele(ill);
- return (0);
+ if (!done) {
+ error = optfn(connp, checkonly, &v6group, ifaddr, ifindex,
+ fmode, &ipv6_all_zeros);
}
- mutex_exit(&connp->conn_lock);
- /*
- * We succeeded in clearing the option (ifindex == 0) or failed to
- * locate the ill and could not set the option (ifindex != 0)
- */
- return (ifindex == 0 ? 0 : EINVAL);
+ return (error);
}
-/* This routine sets socket options. */
-/* ARGSUSED */
+/*
+ * Set socket options for joining and leaving multicast groups
+ * for specific sources.
+ * Common to IPv4 and IPv6; inet6 indicates the type of socket.
+ * The caller has already check that the option name is consistent with
+ * the address family of the socket.
+ */
int
-ip_opt_set(queue_t *q, uint_t optset_context, int level, int name,
- uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
- void *dummy, cred_t *cr, mblk_t *first_mp)
+ip_opt_set_multicast_sources(conn_t *connp, t_scalar_t name,
+ uchar_t *invalp, boolean_t inet6, boolean_t checkonly)
{
int *i1 = (int *)invalp;
- conn_t *connp = Q_TO_CONN(q);
int error = 0;
- boolean_t checkonly;
- ire_t *ire;
- boolean_t found;
ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+ struct ip_mreq_source *imreqp;
+ struct group_source_req *gsreqp;
+ in6_addr_t v6group, v6src;
+ uint32_t ifindex;
+ ipaddr_t ifaddr;
+ boolean_t mcast_opt = B_TRUE;
+ mcast_record_t fmode;
+ ire_t *ire;
+ boolean_t done = B_FALSE;
+ int (*optfn)(conn_t *, boolean_t, const in6_addr_t *,
+ ipaddr_t, uint_t, mcast_record_t, const in6_addr_t *);
- switch (optset_context) {
-
- case SETFN_OPTCOM_CHECKONLY:
- checkonly = B_TRUE;
- /*
- * Note: Implies T_CHECK semantics for T_OPTCOM_REQ
- * inlen != 0 implies value supplied and
- * we have to "pretend" to set it.
- * inlen == 0 implies that there is no
- * value part in T_CHECK request and just validation
- * done elsewhere should be enough, we just return here.
- */
- if (inlen == 0) {
- *outlenp = 0;
- return (0);
- }
- break;
- case SETFN_OPTCOM_NEGOTIATE:
- case SETFN_UD_NEGOTIATE:
- case SETFN_CONN_NEGOTIATE:
- checkonly = B_FALSE;
+ switch (name) {
+ case IP_BLOCK_SOURCE:
+ mcast_opt = B_FALSE;
+ /* FALLTHRU */
+ case MCAST_BLOCK_SOURCE:
+ fmode = MODE_IS_EXCLUDE;
+ optfn = ip_opt_add_group;
break;
- default:
- /*
- * We should never get here
- */
- *outlenp = 0;
- return (EINVAL);
- }
-
- ASSERT((optset_context != SETFN_OPTCOM_CHECKONLY) ||
- (optset_context == SETFN_OPTCOM_CHECKONLY && inlen != 0));
- /*
- * For fixed length options, no sanity check
- * of passed in length is done. It is assumed *_optcom_req()
- * routines do the right thing.
- */
-
- switch (level) {
- case SOL_SOCKET:
- /*
- * conn_lock protects the bitfields, and is used to
- * set the fields atomically.
- */
- switch (name) {
- case SO_BROADCAST:
- if (!checkonly) {
- /* TODO: use value someplace? */
- mutex_enter(&connp->conn_lock);
- connp->conn_broadcast = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case SO_USELOOPBACK:
- if (!checkonly) {
- /* TODO: use value someplace? */
- mutex_enter(&connp->conn_lock);
- connp->conn_loopback = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case SO_DONTROUTE:
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_dontroute = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case SO_REUSEADDR:
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_reuseaddr = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case SO_PROTOTYPE:
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_proto = *i1;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case SO_ALLZONES:
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- if (IPCL_IS_BOUND(connp)) {
- mutex_exit(&connp->conn_lock);
- return (EINVAL);
- }
- connp->conn_allzones = *i1 != 0 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case SO_ANON_MLP:
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_anon_mlp = *i1 != 0 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case SO_MAC_EXEMPT:
- if (secpolicy_net_mac_aware(cr) != 0 ||
- IPCL_IS_BOUND(connp))
- return (EACCES);
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_mac_mode = *i1 != 0 ?
- CONN_MAC_AWARE : CONN_MAC_DEFAULT;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case SO_MAC_IMPLICIT:
- if (secpolicy_net_mac_implicit(cr) != 0)
- return (EACCES);
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_mac_mode = *i1 != 0 ?
- CONN_MAC_IMPLICIT : CONN_MAC_DEFAULT;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- default:
- /*
- * "soft" error (negative)
- * option not handled at this level
- * Note: Do not modify *outlenp
- */
- return (-EINVAL);
- }
+ case IP_UNBLOCK_SOURCE:
+ mcast_opt = B_FALSE;
+ /* FALLTHRU */
+ case MCAST_UNBLOCK_SOURCE:
+ fmode = MODE_IS_EXCLUDE;
+ optfn = ip_opt_delete_group;
break;
- case IPPROTO_IP:
- switch (name) {
- case IP_NEXTHOP:
- if (secpolicy_ip_config(cr, B_FALSE) != 0)
- return (EPERM);
- /* FALLTHRU */
- case IP_MULTICAST_IF: {
- ipaddr_t addr = *i1;
-
- error = ip_opt_set_ipif(connp, addr, checkonly, name,
- first_mp);
- if (error != 0)
- return (error);
- break; /* goto sizeof (int) option return */
- }
-
- case IP_MULTICAST_TTL:
- /* Recorded in transport above IP */
- *outvalp = *invalp;
- *outlenp = sizeof (uchar_t);
- return (0);
- case IP_MULTICAST_LOOP:
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_multicast_loop = *invalp ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- *outvalp = *invalp;
- *outlenp = sizeof (uchar_t);
- return (0);
- case IP_ADD_MEMBERSHIP:
- case MCAST_JOIN_GROUP:
- case IP_DROP_MEMBERSHIP:
- case MCAST_LEAVE_GROUP: {
- struct ip_mreq *mreqp;
- struct group_req *greqp;
- ire_t *ire;
- boolean_t done = B_FALSE;
- ipaddr_t group, ifaddr;
- struct sockaddr_in *sin;
- uint32_t *ifindexp;
- boolean_t mcast_opt = B_TRUE;
- mcast_record_t fmode;
- int (*optfn)(conn_t *, boolean_t, ipaddr_t, ipaddr_t,
- uint_t *, mcast_record_t, ipaddr_t, mblk_t *);
-
- switch (name) {
- case IP_ADD_MEMBERSHIP:
- mcast_opt = B_FALSE;
- /* FALLTHRU */
- case MCAST_JOIN_GROUP:
- fmode = MODE_IS_EXCLUDE;
- optfn = ip_opt_add_group;
- break;
-
- case IP_DROP_MEMBERSHIP:
- mcast_opt = B_FALSE;
- /* FALLTHRU */
- case MCAST_LEAVE_GROUP:
- fmode = MODE_IS_INCLUDE;
- optfn = ip_opt_delete_group;
- break;
- }
-
- if (mcast_opt) {
- greqp = (struct group_req *)i1;
- sin = (struct sockaddr_in *)&greqp->gr_group;
- if (sin->sin_family != AF_INET) {
- *outlenp = 0;
- return (ENOPROTOOPT);
- }
- group = (ipaddr_t)sin->sin_addr.s_addr;
- ifaddr = INADDR_ANY;
- ifindexp = &greqp->gr_interface;
- } else {
- mreqp = (struct ip_mreq *)i1;
- group = (ipaddr_t)mreqp->imr_multiaddr.s_addr;
- ifaddr = (ipaddr_t)mreqp->imr_interface.s_addr;
- ifindexp = NULL;
- }
-
- /*
- * In the multirouting case, we need to replicate
- * the request on all interfaces that will take part
- * in replication. We do so because multirouting is
- * reflective, thus we will probably receive multi-
- * casts on those interfaces.
- * The ip_multirt_apply_membership() succeeds if the
- * operation succeeds on at least one interface.
- */
- ire = ire_ftable_lookup(group, IP_HOST_MASK, 0,
- IRE_HOST, NULL, NULL, ALL_ZONES, 0, NULL,
- MATCH_IRE_MASK | MATCH_IRE_TYPE, ipst);
- if (ire != NULL) {
- if (ire->ire_flags & RTF_MULTIRT) {
- error = ip_multirt_apply_membership(
- optfn, ire, connp, checkonly, group,
- fmode, INADDR_ANY, first_mp);
- done = B_TRUE;
- }
- ire_refrele(ire);
- }
- if (!done) {
- error = optfn(connp, checkonly, group, ifaddr,
- ifindexp, fmode, INADDR_ANY, first_mp);
- }
- if (error) {
- /*
- * EINPROGRESS is a soft error, needs retry
- * so don't make *outlenp zero.
- */
- if (error != EINPROGRESS)
- *outlenp = 0;
- return (error);
- }
- /* OK return - copy input buffer into output buffer */
- if (invalp != outvalp) {
- /* don't trust bcopy for identical src/dst */
- bcopy(invalp, outvalp, inlen);
- }
- *outlenp = inlen;
- return (0);
- }
- case IP_BLOCK_SOURCE:
- case IP_UNBLOCK_SOURCE:
- case IP_ADD_SOURCE_MEMBERSHIP:
- case IP_DROP_SOURCE_MEMBERSHIP:
- case MCAST_BLOCK_SOURCE:
- case MCAST_UNBLOCK_SOURCE:
- case MCAST_JOIN_SOURCE_GROUP:
- case MCAST_LEAVE_SOURCE_GROUP: {
- struct ip_mreq_source *imreqp;
- struct group_source_req *gsreqp;
- in_addr_t grp, src, ifaddr = INADDR_ANY;
- uint32_t ifindex = 0;
- mcast_record_t fmode;
- struct sockaddr_in *sin;
- ire_t *ire;
- boolean_t mcast_opt = B_TRUE, done = B_FALSE;
- int (*optfn)(conn_t *, boolean_t, ipaddr_t, ipaddr_t,
- uint_t *, mcast_record_t, ipaddr_t, mblk_t *);
-
- switch (name) {
- case IP_BLOCK_SOURCE:
- mcast_opt = B_FALSE;
- /* FALLTHRU */
- case MCAST_BLOCK_SOURCE:
- fmode = MODE_IS_EXCLUDE;
- optfn = ip_opt_add_group;
- break;
-
- case IP_UNBLOCK_SOURCE:
- mcast_opt = B_FALSE;
- /* FALLTHRU */
- case MCAST_UNBLOCK_SOURCE:
- fmode = MODE_IS_EXCLUDE;
- optfn = ip_opt_delete_group;
- break;
-
- case IP_ADD_SOURCE_MEMBERSHIP:
- mcast_opt = B_FALSE;
- /* FALLTHRU */
- case MCAST_JOIN_SOURCE_GROUP:
- fmode = MODE_IS_INCLUDE;
- optfn = ip_opt_add_group;
- break;
-
- case IP_DROP_SOURCE_MEMBERSHIP:
- mcast_opt = B_FALSE;
- /* FALLTHRU */
- case MCAST_LEAVE_SOURCE_GROUP:
- fmode = MODE_IS_INCLUDE;
- optfn = ip_opt_delete_group;
- break;
- }
-
- if (mcast_opt) {
- gsreqp = (struct group_source_req *)i1;
- if (gsreqp->gsr_group.ss_family != AF_INET) {
- *outlenp = 0;
- return (ENOPROTOOPT);
- }
- sin = (struct sockaddr_in *)&gsreqp->gsr_group;
- grp = (ipaddr_t)sin->sin_addr.s_addr;
- sin = (struct sockaddr_in *)&gsreqp->gsr_source;
- src = (ipaddr_t)sin->sin_addr.s_addr;
- ifindex = gsreqp->gsr_interface;
- } else {
- imreqp = (struct ip_mreq_source *)i1;
- grp = (ipaddr_t)imreqp->imr_multiaddr.s_addr;
- src = (ipaddr_t)imreqp->imr_sourceaddr.s_addr;
- ifaddr = (ipaddr_t)imreqp->imr_interface.s_addr;
- }
- /*
- * In the multirouting case, we need to replicate
- * the request as noted in the mcast cases above.
- */
- ire = ire_ftable_lookup(grp, IP_HOST_MASK, 0,
- IRE_HOST, NULL, NULL, ALL_ZONES, 0, NULL,
- MATCH_IRE_MASK | MATCH_IRE_TYPE, ipst);
- if (ire != NULL) {
- if (ire->ire_flags & RTF_MULTIRT) {
- error = ip_multirt_apply_membership(
- optfn, ire, connp, checkonly, grp,
- fmode, src, first_mp);
- done = B_TRUE;
- }
- ire_refrele(ire);
- }
- if (!done) {
- error = optfn(connp, checkonly, grp, ifaddr,
- &ifindex, fmode, src, first_mp);
- }
- if (error != 0) {
- /*
- * EINPROGRESS is a soft error, needs retry
- * so don't make *outlenp zero.
- */
- if (error != EINPROGRESS)
- *outlenp = 0;
- return (error);
- }
- /* OK return - copy input buffer into output buffer */
- if (invalp != outvalp) {
- bcopy(invalp, outvalp, inlen);
- }
- *outlenp = inlen;
- return (0);
- }
- case IP_SEC_OPT:
- error = ipsec_set_req(cr, connp, (ipsec_req_t *)invalp);
- if (error != 0) {
- *outlenp = 0;
- return (error);
- }
- break;
- case IP_HDRINCL:
- case IP_OPTIONS:
- case T_IP_OPTIONS:
- case IP_TOS:
- case T_IP_TOS:
- case IP_TTL:
- case IP_RECVDSTADDR:
- case IP_RECVOPTS:
- /* OK return - copy input buffer into output buffer */
- if (invalp != outvalp) {
- /* don't trust bcopy for identical src/dst */
- bcopy(invalp, outvalp, inlen);
- }
- *outlenp = inlen;
- return (0);
- case IP_RECVIF:
- /* Retrieve the inbound interface index */
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_recvif = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case IP_RECVPKTINFO:
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_ip_recvpktinfo = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case IP_RECVSLLA:
- /* Retrieve the source link layer address */
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_recvslla = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case MRT_INIT:
- case MRT_DONE:
- case MRT_ADD_VIF:
- case MRT_DEL_VIF:
- case MRT_ADD_MFC:
- case MRT_DEL_MFC:
- case MRT_ASSERT:
- if ((error = secpolicy_ip_config(cr, B_FALSE)) != 0) {
- *outlenp = 0;
- return (error);
- }
- error = ip_mrouter_set((int)name, q, checkonly,
- (uchar_t *)invalp, inlen, first_mp);
- if (error) {
- *outlenp = 0;
- return (error);
- }
- /* OK return - copy input buffer into output buffer */
- if (invalp != outvalp) {
- /* don't trust bcopy for identical src/dst */
- bcopy(invalp, outvalp, inlen);
- }
- *outlenp = inlen;
- return (0);
- case IP_BOUND_IF:
- case IP_DHCPINIT_IF:
- error = ip_opt_set_ill(connp, *i1, B_FALSE, checkonly,
- level, name, first_mp);
- if (error != 0)
- return (error);
- break; /* goto sizeof (int) option return */
-
- case IP_UNSPEC_SRC:
- /* Allow sending with a zero source address */
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_unspec_src = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- default:
- /*
- * "soft" error (negative)
- * option not handled at this level
- * Note: Do not modify *outlenp
- */
- return (-EINVAL);
- }
+ case IP_ADD_SOURCE_MEMBERSHIP:
+ mcast_opt = B_FALSE;
+ /* FALLTHRU */
+ case MCAST_JOIN_SOURCE_GROUP:
+ fmode = MODE_IS_INCLUDE;
+ optfn = ip_opt_add_group;
break;
- case IPPROTO_IPV6:
- switch (name) {
- case IPV6_BOUND_IF:
- error = ip_opt_set_ill(connp, *i1, B_TRUE, checkonly,
- level, name, first_mp);
- if (error != 0)
- return (error);
- break; /* goto sizeof (int) option return */
- case IPV6_MULTICAST_IF:
- /*
- * The only possible errors are EINPROGRESS and
- * EINVAL. EINPROGRESS will be restarted and is not
- * a hard error. We call this option on both V4 and V6
- * If both return EINVAL, then this call returns
- * EINVAL. If at least one of them succeeds we
- * return success.
- */
- found = B_FALSE;
- error = ip_opt_set_ill(connp, *i1, B_TRUE, checkonly,
- level, name, first_mp);
- if (error == EINPROGRESS)
- return (error);
- if (error == 0)
- found = B_TRUE;
- error = ip_opt_set_ill(connp, *i1, B_FALSE, checkonly,
- IPPROTO_IP, IP_MULTICAST_IF, first_mp);
- if (error == 0)
- found = B_TRUE;
- if (!found)
- return (error);
- break; /* goto sizeof (int) option return */
-
- case IPV6_MULTICAST_HOPS:
- /* Recorded in transport above IP */
- break; /* goto sizeof (int) option return */
- case IPV6_MULTICAST_LOOP:
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_multicast_loop = *i1;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case IPV6_JOIN_GROUP:
- case MCAST_JOIN_GROUP:
- case IPV6_LEAVE_GROUP:
- case MCAST_LEAVE_GROUP: {
- struct ipv6_mreq *ip_mreqp;
- struct group_req *greqp;
- ire_t *ire;
- boolean_t done = B_FALSE;
- in6_addr_t groupv6;
- uint32_t ifindex;
- boolean_t mcast_opt = B_TRUE;
- mcast_record_t fmode;
- int (*optfn)(conn_t *, boolean_t, const in6_addr_t *,
- int, mcast_record_t, const in6_addr_t *, mblk_t *);
-
- switch (name) {
- case IPV6_JOIN_GROUP:
- mcast_opt = B_FALSE;
- /* FALLTHRU */
- case MCAST_JOIN_GROUP:
- fmode = MODE_IS_EXCLUDE;
- optfn = ip_opt_add_group_v6;
- break;
-
- case IPV6_LEAVE_GROUP:
- mcast_opt = B_FALSE;
- /* FALLTHRU */
- case MCAST_LEAVE_GROUP:
- fmode = MODE_IS_INCLUDE;
- optfn = ip_opt_delete_group_v6;
- break;
- }
+ case IP_DROP_SOURCE_MEMBERSHIP:
+ mcast_opt = B_FALSE;
+ /* FALLTHRU */
+ case MCAST_LEAVE_SOURCE_GROUP:
+ fmode = MODE_IS_INCLUDE;
+ optfn = ip_opt_delete_group;
+ break;
+ default:
+ ASSERT(0);
+ }
- if (mcast_opt) {
- struct sockaddr_in *sin;
- struct sockaddr_in6 *sin6;
- greqp = (struct group_req *)i1;
- if (greqp->gr_group.ss_family == AF_INET) {
- sin = (struct sockaddr_in *)
- &(greqp->gr_group);
- IN6_INADDR_TO_V4MAPPED(&sin->sin_addr,
- &groupv6);
- } else {
- sin6 = (struct sockaddr_in6 *)
- &(greqp->gr_group);
- groupv6 = sin6->sin6_addr;
- }
- ifindex = greqp->gr_interface;
- } else {
- ip_mreqp = (struct ipv6_mreq *)i1;
- groupv6 = ip_mreqp->ipv6mr_multiaddr;
- ifindex = ip_mreqp->ipv6mr_interface;
- }
- /*
- * In the multirouting case, we need to replicate
- * the request on all interfaces that will take part
- * in replication. We do so because multirouting is
- * reflective, thus we will probably receive multi-
- * casts on those interfaces.
- * The ip_multirt_apply_membership_v6() succeeds if
- * the operation succeeds on at least one interface.
- */
- ire = ire_ftable_lookup_v6(&groupv6, &ipv6_all_ones, 0,
- IRE_HOST, NULL, NULL, ALL_ZONES, 0, NULL,
- MATCH_IRE_MASK | MATCH_IRE_TYPE, ipst);
- if (ire != NULL) {
- if (ire->ire_flags & RTF_MULTIRT) {
- error = ip_multirt_apply_membership_v6(
- optfn, ire, connp, checkonly,
- &groupv6, fmode, &ipv6_all_zeros,
- first_mp);
- done = B_TRUE;
- }
- ire_refrele(ire);
- }
- if (!done) {
- error = optfn(connp, checkonly, &groupv6,
- ifindex, fmode, &ipv6_all_zeros, first_mp);
- }
- if (error) {
- /*
- * EINPROGRESS is a soft error, needs retry
- * so don't make *outlenp zero.
- */
- if (error != EINPROGRESS)
- *outlenp = 0;
- return (error);
- }
- /* OK return - copy input buffer into output buffer */
- if (invalp != outvalp) {
- /* don't trust bcopy for identical src/dst */
- bcopy(invalp, outvalp, inlen);
- }
- *outlenp = inlen;
- return (0);
- }
- case MCAST_BLOCK_SOURCE:
- case MCAST_UNBLOCK_SOURCE:
- case MCAST_JOIN_SOURCE_GROUP:
- case MCAST_LEAVE_SOURCE_GROUP: {
- struct group_source_req *gsreqp;
- in6_addr_t v6grp, v6src;
- uint32_t ifindex;
- mcast_record_t fmode;
- ire_t *ire;
- boolean_t done = B_FALSE;
- int (*optfn)(conn_t *, boolean_t, const in6_addr_t *,
- int, mcast_record_t, const in6_addr_t *, mblk_t *);
-
- switch (name) {
- case MCAST_BLOCK_SOURCE:
- fmode = MODE_IS_EXCLUDE;
- optfn = ip_opt_add_group_v6;
- break;
- case MCAST_UNBLOCK_SOURCE:
- fmode = MODE_IS_EXCLUDE;
- optfn = ip_opt_delete_group_v6;
- break;
- case MCAST_JOIN_SOURCE_GROUP:
- fmode = MODE_IS_INCLUDE;
- optfn = ip_opt_add_group_v6;
- break;
- case MCAST_LEAVE_SOURCE_GROUP:
- fmode = MODE_IS_INCLUDE;
- optfn = ip_opt_delete_group_v6;
- break;
- }
+ if (mcast_opt) {
+ gsreqp = (struct group_source_req *)i1;
+ ifindex = gsreqp->gsr_interface;
+ if (gsreqp->gsr_group.ss_family == AF_INET) {
+ struct sockaddr_in *s;
+ s = (struct sockaddr_in *)&gsreqp->gsr_group;
+ IN6_INADDR_TO_V4MAPPED(&s->sin_addr, &v6group);
+ s = (struct sockaddr_in *)&gsreqp->gsr_source;
+ IN6_INADDR_TO_V4MAPPED(&s->sin_addr, &v6src);
+ } else {
+ struct sockaddr_in6 *s6;
- gsreqp = (struct group_source_req *)i1;
- ifindex = gsreqp->gsr_interface;
- if (gsreqp->gsr_group.ss_family == AF_INET) {
- struct sockaddr_in *s;
- s = (struct sockaddr_in *)&gsreqp->gsr_group;
- IN6_INADDR_TO_V4MAPPED(&s->sin_addr, &v6grp);
- s = (struct sockaddr_in *)&gsreqp->gsr_source;
- IN6_INADDR_TO_V4MAPPED(&s->sin_addr, &v6src);
- } else {
- struct sockaddr_in6 *s6;
- s6 = (struct sockaddr_in6 *)&gsreqp->gsr_group;
- v6grp = s6->sin6_addr;
- s6 = (struct sockaddr_in6 *)&gsreqp->gsr_source;
- v6src = s6->sin6_addr;
- }
+ if (!inet6)
+ return (EINVAL); /* Not on INET socket */
- /*
- * In the multirouting case, we need to replicate
- * the request as noted in the mcast cases above.
- */
- ire = ire_ftable_lookup_v6(&v6grp, &ipv6_all_ones, 0,
- IRE_HOST, NULL, NULL, ALL_ZONES, 0, NULL,
- MATCH_IRE_MASK | MATCH_IRE_TYPE, ipst);
- if (ire != NULL) {
- if (ire->ire_flags & RTF_MULTIRT) {
- error = ip_multirt_apply_membership_v6(
- optfn, ire, connp, checkonly,
- &v6grp, fmode, &v6src, first_mp);
- done = B_TRUE;
- }
- ire_refrele(ire);
- }
- if (!done) {
- error = optfn(connp, checkonly, &v6grp,
- ifindex, fmode, &v6src, first_mp);
- }
- if (error != 0) {
- /*
- * EINPROGRESS is a soft error, needs retry
- * so don't make *outlenp zero.
- */
- if (error != EINPROGRESS)
- *outlenp = 0;
- return (error);
- }
- /* OK return - copy input buffer into output buffer */
- if (invalp != outvalp) {
- bcopy(invalp, outvalp, inlen);
- }
- *outlenp = inlen;
- return (0);
+ s6 = (struct sockaddr_in6 *)&gsreqp->gsr_group;
+ v6group = s6->sin6_addr;
+ s6 = (struct sockaddr_in6 *)&gsreqp->gsr_source;
+ v6src = s6->sin6_addr;
}
- case IPV6_UNICAST_HOPS:
- /* Recorded in transport above IP */
- break; /* goto sizeof (int) option return */
- case IPV6_UNSPEC_SRC:
- /* Allow sending with a zero source address */
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_unspec_src = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case IPV6_RECVPKTINFO:
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_ip_recvpktinfo = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case IPV6_RECVTCLASS:
- if (!checkonly) {
- if (*i1 < 0 || *i1 > 1) {
- return (EINVAL);
- }
- mutex_enter(&connp->conn_lock);
- connp->conn_ipv6_recvtclass = *i1;
- mutex_exit(&connp->conn_lock);
- }
- break;
- case IPV6_RECVPATHMTU:
- if (!checkonly) {
- if (*i1 < 0 || *i1 > 1) {
- return (EINVAL);
- }
- mutex_enter(&connp->conn_lock);
- connp->conn_ipv6_recvpathmtu = *i1;
- mutex_exit(&connp->conn_lock);
- }
- break;
- case IPV6_RECVHOPLIMIT:
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_ipv6_recvhoplimit = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case IPV6_RECVHOPOPTS:
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_ipv6_recvhopopts = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case IPV6_RECVDSTOPTS:
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_ipv6_recvdstopts = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case IPV6_RECVRTHDR:
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_ipv6_recvrthdr = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case IPV6_RECVRTHDRDSTOPTS:
- if (!checkonly) {
- mutex_enter(&connp->conn_lock);
- connp->conn_ipv6_recvrtdstopts = *i1 ? 1 : 0;
- mutex_exit(&connp->conn_lock);
- }
- break; /* goto sizeof (int) option return */
- case IPV6_PKTINFO:
- if (inlen == 0)
- return (-EINVAL); /* clearing option */
- error = ip6_set_pktinfo(cr, connp,
- (struct in6_pktinfo *)invalp);
- if (error != 0)
- *outlenp = 0;
- else
- *outlenp = inlen;
- return (error);
- case IPV6_NEXTHOP: {
- struct sockaddr_in6 *sin6;
-
- /* Verify that the nexthop is reachable */
- if (inlen == 0)
- return (-EINVAL); /* clearing option */
+ ifaddr = INADDR_ANY;
+ } else {
+ imreqp = (struct ip_mreq_source *)i1;
+ IN6_INADDR_TO_V4MAPPED(&imreqp->imr_multiaddr, &v6group);
+ IN6_INADDR_TO_V4MAPPED(&imreqp->imr_sourceaddr, &v6src);
+ ifaddr = (ipaddr_t)imreqp->imr_interface.s_addr;
+ ifindex = 0;
+ }
- sin6 = (struct sockaddr_in6 *)invalp;
- ire = ire_route_lookup_v6(&sin6->sin6_addr,
- 0, 0, 0, NULL, NULL, connp->conn_zoneid,
- NULL, MATCH_IRE_DEFAULT, ipst);
+ /*
+ * Handle src being mapped INADDR_ANY by changing it to unspecified.
+ */
+ if (IN6_IS_ADDR_V4MAPPED_ANY(&v6src))
+ v6src = ipv6_all_zeros;
- if (ire == NULL) {
- *outlenp = 0;
- return (EHOSTUNREACH);
- }
- ire_refrele(ire);
- return (-EINVAL);
- }
- case IPV6_SEC_OPT:
- error = ipsec_set_req(cr, connp, (ipsec_req_t *)invalp);
- if (error != 0) {
- *outlenp = 0;
- return (error);
- }
- break;
- case IPV6_SRC_PREFERENCES: {
- /*
- * This is implemented strictly in the ip module
- * (here and in tcp_opt_*() to accomodate tcp
- * sockets). Modules above ip pass this option
- * down here since ip is the only one that needs to
- * be aware of source address preferences.
- *
- * This socket option only affects connected
- * sockets that haven't already bound to a specific
- * IPv6 address. In other words, sockets that
- * don't call bind() with an address other than the
- * unspecified address and that call connect().
- * ip_bind_connected_v6() passes these preferences
- * to the ipif_select_source_v6() function.
- */
- if (inlen != sizeof (uint32_t))
- return (EINVAL);
- error = ip6_set_src_preferences(connp,
- *(uint32_t *)invalp);
- if (error != 0) {
- *outlenp = 0;
- return (error);
- } else {
- *outlenp = sizeof (uint32_t);
- }
- break;
- }
- case IPV6_V6ONLY:
- if (*i1 < 0 || *i1 > 1) {
- return (EINVAL);
- }
- mutex_enter(&connp->conn_lock);
- connp->conn_ipv6_v6only = *i1;
- mutex_exit(&connp->conn_lock);
- break;
- default:
- return (-EINVAL);
- }
- break;
- default:
- /*
- * "soft" error (negative)
- * option not handled at this level
- * Note: Do not modify *outlenp
- */
- return (-EINVAL);
- }
/*
- * Common case of return from an option that is sizeof (int)
+ * In the multirouting case, we need to replicate
+ * the request as noted in the mcast cases above.
*/
- *(int *)outvalp = *i1;
- *outlenp = sizeof (int);
- return (0);
-}
+ if (IN6_IS_ADDR_V4MAPPED(&v6group)) {
+ ipaddr_t group;
-/*
- * This routine gets default values of certain options whose default
- * values are maintained by protocol specific code
- */
-/* ARGSUSED */
-int
-ip_opt_default(queue_t *q, int level, int name, uchar_t *ptr)
-{
- int *i1 = (int *)ptr;
- ip_stack_t *ipst = CONNQ_TO_IPST(q);
+ IN6_V4MAPPED_TO_IPADDR(&v6group, group);
- switch (level) {
- case IPPROTO_IP:
- switch (name) {
- case IP_MULTICAST_TTL:
- *ptr = (uchar_t)IP_DEFAULT_MULTICAST_TTL;
- return (sizeof (uchar_t));
- case IP_MULTICAST_LOOP:
- *ptr = (uchar_t)IP_DEFAULT_MULTICAST_LOOP;
- return (sizeof (uchar_t));
- default:
- return (-1);
- }
- case IPPROTO_IPV6:
- switch (name) {
- case IPV6_UNICAST_HOPS:
- *i1 = ipst->ips_ipv6_def_hops;
- return (sizeof (int));
- case IPV6_MULTICAST_HOPS:
- *i1 = IP_DEFAULT_MULTICAST_TTL;
- return (sizeof (int));
- case IPV6_MULTICAST_LOOP:
- *i1 = IP_DEFAULT_MULTICAST_LOOP;
- return (sizeof (int));
- case IPV6_V6ONLY:
- *i1 = 1;
- return (sizeof (int));
- default:
- return (-1);
+ ire = ire_ftable_lookup_v4(group, IP_HOST_MASK, 0,
+ IRE_HOST | IRE_INTERFACE, NULL, ALL_ZONES, NULL,
+ MATCH_IRE_MASK | MATCH_IRE_TYPE, 0, ipst, NULL);
+ } else {
+ ire = ire_ftable_lookup_v6(&v6group, &ipv6_all_ones, 0,
+ IRE_HOST | IRE_INTERFACE, NULL, ALL_ZONES, NULL,
+ MATCH_IRE_MASK | MATCH_IRE_TYPE, 0, ipst, NULL);
+ }
+ if (ire != NULL) {
+ if (ire->ire_flags & RTF_MULTIRT) {
+ error = ip_multirt_apply_membership(optfn, ire, connp,
+ checkonly, &v6group, fmode, &v6src);
+ done = B_TRUE;
}
- default:
- return (-1);
+ ire_refrele(ire);
}
- /* NOTREACHED */
+ if (!done) {
+ error = optfn(connp, checkonly, &v6group, ifaddr, ifindex,
+ fmode, &v6src);
+ }
+ return (error);
}
/*
* Given a destination address and a pointer to where to put the information
* this routine fills in the mtuinfo.
+ * The socket must be connected.
+ * For sctp conn_faddr is the primary address.
*/
int
-ip_fill_mtuinfo(struct in6_addr *in6, in_port_t port,
- struct ip6_mtuinfo *mtuinfo, netstack_t *ns)
+ip_fill_mtuinfo(conn_t *connp, ip_xmit_attr_t *ixa, struct ip6_mtuinfo *mtuinfo)
{
- ire_t *ire;
- ip_stack_t *ipst = ns->netstack_ip;
+ uint32_t pmtu = IP_MAXPACKET;
+ uint_t scopeid;
- if (IN6_IS_ADDR_UNSPECIFIED(in6))
+ if (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6))
return (-1);
+ /* In case we never sent or called ip_set_destination_v4/v6 */
+ if (ixa->ixa_ire != NULL)
+ pmtu = ip_get_pmtu(ixa);
+
+ if (ixa->ixa_flags & IXAF_SCOPEID_SET)
+ scopeid = ixa->ixa_scopeid;
+ else
+ scopeid = 0;
+
bzero(mtuinfo, sizeof (*mtuinfo));
mtuinfo->ip6m_addr.sin6_family = AF_INET6;
- mtuinfo->ip6m_addr.sin6_port = port;
- mtuinfo->ip6m_addr.sin6_addr = *in6;
+ mtuinfo->ip6m_addr.sin6_port = connp->conn_fport;
+ mtuinfo->ip6m_addr.sin6_addr = connp->conn_faddr_v6;
+ mtuinfo->ip6m_addr.sin6_scope_id = scopeid;
+ mtuinfo->ip6m_mtu = pmtu;
- ire = ire_cache_lookup_v6(in6, ALL_ZONES, NULL, ipst);
- if (ire != NULL) {
- mtuinfo->ip6m_mtu = ire->ire_max_frag;
- ire_refrele(ire);
- } else {
- mtuinfo->ip6m_mtu = IPV6_MIN_MTU;
- }
return (sizeof (struct ip6_mtuinfo));
}
-/*
- * This routine gets socket options. For MRT_VERSION and MRT_ASSERT, error
- * checking of cred and that ip_g_mrouter is set should be done and
- * isn't. This doesn't matter as the error checking is done properly for the
- * other MRT options coming in through ip_opt_set.
- */
-int
-ip_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
-{
- conn_t *connp = Q_TO_CONN(q);
- ipsec_req_t *req = (ipsec_req_t *)ptr;
-
- switch (level) {
- case IPPROTO_IP:
- switch (name) {
- case MRT_VERSION:
- case MRT_ASSERT:
- (void) ip_mrouter_get(name, q, ptr);
- return (sizeof (int));
- case IP_SEC_OPT:
- return (ipsec_req_from_conn(connp, req, IPSEC_AF_V4));
- case IP_NEXTHOP:
- if (connp->conn_nexthop_set) {
- *(ipaddr_t *)ptr = connp->conn_nexthop_v4;
- return (sizeof (ipaddr_t));
- } else
- return (0);
- case IP_RECVPKTINFO:
- *(int *)ptr = connp->conn_ip_recvpktinfo ? 1: 0;
- return (sizeof (int));
- default:
- break;
- }
- break;
- case IPPROTO_IPV6:
- switch (name) {
- case IPV6_SEC_OPT:
- return (ipsec_req_from_conn(connp, req, IPSEC_AF_V6));
- case IPV6_SRC_PREFERENCES: {
- return (ip6_get_src_preferences(connp,
- (uint32_t *)ptr));
- }
- case IPV6_V6ONLY:
- *(int *)ptr = connp->conn_ipv6_v6only ? 1 : 0;
- return (sizeof (int));
- case IPV6_PATHMTU:
- return (ip_fill_mtuinfo(&connp->conn_remv6, 0,
- (struct ip6_mtuinfo *)ptr, connp->conn_netstack));
- default:
- break;
- }
- break;
- default:
- break;
- }
- return (-1);
-}
/* Named Dispatch routine to get a current value out of our parameter table. */
/* ARGSUSED */
static int
@@ -11955,130 +7137,18 @@ ip_reassemble(mblk_t *mp, ipf_t *ipf, uint_t start, boolean_t more, ill_t *ill,
}
/*
- * ipsec processing for the fast path, used for input UDP Packets
- * Returns true if ready for passup to UDP.
- * Return false if packet is not passable to UDP (e.g. it failed IPsec policy,
- * was an ESP-in-UDP packet, etc.).
- */
-static boolean_t
-ip_udp_check(queue_t *q, conn_t *connp, ill_t *ill, ipha_t *ipha,
- mblk_t **mpp, mblk_t **first_mpp, boolean_t mctl_present, ire_t *ire)
-{
- uint32_t ill_index;
- uint_t in_flags; /* IPF_RECVSLLA and/or IPF_RECVIF */
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
- udp_t *udp = connp->conn_udp;
-
- ASSERT(ipha->ipha_protocol == IPPROTO_UDP);
- /* The ill_index of the incoming ILL */
- ill_index = ((ill_t *)q->q_ptr)->ill_phyint->phyint_ifindex;
-
- /* pass packet up to the transport */
- if (CONN_INBOUND_POLICY_PRESENT(connp, ipss) || mctl_present) {
- *first_mpp = ipsec_check_inbound_policy(*first_mpp, connp, ipha,
- NULL, mctl_present);
- if (*first_mpp == NULL) {
- return (B_FALSE);
- }
- }
-
- /* Initiate IPPF processing for fastpath UDP */
- if (IPP_ENABLED(IPP_LOCAL_IN, ipst)) {
- ip_process(IPP_LOCAL_IN, mpp, ill_index);
- if (*mpp == NULL) {
- ip2dbg(("ip_input_ipsec_process: UDP pkt "
- "deferred/dropped during IPPF processing\n"));
- return (B_FALSE);
- }
- }
- /*
- * Remove 0-spi if it's 0, or move everything behind
- * the UDP header over it and forward to ESP via
- * ip_proto_input().
- */
- if (udp->udp_nat_t_endpoint) {
- if (mctl_present) {
- /* mctl_present *shouldn't* happen. */
- ip_drop_packet(*first_mpp, B_TRUE, NULL,
- NULL, DROPPER(ipss, ipds_esp_nat_t_ipsec),
- &ipss->ipsec_dropper);
- *first_mpp = NULL;
- return (B_FALSE);
- }
-
- /* "ill" is "recv_ill" in actuality. */
- if (!zero_spi_check(q, *mpp, ire, ill, ipss))
- return (B_FALSE);
-
- /* Else continue like a normal UDP packet. */
- }
-
- /*
- * We make the checks as below since we are in the fast path
- * and want to minimize the number of checks if the IP_RECVIF and/or
- * IP_RECVSLLA and/or IPV6_RECVPKTINFO options are not set
- */
- if (connp->conn_recvif || connp->conn_recvslla ||
- connp->conn_ip_recvpktinfo) {
- if (connp->conn_recvif) {
- in_flags = IPF_RECVIF;
- }
- /*
- * UDP supports IP_RECVPKTINFO option for both v4 and v6
- * so the flag passed to ip_add_info is based on IP version
- * of connp.
- */
- if (connp->conn_ip_recvpktinfo) {
- if (connp->conn_af_isv6) {
- /*
- * V6 only needs index
- */
- in_flags |= IPF_RECVIF;
- } else {
- /*
- * V4 needs index + matching address.
- */
- in_flags |= IPF_RECVADDR;
- }
- }
- if (connp->conn_recvslla) {
- in_flags |= IPF_RECVSLLA;
- }
- /*
- * since in_flags are being set ill will be
- * referenced in ip_add_info, so it better not
- * be NULL.
- */
- /*
- * the actual data will be contained in b_cont
- * upon successful return of the following call.
- * If the call fails then the original mblk is
- * returned.
- */
- *mpp = ip_add_info(*mpp, ill, in_flags, IPCL_ZONEID(connp),
- ipst);
- }
-
- return (B_TRUE);
-}
-
-/*
* Fragmentation reassembly. Each ILL has a hash table for
* queuing packets undergoing reassembly for all IPIFs
* associated with the ILL. The hash is based on the packet
* IP ident field. The ILL frag hash table was allocated
* as a timer block at the time the ILL was created. Whenever
* there is anything on the reassembly queue, the timer will
- * be running. Returns B_TRUE if successful else B_FALSE;
- * frees mp on failure.
+ * be running. Returns the reassembled packet if reassembly completes.
*/
-static boolean_t
-ip_rput_fragment(ill_t *ill, ill_t *recv_ill, mblk_t **mpp, ipha_t *ipha,
- uint32_t *cksum_val, uint16_t *cksum_flags)
+mblk_t *
+ip_input_fragment(mblk_t *mp, ipha_t *ipha, ip_recv_attr_t *ira)
{
uint32_t frag_offset_flags;
- mblk_t *mp = *mpp;
mblk_t *t_mp;
ipaddr_t dst;
uint8_t proto = ipha->ipha_protocol;
@@ -12099,12 +7169,8 @@ ip_rput_fragment(ill_t *ill, ill_t *recv_ill, mblk_t **mpp, ipha_t *ipha,
uint8_t ecn_info = 0;
uint32_t packet_size;
boolean_t pruned = B_FALSE;
- ip_stack_t *ipst = ill->ill_ipst;
-
- if (cksum_val != NULL)
- *cksum_val = 0;
- if (cksum_flags != NULL)
- *cksum_flags = 0;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
/*
* Drop the fragmented as early as possible, if
@@ -12112,13 +7178,13 @@ ip_rput_fragment(ill_t *ill, ill_t *recv_ill, mblk_t **mpp, ipha_t *ipha,
*/
if (ipst->ips_ip_reass_queue_bytes == 0) {
freemsg(mp);
- return (B_FALSE);
+ return (NULL);
}
/* Check for fragmentation offset; return if there's none */
if ((frag_offset_flags = ntohs(ipha->ipha_fragment_offset_and_flags) &
(IPH_MF | IPH_OFFSET)) == 0)
- return (B_TRUE);
+ return (mp);
/*
* We utilize hardware computed checksum info only for UDP since
@@ -12126,8 +7192,9 @@ ip_rput_fragment(ill_t *ill, ill_t *recv_ill, mblk_t **mpp, ipha_t *ipha,
* addition, checksum offload support for IP fragments carrying
* UDP payload is commonly implemented across network adapters.
*/
- ASSERT(recv_ill != NULL);
- if (proto == IPPROTO_UDP && dohwcksum && ILL_HCKSUM_CAPABLE(recv_ill) &&
+ ASSERT(ira->ira_rill != NULL);
+ if (proto == IPPROTO_UDP && dohwcksum &&
+ ILL_HCKSUM_CAPABLE(ira->ira_rill) &&
(DB_CKSUMFLAGS(mp) & (HCK_FULLCKSUM | HCK_PARTIALCKSUM))) {
mblk_t *mp1 = mp->b_cont;
int32_t len;
@@ -12178,7 +7245,7 @@ ip_rput_fragment(ill_t *ill, ill_t *recv_ill, mblk_t **mpp, ipha_t *ipha,
/* If end == 0 then we have a packet with no data, so just free it */
if (end == 0) {
freemsg(mp);
- return (B_FALSE);
+ return (NULL);
}
/* Record the ECN field info. */
@@ -12192,16 +7259,25 @@ ip_rput_fragment(ill_t *ill, ill_t *recv_ill, mblk_t **mpp, ipha_t *ipha,
end += offset;
}
- msg_len = MBLKSIZE(mp);
+ /* Handle vnic loopback of fragments */
+ if (mp->b_datap->db_ref > 2)
+ msg_len = 0;
+ else
+ msg_len = MBLKSIZE(mp);
+
tail_mp = mp;
while (tail_mp->b_cont != NULL) {
tail_mp = tail_mp->b_cont;
- msg_len += MBLKSIZE(tail_mp);
+ if (tail_mp->b_datap->db_ref <= 2)
+ msg_len += MBLKSIZE(tail_mp);
}
/* If the reassembly list for this ILL will get too big, prune it */
if ((msg_len + sizeof (*ipf) + ill->ill_frag_count) >=
ipst->ips_ip_reass_queue_bytes) {
+ DTRACE_PROBE3(ip_reass_queue_bytes, uint_t, msg_len,
+ uint_t, ill->ill_frag_count,
+ uint_t, ipst->ips_ip_reass_queue_bytes);
ill_frag_prune(ill,
(ipst->ips_ip_reass_queue_bytes < msg_len) ? 0 :
(ipst->ips_ip_reass_queue_bytes - msg_len));
@@ -12232,7 +7308,7 @@ ip_rput_fragment(ill_t *ill, ill_t *recv_ill, mblk_t **mpp, ipha_t *ipha,
ill_frag_free_pkts(ill, ipfb, ipf, 1);
freemsg(mp);
mutex_exit(&ipfb->ipfb_lock);
- return (B_FALSE);
+ return (NULL);
}
/* Found it. */
break;
@@ -12254,7 +7330,7 @@ ip_rput_fragment(ill_t *ill, ill_t *recv_ill, mblk_t **mpp, ipha_t *ipha,
if (pruned && offset != 0) {
mutex_exit(&ipfb->ipfb_lock);
freemsg(mp);
- return (B_FALSE);
+ return (NULL);
}
if (ipfb->ipfb_frag_pkts >= MAX_FRAG_PKTS(ipst)) {
@@ -12269,10 +7345,11 @@ ip_rput_fragment(ill_t *ill, ill_t *recv_ill, mblk_t **mpp, ipha_t *ipha,
mp1 = allocb(sizeof (*ipf), BPRI_MED);
if (mp1 == NULL) {
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
freemsg(mp);
reass_done:
mutex_exit(&ipfb->ipfb_lock);
- return (B_FALSE);
+ return (NULL);
}
BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmReqds);
@@ -12478,19 +7555,22 @@ reass_done:
/* Restore original IP length in header. */
packet_size = (uint32_t)msgdsize(mp);
if (packet_size > IP_MAXPACKET) {
- freemsg(mp);
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
- return (B_FALSE);
+ ip_drop_input("Reassembled packet too large", mp, ill);
+ freemsg(mp);
+ return (NULL);
}
if (DB_REF(mp) > 1) {
mblk_t *mp2 = copymsg(mp);
- freemsg(mp);
if (mp2 == NULL) {
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- return (B_FALSE);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return (NULL);
}
+ freemsg(mp);
mp = mp2;
}
ipha = (ipha_t *)mp->b_rptr;
@@ -12501,1187 +7581,239 @@ reass_done:
/* Record the ECN info. */
ipha->ipha_type_of_service &= 0xFC;
ipha->ipha_type_of_service |= ecn_info;
- *mpp = mp;
- /* Reassembly is successful; return checksum information if needed */
- if (cksum_val != NULL)
- *cksum_val = sum_val;
- if (cksum_flags != NULL)
- *cksum_flags = sum_flags;
+ /* Update the receive attributes */
+ ira->ira_pktlen = packet_size;
+ ira->ira_ip_hdr_length = IPH_HDR_LENGTH(ipha);
- return (B_TRUE);
+ /* Reassembly is successful; set checksum information in packet */
+ DB_CKSUM16(mp) = (uint16_t)sum_val;
+ DB_CKSUMFLAGS(mp) = sum_flags;
+ DB_CKSUMSTART(mp) = ira->ira_ip_hdr_length;
+
+ return (mp);
}
/*
- * Perform ip header check sum update local options.
- * return B_TRUE if all is well, else return B_FALSE and release
- * the mp. caller is responsible for decrementing ire ref cnt.
+ * Pullup function that should be used for IP input in order to
+ * ensure we do not loose the L2 source address; we need the l2 source
+ * address for IP_RECVSLLA and for ndp_input.
+ *
+ * We return either NULL or b_rptr.
*/
-static boolean_t
-ip_options_cksum(queue_t *q, ill_t *ill, mblk_t *mp, ipha_t *ipha, ire_t *ire,
- ip_stack_t *ipst)
+void *
+ip_pullup(mblk_t *mp, ssize_t len, ip_recv_attr_t *ira)
{
- mblk_t *first_mp;
- boolean_t mctl_present;
- uint16_t sum;
+ ill_t *ill = ira->ira_ill;
- EXTRACT_PKT_MP(mp, first_mp, mctl_present);
- /*
- * Don't do the checksum if it has gone through AH/ESP
- * processing.
- */
- if (!mctl_present) {
- sum = ip_csum_hdr(ipha);
- if (sum != 0) {
- if (ill != NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInCksumErrs);
- } else {
- BUMP_MIB(&ipst->ips_ip_mib,
- ipIfStatsInCksumErrs);
- }
- freemsg(first_mp);
- return (B_FALSE);
- }
+ if (ip_rput_pullups++ == 0) {
+ (void) mi_strlog(ill->ill_rq, 1, SL_ERROR|SL_TRACE,
+ "ip_pullup: %s forced us to "
+ " pullup pkt, hdr len %ld, hdr addr %p",
+ ill->ill_name, len, (void *)mp->b_rptr);
}
-
- if (!ip_rput_local_options(q, mp, ipha, ire, ipst)) {
- if (mctl_present)
- freeb(first_mp);
- return (B_FALSE);
- }
-
- return (B_TRUE);
+ if (!(ira->ira_flags & IRAF_L2SRC_SET))
+ ip_setl2src(mp, ira, ira->ira_rill);
+ ASSERT(ira->ira_flags & IRAF_L2SRC_SET);
+ if (!pullupmsg(mp, len))
+ return (NULL);
+ else
+ return (mp->b_rptr);
}
/*
- * All udp packet are delivered to the local host via this routine.
+ * Make sure ira_l2src has an address. If we don't have one fill with zeros.
+ * When called from the ULP ira_rill will be NULL hence the caller has to
+ * pass in the ill.
*/
+/* ARGSUSED */
void
-ip_udp_input(queue_t *q, mblk_t *mp, ipha_t *ipha, ire_t *ire,
- ill_t *recv_ill)
+ip_setl2src(mblk_t *mp, ip_recv_attr_t *ira, ill_t *ill)
{
- uint32_t sum;
- uint32_t u1;
- boolean_t mctl_present;
- conn_t *connp;
- mblk_t *first_mp;
- uint16_t *up;
- ill_t *ill = (ill_t *)q->q_ptr;
- uint16_t reass_hck_flags = 0;
- ip_stack_t *ipst;
-
- ASSERT(recv_ill != NULL);
- ipst = recv_ill->ill_ipst;
+ const uchar_t *addr;
+ int alen;
-#define rptr ((uchar_t *)ipha)
+ if (ira->ira_flags & IRAF_L2SRC_SET)
+ return;
- EXTRACT_PKT_MP(mp, first_mp, mctl_present);
- ASSERT(!mctl_present || ipsec_in_is_secure(first_mp));
- ASSERT(ipha->ipha_protocol == IPPROTO_UDP);
ASSERT(ill != NULL);
-
- /*
- * FAST PATH for udp packets
- */
-
- /* u1 is # words of IP options */
- u1 = ipha->ipha_version_and_hdr_length - (uchar_t)((IP_VERSION << 4) +
- IP_SIMPLE_HDR_LENGTH_IN_WORDS);
-
- /* IP options present */
- if (u1 != 0)
- goto ipoptions;
-
- /* Check the IP header checksum. */
- if (IS_IP_HDR_HWCKSUM(mctl_present, mp, recv_ill)) {
- /* Clear the IP header h/w cksum flag */
- DB_CKSUMFLAGS(mp) &= ~HCK_IPV4_HDRCKSUM;
- } else if (!mctl_present) {
- /*
- * Don't verify header checksum if this packet is coming
- * back from AH/ESP as we already did it.
- */
-#define uph ((uint16_t *)ipha)
- sum = uph[0] + uph[1] + uph[2] + uph[3] + uph[4] + uph[5] +
- uph[6] + uph[7] + uph[8] + uph[9];
-#undef uph
- /* finish doing IP checksum */
- sum = (sum & 0xFFFF) + (sum >> 16);
- sum = ~(sum + (sum >> 16)) & 0xFFFF;
- if (sum != 0 && sum != 0xFFFF) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInCksumErrs);
- freemsg(first_mp);
- return;
- }
- }
-
- /*
- * Count for SNMP of inbound packets for ire.
- * if mctl is present this might be a secure packet and
- * has already been counted for in ip_proto_input().
- */
- if (!mctl_present) {
- UPDATE_IB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
+ alen = ill->ill_phys_addr_length;
+ ASSERT(alen <= sizeof (ira->ira_l2src));
+ if (ira->ira_mhip != NULL &&
+ (addr = ira->ira_mhip->mhi_saddr) != NULL) {
+ bcopy(addr, ira->ira_l2src, alen);
+ } else if ((ira->ira_flags & IRAF_L2SRC_LOOPBACK) &&
+ (addr = ill->ill_phys_addr) != NULL) {
+ bcopy(addr, ira->ira_l2src, alen);
+ } else {
+ bzero(ira->ira_l2src, alen);
}
+ ira->ira_flags |= IRAF_L2SRC_SET;
+}
- /* packet part of fragmented IP packet? */
- u1 = ntohs(ipha->ipha_fragment_offset_and_flags);
- if (u1 & (IPH_MF | IPH_OFFSET)) {
- goto fragmented;
- }
+/*
+ * check ip header length and align it.
+ */
+mblk_t *
+ip_check_and_align_header(mblk_t *mp, uint_t min_size, ip_recv_attr_t *ira)
+{
+ ill_t *ill = ira->ira_ill;
+ ssize_t len;
- /* u1 = IP header length (20 bytes) */
- u1 = IP_SIMPLE_HDR_LENGTH;
+ len = MBLKL(mp);
- /* packet does not contain complete IP & UDP headers */
- if ((mp->b_wptr - rptr) < (IP_SIMPLE_HDR_LENGTH + UDPH_SIZE))
- goto udppullup;
+ if (!OK_32PTR(mp->b_rptr))
+ IP_STAT(ill->ill_ipst, ip_notaligned);
+ else
+ IP_STAT(ill->ill_ipst, ip_recv_pullup);
- /* up points to UDP header */
- up = (uint16_t *)((uchar_t *)ipha + IP_SIMPLE_HDR_LENGTH);
-#define iphs ((uint16_t *)ipha)
+ /* Guard against bogus device drivers */
+ if (len < 0) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
+ ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
+ freemsg(mp);
+ return (NULL);
+ }
- /* if udp hdr cksum != 0, then need to checksum udp packet */
- if (up[3] != 0) {
+ if (len == 0) {
+ /* GLD sometimes sends up mblk with b_rptr == b_wptr! */
mblk_t *mp1 = mp->b_cont;
- boolean_t cksum_err;
- uint16_t hck_flags = 0;
- /* Pseudo-header checksum */
- u1 = IP_UDP_CSUM_COMP + iphs[6] + iphs[7] + iphs[8] +
- iphs[9] + up[2];
+ if (!(ira->ira_flags & IRAF_L2SRC_SET))
+ ip_setl2src(mp, ira, ira->ira_rill);
+ ASSERT(ira->ira_flags & IRAF_L2SRC_SET);
- /*
- * Revert to software checksum calculation if the interface
- * isn't capable of checksum offload or if IPsec is present.
- */
- if (ILL_HCKSUM_CAPABLE(recv_ill) && !mctl_present && dohwcksum)
- hck_flags = DB_CKSUMFLAGS(mp);
-
- if ((hck_flags & (HCK_FULLCKSUM|HCK_PARTIALCKSUM)) == 0)
- IP_STAT(ipst, ip_in_sw_cksum);
-
- IP_CKSUM_RECV(hck_flags, u1,
- (uchar_t *)(rptr + DB_CKSUMSTART(mp)),
- (int32_t)((uchar_t *)up - rptr),
- mp, mp1, cksum_err);
-
- if (cksum_err) {
- BUMP_MIB(ill->ill_ip_mib, udpIfStatsInCksumErrs);
- if (hck_flags & HCK_FULLCKSUM)
- IP_STAT(ipst, ip_udp_in_full_hw_cksum_err);
- else if (hck_flags & HCK_PARTIALCKSUM)
- IP_STAT(ipst, ip_udp_in_part_hw_cksum_err);
- else
- IP_STAT(ipst, ip_udp_in_sw_cksum_err);
+ freeb(mp);
+ mp = mp1;
+ if (mp == NULL)
+ return (NULL);
- freemsg(first_mp);
- return;
- }
+ if (OK_32PTR(mp->b_rptr) && MBLKL(mp) >= min_size)
+ return (mp);
}
-
- /* Non-fragmented broadcast or multicast packet? */
- if (ire->ire_type == IRE_BROADCAST)
- goto udpslowpath;
-
- if ((connp = ipcl_classify_v4(mp, IPPROTO_UDP, IP_SIMPLE_HDR_LENGTH,
- ire->ire_zoneid, ipst)) != NULL) {
- ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_upq != NULL);
- IP_STAT(ipst, ip_udp_fast_path);
-
- if ((IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
- (!IPCL_IS_NONSTR(connp) && CONN_UDP_FLOWCTLD(connp))) {
- freemsg(mp);
- BUMP_MIB(ill->ill_ip_mib, udpIfStatsInOverflows);
+ if (ip_pullup(mp, min_size, ira) == NULL) {
+ if (msgdsize(mp) < min_size) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
+ ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
} else {
- if (!mctl_present) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsHCInDelivers);
- }
- /*
- * mp and first_mp can change.
- */
- if (ip_udp_check(q, connp, recv_ill,
- ipha, &mp, &first_mp, mctl_present, ire)) {
- /* Send it upstream */
- (connp->conn_recv)(connp, mp, NULL);
- }
- }
- /*
- * freeb() cannot deal with null mblk being passed
- * in and first_mp can be set to null in the call
- * ipsec_input_fast_proc()->ipsec_check_inbound_policy.
- */
- if (mctl_present && first_mp != NULL) {
- freeb(first_mp);
- }
- CONN_DEC_REF(connp);
- return;
- }
-
- /*
- * if we got here we know the packet is not fragmented and
- * has no options. The classifier could not find a conn_t and
- * most likely its an icmp packet so send it through slow path.
- */
-
- goto udpslowpath;
-
-ipoptions:
- if (!ip_options_cksum(q, ill, mp, ipha, ire, ipst)) {
- goto slow_done;
- }
-
- UPDATE_IB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- u1 = ntohs(ipha->ipha_fragment_offset_and_flags);
- if (u1 & (IPH_MF | IPH_OFFSET)) {
-fragmented:
- /*
- * "sum" and "reass_hck_flags" are non-zero if the
- * reassembled packet has a valid hardware computed
- * checksum information associated with it.
- */
- if (!ip_rput_fragment(ill, recv_ill, &mp, ipha, &sum,
- &reass_hck_flags)) {
- goto slow_done;
- }
-
- /*
- * Make sure that first_mp points back to mp as
- * the mp we came in with could have changed in
- * ip_rput_fragment().
- */
- ASSERT(!mctl_present);
- ipha = (ipha_t *)mp->b_rptr;
- first_mp = mp;
- }
-
- /* Now we have a complete datagram, destined for this machine. */
- u1 = IPH_HDR_LENGTH(ipha);
- /* Pull up the UDP header, if necessary. */
- if ((MBLKL(mp)) < (u1 + UDPH_SIZE)) {
-udppullup:
- if (!pullupmsg(mp, u1 + UDPH_SIZE)) {
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
- goto slow_done;
- }
- ipha = (ipha_t *)mp->b_rptr;
- }
-
- /*
- * Validate the checksum for the reassembled packet; for the
- * pullup case we calculate the payload checksum in software.
- */
- up = (uint16_t *)((uchar_t *)ipha + u1 + UDP_PORTS_OFFSET);
- if (up[3] != 0) {
- boolean_t cksum_err;
-
- if ((reass_hck_flags & (HCK_FULLCKSUM|HCK_PARTIALCKSUM)) == 0)
- IP_STAT(ipst, ip_in_sw_cksum);
-
- IP_CKSUM_RECV_REASS(reass_hck_flags,
- (int32_t)((uchar_t *)up - (uchar_t *)ipha),
- IP_UDP_CSUM_COMP + iphs[6] + iphs[7] + iphs[8] +
- iphs[9] + up[2], sum, cksum_err);
-
- if (cksum_err) {
- BUMP_MIB(ill->ill_ip_mib, udpIfStatsInCksumErrs);
-
- if (reass_hck_flags & HCK_FULLCKSUM)
- IP_STAT(ipst, ip_udp_in_full_hw_cksum_err);
- else if (reass_hck_flags & HCK_PARTIALCKSUM)
- IP_STAT(ipst, ip_udp_in_part_hw_cksum_err);
- else
- IP_STAT(ipst, ip_udp_in_sw_cksum_err);
-
- freemsg(first_mp);
- goto slow_done;
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
}
+ freemsg(mp);
+ return (NULL);
}
-udpslowpath:
-
- /* Clear hardware checksum flag to be safe */
- DB_CKSUMFLAGS(mp) = 0;
-
- ip_fanout_udp(q, first_mp, ill, ipha, *(uint32_t *)up,
- (ire->ire_type == IRE_BROADCAST),
- IP_FF_SEND_ICMP | IP_FF_CKSUM | IP_FF_IPINFO,
- mctl_present, B_TRUE, recv_ill, ire->ire_zoneid);
-
-slow_done:
- IP_STAT(ipst, ip_udp_slow_path);
- return;
-
-#undef iphs
-#undef rptr
-}
-
-static boolean_t
-ip_iptun_input(mblk_t *ipsec_mp, mblk_t *data_mp, ipha_t *ipha, ill_t *ill,
- ire_t *ire, ip_stack_t *ipst)
-{
- conn_t *connp;
-
- ASSERT(ipsec_mp == NULL || ipsec_mp->b_cont == data_mp);
-
- if ((connp = ipcl_classify_v4(data_mp, ipha->ipha_protocol,
- IP_SIMPLE_HDR_LENGTH, ire->ire_zoneid, ipst)) != NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
- connp->conn_recv(connp, ipsec_mp != NULL ? ipsec_mp : data_mp,
- NULL);
- CONN_DEC_REF(connp);
- return (B_TRUE);
- }
- return (B_FALSE);
+ return (mp);
}
-/* ARGSUSED */
-static mblk_t *
-ip_tcp_input(mblk_t *mp, ipha_t *ipha, ill_t *recv_ill, boolean_t mctl_present,
- ire_t *ire, mblk_t *first_mp, uint_t flags, queue_t *q,
- ill_rx_ring_t *ill_ring)
+/*
+ * Common code for IPv4 and IPv6 to check and pullup multi-mblks
+ */
+mblk_t *
+ip_check_length(mblk_t *mp, uchar_t *rptr, ssize_t len, uint_t pkt_len,
+ uint_t min_size, ip_recv_attr_t *ira)
{
- conn_t *connp;
- uint32_t sum;
- uint32_t u1;
- uint16_t *up;
- int offset;
- ssize_t len;
- mblk_t *mp1;
- boolean_t syn_present = B_FALSE;
- tcph_t *tcph;
- uint_t tcph_flags;
- uint_t ip_hdr_len;
- ill_t *ill = (ill_t *)q->q_ptr;
- zoneid_t zoneid = ire->ire_zoneid;
- boolean_t cksum_err;
- uint16_t hck_flags = 0;
- ip_stack_t *ipst = recv_ill->ill_ipst;
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
-
-#define rptr ((uchar_t *)ipha)
-
- ASSERT(ipha->ipha_protocol == IPPROTO_TCP);
- ASSERT(ill != NULL);
-
- /*
- * FAST PATH for tcp packets
- */
-
- /* u1 is # words of IP options */
- u1 = ipha->ipha_version_and_hdr_length - (uchar_t)((IP_VERSION << 4)
- + IP_SIMPLE_HDR_LENGTH_IN_WORDS);
-
- /* IP options present */
- if (u1) {
- goto ipoptions;
- } else if (!mctl_present) {
- /* Check the IP header checksum. */
- if (IS_IP_HDR_HWCKSUM(mctl_present, mp, recv_ill)) {
- /* Clear the IP header h/w cksum flag */
- DB_CKSUMFLAGS(mp) &= ~HCK_IPV4_HDRCKSUM;
- } else if (!mctl_present) {
- /*
- * Don't verify header checksum if this packet
- * is coming back from AH/ESP as we already did it.
- */
-#define uph ((uint16_t *)ipha)
- sum = uph[0] + uph[1] + uph[2] + uph[3] + uph[4] +
- uph[5] + uph[6] + uph[7] + uph[8] + uph[9];
-#undef uph
- /* finish doing IP checksum */
- sum = (sum & 0xFFFF) + (sum >> 16);
- sum = ~(sum + (sum >> 16)) & 0xFFFF;
- if (sum != 0 && sum != 0xFFFF) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInCksumErrs);
- goto error;
- }
- }
- }
-
- if (!mctl_present) {
- UPDATE_IB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- }
-
- /* packet part of fragmented IP packet? */
- u1 = ntohs(ipha->ipha_fragment_offset_and_flags);
- if (u1 & (IPH_MF | IPH_OFFSET)) {
- goto fragmented;
- }
-
- /* u1 = IP header length (20 bytes) */
- u1 = ip_hdr_len = IP_SIMPLE_HDR_LENGTH;
-
- /* does packet contain IP+TCP headers? */
- len = mp->b_wptr - rptr;
- if (len < (IP_SIMPLE_HDR_LENGTH + TCP_MIN_HEADER_LENGTH)) {
- IP_STAT(ipst, ip_tcppullup);
- goto tcppullup;
- }
-
- /* TCP options present? */
- offset = ((uchar_t *)ipha)[IP_SIMPLE_HDR_LENGTH + 12] >> 4;
-
- /*
- * If options need to be pulled up, then goto tcpoptions.
- * otherwise we are still in the fast path
- */
- if (len < (offset << 2) + IP_SIMPLE_HDR_LENGTH) {
- IP_STAT(ipst, ip_tcpoptions);
- goto tcpoptions;
- }
-
- /* multiple mblks of tcp data? */
- if ((mp1 = mp->b_cont) != NULL) {
- IP_STAT(ipst, ip_multipkttcp);
- len += msgdsize(mp1);
- }
-
- up = (uint16_t *)(rptr + IP_SIMPLE_HDR_LENGTH + TCP_PORTS_OFFSET);
-
- /* part of pseudo checksum */
-
- /* TCP datagram length */
- u1 = len - IP_SIMPLE_HDR_LENGTH;
-
-#define iphs ((uint16_t *)ipha)
-
-#ifdef _BIG_ENDIAN
- u1 += IPPROTO_TCP;
-#else
- u1 = ((u1 >> 8) & 0xFF) + (((u1 & 0xFF) + IPPROTO_TCP) << 8);
-#endif
- u1 += iphs[6] + iphs[7] + iphs[8] + iphs[9];
-
- /*
- * Revert to software checksum calculation if the interface
- * isn't capable of checksum offload or if IPsec is present.
- */
- if (ILL_HCKSUM_CAPABLE(recv_ill) && !mctl_present && dohwcksum)
- hck_flags = DB_CKSUMFLAGS(mp);
-
- if ((hck_flags & (HCK_FULLCKSUM|HCK_PARTIALCKSUM)) == 0)
- IP_STAT(ipst, ip_in_sw_cksum);
-
- IP_CKSUM_RECV(hck_flags, u1,
- (uchar_t *)(rptr + DB_CKSUMSTART(mp)),
- (int32_t)((uchar_t *)up - rptr),
- mp, mp1, cksum_err);
-
- if (cksum_err) {
- BUMP_MIB(ill->ill_ip_mib, tcpIfStatsInErrs);
-
- if (hck_flags & HCK_FULLCKSUM)
- IP_STAT(ipst, ip_tcp_in_full_hw_cksum_err);
- else if (hck_flags & HCK_PARTIALCKSUM)
- IP_STAT(ipst, ip_tcp_in_part_hw_cksum_err);
- else
- IP_STAT(ipst, ip_tcp_in_sw_cksum_err);
-
- goto error;
- }
-
-try_again:
-
- if ((connp = ipcl_classify_v4(mp, IPPROTO_TCP, ip_hdr_len,
- zoneid, ipst)) == NULL) {
- /* Send the TH_RST */
- goto no_conn;
- }
-
- tcph = (tcph_t *)&mp->b_rptr[ip_hdr_len];
- tcph_flags = tcph->th_flags[0] & (TH_SYN|TH_ACK|TH_RST|TH_URG);
+ ill_t *ill = ira->ira_ill;
/*
- * TCP FAST PATH for AF_INET socket.
- *
- * TCP fast path to avoid extra work. An AF_INET socket type
- * does not have facility to receive extra information via
- * ip_process or ip_add_info. Also, when the connection was
- * established, we made a check if this connection is impacted
- * by any global IPsec policy or per connection policy (a
- * policy that comes in effect later will not apply to this
- * connection). Since all this can be determined at the
- * connection establishment time, a quick check of flags
- * can avoid extra work.
+ * Make sure we have data length consistent
+ * with the IP header.
*/
- if (IPCL_IS_TCP4_CONNECTED_NO_POLICY(connp) && !mctl_present &&
- !IPP_ENABLED(IPP_LOCAL_IN, ipst)) {
- ASSERT(first_mp == mp);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
- if (tcph_flags != (TH_SYN | TH_ACK)) {
- SET_SQUEUE(mp, tcp_rput_data, connp);
- return (mp);
- }
- mp->b_datap->db_struioflag |= STRUIO_CONNECT;
- DB_CKSUMSTART(mp) = (intptr_t)ip_squeue_get(ill_ring);
- SET_SQUEUE(mp, tcp_input, connp);
- return (mp);
- }
-
- if (tcph_flags == TH_SYN) {
- if (IPCL_IS_TCP(connp)) {
- mp->b_datap->db_struioflag |= STRUIO_EAGER;
- DB_CKSUMSTART(mp) =
- (intptr_t)ip_squeue_get(ill_ring);
- if (IPCL_IS_FULLY_BOUND(connp) && !mctl_present &&
- !CONN_INBOUND_POLICY_PRESENT(connp, ipss)) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsHCInDelivers);
- SET_SQUEUE(mp, connp->conn_recv, connp);
- return (mp);
- } else if (IPCL_IS_BOUND(connp) && !mctl_present &&
- !CONN_INBOUND_POLICY_PRESENT(connp, ipss)) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsHCInDelivers);
- ip_squeue_enter_unbound++;
- SET_SQUEUE(mp, tcp_conn_request_unbound,
- connp);
- return (mp);
- }
- syn_present = B_TRUE;
- }
- }
-
- if (IPCL_IS_TCP(connp) && IPCL_IS_BOUND(connp) && !syn_present) {
- uint_t flags = (unsigned int)tcph->th_flags[0] & 0xFF;
-
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
- /* No need to send this packet to TCP */
- if ((flags & TH_RST) || (flags & TH_URG)) {
- CONN_DEC_REF(connp);
- freemsg(first_mp);
- return (NULL);
- }
- if (flags & TH_ACK) {
- ip_xmit_reset_serialize(first_mp, ip_hdr_len, zoneid,
- ipst->ips_netstack->netstack_tcp, connp);
- CONN_DEC_REF(connp);
- return (NULL);
- }
-
- CONN_DEC_REF(connp);
- freemsg(first_mp);
- return (NULL);
- }
-
- if (CONN_INBOUND_POLICY_PRESENT(connp, ipss) || mctl_present) {
- first_mp = ipsec_check_inbound_policy(first_mp, connp,
- ipha, NULL, mctl_present);
- if (first_mp == NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- CONN_DEC_REF(connp);
+ if (mp->b_cont == NULL) {
+ /* pkt_len is based on ipha_len, not the mblk length */
+ if (pkt_len < min_size) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
+ ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
+ freemsg(mp);
return (NULL);
}
- if (IPCL_IS_TCP(connp) && IPCL_IS_BOUND(connp)) {
- ASSERT(syn_present);
- if (mctl_present) {
- ASSERT(first_mp != mp);
- first_mp->b_datap->db_struioflag |=
- STRUIO_POLICY;
- } else {
- ASSERT(first_mp == mp);
- mp->b_datap->db_struioflag &= ~STRUIO_EAGER;
- mp->b_datap->db_struioflag |= STRUIO_POLICY;
- }
- } else {
- /*
- * Discard first_mp early since we're dealing with a
- * fully-connected conn_t and tcp doesn't do policy in
- * this case.
- */
- if (mctl_present) {
- freeb(first_mp);
- mctl_present = B_FALSE;
- }
- first_mp = mp;
- }
- }
-
- /* Initiate IPPF processing for fastpath */
- if (IPP_ENABLED(IPP_LOCAL_IN, ipst)) {
- uint32_t ill_index;
-
- ill_index = recv_ill->ill_phyint->phyint_ifindex;
- ip_process(IPP_LOCAL_IN, &mp, ill_index);
- if (mp == NULL) {
- ip2dbg(("ip_input_ipsec_process: TCP pkt "
- "deferred/dropped during IPPF processing\n"));
- CONN_DEC_REF(connp);
- if (mctl_present)
- freeb(first_mp);
+ if (len < 0) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
+ ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
+ freemsg(mp);
return (NULL);
- } else if (mctl_present) {
- /*
- * ip_process might return a new mp.
- */
- ASSERT(first_mp != mp);
- first_mp->b_cont = mp;
- } else {
- first_mp = mp;
}
-
- }
-
- if (!syn_present && connp->conn_ip_recvpktinfo) {
- /*
- * TCP does not support IP_RECVPKTINFO for v4 so lets
- * make sure IPF_RECVIF is passed to ip_add_info.
- */
- mp = ip_add_info(mp, recv_ill, flags|IPF_RECVIF,
- IPCL_ZONEID(connp), ipst);
- if (mp == NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- CONN_DEC_REF(connp);
- if (mctl_present)
- freeb(first_mp);
+ /* Drop any pad */
+ mp->b_wptr = rptr + pkt_len;
+ } else if ((len += msgdsize(mp->b_cont)) != 0) {
+ ASSERT(pkt_len >= min_size);
+ if (pkt_len < min_size) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
+ ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
+ freemsg(mp);
return (NULL);
- } else if (mctl_present) {
- /*
- * ip_add_info might return a new mp.
- */
- ASSERT(first_mp != mp);
- first_mp->b_cont = mp;
- } else {
- first_mp = mp;
}
- }
-
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
- if (IPCL_IS_TCP(connp)) {
- SET_SQUEUE(first_mp, connp->conn_recv, connp);
- return (first_mp);
- } else {
- /* SOCK_RAW, IPPROTO_TCP case */
- (connp->conn_recv)(connp, first_mp, NULL);
- CONN_DEC_REF(connp);
- return (NULL);
- }
-
-no_conn:
- /* Initiate IPPf processing, if needed. */
- if (IPP_ENABLED(IPP_LOCAL_IN, ipst)) {
- uint32_t ill_index;
- ill_index = recv_ill->ill_phyint->phyint_ifindex;
- ip_process(IPP_LOCAL_IN, &first_mp, ill_index);
- if (first_mp == NULL) {
+ if (len < 0) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
+ ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
+ freemsg(mp);
return (NULL);
}
- }
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
-
- tcp_xmit_listeners_reset(first_mp, IPH_HDR_LENGTH(mp->b_rptr), zoneid,
- ipst->ips_netstack->netstack_tcp, NULL);
- return (NULL);
-ipoptions:
- if (!ip_options_cksum(q, ill, first_mp, ipha, ire, ipst)) {
- goto slow_done;
- }
-
- UPDATE_IB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
-
- u1 = ntohs(ipha->ipha_fragment_offset_and_flags);
- if (u1 & (IPH_MF | IPH_OFFSET)) {
-fragmented:
- if (!ip_rput_fragment(ill, recv_ill, &mp, ipha, NULL, NULL)) {
- if (mctl_present)
- freeb(first_mp);
- goto slow_done;
- }
- /*
- * Make sure that first_mp points back to mp as
- * the mp we came in with could have changed in
- * ip_rput_fragment().
- */
- ASSERT(!mctl_present);
- ipha = (ipha_t *)mp->b_rptr;
- first_mp = mp;
- }
-
- /* Now we have a complete datagram, destined for this machine. */
- u1 = ip_hdr_len = IPH_HDR_LENGTH(ipha);
-
- len = mp->b_wptr - mp->b_rptr;
- /* Pull up a minimal TCP header, if necessary. */
- if (len < (u1 + 20)) {
-tcppullup:
- if (!pullupmsg(mp, u1 + 20)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- goto error;
- }
- ipha = (ipha_t *)mp->b_rptr;
- len = mp->b_wptr - mp->b_rptr;
- }
-
- /*
- * Extract the offset field from the TCP header. As usual, we
- * try to help the compiler more than the reader.
- */
- offset = ((uchar_t *)ipha)[u1 + 12] >> 4;
- if (offset != 5) {
-tcpoptions:
- if (offset < 5) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- goto error;
- }
- /*
- * There must be TCP options.
- * Make sure we can grab them.
- */
- offset <<= 2;
- offset += u1;
- if (len < offset) {
- if (!pullupmsg(mp, offset)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- goto error;
- }
- ipha = (ipha_t *)mp->b_rptr;
- len = mp->b_wptr - rptr;
- }
- }
-
- /* Get the total packet length in len, including headers. */
- if (mp->b_cont)
- len = msgdsize(mp);
-
- /*
- * Check the TCP checksum by pulling together the pseudo-
- * header checksum, and passing it to ip_csum to be added in
- * with the TCP datagram.
- *
- * Since we are not using the hwcksum if available we must
- * clear the flag. We may come here via tcppullup or tcpoptions.
- * If either of these fails along the way the mblk is freed.
- * If this logic ever changes and mblk is reused to say send
- * ICMP's back, then this flag may need to be cleared in
- * other places as well.
- */
- DB_CKSUMFLAGS(mp) = 0;
-
- up = (uint16_t *)(rptr + u1 + TCP_PORTS_OFFSET);
-
- u1 = (uint32_t)(len - u1); /* TCP datagram length. */
-#ifdef _BIG_ENDIAN
- u1 += IPPROTO_TCP;
-#else
- u1 = ((u1 >> 8) & 0xFF) + (((u1 & 0xFF) + IPPROTO_TCP) << 8);
-#endif
- u1 += iphs[6] + iphs[7] + iphs[8] + iphs[9];
- /*
- * Not M_DATA mblk or its a dup, so do the checksum now.
- */
- IP_STAT(ipst, ip_in_sw_cksum);
- if (IP_CSUM(mp, (int32_t)((uchar_t *)up - rptr), u1) != 0) {
- BUMP_MIB(ill->ill_ip_mib, tcpIfStatsInErrs);
- goto error;
- }
-
- IP_STAT(ipst, ip_tcp_slow_path);
- goto try_again;
-#undef iphs
-#undef rptr
-
-error:
- freemsg(first_mp);
-slow_done:
- return (NULL);
-}
-
-/* ARGSUSED */
-static void
-ip_sctp_input(mblk_t *mp, ipha_t *ipha, ill_t *recv_ill, boolean_t mctl_present,
- ire_t *ire, mblk_t *first_mp, uint_t flags, queue_t *q, ipaddr_t dst)
-{
- conn_t *connp;
- uint32_t sum;
- uint32_t u1;
- ssize_t len;
- sctp_hdr_t *sctph;
- zoneid_t zoneid = ire->ire_zoneid;
- uint32_t pktsum;
- uint32_t calcsum;
- uint32_t ports;
- in6_addr_t map_src, map_dst;
- ill_t *ill = (ill_t *)q->q_ptr;
- ip_stack_t *ipst;
- sctp_stack_t *sctps;
- boolean_t sctp_csum_err = B_FALSE;
-
- ASSERT(recv_ill != NULL);
- ipst = recv_ill->ill_ipst;
- sctps = ipst->ips_netstack->netstack_sctp;
-
-#define rptr ((uchar_t *)ipha)
-
- ASSERT(ipha->ipha_protocol == IPPROTO_SCTP);
- ASSERT(ill != NULL);
-
- /* u1 is # words of IP options */
- u1 = ipha->ipha_version_and_hdr_length - (uchar_t)((IP_VERSION << 4)
- + IP_SIMPLE_HDR_LENGTH_IN_WORDS);
-
- /* IP options present */
- if (u1 > 0) {
- goto ipoptions;
- } else {
- /* Check the IP header checksum. */
- if (!IS_IP_HDR_HWCKSUM(mctl_present, mp, recv_ill) &&
- !mctl_present) {
-#define uph ((uint16_t *)ipha)
- sum = uph[0] + uph[1] + uph[2] + uph[3] + uph[4] +
- uph[5] + uph[6] + uph[7] + uph[8] + uph[9];
-#undef uph
- /* finish doing IP checksum */
- sum = (sum & 0xFFFF) + (sum >> 16);
- sum = ~(sum + (sum >> 16)) & 0xFFFF;
- /*
- * Don't verify header checksum if this packet
- * is coming back from AH/ESP as we already did it.
- */
- if (sum != 0 && sum != 0xFFFF) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInCksumErrs);
- goto error;
- }
- }
+ /* Drop any pad */
+ (void) adjmsg(mp, -len);
/*
- * Since there is no SCTP h/w cksum support yet, just
- * clear the flag.
+ * adjmsg may have freed an mblk from the chain, hence
+ * invalidate any hw checksum here. This will force IP to
+ * calculate the checksum in sw, but only for this packet.
*/
DB_CKSUMFLAGS(mp) = 0;
+ IP_STAT(ill->ill_ipst, ip_multimblk);
}
-
- /*
- * Don't verify header checksum if this packet is coming
- * back from AH/ESP as we already did it.
- */
- if (!mctl_present) {
- UPDATE_IB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- }
-
- /* packet part of fragmented IP packet? */
- u1 = ntohs(ipha->ipha_fragment_offset_and_flags);
- if (u1 & (IPH_MF | IPH_OFFSET))
- goto fragmented;
-
- /* u1 = IP header length (20 bytes) */
- u1 = IP_SIMPLE_HDR_LENGTH;
-
-find_sctp_client:
- /* Pullup if we don't have the sctp common header. */
- len = MBLKL(mp);
- if (len < (u1 + SCTP_COMMON_HDR_LENGTH)) {
- if (mp->b_cont == NULL ||
- !pullupmsg(mp, u1 + SCTP_COMMON_HDR_LENGTH)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- goto error;
- }
- ipha = (ipha_t *)mp->b_rptr;
- len = MBLKL(mp);
- }
-
- sctph = (sctp_hdr_t *)(rptr + u1);
-#ifdef DEBUG
- if (!skip_sctp_cksum) {
-#endif
- pktsum = sctph->sh_chksum;
- sctph->sh_chksum = 0;
- calcsum = sctp_cksum(mp, u1);
- sctph->sh_chksum = pktsum;
- if (calcsum != pktsum)
- sctp_csum_err = B_TRUE;
-#ifdef DEBUG /* skip_sctp_cksum */
- }
-#endif
- /* get the ports */
- ports = *(uint32_t *)&sctph->sh_sport;
-
- IRE_REFRELE(ire);
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &map_dst);
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &map_src);
- if (sctp_csum_err) {
- /*
- * No potential sctp checksum errors go to the Sun
- * sctp stack however they might be Adler-32 summed
- * packets a userland stack bound to a raw IP socket
- * could reasonably use. Note though that Adler-32 is
- * a long deprecated algorithm and customer sctp
- * networks should eventually migrate to CRC-32 at
- * which time this facility should be removed.
- */
- flags |= IP_FF_SCTP_CSUM_ERR;
- goto no_conn;
- }
- if ((connp = sctp_fanout(&map_src, &map_dst, ports, zoneid, mp,
- sctps)) == NULL) {
- /* Check for raw socket or OOTB handling */
- goto no_conn;
- }
-
- /* Found a client; up it goes */
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
- sctp_input(connp, ipha, mp, first_mp, recv_ill, B_TRUE, mctl_present);
- return;
-
-no_conn:
- ip_fanout_sctp_raw(first_mp, recv_ill, ipha, B_TRUE,
- ports, mctl_present, flags, B_TRUE, zoneid);
- return;
-
-ipoptions:
- DB_CKSUMFLAGS(mp) = 0;
- if (!ip_options_cksum(q, ill, first_mp, ipha, ire, ipst))
- goto slow_done;
-
- UPDATE_IB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
-
- u1 = ntohs(ipha->ipha_fragment_offset_and_flags);
- if (u1 & (IPH_MF | IPH_OFFSET)) {
-fragmented:
- if (!ip_rput_fragment(ill, recv_ill, &mp, ipha, NULL, NULL))
- goto slow_done;
- /*
- * Make sure that first_mp points back to mp as
- * the mp we came in with could have changed in
- * ip_rput_fragment().
- */
- ASSERT(!mctl_present);
- ipha = (ipha_t *)mp->b_rptr;
- first_mp = mp;
- }
-
- /* Now we have a complete datagram, destined for this machine. */
- u1 = IPH_HDR_LENGTH(ipha);
- goto find_sctp_client;
-#undef iphs
-#undef rptr
-
-error:
- freemsg(first_mp);
-slow_done:
- IRE_REFRELE(ire);
+ return (mp);
}
-#define VER_BITS 0xF0
-#define VERSION_6 0x60
-
-static boolean_t
-ip_rput_multimblk_ipoptions(queue_t *q, ill_t *ill, mblk_t *mp, ipha_t **iphapp,
- ipaddr_t *dstp, ip_stack_t *ipst)
+/*
+ * Check that the IPv4 opt_len is consistent with the packet and pullup
+ * the options.
+ */
+mblk_t *
+ip_check_optlen(mblk_t *mp, ipha_t *ipha, uint_t opt_len, uint_t pkt_len,
+ ip_recv_attr_t *ira)
{
- uint_t opt_len;
- ipha_t *ipha;
+ ill_t *ill = ira->ira_ill;
ssize_t len;
- uint_t pkt_len;
- ASSERT(ill != NULL);
- IP_STAT(ipst, ip_ipoptions);
- ipha = *iphapp;
-
-#define rptr ((uchar_t *)ipha)
/* Assume no IPv6 packets arrive over the IPv4 queue */
- if (IPH_HDR_VERSION(ipha) == IPV6_VERSION) {
+ if (IPH_HDR_VERSION(ipha) != IPV4_VERSION) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInWrongIPVersion);
- freemsg(mp);
- return (B_FALSE);
- }
-
- /* multiple mblk or too short */
- pkt_len = ntohs(ipha->ipha_length);
-
- /* Get the number of words of IP options in the IP header. */
- opt_len = ipha->ipha_version_and_hdr_length - IP_SIMPLE_HDR_VERSION;
- if (opt_len) {
- /* IP Options present! Validate and process. */
- if (opt_len > (15 - IP_SIMPLE_HDR_LENGTH_IN_WORDS)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
- goto done;
- }
- /*
- * Recompute complete header length and make sure we
- * have access to all of it.
- */
- len = ((size_t)opt_len + IP_SIMPLE_HDR_LENGTH_IN_WORDS) << 2;
- if (len > (mp->b_wptr - rptr)) {
- if (len > pkt_len) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
- goto done;
- }
- if (!pullupmsg(mp, len)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- goto done;
- }
- ipha = (ipha_t *)mp->b_rptr;
- }
- /*
- * Go off to ip_rput_options which returns the next hop
- * destination address, which may have been affected
- * by source routing.
- */
- IP_STAT(ipst, ip_opt);
- if (ip_rput_options(q, mp, ipha, dstp, ipst) == -1) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- return (B_FALSE);
- }
- }
- *iphapp = ipha;
- return (B_TRUE);
-done:
- /* clear b_prev - used by ip_mroute_decap */
- mp->b_prev = NULL;
- freemsg(mp);
- return (B_FALSE);
-#undef rptr
-}
-
-/*
- * Deal with the fact that there is no ire for the destination.
- */
-static ire_t *
-ip_rput_noire(queue_t *q, mblk_t *mp, int ll_multicast, ipaddr_t dst)
-{
- ipha_t *ipha;
- ill_t *ill;
- ire_t *ire;
- ip_stack_t *ipst;
- enum ire_forward_action ret_action;
-
- ipha = (ipha_t *)mp->b_rptr;
- ill = (ill_t *)q->q_ptr;
-
- ASSERT(ill != NULL);
- ipst = ill->ill_ipst;
-
- /*
- * No IRE for this destination, so it can't be for us.
- * Unless we are forwarding, drop the packet.
- * We have to let source routed packets through
- * since we don't yet know if they are 'ping -l'
- * packets i.e. if they will go out over the
- * same interface as they came in on.
- */
- if (ll_multicast) {
+ ip_drop_input("IPvN packet on IPv4 ill", mp, ill);
freemsg(mp);
return (NULL);
}
- if (!(ill->ill_flags & ILLF_ROUTER) && !ip_source_routed(ipha, ipst)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+
+ if (opt_len > (15 - IP_SIMPLE_HDR_LENGTH_IN_WORDS)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
+ ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
freemsg(mp);
return (NULL);
}
-
/*
- * Mark this packet as having originated externally.
- *
- * For non-forwarding code path, ire_send later double
- * checks this interface to see if it is still exists
- * post-ARP resolution.
- *
- * Also, IPQOS uses this to differentiate between
- * IPP_FWD_OUT and IPP_LOCAL_OUT for post-ARP
- * QOS packet processing in ip_wput_attach_llhdr().
- * The QoS module can mark the b_band for a fastpath message
- * or the dl_priority field in a unitdata_req header for
- * CoS marking. This info can only be found in
- * ip_wput_attach_llhdr().
+ * Recompute complete header length and make sure we
+ * have access to all of it.
*/
- mp->b_prev = (mblk_t *)(uintptr_t)ill->ill_phyint->phyint_ifindex;
- /*
- * Clear the indication that this may have a hardware checksum
- * as we are not using it
- */
- DB_CKSUMFLAGS(mp) = 0;
-
- ire = ire_forward(dst, &ret_action, NULL, NULL,
- msg_getlabel(mp), ipst);
-
- if (ire == NULL && ret_action == Forward_check_multirt) {
- /* Let ip_newroute handle CGTP */
- ip_newroute(q, mp, dst, NULL, GLOBAL_ZONEID, ipst);
- return (NULL);
- }
-
- if (ire != NULL)
- return (ire);
-
- mp->b_prev = mp->b_next = 0;
-
- if (ret_action == Forward_blackhole) {
- freemsg(mp);
- return (NULL);
- }
- /* send icmp unreachable */
- q = WR(q);
- /* Sent by forwarding path, and router is global zone */
- if (ip_source_routed(ipha, ipst)) {
- icmp_unreachable(q, mp, ICMP_SOURCE_ROUTE_FAILED,
- GLOBAL_ZONEID, ipst);
- } else {
- icmp_unreachable(q, mp, ICMP_HOST_UNREACHABLE, GLOBAL_ZONEID,
- ipst);
- }
-
- return (NULL);
-
-}
-
-/*
- * check ip header length and align it.
- */
-static boolean_t
-ip_check_and_align_header(queue_t *q, mblk_t *mp, ip_stack_t *ipst)
-{
- ssize_t len;
- ill_t *ill;
- ipha_t *ipha;
-
- len = MBLKL(mp);
-
- if (!OK_32PTR(mp->b_rptr) || len < IP_SIMPLE_HDR_LENGTH) {
- ill = (ill_t *)q->q_ptr;
-
- if (!OK_32PTR(mp->b_rptr))
- IP_STAT(ipst, ip_notaligned1);
- else
- IP_STAT(ipst, ip_notaligned2);
- /* Guard against bogus device drivers */
- if (len < 0) {
- /* clear b_prev - used by ip_mroute_decap */
- mp->b_prev = NULL;
+ len = ((size_t)opt_len + IP_SIMPLE_HDR_LENGTH_IN_WORDS) << 2;
+ if (len > (mp->b_wptr - mp->b_rptr)) {
+ if (len > pkt_len) {
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
+ ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
freemsg(mp);
- return (B_FALSE);
- }
-
- if (ip_rput_pullups++ == 0) {
- ipha = (ipha_t *)mp->b_rptr;
- (void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
- "ip_check_and_align_header: %s forced us to "
- " pullup pkt, hdr len %ld, hdr addr %p",
- ill->ill_name, len, (void *)ipha);
+ return (NULL);
}
- if (!pullupmsg(mp, IP_SIMPLE_HDR_LENGTH)) {
- /* clear b_prev - used by ip_mroute_decap */
- mp->b_prev = NULL;
+ if (ip_pullup(mp, len, ira) == NULL) {
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
freemsg(mp);
- return (B_FALSE);
+ return (NULL);
}
}
- return (B_TRUE);
+ return (mp);
}
/*
- * Handle the situation where a packet came in on `ill' but matched an IRE
- * whose ire_rfq doesn't match `ill'. We return the IRE that should be used
- * for interface statistics.
+ * Returns a new ire, or the same ire, or NULL.
+ * If a different IRE is returned, then it is held; the caller
+ * needs to release it.
+ * In no case is there any hold/release on the ire argument.
*/
ire_t *
ip_check_multihome(void *addr, ire_t *ire, ill_t *ill)
@@ -13697,10 +7829,9 @@ ip_check_multihome(void *addr, ire_t *ire, ill_t *ill)
* issue (e.g. packet received on an underlying interface matched an
* IRE_LOCAL on its associated group interface).
*/
- if (ire->ire_rfq != NULL &&
- IS_IN_SAME_ILLGRP(ill, (ill_t *)ire->ire_rfq->q_ptr)) {
+ ASSERT(ire->ire_ill != NULL);
+ if (IS_IN_SAME_ILLGRP(ill, ire->ire_ill))
return (ire);
- }
/*
* Do another ire lookup here, using the ingress ill, to see if the
@@ -13711,25 +7842,24 @@ ip_check_multihome(void *addr, ire_t *ire, ill_t *ill)
* ip*_strict_dst_multihoming switch is on.
* We also need to check for IPIF_UNNUMBERED point2point interfaces
* where the local address may not be unique. In this case we were
- * at the mercy of the initial ire cache lookup and the IRE_LOCAL it
+ * at the mercy of the initial ire lookup and the IRE_LOCAL it
* actually returned. The new lookup, which is more specific, should
* only find the IRE_LOCAL associated with the ingress ill if one
* exists.
*/
-
if (ire->ire_ipversion == IPV4_VERSION) {
if (ipst->ips_ip_strict_dst_multihoming)
strict_check = B_TRUE;
- new_ire = ire_ctable_lookup(*((ipaddr_t *)addr), 0, IRE_LOCAL,
- ill->ill_ipif, ALL_ZONES, NULL,
- (MATCH_IRE_TYPE|MATCH_IRE_ILL), ipst);
+ new_ire = ire_ftable_lookup_v4(*((ipaddr_t *)addr), 0, 0,
+ IRE_LOCAL, ill, ALL_ZONES, NULL,
+ (MATCH_IRE_TYPE|MATCH_IRE_ILL), 0, ipst, NULL);
} else {
ASSERT(!IN6_IS_ADDR_MULTICAST((in6_addr_t *)addr));
if (ipst->ips_ipv6_strict_dst_multihoming)
strict_check = B_TRUE;
- new_ire = ire_ctable_lookup_v6((in6_addr_t *)addr, NULL,
- IRE_LOCAL, ill->ill_ipif, ALL_ZONES, NULL,
- (MATCH_IRE_TYPE|MATCH_IRE_ILL), ipst);
+ new_ire = ire_ftable_lookup_v6((in6_addr_t *)addr, NULL, NULL,
+ IRE_LOCAL, ill, ALL_ZONES, NULL,
+ (MATCH_IRE_TYPE|MATCH_IRE_ILL), 0, ipst, NULL);
}
/*
* If the same ire that was returned in ip_input() is found then this
@@ -13741,38 +7871,27 @@ ip_check_multihome(void *addr, ire_t *ire, ill_t *ill)
* order to have accurate interface statistics.
*/
if (new_ire != NULL) {
- if ((new_ire != ire) && (new_ire->ire_rfq != NULL)) {
- ire_refrele(ire);
- ire = new_ire;
- } else {
- ire_refrele(new_ire);
- }
- return (ire);
- } else if ((ire->ire_rfq == NULL) &&
- (ire->ire_ipversion == IPV4_VERSION)) {
- /*
- * The best match could have been the original ire which
- * was created against an IRE_LOCAL on lo0. In the IPv4 case
- * the strict multihoming checks are irrelevant as we consider
- * local addresses hosted on lo0 to be interface agnostic. We
- * only expect a null ire_rfq on IREs which are associated with
- * lo0 hence we can return now.
- */
+ /* Note: held in one case but not the other? Caller handles */
+ if (new_ire != ire)
+ return (new_ire);
+ /* Unchanged */
+ ire_refrele(new_ire);
return (ire);
}
/*
* Chase pointers once and store locally.
*/
- ire_ill = (ire->ire_rfq == NULL) ? NULL :
- (ill_t *)(ire->ire_rfq->q_ptr);
+ ASSERT(ire->ire_ill != NULL);
+ ire_ill = ire->ire_ill;
ifindex = ill->ill_usesrc_ifindex;
/*
* Check if it's a legal address on the 'usesrc' interface.
+ * For IPMP data addresses the IRE_LOCAL is the upper, hence we
+ * can just check phyint_ifindex.
*/
- if ((ifindex != 0) && (ire_ill != NULL) &&
- (ifindex == ire_ill->ill_phyint->phyint_ifindex)) {
+ if (ifindex != 0 && ifindex == ire_ill->ill_phyint->phyint_ifindex) {
return (ire);
}
@@ -13783,905 +7902,234 @@ ip_check_multihome(void *addr, ire_t *ire, ill_t *ill)
if (!(strict_check))
return (ire);
- if ((ill->ill_flags & ire->ire_ipif->ipif_ill->ill_flags &
- ILLF_ROUTER) != 0) {
+ if ((ill->ill_flags & ire->ire_ill->ill_flags & ILLF_ROUTER) != 0) {
return (ire);
}
-
- ire_refrele(ire);
return (NULL);
}
/*
+ * This function is used to construct a mac_header_info_s from a
+ * DL_UNITDATA_IND message.
+ * The address fields in the mhi structure points into the message,
+ * thus the caller can't use those fields after freeing the message.
*
- * This is the fast forward path. If we are here, we dont need to
- * worry about RSVP, CGTP, or TSol. Furthermore the ftable lookup
- * needed to find the nexthop in this case is much simpler
+ * We determine whether the packet received is a non-unicast packet
+ * and in doing so, determine whether or not it is broadcast vs multicast.
+ * For it to be a broadcast packet, we must have the appropriate mblk_t
+ * hanging off the ill_t. If this is either not present or doesn't match
+ * the destination mac address in the DL_UNITDATA_IND, the packet is deemed
+ * to be multicast. Thus NICs that have no broadcast address (or no
+ * capability for one, such as point to point links) cannot return as
+ * the packet being broadcast.
*/
-ire_t *
-ip_fast_forward(ire_t *ire, ipaddr_t dst, ill_t *ill, mblk_t *mp)
+void
+ip_dlur_to_mhi(ill_t *ill, mblk_t *mb, struct mac_header_info_s *mhip)
{
- ipha_t *ipha;
- ire_t *src_ire;
- ill_t *stq_ill;
- uint_t hlen;
- uint_t pkt_len;
- uint32_t sum;
- queue_t *dev_q;
- ip_stack_t *ipst = ill->ill_ipst;
- mblk_t *fpmp;
- enum ire_forward_action ret_action;
-
- ipha = (ipha_t *)mp->b_rptr;
-
- if (ire != NULL &&
- ire->ire_zoneid != GLOBAL_ZONEID &&
- ire->ire_zoneid != ALL_ZONES) {
- /*
- * Should only use IREs that are visible to the global
- * zone for forwarding.
- */
- ire_refrele(ire);
- ire = ire_cache_lookup(dst, GLOBAL_ZONEID, NULL, ipst);
- /*
- * ire_cache_lookup() can return ire of IRE_LOCAL in
- * transient cases. In such case, just drop the packet
- */
- if (ire != NULL && ire->ire_type != IRE_CACHE)
- goto indiscard;
- }
-
- /*
- * Martian Address Filtering [RFC 1812, Section 5.3.7]
- * The loopback address check for both src and dst has already
- * been checked in ip_input
- */
-
- if (dst == INADDR_ANY || CLASSD(ipha->ipha_src)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
- goto drop;
- }
- src_ire = ire_ctable_lookup(ipha->ipha_src, 0, IRE_BROADCAST, NULL,
- ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
-
- if (src_ire != NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
- ire_refrele(src_ire);
- goto drop;
- }
-
- /* No ire cache of nexthop. So first create one */
- if (ire == NULL) {
-
- ire = ire_forward_simple(dst, &ret_action, ipst);
+ dl_unitdata_ind_t *ind = (dl_unitdata_ind_t *)mb->b_rptr;
+ mblk_t *bmp;
+ uint_t extra_offset;
- /*
- * We only come to ip_fast_forward if ip_cgtp_filter
- * is not set. So ire_forward() should not return with
- * Forward_check_multirt as the next action.
- */
- ASSERT(ret_action != Forward_check_multirt);
- if (ire == NULL) {
- /* An attempt was made to forward the packet */
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInForwDatagrams);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- mp->b_prev = mp->b_next = 0;
- /* send icmp unreachable */
- /* Sent by forwarding path, and router is global zone */
- if (ret_action == Forward_ret_icmp_err) {
- if (ip_source_routed(ipha, ipst)) {
- icmp_unreachable(ill->ill_wq, mp,
- ICMP_SOURCE_ROUTE_FAILED,
- GLOBAL_ZONEID, ipst);
- } else {
- icmp_unreachable(ill->ill_wq, mp,
- ICMP_HOST_UNREACHABLE,
- GLOBAL_ZONEID, ipst);
- }
- } else {
- freemsg(mp);
- }
- return (NULL);
- }
- }
+ bzero(mhip, sizeof (struct mac_header_info_s));
- /*
- * Forwarding fastpath exception case:
- * If any of the following are true, we take the slowpath:
- * o forwarding is not enabled
- * o incoming and outgoing interface are the same, or in the same
- * IPMP group.
- * o corresponding ire is in incomplete state
- * o packet needs fragmentation
- * o ARP cache is not resolved
- *
- * The codeflow from here on is thus:
- * ip_rput_process_forward->ip_rput_forward->ip_xmit_v4
- */
- pkt_len = ntohs(ipha->ipha_length);
- stq_ill = (ill_t *)ire->ire_stq->q_ptr;
- if (!(stq_ill->ill_flags & ILLF_ROUTER) ||
- (ill == stq_ill) || IS_IN_SAME_ILLGRP(ill, stq_ill) ||
- (ire->ire_nce == NULL) ||
- (pkt_len > ire->ire_max_frag) ||
- ((fpmp = ire->ire_nce->nce_fp_mp) == NULL) ||
- ((hlen = MBLKL(fpmp)) > MBLKHEAD(mp)) ||
- ipha->ipha_ttl <= 1) {
- ip_rput_process_forward(ill->ill_rq, mp, ire,
- ipha, ill, B_FALSE, B_TRUE);
- return (ire);
- }
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInForwDatagrams);
+ mhip->mhi_dsttype = MAC_ADDRTYPE_UNICAST;
- DTRACE_PROBE4(ip4__forwarding__start,
- ill_t *, ill, ill_t *, stq_ill, ipha_t *, ipha, mblk_t *, mp);
+ if (ill->ill_sap_length < 0)
+ extra_offset = 0;
+ else
+ extra_offset = ill->ill_sap_length;
- FW_HOOKS(ipst->ips_ip4_forwarding_event,
- ipst->ips_ipv4firewall_forwarding,
- ill, stq_ill, ipha, mp, mp, 0, ipst);
+ mhip->mhi_daddr = (uchar_t *)ind + ind->dl_dest_addr_offset +
+ extra_offset;
+ mhip->mhi_saddr = (uchar_t *)ind + ind->dl_src_addr_offset +
+ extra_offset;
- DTRACE_PROBE1(ip4__forwarding__end, mblk_t *, mp);
+ if (!ind->dl_group_address)
+ return;
- if (mp == NULL)
- goto drop;
+ /* Multicast or broadcast */
+ mhip->mhi_dsttype = MAC_ADDRTYPE_MULTICAST;
- mp->b_datap->db_struioun.cksum.flags = 0;
- /* Adjust the checksum to reflect the ttl decrement. */
- sum = (int)ipha->ipha_hdr_checksum + IP_HDR_CSUM_TTL_ADJUST;
- ipha->ipha_hdr_checksum = (uint16_t)(sum + (sum >> 16));
- ipha->ipha_ttl--;
+ if (ind->dl_dest_addr_offset > sizeof (*ind) &&
+ ind->dl_dest_addr_offset + ind->dl_dest_addr_length < MBLKL(mb) &&
+ (bmp = ill->ill_bcast_mp) != NULL) {
+ dl_unitdata_req_t *dlur;
+ uint8_t *bphys_addr;
- /*
- * Write the link layer header. We can do this safely here,
- * because we have already tested to make sure that the IP
- * policy is not set, and that we have a fast path destination
- * header.
- */
- mp->b_rptr -= hlen;
- bcopy(fpmp->b_rptr, mp->b_rptr, hlen);
-
- UPDATE_IB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- BUMP_MIB(stq_ill->ill_ip_mib, ipIfStatsHCOutForwDatagrams);
- BUMP_MIB(stq_ill->ill_ip_mib, ipIfStatsHCOutTransmits);
- UPDATE_MIB(stq_ill->ill_ip_mib, ipIfStatsHCOutOctets, pkt_len);
-
- if (!ILL_DIRECT_CAPABLE(stq_ill) || DB_TYPE(mp) != M_DATA) {
- dev_q = ire->ire_stq->q_next;
- if (DEV_Q_FLOW_BLOCKED(dev_q))
- goto indiscard;
- }
-
- DTRACE_PROBE4(ip4__physical__out__start,
- ill_t *, NULL, ill_t *, stq_ill, ipha_t *, ipha, mblk_t *, mp);
- FW_HOOKS(ipst->ips_ip4_physical_out_event,
- ipst->ips_ipv4firewall_physical_out,
- NULL, stq_ill, ipha, mp, mp, 0, ipst);
- DTRACE_PROBE1(ip4__physical__out__end, mblk_t *, mp);
- DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
- ipha, __dtrace_ipsr_ill_t *, stq_ill, ipha_t *, ipha,
- ip6_t *, NULL, int, 0);
-
- if (mp != NULL) {
- if (ipst->ips_ip4_observe.he_interested) {
- zoneid_t szone;
+ dlur = (dl_unitdata_req_t *)bmp->b_rptr;
+ bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset +
+ extra_offset;
- /*
- * Both of these functions expect b_rptr to be
- * where the IP header starts, so advance past the
- * link layer header if present.
- */
- mp->b_rptr += hlen;
- szone = ip_get_zoneid_v4(ipha->ipha_src, mp,
- ipst, ALL_ZONES);
- ipobs_hook(mp, IPOBS_HOOK_OUTBOUND, szone,
- ALL_ZONES, ill, ipst);
- mp->b_rptr -= hlen;
- }
- ILL_SEND_TX(stq_ill, ire, dst, mp, IP_DROP_ON_NO_DESC, NULL);
+ if (bcmp(mhip->mhi_daddr, bphys_addr,
+ ind->dl_dest_addr_length) == 0)
+ mhip->mhi_dsttype = MAC_ADDRTYPE_BROADCAST;
}
- return (ire);
-
-indiscard:
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
-drop:
- if (mp != NULL)
- freemsg(mp);
- return (ire);
-
}
/*
- * This function is called in the forwarding slowpath, when
- * either the ire lacks the link-layer address, or the packet needs
- * further processing(eg. fragmentation), before transmission.
+ * This function is used to construct a mac_header_info_s from a
+ * M_DATA fastpath message from a DLPI driver.
+ * The address fields in the mhi structure points into the message,
+ * thus the caller can't use those fields after freeing the message.
+ *
+ * We determine whether the packet received is a non-unicast packet
+ * and in doing so, determine whether or not it is broadcast vs multicast.
+ * For it to be a broadcast packet, we must have the appropriate mblk_t
+ * hanging off the ill_t. If this is either not present or doesn't match
+ * the destination mac address in the DL_UNITDATA_IND, the packet is deemed
+ * to be multicast. Thus NICs that have no broadcast address (or no
+ * capability for one, such as point to point links) cannot return as
+ * the packet being broadcast.
*/
-
-static void
-ip_rput_process_forward(queue_t *q, mblk_t *mp, ire_t *ire, ipha_t *ipha,
- ill_t *ill, boolean_t ll_multicast, boolean_t from_ip_fast_forward)
+void
+ip_mdata_to_mhi(ill_t *ill, mblk_t *mp, struct mac_header_info_s *mhip)
{
- queue_t *dev_q;
- ire_t *src_ire;
- ip_stack_t *ipst = ill->ill_ipst;
- boolean_t same_illgrp = B_FALSE;
-
- ASSERT(ire->ire_stq != NULL);
-
- mp->b_prev = NULL; /* ip_rput_noire sets incoming interface here */
- mp->b_next = NULL; /* ip_rput_noire sets dst here */
+ mblk_t *bmp;
+ struct ether_header *pether;
- /*
- * If the caller of this function is ip_fast_forward() skip the
- * next three checks as it does not apply.
- */
- if (from_ip_fast_forward)
- goto skip;
+ bzero(mhip, sizeof (struct mac_header_info_s));
- if (ll_multicast != 0) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- goto drop_pkt;
- }
+ mhip->mhi_dsttype = MAC_ADDRTYPE_UNICAST;
- /*
- * check if ipha_src is a broadcast address. Note that this
- * check is redundant when we get here from ip_fast_forward()
- * which has already done this check. However, since we can
- * also get here from ip_rput_process_broadcast() or, for
- * for the slow path through ip_fast_forward(), we perform
- * the check again for code-reusability
- */
- src_ire = ire_ctable_lookup(ipha->ipha_src, 0, IRE_BROADCAST, NULL,
- ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- if (src_ire != NULL || ipha->ipha_dst == INADDR_ANY) {
- if (src_ire != NULL)
- ire_refrele(src_ire);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
- ip2dbg(("ip_rput_process_forward: Received packet with"
- " bad src/dst address on %s\n", ill->ill_name));
- goto drop_pkt;
- }
+ pether = (struct ether_header *)((char *)mp->b_rptr
+ - sizeof (struct ether_header));
/*
- * Check if we want to forward this one at this time.
- * We allow source routed packets on a host provided that
- * they go out the same ill or illgrp as they came in on.
- *
- * XXX To be quicker, we may wish to not chase pointers to
- * get the ILLF_ROUTER flag and instead store the
- * forwarding policy in the ire. An unfortunate
- * side-effect of that would be requiring an ire flush
- * whenever the ILLF_ROUTER flag changes.
+ * Make sure the interface is an ethernet type, since we don't
+ * know the header format for anything but Ethernet. Also make
+ * sure we are pointing correctly above db_base.
*/
-skip:
- same_illgrp = IS_IN_SAME_ILLGRP(ill, (ill_t *)ire->ire_rfq->q_ptr);
-
- if (((ill->ill_flags &
- ((ill_t *)ire->ire_stq->q_ptr)->ill_flags & ILLF_ROUTER) == 0) &&
- !(ip_source_routed(ipha, ipst) &&
- (ire->ire_rfq == q || same_illgrp))) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
- if (ip_source_routed(ipha, ipst)) {
- q = WR(q);
- /*
- * Clear the indication that this may have
- * hardware checksum as we are not using it.
- */
- DB_CKSUMFLAGS(mp) = 0;
- /* Sent by forwarding path, and router is global zone */
- icmp_unreachable(q, mp,
- ICMP_SOURCE_ROUTE_FAILED, GLOBAL_ZONEID, ipst);
- return;
- }
- goto drop_pkt;
- }
-
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInForwDatagrams);
-
- /* Packet is being forwarded. Turning off hwcksum flag. */
- DB_CKSUMFLAGS(mp) = 0;
- if (ipst->ips_ip_g_send_redirects) {
- /*
- * Check whether the incoming interface and outgoing
- * interface is part of the same group. If so,
- * send redirects.
- *
- * Check the source address to see if it originated
- * on the same logical subnet it is going back out on.
- * If so, we should be able to send it a redirect.
- * Avoid sending a redirect if the destination
- * is directly connected (i.e., ipha_dst is the same
- * as ire_gateway_addr or the ire_addr of the
- * nexthop IRE_CACHE ), or if the packet was source
- * routed out this interface.
- */
- ipaddr_t src, nhop;
- mblk_t *mp1;
- ire_t *nhop_ire = NULL;
-
- /*
- * Check whether ire_rfq and q are from the same ill or illgrp.
- * If so, send redirects.
- */
- if ((ire->ire_rfq == q || same_illgrp) &&
- !ip_source_routed(ipha, ipst)) {
-
- nhop = (ire->ire_gateway_addr != 0 ?
- ire->ire_gateway_addr : ire->ire_addr);
-
- if (ipha->ipha_dst == nhop) {
- /*
- * We avoid sending a redirect if the
- * destination is directly connected
- * because it is possible that multiple
- * IP subnets may have been configured on
- * the link, and the source may not
- * be on the same subnet as ip destination,
- * even though they are on the same
- * physical link.
- */
- goto sendit;
- }
-
- src = ipha->ipha_src;
-
- /*
- * We look up the interface ire for the nexthop,
- * to see if ipha_src is in the same subnet
- * as the nexthop.
- *
- * Note that, if, in the future, IRE_CACHE entries
- * are obsoleted, this lookup will not be needed,
- * as the ire passed to this function will be the
- * same as the nhop_ire computed below.
- */
- nhop_ire = ire_ftable_lookup(nhop, 0, 0,
- IRE_INTERFACE, NULL, NULL, ALL_ZONES,
- 0, NULL, MATCH_IRE_TYPE, ipst);
-
- if (nhop_ire != NULL) {
- if ((src & nhop_ire->ire_mask) ==
- (nhop & nhop_ire->ire_mask)) {
- /*
- * The source is directly connected.
- * Just copy the ip header (which is
- * in the first mblk)
- */
- mp1 = copyb(mp);
- if (mp1 != NULL) {
- icmp_send_redirect(WR(q), mp1,
- nhop, ipst);
- }
- }
- ire_refrele(nhop_ire);
- }
- }
- }
-sendit:
- dev_q = ire->ire_stq->q_next;
- if (DEV_Q_FLOW_BLOCKED(dev_q)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(mp);
+ if (ill->ill_type != IFT_ETHER)
return;
- }
-
- ip_rput_forward(ire, ipha, mp, ill);
- return;
-
-drop_pkt:
- ip2dbg(("ip_rput_process_forward: drop pkt\n"));
- freemsg(mp);
-}
-
-ire_t *
-ip_rput_process_broadcast(queue_t **qp, mblk_t *mp, ire_t *ire, ipha_t *ipha,
- ill_t *ill, ipaddr_t dst, int cgtp_flt_pkt, int ll_multicast)
-{
- queue_t *q;
- uint16_t hcksumflags;
- ip_stack_t *ipst = ill->ill_ipst;
-
- q = *qp;
-
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInBcastPkts);
-
- /*
- * Clear the indication that this may have hardware
- * checksum as we are not using it for forwarding.
- */
- hcksumflags = DB_CKSUMFLAGS(mp);
- DB_CKSUMFLAGS(mp) = 0;
-
- /*
- * Directed broadcast forwarding: if the packet came in over a
- * different interface then it is routed out over we can forward it.
- */
- if (ipha->ipha_protocol == IPPROTO_TCP) {
- ire_refrele(ire);
- freemsg(mp);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- return (NULL);
- }
- /*
- * For multicast we have set dst to be INADDR_BROADCAST
- * for delivering to all STREAMS.
- */
- if (!CLASSD(ipha->ipha_dst)) {
- ire_t *new_ire;
- ipif_t *ipif;
-
- ipif = ipif_get_next_ipif(NULL, ill);
- if (ipif == NULL) {
-discard: ire_refrele(ire);
- freemsg(mp);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- return (NULL);
- }
- new_ire = ire_ctable_lookup(dst, 0, 0,
- ipif, ALL_ZONES, NULL, MATCH_IRE_ILL, ipst);
- ipif_refrele(ipif);
- if (new_ire != NULL) {
- /*
- * If the matching IRE_BROADCAST is part of an IPMP
- * group, then drop the packet unless our ill has been
- * nominated to receive for the group.
- */
- if (IS_IPMP(new_ire->ire_ipif->ipif_ill) &&
- new_ire->ire_rfq != q) {
- ire_refrele(new_ire);
- goto discard;
- }
-
- /*
- * In the special case of multirouted broadcast
- * packets, we unconditionally need to "gateway"
- * them to the appropriate interface here.
- * In the normal case, this cannot happen, because
- * there is no broadcast IRE tagged with the
- * RTF_MULTIRT flag.
- */
- if (new_ire->ire_flags & RTF_MULTIRT) {
- ire_refrele(new_ire);
- if (ire->ire_rfq != NULL) {
- q = ire->ire_rfq;
- *qp = q;
- }
- } else {
- ire_refrele(ire);
- ire = new_ire;
- }
- } else if (cgtp_flt_pkt == CGTP_IP_PKT_NOT_CGTP) {
- if (!ipst->ips_ip_g_forward_directed_bcast) {
- /*
- * Free the message if
- * ip_g_forward_directed_bcast is turned
- * off for non-local broadcast.
- */
- ire_refrele(ire);
- freemsg(mp);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- return (NULL);
- }
- } else {
- /*
- * This CGTP packet successfully passed the
- * CGTP filter, but the related CGTP
- * broadcast IRE has not been found,
- * meaning that the redundant ipif is
- * probably down. However, if we discarded
- * this packet, its duplicate would be
- * filtered out by the CGTP filter so none
- * of them would get through. So we keep
- * going with this one.
- */
- ASSERT(cgtp_flt_pkt == CGTP_IP_PKT_PREMIUM);
- if (ire->ire_rfq != NULL) {
- q = ire->ire_rfq;
- *qp = q;
- }
- }
- }
- if (ipst->ips_ip_g_forward_directed_bcast && ll_multicast == 0) {
- /*
- * Verify that there are not more then one
- * IRE_BROADCAST with this broadcast address which
- * has ire_stq set.
- * TODO: simplify, loop over all IRE's
- */
- ire_t *ire1;
- int num_stq = 0;
- mblk_t *mp1;
-
- /* Find the first one with ire_stq set */
- rw_enter(&ire->ire_bucket->irb_lock, RW_READER);
- for (ire1 = ire; ire1 &&
- !ire1->ire_stq && ire1->ire_addr == ire->ire_addr;
- ire1 = ire1->ire_next)
- ;
- if (ire1) {
- ire_refrele(ire);
- ire = ire1;
- IRE_REFHOLD(ire);
- }
+retry:
+ if ((uchar_t *)pether < mp->b_datap->db_base)
+ return;
- /* Check if there are additional ones with stq set */
- for (ire1 = ire; ire1; ire1 = ire1->ire_next) {
- if (ire->ire_addr != ire1->ire_addr)
- break;
- if (ire1->ire_stq) {
- num_stq++;
- break;
- }
+ /* Is there a VLAN tag? */
+ if (ill->ill_isv6) {
+ if (pether->ether_type != htons(ETHERTYPE_IPV6)) {
+ pether = (struct ether_header *)((char *)pether - 4);
+ goto retry;
}
- rw_exit(&ire->ire_bucket->irb_lock);
- if (num_stq == 1 && ire->ire_stq != NULL) {
- ip1dbg(("ip_rput_process_broadcast: directed "
- "broadcast to 0x%x\n",
- ntohl(ire->ire_addr)));
- mp1 = copymsg(mp);
- if (mp1) {
- switch (ipha->ipha_protocol) {
- case IPPROTO_UDP:
- ip_udp_input(q, mp1, ipha, ire, ill);
- break;
- default:
- ip_proto_input(q, mp1, ipha, ire, ill,
- 0);
- break;
- }
- }
- /*
- * Adjust ttl to 2 (1+1 - the forward engine
- * will decrement it by one.
- */
- if (ip_csum_hdr(ipha)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInCksumErrs);
- ip2dbg(("ip_rput_broadcast:drop pkt\n"));
- freemsg(mp);
- ire_refrele(ire);
- return (NULL);
- }
- ipha->ipha_ttl = ipst->ips_ip_broadcast_ttl + 1;
- ipha->ipha_hdr_checksum = 0;
- ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
- ip_rput_process_forward(q, mp, ire, ipha,
- ill, ll_multicast, B_FALSE);
- ire_refrele(ire);
- return (NULL);
+ } else {
+ if (pether->ether_type != htons(ETHERTYPE_IP)) {
+ pether = (struct ether_header *)((char *)pether - 4);
+ goto retry;
}
- ip1dbg(("ip_rput: NO directed broadcast to 0x%x\n",
- ntohl(ire->ire_addr)));
}
+ mhip->mhi_daddr = (uchar_t *)&pether->ether_dhost;
+ mhip->mhi_saddr = (uchar_t *)&pether->ether_shost;
- /* Restore any hardware checksum flags */
- DB_CKSUMFLAGS(mp) = hcksumflags;
- return (ire);
-}
-
-/* ARGSUSED */
-static boolean_t
-ip_rput_process_multicast(queue_t *q, mblk_t *mp, ill_t *ill, ipha_t *ipha,
- int *ll_multicast, ipaddr_t *dstp)
-{
- ip_stack_t *ipst = ill->ill_ipst;
-
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInMcastPkts);
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInMcastOctets,
- ntohs(ipha->ipha_length));
+ if (!(mhip->mhi_daddr[0] & 0x01))
+ return;
- /*
- * So that we don't end up with dups, only one ill in an IPMP group is
- * nominated to receive multicast traffic.
- */
- if (IS_UNDER_IPMP(ill) && !ill->ill_nom_cast)
- goto drop_pkt;
+ /* Multicast or broadcast */
+ mhip->mhi_dsttype = MAC_ADDRTYPE_MULTICAST;
- /*
- * Forward packets only if we have joined the allmulti
- * group on this interface.
- */
- if (ipst->ips_ip_g_mrouter && ill->ill_join_allmulti) {
- int retval;
+ if ((bmp = ill->ill_bcast_mp) != NULL) {
+ dl_unitdata_req_t *dlur;
+ uint8_t *bphys_addr;
+ uint_t addrlen;
- /*
- * Clear the indication that this may have hardware
- * checksum as we are not using it.
- */
- DB_CKSUMFLAGS(mp) = 0;
- retval = ip_mforward(ill, ipha, mp);
- /* ip_mforward updates mib variables if needed */
- /* clear b_prev - used by ip_mroute_decap */
- mp->b_prev = NULL;
-
- switch (retval) {
- case 0:
- /*
- * pkt is okay and arrived on phyint.
- *
- * If we are running as a multicast router
- * we need to see all IGMP and/or PIM packets.
- */
- if ((ipha->ipha_protocol == IPPROTO_IGMP) ||
- (ipha->ipha_protocol == IPPROTO_PIM)) {
- goto done;
- }
- break;
- case -1:
- /* pkt is mal-formed, toss it */
- goto drop_pkt;
- case 1:
- /* pkt is okay and arrived on a tunnel */
- /*
- * If we are running a multicast router
- * we need to see all igmp packets.
- */
- if (ipha->ipha_protocol == IPPROTO_IGMP) {
- *dstp = INADDR_BROADCAST;
- *ll_multicast = 1;
- return (B_FALSE);
- }
-
- goto drop_pkt;
+ dlur = (dl_unitdata_req_t *)bmp->b_rptr;
+ addrlen = dlur->dl_dest_addr_length;
+ if (ill->ill_sap_length < 0) {
+ bphys_addr = (uchar_t *)dlur +
+ dlur->dl_dest_addr_offset;
+ addrlen += ill->ill_sap_length;
+ } else {
+ bphys_addr = (uchar_t *)dlur +
+ dlur->dl_dest_addr_offset +
+ ill->ill_sap_length;
+ addrlen -= ill->ill_sap_length;
}
+ if (bcmp(mhip->mhi_daddr, bphys_addr, addrlen) == 0)
+ mhip->mhi_dsttype = MAC_ADDRTYPE_BROADCAST;
}
-
- if (ilm_lookup_ill(ill, *dstp, ALL_ZONES) == NULL) {
- /*
- * This might just be caused by the fact that
- * multiple IP Multicast addresses map to the same
- * link layer multicast - no need to increment counter!
- */
- freemsg(mp);
- return (B_TRUE);
- }
-done:
- ip2dbg(("ip_rput: multicast for us: 0x%x\n", ntohl(*dstp)));
- /*
- * This assumes the we deliver to all streams for multicast
- * and broadcast packets.
- */
- *dstp = INADDR_BROADCAST;
- *ll_multicast = 1;
- return (B_FALSE);
-drop_pkt:
- ip2dbg(("ip_rput: drop pkt\n"));
- freemsg(mp);
- return (B_TRUE);
}
/*
- * This function is used to both return an indication of whether or not
- * the packet received is a non-unicast packet (by way of the DL_UNITDATA_IND)
- * and in doing so, determine whether or not it is broadcast vs multicast.
- * For it to be a broadcast packet, we must have the appropriate mblk_t
- * hanging off the ill_t. If this is either not present or doesn't match
- * the destination mac address in the DL_UNITDATA_IND, the packet is deemed
- * to be multicast. Thus NICs that have no broadcast address (or no
- * capability for one, such as point to point links) cannot return as
- * the packet being broadcast. The use of HPE_BROADCAST/HPE_MULTICAST as
- * the return values simplifies the current use of the return value of this
- * function, which is to pass through the multicast/broadcast characteristic
- * to consumers of the netinfo/pfhooks API. While this is not cast in stone,
- * changing the return value to some other symbol demands the appropriate
- * "translation" when hpe_flags is set prior to calling hook_run() for
- * packet events.
+ * Handle anything but M_DATA messages
+ * We see the DL_UNITDATA_IND which are part
+ * of the data path, and also the other messages from the driver.
*/
-int
-ip_get_dlpi_mbcast(ill_t *ill, mblk_t *mb)
-{
- dl_unitdata_ind_t *ind = (dl_unitdata_ind_t *)mb->b_rptr;
- mblk_t *bmp;
-
- if (ind->dl_group_address) {
- if (ind->dl_dest_addr_offset > sizeof (*ind) &&
- ind->dl_dest_addr_offset + ind->dl_dest_addr_length <
- MBLKL(mb) &&
- (bmp = ill->ill_bcast_mp) != NULL) {
- dl_unitdata_req_t *dlur;
- uint8_t *bphys_addr;
-
- dlur = (dl_unitdata_req_t *)bmp->b_rptr;
- if (ill->ill_sap_length < 0)
- bphys_addr = (uchar_t *)dlur +
- dlur->dl_dest_addr_offset;
- else
- bphys_addr = (uchar_t *)dlur +
- dlur->dl_dest_addr_offset +
- ill->ill_sap_length;
-
- if (bcmp(mb->b_rptr + ind->dl_dest_addr_offset,
- bphys_addr, ind->dl_dest_addr_length) == 0) {
- return (HPE_BROADCAST);
- }
- return (HPE_MULTICAST);
- }
- return (HPE_MULTICAST);
- }
- return (0);
-}
-
-static boolean_t
-ip_rput_process_notdata(queue_t *q, mblk_t **first_mpp, ill_t *ill,
- int *ll_multicast, mblk_t **mpp)
+void
+ip_rput_notdata(ill_t *ill, mblk_t *mp)
{
- mblk_t *mp1, *from_mp, *to_mp, *mp, *first_mp;
- boolean_t must_copy = B_FALSE;
+ mblk_t *first_mp;
struct iocblk *iocp;
- ipha_t *ipha;
- ip_stack_t *ipst = ill->ill_ipst;
-
-#define rptr ((uchar_t *)ipha)
-
- first_mp = *first_mpp;
- mp = *mpp;
+ struct mac_header_info_s mhi;
- ASSERT(first_mp == mp);
-
- /*
- * if db_ref > 1 then copymsg and free original. Packet may be
- * changed and do not want other entity who has a reference to this
- * message to trip over the changes. This is a blind change because
- * trying to catch all places that might change packet is too
- * difficult (since it may be a module above this one)
- *
- * This corresponds to the non-fast path case. We walk down the full
- * chain in this case, and check the db_ref count of all the dblks,
- * and do a copymsg if required. It is possible that the db_ref counts
- * of the data blocks in the mblk chain can be different.
- * For Example, we can get a DL_UNITDATA_IND(M_PROTO) with a db_ref
- * count of 1, followed by a M_DATA block with a ref count of 2, if
- * 'snoop' is running.
- */
- for (mp1 = mp; mp1 != NULL; mp1 = mp1->b_cont) {
- if (mp1->b_datap->db_ref > 1) {
- must_copy = B_TRUE;
- break;
- }
- }
-
- if (must_copy) {
- mp1 = copymsg(mp);
- if (mp1 == NULL) {
- for (mp1 = mp; mp1 != NULL;
- mp1 = mp1->b_cont) {
- mp1->b_next = NULL;
- mp1->b_prev = NULL;
- }
- freemsg(mp);
- if (ill != NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- } else {
- BUMP_MIB(&ipst->ips_ip_mib,
- ipIfStatsInDiscards);
- }
- return (B_TRUE);
- }
- for (from_mp = mp, to_mp = mp1; from_mp != NULL;
- from_mp = from_mp->b_cont, to_mp = to_mp->b_cont) {
- /* Copy b_prev - used by ip_mroute_decap */
- to_mp->b_prev = from_mp->b_prev;
- from_mp->b_prev = NULL;
- }
- *first_mpp = first_mp = mp1;
- freemsg(mp);
- mp = mp1;
- *mpp = mp1;
- }
-
- ipha = (ipha_t *)mp->b_rptr;
-
- /*
- * previous code has a case for M_DATA.
- * We want to check how that happens.
- */
- ASSERT(first_mp->b_datap->db_type != M_DATA);
- switch (first_mp->b_datap->db_type) {
+ switch (DB_TYPE(mp)) {
case M_PROTO:
- case M_PCPROTO:
- if (((dl_unitdata_ind_t *)rptr)->dl_primitive !=
+ case M_PCPROTO: {
+ if (((dl_unitdata_ind_t *)mp->b_rptr)->dl_primitive !=
DL_UNITDATA_IND) {
/* Go handle anything other than data elsewhere. */
- ip_rput_dlpi(q, mp);
- return (B_TRUE);
+ ip_rput_dlpi(ill, mp);
+ return;
}
- *ll_multicast = ip_get_dlpi_mbcast(ill, mp);
+ first_mp = mp;
+ mp = first_mp->b_cont;
+ first_mp->b_cont = NULL;
+
+ if (mp == NULL) {
+ freeb(first_mp);
+ return;
+ }
+ ip_dlur_to_mhi(ill, first_mp, &mhi);
+ if (ill->ill_isv6)
+ ip_input_v6(ill, NULL, mp, &mhi);
+ else
+ ip_input(ill, NULL, mp, &mhi);
+
/* Ditch the DLPI header. */
- mp1 = mp->b_cont;
- ASSERT(first_mp == mp);
- *first_mpp = mp1;
- freeb(mp);
- *mpp = mp1;
- return (B_FALSE);
+ freeb(first_mp);
+ return;
+ }
case M_IOCACK:
- ip1dbg(("got iocack "));
iocp = (struct iocblk *)mp->b_rptr;
switch (iocp->ioc_cmd) {
case DL_IOC_HDR_INFO:
- ill = (ill_t *)q->q_ptr;
ill_fastpath_ack(ill, mp);
- return (B_TRUE);
+ return;
default:
- putnext(q, mp);
- return (B_TRUE);
+ putnext(ill->ill_rq, mp);
+ return;
}
/* FALLTHRU */
case M_ERROR:
case M_HANGUP:
- /*
- * Since this is on the ill stream we unconditionally
- * bump up the refcount
- */
- ill_refhold(ill);
- qwriter_ip(ill, q, mp, ip_rput_other, CUR_OP, B_FALSE);
- return (B_TRUE);
- case M_CTL:
- if ((MBLKL(first_mp) >= sizeof (da_ipsec_t)) &&
- (((da_ipsec_t *)first_mp->b_rptr)->da_type ==
- IPHADA_M_CTL)) {
- /*
- * It's an IPsec accelerated packet.
- * Make sure that the ill from which we received the
- * packet has enabled IPsec hardware acceleration.
- */
- if (!(ill->ill_capabilities &
- (ILL_CAPAB_AH|ILL_CAPAB_ESP))) {
- /* IPsec kstats: bean counter */
- freemsg(mp);
- return (B_TRUE);
- }
-
- /*
- * Make mp point to the mblk following the M_CTL,
- * then process according to type of mp.
- * After this processing, first_mp will point to
- * the data-attributes and mp to the pkt following
- * the M_CTL.
- */
- mp = first_mp->b_cont;
- if (mp == NULL) {
- freemsg(first_mp);
- return (B_TRUE);
- }
- /*
- * A Hardware Accelerated packet can only be M_DATA
- * ESP or AH packet.
- */
- if (mp->b_datap->db_type != M_DATA) {
- /* non-M_DATA IPsec accelerated packet */
- IPSECHW_DEBUG(IPSECHW_PKT,
- ("non-M_DATA IPsec accelerated pkt\n"));
- freemsg(first_mp);
- return (B_TRUE);
- }
- ipha = (ipha_t *)mp->b_rptr;
- if (ipha->ipha_protocol != IPPROTO_AH &&
- ipha->ipha_protocol != IPPROTO_ESP) {
- IPSECHW_DEBUG(IPSECHW_PKT,
- ("non-M_DATA IPsec accelerated pkt\n"));
- freemsg(first_mp);
- return (B_TRUE);
- }
- *mpp = mp;
- return (B_FALSE);
+ mutex_enter(&ill->ill_lock);
+ if (ill->ill_state_flags & ILL_CONDEMNED) {
+ mutex_exit(&ill->ill_lock);
+ freemsg(mp);
+ return;
}
- putnext(q, mp);
- return (B_TRUE);
+ ill_refhold_locked(ill);
+ mutex_exit(&ill->ill_lock);
+ qwriter_ip(ill, ill->ill_rq, mp, ip_rput_other, CUR_OP,
+ B_FALSE);
+ return;
+ case M_CTL:
+ putnext(ill->ill_rq, mp);
+ return;
case M_IOCNAK:
ip1dbg(("got iocnak "));
iocp = (struct iocblk *)mp->b_rptr;
switch (iocp->ioc_cmd) {
case DL_IOC_HDR_INFO:
- ip_rput_other(NULL, q, mp, NULL);
- return (B_TRUE);
+ ip_rput_other(NULL, ill->ill_rq, mp, NULL);
+ return;
default:
break;
}
/* FALLTHRU */
default:
- putnext(q, mp);
- return (B_TRUE);
+ putnext(ill->ill_rq, mp);
+ return;
}
}
@@ -14692,8 +8140,6 @@ ip_rput(queue_t *q, mblk_t *mp)
ill_t *ill;
union DL_primitives *dl;
- TRACE_1(TR_FAC_IP, TR_IP_RPUT_START, "ip_rput_start: q %p", q);
-
ill = (ill_t *)q->q_ptr;
if (ill->ill_state_flags & (ILL_CONDEMNED | ILL_LL_SUBNET_PENDING)) {
@@ -14707,70 +8153,42 @@ ip_rput(queue_t *q, mblk_t *mp)
if (DB_TYPE(mp) != M_PCPROTO ||
dl->dl_primitive == DL_UNITDATA_IND) {
inet_freemsg(mp);
- TRACE_2(TR_FAC_IP, TR_IP_RPUT_END,
- "ip_rput_end: q %p (%S)", q, "uninit");
return;
}
}
+ if (DB_TYPE(mp) == M_DATA) {
+ struct mac_header_info_s mhi;
- TRACE_2(TR_FAC_IP, TR_IP_RPUT_END,
- "ip_rput_end: q %p (%S)", q, "end");
-
- ip_input(ill, NULL, mp, NULL);
+ ip_mdata_to_mhi(ill, mp, &mhi);
+ ip_input(ill, NULL, mp, &mhi);
+ } else {
+ ip_rput_notdata(ill, mp);
+ }
}
-static mblk_t *
-ip_fix_dbref(ill_t *ill, mblk_t *mp)
+/*
+ * Move the information to a copy.
+ */
+mblk_t *
+ip_fix_dbref(mblk_t *mp, ip_recv_attr_t *ira)
{
- mblk_t *mp1;
- boolean_t adjusted = B_FALSE;
- ip_stack_t *ipst = ill->ill_ipst;
+ mblk_t *mp1;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
IP_STAT(ipst, ip_db_ref);
- /*
- * The IP_RECVSLLA option depends on having the
- * link layer header. First check that:
- * a> the underlying device is of type ether,
- * since this option is currently supported only
- * over ethernet.
- * b> there is enough room to copy over the link
- * layer header.
- *
- * Once the checks are done, adjust rptr so that
- * the link layer header will be copied via
- * copymsg. Note that, IFT_ETHER may be returned
- * by some non-ethernet drivers but in this case
- * the second check will fail.
- */
- if (ill->ill_type == IFT_ETHER &&
- (mp->b_rptr - mp->b_datap->db_base) >=
- sizeof (struct ether_header)) {
- mp->b_rptr -= sizeof (struct ether_header);
- adjusted = B_TRUE;
- }
- mp1 = copymsg(mp);
+ /* Make sure we have ira_l2src before we loose the original mblk */
+ if (!(ira->ira_flags & IRAF_L2SRC_SET))
+ ip_setl2src(mp, ira, ira->ira_rill);
+
+ mp1 = copymsg(mp);
if (mp1 == NULL) {
- mp->b_next = NULL;
- /* clear b_prev - used by ip_mroute_decap */
- mp->b_prev = NULL;
- freemsg(mp);
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
return (NULL);
}
-
- if (adjusted) {
- /*
- * Copy is done. Restore the pointer in
- * the _new_ mblk
- */
- mp1->b_rptr += sizeof (struct ether_header);
- }
-
- /* Copy b_prev - used by ip_mroute_decap */
- mp1->b_prev = mp->b_prev;
- mp->b_prev = NULL;
-
/* preserve the hardware checksum flags and data, if present */
if (DB_CKSUMFLAGS(mp) != 0) {
DB_CKSUMFLAGS(mp1) = DB_CKSUMFLAGS(mp);
@@ -14779,888 +8197,10 @@ ip_fix_dbref(ill_t *ill, mblk_t *mp)
DB_CKSUMEND(mp1) = DB_CKSUMEND(mp);
DB_CKSUM16(mp1) = DB_CKSUM16(mp);
}
-
freemsg(mp);
return (mp1);
}
-#define ADD_TO_CHAIN(head, tail, cnt, mp) { \
- if (tail != NULL) \
- tail->b_next = mp; \
- else \
- head = mp; \
- tail = mp; \
- cnt++; \
-}
-
-/*
- * Direct read side procedure capable of dealing with chains. GLDv3 based
- * drivers call this function directly with mblk chains while STREAMS
- * read side procedure ip_rput() calls this for single packet with ip_ring
- * set to NULL to process one packet at a time.
- *
- * The ill will always be valid if this function is called directly from
- * the driver.
- *
- * If ip_input() is called from GLDv3:
- *
- * - This must be a non-VLAN IP stream.
- * - 'mp' is either an untagged or a special priority-tagged packet.
- * - Any VLAN tag that was in the MAC header has been stripped.
- *
- * If the IP header in packet is not 32-bit aligned, every message in the
- * chain will be aligned before further operations. This is required on SPARC
- * platform.
- */
-/* ARGSUSED */
-void
-ip_input(ill_t *ill, ill_rx_ring_t *ip_ring, mblk_t *mp_chain,
- struct mac_header_info_s *mhip)
-{
- ipaddr_t dst = NULL;
- ipaddr_t prev_dst;
- ire_t *ire = NULL;
- ipha_t *ipha;
- uint_t pkt_len;
- ssize_t len;
- uint_t opt_len;
- int ll_multicast;
- int cgtp_flt_pkt;
- queue_t *q = ill->ill_rq;
- squeue_t *curr_sqp = NULL;
- mblk_t *head = NULL;
- mblk_t *tail = NULL;
- mblk_t *first_mp;
- int cnt = 0;
- ip_stack_t *ipst = ill->ill_ipst;
- mblk_t *mp;
- mblk_t *dmp;
- uint8_t tag;
- ilb_stack_t *ilbs;
- ipaddr_t lb_dst;
-
- ASSERT(mp_chain != NULL);
- ASSERT(ill != NULL);
-
- TRACE_1(TR_FAC_IP, TR_IP_RPUT_START, "ip_input_start: q %p", q);
-
- tag = (ip_ring != NULL) ? SQTAG_IP_INPUT_RX_RING : SQTAG_IP_INPUT;
-
-#define rptr ((uchar_t *)ipha)
-
- ilbs = ipst->ips_netstack->netstack_ilb;
- while (mp_chain != NULL) {
- mp = mp_chain;
- mp_chain = mp_chain->b_next;
- mp->b_next = NULL;
- ll_multicast = 0;
-
- /*
- * We do ire caching from one iteration to
- * another. In the event the packet chain contains
- * all packets from the same dst, this caching saves
- * an ire_cache_lookup for each of the succeeding
- * packets in a packet chain.
- */
- prev_dst = dst;
-
- /*
- * if db_ref > 1 then copymsg and free original. Packet
- * may be changed and we do not want the other entity
- * who has a reference to this message to trip over the
- * changes. This is a blind change because trying to
- * catch all places that might change the packet is too
- * difficult.
- *
- * This corresponds to the fast path case, where we have
- * a chain of M_DATA mblks. We check the db_ref count
- * of only the 1st data block in the mblk chain. There
- * doesn't seem to be a reason why a device driver would
- * send up data with varying db_ref counts in the mblk
- * chain. In any case the Fast path is a private
- * interface, and our drivers don't do such a thing.
- * Given the above assumption, there is no need to walk
- * down the entire mblk chain (which could have a
- * potential performance problem)
- *
- * The "(DB_REF(mp) > 1)" check was moved from ip_rput()
- * to here because of exclusive ip stacks and vnics.
- * Packets transmitted from exclusive stack over vnic
- * can have db_ref > 1 and when it gets looped back to
- * another vnic in a different zone, you have ip_input()
- * getting dblks with db_ref > 1. So if someone
- * complains of TCP performance under this scenario,
- * take a serious look here on the impact of copymsg().
- */
-
- if (DB_REF(mp) > 1) {
- if ((mp = ip_fix_dbref(ill, mp)) == NULL)
- continue;
- }
-
- /*
- * Check and align the IP header.
- */
- first_mp = mp;
- if (DB_TYPE(mp) == M_DATA) {
- dmp = mp;
- } else if (DB_TYPE(mp) == M_PROTO &&
- *(t_uscalar_t *)mp->b_rptr == DL_UNITDATA_IND) {
- dmp = mp->b_cont;
- } else {
- dmp = NULL;
- }
- if (dmp != NULL) {
- /*
- * IP header ptr not aligned?
- * OR IP header not complete in first mblk
- */
- if (!OK_32PTR(dmp->b_rptr) ||
- MBLKL(dmp) < IP_SIMPLE_HDR_LENGTH) {
- if (!ip_check_and_align_header(q, dmp, ipst))
- continue;
- }
- }
-
- /*
- * ip_input fast path
- */
-
- /* mblk type is not M_DATA */
- if (DB_TYPE(mp) != M_DATA) {
- if (ip_rput_process_notdata(q, &first_mp, ill,
- &ll_multicast, &mp))
- continue;
-
- /*
- * The only way we can get here is if we had a
- * packet that was either a DL_UNITDATA_IND or
- * an M_CTL for an IPsec accelerated packet.
- *
- * In either case, the first_mp will point to
- * the leading M_PROTO or M_CTL.
- */
- ASSERT(first_mp != NULL);
- } else if (mhip != NULL) {
- /*
- * ll_multicast is set here so that it is ready
- * for easy use with FW_HOOKS(). ip_get_dlpi_mbcast
- * manipulates ll_multicast in the same fashion when
- * called from ip_rput_process_notdata.
- */
- switch (mhip->mhi_dsttype) {
- case MAC_ADDRTYPE_MULTICAST :
- ll_multicast = HPE_MULTICAST;
- break;
- case MAC_ADDRTYPE_BROADCAST :
- ll_multicast = HPE_BROADCAST;
- break;
- default :
- break;
- }
- }
-
- /* Only M_DATA can come here and it is always aligned */
- ASSERT(DB_TYPE(mp) == M_DATA);
- ASSERT(DB_REF(mp) == 1 && OK_32PTR(mp->b_rptr));
-
- ipha = (ipha_t *)mp->b_rptr;
- len = mp->b_wptr - rptr;
- pkt_len = ntohs(ipha->ipha_length);
-
- /*
- * We must count all incoming packets, even if they end
- * up being dropped later on.
- */
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInReceives);
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInOctets, pkt_len);
-
- /* multiple mblk or too short */
- len -= pkt_len;
- if (len != 0) {
- /*
- * Make sure we have data length consistent
- * with the IP header.
- */
- if (mp->b_cont == NULL) {
- if (len < 0 || pkt_len < IP_SIMPLE_HDR_LENGTH) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInHdrErrors);
- ip2dbg(("ip_input: drop pkt\n"));
- freemsg(mp);
- continue;
- }
- mp->b_wptr = rptr + pkt_len;
- } else if ((len += msgdsize(mp->b_cont)) != 0) {
- if (len < 0 || pkt_len < IP_SIMPLE_HDR_LENGTH) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInHdrErrors);
- ip2dbg(("ip_input: drop pkt\n"));
- freemsg(mp);
- continue;
- }
- (void) adjmsg(mp, -len);
- /*
- * adjmsg may have freed an mblk from the chain,
- * hence invalidate any hw checksum here. This
- * will force IP to calculate the checksum in
- * sw, but only for this packet.
- */
- DB_CKSUMFLAGS(mp) = 0;
- IP_STAT(ipst, ip_multimblk3);
- }
- }
-
- /* Obtain the dst of the current packet */
- dst = ipha->ipha_dst;
-
- DTRACE_IP7(receive, mblk_t *, first_mp, conn_t *, NULL,
- void_ip_t *, ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *,
- ipha, ip6_t *, NULL, int, 0);
-
- /*
- * The following test for loopback is faster than
- * IP_LOOPBACK_ADDR(), because it avoids any bitwise
- * operations.
- * Note that these addresses are always in network byte order
- */
- if (((*(uchar_t *)&ipha->ipha_dst) == 127) ||
- ((*(uchar_t *)&ipha->ipha_src) == 127)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInAddrErrors);
- freemsg(mp);
- continue;
- }
-
- /*
- * The event for packets being received from a 'physical'
- * interface is placed after validation of the source and/or
- * destination address as being local so that packets can be
- * redirected to loopback addresses using ipnat.
- */
- DTRACE_PROBE4(ip4__physical__in__start,
- ill_t *, ill, ill_t *, NULL,
- ipha_t *, ipha, mblk_t *, first_mp);
-
- FW_HOOKS(ipst->ips_ip4_physical_in_event,
- ipst->ips_ipv4firewall_physical_in,
- ill, NULL, ipha, first_mp, mp, ll_multicast, ipst);
-
- DTRACE_PROBE1(ip4__physical__in__end, mblk_t *, first_mp);
-
- if (first_mp == NULL) {
- continue;
- }
- dst = ipha->ipha_dst;
- /*
- * Attach any necessary label information to
- * this packet
- */
- if (is_system_labeled() &&
- !tsol_get_pkt_label(mp, IPV4_VERSION)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(mp);
- continue;
- }
-
- if (ipst->ips_ip4_observe.he_interested) {
- zoneid_t dzone;
-
- /*
- * On the inbound path the src zone will be unknown as
- * this packet has come from the wire.
- */
- dzone = ip_get_zoneid_v4(dst, mp, ipst, ALL_ZONES);
- ipobs_hook(mp, IPOBS_HOOK_INBOUND, ALL_ZONES, dzone,
- ill, ipst);
- }
-
- /*
- * Here we check to see if we machine is setup as
- * L3 loadbalancer and if the incoming packet is for a VIP
- *
- * Check the following:
- * - there is at least a rule
- * - protocol of the packet is supported
- */
- if (ilb_has_rules(ilbs) && ILB_SUPP_L4(ipha->ipha_protocol)) {
- int lb_ret;
-
- /* For convenience, we pull up the mblk. */
- if (mp->b_cont != NULL) {
- if (pullupmsg(mp, -1) == 0) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInDiscards);
- freemsg(first_mp);
- continue;
- }
- ipha = (ipha_t *)mp->b_rptr;
- }
-
- /*
- * We just drop all fragments going to any VIP, at
- * least for now....
- */
- if (ntohs(ipha->ipha_fragment_offset_and_flags) &
- (IPH_MF | IPH_OFFSET)) {
- if (!ilb_rule_match_vip_v4(ilbs,
- ipha->ipha_dst, NULL)) {
- goto after_ilb;
- }
-
- ILB_KSTAT_UPDATE(ilbs, ip_frag_in, 1);
- ILB_KSTAT_UPDATE(ilbs, ip_frag_dropped, 1);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
- continue;
- }
- lb_ret = ilb_check_v4(ilbs, ill, mp, ipha,
- ipha->ipha_protocol, (uint8_t *)ipha +
- IPH_HDR_LENGTH(ipha), &lb_dst);
-
- if (lb_ret == ILB_DROPPED) {
- /* Is this the right counter to increase? */
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
- continue;
- } else if (lb_ret == ILB_BALANCED) {
- /* Set the dst to that of the chosen server */
- dst = lb_dst;
- DB_CKSUMFLAGS(mp) = 0;
- }
- }
-
-after_ilb:
- /*
- * Reuse the cached ire only if the ipha_dst of the previous
- * packet is the same as the current packet AND it is not
- * INADDR_ANY.
- */
- if (!(dst == prev_dst && dst != INADDR_ANY) &&
- (ire != NULL)) {
- ire_refrele(ire);
- ire = NULL;
- }
-
- opt_len = ipha->ipha_version_and_hdr_length -
- IP_SIMPLE_HDR_VERSION;
-
- /*
- * Check to see if we can take the fastpath.
- * That is possible if the following conditions are met
- * o Tsol disabled
- * o CGTP disabled
- * o ipp_action_count is 0
- * o no options in the packet
- * o not a RSVP packet
- * o not a multicast packet
- * o ill not in IP_DHCPINIT_IF mode
- */
- if (!is_system_labeled() &&
- !ipst->ips_ip_cgtp_filter && ipp_action_count == 0 &&
- opt_len == 0 && ipha->ipha_protocol != IPPROTO_RSVP &&
- !ll_multicast && !CLASSD(dst) && ill->ill_dhcpinit == 0) {
- if (ire == NULL)
- ire = ire_cache_lookup_simple(dst, ipst);
- /*
- * Unless forwarding is enabled, dont call
- * ip_fast_forward(). Incoming packet is for forwarding
- */
- if ((ill->ill_flags & ILLF_ROUTER) &&
- (ire == NULL || (ire->ire_type & IRE_CACHE))) {
- ire = ip_fast_forward(ire, dst, ill, mp);
- continue;
- }
- /* incoming packet is for local consumption */
- if ((ire != NULL) && (ire->ire_type & IRE_LOCAL))
- goto local;
- }
-
- /*
- * Disable ire caching for anything more complex
- * than the simple fast path case we checked for above.
- */
- if (ire != NULL) {
- ire_refrele(ire);
- ire = NULL;
- }
-
- /*
- * Brutal hack for DHCPv4 unicast: RFC2131 allows a DHCP
- * server to unicast DHCP packets to a DHCP client using the
- * IP address it is offering to the client. This can be
- * disabled through the "broadcast bit", but not all DHCP
- * servers honor that bit. Therefore, to interoperate with as
- * many DHCP servers as possible, the DHCP client allows the
- * server to unicast, but we treat those packets as broadcast
- * here. Note that we don't rewrite the packet itself since
- * (a) that would mess up the checksums and (b) the DHCP
- * client conn is bound to INADDR_ANY so ip_fanout_udp() will
- * hand it the packet regardless.
- */
- if (ill->ill_dhcpinit != 0 &&
- IS_SIMPLE_IPH(ipha) && ipha->ipha_protocol == IPPROTO_UDP &&
- pullupmsg(mp, sizeof (ipha_t) + sizeof (udpha_t)) == 1) {
- udpha_t *udpha;
-
- /*
- * Reload ipha since pullupmsg() can change b_rptr.
- */
- ipha = (ipha_t *)mp->b_rptr;
- udpha = (udpha_t *)&ipha[1];
-
- if (ntohs(udpha->uha_dst_port) == IPPORT_BOOTPC) {
- DTRACE_PROBE2(ip4__dhcpinit__pkt, ill_t *, ill,
- mblk_t *, mp);
- dst = INADDR_BROADCAST;
- }
- }
-
- /* Full-blown slow path */
- if (opt_len != 0) {
- if (len != 0)
- IP_STAT(ipst, ip_multimblk4);
- else
- IP_STAT(ipst, ip_ipoptions);
- if (!ip_rput_multimblk_ipoptions(q, ill, mp, &ipha,
- &dst, ipst))
- continue;
- }
-
- /*
- * Invoke the CGTP (multirouting) filtering module to process
- * the incoming packet. Packets identified as duplicates
- * must be discarded. Filtering is active only if the
- * the ip_cgtp_filter ndd variable is non-zero.
- */
- cgtp_flt_pkt = CGTP_IP_PKT_NOT_CGTP;
- if (ipst->ips_ip_cgtp_filter &&
- ipst->ips_ip_cgtp_filter_ops != NULL) {
- netstackid_t stackid;
-
- stackid = ipst->ips_netstack->netstack_stackid;
- cgtp_flt_pkt =
- ipst->ips_ip_cgtp_filter_ops->cfo_filter(stackid,
- ill->ill_phyint->phyint_ifindex, mp);
- if (cgtp_flt_pkt == CGTP_IP_PKT_DUPLICATE) {
- freemsg(first_mp);
- continue;
- }
- }
-
- /*
- * If rsvpd is running, let RSVP daemon handle its processing
- * and forwarding of RSVP multicast/unicast packets.
- * If rsvpd is not running but mrouted is running, RSVP
- * multicast packets are forwarded as multicast traffic
- * and RSVP unicast packets are forwarded by unicast router.
- * If neither rsvpd nor mrouted is running, RSVP multicast
- * packets are not forwarded, but the unicast packets are
- * forwarded like unicast traffic.
- */
- if (ipha->ipha_protocol == IPPROTO_RSVP &&
- ipst->ips_ipcl_proto_fanout[IPPROTO_RSVP].connf_head !=
- NULL) {
- /* RSVP packet and rsvpd running. Treat as ours */
- ip2dbg(("ip_input: RSVP for us: 0x%x\n", ntohl(dst)));
- /*
- * This assumes that we deliver to all streams for
- * multicast and broadcast packets.
- * We have to force ll_multicast to 1 to handle the
- * M_DATA messages passed in from ip_mroute_decap.
- */
- dst = INADDR_BROADCAST;
- ll_multicast = 1;
- } else if (CLASSD(dst)) {
- /* packet is multicast */
- mp->b_next = NULL;
- if (ip_rput_process_multicast(q, mp, ill, ipha,
- &ll_multicast, &dst))
- continue;
- }
-
- if (ire == NULL) {
- ire = ire_cache_lookup(dst, ALL_ZONES,
- msg_getlabel(mp), ipst);
- }
-
- if (ire != NULL && ire->ire_stq != NULL &&
- ire->ire_zoneid != GLOBAL_ZONEID &&
- ire->ire_zoneid != ALL_ZONES) {
- /*
- * Should only use IREs that are visible from the
- * global zone for forwarding.
- */
- ire_refrele(ire);
- ire = ire_cache_lookup(dst, GLOBAL_ZONEID,
- msg_getlabel(mp), ipst);
- }
-
- if (ire == NULL) {
- /*
- * No IRE for this destination, so it can't be for us.
- * Unless we are forwarding, drop the packet.
- * We have to let source routed packets through
- * since we don't yet know if they are 'ping -l'
- * packets i.e. if they will go out over the
- * same interface as they came in on.
- */
- ire = ip_rput_noire(q, mp, ll_multicast, dst);
- if (ire == NULL)
- continue;
- }
-
- /*
- * Broadcast IRE may indicate either broadcast or
- * multicast packet
- */
- if (ire->ire_type == IRE_BROADCAST) {
- /*
- * Skip broadcast checks if packet is UDP multicast;
- * we'd rather not enter ip_rput_process_broadcast()
- * unless the packet is broadcast for real, since
- * that routine is a no-op for multicast.
- */
- if (ipha->ipha_protocol != IPPROTO_UDP ||
- !CLASSD(ipha->ipha_dst)) {
- ire = ip_rput_process_broadcast(&q, mp,
- ire, ipha, ill, dst, cgtp_flt_pkt,
- ll_multicast);
- if (ire == NULL)
- continue;
- }
- } else if (ire->ire_stq != NULL) {
- /* fowarding? */
- ip_rput_process_forward(q, mp, ire, ipha, ill,
- ll_multicast, B_FALSE);
- /* ip_rput_process_forward consumed the packet */
- continue;
- }
-
-local:
- /*
- * If the queue in the ire is different to the ingress queue
- * then we need to check to see if we can accept the packet.
- * Note that for multicast packets and broadcast packets sent
- * to a broadcast address which is shared between multiple
- * interfaces we should not do this since we just got a random
- * broadcast ire.
- */
- if ((ire->ire_rfq != q) && (ire->ire_type != IRE_BROADCAST)) {
- ire = ip_check_multihome(&ipha->ipha_dst, ire, ill);
- if (ire == NULL) {
- /* Drop packet */
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsForwProhibits);
- freemsg(mp);
- continue;
- }
- if (ire->ire_rfq != NULL)
- q = ire->ire_rfq;
- }
-
- switch (ipha->ipha_protocol) {
- case IPPROTO_TCP:
- ASSERT(first_mp == mp);
- if ((mp = ip_tcp_input(mp, ipha, ill, B_FALSE, ire,
- mp, 0, q, ip_ring)) != NULL) {
- if (curr_sqp == NULL) {
- curr_sqp = GET_SQUEUE(mp);
- ASSERT(cnt == 0);
- cnt++;
- head = tail = mp;
- } else if (curr_sqp == GET_SQUEUE(mp)) {
- ASSERT(tail != NULL);
- cnt++;
- tail->b_next = mp;
- tail = mp;
- } else {
- /*
- * A different squeue. Send the
- * chain for the previous squeue on
- * its way. This shouldn't happen
- * often unless interrupt binding
- * changes.
- */
- IP_STAT(ipst, ip_input_multi_squeue);
- SQUEUE_ENTER(curr_sqp, head,
- tail, cnt, SQ_PROCESS, tag);
- curr_sqp = GET_SQUEUE(mp);
- head = mp;
- tail = mp;
- cnt = 1;
- }
- }
- continue;
- case IPPROTO_UDP:
- ASSERT(first_mp == mp);
- ip_udp_input(q, mp, ipha, ire, ill);
- continue;
- case IPPROTO_SCTP:
- ASSERT(first_mp == mp);
- ip_sctp_input(mp, ipha, ill, B_FALSE, ire, mp, 0,
- q, dst);
- /* ire has been released by ip_sctp_input */
- ire = NULL;
- continue;
- case IPPROTO_ENCAP:
- case IPPROTO_IPV6:
- ASSERT(first_mp == mp);
- if (ip_iptun_input(NULL, mp, ipha, ill, ire, ipst))
- break;
- /*
- * If there was no IP tunnel data-link bound to
- * receive this packet, then we fall through to
- * allow potential raw sockets bound to either of
- * these protocols to pick it up.
- */
- default:
- ip_proto_input(q, first_mp, ipha, ire, ill, 0);
- continue;
- }
- }
-
- if (ire != NULL)
- ire_refrele(ire);
-
- if (head != NULL)
- SQUEUE_ENTER(curr_sqp, head, tail, cnt, SQ_PROCESS, tag);
-
- TRACE_2(TR_FAC_IP, TR_IP_RPUT_END,
- "ip_input_end: q %p (%S)", q, "end");
-#undef rptr
-}
-
-/*
- * ip_accept_tcp() - This function is called by the squeue when it retrieves
- * a chain of packets in the poll mode. The packets have gone through the
- * data link processing but not IP processing. For performance and latency
- * reasons, the squeue wants to process the chain in line instead of feeding
- * it back via ip_input path.
- *
- * So this is a light weight function which checks to see if the packets
- * retrived are indeed TCP packets (TCP squeue always polls TCP soft ring
- * but we still do the paranoid check) meant for local machine and we don't
- * have labels etc enabled. Packets that meet the criterion are returned to
- * the squeue and processed inline while the rest go via ip_input path.
- */
-/*ARGSUSED*/
-mblk_t *
-ip_accept_tcp(ill_t *ill, ill_rx_ring_t *ip_ring, squeue_t *target_sqp,
- mblk_t *mp_chain, mblk_t **last, uint_t *cnt)
-{
- mblk_t *mp;
- ipaddr_t dst = NULL;
- ipaddr_t prev_dst;
- ire_t *ire = NULL;
- ipha_t *ipha;
- uint_t pkt_len;
- ssize_t len;
- uint_t opt_len;
- queue_t *q = ill->ill_rq;
- squeue_t *curr_sqp;
- mblk_t *ahead = NULL; /* Accepted head */
- mblk_t *atail = NULL; /* Accepted tail */
- uint_t acnt = 0; /* Accepted count */
- mblk_t *utail = NULL; /* Unaccepted head */
- mblk_t *uhead = NULL; /* Unaccepted tail */
- uint_t ucnt = 0; /* Unaccepted cnt */
- ip_stack_t *ipst = ill->ill_ipst;
- ilb_stack_t *ilbs = ipst->ips_netstack->netstack_ilb;
-
- *cnt = 0;
-
- ASSERT(ill != NULL);
- ASSERT(ip_ring != NULL);
-
- TRACE_1(TR_FAC_IP, TR_IP_RPUT_START, "ip_accept_tcp: q %p", q);
-
- /* If ILB is enabled, don't do fast processing. */
- if (ilb_has_rules(ilbs)) {
- uhead = mp_chain;
- goto all_reject;
- }
-
-#define rptr ((uchar_t *)ipha)
-
- while (mp_chain != NULL) {
- mp = mp_chain;
- mp_chain = mp_chain->b_next;
- mp->b_next = NULL;
-
- /*
- * We do ire caching from one iteration to
- * another. In the event the packet chain contains
- * all packets from the same dst, this caching saves
- * an ire_cache_lookup for each of the succeeding
- * packets in a packet chain.
- */
- prev_dst = dst;
-
- ipha = (ipha_t *)mp->b_rptr;
- len = mp->b_wptr - rptr;
-
- ASSERT(!MBLK_RX_FANOUT_SLOWPATH(mp, ipha));
-
- /*
- * If it is a non TCP packet, or doesn't have H/W cksum,
- * or doesn't have min len, reject.
- */
- if ((ipha->ipha_protocol != IPPROTO_TCP) || (len <
- (IP_SIMPLE_HDR_LENGTH + TCP_MIN_HEADER_LENGTH))) {
- ADD_TO_CHAIN(uhead, utail, ucnt, mp);
- continue;
- }
-
- pkt_len = ntohs(ipha->ipha_length);
- if (len != pkt_len) {
- if (len > pkt_len) {
- mp->b_wptr = rptr + pkt_len;
- } else {
- ADD_TO_CHAIN(uhead, utail, ucnt, mp);
- continue;
- }
- }
-
- opt_len = ipha->ipha_version_and_hdr_length -
- IP_SIMPLE_HDR_VERSION;
- dst = ipha->ipha_dst;
-
- /* IP version bad or there are IP options */
- if (opt_len && (!ip_rput_multimblk_ipoptions(q, ill,
- mp, &ipha, &dst, ipst)))
- continue;
-
- if (is_system_labeled() || (ill->ill_dhcpinit != 0) ||
- (ipst->ips_ip_cgtp_filter &&
- ipst->ips_ip_cgtp_filter_ops != NULL)) {
- ADD_TO_CHAIN(uhead, utail, ucnt, mp);
- continue;
- }
-
- /*
- * Reuse the cached ire only if the ipha_dst of the previous
- * packet is the same as the current packet AND it is not
- * INADDR_ANY.
- */
- if (!(dst == prev_dst && dst != INADDR_ANY) &&
- (ire != NULL)) {
- ire_refrele(ire);
- ire = NULL;
- }
-
- if (ire == NULL)
- ire = ire_cache_lookup_simple(dst, ipst);
-
- /*
- * Unless forwarding is enabled, dont call
- * ip_fast_forward(). Incoming packet is for forwarding
- */
- if ((ill->ill_flags & ILLF_ROUTER) &&
- (ire == NULL || (ire->ire_type & IRE_CACHE))) {
-
- DTRACE_PROBE4(ip4__physical__in__start,
- ill_t *, ill, ill_t *, NULL,
- ipha_t *, ipha, mblk_t *, mp);
-
- FW_HOOKS(ipst->ips_ip4_physical_in_event,
- ipst->ips_ipv4firewall_physical_in,
- ill, NULL, ipha, mp, mp, 0, ipst);
-
- DTRACE_PROBE1(ip4__physical__in__end, mblk_t *, mp);
-
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInReceives);
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInOctets,
- pkt_len);
-
- if (mp != NULL)
- ire = ip_fast_forward(ire, dst, ill, mp);
- continue;
- }
-
- /* incoming packet is for local consumption */
- if ((ire != NULL) && (ire->ire_type & IRE_LOCAL))
- goto local_accept;
-
- /*
- * Disable ire caching for anything more complex
- * than the simple fast path case we checked for above.
- */
- if (ire != NULL) {
- ire_refrele(ire);
- ire = NULL;
- }
-
- ire = ire_cache_lookup(dst, ALL_ZONES, msg_getlabel(mp),
- ipst);
- if (ire == NULL || ire->ire_type == IRE_BROADCAST ||
- ire->ire_stq != NULL) {
- ADD_TO_CHAIN(uhead, utail, ucnt, mp);
- if (ire != NULL) {
- ire_refrele(ire);
- ire = NULL;
- }
- continue;
- }
-
-local_accept:
-
- if (ire->ire_rfq != q) {
- ADD_TO_CHAIN(uhead, utail, ucnt, mp);
- if (ire != NULL) {
- ire_refrele(ire);
- ire = NULL;
- }
- continue;
- }
-
- /*
- * The event for packets being received from a 'physical'
- * interface is placed after validation of the source and/or
- * destination address as being local so that packets can be
- * redirected to loopback addresses using ipnat.
- */
- DTRACE_PROBE4(ip4__physical__in__start,
- ill_t *, ill, ill_t *, NULL,
- ipha_t *, ipha, mblk_t *, mp);
-
- FW_HOOKS(ipst->ips_ip4_physical_in_event,
- ipst->ips_ipv4firewall_physical_in,
- ill, NULL, ipha, mp, mp, 0, ipst);
-
- DTRACE_PROBE1(ip4__physical__in__end, mblk_t *, mp);
-
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInReceives);
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInOctets, pkt_len);
-
- if (mp != NULL &&
- (mp = ip_tcp_input(mp, ipha, ill, B_FALSE, ire, mp,
- 0, q, ip_ring)) != NULL) {
- if ((curr_sqp = GET_SQUEUE(mp)) == target_sqp) {
- ADD_TO_CHAIN(ahead, atail, acnt, mp);
- } else {
- SQUEUE_ENTER(curr_sqp, mp, mp, 1,
- SQ_FILL, SQTAG_IP_INPUT);
- }
- }
- }
-
- if (ire != NULL)
- ire_refrele(ire);
-
-all_reject:
- if (uhead != NULL)
- ip_input(ill, ip_ring, uhead, NULL);
-
- if (ahead != NULL) {
- *last = atail;
- *cnt = acnt;
- return (ahead);
- }
-
- return (NULL);
-#undef rptr
-}
-
static void
ip_dlpi_error(ill_t *ill, t_uscalar_t prim, t_uscalar_t dl_err,
t_uscalar_t err)
@@ -15684,14 +8224,16 @@ ip_dlpi_error(ill_t *ill, t_uscalar_t prim, t_uscalar_t dl_err,
* ill_refhold before that, since qwriter_ip does an ill_refrele.
*/
void
-ip_rput_dlpi(queue_t *q, mblk_t *mp)
+ip_rput_dlpi(ill_t *ill, mblk_t *mp)
{
dl_ok_ack_t *dloa = (dl_ok_ack_t *)mp->b_rptr;
dl_error_ack_t *dlea = (dl_error_ack_t *)dloa;
- ill_t *ill = q->q_ptr;
+ queue_t *q = ill->ill_rq;
t_uscalar_t prim = dloa->dl_primitive;
t_uscalar_t reqprim = DL_PRIM_INVAL;
+ DTRACE_PROBE3(ill__dlpi, char *, "ip_rput_dlpi",
+ char *, dl_primstr(prim), ill_t *, ill);
ip1dbg(("ip_rput_dlpi"));
/*
@@ -15721,9 +8263,6 @@ ip_rput_dlpi(queue_t *q, mblk_t *mp)
case DL_NOTIFY_ACK:
reqprim = DL_NOTIFY_REQ;
break;
- case DL_CONTROL_ACK:
- reqprim = DL_CONTROL_REQ;
- break;
case DL_CAPABILITY_ACK:
reqprim = DL_CAPABILITY_REQ;
break;
@@ -15781,7 +8320,7 @@ ip_rput_dlpi(queue_t *q, mblk_t *mp)
/*
* Handling of DLPI messages that require exclusive access to the ipsq.
*
- * Need to do ill_pending_mp_release on ioctl completion, which could
+ * Need to do ipsq_pending_mp_get on ioctl completion, which could
* happen here. (along with mi_copy_done)
*/
/* ARGSUSED */
@@ -15791,7 +8330,7 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
dl_ok_ack_t *dloa = (dl_ok_ack_t *)mp->b_rptr;
dl_error_ack_t *dlea = (dl_error_ack_t *)dloa;
int err = 0;
- ill_t *ill;
+ ill_t *ill = (ill_t *)q->q_ptr;
ipif_t *ipif = NULL;
mblk_t *mp1 = NULL;
conn_t *connp = NULL;
@@ -15800,15 +8339,14 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
boolean_t success;
boolean_t ioctl_aborted = B_FALSE;
boolean_t log = B_TRUE;
- ip_stack_t *ipst;
+
+ DTRACE_PROBE3(ill__dlpi, char *, "ip_rput_dlpi_writer",
+ char *, dl_primstr(dloa->dl_primitive), ill_t *, ill);
ip1dbg(("ip_rput_dlpi_writer .."));
- ill = (ill_t *)q->q_ptr;
ASSERT(ipsq->ipsq_xop == ill->ill_phyint->phyint_ipsq->ipsq_xop);
ASSERT(IAM_WRITER_ILL(ill));
- ipst = ill->ill_ipst;
-
ipif = ipsq->ipsq_xop->ipx_pending_ipif;
/*
* The current ioctl could have been aborted by the user and a new
@@ -15823,6 +8361,10 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
ip1dbg(("ip_rput_dlpi_writer: got DL_ERROR_ACK for %s\n",
dl_primstr(dlea->dl_error_primitive)));
+ DTRACE_PROBE3(ill__dlpi, char *, "ip_rput_dlpi_writer error",
+ char *, dl_primstr(dlea->dl_error_primitive),
+ ill_t *, ill);
+
switch (dlea->dl_error_primitive) {
case DL_DISABMULTI_REQ:
ill_dlpi_done(ill, dlea->dl_error_primitive);
@@ -15916,7 +8458,6 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
if (ill->ill_dlpi_multicast_state == IDS_INPROGRESS)
ill->ill_dlpi_multicast_state = IDS_FAILED;
if (ill->ill_dlpi_multicast_state == IDS_FAILED) {
- ipif_t *ipif;
printf("ip: joining multicasts failed (%d)"
" on %s - will use link layer "
@@ -15924,32 +8465,18 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
dlea->dl_errno, ill->ill_name);
/*
- * Set up the multicast mapping alone.
+ * Set up for multi_bcast; We are the
* writer, so ok to access ill->ill_ipif
* without any lock.
*/
- ipif = ill->ill_ipif;
mutex_enter(&ill->ill_phyint->phyint_lock);
ill->ill_phyint->phyint_flags |=
PHYI_MULTI_BCAST;
mutex_exit(&ill->ill_phyint->phyint_lock);
- if (!ill->ill_isv6) {
- (void) ipif_arp_setup_multicast(ipif,
- NULL);
- } else {
- (void) ipif_ndp_setup_multicast(ipif,
- NULL);
- }
}
freemsg(mp); /* Don't want to pass this up */
return;
- case DL_CONTROL_REQ:
- ip1dbg(("ip_rput_dlpi_writer: got DL_ERROR_ACK for "
- "DL_CONTROL_REQ\n"));
- ill_dlpi_done(ill, dlea->dl_error_primitive);
- freemsg(mp);
- return;
case DL_CAPABILITY_REQ:
ip1dbg(("ip_rput_dlpi_writer: got DL_ERROR_ACK for "
"DL_CAPABILITY REQ\n"));
@@ -16003,10 +8530,6 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
mp = NULL;
break;
- case DL_CONTROL_ACK:
- /* We treat all of these as "fire and forget" */
- ill_dlpi_done(ill, DL_CONTROL_REQ);
- break;
case DL_INFO_ACK:
/* Call a routine to handle this one. */
ill_dlpi_done(ill, DL_INFO_REQ);
@@ -16019,29 +8542,33 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
* sent by ill_dl_phys, in which case just return
*/
ill_dlpi_done(ill, DL_BIND_REQ);
- if (ill->ill_ifname_pending)
+ if (ill->ill_ifname_pending) {
+ DTRACE_PROBE2(ip__rput__dlpi__ifname__pending,
+ ill_t *, ill, mblk_t *, mp);
break;
-
+ }
if (!ioctl_aborted)
mp1 = ipsq_pending_mp_get(ipsq, &connp);
- if (mp1 == NULL)
+ if (mp1 == NULL) {
+ DTRACE_PROBE1(ip__rput__dlpi__no__mblk, ill_t *, ill);
break;
+ }
/*
* mp1 was added by ill_dl_up(). if that is a result of
* a DL_NOTE_REPLUMB notification, connp could be NULL.
*/
if (connp != NULL)
q = CONNP_TO_WQ(connp);
-
/*
* We are exclusive. So nothing can change even after
- * we get the pending mp. If need be we can put it back
- * and restart, as in calling ipif_arp_up() below.
+ * we get the pending mp.
*/
ip1dbg(("ip_rput_dlpi: bind_ack %s\n", ill->ill_name));
+ DTRACE_PROBE1(ip__rput__dlpi__bind__ack, ill_t *, ill);
mutex_enter(&ill->ill_lock);
ill->ill_dl_up = 1;
+ ill->ill_state_flags &= ~ILL_DOWN_IN_PROGRESS;
ill_nic_event_dispatch(ill, 0, NE_UP, NULL, 0);
mutex_exit(&ill->ill_lock);
@@ -16052,34 +8579,15 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
* ill_dl_up(), which stopped ipif_up()'s processing.
*/
if (ill->ill_isv6) {
- if (ill->ill_flags & ILLF_XRESOLV) {
- if (connp != NULL)
- mutex_enter(&connp->conn_lock);
- mutex_enter(&ill->ill_lock);
- success = ipsq_pending_mp_add(connp, ipif, q,
- mp1, 0);
- mutex_exit(&ill->ill_lock);
- if (connp != NULL)
- mutex_exit(&connp->conn_lock);
- if (success) {
- err = ipif_resolver_up(ipif,
- Res_act_initial);
- if (err == EINPROGRESS) {
- freemsg(mp);
- return;
- }
- ASSERT(err != 0);
- mp1 = ipsq_pending_mp_get(ipsq, &connp);
- ASSERT(mp1 != NULL);
- } else {
- /* conn has started closing */
- err = EINTR;
- }
- } else { /* Non XRESOLV interface */
- (void) ipif_resolver_up(ipif, Res_act_initial);
- if ((err = ipif_ndp_up(ipif, B_TRUE)) == 0)
- err = ipif_up_done_v6(ipif);
- }
+ /*
+ * v6 interfaces.
+ * Unlike ARP which has to do another bind
+ * and attach, once we get here we are
+ * done with NDP
+ */
+ (void) ipif_resolver_up(ipif, Res_act_initial);
+ if ((err = ipif_ndp_up(ipif, B_TRUE)) == 0)
+ err = ipif_up_done_v6(ipif);
} else if (ill->ill_net_type == IRE_IF_RESOLVER) {
/*
* ARP and other v4 external resolvers.
@@ -16099,7 +8607,7 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
freemsg(mp);
return;
}
- ASSERT(err != 0);
+ ASSERT(arp_no_defense || err != 0);
mp1 = ipsq_pending_mp_get(ipsq, &connp);
} else {
/* The conn has started closing */
@@ -16144,10 +8652,7 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
case DL_NOTIFY_IND: {
dl_notify_ind_t *notify = (dl_notify_ind_t *)mp->b_rptr;
- ire_t *ire;
uint_t orig_mtu;
- boolean_t need_ire_walk_v4 = B_FALSE;
- boolean_t need_ire_walk_v6 = B_FALSE;
switch (notify->dl_notification) {
case DL_NOTE_PHYS_ADDR:
@@ -16164,95 +8669,52 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
return;
case DL_NOTE_FASTPATH_FLUSH:
- ill_fastpath_flush(ill);
+ nce_flush(ill, B_FALSE);
break;
case DL_NOTE_SDU_SIZE:
/*
- * Change the MTU size of the interface, of all
- * attached ipif's, and of all relevant ire's. The
- * new value's a uint32_t at notify->dl_data.
- * Mtu change Vs. new ire creation - protocol below.
- *
- * a Mark the ipif as IPIF_CHANGING.
- * b Set the new mtu in the ipif.
- * c Change the ire_max_frag on all affected ires
- * d Unmark the IPIF_CHANGING
+ * The dce and fragmentation code can cope with
+ * this changing while packets are being sent.
+ * When packets are sent ip_output will discover
+ * a change.
*
- * To see how the protocol works, assume an interface
- * route is also being added simultaneously by
- * ip_rt_add and let 'ipif' be the ipif referenced by
- * the ire. If the ire is created before step a,
- * it will be cleaned up by step c. If the ire is
- * created after step d, it will see the new value of
- * ipif_mtu. Any attempt to create the ire between
- * steps a to d will fail because of the IPIF_CHANGING
- * flag. Note that ire_create() is passed a pointer to
- * the ipif_mtu, and not the value. During ire_add
- * under the bucket lock, the ire_max_frag of the
- * new ire being created is set from the ipif/ire from
- * which it is being derived.
+ * Change the MTU size of the interface.
*/
mutex_enter(&ill->ill_lock);
+ ill->ill_current_frag = (uint_t)notify->dl_data;
+ if (ill->ill_current_frag > ill->ill_max_frag)
+ ill->ill_max_frag = ill->ill_current_frag;
- orig_mtu = ill->ill_max_mtu;
- ill->ill_max_frag = (uint_t)notify->dl_data;
- ill->ill_max_mtu = (uint_t)notify->dl_data;
-
- /*
- * If ill_user_mtu was set (via SIOCSLIFLNKINFO),
- * clamp ill_max_mtu at it.
- */
- if (ill->ill_user_mtu != 0 &&
- ill->ill_user_mtu < ill->ill_max_mtu)
- ill->ill_max_mtu = ill->ill_user_mtu;
+ orig_mtu = ill->ill_mtu;
+ if (!(ill->ill_flags & ILLF_FIXEDMTU)) {
+ ill->ill_mtu = ill->ill_current_frag;
- /*
- * If the MTU is unchanged, we're done.
- */
- if (orig_mtu == ill->ill_max_mtu) {
- mutex_exit(&ill->ill_lock);
- break;
- }
-
- if (ill->ill_isv6) {
- if (ill->ill_max_mtu < IPV6_MIN_MTU)
- ill->ill_max_mtu = IPV6_MIN_MTU;
- } else {
- if (ill->ill_max_mtu < IP_MIN_MTU)
- ill->ill_max_mtu = IP_MIN_MTU;
- }
- for (ipif = ill->ill_ipif; ipif != NULL;
- ipif = ipif->ipif_next) {
/*
- * Don't override the mtu if the user
- * has explicitly set it.
+ * If ill_user_mtu was set (via
+ * SIOCSLIFLNKINFO), clamp ill_mtu at it.
*/
- if (ipif->ipif_flags & IPIF_FIXEDMTU)
- continue;
- ipif->ipif_mtu = (uint_t)notify->dl_data;
- if (ipif->ipif_isv6)
- ire = ipif_to_ire_v6(ipif);
- else
- ire = ipif_to_ire(ipif);
- if (ire != NULL) {
- ire->ire_max_frag = ipif->ipif_mtu;
- ire_refrele(ire);
- }
- if (ipif->ipif_flags & IPIF_UP) {
- if (ill->ill_isv6)
- need_ire_walk_v6 = B_TRUE;
- else
- need_ire_walk_v4 = B_TRUE;
+ if (ill->ill_user_mtu != 0 &&
+ ill->ill_user_mtu < ill->ill_mtu)
+ ill->ill_mtu = ill->ill_user_mtu;
+
+ if (ill->ill_isv6) {
+ if (ill->ill_mtu < IPV6_MIN_MTU)
+ ill->ill_mtu = IPV6_MIN_MTU;
+ } else {
+ if (ill->ill_mtu < IP_MIN_MTU)
+ ill->ill_mtu = IP_MIN_MTU;
}
}
mutex_exit(&ill->ill_lock);
- if (need_ire_walk_v4)
- ire_walk_v4(ill_mtu_change, (char *)ill,
- ALL_ZONES, ipst);
- if (need_ire_walk_v6)
- ire_walk_v6(ill_mtu_change, (char *)ill,
- ALL_ZONES, ipst);
+ /*
+ * Make sure all dce_generation checks find out
+ * that ill_mtu has changed.
+ */
+ if (orig_mtu != ill->ill_mtu) {
+ dce_increment_all_generations(ill->ill_isv6,
+ ill->ill_ipst);
+ }
/*
* Refresh IPMP meta-interface MTU if necessary.
@@ -16303,8 +8765,6 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
case DL_NOTE_PROMISC_ON_PHYS: {
phyint_t *phyint = ill->ill_phyint;
- IPSECHW_DEBUG(IPSECHW_PKT, ("ip_rput_dlpi_writer: "
- "got a DL_NOTE_PROMISC_ON_PHYS\n"));
mutex_enter(&phyint->phyint_lock);
phyint->phyint_flags |= PHYI_PROMISC;
mutex_exit(&phyint->phyint_lock);
@@ -16313,8 +8773,6 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
case DL_NOTE_PROMISC_OFF_PHYS: {
phyint_t *phyint = ill->ill_phyint;
- IPSECHW_DEBUG(IPSECHW_PKT, ("ip_rput_dlpi_writer: "
- "got a DL_NOTE_PROMISC_OFF_PHYS\n"));
mutex_enter(&phyint->phyint_lock);
phyint->phyint_flags &= ~PHYI_PROMISC;
mutex_exit(&phyint->phyint_lock);
@@ -16474,6 +8932,10 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
ip2dbg(("DL_OK_ACK %s (0x%x)\n",
dl_primstr((int)dloa->dl_correct_primitive),
dloa->dl_correct_primitive));
+ DTRACE_PROBE3(ill__dlpi, char *, "ip_rput_dlpi_writer ok",
+ char *, dl_primstr(dloa->dl_correct_primitive),
+ ill_t *, ill);
+
switch (dloa->dl_correct_primitive) {
case DL_ENABMULTI_REQ:
case DL_DISABMULTI_REQ:
@@ -16502,6 +8964,10 @@ ip_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
*/
ASSERT(err != EINPROGRESS);
+ DTRACE_PROBE4(ipif__ioctl, char *, "ip_rput_dlpi_writer finish",
+ int, ipsq->ipsq_xop->ipx_current_ioctl, ill_t *, ill,
+ ipif_t *, NULL);
+
switch (ipsq->ipsq_xop->ipx_current_ioctl) {
case 0:
ipsq_current_finish(ipsq);
@@ -16595,7 +9061,10 @@ ip_rput_other(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
if (ill->ill_dlpi_fastpath_state == IDS_INPROGRESS) {
ill->ill_dlpi_fastpath_state = IDS_FAILED;
mutex_exit(&ill->ill_lock);
- ill_fastpath_nack(ill);
+ /*
+ * don't flush the nce_t entries: we use them
+ * as an index to the ncec itself.
+ */
ip1dbg(("ip_rput: DLPI fastpath off on interface %s\n",
ill->ill_name));
} else {
@@ -16611,235 +9080,24 @@ ip_rput_other(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
}
/*
- * NOTE : This function does not ire_refrele the ire argument passed in.
- *
- * IPQoS notes
- * IP policy is invoked twice for a forwarded packet, once on the read side
- * and again on the write side if both, IPP_FWD_IN and IPP_FWD_OUT are
- * enabled. An additional parameter, in_ill, has been added for this purpose.
- * Note that in_ill could be NULL when called from ip_rput_forward_multicast
- * because ip_mroute drops this information.
- *
+ * Update any source route, record route or timestamp options
+ * When it fails it has consumed the message and BUMPed the MIB.
*/
-void
-ip_rput_forward(ire_t *ire, ipha_t *ipha, mblk_t *mp, ill_t *in_ill)
-{
- uint32_t old_pkt_len;
- uint32_t pkt_len;
- queue_t *q;
- uint32_t sum;
-#define rptr ((uchar_t *)ipha)
- uint32_t max_frag;
- uint32_t ill_index;
- ill_t *out_ill;
- mib2_ipIfStatsEntry_t *mibptr;
- ip_stack_t *ipst = ((ill_t *)(ire->ire_stq->q_ptr))->ill_ipst;
-
- /* Get the ill_index of the incoming ILL */
- ill_index = (in_ill != NULL) ? in_ill->ill_phyint->phyint_ifindex : 0;
- mibptr = (in_ill != NULL) ? in_ill->ill_ip_mib : &ipst->ips_ip_mib;
-
- /* Initiate Read side IPPF processing */
- if (IPP_ENABLED(IPP_FWD_IN, ipst)) {
- ip_process(IPP_FWD_IN, &mp, ill_index);
- if (mp == NULL) {
- ip2dbg(("ip_rput_forward: pkt dropped/deferred "\
- "during IPPF processing\n"));
- return;
- }
- }
-
- /* Adjust the checksum to reflect the ttl decrement. */
- sum = (int)ipha->ipha_hdr_checksum + IP_HDR_CSUM_TTL_ADJUST;
- ipha->ipha_hdr_checksum = (uint16_t)(sum + (sum >> 16));
-
- if (ipha->ipha_ttl-- <= 1) {
- if (ip_csum_hdr(ipha)) {
- BUMP_MIB(mibptr, ipIfStatsInCksumErrs);
- goto drop_pkt;
- }
- /*
- * Note: ire_stq this will be NULL for multicast
- * datagrams using the long path through arp (the IRE
- * is not an IRE_CACHE). This should not cause
- * problems since we don't generate ICMP errors for
- * multicast packets.
- */
- BUMP_MIB(mibptr, ipIfStatsForwProhibits);
- q = ire->ire_stq;
- if (q != NULL) {
- /* Sent by forwarding path, and router is global zone */
- icmp_time_exceeded(q, mp, ICMP_TTL_EXCEEDED,
- GLOBAL_ZONEID, ipst);
- } else
- freemsg(mp);
- return;
- }
-
- /*
- * Don't forward if the interface is down
- */
- if (ire->ire_ipif->ipif_ill->ill_ipif_up_count == 0) {
- BUMP_MIB(mibptr, ipIfStatsInDiscards);
- ip2dbg(("ip_rput_forward:interface is down\n"));
- goto drop_pkt;
- }
-
- /* Get the ill_index of the outgoing ILL */
- out_ill = ire_to_ill(ire);
- ill_index = out_ill->ill_phyint->phyint_ifindex;
-
- DTRACE_PROBE4(ip4__forwarding__start,
- ill_t *, in_ill, ill_t *, out_ill, ipha_t *, ipha, mblk_t *, mp);
-
- FW_HOOKS(ipst->ips_ip4_forwarding_event,
- ipst->ips_ipv4firewall_forwarding,
- in_ill, out_ill, ipha, mp, mp, 0, ipst);
-
- DTRACE_PROBE1(ip4__forwarding__end, mblk_t *, mp);
-
- if (mp == NULL)
- return;
- old_pkt_len = pkt_len = ntohs(ipha->ipha_length);
-
- if (is_system_labeled()) {
- mblk_t *mp1;
-
- if ((mp1 = tsol_ip_forward(ire, mp)) == NULL) {
- BUMP_MIB(mibptr, ipIfStatsForwProhibits);
- goto drop_pkt;
- }
- /* Size may have changed */
- mp = mp1;
- ipha = (ipha_t *)mp->b_rptr;
- pkt_len = ntohs(ipha->ipha_length);
- }
-
- /* Check if there are options to update */
- if (!IS_SIMPLE_IPH(ipha)) {
- if (ip_csum_hdr(ipha)) {
- BUMP_MIB(mibptr, ipIfStatsInCksumErrs);
- goto drop_pkt;
- }
- if (ip_rput_forward_options(mp, ipha, ire, ipst)) {
- BUMP_MIB(mibptr, ipIfStatsForwProhibits);
- return;
- }
-
- ipha->ipha_hdr_checksum = 0;
- ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
- }
- max_frag = ire->ire_max_frag;
- if (pkt_len > max_frag) {
- /*
- * It needs fragging on its way out. We haven't
- * verified the header checksum yet. Since we
- * are going to put a surely good checksum in the
- * outgoing header, we have to make sure that it
- * was good coming in.
- */
- if (ip_csum_hdr(ipha)) {
- BUMP_MIB(mibptr, ipIfStatsInCksumErrs);
- goto drop_pkt;
- }
- /* Initiate Write side IPPF processing */
- if (IPP_ENABLED(IPP_FWD_OUT, ipst)) {
- ip_process(IPP_FWD_OUT, &mp, ill_index);
- if (mp == NULL) {
- ip2dbg(("ip_rput_forward: pkt dropped/deferred"\
- " during IPPF processing\n"));
- return;
- }
- }
- /*
- * Handle labeled packet resizing.
- *
- * If we have added a label, inform ip_wput_frag() of its
- * effect on the MTU for ICMP messages.
- */
- if (pkt_len > old_pkt_len) {
- uint32_t secopt_size;
-
- secopt_size = pkt_len - old_pkt_len;
- if (secopt_size < max_frag)
- max_frag -= secopt_size;
- }
-
- ip_wput_frag(ire, mp, IB_PKT, max_frag, 0,
- GLOBAL_ZONEID, ipst, NULL);
- ip2dbg(("ip_rput_forward:sent to ip_wput_frag\n"));
- return;
- }
-
- DTRACE_PROBE4(ip4__physical__out__start, ill_t *, NULL,
- ill_t *, out_ill, ipha_t *, ipha, mblk_t *, mp);
- FW_HOOKS(ipst->ips_ip4_physical_out_event,
- ipst->ips_ipv4firewall_physical_out,
- NULL, out_ill, ipha, mp, mp, 0, ipst);
- DTRACE_PROBE1(ip4__physical__out__end, mblk_t *, mp);
- if (mp == NULL)
- return;
-
- mp->b_prev = (mblk_t *)IPP_FWD_OUT;
- ip1dbg(("ip_rput_forward: Calling ip_xmit_v4\n"));
- (void) ip_xmit_v4(mp, ire, NULL, B_FALSE, NULL);
- /* ip_xmit_v4 always consumes the packet */
- return;
-
-drop_pkt:;
- ip1dbg(("ip_rput_forward: drop pkt\n"));
- freemsg(mp);
-#undef rptr
-}
-
-void
-ip_rput_forward_multicast(ipaddr_t dst, mblk_t *mp, ipif_t *ipif)
-{
- ire_t *ire;
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
-
- ASSERT(!ipif->ipif_isv6);
- /*
- * Find an IRE which matches the destination and the outgoing
- * queue in the cache table. All we need is an IRE_CACHE which
- * is pointing at ipif->ipif_ill.
- */
- if (ipif->ipif_flags & IPIF_POINTOPOINT)
- dst = ipif->ipif_pp_dst_addr;
-
- ire = ire_ctable_lookup(dst, 0, 0, ipif, ALL_ZONES, msg_getlabel(mp),
- MATCH_IRE_ILL | MATCH_IRE_SECATTR, ipst);
- if (ire == NULL) {
- /*
- * Mark this packet to make it be delivered to
- * ip_rput_forward after the new ire has been
- * created.
- */
- mp->b_prev = NULL;
- mp->b_next = mp;
- ip_newroute_ipif(ipif->ipif_ill->ill_wq, mp, ipif, dst,
- NULL, 0, GLOBAL_ZONEID, &zero_info);
- } else {
- ip_rput_forward(ire, (ipha_t *)mp->b_rptr, mp, NULL);
- IRE_REFRELE(ire);
- }
-}
-
-/* Update any source route, record route or timestamp options */
-static int
-ip_rput_forward_options(mblk_t *mp, ipha_t *ipha, ire_t *ire, ip_stack_t *ipst)
+boolean_t
+ip_forward_options(mblk_t *mp, ipha_t *ipha, ill_t *dst_ill,
+ ip_recv_attr_t *ira)
{
ipoptp_t opts;
uchar_t *opt;
uint8_t optval;
uint8_t optlen;
ipaddr_t dst;
+ ipaddr_t ifaddr;
uint32_t ts;
- ire_t *dst_ire = NULL;
- ire_t *tmp_ire = NULL;
timestruc_t now;
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
- ip2dbg(("ip_rput_forward_options\n"));
+ ip2dbg(("ip_forward_options\n"));
dst = ipha->ipha_dst;
for (optval = ipoptp_first(&opts, ipha);
optval != IPOPT_EOL;
@@ -16847,7 +9105,7 @@ ip_rput_forward_options(mblk_t *mp, ipha_t *ipha, ire_t *ire, ip_stack_t *ipst)
ASSERT((opts.ipoptp_flags & IPOPTP_ERROR) == 0);
opt = opts.ipoptp_cur;
optlen = opts.ipoptp_len;
- ip2dbg(("ip_rput_forward_options: opt %d, len %d\n",
+ ip2dbg(("ip_forward_options: opt %d, len %d\n",
optval, opts.ipoptp_len));
switch (optval) {
uint32_t off;
@@ -16855,27 +9113,17 @@ ip_rput_forward_options(mblk_t *mp, ipha_t *ipha, ire_t *ire, ip_stack_t *ipst)
case IPOPT_LSRR:
/* Check if adminstratively disabled */
if (!ipst->ips_ip_forward_src_routed) {
- if (ire->ire_stq != NULL) {
- /*
- * Sent by forwarding path, and router
- * is global zone
- */
- icmp_unreachable(ire->ire_stq, mp,
- ICMP_SOURCE_ROUTE_FAILED,
- GLOBAL_ZONEID, ipst);
- } else {
- ip0dbg(("ip_rput_forward_options: "
- "unable to send unreach\n"));
- freemsg(mp);
- }
- return (-1);
+ BUMP_MIB(dst_ill->ill_ip_mib,
+ ipIfStatsForwProhibits);
+ ip_drop_input("ICMP_SOURCE_ROUTE_FAILED",
+ mp, dst_ill);
+ icmp_unreachable(mp, ICMP_SOURCE_ROUTE_FAILED,
+ ira);
+ return (B_FALSE);
}
-
- dst_ire = ire_ctable_lookup(dst, 0, IRE_LOCAL,
- NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- if (dst_ire == NULL) {
+ if (ip_type_v4(dst, ipst) != IRE_LOCAL) {
/*
- * Must be partial since ip_rput_options
+ * Must be partial since ip_input_options
* checked for strict.
*/
break;
@@ -16887,31 +9135,33 @@ ip_rput_forward_options(mblk_t *mp, ipha_t *ipha, ire_t *ire, ip_stack_t *ipst)
off > optlen - IP_ADDR_LEN) {
/* End of source route */
ip1dbg((
- "ip_rput_forward_options: end of SR\n"));
- ire_refrele(dst_ire);
+ "ip_forward_options: end of SR\n"));
break;
}
+ /* Pick a reasonable address on the outbound if */
+ ASSERT(dst_ill != NULL);
+ if (ip_select_source_v4(dst_ill, INADDR_ANY, dst,
+ INADDR_ANY, ALL_ZONES, ipst, &ifaddr, NULL,
+ NULL) != 0) {
+ /* No source! Shouldn't happen */
+ ifaddr = INADDR_ANY;
+ }
bcopy((char *)opt + off, &dst, IP_ADDR_LEN);
- bcopy(&ire->ire_src_addr, (char *)opt + off,
- IP_ADDR_LEN);
- ip1dbg(("ip_rput_forward_options: next hop 0x%x\n",
+ bcopy(&ifaddr, (char *)opt + off, IP_ADDR_LEN);
+ ip1dbg(("ip_forward_options: next hop 0x%x\n",
ntohl(dst)));
/*
* Check if our address is present more than
* once as consecutive hops in source route.
*/
- tmp_ire = ire_ctable_lookup(dst, 0, IRE_LOCAL,
- NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- if (tmp_ire != NULL) {
- ire_refrele(tmp_ire);
+ if (ip_type_v4(dst, ipst) == IRE_LOCAL) {
off += IP_ADDR_LEN;
opt[IPOPT_OFFSET] += IP_ADDR_LEN;
goto redo_srr;
}
ipha->ipha_dst = dst;
opt[IPOPT_OFFSET] += IP_ADDR_LEN;
- ire_refrele(dst_ire);
break;
case IPOPT_RR:
off = opt[IPOPT_OFFSET];
@@ -16920,11 +9170,18 @@ ip_rput_forward_options(mblk_t *mp, ipha_t *ipha, ire_t *ire, ip_stack_t *ipst)
off > optlen - IP_ADDR_LEN) {
/* No more room - ignore */
ip1dbg((
- "ip_rput_forward_options: end of RR\n"));
+ "ip_forward_options: end of RR\n"));
break;
}
- bcopy(&ire->ire_src_addr, (char *)opt + off,
- IP_ADDR_LEN);
+ /* Pick a reasonable address on the outbound if */
+ ASSERT(dst_ill != NULL);
+ if (ip_select_source_v4(dst_ill, INADDR_ANY, dst,
+ INADDR_ANY, ALL_ZONES, ipst, &ifaddr, NULL,
+ NULL) != 0) {
+ /* No source! Shouldn't happen */
+ ifaddr = INADDR_ANY;
+ }
+ bcopy(&ifaddr, (char *)opt + off, IP_ADDR_LEN);
opt[IPOPT_OFFSET] += IP_ADDR_LEN;
break;
case IPOPT_TS:
@@ -16938,14 +9195,10 @@ ip_rput_forward_options(mblk_t *mp, ipha_t *ipha, ire_t *ire, ip_stack_t *ipst)
/* Verify that the address matched */
off = opt[IPOPT_OFFSET] - 1;
bcopy((char *)opt + off, &dst, IP_ADDR_LEN);
- dst_ire = ire_ctable_lookup(dst, 0,
- IRE_LOCAL, NULL, ALL_ZONES, NULL,
- MATCH_IRE_TYPE, ipst);
- if (dst_ire == NULL) {
+ if (ip_type_v4(dst, ipst) != IRE_LOCAL) {
/* Not for us */
break;
}
- ire_refrele(dst_ire);
/* FALLTHRU */
case IPOPT_TS_TSANDADDR:
off = IP_ADDR_LEN + IPOPT_TS_TIMELEN;
@@ -16955,9 +9208,9 @@ ip_rput_forward_options(mblk_t *mp, ipha_t *ipha, ire_t *ire, ip_stack_t *ipst)
* ip_*put_options should have already
* dropped this packet.
*/
- cmn_err(CE_PANIC, "ip_rput_forward_options: "
- "unknown IT - bug in ip_rput_options?\n");
- return (0); /* Keep "lint" happy */
+ cmn_err(CE_PANIC, "ip_forward_options: "
+ "unknown IT - bug in ip_input_options?\n");
+ return (B_TRUE); /* Keep "lint" happy */
}
if (opt[IPOPT_OFFSET] - 1 + off > optlen) {
/* Increase overflow counter */
@@ -16972,8 +9225,15 @@ ip_rput_forward_options(mblk_t *mp, ipha_t *ipha, ire_t *ire, ip_stack_t *ipst)
case IPOPT_TS_PRESPEC:
case IPOPT_TS_PRESPEC_RFC791:
case IPOPT_TS_TSANDADDR:
- bcopy(&ire->ire_src_addr,
- (char *)opt + off, IP_ADDR_LEN);
+ /* Pick a reasonable addr on the outbound if */
+ ASSERT(dst_ill != NULL);
+ if (ip_select_source_v4(dst_ill, INADDR_ANY,
+ dst, INADDR_ANY, ALL_ZONES, ipst, &ifaddr,
+ NULL, NULL) != 0) {
+ /* No source! Shouldn't happen */
+ ifaddr = INADDR_ANY;
+ }
+ bcopy(&ifaddr, (char *)opt + off, IP_ADDR_LEN);
opt[IPOPT_OFFSET] += IP_ADDR_LEN;
/* FALLTHRU */
case IPOPT_TS_TSONLY:
@@ -16989,223 +9249,7 @@ ip_rput_forward_options(mblk_t *mp, ipha_t *ipha, ire_t *ire, ip_stack_t *ipst)
break;
}
}
- return (0);
-}
-
-/*
- * This is called after processing at least one of AH/ESP headers.
- *
- * NOTE: the ill corresponding to ipsec_in_ill_index may not be
- * the actual, physical interface on which the packet was received,
- * but, when ip_strict_dst_multihoming is set to 1, could be the
- * interface which had the ipha_dst configured when the packet went
- * through ip_rput. The ill_index corresponding to the recv_ill
- * is saved in ipsec_in_rill_index
- *
- * NOTE2: The "ire" argument is only used in IPv4 cases. This function
- * cannot assume "ire" points to valid data for any IPv6 cases.
- */
-void
-ip_fanout_proto_again(mblk_t *ipsec_mp, ill_t *ill, ill_t *recv_ill, ire_t *ire)
-{
- mblk_t *mp;
- ipaddr_t dst;
- in6_addr_t *v6dstp;
- ipha_t *ipha;
- ip6_t *ip6h;
- ipsec_in_t *ii;
- boolean_t ill_need_rele = B_FALSE;
- boolean_t rill_need_rele = B_FALSE;
- boolean_t ire_need_rele = B_FALSE;
- netstack_t *ns;
- ip_stack_t *ipst;
-
- ii = (ipsec_in_t *)ipsec_mp->b_rptr;
- ASSERT(ii->ipsec_in_ill_index != 0);
- ns = ii->ipsec_in_ns;
- ASSERT(ii->ipsec_in_ns != NULL);
- ipst = ns->netstack_ip;
-
- mp = ipsec_mp->b_cont;
- ASSERT(mp != NULL);
-
- if (ill == NULL) {
- ASSERT(recv_ill == NULL);
- /*
- * We need to get the original queue on which ip_rput_local
- * or ip_rput_data_v6 was called.
- */
- ill = ill_lookup_on_ifindex(ii->ipsec_in_ill_index,
- !ii->ipsec_in_v4, NULL, NULL, NULL, NULL, ipst);
- ill_need_rele = B_TRUE;
-
- if (ii->ipsec_in_ill_index != ii->ipsec_in_rill_index) {
- recv_ill = ill_lookup_on_ifindex(
- ii->ipsec_in_rill_index, !ii->ipsec_in_v4,
- NULL, NULL, NULL, NULL, ipst);
- rill_need_rele = B_TRUE;
- } else {
- recv_ill = ill;
- }
-
- if ((ill == NULL) || (recv_ill == NULL)) {
- ip0dbg(("ip_fanout_proto_again: interface "
- "disappeared\n"));
- if (ill != NULL)
- ill_refrele(ill);
- if (recv_ill != NULL)
- ill_refrele(recv_ill);
- freemsg(ipsec_mp);
- return;
- }
- }
-
- ASSERT(ill != NULL && recv_ill != NULL);
-
- if (mp->b_datap->db_type == M_CTL) {
- /*
- * AH/ESP is returning the ICMP message after
- * removing their headers. Fanout again till
- * it gets to the right protocol.
- */
- if (ii->ipsec_in_v4) {
- icmph_t *icmph;
- int iph_hdr_length;
- int hdr_length;
-
- ipha = (ipha_t *)mp->b_rptr;
- iph_hdr_length = IPH_HDR_LENGTH(ipha);
- icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- ipha = (ipha_t *)&icmph[1];
- hdr_length = IPH_HDR_LENGTH(ipha);
- /*
- * icmp_inbound_error_fanout may need to do pullupmsg.
- * Reset the type to M_DATA.
- */
- mp->b_datap->db_type = M_DATA;
- icmp_inbound_error_fanout(ill->ill_rq, ill, ipsec_mp,
- icmph, ipha, iph_hdr_length, hdr_length, B_TRUE,
- B_FALSE, ill, ii->ipsec_in_zoneid);
- } else {
- icmp6_t *icmp6;
- int hdr_length;
-
- ip6h = (ip6_t *)mp->b_rptr;
- /* Don't call hdr_length_v6() unless you have to. */
- if (ip6h->ip6_nxt != IPPROTO_ICMPV6)
- hdr_length = ip_hdr_length_v6(mp, ip6h);
- else
- hdr_length = IPV6_HDR_LEN;
-
- icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]);
- /*
- * icmp_inbound_error_fanout_v6 may need to do
- * pullupmsg. Reset the type to M_DATA.
- */
- mp->b_datap->db_type = M_DATA;
- icmp_inbound_error_fanout_v6(ill->ill_rq, ipsec_mp,
- ip6h, icmp6, ill, recv_ill, B_TRUE,
- ii->ipsec_in_zoneid);
- }
- if (ill_need_rele)
- ill_refrele(ill);
- if (rill_need_rele)
- ill_refrele(recv_ill);
- return;
- }
-
- if (ii->ipsec_in_v4) {
- ipha = (ipha_t *)mp->b_rptr;
- dst = ipha->ipha_dst;
- if (CLASSD(dst)) {
- /*
- * Multicast has to be delivered to all streams.
- */
- dst = INADDR_BROADCAST;
- }
-
- if (ire == NULL) {
- ire = ire_cache_lookup(dst, ii->ipsec_in_zoneid,
- msg_getlabel(mp), ipst);
- if (ire == NULL) {
- if (ill_need_rele)
- ill_refrele(ill);
- if (rill_need_rele)
- ill_refrele(recv_ill);
- ip1dbg(("ip_fanout_proto_again: "
- "IRE not found"));
- freemsg(ipsec_mp);
- return;
- }
- ire_need_rele = B_TRUE;
- }
-
- switch (ipha->ipha_protocol) {
- case IPPROTO_UDP:
- ip_udp_input(ill->ill_rq, ipsec_mp, ipha, ire,
- recv_ill);
- if (ire_need_rele)
- ire_refrele(ire);
- break;
- case IPPROTO_TCP:
- if (!ire_need_rele)
- IRE_REFHOLD(ire);
- mp = ip_tcp_input(mp, ipha, ill, B_TRUE,
- ire, ipsec_mp, 0, ill->ill_rq, NULL);
- IRE_REFRELE(ire);
- if (mp != NULL) {
- SQUEUE_ENTER(GET_SQUEUE(mp), mp,
- mp, 1, SQ_PROCESS,
- SQTAG_IP_PROTO_AGAIN);
- }
- break;
- case IPPROTO_SCTP:
- if (!ire_need_rele)
- IRE_REFHOLD(ire);
- ip_sctp_input(mp, ipha, ill, B_TRUE, ire,
- ipsec_mp, 0, ill->ill_rq, dst);
- break;
- case IPPROTO_ENCAP:
- case IPPROTO_IPV6:
- if (ip_iptun_input(ipsec_mp, mp, ipha, ill, ire,
- ill->ill_ipst)) {
- /*
- * If we made it here, we don't need to worry
- * about the raw-socket/protocol fanout.
- */
- if (ire_need_rele)
- ire_refrele(ire);
- break;
- }
- /* else FALLTHRU */
- default:
- ip_proto_input(ill->ill_rq, ipsec_mp, ipha, ire,
- recv_ill, 0);
- if (ire_need_rele)
- ire_refrele(ire);
- break;
- }
- } else {
- uint32_t rput_flags = 0;
-
- ip6h = (ip6_t *)mp->b_rptr;
- v6dstp = &ip6h->ip6_dst;
- /*
- * XXX Assumes ip_rput_v6 sets ll_multicast only for multicast
- * address.
- *
- * Currently, we don't store that state in the IPSEC_IN
- * message, and we may need to.
- */
- rput_flags |= (IN6_IS_ADDR_MULTICAST(v6dstp) ?
- IP6_IN_LLMCAST : 0);
- ip_rput_data_v6(ill->ill_rq, ill, ipsec_mp, ip6h, rput_flags,
- NULL, NULL);
- }
- if (ill_need_rele)
- ill_refrele(ill);
- if (rill_need_rele)
- ill_refrele(recv_ill);
+ return (B_TRUE);
}
/*
@@ -17290,609 +9334,25 @@ ill_frag_timer_start(ill_t *ill)
}
/*
- * This routine is needed for loopback when forwarding multicasts.
- *
- * IPQoS Notes:
- * IPPF processing is done in fanout routines.
- * Policy processing is done only if IPP_lOCAL_IN is enabled. Further,
- * processing for IPsec packets is done when it comes back in clear.
- * NOTE : The callers of this function need to do the ire_refrele for the
- * ire that is being passed in.
- */
-void
-ip_proto_input(queue_t *q, mblk_t *mp, ipha_t *ipha, ire_t *ire,
- ill_t *recv_ill, uint32_t esp_udp_ports)
-{
- boolean_t esp_in_udp_packet = (esp_udp_ports != 0);
- ill_t *ill = (ill_t *)q->q_ptr;
- uint32_t sum;
- uint32_t u1;
- uint32_t u2;
- int hdr_length;
- boolean_t mctl_present;
- mblk_t *first_mp = mp;
- mblk_t *hada_mp = NULL;
- ipha_t *inner_ipha;
- ip_stack_t *ipst;
-
- ASSERT(recv_ill != NULL);
- ipst = recv_ill->ill_ipst;
-
- TRACE_1(TR_FAC_IP, TR_IP_RPUT_LOCL_START,
- "ip_rput_locl_start: q %p", q);
-
- ASSERT(ire->ire_ipversion == IPV4_VERSION);
- ASSERT(ill != NULL);
-
-#define rptr ((uchar_t *)ipha)
-#define iphs ((uint16_t *)ipha)
-
- /*
- * no UDP or TCP packet should come here anymore.
- */
- ASSERT(ipha->ipha_protocol != IPPROTO_TCP &&
- ipha->ipha_protocol != IPPROTO_UDP);
-
- EXTRACT_PKT_MP(mp, first_mp, mctl_present);
- if (mctl_present &&
- ((da_ipsec_t *)first_mp->b_rptr)->da_type == IPHADA_M_CTL) {
- ASSERT(MBLKL(first_mp) >= sizeof (da_ipsec_t));
-
- /*
- * It's an IPsec accelerated packet.
- * Keep a pointer to the data attributes around until
- * we allocate the ipsec_info_t.
- */
- IPSECHW_DEBUG(IPSECHW_PKT,
- ("ip_rput_local: inbound HW accelerated IPsec pkt\n"));
- hada_mp = first_mp;
- hada_mp->b_cont = NULL;
- /*
- * Since it is accelerated, it comes directly from
- * the ill and the data attributes is followed by
- * the packet data.
- */
- ASSERT(mp->b_datap->db_type != M_CTL);
- first_mp = mp;
- mctl_present = B_FALSE;
- }
-
- /*
- * IF M_CTL is not present, then ipsec_in_is_secure
- * should return B_TRUE. There is a case where loopback
- * packets has an M_CTL in the front with all the
- * IPsec options set to IPSEC_PREF_NEVER - which means
- * ipsec_in_is_secure will return B_FALSE. As loopback
- * packets never comes here, it is safe to ASSERT the
- * following.
- */
- ASSERT(!mctl_present || ipsec_in_is_secure(first_mp));
-
- /*
- * Also, we should never have an mctl_present if this is an
- * ESP-in-UDP packet.
- */
- ASSERT(!mctl_present || !esp_in_udp_packet);
-
- /* u1 is # words of IP options */
- u1 = ipha->ipha_version_and_hdr_length - (uchar_t)((IP_VERSION << 4) +
- IP_SIMPLE_HDR_LENGTH_IN_WORDS);
-
- /*
- * Don't verify header checksum if we just removed UDP header or
- * packet is coming back from AH/ESP.
- */
- if (!esp_in_udp_packet && !mctl_present) {
- if (u1) {
- if (!ip_options_cksum(q, ill, mp, ipha, ire, ipst)) {
- if (hada_mp != NULL)
- freemsg(hada_mp);
- return;
- }
- } else {
- /* Check the IP header checksum. */
-#define uph ((uint16_t *)ipha)
- sum = uph[0] + uph[1] + uph[2] + uph[3] + uph[4] +
- uph[5] + uph[6] + uph[7] + uph[8] + uph[9];
-#undef uph
- /* finish doing IP checksum */
- sum = (sum & 0xFFFF) + (sum >> 16);
- sum = ~(sum + (sum >> 16)) & 0xFFFF;
- if (sum && sum != 0xFFFF) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInCksumErrs);
- goto drop_pkt;
- }
- }
- }
-
- /*
- * Count for SNMP of inbound packets for ire. As ip_proto_input
- * might be called more than once for secure packets, count only
- * the first time.
- */
- if (!mctl_present) {
- UPDATE_IB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- }
-
- /* Check for fragmentation offset. */
- u2 = ntohs(ipha->ipha_fragment_offset_and_flags);
- u1 = u2 & (IPH_MF | IPH_OFFSET);
- if (u1) {
- /*
- * We re-assemble fragments before we do the AH/ESP
- * processing. Thus, M_CTL should not be present
- * while we are re-assembling.
- */
- ASSERT(!mctl_present);
- ASSERT(first_mp == mp);
- if (!ip_rput_fragment(ill, recv_ill, &mp, ipha, NULL, NULL))
- return;
-
- /*
- * Make sure that first_mp points back to mp as
- * the mp we came in with could have changed in
- * ip_rput_fragment().
- */
- ipha = (ipha_t *)mp->b_rptr;
- first_mp = mp;
- }
-
- /*
- * Clear hardware checksumming flag as it is currently only
- * used by TCP and UDP.
- */
- DB_CKSUMFLAGS(mp) = 0;
-
- /* Now we have a complete datagram, destined for this machine. */
- u1 = IPH_HDR_LENGTH(ipha);
- switch (ipha->ipha_protocol) {
- case IPPROTO_ICMP: {
- ire_t *ire_zone;
- ilm_t *ilm;
- mblk_t *mp1;
- zoneid_t last_zoneid;
- ilm_walker_t ilw;
-
- if (CLASSD(ipha->ipha_dst) && !IS_LOOPBACK(recv_ill)) {
- ASSERT(ire->ire_type == IRE_BROADCAST);
-
- /*
- * In the multicast case, applications may have joined
- * the group from different zones, so we need to deliver
- * the packet to each of them. Loop through the
- * multicast memberships structures (ilm) on the receive
- * ill and send a copy of the packet up each matching
- * one. However, we don't do this for multicasts sent on
- * the loopback interface (PHYI_LOOPBACK flag set) as
- * they must stay in the sender's zone.
- *
- * ilm_add_v6() ensures that ilms in the same zone are
- * contiguous in the ill_ilm list. We use this property
- * to avoid sending duplicates needed when two
- * applications in the same zone join the same group on
- * different logical interfaces: we ignore the ilm if
- * its zoneid is the same as the last matching one.
- * In addition, the sending of the packet for
- * ire_zoneid is delayed until all of the other ilms
- * have been exhausted.
- */
- last_zoneid = -1;
- ilm = ilm_walker_start(&ilw, recv_ill);
- for (; ilm != NULL; ilm = ilm_walker_step(&ilw, ilm)) {
- if (ipha->ipha_dst != ilm->ilm_addr ||
- ilm->ilm_zoneid == last_zoneid ||
- ilm->ilm_zoneid == ire->ire_zoneid ||
- ilm->ilm_zoneid == ALL_ZONES ||
- !(ilm->ilm_ipif->ipif_flags & IPIF_UP))
- continue;
- mp1 = ip_copymsg(first_mp);
- if (mp1 == NULL)
- continue;
- icmp_inbound(q, mp1, B_TRUE, ilw.ilw_walk_ill,
- 0, sum, mctl_present, B_TRUE,
- recv_ill, ilm->ilm_zoneid);
- last_zoneid = ilm->ilm_zoneid;
- }
- ilm_walker_finish(&ilw);
- } else if (ire->ire_type == IRE_BROADCAST) {
- /*
- * In the broadcast case, there may be many zones
- * which need a copy of the packet delivered to them.
- * There is one IRE_BROADCAST per broadcast address
- * and per zone; we walk those using a helper function.
- * In addition, the sending of the packet for ire is
- * delayed until all of the other ires have been
- * processed.
- */
- IRB_REFHOLD(ire->ire_bucket);
- ire_zone = NULL;
- while ((ire_zone = ire_get_next_bcast_ire(ire_zone,
- ire)) != NULL) {
- mp1 = ip_copymsg(first_mp);
- if (mp1 == NULL)
- continue;
-
- UPDATE_IB_PKT_COUNT(ire_zone);
- ire_zone->ire_last_used_time = lbolt;
- icmp_inbound(q, mp1, B_TRUE, ill,
- 0, sum, mctl_present, B_TRUE,
- recv_ill, ire_zone->ire_zoneid);
- }
- IRB_REFRELE(ire->ire_bucket);
- }
- icmp_inbound(q, first_mp, (ire->ire_type == IRE_BROADCAST),
- ill, 0, sum, mctl_present, B_TRUE, recv_ill,
- ire->ire_zoneid);
- TRACE_2(TR_FAC_IP, TR_IP_RPUT_LOCL_END,
- "ip_rput_locl_end: q %p (%S)", q, "icmp");
- return;
- }
- case IPPROTO_IGMP:
- /*
- * If we are not willing to accept IGMP packets in clear,
- * then check with global policy.
- */
- if (ipst->ips_igmp_accept_clear_messages == 0) {
- first_mp = ipsec_check_global_policy(first_mp, NULL,
- ipha, NULL, mctl_present, ipst->ips_netstack);
- if (first_mp == NULL)
- return;
- }
- if (is_system_labeled() && !tsol_can_accept_raw(mp, B_TRUE)) {
- freemsg(first_mp);
- ip1dbg(("ip_proto_input: zone all cannot accept raw"));
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- return;
- }
- if ((mp = igmp_input(q, mp, ill)) == NULL) {
- /* Bad packet - discarded by igmp_input */
- TRACE_2(TR_FAC_IP, TR_IP_RPUT_LOCL_END,
- "ip_rput_locl_end: q %p (%S)", q, "igmp");
- if (mctl_present)
- freeb(first_mp);
- return;
- }
- /*
- * igmp_input() may have returned the pulled up message.
- * So first_mp and ipha need to be reinitialized.
- */
- ipha = (ipha_t *)mp->b_rptr;
- if (mctl_present)
- first_mp->b_cont = mp;
- else
- first_mp = mp;
- if (ipst->ips_ipcl_proto_fanout[ipha->ipha_protocol].
- connf_head != NULL) {
- /* No user-level listener for IGMP packets */
- goto drop_pkt;
- }
- /* deliver to local raw users */
- break;
- case IPPROTO_PIM:
- /*
- * If we are not willing to accept PIM packets in clear,
- * then check with global policy.
- */
- if (ipst->ips_pim_accept_clear_messages == 0) {
- first_mp = ipsec_check_global_policy(first_mp, NULL,
- ipha, NULL, mctl_present, ipst->ips_netstack);
- if (first_mp == NULL)
- return;
- }
- if (is_system_labeled() && !tsol_can_accept_raw(mp, B_TRUE)) {
- freemsg(first_mp);
- ip1dbg(("ip_proto_input: zone all cannot accept PIM"));
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- return;
- }
- if (pim_input(q, mp, ill) != 0) {
- /* Bad packet - discarded by pim_input */
- TRACE_2(TR_FAC_IP, TR_IP_RPUT_LOCL_END,
- "ip_rput_locl_end: q %p (%S)", q, "pim");
- if (mctl_present)
- freeb(first_mp);
- return;
- }
-
- /*
- * pim_input() may have pulled up the message so ipha needs to
- * be reinitialized.
- */
- ipha = (ipha_t *)mp->b_rptr;
- if (ipst->ips_ipcl_proto_fanout[ipha->ipha_protocol].
- connf_head != NULL) {
- /* No user-level listener for PIM packets */
- goto drop_pkt;
- }
- /* deliver to local raw users */
- break;
- case IPPROTO_ENCAP:
- /*
- * Handle self-encapsulated packets (IP-in-IP where
- * the inner addresses == the outer addresses).
- */
- hdr_length = IPH_HDR_LENGTH(ipha);
- if ((uchar_t *)ipha + hdr_length + sizeof (ipha_t) >
- mp->b_wptr) {
- if (!pullupmsg(mp, (uchar_t *)ipha + hdr_length +
- sizeof (ipha_t) - mp->b_rptr)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
- return;
- }
- ipha = (ipha_t *)mp->b_rptr;
- }
- inner_ipha = (ipha_t *)((uchar_t *)ipha + hdr_length);
- /*
- * Check the sanity of the inner IP header.
- */
- if ((IPH_HDR_VERSION(inner_ipha) != IPV4_VERSION)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
- return;
- }
- if (IPH_HDR_LENGTH(inner_ipha) < sizeof (ipha_t)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
- return;
- }
- if (inner_ipha->ipha_src == ipha->ipha_src &&
- inner_ipha->ipha_dst == ipha->ipha_dst) {
- ipsec_in_t *ii;
-
- /*
- * Self-encapsulated tunnel packet. Remove
- * the outer IP header and fanout again.
- * We also need to make sure that the inner
- * header is pulled up until options.
- */
- mp->b_rptr = (uchar_t *)inner_ipha;
- ipha = inner_ipha;
- hdr_length = IPH_HDR_LENGTH(ipha);
- if ((uchar_t *)ipha + hdr_length > mp->b_wptr) {
- if (!pullupmsg(mp, (uchar_t *)ipha +
- + hdr_length - mp->b_rptr)) {
- freemsg(first_mp);
- return;
- }
- ipha = (ipha_t *)mp->b_rptr;
- }
- if (hdr_length > sizeof (ipha_t)) {
- /* We got options on the inner packet. */
- ipaddr_t dst = ipha->ipha_dst;
-
- if (ip_rput_options(q, mp, ipha, &dst, ipst) ==
- -1) {
- /* Bad options! */
- return;
- }
- if (dst != ipha->ipha_dst) {
- /*
- * Someone put a source-route in
- * the inside header of a self-
- * encapsulated packet. Drop it
- * with extreme prejudice and let
- * the sender know.
- */
- icmp_unreachable(q, first_mp,
- ICMP_SOURCE_ROUTE_FAILED,
- recv_ill->ill_zoneid, ipst);
- return;
- }
- }
- if (!mctl_present) {
- ASSERT(first_mp == mp);
- /*
- * This means that somebody is sending
- * Self-encapsualted packets without AH/ESP.
- * If AH/ESP was present, we would have already
- * allocated the first_mp.
- *
- * Send this packet to find a tunnel endpoint.
- * if I can't find one, an ICMP
- * PROTOCOL_UNREACHABLE will get sent.
- */
- goto fanout;
- }
- /*
- * We generally store the ill_index if we need to
- * do IPsec processing as we lose the ill queue when
- * we come back. But in this case, we never should
- * have to store the ill_index here as it should have
- * been stored previously when we processed the
- * AH/ESP header in this routine or for non-ipsec
- * cases, we still have the queue. But for some bad
- * packets from the wire, we can get to IPsec after
- * this and we better store the index for that case.
- */
- ill = (ill_t *)q->q_ptr;
- ii = (ipsec_in_t *)first_mp->b_rptr;
- ii->ipsec_in_ill_index =
- ill->ill_phyint->phyint_ifindex;
- ii->ipsec_in_rill_index =
- recv_ill->ill_phyint->phyint_ifindex;
- if (ii->ipsec_in_decaps) {
- /*
- * This packet is self-encapsulated multiple
- * times. We don't want to recurse infinitely.
- * To keep it simple, drop the packet.
- */
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
- return;
- }
- ii->ipsec_in_decaps = B_TRUE;
- ip_fanout_proto_again(first_mp, recv_ill, recv_ill,
- ire);
- return;
- }
- break;
- case IPPROTO_AH:
- case IPPROTO_ESP: {
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
-
- /*
- * Fast path for AH/ESP. If this is the first time
- * we are sending a datagram to AH/ESP, allocate
- * a IPSEC_IN message and prepend it. Otherwise,
- * just fanout.
- */
-
- int ipsec_rc;
- ipsec_in_t *ii;
- netstack_t *ns = ipst->ips_netstack;
-
- IP_STAT(ipst, ipsec_proto_ahesp);
- if (!mctl_present) {
- ASSERT(first_mp == mp);
- first_mp = ipsec_in_alloc(B_TRUE, ns);
- if (first_mp == NULL) {
- ip1dbg(("ip_proto_input: IPSEC_IN "
- "allocation failure.\n"));
- freemsg(hada_mp); /* okay ifnull */
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(mp);
- return;
- }
- /*
- * Store the ill_index so that when we come back
- * from IPsec we ride on the same queue.
- */
- ill = (ill_t *)q->q_ptr;
- ii = (ipsec_in_t *)first_mp->b_rptr;
- ii->ipsec_in_ill_index =
- ill->ill_phyint->phyint_ifindex;
- ii->ipsec_in_rill_index =
- recv_ill->ill_phyint->phyint_ifindex;
- first_mp->b_cont = mp;
- /*
- * Cache hardware acceleration info.
- */
- if (hada_mp != NULL) {
- IPSECHW_DEBUG(IPSECHW_PKT,
- ("ip_rput_local: caching data attr.\n"));
- ii->ipsec_in_accelerated = B_TRUE;
- ii->ipsec_in_da = hada_mp;
- hada_mp = NULL;
- }
- } else {
- ii = (ipsec_in_t *)first_mp->b_rptr;
- }
-
- ii->ipsec_in_esp_udp_ports = esp_udp_ports;
-
- if (!ipsec_loaded(ipss)) {
- ip_proto_not_sup(q, first_mp, IP_FF_SEND_ICMP,
- ire->ire_zoneid, ipst);
- return;
- }
-
- ns = ipst->ips_netstack;
- /* select inbound SA and have IPsec process the pkt */
- if (ipha->ipha_protocol == IPPROTO_ESP) {
- esph_t *esph = ipsec_inbound_esp_sa(first_mp, ns);
- boolean_t esp_in_udp_sa;
- if (esph == NULL)
- return;
- ASSERT(ii->ipsec_in_esp_sa != NULL);
- ASSERT(ii->ipsec_in_esp_sa->ipsa_input_func != NULL);
- esp_in_udp_sa = ((ii->ipsec_in_esp_sa->ipsa_flags &
- IPSA_F_NATT) != 0);
- /*
- * The following is a fancy, but quick, way of saying:
- * ESP-in-UDP SA and Raw ESP packet --> drop
- * OR
- * ESP SA and ESP-in-UDP packet --> drop
- */
- if (esp_in_udp_sa != esp_in_udp_packet) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- ip_drop_packet(first_mp, B_TRUE, ill, NULL,
- DROPPER(ns->netstack_ipsec, ipds_esp_no_sa),
- &ns->netstack_ipsec->ipsec_dropper);
- return;
- }
- ipsec_rc = ii->ipsec_in_esp_sa->ipsa_input_func(
- first_mp, esph);
- } else {
- ah_t *ah = ipsec_inbound_ah_sa(first_mp, ns);
- if (ah == NULL)
- return;
- ASSERT(ii->ipsec_in_ah_sa != NULL);
- ASSERT(ii->ipsec_in_ah_sa->ipsa_input_func != NULL);
- ipsec_rc = ii->ipsec_in_ah_sa->ipsa_input_func(
- first_mp, ah);
- }
-
- switch (ipsec_rc) {
- case IPSEC_STATUS_SUCCESS:
- break;
- case IPSEC_STATUS_FAILED:
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- /* FALLTHRU */
- case IPSEC_STATUS_PENDING:
- return;
- }
- /* we're done with IPsec processing, send it up */
- ip_fanout_proto_again(first_mp, ill, recv_ill, ire);
- return;
- }
- default:
- break;
- }
- if (is_system_labeled() && !tsol_can_accept_raw(mp, B_FALSE)) {
- ip1dbg(("ip_proto_input: zone %d cannot accept raw IP",
- ire->ire_zoneid));
- goto drop_pkt;
- }
- /*
- * Handle protocols with which IP is less intimate. There
- * can be more than one stream bound to a particular
- * protocol. When this is the case, each one gets a copy
- * of any incoming packets.
- */
-fanout:
- ip_fanout_proto(q, first_mp, ill, ipha,
- IP_FF_SEND_ICMP | IP_FF_CKSUM | IP_FF_RAWIP, mctl_present,
- B_TRUE, recv_ill, ire->ire_zoneid);
- TRACE_2(TR_FAC_IP, TR_IP_RPUT_LOCL_END,
- "ip_rput_locl_end: q %p (%S)", q, "ip_fanout_proto");
- return;
-
-drop_pkt:
- freemsg(first_mp);
- if (hada_mp != NULL)
- freeb(hada_mp);
- TRACE_2(TR_FAC_IP, TR_IP_RPUT_LOCL_END,
- "ip_rput_locl_end: q %p (%S)", q, "droppkt");
-#undef rptr
-#undef iphs
-
-}
-
-/*
* Update any source route, record route or timestamp options.
* Check that we are at end of strict source route.
- * The options have already been checked for sanity in ip_rput_options().
+ * The options have already been checked for sanity in ip_input_options().
*/
-static boolean_t
-ip_rput_local_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ire_t *ire,
- ip_stack_t *ipst)
+boolean_t
+ip_input_local_options(mblk_t *mp, ipha_t *ipha, ip_recv_attr_t *ira)
{
ipoptp_t opts;
uchar_t *opt;
uint8_t optval;
uint8_t optlen;
ipaddr_t dst;
+ ipaddr_t ifaddr;
uint32_t ts;
- ire_t *dst_ire;
timestruc_t now;
- zoneid_t zoneid;
- ill_t *ill;
-
- ASSERT(ire->ire_ipversion == IPV4_VERSION);
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
- ip2dbg(("ip_rput_local_options\n"));
+ ip2dbg(("ip_input_local_options\n"));
for (optval = ipoptp_first(&opts, ipha);
optval != IPOPT_EOL;
@@ -17900,7 +9360,7 @@ ip_rput_local_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ire_t *ire,
ASSERT((opts.ipoptp_flags & IPOPTP_ERROR) == 0);
opt = opts.ipoptp_cur;
optlen = opts.ipoptp_len;
- ip2dbg(("ip_rput_local_options: opt %d, len %d\n",
+ ip2dbg(("ip_input_local_options: opt %d, len %d\n",
optval, optlen));
switch (optval) {
uint32_t off;
@@ -17911,7 +9371,7 @@ ip_rput_local_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ire_t *ire,
if (optlen < IP_ADDR_LEN ||
off > optlen - IP_ADDR_LEN) {
/* End of source route */
- ip1dbg(("ip_rput_local_options: end of SR\n"));
+ ip1dbg(("ip_input_local_options: end of SR\n"));
break;
}
/*
@@ -17920,7 +9380,7 @@ ip_rput_local_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ire_t *ire,
* it is a packet with a loose source route which
* reaches us before consuming the whole source route
*/
- ip1dbg(("ip_rput_local_options: not end of SR\n"));
+ ip1dbg(("ip_input_local_options: not end of SR\n"));
if (optval == IPOPT_SSRR) {
goto bad_src_route;
}
@@ -17941,11 +9401,17 @@ ip_rput_local_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ire_t *ire,
off > optlen - IP_ADDR_LEN) {
/* No more room - ignore */
ip1dbg((
- "ip_rput_local_options: end of RR\n"));
+ "ip_input_local_options: end of RR\n"));
break;
}
- bcopy(&ire->ire_src_addr, (char *)opt + off,
- IP_ADDR_LEN);
+ /* Pick a reasonable address on the outbound if */
+ if (ip_select_source_v4(ill, INADDR_ANY, ipha->ipha_dst,
+ INADDR_ANY, ALL_ZONES, ipst, &ifaddr, NULL,
+ NULL) != 0) {
+ /* No source! Shouldn't happen */
+ ifaddr = INADDR_ANY;
+ }
+ bcopy(&ifaddr, (char *)opt + off, IP_ADDR_LEN);
opt[IPOPT_OFFSET] += IP_ADDR_LEN;
break;
case IPOPT_TS:
@@ -17959,14 +9425,10 @@ ip_rput_local_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ire_t *ire,
/* Verify that the address matched */
off = opt[IPOPT_OFFSET] - 1;
bcopy((char *)opt + off, &dst, IP_ADDR_LEN);
- dst_ire = ire_ctable_lookup(dst, 0, IRE_LOCAL,
- NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE,
- ipst);
- if (dst_ire == NULL) {
+ if (ip_type_v4(dst, ipst) != IRE_LOCAL) {
/* Not for us */
break;
}
- ire_refrele(dst_ire);
/* FALLTHRU */
case IPOPT_TS_TSANDADDR:
off = IP_ADDR_LEN + IPOPT_TS_TIMELEN;
@@ -17976,8 +9438,8 @@ ip_rput_local_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ire_t *ire,
* ip_*put_options should have already
* dropped this packet.
*/
- cmn_err(CE_PANIC, "ip_rput_local_options: "
- "unknown IT - bug in ip_rput_options?\n");
+ cmn_err(CE_PANIC, "ip_input_local_options: "
+ "unknown IT - bug in ip_input_options?\n");
return (B_TRUE); /* Keep "lint" happy */
}
if (opt[IPOPT_OFFSET] - 1 + off > optlen) {
@@ -17993,8 +9455,14 @@ ip_rput_local_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ire_t *ire,
case IPOPT_TS_PRESPEC:
case IPOPT_TS_PRESPEC_RFC791:
case IPOPT_TS_TSANDADDR:
- bcopy(&ire->ire_src_addr, (char *)opt + off,
- IP_ADDR_LEN);
+ /* Pick a reasonable addr on the outbound if */
+ if (ip_select_source_v4(ill, INADDR_ANY,
+ ipha->ipha_dst, INADDR_ANY, ALL_ZONES, ipst,
+ &ifaddr, NULL, NULL) != 0) {
+ /* No source! Shouldn't happen */
+ ifaddr = INADDR_ANY;
+ }
+ bcopy(&ifaddr, (char *)opt + off, IP_ADDR_LEN);
opt[IPOPT_OFFSET] += IP_ADDR_LEN;
/* FALLTHRU */
case IPOPT_TS_TSONLY:
@@ -18013,51 +9481,41 @@ ip_rput_local_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ire_t *ire,
return (B_TRUE);
bad_src_route:
- q = WR(q);
- if (q->q_next != NULL)
- ill = q->q_ptr;
- else
- ill = NULL;
-
/* make sure we clear any indication of a hardware checksum */
DB_CKSUMFLAGS(mp) = 0;
- zoneid = ipif_lookup_addr_zoneid(ipha->ipha_dst, ill, ipst);
- if (zoneid == ALL_ZONES)
- freemsg(mp);
- else
- icmp_unreachable(q, mp, ICMP_SOURCE_ROUTE_FAILED, zoneid, ipst);
+ ip_drop_input("ICMP_SOURCE_ROUTE_FAILED", mp, ill);
+ icmp_unreachable(mp, ICMP_SOURCE_ROUTE_FAILED, ira);
return (B_FALSE);
}
/*
- * Process IP options in an inbound packet. If an option affects the
- * effective destination address, return the next hop address via dstp.
- * Returns -1 if something fails in which case an ICMP error has been sent
+ * Process IP options in an inbound packet. Always returns the nexthop.
+ * Normally this is the passed in nexthop, but if there is an option
+ * that effects the nexthop (such as a source route) that will be returned.
+ * Sets *errorp if there is an error, in which case an ICMP error has been sent
* and mp freed.
*/
-static int
-ip_rput_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ipaddr_t *dstp,
- ip_stack_t *ipst)
+ipaddr_t
+ip_input_options(ipha_t *ipha, ipaddr_t dst, mblk_t *mp,
+ ip_recv_attr_t *ira, int *errorp)
{
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
ipoptp_t opts;
uchar_t *opt;
uint8_t optval;
uint8_t optlen;
- ipaddr_t dst;
intptr_t code = 0;
- ire_t *ire = NULL;
- zoneid_t zoneid;
- ill_t *ill;
+ ire_t *ire;
- ip2dbg(("ip_rput_options\n"));
- dst = ipha->ipha_dst;
+ ip2dbg(("ip_input_options\n"));
+ *errorp = 0;
for (optval = ipoptp_first(&opts, ipha);
optval != IPOPT_EOL;
optval = ipoptp_next(&opts)) {
opt = opts.ipoptp_cur;
optlen = opts.ipoptp_len;
- ip2dbg(("ip_rput_options: opt %d, len %d\n",
+ ip2dbg(("ip_input_options: opt %d, len %d\n",
optval, optlen));
/*
* Note: we need to verify the checksum before we
@@ -18068,27 +9526,24 @@ ip_rput_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ipaddr_t *dstp,
uint32_t off;
case IPOPT_SSRR:
case IPOPT_LSRR:
- ire = ire_ctable_lookup(dst, 0, IRE_LOCAL, NULL,
- ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- if (ire == NULL) {
+ if (ip_type_v4(dst, ipst) != IRE_LOCAL) {
if (optval == IPOPT_SSRR) {
- ip1dbg(("ip_rput_options: not next"
+ ip1dbg(("ip_input_options: not next"
" strict source route 0x%x\n",
ntohl(dst)));
code = (char *)&ipha->ipha_dst -
(char *)ipha;
goto param_prob; /* RouterReq's */
}
- ip2dbg(("ip_rput_options: "
+ ip2dbg(("ip_input_options: "
"not next source route 0x%x\n",
ntohl(dst)));
break;
}
- ire_refrele(ire);
if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
ip1dbg((
- "ip_rput_options: bad option offset\n"));
+ "ip_input_options: bad option offset\n"));
code = (char *)&opt[IPOPT_OLEN] -
(char *)ipha;
goto param_prob;
@@ -18099,11 +9554,11 @@ ip_rput_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ipaddr_t *dstp,
if (optlen < IP_ADDR_LEN ||
off > optlen - IP_ADDR_LEN) {
/* End of source route */
- ip1dbg(("ip_rput_options: end of SR\n"));
+ ip1dbg(("ip_input_options: end of SR\n"));
break;
}
bcopy((char *)opt + off, &dst, IP_ADDR_LEN);
- ip1dbg(("ip_rput_options: next hop 0x%x\n",
+ ip1dbg(("ip_input_options: next hop 0x%x\n",
ntohl(dst)));
/*
@@ -18112,17 +9567,13 @@ ip_rput_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ipaddr_t *dstp,
* XXX verify per-interface ip_forwarding
* for source route?
*/
- ire = ire_ctable_lookup(dst, 0, IRE_LOCAL, NULL,
- ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
-
- if (ire != NULL) {
- ire_refrele(ire);
+ if (ip_type_v4(dst, ipst) == IRE_LOCAL) {
off += IP_ADDR_LEN;
goto redo_srr;
}
if (dst == htonl(INADDR_LOOPBACK)) {
- ip1dbg(("ip_rput_options: loopback addr in "
+ ip1dbg(("ip_input_options: loopback addr in "
"source route!\n"));
goto bad_src_route;
}
@@ -18131,12 +9582,13 @@ ip_rput_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ipaddr_t *dstp,
* reachable.
*/
if (optval == IPOPT_SSRR) {
- ire = ire_ftable_lookup(dst, 0, 0,
- IRE_INTERFACE, NULL, NULL, ALL_ZONES, 0,
- msg_getlabel(mp),
- MATCH_IRE_TYPE | MATCH_IRE_SECATTR, ipst);
+ ire = ire_ftable_lookup_v4(dst, 0, 0,
+ IRE_IF_ALL, NULL, ALL_ZONES,
+ ira->ira_tsl,
+ MATCH_IRE_TYPE | MATCH_IRE_SECATTR, 0, ipst,
+ NULL);
if (ire == NULL) {
- ip1dbg(("ip_rput_options: SSRR not "
+ ip1dbg(("ip_input_options: SSRR not "
"directly reachable: 0x%x\n",
ntohl(dst)));
goto bad_src_route;
@@ -18151,7 +9603,7 @@ ip_rput_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ipaddr_t *dstp,
case IPOPT_RR:
if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
ip1dbg((
- "ip_rput_options: bad option offset\n"));
+ "ip_input_options: bad option offset\n"));
code = (char *)&opt[IPOPT_OLEN] -
(char *)ipha;
goto param_prob;
@@ -18169,7 +9621,7 @@ ip_rput_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ipaddr_t *dstp,
}
if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
ip1dbg((
- "ip_rput_options: bad option offset\n"));
+ "ip_input_options: bad option offset\n"));
code = (char *)&opt[IPOPT_OFFSET] -
(char *)ipha;
goto param_prob;
@@ -18201,45 +9653,27 @@ ip_rput_options(queue_t *q, mblk_t *mp, ipha_t *ipha, ipaddr_t *dstp,
}
if ((opts.ipoptp_flags & IPOPTP_ERROR) == 0) {
- *dstp = dst;
- return (0);
+ return (dst);
}
- ip1dbg(("ip_rput_options: error processing IP options."));
+ ip1dbg(("ip_input_options: error processing IP options."));
code = (char *)&opt[IPOPT_OFFSET] - (char *)ipha;
param_prob:
- q = WR(q);
- if (q->q_next != NULL)
- ill = q->q_ptr;
- else
- ill = NULL;
-
/* make sure we clear any indication of a hardware checksum */
DB_CKSUMFLAGS(mp) = 0;
- /* Don't know whether this is for non-global or global/forwarding */
- zoneid = ipif_lookup_addr_zoneid(dst, ill, ipst);
- if (zoneid == ALL_ZONES)
- freemsg(mp);
- else
- icmp_param_problem(q, mp, (uint8_t)code, zoneid, ipst);
- return (-1);
+ ip_drop_input("ICMP_PARAM_PROBLEM", mp, ira->ira_ill);
+ icmp_param_problem(mp, (uint8_t)code, ira);
+ *errorp = -1;
+ return (dst);
bad_src_route:
- q = WR(q);
- if (q->q_next != NULL)
- ill = q->q_ptr;
- else
- ill = NULL;
-
/* make sure we clear any indication of a hardware checksum */
DB_CKSUMFLAGS(mp) = 0;
- zoneid = ipif_lookup_addr_zoneid(dst, ill, ipst);
- if (zoneid == ALL_ZONES)
- freemsg(mp);
- else
- icmp_unreachable(q, mp, ICMP_SOURCE_ROUTE_FAILED, zoneid, ipst);
- return (-1);
+ ip_drop_input("ICMP_SOURCE_ROUTE_FAILED", mp, ira->ira_ill);
+ icmp_unreachable(mp, ICMP_SOURCE_ROUTE_FAILED, ira);
+ *errorp = -1;
+ return (dst);
}
/*
@@ -18248,7 +9682,7 @@ bad_src_route:
* - icmp fixed part (mib2_icmp_t)
* - ipAddrEntryTable (ip 20) all IPv4 ipifs
* - ipRouteEntryTable (ip 21) all IPv4 IREs
- * - ipNetToMediaEntryTable (ip 22) [filled in by the arp module]
+ * - ipNetToMediaEntryTable (ip 22) all IPv4 Neighbor Cache entries
* - ipRouteAttributeTable (ip 102) labeled routes
* - ip multicast membership (ip_member_t)
* - ip multicast source filtering (ip_grpsrc_t)
@@ -18262,13 +9696,11 @@ bad_src_route:
* One per ill plus one generic
* - ipv6RouteEntry all IPv6 IREs
* - ipv6RouteAttributeTable (ip6 102) labeled routes
- * - ipv6NetToMediaEntry all Neighbor Cache entries
+ * - ipv6NetToMediaEntry all IPv6 Neighbor Cache entries
* - ipv6AddrEntry all IPv6 ipifs
* - ipv6 multicast membership (ipv6_member_t)
* - ipv6 multicast source filtering (ipv6_grpsrc_t)
*
- * MIB2_IP_MEDIA is filled in by the arp module with ARP cache entries.
- *
* NOTE: original mpctl is copied for msg's 2..N, since its ctl part is
* already filled in by the caller.
* Return value of 0 indicates that no messages were sent and caller
@@ -18387,6 +9819,9 @@ ip_snmp_get(queue_t *q, mblk_t *mpctl, int level)
if ((mpctl = sctp_snmp_get_mib2(q, mpctl, sctps)) == NULL) {
return (1);
}
+ if ((mpctl = ip_snmp_get_mib2_ip_dce(q, mpctl, ipst)) == NULL) {
+ return (1);
+ }
freemsg(mpctl);
return (1);
}
@@ -18426,6 +9861,7 @@ ip_snmp_get_mib2_ip(queue_t *q, mblk_t *mpctl, mib2_ipIfStatsEntry_t *ipmib,
SET_MIB(old_ip_mib.ipRouteAttributeSize,
sizeof (mib2_ipAttributeEntry_t));
SET_MIB(old_ip_mib.transportMLPSize, sizeof (mib2_transportMLPEntry_t));
+ SET_MIB(old_ip_mib.ipDestEntrySize, sizeof (dest_cache_entry_t));
/*
* Grab the statistics from the new IP MIB
@@ -18681,9 +10117,14 @@ ip_snmp_get_mib2_ip_addr(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
if (ipif->ipif_zoneid != zoneid &&
ipif->ipif_zoneid != ALL_ZONES)
continue;
+ /* Sum of count from dead IRE_LO* and our current */
mae.ipAdEntInfo.ae_ibcnt = ipif->ipif_ib_pkt_count;
- mae.ipAdEntInfo.ae_obcnt = ipif->ipif_ob_pkt_count;
- mae.ipAdEntInfo.ae_focnt = ipif->ipif_fo_pkt_count;
+ if (ipif->ipif_ire_local != NULL) {
+ mae.ipAdEntInfo.ae_ibcnt +=
+ ipif->ipif_ire_local->ire_ib_pkt_count;
+ }
+ mae.ipAdEntInfo.ae_obcnt = 0;
+ mae.ipAdEntInfo.ae_focnt = 0;
ipif_get_name(ipif, mae.ipAdEntIfIndex.o_bytes,
OCTET_LENGTH);
@@ -18694,7 +10135,7 @@ ip_snmp_get_mib2_ip_addr(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
mae.ipAdEntInfo.ae_subnet = ipif->ipif_subnet;
mae.ipAdEntInfo.ae_subnet_len =
ip_mask_to_plen(ipif->ipif_net_mask);
- mae.ipAdEntInfo.ae_src_addr = ipif->ipif_src_addr;
+ mae.ipAdEntInfo.ae_src_addr = ipif->ipif_lcl_addr;
for (bitval = 1;
bitval &&
!(bitval & ipif->ipif_brd_addr);
@@ -18702,7 +10143,7 @@ ip_snmp_get_mib2_ip_addr(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
noop;
mae.ipAdEntBcastAddr = bitval;
mae.ipAdEntReasmMaxSize = IP_MAXPACKET;
- mae.ipAdEntInfo.ae_mtu = ipif->ipif_mtu;
+ mae.ipAdEntInfo.ae_mtu = ipif->ipif_ill->ill_mtu;
mae.ipAdEntInfo.ae_metric = ipif->ipif_metric;
mae.ipAdEntInfo.ae_broadcast_addr =
ipif->ipif_brd_addr;
@@ -18710,7 +10151,8 @@ ip_snmp_get_mib2_ip_addr(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
ipif->ipif_pp_dst_addr;
mae.ipAdEntInfo.ae_flags = ipif->ipif_flags |
ill->ill_flags | ill->ill_phyint->phyint_flags;
- mae.ipAdEntRetransmitTime = AR_EQ_DEFAULT_XMIT_INTERVAL;
+ mae.ipAdEntRetransmitTime =
+ ill->ill_reachable_retrans_time;
if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
(char *)&mae, (int)sizeof (mib2_ipAddrEntry_t))) {
@@ -18762,9 +10204,14 @@ ip_snmp_get_mib2_ip6_addr(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
if (ipif->ipif_zoneid != zoneid &&
ipif->ipif_zoneid != ALL_ZONES)
continue;
+ /* Sum of count from dead IRE_LO* and our current */
mae6.ipv6AddrInfo.ae_ibcnt = ipif->ipif_ib_pkt_count;
- mae6.ipv6AddrInfo.ae_obcnt = ipif->ipif_ob_pkt_count;
- mae6.ipv6AddrInfo.ae_focnt = ipif->ipif_fo_pkt_count;
+ if (ipif->ipif_ire_local != NULL) {
+ mae6.ipv6AddrInfo.ae_ibcnt +=
+ ipif->ipif_ire_local->ire_ib_pkt_count;
+ }
+ mae6.ipv6AddrInfo.ae_obcnt = 0;
+ mae6.ipv6AddrInfo.ae_focnt = 0;
ipif_get_name(ipif, mae6.ipv6AddrIfIndex.o_bytes,
OCTET_LENGTH);
@@ -18776,7 +10223,7 @@ ip_snmp_get_mib2_ip6_addr(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
mae6.ipv6AddrInfo.ae_subnet = ipif->ipif_v6subnet;
mae6.ipv6AddrInfo.ae_subnet_len =
mae6.ipv6AddrPfxLength;
- mae6.ipv6AddrInfo.ae_src_addr = ipif->ipif_v6src_addr;
+ mae6.ipv6AddrInfo.ae_src_addr = ipif->ipif_v6lcl_addr;
/* Type: stateless(1), stateful(2), unknown(3) */
if (ipif->ipif_flags & IPIF_ADDRCONF)
@@ -18799,7 +10246,7 @@ ip_snmp_get_mib2_ip6_addr(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
mae6.ipv6AddrStatus = 2;
else
mae6.ipv6AddrStatus = 1;
- mae6.ipv6AddrInfo.ae_mtu = ipif->ipif_mtu;
+ mae6.ipv6AddrInfo.ae_mtu = ipif->ipif_ill->ill_mtu;
mae6.ipv6AddrInfo.ae_metric = ipif->ipif_metric;
mae6.ipv6AddrInfo.ae_pp_dst_addr =
ipif->ipif_v6pp_dst_addr;
@@ -18842,7 +10289,6 @@ ip_snmp_get_mib2_ip_group_mem(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
mblk_t *mp_tail = NULL;
ill_walk_context_t ctx;
zoneid_t zoneid;
- ilm_walker_t ilw;
/*
* make a copy of the original message
@@ -18859,36 +10305,49 @@ ip_snmp_get_mib2_ip_group_mem(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
rw_enter(&ipst->ips_ill_g_lock, RW_READER);
ill = ILL_START_WALK_V4(&ctx, ipst);
for (; ill != NULL; ill = ill_next(&ctx, ill)) {
- if (IS_UNDER_IPMP(ill))
+ /* Make sure the ill isn't going away. */
+ if (!ill_check_and_refhold(ill))
continue;
+ rw_exit(&ipst->ips_ill_g_lock);
+ rw_enter(&ill->ill_mcast_lock, RW_READER);
+ for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
+ if (ilm->ilm_zoneid != zoneid &&
+ ilm->ilm_zoneid != ALL_ZONES)
+ continue;
- ilm = ilm_walker_start(&ilw, ill);
- for (ipif = ill->ill_ipif; ipif != NULL;
- ipif = ipif->ipif_next) {
- if (ipif->ipif_zoneid != zoneid &&
- ipif->ipif_zoneid != ALL_ZONES)
- continue; /* not this zone */
- ipif_get_name(ipif, ipm.ipGroupMemberIfIndex.o_bytes,
- OCTET_LENGTH);
+ /* Is there an ipif for ilm_ifaddr? */
+ for (ipif = ill->ill_ipif; ipif != NULL;
+ ipif = ipif->ipif_next) {
+ if (!IPIF_IS_CONDEMNED(ipif) &&
+ ipif->ipif_lcl_addr == ilm->ilm_ifaddr &&
+ ilm->ilm_ifaddr != INADDR_ANY)
+ break;
+ }
+ if (ipif != NULL) {
+ ipif_get_name(ipif,
+ ipm.ipGroupMemberIfIndex.o_bytes,
+ OCTET_LENGTH);
+ } else {
+ ill_get_name(ill,
+ ipm.ipGroupMemberIfIndex.o_bytes,
+ OCTET_LENGTH);
+ }
ipm.ipGroupMemberIfIndex.o_length =
mi_strlen(ipm.ipGroupMemberIfIndex.o_bytes);
- for (; ilm != NULL; ilm = ilm_walker_step(&ilw, ilm)) {
- ASSERT(ilm->ilm_ipif != NULL);
- ASSERT(ilm->ilm_ill == NULL);
- if (ilm->ilm_ipif != ipif)
- continue;
- ipm.ipGroupMemberAddress = ilm->ilm_addr;
- ipm.ipGroupMemberRefCnt = ilm->ilm_refcnt;
- ipm.ipGroupMemberFilterMode = ilm->ilm_fmode;
- if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
- (char *)&ipm, (int)sizeof (ipm))) {
- ip1dbg(("ip_snmp_get_mib2_ip_group: "
- "failed to allocate %u bytes\n",
- (uint_t)sizeof (ipm)));
- }
+
+ ipm.ipGroupMemberAddress = ilm->ilm_addr;
+ ipm.ipGroupMemberRefCnt = ilm->ilm_refcnt;
+ ipm.ipGroupMemberFilterMode = ilm->ilm_fmode;
+ if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
+ (char *)&ipm, (int)sizeof (ipm))) {
+ ip1dbg(("ip_snmp_get_mib2_ip_group: "
+ "failed to allocate %u bytes\n",
+ (uint_t)sizeof (ipm)));
}
}
- ilm_walker_finish(&ilw);
+ rw_exit(&ill->ill_mcast_lock);
+ ill_refrele(ill);
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
}
rw_exit(&ipst->ips_ill_g_lock);
optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
@@ -18910,7 +10369,6 @@ ip_snmp_get_mib2_ip6_group_mem(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
mblk_t *mp_tail = NULL;
ill_walk_context_t ctx;
zoneid_t zoneid;
- ilm_walker_t ilw;
/*
* make a copy of the original message
@@ -18926,15 +10384,19 @@ ip_snmp_get_mib2_ip6_group_mem(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
rw_enter(&ipst->ips_ill_g_lock, RW_READER);
ill = ILL_START_WALK_V6(&ctx, ipst);
for (; ill != NULL; ill = ill_next(&ctx, ill)) {
- if (IS_UNDER_IPMP(ill))
+ /* Make sure the ill isn't going away. */
+ if (!ill_check_and_refhold(ill))
continue;
-
- ilm = ilm_walker_start(&ilw, ill);
+ rw_exit(&ipst->ips_ill_g_lock);
+ /*
+ * Normally we don't have any members on under IPMP interfaces.
+ * We report them as a debugging aid.
+ */
+ rw_enter(&ill->ill_mcast_lock, RW_READER);
ipm6.ipv6GroupMemberIfIndex = ill->ill_phyint->phyint_ifindex;
- for (; ilm != NULL; ilm = ilm_walker_step(&ilw, ilm)) {
- ASSERT(ilm->ilm_ipif == NULL);
- ASSERT(ilm->ilm_ill != NULL);
- if (ilm->ilm_zoneid != zoneid)
+ for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
+ if (ilm->ilm_zoneid != zoneid &&
+ ilm->ilm_zoneid != ALL_ZONES)
continue; /* not this zone */
ipm6.ipv6GroupMemberAddress = ilm->ilm_v6addr;
ipm6.ipv6GroupMemberRefCnt = ilm->ilm_refcnt;
@@ -18947,7 +10409,9 @@ ip_snmp_get_mib2_ip6_group_mem(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
(uint_t)sizeof (ipm6)));
}
}
- ilm_walker_finish(&ilw);
+ rw_exit(&ill->ill_mcast_lock);
+ ill_refrele(ill);
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
}
rw_exit(&ipst->ips_ill_g_lock);
@@ -18973,7 +10437,6 @@ ip_snmp_get_mib2_ip_group_src(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
zoneid_t zoneid;
int i;
slist_t *sl;
- ilm_walker_t ilw;
/*
* make a copy of the original message
@@ -18990,43 +10453,56 @@ ip_snmp_get_mib2_ip_group_src(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
rw_enter(&ipst->ips_ill_g_lock, RW_READER);
ill = ILL_START_WALK_V4(&ctx, ipst);
for (; ill != NULL; ill = ill_next(&ctx, ill)) {
- if (IS_UNDER_IPMP(ill))
+ /* Make sure the ill isn't going away. */
+ if (!ill_check_and_refhold(ill))
continue;
+ rw_exit(&ipst->ips_ill_g_lock);
+ rw_enter(&ill->ill_mcast_lock, RW_READER);
+ for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
+ sl = ilm->ilm_filter;
+ if (ilm->ilm_zoneid != zoneid &&
+ ilm->ilm_zoneid != ALL_ZONES)
+ continue;
+ if (SLIST_IS_EMPTY(sl))
+ continue;
- ilm = ilm_walker_start(&ilw, ill);
- for (ipif = ill->ill_ipif; ipif != NULL;
- ipif = ipif->ipif_next) {
- if (ipif->ipif_zoneid != zoneid)
- continue; /* not this zone */
- ipif_get_name(ipif, ips.ipGroupSourceIfIndex.o_bytes,
- OCTET_LENGTH);
+ /* Is there an ipif for ilm_ifaddr? */
+ for (ipif = ill->ill_ipif; ipif != NULL;
+ ipif = ipif->ipif_next) {
+ if (!IPIF_IS_CONDEMNED(ipif) &&
+ ipif->ipif_lcl_addr == ilm->ilm_ifaddr &&
+ ilm->ilm_ifaddr != INADDR_ANY)
+ break;
+ }
+ if (ipif != NULL) {
+ ipif_get_name(ipif,
+ ips.ipGroupSourceIfIndex.o_bytes,
+ OCTET_LENGTH);
+ } else {
+ ill_get_name(ill,
+ ips.ipGroupSourceIfIndex.o_bytes,
+ OCTET_LENGTH);
+ }
ips.ipGroupSourceIfIndex.o_length =
mi_strlen(ips.ipGroupSourceIfIndex.o_bytes);
- for (; ilm != NULL; ilm = ilm_walker_step(&ilw, ilm)) {
- ASSERT(ilm->ilm_ipif != NULL);
- ASSERT(ilm->ilm_ill == NULL);
- sl = ilm->ilm_filter;
- if (ilm->ilm_ipif != ipif || SLIST_IS_EMPTY(sl))
+
+ ips.ipGroupSourceGroup = ilm->ilm_addr;
+ for (i = 0; i < sl->sl_numsrc; i++) {
+ if (!IN6_IS_ADDR_V4MAPPED(&sl->sl_addr[i]))
continue;
- ips.ipGroupSourceGroup = ilm->ilm_addr;
- for (i = 0; i < sl->sl_numsrc; i++) {
- if (!IN6_IS_ADDR_V4MAPPED(
- &sl->sl_addr[i]))
- continue;
- IN6_V4MAPPED_TO_IPADDR(&sl->sl_addr[i],
- ips.ipGroupSourceAddress);
- if (snmp_append_data2(mpctl->b_cont,
- &mp_tail, (char *)&ips,
- (int)sizeof (ips)) == 0) {
- ip1dbg(("ip_snmp_get_mib2_"
- "ip_group_src: failed to "
- "allocate %u bytes\n",
- (uint_t)sizeof (ips)));
- }
+ IN6_V4MAPPED_TO_IPADDR(&sl->sl_addr[i],
+ ips.ipGroupSourceAddress);
+ if (snmp_append_data2(mpctl->b_cont, &mp_tail,
+ (char *)&ips, (int)sizeof (ips)) == 0) {
+ ip1dbg(("ip_snmp_get_mib2_ip_group_src:"
+ " failed to allocate %u bytes\n",
+ (uint_t)sizeof (ips)));
}
}
}
- ilm_walker_finish(&ilw);
+ rw_exit(&ill->ill_mcast_lock);
+ ill_refrele(ill);
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
}
rw_exit(&ipst->ips_ill_g_lock);
optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
@@ -19050,7 +10526,6 @@ ip_snmp_get_mib2_ip6_group_src(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
zoneid_t zoneid;
int i;
slist_t *sl;
- ilm_walker_t ilw;
/*
* make a copy of the original message
@@ -19066,16 +10541,22 @@ ip_snmp_get_mib2_ip6_group_src(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
rw_enter(&ipst->ips_ill_g_lock, RW_READER);
ill = ILL_START_WALK_V6(&ctx, ipst);
for (; ill != NULL; ill = ill_next(&ctx, ill)) {
- if (IS_UNDER_IPMP(ill))
+ /* Make sure the ill isn't going away. */
+ if (!ill_check_and_refhold(ill))
continue;
-
- ilm = ilm_walker_start(&ilw, ill);
+ rw_exit(&ipst->ips_ill_g_lock);
+ /*
+ * Normally we don't have any members on under IPMP interfaces.
+ * We report them as a debugging aid.
+ */
+ rw_enter(&ill->ill_mcast_lock, RW_READER);
ips6.ipv6GroupSourceIfIndex = ill->ill_phyint->phyint_ifindex;
- for (; ilm != NULL; ilm = ilm_walker_step(&ilw, ilm)) {
- ASSERT(ilm->ilm_ipif == NULL);
- ASSERT(ilm->ilm_ill != NULL);
+ for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
sl = ilm->ilm_filter;
- if (ilm->ilm_zoneid != zoneid || SLIST_IS_EMPTY(sl))
+ if (ilm->ilm_zoneid != zoneid &&
+ ilm->ilm_zoneid != ALL_ZONES)
+ continue;
+ if (SLIST_IS_EMPTY(sl))
continue;
ips6.ipv6GroupSourceGroup = ilm->ilm_v6addr;
for (i = 0; i < sl->sl_numsrc; i++) {
@@ -19089,7 +10570,9 @@ ip_snmp_get_mib2_ip6_group_src(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
}
}
}
- ilm_walker_finish(&ilw);
+ rw_exit(&ill->ill_mcast_lock);
+ ill_refrele(ill);
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
}
rw_exit(&ipst->ips_ill_g_lock);
@@ -19189,13 +10672,13 @@ ip_snmp_get_mib2_ip_route_media(queue_t *q, mblk_t *mpctl, int level,
ird.ird_netmedia.lp_head = mp3ctl->b_cont;
ird.ird_attrs.lp_head = mp4ctl->b_cont;
/*
- * If the level has been set the special EXPER_IP_AND_TESTHIDDEN
- * value, then also include IRE_MARK_TESTHIDDEN IREs. This is
+ * If the level has been set the special EXPER_IP_AND_ALL_IRES value,
+ * then also include ire_testhidden IREs and IRE_IF_CLONE. This is
* intended a temporary solution until a proper MIB API is provided
* that provides complete filtering/caller-opt-in.
*/
- if (level == EXPER_IP_AND_TESTHIDDEN)
- ird.ird_flags |= IRD_REPORT_TESTHIDDEN;
+ if (level == EXPER_IP_AND_ALL_IRES)
+ ird.ird_flags |= IRD_REPORT_ALL;
zoneid = Q_TO_CONN(q)->conn_zoneid;
ire_walk_v4(ip_snmp_get2_v4, &ird, zoneid, ipst);
@@ -19210,6 +10693,8 @@ ip_snmp_get_mib2_ip_route_media(queue_t *q, mblk_t *mpctl, int level,
qreply(q, mpctl);
/* ipNetToMediaEntryTable in mp3ctl */
+ ncec_walk(NULL, ip_snmp_get2_v4_media, &ird, ipst);
+
optp = (struct opthdr *)&mp3ctl->b_rptr[sizeof (struct T_optmgmt_ack)];
optp->level = MIB2_IP;
optp->name = MIB2_IP_MEDIA;
@@ -19272,13 +10757,13 @@ ip_snmp_get_mib2_ip6_route_media(queue_t *q, mblk_t *mpctl, int level,
ird.ird_netmedia.lp_head = mp3ctl->b_cont;
ird.ird_attrs.lp_head = mp4ctl->b_cont;
/*
- * If the level has been set the special EXPER_IP_AND_TESTHIDDEN
- * value, then also include IRE_MARK_TESTHIDDEN IREs. This is
+ * If the level has been set the special EXPER_IP_AND_ALL_IRES value,
+ * then also include ire_testhidden IREs and IRE_IF_CLONE. This is
* intended a temporary solution until a proper MIB API is provided
* that provides complete filtering/caller-opt-in.
*/
- if (level == EXPER_IP_AND_TESTHIDDEN)
- ird.ird_flags |= IRD_REPORT_TESTHIDDEN;
+ if (level == EXPER_IP_AND_ALL_IRES)
+ ird.ird_flags |= IRD_REPORT_ALL;
zoneid = Q_TO_CONN(q)->conn_zoneid;
ire_walk_v6(ip_snmp_get2_v6_route, &ird, zoneid, ipst);
@@ -19292,7 +10777,7 @@ ip_snmp_get_mib2_ip6_route_media(queue_t *q, mblk_t *mpctl, int level,
qreply(q, mpctl);
/* ipv6NetToMediaEntryTable in mp3ctl */
- ndp_walk(NULL, ip_snmp_get2_v6_media, &ird, ipst);
+ ncec_walk(NULL, ip_snmp_get2_v6_media, &ird, ipst);
optp = (struct opthdr *)&mp3ctl->b_rptr[sizeof (struct T_optmgmt_ack)];
optp->level = MIB2_IP6;
@@ -19487,21 +10972,20 @@ static void
ip_snmp_get2_v4(ire_t *ire, iproutedata_t *ird)
{
ill_t *ill;
- ipif_t *ipif;
mib2_ipRouteEntry_t *re;
- mib2_ipAttributeEntry_t *iae, *iaeptr;
- ipaddr_t gw_addr;
+ mib2_ipAttributeEntry_t iaes;
tsol_ire_gw_secattr_t *attrp;
tsol_gc_t *gc = NULL;
tsol_gcgrp_t *gcgrp = NULL;
- uint_t sacnt = 0;
- int i;
+ ip_stack_t *ipst = ire->ire_ipst;
ASSERT(ire->ire_ipversion == IPV4_VERSION);
- if (!(ird->ird_flags & IRD_REPORT_TESTHIDDEN) &&
- ire->ire_marks & IRE_MARK_TESTHIDDEN) {
- return;
+ if (!(ird->ird_flags & IRD_REPORT_ALL)) {
+ if (ire->ire_testhidden)
+ return;
+ if (ire->ire_type & IRE_IF_CLONE)
+ return;
}
if ((re = kmem_zalloc(sizeof (*re), KM_NOSLEEP)) == NULL)
@@ -19513,52 +10997,17 @@ ip_snmp_get2_v4(ire_t *ire, iproutedata_t *ird)
gcgrp = gc->gc_grp;
ASSERT(gcgrp != NULL);
rw_enter(&gcgrp->gcgrp_rwlock, RW_READER);
- sacnt = 1;
- } else if ((gcgrp = attrp->igsa_gcgrp) != NULL) {
- rw_enter(&gcgrp->gcgrp_rwlock, RW_READER);
- gc = gcgrp->gcgrp_head;
- sacnt = gcgrp->gcgrp_count;
}
mutex_exit(&attrp->igsa_lock);
-
- /* do nothing if there's no gc to report */
- if (gc == NULL) {
- ASSERT(sacnt == 0);
- if (gcgrp != NULL) {
- /* we might as well drop the lock now */
- rw_exit(&gcgrp->gcgrp_rwlock);
- gcgrp = NULL;
- }
- attrp = NULL;
- }
-
- ASSERT(gc == NULL || (gcgrp != NULL &&
- RW_LOCK_HELD(&gcgrp->gcgrp_rwlock)));
}
- ASSERT(sacnt == 0 || gc != NULL);
-
- if (sacnt != 0 &&
- (iae = kmem_alloc(sacnt * sizeof (*iae), KM_NOSLEEP)) == NULL) {
- kmem_free(re, sizeof (*re));
- rw_exit(&gcgrp->gcgrp_rwlock);
- return;
- }
-
/*
* Return all IRE types for route table... let caller pick and choose
*/
re->ipRouteDest = ire->ire_addr;
- ipif = ire->ire_ipif;
+ ill = ire->ire_ill;
re->ipRouteIfIndex.o_length = 0;
- if (ire->ire_type == IRE_CACHE) {
- ill = (ill_t *)ire->ire_stq->q_ptr;
- re->ipRouteIfIndex.o_length =
- ill->ill_name_length == 0 ? 0 :
- MIN(OCTET_LENGTH, ill->ill_name_length - 1);
- bcopy(ill->ill_name, re->ipRouteIfIndex.o_bytes,
- re->ipRouteIfIndex.o_length);
- } else if (ipif != NULL) {
- ipif_get_name(ipif, re->ipRouteIfIndex.o_bytes, OCTET_LENGTH);
+ if (ill != NULL) {
+ ill_get_name(ill, re->ipRouteIfIndex.o_bytes, OCTET_LENGTH);
re->ipRouteIfIndex.o_length =
mi_strlen(re->ipRouteIfIndex.o_bytes);
}
@@ -19567,30 +11016,45 @@ ip_snmp_get2_v4(ire_t *ire, iproutedata_t *ird)
re->ipRouteMetric3 = -1;
re->ipRouteMetric4 = -1;
- gw_addr = ire->ire_gateway_addr;
-
- if (ire->ire_type & (IRE_INTERFACE|IRE_LOOPBACK|IRE_BROADCAST))
- re->ipRouteNextHop = ire->ire_src_addr;
- else
- re->ipRouteNextHop = gw_addr;
+ re->ipRouteNextHop = ire->ire_gateway_addr;
/* indirect(4), direct(3), or invalid(2) */
if (ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE))
re->ipRouteType = 2;
+ else if (ire->ire_type & IRE_ONLINK)
+ re->ipRouteType = 3;
else
- re->ipRouteType = (gw_addr != 0) ? 4 : 3;
+ re->ipRouteType = 4;
+
re->ipRouteProto = -1;
re->ipRouteAge = gethrestime_sec() - ire->ire_create_time;
re->ipRouteMask = ire->ire_mask;
re->ipRouteMetric5 = -1;
- re->ipRouteInfo.re_max_frag = ire->ire_max_frag;
- re->ipRouteInfo.re_frag_flag = ire->ire_frag_flag;
- re->ipRouteInfo.re_rtt = ire->ire_uinfo.iulp_rtt;
+ re->ipRouteInfo.re_max_frag = ire->ire_metrics.iulp_mtu;
+ if (ire->ire_ill != NULL && re->ipRouteInfo.re_max_frag == 0)
+ re->ipRouteInfo.re_max_frag = ire->ire_ill->ill_mtu;
+
+ re->ipRouteInfo.re_frag_flag = 0;
+ re->ipRouteInfo.re_rtt = 0;
+ re->ipRouteInfo.re_src_addr = 0;
re->ipRouteInfo.re_ref = ire->ire_refcnt;
- re->ipRouteInfo.re_src_addr = ire->ire_src_addr;
re->ipRouteInfo.re_obpkt = ire->ire_ob_pkt_count;
re->ipRouteInfo.re_ibpkt = ire->ire_ib_pkt_count;
re->ipRouteInfo.re_flags = ire->ire_flags;
+ /* Add the IRE_IF_CLONE's counters to their parent IRE_INTERFACE */
+ if (ire->ire_type & IRE_INTERFACE) {
+ ire_t *child;
+
+ rw_enter(&ipst->ips_ire_dep_lock, RW_READER);
+ child = ire->ire_dep_children;
+ while (child != NULL) {
+ re->ipRouteInfo.re_obpkt += child->ire_ob_pkt_count;
+ re->ipRouteInfo.re_ibpkt += child->ire_ib_pkt_count;
+ child = child->ire_dep_sib_next;
+ }
+ rw_exit(&ipst->ips_ire_dep_lock);
+ }
+
if (ire->ire_flags & RTF_DYNAMIC) {
re->ipRouteInfo.re_ire_type = IRE_HOST_REDIRECT;
} else {
@@ -19603,25 +11067,22 @@ ip_snmp_get2_v4(ire_t *ire, iproutedata_t *ird)
(uint_t)sizeof (*re)));
}
- for (iaeptr = iae, i = 0; i < sacnt; i++, iaeptr++, gc = gc->gc_next) {
- iaeptr->iae_routeidx = ird->ird_idx;
- iaeptr->iae_doi = gc->gc_db->gcdb_doi;
- iaeptr->iae_slrange = gc->gc_db->gcdb_slrange;
- }
+ if (gc != NULL) {
+ iaes.iae_routeidx = ird->ird_idx;
+ iaes.iae_doi = gc->gc_db->gcdb_doi;
+ iaes.iae_slrange = gc->gc_db->gcdb_slrange;
- if (!snmp_append_data2(ird->ird_attrs.lp_head, &ird->ird_attrs.lp_tail,
- (char *)iae, sacnt * sizeof (*iae))) {
- ip1dbg(("ip_snmp_get2_v4: failed to allocate %u bytes\n",
- (unsigned)(sacnt * sizeof (*iae))));
+ if (!snmp_append_data2(ird->ird_attrs.lp_head,
+ &ird->ird_attrs.lp_tail, (char *)&iaes, sizeof (iaes))) {
+ ip1dbg(("ip_snmp_get2_v4: failed to allocate %u "
+ "bytes\n", (uint_t)sizeof (iaes)));
+ }
}
/* bump route index for next pass */
ird->ird_idx++;
kmem_free(re, sizeof (*re));
- if (sacnt != 0)
- kmem_free(iae, sacnt * sizeof (*iae));
-
if (gcgrp != NULL)
rw_exit(&gcgrp->gcgrp_rwlock);
}
@@ -19633,21 +11094,20 @@ static void
ip_snmp_get2_v6_route(ire_t *ire, iproutedata_t *ird)
{
ill_t *ill;
- ipif_t *ipif;
mib2_ipv6RouteEntry_t *re;
- mib2_ipAttributeEntry_t *iae, *iaeptr;
- in6_addr_t gw_addr_v6;
+ mib2_ipAttributeEntry_t iaes;
tsol_ire_gw_secattr_t *attrp;
tsol_gc_t *gc = NULL;
tsol_gcgrp_t *gcgrp = NULL;
- uint_t sacnt = 0;
- int i;
+ ip_stack_t *ipst = ire->ire_ipst;
ASSERT(ire->ire_ipversion == IPV6_VERSION);
- if (!(ird->ird_flags & IRD_REPORT_TESTHIDDEN) &&
- ire->ire_marks & IRE_MARK_TESTHIDDEN) {
- return;
+ if (!(ird->ird_flags & IRD_REPORT_ALL)) {
+ if (ire->ire_testhidden)
+ return;
+ if (ire->ire_type & IRE_IF_CLONE)
+ return;
}
if ((re = kmem_zalloc(sizeof (*re), KM_NOSLEEP)) == NULL)
@@ -19659,37 +11119,9 @@ ip_snmp_get2_v6_route(ire_t *ire, iproutedata_t *ird)
gcgrp = gc->gc_grp;
ASSERT(gcgrp != NULL);
rw_enter(&gcgrp->gcgrp_rwlock, RW_READER);
- sacnt = 1;
- } else if ((gcgrp = attrp->igsa_gcgrp) != NULL) {
- rw_enter(&gcgrp->gcgrp_rwlock, RW_READER);
- gc = gcgrp->gcgrp_head;
- sacnt = gcgrp->gcgrp_count;
}
mutex_exit(&attrp->igsa_lock);
-
- /* do nothing if there's no gc to report */
- if (gc == NULL) {
- ASSERT(sacnt == 0);
- if (gcgrp != NULL) {
- /* we might as well drop the lock now */
- rw_exit(&gcgrp->gcgrp_rwlock);
- gcgrp = NULL;
- }
- attrp = NULL;
- }
-
- ASSERT(gc == NULL || (gcgrp != NULL &&
- RW_LOCK_HELD(&gcgrp->gcgrp_rwlock)));
- }
- ASSERT(sacnt == 0 || gc != NULL);
-
- if (sacnt != 0 &&
- (iae = kmem_alloc(sacnt * sizeof (*iae), KM_NOSLEEP)) == NULL) {
- kmem_free(re, sizeof (*re));
- rw_exit(&gcgrp->gcgrp_rwlock);
- return;
}
-
/*
* Return all IRE types for route table... let caller pick and choose
*/
@@ -19697,16 +11129,9 @@ ip_snmp_get2_v6_route(ire_t *ire, iproutedata_t *ird)
re->ipv6RoutePfxLength = ip_mask_to_plen_v6(&ire->ire_mask_v6);
re->ipv6RouteIndex = 0; /* Unique when multiple with same dest/plen */
re->ipv6RouteIfIndex.o_length = 0;
- ipif = ire->ire_ipif;
- if (ire->ire_type == IRE_CACHE) {
- ill = (ill_t *)ire->ire_stq->q_ptr;
- re->ipv6RouteIfIndex.o_length =
- ill->ill_name_length == 0 ? 0 :
- MIN(OCTET_LENGTH, ill->ill_name_length - 1);
- bcopy(ill->ill_name, re->ipv6RouteIfIndex.o_bytes,
- re->ipv6RouteIfIndex.o_length);
- } else if (ipif != NULL) {
- ipif_get_name(ipif, re->ipv6RouteIfIndex.o_bytes, OCTET_LENGTH);
+ ill = ire->ire_ill;
+ if (ill != NULL) {
+ ill_get_name(ill, re->ipv6RouteIfIndex.o_bytes, OCTET_LENGTH);
re->ipv6RouteIfIndex.o_length =
mi_strlen(re->ipv6RouteIfIndex.o_bytes);
}
@@ -19714,18 +11139,13 @@ ip_snmp_get2_v6_route(ire_t *ire, iproutedata_t *ird)
ASSERT(!(ire->ire_type & IRE_BROADCAST));
mutex_enter(&ire->ire_lock);
- gw_addr_v6 = ire->ire_gateway_addr_v6;
+ re->ipv6RouteNextHop = ire->ire_gateway_addr_v6;
mutex_exit(&ire->ire_lock);
- if (ire->ire_type & (IRE_INTERFACE|IRE_LOOPBACK))
- re->ipv6RouteNextHop = ire->ire_src_addr_v6;
- else
- re->ipv6RouteNextHop = gw_addr_v6;
-
/* remote(4), local(3), or discard(2) */
if (ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE))
re->ipv6RouteType = 2;
- else if (IN6_IS_ADDR_UNSPECIFIED(&gw_addr_v6))
+ else if (ire->ire_type & IRE_ONLINK)
re->ipv6RouteType = 3;
else
re->ipv6RouteType = 4;
@@ -19736,15 +11156,31 @@ ip_snmp_get2_v6_route(ire_t *ire, iproutedata_t *ird)
re->ipv6RouteNextHopRDI = 0;
re->ipv6RouteWeight = 0;
re->ipv6RouteMetric = 0;
- re->ipv6RouteInfo.re_max_frag = ire->ire_max_frag;
- re->ipv6RouteInfo.re_frag_flag = ire->ire_frag_flag;
- re->ipv6RouteInfo.re_rtt = ire->ire_uinfo.iulp_rtt;
- re->ipv6RouteInfo.re_src_addr = ire->ire_src_addr_v6;
+ re->ipv6RouteInfo.re_max_frag = ire->ire_metrics.iulp_mtu;
+ if (ire->ire_ill != NULL && re->ipv6RouteInfo.re_max_frag == 0)
+ re->ipv6RouteInfo.re_max_frag = ire->ire_ill->ill_mtu;
+
+ re->ipv6RouteInfo.re_frag_flag = 0;
+ re->ipv6RouteInfo.re_rtt = 0;
+ re->ipv6RouteInfo.re_src_addr = ipv6_all_zeros;
re->ipv6RouteInfo.re_obpkt = ire->ire_ob_pkt_count;
re->ipv6RouteInfo.re_ibpkt = ire->ire_ib_pkt_count;
re->ipv6RouteInfo.re_ref = ire->ire_refcnt;
re->ipv6RouteInfo.re_flags = ire->ire_flags;
+ /* Add the IRE_IF_CLONE's counters to their parent IRE_INTERFACE */
+ if (ire->ire_type & IRE_INTERFACE) {
+ ire_t *child;
+
+ rw_enter(&ipst->ips_ire_dep_lock, RW_READER);
+ child = ire->ire_dep_children;
+ while (child != NULL) {
+ re->ipv6RouteInfo.re_obpkt += child->ire_ob_pkt_count;
+ re->ipv6RouteInfo.re_ibpkt += child->ire_ib_pkt_count;
+ child = child->ire_dep_sib_next;
+ }
+ rw_exit(&ipst->ips_ire_dep_lock);
+ }
if (ire->ire_flags & RTF_DYNAMIC) {
re->ipv6RouteInfo.re_ire_type = IRE_HOST_REDIRECT;
} else {
@@ -19757,79 +11193,67 @@ ip_snmp_get2_v6_route(ire_t *ire, iproutedata_t *ird)
(uint_t)sizeof (*re)));
}
- for (iaeptr = iae, i = 0; i < sacnt; i++, iaeptr++, gc = gc->gc_next) {
- iaeptr->iae_routeidx = ird->ird_idx;
- iaeptr->iae_doi = gc->gc_db->gcdb_doi;
- iaeptr->iae_slrange = gc->gc_db->gcdb_slrange;
- }
+ if (gc != NULL) {
+ iaes.iae_routeidx = ird->ird_idx;
+ iaes.iae_doi = gc->gc_db->gcdb_doi;
+ iaes.iae_slrange = gc->gc_db->gcdb_slrange;
- if (!snmp_append_data2(ird->ird_attrs.lp_head, &ird->ird_attrs.lp_tail,
- (char *)iae, sacnt * sizeof (*iae))) {
- ip1dbg(("ip_snmp_get2_v6: failed to allocate %u bytes\n",
- (unsigned)(sacnt * sizeof (*iae))));
+ if (!snmp_append_data2(ird->ird_attrs.lp_head,
+ &ird->ird_attrs.lp_tail, (char *)&iaes, sizeof (iaes))) {
+ ip1dbg(("ip_snmp_get2_v6: failed to allocate %u "
+ "bytes\n", (uint_t)sizeof (iaes)));
+ }
}
/* bump route index for next pass */
ird->ird_idx++;
kmem_free(re, sizeof (*re));
- if (sacnt != 0)
- kmem_free(iae, sacnt * sizeof (*iae));
-
if (gcgrp != NULL)
rw_exit(&gcgrp->gcgrp_rwlock);
}
/*
- * ndp_walk routine to create ipv6NetToMediaEntryTable
+ * ncec_walk routine to create ipv6NetToMediaEntryTable
*/
static int
-ip_snmp_get2_v6_media(nce_t *nce, iproutedata_t *ird)
+ip_snmp_get2_v6_media(ncec_t *ncec, iproutedata_t *ird)
{
ill_t *ill;
mib2_ipv6NetToMediaEntry_t ntme;
- dl_unitdata_req_t *dl;
- ill = nce->nce_ill;
- if (ill->ill_isv6 == B_FALSE) /* skip arpce entry */
+ ill = ncec->ncec_ill;
+ /* skip arpce entries, and loopback ncec entries */
+ if (ill->ill_isv6 == B_FALSE || ill->ill_net_type == IRE_LOOPBACK)
return (0);
-
/*
* Neighbor cache entry attached to IRE with on-link
* destination.
+ * We report all IPMP groups on ncec_ill which is normally the upper.
*/
ntme.ipv6NetToMediaIfIndex = ill->ill_phyint->phyint_ifindex;
- ntme.ipv6NetToMediaNetAddress = nce->nce_addr;
- if ((ill->ill_flags & ILLF_XRESOLV) &&
- (nce->nce_res_mp != NULL)) {
- dl = (dl_unitdata_req_t *)(nce->nce_res_mp->b_rptr);
- ntme.ipv6NetToMediaPhysAddress.o_length =
- dl->dl_dest_addr_length;
- } else {
- ntme.ipv6NetToMediaPhysAddress.o_length =
- ill->ill_phys_addr_length;
- }
- if (nce->nce_res_mp != NULL) {
- bcopy((char *)nce->nce_res_mp->b_rptr +
- NCE_LL_ADDR_OFFSET(ill),
- ntme.ipv6NetToMediaPhysAddress.o_bytes,
+ ntme.ipv6NetToMediaNetAddress = ncec->ncec_addr;
+ ntme.ipv6NetToMediaPhysAddress.o_length = ill->ill_phys_addr_length;
+ if (ncec->ncec_lladdr != NULL) {
+ bcopy(ncec->ncec_lladdr, ntme.ipv6NetToMediaPhysAddress.o_bytes,
ntme.ipv6NetToMediaPhysAddress.o_length);
- } else {
- bzero(ntme.ipv6NetToMediaPhysAddress.o_bytes,
- ill->ill_phys_addr_length);
}
/*
* Note: Returns ND_* states. Should be:
* reachable(1), stale(2), delay(3), probe(4),
* invalid(5), unknown(6)
*/
- ntme.ipv6NetToMediaState = nce->nce_state;
+ ntme.ipv6NetToMediaState = ncec->ncec_state;
ntme.ipv6NetToMediaLastUpdated = 0;
/* other(1), dynamic(2), static(3), local(4) */
- if (IN6_IS_ADDR_LOOPBACK(&nce->nce_addr)) {
+ if (NCE_MYADDR(ncec)) {
ntme.ipv6NetToMediaType = 4;
- } else if (IN6_IS_ADDR_MULTICAST(&nce->nce_addr)) {
+ } else if (ncec->ncec_flags & NCE_F_PUBLISH) {
+ ntme.ipv6NetToMediaType = 1; /* proxy */
+ } else if (ncec->ncec_flags & NCE_F_STATIC) {
+ ntme.ipv6NetToMediaType = 3;
+ } else if (ncec->ncec_flags & (NCE_F_MCAST|NCE_F_BCAST)) {
ntme.ipv6NetToMediaType = 1;
} else {
ntme.ipv6NetToMediaType = 2;
@@ -19843,6 +11267,93 @@ ip_snmp_get2_v6_media(nce_t *nce, iproutedata_t *ird)
return (0);
}
+int
+nce2ace(ncec_t *ncec)
+{
+ int flags = 0;
+
+ if (NCE_ISREACHABLE(ncec))
+ flags |= ACE_F_RESOLVED;
+ if (ncec->ncec_flags & NCE_F_AUTHORITY)
+ flags |= ACE_F_AUTHORITY;
+ if (ncec->ncec_flags & NCE_F_PUBLISH)
+ flags |= ACE_F_PUBLISH;
+ if ((ncec->ncec_flags & NCE_F_NONUD) != 0)
+ flags |= ACE_F_PERMANENT;
+ if (NCE_MYADDR(ncec))
+ flags |= (ACE_F_MYADDR | ACE_F_AUTHORITY);
+ if (ncec->ncec_flags & NCE_F_UNVERIFIED)
+ flags |= ACE_F_UNVERIFIED;
+ if (ncec->ncec_flags & NCE_F_AUTHORITY)
+ flags |= ACE_F_AUTHORITY;
+ if (ncec->ncec_flags & NCE_F_DELAYED)
+ flags |= ACE_F_DELAYED;
+ return (flags);
+}
+
+/*
+ * ncec_walk routine to create ipNetToMediaEntryTable
+ */
+static int
+ip_snmp_get2_v4_media(ncec_t *ncec, iproutedata_t *ird)
+{
+ ill_t *ill;
+ mib2_ipNetToMediaEntry_t ntme;
+ const char *name = "unknown";
+ ipaddr_t ncec_addr;
+
+ ill = ncec->ncec_ill;
+ if (ill->ill_isv6 || (ncec->ncec_flags & NCE_F_BCAST) ||
+ ill->ill_net_type == IRE_LOOPBACK)
+ return (0);
+
+ /* We report all IPMP groups on ncec_ill which is normally the upper. */
+ name = ill->ill_name;
+ /* Based on RFC 4293: other(1), inval(2), dyn(3), stat(4) */
+ if (NCE_MYADDR(ncec)) {
+ ntme.ipNetToMediaType = 4;
+ } else if (ncec->ncec_flags & (NCE_F_MCAST|NCE_F_BCAST|NCE_F_PUBLISH)) {
+ ntme.ipNetToMediaType = 1;
+ } else {
+ ntme.ipNetToMediaType = 3;
+ }
+ ntme.ipNetToMediaIfIndex.o_length = MIN(OCTET_LENGTH, strlen(name));
+ bcopy(name, ntme.ipNetToMediaIfIndex.o_bytes,
+ ntme.ipNetToMediaIfIndex.o_length);
+
+ IN6_V4MAPPED_TO_IPADDR(&ncec->ncec_addr, ncec_addr);
+ bcopy(&ncec_addr, &ntme.ipNetToMediaNetAddress, sizeof (ncec_addr));
+
+ ntme.ipNetToMediaInfo.ntm_mask.o_length = sizeof (ipaddr_t);
+ ncec_addr = INADDR_BROADCAST;
+ bcopy(&ncec_addr, ntme.ipNetToMediaInfo.ntm_mask.o_bytes,
+ sizeof (ncec_addr));
+ /*
+ * map all the flags to the ACE counterpart.
+ */
+ ntme.ipNetToMediaInfo.ntm_flags = nce2ace(ncec);
+
+ ntme.ipNetToMediaPhysAddress.o_length =
+ MIN(OCTET_LENGTH, ill->ill_phys_addr_length);
+
+ if (!NCE_ISREACHABLE(ncec))
+ ntme.ipNetToMediaPhysAddress.o_length = 0;
+ else {
+ if (ncec->ncec_lladdr != NULL) {
+ bcopy(ncec->ncec_lladdr,
+ ntme.ipNetToMediaPhysAddress.o_bytes,
+ ntme.ipNetToMediaPhysAddress.o_length);
+ }
+ }
+
+ if (!snmp_append_data2(ird->ird_netmedia.lp_head,
+ &ird->ird_netmedia.lp_tail, (char *)&ntme, sizeof (ntme))) {
+ ip1dbg(("ip_snmp_get2_v4_media: failed to allocate %u bytes\n",
+ (uint_t)sizeof (ntme)));
+ }
+ return (0);
+}
+
/*
* return (0) if invalid set request, 1 otherwise, including non-tcp requests
*/
@@ -19999,7 +11510,7 @@ ip_mib2_add_icmp6_stats(mib2_ipv6IfIcmpEntry_t *o1, mib2_ipv6IfIcmpEntry_t *o2)
* This routine assumes that the options are well formed i.e. that they
* have already been checked.
*/
-static boolean_t
+boolean_t
ip_source_routed(ipha_t *ipha, ip_stack_t *ipst)
{
ipoptp_t opts;
@@ -20007,7 +11518,6 @@ ip_source_routed(ipha_t *ipha, ip_stack_t *ipst)
uint8_t optval;
uint8_t optlen;
ipaddr_t dst;
- ire_t *ire;
if (IS_SIMPLE_IPH(ipha)) {
ip2dbg(("not source routed\n"));
@@ -20030,15 +11540,12 @@ ip_source_routed(ipha_t *ipha, ip_stack_t *ipst)
* If dst is one of our addresses and there are some
* entries left in the source route return (true).
*/
- ire = ire_ctable_lookup(dst, 0, IRE_LOCAL, NULL,
- ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- if (ire == NULL) {
+ if (ip_type_v4(dst, ipst) != IRE_LOCAL) {
ip2dbg(("ip_source_routed: not next"
" source route 0x%x\n",
ntohl(dst)));
return (B_FALSE);
}
- ire_refrele(ire);
off = opt[IPOPT_OFFSET];
off--;
if (optlen < IP_ADDR_LEN ||
@@ -20055,267 +11562,18 @@ ip_source_routed(ipha_t *ipha, ip_stack_t *ipst)
}
/*
- * Check if the packet contains any source route.
- */
-static boolean_t
-ip_source_route_included(ipha_t *ipha)
-{
- ipoptp_t opts;
- uint8_t optval;
-
- if (IS_SIMPLE_IPH(ipha))
- return (B_FALSE);
- for (optval = ipoptp_first(&opts, ipha);
- optval != IPOPT_EOL;
- optval = ipoptp_next(&opts)) {
- switch (optval) {
- case IPOPT_SSRR:
- case IPOPT_LSRR:
- return (B_TRUE);
- }
- }
- return (B_FALSE);
-}
-
-/*
- * Called when the IRE expiration timer fires.
- */
-void
-ip_trash_timer_expire(void *args)
-{
- int flush_flag = 0;
- ire_expire_arg_t iea;
- ip_stack_t *ipst = (ip_stack_t *)args;
-
- iea.iea_ipst = ipst; /* No netstack_hold */
-
- /*
- * ip_ire_expire_id is protected by ip_trash_timer_lock.
- * This lock makes sure that a new invocation of this function
- * that occurs due to an almost immediate timer firing will not
- * progress beyond this point until the current invocation is done
- */
- mutex_enter(&ipst->ips_ip_trash_timer_lock);
- ipst->ips_ip_ire_expire_id = 0;
- mutex_exit(&ipst->ips_ip_trash_timer_lock);
-
- /* Periodic timer */
- if (ipst->ips_ip_ire_arp_time_elapsed >=
- ipst->ips_ip_ire_arp_interval) {
- /*
- * Remove all IRE_CACHE entries since they might
- * contain arp information.
- */
- flush_flag |= FLUSH_ARP_TIME;
- ipst->ips_ip_ire_arp_time_elapsed = 0;
- IP_STAT(ipst, ip_ire_arp_timer_expired);
- }
- if (ipst->ips_ip_ire_rd_time_elapsed >=
- ipst->ips_ip_ire_redir_interval) {
- /* Remove all redirects */
- flush_flag |= FLUSH_REDIRECT_TIME;
- ipst->ips_ip_ire_rd_time_elapsed = 0;
- IP_STAT(ipst, ip_ire_redirect_timer_expired);
- }
- if (ipst->ips_ip_ire_pmtu_time_elapsed >=
- ipst->ips_ip_ire_pathmtu_interval) {
- /* Increase path mtu */
- flush_flag |= FLUSH_MTU_TIME;
- ipst->ips_ip_ire_pmtu_time_elapsed = 0;
- IP_STAT(ipst, ip_ire_pmtu_timer_expired);
- }
-
- /*
- * Optimize for the case when there are no redirects in the
- * ftable, that is, no need to walk the ftable in that case.
- */
- if (flush_flag & (FLUSH_MTU_TIME|FLUSH_ARP_TIME)) {
- iea.iea_flush_flag = flush_flag;
- ire_walk_ill_tables(MATCH_IRE_TYPE, IRE_CACHETABLE, ire_expire,
- (char *)(uintptr_t)&iea, IP_MASK_TABLE_SIZE, 0, NULL,
- ipst->ips_ip_cache_table_size, ipst->ips_ip_cache_table,
- NULL, ALL_ZONES, ipst);
- }
- if ((flush_flag & FLUSH_REDIRECT_TIME) &&
- ipst->ips_ip_redirect_cnt > 0) {
- iea.iea_flush_flag = flush_flag;
- ire_walk_ill_tables(MATCH_IRE_TYPE, IRE_FORWARDTABLE,
- ire_expire, (char *)(uintptr_t)&iea, IP_MASK_TABLE_SIZE,
- 0, NULL, 0, NULL, NULL, ALL_ZONES, ipst);
- }
- if (flush_flag & FLUSH_MTU_TIME) {
- /*
- * Walk all IPv6 IRE's and update them
- * Note that ARP and redirect timers are not
- * needed since NUD handles stale entries.
- */
- flush_flag = FLUSH_MTU_TIME;
- iea.iea_flush_flag = flush_flag;
- ire_walk_v6(ire_expire, (char *)(uintptr_t)&iea,
- ALL_ZONES, ipst);
- }
-
- ipst->ips_ip_ire_arp_time_elapsed += ipst->ips_ip_timer_interval;
- ipst->ips_ip_ire_rd_time_elapsed += ipst->ips_ip_timer_interval;
- ipst->ips_ip_ire_pmtu_time_elapsed += ipst->ips_ip_timer_interval;
-
- /*
- * Hold the lock to serialize timeout calls and prevent
- * stale values in ip_ire_expire_id. Otherwise it is possible
- * for the timer to fire and a new invocation of this function
- * to start before the return value of timeout has been stored
- * in ip_ire_expire_id by the current invocation.
- */
- mutex_enter(&ipst->ips_ip_trash_timer_lock);
- ipst->ips_ip_ire_expire_id = timeout(ip_trash_timer_expire,
- (void *)ipst, MSEC_TO_TICK(ipst->ips_ip_timer_interval));
- mutex_exit(&ipst->ips_ip_trash_timer_lock);
-}
-
-/*
- * Called by the memory allocator subsystem directly, when the system
- * is running low on memory.
- */
-/* ARGSUSED */
-void
-ip_trash_ire_reclaim(void *args)
-{
- netstack_handle_t nh;
- netstack_t *ns;
-
- netstack_next_init(&nh);
- while ((ns = netstack_next(&nh)) != NULL) {
- ip_trash_ire_reclaim_stack(ns->netstack_ip);
- netstack_rele(ns);
- }
- netstack_next_fini(&nh);
-}
-
-static void
-ip_trash_ire_reclaim_stack(ip_stack_t *ipst)
-{
- ire_cache_count_t icc;
- ire_cache_reclaim_t icr;
- ncc_cache_count_t ncc;
- nce_cache_reclaim_t ncr;
- uint_t delete_cnt;
- /*
- * Memory reclaim call back.
- * Count unused, offlink, pmtu, and onlink IRE_CACHE entries.
- * Then, with a target of freeing 1/Nth of IRE_CACHE
- * entries, determine what fraction to free for
- * each category of IRE_CACHE entries giving absolute priority
- * in the order of onlink, pmtu, offlink, unused (e.g. no pmtu
- * entry will be freed unless all offlink entries are freed).
- */
- icc.icc_total = 0;
- icc.icc_unused = 0;
- icc.icc_offlink = 0;
- icc.icc_pmtu = 0;
- icc.icc_onlink = 0;
- ire_walk(ire_cache_count, (char *)&icc, ipst);
-
- /*
- * Free NCEs for IPv6 like the onlink ires.
- */
- ncc.ncc_total = 0;
- ncc.ncc_host = 0;
- ndp_walk(NULL, (pfi_t)ndp_cache_count, (uchar_t *)&ncc, ipst);
-
- ASSERT(icc.icc_total == icc.icc_unused + icc.icc_offlink +
- icc.icc_pmtu + icc.icc_onlink);
- delete_cnt = icc.icc_total/ipst->ips_ip_ire_reclaim_fraction;
- IP_STAT(ipst, ip_trash_ire_reclaim_calls);
- if (delete_cnt == 0)
- return;
- IP_STAT(ipst, ip_trash_ire_reclaim_success);
- /* Always delete all unused offlink entries */
- icr.icr_ipst = ipst;
- icr.icr_unused = 1;
- if (delete_cnt <= icc.icc_unused) {
- /*
- * Only need to free unused entries. In other words,
- * there are enough unused entries to free to meet our
- * target number of freed ire cache entries.
- */
- icr.icr_offlink = icr.icr_pmtu = icr.icr_onlink = 0;
- ncr.ncr_host = 0;
- } else if (delete_cnt <= icc.icc_unused + icc.icc_offlink) {
- /*
- * Only need to free unused entries, plus a fraction of offlink
- * entries. It follows from the first if statement that
- * icc_offlink is non-zero, and that delete_cnt != icc_unused.
- */
- delete_cnt -= icc.icc_unused;
- /* Round up # deleted by truncating fraction */
- icr.icr_offlink = icc.icc_offlink / delete_cnt;
- icr.icr_pmtu = icr.icr_onlink = 0;
- ncr.ncr_host = 0;
- } else if (delete_cnt <=
- icc.icc_unused + icc.icc_offlink + icc.icc_pmtu) {
- /*
- * Free all unused and offlink entries, plus a fraction of
- * pmtu entries. It follows from the previous if statement
- * that icc_pmtu is non-zero, and that
- * delete_cnt != icc_unused + icc_offlink.
- */
- icr.icr_offlink = 1;
- delete_cnt -= icc.icc_unused + icc.icc_offlink;
- /* Round up # deleted by truncating fraction */
- icr.icr_pmtu = icc.icc_pmtu / delete_cnt;
- icr.icr_onlink = 0;
- ncr.ncr_host = 0;
- } else {
- /*
- * Free all unused, offlink, and pmtu entries, plus a fraction
- * of onlink entries. If we're here, then we know that
- * icc_onlink is non-zero, and that
- * delete_cnt != icc_unused + icc_offlink + icc_pmtu.
- */
- icr.icr_offlink = icr.icr_pmtu = 1;
- delete_cnt -= icc.icc_unused + icc.icc_offlink +
- icc.icc_pmtu;
- /* Round up # deleted by truncating fraction */
- icr.icr_onlink = icc.icc_onlink / delete_cnt;
- /* Using the same delete fraction as for onlink IREs */
- ncr.ncr_host = ncc.ncc_host / delete_cnt;
- }
-#ifdef DEBUG
- ip1dbg(("IP reclaim: target %d out of %d current %d/%d/%d/%d "
- "fractions %d/%d/%d/%d\n",
- icc.icc_total/ipst->ips_ip_ire_reclaim_fraction, icc.icc_total,
- icc.icc_unused, icc.icc_offlink,
- icc.icc_pmtu, icc.icc_onlink,
- icr.icr_unused, icr.icr_offlink,
- icr.icr_pmtu, icr.icr_onlink));
-#endif
- ire_walk(ire_cache_reclaim, (char *)&icr, ipst);
- if (ncr.ncr_host != 0)
- ndp_walk(NULL, (pfi_t)ndp_cache_reclaim,
- (uchar_t *)&ncr, ipst);
-#ifdef DEBUG
- icc.icc_total = 0; icc.icc_unused = 0; icc.icc_offlink = 0;
- icc.icc_pmtu = 0; icc.icc_onlink = 0;
- ire_walk(ire_cache_count, (char *)&icc, ipst);
- ip1dbg(("IP reclaim: result total %d %d/%d/%d/%d\n",
- icc.icc_total, icc.icc_unused, icc.icc_offlink,
- icc.icc_pmtu, icc.icc_onlink));
-#endif
-}
-
-/*
- * ip_unbind is called when a copy of an unbind request is received from the
- * upper level protocol. We remove this conn from any fanout hash list it is
- * on, and zero out the bind information. No reply is expected up above.
+ * ip_unbind is called by the transports to remove a conn from
+ * the fanout table.
*/
void
ip_unbind(conn_t *connp)
{
+
ASSERT(!MUTEX_HELD(&connp->conn_lock));
if (is_system_labeled() && connp->conn_anon_port) {
(void) tsol_mlp_anon(crgetzone(connp->conn_cred),
- connp->conn_mlp_type, connp->conn_ulp,
+ connp->conn_mlp_type, connp->conn_proto,
ntohs(connp->conn_lport), B_FALSE);
connp->conn_anon_port = 0;
}
@@ -20325,1489 +11583,6 @@ ip_unbind(conn_t *connp)
}
/*
- * Write side put procedure. Outbound data, IOCTLs, responses from
- * resolvers, etc, come down through here.
- *
- * arg2 is always a queue_t *.
- * When that queue is an ill_t (i.e. q_next != NULL), then arg must be
- * the zoneid.
- * When that queue is not an ill_t, then arg must be a conn_t pointer.
- */
-void
-ip_output(void *arg, mblk_t *mp, void *arg2, int caller)
-{
- ip_output_options(arg, mp, arg2, caller, &zero_info);
-}
-
-void
-ip_output_options(void *arg, mblk_t *mp, void *arg2, int caller,
- ip_opt_info_t *infop)
-{
- conn_t *connp = NULL;
- queue_t *q = (queue_t *)arg2;
- ipha_t *ipha;
-#define rptr ((uchar_t *)ipha)
- ire_t *ire = NULL;
- ire_t *sctp_ire = NULL;
- uint32_t v_hlen_tos_len;
- ipaddr_t dst;
- mblk_t *first_mp = NULL;
- boolean_t mctl_present;
- ipsec_out_t *io;
- int match_flags;
- ill_t *xmit_ill = NULL; /* IP_PKTINFO etc. */
- ipif_t *dst_ipif;
- boolean_t multirt_need_resolve = B_FALSE;
- mblk_t *copy_mp = NULL;
- int err = 0;
- zoneid_t zoneid;
- boolean_t need_decref = B_FALSE;
- boolean_t ignore_dontroute = B_FALSE;
- boolean_t ignore_nexthop = B_FALSE;
- boolean_t ip_nexthop = B_FALSE;
- ipaddr_t nexthop_addr;
- ip_stack_t *ipst;
-
-#ifdef _BIG_ENDIAN
-#define V_HLEN (v_hlen_tos_len >> 24)
-#else
-#define V_HLEN (v_hlen_tos_len & 0xFF)
-#endif
-
- TRACE_1(TR_FAC_IP, TR_IP_WPUT_START,
- "ip_wput_start: q %p", q);
-
- /*
- * ip_wput fast path
- */
-
- /* is packet from ARP ? */
- if (q->q_next != NULL) {
- zoneid = (zoneid_t)(uintptr_t)arg;
- goto qnext;
- }
-
- connp = (conn_t *)arg;
- ASSERT(connp != NULL);
- zoneid = connp->conn_zoneid;
- ipst = connp->conn_netstack->netstack_ip;
- ASSERT(ipst != NULL);
-
- /* is queue flow controlled? */
- if ((q->q_first != NULL || connp->conn_draining) &&
- (caller == IP_WPUT)) {
- ASSERT(!need_decref);
- ASSERT(!IP_FLOW_CONTROLLED_ULP(connp->conn_ulp));
- (void) putq(q, mp);
- return;
- }
-
- /* Multidata transmit? */
- if (DB_TYPE(mp) == M_MULTIDATA) {
- /*
- * We should never get here, since all Multidata messages
- * originating from tcp should have been directed over to
- * tcp_multisend() in the first place.
- */
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
- freemsg(mp);
- return;
- } else if (DB_TYPE(mp) != M_DATA)
- goto notdata;
-
- if (mp->b_flag & MSGHASREF) {
- ASSERT(connp->conn_ulp == IPPROTO_SCTP);
- mp->b_flag &= ~MSGHASREF;
- SCTP_EXTRACT_IPINFO(mp, sctp_ire);
- need_decref = B_TRUE;
- }
- ipha = (ipha_t *)mp->b_rptr;
-
- /* is IP header non-aligned or mblk smaller than basic IP header */
-#ifndef SAFETY_BEFORE_SPEED
- if (!OK_32PTR(rptr) ||
- (mp->b_wptr - rptr) < IP_SIMPLE_HDR_LENGTH)
- goto hdrtoosmall;
-#endif
-
- ASSERT(OK_32PTR(ipha));
-
- /*
- * This function assumes that mp points to an IPv4 packet. If it's the
- * wrong version, we'll catch it again in ip_output_v6.
- *
- * Note that this is *only* locally-generated output here, and never
- * forwarded data, and that we need to deal only with transports that
- * don't know how to label. (TCP, UDP, and ICMP/raw-IP all know how to
- * label.)
- */
- if (is_system_labeled() &&
- (ipha->ipha_version_and_hdr_length & 0xf0) == (IPV4_VERSION << 4) &&
- !connp->conn_ulp_labeled) {
- cred_t *credp;
- pid_t pid;
-
- credp = BEST_CRED(mp, connp, &pid);
- err = tsol_check_label(credp, &mp,
- connp->conn_mac_mode, ipst, pid);
- ipha = (ipha_t *)mp->b_rptr;
- if (err != 0) {
- first_mp = mp;
- if (err == EINVAL)
- goto icmp_parameter_problem;
- ip2dbg(("ip_wput: label check failed (%d)\n", err));
- goto discard_pkt;
- }
- }
-
- ASSERT(infop != NULL);
-
- if (infop->ip_opt_flags & IP_VERIFY_SRC) {
- /*
- * IP_PKTINFO ancillary option is present.
- * IPCL_ZONEID is used to honor IP_ALLZONES option which
- * allows using address of any zone as the source address.
- */
- ire = ire_ctable_lookup(ipha->ipha_src, 0,
- (IRE_LOCAL|IRE_LOOPBACK), NULL, IPCL_ZONEID(connp),
- NULL, MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, ipst);
- if (ire == NULL)
- goto drop_pkt;
- ire_refrele(ire);
- ire = NULL;
- }
-
- /*
- * IP_BOUND_IF has precedence over the ill index passed in IP_PKTINFO.
- */
- if (infop->ip_opt_ill_index != 0 && connp->conn_outgoing_ill == NULL) {
- xmit_ill = ill_lookup_on_ifindex(infop->ip_opt_ill_index,
- B_FALSE, NULL, NULL, NULL, NULL, ipst);
-
- if (xmit_ill == NULL || IS_VNI(xmit_ill))
- goto drop_pkt;
- /*
- * check that there is an ipif belonging
- * to our zone. IPCL_ZONEID is not used because
- * IP_ALLZONES option is valid only when the ill is
- * accessible from all zones i.e has a valid ipif in
- * all zones.
- */
- if (!ipif_lookup_zoneid(xmit_ill, zoneid, 0, NULL)) {
- goto drop_pkt;
- }
- }
-
- /*
- * If there is a policy, try to attach an ipsec_out in
- * the front. At the end, first_mp either points to a
- * M_DATA message or IPSEC_OUT message linked to a
- * M_DATA message. We have to do it now as we might
- * lose the "conn" if we go through ip_newroute.
- */
- if (connp->conn_out_enforce_policy || (connp->conn_latch != NULL)) {
- if (((mp = ipsec_attach_ipsec_out(&mp, connp, NULL,
- ipha->ipha_protocol, ipst->ips_netstack)) == NULL)) {
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- }
- ASSERT(mp->b_datap->db_type == M_CTL);
- first_mp = mp;
- mp = mp->b_cont;
- mctl_present = B_TRUE;
- } else {
- first_mp = mp;
- mctl_present = B_FALSE;
- }
-
- v_hlen_tos_len = ((uint32_t *)ipha)[0];
-
- /* is wrong version or IP options present */
- if (V_HLEN != IP_SIMPLE_HDR_VERSION)
- goto version_hdrlen_check;
- dst = ipha->ipha_dst;
-
- /* If IP_BOUND_IF has been set, use that ill. */
- if (connp->conn_outgoing_ill != NULL) {
- xmit_ill = conn_get_held_ill(connp,
- &connp->conn_outgoing_ill, &err);
- if (err == ILL_LOOKUP_FAILED)
- goto drop_pkt;
-
- goto send_from_ill;
- }
-
- /* is packet multicast? */
- if (CLASSD(dst))
- goto multicast;
-
- /*
- * If xmit_ill is set above due to index passed in ip_pkt_info. It
- * takes precedence over conn_dontroute and conn_nexthop_set
- */
- if (xmit_ill != NULL)
- goto send_from_ill;
-
- if (connp->conn_dontroute || connp->conn_nexthop_set) {
- /*
- * If the destination is a broadcast, local, or loopback
- * address, SO_DONTROUTE and IP_NEXTHOP go through the
- * standard path.
- */
- ire = ire_cache_lookup(dst, zoneid, msg_getlabel(mp), ipst);
- if ((ire == NULL) || (ire->ire_type &
- (IRE_BROADCAST | IRE_LOCAL | IRE_LOOPBACK)) == 0) {
- if (ire != NULL) {
- ire_refrele(ire);
- /* No more access to ire */
- ire = NULL;
- }
- /*
- * bypass routing checks and go directly to interface.
- */
- if (connp->conn_dontroute)
- goto dontroute;
-
- ASSERT(connp->conn_nexthop_set);
- ip_nexthop = B_TRUE;
- nexthop_addr = connp->conn_nexthop_v4;
- goto send_from_ill;
- }
-
- /* Must be a broadcast, a loopback or a local ire */
- ire_refrele(ire);
- /* No more access to ire */
- ire = NULL;
- }
-
- /*
- * We cache IRE_CACHEs to avoid lookups. We don't do
- * this for the tcp global queue and listen end point
- * as it does not really have a real destination to
- * talk to. This is also true for SCTP.
- */
- if (IP_FLOW_CONTROLLED_ULP(connp->conn_ulp) &&
- !connp->conn_fully_bound) {
- ire = ire_cache_lookup(dst, zoneid, msg_getlabel(mp), ipst);
- if (ire == NULL)
- goto noirefound;
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_END,
- "ip_wput_end: q %p (%S)", q, "end");
-
- /*
- * Check if the ire has the RTF_MULTIRT flag, inherited
- * from an IRE_OFFSUBNET ire entry in ip_newroute().
- */
- if (ire->ire_flags & RTF_MULTIRT) {
-
- /*
- * Force the TTL of multirouted packets if required.
- * The TTL of such packets is bounded by the
- * ip_multirt_ttl ndd variable.
- */
- if ((ipst->ips_ip_multirt_ttl > 0) &&
- (ipha->ipha_ttl > ipst->ips_ip_multirt_ttl)) {
- ip2dbg(("ip_wput: forcing multirt TTL to %d "
- "(was %d), dst 0x%08x\n",
- ipst->ips_ip_multirt_ttl, ipha->ipha_ttl,
- ntohl(ire->ire_addr)));
- ipha->ipha_ttl = ipst->ips_ip_multirt_ttl;
- }
- /*
- * We look at this point if there are pending
- * unresolved routes. ire_multirt_resolvable()
- * checks in O(n) that all IRE_OFFSUBNET ire
- * entries for the packet's destination and
- * flagged RTF_MULTIRT are currently resolved.
- * If some remain unresolved, we make a copy
- * of the current message. It will be used
- * to initiate additional route resolutions.
- */
- multirt_need_resolve =
- ire_multirt_need_resolve(ire->ire_addr,
- msg_getlabel(first_mp), ipst);
- ip2dbg(("ip_wput[TCP]: ire %p, "
- "multirt_need_resolve %d, first_mp %p\n",
- (void *)ire, multirt_need_resolve,
- (void *)first_mp));
- if (multirt_need_resolve) {
- copy_mp = copymsg(first_mp);
- if (copy_mp != NULL) {
- MULTIRT_DEBUG_TAG(copy_mp);
- }
- }
- }
-
- ip_wput_ire(q, first_mp, ire, connp, caller, zoneid);
-
- /*
- * Try to resolve another multiroute if
- * ire_multirt_need_resolve() deemed it necessary.
- */
- if (copy_mp != NULL)
- ip_newroute(q, copy_mp, dst, connp, zoneid, ipst);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- }
-
- /*
- * Access to conn_ire_cache. (protected by conn_lock)
- *
- * IRE_MARK_CONDEMNED is marked in ire_delete. We don't grab
- * the ire bucket lock here to check for CONDEMNED as it is okay to
- * send a packet or two with the IRE_CACHE that is going away.
- * Access to the ire requires an ire refhold on the ire prior to
- * its use since an interface unplumb thread may delete the cached
- * ire and release the refhold at any time.
- *
- * Caching an ire in the conn_ire_cache
- *
- * o Caching an ire pointer in the conn requires a strict check for
- * IRE_MARK_CONDEMNED. An interface unplumb thread deletes all relevant
- * ires before cleaning up the conns. So the caching of an ire pointer
- * in the conn is done after making sure under the bucket lock that the
- * ire has not yet been marked CONDEMNED. Otherwise we will end up
- * caching an ire after the unplumb thread has cleaned up the conn.
- * If the conn does not send a packet subsequently the unplumb thread
- * will be hanging waiting for the ire count to drop to zero.
- *
- * o We also need to atomically test for a null conn_ire_cache and
- * set the conn_ire_cache under the the protection of the conn_lock
- * to avoid races among concurrent threads trying to simultaneously
- * cache an ire in the conn_ire_cache.
- */
- mutex_enter(&connp->conn_lock);
- ire = sctp_ire != NULL ? sctp_ire : connp->conn_ire_cache;
-
- if (ire != NULL && ire->ire_addr == dst &&
- !(ire->ire_marks & IRE_MARK_CONDEMNED)) {
-
- IRE_REFHOLD(ire);
- mutex_exit(&connp->conn_lock);
-
- } else {
- boolean_t cached = B_FALSE;
- connp->conn_ire_cache = NULL;
- mutex_exit(&connp->conn_lock);
- /* Release the old ire */
- if (ire != NULL && sctp_ire == NULL)
- IRE_REFRELE_NOTR(ire);
-
- ire = ire_cache_lookup(dst, zoneid, msg_getlabel(mp), ipst);
- if (ire == NULL)
- goto noirefound;
- IRE_REFHOLD_NOTR(ire);
-
- mutex_enter(&connp->conn_lock);
- if (CONN_CACHE_IRE(connp) && connp->conn_ire_cache == NULL) {
- rw_enter(&ire->ire_bucket->irb_lock, RW_READER);
- if (!(ire->ire_marks & IRE_MARK_CONDEMNED)) {
- if (connp->conn_ulp == IPPROTO_TCP)
- TCP_CHECK_IREINFO(connp->conn_tcp, ire);
- connp->conn_ire_cache = ire;
- cached = B_TRUE;
- }
- rw_exit(&ire->ire_bucket->irb_lock);
- }
- mutex_exit(&connp->conn_lock);
-
- /*
- * We can continue to use the ire but since it was
- * not cached, we should drop the extra reference.
- */
- if (!cached)
- IRE_REFRELE_NOTR(ire);
- }
-
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_END,
- "ip_wput_end: q %p (%S)", q, "end");
-
- /*
- * Check if the ire has the RTF_MULTIRT flag, inherited
- * from an IRE_OFFSUBNET ire entry in ip_newroute().
- */
- if (ire->ire_flags & RTF_MULTIRT) {
- /*
- * Force the TTL of multirouted packets if required.
- * The TTL of such packets is bounded by the
- * ip_multirt_ttl ndd variable.
- */
- if ((ipst->ips_ip_multirt_ttl > 0) &&
- (ipha->ipha_ttl > ipst->ips_ip_multirt_ttl)) {
- ip2dbg(("ip_wput: forcing multirt TTL to %d "
- "(was %d), dst 0x%08x\n",
- ipst->ips_ip_multirt_ttl, ipha->ipha_ttl,
- ntohl(ire->ire_addr)));
- ipha->ipha_ttl = ipst->ips_ip_multirt_ttl;
- }
-
- /*
- * At this point, we check to see if there are any pending
- * unresolved routes. ire_multirt_resolvable()
- * checks in O(n) that all IRE_OFFSUBNET ire
- * entries for the packet's destination and
- * flagged RTF_MULTIRT are currently resolved.
- * If some remain unresolved, we make a copy
- * of the current message. It will be used
- * to initiate additional route resolutions.
- */
- multirt_need_resolve = ire_multirt_need_resolve(ire->ire_addr,
- msg_getlabel(first_mp), ipst);
- ip2dbg(("ip_wput[not TCP]: ire %p, "
- "multirt_need_resolve %d, first_mp %p\n",
- (void *)ire, multirt_need_resolve, (void *)first_mp));
- if (multirt_need_resolve) {
- copy_mp = copymsg(first_mp);
- if (copy_mp != NULL) {
- MULTIRT_DEBUG_TAG(copy_mp);
- }
- }
- }
-
- ip_wput_ire(q, first_mp, ire, connp, caller, zoneid);
-
- /*
- * Try to resolve another multiroute if
- * ire_multirt_resolvable() deemed it necessary
- */
- if (copy_mp != NULL)
- ip_newroute(q, copy_mp, dst, connp, zoneid, ipst);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
-
-qnext:
- /*
- * Upper Level Protocols pass down complete IP datagrams
- * as M_DATA messages. Everything else is a sideshow.
- *
- * 1) We could be re-entering ip_wput because of ip_neworute
- * in which case we could have a IPSEC_OUT message. We
- * need to pass through ip_wput like other datagrams and
- * hence cannot branch to ip_wput_nondata.
- *
- * 2) ARP, AH, ESP, and other clients who are on the module
- * instance of IP stream, give us something to deal with.
- * We will handle AH and ESP here and rest in ip_wput_nondata.
- *
- * 3) ICMP replies also could come here.
- */
- ipst = ILLQ_TO_IPST(q);
-
- if (DB_TYPE(mp) != M_DATA) {
-notdata:
- if (DB_TYPE(mp) == M_CTL) {
- /*
- * M_CTL messages are used by ARP, AH and ESP to
- * communicate with IP. We deal with IPSEC_IN and
- * IPSEC_OUT here. ip_wput_nondata handles other
- * cases.
- */
- ipsec_info_t *ii = (ipsec_info_t *)mp->b_rptr;
- if (mp->b_cont && (mp->b_cont->b_flag & MSGHASREF)) {
- first_mp = mp->b_cont;
- first_mp->b_flag &= ~MSGHASREF;
- ASSERT(connp->conn_ulp == IPPROTO_SCTP);
- SCTP_EXTRACT_IPINFO(first_mp, sctp_ire);
- CONN_DEC_REF(connp);
- connp = NULL;
- }
- if (ii->ipsec_info_type == IPSEC_IN) {
- /*
- * Either this message goes back to
- * IPsec for further processing or to
- * ULP after policy checks.
- */
- ip_fanout_proto_again(mp, NULL, NULL, NULL);
- return;
- } else if (ii->ipsec_info_type == IPSEC_OUT) {
- io = (ipsec_out_t *)ii;
- if (io->ipsec_out_proc_begin) {
- /*
- * IPsec processing has already started.
- * Complete it.
- * IPQoS notes: We don't care what is
- * in ipsec_out_ill_index since this
- * won't be processed for IPQoS policies
- * in ipsec_out_process.
- */
- ipsec_out_process(q, mp, NULL,
- io->ipsec_out_ill_index);
- return;
- } else {
- connp = (q->q_next != NULL) ?
- NULL : Q_TO_CONN(q);
- first_mp = mp;
- mp = mp->b_cont;
- mctl_present = B_TRUE;
- }
- zoneid = io->ipsec_out_zoneid;
- ASSERT(zoneid != ALL_ZONES);
- } else if (ii->ipsec_info_type == IPSEC_CTL) {
- /*
- * It's an IPsec control message requesting
- * an SADB update to be sent to the IPsec
- * hardware acceleration capable ills.
- */
- ipsec_ctl_t *ipsec_ctl =
- (ipsec_ctl_t *)mp->b_rptr;
- ipsa_t *sa = (ipsa_t *)ipsec_ctl->ipsec_ctl_sa;
- uint_t satype = ipsec_ctl->ipsec_ctl_sa_type;
- mblk_t *cmp = mp->b_cont;
-
- ASSERT(MBLKL(mp) >= sizeof (ipsec_ctl_t));
- ASSERT(cmp != NULL);
-
- freeb(mp);
- ill_ipsec_capab_send_all(satype, cmp, sa,
- ipst->ips_netstack);
- return;
- } else {
- /*
- * This must be ARP or special TSOL signaling.
- */
- ip_wput_nondata(NULL, q, mp, NULL);
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_END,
- "ip_wput_end: q %p (%S)", q, "nondata");
- return;
- }
- } else {
- /*
- * This must be non-(ARP/AH/ESP) messages.
- */
- ASSERT(!need_decref);
- ip_wput_nondata(NULL, q, mp, NULL);
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_END,
- "ip_wput_end: q %p (%S)", q, "nondata");
- return;
- }
- } else {
- first_mp = mp;
- mctl_present = B_FALSE;
- }
-
- ASSERT(first_mp != NULL);
-
- if (mctl_present) {
- io = (ipsec_out_t *)first_mp->b_rptr;
- if (io->ipsec_out_ip_nexthop) {
- /*
- * We may have lost the conn context if we are
- * coming here from ip_newroute(). Copy the
- * nexthop information.
- */
- ip_nexthop = B_TRUE;
- nexthop_addr = io->ipsec_out_nexthop_addr;
-
- ipha = (ipha_t *)mp->b_rptr;
- dst = ipha->ipha_dst;
- goto send_from_ill;
- }
- }
-
- ASSERT(xmit_ill == NULL);
-
- /* We have a complete IP datagram heading outbound. */
- ipha = (ipha_t *)mp->b_rptr;
-
-#ifndef SPEED_BEFORE_SAFETY
- /*
- * Make sure we have a full-word aligned message and that at least
- * a simple IP header is accessible in the first message. If not,
- * try a pullup. For labeled systems we need to always take this
- * path as M_CTLs are "notdata" but have trailing data to process.
- */
- if (!OK_32PTR(rptr) ||
- (mp->b_wptr - rptr) < IP_SIMPLE_HDR_LENGTH || is_system_labeled()) {
-hdrtoosmall:
- if (!pullupmsg(mp, IP_SIMPLE_HDR_LENGTH)) {
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_END,
- "ip_wput_end: q %p (%S)", q, "pullupfailed");
- if (first_mp == NULL)
- first_mp = mp;
- goto discard_pkt;
- }
-
- /* This function assumes that mp points to an IPv4 packet. */
- if (is_system_labeled() &&
- (*mp->b_rptr & 0xf0) == (IPV4_VERSION << 4) &&
- (connp == NULL || !connp->conn_ulp_labeled)) {
- cred_t *credp;
- pid_t pid;
-
- if (connp != NULL) {
- credp = BEST_CRED(mp, connp, &pid);
- err = tsol_check_label(credp, &mp,
- connp->conn_mac_mode, ipst, pid);
- } else if ((credp = msg_getcred(mp, &pid)) != NULL) {
- err = tsol_check_label(credp, &mp,
- CONN_MAC_DEFAULT, ipst, pid);
- }
- ipha = (ipha_t *)mp->b_rptr;
- if (mctl_present)
- first_mp->b_cont = mp;
- else
- first_mp = mp;
- if (err != 0) {
- if (err == EINVAL)
- goto icmp_parameter_problem;
- ip2dbg(("ip_wput: label check failed (%d)\n",
- err));
- goto discard_pkt;
- }
- }
-
- ipha = (ipha_t *)mp->b_rptr;
- if (first_mp == NULL) {
- ASSERT(xmit_ill == NULL);
- /*
- * If we got here because of "goto hdrtoosmall"
- * We need to attach a IPSEC_OUT.
- */
- if (connp->conn_out_enforce_policy) {
- if (((mp = ipsec_attach_ipsec_out(&mp, connp,
- NULL, ipha->ipha_protocol,
- ipst->ips_netstack)) == NULL)) {
- BUMP_MIB(&ipst->ips_ip_mib,
- ipIfStatsOutDiscards);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- } else {
- ASSERT(mp->b_datap->db_type == M_CTL);
- first_mp = mp;
- mp = mp->b_cont;
- mctl_present = B_TRUE;
- }
- } else {
- first_mp = mp;
- mctl_present = B_FALSE;
- }
- }
- }
-#endif
-
- /* Most of the code below is written for speed, not readability */
- v_hlen_tos_len = ((uint32_t *)ipha)[0];
-
- /*
- * If ip_newroute() fails, we're going to need a full
- * header for the icmp wraparound.
- */
- if (V_HLEN != IP_SIMPLE_HDR_VERSION) {
- uint_t v_hlen;
-version_hdrlen_check:
- ASSERT(first_mp != NULL);
- v_hlen = V_HLEN;
- /*
- * siphon off IPv6 packets coming down from transport
- * layer modules here.
- * Note: high-order bit carries NUD reachability confirmation
- */
- if (((v_hlen >> 4) & 0x7) == IPV6_VERSION) {
- /*
- * FIXME: assume that callers of ip_output* call
- * the right version?
- */
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutWrongIPVersion);
- ASSERT(xmit_ill == NULL);
- if (need_decref)
- mp->b_flag |= MSGHASREF;
- (void) ip_output_v6(arg, first_mp, arg2, caller);
- return;
- }
-
- if ((v_hlen >> 4) != IP_VERSION) {
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_END,
- "ip_wput_end: q %p (%S)", q, "badvers");
- goto discard_pkt;
- }
- /*
- * Is the header length at least 20 bytes?
- *
- * Are there enough bytes accessible in the header? If
- * not, try a pullup.
- */
- v_hlen &= 0xF;
- v_hlen <<= 2;
- if (v_hlen < IP_SIMPLE_HDR_LENGTH) {
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_END,
- "ip_wput_end: q %p (%S)", q, "badlen");
- goto discard_pkt;
- }
- if (v_hlen > (mp->b_wptr - rptr)) {
- if (!pullupmsg(mp, v_hlen)) {
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_END,
- "ip_wput_end: q %p (%S)", q, "badpullup2");
- goto discard_pkt;
- }
- ipha = (ipha_t *)mp->b_rptr;
- }
- /*
- * Move first entry from any source route into ipha_dst and
- * verify the options
- */
- if (ip_wput_options(q, first_mp, ipha, mctl_present,
- zoneid, ipst)) {
- ASSERT(xmit_ill == NULL);
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_END,
- "ip_wput_end: q %p (%S)", q, "badopts");
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- }
- }
- dst = ipha->ipha_dst;
-
- /*
- * Try to get an IRE_CACHE for the destination address. If we can't,
- * we have to run the packet through ip_newroute which will take
- * the appropriate action to arrange for an IRE_CACHE, such as querying
- * a resolver, or assigning a default gateway, etc.
- */
- if (CLASSD(dst)) {
- ipif_t *ipif;
- uint32_t setsrc = 0;
-
-multicast:
- ASSERT(first_mp != NULL);
- ip2dbg(("ip_wput: CLASSD\n"));
- if (connp == NULL) {
- /*
- * Use the first good ipif on the ill.
- * XXX Should this ever happen? (Appears
- * to show up with just ppp and no ethernet due
- * to in.rdisc.)
- * However, ire_send should be able to
- * call ip_wput_ire directly.
- *
- * XXX Also, this can happen for ICMP and other packets
- * with multicast source addresses. Perhaps we should
- * fix things so that we drop the packet in question,
- * but for now, just run with it.
- */
- ill_t *ill = (ill_t *)q->q_ptr;
-
- ipif = ipif_select_source(ill, dst, GLOBAL_ZONEID);
- if (ipif == NULL) {
- if (need_decref)
- CONN_DEC_REF(connp);
- freemsg(first_mp);
- return;
- }
- ip1dbg(("ip_wput: CLASSD no CONN: dst 0x%x on %s\n",
- ntohl(dst), ill->ill_name));
- } else {
- /*
- * The order of precedence is IP_BOUND_IF, IP_PKTINFO
- * and IP_MULTICAST_IF. The block comment above this
- * function explains the locking mechanism used here.
- */
- if (xmit_ill == NULL) {
- xmit_ill = conn_get_held_ill(connp,
- &connp->conn_outgoing_ill, &err);
- if (err == ILL_LOOKUP_FAILED) {
- ip1dbg(("ip_wput: No ill for "
- "IP_BOUND_IF\n"));
- BUMP_MIB(&ipst->ips_ip_mib,
- ipIfStatsOutNoRoutes);
- goto drop_pkt;
- }
- }
-
- if (xmit_ill == NULL) {
- ipif = conn_get_held_ipif(connp,
- &connp->conn_multicast_ipif, &err);
- if (err == IPIF_LOOKUP_FAILED) {
- ip1dbg(("ip_wput: No ipif for "
- "multicast\n"));
- BUMP_MIB(&ipst->ips_ip_mib,
- ipIfStatsOutNoRoutes);
- goto drop_pkt;
- }
- }
- if (xmit_ill != NULL) {
- ipif = ipif_get_next_ipif(NULL, xmit_ill);
- if (ipif == NULL) {
- ip1dbg(("ip_wput: No ipif for "
- "xmit_ill\n"));
- BUMP_MIB(&ipst->ips_ip_mib,
- ipIfStatsOutNoRoutes);
- goto drop_pkt;
- }
- } else if (ipif == NULL || ipif->ipif_isv6) {
- /*
- * We must do this ipif determination here
- * else we could pass through ip_newroute
- * and come back here without the conn context.
- *
- * Note: we do late binding i.e. we bind to
- * the interface when the first packet is sent.
- * For performance reasons we do not rebind on
- * each packet but keep the binding until the
- * next IP_MULTICAST_IF option.
- *
- * conn_multicast_{ipif,ill} are shared between
- * IPv4 and IPv6 and AF_INET6 sockets can
- * send both IPv4 and IPv6 packets. Hence
- * we have to check that "isv6" matches above.
- */
- if (ipif != NULL)
- ipif_refrele(ipif);
- ipif = ipif_lookup_group(dst, zoneid, ipst);
- if (ipif == NULL) {
- ip1dbg(("ip_wput: No ipif for "
- "multicast\n"));
- BUMP_MIB(&ipst->ips_ip_mib,
- ipIfStatsOutNoRoutes);
- goto drop_pkt;
- }
- err = conn_set_held_ipif(connp,
- &connp->conn_multicast_ipif, ipif);
- if (err == IPIF_LOOKUP_FAILED) {
- ipif_refrele(ipif);
- ip1dbg(("ip_wput: No ipif for "
- "multicast\n"));
- BUMP_MIB(&ipst->ips_ip_mib,
- ipIfStatsOutNoRoutes);
- goto drop_pkt;
- }
- }
- }
- ASSERT(!ipif->ipif_isv6);
- /*
- * As we may lose the conn by the time we reach ip_wput_ire,
- * we copy conn_multicast_loop and conn_dontroute on to an
- * ipsec_out. In case if this datagram goes out secure,
- * we need the ill_index also. Copy that also into the
- * ipsec_out.
- */
- if (mctl_present) {
- io = (ipsec_out_t *)first_mp->b_rptr;
- ASSERT(first_mp->b_datap->db_type == M_CTL);
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- } else {
- ASSERT(mp == first_mp);
- if ((first_mp = allocb(sizeof (ipsec_info_t),
- BPRI_HI)) == NULL) {
- ipif_refrele(ipif);
- first_mp = mp;
- goto discard_pkt;
- }
- first_mp->b_datap->db_type = M_CTL;
- first_mp->b_wptr += sizeof (ipsec_info_t);
- /* ipsec_out_secure is B_FALSE now */
- bzero(first_mp->b_rptr, sizeof (ipsec_info_t));
- io = (ipsec_out_t *)first_mp->b_rptr;
- io->ipsec_out_type = IPSEC_OUT;
- io->ipsec_out_len = sizeof (ipsec_out_t);
- io->ipsec_out_use_global_policy = B_TRUE;
- io->ipsec_out_ns = ipst->ips_netstack;
- first_mp->b_cont = mp;
- mctl_present = B_TRUE;
- }
-
- match_flags = MATCH_IRE_ILL | MATCH_IRE_SECATTR;
- io->ipsec_out_ill_index =
- ipif->ipif_ill->ill_phyint->phyint_ifindex;
-
- if (connp != NULL) {
- io->ipsec_out_multicast_loop =
- connp->conn_multicast_loop;
- io->ipsec_out_dontroute = connp->conn_dontroute;
- io->ipsec_out_zoneid = connp->conn_zoneid;
- }
- /*
- * If the application uses IP_MULTICAST_IF with
- * different logical addresses of the same ILL, we
- * need to make sure that the soruce address of
- * the packet matches the logical IP address used
- * in the option. We do it by initializing ipha_src
- * here. This should keep IPsec also happy as
- * when we return from IPsec processing, we don't
- * have to worry about getting the right address on
- * the packet. Thus it is sufficient to look for
- * IRE_CACHE using MATCH_IRE_ILL rathen than
- * MATCH_IRE_IPIF.
- *
- * NOTE : We need to do it for non-secure case also as
- * this might go out secure if there is a global policy
- * match in ip_wput_ire.
- *
- * As we do not have the ire yet, it is possible that
- * we set the source address here and then later discover
- * that the ire implies the source address to be assigned
- * through the RTF_SETSRC flag.
- * In that case, the setsrc variable will remind us
- * that overwritting the source address by the one
- * of the RTF_SETSRC-flagged ire is allowed.
- */
- if (ipha->ipha_src == INADDR_ANY &&
- (connp == NULL || !connp->conn_unspec_src)) {
- ipha->ipha_src = ipif->ipif_src_addr;
- setsrc = RTF_SETSRC;
- }
- /*
- * Find an IRE which matches the destination and the outgoing
- * queue (i.e. the outgoing interface.)
- * For loopback use a unicast IP address for
- * the ire lookup.
- */
- if (IS_LOOPBACK(ipif->ipif_ill))
- dst = ipif->ipif_lcl_addr;
-
- /*
- * If xmit_ill is set, we branch out to ip_newroute_ipif.
- * We don't need to lookup ire in ctable as the packet
- * needs to be sent to the destination through the specified
- * ill irrespective of ires in the cache table.
- */
- ire = NULL;
- if (xmit_ill == NULL) {
- ire = ire_ctable_lookup(dst, 0, 0, ipif,
- zoneid, msg_getlabel(mp), match_flags, ipst);
- }
-
- if (ire == NULL) {
- /*
- * Multicast loopback and multicast forwarding is
- * done in ip_wput_ire.
- *
- * Mark this packet to make it be delivered to
- * ip_wput_ire after the new ire has been
- * created.
- *
- * The call to ip_newroute_ipif takes into account
- * the setsrc reminder. In any case, we take care
- * of the RTF_MULTIRT flag.
- */
- mp->b_prev = mp->b_next = NULL;
- if (xmit_ill == NULL ||
- xmit_ill->ill_ipif_up_count > 0) {
- ip_newroute_ipif(q, first_mp, ipif, dst, connp,
- setsrc | RTF_MULTIRT, zoneid, infop);
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_END,
- "ip_wput_end: q %p (%S)", q, "noire");
- } else {
- freemsg(first_mp);
- }
- ipif_refrele(ipif);
- if (xmit_ill != NULL)
- ill_refrele(xmit_ill);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- }
-
- ipif_refrele(ipif);
- ipif = NULL;
- ASSERT(xmit_ill == NULL);
-
- /*
- * Honor the RTF_SETSRC flag for multicast packets,
- * if allowed by the setsrc reminder.
- */
- if ((ire->ire_flags & RTF_SETSRC) && setsrc) {
- ipha->ipha_src = ire->ire_src_addr;
- }
-
- /*
- * Unconditionally force the TTL to 1 for
- * multirouted multicast packets:
- * multirouted multicast should not cross
- * multicast routers.
- */
- if (ire->ire_flags & RTF_MULTIRT) {
- if (ipha->ipha_ttl > 1) {
- ip2dbg(("ip_wput: forcing multicast "
- "multirt TTL to 1 (was %d), dst 0x%08x\n",
- ipha->ipha_ttl, ntohl(ire->ire_addr)));
- ipha->ipha_ttl = 1;
- }
- }
- } else {
- ire = ire_cache_lookup(dst, zoneid, msg_getlabel(mp), ipst);
- if ((ire != NULL) && (ire->ire_type &
- (IRE_BROADCAST | IRE_LOCAL | IRE_LOOPBACK))) {
- ignore_dontroute = B_TRUE;
- ignore_nexthop = B_TRUE;
- }
- if (ire != NULL) {
- ire_refrele(ire);
- ire = NULL;
- }
- /*
- * Guard against coming in from arp in which case conn is NULL.
- * Also guard against non M_DATA with dontroute set but
- * destined to local, loopback or broadcast addresses.
- */
- if (connp != NULL && connp->conn_dontroute &&
- !ignore_dontroute) {
-dontroute:
- /*
- * Set TTL to 1 if SO_DONTROUTE is set to prevent
- * routing protocols from seeing false direct
- * connectivity.
- */
- ipha->ipha_ttl = 1;
- /* If suitable ipif not found, drop packet */
- dst_ipif = ipif_lookup_onlink_addr(dst, zoneid, ipst);
- if (dst_ipif == NULL) {
-noroute:
- ip1dbg(("ip_wput: no route for dst using"
- " SO_DONTROUTE\n"));
- BUMP_MIB(&ipst->ips_ip_mib,
- ipIfStatsOutNoRoutes);
- mp->b_prev = mp->b_next = NULL;
- if (first_mp == NULL)
- first_mp = mp;
- goto drop_pkt;
- } else {
- /*
- * If suitable ipif has been found, set
- * xmit_ill to the corresponding
- * ipif_ill because we'll be using the
- * send_from_ill logic below.
- */
- ASSERT(xmit_ill == NULL);
- xmit_ill = dst_ipif->ipif_ill;
- mutex_enter(&xmit_ill->ill_lock);
- if (!ILL_CAN_LOOKUP(xmit_ill)) {
- mutex_exit(&xmit_ill->ill_lock);
- xmit_ill = NULL;
- ipif_refrele(dst_ipif);
- goto noroute;
- }
- ill_refhold_locked(xmit_ill);
- mutex_exit(&xmit_ill->ill_lock);
- ipif_refrele(dst_ipif);
- }
- }
-
-send_from_ill:
- if (xmit_ill != NULL) {
- ipif_t *ipif;
-
- /*
- * Mark this packet as originated locally
- */
- mp->b_prev = mp->b_next = NULL;
-
- /*
- * Could be SO_DONTROUTE case also.
- * Verify that at least one ipif is up on the ill.
- */
- if (xmit_ill->ill_ipif_up_count == 0) {
- ip1dbg(("ip_output: xmit_ill %s is down\n",
- xmit_ill->ill_name));
- goto drop_pkt;
- }
-
- ipif = ipif_get_next_ipif(NULL, xmit_ill);
- if (ipif == NULL) {
- ip1dbg(("ip_output: xmit_ill %s NULL ipif\n",
- xmit_ill->ill_name));
- goto drop_pkt;
- }
-
- match_flags = 0;
- if (IS_UNDER_IPMP(xmit_ill))
- match_flags |= MATCH_IRE_MARK_TESTHIDDEN;
-
- /*
- * Look for a ire that is part of the group,
- * if found use it else call ip_newroute_ipif.
- * IPCL_ZONEID is not used for matching because
- * IP_ALLZONES option is valid only when the
- * ill is accessible from all zones i.e has a
- * valid ipif in all zones.
- */
- match_flags |= MATCH_IRE_ILL | MATCH_IRE_SECATTR;
- ire = ire_ctable_lookup(dst, 0, 0, ipif, zoneid,
- msg_getlabel(mp), match_flags, ipst);
- /*
- * If an ire exists use it or else create
- * an ire but don't add it to the cache.
- * Adding an ire may cause issues with
- * asymmetric routing.
- * In case of multiroute always act as if
- * ire does not exist.
- */
- if (ire == NULL || ire->ire_flags & RTF_MULTIRT) {
- if (ire != NULL)
- ire_refrele(ire);
- ip_newroute_ipif(q, first_mp, ipif,
- dst, connp, 0, zoneid, infop);
- ipif_refrele(ipif);
- ip1dbg(("ip_output: xmit_ill via %s\n",
- xmit_ill->ill_name));
- ill_refrele(xmit_ill);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- }
- ipif_refrele(ipif);
- } else if (ip_nexthop || (connp != NULL &&
- (connp->conn_nexthop_set)) && !ignore_nexthop) {
- if (!ip_nexthop) {
- ip_nexthop = B_TRUE;
- nexthop_addr = connp->conn_nexthop_v4;
- }
- match_flags = MATCH_IRE_MARK_PRIVATE_ADDR |
- MATCH_IRE_GW;
- ire = ire_ctable_lookup(dst, nexthop_addr, 0,
- NULL, zoneid, msg_getlabel(mp), match_flags, ipst);
- } else {
- ire = ire_cache_lookup(dst, zoneid, msg_getlabel(mp),
- ipst);
- }
- if (!ire) {
- if (ip_nexthop && !ignore_nexthop) {
- if (mctl_present) {
- io = (ipsec_out_t *)first_mp->b_rptr;
- ASSERT(first_mp->b_datap->db_type ==
- M_CTL);
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- } else {
- ASSERT(mp == first_mp);
- first_mp = allocb(
- sizeof (ipsec_info_t), BPRI_HI);
- if (first_mp == NULL) {
- first_mp = mp;
- goto discard_pkt;
- }
- first_mp->b_datap->db_type = M_CTL;
- first_mp->b_wptr +=
- sizeof (ipsec_info_t);
- /* ipsec_out_secure is B_FALSE now */
- bzero(first_mp->b_rptr,
- sizeof (ipsec_info_t));
- io = (ipsec_out_t *)first_mp->b_rptr;
- io->ipsec_out_type = IPSEC_OUT;
- io->ipsec_out_len =
- sizeof (ipsec_out_t);
- io->ipsec_out_use_global_policy =
- B_TRUE;
- io->ipsec_out_ns = ipst->ips_netstack;
- first_mp->b_cont = mp;
- mctl_present = B_TRUE;
- }
- io->ipsec_out_ip_nexthop = ip_nexthop;
- io->ipsec_out_nexthop_addr = nexthop_addr;
- }
-noirefound:
- /*
- * Mark this packet as having originated on
- * this machine. This will be noted in
- * ire_add_then_send, which needs to know
- * whether to run it back through ip_wput or
- * ip_rput following successful resolution.
- */
- mp->b_prev = NULL;
- mp->b_next = NULL;
- ip_newroute(q, first_mp, dst, connp, zoneid, ipst);
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_END,
- "ip_wput_end: q %p (%S)", q, "newroute");
- if (xmit_ill != NULL)
- ill_refrele(xmit_ill);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- }
- }
-
- /* We now know where we are going with it. */
-
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_END,
- "ip_wput_end: q %p (%S)", q, "end");
-
- /*
- * Check if the ire has the RTF_MULTIRT flag, inherited
- * from an IRE_OFFSUBNET ire entry in ip_newroute.
- */
- if (ire->ire_flags & RTF_MULTIRT) {
- /*
- * Force the TTL of multirouted packets if required.
- * The TTL of such packets is bounded by the
- * ip_multirt_ttl ndd variable.
- */
- if ((ipst->ips_ip_multirt_ttl > 0) &&
- (ipha->ipha_ttl > ipst->ips_ip_multirt_ttl)) {
- ip2dbg(("ip_wput: forcing multirt TTL to %d "
- "(was %d), dst 0x%08x\n",
- ipst->ips_ip_multirt_ttl, ipha->ipha_ttl,
- ntohl(ire->ire_addr)));
- ipha->ipha_ttl = ipst->ips_ip_multirt_ttl;
- }
- /*
- * At this point, we check to see if there are any pending
- * unresolved routes. ire_multirt_resolvable()
- * checks in O(n) that all IRE_OFFSUBNET ire
- * entries for the packet's destination and
- * flagged RTF_MULTIRT are currently resolved.
- * If some remain unresolved, we make a copy
- * of the current message. It will be used
- * to initiate additional route resolutions.
- */
- multirt_need_resolve = ire_multirt_need_resolve(ire->ire_addr,
- msg_getlabel(first_mp), ipst);
- ip2dbg(("ip_wput[noirefound]: ire %p, "
- "multirt_need_resolve %d, first_mp %p\n",
- (void *)ire, multirt_need_resolve, (void *)first_mp));
- if (multirt_need_resolve) {
- copy_mp = copymsg(first_mp);
- if (copy_mp != NULL) {
- MULTIRT_DEBUG_TAG(copy_mp);
- }
- }
- }
-
- ip_wput_ire(q, first_mp, ire, connp, caller, zoneid);
- /*
- * Try to resolve another multiroute if
- * ire_multirt_resolvable() deemed it necessary.
- * At this point, we need to distinguish
- * multicasts from other packets. For multicasts,
- * we call ip_newroute_ipif() and request that both
- * multirouting and setsrc flags are checked.
- */
- if (copy_mp != NULL) {
- if (CLASSD(dst)) {
- ipif_t *ipif = ipif_lookup_group(dst, zoneid, ipst);
- if (ipif) {
- ASSERT(infop->ip_opt_ill_index == 0);
- ip_newroute_ipif(q, copy_mp, ipif, dst, connp,
- RTF_SETSRC | RTF_MULTIRT, zoneid, infop);
- ipif_refrele(ipif);
- } else {
- MULTIRT_DEBUG_UNTAG(copy_mp);
- freemsg(copy_mp);
- copy_mp = NULL;
- }
- } else {
- ip_newroute(q, copy_mp, dst, connp, zoneid, ipst);
- }
- }
- if (xmit_ill != NULL)
- ill_refrele(xmit_ill);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
-
-icmp_parameter_problem:
- /* could not have originated externally */
- ASSERT(mp->b_prev == NULL);
- if (ip_hdr_complete(ipha, zoneid, ipst) == 0) {
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutNoRoutes);
- /* it's the IP header length that's in trouble */
- icmp_param_problem(q, first_mp, 0, zoneid, ipst);
- first_mp = NULL;
- }
-
-discard_pkt:
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
-drop_pkt:
- ip1dbg(("ip_wput: dropped packet\n"));
- if (ire != NULL)
- ire_refrele(ire);
- if (need_decref)
- CONN_DEC_REF(connp);
- freemsg(first_mp);
- if (xmit_ill != NULL)
- ill_refrele(xmit_ill);
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_END,
- "ip_wput_end: q %p (%S)", q, "droppkt");
-}
-
-/*
- * If this is a conn_t queue, then we pass in the conn. This includes the
- * zoneid.
- * Otherwise, this is a message coming back from ARP or for an ill_t queue,
- * in which case we use the global zoneid since those are all part of
- * the global zone.
- */
-void
-ip_wput(queue_t *q, mblk_t *mp)
-{
- if (CONN_Q(q))
- ip_output(Q_TO_CONN(q), mp, q, IP_WPUT);
- else
- ip_output(GLOBAL_ZONEID, mp, q, IP_WPUT);
-}
-
-/*
- *
- * The following rules must be observed when accessing any ipif or ill
- * that has been cached in the conn. Typically conn_outgoing_ill,
- * conn_multicast_ipif and conn_multicast_ill.
- *
- * Access: The ipif or ill pointed to from the conn can be accessed under
- * the protection of the conn_lock or after it has been refheld under the
- * protection of the conn lock. In addition the IPIF_CAN_LOOKUP or
- * ILL_CAN_LOOKUP macros must be used before actually doing the refhold.
- * The reason for this is that a concurrent unplumb could actually be
- * cleaning up these cached pointers by walking the conns and might have
- * finished cleaning up the conn in question. The macros check that an
- * unplumb has not yet started on the ipif or ill.
- *
- * Caching: An ipif or ill pointer may be cached in the conn only after
- * making sure that an unplumb has not started. So the caching is done
- * while holding both the conn_lock and the ill_lock and after using the
- * ILL_CAN_LOOKUP/IPIF_CAN_LOOKUP macro. An unplumb will set the ILL_CONDEMNED
- * flag before starting the cleanup of conns.
- *
- * The list of ipifs hanging off the ill is protected by ill_g_lock and ill_lock
- * On the other hand to access ipif->ipif_ill, we need one of either ill_g_lock
- * or a reference to the ipif or a reference to an ire that references the
- * ipif. An ipif only changes its ill when migrating from an underlying ill
- * to an IPMP ill in ipif_up().
- */
-ipif_t *
-conn_get_held_ipif(conn_t *connp, ipif_t **ipifp, int *err)
-{
- ipif_t *ipif;
- ill_t *ill;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- *err = 0;
- rw_enter(&ipst->ips_ill_g_lock, RW_READER);
- mutex_enter(&connp->conn_lock);
- ipif = *ipifp;
- if (ipif != NULL) {
- ill = ipif->ipif_ill;
- mutex_enter(&ill->ill_lock);
- if (IPIF_CAN_LOOKUP(ipif)) {
- ipif_refhold_locked(ipif);
- mutex_exit(&ill->ill_lock);
- mutex_exit(&connp->conn_lock);
- rw_exit(&ipst->ips_ill_g_lock);
- return (ipif);
- } else {
- *err = IPIF_LOOKUP_FAILED;
- }
- mutex_exit(&ill->ill_lock);
- }
- mutex_exit(&connp->conn_lock);
- rw_exit(&ipst->ips_ill_g_lock);
- return (NULL);
-}
-
-ill_t *
-conn_get_held_ill(conn_t *connp, ill_t **illp, int *err)
-{
- ill_t *ill;
-
- *err = 0;
- mutex_enter(&connp->conn_lock);
- ill = *illp;
- if (ill != NULL) {
- mutex_enter(&ill->ill_lock);
- if (ILL_CAN_LOOKUP(ill)) {
- ill_refhold_locked(ill);
- mutex_exit(&ill->ill_lock);
- mutex_exit(&connp->conn_lock);
- return (ill);
- } else {
- *err = ILL_LOOKUP_FAILED;
- }
- mutex_exit(&ill->ill_lock);
- }
- mutex_exit(&connp->conn_lock);
- return (NULL);
-}
-
-static int
-conn_set_held_ipif(conn_t *connp, ipif_t **ipifp, ipif_t *ipif)
-{
- ill_t *ill;
-
- ill = ipif->ipif_ill;
- mutex_enter(&connp->conn_lock);
- mutex_enter(&ill->ill_lock);
- if (IPIF_CAN_LOOKUP(ipif)) {
- *ipifp = ipif;
- mutex_exit(&ill->ill_lock);
- mutex_exit(&connp->conn_lock);
- return (0);
- }
- mutex_exit(&ill->ill_lock);
- mutex_exit(&connp->conn_lock);
- return (IPIF_LOOKUP_FAILED);
-}
-
-/*
- * This is called if the outbound datagram needs fragmentation.
- *
- * NOTE : This function does not ire_refrele the ire argument passed in.
- */
-static void
-ip_wput_ire_fragmentit(mblk_t *ipsec_mp, ire_t *ire, zoneid_t zoneid,
- ip_stack_t *ipst, conn_t *connp)
-{
- ipha_t *ipha;
- mblk_t *mp;
- uint32_t v_hlen_tos_len;
- uint32_t max_frag;
- uint32_t frag_flag;
- boolean_t dont_use;
-
- if (ipsec_mp->b_datap->db_type == M_CTL) {
- mp = ipsec_mp->b_cont;
- } else {
- mp = ipsec_mp;
- }
-
- ipha = (ipha_t *)mp->b_rptr;
- v_hlen_tos_len = ((uint32_t *)ipha)[0];
-
-#ifdef _BIG_ENDIAN
-#define V_HLEN (v_hlen_tos_len >> 24)
-#define LENGTH (v_hlen_tos_len & 0xFFFF)
-#else
-#define V_HLEN (v_hlen_tos_len & 0xFF)
-#define LENGTH ((v_hlen_tos_len >> 24) | ((v_hlen_tos_len >> 8) & 0xFF00))
-#endif
-
-#ifndef SPEED_BEFORE_SAFETY
- /*
- * Check that ipha_length is consistent with
- * the mblk length
- */
- if (LENGTH != (mp->b_cont ? msgdsize(mp) : mp->b_wptr - rptr)) {
- ip0dbg(("Packet length mismatch: %d, %ld\n",
- LENGTH, msgdsize(mp)));
- freemsg(ipsec_mp);
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_IRE_END,
- "ip_wput_ire_fragmentit: mp %p (%S)", mp,
- "packet length mismatch");
- return;
- }
-#endif
- /*
- * Don't use frag_flag if pre-built packet or source
- * routed or if multicast (since multicast packets do not solicit
- * ICMP "packet too big" messages). Get the values of
- * max_frag and frag_flag atomically by acquiring the
- * ire_lock.
- */
- mutex_enter(&ire->ire_lock);
- max_frag = ire->ire_max_frag;
- frag_flag = ire->ire_frag_flag;
- mutex_exit(&ire->ire_lock);
-
- dont_use = ((ipha->ipha_ident == IP_HDR_INCLUDED) ||
- (V_HLEN != IP_SIMPLE_HDR_VERSION &&
- ip_source_route_included(ipha)) || CLASSD(ipha->ipha_dst));
-
- ip_wput_frag(ire, ipsec_mp, OB_PKT, max_frag,
- (dont_use ? 0 : frag_flag), zoneid, ipst, connp);
-}
-
-/*
* Used for deciding the MSS size for the upper layer. Thus
* we need to check the outbound policy values in the conn.
*/
@@ -21820,10 +11595,10 @@ conn_ipsec_length(conn_t *connp)
if (ipl == NULL)
return (0);
- if (ipl->ipl_out_policy == NULL)
+ if (connp->conn_ixa->ixa_ipsec_policy == NULL)
return (0);
- return (ipl->ipl_out_policy->ipsp_act->ipa_ovhd);
+ return (connp->conn_ixa->ixa_ipsec_policy->ipsp_act->ipa_ovhd);
}
/*
@@ -21831,20 +11606,17 @@ conn_ipsec_length(conn_t *connp)
* we don't want to call into IPsec to get the exact size.
*/
int
-ipsec_out_extra_length(mblk_t *ipsec_mp)
+ipsec_out_extra_length(ip_xmit_attr_t *ixa)
{
- ipsec_out_t *io = (ipsec_out_t *)ipsec_mp->b_rptr;
ipsec_action_t *a;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- if (!io->ipsec_out_secure)
+ if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE))
return (0);
- a = io->ipsec_out_act;
-
+ a = ixa->ixa_ipsec_action;
if (a == NULL) {
- ASSERT(io->ipsec_out_policy != NULL);
- a = io->ipsec_out_policy->ipsp_act;
+ ASSERT(ixa->ixa_ipsec_policy != NULL);
+ a = ixa->ixa_ipsec_policy->ipsp_act;
}
ASSERT(a != NULL);
@@ -21852,22 +11624,6 @@ ipsec_out_extra_length(mblk_t *ipsec_mp)
}
/*
- * Returns an estimate of the IPsec headers size. This is used if
- * we don't want to call into IPsec to get the exact size.
- */
-int
-ipsec_in_extra_length(mblk_t *ipsec_mp)
-{
- ipsec_in_t *ii = (ipsec_in_t *)ipsec_mp->b_rptr;
- ipsec_action_t *a;
-
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
-
- a = ii->ipsec_in_action;
- return (a == NULL ? 0 : a->ipa_ovhd);
-}
-
-/*
* If there are any source route options, return the true final
* destination. Otherwise, return the destination.
*/
@@ -21914,2257 +11670,70 @@ ip_get_dst(ipha_t *ipha)
return (dst);
}
-mblk_t *
-ip_wput_ire_parse_ipsec_out(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h, ire_t *ire,
- conn_t *connp, boolean_t unspec_src, zoneid_t zoneid)
-{
- ipsec_out_t *io;
- mblk_t *first_mp;
- boolean_t policy_present;
- ip_stack_t *ipst;
- ipsec_stack_t *ipss;
-
- ASSERT(ire != NULL);
- ipst = ire->ire_ipst;
- ipss = ipst->ips_netstack->netstack_ipsec;
-
- first_mp = mp;
- if (mp->b_datap->db_type == M_CTL) {
- io = (ipsec_out_t *)first_mp->b_rptr;
- /*
- * ip_wput[_v6] attaches an IPSEC_OUT in two cases.
- *
- * 1) There is per-socket policy (including cached global
- * policy) or a policy on the IP-in-IP tunnel.
- * 2) There is no per-socket policy, but it is
- * a multicast packet that needs to go out
- * on a specific interface. This is the case
- * where (ip_wput and ip_wput_multicast) attaches
- * an IPSEC_OUT and sets ipsec_out_secure B_FALSE.
- *
- * In case (2) we check with global policy to
- * see if there is a match and set the ill_index
- * appropriately so that we can lookup the ire
- * properly in ip_wput_ipsec_out.
- */
-
- /*
- * ipsec_out_use_global_policy is set to B_FALSE
- * in ipsec_in_to_out(). Refer to that function for
- * details.
- */
- if ((io->ipsec_out_latch == NULL) &&
- (io->ipsec_out_use_global_policy)) {
- return (ip_wput_attach_policy(first_mp, ipha, ip6h,
- ire, connp, unspec_src, zoneid));
- }
- if (!io->ipsec_out_secure) {
- /*
- * If this is not a secure packet, drop
- * the IPSEC_OUT mp and treat it as a clear
- * packet. This happens when we are sending
- * a ICMP reply back to a clear packet. See
- * ipsec_in_to_out() for details.
- */
- mp = first_mp->b_cont;
- freeb(first_mp);
- }
- return (mp);
- }
- /*
- * See whether we need to attach a global policy here. We
- * don't depend on the conn (as it could be null) for deciding
- * what policy this datagram should go through because it
- * should have happened in ip_wput if there was some
- * policy. This normally happens for connections which are not
- * fully bound preventing us from caching policies in
- * ip_bind. Packets coming from the TCP listener/global queue
- * - which are non-hard_bound - could also be affected by
- * applying policy here.
- *
- * If this packet is coming from tcp global queue or listener,
- * we will be applying policy here. This may not be *right*
- * if these packets are coming from the detached connection as
- * it could have gone in clear before. This happens only if a
- * TCP connection started when there is no policy and somebody
- * added policy before it became detached. Thus packets of the
- * detached connection could go out secure and the other end
- * would drop it because it will be expecting in clear. The
- * converse is not true i.e if somebody starts a TCP
- * connection and deletes the policy, all the packets will
- * still go out with the policy that existed before deleting
- * because ip_unbind sends up policy information which is used
- * by TCP on subsequent ip_wputs. The right solution is to fix
- * TCP to attach a dummy IPSEC_OUT and set
- * ipsec_out_use_global_policy to B_FALSE. As this might
- * affect performance for normal cases, we are not doing it.
- * Thus, set policy before starting any TCP connections.
- *
- * NOTE - We might apply policy even for a hard bound connection
- * - for which we cached policy in ip_bind - if somebody added
- * global policy after we inherited the policy in ip_bind.
- * This means that the packets that were going out in clear
- * previously would start going secure and hence get dropped
- * on the other side. To fix this, TCP attaches a dummy
- * ipsec_out and make sure that we don't apply global policy.
- */
- if (ipha != NULL)
- policy_present = ipss->ipsec_outbound_v4_policy_present;
- else
- policy_present = ipss->ipsec_outbound_v6_policy_present;
- if (!policy_present)
- return (mp);
-
- return (ip_wput_attach_policy(mp, ipha, ip6h, ire, connp, unspec_src,
- zoneid));
-}
-
-/*
- * This function does the ire_refrele of the ire passed in as the
- * argument. As this function looks up more ires i.e broadcast ires,
- * it needs to REFRELE them. Currently, for simplicity we don't
- * differentiate the one passed in and looked up here. We always
- * REFRELE.
- * IPQoS Notes:
- * IP policy is invoked if IPP_LOCAL_OUT is enabled. Processing for
- * IPsec packets are done in ipsec_out_process.
- */
-void
-ip_wput_ire(queue_t *q, mblk_t *mp, ire_t *ire, conn_t *connp, int caller,
- zoneid_t zoneid)
-{
- ipha_t *ipha;
-#define rptr ((uchar_t *)ipha)
- queue_t *stq;
-#define Q_TO_INDEX(stq) (((ill_t *)stq->q_ptr)->ill_phyint->phyint_ifindex)
- uint32_t v_hlen_tos_len;
- uint32_t ttl_protocol;
- ipaddr_t src;
- ipaddr_t dst;
- uint32_t cksum;
- ipaddr_t orig_src;
- ire_t *ire1;
- mblk_t *next_mp;
- uint_t hlen;
- uint16_t *up;
- uint32_t max_frag = ire->ire_max_frag;
- ill_t *ill = ire_to_ill(ire);
- int clusterwide;
- uint16_t ip_hdr_included; /* IP header included by ULP? */
- int ipsec_len;
- mblk_t *first_mp;
- ipsec_out_t *io;
- boolean_t conn_dontroute; /* conn value for multicast */
- boolean_t conn_multicast_loop; /* conn value for multicast */
- boolean_t multicast_forward; /* Should we forward ? */
- boolean_t unspec_src;
- ill_t *conn_outgoing_ill = NULL;
- ill_t *ire_ill;
- ill_t *ire1_ill;
- ill_t *out_ill;
- uint32_t ill_index = 0;
- boolean_t multirt_send = B_FALSE;
- int err;
- ipxmit_state_t pktxmit_state;
- ip_stack_t *ipst = ire->ire_ipst;
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
-
- TRACE_1(TR_FAC_IP, TR_IP_WPUT_IRE_START,
- "ip_wput_ire_start: q %p", q);
-
- multicast_forward = B_FALSE;
- unspec_src = (connp != NULL && connp->conn_unspec_src);
-
- if (ire->ire_flags & RTF_MULTIRT) {
- /*
- * Multirouting case. The bucket where ire is stored
- * probably holds other RTF_MULTIRT flagged ire
- * to the destination. In this call to ip_wput_ire,
- * we attempt to send the packet through all
- * those ires. Thus, we first ensure that ire is the
- * first RTF_MULTIRT ire in the bucket,
- * before walking the ire list.
- */
- ire_t *first_ire;
- irb_t *irb = ire->ire_bucket;
- ASSERT(irb != NULL);
-
- /* Make sure we do not omit any multiroute ire. */
- IRB_REFHOLD(irb);
- for (first_ire = irb->irb_ire;
- first_ire != NULL;
- first_ire = first_ire->ire_next) {
- if ((first_ire->ire_flags & RTF_MULTIRT) &&
- (first_ire->ire_addr == ire->ire_addr) &&
- !(first_ire->ire_marks &
- (IRE_MARK_CONDEMNED | IRE_MARK_TESTHIDDEN)))
- break;
- }
-
- if ((first_ire != NULL) && (first_ire != ire)) {
- IRE_REFHOLD(first_ire);
- ire_refrele(ire);
- ire = first_ire;
- ill = ire_to_ill(ire);
- }
- IRB_REFRELE(irb);
- }
-
- /*
- * conn_outgoing_ill variable is used only in the broadcast loop.
- * for performance we don't grab the mutexs in the fastpath
- */
- if (ire->ire_type == IRE_BROADCAST && connp != NULL &&
- connp->conn_outgoing_ill != NULL) {
- conn_outgoing_ill = conn_get_held_ill(connp,
- &connp->conn_outgoing_ill, &err);
- if (err == ILL_LOOKUP_FAILED) {
- ire_refrele(ire);
- freemsg(mp);
- return;
- }
- }
-
- if (mp->b_datap->db_type != M_CTL) {
- ipha = (ipha_t *)mp->b_rptr;
- } else {
- io = (ipsec_out_t *)mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- ASSERT(zoneid == io->ipsec_out_zoneid);
- ASSERT(zoneid != ALL_ZONES);
- ipha = (ipha_t *)mp->b_cont->b_rptr;
- dst = ipha->ipha_dst;
- /*
- * For the multicast case, ipsec_out carries conn_dontroute and
- * conn_multicast_loop as conn may not be available here. We
- * need this for multicast loopback and forwarding which is done
- * later in the code.
- */
- if (CLASSD(dst)) {
- conn_dontroute = io->ipsec_out_dontroute;
- conn_multicast_loop = io->ipsec_out_multicast_loop;
- /*
- * If conn_dontroute is not set or conn_multicast_loop
- * is set, we need to do forwarding/loopback. For
- * datagrams from ip_wput_multicast, conn_dontroute is
- * set to B_TRUE and conn_multicast_loop is set to
- * B_FALSE so that we neither do forwarding nor
- * loopback.
- */
- if (!conn_dontroute || conn_multicast_loop)
- multicast_forward = B_TRUE;
- }
- }
-
- if (ire->ire_type == IRE_LOCAL && ire->ire_zoneid != zoneid &&
- ire->ire_zoneid != ALL_ZONES) {
- /*
- * When a zone sends a packet to another zone, we try to deliver
- * the packet under the same conditions as if the destination
- * was a real node on the network. To do so, we look for a
- * matching route in the forwarding table.
- * RTF_REJECT and RTF_BLACKHOLE are handled just like
- * ip_newroute() does.
- * Note that IRE_LOCAL are special, since they are used
- * when the zoneid doesn't match in some cases. This means that
- * we need to handle ipha_src differently since ire_src_addr
- * belongs to the receiving zone instead of the sending zone.
- * When ip_restrict_interzone_loopback is set, then
- * ire_cache_lookup() ensures that IRE_LOCAL are only used
- * for loopback between zones when the logical "Ethernet" would
- * have looped them back.
- */
- ire_t *src_ire;
-
- src_ire = ire_ftable_lookup(ipha->ipha_dst, 0, 0, 0,
- NULL, NULL, zoneid, 0, NULL, (MATCH_IRE_RECURSIVE |
- MATCH_IRE_DEFAULT | MATCH_IRE_RJ_BHOLE), ipst);
- if (src_ire != NULL &&
- !(src_ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE)) &&
- (!ipst->ips_ip_restrict_interzone_loopback ||
- ire_local_same_lan(ire, src_ire))) {
- if (ipha->ipha_src == INADDR_ANY && !unspec_src)
- ipha->ipha_src = src_ire->ire_src_addr;
- ire_refrele(src_ire);
- } else {
- ire_refrele(ire);
- if (conn_outgoing_ill != NULL)
- ill_refrele(conn_outgoing_ill);
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutNoRoutes);
- if (src_ire != NULL) {
- if (src_ire->ire_flags & RTF_BLACKHOLE) {
- ire_refrele(src_ire);
- freemsg(mp);
- return;
- }
- ire_refrele(src_ire);
- }
- if (ip_hdr_complete(ipha, zoneid, ipst)) {
- /* Failed */
- freemsg(mp);
- return;
- }
- icmp_unreachable(q, mp, ICMP_HOST_UNREACHABLE, zoneid,
- ipst);
- return;
- }
- }
-
- if (mp->b_datap->db_type == M_CTL ||
- ipss->ipsec_outbound_v4_policy_present) {
- mp = ip_wput_ire_parse_ipsec_out(mp, ipha, NULL, ire, connp,
- unspec_src, zoneid);
- if (mp == NULL) {
- ire_refrele(ire);
- if (conn_outgoing_ill != NULL)
- ill_refrele(conn_outgoing_ill);
- return;
- }
- /*
- * Trusted Extensions supports all-zones interfaces, so
- * zoneid == ALL_ZONES is valid, but IPsec maps ALL_ZONES to
- * the global zone.
- */
- if (zoneid == ALL_ZONES && mp->b_datap->db_type == M_CTL) {
- io = (ipsec_out_t *)mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- zoneid = io->ipsec_out_zoneid;
- }
- }
-
- first_mp = mp;
- ipsec_len = 0;
-
- if (first_mp->b_datap->db_type == M_CTL) {
- io = (ipsec_out_t *)first_mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- mp = first_mp->b_cont;
- ipsec_len = ipsec_out_extra_length(first_mp);
- ASSERT(ipsec_len >= 0);
- if (zoneid == ALL_ZONES)
- zoneid = GLOBAL_ZONEID;
- /* We already picked up the zoneid from the M_CTL above */
- ASSERT(zoneid == io->ipsec_out_zoneid);
-
- /*
- * Drop M_CTL here if IPsec processing is not needed.
- * (Non-IPsec use of M_CTL extracted any information it
- * needed above).
- */
- if (ipsec_len == 0) {
- freeb(first_mp);
- first_mp = mp;
- }
- }
-
- /*
- * Fast path for ip_wput_ire
- */
-
- ipha = (ipha_t *)mp->b_rptr;
- v_hlen_tos_len = ((uint32_t *)ipha)[0];
- dst = ipha->ipha_dst;
-
- /*
- * ICMP(RAWIP) module should set the ipha_ident to IP_HDR_INCLUDED
- * if the socket is a SOCK_RAW type. The transport checksum should
- * be provided in the pre-built packet, so we don't need to compute it.
- * Also, other application set flags, like DF, should not be altered.
- * Other transport MUST pass down zero.
- */
- ip_hdr_included = ipha->ipha_ident;
- ASSERT(ipha->ipha_ident == 0 || ipha->ipha_ident == IP_HDR_INCLUDED);
-
- if (CLASSD(dst)) {
- ip1dbg(("ip_wput_ire: to 0x%x ire %s addr 0x%x\n",
- ntohl(dst),
- ip_nv_lookup(ire_nv_tbl, ire->ire_type),
- ntohl(ire->ire_addr)));
- }
-
-/* Macros to extract header fields from data already in registers */
-#ifdef _BIG_ENDIAN
-#define V_HLEN (v_hlen_tos_len >> 24)
-#define LENGTH (v_hlen_tos_len & 0xFFFF)
-#define PROTO (ttl_protocol & 0xFF)
-#else
-#define V_HLEN (v_hlen_tos_len & 0xFF)
-#define LENGTH ((v_hlen_tos_len >> 24) | ((v_hlen_tos_len >> 8) & 0xFF00))
-#define PROTO (ttl_protocol >> 8)
-#endif
-
- orig_src = src = ipha->ipha_src;
- /* (The loop back to "another" is explained down below.) */
-another:;
- /*
- * Assign an ident value for this packet. We assign idents on
- * a per destination basis out of the IRE. There could be
- * other threads targeting the same destination, so we have to
- * arrange for a atomic increment. Note that we use a 32-bit
- * atomic add because it has better performance than its
- * 16-bit sibling.
- *
- * If running in cluster mode and if the source address
- * belongs to a replicated service then vector through
- * cl_inet_ipident vector to allocate ip identifier
- * NOTE: This is a contract private interface with the
- * clustering group.
- */
- clusterwide = 0;
- if (cl_inet_ipident) {
- ASSERT(cl_inet_isclusterwide);
- netstackid_t stack_id = ipst->ips_netstack->netstack_stackid;
-
- if ((*cl_inet_isclusterwide)(stack_id, IPPROTO_IP,
- AF_INET, (uint8_t *)(uintptr_t)src, NULL)) {
- ipha->ipha_ident = (*cl_inet_ipident)(stack_id,
- IPPROTO_IP, AF_INET, (uint8_t *)(uintptr_t)src,
- (uint8_t *)(uintptr_t)dst, NULL);
- clusterwide = 1;
- }
- }
- if (!clusterwide) {
- ipha->ipha_ident =
- (uint16_t)atomic_add_32_nv(&ire->ire_ident, 1);
- }
-
-#ifndef _BIG_ENDIAN
- ipha->ipha_ident = (ipha->ipha_ident << 8) | (ipha->ipha_ident >> 8);
-#endif
-
- /*
- * Set source address unless sent on an ill or conn_unspec_src is set.
- * This is needed to obey conn_unspec_src when packets go through
- * ip_newroute + arp.
- * Assumes ip_newroute{,_multi} sets the source address as well.
- */
- if (src == INADDR_ANY && !unspec_src) {
- /*
- * Assign the appropriate source address from the IRE if none
- * was specified.
- */
- ASSERT(ire->ire_ipversion == IPV4_VERSION);
-
- src = ire->ire_src_addr;
- if (connp == NULL) {
- ip1dbg(("ip_wput_ire: no connp and no src "
- "address for dst 0x%x, using src 0x%x\n",
- ntohl(dst),
- ntohl(src)));
- }
- ipha->ipha_src = src;
- }
- stq = ire->ire_stq;
-
- /*
- * We only allow ire chains for broadcasts since there will
- * be multiple IRE_CACHE entries for the same multicast
- * address (one per ipif).
- */
- next_mp = NULL;
-
- /* broadcast packet */
- if (ire->ire_type == IRE_BROADCAST)
- goto broadcast;
-
- /* loopback ? */
- if (stq == NULL)
- goto nullstq;
-
- /* The ill_index for outbound ILL */
- ill_index = Q_TO_INDEX(stq);
-
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
- ttl_protocol = ((uint16_t *)ipha)[4];
-
- /* pseudo checksum (do it in parts for IP header checksum) */
- cksum = (dst >> 16) + (dst & 0xFFFF) + (src >> 16) + (src & 0xFFFF);
-
- if (!IP_FLOW_CONTROLLED_ULP(PROTO)) {
- queue_t *dev_q = stq->q_next;
-
- /*
- * For DIRECT_CAPABLE, we do flow control at
- * the time of sending the packet. See
- * ILL_SEND_TX().
- */
- if (!ILL_DIRECT_CAPABLE((ill_t *)stq->q_ptr) &&
- (DEV_Q_FLOW_BLOCKED(dev_q)))
- goto blocked;
-
- if ((PROTO == IPPROTO_UDP) &&
- (ip_hdr_included != IP_HDR_INCLUDED)) {
- hlen = (V_HLEN & 0xF) << 2;
- up = IPH_UDPH_CHECKSUMP(ipha, hlen);
- if (*up != 0) {
- IP_CKSUM_XMIT(ill, ire, mp, ipha, up, PROTO,
- hlen, LENGTH, max_frag, ipsec_len, cksum);
- /* Software checksum? */
- if (DB_CKSUMFLAGS(mp) == 0) {
- IP_STAT(ipst, ip_out_sw_cksum);
- IP_STAT_UPDATE(ipst,
- ip_udp_out_sw_cksum_bytes,
- LENGTH - hlen);
- }
- }
- }
- } else if (ip_hdr_included != IP_HDR_INCLUDED) {
- hlen = (V_HLEN & 0xF) << 2;
- if (PROTO == IPPROTO_TCP) {
- up = IPH_TCPH_CHECKSUMP(ipha, hlen);
- /*
- * The packet header is processed once and for all, even
- * in the multirouting case. We disable hardware
- * checksum if the packet is multirouted, as it will be
- * replicated via several interfaces, and not all of
- * them may have this capability.
- */
- IP_CKSUM_XMIT(ill, ire, mp, ipha, up, PROTO, hlen,
- LENGTH, max_frag, ipsec_len, cksum);
- /* Software checksum? */
- if (DB_CKSUMFLAGS(mp) == 0) {
- IP_STAT(ipst, ip_out_sw_cksum);
- IP_STAT_UPDATE(ipst, ip_tcp_out_sw_cksum_bytes,
- LENGTH - hlen);
- }
- } else {
- sctp_hdr_t *sctph;
-
- ASSERT(PROTO == IPPROTO_SCTP);
- ASSERT(MBLKL(mp) >= (hlen + sizeof (*sctph)));
- sctph = (sctp_hdr_t *)(mp->b_rptr + hlen);
- /*
- * Zero out the checksum field to ensure proper
- * checksum calculation.
- */
- sctph->sh_chksum = 0;
-#ifdef DEBUG
- if (!skip_sctp_cksum)
-#endif
- sctph->sh_chksum = sctp_cksum(mp, hlen);
- }
- }
-
- /*
- * If this is a multicast packet and originated from ip_wput
- * we need to do loopback and forwarding checks. If it comes
- * from ip_wput_multicast, we SHOULD not do this.
- */
- if (CLASSD(ipha->ipha_dst) && multicast_forward) goto multi_loopback;
-
- /* checksum */
- cksum += ttl_protocol;
-
- /* fragment the packet */
- if (max_frag < (uint_t)(LENGTH + ipsec_len))
- goto fragmentit;
- /*
- * Don't use frag_flag if packet is pre-built or source
- * routed or if multicast (since multicast packets do
- * not solicit ICMP "packet too big" messages).
- */
- if ((ip_hdr_included != IP_HDR_INCLUDED) &&
- (V_HLEN == IP_SIMPLE_HDR_VERSION ||
- !ip_source_route_included(ipha)) &&
- !CLASSD(ipha->ipha_dst))
- ipha->ipha_fragment_offset_and_flags |=
- htons(ire->ire_frag_flag);
-
- if (!(DB_CKSUMFLAGS(mp) & HCK_IPV4_HDRCKSUM)) {
- /* calculate IP header checksum */
- cksum += ipha->ipha_ident;
- cksum += (v_hlen_tos_len >> 16)+(v_hlen_tos_len & 0xFFFF);
- cksum += ipha->ipha_fragment_offset_and_flags;
-
- /* IP options present */
- hlen = (V_HLEN & 0xF) - IP_SIMPLE_HDR_LENGTH_IN_WORDS;
- if (hlen)
- goto checksumoptions;
-
- /* calculate hdr checksum */
- cksum = ((cksum & 0xFFFF) + (cksum >> 16));
- cksum = ~(cksum + (cksum >> 16));
- ipha->ipha_hdr_checksum = (uint16_t)cksum;
- }
- if (ipsec_len != 0) {
- /*
- * We will do the rest of the processing after
- * we come back from IPsec in ip_wput_ipsec_out().
- */
- ASSERT(MBLKL(first_mp) >= sizeof (ipsec_out_t));
-
- io = (ipsec_out_t *)first_mp->b_rptr;
- io->ipsec_out_ill_index =
- ire->ire_ipif->ipif_ill->ill_phyint->phyint_ifindex;
- ipsec_out_process(q, first_mp, ire, 0);
- ire_refrele(ire);
- if (conn_outgoing_ill != NULL)
- ill_refrele(conn_outgoing_ill);
- return;
- }
-
- /*
- * In most cases, the emission loop below is entered only
- * once. Only in the case where the ire holds the
- * RTF_MULTIRT flag, do we loop to process all RTF_MULTIRT
- * flagged ires in the bucket, and send the packet
- * through all crossed RTF_MULTIRT routes.
- */
- if (ire->ire_flags & RTF_MULTIRT) {
- multirt_send = B_TRUE;
- }
- do {
- if (multirt_send) {
- irb_t *irb;
- /*
- * We are in a multiple send case, need to get
- * the next ire and make a duplicate of the packet.
- * ire1 holds here the next ire to process in the
- * bucket. If multirouting is expected,
- * any non-RTF_MULTIRT ire that has the
- * right destination address is ignored.
- */
- irb = ire->ire_bucket;
- ASSERT(irb != NULL);
-
- IRB_REFHOLD(irb);
- for (ire1 = ire->ire_next;
- ire1 != NULL;
- ire1 = ire1->ire_next) {
- if ((ire1->ire_flags & RTF_MULTIRT) == 0)
- continue;
- if (ire1->ire_addr != ire->ire_addr)
- continue;
- if (ire1->ire_marks &
- (IRE_MARK_CONDEMNED | IRE_MARK_TESTHIDDEN))
- continue;
-
- /* Got one */
- IRE_REFHOLD(ire1);
- break;
- }
- IRB_REFRELE(irb);
-
- if (ire1 != NULL) {
- next_mp = copyb(mp);
- if ((next_mp == NULL) ||
- ((mp->b_cont != NULL) &&
- ((next_mp->b_cont =
- dupmsg(mp->b_cont)) == NULL))) {
- freemsg(next_mp);
- next_mp = NULL;
- ire_refrele(ire1);
- ire1 = NULL;
- }
- }
-
- /* Last multiroute ire; don't loop anymore. */
- if (ire1 == NULL) {
- multirt_send = B_FALSE;
- }
- }
-
- DTRACE_PROBE4(ip4__physical__out__start, ill_t *, NULL,
- ill_t *, ire->ire_ipif->ipif_ill, ipha_t *, ipha,
- mblk_t *, mp);
- FW_HOOKS(ipst->ips_ip4_physical_out_event,
- ipst->ips_ipv4firewall_physical_out,
- NULL, ire->ire_ipif->ipif_ill, ipha, mp, mp, 0, ipst);
- DTRACE_PROBE1(ip4__physical__out__end, mblk_t *, mp);
-
- if (mp == NULL)
- goto release_ire_and_ill;
-
- if (ipst->ips_ip4_observe.he_interested) {
- zoneid_t szone;
-
- /*
- * On the outbound path the destination zone will be
- * unknown as we're sending this packet out on the
- * wire.
- */
- szone = ip_get_zoneid_v4(ipha->ipha_src, mp, ipst,
- ALL_ZONES);
- ipobs_hook(mp, IPOBS_HOOK_OUTBOUND, szone, ALL_ZONES,
- ire->ire_ipif->ipif_ill, ipst);
- }
- mp->b_prev = SET_BPREV_FLAG(IPP_LOCAL_OUT);
- DTRACE_PROBE2(ip__xmit__1, mblk_t *, mp, ire_t *, ire);
-
- pktxmit_state = ip_xmit_v4(mp, ire, NULL, B_TRUE, connp);
-
- if ((pktxmit_state == SEND_FAILED) ||
- (pktxmit_state == LLHDR_RESLV_FAILED)) {
- ip2dbg(("ip_wput_ire: ip_xmit_v4 failed"
- "- packet dropped\n"));
-release_ire_and_ill:
- ire_refrele(ire);
- if (next_mp != NULL) {
- freemsg(next_mp);
- ire_refrele(ire1);
- }
- if (conn_outgoing_ill != NULL)
- ill_refrele(conn_outgoing_ill);
- return;
- }
-
- if (CLASSD(dst)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutMcastPkts);
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutMcastOctets,
- LENGTH);
- }
-
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_IRE_END,
- "ip_wput_ire_end: q %p (%S)",
- q, "last copy out");
- IRE_REFRELE(ire);
-
- if (multirt_send) {
- ASSERT(ire1);
- /*
- * Proceed with the next RTF_MULTIRT ire,
- * Also set up the send-to queue accordingly.
- */
- ire = ire1;
- ire1 = NULL;
- stq = ire->ire_stq;
- mp = next_mp;
- next_mp = NULL;
- ipha = (ipha_t *)mp->b_rptr;
- ill_index = Q_TO_INDEX(stq);
- ill = (ill_t *)stq->q_ptr;
- }
- } while (multirt_send);
- if (conn_outgoing_ill != NULL)
- ill_refrele(conn_outgoing_ill);
- return;
-
- /*
- * ire->ire_type == IRE_BROADCAST (minimize diffs)
- */
-broadcast:
- {
- /*
- * To avoid broadcast storms, we usually set the TTL to 1 for
- * broadcasts. However, if SO_DONTROUTE isn't set, this value
- * can be overridden stack-wide through the ip_broadcast_ttl
- * ndd tunable, or on a per-connection basis through the
- * IP_BROADCAST_TTL socket option.
- *
- * In the event that we are replying to incoming ICMP packets,
- * connp could be NULL.
- */
- ipha->ipha_ttl = ipst->ips_ip_broadcast_ttl;
- if (connp != NULL) {
- if (connp->conn_dontroute)
- ipha->ipha_ttl = 1;
- else if (connp->conn_broadcast_ttl != 0)
- ipha->ipha_ttl = connp->conn_broadcast_ttl;
- }
-
- /*
- * Note that we are not doing a IRB_REFHOLD here.
- * Actually we don't care if the list changes i.e
- * if somebody deletes an IRE from the list while
- * we drop the lock, the next time we come around
- * ire_next will be NULL and hence we won't send
- * out multiple copies which is fine.
- */
- rw_enter(&ire->ire_bucket->irb_lock, RW_READER);
- ire1 = ire->ire_next;
- if (conn_outgoing_ill != NULL) {
- while (ire->ire_ipif->ipif_ill != conn_outgoing_ill) {
- ASSERT(ire1 == ire->ire_next);
- if (ire1 != NULL && ire1->ire_addr == dst) {
- ire_refrele(ire);
- ire = ire1;
- IRE_REFHOLD(ire);
- ire1 = ire->ire_next;
- continue;
- }
- rw_exit(&ire->ire_bucket->irb_lock);
- /* Did not find a matching ill */
- ip1dbg(("ip_wput_ire: broadcast with no "
- "matching IP_BOUND_IF ill %s dst %x\n",
- conn_outgoing_ill->ill_name, dst));
- freemsg(first_mp);
- if (ire != NULL)
- ire_refrele(ire);
- ill_refrele(conn_outgoing_ill);
- return;
- }
- } else if (ire1 != NULL && ire1->ire_addr == dst) {
- /*
- * If the next IRE has the same address and is not one
- * of the two copies that we need to send, try to see
- * whether this copy should be sent at all. This
- * assumes that we insert loopbacks first and then
- * non-loopbacks. This is acheived by inserting the
- * loopback always before non-loopback.
- * This is used to send a single copy of a broadcast
- * packet out all physical interfaces that have an
- * matching IRE_BROADCAST while also looping
- * back one copy (to ip_wput_local) for each
- * matching physical interface. However, we avoid
- * sending packets out different logical that match by
- * having ipif_up/ipif_down supress duplicate
- * IRE_BROADCASTS.
- *
- * This feature is currently used to get broadcasts
- * sent to multiple interfaces, when the broadcast
- * address being used applies to multiple interfaces.
- * For example, a whole net broadcast will be
- * replicated on every connected subnet of
- * the target net.
- *
- * Each zone has its own set of IRE_BROADCASTs, so that
- * we're able to distribute inbound packets to multiple
- * zones who share a broadcast address. We avoid looping
- * back outbound packets in different zones but on the
- * same ill, as the application would see duplicates.
- *
- * This logic assumes that ire_add_v4() groups the
- * IRE_BROADCAST entries so that those with the same
- * ire_addr are kept together.
- */
- ire_ill = ire->ire_ipif->ipif_ill;
- if (ire->ire_stq != NULL || ire1->ire_stq == NULL) {
- while (ire1 != NULL && ire1->ire_addr == dst) {
- ire1_ill = ire1->ire_ipif->ipif_ill;
- if (ire1_ill != ire_ill)
- break;
- ire1 = ire1->ire_next;
- }
- }
- }
- ASSERT(multirt_send == B_FALSE);
- if (ire1 != NULL && ire1->ire_addr == dst) {
- if ((ire->ire_flags & RTF_MULTIRT) &&
- (ire1->ire_flags & RTF_MULTIRT)) {
- /*
- * We are in the multirouting case.
- * The message must be sent at least
- * on both ires. These ires have been
- * inserted AFTER the standard ones
- * in ip_rt_add(). There are thus no
- * other ire entries for the destination
- * address in the rest of the bucket
- * that do not have the RTF_MULTIRT
- * flag. We don't process a copy
- * of the message here. This will be
- * done in the final sending loop.
- */
- multirt_send = B_TRUE;
- } else {
- next_mp = ip_copymsg(first_mp);
- if (next_mp != NULL)
- IRE_REFHOLD(ire1);
- }
- }
- rw_exit(&ire->ire_bucket->irb_lock);
- }
-
- if (stq) {
- /*
- * A non-NULL send-to queue means this packet is going
- * out of this machine.
- */
- out_ill = (ill_t *)stq->q_ptr;
-
- BUMP_MIB(out_ill->ill_ip_mib, ipIfStatsHCOutRequests);
- ttl_protocol = ((uint16_t *)ipha)[4];
- /*
- * We accumulate the pseudo header checksum in cksum.
- * This is pretty hairy code, so watch close. One
- * thing to keep in mind is that UDP and TCP have
- * stored their respective datagram lengths in their
- * checksum fields. This lines things up real nice.
- */
- cksum = (dst >> 16) + (dst & 0xFFFF) +
- (src >> 16) + (src & 0xFFFF);
- /*
- * We assume the udp checksum field contains the
- * length, so to compute the pseudo header checksum,
- * all we need is the protocol number and src/dst.
- */
- /* Provide the checksums for UDP and TCP. */
- if ((PROTO == IPPROTO_TCP) &&
- (ip_hdr_included != IP_HDR_INCLUDED)) {
- /* hlen gets the number of uchar_ts in the IP header */
- hlen = (V_HLEN & 0xF) << 2;
- up = IPH_TCPH_CHECKSUMP(ipha, hlen);
- IP_STAT(ipst, ip_out_sw_cksum);
- IP_STAT_UPDATE(ipst, ip_tcp_out_sw_cksum_bytes,
- LENGTH - hlen);
- *up = IP_CSUM(mp, hlen, cksum + IP_TCP_CSUM_COMP);
- } else if (PROTO == IPPROTO_SCTP &&
- (ip_hdr_included != IP_HDR_INCLUDED)) {
- sctp_hdr_t *sctph;
-
- hlen = (V_HLEN & 0xF) << 2;
- ASSERT(MBLKL(mp) >= (hlen + sizeof (*sctph)));
- sctph = (sctp_hdr_t *)(mp->b_rptr + hlen);
- sctph->sh_chksum = 0;
-#ifdef DEBUG
- if (!skip_sctp_cksum)
-#endif
- sctph->sh_chksum = sctp_cksum(mp, hlen);
- } else {
- queue_t *dev_q = stq->q_next;
-
- if (!ILL_DIRECT_CAPABLE((ill_t *)stq->q_ptr) &&
- (DEV_Q_FLOW_BLOCKED(dev_q))) {
-blocked:
- ipha->ipha_ident = ip_hdr_included;
- /*
- * If we don't have a conn to apply
- * backpressure, free the message.
- * In the ire_send path, we don't know
- * the position to requeue the packet. Rather
- * than reorder packets, we just drop this
- * packet.
- */
- if (ipst->ips_ip_output_queue &&
- connp != NULL &&
- caller != IRE_SEND) {
- if (caller == IP_WSRV) {
- idl_tx_list_t *idl_txl;
-
- idl_txl =
- &ipst->ips_idl_tx_list[0];
- connp->conn_did_putbq = 1;
- (void) putbq(connp->conn_wq,
- first_mp);
- conn_drain_insert(connp,
- idl_txl);
- /*
- * This is the service thread,
- * and the queue is already
- * noenabled. The check for
- * canput and the putbq is not
- * atomic. So we need to check
- * again.
- */
- if (canput(stq->q_next))
- connp->conn_did_putbq
- = 0;
- IP_STAT(ipst, ip_conn_flputbq);
- } else {
- /*
- * We are not the service proc.
- * ip_wsrv will be scheduled or
- * is already running.
- */
-
- (void) putq(connp->conn_wq,
- first_mp);
- }
- } else {
- out_ill = (ill_t *)stq->q_ptr;
- BUMP_MIB(out_ill->ill_ip_mib,
- ipIfStatsOutDiscards);
- freemsg(first_mp);
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_IRE_END,
- "ip_wput_ire_end: q %p (%S)",
- q, "discard");
- }
- ire_refrele(ire);
- if (next_mp) {
- ire_refrele(ire1);
- freemsg(next_mp);
- }
- if (conn_outgoing_ill != NULL)
- ill_refrele(conn_outgoing_ill);
- return;
- }
- if ((PROTO == IPPROTO_UDP) &&
- (ip_hdr_included != IP_HDR_INCLUDED)) {
- /*
- * hlen gets the number of uchar_ts in the
- * IP header
- */
- hlen = (V_HLEN & 0xF) << 2;
- up = IPH_UDPH_CHECKSUMP(ipha, hlen);
- max_frag = ire->ire_max_frag;
- if (*up != 0) {
- IP_CKSUM_XMIT(out_ill, ire, mp, ipha,
- up, PROTO, hlen, LENGTH, max_frag,
- ipsec_len, cksum);
- /* Software checksum? */
- if (DB_CKSUMFLAGS(mp) == 0) {
- IP_STAT(ipst, ip_out_sw_cksum);
- IP_STAT_UPDATE(ipst,
- ip_udp_out_sw_cksum_bytes,
- LENGTH - hlen);
- }
- }
- }
- }
- /*
- * Need to do this even when fragmenting. The local
- * loopback can be done without computing checksums
- * but forwarding out other interface must be done
- * after the IP checksum (and ULP checksums) have been
- * computed.
- *
- * NOTE : multicast_forward is set only if this packet
- * originated from ip_wput. For packets originating from
- * ip_wput_multicast, it is not set.
- */
- if (CLASSD(ipha->ipha_dst) && multicast_forward) {
-multi_loopback:
- ip2dbg(("ip_wput: multicast, loop %d\n",
- conn_multicast_loop));
-
- /* Forget header checksum offload */
- DB_CKSUMFLAGS(mp) &= ~HCK_IPV4_HDRCKSUM;
-
- /*
- * Local loopback of multicasts? Check the
- * ill.
- *
- * Note that the loopback function will not come
- * in through ip_rput - it will only do the
- * client fanout thus we need to do an mforward
- * as well. The is different from the BSD
- * logic.
- */
- if (ill != NULL) {
- if (ilm_lookup_ill(ill, ipha->ipha_dst,
- ALL_ZONES) != NULL) {
- /*
- * Pass along the virtual output q.
- * ip_wput_local() will distribute the
- * packet to all the matching zones,
- * except the sending zone when
- * IP_MULTICAST_LOOP is false.
- */
- ip_multicast_loopback(q, ill, first_mp,
- conn_multicast_loop ? 0 :
- IP_FF_NO_MCAST_LOOP, zoneid);
- }
- }
- if (ipha->ipha_ttl == 0) {
- /*
- * 0 => only to this host i.e. we are
- * done. We are also done if this was the
- * loopback interface since it is sufficient
- * to loopback one copy of a multicast packet.
- */
- freemsg(first_mp);
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_IRE_END,
- "ip_wput_ire_end: q %p (%S)",
- q, "loopback");
- ire_refrele(ire);
- if (conn_outgoing_ill != NULL)
- ill_refrele(conn_outgoing_ill);
- return;
- }
- /*
- * ILLF_MULTICAST is checked in ip_newroute
- * i.e. we don't need to check it here since
- * all IRE_CACHEs come from ip_newroute.
- * For multicast traffic, SO_DONTROUTE is interpreted
- * to mean only send the packet out the interface
- * (optionally specified with IP_MULTICAST_IF)
- * and do not forward it out additional interfaces.
- * RSVP and the rsvp daemon is an example of a
- * protocol and user level process that
- * handles it's own routing. Hence, it uses the
- * SO_DONTROUTE option to accomplish this.
- */
-
- if (ipst->ips_ip_g_mrouter && !conn_dontroute &&
- ill != NULL) {
- /* Unconditionally redo the checksum */
- ipha->ipha_hdr_checksum = 0;
- ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
-
- /*
- * If this needs to go out secure, we need
- * to wait till we finish the IPsec
- * processing.
- */
- if (ipsec_len == 0 &&
- ip_mforward(ill, ipha, mp)) {
- freemsg(first_mp);
- ip1dbg(("ip_wput: mforward failed\n"));
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_IRE_END,
- "ip_wput_ire_end: q %p (%S)",
- q, "mforward failed");
- ire_refrele(ire);
- if (conn_outgoing_ill != NULL)
- ill_refrele(conn_outgoing_ill);
- return;
- }
- }
- }
- max_frag = ire->ire_max_frag;
- cksum += ttl_protocol;
- if (max_frag >= (uint_t)(LENGTH + ipsec_len)) {
- /* No fragmentation required for this one. */
- /*
- * Don't use frag_flag if packet is pre-built or source
- * routed or if multicast (since multicast packets do
- * not solicit ICMP "packet too big" messages).
- */
- if ((ip_hdr_included != IP_HDR_INCLUDED) &&
- (V_HLEN == IP_SIMPLE_HDR_VERSION ||
- !ip_source_route_included(ipha)) &&
- !CLASSD(ipha->ipha_dst))
- ipha->ipha_fragment_offset_and_flags |=
- htons(ire->ire_frag_flag);
-
- if (!(DB_CKSUMFLAGS(mp) & HCK_IPV4_HDRCKSUM)) {
- /* Complete the IP header checksum. */
- cksum += ipha->ipha_ident;
- cksum += (v_hlen_tos_len >> 16)+
- (v_hlen_tos_len & 0xFFFF);
- cksum += ipha->ipha_fragment_offset_and_flags;
- hlen = (V_HLEN & 0xF) -
- IP_SIMPLE_HDR_LENGTH_IN_WORDS;
- if (hlen) {
-checksumoptions:
- /*
- * Account for the IP Options in the IP
- * header checksum.
- */
- up = (uint16_t *)(rptr+
- IP_SIMPLE_HDR_LENGTH);
- do {
- cksum += up[0];
- cksum += up[1];
- up += 2;
- } while (--hlen);
- }
- cksum = ((cksum & 0xFFFF) + (cksum >> 16));
- cksum = ~(cksum + (cksum >> 16));
- ipha->ipha_hdr_checksum = (uint16_t)cksum;
- }
- if (ipsec_len != 0) {
- ipsec_out_process(q, first_mp, ire, ill_index);
- if (!next_mp) {
- ire_refrele(ire);
- if (conn_outgoing_ill != NULL)
- ill_refrele(conn_outgoing_ill);
- return;
- }
- goto next;
- }
-
- /*
- * multirt_send has already been handled
- * for broadcast, but not yet for multicast
- * or IP options.
- */
- if (next_mp == NULL) {
- if (ire->ire_flags & RTF_MULTIRT) {
- multirt_send = B_TRUE;
- }
- }
-
- /*
- * In most cases, the emission loop below is
- * entered only once. Only in the case where
- * the ire holds the RTF_MULTIRT flag, do we loop
- * to process all RTF_MULTIRT ires in the bucket,
- * and send the packet through all crossed
- * RTF_MULTIRT routes.
- */
- do {
- if (multirt_send) {
- irb_t *irb;
-
- irb = ire->ire_bucket;
- ASSERT(irb != NULL);
- /*
- * We are in a multiple send case,
- * need to get the next IRE and make
- * a duplicate of the packet.
- */
- IRB_REFHOLD(irb);
- for (ire1 = ire->ire_next;
- ire1 != NULL;
- ire1 = ire1->ire_next) {
- if (!(ire1->ire_flags &
- RTF_MULTIRT))
- continue;
-
- if (ire1->ire_addr !=
- ire->ire_addr)
- continue;
-
- if (ire1->ire_marks &
- (IRE_MARK_CONDEMNED |
- IRE_MARK_TESTHIDDEN))
- continue;
-
- /* Got one */
- IRE_REFHOLD(ire1);
- break;
- }
- IRB_REFRELE(irb);
-
- if (ire1 != NULL) {
- next_mp = copyb(mp);
- if ((next_mp == NULL) ||
- ((mp->b_cont != NULL) &&
- ((next_mp->b_cont =
- dupmsg(mp->b_cont))
- == NULL))) {
- freemsg(next_mp);
- next_mp = NULL;
- ire_refrele(ire1);
- ire1 = NULL;
- }
- }
-
- /*
- * Last multiroute ire; don't loop
- * anymore. The emission is over
- * and next_mp is NULL.
- */
- if (ire1 == NULL) {
- multirt_send = B_FALSE;
- }
- }
-
- out_ill = ire_to_ill(ire);
- DTRACE_PROBE4(ip4__physical__out__start,
- ill_t *, NULL,
- ill_t *, out_ill,
- ipha_t *, ipha, mblk_t *, mp);
- FW_HOOKS(ipst->ips_ip4_physical_out_event,
- ipst->ips_ipv4firewall_physical_out,
- NULL, out_ill, ipha, mp, mp, 0, ipst);
- DTRACE_PROBE1(ip4__physical__out__end,
- mblk_t *, mp);
- if (mp == NULL)
- goto release_ire_and_ill_2;
-
- ASSERT(ipsec_len == 0);
- mp->b_prev =
- SET_BPREV_FLAG(IPP_LOCAL_OUT);
- DTRACE_PROBE2(ip__xmit__2,
- mblk_t *, mp, ire_t *, ire);
- pktxmit_state = ip_xmit_v4(mp, ire,
- NULL, B_TRUE, connp);
- if ((pktxmit_state == SEND_FAILED) ||
- (pktxmit_state == LLHDR_RESLV_FAILED)) {
-release_ire_and_ill_2:
- if (next_mp) {
- freemsg(next_mp);
- ire_refrele(ire1);
- }
- ire_refrele(ire);
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_IRE_END,
- "ip_wput_ire_end: q %p (%S)",
- q, "discard MDATA");
- if (conn_outgoing_ill != NULL)
- ill_refrele(conn_outgoing_ill);
- return;
- }
-
- if (CLASSD(dst)) {
- BUMP_MIB(out_ill->ill_ip_mib,
- ipIfStatsHCOutMcastPkts);
- UPDATE_MIB(out_ill->ill_ip_mib,
- ipIfStatsHCOutMcastOctets,
- LENGTH);
- } else if (ire->ire_type == IRE_BROADCAST) {
- BUMP_MIB(out_ill->ill_ip_mib,
- ipIfStatsHCOutBcastPkts);
- }
-
- if (multirt_send) {
- /*
- * We are in a multiple send case,
- * need to re-enter the sending loop
- * using the next ire.
- */
- ire_refrele(ire);
- ire = ire1;
- stq = ire->ire_stq;
- mp = next_mp;
- next_mp = NULL;
- ipha = (ipha_t *)mp->b_rptr;
- ill_index = Q_TO_INDEX(stq);
- }
- } while (multirt_send);
-
- if (!next_mp) {
- /*
- * Last copy going out (the ultra-common
- * case). Note that we intentionally replicate
- * the putnext rather than calling it before
- * the next_mp check in hopes of a little
- * tail-call action out of the compiler.
- */
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_IRE_END,
- "ip_wput_ire_end: q %p (%S)",
- q, "last copy out(1)");
- ire_refrele(ire);
- if (conn_outgoing_ill != NULL)
- ill_refrele(conn_outgoing_ill);
- return;
- }
- /* More copies going out below. */
- } else {
- int offset;
-fragmentit:
- offset = ntohs(ipha->ipha_fragment_offset_and_flags);
- /*
- * If this would generate a icmp_frag_needed message,
- * we need to handle it before we do the IPsec
- * processing. Otherwise, we need to strip the IPsec
- * headers before we send up the message to the ULPs
- * which becomes messy and difficult.
- */
- if (ipsec_len != 0) {
- if ((max_frag < (unsigned int)(LENGTH +
- ipsec_len)) && (offset & IPH_DF)) {
- out_ill = (ill_t *)stq->q_ptr;
- BUMP_MIB(out_ill->ill_ip_mib,
- ipIfStatsOutFragFails);
- BUMP_MIB(out_ill->ill_ip_mib,
- ipIfStatsOutFragReqds);
- ipha->ipha_hdr_checksum = 0;
- ipha->ipha_hdr_checksum =
- (uint16_t)ip_csum_hdr(ipha);
- icmp_frag_needed(ire->ire_stq, first_mp,
- max_frag, zoneid, ipst);
- if (!next_mp) {
- ire_refrele(ire);
- if (conn_outgoing_ill != NULL) {
- ill_refrele(
- conn_outgoing_ill);
- }
- return;
- }
- } else {
- /*
- * This won't cause a icmp_frag_needed
- * message. to be generated. Send it on
- * the wire. Note that this could still
- * cause fragmentation and all we
- * do is the generation of the message
- * to the ULP if needed before IPsec.
- */
- if (!next_mp) {
- ipsec_out_process(q, first_mp,
- ire, ill_index);
- TRACE_2(TR_FAC_IP,
- TR_IP_WPUT_IRE_END,
- "ip_wput_ire_end: q %p "
- "(%S)", q,
- "last ipsec_out_process");
- ire_refrele(ire);
- if (conn_outgoing_ill != NULL) {
- ill_refrele(
- conn_outgoing_ill);
- }
- return;
- }
- ipsec_out_process(q, first_mp,
- ire, ill_index);
- }
- } else {
- /*
- * Initiate IPPF processing. For
- * fragmentable packets we finish
- * all QOS packet processing before
- * calling:
- * ip_wput_ire_fragmentit->ip_wput_frag
- */
-
- if (IPP_ENABLED(IPP_LOCAL_OUT, ipst)) {
- ip_process(IPP_LOCAL_OUT, &mp,
- ill_index);
- if (mp == NULL) {
- out_ill = (ill_t *)stq->q_ptr;
- BUMP_MIB(out_ill->ill_ip_mib,
- ipIfStatsOutDiscards);
- if (next_mp != NULL) {
- freemsg(next_mp);
- ire_refrele(ire1);
- }
- ire_refrele(ire);
- TRACE_2(TR_FAC_IP,
- TR_IP_WPUT_IRE_END,
- "ip_wput_ire: q %p (%S)",
- q, "discard MDATA");
- if (conn_outgoing_ill != NULL) {
- ill_refrele(
- conn_outgoing_ill);
- }
- return;
- }
- }
- if (!next_mp) {
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_IRE_END,
- "ip_wput_ire_end: q %p (%S)",
- q, "last fragmentation");
- ip_wput_ire_fragmentit(mp, ire,
- zoneid, ipst, connp);
- ire_refrele(ire);
- if (conn_outgoing_ill != NULL)
- ill_refrele(conn_outgoing_ill);
- return;
- }
- ip_wput_ire_fragmentit(mp, ire,
- zoneid, ipst, connp);
- }
- }
- } else {
-nullstq:
- /* A NULL stq means the destination address is local. */
- UPDATE_OB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- ASSERT(ire->ire_ipif != NULL);
- if (!next_mp) {
- /*
- * Is there an "in" and "out" for traffic local
- * to a host (loopback)? The code in Solaris doesn't
- * explicitly draw a line in its code for in vs out,
- * so we've had to draw a line in the sand: ip_wput_ire
- * is considered to be the "output" side and
- * ip_wput_local to be the "input" side.
- */
- out_ill = ire_to_ill(ire);
-
- /*
- * DTrace this as ip:::send. A blocked packet will
- * fire the send probe, but not the receive probe.
- */
- DTRACE_IP7(send, mblk_t *, first_mp, conn_t *, NULL,
- void_ip_t *, ipha, __dtrace_ipsr_ill_t *, out_ill,
- ipha_t *, ipha, ip6_t *, NULL, int, 1);
-
- DTRACE_PROBE4(ip4__loopback__out__start,
- ill_t *, NULL, ill_t *, out_ill,
- ipha_t *, ipha, mblk_t *, first_mp);
-
- FW_HOOKS(ipst->ips_ip4_loopback_out_event,
- ipst->ips_ipv4firewall_loopback_out,
- NULL, out_ill, ipha, first_mp, mp, 0, ipst);
-
- DTRACE_PROBE1(ip4__loopback__out_end,
- mblk_t *, first_mp);
-
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_IRE_END,
- "ip_wput_ire_end: q %p (%S)",
- q, "local address");
-
- if (first_mp != NULL)
- ip_wput_local(q, out_ill, ipha,
- first_mp, ire, 0, ire->ire_zoneid);
- ire_refrele(ire);
- if (conn_outgoing_ill != NULL)
- ill_refrele(conn_outgoing_ill);
- return;
- }
-
- out_ill = ire_to_ill(ire);
-
- /*
- * DTrace this as ip:::send. A blocked packet will fire the
- * send probe, but not the receive probe.
- */
- DTRACE_IP7(send, mblk_t *, first_mp, conn_t *, NULL,
- void_ip_t *, ipha, __dtrace_ipsr_ill_t *, out_ill,
- ipha_t *, ipha, ip6_t *, NULL, int, 1);
-
- DTRACE_PROBE4(ip4__loopback__out__start,
- ill_t *, NULL, ill_t *, out_ill,
- ipha_t *, ipha, mblk_t *, first_mp);
-
- FW_HOOKS(ipst->ips_ip4_loopback_out_event,
- ipst->ips_ipv4firewall_loopback_out,
- NULL, out_ill, ipha, first_mp, mp, 0, ipst);
-
- DTRACE_PROBE1(ip4__loopback__out__end, mblk_t *, first_mp);
-
- if (first_mp != NULL)
- ip_wput_local(q, out_ill, ipha,
- first_mp, ire, 0, ire->ire_zoneid);
- }
-next:
- /*
- * More copies going out to additional interfaces.
- * ire1 has already been held. We don't need the
- * "ire" anymore.
- */
- ire_refrele(ire);
- ire = ire1;
- ASSERT(ire != NULL && ire->ire_refcnt >= 1 && next_mp != NULL);
- mp = next_mp;
- ASSERT(ire->ire_ipversion == IPV4_VERSION);
- ill = ire_to_ill(ire);
- first_mp = mp;
- if (ipsec_len != 0) {
- ASSERT(first_mp->b_datap->db_type == M_CTL);
- mp = mp->b_cont;
- }
- dst = ire->ire_addr;
- ipha = (ipha_t *)mp->b_rptr;
- /*
- * Restore src so that we will pick up ire->ire_src_addr if src was 0.
- * Restore ipha_ident "no checksum" flag.
- */
- src = orig_src;
- ipha->ipha_ident = ip_hdr_included;
- goto another;
-
-#undef rptr
-#undef Q_TO_INDEX
-}
-
-/*
- * Routine to allocate a message that is used to notify the ULP about MDT.
- * The caller may provide a pointer to the link-layer MDT capabilities,
- * or NULL if MDT is to be disabled on the stream.
- */
-mblk_t *
-ip_mdinfo_alloc(ill_mdt_capab_t *isrc)
-{
- mblk_t *mp;
- ip_mdt_info_t *mdti;
- ill_mdt_capab_t *idst;
-
- if ((mp = allocb(sizeof (*mdti), BPRI_HI)) != NULL) {
- DB_TYPE(mp) = M_CTL;
- mp->b_wptr = mp->b_rptr + sizeof (*mdti);
- mdti = (ip_mdt_info_t *)mp->b_rptr;
- mdti->mdt_info_id = MDT_IOC_INFO_UPDATE;
- idst = &(mdti->mdt_capab);
-
- /*
- * If the caller provides us with the capability, copy
- * it over into our notification message; otherwise
- * we zero out the capability portion.
- */
- if (isrc != NULL)
- bcopy((caddr_t)isrc, (caddr_t)idst, sizeof (*idst));
- else
- bzero((caddr_t)idst, sizeof (*idst));
- }
- return (mp);
-}
-
-/*
- * Routine which determines whether MDT can be enabled on the destination
- * IRE and IPC combination, and if so, allocates and returns the MDT
- * notification mblk that may be used by ULP. We also check if we need to
- * turn MDT back to 'on' when certain restrictions prohibiting us to allow
- * MDT usage in the past have been lifted. This gets called during IP
- * and ULP binding.
- */
-mblk_t *
-ip_mdinfo_return(ire_t *dst_ire, conn_t *connp, char *ill_name,
- ill_mdt_capab_t *mdt_cap)
-{
- mblk_t *mp;
- boolean_t rc = B_FALSE;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- ASSERT(dst_ire != NULL);
- ASSERT(connp != NULL);
- ASSERT(mdt_cap != NULL);
-
- /*
- * Currently, we only support simple TCP/{IPv4,IPv6} with
- * Multidata, which is handled in tcp_multisend(). This
- * is the reason why we do all these checks here, to ensure
- * that we don't enable Multidata for the cases which we
- * can't handle at the moment.
- */
- do {
- /* Only do TCP at the moment */
- if (connp->conn_ulp != IPPROTO_TCP)
- break;
-
- /*
- * IPsec outbound policy present? Note that we get here
- * after calling ipsec_conn_cache_policy() where the global
- * policy checking is performed. conn_latch will be
- * non-NULL as long as there's a policy defined,
- * i.e. conn_out_enforce_policy may be NULL in such case
- * when the connection is non-secure, and hence we check
- * further if the latch refers to an outbound policy.
- */
- if (CONN_IPSEC_OUT_ENCAPSULATED(connp))
- break;
-
- /* CGTP (multiroute) is enabled? */
- if (dst_ire->ire_flags & RTF_MULTIRT)
- break;
-
- /* Outbound IPQoS enabled? */
- if (IPP_ENABLED(IPP_LOCAL_OUT, ipst)) {
- /*
- * In this case, we disable MDT for this and all
- * future connections going over the interface.
- */
- mdt_cap->ill_mdt_on = 0;
- break;
- }
-
- /* socket option(s) present? */
- if (!CONN_IS_LSO_MD_FASTPATH(connp))
- break;
-
- rc = B_TRUE;
- /* CONSTCOND */
- } while (0);
-
- /* Remember the result */
- connp->conn_mdt_ok = rc;
-
- if (!rc)
- return (NULL);
- else if (!mdt_cap->ill_mdt_on) {
- /*
- * If MDT has been previously turned off in the past, and we
- * currently can do MDT (due to IPQoS policy removal, etc.)
- * then enable it for this interface.
- */
- mdt_cap->ill_mdt_on = 1;
- ip1dbg(("ip_mdinfo_return: reenabling MDT for "
- "interface %s\n", ill_name));
- }
-
- /* Allocate the MDT info mblk */
- if ((mp = ip_mdinfo_alloc(mdt_cap)) == NULL) {
- ip0dbg(("ip_mdinfo_return: can't enable Multidata for "
- "conn %p on %s (ENOMEM)\n", (void *)connp, ill_name));
- return (NULL);
- }
- return (mp);
-}
-
-/*
- * Routine to allocate a message that is used to notify the ULP about LSO.
- * The caller may provide a pointer to the link-layer LSO capabilities,
- * or NULL if LSO is to be disabled on the stream.
- */
-mblk_t *
-ip_lsoinfo_alloc(ill_lso_capab_t *isrc)
-{
- mblk_t *mp;
- ip_lso_info_t *lsoi;
- ill_lso_capab_t *idst;
-
- if ((mp = allocb(sizeof (*lsoi), BPRI_HI)) != NULL) {
- DB_TYPE(mp) = M_CTL;
- mp->b_wptr = mp->b_rptr + sizeof (*lsoi);
- lsoi = (ip_lso_info_t *)mp->b_rptr;
- lsoi->lso_info_id = LSO_IOC_INFO_UPDATE;
- idst = &(lsoi->lso_capab);
-
- /*
- * If the caller provides us with the capability, copy
- * it over into our notification message; otherwise
- * we zero out the capability portion.
- */
- if (isrc != NULL)
- bcopy((caddr_t)isrc, (caddr_t)idst, sizeof (*idst));
- else
- bzero((caddr_t)idst, sizeof (*idst));
- }
- return (mp);
-}
-
-/*
- * Routine which determines whether LSO can be enabled on the destination
- * IRE and IPC combination, and if so, allocates and returns the LSO
- * notification mblk that may be used by ULP. We also check if we need to
- * turn LSO back to 'on' when certain restrictions prohibiting us to allow
- * LSO usage in the past have been lifted. This gets called during IP
- * and ULP binding.
- */
-mblk_t *
-ip_lsoinfo_return(ire_t *dst_ire, conn_t *connp, char *ill_name,
- ill_lso_capab_t *lso_cap)
-{
- mblk_t *mp;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- ASSERT(dst_ire != NULL);
- ASSERT(connp != NULL);
- ASSERT(lso_cap != NULL);
-
- connp->conn_lso_ok = B_TRUE;
-
- if ((connp->conn_ulp != IPPROTO_TCP) ||
- CONN_IPSEC_OUT_ENCAPSULATED(connp) ||
- (dst_ire->ire_flags & RTF_MULTIRT) ||
- !CONN_IS_LSO_MD_FASTPATH(connp) ||
- (IPP_ENABLED(IPP_LOCAL_OUT, ipst))) {
- connp->conn_lso_ok = B_FALSE;
- if (IPP_ENABLED(IPP_LOCAL_OUT, ipst)) {
- /*
- * Disable LSO for this and all future connections going
- * over the interface.
- */
- lso_cap->ill_lso_on = 0;
- }
- }
-
- if (!connp->conn_lso_ok)
- return (NULL);
- else if (!lso_cap->ill_lso_on) {
- /*
- * If LSO has been previously turned off in the past, and we
- * currently can do LSO (due to IPQoS policy removal, etc.)
- * then enable it for this interface.
- */
- lso_cap->ill_lso_on = 1;
- ip1dbg(("ip_mdinfo_return: reenabling LSO for interface %s\n",
- ill_name));
- }
-
- /* Allocate the LSO info mblk */
- if ((mp = ip_lsoinfo_alloc(lso_cap)) == NULL)
- ip0dbg(("ip_lsoinfo_return: can't enable LSO for "
- "conn %p on %s (ENOMEM)\n", (void *)connp, ill_name));
-
- return (mp);
-}
-
-/*
- * Create destination address attribute, and fill it with the physical
- * destination address and SAP taken from the template DL_UNITDATA_REQ
- * message block.
- */
-boolean_t
-ip_md_addr_attr(multidata_t *mmd, pdesc_t *pd, const mblk_t *dlmp)
-{
- dl_unitdata_req_t *dlurp;
- pattr_t *pa;
- pattrinfo_t pa_info;
- pattr_addr_t **das = (pattr_addr_t **)&pa_info.buf;
- uint_t das_len, das_off;
-
- ASSERT(dlmp != NULL);
-
- dlurp = (dl_unitdata_req_t *)dlmp->b_rptr;
- das_len = dlurp->dl_dest_addr_length;
- das_off = dlurp->dl_dest_addr_offset;
-
- pa_info.type = PATTR_DSTADDRSAP;
- pa_info.len = sizeof (**das) + das_len - 1;
-
- /* create and associate the attribute */
- pa = mmd_addpattr(mmd, pd, &pa_info, B_TRUE, KM_NOSLEEP);
- if (pa != NULL) {
- ASSERT(*das != NULL);
- (*das)->addr_is_group = 0;
- (*das)->addr_len = (uint8_t)das_len;
- bcopy((caddr_t)dlurp + das_off, (*das)->addr, das_len);
- }
-
- return (pa != NULL);
-}
-
-/*
- * Create hardware checksum attribute and fill it with the values passed.
- */
-boolean_t
-ip_md_hcksum_attr(multidata_t *mmd, pdesc_t *pd, uint32_t start_offset,
- uint32_t stuff_offset, uint32_t end_offset, uint32_t flags)
-{
- pattr_t *pa;
- pattrinfo_t pa_info;
-
- ASSERT(mmd != NULL);
-
- pa_info.type = PATTR_HCKSUM;
- pa_info.len = sizeof (pattr_hcksum_t);
-
- /* create and associate the attribute */
- pa = mmd_addpattr(mmd, pd, &pa_info, B_TRUE, KM_NOSLEEP);
- if (pa != NULL) {
- pattr_hcksum_t *hck = (pattr_hcksum_t *)pa_info.buf;
-
- hck->hcksum_start_offset = start_offset;
- hck->hcksum_stuff_offset = stuff_offset;
- hck->hcksum_end_offset = end_offset;
- hck->hcksum_flags = flags;
- }
- return (pa != NULL);
-}
-
-/*
- * Create zerocopy attribute and fill it with the specified flags
- */
-boolean_t
-ip_md_zcopy_attr(multidata_t *mmd, pdesc_t *pd, uint_t flags)
-{
- pattr_t *pa;
- pattrinfo_t pa_info;
-
- ASSERT(mmd != NULL);
- pa_info.type = PATTR_ZCOPY;
- pa_info.len = sizeof (pattr_zcopy_t);
-
- /* create and associate the attribute */
- pa = mmd_addpattr(mmd, pd, &pa_info, B_TRUE, KM_NOSLEEP);
- if (pa != NULL) {
- pattr_zcopy_t *zcopy = (pattr_zcopy_t *)pa_info.buf;
-
- zcopy->zcopy_flags = flags;
- }
- return (pa != NULL);
-}
-
-/*
- * Check if ip_wput_frag_mdt() and ip_wput_frag_mdt_v6() can handle a message
- * block chain. We could rewrite to handle arbitrary message block chains but
- * that would make the code complicated and slow. Right now there three
- * restrictions:
- *
- * 1. The first message block must contain the complete IP header and
- * at least 1 byte of payload data.
- * 2. At most MULTIDATA_MAX_PBUFS non-empty message blocks are allowed
- * so that we can use a single Multidata message.
- * 3. No frag must be distributed over two or more message blocks so
- * that we don't need more than two packet descriptors per frag.
- *
- * The above restrictions allow us to support userland applications (which
- * will send down a single message block) and NFS over UDP (which will
- * send down a chain of at most three message blocks).
- *
- * We also don't use MDT for payloads with less than or equal to
- * ip_wput_frag_mdt_min bytes because it would cause too much overhead.
- */
-boolean_t
-ip_can_frag_mdt(mblk_t *mp, ssize_t hdr_len, ssize_t len)
-{
- int blocks;
- ssize_t total, missing, size;
-
- ASSERT(mp != NULL);
- ASSERT(hdr_len > 0);
-
- size = MBLKL(mp) - hdr_len;
- if (size <= 0)
- return (B_FALSE);
-
- /* The first mblk contains the header and some payload. */
- blocks = 1;
- total = size;
- size %= len;
- missing = (size == 0) ? 0 : (len - size);
- mp = mp->b_cont;
-
- while (mp != NULL) {
- /*
- * Give up if we encounter a zero length message block.
- * In practice, this should rarely happen and therefore
- * not worth the trouble of freeing and re-linking the
- * mblk from the chain to handle such case.
- */
- if ((size = MBLKL(mp)) == 0)
- return (B_FALSE);
-
- /* Too many payload buffers for a single Multidata message? */
- if (++blocks > MULTIDATA_MAX_PBUFS)
- return (B_FALSE);
-
- total += size;
- /* Is a frag distributed over two or more message blocks? */
- if (missing > size)
- return (B_FALSE);
- size -= missing;
-
- size %= len;
- missing = (size == 0) ? 0 : (len - size);
-
- mp = mp->b_cont;
- }
-
- return (total > ip_wput_frag_mdt_min);
-}
-
-/*
- * Outbound IPv4 fragmentation routine using MDT.
- */
-static void
-ip_wput_frag_mdt(ire_t *ire, mblk_t *mp, ip_pkt_t pkt_type, int len,
- uint32_t frag_flag, int offset)
-{
- ipha_t *ipha_orig;
- int i1, ip_data_end;
- uint_t pkts, wroff, hdr_chunk_len, pbuf_idx;
- mblk_t *hdr_mp, *md_mp = NULL;
- unsigned char *hdr_ptr, *pld_ptr;
- multidata_t *mmd;
- ip_pdescinfo_t pdi;
- ill_t *ill;
- ip_stack_t *ipst = ire->ire_ipst;
-
- ASSERT(DB_TYPE(mp) == M_DATA);
- ASSERT(MBLKL(mp) > sizeof (ipha_t));
-
- ill = ire_to_ill(ire);
- ASSERT(ill != NULL);
-
- ipha_orig = (ipha_t *)mp->b_rptr;
- mp->b_rptr += sizeof (ipha_t);
-
- /* Calculate how many packets we will send out */
- i1 = (mp->b_cont == NULL) ? MBLKL(mp) : msgsize(mp);
- pkts = (i1 + len - 1) / len;
- ASSERT(pkts > 1);
-
- /* Allocate a message block which will hold all the IP Headers. */
- wroff = ipst->ips_ip_wroff_extra;
- hdr_chunk_len = wroff + IP_SIMPLE_HDR_LENGTH;
-
- i1 = pkts * hdr_chunk_len;
- /*
- * Create the header buffer, Multidata and destination address
- * and SAP attribute that should be associated with it.
- */
- if ((hdr_mp = allocb(i1, BPRI_HI)) == NULL ||
- ((hdr_mp->b_wptr += i1),
- (mmd = mmd_alloc(hdr_mp, &md_mp, KM_NOSLEEP)) == NULL) ||
- !ip_md_addr_attr(mmd, NULL, ire->ire_nce->nce_res_mp)) {
- freemsg(mp);
- if (md_mp == NULL) {
- freemsg(hdr_mp);
- } else {
-free_mmd: IP_STAT(ipst, ip_frag_mdt_discarded);
- freemsg(md_mp);
- }
- IP_STAT(ipst, ip_frag_mdt_allocfail);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
- return;
- }
- IP_STAT(ipst, ip_frag_mdt_allocd);
-
- /*
- * Add a payload buffer to the Multidata; this operation must not
- * fail, or otherwise our logic in this routine is broken. There
- * is no memory allocation done by the routine, so any returned
- * failure simply tells us that we've done something wrong.
- *
- * A failure tells us that either we're adding the same payload
- * buffer more than once, or we're trying to add more buffers than
- * allowed. None of the above cases should happen, and we panic
- * because either there's horrible heap corruption, and/or
- * programming mistake.
- */
- if ((pbuf_idx = mmd_addpldbuf(mmd, mp)) < 0)
- goto pbuf_panic;
-
- hdr_ptr = hdr_mp->b_rptr;
- pld_ptr = mp->b_rptr;
-
- /* Establish the ending byte offset, based on the starting offset. */
- offset <<= 3;
- ip_data_end = offset + ntohs(ipha_orig->ipha_length) -
- IP_SIMPLE_HDR_LENGTH;
-
- pdi.flags = PDESC_HBUF_REF | PDESC_PBUF_REF;
-
- while (pld_ptr < mp->b_wptr) {
- ipha_t *ipha;
- uint16_t offset_and_flags;
- uint16_t ip_len;
- int error;
-
- ASSERT((hdr_ptr + hdr_chunk_len) <= hdr_mp->b_wptr);
- ipha = (ipha_t *)(hdr_ptr + wroff);
- ASSERT(OK_32PTR(ipha));
- *ipha = *ipha_orig;
-
- if (ip_data_end - offset > len) {
- offset_and_flags = IPH_MF;
- } else {
- /*
- * Last frag. Set len to the length of this last piece.
- */
- len = ip_data_end - offset;
- /* A frag of a frag might have IPH_MF non-zero */
- offset_and_flags =
- ntohs(ipha->ipha_fragment_offset_and_flags) &
- IPH_MF;
- }
- offset_and_flags |= (uint16_t)(offset >> 3);
- offset_and_flags |= (uint16_t)frag_flag;
- /* Store the offset and flags in the IP header. */
- ipha->ipha_fragment_offset_and_flags = htons(offset_and_flags);
-
- /* Store the length in the IP header. */
- ip_len = (uint16_t)(len + IP_SIMPLE_HDR_LENGTH);
- ipha->ipha_length = htons(ip_len);
-
- /*
- * Set the IP header checksum. Note that mp is just
- * the header, so this is easy to pass to ip_csum.
- */
- ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
-
- DTRACE_IP7(send, mblk_t *, md_mp, conn_t *, NULL, void_ip_t *,
- ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha, ip6_t *,
- NULL, int, 0);
-
- /*
- * Record offset and size of header and data of the next packet
- * in the multidata message.
- */
- PDESC_HDR_ADD(&pdi, hdr_ptr, wroff, IP_SIMPLE_HDR_LENGTH, 0);
- PDESC_PLD_INIT(&pdi);
- i1 = MIN(mp->b_wptr - pld_ptr, len);
- ASSERT(i1 > 0);
- PDESC_PLD_SPAN_ADD(&pdi, pbuf_idx, pld_ptr, i1);
- if (i1 == len) {
- pld_ptr += len;
- } else {
- i1 = len - i1;
- mp = mp->b_cont;
- ASSERT(mp != NULL);
- ASSERT(MBLKL(mp) >= i1);
- /*
- * Attach the next payload message block to the
- * multidata message.
- */
- if ((pbuf_idx = mmd_addpldbuf(mmd, mp)) < 0)
- goto pbuf_panic;
- PDESC_PLD_SPAN_ADD(&pdi, pbuf_idx, mp->b_rptr, i1);
- pld_ptr = mp->b_rptr + i1;
- }
-
- if ((mmd_addpdesc(mmd, (pdescinfo_t *)&pdi, &error,
- KM_NOSLEEP)) == NULL) {
- /*
- * Any failure other than ENOMEM indicates that we
- * have passed in invalid pdesc info or parameters
- * to mmd_addpdesc, which must not happen.
- *
- * EINVAL is a result of failure on boundary checks
- * against the pdesc info contents. It should not
- * happen, and we panic because either there's
- * horrible heap corruption, and/or programming
- * mistake.
- */
- if (error != ENOMEM) {
- cmn_err(CE_PANIC, "ip_wput_frag_mdt: "
- "pdesc logic error detected for "
- "mmd %p pinfo %p (%d)\n",
- (void *)mmd, (void *)&pdi, error);
- /* NOTREACHED */
- }
- IP_STAT(ipst, ip_frag_mdt_addpdescfail);
- /* Free unattached payload message blocks as well */
- md_mp->b_cont = mp->b_cont;
- goto free_mmd;
- }
-
- /* Advance fragment offset. */
- offset += len;
-
- /* Advance to location for next header in the buffer. */
- hdr_ptr += hdr_chunk_len;
-
- /* Did we reach the next payload message block? */
- if (pld_ptr == mp->b_wptr && mp->b_cont != NULL) {
- mp = mp->b_cont;
- /*
- * Attach the next message block with payload
- * data to the multidata message.
- */
- if ((pbuf_idx = mmd_addpldbuf(mmd, mp)) < 0)
- goto pbuf_panic;
- pld_ptr = mp->b_rptr;
- }
- }
-
- ASSERT(hdr_mp->b_wptr == hdr_ptr);
- ASSERT(mp->b_wptr == pld_ptr);
-
- /* Update IP statistics */
- IP_STAT_UPDATE(ipst, ip_frag_mdt_pkt_out, pkts);
-
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsOutFragCreates, pkts);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragOKs);
-
- len = ntohs(ipha_orig->ipha_length) + (pkts - 1) * IP_SIMPLE_HDR_LENGTH;
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutTransmits, pkts);
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutOctets, len);
-
- if (pkt_type == OB_PKT) {
- ire->ire_ob_pkt_count += pkts;
- if (ire->ire_ipif != NULL)
- atomic_add_32(&ire->ire_ipif->ipif_ob_pkt_count, pkts);
- } else {
- /* The type is IB_PKT in the forwarding path. */
- ire->ire_ib_pkt_count += pkts;
- ASSERT(!IRE_IS_LOCAL(ire));
- if (ire->ire_type & IRE_BROADCAST) {
- atomic_add_32(&ire->ire_ipif->ipif_ib_pkt_count, pkts);
- } else {
- UPDATE_MIB(ill->ill_ip_mib,
- ipIfStatsHCOutForwDatagrams, pkts);
- atomic_add_32(&ire->ire_ipif->ipif_fo_pkt_count, pkts);
- }
- }
- ire->ire_last_used_time = lbolt;
- /* Send it down */
- putnext(ire->ire_stq, md_mp);
- return;
-
-pbuf_panic:
- cmn_err(CE_PANIC, "ip_wput_frag_mdt: payload buffer logic "
- "error for mmd %p pbuf %p (%d)", (void *)mmd, (void *)mp,
- pbuf_idx);
- /* NOTREACHED */
-}
-
/*
* Outbound IP fragmentation routine.
- *
- * NOTE : This routine does not ire_refrele the ire that is passed in
- * as the argument.
+ * Assumes the caller has checked whether or not fragmentation should
+ * be allowed. Here we copy the DF bit from the header to all the generated
+ * fragments.
*/
-static void
-ip_wput_frag(ire_t *ire, mblk_t *mp_orig, ip_pkt_t pkt_type, uint32_t max_frag,
- uint32_t frag_flag, zoneid_t zoneid, ip_stack_t *ipst, conn_t *connp)
+int
+ip_fragment_v4(mblk_t *mp_orig, nce_t *nce, iaflags_t ixaflags,
+ uint_t pkt_len, uint32_t max_frag, uint32_t xmit_hint, zoneid_t szone,
+ zoneid_t nolzid, pfirepostfrag_t postfragfn, uintptr_t *ixa_cookie)
{
int i1;
- mblk_t *ll_hdr_mp;
- int ll_hdr_len;
int hdr_len;
mblk_t *hdr_mp;
ipha_t *ipha;
int ip_data_end;
int len;
- mblk_t *mp = mp_orig, *mp1;
+ mblk_t *mp = mp_orig;
int offset;
- queue_t *q;
- uint32_t v_hlen_tos_len;
- mblk_t *first_mp;
- boolean_t mctl_present;
- ill_t *ill;
- ill_t *out_ill;
- mblk_t *xmit_mp;
+ ill_t *ill = nce->nce_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
mblk_t *carve_mp;
- ire_t *ire1 = NULL;
- ire_t *save_ire = NULL;
- mblk_t *next_mp = NULL;
- boolean_t last_frag = B_FALSE;
- boolean_t multirt_send = B_FALSE;
- ire_t *first_ire = NULL;
- irb_t *irb = NULL;
- mib2_ipIfStatsEntry_t *mibptr = NULL;
-
- ill = ire_to_ill(ire);
- mibptr = (ill != NULL) ? ill->ill_ip_mib : &ipst->ips_ip_mib;
+ uint32_t frag_flag;
+ uint_t priority = mp->b_band;
+ int error = 0;
- BUMP_MIB(mibptr, ipIfStatsOutFragReqds);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragReqds);
- if (max_frag == 0) {
- ip1dbg(("ip_wput_frag: ire frag size is 0"
- " - dropping packet\n"));
- BUMP_MIB(mibptr, ipIfStatsOutFragFails);
+ if (pkt_len != msgdsize(mp)) {
+ ip0dbg(("Packet length mismatch: %d, %ld\n",
+ pkt_len, msgdsize(mp)));
freemsg(mp);
- return;
+ return (EINVAL);
}
- /*
- * IPsec does not allow hw accelerated packets to be fragmented
- * This check is made in ip_wput_ipsec_out prior to coming here
- * via ip_wput_ire_fragmentit.
- *
- * If at this point we have an ire whose ARP request has not
- * been sent out, we call ip_xmit_v4->ire_arpresolve to trigger
- * sending of ARP query and change ire's state to ND_INCOMPLETE.
- * This packet and all fragmentable packets for this ire will
- * continue to get dropped while ire_nce->nce_state remains in
- * ND_INCOMPLETE. Post-ARP resolution, after ire's nce_state changes to
- * ND_REACHABLE, all subsquent large packets for this ire will
- * get fragemented and sent out by this function.
- */
- if (ire->ire_nce && ire->ire_nce->nce_state != ND_REACHABLE) {
- /* If nce_state is ND_INITIAL, trigger ARP query */
- (void) ip_xmit_v4(NULL, ire, NULL, B_FALSE, NULL);
- ip1dbg(("ip_wput_frag: mac address for ire is unresolved"
- " - dropping packet\n"));
- BUMP_MIB(mibptr, ipIfStatsOutFragFails);
+ if (max_frag == 0) {
+ ip1dbg(("ip_fragment_v4: max_frag is zero. Dropping packet\n"));
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
+ ip_drop_output("FragFails: zero max_frag", mp, ill);
freemsg(mp);
- return;
- }
-
- TRACE_0(TR_FAC_IP, TR_IP_WPUT_FRAG_START,
- "ip_wput_frag_start:");
-
- if (mp->b_datap->db_type == M_CTL) {
- first_mp = mp;
- mp_orig = mp = mp->b_cont;
- mctl_present = B_TRUE;
- } else {
- first_mp = mp;
- mctl_present = B_FALSE;
+ return (EINVAL);
}
ASSERT(MBLKL(mp) >= sizeof (ipha_t));
ipha = (ipha_t *)mp->b_rptr;
+ ASSERT(ntohs(ipha->ipha_length) == pkt_len);
+ frag_flag = ntohs(ipha->ipha_fragment_offset_and_flags) & IPH_DF;
/*
- * If the Don't Fragment flag is on, generate an ICMP destination
- * unreachable, fragmentation needed.
- */
- offset = ntohs(ipha->ipha_fragment_offset_and_flags);
- if (offset & IPH_DF) {
- BUMP_MIB(mibptr, ipIfStatsOutFragFails);
- if (is_system_labeled()) {
- max_frag = tsol_pmtu_adjust(mp, ire->ire_max_frag,
- ire->ire_max_frag - max_frag, AF_INET);
- }
- /*
- * Need to compute hdr checksum if called from ip_wput_ire.
- * Note that ip_rput_forward verifies the checksum before
- * calling this routine so in that case this is a noop.
- */
- ipha->ipha_hdr_checksum = 0;
- ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
- icmp_frag_needed(ire->ire_stq, first_mp, max_frag, zoneid,
- ipst);
- TRACE_1(TR_FAC_IP, TR_IP_WPUT_FRAG_END,
- "ip_wput_frag_end:(%S)",
- "don't fragment");
- return;
- }
- /*
- * Labeled systems adjust max_frag if they add a label
- * to send the correct path mtu. We need the real mtu since we
- * are fragmenting the packet after label adjustment.
- */
- if (is_system_labeled())
- max_frag = ire->ire_max_frag;
- if (mctl_present)
- freeb(first_mp);
- /*
* Establish the starting offset. May not be zero if we are fragging
* a fragment that is being forwarded.
*/
- offset = offset & IPH_OFFSET;
+ offset = ntohs(ipha->ipha_fragment_offset_and_flags) & IPH_OFFSET;
/* TODO why is this test needed? */
- v_hlen_tos_len = ((uint32_t *)ipha)[0];
- if (((max_frag - LENGTH) & ~7) < 8) {
+ if (((max_frag - ntohs(ipha->ipha_length)) & ~7) < 8) {
/* TODO: notify ulp somehow */
- BUMP_MIB(mibptr, ipIfStatsOutFragFails);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
+ ip_drop_output("FragFails: bad starting offset", mp, ill);
freemsg(mp);
- TRACE_1(TR_FAC_IP, TR_IP_WPUT_FRAG_END,
- "ip_wput_frag_end:(%S)",
- "len < 8");
- return;
+ return (EINVAL);
}
- hdr_len = (V_HLEN & 0xF) << 2;
-
+ hdr_len = IPH_HDR_LENGTH(ipha);
ipha->ipha_hdr_checksum = 0;
/*
@@ -24173,40 +11742,14 @@ ip_wput_frag(ire_t *ire, mblk_t *mp_orig, ip_pkt_t pkt_type, uint32_t max_frag,
*/
len = (max_frag - hdr_len) & ~7;
- /* Check if we can use MDT to send out the frags. */
- ASSERT(!IRE_IS_LOCAL(ire));
- if (hdr_len == IP_SIMPLE_HDR_LENGTH &&
- ipst->ips_ip_multidata_outbound &&
- !(ire->ire_flags & RTF_MULTIRT) &&
- !IPP_ENABLED(IPP_LOCAL_OUT, ipst) &&
- ill != NULL && ILL_MDT_CAPABLE(ill) &&
- IP_CAN_FRAG_MDT(mp, IP_SIMPLE_HDR_LENGTH, len)) {
- ASSERT(ill->ill_mdt_capab != NULL);
- if (!ill->ill_mdt_capab->ill_mdt_on) {
- /*
- * If MDT has been previously turned off in the past,
- * and we currently can do MDT (due to IPQoS policy
- * removal, etc.) then enable it for this interface.
- */
- ill->ill_mdt_capab->ill_mdt_on = 1;
- ip1dbg(("ip_wput_frag: enabled MDT for interface %s\n",
- ill->ill_name));
- }
- ip_wput_frag_mdt(ire, mp, pkt_type, len, frag_flag,
- offset);
- return;
- }
-
/* Get a copy of the header for the trailing frags */
- hdr_mp = ip_wput_frag_copyhdr((uchar_t *)ipha, hdr_len, offset, ipst,
+ hdr_mp = ip_fragment_copyhdr((uchar_t *)ipha, hdr_len, offset, ipst,
mp);
- if (!hdr_mp) {
- BUMP_MIB(mibptr, ipIfStatsOutFragFails);
+ if (hdr_mp == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
+ ip_drop_output("FragFails: no hdr_mp", mp, ill);
freemsg(mp);
- TRACE_1(TR_FAC_IP, TR_IP_WPUT_FRAG_END,
- "ip_wput_frag_end:(%S)",
- "couldn't copy hdr");
- return;
+ return (ENOBUFS);
}
/* Store the starting offset, with the MoreFrags flag. */
@@ -24233,279 +11776,28 @@ ip_wput_frag(ire_t *ire, mblk_t *mp_orig, ip_pkt_t pkt_type, uint32_t max_frag,
* original IP header.
*/
if (!(mp = ip_carve_mp(&mp_orig, i1))) {
- BUMP_MIB(mibptr, ipIfStatsOutFragFails);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
+ ip_drop_output("FragFails: could not carve mp", mp_orig, ill);
freeb(hdr_mp);
freemsg(mp_orig);
- TRACE_1(TR_FAC_IP, TR_IP_WPUT_FRAG_END,
- "ip_wput_frag_end:(%S)",
- "couldn't carve first");
- return;
+ return (ENOBUFS);
}
- /*
- * Multirouting case. Each fragment is replicated
- * via all non-condemned RTF_MULTIRT routes
- * currently resolved.
- * We ensure that first_ire is the first RTF_MULTIRT
- * ire in the bucket.
- */
- if (ire->ire_flags & RTF_MULTIRT) {
- irb = ire->ire_bucket;
- ASSERT(irb != NULL);
-
- multirt_send = B_TRUE;
-
- /* Make sure we do not omit any multiroute ire. */
- IRB_REFHOLD(irb);
- for (first_ire = irb->irb_ire;
- first_ire != NULL;
- first_ire = first_ire->ire_next) {
- if ((first_ire->ire_flags & RTF_MULTIRT) &&
- (first_ire->ire_addr == ire->ire_addr) &&
- !(first_ire->ire_marks &
- (IRE_MARK_CONDEMNED | IRE_MARK_TESTHIDDEN)))
- break;
- }
-
- if (first_ire != NULL) {
- if (first_ire != ire) {
- IRE_REFHOLD(first_ire);
- /*
- * Do not release the ire passed in
- * as the argument.
- */
- ire = first_ire;
- } else {
- first_ire = NULL;
- }
- }
- IRB_REFRELE(irb);
-
- /*
- * Save the first ire; we will need to restore it
- * for the trailing frags.
- * We REFHOLD save_ire, as each iterated ire will be
- * REFRELEd.
- */
- save_ire = ire;
- IRE_REFHOLD(save_ire);
- }
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragCreates);
- /*
- * First fragment emission loop.
- * In most cases, the emission loop below is entered only
- * once. Only in the case where the ire holds the RTF_MULTIRT
- * flag, do we loop to process all RTF_MULTIRT ires in the
- * bucket, and send the fragment through all crossed
- * RTF_MULTIRT routes.
- */
- do {
- if (ire->ire_flags & RTF_MULTIRT) {
- /*
- * We are in a multiple send case, need to get
- * the next ire and make a copy of the packet.
- * ire1 holds here the next ire to process in the
- * bucket. If multirouting is expected,
- * any non-RTF_MULTIRT ire that has the
- * right destination address is ignored.
- *
- * We have to take into account the MTU of
- * each walked ire. max_frag is set by the
- * the caller and generally refers to
- * the primary ire entry. Here we ensure that
- * no route with a lower MTU will be used, as
- * fragments are carved once for all ires,
- * then replicated.
- */
- ASSERT(irb != NULL);
- IRB_REFHOLD(irb);
- for (ire1 = ire->ire_next;
- ire1 != NULL;
- ire1 = ire1->ire_next) {
- if ((ire1->ire_flags & RTF_MULTIRT) == 0)
- continue;
- if (ire1->ire_addr != ire->ire_addr)
- continue;
- if (ire1->ire_marks &
- (IRE_MARK_CONDEMNED | IRE_MARK_TESTHIDDEN))
- continue;
- /*
- * Ensure we do not exceed the MTU
- * of the next route.
- */
- if (ire1->ire_max_frag < max_frag) {
- ip_multirt_bad_mtu(ire1, max_frag);
- continue;
- }
-
- /* Got one. */
- IRE_REFHOLD(ire1);
- break;
- }
- IRB_REFRELE(irb);
-
- if (ire1 != NULL) {
- next_mp = copyb(mp);
- if ((next_mp == NULL) ||
- ((mp->b_cont != NULL) &&
- ((next_mp->b_cont =
- dupmsg(mp->b_cont)) == NULL))) {
- freemsg(next_mp);
- next_mp = NULL;
- ire_refrele(ire1);
- ire1 = NULL;
- }
- }
-
- /* Last multiroute ire; don't loop anymore. */
- if (ire1 == NULL) {
- multirt_send = B_FALSE;
- }
- }
-
- ll_hdr_len = 0;
- LOCK_IRE_FP_MP(ire);
- ll_hdr_mp = ire->ire_nce->nce_fp_mp;
- if (ll_hdr_mp != NULL) {
- ASSERT(ll_hdr_mp->b_datap->db_type == M_DATA);
- ll_hdr_len = ll_hdr_mp->b_wptr - ll_hdr_mp->b_rptr;
- } else {
- ll_hdr_mp = ire->ire_nce->nce_res_mp;
- }
-
- /* If there is a transmit header, get a copy for this frag. */
- /*
- * TODO: should check db_ref before calling ip_carve_mp since
- * it might give us a dup.
- */
- if (!ll_hdr_mp) {
- /* No xmit header. */
- xmit_mp = mp;
-
- /* We have a link-layer header that can fit in our mblk. */
- } else if (mp->b_datap->db_ref == 1 &&
- ll_hdr_len != 0 &&
- ll_hdr_len <= mp->b_rptr - mp->b_datap->db_base) {
- /* M_DATA fastpath */
- mp->b_rptr -= ll_hdr_len;
- bcopy(ll_hdr_mp->b_rptr, mp->b_rptr, ll_hdr_len);
- xmit_mp = mp;
-
- /* Corner case if copyb has failed */
- } else if (!(xmit_mp = copyb(ll_hdr_mp))) {
- UNLOCK_IRE_FP_MP(ire);
- BUMP_MIB(mibptr, ipIfStatsOutFragFails);
- freeb(hdr_mp);
- freemsg(mp);
- freemsg(mp_orig);
- TRACE_1(TR_FAC_IP, TR_IP_WPUT_FRAG_END,
- "ip_wput_frag_end:(%S)",
- "discard");
-
- if (multirt_send) {
- ASSERT(ire1);
- ASSERT(next_mp);
-
- freemsg(next_mp);
- ire_refrele(ire1);
- }
- if (save_ire != NULL)
- IRE_REFRELE(save_ire);
-
- if (first_ire != NULL)
- ire_refrele(first_ire);
- return;
-
- /*
- * Case of res_mp OR the fastpath mp can't fit
- * in the mblk
- */
- } else {
- xmit_mp->b_cont = mp;
-
- /*
- * Get priority marking, if any.
- * We propagate the CoS marking from the
- * original packet that went to QoS processing
- * in ip_wput_ire to the newly carved mp.
- */
- if (DB_TYPE(xmit_mp) == M_DATA)
- xmit_mp->b_band = mp->b_band;
- }
- UNLOCK_IRE_FP_MP(ire);
-
- q = ire->ire_stq;
- out_ill = (ill_t *)q->q_ptr;
-
- BUMP_MIB(out_ill->ill_ip_mib, ipIfStatsOutFragCreates);
-
- DTRACE_PROBE4(ip4__physical__out__start,
- ill_t *, NULL, ill_t *, out_ill,
- ipha_t *, ipha, mblk_t *, xmit_mp);
-
- FW_HOOKS(ipst->ips_ip4_physical_out_event,
- ipst->ips_ipv4firewall_physical_out,
- NULL, out_ill, ipha, xmit_mp, mp, 0, ipst);
-
- DTRACE_PROBE1(ip4__physical__out__end, mblk_t *, xmit_mp);
-
- if (xmit_mp != NULL) {
- DTRACE_IP7(send, mblk_t *, xmit_mp, conn_t *, NULL,
- void_ip_t *, ipha, __dtrace_ipsr_ill_t *, out_ill,
- ipha_t *, ipha, ip6_t *, NULL, int, 0);
-
- ILL_SEND_TX(out_ill, ire, connp, xmit_mp, 0, connp);
-
- BUMP_MIB(out_ill->ill_ip_mib, ipIfStatsHCOutTransmits);
- UPDATE_MIB(out_ill->ill_ip_mib,
- ipIfStatsHCOutOctets, i1);
-
- if (pkt_type != OB_PKT) {
- /*
- * Update the packet count and MIB stats
- * of trailing RTF_MULTIRT ires.
- */
- UPDATE_OB_PKT_COUNT(ire);
- BUMP_MIB(out_ill->ill_ip_mib,
- ipIfStatsOutFragReqds);
- }
- }
-
- if (multirt_send) {
- /*
- * We are in a multiple send case; look for
- * the next ire and re-enter the loop.
- */
- ASSERT(ire1);
- ASSERT(next_mp);
- /* REFRELE the current ire before looping */
- ire_refrele(ire);
- ire = ire1;
- ire1 = NULL;
- mp = next_mp;
- next_mp = NULL;
- }
- } while (multirt_send);
-
- ASSERT(ire1 == NULL);
-
- /* Restore the original ire; we need it for the trailing frags */
- if (save_ire != NULL) {
- /* REFRELE the last iterated ire */
- ire_refrele(ire);
- /* save_ire has been REFHOLDed */
- ire = save_ire;
- save_ire = NULL;
- q = ire->ire_stq;
+ error = postfragfn(mp, nce, ixaflags, i1, xmit_hint, szone, nolzid,
+ ixa_cookie);
+ if (error != 0 && error != EWOULDBLOCK) {
+ /* No point in sending the other fragments */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
+ ip_drop_output("FragFails: postfragfn failed", mp_orig, ill);
+ freeb(hdr_mp);
+ freemsg(mp_orig);
+ return (error);
}
- if (pkt_type == OB_PKT) {
- UPDATE_OB_PKT_COUNT(ire);
- } else {
- out_ill = (ill_t *)q->q_ptr;
- BUMP_MIB(out_ill->ill_ip_mib, ipIfStatsHCOutForwDatagrams);
- UPDATE_IB_PKT_COUNT(ire);
- }
+ /* No need to redo state machine in loop */
+ ixaflags &= ~IXAF_REACH_CONF;
/* Advance the offset to the second frag starting point. */
offset += len;
@@ -24547,7 +11839,7 @@ ip_wput_frag(ire_t *ire, mblk_t *mp_orig, ip_pkt_t pkt_type, uint32_t max_frag,
break;
}
/* Get priority marking, if any. */
- mp->b_band = carve_mp->b_band;
+ mp->b_band = priority;
mp->b_cont = carve_mp;
}
ipha = (ipha_t *)mp->b_rptr;
@@ -24581,7 +11873,7 @@ ip_wput_frag(ire_t *ire, mblk_t *mp_orig, ip_pkt_t pkt_type, uint32_t max_frag,
} else {
mp = hdr_mp;
/* Get priority marking, if any. */
- mp->b_band = carve_mp->b_band;
+ mp->b_band = priority;
mp->b_cont = carve_mp;
}
ipha = (ipha_t *)mp->b_rptr;
@@ -24605,254 +11897,40 @@ ip_wput_frag(ire_t *ire, mblk_t *mp_orig, ip_pkt_t pkt_type, uint32_t max_frag,
*/
ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
- /* Attach a transmit header, if any, and ship it. */
- if (pkt_type == OB_PKT) {
- UPDATE_OB_PKT_COUNT(ire);
- } else {
- out_ill = (ill_t *)q->q_ptr;
- BUMP_MIB(out_ill->ill_ip_mib,
- ipIfStatsHCOutForwDatagrams);
- UPDATE_IB_PKT_COUNT(ire);
- }
-
- if (ire->ire_flags & RTF_MULTIRT) {
- irb = ire->ire_bucket;
- ASSERT(irb != NULL);
-
- multirt_send = B_TRUE;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragCreates);
- /*
- * Save the original ire; we will need to restore it
- * for the tailing frags.
- */
- save_ire = ire;
- IRE_REFHOLD(save_ire);
+ error = postfragfn(mp, nce, ixaflags, ip_len, xmit_hint, szone,
+ nolzid, ixa_cookie);
+ /* All done if we just consumed the hdr_mp. */
+ if (mp == hdr_mp) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragOKs);
+ return (error);
}
- /*
- * Emission loop for this fragment, similar
- * to what is done for the first fragment.
- */
- do {
- if (multirt_send) {
- /*
- * We are in a multiple send case, need to get
- * the next ire and make a copy of the packet.
- */
- ASSERT(irb != NULL);
- IRB_REFHOLD(irb);
- for (ire1 = ire->ire_next;
- ire1 != NULL;
- ire1 = ire1->ire_next) {
- if (!(ire1->ire_flags & RTF_MULTIRT))
- continue;
- if (ire1->ire_addr != ire->ire_addr)
- continue;
- if (ire1->ire_marks &
- (IRE_MARK_CONDEMNED |
- IRE_MARK_TESTHIDDEN))
- continue;
- /*
- * Ensure we do not exceed the MTU
- * of the next route.
- */
- if (ire1->ire_max_frag < max_frag) {
- ip_multirt_bad_mtu(ire1,
- max_frag);
- continue;
- }
-
- /* Got one. */
- IRE_REFHOLD(ire1);
- break;
- }
- IRB_REFRELE(irb);
-
- if (ire1 != NULL) {
- next_mp = copyb(mp);
- if ((next_mp == NULL) ||
- ((mp->b_cont != NULL) &&
- ((next_mp->b_cont =
- dupmsg(mp->b_cont)) == NULL))) {
- freemsg(next_mp);
- next_mp = NULL;
- ire_refrele(ire1);
- ire1 = NULL;
- }
- }
-
- /* Last multiroute ire; don't loop anymore. */
- if (ire1 == NULL) {
- multirt_send = B_FALSE;
- }
- }
-
- /* Update transmit header */
- ll_hdr_len = 0;
- LOCK_IRE_FP_MP(ire);
- ll_hdr_mp = ire->ire_nce->nce_fp_mp;
- if (ll_hdr_mp != NULL) {
- ASSERT(ll_hdr_mp->b_datap->db_type == M_DATA);
- ll_hdr_len = MBLKL(ll_hdr_mp);
- } else {
- ll_hdr_mp = ire->ire_nce->nce_res_mp;
- }
-
- if (!ll_hdr_mp) {
- xmit_mp = mp;
-
- /*
- * We have link-layer header that can fit in
- * our mblk.
- */
- } else if (mp->b_datap->db_ref == 1 &&
- ll_hdr_len != 0 &&
- ll_hdr_len <= mp->b_rptr - mp->b_datap->db_base) {
- /* M_DATA fastpath */
- mp->b_rptr -= ll_hdr_len;
- bcopy(ll_hdr_mp->b_rptr, mp->b_rptr,
- ll_hdr_len);
- xmit_mp = mp;
-
- /*
- * Case of res_mp OR the fastpath mp can't fit
- * in the mblk
- */
- } else if ((xmit_mp = copyb(ll_hdr_mp)) != NULL) {
- xmit_mp->b_cont = mp;
- /* Get priority marking, if any. */
- if (DB_TYPE(xmit_mp) == M_DATA)
- xmit_mp->b_band = mp->b_band;
-
- /* Corner case if copyb failed */
- } else {
- /*
- * Exit both the replication and
- * fragmentation loops.
- */
- UNLOCK_IRE_FP_MP(ire);
- goto drop_pkt;
- }
- UNLOCK_IRE_FP_MP(ire);
-
- mp1 = mp;
- out_ill = (ill_t *)q->q_ptr;
-
- BUMP_MIB(out_ill->ill_ip_mib, ipIfStatsOutFragCreates);
-
- DTRACE_PROBE4(ip4__physical__out__start,
- ill_t *, NULL, ill_t *, out_ill,
- ipha_t *, ipha, mblk_t *, xmit_mp);
-
- FW_HOOKS(ipst->ips_ip4_physical_out_event,
- ipst->ips_ipv4firewall_physical_out,
- NULL, out_ill, ipha, xmit_mp, mp, 0, ipst);
-
- DTRACE_PROBE1(ip4__physical__out__end,
- mblk_t *, xmit_mp);
-
- if (mp != mp1 && hdr_mp == mp1)
- hdr_mp = mp;
- if (mp != mp1 && mp_orig == mp1)
- mp_orig = mp;
-
- if (xmit_mp != NULL) {
- DTRACE_IP7(send, mblk_t *, xmit_mp, conn_t *,
- NULL, void_ip_t *, ipha,
- __dtrace_ipsr_ill_t *, out_ill, ipha_t *,
- ipha, ip6_t *, NULL, int, 0);
-
- ILL_SEND_TX(out_ill, ire, connp,
- xmit_mp, 0, connp);
-
- BUMP_MIB(out_ill->ill_ip_mib,
- ipIfStatsHCOutTransmits);
- UPDATE_MIB(out_ill->ill_ip_mib,
- ipIfStatsHCOutOctets, ip_len);
-
- if (pkt_type != OB_PKT) {
- /*
- * Update the packet count of trailing
- * RTF_MULTIRT ires.
- */
- UPDATE_OB_PKT_COUNT(ire);
- }
- }
-
- /* All done if we just consumed the hdr_mp. */
- if (mp == hdr_mp) {
- last_frag = B_TRUE;
- BUMP_MIB(out_ill->ill_ip_mib,
- ipIfStatsOutFragOKs);
- }
-
- if (multirt_send) {
- /*
- * We are in a multiple send case; look for
- * the next ire and re-enter the loop.
- */
- ASSERT(ire1);
- ASSERT(next_mp);
- /* REFRELE the current ire before looping */
- ire_refrele(ire);
- ire = ire1;
- ire1 = NULL;
- q = ire->ire_stq;
- mp = next_mp;
- next_mp = NULL;
- }
- } while (multirt_send);
- /*
- * Restore the original ire; we need it for the
- * trailing frags
- */
- if (save_ire != NULL) {
- ASSERT(ire1 == NULL);
- /* REFRELE the last iterated ire */
- ire_refrele(ire);
- /* save_ire has been REFHOLDed */
- ire = save_ire;
- q = ire->ire_stq;
- save_ire = NULL;
+ if (error != 0 && error != EWOULDBLOCK) {
+ DTRACE_PROBE2(ip__xmit__frag__fail, ill_t *, ill,
+ mblk_t *, hdr_mp);
+ /* No point in sending the other fragments */
+ break;
}
- if (last_frag) {
- TRACE_1(TR_FAC_IP, TR_IP_WPUT_FRAG_END,
- "ip_wput_frag_end:(%S)",
- "consumed hdr_mp");
-
- if (first_ire != NULL)
- ire_refrele(first_ire);
- return;
- }
/* Otherwise, advance and loop. */
offset += len;
}
-
-drop_pkt:
/* Clean up following allocation failure. */
- BUMP_MIB(mibptr, ipIfStatsOutFragFails);
- freemsg(mp);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
+ ip_drop_output("FragFails: loop ended", NULL, ill);
if (mp != hdr_mp)
freeb(hdr_mp);
if (mp != mp_orig)
freemsg(mp_orig);
-
- if (save_ire != NULL)
- IRE_REFRELE(save_ire);
- if (first_ire != NULL)
- ire_refrele(first_ire);
-
- TRACE_1(TR_FAC_IP, TR_IP_WPUT_FRAG_END,
- "ip_wput_frag_end:(%S)",
- "end--alloc failure");
+ return (error);
}
/*
* Copy the header plus those options which have the copy bit set
- * src is the template to make sure we preserve the cred for TX purposes.
*/
static mblk_t *
-ip_wput_frag_copyhdr(uchar_t *rptr, int hdr_len, int offset, ip_stack_t *ipst,
+ip_fragment_copyhdr(uchar_t *rptr, int hdr_len, int offset, ip_stack_t *ipst,
mblk_t *src)
{
mblk_t *mp;
@@ -24908,310 +11986,13 @@ ip_wput_frag_copyhdr(uchar_t *rptr, int hdr_len, int offset, ip_stack_t *ipst,
}
/*
- * Delivery to local recipients including fanout to multiple recipients.
- * Does not do checksumming of UDP/TCP.
- * Note: q should be the read side queue for either the ill or conn.
- * Note: rq should be the read side q for the lower (ill) stream.
- * We don't send packets to IPPF processing, thus the last argument
- * to all the fanout calls are B_FALSE.
- */
-void
-ip_wput_local(queue_t *q, ill_t *ill, ipha_t *ipha, mblk_t *mp, ire_t *ire,
- int fanout_flags, zoneid_t zoneid)
-{
- uint32_t protocol;
- mblk_t *first_mp;
- boolean_t mctl_present;
- int ire_type;
-#define rptr ((uchar_t *)ipha)
- ip_stack_t *ipst = ill->ill_ipst;
-
- TRACE_1(TR_FAC_IP, TR_IP_WPUT_LOCAL_START,
- "ip_wput_local_start: q %p", q);
-
- if (ire != NULL) {
- ire_type = ire->ire_type;
- } else {
- /*
- * Only ip_multicast_loopback() calls us with a NULL ire. If the
- * packet is not multicast, we can't tell the ire type.
- */
- ASSERT(CLASSD(ipha->ipha_dst));
- ire_type = IRE_BROADCAST;
- }
-
- first_mp = mp;
- if (first_mp->b_datap->db_type == M_CTL) {
- ipsec_out_t *io = (ipsec_out_t *)first_mp->b_rptr;
- if (!io->ipsec_out_secure) {
- /*
- * This ipsec_out_t was allocated in ip_wput
- * for multicast packets to store the ill_index.
- * As this is being delivered locally, we don't
- * need this anymore.
- */
- mp = first_mp->b_cont;
- freeb(first_mp);
- first_mp = mp;
- mctl_present = B_FALSE;
- } else {
- /*
- * Convert IPSEC_OUT to IPSEC_IN, preserving all
- * security properties for the looped-back packet.
- */
- mctl_present = B_TRUE;
- mp = first_mp->b_cont;
- ASSERT(mp != NULL);
- ipsec_out_to_in(first_mp);
- }
- } else {
- mctl_present = B_FALSE;
- }
-
- DTRACE_PROBE4(ip4__loopback__in__start,
- ill_t *, ill, ill_t *, NULL,
- ipha_t *, ipha, mblk_t *, first_mp);
-
- FW_HOOKS(ipst->ips_ip4_loopback_in_event,
- ipst->ips_ipv4firewall_loopback_in,
- ill, NULL, ipha, first_mp, mp, 0, ipst);
-
- DTRACE_PROBE1(ip4__loopback__in__end, mblk_t *, first_mp);
-
- if (first_mp == NULL)
- return;
-
- if (ipst->ips_ip4_observe.he_interested) {
- zoneid_t szone, dzone, lookup_zoneid = ALL_ZONES;
- zoneid_t stackzoneid = netstackid_to_zoneid(
- ipst->ips_netstack->netstack_stackid);
-
- dzone = (stackzoneid == GLOBAL_ZONEID) ? zoneid : stackzoneid;
- /*
- * 127.0.0.1 is special, as we cannot lookup its zoneid by
- * address. Restrict the lookup below to the destination zone.
- */
- if (ipha->ipha_src == ntohl(INADDR_LOOPBACK))
- lookup_zoneid = zoneid;
- szone = ip_get_zoneid_v4(ipha->ipha_src, mp, ipst,
- lookup_zoneid);
- ipobs_hook(mp, IPOBS_HOOK_LOCAL, szone, dzone, ill, ipst);
- }
-
- DTRACE_IP7(receive, mblk_t *, first_mp, conn_t *, NULL, void_ip_t *,
- ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha, ip6_t *, NULL,
- int, 1);
-
- ipst->ips_loopback_packets++;
-
- ip2dbg(("ip_wput_local: from 0x%x to 0x%x in zone %d\n",
- ntohl(ipha->ipha_src), ntohl(ipha->ipha_dst), zoneid));
- if (!IS_SIMPLE_IPH(ipha)) {
- ip_wput_local_options(ipha, ipst);
- }
-
- protocol = ipha->ipha_protocol;
- switch (protocol) {
- case IPPROTO_ICMP: {
- ire_t *ire_zone;
- ilm_t *ilm;
- mblk_t *mp1;
- zoneid_t last_zoneid;
- ilm_walker_t ilw;
-
- if (CLASSD(ipha->ipha_dst) && !IS_LOOPBACK(ill)) {
- ASSERT(ire_type == IRE_BROADCAST);
- /*
- * In the multicast case, applications may have joined
- * the group from different zones, so we need to deliver
- * the packet to each of them. Loop through the
- * multicast memberships structures (ilm) on the receive
- * ill and send a copy of the packet up each matching
- * one. However, we don't do this for multicasts sent on
- * the loopback interface (PHYI_LOOPBACK flag set) as
- * they must stay in the sender's zone.
- *
- * ilm_add_v6() ensures that ilms in the same zone are
- * contiguous in the ill_ilm list. We use this property
- * to avoid sending duplicates needed when two
- * applications in the same zone join the same group on
- * different logical interfaces: we ignore the ilm if
- * it's zoneid is the same as the last matching one.
- * In addition, the sending of the packet for
- * ire_zoneid is delayed until all of the other ilms
- * have been exhausted.
- */
- last_zoneid = -1;
- ilm = ilm_walker_start(&ilw, ill);
- for (; ilm != NULL; ilm = ilm_walker_step(&ilw, ilm)) {
- if (ipha->ipha_dst != ilm->ilm_addr ||
- ilm->ilm_zoneid == last_zoneid ||
- ilm->ilm_zoneid == zoneid ||
- !(ilm->ilm_ipif->ipif_flags & IPIF_UP))
- continue;
- mp1 = ip_copymsg(first_mp);
- if (mp1 == NULL)
- continue;
- icmp_inbound(q, mp1, B_TRUE, ilw.ilw_walk_ill,
- 0, 0, mctl_present, B_FALSE, ill,
- ilm->ilm_zoneid);
- last_zoneid = ilm->ilm_zoneid;
- }
- ilm_walker_finish(&ilw);
- /*
- * Loopback case: the sending endpoint has
- * IP_MULTICAST_LOOP disabled, therefore we don't
- * dispatch the multicast packet to the sending zone.
- */
- if (fanout_flags & IP_FF_NO_MCAST_LOOP) {
- freemsg(first_mp);
- return;
- }
- } else if (ire_type == IRE_BROADCAST) {
- /*
- * In the broadcast case, there may be many zones
- * which need a copy of the packet delivered to them.
- * There is one IRE_BROADCAST per broadcast address
- * and per zone; we walk those using a helper function.
- * In addition, the sending of the packet for zoneid is
- * delayed until all of the other ires have been
- * processed.
- */
- IRB_REFHOLD(ire->ire_bucket);
- ire_zone = NULL;
- while ((ire_zone = ire_get_next_bcast_ire(ire_zone,
- ire)) != NULL) {
- mp1 = ip_copymsg(first_mp);
- if (mp1 == NULL)
- continue;
-
- UPDATE_IB_PKT_COUNT(ire_zone);
- ire_zone->ire_last_used_time = lbolt;
- icmp_inbound(q, mp1, B_TRUE, ill, 0, 0,
- mctl_present, B_FALSE, ill,
- ire_zone->ire_zoneid);
- }
- IRB_REFRELE(ire->ire_bucket);
- }
- icmp_inbound(q, first_mp, (ire_type == IRE_BROADCAST), ill, 0,
- 0, mctl_present, B_FALSE, ill, zoneid);
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_LOCAL_END,
- "ip_wput_local_end: q %p (%S)",
- q, "icmp");
- return;
- }
- case IPPROTO_IGMP:
- if ((mp = igmp_input(q, mp, ill)) == NULL) {
- /* Bad packet - discarded by igmp_input */
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_LOCAL_END,
- "ip_wput_local_end: q %p (%S)",
- q, "igmp_input--bad packet");
- if (mctl_present)
- freeb(first_mp);
- return;
- }
- /*
- * igmp_input() may have returned the pulled up message.
- * So first_mp and ipha need to be reinitialized.
- */
- ipha = (ipha_t *)mp->b_rptr;
- if (mctl_present)
- first_mp->b_cont = mp;
- else
- first_mp = mp;
- /* deliver to local raw users */
- break;
- case IPPROTO_ENCAP:
- /*
- * This case is covered by either ip_fanout_proto, or by
- * the above security processing for self-tunneled packets.
- */
- break;
- case IPPROTO_UDP: {
- uint16_t *up;
- uint32_t ports;
-
- up = (uint16_t *)(rptr + IPH_HDR_LENGTH(ipha) +
- UDP_PORTS_OFFSET);
- /* Force a 'valid' checksum. */
- up[3] = 0;
-
- ports = *(uint32_t *)up;
- ip_fanout_udp(q, first_mp, ill, ipha, ports,
- (ire_type == IRE_BROADCAST),
- fanout_flags | IP_FF_SEND_ICMP | IP_FF_HDR_COMPLETE |
- IP_FF_SEND_SLLA | IP_FF_IPINFO, mctl_present, B_FALSE,
- ill, zoneid);
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_LOCAL_END,
- "ip_wput_local_end: q %p (%S)", q, "ip_fanout_udp");
- return;
- }
- case IPPROTO_TCP: {
-
- /*
- * For TCP, discard broadcast packets.
- */
- if ((ushort_t)ire_type == IRE_BROADCAST) {
- freemsg(first_mp);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- ip2dbg(("ip_wput_local: discard broadcast\n"));
- return;
- }
-
- if (mp->b_datap->db_type == M_DATA) {
- /*
- * M_DATA mblk, so init mblk (chain) for no struio().
- */
- mblk_t *mp1 = mp;
-
- do {
- mp1->b_datap->db_struioflag = 0;
- } while ((mp1 = mp1->b_cont) != NULL);
- }
- ASSERT((rptr + IPH_HDR_LENGTH(ipha) + TCP_PORTS_OFFSET + 4)
- <= mp->b_wptr);
- ip_fanout_tcp(q, first_mp, ill, ipha,
- fanout_flags | IP_FF_SEND_ICMP | IP_FF_HDR_COMPLETE |
- IP_FF_SYN_ADDIRE | IP_FF_IPINFO,
- mctl_present, B_FALSE, zoneid);
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_LOCAL_END,
- "ip_wput_local_end: q %p (%S)", q, "ip_fanout_tcp");
- return;
- }
- case IPPROTO_SCTP:
- {
- uint32_t ports;
-
- bcopy(rptr + IPH_HDR_LENGTH(ipha), &ports, sizeof (ports));
- ip_fanout_sctp(first_mp, ill, ipha, ports,
- fanout_flags | IP_FF_SEND_ICMP | IP_FF_HDR_COMPLETE |
- IP_FF_IPINFO, mctl_present, B_FALSE, zoneid);
- return;
- }
-
- default:
- break;
- }
- /*
- * Find a client for some other protocol. We give
- * copies to multiple clients, if more than one is
- * bound.
- */
- ip_fanout_proto(q, first_mp, ill, ipha,
- fanout_flags | IP_FF_SEND_ICMP | IP_FF_HDR_COMPLETE | IP_FF_RAWIP,
- mctl_present, B_FALSE, ill, zoneid);
- TRACE_2(TR_FAC_IP, TR_IP_WPUT_LOCAL_END,
- "ip_wput_local_end: q %p (%S)", q, "ip_fanout_proto");
-#undef rptr
-}
-
-/*
- * Update any source route, record route, or timestamp options.
+ * Update any source route, record route, or timestamp options when
+ * sending a packet back to ourselves.
* Check that we are at end of strict source route.
- * The options have been sanity checked by ip_wput_options().
+ * The options have been sanity checked by ip_output_options().
*/
-static void
-ip_wput_local_options(ipha_t *ipha, ip_stack_t *ipst)
+void
+ip_output_local_options(ipha_t *ipha, ip_stack_t *ipst)
{
ipoptp_t opts;
uchar_t *opt;
@@ -25219,10 +12000,8 @@ ip_wput_local_options(ipha_t *ipha, ip_stack_t *ipst)
uint8_t optlen;
ipaddr_t dst;
uint32_t ts;
- ire_t *ire;
timestruc_t now;
- ip2dbg(("ip_wput_local_options\n"));
for (optval = ipoptp_first(&opts, ipha);
optval != IPOPT_EOL;
optval = ipoptp_next(&opts)) {
@@ -25246,7 +12025,7 @@ ip_wput_local_options(ipha_t *ipha, ip_stack_t *ipst)
* it is a packet with a loose source route which
* reaches us before consuming the whole source route
*/
- ip1dbg(("ip_wput_local_options: not end of SR\n"));
+
if (optval == IPOPT_SSRR) {
return;
}
@@ -25267,7 +12046,7 @@ ip_wput_local_options(ipha_t *ipha, ip_stack_t *ipst)
off > optlen - IP_ADDR_LEN) {
/* No more room - ignore */
ip1dbg((
- "ip_wput_forward_options: end of RR\n"));
+ "ip_output_local_options: end of RR\n"));
break;
}
dst = htonl(INADDR_LOOPBACK);
@@ -25285,14 +12064,10 @@ ip_wput_local_options(ipha_t *ipha, ip_stack_t *ipst)
/* Verify that the address matched */
off = opt[IPOPT_OFFSET] - 1;
bcopy((char *)opt + off, &dst, IP_ADDR_LEN);
- ire = ire_ctable_lookup(dst, 0, IRE_LOCAL,
- NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE,
- ipst);
- if (ire == NULL) {
+ if (ip_type_v4(dst, ipst) != IRE_LOCAL) {
/* Not for us */
break;
}
- ire_refrele(ire);
/* FALLTHRU */
case IPOPT_TS_TSANDADDR:
off = IP_ADDR_LEN + IPOPT_TS_TIMELEN;
@@ -25302,8 +12077,8 @@ ip_wput_local_options(ipha_t *ipha, ip_stack_t *ipst)
* ip_*put_options should have already
* dropped this packet.
*/
- cmn_err(CE_PANIC, "ip_wput_local_options: "
- "unknown IT - bug in ip_wput_options?\n");
+ cmn_err(CE_PANIC, "ip_output_local_options: "
+ "unknown IT - bug in ip_output_options?\n");
return; /* Keep "lint" happy */
}
if (opt[IPOPT_OFFSET] - 1 + off > optlen) {
@@ -25339,1098 +12114,240 @@ ip_wput_local_options(ipha_t *ipha, ip_stack_t *ipst)
}
/*
- * Send out a multicast packet on interface ipif.
- * The sender does not have an conn.
- * Caller verifies that this isn't a PHYI_LOOPBACK.
- */
-void
-ip_wput_multicast(queue_t *q, mblk_t *mp, ipif_t *ipif, zoneid_t zoneid)
-{
- ipha_t *ipha;
- ire_t *ire;
- ipaddr_t dst;
- mblk_t *first_mp;
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
-
- /* igmp_sendpkt always allocates a ipsec_out_t */
- ASSERT(mp->b_datap->db_type == M_CTL);
- ASSERT(!ipif->ipif_isv6);
- ASSERT(!IS_LOOPBACK(ipif->ipif_ill));
-
- first_mp = mp;
- mp = first_mp->b_cont;
- ASSERT(mp->b_datap->db_type == M_DATA);
- ipha = (ipha_t *)mp->b_rptr;
-
- /*
- * Find an IRE which matches the destination and the outgoing
- * queue (i.e. the outgoing interface.)
- */
- if (ipif->ipif_flags & IPIF_POINTOPOINT)
- dst = ipif->ipif_pp_dst_addr;
- else
- dst = ipha->ipha_dst;
- /*
- * The source address has already been initialized by the
- * caller and hence matching on ILL (MATCH_IRE_ILL) would
- * be sufficient rather than MATCH_IRE_IPIF.
- *
- * This function is used for sending IGMP packets. For IPMP,
- * we sidestep IGMP snooping issues by sending all multicast
- * traffic on a single interface in the IPMP group.
- */
- ire = ire_ctable_lookup(dst, 0, 0, ipif, zoneid, NULL,
- MATCH_IRE_ILL, ipst);
- if (!ire) {
- /*
- * Mark this packet to make it be delivered to
- * ip_wput_ire after the new ire has been
- * created.
- */
- mp->b_prev = NULL;
- mp->b_next = NULL;
- ip_newroute_ipif(q, first_mp, ipif, dst, NULL, RTF_SETSRC,
- zoneid, &zero_info);
- return;
- }
-
- /*
- * Honor the RTF_SETSRC flag; this is the only case
- * where we force this addr whatever the current src addr is,
- * because this address is set by igmp_sendpkt(), and
- * cannot be specified by any user.
- */
- if (ire->ire_flags & RTF_SETSRC) {
- ipha->ipha_src = ire->ire_src_addr;
- }
-
- ip_wput_ire(q, first_mp, ire, NULL, B_FALSE, zoneid);
-}
-
-/*
- * NOTE : This function does not ire_refrele the ire argument passed in.
+ * Prepend an M_DATA fastpath header, and if none present prepend a
+ * DL_UNITDATA_REQ. Frees the mblk on failure.
+ *
+ * nce_dlur_mp and nce_fp_mp can not disappear once they have been set.
+ * If there is a change to them, the nce will be deleted (condemned) and
+ * a new nce_t will be created when packets are sent. Thus we need no locks
+ * to access those fields.
*
- * Copy the link layer header and do IPQoS if needed. Frees the mblk on
- * failure. The nce_fp_mp can vanish any time in the case of
- * IRE_BROADCAST due to DL_NOTE_FASTPATH_FLUSH. Hence we have to hold
- * the ire_lock to access the nce_fp_mp in this case.
- * IPQoS assumes that the first M_DATA contains the IP header. So, if we are
- * prepending a fastpath message IPQoS processing must precede it, we also set
- * the b_band of the fastpath message to that of the mblk returned by IPQoS
- * (IPQoS might have set the b_band for CoS marking).
- * However, if we are prepending DL_UNITDATA_REQ message, IPQoS processing
- * must follow it so that IPQoS can mark the dl_priority field for CoS
- * marking, if needed.
+ * We preserve b_band to support IPQoS. If a DL_UNITDATA_REQ is prepended
+ * we place b_band in dl_priority.dl_max.
*/
static mblk_t *
-ip_wput_attach_llhdr(mblk_t *mp, ire_t *ire, ip_proc_t proc,
- uint32_t ill_index, ipha_t **iphap)
+ip_xmit_attach_llhdr(mblk_t *mp, nce_t *nce)
{
uint_t hlen;
- ipha_t *ipha;
mblk_t *mp1;
- boolean_t qos_done = B_FALSE;
- uchar_t *ll_hdr;
- ip_stack_t *ipst = ire->ire_ipst;
+ uint_t priority;
+ uchar_t *rptr;
-#define rptr ((uchar_t *)ipha)
+ rptr = mp->b_rptr;
- ipha = (ipha_t *)mp->b_rptr;
- hlen = 0;
- LOCK_IRE_FP_MP(ire);
- if ((mp1 = ire->ire_nce->nce_fp_mp) != NULL) {
- ASSERT(DB_TYPE(mp1) == M_DATA);
- /* Initiate IPPF processing */
- if ((proc != 0) && IPP_ENABLED(proc, ipst)) {
- UNLOCK_IRE_FP_MP(ire);
- ip_process(proc, &mp, ill_index);
- if (mp == NULL)
- return (NULL);
+ ASSERT(DB_TYPE(mp) == M_DATA);
+ priority = mp->b_band;
- ipha = (ipha_t *)mp->b_rptr;
- LOCK_IRE_FP_MP(ire);
- if ((mp1 = ire->ire_nce->nce_fp_mp) == NULL) {
- qos_done = B_TRUE;
- goto no_fp_mp;
- }
- ASSERT(DB_TYPE(mp1) == M_DATA);
- }
+ ASSERT(nce != NULL);
+ if ((mp1 = nce->nce_fp_mp) != NULL) {
hlen = MBLKL(mp1);
/*
* Check if we have enough room to prepend fastpath
* header
*/
if (hlen != 0 && (rptr - mp->b_datap->db_base) >= hlen) {
- ll_hdr = rptr - hlen;
- bcopy(mp1->b_rptr, ll_hdr, hlen);
+ rptr -= hlen;
+ bcopy(mp1->b_rptr, rptr, hlen);
/*
* Set the b_rptr to the start of the link layer
* header
*/
- mp->b_rptr = ll_hdr;
- mp1 = mp;
- } else {
- mp1 = copyb(mp1);
- if (mp1 == NULL)
- goto unlock_err;
- mp1->b_band = mp->b_band;
- mp1->b_cont = mp;
- /*
- * XXX disable ICK_VALID and compute checksum
- * here; can happen if nce_fp_mp changes and
- * it can't be copied now due to insufficient
- * space. (unlikely, fp mp can change, but it
- * does not increase in length)
- */
+ mp->b_rptr = rptr;
+ return (mp);
}
- UNLOCK_IRE_FP_MP(ire);
- } else {
-no_fp_mp:
- mp1 = copyb(ire->ire_nce->nce_res_mp);
+ mp1 = copyb(mp1);
if (mp1 == NULL) {
-unlock_err:
- UNLOCK_IRE_FP_MP(ire);
+ ill_t *ill = nce->nce_ill;
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", mp, ill);
freemsg(mp);
return (NULL);
}
- UNLOCK_IRE_FP_MP(ire);
+ mp1->b_band = priority;
mp1->b_cont = mp;
- if (!qos_done && (proc != 0) && IPP_ENABLED(proc, ipst)) {
- ip_process(proc, &mp1, ill_index);
- if (mp1 == NULL)
- return (NULL);
-
- if (mp1->b_cont == NULL)
- ipha = NULL;
- else
- ipha = (ipha_t *)mp1->b_cont->b_rptr;
- }
- }
-
- *iphap = ipha;
- return (mp1);
-#undef rptr
-}
-
-/*
- * Finish the outbound IPsec processing for an IPv6 packet. This function
- * is called from ipsec_out_process() if the IPsec packet was processed
- * synchronously, or from {ah,esp}_kcf_callback() if it was processed
- * asynchronously.
- */
-void
-ip_wput_ipsec_out_v6(queue_t *q, mblk_t *ipsec_mp, ip6_t *ip6h, ill_t *ill,
- ire_t *ire_arg)
-{
- in6_addr_t *v6dstp;
- ire_t *ire;
- mblk_t *mp;
- ip6_t *ip6h1;
- uint_t ill_index;
- ipsec_out_t *io;
- boolean_t hwaccel;
- uint32_t flags = IP6_NO_IPPOLICY;
- int match_flags;
- zoneid_t zoneid;
- boolean_t ill_need_rele = B_FALSE;
- boolean_t ire_need_rele = B_FALSE;
- ip_stack_t *ipst;
-
- mp = ipsec_mp->b_cont;
- ip6h1 = (ip6_t *)mp->b_rptr;
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
- ASSERT(io->ipsec_out_ns != NULL);
- ipst = io->ipsec_out_ns->netstack_ip;
- ill_index = io->ipsec_out_ill_index;
- if (io->ipsec_out_reachable) {
- flags |= IPV6_REACHABILITY_CONFIRMATION;
- }
- hwaccel = io->ipsec_out_accelerated;
- zoneid = io->ipsec_out_zoneid;
- ASSERT(zoneid != ALL_ZONES);
- ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
- match_flags = MATCH_IRE_ILL | MATCH_IRE_SECATTR;
- /* Multicast addresses should have non-zero ill_index. */
- v6dstp = &ip6h->ip6_dst;
- ASSERT(ip6h->ip6_nxt != IPPROTO_RAW);
- ASSERT(!IN6_IS_ADDR_MULTICAST(v6dstp) || ill_index != 0);
-
- if (ill == NULL && ill_index != 0) {
- ill = ip_grab_ill(ipsec_mp, ill_index, B_TRUE, ipst);
- /* Failure case frees things for us. */
- if (ill == NULL)
- return;
-
- ill_need_rele = B_TRUE;
- }
- ASSERT(mp != NULL);
-
- if (IN6_IS_ADDR_MULTICAST(v6dstp)) {
- boolean_t unspec_src;
- ipif_t *ipif;
-
- /*
- * Use the ill_index to get the right ill.
- */
- unspec_src = io->ipsec_out_unspec_src;
- (void) ipif_lookup_zoneid(ill, zoneid, 0, &ipif);
- if (ipif == NULL) {
- if (ill_need_rele)
- ill_refrele(ill);
- freemsg(ipsec_mp);
- return;
- }
-
- if (ire_arg != NULL) {
- ire = ire_arg;
- } else {
- ire = ire_ctable_lookup_v6(v6dstp, 0, 0, ipif,
- zoneid, msg_getlabel(mp), match_flags, ipst);
- ire_need_rele = B_TRUE;
- }
- if (ire != NULL) {
- ipif_refrele(ipif);
- /*
- * XXX Do the multicast forwarding now, as the IPsec
- * processing has been done.
- */
- goto send;
- }
-
- ip0dbg(("ip_wput_ipsec_out_v6: multicast: IRE disappeared\n"));
- mp->b_prev = NULL;
- mp->b_next = NULL;
-
- /*
- * If the IPsec packet was processed asynchronously,
- * drop it now.
- */
- if (q == NULL) {
- if (ill_need_rele)
- ill_refrele(ill);
- freemsg(ipsec_mp);
- ipif_refrele(ipif);
- return;
- }
-
- ip_newroute_ipif_v6(q, ipsec_mp, ipif, v6dstp, &ip6h->ip6_src,
- unspec_src, zoneid);
- ipif_refrele(ipif);
- } else {
- if (ire_arg != NULL) {
- ire = ire_arg;
- } else {
- ire = ire_cache_lookup_v6(v6dstp, zoneid, NULL, ipst);
- ire_need_rele = B_TRUE;
- }
- if (ire != NULL)
- goto send;
- /*
- * ire disappeared underneath.
- *
- * What we need to do here is the ip_newroute
- * logic to get the ire without doing the IPsec
- * processing. Follow the same old path. But this
- * time, ip_wput or ire_add_then_send will call us
- * directly as all the IPsec operations are done.
- */
- ip1dbg(("ip_wput_ipsec_out_v6: IRE disappeared\n"));
- mp->b_prev = NULL;
- mp->b_next = NULL;
-
- /*
- * If the IPsec packet was processed asynchronously,
- * drop it now.
- */
- if (q == NULL) {
- if (ill_need_rele)
- ill_refrele(ill);
- freemsg(ipsec_mp);
- return;
- }
-
- ip_newroute_v6(q, ipsec_mp, v6dstp, &ip6h->ip6_src, ill,
- zoneid, ipst);
- }
- if (ill != NULL && ill_need_rele)
- ill_refrele(ill);
- return;
-send:
- if (ill != NULL && ill_need_rele)
- ill_refrele(ill);
-
- /* Local delivery */
- if (ire->ire_stq == NULL) {
- ill_t *out_ill;
- ASSERT(q != NULL);
-
- /* PFHooks: LOOPBACK_OUT */
- out_ill = ire_to_ill(ire);
-
+ DB_CKSUMSTART(mp1) = DB_CKSUMSTART(mp);
+ DB_CKSUMSTUFF(mp1) = DB_CKSUMSTUFF(mp);
+ DB_CKSUMEND(mp1) = DB_CKSUMEND(mp);
+ DB_CKSUMFLAGS(mp1) = DB_CKSUMFLAGS(mp);
+ DB_LSOMSS(mp1) = DB_LSOMSS(mp);
+ DTRACE_PROBE1(ip__xmit__copyb, (mblk_t *), mp1);
/*
- * DTrace this as ip:::send. A blocked packet will fire the
- * send probe, but not the receive probe.
+ * XXX disable ICK_VALID and compute checksum
+ * here; can happen if nce_fp_mp changes and
+ * it can't be copied now due to insufficient
+ * space. (unlikely, fp mp can change, but it
+ * does not increase in length)
*/
- DTRACE_IP7(send, mblk_t *, ipsec_mp, conn_t *, NULL,
- void_ip_t *, ip6h, __dtrace_ipsr_ill_t *, out_ill,
- ipha_t *, NULL, ip6_t *, ip6h, int, 1);
-
- DTRACE_PROBE4(ip6__loopback__out__start,
- ill_t *, NULL, ill_t *, out_ill,
- ip6_t *, ip6h1, mblk_t *, ipsec_mp);
-
- FW_HOOKS6(ipst->ips_ip6_loopback_out_event,
- ipst->ips_ipv6firewall_loopback_out,
- NULL, out_ill, ip6h1, ipsec_mp, mp, 0, ipst);
-
- DTRACE_PROBE1(ip6__loopback__out__end, mblk_t *, ipsec_mp);
-
- if (ipsec_mp != NULL) {
- ip_wput_local_v6(RD(q), out_ill,
- ip6h, ipsec_mp, ire, 0, zoneid);
- }
- if (ire_need_rele)
- ire_refrele(ire);
- return;
- }
- /*
- * Everything is done. Send it out on the wire.
- * We force the insertion of a fragment header using the
- * IPH_FRAG_HDR flag in two cases:
- * - after reception of an ICMPv6 "packet too big" message
- * with a MTU < 1280 (cf. RFC 2460 section 5)
- * - for multirouted IPv6 packets, so that the receiver can
- * discard duplicates according to their fragment identifier
- */
- /* XXX fix flow control problems. */
- if (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN > ire->ire_max_frag ||
- (ire->ire_frag_flag & IPH_FRAG_HDR)) {
- if (hwaccel) {
- /*
- * hardware acceleration does not handle these
- * "slow path" cases.
- */
- /* IPsec KSTATS: should bump bean counter here. */
- if (ire_need_rele)
- ire_refrele(ire);
- freemsg(ipsec_mp);
- return;
- }
- if (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN !=
- (mp->b_cont ? msgdsize(mp) :
- mp->b_wptr - (uchar_t *)ip6h)) {
- /* IPsec KSTATS: should bump bean counter here. */
- ip0dbg(("Packet length mismatch: %d, %ld\n",
- ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN,
- msgdsize(mp)));
- if (ire_need_rele)
- ire_refrele(ire);
- freemsg(ipsec_mp);
- return;
- }
- ASSERT(mp->b_prev == NULL);
- ip2dbg(("Fragmenting Size = %d, mtu = %d\n",
- ntohs(ip6h->ip6_plen) +
- IPV6_HDR_LEN, ire->ire_max_frag));
- ip_wput_frag_v6(mp, ire, flags, NULL, B_FALSE,
- ire->ire_max_frag);
- } else {
- UPDATE_OB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- ip_xmit_v6(mp, ire, flags, NULL, B_FALSE, hwaccel ? io : NULL);
+ return (mp1);
}
- if (ire_need_rele)
- ire_refrele(ire);
- freeb(ipsec_mp);
-}
+ mp1 = copyb(nce->nce_dlur_mp);
-void
-ipsec_hw_putnext(queue_t *q, mblk_t *mp)
-{
- mblk_t *hada_mp; /* attributes M_CTL mblk */
- da_ipsec_t *hada; /* data attributes */
- ill_t *ill = (ill_t *)q->q_ptr;
-
- IPSECHW_DEBUG(IPSECHW_PKT, ("ipsec_hw_putnext: accelerated packet\n"));
+ if (mp1 == NULL) {
+ ill_t *ill = nce->nce_ill;
- if ((ill->ill_capabilities & (ILL_CAPAB_AH | ILL_CAPAB_ESP)) == 0) {
- /* IPsec KSTATS: Bump lose counter here! */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", mp, ill);
freemsg(mp);
- return;
+ return (NULL);
}
-
- /*
- * It's an IPsec packet that must be
- * accelerated by the Provider, and the
- * outbound ill is IPsec acceleration capable.
- * Prepends the mblk with an IPHADA_M_CTL, and ship it
- * to the ill.
- * IPsec KSTATS: should bump packet counter here.
- */
-
- hada_mp = allocb(sizeof (da_ipsec_t), BPRI_HI);
- if (hada_mp == NULL) {
- /* IPsec KSTATS: should bump packet counter here. */
- freemsg(mp);
- return;
+ mp1->b_cont = mp;
+ if (priority != 0) {
+ mp1->b_band = priority;
+ ((dl_unitdata_req_t *)(mp1->b_rptr))->dl_priority.dl_max =
+ priority;
}
-
- hada_mp->b_datap->db_type = M_CTL;
- hada_mp->b_wptr = hada_mp->b_rptr + sizeof (*hada);
- hada_mp->b_cont = mp;
-
- hada = (da_ipsec_t *)hada_mp->b_rptr;
- bzero(hada, sizeof (da_ipsec_t));
- hada->da_type = IPHADA_M_CTL;
-
- putnext(q, hada_mp);
+ return (mp1);
+#undef rptr
}
/*
* Finish the outbound IPsec processing. This function is called from
* ipsec_out_process() if the IPsec packet was processed
- * synchronously, or from {ah,esp}_kcf_callback() if it was processed
+ * synchronously, or from {ah,esp}_kcf_callback_outbound() if it was processed
* asynchronously.
+ *
+ * This is common to IPv4 and IPv6.
*/
-void
-ip_wput_ipsec_out(queue_t *q, mblk_t *ipsec_mp, ipha_t *ipha, ill_t *ill,
- ire_t *ire_arg)
+int
+ip_output_post_ipsec(mblk_t *mp, ip_xmit_attr_t *ixa)
{
- uint32_t v_hlen_tos_len;
- ipaddr_t dst;
- ipif_t *ipif = NULL;
- ire_t *ire;
- ire_t *ire1 = NULL;
- mblk_t *next_mp = NULL;
- uint32_t max_frag;
- boolean_t multirt_send = B_FALSE;
- mblk_t *mp;
- ipha_t *ipha1;
- uint_t ill_index;
- ipsec_out_t *io;
- int match_flags;
- irb_t *irb = NULL;
- boolean_t ill_need_rele = B_FALSE, ire_need_rele = B_TRUE;
- zoneid_t zoneid;
- ipxmit_state_t pktxmit_state;
- ip_stack_t *ipst;
-
-#ifdef _BIG_ENDIAN
-#define LENGTH (v_hlen_tos_len & 0xFFFF)
-#else
-#define LENGTH ((v_hlen_tos_len >> 24) | ((v_hlen_tos_len >> 8) & 0xFF00))
-#endif
+ iaflags_t ixaflags = ixa->ixa_flags;
+ uint_t pktlen;
- mp = ipsec_mp->b_cont;
- ipha1 = (ipha_t *)mp->b_rptr;
- ASSERT(mp != NULL);
- v_hlen_tos_len = ((uint32_t *)ipha)[0];
- dst = ipha->ipha_dst;
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
- ill_index = io->ipsec_out_ill_index;
- zoneid = io->ipsec_out_zoneid;
- ASSERT(zoneid != ALL_ZONES);
- ipst = io->ipsec_out_ns->netstack_ip;
- ASSERT(io->ipsec_out_ns != NULL);
-
- match_flags = MATCH_IRE_ILL | MATCH_IRE_SECATTR;
- if (ill == NULL && ill_index != 0) {
- ill = ip_grab_ill(ipsec_mp, ill_index, B_FALSE, ipst);
- /* Failure case frees things for us. */
- if (ill == NULL)
- return;
+ /* AH/ESP don't update ixa_pktlen when they modify the packet */
+ if (ixaflags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
- ill_need_rele = B_TRUE;
- }
-
- if (CLASSD(dst)) {
- boolean_t conn_dontroute;
- /*
- * Use the ill_index to get the right ipif.
- */
- conn_dontroute = io->ipsec_out_dontroute;
- if (ill_index == 0)
- ipif = ipif_lookup_group(dst, zoneid, ipst);
- else
- (void) ipif_lookup_zoneid(ill, zoneid, 0, &ipif);
- if (ipif == NULL) {
- ip1dbg(("ip_wput_ipsec_out: No ipif for"
- " multicast\n"));
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutNoRoutes);
- freemsg(ipsec_mp);
- goto done;
- }
- /*
- * ipha_src has already been intialized with the
- * value of the ipif in ip_wput. All we need now is
- * an ire to send this downstream.
- */
- ire = ire_ctable_lookup(dst, 0, 0, ipif, zoneid,
- msg_getlabel(mp), match_flags, ipst);
- if (ire != NULL) {
- ill_t *ill1;
- /*
- * Do the multicast forwarding now, as the IPsec
- * processing has been done.
- */
- if (ipst->ips_ip_g_mrouter && !conn_dontroute &&
- (ill1 = ire_to_ill(ire))) {
- if (ip_mforward(ill1, ipha, mp)) {
- freemsg(ipsec_mp);
- ip1dbg(("ip_wput_ipsec_out: mforward "
- "failed\n"));
- ire_refrele(ire);
- goto done;
- }
- }
- goto send;
- }
-
- ip0dbg(("ip_wput_ipsec_out: multicast: IRE disappeared\n"));
- mp->b_prev = NULL;
- mp->b_next = NULL;
-
- /*
- * If the IPsec packet was processed asynchronously,
- * drop it now.
- */
- if (q == NULL) {
- freemsg(ipsec_mp);
- goto done;
- }
-
- /*
- * We may be using a wrong ipif to create the ire.
- * But it is okay as the source address is assigned
- * for the packet already. Next outbound packet would
- * create the IRE with the right IPIF in ip_wput.
- *
- * Also handle RTF_MULTIRT routes.
- */
- ip_newroute_ipif(q, ipsec_mp, ipif, dst, NULL, RTF_MULTIRT,
- zoneid, &zero_info);
+ ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
+ pktlen = ntohs(ipha->ipha_length);
} else {
- if (ire_arg != NULL) {
- ire = ire_arg;
- ire_need_rele = B_FALSE;
- } else {
- ire = ire_cache_lookup(dst, zoneid,
- msg_getlabel(mp), ipst);
- }
- if (ire != NULL) {
- goto send;
- }
-
- /*
- * ire disappeared underneath.
- *
- * What we need to do here is the ip_newroute
- * logic to get the ire without doing the IPsec
- * processing. Follow the same old path. But this
- * time, ip_wput or ire_add_then_put will call us
- * directly as all the IPsec operations are done.
- */
- ip1dbg(("ip_wput_ipsec_out: IRE disappeared\n"));
- mp->b_prev = NULL;
- mp->b_next = NULL;
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
- /*
- * If the IPsec packet was processed asynchronously,
- * drop it now.
- */
- if (q == NULL) {
- freemsg(ipsec_mp);
- goto done;
- }
-
- /*
- * Since we're going through ip_newroute() again, we
- * need to make sure we don't:
- *
- * 1.) Trigger the ASSERT() with the ipha_ident
- * overloading.
- * 2.) Redo transport-layer checksumming, since we've
- * already done all that to get this far.
- *
- * The easiest way not do either of the above is to set
- * the ipha_ident field to IP_HDR_INCLUDED.
- */
- ipha->ipha_ident = IP_HDR_INCLUDED;
- ip_newroute(q, ipsec_mp, dst, (CONN_Q(q) ? Q_TO_CONN(q) : NULL),
- zoneid, ipst);
- }
- goto done;
-send:
- if (ire->ire_stq == NULL) {
- ill_t *out_ill;
- /*
- * Loopbacks go through ip_wput_local except for one case.
- * We come here if we generate a icmp_frag_needed message
- * after IPsec processing is over. When this function calls
- * ip_wput_ire_fragmentit, ip_wput_frag might end up calling
- * icmp_frag_needed. The message generated comes back here
- * through icmp_frag_needed -> icmp_pkt -> ip_wput ->
- * ipsec_out_process -> ip_wput_ipsec_out. We need to set the
- * source address as it is usually set in ip_wput_ire. As
- * ipsec_out_proc_begin is set, ip_wput calls ipsec_out_process
- * and we end up here. We can't enter ip_wput_ire once the
- * IPsec processing is over and hence we need to do it here.
- */
- ASSERT(q != NULL);
- UPDATE_OB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- if (ipha->ipha_src == 0)
- ipha->ipha_src = ire->ire_src_addr;
-
- /* PFHooks: LOOPBACK_OUT */
- out_ill = ire_to_ill(ire);
-
- /*
- * DTrace this as ip:::send. A blocked packet will fire the
- * send probe, but not the receive probe.
- */
- DTRACE_IP7(send, mblk_t *, ipsec_mp, conn_t *, NULL,
- void_ip_t *, ipha, __dtrace_ipsr_ill_t *, out_ill,
- ipha_t *, ipha, ip6_t *, NULL, int, 1);
-
- DTRACE_PROBE4(ip4__loopback__out__start,
- ill_t *, NULL, ill_t *, out_ill,
- ipha_t *, ipha1, mblk_t *, ipsec_mp);
-
- FW_HOOKS(ipst->ips_ip4_loopback_out_event,
- ipst->ips_ipv4firewall_loopback_out,
- NULL, out_ill, ipha1, ipsec_mp, mp, 0, ipst);
-
- DTRACE_PROBE1(ip4__loopback__out__end, mblk_t *, ipsec_mp);
-
- if (ipsec_mp != NULL)
- ip_wput_local(RD(q), out_ill,
- ipha, ipsec_mp, ire, 0, zoneid);
- if (ire_need_rele)
- ire_refrele(ire);
- goto done;
+ ASSERT(IPH_HDR_VERSION(mp->b_rptr) == IPV6_VERSION);
+ pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
}
- if (ire->ire_max_frag < (unsigned int)LENGTH) {
- /*
- * We are through with IPsec processing.
- * Fragment this and send it on the wire.
- */
- if (io->ipsec_out_accelerated) {
- /*
- * The packet has been accelerated but must
- * be fragmented. This should not happen
- * since AH and ESP must not accelerate
- * packets that need fragmentation, however
- * the configuration could have changed
- * since the AH or ESP processing.
- * Drop packet.
- * IPsec KSTATS: bump bean counter here.
- */
- IPSECHW_DEBUG(IPSECHW_PKT, ("ipsec_wput_ipsec_out: "
- "fragmented accelerated packet!\n"));
- freemsg(ipsec_mp);
- } else {
- ip_wput_ire_fragmentit(ipsec_mp, ire,
- zoneid, ipst, NULL);
- }
- if (ire_need_rele)
- ire_refrele(ire);
- goto done;
- }
-
- ip2dbg(("ip_wput_ipsec_out: ipsec_mp %p, ire %p, ire_ipif %p, "
- "ipif %p\n", (void *)ipsec_mp, (void *)ire,
- (void *)ire->ire_ipif, (void *)ipif));
-
/*
- * Multiroute the secured packet.
+ * We release any hard reference on the SAs here to make
+ * sure the SAs can be garbage collected. ipsr_sa has a soft reference
+ * on the SAs.
+ * If in the future we want the hard latching of the SAs in the
+ * ip_xmit_attr_t then we should remove this.
*/
- if (ire->ire_flags & RTF_MULTIRT) {
- ire_t *first_ire;
- irb = ire->ire_bucket;
- ASSERT(irb != NULL);
- /*
- * This ire has been looked up as the one that
- * goes through the given ipif;
- * make sure we do not omit any other multiroute ire
- * that may be present in the bucket before this one.
- */
- IRB_REFHOLD(irb);
- for (first_ire = irb->irb_ire;
- first_ire != NULL;
- first_ire = first_ire->ire_next) {
- if ((first_ire->ire_flags & RTF_MULTIRT) &&
- (first_ire->ire_addr == ire->ire_addr) &&
- !(first_ire->ire_marks &
- (IRE_MARK_CONDEMNED | IRE_MARK_TESTHIDDEN)))
- break;
- }
-
- if ((first_ire != NULL) && (first_ire != ire)) {
- /*
- * Don't change the ire if the packet must
- * be fragmented if sent via this new one.
- */
- if (first_ire->ire_max_frag >= (unsigned int)LENGTH) {
- IRE_REFHOLD(first_ire);
- if (ire_need_rele)
- ire_refrele(ire);
- else
- ire_need_rele = B_TRUE;
- ire = first_ire;
- }
- }
- IRB_REFRELE(irb);
-
- multirt_send = B_TRUE;
- max_frag = ire->ire_max_frag;
+ if (ixa->ixa_ipsec_esp_sa != NULL) {
+ IPSA_REFRELE(ixa->ixa_ipsec_esp_sa);
+ ixa->ixa_ipsec_esp_sa = NULL;
+ }
+ if (ixa->ixa_ipsec_ah_sa != NULL) {
+ IPSA_REFRELE(ixa->ixa_ipsec_ah_sa);
+ ixa->ixa_ipsec_ah_sa = NULL;
}
- /*
- * In most cases, the emission loop below is entered only once.
- * Only in the case where the ire holds the RTF_MULTIRT
- * flag, we loop to process all RTF_MULTIRT ires in the
- * bucket, and send the packet through all crossed
- * RTF_MULTIRT routes.
- */
- do {
- if (multirt_send) {
+ /* Do we need to fragment? */
+ if ((ixa->ixa_flags & IXAF_IPV6_ADD_FRAGHDR) ||
+ pktlen > ixa->ixa_fragsize) {
+ if (ixaflags & IXAF_IS_IPV4) {
+ ASSERT(!(ixa->ixa_flags & IXAF_IPV6_ADD_FRAGHDR));
/*
- * ire1 holds here the next ire to process in the
- * bucket. If multirouting is expected,
- * any non-RTF_MULTIRT ire that has the
- * right destination address is ignored.
+ * We check for the DF case in ipsec_out_process
+ * hence this only handles the non-DF case.
*/
- ASSERT(irb != NULL);
- IRB_REFHOLD(irb);
- for (ire1 = ire->ire_next;
- ire1 != NULL;
- ire1 = ire1->ire_next) {
- if ((ire1->ire_flags & RTF_MULTIRT) == 0)
- continue;
- if (ire1->ire_addr != ire->ire_addr)
- continue;
- if (ire1->ire_marks &
- (IRE_MARK_CONDEMNED | IRE_MARK_TESTHIDDEN))
- continue;
- /* No loopback here */
- if (ire1->ire_stq == NULL)
- continue;
- /*
- * Ensure we do not exceed the MTU
- * of the next route.
- */
- if (ire1->ire_max_frag < (unsigned int)LENGTH) {
- ip_multirt_bad_mtu(ire1, max_frag);
- continue;
- }
-
- IRE_REFHOLD(ire1);
- break;
- }
- IRB_REFRELE(irb);
- if (ire1 != NULL) {
- /*
- * We are in a multiple send case, need to
- * make a copy of the packet.
- */
- next_mp = copymsg(ipsec_mp);
- if (next_mp == NULL) {
- ire_refrele(ire1);
- ire1 = NULL;
- }
+ return (ip_fragment_v4(mp, ixa->ixa_nce, ixa->ixa_flags,
+ pktlen, ixa->ixa_fragsize,
+ ixa->ixa_xmit_hint, ixa->ixa_zoneid,
+ ixa->ixa_no_loop_zoneid, ixa->ixa_postfragfn,
+ &ixa->ixa_cookie));
+ } else {
+ mp = ip_fraghdr_add_v6(mp, ixa->ixa_ident, ixa);
+ if (mp == NULL) {
+ /* MIB and ip_drop_output already done */
+ return (ENOMEM);
}
- }
- /*
- * Everything is done. Send it out on the wire
- *
- * ip_xmit_v4 will call ip_wput_attach_llhdr and then
- * either send it on the wire or, in the case of
- * HW acceleration, call ipsec_hw_putnext.
- */
- if (ire->ire_nce &&
- ire->ire_nce->nce_state != ND_REACHABLE) {
- DTRACE_PROBE2(ip__wput__ipsec__bail,
- (ire_t *), ire, (mblk_t *), ipsec_mp);
- /*
- * If ire's link-layer is unresolved (this
- * would only happen if the incomplete ire
- * was added to cachetable via forwarding path)
- * don't bother going to ip_xmit_v4. Just drop the
- * packet.
- * There is a slight risk here, in that, if we
- * have the forwarding path create an incomplete
- * IRE, then until the IRE is completed, any
- * transmitted IPsec packets will be dropped
- * instead of being queued waiting for resolution.
- *
- * But the likelihood of a forwarding packet and a wput
- * packet sending to the same dst at the same time
- * and there not yet be an ARP entry for it is small.
- * Furthermore, if this actually happens, it might
- * be likely that wput would generate multiple
- * packets (and forwarding would also have a train
- * of packets) for that destination. If this is
- * the case, some of them would have been dropped
- * anyway, since ARP only queues a few packets while
- * waiting for resolution
- *
- * NOTE: We should really call ip_xmit_v4,
- * and let it queue the packet and send the
- * ARP query and have ARP come back thus:
- * <ARP> ip_wput->ip_output->ip-wput_nondata->
- * ip_xmit_v4->ip_wput_attach_llhdr + ipsec
- * hw accel work. But it's too complex to get
- * the IPsec hw acceleration approach to fit
- * well with ip_xmit_v4 doing ARP without
- * doing IPsec simplification. For now, we just
- * poke ip_xmit_v4 to trigger the arp resolve, so
- * that we can continue with the send on the next
- * attempt.
- *
- * XXX THis should be revisited, when
- * the IPsec/IP interaction is cleaned up
- */
- ip1dbg(("ip_wput_ipsec_out: ire is incomplete"
- " - dropping packet\n"));
- freemsg(ipsec_mp);
- /*
- * Call ip_xmit_v4() to trigger ARP query
- * in case the nce_state is ND_INITIAL
- */
- (void) ip_xmit_v4(NULL, ire, NULL, B_FALSE, NULL);
- goto drop_pkt;
- }
-
- DTRACE_PROBE4(ip4__physical__out__start, ill_t *, NULL,
- ill_t *, ire->ire_ipif->ipif_ill, ipha_t *, ipha1,
- mblk_t *, ipsec_mp);
- FW_HOOKS(ipst->ips_ip4_physical_out_event,
- ipst->ips_ipv4firewall_physical_out, NULL,
- ire->ire_ipif->ipif_ill, ipha1, ipsec_mp, mp, 0, ipst);
- DTRACE_PROBE1(ip4__physical__out__end, mblk_t *, ipsec_mp);
- if (ipsec_mp == NULL)
- goto drop_pkt;
-
- ip1dbg(("ip_wput_ipsec_out: calling ip_xmit_v4\n"));
- pktxmit_state = ip_xmit_v4(mp, ire,
- (io->ipsec_out_accelerated ? io : NULL), B_FALSE, NULL);
-
- if ((pktxmit_state == SEND_FAILED) ||
- (pktxmit_state == LLHDR_RESLV_FAILED)) {
-
- freeb(ipsec_mp); /* ip_xmit_v4 frees the mp */
-drop_pkt:
- BUMP_MIB(((ill_t *)ire->ire_stq->q_ptr)->ill_ip_mib,
- ipIfStatsOutDiscards);
- if (ire_need_rele)
- ire_refrele(ire);
- if (ire1 != NULL) {
- ire_refrele(ire1);
- freemsg(next_mp);
+ pktlen += sizeof (ip6_frag_t);
+ if (pktlen > ixa->ixa_fragsize) {
+ return (ip_fragment_v6(mp, ixa->ixa_nce,
+ ixa->ixa_flags, pktlen,
+ ixa->ixa_fragsize, ixa->ixa_xmit_hint,
+ ixa->ixa_zoneid, ixa->ixa_no_loop_zoneid,
+ ixa->ixa_postfragfn, &ixa->ixa_cookie));
}
- goto done;
}
-
- freeb(ipsec_mp);
- if (ire_need_rele)
- ire_refrele(ire);
-
- if (ire1 != NULL) {
- ire = ire1;
- ire_need_rele = B_TRUE;
- ASSERT(next_mp);
- ipsec_mp = next_mp;
- mp = ipsec_mp->b_cont;
- ire1 = NULL;
- next_mp = NULL;
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
- } else {
- multirt_send = B_FALSE;
- }
- } while (multirt_send);
-done:
- if (ill != NULL && ill_need_rele)
- ill_refrele(ill);
- if (ipif != NULL)
- ipif_refrele(ipif);
+ }
+ return ((ixa->ixa_postfragfn)(mp, ixa->ixa_nce, ixa->ixa_flags,
+ pktlen, ixa->ixa_xmit_hint, ixa->ixa_zoneid,
+ ixa->ixa_no_loop_zoneid, NULL));
}
/*
- * Get the ill corresponding to the specified ire, and compare its
- * capabilities with the protocol and algorithms specified by the
- * the SA obtained from ipsec_out. If they match, annotate the
- * ipsec_out structure to indicate that the packet needs acceleration.
- *
- *
- * A packet is eligible for outbound hardware acceleration if the
- * following conditions are satisfied:
- *
- * 1. the packet will not be fragmented
- * 2. the provider supports the algorithm
- * 3. there is no pending control message being exchanged
- * 4. snoop is not attached
- * 5. the destination address is not a broadcast or multicast address.
- *
- * Rationale:
- * - Hardware drivers do not support fragmentation with
- * the current interface.
- * - snoop, multicast, and broadcast may result in exposure of
- * a cleartext datagram.
- * We check all five of these conditions here.
+ * Finish the inbound IPsec processing. This function is called from
+ * ipsec_out_process() if the IPsec packet was processed
+ * synchronously, or from {ah,esp}_kcf_callback_outbound() if it was processed
+ * asynchronously.
*
- * XXX would like to nuke "ire_t *" parameter here; problem is that
- * IRE is only way to figure out if a v4 address is a broadcast and
- * thus ineligible for acceleration...
+ * This is common to IPv4 and IPv6.
*/
-static void
-ipsec_out_is_accelerated(mblk_t *ipsec_mp, ipsa_t *sa, ill_t *ill, ire_t *ire)
+void
+ip_input_post_ipsec(mblk_t *mp, ip_recv_attr_t *ira)
{
- ipsec_out_t *io;
- mblk_t *data_mp;
- uint_t plen, overhead;
- ip_stack_t *ipst;
- phyint_t *phyint;
-
- if ((sa->ipsa_flags & IPSA_F_HW) == 0)
- return;
-
- if (ill == NULL)
- return;
- ipst = ill->ill_ipst;
- phyint = ill->ill_phyint;
-
- /*
- * Destination address is a broadcast or multicast. Punt.
- */
- if ((ire != NULL) && (ire->ire_type & (IRE_BROADCAST|IRE_LOOPBACK|
- IRE_LOCAL)))
- return;
-
- data_mp = ipsec_mp->b_cont;
+ iaflags_t iraflags = ira->ira_flags;
- if (ill->ill_isv6) {
- ip6_t *ip6h = (ip6_t *)data_mp->b_rptr;
+ /* Length might have changed */
+ if (iraflags & IRAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
- if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst))
- return;
+ ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
+ ira->ira_pktlen = ntohs(ipha->ipha_length);
+ ira->ira_ip_hdr_length = IPH_HDR_LENGTH(ipha);
+ ira->ira_protocol = ipha->ipha_protocol;
- plen = ip6h->ip6_plen;
+ ip_fanout_v4(mp, ipha, ira);
} else {
- ipha_t *ipha = (ipha_t *)data_mp->b_rptr;
-
- if (CLASSD(ipha->ipha_dst))
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+ uint8_t *nexthdrp;
+
+ ASSERT(IPH_HDR_VERSION(mp->b_rptr) == IPV6_VERSION);
+ ira->ira_pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
+ if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &ira->ira_ip_hdr_length,
+ &nexthdrp)) {
+ /* Malformed packet */
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ira->ira_ill);
+ freemsg(mp);
return;
-
- plen = ipha->ipha_length;
- }
- /*
- * Is there a pending DLPI control message being exchanged
- * between IP/IPsec and the DLS Provider? If there is, it
- * could be a SADB update, and the state of the DLS Provider
- * SADB might not be in sync with the SADB maintained by
- * IPsec. To avoid dropping packets or using the wrong keying
- * material, we do not accelerate this packet.
- */
- if (ill->ill_dlpi_pending != DL_PRIM_INVAL) {
- IPSECHW_DEBUG(IPSECHW_PKT, ("ipsec_out_check_is_accelerated: "
- "ill_dlpi_pending! don't accelerate packet\n"));
- return;
- }
-
- /*
- * Is the Provider in promiscous mode? If it does, we don't
- * accelerate the packet since it will bounce back up to the
- * listeners in the clear.
- */
- if (phyint->phyint_flags & PHYI_PROMISC) {
- IPSECHW_DEBUG(IPSECHW_PKT, ("ipsec_out_check_is_accelerated: "
- "ill in promiscous mode, don't accelerate packet\n"));
- return;
- }
-
- /*
- * Will the packet require fragmentation?
- */
-
- /*
- * IPsec ESP note: this is a pessimistic estimate, but the same
- * as is used elsewhere.
- * SPI + sequence + MAC + IV(blocksize) + padding(blocksize-1)
- * + 2-byte trailer
- */
- overhead = (sa->ipsa_type == SADB_SATYPE_AH) ? IPSEC_MAX_AH_HDR_SIZE :
- IPSEC_BASE_ESP_HDR_SIZE(sa);
-
- if ((plen + overhead) > ill->ill_max_mtu)
- return;
-
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
-
- /*
- * Can the ill accelerate this IPsec protocol and algorithm
- * specified by the SA?
- */
- if (!ipsec_capab_match(ill, io->ipsec_out_capab_ill_index,
- ill->ill_isv6, sa, ipst->ips_netstack)) {
- return;
+ }
+ ira->ira_protocol = *nexthdrp;
+ ip_fanout_v6(mp, ip6h, ira);
}
-
- /*
- * Tell AH or ESP that the outbound ill is capable of
- * accelerating this packet.
- */
- io->ipsec_out_is_capab_ill = B_TRUE;
}
/*
* Select which AH & ESP SA's to use (if any) for the outbound packet.
*
* If this function returns B_TRUE, the requested SA's have been filled
- * into the ipsec_out_*_sa pointers.
+ * into the ixa_ipsec_*_sa pointers.
*
* If the function returns B_FALSE, the packet has been "consumed", most
* likely by an ACQUIRE sent up via PF_KEY to a key management daemon.
*
* The SA references created by the protocol-specific "select"
- * function will be released when the ipsec_mp is freed, thanks to the
- * ipsec_out_free destructor -- see spd.c.
+ * function will be released in ip_output_post_ipsec.
*/
static boolean_t
-ipsec_out_select_sa(mblk_t *ipsec_mp)
+ipsec_out_select_sa(mblk_t *mp, ip_xmit_attr_t *ixa)
{
boolean_t need_ah_acquire = B_FALSE, need_esp_acquire = B_FALSE;
- ipsec_out_t *io;
ipsec_policy_t *pp;
ipsec_action_t *ap;
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
- if (!io->ipsec_out_secure) {
- /*
- * We came here by mistake.
- * Don't bother with ipsec processing
- * We should "discourage" this path in the future.
- */
- ASSERT(io->ipsec_out_proc_begin == B_FALSE);
- return (B_FALSE);
- }
- ASSERT(io->ipsec_out_need_policy == B_FALSE);
- ASSERT((io->ipsec_out_policy != NULL) ||
- (io->ipsec_out_act != NULL));
+ ASSERT(ixa->ixa_flags & IXAF_IPSEC_SECURE);
+ ASSERT((ixa->ixa_ipsec_policy != NULL) ||
+ (ixa->ixa_ipsec_action != NULL));
- ASSERT(io->ipsec_out_failed == B_FALSE);
-
- /*
- * IPsec processing has started.
- */
- io->ipsec_out_proc_begin = B_TRUE;
- ap = io->ipsec_out_act;
+ ap = ixa->ixa_ipsec_action;
if (ap == NULL) {
- pp = io->ipsec_out_policy;
+ pp = ixa->ixa_ipsec_policy;
ASSERT(pp != NULL);
ap = pp->ipsp_act;
ASSERT(ap != NULL);
@@ -26438,22 +12355,23 @@ ipsec_out_select_sa(mblk_t *ipsec_mp)
/*
* We have an action. now, let's select SA's.
- * (In the future, we can cache this in the conn_t..)
+ * A side effect of setting ixa_ipsec_*_sa is that it will
+ * be cached in the conn_t.
*/
if (ap->ipa_want_esp) {
- if (io->ipsec_out_esp_sa == NULL) {
- need_esp_acquire = !ipsec_outbound_sa(ipsec_mp,
+ if (ixa->ixa_ipsec_esp_sa == NULL) {
+ need_esp_acquire = !ipsec_outbound_sa(mp, ixa,
IPPROTO_ESP);
}
- ASSERT(need_esp_acquire || io->ipsec_out_esp_sa != NULL);
+ ASSERT(need_esp_acquire || ixa->ixa_ipsec_esp_sa != NULL);
}
if (ap->ipa_want_ah) {
- if (io->ipsec_out_ah_sa == NULL) {
- need_ah_acquire = !ipsec_outbound_sa(ipsec_mp,
+ if (ixa->ixa_ipsec_ah_sa == NULL) {
+ need_ah_acquire = !ipsec_outbound_sa(mp, ixa,
IPPROTO_AH);
}
- ASSERT(need_ah_acquire || io->ipsec_out_ah_sa != NULL);
+ ASSERT(need_ah_acquire || ixa->ixa_ipsec_ah_sa != NULL);
/*
* The ESP and AH processing order needs to be preserved
* when both protocols are required (ESP should be applied
@@ -26471,16 +12389,16 @@ ipsec_out_select_sa(mblk_t *ipsec_mp)
* acquire _all_ of the SAs we need.
*/
if (need_ah_acquire || need_esp_acquire) {
- if (io->ipsec_out_ah_sa != NULL) {
- IPSA_REFRELE(io->ipsec_out_ah_sa);
- io->ipsec_out_ah_sa = NULL;
+ if (ixa->ixa_ipsec_ah_sa != NULL) {
+ IPSA_REFRELE(ixa->ixa_ipsec_ah_sa);
+ ixa->ixa_ipsec_ah_sa = NULL;
}
- if (io->ipsec_out_esp_sa != NULL) {
- IPSA_REFRELE(io->ipsec_out_esp_sa);
- io->ipsec_out_esp_sa = NULL;
+ if (ixa->ixa_ipsec_esp_sa != NULL) {
+ IPSA_REFRELE(ixa->ixa_ipsec_esp_sa);
+ ixa->ixa_ipsec_esp_sa = NULL;
}
- sadb_acquire(ipsec_mp, io, need_ah_acquire, need_esp_acquire);
+ sadb_acquire(mp, ixa, need_ah_acquire, need_esp_acquire);
return (B_FALSE);
}
@@ -26488,110 +12406,64 @@ ipsec_out_select_sa(mblk_t *ipsec_mp)
}
/*
- * Process an IPSEC_OUT message and see what you can
- * do with it.
- * IPQoS Notes:
- * We do IPPF processing if IPP_LOCAL_OUT is enabled before processing for
- * IPsec.
- * XXX would like to nuke ire_t.
- * XXX ill_index better be "real"
+ * Handle IPsec output processing.
+ * This function is only entered once for a given packet.
+ * We try to do things synchronously, but if we need to have user-level
+ * set up SAs, or ESP or AH uses asynchronous kEF, then the operation
+ * will be completed
+ * - when the SAs are added in esp_add_sa_finish/ah_add_sa_finish
+ * - when asynchronous ESP is done it will do AH
+ *
+ * In all cases we come back in ip_output_post_ipsec() to fragment and
+ * send out the packet.
*/
-void
-ipsec_out_process(queue_t *q, mblk_t *ipsec_mp, ire_t *ire, uint_t ill_index)
+int
+ipsec_out_process(mblk_t *mp, ip_xmit_attr_t *ixa)
{
- ipsec_out_t *io;
- ipsec_policy_t *pp;
- ipsec_action_t *ap;
- ipha_t *ipha;
- ip6_t *ip6h;
- mblk_t *mp;
- ill_t *ill;
- zoneid_t zoneid;
- ipsec_status_t ipsec_rc;
- boolean_t ill_need_rele = B_FALSE;
- ip_stack_t *ipst;
+ ill_t *ill = ixa->ixa_nce->nce_ill;
+ ip_stack_t *ipst = ixa->ixa_ipst;
ipsec_stack_t *ipss;
+ ipsec_policy_t *pp;
+ ipsec_action_t *ap;
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
- ipst = io->ipsec_out_ns->netstack_ip;
- mp = ipsec_mp->b_cont;
-
- /*
- * Initiate IPPF processing. We do it here to account for packets
- * coming here that don't have any policy (i.e. !io->ipsec_out_secure).
- * We can check for ipsec_out_proc_begin even for such packets, as
- * they will always be false (asserted below).
- */
- if (IPP_ENABLED(IPP_LOCAL_OUT, ipst) && !io->ipsec_out_proc_begin) {
- ip_process(IPP_LOCAL_OUT, &mp, io->ipsec_out_ill_index != 0 ?
- io->ipsec_out_ill_index : ill_index);
- if (mp == NULL) {
- ip2dbg(("ipsec_out_process: packet dropped "\
- "during IPPF processing\n"));
- freeb(ipsec_mp);
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
- return;
- }
- }
+ ASSERT(ixa->ixa_flags & IXAF_IPSEC_SECURE);
- if (!io->ipsec_out_secure) {
- /*
- * We came here by mistake.
- * Don't bother with ipsec processing
- * Should "discourage" this path in the future.
- */
- ASSERT(io->ipsec_out_proc_begin == B_FALSE);
- goto done;
- }
- ASSERT(io->ipsec_out_need_policy == B_FALSE);
- ASSERT((io->ipsec_out_policy != NULL) ||
- (io->ipsec_out_act != NULL));
- ASSERT(io->ipsec_out_failed == B_FALSE);
+ ASSERT((ixa->ixa_ipsec_policy != NULL) ||
+ (ixa->ixa_ipsec_action != NULL));
ipss = ipst->ips_netstack->netstack_ipsec;
if (!ipsec_loaded(ipss)) {
- ipha = (ipha_t *)ipsec_mp->b_cont->b_rptr;
- if (IPH_HDR_VERSION(ipha) == IP_VERSION) {
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
- } else {
- BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutDiscards);
- }
- ip_drop_packet(ipsec_mp, B_FALSE, NULL, ire,
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_packet(mp, B_TRUE, ill,
DROPPER(ipss, ipds_ip_ipsec_not_loaded),
&ipss->ipsec_dropper);
- return;
+ return (ENOTSUP);
}
- /*
- * IPsec processing has started.
- */
- io->ipsec_out_proc_begin = B_TRUE;
- ap = io->ipsec_out_act;
+ ap = ixa->ixa_ipsec_action;
if (ap == NULL) {
- pp = io->ipsec_out_policy;
+ pp = ixa->ixa_ipsec_policy;
ASSERT(pp != NULL);
ap = pp->ipsp_act;
ASSERT(ap != NULL);
}
- /*
- * Save the outbound ill index. When the packet comes back
- * from IPsec, we make sure the ill hasn't changed or disappeared
- * before sending it the accelerated packet.
- */
- if ((ire != NULL) && (io->ipsec_out_capab_ill_index == 0)) {
- ill = ire_to_ill(ire);
- io->ipsec_out_capab_ill_index = ill->ill_phyint->phyint_ifindex;
+ /* Handle explicit drop action and bypass. */
+ switch (ap->ipa_act.ipa_type) {
+ case IPSEC_ACT_DISCARD:
+ case IPSEC_ACT_REJECT:
+ ip_drop_packet(mp, B_FALSE, ill,
+ DROPPER(ipss, ipds_spd_explicit), &ipss->ipsec_spd_dropper);
+ return (EHOSTUNREACH); /* IPsec policy failure */
+ case IPSEC_ACT_BYPASS:
+ return (ip_output_post_ipsec(mp, ixa));
}
/*
* The order of processing is first insert a IP header if needed.
* Then insert the ESP header and then the AH header.
*/
- if ((io->ipsec_out_se_done == B_FALSE) &&
- (ap->ipa_want_se)) {
+ if ((ixa->ixa_flags & IXAF_IS_IPV4) && ap->ipa_want_se) {
/*
* First get the outer IP header before sending
* it to ESP.
@@ -26600,19 +12472,16 @@ ipsec_out_process(queue_t *q, mblk_t *ipsec_mp, ire_t *ire, uint_t ill_index)
mblk_t *outer_mp, *inner_mp;
if ((outer_mp = allocb(sizeof (ipha_t), BPRI_HI)) == NULL) {
- (void) mi_strlog(q, 0, SL_ERROR|SL_TRACE|SL_CONSOLE,
+ (void) mi_strlog(ill->ill_rq, 0,
+ SL_ERROR|SL_TRACE|SL_CONSOLE,
"ipsec_out_process: "
"Self-Encapsulation failed: Out of memory\n");
- freemsg(ipsec_mp);
- if (ill != NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
- } else {
- BUMP_MIB(&ipst->ips_ip_mib,
- ipIfStatsOutDiscards);
- }
- return;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", mp, ill);
+ freemsg(mp);
+ return (ENOBUFS);
}
- inner_mp = ipsec_mp->b_cont;
+ inner_mp = mp;
ASSERT(inner_mp->b_datap->db_type == M_DATA);
oipha = (ipha_t *)outer_mp->b_rptr;
iipha = (ipha_t *)inner_mp->b_rptr;
@@ -26626,139 +12495,51 @@ ipsec_out_process(queue_t *q, mblk_t *ipsec_mp, ire_t *ire, uint_t ill_index)
oipha->ipha_hdr_checksum = 0;
oipha->ipha_hdr_checksum = ip_csum_hdr(oipha);
outer_mp->b_cont = inner_mp;
- ipsec_mp->b_cont = outer_mp;
+ mp = outer_mp;
- io->ipsec_out_se_done = B_TRUE;
- io->ipsec_out_tunnel = B_TRUE;
+ ixa->ixa_flags |= IXAF_IPSEC_TUNNEL;
}
- if (((ap->ipa_want_ah && (io->ipsec_out_ah_sa == NULL)) ||
- (ap->ipa_want_esp && (io->ipsec_out_esp_sa == NULL))) &&
- !ipsec_out_select_sa(ipsec_mp))
- return;
+ /* If we need to wait for a SA then we can't return any errno */
+ if (((ap->ipa_want_ah && (ixa->ixa_ipsec_ah_sa == NULL)) ||
+ (ap->ipa_want_esp && (ixa->ixa_ipsec_esp_sa == NULL))) &&
+ !ipsec_out_select_sa(mp, ixa))
+ return (0);
/*
* By now, we know what SA's to use. Toss over to ESP & AH
* to do the heavy lifting.
*/
- zoneid = io->ipsec_out_zoneid;
- ASSERT(zoneid != ALL_ZONES);
- if ((io->ipsec_out_esp_done == B_FALSE) && (ap->ipa_want_esp)) {
- ASSERT(io->ipsec_out_esp_sa != NULL);
- io->ipsec_out_esp_done = B_TRUE;
- /*
- * Note that since hw accel can only apply one transform,
- * not two, we skip hw accel for ESP if we also have AH
- * This is an design limitation of the interface
- * which should be revisited.
- */
- ASSERT(ire != NULL);
- if (io->ipsec_out_ah_sa == NULL) {
- ill = (ill_t *)ire->ire_stq->q_ptr;
- ipsec_out_is_accelerated(ipsec_mp,
- io->ipsec_out_esp_sa, ill, ire);
- }
+ if (ap->ipa_want_esp) {
+ ASSERT(ixa->ixa_ipsec_esp_sa != NULL);
- ipsec_rc = io->ipsec_out_esp_sa->ipsa_output_func(ipsec_mp);
- switch (ipsec_rc) {
- case IPSEC_STATUS_SUCCESS:
- break;
- case IPSEC_STATUS_FAILED:
- if (ill != NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
- } else {
- BUMP_MIB(&ipst->ips_ip_mib,
- ipIfStatsOutDiscards);
- }
- /* FALLTHRU */
- case IPSEC_STATUS_PENDING:
- return;
+ mp = ixa->ixa_ipsec_esp_sa->ipsa_output_func(mp, ixa);
+ if (mp == NULL) {
+ /*
+ * Either it failed or is pending. In the former case
+ * ipIfStatsInDiscards was increased.
+ */
+ return (0);
}
}
- if ((io->ipsec_out_ah_done == B_FALSE) && (ap->ipa_want_ah)) {
- ASSERT(io->ipsec_out_ah_sa != NULL);
- io->ipsec_out_ah_done = B_TRUE;
- if (ire == NULL) {
- int idx = io->ipsec_out_capab_ill_index;
- ill = ill_lookup_on_ifindex(idx, B_FALSE,
- NULL, NULL, NULL, NULL, ipst);
- ill_need_rele = B_TRUE;
- } else {
- ill = (ill_t *)ire->ire_stq->q_ptr;
- }
- ipsec_out_is_accelerated(ipsec_mp, io->ipsec_out_ah_sa, ill,
- ire);
+ if (ap->ipa_want_ah) {
+ ASSERT(ixa->ixa_ipsec_ah_sa != NULL);
- ipsec_rc = io->ipsec_out_ah_sa->ipsa_output_func(ipsec_mp);
- switch (ipsec_rc) {
- case IPSEC_STATUS_SUCCESS:
- break;
- case IPSEC_STATUS_FAILED:
- if (ill != NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
- } else {
- BUMP_MIB(&ipst->ips_ip_mib,
- ipIfStatsOutDiscards);
- }
- /* FALLTHRU */
- case IPSEC_STATUS_PENDING:
- if (ill != NULL && ill_need_rele)
- ill_refrele(ill);
- return;
+ mp = ixa->ixa_ipsec_ah_sa->ipsa_output_func(mp, ixa);
+ if (mp == NULL) {
+ /*
+ * Either it failed or is pending. In the former case
+ * ipIfStatsInDiscards was increased.
+ */
+ return (0);
}
}
/*
- * We are done with IPsec processing. Send it over the wire.
- */
-done:
- mp = ipsec_mp->b_cont;
- ipha = (ipha_t *)mp->b_rptr;
- if (IPH_HDR_VERSION(ipha) == IP_VERSION) {
- ip_wput_ipsec_out(q, ipsec_mp, ipha, ire->ire_ipif->ipif_ill,
- ire);
- } else {
- ip6h = (ip6_t *)ipha;
- ip_wput_ipsec_out_v6(q, ipsec_mp, ip6h, ire->ire_ipif->ipif_ill,
- ire);
- }
- if (ill != NULL && ill_need_rele)
- ill_refrele(ill);
-}
-
-/* ARGSUSED */
-void
-ip_restart_optmgmt(ipsq_t *dummy_sq, queue_t *q, mblk_t *first_mp, void *dummy)
-{
- opt_restart_t *or;
- int err;
- conn_t *connp;
- cred_t *cr;
-
- ASSERT(CONN_Q(q));
- connp = Q_TO_CONN(q);
-
- ASSERT(first_mp->b_datap->db_type == M_CTL);
- or = (opt_restart_t *)first_mp->b_rptr;
- /*
- * We checked for a db_credp the first time svr4_optcom_req
- * was called (from ip_wput_nondata). So we can just ASSERT here.
+ * We are done with IPsec processing. Send it over
+ * the wire.
*/
- cr = msg_getcred(first_mp, NULL);
- ASSERT(cr != NULL);
-
- if (or->or_type == T_SVR4_OPTMGMT_REQ) {
- err = svr4_optcom_req(q, first_mp, cr,
- &ip_opt_obj, B_FALSE);
- } else {
- ASSERT(or->or_type == T_OPTMGMT_REQ);
- err = tpi_optcom_req(q, first_mp, cr,
- &ip_opt_obj, B_FALSE);
- }
- if (err != EINPROGRESS) {
- /* operation is done */
- CONN_OPER_PENDING_DONE(connp);
- }
+ return (ip_output_post_ipsec(mp, ixa));
}
/*
@@ -26811,6 +12592,11 @@ ip_reprocess_ioctl(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
err = (*ipip->ipi_func_restart)(ipsq->ipsq_xop->ipx_current_ipif, sin,
q, mp, ipip, mp1->b_rptr);
+ DTRACE_PROBE4(ipif__ioctl, char *, "ip_reprocess_ioctl finish",
+ int, ipip->ipi_cmd,
+ ill_t *, ipsq->ipsq_xop->ipx_current_ipif->ipif_ill,
+ ipif_t *, ipsq->ipsq_xop->ipx_current_ipif);
+
ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), ipsq);
}
@@ -26865,12 +12651,16 @@ ip_process_ioctl(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *arg)
*/
if (ipip->ipi_cmd == SIOCLIFADDIF) {
err = ip_sioctl_addif(NULL, NULL, q, mp, NULL, NULL);
+ DTRACE_PROBE4(ipif__ioctl, char *, "ip_process_ioctl finish",
+ int, ipip->ipi_cmd, ill_t *, NULL, ipif_t *, NULL);
ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), NULL);
return;
}
ci.ci_ipif = NULL;
- if (ipip->ipi_cmd_type == MISC_CMD) {
+ switch (ipip->ipi_cmd_type) {
+ case MISC_CMD:
+ case MSFILT_CMD:
/*
* All MISC_CMD ioctls come in here -- e.g. SIOCGLIFCONF.
*/
@@ -26883,28 +12673,29 @@ ip_process_ioctl(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *arg)
ci.ci_sin = NULL;
ci.ci_sin6 = NULL;
ci.ci_lifr = NULL;
- } else {
- switch (ipip->ipi_cmd_type) {
- case IF_CMD:
- case LIF_CMD:
- extract_funcp = ip_extract_lifreq;
- break;
+ extract_funcp = NULL;
+ break;
- case ARP_CMD:
- case XARP_CMD:
- extract_funcp = ip_extract_arpreq;
- break;
+ case IF_CMD:
+ case LIF_CMD:
+ extract_funcp = ip_extract_lifreq;
+ break;
- case MSFILT_CMD:
- extract_funcp = ip_extract_msfilter;
- break;
+ case ARP_CMD:
+ case XARP_CMD:
+ extract_funcp = ip_extract_arpreq;
+ break;
- default:
- ASSERT(0);
- }
+ default:
+ ASSERT(0);
+ }
- err = (*extract_funcp)(q, mp, ipip, &ci, ip_process_ioctl);
+ if (extract_funcp != NULL) {
+ err = (*extract_funcp)(q, mp, ipip, &ci);
if (err != 0) {
+ DTRACE_PROBE4(ipif__ioctl,
+ char *, "ip_process_ioctl finish err",
+ int, ipip->ipi_cmd, ill_t *, NULL, ipif_t *, NULL);
ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), NULL);
return;
}
@@ -26923,8 +12714,17 @@ ip_process_ioctl(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *arg)
*/
err = (*ipip->ipi_func)(ci.ci_ipif, ci.ci_sin, q, mp, ipip,
ci.ci_lifr);
- if (ci.ci_ipif != NULL)
+ if (ci.ci_ipif != NULL) {
+ DTRACE_PROBE4(ipif__ioctl,
+ char *, "ip_process_ioctl finish RD",
+ int, ipip->ipi_cmd, ill_t *, ci.ci_ipif->ipif_ill,
+ ipif_t *, ci.ci_ipif);
ipif_refrele(ci.ci_ipif);
+ } else {
+ DTRACE_PROBE4(ipif__ioctl,
+ char *, "ip_process_ioctl finish RD",
+ int, ipip->ipi_cmd, ill_t *, NULL, ipif_t *, NULL);
+ }
ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), NULL);
return;
}
@@ -26932,7 +12732,7 @@ ip_process_ioctl(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *arg)
ASSERT(ci.ci_ipif != NULL);
/*
- * If ipsq is non-NULL, we are already being called exclusively.
+ * If ipsq is non-NULL, we are already being called exclusively
*/
ASSERT(ipsq == NULL || IAM_WRITER_IPSQ(ipsq));
if (ipsq == NULL) {
@@ -26944,7 +12744,6 @@ ip_process_ioctl(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *arg)
}
entered_ipsq = B_TRUE;
}
-
/*
* Release the ipif so that ipif_down and friends that wait for
* references to go away are not misled about the current ipif_refcnt
@@ -26962,6 +12761,10 @@ ip_process_ioctl(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *arg)
*/
err = (*ipip->ipi_func)(ci.ci_ipif, ci.ci_sin, q, mp, ipip, ci.ci_lifr);
+ DTRACE_PROBE4(ipif__ioctl, char *, "ip_process_ioctl finish WR",
+ int, ipip->ipi_cmd,
+ ill_t *, ci.ci_ipif == NULL ? NULL : ci.ci_ipif->ipif_ill,
+ ipif_t *, ci.ci_ipif);
ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), ipsq);
if (entered_ipsq)
@@ -27012,31 +12815,21 @@ ip_ioctl_finish(queue_t *q, mblk_t *mp, int err, int mode, ipsq_t *ipsq)
ipsq_current_finish(ipsq);
}
-/* Called from ip_wput for all non data messages */
-/* ARGSUSED */
+/* Handles all non data messages */
void
-ip_wput_nondata(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
+ip_wput_nondata(queue_t *q, mblk_t *mp)
{
mblk_t *mp1;
- ire_t *ire, *fake_ire;
- ill_t *ill;
struct iocblk *iocp;
ip_ioctl_cmd_t *ipip;
- cred_t *cr;
conn_t *connp;
- int err;
- nce_t *nce;
- ipif_t *ipif;
- ip_stack_t *ipst;
+ cred_t *cr;
char *proto_str;
- if (CONN_Q(q)) {
+ if (CONN_Q(q))
connp = Q_TO_CONN(q);
- ipst = connp->conn_netstack->netstack_ip;
- } else {
+ else
connp = NULL;
- ipst = ILLQ_TO_IPST(q);
- }
switch (DB_TYPE(mp)) {
case M_IOCTL:
@@ -27064,17 +12857,10 @@ ip_wput_nondata(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
}
if ((q->q_next != NULL) && !(ipip->ipi_flags & IPI_MODOK)) {
/*
- * the ioctl is one we recognise, but is not
- * consumed by IP as a module, pass M_IOCDATA
- * for processing downstream, but only for
- * common Streams ioctls.
+ * The ioctl is one we recognise, but is not consumed
+ * by IP as a module and we are a module, so we drop
*/
- if (ipip->ipi_flags & IPI_PASS_DOWN) {
- putnext(q, mp);
- return;
- } else {
- goto nak;
- }
+ goto nak;
}
/* IOCTL continuation following copyin or copyout. */
@@ -27110,8 +12896,8 @@ ip_wput_nondata(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
/*
* Refhold the conn, till the ioctl completes. This is
* needed in case the ioctl ends up in the pending mp
- * list. Every mp in the ill_pending_mp list and
- * the ipx_pending_mp must have a refhold on the conn
+ * list. Every mp in the ipx_pending_mp list
+ * must have a refhold on the conn
* to resume processing. The refhold is released when
* the ioctl completes. (normally or abnormally)
* In all cases ip_ioctl_finish is called to finish
@@ -27119,7 +12905,6 @@ ip_wput_nondata(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
*/
if (connp != NULL) {
/* This is not a reentry */
- ASSERT(ipsq == NULL);
CONN_INC_REF(connp);
} else {
if (!(ipip->ipi_flags & IPI_MODOK)) {
@@ -27128,18 +12913,12 @@ ip_wput_nondata(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
}
}
- ip_process_ioctl(ipsq, q, mp, ipip);
+ ip_process_ioctl(NULL, q, mp, ipip);
} else {
mi_copyout(q, mp);
}
return;
-nak:
- iocp->ioc_error = EINVAL;
- mp->b_datap->db_type = M_IOCNAK;
- iocp->ioc_count = 0;
- qreply(q, mp);
- return;
case M_IOCNAK:
/*
@@ -27147,35 +12926,13 @@ nak:
* an IOCTL we sent it. This shouldn't happen.
*/
(void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
- "ip_wput: unexpected M_IOCNAK, ioc_cmd 0x%x",
+ "ip_wput_nondata: unexpected M_IOCNAK, ioc_cmd 0x%x",
((struct iocblk *)mp->b_rptr)->ioc_cmd);
freemsg(mp);
return;
case M_IOCACK:
/* /dev/ip shouldn't see this */
- if (CONN_Q(q))
- goto nak;
-
- /*
- * Finish socket ioctls passed through to ARP. We use the
- * ioc_cmd values we set in ip_sioctl_arp() to decide whether
- * we need to become writer before calling ip_sioctl_iocack().
- * Note that qwriter_ip() will release the refhold, and that a
- * refhold is OK without ILL_CAN_LOOKUP() since we're on the
- * ill stream.
- */
- iocp = (struct iocblk *)mp->b_rptr;
- if (iocp->ioc_cmd == AR_ENTRY_SQUERY) {
- ip_sioctl_iocack(NULL, q, mp, NULL);
- return;
- }
-
- ASSERT(iocp->ioc_cmd == AR_ENTRY_DELETE ||
- iocp->ioc_cmd == AR_ENTRY_ADD);
- ill = q->q_ptr;
- ill_refhold(ill);
- qwriter_ip(ill, q, mp, ip_sioctl_iocack, CUR_OP, B_FALSE);
- return;
+ goto nak;
case M_FLUSH:
if (*mp->b_rptr & FLUSHW)
flushq(q, FLUSHALL);
@@ -27190,117 +12947,17 @@ nak:
}
freemsg(mp);
return;
- case IRE_DB_REQ_TYPE:
- if (connp == NULL) {
- proto_str = "IRE_DB_REQ_TYPE";
- goto protonak;
- }
- /* An Upper Level Protocol wants a copy of an IRE. */
- ip_ire_req(q, mp);
- return;
case M_CTL:
- if (mp->b_wptr - mp->b_rptr < sizeof (uint32_t))
- break;
-
- /* M_CTL messages are used by ARP to tell us things. */
- if ((mp->b_wptr - mp->b_rptr) < sizeof (arc_t))
- break;
- switch (((arc_t *)mp->b_rptr)->arc_cmd) {
- case AR_ENTRY_SQUERY:
- putnext(q, mp);
- return;
- case AR_CLIENT_NOTIFY:
- ip_arp_news(q, mp);
- return;
- case AR_DLPIOP_DONE:
- ASSERT(q->q_next != NULL);
- ill = (ill_t *)q->q_ptr;
- /* qwriter_ip releases the refhold */
- /* refhold on ill stream is ok without ILL_CAN_LOOKUP */
- ill_refhold(ill);
- qwriter_ip(ill, q, mp, ip_arp_done, CUR_OP, B_FALSE);
- return;
- case AR_ARP_CLOSING:
- /*
- * ARP (above us) is closing. If no ARP bringup is
- * currently pending, ack the message so that ARP
- * can complete its close. Also mark ill_arp_closing
- * so that new ARP bringups will fail. If any
- * ARP bringup is currently in progress, we will
- * ack this when the current ARP bringup completes.
- */
- ASSERT(q->q_next != NULL);
- ill = (ill_t *)q->q_ptr;
- mutex_enter(&ill->ill_lock);
- ill->ill_arp_closing = 1;
- if (!ill->ill_arp_bringup_pending) {
- mutex_exit(&ill->ill_lock);
- qreply(q, mp);
- } else {
- mutex_exit(&ill->ill_lock);
- freemsg(mp);
- }
- return;
- case AR_ARP_EXTEND:
- /*
- * The ARP module above us is capable of duplicate
- * address detection. Old ATM drivers will not send
- * this message.
- */
- ASSERT(q->q_next != NULL);
- ill = (ill_t *)q->q_ptr;
- ill->ill_arp_extend = B_TRUE;
- freemsg(mp);
- return;
- default:
- break;
- }
break;
case M_PROTO:
case M_PCPROTO:
/*
- * The only PROTO messages we expect are copies of option
- * negotiation acknowledgements, AH and ESP bind requests
- * are also expected.
+ * The only PROTO messages we expect are SNMP-related.
*/
switch (((union T_primitives *)mp->b_rptr)->type) {
- case O_T_BIND_REQ:
- case T_BIND_REQ: {
- /* Request can get queued in bind */
- if (connp == NULL) {
- proto_str = "O_T_BIND_REQ/T_BIND_REQ";
- goto protonak;
- }
- /*
- * The transports except SCTP call ip_bind_{v4,v6}()
- * directly instead of a a putnext. SCTP doesn't
- * generate any T_BIND_REQ since it has its own
- * fanout data structures. However, ESP and AH
- * come in for regular binds; all other cases are
- * bind retries.
- */
- ASSERT(!IPCL_IS_SCTP(connp));
-
- /* Don't increment refcnt if this is a re-entry */
- if (ipsq == NULL)
- CONN_INC_REF(connp);
-
- mp = connp->conn_af_isv6 ? ip_bind_v6(q, mp,
- connp, NULL) : ip_bind_v4(q, mp, connp);
- ASSERT(mp != NULL);
-
- ASSERT(!IPCL_IS_TCP(connp));
- ASSERT(!IPCL_IS_UDP(connp));
- ASSERT(!IPCL_IS_RAWIP(connp));
- ASSERT(!IPCL_IS_IPTUN(connp));
-
- /* The case of AH and ESP */
- qreply(q, mp);
- CONN_OPER_PENDING_DONE(connp);
- return;
- }
case T_SVR4_OPTMGMT_REQ:
- ip2dbg(("ip_wput: T_SVR4_OPTMGMT_REQ flags %x\n",
+ ip2dbg(("ip_wput_nondata: T_SVR4_OPTMGMT_REQ "
+ "flags %x\n",
((struct T_optmgmt_req *)mp->b_rptr)->MGMT_flags));
if (connp == NULL) {
@@ -27324,460 +12981,17 @@ nak:
return;
}
- if (!snmpcom_req(q, mp, ip_snmp_set,
- ip_snmp_get, cr)) {
- /*
- * Call svr4_optcom_req so that it can
- * generate the ack. We don't come here
- * if this operation is being restarted.
- * ip_restart_optmgmt will drop the conn ref.
- * In the case of ipsec option after the ipsec
- * load is complete conn_restart_ipsec_waiter
- * drops the conn ref.
- */
- ASSERT(ipsq == NULL);
- CONN_INC_REF(connp);
- if (ip_check_for_ipsec_opt(q, mp))
- return;
- err = svr4_optcom_req(q, mp, cr, &ip_opt_obj,
- B_FALSE);
- if (err != EINPROGRESS) {
- /* Operation is done */
- CONN_OPER_PENDING_DONE(connp);
- }
- }
- return;
- case T_OPTMGMT_REQ:
- ip2dbg(("ip_wput: T_OPTMGMT_REQ\n"));
- /*
- * Note: No snmpcom_req support through new
- * T_OPTMGMT_REQ.
- * Call tpi_optcom_req so that it can
- * generate the ack.
- */
- if (connp == NULL) {
- proto_str = "T_OPTMGMT_REQ";
- goto protonak;
- }
-
- /*
- * All Solaris components should pass a db_credp
- * for this TPI message, hence we ASSERT.
- * But in case there is some other M_PROTO that looks
- * like a TPI message sent by some other kernel
- * component, we check and return an error.
- */
- cr = msg_getcred(mp, NULL);
- ASSERT(cr != NULL);
- if (cr == NULL) {
- mp = mi_tpi_err_ack_alloc(mp, TSYSERR, EINVAL);
- if (mp != NULL)
- qreply(q, mp);
- return;
- }
- ASSERT(ipsq == NULL);
- /*
- * We don't come here for restart. ip_restart_optmgmt
- * will drop the conn ref. In the case of ipsec option
- * after the ipsec load is complete
- * conn_restart_ipsec_waiter drops the conn ref.
- */
- CONN_INC_REF(connp);
- if (ip_check_for_ipsec_opt(q, mp))
- return;
- err = tpi_optcom_req(q, mp, cr, &ip_opt_obj, B_FALSE);
- if (err != EINPROGRESS) {
- /* Operation is done */
- CONN_OPER_PENDING_DONE(connp);
- }
- return;
- case T_UNBIND_REQ:
- if (connp == NULL) {
- proto_str = "T_UNBIND_REQ";
+ if (!snmpcom_req(q, mp, ip_snmp_set, ip_snmp_get, cr)) {
+ proto_str = "Bad SNMPCOM request?";
goto protonak;
}
- ip_unbind(Q_TO_CONN(q));
- mp = mi_tpi_ok_ack_alloc(mp);
- qreply(q, mp);
return;
default:
- /*
- * Have to drop any DLPI messages coming down from
- * arp (such as an info_req which would cause ip
- * to receive an extra info_ack if it was passed
- * through.
- */
- ip1dbg(("ip_wput_nondata: dropping M_PROTO %d\n",
+ ip1dbg(("ip_wput_nondata: dropping M_PROTO prim %u\n",
(int)*(uint_t *)mp->b_rptr));
freemsg(mp);
return;
}
- /* NOTREACHED */
- case IRE_DB_TYPE: {
- nce_t *nce;
- ill_t *ill;
- in6_addr_t gw_addr_v6;
-
- /*
- * This is a response back from a resolver. It
- * consists of a message chain containing:
- * IRE_MBLK-->LL_HDR_MBLK->pkt
- * The IRE_MBLK is the one we allocated in ip_newroute.
- * The LL_HDR_MBLK is the DLPI header to use to get
- * the attached packet, and subsequent ones for the
- * same destination, transmitted.
- */
- if ((mp->b_wptr - mp->b_rptr) != sizeof (ire_t)) /* ire */
- break;
- /*
- * First, check to make sure the resolution succeeded.
- * If it failed, the second mblk will be empty.
- * If it is, free the chain, dropping the packet.
- * (We must ire_delete the ire; that frees the ire mblk)
- * We're doing this now to support PVCs for ATM; it's
- * a partial xresolv implementation. When we fully implement
- * xresolv interfaces, instead of freeing everything here
- * we'll initiate neighbor discovery.
- *
- * For v4 (ARP and other external resolvers) the resolver
- * frees the message, so no check is needed. This check
- * is required, though, for a full xresolve implementation.
- * Including this code here now both shows how external
- * resolvers can NACK a resolution request using an
- * existing design that has no specific provisions for NACKs,
- * and also takes into account that the current non-ARP
- * external resolver has been coded to use this method of
- * NACKing for all IPv6 (xresolv) cases,
- * whether our xresolv implementation is complete or not.
- *
- */
- ire = (ire_t *)mp->b_rptr;
- ill = ire_to_ill(ire);
- mp1 = mp->b_cont; /* dl_unitdata_req */
- if (mp1->b_rptr == mp1->b_wptr) {
- if (ire->ire_ipversion == IPV6_VERSION) {
- /*
- * XRESOLV interface.
- */
- ASSERT(ill->ill_flags & ILLF_XRESOLV);
- mutex_enter(&ire->ire_lock);
- gw_addr_v6 = ire->ire_gateway_addr_v6;
- mutex_exit(&ire->ire_lock);
- if (IN6_IS_ADDR_UNSPECIFIED(&gw_addr_v6)) {
- nce = ndp_lookup_v6(ill, B_FALSE,
- &ire->ire_addr_v6, B_FALSE);
- } else {
- nce = ndp_lookup_v6(ill, B_FALSE,
- &gw_addr_v6, B_FALSE);
- }
- if (nce != NULL) {
- nce_resolv_failed(nce);
- ndp_delete(nce);
- NCE_REFRELE(nce);
- }
- }
- mp->b_cont = NULL;
- freemsg(mp1); /* frees the pkt as well */
- ASSERT(ire->ire_nce == NULL);
- ire_delete((ire_t *)mp->b_rptr);
- return;
- }
-
- /*
- * Split them into IRE_MBLK and pkt and feed it into
- * ire_add_then_send. Then in ire_add_then_send
- * the IRE will be added, and then the packet will be
- * run back through ip_wput. This time it will make
- * it to the wire.
- */
- mp->b_cont = NULL;
- mp = mp1->b_cont; /* now, mp points to pkt */
- mp1->b_cont = NULL;
- ip1dbg(("ip_wput_nondata: reply from external resolver \n"));
- if (ire->ire_ipversion == IPV6_VERSION) {
- /*
- * XRESOLV interface. Find the nce and put a copy
- * of the dl_unitdata_req in nce_res_mp
- */
- ASSERT(ill->ill_flags & ILLF_XRESOLV);
- mutex_enter(&ire->ire_lock);
- gw_addr_v6 = ire->ire_gateway_addr_v6;
- mutex_exit(&ire->ire_lock);
- if (IN6_IS_ADDR_UNSPECIFIED(&gw_addr_v6)) {
- nce = ndp_lookup_v6(ill, B_FALSE,
- &ire->ire_addr_v6, B_FALSE);
- } else {
- nce = ndp_lookup_v6(ill, B_FALSE,
- &gw_addr_v6, B_FALSE);
- }
- if (nce != NULL) {
- /*
- * We have to protect nce_res_mp here
- * from being accessed by other threads
- * while we change the mblk pointer.
- * Other functions will also lock the nce when
- * accessing nce_res_mp.
- *
- * The reason we change the mblk pointer
- * here rather than copying the resolved address
- * into the template is that, unlike with
- * ethernet, we have no guarantee that the
- * resolved address length will be
- * smaller than or equal to the lla length
- * with which the template was allocated,
- * (for ethernet, they're equal)
- * so we have to use the actual resolved
- * address mblk - which holds the real
- * dl_unitdata_req with the resolved address.
- *
- * Doing this is the same behavior as was
- * previously used in the v4 ARP case.
- */
- mutex_enter(&nce->nce_lock);
- if (nce->nce_res_mp != NULL)
- freemsg(nce->nce_res_mp);
- nce->nce_res_mp = mp1;
- mutex_exit(&nce->nce_lock);
- /*
- * We do a fastpath probe here because
- * we have resolved the address without
- * using Neighbor Discovery.
- * In the non-XRESOLV v6 case, the fastpath
- * probe is done right after neighbor
- * discovery completes.
- */
- if (nce->nce_res_mp != NULL) {
- int res;
- nce_fastpath_list_add(nce);
- res = ill_fastpath_probe(ill,
- nce->nce_res_mp);
- if (res != 0 && res != EAGAIN)
- nce_fastpath_list_delete(nce);
- }
-
- ire_add_then_send(q, ire, mp);
- /*
- * Now we have to clean out any packets
- * that may have been queued on the nce
- * while it was waiting for address resolution
- * to complete.
- */
- mutex_enter(&nce->nce_lock);
- mp1 = nce->nce_qd_mp;
- nce->nce_qd_mp = NULL;
- mutex_exit(&nce->nce_lock);
- while (mp1 != NULL) {
- mblk_t *nxt_mp;
- queue_t *fwdq = NULL;
- ill_t *inbound_ill;
- uint_t ifindex;
-
- nxt_mp = mp1->b_next;
- mp1->b_next = NULL;
- /*
- * Retrieve ifindex stored in
- * ip_rput_data_v6()
- */
- ifindex =
- (uint_t)(uintptr_t)mp1->b_prev;
- inbound_ill =
- ill_lookup_on_ifindex(ifindex,
- B_TRUE, NULL, NULL, NULL,
- NULL, ipst);
- mp1->b_prev = NULL;
- if (inbound_ill != NULL)
- fwdq = inbound_ill->ill_rq;
-
- if (fwdq != NULL) {
- put(fwdq, mp1);
- ill_refrele(inbound_ill);
- } else
- put(WR(ill->ill_rq), mp1);
- mp1 = nxt_mp;
- }
- NCE_REFRELE(nce);
- } else { /* nce is NULL; clean up */
- ire_delete(ire);
- freemsg(mp);
- freemsg(mp1);
- return;
- }
- } else {
- nce_t *arpce;
- /*
- * Link layer resolution succeeded. Recompute the
- * ire_nce.
- */
- ASSERT(ire->ire_type & (IRE_CACHE|IRE_BROADCAST));
- if ((arpce = ndp_lookup_v4(ill,
- (ire->ire_gateway_addr != INADDR_ANY ?
- &ire->ire_gateway_addr : &ire->ire_addr),
- B_FALSE)) == NULL) {
- freeb(ire->ire_mp);
- freeb(mp1);
- freemsg(mp);
- return;
- }
- mutex_enter(&arpce->nce_lock);
- arpce->nce_last = TICK_TO_MSEC(lbolt64);
- if (arpce->nce_state == ND_REACHABLE) {
- /*
- * Someone resolved this before us;
- * cleanup the res_mp. Since ire has
- * not been added yet, the call to ire_add_v4
- * from ire_add_then_send (when a dup is
- * detected) will clean up the ire.
- */
- freeb(mp1);
- } else {
- ASSERT(arpce->nce_res_mp == NULL);
- arpce->nce_res_mp = mp1;
- arpce->nce_state = ND_REACHABLE;
- }
- mutex_exit(&arpce->nce_lock);
- if (ire->ire_marks & IRE_MARK_NOADD) {
- /*
- * this ire will not be added to the ire
- * cache table, so we can set the ire_nce
- * here, as there are no atomicity constraints.
- */
- ire->ire_nce = arpce;
- /*
- * We are associating this nce with the ire
- * so change the nce ref taken in
- * ndp_lookup_v4() from
- * NCE_REFHOLD to NCE_REFHOLD_NOTR
- */
- NCE_REFHOLD_TO_REFHOLD_NOTR(ire->ire_nce);
- } else {
- NCE_REFRELE(arpce);
- }
- ire_add_then_send(q, ire, mp);
- }
- return; /* All is well, the packet has been sent. */
- }
- case IRE_ARPRESOLVE_TYPE: {
-
- if ((mp->b_wptr - mp->b_rptr) != sizeof (ire_t)) /* fake_ire */
- break;
- mp1 = mp->b_cont; /* dl_unitdata_req */
- mp->b_cont = NULL;
- /*
- * First, check to make sure the resolution succeeded.
- * If it failed, the second mblk will be empty.
- */
- if (mp1->b_rptr == mp1->b_wptr) {
- /* cleanup the incomplete ire, free queued packets */
- freemsg(mp); /* fake ire */
- freeb(mp1); /* dl_unitdata response */
- return;
- }
-
- /*
- * Update any incomplete nce_t found. We search the ctable
- * and find the nce from the ire->ire_nce because we need
- * to pass the ire to ip_xmit_v4 later, and can find both
- * ire and nce in one lookup.
- */
- fake_ire = (ire_t *)mp->b_rptr;
-
- /*
- * By the time we come back here from ARP the logical outgoing
- * interface of the incomplete ire we added in ire_forward()
- * could have disappeared, causing the incomplete ire to also
- * disappear. So we need to retreive the proper ipif for the
- * ire before looking in ctable. In the case of IPMP, the
- * ipif may be on the IPMP ill, so look it up based on the
- * ire_ipif_ifindex we stashed back in ire_init_common().
- * Then, we can verify that ire_ipif_seqid still exists.
- */
- ill = ill_lookup_on_ifindex(fake_ire->ire_ipif_ifindex, B_FALSE,
- NULL, NULL, NULL, NULL, ipst);
- if (ill == NULL) {
- ip1dbg(("ill for incomplete ire vanished\n"));
- freemsg(mp); /* fake ire */
- freeb(mp1); /* dl_unitdata response */
- return;
- }
-
- /* Get the outgoing ipif */
- mutex_enter(&ill->ill_lock);
- ipif = ipif_lookup_seqid(ill, fake_ire->ire_ipif_seqid);
- if (ipif == NULL) {
- mutex_exit(&ill->ill_lock);
- ill_refrele(ill);
- ip1dbg(("logical intrf to incomplete ire vanished\n"));
- freemsg(mp); /* fake_ire */
- freeb(mp1); /* dl_unitdata response */
- return;
- }
-
- ipif_refhold_locked(ipif);
- mutex_exit(&ill->ill_lock);
- ill_refrele(ill);
- ire = ire_arpresolve_lookup(fake_ire->ire_addr,
- fake_ire->ire_gateway_addr, ipif, fake_ire->ire_zoneid,
- ipst, ((ill_t *)q->q_ptr)->ill_wq);
- ipif_refrele(ipif);
- if (ire == NULL) {
- /*
- * no ire was found; check if there is an nce
- * for this lookup; if it has no ire's pointing at it
- * cleanup.
- */
- if ((nce = ndp_lookup_v4(q->q_ptr,
- (fake_ire->ire_gateway_addr != INADDR_ANY ?
- &fake_ire->ire_gateway_addr : &fake_ire->ire_addr),
- B_FALSE)) != NULL) {
- /*
- * cleanup:
- * We check for refcnt 2 (one for the nce
- * hash list + 1 for the ref taken by
- * ndp_lookup_v4) to check that there are
- * no ire's pointing at the nce.
- */
- if (nce->nce_refcnt == 2)
- ndp_delete(nce);
- NCE_REFRELE(nce);
- }
- freeb(mp1); /* dl_unitdata response */
- freemsg(mp); /* fake ire */
- return;
- }
-
- nce = ire->ire_nce;
- DTRACE_PROBE2(ire__arpresolve__type,
- ire_t *, ire, nce_t *, nce);
- mutex_enter(&nce->nce_lock);
- nce->nce_last = TICK_TO_MSEC(lbolt64);
- if (nce->nce_state == ND_REACHABLE) {
- /*
- * Someone resolved this before us;
- * our response is not needed any more.
- */
- mutex_exit(&nce->nce_lock);
- freeb(mp1); /* dl_unitdata response */
- } else {
- ASSERT(nce->nce_res_mp == NULL);
- nce->nce_res_mp = mp1;
- nce->nce_state = ND_REACHABLE;
- mutex_exit(&nce->nce_lock);
- nce_fastpath(nce);
- }
- /*
- * The cached nce_t has been updated to be reachable;
- * Clear the IRE_MARK_UNCACHED flag and free the fake_ire.
- */
- fake_ire->ire_marks &= ~IRE_MARK_UNCACHED;
- freemsg(mp);
- /*
- * send out queued packets.
- */
- (void) ip_xmit_v4(NULL, ire, NULL, B_FALSE, NULL);
-
- IRE_REFRELE(ire);
- return;
- }
default:
break;
}
@@ -27787,6 +13001,13 @@ nak:
freemsg(mp);
return;
+nak:
+ iocp->ioc_error = EINVAL;
+ mp->b_datap->db_type = M_IOCNAK;
+ iocp->ioc_count = 0;
+ qreply(q, mp);
+ return;
+
protonak:
cmn_err(CE_NOTE, "IP doesn't process %s as a module", proto_str);
if ((mp = mi_tpi_err_ack_alloc(mp, TPROTO, EINVAL)) != NULL)
@@ -27794,14 +13015,15 @@ protonak:
}
/*
- * Process IP options in an outbound packet. Modify the destination if there
- * is a source route option.
+ * Process IP options in an outbound packet. Verify that the nexthop in a
+ * strict source route is onlink.
* Returns non-zero if something fails in which case an ICMP error has been
* sent and mp freed.
+ *
+ * Assumes the ULP has called ip_massage_options to move nexthop into ipha_dst.
*/
-static int
-ip_wput_options(queue_t *q, mblk_t *ipsec_mp, ipha_t *ipha,
- boolean_t mctl_present, zoneid_t zoneid, ip_stack_t *ipst)
+int
+ip_output_options(mblk_t *mp, ipha_t *ipha, ip_xmit_attr_t *ixa, ill_t *ill)
{
ipoptp_t opts;
uchar_t *opt;
@@ -27809,14 +13031,11 @@ ip_wput_options(queue_t *q, mblk_t *ipsec_mp, ipha_t *ipha,
uint8_t optlen;
ipaddr_t dst;
intptr_t code = 0;
- mblk_t *mp;
- ire_t *ire = NULL;
+ ire_t *ire;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ ip_recv_attr_t iras;
- ip2dbg(("ip_wput_options\n"));
- mp = ipsec_mp;
- if (mctl_present) {
- mp = ipsec_mp->b_cont;
- }
+ ip2dbg(("ip_output_options\n"));
dst = ipha->ipha_dst;
for (optval = ipoptp_first(&opts, ipha);
@@ -27824,7 +13043,7 @@ ip_wput_options(queue_t *q, mblk_t *ipsec_mp, ipha_t *ipha,
optval = ipoptp_next(&opts)) {
opt = opts.ipoptp_cur;
optlen = opts.ipoptp_len;
- ip2dbg(("ip_wput_options: opt %d, len %d\n",
+ ip2dbg(("ip_output_options: opt %d, len %d\n",
optval, optlen));
switch (optval) {
uint32_t off;
@@ -27832,25 +13051,25 @@ ip_wput_options(queue_t *q, mblk_t *ipsec_mp, ipha_t *ipha,
case IPOPT_LSRR:
if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
ip1dbg((
- "ip_wput_options: bad option offset\n"));
+ "ip_output_options: bad option offset\n"));
code = (char *)&opt[IPOPT_OLEN] -
(char *)ipha;
goto param_prob;
}
off = opt[IPOPT_OFFSET];
- ip1dbg(("ip_wput_options: next hop 0x%x\n",
+ ip1dbg(("ip_output_options: next hop 0x%x\n",
ntohl(dst)));
/*
* For strict: verify that dst is directly
* reachable.
*/
if (optval == IPOPT_SSRR) {
- ire = ire_ftable_lookup(dst, 0, 0,
- IRE_INTERFACE, NULL, NULL, ALL_ZONES, 0,
- msg_getlabel(mp),
- MATCH_IRE_TYPE | MATCH_IRE_SECATTR, ipst);
+ ire = ire_ftable_lookup_v4(dst, 0, 0,
+ IRE_IF_ALL, NULL, ALL_ZONES, ixa->ixa_tsl,
+ MATCH_IRE_TYPE | MATCH_IRE_SECATTR, 0, ipst,
+ NULL);
if (ire == NULL) {
- ip1dbg(("ip_wput_options: SSRR not"
+ ip1dbg(("ip_output_options: SSRR not"
" directly reachable: 0x%x\n",
ntohl(dst)));
goto bad_src_route;
@@ -27861,7 +13080,7 @@ ip_wput_options(queue_t *q, mblk_t *ipsec_mp, ipha_t *ipha,
case IPOPT_RR:
if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
ip1dbg((
- "ip_wput_options: bad option offset\n"));
+ "ip_output_options: bad option offset\n"));
code = (char *)&opt[IPOPT_OLEN] -
(char *)ipha;
goto param_prob;
@@ -27879,7 +13098,7 @@ ip_wput_options(queue_t *q, mblk_t *ipsec_mp, ipha_t *ipha,
}
if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
ip1dbg((
- "ip_wput_options: bad option offset\n"));
+ "ip_output_options: bad option offset\n"));
code = (char *)&opt[IPOPT_OFFSET] -
(char *)ipha;
goto param_prob;
@@ -27913,33 +13132,31 @@ ip_wput_options(queue_t *q, mblk_t *ipsec_mp, ipha_t *ipha,
if ((opts.ipoptp_flags & IPOPTP_ERROR) == 0)
return (0);
- ip1dbg(("ip_wput_options: error processing IP options."));
+ ip1dbg(("ip_output_options: error processing IP options."));
code = (char *)&opt[IPOPT_OFFSET] - (char *)ipha;
param_prob:
- /*
- * Since ip_wput() isn't close to finished, we fill
- * in enough of the header for credible error reporting.
- */
- if (ip_hdr_complete((ipha_t *)mp->b_rptr, zoneid, ipst)) {
- /* Failed */
- freemsg(ipsec_mp);
- return (-1);
- }
- icmp_param_problem(q, ipsec_mp, (uint8_t)code, zoneid, ipst);
+ bzero(&iras, sizeof (iras));
+ iras.ira_ill = iras.ira_rill = ill;
+ iras.ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+ iras.ira_rifindex = iras.ira_ruifindex;
+ iras.ira_flags = IRAF_IS_IPV4;
+
+ ip_drop_output("ip_output_options", mp, ill);
+ icmp_param_problem(mp, (uint8_t)code, &iras);
+ ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
return (-1);
bad_src_route:
- /*
- * Since ip_wput() isn't close to finished, we fill
- * in enough of the header for credible error reporting.
- */
- if (ip_hdr_complete((ipha_t *)mp->b_rptr, zoneid, ipst)) {
- /* Failed */
- freemsg(ipsec_mp);
- return (-1);
- }
- icmp_unreachable(q, ipsec_mp, ICMP_SOURCE_ROUTE_FAILED, zoneid, ipst);
+ bzero(&iras, sizeof (iras));
+ iras.ira_ill = iras.ira_rill = ill;
+ iras.ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+ iras.ira_rifindex = iras.ira_ruifindex;
+ iras.ira_flags = IRAF_IS_IPV4;
+
+ ip_drop_input("ICMP_SOURCE_ROUTE_FAILED", mp, ill);
+ icmp_unreachable(mp, ICMP_SOURCE_ROUTE_FAILED, &iras);
+ ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
return (-1);
}
@@ -28082,29 +13299,60 @@ conn_drain_insert(conn_t *connp, idl_tx_list_t *tx_list)
/*
* For non streams based sockets assert flow control.
*/
- if (IPCL_IS_NONSTR(connp)) {
- DTRACE_PROBE1(su__txq__full, conn_t *, connp);
- (*connp->conn_upcalls->su_txq_full)
- (connp->conn_upper_handle, B_TRUE);
- } else {
- conn_setqfull(connp);
- noenable(connp->conn_wq);
- }
+ conn_setqfull(connp, NULL);
mutex_exit(CONN_DRAIN_LIST_LOCK(connp));
}
+static void
+conn_idl_remove(conn_t *connp)
+{
+ idl_t *idl = connp->conn_idl;
+
+ if (idl != NULL) {
+ /*
+ * Remove ourself from the drain list, if we did not do
+ * a putq, or if the conn is closing.
+ * Note: It is possible that q->q_first is non-null. It means
+ * that these messages landed after we did a enableok() in
+ * ip_wsrv. Thus STREAMS will call ip_wsrv once again to
+ * service them.
+ */
+ if (connp->conn_drain_next == connp) {
+ /* Singleton in the list */
+ ASSERT(connp->conn_drain_prev == connp);
+ idl->idl_conn = NULL;
+ } else {
+ connp->conn_drain_prev->conn_drain_next =
+ connp->conn_drain_next;
+ connp->conn_drain_next->conn_drain_prev =
+ connp->conn_drain_prev;
+ if (idl->idl_conn == connp)
+ idl->idl_conn = connp->conn_drain_next;
+ }
+ }
+ connp->conn_drain_next = NULL;
+ connp->conn_drain_prev = NULL;
+
+ conn_clrqfull(connp, NULL);
+ /*
+ * For streams based sockets open up flow control.
+ */
+ if (!IPCL_IS_NONSTR(connp))
+ enableok(connp->conn_wq);
+}
+
/*
* This conn is closing, and we are called from ip_close. OR
- * This conn has been serviced by ip_wsrv, and we need to do the tail
- * processing.
- * If this conn is part of the drain list, we may need to sustain the drain
- * process by qenabling the next conn in the drain list. We may also need to
- * remove this conn from the list, if it is done.
+ * this conn is draining because flow-control on the ill has been relieved.
+ *
+ * We must also need to remove conn's on this idl from the list, and also
+ * inform the sockfs upcalls about the change in flow-control.
*/
static void
conn_drain_tail(conn_t *connp, boolean_t closing)
{
idl_t *idl;
+ conn_t *next_connp;
/*
* connp->conn_idl is stable at this point, and no lock is needed
@@ -28116,24 +13364,21 @@ conn_drain_tail(conn_t *connp, boolean_t closing)
* instance of service trying to call conn_drain_insert on this conn
* now.
*/
- ASSERT(!closing || (connp->conn_idl != NULL));
+ ASSERT(!closing || connp == NULL || connp->conn_idl != NULL);
/*
* If connp->conn_idl is null, the conn has not been inserted into any
* drain list even once since creation of the conn. Just return.
*/
- if (connp->conn_idl == NULL)
+ if (connp == NULL || connp->conn_idl == NULL)
return;
- mutex_enter(CONN_DRAIN_LIST_LOCK(connp));
-
if (connp->conn_drain_prev == NULL) {
/* This conn is currently not in the drain list. */
- mutex_exit(CONN_DRAIN_LIST_LOCK(connp));
return;
}
idl = connp->conn_idl;
- if (idl->idl_conn_draining == connp) {
+ if (!closing) {
/*
* This conn is the current drainer. If this is the last conn
* in the drain list, we need to do more checks, in the 'if'
@@ -28141,186 +13386,45 @@ conn_drain_tail(conn_t *connp, boolean_t closing)
* to sustain the draining, and is handled in the 'else'
* below.
*/
- if (connp->conn_drain_next == idl->idl_conn) {
- /*
- * This conn is the last in this list. This round
- * of draining is complete. If idl_repeat is set,
- * it means another flow enabling has happened from
- * the driver/streams and we need to another round
- * of draining.
- * If there are more than 2 conns in the drain list,
- * do a left rotate by 1, so that all conns except the
- * conn at the head move towards the head by 1, and the
- * the conn at the head goes to the tail. This attempts
- * a more even share for all queues that are being
- * drained.
- */
- if ((connp->conn_drain_next != connp) &&
- (idl->idl_conn->conn_drain_next != connp)) {
- idl->idl_conn = idl->idl_conn->conn_drain_next;
- }
- if (idl->idl_repeat) {
- qenable(idl->idl_conn->conn_wq);
- idl->idl_conn_draining = idl->idl_conn;
- idl->idl_repeat = 0;
- } else {
- idl->idl_conn_draining = NULL;
- }
- } else {
- /*
- * If the next queue that we are now qenable'ing,
- * is closing, it will remove itself from this list
- * and qenable the subsequent queue in ip_close().
- * Serialization is acheived thru idl_lock.
- */
- qenable(connp->conn_drain_next->conn_wq);
- idl->idl_conn_draining = connp->conn_drain_next;
- }
- }
- if (!connp->conn_did_putbq || closing) {
- /*
- * Remove ourself from the drain list, if we did not do
- * a putbq, or if the conn is closing.
- * Note: It is possible that q->q_first is non-null. It means
- * that these messages landed after we did a enableok() in
- * ip_wsrv. Thus STREAMS will call ip_wsrv once again to
- * service them.
- */
- if (connp->conn_drain_next == connp) {
- /* Singleton in the list */
- ASSERT(connp->conn_drain_prev == connp);
- idl->idl_conn = NULL;
- idl->idl_conn_draining = NULL;
- } else {
- connp->conn_drain_prev->conn_drain_next =
- connp->conn_drain_next;
- connp->conn_drain_next->conn_drain_prev =
- connp->conn_drain_prev;
- if (idl->idl_conn == connp)
- idl->idl_conn = connp->conn_drain_next;
- ASSERT(idl->idl_conn_draining != connp);
-
- }
- connp->conn_drain_next = NULL;
- connp->conn_drain_prev = NULL;
+ next_connp = connp->conn_drain_next;
+ while (next_connp != connp) {
+ conn_t *delconnp = next_connp;
- /*
- * For non streams based sockets open up flow control.
- */
- if (IPCL_IS_NONSTR(connp)) {
- (*connp->conn_upcalls->su_txq_full)
- (connp->conn_upper_handle, B_FALSE);
- } else {
- conn_clrqfull(connp);
- enableok(connp->conn_wq);
+ next_connp = next_connp->conn_drain_next;
+ conn_idl_remove(delconnp);
}
+ ASSERT(connp->conn_drain_next == idl->idl_conn);
}
+ conn_idl_remove(connp);
- mutex_exit(CONN_DRAIN_LIST_LOCK(connp));
}
/*
* Write service routine. Shared perimeter entry point.
- * ip_wsrv can be called in any of the following ways.
- * 1. The device queue's messages has fallen below the low water mark
- * and STREAMS has backenabled the ill_wq. We walk thru all the
- * the drain lists and backenable the first conn in each list.
- * 2. The above causes STREAMS to run ip_wsrv on the conn_wq of the
- * qenabled non-tcp upper layers. We start dequeing messages and call
- * ip_wput for each message.
+ * The device queue's messages has fallen below the low water mark and STREAMS
+ * has backenabled the ill_wq. Send sockfs notification about flow-control onx
+ * each waiting conn.
*/
-
void
ip_wsrv(queue_t *q)
{
- conn_t *connp;
ill_t *ill;
- mblk_t *mp;
-
- if (q->q_next) {
- ill = (ill_t *)q->q_ptr;
- if (ill->ill_state_flags == 0) {
- ip_stack_t *ipst = ill->ill_ipst;
- /*
- * The device flow control has opened up.
- * Walk through conn drain lists and qenable the
- * first conn in each list. This makes sense only
- * if the stream is fully plumbed and setup.
- * Hence the if check above.
- */
- ip1dbg(("ip_wsrv: walking\n"));
- conn_walk_drain(ipst, &ipst->ips_idl_tx_list[0]);
- }
- return;
- }
-
- connp = Q_TO_CONN(q);
- ip1dbg(("ip_wsrv: %p %p\n", (void *)q, (void *)connp));
+ ill = (ill_t *)q->q_ptr;
+ if (ill->ill_state_flags == 0) {
+ ip_stack_t *ipst = ill->ill_ipst;
- /*
- * 1. Set conn_draining flag to signal that service is active.
- *
- * 2. ip_output determines whether it has been called from service,
- * based on the last parameter. If it is IP_WSRV it concludes it
- * has been called from service.
- *
- * 3. Message ordering is preserved by the following logic.
- * i. A directly called ip_output (i.e. not thru service) will queue
- * the message at the tail, if conn_draining is set (i.e. service
- * is running) or if q->q_first is non-null.
- *
- * ii. If ip_output is called from service, and if ip_output cannot
- * putnext due to flow control, it does a putbq.
- *
- * 4. noenable the queue so that a putbq from ip_wsrv does not reenable
- * (causing an infinite loop).
- */
- ASSERT(!connp->conn_did_putbq);
-
- while ((q->q_first != NULL) && !connp->conn_did_putbq) {
- connp->conn_draining = 1;
- noenable(q);
- while ((mp = getq(q)) != NULL) {
- ASSERT(CONN_Q(q));
-
- DTRACE_PROBE1(ip__wsrv__ip__output, conn_t *, connp);
- ip_output(Q_TO_CONN(q), mp, q, IP_WSRV);
- if (connp->conn_did_putbq) {
- /* ip_wput did a putbq */
- break;
- }
- }
/*
- * At this point, a thread coming down from top, calling
- * ip_wput, may end up queueing the message. We have not yet
- * enabled the queue, so ip_wsrv won't be called again.
- * To avoid this race, check q->q_first again (in the loop)
- * If the other thread queued the message before we call
- * enableok(), we will catch it in the q->q_first check.
- * If the other thread queues the message after we call
- * enableok(), ip_wsrv will be called again by STREAMS.
+ * The device flow control has opened up.
+ * Walk through conn drain lists and qenable the
+ * first conn in each list. This makes sense only
+ * if the stream is fully plumbed and setup.
+ * Hence the ill_state_flags check above.
*/
- connp->conn_draining = 0;
- enableok(q);
+ ip1dbg(("ip_wsrv: walking\n"));
+ conn_walk_drain(ipst, &ipst->ips_idl_tx_list[0]);
+ enableok(ill->ill_wq);
}
-
- /* Enable the next conn for draining */
- conn_drain_tail(connp, B_FALSE);
-
- /*
- * conn_direct_blocked is used to indicate blocked
- * condition for direct path (ILL_DIRECT_CAPABLE()).
- * This is the only place where it is set without
- * checking for ILL_DIRECT_CAPABLE() and setting it
- * to 0 is ok even if it is not ILL_DIRECT_CAPABLE().
- */
- if (!connp->conn_did_putbq && connp->conn_direct_blocked) {
- DTRACE_PROBE1(ip__wsrv__direct__blocked, conn_t *, connp);
- connp->conn_direct_blocked = B_FALSE;
- }
-
- connp->conn_did_putbq = 0;
}
/*
@@ -28369,21 +13473,7 @@ conn_walk_drain(ip_stack_t *ipst, idl_tx_list_t *tx_list)
for (i = 0; i < ipst->ips_conn_drain_list_cnt; i++) {
idl = &tx_list->txl_drain_list[i];
mutex_enter(&idl->idl_lock);
- if (idl->idl_conn == NULL) {
- mutex_exit(&idl->idl_lock);
- continue;
- }
- /*
- * If this list is not being drained currently by
- * an ip_wsrv thread, start the process.
- */
- if (idl->idl_conn_draining == NULL) {
- ASSERT(idl->idl_repeat == 0);
- qenable(idl->idl_conn->conn_wq);
- idl->idl_conn_draining = idl->idl_conn;
- } else {
- idl->idl_repeat = 1;
- }
+ conn_drain_tail(idl->idl_conn, B_FALSE);
mutex_exit(&idl->idl_lock);
}
}
@@ -28393,240 +13483,190 @@ conn_walk_drain(ip_stack_t *ipst, idl_tx_list_t *tx_list)
* "matches" the conn.
*/
boolean_t
-conn_wantpacket(conn_t *connp, ill_t *ill, ipha_t *ipha, int fanout_flags,
- zoneid_t zoneid)
+conn_wantpacket(conn_t *connp, ip_recv_attr_t *ira, ipha_t *ipha)
{
- ill_t *bound_ill;
- boolean_t found;
- ipif_t *ipif;
- ire_t *ire;
- ipaddr_t dst, src;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+ ill_t *ill = ira->ira_rill;
+ zoneid_t zoneid = ira->ira_zoneid;
+ uint_t in_ifindex;
+ ipaddr_t dst, src;
dst = ipha->ipha_dst;
src = ipha->ipha_src;
/*
- * conn_incoming_ill is set by IP_BOUND_IF which limits
+ * conn_incoming_ifindex is set by IP_BOUND_IF which limits
* unicast, broadcast and multicast reception to
- * conn_incoming_ill. conn_wantpacket itself is called
- * only for BROADCAST and multicast.
+ * conn_incoming_ifindex.
+ * conn_wantpacket is called for unicast, broadcast and
+ * multicast packets.
*/
- bound_ill = connp->conn_incoming_ill;
- if (bound_ill != NULL) {
- if (IS_IPMP(bound_ill)) {
- if (bound_ill->ill_grp != ill->ill_grp)
- return (B_FALSE);
- } else {
- if (bound_ill != ill)
- return (B_FALSE);
- }
- }
+ in_ifindex = connp->conn_incoming_ifindex;
- if (!CLASSD(dst)) {
- if (IPCL_ZONE_MATCH(connp, zoneid))
- return (B_TRUE);
- /*
- * The conn is in a different zone; we need to check that this
- * broadcast address is configured in the application's zone.
- */
- ipif = ipif_get_next_ipif(NULL, ill);
- if (ipif == NULL)
+ /* mpathd can bind to the under IPMP interface, which we allow */
+ if (in_ifindex != 0 && in_ifindex != ill->ill_phyint->phyint_ifindex) {
+ if (!IS_UNDER_IPMP(ill))
return (B_FALSE);
- ire = ire_ctable_lookup(dst, 0, IRE_BROADCAST, ipif,
- connp->conn_zoneid, NULL,
- (MATCH_IRE_TYPE | MATCH_IRE_ILL), ipst);
- ipif_refrele(ipif);
- if (ire != NULL) {
- ire_refrele(ire);
- return (B_TRUE);
- } else {
+
+ if (in_ifindex != ipmp_ill_get_ipmp_ifindex(ill))
return (B_FALSE);
- }
}
- if ((fanout_flags & IP_FF_NO_MCAST_LOOP) &&
- connp->conn_zoneid == zoneid) {
- /*
- * Loopback case: the sending endpoint has IP_MULTICAST_LOOP
- * disabled, therefore we don't dispatch the multicast packet to
- * the sending zone.
- */
+ if (!IPCL_ZONE_MATCH(connp, zoneid))
return (B_FALSE);
- }
- if (IS_LOOPBACK(ill) && connp->conn_zoneid != zoneid) {
- /*
- * Multicast packet on the loopback interface: we only match
- * conns who joined the group in the specified zone.
- */
- return (B_FALSE);
- }
+ if (!(ira->ira_flags & IRAF_MULTICAST))
+ return (B_TRUE);
if (connp->conn_multi_router) {
/* multicast packet and multicast router socket: send up */
return (B_TRUE);
}
- mutex_enter(&connp->conn_lock);
- found = (ilg_lookup_ill_withsrc(connp, dst, src, ill) != NULL);
- mutex_exit(&connp->conn_lock);
- return (found);
+ if (ipha->ipha_protocol == IPPROTO_PIM ||
+ ipha->ipha_protocol == IPPROTO_RSVP)
+ return (B_TRUE);
+
+ return (conn_hasmembers_ill_withsrc_v4(connp, dst, src, ira->ira_ill));
}
-static void
-conn_setqfull(conn_t *connp)
+void
+conn_setqfull(conn_t *connp, boolean_t *flow_stopped)
{
- queue_t *q = connp->conn_wq;
+ if (IPCL_IS_NONSTR(connp)) {
+ (*connp->conn_upcalls->su_txq_full)
+ (connp->conn_upper_handle, B_TRUE);
+ if (flow_stopped != NULL)
+ *flow_stopped = B_TRUE;
+ } else {
+ queue_t *q = connp->conn_wq;
- if (!(q->q_flag & QFULL)) {
- mutex_enter(QLOCK(q));
+ ASSERT(q != NULL);
if (!(q->q_flag & QFULL)) {
- /* still need to set QFULL */
- q->q_flag |= QFULL;
- mutex_exit(QLOCK(q));
- } else {
- mutex_exit(QLOCK(q));
+ mutex_enter(QLOCK(q));
+ if (!(q->q_flag & QFULL)) {
+ /* still need to set QFULL */
+ q->q_flag |= QFULL;
+ /* set flow_stopped to true under QLOCK */
+ if (flow_stopped != NULL)
+ *flow_stopped = B_TRUE;
+ mutex_exit(QLOCK(q));
+ } else {
+ /* flow_stopped is left unchanged */
+ mutex_exit(QLOCK(q));
+ }
}
}
}
-static void
-conn_clrqfull(conn_t *connp)
+void
+conn_clrqfull(conn_t *connp, boolean_t *flow_stopped)
{
- queue_t *q = connp->conn_wq;
+ if (IPCL_IS_NONSTR(connp)) {
+ (*connp->conn_upcalls->su_txq_full)
+ (connp->conn_upper_handle, B_FALSE);
+ if (flow_stopped != NULL)
+ *flow_stopped = B_FALSE;
+ } else {
+ queue_t *q = connp->conn_wq;
- if (q->q_flag & QFULL) {
- mutex_enter(QLOCK(q));
+ ASSERT(q != NULL);
if (q->q_flag & QFULL) {
- q->q_flag &= ~QFULL;
- mutex_exit(QLOCK(q));
- if (q->q_flag & QWANTW)
- qbackenable(q, 0);
- } else {
- mutex_exit(QLOCK(q));
+ mutex_enter(QLOCK(q));
+ if (q->q_flag & QFULL) {
+ q->q_flag &= ~QFULL;
+ /* set flow_stopped to false under QLOCK */
+ if (flow_stopped != NULL)
+ *flow_stopped = B_FALSE;
+ mutex_exit(QLOCK(q));
+ if (q->q_flag & QWANTW)
+ qbackenable(q, 0);
+ } else {
+ /* flow_stopped is left unchanged */
+ mutex_exit(QLOCK(q));
+ }
}
}
+ connp->conn_direct_blocked = B_FALSE;
}
/*
- * Finish processing of "arp_up" when AR_DLPIOP_DONE is received from arp.
+ * Return the length in bytes of the IPv4 headers (base header, label, and
+ * other IP options) that will be needed based on the
+ * ip_pkt_t structure passed by the caller.
+ *
+ * The returned length does not include the length of the upper level
+ * protocol (ULP) header.
+ * The caller needs to check that the length doesn't exceed the max for IPv4.
*/
-/* ARGSUSED */
-static void
-ip_arp_done(ipsq_t *dummy_sq, queue_t *q, mblk_t *mp, void *dummy_arg)
+int
+ip_total_hdrs_len_v4(const ip_pkt_t *ipp)
{
- ill_t *ill = (ill_t *)q->q_ptr;
- mblk_t *mp1, *mp2;
- ipif_t *ipif;
- int err = 0;
- conn_t *connp = NULL;
- ipsq_t *ipsq;
- arc_t *arc;
-
- ip1dbg(("ip_arp_done(%s)\n", ill->ill_name));
-
- ASSERT((mp->b_wptr - mp->b_rptr) >= sizeof (arc_t));
- ASSERT(((arc_t *)mp->b_rptr)->arc_cmd == AR_DLPIOP_DONE);
-
- ASSERT(IAM_WRITER_ILL(ill));
- mp2 = mp->b_cont;
- mp->b_cont = NULL;
+ int len;
- /*
- * We have now received the arp bringup completion message
- * from ARP. Mark the arp bringup as done. Also if the arp
- * stream has already started closing, send up the AR_ARP_CLOSING
- * ack now since ARP is waiting in close for this ack.
- */
- mutex_enter(&ill->ill_lock);
- ill->ill_arp_bringup_pending = 0;
- if (ill->ill_arp_closing) {
- mutex_exit(&ill->ill_lock);
- /* Let's reuse the mp for sending the ack */
- arc = (arc_t *)mp->b_rptr;
- mp->b_wptr = mp->b_rptr + sizeof (arc_t);
- arc->arc_cmd = AR_ARP_CLOSING;
- qreply(q, mp);
- } else {
- mutex_exit(&ill->ill_lock);
- freeb(mp);
+ len = IP_SIMPLE_HDR_LENGTH;
+ if (ipp->ipp_fields & IPPF_LABEL_V4) {
+ ASSERT(ipp->ipp_label_len_v4 != 0);
+ /* We need to round up here */
+ len += (ipp->ipp_label_len_v4 + 3) & ~3;
}
- ipsq = ill->ill_phyint->phyint_ipsq;
- ipif = ipsq->ipsq_xop->ipx_pending_ipif;
- mp1 = ipsq_pending_mp_get(ipsq, &connp);
- ASSERT(!((mp1 != NULL) ^ (ipif != NULL)));
- if (mp1 == NULL) {
- /* bringup was aborted by the user */
- freemsg(mp2);
- return;
+ if (ipp->ipp_fields & IPPF_IPV4_OPTIONS) {
+ ASSERT(ipp->ipp_ipv4_options_len != 0);
+ ASSERT((ipp->ipp_ipv4_options_len & 3) == 0);
+ len += ipp->ipp_ipv4_options_len;
}
+ return (len);
+}
- /*
- * If an IOCTL is waiting on this (ipx_current_ioctl != 0), then we
- * must have an associated conn_t. Otherwise, we're bringing this
- * interface back up as part of handling an asynchronous event (e.g.,
- * physical address change).
- */
- if (ipsq->ipsq_xop->ipx_current_ioctl != 0) {
- ASSERT(connp != NULL);
- q = CONNP_TO_WQ(connp);
- } else {
- ASSERT(connp == NULL);
- q = ill->ill_rq;
- }
+/*
+ * All-purpose routine to build an IPv4 header with options based
+ * on the abstract ip_pkt_t.
+ *
+ * The caller has to set the source and destination address as well as
+ * ipha_length. The caller has to massage any source route and compensate
+ * for the ULP pseudo-header checksum due to the source route.
+ */
+void
+ip_build_hdrs_v4(uchar_t *buf, uint_t buf_len, const ip_pkt_t *ipp,
+ uint8_t protocol)
+{
+ ipha_t *ipha = (ipha_t *)buf;
+ uint8_t *cp;
- /*
- * If the DL_BIND_REQ fails, it is noted
- * in arc_name_offset.
- */
- err = *((int *)mp2->b_rptr);
- if (err == 0) {
- if (ipif->ipif_isv6) {
- if ((err = ipif_up_done_v6(ipif)) != 0)
- ip0dbg(("ip_arp_done: init failed\n"));
- } else {
- if ((err = ipif_up_done(ipif)) != 0)
- ip0dbg(("ip_arp_done: init failed\n"));
- }
- } else {
- ip0dbg(("ip_arp_done: DL_BIND_REQ failed\n"));
- }
+ /* Initialize IPv4 header */
+ ipha->ipha_type_of_service = ipp->ipp_type_of_service;
+ ipha->ipha_length = 0; /* Caller will set later */
+ ipha->ipha_ident = 0;
+ ipha->ipha_fragment_offset_and_flags = 0;
+ ipha->ipha_ttl = ipp->ipp_unicast_hops;
+ ipha->ipha_protocol = protocol;
+ ipha->ipha_hdr_checksum = 0;
- freemsg(mp2);
+ if ((ipp->ipp_fields & IPPF_ADDR) &&
+ IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
+ ipha->ipha_src = ipp->ipp_addr_v4;
- if ((err == 0) && (ill->ill_up_ipifs)) {
- err = ill_up_ipifs(ill, q, mp1);
- if (err == EINPROGRESS)
- return;
+ cp = (uint8_t *)&ipha[1];
+ if (ipp->ipp_fields & IPPF_LABEL_V4) {
+ ASSERT(ipp->ipp_label_len_v4 != 0);
+ bcopy(ipp->ipp_label_v4, cp, ipp->ipp_label_len_v4);
+ cp += ipp->ipp_label_len_v4;
+ /* We need to round up here */
+ while ((uintptr_t)cp & 0x3) {
+ *cp++ = IPOPT_NOP;
+ }
}
- /*
- * If we have a moved ipif to bring up, and everything has succeeded
- * to this point, bring it up on the IPMP ill. Otherwise, leave it
- * down -- the admin can try to bring it up by hand if need be.
- */
- if (ill->ill_move_ipif != NULL) {
- ipif = ill->ill_move_ipif;
- ill->ill_move_ipif = NULL;
- if (err == 0) {
- err = ipif_up(ipif, q, mp1);
- if (err == EINPROGRESS)
- return;
- }
+ if (ipp->ipp_fields & IPPF_IPV4_OPTIONS) {
+ ASSERT(ipp->ipp_ipv4_options_len != 0);
+ ASSERT((ipp->ipp_ipv4_options_len & 3) == 0);
+ bcopy(ipp->ipp_ipv4_options, cp, ipp->ipp_ipv4_options_len);
+ cp += ipp->ipp_ipv4_options_len;
}
+ ipha->ipha_version_and_hdr_length =
+ (uint8_t)((IP_VERSION << 4) + buf_len / 4);
- /*
- * The operation must complete without EINPROGRESS since
- * ipsq_pending_mp_get() has removed the mblk. Otherwise, the
- * operation will be stuck forever in the ipsq.
- */
- ASSERT(err != EINPROGRESS);
- if (ipsq->ipsq_xop->ipx_current_ioctl != 0)
- ip_ioctl_finish(q, mp1, err, NO_COPYOUT, ipsq);
- else
- ipsq_current_finish(ipsq);
+ ASSERT((int)(cp - buf) == buf_len);
}
/* Allocate the private structure */
@@ -28659,47 +13699,43 @@ ip_priv_free(void *buf)
* which holds the state information for this packet and invokes the
* the classifier (via ipp_packet_process). The classification, depending on
* configured filters, results in a list of actions for this packet. Invoking
- * an action may cause the packet to be dropped, in which case the resulting
- * mblk (*mpp) is NULL. proc indicates the callout position for
- * this packet and ill_index is the interface this packet on or will leave
+ * an action may cause the packet to be dropped, in which case we return NULL.
+ * proc indicates the callout position for
+ * this packet and ill is the interface this packet arrived on or will leave
* on (inbound and outbound resp.).
+ *
+ * We do the processing on the rill (mapped to the upper if ipmp), but MIB
+ * on the ill corrsponding to the destination IP address.
*/
-void
-ip_process(ip_proc_t proc, mblk_t **mpp, uint32_t ill_index)
+mblk_t *
+ip_process(ip_proc_t proc, mblk_t *mp, ill_t *rill, ill_t *ill)
{
- mblk_t *mp;
ip_priv_t *priv;
ipp_action_id_t aid;
int rc = 0;
ipp_packet_t *pp;
-#define IP_CLASS "ip"
/* If the classifier is not loaded, return */
if ((aid = ipp_action_lookup(IPGPC_CLASSIFY)) == IPP_ACTION_INVAL) {
- return;
+ return (mp);
}
- mp = *mpp;
ASSERT(mp != NULL);
/* Allocate the packet structure */
- rc = ipp_packet_alloc(&pp, IP_CLASS, aid);
- if (rc != 0) {
- *mpp = NULL;
- freemsg(mp);
- return;
- }
+ rc = ipp_packet_alloc(&pp, "ip", aid);
+ if (rc != 0)
+ goto drop;
/* Allocate the private structure */
rc = ip_priv_alloc((void **)&priv);
if (rc != 0) {
- *mpp = NULL;
- freemsg(mp);
ipp_packet_free(pp);
- return;
+ goto drop;
}
priv->proc = proc;
- priv->ill_index = ill_index;
+ priv->ill_index = ill_get_upper_ifindex(rill);
+
ipp_packet_set_private(pp, priv, ip_priv_free);
ipp_packet_set_data(pp, mp);
@@ -28708,14 +13744,23 @@ ip_process(ip_proc_t proc, mblk_t **mpp, uint32_t ill_index)
if (pp != NULL) {
mp = ipp_packet_get_data(pp);
ipp_packet_free(pp);
- if (rc != 0) {
- freemsg(mp);
- *mpp = NULL;
- }
+ if (rc != 0)
+ goto drop;
+ return (mp);
} else {
- *mpp = NULL;
+ /* No mp to trace in ip_drop_input/ip_drop_output */
+ mp = NULL;
}
-#undef IP_CLASS
+drop:
+ if (proc == IPP_LOCAL_IN || proc == IPP_FWD_IN) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ip_process", mp, ill);
+ } else {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ip_process", mp, ill);
+ }
+ freemsg(mp);
+ return (NULL);
}
/*
@@ -28723,102 +13768,92 @@ ip_process(ip_proc_t proc, mblk_t **mpp, uint32_t ill_index)
* all the interfaces crossed by the related multirt routes.
* The call is considered successful if the operation succeeds
* on at least one interface.
+ *
+ * This assumes that a set of IRE_HOST/RTF_MULTIRT has been created for the
+ * multicast addresses with the ire argument being the first one.
+ * We walk the bucket to find all the of those.
+ *
+ * Common to IPv4 and IPv6.
*/
static int
-ip_multirt_apply_membership(int (*fn)(conn_t *, boolean_t, ipaddr_t, ipaddr_t,
- uint_t *, mcast_record_t, ipaddr_t, mblk_t *), ire_t *ire, conn_t *connp,
- boolean_t checkonly, ipaddr_t group, mcast_record_t fmode, ipaddr_t src,
- mblk_t *first_mp)
+ip_multirt_apply_membership(int (*fn)(conn_t *, boolean_t,
+ const in6_addr_t *, ipaddr_t, uint_t, mcast_record_t, const in6_addr_t *),
+ ire_t *ire, conn_t *connp, boolean_t checkonly, const in6_addr_t *v6group,
+ mcast_record_t fmode, const in6_addr_t *v6src)
{
ire_t *ire_gw;
irb_t *irb;
+ int ifindex;
int error = 0;
- opt_restart_t *or;
+ int result;
ip_stack_t *ipst = ire->ire_ipst;
+ ipaddr_t group;
+ boolean_t isv6;
+ int match_flags;
+
+ if (IN6_IS_ADDR_V4MAPPED(v6group)) {
+ IN6_V4MAPPED_TO_IPADDR(v6group, group);
+ isv6 = B_FALSE;
+ } else {
+ isv6 = B_TRUE;
+ }
irb = ire->ire_bucket;
ASSERT(irb != NULL);
- ASSERT(DB_TYPE(first_mp) == M_CTL);
-
- or = (opt_restart_t *)first_mp->b_rptr;
- IRB_REFHOLD(irb);
+ result = 0;
+ irb_refhold(irb);
for (; ire != NULL; ire = ire->ire_next) {
if ((ire->ire_flags & RTF_MULTIRT) == 0)
continue;
- if (ire->ire_addr != group)
- continue;
- ire_gw = ire_ftable_lookup(ire->ire_gateway_addr, 0, 0,
- IRE_INTERFACE, NULL, NULL, ALL_ZONES, 0, NULL,
- MATCH_IRE_RECURSIVE | MATCH_IRE_TYPE, ipst);
- /* No resolver exists for the gateway; skip this ire. */
+ /* We handle -ifp routes by matching on the ill if set */
+ match_flags = MATCH_IRE_TYPE;
+ if (ire->ire_ill != NULL)
+ match_flags |= MATCH_IRE_ILL;
+
+ if (isv6) {
+ if (!IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, v6group))
+ continue;
+
+ ire_gw = ire_ftable_lookup_v6(&ire->ire_gateway_addr_v6,
+ 0, 0, IRE_INTERFACE, ire->ire_ill, ALL_ZONES, NULL,
+ match_flags, 0, ipst, NULL);
+ } else {
+ if (ire->ire_addr != group)
+ continue;
+
+ ire_gw = ire_ftable_lookup_v4(ire->ire_gateway_addr,
+ 0, 0, IRE_INTERFACE, ire->ire_ill, ALL_ZONES, NULL,
+ match_flags, 0, ipst, NULL);
+ }
+ /* No interface route exists for the gateway; skip this ire. */
if (ire_gw == NULL)
continue;
+ if (ire_gw->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ ire_refrele(ire_gw);
+ continue;
+ }
+ ASSERT(ire_gw->ire_ill != NULL); /* IRE_INTERFACE */
+ ifindex = ire_gw->ire_ill->ill_phyint->phyint_ifindex;
/*
- * This function can return EINPROGRESS. If so the operation
- * will be restarted from ip_restart_optmgmt which will
- * call ip_opt_set and option processing will restart for
- * this option. So we may end up calling 'fn' more than once.
- * This requires that 'fn' is idempotent except for the
- * return value. The operation is considered a success if
+ * The operation is considered a success if
* it succeeds at least once on any one interface.
*/
- error = fn(connp, checkonly, group, ire_gw->ire_src_addr,
- NULL, fmode, src, first_mp);
+ error = fn(connp, checkonly, v6group, INADDR_ANY, ifindex,
+ fmode, v6src);
if (error == 0)
- or->or_private = CGTP_MCAST_SUCCESS;
-
- if (ip_debug > 0) {
- ulong_t off;
- char *ksym;
- ksym = kobj_getsymname((uintptr_t)fn, &off);
- ip2dbg(("ip_multirt_apply_membership: "
- "called %s, multirt group 0x%08x via itf 0x%08x, "
- "error %d [success %u]\n",
- ksym ? ksym : "?",
- ntohl(group), ntohl(ire_gw->ire_src_addr),
- error, or->or_private));
- }
+ result = CGTP_MCAST_SUCCESS;
ire_refrele(ire_gw);
- if (error == EINPROGRESS) {
- IRB_REFRELE(irb);
- return (error);
- }
}
- IRB_REFRELE(irb);
+ irb_refrele(irb);
/*
* Consider the call as successful if we succeeded on at least
* one interface. Otherwise, return the last encountered error.
*/
- return (or->or_private == CGTP_MCAST_SUCCESS ? 0 : error);
-}
-
-/*
- * Issue a warning regarding a route crossing an interface with an
- * incorrect MTU. Only one message every 'ip_multirt_log_interval'
- * amount of time is logged.
- */
-static void
-ip_multirt_bad_mtu(ire_t *ire, uint32_t max_frag)
-{
- hrtime_t current = gethrtime();
- char buf[INET_ADDRSTRLEN];
- ip_stack_t *ipst = ire->ire_ipst;
-
- /* Convert interval in ms to hrtime in ns */
- if (ipst->ips_multirt_bad_mtu_last_time +
- ((hrtime_t)ipst->ips_ip_multirt_log_interval * (hrtime_t)1000000) <=
- current) {
- cmn_err(CE_WARN, "ip: ignoring multiroute "
- "to %s, incorrect MTU %u (expected %u)\n",
- ip_dot_addr(ire->ire_addr, buf),
- ire->ire_max_frag, max_frag);
-
- ipst->ips_multirt_bad_mtu_last_time = current;
- }
+ return (result == CGTP_MCAST_SUCCESS ? 0 : error);
}
/*
@@ -28882,6 +13917,7 @@ ip_cgtp_filter_set(queue_t *q, mblk_t *mp, char *value, caddr_t cp,
*ip_cgtp_filter_value = (boolean_t)new_value;
+ ill_set_inputfn_all(ipst);
return (0);
}
@@ -28919,6 +13955,9 @@ ip_cgtp_filter_register(netstackid_t stackid, cgtp_filter_ops_t *ops)
}
ipst->ips_ip_cgtp_filter_ops = ops;
+
+ ill_set_inputfn_all(ipst);
+
netstack_rele(ns);
return (0);
}
@@ -28950,6 +13989,9 @@ ip_cgtp_filter_unregister(netstackid_t stackid)
return (ENXIO);
}
ipst->ips_ip_cgtp_filter_ops = NULL;
+
+ ill_set_inputfn_all(ipst);
+
netstack_rele(ns);
return (0);
}
@@ -28984,7 +14026,7 @@ ip_cgtp_filter_is_registered(netstackid_t stackid)
static int
ip_squeue_switch(int val)
{
- int rval = SQ_FILL;
+ int rval;
switch (val) {
case IP_SQUEUE_ENTER_NODRAIN:
@@ -28993,7 +14035,9 @@ ip_squeue_switch(int val)
case IP_SQUEUE_ENTER:
rval = SQ_PROCESS;
break;
+ case IP_SQUEUE_FILL:
default:
+ rval = SQ_FILL;
break;
}
return (rval);
@@ -29046,52 +14090,45 @@ ip_kstat2_init(netstackid_t stackid, ip_stat_t *ip_statisticsp)
kstat_t *ksp;
ip_stat_t template = {
- { "ipsec_fanout_proto", KSTAT_DATA_UINT64 },
{ "ip_udp_fannorm", KSTAT_DATA_UINT64 },
{ "ip_udp_fanmb", KSTAT_DATA_UINT64 },
- { "ip_udp_fanothers", KSTAT_DATA_UINT64 },
- { "ip_udp_fast_path", KSTAT_DATA_UINT64 },
- { "ip_udp_slow_path", KSTAT_DATA_UINT64 },
- { "ip_udp_input_err", KSTAT_DATA_UINT64 },
- { "ip_tcppullup", KSTAT_DATA_UINT64 },
- { "ip_tcpoptions", KSTAT_DATA_UINT64 },
- { "ip_multipkttcp", KSTAT_DATA_UINT64 },
- { "ip_tcp_fast_path", KSTAT_DATA_UINT64 },
- { "ip_tcp_slow_path", KSTAT_DATA_UINT64 },
- { "ip_tcp_input_error", KSTAT_DATA_UINT64 },
+ { "ip_recv_pullup", KSTAT_DATA_UINT64 },
{ "ip_db_ref", KSTAT_DATA_UINT64 },
- { "ip_notaligned1", KSTAT_DATA_UINT64 },
- { "ip_notaligned2", KSTAT_DATA_UINT64 },
- { "ip_multimblk3", KSTAT_DATA_UINT64 },
- { "ip_multimblk4", KSTAT_DATA_UINT64 },
- { "ip_ipoptions", KSTAT_DATA_UINT64 },
- { "ip_classify_fail", KSTAT_DATA_UINT64 },
+ { "ip_notaligned", KSTAT_DATA_UINT64 },
+ { "ip_multimblk", KSTAT_DATA_UINT64 },
{ "ip_opt", KSTAT_DATA_UINT64 },
- { "ip_udp_rput_local", KSTAT_DATA_UINT64 },
{ "ipsec_proto_ahesp", KSTAT_DATA_UINT64 },
{ "ip_conn_flputbq", KSTAT_DATA_UINT64 },
{ "ip_conn_walk_drain", KSTAT_DATA_UINT64 },
{ "ip_out_sw_cksum", KSTAT_DATA_UINT64 },
+ { "ip_out_sw_cksum_bytes", KSTAT_DATA_UINT64 },
{ "ip_in_sw_cksum", KSTAT_DATA_UINT64 },
- { "ip_trash_ire_reclaim_calls", KSTAT_DATA_UINT64 },
- { "ip_trash_ire_reclaim_success", KSTAT_DATA_UINT64 },
- { "ip_ire_arp_timer_expired", KSTAT_DATA_UINT64 },
- { "ip_ire_redirect_timer_expired", KSTAT_DATA_UINT64 },
- { "ip_ire_pmtu_timer_expired", KSTAT_DATA_UINT64 },
- { "ip_input_multi_squeue", KSTAT_DATA_UINT64 },
+ { "ip_ire_reclaim_calls", KSTAT_DATA_UINT64 },
+ { "ip_ire_reclaim_deleted", KSTAT_DATA_UINT64 },
+ { "ip_nce_reclaim_calls", KSTAT_DATA_UINT64 },
+ { "ip_nce_reclaim_deleted", KSTAT_DATA_UINT64 },
+ { "ip_dce_reclaim_calls", KSTAT_DATA_UINT64 },
+ { "ip_dce_reclaim_deleted", KSTAT_DATA_UINT64 },
{ "ip_tcp_in_full_hw_cksum_err", KSTAT_DATA_UINT64 },
{ "ip_tcp_in_part_hw_cksum_err", KSTAT_DATA_UINT64 },
{ "ip_tcp_in_sw_cksum_err", KSTAT_DATA_UINT64 },
- { "ip_tcp_out_sw_cksum_bytes", KSTAT_DATA_UINT64 },
{ "ip_udp_in_full_hw_cksum_err", KSTAT_DATA_UINT64 },
{ "ip_udp_in_part_hw_cksum_err", KSTAT_DATA_UINT64 },
- { "ip_udp_in_sw_cksum_err", KSTAT_DATA_UINT64 },
- { "ip_udp_out_sw_cksum_bytes", KSTAT_DATA_UINT64 },
- { "ip_frag_mdt_pkt_out", KSTAT_DATA_UINT64 },
- { "ip_frag_mdt_discarded", KSTAT_DATA_UINT64 },
- { "ip_frag_mdt_allocfail", KSTAT_DATA_UINT64 },
- { "ip_frag_mdt_addpdescfail", KSTAT_DATA_UINT64 },
- { "ip_frag_mdt_allocd", KSTAT_DATA_UINT64 },
+ { "ip_udp_in_sw_cksum_err", KSTAT_DATA_UINT64 },
+ { "conn_in_recvdstaddr", KSTAT_DATA_UINT64 },
+ { "conn_in_recvopts", KSTAT_DATA_UINT64 },
+ { "conn_in_recvif", KSTAT_DATA_UINT64 },
+ { "conn_in_recvslla", KSTAT_DATA_UINT64 },
+ { "conn_in_recvucred", KSTAT_DATA_UINT64 },
+ { "conn_in_recvttl", KSTAT_DATA_UINT64 },
+ { "conn_in_recvhopopts", KSTAT_DATA_UINT64 },
+ { "conn_in_recvhoplimit", KSTAT_DATA_UINT64 },
+ { "conn_in_recvdstopts", KSTAT_DATA_UINT64 },
+ { "conn_in_recvrthdrdstopts", KSTAT_DATA_UINT64 },
+ { "conn_in_recvrthdr", KSTAT_DATA_UINT64 },
+ { "conn_in_recvpktinfo", KSTAT_DATA_UINT64 },
+ { "conn_in_recvtclass", KSTAT_DATA_UINT64 },
+ { "conn_in_timestamp", KSTAT_DATA_UINT64 },
};
ksp = kstat_create_netstack("ip", 0, "ipstat", "net",
@@ -29420,323 +14457,457 @@ icmp_kstat_update(kstat_t *kp, int rw)
* a port. This is assured in ipcl_sctp_hash_insert();
*/
void
-ip_fanout_sctp_raw(mblk_t *mp, ill_t *recv_ill, ipha_t *ipha, boolean_t isv4,
- uint32_t ports, boolean_t mctl_present, uint_t flags, boolean_t ip_policy,
- zoneid_t zoneid)
+ip_fanout_sctp_raw(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h, uint32_t ports,
+ ip_recv_attr_t *ira)
{
conn_t *connp;
queue_t *rq;
- mblk_t *first_mp;
boolean_t secure;
- ip6_t *ip6h;
- ip_stack_t *ipst = recv_ill->ill_ipst;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
sctp_stack_t *sctps = ipst->ips_netstack->netstack_sctp;
- boolean_t sctp_csum_err = B_FALSE;
+ iaflags_t iraflags = ira->ira_flags;
+ ill_t *rill = ira->ira_rill;
- if (flags & IP_FF_SCTP_CSUM_ERR) {
- sctp_csum_err = B_TRUE;
- flags &= ~IP_FF_SCTP_CSUM_ERR;
- }
+ secure = iraflags & IRAF_IPSEC_SECURE;
- first_mp = mp;
- if (mctl_present) {
- mp = first_mp->b_cont;
- secure = ipsec_in_is_secure(first_mp);
- ASSERT(mp != NULL);
- } else {
- secure = B_FALSE;
- }
- ip6h = (isv4) ? NULL : (ip6_t *)ipha;
-
- connp = ipcl_classify_raw(mp, IPPROTO_SCTP, zoneid, ports, ipha, ipst);
+ connp = ipcl_classify_raw(mp, IPPROTO_SCTP, ports, ipha, ip6h,
+ ira, ipst);
if (connp == NULL) {
/*
* Although raw sctp is not summed, OOB chunks must be.
* Drop the packet here if the sctp checksum failed.
*/
- if (sctp_csum_err) {
+ if (iraflags & IRAF_SCTP_CSUM_ERR) {
BUMP_MIB(&sctps->sctps_mib, sctpChecksumError);
- freemsg(first_mp);
+ freemsg(mp);
return;
}
- sctp_ootb_input(first_mp, recv_ill, zoneid, mctl_present);
+ ira->ira_ill = ira->ira_rill = NULL;
+ sctp_ootb_input(mp, ira, ipst);
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
return;
}
rq = connp->conn_rq;
- if (!canputnext(rq)) {
+ if (IPCL_IS_NONSTR(connp) ? connp->conn_flow_cntrld : !canputnext(rq)) {
CONN_DEC_REF(connp);
- BUMP_MIB(recv_ill->ill_ip_mib, rawipIfStatsInOverflows);
- freemsg(first_mp);
+ BUMP_MIB(ill->ill_ip_mib, rawipIfStatsInOverflows);
+ freemsg(mp);
return;
}
- if ((isv4 ? CONN_INBOUND_POLICY_PRESENT(connp, ipss) :
- CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss)) || secure) {
- first_mp = ipsec_check_inbound_policy(first_mp, connp,
- (isv4 ? ipha : NULL), ip6h, mctl_present);
- if (first_mp == NULL) {
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
+ if (((iraflags & IRAF_IS_IPV4) ?
+ CONN_INBOUND_POLICY_PRESENT(connp, ipss) :
+ CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss)) ||
+ secure) {
+ mp = ipsec_check_inbound_policy(mp, connp, ipha,
+ ip6h, ira);
+ if (mp == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ /* Note that mp is NULL */
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
CONN_DEC_REF(connp);
return;
}
}
- /*
- * We probably should not send M_CTL message up to
- * raw socket.
- */
- if (mctl_present)
- freeb(first_mp);
- /* Initiate IPPF processing here if needed. */
- if ((isv4 && IPP_ENABLED(IPP_LOCAL_IN, ipst) && ip_policy) ||
- (!isv4 && IP6_IN_IPP(flags, ipst))) {
- ip_process(IPP_LOCAL_IN, &mp,
- recv_ill->ill_phyint->phyint_ifindex);
- if (mp == NULL) {
- CONN_DEC_REF(connp);
- return;
- }
+ if (iraflags & IRAF_ICMP_ERROR) {
+ (connp->conn_recvicmp)(connp, mp, NULL, ira);
+ } else {
+ ill_t *rill = ira->ira_rill;
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ /* This is the SOCK_RAW, IPPROTO_SCTP case. */
+ ira->ira_ill = ira->ira_rill = NULL;
+ (connp->conn_recv)(connp, mp, NULL, ira);
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
}
+ CONN_DEC_REF(connp);
+}
- if (connp->conn_recvif || connp->conn_recvslla ||
- ((connp->conn_ip_recvpktinfo ||
- (!isv4 && IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src))) &&
- (flags & IP_FF_IPINFO))) {
- int in_flags = 0;
+/*
+ * Free a packet that has the link-layer dl_unitdata_req_t or fast-path
+ * header before the ip payload.
+ */
+static void
+ip_xmit_flowctl_drop(ill_t *ill, mblk_t *mp, boolean_t is_fp_mp, int fp_mp_len)
+{
+ int len = (mp->b_wptr - mp->b_rptr);
+ mblk_t *ip_mp;
- /*
- * Since sctp does not support IP_RECVPKTINFO for v4, only pass
- * IPF_RECVIF.
- */
- if (connp->conn_recvif || connp->conn_ip_recvpktinfo) {
- in_flags = IPF_RECVIF;
- }
- if (connp->conn_recvslla) {
- in_flags |= IPF_RECVSLLA;
- }
- if (isv4) {
- mp = ip_add_info(mp, recv_ill, in_flags,
- IPCL_ZONEID(connp), ipst);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ if (is_fp_mp || len != fp_mp_len) {
+ if (len > fp_mp_len) {
+ /*
+ * fastpath header and ip header in the first mblk
+ */
+ mp->b_rptr += fp_mp_len;
} else {
- mp = ip_add_info_v6(mp, recv_ill, &ip6h->ip6_dst);
- if (mp == NULL) {
- BUMP_MIB(recv_ill->ill_ip_mib,
- ipIfStatsInDiscards);
- CONN_DEC_REF(connp);
- return;
- }
+ /*
+ * ip_xmit_attach_llhdr had to prepend an mblk to
+ * attach the fastpath header before ip header.
+ */
+ ip_mp = mp->b_cont;
+ freeb(mp);
+ mp = ip_mp;
+ mp->b_rptr += (fp_mp_len - len);
}
+ } else {
+ ip_mp = mp->b_cont;
+ freeb(mp);
+ mp = ip_mp;
}
-
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsHCInDelivers);
- /*
- * We are sending the IPSEC_IN message also up. Refer
- * to comments above this function.
- * This is the SOCK_RAW, IPPROTO_SCTP case.
- */
- (connp->conn_recv)(connp, mp, NULL);
- CONN_DEC_REF(connp);
+ ip_drop_output("ipIfStatsOutDiscards - flow ctl", mp, ill);
+ freemsg(mp);
}
-#define UPDATE_IP_MIB_OB_COUNTERS(ill, len) \
-{ \
- BUMP_MIB((ill)->ill_ip_mib, ipIfStatsHCOutTransmits); \
- UPDATE_MIB((ill)->ill_ip_mib, ipIfStatsHCOutOctets, (len)); \
-}
/*
- * This function should be called only if all packet processing
- * including fragmentation is complete. Callers of this function
- * must set mp->b_prev to one of these values:
- * {0, IPP_FWD_OUT, IPP_LOCAL_OUT}
- * prior to handing over the mp as first argument to this function.
+ * Normal post fragmentation function.
+ *
+ * Send a packet using the passed in nce. This handles both IPv4 and IPv6
+ * using the same state machine.
*
- * If the ire passed by caller is incomplete, this function
+ * We return an error on failure. In particular we return EWOULDBLOCK
+ * when the driver flow controls. In that case this ensures that ip_wsrv runs
+ * (currently by canputnext failure resulting in backenabling from GLD.)
+ * This allows the callers of conn_ip_output() to use EWOULDBLOCK as an
+ * indication that they can flow control until ip_wsrv() tells then to restart.
+ *
+ * If the nce passed by caller is incomplete, this function
* queues the packet and if necessary, sends ARP request and bails.
- * If the ire passed is fully resolved, we simply prepend
+ * If the Neighbor Cache passed is fully resolved, we simply prepend
* the link-layer header to the packet, do ipsec hw acceleration
* work if necessary, and send the packet out on the wire.
- *
- * NOTE: IPsec will only call this function with fully resolved
- * ires if hw acceleration is involved.
- * TODO list :
- * a Handle M_MULTIDATA so that
- * tcp_multisend->tcp_multisend_data can
- * call ip_xmit_v4 directly
- * b Handle post-ARP work for fragments so that
- * ip_wput_frag can call this function.
*/
-ipxmit_state_t
-ip_xmit_v4(mblk_t *mp, ire_t *ire, ipsec_out_t *io,
- boolean_t flow_ctl_enabled, conn_t *connp)
+/* ARGSUSED6 */
+int
+ip_xmit(mblk_t *mp, nce_t *nce, iaflags_t ixaflags, uint_t pkt_len,
+ uint32_t xmit_hint, zoneid_t szone, zoneid_t nolzid, uintptr_t *ixacookie)
{
- nce_t *arpce;
- ipha_t *ipha;
- queue_t *q;
- int ill_index;
- mblk_t *nxt_mp, *first_mp;
- boolean_t xmit_drop = B_FALSE;
- ip_proc_t proc;
- ill_t *out_ill;
- int pkt_len;
+ queue_t *wq;
+ ill_t *ill = nce->nce_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ uint64_t delta;
+ boolean_t isv6 = ill->ill_isv6;
+ boolean_t fp_mp;
+ ncec_t *ncec = nce->nce_common;
- arpce = ire->ire_nce;
- ASSERT(arpce != NULL);
+ DTRACE_PROBE1(ip__xmit, nce_t *, nce);
- DTRACE_PROBE2(ip__xmit__v4, ire_t *, ire, nce_t *, arpce);
+ ASSERT(mp != NULL);
+ ASSERT(mp->b_datap->db_type == M_DATA);
+ ASSERT(pkt_len == msgdsize(mp));
- mutex_enter(&arpce->nce_lock);
- switch (arpce->nce_state) {
- case ND_REACHABLE:
- /* If there are other queued packets, queue this packet */
- if (arpce->nce_qd_mp != NULL) {
- if (mp != NULL)
- nce_queue_mp_common(arpce, mp, B_FALSE);
- mp = arpce->nce_qd_mp;
+ /*
+ * If we have already been here and are coming back after ARP/ND.
+ * the IXAF_NO_TRACE flag is set. We skip FW_HOOKS, DTRACE and ipobs
+ * in that case since they have seen the packet when it came here
+ * the first time.
+ */
+ if (ixaflags & IXAF_NO_TRACE)
+ goto sendit;
+
+ if (ixaflags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ ASSERT(!isv6);
+ ASSERT(pkt_len == ntohs(((ipha_t *)mp->b_rptr)->ipha_length));
+ if (HOOKS4_INTERESTED_PHYSICAL_OUT(ipst) &&
+ !(ixaflags & IXAF_NO_PFHOOK)) {
+ int error;
+
+ FW_HOOKS(ipst->ips_ip4_physical_out_event,
+ ipst->ips_ipv4firewall_physical_out,
+ NULL, ill, ipha, mp, mp, 0, ipst, error);
+ DTRACE_PROBE1(ip4__physical__out__end,
+ mblk_t *, mp);
+ if (mp == NULL)
+ return (error);
+
+ /* The length could have changed */
+ pkt_len = msgdsize(mp);
+ }
+ if (ipst->ips_ip4_observe.he_interested) {
+ /*
+ * Note that for TX the zoneid is the sending
+ * zone, whether or not MLP is in play.
+ * Since the szone argument is the IP zoneid (i.e.,
+ * zero for exclusive-IP zones) and ipobs wants
+ * the system zoneid, we map it here.
+ */
+ szone = IP_REAL_ZONEID(szone, ipst);
+
+ /*
+ * On the outbound path the destination zone will be
+ * unknown as we're sending this packet out on the
+ * wire.
+ */
+ ipobs_hook(mp, IPOBS_HOOK_OUTBOUND, szone, ALL_ZONES,
+ ill, ipst);
+ }
+ DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL,
+ void_ip_t *, ipha, __dtrace_ipsr_ill_t *, ill,
+ ipha_t *, ipha, ip6_t *, NULL, int, 0);
+ } else {
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+
+ ASSERT(isv6);
+ ASSERT(pkt_len ==
+ ntohs(((ip6_t *)mp->b_rptr)->ip6_plen) + IPV6_HDR_LEN);
+ if (HOOKS6_INTERESTED_PHYSICAL_OUT(ipst) &&
+ !(ixaflags & IXAF_NO_PFHOOK)) {
+ int error;
+
+ FW_HOOKS6(ipst->ips_ip6_physical_out_event,
+ ipst->ips_ipv6firewall_physical_out,
+ NULL, ill, ip6h, mp, mp, 0, ipst, error);
+ DTRACE_PROBE1(ip6__physical__out__end,
+ mblk_t *, mp);
+ if (mp == NULL)
+ return (error);
+
+ /* The length could have changed */
+ pkt_len = msgdsize(mp);
+ }
+ if (ipst->ips_ip6_observe.he_interested) {
+ /* See above */
+ szone = IP_REAL_ZONEID(szone, ipst);
+
+ ipobs_hook(mp, IPOBS_HOOK_OUTBOUND, szone, ALL_ZONES,
+ ill, ipst);
}
- arpce->nce_qd_mp = NULL;
- mutex_exit(&arpce->nce_lock);
+ DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL,
+ void_ip_t *, ip6h, __dtrace_ipsr_ill_t *, ill,
+ ipha_t *, NULL, ip6_t *, ip6h, int, 0);
+ }
+sendit:
+ /*
+ * We check the state without a lock because the state can never
+ * move "backwards" to initial or incomplete.
+ */
+ switch (ncec->ncec_state) {
+ case ND_REACHABLE:
+ case ND_STALE:
+ case ND_DELAY:
+ case ND_PROBE:
+ mp = ip_xmit_attach_llhdr(mp, nce);
+ if (mp == NULL) {
+ /*
+ * ip_xmit_attach_llhdr has increased
+ * ipIfStatsOutDiscards and called ip_drop_output()
+ */
+ return (ENOBUFS);
+ }
/*
- * Flush the queue. In the common case, where the
- * ARP is already resolved, it will go through the
- * while loop only once.
+ * check if nce_fastpath completed and we tagged on a
+ * copy of nce_fp_mp in ip_xmit_attach_llhdr().
*/
- while (mp != NULL) {
+ fp_mp = (mp->b_datap->db_type == M_DATA);
- nxt_mp = mp->b_next;
- mp->b_next = NULL;
- ASSERT(mp->b_datap->db_type != M_CTL);
- pkt_len = ntohs(((ipha_t *)mp->b_rptr)->ipha_length);
+ if (fp_mp &&
+ (ill->ill_capabilities & ILL_CAPAB_DLD_DIRECT)) {
+ ill_dld_direct_t *idd;
+
+ idd = &ill->ill_dld_capab->idc_direct;
/*
- * This info is needed for IPQOS to do COS marking
- * in ip_wput_attach_llhdr->ip_process.
+ * Send the packet directly to DLD, where it
+ * may be queued depending on the availability
+ * of transmit resources at the media layer.
+ * Return value should be taken into
+ * account and flow control the TCP.
*/
- proc = (ip_proc_t)(uintptr_t)mp->b_prev;
- mp->b_prev = NULL;
-
- /* set up ill index for outbound qos processing */
- out_ill = ire_to_ill(ire);
- ill_index = out_ill->ill_phyint->phyint_ifindex;
- first_mp = ip_wput_attach_llhdr(mp, ire, proc,
- ill_index, &ipha);
- if (first_mp == NULL) {
- xmit_drop = B_TRUE;
- BUMP_MIB(out_ill->ill_ip_mib,
- ipIfStatsOutDiscards);
- goto next_mp;
- }
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutTransmits);
+ UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutOctets,
+ pkt_len);
- /* non-ipsec hw accel case */
- if (io == NULL || !io->ipsec_out_accelerated) {
- /* send it */
- q = ire->ire_stq;
- if (proc == IPP_FWD_OUT) {
- UPDATE_IB_PKT_COUNT(ire);
- } else {
- UPDATE_OB_PKT_COUNT(ire);
- }
- ire->ire_last_used_time = lbolt;
+ if (ixaflags & IXAF_NO_DEV_FLOW_CTL) {
+ (void) idd->idd_tx_df(idd->idd_tx_dh, mp,
+ (uintptr_t)xmit_hint, IP_DROP_ON_NO_DESC);
+ } else {
+ uintptr_t cookie;
- if (flow_ctl_enabled || canputnext(q)) {
- if (proc == IPP_FWD_OUT) {
+ if ((cookie = idd->idd_tx_df(idd->idd_tx_dh,
+ mp, (uintptr_t)xmit_hint, 0)) != 0) {
+ if (ixacookie != NULL)
+ *ixacookie = cookie;
+ return (EWOULDBLOCK);
+ }
+ }
+ } else {
+ wq = ill->ill_wq;
+
+ if (!(ixaflags & IXAF_NO_DEV_FLOW_CTL) &&
+ !canputnext(wq)) {
+ if (ixacookie != NULL)
+ *ixacookie = 0;
+ ip_xmit_flowctl_drop(ill, mp, fp_mp,
+ nce->nce_fp_mp != NULL ?
+ MBLKL(nce->nce_fp_mp) : 0);
+ return (EWOULDBLOCK);
+ }
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutTransmits);
+ UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutOctets,
+ pkt_len);
+ putnext(wq, mp);
+ }
- BUMP_MIB(out_ill->ill_ip_mib,
- ipIfStatsHCOutForwDatagrams);
+ /*
+ * The rest of this function implements Neighbor Unreachability
+ * detection. Determine if the ncec is eligible for NUD.
+ */
+ if (ncec->ncec_flags & NCE_F_NONUD)
+ return (0);
- }
- UPDATE_IP_MIB_OB_COUNTERS(out_ill,
- pkt_len);
+ ASSERT(ncec->ncec_state != ND_INCOMPLETE);
- DTRACE_IP7(send, mblk_t *, first_mp,
- conn_t *, NULL, void_ip_t *, ipha,
- __dtrace_ipsr_ill_t *, out_ill,
- ipha_t *, ipha, ip6_t *, NULL, int,
- 0);
+ /*
+ * Check for upper layer advice
+ */
+ if (ixaflags & IXAF_REACH_CONF) {
+ timeout_id_t tid;
- ILL_SEND_TX(out_ill,
- ire, connp, first_mp, 0, connp);
- } else {
- BUMP_MIB(out_ill->ill_ip_mib,
- ipIfStatsOutDiscards);
- xmit_drop = B_TRUE;
- freemsg(first_mp);
+ /*
+ * It should be o.k. to check the state without
+ * a lock here, at most we lose an advice.
+ */
+ ncec->ncec_last = TICK_TO_MSEC(lbolt64);
+ if (ncec->ncec_state != ND_REACHABLE) {
+ mutex_enter(&ncec->ncec_lock);
+ ncec->ncec_state = ND_REACHABLE;
+ tid = ncec->ncec_timeout_id;
+ ncec->ncec_timeout_id = 0;
+ mutex_exit(&ncec->ncec_lock);
+ (void) untimeout(tid);
+ if (ip_debug > 2) {
+ /* ip1dbg */
+ pr_addr_dbg("ip_xmit: state"
+ " for %s changed to"
+ " REACHABLE\n", AF_INET6,
+ &ncec->ncec_addr);
}
- } else {
+ }
+ return (0);
+ }
+
+ delta = TICK_TO_MSEC(lbolt64) - ncec->ncec_last;
+ ip1dbg(("ip_xmit: delta = %" PRId64
+ " ill_reachable_time = %d \n", delta,
+ ill->ill_reachable_time));
+ if (delta > (uint64_t)ill->ill_reachable_time) {
+ mutex_enter(&ncec->ncec_lock);
+ switch (ncec->ncec_state) {
+ case ND_REACHABLE:
+ ASSERT((ncec->ncec_flags & NCE_F_NONUD) == 0);
+ /* FALLTHROUGH */
+ case ND_STALE:
/*
- * Safety Pup says: make sure this
- * is going to the right interface!
+ * ND_REACHABLE is identical to
+ * ND_STALE in this specific case. If
+ * reachable time has expired for this
+ * neighbor (delta is greater than
+ * reachable time), conceptually, the
+ * neighbor cache is no longer in
+ * REACHABLE state, but already in
+ * STALE state. So the correct
+ * transition here is to ND_DELAY.
*/
- ill_t *ill1 =
- (ill_t *)ire->ire_stq->q_ptr;
- int ifindex =
- ill1->ill_phyint->phyint_ifindex;
- if (ifindex !=
- io->ipsec_out_capab_ill_index) {
- xmit_drop = B_TRUE;
- freemsg(mp);
- } else {
- UPDATE_IP_MIB_OB_COUNTERS(ill1,
- pkt_len);
-
- DTRACE_IP7(send, mblk_t *, first_mp,
- conn_t *, NULL, void_ip_t *, ipha,
- __dtrace_ipsr_ill_t *, ill1,
- ipha_t *, ipha, ip6_t *, NULL,
- int, 0);
-
- ipsec_hw_putnext(ire->ire_stq, mp);
+ ncec->ncec_state = ND_DELAY;
+ mutex_exit(&ncec->ncec_lock);
+ nce_restart_timer(ncec,
+ ipst->ips_delay_first_probe_time);
+ if (ip_debug > 3) {
+ /* ip2dbg */
+ pr_addr_dbg("ip_xmit: state"
+ " for %s changed to"
+ " DELAY\n", AF_INET6,
+ &ncec->ncec_addr);
}
+ break;
+ case ND_DELAY:
+ case ND_PROBE:
+ mutex_exit(&ncec->ncec_lock);
+ /* Timers have already started */
+ break;
+ case ND_UNREACHABLE:
+ /*
+ * nce_timer has detected that this ncec
+ * is unreachable and initiated deleting
+ * this ncec.
+ * This is a harmless race where we found the
+ * ncec before it was deleted and have
+ * just sent out a packet using this
+ * unreachable ncec.
+ */
+ mutex_exit(&ncec->ncec_lock);
+ break;
+ default:
+ ASSERT(0);
+ mutex_exit(&ncec->ncec_lock);
}
-next_mp:
- mp = nxt_mp;
- } /* while (mp != NULL) */
- if (xmit_drop)
- return (SEND_FAILED);
- else
- return (SEND_PASSED);
+ }
+ return (0);
- case ND_INITIAL:
case ND_INCOMPLETE:
-
/*
- * While we do send off packets to dests that
- * use fully-resolved CGTP routes, we do not
- * handle unresolved CGTP routes.
+ * the state could have changed since we didn't hold the lock.
+ * Re-verify state under lock.
*/
- ASSERT(!(ire->ire_flags & RTF_MULTIRT));
- ASSERT(io == NULL || !io->ipsec_out_accelerated);
-
- if (mp != NULL) {
- /* queue the packet */
- nce_queue_mp_common(arpce, mp, B_FALSE);
+ mutex_enter(&ncec->ncec_lock);
+ if (NCE_ISREACHABLE(ncec)) {
+ mutex_exit(&ncec->ncec_lock);
+ goto sendit;
}
+ /* queue the packet */
+ nce_queue_mp(ncec, mp, ipmp_packet_is_probe(mp, nce->nce_ill));
+ mutex_exit(&ncec->ncec_lock);
+ DTRACE_PROBE2(ip__xmit__incomplete,
+ (ncec_t *), ncec, (mblk_t *), mp);
+ return (0);
- if (arpce->nce_state == ND_INCOMPLETE) {
- mutex_exit(&arpce->nce_lock);
- DTRACE_PROBE3(ip__xmit__incomplete,
- (ire_t *), ire, (mblk_t *), mp,
- (ipsec_out_t *), io);
- return (LOOKUP_IN_PROGRESS);
+ case ND_INITIAL:
+ /*
+ * State could have changed since we didn't hold the lock, so
+ * re-verify state.
+ */
+ mutex_enter(&ncec->ncec_lock);
+ if (NCE_ISREACHABLE(ncec)) {
+ mutex_exit(&ncec->ncec_lock);
+ goto sendit;
+ }
+ nce_queue_mp(ncec, mp, ipmp_packet_is_probe(mp, nce->nce_ill));
+ if (ncec->ncec_state == ND_INITIAL) {
+ ncec->ncec_state = ND_INCOMPLETE;
+ mutex_exit(&ncec->ncec_lock);
+ /*
+ * figure out the source we want to use
+ * and resolve it.
+ */
+ ip_ndp_resolve(ncec);
+ } else {
+ mutex_exit(&ncec->ncec_lock);
}
+ return (0);
- arpce->nce_state = ND_INCOMPLETE;
- mutex_exit(&arpce->nce_lock);
+ case ND_UNREACHABLE:
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - ND_UNREACHABLE",
+ mp, ill);
+ freemsg(mp);
+ return (0);
- /*
- * Note that ire_add() (called from ire_forward())
- * holds a ref on the ire until ARP is completed.
- */
- ire_arpresolve(ire);
- return (LOOKUP_IN_PROGRESS);
default:
ASSERT(0);
- mutex_exit(&arpce->nce_lock);
- return (LLHDR_RESLV_FAILED);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - ND_other",
+ mp, ill);
+ freemsg(mp);
+ return (ENETUNREACH);
}
}
-#undef UPDATE_IP_MIB_OB_COUNTERS
-
/*
* Return B_TRUE if the buffers differ in length or content.
* This is used for comparing extension header buffers.
@@ -29803,52 +14974,300 @@ ip_savebuf(void **dstp, uint_t *dstlenp, boolean_t src_valid,
}
/*
- * Free the storage pointed to by the members of an ip6_pkt_t.
+ * Free the storage pointed to by the members of an ip_pkt_t.
*/
void
-ip6_pkt_free(ip6_pkt_t *ipp)
+ip_pkt_free(ip_pkt_t *ipp)
{
- ASSERT(ipp->ipp_pathmtu == NULL && !(ipp->ipp_fields & IPPF_PATHMTU));
+ uint_t fields = ipp->ipp_fields;
- if (ipp->ipp_fields & IPPF_HOPOPTS) {
+ if (fields & IPPF_HOPOPTS) {
kmem_free(ipp->ipp_hopopts, ipp->ipp_hopoptslen);
ipp->ipp_hopopts = NULL;
ipp->ipp_hopoptslen = 0;
}
- if (ipp->ipp_fields & IPPF_RTDSTOPTS) {
- kmem_free(ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen);
- ipp->ipp_rtdstopts = NULL;
- ipp->ipp_rtdstoptslen = 0;
+ if (fields & IPPF_RTHDRDSTOPTS) {
+ kmem_free(ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen);
+ ipp->ipp_rthdrdstopts = NULL;
+ ipp->ipp_rthdrdstoptslen = 0;
}
- if (ipp->ipp_fields & IPPF_DSTOPTS) {
+ if (fields & IPPF_DSTOPTS) {
kmem_free(ipp->ipp_dstopts, ipp->ipp_dstoptslen);
ipp->ipp_dstopts = NULL;
ipp->ipp_dstoptslen = 0;
}
- if (ipp->ipp_fields & IPPF_RTHDR) {
+ if (fields & IPPF_RTHDR) {
kmem_free(ipp->ipp_rthdr, ipp->ipp_rthdrlen);
ipp->ipp_rthdr = NULL;
ipp->ipp_rthdrlen = 0;
}
- ipp->ipp_fields &= ~(IPPF_HOPOPTS | IPPF_RTDSTOPTS | IPPF_DSTOPTS |
- IPPF_RTHDR);
+ if (fields & IPPF_IPV4_OPTIONS) {
+ kmem_free(ipp->ipp_ipv4_options, ipp->ipp_ipv4_options_len);
+ ipp->ipp_ipv4_options = NULL;
+ ipp->ipp_ipv4_options_len = 0;
+ }
+ if (fields & IPPF_LABEL_V4) {
+ kmem_free(ipp->ipp_label_v4, ipp->ipp_label_len_v4);
+ ipp->ipp_label_v4 = NULL;
+ ipp->ipp_label_len_v4 = 0;
+ }
+ if (fields & IPPF_LABEL_V6) {
+ kmem_free(ipp->ipp_label_v6, ipp->ipp_label_len_v6);
+ ipp->ipp_label_v6 = NULL;
+ ipp->ipp_label_len_v6 = 0;
+ }
+ ipp->ipp_fields &= ~(IPPF_HOPOPTS | IPPF_RTHDRDSTOPTS | IPPF_DSTOPTS |
+ IPPF_RTHDR | IPPF_IPV4_OPTIONS | IPPF_LABEL_V4 | IPPF_LABEL_V6);
+}
+
+/*
+ * Copy from src to dst and allocate as needed.
+ * Returns zero or ENOMEM.
+ *
+ * The caller must initialize dst to zero.
+ */
+int
+ip_pkt_copy(ip_pkt_t *src, ip_pkt_t *dst, int kmflag)
+{
+ uint_t fields = src->ipp_fields;
+
+ /* Start with fields that don't require memory allocation */
+ dst->ipp_fields = fields &
+ ~(IPPF_HOPOPTS | IPPF_RTHDRDSTOPTS | IPPF_DSTOPTS |
+ IPPF_RTHDR | IPPF_IPV4_OPTIONS | IPPF_LABEL_V4 | IPPF_LABEL_V6);
+
+ dst->ipp_addr = src->ipp_addr;
+ dst->ipp_unicast_hops = src->ipp_unicast_hops;
+ dst->ipp_hoplimit = src->ipp_hoplimit;
+ dst->ipp_tclass = src->ipp_tclass;
+ dst->ipp_type_of_service = src->ipp_type_of_service;
+
+ if (fields & IPPF_HOPOPTS) {
+ dst->ipp_hopopts = kmem_alloc(src->ipp_hopoptslen, kmflag);
+ if (dst->ipp_hopopts == NULL) {
+ ip_pkt_free(dst);
+ return (ENOMEM);
+ }
+ dst->ipp_fields |= IPPF_HOPOPTS;
+ bcopy(src->ipp_hopopts, dst->ipp_hopopts,
+ src->ipp_hopoptslen);
+ dst->ipp_hopoptslen = src->ipp_hopoptslen;
+ }
+ if (fields & IPPF_RTHDRDSTOPTS) {
+ dst->ipp_rthdrdstopts = kmem_alloc(src->ipp_rthdrdstoptslen,
+ kmflag);
+ if (dst->ipp_rthdrdstopts == NULL) {
+ ip_pkt_free(dst);
+ return (ENOMEM);
+ }
+ dst->ipp_fields |= IPPF_RTHDRDSTOPTS;
+ bcopy(src->ipp_rthdrdstopts, dst->ipp_rthdrdstopts,
+ src->ipp_rthdrdstoptslen);
+ dst->ipp_rthdrdstoptslen = src->ipp_rthdrdstoptslen;
+ }
+ if (fields & IPPF_DSTOPTS) {
+ dst->ipp_dstopts = kmem_alloc(src->ipp_dstoptslen, kmflag);
+ if (dst->ipp_dstopts == NULL) {
+ ip_pkt_free(dst);
+ return (ENOMEM);
+ }
+ dst->ipp_fields |= IPPF_DSTOPTS;
+ bcopy(src->ipp_dstopts, dst->ipp_dstopts,
+ src->ipp_dstoptslen);
+ dst->ipp_dstoptslen = src->ipp_dstoptslen;
+ }
+ if (fields & IPPF_RTHDR) {
+ dst->ipp_rthdr = kmem_alloc(src->ipp_rthdrlen, kmflag);
+ if (dst->ipp_rthdr == NULL) {
+ ip_pkt_free(dst);
+ return (ENOMEM);
+ }
+ dst->ipp_fields |= IPPF_RTHDR;
+ bcopy(src->ipp_rthdr, dst->ipp_rthdr,
+ src->ipp_rthdrlen);
+ dst->ipp_rthdrlen = src->ipp_rthdrlen;
+ }
+ if (fields & IPPF_IPV4_OPTIONS) {
+ dst->ipp_ipv4_options = kmem_alloc(src->ipp_ipv4_options_len,
+ kmflag);
+ if (dst->ipp_ipv4_options == NULL) {
+ ip_pkt_free(dst);
+ return (ENOMEM);
+ }
+ dst->ipp_fields |= IPPF_IPV4_OPTIONS;
+ bcopy(src->ipp_ipv4_options, dst->ipp_ipv4_options,
+ src->ipp_ipv4_options_len);
+ dst->ipp_ipv4_options_len = src->ipp_ipv4_options_len;
+ }
+ if (fields & IPPF_LABEL_V4) {
+ dst->ipp_label_v4 = kmem_alloc(src->ipp_label_len_v4, kmflag);
+ if (dst->ipp_label_v4 == NULL) {
+ ip_pkt_free(dst);
+ return (ENOMEM);
+ }
+ dst->ipp_fields |= IPPF_LABEL_V4;
+ bcopy(src->ipp_label_v4, dst->ipp_label_v4,
+ src->ipp_label_len_v4);
+ dst->ipp_label_len_v4 = src->ipp_label_len_v4;
+ }
+ if (fields & IPPF_LABEL_V6) {
+ dst->ipp_label_v6 = kmem_alloc(src->ipp_label_len_v6, kmflag);
+ if (dst->ipp_label_v6 == NULL) {
+ ip_pkt_free(dst);
+ return (ENOMEM);
+ }
+ dst->ipp_fields |= IPPF_LABEL_V6;
+ bcopy(src->ipp_label_v6, dst->ipp_label_v6,
+ src->ipp_label_len_v6);
+ dst->ipp_label_len_v6 = src->ipp_label_len_v6;
+ }
+ if (fields & IPPF_FRAGHDR) {
+ dst->ipp_fraghdr = kmem_alloc(src->ipp_fraghdrlen, kmflag);
+ if (dst->ipp_fraghdr == NULL) {
+ ip_pkt_free(dst);
+ return (ENOMEM);
+ }
+ dst->ipp_fields |= IPPF_FRAGHDR;
+ bcopy(src->ipp_fraghdr, dst->ipp_fraghdr,
+ src->ipp_fraghdrlen);
+ dst->ipp_fraghdrlen = src->ipp_fraghdrlen;
+ }
+ return (0);
+}
+
+/*
+ * Returns INADDR_ANY if no source route
+ */
+ipaddr_t
+ip_pkt_source_route_v4(const ip_pkt_t *ipp)
+{
+ ipaddr_t nexthop = INADDR_ANY;
+ ipoptp_t opts;
+ uchar_t *opt;
+ uint8_t optval;
+ uint8_t optlen;
+ uint32_t totallen;
+
+ if (!(ipp->ipp_fields & IPPF_IPV4_OPTIONS))
+ return (INADDR_ANY);
+
+ totallen = ipp->ipp_ipv4_options_len;
+ if (totallen & 0x3)
+ return (INADDR_ANY);
+
+ for (optval = ipoptp_first2(&opts, totallen, ipp->ipp_ipv4_options);
+ optval != IPOPT_EOL;
+ optval = ipoptp_next(&opts)) {
+ opt = opts.ipoptp_cur;
+ switch (optval) {
+ uint8_t off;
+ case IPOPT_SSRR:
+ case IPOPT_LSRR:
+ if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
+ break;
+ }
+ optlen = opts.ipoptp_len;
+ off = opt[IPOPT_OFFSET];
+ off--;
+ if (optlen < IP_ADDR_LEN ||
+ off > optlen - IP_ADDR_LEN) {
+ /* End of source route */
+ break;
+ }
+ bcopy((char *)opt + off, &nexthop, IP_ADDR_LEN);
+ if (nexthop == htonl(INADDR_LOOPBACK)) {
+ /* Ignore */
+ nexthop = INADDR_ANY;
+ break;
+ }
+ break;
+ }
+ }
+ return (nexthop);
+}
+
+/*
+ * Reverse a source route.
+ */
+void
+ip_pkt_source_route_reverse_v4(ip_pkt_t *ipp)
+{
+ ipaddr_t tmp;
+ ipoptp_t opts;
+ uchar_t *opt;
+ uint8_t optval;
+ uint32_t totallen;
+
+ if (!(ipp->ipp_fields & IPPF_IPV4_OPTIONS))
+ return;
+
+ totallen = ipp->ipp_ipv4_options_len;
+ if (totallen & 0x3)
+ return;
+
+ for (optval = ipoptp_first2(&opts, totallen, ipp->ipp_ipv4_options);
+ optval != IPOPT_EOL;
+ optval = ipoptp_next(&opts)) {
+ uint8_t off1, off2;
+
+ opt = opts.ipoptp_cur;
+ switch (optval) {
+ case IPOPT_SSRR:
+ case IPOPT_LSRR:
+ if ((opts.ipoptp_flags & IPOPTP_ERROR) != 0) {
+ break;
+ }
+ off1 = IPOPT_MINOFF_SR - 1;
+ off2 = opt[IPOPT_OFFSET] - IP_ADDR_LEN - 1;
+ while (off2 > off1) {
+ bcopy(opt + off2, &tmp, IP_ADDR_LEN);
+ bcopy(opt + off1, opt + off2, IP_ADDR_LEN);
+ bcopy(&tmp, opt + off2, IP_ADDR_LEN);
+ off2 -= IP_ADDR_LEN;
+ off1 += IP_ADDR_LEN;
+ }
+ opt[IPOPT_OFFSET] = IPOPT_MINOFF_SR;
+ break;
+ }
+ }
+}
+
+/*
+ * Returns NULL if no routing header
+ */
+in6_addr_t *
+ip_pkt_source_route_v6(const ip_pkt_t *ipp)
+{
+ in6_addr_t *nexthop = NULL;
+ ip6_rthdr0_t *rthdr;
+
+ if (!(ipp->ipp_fields & IPPF_RTHDR))
+ return (NULL);
+
+ rthdr = (ip6_rthdr0_t *)ipp->ipp_rthdr;
+ if (rthdr->ip6r0_segleft == 0)
+ return (NULL);
+
+ nexthop = (in6_addr_t *)((char *)rthdr + sizeof (*rthdr));
+ return (nexthop);
}
zoneid_t
-ip_get_zoneid_v4(ipaddr_t addr, mblk_t *mp, ip_stack_t *ipst,
+ip_get_zoneid_v4(ipaddr_t addr, mblk_t *mp, ip_recv_attr_t *ira,
zoneid_t lookup_zoneid)
{
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
ire_t *ire;
int ire_flags = MATCH_IRE_TYPE;
zoneid_t zoneid = ALL_ZONES;
- if (is_system_labeled() && !tsol_can_accept_raw(mp, B_FALSE))
+ if (is_system_labeled() && !tsol_can_accept_raw(mp, ira, B_FALSE))
return (ALL_ZONES);
if (lookup_zoneid != ALL_ZONES)
ire_flags |= MATCH_IRE_ZONEONLY;
- ire = ire_ctable_lookup(addr, NULL, IRE_LOCAL | IRE_LOOPBACK, NULL,
- lookup_zoneid, NULL, ire_flags, ipst);
+ ire = ire_ftable_lookup_v4(addr, NULL, NULL, IRE_LOCAL | IRE_LOOPBACK,
+ NULL, lookup_zoneid, NULL, ire_flags, 0, ipst, NULL);
if (ire != NULL) {
zoneid = IP_REAL_ZONEID(ire->ire_zoneid, ipst);
ire_refrele(ire);
@@ -29858,24 +15277,23 @@ ip_get_zoneid_v4(ipaddr_t addr, mblk_t *mp, ip_stack_t *ipst,
zoneid_t
ip_get_zoneid_v6(in6_addr_t *addr, mblk_t *mp, const ill_t *ill,
- ip_stack_t *ipst, zoneid_t lookup_zoneid)
+ ip_recv_attr_t *ira, zoneid_t lookup_zoneid)
{
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
ire_t *ire;
int ire_flags = MATCH_IRE_TYPE;
zoneid_t zoneid = ALL_ZONES;
- ipif_t *ipif_arg = NULL;
- if (is_system_labeled() && !tsol_can_accept_raw(mp, B_FALSE))
+ if (is_system_labeled() && !tsol_can_accept_raw(mp, ira, B_FALSE))
return (ALL_ZONES);
- if (IN6_IS_ADDR_LINKLOCAL(addr)) {
+ if (IN6_IS_ADDR_LINKLOCAL(addr))
ire_flags |= MATCH_IRE_ILL;
- ipif_arg = ill->ill_ipif;
- }
+
if (lookup_zoneid != ALL_ZONES)
ire_flags |= MATCH_IRE_ZONEONLY;
- ire = ire_ctable_lookup_v6(addr, NULL, IRE_LOCAL | IRE_LOOPBACK,
- ipif_arg, lookup_zoneid, NULL, ire_flags, ipst);
+ ire = ire_ftable_lookup_v6(addr, NULL, NULL, IRE_LOCAL | IRE_LOOPBACK,
+ ill, lookup_zoneid, NULL, ire_flags, 0, ipst, NULL);
if (ire != NULL) {
zoneid = IP_REAL_ZONEID(ire->ire_zoneid, ipst);
ire_refrele(ire);
@@ -29964,3 +15382,29 @@ ipobs_hook(mblk_t *mp, int htype, zoneid_t zsrc, zoneid_t zdst,
imp->b_cont = NULL;
freemsg(imp);
}
+
+/*
+ * Utility routine that checks if `v4srcp' is a valid address on underlying
+ * interface `ill'. If `ipifp' is non-NULL, it's set to a held ipif
+ * associated with `v4srcp' on success. NOTE: if this is not called from
+ * inside the IPSQ (ill_g_lock is not held), `ill' may be removed from the
+ * group during or after this lookup.
+ */
+boolean_t
+ipif_lookup_testaddr_v4(ill_t *ill, const in_addr_t *v4srcp, ipif_t **ipifp)
+{
+ ipif_t *ipif;
+
+ ipif = ipif_lookup_addr_exact(*v4srcp, ill, ill->ill_ipst);
+ if (ipif != NULL) {
+ if (ipifp != NULL)
+ *ipifp = ipif;
+ else
+ ipif_refrele(ipif);
+ return (B_TRUE);
+ }
+
+ ip1dbg(("ipif_lookup_testaddr_v4: cannot find ipif for src %x\n",
+ *v4srcp));
+ return (B_FALSE);
+}
diff --git a/usr/src/uts/common/inet/ip/ip2mac.c b/usr/src/uts/common/inet/ip/ip2mac.c
index e232a5bb63..55a17f762a 100644
--- a/usr/src/uts/common/inet/ip/ip2mac.c
+++ b/usr/src/uts/common/inet/ip/ip2mac.c
@@ -18,6 +18,7 @@
*
* CDDL HEADER END
*/
+
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
@@ -29,7 +30,6 @@
#include <inet/ip2mac.h>
#include <inet/ip2mac_impl.h>
#include <sys/zone.h>
-#include <sys/dlpi.h>
#include <inet/ip_ndp.h>
#include <inet/ip_if.h>
#include <inet/ip6.h>
@@ -38,18 +38,18 @@
* dispatch pending callbacks.
*/
void
-nce_cb_dispatch(nce_t *nce)
+ncec_cb_dispatch(ncec_t *ncec)
{
- nce_cb_t *nce_cb = list_head(&nce->nce_cb);
+ ncec_cb_t *ncec_cb;
ip2mac_t ip2m;
- mutex_enter(&nce->nce_lock);
- if (list_is_empty(&nce->nce_cb)) {
- mutex_exit(&nce->nce_lock);
+ mutex_enter(&ncec->ncec_lock);
+ if (list_is_empty(&ncec->ncec_cb)) {
+ mutex_exit(&ncec->ncec_lock);
return;
}
- nce_ip2mac_response(&ip2m, nce);
- nce_cb_refhold_locked(nce);
+ ncec_ip2mac_response(&ip2m, ncec);
+ ncec_cb_refhold_locked(ncec);
/*
* IP does not hold internal locks like nce_lock across calls to
* other subsystems for fear of recursive lock entry and lock
@@ -58,75 +58,82 @@ nce_cb_dispatch(nce_t *nce)
* across calls into another subsystem, especially if calls can
* happen in either direction).
*/
- nce_cb = list_head(&nce->nce_cb);
- for (; nce_cb != NULL; nce_cb = list_next(&nce->nce_cb, nce_cb)) {
- if (nce_cb->nce_cb_flags & NCE_CB_DISPATCHED)
+ ncec_cb = list_head(&ncec->ncec_cb);
+ for (; ncec_cb != NULL; ncec_cb = list_next(&ncec->ncec_cb, ncec_cb)) {
+ if (ncec_cb->ncec_cb_flags & NCE_CB_DISPATCHED)
continue;
- nce_cb->nce_cb_flags |= NCE_CB_DISPATCHED;
- mutex_exit(&nce->nce_lock);
- (*nce_cb->nce_cb_func)(&ip2m, nce_cb->nce_cb_arg);
- mutex_enter(&nce->nce_lock);
+ ncec_cb->ncec_cb_flags |= NCE_CB_DISPATCHED;
+ mutex_exit(&ncec->ncec_lock);
+ (*ncec_cb->ncec_cb_func)(&ip2m, ncec_cb->ncec_cb_arg);
+ mutex_enter(&ncec->ncec_lock);
}
- nce_cb_refrele(nce);
- mutex_exit(&nce->nce_lock);
+ ncec_cb_refrele(ncec);
+ mutex_exit(&ncec->ncec_lock);
}
/*
* fill up the ip2m response fields with inforamation from the nce.
*/
void
-nce_ip2mac_response(ip2mac_t *ip2m, nce_t *nce)
+ncec_ip2mac_response(ip2mac_t *ip2m, ncec_t *ncec)
{
- boolean_t isv6 = (nce->nce_ipversion == IPV6_VERSION);
+ boolean_t isv6 = (ncec->ncec_ipversion == IPV6_VERSION);
+ sin_t *sin;
sin6_t *sin6;
struct sockaddr_dl *sdl;
- uchar_t *nce_lladdr;
- ASSERT(MUTEX_HELD(&nce->nce_lock));
+ ASSERT(MUTEX_HELD(&ncec->ncec_lock));
bzero(ip2m, sizeof (*ip2m));
- if (NCE_ISREACHABLE(nce) && (nce->nce_flags & NCE_F_CONDEMNED) == 0)
+ if (NCE_ISREACHABLE(ncec) && !NCE_ISCONDEMNED(ncec))
ip2m->ip2mac_err = 0;
else
ip2m->ip2mac_err = ESRCH;
if (isv6) {
sin6 = (sin6_t *)&ip2m->ip2mac_pa;
sin6->sin6_family = AF_INET6;
- sin6->sin6_addr = nce->nce_addr;
+ sin6->sin6_addr = ncec->ncec_addr;
+ } else {
+ sin = (sin_t *)&ip2m->ip2mac_pa;
+ sin->sin_family = AF_INET;
+ IN6_V4MAPPED_TO_INADDR(&ncec->ncec_addr, &sin->sin_addr);
}
if (ip2m->ip2mac_err == 0) {
sdl = &ip2m->ip2mac_ha;
sdl->sdl_family = AF_LINK;
- sdl->sdl_type = nce->nce_ill->ill_type;
+ sdl->sdl_type = ncec->ncec_ill->ill_type;
+ /*
+ * should we put ncec_ill->ill_name in there? why?
+ * likewise for the sdl_index
+ */
sdl->sdl_nlen = 0;
- sdl->sdl_alen = nce->nce_ill->ill_phys_addr_length;
- nce_lladdr = nce->nce_res_mp->b_rptr +
- NCE_LL_ADDR_OFFSET(nce->nce_ill);
- bcopy(nce_lladdr, LLADDR(sdl), sdl->sdl_alen);
+ sdl->sdl_alen = ncec->ncec_ill->ill_phys_addr_length;
+ if (ncec->ncec_lladdr != NULL)
+ bcopy(ncec->ncec_lladdr, LLADDR(sdl), sdl->sdl_alen);
}
}
void
-nce_cb_refhold_locked(nce_t *nce)
+ncec_cb_refhold_locked(ncec_t *ncec)
{
- ASSERT(MUTEX_HELD(&nce->nce_lock));
- nce->nce_cb_walker_cnt++;
+ ASSERT(MUTEX_HELD(&ncec->ncec_lock));
+ ncec->ncec_cb_walker_cnt++;
}
void
-nce_cb_refrele(nce_t *nce)
+ncec_cb_refrele(ncec_t *ncec)
{
- nce_cb_t *nce_cb, *nce_cb_next = NULL;
+ ncec_cb_t *ncec_cb, *ncec_cb_next = NULL;
- ASSERT(MUTEX_HELD(&nce->nce_lock));
- if (--nce->nce_cb_walker_cnt == 0) {
- for (nce_cb = list_head(&nce->nce_cb); nce_cb != NULL;
- nce_cb = nce_cb_next) {
+ ASSERT(MUTEX_HELD(&ncec->ncec_lock));
+ if (--ncec->ncec_cb_walker_cnt == 0) {
+ for (ncec_cb = list_head(&ncec->ncec_cb); ncec_cb != NULL;
+ ncec_cb = ncec_cb_next) {
- nce_cb_next = list_next(&nce->nce_cb, nce_cb);
- if ((nce_cb->nce_cb_flags & NCE_CB_DISPATCHED) == 0)
+ ncec_cb_next = list_next(&ncec->ncec_cb, ncec_cb);
+ if ((ncec_cb->ncec_cb_flags & NCE_CB_DISPATCHED) == 0)
continue;
- list_remove(&nce->nce_cb, nce_cb);
- kmem_free(nce_cb, sizeof (*nce_cb));
+ list_remove(&ncec->ncec_cb, ncec_cb);
+ kmem_free(ncec_cb, sizeof (*ncec_cb));
}
}
}
@@ -136,25 +143,25 @@ nce_cb_refrele(nce_t *nce)
* after address resolution succeeds/fails.
*/
static ip2mac_id_t
-nce_add_cb(nce_t *nce, ip2mac_callback_t *cb, void *cbarg)
+ncec_add_cb(ncec_t *ncec, ip2mac_callback_t *cb, void *cbarg)
{
- nce_cb_t *nce_cb;
+ ncec_cb_t *nce_cb;
ip2mac_id_t ip2mid = NULL;
- ASSERT(MUTEX_HELD(&nce->nce_lock));
+ ASSERT(MUTEX_HELD(&ncec->ncec_lock));
if ((nce_cb = kmem_zalloc(sizeof (*nce_cb), KM_NOSLEEP)) == NULL)
return (ip2mid);
- nce_cb->nce_cb_func = cb;
- nce_cb->nce_cb_arg = cbarg;
+ nce_cb->ncec_cb_func = cb;
+ nce_cb->ncec_cb_arg = cbarg;
/*
- * We identify the nce_cb_t during cancellation by the address
+ * We identify the ncec_cb_t during cancellation by the address
* of the nce_cb_t itself, and, as a short-cut for eliminating
- * clear mismatches, only look in the callback list of nce's
+ * clear mismatches, only look in the callback list of ncec's
* whose address is equal to the nce_cb_id.
*/
- nce_cb->nce_cb_id = nce; /* no refs! just an address */
- list_insert_tail(&nce->nce_cb, nce_cb);
- ip2mid = nce; /* this is the id to be used in ip2mac_cancel */
+ nce_cb->ncec_cb_id = ncec; /* no refs! just an address */
+ list_insert_tail(&ncec->ncec_cb, nce_cb);
+ ip2mid = ncec; /* this is the id to be used in ip2mac_cancel */
return (nce_cb);
}
@@ -167,29 +174,24 @@ nce_add_cb(nce_t *nce, ip2mac_callback_t *cb, void *cbarg)
* the resolution completes.
*/
ip2mac_id_t
-ip2mac(uint_t flags, ip2mac_t *ip2m, ip2mac_callback_t *cb, void *cbarg,
+ip2mac(uint_t op, ip2mac_t *ip2m, ip2mac_callback_t *cb, void *cbarg,
zoneid_t zoneid)
{
- nce_t *nce;
+ ncec_t *ncec;
+ nce_t *nce = NULL;
boolean_t isv6;
ill_t *ill;
netstack_t *ns;
ip_stack_t *ipst;
ip2mac_id_t ip2mid = NULL;
+ sin_t *sin;
sin6_t *sin6;
int err;
uint64_t delta;
+ boolean_t need_resolve = B_FALSE;
isv6 = (ip2m->ip2mac_pa.ss_family == AF_INET6);
- if (!isv6) {
- /*
- * IPv4 is not currently supported.
- */
- ip2m->ip2mac_err = ENOTSUP;
- return (NULL);
- }
-
ns = netstack_find_by_zoneid(zoneid);
if (ns == NULL) {
ip2m->ip2mac_err = EINVAL;
@@ -205,8 +207,7 @@ ip2mac(uint_t flags, ip2mac_t *ip2m, ip2mac_callback_t *cb, void *cbarg,
/*
* find the ill from the ip2m->ip2mac_ifindex
*/
- ill = ill_lookup_on_ifindex(ip2m->ip2mac_ifindex, isv6, NULL,
- NULL, NULL, NULL, ipst);
+ ill = ill_lookup_on_ifindex(ip2m->ip2mac_ifindex, isv6, ipst);
if (ill == NULL) {
ip2m->ip2mac_err = ENXIO;
netstack_rele(ns);
@@ -214,32 +215,39 @@ ip2mac(uint_t flags, ip2mac_t *ip2m, ip2mac_callback_t *cb, void *cbarg,
}
if (isv6) {
sin6 = (sin6_t *)&ip2m->ip2mac_pa;
- if (flags == IP2MAC_LOOKUP) {
- nce = ndp_lookup_v6(ill, B_FALSE, &sin6->sin6_addr,
- B_FALSE);
+ if (op == IP2MAC_LOOKUP) {
+ nce = nce_lookup_v6(ill, &sin6->sin6_addr);
} else {
- err = ndp_lookup_then_add_v6(ill, B_FALSE, NULL,
- &sin6->sin6_addr, &ipv6_all_ones, &ipv6_all_zeros,
- 0, 0, ND_INCOMPLETE, &nce);
+ err = nce_lookup_then_add_v6(ill, NULL,
+ ill->ill_phys_addr_length,
+ &sin6->sin6_addr, 0, ND_UNCHANGED, &nce);
}
} else {
- ip2m->ip2mac_err = ENOTSUP; /* yet. */
- goto done;
+ sin = (sin_t *)&ip2m->ip2mac_pa;
+ if (op == IP2MAC_LOOKUP) {
+ nce = nce_lookup_v4(ill, &sin->sin_addr.s_addr);
+ } else {
+ err = nce_lookup_then_add_v4(ill, NULL,
+ ill->ill_phys_addr_length,
+ &sin->sin_addr.s_addr, 0, ND_UNCHANGED, &nce);
+ }
}
- if (flags == IP2MAC_LOOKUP) {
+ if (op == IP2MAC_LOOKUP) {
if (nce == NULL) {
ip2m->ip2mac_err = ESRCH;
goto done;
}
- mutex_enter(&nce->nce_lock);
- if (NCE_ISREACHABLE(nce)) {
- nce_ip2mac_response(ip2m, nce);
+ ncec = nce->nce_common;
+ delta = TICK_TO_MSEC(lbolt64) - ncec->ncec_last;
+ mutex_enter(&ncec->ncec_lock);
+ if (NCE_ISREACHABLE(ncec) &&
+ delta < (uint64_t)ill->ill_reachable_time) {
+ ncec_ip2mac_response(ip2m, ncec);
ip2m->ip2mac_err = 0;
} else {
ip2m->ip2mac_err = ESRCH;
}
- mutex_exit(&nce->nce_lock);
- NCE_REFRELE(nce);
+ mutex_exit(&ncec->ncec_lock);
goto done;
} else {
if (err != 0 && err != EEXIST) {
@@ -247,13 +255,20 @@ ip2mac(uint_t flags, ip2mac_t *ip2m, ip2mac_callback_t *cb, void *cbarg,
goto done;
}
}
- delta = TICK_TO_MSEC(lbolt64) - nce->nce_last;
- mutex_enter(&nce->nce_lock);
- if (nce->nce_flags & NCE_F_CONDEMNED) {
+ ncec = nce->nce_common;
+ delta = TICK_TO_MSEC(lbolt64) - ncec->ncec_last;
+ mutex_enter(&ncec->ncec_lock);
+ if (NCE_ISCONDEMNED(ncec)) {
ip2m->ip2mac_err = ESRCH;
- } else if (!NCE_ISREACHABLE(nce) ||
- delta > (uint64_t)ill->ill_reachable_time) {
- if (NCE_ISREACHABLE(nce)) {
+ } else {
+ if (NCE_ISREACHABLE(ncec)) {
+ if (NCE_MYADDR(ncec) ||
+ delta < (uint64_t)ill->ill_reachable_time) {
+ ncec_ip2mac_response(ip2m, ncec);
+ ip2m->ip2mac_err = 0;
+ mutex_exit(&ncec->ncec_lock);
+ goto done;
+ }
/*
* Since we do not control the packet output
* path for ip2mac() callers, we need to verify
@@ -268,39 +283,48 @@ ip2mac(uint_t flags, ip2mac_t *ip2m, ip2mac_callback_t *cb, void *cbarg,
* so that we can return the stale information but
* also update the caller if the lladdr changes.
*/
- nce->nce_rcnt = ill->ill_xmit_count;
- nce->nce_state = ND_PROBE;
- err = 0; /* treat this nce as a new one */
+ ncec->ncec_rcnt = ill->ill_xmit_count;
+ ncec->ncec_state = ND_PROBE;
+ need_resolve = B_TRUE; /* reachable but very old nce */
+ } else if (ncec->ncec_state == ND_INITIAL) {
+ need_resolve = B_TRUE; /* ND_INITIAL nce */
+ ncec->ncec_state = ND_INCOMPLETE;
}
- if (nce->nce_rcnt > 0) {
+ /*
+ * NCE not known to be reachable in the recent past. We must
+ * reconfirm the information before returning it to the caller
+ */
+ if (ncec->ncec_rcnt > 0) {
/*
- * Still resolving this nce, so we can
- * queue the callback information in nce->nce_cb
+ * Still resolving this ncec, so we can queue the
+ * callback information in ncec->ncec_cb
*/
- ip2mid = nce_add_cb(nce, cb, cbarg);
+ ip2mid = ncec_add_cb(ncec, cb, cbarg);
ip2m->ip2mac_err = EINPROGRESS;
} else {
/*
- * Resolution failed.
+ * No more retransmits allowed -- resolution failed.
*/
ip2m->ip2mac_err = ESRCH;
}
- } else {
- nce_ip2mac_response(ip2m, nce);
- ip2m->ip2mac_err = 0;
}
- if (ip2m->ip2mac_err == EINPROGRESS && err != EEXIST)
- ip_ndp_resolve(nce);
- mutex_exit(&nce->nce_lock);
- NCE_REFRELE(nce);
+ mutex_exit(&ncec->ncec_lock);
done:
+ /*
+ * if NCE_ISREACHABLE(ncec) but very old, or if it is ND_INITIAL,
+ * trigger resolve.
+ */
+ if (need_resolve)
+ ip_ndp_resolve(ncec);
+ if (nce != NULL)
+ nce_refrele(nce);
netstack_rele(ns);
ill_refrele(ill);
return (ip2mid);
}
/*
- * data passed to nce_walk for canceling outstanding callbacks.
+ * data passed to ncec_walk for canceling outstanding callbacks.
*/
typedef struct ip2mac_cancel_data_s {
ip2mac_id_t ip2m_cancel_id;
@@ -308,23 +332,23 @@ typedef struct ip2mac_cancel_data_s {
} ip2mac_cancel_data_t;
/*
- * callback invoked for each active nce. If the ip2mac_id_t corresponds
- * to an active nce_cb_t in the nce's callback list, we want to remove
+ * callback invoked for each active ncec. If the ip2mac_id_t corresponds
+ * to an active nce_cb_t in the ncec's callback list, we want to remove
* the callback (if there are no walkers) or return EBUSY to the caller
*/
static int
-ip2mac_cancel_callback(nce_t *nce, void *arg)
+ip2mac_cancel_callback(ncec_t *ncec, void *arg)
{
ip2mac_cancel_data_t *ip2m_wdata = arg;
- nce_cb_t *ip2m_nce_cb = ip2m_wdata->ip2m_cancel_id;
- nce_cb_t *nce_cb;
+ ncec_cb_t *ip2m_nce_cb = ip2m_wdata->ip2m_cancel_id;
+ ncec_cb_t *ncec_cb;
- if (ip2m_nce_cb->nce_cb_id != nce)
+ if (ip2m_nce_cb->ncec_cb_id != ncec)
return (0);
- mutex_enter(&nce->nce_lock);
- if (list_is_empty(&nce->nce_cb)) {
- mutex_exit(&nce->nce_lock);
+ mutex_enter(&ncec->ncec_lock);
+ if (list_is_empty(&ncec->ncec_cb)) {
+ mutex_exit(&ncec->ncec_lock);
return (0);
}
/*
@@ -335,22 +359,22 @@ ip2mac_cancel_callback(nce_t *nce, void *arg)
* across calls into another subsystem, especially if calls can
* happen in either direction).
*/
- nce_cb = list_head(&nce->nce_cb);
- for (; nce_cb != NULL; nce_cb = list_next(&nce->nce_cb, nce_cb)) {
- if (nce_cb != ip2m_nce_cb)
+ ncec_cb = list_head(&ncec->ncec_cb);
+ for (; ncec_cb != NULL; ncec_cb = list_next(&ncec->ncec_cb, ncec_cb)) {
+ if (ncec_cb != ip2m_nce_cb)
continue;
/*
* If there are no walkers we can remove the nce_cb.
* Otherwise the exiting walker will clean up.
*/
- if (nce->nce_cb_walker_cnt == 0) {
- list_remove(&nce->nce_cb, nce_cb);
+ if (ncec->ncec_cb_walker_cnt == 0) {
+ list_remove(&ncec->ncec_cb, ncec_cb);
} else {
ip2m_wdata->ip2m_cancel_err = EBUSY;
}
break;
}
- mutex_exit(&nce->nce_lock);
+ mutex_exit(&ncec->ncec_lock);
return (0);
}
@@ -379,7 +403,7 @@ ip2mac_cancel(ip2mac_id_t ip2mid, zoneid_t zoneid)
ip2m_wdata.ip2m_cancel_id = ip2mid;
ip2m_wdata.ip2m_cancel_err = 0;
- ndp_walk(NULL, ip2mac_cancel_callback, &ip2m_wdata, ipst);
+ ncec_walk(NULL, ip2mac_cancel_callback, &ip2m_wdata, ipst);
/*
* We may return EBUSY if a walk to dispatch callbacks is
* in progress, in which case the caller needs to synchronize
diff --git a/usr/src/uts/common/inet/ip/ip6.c b/usr/src/uts/common/inet/ip/ip6.c
index 38fe7b2562..ed54c08884 100644
--- a/usr/src/uts/common/inet/ip/ip6.c
+++ b/usr/src/uts/common/inet/ip/ip6.c
@@ -53,8 +53,8 @@
#include <sys/vtrace.h>
#include <sys/isa_defs.h>
#include <sys/atomic.h>
-#include <sys/iphada.h>
#include <sys/policy.h>
+#include <sys/mac.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/route.h>
@@ -79,9 +79,7 @@
#include <inet/tcp.h>
#include <inet/tcp_impl.h>
#include <inet/udp_impl.h>
-#include <inet/sctp/sctp_impl.h>
#include <inet/ipp_common.h>
-#include <inet/ilb_ip.h>
#include <inet/ip_multi.h>
#include <inet/ip_if.h>
@@ -89,7 +87,6 @@
#include <inet/ip_rts.h>
#include <inet/ip_ndp.h>
#include <net/pfkeyv2.h>
-#include <inet/ipsec_info.h>
#include <inet/sadb.h>
#include <inet/ipsec_impl.h>
#include <inet/iptun/iptun_impl.h>
@@ -110,8 +107,6 @@
/* Temporary; for CR 6451644 work-around */
#include <sys/ethernet.h>
-extern int ip_squeue_flag;
-
/*
* Naming conventions:
* These rules should be judiciously applied
@@ -179,154 +174,75 @@ const in6_addr_t ipv6_solicited_node_mcast =
{ 0x000002ffU, 0, 0x01000000U, 0x000000ffU };
#endif /* _BIG_ENDIAN */
-/* Leave room for ip_newroute to tack on the src and target addresses */
-#define OK_RESOLVER_MP_V6(mp) \
- ((mp) && ((mp)->b_wptr - (mp)->b_rptr) >= (2 * IPV6_ADDR_LEN))
-
-#define IP6_MBLK_OK 0
-#define IP6_MBLK_HDR_ERR 1
-#define IP6_MBLK_LEN_ERR 2
-
-static void icmp_inbound_too_big_v6(queue_t *, mblk_t *, ill_t *, ill_t *,
- boolean_t, zoneid_t);
-static void icmp_pkt_v6(queue_t *, mblk_t *, void *, size_t,
- const in6_addr_t *, boolean_t, zoneid_t, ip_stack_t *);
-static void icmp_redirect_v6(queue_t *, mblk_t *, ill_t *ill);
-static int ip_bind_connected_v6(conn_t *, mblk_t **, uint8_t, in6_addr_t *,
- uint16_t, const in6_addr_t *, ip6_pkt_t *, uint16_t,
- boolean_t, boolean_t, cred_t *);
-static boolean_t ip_bind_get_ire_v6(mblk_t **, ire_t *, const in6_addr_t *,
- iulp_t *, ip_stack_t *);
-static int ip_bind_laddr_v6(conn_t *, mblk_t **, uint8_t,
- const in6_addr_t *, uint16_t, boolean_t);
-static void ip_fanout_proto_v6(queue_t *, mblk_t *, ip6_t *, ill_t *,
- ill_t *, uint8_t, uint_t, uint_t, boolean_t, zoneid_t);
-static void ip_fanout_tcp_v6(queue_t *, mblk_t *, ip6_t *, ill_t *,
- ill_t *, uint_t, uint_t, boolean_t, zoneid_t);
-static void ip_fanout_udp_v6(queue_t *, mblk_t *, ip6_t *, uint32_t,
- ill_t *, ill_t *, uint_t, boolean_t, zoneid_t);
-static int ip_process_options_v6(queue_t *, mblk_t *, ip6_t *,
- uint8_t *, uint_t, uint8_t, ip_stack_t *);
-static mblk_t *ip_rput_frag_v6(ill_t *, ill_t *, mblk_t *, ip6_t *,
- ip6_frag_t *, uint_t, uint_t *, uint32_t *, uint16_t *);
+static boolean_t icmp_inbound_verify_v6(mblk_t *, icmp6_t *, ip_recv_attr_t *);
+static void icmp_inbound_too_big_v6(icmp6_t *, ip_recv_attr_t *);
+static void icmp_pkt_v6(mblk_t *, void *, size_t, const in6_addr_t *,
+ ip_recv_attr_t *);
+static void icmp_redirect_v6(mblk_t *, ip6_t *, nd_redirect_t *,
+ ip_recv_attr_t *);
+static void icmp_send_redirect_v6(mblk_t *, in6_addr_t *,
+ in6_addr_t *, ip_recv_attr_t *);
+static void icmp_send_reply_v6(mblk_t *, ip6_t *, icmp6_t *,
+ ip_recv_attr_t *);
static boolean_t ip_source_routed_v6(ip6_t *, mblk_t *, ip_stack_t *);
-static void ip_wput_ire_v6(queue_t *, mblk_t *, ire_t *, int, int,
- conn_t *, int, int, zoneid_t);
-static boolean_t ipif_lookup_testaddr_v6(ill_t *, const in6_addr_t *,
- ipif_t **);
-
-/*
- * A template for an IPv6 AR_ENTRY_QUERY
- */
-static areq_t ipv6_areq_template = {
- AR_ENTRY_QUERY, /* cmd */
- sizeof (areq_t)+(2*IPV6_ADDR_LEN), /* name offset */
- sizeof (areq_t), /* name len (filled by ill_arp_alloc) */
- ETHERTYPE_IPV6, /* protocol, from arps perspective */
- sizeof (areq_t), /* target addr offset */
- IPV6_ADDR_LEN, /* target addr_length */
- 0, /* flags */
- sizeof (areq_t) + IPV6_ADDR_LEN, /* sender addr offset */
- IPV6_ADDR_LEN, /* sender addr length */
- 6, /* xmit_count */
- 1000, /* (re)xmit_interval in milliseconds */
- 4 /* max # of requests to buffer */
- /* anything else filled in by the code */
-};
/*
- * Handle IPv6 ICMP packets sent to us. Consume the mblk passed in.
- * The message has already been checksummed and if needed,
- * a copy has been made to be sent any interested ICMP client (conn)
- * Note that this is different than icmp_inbound() which does the fanout
- * to conn's as well as local processing of the ICMP packets.
+ * icmp_inbound_v6 deals with ICMP messages that are handled by IP.
+ * If the ICMP message is consumed by IP, i.e., it should not be delivered
+ * to any IPPROTO_ICMP raw sockets, then it returns NULL.
+ * Likewise, if the ICMP error is misformed (too short, etc), then it
+ * returns NULL. The caller uses this to determine whether or not to send
+ * to raw sockets.
*
* All error messages are passed to the matching transport stream.
*
- * Zones notes:
- * The packet is only processed in the context of the specified zone: typically
- * only this zone will reply to an echo request. This means that the caller must
- * call icmp_inbound_v6() for each relevant zone.
+ * See comment for icmp_inbound_v4() on how IPsec is handled.
*/
-static void
-icmp_inbound_v6(queue_t *q, mblk_t *mp, ill_t *ill, ill_t *inill,
- uint_t hdr_length, boolean_t mctl_present, uint_t flags, zoneid_t zoneid,
- mblk_t *dl_mp)
+mblk_t *
+icmp_inbound_v6(mblk_t *mp, ip_recv_attr_t *ira)
{
icmp6_t *icmp6;
- ip6_t *ip6h;
+ ip6_t *ip6h; /* Outer header */
+ int ip_hdr_length; /* Outer header length */
boolean_t interested;
- in6_addr_t origsrc;
- mblk_t *first_mp;
- ipsec_in_t *ii;
+ ill_t *ill = ira->ira_ill;
ip_stack_t *ipst = ill->ill_ipst;
-
- ASSERT(ill != NULL);
- first_mp = mp;
- if (mctl_present) {
- mp = first_mp->b_cont;
- ASSERT(mp != NULL);
-
- ii = (ipsec_in_t *)first_mp->b_rptr;
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
- }
+ mblk_t *mp_ret = NULL;
ip6h = (ip6_t *)mp->b_rptr;
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInMsgs);
- if ((mp->b_wptr - mp->b_rptr) < (hdr_length + ICMP6_MINLEN)) {
- if (!pullupmsg(mp, hdr_length + ICMP6_MINLEN)) {
- ip1dbg(("icmp_inbound_v6: pullupmsg failed\n"));
- BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInErrors);
- freemsg(first_mp);
- return;
- }
- ip6h = (ip6_t *)mp->b_rptr;
- }
- if (ipst->ips_icmp_accept_clear_messages == 0) {
- first_mp = ipsec_check_global_policy(first_mp, NULL,
- NULL, ip6h, mctl_present, ipst->ips_netstack);
- if (first_mp == NULL)
- return;
- }
+ /* Make sure ira_l2src is set for ndp_input */
+ if (!(ira->ira_flags & IRAF_L2SRC_SET))
+ ip_setl2src(mp, ira, ira->ira_rill);
- /*
- * On a labeled system, we have to check whether the zone itself is
- * permitted to receive raw traffic.
- */
- if (is_system_labeled()) {
- if (zoneid == ALL_ZONES)
- zoneid = tsol_packet_to_zoneid(mp);
- if (!tsol_can_accept_raw(mp, B_FALSE)) {
- ip1dbg(("icmp_inbound_v6: zone %d can't receive raw",
- zoneid));
+ ip_hdr_length = ira->ira_ip_hdr_length;
+ if ((mp->b_wptr - mp->b_rptr) < (ip_hdr_length + ICMP6_MINLEN)) {
+ if (ira->ira_pktlen < (ip_hdr_length + ICMP6_MINLEN)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
+ ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
+ freemsg(mp);
+ return (NULL);
+ }
+ ip6h = ip_pullup(mp, ip_hdr_length + ICMP6_MINLEN, ira);
+ if (ip6h == NULL) {
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInErrors);
- freemsg(first_mp);
- return;
+ freemsg(mp);
+ return (NULL);
}
}
- icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]);
+ icmp6 = (icmp6_t *)(&mp->b_rptr[ip_hdr_length]);
+ DTRACE_PROBE2(icmp__inbound__v6, ip6_t *, ip6h, icmp6_t *, icmp6);
ip2dbg(("icmp_inbound_v6: type %d code %d\n", icmp6->icmp6_type,
icmp6->icmp6_code));
- interested = !(icmp6->icmp6_type & ICMP6_INFOMSG_MASK);
- /* Initiate IPPF processing here */
- if (IP6_IN_IPP(flags, ipst)) {
-
- /*
- * If the ifindex changes due to SIOCSLIFINDEX
- * packet may return to IP on the wrong ill.
- */
- ip_process(IPP_LOCAL_IN, &mp, ill->ill_phyint->phyint_ifindex);
- if (mp == NULL) {
- if (mctl_present) {
- freeb(first_mp);
- }
- return;
- }
- }
+ /*
+ * We will set "interested" to "true" if we should pass a copy to
+ * the transport i.e., if it is an error message.
+ */
+ interested = !(icmp6->icmp6_type & ICMP6_INFOMSG_MASK);
switch (icmp6->icmp6_type) {
case ICMP6_DST_UNREACH:
@@ -344,9 +260,9 @@ icmp_inbound_v6(queue_t *q, mblk_t *mp, ill_t *ill, ill_t *inill,
break;
case ICMP6_PACKET_TOO_BIG:
- icmp_inbound_too_big_v6(q, first_mp, ill, inill, mctl_present,
- zoneid);
- return;
+ BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInPktTooBigs);
+ break;
+
case ICMP6_ECHO_REQUEST:
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInEchos);
if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst) &&
@@ -362,93 +278,22 @@ icmp_inbound_v6(queue_t *q, mblk_t *mp, ill_t *ill, ill_t *inill,
mblk_t *mp1;
mp1 = copymsg(mp);
- freemsg(mp);
if (mp1 == NULL) {
- BUMP_MIB(ill->ill_icmp6_mib,
- ipv6IfIcmpInErrors);
- if (mctl_present)
- freeb(first_mp);
- return;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - copymsg",
+ mp, ill);
+ freemsg(mp);
+ return (NULL);
}
+ freemsg(mp);
mp = mp1;
ip6h = (ip6_t *)mp->b_rptr;
- icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]);
- if (mctl_present)
- first_mp->b_cont = mp;
- else
- first_mp = mp;
+ icmp6 = (icmp6_t *)(&mp->b_rptr[ip_hdr_length]);
}
- /*
- * Turn the echo into an echo reply.
- * Remove any extension headers (do not reverse a source route)
- * and clear the flow id (keep traffic class for now).
- */
- if (hdr_length != IPV6_HDR_LEN) {
- int i;
-
- for (i = 0; i < IPV6_HDR_LEN; i++)
- mp->b_rptr[hdr_length - i - 1] =
- mp->b_rptr[IPV6_HDR_LEN - i - 1];
- mp->b_rptr += (hdr_length - IPV6_HDR_LEN);
- ip6h = (ip6_t *)mp->b_rptr;
- ip6h->ip6_nxt = IPPROTO_ICMPV6;
- hdr_length = IPV6_HDR_LEN;
- }
- ip6h->ip6_vcf &= ~IPV6_FLOWINFO_FLOWLABEL;
icmp6->icmp6_type = ICMP6_ECHO_REPLY;
-
- ip6h->ip6_plen =
- htons((uint16_t)(msgdsize(mp) - IPV6_HDR_LEN));
- origsrc = ip6h->ip6_src;
- /*
- * Reverse the source and destination addresses.
- * If the return address is a multicast, zero out the source
- * (ip_wput_v6 will set an address).
- */
- if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
- ip6h->ip6_src = ipv6_all_zeros;
- ip6h->ip6_dst = origsrc;
- } else {
- ip6h->ip6_src = ip6h->ip6_dst;
- ip6h->ip6_dst = origsrc;
- }
-
- /* set the hop limit */
- ip6h->ip6_hops = ipst->ips_ipv6_def_hops;
-
- /*
- * Prepare for checksum by putting icmp length in the icmp
- * checksum field. The checksum is calculated in ip_wput_v6.
- */
- icmp6->icmp6_cksum = ip6h->ip6_plen;
-
- if (!mctl_present) {
- /*
- * This packet should go out the same way as it
- * came in i.e in clear. To make sure that global
- * policy will not be applied to this in ip_wput,
- * we attach a IPSEC_IN mp and clear ipsec_in_secure.
- */
- ASSERT(first_mp == mp);
- first_mp = ipsec_in_alloc(B_FALSE, ipst->ips_netstack);
- if (first_mp == NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(mp);
- return;
- }
- ii = (ipsec_in_t *)first_mp->b_rptr;
-
- /* This is not a secure packet */
- ii->ipsec_in_secure = B_FALSE;
- first_mp->b_cont = mp;
- }
- if (!ipsec_in_to_out(first_mp, NULL, ip6h, zoneid)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- return;
- }
- put(WR(q), first_mp);
- return;
+ icmp_send_reply_v6(mp, ip6h, icmp6, ira);
+ return (NULL);
case ICMP6_ECHO_REPLY:
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInEchoReplies);
@@ -464,343 +309,478 @@ icmp_inbound_v6(queue_t *q, mblk_t *mp, ill_t *ill, ill_t *inill,
case ND_NEIGHBOR_SOLICIT:
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInNeighborSolicits);
- if (mctl_present)
- freeb(first_mp);
- /* XXX may wish to pass first_mp up to ndp_input someday. */
- ndp_input(inill, mp, dl_mp);
- return;
+ ndp_input(mp, ira);
+ return (NULL);
case ND_NEIGHBOR_ADVERT:
BUMP_MIB(ill->ill_icmp6_mib,
ipv6IfIcmpInNeighborAdvertisements);
- if (mctl_present)
- freeb(first_mp);
- /* XXX may wish to pass first_mp up to ndp_input someday. */
- ndp_input(inill, mp, dl_mp);
- return;
+ ndp_input(mp, ira);
+ return (NULL);
- case ND_REDIRECT: {
+ case ND_REDIRECT:
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInRedirects);
if (ipst->ips_ipv6_ignore_redirect)
break;
- /*
- * As there is no upper client to deliver, we don't
- * need the first_mp any more.
- */
- if (mctl_present)
- freeb(first_mp);
- if (!pullupmsg(mp, -1)) {
- BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInBadRedirects);
- break;
- }
- icmp_redirect_v6(q, mp, ill);
- return;
- }
+ /* We now allow a RAW socket to receive this. */
+ interested = B_TRUE;
+ break;
/*
* The next three icmp messages will be handled by MLD.
* Pass all valid MLD packets up to any process(es)
- * listening on a raw ICMP socket. MLD messages are
- * freed by mld_input function.
+ * listening on a raw ICMP socket.
*/
case MLD_LISTENER_QUERY:
case MLD_LISTENER_REPORT:
case MLD_LISTENER_REDUCTION:
- if (mctl_present)
- freeb(first_mp);
- mld_input(q, mp, ill);
- return;
+ mp = mld_input(mp, ira);
+ return (mp);
default:
break;
}
- if (interested) {
- icmp_inbound_error_fanout_v6(q, first_mp, ip6h, icmp6, ill,
- inill, mctl_present, zoneid);
- } else {
- freemsg(first_mp);
- }
-}
+ /*
+ * See if there is an ICMP client to avoid an extra copymsg/freemsg
+ * if there isn't one.
+ */
+ if (ipst->ips_ipcl_proto_fanout_v6[IPPROTO_ICMPV6].connf_head != NULL) {
+ /* If there is an ICMP client and we want one too, copy it. */
-/*
- * Process received IPv6 ICMP Packet too big.
- * After updating any IRE it does the fanout to any matching transport streams.
- * Assumes the IPv6 plus ICMPv6 headers have been pulled up but nothing else.
- */
-/* ARGSUSED */
-static void
-icmp_inbound_too_big_v6(queue_t *q, mblk_t *mp, ill_t *ill, ill_t *inill,
- boolean_t mctl_present, zoneid_t zoneid)
-{
- ip6_t *ip6h;
- ip6_t *inner_ip6h;
- icmp6_t *icmp6;
- uint16_t hdr_length;
- uint32_t mtu;
- ire_t *ire, *first_ire;
- mblk_t *first_mp;
- ip_stack_t *ipst = ill->ill_ipst;
+ if (!interested) {
+ /* Caller will deliver to RAW sockets */
+ return (mp);
+ }
+ mp_ret = copymsg(mp);
+ if (mp_ret == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - copymsg", mp, ill);
+ }
+ } else if (!interested) {
+ /* Neither we nor raw sockets are interested. Drop packet now */
+ freemsg(mp);
+ return (NULL);
+ }
- first_mp = mp;
- if (mctl_present)
- mp = first_mp->b_cont;
/*
- * We must have exclusive use of the mblk to update the MTU
- * in the packet.
- * If not, we copy it.
- *
- * If there's an M_CTL present, we know that allocated first_mp
- * earlier in this function, so we know first_mp has refcnt of one.
+ * ICMP error or redirect packet. Make sure we have enough of
+ * the header and that db_ref == 1 since we might end up modifying
+ * the packet.
*/
- ASSERT(!mctl_present || first_mp->b_datap->db_ref == 1);
+ if (mp->b_cont != NULL) {
+ if (ip_pullup(mp, -1, ira) == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - ip_pullup",
+ mp, ill);
+ freemsg(mp);
+ return (mp_ret);
+ }
+ }
+
if (mp->b_datap->db_ref > 1) {
mblk_t *mp1;
mp1 = copymsg(mp);
- freemsg(mp);
if (mp1 == NULL) {
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- if (mctl_present)
- freeb(first_mp);
- return;
+ ip_drop_input("ipIfStatsInDiscards - copymsg", mp, ill);
+ freemsg(mp);
+ return (mp_ret);
}
+ freemsg(mp);
mp = mp1;
- if (mctl_present)
- first_mp->b_cont = mp;
- else
- first_mp = mp;
}
+
+ /*
+ * In case mp has changed, verify the message before any further
+ * processes.
+ */
ip6h = (ip6_t *)mp->b_rptr;
- if (ip6h->ip6_nxt != IPPROTO_ICMPV6)
- hdr_length = ip_hdr_length_v6(mp, ip6h);
- else
- hdr_length = IPV6_HDR_LEN;
+ icmp6 = (icmp6_t *)(&mp->b_rptr[ip_hdr_length]);
+ if (!icmp_inbound_verify_v6(mp, icmp6, ira)) {
+ freemsg(mp);
+ return (mp_ret);
+ }
- icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]);
- ASSERT((size_t)(mp->b_wptr - mp->b_rptr) >= hdr_length + ICMP6_MINLEN);
- inner_ip6h = (ip6_t *)&icmp6[1]; /* Packet in error */
- if ((uchar_t *)&inner_ip6h[1] > mp->b_wptr) {
- if (!pullupmsg(mp, (uchar_t *)&inner_ip6h[1] - mp->b_rptr)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
- return;
+ switch (icmp6->icmp6_type) {
+ case ND_REDIRECT:
+ icmp_redirect_v6(mp, ip6h, (nd_redirect_t *)icmp6, ira);
+ break;
+ case ICMP6_PACKET_TOO_BIG:
+ /* Update DCE and adjust MTU is icmp header if needed */
+ icmp_inbound_too_big_v6(icmp6, ira);
+ /* FALLTHRU */
+ default:
+ icmp_inbound_error_fanout_v6(mp, icmp6, ira);
+ break;
+ }
+
+ return (mp_ret);
+}
+
+/*
+ * Send an ICMP echo reply.
+ * The caller has already updated the payload part of the packet.
+ * We handle the ICMP checksum, IP source address selection and feed
+ * the packet into ip_output_simple.
+ */
+static void
+icmp_send_reply_v6(mblk_t *mp, ip6_t *ip6h, icmp6_t *icmp6,
+ ip_recv_attr_t *ira)
+{
+ uint_t ip_hdr_length = ira->ira_ip_hdr_length;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ ip_xmit_attr_t ixas;
+ in6_addr_t origsrc;
+
+ /*
+ * Remove any extension headers (do not reverse a source route)
+ * and clear the flow id (keep traffic class for now).
+ */
+ if (ip_hdr_length != IPV6_HDR_LEN) {
+ int i;
+
+ for (i = 0; i < IPV6_HDR_LEN; i++) {
+ mp->b_rptr[ip_hdr_length - i - 1] =
+ mp->b_rptr[IPV6_HDR_LEN - i - 1];
}
+ mp->b_rptr += (ip_hdr_length - IPV6_HDR_LEN);
ip6h = (ip6_t *)mp->b_rptr;
- icmp6 = (icmp6_t *)&mp->b_rptr[hdr_length];
- inner_ip6h = (ip6_t *)&icmp6[1];
+ ip6h->ip6_nxt = IPPROTO_ICMPV6;
+ i = ntohs(ip6h->ip6_plen);
+ i -= (ip_hdr_length - IPV6_HDR_LEN);
+ ip6h->ip6_plen = htons(i);
+ ip_hdr_length = IPV6_HDR_LEN;
+ ASSERT(ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN == msgdsize(mp));
}
+ ip6h->ip6_vcf &= ~IPV6_FLOWINFO_FLOWLABEL;
+
+ /* Reverse the source and destination addresses. */
+ origsrc = ip6h->ip6_src;
+ ip6h->ip6_src = ip6h->ip6_dst;
+ ip6h->ip6_dst = origsrc;
+
+ /* set the hop limit */
+ ip6h->ip6_hops = ipst->ips_ipv6_def_hops;
/*
- * For link local destinations matching simply on IRE type is not
- * sufficient. Same link local addresses for different ILL's is
- * possible.
+ * Prepare for checksum by putting icmp length in the icmp
+ * checksum field. The checksum is calculated in ip_output
*/
- if (IN6_IS_ADDR_LINKLOCAL(&inner_ip6h->ip6_dst)) {
- first_ire = ire_ctable_lookup_v6(&inner_ip6h->ip6_dst, NULL,
- IRE_CACHE, ill->ill_ipif, ALL_ZONES, NULL,
- MATCH_IRE_TYPE | MATCH_IRE_ILL, ipst);
-
- if (first_ire == NULL) {
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("icmp_inbound_too_big_v6:"
- "no ire for dst %s\n", AF_INET6,
- &inner_ip6h->ip6_dst);
- }
- freemsg(first_mp);
- return;
- }
+ icmp6->icmp6_cksum = ip6h->ip6_plen;
- mtu = ntohl(icmp6->icmp6_mtu);
- rw_enter(&first_ire->ire_bucket->irb_lock, RW_READER);
- for (ire = first_ire; ire != NULL &&
- IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, &inner_ip6h->ip6_dst);
- ire = ire->ire_next) {
- mutex_enter(&ire->ire_lock);
- if (mtu < IPV6_MIN_MTU) {
- ip1dbg(("Received mtu less than IPv6 "
- "min mtu %d: %d\n", IPV6_MIN_MTU, mtu));
- mtu = IPV6_MIN_MTU;
- /*
- * If an mtu less than IPv6 min mtu is received,
- * we must include a fragment header in
- * subsequent packets.
- */
- ire->ire_frag_flag |= IPH_FRAG_HDR;
- }
- ip1dbg(("Received mtu from router: %d\n", mtu));
- ire->ire_max_frag = MIN(ire->ire_max_frag, mtu);
- if (ire->ire_max_frag == mtu) {
- /* Decreased it */
- ire->ire_marks |= IRE_MARK_PMTU;
- }
- /* Record the new max frag size for the ULP. */
- if (ire->ire_frag_flag & IPH_FRAG_HDR) {
- /*
- * If we need a fragment header in every packet
- * (above case or multirouting), make sure the
- * ULP takes it into account when computing the
- * payload size.
- */
- icmp6->icmp6_mtu = htonl(ire->ire_max_frag -
- sizeof (ip6_frag_t));
- } else {
- icmp6->icmp6_mtu = htonl(ire->ire_max_frag);
- }
- mutex_exit(&ire->ire_lock);
- }
- rw_exit(&first_ire->ire_bucket->irb_lock);
- ire_refrele(first_ire);
- } else {
- irb_t *irb = NULL;
+ bzero(&ixas, sizeof (ixas));
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V6;
+ ixas.ixa_zoneid = ira->ira_zoneid;
+ ixas.ixa_cred = kcred;
+ ixas.ixa_cpid = NOPID;
+ ixas.ixa_tsl = ira->ira_tsl; /* Behave as a multi-level responder */
+ ixas.ixa_ifindex = 0;
+ ixas.ixa_ipst = ipst;
+ ixas.ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
+
+ if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
/*
- * for non-link local destinations we match only on the IRE type
+ * This packet should go out the same way as it
+ * came in i.e in clear, independent of the IPsec
+ * policy for transmitting packets.
*/
- ire = ire_ctable_lookup_v6(&inner_ip6h->ip6_dst, NULL,
- IRE_CACHE, ill->ill_ipif, ALL_ZONES, NULL, MATCH_IRE_TYPE,
- ipst);
- if (ire == NULL) {
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("icmp_inbound_too_big_v6:"
- "no ire for dst %s\n",
- AF_INET6, &inner_ip6h->ip6_dst);
- }
- freemsg(first_mp);
+ ixas.ixa_flags |= IXAF_NO_IPSEC;
+ } else {
+ if (!ipsec_in_to_out(ira, &ixas, mp, NULL, ip6h)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ /* Note: mp already consumed and ip_drop_packet done */
return;
}
- irb = ire->ire_bucket;
- ire_refrele(ire);
- rw_enter(&irb->irb_lock, RW_READER);
- for (ire = irb->irb_ire; ire != NULL; ire = ire->ire_next) {
- if (IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6,
- &inner_ip6h->ip6_dst)) {
- mtu = ntohl(icmp6->icmp6_mtu);
- mutex_enter(&ire->ire_lock);
- if (mtu < IPV6_MIN_MTU) {
- ip1dbg(("Received mtu less than IPv6"
- "min mtu %d: %d\n",
- IPV6_MIN_MTU, mtu));
- mtu = IPV6_MIN_MTU;
- /*
- * If an mtu less than IPv6 min mtu is
- * received, we must include a fragment
- * header in subsequent packets.
- */
- ire->ire_frag_flag |= IPH_FRAG_HDR;
- }
+ }
- ip1dbg(("Received mtu from router: %d\n", mtu));
- ire->ire_max_frag = MIN(ire->ire_max_frag, mtu);
- if (ire->ire_max_frag == mtu) {
- /* Decreased it */
- ire->ire_marks |= IRE_MARK_PMTU;
- }
- /* Record the new max frag size for the ULP. */
- if (ire->ire_frag_flag & IPH_FRAG_HDR) {
- /*
- * If we need a fragment header in
- * every packet (above case or
- * multirouting), make sure the ULP
- * takes it into account when computing
- * the payload size.
- */
- icmp6->icmp6_mtu =
- htonl(ire->ire_max_frag -
- sizeof (ip6_frag_t));
- } else {
- icmp6->icmp6_mtu =
- htonl(ire->ire_max_frag);
- }
- mutex_exit(&ire->ire_lock);
- }
- }
- rw_exit(&irb->irb_lock);
+ /* Was the destination (now source) link-local? Send out same group */
+ if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_src)) {
+ ixas.ixa_flags |= IXAF_SCOPEID_SET;
+ if (IS_UNDER_IPMP(ill))
+ ixas.ixa_scopeid = ill_get_upper_ifindex(ill);
+ else
+ ixas.ixa_scopeid = ill->ill_phyint->phyint_ifindex;
+ }
+
+ if (ira->ira_flags & IRAF_MULTIBROADCAST) {
+ /*
+ * Not one or our addresses (IRE_LOCALs), thus we let
+ * ip_output_simple pick the source.
+ */
+ ip6h->ip6_src = ipv6_all_zeros;
+ ixas.ixa_flags |= IXAF_SET_SOURCE;
}
- icmp_inbound_error_fanout_v6(q, first_mp, ip6h, icmp6, ill, inill,
- mctl_present, zoneid);
+
+ /* Should we send using dce_pmtu? */
+ if (ipst->ips_ipv6_icmp_return_pmtu)
+ ixas.ixa_flags |= IXAF_PMTU_DISCOVERY;
+
+ (void) ip_output_simple(mp, &ixas);
+ ixa_cleanup(&ixas);
+
}
/*
- * Fanout for ICMPv6 errors containing IP-in-IPv6 packets. Returns B_TRUE if a
- * tunnel consumed the message, and B_FALSE otherwise.
+ * Verify the ICMP messages for either for ICMP error or redirect packet.
+ * The caller should have fully pulled up the message. If it's a redirect
+ * packet, only basic checks on IP header will be done; otherwise, verify
+ * the packet by looking at the included ULP header.
+ *
+ * Called before icmp_inbound_error_fanout_v6 is called.
*/
static boolean_t
-icmp_inbound_iptun_fanout_v6(mblk_t *first_mp, ip6_t *rip6h, ill_t *ill,
- ip_stack_t *ipst)
+icmp_inbound_verify_v6(mblk_t *mp, icmp6_t *icmp6, ip_recv_attr_t *ira)
{
- conn_t *connp;
+ ill_t *ill = ira->ira_ill;
+ uint16_t hdr_length;
+ uint8_t *nexthdrp;
+ uint8_t nexthdr;
+ ip_stack_t *ipst = ill->ill_ipst;
+ conn_t *connp;
+ ip6_t *ip6h; /* Inner header */
- if ((connp = ipcl_iptun_classify_v6(&rip6h->ip6_src, &rip6h->ip6_dst,
- ipst)) == NULL)
- return (B_FALSE);
+ ip6h = (ip6_t *)&icmp6[1];
+ if ((uchar_t *)ip6h + IPV6_HDR_LEN > mp->b_wptr)
+ goto truncated;
+
+ if (icmp6->icmp6_type == ND_REDIRECT) {
+ hdr_length = sizeof (nd_redirect_t);
+ } else {
+ if ((IPH_HDR_VERSION(ip6h) != IPV6_VERSION))
+ goto discard_pkt;
+ hdr_length = IPV6_HDR_LEN;
+ }
+
+ if ((uchar_t *)ip6h + hdr_length > mp->b_wptr)
+ goto truncated;
+
+ /*
+ * Stop here for ICMP_REDIRECT.
+ */
+ if (icmp6->icmp6_type == ND_REDIRECT)
+ return (B_TRUE);
+
+ /*
+ * ICMP errors only.
+ */
+ if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &hdr_length, &nexthdrp))
+ goto discard_pkt;
+ nexthdr = *nexthdrp;
+
+ /* Try to pass the ICMP message to clients who need it */
+ switch (nexthdr) {
+ case IPPROTO_UDP:
+ /*
+ * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
+ * transport header.
+ */
+ if ((uchar_t *)ip6h + hdr_length + ICMP_MIN_TP_HDR_LEN >
+ mp->b_wptr)
+ goto truncated;
+ break;
+ case IPPROTO_TCP: {
+ tcpha_t *tcpha;
+
+ /*
+ * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
+ * transport header.
+ */
+ if ((uchar_t *)ip6h + hdr_length + ICMP_MIN_TP_HDR_LEN >
+ mp->b_wptr)
+ goto truncated;
+
+ tcpha = (tcpha_t *)((uchar_t *)ip6h + hdr_length);
+ /*
+ * With IPMP we need to match across group, which we do
+ * since we have the upper ill from ira_ill.
+ */
+ connp = ipcl_tcp_lookup_reversed_ipv6(ip6h, tcpha, TCPS_LISTEN,
+ ill->ill_phyint->phyint_ifindex, ipst);
+ if (connp == NULL)
+ goto discard_pkt;
+
+ if ((connp->conn_verifyicmp != NULL) &&
+ !connp->conn_verifyicmp(connp, tcpha, NULL, icmp6, ira)) {
+ CONN_DEC_REF(connp);
+ goto discard_pkt;
+ }
+ CONN_DEC_REF(connp);
+ break;
+ }
+ case IPPROTO_SCTP:
+ /*
+ * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
+ * transport header.
+ */
+ if ((uchar_t *)ip6h + hdr_length + ICMP_MIN_TP_HDR_LEN >
+ mp->b_wptr)
+ goto truncated;
+ break;
+ case IPPROTO_ESP:
+ case IPPROTO_AH:
+ break;
+ case IPPROTO_ENCAP:
+ case IPPROTO_IPV6: {
+ /* Look for self-encapsulated packets that caused an error */
+ ip6_t *in_ip6h;
+
+ in_ip6h = (ip6_t *)((uint8_t *)ip6h + hdr_length);
+ if ((uint8_t *)in_ip6h + (nexthdr == IPPROTO_ENCAP ?
+ sizeof (ipha_t) : sizeof (ip6_t)) > mp->b_wptr)
+ goto truncated;
+ break;
+ }
+ default:
+ break;
+ }
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
- connp->conn_recv(connp, first_mp, NULL);
- CONN_DEC_REF(connp);
return (B_TRUE);
+
+discard_pkt:
+ /* Bogus ICMP error. */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ return (B_FALSE);
+
+truncated:
+ /* We pulled up everthing already. Must be truncated */
+ BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInErrors);
+ return (B_FALSE);
}
/*
- * Fanout received ICMPv6 error packets to the transports.
- * Assumes the IPv6 plus ICMPv6 headers have been pulled up but nothing else.
+ * Process received IPv6 ICMP Packet too big.
+ * The caller is responsible for validating the packet before passing it in
+ * and also to fanout the ICMP error to any matching transport conns. Assumes
+ * the message has been fully pulled up.
+ *
+ * Before getting here, the caller has called icmp_inbound_verify_v6()
+ * that should have verified with ULP to prevent undoing the changes we're
+ * going to make to DCE. For example, TCP might have verified that the packet
+ * which generated error is in the send window.
+ *
+ * In some cases modified this MTU in the ICMP header packet; the caller
+ * should pass to the matching ULP after this returns.
*/
-void
-icmp_inbound_error_fanout_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h,
- icmp6_t *icmp6, ill_t *ill, ill_t *inill, boolean_t mctl_present,
- zoneid_t zoneid)
+static void
+icmp_inbound_too_big_v6(icmp6_t *icmp6, ip_recv_attr_t *ira)
{
- uint16_t *up; /* Pointer to ports in ULP header */
- uint32_t ports; /* reversed ports for fanout */
- ip6_t rip6h; /* With reversed addresses */
- uint16_t hdr_length;
- uint8_t *nexthdrp;
- uint8_t nexthdr;
- mblk_t *first_mp;
- ipsec_in_t *ii;
- tcpha_t *tcpha;
- conn_t *connp;
+ uint32_t mtu;
+ dce_t *dce;
+ ill_t *ill = ira->ira_ill; /* Upper ill if IPMP */
ip_stack_t *ipst = ill->ill_ipst;
+ int old_max_frag;
+ in6_addr_t final_dst;
+ ip6_t *ip6h; /* Inner IP header */
- first_mp = mp;
- if (mctl_present) {
- mp = first_mp->b_cont;
- ASSERT(mp != NULL);
+ /* Caller has already pulled up everything. */
+ ip6h = (ip6_t *)&icmp6[1];
+ final_dst = ip_get_dst_v6(ip6h, NULL, NULL);
- ii = (ipsec_in_t *)first_mp->b_rptr;
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
+ /*
+ * For link local destinations matching simply on address is not
+ * sufficient. Same link local addresses for different ILL's is
+ * possible.
+ */
+ if (IN6_IS_ADDR_LINKSCOPE(&final_dst)) {
+ dce = dce_lookup_and_add_v6(&final_dst,
+ ill->ill_phyint->phyint_ifindex, ipst);
} else {
- ii = NULL;
+ dce = dce_lookup_and_add_v6(&final_dst, 0, ipst);
+ }
+ if (dce == NULL) {
+ /* Couldn't add a unique one - ENOMEM */
+ if (ip_debug > 2) {
+ /* ip1dbg */
+ pr_addr_dbg("icmp_inbound_too_big_v6:"
+ "no dce for dst %s\n", AF_INET6,
+ &final_dst);
+ }
+ return;
}
- hdr_length = (uint16_t)((uchar_t *)icmp6 - (uchar_t *)ip6h);
- ASSERT((size_t)(mp->b_wptr - (uchar_t *)icmp6) >= ICMP6_MINLEN);
+ mtu = ntohl(icmp6->icmp6_mtu);
+ mutex_enter(&dce->dce_lock);
+ if (dce->dce_flags & DCEF_PMTU)
+ old_max_frag = dce->dce_pmtu;
+ else
+ old_max_frag = ill->ill_mtu;
+
+ if (mtu < IPV6_MIN_MTU) {
+ ip1dbg(("Received mtu less than IPv6 "
+ "min mtu %d: %d\n", IPV6_MIN_MTU, mtu));
+ mtu = IPV6_MIN_MTU;
+ /*
+ * If an mtu less than IPv6 min mtu is received,
+ * we must include a fragment header in
+ * subsequent packets.
+ */
+ dce->dce_flags |= DCEF_TOO_SMALL_PMTU;
+ } else {
+ dce->dce_flags &= ~DCEF_TOO_SMALL_PMTU;
+ }
+ ip1dbg(("Received mtu from router: %d\n", mtu));
+ dce->dce_pmtu = MIN(old_max_frag, mtu);
+
+ /* Prepare to send the new max frag size for the ULP. */
+ if (dce->dce_flags & DCEF_TOO_SMALL_PMTU) {
+ /*
+ * If we need a fragment header in every packet
+ * (above case or multirouting), make sure the
+ * ULP takes it into account when computing the
+ * payload size.
+ */
+ icmp6->icmp6_mtu = htonl(dce->dce_pmtu - sizeof (ip6_frag_t));
+ } else {
+ icmp6->icmp6_mtu = htonl(dce->dce_pmtu);
+ }
+ /* We now have a PMTU for sure */
+ dce->dce_flags |= DCEF_PMTU;
+ dce->dce_last_change_time = TICK_TO_SEC(lbolt64);
+ mutex_exit(&dce->dce_lock);
/*
- * Need to pullup everything in order to use
- * ip_hdr_length_nexthdr_v6()
+ * After dropping the lock the new value is visible to everyone.
+ * Then we bump the generation number so any cached values reinspect
+ * the dce_t.
*/
- if (mp->b_cont != NULL) {
- if (!pullupmsg(mp, -1)) {
- ip1dbg(("icmp_inbound_error_fanout_v6: "
- "pullupmsg failed\n"));
- goto drop_pkt;
- }
- ip6h = (ip6_t *)mp->b_rptr;
- icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]);
- }
+ dce_increment_generation(dce);
+ dce_refrele(dce);
+}
- ip6h = (ip6_t *)&icmp6[1]; /* Packet in error */
- if ((uchar_t *)&ip6h[1] > mp->b_wptr)
- goto drop_pkt;
+/*
+ * Fanout received ICMPv6 error packets to the transports.
+ * Assumes the IPv6 plus ICMPv6 headers have been pulled up but nothing else.
+ *
+ * The caller must have called icmp_inbound_verify_v6.
+ */
+void
+icmp_inbound_error_fanout_v6(mblk_t *mp, icmp6_t *icmp6, ip_recv_attr_t *ira)
+{
+ uint16_t *up; /* Pointer to ports in ULP header */
+ uint32_t ports; /* reversed ports for fanout */
+ ip6_t rip6h; /* With reversed addresses */
+ ip6_t *ip6h; /* Inner IP header */
+ uint16_t hdr_length; /* Inner IP header length */
+ uint8_t *nexthdrp;
+ uint8_t nexthdr;
+ tcpha_t *tcpha;
+ conn_t *connp;
+ ill_t *ill = ira->ira_ill; /* Upper in the case of IPMP */
+ ip_stack_t *ipst = ill->ill_ipst;
+ ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
+
+ /* Caller has already pulled up everything. */
+ ip6h = (ip6_t *)&icmp6[1];
+ ASSERT(mp->b_cont == NULL);
+ ASSERT((uchar_t *)&ip6h[1] <= mp->b_wptr);
if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &hdr_length, &nexthdrp))
goto drop_pkt;
nexthdr = *nexthdrp;
-
- /* Set message type, must be done after pullups */
- mp->b_datap->db_type = M_CTL;
+ ira->ira_protocol = nexthdr;
/*
* We need a separate IP header with the source and destination
@@ -814,174 +794,128 @@ icmp_inbound_error_fanout_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h,
/* Try to pass the ICMP message to clients who need it */
switch (nexthdr) {
case IPPROTO_UDP: {
- /*
- * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
- * UDP header to get the port information.
- */
- if ((uchar_t *)ip6h + hdr_length + ICMP_MIN_TP_HDR_LEN >
- mp->b_wptr) {
- break;
- }
/* Attempt to find a client stream based on port. */
up = (uint16_t *)((uchar_t *)ip6h + hdr_length);
- ((uint16_t *)&ports)[0] = up[1];
- ((uint16_t *)&ports)[1] = up[0];
- ip_fanout_udp_v6(q, first_mp, &rip6h, ports, ill, inill,
- IP6_NO_IPPOLICY, mctl_present, zoneid);
+ /* Note that we send error to all matches. */
+ ira->ira_flags |= IRAF_ICMP_ERROR;
+ ip_fanout_udp_multi_v6(mp, &rip6h, up[0], up[1], ira);
+ ira->ira_flags &= ~IRAF_ICMP_ERROR;
return;
}
case IPPROTO_TCP: {
/*
- * Verify we have at least ICMP_MIN_TP_HDR_LEN bytes of
- * the TCP header to get the port information.
- */
- if ((uchar_t *)ip6h + hdr_length + ICMP_MIN_TP_HDR_LEN >
- mp->b_wptr) {
- break;
- }
-
- /*
* Attempt to find a client stream based on port.
* Note that we do a reverse lookup since the header is
* in the form we sent it out.
*/
- tcpha = (tcpha_t *)((char *)ip6h + hdr_length);
+ tcpha = (tcpha_t *)((uchar_t *)ip6h + hdr_length);
+ /*
+ * With IPMP we need to match across group, which we do
+ * since we have the upper ill from ira_ill.
+ */
connp = ipcl_tcp_lookup_reversed_ipv6(ip6h, tcpha,
TCPS_LISTEN, ill->ill_phyint->phyint_ifindex, ipst);
if (connp == NULL) {
goto drop_pkt;
}
- SQUEUE_ENTER_ONE(connp->conn_sqp, first_mp, tcp_input, connp,
- SQ_FILL, SQTAG_TCP6_INPUT_ICMP_ERR);
+ if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) ||
+ (ira->ira_flags & IRAF_IPSEC_SECURE)) {
+ mp = ipsec_check_inbound_policy(mp, connp,
+ NULL, ip6h, ira);
+ if (mp == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ /* Note that mp is NULL */
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ CONN_DEC_REF(connp);
+ return;
+ }
+ }
+
+ ira->ira_flags |= IRAF_ICMP_ERROR;
+ if (IPCL_IS_TCP(connp)) {
+ SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
+ connp->conn_recvicmp, connp, ira, SQ_FILL,
+ SQTAG_TCP6_INPUT_ICMP_ERR);
+ } else {
+ /* Not TCP; must be SOCK_RAW, IPPROTO_TCP */
+ ill_t *rill = ira->ira_rill;
+
+ ira->ira_ill = ira->ira_rill = NULL;
+ (connp->conn_recv)(connp, mp, NULL, ira);
+ CONN_DEC_REF(connp);
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
+ }
+ ira->ira_flags &= ~IRAF_ICMP_ERROR;
return;
}
case IPPROTO_SCTP:
- /*
- * Verify we have at least ICMP_MIN_SCTP_HDR_LEN bytes of
- * transport header to get the port information.
- */
- if ((uchar_t *)ip6h + hdr_length + ICMP_MIN_SCTP_HDR_LEN >
- mp->b_wptr) {
- if (!pullupmsg(mp, (uchar_t *)ip6h + hdr_length +
- ICMP_MIN_SCTP_HDR_LEN - mp->b_rptr)) {
- goto drop_pkt;
- }
- }
-
up = (uint16_t *)((uchar_t *)ip6h + hdr_length);
+ /* Find a SCTP client stream for this packet. */
((uint16_t *)&ports)[0] = up[1];
((uint16_t *)&ports)[1] = up[0];
- ip_fanout_sctp(first_mp, inill, (ipha_t *)ip6h, ports, 0,
- mctl_present, IP6_NO_IPPOLICY, zoneid);
- return;
- case IPPROTO_ESP:
- case IPPROTO_AH: {
- int ipsec_rc;
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
- /*
- * We need a IPSEC_IN in the front to fanout to AH/ESP.
- * We will re-use the IPSEC_IN if it is already present as
- * AH/ESP will not affect any fields in the IPSEC_IN for
- * ICMP errors. If there is no IPSEC_IN, allocate a new
- * one and attach it in the front.
- */
- if (ii != NULL) {
- /*
- * ip_fanout_proto_again converts the ICMP errors
- * that come back from AH/ESP to M_DATA so that
- * if it is non-AH/ESP and we do a pullupmsg in
- * this function, it would work. Convert it back
- * to M_CTL before we send up as this is a ICMP
- * error. This could have been generated locally or
- * by some router. Validate the inner IPSEC
- * headers.
- *
- * NOTE : ill_index is used by ip_fanout_proto_again
- * to locate the ill.
- */
- ASSERT(ill != NULL);
- ii->ipsec_in_ill_index =
- ill->ill_phyint->phyint_ifindex;
- ii->ipsec_in_rill_index =
- inill->ill_phyint->phyint_ifindex;
- first_mp->b_cont->b_datap->db_type = M_CTL;
- } else {
- /*
- * IPSEC_IN is not present. We attach a ipsec_in
- * message and send up to IPSEC for validating
- * and removing the IPSEC headers. Clear
- * ipsec_in_secure so that when we return
- * from IPSEC, we don't mistakenly think that this
- * is a secure packet came from the network.
- *
- * NOTE : ill_index is used by ip_fanout_proto_again
- * to locate the ill.
- */
- ASSERT(first_mp == mp);
- first_mp = ipsec_in_alloc(B_FALSE, ipst->ips_netstack);
- ASSERT(ill != NULL);
- if (first_mp == NULL) {
- freemsg(mp);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- return;
- }
- ii = (ipsec_in_t *)first_mp->b_rptr;
-
- /* This is not a secure packet */
- ii->ipsec_in_secure = B_FALSE;
- first_mp->b_cont = mp;
- mp->b_datap->db_type = M_CTL;
- ii->ipsec_in_ill_index =
- ill->ill_phyint->phyint_ifindex;
- ii->ipsec_in_rill_index =
- inill->ill_phyint->phyint_ifindex;
- }
+ ira->ira_flags |= IRAF_ICMP_ERROR;
+ ip_fanout_sctp(mp, NULL, &rip6h, ports, ira);
+ ira->ira_flags &= ~IRAF_ICMP_ERROR;
+ return;
+ case IPPROTO_ESP:
+ case IPPROTO_AH:
if (!ipsec_loaded(ipss)) {
- ip_proto_not_sup(q, first_mp, 0, zoneid, ipst);
+ ip_proto_not_sup(mp, ira);
return;
}
if (nexthdr == IPPROTO_ESP)
- ipsec_rc = ipsecesp_icmp_error(first_mp);
+ mp = ipsecesp_icmp_error(mp, ira);
else
- ipsec_rc = ipsecah_icmp_error(first_mp);
- if (ipsec_rc == IPSEC_STATUS_FAILED)
+ mp = ipsecah_icmp_error(mp, ira);
+ if (mp == NULL)
return;
- ip_fanout_proto_again(first_mp, ill, inill, NULL);
- return;
- }
- case IPPROTO_ENCAP:
- case IPPROTO_IPV6:
- if ((uint8_t *)ip6h + hdr_length +
- (nexthdr == IPPROTO_ENCAP ? sizeof (ipha_t) :
- sizeof (ip6_t)) > mp->b_wptr) {
+ /* Just in case ipsec didn't preserve the NULL b_cont */
+ if (mp->b_cont != NULL) {
+ if (!pullupmsg(mp, -1))
+ goto drop_pkt;
+ }
+
+ /*
+ * If succesful, the mp has been modified to not include
+ * the ESP/AH header so we can fanout to the ULP's icmp
+ * error handler.
+ */
+ if (mp->b_wptr - mp->b_rptr < IPV6_HDR_LEN)
goto drop_pkt;
+
+ ip6h = (ip6_t *)mp->b_rptr;
+ /* Don't call hdr_length_v6() unless you have to. */
+ if (ip6h->ip6_nxt != IPPROTO_ICMPV6)
+ hdr_length = ip_hdr_length_v6(mp, ip6h);
+ else
+ hdr_length = IPV6_HDR_LEN;
+
+ /* Verify the modified message before any further processes. */
+ icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]);
+ if (!icmp_inbound_verify_v6(mp, icmp6, ira)) {
+ freemsg(mp);
+ return;
}
- if (nexthdr == IPPROTO_ENCAP ||
- !IN6_ARE_ADDR_EQUAL(
- &((ip6_t *)(((uint8_t *)ip6h) + hdr_length))->ip6_src,
- &ip6h->ip6_src) ||
- !IN6_ARE_ADDR_EQUAL(
- &((ip6_t *)(((uint8_t *)ip6h) + hdr_length))->ip6_dst,
- &ip6h->ip6_dst)) {
- /*
- * For tunnels that have used IPsec protection,
- * we need to adjust the MTU to take into account
- * the IPsec overhead.
- */
- if (ii != NULL) {
- icmp6->icmp6_mtu = htonl(
- ntohl(icmp6->icmp6_mtu) -
- ipsec_in_extra_length(first_mp));
- }
- } else {
+ icmp_inbound_error_fanout_v6(mp, icmp6, ira);
+ return;
+
+ case IPPROTO_IPV6: {
+ /* Look for self-encapsulated packets that caused an error */
+ ip6_t *in_ip6h;
+
+ in_ip6h = (ip6_t *)((uint8_t *)ip6h + hdr_length);
+
+ if (IN6_ARE_ADDR_EQUAL(&in_ip6h->ip6_src, &ip6h->ip6_src) &&
+ IN6_ARE_ADDR_EQUAL(&in_ip6h->ip6_dst, &ip6h->ip6_dst)) {
/*
* Self-encapsulated case. As in the ipv4 case,
* we need to strip the 2nd IP header. Since mp
@@ -989,126 +923,124 @@ icmp_inbound_error_fanout_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h,
* the 3rd header + data over the 2nd header.
*/
uint16_t unused_len;
- ip6_t *inner_ip6h = (ip6_t *)
- ((uchar_t *)ip6h + hdr_length);
/*
* Make sure we don't do recursion more than once.
*/
- if (!ip_hdr_length_nexthdr_v6(mp, inner_ip6h,
+ if (!ip_hdr_length_nexthdr_v6(mp, in_ip6h,
&unused_len, &nexthdrp) ||
*nexthdrp == IPPROTO_IPV6) {
goto drop_pkt;
}
/*
- * We are about to modify the packet. Make a copy if
- * someone else has a reference to it.
- */
- if (DB_REF(mp) > 1) {
- mblk_t *mp1;
- uint16_t icmp6_offset;
-
- mp1 = copymsg(mp);
- if (mp1 == NULL) {
- goto drop_pkt;
- }
- icmp6_offset = (uint16_t)
- ((uchar_t *)icmp6 - mp->b_rptr);
- freemsg(mp);
- mp = mp1;
-
- icmp6 = (icmp6_t *)(mp->b_rptr + icmp6_offset);
- ip6h = (ip6_t *)&icmp6[1];
- inner_ip6h = (ip6_t *)
- ((uchar_t *)ip6h + hdr_length);
-
- if (mctl_present)
- first_mp->b_cont = mp;
- else
- first_mp = mp;
- }
-
- /*
- * Need to set db_type back to M_DATA before
- * refeeding mp into this function.
- */
- DB_TYPE(mp) = M_DATA;
-
- /*
* Copy the 3rd header + remaining data on top
* of the 2nd header.
*/
- bcopy(inner_ip6h, ip6h,
- mp->b_wptr - (uchar_t *)inner_ip6h);
+ bcopy(in_ip6h, ip6h, mp->b_wptr - (uchar_t *)in_ip6h);
/*
* Subtract length of the 2nd header.
*/
mp->b_wptr -= hdr_length;
+ ip6h = (ip6_t *)mp->b_rptr;
+ /* Don't call hdr_length_v6() unless you have to. */
+ if (ip6h->ip6_nxt != IPPROTO_ICMPV6)
+ hdr_length = ip_hdr_length_v6(mp, ip6h);
+ else
+ hdr_length = IPV6_HDR_LEN;
+
+ /*
+ * Verify the modified message before any further
+ * processes.
+ */
+ icmp6 = (icmp6_t *)(&mp->b_rptr[hdr_length]);
+ if (!icmp_inbound_verify_v6(mp, icmp6, ira)) {
+ freemsg(mp);
+ return;
+ }
+
/*
* Now recurse, and see what I _really_ should be
* doing here.
*/
- icmp_inbound_error_fanout_v6(q, first_mp,
- (ip6_t *)mp->b_rptr, icmp6, ill, inill,
- mctl_present, zoneid);
+ icmp_inbound_error_fanout_v6(mp, icmp6, ira);
return;
}
- if (icmp_inbound_iptun_fanout_v6(first_mp, &rip6h, ill, ipst))
+ /* FALLTHRU */
+ }
+ case IPPROTO_ENCAP:
+ if ((connp = ipcl_iptun_classify_v6(&rip6h.ip6_src,
+ &rip6h.ip6_dst, ipst)) != NULL) {
+ ira->ira_flags |= IRAF_ICMP_ERROR;
+ connp->conn_recvicmp(connp, mp, NULL, ira);
+ CONN_DEC_REF(connp);
+ ira->ira_flags &= ~IRAF_ICMP_ERROR;
return;
+ }
/*
- * No IP tunnel is associated with this error. Perhaps a raw
- * socket will want it.
+ * No IP tunnel is interested, fallthrough and see
+ * if a raw socket will want it.
*/
/* FALLTHRU */
default:
- ip_fanout_proto_v6(q, first_mp, &rip6h, ill, inill, nexthdr, 0,
- IP6_NO_IPPOLICY, mctl_present, zoneid);
+ ira->ira_flags |= IRAF_ICMP_ERROR;
+ ASSERT(ira->ira_protocol == nexthdr);
+ ip_fanout_proto_v6(mp, &rip6h, ira);
+ ira->ira_flags &= ~IRAF_ICMP_ERROR;
return;
}
/* NOTREACHED */
drop_pkt:
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInErrors);
ip1dbg(("icmp_inbound_error_fanout_v6: drop pkt\n"));
- freemsg(first_mp);
+ freemsg(mp);
}
/*
* Process received IPv6 ICMP Redirect messages.
+ * Assumes the caller has verified that the headers are in the pulled up mblk.
+ * Consumes mp.
*/
/* ARGSUSED */
static void
-icmp_redirect_v6(queue_t *q, mblk_t *mp, ill_t *ill)
+icmp_redirect_v6(mblk_t *mp, ip6_t *ip6h, nd_redirect_t *rd,
+ ip_recv_attr_t *ira)
{
- ip6_t *ip6h;
- uint16_t hdr_length;
- nd_redirect_t *rd;
- ire_t *ire;
- ire_t *prev_ire;
+ ire_t *ire, *nire;
+ ire_t *prev_ire = NULL;
ire_t *redir_ire;
in6_addr_t *src, *dst, *gateway;
nd_opt_hdr_t *opt;
nce_t *nce;
- int nce_flags = 0;
+ int ncec_flags = 0;
int err = 0;
boolean_t redirect_to_router = B_FALSE;
int len;
int optlen;
- iulp_t ulp_info = { 0 };
- ill_t *prev_ire_ill;
- ipif_t *ipif;
+ ill_t *ill = ira->ira_rill;
+ ill_t *rill = ira->ira_rill;
ip_stack_t *ipst = ill->ill_ipst;
- ip6h = (ip6_t *)mp->b_rptr;
- if (ip6h->ip6_nxt != IPPROTO_ICMPV6)
- hdr_length = ip_hdr_length_v6(mp, ip6h);
- else
- hdr_length = IPV6_HDR_LEN;
+ /*
+ * Since ira_ill is where the IRE_LOCAL was hosted we use ira_rill
+ * and make it be the IPMP upper so avoid being confused by a packet
+ * addressed to a unicast address on a different ill.
+ */
+ if (IS_UNDER_IPMP(rill)) {
+ rill = ipmp_ill_hold_ipmp_ill(rill);
+ if (rill == NULL) {
+ BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInBadRedirects);
+ ip_drop_input("ipv6IfIcmpInBadRedirects - IPMP ill",
+ mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ASSERT(rill != ira->ira_rill);
+ }
- rd = (nd_redirect_t *)&mp->b_rptr[hdr_length];
- len = mp->b_wptr - mp->b_rptr - hdr_length;
+ len = mp->b_wptr - (uchar_t *)rd;
src = &ip6h->ip6_src;
dst = &rd->nd_rd_dst;
gateway = &rd->nd_rd_target;
@@ -1121,37 +1053,35 @@ icmp_redirect_v6(queue_t *q, mblk_t *mp, ill_t *ill)
(IN6_IS_ADDR_V4MAPPED(dst)) ||
(IN6_IS_ADDR_MULTICAST(dst))) {
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInBadRedirects);
- freemsg(mp);
- return;
+ ip_drop_input("ipv6IfIcmpInBadRedirects - addr/len", mp, ill);
+ goto fail_redirect;
}
if (!(IN6_IS_ADDR_LINKLOCAL(gateway) ||
IN6_ARE_ADDR_EQUAL(gateway, dst))) {
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInBadRedirects);
- freemsg(mp);
- return;
+ ip_drop_input("ipv6IfIcmpInBadRedirects - bad gateway",
+ mp, ill);
+ goto fail_redirect;
}
- if (len > sizeof (nd_redirect_t)) {
- if (!ndp_verify_optlen((nd_opt_hdr_t *)&rd[1],
- len - sizeof (nd_redirect_t))) {
+ optlen = len - sizeof (nd_redirect_t);
+ if (optlen != 0) {
+ if (!ndp_verify_optlen((nd_opt_hdr_t *)&rd[1], optlen)) {
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInBadRedirects);
- freemsg(mp);
- return;
+ ip_drop_input("ipv6IfIcmpInBadRedirects - options",
+ mp, ill);
+ goto fail_redirect;
}
}
if (!IN6_ARE_ADDR_EQUAL(gateway, dst)) {
redirect_to_router = B_TRUE;
- nce_flags |= NCE_F_ISROUTER;
+ ncec_flags |= NCE_F_ISROUTER;
+ } else {
+ gateway = dst; /* Add nce for dst */
}
- /* ipif will be refreleased afterwards */
- ipif = ipif_get_next_ipif(NULL, ill);
- if (ipif == NULL) {
- freemsg(mp);
- return;
- }
/*
* Verify that the IP source address of the redirect is
@@ -1160,10 +1090,11 @@ icmp_redirect_v6(queue_t *q, mblk_t *mp, ill_t *ill)
* Also, Make sure we had a route for the dest in question and
* that route was pointing to the old gateway (the source of the
* redirect packet.)
+ * Note: this merely says that there is some IRE which matches that
+ * gateway; not that the longest match matches that gateway.
*/
-
- prev_ire = ire_route_lookup_v6(dst, 0, src, 0, ipif, NULL, ALL_ZONES,
- NULL, MATCH_IRE_GW | MATCH_IRE_ILL | MATCH_IRE_DEFAULT, ipst);
+ prev_ire = ire_ftable_lookup_v6(dst, 0, src, 0, rill,
+ ALL_ZONES, NULL, MATCH_IRE_GW | MATCH_IRE_ILL, 0, ipst, NULL);
/*
* Check that
@@ -1171,92 +1102,44 @@ icmp_redirect_v6(queue_t *q, mblk_t *mp, ill_t *ill)
* old gateway is still directly reachable
*/
if (prev_ire == NULL ||
- prev_ire->ire_type == IRE_LOCAL) {
+ (prev_ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK)) ||
+ (prev_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))) {
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInBadRedirects);
- ipif_refrele(ipif);
+ ip_drop_input("ipv6IfIcmpInBadRedirects - ire", mp, ill);
goto fail_redirect;
}
- prev_ire_ill = ire_to_ill(prev_ire);
- ASSERT(prev_ire_ill != NULL);
- if (prev_ire_ill->ill_flags & ILLF_NONUD)
- nce_flags |= NCE_F_NONUD;
-
- /*
- * Should we use the old ULP info to create the new gateway? From
- * a user's perspective, we should inherit the info so that it
- * is a "smooth" transition. If we do not do that, then new
- * connections going thru the new gateway will have no route metrics,
- * which is counter-intuitive to user. From a network point of
- * view, this may or may not make sense even though the new gateway
- * is still directly connected to us so the route metrics should not
- * change much.
- *
- * But if the old ire_uinfo is not initialized, we do another
- * recursive lookup on the dest using the new gateway. There may
- * be a route to that. If so, use it to initialize the redirect
- * route.
- */
- if (prev_ire->ire_uinfo.iulp_set) {
- bcopy(&prev_ire->ire_uinfo, &ulp_info, sizeof (iulp_t));
- } else if (redirect_to_router) {
- /*
- * Only do the following if the redirection is really to
- * a router.
- */
- ire_t *tmp_ire;
- ire_t *sire;
- tmp_ire = ire_ftable_lookup_v6(dst, 0, gateway, 0, NULL, &sire,
- ALL_ZONES, 0, NULL,
- (MATCH_IRE_RECURSIVE | MATCH_IRE_GW | MATCH_IRE_DEFAULT),
- ipst);
- if (sire != NULL) {
- bcopy(&sire->ire_uinfo, &ulp_info, sizeof (iulp_t));
- ASSERT(tmp_ire != NULL);
- ire_refrele(tmp_ire);
- ire_refrele(sire);
- } else if (tmp_ire != NULL) {
- bcopy(&tmp_ire->ire_uinfo, &ulp_info,
- sizeof (iulp_t));
- ire_refrele(tmp_ire);
- }
- }
+ ASSERT(prev_ire->ire_ill != NULL);
+ if (prev_ire->ire_ill->ill_flags & ILLF_NONUD)
+ ncec_flags |= NCE_F_NONUD;
- optlen = mp->b_wptr - mp->b_rptr - hdr_length - sizeof (nd_redirect_t);
opt = (nd_opt_hdr_t *)&rd[1];
opt = ndp_get_option(opt, optlen, ND_OPT_TARGET_LINKADDR);
if (opt != NULL) {
- err = ndp_lookup_then_add_v6(ill,
- B_FALSE, /* don't match across illgrp */
+ err = nce_lookup_then_add_v6(rill,
(uchar_t *)&opt[1], /* Link layer address */
- gateway,
- &ipv6_all_ones, /* prefix mask */
- &ipv6_all_zeros, /* Mapping mask */
- 0,
- nce_flags,
- ND_STALE,
- &nce);
+ rill->ill_phys_addr_length,
+ gateway, ncec_flags, ND_STALE, &nce);
switch (err) {
case 0:
- NCE_REFRELE(nce);
+ nce_refrele(nce);
break;
case EEXIST:
/*
* Check to see if link layer address has changed and
- * process the nce_state accordingly.
+ * process the ncec_state accordingly.
*/
- ndp_process(nce, (uchar_t *)&opt[1], 0, B_FALSE);
- NCE_REFRELE(nce);
+ nce_process(nce->nce_common,
+ (uchar_t *)&opt[1], 0, B_FALSE);
+ nce_refrele(nce);
break;
default:
ip1dbg(("icmp_redirect_v6: NCE create failed %d\n",
err));
- ipif_refrele(ipif);
goto fail_redirect;
}
}
if (redirect_to_router) {
- /* icmp_redirect_ok_v6() must have already verified this */
ASSERT(IN6_IS_ADDR_LINKLOCAL(gateway));
/*
@@ -1266,65 +1149,68 @@ icmp_redirect_v6(queue_t *q, mblk_t *mp, ill_t *ill)
ire = ire_create_v6(
dst,
&ipv6_all_ones, /* mask */
- &prev_ire->ire_src_addr_v6, /* source addr */
gateway, /* gateway addr */
- &prev_ire->ire_max_frag, /* max frag */
- NULL, /* no src nce */
- NULL, /* no rfq */
- NULL, /* no stq */
IRE_HOST,
- prev_ire->ire_ipif,
- NULL,
- 0,
- 0,
+ prev_ire->ire_ill,
+ ALL_ZONES,
(RTF_DYNAMIC | RTF_GATEWAY | RTF_HOST),
- &ulp_info,
- NULL,
NULL,
ipst);
} else {
- queue_t *stq;
-
- stq = (ipif->ipif_net_type == IRE_IF_RESOLVER)
- ? ipif->ipif_rq : ipif->ipif_wq;
+ ipif_t *ipif;
+ in6_addr_t gw;
/*
* Just create an on link entry, i.e. interface route.
+ * The gateway field is our link-local on the ill.
*/
+ mutex_enter(&rill->ill_lock);
+ for (ipif = rill->ill_ipif; ipif != NULL;
+ ipif = ipif->ipif_next) {
+ if (!(ipif->ipif_state_flags & IPIF_CONDEMNED) &&
+ IN6_IS_ADDR_LINKLOCAL(&ipif->ipif_v6lcl_addr))
+ break;
+ }
+ if (ipif == NULL) {
+ /* We have no link-local address! */
+ mutex_exit(&rill->ill_lock);
+ goto fail_redirect;
+ }
+ gw = ipif->ipif_v6lcl_addr;
+ mutex_exit(&rill->ill_lock);
+
ire = ire_create_v6(
dst, /* gateway == dst */
&ipv6_all_ones, /* mask */
- &prev_ire->ire_src_addr_v6, /* source addr */
- &ipv6_all_zeros, /* gateway addr */
- &prev_ire->ire_max_frag, /* max frag */
- NULL, /* no src nce */
- NULL, /* ire rfq */
- stq, /* ire stq */
- ipif->ipif_net_type, /* IF_[NO]RESOLVER */
- prev_ire->ire_ipif,
- &ipv6_all_ones,
- 0,
- 0,
+ &gw, /* gateway addr */
+ rill->ill_net_type, /* IF_[NO]RESOLVER */
+ prev_ire->ire_ill,
+ ALL_ZONES,
(RTF_DYNAMIC | RTF_HOST),
- &ulp_info,
- NULL,
NULL,
ipst);
}
- /* Release reference from earlier ipif_get_next_ipif() */
- ipif_refrele(ipif);
-
if (ire == NULL)
goto fail_redirect;
- if (ire_add(&ire, NULL, NULL, NULL, B_FALSE) == 0) {
+ nire = ire_add(ire);
+ /* Check if it was a duplicate entry */
+ if (nire != NULL && nire != ire) {
+ ASSERT(nire->ire_identical_ref > 1);
+ ire_delete(nire);
+ ire_refrele(nire);
+ nire = NULL;
+ }
+ ire = nire;
+ if (ire != NULL) {
+ ire_refrele(ire); /* Held in ire_add */
/* tell routing sockets that we received a redirect */
ip_rts_change_v6(RTM_REDIRECT,
&rd->nd_rd_dst,
&rd->nd_rd_target,
- &ipv6_all_ones, 0, &ire->ire_src_addr_v6,
+ &ipv6_all_ones, 0, src,
(RTF_DYNAMIC | RTF_GATEWAY | RTF_HOST), 0,
(RTA_DST | RTA_GATEWAY | RTA_NETMASK | RTA_AUTHOR), ipst);
@@ -1334,10 +1220,9 @@ icmp_redirect_v6(queue_t *q, mblk_t *mp, ill_t *ill)
* modifying an existing redirect.
*/
redir_ire = ire_ftable_lookup_v6(dst, 0, src, IRE_HOST,
- ire->ire_ipif, NULL, ALL_ZONES, 0, NULL,
- (MATCH_IRE_GW | MATCH_IRE_TYPE | MATCH_IRE_ILL), ipst);
-
- ire_refrele(ire); /* Held in ire_add_v6 */
+ prev_ire->ire_ill, ALL_ZONES, NULL,
+ (MATCH_IRE_GW | MATCH_IRE_TYPE | MATCH_IRE_ILL), 0, ipst,
+ NULL);
if (redir_ire != NULL) {
if (redir_ire->ire_flags & RTF_DYNAMIC)
@@ -1346,8 +1231,6 @@ icmp_redirect_v6(queue_t *q, mblk_t *mp, ill_t *ill)
}
}
- if (prev_ire->ire_type == IRE_CACHE)
- ire_delete(prev_ire);
ire_refrele(prev_ire);
prev_ire = NULL;
@@ -1355,101 +1238,8 @@ fail_redirect:
if (prev_ire != NULL)
ire_refrele(prev_ire);
freemsg(mp);
-}
-
-static ill_t *
-ip_queue_to_ill_v6(queue_t *q, ip_stack_t *ipst)
-{
- ill_t *ill;
-
- ASSERT(WR(q) == q);
-
- if (q->q_next != NULL) {
- ill = (ill_t *)q->q_ptr;
- if (ILL_CAN_LOOKUP(ill))
- ill_refhold(ill);
- else
- ill = NULL;
- } else {
- ill = ill_lookup_on_name(ipif_loopback_name, B_FALSE, B_TRUE,
- NULL, NULL, NULL, NULL, NULL, ipst);
- }
- if (ill == NULL)
- ip0dbg(("ip_queue_to_ill_v6: no ill\n"));
- return (ill);
-}
-
-/*
- * Assigns an appropriate source address to the packet.
- * If origdst is one of our IP addresses that use it as the source.
- * If the queue is an ill queue then select a source from that ill.
- * Otherwise pick a source based on a route lookup back to the origsrc.
- *
- * src is the return parameter. Returns a pointer to src or NULL if failure.
- */
-static in6_addr_t *
-icmp_pick_source_v6(queue_t *wq, in6_addr_t *origsrc, in6_addr_t *origdst,
- in6_addr_t *src, zoneid_t zoneid, ip_stack_t *ipst)
-{
- ill_t *ill;
- ire_t *ire;
- ipif_t *ipif;
-
- ASSERT(!(wq->q_flag & QREADR));
- if (wq->q_next != NULL) {
- ill = (ill_t *)wq->q_ptr;
- } else {
- ill = NULL;
- }
-
- ire = ire_route_lookup_v6(origdst, 0, 0, (IRE_LOCAL|IRE_LOOPBACK),
- NULL, NULL, zoneid, NULL, (MATCH_IRE_TYPE|MATCH_IRE_ZONEONLY),
- ipst);
- if (ire != NULL) {
- /* Destined to one of our addresses */
- *src = *origdst;
- ire_refrele(ire);
- return (src);
- }
- if (ire != NULL) {
- ire_refrele(ire);
- ire = NULL;
- }
- if (ill == NULL) {
- /* What is the route back to the original source? */
- ire = ire_route_lookup_v6(origsrc, 0, 0, 0,
- NULL, NULL, zoneid, NULL,
- (MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE), ipst);
- if (ire == NULL) {
- BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutNoRoutes);
- return (NULL);
- }
- ASSERT(ire->ire_ipif != NULL);
- ill = ire->ire_ipif->ipif_ill;
- ire_refrele(ire);
- }
- ipif = ipif_select_source_v6(ill, origsrc, B_FALSE,
- IPV6_PREFER_SRC_DEFAULT, zoneid);
- if (ipif != NULL) {
- *src = ipif->ipif_v6src_addr;
- ipif_refrele(ipif);
- return (src);
- }
- /*
- * Unusual case - can't find a usable source address to reach the
- * original source. Use what in the route to the source.
- */
- ire = ire_route_lookup_v6(origsrc, 0, 0, 0,
- NULL, NULL, zoneid, NULL,
- (MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE), ipst);
- if (ire == NULL) {
- BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutNoRoutes);
- return (NULL);
- }
- ASSERT(ire != NULL);
- *src = ire->ire_src_addr_v6;
- ire_refrele(ire);
- return (src);
+ if (rill != ira->ira_rill)
+ ill_refrele(rill);
}
/*
@@ -1459,17 +1249,12 @@ icmp_pick_source_v6(queue_t *wq, in6_addr_t *origsrc, in6_addr_t *origdst,
* Note: assumes that icmp_pkt_err_ok_v6 has been called to
* verify that an icmp error packet can be sent.
*
- * If q is an ill write side queue (which is the case when packets
- * arrive from ip_rput) then ip_wput code will ensure that packets to
- * link-local destinations are sent out that ill.
- *
* If v6src_ptr is set use it as a source. Otherwise select a reasonable
* source address (see above function).
*/
static void
-icmp_pkt_v6(queue_t *q, mblk_t *mp, void *stuff, size_t len,
- const in6_addr_t *v6src_ptr, boolean_t mctl_present, zoneid_t zoneid,
- ip_stack_t *ipst)
+icmp_pkt_v6(mblk_t *mp, void *stuff, size_t len,
+ const in6_addr_t *v6src_ptr, ip_recv_attr_t *ira)
{
ip6_t *ip6h;
in6_addr_t v6dst;
@@ -1477,98 +1262,82 @@ icmp_pkt_v6(queue_t *q, mblk_t *mp, void *stuff, size_t len,
size_t msg_len;
mblk_t *mp1;
icmp6_t *icmp6;
- ill_t *ill;
in6_addr_t v6src;
- mblk_t *ipsec_mp;
- ipsec_out_t *io;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ ip_xmit_attr_t ixas;
- ill = ip_queue_to_ill_v6(q, ipst);
- if (ill == NULL) {
- freemsg(mp);
- return;
+ ip6h = (ip6_t *)mp->b_rptr;
+
+ bzero(&ixas, sizeof (ixas));
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V6;
+ ixas.ixa_zoneid = ira->ira_zoneid;
+ ixas.ixa_ifindex = 0;
+ ixas.ixa_ipst = ipst;
+ ixas.ixa_cred = kcred;
+ ixas.ixa_cpid = NOPID;
+ ixas.ixa_tsl = ira->ira_tsl; /* Behave as a multi-level responder */
+ ixas.ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
+
+ /*
+ * If the source of the original packet was link-local, then
+ * make sure we send on the same ill (group) as we received it on.
+ */
+ if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_src)) {
+ ixas.ixa_flags |= IXAF_SCOPEID_SET;
+ if (IS_UNDER_IPMP(ill))
+ ixas.ixa_scopeid = ill_get_upper_ifindex(ill);
+ else
+ ixas.ixa_scopeid = ill->ill_phyint->phyint_ifindex;
}
- if (mctl_present) {
+ if (ira->ira_flags & IRAF_IPSEC_SECURE) {
/*
- * If it is :
- *
- * 1) a IPSEC_OUT, then this is caused by outbound
- * datagram originating on this host. IPSEC processing
- * may or may not have been done. Refer to comments above
- * icmp_inbound_error_fanout for details.
+ * Apply IPsec based on how IPsec was applied to
+ * the packet that had the error.
*
- * 2) a IPSEC_IN if we are generating a icmp_message
- * for an incoming datagram destined for us i.e called
- * from ip_fanout_send_icmp.
+ * If it was an outbound packet that caused the ICMP
+ * error, then the caller will have setup the IRA
+ * appropriately.
*/
- ipsec_info_t *in;
-
- ipsec_mp = mp;
- mp = ipsec_mp->b_cont;
-
- in = (ipsec_info_t *)ipsec_mp->b_rptr;
- ip6h = (ip6_t *)mp->b_rptr;
-
- ASSERT(in->ipsec_info_type == IPSEC_OUT ||
- in->ipsec_info_type == IPSEC_IN);
-
- if (in->ipsec_info_type == IPSEC_IN) {
- /*
- * Convert the IPSEC_IN to IPSEC_OUT.
- */
- if (!ipsec_in_to_out(ipsec_mp, NULL, ip6h, zoneid)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- ill_refrele(ill);
- return;
- }
- } else {
- ASSERT(in->ipsec_info_type == IPSEC_OUT);
- io = (ipsec_out_t *)in;
- /*
- * Clear out ipsec_out_proc_begin, so we do a fresh
- * ire lookup.
- */
- io->ipsec_out_proc_begin = B_FALSE;
+ if (!ipsec_in_to_out(ira, &ixas, mp, NULL, ip6h)) {
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ /* Note: mp already consumed and ip_drop_packet done */
+ return;
}
} else {
/*
* This is in clear. The icmp message we are building
- * here should go out in clear.
- */
- ipsec_in_t *ii;
- ASSERT(mp->b_datap->db_type == M_DATA);
- ipsec_mp = ipsec_in_alloc(B_FALSE, ipst->ips_netstack);
- if (ipsec_mp == NULL) {
- freemsg(mp);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- ill_refrele(ill);
- return;
- }
- ii = (ipsec_in_t *)ipsec_mp->b_rptr;
-
- /* This is not a secure packet */
- ii->ipsec_in_secure = B_FALSE;
- ipsec_mp->b_cont = mp;
- ip6h = (ip6_t *)mp->b_rptr;
- /*
- * Convert the IPSEC_IN to IPSEC_OUT.
+ * here should go out in clear, independent of our policy.
*/
- if (!ipsec_in_to_out(ipsec_mp, NULL, ip6h, zoneid)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- ill_refrele(ill);
- return;
- }
+ ixas.ixa_flags |= IXAF_NO_IPSEC;
}
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
+ /*
+ * If the caller specified the source we use that.
+ * Otherwise, if the packet was for one of our unicast addresses, make
+ * sure we respond with that as the source. Otherwise
+ * have ip_output_simple pick the source address.
+ */
if (v6src_ptr != NULL) {
v6src = *v6src_ptr;
} else {
- if (icmp_pick_source_v6(q, &ip6h->ip6_src, &ip6h->ip6_dst,
- &v6src, zoneid, ipst) == NULL) {
- freemsg(ipsec_mp);
- ill_refrele(ill);
- return;
+ ire_t *ire;
+ uint_t match_flags = MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY;
+
+ if (IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src) ||
+ IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_dst))
+ match_flags |= MATCH_IRE_ILL;
+
+ ire = ire_ftable_lookup_v6(&ip6h->ip6_dst, 0, 0,
+ (IRE_LOCAL|IRE_LOOPBACK), ill, ira->ira_zoneid, NULL,
+ match_flags, 0, ipst, NULL);
+ if (ire != NULL) {
+ v6src = ip6h->ip6_dst;
+ ire_refrele(ire);
+ } else {
+ v6src = ipv6_all_zeros;
+ ixas.ixa_flags |= IXAF_SET_SOURCE;
}
}
v6dst = ip6h->ip6_src;
@@ -1577,34 +1346,28 @@ icmp_pkt_v6(queue_t *q, mblk_t *mp, void *stuff, size_t len,
if (msg_len > len_needed) {
if (!adjmsg(mp, len_needed - msg_len)) {
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutErrors);
- freemsg(ipsec_mp);
- ill_refrele(ill);
+ freemsg(mp);
return;
}
msg_len = len_needed;
}
- mp1 = allocb_tmpl(IPV6_HDR_LEN + len, mp);
+ mp1 = allocb(IPV6_HDR_LEN + len, BPRI_MED);
if (mp1 == NULL) {
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutErrors);
- freemsg(ipsec_mp);
- ill_refrele(ill);
+ freemsg(mp);
return;
}
- ill_refrele(ill);
mp1->b_cont = mp;
mp = mp1;
- ASSERT(ipsec_mp->b_datap->db_type == M_CTL &&
- io->ipsec_out_type == IPSEC_OUT);
- ipsec_mp->b_cont = mp;
/*
- * Set ipsec_out_icmp_loopback so we can let the ICMP messages this
+ * Set IXAF_TRUSTED_ICMP so we can let the ICMP messages this
* node generates be accepted in peace by all on-host destinations.
* If we do NOT assume that all on-host destinations trust
- * self-generated ICMP messages, then rework here, ip.c, and spd.c.
- * (Look for ipsec_out_icmp_loopback).
+ * self-generated ICMP messages, then rework here, ip6.c, and spd.c.
+ * (Look for IXAF_TRUSTED_ICMP).
*/
- io->ipsec_out_icmp_loopback = B_TRUE;
+ ixas.ixa_flags |= IXAF_TRUSTED_ICMP;
ip6h = (ip6_t *)mp->b_rptr;
mp1->b_wptr = (uchar_t *)ip6h + (IPV6_HDR_LEN + len);
@@ -1624,20 +1387,21 @@ icmp_pkt_v6(queue_t *q, mblk_t *mp, void *stuff, size_t len,
bcopy(stuff, (char *)icmp6, len);
/*
* Prepare for checksum by putting icmp length in the icmp
- * checksum field. The checksum is calculated in ip_wput_v6.
+ * checksum field. The checksum is calculated in ip_output_wire_v6.
*/
icmp6->icmp6_cksum = ip6h->ip6_plen;
if (icmp6->icmp6_type == ND_REDIRECT) {
ip6h->ip6_hops = IPV6_MAX_HOPS;
}
- /* Send to V6 writeside put routine */
- put(q, ipsec_mp);
+
+ (void) ip_output_simple(mp, &ixas);
+ ixa_cleanup(&ixas);
}
/*
* Update the output mib when ICMPv6 packets are sent.
*/
-static void
+void
icmp_update_out_mib_v6(ill_t *ill, icmp6_t *icmp6)
{
BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutMsgs);
@@ -1712,14 +1476,19 @@ icmp_update_out_mib_v6(ill_t *ill, icmp6_t *icmp6)
* ICMP error packet should be sent.
*/
static mblk_t *
-icmp_pkt_err_ok_v6(queue_t *q, mblk_t *mp,
- boolean_t llbcast, boolean_t mcast_ok, ip_stack_t *ipst)
+icmp_pkt_err_ok_v6(mblk_t *mp, boolean_t mcast_ok, ip_recv_attr_t *ira)
{
- ip6_t *ip6h;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ boolean_t llbcast;
+ ip6_t *ip6h;
if (!mp)
return (NULL);
+ /* We view multicast and broadcast as the same.. */
+ llbcast = (ira->ira_flags &
+ (IRAF_L2DST_MULTICAST|IRAF_L2DST_BROADCAST)) != 0;
ip6h = (ip6_t *)mp->b_rptr;
/* Check if source address uniquely identifies the host */
@@ -1737,17 +1506,8 @@ icmp_pkt_err_ok_v6(queue_t *q, mblk_t *mp,
if (mp->b_wptr - mp->b_rptr < len_needed) {
if (!pullupmsg(mp, len_needed)) {
- ill_t *ill;
-
- ill = ip_queue_to_ill_v6(q, ipst);
- if (ill == NULL) {
- BUMP_MIB(&ipst->ips_icmp6_mib,
- ipv6IfIcmpInErrors);
- } else {
- BUMP_MIB(ill->ill_icmp6_mib,
- ipv6IfIcmpInErrors);
- ill_refrele(ill);
- }
+ BUMP_MIB(ill->ill_icmp6_mib,
+ ipv6IfIcmpInErrors);
freemsg(mp);
return (NULL);
}
@@ -1771,6 +1531,16 @@ icmp_pkt_err_ok_v6(queue_t *q, mblk_t *mp,
freemsg(mp);
return (NULL);
}
+ /*
+ * If this is a labeled system, then check to see if we're allowed to
+ * send a response to this particular sender. If not, then just drop.
+ */
+ if (is_system_labeled() && !tsol_can_reply_error(mp, ira)) {
+ BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutErrors);
+ freemsg(mp);
+ return (NULL);
+ }
+
if (icmp_err_rate_limit(ipst)) {
/*
* Only send ICMP error packets every so often.
@@ -1784,37 +1554,117 @@ icmp_pkt_err_ok_v6(queue_t *q, mblk_t *mp,
}
/*
+ * Called when a packet was sent out the same link that it arrived on.
+ * Check if it is ok to send a redirect and then send it.
+ */
+void
+ip_send_potential_redirect_v6(mblk_t *mp, ip6_t *ip6h, ire_t *ire,
+ ip_recv_attr_t *ira)
+{
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ in6_addr_t *v6targ;
+ ire_t *src_ire_v6 = NULL;
+ mblk_t *mp1;
+ ire_t *nhop_ire = NULL;
+
+ /*
+ * Don't send a redirect when forwarding a source
+ * routed packet.
+ */
+ if (ip_source_routed_v6(ip6h, mp, ipst))
+ return;
+
+ if (ire->ire_type & IRE_ONLINK) {
+ /* Target is directly connected */
+ v6targ = &ip6h->ip6_dst;
+ } else {
+ /* Determine the most specific IRE used to send the packets */
+ nhop_ire = ire_nexthop(ire);
+ if (nhop_ire == NULL)
+ return;
+
+ /*
+ * We won't send redirects to a router
+ * that doesn't have a link local
+ * address, but will forward.
+ */
+ if (!IN6_IS_ADDR_LINKLOCAL(&nhop_ire->ire_addr_v6)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInAddrErrors);
+ ip_drop_input("ipIfStatsInAddrErrors", mp, ill);
+ ire_refrele(nhop_ire);
+ return;
+ }
+ v6targ = &nhop_ire->ire_addr_v6;
+ }
+ src_ire_v6 = ire_ftable_lookup_v6(&ip6h->ip6_src,
+ NULL, NULL, IRE_INTERFACE, ire->ire_ill, ALL_ZONES, NULL,
+ MATCH_IRE_ILL | MATCH_IRE_TYPE, 0, ipst, NULL);
+
+ if (src_ire_v6 == NULL) {
+ if (nhop_ire != NULL)
+ ire_refrele(nhop_ire);
+ return;
+ }
+
+ /*
+ * The source is directly connected.
+ */
+ mp1 = copymsg(mp);
+ if (mp1 != NULL)
+ icmp_send_redirect_v6(mp1, v6targ, &ip6h->ip6_dst, ira);
+
+ if (nhop_ire != NULL)
+ ire_refrele(nhop_ire);
+ ire_refrele(src_ire_v6);
+}
+
+/*
* Generate an ICMPv6 redirect message.
* Include target link layer address option if it exits.
* Always include redirect header.
*/
static void
-icmp_send_redirect_v6(queue_t *q, mblk_t *mp, in6_addr_t *targetp,
- in6_addr_t *dest, ill_t *ill, boolean_t llbcast)
+icmp_send_redirect_v6(mblk_t *mp, in6_addr_t *targetp, in6_addr_t *dest,
+ ip_recv_attr_t *ira)
{
nd_redirect_t *rd;
nd_opt_rd_hdr_t *rdh;
uchar_t *buf;
- nce_t *nce = NULL;
+ ncec_t *ncec = NULL;
nd_opt_hdr_t *opt;
int len;
int ll_opt_len = 0;
int max_redir_hdr_data_len;
int pkt_len;
in6_addr_t *srcp;
- ip_stack_t *ipst = ill->ill_ipst;
-
- /*
- * We are called from ip_rput where we could
- * not have attached an IPSEC_IN.
- */
- ASSERT(mp->b_datap->db_type == M_DATA);
+ ill_t *ill;
+ boolean_t need_refrele;
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
- mp = icmp_pkt_err_ok_v6(q, mp, llbcast, B_FALSE, ipst);
+ mp = icmp_pkt_err_ok_v6(mp, B_FALSE, ira);
if (mp == NULL)
return;
- nce = ndp_lookup_v6(ill, B_TRUE, targetp, B_FALSE);
- if (nce != NULL && nce->nce_state != ND_INCOMPLETE) {
+
+ if (IS_UNDER_IPMP(ira->ira_ill)) {
+ ill = ipmp_ill_hold_ipmp_ill(ira->ira_ill);
+ if (ill == NULL) {
+ ill = ira->ira_ill;
+ BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInBadRedirects);
+ ip_drop_output("no IPMP ill for sending redirect",
+ mp, ill);
+ freemsg(mp);
+ return;
+ }
+ need_refrele = B_TRUE;
+ } else {
+ ill = ira->ira_ill;
+ need_refrele = B_FALSE;
+ }
+
+ ncec = ncec_lookup_illgrp_v6(ill, targetp);
+ if (ncec != NULL && ncec->ncec_state != ND_INCOMPLETE &&
+ ncec->ncec_lladdr != NULL) {
ll_opt_len = (sizeof (nd_opt_hdr_t) +
ill->ill_phys_addr_length + 7)/8 * 8;
}
@@ -1822,8 +1672,10 @@ icmp_send_redirect_v6(queue_t *q, mblk_t *mp, in6_addr_t *targetp,
ASSERT(len % 4 == 0);
buf = kmem_alloc(len, KM_NOSLEEP);
if (buf == NULL) {
- if (nce != NULL)
- NCE_REFRELE(nce);
+ if (ncec != NULL)
+ ncec_refrele(ncec);
+ if (need_refrele)
+ ill_refrele(ill);
freemsg(mp);
return;
}
@@ -1836,15 +1688,14 @@ icmp_send_redirect_v6(queue_t *q, mblk_t *mp, in6_addr_t *targetp,
rd->nd_rd_dst = *dest;
opt = (nd_opt_hdr_t *)(buf + sizeof (nd_redirect_t));
- if (nce != NULL && ll_opt_len != 0) {
+ if (ncec != NULL && ll_opt_len != 0) {
opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
opt->nd_opt_len = ll_opt_len/8;
- bcopy((char *)nce->nce_res_mp->b_rptr +
- NCE_LL_ADDR_OFFSET(ill), &opt[1],
+ bcopy((char *)ncec->ncec_lladdr, &opt[1],
ill->ill_phys_addr_length);
}
- if (nce != NULL)
- NCE_REFRELE(nce);
+ if (ncec != NULL)
+ ncec_refrele(ncec);
rdh = (nd_opt_rd_hdr_t *)(buf + sizeof (nd_redirect_t) + ll_opt_len);
rdh->nd_opt_rh_type = (uint8_t)ND_OPT_REDIRECTED_HEADER;
/* max_redir_hdr_data_len and nd_opt_rh_len must be multiple of 8 */
@@ -1862,321 +1713,136 @@ icmp_send_redirect_v6(queue_t *q, mblk_t *mp, in6_addr_t *targetp,
}
rdh->nd_opt_rh_reserved1 = 0;
rdh->nd_opt_rh_reserved2 = 0;
- /* ipif_v6src_addr contains the link-local source address */
- srcp = &ill->ill_ipif->ipif_v6src_addr;
+ /* ipif_v6lcl_addr contains the link-local source address */
+ srcp = &ill->ill_ipif->ipif_v6lcl_addr;
/* Redirects sent by router, and router is global zone */
- icmp_pkt_v6(q, mp, buf, len, srcp, B_FALSE, GLOBAL_ZONEID, ipst);
+ ASSERT(ira->ira_zoneid == ALL_ZONES);
+ ira->ira_zoneid = GLOBAL_ZONEID;
+ icmp_pkt_v6(mp, buf, len, srcp, ira);
kmem_free(buf, len);
+ if (need_refrele)
+ ill_refrele(ill);
}
/* Generate an ICMP time exceeded message. (May be called as writer.) */
void
-icmp_time_exceeded_v6(queue_t *q, mblk_t *mp, uint8_t code,
- boolean_t llbcast, boolean_t mcast_ok, zoneid_t zoneid,
- ip_stack_t *ipst)
+icmp_time_exceeded_v6(mblk_t *mp, uint8_t code, boolean_t mcast_ok,
+ ip_recv_attr_t *ira)
{
icmp6_t icmp6;
- boolean_t mctl_present;
- mblk_t *first_mp;
- EXTRACT_PKT_MP(mp, first_mp, mctl_present);
-
- mp = icmp_pkt_err_ok_v6(q, mp, llbcast, mcast_ok, ipst);
- if (mp == NULL) {
- if (mctl_present)
- freeb(first_mp);
+ mp = icmp_pkt_err_ok_v6(mp, mcast_ok, ira);
+ if (mp == NULL)
return;
- }
+
bzero(&icmp6, sizeof (icmp6_t));
icmp6.icmp6_type = ICMP6_TIME_EXCEEDED;
icmp6.icmp6_code = code;
- icmp_pkt_v6(q, first_mp, &icmp6, sizeof (icmp6_t), NULL, mctl_present,
- zoneid, ipst);
+ icmp_pkt_v6(mp, &icmp6, sizeof (icmp6_t), NULL, ira);
}
/*
* Generate an ICMP unreachable message.
+ * When called from ip_output side a minimal ip_recv_attr_t needs to be
+ * constructed by the caller.
*/
void
-icmp_unreachable_v6(queue_t *q, mblk_t *mp, uint8_t code,
- boolean_t llbcast, boolean_t mcast_ok, zoneid_t zoneid,
- ip_stack_t *ipst)
+icmp_unreachable_v6(mblk_t *mp, uint8_t code, boolean_t mcast_ok,
+ ip_recv_attr_t *ira)
{
icmp6_t icmp6;
- boolean_t mctl_present;
- mblk_t *first_mp;
- EXTRACT_PKT_MP(mp, first_mp, mctl_present);
-
- mp = icmp_pkt_err_ok_v6(q, mp, llbcast, mcast_ok, ipst);
- if (mp == NULL) {
- if (mctl_present)
- freeb(first_mp);
+ mp = icmp_pkt_err_ok_v6(mp, mcast_ok, ira);
+ if (mp == NULL)
return;
- }
+
bzero(&icmp6, sizeof (icmp6_t));
icmp6.icmp6_type = ICMP6_DST_UNREACH;
icmp6.icmp6_code = code;
- icmp_pkt_v6(q, first_mp, &icmp6, sizeof (icmp6_t), NULL, mctl_present,
- zoneid, ipst);
+ icmp_pkt_v6(mp, &icmp6, sizeof (icmp6_t), NULL, ira);
}
/*
* Generate an ICMP pkt too big message.
+ * When called from ip_output side a minimal ip_recv_attr_t needs to be
+ * constructed by the caller.
*/
-static void
-icmp_pkt2big_v6(queue_t *q, mblk_t *mp, uint32_t mtu,
- boolean_t llbcast, boolean_t mcast_ok, zoneid_t zoneid, ip_stack_t *ipst)
+void
+icmp_pkt2big_v6(mblk_t *mp, uint32_t mtu, boolean_t mcast_ok,
+ ip_recv_attr_t *ira)
{
icmp6_t icmp6;
- mblk_t *first_mp;
- boolean_t mctl_present;
- EXTRACT_PKT_MP(mp, first_mp, mctl_present);
-
- mp = icmp_pkt_err_ok_v6(q, mp, llbcast, mcast_ok, ipst);
- if (mp == NULL) {
- if (mctl_present)
- freeb(first_mp);
+ mp = icmp_pkt_err_ok_v6(mp, mcast_ok, ira);
+ if (mp == NULL)
return;
- }
+
bzero(&icmp6, sizeof (icmp6_t));
icmp6.icmp6_type = ICMP6_PACKET_TOO_BIG;
icmp6.icmp6_code = 0;
icmp6.icmp6_mtu = htonl(mtu);
- icmp_pkt_v6(q, first_mp, &icmp6, sizeof (icmp6_t), NULL, mctl_present,
- zoneid, ipst);
+ icmp_pkt_v6(mp, &icmp6, sizeof (icmp6_t), NULL, ira);
}
/*
* Generate an ICMP parameter problem message. (May be called as writer.)
* 'offset' is the offset from the beginning of the packet in error.
+ * When called from ip_output side a minimal ip_recv_attr_t needs to be
+ * constructed by the caller.
*/
static void
-icmp_param_problem_v6(queue_t *q, mblk_t *mp, uint8_t code,
- uint32_t offset, boolean_t llbcast, boolean_t mcast_ok, zoneid_t zoneid,
- ip_stack_t *ipst)
+icmp_param_problem_v6(mblk_t *mp, uint8_t code, uint32_t offset,
+ boolean_t mcast_ok, ip_recv_attr_t *ira)
{
icmp6_t icmp6;
- boolean_t mctl_present;
- mblk_t *first_mp;
-
- EXTRACT_PKT_MP(mp, first_mp, mctl_present);
- mp = icmp_pkt_err_ok_v6(q, mp, llbcast, mcast_ok, ipst);
- if (mp == NULL) {
- if (mctl_present)
- freeb(first_mp);
+ mp = icmp_pkt_err_ok_v6(mp, mcast_ok, ira);
+ if (mp == NULL)
return;
- }
+
bzero((char *)&icmp6, sizeof (icmp6_t));
icmp6.icmp6_type = ICMP6_PARAM_PROB;
icmp6.icmp6_code = code;
icmp6.icmp6_pptr = htonl(offset);
- icmp_pkt_v6(q, first_mp, &icmp6, sizeof (icmp6_t), NULL, mctl_present,
- zoneid, ipst);
+ icmp_pkt_v6(mp, &icmp6, sizeof (icmp6_t), NULL, ira);
}
-/*
- * This code will need to take into account the possibility of binding
- * to a link local address on a multi-homed host, in which case the
- * outgoing interface (from the conn) will need to be used when getting
- * an ire for the dst. Going through proper outgoing interface and
- * choosing the source address corresponding to the outgoing interface
- * is necessary when the destination address is a link-local address and
- * IPV6_BOUND_IF or IPV6_PKTINFO or scope_id has been set.
- * This can happen when active connection is setup; thus ipp pointer
- * is passed here from tcp_connect_*() routines, in non-TCP cases NULL
- * pointer is passed as ipp pointer.
- */
-mblk_t *
-ip_bind_v6(queue_t *q, mblk_t *mp, conn_t *connp, ip6_pkt_t *ipp)
+void
+icmp_param_problem_nexthdr_v6(mblk_t *mp, boolean_t mcast_ok,
+ ip_recv_attr_t *ira)
{
- ssize_t len;
- int protocol;
- struct T_bind_req *tbr;
- sin6_t *sin6;
- ipa6_conn_t *ac6;
- in6_addr_t *v6srcp;
- in6_addr_t *v6dstp;
- uint16_t lport;
- uint16_t fport;
- uchar_t *ucp;
- int error = 0;
- boolean_t local_bind;
- ipa6_conn_x_t *acx6;
- boolean_t verify_dst;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
- cred_t *cr;
-
- /*
- * All Solaris components should pass a db_credp
- * for this TPI message, hence we ASSERT.
- * But in case there is some other M_PROTO that looks
- * like a TPI message sent by some other kernel
- * component, we check and return an error.
- */
- cr = msg_getcred(mp, NULL);
- ASSERT(cr != NULL);
- if (cr == NULL) {
- error = EINVAL;
- goto bad_addr;
- }
-
- ASSERT(connp->conn_af_isv6);
- len = mp->b_wptr - mp->b_rptr;
- if (len < (sizeof (*tbr) + 1)) {
- (void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
- "ip_bind_v6: bogus msg, len %ld", len);
- goto bad_addr;
- }
- /* Back up and extract the protocol identifier. */
- mp->b_wptr--;
- tbr = (struct T_bind_req *)mp->b_rptr;
- /* Reset the message type in preparation for shipping it back. */
- mp->b_datap->db_type = M_PCPROTO;
-
- protocol = *mp->b_wptr & 0xFF;
- connp->conn_ulp = (uint8_t)protocol;
-
- /*
- * Check for a zero length address. This is from a protocol that
- * wants to register to receive all packets of its type.
- */
- if (tbr->ADDR_length == 0) {
- if ((protocol == IPPROTO_TCP || protocol == IPPROTO_SCTP ||
- protocol == IPPROTO_ESP || protocol == IPPROTO_AH) &&
- ipst->ips_ipcl_proto_fanout_v6[protocol].connf_head !=
- NULL) {
- /*
- * TCP, SCTP, AH, and ESP have single protocol fanouts.
- * Do not allow others to bind to these.
- */
- goto bad_addr;
- }
-
- /*
- *
- * The udp module never sends down a zero-length address,
- * and allowing this on a labeled system will break MLP
- * functionality.
- */
- if (is_system_labeled() && protocol == IPPROTO_UDP)
- goto bad_addr;
-
- /* Allow ipsec plumbing */
- if ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
- (protocol != IPPROTO_AH) && (protocol != IPPROTO_ESP))
- goto bad_addr;
-
- connp->conn_srcv6 = ipv6_all_zeros;
- ipcl_proto_insert_v6(connp, protocol);
-
- tbr->PRIM_type = T_BIND_ACK;
- return (mp);
- }
-
- /* Extract the address pointer from the message. */
- ucp = (uchar_t *)mi_offset_param(mp, tbr->ADDR_offset,
- tbr->ADDR_length);
- if (ucp == NULL) {
- ip1dbg(("ip_bind_v6: no address\n"));
- goto bad_addr;
- }
- if (!OK_32PTR(ucp)) {
- ip1dbg(("ip_bind_v6: unaligned address\n"));
- goto bad_addr;
- }
-
- switch (tbr->ADDR_length) {
- default:
- ip1dbg(("ip_bind_v6: bad address length %d\n",
- (int)tbr->ADDR_length));
- goto bad_addr;
-
- case IPV6_ADDR_LEN:
- /* Verification of local address only */
- v6srcp = (in6_addr_t *)ucp;
- lport = 0;
- local_bind = B_TRUE;
- break;
-
- case sizeof (sin6_t):
- sin6 = (sin6_t *)ucp;
- v6srcp = &sin6->sin6_addr;
- lport = sin6->sin6_port;
- local_bind = B_TRUE;
- break;
-
- case sizeof (ipa6_conn_t):
- /*
- * Verify that both the source and destination addresses
- * are valid.
- */
- ac6 = (ipa6_conn_t *)ucp;
- v6srcp = &ac6->ac6_laddr;
- v6dstp = &ac6->ac6_faddr;
- fport = ac6->ac6_fport;
- /* For raw socket, the local port is not set. */
- lport = ac6->ac6_lport != 0 ? ac6->ac6_lport :
- connp->conn_lport;
- local_bind = B_FALSE;
- /* Always verify destination reachability. */
- verify_dst = B_TRUE;
- break;
-
- case sizeof (ipa6_conn_x_t):
- /*
- * Verify that the source address is valid.
- */
- acx6 = (ipa6_conn_x_t *)ucp;
- ac6 = &acx6->ac6x_conn;
- v6srcp = &ac6->ac6_laddr;
- v6dstp = &ac6->ac6_faddr;
- fport = ac6->ac6_fport;
- lport = ac6->ac6_lport;
- local_bind = B_FALSE;
- /*
- * Client that passed ipa6_conn_x_t to us specifies whether to
- * verify destination reachability.
- */
- verify_dst = (acx6->ac6x_flags & ACX_VERIFY_DST) != 0;
- break;
- }
- if (local_bind) {
- error = ip_proto_bind_laddr_v6(connp, &mp->b_cont, protocol,
- v6srcp, lport, tbr->ADDR_length != IPV6_ADDR_LEN);
- } else {
- error = ip_proto_bind_connected_v6(connp, &mp->b_cont, protocol,
- v6srcp, lport, v6dstp, ipp, fport, B_TRUE, verify_dst, cr);
- }
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+ uint16_t hdr_length;
+ uint8_t *nexthdrp;
+ uint32_t offset;
+ ill_t *ill = ira->ira_ill;
- if (error == 0) {
- /* Send it home. */
- mp->b_datap->db_type = M_PCPROTO;
- tbr->PRIM_type = T_BIND_ACK;
- return (mp);
+ /* Determine the offset of the bad nexthdr value */
+ if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &hdr_length, &nexthdrp)) {
+ /* Malformed packet */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
}
-bad_addr:
- ASSERT(error != EINPROGRESS);
- if (error > 0)
- mp = mi_tpi_err_ack_alloc(mp, TSYSERR, error);
- else
- mp = mi_tpi_err_ack_alloc(mp, TBADADDR, 0);
- return (mp);
+ offset = nexthdrp - mp->b_rptr;
+ icmp_param_problem_v6(mp, ICMP6_PARAMPROB_NEXTHEADER, offset,
+ mcast_ok, ira);
}
/*
- * Here address is verified to be a valid local address.
- * If the IRE_DB_REQ_TYPE mp is present, a multicast
- * address is also considered a valid local address.
+ * Verify whether or not the IP address is a valid local address.
+ * Could be a unicast, including one for a down interface.
+ * If allow_mcbc then a multicast or broadcast address is also
+ * acceptable.
+ *
* In the case of a multicast address, however, the
* upper protocol is expected to reset the src address
- * to 0 if it sees an ire with IN6_IS_ADDR_MULTICAST returned so that
+ * to zero when we return IPVL_MCAST so that
* no packets are emitted with multicast address as
* source address.
* The addresses valid for bind are:
@@ -2193,855 +1859,418 @@ bad_addr:
* When the address is loopback or multicast, there might be many matching IREs
* so bind has to look up based on the zone.
*/
-/*
- * Verify the local IP address. Does not change the conn_t except
- * conn_fully_bound and conn_policy_cached.
- */
-static int
-ip_bind_laddr_v6(conn_t *connp, mblk_t **mpp, uint8_t protocol,
- const in6_addr_t *v6src, uint16_t lport, boolean_t fanout_insert)
+ip_laddr_t
+ip_laddr_verify_v6(const in6_addr_t *v6src, zoneid_t zoneid,
+ ip_stack_t *ipst, boolean_t allow_mcbc, uint_t scopeid)
{
- int error = 0;
- ire_t *src_ire = NULL;
- zoneid_t zoneid;
- mblk_t *mp = NULL;
- boolean_t ire_requested;
- boolean_t ipsec_policy_set;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- if (mpp)
- mp = *mpp;
-
- ire_requested = (mp != NULL && DB_TYPE(mp) == IRE_DB_REQ_TYPE);
- ipsec_policy_set = (mp != NULL && DB_TYPE(mp) == IPSEC_POLICY_SET);
-
- /*
- * If it was previously connected, conn_fully_bound would have
- * been set.
- */
- connp->conn_fully_bound = B_FALSE;
-
- zoneid = IPCL_ZONEID(connp);
+ ire_t *src_ire;
+ uint_t match_flags;
+ ill_t *ill = NULL;
- if (!IN6_IS_ADDR_UNSPECIFIED(v6src)) {
- src_ire = ire_route_lookup_v6(v6src, 0, 0,
- 0, NULL, NULL, zoneid, NULL, MATCH_IRE_ZONEONLY, ipst);
- /*
- * If an address other than in6addr_any is requested,
- * we verify that it is a valid address for bind
- * Note: Following code is in if-else-if form for
- * readability compared to a condition check.
- */
- ASSERT(src_ire == NULL || !(src_ire->ire_type & IRE_BROADCAST));
- /* LINTED - statement has no consequent */
- if (IRE_IS_LOCAL(src_ire)) {
- /*
- * (2) Bind to address of local UP interface
- */
- } else if (IN6_IS_ADDR_MULTICAST(v6src)) {
- ipif_t *multi_ipif = NULL;
- ire_t *save_ire;
- /*
- * (4) bind to multicast address.
- * Fake out the IRE returned to upper
- * layer to be a broadcast IRE in
- * ip_bind_insert_ire_v6().
- * Pass other information that matches
- * the ipif (e.g. the source address).
- * conn_multicast_ill is only used for
- * IPv6 packets
- */
- mutex_enter(&connp->conn_lock);
- if (connp->conn_multicast_ill != NULL) {
- (void) ipif_lookup_zoneid(
- connp->conn_multicast_ill, zoneid, 0,
- &multi_ipif);
- } else {
- /*
- * Look for default like
- * ip_wput_v6
- */
- multi_ipif = ipif_lookup_group_v6(
- &ipv6_unspecified_group, zoneid, ipst);
- }
- mutex_exit(&connp->conn_lock);
- save_ire = src_ire;
- src_ire = NULL;
- if (multi_ipif == NULL || !ire_requested ||
- (src_ire = ipif_to_ire_v6(multi_ipif)) == NULL) {
- src_ire = save_ire;
- error = EADDRNOTAVAIL;
- } else {
- ASSERT(src_ire != NULL);
- if (save_ire != NULL)
- ire_refrele(save_ire);
- }
- if (multi_ipif != NULL)
- ipif_refrele(multi_ipif);
- } else {
- if (!ip_addr_exists_v6(v6src, zoneid, ipst)) {
- /*
- * Not a valid address for bind
- */
- error = EADDRNOTAVAIL;
- }
- }
+ ASSERT(!IN6_IS_ADDR_V4MAPPED(v6src));
+ ASSERT(!IN6_IS_ADDR_UNSPECIFIED(v6src));
- if (error != 0) {
- /* Red Alert! Attempting to be a bogon! */
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("ip_bind_laddr_v6: bad src"
- " address %s\n", AF_INET6, v6src);
- }
- goto bad_addr;
- }
+ match_flags = MATCH_IRE_ZONEONLY;
+ if (scopeid != 0) {
+ ill = ill_lookup_on_ifindex(scopeid, B_TRUE, ipst);
+ if (ill == NULL)
+ return (IPVL_BAD);
+ match_flags |= MATCH_IRE_ILL;
}
+ src_ire = ire_ftable_lookup_v6(v6src, NULL, NULL, 0,
+ ill, zoneid, NULL, match_flags, 0, ipst, NULL);
+ if (ill != NULL)
+ ill_refrele(ill);
+
/*
- * Allow setting new policies. For example, disconnects come
- * down as ipa_t bind. As we would have set conn_policy_cached
- * to B_TRUE before, we should set it to B_FALSE, so that policy
- * can change after the disconnect.
+ * If an address other than in6addr_any is requested,
+ * we verify that it is a valid address for bind
+ * Note: Following code is in if-else-if form for
+ * readability compared to a condition check.
*/
- connp->conn_policy_cached = B_FALSE;
-
- /* If not fanout_insert this was just an address verification */
- if (fanout_insert) {
+ if (src_ire != NULL && (src_ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK))) {
/*
- * The addresses have been verified. Time to insert in
- * the correct fanout list.
+ * (2) Bind to address of local UP interface
*/
- connp->conn_srcv6 = *v6src;
- connp->conn_remv6 = ipv6_all_zeros;
- connp->conn_lport = lport;
- connp->conn_fport = 0;
- error = ipcl_bind_insert_v6(connp, protocol, v6src, lport);
- }
- if (error == 0) {
- if (ire_requested) {
- if (!ip_bind_get_ire_v6(mpp, src_ire, v6src, NULL,
- ipst)) {
- error = -1;
- goto bad_addr;
- }
- mp = *mpp;
- } else if (ipsec_policy_set) {
- if (!ip_bind_ipsec_policy_set(connp, mp)) {
- error = -1;
- goto bad_addr;
- }
- }
- }
-bad_addr:
- if (error != 0) {
- if (connp->conn_anon_port) {
- (void) tsol_mlp_anon(crgetzone(connp->conn_cred),
- connp->conn_mlp_type, connp->conn_ulp, ntohs(lport),
- B_FALSE);
- }
- connp->conn_mlp_type = mlptSingle;
- }
-
- if (src_ire != NULL)
ire_refrele(src_ire);
+ return (IPVL_UNICAST_UP);
+ } else if (IN6_IS_ADDR_MULTICAST(v6src)) {
+ /* (4) bind to multicast address. */
+ if (src_ire != NULL)
+ ire_refrele(src_ire);
- if (ipsec_policy_set) {
- ASSERT(mp != NULL);
- freeb(mp);
/*
- * As of now assume that nothing else accompanies
- * IPSEC_POLICY_SET.
+ * Note: caller should take IPV6_MULTICAST_IF
+ * into account when selecting a real source address.
*/
- *mpp = NULL;
- }
-
- return (error);
-}
-int
-ip_proto_bind_laddr_v6(conn_t *connp, mblk_t **mpp, uint8_t protocol,
- const in6_addr_t *v6srcp, uint16_t lport, boolean_t fanout_insert)
-{
- int error;
- boolean_t orig_pkt_isv6 = connp->conn_pkt_isv6;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- ASSERT(connp->conn_af_isv6);
- connp->conn_ulp = protocol;
+ if (allow_mcbc)
+ return (IPVL_MCAST);
+ else
+ return (IPVL_BAD);
+ } else {
+ ipif_t *ipif;
- if (IN6_IS_ADDR_V4MAPPED(v6srcp) && !connp->conn_ipv6_v6only) {
- /* Bind to IPv4 address */
- ipaddr_t v4src;
+ /*
+ * (3) Bind to address of local DOWN interface?
+ * (ipif_lookup_addr() looks up all interfaces
+ * but we do not get here for UP interfaces
+ * - case (2) above)
+ */
+ if (src_ire != NULL)
+ ire_refrele(src_ire);
- IN6_V4MAPPED_TO_IPADDR(v6srcp, v4src);
+ ipif = ipif_lookup_addr_v6(v6src, NULL, zoneid, ipst);
+ if (ipif == NULL)
+ return (IPVL_BAD);
- error = ip_bind_laddr_v4(connp, mpp, protocol, v4src, lport,
- fanout_insert);
- if (error != 0)
- goto bad_addr;
- connp->conn_pkt_isv6 = B_FALSE;
- } else {
- if (IN6_IS_ADDR_V4MAPPED(v6srcp)) {
- error = 0;
- goto bad_addr;
+ /* Not a useful source? */
+ if (ipif->ipif_flags & (IPIF_NOLOCAL | IPIF_ANYCAST)) {
+ ipif_refrele(ipif);
+ return (IPVL_BAD);
}
- error = ip_bind_laddr_v6(connp, mpp, protocol, v6srcp,
- lport, fanout_insert);
- if (error != 0)
- goto bad_addr;
- connp->conn_pkt_isv6 = B_TRUE;
+ ipif_refrele(ipif);
+ return (IPVL_UNICAST_DOWN);
}
-
- if (orig_pkt_isv6 != connp->conn_pkt_isv6)
- ip_setpktversion(connp, connp->conn_pkt_isv6, B_TRUE, ipst);
- return (0);
-
-bad_addr:
- if (error < 0)
- error = -TBADADDR;
- return (error);
}
/*
- * Verify that both the source and destination addresses
- * are valid. If verify_dst, then destination address must also be reachable,
- * i.e. have a route. Protocols like TCP want this. Tunnels do not.
- * It takes ip6_pkt_t * as one of the arguments to determine correct
- * source address when IPV6_PKTINFO or scope_id is set along with a link-local
- * destination address. Note that parameter ipp is only useful for TCP connect
- * when scope_id is set or IPV6_PKTINFO option is set with an ifindex. For all
- * non-TCP cases, it is NULL and for all other tcp cases it is not useful.
+ * Verify that both the source and destination addresses are valid. If
+ * IPDF_VERIFY_DST is not set, then the destination address may be unreachable,
+ * i.e. have no route to it. Protocols like TCP want to verify destination
+ * reachability, while tunnels do not.
+ *
+ * Determine the route, the interface, and (optionally) the source address
+ * to use to reach a given destination.
+ * Note that we allow connect to broadcast and multicast addresses when
+ * IPDF_ALLOW_MCBC is set.
+ * first_hop and dst_addr are normally the same, but if source routing
+ * they will differ; in that case the first_hop is what we'll use for the
+ * routing lookup but the dce and label checks will be done on dst_addr,
+ *
+ * If uinfo is set, then we fill in the best available information
+ * we have for the destination. This is based on (in priority order) any
+ * metrics and path MTU stored in a dce_t, route metrics, and finally the
+ * ill_mtu.
+ *
+ * Tsol note: If we have a source route then dst_addr != firsthop. But we
+ * always do the label check on dst_addr.
*
+ * Assumes that the caller has set ixa_scopeid for link-local communication.
*/
int
-ip_bind_connected_v6(conn_t *connp, mblk_t **mpp, uint8_t protocol,
- in6_addr_t *v6src, uint16_t lport, const in6_addr_t *v6dst,
- ip6_pkt_t *ipp, uint16_t fport, boolean_t fanout_insert,
- boolean_t verify_dst, cred_t *cr)
+ip_set_destination_v6(in6_addr_t *src_addrp, const in6_addr_t *dst_addr,
+ const in6_addr_t *firsthop, ip_xmit_attr_t *ixa, iulp_t *uinfo,
+ uint32_t flags, uint_t mac_mode)
{
- ire_t *src_ire;
- ire_t *dst_ire;
+ ire_t *ire;
int error = 0;
- ire_t *sire = NULL;
- ire_t *md_dst_ire = NULL;
- ill_t *md_ill = NULL;
- ill_t *dst_ill = NULL;
- ipif_t *src_ipif = NULL;
- zoneid_t zoneid;
- boolean_t ill_held = B_FALSE;
- mblk_t *mp = NULL;
- boolean_t ire_requested = B_FALSE;
- boolean_t ipsec_policy_set = B_FALSE;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
- ts_label_t *tsl = NULL;
- cred_t *effective_cred = NULL;
-
- if (mpp)
- mp = *mpp;
-
- if (mp != NULL) {
- ire_requested = (DB_TYPE(mp) == IRE_DB_REQ_TYPE);
- ipsec_policy_set = (DB_TYPE(mp) == IPSEC_POLICY_SET);
- }
-
- src_ire = dst_ire = NULL;
- /*
- * If we never got a disconnect before, clear it now.
- */
- connp->conn_fully_bound = B_FALSE;
+ in6_addr_t setsrc; /* RTF_SETSRC */
+ zoneid_t zoneid = ixa->ixa_zoneid; /* Honors SO_ALLZONES */
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ dce_t *dce;
+ uint_t pmtu;
+ uint_t ifindex;
+ uint_t generation;
+ nce_t *nce;
+ ill_t *ill = NULL;
+ boolean_t multirt = B_FALSE;
+
+ ASSERT(!IN6_IS_ADDR_V4MAPPED(dst_addr));
- zoneid = connp->conn_zoneid;
+ ASSERT(!(ixa->ixa_flags & IXAF_IS_IPV4));
/*
- * Check whether Trusted Solaris policy allows communication with this
- * host, and pretend that the destination is unreachable if not.
- *
- * This is never a problem for TCP, since that transport is known to
- * compute the label properly as part of the tcp_rput_other T_BIND_ACK
- * handling. If the remote is unreachable, it will be detected at that
- * point, so there's no reason to check it here.
- *
- * Note that for sendto (and other datagram-oriented friends), this
- * check is done as part of the data path label computation instead.
- * The check here is just to make non-TCP connect() report the right
- * error.
+ * We never send to zero; the ULPs map it to the loopback address.
+ * We can't allow it since we use zero to mean unitialized in some
+ * places.
*/
- if (is_system_labeled() && !IPCL_IS_TCP(connp)) {
- if ((error = tsol_check_dest(cr, v6dst, IPV6_VERSION,
- connp->conn_mac_mode, &effective_cred)) != 0) {
- if (ip_debug > 2) {
- pr_addr_dbg(
- "ip_bind_connected: no label for dst %s\n",
- AF_INET6, v6dst);
- }
- goto bad_addr;
- }
+ ASSERT(!IN6_IS_ADDR_UNSPECIFIED(dst_addr));
- /*
- * tsol_check_dest() may have created a new cred with
- * a modified security label. Use that cred if it exists
- * for ire lookups.
- */
- if (effective_cred == NULL) {
- tsl = crgetlabel(cr);
- } else {
- tsl = crgetlabel(effective_cred);
+ if (is_system_labeled()) {
+ ts_label_t *tsl = NULL;
+
+ error = tsol_check_dest(ixa->ixa_tsl, dst_addr, IPV6_VERSION,
+ mac_mode, (flags & IPDF_ZONE_IS_GLOBAL) != 0, &tsl);
+ if (error != 0)
+ return (error);
+ if (tsl != NULL) {
+ /* Update the label */
+ ip_xmit_attr_replace_tsl(ixa, tsl);
}
}
- if (IN6_IS_ADDR_MULTICAST(v6dst)) {
- ipif_t *ipif;
+ setsrc = ipv6_all_zeros;
+ /*
+ * Select a route; For IPMP interfaces, we would only select
+ * a "hidden" route (i.e., going through a specific under_ill)
+ * if ixa_ifindex has been specified.
+ */
+ ire = ip_select_route_v6(firsthop, ixa, &generation, &setsrc, &error,
+ &multirt);
+ ASSERT(ire != NULL); /* IRE_NOROUTE if none found */
+ if (error != 0)
+ goto bad_addr;
+ /*
+ * ire can't be a broadcast or multicast unless IPDF_ALLOW_MCBC is set.
+ * If IPDF_VERIFY_DST is set, the destination must be reachable.
+ * Otherwise the destination needn't be reachable.
+ *
+ * If we match on a reject or black hole, then we've got a
+ * local failure. May as well fail out the connect() attempt,
+ * since it's never going to succeed.
+ */
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
/*
- * Use an "emulated" IRE_BROADCAST to tell the transport it
- * is a multicast.
- * Pass other information that matches
- * the ipif (e.g. the source address).
+ * If we're verifying destination reachability, we always want
+ * to complain here.
*
- * conn_multicast_ill is only used for IPv6 packets
- */
- mutex_enter(&connp->conn_lock);
- if (connp->conn_multicast_ill != NULL) {
- (void) ipif_lookup_zoneid(connp->conn_multicast_ill,
- zoneid, 0, &ipif);
- } else {
- /* Look for default like ip_wput_v6 */
- ipif = ipif_lookup_group_v6(v6dst, zoneid, ipst);
- }
- mutex_exit(&connp->conn_lock);
- if (ipif == NULL || ire_requested ||
- (dst_ire = ipif_to_ire_v6(ipif)) == NULL) {
- if (ipif != NULL)
- ipif_refrele(ipif);
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("ip_bind_connected_v6: bad "
- "connected multicast %s\n", AF_INET6,
- v6dst);
- }
- error = ENETUNREACH;
- goto bad_addr;
- }
- if (ipif != NULL)
- ipif_refrele(ipif);
- } else {
- dst_ire = ire_route_lookup_v6(v6dst, NULL, NULL, 0,
- NULL, &sire, zoneid, tsl,
- MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT |
- MATCH_IRE_PARENT | MATCH_IRE_RJ_BHOLE | MATCH_IRE_SECATTR,
- ipst);
- /*
- * We also prevent ire's with src address INADDR_ANY to
- * be used, which are created temporarily for
- * sending out packets from endpoints that have
- * conn_unspec_src set.
+ * If we're not verifying destination reachability but the
+ * destination has a route, we still want to fail on the
+ * temporary address and broadcast address tests.
+ *
+ * In both cases do we let the code continue so some reasonable
+ * information is returned to the caller. That enables the
+ * caller to use (and even cache) the IRE. conn_ip_ouput will
+ * use the generation mismatch path to check for the unreachable
+ * case thereby avoiding any specific check in the main path.
*/
- if (dst_ire == NULL ||
- (dst_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
- IN6_IS_ADDR_UNSPECIFIED(&dst_ire->ire_src_addr_v6)) {
+ ASSERT(generation == IRE_GENERATION_VERIFY);
+ if (flags & IPDF_VERIFY_DST) {
/*
- * When verifying destination reachability, we always
- * complain.
- *
- * When not verifying destination reachability but we
- * found an IRE, i.e. the destination is reachable,
- * then the other tests still apply and we complain.
+ * Set errno but continue to set up ixa_ire to be
+ * the RTF_REJECT|RTF_BLACKHOLE IRE.
+ * That allows callers to use ip_output to get an
+ * ICMP error back.
*/
- if (verify_dst || (dst_ire != NULL)) {
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("ip_bind_connected_v6: bad"
- " connected dst %s\n", AF_INET6,
- v6dst);
- }
- if (dst_ire == NULL ||
- !(dst_ire->ire_type & IRE_HOST)) {
- error = ENETUNREACH;
- } else {
- error = EHOSTUNREACH;
- }
- goto bad_addr;
- }
+ if (!(ire->ire_type & IRE_HOST))
+ error = ENETUNREACH;
+ else
+ error = EHOSTUNREACH;
}
}
- /*
- * If the app does a connect(), it means that it will most likely
- * send more than 1 packet to the destination. It makes sense
- * to clear the temporary flag.
- */
- if (dst_ire != NULL && dst_ire->ire_type == IRE_CACHE &&
- (dst_ire->ire_marks & IRE_MARK_TEMPORARY)) {
- irb_t *irb = dst_ire->ire_bucket;
-
- rw_enter(&irb->irb_lock, RW_WRITER);
- /*
- * We need to recheck for IRE_MARK_TEMPORARY after acquiring
- * the lock in order to guarantee irb_tmp_ire_cnt.
- */
- if (dst_ire->ire_marks & IRE_MARK_TEMPORARY) {
- dst_ire->ire_marks &= ~IRE_MARK_TEMPORARY;
- irb->irb_tmp_ire_cnt--;
- }
- rw_exit(&irb->irb_lock);
+ if ((ire->ire_type & (IRE_BROADCAST|IRE_MULTICAST)) &&
+ !(flags & IPDF_ALLOW_MCBC)) {
+ ire_refrele(ire);
+ ire = ire_reject(ipst, B_FALSE);
+ generation = IRE_GENERATION_VERIFY;
+ error = ENETUNREACH;
}
- ASSERT(dst_ire == NULL || dst_ire->ire_ipversion == IPV6_VERSION);
+ /* Cache things */
+ if (ixa->ixa_ire != NULL)
+ ire_refrele_notr(ixa->ixa_ire);
+#ifdef DEBUG
+ ire_refhold_notr(ire);
+ ire_refrele(ire);
+#endif
+ ixa->ixa_ire = ire;
+ ixa->ixa_ire_generation = generation;
/*
- * See if we should notify ULP about MDT; we do this whether or not
- * ire_requested is TRUE, in order to handle active connects; MDT
- * eligibility tests for passive connects are handled separately
- * through tcp_adapt_ire(). We do this before the source address
- * selection, because dst_ire may change after a call to
- * ipif_select_source_v6(). This is a best-effort check, as the
- * packet for this connection may not actually go through
- * dst_ire->ire_stq, and the exact IRE can only be known after
- * calling ip_newroute_v6(). This is why we further check on the
- * IRE during Multidata packet transmission in tcp_multisend().
+ * For multicast with multirt we have a flag passed back from
+ * ire_lookup_multi_ill_v6 since we don't have an IRE for each
+ * possible multicast address.
+ * We also need a flag for multicast since we can't check
+ * whether RTF_MULTIRT is set in ixa_ire for multicast.
*/
- if (ipst->ips_ip_multidata_outbound && !ipsec_policy_set &&
- dst_ire != NULL &&
- !(dst_ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK | IRE_BROADCAST)) &&
- (md_ill = ire_to_ill(dst_ire), md_ill != NULL) &&
- ILL_MDT_CAPABLE(md_ill)) {
- md_dst_ire = dst_ire;
- IRE_REFHOLD(md_dst_ire);
- }
-
- if (dst_ire != NULL &&
- dst_ire->ire_type == IRE_LOCAL &&
- dst_ire->ire_zoneid != zoneid &&
- dst_ire->ire_zoneid != ALL_ZONES) {
- src_ire = ire_ftable_lookup_v6(v6dst, 0, 0, 0, NULL, NULL,
- zoneid, 0, NULL,
- MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT |
- MATCH_IRE_RJ_BHOLE, ipst);
- if (src_ire == NULL) {
- error = EHOSTUNREACH;
- goto bad_addr;
- } else if (src_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
- if (!(src_ire->ire_type & IRE_HOST))
- error = ENETUNREACH;
- else
- error = EHOSTUNREACH;
- goto bad_addr;
- }
- if (IN6_IS_ADDR_UNSPECIFIED(v6src)) {
- src_ipif = src_ire->ire_ipif;
- ipif_refhold(src_ipif);
- *v6src = src_ipif->ipif_v6lcl_addr;
- }
- ire_refrele(src_ire);
- src_ire = NULL;
- } else if (IN6_IS_ADDR_UNSPECIFIED(v6src) && dst_ire != NULL) {
- if ((sire != NULL) && (sire->ire_flags & RTF_SETSRC)) {
- *v6src = sire->ire_src_addr_v6;
- ire_refrele(dst_ire);
- dst_ire = sire;
- sire = NULL;
- } else if (dst_ire->ire_type == IRE_CACHE &&
- (dst_ire->ire_flags & RTF_SETSRC)) {
- ASSERT(dst_ire->ire_zoneid == zoneid ||
- dst_ire->ire_zoneid == ALL_ZONES);
- *v6src = dst_ire->ire_src_addr_v6;
+ if (multirt) {
+ ixa->ixa_postfragfn = ip_postfrag_multirt_v6;
+ ixa->ixa_flags |= IXAF_MULTIRT_MULTICAST;
+ } else {
+ ixa->ixa_postfragfn = ire->ire_postfragfn;
+ ixa->ixa_flags &= ~IXAF_MULTIRT_MULTICAST;
+ }
+ if (!(ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))) {
+ /* Get an nce to cache. */
+ nce = ire_to_nce(ire, NULL, firsthop);
+ if (nce == NULL) {
+ /* Allocation failure? */
+ ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
} else {
- /*
- * Pick a source address so that a proper inbound load
- * spreading would happen. Use dst_ill specified by the
- * app. when socket option or scopeid is set.
- */
- int err;
-
- if (ipp != NULL && ipp->ipp_ifindex != 0) {
- uint_t if_index;
-
- /*
- * Scope id or IPV6_PKTINFO
- */
-
- if_index = ipp->ipp_ifindex;
- dst_ill = ill_lookup_on_ifindex(
- if_index, B_TRUE, NULL, NULL, NULL, NULL,
- ipst);
- if (dst_ill == NULL) {
- ip1dbg(("ip_bind_connected_v6:"
- " bad ifindex %d\n", if_index));
- error = EADDRNOTAVAIL;
- goto bad_addr;
- }
- ill_held = B_TRUE;
- } else if (connp->conn_outgoing_ill != NULL) {
- /*
- * For IPV6_BOUND_IF socket option,
- * conn_outgoing_ill should be set
- * already in TCP or UDP/ICMP.
- */
- dst_ill = conn_get_held_ill(connp,
- &connp->conn_outgoing_ill, &err);
- if (err == ILL_LOOKUP_FAILED) {
- ip1dbg(("ip_bind_connected_v6:"
- "no ill for bound_if\n"));
- error = EADDRNOTAVAIL;
- goto bad_addr;
- }
- ill_held = B_TRUE;
- } else if (dst_ire->ire_stq != NULL) {
- /* No need to hold ill here */
- dst_ill = (ill_t *)dst_ire->ire_stq->q_ptr;
- } else {
- /* No need to hold ill here */
- dst_ill = dst_ire->ire_ipif->ipif_ill;
- }
- if (ip6_asp_can_lookup(ipst)) {
- src_ipif = ipif_select_source_v6(dst_ill,
- v6dst, B_FALSE, connp->conn_src_preferences,
- zoneid);
- ip6_asp_table_refrele(ipst);
- if (src_ipif == NULL) {
- pr_addr_dbg("ip_bind_connected_v6: "
- "no usable source address for "
- "connection to %s\n",
- AF_INET6, v6dst);
- error = EADDRNOTAVAIL;
- goto bad_addr;
- }
- *v6src = src_ipif->ipif_v6lcl_addr;
- } else {
- error = EADDRNOTAVAIL;
- goto bad_addr;
- }
+ if (ixa->ixa_nce != NULL)
+ nce_refrele(ixa->ixa_nce);
+ ixa->ixa_nce = nce;
}
}
/*
- * We do ire_route_lookup_v6() here (and not an interface lookup)
- * as we assert that v6src should only come from an
- * UP interface for hard binding.
+ * We use use ire_nexthop_ill to avoid the under ipmp
+ * interface for source address selection. Note that for ipmp
+ * probe packets, ixa_ifindex would have been specified, and
+ * the ip_select_route() invocation would have picked an ire
+ * will ire_ill pointing at an under interface.
*/
- src_ire = ire_route_lookup_v6(v6src, 0, 0, 0, NULL,
- NULL, zoneid, NULL, MATCH_IRE_ZONEONLY, ipst);
-
- /* src_ire must be a local|loopback */
- if (!IRE_IS_LOCAL(src_ire)) {
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("ip_bind_connected_v6: bad "
- "connected src %s\n", AF_INET6, v6src);
- }
- error = EADDRNOTAVAIL;
- goto bad_addr;
- }
+ ill = ire_nexthop_ill(ire);
/*
* If the source address is a loopback address, the
* destination had best be local or multicast.
- * The transports that can't handle multicast will reject
- * those addresses.
+ * If we are sending to an IRE_LOCAL using a loopback source then
+ * it had better be the same zoneid.
*/
- if (src_ire->ire_type == IRE_LOOPBACK &&
- !(IRE_IS_LOCAL(dst_ire) || IN6_IS_ADDR_MULTICAST(v6dst) ||
- IN6_IS_ADDR_V4MAPPED_CLASSD(v6dst))) {
- ip1dbg(("ip_bind_connected_v6: bad connected loopback\n"));
- error = -1;
- goto bad_addr;
+ if (IN6_IS_ADDR_LOOPBACK(src_addrp)) {
+ if ((ire->ire_type & IRE_LOCAL) && ire->ire_zoneid != zoneid) {
+ ire = NULL; /* Stored in ixa_ire */
+ error = EADDRNOTAVAIL;
+ goto bad_addr;
+ }
+ if (!(ire->ire_type & (IRE_LOOPBACK|IRE_LOCAL|IRE_MULTICAST))) {
+ ire = NULL; /* Stored in ixa_ire */
+ error = EADDRNOTAVAIL;
+ goto bad_addr;
+ }
}
- /*
- * Allow setting new policies. For example, disconnects come
- * down as ipa_t bind. As we would have set conn_policy_cached
- * to B_TRUE before, we should set it to B_FALSE, so that policy
- * can change after the disconnect.
- */
- connp->conn_policy_cached = B_FALSE;
/*
- * The addresses have been verified. Initialize the conn
- * before calling the policy as they expect the conns
- * initialized.
+ * Does the caller want us to pick a source address?
*/
- connp->conn_srcv6 = *v6src;
- connp->conn_remv6 = *v6dst;
- connp->conn_lport = lport;
- connp->conn_fport = fport;
-
- ASSERT(!(ipsec_policy_set && ire_requested));
- if (ire_requested) {
- iulp_t *ulp_info = NULL;
+ if (flags & IPDF_SELECT_SRC) {
+ in6_addr_t src_addr;
+
+ /* If unreachable we have no ill but need some source */
+ if (ill == NULL) {
+ src_addr = ipv6_loopback;
+ /* Make sure we look for a better source address */
+ generation = SRC_GENERATION_VERIFY;
+ } else {
+ error = ip_select_source_v6(ill, &setsrc, dst_addr,
+ zoneid, ipst, B_FALSE, ixa->ixa_src_preferences,
+ &src_addr, &generation, NULL);
+ if (error != 0) {
+ ire = NULL; /* Stored in ixa_ire */
+ goto bad_addr;
+ }
+ }
/*
- * Note that sire will not be NULL if this is an off-link
- * connection and there is not cache for that dest yet.
- *
- * XXX Because of an existing bug, if there are multiple
- * default routes, the IRE returned now may not be the actual
- * default route used (default routes are chosen in a
- * round robin fashion). So if the metrics for different
- * default routes are different, we may return the wrong
- * metrics. This will not be a problem if the existing
- * bug is fixed.
+ * We allow the source address to to down.
+ * However, we check that we don't use the loopback address
+ * as a source when sending out on the wire.
*/
- if (sire != NULL)
- ulp_info = &(sire->ire_uinfo);
-
- if (!ip_bind_get_ire_v6(mpp, dst_ire, v6dst, ulp_info,
- ipst)) {
- error = -1;
- goto bad_addr;
- }
- } else if (ipsec_policy_set) {
- if (!ip_bind_ipsec_policy_set(connp, mp)) {
- error = -1;
+ if (IN6_IS_ADDR_LOOPBACK(&src_addr) &&
+ !(ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK|IRE_MULTICAST)) &&
+ !(ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))) {
+ ire = NULL; /* Stored in ixa_ire */
+ error = EADDRNOTAVAIL;
goto bad_addr;
}
+
+ *src_addrp = src_addr;
+ ixa->ixa_src_generation = generation;
}
/*
- * Cache IPsec policy in this conn. If we have per-socket policy,
- * we'll cache that. If we don't, we'll inherit global policy.
- *
- * We can't insert until the conn reflects the policy. Note that
- * conn_policy_cached is set by ipsec_conn_cache_policy() even for
- * connections where we don't have a policy. This is to prevent
- * global policy lookups in the inbound path.
- *
- * If we insert before we set conn_policy_cached,
- * CONN_INBOUND_POLICY_PRESENT_V6() check can still evaluate true
- * because global policy cound be non-empty. We normally call
- * ipsec_check_policy() for conn_policy_cached connections only if
- * conn_in_enforce_policy is set. But in this case,
- * conn_policy_cached can get set anytime since we made the
- * CONN_INBOUND_POLICY_PRESENT_V6() check and ipsec_check_policy()
- * is called, which will make the above assumption false. Thus, we
- * need to insert after we set conn_policy_cached.
+ * Make sure we don't leave an unreachable ixa_nce in place
+ * since ip_select_route is used when we unplumb i.e., remove
+ * references on ixa_ire, ixa_nce, and ixa_dce.
*/
- if ((error = ipsec_conn_cache_policy(connp, B_FALSE)) != 0)
- goto bad_addr;
+ nce = ixa->ixa_nce;
+ if (nce != NULL && nce->nce_is_condemned) {
+ nce_refrele(nce);
+ ixa->ixa_nce = NULL;
+ ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
+ }
- /* If not fanout_insert this was just an address verification */
- if (fanout_insert) {
- /*
- * The addresses have been verified. Time to insert in
- * the correct fanout list.
- */
- error = ipcl_conn_insert_v6(connp, protocol, v6src, v6dst,
- connp->conn_ports,
- IPCL_IS_TCP(connp) ? connp->conn_tcp->tcp_bound_if : 0);
+
+ ifindex = 0;
+ if (IN6_IS_ADDR_LINKSCOPE(dst_addr)) {
+ /* If we are creating a DCE we'd better have an ifindex */
+ if (ill != NULL)
+ ifindex = ill->ill_phyint->phyint_ifindex;
+ else
+ flags &= ~IPDF_UNIQUE_DCE;
}
- if (error == 0) {
- connp->conn_fully_bound = B_TRUE;
- /*
- * Our initial checks for MDT have passed; the IRE is not
- * LOCAL/LOOPBACK/BROADCAST, and the link layer seems to
- * be supporting MDT. Pass the IRE, IPC and ILL into
- * ip_mdinfo_return(), which performs further checks
- * against them and upon success, returns the MDT info
- * mblk which we will attach to the bind acknowledgment.
- */
- if (md_dst_ire != NULL) {
- mblk_t *mdinfo_mp;
-
- ASSERT(md_ill != NULL);
- ASSERT(md_ill->ill_mdt_capab != NULL);
- if ((mdinfo_mp = ip_mdinfo_return(md_dst_ire, connp,
- md_ill->ill_name, md_ill->ill_mdt_capab)) != NULL) {
- if (mp == NULL) {
- *mpp = mdinfo_mp;
- } else {
- linkb(mp, mdinfo_mp);
- }
- }
+
+ if (flags & IPDF_UNIQUE_DCE) {
+ /* Fallback to the default dce if allocation fails */
+ dce = dce_lookup_and_add_v6(dst_addr, ifindex, ipst);
+ if (dce != NULL) {
+ generation = dce->dce_generation;
+ } else {
+ dce = dce_lookup_v6(dst_addr, ifindex, ipst,
+ &generation);
}
+ } else {
+ dce = dce_lookup_v6(dst_addr, ifindex, ipst, &generation);
}
-bad_addr:
- if (ipsec_policy_set) {
- ASSERT(mp != NULL);
- freeb(mp);
- /*
- * As of now assume that nothing else accompanies
- * IPSEC_POLICY_SET.
- */
- *mpp = NULL;
- }
-refrele_and_quit:
- if (src_ire != NULL)
- IRE_REFRELE(src_ire);
- if (dst_ire != NULL)
- IRE_REFRELE(dst_ire);
- if (sire != NULL)
- IRE_REFRELE(sire);
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
- if (md_dst_ire != NULL)
- IRE_REFRELE(md_dst_ire);
- if (ill_held && dst_ill != NULL)
- ill_refrele(dst_ill);
- if (effective_cred != NULL)
- crfree(effective_cred);
- return (error);
-}
-
-/* ARGSUSED */
-int
-ip_proto_bind_connected_v6(conn_t *connp, mblk_t **mpp, uint8_t protocol,
- in6_addr_t *v6srcp, uint16_t lport, const in6_addr_t *v6dstp,
- ip6_pkt_t *ipp, uint16_t fport, boolean_t fanout_insert,
- boolean_t verify_dst, cred_t *cr)
-{
- int error = 0;
- boolean_t orig_pkt_isv6 = connp->conn_pkt_isv6;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- ASSERT(connp->conn_af_isv6);
- connp->conn_ulp = protocol;
+ ASSERT(dce != NULL);
+ if (ixa->ixa_dce != NULL)
+ dce_refrele_notr(ixa->ixa_dce);
+#ifdef DEBUG
+ dce_refhold_notr(dce);
+ dce_refrele(dce);
+#endif
+ ixa->ixa_dce = dce;
+ ixa->ixa_dce_generation = generation;
- /* For raw socket, the local port is not set. */
- lport = lport != 0 ? lport : connp->conn_lport;
+ /*
+ * Note that IPv6 multicast supports PMTU discovery unlike IPv4
+ * multicast. But pmtu discovery is only enabled for connected
+ * sockets in general.
+ */
/*
- * Bind to local and remote address. Local might be
- * unspecified in which case it will be extracted from
- * ire_src_addr_v6
+ * Set initial value for fragmentation limit. Either conn_ip_output
+ * or ULP might updates it when there are routing changes.
+ * Handles a NULL ixa_ire->ire_ill or a NULL ixa_nce for RTF_REJECT.
*/
- if (IN6_IS_ADDR_V4MAPPED(v6dstp) && !connp->conn_ipv6_v6only) {
- /* Connect to IPv4 address */
- ipaddr_t v4src;
- ipaddr_t v4dst;
-
- /* Is the source unspecified or mapped? */
- if (!IN6_IS_ADDR_V4MAPPED(v6srcp) &&
- !IN6_IS_ADDR_UNSPECIFIED(v6srcp)) {
- ip1dbg(("ip_proto_bind_connected_v6: "
- "dst is mapped, but not the src\n"));
- goto bad_addr;
- }
- IN6_V4MAPPED_TO_IPADDR(v6srcp, v4src);
- IN6_V4MAPPED_TO_IPADDR(v6dstp, v4dst);
+ pmtu = ip_get_pmtu(ixa);
+ ixa->ixa_fragsize = pmtu;
+ /* Make sure ixa_fragsize and ixa_pmtu remain identical */
+ if (ixa->ixa_flags & IXAF_VERIFY_PMTU)
+ ixa->ixa_pmtu = pmtu;
- /* Always verify destination reachability. */
- error = ip_bind_connected_v4(connp, mpp, protocol, &v4src,
- lport, v4dst, fport, B_TRUE, B_TRUE, cr);
- if (error != 0)
- goto bad_addr;
- IN6_IPADDR_TO_V4MAPPED(v4src, v6srcp);
- connp->conn_pkt_isv6 = B_FALSE;
- } else if (IN6_IS_ADDR_V4MAPPED(v6srcp)) {
- ip1dbg(("ip_proto_bind_connected_v6: "
- "src is mapped, but not the dst\n"));
- goto bad_addr;
- } else {
- error = ip_bind_connected_v6(connp, mpp, protocol, v6srcp,
- lport, v6dstp, ipp, fport, B_TRUE, verify_dst, cr);
- if (error != 0)
- goto bad_addr;
- connp->conn_pkt_isv6 = B_TRUE;
- }
+ /*
+ * Extract information useful for some transports.
+ * First we look for DCE metrics. Then we take what we have in
+ * the metrics in the route, where the offlink is used if we have
+ * one.
+ */
+ if (uinfo != NULL) {
+ bzero(uinfo, sizeof (*uinfo));
- if (orig_pkt_isv6 != connp->conn_pkt_isv6)
- ip_setpktversion(connp, connp->conn_pkt_isv6, B_TRUE, ipst);
+ if (dce->dce_flags & DCEF_UINFO)
+ *uinfo = dce->dce_uinfo;
- /* Send it home. */
- return (0);
+ rts_merge_metrics(uinfo, &ire->ire_metrics);
-bad_addr:
- if (error == 0)
- error = -TBADADDR;
- return (error);
-}
+ /* Allow ire_metrics to decrease the path MTU from above */
+ if (uinfo->iulp_mtu == 0 || uinfo->iulp_mtu > pmtu)
+ uinfo->iulp_mtu = pmtu;
-/*
- * Get the ire in *mpp. Returns false if it fails (due to lack of space).
- * Makes the IRE be IRE_BROADCAST if dst is a multicast address.
- */
-/* ARGSUSED4 */
-static boolean_t
-ip_bind_get_ire_v6(mblk_t **mpp, ire_t *ire, const in6_addr_t *dst,
- iulp_t *ulp_info, ip_stack_t *ipst)
-{
- mblk_t *mp = *mpp;
- ire_t *ret_ire;
+ uinfo->iulp_localnet = (ire->ire_type & IRE_ONLINK) != 0;
+ uinfo->iulp_loopback = (ire->ire_type & IRE_LOOPBACK) != 0;
+ uinfo->iulp_local = (ire->ire_type & IRE_LOCAL) != 0;
+ }
- ASSERT(mp != NULL);
+ if (ill != NULL)
+ ill_refrele(ill);
- if (ire != NULL) {
- /*
- * mp initialized above to IRE_DB_REQ_TYPE
- * appended mblk. Its <upper protocol>'s
- * job to make sure there is room.
- */
- if ((mp->b_datap->db_lim - mp->b_rptr) < sizeof (ire_t))
- return (B_FALSE);
+ return (error);
- mp->b_datap->db_type = IRE_DB_TYPE;
- mp->b_wptr = mp->b_rptr + sizeof (ire_t);
- bcopy(ire, mp->b_rptr, sizeof (ire_t));
- ret_ire = (ire_t *)mp->b_rptr;
- if (IN6_IS_ADDR_MULTICAST(dst) ||
- IN6_IS_ADDR_V4MAPPED_CLASSD(dst)) {
- ret_ire->ire_type = IRE_BROADCAST;
- ret_ire->ire_addr_v6 = *dst;
- }
- if (ulp_info != NULL) {
- bcopy(ulp_info, &(ret_ire->ire_uinfo),
- sizeof (iulp_t));
- }
- ret_ire->ire_mp = mp;
- } else {
- /*
- * No IRE was found. Remove IRE mblk.
- */
- *mpp = mp->b_cont;
- freeb(mp);
- }
- return (B_TRUE);
-}
+bad_addr:
+ if (ire != NULL)
+ ire_refrele(ire);
-/*
- * Add an ip6i_t header to the front of the mblk.
- * Inline if possible else allocate a separate mblk containing only the ip6i_t.
- * Returns NULL if allocation fails (and frees original message).
- * Used in outgoing path when going through ip_newroute_*v6().
- * Used in incoming path to pass ifindex to transports.
- */
-mblk_t *
-ip_add_info_v6(mblk_t *mp, ill_t *ill, const in6_addr_t *dst)
-{
- mblk_t *mp1;
- ip6i_t *ip6i;
- ip6_t *ip6h;
+ if (ill != NULL)
+ ill_refrele(ill);
- ip6h = (ip6_t *)mp->b_rptr;
- ip6i = (ip6i_t *)(mp->b_rptr - sizeof (ip6i_t));
- if ((uchar_t *)ip6i < mp->b_datap->db_base ||
- mp->b_datap->db_ref > 1) {
- mp1 = allocb(sizeof (ip6i_t), BPRI_MED);
- if (mp1 == NULL) {
- freemsg(mp);
- return (NULL);
- }
- mp1->b_wptr = mp1->b_rptr = mp1->b_datap->db_lim;
- mp1->b_cont = mp;
- mp = mp1;
- ip6i = (ip6i_t *)(mp->b_rptr - sizeof (ip6i_t));
- }
- mp->b_rptr = (uchar_t *)ip6i;
- ip6i->ip6i_vcf = ip6h->ip6_vcf;
- ip6i->ip6i_nxt = IPPROTO_RAW;
- if (ill != NULL) {
- ip6i->ip6i_flags = IP6I_IFINDEX;
- /*
- * If `ill' is in an IPMP group, make sure we use the IPMP
- * interface index so that e.g. IPV6_RECVPKTINFO will get the
- * IPMP interface index and not an underlying interface index.
- */
- if (IS_UNDER_IPMP(ill))
- ip6i->ip6i_ifindex = ipmp_ill_get_ipmp_ifindex(ill);
- else
- ip6i->ip6i_ifindex = ill->ill_phyint->phyint_ifindex;
- } else {
- ip6i->ip6i_flags = 0;
+ /*
+ * Make sure we don't leave an unreachable ixa_nce in place
+ * since ip_select_route is used when we unplumb i.e., remove
+ * references on ixa_ire, ixa_nce, and ixa_dce.
+ */
+ nce = ixa->ixa_nce;
+ if (nce != NULL && nce->nce_is_condemned) {
+ nce_refrele(nce);
+ ixa->ixa_nce = NULL;
+ ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
}
- ip6i->ip6i_nexthop = *dst;
- return (mp);
+
+ return (error);
}
/*
@@ -3051,53 +2280,29 @@ ip_add_info_v6(mblk_t *mp, ill_t *ill, const in6_addr_t *dst)
* of any incoming packets.
*
* Zones notes:
- * Packets will be distributed to streams in all zones. This is really only
+ * Packets will be distributed to conns in all zones. This is really only
* useful for ICMPv6 as only applications in the global zone can create raw
* sockets for other protocols.
*/
-static void
-ip_fanout_proto_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h, ill_t *ill,
- ill_t *inill, uint8_t nexthdr, uint_t nexthdr_offset, uint_t flags,
- boolean_t mctl_present, zoneid_t zoneid)
+void
+ip_fanout_proto_v6(mblk_t *mp, ip6_t *ip6h, ip_recv_attr_t *ira)
{
- queue_t *rq;
- mblk_t *mp1, *first_mp1;
- in6_addr_t dst = ip6h->ip6_dst;
- in6_addr_t src = ip6h->ip6_src;
- mblk_t *first_mp = mp;
- boolean_t secure, shared_addr;
- conn_t *connp, *first_connp, *next_connp;
- connf_t *connfp;
- ip_stack_t *ipst = inill->ill_ipst;
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
-
- if (mctl_present) {
- mp = first_mp->b_cont;
- secure = ipsec_in_is_secure(first_mp);
- ASSERT(mp != NULL);
- } else {
- secure = B_FALSE;
- }
-
- shared_addr = (zoneid == ALL_ZONES);
- if (shared_addr) {
- /*
- * We don't allow multilevel ports for raw IP, so no need to
- * check for that here.
- */
- zoneid = tsol_packet_to_zoneid(mp);
- }
+ mblk_t *mp1;
+ in6_addr_t laddr = ip6h->ip6_dst;
+ conn_t *connp, *first_connp, *next_connp;
+ connf_t *connfp;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
- connfp = &ipst->ips_ipcl_proto_fanout_v6[nexthdr];
+ connfp = &ipst->ips_ipcl_proto_fanout_v6[ira->ira_protocol];
mutex_enter(&connfp->connf_lock);
connp = connfp->connf_head;
for (connp = connfp->connf_head; connp != NULL;
connp = connp->conn_next) {
- if (IPCL_PROTO_MATCH_V6(connp, nexthdr, ip6h, ill, flags,
- zoneid) &&
- (!is_system_labeled() ||
- tsol_receive_local(mp, &dst, IPV6_VERSION, shared_addr,
- connp)))
+ /* Note: IPCL_PROTO_MATCH_V6 includes conn_wantpacket */
+ if (IPCL_PROTO_MATCH_V6(connp, ira, ip6h) &&
+ (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
+ tsol_receive_local(mp, &laddr, IPV6_VERSION, ira, connp)))
break;
}
@@ -3108,96 +2313,52 @@ ip_fanout_proto_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h, ill_t *ill,
* unclaimed datagrams?
*/
mutex_exit(&connfp->connf_lock);
- if (ip_fanout_send_icmp_v6(q, first_mp, flags,
- ICMP6_PARAM_PROB, ICMP6_PARAMPROB_NEXTHEADER,
- nexthdr_offset, mctl_present, zoneid, ipst)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInUnknownProtos);
- }
-
+ ip_fanout_send_icmp_v6(mp, ICMP6_PARAM_PROB,
+ ICMP6_PARAMPROB_NEXTHEADER, ira);
return;
}
- ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_upq != NULL);
+ ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_rq != NULL);
CONN_INC_REF(connp);
first_connp = connp;
/*
* XXX: Fix the multiple protocol listeners case. We should not
- * be walking the conn->next list here.
+ * be walking the conn->conn_next list here.
*/
connp = connp->conn_next;
for (;;) {
while (connp != NULL) {
- if (IPCL_PROTO_MATCH_V6(connp, nexthdr, ip6h, ill,
- flags, zoneid) &&
- (!is_system_labeled() ||
- tsol_receive_local(mp, &dst, IPV6_VERSION,
- shared_addr, connp)))
+ /* Note: IPCL_PROTO_MATCH_V6 includes conn_wantpacket */
+ if (IPCL_PROTO_MATCH_V6(connp, ira, ip6h) &&
+ (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
+ tsol_receive_local(mp, &laddr, IPV6_VERSION,
+ ira, connp)))
break;
connp = connp->conn_next;
}
- /*
- * Just copy the data part alone. The mctl part is
- * needed just for verifying policy and it is never
- * sent up.
- */
- if (connp == NULL ||
- (((first_mp1 = dupmsg(first_mp)) == NULL) &&
- ((first_mp1 = ip_copymsg(first_mp)) == NULL))) {
- /*
- * No more intested clients or memory
- * allocation failed
- */
+ if (connp == NULL) {
+ /* No more interested clients */
+ connp = first_connp;
+ break;
+ }
+ if (((mp1 = dupmsg(mp)) == NULL) &&
+ ((mp1 = copymsg(mp)) == NULL)) {
+ /* Memory allocation failed */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
connp = first_connp;
break;
}
- ASSERT(IPCL_IS_NONSTR(connp) || connp->conn_rq != NULL);
- mp1 = mctl_present ? first_mp1->b_cont : first_mp1;
+
CONN_INC_REF(connp);
mutex_exit(&connfp->connf_lock);
- rq = connp->conn_rq;
- /*
- * For link-local always add ifindex so that transport can set
- * sin6_scope_id. Avoid it for ICMP error fanout.
- */
- if ((connp->conn_ip_recvpktinfo ||
- IN6_IS_ADDR_LINKLOCAL(&src)) &&
- (flags & IP_FF_IPINFO)) {
- /* Add header */
- mp1 = ip_add_info_v6(mp1, inill, &dst);
- }
- if (mp1 == NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- } else if (
- (IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
- (!IPCL_IS_NONSTR(connp) && !canputnext(rq))) {
- if (flags & IP_FF_RAWIP) {
- BUMP_MIB(ill->ill_ip_mib,
- rawipIfStatsInOverflows);
- } else {
- BUMP_MIB(ill->ill_icmp6_mib,
- ipv6IfIcmpInOverflows);
- }
- freemsg(mp1);
- } else {
- ASSERT(!IPCL_IS_IPTUN(connp));
+ ip_fanout_proto_conn(connp, mp1, NULL, (ip6_t *)mp1->b_rptr,
+ ira);
- if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) ||
- secure) {
- first_mp1 = ipsec_check_inbound_policy(
- first_mp1, connp, NULL, ip6h, mctl_present);
- }
- if (first_mp1 != NULL) {
- if (mctl_present)
- freeb(first_mp1);
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsHCInDelivers);
- (connp->conn_recv)(connp, mp1, NULL);
- }
- }
mutex_enter(&connfp->connf_lock);
/* Follow the next pointer before releasing the conn. */
next_connp = connp->conn_next;
@@ -3208,105 +2369,33 @@ ip_fanout_proto_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h, ill_t *ill,
/* Last one. Send it upstream. */
mutex_exit(&connfp->connf_lock);
- /* Initiate IPPF processing */
- if (IP6_IN_IPP(flags, ipst)) {
- uint_t ifindex;
-
- mutex_enter(&ill->ill_lock);
- ifindex = ill->ill_phyint->phyint_ifindex;
- mutex_exit(&ill->ill_lock);
- ip_process(IPP_LOCAL_IN, &mp, ifindex);
- if (mp == NULL) {
- CONN_DEC_REF(connp);
- if (mctl_present)
- freeb(first_mp);
- return;
- }
- }
-
- /*
- * For link-local always add ifindex so that transport can set
- * sin6_scope_id. Avoid it for ICMP error fanout.
- */
- if ((connp->conn_ip_recvpktinfo || IN6_IS_ADDR_LINKLOCAL(&src)) &&
- (flags & IP_FF_IPINFO)) {
- /* Add header */
- mp = ip_add_info_v6(mp, inill, &dst);
- if (mp == NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- CONN_DEC_REF(connp);
- if (mctl_present)
- freeb(first_mp);
- return;
- } else if (mctl_present) {
- first_mp->b_cont = mp;
- } else {
- first_mp = mp;
- }
- }
-
- rq = connp->conn_rq;
- if ((IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
- (!IPCL_IS_NONSTR(connp) && !canputnext(rq))) {
-
- if (flags & IP_FF_RAWIP) {
- BUMP_MIB(ill->ill_ip_mib, rawipIfStatsInOverflows);
- } else {
- BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInOverflows);
- }
-
- freemsg(first_mp);
- } else {
- ASSERT(!IPCL_IS_IPTUN(connp));
+ ip_fanout_proto_conn(connp, mp, NULL, ip6h, ira);
- if (CONN_INBOUND_POLICY_PRESENT(connp, ipss) || secure) {
- first_mp = ipsec_check_inbound_policy(first_mp, connp,
- NULL, ip6h, mctl_present);
- if (first_mp == NULL) {
- CONN_DEC_REF(connp);
- return;
- }
- }
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
- (connp->conn_recv)(connp, mp, NULL);
- if (mctl_present)
- freeb(first_mp);
- }
CONN_DEC_REF(connp);
}
/*
- * Send an ICMP error after patching up the packet appropriately. Returns
- * non-zero if the appropriate MIB should be bumped; zero otherwise.
+ * Called when it is conceptually a ULP that would sent the packet
+ * e.g., port unreachable and nexthdr unknown. Check that the packet
+ * would have passed the IPsec global policy before sending the error.
+ *
+ * Send an ICMP error after patching up the packet appropriately.
+ * Uses ip_drop_input and bumps the appropriate MIB.
+ * For ICMP6_PARAMPROB_NEXTHEADER we determine the offset to use.
*/
-int
-ip_fanout_send_icmp_v6(queue_t *q, mblk_t *mp, uint_t flags,
- uint_t icmp_type, uint8_t icmp_code, uint_t nexthdr_offset,
- boolean_t mctl_present, zoneid_t zoneid, ip_stack_t *ipst)
+void
+ip_fanout_send_icmp_v6(mblk_t *mp, uint_t icmp_type, uint8_t icmp_code,
+ ip_recv_attr_t *ira)
{
- ip6_t *ip6h;
- mblk_t *first_mp;
- boolean_t secure;
- unsigned char db_type;
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
+ ip6_t *ip6h;
+ boolean_t secure;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ netstack_t *ns = ipst->ips_netstack;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+
+ secure = ira->ira_flags & IRAF_IPSEC_SECURE;
- first_mp = mp;
- if (mctl_present) {
- mp = mp->b_cont;
- secure = ipsec_in_is_secure(first_mp);
- ASSERT(mp != NULL);
- } else {
- /*
- * If this is an ICMP error being reported - which goes
- * up as M_CTLs, we need to convert them to M_DATA till
- * we finish checking with global policy because
- * ipsec_check_global_policy() assumes M_DATA as clear
- * and M_CTL as secure.
- */
- db_type = mp->b_datap->db_type;
- mp->b_datap->db_type = M_DATA;
- secure = B_FALSE;
- }
/*
* We are generating an icmp error for some inbound packet.
* Called from all ip_fanout_(udp, tcp, proto) functions.
@@ -3316,572 +2405,155 @@ ip_fanout_send_icmp_v6(queue_t *q, mblk_t *mp, uint_t flags,
*/
ip6h = (ip6_t *)mp->b_rptr;
if (secure || ipss->ipsec_inbound_v6_policy_present) {
- first_mp = ipsec_check_global_policy(first_mp, NULL,
- NULL, ip6h, mctl_present, ipst->ips_netstack);
- if (first_mp == NULL)
- return (0);
- }
-
- if (!mctl_present)
- mp->b_datap->db_type = db_type;
-
- if (flags & IP_FF_SEND_ICMP) {
- if (flags & IP_FF_HDR_COMPLETE) {
- if (ip_hdr_complete_v6(ip6h, zoneid, ipst)) {
- freemsg(first_mp);
- return (1);
- }
- }
- switch (icmp_type) {
- case ICMP6_DST_UNREACH:
- icmp_unreachable_v6(WR(q), first_mp, icmp_code,
- B_FALSE, B_FALSE, zoneid, ipst);
- break;
- case ICMP6_PARAM_PROB:
- icmp_param_problem_v6(WR(q), first_mp, icmp_code,
- nexthdr_offset, B_FALSE, B_FALSE, zoneid, ipst);
- break;
- default:
-#ifdef DEBUG
- panic("ip_fanout_send_icmp_v6: wrong type");
- /*NOTREACHED*/
-#else
- freemsg(first_mp);
- break;
-#endif
- }
- } else {
- freemsg(first_mp);
- return (0);
- }
-
- return (1);
-}
-
-/*
- * Fanout for TCP packets
- * The caller puts <fport, lport> in the ports parameter.
- */
-static void
-ip_fanout_tcp_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h, ill_t *ill, ill_t *inill,
- uint_t flags, uint_t hdr_len, boolean_t mctl_present, zoneid_t zoneid)
-{
- mblk_t *first_mp;
- boolean_t secure;
- conn_t *connp;
- tcph_t *tcph;
- boolean_t syn_present = B_FALSE;
- ip_stack_t *ipst = inill->ill_ipst;
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
-
- first_mp = mp;
- if (mctl_present) {
- mp = first_mp->b_cont;
- secure = ipsec_in_is_secure(first_mp);
- ASSERT(mp != NULL);
- } else {
- secure = B_FALSE;
- }
-
- connp = ipcl_classify_v6(mp, IPPROTO_TCP, hdr_len, zoneid, ipst);
-
- if (connp == NULL ||
- !conn_wantpacket_v6(connp, ill, ip6h, flags, zoneid)) {
- /*
- * No hard-bound match. Send Reset.
- */
- dblk_t *dp = mp->b_datap;
- uint32_t ill_index;
-
- ASSERT((dp->db_struioflag & STRUIO_IP) == 0);
-
- /* Initiate IPPf processing, if needed. */
- if (IPP_ENABLED(IPP_LOCAL_IN, ipst) &&
- (flags & IP6_NO_IPPOLICY)) {
- ill_index = ill->ill_phyint->phyint_ifindex;
- ip_process(IPP_LOCAL_IN, &first_mp, ill_index);
- if (first_mp == NULL) {
- if (connp != NULL)
- CONN_DEC_REF(connp);
- return;
- }
- }
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
- if (connp != NULL) {
- ip_xmit_reset_serialize(first_mp, hdr_len, zoneid,
- ipst->ips_netstack->netstack_tcp, connp);
- CONN_DEC_REF(connp);
- } else {
- tcp_xmit_listeners_reset(first_mp, hdr_len, zoneid,
- ipst->ips_netstack->netstack_tcp, NULL);
- }
-
- return;
- }
-
- tcph = (tcph_t *)&mp->b_rptr[hdr_len];
- if ((tcph->th_flags[0] & (TH_SYN|TH_ACK|TH_RST|TH_URG)) == TH_SYN) {
- if (IPCL_IS_TCP(connp)) {
- squeue_t *sqp;
-
- /*
- * If the queue belongs to a conn, and fused tcp
- * loopback is enabled, assign the eager's squeue
- * to be that of the active connect's.
- */
- if ((flags & IP_FF_LOOPBACK) && do_tcp_fusion &&
- CONN_Q(q) && IPCL_IS_TCP(Q_TO_CONN(q)) &&
- !CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) &&
- !secure &&
- !IP6_IN_IPP(flags, ipst)) {
- ASSERT(Q_TO_CONN(q)->conn_sqp != NULL);
- sqp = Q_TO_CONN(q)->conn_sqp;
- } else {
- sqp = IP_SQUEUE_GET(lbolt);
- }
-
- mp->b_datap->db_struioflag |= STRUIO_EAGER;
- DB_CKSUMSTART(mp) = (intptr_t)sqp;
-
- /*
- * db_cksumstuff is unused in the incoming
- * path; Thus store the ifindex here. It will
- * be cleared in tcp_conn_create_v6().
- */
- DB_CKSUMSTUFF(mp) =
- (intptr_t)ill->ill_phyint->phyint_ifindex;
- syn_present = B_TRUE;
- }
- }
-
- if (IPCL_IS_TCP(connp) && IPCL_IS_BOUND(connp) && !syn_present) {
- uint_t flags = (unsigned int)tcph->th_flags[0] & 0xFF;
- if ((flags & TH_RST) || (flags & TH_URG)) {
- CONN_DEC_REF(connp);
- freemsg(first_mp);
- return;
- }
- if (flags & TH_ACK) {
- ip_xmit_reset_serialize(first_mp, hdr_len, zoneid,
- ipst->ips_netstack->netstack_tcp, connp);
- CONN_DEC_REF(connp);
+ mp = ipsec_check_global_policy(mp, NULL, NULL, ip6h, ira, ns);
+ if (mp == NULL)
return;
- }
+ }
- CONN_DEC_REF(connp);
- freemsg(first_mp);
+ /* We never send errors for protocols that we do implement */
+ if (ira->ira_protocol == IPPROTO_ICMPV6) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ip_fanout_send_icmp_v6", mp, ill);
+ freemsg(mp);
return;
}
- if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) || secure) {
- first_mp = ipsec_check_inbound_policy(first_mp, connp,
- NULL, ip6h, mctl_present);
- if (first_mp == NULL) {
- CONN_DEC_REF(connp);
- return;
- }
- if (IPCL_IS_TCP(connp) && IPCL_IS_BOUND(connp)) {
- ASSERT(syn_present);
- if (mctl_present) {
- ASSERT(first_mp != mp);
- first_mp->b_datap->db_struioflag |=
- STRUIO_POLICY;
- } else {
- ASSERT(first_mp == mp);
- mp->b_datap->db_struioflag &=
- ~STRUIO_EAGER;
- mp->b_datap->db_struioflag |=
- STRUIO_POLICY;
- }
- } else {
- /*
- * Discard first_mp early since we're dealing with a
- * fully-connected conn_t and tcp doesn't do policy in
- * this case. Also, if someone is bound to IPPROTO_TCP
- * over raw IP, they don't expect to see a M_CTL.
- */
- if (mctl_present) {
- freeb(first_mp);
- mctl_present = B_FALSE;
- }
- first_mp = mp;
- }
- }
+ switch (icmp_type) {
+ case ICMP6_DST_UNREACH:
+ ASSERT(icmp_code == ICMP6_DST_UNREACH_NOPORT);
- /* Initiate IPPF processing */
- if (IP6_IN_IPP(flags, ipst)) {
- uint_t ifindex;
+ BUMP_MIB(ill->ill_ip_mib, udpIfStatsNoPorts);
+ ip_drop_input("ipIfStatsNoPorts", mp, ill);
- mutex_enter(&ill->ill_lock);
- ifindex = ill->ill_phyint->phyint_ifindex;
- mutex_exit(&ill->ill_lock);
- ip_process(IPP_LOCAL_IN, &mp, ifindex);
- if (mp == NULL) {
- CONN_DEC_REF(connp);
- if (mctl_present) {
- freeb(first_mp);
- }
- return;
- } else if (mctl_present) {
- /*
- * ip_add_info_v6 might return a new mp.
- */
- ASSERT(first_mp != mp);
- first_mp->b_cont = mp;
- } else {
- first_mp = mp;
- }
- }
+ icmp_unreachable_v6(mp, icmp_code, B_FALSE, ira);
+ break;
+ case ICMP6_PARAM_PROB:
+ ASSERT(icmp_code == ICMP6_PARAMPROB_NEXTHEADER);
- /*
- * For link-local always add ifindex so that TCP can bind to that
- * interface. Avoid it for ICMP error fanout.
- */
- if (!syn_present && ((connp->conn_ip_recvpktinfo ||
- IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src)) &&
- (flags & IP_FF_IPINFO))) {
- /* Add header */
- mp = ip_add_info_v6(mp, inill, &ip6h->ip6_dst);
- if (mp == NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- CONN_DEC_REF(connp);
- if (mctl_present)
- freeb(first_mp);
- return;
- } else if (mctl_present) {
- ASSERT(first_mp != mp);
- first_mp->b_cont = mp;
- } else {
- first_mp = mp;
- }
- }
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInUnknownProtos);
+ ip_drop_input("ipIfStatsInUnknownProtos", mp, ill);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
- if (IPCL_IS_TCP(connp)) {
- SQUEUE_ENTER_ONE(connp->conn_sqp, first_mp, connp->conn_recv,
- connp, ip_squeue_flag, SQTAG_IP6_TCP_INPUT);
- } else {
- /* SOCK_RAW, IPPROTO_TCP case */
- (connp->conn_recv)(connp, first_mp, NULL);
- CONN_DEC_REF(connp);
+ /* Let the system determine the offset for this one */
+ icmp_param_problem_nexthdr_v6(mp, B_FALSE, ira);
+ break;
+ default:
+#ifdef DEBUG
+ panic("ip_fanout_send_icmp_v6: wrong type");
+ /*NOTREACHED*/
+#else
+ freemsg(mp);
+ break;
+#endif
}
}
/*
+ * Fanout for UDP packets that are multicast or ICMP errors.
+ * (Unicast fanout is handled in ip_input_v6.)
+ *
+ * If SO_REUSEADDR is set all multicast packets
+ * will be delivered to all conns bound to the same port.
+ *
* Fanout for UDP packets.
* The caller puts <fport, lport> in the ports parameter.
* ire_type must be IRE_BROADCAST for multicast and broadcast packets.
*
* If SO_REUSEADDR is set all multicast and broadcast packets
- * will be delivered to all streams bound to the same port.
+ * will be delivered to all conns bound to the same port.
*
* Zones notes:
- * Multicast packets will be distributed to streams in all zones.
+ * Earlier in ip_input on a system with multiple shared-IP zones we
+ * duplicate the multicast and broadcast packets and send them up
+ * with each explicit zoneid that exists on that ill.
+ * This means that here we can match the zoneid with SO_ALLZONES being special.
*/
-static void
-ip_fanout_udp_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h, uint32_t ports,
- ill_t *ill, ill_t *inill, uint_t flags, boolean_t mctl_present,
- zoneid_t zoneid)
+void
+ip_fanout_udp_multi_v6(mblk_t *mp, ip6_t *ip6h, uint16_t lport, uint16_t fport,
+ ip_recv_attr_t *ira)
{
- uint32_t dstport, srcport;
- in6_addr_t dst;
- mblk_t *first_mp;
- boolean_t secure;
+ in6_addr_t laddr;
conn_t *connp;
connf_t *connfp;
- conn_t *first_conn;
- conn_t *next_conn;
- mblk_t *mp1, *first_mp1;
- in6_addr_t src;
- boolean_t shared_addr;
- ip_stack_t *ipst = inill->ill_ipst;
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
-
- first_mp = mp;
- if (mctl_present) {
- mp = first_mp->b_cont;
- secure = ipsec_in_is_secure(first_mp);
- ASSERT(mp != NULL);
- } else {
- secure = B_FALSE;
- }
+ in6_addr_t faddr;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
- /* Extract ports in net byte order */
- dstport = htons(ntohl(ports) & 0xFFFF);
- srcport = htons(ntohl(ports) >> 16);
- dst = ip6h->ip6_dst;
- src = ip6h->ip6_src;
+ ASSERT(ira->ira_flags & (IRAF_MULTIBROADCAST|IRAF_ICMP_ERROR));
- shared_addr = (zoneid == ALL_ZONES);
- if (shared_addr) {
- /*
- * No need to handle exclusive-stack zones since ALL_ZONES
- * only applies to the shared stack.
- */
- zoneid = tsol_mlp_findzone(IPPROTO_UDP, dstport);
- /*
- * If no shared MLP is found, tsol_mlp_findzone returns
- * ALL_ZONES. In that case, we assume it's SLP, and
- * search for the zone based on the packet label.
- * That will also return ALL_ZONES on failure, but
- * we never allow conn_zoneid to be set to ALL_ZONES.
- */
- if (zoneid == ALL_ZONES)
- zoneid = tsol_packet_to_zoneid(mp);
- }
+ laddr = ip6h->ip6_dst;
+ faddr = ip6h->ip6_src;
/* Attempt to find a client stream based on destination port. */
- connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(dstport, ipst)];
+ connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(lport, ipst)];
mutex_enter(&connfp->connf_lock);
connp = connfp->connf_head;
- if (!IN6_IS_ADDR_MULTICAST(&dst)) {
- /*
- * Not multicast. Send to the one (first) client we find.
- */
- while (connp != NULL) {
- if (IPCL_UDP_MATCH_V6(connp, dstport, dst, srcport,
- src) && IPCL_ZONE_MATCH(connp, zoneid) &&
- conn_wantpacket_v6(connp, ill, ip6h,
- flags, zoneid)) {
- break;
- }
- connp = connp->conn_next;
- }
- if (connp == NULL || connp->conn_upq == NULL)
- goto notfound;
-
- if (is_system_labeled() &&
- !tsol_receive_local(mp, &dst, IPV6_VERSION, shared_addr,
- connp))
- goto notfound;
-
- /* Found a client */
- CONN_INC_REF(connp);
- mutex_exit(&connfp->connf_lock);
-
- if ((IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
- (!IPCL_IS_NONSTR(connp) && CONN_UDP_FLOWCTLD(connp))) {
- freemsg(first_mp);
- CONN_DEC_REF(connp);
- return;
- }
- if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) || secure) {
- first_mp = ipsec_check_inbound_policy(first_mp,
- connp, NULL, ip6h, mctl_present);
- if (first_mp == NULL) {
- CONN_DEC_REF(connp);
- return;
- }
- }
- /* Initiate IPPF processing */
- if (IP6_IN_IPP(flags, ipst)) {
- uint_t ifindex;
-
- mutex_enter(&ill->ill_lock);
- ifindex = ill->ill_phyint->phyint_ifindex;
- mutex_exit(&ill->ill_lock);
- ip_process(IPP_LOCAL_IN, &mp, ifindex);
- if (mp == NULL) {
- CONN_DEC_REF(connp);
- if (mctl_present)
- freeb(first_mp);
- return;
- }
- }
- /*
- * For link-local always add ifindex so that
- * transport can set sin6_scope_id. Avoid it for
- * ICMP error fanout.
- */
- if ((connp->conn_ip_recvpktinfo ||
- IN6_IS_ADDR_LINKLOCAL(&src)) &&
- (flags & IP_FF_IPINFO)) {
- /* Add header */
- mp = ip_add_info_v6(mp, inill, &dst);
- if (mp == NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- CONN_DEC_REF(connp);
- if (mctl_present)
- freeb(first_mp);
- return;
- } else if (mctl_present) {
- first_mp->b_cont = mp;
- } else {
- first_mp = mp;
- }
- }
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
-
- /* Send it upstream */
- (connp->conn_recv)(connp, mp, NULL);
-
- IP6_STAT(ipst, ip6_udp_fannorm);
- CONN_DEC_REF(connp);
- if (mctl_present)
- freeb(first_mp);
- return;
- }
-
while (connp != NULL) {
- if ((IPCL_UDP_MATCH_V6(connp, dstport, dst, srcport, src)) &&
- conn_wantpacket_v6(connp, ill, ip6h, flags, zoneid) &&
- (!is_system_labeled() ||
- tsol_receive_local(mp, &dst, IPV6_VERSION, shared_addr,
- connp)))
+ if ((IPCL_UDP_MATCH_V6(connp, lport, laddr, fport, faddr)) &&
+ conn_wantpacket_v6(connp, ira, ip6h) &&
+ (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
+ tsol_receive_local(mp, &laddr, IPV6_VERSION, ira, connp)))
break;
connp = connp->conn_next;
}
- if (connp == NULL || connp->conn_upq == NULL)
+ if (connp == NULL)
goto notfound;
- first_conn = connp;
-
CONN_INC_REF(connp);
- connp = connp->conn_next;
- for (;;) {
- while (connp != NULL) {
- if (IPCL_UDP_MATCH_V6(connp, dstport, dst, srcport,
- src) && conn_wantpacket_v6(connp, ill, ip6h,
- flags, zoneid) &&
- (!is_system_labeled() ||
- tsol_receive_local(mp, &dst, IPV6_VERSION,
- shared_addr, connp)))
- break;
- connp = connp->conn_next;
- }
- /*
- * Just copy the data part alone. The mctl part is
- * needed just for verifying policy and it is never
- * sent up.
- */
- if (connp == NULL ||
- (((first_mp1 = dupmsg(first_mp)) == NULL) &&
- ((first_mp1 = ip_copymsg(first_mp)) == NULL))) {
- /*
- * No more interested clients or memory
- * allocation failed
- */
- connp = first_conn;
- break;
- }
- mp1 = mctl_present ? first_mp1->b_cont : first_mp1;
- CONN_INC_REF(connp);
- mutex_exit(&connfp->connf_lock);
- /*
- * For link-local always add ifindex so that transport
- * can set sin6_scope_id. Avoid it for ICMP error
- * fanout.
- */
- if ((connp->conn_ip_recvpktinfo ||
- IN6_IS_ADDR_LINKLOCAL(&src)) &&
- (flags & IP_FF_IPINFO)) {
- /* Add header */
- mp1 = ip_add_info_v6(mp1, inill, &dst);
- }
- /* mp1 could have changed */
- if (mctl_present)
- first_mp1->b_cont = mp1;
- else
- first_mp1 = mp1;
- if (mp1 == NULL) {
- if (mctl_present)
- freeb(first_mp1);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- goto next_one;
- }
- if ((IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
- (!IPCL_IS_NONSTR(connp) && CONN_UDP_FLOWCTLD(connp))) {
- BUMP_MIB(ill->ill_ip_mib, udpIfStatsInOverflows);
- freemsg(first_mp1);
- goto next_one;
- }
- if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) || secure) {
- first_mp1 = ipsec_check_inbound_policy
- (first_mp1, connp, NULL, ip6h,
- mctl_present);
- }
- if (first_mp1 != NULL) {
- if (mctl_present)
- freeb(first_mp1);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ if (connp->conn_reuseaddr) {
+ conn_t *first_connp = connp;
+ conn_t *next_connp;
+ mblk_t *mp1;
- /* Send it upstream */
- (connp->conn_recv)(connp, mp1, NULL);
- }
-next_one:
- mutex_enter(&connfp->connf_lock);
- /* Follow the next pointer before releasing the conn. */
- next_conn = connp->conn_next;
- IP6_STAT(ipst, ip6_udp_fanmb);
- CONN_DEC_REF(connp);
- connp = next_conn;
- }
+ connp = connp->conn_next;
+ for (;;) {
+ while (connp != NULL) {
+ if (IPCL_UDP_MATCH_V6(connp, lport, laddr,
+ fport, faddr) &&
+ conn_wantpacket_v6(connp, ira, ip6h) &&
+ (!(ira->ira_flags & IRAF_SYSTEM_LABELED) ||
+ tsol_receive_local(mp, &laddr, IPV6_VERSION,
+ ira, connp)))
+ break;
+ connp = connp->conn_next;
+ }
+ if (connp == NULL) {
+ /* No more interested clients */
+ connp = first_connp;
+ break;
+ }
+ if (((mp1 = dupmsg(mp)) == NULL) &&
+ ((mp1 = copymsg(mp)) == NULL)) {
+ /* Memory allocation failed */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ connp = first_connp;
+ break;
+ }
- /* Last one. Send it upstream. */
- mutex_exit(&connfp->connf_lock);
+ CONN_INC_REF(connp);
+ mutex_exit(&connfp->connf_lock);
- /* Initiate IPPF processing */
- if (IP6_IN_IPP(flags, ipst)) {
- uint_t ifindex;
+ IP6_STAT(ipst, ip6_udp_fanmb);
+ ip_fanout_udp_conn(connp, mp1, NULL,
+ (ip6_t *)mp1->b_rptr, ira);
- mutex_enter(&ill->ill_lock);
- ifindex = ill->ill_phyint->phyint_ifindex;
- mutex_exit(&ill->ill_lock);
- ip_process(IPP_LOCAL_IN, &mp, ifindex);
- if (mp == NULL) {
+ mutex_enter(&connfp->connf_lock);
+ /* Follow the next pointer before releasing the conn. */
+ next_connp = connp->conn_next;
+ IP6_STAT(ipst, ip6_udp_fanmb);
CONN_DEC_REF(connp);
- if (mctl_present) {
- freeb(first_mp);
- }
- return;
+ connp = next_connp;
}
}
- /*
- * For link-local always add ifindex so that transport can set
- * sin6_scope_id. Avoid it for ICMP error fanout.
- */
- if ((connp->conn_ip_recvpktinfo ||
- IN6_IS_ADDR_LINKLOCAL(&src)) && (flags & IP_FF_IPINFO)) {
- /* Add header */
- mp = ip_add_info_v6(mp, inill, &dst);
- if (mp == NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- CONN_DEC_REF(connp);
- if (mctl_present)
- freeb(first_mp);
- return;
- } else if (mctl_present) {
- first_mp->b_cont = mp;
- } else {
- first_mp = mp;
- }
- }
- if ((IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
- (!IPCL_IS_NONSTR(connp) && CONN_UDP_FLOWCTLD(connp))) {
- BUMP_MIB(ill->ill_ip_mib, udpIfStatsInOverflows);
- freemsg(mp);
- } else {
- if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) || secure) {
- first_mp = ipsec_check_inbound_policy(first_mp,
- connp, NULL, ip6h, mctl_present);
- if (first_mp == NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- CONN_DEC_REF(connp);
- return;
- }
- }
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ /* Last one. Send it upstream. */
+ mutex_exit(&connfp->connf_lock);
- /* Send it upstream */
- (connp->conn_recv)(connp, mp, NULL);
- }
IP6_STAT(ipst, ip6_udp_fanmb);
+ ip_fanout_udp_conn(connp, mp, NULL, ip6h, ira);
CONN_DEC_REF(connp);
- if (mctl_present)
- freeb(first_mp);
return;
notfound:
@@ -3892,28 +2564,26 @@ notfound:
* unclaimed datagrams?
*/
if (ipst->ips_ipcl_proto_fanout_v6[IPPROTO_UDP].connf_head != NULL) {
- ip_fanout_proto_v6(q, first_mp, ip6h, ill, inill, IPPROTO_UDP,
- 0, flags | IP_FF_RAWIP | IP_FF_IPINFO, mctl_present,
- zoneid);
+ ASSERT(ira->ira_protocol == IPPROTO_UDP);
+ ip_fanout_proto_v6(mp, ip6h, ira);
} else {
- if (ip_fanout_send_icmp_v6(q, first_mp, flags,
- ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT, 0,
- mctl_present, zoneid, ipst)) {
- BUMP_MIB(ill->ill_ip_mib, udpIfStatsNoPorts);
- }
+ ip_fanout_send_icmp_v6(mp, ICMP6_DST_UNREACH,
+ ICMP6_DST_UNREACH_NOPORT, ira);
}
}
/*
* int ip_find_hdr_v6()
*
- * This routine is used by the upper layer protocols and the IP tunnel
- * module to:
+ * This routine is used by the upper layer protocols, iptun, and IPsec:
* - Set extension header pointers to appropriate locations
* - Determine IPv6 header length and return it
* - Return a pointer to the last nexthdr value
*
* The caller must initialize ipp_fields.
+ * The upper layer protocols normally set label_separate which makes the
+ * routine put the TX label in ipp_label_v6. If this is not set then
+ * the hop-by-hop options including the label are placed in ipp_hopopts.
*
* NOTE: If multiple extension headers of the same type are present,
* ip_find_hdr_v6() will set the respective extension header pointers
@@ -3923,7 +2593,8 @@ notfound:
* malformed part.
*/
int
-ip_find_hdr_v6(mblk_t *mp, ip6_t *ip6h, ip6_pkt_t *ipp, uint8_t *nexthdrp)
+ip_find_hdr_v6(mblk_t *mp, ip6_t *ip6h, boolean_t label_separate, ip_pkt_t *ipp,
+ uint8_t *nexthdrp)
{
uint_t length, ehdrlen;
uint8_t nexthdr;
@@ -3933,6 +2604,11 @@ ip_find_hdr_v6(mblk_t *mp, ip6_t *ip6h, ip6_pkt_t *ipp, uint8_t *nexthdrp)
ip6_hbh_t *tmphopopts;
ip6_frag_t *tmpfraghdr;
+ ipp->ipp_fields |= IPPF_HOPLIMIT | IPPF_TCLASS | IPPF_ADDR;
+ ipp->ipp_hoplimit = ip6h->ip6_hops;
+ ipp->ipp_tclass = IPV6_FLOW_TCLASS(ip6h->ip6_flow);
+ ipp->ipp_addr = ip6h->ip6_dst;
+
length = IPV6_HDR_LEN;
whereptr = ((uint8_t *)&ip6h[1]); /* point to next hdr */
endptr = mp->b_wptr;
@@ -3944,19 +2620,48 @@ ip_find_hdr_v6(mblk_t *mp, ip6_t *ip6h, ip6_pkt_t *ipp, uint8_t *nexthdrp)
goto done;
switch (nexthdr) {
- case IPPROTO_HOPOPTS:
+ case IPPROTO_HOPOPTS: {
+ /* We check for any CIPSO */
+ uchar_t *secopt;
+ boolean_t hbh_needed;
+ uchar_t *after_secopt;
+
tmphopopts = (ip6_hbh_t *)whereptr;
ehdrlen = 8 * (tmphopopts->ip6h_len + 1);
if ((uchar_t *)tmphopopts + ehdrlen > endptr)
goto done;
nexthdr = tmphopopts->ip6h_nxt;
+
+ if (!label_separate) {
+ secopt = NULL;
+ after_secopt = whereptr;
+ } else {
+ /*
+ * We have dropped packets with bad options in
+ * ip6_input. No need to check return value
+ * here.
+ */
+ (void) tsol_find_secopt_v6(whereptr, ehdrlen,
+ &secopt, &after_secopt, &hbh_needed);
+ }
+ if (secopt != NULL && after_secopt - whereptr > 0) {
+ ipp->ipp_fields |= IPPF_LABEL_V6;
+ ipp->ipp_label_v6 = secopt;
+ ipp->ipp_label_len_v6 = after_secopt - whereptr;
+ } else {
+ ipp->ipp_label_len_v6 = 0;
+ after_secopt = whereptr;
+ hbh_needed = B_TRUE;
+ }
/* return only 1st hbh */
- if (!(ipp->ipp_fields & IPPF_HOPOPTS)) {
+ if (hbh_needed && !(ipp->ipp_fields & IPPF_HOPOPTS)) {
ipp->ipp_fields |= IPPF_HOPOPTS;
- ipp->ipp_hopopts = tmphopopts;
- ipp->ipp_hopoptslen = ehdrlen;
+ ipp->ipp_hopopts = (ip6_hbh_t *)after_secopt;
+ ipp->ipp_hopoptslen = ehdrlen -
+ ipp->ipp_label_len_v6;
}
break;
+ }
case IPPROTO_DSTOPTS:
tmpdstopts = (ip6_dest_t *)whereptr;
ehdrlen = 8 * (tmpdstopts->ip6d_len + 1);
@@ -3993,10 +2698,10 @@ ip_find_hdr_v6(mblk_t *mp, ip6_t *ip6h, ip6_pkt_t *ipp, uint8_t *nexthdrp)
*/
if (ipp->ipp_fields & IPPF_DSTOPTS) {
ipp->ipp_fields &= ~IPPF_DSTOPTS;
- ipp->ipp_fields |= IPPF_RTDSTOPTS;
- ipp->ipp_rtdstopts = ipp->ipp_dstopts;
+ ipp->ipp_fields |= IPPF_RTHDRDSTOPTS;
+ ipp->ipp_rthdrdstopts = ipp->ipp_dstopts;
ipp->ipp_dstopts = NULL;
- ipp->ipp_rtdstoptslen = ipp->ipp_dstoptslen;
+ ipp->ipp_rthdrdstoptslen = ipp->ipp_dstoptslen;
ipp->ipp_dstoptslen = 0;
}
break;
@@ -4025,25 +2730,6 @@ done:
return (length);
}
-int
-ip_hdr_complete_v6(ip6_t *ip6h, zoneid_t zoneid, ip_stack_t *ipst)
-{
- ire_t *ire;
-
- if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) {
- ire = ire_lookup_local_v6(zoneid, ipst);
- if (ire == NULL) {
- ip1dbg(("ip_hdr_complete_v6: no source IRE\n"));
- return (1);
- }
- ip6h->ip6_src = ire->ire_addr_v6;
- ire_refrele(ire);
- }
- ip6h->ip6_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
- ip6h->ip6_hops = ipst->ips_ipv6_def_hops;
- return (0);
-}
-
/*
* Try to determine where and what are the IPv6 header length and
* pointer to nexthdr value for the upper layer protocol (or an
@@ -4066,7 +2752,7 @@ ip_hdr_length_nexthdr_v6(mblk_t *mp, ip6_t *ip6h, uint16_t *hdr_length_ptr,
ip6_rthdr_t *rthdr;
ip6_frag_t *fraghdr;
- ASSERT((IPH_HDR_VERSION(ip6h) & ~IP_FORWARD_PROG_BIT) == IPV6_VERSION);
+ ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
length = IPV6_HDR_LEN;
whereptr = ((uint8_t *)&ip6h[1]); /* point to next hdr */
endptr = mp->b_wptr;
@@ -4151,1905 +2837,6 @@ ip_hdr_length_v6(mblk_t *mp, ip6_t *ip6h)
}
/*
- * IPv6 -
- * ip_newroute_v6 is called by ip_rput_data_v6 or ip_wput_v6 whenever we need
- * to send out a packet to a destination address for which we do not have
- * specific routing information.
- *
- * Handle non-multicast packets. If ill is non-NULL the match is done
- * for that ill.
- *
- * When a specific ill is specified (using IPV6_PKTINFO,
- * IPV6_MULTICAST_IF, or IPV6_BOUND_IF) we will only match
- * on routing entries (ftable and ctable) that have a matching
- * ire->ire_ipif->ipif_ill. Thus this can only be used
- * for destinations that are on-link for the specific ill
- * and that can appear on multiple links. Thus it is useful
- * for multicast destinations, link-local destinations, and
- * at some point perhaps for site-local destinations (if the
- * node sits at a site boundary).
- * We create the cache entries in the regular ctable since
- * it can not "confuse" things for other destinations.
- *
- * NOTE : These are the scopes of some of the variables that point at IRE,
- * which needs to be followed while making any future modifications
- * to avoid memory leaks.
- *
- * - ire and sire are the entries looked up initially by
- * ire_ftable_lookup_v6.
- * - ipif_ire is used to hold the interface ire associated with
- * the new cache ire. But it's scope is limited, so we always REFRELE
- * it before branching out to error paths.
- * - save_ire is initialized before ire_create, so that ire returned
- * by ire_create will not over-write the ire. We REFRELE save_ire
- * before breaking out of the switch.
- *
- * Thus on failures, we have to REFRELE only ire and sire, if they
- * are not NULL.
- */
-/* ARGSUSED */
-void
-ip_newroute_v6(queue_t *q, mblk_t *mp, const in6_addr_t *v6dstp,
- const in6_addr_t *v6srcp, ill_t *ill, zoneid_t zoneid, ip_stack_t *ipst)
-{
- in6_addr_t v6gw;
- in6_addr_t dst;
- ire_t *ire = NULL;
- ipif_t *src_ipif = NULL;
- ill_t *dst_ill = NULL;
- ire_t *sire = NULL;
- ire_t *save_ire;
- ip6_t *ip6h;
- int err = 0;
- mblk_t *first_mp;
- ipsec_out_t *io;
- ushort_t ire_marks = 0;
- int match_flags;
- ire_t *first_sire = NULL;
- mblk_t *copy_mp = NULL;
- mblk_t *xmit_mp = NULL;
- in6_addr_t save_dst;
- uint32_t multirt_flags =
- MULTIRT_CACHEGW | MULTIRT_USESTAMP | MULTIRT_SETSTAMP;
- boolean_t multirt_is_resolvable;
- boolean_t multirt_resolve_next;
- boolean_t need_rele = B_FALSE;
- boolean_t ip6_asp_table_held = B_FALSE;
- tsol_ire_gw_secattr_t *attrp = NULL;
- tsol_gcgrp_t *gcgrp = NULL;
- tsol_gcgrp_addr_t ga;
-
- ASSERT(!IN6_IS_ADDR_MULTICAST(v6dstp));
-
- first_mp = mp;
- if (mp->b_datap->db_type == M_CTL) {
- mp = mp->b_cont;
- io = (ipsec_out_t *)first_mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- } else {
- io = NULL;
- }
-
- ip6h = (ip6_t *)mp->b_rptr;
-
- if (IN6_IS_ADDR_LOOPBACK(v6dstp)) {
- ip1dbg(("ip_newroute_v6: dst with loopback addr\n"));
- goto icmp_err_ret;
- } else if (IN6_IS_ADDR_LOOPBACK(v6srcp)) {
- ip1dbg(("ip_newroute_v6: src with loopback addr\n"));
- goto icmp_err_ret;
- }
-
- /*
- * If this IRE is created for forwarding or it is not for
- * TCP traffic, mark it as temporary.
- *
- * Is it sufficient just to check the next header??
- */
- if (mp->b_prev != NULL || !IP_FLOW_CONTROLLED_ULP(ip6h->ip6_nxt))
- ire_marks |= IRE_MARK_TEMPORARY;
-
- /*
- * Get what we can from ire_ftable_lookup_v6 which will follow an IRE
- * chain until it gets the most specific information available.
- * For example, we know that there is no IRE_CACHE for this dest,
- * but there may be an IRE_OFFSUBNET which specifies a gateway.
- * ire_ftable_lookup_v6 will look up the gateway, etc.
- */
-
- if (ill == NULL) {
- match_flags = MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT |
- MATCH_IRE_PARENT | MATCH_IRE_RJ_BHOLE | MATCH_IRE_SECATTR;
- ire = ire_ftable_lookup_v6(v6dstp, 0, 0, 0,
- NULL, &sire, zoneid, 0, msg_getlabel(mp),
- match_flags, ipst);
- } else {
- match_flags = MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT |
- MATCH_IRE_RJ_BHOLE | MATCH_IRE_ILL;
- match_flags |= MATCH_IRE_PARENT | MATCH_IRE_SECATTR;
-
- /*
- * Because nce_xmit() calls ip_output_v6() and NCEs are always
- * tied to an underlying interface, IS_UNDER_IPMP() may be
- * true even when building IREs that will be used for data
- * traffic. As such, use the packet's source address to
- * determine whether the traffic is test traffic, and set
- * MATCH_IRE_MARK_TESTHIDDEN if so.
- */
- if (IS_UNDER_IPMP(ill) && !IN6_IS_ADDR_UNSPECIFIED(v6srcp)) {
- if (ipif_lookup_testaddr_v6(ill, v6srcp, NULL))
- match_flags |= MATCH_IRE_MARK_TESTHIDDEN;
- }
-
- ire = ire_ftable_lookup_v6(v6dstp, NULL, NULL, 0, ill->ill_ipif,
- &sire, zoneid, 0, msg_getlabel(mp), match_flags, ipst);
- }
-
- ip3dbg(("ip_newroute_v6: ire_ftable_lookup_v6() "
- "returned ire %p, sire %p\n", (void *)ire, (void *)sire));
-
- /*
- * We enter a loop that will be run only once in most cases.
- * The loop is re-entered in the case where the destination
- * can be reached through multiple RTF_MULTIRT-flagged routes.
- * The intention is to compute multiple routes to a single
- * destination in a single ip_newroute_v6 call.
- * The information is contained in sire->ire_flags.
- */
- do {
- multirt_resolve_next = B_FALSE;
-
- if (dst_ill != NULL) {
- ill_refrele(dst_ill);
- dst_ill = NULL;
- }
- if (src_ipif != NULL) {
- ipif_refrele(src_ipif);
- src_ipif = NULL;
- }
- if ((sire != NULL) && sire->ire_flags & RTF_MULTIRT) {
- ip3dbg(("ip_newroute_v6: starting new resolution "
- "with first_mp %p, tag %d\n",
- (void *)first_mp, MULTIRT_DEBUG_TAGGED(first_mp)));
-
- /*
- * We check if there are trailing unresolved routes for
- * the destination contained in sire.
- */
- multirt_is_resolvable = ire_multirt_lookup_v6(&ire,
- &sire, multirt_flags, msg_getlabel(mp), ipst);
-
- ip3dbg(("ip_newroute_v6: multirt_is_resolvable %d, "
- "ire %p, sire %p\n",
- multirt_is_resolvable, (void *)ire, (void *)sire));
-
- if (!multirt_is_resolvable) {
- /*
- * No more multirt routes to resolve; give up
- * (all routes resolved or no more resolvable
- * routes).
- */
- if (ire != NULL) {
- ire_refrele(ire);
- ire = NULL;
- }
- } else {
- ASSERT(sire != NULL);
- ASSERT(ire != NULL);
- /*
- * We simply use first_sire as a flag that
- * indicates if a resolvable multirt route has
- * already been found during the preceding
- * loops. If it is not the case, we may have
- * to send an ICMP error to report that the
- * destination is unreachable. We do not
- * IRE_REFHOLD first_sire.
- */
- if (first_sire == NULL) {
- first_sire = sire;
- }
- }
- }
- if ((ire == NULL) || (ire == sire)) {
- /*
- * either ire == NULL (the destination cannot be
- * resolved) or ire == sire (the gateway cannot be
- * resolved). At this point, there are no more routes
- * to resolve for the destination, thus we exit.
- */
- if (ip_debug > 3) {
- /* ip2dbg */
- pr_addr_dbg("ip_newroute_v6: "
- "can't resolve %s\n", AF_INET6, v6dstp);
- }
- ip3dbg(("ip_newroute_v6: "
- "ire %p, sire %p, first_sire %p\n",
- (void *)ire, (void *)sire, (void *)first_sire));
-
- if (sire != NULL) {
- ire_refrele(sire);
- sire = NULL;
- }
-
- if (first_sire != NULL) {
- /*
- * At least one multirt route has been found
- * in the same ip_newroute() call; there is no
- * need to report an ICMP error.
- * first_sire was not IRE_REFHOLDed.
- */
- MULTIRT_DEBUG_UNTAG(first_mp);
- freemsg(first_mp);
- return;
- }
- ip_rts_change_v6(RTM_MISS, v6dstp, 0, 0, 0, 0, 0, 0,
- RTA_DST, ipst);
- goto icmp_err_ret;
- }
-
- ASSERT(ire->ire_ipversion == IPV6_VERSION);
-
- /*
- * Verify that the returned IRE does not have either the
- * RTF_REJECT or RTF_BLACKHOLE flags set and that the IRE is
- * either an IRE_CACHE, IRE_IF_NORESOLVER or IRE_IF_RESOLVER.
- */
- if ((ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE)) ||
- (ire->ire_type & (IRE_CACHE | IRE_INTERFACE)) == 0)
- goto icmp_err_ret;
-
- /*
- * Increment the ire_ob_pkt_count field for ire if it is an
- * INTERFACE (IF_RESOLVER or IF_NORESOLVER) IRE type, and
- * increment the same for the parent IRE, sire, if it is some
- * sort of prefix IRE (which includes DEFAULT, PREFIX, and HOST)
- */
- if ((ire->ire_type & IRE_INTERFACE) != 0) {
- UPDATE_OB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- }
-
- if (sire != NULL) {
- mutex_enter(&sire->ire_lock);
- v6gw = sire->ire_gateway_addr_v6;
- mutex_exit(&sire->ire_lock);
- ASSERT((sire->ire_type & (IRE_CACHETABLE |
- IRE_INTERFACE)) == 0);
- UPDATE_OB_PKT_COUNT(sire);
- sire->ire_last_used_time = lbolt;
- } else {
- v6gw = ipv6_all_zeros;
- }
-
- /*
- * We have a route to reach the destination. Find the
- * appropriate ill, then get a source address that matches the
- * right scope via ipif_select_source_v6().
- *
- * If we are here trying to create an IRE_CACHE for an offlink
- * destination and have an IRE_CACHE entry for VNI, then use
- * ire_stq instead since VNI's queue is a black hole.
- *
- * Note: While we pick a dst_ill we are really only interested
- * in the ill for load spreading. The source ipif is
- * determined by source address selection below.
- */
- if ((ire->ire_type == IRE_CACHE) &&
- IS_VNI(ire->ire_ipif->ipif_ill)) {
- dst_ill = ire->ire_stq->q_ptr;
- ill_refhold(dst_ill);
- } else {
- ill_t *ill = ire->ire_ipif->ipif_ill;
-
- if (IS_IPMP(ill)) {
- dst_ill =
- ipmp_illgrp_hold_next_ill(ill->ill_grp);
- } else {
- dst_ill = ill;
- ill_refhold(dst_ill);
- }
- }
-
- if (dst_ill == NULL) {
- if (ip_debug > 2) {
- pr_addr_dbg("ip_newroute_v6 : no dst "
- "ill for dst %s\n", AF_INET6, v6dstp);
- }
- goto icmp_err_ret;
- }
-
- if (ill != NULL && dst_ill != ill &&
- !IS_IN_SAME_ILLGRP(dst_ill, ill)) {
- /*
- * We should have found a route matching "ill"
- * as we called ire_ftable_lookup_v6 with
- * MATCH_IRE_ILL. Rather than asserting when
- * there is a mismatch, we just drop the packet.
- */
- ip0dbg(("ip_newroute_v6: BOUND_IF failed: "
- "dst_ill %s ill %s\n", dst_ill->ill_name,
- ill->ill_name));
- goto icmp_err_ret;
- }
-
- /*
- * Pick a source address which matches the scope of the
- * destination address.
- * For RTF_SETSRC routes, the source address is imposed by the
- * parent ire (sire).
- */
- ASSERT(src_ipif == NULL);
-
- /*
- * Because nce_xmit() calls ip_output_v6() and NCEs are always
- * tied to the underlying interface, IS_UNDER_IPMP() may be
- * true even when building IREs that will be used for data
- * traffic. As such, see if the packet's source address is a
- * test address, and if so use that test address's ipif for
- * the IRE so that the logic that sets IRE_MARK_TESTHIDDEN in
- * ire_add_v6() can work properly.
- */
- if (ill != NULL && IS_UNDER_IPMP(ill))
- (void) ipif_lookup_testaddr_v6(ill, v6srcp, &src_ipif);
-
- if (src_ipif == NULL && ire->ire_type == IRE_IF_RESOLVER &&
- !IN6_IS_ADDR_UNSPECIFIED(&v6gw) &&
- ip6_asp_can_lookup(ipst)) {
- /*
- * The ire cache entry we're adding is for the
- * gateway itself. The source address in this case
- * is relative to the gateway's address.
- */
- ip6_asp_table_held = B_TRUE;
- src_ipif = ipif_select_source_v6(dst_ill, &v6gw,
- B_TRUE, IPV6_PREFER_SRC_DEFAULT, zoneid);
- if (src_ipif != NULL)
- ire_marks |= IRE_MARK_USESRC_CHECK;
- } else if (src_ipif == NULL) {
- if ((sire != NULL) && (sire->ire_flags & RTF_SETSRC)) {
- /*
- * Check that the ipif matching the requested
- * source address still exists.
- */
- src_ipif = ipif_lookup_addr_v6(
- &sire->ire_src_addr_v6, NULL, zoneid,
- NULL, NULL, NULL, NULL, ipst);
- }
- if (src_ipif == NULL && ip6_asp_can_lookup(ipst)) {
- ip6_asp_table_held = B_TRUE;
- src_ipif = ipif_select_source_v6(dst_ill,
- v6dstp, B_FALSE,
- IPV6_PREFER_SRC_DEFAULT, zoneid);
- if (src_ipif != NULL)
- ire_marks |= IRE_MARK_USESRC_CHECK;
- }
- }
-
- if (src_ipif == NULL) {
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("ip_newroute_v6: no src for "
- "dst %s\n", AF_INET6, v6dstp);
- printf("ip_newroute_v6: interface name %s\n",
- dst_ill->ill_name);
- }
- goto icmp_err_ret;
- }
-
- if (ip_debug > 3) {
- /* ip2dbg */
- pr_addr_dbg("ip_newroute_v6: first hop %s\n",
- AF_INET6, &v6gw);
- }
- ip2dbg(("\tire type %s (%d)\n",
- ip_nv_lookup(ire_nv_tbl, ire->ire_type), ire->ire_type));
-
- /*
- * At this point in ip_newroute_v6(), ire is either the
- * IRE_CACHE of the next-hop gateway for an off-subnet
- * destination or an IRE_INTERFACE type that should be used
- * to resolve an on-subnet destination or an on-subnet
- * next-hop gateway.
- *
- * In the IRE_CACHE case, we have the following :
- *
- * 1) src_ipif - used for getting a source address.
- *
- * 2) dst_ill - from which we derive ire_stq/ire_rfq. This
- * means packets using this IRE_CACHE will go out on dst_ill.
- *
- * 3) The IRE sire will point to the prefix that is the longest
- * matching route for the destination. These prefix types
- * include IRE_DEFAULT, IRE_PREFIX, IRE_HOST.
- *
- * The newly created IRE_CACHE entry for the off-subnet
- * destination is tied to both the prefix route and the
- * interface route used to resolve the next-hop gateway
- * via the ire_phandle and ire_ihandle fields, respectively.
- *
- * In the IRE_INTERFACE case, we have the following :
- *
- * 1) src_ipif - used for getting a source address.
- *
- * 2) dst_ill - from which we derive ire_stq/ire_rfq. This
- * means packets using the IRE_CACHE that we will build
- * here will go out on dst_ill.
- *
- * 3) sire may or may not be NULL. But, the IRE_CACHE that is
- * to be created will only be tied to the IRE_INTERFACE that
- * was derived from the ire_ihandle field.
- *
- * If sire is non-NULL, it means the destination is off-link
- * and we will first create the IRE_CACHE for the gateway.
- * Next time through ip_newroute_v6, we will create the
- * IRE_CACHE for the final destination as described above.
- */
- save_ire = ire;
- switch (ire->ire_type) {
- case IRE_CACHE: {
- ire_t *ipif_ire;
-
- ASSERT(sire != NULL);
- if (IN6_IS_ADDR_UNSPECIFIED(&v6gw)) {
- mutex_enter(&ire->ire_lock);
- v6gw = ire->ire_gateway_addr_v6;
- mutex_exit(&ire->ire_lock);
- }
- /*
- * We need 3 ire's to create a new cache ire for an
- * off-link destination from the cache ire of the
- * gateway.
- *
- * 1. The prefix ire 'sire'
- * 2. The cache ire of the gateway 'ire'
- * 3. The interface ire 'ipif_ire'
- *
- * We have (1) and (2). We lookup (3) below.
- *
- * If there is no interface route to the gateway,
- * it is a race condition, where we found the cache
- * but the inteface route has been deleted.
- */
- ipif_ire = ire_ihandle_lookup_offlink_v6(ire, sire);
- if (ipif_ire == NULL) {
- ip1dbg(("ip_newroute_v6:"
- "ire_ihandle_lookup_offlink_v6 failed\n"));
- goto icmp_err_ret;
- }
-
- /*
- * Note: the new ire inherits RTF_SETSRC
- * and RTF_MULTIRT to propagate these flags from prefix
- * to cache.
- */
-
- /*
- * Check cached gateway IRE for any security
- * attributes; if found, associate the gateway
- * credentials group to the destination IRE.
- */
- if ((attrp = save_ire->ire_gw_secattr) != NULL) {
- mutex_enter(&attrp->igsa_lock);
- if ((gcgrp = attrp->igsa_gcgrp) != NULL)
- GCGRP_REFHOLD(gcgrp);
- mutex_exit(&attrp->igsa_lock);
- }
-
- ire = ire_create_v6(
- v6dstp, /* dest address */
- &ipv6_all_ones, /* mask */
- &src_ipif->ipif_v6src_addr, /* source address */
- &v6gw, /* gateway address */
- &save_ire->ire_max_frag,
- NULL, /* src nce */
- dst_ill->ill_rq, /* recv-from queue */
- dst_ill->ill_wq, /* send-to queue */
- IRE_CACHE,
- src_ipif,
- &sire->ire_mask_v6, /* Parent mask */
- sire->ire_phandle, /* Parent handle */
- ipif_ire->ire_ihandle, /* Interface handle */
- sire->ire_flags & /* flags if any */
- (RTF_SETSRC | RTF_MULTIRT),
- &(sire->ire_uinfo),
- NULL,
- gcgrp,
- ipst);
-
- if (ire == NULL) {
- if (gcgrp != NULL) {
- GCGRP_REFRELE(gcgrp);
- gcgrp = NULL;
- }
- ire_refrele(save_ire);
- ire_refrele(ipif_ire);
- break;
- }
-
- /* reference now held by IRE */
- gcgrp = NULL;
-
- ire->ire_marks |= ire_marks;
-
- /*
- * Prevent sire and ipif_ire from getting deleted. The
- * newly created ire is tied to both of them via the
- * phandle and ihandle respectively.
- */
- IRB_REFHOLD(sire->ire_bucket);
- /* Has it been removed already ? */
- if (sire->ire_marks & IRE_MARK_CONDEMNED) {
- IRB_REFRELE(sire->ire_bucket);
- ire_refrele(ipif_ire);
- ire_refrele(save_ire);
- break;
- }
-
- IRB_REFHOLD(ipif_ire->ire_bucket);
- /* Has it been removed already ? */
- if (ipif_ire->ire_marks & IRE_MARK_CONDEMNED) {
- IRB_REFRELE(ipif_ire->ire_bucket);
- IRB_REFRELE(sire->ire_bucket);
- ire_refrele(ipif_ire);
- ire_refrele(save_ire);
- break;
- }
-
- xmit_mp = first_mp;
- if (ire->ire_flags & RTF_MULTIRT) {
- copy_mp = copymsg(first_mp);
- if (copy_mp != NULL) {
- xmit_mp = copy_mp;
- MULTIRT_DEBUG_TAG(first_mp);
- }
- }
- ire_add_then_send(q, ire, xmit_mp);
- if (ip6_asp_table_held) {
- ip6_asp_table_refrele(ipst);
- ip6_asp_table_held = B_FALSE;
- }
- ire_refrele(save_ire);
-
- /* Assert that sire is not deleted yet. */
- ASSERT(sire->ire_ptpn != NULL);
- IRB_REFRELE(sire->ire_bucket);
-
- /* Assert that ipif_ire is not deleted yet. */
- ASSERT(ipif_ire->ire_ptpn != NULL);
- IRB_REFRELE(ipif_ire->ire_bucket);
- ire_refrele(ipif_ire);
-
- if (copy_mp != NULL) {
- /*
- * Search for the next unresolved
- * multirt route.
- */
- copy_mp = NULL;
- ipif_ire = NULL;
- ire = NULL;
- /* re-enter the loop */
- multirt_resolve_next = B_TRUE;
- continue;
- }
- ire_refrele(sire);
- ill_refrele(dst_ill);
- ipif_refrele(src_ipif);
- return;
- }
- case IRE_IF_NORESOLVER:
- /*
- * We have what we need to build an IRE_CACHE.
- *
- * handle the Gated case, where we create
- * a NORESOLVER route for loopback.
- */
- if (dst_ill->ill_net_type != IRE_IF_NORESOLVER)
- break;
- /*
- * TSol note: We are creating the ire cache for the
- * destination 'dst'. If 'dst' is offlink, going
- * through the first hop 'gw', the security attributes
- * of 'dst' must be set to point to the gateway
- * credentials of gateway 'gw'. If 'dst' is onlink, it
- * is possible that 'dst' is a potential gateway that is
- * referenced by some route that has some security
- * attributes. Thus in the former case, we need to do a
- * gcgrp_lookup of 'gw' while in the latter case we
- * need to do gcgrp_lookup of 'dst' itself.
- */
- ga.ga_af = AF_INET6;
- if (!IN6_IS_ADDR_UNSPECIFIED(&v6gw))
- ga.ga_addr = v6gw;
- else
- ga.ga_addr = *v6dstp;
- gcgrp = gcgrp_lookup(&ga, B_FALSE);
-
- /*
- * Note: the new ire inherits sire flags RTF_SETSRC
- * and RTF_MULTIRT to propagate those rules from prefix
- * to cache.
- */
- ire = ire_create_v6(
- v6dstp, /* dest address */
- &ipv6_all_ones, /* mask */
- &src_ipif->ipif_v6src_addr, /* source address */
- &v6gw, /* gateway address */
- &save_ire->ire_max_frag,
- NULL, /* no src nce */
- dst_ill->ill_rq, /* recv-from queue */
- dst_ill->ill_wq, /* send-to queue */
- IRE_CACHE,
- src_ipif,
- &save_ire->ire_mask_v6, /* Parent mask */
- (sire != NULL) ? /* Parent handle */
- sire->ire_phandle : 0,
- save_ire->ire_ihandle, /* Interface handle */
- (sire != NULL) ? /* flags if any */
- sire->ire_flags &
- (RTF_SETSRC | RTF_MULTIRT) : 0,
- &(save_ire->ire_uinfo),
- NULL,
- gcgrp,
- ipst);
-
- if (ire == NULL) {
- if (gcgrp != NULL) {
- GCGRP_REFRELE(gcgrp);
- gcgrp = NULL;
- }
- ire_refrele(save_ire);
- break;
- }
-
- /* reference now held by IRE */
- gcgrp = NULL;
-
- ire->ire_marks |= ire_marks;
-
- if (!IN6_IS_ADDR_UNSPECIFIED(&v6gw))
- dst = v6gw;
- else
- dst = *v6dstp;
- err = ndp_noresolver(dst_ill, &dst);
- if (err != 0) {
- ire_refrele(save_ire);
- break;
- }
-
- /* Prevent save_ire from getting deleted */
- IRB_REFHOLD(save_ire->ire_bucket);
- /* Has it been removed already ? */
- if (save_ire->ire_marks & IRE_MARK_CONDEMNED) {
- IRB_REFRELE(save_ire->ire_bucket);
- ire_refrele(save_ire);
- break;
- }
-
- xmit_mp = first_mp;
- /*
- * In case of MULTIRT, a copy of the current packet
- * to send is made to further re-enter the
- * loop and attempt another route resolution
- */
- if ((sire != NULL) && sire->ire_flags & RTF_MULTIRT) {
- copy_mp = copymsg(first_mp);
- if (copy_mp != NULL) {
- xmit_mp = copy_mp;
- MULTIRT_DEBUG_TAG(first_mp);
- }
- }
- ire_add_then_send(q, ire, xmit_mp);
- if (ip6_asp_table_held) {
- ip6_asp_table_refrele(ipst);
- ip6_asp_table_held = B_FALSE;
- }
-
- /* Assert that it is not deleted yet. */
- ASSERT(save_ire->ire_ptpn != NULL);
- IRB_REFRELE(save_ire->ire_bucket);
- ire_refrele(save_ire);
-
- if (copy_mp != NULL) {
- /*
- * If we found a (no)resolver, we ignore any
- * trailing top priority IRE_CACHE in
- * further loops. This ensures that we do not
- * omit any (no)resolver despite the priority
- * in this call.
- * IRE_CACHE, if any, will be processed
- * by another thread entering ip_newroute(),
- * (on resolver response, for example).
- * We use this to force multiple parallel
- * resolution as soon as a packet needs to be
- * sent. The result is, after one packet
- * emission all reachable routes are generally
- * resolved.
- * Otherwise, complete resolution of MULTIRT
- * routes would require several emissions as
- * side effect.
- */
- multirt_flags &= ~MULTIRT_CACHEGW;
-
- /*
- * Search for the next unresolved multirt
- * route.
- */
- copy_mp = NULL;
- save_ire = NULL;
- ire = NULL;
- /* re-enter the loop */
- multirt_resolve_next = B_TRUE;
- continue;
- }
-
- /* Don't need sire anymore */
- if (sire != NULL)
- ire_refrele(sire);
- ill_refrele(dst_ill);
- ipif_refrele(src_ipif);
- return;
-
- case IRE_IF_RESOLVER:
- /*
- * We can't build an IRE_CACHE yet, but at least we
- * found a resolver that can help.
- */
- dst = *v6dstp;
-
- /*
- * To be at this point in the code with a non-zero gw
- * means that dst is reachable through a gateway that
- * we have never resolved. By changing dst to the gw
- * addr we resolve the gateway first. When
- * ire_add_then_send() tries to put the IP dg to dst,
- * it will reenter ip_newroute() at which time we will
- * find the IRE_CACHE for the gw and create another
- * IRE_CACHE above (for dst itself).
- */
- if (!IN6_IS_ADDR_UNSPECIFIED(&v6gw)) {
- save_dst = dst;
- dst = v6gw;
- v6gw = ipv6_all_zeros;
- }
- if (dst_ill->ill_flags & ILLF_XRESOLV) {
- /*
- * Ask the external resolver to do its thing.
- * Make an mblk chain in the following form:
- * ARQ_REQ_MBLK-->IRE_MBLK-->packet
- */
- mblk_t *ire_mp;
- mblk_t *areq_mp;
- areq_t *areq;
- in6_addr_t *addrp;
-
- ip1dbg(("ip_newroute_v6:ILLF_XRESOLV\n"));
- if (ip6_asp_table_held) {
- ip6_asp_table_refrele(ipst);
- ip6_asp_table_held = B_FALSE;
- }
- ire = ire_create_mp_v6(
- &dst, /* dest address */
- &ipv6_all_ones, /* mask */
- &src_ipif->ipif_v6src_addr,
- /* source address */
- &v6gw, /* gateway address */
- NULL, /* no src nce */
- dst_ill->ill_rq, /* recv-from queue */
- dst_ill->ill_wq, /* send-to queue */
- IRE_CACHE,
- src_ipif,
- &save_ire->ire_mask_v6, /* Parent mask */
- 0,
- save_ire->ire_ihandle,
- /* Interface handle */
- 0, /* flags if any */
- &(save_ire->ire_uinfo),
- NULL,
- NULL,
- ipst);
-
- ire_refrele(save_ire);
- if (ire == NULL) {
- ip1dbg(("ip_newroute_v6:"
- "ire is NULL\n"));
- break;
- }
-
- if ((sire != NULL) &&
- (sire->ire_flags & RTF_MULTIRT)) {
- /*
- * processing a copy of the packet to
- * send for further resolution loops
- */
- copy_mp = copymsg(first_mp);
- if (copy_mp != NULL)
- MULTIRT_DEBUG_TAG(copy_mp);
- }
- ire->ire_marks |= ire_marks;
- ire_mp = ire->ire_mp;
- /*
- * Now create or find an nce for this interface.
- * The hw addr will need to to be set from
- * the reply to the AR_ENTRY_QUERY that
- * we're about to send. This will be done in
- * ire_add_v6().
- */
- err = ndp_resolver(dst_ill, &dst, mp, zoneid);
- switch (err) {
- case 0:
- /*
- * New cache entry created.
- * Break, then ask the external
- * resolver.
- */
- break;
- case EINPROGRESS:
- /*
- * Resolution in progress;
- * packet has been queued by
- * ndp_resolver().
- */
- ire_delete(ire);
- ire = NULL;
- /*
- * Check if another multirt
- * route must be resolved.
- */
- if (copy_mp != NULL) {
- /*
- * If we found a resolver, we
- * ignore any trailing top
- * priority IRE_CACHE in
- * further loops. The reason is
- * the same as for noresolver.
- */
- multirt_flags &=
- ~MULTIRT_CACHEGW;
- /*
- * Search for the next
- * unresolved multirt route.
- */
- first_mp = copy_mp;
- copy_mp = NULL;
- mp = first_mp;
- if (mp->b_datap->db_type ==
- M_CTL) {
- mp = mp->b_cont;
- }
- ASSERT(sire != NULL);
- dst = save_dst;
- /*
- * re-enter the loop
- */
- multirt_resolve_next =
- B_TRUE;
- continue;
- }
-
- if (sire != NULL)
- ire_refrele(sire);
- ill_refrele(dst_ill);
- ipif_refrele(src_ipif);
- return;
- default:
- /*
- * Transient error; packet will be
- * freed.
- */
- ire_delete(ire);
- ire = NULL;
- break;
- }
- if (err != 0)
- break;
- /*
- * Now set up the AR_ENTRY_QUERY and send it.
- */
- areq_mp = ill_arp_alloc(dst_ill,
- (uchar_t *)&ipv6_areq_template,
- (caddr_t)&dst);
- if (areq_mp == NULL) {
- ip1dbg(("ip_newroute_v6:"
- "areq_mp is NULL\n"));
- freemsg(ire_mp);
- break;
- }
- areq = (areq_t *)areq_mp->b_rptr;
- addrp = (in6_addr_t *)((char *)areq +
- areq->areq_target_addr_offset);
- *addrp = dst;
- addrp = (in6_addr_t *)((char *)areq +
- areq->areq_sender_addr_offset);
- *addrp = src_ipif->ipif_v6src_addr;
- /*
- * link the chain, then send up to the resolver.
- */
- linkb(areq_mp, ire_mp);
- linkb(areq_mp, mp);
- ip1dbg(("ip_newroute_v6:"
- "putnext to resolver\n"));
- putnext(dst_ill->ill_rq, areq_mp);
- /*
- * Check if another multirt route
- * must be resolved.
- */
- ire = NULL;
- if (copy_mp != NULL) {
- /*
- * If we find a resolver, we ignore any
- * trailing top priority IRE_CACHE in
- * further loops. The reason is the
- * same as for noresolver.
- */
- multirt_flags &= ~MULTIRT_CACHEGW;
- /*
- * Search for the next unresolved
- * multirt route.
- */
- first_mp = copy_mp;
- copy_mp = NULL;
- mp = first_mp;
- if (mp->b_datap->db_type == M_CTL) {
- mp = mp->b_cont;
- }
- ASSERT(sire != NULL);
- dst = save_dst;
- /*
- * re-enter the loop
- */
- multirt_resolve_next = B_TRUE;
- continue;
- }
-
- if (sire != NULL)
- ire_refrele(sire);
- ill_refrele(dst_ill);
- ipif_refrele(src_ipif);
- return;
- }
- /*
- * Non-external resolver case.
- *
- * TSol note: Please see the note above the
- * IRE_IF_NORESOLVER case.
- */
- ga.ga_af = AF_INET6;
- ga.ga_addr = dst;
- gcgrp = gcgrp_lookup(&ga, B_FALSE);
-
- ire = ire_create_v6(
- &dst, /* dest address */
- &ipv6_all_ones, /* mask */
- &src_ipif->ipif_v6src_addr, /* source address */
- &v6gw, /* gateway address */
- &save_ire->ire_max_frag,
- NULL, /* no src nce */
- dst_ill->ill_rq, /* recv-from queue */
- dst_ill->ill_wq, /* send-to queue */
- IRE_CACHE,
- src_ipif,
- &save_ire->ire_mask_v6, /* Parent mask */
- 0,
- save_ire->ire_ihandle, /* Interface handle */
- 0, /* flags if any */
- &(save_ire->ire_uinfo),
- NULL,
- gcgrp,
- ipst);
-
- if (ire == NULL) {
- if (gcgrp != NULL) {
- GCGRP_REFRELE(gcgrp);
- gcgrp = NULL;
- }
- ire_refrele(save_ire);
- break;
- }
-
- /* reference now held by IRE */
- gcgrp = NULL;
-
- if ((sire != NULL) &&
- (sire->ire_flags & RTF_MULTIRT)) {
- copy_mp = copymsg(first_mp);
- if (copy_mp != NULL)
- MULTIRT_DEBUG_TAG(copy_mp);
- }
-
- ire->ire_marks |= ire_marks;
- err = ndp_resolver(dst_ill, &dst, first_mp, zoneid);
- switch (err) {
- case 0:
- /* Prevent save_ire from getting deleted */
- IRB_REFHOLD(save_ire->ire_bucket);
- /* Has it been removed already ? */
- if (save_ire->ire_marks & IRE_MARK_CONDEMNED) {
- IRB_REFRELE(save_ire->ire_bucket);
- ire_refrele(save_ire);
- break;
- }
-
- /*
- * We have a resolved cache entry,
- * add in the IRE.
- */
- ire_add_then_send(q, ire, first_mp);
- if (ip6_asp_table_held) {
- ip6_asp_table_refrele(ipst);
- ip6_asp_table_held = B_FALSE;
- }
-
- /* Assert that it is not deleted yet. */
- ASSERT(save_ire->ire_ptpn != NULL);
- IRB_REFRELE(save_ire->ire_bucket);
- ire_refrele(save_ire);
- /*
- * Check if another multirt route
- * must be resolved.
- */
- ire = NULL;
- if (copy_mp != NULL) {
- /*
- * If we find a resolver, we ignore any
- * trailing top priority IRE_CACHE in
- * further loops. The reason is the
- * same as for noresolver.
- */
- multirt_flags &= ~MULTIRT_CACHEGW;
- /*
- * Search for the next unresolved
- * multirt route.
- */
- first_mp = copy_mp;
- copy_mp = NULL;
- mp = first_mp;
- if (mp->b_datap->db_type == M_CTL) {
- mp = mp->b_cont;
- }
- ASSERT(sire != NULL);
- dst = save_dst;
- /*
- * re-enter the loop
- */
- multirt_resolve_next = B_TRUE;
- continue;
- }
-
- if (sire != NULL)
- ire_refrele(sire);
- ill_refrele(dst_ill);
- ipif_refrele(src_ipif);
- return;
-
- case EINPROGRESS:
- /*
- * mp was consumed - presumably queued.
- * No need for ire, presumably resolution is
- * in progress, and ire will be added when the
- * address is resolved.
- */
- if (ip6_asp_table_held) {
- ip6_asp_table_refrele(ipst);
- ip6_asp_table_held = B_FALSE;
- }
- ASSERT(ire->ire_nce == NULL);
- ire_delete(ire);
- ire_refrele(save_ire);
- /*
- * Check if another multirt route
- * must be resolved.
- */
- ire = NULL;
- if (copy_mp != NULL) {
- /*
- * If we find a resolver, we ignore any
- * trailing top priority IRE_CACHE in
- * further loops. The reason is the
- * same as for noresolver.
- */
- multirt_flags &= ~MULTIRT_CACHEGW;
- /*
- * Search for the next unresolved
- * multirt route.
- */
- first_mp = copy_mp;
- copy_mp = NULL;
- mp = first_mp;
- if (mp->b_datap->db_type == M_CTL) {
- mp = mp->b_cont;
- }
- ASSERT(sire != NULL);
- dst = save_dst;
- /*
- * re-enter the loop
- */
- multirt_resolve_next = B_TRUE;
- continue;
- }
- if (sire != NULL)
- ire_refrele(sire);
- ill_refrele(dst_ill);
- ipif_refrele(src_ipif);
- return;
- default:
- /* Some transient error */
- ASSERT(ire->ire_nce == NULL);
- ire_refrele(save_ire);
- break;
- }
- break;
- default:
- break;
- }
- if (ip6_asp_table_held) {
- ip6_asp_table_refrele(ipst);
- ip6_asp_table_held = B_FALSE;
- }
- } while (multirt_resolve_next);
-
-err_ret:
- ip1dbg(("ip_newroute_v6: dropped\n"));
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
- if (dst_ill != NULL) {
- need_rele = B_TRUE;
- ill = dst_ill;
- }
- if (ill != NULL) {
- if (mp->b_prev != NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- } else {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
- }
-
- if (need_rele)
- ill_refrele(ill);
- } else {
- if (mp->b_prev != NULL) {
- BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsInDiscards);
- } else {
- BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutDiscards);
- }
- }
- /* Did this packet originate externally? */
- if (mp->b_prev) {
- mp->b_next = NULL;
- mp->b_prev = NULL;
- }
- if (copy_mp != NULL) {
- MULTIRT_DEBUG_UNTAG(copy_mp);
- freemsg(copy_mp);
- }
- MULTIRT_DEBUG_UNTAG(first_mp);
- freemsg(first_mp);
- if (ire != NULL)
- ire_refrele(ire);
- if (sire != NULL)
- ire_refrele(sire);
- return;
-
-icmp_err_ret:
- if (ip6_asp_table_held)
- ip6_asp_table_refrele(ipst);
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
- if (dst_ill != NULL) {
- need_rele = B_TRUE;
- ill = dst_ill;
- }
- ip1dbg(("ip_newroute_v6: no route\n"));
- if (sire != NULL)
- ire_refrele(sire);
- /*
- * We need to set sire to NULL to avoid double freeing if we
- * ever goto err_ret from below.
- */
- sire = NULL;
- ip6h = (ip6_t *)mp->b_rptr;
- /* Skip ip6i_t header if present */
- if (ip6h->ip6_nxt == IPPROTO_RAW) {
- /* Make sure the IPv6 header is present */
- if ((mp->b_wptr - (uchar_t *)ip6h) <
- sizeof (ip6i_t) + IPV6_HDR_LEN) {
- if (!pullupmsg(mp, sizeof (ip6i_t) + IPV6_HDR_LEN)) {
- ip1dbg(("ip_newroute_v6: pullupmsg failed\n"));
- goto err_ret;
- }
- }
- mp->b_rptr += sizeof (ip6i_t);
- ip6h = (ip6_t *)mp->b_rptr;
- }
- /* Did this packet originate externally? */
- if (mp->b_prev) {
- if (ill != NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInNoRoutes);
- } else {
- BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsInNoRoutes);
- }
- mp->b_next = NULL;
- mp->b_prev = NULL;
- q = WR(q);
- } else {
- if (ill != NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutNoRoutes);
- } else {
- BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutNoRoutes);
- }
- if (ip_hdr_complete_v6(ip6h, zoneid, ipst)) {
- /* Failed */
- if (copy_mp != NULL) {
- MULTIRT_DEBUG_UNTAG(copy_mp);
- freemsg(copy_mp);
- }
- MULTIRT_DEBUG_UNTAG(first_mp);
- freemsg(first_mp);
- if (ire != NULL)
- ire_refrele(ire);
- if (need_rele)
- ill_refrele(ill);
- return;
- }
- }
-
- if (need_rele)
- ill_refrele(ill);
-
- /*
- * At this point we will have ire only if RTF_BLACKHOLE
- * or RTF_REJECT flags are set on the IRE. It will not
- * generate ICMP6_DST_UNREACH_NOROUTE if RTF_BLACKHOLE is set.
- */
- if (ire != NULL) {
- if (ire->ire_flags & RTF_BLACKHOLE) {
- ire_refrele(ire);
- if (copy_mp != NULL) {
- MULTIRT_DEBUG_UNTAG(copy_mp);
- freemsg(copy_mp);
- }
- MULTIRT_DEBUG_UNTAG(first_mp);
- freemsg(first_mp);
- return;
- }
- ire_refrele(ire);
- }
- if (ip_debug > 3) {
- /* ip2dbg */
- pr_addr_dbg("ip_newroute_v6: no route to %s\n",
- AF_INET6, v6dstp);
- }
- icmp_unreachable_v6(WR(q), first_mp, ICMP6_DST_UNREACH_NOROUTE,
- B_FALSE, B_FALSE, zoneid, ipst);
-}
-
-/*
- * ip_newroute_ipif_v6 is called by ip_wput_v6 and ip_wput_ipsec_out_v6 whenever
- * we need to send out a packet to a destination address for which we do not
- * have specific routing information. It is only used for multicast packets.
- *
- * If unspec_src we allow creating an IRE with source address zero.
- * ire_send_v6() will delete it after the packet is sent.
- */
-void
-ip_newroute_ipif_v6(queue_t *q, mblk_t *mp, ipif_t *ipif,
- const in6_addr_t *v6dstp, const in6_addr_t *v6srcp, int unspec_src,
- zoneid_t zoneid)
-{
- ire_t *ire = NULL;
- ipif_t *src_ipif = NULL;
- int err = 0;
- ill_t *dst_ill = NULL;
- ire_t *save_ire;
- ipsec_out_t *io;
- ill_t *ill;
- mblk_t *first_mp;
- ire_t *fire = NULL;
- mblk_t *copy_mp = NULL;
- const in6_addr_t *ire_v6srcp;
- boolean_t probe = B_FALSE;
- boolean_t multirt_resolve_next;
- boolean_t ipif_held = B_FALSE;
- boolean_t ill_held = B_FALSE;
- boolean_t ip6_asp_table_held = B_FALSE;
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
-
- /*
- * This loop is run only once in most cases.
- * We loop to resolve further routes only when the destination
- * can be reached through multiple RTF_MULTIRT-flagged ires.
- */
- do {
- multirt_resolve_next = B_FALSE;
- if (dst_ill != NULL) {
- ill_refrele(dst_ill);
- dst_ill = NULL;
- }
-
- if (src_ipif != NULL) {
- ipif_refrele(src_ipif);
- src_ipif = NULL;
- }
- ASSERT(ipif != NULL);
- ill = ipif->ipif_ill;
-
- ASSERT(!IN6_IS_ADDR_V4MAPPED(v6dstp));
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("ip_newroute_ipif_v6: v6dst %s\n",
- AF_INET6, v6dstp);
- printf("ip_newroute_ipif_v6: if %s, v6 %d\n",
- ill->ill_name, ipif->ipif_isv6);
- }
-
- first_mp = mp;
- if (mp->b_datap->db_type == M_CTL) {
- mp = mp->b_cont;
- io = (ipsec_out_t *)first_mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- } else {
- io = NULL;
- }
-
- /*
- * If the interface is a pt-pt interface we look for an
- * IRE_IF_RESOLVER or IRE_IF_NORESOLVER that matches both the
- * local_address and the pt-pt destination address.
- * Otherwise we just match the local address.
- */
- if (!(ill->ill_flags & ILLF_MULTICAST)) {
- goto err_ret;
- }
-
- /*
- * We check if an IRE_OFFSUBNET for the addr that goes through
- * ipif exists. We need it to determine if the RTF_SETSRC and/or
- * RTF_MULTIRT flags must be honored.
- */
- fire = ipif_lookup_multi_ire_v6(ipif, v6dstp);
- ip2dbg(("ip_newroute_ipif_v6: "
- "ipif_lookup_multi_ire_v6("
- "ipif %p, dst %08x) = fire %p\n",
- (void *)ipif, ntohl(V4_PART_OF_V6((*v6dstp))),
- (void *)fire));
-
- ASSERT(src_ipif == NULL);
-
- /*
- * Because nce_xmit() calls ip_output_v6() and NCEs are always
- * tied to the underlying interface, IS_UNDER_IPMP() may be
- * true even when building IREs that will be used for data
- * traffic. As such, see if the packet's source address is a
- * test address, and if so use that test address's ipif for
- * the IRE so that the logic that sets IRE_MARK_TESTHIDDEN in
- * ire_add_v6() can work properly.
- */
- if (IS_UNDER_IPMP(ill))
- probe = ipif_lookup_testaddr_v6(ill, v6srcp, &src_ipif);
-
- /*
- * Determine the outbound (destination) ill for this route.
- * If IPMP is not in use, that's the same as our ill. If IPMP
- * is in-use and we're on the IPMP interface, or we're on an
- * underlying ill but sending data traffic, use a suitable
- * destination ill from the group. The latter case covers a
- * subtle edge condition with multicast: when we bring up an
- * IPv6 data address, we will create an NCE on an underlying
- * interface, and send solitications to ff02::1, which would
- * take us through here, and cause us to create an IRE for
- * ff02::1. To meet our defined semantics for multicast (and
- * ensure there aren't unexpected echoes), that IRE needs to
- * use the IPMP group's nominated multicast interface.
- *
- * Note: the source ipif is determined by source address
- * selection later.
- */
- if (IS_IPMP(ill) || (IS_UNDER_IPMP(ill) && !probe)) {
- ill_t *ipmp_ill;
- ipmp_illgrp_t *illg;
-
- if (IS_UNDER_IPMP(ill)) {
- ipmp_ill = ipmp_ill_hold_ipmp_ill(ill);
- } else {
- ipmp_ill = ill;
- ill_refhold(ipmp_ill); /* for symmetry */
- }
-
- if (ipmp_ill == NULL)
- goto err_ret;
-
- illg = ipmp_ill->ill_grp;
- if (IN6_IS_ADDR_MULTICAST(v6dstp))
- dst_ill = ipmp_illgrp_hold_cast_ill(illg);
- else
- dst_ill = ipmp_illgrp_hold_next_ill(illg);
-
- ill_refrele(ipmp_ill);
- } else {
- dst_ill = ill;
- ill_refhold(dst_ill); /* for symmetry */
- }
-
- if (dst_ill == NULL) {
- if (ip_debug > 2) {
- pr_addr_dbg("ip_newroute_ipif_v6: "
- "no dst ill for dst %s\n",
- AF_INET6, v6dstp);
- }
- goto err_ret;
- }
-
- /*
- * Pick a source address which matches the scope of the
- * destination address.
- * For RTF_SETSRC routes, the source address is imposed by the
- * parent ire (fire).
- */
-
- if (src_ipif == NULL && fire != NULL &&
- (fire->ire_flags & RTF_SETSRC)) {
- /*
- * Check that the ipif matching the requested source
- * address still exists.
- */
- src_ipif = ipif_lookup_addr_v6(&fire->ire_src_addr_v6,
- NULL, zoneid, NULL, NULL, NULL, NULL, ipst);
- }
-
- if (src_ipif == NULL && ip6_asp_can_lookup(ipst)) {
- ip6_asp_table_held = B_TRUE;
- src_ipif = ipif_select_source_v6(dst_ill, v6dstp,
- B_FALSE, IPV6_PREFER_SRC_DEFAULT, zoneid);
- }
-
- if (src_ipif == NULL) {
- if (!unspec_src) {
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("ip_newroute_ipif_v6: "
- "no src for dst %s\n",
- AF_INET6, v6dstp);
- printf(" through interface %s\n",
- dst_ill->ill_name);
- }
- goto err_ret;
- }
- ire_v6srcp = &ipv6_all_zeros;
- src_ipif = ipif;
- ipif_refhold(src_ipif);
- } else {
- ire_v6srcp = &src_ipif->ipif_v6src_addr;
- }
-
- ire = ipif_to_ire_v6(ipif);
- if (ire == NULL) {
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("ip_newroute_ipif_v6: v6src %s\n",
- AF_INET6, &ipif->ipif_v6lcl_addr);
- printf("ip_newroute_ipif_v6: "
- "if %s\n", dst_ill->ill_name);
- }
- goto err_ret;
- }
- if (ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE))
- goto err_ret;
-
- ASSERT(ire->ire_ipversion == IPV6_VERSION);
-
- ip1dbg(("ip_newroute_ipif_v6: interface type %s (%d),",
- ip_nv_lookup(ire_nv_tbl, ire->ire_type), ire->ire_type));
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg(" address %s\n",
- AF_INET6, &ire->ire_src_addr_v6);
- }
- save_ire = ire;
- ip2dbg(("ip_newroute_ipif: ire %p, ipif %p\n",
- (void *)ire, (void *)ipif));
-
- if ((fire != NULL) && (fire->ire_flags & RTF_MULTIRT)) {
- /*
- * an IRE_OFFSUBET was looked up
- * on that interface.
- * this ire has RTF_MULTIRT flag,
- * so the resolution loop
- * will be re-entered to resolve
- * additional routes on other
- * interfaces. For that purpose,
- * a copy of the packet is
- * made at this point.
- */
- fire->ire_last_used_time = lbolt;
- copy_mp = copymsg(first_mp);
- if (copy_mp) {
- MULTIRT_DEBUG_TAG(copy_mp);
- }
- }
-
- switch (ire->ire_type) {
- case IRE_IF_NORESOLVER: {
- /*
- * We have what we need to build an IRE_CACHE.
- *
- * handle the Gated case, where we create
- * a NORESOLVER route for loopback.
- */
- if (dst_ill->ill_net_type != IRE_IF_NORESOLVER)
- break;
- /*
- * The newly created ire will inherit the flags of the
- * parent ire, if any.
- */
- ire = ire_create_v6(
- v6dstp, /* dest address */
- &ipv6_all_ones, /* mask */
- ire_v6srcp, /* source address */
- NULL, /* gateway address */
- &save_ire->ire_max_frag,
- NULL, /* no src nce */
- dst_ill->ill_rq, /* recv-from queue */
- dst_ill->ill_wq, /* send-to queue */
- IRE_CACHE,
- src_ipif,
- NULL,
- (fire != NULL) ? /* Parent handle */
- fire->ire_phandle : 0,
- save_ire->ire_ihandle, /* Interface handle */
- (fire != NULL) ?
- (fire->ire_flags & (RTF_SETSRC | RTF_MULTIRT)) :
- 0,
- &ire_uinfo_null,
- NULL,
- NULL,
- ipst);
-
- if (ire == NULL) {
- ire_refrele(save_ire);
- break;
- }
-
- err = ndp_noresolver(dst_ill, v6dstp);
- if (err != 0) {
- ire_refrele(save_ire);
- break;
- }
-
- /* Prevent save_ire from getting deleted */
- IRB_REFHOLD(save_ire->ire_bucket);
- /* Has it been removed already ? */
- if (save_ire->ire_marks & IRE_MARK_CONDEMNED) {
- IRB_REFRELE(save_ire->ire_bucket);
- ire_refrele(save_ire);
- break;
- }
-
- ire_add_then_send(q, ire, first_mp);
- if (ip6_asp_table_held) {
- ip6_asp_table_refrele(ipst);
- ip6_asp_table_held = B_FALSE;
- }
-
- /* Assert that it is not deleted yet. */
- ASSERT(save_ire->ire_ptpn != NULL);
- IRB_REFRELE(save_ire->ire_bucket);
- ire_refrele(save_ire);
- if (fire != NULL) {
- ire_refrele(fire);
- fire = NULL;
- }
-
- /*
- * The resolution loop is re-entered if we
- * actually are in a multirouting case.
- */
- if (copy_mp != NULL) {
- boolean_t need_resolve =
- ire_multirt_need_resolve_v6(v6dstp,
- msg_getlabel(copy_mp), ipst);
- if (!need_resolve) {
- MULTIRT_DEBUG_UNTAG(copy_mp);
- freemsg(copy_mp);
- copy_mp = NULL;
- } else {
- /*
- * ipif_lookup_group_v6() calls
- * ire_lookup_multi_v6() that uses
- * ire_ftable_lookup_v6() to find
- * an IRE_INTERFACE for the group.
- * In the multirt case,
- * ire_lookup_multi_v6() then invokes
- * ire_multirt_lookup_v6() to find
- * the next resolvable ire.
- * As a result, we obtain a new
- * interface, derived from the
- * next ire.
- */
- if (ipif_held) {
- ipif_refrele(ipif);
- ipif_held = B_FALSE;
- }
- ipif = ipif_lookup_group_v6(v6dstp,
- zoneid, ipst);
- ip2dbg(("ip_newroute_ipif: "
- "multirt dst %08x, ipif %p\n",
- ntohl(V4_PART_OF_V6((*v6dstp))),
- (void *)ipif));
- if (ipif != NULL) {
- ipif_held = B_TRUE;
- mp = copy_mp;
- copy_mp = NULL;
- multirt_resolve_next =
- B_TRUE;
- continue;
- } else {
- freemsg(copy_mp);
- }
- }
- }
- ill_refrele(dst_ill);
- if (ipif_held) {
- ipif_refrele(ipif);
- ipif_held = B_FALSE;
- }
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
- return;
- }
- case IRE_IF_RESOLVER: {
-
- ASSERT(dst_ill->ill_isv6);
-
- /*
- * We obtain a partial IRE_CACHE which we will pass
- * along with the resolver query. When the response
- * comes back it will be there ready for us to add.
- */
- /*
- * the newly created ire will inherit the flags of the
- * parent ire, if any.
- */
- ire = ire_create_v6(
- v6dstp, /* dest address */
- &ipv6_all_ones, /* mask */
- ire_v6srcp, /* source address */
- NULL, /* gateway address */
- &save_ire->ire_max_frag,
- NULL, /* src nce */
- dst_ill->ill_rq, /* recv-from queue */
- dst_ill->ill_wq, /* send-to queue */
- IRE_CACHE,
- src_ipif,
- NULL,
- (fire != NULL) ? /* Parent handle */
- fire->ire_phandle : 0,
- save_ire->ire_ihandle, /* Interface handle */
- (fire != NULL) ?
- (fire->ire_flags & (RTF_SETSRC | RTF_MULTIRT)) :
- 0,
- &ire_uinfo_null,
- NULL,
- NULL,
- ipst);
-
- if (ire == NULL) {
- ire_refrele(save_ire);
- break;
- }
-
- /* Resolve and add ire to the ctable */
- err = ndp_resolver(dst_ill, v6dstp, first_mp, zoneid);
- switch (err) {
- case 0:
- /* Prevent save_ire from getting deleted */
- IRB_REFHOLD(save_ire->ire_bucket);
- /* Has it been removed already ? */
- if (save_ire->ire_marks & IRE_MARK_CONDEMNED) {
- IRB_REFRELE(save_ire->ire_bucket);
- ire_refrele(save_ire);
- break;
- }
- /*
- * We have a resolved cache entry,
- * add in the IRE.
- */
- ire_add_then_send(q, ire, first_mp);
- if (ip6_asp_table_held) {
- ip6_asp_table_refrele(ipst);
- ip6_asp_table_held = B_FALSE;
- }
-
- /* Assert that it is not deleted yet. */
- ASSERT(save_ire->ire_ptpn != NULL);
- IRB_REFRELE(save_ire->ire_bucket);
- ire_refrele(save_ire);
- if (fire != NULL) {
- ire_refrele(fire);
- fire = NULL;
- }
-
- /*
- * The resolution loop is re-entered if we
- * actually are in a multirouting case.
- */
- if (copy_mp != NULL) {
- boolean_t need_resolve =
- ire_multirt_need_resolve_v6(v6dstp,
- msg_getlabel(copy_mp), ipst);
- if (!need_resolve) {
- MULTIRT_DEBUG_UNTAG(copy_mp);
- freemsg(copy_mp);
- copy_mp = NULL;
- } else {
- /*
- * ipif_lookup_group_v6() calls
- * ire_lookup_multi_v6() that
- * uses ire_ftable_lookup_v6()
- * to find an IRE_INTERFACE for
- * the group. In the multirt
- * case, ire_lookup_multi_v6()
- * then invokes
- * ire_multirt_lookup_v6() to
- * find the next resolvable ire.
- * As a result, we obtain a new
- * interface, derived from the
- * next ire.
- */
- if (ipif_held) {
- ipif_refrele(ipif);
- ipif_held = B_FALSE;
- }
- ipif = ipif_lookup_group_v6(
- v6dstp, zoneid, ipst);
- ip2dbg(("ip_newroute_ipif: "
- "multirt dst %08x, "
- "ipif %p\n",
- ntohl(V4_PART_OF_V6(
- (*v6dstp))),
- (void *)ipif));
- if (ipif != NULL) {
- ipif_held = B_TRUE;
- mp = copy_mp;
- copy_mp = NULL;
- multirt_resolve_next =
- B_TRUE;
- continue;
- } else {
- freemsg(copy_mp);
- }
- }
- }
- ill_refrele(dst_ill);
- if (ipif_held) {
- ipif_refrele(ipif);
- ipif_held = B_FALSE;
- }
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
- return;
-
- case EINPROGRESS:
- /*
- * mp was consumed - presumably queued.
- * No need for ire, presumably resolution is
- * in progress, and ire will be added when the
- * address is resolved.
- */
- if (ip6_asp_table_held) {
- ip6_asp_table_refrele(ipst);
- ip6_asp_table_held = B_FALSE;
- }
- ire_delete(ire);
- ire_refrele(save_ire);
- if (fire != NULL) {
- ire_refrele(fire);
- fire = NULL;
- }
-
- /*
- * The resolution loop is re-entered if we
- * actually are in a multirouting case.
- */
- if (copy_mp != NULL) {
- boolean_t need_resolve =
- ire_multirt_need_resolve_v6(v6dstp,
- msg_getlabel(copy_mp), ipst);
- if (!need_resolve) {
- MULTIRT_DEBUG_UNTAG(copy_mp);
- freemsg(copy_mp);
- copy_mp = NULL;
- } else {
- /*
- * ipif_lookup_group_v6() calls
- * ire_lookup_multi_v6() that
- * uses ire_ftable_lookup_v6()
- * to find an IRE_INTERFACE for
- * the group. In the multirt
- * case, ire_lookup_multi_v6()
- * then invokes
- * ire_multirt_lookup_v6() to
- * find the next resolvable ire.
- * As a result, we obtain a new
- * interface, derived from the
- * next ire.
- */
- if (ipif_held) {
- ipif_refrele(ipif);
- ipif_held = B_FALSE;
- }
- ipif = ipif_lookup_group_v6(
- v6dstp, zoneid, ipst);
- ip2dbg(("ip_newroute_ipif: "
- "multirt dst %08x, "
- "ipif %p\n",
- ntohl(V4_PART_OF_V6(
- (*v6dstp))),
- (void *)ipif));
- if (ipif != NULL) {
- ipif_held = B_TRUE;
- mp = copy_mp;
- copy_mp = NULL;
- multirt_resolve_next =
- B_TRUE;
- continue;
- } else {
- freemsg(copy_mp);
- }
- }
- }
- ill_refrele(dst_ill);
- if (ipif_held) {
- ipif_refrele(ipif);
- ipif_held = B_FALSE;
- }
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
- return;
- default:
- /* Some transient error */
- ire_refrele(save_ire);
- break;
- }
- break;
- }
- default:
- break;
- }
- if (ip6_asp_table_held) {
- ip6_asp_table_refrele(ipst);
- ip6_asp_table_held = B_FALSE;
- }
- } while (multirt_resolve_next);
-
-err_ret:
- if (ip6_asp_table_held)
- ip6_asp_table_refrele(ipst);
- if (ire != NULL)
- ire_refrele(ire);
- if (fire != NULL)
- ire_refrele(fire);
- if (ipif != NULL && ipif_held)
- ipif_refrele(ipif);
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
-
- /* Multicast - no point in trying to generate ICMP error */
- if (dst_ill != NULL) {
- ill = dst_ill;
- ill_held = B_TRUE;
- }
- if (mp->b_prev || mp->b_next) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- } else {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
- }
- ip1dbg(("ip_newroute_ipif_v6: dropped\n"));
- mp->b_next = NULL;
- mp->b_prev = NULL;
- freemsg(first_mp);
- if (ill_held)
- ill_refrele(ill);
-}
-
-/*
* Parse and process any hop-by-hop or destination options.
*
* Assumes that q is an ill read queue so that ICMP errors for link-local
@@ -6067,23 +2854,16 @@ err_ret:
* Current code checks for each opt_type (other than pads) if it is in
* the expected nexthdr (hbh or dest)
*/
-static int
-ip_process_options_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h,
- uint8_t *optptr, uint_t optlen, uint8_t hdr_type, ip_stack_t *ipst)
+int
+ip_process_options_v6(mblk_t *mp, ip6_t *ip6h,
+ uint8_t *optptr, uint_t optlen, uint8_t hdr_type, ip_recv_attr_t *ira)
{
uint8_t opt_type;
uint_t optused;
int ret = 0;
- mblk_t *first_mp;
const char *errtype;
- zoneid_t zoneid;
- ill_t *ill = q->q_ptr;
- ipif_t *ipif;
-
- first_mp = mp;
- if (mp->b_datap->db_type == M_CTL) {
- mp = mp->b_cont;
- }
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
while (optlen != 0) {
opt_type = *optptr;
@@ -6178,13 +2958,9 @@ ip_process_options_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h,
* around (i.e. before AH processing).
* If we've done AH... stop now.
*/
- if (first_mp != mp) {
- ipsec_in_t *ii;
-
- ii = (ipsec_in_t *)first_mp->b_rptr;
- if (ii->ipsec_in_ah_sa != NULL)
- break;
- }
+ if ((ira->ira_flags & IRAF_IPSEC_SECURE) &&
+ ira->ira_ipsec_ah_sa != NULL)
+ break;
oh = (struct ip6_opt_home_address *)optptr;
/* Check total length and alignment */
@@ -6217,8 +2993,6 @@ ip_process_options_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h,
/* FALLTHROUGH */
opt_error:
/* Determine which zone should send error */
- zoneid = ipif_lookup_addr_zoneid_v6(
- &ip6h->ip6_dst, ill, ipst);
switch (IP6OPT_TYPE(opt_type)) {
case IP6OPT_TYPE_SKIP:
optused = 2 + optptr[1];
@@ -6232,48 +3006,33 @@ ip_process_options_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h,
ip1dbg(("ip_process_options_v6: %s "
"opt 0x%x; packet dropped\n",
errtype, opt_type));
- freemsg(first_mp);
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsInHdrErrors);
+ ip_drop_input("ipIfStatsInHdrErrors",
+ mp, ill);
+ freemsg(mp);
return (-1);
case IP6OPT_TYPE_ICMP:
- if (zoneid == ALL_ZONES) {
- freemsg(first_mp);
- return (-1);
- }
- icmp_param_problem_v6(WR(q), first_mp,
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsInHdrErrors);
+ ip_drop_input("ipIfStatsInHdrErrors",
+ mp, ill);
+ icmp_param_problem_v6(mp,
ICMP6_PARAMPROB_OPTION,
(uint32_t)(optptr -
(uint8_t *)ip6h),
- B_FALSE, B_FALSE, zoneid, ipst);
+ B_FALSE, ira);
return (-1);
case IP6OPT_TYPE_FORCEICMP:
- /*
- * If we don't have a zone and the dst
- * addr is multicast, then pick a zone
- * based on the inbound interface.
- */
- if (zoneid == ALL_ZONES &&
- IN6_IS_ADDR_MULTICAST(
- &ip6h->ip6_dst)) {
- ipif = ipif_select_source_v6(
- ill, &ip6h->ip6_src,
- B_TRUE,
- IPV6_PREFER_SRC_DEFAULT,
- ALL_ZONES);
- if (ipif != NULL) {
- zoneid =
- ipif->ipif_zoneid;
- ipif_refrele(ipif);
- }
- }
- if (zoneid == ALL_ZONES) {
- freemsg(first_mp);
- return (-1);
- }
- icmp_param_problem_v6(WR(q), first_mp,
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsInHdrErrors);
+ ip_drop_input("ipIfStatsInHdrErrors",
+ mp, ill);
+ icmp_param_problem_v6(mp,
ICMP6_PARAMPROB_OPTION,
(uint32_t)(optptr -
(uint8_t *)ip6h),
- B_FALSE, B_TRUE, zoneid, ipst);
+ B_TRUE, ira);
return (-1);
default:
ASSERT(0);
@@ -6287,14 +3046,10 @@ ip_process_options_v6(queue_t *q, mblk_t *mp, ip6_t *ip6h,
bad_opt:
/* Determine which zone should send error */
- zoneid = ipif_lookup_addr_zoneid_v6(&ip6h->ip6_dst, ill, ipst);
- if (zoneid == ALL_ZONES) {
- freemsg(first_mp);
- } else {
- icmp_param_problem_v6(WR(q), first_mp, ICMP6_PARAMPROB_OPTION,
- (uint32_t)(optptr - (uint8_t *)ip6h),
- B_FALSE, B_FALSE, zoneid, ipst);
- }
+ ip_drop_input("ICMP_PARAM_PROBLEM", mp, ill);
+ icmp_param_problem_v6(mp, ICMP6_PARAMPROB_OPTION,
+ (uint32_t)(optptr - (uint8_t *)ip6h),
+ B_FALSE, ira);
return (-1);
}
@@ -6302,10 +3057,11 @@ bad_opt:
* Process a routing header that is not yet empty.
* Because of RFC 5095, we now reject all route headers.
*/
-static void
-ip_process_rthdr(queue_t *q, mblk_t *mp, ip6_t *ip6h, ip6_rthdr_t *rth,
- ill_t *ill, mblk_t *hada_mp)
+void
+ip_process_rthdr(mblk_t *mp, ip6_t *ip6h, ip6_rthdr_t *rth,
+ ip_recv_attr_t *ira)
{
+ ill_t *ill = ira->ira_ill;
ip_stack_t *ipst = ill->ill_ipst;
ASSERT(rth->ip6r_segleft != 0);
@@ -6314,19 +3070,15 @@ ip_process_rthdr(queue_t *q, mblk_t *mp, ip6_t *ip6h, ip6_rthdr_t *rth,
/* XXX Check for source routed out same interface? */
BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInAddrErrors);
- freemsg(hada_mp);
+ ip_drop_input("ipIfStatsInAddrErrors", mp, ill);
freemsg(mp);
return;
}
- if (hada_mp != NULL) {
- freemsg(hada_mp);
- freemsg(mp);
- return;
- }
- /* Sent by forwarding path, and router is global zone */
- icmp_param_problem_v6(WR(q), mp, ICMP6_PARAMPROB_HEADER,
- (uint32_t)((uchar_t *)&rth->ip6r_type - (uchar_t *)ip6h), B_FALSE,
- B_FALSE, GLOBAL_ZONEID, ipst);
+
+ ip_drop_input("ICMP_PARAM_PROBLEM", mp, ill);
+ icmp_param_problem_v6(mp, ICMP6_PARAMPROB_HEADER,
+ (uint32_t)((uchar_t *)&rth->ip6r_type - (uchar_t *)ip6h),
+ B_FALSE, ira);
}
/*
@@ -6335,21 +3087,10 @@ ip_process_rthdr(queue_t *q, mblk_t *mp, ip6_t *ip6h, ip6_rthdr_t *rth,
void
ip_rput_v6(queue_t *q, mblk_t *mp)
{
- mblk_t *first_mp;
- mblk_t *hada_mp = NULL;
- ip6_t *ip6h;
- boolean_t ll_multicast = B_FALSE;
- boolean_t mctl_present = B_FALSE;
ill_t *ill;
- struct iocblk *iocp;
- uint_t flags = 0;
- mblk_t *dl_mp;
- ip_stack_t *ipst;
- int check;
ill = (ill_t *)q->q_ptr;
- ipst = ill->ill_ipst;
- if (ill->ill_state_flags & ILL_CONDEMNED) {
+ if (ill->ill_state_flags & (ILL_CONDEMNED | ILL_LL_SUBNET_PENDING)) {
union DL_primitives *dl;
dl = (union DL_primitives *)mp->b_rptr;
@@ -6367,241 +3108,14 @@ ip_rput_v6(queue_t *q, mblk_t *mp)
return;
}
}
+ if (DB_TYPE(mp) == M_DATA) {
+ struct mac_header_info_s mhi;
- dl_mp = NULL;
- switch (mp->b_datap->db_type) {
- case M_DATA: {
- int hlen;
- uchar_t *ucp;
- struct ether_header *eh;
- dl_unitdata_ind_t *dui;
-
- /*
- * This is a work-around for CR 6451644, a bug in Nemo. It
- * should be removed when that problem is fixed.
- */
- if (ill->ill_mactype == DL_ETHER &&
- (hlen = MBLKHEAD(mp)) >= sizeof (struct ether_header) &&
- (ucp = mp->b_rptr)[-1] == (ETHERTYPE_IPV6 & 0xFF) &&
- ucp[-2] == (ETHERTYPE_IPV6 >> 8)) {
- if (hlen >= sizeof (struct ether_vlan_header) &&
- ucp[-5] == 0 && ucp[-6] == 0x81)
- ucp -= sizeof (struct ether_vlan_header);
- else
- ucp -= sizeof (struct ether_header);
- /*
- * If it's a group address, then fabricate a
- * DL_UNITDATA_IND message.
- */
- if ((ll_multicast = (ucp[0] & 1)) != 0 &&
- (dl_mp = allocb(DL_UNITDATA_IND_SIZE + 16,
- BPRI_HI)) != NULL) {
- eh = (struct ether_header *)ucp;
- dui = (dl_unitdata_ind_t *)dl_mp->b_rptr;
- DB_TYPE(dl_mp) = M_PROTO;
- dl_mp->b_wptr = (uchar_t *)(dui + 1) + 16;
- dui->dl_primitive = DL_UNITDATA_IND;
- dui->dl_dest_addr_length = 8;
- dui->dl_dest_addr_offset = DL_UNITDATA_IND_SIZE;
- dui->dl_src_addr_length = 8;
- dui->dl_src_addr_offset = DL_UNITDATA_IND_SIZE +
- 8;
- dui->dl_group_address = 1;
- ucp = (uchar_t *)(dui + 1);
- if (ill->ill_sap_length > 0)
- ucp += ill->ill_sap_length;
- bcopy(&eh->ether_dhost, ucp, 6);
- bcopy(&eh->ether_shost, ucp + 8, 6);
- ucp = (uchar_t *)(dui + 1);
- if (ill->ill_sap_length < 0)
- ucp += 8 + ill->ill_sap_length;
- bcopy(&eh->ether_type, ucp, 2);
- bcopy(&eh->ether_type, ucp + 8, 2);
- }
- }
- break;
- }
-
- case M_PROTO:
- case M_PCPROTO:
- if (((dl_unitdata_ind_t *)mp->b_rptr)->dl_primitive !=
- DL_UNITDATA_IND) {
- /* Go handle anything other than data elsewhere. */
- ip_rput_dlpi(q, mp);
- return;
- }
- ll_multicast = ip_get_dlpi_mbcast(ill, mp);
-
- /* Save the DLPI header. */
- dl_mp = mp;
- mp = mp->b_cont;
- dl_mp->b_cont = NULL;
- break;
- case M_BREAK:
- panic("ip_rput_v6: got an M_BREAK");
- /*NOTREACHED*/
- case M_IOCACK:
- iocp = (struct iocblk *)mp->b_rptr;
- switch (iocp->ioc_cmd) {
- case DL_IOC_HDR_INFO:
- ill = (ill_t *)q->q_ptr;
- ill_fastpath_ack(ill, mp);
- return;
- default:
- putnext(q, mp);
- return;
- }
- /* FALLTHRU */
- case M_ERROR:
- case M_HANGUP:
- mutex_enter(&ill->ill_lock);
- if (ill->ill_state_flags & ILL_CONDEMNED) {
- mutex_exit(&ill->ill_lock);
- freemsg(mp);
- return;
- }
- ill_refhold_locked(ill);
- mutex_exit(&ill->ill_lock);
- qwriter_ip(ill, q, mp, ip_rput_other, CUR_OP, B_FALSE);
- return;
- case M_CTL:
- if ((MBLKL(mp) > sizeof (int)) &&
- ((da_ipsec_t *)mp->b_rptr)->da_type == IPHADA_M_CTL) {
- ASSERT(MBLKL(mp) >= sizeof (da_ipsec_t));
- mctl_present = B_TRUE;
- break;
- }
- putnext(q, mp);
- return;
- case M_IOCNAK:
- iocp = (struct iocblk *)mp->b_rptr;
- switch (iocp->ioc_cmd) {
- case DL_IOC_HDR_INFO:
- ip_rput_other(NULL, q, mp, NULL);
- return;
- default:
- break;
- }
- /* FALLTHRU */
- default:
- putnext(q, mp);
- return;
- }
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInReceives);
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInOctets,
- (mp->b_cont == NULL) ? MBLKL(mp) : msgdsize(mp));
- /*
- * if db_ref > 1 then copymsg and free original. Packet may be
- * changed and do not want other entity who has a reference to this
- * message to trip over the changes. This is a blind change because
- * trying to catch all places that might change packet is too
- * difficult (since it may be a module above this one).
- */
- if (mp->b_datap->db_ref > 1) {
- mblk_t *mp1;
-
- mp1 = copymsg(mp);
- freemsg(mp);
- if (mp1 == NULL) {
- first_mp = NULL;
- goto discard;
- }
- mp = mp1;
- }
- first_mp = mp;
- if (mctl_present) {
- hada_mp = first_mp;
- mp = first_mp->b_cont;
- }
-
- if ((check = ip_check_v6_mblk(mp, ill)) == IP6_MBLK_HDR_ERR) {
- freemsg(mp);
- return;
- }
-
- ip6h = (ip6_t *)mp->b_rptr;
-
- /*
- * ip:::receive must see ipv6 packets with a full header,
- * and so is placed after the IP6_MBLK_HDR_ERR check.
- */
- DTRACE_IP7(receive, mblk_t *, first_mp, conn_t *, NULL, void_ip_t *,
- ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *, ip6h,
- int, 0);
-
- if (check != IP6_MBLK_OK) {
- freemsg(mp);
- return;
- }
-
- DTRACE_PROBE4(ip6__physical__in__start,
- ill_t *, ill, ill_t *, NULL,
- ip6_t *, ip6h, mblk_t *, first_mp);
-
- FW_HOOKS6(ipst->ips_ip6_physical_in_event,
- ipst->ips_ipv6firewall_physical_in,
- ill, NULL, ip6h, first_mp, mp, ll_multicast, ipst);
-
- DTRACE_PROBE1(ip6__physical__in__end, mblk_t *, first_mp);
-
- if (first_mp == NULL)
- return;
-
- /*
- * Attach any necessary label information to this packet.
- */
- if (is_system_labeled() && !tsol_get_pkt_label(mp, IPV6_VERSION)) {
- if (ip6opt_ls != 0)
- ip0dbg(("tsol_get_pkt_label v6 failed\n"));
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
- goto discard;
- }
-
- /* IP observability hook. */
- if (ipst->ips_ip6_observe.he_interested) {
- zoneid_t dzone;
-
- dzone = ip_get_zoneid_v6(&ip6h->ip6_dst, mp, ill, ipst,
- ALL_ZONES);
- ipobs_hook(mp, IPOBS_HOOK_INBOUND, ALL_ZONES, dzone,
- ill, ipst);
- }
-
- if ((ip6h->ip6_vcf & IPV6_VERS_AND_FLOW_MASK) ==
- IPV6_DEFAULT_VERS_AND_FLOW) {
- /*
- * It may be a bit too expensive to do this mapped address
- * check here, but in the interest of robustness, it seems
- * like the correct place.
- * TODO: Avoid this check for e.g. connected TCP sockets
- */
- if (IN6_IS_ADDR_V4MAPPED(&ip6h->ip6_src)) {
- ip1dbg(("ip_rput_v6: pkt with mapped src addr\n"));
- goto discard;
- }
-
- if (IN6_IS_ADDR_LOOPBACK(&ip6h->ip6_src)) {
- ip1dbg(("ip_rput_v6: pkt with loopback src"));
- goto discard;
- } else if (IN6_IS_ADDR_LOOPBACK(&ip6h->ip6_dst)) {
- ip1dbg(("ip_rput_v6: pkt with loopback dst"));
- goto discard;
- }
-
- flags |= (ll_multicast ? IP6_IN_LLMCAST : 0);
- ip_rput_data_v6(q, ill, mp, ip6h, flags, hada_mp, dl_mp);
+ ip_mdata_to_mhi(ill, mp, &mhi);
+ ip_input_v6(ill, NULL, mp, &mhi);
} else {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInWrongIPVersion);
- goto discard;
+ ip_rput_notdata(ill, mp);
}
- freemsg(dl_mp);
- return;
-
-discard:
- if (dl_mp != NULL)
- freeb(dl_mp);
- freemsg(first_mp);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
}
/*
@@ -6703,1507 +3217,72 @@ ipsec_needs_processing_v6(mblk_t *mp, uint8_t *nexthdr)
}
/*
- * Path for AH if options are present. If this is the first time we are
- * sending a datagram to AH, allocate a IPSEC_IN message and prepend it.
- * Otherwise, just fanout. Return value answers the boolean question:
- * "Did I consume the mblk you sent me?"
+ * Path for AH if options are present.
+ * Returns NULL if the mblk was consumed.
*
* Sometimes AH needs to be done before other IPv6 headers for security
* reasons. This function (and its ipsec_needs_processing_v6() above)
* indicates if that is so, and fans out to the appropriate IPsec protocol
* for the datagram passed in.
*/
-static boolean_t
-ipsec_early_ah_v6(queue_t *q, mblk_t *first_mp, boolean_t mctl_present,
- ill_t *ill, ill_t *inill, mblk_t *hada_mp, zoneid_t zoneid)
+mblk_t *
+ipsec_early_ah_v6(mblk_t *mp, ip_recv_attr_t *ira)
{
- mblk_t *mp;
uint8_t nexthdr;
- ipsec_in_t *ii = NULL;
ah_t *ah;
- ipsec_status_t ipsec_rc;
+ ill_t *ill = ira->ira_ill;
ip_stack_t *ipst = ill->ill_ipst;
- netstack_t *ns = ipst->ips_netstack;
- ipsec_stack_t *ipss = ns->netstack_ipsec;
-
- ASSERT((hada_mp == NULL) || (!mctl_present));
+ ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
- switch (ipsec_needs_processing_v6(
- (mctl_present ? first_mp->b_cont : first_mp), &nexthdr)) {
+ switch (ipsec_needs_processing_v6(mp, &nexthdr)) {
case IPSEC_MEMORY_ERROR:
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(hada_mp);
- freemsg(first_mp);
- return (B_TRUE);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return (NULL);
case IPSEC_HDR_DONT_PROCESS:
- return (B_FALSE);
+ return (mp);
}
/* Default means send it to AH! */
ASSERT(nexthdr == IPPROTO_AH);
- if (!mctl_present) {
- mp = first_mp;
- first_mp = ipsec_in_alloc(B_FALSE, ipst->ips_netstack);
- if (first_mp == NULL) {
- ip1dbg(("ipsec_early_ah_v6: IPSEC_IN "
- "allocation failure.\n"));
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(hada_mp);
- freemsg(mp);
- return (B_TRUE);
- }
- /*
- * Store the ill_index so that when we come back
- * from IPSEC we ride on the same queue.
- */
- ii = (ipsec_in_t *)first_mp->b_rptr;
- ii->ipsec_in_ill_index = ill->ill_phyint->phyint_ifindex;
- ii->ipsec_in_rill_index = inill->ill_phyint->phyint_ifindex;
- first_mp->b_cont = mp;
- }
- /*
- * Cache hardware acceleration info.
- */
- if (hada_mp != NULL) {
- ASSERT(ii != NULL);
- IPSECHW_DEBUG(IPSECHW_PKT, ("ipsec_early_ah_v6: "
- "caching data attr.\n"));
- ii->ipsec_in_accelerated = B_TRUE;
- ii->ipsec_in_da = hada_mp;
- }
if (!ipsec_loaded(ipss)) {
- ip_proto_not_sup(q, first_mp, IP_FF_SEND_ICMP, zoneid, ipst);
- return (B_TRUE);
- }
-
- ah = ipsec_inbound_ah_sa(first_mp, ns);
- if (ah == NULL)
- return (B_TRUE);
- ASSERT(ii->ipsec_in_ah_sa != NULL);
- ASSERT(ii->ipsec_in_ah_sa->ipsa_input_func != NULL);
- ipsec_rc = ii->ipsec_in_ah_sa->ipsa_input_func(first_mp, ah);
-
- switch (ipsec_rc) {
- case IPSEC_STATUS_SUCCESS:
- /* we're done with IPsec processing, send it up */
- ip_fanout_proto_again(first_mp, ill, inill, NULL);
- break;
- case IPSEC_STATUS_FAILED:
- BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsInDiscards);
- break;
- case IPSEC_STATUS_PENDING:
- /* no action needed */
- break;
- }
- return (B_TRUE);
-}
-
-static boolean_t
-ip_iptun_input_v6(mblk_t *ipsec_mp, mblk_t *data_mp,
- size_t hdr_len, uint8_t nexthdr, zoneid_t zoneid, ill_t *ill,
- ip_stack_t *ipst)
-{
- conn_t *connp;
-
- ASSERT(ipsec_mp == NULL || ipsec_mp->b_cont == data_mp);
-
- connp = ipcl_classify_v6(data_mp, nexthdr, hdr_len, zoneid, ipst);
- if (connp != NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
- connp->conn_recv(connp, ipsec_mp != NULL ? ipsec_mp : data_mp,
- NULL);
- CONN_DEC_REF(connp);
- return (B_TRUE);
- }
- return (B_FALSE);
-}
-
-/*
- * Validate the IPv6 mblk for alignment.
- */
-int
-ip_check_v6_mblk(mblk_t *mp, ill_t *ill)
-{
- int pkt_len, ip6_len;
- ip6_t *ip6h = (ip6_t *)mp->b_rptr;
-
- /* check for alignment and full IPv6 header */
- if (!OK_32PTR((uchar_t *)ip6h) ||
- (mp->b_wptr - (uchar_t *)ip6h) < IPV6_HDR_LEN) {
- if (!pullupmsg(mp, IPV6_HDR_LEN)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- ip1dbg(("ip_rput_v6: pullupmsg failed\n"));
- return (IP6_MBLK_HDR_ERR);
- }
- ip6h = (ip6_t *)mp->b_rptr;
- }
-
- ASSERT(OK_32PTR((uchar_t *)ip6h) &&
- (mp->b_wptr - (uchar_t *)ip6h) >= IPV6_HDR_LEN);
-
- if (mp->b_cont == NULL)
- pkt_len = mp->b_wptr - mp->b_rptr;
- else
- pkt_len = msgdsize(mp);
- ip6_len = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
-
- /*
- * Check for bogus (too short packet) and packet which
- * was padded by the link layer.
- */
- if (ip6_len != pkt_len) {
- ssize_t diff;
-
- if (ip6_len > pkt_len) {
- ip1dbg(("ip_rput_data_v6: packet too short %d %d\n",
- ip6_len, pkt_len));
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
- return (IP6_MBLK_LEN_ERR);
- }
- diff = (ssize_t)(pkt_len - ip6_len);
-
- if (!adjmsg(mp, -diff)) {
- ip1dbg(("ip_rput_data_v6: adjmsg failed\n"));
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- return (IP6_MBLK_LEN_ERR);
- }
-
- /*
- * adjmsg may have freed an mblk from the chain, hence
- * invalidate any hw checksum here. This will force IP to
- * calculate the checksum in sw, but only for this packet.
- */
- DB_CKSUMFLAGS(mp) = 0;
- }
- return (IP6_MBLK_OK);
-}
-
-/*
- * ip_rput_data_v6 -- received IPv6 packets in M_DATA messages show up here.
- * ip_rput_v6 has already verified alignment, the min length, the version,
- * and db_ref = 1.
- *
- * The ill passed in (the arg named inill) is the ill that the packet
- * actually arrived on. We need to remember this when saving the
- * input interface index into potential IPV6_PKTINFO data in
- * ip_add_info_v6().
- *
- * This routine doesn't free dl_mp; that's the caller's responsibility on
- * return. (Note that the callers are complex enough that there's no tail
- * recursion here anyway.)
- */
-void
-ip_rput_data_v6(queue_t *q, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
- uint_t flags, mblk_t *hada_mp, mblk_t *dl_mp)
-{
- ire_t *ire = NULL;
- ill_t *ill = inill;
- ill_t *outill;
- uint8_t *whereptr;
- uint8_t nexthdr;
- uint16_t remlen;
- uint_t prev_nexthdr_offset;
- uint_t used;
- size_t old_pkt_len;
- size_t pkt_len;
- uint16_t ip6_len;
- uint_t hdr_len;
- boolean_t mctl_present;
- mblk_t *first_mp;
- mblk_t *first_mp1;
- boolean_t no_forward;
- ip6_hbh_t *hbhhdr;
- boolean_t ll_multicast = (flags & IP6_IN_LLMCAST);
- conn_t *connp;
- uint32_t ports;
- zoneid_t zoneid = GLOBAL_ZONEID;
- uint16_t hck_flags, reass_hck_flags;
- uint32_t reass_sum;
- boolean_t cksum_err;
- mblk_t *mp1;
- ip_stack_t *ipst = inill->ill_ipst;
- ilb_stack_t *ilbs = ipst->ips_netstack->netstack_ilb;
- in6_addr_t lb_dst;
- int lb_ret = ILB_PASSED;
-
- EXTRACT_PKT_MP(mp, first_mp, mctl_present);
-
- if (hada_mp != NULL) {
- /*
- * It's an IPsec accelerated packet.
- * Keep a pointer to the data attributes around until
- * we allocate the ipsecinfo structure.
- */
- IPSECHW_DEBUG(IPSECHW_PKT,
- ("ip_rput_data_v6: inbound HW accelerated IPsec pkt\n"));
- hada_mp->b_cont = NULL;
- /*
- * Since it is accelerated, it came directly from
- * the ill.
- */
- ASSERT(mctl_present == B_FALSE);
- ASSERT(mp->b_datap->db_type != M_CTL);
- }
-
- ip6h = (ip6_t *)mp->b_rptr;
- ip6_len = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
- old_pkt_len = pkt_len = ip6_len;
-
- if (ILL_HCKSUM_CAPABLE(ill) && !mctl_present && dohwcksum)
- hck_flags = DB_CKSUMFLAGS(mp);
- else
- hck_flags = 0;
-
- /* Clear checksum flags in case we need to forward */
- DB_CKSUMFLAGS(mp) = 0;
- reass_sum = reass_hck_flags = 0;
-
- nexthdr = ip6h->ip6_nxt;
-
- prev_nexthdr_offset = (uint_t)((uchar_t *)&ip6h->ip6_nxt -
- (uchar_t *)ip6h);
- whereptr = (uint8_t *)&ip6h[1];
- remlen = pkt_len - IPV6_HDR_LEN; /* Track how much is left */
-
- /* Process hop by hop header options */
- if (nexthdr == IPPROTO_HOPOPTS) {
- uint_t ehdrlen;
- uint8_t *optptr;
-
- if (remlen < MIN_EHDR_LEN)
- goto pkt_too_short;
- if (mp->b_cont != NULL &&
- whereptr + MIN_EHDR_LEN > mp->b_wptr) {
- if (!pullupmsg(mp, IPV6_HDR_LEN + MIN_EHDR_LEN)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(hada_mp);
- freemsg(first_mp);
- return;
- }
- ip6h = (ip6_t *)mp->b_rptr;
- whereptr = (uint8_t *)ip6h + pkt_len - remlen;
- }
- hbhhdr = (ip6_hbh_t *)whereptr;
- nexthdr = hbhhdr->ip6h_nxt;
- prev_nexthdr_offset = (uint_t)(whereptr - (uint8_t *)ip6h);
- ehdrlen = 8 * (hbhhdr->ip6h_len + 1);
-
- if (remlen < ehdrlen)
- goto pkt_too_short;
- if (mp->b_cont != NULL &&
- whereptr + ehdrlen > mp->b_wptr) {
- if (!pullupmsg(mp, IPV6_HDR_LEN + ehdrlen)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(hada_mp);
- freemsg(first_mp);
- return;
- }
- ip6h = (ip6_t *)mp->b_rptr;
- whereptr = (uint8_t *)ip6h + pkt_len - remlen;
- hbhhdr = (ip6_hbh_t *)whereptr;
- }
-
- optptr = whereptr + 2;
- whereptr += ehdrlen;
- remlen -= ehdrlen;
- switch (ip_process_options_v6(q, first_mp, ip6h, optptr,
- ehdrlen - 2, IPPROTO_HOPOPTS, ipst)) {
- case -1:
- /*
- * Packet has been consumed and any
- * needed ICMP messages sent.
- */
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
- freemsg(hada_mp);
- return;
- case 0:
- /* no action needed */
- break;
- case 1:
- /* Known router alert */
- goto ipv6forus;
- }
- }
-
- /*
- * On incoming v6 multicast packets we will bypass the ire table,
- * and assume that the read queue corresponds to the targetted
- * interface.
- *
- * The effect of this is the same as the IPv4 original code, but is
- * much cleaner I think. See ip_rput for how that was done.
- */
- if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInMcastPkts);
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInMcastOctets, pkt_len);
-
- /*
- * So that we don't end up with dups, only one ill in an IPMP
- * group is nominated to receive multicast data traffic.
- * However, link-locals on any underlying interfaces will have
- * joined their solicited-node multicast addresses and we must
- * accept those packets. (We don't attempt to precisely
- * filter out duplicate solicited-node multicast packets since
- * e.g. an IPMP interface and underlying interface may have
- * the same solicited-node multicast address.) Note that we
- * won't generally have duplicates because we only issue a
- * DL_ENABMULTI_REQ on one interface in a group; the exception
- * is when PHYI_MULTI_BCAST is set.
- */
- if (IS_UNDER_IPMP(ill) && !ill->ill_nom_cast &&
- !IN6_IS_ADDR_MC_SOLICITEDNODE(&ip6h->ip6_dst)) {
- goto drop_pkt;
- }
-
- /*
- * XXX TODO Give to mrouted to for multicast forwarding.
- */
- if (ilm_lookup_ill_v6(ill, &ip6h->ip6_dst, B_FALSE,
- ALL_ZONES) == NULL) {
- if (ip_debug > 3) {
- /* ip2dbg */
- pr_addr_dbg("ip_rput_data_v6: got mcast packet"
- " which is not for us: %s\n", AF_INET6,
- &ip6h->ip6_dst);
- }
-drop_pkt: BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(hada_mp);
- freemsg(first_mp);
- return;
- }
- if (ip_debug > 3) {
- /* ip2dbg */
- pr_addr_dbg("ip_rput_data_v6: multicast for us: %s\n",
- AF_INET6, &ip6h->ip6_dst);
- }
- zoneid = GLOBAL_ZONEID;
- goto ipv6forus;
- }
-
- /*
- * Find an ire that matches destination. For link-local addresses
- * we have to match the ill.
- * TBD for site local addresses.
- */
- if (IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_dst)) {
- ire = ire_ctable_lookup_v6(&ip6h->ip6_dst, NULL,
- IRE_CACHE|IRE_LOCAL, ill->ill_ipif, ALL_ZONES, NULL,
- MATCH_IRE_TYPE | MATCH_IRE_ILL, ipst);
- } else {
- if (ilb_has_rules(ilbs) && ILB_SUPP_L4(nexthdr)) {
- /* For convenience, we just pull up the mblk. */
- if (mp->b_cont != NULL) {
- if (pullupmsg(mp, -1) == 0) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInDiscards);
- freemsg(hada_mp);
- freemsg(first_mp);
- return;
- }
- hdr_len = pkt_len - remlen;
- ip6h = (ip6_t *)mp->b_rptr;
- whereptr = (uint8_t *)ip6h + hdr_len;
- }
- lb_ret = ilb_check_v6(ilbs, ill, mp, ip6h, nexthdr,
- whereptr, &lb_dst);
- if (lb_ret == ILB_DROPPED) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(hada_mp);
- freemsg(first_mp);
- return;
- }
- }
-
- ire = ire_cache_lookup_v6((lb_ret == ILB_BALANCED) ? &lb_dst :
- &ip6h->ip6_dst, ALL_ZONES, msg_getlabel(mp), ipst);
-
- if (ire != NULL && ire->ire_stq != NULL &&
- ire->ire_zoneid != GLOBAL_ZONEID &&
- ire->ire_zoneid != ALL_ZONES) {
- /*
- * Should only use IREs that are visible from the
- * global zone for forwarding.
- */
- ire_refrele(ire);
- ire = ire_cache_lookup_v6(&ip6h->ip6_dst,
- GLOBAL_ZONEID, msg_getlabel(mp), ipst);
- }
- }
-
- if (ire == NULL) {
- /*
- * No matching IRE found. Mark this packet as having
- * originated externally.
- */
- if (!(ill->ill_flags & ILLF_ROUTER) || ll_multicast) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
- if (!(ill->ill_flags & ILLF_ROUTER)) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInAddrErrors);
- }
- freemsg(hada_mp);
- freemsg(first_mp);
- return;
- }
- if (ip6h->ip6_hops <= 1) {
- if (hada_mp != NULL)
- goto hada_drop;
- /* Sent by forwarding path, and router is global zone */
- icmp_time_exceeded_v6(WR(q), first_mp,
- ICMP6_TIME_EXCEED_TRANSIT, ll_multicast, B_FALSE,
- GLOBAL_ZONEID, ipst);
- return;
- }
- /*
- * Per RFC 3513 section 2.5.2, we must not forward packets with
- * an unspecified source address.
- */
- if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
- freemsg(hada_mp);
- freemsg(first_mp);
- return;
- }
- mp->b_prev = (mblk_t *)(uintptr_t)
- ill->ill_phyint->phyint_ifindex;
- ip_newroute_v6(q, mp, (lb_ret == ILB_BALANCED) ? &lb_dst :
- &ip6h->ip6_dst, &ip6h->ip6_src,
- IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_dst) ? ill : NULL,
- GLOBAL_ZONEID, ipst);
- return;
+ ip_proto_not_sup(mp, ira);
+ return (NULL);
}
- /* we have a matching IRE */
- if (ire->ire_stq != NULL) {
- /*
- * To be quicker, we may wish not to chase pointers
- * (ire->ire_ipif->ipif_ill...) and instead store the
- * forwarding policy in the ire. An unfortunate side-
- * effect of this would be requiring an ire flush whenever
- * the ILLF_ROUTER flag changes. For now, chase pointers
- * once and store in the boolean no_forward.
- *
- * This appears twice to keep it out of the non-forwarding,
- * yes-it's-for-us-on-the-right-interface case.
- */
- no_forward = ((ill->ill_flags &
- ire->ire_ipif->ipif_ill->ill_flags & ILLF_ROUTER) == 0);
- ASSERT(first_mp == mp);
- /*
- * This ire has a send-to queue - forward the packet.
- */
- if (no_forward || ll_multicast || (hada_mp != NULL)) {
- freemsg(hada_mp);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
- if (no_forward) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInAddrErrors);
- }
- freemsg(mp);
- ire_refrele(ire);
- return;
- }
- /*
- * ipIfStatsHCInForwDatagrams should only be increment if there
- * will be an attempt to forward the packet, which is why we
- * increment after the above condition has been checked.
- */
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInForwDatagrams);
- if (ip6h->ip6_hops <= 1) {
- ip1dbg(("ip_rput_data_v6: hop limit expired.\n"));
- /* Sent by forwarding path, and router is global zone */
- icmp_time_exceeded_v6(WR(q), mp,
- ICMP6_TIME_EXCEED_TRANSIT, ll_multicast, B_FALSE,
- GLOBAL_ZONEID, ipst);
- ire_refrele(ire);
- return;
- }
- /*
- * Per RFC 3513 section 2.5.2, we must not forward packets with
- * an unspecified source address.
- */
- if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
- freemsg(mp);
- ire_refrele(ire);
- return;
- }
-
- if (is_system_labeled()) {
- mblk_t *mp1;
-
- if ((mp1 = tsol_ip_forward(ire, mp)) == NULL) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsForwProhibits);
- freemsg(mp);
- ire_refrele(ire);
- return;
- }
- /* Size may have changed */
- mp = mp1;
- ip6h = (ip6_t *)mp->b_rptr;
- pkt_len = msgdsize(mp);
- }
-
- if (pkt_len > ire->ire_max_frag) {
- int max_frag = ire->ire_max_frag;
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTooBigErrors);
- /*
- * Handle labeled packet resizing.
- */
- if (is_system_labeled()) {
- max_frag = tsol_pmtu_adjust(mp, max_frag,
- pkt_len - old_pkt_len, AF_INET6);
- }
-
- /* Sent by forwarding path, and router is global zone */
- icmp_pkt2big_v6(WR(q), mp, max_frag,
- ll_multicast, B_TRUE, GLOBAL_ZONEID, ipst);
- ire_refrele(ire);
- return;
- }
+ mp = ipsec_inbound_ah_sa(mp, ira, &ah);
+ if (mp == NULL)
+ return (NULL);
+ ASSERT(ah != NULL);
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
+ ASSERT(ira->ira_ipsec_ah_sa != NULL);
+ ASSERT(ira->ira_ipsec_ah_sa->ipsa_input_func != NULL);
+ mp = ira->ira_ipsec_ah_sa->ipsa_input_func(mp, ah, ira);
+ if (mp == NULL) {
/*
- * Check to see if we're forwarding the packet to a
- * different link from which it came. If so, check the
- * source and destination addresses since routers must not
- * forward any packets with link-local source or
- * destination addresses to other links. Otherwise (if
- * we're forwarding onto the same link), conditionally send
- * a redirect message.
+ * Either it failed or is pending. In the former case
+ * ipIfStatsInDiscards was increased.
*/
- if (ire->ire_rfq != q &&
- !IS_IN_SAME_ILLGRP(ill, (ill_t *)ire->ire_rfq->q_ptr)) {
- if (IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_dst) ||
- IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src)) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInAddrErrors);
- freemsg(mp);
- ire_refrele(ire);
- return;
- }
- /* TBD add site-local check at site boundary? */
- } else if (ipst->ips_ipv6_send_redirects) {
- in6_addr_t *v6targ;
- in6_addr_t gw_addr_v6;
- ire_t *src_ire_v6 = NULL;
-
- /*
- * Don't send a redirect when forwarding a source
- * routed packet.
- */
- if (ip_source_routed_v6(ip6h, mp, ipst))
- goto forward;
-
- mutex_enter(&ire->ire_lock);
- gw_addr_v6 = ire->ire_gateway_addr_v6;
- mutex_exit(&ire->ire_lock);
- if (!IN6_IS_ADDR_UNSPECIFIED(&gw_addr_v6)) {
- v6targ = &gw_addr_v6;
- /*
- * We won't send redirects to a router
- * that doesn't have a link local
- * address, but will forward.
- */
- if (!IN6_IS_ADDR_LINKLOCAL(v6targ)) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInAddrErrors);
- goto forward;
- }
- } else {
- v6targ = &ip6h->ip6_dst;
- }
-
- src_ire_v6 = ire_ftable_lookup_v6(&ip6h->ip6_src,
- NULL, NULL, IRE_INTERFACE, ire->ire_ipif, NULL,
- GLOBAL_ZONEID, 0, NULL,
- MATCH_IRE_IPIF | MATCH_IRE_TYPE,
- ipst);
-
- if (src_ire_v6 != NULL) {
- /*
- * The source is directly connected.
- */
- mp1 = copymsg(mp);
- if (mp1 != NULL) {
- icmp_send_redirect_v6(WR(q),
- mp1, v6targ, &ip6h->ip6_dst,
- ill, B_FALSE);
- }
- ire_refrele(src_ire_v6);
- }
- }
-
-forward:
- /* Hoplimit verified above */
- ip6h->ip6_hops--;
-
- outill = ire->ire_ipif->ipif_ill;
-
- DTRACE_PROBE4(ip6__forwarding__start,
- ill_t *, inill, ill_t *, outill,
- ip6_t *, ip6h, mblk_t *, mp);
-
- FW_HOOKS6(ipst->ips_ip6_forwarding_event,
- ipst->ips_ipv6firewall_forwarding,
- inill, outill, ip6h, mp, mp, 0, ipst);
-
- DTRACE_PROBE1(ip6__forwarding__end, mblk_t *, mp);
-
- if (mp != NULL) {
- UPDATE_IB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutForwDatagrams);
- ip_xmit_v6(mp, ire, 0, NULL, B_FALSE, NULL);
- }
- IRE_REFRELE(ire);
- return;
- }
-
- /*
- * Need to put on correct queue for reassembly to find it.
- * No need to use put() since reassembly has its own locks.
- * Note: multicast packets and packets destined to addresses
- * assigned to loopback (ire_rfq is NULL) will be reassembled on
- * the arriving ill. Unlike the IPv4 case, enabling strict
- * destination multihoming will prevent accepting packets
- * addressed to an IRE_LOCAL on lo0.
- */
- if (ire->ire_rfq != q) {
- if ((ire = ip_check_multihome(&ip6h->ip6_dst, ire, ill))
- == NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
- freemsg(hada_mp);
- freemsg(first_mp);
- return;
- }
- if (ire->ire_rfq != NULL) {
- q = ire->ire_rfq;
- ill = (ill_t *)q->q_ptr;
- ASSERT(ill != NULL);
- }
- }
-
- zoneid = ire->ire_zoneid;
- UPDATE_IB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- /* Don't use the ire after this point, we'll NULL it out to be sure. */
- ire_refrele(ire);
- ire = NULL;
-ipv6forus:
- /*
- * Looks like this packet is for us one way or another.
- * This is where we'll process destination headers etc.
- */
- for (; ; ) {
- switch (nexthdr) {
- case IPPROTO_TCP: {
- uint16_t *up;
- uint32_t sum;
- int offset;
-
- hdr_len = pkt_len - remlen;
-
- if (hada_mp != NULL) {
- ip0dbg(("tcp hada drop\n"));
- goto hada_drop;
- }
-
-
- /* TCP needs all of the TCP header */
- if (remlen < TCP_MIN_HEADER_LENGTH)
- goto pkt_too_short;
- if (mp->b_cont != NULL &&
- whereptr + TCP_MIN_HEADER_LENGTH > mp->b_wptr) {
- if (!pullupmsg(mp,
- hdr_len + TCP_MIN_HEADER_LENGTH)) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInDiscards);
- freemsg(first_mp);
- return;
- }
- hck_flags = 0;
- ip6h = (ip6_t *)mp->b_rptr;
- whereptr = (uint8_t *)ip6h + hdr_len;
- }
- /*
- * Extract the offset field from the TCP header.
- */
- offset = ((uchar_t *)ip6h)[hdr_len + 12] >> 4;
- if (offset != 5) {
- if (offset < 5) {
- ip1dbg(("ip_rput_data_v6: short "
- "TCP data offset"));
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInDiscards);
- freemsg(first_mp);
- return;
- }
- /*
- * There must be TCP options.
- * Make sure we can grab them.
- */
- offset <<= 2;
- if (remlen < offset)
- goto pkt_too_short;
- if (mp->b_cont != NULL &&
- whereptr + offset > mp->b_wptr) {
- if (!pullupmsg(mp,
- hdr_len + offset)) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInDiscards);
- freemsg(first_mp);
- return;
- }
- hck_flags = 0;
- ip6h = (ip6_t *)mp->b_rptr;
- whereptr = (uint8_t *)ip6h + hdr_len;
- }
- }
-
- up = (uint16_t *)&ip6h->ip6_src;
- /*
- * TCP checksum calculation. First sum up the
- * pseudo-header fields:
- * - Source IPv6 address
- * - Destination IPv6 address
- * - TCP payload length
- * - TCP protocol ID
- */
- sum = htons(IPPROTO_TCP + remlen) +
- up[0] + up[1] + up[2] + up[3] +
- up[4] + up[5] + up[6] + up[7] +
- up[8] + up[9] + up[10] + up[11] +
- up[12] + up[13] + up[14] + up[15];
-
- /* Fold initial sum */
- sum = (sum & 0xffff) + (sum >> 16);
-
- mp1 = mp->b_cont;
-
- if ((hck_flags & (HCK_FULLCKSUM|HCK_PARTIALCKSUM)) == 0)
- IP6_STAT(ipst, ip6_in_sw_cksum);
-
- IP_CKSUM_RECV(hck_flags, sum, (uchar_t *)
- ((uchar_t *)mp->b_rptr + DB_CKSUMSTART(mp)),
- (int32_t)(whereptr - (uchar_t *)mp->b_rptr),
- mp, mp1, cksum_err);
-
- if (cksum_err) {
- BUMP_MIB(ill->ill_ip_mib, tcpIfStatsInErrs);
-
- if (hck_flags & HCK_FULLCKSUM) {
- IP6_STAT(ipst,
- ip6_tcp_in_full_hw_cksum_err);
- } else if (hck_flags & HCK_PARTIALCKSUM) {
- IP6_STAT(ipst,
- ip6_tcp_in_part_hw_cksum_err);
- } else {
- IP6_STAT(ipst, ip6_tcp_in_sw_cksum_err);
- }
- freemsg(first_mp);
- return;
- }
-tcp_fanout:
- ip_fanout_tcp_v6(q, first_mp, ip6h, ill, inill,
- (flags|IP_FF_SEND_ICMP|IP_FF_SYN_ADDIRE|
- IP_FF_IPINFO), hdr_len, mctl_present, zoneid);
- return;
- }
- case IPPROTO_SCTP:
- {
- sctp_hdr_t *sctph;
- uint32_t calcsum, pktsum;
- uint_t hdr_len = pkt_len - remlen;
- sctp_stack_t *sctps;
-
- sctps = inill->ill_ipst->ips_netstack->netstack_sctp;
-
- /* SCTP needs all of the SCTP header */
- if (remlen < sizeof (*sctph)) {
- goto pkt_too_short;
- }
- if (whereptr + sizeof (*sctph) > mp->b_wptr) {
- ASSERT(mp->b_cont != NULL);
- if (!pullupmsg(mp, hdr_len + sizeof (*sctph))) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInDiscards);
- freemsg(mp);
- return;
- }
- ip6h = (ip6_t *)mp->b_rptr;
- whereptr = (uint8_t *)ip6h + hdr_len;
- }
-
- sctph = (sctp_hdr_t *)(mp->b_rptr + hdr_len);
- /* checksum */
- pktsum = sctph->sh_chksum;
- sctph->sh_chksum = 0;
- calcsum = sctp_cksum(mp, hdr_len);
- if (calcsum != pktsum) {
- BUMP_MIB(&sctps->sctps_mib, sctpChecksumError);
- freemsg(mp);
- return;
- }
- sctph->sh_chksum = pktsum;
- ports = *(uint32_t *)(mp->b_rptr + hdr_len);
- if ((connp = sctp_fanout(&ip6h->ip6_src, &ip6h->ip6_dst,
- ports, zoneid, mp, sctps)) == NULL) {
- ip_fanout_sctp_raw(first_mp, ill,
- (ipha_t *)ip6h, B_FALSE, ports,
- mctl_present,
- (flags|IP_FF_SEND_ICMP|IP_FF_IPINFO),
- B_TRUE, zoneid);
- return;
- }
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
- sctp_input(connp, (ipha_t *)ip6h, mp, first_mp, ill,
- B_FALSE, mctl_present);
- return;
- }
- case IPPROTO_UDP: {
- uint16_t *up;
- uint32_t sum;
-
- hdr_len = pkt_len - remlen;
-
- if (hada_mp != NULL) {
- ip0dbg(("udp hada drop\n"));
- goto hada_drop;
- }
-
- /* Verify that at least the ports are present */
- if (remlen < UDPH_SIZE)
- goto pkt_too_short;
- if (mp->b_cont != NULL &&
- whereptr + UDPH_SIZE > mp->b_wptr) {
- if (!pullupmsg(mp, hdr_len + UDPH_SIZE)) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInDiscards);
- freemsg(first_mp);
- return;
- }
- hck_flags = 0;
- ip6h = (ip6_t *)mp->b_rptr;
- whereptr = (uint8_t *)ip6h + hdr_len;
- }
-
- /*
- * Before going through the regular checksum
- * calculation, make sure the received checksum
- * is non-zero. RFC 2460 says, a 0x0000 checksum
- * in a UDP packet (within IPv6 packet) is invalid
- * and should be replaced by 0xffff. This makes
- * sense as regular checksum calculation will
- * pass for both the cases i.e. 0x0000 and 0xffff.
- * Removing one of the case makes error detection
- * stronger.
- */
-
- if (((udpha_t *)whereptr)->uha_checksum == 0) {
- /* 0x0000 checksum is invalid */
- ip1dbg(("ip_rput_data_v6: Invalid UDP "
- "checksum value 0x0000\n"));
- BUMP_MIB(ill->ill_ip_mib,
- udpIfStatsInCksumErrs);
- freemsg(first_mp);
- return;
- }
-
- up = (uint16_t *)&ip6h->ip6_src;
-
- /*
- * UDP checksum calculation. First sum up the
- * pseudo-header fields:
- * - Source IPv6 address
- * - Destination IPv6 address
- * - UDP payload length
- * - UDP protocol ID
- */
-
- sum = htons(IPPROTO_UDP + remlen) +
- up[0] + up[1] + up[2] + up[3] +
- up[4] + up[5] + up[6] + up[7] +
- up[8] + up[9] + up[10] + up[11] +
- up[12] + up[13] + up[14] + up[15];
-
- /* Fold initial sum */
- sum = (sum & 0xffff) + (sum >> 16);
-
- if (reass_hck_flags != 0) {
- hck_flags = reass_hck_flags;
-
- IP_CKSUM_RECV_REASS(hck_flags,
- (int32_t)(whereptr - (uchar_t *)mp->b_rptr),
- sum, reass_sum, cksum_err);
- } else {
- mp1 = mp->b_cont;
-
- IP_CKSUM_RECV(hck_flags, sum, (uchar_t *)
- ((uchar_t *)mp->b_rptr + DB_CKSUMSTART(mp)),
- (int32_t)(whereptr - (uchar_t *)mp->b_rptr),
- mp, mp1, cksum_err);
- }
-
- if ((hck_flags & (HCK_FULLCKSUM|HCK_PARTIALCKSUM)) == 0)
- IP6_STAT(ipst, ip6_in_sw_cksum);
-
- if (cksum_err) {
- BUMP_MIB(ill->ill_ip_mib,
- udpIfStatsInCksumErrs);
-
- if (hck_flags & HCK_FULLCKSUM)
- IP6_STAT(ipst,
- ip6_udp_in_full_hw_cksum_err);
- else if (hck_flags & HCK_PARTIALCKSUM)
- IP6_STAT(ipst,
- ip6_udp_in_part_hw_cksum_err);
- else
- IP6_STAT(ipst, ip6_udp_in_sw_cksum_err);
-
- freemsg(first_mp);
- return;
- }
- goto udp_fanout;
- }
- case IPPROTO_ICMPV6: {
- uint16_t *up;
- uint32_t sum;
- uint_t hdr_len = pkt_len - remlen;
-
- if (hada_mp != NULL) {
- ip0dbg(("icmp hada drop\n"));
- goto hada_drop;
- }
-
- up = (uint16_t *)&ip6h->ip6_src;
- sum = htons(IPPROTO_ICMPV6 + remlen) +
- up[0] + up[1] + up[2] + up[3] +
- up[4] + up[5] + up[6] + up[7] +
- up[8] + up[9] + up[10] + up[11] +
- up[12] + up[13] + up[14] + up[15];
- sum = (sum & 0xffff) + (sum >> 16);
- sum = IP_CSUM(mp, hdr_len, sum);
- if (sum != 0) {
- /* IPv6 ICMP checksum failed */
- ip1dbg(("ip_rput_data_v6: ICMPv6 checksum "
- "failed %x\n",
- sum));
- BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInMsgs);
- BUMP_MIB(ill->ill_icmp6_mib,
- ipv6IfIcmpInErrors);
- freemsg(first_mp);
- return;
- }
-
- icmp_fanout:
- /* Check variable for testing applications */
- if (ipst->ips_ipv6_drop_inbound_icmpv6) {
- freemsg(first_mp);
- return;
- }
- /*
- * Assume that there is always at least one conn for
- * ICMPv6 (in.ndpd) i.e. don't optimize the case
- * where there is no conn.
- */
- if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
- ilm_t *ilm;
- ilm_walker_t ilw;
-
- ASSERT(!IS_LOOPBACK(ill));
- /*
- * In the multicast case, applications may have
- * joined the group from different zones, so we
- * need to deliver the packet to each of them.
- * Loop through the multicast memberships
- * structures (ilm) on the receive ill and send
- * a copy of the packet up each matching one.
- */
- ilm = ilm_walker_start(&ilw, inill);
- for (; ilm != NULL;
- ilm = ilm_walker_step(&ilw, ilm)) {
- if (!IN6_ARE_ADDR_EQUAL(
- &ilm->ilm_v6addr, &ip6h->ip6_dst))
- continue;
- if (!ipif_lookup_zoneid(
- ilw.ilw_walk_ill, ilm->ilm_zoneid,
- IPIF_UP, NULL))
- continue;
-
- first_mp1 = ip_copymsg(first_mp);
- if (first_mp1 == NULL)
- continue;
- icmp_inbound_v6(q, first_mp1,
- ilw.ilw_walk_ill, inill,
- hdr_len, mctl_present, 0,
- ilm->ilm_zoneid, dl_mp);
- }
- ilm_walker_finish(&ilw);
- } else {
- first_mp1 = ip_copymsg(first_mp);
- if (first_mp1 != NULL)
- icmp_inbound_v6(q, first_mp1, ill,
- inill, hdr_len, mctl_present, 0,
- zoneid, dl_mp);
- }
- goto proto_fanout;
- }
- case IPPROTO_ENCAP:
- case IPPROTO_IPV6:
- if (ip_iptun_input_v6(mctl_present ? first_mp : NULL,
- mp, pkt_len - remlen, nexthdr, zoneid, ill, ipst)) {
- return;
- }
- /*
- * If there was no IP tunnel data-link bound to
- * receive this packet, then we fall through to
- * allow potential raw sockets bound to either of
- * these protocols to pick it up.
- */
- /* FALLTHRU */
-proto_fanout:
- default: {
- /*
- * Handle protocols with which IPv6 is less intimate.
- */
- uint_t proto_flags = IP_FF_RAWIP|IP_FF_IPINFO;
-
- if (hada_mp != NULL) {
- ip0dbg(("default hada drop\n"));
- goto hada_drop;
- }
-
- /*
- * Enable sending ICMP for "Unknown" nexthdr
- * case. i.e. where we did not FALLTHRU from
- * IPPROTO_ICMPV6 processing case above.
- * If we did FALLTHRU, then the packet has already been
- * processed for IPPF, don't process it again in
- * ip_fanout_proto_v6; set IP6_NO_IPPOLICY in the
- * flags
- */
- if (nexthdr != IPPROTO_ICMPV6)
- proto_flags |= IP_FF_SEND_ICMP;
- else
- proto_flags |= IP6_NO_IPPOLICY;
-
- ip_fanout_proto_v6(q, first_mp, ip6h, ill, inill,
- nexthdr, prev_nexthdr_offset, (flags|proto_flags),
- mctl_present, zoneid);
- return;
- }
-
- case IPPROTO_DSTOPTS: {
- uint_t ehdrlen;
- uint8_t *optptr;
- ip6_dest_t *desthdr;
-
- /* If packet is too short, look no further */
- if (remlen < MIN_EHDR_LEN)
- goto pkt_too_short;
-
- /* Check if AH is present. */
- if (ipsec_early_ah_v6(q, first_mp, mctl_present, ill,
- inill, hada_mp, zoneid)) {
- return;
- }
-
- /*
- * Reinitialize pointers, as ipsec_early_ah_v6() does
- * complete pullups. We don't have to do more pullups
- * as a result.
- */
- whereptr = (uint8_t *)((uintptr_t)mp->b_rptr +
- (uintptr_t)(whereptr - ((uint8_t *)ip6h)));
- ip6h = (ip6_t *)mp->b_rptr;
-
- desthdr = (ip6_dest_t *)whereptr;
- nexthdr = desthdr->ip6d_nxt;
- prev_nexthdr_offset = (uint_t)(whereptr -
- (uint8_t *)ip6h);
- ehdrlen = 8 * (desthdr->ip6d_len + 1);
- if (remlen < ehdrlen)
- goto pkt_too_short;
- optptr = whereptr + 2;
- /*
- * Note: XXX This code does not seem to make
- * distinction between Destination Options Header
- * being before/after Routing Header which can
- * happen if we are at the end of source route.
- * This may become significant in future.
- * (No real significant Destination Options are
- * defined/implemented yet ).
- */
- switch (ip_process_options_v6(q, first_mp, ip6h, optptr,
- ehdrlen - 2, IPPROTO_DSTOPTS, ipst)) {
- case -1:
- /*
- * Packet has been consumed and any needed
- * ICMP errors sent.
- */
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
- freemsg(hada_mp);
- return;
- case 0:
- /* No action needed continue */
- break;
- case 1:
- /*
- * Unnexpected return value
- * (Router alert is a Hop-by-Hop option)
- */
-#ifdef DEBUG
- panic("ip_rput_data_v6: router "
- "alert hbh opt indication in dest opt");
- /*NOTREACHED*/
-#else
- freemsg(hada_mp);
- freemsg(first_mp);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- return;
-#endif
- }
- used = ehdrlen;
- break;
- }
- case IPPROTO_FRAGMENT: {
- ip6_frag_t *fraghdr;
- size_t no_frag_hdr_len;
-
- if (hada_mp != NULL) {
- ip0dbg(("frag hada drop\n"));
- goto hada_drop;
- }
-
- ASSERT(first_mp == mp);
- if (remlen < sizeof (ip6_frag_t))
- goto pkt_too_short;
-
- if (mp->b_cont != NULL &&
- whereptr + sizeof (ip6_frag_t) > mp->b_wptr) {
- if (!pullupmsg(mp,
- pkt_len - remlen + sizeof (ip6_frag_t))) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInDiscards);
- freemsg(mp);
- return;
- }
- hck_flags = 0;
- ip6h = (ip6_t *)mp->b_rptr;
- whereptr = (uint8_t *)ip6h + pkt_len - remlen;
- }
-
- fraghdr = (ip6_frag_t *)whereptr;
- used = (uint_t)sizeof (ip6_frag_t);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmReqds);
-
- /*
- * Invoke the CGTP (multirouting) filtering module to
- * process the incoming packet. Packets identified as
- * duplicates must be discarded. Filtering is active
- * only if the the ip_cgtp_filter ndd variable is
- * non-zero.
- */
- if (ipst->ips_ip_cgtp_filter &&
- ipst->ips_ip_cgtp_filter_ops != NULL) {
- int cgtp_flt_pkt;
- netstackid_t stackid;
-
- stackid = ipst->ips_netstack->netstack_stackid;
-
- cgtp_flt_pkt =
- ipst->ips_ip_cgtp_filter_ops->cfo_filter_v6(
- stackid, inill->ill_phyint->phyint_ifindex,
- ip6h, fraghdr);
- if (cgtp_flt_pkt == CGTP_IP_PKT_DUPLICATE) {
- freemsg(mp);
- return;
- }
- }
-
- /* Restore the flags */
- DB_CKSUMFLAGS(mp) = hck_flags;
-
- mp = ip_rput_frag_v6(ill, inill, mp, ip6h, fraghdr,
- remlen - used, &prev_nexthdr_offset,
- &reass_sum, &reass_hck_flags);
- if (mp == NULL) {
- /* Reassembly is still pending */
- return;
- }
- /* The first mblk are the headers before the frag hdr */
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmOKs);
-
- first_mp = mp; /* mp has most likely changed! */
- no_frag_hdr_len = mp->b_wptr - mp->b_rptr;
- ip6h = (ip6_t *)mp->b_rptr;
- nexthdr = ((char *)ip6h)[prev_nexthdr_offset];
- whereptr = mp->b_rptr + no_frag_hdr_len;
- remlen = ntohs(ip6h->ip6_plen) +
- (uint16_t)(IPV6_HDR_LEN - no_frag_hdr_len);
- pkt_len = msgdsize(mp);
- used = 0;
- break;
- }
- case IPPROTO_HOPOPTS: {
- if (hada_mp != NULL) {
- ip0dbg(("hop hada drop\n"));
- goto hada_drop;
- }
- /*
- * Illegal header sequence.
- * (Hop-by-hop headers are processed above
- * and required to immediately follow IPv6 header)
- */
- icmp_param_problem_v6(WR(q), first_mp,
- ICMP6_PARAMPROB_NEXTHEADER,
- prev_nexthdr_offset,
- B_FALSE, B_FALSE, zoneid, ipst);
- return;
- }
- case IPPROTO_ROUTING: {
- uint_t ehdrlen;
- ip6_rthdr_t *rthdr;
-
- /* If packet is too short, look no further */
- if (remlen < MIN_EHDR_LEN)
- goto pkt_too_short;
-
- /* Check if AH is present. */
- if (ipsec_early_ah_v6(q, first_mp, mctl_present, ill,
- inill, hada_mp, zoneid)) {
- return;
- }
-
- /*
- * Reinitialize pointers, as ipsec_early_ah_v6() does
- * complete pullups. We don't have to do more pullups
- * as a result.
- */
- whereptr = (uint8_t *)((uintptr_t)mp->b_rptr +
- (uintptr_t)(whereptr - ((uint8_t *)ip6h)));
- ip6h = (ip6_t *)mp->b_rptr;
-
- rthdr = (ip6_rthdr_t *)whereptr;
- nexthdr = rthdr->ip6r_nxt;
- prev_nexthdr_offset = (uint_t)(whereptr -
- (uint8_t *)ip6h);
- ehdrlen = 8 * (rthdr->ip6r_len + 1);
- if (remlen < ehdrlen)
- goto pkt_too_short;
- if (rthdr->ip6r_segleft != 0) {
- /* Not end of source route */
- if (ll_multicast) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsForwProhibits);
- freemsg(hada_mp);
- freemsg(mp);
- return;
- }
- ip_process_rthdr(q, mp, ip6h, rthdr, ill,
- hada_mp);
- return;
- }
- used = ehdrlen;
- break;
- }
- case IPPROTO_AH:
- case IPPROTO_ESP: {
- /*
- * Fast path for AH/ESP. If this is the first time
- * we are sending a datagram to AH/ESP, allocate
- * a IPSEC_IN message and prepend it. Otherwise,
- * just fanout.
- */
-
- ipsec_in_t *ii;
- int ipsec_rc;
- ipsec_stack_t *ipss;
-
- ipss = ipst->ips_netstack->netstack_ipsec;
- if (!mctl_present) {
- ASSERT(first_mp == mp);
- first_mp = ipsec_in_alloc(B_FALSE,
- ipst->ips_netstack);
- if (first_mp == NULL) {
- ip1dbg(("ip_rput_data_v6: IPSEC_IN "
- "allocation failure.\n"));
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsInDiscards);
- freemsg(mp);
- return;
- }
- /*
- * Store the ill_index so that when we come back
- * from IPSEC we ride on the same queue.
- */
- ii = (ipsec_in_t *)first_mp->b_rptr;
- ii->ipsec_in_ill_index =
- ill->ill_phyint->phyint_ifindex;
- ii->ipsec_in_rill_index =
- inill->ill_phyint->phyint_ifindex;
- first_mp->b_cont = mp;
- /*
- * Cache hardware acceleration info.
- */
- if (hada_mp != NULL) {
- IPSECHW_DEBUG(IPSECHW_PKT,
- ("ip_rput_data_v6: "
- "caching data attr.\n"));
- ii->ipsec_in_accelerated = B_TRUE;
- ii->ipsec_in_da = hada_mp;
- hada_mp = NULL;
- }
- } else {
- ii = (ipsec_in_t *)first_mp->b_rptr;
- }
-
- if (!ipsec_loaded(ipss)) {
- ip_proto_not_sup(q, first_mp, IP_FF_SEND_ICMP,
- zoneid, ipst);
- return;
- }
-
- /* select inbound SA and have IPsec process the pkt */
- if (nexthdr == IPPROTO_ESP) {
- esph_t *esph = ipsec_inbound_esp_sa(first_mp,
- ipst->ips_netstack);
- if (esph == NULL)
- return;
- ASSERT(ii->ipsec_in_esp_sa != NULL);
- ASSERT(ii->ipsec_in_esp_sa->ipsa_input_func !=
- NULL);
- ipsec_rc = ii->ipsec_in_esp_sa->ipsa_input_func(
- first_mp, esph);
- } else {
- ah_t *ah = ipsec_inbound_ah_sa(first_mp,
- ipst->ips_netstack);
- if (ah == NULL)
- return;
- ASSERT(ii->ipsec_in_ah_sa != NULL);
- ASSERT(ii->ipsec_in_ah_sa->ipsa_input_func !=
- NULL);
- ipsec_rc = ii->ipsec_in_ah_sa->ipsa_input_func(
- first_mp, ah);
- }
-
- switch (ipsec_rc) {
- case IPSEC_STATUS_SUCCESS:
- break;
- case IPSEC_STATUS_FAILED:
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- /* FALLTHRU */
- case IPSEC_STATUS_PENDING:
- return;
- }
- /* we're done with IPsec processing, send it up */
- ip_fanout_proto_again(first_mp, ill, inill, NULL);
- return;
- }
- case IPPROTO_NONE:
- /* All processing is done. Count as "delivered". */
- freemsg(hada_mp);
- freemsg(first_mp);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
- return;
- }
- whereptr += used;
- ASSERT(remlen >= used);
- remlen -= used;
- }
- /* NOTREACHED */
-
-pkt_too_short:
- ip1dbg(("ip_rput_data_v6: packet too short %d %lu %d\n",
- ip6_len, pkt_len, remlen));
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
- freemsg(hada_mp);
- freemsg(first_mp);
- return;
-udp_fanout:
- if (mctl_present || IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
- connp = NULL;
- } else {
- connp = ipcl_classify_v6(mp, IPPROTO_UDP, hdr_len, zoneid,
- ipst);
- if ((connp != NULL) && (connp->conn_upq == NULL)) {
- CONN_DEC_REF(connp);
- connp = NULL;
- }
- }
-
- if (connp == NULL) {
- uint32_t ports;
-
- ports = *(uint32_t *)(mp->b_rptr + hdr_len +
- UDP_PORTS_OFFSET);
- IP6_STAT(ipst, ip6_udp_slow_path);
- ip_fanout_udp_v6(q, first_mp, ip6h, ports, ill, inill,
- (flags|IP_FF_SEND_ICMP|IP_FF_IPINFO), mctl_present,
- zoneid);
- return;
- }
-
- if ((IPCL_IS_NONSTR(connp) && PROTO_FLOW_CNTRLD(connp)) ||
- (!IPCL_IS_NONSTR(connp) && CONN_UDP_FLOWCTLD(connp))) {
- freemsg(first_mp);
- BUMP_MIB(ill->ill_ip_mib, udpIfStatsInOverflows);
- CONN_DEC_REF(connp);
- return;
- }
-
- /* Initiate IPPF processing */
- if (IP6_IN_IPP(flags, ipst)) {
- ip_process(IPP_LOCAL_IN, &mp, ill->ill_phyint->phyint_ifindex);
- if (mp == NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- CONN_DEC_REF(connp);
- return;
- }
- }
-
- if (connp->conn_ip_recvpktinfo ||
- IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src)) {
- mp = ip_add_info_v6(mp, inill, &ip6h->ip6_dst);
- if (mp == NULL) {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- CONN_DEC_REF(connp);
- return;
- }
+ return (NULL);
}
- IP6_STAT(ipst, ip6_udp_fast_path);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
-
- /* Send it upstream */
- (connp->conn_recv)(connp, mp, NULL);
-
- CONN_DEC_REF(connp);
- freemsg(hada_mp);
- return;
-
-hada_drop:
- ip1dbg(("ip_rput_data_v6: malformed accelerated packet\n"));
- /* IPsec kstats: bump counter here */
- freemsg(hada_mp);
- freemsg(first_mp);
+ /* we're done with IPsec processing, send it up */
+ ip_input_post_ipsec(mp, ira);
+ return (NULL);
}
/*
* Reassemble fragment.
* When it returns a completed message the first mblk will only contain
- * the headers prior to the fragment header.
- *
- * prev_nexthdr_offset is an offset indication of where the nexthdr field is
- * of the preceding header. This is needed to patch the previous header's
- * nexthdr field when reassembly completes.
+ * the headers prior to the fragment header, with the nexthdr value updated
+ * to be the header after the fragment header.
*/
-static mblk_t *
-ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
- ip6_frag_t *fraghdr, uint_t remlen, uint_t *prev_nexthdr_offset,
- uint32_t *cksum_val, uint16_t *cksum_flags)
+mblk_t *
+ip_input_fragment_v6(mblk_t *mp, ip6_t *ip6h,
+ ip6_frag_t *fraghdr, uint_t remlen, ip_recv_attr_t *ira)
{
uint32_t ident = ntohl(fraghdr->ip6f_ident);
uint16_t offset;
@@ -8225,12 +3304,12 @@ ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
boolean_t pruned = B_FALSE;
uint32_t sum_val;
uint16_t sum_flags;
+ ill_t *ill = ira->ira_ill;
ip_stack_t *ipst = ill->ill_ipst;
-
- if (cksum_val != NULL)
- *cksum_val = 0;
- if (cksum_flags != NULL)
- *cksum_flags = 0;
+ uint_t prev_nexthdr_offset;
+ uint8_t prev_nexthdr;
+ uint8_t *ptr;
+ uint32_t packet_size;
/*
* We utilize hardware computed checksum info only for UDP since
@@ -8238,8 +3317,9 @@ ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
* addition, checksum offload support for IP fragments carrying
* UDP payload is commonly implemented across network adapters.
*/
- ASSERT(inill != NULL);
- if (nexthdr == IPPROTO_UDP && dohwcksum && ILL_HCKSUM_CAPABLE(inill) &&
+ ASSERT(ira->ira_rill != NULL);
+ if (nexthdr == IPPROTO_UDP && dohwcksum &&
+ ILL_HCKSUM_CAPABLE(ira->ira_rill) &&
(DB_CKSUMFLAGS(mp) & (HCK_FULLCKSUM | HCK_PARTIALCKSUM))) {
mblk_t *mp1 = mp->b_cont;
int32_t len;
@@ -8253,8 +3333,8 @@ ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
if ((sum_flags & HCK_PARTIALCKSUM) &&
(mp1 == NULL || mp1->b_cont == NULL) &&
- offset >= (uint16_t)DB_CKSUMSTART(mp) &&
- ((len = offset - (uint16_t)DB_CKSUMSTART(mp)) & 1) == 0) {
+ offset >= DB_CKSUMSTART(mp) &&
+ ((len = offset - DB_CKSUMSTART(mp)) & 1) == 0) {
uint32_t adj;
/*
* Partial checksum has been calculated by hardware
@@ -8281,6 +3361,59 @@ ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
DB_CKSUMFLAGS(mp) = 0;
/*
+ * Determine the offset (from the begining of the IP header)
+ * of the nexthdr value which has IPPROTO_FRAGMENT. We use
+ * this when removing the fragment header from the packet.
+ * This packet consists of the IPv6 header, a potential
+ * hop-by-hop options header, a potential pre-routing-header
+ * destination options header, and a potential routing header.
+ */
+ prev_nexthdr_offset = (uint8_t *)&ip6h->ip6_nxt - (uint8_t *)ip6h;
+ prev_nexthdr = ip6h->ip6_nxt;
+ ptr = (uint8_t *)&ip6h[1];
+
+ if (prev_nexthdr == IPPROTO_HOPOPTS) {
+ ip6_hbh_t *hbh_hdr;
+ uint_t hdr_len;
+
+ hbh_hdr = (ip6_hbh_t *)ptr;
+ hdr_len = 8 * (hbh_hdr->ip6h_len + 1);
+ prev_nexthdr = hbh_hdr->ip6h_nxt;
+ prev_nexthdr_offset = (uint8_t *)&hbh_hdr->ip6h_nxt
+ - (uint8_t *)ip6h;
+ ptr += hdr_len;
+ }
+ if (prev_nexthdr == IPPROTO_DSTOPTS) {
+ ip6_dest_t *dest_hdr;
+ uint_t hdr_len;
+
+ dest_hdr = (ip6_dest_t *)ptr;
+ hdr_len = 8 * (dest_hdr->ip6d_len + 1);
+ prev_nexthdr = dest_hdr->ip6d_nxt;
+ prev_nexthdr_offset = (uint8_t *)&dest_hdr->ip6d_nxt
+ - (uint8_t *)ip6h;
+ ptr += hdr_len;
+ }
+ if (prev_nexthdr == IPPROTO_ROUTING) {
+ ip6_rthdr_t *rthdr;
+ uint_t hdr_len;
+
+ rthdr = (ip6_rthdr_t *)ptr;
+ prev_nexthdr = rthdr->ip6r_nxt;
+ prev_nexthdr_offset = (uint8_t *)&rthdr->ip6r_nxt
+ - (uint8_t *)ip6h;
+ hdr_len = 8 * (rthdr->ip6r_len + 1);
+ ptr += hdr_len;
+ }
+ if (prev_nexthdr != IPPROTO_FRAGMENT) {
+ /* Can't handle other headers before the fragment header */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
+ ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
+ freemsg(mp);
+ return (NULL);
+ }
+
+ /*
* Note: Fragment offset in header is in 8-octet units.
* Clearing least significant 3 bits not only extracts
* it but also gets it in units of octets.
@@ -8293,17 +3426,10 @@ ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
* of eight?
*/
if (more_frags && (ntohs(ip6h->ip6_plen) & 7)) {
- zoneid_t zoneid;
-
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
- zoneid = ipif_lookup_addr_zoneid_v6(&ip6h->ip6_dst, ill, ipst);
- if (zoneid == ALL_ZONES) {
- freemsg(mp);
- return (NULL);
- }
- icmp_param_problem_v6(ill->ill_wq, mp, ICMP6_PARAMPROB_HEADER,
+ ip_drop_input("ICMP_PARAM_PROBLEM", mp, ill);
+ icmp_param_problem_v6(mp, ICMP6_PARAMPROB_HEADER,
(uint32_t)((char *)&ip6h->ip6_plen -
- (char *)ip6h), B_FALSE, B_FALSE, zoneid, ipst);
+ (char *)ip6h), B_FALSE, ira);
return (NULL);
}
@@ -8319,17 +3445,11 @@ ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
* greater than IP_MAXPACKET - the max payload size?
*/
if (end > IP_MAXPACKET) {
- zoneid_t zoneid;
-
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
- zoneid = ipif_lookup_addr_zoneid_v6(&ip6h->ip6_dst, ill, ipst);
- if (zoneid == ALL_ZONES) {
- freemsg(mp);
- return (NULL);
- }
- icmp_param_problem_v6(ill->ill_wq, mp, ICMP6_PARAMPROB_HEADER,
+ ip_drop_input("Reassembled packet too large", mp, ill);
+ icmp_param_problem_v6(mp, ICMP6_PARAMPROB_HEADER,
(uint32_t)((char *)&fraghdr->ip6f_offlg -
- (char *)ip6h), B_FALSE, B_FALSE, zoneid, ipst);
+ (char *)ip6h), B_FALSE, ira);
return (NULL);
}
@@ -8368,11 +3488,17 @@ ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
* there is anything on the reassembly queue, the timer will
* be running.
*/
- msg_len = MBLKSIZE(mp);
+ /* Handle vnic loopback of fragments */
+ if (mp->b_datap->db_ref > 2)
+ msg_len = 0;
+ else
+ msg_len = MBLKSIZE(mp);
+
tail_mp = mp;
while (tail_mp->b_cont != NULL) {
tail_mp = tail_mp->b_cont;
- msg_len += MBLKSIZE(tail_mp);
+ if (tail_mp->b_datap->db_ref <= 2)
+ msg_len += MBLKSIZE(tail_mp);
}
/*
* If the reassembly list for this ILL will get too big
@@ -8381,6 +3507,9 @@ ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
if ((msg_len + sizeof (*ipf) + ill->ill_frag_count) >=
ipst->ips_ip_reass_queue_bytes) {
+ DTRACE_PROBE3(ip_reass_queue_bytes, uint_t, msg_len,
+ uint_t, ill->ill_frag_count,
+ uint_t, ipst->ips_ip_reass_queue_bytes);
ill_frag_prune(ill,
(ipst->ips_ip_reass_queue_bytes < msg_len) ? 0 :
(ipst->ips_ip_reass_queue_bytes - msg_len));
@@ -8443,6 +3572,7 @@ ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
mp1 = allocb(sizeof (*ipf), BPRI_MED);
if (!mp1) {
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
freemsg(mp);
partial_reass_done:
mutex_exit(&ipfb->ipfb_lock);
@@ -8512,7 +3642,7 @@ ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
*/
ipf->ipf_end = end;
ipf->ipf_nf_hdr_len = hdr_length;
- ipf->ipf_prev_nexthdr_offset = *prev_nexthdr_offset;
+ ipf->ipf_prev_nexthdr_offset = prev_nexthdr_offset;
} else {
/* Hard case, hole at the beginning. */
ipf->ipf_tail_mp = NULL;
@@ -8603,7 +3733,7 @@ ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
if (ipf->ipf_prev_nexthdr_offset == 0) {
ipf->ipf_nf_hdr_len = hdr_length;
ipf->ipf_prev_nexthdr_offset =
- *prev_nexthdr_offset;
+ prev_nexthdr_offset;
}
}
/* Save current byte count */
@@ -8654,7 +3784,7 @@ ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
* header
*/
nexthdr = ipf->ipf_protocol;
- *prev_nexthdr_offset = ipf->ipf_prev_nexthdr_offset;
+ prev_nexthdr_offset = ipf->ipf_prev_nexthdr_offset;
ipfp = ipf->ipf_ptphn;
/* We need to supply these to caller */
@@ -8685,7 +3815,8 @@ ip_rput_frag_v6(ill_t *ill, ill_t *inill, mblk_t *mp, ip6_t *ip6h,
reass_done:
if (hdr_length < sizeof (ip6_frag_t)) {
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
- ip1dbg(("ip_rput_frag_v6: bad packet\n"));
+ ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
+ ip1dbg(("ip_input_fragment_v6: bad packet\n"));
freemsg(mp);
return (NULL);
}
@@ -8708,8 +3839,9 @@ reass_done:
mblk_t *nmp;
if (!(nmp = dupb(mp))) {
+ ip1dbg(("ip_input_fragment_v6: dupb failed\n"));
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
- ip1dbg(("ip_rput_frag_v6: dupb failed\n"));
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
freemsg(mp);
return (NULL);
}
@@ -8720,19 +3852,24 @@ reass_done:
mp->b_wptr = mp->b_rptr + hdr_length - sizeof (ip6_frag_t);
ip6h = (ip6_t *)mp->b_rptr;
- ((char *)ip6h)[*prev_nexthdr_offset] = nexthdr;
+ ((char *)ip6h)[prev_nexthdr_offset] = nexthdr;
/* Restore original IP length in header. */
- ip6h->ip6_plen = htons((uint16_t)(msgdsize(mp) - IPV6_HDR_LEN));
+ packet_size = msgdsize(mp);
+ ip6h->ip6_plen = htons((uint16_t)(packet_size - IPV6_HDR_LEN));
/* Record the ECN info. */
ip6h->ip6_vcf &= htonl(0xFFCFFFFF);
ip6h->ip6_vcf |= htonl(ecn_info << 20);
- /* Reassembly is successful; return checksum information if needed */
- if (cksum_val != NULL)
- *cksum_val = sum_val;
- if (cksum_flags != NULL)
- *cksum_flags = sum_flags;
+ /* Update the receive attributes */
+ ira->ira_pktlen = packet_size;
+ ira->ira_ip_hdr_length = hdr_length - sizeof (ip6_frag_t);
+ ira->ira_protocol = nexthdr;
+
+ /* Reassembly is successful; set checksum information in packet */
+ DB_CKSUM16(mp) = (uint16_t)sum_val;
+ DB_CKSUMFLAGS(mp) = sum_flags;
+ DB_CKSUMSTART(mp) = ira->ira_ip_hdr_length;
return (mp);
}
@@ -8742,7 +3879,7 @@ reass_done:
* header.
*/
static in6_addr_t
-pluck_out_dst(mblk_t *mp, uint8_t *whereptr, in6_addr_t oldrv)
+pluck_out_dst(const mblk_t *mp, uint8_t *whereptr, in6_addr_t oldrv)
{
ip6_rthdr0_t *rt0;
int segleft, numaddr;
@@ -8758,7 +3895,7 @@ pluck_out_dst(mblk_t *mp, uint8_t *whereptr, in6_addr_t oldrv)
numaddr = rt0->ip6r0_len / 2;
if ((rt0->ip6r0_len & 0x1) ||
- whereptr + (rt0->ip6r0_len + 1) * 8 > mp->b_wptr ||
+ (mp != NULL && whereptr + (rt0->ip6r0_len + 1) * 8 > mp->b_wptr) ||
(segleft > rt0->ip6r0_len / 2)) {
/*
* Corrupt packet. Either the routing header length is odd
@@ -8784,11 +3921,13 @@ pluck_out_dst(mblk_t *mp, uint8_t *whereptr, in6_addr_t oldrv)
* Walk through the options to see if there is a routing header.
* If present get the destination which is the last address of
* the option.
+ * mp needs to be provided in cases when the extension headers might span
+ * b_cont; mp is never modified by this function.
*/
in6_addr_t
-ip_get_dst_v6(ip6_t *ip6h, mblk_t *mp, boolean_t *is_fragment)
+ip_get_dst_v6(ip6_t *ip6h, const mblk_t *mp, boolean_t *is_fragment)
{
- mblk_t *current_mp = mp;
+ const mblk_t *current_mp = mp;
uint8_t nexthdr;
uint8_t *whereptr;
int ehdrlen;
@@ -8798,7 +3937,8 @@ ip_get_dst_v6(ip6_t *ip6h, mblk_t *mp, boolean_t *is_fragment)
ehdrlen = sizeof (ip6_t);
/* We assume at least the IPv6 base header is within one mblk. */
- ASSERT(mp->b_rptr <= whereptr && mp->b_wptr >= whereptr + ehdrlen);
+ ASSERT(mp == NULL ||
+ (mp->b_rptr <= whereptr && mp->b_wptr >= whereptr + ehdrlen));
rv = ip6h->ip6_dst;
nexthdr = ip6h->ip6_nxt;
@@ -8819,7 +3959,8 @@ ip_get_dst_v6(ip6_t *ip6h, mblk_t *mp, boolean_t *is_fragment)
* All IPv6 extension headers have the next-header in byte
* 0, and the (length - 8) in 8-byte-words.
*/
- while (whereptr + ehdrlen >= current_mp->b_wptr) {
+ while (current_mp != NULL &&
+ whereptr + ehdrlen >= current_mp->b_wptr) {
ehdrlen -= (current_mp->b_wptr - whereptr);
current_mp = current_mp->b_cont;
if (current_mp == NULL) {
@@ -8833,7 +3974,7 @@ ip_get_dst_v6(ip6_t *ip6h, mblk_t *mp, boolean_t *is_fragment)
whereptr += ehdrlen;
nexthdr = *whereptr;
- ASSERT(whereptr + 1 < current_mp->b_wptr);
+ ASSERT(current_mp == NULL || whereptr + 1 < current_mp->b_wptr);
ehdrlen = (*(whereptr + 1) + 1) * 8;
}
@@ -8845,7 +3986,7 @@ done:
/*
* ip_source_routed_v6:
- * This function is called by redirect code in ip_rput_data_v6 to
+ * This function is called by redirect code (called from ip_input_v6) to
* know whether this packet is source routed through this node i.e
* whether this node (router) is part of the journey. This
* function is called under two cases :
@@ -8922,22 +4063,14 @@ ip_source_routed_v6(ip6_t *ip6h, mblk_t *mp, ip_stack_t *ipst)
*/
if (rthdr->ip6r0_segleft > 0 ||
rthdr->ip6r0_segleft == 0) {
- ire_t *ire = NULL;
-
numaddr = rthdr->ip6r0_len / 2;
addrptr = (in6_addr_t *)((char *)rthdr +
sizeof (*rthdr));
addrptr += (numaddr - (rthdr->ip6r0_segleft + 1));
if (addrptr != NULL) {
- ire = ire_ctable_lookup_v6(addrptr, NULL,
- IRE_LOCAL, NULL, ALL_ZONES, NULL,
- MATCH_IRE_TYPE,
- ipst);
- if (ire != NULL) {
- ire_refrele(ire);
+ if (ip_type_v6(addrptr, ipst) == IRE_LOCAL)
return (B_TRUE);
- }
- ip1dbg(("ip_source_routed_v6: No ire found\n"));
+ ip1dbg(("ip_source_routed_v6: Not local\n"));
}
}
/* FALLTHRU */
@@ -8948,2387 +4081,19 @@ ip_source_routed_v6(ip6_t *ip6h, mblk_t *mp, ip_stack_t *ipst)
}
/*
- * ip_wput_v6 -- Packets sent down from transport modules show up here.
- * Assumes that the following set of headers appear in the first
- * mblk:
- * ip6i_t (if present) CAN also appear as a separate mblk.
- * ip6_t
- * Any extension headers
- * TCP/UDP/SCTP header (if present)
- * The routine can handle an ICMPv6 header that is not in the first mblk.
- *
- * The order to determine the outgoing interface is as follows:
- * 1. If an ip6i_t with IP6I_IFINDEX set then use that ill.
- * 2. If q is an ill queue and (link local or multicast destination) then
- * use that ill.
- * 3. If IPV6_BOUND_IF has been set use that ill.
- * 4. For multicast: if IPV6_MULTICAST_IF has been set use it. Otherwise
- * look for the best IRE match for the unspecified group to determine
- * the ill.
- * 5. For unicast: Just do an IRE lookup for the best match.
- *
- * arg2 is always a queue_t *.
- * When that queue is an ill_t (i.e. q_next != NULL), then arg must be
- * the zoneid.
- * When that queue is not an ill_t, then arg must be a conn_t pointer.
- */
-void
-ip_output_v6(void *arg, mblk_t *mp, void *arg2, int caller)
-{
- conn_t *connp = NULL;
- queue_t *q = (queue_t *)arg2;
- ire_t *ire = NULL;
- ire_t *sctp_ire = NULL;
- ip6_t *ip6h;
- in6_addr_t *v6dstp;
- ill_t *ill = NULL;
- ipif_t *ipif;
- ip6i_t *ip6i;
- int cksum_request; /* -1 => normal. */
- /* 1 => Skip TCP/UDP/SCTP checksum */
- /* Otherwise contains insert offset for checksum */
- int unspec_src;
- boolean_t do_outrequests; /* Increment OutRequests? */
- mib2_ipIfStatsEntry_t *mibptr;
- int match_flags = MATCH_IRE_ILL;
- mblk_t *first_mp;
- boolean_t mctl_present;
- ipsec_out_t *io;
- boolean_t multirt_need_resolve = B_FALSE;
- mblk_t *copy_mp = NULL;
- int err = 0;
- int ip6i_flags = 0;
- zoneid_t zoneid;
- ill_t *saved_ill = NULL;
- boolean_t conn_lock_held;
- boolean_t need_decref = B_FALSE;
- ip_stack_t *ipst;
-
- if (q->q_next != NULL) {
- ill = (ill_t *)q->q_ptr;
- ipst = ill->ill_ipst;
- } else {
- connp = (conn_t *)arg;
- ASSERT(connp != NULL);
- ipst = connp->conn_netstack->netstack_ip;
- }
-
- /*
- * Highest bit in version field is Reachability Confirmation bit
- * used by NUD in ip_xmit_v6().
- */
-#ifdef _BIG_ENDIAN
-#define IPVER(ip6h) ((((uint32_t *)ip6h)[0] >> 28) & 0x7)
-#else
-#define IPVER(ip6h) ((((uint32_t *)ip6h)[0] >> 4) & 0x7)
-#endif
-
- /*
- * M_CTL comes from 5 places
- *
- * 1) TCP sends down IPSEC_OUT(M_CTL) for detached connections
- * both V4 and V6 datagrams.
- *
- * 2) AH/ESP sends down M_CTL after doing their job with both
- * V4 and V6 datagrams.
- *
- * 3) NDP callbacks when nce is resolved and IPSEC_OUT has been
- * attached.
- *
- * 4) Notifications from an external resolver (for XRESOLV ifs)
- *
- * 5) AH/ESP send down IPSEC_CTL(M_CTL) to be relayed to hardware for
- * IPsec hardware acceleration support.
- *
- * We need to handle (1)'s IPv6 case and (3) here. For the
- * IPv4 case in (1), and (2), IPSEC processing has already
- * started. The code in ip_wput() already knows how to handle
- * continuing IPSEC processing (for IPv4 and IPv6). All other
- * M_CTLs (including case (4)) are passed on to ip_wput_nondata()
- * for handling.
- */
- first_mp = mp;
- mctl_present = B_FALSE;
- io = NULL;
-
- /* Multidata transmit? */
- if (DB_TYPE(mp) == M_MULTIDATA) {
- /*
- * We should never get here, since all Multidata messages
- * originating from tcp should have been directed over to
- * tcp_multisend() in the first place.
- */
- BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutDiscards);
- freemsg(mp);
- return;
- } else if (DB_TYPE(mp) == M_CTL) {
- uint32_t mctltype = 0;
- uint32_t mlen = MBLKL(first_mp);
-
- mp = mp->b_cont;
- mctl_present = B_TRUE;
- io = (ipsec_out_t *)first_mp->b_rptr;
-
- /*
- * Validate this M_CTL message. The only three types of
- * M_CTL messages we expect to see in this code path are
- * ipsec_out_t or ipsec_in_t structures (allocated as
- * ipsec_info_t unions), or ipsec_ctl_t structures.
- * The ipsec_out_type and ipsec_in_type overlap in the two
- * data structures, and they are either set to IPSEC_OUT
- * or IPSEC_IN depending on which data structure it is.
- * ipsec_ctl_t is an IPSEC_CTL.
- *
- * All other M_CTL messages are sent to ip_wput_nondata()
- * for handling.
- */
- if (mlen >= sizeof (io->ipsec_out_type))
- mctltype = io->ipsec_out_type;
-
- if ((mlen == sizeof (ipsec_ctl_t)) &&
- (mctltype == IPSEC_CTL)) {
- ip_output(arg, first_mp, arg2, caller);
- return;
- }
-
- if ((mlen < sizeof (ipsec_info_t)) ||
- (mctltype != IPSEC_OUT && mctltype != IPSEC_IN) ||
- mp == NULL) {
- ip_wput_nondata(NULL, q, first_mp, NULL);
- return;
- }
- /* NDP callbacks have q_next non-NULL. That's case #3. */
- if (q->q_next == NULL) {
- ip6h = (ip6_t *)mp->b_rptr;
- /*
- * For a freshly-generated TCP dgram that needs IPV6
- * processing, don't call ip_wput immediately. We can
- * tell this by the ipsec_out_proc_begin. In-progress
- * IPSEC_OUT messages have proc_begin set to TRUE,
- * and we want to send all IPSEC_IN messages to
- * ip_wput() for IPsec processing or finishing.
- */
- if (mctltype == IPSEC_IN ||
- IPVER(ip6h) != IPV6_VERSION ||
- io->ipsec_out_proc_begin) {
- mibptr = &ipst->ips_ip6_mib;
- goto notv6;
- }
- }
- } else if (DB_TYPE(mp) != M_DATA) {
- ip_wput_nondata(NULL, q, mp, NULL);
- return;
- }
-
- ip6h = (ip6_t *)mp->b_rptr;
-
- if (IPVER(ip6h) != IPV6_VERSION) {
- mibptr = &ipst->ips_ip6_mib;
- goto notv6;
- }
-
- if (is_system_labeled() && DB_TYPE(mp) == M_DATA &&
- (connp == NULL || !connp->conn_ulp_labeled)) {
- cred_t *cr;
- pid_t pid;
-
- if (connp != NULL) {
- ASSERT(CONN_CRED(connp) != NULL);
- cr = BEST_CRED(mp, connp, &pid);
- err = tsol_check_label_v6(cr, &mp,
- connp->conn_mac_mode, ipst, pid);
- } else if ((cr = msg_getcred(mp, &pid)) != NULL) {
- err = tsol_check_label_v6(cr, &mp, CONN_MAC_DEFAULT,
- ipst, pid);
- }
- if (mctl_present)
- first_mp->b_cont = mp;
- else
- first_mp = mp;
- if (err != 0) {
- DTRACE_PROBE3(
- tsol_ip_log_drop_checklabel_ip6, char *,
- "conn(1), failed to check/update mp(2)",
- conn_t, connp, mblk_t, mp);
- freemsg(first_mp);
- return;
- }
- ip6h = (ip6_t *)mp->b_rptr;
- }
- if (q->q_next != NULL) {
- /*
- * We don't know if this ill will be used for IPv6
- * until the ILLF_IPV6 flag is set via SIOCSLIFNAME.
- * ipif_set_values() sets the ill_isv6 flag to true if
- * ILLF_IPV6 is set. If the ill_isv6 flag isn't true,
- * just drop the packet.
- */
- if (!ill->ill_isv6) {
- ip1dbg(("ip_wput_v6: Received an IPv6 packet before "
- "ILLF_IPV6 was set\n"));
- freemsg(first_mp);
- return;
- }
- /* For uniformity do a refhold */
- mutex_enter(&ill->ill_lock);
- if (!ILL_CAN_LOOKUP(ill)) {
- mutex_exit(&ill->ill_lock);
- freemsg(first_mp);
- return;
- }
- ill_refhold_locked(ill);
- mutex_exit(&ill->ill_lock);
- mibptr = ill->ill_ip_mib;
-
- ASSERT(mibptr != NULL);
- unspec_src = 0;
- BUMP_MIB(mibptr, ipIfStatsHCOutRequests);
- do_outrequests = B_FALSE;
- zoneid = (zoneid_t)(uintptr_t)arg;
- } else {
- ASSERT(connp != NULL);
- zoneid = connp->conn_zoneid;
-
- /* is queue flow controlled? */
- if ((q->q_first || connp->conn_draining) &&
- (caller == IP_WPUT)) {
- /*
- * 1) TCP sends down M_CTL for detached connections.
- * 2) AH/ESP sends down M_CTL.
- *
- * We don't flow control either of the above. Only
- * UDP and others are flow controlled for which we
- * can't have a M_CTL.
- */
- ASSERT(first_mp == mp);
- (void) putq(q, mp);
- return;
- }
- mibptr = &ipst->ips_ip6_mib;
- unspec_src = connp->conn_unspec_src;
- do_outrequests = B_TRUE;
- if (mp->b_flag & MSGHASREF) {
- mp->b_flag &= ~MSGHASREF;
- ASSERT(connp->conn_ulp == IPPROTO_SCTP);
- SCTP_EXTRACT_IPINFO(mp, sctp_ire);
- need_decref = B_TRUE;
- }
-
- /*
- * If there is a policy, try to attach an ipsec_out in
- * the front. At the end, first_mp either points to a
- * M_DATA message or IPSEC_OUT message linked to a
- * M_DATA message. We have to do it now as we might
- * lose the "conn" if we go through ip_newroute.
- */
- if (!mctl_present &&
- (connp->conn_out_enforce_policy ||
- connp->conn_latch != NULL)) {
- ASSERT(first_mp == mp);
- /* XXX Any better way to get the protocol fast ? */
- if (((mp = ipsec_attach_ipsec_out(&mp, connp, NULL,
- connp->conn_ulp, ipst->ips_netstack)) == NULL)) {
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- } else {
- ASSERT(mp->b_datap->db_type == M_CTL);
- first_mp = mp;
- mp = mp->b_cont;
- mctl_present = B_TRUE;
- io = (ipsec_out_t *)first_mp->b_rptr;
- }
- }
- }
-
- /* check for alignment and full IPv6 header */
- if (!OK_32PTR((uchar_t *)ip6h) ||
- (mp->b_wptr - (uchar_t *)ip6h) < IPV6_HDR_LEN) {
- ip0dbg(("ip_wput_v6: bad alignment or length\n"));
- if (do_outrequests)
- BUMP_MIB(mibptr, ipIfStatsHCOutRequests);
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- freemsg(first_mp);
- if (ill != NULL)
- ill_refrele(ill);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- }
- v6dstp = &ip6h->ip6_dst;
- cksum_request = -1;
- ip6i = NULL;
-
- /*
- * Once neighbor discovery has completed, ndp_process() will provide
- * locally generated packets for which processing can be reattempted.
- * In these cases, connp is NULL and the original zone is part of a
- * prepended ipsec_out_t.
- */
- if (io != NULL) {
- /*
- * When coming from icmp_input_v6, the zoneid might not match
- * for the loopback case, because inside icmp_input_v6 the
- * queue_t is a conn queue from the sending side.
- */
- zoneid = io->ipsec_out_zoneid;
- ASSERT(zoneid != ALL_ZONES);
- }
-
- if (ip6h->ip6_nxt == IPPROTO_RAW) {
- /*
- * This is an ip6i_t header followed by an ip6_hdr.
- * Check which fields are set.
- *
- * When the packet comes from a transport we should have
- * all needed headers in the first mblk. However, when
- * going through ip_newroute*_v6 the ip6i might be in
- * a separate mblk when we return here. In that case
- * we pullup everything to ensure that extension and transport
- * headers "stay" in the first mblk.
- */
- ip6i = (ip6i_t *)ip6h;
- ip6i_flags = ip6i->ip6i_flags;
-
- ASSERT((mp->b_wptr - (uchar_t *)ip6i) == sizeof (ip6i_t) ||
- ((mp->b_wptr - (uchar_t *)ip6i) >=
- sizeof (ip6i_t) + IPV6_HDR_LEN));
-
- if ((mp->b_wptr - (uchar_t *)ip6i) == sizeof (ip6i_t)) {
- if (!pullupmsg(mp, -1)) {
- ip1dbg(("ip_wput_v6: pullupmsg failed\n"));
- if (do_outrequests) {
- BUMP_MIB(mibptr,
- ipIfStatsHCOutRequests);
- }
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- freemsg(first_mp);
- if (ill != NULL)
- ill_refrele(ill);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- }
- ip6h = (ip6_t *)mp->b_rptr;
- v6dstp = &ip6h->ip6_dst;
- ip6i = (ip6i_t *)ip6h;
- }
- ip6h = (ip6_t *)&ip6i[1];
-
- /*
- * Advance rptr past the ip6i_t to get ready for
- * transmitting the packet. However, if the packet gets
- * passed to ip_newroute*_v6 then rptr is moved back so
- * that the ip6i_t header can be inspected when the
- * packet comes back here after passing through
- * ire_add_then_send.
- */
- mp->b_rptr = (uchar_t *)ip6h;
-
- if (ip6i->ip6i_flags & IP6I_IFINDEX) {
- ASSERT(ip6i->ip6i_ifindex != 0);
- if (ill != NULL)
- ill_refrele(ill);
- ill = ill_lookup_on_ifindex(ip6i->ip6i_ifindex, 1,
- NULL, NULL, NULL, NULL, ipst);
- if (ill == NULL) {
- if (do_outrequests) {
- BUMP_MIB(mibptr,
- ipIfStatsHCOutRequests);
- }
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- ip1dbg(("ip_wput_v6: bad ifindex %d\n",
- ip6i->ip6i_ifindex));
- if (need_decref)
- CONN_DEC_REF(connp);
- freemsg(first_mp);
- return;
- }
- mibptr = ill->ill_ip_mib;
- /*
- * Preserve the index so that when we return from
- * IPSEC processing, we know where to send the packet.
- */
- if (mctl_present) {
- ASSERT(io != NULL);
- io->ipsec_out_ill_index = ip6i->ip6i_ifindex;
- }
- }
- if (ip6i->ip6i_flags & IP6I_VERIFY_SRC) {
- cred_t *cr = msg_getcred(mp, NULL);
-
- /* rpcmod doesn't send down db_credp for UDP packets */
- if (cr == NULL) {
- if (connp != NULL)
- cr = connp->conn_cred;
- else
- cr = ill->ill_credp;
- }
-
- ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src));
- if (secpolicy_net_rawaccess(cr) != 0) {
- /*
- * Use IPCL_ZONEID to honor SO_ALLZONES.
- */
- ire = ire_route_lookup_v6(&ip6h->ip6_src,
- 0, 0, (IRE_LOCAL|IRE_LOOPBACK), NULL,
- NULL, connp != NULL ?
- IPCL_ZONEID(connp) : zoneid, NULL,
- MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, ipst);
- if (ire == NULL) {
- if (do_outrequests)
- BUMP_MIB(mibptr,
- ipIfStatsHCOutRequests);
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- ip1dbg(("ip_wput_v6: bad source "
- "addr\n"));
- freemsg(first_mp);
- if (ill != NULL)
- ill_refrele(ill);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- }
- ire_refrele(ire);
- }
- /* No need to verify again when using ip_newroute */
- ip6i->ip6i_flags &= ~IP6I_VERIFY_SRC;
- }
- if (!(ip6i->ip6i_flags & IP6I_NEXTHOP)) {
- /*
- * Make sure they match since ip_newroute*_v6 etc might
- * (unknown to them) inspect ip6i_nexthop when
- * they think they access ip6_dst.
- */
- ip6i->ip6i_nexthop = ip6h->ip6_dst;
- }
- if (ip6i->ip6i_flags & IP6I_NO_ULP_CKSUM)
- cksum_request = 1;
- if (ip6i->ip6i_flags & IP6I_RAW_CHECKSUM)
- cksum_request = ip6i->ip6i_checksum_off;
- if (ip6i->ip6i_flags & IP6I_UNSPEC_SRC)
- unspec_src = 1;
-
- if (do_outrequests && ill != NULL) {
- BUMP_MIB(mibptr, ipIfStatsHCOutRequests);
- do_outrequests = B_FALSE;
- }
- /*
- * Store ip6i_t info that we need after we come back
- * from IPSEC processing.
- */
- if (mctl_present) {
- ASSERT(io != NULL);
- io->ipsec_out_unspec_src = unspec_src;
- }
- }
- if (connp != NULL && connp->conn_dontroute)
- ip6h->ip6_hops = 1;
-
- if (IN6_IS_ADDR_MULTICAST(v6dstp))
- goto ipv6multicast;
-
- /* 1. If an ip6i_t with IP6I_IFINDEX set then use that ill. */
- if (ip6i != NULL && (ip6i->ip6i_flags & IP6I_IFINDEX)) {
- ASSERT(ill != NULL);
- goto send_from_ill;
- }
-
- /*
- * 2. If q is an ill queue and there's a link-local destination
- * then use that ill.
- */
- if (ill != NULL && IN6_IS_ADDR_LINKLOCAL(v6dstp))
- goto send_from_ill;
-
- /* 3. If IPV6_BOUND_IF has been set use that ill. */
- if (connp != NULL && connp->conn_outgoing_ill != NULL) {
- ill_t *conn_outgoing_ill;
-
- conn_outgoing_ill = conn_get_held_ill(connp,
- &connp->conn_outgoing_ill, &err);
- if (err == ILL_LOOKUP_FAILED) {
- if (ill != NULL)
- ill_refrele(ill);
- if (need_decref)
- CONN_DEC_REF(connp);
- freemsg(first_mp);
- return;
- }
- if (ill != NULL)
- ill_refrele(ill);
- ill = conn_outgoing_ill;
- mibptr = ill->ill_ip_mib;
- goto send_from_ill;
- }
-
- /*
- * 4. For unicast: Just do an IRE lookup for the best match.
- * If we get here for a link-local address it is rather random
- * what interface we pick on a multihomed host.
- * *If* there is an IRE_CACHE (and the link-local address
- * isn't duplicated on multi links) this will find the IRE_CACHE.
- * Otherwise it will use one of the matching IRE_INTERFACE routes
- * for the link-local prefix. Hence, applications
- * *should* be encouraged to specify an outgoing interface when sending
- * to a link local address.
- */
- if (connp == NULL || (IP_FLOW_CONTROLLED_ULP(connp->conn_ulp) &&
- !connp->conn_fully_bound)) {
- /*
- * We cache IRE_CACHEs to avoid lookups. We don't do
- * this for the tcp global queue and listen end point
- * as it does not really have a real destination to
- * talk to.
- */
- ire = ire_cache_lookup_v6(v6dstp, zoneid, msg_getlabel(mp),
- ipst);
- } else {
- /*
- * IRE_MARK_CONDEMNED is marked in ire_delete. We don't
- * grab a lock here to check for CONDEMNED as it is okay
- * to send a packet or two with the IRE_CACHE that is going
- * away.
- */
- mutex_enter(&connp->conn_lock);
- ire = sctp_ire != NULL ? sctp_ire : connp->conn_ire_cache;
- if (ire != NULL &&
- IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, v6dstp) &&
- !(ire->ire_marks & IRE_MARK_CONDEMNED)) {
-
- IRE_REFHOLD(ire);
- mutex_exit(&connp->conn_lock);
-
- } else {
- boolean_t cached = B_FALSE;
-
- connp->conn_ire_cache = NULL;
- mutex_exit(&connp->conn_lock);
- /* Release the old ire */
- if (ire != NULL && sctp_ire == NULL)
- IRE_REFRELE_NOTR(ire);
-
- ire = ire_cache_lookup_v6(v6dstp, zoneid,
- msg_getlabel(mp), ipst);
- if (ire != NULL) {
- IRE_REFHOLD_NOTR(ire);
-
- mutex_enter(&connp->conn_lock);
- if (CONN_CACHE_IRE(connp) &&
- (connp->conn_ire_cache == NULL)) {
- rw_enter(&ire->ire_bucket->irb_lock,
- RW_READER);
- if (!(ire->ire_marks &
- IRE_MARK_CONDEMNED)) {
- connp->conn_ire_cache = ire;
- cached = B_TRUE;
- }
- rw_exit(&ire->ire_bucket->irb_lock);
- }
- mutex_exit(&connp->conn_lock);
-
- /*
- * We can continue to use the ire but since it
- * was not cached, we should drop the extra
- * reference.
- */
- if (!cached)
- IRE_REFRELE_NOTR(ire);
- }
- }
- }
-
- if (ire != NULL) {
- if (do_outrequests) {
- /* Handle IRE_LOCAL's that might appear here */
- if (ire->ire_type == IRE_CACHE) {
- mibptr = ((ill_t *)ire->ire_stq->q_ptr)->
- ill_ip_mib;
- } else {
- mibptr = ire->ire_ipif->ipif_ill->ill_ip_mib;
- }
- BUMP_MIB(mibptr, ipIfStatsHCOutRequests);
- }
-
- /*
- * Check if the ire has the RTF_MULTIRT flag, inherited
- * from an IRE_OFFSUBNET ire entry in ip_newroute().
- */
- if (ire->ire_flags & RTF_MULTIRT) {
- /*
- * Force hop limit of multirouted packets if required.
- * The hop limit of such packets is bounded by the
- * ip_multirt_ttl ndd variable.
- * NDP packets must have a hop limit of 255; don't
- * change the hop limit in that case.
- */
- if ((ipst->ips_ip_multirt_ttl > 0) &&
- (ip6h->ip6_hops > ipst->ips_ip_multirt_ttl) &&
- (ip6h->ip6_hops != IPV6_MAX_HOPS)) {
- if (ip_debug > 3) {
- ip2dbg(("ip_wput_v6: forcing multirt "
- "hop limit to %d (was %d) ",
- ipst->ips_ip_multirt_ttl,
- ip6h->ip6_hops));
- pr_addr_dbg("v6dst %s\n", AF_INET6,
- &ire->ire_addr_v6);
- }
- ip6h->ip6_hops = ipst->ips_ip_multirt_ttl;
- }
-
- /*
- * We look at this point if there are pending
- * unresolved routes. ire_multirt_need_resolve_v6()
- * checks in O(n) that all IRE_OFFSUBNET ire
- * entries for the packet's destination and
- * flagged RTF_MULTIRT are currently resolved.
- * If some remain unresolved, we do a copy
- * of the current message. It will be used
- * to initiate additional route resolutions.
- */
- multirt_need_resolve =
- ire_multirt_need_resolve_v6(&ire->ire_addr_v6,
- msg_getlabel(first_mp), ipst);
- ip2dbg(("ip_wput_v6: ire %p, "
- "multirt_need_resolve %d, first_mp %p\n",
- (void *)ire, multirt_need_resolve,
- (void *)first_mp));
- if (multirt_need_resolve) {
- copy_mp = copymsg(first_mp);
- if (copy_mp != NULL) {
- MULTIRT_DEBUG_TAG(copy_mp);
- }
- }
- }
- ip_wput_ire_v6(q, first_mp, ire, unspec_src, cksum_request,
- connp, caller, ip6i_flags, zoneid);
- if (need_decref) {
- CONN_DEC_REF(connp);
- connp = NULL;
- }
- IRE_REFRELE(ire);
-
- /*
- * Try to resolve another multiroute if
- * ire_multirt_need_resolve_v6() deemed it necessary.
- * copy_mp will be consumed (sent or freed) by
- * ip_newroute_v6().
- */
- if (copy_mp != NULL) {
- if (mctl_present) {
- ip6h = (ip6_t *)copy_mp->b_cont->b_rptr;
- } else {
- ip6h = (ip6_t *)copy_mp->b_rptr;
- }
- ip_newroute_v6(q, copy_mp, &ip6h->ip6_dst,
- &ip6h->ip6_src, NULL, zoneid, ipst);
- }
- if (ill != NULL)
- ill_refrele(ill);
- return;
- }
-
- /*
- * No full IRE for this destination. Send it to
- * ip_newroute_v6 to see if anything else matches.
- * Mark this packet as having originated on this
- * machine.
- * Update rptr if there was an ip6i_t header.
- */
- mp->b_prev = NULL;
- mp->b_next = NULL;
- if (ip6i != NULL)
- mp->b_rptr -= sizeof (ip6i_t);
-
- if (unspec_src) {
- if (ip6i == NULL) {
- /*
- * Add ip6i_t header to carry unspec_src
- * until the packet comes back in ip_wput_v6.
- */
- mp = ip_add_info_v6(mp, NULL, v6dstp);
- if (mp == NULL) {
- if (do_outrequests)
- BUMP_MIB(mibptr,
- ipIfStatsHCOutRequests);
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- if (mctl_present)
- freeb(first_mp);
- if (ill != NULL)
- ill_refrele(ill);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- }
- ip6i = (ip6i_t *)mp->b_rptr;
-
- if (mctl_present) {
- ASSERT(first_mp != mp);
- first_mp->b_cont = mp;
- } else {
- first_mp = mp;
- }
-
- if ((mp->b_wptr - (uchar_t *)ip6i) ==
- sizeof (ip6i_t)) {
- /*
- * ndp_resolver called from ip_newroute_v6
- * expects pulled up message.
- */
- if (!pullupmsg(mp, -1)) {
- ip1dbg(("ip_wput_v6: pullupmsg"
- " failed\n"));
- if (do_outrequests) {
- BUMP_MIB(mibptr,
- ipIfStatsHCOutRequests);
- }
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- freemsg(first_mp);
- if (ill != NULL)
- ill_refrele(ill);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- }
- ip6i = (ip6i_t *)mp->b_rptr;
- }
- ip6h = (ip6_t *)&ip6i[1];
- v6dstp = &ip6h->ip6_dst;
- }
- ip6i->ip6i_flags |= IP6I_UNSPEC_SRC;
- if (mctl_present) {
- ASSERT(io != NULL);
- io->ipsec_out_unspec_src = unspec_src;
- }
- }
- if (do_outrequests)
- BUMP_MIB(mibptr, ipIfStatsHCOutRequests);
- if (need_decref)
- CONN_DEC_REF(connp);
- ip_newroute_v6(q, first_mp, v6dstp, &ip6h->ip6_src, NULL, zoneid, ipst);
- if (ill != NULL)
- ill_refrele(ill);
- return;
-
-
- /*
- * Handle multicast packets with or without an conn.
- * Assumes that the transports set ip6_hops taking
- * IPV6_MULTICAST_HOPS (and the other ways to set the hoplimit)
- * into account.
- */
-ipv6multicast:
- ip2dbg(("ip_wput_v6: multicast\n"));
-
- /*
- * Hold the conn_lock till we refhold the ill of interest that is
- * pointed to from the conn. Since we cannot do an ill/ipif_refrele
- * while holding any locks, postpone the refrele until after the
- * conn_lock is dropped.
- */
- if (connp != NULL) {
- mutex_enter(&connp->conn_lock);
- conn_lock_held = B_TRUE;
- } else {
- conn_lock_held = B_FALSE;
- }
- if (ip6i != NULL && (ip6i->ip6i_flags & IP6I_IFINDEX)) {
- /* 1. If an ip6i_t with IP6I_IFINDEX set then use that ill. */
- ASSERT(ill != NULL);
- } else if (ill != NULL) {
- /*
- * 2. If q is an ill queue and (link local or multicast
- * destination) then use that ill.
- * We don't need the ipif initialization here.
- * This useless assert below is just to prevent lint from
- * reporting a null body if statement.
- */
- ASSERT(ill != NULL);
- } else if (connp != NULL) {
- /*
- * 3. If IPV6_BOUND_IF has been set use that ill.
- *
- * 4. For multicast: if IPV6_MULTICAST_IF has been set use it.
- * Otherwise look for the best IRE match for the unspecified
- * group to determine the ill.
- *
- * conn_multicast_ill is used for only IPv6 packets.
- * conn_multicast_ipif is used for only IPv4 packets.
- * Thus a PF_INET6 socket send both IPv4 and IPv6
- * multicast packets using different IP*_MULTICAST_IF
- * interfaces.
- */
- if (connp->conn_outgoing_ill != NULL) {
- err = ill_check_and_refhold(connp->conn_outgoing_ill);
- if (err == ILL_LOOKUP_FAILED) {
- ip1dbg(("ip_output_v6: multicast"
- " conn_outgoing_ill no ipif\n"));
-multicast_discard:
- ASSERT(saved_ill == NULL);
- if (conn_lock_held)
- mutex_exit(&connp->conn_lock);
- if (ill != NULL)
- ill_refrele(ill);
- freemsg(first_mp);
- if (do_outrequests)
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- }
- ill = connp->conn_outgoing_ill;
- } else if (connp->conn_multicast_ill != NULL) {
- err = ill_check_and_refhold(connp->conn_multicast_ill);
- if (err == ILL_LOOKUP_FAILED) {
- ip1dbg(("ip_output_v6: multicast"
- " conn_multicast_ill no ipif\n"));
- goto multicast_discard;
- }
- ill = connp->conn_multicast_ill;
- } else {
- mutex_exit(&connp->conn_lock);
- conn_lock_held = B_FALSE;
- ipif = ipif_lookup_group_v6(v6dstp, zoneid, ipst);
- if (ipif == NULL) {
- ip1dbg(("ip_output_v6: multicast no ipif\n"));
- goto multicast_discard;
- }
- /*
- * We have a ref to this ipif, so we can safely
- * access ipif_ill.
- */
- ill = ipif->ipif_ill;
- mutex_enter(&ill->ill_lock);
- if (!ILL_CAN_LOOKUP(ill)) {
- mutex_exit(&ill->ill_lock);
- ipif_refrele(ipif);
- ill = NULL;
- ip1dbg(("ip_output_v6: multicast no ipif\n"));
- goto multicast_discard;
- }
- ill_refhold_locked(ill);
- mutex_exit(&ill->ill_lock);
- ipif_refrele(ipif);
- /*
- * Save binding until IPV6_MULTICAST_IF
- * changes it
- */
- mutex_enter(&connp->conn_lock);
- connp->conn_multicast_ill = ill;
- mutex_exit(&connp->conn_lock);
- }
- }
- if (conn_lock_held)
- mutex_exit(&connp->conn_lock);
-
- if (saved_ill != NULL)
- ill_refrele(saved_ill);
-
- ASSERT(ill != NULL);
- /*
- * For multicast loopback interfaces replace the multicast address
- * with a unicast address for the ire lookup.
- */
- if (IS_LOOPBACK(ill))
- v6dstp = &ill->ill_ipif->ipif_v6lcl_addr;
-
- mibptr = ill->ill_ip_mib;
- if (do_outrequests) {
- BUMP_MIB(mibptr, ipIfStatsHCOutRequests);
- do_outrequests = B_FALSE;
- }
- BUMP_MIB(mibptr, ipIfStatsHCOutMcastPkts);
- UPDATE_MIB(mibptr, ipIfStatsHCOutMcastOctets,
- ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN);
-
- /*
- * As we may lose the conn by the time we reach ip_wput_ire_v6
- * we copy conn_multicast_loop and conn_dontroute on to an
- * ipsec_out. In case if this datagram goes out secure,
- * we need the ill_index also. Copy that also into the
- * ipsec_out.
- */
- if (mctl_present) {
- io = (ipsec_out_t *)first_mp->b_rptr;
- ASSERT(first_mp->b_datap->db_type == M_CTL);
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- } else {
- ASSERT(mp == first_mp);
- if ((first_mp = ipsec_alloc_ipsec_out(ipst->ips_netstack)) ==
- NULL) {
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- freemsg(mp);
- if (ill != NULL)
- ill_refrele(ill);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- }
- io = (ipsec_out_t *)first_mp->b_rptr;
- /* This is not a secure packet */
- io->ipsec_out_secure = B_FALSE;
- io->ipsec_out_use_global_policy = B_TRUE;
- io->ipsec_out_zoneid =
- (zoneid != ALL_ZONES ? zoneid : GLOBAL_ZONEID);
- first_mp->b_cont = mp;
- mctl_present = B_TRUE;
- }
- io->ipsec_out_ill_index = ill->ill_phyint->phyint_ifindex;
- io->ipsec_out_unspec_src = unspec_src;
- if (connp != NULL)
- io->ipsec_out_dontroute = connp->conn_dontroute;
-
-send_from_ill:
- ASSERT(ill != NULL);
- ASSERT(mibptr == ill->ill_ip_mib);
-
- if (do_outrequests) {
- BUMP_MIB(mibptr, ipIfStatsHCOutRequests);
- do_outrequests = B_FALSE;
- }
-
- /*
- * Because nce_xmit() calls ip_output_v6() and NCEs are always tied to
- * an underlying interface, IS_UNDER_IPMP() may be true even when
- * building IREs that will be used for data traffic. As such, use the
- * packet's source address to determine whether the traffic is test
- * traffic, and set MATCH_IRE_MARK_TESTHIDDEN if so.
- *
- * Separately, we also need to mark probe packets so that ND can
- * process them specially; see the comments in nce_queue_mp_common().
- */
- if (IS_UNDER_IPMP(ill) && !IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src) &&
- ipif_lookup_testaddr_v6(ill, &ip6h->ip6_src, NULL)) {
- if (ip6i == NULL) {
- if ((mp = ip_add_info_v6(mp, NULL, v6dstp)) == NULL) {
- if (mctl_present)
- freeb(first_mp);
- goto discard;
- }
-
- if (mctl_present)
- first_mp->b_cont = mp;
- else
- first_mp = mp;
-
- /* ndp_resolver() expects a pulled-up message */
- if (MBLKL(mp) == sizeof (ip6i_t) &&
- pullupmsg(mp, -1) == 0) {
- ip1dbg(("ip_output_v6: pullupmsg failed\n"));
-discard: BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- ill_refrele(ill);
- if (need_decref)
- CONN_DEC_REF(connp);
- return;
- }
- ip6i = (ip6i_t *)mp->b_rptr;
- ip6h = (ip6_t *)&ip6i[1];
- v6dstp = &ip6h->ip6_dst;
- mp->b_rptr = (uchar_t *)ip6h; /* rewound below */
- }
- ip6i->ip6i_flags |= IP6I_IPMP_PROBE;
- match_flags |= MATCH_IRE_MARK_TESTHIDDEN;
- }
-
- if (io != NULL)
- io->ipsec_out_ill_index = ill->ill_phyint->phyint_ifindex;
-
- /*
- * When a specific ill is specified (using IPV6_PKTINFO,
- * IPV6_MULTICAST_IF, or IPV6_BOUND_IF) we will only match
- * on routing entries (ftable and ctable) that have a matching
- * ire->ire_ipif->ipif_ill. Thus this can only be used
- * for destinations that are on-link for the specific ill
- * and that can appear on multiple links. Thus it is useful
- * for multicast destinations, link-local destinations, and
- * at some point perhaps for site-local destinations (if the
- * node sits at a site boundary).
- * We create the cache entries in the regular ctable since
- * it can not "confuse" things for other destinations.
- * table.
- *
- * NOTE : conn_ire_cache is not used for caching ire_ctable_lookups.
- * It is used only when ire_cache_lookup is used above.
- */
- ire = ire_ctable_lookup_v6(v6dstp, 0, 0, ill->ill_ipif,
- zoneid, msg_getlabel(mp), match_flags, ipst);
- if (ire != NULL) {
- /*
- * Check if the ire has the RTF_MULTIRT flag, inherited
- * from an IRE_OFFSUBNET ire entry in ip_newroute().
- */
- if (ire->ire_flags & RTF_MULTIRT) {
- /*
- * Force hop limit of multirouted packets if required.
- * The hop limit of such packets is bounded by the
- * ip_multirt_ttl ndd variable.
- * NDP packets must have a hop limit of 255; don't
- * change the hop limit in that case.
- */
- if ((ipst->ips_ip_multirt_ttl > 0) &&
- (ip6h->ip6_hops > ipst->ips_ip_multirt_ttl) &&
- (ip6h->ip6_hops != IPV6_MAX_HOPS)) {
- if (ip_debug > 3) {
- ip2dbg(("ip_wput_v6: forcing multirt "
- "hop limit to %d (was %d) ",
- ipst->ips_ip_multirt_ttl,
- ip6h->ip6_hops));
- pr_addr_dbg("v6dst %s\n", AF_INET6,
- &ire->ire_addr_v6);
- }
- ip6h->ip6_hops = ipst->ips_ip_multirt_ttl;
- }
-
- /*
- * We look at this point if there are pending
- * unresolved routes. ire_multirt_need_resolve_v6()
- * checks in O(n) that all IRE_OFFSUBNET ire
- * entries for the packet's destination and
- * flagged RTF_MULTIRT are currently resolved.
- * If some remain unresolved, we make a copy
- * of the current message. It will be used
- * to initiate additional route resolutions.
- */
- multirt_need_resolve =
- ire_multirt_need_resolve_v6(&ire->ire_addr_v6,
- msg_getlabel(first_mp), ipst);
- ip2dbg(("ip_wput_v6[send_from_ill]: ire %p, "
- "multirt_need_resolve %d, first_mp %p\n",
- (void *)ire, multirt_need_resolve,
- (void *)first_mp));
- if (multirt_need_resolve) {
- copy_mp = copymsg(first_mp);
- if (copy_mp != NULL) {
- MULTIRT_DEBUG_TAG(copy_mp);
- }
- }
- }
-
- ip1dbg(("ip_wput_v6: send on %s, ire = %p, ill index = %d\n",
- ill->ill_name, (void *)ire,
- ill->ill_phyint->phyint_ifindex));
- ip_wput_ire_v6(q, first_mp, ire, unspec_src, cksum_request,
- connp, caller, ip6i_flags, zoneid);
- ire_refrele(ire);
- if (need_decref) {
- CONN_DEC_REF(connp);
- connp = NULL;
- }
-
- /*
- * Try to resolve another multiroute if
- * ire_multirt_need_resolve_v6() deemed it necessary.
- * copy_mp will be consumed (sent or freed) by
- * ip_newroute_[ipif_]v6().
- */
- if (copy_mp != NULL) {
- if (mctl_present) {
- ip6h = (ip6_t *)copy_mp->b_cont->b_rptr;
- } else {
- ip6h = (ip6_t *)copy_mp->b_rptr;
- }
- if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
- ipif = ipif_lookup_group_v6(&ip6h->ip6_dst,
- zoneid, ipst);
- if (ipif == NULL) {
- ip1dbg(("ip_wput_v6: No ipif for "
- "multicast\n"));
- MULTIRT_DEBUG_UNTAG(copy_mp);
- freemsg(copy_mp);
- return;
- }
- ip_newroute_ipif_v6(q, copy_mp, ipif,
- &ip6h->ip6_dst, &ip6h->ip6_src, unspec_src,
- zoneid);
- ipif_refrele(ipif);
- } else {
- ip_newroute_v6(q, copy_mp, &ip6h->ip6_dst,
- &ip6h->ip6_src, ill, zoneid, ipst);
- }
- }
- ill_refrele(ill);
- return;
- }
- if (need_decref) {
- CONN_DEC_REF(connp);
- connp = NULL;
- }
-
- /* Update rptr if there was an ip6i_t header. */
- if (ip6i != NULL)
- mp->b_rptr -= sizeof (ip6i_t);
- if (unspec_src) {
- if (ip6i == NULL) {
- /*
- * Add ip6i_t header to carry unspec_src
- * until the packet comes back in ip_wput_v6.
- */
- if (mctl_present) {
- first_mp->b_cont =
- ip_add_info_v6(mp, NULL, v6dstp);
- mp = first_mp->b_cont;
- if (mp == NULL)
- freeb(first_mp);
- } else {
- first_mp = mp = ip_add_info_v6(mp, NULL,
- v6dstp);
- }
- if (mp == NULL) {
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- ill_refrele(ill);
- return;
- }
- ip6i = (ip6i_t *)mp->b_rptr;
- if ((mp->b_wptr - (uchar_t *)ip6i) ==
- sizeof (ip6i_t)) {
- /*
- * ndp_resolver called from ip_newroute_v6
- * expects a pulled up message.
- */
- if (!pullupmsg(mp, -1)) {
- ip1dbg(("ip_wput_v6: pullupmsg"
- " failed\n"));
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- freemsg(first_mp);
- return;
- }
- ip6i = (ip6i_t *)mp->b_rptr;
- }
- ip6h = (ip6_t *)&ip6i[1];
- v6dstp = &ip6h->ip6_dst;
- }
- ip6i->ip6i_flags |= IP6I_UNSPEC_SRC;
- if (mctl_present) {
- ASSERT(io != NULL);
- io->ipsec_out_unspec_src = unspec_src;
- }
- }
- if (IN6_IS_ADDR_MULTICAST(v6dstp)) {
- ip_newroute_ipif_v6(q, first_mp, ill->ill_ipif, v6dstp,
- &ip6h->ip6_src, unspec_src, zoneid);
- } else {
- ip_newroute_v6(q, first_mp, v6dstp, &ip6h->ip6_src, ill,
- zoneid, ipst);
- }
- ill_refrele(ill);
- return;
-
-notv6:
- /* FIXME?: assume the caller calls the right version of ip_output? */
- if (q->q_next == NULL) {
- connp = Q_TO_CONN(q);
-
- /*
- * We can change conn_send for all types of conn, even
- * though only TCP uses it right now.
- * FIXME: sctp could use conn_send but doesn't currently.
- */
- ip_setpktversion(connp, B_FALSE, B_TRUE, ipst);
- }
- BUMP_MIB(mibptr, ipIfStatsOutWrongIPVersion);
- (void) ip_output(arg, first_mp, arg2, caller);
- if (ill != NULL)
- ill_refrele(ill);
-}
-
-/*
- * If this is a conn_t queue, then we pass in the conn. This includes the
- * zoneid.
- * Otherwise, this is a message for an ill_t queue,
- * in which case we use the global zoneid since those are all part of
- * the global zone.
- */
-void
-ip_wput_v6(queue_t *q, mblk_t *mp)
-{
- if (CONN_Q(q))
- ip_output_v6(Q_TO_CONN(q), mp, q, IP_WPUT);
- else
- ip_output_v6(GLOBAL_ZONEID, mp, q, IP_WPUT);
-}
-
-/*
- * NULL send-to queue - packet is to be delivered locally.
- */
-void
-ip_wput_local_v6(queue_t *q, ill_t *ill, ip6_t *ip6h, mblk_t *first_mp,
- ire_t *ire, int fanout_flags, zoneid_t zoneid)
-{
- uint32_t ports;
- mblk_t *mp = first_mp, *first_mp1;
- boolean_t mctl_present;
- uint8_t nexthdr;
- uint16_t hdr_length;
- ipsec_out_t *io;
- mib2_ipIfStatsEntry_t *mibptr;
- ilm_t *ilm;
- uint_t nexthdr_offset;
- ip_stack_t *ipst = ill->ill_ipst;
-
- if (DB_TYPE(mp) == M_CTL) {
- io = (ipsec_out_t *)mp->b_rptr;
- if (!io->ipsec_out_secure) {
- mp = mp->b_cont;
- freeb(first_mp);
- first_mp = mp;
- mctl_present = B_FALSE;
- } else {
- mctl_present = B_TRUE;
- mp = first_mp->b_cont;
- ipsec_out_to_in(first_mp);
- }
- } else {
- mctl_present = B_FALSE;
- }
-
- /*
- * Remove reachability confirmation bit from version field
- * before passing the packet on to any firewall hooks or
- * looping back the packet.
- */
- if (ip6h->ip6_vcf & IP_FORWARD_PROG)
- ip6h->ip6_vcf &= ~IP_FORWARD_PROG;
-
- DTRACE_PROBE4(ip6__loopback__in__start,
- ill_t *, ill, ill_t *, NULL,
- ip6_t *, ip6h, mblk_t *, first_mp);
-
- FW_HOOKS6(ipst->ips_ip6_loopback_in_event,
- ipst->ips_ipv6firewall_loopback_in,
- ill, NULL, ip6h, first_mp, mp, 0, ipst);
-
- DTRACE_PROBE1(ip6__loopback__in__end, mblk_t *, first_mp);
-
- if (first_mp == NULL)
- return;
-
- if (ipst->ips_ip6_observe.he_interested) {
- zoneid_t szone, dzone, lookup_zoneid = ALL_ZONES;
- zoneid_t stackzoneid = netstackid_to_zoneid(
- ipst->ips_netstack->netstack_stackid);
-
- szone = (stackzoneid == GLOBAL_ZONEID) ? zoneid : stackzoneid;
- /*
- * ::1 is special, as we cannot lookup its zoneid by
- * address. For this case, restrict the lookup to the
- * source zone.
- */
- if (IN6_IS_ADDR_LOOPBACK(&ip6h->ip6_dst))
- lookup_zoneid = zoneid;
- dzone = ip_get_zoneid_v6(&ip6h->ip6_dst, mp, ill, ipst,
- lookup_zoneid);
- ipobs_hook(mp, IPOBS_HOOK_LOCAL, szone, dzone, ill, ipst);
- }
-
- DTRACE_IP7(receive, mblk_t *, first_mp, conn_t *, NULL, void_ip_t *,
- ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *, ip6h,
- int, 1);
-
- nexthdr = ip6h->ip6_nxt;
- mibptr = ill->ill_ip_mib;
-
- /* Fastpath */
- switch (nexthdr) {
- case IPPROTO_TCP:
- case IPPROTO_UDP:
- case IPPROTO_ICMPV6:
- case IPPROTO_SCTP:
- hdr_length = IPV6_HDR_LEN;
- nexthdr_offset = (uint_t)((uchar_t *)&ip6h->ip6_nxt -
- (uchar_t *)ip6h);
- break;
- default: {
- uint8_t *nexthdrp;
-
- if (!ip_hdr_length_nexthdr_v6(mp, ip6h,
- &hdr_length, &nexthdrp)) {
- /* Malformed packet */
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- freemsg(first_mp);
- return;
- }
- nexthdr = *nexthdrp;
- nexthdr_offset = nexthdrp - (uint8_t *)ip6h;
- break;
- }
- }
-
- UPDATE_OB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
-
- switch (nexthdr) {
- case IPPROTO_TCP:
- if (DB_TYPE(mp) == M_DATA) {
- /*
- * M_DATA mblk, so init mblk (chain) for
- * no struio().
- */
- mblk_t *mp1 = mp;
-
- do {
- mp1->b_datap->db_struioflag = 0;
- } while ((mp1 = mp1->b_cont) != NULL);
- }
- ports = *(uint32_t *)(mp->b_rptr + hdr_length +
- TCP_PORTS_OFFSET);
- ip_fanout_tcp_v6(q, first_mp, ip6h, ill, ill,
- fanout_flags|IP_FF_SEND_ICMP|IP_FF_SYN_ADDIRE|
- IP_FF_IPINFO|IP6_NO_IPPOLICY|IP_FF_LOOPBACK,
- hdr_length, mctl_present, ire->ire_zoneid);
- return;
-
- case IPPROTO_UDP:
- ports = *(uint32_t *)(mp->b_rptr + hdr_length +
- UDP_PORTS_OFFSET);
- ip_fanout_udp_v6(q, first_mp, ip6h, ports, ill, ill,
- fanout_flags|IP_FF_SEND_ICMP|IP_FF_IPINFO|
- IP6_NO_IPPOLICY, mctl_present, ire->ire_zoneid);
- return;
-
- case IPPROTO_SCTP:
- {
- ports = *(uint32_t *)(mp->b_rptr + hdr_length);
- ip_fanout_sctp(first_mp, ill, (ipha_t *)ip6h, ports,
- fanout_flags|IP_FF_SEND_ICMP|IP_FF_IPINFO,
- mctl_present, IP6_NO_IPPOLICY, ire->ire_zoneid);
- return;
- }
- case IPPROTO_ICMPV6: {
- icmp6_t *icmp6;
-
- /* check for full IPv6+ICMPv6 header */
- if ((mp->b_wptr - mp->b_rptr) <
- (hdr_length + ICMP6_MINLEN)) {
- if (!pullupmsg(mp, hdr_length + ICMP6_MINLEN)) {
- ip1dbg(("ip_wput_v6: ICMP hdr pullupmsg"
- " failed\n"));
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- freemsg(first_mp);
- return;
- }
- ip6h = (ip6_t *)mp->b_rptr;
- }
- icmp6 = (icmp6_t *)((uchar_t *)ip6h + hdr_length);
-
- /* Update output mib stats */
- icmp_update_out_mib_v6(ill, icmp6);
-
- /* Check variable for testing applications */
- if (ipst->ips_ipv6_drop_inbound_icmpv6) {
- freemsg(first_mp);
- return;
- }
- /*
- * Assume that there is always at least one conn for
- * ICMPv6 (in.ndpd) i.e. don't optimize the case
- * where there is no conn.
- */
- if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst) &&
- !IS_LOOPBACK(ill)) {
- ilm_walker_t ilw;
-
- /*
- * In the multicast case, applications may have
- * joined the group from different zones, so we
- * need to deliver the packet to each of them.
- * Loop through the multicast memberships
- * structures (ilm) on the receive ill and send
- * a copy of the packet up each matching one.
- * However, we don't do this for multicasts sent
- * on the loopback interface (PHYI_LOOPBACK flag
- * set) as they must stay in the sender's zone.
- */
- ilm = ilm_walker_start(&ilw, ill);
- for (; ilm != NULL;
- ilm = ilm_walker_step(&ilw, ilm)) {
- if (!IN6_ARE_ADDR_EQUAL(
- &ilm->ilm_v6addr, &ip6h->ip6_dst))
- continue;
- if ((fanout_flags &
- IP_FF_NO_MCAST_LOOP) &&
- ilm->ilm_zoneid == ire->ire_zoneid)
- continue;
- if (!ipif_lookup_zoneid(
- ilw.ilw_walk_ill, ilm->ilm_zoneid,
- IPIF_UP, NULL))
- continue;
-
- first_mp1 = ip_copymsg(first_mp);
- if (first_mp1 == NULL)
- continue;
- icmp_inbound_v6(q, first_mp1,
- ilw.ilw_walk_ill, ill, hdr_length,
- mctl_present, IP6_NO_IPPOLICY,
- ilm->ilm_zoneid, NULL);
- }
- ilm_walker_finish(&ilw);
- } else {
- first_mp1 = ip_copymsg(first_mp);
- if (first_mp1 != NULL)
- icmp_inbound_v6(q, first_mp1, ill, ill,
- hdr_length, mctl_present,
- IP6_NO_IPPOLICY, ire->ire_zoneid,
- NULL);
- }
- }
- /* FALLTHRU */
- default: {
- /*
- * Handle protocols with which IPv6 is less intimate.
- */
- fanout_flags |= IP_FF_RAWIP|IP_FF_IPINFO;
-
- /*
- * Enable sending ICMP for "Unknown" nexthdr
- * case. i.e. where we did not FALLTHRU from
- * IPPROTO_ICMPV6 processing case above.
- */
- if (nexthdr != IPPROTO_ICMPV6)
- fanout_flags |= IP_FF_SEND_ICMP;
- /*
- * Note: There can be more than one stream bound
- * to a particular protocol. When this is the case,
- * each one gets a copy of any incoming packets.
- */
- ip_fanout_proto_v6(q, first_mp, ip6h, ill, ill, nexthdr,
- nexthdr_offset, fanout_flags|IP6_NO_IPPOLICY,
- mctl_present, ire->ire_zoneid);
- return;
- }
- }
-}
-
-/*
- * Send packet using IRE.
- * Checksumming is controlled by cksum_request:
- * -1 => normal i.e. TCP/UDP/SCTP/ICMPv6 are checksummed and nothing else.
- * 1 => Skip TCP/UDP/SCTP checksum
- * Otherwise => checksum_request contains insert offset for checksum
- *
- * Assumes that the following set of headers appear in the first
- * mblk:
- * ip6_t
- * Any extension headers
- * TCP/UDP/SCTP header (if present)
- * The routine can handle an ICMPv6 header that is not in the first mblk.
- *
- * NOTE : This function does not ire_refrele the ire passed in as the
- * argument unlike ip_wput_ire where the REFRELE is done.
- * Refer to ip_wput_ire for more on this.
- */
-static void
-ip_wput_ire_v6(queue_t *q, mblk_t *mp, ire_t *ire, int unspec_src,
- int cksum_request, conn_t *connp, int caller, int flags, zoneid_t zoneid)
-{
- ip6_t *ip6h;
- uint8_t nexthdr;
- uint16_t hdr_length;
- uint_t reachable = 0x0;
- ill_t *ill;
- mib2_ipIfStatsEntry_t *mibptr;
- mblk_t *first_mp;
- boolean_t mctl_present;
- ipsec_out_t *io;
- boolean_t conn_dontroute; /* conn value for multicast */
- boolean_t conn_multicast_loop; /* conn value for multicast */
- boolean_t multicast_forward; /* Should we forward ? */
- int max_frag;
- ip_stack_t *ipst = ire->ire_ipst;
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
-
- ill = ire_to_ill(ire);
- first_mp = mp;
- multicast_forward = B_FALSE;
-
- if (mp->b_datap->db_type != M_CTL) {
- ip6h = (ip6_t *)first_mp->b_rptr;
- } else {
- io = (ipsec_out_t *)first_mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- /*
- * Grab the zone id now because the M_CTL can be discarded by
- * ip_wput_ire_parse_ipsec_out() below.
- */
- ASSERT(zoneid == io->ipsec_out_zoneid);
- ASSERT(zoneid != ALL_ZONES);
- ip6h = (ip6_t *)first_mp->b_cont->b_rptr;
- /*
- * For the multicast case, ipsec_out carries conn_dontroute and
- * conn_multicast_loop as conn may not be available here. We
- * need this for multicast loopback and forwarding which is done
- * later in the code.
- */
- if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
- conn_dontroute = io->ipsec_out_dontroute;
- conn_multicast_loop = io->ipsec_out_multicast_loop;
- /*
- * If conn_dontroute is not set or conn_multicast_loop
- * is set, we need to do forwarding/loopback. For
- * datagrams from ip_wput_multicast, conn_dontroute is
- * set to B_TRUE and conn_multicast_loop is set to
- * B_FALSE so that we neither do forwarding nor
- * loopback.
- */
- if (!conn_dontroute || conn_multicast_loop)
- multicast_forward = B_TRUE;
- }
- }
-
- /*
- * If the sender didn't supply the hop limit and there is a default
- * unicast hop limit associated with the output interface, we use
- * that if the packet is unicast. Interface specific unicast hop
- * limits as set via the SIOCSLIFLNKINFO ioctl.
- */
- if (ill->ill_max_hops != 0 && !(flags & IP6I_HOPLIMIT) &&
- !(IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst))) {
- ip6h->ip6_hops = ill->ill_max_hops;
- }
-
- if (ire->ire_type == IRE_LOCAL && ire->ire_zoneid != zoneid &&
- ire->ire_zoneid != ALL_ZONES) {
- /*
- * When a zone sends a packet to another zone, we try to deliver
- * the packet under the same conditions as if the destination
- * was a real node on the network. To do so, we look for a
- * matching route in the forwarding table.
- * RTF_REJECT and RTF_BLACKHOLE are handled just like
- * ip_newroute_v6() does.
- * Note that IRE_LOCAL are special, since they are used
- * when the zoneid doesn't match in some cases. This means that
- * we need to handle ipha_src differently since ire_src_addr
- * belongs to the receiving zone instead of the sending zone.
- * When ip_restrict_interzone_loopback is set, then
- * ire_cache_lookup_v6() ensures that IRE_LOCAL are only used
- * for loopback between zones when the logical "Ethernet" would
- * have looped them back.
- */
- ire_t *src_ire;
-
- src_ire = ire_ftable_lookup_v6(&ip6h->ip6_dst, 0, 0, 0,
- NULL, NULL, zoneid, 0, NULL, (MATCH_IRE_RECURSIVE |
- MATCH_IRE_DEFAULT | MATCH_IRE_RJ_BHOLE), ipst);
- if (src_ire != NULL &&
- !(src_ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE)) &&
- (!ipst->ips_ip_restrict_interzone_loopback ||
- ire_local_same_lan(ire, src_ire))) {
- if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src) &&
- !unspec_src) {
- ip6h->ip6_src = src_ire->ire_src_addr_v6;
- }
- ire_refrele(src_ire);
- } else {
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutNoRoutes);
- if (src_ire != NULL) {
- if (src_ire->ire_flags & RTF_BLACKHOLE) {
- ire_refrele(src_ire);
- freemsg(first_mp);
- return;
- }
- ire_refrele(src_ire);
- }
- if (ip_hdr_complete_v6(ip6h, zoneid, ipst)) {
- /* Failed */
- freemsg(first_mp);
- return;
- }
- icmp_unreachable_v6(q, first_mp,
- ICMP6_DST_UNREACH_NOROUTE, B_FALSE, B_FALSE,
- zoneid, ipst);
- return;
- }
- }
-
- if (mp->b_datap->db_type == M_CTL ||
- ipss->ipsec_outbound_v6_policy_present) {
- mp = ip_wput_ire_parse_ipsec_out(first_mp, NULL, ip6h, ire,
- connp, unspec_src, zoneid);
- if (mp == NULL) {
- return;
- }
- }
-
- first_mp = mp;
- if (mp->b_datap->db_type == M_CTL) {
- io = (ipsec_out_t *)mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- mp = mp->b_cont;
- mctl_present = B_TRUE;
- } else {
- mctl_present = B_FALSE;
- }
-
- ip6h = (ip6_t *)mp->b_rptr;
- nexthdr = ip6h->ip6_nxt;
- mibptr = ill->ill_ip_mib;
-
- if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src) && !unspec_src) {
- ipif_t *ipif;
-
- /*
- * Select the source address using ipif_select_source_v6.
- */
- ipif = ipif_select_source_v6(ill, &ip6h->ip6_dst, B_FALSE,
- IPV6_PREFER_SRC_DEFAULT, zoneid);
- if (ipif == NULL) {
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("ip_wput_ire_v6: no src for "
- "dst %s\n", AF_INET6, &ip6h->ip6_dst);
- printf("through interface %s\n", ill->ill_name);
- }
- freemsg(first_mp);
- return;
- }
- ip6h->ip6_src = ipif->ipif_v6src_addr;
- ipif_refrele(ipif);
- }
- if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
- if ((connp != NULL && connp->conn_multicast_loop) ||
- !IS_LOOPBACK(ill)) {
- if (ilm_lookup_ill_v6(ill, &ip6h->ip6_dst, B_FALSE,
- ALL_ZONES) != NULL) {
- mblk_t *nmp;
- int fanout_flags = 0;
-
- if (connp != NULL &&
- !connp->conn_multicast_loop) {
- fanout_flags |= IP_FF_NO_MCAST_LOOP;
- }
- ip1dbg(("ip_wput_ire_v6: "
- "Loopback multicast\n"));
- nmp = ip_copymsg(first_mp);
- if (nmp != NULL) {
- ip6_t *nip6h;
- mblk_t *mp_ip6h;
-
- if (mctl_present) {
- nip6h = (ip6_t *)
- nmp->b_cont->b_rptr;
- mp_ip6h = nmp->b_cont;
- } else {
- nip6h = (ip6_t *)nmp->b_rptr;
- mp_ip6h = nmp;
- }
-
- DTRACE_PROBE4(
- ip6__loopback__out__start,
- ill_t *, NULL,
- ill_t *, ill,
- ip6_t *, nip6h,
- mblk_t *, nmp);
-
- FW_HOOKS6(
- ipst->ips_ip6_loopback_out_event,
- ipst->ips_ipv6firewall_loopback_out,
- NULL, ill, nip6h, nmp, mp_ip6h,
- 0, ipst);
-
- DTRACE_PROBE1(
- ip6__loopback__out__end,
- mblk_t *, nmp);
-
- /*
- * DTrace this as ip:::send. A blocked
- * packet will fire the send probe, but
- * not the receive probe.
- */
- DTRACE_IP7(send, mblk_t *, nmp,
- conn_t *, NULL, void_ip_t *, nip6h,
- __dtrace_ipsr_ill_t *, ill,
- ipha_t *, NULL, ip6_t *, nip6h,
- int, 1);
-
- if (nmp != NULL) {
- /*
- * Deliver locally and to
- * every local zone, except
- * the sending zone when
- * IPV6_MULTICAST_LOOP is
- * disabled.
- */
- ip_wput_local_v6(RD(q), ill,
- nip6h, nmp, ire,
- fanout_flags, zoneid);
- }
- } else {
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- ip1dbg(("ip_wput_ire_v6: "
- "copymsg failed\n"));
- }
- }
- }
- if (ip6h->ip6_hops == 0 ||
- IN6_IS_ADDR_MC_NODELOCAL(&ip6h->ip6_dst) ||
- IS_LOOPBACK(ill)) {
- /*
- * Local multicast or just loopback on loopback
- * interface.
- */
- BUMP_MIB(mibptr, ipIfStatsHCOutMcastPkts);
- UPDATE_MIB(mibptr, ipIfStatsHCOutMcastOctets,
- ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN);
- ip1dbg(("ip_wput_ire_v6: local multicast only\n"));
- freemsg(first_mp);
- return;
- }
- }
-
- if (ire->ire_stq != NULL) {
- uint32_t sum;
- uint_t ill_index = ((ill_t *)ire->ire_stq->q_ptr)->
- ill_phyint->phyint_ifindex;
- queue_t *dev_q = ire->ire_stq->q_next;
-
- /*
- * non-NULL send-to queue - packet is to be sent
- * out an interface.
- */
-
- /* Driver is flow-controlling? */
- if (!IP_FLOW_CONTROLLED_ULP(nexthdr) &&
- DEV_Q_FLOW_BLOCKED(dev_q)) {
- /*
- * Queue packet if we have an conn to give back
- * pressure. We can't queue packets intended for
- * hardware acceleration since we've tossed that
- * state already. If the packet is being fed back
- * from ire_send_v6, we don't know the position in
- * the queue to enqueue the packet and we discard
- * the packet.
- */
- if (ipst->ips_ip_output_queue && connp != NULL &&
- !mctl_present && caller != IRE_SEND) {
- if (caller == IP_WSRV) {
- idl_tx_list_t *idl_txl;
-
- idl_txl = &ipst->ips_idl_tx_list[0];
- connp->conn_did_putbq = 1;
- (void) putbq(connp->conn_wq, mp);
- conn_drain_insert(connp, idl_txl);
- /*
- * caller == IP_WSRV implies we are
- * the service thread, and the
- * queue is already noenabled.
- * The check for canput and
- * the putbq is not atomic.
- * So we need to check again.
- */
- if (canput(dev_q))
- connp->conn_did_putbq = 0;
- } else {
- (void) putq(connp->conn_wq, mp);
- }
- return;
- }
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- freemsg(first_mp);
- return;
- }
-
- /*
- * Look for reachability confirmations from the transport.
- */
- if (ip6h->ip6_vcf & IP_FORWARD_PROG) {
- reachable |= IPV6_REACHABILITY_CONFIRMATION;
- ip6h->ip6_vcf &= ~IP_FORWARD_PROG;
- if (mctl_present)
- io->ipsec_out_reachable = B_TRUE;
- }
- /* Fastpath */
- switch (nexthdr) {
- case IPPROTO_TCP:
- case IPPROTO_UDP:
- case IPPROTO_ICMPV6:
- case IPPROTO_SCTP:
- hdr_length = IPV6_HDR_LEN;
- break;
- default: {
- uint8_t *nexthdrp;
-
- if (!ip_hdr_length_nexthdr_v6(mp, ip6h,
- &hdr_length, &nexthdrp)) {
- /* Malformed packet */
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- freemsg(first_mp);
- return;
- }
- nexthdr = *nexthdrp;
- break;
- }
- }
-
- if (cksum_request != -1 && nexthdr != IPPROTO_ICMPV6) {
- uint16_t *up;
- uint16_t *insp;
-
- /*
- * The packet header is processed once for all, even
- * in the multirouting case. We disable hardware
- * checksum if the packet is multirouted, as it will be
- * replicated via several interfaces, and not all of
- * them may have this capability.
- */
- if (cksum_request == 1 &&
- !(ire->ire_flags & RTF_MULTIRT)) {
- /* Skip the transport checksum */
- goto cksum_done;
- }
- /*
- * Do user-configured raw checksum.
- * Compute checksum and insert at offset "cksum_request"
- */
-
- /* check for enough headers for checksum */
- cksum_request += hdr_length; /* offset from rptr */
- if ((mp->b_wptr - mp->b_rptr) <
- (cksum_request + sizeof (int16_t))) {
- if (!pullupmsg(mp,
- cksum_request + sizeof (int16_t))) {
- ip1dbg(("ip_wput_v6: ICMP hdr pullupmsg"
- " failed\n"));
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- freemsg(first_mp);
- return;
- }
- ip6h = (ip6_t *)mp->b_rptr;
- }
- insp = (uint16_t *)((uchar_t *)ip6h + cksum_request);
- ASSERT(((uintptr_t)insp & 0x1) == 0);
- up = (uint16_t *)&ip6h->ip6_src;
- /*
- * icmp has placed length and routing
- * header adjustment in *insp.
- */
- sum = htons(nexthdr) +
- up[0] + up[1] + up[2] + up[3] +
- up[4] + up[5] + up[6] + up[7] +
- up[8] + up[9] + up[10] + up[11] +
- up[12] + up[13] + up[14] + up[15];
- sum = (sum & 0xffff) + (sum >> 16);
- *insp = IP_CSUM(mp, hdr_length, sum);
- } else if (nexthdr == IPPROTO_TCP) {
- uint16_t *up;
-
- /*
- * Check for full IPv6 header + enough TCP header
- * to get at the checksum field.
- */
- if ((mp->b_wptr - mp->b_rptr) <
- (hdr_length + TCP_CHECKSUM_OFFSET +
- TCP_CHECKSUM_SIZE)) {
- if (!pullupmsg(mp, hdr_length +
- TCP_CHECKSUM_OFFSET + TCP_CHECKSUM_SIZE)) {
- ip1dbg(("ip_wput_v6: TCP hdr pullupmsg"
- " failed\n"));
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- freemsg(first_mp);
- return;
- }
- ip6h = (ip6_t *)mp->b_rptr;
- }
-
- up = (uint16_t *)&ip6h->ip6_src;
- /*
- * Note: The TCP module has stored the length value
- * into the tcp checksum field, so we don't
- * need to explicitly sum it in here.
- */
- sum = up[0] + up[1] + up[2] + up[3] +
- up[4] + up[5] + up[6] + up[7] +
- up[8] + up[9] + up[10] + up[11] +
- up[12] + up[13] + up[14] + up[15];
-
- /* Fold the initial sum */
- sum = (sum & 0xffff) + (sum >> 16);
-
- up = (uint16_t *)(((uchar_t *)ip6h) +
- hdr_length + TCP_CHECKSUM_OFFSET);
-
- IP_CKSUM_XMIT(ill, ire, mp, ip6h, up, IPPROTO_TCP,
- hdr_length, ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN,
- ire->ire_max_frag, mctl_present, sum);
-
- /* Software checksum? */
- if (DB_CKSUMFLAGS(mp) == 0) {
- IP6_STAT(ipst, ip6_out_sw_cksum);
- IP6_STAT_UPDATE(ipst,
- ip6_tcp_out_sw_cksum_bytes,
- (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN) -
- hdr_length);
- }
- } else if (nexthdr == IPPROTO_UDP) {
- uint16_t *up;
-
- /*
- * check for full IPv6 header + enough UDP header
- * to get at the UDP checksum field
- */
- if ((mp->b_wptr - mp->b_rptr) < (hdr_length +
- UDP_CHECKSUM_OFFSET + UDP_CHECKSUM_SIZE)) {
- if (!pullupmsg(mp, hdr_length +
- UDP_CHECKSUM_OFFSET + UDP_CHECKSUM_SIZE)) {
- ip1dbg(("ip_wput_v6: UDP hdr pullupmsg"
- " failed\n"));
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- freemsg(first_mp);
- return;
- }
- ip6h = (ip6_t *)mp->b_rptr;
- }
- up = (uint16_t *)&ip6h->ip6_src;
- /*
- * Note: The UDP module has stored the length value
- * into the udp checksum field, so we don't
- * need to explicitly sum it in here.
- */
- sum = up[0] + up[1] + up[2] + up[3] +
- up[4] + up[5] + up[6] + up[7] +
- up[8] + up[9] + up[10] + up[11] +
- up[12] + up[13] + up[14] + up[15];
-
- /* Fold the initial sum */
- sum = (sum & 0xffff) + (sum >> 16);
-
- up = (uint16_t *)(((uchar_t *)ip6h) +
- hdr_length + UDP_CHECKSUM_OFFSET);
-
- IP_CKSUM_XMIT(ill, ire, mp, ip6h, up, IPPROTO_UDP,
- hdr_length, ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN,
- ire->ire_max_frag, mctl_present, sum);
-
- /* Software checksum? */
- if (DB_CKSUMFLAGS(mp) == 0) {
- IP6_STAT(ipst, ip6_out_sw_cksum);
- IP6_STAT_UPDATE(ipst,
- ip6_udp_out_sw_cksum_bytes,
- (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN) -
- hdr_length);
- }
- } else if (nexthdr == IPPROTO_ICMPV6) {
- uint16_t *up;
- icmp6_t *icmp6;
-
- /* check for full IPv6+ICMPv6 header */
- if ((mp->b_wptr - mp->b_rptr) <
- (hdr_length + ICMP6_MINLEN)) {
- if (!pullupmsg(mp, hdr_length + ICMP6_MINLEN)) {
- ip1dbg(("ip_wput_v6: ICMP hdr pullupmsg"
- " failed\n"));
- BUMP_MIB(mibptr, ipIfStatsOutDiscards);
- freemsg(first_mp);
- return;
- }
- ip6h = (ip6_t *)mp->b_rptr;
- }
- icmp6 = (icmp6_t *)((uchar_t *)ip6h + hdr_length);
- up = (uint16_t *)&ip6h->ip6_src;
- /*
- * icmp has placed length and routing
- * header adjustment in icmp6_cksum.
- */
- sum = htons(IPPROTO_ICMPV6) +
- up[0] + up[1] + up[2] + up[3] +
- up[4] + up[5] + up[6] + up[7] +
- up[8] + up[9] + up[10] + up[11] +
- up[12] + up[13] + up[14] + up[15];
- sum = (sum & 0xffff) + (sum >> 16);
- icmp6->icmp6_cksum = IP_CSUM(mp, hdr_length, sum);
-
- /* Update output mib stats */
- icmp_update_out_mib_v6(ill, icmp6);
- } else if (nexthdr == IPPROTO_SCTP) {
- sctp_hdr_t *sctph;
-
- if (MBLKL(mp) < (hdr_length + sizeof (*sctph))) {
- if (!pullupmsg(mp, hdr_length +
- sizeof (*sctph))) {
- ip1dbg(("ip_wput_v6: SCTP hdr pullupmsg"
- " failed\n"));
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsOutDiscards);
- freemsg(mp);
- return;
- }
- ip6h = (ip6_t *)mp->b_rptr;
- }
- sctph = (sctp_hdr_t *)(mp->b_rptr + hdr_length);
- sctph->sh_chksum = 0;
- sctph->sh_chksum = sctp_cksum(mp, hdr_length);
- }
-
- cksum_done:
- /*
- * We force the insertion of a fragment header using the
- * IPH_FRAG_HDR flag in two cases:
- * - after reception of an ICMPv6 "packet too big" message
- * with a MTU < 1280 (cf. RFC 2460 section 5)
- * - for multirouted IPv6 packets, so that the receiver can
- * discard duplicates according to their fragment identifier
- *
- * Two flags modifed from the API can modify this behavior.
- * The first is IPV6_USE_MIN_MTU. With this API the user
- * can specify how to manage PMTUD for unicast and multicast.
- *
- * IPV6_DONTFRAG disallows fragmentation.
- */
- max_frag = ire->ire_max_frag;
- switch (IP6I_USE_MIN_MTU_API(flags)) {
- case IPV6_USE_MIN_MTU_DEFAULT:
- case IPV6_USE_MIN_MTU_UNICAST:
- if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
- max_frag = IPV6_MIN_MTU;
- }
- break;
-
- case IPV6_USE_MIN_MTU_NEVER:
- max_frag = IPV6_MIN_MTU;
- break;
- }
- if (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN > max_frag ||
- (ire->ire_frag_flag & IPH_FRAG_HDR)) {
- if (connp != NULL && (flags & IP6I_DONTFRAG)) {
- icmp_pkt2big_v6(ire->ire_stq, first_mp,
- max_frag, B_FALSE, B_TRUE, zoneid, ipst);
- return;
- }
-
- if (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN !=
- (mp->b_cont ? msgdsize(mp) :
- mp->b_wptr - (uchar_t *)ip6h)) {
- ip0dbg(("Packet length mismatch: %d, %ld\n",
- ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN,
- msgdsize(mp)));
- freemsg(first_mp);
- return;
- }
- /* Do IPSEC processing first */
- if (mctl_present) {
- ipsec_out_process(q, first_mp, ire, ill_index);
- return;
- }
- ASSERT(mp->b_prev == NULL);
- ip2dbg(("Fragmenting Size = %d, mtu = %d\n",
- ntohs(ip6h->ip6_plen) +
- IPV6_HDR_LEN, max_frag));
- ASSERT(mp == first_mp);
- /* Initiate IPPF processing */
- if (IPP_ENABLED(IPP_LOCAL_OUT, ipst)) {
- ip_process(IPP_LOCAL_OUT, &mp, ill_index);
- if (mp == NULL) {
- return;
- }
- }
- ip_wput_frag_v6(mp, ire, reachable, connp,
- caller, max_frag);
- return;
- }
- /* Do IPSEC processing first */
- if (mctl_present) {
- int extra_len = ipsec_out_extra_length(first_mp);
-
- if (ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN + extra_len >
- max_frag && connp != NULL &&
- (flags & IP6I_DONTFRAG)) {
- /*
- * IPsec headers will push the packet over the
- * MTU limit. Issue an ICMPv6 Packet Too Big
- * message for this packet if the upper-layer
- * that issued this packet will be able to
- * react to the icmp_pkt2big_v6() that we'll
- * generate.
- */
- icmp_pkt2big_v6(ire->ire_stq, first_mp,
- max_frag, B_FALSE, B_TRUE, zoneid, ipst);
- return;
- }
- ipsec_out_process(q, first_mp, ire, ill_index);
- return;
- }
- /*
- * XXX multicast: add ip_mforward_v6() here.
- * Check conn_dontroute
- */
-#ifdef lint
- /*
- * XXX The only purpose of this statement is to avoid lint
- * errors. See the above "XXX multicast". When that gets
- * fixed, remove this whole #ifdef lint section.
- */
- ip3dbg(("multicast forward is %s.\n",
- (multicast_forward ? "TRUE" : "FALSE")));
-#endif
-
- UPDATE_OB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- ASSERT(mp == first_mp);
- ip_xmit_v6(mp, ire, reachable, connp, caller, NULL);
- } else {
- /*
- * DTrace this as ip:::send. A blocked packet will fire the
- * send probe, but not the receive probe.
- */
- DTRACE_IP7(send, mblk_t *, first_mp, conn_t *, NULL,
- void_ip_t *, ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *,
- NULL, ip6_t *, ip6h, int, 1);
- DTRACE_PROBE4(ip6__loopback__out__start,
- ill_t *, NULL, ill_t *, ill,
- ip6_t *, ip6h, mblk_t *, first_mp);
- FW_HOOKS6(ipst->ips_ip6_loopback_out_event,
- ipst->ips_ipv6firewall_loopback_out,
- NULL, ill, ip6h, first_mp, mp, 0, ipst);
- DTRACE_PROBE1(ip6__loopback__out__end, mblk_t *, first_mp);
- if (first_mp != NULL) {
- ip_wput_local_v6(RD(q), ill, ip6h, first_mp, ire, 0,
- zoneid);
- }
- }
-}
-
-/*
- * Outbound IPv6 fragmentation routine using MDT.
- */
-static void
-ip_wput_frag_mdt_v6(mblk_t *mp, ire_t *ire, size_t max_chunk,
- size_t unfragmentable_len, uint8_t nexthdr, uint_t prev_nexthdr_offset)
-{
- ip6_t *ip6h = (ip6_t *)mp->b_rptr;
- uint_t pkts, wroff, hdr_chunk_len, pbuf_idx;
- mblk_t *hdr_mp, *md_mp = NULL;
- int i1;
- multidata_t *mmd;
- unsigned char *hdr_ptr, *pld_ptr;
- ip_pdescinfo_t pdi;
- uint32_t ident;
- size_t len;
- uint16_t offset;
- queue_t *stq = ire->ire_stq;
- ill_t *ill = (ill_t *)stq->q_ptr;
- ip_stack_t *ipst = ill->ill_ipst;
-
- ASSERT(DB_TYPE(mp) == M_DATA);
- ASSERT(MBLKL(mp) > unfragmentable_len);
-
- /*
- * Move read ptr past unfragmentable portion, we don't want this part
- * of the data in our fragments.
- */
- mp->b_rptr += unfragmentable_len;
-
- /* Calculate how many packets we will send out */
- i1 = (mp->b_cont == NULL) ? MBLKL(mp) : msgsize(mp);
- pkts = (i1 + max_chunk - 1) / max_chunk;
- ASSERT(pkts > 1);
-
- /* Allocate a message block which will hold all the IP Headers. */
- wroff = ipst->ips_ip_wroff_extra;
- hdr_chunk_len = wroff + unfragmentable_len + sizeof (ip6_frag_t);
-
- i1 = pkts * hdr_chunk_len;
- /*
- * Create the header buffer, Multidata and destination address
- * and SAP attribute that should be associated with it.
- */
- if ((hdr_mp = allocb(i1, BPRI_HI)) == NULL ||
- ((hdr_mp->b_wptr += i1),
- (mmd = mmd_alloc(hdr_mp, &md_mp, KM_NOSLEEP)) == NULL) ||
- !ip_md_addr_attr(mmd, NULL, ire->ire_nce->nce_res_mp)) {
- freemsg(mp);
- if (md_mp == NULL) {
- freemsg(hdr_mp);
- } else {
-free_mmd: IP6_STAT(ipst, ip6_frag_mdt_discarded);
- freemsg(md_mp);
- }
- IP6_STAT(ipst, ip6_frag_mdt_allocfail);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
- return;
- }
- IP6_STAT(ipst, ip6_frag_mdt_allocd);
-
- /*
- * Add a payload buffer to the Multidata; this operation must not
- * fail, or otherwise our logic in this routine is broken. There
- * is no memory allocation done by the routine, so any returned
- * failure simply tells us that we've done something wrong.
- *
- * A failure tells us that either we're adding the same payload
- * buffer more than once, or we're trying to add more buffers than
- * allowed. None of the above cases should happen, and we panic
- * because either there's horrible heap corruption, and/or
- * programming mistake.
- */
- if ((pbuf_idx = mmd_addpldbuf(mmd, mp)) < 0) {
- goto pbuf_panic;
- }
-
- hdr_ptr = hdr_mp->b_rptr;
- pld_ptr = mp->b_rptr;
-
- pdi.flags = PDESC_HBUF_REF | PDESC_PBUF_REF;
-
- ident = htonl(atomic_add_32_nv(&ire->ire_ident, 1));
-
- /*
- * len is the total length of the fragmentable data in this
- * datagram. For each fragment sent, we will decrement len
- * by the amount of fragmentable data sent in that fragment
- * until len reaches zero.
- */
- len = ntohs(ip6h->ip6_plen) - (unfragmentable_len - IPV6_HDR_LEN);
-
- offset = 0;
- prev_nexthdr_offset += wroff;
-
- while (len != 0) {
- size_t mlen;
- ip6_t *fip6h;
- ip6_frag_t *fraghdr;
- int error;
-
- ASSERT((hdr_ptr + hdr_chunk_len) <= hdr_mp->b_wptr);
- mlen = MIN(len, max_chunk);
- len -= mlen;
-
- fip6h = (ip6_t *)(hdr_ptr + wroff);
- ASSERT(OK_32PTR(fip6h));
- bcopy(ip6h, fip6h, unfragmentable_len);
- hdr_ptr[prev_nexthdr_offset] = IPPROTO_FRAGMENT;
-
- fip6h->ip6_plen = htons((uint16_t)(mlen +
- unfragmentable_len - IPV6_HDR_LEN + sizeof (ip6_frag_t)));
-
- fraghdr = (ip6_frag_t *)((unsigned char *)fip6h +
- unfragmentable_len);
- fraghdr->ip6f_nxt = nexthdr;
- fraghdr->ip6f_reserved = 0;
- fraghdr->ip6f_offlg = htons(offset) |
- ((len != 0) ? IP6F_MORE_FRAG : 0);
- fraghdr->ip6f_ident = ident;
-
- /*
- * Record offset and size of header and data of the next packet
- * in the multidata message.
- */
- PDESC_HDR_ADD(&pdi, hdr_ptr, wroff,
- unfragmentable_len + sizeof (ip6_frag_t), 0);
- PDESC_PLD_INIT(&pdi);
- i1 = MIN(mp->b_wptr - pld_ptr, mlen);
- ASSERT(i1 > 0);
- PDESC_PLD_SPAN_ADD(&pdi, pbuf_idx, pld_ptr, i1);
- if (i1 == mlen) {
- pld_ptr += mlen;
- } else {
- i1 = mlen - i1;
- mp = mp->b_cont;
- ASSERT(mp != NULL);
- ASSERT(MBLKL(mp) >= i1);
- /*
- * Attach the next payload message block to the
- * multidata message.
- */
- if ((pbuf_idx = mmd_addpldbuf(mmd, mp)) < 0)
- goto pbuf_panic;
- PDESC_PLD_SPAN_ADD(&pdi, pbuf_idx, mp->b_rptr, i1);
- pld_ptr = mp->b_rptr + i1;
- }
-
- if ((mmd_addpdesc(mmd, (pdescinfo_t *)&pdi, &error,
- KM_NOSLEEP)) == NULL) {
- /*
- * Any failure other than ENOMEM indicates that we
- * have passed in invalid pdesc info or parameters
- * to mmd_addpdesc, which must not happen.
- *
- * EINVAL is a result of failure on boundary checks
- * against the pdesc info contents. It should not
- * happen, and we panic because either there's
- * horrible heap corruption, and/or programming
- * mistake.
- */
- if (error != ENOMEM) {
- cmn_err(CE_PANIC, "ip_wput_frag_mdt_v6: "
- "pdesc logic error detected for "
- "mmd %p pinfo %p (%d)\n",
- (void *)mmd, (void *)&pdi, error);
- /* NOTREACHED */
- }
- IP6_STAT(ipst, ip6_frag_mdt_addpdescfail);
- /* Free unattached payload message blocks as well */
- md_mp->b_cont = mp->b_cont;
- goto free_mmd;
- }
-
- /* Advance fragment offset. */
- offset += mlen;
-
- /* Advance to location for next header in the buffer. */
- hdr_ptr += hdr_chunk_len;
-
- /* Did we reach the next payload message block? */
- if (pld_ptr == mp->b_wptr && mp->b_cont != NULL) {
- mp = mp->b_cont;
- /*
- * Attach the next message block with payload
- * data to the multidata message.
- */
- if ((pbuf_idx = mmd_addpldbuf(mmd, mp)) < 0)
- goto pbuf_panic;
- pld_ptr = mp->b_rptr;
- }
- }
-
- ASSERT(hdr_mp->b_wptr == hdr_ptr);
- ASSERT(mp->b_wptr == pld_ptr);
-
- /* Update IP statistics */
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsOutFragCreates, pkts);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragOKs);
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutTransmits, pkts);
- /*
- * The ipv6 header len is accounted for in unfragmentable_len so
- * when calculating the fragmentation overhead just add the frag
- * header len.
- */
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutOctets,
- (ntohs(ip6h->ip6_plen) - (unfragmentable_len - IPV6_HDR_LEN)) +
- pkts * (unfragmentable_len + sizeof (ip6_frag_t)));
- IP6_STAT_UPDATE(ipst, ip6_frag_mdt_pkt_out, pkts);
-
- ire->ire_ob_pkt_count += pkts;
- if (ire->ire_ipif != NULL)
- atomic_add_32(&ire->ire_ipif->ipif_ob_pkt_count, pkts);
-
- ire->ire_last_used_time = lbolt;
- /* Send it down */
- putnext(stq, md_mp);
- return;
-
-pbuf_panic:
- cmn_err(CE_PANIC, "ip_wput_frag_mdt_v6: payload buffer logic "
- "error for mmd %p pbuf %p (%d)", (void *)mmd, (void *)mp,
- pbuf_idx);
- /* NOTREACHED */
-}
-
-/*
* IPv6 fragmentation. Essentially the same as IPv4 fragmentation.
* We have not optimized this in terms of number of mblks
* allocated. For instance, for each fragment sent we always allocate a
* mblk to hold the IPv6 header and fragment header.
*
- * Assumes that all the extension headers are contained in the first mblk.
- *
- * The fragment header is inserted after an hop-by-hop options header
- * and after [an optional destinations header followed by] a routing header.
- *
- * NOTE : This function does not ire_refrele the ire passed in as
- * the argument.
+ * Assumes that all the extension headers are contained in the first mblk
+ * and that the fragment header has has already been added by calling
+ * ip_fraghdr_add_v6.
*/
-void
-ip_wput_frag_v6(mblk_t *mp, ire_t *ire, uint_t reachable, conn_t *connp,
- int caller, int max_frag)
+int
+ip_fragment_v6(mblk_t *mp, nce_t *nce, iaflags_t ixaflags, uint_t pkt_len,
+ uint32_t max_frag, uint32_t xmit_hint, zoneid_t szone, zoneid_t nolzid,
+ pfirepostfrag_t postfragfn, uintptr_t *ixa_cookie)
{
ip6_t *ip6h = (ip6_t *)mp->b_rptr;
ip6_t *fip6h;
@@ -11337,27 +4102,31 @@ ip_wput_frag_v6(mblk_t *mp, ire_t *ire, uint_t reachable, conn_t *connp,
mblk_t *dmp;
ip6_frag_t *fraghdr;
size_t unfragmentable_len;
- size_t len;
size_t mlen;
size_t max_chunk;
- uint32_t ident;
uint16_t off_flags;
uint16_t offset = 0;
- ill_t *ill;
+ ill_t *ill = nce->nce_ill;
uint8_t nexthdr;
- uint_t prev_nexthdr_offset;
uint8_t *ptr;
- ip_stack_t *ipst = ire->ire_ipst;
-
- ASSERT(ire->ire_type == IRE_CACHE);
- ill = (ill_t *)ire->ire_stq->q_ptr;
+ ip_stack_t *ipst = ill->ill_ipst;
+ uint_t priority = mp->b_band;
+ int error = 0;
- if (max_frag <= 0) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragReqds);
+ if (max_frag == 0) {
BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
+ ip_drop_output("FragFails: zero max_frag", mp, ill);
freemsg(mp);
- return;
+ return (EINVAL);
}
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragReqds);
+
+ /*
+ * Caller should have added fraghdr_t to pkt_len, and also
+ * updated ip6_plen.
+ */
+ ASSERT(ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN == pkt_len);
+ ASSERT(msgdsize(mp) == pkt_len);
/*
* Determine the length of the unfragmentable portion of this
@@ -11366,7 +4135,6 @@ ip_wput_frag_v6(mblk_t *mp, ire_t *ire, uint_t reachable, conn_t *connp,
* destination options header, and a potential routing header.
*/
nexthdr = ip6h->ip6_nxt;
- prev_nexthdr_offset = (uint8_t *)&ip6h->ip6_nxt - (uint8_t *)ip6h;
ptr = (uint8_t *)&ip6h[1];
if (nexthdr == IPPROTO_HOPOPTS) {
@@ -11376,8 +4144,6 @@ ip_wput_frag_v6(mblk_t *mp, ire_t *ire, uint_t reachable, conn_t *connp,
hbh_hdr = (ip6_hbh_t *)ptr;
hdr_len = 8 * (hbh_hdr->ip6h_len + 1);
nexthdr = hbh_hdr->ip6h_nxt;
- prev_nexthdr_offset = (uint8_t *)&hbh_hdr->ip6h_nxt
- - (uint8_t *)ip6h;
ptr += hdr_len;
}
if (nexthdr == IPPROTO_DSTOPTS) {
@@ -11388,8 +4154,6 @@ ip_wput_frag_v6(mblk_t *mp, ire_t *ire, uint_t reachable, conn_t *connp,
if (dest_hdr->ip6d_nxt == IPPROTO_ROUTING) {
hdr_len = 8 * (dest_hdr->ip6d_len + 1);
nexthdr = dest_hdr->ip6d_nxt;
- prev_nexthdr_offset = (uint8_t *)&dest_hdr->ip6d_nxt
- - (uint8_t *)ip6h;
ptr += hdr_len;
}
}
@@ -11399,82 +4163,73 @@ ip_wput_frag_v6(mblk_t *mp, ire_t *ire, uint_t reachable, conn_t *connp,
rthdr = (ip6_rthdr_t *)ptr;
nexthdr = rthdr->ip6r_nxt;
- prev_nexthdr_offset = (uint8_t *)&rthdr->ip6r_nxt
- - (uint8_t *)ip6h;
hdr_len = 8 * (rthdr->ip6r_len + 1);
ptr += hdr_len;
}
+ if (nexthdr != IPPROTO_FRAGMENT) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
+ ip_drop_output("FragFails: bad nexthdr", mp, ill);
+ freemsg(mp);
+ return (EINVAL);
+ }
unfragmentable_len = (uint_t)(ptr - (uint8_t *)ip6h);
+ unfragmentable_len += sizeof (ip6_frag_t);
- max_chunk = (min(max_frag, ire->ire_max_frag) - unfragmentable_len -
- sizeof (ip6_frag_t)) & ~7;
-
- /* Check if we can use MDT to send out the frags. */
- ASSERT(!IRE_IS_LOCAL(ire));
- if (ipst->ips_ip_multidata_outbound && reachable == 0 &&
- !(ire->ire_flags & RTF_MULTIRT) && ILL_MDT_CAPABLE(ill) &&
- IP_CAN_FRAG_MDT(mp, unfragmentable_len, max_chunk)) {
- ip_wput_frag_mdt_v6(mp, ire, max_chunk, unfragmentable_len,
- nexthdr, prev_nexthdr_offset);
- return;
- }
+ max_chunk = (max_frag - unfragmentable_len) & ~7;
/*
* Allocate an mblk with enough room for the link-layer
- * header, the unfragmentable part of the datagram, and the
- * fragment header. This (or a copy) will be used as the
+ * header and the unfragmentable part of the datagram, which includes
+ * the fragment header. This (or a copy) will be used as the
* first mblk for each fragment we send.
*/
- hmp = allocb_tmpl(unfragmentable_len + sizeof (ip6_frag_t) +
- ipst->ips_ip_wroff_extra, mp);
+ hmp = allocb_tmpl(unfragmentable_len + ipst->ips_ip_wroff_extra, mp);
if (hmp == NULL) {
BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
+ ip_drop_output("FragFails: no hmp", mp, ill);
freemsg(mp);
- return;
+ return (ENOBUFS);
}
hmp->b_rptr += ipst->ips_ip_wroff_extra;
- hmp->b_wptr = hmp->b_rptr + unfragmentable_len + sizeof (ip6_frag_t);
+ hmp->b_wptr = hmp->b_rptr + unfragmentable_len;
fip6h = (ip6_t *)hmp->b_rptr;
- fraghdr = (ip6_frag_t *)(hmp->b_rptr + unfragmentable_len);
-
bcopy(ip6h, fip6h, unfragmentable_len);
- hmp->b_rptr[prev_nexthdr_offset] = IPPROTO_FRAGMENT;
-
- ident = atomic_add_32_nv(&ire->ire_ident, 1);
-
- fraghdr->ip6f_nxt = nexthdr;
- fraghdr->ip6f_reserved = 0;
- fraghdr->ip6f_offlg = 0;
- fraghdr->ip6f_ident = htonl(ident);
/*
- * len is the total length of the fragmentable data in this
- * datagram. For each fragment sent, we will decrement len
+ * pkt_len is set to the total length of the fragmentable data in this
+ * datagram. For each fragment sent, we will decrement pkt_len
* by the amount of fragmentable data sent in that fragment
* until len reaches zero.
*/
- len = ntohs(ip6h->ip6_plen) - (unfragmentable_len - IPV6_HDR_LEN);
+ pkt_len -= unfragmentable_len;
/*
* Move read ptr past unfragmentable portion, we don't want this part
* of the data in our fragments.
*/
mp->b_rptr += unfragmentable_len;
+ if (mp->b_rptr == mp->b_wptr) {
+ mblk_t *mp1 = mp->b_cont;
+ freeb(mp);
+ mp = mp1;
+ }
- while (len != 0) {
- mlen = MIN(len, max_chunk);
- len -= mlen;
- if (len != 0) {
+ while (pkt_len != 0) {
+ mlen = MIN(pkt_len, max_chunk);
+ pkt_len -= mlen;
+ if (pkt_len != 0) {
/* Not last */
hmp0 = copyb(hmp);
if (hmp0 == NULL) {
- freeb(hmp);
- freemsg(mp);
BUMP_MIB(ill->ill_ip_mib,
ipIfStatsOutFragFails);
- ip1dbg(("ip_wput_frag_v6: copyb failed\n"));
- return;
+ ip_drop_output("FragFails: copyb failed",
+ mp, ill);
+ freeb(hmp);
+ freemsg(mp);
+ ip1dbg(("ip_fragment_v6: copyb failed\n"));
+ return (ENOBUFS);
}
off_flags = IP6F_MORE_FRAG;
} else {
@@ -11484,10 +4239,11 @@ ip_wput_frag_v6(mblk_t *mp, ire_t *ire, uint_t reachable, conn_t *connp,
off_flags = 0;
}
fip6h = (ip6_t *)(hmp0->b_rptr);
- fraghdr = (ip6_frag_t *)(hmp0->b_rptr + unfragmentable_len);
+ fraghdr = (ip6_frag_t *)(hmp0->b_rptr + unfragmentable_len -
+ sizeof (ip6_frag_t));
fip6h->ip6_plen = htons((uint16_t)(mlen +
- unfragmentable_len - IPV6_HDR_LEN + sizeof (ip6_frag_t)));
+ unfragmentable_len - IPV6_HDR_LEN));
/*
* Note: Optimization alert.
* In IPv6 (and IPv4) protocol header, Fragment Offset
@@ -11504,654 +4260,197 @@ ip_wput_frag_v6(mblk_t *mp, ire_t *ire, uint_t reachable, conn_t *connp,
if (!(dmp = ip_carve_mp(&mp, mlen))) {
/* mp has already been freed by ip_carve_mp() */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
+ ip_drop_output("FragFails: could not carve mp",
+ hmp0, ill);
if (hmp != NULL)
freeb(hmp);
freeb(hmp0);
ip1dbg(("ip_carve_mp: failed\n"));
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
- return;
+ return (ENOBUFS);
}
hmp0->b_cont = dmp;
/* Get the priority marking, if any */
- hmp0->b_band = dmp->b_band;
- UPDATE_OB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- ip_xmit_v6(hmp0, ire, reachable | IP6_NO_IPPOLICY, connp,
- caller, NULL);
- reachable = 0; /* No need to redo state machine in loop */
+ hmp0->b_band = priority;
+
BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragCreates);
+
+ error = postfragfn(hmp0, nce, ixaflags,
+ mlen + unfragmentable_len, xmit_hint, szone, nolzid,
+ ixa_cookie);
+ if (error != 0 && error != EWOULDBLOCK && hmp != NULL) {
+ /* No point in sending the other fragments */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragFails);
+ ip_drop_output("FragFails: postfragfn failed",
+ hmp, ill);
+ freeb(hmp);
+ freemsg(mp);
+ return (error);
+ }
+ /* No need to redo state machine in loop */
+ ixaflags &= ~IXAF_REACH_CONF;
+
offset += mlen;
}
BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutFragOKs);
+ return (error);
}
/*
- * Determine if the ill and multicast aspects of that packets
- * "matches" the conn.
+ * Add a fragment header to an IPv6 packet.
+ * Assumes that all the extension headers are contained in the first mblk.
+ *
+ * The fragment header is inserted after an hop-by-hop options header
+ * and after [an optional destinations header followed by] a routing header.
*/
-boolean_t
-conn_wantpacket_v6(conn_t *connp, ill_t *ill, ip6_t *ip6h, int fanout_flags,
- zoneid_t zoneid)
+mblk_t *
+ip_fraghdr_add_v6(mblk_t *mp, uint32_t ident, ip_xmit_attr_t *ixa)
{
- ill_t *bound_ill;
- boolean_t wantpacket;
- in6_addr_t *v6dst_ptr = &ip6h->ip6_dst;
- in6_addr_t *v6src_ptr = &ip6h->ip6_src;
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+ ip6_t *fip6h;
+ mblk_t *hmp;
+ ip6_frag_t *fraghdr;
+ size_t unfragmentable_len;
+ uint8_t nexthdr;
+ uint_t prev_nexthdr_offset;
+ uint8_t *ptr;
+ uint_t priority = mp->b_band;
+ ip_stack_t *ipst = ixa->ixa_ipst;
/*
- * conn_incoming_ill is set by IPV6_BOUND_IF which limits
- * unicast and multicast reception to conn_incoming_ill.
- * conn_wantpacket_v6 is called both for unicast and
- * multicast.
+ * Determine the length of the unfragmentable portion of this
+ * datagram. This consists of the IPv6 header, a potential
+ * hop-by-hop options header, a potential pre-routing-header
+ * destination options header, and a potential routing header.
*/
- bound_ill = connp->conn_incoming_ill;
- if (bound_ill != NULL) {
- if (IS_IPMP(bound_ill)) {
- if (bound_ill->ill_grp != ill->ill_grp)
- return (B_FALSE);
- } else {
- if (bound_ill != ill)
- return (B_FALSE);
- }
- }
+ nexthdr = ip6h->ip6_nxt;
+ prev_nexthdr_offset = (uint8_t *)&ip6h->ip6_nxt - (uint8_t *)ip6h;
+ ptr = (uint8_t *)&ip6h[1];
- if (connp->conn_multi_router)
- return (B_TRUE);
+ if (nexthdr == IPPROTO_HOPOPTS) {
+ ip6_hbh_t *hbh_hdr;
+ uint_t hdr_len;
- if (!IN6_IS_ADDR_MULTICAST(v6dst_ptr) &&
- !IN6_IS_ADDR_V4MAPPED_CLASSD(v6dst_ptr)) {
- /*
- * Unicast case: we match the conn only if it's in the specified
- * zone.
- */
- return (IPCL_ZONE_MATCH(connp, zoneid));
+ hbh_hdr = (ip6_hbh_t *)ptr;
+ hdr_len = 8 * (hbh_hdr->ip6h_len + 1);
+ nexthdr = hbh_hdr->ip6h_nxt;
+ prev_nexthdr_offset = (uint8_t *)&hbh_hdr->ip6h_nxt
+ - (uint8_t *)ip6h;
+ ptr += hdr_len;
}
+ if (nexthdr == IPPROTO_DSTOPTS) {
+ ip6_dest_t *dest_hdr;
+ uint_t hdr_len;
- if ((fanout_flags & IP_FF_NO_MCAST_LOOP) &&
- (connp->conn_zoneid == zoneid || zoneid == ALL_ZONES)) {
- /*
- * Loopback case: the sending endpoint has IP_MULTICAST_LOOP
- * disabled, therefore we don't dispatch the multicast packet to
- * the sending zone.
- */
- return (B_FALSE);
+ dest_hdr = (ip6_dest_t *)ptr;
+ if (dest_hdr->ip6d_nxt == IPPROTO_ROUTING) {
+ hdr_len = 8 * (dest_hdr->ip6d_len + 1);
+ nexthdr = dest_hdr->ip6d_nxt;
+ prev_nexthdr_offset = (uint8_t *)&dest_hdr->ip6d_nxt
+ - (uint8_t *)ip6h;
+ ptr += hdr_len;
+ }
}
+ if (nexthdr == IPPROTO_ROUTING) {
+ ip6_rthdr_t *rthdr;
+ uint_t hdr_len;
- if (IS_LOOPBACK(ill) && connp->conn_zoneid != zoneid &&
- zoneid != ALL_ZONES) {
- /*
- * Multicast packet on the loopback interface: we only match
- * conns who joined the group in the specified zone.
- */
- return (B_FALSE);
+ rthdr = (ip6_rthdr_t *)ptr;
+ nexthdr = rthdr->ip6r_nxt;
+ prev_nexthdr_offset = (uint8_t *)&rthdr->ip6r_nxt
+ - (uint8_t *)ip6h;
+ hdr_len = 8 * (rthdr->ip6r_len + 1);
+ ptr += hdr_len;
}
+ unfragmentable_len = (uint_t)(ptr - (uint8_t *)ip6h);
- mutex_enter(&connp->conn_lock);
- wantpacket =
- ilg_lookup_ill_withsrc_v6(connp, v6dst_ptr, v6src_ptr, ill) != NULL;
- mutex_exit(&connp->conn_lock);
-
- return (wantpacket);
-}
-
-
-/*
- * Transmit a packet and update any NUD state based on the flags
- * XXX need to "recover" any ip6i_t when doing putq!
- *
- * NOTE : This function does not ire_refrele the ire passed in as the
- * argument.
- */
-void
-ip_xmit_v6(mblk_t *mp, ire_t *ire, uint_t flags, conn_t *connp,
- int caller, ipsec_out_t *io)
-{
- mblk_t *mp1;
- nce_t *nce = ire->ire_nce;
- ill_t *ill;
- ill_t *out_ill;
- uint64_t delta;
- ip6_t *ip6h;
- queue_t *stq = ire->ire_stq;
- ire_t *ire1 = NULL;
- ire_t *save_ire = ire;
- boolean_t multirt_send = B_FALSE;
- mblk_t *next_mp = NULL;
- ip_stack_t *ipst = ire->ire_ipst;
- boolean_t fp_prepend = B_FALSE;
- uint32_t hlen;
+ /*
+ * Allocate an mblk with enough room for the link-layer
+ * header, the unfragmentable part of the datagram, and the
+ * fragment header.
+ */
+ hmp = allocb_tmpl(unfragmentable_len + sizeof (ip6_frag_t) +
+ ipst->ips_ip_wroff_extra, mp);
+ if (hmp == NULL) {
+ ill_t *ill = ixa->ixa_nce->nce_ill;
- ip6h = (ip6_t *)mp->b_rptr;
- ASSERT(!IN6_IS_ADDR_V4MAPPED(&ire->ire_addr_v6));
- ASSERT(ire->ire_ipversion == IPV6_VERSION);
- ASSERT(nce != NULL);
- ASSERT(mp->b_datap->db_type == M_DATA);
- ASSERT(stq != NULL);
-
- ill = ire_to_ill(ire);
- if (!ill) {
- ip0dbg(("ip_xmit_v6: ire_to_ill failed\n"));
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards: allocb failure", mp, ill);
freemsg(mp);
- return;
+ return (NULL);
}
+ hmp->b_rptr += ipst->ips_ip_wroff_extra;
+ hmp->b_wptr = hmp->b_rptr + unfragmentable_len + sizeof (ip6_frag_t);
- /* Flow-control check has been done in ip_wput_ire_v6 */
- if (IP_FLOW_CONTROLLED_ULP(ip6h->ip6_nxt) || caller == IP_WPUT ||
- caller == IP_WSRV || canput(stq->q_next)) {
- uint32_t ill_index;
-
- /*
- * In most cases, the emission loop below is entered only
- * once. Only in the case where the ire holds the
- * RTF_MULTIRT flag, do we loop to process all RTF_MULTIRT
- * flagged ires in the bucket, and send the packet
- * through all crossed RTF_MULTIRT routes.
- */
- if (ire->ire_flags & RTF_MULTIRT) {
- /*
- * Multirouting case. The bucket where ire is stored
- * probably holds other RTF_MULTIRT flagged ires
- * to the destination. In this call to ip_xmit_v6,
- * we attempt to send the packet through all
- * those ires. Thus, we first ensure that ire is the
- * first RTF_MULTIRT ire in the bucket,
- * before walking the ire list.
- */
- ire_t *first_ire;
- irb_t *irb = ire->ire_bucket;
- ASSERT(irb != NULL);
- multirt_send = B_TRUE;
-
- /* Make sure we do not omit any multiroute ire. */
- IRB_REFHOLD(irb);
- for (first_ire = irb->irb_ire;
- first_ire != NULL;
- first_ire = first_ire->ire_next) {
- if ((first_ire->ire_flags & RTF_MULTIRT) &&
- (IN6_ARE_ADDR_EQUAL(&first_ire->ire_addr_v6,
- &ire->ire_addr_v6)) &&
- !(first_ire->ire_marks &
- (IRE_MARK_CONDEMNED | IRE_MARK_TESTHIDDEN)))
- break;
- }
-
- if ((first_ire != NULL) && (first_ire != ire)) {
- IRE_REFHOLD(first_ire);
- /* ire will be released by the caller */
- ire = first_ire;
- nce = ire->ire_nce;
- stq = ire->ire_stq;
- ill = ire_to_ill(ire);
- }
- IRB_REFRELE(irb);
- } else if (connp != NULL && IPCL_IS_TCP(connp) &&
- connp->conn_mdt_ok && !connp->conn_tcp->tcp_mdt &&
- ILL_MDT_USABLE(ill)) {
- /*
- * This tcp connection was marked as MDT-capable, but
- * it has been turned off due changes in the interface.
- * Now that the interface support is back, turn it on
- * by notifying tcp. We don't directly modify tcp_mdt,
- * since we leave all the details to the tcp code that
- * knows better.
- */
- mblk_t *mdimp = ip_mdinfo_alloc(ill->ill_mdt_capab);
-
- if (mdimp == NULL) {
- ip0dbg(("ip_xmit_v6: can't re-enable MDT for "
- "connp %p (ENOMEM)\n", (void *)connp));
- } else {
- CONN_INC_REF(connp);
- SQUEUE_ENTER_ONE(connp->conn_sqp, mdimp,
- tcp_input, connp, SQ_FILL,
- SQTAG_TCP_INPUT_MCTL);
- }
- }
-
- do {
- mblk_t *mp_ip6h;
-
- if (multirt_send) {
- irb_t *irb;
- /*
- * We are in a multiple send case, need to get
- * the next ire and make a duplicate of the
- * packet. ire1 holds here the next ire to
- * process in the bucket. If multirouting is
- * expected, any non-RTF_MULTIRT ire that has
- * the right destination address is ignored.
- */
- irb = ire->ire_bucket;
- ASSERT(irb != NULL);
-
- IRB_REFHOLD(irb);
- for (ire1 = ire->ire_next;
- ire1 != NULL;
- ire1 = ire1->ire_next) {
- if (!(ire1->ire_flags & RTF_MULTIRT))
- continue;
- if (!IN6_ARE_ADDR_EQUAL(
- &ire1->ire_addr_v6,
- &ire->ire_addr_v6))
- continue;
- if (ire1->ire_marks &
- IRE_MARK_CONDEMNED)
- continue;
-
- /* Got one */
- if (ire1 != save_ire) {
- IRE_REFHOLD(ire1);
- }
- break;
- }
- IRB_REFRELE(irb);
-
- if (ire1 != NULL) {
- next_mp = copyb(mp);
- if ((next_mp == NULL) ||
- ((mp->b_cont != NULL) &&
- ((next_mp->b_cont =
- dupmsg(mp->b_cont)) == NULL))) {
- freemsg(next_mp);
- next_mp = NULL;
- ire_refrele(ire1);
- ire1 = NULL;
- }
- }
-
- /* Last multiroute ire; don't loop anymore. */
- if (ire1 == NULL) {
- multirt_send = B_FALSE;
- }
- }
-
- ill_index =
- ((ill_t *)stq->q_ptr)->ill_phyint->phyint_ifindex;
-
- /* Initiate IPPF processing */
- if (IP6_OUT_IPP(flags, ipst)) {
- ip_process(IPP_LOCAL_OUT, &mp, ill_index);
- if (mp == NULL) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsOutDiscards);
- if (next_mp != NULL)
- freemsg(next_mp);
- if (ire != save_ire) {
- ire_refrele(ire);
- }
- return;
- }
- ip6h = (ip6_t *)mp->b_rptr;
- }
- mp_ip6h = mp;
-
- /*
- * Check for fastpath, we need to hold nce_lock to
- * prevent fastpath update from chaining nce_fp_mp.
- */
-
- ASSERT(nce->nce_ipversion != IPV4_VERSION);
- mutex_enter(&nce->nce_lock);
- if ((mp1 = nce->nce_fp_mp) != NULL) {
- uchar_t *rptr;
-
- hlen = MBLKL(mp1);
- rptr = mp->b_rptr - hlen;
- /*
- * make sure there is room for the fastpath
- * datalink header
- */
- if (rptr < mp->b_datap->db_base) {
- mp1 = copyb(mp1);
- mutex_exit(&nce->nce_lock);
- if (mp1 == NULL) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsOutDiscards);
- freemsg(mp);
- if (next_mp != NULL)
- freemsg(next_mp);
- if (ire != save_ire) {
- ire_refrele(ire);
- }
- return;
- }
- mp1->b_cont = mp;
-
- /* Get the priority marking, if any */
- mp1->b_band = mp->b_band;
- mp = mp1;
- } else {
- mp->b_rptr = rptr;
- /*
- * fastpath - pre-pend datalink
- * header
- */
- bcopy(mp1->b_rptr, rptr, hlen);
- mutex_exit(&nce->nce_lock);
- fp_prepend = B_TRUE;
- }
- } else {
- /*
- * Get the DL_UNITDATA_REQ.
- */
- mp1 = nce->nce_res_mp;
- if (mp1 == NULL) {
- mutex_exit(&nce->nce_lock);
- ip1dbg(("ip_xmit_v6: No resolution "
- "block ire = %p\n", (void *)ire));
- freemsg(mp);
- if (next_mp != NULL)
- freemsg(next_mp);
- if (ire != save_ire) {
- ire_refrele(ire);
- }
- return;
- }
- /*
- * Prepend the DL_UNITDATA_REQ.
- */
- mp1 = copyb(mp1);
- mutex_exit(&nce->nce_lock);
- if (mp1 == NULL) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsOutDiscards);
- freemsg(mp);
- if (next_mp != NULL)
- freemsg(next_mp);
- if (ire != save_ire) {
- ire_refrele(ire);
- }
- return;
- }
- mp1->b_cont = mp;
-
- /* Get the priority marking, if any */
- mp1->b_band = mp->b_band;
- mp = mp1;
- }
-
- out_ill = (ill_t *)stq->q_ptr;
-
- DTRACE_PROBE4(ip6__physical__out__start,
- ill_t *, NULL, ill_t *, out_ill,
- ip6_t *, ip6h, mblk_t *, mp);
+ fip6h = (ip6_t *)hmp->b_rptr;
+ fraghdr = (ip6_frag_t *)(hmp->b_rptr + unfragmentable_len);
- FW_HOOKS6(ipst->ips_ip6_physical_out_event,
- ipst->ips_ipv6firewall_physical_out,
- NULL, out_ill, ip6h, mp, mp_ip6h, 0, ipst);
+ bcopy(ip6h, fip6h, unfragmentable_len);
+ fip6h->ip6_plen = htons(ntohs(fip6h->ip6_plen) + sizeof (ip6_frag_t));
+ hmp->b_rptr[prev_nexthdr_offset] = IPPROTO_FRAGMENT;
- DTRACE_PROBE1(ip6__physical__out__end, mblk_t *, mp);
+ fraghdr->ip6f_nxt = nexthdr;
+ fraghdr->ip6f_reserved = 0;
+ fraghdr->ip6f_offlg = 0;
+ fraghdr->ip6f_ident = htonl(ident);
- if (mp == NULL) {
- if (multirt_send) {
- ASSERT(ire1 != NULL);
- if (ire != save_ire) {
- ire_refrele(ire);
- }
- /*
- * Proceed with the next RTF_MULTIRT
- * ire, also set up the send-to queue
- * accordingly.
- */
- ire = ire1;
- ire1 = NULL;
- stq = ire->ire_stq;
- nce = ire->ire_nce;
- ill = ire_to_ill(ire);
- mp = next_mp;
- next_mp = NULL;
- continue;
- } else {
- ASSERT(next_mp == NULL);
- ASSERT(ire1 == NULL);
- break;
- }
- }
+ /* Get the priority marking, if any */
+ hmp->b_band = priority;
- if (ipst->ips_ip6_observe.he_interested) {
- zoneid_t szone;
+ /*
+ * Move read ptr past unfragmentable portion, we don't want this part
+ * of the data in our fragments.
+ */
+ mp->b_rptr += unfragmentable_len;
+ hmp->b_cont = mp;
+ return (hmp);
+}
- /*
- * Both of these functions expect b_rptr to
- * be where the IPv6 header starts, so advance
- * past the link layer header.
- */
- if (fp_prepend)
- mp_ip6h->b_rptr += hlen;
- szone = ip_get_zoneid_v6(&ip6h->ip6_src,
- mp_ip6h, out_ill, ipst, ALL_ZONES);
- ipobs_hook(mp_ip6h, IPOBS_HOOK_OUTBOUND, szone,
- ALL_ZONES, out_ill, ipst);
- if (fp_prepend)
- mp_ip6h->b_rptr -= hlen;
- }
+/*
+ * Determine if the ill and multicast aspects of that packets
+ * "matches" the conn.
+ */
+boolean_t
+conn_wantpacket_v6(conn_t *connp, ip_recv_attr_t *ira, ip6_t *ip6h)
+{
+ ill_t *ill = ira->ira_rill;
+ zoneid_t zoneid = ira->ira_zoneid;
+ uint_t in_ifindex;
+ in6_addr_t *v6dst_ptr = &ip6h->ip6_dst;
+ in6_addr_t *v6src_ptr = &ip6h->ip6_src;
- /*
- * Update ire and MIB counters; for save_ire, this has
- * been done by the caller.
- */
- if (ire != save_ire) {
- UPDATE_OB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
+ /*
+ * conn_incoming_ifindex is set by IPV6_BOUND_IF and as link-local
+ * scopeid. This is used to limit
+ * unicast and multicast reception to conn_incoming_ifindex.
+ * conn_wantpacket_v6 is called both for unicast and
+ * multicast packets.
+ */
+ in_ifindex = connp->conn_incoming_ifindex;
- if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst)) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsHCOutMcastPkts);
- UPDATE_MIB(ill->ill_ip_mib,
- ipIfStatsHCOutMcastOctets,
- ntohs(ip6h->ip6_plen) +
- IPV6_HDR_LEN);
- }
- }
+ /* mpathd can bind to the under IPMP interface, which we allow */
+ if (in_ifindex != 0 && in_ifindex != ill->ill_phyint->phyint_ifindex) {
+ if (!IS_UNDER_IPMP(ill))
+ return (B_FALSE);
- /*
- * Send it down. XXX Do we want to flow control AH/ESP
- * packets that carry TCP payloads? We don't flow
- * control TCP packets, but we should also not
- * flow-control TCP packets that have been protected.
- * We don't have an easy way to find out if an AH/ESP
- * packet was originally TCP or not currently.
- */
- if (io == NULL) {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsHCOutTransmits);
- UPDATE_MIB(ill->ill_ip_mib,
- ipIfStatsHCOutOctets,
- ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN);
- DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL,
- void_ip_t *, ip6h, __dtrace_ipsr_ill_t *,
- out_ill, ipha_t *, NULL, ip6_t *, ip6h,
- int, 0);
-
- putnext(stq, mp);
- } else {
- /*
- * Safety Pup says: make sure this is
- * going to the right interface!
- */
- if (io->ipsec_out_capab_ill_index !=
- ill_index) {
- /* IPsec kstats: bump lose counter */
- freemsg(mp1);
- } else {
- BUMP_MIB(ill->ill_ip_mib,
- ipIfStatsHCOutTransmits);
- UPDATE_MIB(ill->ill_ip_mib,
- ipIfStatsHCOutOctets,
- ntohs(ip6h->ip6_plen) +
- IPV6_HDR_LEN);
- DTRACE_IP7(send, mblk_t *, mp,
- conn_t *, NULL, void_ip_t *, ip6h,
- __dtrace_ipsr_ill_t *, out_ill,
- ipha_t *, NULL, ip6_t *, ip6h, int,
- 0);
- ipsec_hw_putnext(stq, mp);
- }
- }
+ if (in_ifindex != ipmp_ill_get_ipmp_ifindex(ill))
+ return (B_FALSE);
+ }
- if (nce->nce_flags & (NCE_F_NONUD|NCE_F_PERMANENT)) {
- if (ire != save_ire) {
- ire_refrele(ire);
- }
- if (multirt_send) {
- ASSERT(ire1 != NULL);
- /*
- * Proceed with the next RTF_MULTIRT
- * ire, also set up the send-to queue
- * accordingly.
- */
- ire = ire1;
- ire1 = NULL;
- stq = ire->ire_stq;
- nce = ire->ire_nce;
- ill = ire_to_ill(ire);
- mp = next_mp;
- next_mp = NULL;
- continue;
- }
- ASSERT(next_mp == NULL);
- ASSERT(ire1 == NULL);
- return;
- }
+ if (!IPCL_ZONE_MATCH(connp, zoneid))
+ return (B_FALSE);
- ASSERT(nce->nce_state != ND_INCOMPLETE);
+ if (!(ira->ira_flags & IRAF_MULTICAST))
+ return (B_TRUE);
- /*
- * Check for upper layer advice
- */
- if (flags & IPV6_REACHABILITY_CONFIRMATION) {
- /*
- * It should be o.k. to check the state without
- * a lock here, at most we lose an advice.
- */
- nce->nce_last = TICK_TO_MSEC(lbolt64);
- if (nce->nce_state != ND_REACHABLE) {
-
- mutex_enter(&nce->nce_lock);
- nce->nce_state = ND_REACHABLE;
- nce->nce_pcnt = ND_MAX_UNICAST_SOLICIT;
- mutex_exit(&nce->nce_lock);
- (void) untimeout(nce->nce_timeout_id);
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("ip_xmit_v6: state"
- " for %s changed to"
- " REACHABLE\n", AF_INET6,
- &ire->ire_addr_v6);
- }
- }
- if (ire != save_ire) {
- ire_refrele(ire);
- }
- if (multirt_send) {
- ASSERT(ire1 != NULL);
- /*
- * Proceed with the next RTF_MULTIRT
- * ire, also set up the send-to queue
- * accordingly.
- */
- ire = ire1;
- ire1 = NULL;
- stq = ire->ire_stq;
- nce = ire->ire_nce;
- ill = ire_to_ill(ire);
- mp = next_mp;
- next_mp = NULL;
- continue;
- }
- ASSERT(next_mp == NULL);
- ASSERT(ire1 == NULL);
- return;
- }
+ if (connp->conn_multi_router)
+ return (B_TRUE);
- delta = TICK_TO_MSEC(lbolt64) - nce->nce_last;
- ip1dbg(("ip_xmit_v6: delta = %" PRId64
- " ill_reachable_time = %d \n", delta,
- ill->ill_reachable_time));
- if (delta > (uint64_t)ill->ill_reachable_time) {
- nce = ire->ire_nce;
- mutex_enter(&nce->nce_lock);
- switch (nce->nce_state) {
- case ND_REACHABLE:
- case ND_STALE:
- /*
- * ND_REACHABLE is identical to
- * ND_STALE in this specific case. If
- * reachable time has expired for this
- * neighbor (delta is greater than
- * reachable time), conceptually, the
- * neighbor cache is no longer in
- * REACHABLE state, but already in
- * STALE state. So the correct
- * transition here is to ND_DELAY.
- */
- nce->nce_state = ND_DELAY;
- mutex_exit(&nce->nce_lock);
- NDP_RESTART_TIMER(nce,
- ipst->ips_delay_first_probe_time);
- if (ip_debug > 3) {
- /* ip2dbg */
- pr_addr_dbg("ip_xmit_v6: state"
- " for %s changed to"
- " DELAY\n", AF_INET6,
- &ire->ire_addr_v6);
- }
- break;
- case ND_DELAY:
- case ND_PROBE:
- mutex_exit(&nce->nce_lock);
- /* Timers have already started */
- break;
- case ND_UNREACHABLE:
- /*
- * ndp timer has detected that this nce
- * is unreachable and initiated deleting
- * this nce and all its associated IREs.
- * This is a race where we found the
- * ire before it was deleted and have
- * just sent out a packet using this
- * unreachable nce.
- */
- mutex_exit(&nce->nce_lock);
- break;
- default:
- ASSERT(0);
- }
- }
+ if (ira->ira_protocol == IPPROTO_RSVP)
+ return (B_TRUE);
- if (multirt_send) {
- ASSERT(ire1 != NULL);
- /*
- * Proceed with the next RTF_MULTIRT ire,
- * Also set up the send-to queue accordingly.
- */
- if (ire != save_ire) {
- ire_refrele(ire);
- }
- ire = ire1;
- ire1 = NULL;
- stq = ire->ire_stq;
- nce = ire->ire_nce;
- ill = ire_to_ill(ire);
- mp = next_mp;
- next_mp = NULL;
- }
- } while (multirt_send);
- /*
- * In the multirouting case, release the last ire used for
- * emission. save_ire will be released by the caller.
- */
- if (ire != save_ire) {
- ire_refrele(ire);
- }
- } else {
- /*
- * Can't apply backpressure, just discard the packet.
- */
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
- freemsg(mp);
- return;
- }
+ return (conn_hasmembers_ill_withsrc_v6(connp, v6dst_ptr, v6src_ptr,
+ ira->ira_ill));
}
/*
@@ -12189,37 +4488,52 @@ pr_addr_dbg(char *fmt1, int af, const void *addr)
/*
- * Return the length in bytes of the IPv6 headers (base header, ip6i_t
- * if needed and extension headers) that will be needed based on the
- * ip6_pkt_t structure passed by the caller.
+ * Return the length in bytes of the IPv6 headers (base header
+ * extension headers) that will be needed based on the
+ * ip_pkt_t structure passed by the caller.
*
* The returned length does not include the length of the upper level
* protocol (ULP) header.
*/
int
-ip_total_hdrs_len_v6(ip6_pkt_t *ipp)
+ip_total_hdrs_len_v6(const ip_pkt_t *ipp)
{
int len;
len = IPV6_HDR_LEN;
- if (ipp->ipp_fields & IPPF_HAS_IP6I)
- len += sizeof (ip6i_t);
- if (ipp->ipp_fields & IPPF_HOPOPTS) {
+
+ /*
+ * If there's a security label here, then we ignore any hop-by-hop
+ * options the user may try to set.
+ */
+ if (ipp->ipp_fields & IPPF_LABEL_V6) {
+ uint_t hopoptslen;
+ /*
+ * Note that ipp_label_len_v6 is just the option - not
+ * the hopopts extension header. It also needs to be padded
+ * to a multiple of 8 bytes.
+ */
+ ASSERT(ipp->ipp_label_len_v6 != 0);
+ hopoptslen = ipp->ipp_label_len_v6 + sizeof (ip6_hbh_t);
+ hopoptslen = (hopoptslen + 7)/8 * 8;
+ len += hopoptslen;
+ } else if (ipp->ipp_fields & IPPF_HOPOPTS) {
ASSERT(ipp->ipp_hopoptslen != 0);
len += ipp->ipp_hopoptslen;
}
- if (ipp->ipp_fields & IPPF_RTHDR) {
- ASSERT(ipp->ipp_rthdrlen != 0);
- len += ipp->ipp_rthdrlen;
- }
+
/*
* En-route destination options
* Only do them if there's a routing header as well
*/
- if ((ipp->ipp_fields & (IPPF_RTDSTOPTS|IPPF_RTHDR)) ==
- (IPPF_RTDSTOPTS|IPPF_RTHDR)) {
- ASSERT(ipp->ipp_rtdstoptslen != 0);
- len += ipp->ipp_rtdstoptslen;
+ if ((ipp->ipp_fields & (IPPF_RTHDRDSTOPTS|IPPF_RTHDR)) ==
+ (IPPF_RTHDRDSTOPTS|IPPF_RTHDR)) {
+ ASSERT(ipp->ipp_rthdrdstoptslen != 0);
+ len += ipp->ipp_rthdrdstoptslen;
+ }
+ if (ipp->ipp_fields & IPPF_RTHDR) {
+ ASSERT(ipp->ipp_rthdrlen != 0);
+ len += ipp->ipp_rthdrlen;
}
if (ipp->ipp_fields & IPPF_DSTOPTS) {
ASSERT(ipp->ipp_dstoptslen != 0);
@@ -12230,80 +4544,40 @@ ip_total_hdrs_len_v6(ip6_pkt_t *ipp)
/*
* All-purpose routine to build a header chain of an IPv6 header
- * followed by any required extension headers and a proto header,
- * preceeded (where necessary) by an ip6i_t private header.
+ * followed by any required extension headers and a proto header.
*
- * The fields of the IPv6 header that are derived from the ip6_pkt_t
- * will be filled in appropriately.
- * Thus the caller must fill in the rest of the IPv6 header, such as
- * traffic class/flowid, source address (if not set here), hoplimit (if not
- * set here) and destination address.
+ * The caller has to set the source and destination address as well as
+ * ip6_plen. The caller has to massage any routing header and compensate
+ * for the ULP pseudo-header checksum due to the source route.
*
- * The extension headers and ip6i_t header will all be fully filled in.
+ * The extension headers will all be fully filled in.
*/
void
-ip_build_hdrs_v6(uchar_t *ext_hdrs, uint_t ext_hdrs_len,
- ip6_pkt_t *ipp, uint8_t protocol)
+ip_build_hdrs_v6(uchar_t *buf, uint_t buf_len, const ip_pkt_t *ipp,
+ uint8_t protocol, uint32_t flowinfo)
{
uint8_t *nxthdr_ptr;
uint8_t *cp;
- ip6i_t *ip6i;
- ip6_t *ip6h = (ip6_t *)ext_hdrs;
+ ip6_t *ip6h = (ip6_t *)buf;
- /*
- * If sending private ip6i_t header down (checksum info, nexthop,
- * or ifindex), adjust ip header pointer and set ip6i_t header pointer,
- * then fill it in. (The checksum info will be filled in by icmp).
- */
- if (ipp->ipp_fields & IPPF_HAS_IP6I) {
- ip6i = (ip6i_t *)ip6h;
- ip6h = (ip6_t *)&ip6i[1];
-
- ip6i->ip6i_flags = 0;
- ip6i->ip6i_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
- if (ipp->ipp_fields & IPPF_IFINDEX ||
- ipp->ipp_fields & IPPF_SCOPE_ID) {
- ASSERT(ipp->ipp_ifindex != 0);
- ip6i->ip6i_flags |= IP6I_IFINDEX;
- ip6i->ip6i_ifindex = ipp->ipp_ifindex;
- }
- if (ipp->ipp_fields & IPPF_ADDR) {
- /*
- * Enable per-packet source address verification if
- * IPV6_PKTINFO specified the source address.
- * ip6_src is set in the transport's _wput function.
- */
- ASSERT(!IN6_IS_ADDR_UNSPECIFIED(
- &ipp->ipp_addr));
- ip6i->ip6i_flags |= IP6I_VERIFY_SRC;
- }
- if (ipp->ipp_fields & IPPF_UNICAST_HOPS) {
- ip6h->ip6_hops = ipp->ipp_unicast_hops;
- /*
- * We need to set this flag so that IP doesn't
- * rewrite the IPv6 header's hoplimit with the
- * current default value.
- */
- ip6i->ip6i_flags |= IP6I_HOPLIMIT;
- }
- if (ipp->ipp_fields & IPPF_NEXTHOP) {
- ASSERT(!IN6_IS_ADDR_UNSPECIFIED(
- &ipp->ipp_nexthop));
- ip6i->ip6i_flags |= IP6I_NEXTHOP;
- ip6i->ip6i_nexthop = ipp->ipp_nexthop;
- }
- /*
- * tell IP this is an ip6i_t private header
- */
- ip6i->ip6i_nxt = IPPROTO_RAW;
- }
/* Initialize IPv6 header */
- ip6h->ip6_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
+ ip6h->ip6_vcf =
+ (IPV6_DEFAULT_VERS_AND_FLOW & IPV6_VERS_AND_FLOW_MASK) |
+ (flowinfo & ~IPV6_VERS_AND_FLOW_MASK);
+
if (ipp->ipp_fields & IPPF_TCLASS) {
- ip6h->ip6_vcf = (ip6h->ip6_vcf & ~IPV6_FLOWINFO_TCLASS) |
- (ipp->ipp_tclass << 20);
+ /* Overrides the class part of flowinfo */
+ ip6h->ip6_vcf = IPV6_TCLASS_FLOW(ip6h->ip6_vcf,
+ ipp->ipp_tclass);
}
- if (ipp->ipp_fields & IPPF_ADDR)
+
+ if (ipp->ipp_fields & IPPF_HOPLIMIT)
+ ip6h->ip6_hops = ipp->ipp_hoplimit;
+ else
+ ip6h->ip6_hops = ipp->ipp_unicast_hops;
+
+ if ((ipp->ipp_fields & IPPF_ADDR) &&
+ !IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
ip6h->ip6_src = ipp->ipp_addr;
nxthdr_ptr = (uint8_t *)&ip6h->ip6_nxt;
@@ -12313,7 +4587,47 @@ ip_build_hdrs_v6(uchar_t *ext_hdrs, uint_t ext_hdrs_len,
* any extension headers in the right order:
* Hop-by-hop, destination, routing, and final destination opts.
*/
- if (ipp->ipp_fields & IPPF_HOPOPTS) {
+ /*
+ * If there's a security label here, then we ignore any hop-by-hop
+ * options the user may try to set.
+ */
+ if (ipp->ipp_fields & IPPF_LABEL_V6) {
+ /*
+ * Hop-by-hop options with the label.
+ * Note that ipp_label_v6 is just the option - not
+ * the hopopts extension header. It also needs to be padded
+ * to a multiple of 8 bytes.
+ */
+ ip6_hbh_t *hbh = (ip6_hbh_t *)cp;
+ uint_t hopoptslen;
+ uint_t padlen;
+
+ padlen = ipp->ipp_label_len_v6 + sizeof (ip6_hbh_t);
+ hopoptslen = (padlen + 7)/8 * 8;
+ padlen = hopoptslen - padlen;
+
+ *nxthdr_ptr = IPPROTO_HOPOPTS;
+ nxthdr_ptr = &hbh->ip6h_nxt;
+ hbh->ip6h_len = hopoptslen/8 - 1;
+ cp += sizeof (ip6_hbh_t);
+ bcopy(ipp->ipp_label_v6, cp, ipp->ipp_label_len_v6);
+ cp += ipp->ipp_label_len_v6;
+
+ ASSERT(padlen <= 7);
+ switch (padlen) {
+ case 0:
+ break;
+ case 1:
+ cp[0] = IP6OPT_PAD1;
+ break;
+ default:
+ cp[0] = IP6OPT_PADN;
+ cp[1] = padlen - 2;
+ bzero(&cp[2], padlen - 2);
+ break;
+ }
+ cp += padlen;
+ } else if (ipp->ipp_fields & IPPF_HOPOPTS) {
/* Hop-by-hop options */
ip6_hbh_t *hbh = (ip6_hbh_t *)cp;
@@ -12327,15 +4641,15 @@ ip_build_hdrs_v6(uchar_t *ext_hdrs, uint_t ext_hdrs_len,
* En-route destination options
* Only do them if there's a routing header as well
*/
- if ((ipp->ipp_fields & (IPPF_RTDSTOPTS|IPPF_RTHDR)) ==
- (IPPF_RTDSTOPTS|IPPF_RTHDR)) {
+ if ((ipp->ipp_fields & (IPPF_RTHDRDSTOPTS|IPPF_RTHDR)) ==
+ (IPPF_RTHDRDSTOPTS|IPPF_RTHDR)) {
ip6_dest_t *dst = (ip6_dest_t *)cp;
*nxthdr_ptr = IPPROTO_DSTOPTS;
nxthdr_ptr = &dst->ip6d_nxt;
- bcopy(ipp->ipp_rtdstopts, cp, ipp->ipp_rtdstoptslen);
- cp += ipp->ipp_rtdstoptslen;
+ bcopy(ipp->ipp_rthdrdstopts, cp, ipp->ipp_rthdrdstoptslen);
+ cp += ipp->ipp_rthdrdstoptslen;
}
/*
* Routing header next
@@ -12365,7 +4679,7 @@ ip_build_hdrs_v6(uchar_t *ext_hdrs, uint_t ext_hdrs_len,
* Now set the last header pointer to the proto passed in
*/
*nxthdr_ptr = protocol;
- ASSERT((int)(cp - ext_hdrs) == ext_hdrs_len);
+ ASSERT((int)(cp - buf) == buf_len);
}
/*
@@ -12509,108 +4823,28 @@ ip_massage_options_v6(ip6_t *ip6h, ip6_rthdr_t *rth, netstack_t *ns)
return (cksm);
}
-/*
- * Propagate a multicast group membership operation (join/leave) (*fn) on
- * all interfaces crossed by the related multirt routes.
- * The call is considered successful if the operation succeeds
- * on at least one interface.
- * The function is called if the destination address in the packet to send
- * is multirouted.
- */
-int
-ip_multirt_apply_membership_v6(int (*fn)(conn_t *, boolean_t,
- const in6_addr_t *, int, mcast_record_t, const in6_addr_t *, mblk_t *),
- ire_t *ire, conn_t *connp, boolean_t checkonly, const in6_addr_t *v6grp,
- mcast_record_t fmode, const in6_addr_t *v6src, mblk_t *first_mp)
-{
- ire_t *ire_gw;
- irb_t *irb;
- int index, error = 0;
- opt_restart_t *or;
- ip_stack_t *ipst = ire->ire_ipst;
-
- irb = ire->ire_bucket;
- ASSERT(irb != NULL);
-
- ASSERT(DB_TYPE(first_mp) == M_CTL);
- or = (opt_restart_t *)first_mp->b_rptr;
-
- IRB_REFHOLD(irb);
- for (; ire != NULL; ire = ire->ire_next) {
- if ((ire->ire_flags & RTF_MULTIRT) == 0)
- continue;
- if (!IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, v6grp))
- continue;
-
- ire_gw = ire_ftable_lookup_v6(&ire->ire_gateway_addr_v6, 0, 0,
- IRE_INTERFACE, NULL, NULL, ALL_ZONES, 0, NULL,
- MATCH_IRE_RECURSIVE | MATCH_IRE_TYPE, ipst);
- /* No resolver exists for the gateway; skip this ire. */
- if (ire_gw == NULL)
- continue;
- index = ire_gw->ire_ipif->ipif_ill->ill_phyint->phyint_ifindex;
- /*
- * A resolver exists: we can get the interface on which we have
- * to apply the operation.
- */
- error = fn(connp, checkonly, v6grp, index, fmode, v6src,
- first_mp);
- if (error == 0)
- or->or_private = CGTP_MCAST_SUCCESS;
-
- if (ip_debug > 0) {
- ulong_t off;
- char *ksym;
-
- ksym = kobj_getsymname((uintptr_t)fn, &off);
- ip2dbg(("ip_multirt_apply_membership_v6: "
- "called %s, multirt group 0x%08x via itf 0x%08x, "
- "error %d [success %u]\n",
- ksym ? ksym : "?",
- ntohl(V4_PART_OF_V6((*v6grp))),
- ntohl(V4_PART_OF_V6(ire_gw->ire_src_addr_v6)),
- error, or->or_private));
- }
-
- ire_refrele(ire_gw);
- if (error == EINPROGRESS) {
- IRB_REFRELE(irb);
- return (error);
- }
- }
- IRB_REFRELE(irb);
- /*
- * Consider the call as successful if we succeeded on at least
- * one interface. Otherwise, return the last encountered error.
- */
- return (or->or_private == CGTP_MCAST_SUCCESS ? 0 : error);
-}
-
void
*ip6_kstat_init(netstackid_t stackid, ip6_stat_t *ip6_statisticsp)
{
kstat_t *ksp;
ip6_stat_t template = {
- { "ip6_udp_fast_path", KSTAT_DATA_UINT64 },
- { "ip6_udp_slow_path", KSTAT_DATA_UINT64 },
{ "ip6_udp_fannorm", KSTAT_DATA_UINT64 },
{ "ip6_udp_fanmb", KSTAT_DATA_UINT64 },
+ { "ip6_recv_pullup", KSTAT_DATA_UINT64 },
+ { "ip6_db_ref", KSTAT_DATA_UINT64 },
+ { "ip6_notaligned", KSTAT_DATA_UINT64 },
+ { "ip6_multimblk", KSTAT_DATA_UINT64 },
+ { "ipsec_proto_ahesp", KSTAT_DATA_UINT64 },
{ "ip6_out_sw_cksum", KSTAT_DATA_UINT64 },
+ { "ip6_out_sw_cksum_bytes", KSTAT_DATA_UINT64 },
{ "ip6_in_sw_cksum", KSTAT_DATA_UINT64 },
{ "ip6_tcp_in_full_hw_cksum_err", KSTAT_DATA_UINT64 },
{ "ip6_tcp_in_part_hw_cksum_err", KSTAT_DATA_UINT64 },
{ "ip6_tcp_in_sw_cksum_err", KSTAT_DATA_UINT64 },
- { "ip6_tcp_out_sw_cksum_bytes", KSTAT_DATA_UINT64 },
{ "ip6_udp_in_full_hw_cksum_err", KSTAT_DATA_UINT64 },
{ "ip6_udp_in_part_hw_cksum_err", KSTAT_DATA_UINT64 },
{ "ip6_udp_in_sw_cksum_err", KSTAT_DATA_UINT64 },
- { "ip6_udp_out_sw_cksum_bytes", KSTAT_DATA_UINT64 },
- { "ip6_frag_mdt_pkt_out", KSTAT_DATA_UINT64 },
- { "ip6_frag_mdt_discarded", KSTAT_DATA_UINT64 },
- { "ip6_frag_mdt_allocfail", KSTAT_DATA_UINT64 },
- { "ip6_frag_mdt_addpdescfail", KSTAT_DATA_UINT64 },
- { "ip6_frag_mdt_allocd", KSTAT_DATA_UINT64 },
};
ksp = kstat_create_netstack("ip", 0, "ip6stat", "net",
KSTAT_TYPE_NAMED, sizeof (template) / sizeof (kstat_named_t),
@@ -12641,7 +4875,7 @@ ip6_kstat_fini(netstackid_t stackid, kstat_t *ksp)
* IPV6_SRC_PREFERENCES socket option.
*/
int
-ip6_set_src_preferences(conn_t *connp, uint32_t prefs)
+ip6_set_src_preferences(ip_xmit_attr_t *ixa, uint32_t prefs)
{
/*
* We only support preferences that are covered by
@@ -12675,47 +4909,15 @@ ip6_set_src_preferences(conn_t *connp, uint32_t prefs)
return (EINVAL);
}
- connp->conn_src_preferences = prefs;
+ ixa->ixa_src_preferences = prefs;
return (0);
}
size_t
-ip6_get_src_preferences(conn_t *connp, uint32_t *val)
+ip6_get_src_preferences(ip_xmit_attr_t *ixa, uint32_t *val)
{
- *val = connp->conn_src_preferences;
- return (sizeof (connp->conn_src_preferences));
-}
-
-int
-ip6_set_pktinfo(cred_t *cr, conn_t *connp, struct in6_pktinfo *pkti)
-{
- ire_t *ire;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- /*
- * Verify the source address and ifindex. Privileged users can use
- * any source address. For ancillary data the source address is
- * checked in ip_wput_v6.
- */
- if (pkti->ipi6_ifindex != 0) {
- rw_enter(&ipst->ips_ill_g_lock, RW_READER);
- if (!phyint_exists(pkti->ipi6_ifindex, ipst)) {
- rw_exit(&ipst->ips_ill_g_lock);
- return (ENXIO);
- }
- rw_exit(&ipst->ips_ill_g_lock);
- }
- if (!IN6_IS_ADDR_UNSPECIFIED(&pkti->ipi6_addr) &&
- secpolicy_net_rawaccess(cr) != 0) {
- ire = ire_route_lookup_v6(&pkti->ipi6_addr, 0, 0,
- (IRE_LOCAL|IRE_LOOPBACK), NULL, NULL,
- connp->conn_zoneid, NULL, MATCH_IRE_TYPE, ipst);
- if (ire != NULL)
- ire_refrele(ire);
- else
- return (ENXIO);
- }
- return (0);
+ *val = ixa->ixa_src_preferences;
+ return (sizeof (ixa->ixa_src_preferences));
}
/*
@@ -12743,7 +4945,7 @@ ipsec_ah_get_hdr_size_v6(mblk_t *mp, boolean_t till_ah)
whereptr = (uint8_t *)&ip6h[1];
for (;;) {
/* Assume IP has already stripped it */
- ASSERT(nexthdr != IPPROTO_FRAGMENT && nexthdr != IPPROTO_RAW);
+ ASSERT(nexthdr != IPPROTO_FRAGMENT);
switch (nexthdr) {
case IPPROTO_HOPOPTS:
hbhhdr = (ip6_hbh_t *)whereptr;
@@ -12815,11 +5017,12 @@ ipsec_ah_get_hdr_size_v6(mblk_t *mp, boolean_t till_ah)
* inside the IPSQ (ill_g_lock is not held), `ill' may be removed from the
* group during or after this lookup.
*/
-static boolean_t
+boolean_t
ipif_lookup_testaddr_v6(ill_t *ill, const in6_addr_t *v6srcp, ipif_t **ipifp)
{
ipif_t *ipif;
+
ipif = ipif_lookup_addr_exact_v6(v6srcp, ill, ill->ill_ipst);
if (ipif != NULL) {
if (ipifp != NULL)
diff --git a/usr/src/uts/common/inet/ip/ip6_asp.c b/usr/src/uts/common/inet/ip/ip6_asp.c
index d54e821359..5c499e6526 100644
--- a/usr/src/uts/common/inet/ip/ip6_asp.c
+++ b/usr/src/uts/common/inet/ip/ip6_asp.c
@@ -19,12 +19,10 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ksynch.h>
@@ -41,6 +39,7 @@
#include <inet/ip6.h>
#include <inet/ip6_asp.h>
#include <inet/ip_ire.h>
+#include <inet/ip_if.h>
#include <inet/ipclassifier.h>
#define IN6ADDR_MASK128_INIT \
@@ -415,18 +414,13 @@ ip6_asp_replace(mblk_t *mp, ip6_asp_t *new_table, size_t new_size,
ipst->ips_ip6_asp_table = tmp_table;
ipst->ips_ip6_asp_table_count = count;
- /*
- * The user has changed the address selection policy table. IPv6
- * source address selection for existing IRE_CACHE and
- * RTF_DYNAMIC entries used the old table, so we need to
- * clear the cache.
- */
- ire_walk_v6(ire_delete_cache_v6, NULL, ALL_ZONES, ipst);
-
unlock_end:
ipst->ips_ip6_asp_uip = B_FALSE;
mutex_exit(&ipst->ips_ip6_asp_lock);
+ /* Let conn_ixa caching know that source address selection changed */
+ ip_update_source_selection(ipst);
+
replace_end:
/* Reply to the ioctl */
q = (queue_t *)mp->b_prev;
diff --git a/usr/src/uts/common/inet/ip/ip6_if.c b/usr/src/uts/common/inet/ip/ip6_if.c
index a986a755ac..364a44b9d4 100644
--- a/usr/src/uts/common/inet/ip/ip6_if.c
+++ b/usr/src/uts/common/inet/ip/ip6_if.c
@@ -76,12 +76,13 @@ static in6_addr_t ipv6_ll_template =
static ipif_t *
ipif_lookup_interface_v6(const in6_addr_t *if_addr, const in6_addr_t *dst,
- queue_t *q, mblk_t *mp, ipsq_func_t func, int *error, ip_stack_t *ipst);
+ ip_stack_t *ipst);
+
+static int ipif_add_ires_v6(ipif_t *, boolean_t);
/*
- * These two functions, ipif_lookup_group_v6() and ill_lookup_group_v6(),
- * are called when an application does not specify an interface to be
- * used for multicast traffic. It calls ire_lookup_multi_v6() to look
+ * This function is called when an application does not specify an interface
+ * to be used for multicast traffic. It calls ire_lookup_multi_v6() to look
* for an interface route for the specified multicast group. Doing
* this allows the administrator to add prefix routes for multicast to
* indicate which interface to be used for multicast traffic in the above
@@ -89,47 +90,21 @@ ipif_lookup_interface_v6(const in6_addr_t *if_addr, const in6_addr_t *dst,
* multicast group (a /128 route) or anything in between. If there is no
* such multicast route, we just find any multicast capable interface and
* return it.
+ *
+ * We support MULTIRT and RTF_SETSRC on the multicast routes added to the
+ * unicast table. This is used by CGTP.
*/
-ipif_t *
-ipif_lookup_group_v6(const in6_addr_t *group, zoneid_t zoneid, ip_stack_t *ipst)
-{
- ire_t *ire;
- ipif_t *ipif;
-
- ire = ire_lookup_multi_v6(group, zoneid, ipst);
- if (ire != NULL) {
- ipif = ire->ire_ipif;
- ipif_refhold(ipif);
- ire_refrele(ire);
- return (ipif);
- }
-
- return (ipif_lookup_multicast(ipst, zoneid, B_TRUE));
-}
-
ill_t *
-ill_lookup_group_v6(const in6_addr_t *group, zoneid_t zoneid, ip_stack_t *ipst)
+ill_lookup_group_v6(const in6_addr_t *group, zoneid_t zoneid, ip_stack_t *ipst,
+ boolean_t *multirtp, in6_addr_t *setsrcp)
{
- ire_t *ire;
ill_t *ill;
- ipif_t *ipif;
- ire = ire_lookup_multi_v6(group, zoneid, ipst);
- if (ire != NULL) {
- ill = ire->ire_ipif->ipif_ill;
- ill_refhold(ill);
- ire_refrele(ire);
+ ill = ire_lookup_multi_ill_v6(group, zoneid, ipst, multirtp, setsrcp);
+ if (ill != NULL)
return (ill);
- }
-
- ipif = ipif_lookup_multicast(ipst, zoneid, B_TRUE);
- if (ipif == NULL)
- return (NULL);
- ill = ipif->ipif_ill;
- ill_refhold(ill);
- ipif_refrele(ipif);
- return (ill);
+ return (ill_lookup_multicast(ipst, zoneid, B_TRUE));
}
/*
@@ -138,16 +113,12 @@ ill_lookup_group_v6(const in6_addr_t *group, zoneid_t zoneid, ip_stack_t *ipst)
*/
static ipif_t *
ipif_lookup_interface_v6(const in6_addr_t *if_addr, const in6_addr_t *dst,
- queue_t *q, mblk_t *mp, ipsq_func_t func, int *error, ip_stack_t *ipst)
+ ip_stack_t *ipst)
{
ipif_t *ipif;
ill_t *ill;
- ipsq_t *ipsq;
ill_walk_context_t ctx;
- if (error != NULL)
- *error = 0;
-
/*
* First match all the point-to-point interfaces
* before looking at non-point-to-point interfaces.
@@ -157,7 +128,6 @@ ipif_lookup_interface_v6(const in6_addr_t *if_addr, const in6_addr_t *dst,
rw_enter(&ipst->ips_ill_g_lock, RW_READER);
ill = ILL_START_WALK_V6(&ctx, ipst);
for (; ill != NULL; ill = ill_next(&ctx, ill)) {
- GRAB_CONN_LOCK(q);
mutex_enter(&ill->ill_lock);
for (ipif = ill->ill_ipif; ipif != NULL;
ipif = ipif->ipif_next) {
@@ -167,36 +137,19 @@ ipif_lookup_interface_v6(const in6_addr_t *if_addr, const in6_addr_t *dst,
if_addr)) &&
(IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6pp_dst_addr,
dst))) {
- if (IPIF_CAN_LOOKUP(ipif)) {
+ if (!IPIF_IS_CONDEMNED(ipif)) {
ipif_refhold_locked(ipif);
mutex_exit(&ill->ill_lock);
- RELEASE_CONN_LOCK(q);
rw_exit(&ipst->ips_ill_g_lock);
return (ipif);
- } else if (IPIF_CAN_WAIT(ipif, q)) {
- ipsq = ill->ill_phyint->phyint_ipsq;
- mutex_enter(&ipsq->ipsq_lock);
- mutex_enter(&ipsq->ipsq_xop->ipx_lock);
- mutex_exit(&ill->ill_lock);
- rw_exit(&ipst->ips_ill_g_lock);
- ipsq_enq(ipsq, q, mp, func, NEW_OP,
- ill);
- mutex_exit(&ipsq->ipsq_xop->ipx_lock);
- mutex_exit(&ipsq->ipsq_lock);
- RELEASE_CONN_LOCK(q);
- if (error != NULL)
- *error = EINPROGRESS;
- return (NULL);
}
}
}
mutex_exit(&ill->ill_lock);
- RELEASE_CONN_LOCK(q);
}
rw_exit(&ipst->ips_ill_g_lock);
/* lookup the ipif based on interface address */
- ipif = ipif_lookup_addr_v6(if_addr, NULL, ALL_ZONES, q, mp, func,
- error, ipst);
+ ipif = ipif_lookup_addr_v6(if_addr, NULL, ALL_ZONES, ipst);
ASSERT(ipif == NULL || ipif->ipif_isv6);
return (ipif);
}
@@ -206,17 +159,14 @@ ipif_lookup_interface_v6(const in6_addr_t *if_addr, const in6_addr_t *dst,
*/
static ipif_t *
ipif_lookup_addr_common_v6(const in6_addr_t *addr, ill_t *match_ill,
- boolean_t match_illgrp, zoneid_t zoneid, queue_t *q, mblk_t *mp,
- ipsq_func_t func, int *error, ip_stack_t *ipst)
+ uint32_t match_flags, zoneid_t zoneid, ip_stack_t *ipst)
{
ipif_t *ipif;
ill_t *ill;
boolean_t ptp = B_FALSE;
- ipsq_t *ipsq;
ill_walk_context_t ctx;
-
- if (error != NULL)
- *error = 0;
+ boolean_t match_illgrp = (match_flags & IPIF_MATCH_ILLGRP);
+ boolean_t no_duplicate = (match_flags & IPIF_MATCH_NONDUP);
rw_enter(&ipst->ips_ill_g_lock, RW_READER);
/*
@@ -230,7 +180,6 @@ repeat:
(!match_illgrp || !IS_IN_SAME_ILLGRP(ill, match_ill))) {
continue;
}
- GRAB_CONN_LOCK(q);
mutex_enter(&ill->ill_lock);
for (ipif = ill->ill_ipif; ipif != NULL;
ipif = ipif->ipif_next) {
@@ -238,6 +187,12 @@ repeat:
ipif->ipif_zoneid != zoneid &&
ipif->ipif_zoneid != ALL_ZONES)
continue;
+
+ if (no_duplicate &&
+ !(ipif->ipif_flags & IPIF_UP)) {
+ continue;
+ }
+
/* Allow the ipif to be down */
if ((!ptp && (IN6_ARE_ADDR_EQUAL(
&ipif->ipif_v6lcl_addr, addr) &&
@@ -245,82 +200,26 @@ repeat:
(ptp && (ipif->ipif_flags & IPIF_POINTOPOINT) &&
IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6pp_dst_addr,
addr))) {
- if (IPIF_CAN_LOOKUP(ipif)) {
+ if (!IPIF_IS_CONDEMNED(ipif)) {
ipif_refhold_locked(ipif);
mutex_exit(&ill->ill_lock);
- RELEASE_CONN_LOCK(q);
rw_exit(&ipst->ips_ill_g_lock);
return (ipif);
- } else if (IPIF_CAN_WAIT(ipif, q)) {
- ipsq = ill->ill_phyint->phyint_ipsq;
- mutex_enter(&ipsq->ipsq_lock);
- mutex_enter(&ipsq->ipsq_xop->ipx_lock);
- mutex_exit(&ill->ill_lock);
- rw_exit(&ipst->ips_ill_g_lock);
- ipsq_enq(ipsq, q, mp, func, NEW_OP,
- ill);
- mutex_exit(&ipsq->ipsq_xop->ipx_lock);
- mutex_exit(&ipsq->ipsq_lock);
- RELEASE_CONN_LOCK(q);
- if (error != NULL)
- *error = EINPROGRESS;
- return (NULL);
}
}
}
mutex_exit(&ill->ill_lock);
- RELEASE_CONN_LOCK(q);
}
/* If we already did the ptp case, then we are done */
if (ptp) {
rw_exit(&ipst->ips_ill_g_lock);
- if (error != NULL)
- *error = ENXIO;
return (NULL);
}
ptp = B_TRUE;
goto repeat;
}
-boolean_t
-ip_addr_exists_v6(const in6_addr_t *addr, zoneid_t zoneid,
- ip_stack_t *ipst)
-{
- ipif_t *ipif;
- ill_t *ill;
- ill_walk_context_t ctx;
-
- rw_enter(&ipst->ips_ill_g_lock, RW_READER);
-
- ill = ILL_START_WALK_V6(&ctx, ipst);
- for (; ill != NULL; ill = ill_next(&ctx, ill)) {
- mutex_enter(&ill->ill_lock);
- for (ipif = ill->ill_ipif; ipif != NULL;
- ipif = ipif->ipif_next) {
- if (zoneid != ALL_ZONES &&
- ipif->ipif_zoneid != zoneid &&
- ipif->ipif_zoneid != ALL_ZONES)
- continue;
- /* Allow the ipif to be down */
- if (((IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6lcl_addr,
- addr) &&
- (ipif->ipif_flags & IPIF_UNNUMBERED) == 0)) ||
- ((ipif->ipif_flags & IPIF_POINTOPOINT) &&
- IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6pp_dst_addr,
- addr))) {
- mutex_exit(&ill->ill_lock);
- rw_exit(&ipst->ips_ill_g_lock);
- return (B_TRUE);
- }
- }
- mutex_exit(&ill->ill_lock);
- }
-
- rw_exit(&ipst->ips_ill_g_lock);
- return (B_FALSE);
-}
-
/*
* Lookup an ipif with the specified address. For point-to-point links we
* look for matches on either the destination address or the local address,
@@ -330,10 +229,24 @@ ip_addr_exists_v6(const in6_addr_t *addr, zoneid_t zoneid,
*/
ipif_t *
ipif_lookup_addr_v6(const in6_addr_t *addr, ill_t *match_ill, zoneid_t zoneid,
- queue_t *q, mblk_t *mp, ipsq_func_t func, int *error, ip_stack_t *ipst)
+ ip_stack_t *ipst)
{
- return (ipif_lookup_addr_common_v6(addr, match_ill, B_TRUE, zoneid, q,
- mp, func, error, ipst));
+ return (ipif_lookup_addr_common_v6(addr, match_ill, IPIF_MATCH_ILLGRP,
+ zoneid, ipst));
+}
+
+/*
+ * Lookup an ipif with the specified address. Similar to ipif_lookup_addr,
+ * except that we will only return an address if it is not marked as
+ * IPIF_DUPLICATE
+ */
+ipif_t *
+ipif_lookup_addr_nondup_v6(const in6_addr_t *addr, ill_t *match_ill,
+ zoneid_t zoneid, ip_stack_t *ipst)
+{
+ return (ipif_lookup_addr_common_v6(addr, match_ill,
+ (IPIF_MATCH_ILLGRP | IPIF_MATCH_NONDUP), zoneid,
+ ipst));
}
/*
@@ -346,8 +259,8 @@ ipif_lookup_addr_exact_v6(const in6_addr_t *addr, ill_t *match_ill,
ip_stack_t *ipst)
{
ASSERT(match_ill != NULL);
- return (ipif_lookup_addr_common_v6(addr, match_ill, B_FALSE, ALL_ZONES,
- NULL, NULL, NULL, NULL, ipst));
+ return (ipif_lookup_addr_common_v6(addr, match_ill, 0, ALL_ZONES,
+ ipst));
}
/*
@@ -473,23 +386,22 @@ ip_remote_addr_ok_v6(const in6_addr_t *addr, const in6_addr_t *subnet_mask)
/*
* ip_rt_add_v6 is called to add an IPv6 route to the forwarding table.
- * ipif_arg is passed in to associate it with the correct interface
+ * ill is passed in to associate it with the correct interface
* (for link-local destinations and gateways).
+ * If ire_arg is set, then we return the held IRE in that location.
*/
/* ARGSUSED1 */
int
ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
const in6_addr_t *gw_addr, const in6_addr_t *src_addr, int flags,
- ipif_t *ipif_arg, ire_t **ire_arg, queue_t *q, mblk_t *mp, ipsq_func_t func,
- struct rtsa_s *sp, ip_stack_t *ipst)
+ ill_t *ill, ire_t **ire_arg, struct rtsa_s *sp, ip_stack_t *ipst,
+ zoneid_t zoneid)
{
- ire_t *ire;
+ ire_t *ire, *nire;
ire_t *gw_ire = NULL;
ipif_t *ipif;
- boolean_t ipif_refheld = B_FALSE;
uint_t type;
int match_flags = MATCH_IRE_TYPE;
- int error;
tsol_gc_t *gc = NULL;
tsol_gcgrp_t *gcgrp = NULL;
boolean_t gcgrp_xtraref = B_FALSE;
@@ -514,14 +426,19 @@ ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
/*
* Get the ipif, if any, corresponding to the gw_addr
+ * If -ifp was specified we restrict ourselves to the ill, otherwise
+ * we match on the gatway and destination to handle unnumbered pt-pt
+ * interfaces.
*/
- ipif = ipif_lookup_interface_v6(gw_addr, dst_addr, q, mp, func,
- &error, ipst);
- if (ipif != NULL)
- ipif_refheld = B_TRUE;
- else if (error == EINPROGRESS) {
- ip1dbg(("ip_rt_add_v6: null and EINPROGRESS"));
- return (error);
+ if (ill != NULL)
+ ipif = ipif_lookup_addr_v6(gw_addr, ill, ALL_ZONES, ipst);
+ else
+ ipif = ipif_lookup_interface_v6(gw_addr, dst_addr, ipst);
+ if (ipif != NULL) {
+ if (IS_VNI(ipif->ipif_ill)) {
+ ipif_refrele(ipif);
+ return (EINVAL);
+ }
}
/*
@@ -535,57 +452,74 @@ ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
if (IN6_ARE_ADDR_EQUAL(gw_addr, &ipv6_loopback) &&
IN6_ARE_ADDR_EQUAL(dst_addr, &ipv6_loopback) &&
IN6_ARE_ADDR_EQUAL(mask, &ipv6_all_ones)) {
- ire = ire_ctable_lookup_v6(dst_addr, 0, IRE_LOOPBACK,
- ipif, ALL_ZONES, NULL, match_flags, ipst);
+ ire = ire_ftable_lookup_v6(dst_addr, 0, 0, IRE_LOOPBACK,
+ NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 0, ipst,
+ NULL);
if (ire != NULL) {
ire_refrele(ire);
- if (ipif_refheld)
- ipif_refrele(ipif);
+ ipif_refrele(ipif);
return (EEXIST);
}
- ip1dbg(("ipif_up_done: 0x%p creating IRE 0x%x"
+ ip1dbg(("ip_rt_add_v6: 0x%p creating IRE 0x%x"
"for 0x%x\n", (void *)ipif,
ipif->ipif_ire_type,
ntohl(ipif->ipif_lcl_addr)));
ire = ire_create_v6(
dst_addr,
mask,
- &ipif->ipif_v6src_addr,
- NULL,
- &ipif->ipif_mtu,
- NULL,
- NULL,
- NULL,
- ipif->ipif_net_type,
- ipif,
- NULL,
- 0,
- 0,
- flags,
- &ire_uinfo_null,
NULL,
+ ipif->ipif_ire_type, /* LOOPBACK */
+ ipif->ipif_ill,
+ zoneid,
+ (ipif->ipif_flags & IPIF_PRIVATE) ? RTF_PRIVATE : 0,
NULL,
ipst);
+
if (ire == NULL) {
- if (ipif_refheld)
- ipif_refrele(ipif);
+ ipif_refrele(ipif);
+ return (ENOMEM);
+ }
+ /* src address assigned by the caller? */
+ if ((flags & RTF_SETSRC) &&
+ !IN6_IS_ADDR_UNSPECIFIED(src_addr))
+ ire->ire_setsrc_addr_v6 = *src_addr;
+
+ nire = ire_add(ire);
+ if (nire == NULL) {
+ /*
+ * In the result of failure, ire_add() will have
+ * already deleted the ire in question, so there
+ * is no need to do that here.
+ */
+ ipif_refrele(ipif);
return (ENOMEM);
}
- error = ire_add(&ire, q, mp, func, B_FALSE);
- if (error == 0)
- goto save_ire;
/*
- * In the result of failure, ire_add() will have already
- * deleted the ire in question, so there is no need to
- * do that here.
+ * Check if it was a duplicate entry. This handles
+ * the case of two racing route adds for the same route
*/
- if (ipif_refheld)
+ if (nire != ire) {
+ ASSERT(nire->ire_identical_ref > 1);
+ ire_delete(nire);
+ ire_refrele(nire);
ipif_refrele(ipif);
- return (error);
+ return (EEXIST);
+ }
+ ire = nire;
+ goto save_ire;
}
}
/*
+ * The routes for multicast with CGTP are quite special in that
+ * the gateway is the local interface address, yet RTF_GATEWAY
+ * is set. We turn off RTF_GATEWAY to provide compatibility with
+ * this undocumented and unusual use of multicast routes.
+ */
+ if ((flags & RTF_MULTIRT) && ipif != NULL)
+ flags &= ~RTF_GATEWAY;
+
+ /*
* Traditionally, interface routes are ones where RTF_GATEWAY isn't set
* and the gateway address provided is one of the system's interface
* addresses. By using the routing socket interface and supplying an
@@ -619,8 +553,8 @@ ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
* logical interfaces
*
* 192.0.2.32 255.255.255.224 192.0.2.33 U if0
- * 192.0.2.32 255.255.255.224 192.0.2.34 U if0:1
- * 192.0.2.32 255.255.255.224 192.0.2.35 U if0:2
+ * 192.0.2.32 255.255.255.224 192.0.2.34 U if0
+ * 192.0.2.32 255.255.255.224 192.0.2.35 U if0
*
* the ipif's corresponding to each of these interface routes can be
* uniquely identified by the "gateway" (actually interface address).
@@ -635,90 +569,68 @@ ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
/* RTF_GATEWAY not set */
if (!(flags & RTF_GATEWAY)) {
- queue_t *stq;
-
if (sp != NULL) {
ip2dbg(("ip_rt_add_v6: gateway security attributes "
"cannot be set with interface route\n"));
- if (ipif_refheld)
+ if (ipif != NULL)
ipif_refrele(ipif);
return (EINVAL);
}
/*
- * As the interface index specified with the RTA_IFP sockaddr is
- * the same for all ipif's off of an ill, the matching logic
- * below uses MATCH_IRE_ILL if such an index was specified.
- * This means that routes sharing the same prefix when added
- * using a RTA_IFP sockaddr must have distinct interface
- * indices (namely, they must be on distinct ill's).
- *
- * On the other hand, since the gateway address will usually be
- * different for each ipif on the system, the matching logic
- * uses MATCH_IRE_IPIF in the case of a traditional interface
- * route. This means that interface routes for the same prefix
- * can be created if they belong to distinct ipif's and if a
- * RTA_IFP sockaddr is not present.
+ * Whether or not ill (RTA_IFP) is set, we require that
+ * the gateway is one of our local addresses.
*/
- if (ipif_arg != NULL) {
- if (ipif_refheld) {
- ipif_refrele(ipif);
- ipif_refheld = B_FALSE;
- }
- ipif = ipif_arg;
- match_flags |= MATCH_IRE_ILL;
- } else {
- /*
- * Check the ipif corresponding to the gw_addr
- */
- if (ipif == NULL)
- return (ENETUNREACH);
- match_flags |= MATCH_IRE_IPIF;
+ if (ipif == NULL)
+ return (ENETUNREACH);
+
+ /*
+ * We use MATCH_IRE_ILL here. If the caller specified an
+ * interface (from the RTA_IFP sockaddr) we use it, otherwise
+ * we use the ill derived from the gateway address.
+ * We can always match the gateway address since we record it
+ * in ire_gateway_addr.
+ * We don't allow RTA_IFP to specify a different ill than the
+ * one matching the ipif to make sure we can delete the route.
+ */
+ match_flags |= MATCH_IRE_GW | MATCH_IRE_ILL;
+ if (ill == NULL) {
+ ill = ipif->ipif_ill;
+ } else if (ill != ipif->ipif_ill) {
+ ipif_refrele(ipif);
+ return (EINVAL);
}
- ASSERT(ipif != NULL);
/*
* We check for an existing entry at this point.
*/
match_flags |= MATCH_IRE_MASK;
- ire = ire_ftable_lookup_v6(dst_addr, mask, 0, IRE_INTERFACE,
- ipif, NULL, ALL_ZONES, 0, NULL, match_flags, ipst);
+ ire = ire_ftable_lookup_v6(dst_addr, mask, gw_addr,
+ IRE_INTERFACE, ill, ALL_ZONES, NULL, match_flags, 0, ipst,
+ NULL);
if (ire != NULL) {
ire_refrele(ire);
- if (ipif_refheld)
- ipif_refrele(ipif);
+ ipif_refrele(ipif);
return (EEXIST);
}
- stq = (ipif->ipif_net_type == IRE_IF_RESOLVER)
- ? ipif->ipif_rq : ipif->ipif_wq;
-
/*
* Create a copy of the IRE_LOOPBACK, IRE_IF_NORESOLVER or
- * IRE_IF_RESOLVER with the modified address and netmask.
+ * IRE_IF_RESOLVER with the modified address, netmask, and
+ * gateway.
*/
ire = ire_create_v6(
dst_addr,
mask,
- &ipif->ipif_v6src_addr,
- NULL,
- &ipif->ipif_mtu,
- NULL,
- NULL,
- stq,
- ipif->ipif_net_type,
- ipif,
- NULL,
- 0,
- 0,
+ gw_addr,
+ ill->ill_net_type,
+ ill,
+ zoneid,
flags,
- &ire_uinfo_null,
- NULL,
NULL,
ipst);
if (ire == NULL) {
- if (ipif_refheld)
- ipif_refrele(ipif);
+ ipif_refrele(ipif);
return (ENOMEM);
}
@@ -731,32 +643,44 @@ ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
* RTF_BLACKHOLE flag as these interface routes, by
* definition, can only be that.
*
- * If the IRE type (as defined by ipif->ipif_net_type) is
+ * If the IRE type (as defined by ill->ill_net_type) is
* IRE_LOOPBACK, then we map the request into a
* IRE_IF_NORESOLVER.
*
* Needless to say, the real IRE_LOOPBACK is NOT created by this
* routine, but rather using ire_create_v6() directly.
*/
- if (ipif->ipif_net_type == IRE_LOOPBACK) {
+ if (ill->ill_net_type == IRE_LOOPBACK) {
ire->ire_type = IRE_IF_NORESOLVER;
ire->ire_flags |= RTF_BLACKHOLE;
}
- error = ire_add(&ire, q, mp, func, B_FALSE);
- if (error == 0)
- goto save_ire;
+ /* src address assigned by the caller? */
+ if ((flags & RTF_SETSRC) && !IN6_IS_ADDR_UNSPECIFIED(src_addr))
+ ire->ire_setsrc_addr_v6 = *src_addr;
+
+ nire = ire_add(ire);
+ if (nire == NULL) {
+ /*
+ * In the result of failure, ire_add() will have
+ * already deleted the ire in question, so there
+ * is no need to do that here.
+ */
+ ipif_refrele(ipif);
+ return (ENOMEM);
+ }
/*
- * In the result of failure, ire_add() will have already
- * deleted the ire in question, so there is no need to
- * do that here.
+ * Check if it was a duplicate entry. This handles
+ * the case of two racing route adds for the same route
*/
- if (ipif_refheld)
+ if (nire != ire) {
+ ASSERT(nire->ire_identical_ref > 1);
+ ire_delete(nire);
+ ire_refrele(nire);
ipif_refrele(ipif);
- return (error);
- }
- if (ipif_refheld) {
- ipif_refrele(ipif);
- ipif_refheld = B_FALSE;
+ return (EEXIST);
+ }
+ ire = nire;
+ goto save_ire;
}
/*
@@ -764,14 +688,23 @@ ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
* If we don't have an IRE_IF_NORESOLVER or IRE_IF_RESOLVER for the
* gateway, it is currently unreachable and we fail the request
* accordingly.
+ * If RTA_IFP was specified we look on that particular ill.
*/
- ipif = ipif_arg;
- if (ipif_arg != NULL)
+ if (ill != NULL)
match_flags |= MATCH_IRE_ILL;
- gw_ire = ire_ftable_lookup_v6(gw_addr, 0, 0, IRE_INTERFACE, ipif_arg,
- NULL, ALL_ZONES, 0, NULL, match_flags, ipst);
- if (gw_ire == NULL)
+
+ /* Check whether the gateway is reachable. */
+ type = IRE_INTERFACE;
+ if (flags & RTF_INDIRECT)
+ type |= IRE_OFFLINK;
+
+ gw_ire = ire_ftable_lookup_v6(gw_addr, 0, 0, type, ill,
+ ALL_ZONES, NULL, match_flags, 0, ipst, NULL);
+ if (gw_ire == NULL) {
+ if (ipif != NULL)
+ ipif_refrele(ipif);
return (ENETUNREACH);
+ }
/*
* We create one of three types of IREs as a result of this request
@@ -789,10 +722,12 @@ ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
type = IRE_PREFIX;
/* check for a duplicate entry */
- ire = ire_ftable_lookup_v6(dst_addr, mask, gw_addr, type, ipif_arg,
- NULL, ALL_ZONES, 0, NULL,
- match_flags | MATCH_IRE_MASK | MATCH_IRE_GW, ipst);
+ ire = ire_ftable_lookup_v6(dst_addr, mask, gw_addr, type, ill,
+ ALL_ZONES, NULL,
+ match_flags | MATCH_IRE_MASK | MATCH_IRE_GW, 0, ipst, NULL);
if (ire != NULL) {
+ if (ipif != NULL)
+ ipif_refrele(ipif);
ire_refrele(gw_ire);
ire_refrele(ire);
return (EEXIST);
@@ -809,6 +744,8 @@ ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
/* we hold reference to it upon success */
gcgrp = gcgrp_lookup(&ga, B_TRUE);
if (gcgrp == NULL) {
+ if (ipif != NULL)
+ ipif_refrele(ipif);
ire_refrele(gw_ire);
return (ENOMEM);
}
@@ -824,6 +761,8 @@ ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
if (gc == NULL) {
/* release reference held by gcgrp_lookup */
GCGRP_REFRELE(gcgrp);
+ if (ipif != NULL)
+ ipif_refrele(ipif);
ire_refrele(gw_ire);
return (ENOMEM);
}
@@ -833,23 +772,12 @@ ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
ire = ire_create_v6(
dst_addr, /* dest address */
mask, /* mask */
- /* src address assigned by the caller? */
- (((flags & RTF_SETSRC) && !IN6_IS_ADDR_UNSPECIFIED(src_addr)) ?
- src_addr : NULL),
gw_addr, /* gateway address */
- &gw_ire->ire_max_frag,
- NULL, /* no src nce */
- NULL, /* no recv-from queue */
- NULL, /* no send-to queue */
(ushort_t)type, /* IRE type */
- ipif_arg,
- NULL,
- 0,
- 0,
+ ill,
+ zoneid,
flags,
- &gw_ire->ire_uinfo, /* Inherit ULP info from gw */
gc, /* security attribute */
- NULL,
ipst);
/*
@@ -862,26 +790,48 @@ ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
if (ire == NULL) {
if (gc != NULL)
GC_REFRELE(gc);
+ if (ipif != NULL)
+ ipif_refrele(ipif);
ire_refrele(gw_ire);
return (ENOMEM);
}
+ /* src address assigned by the caller? */
+ if ((flags & RTF_SETSRC) && !IN6_IS_ADDR_UNSPECIFIED(src_addr))
+ ire->ire_setsrc_addr_v6 = *src_addr;
+
/*
* POLICY: should we allow an RTF_HOST with address INADDR_ANY?
* SUN/OS socket stuff does but do we really want to allow ::0 ?
*/
/* Add the new IRE. */
- error = ire_add(&ire, q, mp, func, B_FALSE);
+ nire = ire_add(ire);
+ if (nire == NULL) {
+ /*
+ * In the result of failure, ire_add() will have
+ * already deleted the ire in question, so there
+ * is no need to do that here.
+ */
+ if (ipif != NULL)
+ ipif_refrele(ipif);
+ ire_refrele(gw_ire);
+ return (ENOMEM);
+ }
/*
- * In the result of failure, ire_add() will have already
- * deleted the ire in question, so there is no need to
- * do that here.
+ * Check if it was a duplicate entry. This handles
+ * the case of two racing route adds for the same route
*/
- if (error != 0) {
+ if (nire != ire) {
+ ASSERT(nire->ire_identical_ref > 1);
+ ire_delete(nire);
+ ire_refrele(nire);
+ if (ipif != NULL)
+ ipif_refrele(ipif);
ire_refrele(gw_ire);
- return (error);
+ return (EEXIST);
}
+ ire = nire;
if (flags & RTF_MULTIRT) {
/*
@@ -896,70 +846,51 @@ ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
if (ipst->ips_ip_cgtp_filter_ops != NULL &&
!IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6))) {
int res;
-
- res = ipst->ips_ip_cgtp_filter_ops->cfo_add_dest_v6(
- ipst->ips_netstack->netstack_stackid,
- &ire->ire_addr_v6,
- &ire->ire_gateway_addr_v6,
- &ire->ire_src_addr_v6,
- &gw_ire->ire_src_addr_v6);
+ ipif_t *src_ipif;
+
+ /* Find the source address corresponding to gw_ire */
+ src_ipif = ipif_lookup_addr_v6(
+ &gw_ire->ire_gateway_addr_v6, NULL, zoneid, ipst);
+ if (src_ipif != NULL) {
+ res = ipst->ips_ip_cgtp_filter_ops->
+ cfo_add_dest_v6(
+ ipst->ips_netstack->netstack_stackid,
+ &ire->ire_addr_v6,
+ &ire->ire_gateway_addr_v6,
+ &ire->ire_setsrc_addr_v6,
+ &src_ipif->ipif_v6lcl_addr);
+ ipif_refrele(src_ipif);
+ } else {
+ res = EADDRNOTAVAIL;
+ }
if (res != 0) {
+ if (ipif != NULL)
+ ipif_refrele(ipif);
ire_refrele(gw_ire);
ire_delete(ire);
+ ire_refrele(ire); /* Held in ire_add */
return (res);
}
}
}
- /*
- * Now that the prefix IRE entry has been created, delete any
- * existing gateway IRE cache entries as well as any IRE caches
- * using the gateway, and force them to be created through
- * ip_newroute_v6.
- */
- if (gc != NULL) {
- ASSERT(gcgrp != NULL);
- ire_clookup_delete_cache_gw_v6(gw_addr, ALL_ZONES, ipst);
- }
-
save_ire:
if (gw_ire != NULL) {
ire_refrele(gw_ire);
+ gw_ire = NULL;
}
- if (ipif != NULL) {
- mblk_t *save_mp;
-
+ if (ire->ire_ill != NULL) {
/*
* Save enough information so that we can recreate the IRE if
- * the interface goes down and then up. The metrics associated
+ * the ILL goes down and then up. The metrics associated
* with the route will be saved as well when rts_setmetrics() is
* called after the IRE has been created. In the case where
* memory cannot be allocated, none of this information will be
* saved.
*/
- save_mp = allocb(sizeof (ifrt_t), BPRI_MED);
- if (save_mp != NULL) {
- ifrt_t *ifrt;
-
- save_mp->b_wptr += sizeof (ifrt_t);
- ifrt = (ifrt_t *)save_mp->b_rptr;
- bzero(ifrt, sizeof (ifrt_t));
- ifrt->ifrt_type = ire->ire_type;
- ifrt->ifrt_v6addr = ire->ire_addr_v6;
- mutex_enter(&ire->ire_lock);
- ifrt->ifrt_v6gateway_addr = ire->ire_gateway_addr_v6;
- ifrt->ifrt_v6src_addr = ire->ire_src_addr_v6;
- mutex_exit(&ire->ire_lock);
- ifrt->ifrt_v6mask = ire->ire_mask_v6;
- ifrt->ifrt_flags = ire->ire_flags;
- ifrt->ifrt_max_frag = ire->ire_max_frag;
- mutex_enter(&ipif->ipif_saved_ire_lock);
- save_mp->b_cont = ipif->ipif_saved_ire_mp;
- ipif->ipif_saved_ire_mp = save_mp;
- ipif->ipif_saved_ire_cnt++;
- mutex_exit(&ipif->ipif_saved_ire_lock);
- }
+ ill_save_ire(ire->ire_ill, ire);
}
+
if (ire_arg != NULL) {
/*
* Store the ire that was successfully added into where ire_arg
@@ -971,28 +902,27 @@ save_ire:
} else {
ire_refrele(ire); /* Held in ire_add */
}
- if (ipif_refheld)
+ if (ipif != NULL)
ipif_refrele(ipif);
return (0);
}
/*
* ip_rt_delete_v6 is called to delete an IPv6 route.
- * ipif_arg is passed in to associate it with the correct interface
+ * ill is passed in to associate it with the correct interface.
* (for link-local destinations and gateways).
*/
/* ARGSUSED4 */
int
ip_rt_delete_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
- const in6_addr_t *gw_addr, uint_t rtm_addrs, int flags, ipif_t *ipif_arg,
- queue_t *q, mblk_t *mp, ipsq_func_t func, ip_stack_t *ipst)
+ const in6_addr_t *gw_addr, uint_t rtm_addrs, int flags, ill_t *ill,
+ ip_stack_t *ipst, zoneid_t zoneid)
{
ire_t *ire = NULL;
ipif_t *ipif;
uint_t type;
uint_t match_flags = MATCH_IRE_TYPE;
int err = 0;
- boolean_t ipif_refheld = B_FALSE;
/*
* If this is the case of RTF_HOST being set, then we set the netmask
@@ -1012,49 +942,49 @@ ip_rt_delete_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
*
* This makes it possible to delete an original
* IRE_IF_NORESOLVER/IRE_IF_RESOLVER - consistent with SunOS 4.1.
+ * However, we have RTF_KERNEL set on the ones created by ipif_up
+ * and those can not be deleted here.
*
- * As the interface index specified with the RTA_IFP sockaddr is the
- * same for all ipif's off of an ill, the matching logic below uses
- * MATCH_IRE_ILL if such an index was specified. This means a route
- * sharing the same prefix and interface index as the the route
- * intended to be deleted might be deleted instead if a RTA_IFP sockaddr
- * is specified in the request.
- *
- * On the other hand, since the gateway address will usually be
- * different for each ipif on the system, the matching logic
- * uses MATCH_IRE_IPIF in the case of a traditional interface
- * route. This means that interface routes for the same prefix can be
- * uniquely identified if they belong to distinct ipif's and if a
- * RTA_IFP sockaddr is not present.
+ * We use MATCH_IRE_ILL if we know the interface. If the caller
+ * specified an interface (from the RTA_IFP sockaddr) we use it,
+ * otherwise we use the ill derived from the gateway address.
+ * We can always match the gateway address since we record it
+ * in ire_gateway_addr.
*
* For more detail on specifying routes by gateway address and by
* interface index, see the comments in ip_rt_add_v6().
*/
- ipif = ipif_lookup_interface_v6(gw_addr, dst_addr, q, mp, func, &err,
- ipst);
+ ipif = ipif_lookup_interface_v6(gw_addr, dst_addr, ipst);
if (ipif != NULL) {
- ipif_refheld = B_TRUE;
- if (ipif_arg != NULL) {
- ipif_refrele(ipif);
- ipif_refheld = B_FALSE;
- ipif = ipif_arg;
- match_flags |= MATCH_IRE_ILL;
- } else {
- match_flags |= MATCH_IRE_IPIF;
+ ill_t *ill_match;
+
+ if (ill != NULL)
+ ill_match = ill;
+ else
+ ill_match = ipif->ipif_ill;
+
+ match_flags |= MATCH_IRE_ILL;
+ if (ipif->ipif_ire_type == IRE_LOOPBACK) {
+ ire = ire_ftable_lookup_v6(dst_addr, 0, 0, IRE_LOOPBACK,
+ ill_match, ALL_ZONES, NULL, match_flags, 0, ipst,
+ NULL);
+ }
+ if (ire == NULL) {
+ match_flags |= MATCH_IRE_GW;
+ ire = ire_ftable_lookup_v6(dst_addr, mask, gw_addr,
+ IRE_INTERFACE, ill_match, ALL_ZONES, NULL,
+ match_flags, 0, ipst, NULL);
+ }
+ /* Avoid deleting routes created by kernel from an ipif */
+ if (ire != NULL && (ire->ire_flags & RTF_KERNEL)) {
+ ire_refrele(ire);
+ ire = NULL;
}
- if (ipif->ipif_ire_type == IRE_LOOPBACK)
- ire = ire_ctable_lookup_v6(dst_addr, 0, IRE_LOOPBACK,
- ipif, ALL_ZONES, NULL, match_flags, ipst);
- if (ire == NULL)
- ire = ire_ftable_lookup_v6(dst_addr, mask, 0,
- IRE_INTERFACE, ipif, NULL, ALL_ZONES, 0, NULL,
- match_flags, ipst);
- } else if (err == EINPROGRESS) {
- return (err);
- } else {
- err = 0;
+ /* Restore in case we didn't find a match */
+ match_flags &= ~(MATCH_IRE_GW|MATCH_IRE_ILL);
}
+
if (ire == NULL) {
/*
* At this point, the gateway address is not one of our own
@@ -1062,15 +992,11 @@ ip_rt_delete_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
* set the IRE type to lookup based on whether
* this is a host route, a default route or just a prefix.
*
- * If an ipif_arg was passed in, then the lookup is based on an
+ * If an ill was passed in, then the lookup is based on an
* interface index so MATCH_IRE_ILL is added to match_flags.
- * In any case, MATCH_IRE_IPIF is cleared and MATCH_IRE_GW is
- * set as the route being looked up is not a traditional
- * interface route.
*/
- match_flags &= ~MATCH_IRE_IPIF;
match_flags |= MATCH_IRE_GW;
- if (ipif_arg != NULL)
+ if (ill != NULL)
match_flags |= MATCH_IRE_ILL;
if (IN6_ARE_ADDR_EQUAL(mask, &ipv6_all_ones))
type = IRE_HOST;
@@ -1079,12 +1005,12 @@ ip_rt_delete_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
else
type = IRE_PREFIX;
ire = ire_ftable_lookup_v6(dst_addr, mask, gw_addr, type,
- ipif_arg, NULL, ALL_ZONES, 0, NULL, match_flags, ipst);
+ ill, ALL_ZONES, NULL, match_flags, 0, ipst, NULL);
}
- if (ipif_refheld) {
+ if (ipif != NULL) {
ipif_refrele(ipif);
- ipif_refheld = B_FALSE;
+ ipif = NULL;
}
if (ire == NULL)
return (ESRCH);
@@ -1103,42 +1029,9 @@ ip_rt_delete_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
}
}
- ipif = ire->ire_ipif;
- if (ipif != NULL) {
- mblk_t **mpp;
- mblk_t *mp;
- ifrt_t *ifrt;
- in6_addr_t gw_addr_v6;
-
- /* Remove from ipif_saved_ire_mp list if it is there */
- mutex_enter(&ire->ire_lock);
- gw_addr_v6 = ire->ire_gateway_addr_v6;
- mutex_exit(&ire->ire_lock);
- mutex_enter(&ipif->ipif_saved_ire_lock);
- for (mpp = &ipif->ipif_saved_ire_mp; *mpp != NULL;
- mpp = &(*mpp)->b_cont) {
- /*
- * On a given ipif, the triple of address, gateway and
- * mask is unique for each saved IRE (in the case of
- * ordinary interface routes, the gateway address is
- * all-zeroes).
- */
- mp = *mpp;
- ifrt = (ifrt_t *)mp->b_rptr;
- if (IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6addr,
- &ire->ire_addr_v6) &&
- IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6gateway_addr,
- &gw_addr_v6) &&
- IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6mask,
- &ire->ire_mask_v6)) {
- *mpp = mp->b_cont;
- ipif->ipif_saved_ire_cnt--;
- freeb(mp);
- break;
- }
- }
- mutex_exit(&ipif->ipif_saved_ire_lock);
- }
+ ill = ire->ire_ill;
+ if (ill != NULL)
+ ill_remove_saved_ire(ill, ire);
ire_delete(ire);
ire_refrele(ire);
return (err);
@@ -1197,7 +1090,6 @@ ipif_set6to4addr(ipif_t *ipif)
(void) ip_plen_to_mask_v6(16, &ipif->ipif_v6net_mask);
bcopy(ill->ill_phys_addr, &v4phys, sizeof (struct in_addr));
IN6_V4ADDR_TO_6TO4(&v4phys, &ipif->ipif_v6lcl_addr);
- ipif->ipif_v6src_addr = ipif->ipif_v6lcl_addr;
V6_MASK_COPY(ipif->ipif_v6lcl_addr, ipif->ipif_v6net_mask,
ipif->ipif_v6subnet);
}
@@ -1260,11 +1152,6 @@ ipif_setlinklocal(ipif_t *ipif)
ipif->ipif_v6subnet);
}
- if (ipif->ipif_flags & IPIF_NOLOCAL) {
- ipif->ipif_v6src_addr = ipv6_all_zeros;
- } else {
- ipif->ipif_v6src_addr = ipif->ipif_v6lcl_addr;
- }
}
/*
@@ -1280,123 +1167,15 @@ ipif_setdestlinklocal(ipif_t *ipif)
ASSERT(IAM_WRITER_ILL(ill));
if (IN6_IS_ADDR_UNSPECIFIED(&ill->ill_dest_token))
return;
+ /* Skip if we've already set the pp_dst_addr */
+ if (!IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6pp_dst_addr))
+ return;
+
ipif_get_linklocal(&ipif->ipif_v6pp_dst_addr, &ill->ill_dest_token);
ipif->ipif_v6subnet = ipif->ipif_v6pp_dst_addr;
}
/*
- * This function sets up the multicast mappings in NDP.
- * Unlike ARP, there are no mapping_mps here. We delete the
- * mapping nces and add a new one.
- *
- * Returns non-zero on error and 0 on success.
- */
-int
-ipif_ndp_setup_multicast(ipif_t *ipif, nce_t **ret_nce)
-{
- ill_t *ill = ipif->ipif_ill;
- in6_addr_t v6_mcast_addr = {(uint32_t)V6_MCAST, 0, 0, 0};
- in6_addr_t v6_mcast_mask = {(uint32_t)V6_MCAST, 0, 0, 0};
- in6_addr_t v6_extract_mask;
- uchar_t *phys_addr, *bphys_addr, *alloc_phys;
- nce_t *mnce = NULL;
- int err = 0;
- phyint_t *phyi = ill->ill_phyint;
- uint32_t hw_extract_start;
- dl_unitdata_req_t *dlur;
- ip_stack_t *ipst = ill->ill_ipst;
-
- if (ret_nce != NULL)
- *ret_nce = NULL;
-
- if (ipif->ipif_flags & IPIF_POINTOPOINT)
- return (0);
-
- /*
- * IPMP meta-interfaces don't have any inherent multicast mappings,
- * and instead use the ones on the underlying interfaces.
- */
- if (IS_IPMP(ill))
- return (0);
-
- /*
- * Delete the mapping nce. Normally these should not exist
- * as a previous ipif_down -> ipif_ndp_down should have deleted
- * all the nces. But they can exist if ip_rput_dlpi_writer
- * calls this when PHYI_MULTI_BCAST is set. Mappings are always
- * tied to the underlying ill, so don't match across the illgrp.
- */
- mnce = ndp_lookup_v6(ill, B_FALSE, &v6_mcast_addr, B_FALSE);
- if (mnce != NULL) {
- ndp_delete(mnce);
- NCE_REFRELE(mnce);
- mnce = NULL;
- }
-
- /*
- * Get media specific v6 mapping information. Note that
- * nd_lla_len can be 0 for tunnels.
- */
- alloc_phys = kmem_alloc(ill->ill_nd_lla_len, KM_NOSLEEP);
- if ((alloc_phys == NULL) && (ill->ill_nd_lla_len != 0))
- return (ENOMEM);
- /*
- * Determine the broadcast address.
- */
- dlur = (dl_unitdata_req_t *)ill->ill_bcast_mp->b_rptr;
- if (ill->ill_sap_length < 0)
- bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset;
- else
- bphys_addr = (uchar_t *)dlur +
- dlur->dl_dest_addr_offset + ill->ill_sap_length;
-
- /*
- * Check PHYI_MULTI_BCAST and possible length of physical
- * address to determine if we use the mapping or the
- * broadcast address.
- */
- if ((phyi->phyint_flags & PHYI_MULTI_BCAST) ||
- (!MEDIA_V6MINFO(ill->ill_media, ill->ill_nd_lla_len,
- bphys_addr, alloc_phys, &hw_extract_start,
- &v6_extract_mask))) {
- if (ill->ill_phys_addr_length > IP_MAX_HW_LEN) {
- kmem_free(alloc_phys, ill->ill_nd_lla_len);
- return (E2BIG);
- }
- /* Use the link-layer broadcast address for MULTI_BCAST */
- phys_addr = bphys_addr;
- bzero(&v6_extract_mask, sizeof (v6_extract_mask));
- hw_extract_start = ill->ill_nd_lla_len;
- } else {
- phys_addr = alloc_phys;
- }
- if ((ipif->ipif_flags & IPIF_BROADCAST) ||
- (ill->ill_flags & ILLF_MULTICAST) ||
- (phyi->phyint_flags & PHYI_MULTI_BCAST)) {
- mutex_enter(&ipst->ips_ndp6->ndp_g_lock);
- err = ndp_add_v6(ill,
- phys_addr,
- &v6_mcast_addr, /* v6 address */
- &v6_mcast_mask, /* v6 mask */
- &v6_extract_mask,
- hw_extract_start,
- NCE_F_MAPPING | NCE_F_PERMANENT | NCE_F_NONUD,
- ND_REACHABLE,
- &mnce);
- mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
- if (err == 0) {
- if (ret_nce != NULL) {
- *ret_nce = mnce;
- } else {
- NCE_REFRELE(mnce);
- }
- }
- }
- kmem_free(alloc_phys, ill->ill_nd_lla_len);
- return (err);
-}
-
-/*
* Get the resolver set up for a new ipif. (Always called as writer.)
*/
int
@@ -1405,50 +1184,28 @@ ipif_ndp_up(ipif_t *ipif, boolean_t initial)
ill_t *ill = ipif->ipif_ill;
int err = 0;
nce_t *nce = NULL;
- nce_t *mnce = NULL;
boolean_t added_ipif = B_FALSE;
- ASSERT(IAM_WRITER_ILL(ill));
+ DTRACE_PROBE3(ipif__downup, char *, "ipif_ndp_up",
+ ill_t *, ill, ipif_t *, ipif);
ip1dbg(("ipif_ndp_up(%s:%u)\n", ill->ill_name, ipif->ipif_id));
- /*
- * ND not supported on XRESOLV interfaces. If ND support (multicast)
- * added later, take out this check.
- */
- if ((ill->ill_flags & ILLF_XRESOLV) ||
- IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) ||
+ if (IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) ||
(!(ill->ill_net_type & IRE_INTERFACE))) {
ipif->ipif_addr_ready = 1;
return (0);
}
- /*
- * Need to setup multicast mapping only when the first
- * interface is coming UP.
- */
- if (ill->ill_ipif_up_count == 0 &&
- (ill->ill_flags & ILLF_MULTICAST)) {
- /*
- * We set the multicast before setting up the mapping for
- * local address because ipif_ndp_setup_multicast does
- * ndp_walk to delete nces which will delete the mapping
- * for local address also if we added the mapping for
- * local address first.
- */
- err = ipif_ndp_setup_multicast(ipif, &mnce);
- if (err != 0)
- return (err);
- }
-
if ((ipif->ipif_flags & (IPIF_UNNUMBERED|IPIF_NOLOCAL)) == 0) {
uint16_t flags;
uint16_t state;
- uchar_t *hw_addr = NULL;
+ uchar_t *hw_addr;
ill_t *bound_ill;
ipmp_illgrp_t *illg = ill->ill_grp;
+ uint_t hw_addr_len;
- /* Permanent entries don't need NUD */
- flags = NCE_F_PERMANENT | NCE_F_NONUD;
+ flags = NCE_F_MYADDR | NCE_F_NONUD | NCE_F_PUBLISH |
+ NCE_F_AUTHORITY;
if (ill->ill_flags & ILLF_ROUTER)
flags |= NCE_F_ISROUTER;
@@ -1483,10 +1240,16 @@ ipif_ndp_up(ipif_t *ipif, boolean_t initial)
added_ipif = B_TRUE;
}
hw_addr = bound_ill->ill_nd_lla;
+ hw_addr_len = bound_ill->ill_phys_addr_length;
} else {
bound_ill = ill;
- if (ill->ill_net_type == IRE_IF_RESOLVER)
+ if (ill->ill_net_type == IRE_IF_RESOLVER) {
hw_addr = ill->ill_nd_lla;
+ hw_addr_len = ill->ill_phys_addr_length;
+ } else {
+ hw_addr = NULL;
+ hw_addr_len = 0;
+ }
}
/*
@@ -1496,28 +1259,16 @@ ipif_ndp_up(ipif_t *ipif, boolean_t initial)
* unsolicited advertisements to inform others.
*/
if (initial || !ipif->ipif_addr_ready) {
+ /* Causes Duplicate Address Detection to run */
state = ND_PROBE;
} else {
state = ND_REACHABLE;
flags |= NCE_F_UNSOL_ADV;
}
+
retry:
- /*
- * Create an nce for the local address. We pass a match_illgrp
- * of B_TRUE because the local address must be unique across
- * the illgrp, and the existence of an nce with nce_ill set
- * to any ill in the group is indicative of a duplicate address
- */
- err = ndp_lookup_then_add_v6(bound_ill,
- B_TRUE,
- hw_addr,
- &ipif->ipif_v6lcl_addr,
- &ipv6_all_ones,
- &ipv6_all_zeros,
- 0,
- flags,
- state,
- &nce);
+ err = nce_lookup_then_add_v6(ill, hw_addr, hw_addr_len,
+ &ipif->ipif_v6lcl_addr, flags, state, &nce);
switch (err) {
case 0:
ip1dbg(("ipif_ndp_up: NCE created for %s\n",
@@ -1535,14 +1286,21 @@ retry:
case EEXIST:
ip1dbg(("ipif_ndp_up: NCE already exists for %s\n",
ill->ill_name));
- if (!(nce->nce_flags & NCE_F_PERMANENT)) {
- ndp_delete(nce);
- NCE_REFRELE(nce);
+ if (!NCE_MYADDR(nce->nce_common)) {
+ /*
+ * A leftover nce from before this address
+ * existed
+ */
+ ncec_delete(nce->nce_common);
+ nce_refrele(nce);
nce = NULL;
goto retry;
}
if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0) {
- NCE_REFRELE(nce);
+ nce_refrele(nce);
+ nce = NULL;
+ ip1dbg(("ipif_ndp_up: NCE already exists "
+ "for %s\n", ill->ill_name));
goto fail;
}
/*
@@ -1557,6 +1315,7 @@ retry:
ipif->ipif_addr_ready = 1;
ipif->ipif_added_nce = 1;
nce->nce_ipif_cnt++;
+ err = 0;
break;
default:
ip1dbg(("ipif_ndp_up: NCE creation failed for %s\n",
@@ -1568,15 +1327,9 @@ retry:
ipif->ipif_addr_ready = 1;
}
if (nce != NULL)
- NCE_REFRELE(nce);
- if (mnce != NULL)
- NCE_REFRELE(mnce);
+ nce_refrele(nce);
return (0);
fail:
- if (mnce != NULL) {
- ndp_delete(mnce);
- NCE_REFRELE(mnce);
- }
if (added_ipif)
ipmp_illgrp_del_ipif(ill->ill_grp, ipif);
@@ -1587,181 +1340,7 @@ fail:
void
ipif_ndp_down(ipif_t *ipif)
{
- nce_t *nce;
- ill_t *ill = ipif->ipif_ill;
-
- ASSERT(IAM_WRITER_ILL(ill));
-
- if (ipif->ipif_isv6) {
- if (ipif->ipif_added_nce) {
- /*
- * For IPMP, `ill' can be the IPMP ill but the NCE will
- * always be tied to an underlying IP interface, so we
- * match across the illgrp. This is safe since we
- * ensure uniqueness across the group in ipif_ndp_up().
- */
- nce = ndp_lookup_v6(ill, B_TRUE, &ipif->ipif_v6lcl_addr,
- B_FALSE);
- if (nce != NULL) {
- if (--nce->nce_ipif_cnt == 0)
- ndp_delete(nce); /* last ipif for nce */
- NCE_REFRELE(nce);
- }
- ipif->ipif_added_nce = 0;
- }
-
- /*
- * Make IPMP aware of the deleted data address.
- */
- if (IS_IPMP(ill))
- ipmp_illgrp_del_ipif(ill->ill_grp, ipif);
- }
-
- /*
- * Remove mapping and all other nces dependent on this ill
- * when the last ipif is going away.
- */
- if (ill->ill_ipif_up_count == 0)
- ndp_walk(ill, (pfi_t)ndp_delete_per_ill, ill, ill->ill_ipst);
-}
-
-/*
- * Used when an interface comes up to recreate any extra routes on this
- * interface.
- */
-static ire_t **
-ipif_recover_ire_v6(ipif_t *ipif)
-{
- mblk_t *mp;
- ire_t **ipif_saved_irep;
- ire_t **irep;
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
-
- ip1dbg(("ipif_recover_ire_v6(%s:%u)", ipif->ipif_ill->ill_name,
- ipif->ipif_id));
-
- ASSERT(ipif->ipif_isv6);
-
- mutex_enter(&ipif->ipif_saved_ire_lock);
- ipif_saved_irep = (ire_t **)kmem_zalloc(sizeof (ire_t *) *
- ipif->ipif_saved_ire_cnt, KM_NOSLEEP);
- if (ipif_saved_irep == NULL) {
- mutex_exit(&ipif->ipif_saved_ire_lock);
- return (NULL);
- }
-
- irep = ipif_saved_irep;
-
- for (mp = ipif->ipif_saved_ire_mp; mp != NULL; mp = mp->b_cont) {
- ire_t *ire;
- queue_t *rfq;
- queue_t *stq;
- ifrt_t *ifrt;
- in6_addr_t *src_addr;
- in6_addr_t *gateway_addr;
- char buf[INET6_ADDRSTRLEN];
- ushort_t type;
-
- /*
- * When the ire was initially created and then added in
- * ip_rt_add_v6(), it was created either using
- * ipif->ipif_net_type in the case of a traditional interface
- * route, or as one of the IRE_OFFSUBNET types (with the
- * exception of IRE_HOST type redirect ire which is created by
- * icmp_redirect_v6() and which we don't need to save or
- * recover). In the case where ipif->ipif_net_type was
- * IRE_LOOPBACK, ip_rt_add_v6() will update the ire_type to
- * IRE_IF_NORESOLVER before calling ire_add_v6() to satisfy
- * software like GateD and Sun Cluster which creates routes
- * using the the loopback interface's address as a gateway.
- *
- * As ifrt->ifrt_type reflects the already updated ire_type,
- * ire_create_v6() will be called in the same way here as in
- * ip_rt_add_v6(), namely using ipif->ipif_net_type when the
- * route looks like a traditional interface route (where
- * ifrt->ifrt_type & IRE_INTERFACE is true) and otherwise
- * using the saved ifrt->ifrt_type. This means that in
- * the case where ipif->ipif_net_type is IRE_LOOPBACK,
- * the ire created by ire_create_v6() will be an IRE_LOOPBACK,
- * it will then be turned into an IRE_IF_NORESOLVER and then
- * added by ire_add_v6().
- */
- ifrt = (ifrt_t *)mp->b_rptr;
- if (ifrt->ifrt_type & IRE_INTERFACE) {
- rfq = NULL;
- stq = (ipif->ipif_net_type == IRE_IF_RESOLVER)
- ? ipif->ipif_rq : ipif->ipif_wq;
- src_addr = (ifrt->ifrt_flags & RTF_SETSRC)
- ? &ifrt->ifrt_v6src_addr
- : &ipif->ipif_v6src_addr;
- gateway_addr = NULL;
- type = ipif->ipif_net_type;
- } else {
- rfq = NULL;
- stq = NULL;
- src_addr = (ifrt->ifrt_flags & RTF_SETSRC)
- ? &ifrt->ifrt_v6src_addr : NULL;
- gateway_addr = &ifrt->ifrt_v6gateway_addr;
- type = ifrt->ifrt_type;
- }
-
- /*
- * Create a copy of the IRE with the saved address and netmask.
- */
- ip1dbg(("ipif_recover_ire_v6: creating IRE %s (%d) for %s/%d\n",
- ip_nv_lookup(ire_nv_tbl, ifrt->ifrt_type), ifrt->ifrt_type,
- inet_ntop(AF_INET6, &ifrt->ifrt_v6addr, buf, sizeof (buf)),
- ip_mask_to_plen_v6(&ifrt->ifrt_v6mask)));
- ire = ire_create_v6(
- &ifrt->ifrt_v6addr,
- &ifrt->ifrt_v6mask,
- src_addr,
- gateway_addr,
- &ifrt->ifrt_max_frag,
- NULL,
- rfq,
- stq,
- type,
- ipif,
- NULL,
- 0,
- 0,
- ifrt->ifrt_flags,
- &ifrt->ifrt_iulp_info,
- NULL,
- NULL,
- ipst);
- if (ire == NULL) {
- mutex_exit(&ipif->ipif_saved_ire_lock);
- kmem_free(ipif_saved_irep,
- ipif->ipif_saved_ire_cnt * sizeof (ire_t *));
- return (NULL);
- }
-
- /*
- * Some software (for example, GateD and Sun Cluster) attempts
- * to create (what amount to) IRE_PREFIX routes with the
- * loopback address as the gateway. This is primarily done to
- * set up prefixes with the RTF_REJECT flag set (for example,
- * when generating aggregate routes.)
- *
- * If the IRE type (as defined by ipif->ipif_net_type) is
- * IRE_LOOPBACK, then we map the request into a
- * IRE_IF_NORESOLVER.
- */
- if (ipif->ipif_net_type == IRE_LOOPBACK)
- ire->ire_type = IRE_IF_NORESOLVER;
- /*
- * ire held by ire_add, will be refreled' in ipif_up_done
- * towards the end
- */
- (void) ire_add(&ire, NULL, NULL, NULL, B_FALSE);
- *irep = ire;
- irep++;
- ip1dbg(("ipif_recover_ire_v6: added ire %p\n", (void *)ire));
- }
- mutex_exit(&ipif->ipif_saved_ire_lock);
- return (ipif_saved_irep);
+ ipif_nce_down(ipif);
}
/*
@@ -1826,8 +1405,7 @@ ip_common_prefix_v6(const in6_addr_t *a1, const in6_addr_t *a2)
#define IPIF_VALID_IPV6_SOURCE(ipif) \
(((ipif)->ipif_flags & IPIF_UP) && \
- !((ipif)->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST)) && \
- (ipif)->ipif_addr_ready)
+ !((ipif)->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST)))
/* source address candidate */
typedef struct candidate {
@@ -2195,13 +1773,6 @@ rule_addr_type(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo,
static rule_res_t
rule_prefix(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo, ip_stack_t *ipst)
{
- /*
- * For IPMP, we always want to choose a random source address from
- * among any equally usable addresses, so always report a tie.
- */
- if (IS_IPMP(dstinfo->dst_ill))
- return (CAND_TIE);
-
if (!bc->cand_common_pref_set) {
bc->cand_common_pref = ip_common_prefix_v6(&bc->cand_srcaddr,
dstinfo->dst_addr);
@@ -2252,14 +1823,15 @@ rule_must_be_last(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo,
*
* src_prefs is the caller's set of source address preferences. If source
* address selection is being called to determine the source address of a
- * connected socket (from ip_bind_connected_v6()), then the preferences are
- * taken from conn_src_preferences. These preferences can be set on a
+ * connected socket (from ip_set_destination_v6()), then the preferences are
+ * taken from conn_ixa->ixa_src_preferences. These preferences can be set on a
* per-socket basis using the IPV6_SRC_PREFERENCES socket option. The only
* preference currently implemented is for rfc3041 temporary addresses.
*/
ipif_t *
ipif_select_source_v6(ill_t *dstill, const in6_addr_t *dst,
- boolean_t restrict_ill, uint32_t src_prefs, zoneid_t zoneid)
+ boolean_t restrict_ill, uint32_t src_prefs, zoneid_t zoneid,
+ boolean_t allow_usesrc, boolean_t *notreadyp)
{
dstinfo_t dstinfo;
char dstr[INET6_ADDRSTRLEN];
@@ -2306,10 +1878,10 @@ ipif_select_source_v6(ill_t *dstill, const in6_addr_t *dst,
* usesrc ifindex. This has higher precedence since it is
* finer grained (i.e per interface) v/s being system wide.
*/
- if (dstill->ill_usesrc_ifindex != 0) {
+ if (dstill->ill_usesrc_ifindex != 0 && allow_usesrc) {
if ((usesrc_ill =
ill_lookup_on_ifindex(dstill->ill_usesrc_ifindex, B_TRUE,
- NULL, NULL, NULL, NULL, ipst)) != NULL) {
+ ipst)) != NULL) {
dstinfo.dst_ill = usesrc_ill;
} else {
return (NULL);
@@ -2412,6 +1984,12 @@ ipif_select_source_v6(ill_t *dstill, const in6_addr_t *dst,
if (!IPIF_VALID_IPV6_SOURCE(ipif))
continue;
+ if (!ipif->ipif_addr_ready) {
+ if (notreadyp != NULL)
+ *notreadyp = B_TRUE;
+ continue;
+ }
+
if (zoneid != ALL_ZONES &&
ipif->ipif_zoneid != zoneid &&
ipif->ipif_zoneid != ALL_ZONES)
@@ -2505,7 +2083,7 @@ ipif_select_source_v6(ill_t *dstill, const in6_addr_t *dst,
if (IS_IPMP(ill) && ipif != NULL) {
mutex_enter(&ipif->ipif_ill->ill_lock);
next_ipif = ipif->ipif_next;
- if (next_ipif != NULL && IPIF_CAN_LOOKUP(next_ipif))
+ if (next_ipif != NULL && !IPIF_IS_CONDEMNED(next_ipif))
ill->ill_src_ipif = next_ipif;
else
ill->ill_src_ipif = NULL;
@@ -2541,7 +2119,7 @@ ipif_select_source_v6(ill_t *dstill, const in6_addr_t *dst,
}
mutex_enter(&ipif->ipif_ill->ill_lock);
- if (IPIF_CAN_LOOKUP(ipif)) {
+ if (!IPIF_IS_CONDEMNED(ipif)) {
ipif_refhold_locked(ipif);
mutex_exit(&ipif->ipif_ill->ill_lock);
rw_exit(&ipst->ips_ill_g_lock);
@@ -2556,187 +2134,72 @@ ipif_select_source_v6(ill_t *dstill, const in6_addr_t *dst,
}
/*
- * If old_ipif is not NULL, see if ipif was derived from old
- * ipif and if so, recreate the interface route by re-doing
- * source address selection. This happens when ipif_down ->
- * ipif_update_other_ipifs calls us.
+ * Pick a source address based on the destination ill and an optional setsrc
+ * address.
+ * The result is stored in srcp. If generation is set, then put the source
+ * generation number there before we look for the source address (to avoid
+ * missing changes in the set of source addresses.
+ * If flagsp is set, then us it to pass back ipif_flags.
+ *
+ * If the caller wants to cache the returned source address and detect when
+ * that might be stale, the caller should pass in a generation argument,
+ * which the caller can later compare against ips_src_generation
+ *
+ * The precedence order for selecting an IPv6 source address is:
+ * - RTF_SETSRC on the first ire in the recursive lookup always wins.
+ * - If usrsrc is set, swap the ill to be the usesrc one.
+ * - If IPMP is used on the ill, select a random address from the most
+ * preferred ones below:
+ * That is followed by the long list of IPv6 source address selection rules
+ * starting with rule_isdst(), rule_scope(), etc.
*
- * If old_ipif is NULL, just redo the source address selection
- * if needed. This happens when ipif_up_done_v6 calls us.
+ * We have lower preference for ALL_ZONES IP addresses,
+ * as they pose problems with unlabeled destinations.
+ *
+ * Note that when multiple IP addresses match e.g., with rule_scope() we pick
+ * the first one if IPMP is not in use. With IPMP we randomize.
*/
-void
-ipif_recreate_interface_routes_v6(ipif_t *old_ipif, ipif_t *ipif)
+int
+ip_select_source_v6(ill_t *ill, const in6_addr_t *setsrc, const in6_addr_t *dst,
+ zoneid_t zoneid, ip_stack_t *ipst, uint_t restrict_ill, uint32_t src_prefs,
+ in6_addr_t *srcp, uint32_t *generation, uint64_t *flagsp)
{
- ire_t *ire;
- ire_t *ipif_ire;
- queue_t *stq;
- ill_t *ill;
- ipif_t *nipif = NULL;
- boolean_t nipif_refheld = B_FALSE;
- boolean_t ip6_asp_table_held = B_FALSE;
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
-
- ill = ipif->ipif_ill;
-
- if (!(ipif->ipif_flags &
- (IPIF_NOLOCAL|IPIF_ANYCAST|IPIF_DEPRECATED))) {
- /*
- * Can't possibly have borrowed the source
- * from old_ipif.
- */
- return;
- }
+ ipif_t *ipif;
+ boolean_t notready = B_FALSE; /* Set if !ipif_addr_ready found */
- /*
- * Is there any work to be done? No work if the address
- * is INADDR_ANY, loopback or NOLOCAL or ANYCAST (
- * ipif_select_source_v6() does not borrow addresses from
- * NOLOCAL and ANYCAST interfaces).
- */
- if ((old_ipif != NULL) &&
- ((IN6_IS_ADDR_UNSPECIFIED(&old_ipif->ipif_v6lcl_addr)) ||
- (old_ipif->ipif_ill->ill_wq == NULL) ||
- (old_ipif->ipif_flags &
- (IPIF_NOLOCAL|IPIF_ANYCAST)))) {
- return;
- }
+ if (flagsp != NULL)
+ *flagsp = 0;
/*
- * Perform the same checks as when creating the
- * IRE_INTERFACE in ipif_up_done_v6.
+ * Need to grab the generation number before we check to
+ * avoid a race with a change to the set of local addresses.
+ * No lock needed since the thread which updates the set of local
+ * addresses use ipif/ill locks and exit those (hence a store memory
+ * barrier) before doing the atomic increase of ips_src_generation.
*/
- if (!(ipif->ipif_flags & IPIF_UP))
- return;
-
- if ((ipif->ipif_flags & IPIF_NOXMIT))
- return;
-
- if (IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6subnet) &&
- IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6net_mask))
- return;
-
- /*
- * We know that ipif uses some other source for its
- * IRE_INTERFACE. Is it using the source of this
- * old_ipif?
- */
- ipif_ire = ipif_to_ire_v6(ipif);
- if (ipif_ire == NULL)
- return;
-
- if (old_ipif != NULL &&
- !IN6_ARE_ADDR_EQUAL(&old_ipif->ipif_v6lcl_addr,
- &ipif_ire->ire_src_addr_v6)) {
- ire_refrele(ipif_ire);
- return;
- }
-
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("ipif_recreate_interface_routes_v6: deleting IRE"
- " for src %s\n", AF_INET6, &ipif_ire->ire_src_addr_v6);
- }
-
- stq = ipif_ire->ire_stq;
-
- /*
- * Can't use our source address. Select a different source address
- * for the IRE_INTERFACE. We restrict interface route source
- * address selection to ipif's assigned to the same link as the
- * interface.
- */
- if (ip6_asp_can_lookup(ipst)) {
- ip6_asp_table_held = B_TRUE;
- nipif = ipif_select_source_v6(ill, &ipif->ipif_v6subnet,
- B_TRUE, IPV6_PREFER_SRC_DEFAULT, ipif->ipif_zoneid);
- }
- if (nipif == NULL) {
- /* Last resort - all ipif's have IPIF_NOLOCAL */
- nipif = ipif;
- } else {
- nipif_refheld = B_TRUE;
+ if (generation != NULL) {
+ *generation = ipst->ips_src_generation;
}
- ire = ire_create_v6(
- &ipif->ipif_v6subnet, /* dest pref */
- &ipif->ipif_v6net_mask, /* mask */
- &nipif->ipif_v6src_addr, /* src addr */
- NULL, /* no gateway */
- &ipif->ipif_mtu, /* max frag */
- NULL, /* no src nce */
- NULL, /* no recv from queue */
- stq, /* send-to queue */
- ill->ill_net_type, /* IF_[NO]RESOLVER */
- ipif,
- NULL,
- 0,
- 0,
- 0,
- &ire_uinfo_null,
- NULL,
- NULL,
- ipst);
-
- if (ire != NULL) {
- ire_t *ret_ire;
- int error;
-
- /*
- * We don't need ipif_ire anymore. We need to delete
- * before we add so that ire_add does not detect
- * duplicates.
- */
- ire_delete(ipif_ire);
- ret_ire = ire;
- error = ire_add(&ret_ire, NULL, NULL, NULL, B_FALSE);
- ASSERT(error == 0);
- ASSERT(ret_ire == ire);
- if (ret_ire != NULL) {
- /* Held in ire_add */
- ire_refrele(ret_ire);
- }
+ /* Was RTF_SETSRC set on the first IRE in the recursive lookup? */
+ if (setsrc != NULL && !IN6_IS_ADDR_UNSPECIFIED(setsrc)) {
+ *srcp = *setsrc;
+ return (0);
}
- /*
- * Either we are falling through from above or could not
- * allocate a replacement.
- */
- ire_refrele(ipif_ire);
- if (ip6_asp_table_held)
- ip6_asp_table_refrele(ipst);
- if (nipif_refheld)
- ipif_refrele(nipif);
-}
-
-/*
- * This old_ipif is going away.
- *
- * Determine if any other ipif's are using our address as
- * ipif_v6lcl_addr (due to those being IPIF_NOLOCAL, IPIF_ANYCAST, or
- * IPIF_DEPRECATED).
- * Find the IRE_INTERFACE for such ipif's and recreate them
- * to use an different source address following the rules in
- * ipif_up_done_v6.
- */
-void
-ipif_update_other_ipifs_v6(ipif_t *old_ipif)
-{
- ipif_t *ipif;
- ill_t *ill;
- char buf[INET6_ADDRSTRLEN];
-
- ASSERT(IAM_WRITER_IPIF(old_ipif));
-
- ill = old_ipif->ipif_ill;
-
- ip1dbg(("ipif_update_other_ipifs_v6(%s, %s)\n",
- ill->ill_name,
- inet_ntop(AF_INET6, &old_ipif->ipif_v6lcl_addr,
- buf, sizeof (buf))));
- for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
- if (ipif != old_ipif)
- ipif_recreate_interface_routes_v6(old_ipif, ipif);
+ ipif = ipif_select_source_v6(ill, dst, restrict_ill, src_prefs, zoneid,
+ B_TRUE, &notready);
+ if (ipif == NULL) {
+ if (notready)
+ return (ENETDOWN);
+ else
+ return (EADDRNOTAVAIL);
}
+ *srcp = ipif->ipif_v6lcl_addr;
+ if (flagsp != NULL)
+ *flagsp = ipif->ipif_flags;
+ ipif_refrele(ipif);
+ return (0);
}
/*
@@ -2744,11 +2207,10 @@ ipif_update_other_ipifs_v6(ipif_t *old_ipif)
* the physical device.
* q and mp represents an ioctl which will be queued waiting for
* completion of the DLPI message exchange.
- * MUST be called on an ill queue. Can not set conn_pending_ill for that
- * reason thus the DL_PHYS_ADDR_ACK code does not assume ill_pending_q.
+ * MUST be called on an ill queue.
*
- * Returns EINPROGRESS when mp has been consumed by queueing it on
- * ill_pending_mp and the ioctl will complete in ip_rput.
+ * Returns EINPROGRESS when mp has been consumed by queueing it.
+ * The ioctl will complete in ip_rput.
*/
int
ill_dl_phys(ill_t *ill, ipif_t *ipif, mblk_t *mp, queue_t *q)
@@ -2888,6 +2350,7 @@ bad:
return (ENOMEM);
}
+/* Add room for tcp+ip headers */
uint_t ip_loopback_mtu_v6plus = IP_LOOPBACK_MTU + IPV6_HDR_LEN + 20;
/*
@@ -2899,28 +2362,14 @@ uint_t ip_loopback_mtu_v6plus = IP_LOOPBACK_MTU + IPV6_HDR_LEN + 20;
int
ipif_up_done_v6(ipif_t *ipif)
{
- ire_t *ire_array[20];
- ire_t **irep = ire_array;
- ire_t **irep1;
ill_t *ill = ipif->ipif_ill;
- queue_t *stq;
- in6_addr_t v6addr;
- in6_addr_t route_mask;
- ipif_t *src_ipif = NULL;
- ipif_t *tmp_ipif;
- boolean_t flush_ire_cache = B_TRUE;
int err;
- char buf[INET6_ADDRSTRLEN];
- ire_t **ipif_saved_irep = NULL;
- int ipif_saved_ire_cnt;
- int cnt;
- boolean_t src_ipif_held = B_FALSE;
boolean_t loopback = B_FALSE;
- boolean_t ip6_asp_table_held = B_FALSE;
- ip_stack_t *ipst = ill->ill_ipst;
ip1dbg(("ipif_up_done_v6(%s:%u)\n",
ipif->ipif_ill->ill_name, ipif->ipif_id));
+ DTRACE_PROBE3(ipif__downup, char *, "ipif_up_done_v6",
+ ill_t *, ill, ipif_t *, ipif);
/* Check if this is a loopback interface */
if (ipif->ipif_ill->ill_wq == NULL)
@@ -2929,46 +2378,10 @@ ipif_up_done_v6(ipif_t *ipif)
ASSERT(ipif->ipif_isv6);
ASSERT(!MUTEX_HELD(&ipif->ipif_ill->ill_lock));
- /*
- * If all other interfaces for this ill are down or DEPRECATED,
- * or otherwise unsuitable for source address selection, remove
- * any IRE_CACHE entries for this ill to make sure source
- * address selection gets to take this new ipif into account.
- * No need to hold ill_lock while traversing the ipif list since
- * we are writer
- */
- for (tmp_ipif = ill->ill_ipif; tmp_ipif;
- tmp_ipif = tmp_ipif->ipif_next) {
- if (((tmp_ipif->ipif_flags &
- (IPIF_NOXMIT|IPIF_ANYCAST|IPIF_NOLOCAL|IPIF_DEPRECATED)) ||
- !(tmp_ipif->ipif_flags & IPIF_UP)) ||
- (tmp_ipif == ipif))
- continue;
- /* first useable pre-existing interface */
- flush_ire_cache = B_FALSE;
- break;
- }
- if (flush_ire_cache)
- ire_walk_ill_v6(MATCH_IRE_ILL | MATCH_IRE_TYPE,
- IRE_CACHE, ill_ipif_cache_delete, ill, ill);
+ if (IS_LOOPBACK(ill) || ill->ill_net_type == IRE_IF_NORESOLVER) {
+ nce_t *loop_nce = NULL;
+ uint16_t flags = (NCE_F_MYADDR | NCE_F_NONUD | NCE_F_AUTHORITY);
- /*
- * Figure out which way the send-to queue should go. Only
- * IRE_IF_RESOLVER or IRE_IF_NORESOLVER should show up here.
- */
- switch (ill->ill_net_type) {
- case IRE_IF_RESOLVER:
- stq = ill->ill_rq;
- break;
- case IRE_IF_NORESOLVER:
- case IRE_LOOPBACK:
- stq = ill->ill_wq;
- break;
- default:
- return (EINVAL);
- }
-
- if (IS_LOOPBACK(ill)) {
/*
* lo0:1 and subsequent ipifs were marked IRE_LOCAL in
* ipif_lookup_on_name(), but in the case of zones we can have
@@ -2979,29 +2392,99 @@ ipif_up_done_v6(ipif_t *ipif)
ipif->ipif_ire_type = IRE_LOOPBACK;
else
ipif->ipif_ire_type = IRE_LOCAL;
+ if (ill->ill_net_type != IRE_LOOPBACK)
+ flags |= NCE_F_PUBLISH;
+ err = nce_lookup_then_add_v6(ill, NULL,
+ ill->ill_phys_addr_length,
+ &ipif->ipif_v6lcl_addr, flags, ND_REACHABLE, &loop_nce);
+
+ /* A shared-IP zone sees EEXIST for lo0:N */
+ if (err == 0 || err == EEXIST) {
+ ipif->ipif_added_nce = 1;
+ loop_nce->nce_ipif_cnt++;
+ nce_refrele(loop_nce);
+ err = 0;
+ } else {
+ ASSERT(loop_nce == NULL);
+ return (err);
+ }
}
- if (ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST) ||
- ((ipif->ipif_flags & IPIF_DEPRECATED) &&
- !(ipif->ipif_flags & IPIF_NOFAILOVER))) {
+ err = ipif_add_ires_v6(ipif, loopback);
+ if (err != 0) {
/*
- * Can't use our source address. Select a different
- * source address for the IRE_INTERFACE and IRE_LOCAL
+ * See comments about return value from
+ * ipif_addr_availability_check() in ipif_add_ires_v6().
*/
- if (ip6_asp_can_lookup(ipst)) {
- ip6_asp_table_held = B_TRUE;
- src_ipif = ipif_select_source_v6(ipif->ipif_ill,
- &ipif->ipif_v6subnet, B_FALSE,
- IPV6_PREFER_SRC_DEFAULT, ipif->ipif_zoneid);
+ if (err != EADDRINUSE) {
+ ipif_ndp_down(ipif);
+ } else {
+ /*
+ * Make IPMP aware of the deleted ipif so that
+ * the needed ipmp cleanup (e.g., of ipif_bound_ill)
+ * can be completed. Note that we do not want to
+ * destroy the nce that was created on the ipmp_ill
+ * for the active copy of the duplicate address in
+ * use.
+ */
+ if (IS_IPMP(ill))
+ ipmp_illgrp_del_ipif(ill->ill_grp, ipif);
+ err = EADDRNOTAVAIL;
}
- if (src_ipif == NULL)
- src_ipif = ipif; /* Last resort */
- else
- src_ipif_held = B_TRUE;
- } else {
- src_ipif = ipif;
+ return (err);
+ }
+
+ if (ill->ill_ipif_up_count == 1 && !loopback) {
+ /* Recover any additional IREs entries for this ill */
+ (void) ill_recover_saved_ire(ill);
}
+ if (ill->ill_need_recover_multicast) {
+ /*
+ * Need to recover all multicast memberships in the driver.
+ * This had to be deferred until we had attached.
+ */
+ ill_recover_multicast(ill);
+ }
+
+ if (ill->ill_ipif_up_count == 1) {
+ /*
+ * Since the interface is now up, it may now be active.
+ */
+ if (IS_UNDER_IPMP(ill))
+ ipmp_ill_refresh_active(ill);
+ }
+
+ /* Join the allhosts multicast address and the solicited node MC */
+ ipif_multicast_up(ipif);
+
+ /* Perhaps ilgs should use this ill */
+ update_conn_ill(NULL, ill->ill_ipst);
+
+ if (ipif->ipif_addr_ready)
+ ipif_up_notify(ipif);
+
+ return (0);
+}
+
+/*
+ * Add the IREs associated with the ipif.
+ * Those MUST be explicitly removed in ipif_delete_ires_v6.
+ */
+static int
+ipif_add_ires_v6(ipif_t *ipif, boolean_t loopback)
+{
+ ill_t *ill = ipif->ipif_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ ire_t *ire_array[20];
+ ire_t **irep = ire_array;
+ ire_t **irep1;
+ in6_addr_t v6addr;
+ in6_addr_t route_mask;
+ int err;
+ char buf[INET6_ADDRSTRLEN];
+ ire_t *ire_local = NULL; /* LOCAL or LOOPBACK */
+
if (!IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) &&
!(ipif->ipif_flags & IPIF_NOLOCAL)) {
@@ -3024,45 +2507,38 @@ ipif_up_done_v6(ipif_t *ipif)
err = ip_srcid_insert(&ipif->ipif_v6lcl_addr,
ipif->ipif_zoneid, ipst);
if (err != 0) {
- ip0dbg(("ipif_up_done_v6: srcid_insert %d\n", err));
- if (src_ipif_held)
- ipif_refrele(src_ipif);
- if (ip6_asp_table_held)
- ip6_asp_table_refrele(ipst);
+ ip0dbg(("ipif_add_ires_v6: srcid_insert %d\n", err));
return (err);
}
/*
* If the interface address is set, create the LOCAL
* or LOOPBACK IRE.
*/
- ip1dbg(("ipif_up_done_v6: creating IRE %d for %s\n",
+ ip1dbg(("ipif_add_ires_v6: creating IRE %d for %s\n",
ipif->ipif_ire_type,
inet_ntop(AF_INET6, &ipif->ipif_v6lcl_addr,
buf, sizeof (buf))));
- *irep++ = ire_create_v6(
+ ire_local = ire_create_v6(
&ipif->ipif_v6lcl_addr, /* dest address */
&ipv6_all_ones, /* mask */
- &src_ipif->ipif_v6src_addr, /* source address */
NULL, /* no gateway */
- &ip_loopback_mtu_v6plus, /* max frag size */
- NULL,
- ipif->ipif_rq, /* recv-from queue */
- NULL, /* no send-to queue */
ipif->ipif_ire_type, /* LOCAL or LOOPBACK */
- ipif, /* interface */
- NULL,
- 0,
- 0,
- (ipif->ipif_flags & IPIF_PRIVATE) ? RTF_PRIVATE : 0,
- &ire_uinfo_null,
- NULL,
+ ipif->ipif_ill, /* interface */
+ ipif->ipif_zoneid,
+ ((ipif->ipif_flags & IPIF_PRIVATE) ?
+ RTF_PRIVATE : 0) | RTF_KERNEL,
NULL,
ipst);
+ if (ire_local == NULL) {
+ ip1dbg(("ipif_up_done_v6: NULL ire_local\n"));
+ err = ENOMEM;
+ goto bad;
+ }
}
/* Set up the IRE_IF_RESOLVER or IRE_IF_NORESOLVER, as appropriate. */
- if (stq != NULL && !(ipif->ipif_flags & IPIF_NOXMIT) &&
+ if (!loopback && !(ipif->ipif_flags & IPIF_NOXMIT) &&
!(IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6subnet) &&
IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6net_mask))) {
/* ipif_v6subnet is ipif_v6pp_dst_addr for pt-pt */
@@ -3074,27 +2550,19 @@ ipif_up_done_v6(ipif_t *ipif)
route_mask = ipif->ipif_v6net_mask;
}
- ip1dbg(("ipif_up_done_v6: creating if IRE %d for %s\n",
+ ip1dbg(("ipif_add_ires_v6: creating if IRE %d for %s\n",
ill->ill_net_type,
inet_ntop(AF_INET6, &v6addr, buf, sizeof (buf))));
*irep++ = ire_create_v6(
&v6addr, /* dest pref */
&route_mask, /* mask */
- &src_ipif->ipif_v6src_addr, /* src addr */
- NULL, /* no gateway */
- &ipif->ipif_mtu, /* max frag */
- NULL, /* no src nce */
- NULL, /* no recv from queue */
- stq, /* send-to queue */
+ &ipif->ipif_v6lcl_addr, /* gateway */
ill->ill_net_type, /* IF_[NO]RESOLVER */
- ipif,
- NULL,
- 0,
- 0,
- (ipif->ipif_flags & IPIF_PRIVATE) ? RTF_PRIVATE : 0,
- &ire_uinfo_null,
- NULL,
+ ipif->ipif_ill,
+ ipif->ipif_zoneid,
+ ((ipif->ipif_flags & IPIF_PRIVATE) ?
+ RTF_PRIVATE : 0) | RTF_KERNEL,
NULL,
ipst);
}
@@ -3103,15 +2571,13 @@ ipif_up_done_v6(ipif_t *ipif)
for (irep1 = irep; irep1 > ire_array; ) {
irep1--;
if (*irep1 == NULL) {
- ip1dbg(("ipif_up_done_v6: NULL ire found in"
+ ip1dbg(("ipif_add_ires_v6: NULL ire found in"
" ire_array\n"));
err = ENOMEM;
goto bad;
}
}
- ASSERT(!MUTEX_HELD(&ipif->ipif_ill->ill_lock));
-
/*
* Need to atomically check for IP address availability under
* ip_addr_avail_lock. ill_g_lock is held as reader to ensure no new
@@ -3132,20 +2598,12 @@ ipif_up_done_v6(ipif_t *ipif)
* the other ipif. So we don't want to delete it (otherwise the
* other ipif would be unable to send packets).
* ip_addr_availability_check() identifies this case for us and
- * returns EADDRINUSE; we need to turn it into EADDRNOTAVAIL
+ * returns EADDRINUSE; Caller must turn it into EADDRNOTAVAIL
* which is the expected error code.
*
- * Note that, for the non-XRESOLV case, ipif_ndp_down() will
- * only delete the nce in the case when the nce_ipif_cnt drops
- * to 0.
+ * Note that ipif_ndp_down() will only delete the nce in the
+ * case when the nce_ipif_cnt drops to 0.
*/
- if (err == EADDRINUSE) {
- if (ipif->ipif_ill->ill_flags & ILLF_XRESOLV) {
- freemsg(ipif->ipif_arp_del_mp);
- ipif->ipif_arp_del_mp = NULL;
- }
- err = EADDRNOTAVAIL;
- }
ill->ill_ipif_up_count--;
ipif->ipif_flags &= ~IPIF_UP;
goto bad;
@@ -3153,91 +2611,42 @@ ipif_up_done_v6(ipif_t *ipif)
/*
* Add in all newly created IREs.
- *
- * NOTE : We refrele the ire though we may branch to "bad"
- * later on where we do ire_delete. This is okay
- * because nobody can delete it as we are running
- * exclusively.
*/
+ if (ire_local != NULL) {
+ ire_local = ire_add(ire_local);
+#ifdef DEBUG
+ if (ire_local != NULL) {
+ ire_refhold_notr(ire_local);
+ ire_refrele(ire_local);
+ }
+#endif
+ }
+ rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
+ if (ire_local != NULL)
+ ipif->ipif_ire_local = ire_local;
+ rw_exit(&ipst->ips_ill_g_lock);
+ ire_local = NULL;
+
for (irep1 = irep; irep1 > ire_array; ) {
irep1--;
/* Shouldn't be adding any bcast ire's */
ASSERT((*irep1)->ire_type != IRE_BROADCAST);
ASSERT(!MUTEX_HELD(&ipif->ipif_ill->ill_lock));
- /*
- * refheld by ire_add. refele towards the end of the func
- */
- (void) ire_add(irep1, NULL, NULL, NULL, B_FALSE);
- }
- if (ip6_asp_table_held) {
- ip6_asp_table_refrele(ipst);
- ip6_asp_table_held = B_FALSE;
- }
-
- /* Recover any additional IRE_IF_[NO]RESOLVER entries for this ipif */
- ipif_saved_ire_cnt = ipif->ipif_saved_ire_cnt;
- ipif_saved_irep = ipif_recover_ire_v6(ipif);
-
- if (ill->ill_need_recover_multicast) {
- /*
- * Need to recover all multicast memberships in the driver.
- * This had to be deferred until we had attached.
- */
- ill_recover_multicast(ill);
- }
-
- if (ill->ill_ipif_up_count == 1) {
- /*
- * Since the interface is now up, it may now be active.
- */
- if (IS_UNDER_IPMP(ill))
- ipmp_ill_refresh_active(ill);
- }
-
- /* Join the allhosts multicast address and the solicited node MC */
- ipif_multicast_up(ipif);
-
- /*
- * See if anybody else would benefit from our new ipif.
- */
- if (!loopback &&
- !(ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST|IPIF_DEPRECATED))) {
- ill_update_source_selection(ill);
- }
-
- for (irep1 = irep; irep1 > ire_array; ) {
- irep1--;
+ /* refheld by ire_add */
+ *irep1 = ire_add(*irep1);
if (*irep1 != NULL) {
- /* was held in ire_add */
- ire_refrele(*irep1);
- }
- }
-
- cnt = ipif_saved_ire_cnt;
- for (irep1 = ipif_saved_irep; cnt > 0; irep1++, cnt--) {
- if (*irep1 != NULL) {
- /* was held in ire_add */
ire_refrele(*irep1);
+ *irep1 = NULL;
}
}
if (ipif->ipif_addr_ready)
ipif_up_notify(ipif);
-
- if (ipif_saved_irep != NULL) {
- kmem_free(ipif_saved_irep,
- ipif_saved_ire_cnt * sizeof (ire_t *));
- }
-
- if (src_ipif_held)
- ipif_refrele(src_ipif);
-
return (0);
bad:
- if (ip6_asp_table_held)
- ip6_asp_table_refrele(ipst);
-
+ if (ire_local != NULL)
+ ire_delete(ire_local);
while (irep > ire_array) {
irep--;
if (*irep != NULL)
@@ -3245,21 +2654,85 @@ bad:
}
(void) ip_srcid_remove(&ipif->ipif_v6lcl_addr, ipif->ipif_zoneid, ipst);
- if (ipif_saved_irep != NULL) {
- kmem_free(ipif_saved_irep,
- ipif_saved_ire_cnt * sizeof (ire_t *));
+ return (err);
+}
+
+/* Remove all the IREs created by ipif_add_ires_v6 */
+void
+ipif_delete_ires_v6(ipif_t *ipif)
+{
+ ill_t *ill = ipif->ipif_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ in6_addr_t v6addr;
+ in6_addr_t route_mask;
+ ire_t *ire;
+ int match_args;
+ boolean_t loopback;
+
+ /* Check if this is a loopback interface */
+ loopback = (ipif->ipif_ill->ill_wq == NULL);
+
+ match_args = MATCH_IRE_TYPE | MATCH_IRE_ILL | MATCH_IRE_MASK |
+ MATCH_IRE_ZONEONLY;
+
+ rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
+ if ((ire = ipif->ipif_ire_local) != NULL) {
+ ipif->ipif_ire_local = NULL;
+ rw_exit(&ipst->ips_ill_g_lock);
+ /*
+ * Move count to ipif so we don't loose the count due to
+ * a down/up dance.
+ */
+ atomic_add_32(&ipif->ipif_ib_pkt_count, ire->ire_ib_pkt_count);
+
+ ire_delete(ire);
+ ire_refrele_notr(ire);
+ } else {
+ rw_exit(&ipst->ips_ill_g_lock);
}
- if (src_ipif_held)
- ipif_refrele(src_ipif);
- ipif_ndp_down(ipif);
- ipif_resolver_down(ipif);
+ match_args |= MATCH_IRE_GW;
- return (err);
+ /*
+ * Delete the IRE_IF_RESOLVER or IRE_IF_NORESOLVER, as appropriate.
+ * Note that atun interfaces have an all-zero ipif_v6subnet.
+ * Thus we allow a zero subnet as long as the mask is non-zero.
+ */
+ if (IS_UNDER_IPMP(ill))
+ match_args |= MATCH_IRE_TESTHIDDEN;
+
+ if (!loopback && !(ipif->ipif_flags & IPIF_NOXMIT) &&
+ !(IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6subnet) &&
+ IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6net_mask))) {
+ /* ipif_v6subnet is ipif_v6pp_dst_addr for pt-pt */
+ v6addr = ipif->ipif_v6subnet;
+
+ if (ipif->ipif_flags & IPIF_POINTOPOINT) {
+ route_mask = ipv6_all_ones;
+ } else {
+ route_mask = ipif->ipif_v6net_mask;
+ }
+
+ ire = ire_ftable_lookup_v6(
+ &v6addr, /* dest pref */
+ &route_mask, /* mask */
+ &ipif->ipif_v6lcl_addr, /* gateway */
+ ill->ill_net_type, /* IF_[NO]RESOLVER */
+ ipif->ipif_ill,
+ ipif->ipif_zoneid,
+ NULL,
+ match_args,
+ 0,
+ ipst,
+ NULL);
+ ASSERT(ire != NULL);
+ ire_delete(ire);
+ ire_refrele(ire);
+ }
}
/*
- * Delete an ND entry and the corresponding IRE_CACHE entry if it exists.
+ * Delete an ND entry if it exists.
*/
/* ARGSUSED */
int
@@ -3267,11 +2740,10 @@ ip_siocdelndp_v6(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
{
sin6_t *sin6;
- nce_t *nce;
struct lifreq *lifr;
lif_nd_req_t *lnr;
ill_t *ill = ipif->ipif_ill;
- ire_t *ire;
+ nce_t *nce;
lifr = (struct lifreq *)mp->b_cont->b_cont->b_rptr;
lnr = &lifr->lifr_nd;
@@ -3289,29 +2761,27 @@ ip_siocdelndp_v6(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
/*
* Since ND mappings must be consistent across an IPMP group, prohibit
- * deleting ND mappings on underlying interfaces. Also, since ND
- * mappings for IPMP data addresses are owned by IP itself, prohibit
- * deleting them.
+ * deleting ND mappings on underlying interfaces.
+ * Don't allow deletion of mappings for local addresses.
*/
if (IS_UNDER_IPMP(ill))
return (EPERM);
- if (IS_IPMP(ill)) {
- ire = ire_ctable_lookup_v6(&sin6->sin6_addr, NULL, IRE_LOCAL,
- ipif, ALL_ZONES, NULL, MATCH_IRE_TYPE | MATCH_IRE_ILL,
- ill->ill_ipst);
- if (ire != NULL) {
- ire_refrele(ire);
- return (EPERM);
- }
- }
-
- /* See comment in ndp_query() regarding IS_IPMP(ill) usage */
- nce = ndp_lookup_v6(ill, IS_IPMP(ill), &sin6->sin6_addr, B_FALSE);
+ nce = nce_lookup_v6(ill, &sin6->sin6_addr);
if (nce == NULL)
return (ESRCH);
- ndp_delete(nce);
- NCE_REFRELE(nce);
+
+ if (NCE_MYADDR(nce->nce_common)) {
+ nce_refrele(nce);
+ return (EPERM);
+ }
+
+ /*
+ * delete the nce_common which will also delete the nces on any
+ * under_ill in the case of ipmp.
+ */
+ ncec_delete(nce->nce_common);
+ nce_refrele(nce);
return (0);
}
@@ -3383,9 +2853,9 @@ ip_siocsetndp_v6(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
return (EPERM);
if (IS_IPMP(ill)) {
- ire = ire_ctable_lookup_v6(&sin6->sin6_addr, NULL, IRE_LOCAL,
- ipif, ALL_ZONES, NULL, MATCH_IRE_TYPE | MATCH_IRE_ILL,
- ill->ill_ipst);
+ ire = ire_ftable_lookup_v6(&sin6->sin6_addr, NULL, NULL,
+ IRE_LOCAL, ill, ALL_ZONES, NULL,
+ MATCH_IRE_TYPE | MATCH_IRE_ILL, 0, ill->ill_ipst, NULL);
if (ire != NULL) {
ire_refrele(ire);
return (EPERM);
diff --git a/usr/src/uts/common/inet/ip/ip6_input.c b/usr/src/uts/common/inet/ip/ip6_input.c
new file mode 100644
index 0000000000..cee5344bf6
--- /dev/null
+++ b/usr/src/uts/common/inet/ip/ip6_input.c
@@ -0,0 +1,2749 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+/* Copyright (c) 1990 Mentat Inc. */
+
+#include <sys/types.h>
+#include <sys/stream.h>
+#include <sys/dlpi.h>
+#include <sys/stropts.h>
+#include <sys/sysmacros.h>
+#include <sys/strsubr.h>
+#include <sys/strlog.h>
+#include <sys/strsun.h>
+#include <sys/zone.h>
+#define _SUN_TPI_VERSION 2
+#include <sys/tihdr.h>
+#include <sys/xti_inet.h>
+#include <sys/ddi.h>
+#include <sys/sunddi.h>
+#include <sys/cmn_err.h>
+#include <sys/debug.h>
+#include <sys/kobj.h>
+#include <sys/modctl.h>
+#include <sys/atomic.h>
+#include <sys/policy.h>
+#include <sys/priv.h>
+
+#include <sys/systm.h>
+#include <sys/param.h>
+#include <sys/kmem.h>
+#include <sys/sdt.h>
+#include <sys/socket.h>
+#include <sys/vtrace.h>
+#include <sys/isa_defs.h>
+#include <sys/mac.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <net/route.h>
+#include <sys/sockio.h>
+#include <netinet/in.h>
+#include <net/if_dl.h>
+
+#include <inet/common.h>
+#include <inet/mi.h>
+#include <inet/mib2.h>
+#include <inet/nd.h>
+#include <inet/arp.h>
+#include <inet/snmpcom.h>
+#include <inet/kstatcom.h>
+
+#include <netinet/igmp_var.h>
+#include <netinet/ip6.h>
+#include <netinet/icmp6.h>
+#include <netinet/sctp.h>
+
+#include <inet/ip.h>
+#include <inet/ip_impl.h>
+#include <inet/ip6.h>
+#include <inet/ip6_asp.h>
+#include <inet/optcom.h>
+#include <inet/tcp.h>
+#include <inet/tcp_impl.h>
+#include <inet/ip_multi.h>
+#include <inet/ip_if.h>
+#include <inet/ip_ire.h>
+#include <inet/ip_ftable.h>
+#include <inet/ip_rts.h>
+#include <inet/ip_ndp.h>
+#include <inet/ip_listutils.h>
+#include <netinet/igmp.h>
+#include <netinet/ip_mroute.h>
+#include <inet/ipp_common.h>
+
+#include <net/pfkeyv2.h>
+#include <inet/sadb.h>
+#include <inet/ipsec_impl.h>
+#include <inet/ipdrop.h>
+#include <inet/ip_netinfo.h>
+#include <inet/ilb_ip.h>
+#include <sys/squeue_impl.h>
+#include <sys/squeue.h>
+
+#include <sys/ethernet.h>
+#include <net/if_types.h>
+#include <sys/cpuvar.h>
+
+#include <ipp/ipp.h>
+#include <ipp/ipp_impl.h>
+#include <ipp/ipgpc/ipgpc.h>
+
+#include <sys/pattr.h>
+#include <inet/ipclassifier.h>
+#include <inet/sctp_ip.h>
+#include <inet/sctp/sctp_impl.h>
+#include <inet/udp_impl.h>
+#include <sys/sunddi.h>
+
+#include <sys/tsol/label.h>
+#include <sys/tsol/tnet.h>
+
+#include <rpc/pmap_prot.h>
+
+#ifdef DEBUG
+extern boolean_t skip_sctp_cksum;
+#endif
+
+static void ip_input_local_v6(ire_t *, mblk_t *, ip6_t *, ip_recv_attr_t *);
+
+static void ip_input_multicast_v6(ire_t *, mblk_t *, ip6_t *,
+ ip_recv_attr_t *);
+
+#pragma inline(ip_input_common_v6, ip_input_local_v6, ip_forward_xmit_v6)
+
+/*
+ * Direct read side procedure capable of dealing with chains. GLDv3 based
+ * drivers call this function directly with mblk chains while STREAMS
+ * read side procedure ip_rput() calls this for single packet with ip_ring
+ * set to NULL to process one packet at a time.
+ *
+ * The ill will always be valid if this function is called directly from
+ * the driver.
+ *
+ * If ip_input_v6() is called from GLDv3:
+ *
+ * - This must be a non-VLAN IP stream.
+ * - 'mp' is either an untagged or a special priority-tagged packet.
+ * - Any VLAN tag that was in the MAC header has been stripped.
+ *
+ * If the IP header in packet is not 32-bit aligned, every message in the
+ * chain will be aligned before further operations. This is required on SPARC
+ * platform.
+ */
+void
+ip_input_v6(ill_t *ill, ill_rx_ring_t *ip_ring, mblk_t *mp_chain,
+ struct mac_header_info_s *mhip)
+{
+ (void) ip_input_common_v6(ill, ip_ring, mp_chain, mhip, NULL, NULL,
+ NULL);
+}
+
+/*
+ * ip_accept_tcp_v6() - This function is called by the squeue when it retrieves
+ * a chain of packets in the poll mode. The packets have gone through the
+ * data link processing but not IP processing. For performance and latency
+ * reasons, the squeue wants to process the chain in line instead of feeding
+ * it back via ip_input path.
+ *
+ * We set up the ip_recv_attr_t with IRAF_TARGET_SQP to that ip_fanout_v6
+ * will pass back any TCP packets matching the target sqp to
+ * ip_input_common_v6 using ira_target_sqp_mp. Other packets are handled by
+ * ip_input_v6 and ip_fanout_v6 as normal.
+ * The TCP packets that match the target squeue are returned to the caller
+ * as a b_next chain after each packet has been prepend with an mblk
+ * from ip_recv_attr_to_mblk.
+ */
+mblk_t *
+ip_accept_tcp_v6(ill_t *ill, ill_rx_ring_t *ip_ring, squeue_t *target_sqp,
+ mblk_t *mp_chain, mblk_t **last, uint_t *cnt)
+{
+ return (ip_input_common_v6(ill, ip_ring, mp_chain, NULL, target_sqp,
+ last, cnt));
+}
+
+/*
+ * Used by ip_input_v6 and ip_accept_tcp_v6
+ * The last three arguments are only used by ip_accept_tcp_v6, and mhip is
+ * only used by ip_input_v6.
+ */
+mblk_t *
+ip_input_common_v6(ill_t *ill, ill_rx_ring_t *ip_ring, mblk_t *mp_chain,
+ struct mac_header_info_s *mhip, squeue_t *target_sqp,
+ mblk_t **last, uint_t *cnt)
+{
+ mblk_t *mp;
+ ip6_t *ip6h;
+ ip_recv_attr_t iras; /* Receive attributes */
+ rtc_t rtc;
+ iaflags_t chain_flags = 0; /* Fixed for chain */
+ mblk_t *ahead = NULL; /* Accepted head */
+ mblk_t *atail = NULL; /* Accepted tail */
+ uint_t acnt = 0; /* Accepted count */
+
+ ASSERT(mp_chain != NULL);
+ ASSERT(ill != NULL);
+
+ /* These ones do not change as we loop over packets */
+ iras.ira_ill = iras.ira_rill = ill;
+ iras.ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+ iras.ira_rifindex = iras.ira_ruifindex;
+ iras.ira_sqp = NULL;
+ iras.ira_ring = ip_ring;
+ /* For ECMP and outbound transmit ring selection */
+ iras.ira_xmit_hint = ILL_RING_TO_XMIT_HINT(ip_ring);
+
+ iras.ira_target_sqp = target_sqp;
+ iras.ira_target_sqp_mp = NULL;
+ if (target_sqp != NULL)
+ chain_flags |= IRAF_TARGET_SQP;
+
+ /*
+ * We try to have a mhip pointer when possible, but
+ * it might be NULL in some cases. In those cases we
+ * have to assume unicast.
+ */
+ iras.ira_mhip = mhip;
+ iras.ira_flags = 0;
+ if (mhip != NULL) {
+ switch (mhip->mhi_dsttype) {
+ case MAC_ADDRTYPE_MULTICAST :
+ chain_flags |= IRAF_L2DST_MULTICAST;
+ break;
+ case MAC_ADDRTYPE_BROADCAST :
+ chain_flags |= IRAF_L2DST_BROADCAST;
+ break;
+ }
+ }
+
+ /*
+ * Initialize the one-element route cache.
+ *
+ * We do ire caching from one iteration to
+ * another. In the event the packet chain contains
+ * all packets from the same dst, this caching saves
+ * an ire_route_recursive for each of the succeeding
+ * packets in a packet chain.
+ */
+ rtc.rtc_ire = NULL;
+ rtc.rtc_ip6addr = ipv6_all_zeros;
+
+ /* Loop over b_next */
+ for (mp = mp_chain; mp != NULL; mp = mp_chain) {
+ mp_chain = mp->b_next;
+ mp->b_next = NULL;
+
+ /*
+ * if db_ref > 1 then copymsg and free original. Packet
+ * may be changed and we do not want the other entity
+ * who has a reference to this message to trip over the
+ * changes. This is a blind change because trying to
+ * catch all places that might change the packet is too
+ * difficult.
+ *
+ * This corresponds to the fast path case, where we have
+ * a chain of M_DATA mblks. We check the db_ref count
+ * of only the 1st data block in the mblk chain. There
+ * doesn't seem to be a reason why a device driver would
+ * send up data with varying db_ref counts in the mblk
+ * chain. In any case the Fast path is a private
+ * interface, and our drivers don't do such a thing.
+ * Given the above assumption, there is no need to walk
+ * down the entire mblk chain (which could have a
+ * potential performance problem)
+ *
+ * The "(DB_REF(mp) > 1)" check was moved from ip_rput()
+ * to here because of exclusive ip stacks and vnics.
+ * Packets transmitted from exclusive stack over vnic
+ * can have db_ref > 1 and when it gets looped back to
+ * another vnic in a different zone, you have ip_input()
+ * getting dblks with db_ref > 1. So if someone
+ * complains of TCP performance under this scenario,
+ * take a serious look here on the impact of copymsg().
+ */
+ if (DB_REF(mp) > 1) {
+ if ((mp = ip_fix_dbref(mp, &iras)) == NULL)
+ continue;
+ }
+
+ /*
+ * IP header ptr not aligned?
+ * OR IP header not complete in first mblk
+ */
+ ip6h = (ip6_t *)mp->b_rptr;
+ if (!OK_32PTR(ip6h) || MBLKL(mp) < IPV6_HDR_LEN) {
+ mp = ip_check_and_align_header(mp, IPV6_HDR_LEN, &iras);
+ if (mp == NULL)
+ continue;
+ ip6h = (ip6_t *)mp->b_rptr;
+ }
+
+ /* Protect against a mix of Ethertypes and IP versions */
+ if (IPH_HDR_VERSION(ip6h) != IPV6_VERSION) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
+ ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
+ freemsg(mp);
+ /* mhip might point into 1st packet in the chain. */
+ iras.ira_mhip = NULL;
+ continue;
+ }
+
+ /*
+ * Check for Martian addrs; we have to explicitly
+ * test for for zero dst since this is also used as
+ * an indication that the rtc is not used.
+ */
+ if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_dst)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInAddrErrors);
+ ip_drop_input("ipIfStatsInAddrErrors", mp, ill);
+ freemsg(mp);
+ /* mhip might point into 1st packet in the chain. */
+ iras.ira_mhip = NULL;
+ continue;
+ }
+ /*
+ * Keep L2SRC from a previous packet in chain since mhip
+ * might point into an earlier packet in the chain.
+ */
+ chain_flags |= (iras.ira_flags & IRAF_L2SRC_SET);
+
+ iras.ira_flags = IRAF_VERIFY_ULP_CKSUM | chain_flags;
+ iras.ira_free_flags = 0;
+ iras.ira_cred = NULL;
+ iras.ira_cpid = NOPID;
+ iras.ira_tsl = NULL;
+ iras.ira_zoneid = ALL_ZONES; /* Default for forwarding */
+
+ /*
+ * We must count all incoming packets, even if they end
+ * up being dropped later on. Defer counting bytes until
+ * we have the whole IP header in first mblk.
+ */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInReceives);
+
+ iras.ira_pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
+ UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInOctets,
+ iras.ira_pktlen);
+
+ /*
+ * Call one of:
+ * ill_input_full_v6
+ * ill_input_short_v6
+ * The former is used in the case of TX. See ill_set_inputfn().
+ */
+ (*ill->ill_inputfn)(mp, ip6h, &ip6h->ip6_dst, &iras, &rtc);
+
+ /* Any references to clean up? No hold on ira_ill */
+ if (iras.ira_flags & (IRAF_IPSEC_SECURE|IRAF_SYSTEM_LABELED))
+ ira_cleanup(&iras, B_FALSE);
+
+ if (iras.ira_target_sqp_mp != NULL) {
+ /* Better be called from ip_accept_tcp */
+ ASSERT(target_sqp != NULL);
+
+ /* Found one packet to accept */
+ mp = iras.ira_target_sqp_mp;
+ iras.ira_target_sqp_mp = NULL;
+ ASSERT(ip_recv_attr_is_mblk(mp));
+
+ if (atail != NULL)
+ atail->b_next = mp;
+ else
+ ahead = mp;
+ atail = mp;
+ acnt++;
+ mp = NULL;
+ }
+ /* mhip might point into 1st packet in the chain. */
+ iras.ira_mhip = NULL;
+ }
+ /* Any remaining references to the route cache? */
+ if (rtc.rtc_ire != NULL) {
+ ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&rtc.rtc_ip6addr));
+ ire_refrele(rtc.rtc_ire);
+ }
+
+ if (ahead != NULL) {
+ /* Better be called from ip_accept_tcp */
+ ASSERT(target_sqp != NULL);
+ *last = atail;
+ *cnt = acnt;
+ return (ahead);
+ }
+
+ return (NULL);
+}
+
+/*
+ * This input function is used when
+ * - is_system_labeled()
+ *
+ * Note that for IPv6 CGTP filtering is handled only when receiving fragment
+ * headers, and RSVP uses router alert options, thus we don't need anything
+ * extra for them.
+ */
+void
+ill_input_full_v6(mblk_t *mp, void *iph_arg, void *nexthop_arg,
+ ip_recv_attr_t *ira, rtc_t *rtc)
+{
+ ip6_t *ip6h = (ip6_t *)iph_arg;
+ in6_addr_t *nexthop = (in6_addr_t *)nexthop_arg;
+ ill_t *ill = ira->ira_ill;
+
+ ASSERT(ira->ira_tsl == NULL);
+
+ /*
+ * Attach any necessary label information to
+ * this packet
+ */
+ if (is_system_labeled()) {
+ ira->ira_flags |= IRAF_SYSTEM_LABELED;
+
+ /*
+ * This updates ira_cred, ira_tsl and ira_free_flags based
+ * on the label.
+ */
+ if (!tsol_get_pkt_label(mp, IPV6_VERSION, ira)) {
+ if (ip6opt_ls != 0)
+ ip0dbg(("tsol_get_pkt_label v6 failed\n"));
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ /* Note that ira_tsl can be NULL here. */
+
+ /* tsol_get_pkt_label sometimes does pullupmsg */
+ ip6h = (ip6_t *)mp->b_rptr;
+ }
+ ill_input_short_v6(mp, ip6h, nexthop, ira, rtc);
+}
+
+/*
+ * Check for IPv6 addresses that should not appear on the wire
+ * as either source or destination.
+ * If we ever implement Stateless IPv6 Translators (SIIT) we'd have
+ * to revisit the IPv4-mapped part.
+ */
+static boolean_t
+ip6_bad_address(in6_addr_t *addr, boolean_t is_src)
+{
+ if (IN6_IS_ADDR_V4MAPPED(addr)) {
+ ip1dbg(("ip_input_v6: pkt with IPv4-mapped addr"));
+ return (B_TRUE);
+ }
+ if (IN6_IS_ADDR_LOOPBACK(addr)) {
+ ip1dbg(("ip_input_v6: pkt with loopback addr"));
+ return (B_TRUE);
+ }
+ if (!is_src && IN6_IS_ADDR_UNSPECIFIED(addr)) {
+ /*
+ * having :: in the src is ok: it's used for DAD.
+ */
+ ip1dbg(("ip_input_v6: pkt with unspecified addr"));
+ return (B_TRUE);
+ }
+ return (B_FALSE);
+}
+
+/*
+ * Routing lookup for IPv6 link-locals.
+ * First we look on the inbound interface, then we check for IPMP and
+ * look on the upper interface.
+ * We update ira_ruifindex if we find the IRE on the upper interface.
+ */
+static ire_t *
+ire_linklocal(const in6_addr_t *nexthop, ill_t *ill, ip_recv_attr_t *ira,
+ boolean_t allocate, ip_stack_t *ipst)
+{
+ int match_flags = MATCH_IRE_SECATTR | MATCH_IRE_ILL;
+ ire_t *ire;
+
+ ASSERT(IN6_IS_ADDR_LINKLOCAL(nexthop));
+ ire = ire_route_recursive_v6(nexthop, 0, ill, ALL_ZONES, ira->ira_tsl,
+ match_flags, allocate, ira->ira_xmit_hint, ipst, NULL, NULL, NULL);
+ if (!(ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
+ !IS_UNDER_IPMP(ill))
+ return (ire);
+
+ /*
+ * When we are using IMP we need to look for an IRE on both the
+ * under and upper interfaces since there are different
+ * link-local addresses for the under and upper.
+ */
+ ill = ipmp_ill_hold_ipmp_ill(ill);
+ if (ill == NULL)
+ return (ire);
+
+ ira->ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+
+ ire_refrele(ire);
+ ire = ire_route_recursive_v6(nexthop, 0, ill, ALL_ZONES, ira->ira_tsl,
+ match_flags, allocate, ira->ira_xmit_hint, ipst, NULL, NULL, NULL);
+ ill_refrele(ill);
+ return (ire);
+}
+
+/*
+ * This is the tail-end of the full receive side packet handling.
+ * It can be used directly when the configuration is simple.
+ */
+void
+ill_input_short_v6(mblk_t *mp, void *iph_arg, void *nexthop_arg,
+ ip_recv_attr_t *ira, rtc_t *rtc)
+{
+ ire_t *ire;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ uint_t pkt_len;
+ ssize_t len;
+ ip6_t *ip6h = (ip6_t *)iph_arg;
+ in6_addr_t nexthop = *(in6_addr_t *)nexthop_arg;
+ ilb_stack_t *ilbs = ipst->ips_netstack->netstack_ilb;
+#define rptr ((uchar_t *)ip6h)
+
+ ASSERT(DB_TYPE(mp) == M_DATA);
+
+ /*
+ * Check for source/dest being a bad address: loopback, any, or
+ * v4mapped. All of them start with a 64 bits of zero.
+ */
+ if (ip6h->ip6_src.s6_addr32[0] == 0 &&
+ ip6h->ip6_src.s6_addr32[1] == 0) {
+ if (ip6_bad_address(&ip6h->ip6_src, B_TRUE)) {
+ ip1dbg(("ip_input_v6: pkt with bad src addr\n"));
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInAddrErrors);
+ ip_drop_input("ipIfStatsInAddrErrors", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ }
+ if (ip6h->ip6_dst.s6_addr32[0] == 0 &&
+ ip6h->ip6_dst.s6_addr32[1] == 0) {
+ if (ip6_bad_address(&ip6h->ip6_dst, B_FALSE)) {
+ ip1dbg(("ip_input_v6: pkt with bad dst addr\n"));
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInAddrErrors);
+ ip_drop_input("ipIfStatsInAddrErrors", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ }
+
+ len = mp->b_wptr - rptr;
+ pkt_len = ira->ira_pktlen;
+
+ /* multiple mblk or too short */
+ len -= pkt_len;
+ if (len != 0) {
+ mp = ip_check_length(mp, rptr, len, pkt_len, IPV6_HDR_LEN, ira);
+ if (mp == NULL)
+ return;
+ ip6h = (ip6_t *)mp->b_rptr;
+ }
+
+ DTRACE_IP7(receive, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
+ ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *, ip6h,
+ int, 0);
+ /*
+ * The event for packets being received from a 'physical'
+ * interface is placed after validation of the source and/or
+ * destination address as being local so that packets can be
+ * redirected to loopback addresses using ipnat.
+ */
+ DTRACE_PROBE4(ip6__physical__in__start,
+ ill_t *, ill, ill_t *, NULL,
+ ip6_t *, ip6h, mblk_t *, mp);
+
+ if (HOOKS6_INTERESTED_PHYSICAL_IN(ipst)) {
+ int ll_multicast = 0;
+ int error;
+ in6_addr_t orig_dst = ip6h->ip6_dst;
+
+ if (ira->ira_flags & IRAF_L2DST_MULTICAST)
+ ll_multicast = HPE_MULTICAST;
+ else if (ira->ira_flags & IRAF_L2DST_BROADCAST)
+ ll_multicast = HPE_BROADCAST;
+
+ FW_HOOKS6(ipst->ips_ip6_physical_in_event,
+ ipst->ips_ipv6firewall_physical_in,
+ ill, NULL, ip6h, mp, mp, ll_multicast, ipst, error);
+
+ DTRACE_PROBE1(ip6__physical__in__end, mblk_t *, mp);
+
+ if (mp == NULL)
+ return;
+
+ /* The length could have changed */
+ ip6h = (ip6_t *)mp->b_rptr;
+ ira->ira_pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
+ pkt_len = ira->ira_pktlen;
+
+ /*
+ * In case the destination changed we override any previous
+ * change to nexthop.
+ */
+ if (!IN6_ARE_ADDR_EQUAL(&orig_dst, &ip6h->ip6_dst))
+ nexthop = ip6h->ip6_dst;
+
+ if (IN6_IS_ADDR_UNSPECIFIED(&nexthop)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInAddrErrors);
+ ip_drop_input("ipIfStatsInAddrErrors", mp, ill);
+ freemsg(mp);
+ return;
+ }
+
+ }
+
+ if (ipst->ips_ip6_observe.he_interested) {
+ zoneid_t dzone;
+
+ /*
+ * On the inbound path the src zone will be unknown as
+ * this packet has come from the wire.
+ */
+ dzone = ip_get_zoneid_v6(&nexthop, mp, ill, ira, ALL_ZONES);
+ ipobs_hook(mp, IPOBS_HOOK_INBOUND, ALL_ZONES, dzone, ill, ipst);
+ }
+
+ if ((ip6h->ip6_vcf & IPV6_VERS_AND_FLOW_MASK) !=
+ IPV6_DEFAULT_VERS_AND_FLOW) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInWrongIPVersion);
+ ip_drop_input("ipIfStatsInWrongIPVersion", mp, ill);
+ freemsg(mp);
+ return;
+ }
+
+ /*
+ * For IPv6 we update ira_ip_hdr_length and ira_protocol as
+ * we parse the headers, starting with the hop-by-hop options header.
+ */
+ ira->ira_ip_hdr_length = IPV6_HDR_LEN;
+ if ((ira->ira_protocol = ip6h->ip6_nxt) == IPPROTO_HOPOPTS) {
+ ip6_hbh_t *hbhhdr;
+ uint_t ehdrlen;
+ uint8_t *optptr;
+
+ if (pkt_len < IPV6_HDR_LEN + MIN_EHDR_LEN) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
+ ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ if (mp->b_cont != NULL &&
+ rptr + IPV6_HDR_LEN + MIN_EHDR_LEN > mp->b_wptr) {
+ ip6h = ip_pullup(mp, IPV6_HDR_LEN + MIN_EHDR_LEN, ira);
+ if (ip6h == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ }
+ hbhhdr = (ip6_hbh_t *)&ip6h[1];
+ ehdrlen = 8 * (hbhhdr->ip6h_len + 1);
+
+ if (pkt_len < IPV6_HDR_LEN + ehdrlen) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
+ ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ if (mp->b_cont != NULL &&
+ rptr + IPV6_HDR_LEN + ehdrlen > mp->b_wptr) {
+ ip6h = ip_pullup(mp, IPV6_HDR_LEN + ehdrlen, ira);
+ if (ip6h == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ hbhhdr = (ip6_hbh_t *)&ip6h[1];
+ }
+
+ /*
+ * Update ira_ip_hdr_length to skip the hop-by-hop header
+ * once we get to ip_fanout_v6
+ */
+ ira->ira_ip_hdr_length += ehdrlen;
+ ira->ira_protocol = hbhhdr->ip6h_nxt;
+
+ optptr = (uint8_t *)&hbhhdr[1];
+ switch (ip_process_options_v6(mp, ip6h, optptr,
+ ehdrlen - 2, IPPROTO_HOPOPTS, ira)) {
+ case -1:
+ /*
+ * Packet has been consumed and any
+ * needed ICMP messages sent.
+ */
+ return;
+ case 0:
+ /* no action needed */
+ break;
+ case 1:
+ /*
+ * Known router alert. Make use handle it as local
+ * by setting the nexthop to be the all-host multicast
+ * address, and skip multicast membership filter by
+ * marking as a router alert.
+ */
+ ira->ira_flags |= IRAF_ROUTER_ALERT;
+ nexthop = ipv6_all_hosts_mcast;
+ break;
+ }
+ }
+
+ /*
+ * Here we check to see if we machine is setup as
+ * L3 loadbalancer and if the incoming packet is for a VIP
+ *
+ * Check the following:
+ * - there is at least a rule
+ * - protocol of the packet is supported
+ *
+ * We don't load balance IPv6 link-locals.
+ */
+ if (ilb_has_rules(ilbs) && ILB_SUPP_L4(ira->ira_protocol) &&
+ !IN6_IS_ADDR_LINKLOCAL(&nexthop)) {
+ in6_addr_t lb_dst;
+ int lb_ret;
+
+ /* For convenience, we just pull up the mblk. */
+ if (mp->b_cont != NULL) {
+ if (pullupmsg(mp, -1) == 0) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - pullupmsg",
+ mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ip6h = (ip6_t *)mp->b_rptr;
+ }
+ lb_ret = ilb_check_v6(ilbs, ill, mp, ip6h, ira->ira_protocol,
+ (uint8_t *)ip6h + ira->ira_ip_hdr_length, &lb_dst);
+ if (lb_ret == ILB_DROPPED) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ILB_DROPPED", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ if (lb_ret == ILB_BALANCED) {
+ /* Set the dst to that of the chosen server */
+ nexthop = lb_dst;
+ DB_CKSUMFLAGS(mp) = 0;
+ }
+ }
+
+ /* Can not use route cache with TX since the labels can differ */
+ if (ira->ira_flags & IRAF_SYSTEM_LABELED) {
+ if (IN6_IS_ADDR_MULTICAST(&nexthop)) {
+ ire = ire_multicast(ill);
+ } else if (IN6_IS_ADDR_LINKLOCAL(&nexthop)) {
+ ire = ire_linklocal(&nexthop, ill, ira,
+ (ill->ill_flags & ILLF_ROUTER), ipst);
+ } else {
+ /* Match destination and label */
+ ire = ire_route_recursive_v6(&nexthop, 0, NULL,
+ ALL_ZONES, ira->ira_tsl, MATCH_IRE_SECATTR,
+ (ill->ill_flags & ILLF_ROUTER), ira->ira_xmit_hint,
+ ipst, NULL, NULL, NULL);
+ }
+ /* Update the route cache so we do the ire_refrele */
+ ASSERT(ire != NULL);
+ if (rtc->rtc_ire != NULL)
+ ire_refrele(rtc->rtc_ire);
+ rtc->rtc_ire = ire;
+ rtc->rtc_ip6addr = nexthop;
+ } else if (IN6_ARE_ADDR_EQUAL(&nexthop, &rtc->rtc_ip6addr)) {
+ /* Use the route cache */
+ ASSERT(rtc->rtc_ire != NULL);
+ ire = rtc->rtc_ire;
+ } else {
+ /* Update the route cache */
+ if (IN6_IS_ADDR_MULTICAST(&nexthop)) {
+ ire = ire_multicast(ill);
+ } else if (IN6_IS_ADDR_LINKLOCAL(&nexthop)) {
+ ire = ire_linklocal(&nexthop, ill, ira,
+ (ill->ill_flags & ILLF_ROUTER), ipst);
+ } else {
+ ire = ire_route_recursive_dstonly_v6(&nexthop,
+ (ill->ill_flags & ILLF_ROUTER), ira->ira_xmit_hint,
+ ipst);
+ }
+ ASSERT(ire != NULL);
+ if (rtc->rtc_ire != NULL)
+ ire_refrele(rtc->rtc_ire);
+ rtc->rtc_ire = ire;
+ rtc->rtc_ip6addr = nexthop;
+ }
+
+ ire->ire_ib_pkt_count++;
+
+ /*
+ * Based on ire_type and ire_flags call one of:
+ * ire_recv_local_v6 - for IRE_LOCAL
+ * ire_recv_loopback_v6 - for IRE_LOOPBACK
+ * ire_recv_multirt_v6 - if RTF_MULTIRT
+ * ire_recv_noroute_v6 - if RTF_REJECT or RTF_BLACHOLE
+ * ire_recv_multicast_v6 - for IRE_MULTICAST
+ * ire_recv_noaccept_v6 - for ire_noaccept ones
+ * ire_recv_forward_v6 - for the rest.
+ */
+
+ (*ire->ire_recvfn)(ire, mp, ip6h, ira);
+}
+#undef rptr
+
+/*
+ * ire_recvfn for IREs that need forwarding
+ */
+void
+ire_recv_forward_v6(ire_t *ire, mblk_t *mp, void *iph_arg, ip_recv_attr_t *ira)
+{
+ ip6_t *ip6h = (ip6_t *)iph_arg;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ iaflags_t iraflags = ira->ira_flags;
+ ill_t *dst_ill;
+ nce_t *nce;
+ uint32_t added_tx_len;
+ uint32_t mtu, iremtu;
+
+ if (iraflags & (IRAF_L2DST_MULTICAST|IRAF_L2DST_BROADCAST)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ ip_drop_input("l2 multicast not forwarded", mp, ill);
+ freemsg(mp);
+ return;
+ }
+
+ if (!(ill->ill_flags & ILLF_ROUTER)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ ip_drop_input("ipIfStatsForwProhibits", mp, ill);
+ freemsg(mp);
+ return;
+ }
+
+ /*
+ * Either ire_nce_capable or ire_dep_parent would be set for the IRE
+ * when it is found by ire_route_recursive, but that some other thread
+ * could have changed the routes with the effect of clearing
+ * ire_dep_parent. In that case we'd end up dropping the packet, or
+ * finding a new nce below.
+ * Get, allocate, or update the nce.
+ * We get a refhold on ire_nce_cache as a result of this to avoid races
+ * where ire_nce_cache is deleted.
+ *
+ * This ensures that we don't forward if the interface is down since
+ * ipif_down removes all the nces.
+ */
+ mutex_enter(&ire->ire_lock);
+ nce = ire->ire_nce_cache;
+ if (nce == NULL) {
+ /* Not yet set up - try to set one up */
+ mutex_exit(&ire->ire_lock);
+ (void) ire_revalidate_nce(ire);
+ mutex_enter(&ire->ire_lock);
+ nce = ire->ire_nce_cache;
+ if (nce == NULL) {
+ mutex_exit(&ire->ire_lock);
+ /* The ire_dep_parent chain went bad, or no memory */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("No ire_dep_parent", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ }
+ nce_refhold(nce);
+ mutex_exit(&ire->ire_lock);
+
+ if (nce->nce_is_condemned) {
+ nce_t *nce1;
+
+ nce1 = ire_handle_condemned_nce(nce, ire, NULL, ip6h, B_FALSE);
+ nce_refrele(nce);
+ if (nce1 == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("No nce", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ nce = nce1;
+ }
+ dst_ill = nce->nce_ill;
+
+ /*
+ * Unless we are forwarding, drop the packet.
+ * Unlike IPv4 we don't allow source routed packets out the same
+ * interface when we are not a router.
+ * Note that ill_forward_set() will set the ILLF_ROUTER on
+ * all the group members when it gets an ipmp-ill or under-ill.
+ */
+ if (!(dst_ill->ill_flags & ILLF_ROUTER)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ ip_drop_input("ipIfStatsForwProhibits", mp, ill);
+ freemsg(mp);
+ nce_refrele(nce);
+ return;
+ }
+
+ if (ire->ire_zoneid != GLOBAL_ZONEID && ire->ire_zoneid != ALL_ZONES) {
+ ire->ire_ib_pkt_count--;
+ /*
+ * Should only use IREs that are visible from the
+ * global zone for forwarding.
+ * For IPv6 any source route would have already been
+ * advanced in ip_fanout_v6
+ */
+ ire = ire_route_recursive_v6(&ip6h->ip6_dst, 0, NULL,
+ GLOBAL_ZONEID, ira->ira_tsl, MATCH_IRE_SECATTR,
+ (ill->ill_flags & ILLF_ROUTER), ira->ira_xmit_hint, ipst,
+ NULL, NULL, NULL);
+ ire->ire_ib_pkt_count++;
+ (*ire->ire_recvfn)(ire, mp, ip6h, ira);
+ ire_refrele(ire);
+ nce_refrele(nce);
+ return;
+ }
+ /*
+ * ipIfStatsHCInForwDatagrams should only be increment if there
+ * will be an attempt to forward the packet, which is why we
+ * increment after the above condition has been checked.
+ */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInForwDatagrams);
+
+ /* Initiate Read side IPPF processing */
+ if (IPP_ENABLED(IPP_FWD_IN, ipst)) {
+ /* ip_process translates an IS_UNDER_IPMP */
+ mp = ip_process(IPP_FWD_IN, mp, ill, ill);
+ if (mp == NULL) {
+ /* ip_drop_packet and MIB done */
+ ip2dbg(("ire_recv_forward_v6: pkt dropped/deferred "
+ "during IPPF processing\n"));
+ nce_refrele(nce);
+ return;
+ }
+ }
+
+ DTRACE_PROBE4(ip6__forwarding__start,
+ ill_t *, ill, ill_t *, dst_ill, ip6_t *, ip6h, mblk_t *, mp);
+
+ if (HOOKS6_INTERESTED_FORWARDING(ipst)) {
+ int error;
+
+ FW_HOOKS(ipst->ips_ip6_forwarding_event,
+ ipst->ips_ipv6firewall_forwarding,
+ ill, dst_ill, ip6h, mp, mp, 0, ipst, error);
+
+ DTRACE_PROBE1(ip6__forwarding__end, mblk_t *, mp);
+
+ if (mp == NULL) {
+ nce_refrele(nce);
+ return;
+ }
+ /*
+ * Even if the destination was changed by the filter we use the
+ * forwarding decision that was made based on the address
+ * in ip_input.
+ */
+
+ /* Might have changed */
+ ip6h = (ip6_t *)mp->b_rptr;
+ ira->ira_pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
+ }
+
+ /* Packet is being forwarded. Turning off hwcksum flag. */
+ DB_CKSUMFLAGS(mp) = 0;
+
+ /*
+ * Per RFC 3513 section 2.5.2, we must not forward packets with
+ * an unspecified source address.
+ * The loopback address check for both src and dst has already
+ * been checked in ip_input_v6
+ * In the future one can envision adding RPF checks using number 3.
+ */
+ switch (ipst->ips_src_check) {
+ case 0:
+ break;
+ case 1:
+ case 2:
+ if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src) ||
+ IN6_IS_ADDR_MULTICAST(&ip6h->ip6_src)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInAddrErrors);
+ ip_drop_input("ipIfStatsInAddrErrors", mp, ill);
+ nce_refrele(nce);
+ freemsg(mp);
+ return;
+ }
+ break;
+ }
+
+ /*
+ * Check to see if we're forwarding the packet to a
+ * different link from which it came. If so, check the
+ * source and destination addresses since routers must not
+ * forward any packets with link-local source or
+ * destination addresses to other links. Otherwise (if
+ * we're forwarding onto the same link), conditionally send
+ * a redirect message.
+ */
+ if (!IS_ON_SAME_LAN(dst_ill, ill)) {
+ if (IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_dst) ||
+ IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInAddrErrors);
+ ip_drop_input("ipIfStatsInAddrErrors", mp, ill);
+ freemsg(mp);
+ nce_refrele(nce);
+ return;
+ }
+ /* TBD add site-local check at site boundary? */
+ } else if (ipst->ips_ipv6_send_redirects) {
+ ip_send_potential_redirect_v6(mp, ip6h, ire, ira);
+ }
+
+ added_tx_len = 0;
+ if (iraflags & IRAF_SYSTEM_LABELED) {
+ mblk_t *mp1;
+ uint32_t old_pkt_len = ira->ira_pktlen;
+
+ /*
+ * Check if it can be forwarded and add/remove
+ * CIPSO options as needed.
+ */
+ if ((mp1 = tsol_ip_forward(ire, mp, ira)) == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ ip_drop_input("tsol_ip_forward", mp, ill);
+ freemsg(mp);
+ nce_refrele(nce);
+ return;
+ }
+ /*
+ * Size may have changed. Remember amount added in case
+ * ip_fragment needs to send an ICMP too big.
+ */
+ mp = mp1;
+ ip6h = (ip6_t *)mp->b_rptr;
+ ira->ira_pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
+ ira->ira_ip_hdr_length = IPV6_HDR_LEN;
+ if (ira->ira_pktlen > old_pkt_len)
+ added_tx_len = ira->ira_pktlen - old_pkt_len;
+ }
+
+ mtu = dst_ill->ill_mtu;
+ if ((iremtu = ire->ire_metrics.iulp_mtu) != 0 && iremtu < mtu)
+ mtu = iremtu;
+ ip_forward_xmit_v6(nce, mp, ip6h, ira, mtu, added_tx_len);
+ nce_refrele(nce);
+ return;
+
+}
+
+/*
+ * Used for sending out unicast and multicast packets that are
+ * forwarded.
+ */
+void
+ip_forward_xmit_v6(nce_t *nce, mblk_t *mp, ip6_t *ip6h, ip_recv_attr_t *ira,
+ uint32_t mtu, uint32_t added_tx_len)
+{
+ ill_t *dst_ill = nce->nce_ill;
+ uint32_t pkt_len;
+ iaflags_t iraflags = ira->ira_flags;
+ ip_stack_t *ipst = dst_ill->ill_ipst;
+
+ if (ip6h->ip6_hops-- <= 1) {
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ICMP6_TIME_EXCEED_TRANSIT", mp, ira->ira_ill);
+ icmp_time_exceeded_v6(mp, ICMP6_TIME_EXCEED_TRANSIT, B_FALSE,
+ ira);
+ return;
+ }
+
+ /* Initiate Write side IPPF processing before any fragmentation */
+ if (IPP_ENABLED(IPP_FWD_OUT, ipst)) {
+ /* ip_process translates an IS_UNDER_IPMP */
+ mp = ip_process(IPP_FWD_OUT, mp, dst_ill, dst_ill);
+ if (mp == NULL) {
+ /* ip_drop_packet and MIB done */
+ ip2dbg(("ire_recv_forward_v6: pkt dropped/deferred" \
+ " during IPPF processing\n"));
+ return;
+ }
+ }
+
+ pkt_len = ira->ira_pktlen;
+
+ BUMP_MIB(dst_ill->ill_ip_mib, ipIfStatsHCOutForwDatagrams);
+
+ if (pkt_len > mtu) {
+ BUMP_MIB(dst_ill->ill_ip_mib, ipIfStatsOutFragFails);
+ ip_drop_output("ipIfStatsOutFragFails", mp, dst_ill);
+ if (iraflags & IRAF_SYSTEM_LABELED) {
+ /*
+ * Remove any CIPSO option added by
+ * tsol_ip_forward, and make sure we report
+ * a path MTU so that there
+ * is room to add such a CIPSO option for future
+ * packets.
+ */
+ mtu = tsol_pmtu_adjust(mp, mtu, added_tx_len, AF_INET6);
+ }
+ icmp_pkt2big_v6(mp, mtu, B_TRUE, ira);
+ return;
+ }
+
+ ASSERT(pkt_len ==
+ ntohs(((ip6_t *)mp->b_rptr)->ip6_plen) + IPV6_HDR_LEN);
+
+ if (iraflags & IRAF_LOOPBACK_COPY) {
+ /*
+ * IXAF_NO_LOOP_ZONEID is not set hence 6th arg
+ * is don't care
+ */
+ (void) ip_postfrag_loopcheck(mp, nce,
+ (IXAF_LOOPBACK_COPY | IXAF_NO_DEV_FLOW_CTL),
+ pkt_len, ira->ira_xmit_hint, GLOBAL_ZONEID, 0, NULL);
+ } else {
+ (void) ip_xmit(mp, nce, IXAF_NO_DEV_FLOW_CTL,
+ pkt_len, ira->ira_xmit_hint, GLOBAL_ZONEID, 0, NULL);
+ }
+}
+
+/*
+ * ire_recvfn for RTF_REJECT and RTF_BLACKHOLE routes, including IRE_NOROUTE,
+ * which is what ire_route_recursive returns when there is no matching ire.
+ * Send ICMP unreachable unless blackhole.
+ */
+void
+ire_recv_noroute_v6(ire_t *ire, mblk_t *mp, void *iph_arg, ip_recv_attr_t *ira)
+{
+ ip6_t *ip6h = (ip6_t *)iph_arg;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+
+ /* Would we have forwarded this packet if we had a route? */
+ if (ira->ira_flags & (IRAF_L2DST_MULTICAST|IRAF_L2DST_BROADCAST)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ ip_drop_input("l2 multicast not forwarded", mp, ill);
+ freemsg(mp);
+ return;
+ }
+
+ if (!(ill->ill_flags & ILLF_ROUTER)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ ip_drop_input("ipIfStatsForwProhibits", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ /*
+ * If we had a route this could have been forwarded. Count as such.
+ *
+ * ipIfStatsHCInForwDatagrams should only be increment if there
+ * will be an attempt to forward the packet, which is why we
+ * increment after the above condition has been checked.
+ */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInForwDatagrams);
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInNoRoutes);
+
+ ip_rts_change_v6(RTM_MISS, &ip6h->ip6_dst, 0, 0, 0, 0, 0, 0, RTA_DST,
+ ipst);
+
+ if (ire->ire_flags & RTF_BLACKHOLE) {
+ ip_drop_input("ipIfStatsInNoRoutes RTF_BLACKHOLE", mp, ill);
+ freemsg(mp);
+ } else {
+ ip_drop_input("ipIfStatsInNoRoutes RTF_REJECT", mp, ill);
+
+ icmp_unreachable_v6(mp, ICMP6_DST_UNREACH_NOROUTE, B_FALSE,
+ ira);
+ }
+}
+
+/*
+ * ire_recvfn for IRE_LOCALs marked with ire_noaccept. Such IREs are used for
+ * VRRP when in noaccept mode.
+ * We silently drop packets except for Neighbor Solicitations and
+ * Neighbor Advertisements.
+ */
+void
+ire_recv_noaccept_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_recv_attr_t *ira)
+{
+ ip6_t *ip6h = (ip6_t *)iph_arg;
+ ill_t *ill = ira->ira_ill;
+ icmp6_t *icmp6;
+ int ip_hdr_length;
+
+ if (ip6h->ip6_nxt != IPPROTO_ICMPV6) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - noaccept", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ip_hdr_length = ira->ira_ip_hdr_length;
+ if ((mp->b_wptr - mp->b_rptr) < (ip_hdr_length + ICMP6_MINLEN)) {
+ if (ira->ira_pktlen < (ip_hdr_length + ICMP6_MINLEN)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
+ ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ip6h = ip_pullup(mp, ip_hdr_length + ICMP6_MINLEN, ira);
+ if (ip6h == NULL) {
+ BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInErrors);
+ freemsg(mp);
+ return;
+ }
+ }
+ icmp6 = (icmp6_t *)(&mp->b_rptr[ip_hdr_length]);
+
+ if (icmp6->icmp6_type != ND_NEIGHBOR_SOLICIT &&
+ icmp6->icmp6_type != ND_NEIGHBOR_ADVERT) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - noaccept", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ire_recv_local_v6(ire, mp, ip6h, ira);
+}
+
+/*
+ * ire_recvfn for IRE_MULTICAST.
+ */
+void
+ire_recv_multicast_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_recv_attr_t *ira)
+{
+ ip6_t *ip6h = (ip6_t *)iph_arg;
+ ill_t *ill = ira->ira_ill;
+
+ ASSERT(ire->ire_ill == ira->ira_ill);
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInMcastPkts);
+ UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInMcastOctets, ira->ira_pktlen);
+
+ /* Tag for higher-level protocols */
+ ira->ira_flags |= IRAF_MULTICAST;
+
+ /*
+ * So that we don't end up with dups, only one ill an IPMP group is
+ * nominated to receive multicast traffic.
+ * If we have no cast_ill we are liberal and accept everything.
+ */
+ if (IS_UNDER_IPMP(ill)) {
+ ip_stack_t *ipst = ill->ill_ipst;
+
+ /* For an under ill_grp can change under lock */
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
+ if (!ill->ill_nom_cast && ill->ill_grp != NULL &&
+ ill->ill_grp->ig_cast_ill != NULL) {
+ rw_exit(&ipst->ips_ill_g_lock);
+ ip_drop_input("not on cast ill", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ rw_exit(&ipst->ips_ill_g_lock);
+ /*
+ * We switch to the upper ill so that mrouter and hasmembers
+ * can operate on upper here and in ip_input_multicast.
+ */
+ ill = ipmp_ill_hold_ipmp_ill(ill);
+ if (ill != NULL) {
+ ASSERT(ill != ira->ira_ill);
+ ASSERT(ire->ire_ill == ira->ira_ill);
+ ira->ira_ill = ill;
+ ira->ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+ } else {
+ ill = ira->ira_ill;
+ }
+ }
+
+#ifdef notdef
+ /*
+ * Check if we are a multicast router - send ip_mforward a copy of
+ * the packet.
+ * Due to mroute_decap tunnels we consider forwarding packets even if
+ * mrouted has not joined the allmulti group on this interface.
+ */
+ if (ipst->ips_ip_g_mrouter) {
+ int retval;
+
+ /*
+ * Clear the indication that this may have hardware
+ * checksum as we are not using it for forwarding.
+ */
+ DB_CKSUMFLAGS(mp) = 0;
+
+ /*
+ * ip_mforward helps us make these distinctions: If received
+ * on tunnel and not IGMP, then drop.
+ * If IGMP packet, then don't check membership
+ * If received on a phyint and IGMP or PIM, then
+ * don't check membership
+ */
+ retval = ip_mforward_v6(mp, ira);
+ /* ip_mforward updates mib variables if needed */
+
+ switch (retval) {
+ case 0:
+ /*
+ * pkt is okay and arrived on phyint.
+ */
+ break;
+ case -1:
+ /* pkt is mal-formed, toss it */
+ freemsg(mp);
+ goto done;
+ case 1:
+ /*
+ * pkt is okay and arrived on a tunnel
+ *
+ * If we are running a multicast router
+ * we need to see all mld packets, which
+ * are marked with router alerts.
+ */
+ if (ira->ira_flags & IRAF_ROUTER_ALERT)
+ goto forus;
+ ip_drop_input("Multicast on tunnel ignored", mp, ill);
+ freemsg(mp);
+ goto done;
+ }
+ }
+#endif /* notdef */
+
+ /*
+ * If this was a router alert we skip the group membership check.
+ */
+ if (ira->ira_flags & IRAF_ROUTER_ALERT)
+ goto forus;
+
+ /*
+ * Check if we have members on this ill. This is not necessary for
+ * correctness because even if the NIC/GLD had a leaky filter, we
+ * filter before passing to each conn_t.
+ */
+ if (!ill_hasmembers_v6(ill, &ip6h->ip6_dst)) {
+ /*
+ * Nobody interested
+ *
+ * This might just be caused by the fact that
+ * multiple IP Multicast addresses map to the same
+ * link layer multicast - no need to increment counter!
+ */
+ ip_drop_input("Multicast with no members", mp, ill);
+ freemsg(mp);
+ goto done;
+ }
+forus:
+ ip2dbg(("ire_recv_multicast_v6: multicast for us\n"));
+
+ /*
+ * After reassembly and IPsec we will need to duplicate the
+ * multicast packet for all matching zones on the ill.
+ */
+ ira->ira_zoneid = ALL_ZONES;
+
+ /* Reassemble on the ill on which the packet arrived */
+ ip_input_local_v6(ire, mp, ip6h, ira);
+done:
+ if (ill != ire->ire_ill) {
+ ill_refrele(ill);
+ ira->ira_ill = ire->ire_ill;
+ ira->ira_ruifindex = ira->ira_ill->ill_phyint->phyint_ifindex;
+ }
+}
+
+/*
+ * ire_recvfn for IRE_OFFLINK with RTF_MULTIRT.
+ * Drop packets since we don't forward out multirt routes.
+ */
+/* ARGSUSED */
+void
+ire_recv_multirt_v6(ire_t *ire, mblk_t *mp, void *iph_arg, ip_recv_attr_t *ira)
+{
+ ill_t *ill = ira->ira_ill;
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInNoRoutes);
+ ip_drop_input("Not forwarding out MULTIRT", mp, ill);
+ freemsg(mp);
+}
+
+/*
+ * ire_recvfn for IRE_LOOPBACK. This is only used when a FW_HOOK
+ * has rewritten the packet to have a loopback destination address (We
+ * filter out packet with a loopback destination from arriving over the wire).
+ * We don't know what zone to use, thus we always use the GLOBAL_ZONEID.
+ */
+void
+ire_recv_loopback_v6(ire_t *ire, mblk_t *mp, void *iph_arg, ip_recv_attr_t *ira)
+{
+ ip6_t *ip6h = (ip6_t *)iph_arg;
+ ill_t *ill = ira->ira_ill;
+ ill_t *ire_ill = ire->ire_ill;
+
+ ira->ira_zoneid = GLOBAL_ZONEID;
+
+ /* Switch to the lo0 ill for further processing */
+ if (ire_ill != ill) {
+ /*
+ * Update ira_ill to be the ILL on which the IP address
+ * is hosted.
+ * No need to hold the ill since we have a hold on the ire
+ */
+ ASSERT(ira->ira_ill == ira->ira_rill);
+ ira->ira_ill = ire_ill;
+
+ ip_input_local_v6(ire, mp, ip6h, ira);
+
+ /* Restore */
+ ASSERT(ira->ira_ill == ire_ill);
+ ira->ira_ill = ill;
+ return;
+
+ }
+ ip_input_local_v6(ire, mp, ip6h, ira);
+}
+
+/*
+ * ire_recvfn for IRE_LOCAL.
+ */
+void
+ire_recv_local_v6(ire_t *ire, mblk_t *mp, void *iph_arg, ip_recv_attr_t *ira)
+{
+ ip6_t *ip6h = (ip6_t *)iph_arg;
+ ill_t *ill = ira->ira_ill;
+ ill_t *ire_ill = ire->ire_ill;
+
+ /* Make a note for DAD that this address is in use */
+ ire->ire_last_used_time = lbolt;
+
+ /* Only target the IRE_LOCAL with the right zoneid. */
+ ira->ira_zoneid = ire->ire_zoneid;
+
+ /*
+ * If the packet arrived on the wrong ill, we check that
+ * this is ok.
+ * If it is, then we ensure that we do the reassembly on
+ * the ill on which the address is hosted. We keep ira_rill as
+ * the one on which the packet arrived, so that IP_PKTINFO and
+ * friends can report this.
+ */
+ if (ire_ill != ill) {
+ ire_t *new_ire;
+
+ new_ire = ip_check_multihome(&ip6h->ip6_dst, ire, ill);
+ if (new_ire == NULL) {
+ /* Drop packet */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ ip_drop_input("ipIfStatsInForwProhibits", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ /*
+ * Update ira_ill to be the ILL on which the IP address
+ * is hosted. No need to hold the ill since we have a
+ * hold on the ire. Note that we do the switch even if
+ * new_ire == ire (for IPMP, ire would be the one corresponding
+ * to the IPMP ill).
+ */
+ ASSERT(ira->ira_ill == ira->ira_rill);
+ ira->ira_ill = new_ire->ire_ill;
+
+ /* ira_ruifindex tracks the upper for ira_rill */
+ if (IS_UNDER_IPMP(ill))
+ ira->ira_ruifindex = ill_get_upper_ifindex(ill);
+
+ ip_input_local_v6(new_ire, mp, ip6h, ira);
+
+ /* Restore */
+ ASSERT(ira->ira_ill == new_ire->ire_ill);
+ ira->ira_ill = ill;
+ ira->ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+
+ if (new_ire != ire)
+ ire_refrele(new_ire);
+ return;
+ }
+
+ ip_input_local_v6(ire, mp, ip6h, ira);
+}
+
+/*
+ * Common function for packets arriving for the host. Handles
+ * checksum verification, reassembly checks, etc.
+ */
+static void
+ip_input_local_v6(ire_t *ire, mblk_t *mp, ip6_t *ip6h, ip_recv_attr_t *ira)
+{
+ iaflags_t iraflags = ira->ira_flags;
+
+ /*
+ * For multicast we need some extra work before
+ * we call ip_fanout_v6(), since in the case of shared-IP zones
+ * we need to pretend that a packet arrived for each zoneid.
+ */
+ if (iraflags & IRAF_MULTICAST) {
+ ip_input_multicast_v6(ire, mp, ip6h, ira);
+ return;
+ }
+ ip_fanout_v6(mp, ip6h, ira);
+}
+
+/*
+ * Handle multiple zones which want to receive the same multicast packets
+ * on this ill by delivering a packet to each of them.
+ *
+ * Note that for packets delivered to transports we could instead do this
+ * as part of the fanout code, but since we need to handle icmp_inbound
+ * it is simpler to have multicast work the same as IPv4 broadcast.
+ *
+ * The ip_fanout matching for multicast matches based on ilm independent of
+ * zoneid since the zoneid restriction is applied when joining a multicast
+ * group.
+ */
+/* ARGSUSED */
+static void
+ip_input_multicast_v6(ire_t *ire, mblk_t *mp, ip6_t *ip6h, ip_recv_attr_t *ira)
+{
+ ill_t *ill = ira->ira_ill;
+ iaflags_t iraflags = ira->ira_flags;
+ ip_stack_t *ipst = ill->ill_ipst;
+ netstack_t *ns = ipst->ips_netstack;
+ zoneid_t zoneid;
+ mblk_t *mp1;
+ ip6_t *ip6h1;
+
+ /* ire_recv_multicast has switched to the upper ill for IPMP */
+ ASSERT(!IS_UNDER_IPMP(ill));
+
+ /*
+ * If we don't have more than one shared-IP zone, or if
+ * there are no members in anything but the global zone,
+ * then just set the zoneid and proceed.
+ */
+ if (ns->netstack_numzones == 1 ||
+ !ill_hasmembers_otherzones_v6(ill, &ip6h->ip6_dst,
+ GLOBAL_ZONEID)) {
+ ira->ira_zoneid = GLOBAL_ZONEID;
+
+ /* If sender didn't want this zone to receive it, drop */
+ if ((iraflags & IRAF_NO_LOOP_ZONEID_SET) &&
+ ira->ira_no_loop_zoneid == ira->ira_zoneid) {
+ ip_drop_input("Multicast but wrong zoneid", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ip_fanout_v6(mp, ip6h, ira);
+ return;
+ }
+
+ /*
+ * Here we loop over all zoneids that have members in the group
+ * and deliver a packet to ip_fanout for each zoneid.
+ *
+ * First find any members in the lowest numeric zoneid by looking for
+ * first zoneid larger than -1 (ALL_ZONES).
+ * We terminate the loop when we receive -1 (ALL_ZONES).
+ */
+ zoneid = ill_hasmembers_nextzone_v6(ill, &ip6h->ip6_dst, ALL_ZONES);
+ for (; zoneid != ALL_ZONES;
+ zoneid = ill_hasmembers_nextzone_v6(ill, &ip6h->ip6_dst, zoneid)) {
+ /*
+ * Avoid an extra copymsg/freemsg by skipping global zone here
+ * and doing that at the end.
+ */
+ if (zoneid == GLOBAL_ZONEID)
+ continue;
+
+ ira->ira_zoneid = zoneid;
+
+ /* If sender didn't want this zone to receive it, skip */
+ if ((iraflags & IRAF_NO_LOOP_ZONEID_SET) &&
+ ira->ira_no_loop_zoneid == ira->ira_zoneid)
+ continue;
+
+ mp1 = copymsg(mp);
+ if (mp1 == NULL) {
+ /* Failed to deliver to one zone */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ continue;
+ }
+ ip6h1 = (ip6_t *)mp1->b_rptr;
+ ip_fanout_v6(mp1, ip6h1, ira);
+ }
+
+ /* Do the main ire */
+ ira->ira_zoneid = GLOBAL_ZONEID;
+ /* If sender didn't want this zone to receive it, drop */
+ if ((iraflags & IRAF_NO_LOOP_ZONEID_SET) &&
+ ira->ira_no_loop_zoneid == ira->ira_zoneid) {
+ ip_drop_input("Multicast but wrong zoneid", mp, ill);
+ freemsg(mp);
+ } else {
+ ip_fanout_v6(mp, ip6h, ira);
+ }
+}
+
+
+/*
+ * Determine the zoneid and IRAF_TX_MAC_EXEMPTABLE if trusted extensions
+ * is in use. Updates ira_zoneid and ira_flags as a result.
+ */
+static void
+ip_fanout_tx_v6(mblk_t *mp, ip6_t *ip6h, uint8_t protocol, uint_t ip_hdr_length,
+ ip_recv_attr_t *ira)
+{
+ uint16_t *up;
+ uint16_t lport;
+ zoneid_t zoneid;
+
+ ASSERT(ira->ira_flags & IRAF_SYSTEM_LABELED);
+
+ /*
+ * If the packet is unlabeled we might allow read-down
+ * for MAC_EXEMPT. Below we clear this if it is a multi-level
+ * port (MLP).
+ * Note that ira_tsl can be NULL here.
+ */
+ if (ira->ira_tsl != NULL && ira->ira_tsl->tsl_flags & TSLF_UNLABELED)
+ ira->ira_flags |= IRAF_TX_MAC_EXEMPTABLE;
+
+ if (ira->ira_zoneid != ALL_ZONES)
+ return;
+
+ ira->ira_flags |= IRAF_TX_SHARED_ADDR;
+
+ up = (uint16_t *)((uchar_t *)ip6h + ip_hdr_length);
+ switch (protocol) {
+ case IPPROTO_TCP:
+ case IPPROTO_SCTP:
+ case IPPROTO_UDP:
+ /* Caller ensures this */
+ ASSERT(((uchar_t *)ip6h) + ip_hdr_length +4 <= mp->b_wptr);
+
+ /*
+ * Only these transports support MLP.
+ * We know their destination port numbers is in
+ * the same place in the header.
+ */
+ lport = up[1];
+
+ /*
+ * No need to handle exclusive-stack zones
+ * since ALL_ZONES only applies to the shared IP instance.
+ */
+ zoneid = tsol_mlp_findzone(protocol, lport);
+ /*
+ * If no shared MLP is found, tsol_mlp_findzone returns
+ * ALL_ZONES. In that case, we assume it's SLP, and
+ * search for the zone based on the packet label.
+ *
+ * If there is such a zone, we prefer to find a
+ * connection in it. Otherwise, we look for a
+ * MAC-exempt connection in any zone whose label
+ * dominates the default label on the packet.
+ */
+ if (zoneid == ALL_ZONES)
+ zoneid = tsol_attr_to_zoneid(ira);
+ else
+ ira->ira_flags &= ~IRAF_TX_MAC_EXEMPTABLE;
+ break;
+ default:
+ /* Handle shared address for other protocols */
+ zoneid = tsol_attr_to_zoneid(ira);
+ break;
+ }
+ ira->ira_zoneid = zoneid;
+}
+
+/*
+ * Increment checksum failure statistics
+ */
+static void
+ip_input_cksum_err_v6(uint8_t protocol, uint16_t hck_flags, ill_t *ill)
+{
+ ip_stack_t *ipst = ill->ill_ipst;
+
+ switch (protocol) {
+ case IPPROTO_TCP:
+ BUMP_MIB(ill->ill_ip_mib, tcpIfStatsInErrs);
+
+ if (hck_flags & HCK_FULLCKSUM)
+ IP6_STAT(ipst, ip6_tcp_in_full_hw_cksum_err);
+ else if (hck_flags & HCK_PARTIALCKSUM)
+ IP6_STAT(ipst, ip6_tcp_in_part_hw_cksum_err);
+ else
+ IP6_STAT(ipst, ip6_tcp_in_sw_cksum_err);
+ break;
+ case IPPROTO_UDP:
+ BUMP_MIB(ill->ill_ip_mib, udpIfStatsInCksumErrs);
+ if (hck_flags & HCK_FULLCKSUM)
+ IP6_STAT(ipst, ip6_udp_in_full_hw_cksum_err);
+ else if (hck_flags & HCK_PARTIALCKSUM)
+ IP6_STAT(ipst, ip6_udp_in_part_hw_cksum_err);
+ else
+ IP6_STAT(ipst, ip6_udp_in_sw_cksum_err);
+ break;
+ case IPPROTO_ICMPV6:
+ BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInMsgs);
+ BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInErrors);
+ break;
+ default:
+ ASSERT(0);
+ break;
+ }
+}
+
+/* Calculate the IPv6 pseudo-header checksum for TCP, UDP, and ICMPV6 */
+uint32_t
+ip_input_cksum_pseudo_v6(ip6_t *ip6h, ip_recv_attr_t *ira)
+{
+ uint_t ulp_len;
+ uint32_t cksum;
+ uint8_t protocol = ira->ira_protocol;
+ uint16_t ip_hdr_length = ira->ira_ip_hdr_length;
+
+#define iphs ((uint16_t *)ip6h)
+
+ switch (protocol) {
+ case IPPROTO_TCP:
+ ulp_len = ira->ira_pktlen - ip_hdr_length;
+
+ /* Protocol and length */
+ cksum = htons(ulp_len) + IP_TCP_CSUM_COMP;
+ /* IP addresses */
+ cksum += iphs[4] + iphs[5] + iphs[6] + iphs[7] +
+ iphs[8] + iphs[9] + iphs[10] + iphs[11] +
+ iphs[12] + iphs[13] + iphs[14] + iphs[15] +
+ iphs[16] + iphs[17] + iphs[18] + iphs[19];
+ break;
+
+ case IPPROTO_UDP: {
+ udpha_t *udpha;
+
+ udpha = (udpha_t *)((uchar_t *)ip6h + ip_hdr_length);
+
+ /* Protocol and length */
+ cksum = udpha->uha_length + IP_UDP_CSUM_COMP;
+ /* IP addresses */
+ cksum += iphs[4] + iphs[5] + iphs[6] + iphs[7] +
+ iphs[8] + iphs[9] + iphs[10] + iphs[11] +
+ iphs[12] + iphs[13] + iphs[14] + iphs[15] +
+ iphs[16] + iphs[17] + iphs[18] + iphs[19];
+ break;
+ }
+ case IPPROTO_ICMPV6:
+ ulp_len = ira->ira_pktlen - ip_hdr_length;
+
+ /* Protocol and length */
+ cksum = htons(ulp_len) + IP_ICMPV6_CSUM_COMP;
+ /* IP addresses */
+ cksum += iphs[4] + iphs[5] + iphs[6] + iphs[7] +
+ iphs[8] + iphs[9] + iphs[10] + iphs[11] +
+ iphs[12] + iphs[13] + iphs[14] + iphs[15] +
+ iphs[16] + iphs[17] + iphs[18] + iphs[19];
+ break;
+ default:
+ cksum = 0;
+ break;
+ }
+#undef iphs
+ return (cksum);
+}
+
+
+/*
+ * Software verification of the ULP checksums.
+ * Returns B_TRUE if ok.
+ * Increments statistics of failed.
+ */
+static boolean_t
+ip_input_sw_cksum_v6(mblk_t *mp, ip6_t *ip6h, ip_recv_attr_t *ira)
+{
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
+ uint32_t cksum;
+ uint8_t protocol = ira->ira_protocol;
+ uint16_t ip_hdr_length = ira->ira_ip_hdr_length;
+
+ IP6_STAT(ipst, ip6_in_sw_cksum);
+
+ ASSERT(protocol == IPPROTO_TCP || protocol == IPPROTO_UDP ||
+ protocol == IPPROTO_ICMPV6);
+
+ cksum = ip_input_cksum_pseudo_v6(ip6h, ira);
+ cksum = IP_CSUM(mp, ip_hdr_length, cksum);
+ if (cksum == 0)
+ return (B_TRUE);
+
+ ip_input_cksum_err_v6(protocol, 0, ira->ira_ill);
+ return (B_FALSE);
+}
+
+/*
+ * Verify the ULP checksums.
+ * Returns B_TRUE if ok, or if the ULP doesn't have a well-defined checksum
+ * algorithm.
+ * Increments statistics if failed.
+ */
+static boolean_t
+ip_input_cksum_v6(iaflags_t iraflags, mblk_t *mp, ip6_t *ip6h,
+ ip_recv_attr_t *ira)
+{
+ ill_t *ill = ira->ira_rill;
+ uint16_t hck_flags;
+ uint32_t cksum;
+ mblk_t *mp1;
+ uint_t len;
+ uint8_t protocol = ira->ira_protocol;
+ uint16_t ip_hdr_length = ira->ira_ip_hdr_length;
+
+
+ switch (protocol) {
+ case IPPROTO_TCP:
+ case IPPROTO_ICMPV6:
+ break;
+
+ case IPPROTO_UDP: {
+ udpha_t *udpha;
+
+ udpha = (udpha_t *)((uchar_t *)ip6h + ip_hdr_length);
+ /*
+ * Before going through the regular checksum
+ * calculation, make sure the received checksum
+ * is non-zero. RFC 2460 says, a 0x0000 checksum
+ * in a UDP packet (within IPv6 packet) is invalid
+ * and should be replaced by 0xffff. This makes
+ * sense as regular checksum calculation will
+ * pass for both the cases i.e. 0x0000 and 0xffff.
+ * Removing one of the case makes error detection
+ * stronger.
+ */
+ if (udpha->uha_checksum == 0) {
+ /* 0x0000 checksum is invalid */
+ BUMP_MIB(ill->ill_ip_mib, udpIfStatsInCksumErrs);
+ return (B_FALSE);
+ }
+ break;
+ }
+ case IPPROTO_SCTP: {
+ sctp_hdr_t *sctph;
+ uint32_t pktsum;
+
+ sctph = (sctp_hdr_t *)((uchar_t *)ip6h + ip_hdr_length);
+#ifdef DEBUG
+ if (skip_sctp_cksum)
+ return (B_TRUE);
+#endif
+ pktsum = sctph->sh_chksum;
+ sctph->sh_chksum = 0;
+ cksum = sctp_cksum(mp, ip_hdr_length);
+ sctph->sh_chksum = pktsum;
+ if (cksum == pktsum)
+ return (B_TRUE);
+
+ /*
+ * Defer until later whether a bad checksum is ok
+ * in order to allow RAW sockets to use Adler checksum
+ * with SCTP.
+ */
+ ira->ira_flags |= IRAF_SCTP_CSUM_ERR;
+ return (B_TRUE);
+ }
+
+ default:
+ /* No ULP checksum to verify. */
+ return (B_TRUE);
+ }
+
+ /*
+ * Revert to software checksum calculation if the interface
+ * isn't capable of checksum offload.
+ * We clear DB_CKSUMFLAGS when going through IPsec in ip_fanout.
+ * Note: IRAF_NO_HW_CKSUM is not currently used.
+ */
+ ASSERT(!IS_IPMP(ill));
+ if ((iraflags & IRAF_NO_HW_CKSUM) || !ILL_HCKSUM_CAPABLE(ill) ||
+ !dohwcksum) {
+ return (ip_input_sw_cksum_v6(mp, ip6h, ira));
+ }
+
+ /*
+ * We apply this for all ULP protocols. Does the HW know to
+ * not set the flags for SCTP and other protocols.
+ */
+
+ hck_flags = DB_CKSUMFLAGS(mp);
+
+ if (hck_flags & HCK_FULLCKSUM) {
+ /*
+ * Full checksum has been computed by the hardware
+ * and has been attached. If the driver wants us to
+ * verify the correctness of the attached value, in
+ * order to protect against faulty hardware, compare
+ * it against -0 (0xFFFF) to see if it's valid.
+ */
+ if (hck_flags & HCK_FULLCKSUM_OK)
+ return (B_TRUE);
+
+ cksum = DB_CKSUM16(mp);
+ if (cksum == 0xFFFF)
+ return (B_TRUE);
+ ip_input_cksum_err_v6(protocol, hck_flags, ira->ira_ill);
+ return (B_FALSE);
+ }
+
+ mp1 = mp->b_cont;
+ if ((hck_flags & HCK_PARTIALCKSUM) &&
+ (mp1 == NULL || mp1->b_cont == NULL) &&
+ ip_hdr_length >= DB_CKSUMSTART(mp) &&
+ ((len = ip_hdr_length - DB_CKSUMSTART(mp)) & 1) == 0) {
+ uint32_t adj;
+ uchar_t *cksum_start;
+
+ cksum = ip_input_cksum_pseudo_v6(ip6h, ira);
+
+ cksum_start = ((uchar_t *)ip6h + DB_CKSUMSTART(mp));
+
+ /*
+ * Partial checksum has been calculated by hardware
+ * and attached to the packet; in addition, any
+ * prepended extraneous data is even byte aligned,
+ * and there are at most two mblks associated with
+ * the packet. If any such data exists, we adjust
+ * the checksum; also take care any postpended data.
+ */
+ IP_ADJCKSUM_PARTIAL(cksum_start, mp, mp1, len, adj);
+ /*
+ * One's complement subtract extraneous checksum
+ */
+ cksum += DB_CKSUM16(mp);
+ if (adj >= cksum)
+ cksum = ~(adj - cksum) & 0xFFFF;
+ else
+ cksum -= adj;
+ cksum = (cksum & 0xFFFF) + ((int)cksum >> 16);
+ cksum = (cksum & 0xFFFF) + ((int)cksum >> 16);
+ if (!(~cksum & 0xFFFF))
+ return (B_TRUE);
+
+ ip_input_cksum_err_v6(protocol, hck_flags, ira->ira_ill);
+ return (B_FALSE);
+ }
+ return (ip_input_sw_cksum_v6(mp, ip6h, ira));
+}
+
+
+/*
+ * Handle fanout of received packets.
+ * Unicast packets that are looped back (from ire_send_local_v6) and packets
+ * from the wire are differentiated by checking IRAF_VERIFY_ULP_CKSUM.
+ *
+ * IPQoS Notes
+ * Before sending it to the client, invoke IPPF processing. Policy processing
+ * takes place only if the callout_position, IPP_LOCAL_IN, is enabled.
+ */
+void
+ip_fanout_v6(mblk_t *mp, ip6_t *ip6h, ip_recv_attr_t *ira)
+{
+ ill_t *ill = ira->ira_ill;
+ iaflags_t iraflags = ira->ira_flags;
+ ip_stack_t *ipst = ill->ill_ipst;
+ uint8_t protocol;
+ conn_t *connp;
+#define rptr ((uchar_t *)ip6h)
+ uint_t ip_hdr_length;
+ uint_t min_ulp_header_length;
+ int offset;
+ ssize_t len;
+ netstack_t *ns = ipst->ips_netstack;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+ ill_t *rill = ira->ira_rill;
+
+ ASSERT(ira->ira_pktlen == ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN);
+
+ /*
+ * We repeat this as we parse over destination options header and
+ * fragment headers (earlier we've handled any hop-by-hop options
+ * header.)
+ * We update ira_protocol and ira_ip_hdr_length as we skip past
+ * the intermediate headers; they already point past any
+ * hop-by-hop header.
+ */
+repeat:
+ protocol = ira->ira_protocol;
+ ip_hdr_length = ira->ira_ip_hdr_length;
+
+ /*
+ * Time for IPP once we've done reassembly and IPsec.
+ * We skip this for loopback packets since we don't do IPQoS
+ * on loopback.
+ */
+ if (IPP_ENABLED(IPP_LOCAL_IN, ipst) &&
+ !(iraflags & IRAF_LOOPBACK) &&
+ (protocol != IPPROTO_ESP || protocol != IPPROTO_AH ||
+ protocol != IPPROTO_DSTOPTS || protocol != IPPROTO_ROUTING ||
+ protocol != IPPROTO_FRAGMENT)) {
+ /*
+ * Use the interface on which the packet arrived - not where
+ * the IP address is hosted.
+ */
+ /* ip_process translates an IS_UNDER_IPMP */
+ mp = ip_process(IPP_LOCAL_IN, mp, rill, ill);
+ if (mp == NULL) {
+ /* ip_drop_packet and MIB done */
+ return;
+ }
+ }
+
+ /* Determine the minimum required size of the upper-layer header */
+ /* Need to do this for at least the set of ULPs that TX handles. */
+ switch (protocol) {
+ case IPPROTO_TCP:
+ min_ulp_header_length = TCP_MIN_HEADER_LENGTH;
+ break;
+ case IPPROTO_SCTP:
+ min_ulp_header_length = SCTP_COMMON_HDR_LENGTH;
+ break;
+ case IPPROTO_UDP:
+ min_ulp_header_length = UDPH_SIZE;
+ break;
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ min_ulp_header_length = ICMPH_SIZE;
+ break;
+ case IPPROTO_FRAGMENT:
+ case IPPROTO_DSTOPTS:
+ case IPPROTO_ROUTING:
+ min_ulp_header_length = MIN_EHDR_LEN;
+ break;
+ default:
+ min_ulp_header_length = 0;
+ break;
+ }
+ /* Make sure we have the min ULP header length */
+ len = mp->b_wptr - rptr;
+ if (len < ip_hdr_length + min_ulp_header_length) {
+ if (ira->ira_pktlen < ip_hdr_length + min_ulp_header_length)
+ goto pkt_too_short;
+
+ IP6_STAT(ipst, ip6_recv_pullup);
+ ip6h = ip_pullup(mp, ip_hdr_length + min_ulp_header_length,
+ ira);
+ if (ip6h == NULL)
+ goto discard;
+ len = mp->b_wptr - rptr;
+ }
+
+ /*
+ * If trusted extensions then determine the zoneid and TX specific
+ * ira_flags.
+ */
+ if (iraflags & IRAF_SYSTEM_LABELED) {
+ /* This can update ira->ira_flags and ira->ira_zoneid */
+ ip_fanout_tx_v6(mp, ip6h, protocol, ip_hdr_length, ira);
+ iraflags = ira->ira_flags;
+ }
+
+
+ /* Verify ULP checksum. Handles TCP, UDP, and SCTP */
+ if (iraflags & IRAF_VERIFY_ULP_CKSUM) {
+ if (!ip_input_cksum_v6(iraflags, mp, ip6h, ira)) {
+ /* Bad checksum. Stats are already incremented */
+ ip_drop_input("Bad ULP checksum", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ /* IRAF_SCTP_CSUM_ERR could have been set */
+ iraflags = ira->ira_flags;
+ }
+ switch (protocol) {
+ case IPPROTO_TCP:
+ /* For TCP, discard multicast packets. */
+ if (iraflags & IRAF_MULTIBROADCAST)
+ goto discard;
+
+ /* First mblk contains IP+TCP headers per above check */
+ ASSERT(len >= ip_hdr_length + TCP_MIN_HEADER_LENGTH);
+
+ /* TCP options present? */
+ offset = ((uchar_t *)ip6h)[ip_hdr_length + 12] >> 4;
+ if (offset != 5) {
+ if (offset < 5)
+ goto discard;
+
+ /*
+ * There must be TCP options.
+ * Make sure we can grab them.
+ */
+ offset <<= 2;
+ offset += ip_hdr_length;
+ if (len < offset) {
+ if (ira->ira_pktlen < offset)
+ goto pkt_too_short;
+
+ IP6_STAT(ipst, ip6_recv_pullup);
+ ip6h = ip_pullup(mp, offset, ira);
+ if (ip6h == NULL)
+ goto discard;
+ len = mp->b_wptr - rptr;
+ }
+ }
+
+ /*
+ * Pass up a squeue hint to tcp.
+ * If ira_sqp is already set (this is loopback) we leave it
+ * alone.
+ */
+ if (ira->ira_sqp == NULL) {
+ ira->ira_sqp = ip_squeue_get(ira->ira_ring);
+ }
+
+ /* Look for AF_INET or AF_INET6 that matches */
+ connp = ipcl_classify_v6(mp, IPPROTO_TCP, ip_hdr_length,
+ ira, ipst);
+ if (connp == NULL) {
+ /* Send the TH_RST */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ tcp_xmit_listeners_reset(mp, ira, ipst, NULL);
+ return;
+ }
+ if (connp->conn_incoming_ifindex != 0 &&
+ connp->conn_incoming_ifindex != ira->ira_ruifindex) {
+ CONN_DEC_REF(connp);
+
+ /* Send the TH_RST */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ tcp_xmit_listeners_reset(mp, ira, ipst, NULL);
+ return;
+ }
+ if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) ||
+ (iraflags & IRAF_IPSEC_SECURE)) {
+ mp = ipsec_check_inbound_policy(mp, connp,
+ NULL, ip6h, ira);
+ if (mp == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ /* Note that mp is NULL */
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ CONN_DEC_REF(connp);
+ return;
+ }
+ }
+ /* Found a client; up it goes */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ ira->ira_ill = ira->ira_rill = NULL;
+ if (!IPCL_IS_TCP(connp)) {
+ /* Not TCP; must be SOCK_RAW, IPPROTO_TCP */
+ (connp->conn_recv)(connp, mp, NULL, ira);
+ CONN_DEC_REF(connp);
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
+ return;
+ }
+
+ /*
+ * We do different processing whether called from
+ * ip_accept_tcp and we match the target, don't match
+ * the target, and when we are called by ip_input.
+ */
+ if (iraflags & IRAF_TARGET_SQP) {
+ if (ira->ira_target_sqp == connp->conn_sqp) {
+ mblk_t *attrmp;
+
+ attrmp = ip_recv_attr_to_mblk(ira);
+ if (attrmp == NULL) {
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards",
+ mp, ill);
+ freemsg(mp);
+ CONN_DEC_REF(connp);
+ } else {
+ SET_SQUEUE(attrmp, connp->conn_recv,
+ connp);
+ attrmp->b_cont = mp;
+ ASSERT(ira->ira_target_sqp_mp == NULL);
+ ira->ira_target_sqp_mp = attrmp;
+ /*
+ * Conn ref release when drained from
+ * the squeue.
+ */
+ }
+ } else {
+ SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
+ connp->conn_recv, connp, ira, SQ_FILL,
+ SQTAG_IP6_TCP_INPUT);
+ }
+ } else {
+ SQUEUE_ENTER_ONE(connp->conn_sqp, mp, connp->conn_recv,
+ connp, ira, ip_squeue_flag, SQTAG_IP6_TCP_INPUT);
+ }
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
+ return;
+
+ case IPPROTO_SCTP: {
+ sctp_hdr_t *sctph;
+ uint32_t ports; /* Source and destination ports */
+ sctp_stack_t *sctps = ipst->ips_netstack->netstack_sctp;
+
+ /* For SCTP, discard multicast packets. */
+ if (iraflags & IRAF_MULTIBROADCAST)
+ goto discard;
+
+ /*
+ * Since there is no SCTP h/w cksum support yet, just
+ * clear the flag.
+ */
+ DB_CKSUMFLAGS(mp) = 0;
+
+ /* Length ensured above */
+ ASSERT(MBLKL(mp) >= ip_hdr_length + SCTP_COMMON_HDR_LENGTH);
+ sctph = (sctp_hdr_t *)(rptr + ip_hdr_length);
+
+ /* get the ports */
+ ports = *(uint32_t *)&sctph->sh_sport;
+
+ if (iraflags & IRAF_SCTP_CSUM_ERR) {
+ /*
+ * No potential sctp checksum errors go to the Sun
+ * sctp stack however they might be Adler-32 summed
+ * packets a userland stack bound to a raw IP socket
+ * could reasonably use. Note though that Adler-32 is
+ * a long deprecated algorithm and customer sctp
+ * networks should eventually migrate to CRC-32 at
+ * which time this facility should be removed.
+ */
+ ip_fanout_sctp_raw(mp, NULL, ip6h, ports, ira);
+ return;
+ }
+ connp = sctp_fanout(&ip6h->ip6_src, &ip6h->ip6_dst, ports,
+ ira, mp, sctps);
+ if (connp == NULL) {
+ /* Check for raw socket or OOTB handling */
+ ip_fanout_sctp_raw(mp, NULL, ip6h, ports, ira);
+ return;
+ }
+ if (connp->conn_incoming_ifindex != 0 &&
+ connp->conn_incoming_ifindex != ira->ira_ruifindex) {
+ CONN_DEC_REF(connp);
+
+ /* Check for raw socket or OOTB handling */
+ ip_fanout_sctp_raw(mp, NULL, ip6h, ports, ira);
+ return;
+ }
+
+ /* Found a client; up it goes */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ sctp_input(connp, NULL, ip6h, mp, ira);
+ /* sctp_input does a rele of the sctp_t */
+ return;
+ }
+
+ case IPPROTO_UDP:
+ /* First mblk contains IP+UDP headers as checked above */
+ ASSERT(MBLKL(mp) >= ip_hdr_length + UDPH_SIZE);
+
+ if (iraflags & IRAF_MULTIBROADCAST) {
+ uint16_t *up; /* Pointer to ports in ULP header */
+
+ up = (uint16_t *)((uchar_t *)ip6h + ip_hdr_length);
+
+ ip_fanout_udp_multi_v6(mp, ip6h, up[1], up[0], ira);
+ return;
+ }
+
+ /* Look for AF_INET or AF_INET6 that matches */
+ connp = ipcl_classify_v6(mp, IPPROTO_UDP, ip_hdr_length,
+ ira, ipst);
+ if (connp == NULL) {
+ no_udp_match:
+ if (ipst->ips_ipcl_proto_fanout_v6[IPPROTO_UDP].
+ connf_head != NULL) {
+ ASSERT(ira->ira_protocol == IPPROTO_UDP);
+ ip_fanout_proto_v6(mp, ip6h, ira);
+ } else {
+ ip_fanout_send_icmp_v6(mp, ICMP6_DST_UNREACH,
+ ICMP6_DST_UNREACH_NOPORT, ira);
+ }
+ return;
+
+ }
+ if (connp->conn_incoming_ifindex != 0 &&
+ connp->conn_incoming_ifindex != ira->ira_ruifindex) {
+ CONN_DEC_REF(connp);
+ goto no_udp_match;
+ }
+ if (IPCL_IS_NONSTR(connp) ? connp->conn_flow_cntrld :
+ !canputnext(connp->conn_rq)) {
+ CONN_DEC_REF(connp);
+ BUMP_MIB(ill->ill_ip_mib, udpIfStatsInOverflows);
+ ip_drop_input("udpIfStatsInOverflows", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) ||
+ (iraflags & IRAF_IPSEC_SECURE)) {
+ mp = ipsec_check_inbound_policy(mp, connp,
+ NULL, ip6h, ira);
+ if (mp == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ /* Note that mp is NULL */
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ CONN_DEC_REF(connp);
+ return;
+ }
+ }
+
+ /* Found a client; up it goes */
+ IP6_STAT(ipst, ip6_udp_fannorm);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ ira->ira_ill = ira->ira_rill = NULL;
+ (connp->conn_recv)(connp, mp, NULL, ira);
+ CONN_DEC_REF(connp);
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
+ return;
+ default:
+ break;
+ }
+
+ /*
+ * Clear hardware checksumming flag as it is currently only
+ * used by TCP and UDP.
+ */
+ DB_CKSUMFLAGS(mp) = 0;
+
+ switch (protocol) {
+ case IPPROTO_ICMPV6:
+ BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpInMsgs);
+
+ /* Check variable for testing applications */
+ if (ipst->ips_ipv6_drop_inbound_icmpv6) {
+ ip_drop_input("ipv6_drop_inbound_icmpv6", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ /*
+ * We need to accomodate icmp messages coming in clear
+ * until we get everything secure from the wire. If
+ * icmp_accept_clear_messages is zero we check with
+ * the global policy and act accordingly. If it is
+ * non-zero, we accept the message without any checks.
+ * But *this does not mean* that this will be delivered
+ * to RAW socket clients. By accepting we might send
+ * replies back, change our MTU value etc.,
+ * but delivery to the ULP/clients depends on their
+ * policy dispositions.
+ */
+ if (ipst->ips_icmp_accept_clear_messages == 0) {
+ mp = ipsec_check_global_policy(mp, NULL,
+ NULL, ip6h, ira, ns);
+ if (mp == NULL)
+ return;
+ }
+
+ /*
+ * On a labeled system, we have to check whether the zone
+ * itself is permitted to receive raw traffic.
+ */
+ if (ira->ira_flags & IRAF_SYSTEM_LABELED) {
+ if (!tsol_can_accept_raw(mp, ira, B_FALSE)) {
+ BUMP_MIB(ill->ill_icmp6_mib,
+ ipv6IfIcmpInErrors);
+ ip_drop_input("tsol_can_accept_raw", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ }
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ mp = icmp_inbound_v6(mp, ira);
+ if (mp == NULL) {
+ /* No need to pass to RAW sockets */
+ return;
+ }
+ break;
+
+ case IPPROTO_DSTOPTS: {
+ ip6_dest_t *desthdr;
+ uint_t ehdrlen;
+ uint8_t *optptr;
+
+ /* We already check for MIN_EHDR_LEN above */
+
+ /* Check if AH is present and needs to be processed. */
+ mp = ipsec_early_ah_v6(mp, ira);
+ if (mp == NULL)
+ return;
+
+ /*
+ * Reinitialize pointers, as ipsec_early_ah_v6() does
+ * complete pullups. We don't have to do more pullups
+ * as a result.
+ */
+ ip6h = (ip6_t *)mp->b_rptr;
+
+ if (ira->ira_pktlen - ip_hdr_length < MIN_EHDR_LEN)
+ goto pkt_too_short;
+
+ if (mp->b_cont != NULL &&
+ rptr + ip_hdr_length + MIN_EHDR_LEN > mp->b_wptr) {
+ ip6h = ip_pullup(mp, ip_hdr_length + MIN_EHDR_LEN, ira);
+ if (ip6h == NULL)
+ goto discard;
+ }
+ desthdr = (ip6_dest_t *)(rptr + ip_hdr_length);
+ ehdrlen = 8 * (desthdr->ip6d_len + 1);
+ if (ira->ira_pktlen - ip_hdr_length < ehdrlen)
+ goto pkt_too_short;
+ if (mp->b_cont != NULL &&
+ rptr + IPV6_HDR_LEN + ehdrlen > mp->b_wptr) {
+ ip6h = ip_pullup(mp, IPV6_HDR_LEN + ehdrlen, ira);
+ if (ip6h == NULL)
+ goto discard;
+
+ desthdr = (ip6_dest_t *)(rptr + ip_hdr_length);
+ }
+ optptr = (uint8_t *)&desthdr[1];
+
+ /*
+ * Update ira_ip_hdr_length to skip the destination header
+ * when we repeat.
+ */
+ ira->ira_ip_hdr_length += ehdrlen;
+
+ ira->ira_protocol = desthdr->ip6d_nxt;
+
+ /*
+ * Note: XXX This code does not seem to make
+ * distinction between Destination Options Header
+ * being before/after Routing Header which can
+ * happen if we are at the end of source route.
+ * This may become significant in future.
+ * (No real significant Destination Options are
+ * defined/implemented yet ).
+ */
+ switch (ip_process_options_v6(mp, ip6h, optptr,
+ ehdrlen - 2, IPPROTO_DSTOPTS, ira)) {
+ case -1:
+ /*
+ * Packet has been consumed and any needed
+ * ICMP errors sent.
+ */
+ return;
+ case 0:
+ /* No action needed continue */
+ break;
+ case 1:
+ /*
+ * Unnexpected return value
+ * (Router alert is a Hop-by-Hop option)
+ */
+#ifdef DEBUG
+ panic("ip_fanout_v6: router "
+ "alert hbh opt indication in dest opt");
+ /*NOTREACHED*/
+#else
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+#endif
+ }
+ goto repeat;
+ }
+ case IPPROTO_FRAGMENT: {
+ ip6_frag_t *fraghdr;
+
+ if (ira->ira_pktlen - ip_hdr_length < sizeof (ip6_frag_t))
+ goto pkt_too_short;
+
+ if (mp->b_cont != NULL &&
+ rptr + ip_hdr_length + sizeof (ip6_frag_t) > mp->b_wptr) {
+ ip6h = ip_pullup(mp,
+ ip_hdr_length + sizeof (ip6_frag_t), ira);
+ if (ip6h == NULL)
+ goto discard;
+ }
+
+ fraghdr = (ip6_frag_t *)(rptr + ip_hdr_length);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmReqds);
+
+ /*
+ * Invoke the CGTP (multirouting) filtering module to
+ * process the incoming packet. Packets identified as
+ * duplicates must be discarded. Filtering is active
+ * only if the ip_cgtp_filter ndd variable is
+ * non-zero.
+ */
+ if (ipst->ips_ip_cgtp_filter &&
+ ipst->ips_ip_cgtp_filter_ops != NULL) {
+ int cgtp_flt_pkt;
+ netstackid_t stackid;
+
+ stackid = ipst->ips_netstack->netstack_stackid;
+
+ /*
+ * CGTP and IPMP are mutually exclusive so
+ * phyint_ifindex is fine here.
+ */
+ cgtp_flt_pkt =
+ ipst->ips_ip_cgtp_filter_ops->cfo_filter_v6(
+ stackid, ill->ill_phyint->phyint_ifindex,
+ ip6h, fraghdr);
+ if (cgtp_flt_pkt == CGTP_IP_PKT_DUPLICATE) {
+ ip_drop_input("CGTP_IP_PKT_DUPLICATE", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ }
+
+ /*
+ * Update ip_hdr_length to skip the frag header
+ * ip_input_fragment_v6 will determine the extension header
+ * prior to the fragment header and update its nexthdr value,
+ * and also set ira_protocol to the nexthdr that follows the
+ * completed fragment.
+ */
+ ip_hdr_length += sizeof (ip6_frag_t);
+
+ /*
+ * Make sure we have ira_l2src before we loose the original
+ * mblk
+ */
+ if (!(ira->ira_flags & IRAF_L2SRC_SET))
+ ip_setl2src(mp, ira, ira->ira_rill);
+
+ mp = ip_input_fragment_v6(mp, ip6h, fraghdr,
+ ira->ira_pktlen - ip_hdr_length, ira);
+ if (mp == NULL) {
+ /* Reassembly is still pending */
+ return;
+ }
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmOKs);
+
+ /*
+ * The mblk chain has the frag header removed and
+ * ira_protocol, ira_pktlen, ira_ip_hdr_length as well as the
+ * IP header has been updated to refleact the result.
+ */
+ ip6h = (ip6_t *)mp->b_rptr;
+ ip_hdr_length = ira->ira_ip_hdr_length;
+ goto repeat;
+ }
+ case IPPROTO_HOPOPTS:
+ /*
+ * Illegal header sequence.
+ * (Hop-by-hop headers are processed above
+ * and required to immediately follow IPv6 header)
+ */
+ ip_drop_input("ICMP_PARAM_PROBLEM", mp, ill);
+ icmp_param_problem_nexthdr_v6(mp, B_FALSE, ira);
+ return;
+
+ case IPPROTO_ROUTING: {
+ uint_t ehdrlen;
+ ip6_rthdr_t *rthdr;
+
+ /* Check if AH is present and needs to be processed. */
+ mp = ipsec_early_ah_v6(mp, ira);
+ if (mp == NULL)
+ return;
+
+ /*
+ * Reinitialize pointers, as ipsec_early_ah_v6() does
+ * complete pullups. We don't have to do more pullups
+ * as a result.
+ */
+ ip6h = (ip6_t *)mp->b_rptr;
+
+ if (ira->ira_pktlen - ip_hdr_length < MIN_EHDR_LEN)
+ goto pkt_too_short;
+
+ if (mp->b_cont != NULL &&
+ rptr + ip_hdr_length + MIN_EHDR_LEN > mp->b_wptr) {
+ ip6h = ip_pullup(mp, ip_hdr_length + MIN_EHDR_LEN, ira);
+ if (ip6h == NULL)
+ goto discard;
+ }
+ rthdr = (ip6_rthdr_t *)(rptr + ip_hdr_length);
+ protocol = ira->ira_protocol = rthdr->ip6r_nxt;
+ ehdrlen = 8 * (rthdr->ip6r_len + 1);
+ if (ira->ira_pktlen - ip_hdr_length < ehdrlen)
+ goto pkt_too_short;
+ if (mp->b_cont != NULL &&
+ rptr + IPV6_HDR_LEN + ehdrlen > mp->b_wptr) {
+ ip6h = ip_pullup(mp, IPV6_HDR_LEN + ehdrlen, ira);
+ if (ip6h == NULL)
+ goto discard;
+ rthdr = (ip6_rthdr_t *)(rptr + ip_hdr_length);
+ }
+ if (rthdr->ip6r_segleft != 0) {
+ /* Not end of source route */
+ if (ira->ira_flags &
+ (IRAF_L2DST_MULTICAST|IRAF_L2DST_BROADCAST)) {
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsForwProhibits);
+ ip_drop_input("ipIfStatsInForwProhibits",
+ mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ip_process_rthdr(mp, ip6h, rthdr, ira);
+ return;
+ }
+ ira->ira_ip_hdr_length += ehdrlen;
+ goto repeat;
+ }
+
+ case IPPROTO_AH:
+ case IPPROTO_ESP: {
+ /*
+ * Fast path for AH/ESP.
+ */
+ netstack_t *ns = ipst->ips_netstack;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+
+ IP_STAT(ipst, ipsec_proto_ahesp);
+
+ if (!ipsec_loaded(ipss)) {
+ ip_proto_not_sup(mp, ira);
+ return;
+ }
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ /* select inbound SA and have IPsec process the pkt */
+ if (protocol == IPPROTO_ESP) {
+ esph_t *esph;
+
+ mp = ipsec_inbound_esp_sa(mp, ira, &esph);
+ if (mp == NULL)
+ return;
+
+ ASSERT(esph != NULL);
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
+ ASSERT(ira->ira_ipsec_esp_sa != NULL);
+ ASSERT(ira->ira_ipsec_esp_sa->ipsa_input_func != NULL);
+
+ mp = ira->ira_ipsec_esp_sa->ipsa_input_func(mp, esph,
+ ira);
+ } else {
+ ah_t *ah;
+
+ mp = ipsec_inbound_ah_sa(mp, ira, &ah);
+ if (mp == NULL)
+ return;
+
+ ASSERT(ah != NULL);
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
+ ASSERT(ira->ira_ipsec_ah_sa != NULL);
+ ASSERT(ira->ira_ipsec_ah_sa->ipsa_input_func != NULL);
+ mp = ira->ira_ipsec_ah_sa->ipsa_input_func(mp, ah,
+ ira);
+ }
+
+ if (mp == NULL) {
+ /*
+ * Either it failed or is pending. In the former case
+ * ipIfStatsInDiscards was increased.
+ */
+ return;
+ }
+ /* we're done with IPsec processing, send it up */
+ ip_input_post_ipsec(mp, ira);
+ return;
+ }
+ case IPPROTO_NONE:
+ /* All processing is done. Count as "delivered". */
+ freemsg(mp);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ return;
+
+ case IPPROTO_ENCAP:
+ case IPPROTO_IPV6:
+ /* iptun will verify trusted label */
+ connp = ipcl_classify_v6(mp, protocol, ip_hdr_length,
+ ira, ipst);
+ if (connp != NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ ira->ira_ill = ira->ira_rill = NULL;
+ connp->conn_recv(connp, mp, NULL, ira);
+ CONN_DEC_REF(connp);
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
+ return;
+ }
+ /* FALLTHRU */
+ default:
+ /*
+ * On a labeled system, we have to check whether the zone
+ * itself is permitted to receive raw traffic.
+ */
+ if (ira->ira_flags & IRAF_SYSTEM_LABELED) {
+ if (!tsol_can_accept_raw(mp, ira, B_FALSE)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ }
+ break;
+ }
+
+ /*
+ * The above input functions may have returned the pulled up message.
+ * So ip6h need to be reinitialized.
+ */
+ ip6h = (ip6_t *)mp->b_rptr;
+ ira->ira_protocol = protocol;
+ if (ipst->ips_ipcl_proto_fanout_v6[protocol].connf_head == NULL) {
+ /* No user-level listener for these packets packets */
+ ip_proto_not_sup(mp, ira);
+ return;
+ }
+
+ /*
+ * Handle fanout to raw sockets. There
+ * can be more than one stream bound to a particular
+ * protocol. When this is the case, each one gets a copy
+ * of any incoming packets.
+ */
+ ASSERT(ira->ira_protocol == protocol);
+ ip_fanout_proto_v6(mp, ip6h, ira);
+ return;
+
+pkt_too_short:
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
+ ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
+ freemsg(mp);
+ return;
+
+discard:
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+#undef rptr
+}
diff --git a/usr/src/uts/common/inet/ip/ip6_ire.c b/usr/src/uts/common/inet/ip/ip6_ire.c
index c13a66fcc2..7697ca20c7 100644
--- a/usr/src/uts/common/inet/ip/ip6_ire.c
+++ b/usr/src/uts/common/inet/ip/ip6_ire.c
@@ -60,122 +60,122 @@
#include <sys/tsol/label.h>
#include <sys/tsol/tnet.h>
+#define IS_DEFAULT_ROUTE_V6(ire) \
+ (((ire)->ire_type & IRE_DEFAULT) || \
+ (((ire)->ire_type & IRE_INTERFACE) && \
+ (IN6_IS_ADDR_UNSPECIFIED(&(ire)->ire_addr_v6))))
+
static ire_t ire_null;
-static ire_t *ire_ihandle_lookup_onlink_v6(ire_t *cire);
-static boolean_t ire_match_args_v6(ire_t *ire, const in6_addr_t *addr,
- const in6_addr_t *mask, const in6_addr_t *gateway, int type,
- const ipif_t *ipif, zoneid_t zoneid, uint32_t ihandle,
- const ts_label_t *tsl, int match_flags);
-static ire_t *ire_init_v6(ire_t *, const in6_addr_t *, const in6_addr_t *,
- const in6_addr_t *, const in6_addr_t *, uint_t *, queue_t *, queue_t *,
- ushort_t, ipif_t *, const in6_addr_t *, uint32_t, uint32_t, uint_t,
- const iulp_t *, tsol_gc_t *, tsol_gcgrp_t *, ip_stack_t *);
-static ire_t *ip6_ctable_lookup_impl(ire_ctable_args_t *);
+static ire_t *
+ire_ftable_lookup_impl_v6(const in6_addr_t *addr, const in6_addr_t *mask,
+ const in6_addr_t *gateway, int type, const ill_t *ill,
+ zoneid_t zoneid, const ts_label_t *tsl, int flags,
+ ip_stack_t *ipst);
/*
* Initialize the ire that is specific to IPv6 part and call
* ire_init_common to finish it.
+ * Returns zero or errno.
*/
-static ire_t *
+int
ire_init_v6(ire_t *ire, const in6_addr_t *v6addr, const in6_addr_t *v6mask,
- const in6_addr_t *v6src_addr, const in6_addr_t *v6gateway,
- uint_t *max_fragp, queue_t *rfq, queue_t *stq, ushort_t type,
- ipif_t *ipif, const in6_addr_t *v6cmask, uint32_t phandle,
- uint32_t ihandle, uint_t flags, const iulp_t *ulp_info, tsol_gc_t *gc,
- tsol_gcgrp_t *gcgrp, ip_stack_t *ipst)
+ const in6_addr_t *v6gateway, ushort_t type, ill_t *ill,
+ zoneid_t zoneid, uint_t flags, tsol_gc_t *gc, ip_stack_t *ipst)
{
+ int error;
/*
- * Reject IRE security attribute creation/initialization
+ * Reject IRE security attmakeribute creation/initialization
* if system is not running in Trusted mode.
*/
- if ((gc != NULL || gcgrp != NULL) && !is_system_labeled())
- return (NULL);
-
+ if (gc != NULL && !is_system_labeled())
+ return (EINVAL);
BUMP_IRE_STATS(ipst->ips_ire_stats_v6, ire_stats_alloced);
- ire->ire_addr_v6 = *v6addr;
-
- if (v6src_addr != NULL)
- ire->ire_src_addr_v6 = *v6src_addr;
- if (v6mask != NULL) {
- ire->ire_mask_v6 = *v6mask;
- ire->ire_masklen = ip_mask_to_plen_v6(&ire->ire_mask_v6);
- }
+ if (v6addr != NULL)
+ ire->ire_addr_v6 = *v6addr;
if (v6gateway != NULL)
ire->ire_gateway_addr_v6 = *v6gateway;
- if (type == IRE_CACHE && v6cmask != NULL)
- ire->ire_cmask_v6 = *v6cmask;
-
- /*
- * Multirouted packets need to have a fragment header added so that
- * the receiver is able to discard duplicates according to their
- * fragment identifier.
- */
- if (type == IRE_CACHE && (flags & RTF_MULTIRT)) {
- ire->ire_frag_flag = IPH_FRAG_HDR;
+ /* Make sure we don't have stray values in some fields */
+ switch (type) {
+ case IRE_LOOPBACK:
+ ire->ire_gateway_addr_v6 = ire->ire_addr_v6;
+ /* FALLTHRU */
+ case IRE_HOST:
+ case IRE_LOCAL:
+ case IRE_IF_CLONE:
+ ire->ire_mask_v6 = ipv6_all_ones;
+ ire->ire_masklen = IPV6_ABITS;
+ break;
+ case IRE_PREFIX:
+ case IRE_DEFAULT:
+ case IRE_IF_RESOLVER:
+ case IRE_IF_NORESOLVER:
+ if (v6mask != NULL) {
+ ire->ire_mask_v6 = *v6mask;
+ ire->ire_masklen =
+ ip_mask_to_plen_v6(&ire->ire_mask_v6);
+ }
+ break;
+ case IRE_MULTICAST:
+ case IRE_NOROUTE:
+ ASSERT(v6mask == NULL);
+ break;
+ default:
+ ASSERT(0);
+ return (EINVAL);
}
- /* ire_init_common will free the mblks upon encountering any failure */
- if (!ire_init_common(ire, max_fragp, NULL, rfq, stq, type, ipif,
- phandle, ihandle, flags, IPV6_VERSION, ulp_info, gc, gcgrp, ipst))
- return (NULL);
-
- return (ire);
-}
-
-/*
- * Similar to ire_create_v6 except that it is called only when
- * we want to allocate ire as an mblk e.g. we have a external
- * resolver. Do we need this in IPv6 ?
- *
- * IPv6 initializes the ire_nce in ire_add_v6, which expects to
- * find the ire_nce to be null when it is called. So, although
- * we have a src_nce parameter (in the interest of matching up with
- * the argument list of the v4 version), we ignore the src_nce
- * argument here.
- */
-/* ARGSUSED */
-ire_t *
-ire_create_mp_v6(const in6_addr_t *v6addr, const in6_addr_t *v6mask,
- const in6_addr_t *v6src_addr, const in6_addr_t *v6gateway,
- nce_t *src_nce, queue_t *rfq, queue_t *stq, ushort_t type,
- ipif_t *ipif, const in6_addr_t *v6cmask,
- uint32_t phandle, uint32_t ihandle, uint_t flags, const iulp_t *ulp_info,
- tsol_gc_t *gc, tsol_gcgrp_t *gcgrp, ip_stack_t *ipst)
-{
- ire_t *ire;
- ire_t *ret_ire;
- mblk_t *mp;
+ error = ire_init_common(ire, type, ill, zoneid, flags, IPV6_VERSION,
+ gc, ipst);
+ if (error != NULL)
+ return (error);
- ASSERT(!IN6_IS_ADDR_V4MAPPED(v6addr));
+ /* Determine which function pointers to use */
+ ire->ire_postfragfn = ip_xmit; /* Common case */
- /* Allocate the new IRE. */
- mp = allocb(sizeof (ire_t), BPRI_MED);
- if (mp == NULL) {
- ip1dbg(("ire_create_mp_v6: alloc failed\n"));
- return (NULL);
+ switch (ire->ire_type) {
+ case IRE_LOCAL:
+ ire->ire_sendfn = ire_send_local_v6;
+ ire->ire_recvfn = ire_recv_local_v6;
+#ifdef SO_VRRP
+ ASSERT(ire->ire_ill != NULL);
+ if (ire->ire_ill->ill_flags & ILLF_NOACCEPT) {
+ ire->ire_noaccept = B_TRUE;
+ ire->ire_recvfn = ire_recv_noaccept_v6;
+ }
+#endif
+ break;
+ case IRE_LOOPBACK:
+ ire->ire_sendfn = ire_send_local_v6;
+ ire->ire_recvfn = ire_recv_loopback_v6;
+ break;
+ case IRE_MULTICAST:
+ ire->ire_postfragfn = ip_postfrag_loopcheck;
+ ire->ire_sendfn = ire_send_multicast_v6;
+ ire->ire_recvfn = ire_recv_multicast_v6;
+ break;
+ default:
+ /*
+ * For IRE_IF_ALL and IRE_OFFLINK we forward received
+ * packets by default.
+ */
+ ire->ire_sendfn = ire_send_wire_v6;
+ ire->ire_recvfn = ire_recv_forward_v6;
+ break;
}
-
- ire = (ire_t *)mp->b_rptr;
- mp->b_wptr = (uchar_t *)&ire[1];
-
- /* Start clean. */
- *ire = ire_null;
- ire->ire_mp = mp;
- mp->b_datap->db_type = IRE_DB_TYPE;
-
- ret_ire = ire_init_v6(ire, v6addr, v6mask, v6src_addr, v6gateway,
- NULL, rfq, stq, type, ipif, v6cmask, phandle,
- ihandle, flags, ulp_info, gc, gcgrp, ipst);
-
- if (ret_ire == NULL) {
- freeb(ire->ire_mp);
- return (NULL);
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ ire->ire_sendfn = ire_send_noroute_v6;
+ ire->ire_recvfn = ire_recv_noroute_v6;
+ } else if (ire->ire_flags & RTF_MULTIRT) {
+ ire->ire_postfragfn = ip_postfrag_multirt_v6;
+ ire->ire_sendfn = ire_send_multirt_v6;
+ ire->ire_recvfn = ire_recv_multirt_v6;
}
- return (ire);
+ ire->ire_nce_capable = ire_determine_nce_capable(ire);
+ return (0);
}
/*
@@ -183,153 +183,76 @@ ire_create_mp_v6(const in6_addr_t *v6addr, const in6_addr_t *v6mask,
*
* NOTE : This is called as writer sometimes though not required
* by this function.
- *
- * See comments above ire_create_mp_v6() for the rationale behind the
- * unused src_nce argument.
*/
/* ARGSUSED */
ire_t *
ire_create_v6(const in6_addr_t *v6addr, const in6_addr_t *v6mask,
- const in6_addr_t *v6src_addr, const in6_addr_t *v6gateway,
- uint_t *max_fragp, nce_t *src_nce, queue_t *rfq, queue_t *stq,
- ushort_t type, ipif_t *ipif, const in6_addr_t *v6cmask,
- uint32_t phandle, uint32_t ihandle, uint_t flags, const iulp_t *ulp_info,
- tsol_gc_t *gc, tsol_gcgrp_t *gcgrp, ip_stack_t *ipst)
+ const in6_addr_t *v6gateway, ushort_t type, ill_t *ill, zoneid_t zoneid,
+ uint_t flags, tsol_gc_t *gc, ip_stack_t *ipst)
{
ire_t *ire;
- ire_t *ret_ire;
+ int error;
ASSERT(!IN6_IS_ADDR_V4MAPPED(v6addr));
ire = kmem_cache_alloc(ire_cache, KM_NOSLEEP);
if (ire == NULL) {
- ip1dbg(("ire_create_v6: alloc failed\n"));
+ DTRACE_PROBE(kmem__cache__alloc);
return (NULL);
}
*ire = ire_null;
- ret_ire = ire_init_v6(ire, v6addr, v6mask, v6src_addr, v6gateway,
- max_fragp, rfq, stq, type, ipif, v6cmask, phandle,
- ihandle, flags, ulp_info, gc, gcgrp, ipst);
+ error = ire_init_v6(ire, v6addr, v6mask, v6gateway,
+ type, ill, zoneid, flags, gc, ipst);
- if (ret_ire == NULL) {
+ if (error != 0) {
+ DTRACE_PROBE2(ire__init__v6, ire_t *, ire, int, error);
kmem_cache_free(ire_cache, ire);
return (NULL);
}
- ASSERT(ret_ire == ire);
return (ire);
}
/*
- * Find an IRE_INTERFACE for the multicast group.
+ * Find the ill matching a multicast group.
* Allows different routes for multicast addresses
* in the unicast routing table (akin to FF::0/8 but could be more specific)
* which point at different interfaces. This is used when IPV6_MULTICAST_IF
* isn't specified (when sending) and when IPV6_JOIN_GROUP doesn't
* specify the interface to join on.
*
- * Supports link-local addresses by following the ipif/ill when recursing.
+ * Supports link-local addresses by using ire_route_recursive which follows
+ * the ill when recursing.
+ *
+ * To handle CGTP, since we don't have a separate IRE_MULTICAST for each group
+ * and the MULTIRT property can be different for different groups, we
+ * extract RTF_MULTIRT from the special unicast route added for a group
+ * with CGTP and pass that back in the multirtp argument.
+ * This is used in ip_set_destination etc to set ixa_postfragfn for multicast.
+ * We have a setsrcp argument for the same reason.
*/
-ire_t *
-ire_lookup_multi_v6(const in6_addr_t *group, zoneid_t zoneid, ip_stack_t *ipst)
+ill_t *
+ire_lookup_multi_ill_v6(const in6_addr_t *group, zoneid_t zoneid,
+ ip_stack_t *ipst, boolean_t *multirtp, in6_addr_t *setsrcp)
{
ire_t *ire;
- ipif_t *ipif = NULL;
- int match_flags = MATCH_IRE_TYPE;
- in6_addr_t gw_addr_v6;
-
- ire = ire_ftable_lookup_v6(group, 0, 0, 0, NULL, NULL,
- zoneid, 0, NULL, MATCH_IRE_DEFAULT, ipst);
+ ill_t *ill;
- /* We search a resolvable ire in case of multirouting. */
- if ((ire != NULL) && (ire->ire_flags & RTF_MULTIRT)) {
- ire_t *cire = NULL;
- /*
- * If the route is not resolvable, the looked up ire
- * may be changed here. In that case, ire_multirt_lookup_v6()
- * IRE_REFRELE the original ire and change it.
- */
- (void) ire_multirt_lookup_v6(&cire, &ire, MULTIRT_CACHEGW,
- NULL, ipst);
- if (cire != NULL)
- ire_refrele(cire);
- }
- if (ire == NULL)
- return (NULL);
- /*
- * Make sure we follow ire_ipif.
- *
- * We need to determine the interface route through
- * which the gateway will be reached.
- */
- if (ire->ire_ipif != NULL) {
- ipif = ire->ire_ipif;
- match_flags |= MATCH_IRE_ILL;
- }
+ ire = ire_route_recursive_v6(group, 0, NULL, zoneid, NULL,
+ MATCH_IRE_DSTONLY, B_FALSE, 0, ipst, setsrcp, NULL, NULL);
+ ASSERT(ire != NULL);
- switch (ire->ire_type) {
- case IRE_DEFAULT:
- case IRE_PREFIX:
- case IRE_HOST:
- mutex_enter(&ire->ire_lock);
- gw_addr_v6 = ire->ire_gateway_addr_v6;
- mutex_exit(&ire->ire_lock);
- ire_refrele(ire);
- ire = ire_ftable_lookup_v6(&gw_addr_v6, 0, 0,
- IRE_INTERFACE, ipif, NULL, zoneid, 0,
- NULL, match_flags, ipst);
- return (ire);
- case IRE_IF_NORESOLVER:
- case IRE_IF_RESOLVER:
- return (ire);
- default:
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
ire_refrele(ire);
return (NULL);
}
-}
-/*
- * Return any local address. We use this to target ourselves
- * when the src address was specified as 'default'.
- * Preference for IRE_LOCAL entries.
- */
-ire_t *
-ire_lookup_local_v6(zoneid_t zoneid, ip_stack_t *ipst)
-{
- ire_t *ire;
- irb_t *irb;
- ire_t *maybe = NULL;
- int i;
+ if (multirtp != NULL)
+ *multirtp = (ire->ire_flags & RTF_MULTIRT) != 0;
- for (i = 0; i < ipst->ips_ip6_cache_table_size; i++) {
- irb = &ipst->ips_ip_cache_table_v6[i];
- if (irb->irb_ire == NULL)
- continue;
- rw_enter(&irb->irb_lock, RW_READER);
- for (ire = irb->irb_ire; ire; ire = ire->ire_next) {
- if ((ire->ire_marks & IRE_MARK_CONDEMNED) ||
- ire->ire_zoneid != zoneid &&
- ire->ire_zoneid != ALL_ZONES)
- continue;
- switch (ire->ire_type) {
- case IRE_LOOPBACK:
- if (maybe == NULL) {
- IRE_REFHOLD(ire);
- maybe = ire;
- }
- break;
- case IRE_LOCAL:
- if (maybe != NULL) {
- ire_refrele(maybe);
- }
- IRE_REFHOLD(ire);
- rw_exit(&irb->irb_lock);
- return (ire);
- }
- }
- rw_exit(&irb->irb_lock);
- }
- return (maybe);
+ ill = ire_nexthop_ill(ire);
+ ire_refrele(ire);
+ return (ill);
}
/*
@@ -369,6 +292,8 @@ ip_plen_to_mask_v6(uint_t plen, in6_addr_t *bitmask)
if (plen < 0 || plen > IPV6_ABITS)
return (NULL);
*bitmask = ipv6_all_zeros;
+ if (plen == 0)
+ return (bitmask);
ptr = (uint32_t *)bitmask;
while (plen > 32) {
@@ -380,196 +305,78 @@ ip_plen_to_mask_v6(uint_t plen, in6_addr_t *bitmask)
}
/*
- * Add a fully initialized IRE to an appropriate
- * table based on ire_type.
- *
- * The forward table contains IRE_PREFIX/IRE_HOST/IRE_HOST and
- * IRE_IF_RESOLVER/IRE_IF_NORESOLVER and IRE_DEFAULT.
- *
- * The cache table contains IRE_BROADCAST/IRE_LOCAL/IRE_LOOPBACK
- * and IRE_CACHE.
- *
- * NOTE : This function is called as writer though not required
- * by this function.
+ * Add a fully initialized IPv6 IRE to the forwarding table.
+ * This returns NULL on failure, or a held IRE on success.
+ * Normally the returned IRE is the same as the argument. But a different
+ * IRE will be returned if the added IRE is deemed identical to an existing
+ * one. In that case ire_identical_ref will be increased.
+ * The caller always needs to do an ire_refrele() on the returned IRE.
*/
-int
-ire_add_v6(ire_t **ire_p, queue_t *q, mblk_t *mp, ipsq_func_t func)
+ire_t *
+ire_add_v6(ire_t *ire)
{
ire_t *ire1;
int mask_table_index;
irb_t *irb_ptr;
ire_t **irep;
- int flags;
- ire_t *pire = NULL;
- ill_t *stq_ill;
- boolean_t ndp_g_lock_held = B_FALSE;
- ire_t *ire = *ire_p;
+ int match_flags;
int error;
ip_stack_t *ipst = ire->ire_ipst;
- uint_t marks = 0;
ASSERT(ire->ire_ipversion == IPV6_VERSION);
- ASSERT(ire->ire_mp == NULL); /* Calls should go through ire_add */
- ASSERT(ire->ire_nce == NULL);
-
- /*
- * IREs with source addresses hosted on interfaces that are under IPMP
- * should be hidden so that applications don't accidentally end up
- * sending packets with test addresses as their source addresses, or
- * sending out interfaces that are e.g. IFF_INACTIVE. Hide them here.
- * (We let IREs with unspecified source addresses slip through since
- * ire_send_v6() will delete them automatically.)
- */
- if (ire->ire_ipif != NULL && IS_UNDER_IPMP(ire->ire_ipif->ipif_ill) &&
- !IN6_IS_ADDR_UNSPECIFIED(&ire->ire_src_addr_v6)) {
- DTRACE_PROBE1(ipmp__mark__testhidden, ire_t *, ire);
- marks |= IRE_MARK_TESTHIDDEN;
- }
-
- /* Find the appropriate list head. */
- switch (ire->ire_type) {
- case IRE_HOST:
- ire->ire_mask_v6 = ipv6_all_ones;
- ire->ire_masklen = IPV6_ABITS;
- ire->ire_marks |= marks;
- if ((ire->ire_flags & RTF_SETSRC) == 0)
- ire->ire_src_addr_v6 = ipv6_all_zeros;
- break;
- case IRE_CACHE:
- ire->ire_mask_v6 = ipv6_all_ones;
- ire->ire_masklen = IPV6_ABITS;
- ire->ire_marks |= marks;
- break;
- case IRE_LOCAL:
- case IRE_LOOPBACK:
- ire->ire_mask_v6 = ipv6_all_ones;
- ire->ire_masklen = IPV6_ABITS;
- break;
- case IRE_PREFIX:
- case IRE_DEFAULT:
- ire->ire_marks |= marks;
- if ((ire->ire_flags & RTF_SETSRC) == 0)
- ire->ire_src_addr_v6 = ipv6_all_zeros;
- break;
- case IRE_IF_RESOLVER:
- case IRE_IF_NORESOLVER:
- ire->ire_marks |= marks;
- break;
- default:
- printf("ire_add_v6: ire %p has unrecognized IRE type (%d)\n",
- (void *)ire, ire->ire_type);
- ire_delete(ire);
- *ire_p = NULL;
- return (EINVAL);
- }
/* Make sure the address is properly masked. */
V6_MASK_COPY(ire->ire_addr_v6, ire->ire_mask_v6, ire->ire_addr_v6);
- if ((ire->ire_type & IRE_CACHETABLE) == 0) {
- /* IRE goes into Forward Table */
- mask_table_index = ip_mask_to_plen_v6(&ire->ire_mask_v6);
- if ((ipst->ips_ip_forwarding_table_v6[mask_table_index]) ==
- NULL) {
- irb_t *ptr;
- int i;
-
- ptr = (irb_t *)mi_zalloc((
- ipst->ips_ip6_ftable_hash_size * sizeof (irb_t)));
- if (ptr == NULL) {
- ire_delete(ire);
- *ire_p = NULL;
- return (ENOMEM);
- }
- for (i = 0; i < ipst->ips_ip6_ftable_hash_size; i++) {
- rw_init(&ptr[i].irb_lock, NULL,
- RW_DEFAULT, NULL);
- }
- mutex_enter(&ipst->ips_ire_ft_init_lock);
- if (ipst->ips_ip_forwarding_table_v6[
- mask_table_index] == NULL) {
- ipst->ips_ip_forwarding_table_v6[
- mask_table_index] = ptr;
- mutex_exit(&ipst->ips_ire_ft_init_lock);
- } else {
- /*
- * Some other thread won the race in
- * initializing the forwarding table at the
- * same index.
- */
- mutex_exit(&ipst->ips_ire_ft_init_lock);
- for (i = 0; i < ipst->ips_ip6_ftable_hash_size;
- i++) {
- rw_destroy(&ptr[i].irb_lock);
- }
- mi_free(ptr);
- }
- }
- irb_ptr = &(ipst->ips_ip_forwarding_table_v6[mask_table_index][
- IRE_ADDR_MASK_HASH_V6(ire->ire_addr_v6, ire->ire_mask_v6,
- ipst->ips_ip6_ftable_hash_size)]);
- } else {
- irb_ptr = &(ipst->ips_ip_cache_table_v6[IRE_ADDR_HASH_V6(
- ire->ire_addr_v6, ipst->ips_ip6_cache_table_size)]);
- }
- /*
- * For xresolv interfaces (v6 interfaces with an external
- * address resolver), ip_newroute_v6/ip_newroute_ipif_v6
- * are unable to prevent the deletion of the interface route
- * while adding an IRE_CACHE for an on-link destination
- * in the IRE_IF_RESOLVER case, since the ire has to go to
- * the external resolver and return. We can't do a REFHOLD on the
- * associated interface ire for fear of the message being freed
- * if the external resolver can't resolve the address.
- * Here we look up the interface ire in the forwarding table
- * and make sure that the interface route has not been deleted.
- */
- if (ire->ire_type == IRE_CACHE &&
- IN6_IS_ADDR_UNSPECIFIED(&ire->ire_gateway_addr_v6) &&
- (((ill_t *)ire->ire_stq->q_ptr)->ill_net_type == IRE_IF_RESOLVER) &&
- (((ill_t *)ire->ire_stq->q_ptr)->ill_flags & ILLF_XRESOLV)) {
+ mask_table_index = ip_mask_to_plen_v6(&ire->ire_mask_v6);
+ if ((ipst->ips_ip_forwarding_table_v6[mask_table_index]) == NULL) {
+ irb_t *ptr;
+ int i;
- pire = ire_ihandle_lookup_onlink_v6(ire);
- if (pire == NULL) {
+ ptr = (irb_t *)mi_zalloc((ipst->ips_ip6_ftable_hash_size *
+ sizeof (irb_t)));
+ if (ptr == NULL) {
ire_delete(ire);
- *ire_p = NULL;
- return (EINVAL);
+ return (NULL);
}
- /* Prevent pire from getting deleted */
- IRB_REFHOLD(pire->ire_bucket);
- /* Has it been removed already? */
- if (pire->ire_marks & IRE_MARK_CONDEMNED) {
- IRB_REFRELE(pire->ire_bucket);
- ire_refrele(pire);
- ire_delete(ire);
- *ire_p = NULL;
- return (EINVAL);
+ for (i = 0; i < ipst->ips_ip6_ftable_hash_size; i++) {
+ rw_init(&ptr[i].irb_lock, NULL, RW_DEFAULT, NULL);
+ }
+ mutex_enter(&ipst->ips_ire_ft_init_lock);
+ if (ipst->ips_ip_forwarding_table_v6[mask_table_index] ==
+ NULL) {
+ ipst->ips_ip_forwarding_table_v6[mask_table_index] =
+ ptr;
+ mutex_exit(&ipst->ips_ire_ft_init_lock);
+ } else {
+ /*
+ * Some other thread won the race in
+ * initializing the forwarding table at the
+ * same index.
+ */
+ mutex_exit(&ipst->ips_ire_ft_init_lock);
+ for (i = 0; i < ipst->ips_ip6_ftable_hash_size; i++) {
+ rw_destroy(&ptr[i].irb_lock);
+ }
+ mi_free(ptr);
}
}
+ irb_ptr = &(ipst->ips_ip_forwarding_table_v6[mask_table_index][
+ IRE_ADDR_MASK_HASH_V6(ire->ire_addr_v6, ire->ire_mask_v6,
+ ipst->ips_ip6_ftable_hash_size)]);
- flags = (MATCH_IRE_MASK | MATCH_IRE_TYPE | MATCH_IRE_GW);
+ match_flags = (MATCH_IRE_MASK | MATCH_IRE_TYPE | MATCH_IRE_GW);
+ if (ire->ire_ill != NULL)
+ match_flags |= MATCH_IRE_ILL;
/*
- * For IRE_CACHES, MATCH_IRE_IPIF is not enough to check
- * for duplicates because :
- *
- * 1) ire_ipif->ipif_ill and ire_stq->q_ptr could be
- * pointing at different ills. A real duplicate is
- * a match on both ire_ipif and ire_stq.
- *
- * 2) We could have multiple packets trying to create
- * an IRE_CACHE for the same ill.
- *
- * Rather than looking at the packet, we depend on the above for
- * MATCH_IRE_ILL here.
- *
- * Unlike IPv4, MATCH_IRE_IPIF is needed here as we could have
- * multiple IRE_CACHES for an ill for the same destination
- * with various scoped addresses i.e represented by ipifs.
- *
- * MATCH_IRE_ILL is done implicitly below for IRE_CACHES.
+ * Start the atomic add of the ire. Grab the bucket lock and the
+ * ill lock. Check for condemned.
*/
- if (ire->ire_ipif != NULL)
- flags |= MATCH_IRE_IPIF;
+ error = ire_atomic_start(irb_ptr, ire);
+ if (error != 0) {
+ ire_delete(ire);
+ return (NULL);
+ }
/*
* If we are creating a hidden IRE, make sure we search for
@@ -577,103 +384,36 @@ ire_add_v6(ire_t **ire_p, queue_t *q, mblk_t *mp, ipsq_func_t func)
* Otherwise, we might find an IRE on some other interface
* that's not marked hidden.
*/
- if (ire->ire_marks & IRE_MARK_TESTHIDDEN)
- flags |= MATCH_IRE_MARK_TESTHIDDEN;
-
- /*
- * Start the atomic add of the ire. Grab the ill locks,
- * ill_g_usesrc_lock and the bucket lock. Check for condemned.
- * To avoid lock order problems, get the ndp6.ndp_g_lock now itself.
- */
- if (ire->ire_type == IRE_CACHE) {
- mutex_enter(&ipst->ips_ndp6->ndp_g_lock);
- ndp_g_lock_held = B_TRUE;
- }
-
- /*
- * If ipif or ill is changing ire_atomic_start() may queue the
- * request and return EINPROGRESS.
- */
-
- error = ire_atomic_start(irb_ptr, ire, q, mp, func);
- if (error != 0) {
- if (ndp_g_lock_held)
- mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
- /*
- * We don't know whether it is a valid ipif or not.
- * So, set it to NULL. This assumes that the ire has not added
- * a reference to the ipif.
- */
- ire->ire_ipif = NULL;
- ire_delete(ire);
- if (pire != NULL) {
- IRB_REFRELE(pire->ire_bucket);
- ire_refrele(pire);
- }
- *ire_p = NULL;
- return (error);
- }
- /*
- * To avoid creating ires having stale values for the ire_max_frag
- * we get the latest value atomically here. For more details
- * see the block comment in ip_sioctl_mtu and in DL_NOTE_SDU_CHANGE
- * in ip_rput_dlpi_writer
- */
- if (ire->ire_max_fragp == NULL) {
- if (IN6_IS_ADDR_MULTICAST(&ire->ire_addr_v6))
- ire->ire_max_frag = ire->ire_ipif->ipif_mtu;
- else
- ire->ire_max_frag = pire->ire_max_frag;
- } else {
- uint_t max_frag;
-
- max_frag = *ire->ire_max_fragp;
- ire->ire_max_fragp = NULL;
- ire->ire_max_frag = max_frag;
- }
+ if (ire->ire_testhidden)
+ match_flags |= MATCH_IRE_TESTHIDDEN;
/*
* Atomically check for duplicate and insert in the table.
*/
for (ire1 = irb_ptr->irb_ire; ire1 != NULL; ire1 = ire1->ire_next) {
- if (ire1->ire_marks & IRE_MARK_CONDEMNED)
+ if (IRE_IS_CONDEMNED(ire1))
continue;
-
- if (ire->ire_type == IRE_CACHE) {
- /*
- * We do MATCH_IRE_ILL implicitly here for IRE_CACHES.
- * As ire_ipif and ire_stq could point to two
- * different ills, we can't pass just ire_ipif to
- * ire_match_args and get a match on both ills.
- * This is just needed for duplicate checks here and
- * so we don't add an extra argument to
- * ire_match_args for this. Do it locally.
- *
- * NOTE : Currently there is no part of the code
- * that asks for both MATH_IRE_IPIF and MATCH_IRE_ILL
- * match for IRE_CACHEs. Thus we don't want to
- * extend the arguments to ire_match_args_v6.
- */
- if (ire1->ire_stq != ire->ire_stq)
- continue;
- /*
- * Multiroute IRE_CACHEs for a given destination can
- * have the same ire_ipif, typically if their source
- * address is forced using RTF_SETSRC, and the same
- * send-to queue. We differentiate them using the parent
- * handle.
- */
- if ((ire1->ire_flags & RTF_MULTIRT) &&
- (ire->ire_flags & RTF_MULTIRT) &&
- (ire1->ire_phandle != ire->ire_phandle))
- continue;
- }
+ /*
+ * Here we need an exact match on zoneid, i.e.,
+ * ire_match_args doesn't fit.
+ */
if (ire1->ire_zoneid != ire->ire_zoneid)
continue;
+
+ if (ire1->ire_type != ire->ire_type)
+ continue;
+
+ /*
+ * Note: We do not allow multiple routes that differ only
+ * in the gateway security attributes; such routes are
+ * considered duplicates.
+ * To change that we explicitly have to treat them as
+ * different here.
+ */
if (ire_match_args_v6(ire1, &ire->ire_addr_v6,
&ire->ire_mask_v6, &ire->ire_gateway_addr_v6,
- ire->ire_type, ire->ire_ipif, ire->ire_zoneid, 0, NULL,
- flags)) {
+ ire->ire_type, ire->ire_ill, ire->ire_zoneid, NULL,
+ match_flags)) {
/*
* Return the old ire after doing a REFHOLD.
* As most of the callers continue to use the IRE
@@ -683,141 +423,25 @@ ire_add_v6(ire_t **ire_p, queue_t *q, mblk_t *mp, ipsq_func_t func)
*/
ip1dbg(("found dup ire existing %p new %p",
(void *)ire1, (void *)ire));
- IRE_REFHOLD(ire1);
- if (ndp_g_lock_held)
- mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
+ ire_refhold(ire1);
+ atomic_add_32(&ire1->ire_identical_ref, 1);
ire_atomic_end(irb_ptr, ire);
ire_delete(ire);
- if (pire != NULL) {
- /*
- * Assert that it is
- * not yet removed from the list.
- */
- ASSERT(pire->ire_ptpn != NULL);
- IRB_REFRELE(pire->ire_bucket);
- ire_refrele(pire);
- }
- *ire_p = ire1;
- return (0);
+ return (ire1);
}
}
- if (ire->ire_type == IRE_CACHE) {
- const in6_addr_t *addr_v6;
- ill_t *ill = ire_to_ill(ire);
- char buf[INET6_ADDRSTRLEN];
- nce_t *nce;
- /*
- * All IRE_CACHE types must have a nce. If this is
- * not the case the entry will not be added. We need
- * to make sure that if somebody deletes the nce
- * after we looked up, they will find this ire and
- * delete the ire. To delete this ire one needs the
- * bucket lock which we are still holding here. So,
- * even if the nce gets deleted after we looked up,
- * this ire will get deleted.
- *
- * NOTE : Don't need the ire_lock for accessing
- * ire_gateway_addr_v6 as it is appearing first
- * time on the list and rts_setgwr_v6 could not
- * be changing this.
- */
- addr_v6 = &ire->ire_gateway_addr_v6;
- if (IN6_IS_ADDR_UNSPECIFIED(addr_v6))
- addr_v6 = &ire->ire_addr_v6;
-
- /* nce fastpath is per-ill; don't match across illgrp */
- nce = ndp_lookup_v6(ill, B_FALSE, addr_v6, B_TRUE);
- if (nce == NULL)
- goto failed;
-
- /* Pair of refhold, refrele just to get the tracing right */
- NCE_REFHOLD_TO_REFHOLD_NOTR(nce);
- /*
- * Atomically make sure that new IREs don't point
- * to an NCE that is logically deleted (CONDEMNED).
- * ndp_delete() first marks the NCE CONDEMNED.
- * This ensures that the nce_refcnt won't increase
- * due to new nce_lookups or due to addition of new IREs
- * pointing to this NCE. Then ndp_delete() cleans up
- * existing references. If we don't do it atomically here,
- * ndp_delete() -> nce_ire_delete() will not be able to
- * clean up the IRE list completely, and the nce_refcnt
- * won't go down to zero.
- */
- mutex_enter(&nce->nce_lock);
- if (ill->ill_flags & ILLF_XRESOLV) {
- /*
- * If we used an external resolver, we may not
- * have gone through neighbor discovery to get here.
- * Must update the nce_state before the next check.
- */
- if (nce->nce_state == ND_INCOMPLETE)
- nce->nce_state = ND_REACHABLE;
- }
- if (nce->nce_state == ND_INCOMPLETE ||
- (nce->nce_flags & NCE_F_CONDEMNED) ||
- (nce->nce_state == ND_UNREACHABLE)) {
-failed:
- if (ndp_g_lock_held)
- mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
- if (nce != NULL)
- mutex_exit(&nce->nce_lock);
- ire_atomic_end(irb_ptr, ire);
- ip1dbg(("ire_add_v6: No nce for dst %s \n",
- inet_ntop(AF_INET6, &ire->ire_addr_v6,
- buf, sizeof (buf))));
- ire_delete(ire);
- if (pire != NULL) {
- /*
- * Assert that it is
- * not yet removed from the list.
- */
- ASSERT(pire->ire_ptpn != NULL);
- IRB_REFRELE(pire->ire_bucket);
- ire_refrele(pire);
- }
- if (nce != NULL)
- NCE_REFRELE_NOTR(nce);
- *ire_p = NULL;
- return (EINVAL);
- } else {
- ire->ire_nce = nce;
- }
- mutex_exit(&nce->nce_lock);
- }
/*
- * Find the first entry that matches ire_addr - provides
- * tail insertion. *irep will be null if no match.
+ * Normally we do head insertion since most things do not care about
+ * the order of the IREs in the bucket.
+ * However, due to shared-IP zones (and restrict_interzone_loopback)
+ * we can have an IRE_LOCAL as well as IRE_IF_CLONE for the same
+ * address. For that reason we do tail insertion for IRE_IF_CLONE.
*/
irep = (ire_t **)irb_ptr;
- while ((ire1 = *irep) != NULL &&
- !IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, &ire1->ire_addr_v6))
- irep = &ire1->ire_next;
- ASSERT(!(ire->ire_type & IRE_BROADCAST));
-
- if (*irep != NULL) {
- /*
- * Find the last ire which matches ire_addr_v6.
- * Needed to do tail insertion among entries with the same
- * ire_addr_v6.
- */
- while (IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6,
- &ire1->ire_addr_v6)) {
+ if (ire->ire_type & IRE_IF_CLONE) {
+ while ((ire1 = *irep) != NULL)
irep = &ire1->ire_next;
- ire1 = *irep;
- if (ire1 == NULL)
- break;
- }
- }
-
- if (ire->ire_type == IRE_DEFAULT) {
- /*
- * We keep a count of default gateways which is used when
- * assigning them as routes.
- */
- ipst->ips_ipv6_ire_default_count++;
- ASSERT(ipst->ips_ipv6_ire_default_count != 0); /* Wraparound */
}
/* Insert at *irep */
ire1 = *irep;
@@ -852,62 +476,22 @@ failed:
* in the list for the first time and no one else can bump
* up the reference count on this yet.
*/
- IRE_REFHOLD_LOCKED(ire);
+ ire_refhold_locked(ire);
BUMP_IRE_STATS(ipst->ips_ire_stats_v6, ire_stats_inserted);
irb_ptr->irb_ire_cnt++;
- if (ire->ire_marks & IRE_MARK_TEMPORARY)
- irb_ptr->irb_tmp_ire_cnt++;
- if (ire->ire_ipif != NULL) {
- DTRACE_PROBE3(ipif__incr__cnt, (ipif_t *), ire->ire_ipif,
+ if (ire->ire_ill != NULL) {
+ DTRACE_PROBE3(ill__incr__cnt, (ill_t *), ire->ire_ill,
(char *), "ire", (void *), ire);
- ire->ire_ipif->ipif_ire_cnt++;
- if (ire->ire_stq != NULL) {
- stq_ill = (ill_t *)ire->ire_stq->q_ptr;
- DTRACE_PROBE3(ill__incr__cnt, (ill_t *), stq_ill,
- (char *), "ire", (void *), ire);
- stq_ill->ill_ire_cnt++;
- }
- } else {
- ASSERT(ire->ire_stq == NULL);
+ ire->ire_ill->ill_ire_cnt++;
+ ASSERT(ire->ire_ill->ill_ire_cnt != 0); /* Wraparound */
}
-
- if (ndp_g_lock_held)
- mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
ire_atomic_end(irb_ptr, ire);
- if (pire != NULL) {
- /* Assert that it is not removed from the list yet */
- ASSERT(pire->ire_ptpn != NULL);
- IRB_REFRELE(pire->ire_bucket);
- ire_refrele(pire);
- }
-
- if (ire->ire_type != IRE_CACHE) {
- /*
- * For ire's with with host mask see if there is an entry
- * in the cache. If there is one flush the whole cache as
- * there might be multiple entries due to RTF_MULTIRT (CGTP).
- * If no entry is found than there is no need to flush the
- * cache.
- */
-
- if (ip_mask_to_plen_v6(&ire->ire_mask_v6) == IPV6_ABITS) {
- ire_t *lire;
- lire = ire_ctable_lookup_v6(&ire->ire_addr_v6, NULL,
- IRE_CACHE, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE,
- ipst);
- if (lire != NULL) {
- ire_refrele(lire);
- ire_flush_cache_v6(ire, IRE_FLUSH_ADD);
- }
- } else {
- ire_flush_cache_v6(ire, IRE_FLUSH_ADD);
- }
- }
+ /* Make any caching of the IREs be notified or updated */
+ ire_flush_cache_v6(ire, IRE_FLUSH_ADD);
- *ire_p = ire;
- return (0);
+ return (ire);
}
/*
@@ -931,7 +515,7 @@ ire_delete_host_redirects_v6(const in6_addr_t *gateway, ip_stack_t *ipst)
return;
for (i = 0; (i < ipst->ips_ip6_ftable_hash_size); i++) {
irb = &irb_ptr[i];
- IRB_REFHOLD(irb);
+ irb_refhold(irb);
for (ire = irb->irb_ire; ire != NULL; ire = ire->ire_next) {
if (!(ire->ire_flags & RTF_DYNAMIC))
continue;
@@ -941,50 +525,11 @@ ire_delete_host_redirects_v6(const in6_addr_t *gateway, ip_stack_t *ipst)
if (IN6_ARE_ADDR_EQUAL(&gw_addr_v6, gateway))
ire_delete(ire);
}
- IRB_REFRELE(irb);
+ irb_refrele(irb);
}
}
/*
- * Delete all the cache entries with this 'addr'. This is the IPv6 counterpart
- * of ip_ire_clookup_and_delete. The difference being this function does not
- * return any value. IPv6 processing of a gratuitous ARP, as it stands, is
- * different than IPv4 in that, regardless of the presence of a cache entry
- * for this address, an ire_walk_v6 is done. Another difference is that unlike
- * in the case of IPv4 this does not take an ipif_t argument, since it is only
- * called by ip_arp_news and the match is always only on the address.
- */
-void
-ip_ire_clookup_and_delete_v6(const in6_addr_t *addr, ip_stack_t *ipst)
-{
- irb_t *irb;
- ire_t *cire;
- boolean_t found = B_FALSE;
-
- irb = &ipst->ips_ip_cache_table_v6[IRE_ADDR_HASH_V6(*addr,
- ipst->ips_ip6_cache_table_size)];
- IRB_REFHOLD(irb);
- for (cire = irb->irb_ire; cire != NULL; cire = cire->ire_next) {
- if (cire->ire_marks & IRE_MARK_CONDEMNED)
- continue;
- if (IN6_ARE_ADDR_EQUAL(&cire->ire_addr_v6, addr)) {
-
- /* This signifies start of a match */
- if (!found)
- found = B_TRUE;
- if (cire->ire_type == IRE_CACHE) {
- if (cire->ire_nce != NULL)
- ndp_delete(cire->ire_nce);
- ire_delete_v6(cire);
- }
- /* End of the match */
- } else if (found)
- break;
- }
- IRB_REFRELE(irb);
-}
-
-/*
* Delete the specified IRE.
* All calls should use ire_delete().
* Sometimes called as writer though not required by this function.
@@ -998,11 +543,20 @@ ire_delete_v6(ire_t *ire)
in6_addr_t gw_addr_v6;
ip_stack_t *ipst = ire->ire_ipst;
+ /*
+ * Make sure ire_generation increases from ire_flush_cache happen
+ * after any lookup/reader has read ire_generation.
+ * Since the rw_enter makes us wait until any lookup/reader has
+ * completed we can exit the lock immediately.
+ */
+ rw_enter(&ipst->ips_ip6_ire_head_lock, RW_WRITER);
+ rw_exit(&ipst->ips_ip6_ire_head_lock);
+
ASSERT(ire->ire_refcnt >= 1);
ASSERT(ire->ire_ipversion == IPV6_VERSION);
- if (ire->ire_type != IRE_CACHE)
- ire_flush_cache_v6(ire, IRE_FLUSH_DELETE);
+ ire_flush_cache_v6(ire, IRE_FLUSH_DELETE);
+
if (ire->ire_type == IRE_DEFAULT) {
/*
* when a default gateway is going away
@@ -1014,368 +568,284 @@ ire_delete_v6(ire_t *ire)
mutex_exit(&ire->ire_lock);
ire_delete_host_redirects_v6(&gw_addr_v6, ipst);
}
-}
-
-/*
- * ire_walk routine to delete all IRE_CACHE and IRE_HOST type redirect
- * entries.
- */
-/*ARGSUSED1*/
-void
-ire_delete_cache_v6(ire_t *ire, char *arg)
-{
- char addrstr1[INET6_ADDRSTRLEN];
- char addrstr2[INET6_ADDRSTRLEN];
-
- if ((ire->ire_type & IRE_CACHE) ||
- (ire->ire_flags & RTF_DYNAMIC)) {
- ip1dbg(("ire_delete_cache_v6: deleted %s type %d through %s\n",
- inet_ntop(AF_INET6, &ire->ire_addr_v6,
- addrstr1, sizeof (addrstr1)),
- ire->ire_type,
- inet_ntop(AF_INET6, &ire->ire_gateway_addr_v6,
- addrstr2, sizeof (addrstr2))));
- ire_delete(ire);
- }
-
-}
-/*
- * ire_walk routine to delete all IRE_CACHE/IRE_HOST type redirect entries
- * that have a given gateway address.
- */
-void
-ire_delete_cache_gw_v6(ire_t *ire, char *addr)
-{
- in6_addr_t *gw_addr = (in6_addr_t *)addr;
- char buf1[INET6_ADDRSTRLEN];
- char buf2[INET6_ADDRSTRLEN];
- in6_addr_t ire_gw_addr_v6;
-
- if (!(ire->ire_type & IRE_CACHE) &&
- !(ire->ire_flags & RTF_DYNAMIC))
- return;
-
- mutex_enter(&ire->ire_lock);
- ire_gw_addr_v6 = ire->ire_gateway_addr_v6;
- mutex_exit(&ire->ire_lock);
+ /*
+ * If we are deleting an IRE_INTERFACE then we make sure we also
+ * delete any IRE_IF_CLONE that has been created from it.
+ * Those are always in ire_dep_children.
+ */
+ if ((ire->ire_type & IRE_INTERFACE) && ire->ire_dep_children != 0)
+ ire_dep_delete_if_clone(ire);
- if (IN6_ARE_ADDR_EQUAL(&ire_gw_addr_v6, gw_addr)) {
- ip1dbg(("ire_delete_cache_gw_v6: deleted %s type %d to %s\n",
- inet_ntop(AF_INET6, &ire->ire_src_addr_v6,
- buf1, sizeof (buf1)),
- ire->ire_type,
- inet_ntop(AF_INET6, &ire_gw_addr_v6,
- buf2, sizeof (buf2))));
- ire_delete(ire);
+ /* Remove from parent dependencies and child */
+ rw_enter(&ipst->ips_ire_dep_lock, RW_WRITER);
+ if (ire->ire_dep_parent != NULL) {
+ ire_dep_remove(ire);
}
+ while (ire->ire_dep_children != NULL)
+ ire_dep_remove(ire->ire_dep_children);
+ rw_exit(&ipst->ips_ire_dep_lock);
}
/*
- * Remove all IRE_CACHE entries that match
- * the ire specified. (Sometimes called
- * as writer though not required by this function.)
- *
- * The flag argument indicates if the
- * flush request is due to addition
- * of new route (IRE_FLUSH_ADD) or deletion of old
- * route (IRE_FLUSH_DELETE).
+ * When an IRE is added or deleted this routine is called to make sure
+ * any caching of IRE information is notified or updated.
*
- * This routine takes only the IREs from the forwarding
- * table and flushes the corresponding entries from
- * the cache table.
- *
- * When flushing due to the deletion of an old route, it
- * just checks the cache handles (ire_phandle and ire_ihandle) and
- * deletes the ones that match.
- *
- * When flushing due to the creation of a new route, it checks
- * if a cache entry's address matches the one in the IRE and
- * that the cache entry's parent has a less specific mask than the
- * one in IRE. The destination of such a cache entry could be the
- * gateway for other cache entries, so we need to flush those as
- * well by looking for gateway addresses matching the IRE's address.
+ * The flag argument indicates if the flush request is due to addition
+ * of new route (IRE_FLUSH_ADD), deletion of old route (IRE_FLUSH_DELETE),
+ * or a change to ire_gateway_addr (IRE_FLUSH_GWCHANGE).
*/
void
ire_flush_cache_v6(ire_t *ire, int flag)
{
- int i;
- ire_t *cire;
- irb_t *irb;
- ip_stack_t *ipst = ire->ire_ipst;
+ ip_stack_t *ipst = ire->ire_ipst;
- if (ire->ire_type & IRE_CACHE)
+ /*
+ * IRE_IF_CLONE ire's don't provide any new information
+ * than the parent from which they are cloned, so don't
+ * perturb the generation numbers.
+ */
+ if (ire->ire_type & IRE_IF_CLONE)
return;
/*
- * If a default is just created, there is no point
- * in going through the cache, as there will not be any
- * cached ires.
+ * Ensure that an ire_add during a lookup serializes the updates of
+ * the generation numbers under ire_head_lock so that the lookup gets
+ * either the old ire and old generation number, or a new ire and new
+ * generation number.
+ */
+ rw_enter(&ipst->ips_ip6_ire_head_lock, RW_WRITER);
+
+ /*
+ * If a route was just added, we need to notify everybody that
+ * has cached an IRE_NOROUTE since there might now be a better
+ * route for them.
*/
- if (ire->ire_type == IRE_DEFAULT && flag == IRE_FLUSH_ADD)
- return;
if (flag == IRE_FLUSH_ADD) {
+ ire_increment_generation(ipst->ips_ire_reject_v6);
+ ire_increment_generation(ipst->ips_ire_blackhole_v6);
+ }
+
+ /* Adding a default can't otherwise provide a better route */
+ if (ire->ire_type == IRE_DEFAULT && flag == IRE_FLUSH_ADD) {
+ rw_exit(&ipst->ips_ip6_ire_head_lock);
+ return;
+ }
+
+ switch (flag) {
+ case IRE_FLUSH_DELETE:
+ case IRE_FLUSH_GWCHANGE:
/*
- * This selective flush is
- * due to the addition of
- * new IRE.
+ * Update ire_generation for all ire_dep_children chains
+ * starting with this IRE
*/
- for (i = 0; i < ipst->ips_ip6_cache_table_size; i++) {
- irb = &ipst->ips_ip_cache_table_v6[i];
- if ((cire = irb->irb_ire) == NULL)
- continue;
- IRB_REFHOLD(irb);
- for (cire = irb->irb_ire; cire != NULL;
- cire = cire->ire_next) {
- if (cire->ire_type != IRE_CACHE)
- continue;
- /*
- * If 'cire' belongs to the same subnet
- * as the new ire being added, and 'cire'
- * is derived from a prefix that is less
- * specific than the new ire being added,
- * we need to flush 'cire'; for instance,
- * when a new interface comes up.
- */
- if ((V6_MASK_EQ_2(cire->ire_addr_v6,
- ire->ire_mask_v6, ire->ire_addr_v6) &&
- (ip_mask_to_plen_v6(&cire->ire_cmask_v6) <=
- ire->ire_masklen))) {
- ire_delete(cire);
- continue;
- }
- /*
- * This is the case when the ire_gateway_addr
- * of 'cire' belongs to the same subnet as
- * the new ire being added.
- * Flushing such ires is sometimes required to
- * avoid misrouting: say we have a machine with
- * two interfaces (I1 and I2), a default router
- * R on the I1 subnet, and a host route to an
- * off-link destination D with a gateway G on
- * the I2 subnet.
- * Under normal operation, we will have an
- * on-link cache entry for G and an off-link
- * cache entry for D with G as ire_gateway_addr,
- * traffic to D will reach its destination
- * through gateway G.
- * If the administrator does 'ifconfig I2 down',
- * the cache entries for D and G will be
- * flushed. However, G will now be resolved as
- * an off-link destination using R (the default
- * router) as gateway. Then D will also be
- * resolved as an off-link destination using G
- * as gateway - this behavior is due to
- * compatibility reasons, see comment in
- * ire_ihandle_lookup_offlink(). Traffic to D
- * will go to the router R and probably won't
- * reach the destination.
- * The administrator then does 'ifconfig I2 up'.
- * Since G is on the I2 subnet, this routine
- * will flush its cache entry. It must also
- * flush the cache entry for D, otherwise
- * traffic will stay misrouted until the IRE
- * times out.
- */
- if (V6_MASK_EQ_2(cire->ire_gateway_addr_v6,
- ire->ire_mask_v6, ire->ire_addr_v6)) {
- ire_delete(cire);
- continue;
- }
- }
- IRB_REFRELE(irb);
- }
- } else {
+ ire_dep_incr_generation(ire);
+ break;
+ case IRE_FLUSH_ADD: {
+ in6_addr_t addr;
+ in6_addr_t mask;
+ ip_stack_t *ipst = ire->ire_ipst;
+ uint_t masklen;
+
/*
- * delete the cache entries based on
- * handle in the IRE as this IRE is
- * being deleted/changed.
+ * Find an IRE which is a shorter match than the ire to be added
+ * For any such IRE (which we repeat) we update the
+ * ire_generation the same way as in the delete case.
*/
- for (i = 0; i < ipst->ips_ip6_cache_table_size; i++) {
- irb = &ipst->ips_ip_cache_table_v6[i];
- if ((cire = irb->irb_ire) == NULL)
- continue;
- IRB_REFHOLD(irb);
- for (cire = irb->irb_ire; cire != NULL;
- cire = cire->ire_next) {
- if (cire->ire_type != IRE_CACHE)
- continue;
- if ((cire->ire_phandle == 0 ||
- cire->ire_phandle != ire->ire_phandle) &&
- (cire->ire_ihandle == 0 ||
- cire->ire_ihandle != ire->ire_ihandle))
- continue;
- ire_delete(cire);
- }
- IRB_REFRELE(irb);
+ addr = ire->ire_addr_v6;
+ mask = ire->ire_mask_v6;
+ masklen = ip_mask_to_plen_v6(&mask);
+
+ ire = ire_ftable_lookup_impl_v6(&addr, &mask, NULL, 0, NULL,
+ ALL_ZONES, NULL, MATCH_IRE_SHORTERMASK, ipst);
+ while (ire != NULL) {
+ /* We need to handle all in the same bucket */
+ irb_increment_generation(ire->ire_bucket);
+
+ mask = ire->ire_mask_v6;
+ ASSERT(masklen > ip_mask_to_plen_v6(&mask));
+ masklen = ip_mask_to_plen_v6(&mask);
+ ire_refrele(ire);
+ ire = ire_ftable_lookup_impl_v6(&addr, &mask, NULL, 0,
+ NULL, ALL_ZONES, NULL, MATCH_IRE_SHORTERMASK, ipst);
+ }
}
+ break;
}
+ rw_exit(&ipst->ips_ip6_ire_head_lock);
}
/*
* Matches the arguments passed with the values in the ire.
*
- * Note: for match types that match using "ipif" passed in, ipif
+ * Note: for match types that match using "ill" passed in, ill
* must be checked for non-NULL before calling this routine.
*/
-static boolean_t
+boolean_t
ire_match_args_v6(ire_t *ire, const in6_addr_t *addr, const in6_addr_t *mask,
- const in6_addr_t *gateway, int type, const ipif_t *ipif, zoneid_t zoneid,
- uint32_t ihandle, const ts_label_t *tsl, int match_flags)
+ const in6_addr_t *gateway, int type, const ill_t *ill, zoneid_t zoneid,
+ const ts_label_t *tsl, int match_flags)
{
in6_addr_t masked_addr;
in6_addr_t gw_addr_v6;
ill_t *ire_ill = NULL, *dst_ill;
- ill_t *ipif_ill = NULL;
- ipif_t *src_ipif;
+ ip_stack_t *ipst = ire->ire_ipst;
ASSERT(ire->ire_ipversion == IPV6_VERSION);
ASSERT(addr != NULL);
ASSERT(mask != NULL);
ASSERT((!(match_flags & MATCH_IRE_GW)) || gateway != NULL);
ASSERT((!(match_flags & MATCH_IRE_ILL)) ||
- (ipif != NULL && ipif->ipif_isv6));
+ (ill != NULL && ill->ill_isv6));
/*
- * If MATCH_IRE_MARK_TESTHIDDEN is set, then only return the IRE if it
- * is in fact hidden, to ensure the caller gets the right one. One
- * exception: if the caller passed MATCH_IRE_IHANDLE, then they
- * already know the identity of the given IRE_INTERFACE entry and
- * there's no point trying to hide it from them.
+ * If MATCH_IRE_TESTHIDDEN is set, then only return the IRE if it
+ * is in fact hidden, to ensure the caller gets the right one.
*/
- if (ire->ire_marks & IRE_MARK_TESTHIDDEN) {
- if (match_flags & MATCH_IRE_IHANDLE)
- match_flags |= MATCH_IRE_MARK_TESTHIDDEN;
-
- if (!(match_flags & MATCH_IRE_MARK_TESTHIDDEN))
+ if (ire->ire_testhidden) {
+ if (!(match_flags & MATCH_IRE_TESTHIDDEN))
return (B_FALSE);
}
if (zoneid != ALL_ZONES && zoneid != ire->ire_zoneid &&
ire->ire_zoneid != ALL_ZONES) {
/*
- * If MATCH_IRE_ZONEONLY has been set and the supplied zoneid is
- * valid and does not match that of ire_zoneid, a failure to
+ * If MATCH_IRE_ZONEONLY has been set and the supplied zoneid
+ * does not match that of ire_zoneid, a failure to
* match is reported at this point. Otherwise, since some IREs
* that are available in the global zone can be used in local
* zones, additional checks need to be performed:
*
- * IRE_CACHE and IRE_LOOPBACK entries should
- * never be matched in this situation.
+ * IRE_LOOPBACK
+ * entries should never be matched in this situation.
+ * Each zone has its own IRE_LOOPBACK.
*
- * IRE entries that have an interface associated with them
- * should in general not match unless they are an IRE_LOCAL
- * or in the case when MATCH_IRE_DEFAULT has been set in
- * the caller. In the case of the former, checking of the
- * other fields supplied should take place.
+ * IRE_LOCAL
+ * We allow them for any zoneid. ire_route_recursive
+ * does additional checks when
+ * ip_restrict_interzone_loopback is set.
*
- * In the case where MATCH_IRE_DEFAULT has been set,
- * all of the ipif's associated with the IRE's ill are
- * checked to see if there is a matching zoneid. If any
- * one ipif has a matching zoneid, this IRE is a
- * potential candidate so checking of the other fields
- * takes place.
+ * If ill_usesrc_ifindex is set
+ * Then we check if the zone has a valid source address
+ * on the usesrc ill.
*
- * In the case where the IRE_INTERFACE has a usable source
- * address (indicated by ill_usesrc_ifindex) in the
- * correct zone then it's permitted to return this IRE
+ * If ire_ill is set, then check that the zone has an ipif
+ * on that ill.
+ *
+ * Outside of this function (in ire_round_robin) we check
+ * that any IRE_OFFLINK has a gateway that reachable from the
+ * zone when we have multiple choices (ECMP).
*/
if (match_flags & MATCH_IRE_ZONEONLY)
return (B_FALSE);
- if (ire->ire_type & (IRE_CACHE | IRE_LOOPBACK))
+ if (ire->ire_type & IRE_LOOPBACK)
return (B_FALSE);
+
+ if (ire->ire_type & IRE_LOCAL)
+ goto matchit;
+
/*
- * Note, IRE_INTERFACE can have the stq as NULL. For
- * example, if the default multicast route is tied to
- * the loopback address.
+ * The normal case of IRE_ONLINK has a matching zoneid.
+ * Here we handle the case when shared-IP zones have been
+ * configured with IP addresses on vniN. In that case it
+ * is ok for traffic from a zone to use IRE_ONLINK routes
+ * if the ill has a usesrc pointing at vniN
+ * Applies to IRE_INTERFACE.
*/
- if ((ire->ire_type & IRE_INTERFACE) &&
- (ire->ire_stq != NULL)) {
- dst_ill = (ill_t *)ire->ire_stq->q_ptr;
+ dst_ill = ire->ire_ill;
+ if (ire->ire_type & IRE_ONLINK) {
+ uint_t ifindex;
+
+ /*
+ * Note there is no IRE_INTERFACE on vniN thus
+ * can't do an IRE lookup for a matching route.
+ */
+ ifindex = dst_ill->ill_usesrc_ifindex;
+ if (ifindex == 0)
+ return (B_FALSE);
+
/*
* If there is a usable source address in the
- * zone, then it's ok to return an
- * IRE_INTERFACE
+ * zone, then it's ok to return this IRE_INTERFACE
*/
- if ((dst_ill->ill_usesrc_ifindex != 0) &&
- (src_ipif = ipif_select_source_v6(dst_ill, addr,
- B_FALSE, IPV6_PREFER_SRC_DEFAULT, zoneid))
- != NULL) {
- ip3dbg(("ire_match_args: src_ipif %p"
- " dst_ill %p", (void *)src_ipif,
- (void *)dst_ill));
- ipif_refrele(src_ipif);
- } else {
- ip3dbg(("ire_match_args: src_ipif NULL"
+ if (!ipif_zone_avail(ifindex, dst_ill->ill_isv6,
+ zoneid, ipst)) {
+ ip3dbg(("ire_match_args: no usrsrc for zone"
" dst_ill %p\n", (void *)dst_ill));
return (B_FALSE);
}
}
- if (ire->ire_ipif != NULL && ire->ire_type != IRE_LOCAL &&
- !(ire->ire_type & IRE_INTERFACE)) {
+ /*
+ * For exampe, with
+ * route add 11.0.0.0 gw1 -ifp bge0
+ * route add 11.0.0.0 gw2 -ifp bge1
+ * this code would differentiate based on
+ * where the sending zone has addresses.
+ * Only if the zone has an address on bge0 can it use the first
+ * route. It isn't clear if this behavior is documented
+ * anywhere.
+ */
+ if (dst_ill != NULL && (ire->ire_type & IRE_OFFLINK)) {
ipif_t *tipif;
- if ((match_flags & MATCH_IRE_DEFAULT) == 0)
- return (B_FALSE);
- mutex_enter(&ire->ire_ipif->ipif_ill->ill_lock);
- for (tipif = ire->ire_ipif->ipif_ill->ill_ipif;
+ mutex_enter(&dst_ill->ill_lock);
+ for (tipif = dst_ill->ill_ipif;
tipif != NULL; tipif = tipif->ipif_next) {
- if (IPIF_CAN_LOOKUP(tipif) &&
+ if (!IPIF_IS_CONDEMNED(tipif) &&
(tipif->ipif_flags & IPIF_UP) &&
(tipif->ipif_zoneid == zoneid ||
tipif->ipif_zoneid == ALL_ZONES))
break;
}
- mutex_exit(&ire->ire_ipif->ipif_ill->ill_lock);
+ mutex_exit(&dst_ill->ill_lock);
if (tipif == NULL)
return (B_FALSE);
}
}
+matchit:
if (match_flags & MATCH_IRE_GW) {
mutex_enter(&ire->ire_lock);
gw_addr_v6 = ire->ire_gateway_addr_v6;
mutex_exit(&ire->ire_lock);
}
-
- /*
- * For IRE_CACHE entries, MATCH_IRE_ILL means that somebody wants to
- * send out ire_stq (ire_ipif for IRE_CACHE entries is just the means
- * of getting a source address -- i.e., ire_src_addr_v6 ==
- * ire->ire_ipif->ipif_v6src_addr). ire_to_ill() handles this.
- *
- * NOTE: For IPMP, MATCH_IRE_ILL usually matches any ill in the group.
- * However, if MATCH_IRE_MARK_TESTHIDDEN is set (i.e., the IRE is for
- * IPMP test traffic), then the ill must match exactly.
- */
if (match_flags & MATCH_IRE_ILL) {
- ire_ill = ire_to_ill(ire);
- ipif_ill = ipif->ipif_ill;
- }
+ ire_ill = ire->ire_ill;
+ /*
+ * If asked to match an ill, we *must* match
+ * on the ire_ill for ipmp test addresses, or
+ * any of the ill in the group for data addresses.
+ * If we don't, we may as well fail.
+ * However, we need an exception for IRE_LOCALs to ensure
+ * we loopback packets even sent to test addresses on different
+ * interfaces in the group.
+ */
+ if ((match_flags & MATCH_IRE_TESTHIDDEN) &&
+ !(ire->ire_type & IRE_LOCAL)) {
+ if (ire->ire_ill != ill)
+ return (B_FALSE);
+ } else {
+ match_flags &= ~MATCH_IRE_TESTHIDDEN;
+ /*
+ * We know that ill is not NULL, but ire_ill could be
+ * NULL
+ */
+ if (ire_ill == NULL || !IS_ON_SAME_LAN(ill, ire_ill))
+ return (B_FALSE);
+ }
+ }
/* No ire_addr_v6 bits set past the mask */
ASSERT(V6_MASK_EQ(ire->ire_addr_v6, ire->ire_mask_v6,
ire->ire_addr_v6));
V6_MASK_COPY(*addr, *mask, masked_addr);
-
if (V6_MASK_EQ(*addr, *mask, ire->ire_addr_v6) &&
((!(match_flags & MATCH_IRE_GW)) ||
IN6_ARE_ADDR_EQUAL(&gw_addr_v6, gateway)) &&
- ((!(match_flags & MATCH_IRE_TYPE)) ||
- (ire->ire_type & type)) &&
- ((!(match_flags & MATCH_IRE_SRC)) ||
- IN6_ARE_ADDR_EQUAL(&ire->ire_src_addr_v6,
- &ipif->ipif_v6src_addr)) &&
- ((!(match_flags & MATCH_IRE_IPIF)) ||
- (ire->ire_ipif == ipif)) &&
- ((!(match_flags & MATCH_IRE_MARK_TESTHIDDEN)) ||
- (ire->ire_marks & IRE_MARK_TESTHIDDEN)) &&
- ((!(match_flags & MATCH_IRE_ILL)) ||
- (ire_ill == ipif_ill ||
- (!(match_flags & MATCH_IRE_MARK_TESTHIDDEN) &&
- ire_ill != NULL && IS_IN_SAME_ILLGRP(ipif_ill, ire_ill)))) &&
- ((!(match_flags & MATCH_IRE_IHANDLE)) ||
- (ire->ire_ihandle == ihandle)) &&
+ ((!(match_flags & MATCH_IRE_TYPE)) || (ire->ire_type & type)) &&
+ ((!(match_flags & MATCH_IRE_TESTHIDDEN)) || ire->ire_testhidden) &&
+ ((!(match_flags & MATCH_IRE_MASK)) ||
+ (IN6_ARE_ADDR_EQUAL(&ire->ire_mask_v6, mask))) &&
((!(match_flags & MATCH_IRE_SECATTR)) ||
(!is_system_labeled()) ||
(tsol_ire_match_gwattr(ire, tsl) == 0))) {
@@ -1386,41 +856,38 @@ ire_match_args_v6(ire_t *ire, const in6_addr_t *addr, const in6_addr_t *mask,
}
/*
- * Lookup for a route in all the tables
+ * Check if the zoneid (not ALL_ZONES) has an IRE_INTERFACE for the specified
+ * gateway address. If ill is non-NULL we also match on it.
+ * The caller must hold a read lock on RADIX_NODE_HEAD if lock_held is set.
*/
-ire_t *
-ire_route_lookup_v6(const in6_addr_t *addr, const in6_addr_t *mask,
- const in6_addr_t *gateway, int type, const ipif_t *ipif, ire_t **pire,
- zoneid_t zoneid, const ts_label_t *tsl, int flags, ip_stack_t *ipst)
+boolean_t
+ire_gateway_ok_zone_v6(const in6_addr_t *gateway, zoneid_t zoneid, ill_t *ill,
+ const ts_label_t *tsl, ip_stack_t *ipst, boolean_t lock_held)
{
- ire_t *ire = NULL;
+ ire_t *ire;
+ uint_t match_flags;
- /*
- * ire_match_args_v6() will dereference ipif MATCH_IRE_SRC or
- * MATCH_IRE_ILL is set.
- */
- if ((flags & (MATCH_IRE_SRC | MATCH_IRE_ILL)) && (ipif == NULL))
- return (NULL);
+ if (lock_held)
+ ASSERT(RW_READ_HELD(&ipst->ips_ip6_ire_head_lock));
+ else
+ rw_enter(&ipst->ips_ip6_ire_head_lock, RW_READER);
- /*
- * might be asking for a cache lookup,
- * This is not best way to lookup cache,
- * user should call ire_cache_lookup directly.
- *
- * If MATCH_IRE_TYPE was set, first lookup in the cache table and then
- * in the forwarding table, if the applicable type flags were set.
- */
- if ((flags & MATCH_IRE_TYPE) == 0 || (type & IRE_CACHETABLE) != 0) {
- ire = ire_ctable_lookup_v6(addr, gateway, type, ipif, zoneid,
- tsl, flags, ipst);
- if (ire != NULL)
- return (ire);
- }
- if ((flags & MATCH_IRE_TYPE) == 0 || (type & IRE_FORWARDTABLE) != 0) {
- ire = ire_ftable_lookup_v6(addr, mask, gateway, type, ipif,
- pire, zoneid, 0, tsl, flags, ipst);
+ match_flags = MATCH_IRE_TYPE | MATCH_IRE_SECATTR;
+ if (ill != NULL)
+ match_flags |= MATCH_IRE_ILL;
+
+ ire = ire_ftable_lookup_impl_v6(gateway, &ipv6_all_zeros,
+ &ipv6_all_zeros, IRE_INTERFACE, ill, zoneid, tsl, match_flags,
+ ipst);
+
+ if (!lock_held)
+ rw_exit(&ipst->ips_ip6_ire_head_lock);
+ if (ire != NULL) {
+ ire_refrele(ire);
+ return (B_TRUE);
+ } else {
+ return (B_FALSE);
}
- return (ire);
}
/*
@@ -1429,63 +896,121 @@ ire_route_lookup_v6(const in6_addr_t *addr, const in6_addr_t *mask,
* required parameters and indicating the
* match required in flag field.
*
- * Looking for default route can be done in three ways
- * 1) pass mask as ipv6_all_zeros and set MATCH_IRE_MASK in flags field
- * along with other matches.
- * 2) pass type as IRE_DEFAULT and set MATCH_IRE_TYPE in flags
- * field along with other matches.
- * 3) if the destination and mask are passed as zeros.
- *
- * A request to return a default route if no route
- * is found, can be specified by setting MATCH_IRE_DEFAULT
- * in flags.
- *
- * It does not support recursion more than one level. It
- * will do recursive lookup only when the lookup maps to
- * a prefix or default route and MATCH_IRE_RECURSIVE flag is passed.
- *
- * If the routing table is setup to allow more than one level
- * of recursion, the cleaning up cache table will not work resulting
- * in invalid routing.
- *
* Supports link-local addresses by following the ipif/ill when recursing.
- *
- * NOTE : When this function returns NULL, pire has already been released.
- * pire is valid only when this function successfully returns an
- * ire.
*/
ire_t *
ire_ftable_lookup_v6(const in6_addr_t *addr, const in6_addr_t *mask,
- const in6_addr_t *gateway, int type, const ipif_t *ipif, ire_t **pire,
- zoneid_t zoneid, uint32_t ihandle, const ts_label_t *tsl, int flags,
- ip_stack_t *ipst)
+ const in6_addr_t *gateway, int type, const ill_t *ill,
+ zoneid_t zoneid, const ts_label_t *tsl, int flags,
+ uint32_t xmit_hint, ip_stack_t *ipst, uint_t *generationp)
{
- irb_t *irb_ptr;
- ire_t *rire;
ire_t *ire = NULL;
- ire_t *saved_ire;
- nce_t *nce;
- int i;
- in6_addr_t gw_addr_v6;
ASSERT(addr != NULL);
ASSERT((!(flags & MATCH_IRE_MASK)) || mask != NULL);
ASSERT((!(flags & MATCH_IRE_GW)) || gateway != NULL);
- ASSERT(ipif == NULL || ipif->ipif_isv6);
+ ASSERT(ill == NULL || ill->ill_isv6);
+
+ ASSERT(!IN6_IS_ADDR_V4MAPPED(addr));
/*
- * When we return NULL from this function, we should make
- * sure that *pire is NULL so that the callers will not
- * wrongly REFRELE the pire.
+ * ire_match_args_v6() will dereference ill if MATCH_IRE_ILL
+ * is set.
*/
- if (pire != NULL)
- *pire = NULL;
+ if ((flags & (MATCH_IRE_ILL)) && (ill == NULL))
+ return (NULL);
+
+ rw_enter(&ipst->ips_ip6_ire_head_lock, RW_READER);
+ ire = ire_ftable_lookup_impl_v6(addr, mask, gateway, type, ill, zoneid,
+ tsl, flags, ipst);
+ if (ire == NULL) {
+ rw_exit(&ipst->ips_ip6_ire_head_lock);
+ return (NULL);
+ }
+
/*
- * ire_match_args_v6() will dereference ipif MATCH_IRE_SRC or
- * MATCH_IRE_ILL is set.
+ * round-robin only if we have more than one route in the bucket.
+ * ips_ip_ecmp_behavior controls when we do ECMP
+ * 2: always
+ * 1: for IRE_DEFAULT and /0 IRE_INTERFACE
+ * 0: never
+ *
+ * Note: if we found an IRE_IF_CLONE we won't look at the bucket with
+ * other ECMP IRE_INTERFACEs since the IRE_IF_CLONE is a /128 match
+ * and the IRE_INTERFACESs are likely to be shorter matches.
*/
- if ((flags & (MATCH_IRE_SRC | MATCH_IRE_ILL)) && (ipif == NULL))
- return (NULL);
+ if (ire->ire_bucket->irb_ire_cnt > 1 && !(flags & MATCH_IRE_GW)) {
+ if (ipst->ips_ip_ecmp_behavior == 2 ||
+ (ipst->ips_ip_ecmp_behavior == 1 &&
+ IS_DEFAULT_ROUTE_V6(ire))) {
+ ire_t *next_ire;
+ ire_ftable_args_t margs;
+
+ (void) memset(&margs, 0, sizeof (margs));
+ margs.ift_addr_v6 = *addr;
+ if (mask != NULL)
+ margs.ift_mask_v6 = *mask;
+ if (gateway != NULL)
+ margs.ift_gateway_v6 = *gateway;
+ margs.ift_type = type;
+ margs.ift_ill = ill;
+ margs.ift_zoneid = zoneid;
+ margs.ift_tsl = tsl;
+ margs.ift_flags = flags;
+
+ next_ire = ire_round_robin(ire->ire_bucket, &margs,
+ xmit_hint, ire, ipst);
+ if (next_ire == NULL) {
+ /* keep ire if next_ire is null */
+ goto done;
+ }
+ ire_refrele(ire);
+ ire = next_ire;
+ }
+ }
+
+done:
+ /* Return generation before dropping lock */
+ if (generationp != NULL)
+ *generationp = ire->ire_generation;
+
+ rw_exit(&ipst->ips_ip6_ire_head_lock);
+
+ /*
+ * For shared-IP zones we need additional checks to what was
+ * done in ire_match_args to make sure IRE_LOCALs are handled.
+ *
+ * When ip_restrict_interzone_loopback is set, then
+ * we ensure that IRE_LOCAL are only used for loopback
+ * between zones when the logical "Ethernet" would
+ * have looped them back. That is, if in the absense of
+ * the IRE_LOCAL we would have sent to packet out the
+ * same ill.
+ */
+ if ((ire->ire_type & IRE_LOCAL) && zoneid != ALL_ZONES &&
+ ire->ire_zoneid != zoneid && ire->ire_zoneid != ALL_ZONES &&
+ ipst->ips_ip_restrict_interzone_loopback) {
+ ire = ire_alt_local(ire, zoneid, tsl, ill, generationp);
+ ASSERT(ire != NULL);
+ }
+
+ return (ire);
+}
+
+/*
+ * Look up a single ire. The caller holds either the read or write lock.
+ */
+ire_t *
+ire_ftable_lookup_impl_v6(const in6_addr_t *addr, const in6_addr_t *mask,
+ const in6_addr_t *gateway, int type, const ill_t *ill,
+ zoneid_t zoneid, const ts_label_t *tsl, int flags,
+ ip_stack_t *ipst)
+{
+ irb_t *irb_ptr;
+ ire_t *ire = NULL;
+ int i;
+
+ ASSERT(RW_LOCK_HELD(&ipst->ips_ip6_ire_head_lock));
/*
* If the mask is known, the lookup
@@ -1496,28 +1021,41 @@ ire_ftable_lookup_v6(const in6_addr_t *addr, const in6_addr_t *mask,
uint_t masklen;
masklen = ip_mask_to_plen_v6(mask);
- if (ipst->ips_ip_forwarding_table_v6[masklen] == NULL)
+ if (ipst->ips_ip_forwarding_table_v6[masklen] == NULL) {
return (NULL);
+ }
irb_ptr = &(ipst->ips_ip_forwarding_table_v6[masklen][
IRE_ADDR_MASK_HASH_V6(*addr, *mask,
ipst->ips_ip6_ftable_hash_size)]);
rw_enter(&irb_ptr->irb_lock, RW_READER);
for (ire = irb_ptr->irb_ire; ire != NULL;
ire = ire->ire_next) {
- if (ire->ire_marks & IRE_MARK_CONDEMNED)
+ if (IRE_IS_CONDEMNED(ire))
continue;
if (ire_match_args_v6(ire, addr, mask, gateway, type,
- ipif, zoneid, ihandle, tsl, flags))
+ ill, zoneid, tsl, flags))
goto found_ire;
}
rw_exit(&irb_ptr->irb_lock);
} else {
+ uint_t masklen;
+
/*
* In this case we don't know the mask, we need to
* search the table assuming different mask sizes.
- * we start with 128 bit mask, we don't allow default here.
*/
- for (i = (IP6_MASK_TABLE_SIZE - 1); i > 0; i--) {
+ if (flags & MATCH_IRE_SHORTERMASK) {
+ masklen = ip_mask_to_plen_v6(mask);
+ if (masklen == 0) {
+ /* Nothing shorter than zero */
+ return (NULL);
+ }
+ masklen--;
+ } else {
+ masklen = IP6_MASK_TABLE_SIZE - 1;
+ }
+
+ for (i = masklen; i >= 0; i--) {
in6_addr_t tmpmask;
if ((ipst->ips_ip_forwarding_table_v6[i]) == NULL)
@@ -1529,1334 +1067,415 @@ ire_ftable_lookup_v6(const in6_addr_t *addr, const in6_addr_t *mask,
rw_enter(&irb_ptr->irb_lock, RW_READER);
for (ire = irb_ptr->irb_ire; ire != NULL;
ire = ire->ire_next) {
- if (ire->ire_marks & IRE_MARK_CONDEMNED)
+ if (IRE_IS_CONDEMNED(ire))
continue;
if (ire_match_args_v6(ire, addr,
- &ire->ire_mask_v6, gateway, type, ipif,
- zoneid, ihandle, tsl, flags))
+ &ire->ire_mask_v6, gateway, type, ill,
+ zoneid, tsl, flags))
goto found_ire;
}
rw_exit(&irb_ptr->irb_lock);
}
}
-
- /*
- * We come here if no route has yet been found.
- *
- * Handle the case where default route is
- * requested by specifying type as one of the possible
- * types for that can have a zero mask (IRE_DEFAULT and IRE_INTERFACE).
- *
- * If MATCH_IRE_MASK is specified, then the appropriate default route
- * would have been found above if it exists so it isn't looked up here.
- * If MATCH_IRE_DEFAULT was also specified, then a default route will be
- * searched for later.
- */
- if ((flags & (MATCH_IRE_TYPE | MATCH_IRE_MASK)) == MATCH_IRE_TYPE &&
- (type & (IRE_DEFAULT | IRE_INTERFACE))) {
- if (ipst->ips_ip_forwarding_table_v6[0] != NULL) {
- /* addr & mask is zero for defaults */
- irb_ptr = &ipst->ips_ip_forwarding_table_v6[0][
- IRE_ADDR_HASH_V6(ipv6_all_zeros,
- ipst->ips_ip6_ftable_hash_size)];
- rw_enter(&irb_ptr->irb_lock, RW_READER);
- for (ire = irb_ptr->irb_ire; ire != NULL;
- ire = ire->ire_next) {
-
- if (ire->ire_marks & IRE_MARK_CONDEMNED)
- continue;
-
- if (ire_match_args_v6(ire, addr,
- &ipv6_all_zeros, gateway, type, ipif,
- zoneid, ihandle, tsl, flags))
- goto found_ire;
- }
- rw_exit(&irb_ptr->irb_lock);
- }
- }
- /*
- * We come here only if no route is found.
- * see if the default route can be used which is allowed
- * only if the default matching criteria is specified.
- * The ipv6_ire_default_count tracks the number of IRE_DEFAULT
- * entries. However, the ip_forwarding_table_v6[0] also contains
- * interface routes thus the count can be zero.
- */
- saved_ire = NULL;
- if ((flags & (MATCH_IRE_DEFAULT | MATCH_IRE_MASK)) ==
- MATCH_IRE_DEFAULT) {
- ire_t *ire_origin;
- uint_t g_index;
- uint_t index;
-
- if (ipst->ips_ip_forwarding_table_v6[0] == NULL)
- return (NULL);
- irb_ptr = &(ipst->ips_ip_forwarding_table_v6[0])[0];
-
- /*
- * Keep a tab on the bucket while looking the IRE_DEFAULT
- * entries. We need to keep track of a particular IRE
- * (ire_origin) so this ensures that it will not be unlinked
- * from the hash list during the recursive lookup below.
- */
- IRB_REFHOLD(irb_ptr);
- ire = irb_ptr->irb_ire;
- if (ire == NULL) {
- IRB_REFRELE(irb_ptr);
- return (NULL);
- }
-
- /*
- * Get the index first, since it can be changed by other
- * threads. Then get to the right default route skipping
- * default interface routes if any. As we hold a reference on
- * the IRE bucket, ipv6_ire_default_count can only increase so
- * we can't reach the end of the hash list unexpectedly.
- */
- if (ipst->ips_ipv6_ire_default_count != 0) {
- g_index = ipst->ips_ipv6_ire_default_index++;
- index = g_index % ipst->ips_ipv6_ire_default_count;
- while (index != 0) {
- if (!(ire->ire_type & IRE_INTERFACE))
- index--;
- ire = ire->ire_next;
- }
- ASSERT(ire != NULL);
- } else {
- /*
- * No default route, so we only have default interface
- * routes: don't enter the first loop.
- */
- ire = NULL;
- }
-
- /*
- * Round-robin the default routers list looking for a neighbor
- * that matches the passed in parameters and is reachable. If
- * none found, just return a route from the default router list
- * if it exists. If we can't find a default route (IRE_DEFAULT),
- * look for interface default routes.
- * We start with the ire we found above and we walk the hash
- * list until we're back where we started, see
- * ire_get_next_default_ire(). It doesn't matter if default
- * routes are added or deleted by other threads - we know this
- * ire will stay in the list because we hold a reference on the
- * ire bucket.
- * NB: if we only have interface default routes, ire is NULL so
- * we don't even enter this loop (see above).
- */
- ire_origin = ire;
- for (; ire != NULL;
- ire = ire_get_next_default_ire(ire, ire_origin)) {
-
- if (ire_match_args_v6(ire, addr,
- &ipv6_all_zeros, gateway, type, ipif,
- zoneid, ihandle, tsl, flags)) {
- int match_flags;
-
- /*
- * We have something to work with.
- * If we can find a resolved/reachable
- * entry, we will use this. Otherwise
- * we'll try to find an entry that has
- * a resolved cache entry. We will fallback
- * on this if we don't find anything else.
- */
- if (saved_ire == NULL)
- saved_ire = ire;
- mutex_enter(&ire->ire_lock);
- gw_addr_v6 = ire->ire_gateway_addr_v6;
- mutex_exit(&ire->ire_lock);
- match_flags = MATCH_IRE_ILL | MATCH_IRE_SECATTR;
- rire = ire_ctable_lookup_v6(&gw_addr_v6, NULL,
- 0, ire->ire_ipif, zoneid, tsl, match_flags,
- ipst);
- if (rire != NULL) {
- nce = rire->ire_nce;
- if (nce != NULL &&
- NCE_ISREACHABLE(nce) &&
- nce->nce_flags & NCE_F_ISROUTER) {
- ire_refrele(rire);
- IRE_REFHOLD(ire);
- IRB_REFRELE(irb_ptr);
- goto found_ire_held;
- } else if (nce != NULL &&
- !(nce->nce_flags &
- NCE_F_ISROUTER)) {
- /*
- * Make sure we don't use
- * this ire
- */
- if (saved_ire == ire)
- saved_ire = NULL;
- }
- ire_refrele(rire);
- } else if (ipst->
- ips_ipv6_ire_default_count > 1 &&
- zoneid != GLOBAL_ZONEID) {
- /*
- * When we're in a local zone, we're
- * only interested in default routers
- * that are reachable through ipifs
- * within our zone.
- * The potentially expensive call to
- * ire_route_lookup_v6() is avoided when
- * we have only one default route.
- */
- int ire_match_flags = MATCH_IRE_TYPE |
- MATCH_IRE_SECATTR;
-
- if (ire->ire_ipif != NULL) {
- ire_match_flags |=
- MATCH_IRE_ILL;
- }
- rire = ire_route_lookup_v6(&gw_addr_v6,
- NULL, NULL, IRE_INTERFACE,
- ire->ire_ipif, NULL,
- zoneid, tsl, ire_match_flags, ipst);
- if (rire != NULL) {
- ire_refrele(rire);
- saved_ire = ire;
- } else if (saved_ire == ire) {
- /*
- * Make sure we don't use
- * this ire
- */
- saved_ire = NULL;
- }
- }
- }
- }
- if (saved_ire != NULL) {
- ire = saved_ire;
- IRE_REFHOLD(ire);
- IRB_REFRELE(irb_ptr);
- goto found_ire_held;
- } else {
- /*
- * Look for a interface default route matching the
- * args passed in. No round robin here. Just pick
- * the right one.
- */
- for (ire = irb_ptr->irb_ire; ire != NULL;
- ire = ire->ire_next) {
-
- if (!(ire->ire_type & IRE_INTERFACE))
- continue;
-
- if (ire->ire_marks & IRE_MARK_CONDEMNED)
- continue;
-
- if (ire_match_args_v6(ire, addr,
- &ipv6_all_zeros, gateway, type, ipif,
- zoneid, ihandle, tsl, flags)) {
- IRE_REFHOLD(ire);
- IRB_REFRELE(irb_ptr);
- goto found_ire_held;
- }
- }
- IRB_REFRELE(irb_ptr);
- }
- }
ASSERT(ire == NULL);
ip1dbg(("ire_ftable_lookup_v6: returning NULL ire"));
return (NULL);
+
found_ire:
- ASSERT((ire->ire_marks & IRE_MARK_CONDEMNED) == 0);
- IRE_REFHOLD(ire);
+ ire_refhold(ire);
rw_exit(&irb_ptr->irb_lock);
-
-found_ire_held:
- if ((flags & MATCH_IRE_RJ_BHOLE) &&
- (ire->ire_flags & (RTF_BLACKHOLE | RTF_REJECT))) {
- return (ire);
- }
- /*
- * At this point, IRE that was found must be an IRE_FORWARDTABLE
- * or IRE_CACHETABLE type. If this is a recursive lookup and an
- * IRE_INTERFACE type was found, return that. If it was some other
- * IRE_FORWARDTABLE type of IRE (one of the prefix types), then it
- * is necessary to fill in the parent IRE pointed to by pire, and
- * then lookup the gateway address of the parent. For backwards
- * compatiblity, if this lookup returns an
- * IRE other than a IRE_CACHETABLE or IRE_INTERFACE, then one more level
- * of lookup is done.
- */
- if (flags & MATCH_IRE_RECURSIVE) {
- const ipif_t *gw_ipif;
- int match_flags = MATCH_IRE_DSTONLY;
-
- if (ire->ire_type & IRE_INTERFACE)
- return (ire);
- if (pire != NULL)
- *pire = ire;
- /*
- * If we can't find an IRE_INTERFACE or the caller has not
- * asked for pire, we need to REFRELE the saved_ire.
- */
- saved_ire = ire;
-
- if (ire->ire_ipif != NULL)
- match_flags |= MATCH_IRE_ILL;
-
- mutex_enter(&ire->ire_lock);
- gw_addr_v6 = ire->ire_gateway_addr_v6;
- mutex_exit(&ire->ire_lock);
-
- ire = ire_route_lookup_v6(&gw_addr_v6, NULL, NULL, 0,
- ire->ire_ipif, NULL, zoneid, tsl, match_flags, ipst);
- if (ire == NULL) {
- /*
- * In this case we have to deal with the
- * MATCH_IRE_PARENT flag, which means the
- * parent has to be returned if ire is NULL.
- * The aim of this is to have (at least) a starting
- * ire when we want to look at all of the ires in a
- * bucket aimed at a single destination (as is the
- * case in ip_newroute_v6 for the RTF_MULTIRT
- * flagged routes).
- */
- if (flags & MATCH_IRE_PARENT) {
- if (pire != NULL) {
- /*
- * Need an extra REFHOLD, if the
- * parent ire is returned via both
- * ire and pire.
- */
- IRE_REFHOLD(saved_ire);
- }
- ire = saved_ire;
- } else {
- ire_refrele(saved_ire);
- if (pire != NULL)
- *pire = NULL;
- }
- return (ire);
- }
- if (ire->ire_type & (IRE_CACHETABLE | IRE_INTERFACE)) {
- /*
- * If the caller did not ask for pire, release
- * it now.
- */
- if (pire == NULL) {
- ire_refrele(saved_ire);
- }
- return (ire);
- }
- match_flags |= MATCH_IRE_TYPE;
- mutex_enter(&ire->ire_lock);
- gw_addr_v6 = ire->ire_gateway_addr_v6;
- mutex_exit(&ire->ire_lock);
- gw_ipif = ire->ire_ipif;
- ire_refrele(ire);
- ire = ire_route_lookup_v6(&gw_addr_v6, NULL, NULL,
- (IRE_CACHETABLE | IRE_INTERFACE), gw_ipif, NULL, zoneid,
- NULL, match_flags, ipst);
- if (ire == NULL) {
- /*
- * In this case we have to deal with the
- * MATCH_IRE_PARENT flag, which means the
- * parent has to be returned if ire is NULL.
- * The aim of this is to have (at least) a starting
- * ire when we want to look at all of the ires in a
- * bucket aimed at a single destination (as is the
- * case in ip_newroute_v6 for the RTF_MULTIRT
- * flagged routes).
- */
- if (flags & MATCH_IRE_PARENT) {
- if (pire != NULL) {
- /*
- * Need an extra REFHOLD, if the
- * parent ire is returned via both
- * ire and pire.
- */
- IRE_REFHOLD(saved_ire);
- }
- ire = saved_ire;
- } else {
- ire_refrele(saved_ire);
- if (pire != NULL)
- *pire = NULL;
- }
- return (ire);
- } else if (pire == NULL) {
- /*
- * If the caller did not ask for pire, release
- * it now.
- */
- ire_refrele(saved_ire);
- }
- return (ire);
- }
-
- ASSERT(pire == NULL || *pire == NULL);
return (ire);
}
-/*
- * Delete the IRE cache for the gateway and all IRE caches whose
- * ire_gateway_addr_v6 points to this gateway, and allow them to
- * be created on demand by ip_newroute_v6.
- */
-void
-ire_clookup_delete_cache_gw_v6(const in6_addr_t *addr, zoneid_t zoneid,
- ip_stack_t *ipst)
-{
- irb_t *irb;
- ire_t *ire;
-
- irb = &ipst->ips_ip_cache_table_v6[IRE_ADDR_HASH_V6(*addr,
- ipst->ips_ip6_cache_table_size)];
- IRB_REFHOLD(irb);
- for (ire = irb->irb_ire; ire != NULL; ire = ire->ire_next) {
- if (ire->ire_marks & IRE_MARK_CONDEMNED)
- continue;
-
- ASSERT(IN6_ARE_ADDR_EQUAL(&ire->ire_mask_v6, &ipv6_all_ones));
- if (ire_match_args_v6(ire, addr, &ire->ire_mask_v6, 0,
- IRE_CACHE, NULL, zoneid, 0, NULL, MATCH_IRE_TYPE)) {
- ire_delete(ire);
- }
- }
- IRB_REFRELE(irb);
-
- ire_walk_v6(ire_delete_cache_gw_v6, (char *)addr, zoneid, ipst);
-}
-
-/*
- * Looks up cache table for a route.
- * specific lookup can be indicated by
- * passing the MATCH_* flags and the
- * necessary parameters.
- */
-ire_t *
-ire_ctable_lookup_v6(const in6_addr_t *addr, const in6_addr_t *gateway,
- int type, const ipif_t *ipif, zoneid_t zoneid, const ts_label_t *tsl,
- int flags, ip_stack_t *ipst)
-{
- ire_ctable_args_t margs;
-
- margs.ict_addr = (void *)addr;
- margs.ict_gateway = (void *)gateway;
- margs.ict_type = type;
- margs.ict_ipif = ipif;
- margs.ict_zoneid = zoneid;
- margs.ict_tsl = tsl;
- margs.ict_flags = flags;
- margs.ict_ipst = ipst;
- margs.ict_wq = NULL;
-
- return (ip6_ctable_lookup_impl(&margs));
-}
/*
- * Lookup cache.
+ * This function is called by
+ * ip_input/ire_route_recursive when doing a route lookup on only the
+ * destination address.
*
- * In general the zoneid has to match (where ALL_ZONES match all of them).
- * But for IRE_LOCAL we also need to handle the case where L2 should
- * conceptually loop back the packet. This is necessary since neither
- * Ethernet drivers nor Ethernet hardware loops back packets sent to their
- * own MAC address. This loopback is needed when the normal
- * routes (ignoring IREs with different zoneids) would send out the packet on
- * the same ill as the ill with which this IRE_LOCAL is associated.
+ * The optimizations of this function over ire_ftable_lookup are:
+ * o removing unnecessary flag matching
+ * o doing longest prefix match instead of overloading it further
+ * with the unnecessary "best_prefix_match"
*
- * Earlier versions of this code always matched an IRE_LOCAL independently of
- * the zoneid. We preserve that earlier behavior when
- * ip_restrict_interzone_loopback is turned off.
+ * If no route is found we return IRE_NOROUTE.
*/
ire_t *
-ire_cache_lookup_v6(const in6_addr_t *addr, zoneid_t zoneid,
- const ts_label_t *tsl, ip_stack_t *ipst)
-{
- irb_t *irb_ptr;
- ire_t *ire;
-
- irb_ptr = &ipst->ips_ip_cache_table_v6[IRE_ADDR_HASH_V6(*addr,
- ipst->ips_ip6_cache_table_size)];
- rw_enter(&irb_ptr->irb_lock, RW_READER);
- for (ire = irb_ptr->irb_ire; ire; ire = ire->ire_next) {
- if (ire->ire_marks & (IRE_MARK_CONDEMNED|IRE_MARK_TESTHIDDEN))
- continue;
- if (IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, addr)) {
- /*
- * Finally, check if the security policy has any
- * restriction on using this route for the specified
- * message.
- */
- if (tsl != NULL &&
- ire->ire_gw_secattr != NULL &&
- tsol_ire_match_gwattr(ire, tsl) != 0) {
- continue;
- }
-
- if (zoneid == ALL_ZONES || ire->ire_zoneid == zoneid ||
- ire->ire_zoneid == ALL_ZONES) {
- IRE_REFHOLD(ire);
- rw_exit(&irb_ptr->irb_lock);
- return (ire);
- }
-
- if (ire->ire_type == IRE_LOCAL) {
- if (ipst->ips_ip_restrict_interzone_loopback &&
- !ire_local_ok_across_zones(ire, zoneid,
- (void *)addr, tsl, ipst))
- continue;
-
- IRE_REFHOLD(ire);
- rw_exit(&irb_ptr->irb_lock);
- return (ire);
- }
- }
- }
- rw_exit(&irb_ptr->irb_lock);
- return (NULL);
-}
-
-/*
- * Locate the interface ire that is tied to the cache ire 'cire' via
- * cire->ire_ihandle.
- *
- * We are trying to create the cache ire for an onlink destn. or
- * gateway in 'cire'. We are called from ire_add_v6() in the IRE_IF_RESOLVER
- * case for xresolv interfaces, after the ire has come back from
- * an external resolver.
- */
-static ire_t *
-ire_ihandle_lookup_onlink_v6(ire_t *cire)
+ire_ftable_lookup_simple_v6(const in6_addr_t *addr, uint32_t xmit_hint,
+ ip_stack_t *ipst, uint_t *generationp)
{
ire_t *ire;
- int match_flags;
- int i;
- int j;
- irb_t *irb_ptr;
- ip_stack_t *ipst = cire->ire_ipst;
-
- ASSERT(cire != NULL);
- match_flags = MATCH_IRE_TYPE | MATCH_IRE_IHANDLE | MATCH_IRE_MASK;
- /*
- * We know that the mask of the interface ire equals cire->ire_cmask.
- * (When ip_newroute_v6() created 'cire' for an on-link destn.
- * it set its cmask from the interface ire's mask)
- */
- ire = ire_ftable_lookup_v6(&cire->ire_addr_v6, &cire->ire_cmask_v6,
- NULL, IRE_INTERFACE, NULL, NULL, ALL_ZONES, cire->ire_ihandle,
- NULL, match_flags, ipst);
- if (ire != NULL)
- return (ire);
- /*
- * If we didn't find an interface ire above, we can't declare failure.
- * For backwards compatibility, we need to support prefix routes
- * pointing to next hop gateways that are not on-link.
- *
- * In the resolver/noresolver case, ip_newroute_v6() thinks
- * it is creating the cache ire for an onlink destination in 'cire'.
- * But 'cire' is not actually onlink, because ire_ftable_lookup_v6()
- * cheated it, by doing ire_route_lookup_v6() twice and returning an
- * interface ire.
- *
- * Eg. default - gw1 (line 1)
- * gw1 - gw2 (line 2)
- * gw2 - hme0 (line 3)
- *
- * In the above example, ip_newroute_v6() tried to create the cache ire
- * 'cire' for gw1, based on the interface route in line 3. The
- * ire_ftable_lookup_v6() above fails, because there is
- * no interface route to reach gw1. (it is gw2). We fall thru below.
- *
- * Do a brute force search based on the ihandle in a subset of the
- * forwarding tables, corresponding to cire->ire_cmask_v6. Otherwise
- * things become very complex, since we don't have 'pire' in this
- * case. (Also note that this method is not possible in the offlink
- * case because we don't know the mask)
- */
- i = ip_mask_to_plen_v6(&cire->ire_cmask_v6);
- if ((ipst->ips_ip_forwarding_table_v6[i]) == NULL)
- return (NULL);
- for (j = 0; j < ipst->ips_ip6_ftable_hash_size; j++) {
- irb_ptr = &ipst->ips_ip_forwarding_table_v6[i][j];
- rw_enter(&irb_ptr->irb_lock, RW_READER);
- for (ire = irb_ptr->irb_ire; ire != NULL;
- ire = ire->ire_next) {
- if (ire->ire_marks & IRE_MARK_CONDEMNED)
- continue;
- if ((ire->ire_type & IRE_INTERFACE) &&
- (ire->ire_ihandle == cire->ire_ihandle)) {
- IRE_REFHOLD(ire);
- rw_exit(&irb_ptr->irb_lock);
- return (ire);
- }
- }
- rw_exit(&irb_ptr->irb_lock);
+ ire = ire_ftable_lookup_v6(addr, NULL, NULL, 0, NULL, ALL_ZONES, NULL,
+ MATCH_IRE_DSTONLY, xmit_hint, ipst, generationp);
+ if (ire == NULL) {
+ ire = ire_reject(ipst, B_TRUE);
+ if (generationp != NULL)
+ *generationp = IRE_GENERATION_VERIFY;
}
- return (NULL);
+ /* ftable_lookup did round robin */
+ return (ire);
}
-
-/*
- * Locate the interface ire that is tied to the cache ire 'cire' via
- * cire->ire_ihandle.
- *
- * We are trying to create the cache ire for an offlink destn based
- * on the cache ire of the gateway in 'cire'. 'pire' is the prefix ire
- * as found by ip_newroute_v6(). We are called from ip_newroute_v6() in
- * the IRE_CACHE case.
- */
ire_t *
-ire_ihandle_lookup_offlink_v6(ire_t *cire, ire_t *pire)
+ip_select_route_v6(const in6_addr_t *dst, ip_xmit_attr_t *ixa,
+ uint_t *generationp, in6_addr_t *setsrcp, int *errorp, boolean_t *multirtp)
{
- ire_t *ire;
- int match_flags;
- in6_addr_t gw_addr;
- ipif_t *gw_ipif;
- ip_stack_t *ipst = cire->ire_ipst;
-
- ASSERT(cire != NULL && pire != NULL);
+ ASSERT(!(ixa->ixa_flags & IXAF_IS_IPV4));
- match_flags = MATCH_IRE_TYPE | MATCH_IRE_IHANDLE | MATCH_IRE_MASK;
- if (pire->ire_ipif != NULL)
- match_flags |= MATCH_IRE_ILL;
- /*
- * We know that the mask of the interface ire equals cire->ire_cmask.
- * (When ip_newroute_v6() created 'cire' for an on-link destn. it set
- * its cmask from the interface ire's mask)
- */
- ire = ire_ftable_lookup_v6(&cire->ire_addr_v6, &cire->ire_cmask_v6, 0,
- IRE_INTERFACE, pire->ire_ipif, NULL, ALL_ZONES, cire->ire_ihandle,
- NULL, match_flags, ipst);
- if (ire != NULL)
- return (ire);
- /*
- * If we didn't find an interface ire above, we can't declare failure.
- * For backwards compatibility, we need to support prefix routes
- * pointing to next hop gateways that are not on-link.
- *
- * Assume we are trying to ping some offlink destn, and we have the
- * routing table below.
- *
- * Eg. default - gw1 <--- pire (line 1)
- * gw1 - gw2 (line 2)
- * gw2 - hme0 (line 3)
- *
- * If we already have a cache ire for gw1 in 'cire', the
- * ire_ftable_lookup_v6 above would have failed, since there is no
- * interface ire to reach gw1. We will fallthru below.
- *
- * Here we duplicate the steps that ire_ftable_lookup_v6() did in
- * getting 'cire' from 'pire', in the MATCH_IRE_RECURSIVE case.
- * The differences are the following
- * i. We want the interface ire only, so we call
- * ire_ftable_lookup_v6() instead of ire_route_lookup_v6()
- * ii. We look for only prefix routes in the 1st call below.
- * ii. We want to match on the ihandle in the 2nd call below.
- */
- match_flags = MATCH_IRE_TYPE;
- if (pire->ire_ipif != NULL)
- match_flags |= MATCH_IRE_ILL;
-
- mutex_enter(&pire->ire_lock);
- gw_addr = pire->ire_gateway_addr_v6;
- mutex_exit(&pire->ire_lock);
- ire = ire_ftable_lookup_v6(&gw_addr, 0, 0, IRE_OFFSUBNET,
- pire->ire_ipif, NULL, ALL_ZONES, 0, NULL, match_flags, ipst);
- if (ire == NULL)
- return (NULL);
- /*
- * At this point 'ire' corresponds to the entry shown in line 2.
- * gw_addr is 'gw2' in the example above.
- */
- mutex_enter(&ire->ire_lock);
- gw_addr = ire->ire_gateway_addr_v6;
- mutex_exit(&ire->ire_lock);
- gw_ipif = ire->ire_ipif;
- ire_refrele(ire);
-
- match_flags |= MATCH_IRE_IHANDLE;
- ire = ire_ftable_lookup_v6(&gw_addr, 0, 0, IRE_INTERFACE,
- gw_ipif, NULL, ALL_ZONES, cire->ire_ihandle,
- NULL, match_flags, ipst);
- return (ire);
+ return (ip_select_route(dst, ixa, generationp, setsrcp, errorp,
+ multirtp));
}
/*
- * Return the IRE_LOOPBACK, IRE_IF_RESOLVER or IRE_IF_NORESOLVER
- * ire associated with the specified ipif.
+ * Recursively look for a route to the destination. Can also match on
+ * the zoneid, ill, and label. Used for the data paths. See also
+ * ire_route_recursive_dstonly.
*
- * This might occasionally be called when IPIF_UP is not set since
- * the IPV6_MULTICAST_IF as well as creating interface routes
- * allows specifying a down ipif (ipif_lookup* match ipifs that are down).
+ * If ill is set this means we will match it by adding MATCH_IRE_ILL.
*
- * Note that if IPIF_NOLOCAL, IPIF_NOXMIT, or IPIF_DEPRECATED is set on
- * the ipif this routine might return NULL.
- * (Sometimes called as writer though not required by this function.)
+ * If allocate is not set then we will only inspect the existing IREs; never
+ * create an IRE_IF_CLONE. This is used on the receive side when we are not
+ * forwarding.
+ *
+ * Note that this function never returns NULL. It returns an IRE_NOROUTE
+ * instead.
+ *
+ * If we find any IRE_LOCAL|BROADCAST etc past the first iteration it
+ * is an error.
+ * Allow at most one RTF_INDIRECT.
*/
ire_t *
-ipif_to_ire_v6(const ipif_t *ipif)
+ire_route_recursive_impl_v6(ire_t *ire,
+ const in6_addr_t *nexthop, uint_t ire_type, const ill_t *ill_arg,
+ zoneid_t zoneid, const ts_label_t *tsl, uint_t match_args,
+ boolean_t allocate, uint32_t xmit_hint, ip_stack_t *ipst,
+ in6_addr_t *setsrcp, tsol_ire_gw_secattr_t **gwattrp, uint_t *generationp)
{
- ire_t *ire;
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
- uint_t match_flags = MATCH_IRE_TYPE | MATCH_IRE_IPIF;
+ int i, j;
+ in6_addr_t v6nexthop = *nexthop;
+ ire_t *ires[MAX_IRE_RECURSION];
+ uint_t generation;
+ uint_t generations[MAX_IRE_RECURSION];
+ boolean_t need_refrele = B_FALSE;
+ boolean_t invalidate = B_FALSE;
+ int prefs[MAX_IRE_RECURSION];
+ ill_t *ill = NULL;
+
+ if (setsrcp != NULL)
+ ASSERT(IN6_IS_ADDR_UNSPECIFIED(setsrcp));
+ if (gwattrp != NULL)
+ ASSERT(*gwattrp == NULL);
+
+ if (ill_arg != NULL)
+ match_args |= MATCH_IRE_ILL;
/*
- * IRE_INTERFACE entries for ills under IPMP are IRE_MARK_TESTHIDDEN
- * so that they aren't accidentally returned. However, if the
- * caller's ipif is on an ill under IPMP, there's no need to hide 'em.
+ * We iterate up to three times to resolve a route, even though
+ * we have four slots in the array. The extra slot is for an
+ * IRE_IF_CLONE we might need to create.
*/
- if (IS_UNDER_IPMP(ipif->ipif_ill))
- match_flags |= MATCH_IRE_MARK_TESTHIDDEN;
-
- ASSERT(ipif->ipif_isv6);
- if (ipif->ipif_ire_type == IRE_LOOPBACK) {
- ire = ire_ctable_lookup_v6(&ipif->ipif_v6lcl_addr, NULL,
- IRE_LOOPBACK, ipif, ALL_ZONES, NULL, match_flags, ipst);
- } else if (ipif->ipif_flags & IPIF_POINTOPOINT) {
- /* In this case we need to lookup destination address. */
- ire = ire_ftable_lookup_v6(&ipif->ipif_v6pp_dst_addr,
- &ipv6_all_ones, NULL, IRE_INTERFACE, ipif, NULL, ALL_ZONES,
- 0, NULL, (match_flags | MATCH_IRE_MASK), ipst);
- } else {
- ire = ire_ftable_lookup_v6(&ipif->ipif_v6subnet,
- &ipif->ipif_v6net_mask, NULL, IRE_INTERFACE, ipif, NULL,
- ALL_ZONES, 0, NULL, (match_flags | MATCH_IRE_MASK), ipst);
- }
- return (ire);
-}
-
-/*
- * Return B_TRUE if a multirt route is resolvable
- * (or if no route is resolved yet), B_FALSE otherwise.
- * This only works in the global zone.
- */
-boolean_t
-ire_multirt_need_resolve_v6(const in6_addr_t *v6dstp, const ts_label_t *tsl,
- ip_stack_t *ipst)
-{
- ire_t *first_fire;
- ire_t *first_cire;
- ire_t *fire;
- ire_t *cire;
- irb_t *firb;
- irb_t *cirb;
- int unres_cnt = 0;
- boolean_t resolvable = B_FALSE;
-
- /* Retrieve the first IRE_HOST that matches the destination */
- first_fire = ire_ftable_lookup_v6(v6dstp, &ipv6_all_ones, 0, IRE_HOST,
- NULL, NULL, ALL_ZONES, 0, tsl, MATCH_IRE_MASK | MATCH_IRE_TYPE |
- MATCH_IRE_SECATTR, ipst);
-
- /* No route at all */
- if (first_fire == NULL) {
- return (B_TRUE);
- }
-
- firb = first_fire->ire_bucket;
- ASSERT(firb);
-
- /* Retrieve the first IRE_CACHE ire for that destination. */
- first_cire = ire_cache_lookup_v6(v6dstp, GLOBAL_ZONEID, tsl, ipst);
-
- /* No resolved route. */
- if (first_cire == NULL) {
- ire_refrele(first_fire);
- return (B_TRUE);
- }
-
- /* At least one route is resolved. */
-
- cirb = first_cire->ire_bucket;
- ASSERT(cirb);
-
- /* Count the number of routes to that dest that are declared. */
- IRB_REFHOLD(firb);
- for (fire = first_fire; fire != NULL; fire = fire->ire_next) {
- if (!(fire->ire_flags & RTF_MULTIRT))
- continue;
- if (!IN6_ARE_ADDR_EQUAL(&fire->ire_addr_v6, v6dstp))
- continue;
- unres_cnt++;
- }
- IRB_REFRELE(firb);
-
-
- /* Then subtract the number of routes to that dst that are resolved */
- IRB_REFHOLD(cirb);
- for (cire = first_cire; cire != NULL; cire = cire->ire_next) {
- if (!(cire->ire_flags & RTF_MULTIRT))
- continue;
- if (!IN6_ARE_ADDR_EQUAL(&cire->ire_addr_v6, v6dstp))
- continue;
- if (cire->ire_marks & (IRE_MARK_CONDEMNED|IRE_MARK_TESTHIDDEN))
- continue;
- unres_cnt--;
- }
- IRB_REFRELE(cirb);
-
- /* At least one route is unresolved; search for a resolvable route. */
- if (unres_cnt > 0)
- resolvable = ire_multirt_lookup_v6(&first_cire, &first_fire,
- MULTIRT_USESTAMP|MULTIRT_CACHEGW, tsl, ipst);
-
- if (first_fire)
- ire_refrele(first_fire);
-
- if (first_cire)
- ire_refrele(first_cire);
-
- return (resolvable);
-}
-
-
-/*
- * Return B_TRUE and update *ire_arg and *fire_arg
- * if at least one resolvable route is found.
- * Return B_FALSE otherwise (all routes are resolved or
- * the remaining unresolved routes are all unresolvable).
- * This only works in the global zone.
- */
-boolean_t
-ire_multirt_lookup_v6(ire_t **ire_arg, ire_t **fire_arg, uint32_t flags,
- const ts_label_t *tsl, ip_stack_t *ipst)
-{
- clock_t delta;
- ire_t *best_fire = NULL;
- ire_t *best_cire = NULL;
- ire_t *first_fire;
- ire_t *first_cire;
- ire_t *fire;
- ire_t *cire;
- irb_t *firb = NULL;
- irb_t *cirb = NULL;
- ire_t *gw_ire;
- boolean_t already_resolved;
- boolean_t res;
- in6_addr_t v6dst;
- in6_addr_t v6gw;
-
- ip2dbg(("ire_multirt_lookup_v6: *ire_arg %p, *fire_arg %p, "
- "flags %04x\n", (void *)*ire_arg, (void *)*fire_arg, flags));
-
- ASSERT(ire_arg);
- ASSERT(fire_arg);
-
- /* Not an IRE_HOST ire; give up. */
- if ((*fire_arg == NULL) ||
- ((*fire_arg)->ire_type != IRE_HOST)) {
- return (B_FALSE);
- }
+ i = 0;
+ while (i < MAX_IRE_RECURSION - 1) {
+ /* ire_ftable_lookup handles round-robin/ECMP */
+ if (ire == NULL) {
+ ire = ire_ftable_lookup_v6(&v6nexthop, 0, 0, ire_type,
+ (ill_arg != NULL ? ill_arg : ill), zoneid, tsl,
+ match_args, xmit_hint, ipst, &generation);
+ } else {
+ /* Caller passed it; extra hold since we will rele */
+ ire_refhold(ire);
+ if (generationp != NULL)
+ generation = *generationp;
+ else
+ generation = IRE_GENERATION_VERIFY;
+ }
- /* This is the first IRE_HOST ire for that destination. */
- first_fire = *fire_arg;
- firb = first_fire->ire_bucket;
- ASSERT(firb);
+ if (ire == NULL)
+ ire = ire_reject(ipst, B_TRUE);
- mutex_enter(&first_fire->ire_lock);
- v6dst = first_fire->ire_addr_v6;
- mutex_exit(&first_fire->ire_lock);
+ /* Need to return the ire with RTF_REJECT|BLACKHOLE */
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))
+ goto error;
- ip2dbg(("ire_multirt_lookup_v6: dst %08x\n",
- ntohl(V4_PART_OF_V6(v6dst))));
+ ASSERT(!(ire->ire_type & IRE_MULTICAST)); /* Not in ftable */
- /*
- * Retrieve the first IRE_CACHE ire for that destination;
- * if we don't find one, no route for that dest is
- * resolved yet.
- */
- first_cire = ire_cache_lookup_v6(&v6dst, GLOBAL_ZONEID, tsl, ipst);
- if (first_cire) {
- cirb = first_cire->ire_bucket;
- }
-
- ip2dbg(("ire_multirt_lookup_v6: first_cire %p\n", (void *)first_cire));
+ prefs[i] = ire_pref(ire);
+ if (i != 0) {
+ /*
+ * Don't allow anything unusual past the first
+ * iteration.
+ */
+ if ((ire->ire_type &
+ (IRE_LOCAL|IRE_LOOPBACK|IRE_BROADCAST)) ||
+ prefs[i] <= prefs[i-1]) {
+ ire_refrele(ire);
+ ire = ire_reject(ipst, B_TRUE);
+ goto error;
+ }
+ }
+ /* We have a usable IRE */
+ ires[i] = ire;
+ generations[i] = generation;
+ i++;
+
+ /* The first RTF_SETSRC address is passed back if setsrcp */
+ if ((ire->ire_flags & RTF_SETSRC) &&
+ setsrcp != NULL && IN6_IS_ADDR_UNSPECIFIED(setsrcp)) {
+ ASSERT(!IN6_IS_ADDR_UNSPECIFIED(
+ &ire->ire_setsrc_addr_v6));
+ *setsrcp = ire->ire_setsrc_addr_v6;
+ }
- /*
- * Search for a resolvable route, giving the top priority
- * to routes that can be resolved without any call to the resolver.
- */
- IRB_REFHOLD(firb);
+ /* The first ire_gw_secattr is passed back if gwattrp */
+ if (ire->ire_gw_secattr != NULL &&
+ gwattrp != NULL && *gwattrp == NULL)
+ *gwattrp = ire->ire_gw_secattr;
- if (!IN6_IS_ADDR_MULTICAST(&v6dst)) {
/*
- * For all multiroute IRE_HOST ires for that destination,
- * check if the route via the IRE_HOST's gateway is
- * resolved yet.
+ * Check if we have a short-cut pointer to an IRE for this
+ * destination, and that the cached dependency isn't stale.
+ * In that case we've rejoined an existing tree towards a
+ * parent, thus we don't need to continue the loop to
+ * discover the rest of the tree.
*/
- for (fire = first_fire; fire != NULL; fire = fire->ire_next) {
-
- if (!(fire->ire_flags & RTF_MULTIRT))
- continue;
- if (!IN6_ARE_ADDR_EQUAL(&fire->ire_addr_v6, &v6dst))
- continue;
-
- if (fire->ire_gw_secattr != NULL &&
- tsol_ire_match_gwattr(fire, tsl) != 0) {
- continue;
- }
-
- mutex_enter(&fire->ire_lock);
- v6gw = fire->ire_gateway_addr_v6;
- mutex_exit(&fire->ire_lock);
-
- ip2dbg(("ire_multirt_lookup_v6: fire %p, "
- "ire_addr %08x, ire_gateway_addr %08x\n",
- (void *)fire,
- ntohl(V4_PART_OF_V6(fire->ire_addr_v6)),
- ntohl(V4_PART_OF_V6(v6gw))));
+ mutex_enter(&ire->ire_lock);
+ if (ire->ire_dep_parent != NULL &&
+ ire->ire_dep_parent->ire_generation ==
+ ire->ire_dep_parent_generation) {
+ mutex_exit(&ire->ire_lock);
+ ire = NULL;
+ goto done;
+ }
+ mutex_exit(&ire->ire_lock);
- already_resolved = B_FALSE;
+ /*
+ * If this type should have an ire_nce_cache (even if it
+ * doesn't yet have one) then we are done. Includes
+ * IRE_INTERFACE with a full 128 bit mask.
+ */
+ if (ire->ire_nce_capable) {
+ ire = NULL;
+ goto done;
+ }
- if (first_cire) {
- ASSERT(cirb);
+ ASSERT(!(ire->ire_type & IRE_IF_CLONE));
+ /*
+ * For an IRE_INTERFACE we create an IRE_IF_CLONE for this
+ * particular destination
+ */
+ if (ire->ire_type & IRE_INTERFACE) {
+ ire_t *clone;
- IRB_REFHOLD(cirb);
- /*
- * For all IRE_CACHE ires for that
- * destination.
- */
- for (cire = first_cire;
- cire != NULL;
- cire = cire->ire_next) {
-
- if (!(cire->ire_flags & RTF_MULTIRT))
- continue;
- if (!IN6_ARE_ADDR_EQUAL(
- &cire->ire_addr_v6, &v6dst))
- continue;
- if (cire->ire_marks &
- (IRE_MARK_CONDEMNED|
- IRE_MARK_TESTHIDDEN))
- continue;
-
- if (cire->ire_gw_secattr != NULL &&
- tsol_ire_match_gwattr(cire,
- tsl) != 0) {
- continue;
- }
-
- /*
- * Check if the IRE_CACHE's gateway
- * matches the IRE_HOST's gateway.
- */
- if (IN6_ARE_ADDR_EQUAL(
- &cire->ire_gateway_addr_v6,
- &v6gw)) {
- already_resolved = B_TRUE;
- break;
- }
- }
- IRB_REFRELE(cirb);
- }
+ ASSERT(ire->ire_masklen != IPV6_ABITS);
/*
- * This route is already resolved;
- * proceed with next one.
+ * In the case of ip_input and ILLF_FORWARDING not
+ * being set, and in the case of RTM_GET,
+ * there is no point in allocating
+ * an IRE_IF_CLONE. We return the IRE_INTERFACE.
+ * Note that !allocate can result in a ire_dep_parent
+ * which is IRE_IF_* without an IRE_IF_CLONE.
+ * We recover from that when we need to send packets
+ * by ensuring that the generations become
+ * IRE_GENERATION_VERIFY in this case.
*/
- if (already_resolved) {
- ip2dbg(("ire_multirt_lookup_v6: found cire %p, "
- "already resolved\n", (void *)cire));
- continue;
+ if (!allocate) {
+ invalidate = B_TRUE;
+ ire = NULL;
+ goto done;
}
- /*
- * The route is unresolved; is it actually
- * resolvable, i.e. is there a cache or a resolver
- * for the gateway?
- */
- gw_ire = ire_route_lookup_v6(&v6gw, 0, 0, 0, NULL, NULL,
- ALL_ZONES, tsl, MATCH_IRE_RECURSIVE |
- MATCH_IRE_SECATTR, ipst);
-
- ip2dbg(("ire_multirt_lookup_v6: looked up gw_ire %p\n",
- (void *)gw_ire));
-
- /*
- * This route can be resolved without any call to the
- * resolver; if the MULTIRT_CACHEGW flag is set,
- * give the top priority to this ire and exit the
- * loop.
- * This occurs when an resolver reply is processed
- * through ip_wput_nondata()
- */
- if ((flags & MULTIRT_CACHEGW) &&
- (gw_ire != NULL) &&
- (gw_ire->ire_type & IRE_CACHETABLE)) {
+ clone = ire_create_if_clone(ire, &v6nexthop,
+ &generation);
+ if (clone == NULL) {
/*
- * Release the resolver associated to the
- * previous candidate best ire, if any.
+ * Temporary failure - no memory.
+ * Don't want caller to cache IRE_NOROUTE.
*/
- if (best_cire) {
- ire_refrele(best_cire);
- ASSERT(best_fire);
- }
-
- best_fire = fire;
- best_cire = gw_ire;
-
- ip2dbg(("ire_multirt_lookup_v6: found top prio "
- "best_fire %p, best_cire %p\n",
- (void *)best_fire, (void *)best_cire));
- break;
+ invalidate = B_TRUE;
+ ire = ire_blackhole(ipst, B_TRUE);
+ goto error;
}
-
/*
- * Compute the time elapsed since our preceding
- * attempt to resolve that route.
- * If the MULTIRT_USESTAMP flag is set, we take that
- * route into account only if this time interval
- * exceeds ip_multirt_resolution_interval;
- * this prevents us from attempting to resolve a
- * broken route upon each sending of a packet.
+ * Make clone next to last entry and the
+ * IRE_INTERFACE the last in the dependency
+ * chain since the clone depends on the
+ * IRE_INTERFACE.
*/
- delta = lbolt - fire->ire_last_used_time;
- delta = TICK_TO_MSEC(delta);
-
- res = (boolean_t)
- ((delta > ipst->
- ips_ip_multirt_resolution_interval) ||
- (!(flags & MULTIRT_USESTAMP)));
+ ASSERT(i >= 1);
+ ASSERT(i < MAX_IRE_RECURSION);
- ip2dbg(("ire_multirt_lookup_v6: fire %p, delta %lu, "
- "res %d\n",
- (void *)fire, delta, res));
-
- if (res) {
- /*
- * A resolver exists for the gateway: save
- * the current IRE_HOST ire as a candidate
- * best ire. If we later discover that a
- * top priority ire exists (i.e. no need to
- * call the resolver), then this new ire
- * will be preferred to the current one.
- */
- if (gw_ire != NULL) {
- if (best_fire == NULL) {
- ASSERT(best_cire == NULL);
-
- best_fire = fire;
- best_cire = gw_ire;
-
- ip2dbg(("ire_multirt_lookup_v6:"
- "found candidate "
- "best_fire %p, "
- "best_cire %p\n",
- (void *)best_fire,
- (void *)best_cire));
-
- /*
- * If MULTIRT_CACHEGW is not
- * set, we ignore the top
- * priority ires that can
- * be resolved without any
- * call to the resolver;
- * In that case, there is
- * actually no need
- * to continue the loop.
- */
- if (!(flags &
- MULTIRT_CACHEGW)) {
- break;
- }
- continue;
- }
- } else {
- /*
- * No resolver for the gateway: the
- * route is not resolvable.
- * If the MULTIRT_SETSTAMP flag is
- * set, we stamp the IRE_HOST ire,
- * so we will not select it again
- * during this resolution interval.
- */
- if (flags & MULTIRT_SETSTAMP)
- fire->ire_last_used_time =
- lbolt;
- }
- }
+ ires[i] = ires[i-1];
+ generations[i] = generations[i-1];
+ ires[i-1] = clone;
+ generations[i-1] = generation;
+ i++;
- if (gw_ire != NULL)
- ire_refrele(gw_ire);
+ ire = NULL;
+ goto done;
}
- } else { /* IN6_IS_ADDR_MULTICAST(&v6dst) */
- for (fire = first_fire;
- fire != NULL;
- fire = fire->ire_next) {
-
- if (!(fire->ire_flags & RTF_MULTIRT))
- continue;
- if (!IN6_ARE_ADDR_EQUAL(&fire->ire_addr_v6, &v6dst))
- continue;
-
- if (fire->ire_gw_secattr != NULL &&
- tsol_ire_match_gwattr(fire, tsl) != 0) {
- continue;
- }
-
- already_resolved = B_FALSE;
-
- mutex_enter(&fire->ire_lock);
- v6gw = fire->ire_gateway_addr_v6;
- mutex_exit(&fire->ire_lock);
-
- gw_ire = ire_ftable_lookup_v6(&v6gw, 0, 0,
- IRE_INTERFACE, NULL, NULL, ALL_ZONES, 0, tsl,
- MATCH_IRE_RECURSIVE | MATCH_IRE_TYPE |
- MATCH_IRE_SECATTR, ipst);
-
- /* No resolver for the gateway; we skip this ire. */
- if (gw_ire == NULL) {
- continue;
- }
+ /*
+ * We only match on the type and optionally ILL when
+ * recursing. The type match is used by some callers
+ * to exclude certain types (such as IRE_IF_CLONE or
+ * IRE_LOCAL|IRE_LOOPBACK).
+ */
+ match_args &= MATCH_IRE_TYPE;
+ v6nexthop = ire->ire_gateway_addr_v6;
+ if (ill == NULL && ire->ire_ill != NULL) {
+ ill = ire->ire_ill;
+ need_refrele = B_TRUE;
+ ill_refhold(ill);
+ match_args |= MATCH_IRE_ILL;
+ }
- if (first_cire) {
+ ire = NULL;
+ }
+ ASSERT(ire == NULL);
+ ire = ire_reject(ipst, B_TRUE);
- IRB_REFHOLD(cirb);
- /*
- * For all IRE_CACHE ires for that
- * destination.
- */
- for (cire = first_cire;
- cire != NULL;
- cire = cire->ire_next) {
-
- if (!(cire->ire_flags & RTF_MULTIRT))
- continue;
- if (!IN6_ARE_ADDR_EQUAL(
- &cire->ire_addr_v6, &v6dst))
- continue;
- if (cire->ire_marks &
- IRE_MARK_CONDEMNED)
- continue;
-
- if (cire->ire_gw_secattr != NULL &&
- tsol_ire_match_gwattr(cire,
- tsl) != 0) {
- continue;
- }
-
- /*
- * Cache entries are linked to the
- * parent routes using the parent handle
- * (ire_phandle). If no cache entry has
- * the same handle as fire, fire is
- * still unresolved.
- */
- ASSERT(cire->ire_phandle != 0);
- if (cire->ire_phandle ==
- fire->ire_phandle) {
- already_resolved = B_TRUE;
- break;
- }
- }
- IRB_REFRELE(cirb);
- }
+error:
+ ASSERT(ire != NULL);
+ if (need_refrele)
+ ill_refrele(ill);
- /*
- * This route is already resolved; proceed with
- * next one.
- */
- if (already_resolved) {
- ire_refrele(gw_ire);
- continue;
- }
+ /*
+ * In the case of MULTIRT we want to try a different IRE the next
+ * time. We let the next packet retry in that case.
+ */
+ if (i > 0 && (ires[0]->ire_flags & RTF_MULTIRT))
+ (void) ire_no_good(ires[0]);
- /*
- * Compute the time elapsed since our preceding
- * attempt to resolve that route.
- * If the MULTIRT_USESTAMP flag is set, we take
- * that route into account only if this time
- * interval exceeds ip_multirt_resolution_interval;
- * this prevents us from attempting to resolve a
- * broken route upon each sending of a packet.
- */
- delta = lbolt - fire->ire_last_used_time;
- delta = TICK_TO_MSEC(delta);
-
- res = (boolean_t)
- ((delta > ipst->
- ips_ip_multirt_resolution_interval) ||
- (!(flags & MULTIRT_USESTAMP)));
-
- ip3dbg(("ire_multirt_lookup_v6: fire %p, delta %lx, "
- "flags %04x, res %d\n",
- (void *)fire, delta, flags, res));
-
- if (res) {
- if (best_cire) {
- /*
- * Release the resolver associated
- * to the preceding candidate best
- * ire, if any.
- */
- ire_refrele(best_cire);
- ASSERT(best_fire);
- }
- best_fire = fire;
- best_cire = gw_ire;
- continue;
- }
+cleanup:
+ /* cleanup ires[i] */
+ ire_dep_unbuild(ires, i);
+ for (j = 0; j < i; j++)
+ ire_refrele(ires[j]);
- ire_refrele(gw_ire);
- }
- }
+ ASSERT(ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE));
+ /*
+ * Use IRE_GENERATION_VERIFY to ensure that ip_output will redo the
+ * ip_select_route since the reject or lack of memory might be gone.
+ */
+ if (generationp != NULL)
+ *generationp = IRE_GENERATION_VERIFY;
+ return (ire);
- if (best_fire) {
- IRE_REFHOLD(best_fire);
+done:
+ ASSERT(ire == NULL);
+ if (need_refrele)
+ ill_refrele(ill);
+
+ /* Build dependencies */
+ if (!ire_dep_build(ires, generations, i)) {
+ /* Something in chain was condemned; tear it apart */
+ ire = ire_blackhole(ipst, B_TRUE);
+ goto cleanup;
}
- IRB_REFRELE(firb);
- /* Release the first IRE_CACHE we initially looked up, if any. */
- if (first_cire)
- ire_refrele(first_cire);
-
- /* Found a resolvable route. */
- if (best_fire) {
- ASSERT(best_cire);
-
- if (*fire_arg)
- ire_refrele(*fire_arg);
- if (*ire_arg)
- ire_refrele(*ire_arg);
+ /*
+ * Release all refholds except the one for ires[0] that we
+ * will return to the caller.
+ */
+ for (j = 1; j < i; j++)
+ ire_refrele(ires[j]);
+ if (invalidate) {
/*
- * Update the passed arguments with the
- * resolvable multirt route we found
+ * Since we needed to allocate but couldn't we need to make
+ * sure that the dependency chain is rebuilt the next time.
*/
- *fire_arg = best_fire;
- *ire_arg = best_cire;
-
- ip2dbg(("ire_multirt_lookup_v6: returning B_TRUE, "
- "*fire_arg %p, *ire_arg %p\n",
- (void *)best_fire, (void *)best_cire));
-
- return (B_TRUE);
+ ire_dep_invalidate_generations(ires[0]);
+ generation = IRE_GENERATION_VERIFY;
+ } else {
+ /*
+ * IREs can have been added or deleted while we did the
+ * recursive lookup and we can't catch those until we've built
+ * the dependencies. We verify the stored
+ * ire_dep_parent_generation to catch any such changes and
+ * return IRE_GENERATION_VERIFY (which will cause
+ * ip_select_route to be called again so we can redo the
+ * recursive lookup next time we send a packet.
+ */
+ generation = ire_dep_validate_generations(ires[0]);
+ if (generations[0] != ires[0]->ire_generation) {
+ /* Something changed at the top */
+ generation = IRE_GENERATION_VERIFY;
+ }
}
+ if (generationp != NULL)
+ *generationp = generation;
- ASSERT(best_cire == NULL);
-
- ip2dbg(("ire_multirt_lookup_v6: returning B_FALSE, *fire_arg %p, "
- "*ire_arg %p\n",
- (void *)*fire_arg, (void *)*ire_arg));
-
- /* No resolvable route. */
- return (B_FALSE);
+ return (ires[0]);
}
-
-/*
- * Find an IRE_OFFSUBNET IRE entry for the multicast address 'v6dstp'
- * that goes through 'ipif'. As a fallback, a route that goes through
- * ipif->ipif_ill can be returned.
- */
ire_t *
-ipif_lookup_multi_ire_v6(ipif_t *ipif, const in6_addr_t *v6dstp)
+ire_route_recursive_v6(const in6_addr_t *nexthop, uint_t ire_type,
+ const ill_t *ill, zoneid_t zoneid, const ts_label_t *tsl, uint_t match_args,
+ boolean_t allocate, uint32_t xmit_hint, ip_stack_t *ipst,
+ in6_addr_t *setsrcp, tsol_ire_gw_secattr_t **gwattrp, uint_t *generationp)
{
- ire_t *ire;
- ire_t *save_ire = NULL;
- ire_t *gw_ire;
- irb_t *irb;
- in6_addr_t v6gw;
- int match_flags = MATCH_IRE_TYPE | MATCH_IRE_ILL;
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
-
- ire = ire_ftable_lookup_v6(v6dstp, 0, 0, 0, NULL, NULL, ALL_ZONES, 0,
- NULL, MATCH_IRE_DEFAULT, ipst);
-
- if (ire == NULL)
- return (NULL);
-
- irb = ire->ire_bucket;
- ASSERT(irb);
-
- IRB_REFHOLD(irb);
- ire_refrele(ire);
- for (ire = irb->irb_ire; ire != NULL; ire = ire->ire_next) {
- if (!IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, v6dstp) ||
- (ipif->ipif_zoneid != ire->ire_zoneid &&
- ire->ire_zoneid != ALL_ZONES)) {
- continue;
- }
-
- switch (ire->ire_type) {
- case IRE_DEFAULT:
- case IRE_PREFIX:
- case IRE_HOST:
- mutex_enter(&ire->ire_lock);
- v6gw = ire->ire_gateway_addr_v6;
- mutex_exit(&ire->ire_lock);
- gw_ire = ire_ftable_lookup_v6(&v6gw, 0, 0,
- IRE_INTERFACE, ipif, NULL, ALL_ZONES, 0,
- NULL, match_flags, ipst);
-
- if (gw_ire != NULL) {
- if (save_ire != NULL) {
- ire_refrele(save_ire);
- }
- IRE_REFHOLD(ire);
- if (gw_ire->ire_ipif == ipif) {
- ire_refrele(gw_ire);
-
- IRB_REFRELE(irb);
- return (ire);
- }
- ire_refrele(gw_ire);
- save_ire = ire;
- }
- break;
- case IRE_IF_NORESOLVER:
- case IRE_IF_RESOLVER:
- if (ire->ire_ipif == ipif) {
- if (save_ire != NULL) {
- ire_refrele(save_ire);
- }
- IRE_REFHOLD(ire);
-
- IRB_REFRELE(irb);
- return (ire);
- }
- break;
- }
- }
- IRB_REFRELE(irb);
-
- return (save_ire);
+ return (ire_route_recursive_impl_v6(NULL, nexthop, ire_type, ill,
+ zoneid, tsl, match_args, allocate, xmit_hint, ipst, setsrcp,
+ gwattrp, generationp));
}
/*
- * This is the implementation of the IPv6 IRE cache lookup procedure.
- * Separating the interface from the implementation allows additional
- * flexibility when specifying search criteria.
+ * Recursively look for a route to the destination.
+ * We only handle a destination match here, yet we have the same arguments
+ * as the full match to allow function pointers to select between the two.
+ *
+ * Note that this function never returns NULL. It returns an IRE_NOROUTE
+ * instead.
+ *
+ * If we find any IRE_LOCAL|BROADCAST etc past the first iteration it
+ * is an error.
+ * Allow at most one RTF_INDIRECT.
*/
-static ire_t *
-ip6_ctable_lookup_impl(ire_ctable_args_t *margs)
+ire_t *
+ire_route_recursive_dstonly_v6(const in6_addr_t *nexthop, boolean_t allocate,
+ uint32_t xmit_hint, ip_stack_t *ipst)
{
- irb_t *irb_ptr;
- ire_t *ire;
- ip_stack_t *ipst = margs->ict_ipst;
+ ire_t *ire;
+ ire_t *ire1;
+ uint_t generation;
- if ((margs->ict_flags & (MATCH_IRE_SRC | MATCH_IRE_ILL)) &&
- (margs->ict_ipif == NULL)) {
- return (NULL);
- }
+ /* ire_ftable_lookup handles round-robin/ECMP */
+ ire = ire_ftable_lookup_simple_v6(nexthop, xmit_hint, ipst,
+ &generation);
+ ASSERT(ire != NULL);
- irb_ptr = &ipst->ips_ip_cache_table_v6[IRE_ADDR_HASH_V6(
- *((in6_addr_t *)(margs->ict_addr)),
- ipst->ips_ip6_cache_table_size)];
- rw_enter(&irb_ptr->irb_lock, RW_READER);
- for (ire = irb_ptr->irb_ire; ire != NULL; ire = ire->ire_next) {
- if (ire->ire_marks & IRE_MARK_CONDEMNED)
- continue;
- ASSERT(IN6_ARE_ADDR_EQUAL(&ire->ire_mask_v6, &ipv6_all_ones));
- if (ire_match_args_v6(ire, (in6_addr_t *)margs->ict_addr,
- &ire->ire_mask_v6, (in6_addr_t *)margs->ict_gateway,
- margs->ict_type, margs->ict_ipif, margs->ict_zoneid, 0,
- margs->ict_tsl, margs->ict_flags)) {
- IRE_REFHOLD(ire);
- rw_exit(&irb_ptr->irb_lock);
- return (ire);
- }
+ /*
+ * If this type should have an ire_nce_cache (even if it
+ * doesn't yet have one) then we are done. Includes
+ * IRE_INTERFACE with a full 128 bit mask.
+ */
+ if (ire->ire_nce_capable)
+ return (ire);
+
+ /*
+ * If the IRE has a current cached parent we know that the whole
+ * parent chain is current, hence we don't need to discover and
+ * build any dependencies by doing a recursive lookup.
+ */
+ mutex_enter(&ire->ire_lock);
+ if (ire->ire_dep_parent != NULL &&
+ ire->ire_dep_parent->ire_generation ==
+ ire->ire_dep_parent_generation) {
+ mutex_exit(&ire->ire_lock);
+ return (ire);
}
+ mutex_exit(&ire->ire_lock);
- rw_exit(&irb_ptr->irb_lock);
- return (NULL);
+ /*
+ * Fallback to loop in the normal code starting with the ire
+ * we found. Normally this would return the same ire.
+ */
+ ire1 = ire_route_recursive_impl_v6(ire, nexthop, 0, NULL, ALL_ZONES,
+ NULL, MATCH_IRE_DSTONLY, allocate, xmit_hint, ipst, NULL, NULL,
+ &generation);
+ ire_refrele(ire);
+ return (ire1);
}
diff --git a/usr/src/uts/common/inet/ip/ip6_output.c b/usr/src/uts/common/inet/ip/ip6_output.c
new file mode 100644
index 0000000000..3e06050781
--- /dev/null
+++ b/usr/src/uts/common/inet/ip/ip6_output.c
@@ -0,0 +1,1315 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+/* Copyright (c) 1990 Mentat Inc. */
+
+#include <sys/types.h>
+#include <sys/stream.h>
+#include <sys/strsubr.h>
+#include <sys/dlpi.h>
+#include <sys/strsun.h>
+#include <sys/zone.h>
+#include <sys/ddi.h>
+#include <sys/sunddi.h>
+#include <sys/cmn_err.h>
+#include <sys/debug.h>
+#include <sys/atomic.h>
+
+#include <sys/systm.h>
+#include <sys/param.h>
+#include <sys/kmem.h>
+#include <sys/sdt.h>
+#include <sys/socket.h>
+#include <sys/mac.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <net/route.h>
+#include <sys/sockio.h>
+#include <netinet/in.h>
+#include <net/if_dl.h>
+
+#include <inet/common.h>
+#include <inet/mi.h>
+#include <inet/mib2.h>
+#include <inet/nd.h>
+#include <inet/arp.h>
+#include <inet/snmpcom.h>
+#include <inet/kstatcom.h>
+
+#include <netinet/igmp_var.h>
+#include <netinet/ip6.h>
+#include <netinet/icmp6.h>
+#include <netinet/sctp.h>
+
+#include <inet/ip.h>
+#include <inet/ip_impl.h>
+#include <inet/ip6.h>
+#include <inet/ip6_asp.h>
+#include <inet/tcp.h>
+#include <inet/ip_multi.h>
+#include <inet/ip_if.h>
+#include <inet/ip_ire.h>
+#include <inet/ip_ftable.h>
+#include <inet/ip_rts.h>
+#include <inet/optcom.h>
+#include <inet/ip_ndp.h>
+#include <inet/ip_listutils.h>
+#include <netinet/igmp.h>
+#include <netinet/ip_mroute.h>
+#include <inet/ipp_common.h>
+
+#include <net/pfkeyv2.h>
+#include <inet/sadb.h>
+#include <inet/ipsec_impl.h>
+#include <inet/ipdrop.h>
+#include <inet/ip_netinfo.h>
+
+#include <sys/pattr.h>
+#include <inet/ipclassifier.h>
+#include <inet/sctp_ip.h>
+#include <inet/sctp/sctp_impl.h>
+#include <inet/udp_impl.h>
+#include <sys/sunddi.h>
+
+#include <sys/tsol/label.h>
+#include <sys/tsol/tnet.h>
+
+#ifdef DEBUG
+extern boolean_t skip_sctp_cksum;
+#endif
+
+int
+ip_output_simple_v6(mblk_t *mp, ip_xmit_attr_t *ixa)
+{
+ ip6_t *ip6h;
+ in6_addr_t firsthop; /* In IP header */
+ in6_addr_t dst; /* End of source route, or ip6_dst if none */
+ ire_t *ire;
+ in6_addr_t setsrc;
+ int error;
+ ill_t *ill = NULL;
+ dce_t *dce = NULL;
+ nce_t *nce;
+ iaflags_t ixaflags = ixa->ixa_flags;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ uint8_t *nexthdrp;
+ boolean_t repeat = B_FALSE;
+ boolean_t multirt = B_FALSE;
+ uint_t ifindex;
+
+ ip6h = (ip6_t *)mp->b_rptr;
+ ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
+
+ ASSERT(ixa->ixa_nce == NULL);
+
+ ixa->ixa_pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
+ ASSERT(ixa->ixa_pktlen == msgdsize(mp));
+ if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &ixa->ixa_ip_hdr_length,
+ &nexthdrp)) {
+ /* Malformed packet */
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", mp, NULL);
+ freemsg(mp);
+ return (EINVAL);
+ }
+ ixa->ixa_protocol = *nexthdrp;
+
+ /*
+ * Assumes that source routed packets have already been massaged by
+ * the ULP (ip_massage_options_v6) and as a result ip6_dst is the next
+ * hop in the source route. The final destination is used for IPsec
+ * policy and DCE lookup.
+ */
+ firsthop = ip6h->ip6_dst;
+ dst = ip_get_dst_v6(ip6h, mp, NULL);
+
+repeat_ire:
+ error = 0;
+ setsrc = ipv6_all_zeros;
+ ire = ip_select_route_v6(&firsthop, ixa, NULL, &setsrc, &error,
+ &multirt);
+ ASSERT(ire != NULL); /* IRE_NOROUTE if none found */
+ if (error != 0) {
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", mp, NULL);
+ freemsg(mp);
+ goto done;
+ }
+
+ if (ire->ire_flags & (RTF_BLACKHOLE|RTF_REJECT)) {
+ /* ire_ill might be NULL hence need to skip some code */
+ if (ixaflags & IXAF_SET_SOURCE)
+ ip6h->ip6_src = ipv6_loopback;
+ ixa->ixa_fragsize = IP_MAXPACKET;
+ ire->ire_ob_pkt_count++;
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
+ /* No dce yet; use default one */
+ error = (ire->ire_sendfn)(ire, mp, ip6h, ixa,
+ &ipst->ips_dce_default->dce_ident);
+ goto done;
+ }
+
+ /* Note that ip6_dst is only used for IRE_MULTICAST */
+ nce = ire_to_nce(ire, INADDR_ANY, &ip6h->ip6_dst);
+ if (nce == NULL) {
+ /* Allocation failure? */
+ ip_drop_output("ire_to_nce", mp, ill);
+ freemsg(mp);
+ error = ENOBUFS;
+ goto done;
+ }
+ if (nce->nce_is_condemned) {
+ nce_t *nce1;
+
+ nce1 = ire_handle_condemned_nce(nce, ire, NULL, ip6h, B_TRUE);
+ nce_refrele(nce);
+ if (nce1 == NULL) {
+ if (!repeat) {
+ /* Try finding a better IRE */
+ repeat = B_TRUE;
+ ire_refrele(ire);
+ goto repeat_ire;
+ }
+ /* Tried twice - drop packet */
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("No nce", mp, ill);
+ freemsg(mp);
+ error = ENOBUFS;
+ goto done;
+ }
+ nce = nce1;
+ }
+ /*
+ * For multicast with multirt we have a flag passed back from
+ * ire_lookup_multi_ill_v6 since we don't have an IRE for each
+ * possible multicast address.
+ * We also need a flag for multicast since we can't check
+ * whether RTF_MULTIRT is set in ixa_ire for multicast.
+ */
+ if (multirt) {
+ ixa->ixa_postfragfn = ip_postfrag_multirt_v6;
+ ixa->ixa_flags |= IXAF_MULTIRT_MULTICAST;
+ } else {
+ ixa->ixa_postfragfn = ire->ire_postfragfn;
+ ixa->ixa_flags &= ~IXAF_MULTIRT_MULTICAST;
+ }
+ ASSERT(ixa->ixa_nce == NULL);
+ ixa->ixa_nce = nce;
+
+ /*
+ * Check for a dce_t with a path mtu.
+ */
+ ifindex = 0;
+ if (IN6_IS_ADDR_LINKSCOPE(&dst))
+ ifindex = nce->nce_common->ncec_ill->ill_phyint->phyint_ifindex;
+
+ dce = dce_lookup_v6(&dst, ifindex, ipst, NULL);
+ ASSERT(dce != NULL);
+
+ if (!(ixaflags & IXAF_PMTU_DISCOVERY)) {
+ ixa->ixa_fragsize = IPV6_MIN_MTU;
+ } else if (dce->dce_flags & DCEF_PMTU) {
+ /*
+ * To avoid a periodic timer to increase the path MTU we
+ * look at dce_last_change_time each time we send a packet.
+ */
+ if (TICK_TO_SEC(lbolt64) - dce->dce_last_change_time >
+ ipst->ips_ip_pathmtu_interval) {
+ /*
+ * Older than 20 minutes. Drop the path MTU information.
+ */
+ mutex_enter(&dce->dce_lock);
+ dce->dce_flags &= ~(DCEF_PMTU|DCEF_TOO_SMALL_PMTU);
+ dce->dce_last_change_time = TICK_TO_SEC(lbolt64);
+ mutex_exit(&dce->dce_lock);
+ dce_increment_generation(dce);
+ ixa->ixa_fragsize = ip_get_base_mtu(nce->nce_ill, ire);
+ } else {
+ uint_t fragsize;
+
+ fragsize = ip_get_base_mtu(nce->nce_ill, ire);
+ if (fragsize > dce->dce_pmtu)
+ fragsize = dce->dce_pmtu;
+ ixa->ixa_fragsize = fragsize;
+ }
+ } else {
+ ixa->ixa_fragsize = ip_get_base_mtu(nce->nce_ill, ire);
+ }
+
+ /*
+ * We use use ire_nexthop_ill (and not ncec_ill) to avoid the under ipmp
+ * interface for source address selection.
+ */
+ ill = ire_nexthop_ill(ire);
+
+ if (ixaflags & IXAF_SET_SOURCE) {
+ in6_addr_t src;
+
+ /*
+ * We use the final destination to get
+ * correct selection for source routed packets
+ */
+
+ /* If unreachable we have no ill but need some source */
+ if (ill == NULL) {
+ src = ipv6_loopback;
+ error = 0;
+ } else {
+ error = ip_select_source_v6(ill, &setsrc, &dst,
+ ixa->ixa_zoneid, ipst, B_FALSE,
+ ixa->ixa_src_preferences, &src, NULL, NULL);
+ }
+ if (error != 0) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - no source",
+ mp, ill);
+ freemsg(mp);
+ goto done;
+ }
+ ip6h->ip6_src = src;
+ } else if (ixaflags & IXAF_VERIFY_SOURCE) {
+ /* Check if the IP source is assigned to the host. */
+ if (!ip_verify_src(mp, ixa, NULL)) {
+ /* Don't send a packet with a source that isn't ours */
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - invalid source",
+ mp, ill);
+ freemsg(mp);
+ error = EADDRNOTAVAIL;
+ goto done;
+ }
+ }
+
+ /*
+ * Check against global IPsec policy to set the AH/ESP attributes.
+ * IPsec will set IXAF_IPSEC_* and ixa_ipsec_* as appropriate.
+ */
+ if (!(ixaflags & (IXAF_NO_IPSEC|IXAF_IPSEC_SECURE))) {
+ ASSERT(ixa->ixa_ipsec_policy == NULL);
+ mp = ip_output_attach_policy(mp, NULL, ip6h, NULL, ixa);
+ if (mp == NULL) {
+ /* MIB and ip_drop_packet already done */
+ return (EHOSTUNREACH); /* IPsec policy failure */
+ }
+ }
+
+ if (ill != NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
+ } else {
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
+ }
+
+ /*
+ * We update the statistics on the most specific IRE i.e., the first
+ * one we found.
+ * We don't have an IRE when we fragment, hence ire_ob_pkt_count
+ * can only count the use prior to fragmentation. However the MIB
+ * counters on the ill will be incremented in post fragmentation.
+ */
+ ire->ire_ob_pkt_count++;
+
+ /*
+ * Based on ire_type and ire_flags call one of:
+ * ire_send_local_v6 - for IRE_LOCAL and IRE_LOOPBACK
+ * ire_send_multirt_v6 - if RTF_MULTIRT
+ * ire_send_noroute_v6 - if RTF_REJECT or RTF_BLACHOLE
+ * ire_send_multicast_v6 - for IRE_MULTICAST
+ * ire_send_wire_v6 - for the rest.
+ */
+ error = (ire->ire_sendfn)(ire, mp, ip6h, ixa, &dce->dce_ident);
+done:
+ ire_refrele(ire);
+ if (dce != NULL)
+ dce_refrele(dce);
+ if (ill != NULL)
+ ill_refrele(ill);
+ if (ixa->ixa_nce != NULL)
+ nce_refrele(ixa->ixa_nce);
+ ixa->ixa_nce = NULL;
+ return (error);
+}
+
+/*
+ * ire_sendfn() functions.
+ * These functions use the following xmit_attr:
+ * - ixa_fragsize - read to determine whether or not to fragment
+ * - IXAF_IPSEC_SECURE - to determine whether or not to invoke IPsec
+ * - ixa_ipsec_* are used inside IPsec
+ * - IXAF_LOOPBACK_COPY - for multicast
+ */
+
+
+/*
+ * ire_sendfn for IRE_LOCAL and IRE_LOOPBACK
+ *
+ * The checks for restrict_interzone_loopback are done in ire_route_recursive.
+ */
+/* ARGSUSED4 */
+int
+ire_send_local_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_xmit_attr_t *ixa, uint32_t *identp)
+{
+ ip6_t *ip6h = (ip6_t *)iph_arg;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ ill_t *ill = ire->ire_ill;
+ ip_recv_attr_t iras; /* NOTE: No bzero for performance */
+ uint_t pktlen = ixa->ixa_pktlen;
+
+ /*
+ * No fragmentation, no nce, and no application of IPsec.
+ *
+ *
+ * Note different order between IP provider and FW_HOOKS than in
+ * send_wire case.
+ */
+
+ /*
+ * DTrace this as ip:::send. A packet blocked by FW_HOOKS will fire the
+ * send probe, but not the receive probe.
+ */
+ DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
+ ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *, ip6h,
+ int, 1);
+
+ DTRACE_PROBE4(ip6__loopback__out__start,
+ ill_t *, NULL, ill_t *, ill,
+ ip6_t *, ip6h, mblk_t *, mp);
+
+ if (HOOKS6_INTERESTED_LOOPBACK_OUT(ipst)) {
+ int error;
+
+ FW_HOOKS(ipst->ips_ip6_loopback_out_event,
+ ipst->ips_ipv6firewall_loopback_out,
+ NULL, ill, ip6h, mp, mp, 0, ipst, error);
+
+ DTRACE_PROBE1(ip6__loopback__out__end, mblk_t *, mp);
+ if (mp == NULL)
+ return (error);
+
+ /*
+ * Even if the destination was changed by the filter we use the
+ * forwarding decision that was made based on the address
+ * in ip_output/ip_set_destination.
+ */
+ /* Length could be different */
+ ip6h = (ip6_t *)mp->b_rptr;
+ pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
+ }
+
+ /*
+ * If a callback is enabled then we need to know the
+ * source and destination zoneids for the packet. We already
+ * have those handy.
+ */
+ if (ipst->ips_ip6_observe.he_interested) {
+ zoneid_t szone, dzone;
+ zoneid_t stackzoneid;
+
+ stackzoneid = netstackid_to_zoneid(
+ ipst->ips_netstack->netstack_stackid);
+
+ if (stackzoneid == GLOBAL_ZONEID) {
+ /* Shared-IP zone */
+ dzone = ire->ire_zoneid;
+ szone = ixa->ixa_zoneid;
+ } else {
+ szone = dzone = stackzoneid;
+ }
+ ipobs_hook(mp, IPOBS_HOOK_LOCAL, szone, dzone, ill, ipst);
+ }
+
+ /* Handle lo0 stats */
+ ipst->ips_loopback_packets++;
+
+ /*
+ * Update output mib stats. Note that we can't move into the icmp
+ * sender (icmp_output etc) since they don't know the ill and the
+ * stats are per ill.
+ */
+ if (ixa->ixa_protocol == IPPROTO_ICMPV6) {
+ icmp6_t *icmp6;
+
+ icmp6 = (icmp6_t *)((uchar_t *)ip6h + ixa->ixa_ip_hdr_length);
+ icmp_update_out_mib_v6(ill, icmp6);
+ }
+
+ DTRACE_PROBE4(ip6__loopback__in__start,
+ ill_t *, ill, ill_t *, NULL,
+ ip6_t *, ip6h, mblk_t *, mp);
+
+ if (HOOKS6_INTERESTED_LOOPBACK_IN(ipst)) {
+ int error;
+
+ FW_HOOKS(ipst->ips_ip6_loopback_in_event,
+ ipst->ips_ipv6firewall_loopback_in,
+ ill, NULL, ip6h, mp, mp, 0, ipst, error);
+
+ DTRACE_PROBE1(ip6__loopback__in__end, mblk_t *, mp);
+ if (mp == NULL)
+ return (error);
+
+ /*
+ * Even if the destination was changed by the filter we use the
+ * forwarding decision that was made based on the address
+ * in ip_output/ip_set_destination.
+ */
+ /* Length could be different */
+ ip6h = (ip6_t *)mp->b_rptr;
+ pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
+ }
+
+ DTRACE_IP7(receive, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
+ ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *, ip6h,
+ int, 1);
+
+ /* Map ixa to ira including IPsec policies */
+ ipsec_out_to_in(ixa, ill, &iras);
+ iras.ira_pktlen = pktlen;
+
+ ire->ire_ib_pkt_count++;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInReceives);
+ UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInOctets, pktlen);
+
+ /* Destined to ire_zoneid - use that for fanout */
+ iras.ira_zoneid = ire->ire_zoneid;
+
+ if (is_system_labeled()) {
+ iras.ira_flags |= IRAF_SYSTEM_LABELED;
+
+ /*
+ * This updates ira_cred, ira_tsl and ira_free_flags based
+ * on the label. We don't expect this to ever fail for
+ * loopback packets, so we silently drop the packet should it
+ * fail.
+ */
+ if (!tsol_get_pkt_label(mp, IPV6_VERSION, &iras)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("tsol_get_pkt_label", mp, ill);
+ freemsg(mp);
+ return (0);
+ }
+ ASSERT(iras.ira_tsl != NULL);
+
+ /* tsol_get_pkt_label sometimes does pullupmsg */
+ ip6h = (ip6_t *)mp->b_rptr;
+ }
+
+ ip_fanout_v6(mp, ip6h, &iras);
+
+ /* We moved any IPsec refs from ixa to iras */
+ ira_cleanup(&iras, B_FALSE);
+ return (0);
+}
+
+static void
+multirt_check_v6(ire_t *ire, ip6_t *ip6h, ip_xmit_attr_t *ixa)
+{
+ ip_stack_t *ipst = ixa->ixa_ipst;
+
+ /* Limit the TTL on multirt packets. Do this even if IPV6_HOPLIMIT */
+ if (ire->ire_type & IRE_MULTICAST) {
+ if (ip6h->ip6_hops > 1) {
+ ip2dbg(("ire_send_multirt_v6: forcing multicast "
+ "multirt TTL to 1 (was %d)\n", ip6h->ip6_hops));
+ ip6h->ip6_hops = 1;
+ }
+ ixa->ixa_flags |= IXAF_NO_TTL_CHANGE;
+ } else if ((ipst->ips_ip_multirt_ttl > 0) &&
+ (ip6h->ip6_hops > ipst->ips_ip_multirt_ttl)) {
+ ip6h->ip6_hops = ipst->ips_ip_multirt_ttl;
+ /*
+ * Need to ensure we don't increase the ttl should we go through
+ * ire_send_multicast.
+ */
+ ixa->ixa_flags |= IXAF_NO_TTL_CHANGE;
+ }
+
+ /* For IPv6 this also needs to insert a fragment header */
+ ixa->ixa_flags |= IXAF_IPV6_ADD_FRAGHDR;
+}
+
+/*
+ * ire_sendfn for IRE_MULTICAST
+ *
+ * Note that we do path MTU discovery by default for IPv6 multicast. But
+ * since unconnected UDP and RAW sockets don't set IXAF_PMTU_DISCOVERY
+ * only connected sockets get this by default.
+ */
+int
+ire_send_multicast_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_xmit_attr_t *ixa, uint32_t *identp)
+{
+ ip6_t *ip6h = (ip6_t *)iph_arg;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ ill_t *ill = ire->ire_ill;
+ iaflags_t ixaflags = ixa->ixa_flags;
+
+ /*
+ * The IRE_MULTICAST is the same whether or not multirt is in use.
+ * Hence we need special-case code.
+ */
+ if (ixaflags & IXAF_MULTIRT_MULTICAST)
+ multirt_check_v6(ire, ip6h, ixa);
+
+ /*
+ * Check if anything in ip_input_v6 wants a copy of the transmitted
+ * packet (after IPsec and fragmentation)
+ *
+ * 1. Multicast routers always need a copy unless SO_DONTROUTE is set
+ * RSVP and the rsvp daemon is an example of a
+ * protocol and user level process that
+ * handles it's own routing. Hence, it uses the
+ * SO_DONTROUTE option to accomplish this.
+ * 2. If the sender has set IP_MULTICAST_LOOP, then we just
+ * check whether there are any receivers for the group on the ill
+ * (ignoring the zoneid).
+ * 3. If IP_MULTICAST_LOOP is not set, then we check if there are
+ * any members in other shared-IP zones.
+ * If such members exist, then we indicate that the sending zone
+ * shouldn't get a loopback copy to preserve the IP_MULTICAST_LOOP
+ * behavior.
+ *
+ * When we loopback we skip hardware checksum to make sure loopback
+ * copy is checksumed.
+ *
+ * Note that ire_ill is the upper in the case of IPMP.
+ */
+ ixa->ixa_flags &= ~(IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM);
+ if (ipst->ips_ip_g_mrouter && ill->ill_mrouter_cnt > 0 &&
+ !(ixaflags & IXAF_DONTROUTE)) {
+ ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
+ } else if (ixaflags & IXAF_MULTICAST_LOOP) {
+ /*
+ * If this zone or any other zone has members then loopback
+ * a copy.
+ */
+ if (ill_hasmembers_v6(ill, &ip6h->ip6_dst))
+ ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
+ } else if (ipst->ips_netstack->netstack_numzones > 1) {
+ /*
+ * This zone should not have a copy. But there are some other
+ * zones which might have members.
+ */
+ if (ill_hasmembers_otherzones_v6(ill, &ip6h->ip6_dst,
+ ixa->ixa_zoneid)) {
+ ixa->ixa_flags |= IXAF_NO_LOOP_ZONEID_SET;
+ ixa->ixa_no_loop_zoneid = ixa->ixa_zoneid;
+ ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
+ }
+ }
+
+ /*
+ * Unless IPV6_HOPLIMIT or ire_send_multirt_v6 already set a ttl,
+ * force the ttl to the IP_MULTICAST_TTL value
+ */
+ if (!(ixaflags & IXAF_NO_TTL_CHANGE)) {
+ ip6h->ip6_hops = ixa->ixa_multicast_ttl;
+ }
+
+ return (ire_send_wire_v6(ire, mp, ip6h, ixa, identp));
+}
+
+/*
+ * ire_sendfn for IREs with RTF_MULTIRT
+ */
+int
+ire_send_multirt_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_xmit_attr_t *ixa, uint32_t *identp)
+{
+ ip6_t *ip6h = (ip6_t *)iph_arg;
+
+ multirt_check_v6(ire, ip6h, ixa);
+
+ if (ire->ire_type & IRE_MULTICAST)
+ return (ire_send_multicast_v6(ire, mp, ip6h, ixa, identp));
+ else
+ return (ire_send_wire_v6(ire, mp, ip6h, ixa, identp));
+}
+
+/*
+ * ire_sendfn for IREs with RTF_REJECT/RTF_BLACKHOLE, including IRE_NOROUTE
+ */
+/* ARGSUSED4 */
+int
+ire_send_noroute_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_xmit_attr_t *ixa, uint32_t *identp)
+{
+ ip6_t *ip6h = (ip6_t *)iph_arg;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ ill_t *ill;
+ ip_recv_attr_t iras;
+ boolean_t dummy;
+
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutNoRoutes);
+
+ if (ire->ire_type & IRE_NOROUTE) {
+ /* A lack of a route as opposed to RTF_REJECT|BLACKHOLE */
+ ip_rts_change_v6(RTM_MISS, &ip6h->ip6_dst, 0, 0, 0, 0, 0, 0,
+ RTA_DST, ipst);
+ }
+
+ if (ire->ire_flags & RTF_BLACKHOLE) {
+ ip_drop_output("ipIfStatsOutNoRoutes RTF_BLACKHOLE", mp, NULL);
+ freemsg(mp);
+ /* No error even for local senders - silent blackhole */
+ return (0);
+ }
+ ip_drop_output("ipIfStatsOutNoRoutes RTF_REJECT", mp, NULL);
+
+ /*
+ * We need an ill_t for the ip_recv_attr_t even though this packet
+ * was never received and icmp_unreachable doesn't currently use
+ * ira_ill.
+ */
+ ill = ill_lookup_on_name("lo0", B_FALSE,
+ !(ixa->ixa_flags & IRAF_IS_IPV4), &dummy, ipst);
+ if (ill == NULL) {
+ freemsg(mp);
+ return (EHOSTUNREACH);
+ }
+
+ bzero(&iras, sizeof (iras));
+ /* Map ixa to ira including IPsec policies */
+ ipsec_out_to_in(ixa, ill, &iras);
+
+ icmp_unreachable_v6(mp, ICMP6_DST_UNREACH_NOROUTE, B_FALSE, &iras);
+ /* We moved any IPsec refs from ixa to iras */
+ ira_cleanup(&iras, B_FALSE);
+
+ ill_refrele(ill);
+ return (EHOSTUNREACH);
+}
+
+/*
+ * Calculate a checksum ignoring any hardware capabilities
+ *
+ * Returns B_FALSE if the packet was too short for the checksum. Caller
+ * should free and do stats.
+ */
+static boolean_t
+ip_output_sw_cksum_v6(mblk_t *mp, ip6_t *ip6h, ip_xmit_attr_t *ixa)
+{
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ uint_t pktlen = ixa->ixa_pktlen;
+ uint16_t *cksump;
+ uint32_t cksum;
+ uint8_t protocol = ixa->ixa_protocol;
+ uint16_t ip_hdr_length = ixa->ixa_ip_hdr_length;
+
+#define iphs ((uint16_t *)ip6h)
+
+ /* Just in case it contained garbage */
+ DB_CKSUMFLAGS(mp) &= ~HCK_FLAGS;
+
+ /*
+ * Calculate ULP checksum
+ */
+ if (protocol == IPPROTO_TCP) {
+ cksump = IPH_TCPH_CHECKSUMP(ip6h, ip_hdr_length);
+ cksum = IP_TCP_CSUM_COMP;
+ } else if (protocol == IPPROTO_UDP) {
+ cksump = IPH_UDPH_CHECKSUMP(ip6h, ip_hdr_length);
+ cksum = IP_UDP_CSUM_COMP;
+ } else if (protocol == IPPROTO_SCTP) {
+ sctp_hdr_t *sctph;
+
+ ASSERT(MBLKL(mp) >= (ip_hdr_length + sizeof (*sctph)));
+ sctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_length);
+ /*
+ * Zero out the checksum field to ensure proper
+ * checksum calculation.
+ */
+ sctph->sh_chksum = 0;
+#ifdef DEBUG
+ if (!skip_sctp_cksum)
+#endif
+ sctph->sh_chksum = sctp_cksum(mp, ip_hdr_length);
+ return (B_TRUE);
+ } else if (ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
+ /*
+ * icmp has placed length and routing
+ * header adjustment in the checksum field.
+ */
+ cksump = (uint16_t *)(((uint8_t *)ip6h) + ip_hdr_length +
+ ixa->ixa_raw_cksum_offset);
+ cksum = htons(protocol);
+ } else if (protocol == IPPROTO_ICMPV6) {
+ cksump = IPH_ICMPV6_CHECKSUMP(ip6h, ip_hdr_length);
+ cksum = IP_ICMPV6_CSUM_COMP; /* Pseudo-header cksum */
+ } else {
+ return (B_TRUE);
+ }
+
+ /* ULP puts the checksum field is in the first mblk */
+ ASSERT(((uchar_t *)cksump) + sizeof (uint16_t) <= mp->b_wptr);
+
+ /*
+ * We accumulate the pseudo header checksum in cksum.
+ * This is pretty hairy code, so watch close. One
+ * thing to keep in mind is that UDP and TCP have
+ * stored their respective datagram lengths in their
+ * checksum fields. This lines things up real nice.
+ */
+ cksum += iphs[4] + iphs[5] + iphs[6] + iphs[7] +
+ iphs[8] + iphs[9] + iphs[10] + iphs[11] +
+ iphs[12] + iphs[13] + iphs[14] + iphs[15] +
+ iphs[16] + iphs[17] + iphs[18] + iphs[19];
+ cksum = IP_CSUM(mp, ip_hdr_length, cksum);
+
+ /*
+ * For UDP/IPv6 a zero UDP checksum is not allowed.
+ * Change to 0xffff
+ */
+ if (protocol == IPPROTO_UDP && cksum == 0)
+ *cksump = ~cksum;
+ else
+ *cksump = cksum;
+
+ IP6_STAT(ipst, ip6_out_sw_cksum);
+ IP6_STAT_UPDATE(ipst, ip6_out_sw_cksum_bytes, pktlen);
+
+ /* No IP header checksum for IPv6 */
+
+ return (B_TRUE);
+#undef iphs
+}
+
+/* There are drivers that can't do partial checksum for ICMPv6 */
+int nxge_cksum_workaround = 1;
+
+/*
+ * Calculate the ULP checksum - try to use hardware.
+ * In the case of MULTIRT or multicast the
+ * IXAF_NO_HW_CKSUM is set in which case we use software.
+ *
+ * Returns B_FALSE if the packet was too short for the checksum. Caller
+ * should free and do stats.
+ */
+static boolean_t
+ip_output_cksum_v6(iaflags_t ixaflags, mblk_t *mp, ip6_t *ip6h,
+ ip_xmit_attr_t *ixa, ill_t *ill)
+{
+ uint_t pktlen = ixa->ixa_pktlen;
+ uint16_t *cksump;
+ uint16_t hck_flags;
+ uint32_t cksum;
+ uint8_t protocol = ixa->ixa_protocol;
+ uint16_t ip_hdr_length = ixa->ixa_ip_hdr_length;
+
+#define iphs ((uint16_t *)ip6h)
+
+ if ((ixaflags & IXAF_NO_HW_CKSUM) || !ILL_HCKSUM_CAPABLE(ill) ||
+ !dohwcksum) {
+ return (ip_output_sw_cksum_v6(mp, ip6h, ixa));
+ }
+
+ /*
+ * Calculate ULP checksum. Note that we don't use cksump and cksum
+ * if the ill has FULL support.
+ */
+ if (protocol == IPPROTO_TCP) {
+ cksump = IPH_TCPH_CHECKSUMP(ip6h, ip_hdr_length);
+ cksum = IP_TCP_CSUM_COMP; /* Pseudo-header cksum */
+ } else if (protocol == IPPROTO_UDP) {
+ cksump = IPH_UDPH_CHECKSUMP(ip6h, ip_hdr_length);
+ cksum = IP_UDP_CSUM_COMP; /* Pseudo-header cksum */
+ } else if (protocol == IPPROTO_SCTP) {
+ sctp_hdr_t *sctph;
+
+ ASSERT(MBLKL(mp) >= (ip_hdr_length + sizeof (*sctph)));
+ sctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_length);
+ /*
+ * Zero out the checksum field to ensure proper
+ * checksum calculation.
+ */
+ sctph->sh_chksum = 0;
+#ifdef DEBUG
+ if (!skip_sctp_cksum)
+#endif
+ sctph->sh_chksum = sctp_cksum(mp, ip_hdr_length);
+ goto ip_hdr_cksum;
+ } else if (ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
+ /*
+ * icmp has placed length and routing
+ * header adjustment in the checksum field.
+ */
+ cksump = (uint16_t *)(((uint8_t *)ip6h) + ip_hdr_length +
+ ixa->ixa_raw_cksum_offset);
+ cksum = htons(protocol);
+ } else if (protocol == IPPROTO_ICMPV6) {
+ cksump = IPH_ICMPV6_CHECKSUMP(ip6h, ip_hdr_length);
+ cksum = IP_ICMPV6_CSUM_COMP; /* Pseudo-header cksum */
+ } else {
+ ip_hdr_cksum:
+ /* No IP header checksum for IPv6 */
+ return (B_TRUE);
+ }
+
+ /* ULP puts the checksum field is in the first mblk */
+ ASSERT(((uchar_t *)cksump) + sizeof (uint16_t) <= mp->b_wptr);
+
+ /*
+ * Underlying interface supports hardware checksum offload for
+ * the payload; leave the payload checksum for the hardware to
+ * calculate. N.B: We only need to set up checksum info on the
+ * first mblk.
+ */
+ hck_flags = ill->ill_hcksum_capab->ill_hcksum_txflags;
+
+ DB_CKSUMFLAGS(mp) &= ~HCK_FLAGS;
+ if (hck_flags & HCKSUM_INET_FULL_V6) {
+ /*
+ * Hardware calculates pseudo-header, header and the
+ * payload checksums, so clear the checksum field in
+ * the protocol header.
+ */
+ *cksump = 0;
+ DB_CKSUMFLAGS(mp) |= HCK_FULLCKSUM;
+ return (B_TRUE);
+ }
+ if (((hck_flags) & HCKSUM_INET_PARTIAL) &&
+ (protocol != IPPROTO_ICMPV6 || !nxge_cksum_workaround)) {
+ /*
+ * Partial checksum offload has been enabled. Fill
+ * the checksum field in the protocol header with the
+ * pseudo-header checksum value.
+ *
+ * We accumulate the pseudo header checksum in cksum.
+ * This is pretty hairy code, so watch close. One
+ * thing to keep in mind is that UDP and TCP have
+ * stored their respective datagram lengths in their
+ * checksum fields. This lines things up real nice.
+ */
+ cksum += iphs[4] + iphs[5] + iphs[6] + iphs[7] +
+ iphs[8] + iphs[9] + iphs[10] + iphs[11] +
+ iphs[12] + iphs[13] + iphs[14] + iphs[15] +
+ iphs[16] + iphs[17] + iphs[18] + iphs[19];
+ cksum += *(cksump);
+ cksum = (cksum & 0xFFFF) + (cksum >> 16);
+ *(cksump) = (cksum & 0xFFFF) + (cksum >> 16);
+
+ /*
+ * Offsets are relative to beginning of IP header.
+ */
+ DB_CKSUMSTART(mp) = ip_hdr_length;
+ DB_CKSUMSTUFF(mp) = (uint8_t *)cksump - (uint8_t *)ip6h;
+ DB_CKSUMEND(mp) = pktlen;
+ DB_CKSUMFLAGS(mp) |= HCK_PARTIALCKSUM;
+ return (B_TRUE);
+ }
+ /* Hardware capabilities include neither full nor partial IPv6 */
+ return (ip_output_sw_cksum_v6(mp, ip6h, ixa));
+#undef iphs
+}
+
+/*
+ * ire_sendfn for offlink and onlink destinations.
+ * Also called from the multicast, and multirt send functions.
+ *
+ * Assumes that the caller has a hold on the ire.
+ *
+ * This function doesn't care if the IRE just became condemned since that
+ * can happen at any time.
+ */
+/* ARGSUSED */
+int
+ire_send_wire_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_xmit_attr_t *ixa, uint32_t *identp)
+{
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ ip6_t *ip6h = (ip6_t *)iph_arg;
+ iaflags_t ixaflags = ixa->ixa_flags;
+ ill_t *ill;
+ uint32_t pktlen = ixa->ixa_pktlen;
+
+ ASSERT(ixa->ixa_nce != NULL);
+ ill = ixa->ixa_nce->nce_ill;
+
+ /*
+ * Update output mib stats. Note that we can't move into the icmp
+ * sender (icmp_output etc) since they don't know the ill and the
+ * stats are per ill.
+ *
+ * With IPMP we record the stats on the upper ill.
+ */
+ if (ixa->ixa_protocol == IPPROTO_ICMPV6) {
+ icmp6_t *icmp6;
+
+ icmp6 = (icmp6_t *)((uchar_t *)ip6h + ixa->ixa_ip_hdr_length);
+ icmp_update_out_mib_v6(ixa->ixa_nce->nce_common->ncec_ill,
+ icmp6);
+ }
+
+ if (ixaflags & IXAF_DONTROUTE)
+ ip6h->ip6_hops = 1;
+
+ /*
+ * This might set b_band, thus the IPsec and fragmentation
+ * code in IP ensures that b_band is updated in the first mblk.
+ */
+ if (IPP_ENABLED(IPP_LOCAL_OUT, ipst)) {
+ /* ip_process translates an IS_UNDER_IPMP */
+ mp = ip_process(IPP_LOCAL_OUT, mp, ill, ill);
+ if (mp == NULL) {
+ /* ip_drop_packet and MIB done */
+ return (0); /* Might just be delayed */
+ }
+ }
+
+ /*
+ * To handle IPsec/iptun's labeling needs we need to tag packets
+ * while we still have ixa_tsl
+ */
+ if (is_system_labeled() && ixa->ixa_tsl != NULL &&
+ (ill->ill_mactype == DL_6TO4 || ill->ill_mactype == DL_IPV4 ||
+ ill->ill_mactype == DL_IPV6)) {
+ cred_t *newcr;
+
+ newcr = copycred_from_tslabel(ixa->ixa_cred, ixa->ixa_tsl,
+ KM_NOSLEEP);
+ if (newcr == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - newcr",
+ mp, ill);
+ freemsg(mp);
+ return (ENOBUFS);
+ }
+ mblk_setcred(mp, newcr, NOPID);
+ crfree(newcr); /* mblk_setcred did its own crhold */
+ }
+
+ /*
+ * IXAF_IPV6_ADD_FRAGHDR is set for CGTP so that we will add a
+ * fragment header without fragmenting. CGTP on the receiver will
+ * filter duplicates on the ident field.
+ */
+ if (pktlen > ixa->ixa_fragsize ||
+ (ixaflags & (IXAF_IPSEC_SECURE|IXAF_IPV6_ADD_FRAGHDR))) {
+ uint32_t ident;
+
+ if (ixaflags & IXAF_IPSEC_SECURE)
+ pktlen += ipsec_out_extra_length(ixa);
+
+ if (pktlen > IP_MAXPACKET)
+ return (EMSGSIZE);
+
+ if (ixaflags & IXAF_SET_ULP_CKSUM) {
+ /*
+ * Compute ULP checksum using software
+ */
+ if (!ip_output_sw_cksum_v6(mp, ip6h, ixa)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", mp, ill);
+ freemsg(mp);
+ return (EINVAL);
+ }
+ /* Avoid checksum again below if we only add fraghdr */
+ ixaflags &= ~IXAF_SET_ULP_CKSUM;
+ }
+
+ /*
+ * If we need a fragment header, pick the ident and insert
+ * the header before IPsec to we have a place to store
+ * the ident value.
+ */
+ if ((ixaflags & IXAF_IPV6_ADD_FRAGHDR) ||
+ pktlen > ixa->ixa_fragsize) {
+ /*
+ * If this packet would generate a icmp_frag_needed
+ * message, we need to handle it before we do the IPsec
+ * processing. Otherwise, we need to strip the IPsec
+ * headers before we send up the message to the ULPs
+ * which becomes messy and difficult.
+ */
+ if ((pktlen > ixa->ixa_fragsize) &&
+ (ixaflags & IXAF_DONTFRAG)) {
+ /* Generate ICMP and return error */
+ ip_recv_attr_t iras;
+
+ DTRACE_PROBE4(ip6__fragsize__fail,
+ uint_t, pktlen, uint_t, ixa->ixa_fragsize,
+ uint_t, ixa->ixa_pktlen,
+ uint_t, ixa->ixa_pmtu);
+
+ bzero(&iras, sizeof (iras));
+ /* Map ixa to ira including IPsec policies */
+ ipsec_out_to_in(ixa, ill, &iras);
+
+ ip_drop_output("ICMP6_PKT_TOO_BIG", mp, ill);
+ icmp_pkt2big_v6(mp, ixa->ixa_fragsize, B_TRUE,
+ &iras);
+ /* We moved any IPsec refs from ixa to iras */
+ ira_cleanup(&iras, B_FALSE);
+ return (EMSGSIZE);
+ }
+ DTRACE_PROBE4(ip6__fragsize__ok, uint_t, pktlen,
+ uint_t, ixa->ixa_fragsize, uint_t, ixa->ixa_pktlen,
+ uint_t, ixa->ixa_pmtu);
+ /*
+ * Assign an ident value for this packet. There could
+ * be other threads targeting the same destination, so
+ * we have to arrange for a atomic increment.
+ * Normally ixa_extra_ident is 0, but in the case of
+ * LSO it will be the number of TCP segments that the
+ * driver/hardware will extraly construct.
+ *
+ * Note that cl_inet_ipident has only been used for
+ * IPv4. We don't use it here.
+ */
+ ident = atomic_add_32_nv(identp, ixa->ixa_extra_ident +
+ 1);
+#ifndef _BIG_ENDIAN
+ ident = htonl(ident);
+#endif
+ ixa->ixa_ident = ident; /* In case we do IPsec */
+ }
+ if (ixaflags & IXAF_IPSEC_SECURE) {
+ /*
+ * Pass in sufficient information so that
+ * IPsec can determine whether to fragment, and
+ * which function to call after fragmentation.
+ */
+ return (ipsec_out_process(mp, ixa));
+ }
+
+ mp = ip_fraghdr_add_v6(mp, ident, ixa);
+ if (mp == NULL) {
+ /* MIB and ip_drop_output already done */
+ return (ENOMEM);
+ }
+ ASSERT(pktlen == ixa->ixa_pktlen);
+ pktlen += sizeof (ip6_frag_t);
+
+ if (pktlen > ixa->ixa_fragsize) {
+ return (ip_fragment_v6(mp, ixa->ixa_nce, ixaflags,
+ pktlen, ixa->ixa_fragsize,
+ ixa->ixa_xmit_hint, ixa->ixa_zoneid,
+ ixa->ixa_no_loop_zoneid, ixa->ixa_postfragfn,
+ &ixa->ixa_cookie));
+ }
+ }
+ if (ixaflags & IXAF_SET_ULP_CKSUM) {
+ /* Compute ULP checksum and IP header checksum */
+ /* An IS_UNDER_IPMP ill is ok here */
+ if (!ip_output_cksum_v6(ixaflags, mp, ip6h, ixa, ill)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", mp, ill);
+ freemsg(mp);
+ return (EINVAL);
+ }
+ }
+ return ((ixa->ixa_postfragfn)(mp, ixa->ixa_nce, ixaflags,
+ pktlen, ixa->ixa_xmit_hint, ixa->ixa_zoneid,
+ ixa->ixa_no_loop_zoneid, &ixa->ixa_cookie));
+}
+
+/*
+ * Post fragmentation function for RTF_MULTIRT routes.
+ * Since IRE_MULTICASTs might have RTF_MULTIRT, this function
+ * checks IXAF_LOOPBACK_COPY.
+ *
+ * If no packet is sent due to failures then we return an errno, but if at
+ * least one succeeded we return zero.
+ */
+int
+ip_postfrag_multirt_v6(mblk_t *mp, nce_t *nce, iaflags_t ixaflags,
+ uint_t pkt_len, uint32_t xmit_hint, zoneid_t szone, zoneid_t nolzid,
+ uintptr_t *ixacookie)
+{
+ irb_t *irb;
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+ ire_t *ire;
+ ire_t *ire1;
+ mblk_t *mp1;
+ nce_t *nce1;
+ ill_t *ill = nce->nce_ill;
+ ill_t *ill1;
+ ip_stack_t *ipst = ill->ill_ipst;
+ int error = 0;
+ int num_sent = 0;
+ int err;
+ uint_t ire_type;
+ in6_addr_t nexthop;
+
+ ASSERT(!(ixaflags & IXAF_IS_IPV4));
+
+ /* Check for IXAF_LOOPBACK_COPY */
+ if (ixaflags & IXAF_LOOPBACK_COPY) {
+ mblk_t *mp1;
+
+ mp1 = copymsg(mp);
+ if (mp1 == NULL) {
+ /* Failed to deliver the loopback copy. */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", mp, ill);
+ error = ENOBUFS;
+ } else {
+ ip_postfrag_loopback(mp1, nce, ixaflags, pkt_len,
+ nolzid);
+ }
+ }
+
+ /*
+ * Loop over RTF_MULTIRT for ip6_dst in the same bucket. Send
+ * a copy to each one.
+ * Use the nce (nexthop) and ip6_dst to find the ire.
+ *
+ * MULTIRT is not designed to work with shared-IP zones thus we don't
+ * need to pass a zoneid or a label to the IRE lookup.
+ */
+ if (IN6_ARE_ADDR_EQUAL(&nce->nce_addr, &ip6h->ip6_dst)) {
+ /* Broadcast and multicast case */
+ ire = ire_ftable_lookup_v6(&ip6h->ip6_dst, 0, 0, 0, NULL,
+ ALL_ZONES, NULL, MATCH_IRE_DSTONLY, 0, ipst, NULL);
+ } else {
+ /* Unicast case */
+ ire = ire_ftable_lookup_v6(&ip6h->ip6_dst, 0, &nce->nce_addr,
+ 0, NULL, ALL_ZONES, NULL, MATCH_IRE_GW, 0, ipst, NULL);
+ }
+
+ if (ire == NULL ||
+ (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
+ !(ire->ire_flags & RTF_MULTIRT)) {
+ /* Drop */
+ ip_drop_output("ip_postfrag_multirt didn't find route",
+ mp, nce->nce_ill);
+ if (ire != NULL)
+ ire_refrele(ire);
+ return (ENETUNREACH);
+ }
+
+ irb = ire->ire_bucket;
+ irb_refhold(irb);
+ for (ire1 = irb->irb_ire; ire1 != NULL; ire1 = ire1->ire_next) {
+ if (IRE_IS_CONDEMNED(ire1) ||
+ !(ire1->ire_flags & RTF_MULTIRT))
+ continue;
+
+ /* Note: When IPv6 uses radix tree we don't need this check */
+ if (!IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, &ire1->ire_addr_v6))
+ continue;
+
+ /* Do the ire argument one after the loop */
+ if (ire1 == ire)
+ continue;
+
+ ill1 = ire_nexthop_ill(ire1);
+ if (ill1 == NULL) {
+ /*
+ * This ire might not have been picked by
+ * ire_route_recursive, in which case ire_dep might
+ * not have been setup yet.
+ * We kick ire_route_recursive to try to resolve
+ * starting at ire1.
+ */
+ ire_t *ire2;
+
+ ire2 = ire_route_recursive_impl_v6(ire1,
+ &ire1->ire_addr_v6, ire1->ire_type, ire1->ire_ill,
+ ire1->ire_zoneid, NULL, MATCH_IRE_DSTONLY,
+ B_TRUE, 0, ipst, NULL, NULL, NULL);
+ if (ire2 != NULL)
+ ire_refrele(ire2);
+ ill1 = ire_nexthop_ill(ire1);
+ }
+ if (ill1 == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - no ill",
+ mp, ill);
+ error = ENETUNREACH;
+ continue;
+ }
+ /* Pick the addr and type to use for ndp_nce_init */
+ if (nce->nce_common->ncec_flags & NCE_F_MCAST) {
+ ire_type = IRE_MULTICAST;
+ nexthop = ip6h->ip6_dst;
+ } else {
+ ire_type = ire1->ire_type; /* Doesn't matter */
+ nexthop = ire1->ire_gateway_addr_v6;
+ }
+
+ /* If IPMP meta or under, then we just drop */
+ if (ill1->ill_grp != NULL) {
+ BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - IPMP",
+ mp, ill1);
+ ill_refrele(ill1);
+ error = ENETUNREACH;
+ continue;
+ }
+
+ nce1 = ndp_nce_init(ill1, &nexthop, ire_type);
+ if (nce1 == NULL) {
+ BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - no nce",
+ mp, ill1);
+ ill_refrele(ill1);
+ error = ENOBUFS;
+ continue;
+ }
+ mp1 = copymsg(mp);
+ if (mp1 == NULL) {
+ BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", mp, ill1);
+ nce_refrele(nce1);
+ ill_refrele(ill1);
+ error = ENOBUFS;
+ continue;
+ }
+ /* Preserve HW checksum for this copy */
+ DB_CKSUMSTART(mp1) = DB_CKSUMSTART(mp);
+ DB_CKSUMSTUFF(mp1) = DB_CKSUMSTUFF(mp);
+ DB_CKSUMEND(mp1) = DB_CKSUMEND(mp);
+ DB_CKSUMFLAGS(mp1) = DB_CKSUMFLAGS(mp);
+ DB_LSOMSS(mp1) = DB_LSOMSS(mp);
+
+ ire1->ire_ob_pkt_count++;
+ err = ip_xmit(mp1, nce1, ixaflags, pkt_len, xmit_hint, szone,
+ 0, ixacookie);
+ if (err == 0)
+ num_sent++;
+ else
+ error = err;
+ nce_refrele(nce1);
+ ill_refrele(ill1);
+ }
+ irb_refrele(irb);
+ ire_refrele(ire);
+ /* Finally, the main one */
+ err = ip_xmit(mp, nce, ixaflags, pkt_len, xmit_hint, szone, 0,
+ ixacookie);
+ if (err == 0)
+ num_sent++;
+ else
+ error = err;
+ if (num_sent > 0)
+ return (0);
+ else
+ return (error);
+}
diff --git a/usr/src/uts/common/inet/ip/ip6_rts.c b/usr/src/uts/common/inet/ip/ip6_rts.c
index dcf429c8ba..38b43cdf60 100644
--- a/usr/src/uts/common/inet/ip/ip6_rts.c
+++ b/usr/src/uts/common/inet/ip/ip6_rts.c
@@ -80,8 +80,8 @@ void
rts_fill_msg_v6(int type, int rtm_addrs, const in6_addr_t *dst,
const in6_addr_t *mask, const in6_addr_t *gateway,
const in6_addr_t *src_addr, const in6_addr_t *brd_addr,
- const in6_addr_t *author, const ipif_t *ipif, mblk_t *mp,
- uint_t sacnt, const tsol_gc_t *gc)
+ const in6_addr_t *author, const in6_addr_t *ifaddr, const ill_t *ill,
+ mblk_t *mp, const tsol_gc_t *gc)
{
rt_msghdr_t *rtm;
sin6_t *sin6;
@@ -90,7 +90,6 @@ rts_fill_msg_v6(int type, int rtm_addrs, const in6_addr_t *dst,
int i;
ASSERT(mp != NULL);
- ASSERT(sacnt == 0 || gc != NULL);
/*
* First find the type of the message
* and its length.
@@ -100,7 +99,7 @@ rts_fill_msg_v6(int type, int rtm_addrs, const in6_addr_t *dst,
* Now find the size of the data
* that follows the message header.
*/
- data_size = rts_data_msg_size(rtm_addrs, AF_INET6, sacnt);
+ data_size = rts_data_msg_size(rtm_addrs, AF_INET6, gc != NULL ? 1 : 0);
rtm = (rt_msghdr_t *)mp->b_rptr;
mp->b_wptr = &mp->b_rptr[header_size];
@@ -125,13 +124,17 @@ rts_fill_msg_v6(int type, int rtm_addrs, const in6_addr_t *dst,
cp += sizeof (sin6_t);
break;
case RTA_IFA:
+ sin6->sin6_addr = *ifaddr;
+ sin6->sin6_family = AF_INET6;
+ cp += sizeof (sin6_t);
+ break;
case RTA_SRC:
sin6->sin6_addr = *src_addr;
sin6->sin6_family = AF_INET6;
cp += sizeof (sin6_t);
break;
case RTA_IFP:
- cp += ill_dls_info((struct sockaddr_dl *)cp, ipif);
+ cp += ill_dls_info((struct sockaddr_dl *)cp, ill);
break;
case RTA_AUTHOR:
sin6->sin6_addr = *author;
@@ -154,24 +157,20 @@ rts_fill_msg_v6(int type, int rtm_addrs, const in6_addr_t *dst,
rtm_ext_t *rtm_ext;
struct rtsa_s *rp_dst;
tsol_rtsecattr_t *rsap;
- int i;
ASSERT(gc->gc_grp != NULL);
ASSERT(RW_LOCK_HELD(&gc->gc_grp->gcgrp_rwlock));
- ASSERT(sacnt > 0);
rtm_ext = (rtm_ext_t *)cp;
rtm_ext->rtmex_type = RTMEX_GATEWAY_SECATTR;
- rtm_ext->rtmex_len = TSOL_RTSECATTR_SIZE(sacnt);
+ rtm_ext->rtmex_len = TSOL_RTSECATTR_SIZE(1);
rsap = (tsol_rtsecattr_t *)(rtm_ext + 1);
- rsap->rtsa_cnt = sacnt;
+ rsap->rtsa_cnt = 1;
rp_dst = rsap->rtsa_attr;
- for (i = 0; i < sacnt; i++, gc = gc->gc_next, rp_dst++) {
- ASSERT(gc->gc_db != NULL);
- bcopy(&gc->gc_db->gcdb_attr, rp_dst, sizeof (*rp_dst));
- }
+ ASSERT(gc->gc_db != NULL);
+ bcopy(&gc->gc_db->gcdb_attr, rp_dst, sizeof (*rp_dst));
cp = (uchar_t *)rp_dst;
}
@@ -208,7 +207,7 @@ ip_rts_change_v6(int type, const in6_addr_t *dst_addr,
if (mp == NULL)
return;
rts_fill_msg_v6(type, rtm_addrs, dst_addr, net_mask, gw_addr, source,
- &ipv6_all_zeros, author, NULL, mp, 0, NULL);
+ &ipv6_all_zeros, &ipv6_all_zeros, author, NULL, mp, NULL);
rtm = (rt_msghdr_t *)mp->b_rptr;
rtm->rtm_flags = flags;
rtm->rtm_errno = error;
diff --git a/usr/src/uts/common/inet/ip/ip_arp.c b/usr/src/uts/common/inet/ip/ip_arp.c
new file mode 100644
index 0000000000..489d59dbf6
--- /dev/null
+++ b/usr/src/uts/common/inet/ip/ip_arp.c
@@ -0,0 +1,2468 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#include <inet/ip_arp.h>
+#include <inet/ip_ndp.h>
+#include <net/if_arp.h>
+#include <netinet/if_ether.h>
+#include <sys/strsubr.h>
+#include <inet/ip6.h>
+#include <inet/ip.h>
+#include <inet/ip_ire.h>
+#include <inet/ip_if.h>
+#include <sys/dlpi.h>
+#include <sys/sunddi.h>
+#include <sys/strsun.h>
+#include <sys/sdt.h>
+#include <inet/mi.h>
+#include <inet/arp.h>
+#include <inet/ipdrop.h>
+#include <sys/sockio.h>
+#include <inet/ip_impl.h>
+#include <sys/policy.h>
+
+#define ARL_LL_ADDR_OFFSET(arl) (((arl)->arl_sap_length) < 0 ? \
+ (sizeof (dl_unitdata_req_t)) : \
+ ((sizeof (dl_unitdata_req_t)) + (ABS((arl)->arl_sap_length))))
+
+/*
+ * MAC-specific intelligence. Shouldn't be needed, but the DL_INFO_ACK
+ * doesn't quite do it for us.
+ */
+typedef struct arp_m_s {
+ t_uscalar_t arp_mac_type;
+ uint32_t arp_mac_arp_hw_type;
+ t_scalar_t arp_mac_sap_length;
+ uint32_t arp_mac_hw_addr_length;
+} arp_m_t;
+
+static int arp_close(queue_t *, int);
+static void arp_rput(queue_t *, mblk_t *);
+static void arp_wput(queue_t *, mblk_t *);
+static arp_m_t *arp_m_lookup(t_uscalar_t mac_type);
+static void arp_notify(ipaddr_t, mblk_t *, uint32_t, ip_recv_attr_t *,
+ ncec_t *);
+static int arp_output(ill_t *, uint32_t, const uchar_t *, const uchar_t *,
+ const uchar_t *, const uchar_t *, uchar_t *);
+static int arp_modclose(arl_t *);
+static void arp_mod_close_tail(arl_t *);
+static mblk_t *arl_unbind(arl_t *);
+static void arp_process_packet(ill_t *, mblk_t *);
+static void arp_excl(ipsq_t *, queue_t *, mblk_t *, void *);
+static void arp_drop_packet(const char *str, mblk_t *, ill_t *);
+static int arp_open(queue_t *, dev_t *, int, int, cred_t *);
+static int ip_sioctl_ifunitsel_arp(queue_t *, int *);
+static int ip_sioctl_slifname_arp(queue_t *, void *);
+static void arp_dlpi_send(arl_t *, mblk_t *);
+static void arl_defaults_common(arl_t *, mblk_t *);
+static int arp_modopen(queue_t *, dev_t *, int, int, cred_t *);
+static void arp_ifname_notify(arl_t *);
+static void arp_rput_dlpi_writer(ipsq_t *, queue_t *, mblk_t *, void *);
+static arl_t *ill_to_arl(ill_t *);
+
+#define DL_PRIM(mp) (((union DL_primitives *)(mp)->b_rptr)->dl_primitive)
+#define IS_DLPI_DATA(mp) \
+ ((DB_TYPE(mp) == M_PROTO) && \
+ MBLKL(mp) >= sizeof (dl_unitdata_ind_t) && \
+ (DL_PRIM(mp) == DL_UNITDATA_IND))
+
+#define AR_NOTFOUND 1 /* No matching ace found in cache */
+#define AR_MERGED 2 /* Matching ace updated (RFC 826 Merge_flag) */
+#define AR_LOOPBACK 3 /* Our own arp packet was received */
+#define AR_BOGON 4 /* Another host has our IP addr. */
+#define AR_FAILED 5 /* Duplicate Address Detection has failed */
+#define AR_CHANGED 6 /* Address has changed; tell IP (and merged) */
+
+boolean_t arp_no_defense;
+
+struct module_info arp_mod_info = {
+ IP_MOD_ID, "arpip", 1, INFPSZ, 65536, 1024
+};
+static struct qinit rinit_arp = {
+ (pfi_t)arp_rput, NULL, arp_open, arp_close, NULL, &arp_mod_info
+};
+static struct qinit winit_arp = {
+ (pfi_t)arp_wput, NULL, arp_open, arp_close, NULL,
+ &arp_mod_info
+};
+struct streamtab arpinfo = {
+ &rinit_arp, &winit_arp
+};
+#define ARH_FIXED_LEN 8
+#define AR_LL_HDR_SLACK 32
+
+/*
+ * pfhooks for ARP.
+ */
+#define ARP_HOOK_IN(_hook, _event, _ilp, _hdr, _fm, _m, ipst) \
+ \
+ if ((_hook).he_interested) { \
+ hook_pkt_event_t info; \
+ \
+ info.hpe_protocol = ipst->ips_arp_net_data; \
+ info.hpe_ifp = _ilp; \
+ info.hpe_ofp = 0; \
+ info.hpe_hdr = _hdr; \
+ info.hpe_mp = &(_fm); \
+ info.hpe_mb = _m; \
+ if (hook_run(ipst->ips_arp_net_data->netd_hooks, \
+ _event, (hook_data_t)&info) != 0) { \
+ if (_fm != NULL) { \
+ freemsg(_fm); \
+ _fm = NULL; \
+ } \
+ _hdr = NULL; \
+ _m = NULL; \
+ } else { \
+ _hdr = info.hpe_hdr; \
+ _m = info.hpe_mb; \
+ } \
+ }
+
+#define ARP_HOOK_OUT(_hook, _event, _olp, _hdr, _fm, _m, ipst) \
+ \
+ if ((_hook).he_interested) { \
+ hook_pkt_event_t info; \
+ \
+ info.hpe_protocol = ipst->ips_arp_net_data; \
+ info.hpe_ifp = 0; \
+ info.hpe_ofp = _olp; \
+ info.hpe_hdr = _hdr; \
+ info.hpe_mp = &(_fm); \
+ info.hpe_mb = _m; \
+ if (hook_run(ipst->ips_arp_net_data->netd_hooks, \
+ _event, (hook_data_t)&info) != 0) { \
+ if (_fm != NULL) { \
+ freemsg(_fm); \
+ _fm = NULL; \
+ } \
+ _hdr = NULL; \
+ _m = NULL; \
+ } else { \
+ _hdr = info.hpe_hdr; \
+ _m = info.hpe_mb; \
+ } \
+ }
+
+static arp_m_t arp_m_tbl[] = {
+ { DL_CSMACD, ARPHRD_ETHER, -2, 6}, /* 802.3 */
+ { DL_TPB, ARPHRD_IEEE802, -2, 6}, /* 802.4 */
+ { DL_TPR, ARPHRD_IEEE802, -2, 6}, /* 802.5 */
+ { DL_METRO, ARPHRD_IEEE802, -2, 6}, /* 802.6 */
+ { DL_ETHER, ARPHRD_ETHER, -2, 6}, /* Ethernet */
+ { DL_FDDI, ARPHRD_ETHER, -2, 6}, /* FDDI */
+ { DL_IB, ARPHRD_IB, -2, 20}, /* Infiniband */
+ { DL_OTHER, ARPHRD_ETHER, -2, 6} /* unknown */
+};
+
+static void
+arl_refhold_locked(arl_t *arl)
+{
+ ASSERT(MUTEX_HELD(&arl->arl_lock));
+ arl->arl_refcnt++;
+ ASSERT(arl->arl_refcnt != 0);
+}
+
+static void
+arl_refrele(arl_t *arl)
+{
+ mutex_enter(&arl->arl_lock);
+ ASSERT(arl->arl_refcnt != 0);
+ arl->arl_refcnt--;
+ if (arl->arl_refcnt > 1) {
+ mutex_exit(&arl->arl_lock);
+ return;
+ }
+
+ /* ill_close or arp_unbind_complete may be waiting */
+ cv_broadcast(&arl->arl_cv);
+ mutex_exit(&arl->arl_lock);
+}
+
+/*
+ * wake up any pending ip ioctls.
+ */
+static void
+arp_cmd_done(ill_t *ill, int err, t_uscalar_t lastprim)
+{
+ if (lastprim == DL_UNBIND_REQ && ill->ill_replumbing)
+ arp_replumb_done(ill, 0);
+ else
+ arp_bringup_done(ill, err);
+}
+
+static int
+ip_nce_resolve_all(ill_t *ill, uchar_t *src_haddr, uint32_t hlen,
+ const in_addr_t *src_paddr, ncec_t **sncec, int op)
+{
+ int retv;
+ ncec_t *ncec;
+ boolean_t ll_changed;
+ uchar_t *lladdr = NULL;
+ int new_state;
+
+ ASSERT(ill != NULL);
+
+ ncec = ncec_lookup_illgrp_v4(ill, src_paddr);
+ *sncec = ncec;
+
+ if (ncec == NULL) {
+ retv = AR_NOTFOUND;
+ goto done;
+ }
+
+ mutex_enter(&ncec->ncec_lock);
+ /*
+ * IP addr and hardware address match what we already
+ * have, then this is a broadcast packet emitted by one of our
+ * interfaces, reflected by the switch and received on another
+ * interface. We return AR_LOOPBACK.
+ */
+ lladdr = ncec->ncec_lladdr;
+ if (NCE_MYADDR(ncec) && hlen == ncec->ncec_ill->ill_phys_addr_length &&
+ bcmp(lladdr, src_haddr, hlen) == 0) {
+ mutex_exit(&ncec->ncec_lock);
+ retv = AR_LOOPBACK;
+ goto done;
+ }
+ /*
+ * If the entry is unverified, then we've just verified that
+ * someone else already owns this address, because this is a
+ * message with the same protocol address but different
+ * hardware address.
+ */
+ if (ncec->ncec_flags & NCE_F_UNVERIFIED) {
+ mutex_exit(&ncec->ncec_lock);
+ ncec_delete(ncec);
+ ncec_refrele(ncec);
+ *sncec = NULL;
+ retv = AR_FAILED;
+ goto done;
+ }
+
+ /*
+ * If the IP address matches ours and we're authoritative for
+ * this entry, then some other node is using our IP addr, so
+ * return AR_BOGON. Also reset the transmit count to zero so
+ * that, if we're currently in initial announcement mode, we
+ * switch back to the lazier defense mode. Knowing that
+ * there's at least one duplicate out there, we ought not
+ * blindly announce.
+ *
+ * NCE_F_AUTHORITY is set in one of two ways:
+ * 1. /sbin/arp told us so, via the "permanent" flag.
+ * 2. This is one of my addresses.
+ */
+ if (ncec->ncec_flags & NCE_F_AUTHORITY) {
+ ncec->ncec_unsolicit_count = 0;
+ mutex_exit(&ncec->ncec_lock);
+ retv = AR_BOGON;
+ goto done;
+ }
+
+ /*
+ * No address conflict was detected, and we are getting
+ * ready to update the ncec's hwaddr. The nce MUST NOT be on an
+ * under interface, because all dynamic nce's are created on the
+ * native interface (in the non-IPMP case) or on the IPMP
+ * meta-interface (in the IPMP case)
+ */
+ ASSERT(!IS_UNDER_IPMP(ncec->ncec_ill));
+
+ /*
+ * update ncec with src_haddr, hlen.
+ *
+ * We are trying to resolve this ncec_addr/src_paddr and we
+ * got a REQUEST/RESPONSE from the ncec_addr/src_paddr.
+ * So the new_state is at least "STALE". If, in addition,
+ * this a solicited, unicast ARP_RESPONSE, we can transition
+ * to REACHABLE.
+ */
+ new_state = ND_STALE;
+ ip1dbg(("got info for ncec %p from addr %x\n",
+ (void *)ncec, *src_paddr));
+ retv = AR_MERGED;
+ if (ncec->ncec_state == ND_INCOMPLETE ||
+ ncec->ncec_state == ND_INITIAL) {
+ ll_changed = B_TRUE;
+ } else {
+ ll_changed = nce_cmp_ll_addr(ncec, src_haddr, hlen);
+ if (!ll_changed)
+ new_state = ND_UNCHANGED;
+ else
+ retv = AR_CHANGED;
+ }
+ /*
+ * We don't have the equivalent of the IPv6 'S' flag indicating
+ * a solicited response, so we assume that if we are in
+ * INCOMPLETE, or got back an unchanged lladdr in PROBE state,
+ * and this is an ARP_RESPONSE, it must be a
+ * solicited response allowing us to transtion to REACHABLE.
+ */
+ if (op == ARP_RESPONSE) {
+ switch (ncec->ncec_state) {
+ case ND_PROBE:
+ new_state = (ll_changed ? ND_STALE : ND_REACHABLE);
+ break;
+ case ND_INCOMPLETE:
+ new_state = ND_REACHABLE;
+ break;
+ }
+ }
+ /*
+ * Call nce_update() to refresh fastpath information on any
+ * dependent nce_t entries.
+ */
+ nce_update(ncec, new_state, (ll_changed ? src_haddr : NULL));
+ mutex_exit(&ncec->ncec_lock);
+ nce_resolv_ok(ncec);
+done:
+ return (retv);
+}
+
+/* Find an entry for a particular MAC type in the arp_m_tbl. */
+static arp_m_t *
+arp_m_lookup(t_uscalar_t mac_type)
+{
+ arp_m_t *arm;
+
+ for (arm = arp_m_tbl; arm < A_END(arp_m_tbl); arm++) {
+ if (arm->arp_mac_type == mac_type)
+ return (arm);
+ }
+ return (NULL);
+}
+
+static uint32_t
+arp_hw_type(t_uscalar_t mactype)
+{
+ arp_m_t *arm;
+
+ if ((arm = arp_m_lookup(mactype)) == NULL)
+ arm = arp_m_lookup(DL_OTHER);
+ return (arm->arp_mac_arp_hw_type);
+}
+
+/*
+ * Called when an DLPI control message has been acked; send down the next
+ * queued message (if any).
+ * The DLPI messages of interest being bind, attach and unbind since
+ * these are the only ones sent by ARP via arp_dlpi_send.
+ */
+static void
+arp_dlpi_done(arl_t *arl, ill_t *ill)
+{
+ mblk_t *mp;
+ int err;
+ t_uscalar_t prim;
+
+ mutex_enter(&arl->arl_lock);
+ prim = arl->arl_dlpi_pending;
+
+ if ((mp = arl->arl_dlpi_deferred) == NULL) {
+ arl->arl_dlpi_pending = DL_PRIM_INVAL;
+ if (arl->arl_state_flags & ARL_LL_DOWN)
+ err = ENETDOWN;
+ else
+ err = 0;
+ mutex_exit(&arl->arl_lock);
+
+ mutex_enter(&ill->ill_lock);
+ ill->ill_arl_dlpi_pending = 0;
+ mutex_exit(&ill->ill_lock);
+ arp_cmd_done(ill, err, prim);
+ return;
+ }
+
+ arl->arl_dlpi_deferred = mp->b_next;
+ mp->b_next = NULL;
+
+ ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO);
+
+ arl->arl_dlpi_pending = DL_PRIM(mp);
+ mutex_exit(&arl->arl_lock);
+
+ mutex_enter(&ill->ill_lock);
+ ill->ill_arl_dlpi_pending = 1;
+ mutex_exit(&ill->ill_lock);
+
+ putnext(arl->arl_wq, mp);
+}
+
+/*
+ * This routine is called during module initialization when the DL_INFO_ACK
+ * comes back from the device. We set up defaults for all the device dependent
+ * doo-dads we are going to need. This will leave us ready to roll if we are
+ * attempting auto-configuration. Alternatively, these defaults can be
+ * overridden by initialization procedures possessing higher intelligence.
+ *
+ * Caller will free the mp.
+ */
+static void
+arp_ll_set_defaults(arl_t *arl, mblk_t *mp)
+{
+ arp_m_t *arm;
+ dl_info_ack_t *dlia = (dl_info_ack_t *)mp->b_rptr;
+
+ if ((arm = arp_m_lookup(dlia->dl_mac_type)) == NULL)
+ arm = arp_m_lookup(DL_OTHER);
+ ASSERT(arm != NULL);
+
+ /*
+ * We initialize based on parameters in the (currently) not too
+ * exhaustive arp_m_tbl.
+ */
+ if (dlia->dl_version == DL_VERSION_2) {
+ arl->arl_sap_length = dlia->dl_sap_length;
+ arl->arl_phys_addr_length = dlia->dl_brdcst_addr_length;
+ if (dlia->dl_provider_style == DL_STYLE2)
+ arl->arl_needs_attach = 1;
+ } else {
+ arl->arl_sap_length = arm->arp_mac_sap_length;
+ arl->arl_phys_addr_length = arm->arp_mac_hw_addr_length;
+ }
+ /*
+ * Note: the arp_hw_type in the arp header may be derived from
+ * the ill_mac_type and arp_m_lookup().
+ */
+ arl->arl_sap = ETHERTYPE_ARP;
+ arl_defaults_common(arl, mp);
+}
+
+static void
+arp_wput(queue_t *q, mblk_t *mp)
+{
+ int err = EINVAL;
+ struct iocblk *ioc;
+ mblk_t *mp1;
+
+ switch (DB_TYPE(mp)) {
+ case M_IOCTL:
+ ASSERT(q->q_next != NULL);
+ ioc = (struct iocblk *)mp->b_rptr;
+ if (ioc->ioc_cmd != SIOCSLIFNAME &&
+ ioc->ioc_cmd != IF_UNITSEL) {
+ DTRACE_PROBE4(arl__dlpi, char *, "arp_wput",
+ char *, "<some ioctl>", char *, "-",
+ arl_t *, (arl_t *)q->q_ptr);
+ putnext(q, mp);
+ return;
+ }
+ if ((mp1 = mp->b_cont) == 0)
+ err = EINVAL;
+ else if (ioc->ioc_cmd == SIOCSLIFNAME)
+ err = ip_sioctl_slifname_arp(q, mp1->b_rptr);
+ else if (ioc->ioc_cmd == IF_UNITSEL)
+ err = ip_sioctl_ifunitsel_arp(q, (int *)mp1->b_rptr);
+ if (err == 0)
+ miocack(q, mp, 0, 0);
+ else
+ miocnak(q, mp, 0, err);
+ return;
+ default:
+ DTRACE_PROBE4(arl__dlpi, char *, "arp_wput default",
+ char *, "default mblk", char *, "-",
+ arl_t *, (arl_t *)q->q_ptr);
+ putnext(q, mp);
+ return;
+ }
+}
+
+/*
+ * similar to ill_dlpi_pending(): verify that the received DLPI response
+ * matches the one that is pending for the arl.
+ */
+static boolean_t
+arl_dlpi_pending(arl_t *arl, t_uscalar_t prim)
+{
+ t_uscalar_t pending;
+
+ mutex_enter(&arl->arl_lock);
+ if (arl->arl_dlpi_pending == prim) {
+ mutex_exit(&arl->arl_lock);
+ return (B_TRUE);
+ }
+
+ if (arl->arl_state_flags & ARL_CONDEMNED) {
+ mutex_exit(&arl->arl_lock);
+ return (B_FALSE);
+ }
+ pending = arl->arl_dlpi_pending;
+ mutex_exit(&arl->arl_lock);
+
+ if (pending == DL_PRIM_INVAL) {
+ ip0dbg(("arl_dlpi_pending unsolicited ack for %s on %s",
+ dl_primstr(prim), arl->arl_name));
+ } else {
+ ip0dbg(("arl_dlpi_pending ack for %s on %s expect %s",
+ dl_primstr(prim), arl->arl_name, dl_primstr(pending)));
+ }
+ return (B_FALSE);
+}
+
+/* DLPI messages, other than DL_UNITDATA_IND are handled here. */
+static void
+arp_rput_dlpi(queue_t *q, mblk_t *mp)
+{
+ arl_t *arl = (arl_t *)q->q_ptr;
+ union DL_primitives *dlp;
+ t_uscalar_t prim;
+ t_uscalar_t reqprim = DL_PRIM_INVAL;
+ ill_t *ill;
+
+ if ((mp->b_wptr - mp->b_rptr) < sizeof (dlp->dl_primitive)) {
+ putnext(q, mp);
+ return;
+ }
+ dlp = (union DL_primitives *)mp->b_rptr;
+ prim = dlp->dl_primitive;
+
+ /*
+ * If we received an ACK but didn't send a request for it, then it
+ * can't be part of any pending operation; discard up-front.
+ */
+ switch (prim) {
+ case DL_ERROR_ACK:
+ /*
+ * ce is confused about how DLPI works, so we have to interpret
+ * an "error" on DL_NOTIFY_ACK (which we never could have sent)
+ * as really meaning an error on DL_NOTIFY_REQ.
+ *
+ * Note that supporting DL_NOTIFY_REQ is optional, so printing
+ * out an error message on the console isn't warranted except
+ * for debug.
+ */
+ if (dlp->error_ack.dl_error_primitive == DL_NOTIFY_ACK ||
+ dlp->error_ack.dl_error_primitive == DL_NOTIFY_REQ) {
+ reqprim = DL_NOTIFY_REQ;
+ } else {
+ reqprim = dlp->error_ack.dl_error_primitive;
+ }
+ break;
+ case DL_INFO_ACK:
+ reqprim = DL_INFO_REQ;
+ break;
+ case DL_OK_ACK:
+ reqprim = dlp->ok_ack.dl_correct_primitive;
+ break;
+ case DL_BIND_ACK:
+ reqprim = DL_BIND_REQ;
+ break;
+ default:
+ DTRACE_PROBE2(rput_dl_badprim, arl_t *, arl,
+ union DL_primitives *, dlp);
+ putnext(q, mp);
+ return;
+ }
+ if (reqprim == DL_PRIM_INVAL || !arl_dlpi_pending(arl, reqprim)) {
+ freemsg(mp);
+ return;
+ }
+ DTRACE_PROBE4(arl__dlpi, char *, "arp_rput_dlpi received",
+ char *, dl_primstr(prim), char *, dl_primstr(reqprim),
+ arl_t *, arl);
+
+ ASSERT(prim != DL_NOTIFY_IND);
+
+ ill = arl_to_ill(arl);
+
+ switch (reqprim) {
+ case DL_INFO_REQ:
+ /*
+ * ill has not been set up yet for this case. This is the
+ * DL_INFO_ACK for the first DL_INFO_REQ sent from
+ * arp_modopen(). There should be no other arl_dlpi_deferred
+ * messages pending. We initialize the arl here.
+ */
+ ASSERT(!arl->arl_dlpi_style_set);
+ ASSERT(arl->arl_dlpi_pending == DL_INFO_REQ);
+ ASSERT(arl->arl_dlpi_deferred == NULL);
+ arl->arl_dlpi_pending = DL_PRIM_INVAL;
+ arp_ll_set_defaults(arl, mp);
+ freemsg(mp);
+ return;
+ case DL_UNBIND_REQ:
+ mutex_enter(&arl->arl_lock);
+ arl->arl_state_flags &= ~ARL_DL_UNBIND_IN_PROGRESS;
+ /*
+ * This is not an error, so we don't set ARL_LL_DOWN
+ */
+ arl->arl_state_flags &= ~ARL_LL_UP;
+ arl->arl_state_flags |= ARL_LL_UNBOUND;
+ if (arl->arl_state_flags & ARL_CONDEMNED) {
+ /*
+ * if this is part of the unplumb the arl may
+ * vaporize any moment after we cv_signal the
+ * arl_cv so we reset arl_dlpi_pending here.
+ * All other cases (including replumb) will
+ * have the arl_dlpi_pending reset in
+ * arp_dlpi_done.
+ */
+ arl->arl_dlpi_pending = DL_PRIM_INVAL;
+ }
+ cv_signal(&arl->arl_cv);
+ mutex_exit(&arl->arl_lock);
+ break;
+ }
+ if (ill != NULL) {
+ /*
+ * ill ref obtained by arl_to_ill() will be released
+ * by qwriter_ip()
+ */
+ qwriter_ip(ill, ill->ill_wq, mp, arp_rput_dlpi_writer,
+ CUR_OP, B_TRUE);
+ return;
+ }
+ freemsg(mp);
+}
+
+/*
+ * Handling of DLPI messages that require exclusive access to the ipsq.
+ */
+/* ARGSUSED */
+static void
+arp_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
+{
+ union DL_primitives *dlp = (union DL_primitives *)mp->b_rptr;
+ ill_t *ill = (ill_t *)q->q_ptr;
+ arl_t *arl = ill_to_arl(ill);
+
+ if (arl == NULL) {
+ /*
+ * happens as a result arp_modclose triggering unbind.
+ * arp_rput_dlpi will cv_signal the arl_cv and the modclose
+ * will complete, but when it does ipsq_exit, the waiting
+ * qwriter_ip gets into the ipsq but will find the arl null.
+ * There should be no deferred messages in this case, so
+ * just complete and exit.
+ */
+ arp_cmd_done(ill, 0, DL_UNBIND_REQ);
+ freemsg(mp);
+ return;
+ }
+ switch (dlp->dl_primitive) {
+ case DL_ERROR_ACK:
+ switch (dlp->error_ack.dl_error_primitive) {
+ case DL_UNBIND_REQ:
+ mutex_enter(&arl->arl_lock);
+ arl->arl_state_flags &= ~ARL_DL_UNBIND_IN_PROGRESS;
+ arl->arl_state_flags &= ~ARL_LL_UP;
+ arl->arl_state_flags |= ARL_LL_UNBOUND;
+ arl->arl_state_flags |= ARL_LL_DOWN;
+ cv_signal(&arl->arl_cv);
+ mutex_exit(&arl->arl_lock);
+ break;
+ case DL_BIND_REQ:
+ mutex_enter(&arl->arl_lock);
+ arl->arl_state_flags &= ~ARL_LL_UP;
+ arl->arl_state_flags |= ARL_LL_DOWN;
+ arl->arl_state_flags |= ARL_LL_UNBOUND;
+ cv_signal(&arl->arl_cv);
+ mutex_exit(&arl->arl_lock);
+ break;
+ case DL_ATTACH_REQ:
+ break;
+ default:
+ /* If it's anything else, we didn't send it. */
+ arl_refrele(arl);
+ putnext(q, mp);
+ return;
+ }
+ break;
+ case DL_OK_ACK:
+ DTRACE_PROBE4(arl__dlpi, char *, "arp_rput_dlpi_writer ok",
+ char *, dl_primstr(dlp->ok_ack.dl_correct_primitive),
+ char *, dl_primstr(dlp->ok_ack.dl_correct_primitive),
+ arl_t *, arl);
+ mutex_enter(&arl->arl_lock);
+ switch (dlp->ok_ack.dl_correct_primitive) {
+ case DL_UNBIND_REQ:
+ case DL_ATTACH_REQ:
+ break;
+ default:
+ ip0dbg(("Dropping unrecognized DL_OK_ACK for %s",
+ dl_primstr(dlp->ok_ack.dl_correct_primitive)));
+ mutex_exit(&arl->arl_lock);
+ arl_refrele(arl);
+ freemsg(mp);
+ return;
+ }
+ mutex_exit(&arl->arl_lock);
+ break;
+ case DL_BIND_ACK:
+ DTRACE_PROBE2(rput_dl_bind, arl_t *, arl,
+ dl_bind_ack_t *, &dlp->bind_ack);
+
+ mutex_enter(&arl->arl_lock);
+ ASSERT(arl->arl_state_flags & ARL_LL_BIND_PENDING);
+ arl->arl_state_flags &=
+ ~(ARL_LL_BIND_PENDING|ARL_LL_DOWN|ARL_LL_UNBOUND);
+ arl->arl_state_flags |= ARL_LL_UP;
+ mutex_exit(&arl->arl_lock);
+ break;
+ case DL_UDERROR_IND:
+ DTRACE_PROBE2(rput_dl_uderror, arl_t *, arl,
+ dl_uderror_ind_t *, &dlp->uderror_ind);
+ arl_refrele(arl);
+ putnext(q, mp);
+ return;
+ default:
+ DTRACE_PROBE2(rput_dl_badprim, arl_t *, arl,
+ union DL_primitives *, dlp);
+ arl_refrele(arl);
+ putnext(q, mp);
+ return;
+ }
+ arp_dlpi_done(arl, ill);
+ arl_refrele(arl);
+ freemsg(mp);
+}
+
+void
+arp_rput(queue_t *q, mblk_t *mp)
+{
+ arl_t *arl = q->q_ptr;
+ boolean_t need_refrele = B_FALSE;
+
+ mutex_enter(&arl->arl_lock);
+ if (((arl->arl_state_flags &
+ (ARL_CONDEMNED | ARL_LL_REPLUMBING)) != 0)) {
+ /*
+ * Only allow high priority DLPI messages during unplumb or
+ * replumb, and we don't take an arl_refcnt for that case.
+ */
+ if (DB_TYPE(mp) != M_PCPROTO) {
+ mutex_exit(&arl->arl_lock);
+ freemsg(mp);
+ return;
+ }
+ } else {
+ arl_refhold_locked(arl);
+ need_refrele = B_TRUE;
+ }
+ mutex_exit(&arl->arl_lock);
+
+ switch (DB_TYPE(mp)) {
+ case M_PCPROTO:
+ case M_PROTO: {
+ ill_t *ill;
+
+ /*
+ * could be one of
+ * (i) real message from the wire, (DLPI_DATA)
+ * (ii) DLPI message
+ * Take a ref on the ill associated with this arl to
+ * prevent the ill from being unplumbed until this thread
+ * is done.
+ */
+ if (IS_DLPI_DATA(mp)) {
+ ill = arl_to_ill(arl);
+ if (ill == NULL) {
+ arp_drop_packet("No ill", mp, ill);
+ break;
+ }
+ arp_process_packet(ill, mp);
+ ill_refrele(ill);
+ break;
+ }
+ /* Miscellaneous DLPI messages get shuffled off. */
+ arp_rput_dlpi(q, mp);
+ break;
+ }
+ case M_ERROR:
+ case M_HANGUP:
+ if (mp->b_rptr < mp->b_wptr)
+ arl->arl_error = (int)(*mp->b_rptr & 0xFF);
+ if (arl->arl_error == 0)
+ arl->arl_error = ENXIO;
+ freemsg(mp);
+ break;
+ default:
+ ip1dbg(("arp_rput other db type %x\n", DB_TYPE(mp)));
+ putnext(q, mp);
+ break;
+ }
+ if (need_refrele)
+ arl_refrele(arl);
+}
+
+static void
+arp_process_packet(ill_t *ill, mblk_t *mp)
+{
+ mblk_t *mp1;
+ arh_t *arh;
+ in_addr_t src_paddr, dst_paddr;
+ uint32_t hlen, plen;
+ boolean_t is_probe;
+ int op;
+ ncec_t *dst_ncec, *src_ncec = NULL;
+ uchar_t *src_haddr, *arhp, *dst_haddr, *dp, *sp;
+ int err;
+ ip_stack_t *ipst;
+ boolean_t need_ill_refrele = B_FALSE;
+ nce_t *nce;
+ uchar_t *src_lladdr;
+ dl_unitdata_ind_t *dlui;
+ ip_recv_attr_t iras;
+
+ ASSERT(ill != NULL);
+ if (ill->ill_flags & ILLF_NOARP) {
+ arp_drop_packet("Interface does not support ARP", mp, ill);
+ return;
+ }
+ ipst = ill->ill_ipst;
+ /*
+ * What we should have at this point is a DL_UNITDATA_IND message
+ * followed by an ARP packet. We do some initial checks and then
+ * get to work.
+ */
+ dlui = (dl_unitdata_ind_t *)mp->b_rptr;
+ if (dlui->dl_group_address == 1) {
+ /*
+ * multicast or broadcast packet. Only accept on the ipmp
+ * nominated interface for multicasts ('cast_ill').
+ * If we have no cast_ill we are liberal and accept everything.
+ */
+ if (IS_UNDER_IPMP(ill)) {
+ /* For an under ill_grp can change under lock */
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
+ if (!ill->ill_nom_cast && ill->ill_grp != NULL &&
+ ill->ill_grp->ig_cast_ill != NULL) {
+ rw_exit(&ipst->ips_ill_g_lock);
+ arp_drop_packet("Interface is not nominated "
+ "for multicast sends and receives",
+ mp, ill);
+ return;
+ }
+ rw_exit(&ipst->ips_ill_g_lock);
+ }
+ }
+ mp1 = mp->b_cont;
+ if (mp1 == NULL) {
+ arp_drop_packet("Missing ARP packet", mp, ill);
+ return;
+ }
+ if (mp1->b_cont != NULL) {
+ /* No fooling around with funny messages. */
+ if (!pullupmsg(mp1, -1)) {
+ arp_drop_packet("Funny message: pullup failed",
+ mp, ill);
+ return;
+ }
+ }
+ arh = (arh_t *)mp1->b_rptr;
+ hlen = arh->arh_hlen;
+ plen = arh->arh_plen;
+ if (MBLKL(mp1) < ARH_FIXED_LEN + 2 * hlen + 2 * plen) {
+ arp_drop_packet("mblk len too small", mp, ill);
+ return;
+ }
+ /*
+ * hlen 0 is used for RFC 1868 UnARP.
+ *
+ * Note that the rest of the code checks that hlen is what we expect
+ * for this hardware address type, so might as well discard packets
+ * here that don't match.
+ */
+ if ((hlen > 0 && hlen != ill->ill_phys_addr_length) || plen == 0) {
+ DTRACE_PROBE2(rput_bogus, ill_t *, ill, mblk_t *, mp1);
+ arp_drop_packet("Bogus hlen or plen", mp, ill);
+ return;
+ }
+ /*
+ * Historically, Solaris has been lenient about hardware type numbers.
+ * We should check here, but don't.
+ */
+ DTRACE_PROBE3(arp__physical__in__start, ill_t *, ill, arh_t *, arh,
+ mblk_t *, mp);
+ /*
+ * If ill is in an ipmp group, it will be the under ill. If we want
+ * to report the packet as coming up the IPMP interface, we should
+ * convert it to the ipmp ill.
+ */
+ ARP_HOOK_IN(ipst->ips_arp_physical_in_event, ipst->ips_arp_physical_in,
+ ill->ill_phyint->phyint_ifindex, arh, mp, mp1, ipst);
+ DTRACE_PROBE1(arp__physical__in__end, mblk_t *, mp);
+ if (mp == NULL)
+ return;
+ arhp = (uchar_t *)arh + ARH_FIXED_LEN;
+ src_haddr = arhp; /* ar$sha */
+ arhp += hlen;
+ bcopy(arhp, &src_paddr, IP_ADDR_LEN); /* ar$spa */
+ sp = arhp;
+ arhp += IP_ADDR_LEN;
+ dst_haddr = arhp; /* ar$dha */
+ arhp += hlen;
+ bcopy(arhp, &dst_paddr, IP_ADDR_LEN); /* ar$tpa */
+ dp = arhp;
+ op = BE16_TO_U16(arh->arh_operation);
+
+ DTRACE_PROBE2(ip__arp__input, (in_addr_t), src_paddr,
+ (in_addr_t), dst_paddr);
+
+ /* Determine if this is just a probe */
+ is_probe = (src_paddr == INADDR_ANY);
+
+ /*
+ * ira_ill is the only field used down the arp_notify path.
+ */
+ bzero(&iras, sizeof (iras));
+ iras.ira_ill = iras.ira_rill = ill;
+ /*
+ * RFC 826: first check if the <protocol, sender protocol address> is
+ * in the cache, if there is a sender protocol address. Note that this
+ * step also handles resolutions based on source.
+ */
+ /* Note: after here we need to freeb(mp) and freemsg(mp1) separately */
+ mp->b_cont = NULL;
+ if (is_probe) {
+ err = AR_NOTFOUND;
+ } else {
+ if (plen != 4) {
+ arp_drop_packet("bad protocol len", mp, ill);
+ return;
+ }
+ err = ip_nce_resolve_all(ill, src_haddr, hlen, &src_paddr,
+ &src_ncec, op);
+ switch (err) {
+ case AR_BOGON:
+ ASSERT(src_ncec != NULL);
+ arp_notify(src_paddr, mp1, AR_CN_BOGON,
+ &iras, src_ncec);
+ break;
+ case AR_FAILED:
+ arp_notify(src_paddr, mp1, AR_CN_FAILED, &iras,
+ src_ncec);
+ break;
+ case AR_LOOPBACK:
+ DTRACE_PROBE2(rput_loopback, ill_t *, ill, arh_t *,
+ arh);
+ freemsg(mp1);
+ break;
+ default:
+ goto update;
+ }
+ freemsg(mp);
+ if (src_ncec != NULL)
+ ncec_refrele(src_ncec);
+ return;
+ }
+update:
+ /*
+ * Now look up the destination address. By RFC 826, we ignore the
+ * packet at this step if the target isn't one of our addresses (i.e.,
+ * one we have been asked to PUBLISH). This is true even if the
+ * target is something we're trying to resolve and the packet
+ * is a response.
+ */
+ dst_ncec = ncec_lookup_illgrp_v4(ill, &dst_paddr);
+ if (dst_ncec == NULL || !NCE_PUBLISH(dst_ncec)) {
+ /*
+ * Let the client know if the source mapping has changed, even
+ * if the destination provides no useful information for the
+ * client.
+ */
+ if (err == AR_CHANGED) {
+ arp_notify(src_paddr, mp1, AR_CN_ANNOUNCE, &iras,
+ NULL);
+ freemsg(mp);
+ } else {
+ freemsg(mp);
+ arp_drop_packet("Target is not interesting", mp1, ill);
+ }
+ if (dst_ncec != NULL)
+ ncec_refrele(dst_ncec);
+ if (src_ncec != NULL)
+ ncec_refrele(src_ncec);
+ return;
+ }
+
+ if (dst_ncec->ncec_flags & NCE_F_UNVERIFIED) {
+ /*
+ * Check for a reflection. Some misbehaving bridges will
+ * reflect our own transmitted packets back to us.
+ */
+ ASSERT(NCE_PUBLISH(dst_ncec));
+ if (hlen != dst_ncec->ncec_ill->ill_phys_addr_length) {
+ ncec_refrele(dst_ncec);
+ if (src_ncec != NULL)
+ ncec_refrele(src_ncec);
+ freemsg(mp);
+ arp_drop_packet("bad arh_len", mp1, ill);
+ return;
+ }
+ if (!nce_cmp_ll_addr(dst_ncec, src_haddr, hlen)) {
+ DTRACE_PROBE3(rput_probe_reflected, ill_t *, ill,
+ arh_t *, arh, ncec_t *, dst_ncec);
+ ncec_refrele(dst_ncec);
+ if (src_ncec != NULL)
+ ncec_refrele(src_ncec);
+ freemsg(mp);
+ arp_drop_packet("Reflected probe", mp1, ill);
+ return;
+ }
+ /*
+ * Responses targeting our HW address that are not responses to
+ * our DAD probe must be ignored as they are related to requests
+ * sent before DAD was restarted.
+ */
+ if (op == ARP_RESPONSE &&
+ (nce_cmp_ll_addr(dst_ncec, dst_haddr, hlen) == 0)) {
+ ncec_refrele(dst_ncec);
+ if (src_ncec != NULL)
+ ncec_refrele(src_ncec);
+ freemsg(mp);
+ arp_drop_packet(
+ "Response to request that was sent before DAD",
+ mp1, ill);
+ return;
+ }
+ /*
+ * Responses targeted to HW addresses which are not ours but
+ * sent to our unverified proto address are also conflicts.
+ * These may be reported by a proxy rather than the interface
+ * with the conflicting address, dst_paddr is in conflict
+ * rather than src_paddr. To ensure IP can locate the correct
+ * ipif to take down, it is necessary to copy dst_paddr to
+ * the src_paddr field before sending it to IP. The same is
+ * required for probes, where src_paddr will be INADDR_ANY.
+ */
+ if (is_probe || op == ARP_RESPONSE) {
+ bcopy(dp, sp, plen);
+ arp_notify(src_paddr, mp1, AR_CN_FAILED, &iras,
+ NULL);
+ ncec_delete(dst_ncec);
+ } else if (err == AR_CHANGED) {
+ arp_notify(src_paddr, mp1, AR_CN_ANNOUNCE, &iras,
+ NULL);
+ } else {
+ DTRACE_PROBE3(rput_request_unverified,
+ ill_t *, ill, arh_t *, arh, ncec_t *, dst_ncec);
+ arp_drop_packet("Unverified request", mp1, ill);
+ }
+ freemsg(mp);
+ ncec_refrele(dst_ncec);
+ if (src_ncec != NULL)
+ ncec_refrele(src_ncec);
+ return;
+ }
+ /*
+ * If it's a request, then we reply to this, and if we think the
+ * sender's unknown, then we create an entry to avoid unnecessary ARPs.
+ * The design assumption is that someone ARPing us is likely to send us
+ * a packet soon, and that we'll want to reply to it.
+ */
+ if (op == ARP_REQUEST) {
+ const uchar_t *nce_hwaddr;
+ struct in_addr nce_paddr;
+ clock_t now;
+ ill_t *under_ill = ill;
+ boolean_t send_unicast = B_TRUE;
+
+ ASSERT(NCE_PUBLISH(dst_ncec));
+
+ if ((dst_ncec->ncec_flags & (NCE_F_BCAST|NCE_F_MCAST)) != 0) {
+ /*
+ * Ignore senders who are deliberately or accidentally
+ * confused.
+ */
+ goto bail;
+ }
+
+ if (!is_probe && err == AR_NOTFOUND) {
+ ASSERT(src_ncec == NULL);
+
+ if (IS_UNDER_IPMP(under_ill)) {
+ /*
+ * create the ncec for the sender on ipmp_ill.
+ * We pass in the ipmp_ill itself to avoid
+ * creating an nce_t on the under_ill.
+ */
+ ill = ipmp_ill_hold_ipmp_ill(under_ill);
+ if (ill == NULL)
+ ill = under_ill;
+ else
+ need_ill_refrele = B_TRUE;
+ }
+
+ err = nce_lookup_then_add_v4(ill, src_haddr, hlen,
+ &src_paddr, 0, ND_STALE, &nce);
+
+ switch (err) {
+ case 0:
+ case EEXIST:
+ ip1dbg(("added ncec %p in state %d ill %s\n",
+ (void *)src_ncec, src_ncec->ncec_state,
+ ill->ill_name));
+ src_ncec = nce->nce_common;
+ break;
+ default:
+ /*
+ * Either no memory, or the outgoing interface
+ * is in the process of down/unplumb. In the
+ * latter case, we will fail the send anyway,
+ * and in the former case, we should try to send
+ * the ARP response.
+ */
+ src_lladdr = src_haddr;
+ goto send_response;
+ }
+ ncec_refhold(src_ncec);
+ nce_refrele(nce);
+ /* set up cleanup interval on ncec */
+ }
+
+ /*
+ * This implements periodic address defense based on a modified
+ * version of the RFC 3927 requirements. Instead of sending a
+ * broadcasted reply every time, as demanded by the RFC, we
+ * send at most one broadcast reply per arp_broadcast_interval.
+ */
+ now = ddi_get_lbolt();
+ if ((now - dst_ncec->ncec_last_time_defended) >
+ MSEC_TO_TICK(ipst->ips_ipv4_dad_announce_interval)) {
+ dst_ncec->ncec_last_time_defended = now;
+ /*
+ * If this is one of the long-suffering entries,
+ * pull it out now. It no longer needs separate
+ * defense, because we're now doing that with this
+ * broadcasted reply.
+ */
+ dst_ncec->ncec_flags &= ~NCE_F_DELAYED;
+ send_unicast = B_FALSE;
+ }
+ if (src_ncec != NULL && send_unicast) {
+ src_lladdr = src_ncec->ncec_lladdr;
+ } else {
+ src_lladdr = under_ill->ill_bcast_mp->b_rptr +
+ NCE_LL_ADDR_OFFSET(under_ill);
+ }
+send_response:
+ nce_hwaddr = dst_ncec->ncec_lladdr;
+ IN6_V4MAPPED_TO_INADDR(&dst_ncec->ncec_addr, &nce_paddr);
+
+ (void) arp_output(under_ill, ARP_RESPONSE,
+ nce_hwaddr, (uchar_t *)&nce_paddr, src_haddr,
+ (uchar_t *)&src_paddr, src_lladdr);
+ }
+bail:
+ if (dst_ncec != NULL) {
+ ncec_refrele(dst_ncec);
+ }
+ if (src_ncec != NULL) {
+ ncec_refrele(src_ncec);
+ }
+ if (err == AR_CHANGED) {
+ mp->b_cont = NULL;
+ arp_notify(src_paddr, mp1, AR_CN_ANNOUNCE, &iras, NULL);
+ mp1 = NULL;
+ }
+ if (need_ill_refrele)
+ ill_refrele(ill);
+done:
+ freemsg(mp);
+ freemsg(mp1);
+}
+
+/*
+ * Basic initialization of the arl_t and the arl_common structure shared with
+ * the ill_t that is done after SLIFNAME/IF_UNITSEL.
+ */
+static int
+arl_ill_init(arl_t *arl, char *ill_name)
+{
+ ill_t *ill;
+ arl_ill_common_t *ai;
+
+ ill = ill_lookup_on_name(ill_name, B_FALSE, B_FALSE, B_FALSE,
+ arl->arl_ipst);
+
+ if (ill == NULL)
+ return (ENXIO);
+
+ /*
+ * By the time we set up the arl, we expect the ETHERTYPE_IP
+ * stream to be fully bound and attached. So we copy/verify
+ * relevant information as possible from/against the ill.
+ *
+ * The following should have been set up in arp_ll_set_defaults()
+ * after the first DL_INFO_ACK was received.
+ */
+ ASSERT(arl->arl_phys_addr_length == ill->ill_phys_addr_length);
+ ASSERT(arl->arl_sap == ETHERTYPE_ARP);
+ ASSERT(arl->arl_mactype == ill->ill_mactype);
+ ASSERT(arl->arl_sap_length == ill->ill_sap_length);
+
+ ai = kmem_zalloc(sizeof (*ai), KM_SLEEP);
+ mutex_enter(&ill->ill_lock);
+ /* First ensure that the ill is not CONDEMNED. */
+ if (ill->ill_state_flags & ILL_CONDEMNED) {
+ mutex_exit(&ill->ill_lock);
+ ill_refrele(ill);
+ kmem_free(ai, sizeof (*ai));
+ return (ENXIO);
+ }
+ if (ill->ill_common != NULL || arl->arl_common != NULL) {
+ mutex_exit(&ill->ill_lock);
+ ip0dbg(("%s: PPA already exists", ill->ill_name));
+ ill_refrele(ill);
+ kmem_free(ai, sizeof (*ai));
+ return (EEXIST);
+ }
+ mutex_init(&ai->ai_lock, NULL, MUTEX_DEFAULT, NULL);
+ ai->ai_arl = arl;
+ ai->ai_ill = ill;
+ ill->ill_common = ai;
+ arl->arl_common = ai;
+ mutex_exit(&ill->ill_lock);
+ (void) strlcpy(arl->arl_name, ill->ill_name, LIFNAMSIZ);
+ arl->arl_name_length = ill->ill_name_length;
+ ill_refrele(ill);
+ arp_ifname_notify(arl);
+ return (0);
+}
+
+/* Allocate and do common initializations for DLPI messages. */
+static mblk_t *
+ip_ar_dlpi_comm(t_uscalar_t prim, size_t size)
+{
+ mblk_t *mp;
+
+ if ((mp = allocb(size, BPRI_HI)) == NULL)
+ return (NULL);
+
+ /*
+ * DLPIv2 says that DL_INFO_REQ and DL_TOKEN_REQ (the latter
+ * of which we don't seem to use) are sent with M_PCPROTO, and
+ * that other DLPI are M_PROTO.
+ */
+ DB_TYPE(mp) = (prim == DL_INFO_REQ) ? M_PCPROTO : M_PROTO;
+
+ mp->b_wptr = mp->b_rptr + size;
+ bzero(mp->b_rptr, size);
+ DL_PRIM(mp) = prim;
+ return (mp);
+}
+
+
+int
+ip_sioctl_ifunitsel_arp(queue_t *q, int *ppa)
+{
+ arl_t *arl;
+ char *cp, ill_name[LIFNAMSIZ];
+
+ if (q->q_next == NULL)
+ return (EINVAL);
+
+ do {
+ q = q->q_next;
+ } while (q->q_next != NULL);
+ cp = q->q_qinfo->qi_minfo->mi_idname;
+
+ arl = (arl_t *)q->q_ptr;
+ (void) snprintf(ill_name, sizeof (ill_name), "%s%d", cp, *ppa);
+ arl->arl_ppa = *ppa;
+ return (arl_ill_init(arl, ill_name));
+}
+
+int
+ip_sioctl_slifname_arp(queue_t *q, void *lifreq)
+{
+ arl_t *arl;
+ struct lifreq *lifr = lifreq;
+
+ /* ioctl not valid when IP opened as a device */
+ if (q->q_next == NULL)
+ return (EINVAL);
+
+ arl = (arl_t *)q->q_ptr;
+ arl->arl_ppa = lifr->lifr_ppa;
+ return (arl_ill_init(arl, lifr->lifr_name));
+}
+
+arl_t *
+ill_to_arl(ill_t *ill)
+{
+ arl_ill_common_t *ai = ill->ill_common;
+ arl_t *arl = NULL;
+
+ if (ai == NULL)
+ return (NULL);
+ /*
+ * Find the arl_t that corresponds to this ill_t from the shared
+ * ill_common structure. We can safely access the ai here as it
+ * will only be freed in arp_modclose() after we have become
+ * single-threaded.
+ */
+ mutex_enter(&ai->ai_lock);
+ if ((arl = ai->ai_arl) != NULL) {
+ mutex_enter(&arl->arl_lock);
+ if (!(arl->arl_state_flags & ARL_CONDEMNED)) {
+ arl_refhold_locked(arl);
+ mutex_exit(&arl->arl_lock);
+ } else {
+ mutex_exit(&arl->arl_lock);
+ arl = NULL;
+ }
+ }
+ mutex_exit(&ai->ai_lock);
+ return (arl);
+}
+
+ill_t *
+arl_to_ill(arl_t *arl)
+{
+ arl_ill_common_t *ai = arl->arl_common;
+ ill_t *ill = NULL;
+
+ if (ai == NULL) {
+ /*
+ * happens when the arp stream is just being opened, and
+ * arl_ill_init has not been executed yet.
+ */
+ return (NULL);
+ }
+ /*
+ * Find the ill_t that corresponds to this arl_t from the shared
+ * arl_common structure. We can safely access the ai here as it
+ * will only be freed in arp_modclose() after we have become
+ * single-threaded.
+ */
+ mutex_enter(&ai->ai_lock);
+ if ((ill = ai->ai_ill) != NULL) {
+ mutex_enter(&ill->ill_lock);
+ if (!ILL_IS_CONDEMNED(ill)) {
+ ill_refhold_locked(ill);
+ mutex_exit(&ill->ill_lock);
+ } else {
+ mutex_exit(&ill->ill_lock);
+ ill = NULL;
+ }
+ }
+ mutex_exit(&ai->ai_lock);
+ return (ill);
+}
+
+int
+arp_ll_up(ill_t *ill)
+{
+ mblk_t *attach_mp = NULL;
+ mblk_t *bind_mp = NULL;
+ mblk_t *unbind_mp = NULL;
+ arl_t *arl;
+
+ ASSERT(IAM_WRITER_ILL(ill));
+ arl = ill_to_arl(ill);
+
+ DTRACE_PROBE2(ill__downup, char *, "arp_ll_up", ill_t *, ill);
+ if (arl == NULL)
+ return (ENXIO);
+ DTRACE_PROBE2(arl__downup, char *, "arp_ll_up", arl_t *, arl);
+ if ((arl->arl_state_flags & ARL_LL_UP) != 0) {
+ arl_refrele(arl);
+ return (0);
+ }
+ if (arl->arl_needs_attach) { /* DL_STYLE2 */
+ attach_mp =
+ ip_ar_dlpi_comm(DL_ATTACH_REQ, sizeof (dl_attach_req_t));
+ if (attach_mp == NULL)
+ goto bad;
+ ((dl_attach_req_t *)attach_mp->b_rptr)->dl_ppa = arl->arl_ppa;
+ }
+
+ /* Allocate and initialize a bind message. */
+ bind_mp = ip_ar_dlpi_comm(DL_BIND_REQ, sizeof (dl_bind_req_t));
+ if (bind_mp == NULL)
+ goto bad;
+ ((dl_bind_req_t *)bind_mp->b_rptr)->dl_sap = ETHERTYPE_ARP;
+ ((dl_bind_req_t *)bind_mp->b_rptr)->dl_service_mode = DL_CLDLS;
+
+ unbind_mp = ip_ar_dlpi_comm(DL_UNBIND_REQ, sizeof (dl_unbind_req_t));
+ if (unbind_mp == NULL)
+ goto bad;
+ if (arl->arl_needs_attach) {
+ arp_dlpi_send(arl, attach_mp);
+ }
+ arl->arl_unbind_mp = unbind_mp;
+
+ arl->arl_state_flags |= ARL_LL_BIND_PENDING;
+ arp_dlpi_send(arl, bind_mp);
+ arl_refrele(arl);
+ return (EINPROGRESS);
+
+bad:
+ freemsg(attach_mp);
+ freemsg(bind_mp);
+ freemsg(unbind_mp);
+ arl_refrele(arl);
+ return (ENOMEM);
+}
+
+/*
+ * consumes/frees mp
+ */
+static void
+arp_notify(in_addr_t src, mblk_t *mp, uint32_t arcn_code,
+ ip_recv_attr_t *ira, ncec_t *ncec)
+{
+ char hbuf[MAC_STR_LEN];
+ char sbuf[INET_ADDRSTRLEN];
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ arh_t *arh = (arh_t *)mp->b_rptr;
+
+ switch (arcn_code) {
+ case AR_CN_BOGON:
+ /*
+ * Someone is sending ARP packets with a source protocol
+ * address that we have published and for which we believe our
+ * entry is authoritative and verified to be unique on
+ * the network.
+ *
+ * arp_process_packet() sends AR_CN_FAILED for the case when
+ * a DAD probe is received and the hardware address of a
+ * non-authoritative entry has changed. Thus, AR_CN_BOGON
+ * indicates a real conflict, and we have to do resolution.
+ *
+ * We back away quickly from the address if it's from DHCP or
+ * otherwise temporary and hasn't been used recently (or at
+ * all). We'd like to include "deprecated" addresses here as
+ * well (as there's no real reason to defend something we're
+ * discarding), but IPMP "reuses" this flag to mean something
+ * other than the standard meaning.
+ */
+ if (ip_nce_conflict(mp, ira, ncec)) {
+ (void) mac_colon_addr((uint8_t *)(arh + 1),
+ arh->arh_hlen, hbuf, sizeof (hbuf));
+ (void) ip_dot_addr(src, sbuf);
+ cmn_err(CE_WARN,
+ "proxy ARP problem? Node '%s' is using %s on %s",
+ hbuf, sbuf, ill->ill_name);
+ if (!arp_no_defense)
+ (void) arp_announce(ncec);
+ /*
+ * ncec_last_time_defended has been adjusted in
+ * ip_nce_conflict.
+ */
+ } else {
+ ncec_delete(ncec);
+ }
+ freemsg(mp);
+ break;
+ case AR_CN_ANNOUNCE: {
+ nce_hw_map_t hwm;
+ /*
+ * ARP gives us a copy of any packet where it thinks
+ * the address has changed, so that we can update our
+ * caches. We're responsible for caching known answers
+ * in the current design. We check whether the
+ * hardware address really has changed in all of our
+ * entries that have cached this mapping, and if so, we
+ * blow them away. This way we will immediately pick
+ * up the rare case of a host changing hardware
+ * address.
+ */
+ if (src == 0) {
+ freemsg(mp);
+ break;
+ }
+ hwm.hwm_addr = src;
+ hwm.hwm_hwlen = arh->arh_hlen;
+ hwm.hwm_hwaddr = (uchar_t *)(arh + 1);
+ hwm.hwm_flags = 0;
+ ncec_walk_common(ipst->ips_ndp4, NULL,
+ (pfi_t)nce_update_hw_changed, &hwm, B_TRUE);
+ freemsg(mp);
+ break;
+ }
+ case AR_CN_FAILED:
+ if (arp_no_defense) {
+ (void) mac_colon_addr((uint8_t *)(arh + 1),
+ arh->arh_hlen, hbuf, sizeof (hbuf));
+ (void) ip_dot_addr(src, sbuf);
+
+ cmn_err(CE_WARN,
+ "node %s is using our IP address %s on %s",
+ hbuf, sbuf, ill->ill_name);
+ freemsg(mp);
+ break;
+ }
+ /*
+ * mp will be freed by arp_excl.
+ */
+ ill_refhold(ill);
+ qwriter_ip(ill, ill->ill_rq, mp, arp_excl, NEW_OP, B_FALSE);
+ return;
+ default:
+ ASSERT(0);
+ freemsg(mp);
+ break;
+ }
+}
+
+/*
+ * arp_output is called to transmit an ARP Request or Response. The mapping
+ * to RFC 826 variables is:
+ * haddr1 == ar$sha
+ * paddr1 == ar$spa
+ * haddr2 == ar$tha
+ * paddr2 == ar$tpa
+ * The ARP frame is sent to the ether_dst in dst_lladdr.
+ */
+static int
+arp_output(ill_t *ill, uint32_t operation,
+ const uchar_t *haddr1, const uchar_t *paddr1, const uchar_t *haddr2,
+ const uchar_t *paddr2, uchar_t *dst_lladdr)
+{
+ arh_t *arh;
+ uint8_t *cp;
+ uint_t hlen;
+ uint32_t plen = IPV4_ADDR_LEN; /* ar$pln from RFC 826 */
+ uint32_t proto = IP_ARP_PROTO_TYPE;
+ mblk_t *mp;
+ arl_t *arl;
+
+ ASSERT(dst_lladdr != NULL);
+ hlen = ill->ill_phys_addr_length; /* ar$hln from RFC 826 */
+ mp = ill_dlur_gen(dst_lladdr, hlen, ETHERTYPE_ARP, ill->ill_sap_length);
+
+ if (mp == NULL)
+ return (ENOMEM);
+
+ /* IFF_NOARP flag is set or link down: do not send arp messages */
+ if ((ill->ill_flags & ILLF_NOARP) || !ill->ill_dl_up) {
+ freemsg(mp);
+ return (ENXIO);
+ }
+
+ mp->b_cont = allocb(AR_LL_HDR_SLACK + ARH_FIXED_LEN + (hlen * 4) +
+ plen + plen, BPRI_MED);
+ if (mp->b_cont == NULL) {
+ freeb(mp);
+ return (ENOMEM);
+ }
+
+ /* Fill in the ARP header. */
+ cp = mp->b_cont->b_rptr + (AR_LL_HDR_SLACK + hlen + hlen);
+ mp->b_cont->b_rptr = cp;
+ arh = (arh_t *)cp;
+ U16_TO_BE16(arp_hw_type(ill->ill_mactype), arh->arh_hardware);
+ U16_TO_BE16(proto, arh->arh_proto);
+ arh->arh_hlen = (uint8_t)hlen;
+ arh->arh_plen = (uint8_t)plen;
+ U16_TO_BE16(operation, arh->arh_operation);
+ cp += ARH_FIXED_LEN;
+ bcopy(haddr1, cp, hlen);
+ cp += hlen;
+ if (paddr1 == NULL)
+ bzero(cp, plen);
+ else
+ bcopy(paddr1, cp, plen);
+ cp += plen;
+ if (haddr2 == NULL)
+ bzero(cp, hlen);
+ else
+ bcopy(haddr2, cp, hlen);
+ cp += hlen;
+ bcopy(paddr2, cp, plen);
+ cp += plen;
+ mp->b_cont->b_wptr = cp;
+
+ DTRACE_PROBE3(arp__physical__out__start,
+ ill_t *, ill, arh_t *, arh, mblk_t *, mp);
+ ARP_HOOK_OUT(ill->ill_ipst->ips_arp_physical_out_event,
+ ill->ill_ipst->ips_arp_physical_out,
+ ill->ill_phyint->phyint_ifindex, arh, mp, mp->b_cont,
+ ill->ill_ipst);
+ DTRACE_PROBE1(arp__physical__out__end, mblk_t *, mp);
+ if (mp == NULL)
+ return (0);
+
+ /* Ship it out. */
+ arl = ill_to_arl(ill);
+ if (arl == NULL) {
+ freemsg(mp);
+ return (0);
+ }
+ if (canputnext(arl->arl_wq))
+ putnext(arl->arl_wq, mp);
+ else
+ freemsg(mp);
+ arl_refrele(arl);
+ return (0);
+}
+
+/*
+ * Process resolve requests.
+ * If we are not yet reachable then we check and decrease ncec_rcnt; otherwise
+ * we leave it alone (the caller will check and manage ncec_pcnt in those
+ * cases.)
+ */
+int
+arp_request(ncec_t *ncec, in_addr_t sender, ill_t *ill)
+{
+ int err;
+ const uchar_t *target_hwaddr;
+ struct in_addr nce_paddr;
+ uchar_t *dst_lladdr;
+ boolean_t use_rcnt = !NCE_ISREACHABLE(ncec);
+
+ ASSERT(MUTEX_HELD(&ncec->ncec_lock));
+ ASSERT(!IS_IPMP(ill));
+
+ if (use_rcnt && ncec->ncec_rcnt == 0) {
+ /* not allowed any more retransmits. */
+ return (0);
+ }
+
+ if ((ill->ill_flags & ILLF_NOARP) != 0)
+ return (0);
+
+ IN6_V4MAPPED_TO_INADDR(&ncec->ncec_addr, &nce_paddr);
+
+ target_hwaddr =
+ ill->ill_bcast_mp->b_rptr + NCE_LL_ADDR_OFFSET(ill);
+
+ if (NCE_ISREACHABLE(ncec)) {
+ dst_lladdr = ncec->ncec_lladdr;
+ } else {
+ dst_lladdr = ill->ill_bcast_mp->b_rptr +
+ NCE_LL_ADDR_OFFSET(ill);
+ }
+
+ mutex_exit(&ncec->ncec_lock);
+ err = arp_output(ill, ARP_REQUEST,
+ ill->ill_phys_addr, (uchar_t *)&sender, target_hwaddr,
+ (uchar_t *)&nce_paddr, dst_lladdr);
+ mutex_enter(&ncec->ncec_lock);
+
+ if (err != 0) {
+ /*
+ * Some transient error such as ENOMEM or a down link was
+ * encountered. If the link has been taken down permanently,
+ * the ncec will eventually be cleaned up (ipif_down_tail()
+ * will call ipif_nce_down() and flush the ncec), to terminate
+ * recurring attempts to send ARP requests. In all other cases,
+ * allow the caller another chance at success next time.
+ */
+ return (ncec->ncec_ill->ill_reachable_retrans_time);
+ }
+
+ if (use_rcnt)
+ ncec->ncec_rcnt--;
+
+ return (ncec->ncec_ill->ill_reachable_retrans_time);
+}
+
+/* return B_TRUE if dropped */
+boolean_t
+arp_announce(ncec_t *ncec)
+{
+ ill_t *ill;
+ int err;
+ uchar_t *sphys_addr, *bcast_addr;
+ struct in_addr ncec_addr;
+ boolean_t need_refrele = B_FALSE;
+
+ ASSERT((ncec->ncec_flags & NCE_F_BCAST) == 0);
+ ASSERT((ncec->ncec_flags & NCE_F_MCAST) == 0);
+
+ if (IS_IPMP(ncec->ncec_ill)) {
+ /* sent on the cast_ill */
+ ill = ipmp_ill_get_xmit_ill(ncec->ncec_ill, B_FALSE);
+ if (ill == NULL)
+ return (B_TRUE);
+ need_refrele = B_TRUE;
+ } else {
+ ill = ncec->ncec_ill;
+ }
+
+ /*
+ * broadcast an announce to ill_bcast address.
+ */
+ IN6_V4MAPPED_TO_INADDR(&ncec->ncec_addr, &ncec_addr);
+
+ sphys_addr = ncec->ncec_lladdr;
+ bcast_addr = ill->ill_bcast_mp->b_rptr + NCE_LL_ADDR_OFFSET(ill);
+
+ err = arp_output(ill, ARP_REQUEST,
+ sphys_addr, (uchar_t *)&ncec_addr, bcast_addr,
+ (uchar_t *)&ncec_addr, bcast_addr);
+
+ if (need_refrele)
+ ill_refrele(ill);
+ return (err != 0);
+}
+
+/* return B_TRUE if dropped */
+boolean_t
+arp_probe(ncec_t *ncec)
+{
+ ill_t *ill;
+ int err;
+ struct in_addr ncec_addr;
+ uchar_t *sphys_addr, *dst_lladdr;
+
+ if (IS_IPMP(ncec->ncec_ill)) {
+ ill = ipmp_ill_get_xmit_ill(ncec->ncec_ill, B_FALSE);
+ if (ill == NULL)
+ return (B_TRUE);
+ } else {
+ ill = ncec->ncec_ill;
+ }
+
+ IN6_V4MAPPED_TO_INADDR(&ncec->ncec_addr, &ncec_addr);
+
+ sphys_addr = ncec->ncec_lladdr;
+ dst_lladdr = ill->ill_bcast_mp->b_rptr + NCE_LL_ADDR_OFFSET(ill);
+ err = arp_output(ill, ARP_REQUEST,
+ sphys_addr, NULL, NULL, (uchar_t *)&ncec_addr, dst_lladdr);
+
+ if (IS_IPMP(ncec->ncec_ill))
+ ill_refrele(ill);
+ return (err != 0);
+}
+
+static mblk_t *
+arl_unbind(arl_t *arl)
+{
+ mblk_t *mp;
+
+ if ((mp = arl->arl_unbind_mp) != NULL) {
+ arl->arl_unbind_mp = NULL;
+ arl->arl_state_flags |= ARL_DL_UNBIND_IN_PROGRESS;
+ }
+ return (mp);
+}
+
+int
+arp_ll_down(ill_t *ill)
+{
+ arl_t *arl;
+ mblk_t *unbind_mp;
+ int err = 0;
+ boolean_t replumb = (ill->ill_replumbing == 1);
+
+ DTRACE_PROBE2(ill__downup, char *, "arp_ll_down", ill_t *, ill);
+ if ((arl = ill_to_arl(ill)) == NULL)
+ return (ENXIO);
+ DTRACE_PROBE2(arl__downup, char *, "arp_ll_down", arl_t *, arl);
+ mutex_enter(&arl->arl_lock);
+ unbind_mp = arl_unbind(arl);
+ if (unbind_mp != NULL) {
+ ASSERT(arl->arl_state_flags & ARL_DL_UNBIND_IN_PROGRESS);
+ DTRACE_PROBE2(arp__unbinding, mblk_t *, unbind_mp,
+ arl_t *, arl);
+ err = EINPROGRESS;
+ if (replumb)
+ arl->arl_state_flags |= ARL_LL_REPLUMBING;
+ }
+ mutex_exit(&arl->arl_lock);
+ if (unbind_mp != NULL)
+ arp_dlpi_send(arl, unbind_mp);
+ arl_refrele(arl);
+ return (err);
+}
+
+/* ARGSUSED */
+int
+arp_close(queue_t *q, int flags)
+{
+ if (WR(q)->q_next != NULL) {
+ /* This is a module close */
+ return (arp_modclose(q->q_ptr));
+ }
+ qprocsoff(q);
+ q->q_ptr = WR(q)->q_ptr = NULL;
+ return (0);
+}
+
+static int
+arp_modclose(arl_t *arl)
+{
+ arl_ill_common_t *ai = arl->arl_common;
+ ill_t *ill;
+ queue_t *q = arl->arl_rq;
+ mblk_t *mp, *nextmp;
+ ipsq_t *ipsq = NULL;
+
+ ill = arl_to_ill(arl);
+ if (ill != NULL) {
+ if (!ill_waiter_inc(ill)) {
+ ill_refrele(ill);
+ } else {
+ ill_refrele(ill);
+ if (ipsq_enter(ill, B_FALSE, NEW_OP))
+ ipsq = ill->ill_phyint->phyint_ipsq;
+ ill_waiter_dcr(ill);
+ }
+ if (ipsq == NULL) {
+ /*
+ * could not enter the ipsq because ill is already
+ * marked CONDEMNED.
+ */
+ ill = NULL;
+ }
+ }
+ if (ai != NULL && ipsq == NULL) {
+ /*
+ * Either we did not get an ill because it was marked CONDEMNED
+ * or we could not enter the ipsq because it was unplumbing.
+ * In both cases, wait for the ill to complete ip_modclose().
+ *
+ * If the arp_modclose happened even before SLIFNAME, the ai
+ * itself would be NULL, in which case we can complete the close
+ * without waiting.
+ */
+ mutex_enter(&ai->ai_lock);
+ while (ai->ai_ill != NULL)
+ cv_wait(&ai->ai_ill_unplumb_done, &ai->ai_lock);
+ mutex_exit(&ai->ai_lock);
+ }
+ ASSERT(ill == NULL || IAM_WRITER_ILL(ill));
+
+ mutex_enter(&arl->arl_lock);
+ /*
+ * If the ill had completed unplumbing before arp_modclose(), there
+ * would be no ill (and therefore, no ipsq) to serialize arp_modclose()
+ * so that we need to explicitly check for ARL_CONDEMNED and back off
+ * if it is set.
+ */
+ if ((arl->arl_state_flags & ARL_CONDEMNED) != 0) {
+ mutex_exit(&arl->arl_lock);
+ ASSERT(ipsq == NULL);
+ return (0);
+ }
+ arl->arl_state_flags |= ARL_CONDEMNED;
+
+ /*
+ * send out all pending dlpi messages, don't wait for the ack (which
+ * will be ignored in arp_rput when CONDEMNED is set)
+ *
+ * We have to check for pending DL_UNBIND_REQ because, in the case
+ * that ip_modclose() executed before arp_modclose(), the call to
+ * ill_delete_tail->ipif_arp_down() would have triggered a
+ * DL_UNBIND_REQ. When arp_modclose() executes ipsq_enter() will fail
+ * (since ip_modclose() is in the ipsq) but the DL_UNBIND_ACK may not
+ * have been processed yet. In this scenario, we cannot reset
+ * arl_dlpi_pending, because the setting/clearing of arl_state_flags
+ * related to unbind, and the associated cv_waits must be allowed to
+ * continue.
+ */
+ if (arl->arl_dlpi_pending != DL_UNBIND_REQ)
+ arl->arl_dlpi_pending = DL_PRIM_INVAL;
+ mp = arl->arl_dlpi_deferred;
+ arl->arl_dlpi_deferred = NULL;
+ mutex_exit(&arl->arl_lock);
+
+ for (; mp != NULL; mp = nextmp) {
+ nextmp = mp->b_next;
+ mp->b_next = NULL;
+ putnext(arl->arl_wq, mp);
+ }
+
+ /* Wait for data paths to quiesce */
+ mutex_enter(&arl->arl_lock);
+ while (arl->arl_refcnt != 0)
+ cv_wait(&arl->arl_cv, &arl->arl_lock);
+
+ /*
+ * unbind, so that nothing else can come up from driver.
+ */
+ mp = arl_unbind(arl);
+ mutex_exit(&arl->arl_lock);
+ if (mp != NULL)
+ arp_dlpi_send(arl, mp);
+ mutex_enter(&arl->arl_lock);
+
+ /* wait for unbind ack */
+ while (arl->arl_state_flags & ARL_DL_UNBIND_IN_PROGRESS)
+ cv_wait(&arl->arl_cv, &arl->arl_lock);
+ mutex_exit(&arl->arl_lock);
+
+ qprocsoff(q);
+
+ if (ill != NULL) {
+ mutex_enter(&ill->ill_lock);
+ ill->ill_arl_dlpi_pending = 0;
+ mutex_exit(&ill->ill_lock);
+ }
+
+ if (ai != NULL) {
+ mutex_enter(&ai->ai_lock);
+ ai->ai_arl = NULL;
+ if (ai->ai_ill == NULL) {
+ mutex_destroy(&ai->ai_lock);
+ kmem_free(ai, sizeof (*ai));
+ } else {
+ mutex_exit(&ai->ai_lock);
+ }
+ }
+
+ /* free up the rest */
+ arp_mod_close_tail(arl);
+
+ q->q_ptr = WR(q)->q_ptr = NULL;
+
+ if (ipsq != NULL)
+ ipsq_exit(ipsq);
+
+ return (0);
+}
+
+static void
+arp_mod_close_tail(arl_t *arl)
+{
+ ip_stack_t *ipst = arl->arl_ipst;
+ mblk_t **mpp;
+
+ netstack_hold(ipst->ips_netstack);
+
+ mutex_enter(&ipst->ips_ip_mi_lock);
+ mi_close_unlink(&ipst->ips_arp_g_head, (IDP)arl);
+ mutex_exit(&ipst->ips_ip_mi_lock);
+
+ /*
+ * credp could be null if the open didn't succeed and ip_modopen
+ * itself calls ip_close.
+ */
+ if (arl->arl_credp != NULL)
+ crfree(arl->arl_credp);
+
+ /* Free all retained control messages. */
+ mpp = &arl->arl_first_mp_to_free;
+ do {
+ while (mpp[0]) {
+ mblk_t *mp;
+ mblk_t *mp1;
+
+ mp = mpp[0];
+ mpp[0] = mp->b_next;
+ for (mp1 = mp; mp1 != NULL; mp1 = mp1->b_cont) {
+ mp1->b_next = NULL;
+ mp1->b_prev = NULL;
+ }
+ freemsg(mp);
+ }
+ } while (mpp++ != &arl->arl_last_mp_to_free);
+
+ netstack_rele(ipst->ips_netstack);
+ mi_free(arl->arl_name);
+ mi_close_free((IDP)arl);
+}
+
+/*
+ * DAD failed. Tear down ipifs with the specified srce address. Note that
+ * tearing down the ipif also meas deleting the ncec through ipif_down,
+ * so it is not possible to use nce_timer for recovery. Instead we start
+ * a timer on the ipif. Caller has to free the mp.
+ */
+void
+arp_failure(mblk_t *mp, ip_recv_attr_t *ira)
+{
+ ill_t *ill = ira->ira_ill;
+
+ if ((mp = copymsg(mp)) != NULL) {
+ ill_refhold(ill);
+ qwriter_ip(ill, ill->ill_rq, mp, arp_excl, NEW_OP, B_FALSE);
+ }
+}
+
+/*
+ * This is for exclusive changes due to ARP. Tear down an interface due
+ * to AR_CN_FAILED and AR_CN_BOGON.
+ */
+/* ARGSUSED */
+static void
+arp_excl(ipsq_t *ipsq, queue_t *rq, mblk_t *mp, void *dummy_arg)
+{
+ ill_t *ill = rq->q_ptr;
+ arh_t *arh;
+ ipaddr_t src;
+ ipif_t *ipif;
+ ip_stack_t *ipst = ill->ill_ipst;
+ uchar_t *haddr;
+ uint_t haddrlen;
+
+ /* first try src = ar$spa */
+ arh = (arh_t *)mp->b_rptr;
+ bcopy((char *)&arh[1] + arh->arh_hlen, &src, IP_ADDR_LEN);
+
+ haddrlen = arh->arh_hlen;
+ haddr = (uint8_t *)(arh + 1);
+
+ if (haddrlen == ill->ill_phys_addr_length) {
+ /*
+ * Ignore conflicts generated by misbehaving switches that
+ * just reflect our own messages back to us. For IPMP, we may
+ * see reflections across any ill in the illgrp.
+ */
+ /* For an under ill_grp can change under lock */
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
+ if (bcmp(haddr, ill->ill_phys_addr, haddrlen) == 0 ||
+ IS_UNDER_IPMP(ill) && ill->ill_grp != NULL &&
+ ipmp_illgrp_find_ill(ill->ill_grp, haddr,
+ haddrlen) != NULL) {
+ rw_exit(&ipst->ips_ill_g_lock);
+ goto ignore_conflict;
+ }
+ rw_exit(&ipst->ips_ill_g_lock);
+ }
+
+ /*
+ * Look up the appropriate ipif.
+ */
+ ipif = ipif_lookup_addr(src, ill, ALL_ZONES, ipst);
+ if (ipif == NULL)
+ goto ignore_conflict;
+
+ /* Reload the ill to match the ipif */
+ ill = ipif->ipif_ill;
+
+ /* If it's already duplicate or ineligible, then don't do anything. */
+ if (ipif->ipif_flags & (IPIF_POINTOPOINT|IPIF_DUPLICATE)) {
+ ipif_refrele(ipif);
+ goto ignore_conflict;
+ }
+
+ /*
+ * If we failed on a recovery probe, then restart the timer to
+ * try again later.
+ */
+ if (!ipif->ipif_was_dup) {
+ char hbuf[MAC_STR_LEN];
+ char sbuf[INET_ADDRSTRLEN];
+ char ibuf[LIFNAMSIZ];
+
+ (void) mac_colon_addr(haddr, haddrlen, hbuf, sizeof (hbuf));
+ (void) ip_dot_addr(src, sbuf);
+ ipif_get_name(ipif, ibuf, sizeof (ibuf));
+
+ cmn_err(CE_WARN, "%s has duplicate address %s (in use by %s);"
+ " disabled", ibuf, sbuf, hbuf);
+ }
+ mutex_enter(&ill->ill_lock);
+ ASSERT(!(ipif->ipif_flags & IPIF_DUPLICATE));
+ ipif->ipif_flags |= IPIF_DUPLICATE;
+ ill->ill_ipif_dup_count++;
+ mutex_exit(&ill->ill_lock);
+ (void) ipif_down(ipif, NULL, NULL);
+ (void) ipif_down_tail(ipif);
+ mutex_enter(&ill->ill_lock);
+ if (!(ipif->ipif_flags & (IPIF_DHCPRUNNING|IPIF_TEMPORARY)) &&
+ ill->ill_net_type == IRE_IF_RESOLVER &&
+ !(ipif->ipif_state_flags & IPIF_CONDEMNED) &&
+ ipst->ips_ip_dup_recovery > 0) {
+ ASSERT(ipif->ipif_recovery_id == 0);
+ ipif->ipif_recovery_id = timeout(ipif_dup_recovery,
+ ipif, MSEC_TO_TICK(ipst->ips_ip_dup_recovery));
+ }
+ mutex_exit(&ill->ill_lock);
+ ipif_refrele(ipif);
+
+ignore_conflict:
+ freemsg(mp);
+}
+
+/*
+ * This is a place for a dtrace hook.
+ * Note that mp can be either the DL_UNITDATA_IND with a b_cont payload,
+ * or just the ARP packet payload as an M_DATA.
+ */
+/* ARGSUSED */
+static void
+arp_drop_packet(const char *str, mblk_t *mp, ill_t *ill)
+{
+ freemsg(mp);
+}
+
+static boolean_t
+arp_over_driver(queue_t *q)
+{
+ queue_t *qnext = STREAM(q)->sd_wrq->q_next;
+
+ /*
+ * check if first module below stream head is IP or UDP.
+ */
+ ASSERT(qnext != NULL);
+ if (strcmp(Q2NAME(qnext), "ip") != 0 &&
+ strcmp(Q2NAME(qnext), "udp") != 0) {
+ /*
+ * module below is not ip or udp, so arp has been pushed
+ * on the driver.
+ */
+ return (B_TRUE);
+ }
+ return (B_FALSE);
+}
+
+static int
+arp_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
+{
+ int err;
+
+ ASSERT(sflag & MODOPEN);
+ if (!arp_over_driver(q)) {
+ q->q_qinfo = dummymodinfo.st_rdinit;
+ WR(q)->q_qinfo = dummymodinfo.st_wrinit;
+ return ((*dummymodinfo.st_rdinit->qi_qopen)(q, devp, flag,
+ sflag, credp));
+ }
+ err = arp_modopen(q, devp, flag, sflag, credp);
+ return (err);
+}
+
+/*
+ * In most cases we must be a writer on the IP stream before coming to
+ * arp_dlpi_send(), to serialize DLPI sends to the driver. The exceptions
+ * when we are not a writer are very early duing initialization (in
+ * arl_init, before the arl has done a SLIFNAME, so that we don't yet know
+ * the associated ill) or during arp_mod_close, when we could not enter the
+ * ipsq because the ill has already unplumbed.
+ */
+static void
+arp_dlpi_send(arl_t *arl, mblk_t *mp)
+{
+ mblk_t **mpp;
+ t_uscalar_t prim;
+ arl_ill_common_t *ai;
+
+ ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO);
+
+#ifdef DEBUG
+ ai = arl->arl_common;
+ if (ai != NULL) {
+ mutex_enter(&ai->ai_lock);
+ if (ai->ai_ill != NULL)
+ ASSERT(IAM_WRITER_ILL(ai->ai_ill));
+ mutex_exit(&ai->ai_lock);
+ }
+#endif /* DEBUG */
+
+ mutex_enter(&arl->arl_lock);
+ if (arl->arl_dlpi_pending != DL_PRIM_INVAL) {
+ /* Must queue message. Tail insertion */
+ mpp = &arl->arl_dlpi_deferred;
+ while (*mpp != NULL)
+ mpp = &((*mpp)->b_next);
+
+ *mpp = mp;
+ mutex_exit(&arl->arl_lock);
+ return;
+ }
+ mutex_exit(&arl->arl_lock);
+ if ((prim = ((union DL_primitives *)mp->b_rptr)->dl_primitive)
+ == DL_BIND_REQ) {
+ ASSERT((arl->arl_state_flags & ARL_DL_UNBIND_IN_PROGRESS) == 0);
+ }
+ /*
+ * No need to take the arl_lock to examine ARL_CONDEMNED at this point
+ * because the only thread that can see ARL_CONDEMNED here is the
+ * closing arp_modclose() thread which sets the flag after becoming a
+ * writer on the ipsq. Threads from IP must have finished and
+ * cannot be active now.
+ */
+ if (!(arl->arl_state_flags & ARL_CONDEMNED) ||
+ (prim == DL_UNBIND_REQ)) {
+ if (prim != DL_NOTIFY_CONF) {
+ ill_t *ill = arl_to_ill(arl);
+
+ arl->arl_dlpi_pending = prim;
+ if (ill != NULL) {
+ mutex_enter(&ill->ill_lock);
+ ill->ill_arl_dlpi_pending = 1;
+ mutex_exit(&ill->ill_lock);
+ ill_refrele(ill);
+ }
+ }
+ }
+ DTRACE_PROBE4(arl__dlpi, char *, "arp_dlpi_send",
+ char *, dl_primstr(prim), char *, "-", arl_t *, arl);
+ putnext(arl->arl_wq, mp);
+}
+
+static void
+arl_defaults_common(arl_t *arl, mblk_t *mp)
+{
+ dl_info_ack_t *dlia = (dl_info_ack_t *)mp->b_rptr;
+ /*
+ * Till the ill is fully up the ill is not globally visible.
+ * So no need for a lock.
+ */
+ arl->arl_mactype = dlia->dl_mac_type;
+ arl->arl_sap_length = dlia->dl_sap_length;
+
+ if (!arl->arl_dlpi_style_set) {
+ if (dlia->dl_provider_style == DL_STYLE2)
+ arl->arl_needs_attach = 1;
+ mutex_enter(&arl->arl_lock);
+ ASSERT(arl->arl_dlpi_style_set == 0);
+ arl->arl_dlpi_style_set = 1;
+ arl->arl_state_flags &= ~ARL_LL_SUBNET_PENDING;
+ cv_broadcast(&arl->arl_cv);
+ mutex_exit(&arl->arl_lock);
+ }
+}
+
+int
+arl_init(queue_t *q, arl_t *arl)
+{
+ mblk_t *info_mp;
+ dl_info_req_t *dlir;
+
+ /* subset of ill_init */
+ mutex_init(&arl->arl_lock, NULL, MUTEX_DEFAULT, 0);
+
+ arl->arl_rq = q;
+ arl->arl_wq = WR(q);
+
+ info_mp = allocb(MAX(sizeof (dl_info_req_t), sizeof (dl_info_ack_t)),
+ BPRI_HI);
+ if (info_mp == NULL)
+ return (ENOMEM);
+ /*
+ * allocate sufficient space to contain device name.
+ */
+ arl->arl_name = (char *)(mi_zalloc(2 * LIFNAMSIZ));
+ arl->arl_ppa = UINT_MAX;
+ arl->arl_state_flags |= (ARL_LL_SUBNET_PENDING | ARL_LL_UNBOUND);
+
+ /* Send down the Info Request to the driver. */
+ info_mp->b_datap->db_type = M_PCPROTO;
+ dlir = (dl_info_req_t *)info_mp->b_rptr;
+ info_mp->b_wptr = (uchar_t *)&dlir[1];
+ dlir->dl_primitive = DL_INFO_REQ;
+ arl->arl_dlpi_pending = DL_PRIM_INVAL;
+ qprocson(q);
+
+ arp_dlpi_send(arl, info_mp);
+ return (0);
+}
+
+int
+arl_wait_for_info_ack(arl_t *arl)
+{
+ int err;
+
+ mutex_enter(&arl->arl_lock);
+ while (arl->arl_state_flags & ARL_LL_SUBNET_PENDING) {
+ /*
+ * Return value of 0 indicates a pending signal.
+ */
+ err = cv_wait_sig(&arl->arl_cv, &arl->arl_lock);
+ if (err == 0) {
+ mutex_exit(&arl->arl_lock);
+ return (EINTR);
+ }
+ }
+ mutex_exit(&arl->arl_lock);
+ /*
+ * ip_rput_other could have set an error in ill_error on
+ * receipt of M_ERROR.
+ */
+ return (arl->arl_error);
+}
+
+void
+arl_set_muxid(ill_t *ill, int muxid)
+{
+ arl_t *arl;
+
+ arl = ill_to_arl(ill);
+ if (arl != NULL) {
+ arl->arl_muxid = muxid;
+ arl_refrele(arl);
+ }
+}
+
+int
+arl_get_muxid(ill_t *ill)
+{
+ arl_t *arl;
+ int muxid = 0;
+
+ arl = ill_to_arl(ill);
+ if (arl != NULL) {
+ muxid = arl->arl_muxid;
+ arl_refrele(arl);
+ }
+ return (muxid);
+}
+
+static int
+arp_modopen(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
+{
+ int err;
+ zoneid_t zoneid;
+ netstack_t *ns;
+ ip_stack_t *ipst;
+ arl_t *arl = NULL;
+
+ /*
+ * Prevent unprivileged processes from pushing IP so that
+ * they can't send raw IP.
+ */
+ if (secpolicy_net_rawaccess(credp) != 0)
+ return (EPERM);
+
+ ns = netstack_find_by_cred(credp);
+ ASSERT(ns != NULL);
+ ipst = ns->netstack_ip;
+ ASSERT(ipst != NULL);
+
+ /*
+ * For exclusive stacks we set the zoneid to zero
+ * to make IP operate as if in the global zone.
+ */
+ if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID)
+ zoneid = GLOBAL_ZONEID;
+ else
+ zoneid = crgetzoneid(credp);
+
+ arl = (arl_t *)mi_open_alloc_sleep(sizeof (arl_t));
+ q->q_ptr = WR(q)->q_ptr = arl;
+ arl->arl_ipst = ipst;
+ arl->arl_zoneid = zoneid;
+ err = arl_init(q, arl);
+
+ if (err != 0) {
+ mi_free(arl->arl_name);
+ mi_free(arl);
+ netstack_rele(ipst->ips_netstack);
+ q->q_ptr = NULL;
+ WR(q)->q_ptr = NULL;
+ return (err);
+ }
+
+ /*
+ * Wait for the DL_INFO_ACK if a DL_INFO_REQ was sent.
+ */
+ err = arl_wait_for_info_ack(arl);
+ if (err == 0)
+ arl->arl_credp = credp;
+ else
+ goto fail;
+
+ crhold(credp);
+
+ mutex_enter(&ipst->ips_ip_mi_lock);
+ err = mi_open_link(&ipst->ips_arp_g_head, (IDP)q->q_ptr, devp, flag,
+ sflag, credp);
+ mutex_exit(&ipst->ips_ip_mi_lock);
+fail:
+ if (err) {
+ (void) arp_close(q, 0);
+ return (err);
+ }
+ return (0);
+}
+
+/*
+ * Notify any downstream modules (esp softmac and hitbox) of the name
+ * of this interface using an M_CTL.
+ */
+static void
+arp_ifname_notify(arl_t *arl)
+{
+ mblk_t *mp1, *mp2;
+ struct iocblk *iocp;
+ struct lifreq *lifr;
+
+ if ((mp1 = mkiocb(SIOCSLIFNAME)) == NULL)
+ return;
+ if ((mp2 = allocb(sizeof (struct lifreq), BPRI_HI)) == NULL) {
+ freemsg(mp1);
+ return;
+ }
+
+ lifr = (struct lifreq *)mp2->b_rptr;
+ mp2->b_wptr += sizeof (struct lifreq);
+ bzero(lifr, sizeof (struct lifreq));
+
+ (void) strncpy(lifr->lifr_name, arl->arl_name, LIFNAMSIZ);
+ lifr->lifr_ppa = arl->arl_ppa;
+ lifr->lifr_flags = ILLF_IPV4;
+
+ /* Use M_CTL to avoid confusing anyone else who might be listening. */
+ DB_TYPE(mp1) = M_CTL;
+ mp1->b_cont = mp2;
+ iocp = (struct iocblk *)mp1->b_rptr;
+ iocp->ioc_count = msgsize(mp1->b_cont);
+ DTRACE_PROBE4(arl__dlpi, char *, "arp_ifname_notify",
+ char *, "SIOCSLIFNAME", char *, "-", arl_t *, arl);
+ putnext(arl->arl_wq, mp1);
+}
+
+void
+arp_send_replumb_conf(ill_t *ill)
+{
+ mblk_t *mp;
+ arl_t *arl = ill_to_arl(ill);
+
+ if (arl == NULL)
+ return;
+ /*
+ * arl_got_replumb and arl_got_unbind to be cleared after we complete
+ * arp_cmd_done.
+ */
+ mp = mexchange(NULL, NULL, sizeof (dl_notify_conf_t), M_PROTO,
+ DL_NOTIFY_CONF);
+ ((dl_notify_conf_t *)(mp->b_rptr))->dl_notification =
+ DL_NOTE_REPLUMB_DONE;
+ arp_dlpi_send(arl, mp);
+ mutex_enter(&arl->arl_lock);
+ arl->arl_state_flags &= ~ARL_LL_REPLUMBING;
+ mutex_exit(&arl->arl_lock);
+ arl_refrele(arl);
+}
+
+/*
+ * The unplumb code paths call arp_unbind_complete() to make sure that it is
+ * safe to tear down the ill. We wait for DL_UNBIND_ACK to complete, and also
+ * for the arl_refcnt to fall to one so that, when we return from
+ * arp_unbind_complete(), we know for certain that there are no threads in
+ * arp_rput() that might access the arl_ill.
+ */
+void
+arp_unbind_complete(ill_t *ill)
+{
+ arl_t *arl = ill_to_arl(ill);
+
+ if (arl == NULL)
+ return;
+ mutex_enter(&arl->arl_lock);
+ /*
+ * wait for unbind ack and arl_refcnt to drop to 1. Note that the
+ * quiescent arl_refcnt for this function is 1 (and not 0) because
+ * ill_to_arl() will itself return after taking a ref on the arl_t.
+ */
+ while (arl->arl_state_flags & ARL_DL_UNBIND_IN_PROGRESS)
+ cv_wait(&arl->arl_cv, &arl->arl_lock);
+ while (arl->arl_refcnt != 1)
+ cv_wait(&arl->arl_cv, &arl->arl_lock);
+ mutex_exit(&arl->arl_lock);
+ arl_refrele(arl);
+}
diff --git a/usr/src/uts/common/inet/ip/ip_attr.c b/usr/src/uts/common/inet/ip/ip_attr.c
new file mode 100644
index 0000000000..a46a82c85f
--- /dev/null
+++ b/usr/src/uts/common/inet/ip/ip_attr.c
@@ -0,0 +1,1338 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+/* Copyright (c) 1990 Mentat Inc. */
+
+#include <sys/types.h>
+#include <sys/stream.h>
+#include <sys/strsun.h>
+#include <sys/zone.h>
+#include <sys/ddi.h>
+#include <sys/sunddi.h>
+#include <sys/cmn_err.h>
+#include <sys/debug.h>
+#include <sys/atomic.h>
+
+#include <sys/systm.h>
+#include <sys/param.h>
+#include <sys/kmem.h>
+#include <sys/sdt.h>
+#include <sys/socket.h>
+#include <sys/mac.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <net/route.h>
+#include <sys/sockio.h>
+#include <netinet/in.h>
+#include <net/if_dl.h>
+
+#include <inet/common.h>
+#include <inet/mi.h>
+#include <inet/mib2.h>
+#include <inet/nd.h>
+#include <inet/arp.h>
+#include <inet/snmpcom.h>
+#include <inet/kstatcom.h>
+
+#include <netinet/igmp_var.h>
+#include <netinet/ip6.h>
+#include <netinet/icmp6.h>
+#include <netinet/sctp.h>
+
+#include <inet/ip.h>
+#include <inet/ip_impl.h>
+#include <inet/ip6.h>
+#include <inet/ip6_asp.h>
+#include <inet/tcp.h>
+#include <inet/ip_multi.h>
+#include <inet/ip_if.h>
+#include <inet/ip_ire.h>
+#include <inet/ip_ftable.h>
+#include <inet/ip_rts.h>
+#include <inet/optcom.h>
+#include <inet/ip_ndp.h>
+#include <inet/ip_listutils.h>
+#include <netinet/igmp.h>
+#include <netinet/ip_mroute.h>
+#include <inet/ipp_common.h>
+
+#include <net/pfkeyv2.h>
+#include <inet/sadb.h>
+#include <inet/ipsec_impl.h>
+#include <inet/ipdrop.h>
+#include <inet/ip_netinfo.h>
+#include <sys/squeue_impl.h>
+#include <sys/squeue.h>
+
+#include <inet/ipclassifier.h>
+#include <inet/sctp_ip.h>
+#include <inet/sctp/sctp_impl.h>
+#include <inet/udp_impl.h>
+#include <sys/sunddi.h>
+
+#include <sys/tsol/label.h>
+#include <sys/tsol/tnet.h>
+
+/*
+ * Release a reference on ip_xmit_attr.
+ * The reference is acquired by conn_get_ixa()
+ */
+#define IXA_REFRELE(ixa) \
+{ \
+ if (atomic_add_32_nv(&(ixa)->ixa_refcnt, -1) == 0) \
+ ixa_inactive(ixa); \
+}
+
+#define IXA_REFHOLD(ixa) \
+{ \
+ ASSERT((ixa)->ixa_refcnt != 0); \
+ atomic_add_32(&(ixa)->ixa_refcnt, 1); \
+}
+
+/*
+ * When we need to handle a transmit side asynchronous operation, then we need
+ * to save sufficient information so that we can call the fragment and postfrag
+ * functions. That information is captured in an mblk containing this structure.
+ *
+ * Since this is currently only used for IPsec, we include information for
+ * the kernel crypto framework.
+ */
+typedef struct ixamblk_s {
+ boolean_t ixm_inbound; /* B_FALSE */
+ iaflags_t ixm_flags; /* ixa_flags */
+ netstackid_t ixm_stackid; /* Verify it didn't go away */
+ uint_t ixm_ifindex; /* Used to find the nce */
+ in6_addr_t ixm_nceaddr_v6; /* Used to find nce */
+#define ixm_nceaddr_v4 V4_PART_OF_V6(ixm_nceaddr_v6)
+ uint32_t ixm_fragsize;
+ uint_t ixm_pktlen;
+ uint16_t ixm_ip_hdr_length; /* Points to ULP header */
+ uint8_t ixm_protocol; /* Protocol number for ULP cksum */
+ pfirepostfrag_t ixm_postfragfn;
+
+ zoneid_t ixm_zoneid; /* Needed for ipobs */
+ zoneid_t ixm_no_loop_zoneid; /* IXAF_NO_LOOP_ZONEID_SET */
+
+ uint_t ixm_scopeid; /* For IPv6 link-locals */
+
+ uint32_t ixm_ident; /* For IPv6 fragment header */
+ uint32_t ixm_xmit_hint;
+
+ cred_t *ixm_cred; /* For getpeerucred - refhold if set */
+ pid_t ixm_cpid; /* For getpeerucred */
+
+ ts_label_t *ixm_tsl; /* Refhold if set. */
+
+ /*
+ * When the pointers below are set they have a refhold on the struct.
+ */
+ ipsec_latch_t *ixm_ipsec_latch;
+ struct ipsa_s *ixm_ipsec_ah_sa; /* SA for AH */
+ struct ipsa_s *ixm_ipsec_esp_sa; /* SA for ESP */
+ struct ipsec_policy_s *ixm_ipsec_policy; /* why are we here? */
+ struct ipsec_action_s *ixm_ipsec_action; /* For reflected packets */
+
+ ipsa_ref_t ixm_ipsec_ref[2]; /* Soft reference to SA */
+
+ /* Need these while waiting for SA */
+ uint16_t ixm_ipsec_src_port; /* Source port number of d-gram. */
+ uint16_t ixm_ipsec_dst_port; /* Destination port number of d-gram. */
+ uint8_t ixm_ipsec_icmp_type; /* ICMP type of d-gram */
+ uint8_t ixm_ipsec_icmp_code; /* ICMP code of d-gram */
+
+ sa_family_t ixm_ipsec_inaf; /* Inner address family */
+ uint32_t ixm_ipsec_insrc[IXA_MAX_ADDRLEN]; /* Inner src address */
+ uint32_t ixm_ipsec_indst[IXA_MAX_ADDRLEN]; /* Inner dest address */
+ uint8_t ixm_ipsec_insrcpfx; /* Inner source prefix */
+ uint8_t ixm_ipsec_indstpfx; /* Inner destination prefix */
+
+ uint8_t ixm_ipsec_proto; /* IP protocol number for d-gram. */
+} ixamblk_t;
+
+
+/*
+ * When we need to handle a receive side asynchronous operation, then we need
+ * to save sufficient information so that we can call ip_fanout.
+ * That information is captured in an mblk containing this structure.
+ *
+ * Since this is currently only used for IPsec, we include information for
+ * the kernel crypto framework.
+ */
+typedef struct iramblk_s {
+ boolean_t irm_inbound; /* B_TRUE */
+ iaflags_t irm_flags; /* ira_flags */
+ netstackid_t irm_stackid; /* Verify it didn't go away */
+ uint_t irm_ifindex; /* To find ira_ill */
+
+ uint_t irm_rifindex; /* ira_rifindex */
+ uint_t irm_ruifindex; /* ira_ruifindex */
+ uint_t irm_pktlen;
+ uint16_t irm_ip_hdr_length; /* Points to ULP header */
+ uint8_t irm_protocol; /* Protocol number for ULP cksum */
+ zoneid_t irm_zoneid; /* ALL_ZONES unless local delivery */
+
+ squeue_t *irm_sqp;
+ ill_rx_ring_t *irm_ring;
+
+ ipaddr_t irm_mroute_tunnel; /* IRAF_MROUTE_TUNNEL_SET */
+ zoneid_t irm_no_loop_zoneid; /* IRAF_NO_LOOP_ZONEID_SET */
+ uint32_t irm_esp_udp_ports; /* IRAF_ESP_UDP_PORTS */
+
+ char irm_l2src[IRA_L2SRC_SIZE]; /* If IRAF_L2SRC_SET */
+
+ cred_t *irm_cred; /* For getpeerucred - refhold if set */
+ pid_t irm_cpid; /* For getpeerucred */
+
+ ts_label_t *irm_tsl; /* Refhold if set. */
+
+ /*
+ * When set these correspond to a refhold on the object.
+ */
+ struct ipsa_s *irm_ipsec_ah_sa; /* SA for AH */
+ struct ipsa_s *irm_ipsec_esp_sa; /* SA for ESP */
+ struct ipsec_action_s *irm_ipsec_action; /* For reflected packets */
+} iramblk_t;
+
+
+/*
+ * Take the information in ip_xmit_attr_t and stick it in an mblk
+ * that can later be passed to ip_xmit_attr_from_mblk to recreate the
+ * ip_xmit_attr_t.
+ *
+ * Returns NULL on memory allocation failure.
+ */
+mblk_t *
+ip_xmit_attr_to_mblk(ip_xmit_attr_t *ixa)
+{
+ mblk_t *ixamp;
+ ixamblk_t *ixm;
+ nce_t *nce = ixa->ixa_nce;
+
+ ASSERT(nce != NULL);
+ ixamp = allocb(sizeof (*ixm), BPRI_MED);
+ if (ixamp == NULL)
+ return (NULL);
+
+ ixamp->b_datap->db_type = M_BREAK;
+ ixamp->b_wptr += sizeof (*ixm);
+ ixm = (ixamblk_t *)ixamp->b_rptr;
+
+ bzero(ixm, sizeof (*ixm));
+ ixm->ixm_inbound = B_FALSE;
+ ixm->ixm_flags = ixa->ixa_flags;
+ ixm->ixm_stackid = ixa->ixa_ipst->ips_netstack->netstack_stackid;
+ ixm->ixm_ifindex = nce->nce_ill->ill_phyint->phyint_ifindex;
+ ixm->ixm_nceaddr_v6 = nce->nce_addr;
+ ixm->ixm_fragsize = ixa->ixa_fragsize;
+ ixm->ixm_pktlen = ixa->ixa_pktlen;
+ ixm->ixm_ip_hdr_length = ixa->ixa_ip_hdr_length;
+ ixm->ixm_protocol = ixa->ixa_protocol;
+ ixm->ixm_postfragfn = ixa->ixa_postfragfn;
+ ixm->ixm_zoneid = ixa->ixa_zoneid;
+ ixm->ixm_no_loop_zoneid = ixa->ixa_no_loop_zoneid;
+ ixm->ixm_scopeid = ixa->ixa_scopeid;
+ ixm->ixm_ident = ixa->ixa_ident;
+ ixm->ixm_xmit_hint = ixa->ixa_xmit_hint;
+
+ if (ixa->ixa_tsl != NULL) {
+ ixm->ixm_tsl = ixa->ixa_tsl;
+ label_hold(ixm->ixm_tsl);
+ }
+ if (ixa->ixa_cred != NULL) {
+ ixm->ixm_cred = ixa->ixa_cred;
+ crhold(ixa->ixa_cred);
+ }
+ ixm->ixm_cpid = ixa->ixa_cpid;
+
+ if (ixa->ixa_flags & IXAF_IPSEC_SECURE) {
+ if (ixa->ixa_ipsec_ah_sa != NULL) {
+ ixm->ixm_ipsec_ah_sa = ixa->ixa_ipsec_ah_sa;
+ IPSA_REFHOLD(ixa->ixa_ipsec_ah_sa);
+ }
+ if (ixa->ixa_ipsec_esp_sa != NULL) {
+ ixm->ixm_ipsec_esp_sa = ixa->ixa_ipsec_esp_sa;
+ IPSA_REFHOLD(ixa->ixa_ipsec_esp_sa);
+ }
+ if (ixa->ixa_ipsec_policy != NULL) {
+ ixm->ixm_ipsec_policy = ixa->ixa_ipsec_policy;
+ IPPOL_REFHOLD(ixa->ixa_ipsec_policy);
+ }
+ if (ixa->ixa_ipsec_action != NULL) {
+ ixm->ixm_ipsec_action = ixa->ixa_ipsec_action;
+ IPACT_REFHOLD(ixa->ixa_ipsec_action);
+ }
+ if (ixa->ixa_ipsec_latch != NULL) {
+ ixm->ixm_ipsec_latch = ixa->ixa_ipsec_latch;
+ IPLATCH_REFHOLD(ixa->ixa_ipsec_latch);
+ }
+ ixm->ixm_ipsec_ref[0] = ixa->ixa_ipsec_ref[0];
+ ixm->ixm_ipsec_ref[1] = ixa->ixa_ipsec_ref[1];
+ ixm->ixm_ipsec_src_port = ixa->ixa_ipsec_src_port;
+ ixm->ixm_ipsec_dst_port = ixa->ixa_ipsec_dst_port;
+ ixm->ixm_ipsec_icmp_type = ixa->ixa_ipsec_icmp_type;
+ ixm->ixm_ipsec_icmp_code = ixa->ixa_ipsec_icmp_code;
+ ixm->ixm_ipsec_inaf = ixa->ixa_ipsec_inaf;
+ ixm->ixm_ipsec_insrc[0] = ixa->ixa_ipsec_insrc[0];
+ ixm->ixm_ipsec_insrc[1] = ixa->ixa_ipsec_insrc[1];
+ ixm->ixm_ipsec_insrc[2] = ixa->ixa_ipsec_insrc[2];
+ ixm->ixm_ipsec_insrc[3] = ixa->ixa_ipsec_insrc[3];
+ ixm->ixm_ipsec_indst[0] = ixa->ixa_ipsec_indst[0];
+ ixm->ixm_ipsec_indst[1] = ixa->ixa_ipsec_indst[1];
+ ixm->ixm_ipsec_indst[2] = ixa->ixa_ipsec_indst[2];
+ ixm->ixm_ipsec_indst[3] = ixa->ixa_ipsec_indst[3];
+ ixm->ixm_ipsec_insrcpfx = ixa->ixa_ipsec_insrcpfx;
+ ixm->ixm_ipsec_indstpfx = ixa->ixa_ipsec_indstpfx;
+ ixm->ixm_ipsec_proto = ixa->ixa_ipsec_proto;
+ }
+ return (ixamp);
+}
+
+/*
+ * Extract the ip_xmit_attr_t from the mblk, checking that the
+ * ip_stack_t, ill_t, and nce_t still exist. Returns B_FALSE if that is
+ * not the case.
+ *
+ * Otherwise ixa is updated.
+ * Caller needs to release references on the ixa by calling ixa_refrele()
+ * which will imediately call ixa_inactive to release the references.
+ */
+boolean_t
+ip_xmit_attr_from_mblk(mblk_t *ixamp, ip_xmit_attr_t *ixa)
+{
+ ixamblk_t *ixm;
+ netstack_t *ns;
+ ip_stack_t *ipst;
+ ill_t *ill;
+ nce_t *nce;
+
+ /* We assume the caller hasn't initialized ixa */
+ bzero(ixa, sizeof (*ixa));
+
+ ASSERT(DB_TYPE(ixamp) == M_BREAK);
+ ASSERT(ixamp->b_cont == NULL);
+
+ ixm = (ixamblk_t *)ixamp->b_rptr;
+ ASSERT(!ixm->ixm_inbound);
+
+ /* Verify the netstack is still around */
+ ns = netstack_find_by_stackid(ixm->ixm_stackid);
+ if (ns == NULL) {
+ /* Disappeared on us */
+ (void) ip_xmit_attr_free_mblk(ixamp);
+ return (B_FALSE);
+ }
+ ipst = ns->netstack_ip;
+
+ /* Verify the ill is still around */
+ ill = ill_lookup_on_ifindex(ixm->ixm_ifindex,
+ !(ixm->ixm_flags & IXAF_IS_IPV4), ipst);
+
+ /* We have the ill, hence the netstack can't go away */
+ netstack_rele(ns);
+ if (ill == NULL) {
+ /* Disappeared on us */
+ (void) ip_xmit_attr_free_mblk(ixamp);
+ return (B_FALSE);
+ }
+ /*
+ * Find the nce. We don't load-spread (only lookup nce's on the ill)
+ * because we want to find the same nce as the one we had when
+ * ip_xmit_attr_to_mblk was called.
+ */
+ if (ixm->ixm_flags & IXAF_IS_IPV4) {
+ nce = nce_lookup_v4(ill, &ixm->ixm_nceaddr_v4);
+ } else {
+ nce = nce_lookup_v6(ill, &ixm->ixm_nceaddr_v6);
+ }
+
+ /* We have the nce, hence the ill can't go away */
+ ill_refrele(ill);
+ if (nce == NULL) {
+ /*
+ * Since this is unusual and we don't know what type of
+ * nce it was, we drop the packet.
+ */
+ (void) ip_xmit_attr_free_mblk(ixamp);
+ return (B_FALSE);
+ }
+
+ ixa->ixa_flags = ixm->ixm_flags;
+ ixa->ixa_refcnt = 1;
+ ixa->ixa_ipst = ipst;
+ ixa->ixa_fragsize = ixm->ixm_fragsize;
+ ixa->ixa_pktlen = ixm->ixm_pktlen;
+ ixa->ixa_ip_hdr_length = ixm->ixm_ip_hdr_length;
+ ixa->ixa_protocol = ixm->ixm_protocol;
+ ixa->ixa_nce = nce;
+ ixa->ixa_postfragfn = ixm->ixm_postfragfn;
+ ixa->ixa_zoneid = ixm->ixm_zoneid;
+ ixa->ixa_no_loop_zoneid = ixm->ixm_no_loop_zoneid;
+ ixa->ixa_scopeid = ixm->ixm_scopeid;
+ ixa->ixa_ident = ixm->ixm_ident;
+ ixa->ixa_xmit_hint = ixm->ixm_xmit_hint;
+
+ if (ixm->ixm_tsl != NULL) {
+ ixa->ixa_tsl = ixm->ixm_tsl;
+ ixa->ixa_free_flags |= IXA_FREE_TSL;
+ }
+ if (ixm->ixm_cred != NULL) {
+ ixa->ixa_cred = ixm->ixm_cred;
+ ixa->ixa_free_flags |= IXA_FREE_CRED;
+ }
+ ixa->ixa_cpid = ixm->ixm_cpid;
+
+ ixa->ixa_ipsec_ah_sa = ixm->ixm_ipsec_ah_sa;
+ ixa->ixa_ipsec_esp_sa = ixm->ixm_ipsec_esp_sa;
+ ixa->ixa_ipsec_policy = ixm->ixm_ipsec_policy;
+ ixa->ixa_ipsec_action = ixm->ixm_ipsec_action;
+ ixa->ixa_ipsec_latch = ixm->ixm_ipsec_latch;
+
+ ixa->ixa_ipsec_ref[0] = ixm->ixm_ipsec_ref[0];
+ ixa->ixa_ipsec_ref[1] = ixm->ixm_ipsec_ref[1];
+ ixa->ixa_ipsec_src_port = ixm->ixm_ipsec_src_port;
+ ixa->ixa_ipsec_dst_port = ixm->ixm_ipsec_dst_port;
+ ixa->ixa_ipsec_icmp_type = ixm->ixm_ipsec_icmp_type;
+ ixa->ixa_ipsec_icmp_code = ixm->ixm_ipsec_icmp_code;
+ ixa->ixa_ipsec_inaf = ixm->ixm_ipsec_inaf;
+ ixa->ixa_ipsec_insrc[0] = ixm->ixm_ipsec_insrc[0];
+ ixa->ixa_ipsec_insrc[1] = ixm->ixm_ipsec_insrc[1];
+ ixa->ixa_ipsec_insrc[2] = ixm->ixm_ipsec_insrc[2];
+ ixa->ixa_ipsec_insrc[3] = ixm->ixm_ipsec_insrc[3];
+ ixa->ixa_ipsec_indst[0] = ixm->ixm_ipsec_indst[0];
+ ixa->ixa_ipsec_indst[1] = ixm->ixm_ipsec_indst[1];
+ ixa->ixa_ipsec_indst[2] = ixm->ixm_ipsec_indst[2];
+ ixa->ixa_ipsec_indst[3] = ixm->ixm_ipsec_indst[3];
+ ixa->ixa_ipsec_insrcpfx = ixm->ixm_ipsec_insrcpfx;
+ ixa->ixa_ipsec_indstpfx = ixm->ixm_ipsec_indstpfx;
+ ixa->ixa_ipsec_proto = ixm->ixm_ipsec_proto;
+
+ freeb(ixamp);
+ return (B_TRUE);
+}
+
+/*
+ * Free the ixm mblk and any references it holds
+ * Returns b_cont.
+ */
+mblk_t *
+ip_xmit_attr_free_mblk(mblk_t *ixamp)
+{
+ ixamblk_t *ixm;
+ mblk_t *mp;
+
+ /* Consume mp */
+ ASSERT(DB_TYPE(ixamp) == M_BREAK);
+ mp = ixamp->b_cont;
+
+ ixm = (ixamblk_t *)ixamp->b_rptr;
+ ASSERT(!ixm->ixm_inbound);
+
+ if (ixm->ixm_ipsec_ah_sa != NULL) {
+ IPSA_REFRELE(ixm->ixm_ipsec_ah_sa);
+ ixm->ixm_ipsec_ah_sa = NULL;
+ }
+ if (ixm->ixm_ipsec_esp_sa != NULL) {
+ IPSA_REFRELE(ixm->ixm_ipsec_esp_sa);
+ ixm->ixm_ipsec_esp_sa = NULL;
+ }
+ if (ixm->ixm_ipsec_policy != NULL) {
+ IPPOL_REFRELE(ixm->ixm_ipsec_policy);
+ ixm->ixm_ipsec_policy = NULL;
+ }
+ if (ixm->ixm_ipsec_action != NULL) {
+ IPACT_REFRELE(ixm->ixm_ipsec_action);
+ ixm->ixm_ipsec_action = NULL;
+ }
+ if (ixm->ixm_ipsec_latch) {
+ IPLATCH_REFRELE(ixm->ixm_ipsec_latch);
+ ixm->ixm_ipsec_latch = NULL;
+ }
+
+ if (ixm->ixm_tsl != NULL) {
+ label_rele(ixm->ixm_tsl);
+ ixm->ixm_tsl = NULL;
+ }
+ if (ixm->ixm_cred != NULL) {
+ crfree(ixm->ixm_cred);
+ ixm->ixm_cred = NULL;
+ }
+ freeb(ixamp);
+ return (mp);
+}
+
+/*
+ * Take the information in ip_recv_attr_t and stick it in an mblk
+ * that can later be passed to ip_recv_attr_from_mblk to recreate the
+ * ip_recv_attr_t.
+ *
+ * Returns NULL on memory allocation failure.
+ */
+mblk_t *
+ip_recv_attr_to_mblk(ip_recv_attr_t *ira)
+{
+ mblk_t *iramp;
+ iramblk_t *irm;
+ ill_t *ill = ira->ira_ill;
+
+ ASSERT(ira->ira_ill != NULL || ira->ira_ruifindex != 0);
+
+ iramp = allocb(sizeof (*irm), BPRI_MED);
+ if (iramp == NULL)
+ return (NULL);
+
+ iramp->b_datap->db_type = M_BREAK;
+ iramp->b_wptr += sizeof (*irm);
+ irm = (iramblk_t *)iramp->b_rptr;
+
+ bzero(irm, sizeof (*irm));
+ irm->irm_inbound = B_TRUE;
+ irm->irm_flags = ira->ira_flags;
+ if (ill != NULL) {
+ /* Internal to IP - preserve ip_stack_t, ill and rill */
+ irm->irm_stackid =
+ ill->ill_ipst->ips_netstack->netstack_stackid;
+ irm->irm_ifindex = ira->ira_ill->ill_phyint->phyint_ifindex;
+ ASSERT(ira->ira_rill->ill_phyint->phyint_ifindex ==
+ ira->ira_rifindex);
+ } else {
+ /* Let ip_recv_attr_from_stackid know there isn't one */
+ irm->irm_stackid = -1;
+ }
+ irm->irm_rifindex = ira->ira_rifindex;
+ irm->irm_ruifindex = ira->ira_ruifindex;
+ irm->irm_pktlen = ira->ira_pktlen;
+ irm->irm_ip_hdr_length = ira->ira_ip_hdr_length;
+ irm->irm_protocol = ira->ira_protocol;
+
+ irm->irm_sqp = ira->ira_sqp;
+ irm->irm_ring = ira->ira_ring;
+
+ irm->irm_zoneid = ira->ira_zoneid;
+ irm->irm_mroute_tunnel = ira->ira_mroute_tunnel;
+ irm->irm_no_loop_zoneid = ira->ira_no_loop_zoneid;
+ irm->irm_esp_udp_ports = ira->ira_esp_udp_ports;
+
+ if (ira->ira_tsl != NULL) {
+ irm->irm_tsl = ira->ira_tsl;
+ label_hold(irm->irm_tsl);
+ }
+ if (ira->ira_cred != NULL) {
+ irm->irm_cred = ira->ira_cred;
+ crhold(ira->ira_cred);
+ }
+ irm->irm_cpid = ira->ira_cpid;
+
+ if (ira->ira_flags & IRAF_L2SRC_SET)
+ bcopy(ira->ira_l2src, irm->irm_l2src, IRA_L2SRC_SIZE);
+
+ if (ira->ira_flags & IRAF_IPSEC_SECURE) {
+ if (ira->ira_ipsec_ah_sa != NULL) {
+ irm->irm_ipsec_ah_sa = ira->ira_ipsec_ah_sa;
+ IPSA_REFHOLD(ira->ira_ipsec_ah_sa);
+ }
+ if (ira->ira_ipsec_esp_sa != NULL) {
+ irm->irm_ipsec_esp_sa = ira->ira_ipsec_esp_sa;
+ IPSA_REFHOLD(ira->ira_ipsec_esp_sa);
+ }
+ if (ira->ira_ipsec_action != NULL) {
+ irm->irm_ipsec_action = ira->ira_ipsec_action;
+ IPACT_REFHOLD(ira->ira_ipsec_action);
+ }
+ }
+ return (iramp);
+}
+
+/*
+ * Extract the ip_recv_attr_t from the mblk. If we are used inside IP
+ * then irm_stackid is not -1, in which case we check that the
+ * ip_stack_t and ill_t still exist. Returns B_FALSE if that is
+ * not the case.
+ * If irm_stackid is zero then we are used by an ULP (e.g., squeue_enter)
+ * and we just proceed with ira_ill and ira_rill as NULL.
+ *
+ * The caller needs to release any references on the pointers inside the ire
+ * by calling ira_cleanup.
+ */
+boolean_t
+ip_recv_attr_from_mblk(mblk_t *iramp, ip_recv_attr_t *ira)
+{
+ iramblk_t *irm;
+ netstack_t *ns;
+ ip_stack_t *ipst = NULL;
+ ill_t *ill = NULL, *rill = NULL;
+
+ /* We assume the caller hasn't initialized ira */
+ bzero(ira, sizeof (*ira));
+
+ ASSERT(DB_TYPE(iramp) == M_BREAK);
+ ASSERT(iramp->b_cont == NULL);
+
+ irm = (iramblk_t *)iramp->b_rptr;
+ ASSERT(irm->irm_inbound);
+
+ if (irm->irm_stackid != -1) {
+ /* Verify the netstack is still around */
+ ns = netstack_find_by_stackid(irm->irm_stackid);
+ if (ns == NULL) {
+ /* Disappeared on us */
+ (void) ip_recv_attr_free_mblk(iramp);
+ return (B_FALSE);
+ }
+ ipst = ns->netstack_ip;
+
+ /* Verify the ill is still around */
+ ill = ill_lookup_on_ifindex(irm->irm_ifindex,
+ !(irm->irm_flags & IRAF_IS_IPV4), ipst);
+
+ if (irm->irm_ifindex == irm->irm_rifindex) {
+ rill = ill;
+ } else {
+ rill = ill_lookup_on_ifindex(irm->irm_rifindex,
+ !(irm->irm_flags & IRAF_IS_IPV4), ipst);
+ }
+
+ /* We have the ill, hence the netstack can't go away */
+ netstack_rele(ns);
+ if (ill == NULL || rill == NULL) {
+ /* Disappeared on us */
+ if (ill != NULL)
+ ill_refrele(ill);
+ if (rill != NULL && rill != ill)
+ ill_refrele(rill);
+ (void) ip_recv_attr_free_mblk(iramp);
+ return (B_FALSE);
+ }
+ }
+
+ ira->ira_flags = irm->irm_flags;
+ /* Caller must ill_refele(ira_ill) by using ira_cleanup() */
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
+
+ ira->ira_rifindex = irm->irm_rifindex;
+ ira->ira_ruifindex = irm->irm_ruifindex;
+ ira->ira_pktlen = irm->irm_pktlen;
+ ira->ira_ip_hdr_length = irm->irm_ip_hdr_length;
+ ira->ira_protocol = irm->irm_protocol;
+
+ ira->ira_sqp = irm->irm_sqp;
+ /* The rest of IP assumes that the rings never go away. */
+ ira->ira_ring = irm->irm_ring;
+
+ ira->ira_zoneid = irm->irm_zoneid;
+ ira->ira_mroute_tunnel = irm->irm_mroute_tunnel;
+ ira->ira_no_loop_zoneid = irm->irm_no_loop_zoneid;
+ ira->ira_esp_udp_ports = irm->irm_esp_udp_ports;
+
+ if (irm->irm_tsl != NULL) {
+ ira->ira_tsl = irm->irm_tsl;
+ ira->ira_free_flags |= IRA_FREE_TSL;
+ }
+ if (irm->irm_cred != NULL) {
+ ira->ira_cred = irm->irm_cred;
+ ira->ira_free_flags |= IRA_FREE_CRED;
+ }
+ ira->ira_cpid = irm->irm_cpid;
+
+ if (ira->ira_flags & IRAF_L2SRC_SET)
+ bcopy(irm->irm_l2src, ira->ira_l2src, IRA_L2SRC_SIZE);
+
+ ira->ira_ipsec_ah_sa = irm->irm_ipsec_ah_sa;
+ ira->ira_ipsec_esp_sa = irm->irm_ipsec_esp_sa;
+ ira->ira_ipsec_action = irm->irm_ipsec_action;
+
+ freeb(iramp);
+ return (B_TRUE);
+}
+
+/*
+ * Free the irm mblk and any references it holds
+ * Returns b_cont.
+ */
+mblk_t *
+ip_recv_attr_free_mblk(mblk_t *iramp)
+{
+ iramblk_t *irm;
+ mblk_t *mp;
+
+ /* Consume mp */
+ ASSERT(DB_TYPE(iramp) == M_BREAK);
+ mp = iramp->b_cont;
+
+ irm = (iramblk_t *)iramp->b_rptr;
+ ASSERT(irm->irm_inbound);
+
+ if (irm->irm_ipsec_ah_sa != NULL) {
+ IPSA_REFRELE(irm->irm_ipsec_ah_sa);
+ irm->irm_ipsec_ah_sa = NULL;
+ }
+ if (irm->irm_ipsec_esp_sa != NULL) {
+ IPSA_REFRELE(irm->irm_ipsec_esp_sa);
+ irm->irm_ipsec_esp_sa = NULL;
+ }
+ if (irm->irm_ipsec_action != NULL) {
+ IPACT_REFRELE(irm->irm_ipsec_action);
+ irm->irm_ipsec_action = NULL;
+ }
+ if (irm->irm_tsl != NULL) {
+ label_rele(irm->irm_tsl);
+ irm->irm_tsl = NULL;
+ }
+ if (irm->irm_cred != NULL) {
+ crfree(irm->irm_cred);
+ irm->irm_cred = NULL;
+ }
+
+ freeb(iramp);
+ return (mp);
+}
+
+/*
+ * Returns true if the mblk contains an ip_recv_attr_t
+ * For now we just check db_type.
+ */
+boolean_t
+ip_recv_attr_is_mblk(mblk_t *mp)
+{
+ /*
+ * Need to handle the various forms of tcp_timermp which are tagged
+ * with b_wptr and might have a NULL b_datap.
+ */
+ if (mp->b_wptr == NULL || mp->b_wptr == (uchar_t *)-1)
+ return (B_FALSE);
+
+#ifdef DEBUG
+ iramblk_t *irm;
+
+ if (DB_TYPE(mp) != M_BREAK)
+ return (B_FALSE);
+
+ irm = (iramblk_t *)mp->b_rptr;
+ ASSERT(irm->irm_inbound);
+ return (B_TRUE);
+#else
+ return (DB_TYPE(mp) == M_BREAK);
+#endif
+}
+
+static ip_xmit_attr_t *
+conn_get_ixa_impl(conn_t *connp, boolean_t replace, int kmflag)
+{
+ ip_xmit_attr_t *ixa;
+ ip_xmit_attr_t *oldixa;
+
+ mutex_enter(&connp->conn_lock);
+ ixa = connp->conn_ixa;
+
+ /* At least one references for the conn_t */
+ ASSERT(ixa->ixa_refcnt >= 1);
+ if (atomic_add_32_nv(&ixa->ixa_refcnt, 1) == 2) {
+ /* No other thread using conn_ixa */
+ mutex_exit(&connp->conn_lock);
+ return (ixa);
+ }
+ ixa = kmem_alloc(sizeof (*ixa), kmflag);
+ if (ixa == NULL) {
+ mutex_exit(&connp->conn_lock);
+ ixa_refrele(connp->conn_ixa);
+ return (NULL);
+ }
+ ixa_safe_copy(connp->conn_ixa, ixa);
+
+ /* Make sure we drop conn_lock before any refrele */
+ if (replace) {
+ ixa->ixa_refcnt++; /* No atomic needed - not visible */
+ oldixa = connp->conn_ixa;
+ connp->conn_ixa = ixa;
+ mutex_exit(&connp->conn_lock);
+ IXA_REFRELE(oldixa); /* Undo refcnt from conn_t */
+ } else {
+ oldixa = connp->conn_ixa;
+ mutex_exit(&connp->conn_lock);
+ }
+ IXA_REFRELE(oldixa); /* Undo above atomic_add_32_nv */
+
+ return (ixa);
+}
+
+/*
+ * Return an ip_xmit_attr_t to use with a conn_t that ensures that only
+ * the caller can access the ip_xmit_attr_t.
+ *
+ * If nobody else is using conn_ixa we return it.
+ * Otherwise we make a "safe" copy of conn_ixa
+ * and return it. The "safe" copy has the pointers set to NULL
+ * (since the pointers might be changed by another thread using
+ * conn_ixa). The caller needs to check for NULL pointers to see
+ * if ip_set_destination needs to be called to re-establish the pointers.
+ *
+ * If 'replace' is set then we replace conn_ixa with the new ip_xmit_attr_t.
+ * That is used when we connect() the ULP.
+ */
+ip_xmit_attr_t *
+conn_get_ixa(conn_t *connp, boolean_t replace)
+{
+ return (conn_get_ixa_impl(connp, replace, KM_NOSLEEP));
+}
+
+/*
+ * Used only when the option is to have the kernel hang due to not
+ * cleaning up ixa references on ills etc.
+ */
+ip_xmit_attr_t *
+conn_get_ixa_tryhard(conn_t *connp, boolean_t replace)
+{
+ return (conn_get_ixa_impl(connp, replace, KM_SLEEP));
+}
+
+/*
+ * Replace conn_ixa with the ixa argument.
+ *
+ * The caller must hold conn_lock.
+ *
+ * We return the old ixa; the caller must ixa_refrele that after conn_lock
+ * has been dropped.
+ */
+ip_xmit_attr_t *
+conn_replace_ixa(conn_t *connp, ip_xmit_attr_t *ixa)
+{
+ ip_xmit_attr_t *oldixa;
+
+ ASSERT(MUTEX_HELD(&connp->conn_lock));
+
+ oldixa = connp->conn_ixa;
+ IXA_REFHOLD(ixa);
+ connp->conn_ixa = ixa;
+ return (oldixa);
+}
+
+/*
+ * Return a ip_xmit_attr_t to use with a conn_t that is based on but
+ * separate from conn_ixa.
+ *
+ * This "safe" copy has the pointers set to NULL
+ * (since the pointers might be changed by another thread using
+ * conn_ixa). The caller needs to check for NULL pointers to see
+ * if ip_set_destination needs to be called to re-establish the pointers.
+ */
+ip_xmit_attr_t *
+conn_get_ixa_exclusive(conn_t *connp)
+{
+ ip_xmit_attr_t *ixa;
+
+ mutex_enter(&connp->conn_lock);
+ ixa = connp->conn_ixa;
+
+ /* At least one references for the conn_t */
+ ASSERT(ixa->ixa_refcnt >= 1);
+
+ /* Make sure conn_ixa doesn't disappear while we copy it */
+ atomic_add_32(&ixa->ixa_refcnt, 1);
+
+ ixa = kmem_alloc(sizeof (*ixa), KM_NOSLEEP);
+ if (ixa == NULL) {
+ mutex_exit(&connp->conn_lock);
+ ixa_refrele(connp->conn_ixa);
+ return (NULL);
+ }
+ ixa_safe_copy(connp->conn_ixa, ixa);
+ mutex_exit(&connp->conn_lock);
+ IXA_REFRELE(connp->conn_ixa);
+ return (ixa);
+}
+
+void
+ixa_safe_copy(ip_xmit_attr_t *src, ip_xmit_attr_t *ixa)
+{
+ bcopy(src, ixa, sizeof (*ixa));
+ ixa->ixa_refcnt = 1;
+ /*
+ * Clear any pointers that have references and might be changed
+ * by ip_set_destination or the ULP
+ */
+ ixa->ixa_ire = NULL;
+ ixa->ixa_nce = NULL;
+ ixa->ixa_dce = NULL;
+ ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
+ ixa->ixa_dce_generation = DCE_GENERATION_VERIFY;
+#ifdef DEBUG
+ ixa->ixa_curthread = NULL;
+#endif
+ /* Clear all the IPsec pointers and the flag as well. */
+ ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
+
+ ixa->ixa_ipsec_latch = NULL;
+ ixa->ixa_ipsec_ah_sa = NULL;
+ ixa->ixa_ipsec_esp_sa = NULL;
+ ixa->ixa_ipsec_policy = NULL;
+ ixa->ixa_ipsec_action = NULL;
+
+ /*
+ * We leave ixa_tsl unchanged, but if it has a refhold we need
+ * to get an extra refhold.
+ */
+ if (ixa->ixa_free_flags & IXA_FREE_TSL)
+ label_hold(ixa->ixa_tsl);
+
+ /*
+ * We leave ixa_cred unchanged, but if it has a refhold we need
+ * to get an extra refhold.
+ */
+ if (ixa->ixa_free_flags & IXA_FREE_CRED)
+ crhold(ixa->ixa_cred);
+}
+
+/*
+ * Duplicate an ip_xmit_attr_t.
+ * Assumes that the caller controls the ixa, hence we do not need to use
+ * a safe copy. We just have to increase the refcnt on any pointers.
+ */
+ip_xmit_attr_t *
+ip_xmit_attr_duplicate(ip_xmit_attr_t *src_ixa)
+{
+ ip_xmit_attr_t *ixa;
+
+ ixa = kmem_alloc(sizeof (*ixa), KM_NOSLEEP);
+ if (ixa == NULL)
+ return (NULL);
+ bcopy(src_ixa, ixa, sizeof (*ixa));
+ ixa->ixa_refcnt = 1;
+
+ if (ixa->ixa_ire != NULL)
+ ire_refhold_notr(ixa->ixa_ire);
+ if (ixa->ixa_nce != NULL)
+ nce_refhold(ixa->ixa_nce);
+ if (ixa->ixa_dce != NULL)
+ dce_refhold_notr(ixa->ixa_dce);
+
+#ifdef DEBUG
+ ixa->ixa_curthread = NULL;
+#endif
+
+ if (ixa->ixa_ipsec_latch != NULL)
+ IPLATCH_REFHOLD(ixa->ixa_ipsec_latch);
+ if (ixa->ixa_ipsec_ah_sa != NULL)
+ IPSA_REFHOLD(ixa->ixa_ipsec_ah_sa);
+ if (ixa->ixa_ipsec_esp_sa != NULL)
+ IPSA_REFHOLD(ixa->ixa_ipsec_esp_sa);
+ if (ixa->ixa_ipsec_policy != NULL)
+ IPPOL_REFHOLD(ixa->ixa_ipsec_policy);
+ if (ixa->ixa_ipsec_action != NULL)
+ IPACT_REFHOLD(ixa->ixa_ipsec_action);
+
+ if (ixa->ixa_tsl != NULL) {
+ label_hold(ixa->ixa_tsl);
+ ixa->ixa_free_flags |= IXA_FREE_TSL;
+ }
+ if (ixa->ixa_cred != NULL) {
+ crhold(ixa->ixa_cred);
+ ixa->ixa_free_flags |= IXA_FREE_CRED;
+ }
+ return (ixa);
+}
+
+/*
+ * Used to replace the ixa_label field.
+ * The caller should have a reference on the label, which we transfer to
+ * the attributes so that when the attribute is freed/cleaned up
+ * we will release that reference.
+ */
+void
+ip_xmit_attr_replace_tsl(ip_xmit_attr_t *ixa, ts_label_t *tsl)
+{
+ ASSERT(tsl != NULL);
+
+ if (ixa->ixa_free_flags & IXA_FREE_TSL) {
+ ASSERT(ixa->ixa_tsl != NULL);
+ label_rele(ixa->ixa_tsl);
+ } else {
+ ixa->ixa_free_flags |= IXA_FREE_TSL;
+ }
+ ixa->ixa_tsl = tsl;
+}
+
+/*
+ * Replace the ip_recv_attr_t's label.
+ * Due to kernel RPC's use of db_credp we also need to replace ira_cred;
+ * TCP/UDP uses ira_cred to set db_credp for non-socket users.
+ * This can fail (and return B_FALSE) due to lack of memory.
+ */
+boolean_t
+ip_recv_attr_replace_label(ip_recv_attr_t *ira, ts_label_t *tsl)
+{
+ cred_t *newcr;
+
+ if (ira->ira_free_flags & IRA_FREE_TSL) {
+ ASSERT(ira->ira_tsl != NULL);
+ label_rele(ira->ira_tsl);
+ }
+ label_hold(tsl);
+ ira->ira_tsl = tsl;
+ ira->ira_free_flags |= IRA_FREE_TSL;
+
+ /*
+ * Reset zoneid if we have a shared address. That allows
+ * ip_fanout_tx_v4/v6 to determine the zoneid again.
+ */
+ if (ira->ira_flags & IRAF_TX_SHARED_ADDR)
+ ira->ira_zoneid = ALL_ZONES;
+
+ /* We update ira_cred for RPC */
+ newcr = copycred_from_tslabel(ira->ira_cred, ira->ira_tsl, KM_NOSLEEP);
+ if (newcr == NULL)
+ return (B_FALSE);
+ if (ira->ira_free_flags & IRA_FREE_CRED)
+ crfree(ira->ira_cred);
+ ira->ira_cred = newcr;
+ ira->ira_free_flags |= IRA_FREE_CRED;
+ return (B_TRUE);
+}
+
+/*
+ * This needs to be called after ip_set_destination/tsol_check_dest might
+ * have changed ixa_tsl to be specific for a destination, and we now want to
+ * send to a different destination.
+ * We have to restart with crgetlabel() since ip_set_destination/
+ * tsol_check_dest will start with ixa_tsl.
+ */
+void
+ip_xmit_attr_restore_tsl(ip_xmit_attr_t *ixa, cred_t *cr)
+{
+ if (!is_system_labeled())
+ return;
+
+ if (ixa->ixa_free_flags & IXA_FREE_TSL) {
+ ASSERT(ixa->ixa_tsl != NULL);
+ label_rele(ixa->ixa_tsl);
+ ixa->ixa_free_flags &= ~IXA_FREE_TSL;
+ }
+ ixa->ixa_tsl = crgetlabel(cr);
+}
+
+void
+ixa_refrele(ip_xmit_attr_t *ixa)
+{
+ IXA_REFRELE(ixa);
+}
+
+void
+ixa_inactive(ip_xmit_attr_t *ixa)
+{
+ ASSERT(ixa->ixa_refcnt == 0);
+
+ ixa_cleanup(ixa);
+ kmem_free(ixa, sizeof (*ixa));
+}
+
+/*
+ * Release any references contained in the ixa.
+ * Also clear any fields that are not controlled by ixa_flags.
+ */
+void
+ixa_cleanup(ip_xmit_attr_t *ixa)
+{
+ if (ixa->ixa_ire != NULL) {
+ ire_refrele_notr(ixa->ixa_ire);
+ ixa->ixa_ire = NULL;
+ }
+ if (ixa->ixa_dce != NULL) {
+ dce_refrele_notr(ixa->ixa_dce);
+ ixa->ixa_dce = NULL;
+ }
+ if (ixa->ixa_nce != NULL) {
+ nce_refrele(ixa->ixa_nce);
+ ixa->ixa_nce = NULL;
+ }
+ ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
+ ixa->ixa_dce_generation = DCE_GENERATION_VERIFY;
+ if (ixa->ixa_flags & IXAF_IPSEC_SECURE) {
+ ipsec_out_release_refs(ixa);
+ }
+ if (ixa->ixa_free_flags & IXA_FREE_TSL) {
+ ASSERT(ixa->ixa_tsl != NULL);
+ label_rele(ixa->ixa_tsl);
+ ixa->ixa_tsl = NULL;
+ ixa->ixa_free_flags &= ~IXA_FREE_TSL;
+ }
+ if (ixa->ixa_free_flags & IXA_FREE_CRED) {
+ ASSERT(ixa->ixa_cred != NULL);
+ crfree(ixa->ixa_cred);
+ ixa->ixa_cred = NULL;
+ ixa->ixa_free_flags &= ~IXA_FREE_CRED;
+ }
+ ixa->ixa_src_preferences = 0;
+ ixa->ixa_ifindex = 0;
+ ixa->ixa_multicast_ifindex = 0;
+ ixa->ixa_multicast_ifaddr = INADDR_ANY;
+}
+
+/*
+ * Release any references contained in the ira.
+ * Callers which use ip_recv_attr_from_mblk() would pass B_TRUE as the second
+ * argument.
+ */
+void
+ira_cleanup(ip_recv_attr_t *ira, boolean_t refrele_ill)
+{
+ if (ira->ira_ill != NULL) {
+ if (ira->ira_rill != ira->ira_ill) {
+ /* Caused by async processing */
+ ill_refrele(ira->ira_rill);
+ }
+ if (refrele_ill)
+ ill_refrele(ira->ira_ill);
+ }
+ if (ira->ira_flags & IRAF_IPSEC_SECURE) {
+ ipsec_in_release_refs(ira);
+ }
+ if (ira->ira_free_flags & IRA_FREE_TSL) {
+ ASSERT(ira->ira_tsl != NULL);
+ label_rele(ira->ira_tsl);
+ ira->ira_tsl = NULL;
+ ira->ira_free_flags &= ~IRA_FREE_TSL;
+ }
+ if (ira->ira_free_flags & IRA_FREE_CRED) {
+ ASSERT(ira->ira_cred != NULL);
+ crfree(ira->ira_cred);
+ ira->ira_cred = NULL;
+ ira->ira_free_flags &= ~IRA_FREE_CRED;
+ }
+}
+
+/*
+ * Function to help release any IRE, NCE, or DCEs that
+ * have been deleted and are marked as condemned.
+ * The caller is responsible for any serialization which is different
+ * for TCP, SCTP, and others.
+ */
+static void
+ixa_cleanup_stale(ip_xmit_attr_t *ixa)
+{
+ ire_t *ire;
+ nce_t *nce;
+ dce_t *dce;
+
+ ire = ixa->ixa_ire;
+ nce = ixa->ixa_nce;
+ dce = ixa->ixa_dce;
+
+ if (ire != NULL && IRE_IS_CONDEMNED(ire)) {
+ ire_refrele_notr(ire);
+ ire = ire_blackhole(ixa->ixa_ipst,
+ !(ixa->ixa_flags & IXAF_IS_IPV4));
+ ASSERT(ire != NULL);
+#ifdef DEBUG
+ ire_refhold_notr(ire);
+ ire_refrele(ire);
+#endif
+ ixa->ixa_ire = ire;
+ ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
+ }
+ if (nce != NULL && nce->nce_is_condemned) {
+ /* Can make it NULL as long as we set IRE_GENERATION_VERIFY */
+ nce_refrele(nce);
+ ixa->ixa_nce = NULL;
+ ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
+ }
+ if (dce != NULL && DCE_IS_CONDEMNED(dce)) {
+ dce_refrele_notr(dce);
+ dce = dce_get_default(ixa->ixa_ipst);
+ ASSERT(dce != NULL);
+#ifdef DEBUG
+ dce_refhold_notr(dce);
+ dce_refrele(dce);
+#endif
+ ixa->ixa_dce = dce;
+ ixa->ixa_dce_generation = DCE_GENERATION_VERIFY;
+ }
+}
+
+/*
+ * Used to run ixa_cleanup_stale inside the tcp squeue.
+ * When done we hand the mp back by assigning it to tcps_ixa_cleanup_mp
+ * and waking up the caller.
+ */
+/* ARGSUSED2 */
+static void
+tcp_ixa_cleanup(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy)
+{
+ conn_t *connp = (conn_t *)arg;
+ tcp_stack_t *tcps;
+
+ tcps = connp->conn_netstack->netstack_tcp;
+
+ ixa_cleanup_stale(connp->conn_ixa);
+
+ mutex_enter(&tcps->tcps_ixa_cleanup_lock);
+ ASSERT(tcps->tcps_ixa_cleanup_mp == NULL);
+ tcps->tcps_ixa_cleanup_mp = mp;
+ cv_signal(&tcps->tcps_ixa_cleanup_cv);
+ mutex_exit(&tcps->tcps_ixa_cleanup_lock);
+}
+
+
+/*
+ * ipcl_walk() function to help release any IRE, NCE, or DCEs that
+ * have been deleted and are marked as condemned.
+ * Note that we can't cleanup the pointers since there can be threads
+ * in conn_ip_output() sending while we are called.
+ */
+void
+conn_ixa_cleanup(conn_t *connp, void *arg)
+{
+ boolean_t tryhard = (boolean_t)arg;
+
+ if (IPCL_IS_TCP(connp)) {
+ mblk_t *mp;
+ tcp_stack_t *tcps;
+
+ tcps = connp->conn_netstack->netstack_tcp;
+
+ mutex_enter(&tcps->tcps_ixa_cleanup_lock);
+ while ((mp = tcps->tcps_ixa_cleanup_mp) == NULL) {
+ /*
+ * Multiple concurrent cleanups; need to have the last
+ * one run since it could be an unplumb.
+ */
+ cv_wait(&tcps->tcps_ixa_cleanup_cv,
+ &tcps->tcps_ixa_cleanup_lock);
+ }
+ tcps->tcps_ixa_cleanup_mp = NULL;
+ mutex_exit(&tcps->tcps_ixa_cleanup_lock);
+
+ if (connp->conn_sqp->sq_run == curthread) {
+ /* Already on squeue */
+ tcp_ixa_cleanup(connp, mp, NULL, NULL);
+ } else {
+ CONN_INC_REF(connp);
+ SQUEUE_ENTER_ONE(connp->conn_sqp, mp, tcp_ixa_cleanup,
+ connp, NULL, SQ_PROCESS, SQTAG_TCP_IXA_CLEANUP);
+
+ /* Wait until tcp_ixa_cleanup has run */
+ mutex_enter(&tcps->tcps_ixa_cleanup_lock);
+ while (tcps->tcps_ixa_cleanup_mp == NULL) {
+ cv_wait(&tcps->tcps_ixa_cleanup_cv,
+ &tcps->tcps_ixa_cleanup_lock);
+ }
+ mutex_exit(&tcps->tcps_ixa_cleanup_lock);
+ }
+ } else if (IPCL_IS_SCTP(connp)) {
+ sctp_t *sctp;
+ sctp_faddr_t *fp;
+
+ sctp = CONN2SCTP(connp);
+ RUN_SCTP(sctp);
+ ixa_cleanup_stale(connp->conn_ixa);
+ for (fp = sctp->sctp_faddrs; fp != NULL; fp = fp->next)
+ ixa_cleanup_stale(fp->ixa);
+ WAKE_SCTP(sctp);
+ } else {
+ ip_xmit_attr_t *ixa;
+
+ /*
+ * If there is a different thread using conn_ixa then we get a
+ * new copy and cut the old one loose from conn_ixa. Otherwise
+ * we use conn_ixa and prevent any other thread from
+ * using/changing it. Anybody using conn_ixa (e.g., a thread in
+ * conn_ip_output) will do an ixa_refrele which will remove any
+ * references on the ire etc.
+ *
+ * Once we are done other threads can use conn_ixa since the
+ * refcnt will be back at one.
+ *
+ * We are called either because an ill is going away, or
+ * due to memory reclaim. In the former case we wait for
+ * memory since we must remove the refcnts on the ill.
+ */
+ if (tryhard) {
+ ixa = conn_get_ixa_tryhard(connp, B_TRUE);
+ ASSERT(ixa != NULL);
+ } else {
+ ixa = conn_get_ixa(connp, B_TRUE);
+ if (ixa == NULL) {
+ /*
+ * Somebody else was using it and kmem_alloc
+ * failed! Next memory reclaim will try to
+ * clean up.
+ */
+ DTRACE_PROBE1(conn__ixa__cleanup__bail,
+ conn_t *, connp);
+ return;
+ }
+ }
+ ixa_cleanup_stale(ixa);
+ ixa_refrele(ixa);
+ }
+}
+
+/*
+ * ixa needs to be an exclusive copy so that no one changes the cookie
+ * or the ixa_nce.
+ */
+boolean_t
+ixa_check_drain_insert(conn_t *connp, ip_xmit_attr_t *ixa)
+{
+ uintptr_t cookie = ixa->ixa_cookie;
+ ill_dld_direct_t *idd;
+ idl_tx_list_t *idl_txl;
+ ill_t *ill = ixa->ixa_nce->nce_ill;
+ boolean_t inserted = B_FALSE;
+
+ idd = &(ill)->ill_dld_capab->idc_direct;
+ idl_txl = &ixa->ixa_ipst->ips_idl_tx_list[IDLHASHINDEX(cookie)];
+ if (cookie == 0) {
+ /*
+ * ip_xmit failed the canputnext check
+ */
+ connp->conn_did_putbq = 1;
+ ASSERT(cookie == 0);
+ conn_drain_insert(connp, idl_txl);
+ if (!IPCL_IS_NONSTR(connp))
+ noenable(connp->conn_wq);
+ return (B_TRUE);
+ }
+ ASSERT(ILL_DIRECT_CAPABLE(ill));
+ mutex_enter(&idl_txl->txl_lock);
+ if (connp->conn_direct_blocked ||
+ (idd->idd_tx_fctl_df(idd->idd_tx_fctl_dh, cookie) == 0)) {
+ DTRACE_PROBE1(ill__tx__not__blocked, boolean,
+ connp->conn_direct_blocked);
+ } else if (idl_txl->txl_cookie != NULL &&
+ idl_txl->txl_cookie != ixa->ixa_cookie) {
+ DTRACE_PROBE2(ill__send__tx__collision, uintptr_t, cookie,
+ uintptr_t, idl_txl->txl_cookie);
+ /* bump kstat for cookie collision */
+ } else {
+ connp->conn_direct_blocked = B_TRUE;
+ idl_txl->txl_cookie = cookie;
+ conn_drain_insert(connp, idl_txl);
+ if (!IPCL_IS_NONSTR(connp))
+ noenable(connp->conn_wq);
+ inserted = B_TRUE;
+ }
+ mutex_exit(&idl_txl->txl_lock);
+ return (inserted);
+}
diff --git a/usr/src/uts/common/inet/ip/ip_dce.c b/usr/src/uts/common/inet/ip/ip_dce.c
new file mode 100644
index 0000000000..839c5ae0d0
--- /dev/null
+++ b/usr/src/uts/common/inet/ip/ip_dce.c
@@ -0,0 +1,873 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#include <sys/types.h>
+#include <sys/stream.h>
+#include <sys/strsun.h>
+#include <sys/zone.h>
+#include <sys/ddi.h>
+#include <sys/sunddi.h>
+#include <sys/cmn_err.h>
+#include <sys/debug.h>
+#include <sys/atomic.h>
+#define _SUN_TPI_VERSION 2
+#include <sys/tihdr.h>
+
+#include <inet/common.h>
+#include <inet/mi.h>
+#include <inet/mib2.h>
+#include <inet/snmpcom.h>
+
+#include <netinet/ip6.h>
+#include <netinet/icmp6.h>
+
+#include <inet/ip.h>
+#include <inet/ip_impl.h>
+#include <inet/ip6.h>
+#include <inet/ip6_asp.h>
+#include <inet/ip_multi.h>
+#include <inet/ip_if.h>
+#include <inet/ip_ire.h>
+#include <inet/ip_ftable.h>
+#include <inet/ip_rts.h>
+#include <inet/ip_ndp.h>
+#include <inet/ipclassifier.h>
+#include <inet/ip_listutils.h>
+
+#include <sys/sunddi.h>
+
+/*
+ * Routines for handling destination cache entries.
+ * There is always one DCEF_DEFAULT for each ip_stack_t created at init time.
+ * That entry holds both the IP ident value and the dce generation number.
+ *
+ * Any time a DCE is changed significantly (different path MTU, but NOT
+ * different ULP info!), the dce_generation number is increased.
+ * Also, when a new DCE is created, the dce_generation number in the default
+ * DCE is bumped. That allows the dce_t information to be cached efficiently
+ * as long as the entity caching the dce_t also caches the dce_generation,
+ * and compares the cached generation to detect any changes.
+ * Furthermore, when a DCE is deleted, if there are any outstanding references
+ * to the DCE it will be marked as condemned. The condemned mark is
+ * a designated generation number which is never otherwise used, hence
+ * the single comparison with the generation number captures that as well.
+ *
+ * An example of code which caches is as follows:
+ *
+ * if (mystruct->my_dce_generation != mystruct->my_dce->dce_generation) {
+ * The DCE has changed
+ * mystruct->my_dce = dce_lookup_pkt(mp, ixa,
+ * &mystruct->my_dce_generation);
+ * Not needed in practice, since we have the default DCE:
+ * if (DCE_IS_CONDEMNED(mystruct->my_dce))
+ * return failure;
+ * }
+ *
+ * Note that for IPv6 link-local addresses we record the ifindex since the
+ * link-locals are not globally unique.
+ */
+
+/*
+ * Hash bucket structure for DCEs
+ */
+typedef struct dcb_s {
+ krwlock_t dcb_lock;
+ uint32_t dcb_cnt;
+ dce_t *dcb_dce;
+} dcb_t;
+
+static void dce_delete_locked(dcb_t *, dce_t *);
+static void dce_make_condemned(dce_t *);
+
+static kmem_cache_t *dce_cache;
+
+
+/* Operates on a uint64_t */
+#define RANDOM_HASH(p) ((p) ^ ((p)>>16) ^ ((p)>>32) ^ ((p)>>48))
+
+/*
+ * Reclaim a fraction of dce's in the dcb.
+ * For now we have a higher probability to delete DCEs without DCE_PMTU.
+ */
+static void
+dcb_reclaim(dcb_t *dcb, ip_stack_t *ipst, uint_t fraction)
+{
+ uint_t fraction_pmtu = fraction*4;
+ uint_t hash;
+ dce_t *dce, *nextdce;
+
+ rw_enter(&dcb->dcb_lock, RW_WRITER);
+ for (dce = dcb->dcb_dce; dce != NULL; dce = nextdce) {
+ nextdce = dce->dce_next;
+ /* Clear DCEF_PMTU if the pmtu is too old */
+ mutex_enter(&dce->dce_lock);
+ if ((dce->dce_flags & DCEF_PMTU) &&
+ TICK_TO_SEC(lbolt64) - dce->dce_last_change_time >
+ ipst->ips_ip_pathmtu_interval) {
+ dce->dce_flags &= ~DCEF_PMTU;
+ mutex_exit(&dce->dce_lock);
+ dce_increment_generation(dce);
+ } else {
+ mutex_exit(&dce->dce_lock);
+ }
+ hash = RANDOM_HASH((uint64_t)(uintptr_t)dce);
+ if (dce->dce_flags & DCEF_PMTU) {
+ if (hash % fraction_pmtu != 0)
+ continue;
+ } else {
+ if (hash % fraction != 0)
+ continue;
+ }
+
+ IP_STAT(ipst, ip_dce_reclaim_deleted);
+ dce_delete_locked(dcb, dce);
+ dce_refrele(dce);
+ }
+ rw_exit(&dcb->dcb_lock);
+}
+
+/*
+ * kmem_cache callback to free up memory.
+ *
+ */
+static void
+ip_dce_reclaim_stack(ip_stack_t *ipst)
+{
+ int i;
+
+ IP_STAT(ipst, ip_dce_reclaim_calls);
+ for (i = 0; i < ipst->ips_dce_hashsize; i++) {
+ dcb_reclaim(&ipst->ips_dce_hash_v4[i], ipst,
+ ipst->ips_ip_dce_reclaim_fraction);
+
+ dcb_reclaim(&ipst->ips_dce_hash_v6[i], ipst,
+ ipst->ips_ip_dce_reclaim_fraction);
+ }
+
+ /*
+ * Walk all CONNs that can have a reference on an ire, nce or dce.
+ * Get them to update any stale references to drop any refholds they
+ * have.
+ */
+ ipcl_walk(conn_ixa_cleanup, (void *)B_FALSE, ipst);
+}
+
+/*
+ * Called by the memory allocator subsystem directly, when the system
+ * is running low on memory.
+ */
+/* ARGSUSED */
+void
+ip_dce_reclaim(void *args)
+{
+ netstack_handle_t nh;
+ netstack_t *ns;
+
+ netstack_next_init(&nh);
+ while ((ns = netstack_next(&nh)) != NULL) {
+ ip_dce_reclaim_stack(ns->netstack_ip);
+ netstack_rele(ns);
+ }
+ netstack_next_fini(&nh);
+}
+
+void
+dce_g_init(void)
+{
+ dce_cache = kmem_cache_create("dce_cache",
+ sizeof (dce_t), 0, NULL, NULL, ip_dce_reclaim, NULL, NULL, 0);
+}
+
+void
+dce_g_destroy(void)
+{
+ kmem_cache_destroy(dce_cache);
+}
+
+
+/*
+ * Allocate a default DCE and a hash table for per-IP address DCEs
+ */
+void
+dce_stack_init(ip_stack_t *ipst)
+{
+ int i;
+
+ ipst->ips_dce_default = kmem_cache_alloc(dce_cache, KM_SLEEP);
+ bzero(ipst->ips_dce_default, sizeof (dce_t));
+ ipst->ips_dce_default->dce_flags = DCEF_DEFAULT;
+ ipst->ips_dce_default->dce_generation = DCE_GENERATION_INITIAL;
+ ipst->ips_dce_default->dce_last_change_time = TICK_TO_SEC(lbolt64);
+ ipst->ips_dce_default->dce_refcnt = 1; /* Should never go away */
+ ipst->ips_dce_default->dce_ipst = ipst;
+
+ /* This must be a power of two since we are using IRE_ADDR_HASH macro */
+ ipst->ips_dce_hashsize = 256;
+ ipst->ips_dce_hash_v4 = kmem_zalloc(ipst->ips_dce_hashsize *
+ sizeof (dcb_t), KM_SLEEP);
+ ipst->ips_dce_hash_v6 = kmem_zalloc(ipst->ips_dce_hashsize *
+ sizeof (dcb_t), KM_SLEEP);
+ for (i = 0; i < ipst->ips_dce_hashsize; i++) {
+ rw_init(&ipst->ips_dce_hash_v4[i].dcb_lock, NULL, RW_DEFAULT,
+ NULL);
+ rw_init(&ipst->ips_dce_hash_v6[i].dcb_lock, NULL, RW_DEFAULT,
+ NULL);
+ }
+}
+
+void
+dce_stack_destroy(ip_stack_t *ipst)
+{
+ int i;
+ for (i = 0; i < ipst->ips_dce_hashsize; i++) {
+ rw_destroy(&ipst->ips_dce_hash_v4[i].dcb_lock);
+ rw_destroy(&ipst->ips_dce_hash_v6[i].dcb_lock);
+ }
+ kmem_free(ipst->ips_dce_hash_v4,
+ ipst->ips_dce_hashsize * sizeof (dcb_t));
+ ipst->ips_dce_hash_v4 = NULL;
+ kmem_free(ipst->ips_dce_hash_v6,
+ ipst->ips_dce_hashsize * sizeof (dcb_t));
+ ipst->ips_dce_hash_v6 = NULL;
+ ipst->ips_dce_hashsize = 0;
+
+ ASSERT(ipst->ips_dce_default->dce_refcnt == 1);
+ kmem_cache_free(dce_cache, ipst->ips_dce_default);
+ ipst->ips_dce_default = NULL;
+}
+
+/* When any DCE is good enough */
+dce_t *
+dce_get_default(ip_stack_t *ipst)
+{
+ dce_t *dce;
+
+ dce = ipst->ips_dce_default;
+ dce_refhold(dce);
+ return (dce);
+}
+
+/*
+ * Generic for IPv4 and IPv6.
+ *
+ * Used by callers that need to cache e.g., the datapath
+ * Returns the generation number in the last argument.
+ */
+dce_t *
+dce_lookup_pkt(mblk_t *mp, ip_xmit_attr_t *ixa, uint_t *generationp)
+{
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ /*
+ * If we have a source route we need to look for the final
+ * destination in the source route option.
+ */
+ ipaddr_t final_dst;
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ final_dst = ip_get_dst(ipha);
+ return (dce_lookup_v4(final_dst, ixa->ixa_ipst, generationp));
+ } else {
+ uint_t ifindex;
+ /*
+ * If we have a routing header we need to look for the final
+ * destination in the routing extension header.
+ */
+ in6_addr_t final_dst;
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+
+ final_dst = ip_get_dst_v6(ip6h, mp, NULL);
+ ifindex = 0;
+ if (IN6_IS_ADDR_LINKSCOPE(&final_dst) && ixa->ixa_nce != NULL) {
+ ifindex = ixa->ixa_nce->nce_common->ncec_ill->
+ ill_phyint->phyint_ifindex;
+ }
+ return (dce_lookup_v6(&final_dst, ifindex, ixa->ixa_ipst,
+ generationp));
+ }
+}
+
+/*
+ * Used by callers that need to cache e.g., the datapath
+ * Returns the generation number in the last argument.
+ */
+dce_t *
+dce_lookup_v4(ipaddr_t dst, ip_stack_t *ipst, uint_t *generationp)
+{
+ uint_t hash;
+ dcb_t *dcb;
+ dce_t *dce;
+
+ /* Set *generationp before dropping the lock(s) that allow additions */
+ if (generationp != NULL)
+ *generationp = ipst->ips_dce_default->dce_generation;
+
+ hash = IRE_ADDR_HASH(dst, ipst->ips_dce_hashsize);
+ dcb = &ipst->ips_dce_hash_v4[hash];
+ rw_enter(&dcb->dcb_lock, RW_READER);
+ for (dce = dcb->dcb_dce; dce != NULL; dce = dce->dce_next) {
+ if (dce->dce_v4addr == dst) {
+ mutex_enter(&dce->dce_lock);
+ if (!DCE_IS_CONDEMNED(dce)) {
+ dce_refhold(dce);
+ if (generationp != NULL)
+ *generationp = dce->dce_generation;
+ mutex_exit(&dce->dce_lock);
+ rw_exit(&dcb->dcb_lock);
+ return (dce);
+ }
+ mutex_exit(&dce->dce_lock);
+ }
+ }
+ rw_exit(&dcb->dcb_lock);
+ /* Not found */
+ dce = ipst->ips_dce_default;
+ dce_refhold(dce);
+ return (dce);
+}
+
+/*
+ * Used by callers that need to cache e.g., the datapath
+ * Returns the generation number in the last argument.
+ * ifindex should only be set for link-locals
+ */
+dce_t *
+dce_lookup_v6(const in6_addr_t *dst, uint_t ifindex, ip_stack_t *ipst,
+ uint_t *generationp)
+{
+ uint_t hash;
+ dcb_t *dcb;
+ dce_t *dce;
+
+ /* Set *generationp before dropping the lock(s) that allow additions */
+ if (generationp != NULL)
+ *generationp = ipst->ips_dce_default->dce_generation;
+
+ hash = IRE_ADDR_HASH_V6(*dst, ipst->ips_dce_hashsize);
+ dcb = &ipst->ips_dce_hash_v6[hash];
+ rw_enter(&dcb->dcb_lock, RW_READER);
+ for (dce = dcb->dcb_dce; dce != NULL; dce = dce->dce_next) {
+ if (IN6_ARE_ADDR_EQUAL(&dce->dce_v6addr, dst) &&
+ dce->dce_ifindex == ifindex) {
+ mutex_enter(&dce->dce_lock);
+ if (!DCE_IS_CONDEMNED(dce)) {
+ dce_refhold(dce);
+ if (generationp != NULL)
+ *generationp = dce->dce_generation;
+ mutex_exit(&dce->dce_lock);
+ rw_exit(&dcb->dcb_lock);
+ return (dce);
+ }
+ mutex_exit(&dce->dce_lock);
+ }
+ }
+ rw_exit(&dcb->dcb_lock);
+ /* Not found */
+ dce = ipst->ips_dce_default;
+ dce_refhold(dce);
+ return (dce);
+}
+
+/*
+ * Atomically looks for a non-default DCE, and if not found tries to create one.
+ * If there is no memory it returns NULL.
+ * When an entry is created we increase the generation number on
+ * the default DCE so that conn_ip_output will detect there is a new DCE.
+ */
+dce_t *
+dce_lookup_and_add_v4(ipaddr_t dst, ip_stack_t *ipst)
+{
+ uint_t hash;
+ dcb_t *dcb;
+ dce_t *dce;
+
+ hash = IRE_ADDR_HASH(dst, ipst->ips_dce_hashsize);
+ dcb = &ipst->ips_dce_hash_v4[hash];
+ rw_enter(&dcb->dcb_lock, RW_WRITER);
+ for (dce = dcb->dcb_dce; dce != NULL; dce = dce->dce_next) {
+ if (dce->dce_v4addr == dst) {
+ mutex_enter(&dce->dce_lock);
+ if (!DCE_IS_CONDEMNED(dce)) {
+ dce_refhold(dce);
+ mutex_exit(&dce->dce_lock);
+ rw_exit(&dcb->dcb_lock);
+ return (dce);
+ }
+ mutex_exit(&dce->dce_lock);
+ }
+ }
+ dce = kmem_cache_alloc(dce_cache, KM_NOSLEEP);
+ if (dce == NULL) {
+ rw_exit(&dcb->dcb_lock);
+ return (NULL);
+ }
+ bzero(dce, sizeof (dce_t));
+ dce->dce_ipst = ipst; /* No netstack_hold */
+ dce->dce_v4addr = dst;
+ dce->dce_generation = DCE_GENERATION_INITIAL;
+ dce->dce_ipversion = IPV4_VERSION;
+ dce->dce_last_change_time = TICK_TO_SEC(lbolt64);
+ dce_refhold(dce); /* For the hash list */
+
+ /* Link into list */
+ if (dcb->dcb_dce != NULL)
+ dcb->dcb_dce->dce_ptpn = &dce->dce_next;
+ dce->dce_next = dcb->dcb_dce;
+ dce->dce_ptpn = &dcb->dcb_dce;
+ dcb->dcb_dce = dce;
+ dce->dce_bucket = dcb;
+ dce_refhold(dce); /* For the caller */
+ rw_exit(&dcb->dcb_lock);
+
+ /* Initialize dce_ident to be different than for the last packet */
+ dce->dce_ident = ipst->ips_dce_default->dce_ident + 1;
+
+ dce_increment_generation(ipst->ips_dce_default);
+ return (dce);
+}
+
+/*
+ * Atomically looks for a non-default DCE, and if not found tries to create one.
+ * If there is no memory it returns NULL.
+ * When an entry is created we increase the generation number on
+ * the default DCE so that conn_ip_output will detect there is a new DCE.
+ * ifindex should only be used with link-local addresses.
+ */
+dce_t *
+dce_lookup_and_add_v6(const in6_addr_t *dst, uint_t ifindex, ip_stack_t *ipst)
+{
+ uint_t hash;
+ dcb_t *dcb;
+ dce_t *dce;
+
+ /* We should not create entries for link-locals w/o an ifindex */
+ ASSERT(!(IN6_IS_ADDR_LINKSCOPE(dst)) || ifindex != 0);
+
+ hash = IRE_ADDR_HASH_V6(*dst, ipst->ips_dce_hashsize);
+ dcb = &ipst->ips_dce_hash_v6[hash];
+ rw_enter(&dcb->dcb_lock, RW_WRITER);
+ for (dce = dcb->dcb_dce; dce != NULL; dce = dce->dce_next) {
+ if (IN6_ARE_ADDR_EQUAL(&dce->dce_v6addr, dst) &&
+ dce->dce_ifindex == ifindex) {
+ mutex_enter(&dce->dce_lock);
+ if (!DCE_IS_CONDEMNED(dce)) {
+ dce_refhold(dce);
+ mutex_exit(&dce->dce_lock);
+ rw_exit(&dcb->dcb_lock);
+ return (dce);
+ }
+ mutex_exit(&dce->dce_lock);
+ }
+ }
+
+ dce = kmem_cache_alloc(dce_cache, KM_NOSLEEP);
+ if (dce == NULL) {
+ rw_exit(&dcb->dcb_lock);
+ return (NULL);
+ }
+ bzero(dce, sizeof (dce_t));
+ dce->dce_ipst = ipst; /* No netstack_hold */
+ dce->dce_v6addr = *dst;
+ dce->dce_ifindex = ifindex;
+ dce->dce_generation = DCE_GENERATION_INITIAL;
+ dce->dce_ipversion = IPV6_VERSION;
+ dce->dce_last_change_time = TICK_TO_SEC(lbolt64);
+ dce_refhold(dce); /* For the hash list */
+
+ /* Link into list */
+ if (dcb->dcb_dce != NULL)
+ dcb->dcb_dce->dce_ptpn = &dce->dce_next;
+ dce->dce_next = dcb->dcb_dce;
+ dce->dce_ptpn = &dcb->dcb_dce;
+ dcb->dcb_dce = dce;
+ dce->dce_bucket = dcb;
+ atomic_add_32(&dcb->dcb_cnt, 1);
+ dce_refhold(dce); /* For the caller */
+ rw_exit(&dcb->dcb_lock);
+
+ /* Initialize dce_ident to be different than for the last packet */
+ dce->dce_ident = ipst->ips_dce_default->dce_ident + 1;
+ dce_increment_generation(ipst->ips_dce_default);
+ return (dce);
+}
+
+/*
+ * Set/update uinfo. Creates a per-destination dce if none exists.
+ *
+ * Note that we do not bump the generation number here.
+ * New connections will find the new uinfo.
+ *
+ * The only use of this (tcp, sctp using iulp_t) is to set rtt+rtt_sd.
+ */
+static void
+dce_setuinfo(dce_t *dce, iulp_t *uinfo)
+{
+ /*
+ * Update the round trip time estimate and/or the max frag size
+ * and/or the slow start threshold.
+ *
+ * We serialize multiple advises using dce_lock.
+ */
+ mutex_enter(&dce->dce_lock);
+ /* Gard against setting to zero */
+ if (uinfo->iulp_rtt != 0) {
+ /*
+ * If there is no old cached values, initialize them
+ * conservatively. Set them to be (1.5 * new value).
+ */
+ if (dce->dce_uinfo.iulp_rtt != 0) {
+ dce->dce_uinfo.iulp_rtt = (dce->dce_uinfo.iulp_rtt +
+ uinfo->iulp_rtt) >> 1;
+ } else {
+ dce->dce_uinfo.iulp_rtt = uinfo->iulp_rtt +
+ (uinfo->iulp_rtt >> 1);
+ }
+ if (dce->dce_uinfo.iulp_rtt_sd != 0) {
+ dce->dce_uinfo.iulp_rtt_sd =
+ (dce->dce_uinfo.iulp_rtt_sd +
+ uinfo->iulp_rtt_sd) >> 1;
+ } else {
+ dce->dce_uinfo.iulp_rtt_sd = uinfo->iulp_rtt_sd +
+ (uinfo->iulp_rtt_sd >> 1);
+ }
+ }
+ if (uinfo->iulp_mtu != 0) {
+ if (dce->dce_flags & DCEF_PMTU) {
+ dce->dce_pmtu = MIN(uinfo->iulp_mtu, dce->dce_pmtu);
+ } else {
+ dce->dce_pmtu = MIN(uinfo->iulp_mtu, IP_MAXPACKET);
+ dce->dce_flags |= DCEF_PMTU;
+ }
+ dce->dce_last_change_time = TICK_TO_SEC(lbolt64);
+ }
+ if (uinfo->iulp_ssthresh != 0) {
+ if (dce->dce_uinfo.iulp_ssthresh != 0)
+ dce->dce_uinfo.iulp_ssthresh =
+ (uinfo->iulp_ssthresh +
+ dce->dce_uinfo.iulp_ssthresh) >> 1;
+ else
+ dce->dce_uinfo.iulp_ssthresh = uinfo->iulp_ssthresh;
+ }
+ /* We have uinfo for sure */
+ dce->dce_flags |= DCEF_UINFO;
+ mutex_exit(&dce->dce_lock);
+}
+
+
+int
+dce_update_uinfo_v4(ipaddr_t dst, iulp_t *uinfo, ip_stack_t *ipst)
+{
+ dce_t *dce;
+
+ dce = dce_lookup_and_add_v4(dst, ipst);
+ if (dce == NULL)
+ return (ENOMEM);
+
+ dce_setuinfo(dce, uinfo);
+ dce_refrele(dce);
+ return (0);
+}
+
+int
+dce_update_uinfo_v6(const in6_addr_t *dst, uint_t ifindex, iulp_t *uinfo,
+ ip_stack_t *ipst)
+{
+ dce_t *dce;
+
+ dce = dce_lookup_and_add_v6(dst, ifindex, ipst);
+ if (dce == NULL)
+ return (ENOMEM);
+
+ dce_setuinfo(dce, uinfo);
+ dce_refrele(dce);
+ return (0);
+}
+
+/* Common routine for IPv4 and IPv6 */
+int
+dce_update_uinfo(const in6_addr_t *dst, uint_t ifindex, iulp_t *uinfo,
+ ip_stack_t *ipst)
+{
+ ipaddr_t dst4;
+
+ if (IN6_IS_ADDR_V4MAPPED_ANY(dst)) {
+ IN6_V4MAPPED_TO_IPADDR(dst, dst4);
+ return (dce_update_uinfo_v4(dst4, uinfo, ipst));
+ } else {
+ return (dce_update_uinfo_v6(dst, ifindex, uinfo, ipst));
+ }
+}
+
+static void
+dce_make_condemned(dce_t *dce)
+{
+ ip_stack_t *ipst = dce->dce_ipst;
+
+ mutex_enter(&dce->dce_lock);
+ ASSERT(!DCE_IS_CONDEMNED(dce));
+ dce->dce_generation = DCE_GENERATION_CONDEMNED;
+ mutex_exit(&dce->dce_lock);
+ /* Count how many condemned dces for kmem_cache callback */
+ atomic_add_32(&ipst->ips_num_dce_condemned, 1);
+}
+
+/*
+ * Increment the generation avoiding the special condemned value
+ */
+void
+dce_increment_generation(dce_t *dce)
+{
+ uint_t generation;
+
+ mutex_enter(&dce->dce_lock);
+ if (!DCE_IS_CONDEMNED(dce)) {
+ generation = dce->dce_generation + 1;
+ if (generation == DCE_GENERATION_CONDEMNED)
+ generation = DCE_GENERATION_INITIAL;
+ ASSERT(generation != DCE_GENERATION_VERIFY);
+ dce->dce_generation = generation;
+ }
+ mutex_exit(&dce->dce_lock);
+}
+
+/*
+ * Increment the generation number on all dces that have a path MTU and
+ * the default DCE. Used when ill_mtu changes.
+ */
+void
+dce_increment_all_generations(boolean_t isv6, ip_stack_t *ipst)
+{
+ int i;
+ dcb_t *dcb;
+ dce_t *dce;
+
+ for (i = 0; i < ipst->ips_dce_hashsize; i++) {
+ if (isv6)
+ dcb = &ipst->ips_dce_hash_v6[i];
+ else
+ dcb = &ipst->ips_dce_hash_v4[i];
+ rw_enter(&dcb->dcb_lock, RW_WRITER);
+ for (dce = dcb->dcb_dce; dce != NULL; dce = dce->dce_next) {
+ if (DCE_IS_CONDEMNED(dce))
+ continue;
+ dce_increment_generation(dce);
+ }
+ rw_exit(&dcb->dcb_lock);
+ }
+ dce_increment_generation(ipst->ips_dce_default);
+}
+
+/*
+ * Caller needs to do a dce_refrele since we can't do the
+ * dce_refrele under dcb_lock.
+ */
+static void
+dce_delete_locked(dcb_t *dcb, dce_t *dce)
+{
+ dce->dce_bucket = NULL;
+ *dce->dce_ptpn = dce->dce_next;
+ if (dce->dce_next != NULL)
+ dce->dce_next->dce_ptpn = dce->dce_ptpn;
+ dce->dce_ptpn = NULL;
+ dce->dce_next = NULL;
+ atomic_add_32(&dcb->dcb_cnt, -1);
+ dce_make_condemned(dce);
+}
+
+static void
+dce_inactive(dce_t *dce)
+{
+ ip_stack_t *ipst = dce->dce_ipst;
+
+ ASSERT(!(dce->dce_flags & DCEF_DEFAULT));
+ ASSERT(dce->dce_ptpn == NULL);
+ ASSERT(dce->dce_bucket == NULL);
+
+ /* Count how many condemned dces for kmem_cache callback */
+ if (DCE_IS_CONDEMNED(dce))
+ atomic_add_32(&ipst->ips_num_dce_condemned, -1);
+
+ kmem_cache_free(dce_cache, dce);
+}
+
+void
+dce_refrele(dce_t *dce)
+{
+ ASSERT(dce->dce_refcnt != 0);
+ if (atomic_add_32_nv(&dce->dce_refcnt, -1) == 0)
+ dce_inactive(dce);
+}
+
+void
+dce_refhold(dce_t *dce)
+{
+ atomic_add_32(&dce->dce_refcnt, 1);
+ ASSERT(dce->dce_refcnt != 0);
+}
+
+/* No tracing support yet hence the same as the above functions */
+void
+dce_refrele_notr(dce_t *dce)
+{
+ ASSERT(dce->dce_refcnt != 0);
+ if (atomic_add_32_nv(&dce->dce_refcnt, -1) == 0)
+ dce_inactive(dce);
+}
+
+void
+dce_refhold_notr(dce_t *dce)
+{
+ atomic_add_32(&dce->dce_refcnt, 1);
+ ASSERT(dce->dce_refcnt != 0);
+}
+
+/* Report both the IPv4 and IPv6 DCEs. */
+mblk_t *
+ip_snmp_get_mib2_ip_dce(queue_t *q, mblk_t *mpctl, ip_stack_t *ipst)
+{
+ struct opthdr *optp;
+ mblk_t *mp2ctl;
+ dest_cache_entry_t dest_cache;
+ mblk_t *mp_tail = NULL;
+ dce_t *dce;
+ dcb_t *dcb;
+ int i;
+ uint64_t current_time;
+
+ current_time = TICK_TO_SEC(lbolt64);
+
+ /*
+ * make a copy of the original message
+ */
+ mp2ctl = copymsg(mpctl);
+
+ /* First we do IPv4 entries */
+ optp = (struct opthdr *)&mpctl->b_rptr[
+ sizeof (struct T_optmgmt_ack)];
+ optp->level = MIB2_IP;
+ optp->name = EXPER_IP_DCE;
+
+ for (i = 0; i < ipst->ips_dce_hashsize; i++) {
+ dcb = &ipst->ips_dce_hash_v4[i];
+ rw_enter(&dcb->dcb_lock, RW_READER);
+ for (dce = dcb->dcb_dce; dce != NULL; dce = dce->dce_next) {
+ dest_cache.DestIpv4Address = dce->dce_v4addr;
+ dest_cache.DestFlags = dce->dce_flags;
+ if (dce->dce_flags & DCEF_PMTU)
+ dest_cache.DestPmtu = dce->dce_pmtu;
+ else
+ dest_cache.DestPmtu = 0;
+ dest_cache.DestIdent = dce->dce_ident;
+ dest_cache.DestIfindex = 0;
+ dest_cache.DestAge = current_time -
+ dce->dce_last_change_time;
+ if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
+ (char *)&dest_cache, (int)sizeof (dest_cache))) {
+ ip1dbg(("ip_snmp_get_mib2_ip_dce: "
+ "failed to allocate %u bytes\n",
+ (uint_t)sizeof (dest_cache)));
+ }
+ }
+ rw_exit(&dcb->dcb_lock);
+ }
+ optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
+ ip3dbg(("ip_snmp_get: level %d, name %d, len %d\n",
+ (int)optp->level, (int)optp->name, (int)optp->len));
+ qreply(q, mpctl);
+
+ if (mp2ctl == NULL) {
+ /* Copymsg failed above */
+ return (NULL);
+ }
+
+ /* Now for IPv6 */
+ mpctl = mp2ctl;
+ mp_tail = NULL;
+ mp2ctl = copymsg(mpctl);
+ optp = (struct opthdr *)&mpctl->b_rptr[
+ sizeof (struct T_optmgmt_ack)];
+ optp->level = MIB2_IP6;
+ optp->name = EXPER_IP_DCE;
+
+ for (i = 0; i < ipst->ips_dce_hashsize; i++) {
+ dcb = &ipst->ips_dce_hash_v6[i];
+ rw_enter(&dcb->dcb_lock, RW_READER);
+ for (dce = dcb->dcb_dce; dce != NULL; dce = dce->dce_next) {
+ dest_cache.DestIpv6Address = dce->dce_v6addr;
+ dest_cache.DestFlags = dce->dce_flags;
+ if (dce->dce_flags & DCEF_PMTU)
+ dest_cache.DestPmtu = dce->dce_pmtu;
+ else
+ dest_cache.DestPmtu = 0;
+ dest_cache.DestIdent = dce->dce_ident;
+ if (IN6_IS_ADDR_LINKSCOPE(&dce->dce_v6addr))
+ dest_cache.DestIfindex = dce->dce_ifindex;
+ else
+ dest_cache.DestIfindex = 0;
+ dest_cache.DestAge = current_time -
+ dce->dce_last_change_time;
+ if (!snmp_append_data2(mpctl->b_cont, &mp_tail,
+ (char *)&dest_cache, (int)sizeof (dest_cache))) {
+ ip1dbg(("ip_snmp_get_mib2_ip_dce: "
+ "failed to allocate %u bytes\n",
+ (uint_t)sizeof (dest_cache)));
+ }
+ }
+ rw_exit(&dcb->dcb_lock);
+ }
+ optp->len = (t_uscalar_t)msgdsize(mpctl->b_cont);
+ ip3dbg(("ip_snmp_get: level %d, name %d, len %d\n",
+ (int)optp->level, (int)optp->name, (int)optp->len));
+ qreply(q, mpctl);
+
+ return (mp2ctl);
+}
+
+/*
+ * Remove IPv6 DCEs which refer to an ifindex that is going away.
+ * This is not required for correctness, but it avoids netstat -d
+ * showing stale stuff that will never be used.
+ */
+void
+dce_cleanup(uint_t ifindex, ip_stack_t *ipst)
+{
+ uint_t i;
+ dcb_t *dcb;
+ dce_t *dce, *nextdce;
+
+ for (i = 0; i < ipst->ips_dce_hashsize; i++) {
+ dcb = &ipst->ips_dce_hash_v6[i];
+ rw_enter(&dcb->dcb_lock, RW_WRITER);
+
+ for (dce = dcb->dcb_dce; dce != NULL; dce = nextdce) {
+ nextdce = dce->dce_next;
+ if (dce->dce_ifindex == ifindex) {
+ dce_delete_locked(dcb, dce);
+ dce_refrele(dce);
+ }
+ }
+ rw_exit(&dcb->dcb_lock);
+ }
+}
diff --git a/usr/src/uts/common/inet/ip/ip_ftable.c b/usr/src/uts/common/inet/ip/ip_ftable.c
index 9e228c2925..771dd9f62f 100644
--- a/usr/src/uts/common/inet/ip/ip_ftable.c
+++ b/usr/src/uts/common/inet/ip/ip_ftable.c
@@ -42,7 +42,6 @@
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/strsubr.h>
-#include <sys/pattr.h>
#include <net/if.h>
#include <net/route.h>
#include <netinet/in.h>
@@ -50,6 +49,7 @@
#include <netinet/ip6.h>
#include <netinet/icmp6.h>
+#include <inet/ipsec_impl.h>
#include <inet/common.h>
#include <inet/mi.h>
#include <inet/mib2.h>
@@ -65,7 +65,6 @@
#include <inet/nd.h>
#include <net/pfkeyv2.h>
-#include <inet/ipsec_info.h>
#include <inet/sadb.h>
#include <inet/tcp.h>
#include <inet/ipclassifier.h>
@@ -78,87 +77,34 @@
(((ire)->ire_type & IRE_DEFAULT) || \
(((ire)->ire_type & IRE_INTERFACE) && ((ire)->ire_addr == 0)))
-/*
- * structure for passing args between ire_ftable_lookup and ire_find_best_route
- */
-typedef struct ire_ftable_args_s {
- ipaddr_t ift_addr;
- ipaddr_t ift_mask;
- ipaddr_t ift_gateway;
- int ift_type;
- const ipif_t *ift_ipif;
- zoneid_t ift_zoneid;
- uint32_t ift_ihandle;
- const ts_label_t *ift_tsl;
- int ift_flags;
- ire_t *ift_best_ire;
-} ire_ftable_args_t;
-
static ire_t *route_to_dst(const struct sockaddr *, zoneid_t, ip_stack_t *);
-static ire_t *ire_round_robin(irb_t *, zoneid_t, ire_ftable_args_t *,
- ip_stack_t *);
-static void ire_del_host_redir(ire_t *, char *);
-static boolean_t ire_find_best_route(struct radix_node *, void *);
-static int ip_send_align_hcksum_flags(mblk_t *, ill_t *);
-static ire_t *ire_ftable_lookup_simple(ipaddr_t,
- ire_t **, zoneid_t, int, ip_stack_t *);
+static void ire_del_host_redir(ire_t *, char *);
+static boolean_t ire_find_best_route(struct radix_node *, void *);
/*
* Lookup a route in forwarding table. A specific lookup is indicated by
* passing the required parameters and indicating the match required in the
* flag field.
*
- * Looking for default route can be done in three ways
- * 1) pass mask as 0 and set MATCH_IRE_MASK in flags field
- * along with other matches.
- * 2) pass type as IRE_DEFAULT and set MATCH_IRE_TYPE in flags
- * field along with other matches.
- * 3) if the destination and mask are passed as zeros.
- *
- * A request to return a default route if no route
- * is found, can be specified by setting MATCH_IRE_DEFAULT
- * in flags.
- *
- * It does not support recursion more than one level. It
- * will do recursive lookup only when the lookup maps to
- * a prefix or default route and MATCH_IRE_RECURSIVE flag is passed.
- *
- * If the routing table is setup to allow more than one level
- * of recursion, the cleaning up cache table will not work resulting
- * in invalid routing.
- *
* Supports IP_BOUND_IF by following the ipif/ill when recursing.
- *
- * NOTE : When this function returns NULL, pire has already been released.
- * pire is valid only when this function successfully returns an
- * ire.
*/
ire_t *
-ire_ftable_lookup(ipaddr_t addr, ipaddr_t mask, ipaddr_t gateway,
- int type, const ipif_t *ipif, ire_t **pire, zoneid_t zoneid,
- uint32_t ihandle, const ts_label_t *tsl, int flags, ip_stack_t *ipst)
+ire_ftable_lookup_v4(ipaddr_t addr, ipaddr_t mask, ipaddr_t gateway,
+ int type, const ill_t *ill, zoneid_t zoneid, const ts_label_t *tsl,
+ int flags, uint32_t xmit_hint, ip_stack_t *ipst, uint_t *generationp)
{
- ire_t *ire = NULL;
- ipaddr_t gw_addr;
+ ire_t *ire;
struct rt_sockaddr rdst, rmask;
struct rt_entry *rt;
ire_ftable_args_t margs;
- boolean_t found_incomplete = B_FALSE;
- ASSERT(ipif == NULL || !ipif->ipif_isv6);
+ ASSERT(ill == NULL || !ill->ill_isv6);
/*
- * When we return NULL from this function, we should make
- * sure that *pire is NULL so that the callers will not
- * wrongly REFRELE the pire.
- */
- if (pire != NULL)
- *pire = NULL;
- /*
- * ire_match_args() will dereference ipif MATCH_IRE_SRC or
- * MATCH_IRE_ILL is set.
+ * ire_match_args() will dereference ill if MATCH_IRE_ILL
+ * is set.
*/
- if ((flags & (MATCH_IRE_SRC | MATCH_IRE_ILL)) && (ipif == NULL))
+ if ((flags & MATCH_IRE_ILL) && (ill == NULL))
return (NULL);
(void) memset(&rdst, 0, sizeof (rdst));
@@ -176,9 +122,8 @@ ire_ftable_lookup(ipaddr_t addr, ipaddr_t mask, ipaddr_t gateway,
margs.ift_mask = mask;
margs.ift_gateway = gateway;
margs.ift_type = type;
- margs.ift_ipif = ipif;
+ margs.ift_ill = ill;
margs.ift_zoneid = zoneid;
- margs.ift_ihandle = ihandle;
margs.ift_tsl = tsl;
margs.ift_flags = flags;
@@ -191,232 +136,93 @@ ire_ftable_lookup(ipaddr_t addr, ipaddr_t mask, ipaddr_t gateway,
* each matching leaf in the radix tree. ire_match_args is
* invoked by the callback function ire_find_best_route()
* We hold the global tree lock in read mode when calling
- * rn_match_args.Before dropping the global tree lock, ensure
+ * rn_match_args. Before dropping the global tree lock, ensure
* that the radix node can't be deleted by incrementing ire_refcnt.
*/
RADIX_NODE_HEAD_RLOCK(ipst->ips_ip_ftable);
rt = (struct rt_entry *)ipst->ips_ip_ftable->rnh_matchaddr_args(&rdst,
ipst->ips_ip_ftable, ire_find_best_route, &margs);
ire = margs.ift_best_ire;
- RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
-
if (rt == NULL) {
+ RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
return (NULL);
- } else {
- ASSERT(ire != NULL);
}
+ ASSERT(ire != NULL);
DTRACE_PROBE2(ire__found, ire_ftable_args_t *, &margs, ire_t *, ire);
- if (!IS_DEFAULT_ROUTE(ire))
- goto found_ire_held;
- /*
- * If default route is found, see if default matching criteria
- * are satisfied.
- */
- if (flags & MATCH_IRE_MASK) {
- /*
- * we were asked to match a 0 mask, and came back with
- * a default route. Ok to return it.
- */
- goto found_default_ire;
- }
- if ((flags & MATCH_IRE_TYPE) &&
- (type & (IRE_DEFAULT | IRE_INTERFACE))) {
- /*
- * we were asked to match a default ire type. Ok to return it.
- */
- goto found_default_ire;
- }
- if (flags & MATCH_IRE_DEFAULT) {
- goto found_default_ire;
- }
- /*
- * we found a default route, but default matching criteria
- * are not specified and we are not explicitly looking for
- * default.
- */
- IRE_REFRELE(ire);
- return (NULL);
-found_default_ire:
/*
* round-robin only if we have more than one route in the bucket.
+ * ips_ip_ecmp_behavior controls when we do ECMP
+ * 2: always
+ * 1: for IRE_DEFAULT and /0 IRE_INTERFACE
+ * 0: never
*/
- if ((ire->ire_bucket->irb_ire_cnt > 1) &&
- IS_DEFAULT_ROUTE(ire) &&
- ((flags & (MATCH_IRE_DEFAULT | MATCH_IRE_MASK)) ==
- MATCH_IRE_DEFAULT)) {
- ire_t *next_ire;
-
- next_ire = ire_round_robin(ire->ire_bucket, zoneid, &margs,
- ipst);
- IRE_REFRELE(ire);
- if (next_ire != NULL) {
+ if (ire->ire_bucket->irb_ire_cnt > 1 && !(flags & MATCH_IRE_GW)) {
+ if (ipst->ips_ip_ecmp_behavior == 2 ||
+ (ipst->ips_ip_ecmp_behavior == 1 &&
+ IS_DEFAULT_ROUTE(ire))) {
+ ire_t *next_ire;
+
+ margs.ift_best_ire = NULL;
+ next_ire = ire_round_robin(ire->ire_bucket, &margs,
+ xmit_hint, ire, ipst);
+ if (next_ire == NULL) {
+ /* keep ire if next_ire is null */
+ goto done;
+ }
+ ire_refrele(ire);
ire = next_ire;
- } else {
- /* no route */
- return (NULL);
}
}
-found_ire_held:
- if ((flags & MATCH_IRE_RJ_BHOLE) &&
- (ire->ire_flags & (RTF_BLACKHOLE | RTF_REJECT))) {
- return (ire);
- }
- /*
- * At this point, IRE that was found must be an IRE_FORWARDTABLE
- * type. If this is a recursive lookup and an IRE_INTERFACE type was
- * found, return that. If it was some other IRE_FORWARDTABLE type of
- * IRE (one of the prefix types), then it is necessary to fill in the
- * parent IRE pointed to by pire, and then lookup the gateway address of
- * the parent. For backwards compatiblity, if this lookup returns an
- * IRE other than a IRE_CACHETABLE or IRE_INTERFACE, then one more level
- * of lookup is done.
- */
- if (flags & MATCH_IRE_RECURSIVE) {
- ipif_t *gw_ipif;
- int match_flags = MATCH_IRE_DSTONLY;
- ire_t *save_ire;
- if (ire->ire_type & IRE_INTERFACE)
- return (ire);
- if (pire != NULL)
- *pire = ire;
- /*
- * If we can't find an IRE_INTERFACE or the caller has not
- * asked for pire, we need to REFRELE the save_ire.
- */
- save_ire = ire;
+done:
+ /* Return generation before dropping lock */
+ if (generationp != NULL)
+ *generationp = ire->ire_generation;
- if (ire->ire_ipif != NULL)
- match_flags |= MATCH_IRE_ILL;
+ RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
- /*
- * ire_ftable_lookup may end up with an incomplete IRE_CACHE
- * entry for the gateway (i.e., one for which the
- * ire_nce->nce_state is not yet ND_REACHABLE). If the caller
- * has specified MATCH_IRE_COMPLETE, such entries will not
- * be returned; instead, we return the IF_RESOLVER ire.
- */
- ire = ire_route_lookup(ire->ire_gateway_addr, 0, 0, 0,
- ire->ire_ipif, NULL, zoneid, tsl, match_flags, ipst);
- DTRACE_PROBE2(ftable__route__lookup1, (ire_t *), ire,
- (ire_t *), save_ire);
- if (ire == NULL ||
- ((ire->ire_type & IRE_CACHE) && ire->ire_nce &&
- ire->ire_nce->nce_state != ND_REACHABLE &&
- (flags & MATCH_IRE_COMPLETE))) {
- /*
- * Do not release the parent ire if MATCH_IRE_PARENT
- * is set. Also return it via ire.
- */
- if (ire != NULL) {
- ire_refrele(ire);
- ire = NULL;
- found_incomplete = B_TRUE;
- }
- if (flags & MATCH_IRE_PARENT) {
- if (pire != NULL) {
- /*
- * Need an extra REFHOLD, if the parent
- * ire is returned via both ire and
- * pire.
- */
- IRE_REFHOLD(save_ire);
- }
- ire = save_ire;
- } else {
- ire_refrele(save_ire);
- if (pire != NULL)
- *pire = NULL;
- }
- if (!found_incomplete)
- return (ire);
- }
- if (ire->ire_type & (IRE_CACHETABLE | IRE_INTERFACE)) {
- /*
- * If the caller did not ask for pire, release
- * it now.
- */
- if (pire == NULL) {
- ire_refrele(save_ire);
- }
- return (ire);
- }
- match_flags |= MATCH_IRE_TYPE;
- gw_addr = ire->ire_gateway_addr;
- gw_ipif = ire->ire_ipif;
- ire_refrele(ire);
- ire = ire_route_lookup(gw_addr, 0, 0,
- (found_incomplete? IRE_INTERFACE :
- (IRE_CACHETABLE | IRE_INTERFACE)),
- gw_ipif, NULL, zoneid, tsl, match_flags, ipst);
- DTRACE_PROBE2(ftable__route__lookup2, (ire_t *), ire,
- (ire_t *), save_ire);
- if (ire == NULL ||
- ((ire->ire_type & IRE_CACHE) && ire->ire_nce &&
- ire->ire_nce->nce_state != ND_REACHABLE &&
- (flags & MATCH_IRE_COMPLETE))) {
- /*
- * Do not release the parent ire if MATCH_IRE_PARENT
- * is set. Also return it via ire.
- */
- if (ire != NULL) {
- ire_refrele(ire);
- ire = NULL;
- }
- if (flags & MATCH_IRE_PARENT) {
- if (pire != NULL) {
- /*
- * Need an extra REFHOLD, if the
- * parent ire is returned via both
- * ire and pire.
- */
- IRE_REFHOLD(save_ire);
- }
- ire = save_ire;
- } else {
- ire_refrele(save_ire);
- if (pire != NULL)
- *pire = NULL;
- }
- return (ire);
- } else if (pire == NULL) {
- /*
- * If the caller did not ask for pire, release
- * it now.
- */
- ire_refrele(save_ire);
- }
- return (ire);
+ /*
+ * For shared-IP zones we need additional checks to what was
+ * done in ire_match_args to make sure IRE_LOCALs are handled.
+ *
+ * When ip_restrict_interzone_loopback is set, then
+ * we ensure that IRE_LOCAL are only used for loopback
+ * between zones when the logical "Ethernet" would
+ * have looped them back. That is, if in the absense of
+ * the IRE_LOCAL we would have sent to packet out the
+ * same ill.
+ */
+ if ((ire->ire_type & IRE_LOCAL) && zoneid != ALL_ZONES &&
+ ire->ire_zoneid != zoneid && ire->ire_zoneid != ALL_ZONES &&
+ ipst->ips_ip_restrict_interzone_loopback) {
+ ire = ire_alt_local(ire, zoneid, tsl, ill, generationp);
+ ASSERT(ire != NULL);
}
- ASSERT(pire == NULL || *pire == NULL);
return (ire);
}
/*
* This function is called by
- * ip_fast_forward->ire_forward_simple
+ * ip_input/ire_route_recursive when doing a route lookup on only the
+ * destination address.
+ *
* The optimizations of this function over ire_ftable_lookup are:
* o removing unnecessary flag matching
* o doing longest prefix match instead of overloading it further
* with the unnecessary "best_prefix_match"
- * o Does not do round robin of default route for every packet
- * o inlines code of ire_ctable_lookup to look for nexthop cache
- * entry before calling ire_route_lookup
+ *
+ * If no route is found we return IRE_NOROUTE.
*/
-static ire_t *
-ire_ftable_lookup_simple(ipaddr_t addr,
- ire_t **pire, zoneid_t zoneid, int flags,
- ip_stack_t *ipst)
+ire_t *
+ire_ftable_lookup_simple_v4(ipaddr_t addr, uint32_t xmit_hint, ip_stack_t *ipst,
+ uint_t *generationp)
{
- ire_t *ire = NULL;
- ire_t *tmp_ire = NULL;
+ ire_t *ire;
struct rt_sockaddr rdst;
struct rt_entry *rt;
- irb_t *irb_ptr;
- ire_t *save_ire;
- int match_flags;
+ irb_t *irb;
rdst.rt_sin_len = sizeof (rdst);
rdst.rt_sin_family = AF_INET;
@@ -430,263 +236,125 @@ ire_ftable_lookup_simple(ipaddr_t addr,
rt = (struct rt_entry *)ipst->ips_ip_ftable->rnh_matchaddr_args(&rdst,
ipst->ips_ip_ftable, NULL, NULL);
- if (rt == NULL) {
- RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
- return (NULL);
- }
- irb_ptr = &rt->rt_irb;
- if (irb_ptr == NULL || irb_ptr->irb_ire_cnt == 0) {
- RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
- return (NULL);
- }
+ if (rt == NULL)
+ goto bad;
- rw_enter(&irb_ptr->irb_lock, RW_READER);
- for (ire = irb_ptr->irb_ire; ire != NULL; ire = ire->ire_next) {
- if (ire->ire_zoneid == zoneid)
- break;
- }
+ irb = &rt->rt_irb;
+ if (irb->irb_ire_cnt == 0)
+ goto bad;
- if (ire == NULL || (ire->ire_marks & IRE_MARK_CONDEMNED)) {
- rw_exit(&irb_ptr->irb_lock);
- RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
- return (NULL);
+ rw_enter(&irb->irb_lock, RW_READER);
+ ire = irb->irb_ire;
+ if (ire == NULL) {
+ rw_exit(&irb->irb_lock);
+ goto bad;
}
- /* we have a ire that matches */
- if (ire != NULL)
- IRE_REFHOLD(ire);
- rw_exit(&irb_ptr->irb_lock);
- RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
-
- if ((flags & MATCH_IRE_RJ_BHOLE) &&
- (ire->ire_flags & (RTF_BLACKHOLE | RTF_REJECT))) {
- return (ire);
+ while (IRE_IS_CONDEMNED(ire)) {
+ ire = ire->ire_next;
+ if (ire == NULL) {
+ rw_exit(&irb->irb_lock);
+ goto bad;
+ }
}
- /*
- * At this point, IRE that was found must be an IRE_FORWARDTABLE
- * type. If this is a recursive lookup and an IRE_INTERFACE type was
- * found, return that. If it was some other IRE_FORWARDTABLE type of
- * IRE (one of the prefix types), then it is necessary to fill in the
- * parent IRE pointed to by pire, and then lookup the gateway address of
- * the parent. For backwards compatiblity, if this lookup returns an
- * IRE other than a IRE_CACHETABLE or IRE_INTERFACE, then one more level
- * of lookup is done.
- */
- match_flags = MATCH_IRE_DSTONLY;
- if (ire->ire_type & IRE_INTERFACE)
- return (ire);
- *pire = ire;
- /*
- * If we can't find an IRE_INTERFACE or the caller has not
- * asked for pire, we need to REFRELE the save_ire.
- */
- save_ire = ire;
+ /* we have a ire that matches */
+ ire_refhold(ire);
+ rw_exit(&irb->irb_lock);
/*
- * Currently MATCH_IRE_ILL is never used with
- * (MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT) while
- * sending out packets as MATCH_IRE_ILL is used only
- * for communicating with on-link hosts. We can't assert
- * that here as RTM_GET calls this function with
- * MATCH_IRE_ILL | MATCH_IRE_DEFAULT | MATCH_IRE_RECURSIVE.
- * We have already used the MATCH_IRE_ILL in determining
- * the right prefix route at this point. To match the
- * behavior of how we locate routes while sending out
- * packets, we don't want to use MATCH_IRE_ILL below
- * while locating the interface route.
+ * round-robin only if we have more than one route in the bucket.
+ * ips_ip_ecmp_behavior controls when we do ECMP
+ * 2: always
+ * 1: for IRE_DEFAULT and /0 IRE_INTERFACE
+ * 0: never
*
- * ire_ftable_lookup may end up with an incomplete IRE_CACHE
- * entry for the gateway (i.e., one for which the
- * ire_nce->nce_state is not yet ND_REACHABLE). If the caller
- * has specified MATCH_IRE_COMPLETE, such entries will not
- * be returned; instead, we return the IF_RESOLVER ire.
+ * Note: if we found an IRE_IF_CLONE we won't look at the bucket with
+ * other ECMP IRE_INTERFACEs since the IRE_IF_CLONE is a /128 match
+ * and the IRE_INTERFACESs are likely to be shorter matches.
*/
-
- if (ire->ire_ipif == NULL) {
- tmp_ire = ire;
- /*
- * Look to see if the nexthop entry is in the cachetable
- */
- ire = ire_cache_lookup(ire->ire_gateway_addr, zoneid, NULL,
- ipst);
- if (ire == NULL) {
- /* Try ire_route_lookup */
- ire = tmp_ire;
- } else {
- goto solved;
- }
- }
- if (ire->ire_ipif != NULL)
- match_flags |= MATCH_IRE_ILL;
-
- ire = ire_route_lookup(ire->ire_gateway_addr, 0,
- 0, 0, ire->ire_ipif, NULL, zoneid, NULL, match_flags, ipst);
-solved:
- DTRACE_PROBE2(ftable__route__lookup1, (ire_t *), ire,
- (ire_t *), save_ire);
- if (ire == NULL) {
- /*
- * Do not release the parent ire if MATCH_IRE_PARENT
- * is set. Also return it via ire.
- */
- ire_refrele(save_ire);
- *pire = NULL;
- return (ire);
- }
- if (ire->ire_type & (IRE_CACHETABLE | IRE_INTERFACE)) {
- /*
- * If the caller did not ask for pire, release
- * it now.
- */
- if (pire == NULL) {
- ire_refrele(save_ire);
+ if (ire->ire_bucket->irb_ire_cnt > 1) {
+ if (ipst->ips_ip_ecmp_behavior == 2 ||
+ (ipst->ips_ip_ecmp_behavior == 1 &&
+ IS_DEFAULT_ROUTE(ire))) {
+ ire_t *next_ire;
+ ire_ftable_args_t margs;
+
+ (void) memset(&margs, 0, sizeof (margs));
+ margs.ift_addr = addr;
+ margs.ift_zoneid = ALL_ZONES;
+
+ next_ire = ire_round_robin(ire->ire_bucket, &margs,
+ xmit_hint, ire, ipst);
+ if (next_ire == NULL) {
+ /* keep ire if next_ire is null */
+ if (generationp != NULL)
+ *generationp = ire->ire_generation;
+ RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
+ return (ire);
+ }
+ ire_refrele(ire);
+ ire = next_ire;
}
}
- return (ire);
-}
-
-/*
- * Find an IRE_OFFSUBNET IRE entry for the multicast address 'group'
- * that goes through 'ipif'. As a fallback, a route that goes through
- * ipif->ipif_ill can be returned.
- */
-ire_t *
-ipif_lookup_multi_ire(ipif_t *ipif, ipaddr_t group)
-{
- ire_t *ire;
- ire_t *save_ire = NULL;
- ire_t *gw_ire;
- irb_t *irb;
- ipaddr_t gw_addr;
- int match_flags = MATCH_IRE_TYPE | MATCH_IRE_ILL;
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
-
- ASSERT(CLASSD(group));
-
- ire = ire_ftable_lookup(group, 0, 0, 0, NULL, NULL, ALL_ZONES, 0,
- NULL, MATCH_IRE_DEFAULT, ipst);
-
- if (ire == NULL)
- return (NULL);
+ /* Return generation before dropping lock */
+ if (generationp != NULL)
+ *generationp = ire->ire_generation;
- irb = ire->ire_bucket;
- ASSERT(irb);
+ RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
- IRB_REFHOLD(irb);
- ire_refrele(ire);
- for (ire = irb->irb_ire; ire != NULL; ire = ire->ire_next) {
- if (ire->ire_addr != group ||
- ipif->ipif_zoneid != ire->ire_zoneid &&
- ire->ire_zoneid != ALL_ZONES) {
- continue;
- }
+ /*
+ * Since we only did ALL_ZONES matches there is no special handling
+ * of IRE_LOCALs needed here. ire_ftable_lookup_v4 has to handle that.
+ */
+ return (ire);
- switch (ire->ire_type) {
- case IRE_DEFAULT:
- case IRE_PREFIX:
- case IRE_HOST:
- gw_addr = ire->ire_gateway_addr;
- gw_ire = ire_ftable_lookup(gw_addr, 0, 0, IRE_INTERFACE,
- ipif, NULL, ALL_ZONES, 0, NULL, match_flags, ipst);
-
- if (gw_ire != NULL) {
- if (save_ire != NULL) {
- ire_refrele(save_ire);
- }
- IRE_REFHOLD(ire);
- if (gw_ire->ire_ipif == ipif) {
- ire_refrele(gw_ire);
-
- IRB_REFRELE(irb);
- return (ire);
- }
- ire_refrele(gw_ire);
- save_ire = ire;
- }
- break;
- case IRE_IF_NORESOLVER:
- case IRE_IF_RESOLVER:
- if (ire->ire_ipif == ipif) {
- if (save_ire != NULL) {
- ire_refrele(save_ire);
- }
- IRE_REFHOLD(ire);
-
- IRB_REFRELE(irb);
- return (ire);
- }
- break;
- }
- }
- IRB_REFRELE(irb);
+bad:
+ if (generationp != NULL)
+ *generationp = IRE_GENERATION_VERIFY;
- return (save_ire);
+ RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
+ return (ire_reject(ipst, B_FALSE));
}
/*
- * Find an IRE_INTERFACE for the multicast group.
+ * Find the ill matching a multicast group.
* Allows different routes for multicast addresses
* in the unicast routing table (akin to 224.0.0.0 but could be more specific)
* which point at different interfaces. This is used when IP_MULTICAST_IF
* isn't specified (when sending) and when IP_ADD_MEMBERSHIP doesn't
* specify the interface to join on.
*
- * Supports IP_BOUND_IF by following the ipif/ill when recursing.
+ * Supports link-local addresses by using ire_route_recursive which follows
+ * the ill when recursing.
+ *
+ * To handle CGTP, since we don't have a separate IRE_MULTICAST for each group
+ * and the MULTIRT property can be different for different groups, we
+ * extract RTF_MULTIRT from the special unicast route added for a group
+ * with CGTP and pass that back in the multirtp argument.
+ * This is used in ip_set_destination etc to set ixa_postfragfn for multicast.
+ * We have a setsrcp argument for the same reason.
*/
-ire_t *
-ire_lookup_multi(ipaddr_t group, zoneid_t zoneid, ip_stack_t *ipst)
+ill_t *
+ire_lookup_multi_ill_v4(ipaddr_t group, zoneid_t zoneid, ip_stack_t *ipst,
+ boolean_t *multirtp, ipaddr_t *setsrcp)
{
ire_t *ire;
- ipif_t *ipif = NULL;
- int match_flags = MATCH_IRE_TYPE;
- ipaddr_t gw_addr;
-
- ire = ire_ftable_lookup(group, 0, 0, 0, NULL, NULL, zoneid,
- 0, NULL, MATCH_IRE_DEFAULT, ipst);
+ ill_t *ill;
- /* We search a resolvable ire in case of multirouting. */
- if ((ire != NULL) && (ire->ire_flags & RTF_MULTIRT)) {
- ire_t *cire = NULL;
- /*
- * If the route is not resolvable, the looked up ire
- * may be changed here. In that case, ire_multirt_lookup()
- * IRE_REFRELE the original ire and change it.
- */
- (void) ire_multirt_lookup(&cire, &ire, MULTIRT_CACHEGW, NULL,
- NULL, ipst);
- if (cire != NULL)
- ire_refrele(cire);
- }
- if (ire == NULL)
- return (NULL);
- /*
- * Make sure we follow ire_ipif.
- *
- * We need to determine the interface route through
- * which the gateway will be reached.
- */
- if (ire->ire_ipif != NULL) {
- ipif = ire->ire_ipif;
- match_flags |= MATCH_IRE_ILL;
- }
-
- switch (ire->ire_type) {
- case IRE_DEFAULT:
- case IRE_PREFIX:
- case IRE_HOST:
- gw_addr = ire->ire_gateway_addr;
- ire_refrele(ire);
- ire = ire_ftable_lookup(gw_addr, 0, 0,
- IRE_INTERFACE, ipif, NULL, zoneid, 0,
- NULL, match_flags, ipst);
- return (ire);
- case IRE_IF_NORESOLVER:
- case IRE_IF_RESOLVER:
- return (ire);
- default:
+ ire = ire_route_recursive_v4(group, 0, NULL, zoneid, NULL,
+ MATCH_IRE_DSTONLY, B_FALSE, 0, ipst, setsrcp, NULL, NULL);
+ ASSERT(ire != NULL);
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
ire_refrele(ire);
return (NULL);
}
+
+ if (multirtp != NULL)
+ *multirtp = (ire->ire_flags & RTF_MULTIRT) != 0;
+
+ ill = ire_nexthop_ill(ire);
+ ire_refrele(ire);
+ return (ill);
}
/*
@@ -701,7 +369,7 @@ ire_del_host_redir(ire_t *ire, char *gateway)
}
/*
- * Search for all HOST REDIRECT routes that are
+ * Search for all IRE_HOST RTF_DYNAMIC (aka redirect) routes that are
* pointing at the specified gateway and
* delete them. This routine is called only
* when a default gateway is going away.
@@ -718,732 +386,6 @@ ire_delete_host_redirects(ipaddr_t gateway, ip_stack_t *ipst)
rtfunc, &rtfarg, irb_refhold_rn, irb_refrele_rn);
}
-struct ihandle_arg {
- uint32_t ihandle;
- ire_t *ire;
-};
-
-static int
-ire_ihandle_onlink_match(struct radix_node *rn, void *arg)
-{
- struct rt_entry *rt;
- irb_t *irb;
- ire_t *ire;
- struct ihandle_arg *ih = arg;
-
- rt = (struct rt_entry *)rn;
- ASSERT(rt != NULL);
- irb = &rt->rt_irb;
- for (ire = irb->irb_ire; ire != NULL; ire = ire->ire_next) {
- if ((ire->ire_type & IRE_INTERFACE) &&
- (ire->ire_ihandle == ih->ihandle)) {
- ih->ire = ire;
- IRE_REFHOLD(ire);
- return (1);
- }
- }
- return (0);
-}
-
-/*
- * Locate the interface ire that is tied to the cache ire 'cire' via
- * cire->ire_ihandle.
- *
- * We are trying to create the cache ire for an onlink destn. or
- * gateway in 'cire'. We are called from ire_add_v4() in the IRE_IF_RESOLVER
- * case, after the ire has come back from ARP.
- */
-ire_t *
-ire_ihandle_lookup_onlink(ire_t *cire)
-{
- ire_t *ire;
- int match_flags;
- struct ihandle_arg ih;
- ip_stack_t *ipst;
-
- ASSERT(cire != NULL);
- ipst = cire->ire_ipst;
-
- /*
- * We don't need to specify the zoneid to ire_ftable_lookup() below
- * because the ihandle refers to an ipif which can be in only one zone.
- */
- match_flags = MATCH_IRE_TYPE | MATCH_IRE_IHANDLE | MATCH_IRE_MASK;
- /*
- * We know that the mask of the interface ire equals cire->ire_cmask.
- * (When ip_newroute() created 'cire' for an on-link destn. it set its
- * cmask from the interface ire's mask)
- */
- ire = ire_ftable_lookup(cire->ire_addr, cire->ire_cmask, 0,
- IRE_INTERFACE, NULL, NULL, ALL_ZONES, cire->ire_ihandle,
- NULL, match_flags, ipst);
- if (ire != NULL)
- return (ire);
- /*
- * If we didn't find an interface ire above, we can't declare failure.
- * For backwards compatibility, we need to support prefix routes
- * pointing to next hop gateways that are not on-link.
- *
- * In the resolver/noresolver case, ip_newroute() thinks it is creating
- * the cache ire for an onlink destination in 'cire'. But 'cire' is
- * not actually onlink, because ire_ftable_lookup() cheated it, by
- * doing ire_route_lookup() twice and returning an interface ire.
- *
- * Eg. default - gw1 (line 1)
- * gw1 - gw2 (line 2)
- * gw2 - hme0 (line 3)
- *
- * In the above example, ip_newroute() tried to create the cache ire
- * 'cire' for gw1, based on the interface route in line 3. The
- * ire_ftable_lookup() above fails, because there is no interface route
- * to reach gw1. (it is gw2). We fall thru below.
- *
- * Do a brute force search based on the ihandle in a subset of the
- * forwarding tables, corresponding to cire->ire_cmask. Otherwise
- * things become very complex, since we don't have 'pire' in this
- * case. (Also note that this method is not possible in the offlink
- * case because we don't know the mask)
- */
- (void) memset(&ih, 0, sizeof (ih));
- ih.ihandle = cire->ire_ihandle;
- (void) ipst->ips_ip_ftable->rnh_walktree_mt(ipst->ips_ip_ftable,
- ire_ihandle_onlink_match, &ih, irb_refhold_rn, irb_refrele_rn);
- return (ih.ire);
-}
-
-/*
- * IRE iterator used by ire_ftable_lookup[_v6]() to process multiple default
- * routes. Given a starting point in the hash list (ire_origin), walk the IREs
- * in the bucket skipping default interface routes and deleted entries.
- * Returns the next IRE (unheld), or NULL when we're back to the starting point.
- * Assumes that the caller holds a reference on the IRE bucket.
- */
-ire_t *
-ire_get_next_default_ire(ire_t *ire, ire_t *ire_origin)
-{
- ASSERT(ire_origin->ire_bucket != NULL);
- ASSERT(ire != NULL);
-
- do {
- ire = ire->ire_next;
- if (ire == NULL)
- ire = ire_origin->ire_bucket->irb_ire;
- if (ire == ire_origin)
- return (NULL);
- } while ((ire->ire_type & IRE_INTERFACE) ||
- (ire->ire_marks & IRE_MARK_CONDEMNED));
- ASSERT(ire != NULL);
- return (ire);
-}
-
-static ipif_t *
-ire_forward_src_ipif(ipaddr_t dst, ire_t *sire, ire_t *ire,
- int zoneid, ushort_t *marks)
-{
- ipif_t *src_ipif;
- ill_t *ill = ire->ire_ipif->ipif_ill;
- ip_stack_t *ipst = ill->ill_ipst;
-
- /*
- * Pick the best source address from ill.
- *
- * 1) Try to pick the source address from the destination
- * route. Clustering assumes that when we have multiple
- * prefixes hosted on an interface, the prefix of the
- * source address matches the prefix of the destination
- * route. We do this only if the address is not
- * DEPRECATED.
- *
- * 2) If the conn is in a different zone than the ire, we
- * need to pick a source address from the right zone.
- */
- if ((sire != NULL) && (sire->ire_flags & RTF_SETSRC)) {
- /*
- * The RTF_SETSRC flag is set in the parent ire (sire).
- * Check that the ipif matching the requested source
- * address still exists.
- */
- src_ipif = ipif_lookup_addr(sire->ire_src_addr, NULL,
- zoneid, NULL, NULL, NULL, NULL, ipst);
- return (src_ipif);
- }
- *marks |= IRE_MARK_USESRC_CHECK;
- if (IS_IPMP(ill) ||
- (ire->ire_ipif->ipif_flags & IPIF_DEPRECATED) ||
- (ill->ill_usesrc_ifindex != 0)) {
- src_ipif = ipif_select_source(ill, dst, zoneid);
- } else {
- src_ipif = ire->ire_ipif;
- ASSERT(src_ipif != NULL);
- /* hold src_ipif for uniformity */
- ipif_refhold(src_ipif);
- }
- return (src_ipif);
-}
-
-/*
- * This function is called by ip_rput_noire() and ip_fast_forward()
- * to resolve the route of incoming packet that needs to be forwarded.
- * If the ire of the nexthop is not already in the cachetable, this
- * routine will insert it to the table, but won't trigger ARP resolution yet.
- * Thus unlike ip_newroute, this function adds incomplete ires to
- * the cachetable. ARP resolution for these ires are delayed until
- * after all of the packet processing is completed and its ready to
- * be sent out on the wire, Eventually, the packet transmit routine
- * ip_xmit_v4() attempts to send a packet to the driver. If it finds
- * that there is no link layer information, it will do the arp
- * resolution and queue the packet in ire->ire_nce->nce_qd_mp and
- * then send it out once the arp resolution is over
- * (see ip_xmit_v4()->ire_arpresolve()). This scheme is similar to
- * the model of BSD/SunOS 4
- *
- * In future, the insertion of incomplete ires in the cachetable should
- * be implemented in hostpath as well, as doing so will greatly reduce
- * the existing complexity for code paths that depend on the context of
- * the sender (such as IPsec).
- *
- * Thus this scheme of adding incomplete ires in cachetable in forwarding
- * path can be used as a template for simplifying the hostpath.
- */
-
-ire_t *
-ire_forward(ipaddr_t dst, enum ire_forward_action *ret_action,
- ire_t *supplied_ire, ire_t *supplied_sire, const struct ts_label_s *tsl,
- ip_stack_t *ipst)
-{
- ipaddr_t gw = 0;
- ire_t *ire = NULL;
- ire_t *sire = NULL, *save_ire;
- ill_t *dst_ill = NULL;
- int error;
- zoneid_t zoneid;
- ipif_t *src_ipif = NULL;
- mblk_t *res_mp;
- ushort_t ire_marks = 0;
- tsol_gcgrp_t *gcgrp = NULL;
- tsol_gcgrp_addr_t ga;
-
- zoneid = GLOBAL_ZONEID;
-
- if (supplied_ire != NULL) {
- /* We have arrived here from ipfil_sendpkt */
- ire = supplied_ire;
- sire = supplied_sire;
- goto create_irecache;
- }
-
- ire = ire_ftable_lookup(dst, 0, 0, 0, NULL, &sire, zoneid, 0,
- tsl, MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT |
- MATCH_IRE_RJ_BHOLE | MATCH_IRE_PARENT|MATCH_IRE_SECATTR, ipst);
-
- if (ire == NULL) {
- ip_rts_change(RTM_MISS, dst, 0, 0, 0, 0, 0, 0, RTA_DST, ipst);
- goto icmp_err_ret;
- }
-
- /*
- * If we encounter CGTP, we should have the caller use
- * ip_newroute to resolve multirt instead of this function.
- * CGTP specs explicitly state that it can't be used with routers.
- * This essentially prevents insertion of incomplete RTF_MULTIRT
- * ires in cachetable.
- */
- if (ipst->ips_ip_cgtp_filter &&
- ((ire->ire_flags & RTF_MULTIRT) ||
- ((sire != NULL) && (sire->ire_flags & RTF_MULTIRT)))) {
- ip3dbg(("ire_forward: packet is to be multirouted- "
- "handing it to ip_newroute\n"));
- if (sire != NULL)
- ire_refrele(sire);
- ire_refrele(ire);
- /*
- * Inform caller about encountering of multirt so that
- * ip_newroute() can be called.
- */
- *ret_action = Forward_check_multirt;
- return (NULL);
- }
-
- /*
- * Verify that the returned IRE does not have either
- * the RTF_REJECT or RTF_BLACKHOLE flags set and that the IRE is
- * either an IRE_CACHE, IRE_IF_NORESOLVER or IRE_IF_RESOLVER.
- */
- if ((ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE)) ||
- (ire->ire_type & (IRE_CACHE | IRE_INTERFACE)) == 0) {
- ip3dbg(("ire 0x%p is not cache/resolver/noresolver\n",
- (void *)ire));
- goto icmp_err_ret;
- }
-
- /*
- * If we already have a fully resolved IRE CACHE of the
- * nexthop router, just hand over the cache entry
- * and we are done.
- */
-
- if (ire->ire_type & IRE_CACHE) {
-
- /*
- * If we are using this ire cache entry as a
- * gateway to forward packets, chances are we
- * will be using it again. So turn off
- * the temporary flag, thus reducing its
- * chances of getting deleted frequently.
- */
- if (ire->ire_marks & IRE_MARK_TEMPORARY) {
- irb_t *irb = ire->ire_bucket;
- rw_enter(&irb->irb_lock, RW_WRITER);
- /*
- * We need to recheck for IRE_MARK_TEMPORARY after
- * acquiring the lock in order to guarantee
- * irb_tmp_ire_cnt
- */
- if (ire->ire_marks & IRE_MARK_TEMPORARY) {
- ire->ire_marks &= ~IRE_MARK_TEMPORARY;
- irb->irb_tmp_ire_cnt--;
- }
- rw_exit(&irb->irb_lock);
- }
-
- if (sire != NULL) {
- UPDATE_OB_PKT_COUNT(sire);
- sire->ire_last_used_time = lbolt;
- ire_refrele(sire);
- }
- *ret_action = Forward_ok;
- return (ire);
- }
-create_irecache:
- /*
- * Increment the ire_ob_pkt_count field for ire if it is an
- * INTERFACE (IF_RESOLVER or IF_NORESOLVER) IRE type, and
- * increment the same for the parent IRE, sire, if it is some
- * sort of prefix IRE (which includes DEFAULT, PREFIX, and HOST).
- */
- if ((ire->ire_type & IRE_INTERFACE) != 0) {
- UPDATE_OB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- }
-
- /*
- * sire must be either IRE_CACHETABLE OR IRE_INTERFACE type
- */
- if (sire != NULL) {
- gw = sire->ire_gateway_addr;
- ASSERT((sire->ire_type &
- (IRE_CACHETABLE | IRE_INTERFACE)) == 0);
- UPDATE_OB_PKT_COUNT(sire);
- sire->ire_last_used_time = lbolt;
- }
-
- dst_ill = ire->ire_ipif->ipif_ill;
- if (IS_IPMP(dst_ill))
- dst_ill = ipmp_illgrp_hold_next_ill(dst_ill->ill_grp);
- else
- ill_refhold(dst_ill);
-
- if (dst_ill == NULL) {
- ip2dbg(("ire_forward no dst ill; ire 0x%p\n", (void *)ire));
- goto icmp_err_ret;
- }
-
- ASSERT(src_ipif == NULL);
- /* Now obtain the src_ipif */
- src_ipif = ire_forward_src_ipif(dst, sire, ire, zoneid, &ire_marks);
- if (src_ipif == NULL)
- goto icmp_err_ret;
-
- switch (ire->ire_type) {
- case IRE_IF_NORESOLVER:
- /* create ire_cache for ire_addr endpoint */
- if (dst_ill->ill_resolver_mp == NULL) {
- ip1dbg(("ire_forward: dst_ill %p "
- "for IRE_IF_NORESOLVER ire %p has "
- "no ill_resolver_mp\n",
- (void *)dst_ill, (void *)ire));
- goto icmp_err_ret;
- }
- /* FALLTHRU */
- case IRE_IF_RESOLVER:
- /*
- * We have the IRE_IF_RESOLVER of the nexthop gateway
- * and now need to build a IRE_CACHE for it.
- * In this case, we have the following :
- *
- * 1) src_ipif - used for getting a source address.
- *
- * 2) dst_ill - from which we derive ire_stq/ire_rfq. This
- * means packets using the IRE_CACHE that we will build
- * here will go out on dst_ill.
- *
- * 3) sire may or may not be NULL. But, the IRE_CACHE that is
- * to be created will only be tied to the IRE_INTERFACE
- * that was derived from the ire_ihandle field.
- *
- * If sire is non-NULL, it means the destination is
- * off-link and we will first create the IRE_CACHE for the
- * gateway.
- */
- res_mp = dst_ill->ill_resolver_mp;
- if (ire->ire_type == IRE_IF_RESOLVER &&
- (!OK_RESOLVER_MP(res_mp))) {
- goto icmp_err_ret;
- }
- /*
- * To be at this point in the code with a non-zero gw
- * means that dst is reachable through a gateway that
- * we have never resolved. By changing dst to the gw
- * addr we resolve the gateway first.
- */
- if (gw != INADDR_ANY) {
- /*
- * The source ipif that was determined above was
- * relative to the destination address, not the
- * gateway's. If src_ipif was not taken out of
- * the IRE_IF_RESOLVER entry, we'll need to call
- * ipif_select_source() again.
- */
- if (src_ipif != ire->ire_ipif) {
- ipif_refrele(src_ipif);
- src_ipif = ipif_select_source(dst_ill,
- gw, zoneid);
- if (src_ipif == NULL)
- goto icmp_err_ret;
- }
- dst = gw;
- gw = INADDR_ANY;
- }
- /*
- * dst has been set to the address of the nexthop.
- *
- * TSol note: get security attributes of the nexthop;
- * Note that the nexthop may either be a gateway, or the
- * packet destination itself; Detailed explanation of
- * issues involved is provided in the IRE_IF_NORESOLVER
- * logic in ip_newroute().
- */
- ga.ga_af = AF_INET;
- IN6_IPADDR_TO_V4MAPPED(dst, &ga.ga_addr);
- gcgrp = gcgrp_lookup(&ga, B_FALSE);
-
- if (ire->ire_type == IRE_IF_NORESOLVER)
- dst = ire->ire_addr; /* ire_cache for tunnel endpoint */
-
- save_ire = ire;
- /*
- * create an incomplete IRE_CACHE.
- * An areq_mp will be generated in ire_arpresolve() for
- * RESOLVER interfaces.
- */
- ire = ire_create(
- (uchar_t *)&dst, /* dest address */
- (uchar_t *)&ip_g_all_ones, /* mask */
- (uchar_t *)&src_ipif->ipif_src_addr, /* src addr */
- (uchar_t *)&gw, /* gateway address */
- (save_ire->ire_type == IRE_IF_RESOLVER ? NULL:
- &save_ire->ire_max_frag),
- NULL,
- dst_ill->ill_rq, /* recv-from queue */
- dst_ill->ill_wq, /* send-to queue */
- IRE_CACHE, /* IRE type */
- src_ipif,
- ire->ire_mask, /* Parent mask */
- 0,
- ire->ire_ihandle, /* Interface handle */
- 0,
- &(ire->ire_uinfo),
- NULL,
- gcgrp,
- ipst);
- ip1dbg(("incomplete ire_cache 0x%p\n", (void *)ire));
- if (ire != NULL) {
- gcgrp = NULL; /* reference now held by IRE */
- ire->ire_marks |= ire_marks;
- /* add the incomplete ire: */
- error = ire_add(&ire, NULL, NULL, NULL, B_TRUE);
- if (error == 0 && ire != NULL) {
- ire->ire_max_frag = save_ire->ire_max_frag;
- ip1dbg(("setting max_frag to %d in ire 0x%p\n",
- ire->ire_max_frag, (void *)ire));
- } else {
- ire_refrele(save_ire);
- goto icmp_err_ret;
- }
- } else {
- if (gcgrp != NULL) {
- GCGRP_REFRELE(gcgrp);
- gcgrp = NULL;
- }
- }
-
- ire_refrele(save_ire);
- break;
- default:
- break;
- }
-
- *ret_action = Forward_ok;
- if (sire != NULL)
- ire_refrele(sire);
- if (dst_ill != NULL)
- ill_refrele(dst_ill);
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
- return (ire);
-icmp_err_ret:
- *ret_action = Forward_ret_icmp_err;
- if (sire != NULL)
- ire_refrele(sire);
- if (dst_ill != NULL)
- ill_refrele(dst_ill);
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
- if (ire != NULL) {
- if (ire->ire_flags & RTF_BLACKHOLE)
- *ret_action = Forward_blackhole;
- ire_refrele(ire);
- }
- return (NULL);
-}
-
-/*
- * Since caller is ip_fast_forward, there is no CGTP or Tsol test
- * Also we dont call ftable lookup with MATCH_IRE_PARENT
- */
-
-ire_t *
-ire_forward_simple(ipaddr_t dst, enum ire_forward_action *ret_action,
- ip_stack_t *ipst)
-{
- ipaddr_t gw = 0;
- ire_t *ire = NULL;
- ire_t *sire = NULL, *save_ire;
- ill_t *dst_ill = NULL;
- int error;
- zoneid_t zoneid = GLOBAL_ZONEID;
- ipif_t *src_ipif = NULL;
- mblk_t *res_mp;
- ushort_t ire_marks = 0;
-
- ire = ire_ftable_lookup_simple(dst, &sire, zoneid,
- MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT | MATCH_IRE_RJ_BHOLE, ipst);
- if (ire == NULL) {
- ip_rts_change(RTM_MISS, dst, 0, 0, 0, 0, 0, 0, RTA_DST, ipst);
- goto icmp_err_ret;
- }
-
- /*
- * Verify that the returned IRE does not have either
- * the RTF_REJECT or RTF_BLACKHOLE flags set and that the IRE is
- * either an IRE_CACHE, IRE_IF_NORESOLVER or IRE_IF_RESOLVER.
- */
- if ((ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE)) ||
- ((ire->ire_type & (IRE_CACHE | IRE_INTERFACE)) == 0)) {
- ip3dbg(("ire 0x%p is not cache/resolver/noresolver\n",
- (void *)ire));
- goto icmp_err_ret;
- }
-
- /*
- * If we already have a fully resolved IRE CACHE of the
- * nexthop router, just hand over the cache entry
- * and we are done.
- */
- if (ire->ire_type & IRE_CACHE) {
- /*
- * If we are using this ire cache entry as a
- * gateway to forward packets, chances are we
- * will be using it again. So turn off
- * the temporary flag, thus reducing its
- * chances of getting deleted frequently.
- */
- if (ire->ire_marks & IRE_MARK_TEMPORARY) {
- irb_t *irb = ire->ire_bucket;
- rw_enter(&irb->irb_lock, RW_WRITER);
- ire->ire_marks &= ~IRE_MARK_TEMPORARY;
- irb->irb_tmp_ire_cnt--;
- rw_exit(&irb->irb_lock);
- }
-
- if (sire != NULL) {
- UPDATE_OB_PKT_COUNT(sire);
- ire_refrele(sire);
- }
- *ret_action = Forward_ok;
- return (ire);
- }
- /*
- * Increment the ire_ob_pkt_count field for ire if it is an
- * INTERFACE (IF_RESOLVER or IF_NORESOLVER) IRE type, and
- * increment the same for the parent IRE, sire, if it is some
- * sort of prefix IRE (which includes DEFAULT, PREFIX, and HOST).
- */
- if ((ire->ire_type & IRE_INTERFACE) != 0) {
- UPDATE_OB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- }
-
- /*
- * sire must be either IRE_CACHETABLE OR IRE_INTERFACE type
- */
- if (sire != NULL) {
- gw = sire->ire_gateway_addr;
- ASSERT((sire->ire_type &
- (IRE_CACHETABLE | IRE_INTERFACE)) == 0);
- UPDATE_OB_PKT_COUNT(sire);
- }
-
- dst_ill = ire->ire_ipif->ipif_ill;
- if (IS_IPMP(dst_ill))
- dst_ill = ipmp_illgrp_hold_next_ill(dst_ill->ill_grp);
- else
- ill_refhold(dst_ill); /* for symmetry */
-
- if (dst_ill == NULL) {
- ip2dbg(("ire_forward_simple: no dst ill; ire 0x%p\n",
- (void *)ire));
- goto icmp_err_ret;
- }
-
- ASSERT(src_ipif == NULL);
- /* Now obtain the src_ipif */
- src_ipif = ire_forward_src_ipif(dst, sire, ire, zoneid, &ire_marks);
- if (src_ipif == NULL)
- goto icmp_err_ret;
-
- switch (ire->ire_type) {
- case IRE_IF_NORESOLVER:
- /* create ire_cache for ire_addr endpoint */
- case IRE_IF_RESOLVER:
- /*
- * We have the IRE_IF_RESOLVER of the nexthop gateway
- * and now need to build a IRE_CACHE for it.
- * In this case, we have the following :
- *
- * 1) src_ipif - used for getting a source address.
- *
- * 2) dst_ill - from which we derive ire_stq/ire_rfq. This
- * means packets using the IRE_CACHE that we will build
- * here will go out on dst_ill.
- *
- * 3) sire may or may not be NULL. But, the IRE_CACHE that is
- * to be created will only be tied to the IRE_INTERFACE
- * that was derived from the ire_ihandle field.
- *
- * If sire is non-NULL, it means the destination is
- * off-link and we will first create the IRE_CACHE for the
- * gateway.
- */
- res_mp = dst_ill->ill_resolver_mp;
- if (ire->ire_type == IRE_IF_RESOLVER &&
- (!OK_RESOLVER_MP(res_mp))) {
- ire_refrele(ire);
- ire = NULL;
- goto out;
- }
- /*
- * To be at this point in the code with a non-zero gw
- * means that dst is reachable through a gateway that
- * we have never resolved. By changing dst to the gw
- * addr we resolve the gateway first.
- */
- if (gw != INADDR_ANY) {
- /*
- * The source ipif that was determined above was
- * relative to the destination address, not the
- * gateway's. If src_ipif was not taken out of
- * the IRE_IF_RESOLVER entry, we'll need to call
- * ipif_select_source() again.
- */
- if (src_ipif != ire->ire_ipif) {
- ipif_refrele(src_ipif);
- src_ipif = ipif_select_source(dst_ill,
- gw, zoneid);
- if (src_ipif == NULL)
- goto icmp_err_ret;
- }
- dst = gw;
- gw = INADDR_ANY;
- }
-
- if (ire->ire_type == IRE_IF_NORESOLVER)
- dst = ire->ire_addr; /* ire_cache for tunnel endpoint */
-
- save_ire = ire;
- /*
- * create an incomplete IRE_CACHE.
- * An areq_mp will be generated in ire_arpresolve() for
- * RESOLVER interfaces.
- */
- ire = ire_create(
- (uchar_t *)&dst, /* dest address */
- (uchar_t *)&ip_g_all_ones, /* mask */
- (uchar_t *)&src_ipif->ipif_src_addr, /* src addr */
- (uchar_t *)&gw, /* gateway address */
- (save_ire->ire_type == IRE_IF_RESOLVER ? NULL:
- &save_ire->ire_max_frag),
- NULL,
- dst_ill->ill_rq, /* recv-from queue */
- dst_ill->ill_wq, /* send-to queue */
- IRE_CACHE, /* IRE type */
- src_ipif,
- ire->ire_mask, /* Parent mask */
- 0,
- ire->ire_ihandle, /* Interface handle */
- 0,
- &(ire->ire_uinfo),
- NULL,
- NULL,
- ipst);
- ip1dbg(("incomplete ire_cache 0x%p\n", (void *)ire));
- if (ire != NULL) {
- ire->ire_marks |= ire_marks;
- /* add the incomplete ire: */
- error = ire_add(&ire, NULL, NULL, NULL, B_TRUE);
- if (error == 0 && ire != NULL) {
- ire->ire_max_frag = save_ire->ire_max_frag;
- ip1dbg(("setting max_frag to %d in ire 0x%p\n",
- ire->ire_max_frag, (void *)ire));
- } else {
- ire_refrele(save_ire);
- goto icmp_err_ret;
- }
- }
-
- ire_refrele(save_ire);
- break;
- default:
- break;
- }
-
-out:
- *ret_action = Forward_ok;
- if (sire != NULL)
- ire_refrele(sire);
- if (dst_ill != NULL)
- ill_refrele(dst_ill);
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
- return (ire);
-icmp_err_ret:
- *ret_action = Forward_ret_icmp_err;
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
- if (dst_ill != NULL)
- ill_refrele(dst_ill);
- if (sire != NULL)
- ire_refrele(sire);
- if (ire != NULL) {
- if (ire->ire_flags & RTF_BLACKHOLE)
- *ret_action = Forward_blackhole;
- ire_refrele(ire);
- }
- /* caller needs to send icmp error message */
- return (NULL);
-
-}
-
/*
* Obtain the rt_entry and rt_irb for the route to be added to
* the ips_ip_ftable.
@@ -1489,7 +431,7 @@ ire_get_bucket(ire_t *ire)
rt->rt_nodes->rn_key = (char *)&rt->rt_dst;
rt->rt_dst = rdst;
irb = &rt->rt_irb;
- irb->irb_marks |= IRB_MARK_FTABLE; /* dynamically allocated/freed */
+ irb->irb_marks |= IRB_MARK_DYNAMIC; /* dynamically allocated/freed */
irb->irb_ipst = ipst;
rw_init(&irb->irb_lock, NULL, RW_DEFAULT, NULL);
RADIX_NODE_HEAD_WLOCK(ipst->ips_ip_ftable);
@@ -1510,7 +452,7 @@ ire_get_bucket(ire_t *ire)
}
if (rt != NULL) {
irb = &rt->rt_irb;
- IRB_REFHOLD(irb);
+ irb_refhold(irb);
}
RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
return (irb);
@@ -1551,10 +493,12 @@ ifindex_lookup(const struct sockaddr *ipaddr, zoneid_t zoneid)
ASSERT(ipaddr->sa_family == AF_INET || ipaddr->sa_family == AF_INET6);
- if ((ire = route_to_dst(ipaddr, zoneid, ipst)) != NULL) {
- ill = ire_to_ill(ire);
- if (ill != NULL)
+ if ((ire = route_to_dst(ipaddr, zoneid, ipst)) != NULL) {
+ ill = ire_nexthop_ill(ire);
+ if (ill != NULL) {
ifindex = ill->ill_phyint->phyint_ifindex;
+ ill_refrele(ill);
+ }
ire_refrele(ire);
}
netstack_rele(ns);
@@ -1563,7 +507,7 @@ ifindex_lookup(const struct sockaddr *ipaddr, zoneid_t zoneid)
/*
* Routine to find the route to a destination. If a ifindex is supplied
- * it tries to match the the route to the corresponding ipif for the ifindex
+ * it tries to match the route to the corresponding ipif for the ifindex
*/
static ire_t *
route_to_dst(const struct sockaddr *dst_addr, zoneid_t zoneid, ip_stack_t *ipst)
@@ -1571,27 +515,33 @@ route_to_dst(const struct sockaddr *dst_addr, zoneid_t zoneid, ip_stack_t *ipst)
ire_t *ire = NULL;
int match_flags;
- match_flags = (MATCH_IRE_DSTONLY | MATCH_IRE_DEFAULT |
- MATCH_IRE_RECURSIVE | MATCH_IRE_RJ_BHOLE);
+ match_flags = MATCH_IRE_DSTONLY;
/* XXX pass NULL tsl for now */
if (dst_addr->sa_family == AF_INET) {
- ire = ire_route_lookup(
- ((struct sockaddr_in *)dst_addr)->sin_addr.s_addr,
- 0, 0, 0, NULL, NULL, zoneid, NULL, match_flags, ipst);
+ ire = ire_route_recursive_v4(
+ ((struct sockaddr_in *)dst_addr)->sin_addr.s_addr, 0, NULL,
+ zoneid, NULL, match_flags, B_TRUE, 0, ipst, NULL, NULL,
+ NULL);
} else {
- ire = ire_route_lookup_v6(
- &((struct sockaddr_in6 *)dst_addr)->sin6_addr,
- 0, 0, 0, NULL, NULL, zoneid, NULL, match_flags, ipst);
+ ire = ire_route_recursive_v6(
+ &((struct sockaddr_in6 *)dst_addr)->sin6_addr, 0, NULL,
+ zoneid, NULL, match_flags, B_TRUE, 0, ipst, NULL, NULL,
+ NULL);
+ }
+ ASSERT(ire != NULL);
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ ire_refrele(ire);
+ return (NULL);
}
return (ire);
}
/*
* This routine is called by IP Filter to send a packet out on the wire
- * to a specified V4 dst (which may be onlink or offlink). The ifindex may or
- * may not be 0. A non-null ifindex indicates IP Filter has stipulated
+ * to a specified dstination (which may be onlink or offlink). The ifindex may
+ * or may not be 0. A non-null ifindex indicates IP Filter has stipulated
* an outgoing interface and requires the nexthop to be on that interface.
* IP WILL NOT DO the following to the data packet before sending it out:
* a. manipulate ttl
@@ -1611,21 +561,18 @@ route_to_dst(const struct sockaddr *dst_addr, zoneid_t zoneid, ip_stack_t *ipst)
* of the offlink dst's nexthop needs to get
* resolved before packet can be sent to dst.
* Thus transmission is not guaranteed.
- *
+ * Note: No longer have visibility to the ARP queue
+ * hence no EINPROGRESS.
*/
-
int
ipfil_sendpkt(const struct sockaddr *dst_addr, mblk_t *mp, uint_t ifindex,
zoneid_t zoneid)
{
- ire_t *ire = NULL, *sire = NULL;
- ire_t *ire_cache = NULL;
- int value;
- int match_flags;
- ipaddr_t dst;
+ ipaddr_t nexthop;
netstack_t *ns;
ip_stack_t *ipst;
- enum ire_forward_action ret_action;
+ ip_xmit_attr_t ixas;
+ int error;
ASSERT(mp != NULL);
@@ -1646,429 +593,57 @@ ipfil_sendpkt(const struct sockaddr *dst_addr, mblk_t *mp, uint_t ifindex,
ASSERT(dst_addr->sa_family == AF_INET ||
dst_addr->sa_family == AF_INET6);
- if (dst_addr->sa_family == AF_INET) {
- dst = ((struct sockaddr_in *)dst_addr)->sin_addr.s_addr;
- } else {
- /*
- * We dont have support for V6 yet. It will be provided
- * once RFE 6399103 has been delivered.
- * Until then, for V6 dsts, IP Filter will not call
- * this function. Instead the netinfo framework provides
- * its own code path, in ip_inject_impl(), to achieve
- * what it needs to do, for the time being.
- */
- ip1dbg(("ipfil_sendpkt: no V6 support \n"));
- value = ECOMM;
- freemsg(mp);
- goto discard;
- }
-
- /*
- * Lets get the ire. We might get the ire cache entry,
- * or the ire,sire pair needed to create the cache entry.
- * XXX pass NULL tsl for now.
- */
-
- if (ifindex == 0) {
- /* There is no supplied index. So use the FIB info */
-
- match_flags = (MATCH_IRE_DSTONLY | MATCH_IRE_DEFAULT |
- MATCH_IRE_RECURSIVE | MATCH_IRE_RJ_BHOLE);
- ire = ire_route_lookup(dst,
- 0, 0, 0, NULL, &sire, zoneid, msg_getlabel(mp),
- match_flags, ipst);
- } else {
- ipif_t *supplied_ipif;
- ill_t *ill;
-
- match_flags = (MATCH_IRE_DSTONLY | MATCH_IRE_DEFAULT |
- MATCH_IRE_RECURSIVE| MATCH_IRE_RJ_BHOLE|
- MATCH_IRE_SECATTR | MATCH_IRE_ILL);
-
- /*
- * If supplied ifindex is non-null, the only valid
- * nexthop is one off of the interface corresponding
- * to the specified ifindex.
- */
- ill = ill_lookup_on_ifindex(ifindex, B_FALSE,
- NULL, NULL, NULL, NULL, ipst);
- if (ill == NULL) {
- ip1dbg(("ipfil_sendpkt: Could not find"
- " route to dst\n"));
- value = ECOMM;
- freemsg(mp);
- goto discard;
- }
-
- supplied_ipif = ipif_get_next_ipif(NULL, ill);
- ire = ire_route_lookup(dst, 0, 0, 0, supplied_ipif,
- &sire, zoneid, msg_getlabel(mp), match_flags, ipst);
- if (supplied_ipif != NULL)
- ipif_refrele(supplied_ipif);
- ill_refrele(ill);
- }
-
+ bzero(&ixas, sizeof (ixas));
/*
- * Verify that the returned IRE is non-null and does
- * not have either the RTF_REJECT or RTF_BLACKHOLE
- * flags set and that the IRE is either an IRE_CACHE,
- * IRE_IF_NORESOLVER or IRE_IF_RESOLVER.
+ * No IPsec, no fragmentation, and don't let any hooks see
+ * the packet.
*/
- if (ire == NULL ||
- ((ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE)) ||
- (ire->ire_type & (IRE_CACHE | IRE_INTERFACE)) == 0)) {
- /*
- * Either ire could not be found or we got
- * an invalid one
- */
- ip1dbg(("ipfil_sendpkt: Could not find route to dst\n"));
- value = ENONET;
- freemsg(mp);
- goto discard;
- }
-
- /* IP Filter and CGTP dont mix. So bail out if CGTP is on */
- if (ipst->ips_ip_cgtp_filter &&
- ((ire->ire_flags & RTF_MULTIRT) ||
- ((sire != NULL) && (sire->ire_flags & RTF_MULTIRT)))) {
- ip1dbg(("ipfil_sendpkt: IPFilter does not work with CGTP\n"));
- value = ECOMM;
- freemsg(mp);
- goto discard;
- }
+ ixas.ixa_flags = IXAF_NO_IPSEC | IXAF_DONTFRAG | IXAF_NO_PFHOOK;
+ ixas.ixa_cred = kcred;
+ ixas.ixa_cpid = NOPID;
+ ixas.ixa_tsl = NULL;
+ ixas.ixa_ipst = ipst;
+ ixas.ixa_ifindex = ifindex;
- ASSERT(ire->ire_type != IRE_CACHE || ire->ire_nce != NULL);
-
- /*
- * If needed, we will create the ire cache entry for the
- * nexthop, resolve its link-layer address and then send
- * the packet out without ttl or IPSec processing.
- */
- switch (ire->ire_type) {
- case IRE_CACHE:
- if (sire != NULL) {
- UPDATE_OB_PKT_COUNT(sire);
- sire->ire_last_used_time = lbolt;
- ire_refrele(sire);
- }
- ire_cache = ire;
- break;
- case IRE_IF_NORESOLVER:
- case IRE_IF_RESOLVER:
- /*
- * Call ire_forward(). This function
- * will, create the ire cache entry of the
- * the nexthop and adds this incomplete ire
- * to the ire cache table
- */
- ire_cache = ire_forward(dst, &ret_action, ire, sire,
- msg_getlabel(mp), ipst);
- if (ire_cache == NULL) {
- ip1dbg(("ipfil_sendpkt: failed to create the"
- " ire cache entry \n"));
- value = ENONET;
- freemsg(mp);
- sire = NULL;
- ire = NULL;
- goto discard;
- }
- break;
- }
-
- if (DB_CKSUMFLAGS(mp)) {
- if (ip_send_align_hcksum_flags(mp, ire_to_ill(ire_cache)))
- goto cleanup;
- }
-
- /*
- * Now that we have the ire cache entry of the nexthop, call
- * ip_xmit_v4() to trigger mac addr resolution
- * if necessary and send it once ready.
- */
-
- value = ip_xmit_v4(mp, ire_cache, NULL, B_FALSE, NULL);
-cleanup:
- ire_refrele(ire_cache);
- /*
- * At this point, the reference for these have already been
- * released within ire_forward() and/or ip_xmit_v4(). So we set
- * them to NULL to make sure we dont drop the references
- * again in case ip_xmit_v4() returns with either SEND_FAILED
- * or LLHDR_RESLV_FAILED
- */
- sire = NULL;
- ire = NULL;
-
- switch (value) {
- case SEND_FAILED:
- ip1dbg(("ipfil_sendpkt: Send failed\n"));
- value = ECOMM;
- break;
- case LLHDR_RESLV_FAILED:
- ip1dbg(("ipfil_sendpkt: Link-layer resolution"
- " failed\n"));
- value = ECOMM;
- break;
- case LOOKUP_IN_PROGRESS:
- netstack_rele(ns);
- return (EINPROGRESS);
- case SEND_PASSED:
- netstack_rele(ns);
- return (0);
- }
-discard:
if (dst_addr->sa_family == AF_INET) {
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
- } else {
- BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutDiscards);
- }
- if (ire != NULL)
- ire_refrele(ire);
- if (sire != NULL)
- ire_refrele(sire);
- netstack_rele(ns);
- return (value);
-}
-
-
-/*
- * We don't check for dohwcksum in here because it should be being used
- * elsewhere to control what flags are being set on the mblk. That is,
- * if DB_CKSUMFLAGS() is non-zero then we assume dohwcksum to be true
- * for this packet.
- *
- * This function assumes that it is *only* being called for TCP or UDP
- * packets and nothing else.
- */
-static int
-ip_send_align_hcksum_flags(mblk_t *mp, ill_t *ill)
-{
- int illhckflags;
- int mbhckflags;
- uint16_t *up;
- uint32_t cksum;
- ipha_t *ipha;
- ip6_t *ip6;
- int proto;
- int ipversion;
- int length;
- int start;
- ip6_pkt_t ipp;
-
- mbhckflags = DB_CKSUMFLAGS(mp);
- ASSERT(mbhckflags != 0);
- ASSERT(mp->b_datap->db_type == M_DATA);
- /*
- * Since this function only knows how to manage the hardware checksum
- * issue, reject and packets that have flags set on the aside from
- * checksum related attributes as we cannot necessarily safely map
- * that packet onto the new NIC. Packets that can be potentially
- * dropped here include those marked for LSO.
- */
- if ((mbhckflags &
- ~(HCK_FULLCKSUM|HCK_PARTIALCKSUM|HCK_IPV4_HDRCKSUM)) != 0) {
- DTRACE_PROBE2(pbr__incapable, (mblk_t *), mp, (ill_t *), ill);
- freemsg(mp);
- return (-1);
- }
-
- ipha = (ipha_t *)mp->b_rptr;
-
- /*
- * Find out what the new NIC is capable of, if anything, and
- * only allow it to be used with M_DATA mblks being sent out.
- */
- if (ILL_HCKSUM_CAPABLE(ill)) {
- illhckflags = ill->ill_hcksum_capab->ill_hcksum_txflags;
- } else {
- /*
- * No capabilities, so turn off everything.
- */
- illhckflags = 0;
- (void) hcksum_assoc(mp, NULL, NULL, 0, 0, 0, 0, 0, 0);
- mp->b_datap->db_struioflag &= ~STRUIO_IP;
- }
-
- DTRACE_PROBE4(pbr__info__a, (mblk_t *), mp, (ill_t *), ill,
- uint32_t, illhckflags, uint32_t, mbhckflags);
- /*
- * This block of code that looks for the position of the TCP/UDP
- * checksum is early in this function because we need to know
- * what needs to be blanked out for the hardware checksum case.
- *
- * That we're in this function implies that the packet is either
- * TCP or UDP on Solaris, so checks are made for one protocol and
- * if that fails, the other is therefore implied.
- */
- ipversion = IPH_HDR_VERSION(ipha);
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
- if (ipversion == IPV4_VERSION) {
- proto = ipha->ipha_protocol;
- if (proto == IPPROTO_TCP) {
- up = IPH_TCPH_CHECKSUMP(ipha, IP_SIMPLE_HDR_LENGTH);
- } else {
- up = IPH_UDPH_CHECKSUMP(ipha, IP_SIMPLE_HDR_LENGTH);
+ ixas.ixa_flags |= IXAF_IS_IPV4;
+ nexthop = ((struct sockaddr_in *)dst_addr)->sin_addr.s_addr;
+ if (nexthop != ipha->ipha_dst) {
+ ixas.ixa_flags |= IXAF_NEXTHOP_SET;
+ ixas.ixa_nexthop_v4 = nexthop;
}
+ ixas.ixa_multicast_ttl = ipha->ipha_ttl;
} else {
- uint8_t lasthdr;
-
- /*
- * Nothing I've seen indicates that IPv6 checksum'ing
- * precludes the presence of extension headers, so we
- * can't just look at the next header value in the IPv6
- * packet header to see if it is TCP/UDP.
- */
- ip6 = (ip6_t *)ipha;
- (void) memset(&ipp, 0, sizeof (ipp));
- start = ip_find_hdr_v6(mp, ip6, &ipp, &lasthdr);
- proto = lasthdr;
-
- if (proto == IPPROTO_TCP) {
- up = IPH_TCPH_CHECKSUMP(ipha, start);
- } else {
- up = IPH_UDPH_CHECKSUMP(ipha, start);
- }
- }
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+ in6_addr_t *nexthop6;
- /*
- * The first case here is easiest:
- * mblk hasn't asked for full checksum, but the card supports it.
- *
- * In addition, check for IPv4 header capability. Note that only
- * the mblk flag is checked and not ipversion.
- */
- if ((((illhckflags & HCKSUM_INET_FULL_V4) && (ipversion == 4)) ||
- (((illhckflags & HCKSUM_INET_FULL_V6) && (ipversion == 6)))) &&
- ((mbhckflags & (HCK_FULLCKSUM|HCK_PARTIALCKSUM)) != 0)) {
- int newflags = HCK_FULLCKSUM;
-
- if ((mbhckflags & HCK_IPV4_HDRCKSUM) != 0) {
- if ((illhckflags & HCKSUM_IPHDRCKSUM) != 0) {
- newflags |= HCK_IPV4_HDRCKSUM;
- } else {
- /*
- * Rather than call a function, just inline
- * the computation of the basic IPv4 header.
- */
- cksum = (ipha->ipha_dst >> 16) +
- (ipha->ipha_dst & 0xFFFF) +
- (ipha->ipha_src >> 16) +
- (ipha->ipha_src & 0xFFFF);
- IP_HDR_CKSUM(ipha, cksum,
- ((uint32_t *)ipha)[0],
- ((uint16_t *)ipha)[4]);
- }
+ nexthop6 = &((struct sockaddr_in6 *)dst_addr)->sin6_addr;
+ if (!IN6_ARE_ADDR_EQUAL(nexthop6, &ip6h->ip6_dst)) {
+ ixas.ixa_flags |= IXAF_NEXTHOP_SET;
+ ixas.ixa_nexthop_v6 = *nexthop6;
}
-
- *up = 0;
- (void) hcksum_assoc(mp, NULL, NULL, 0, 0, 0, 0,
- newflags, 0);
- return (0);
- }
-
- DTRACE_PROBE2(pbr__info__b, int, ipversion, int, proto);
-
- /*
- * Start calculating the pseudo checksum over the IP packet header.
- * Although the final pseudo checksum used by TCP/UDP consists of
- * more than just the address fields, we can use the result of
- * adding those together a little bit further down for IPv4.
- */
- if (ipversion == IPV4_VERSION) {
- cksum = (ipha->ipha_dst >> 16) + (ipha->ipha_dst & 0xFFFF) +
- (ipha->ipha_src >> 16) + (ipha->ipha_src & 0xFFFF);
- start = IP_SIMPLE_HDR_LENGTH;
- length = ntohs(ipha->ipha_length);
- DTRACE_PROBE3(pbr__info__e, uint32_t, ipha->ipha_src,
- uint32_t, ipha->ipha_dst, int, cksum);
- } else {
- uint16_t *pseudo;
-
- pseudo = (uint16_t *)&ip6->ip6_src;
-
- /* calculate pseudo-header checksum */
- cksum = pseudo[0] + pseudo[1] + pseudo[2] + pseudo[3] +
- pseudo[4] + pseudo[5] + pseudo[6] + pseudo[7] +
- pseudo[8] + pseudo[9] + pseudo[10] + pseudo[11] +
- pseudo[12] + pseudo[13] + pseudo[14] + pseudo[15];
-
- length = ntohs(ip6->ip6_plen) + sizeof (ip6_t);
- }
-
- /* Fold the initial sum */
- cksum = (cksum & 0xffff) + (cksum >> 16);
-
- /*
- * If the packet was asking for an IPv4 header checksum to be
- * calculated but the interface doesn't support that, fill it in
- * using our pseudo checksum as a starting point.
- */
- if (((mbhckflags & HCK_IPV4_HDRCKSUM) != 0) &&
- ((illhckflags & HCKSUM_IPHDRCKSUM) == 0)) {
- /*
- * IP_HDR_CKSUM uses the 2rd arg to the macro in a destructive
- * way so pass in a copy of the checksum calculated thus far.
- */
- uint32_t ipsum = cksum;
-
- DB_CKSUMFLAGS(mp) &= ~HCK_IPV4_HDRCKSUM;
-
- IP_HDR_CKSUM(ipha, ipsum, ((uint32_t *)ipha)[0],
- ((uint16_t *)ipha)[4]);
- }
-
- DTRACE_PROBE3(pbr__info__c, int, start, int, length, int, cksum);
-
- if (proto == IPPROTO_TCP) {
- cksum += IP_TCP_CSUM_COMP;
- } else {
- cksum += IP_UDP_CSUM_COMP;
+ ixas.ixa_multicast_ttl = ip6h->ip6_hops;
}
- cksum += htons(length - start);
- cksum = (cksum & 0xffff) + (cksum >> 16);
-
- /*
- * For TCP/UDP, we either want to setup the packet for partial
- * checksum or we want to do it all ourselves because the NIC
- * offers no support for either partial or full checksum.
- */
- if ((illhckflags & HCKSUM_INET_PARTIAL) != 0) {
- /*
- * The only case we care about here is if the mblk was
- * previously set for full checksum offload. If it was
- * marked for partial (and the NIC does partial), then
- * we have nothing to do. Similarly if the packet was
- * not set for partial or full, we do nothing as this
- * is cheaper than more work to set something up.
- */
- if ((mbhckflags & HCK_FULLCKSUM) != 0) {
- uint32_t offset;
-
- if (proto == IPPROTO_TCP) {
- offset = TCP_CHECKSUM_OFFSET;
- } else {
- offset = UDP_CHECKSUM_OFFSET;
- }
- *up = cksum;
-
- DTRACE_PROBE3(pbr__info__f, int, length - start, int,
- cksum, int, offset);
+ error = ip_output_simple(mp, &ixas);
+ ixa_cleanup(&ixas);
- (void) hcksum_assoc(mp, NULL, NULL, start,
- start + offset, length, 0,
- DB_CKSUMFLAGS(mp) | HCK_PARTIALCKSUM, 0);
- }
+ netstack_rele(ns);
+ switch (error) {
+ case 0:
+ break;
- } else if (mbhckflags & (HCK_FULLCKSUM|HCK_PARTIALCKSUM)) {
- DB_CKSUMFLAGS(mp) &= ~(HCK_PARTIALCKSUM|HCK_FULLCKSUM);
+ case EHOSTUNREACH:
+ case ENETUNREACH:
+ error = ENONET;
+ break;
- *up = 0;
- *up = IP_CSUM(mp, start, cksum);
+ default:
+ error = ECOMM;
+ break;
}
-
- DTRACE_PROBE4(pbr__info__d, (mblk_t *), mp, (ipha_t *), ipha,
- (uint16_t *), up, int, cksum);
- return (0);
+ return (error);
}
/*
@@ -2094,18 +669,18 @@ ire_find_best_route(struct radix_node *rn, void *arg)
rw_enter(&irb_ptr->irb_lock, RW_READER);
for (ire = irb_ptr->irb_ire; ire != NULL; ire = ire->ire_next) {
- if (ire->ire_marks & IRE_MARK_CONDEMNED)
+ if (IRE_IS_CONDEMNED(ire))
continue;
- if (margs->ift_flags & MATCH_IRE_MASK)
+ if (margs->ift_flags & (MATCH_IRE_MASK|MATCH_IRE_SHORTERMASK))
match_mask = margs->ift_mask;
else
match_mask = ire->ire_mask;
if (ire_match_args(ire, margs->ift_addr, match_mask,
- margs->ift_gateway, margs->ift_type, margs->ift_ipif,
- margs->ift_zoneid, margs->ift_ihandle, margs->ift_tsl,
- margs->ift_flags, NULL)) {
- IRE_REFHOLD(ire);
+ margs->ift_gateway, margs->ift_type, margs->ift_ill,
+ margs->ift_zoneid, margs->ift_tsl,
+ margs->ift_flags)) {
+ ire_refhold(ire);
rw_exit(&irb_ptr->irb_lock);
margs->ift_best_ire = ire;
return (B_TRUE);
@@ -2198,107 +773,182 @@ irb_refrele_ftable(irb_t *irb)
}
/*
- * IRE iterator used by ire_ftable_lookup() to process multiple default
- * routes. Given a starting point in the hash list (ire_origin), walk the IREs
- * in the bucket skipping default interface routes and deleted entries.
- * Returns the next IRE (unheld), or NULL when we're back to the starting point.
- * Assumes that the caller holds a reference on the IRE bucket.
+ * IRE iterator used by ire_ftable_lookup to process multiple equal
+ * routes. Given a starting point in the hash list (hash), walk the IREs
+ * in the bucket skipping deleted entries. We treat the bucket as a circular
+ * list for the purposes of walking it.
+ * Returns the IRE (held) that corresponds to the hash value. If that IRE is
+ * not applicable (ire_match_args failed) then it returns a subsequent one.
+ * If we fail to find an IRE we return NULL.
*
- * In the absence of good IRE_DEFAULT routes, this function will return
- * the first IRE_INTERFACE route found (if any).
+ * Assumes that the caller holds a reference on the IRE bucket and a read lock
+ * on the radix_node_head (for IPv4) or the ip6_ire_head (for IPv6).
+ *
+ * Applies to IPv4 and IPv6.
+ *
+ * For CGTP, where an IRE_BROADCAST and IRE_HOST can exist for the same
+ * address and bucket, we compare against ire_type for the orig_ire. We also
+ * have IRE_BROADCASTs with and without RTF_MULTIRT, with the former being
+ * first in the bucket. Thus we compare that ire_flags match the orig_ire.
+ *
+ * Due to shared-IP zones we check that an IRE_OFFLINK has a gateway that is
+ * reachable from the zone i.e., that the ire_gateway_addr is in a subnet
+ * in which the zone has an IP address. We check this for the global zone
+ * even if no shared-IP zones are configured.
*/
ire_t *
-ire_round_robin(irb_t *irb_ptr, zoneid_t zoneid, ire_ftable_args_t *margs,
- ip_stack_t *ipst)
+ire_round_robin(irb_t *irb_ptr, ire_ftable_args_t *margs, uint_t hash,
+ ire_t *orig_ire, ip_stack_t *ipst)
{
- ire_t *ire_origin;
- ire_t *ire, *maybe_ire = NULL;
+ ire_t *ire, *maybe_ire = NULL;
+ uint_t maybe_badcnt;
+ uint_t maxwalk;
- rw_enter(&irb_ptr->irb_lock, RW_WRITER);
- ire_origin = irb_ptr->irb_rr_origin;
- if (ire_origin != NULL) {
- ire_origin = ire_origin->ire_next;
- IRE_FIND_NEXT_ORIGIN(ire_origin);
- }
+ /* Fold in more bits from the hint/hash */
+ hash = hash ^ (hash >> 8) ^ (hash >> 16);
- if (ire_origin == NULL) {
- /*
- * first time through routine, or we dropped off the end
- * of list.
- */
- ire_origin = irb_ptr->irb_ire;
- IRE_FIND_NEXT_ORIGIN(ire_origin);
- }
- irb_ptr->irb_rr_origin = ire_origin;
- IRB_REFHOLD_LOCKED(irb_ptr);
+ rw_enter(&irb_ptr->irb_lock, RW_WRITER);
+ maxwalk = irb_ptr->irb_ire_cnt; /* Excludes condemned */
+ hash %= maxwalk;
+ irb_refhold_locked(irb_ptr);
rw_exit(&irb_ptr->irb_lock);
- DTRACE_PROBE2(ire__rr__origin, (irb_t *), irb_ptr,
- (ire_t *), ire_origin);
-
/*
* Round-robin the routers list looking for a route that
* matches the passed in parameters.
- * We start with the ire we found above and we walk the hash
- * list until we're back where we started. It doesn't matter if
- * routes are added or deleted by other threads - we know this
- * ire will stay in the list because we hold a reference on the
- * ire bucket.
+ * First we skip "hash" number of non-condemned IREs.
+ * Then we match the IRE.
+ * If we find an ire which has a non-zero ire_badcnt then we remember
+ * it and keep on looking for a lower ire_badcnt.
+ * If we come to the end of the list we continue (treat the
+ * bucket list as a circular list) but we match less than "max"
+ * entries.
*/
- ire = ire_origin;
- while (ire != NULL) {
- int match_flags = MATCH_IRE_TYPE | MATCH_IRE_SECATTR;
- ire_t *rire;
+ ire = irb_ptr->irb_ire;
+ while (maxwalk > 0) {
+ if (IRE_IS_CONDEMNED(ire))
+ goto next_ire_skip;
+
+ /* Skip the first "hash" entries to do ECMP */
+ if (hash != 0) {
+ hash--;
+ goto next_ire_skip;
+ }
- if (ire->ire_marks & IRE_MARK_CONDEMNED)
+ /* See CGTP comment above */
+ if (ire->ire_type != orig_ire->ire_type ||
+ ire->ire_flags != orig_ire->ire_flags)
goto next_ire;
- if (!ire_match_args(ire, margs->ift_addr, (ipaddr_t)0,
- margs->ift_gateway, margs->ift_type, margs->ift_ipif,
- margs->ift_zoneid, margs->ift_ihandle, margs->ift_tsl,
- margs->ift_flags, NULL))
+ /*
+ * Note: Since IPv6 has hash buckets instead of radix
+ * buckers we need to explicitly compare the addresses.
+ * That makes this less efficient since we will be called
+ * even if there is no alternatives just because the
+ * bucket has multiple IREs for different addresses.
+ */
+ if (ire->ire_ipversion == IPV6_VERSION) {
+ if (!IN6_ARE_ADDR_EQUAL(&orig_ire->ire_addr_v6,
+ &ire->ire_addr_v6))
+ goto next_ire;
+ }
+
+ /*
+ * For some reason find_best_route uses ire_mask. We do
+ * the same.
+ */
+ if (ire->ire_ipversion == IPV4_VERSION ?
+ !ire_match_args(ire, margs->ift_addr,
+ ire->ire_mask, margs->ift_gateway,
+ margs->ift_type, margs->ift_ill, margs->ift_zoneid,
+ margs->ift_tsl, margs->ift_flags) :
+ !ire_match_args_v6(ire, &margs->ift_addr_v6,
+ &ire->ire_mask_v6, &margs->ift_gateway_v6,
+ margs->ift_type, margs->ift_ill, margs->ift_zoneid,
+ margs->ift_tsl, margs->ift_flags))
goto next_ire;
- if (ire->ire_type & IRE_INTERFACE) {
+ if (margs->ift_zoneid != ALL_ZONES &&
+ (ire->ire_type & IRE_OFFLINK)) {
/*
- * keep looking to see if there is a non-interface
- * default ire, but save this one as a last resort.
+ * When we're in a zone, we're only
+ * interested in routers that are
+ * reachable through ipifs within our zone.
*/
- if (maybe_ire == NULL)
- maybe_ire = ire;
- goto next_ire;
+ if (ire->ire_ipversion == IPV4_VERSION) {
+ if (!ire_gateway_ok_zone_v4(
+ ire->ire_gateway_addr, margs->ift_zoneid,
+ ire->ire_ill, margs->ift_tsl, ipst,
+ B_TRUE))
+ goto next_ire;
+ } else {
+ if (!ire_gateway_ok_zone_v6(
+ &ire->ire_gateway_addr_v6,
+ margs->ift_zoneid, ire->ire_ill,
+ margs->ift_tsl, ipst, B_TRUE))
+ goto next_ire;
+ }
}
-
- if (zoneid == ALL_ZONES) {
- IRE_REFHOLD(ire);
- IRB_REFRELE(irb_ptr);
+ mutex_enter(&ire->ire_lock);
+ /* Look for stale ire_badcnt and clear */
+ if (ire->ire_badcnt != 0 &&
+ (TICK_TO_SEC(lbolt64) - ire->ire_last_badcnt >
+ ipst->ips_ip_ire_badcnt_lifetime))
+ ire->ire_badcnt = 0;
+ mutex_exit(&ire->ire_lock);
+
+ if (ire->ire_badcnt == 0) {
+ /* We found one with a zero badcnt; done */
+ ire_refhold(ire);
+ /*
+ * Care needed since irb_refrele grabs WLOCK to free
+ * the irb_t.
+ */
+ if (ire->ire_ipversion == IPV4_VERSION) {
+ RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
+ irb_refrele(irb_ptr);
+ RADIX_NODE_HEAD_RLOCK(ipst->ips_ip_ftable);
+ } else {
+ rw_exit(&ipst->ips_ip6_ire_head_lock);
+ irb_refrele(irb_ptr);
+ rw_enter(&ipst->ips_ip6_ire_head_lock,
+ RW_READER);
+ }
return (ire);
}
/*
- * When we're in a non-global zone, we're only
- * interested in routers that are
- * reachable through ipifs within our zone.
+ * keep looking to see if there is a better (lower
+ * badcnt) matching IRE, but save this one as a last resort.
+ * If we find a lower badcnt pick that one as the last* resort.
*/
- if (ire->ire_ipif != NULL)
- match_flags |= MATCH_IRE_ILL;
-
- rire = ire_route_lookup(ire->ire_gateway_addr, 0, 0,
- IRE_INTERFACE, ire->ire_ipif, NULL, zoneid, margs->ift_tsl,
- match_flags, ipst);
- if (rire != NULL) {
- ire_refrele(rire);
- IRE_REFHOLD(ire);
- IRB_REFRELE(irb_ptr);
- return (ire);
+ if (maybe_ire == NULL) {
+ maybe_ire = ire;
+ maybe_badcnt = ire->ire_badcnt;
+ } else if (ire->ire_badcnt < maybe_badcnt) {
+ maybe_ire = ire;
+ maybe_badcnt = ire->ire_badcnt;
}
+
next_ire:
- ire = (ire->ire_next ? ire->ire_next : irb_ptr->irb_ire);
- if (ire == ire_origin)
- break;
+ maxwalk--;
+next_ire_skip:
+ ire = ire->ire_next;
+ if (ire == NULL)
+ ire = irb_ptr->irb_ire;
}
if (maybe_ire != NULL)
- IRE_REFHOLD(maybe_ire);
- IRB_REFRELE(irb_ptr);
+ ire_refhold(maybe_ire);
+
+ /* Care needed since irb_refrele grabs WLOCK to free the irb_t. */
+ if (ire->ire_ipversion == IPV4_VERSION) {
+ RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
+ irb_refrele(irb_ptr);
+ RADIX_NODE_HEAD_RLOCK(ipst->ips_ip_ftable);
+ } else {
+ rw_exit(&ipst->ips_ip6_ire_head_lock);
+ irb_refrele(irb_ptr);
+ rw_enter(&ipst->ips_ip6_ire_head_lock, RW_READER);
+ }
return (maybe_ire);
}
@@ -2306,7 +956,7 @@ void
irb_refhold_rn(struct radix_node *rn)
{
if ((rn->rn_flags & RNF_ROOT) == 0)
- IRB_REFHOLD(&((rt_t *)(rn))->rt_irb);
+ irb_refhold(&((rt_t *)(rn))->rt_irb);
}
void
@@ -2315,3 +965,587 @@ irb_refrele_rn(struct radix_node *rn)
if ((rn->rn_flags & RNF_ROOT) == 0)
irb_refrele_ftable(&((rt_t *)(rn))->rt_irb);
}
+
+/*
+ * Select a route for IPv4 and IPv6. Except for multicast, loopback and reject
+ * routes this routine sets up a ire_nce_cache as well. The caller needs to
+ * lookup an nce for the multicast case.
+ */
+ire_t *
+ip_select_route(const in6_addr_t *v6dst, ip_xmit_attr_t *ixa,
+ uint_t *generationp, in6_addr_t *setsrcp, int *errorp, boolean_t *multirtp)
+{
+ uint_t match_args;
+ uint_t ire_type;
+ ill_t *ill;
+ ire_t *ire;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ ipaddr_t v4dst;
+ in6_addr_t v6nexthop;
+ iaflags_t ixaflags = ixa->ixa_flags;
+ nce_t *nce;
+
+ match_args = MATCH_IRE_SECATTR;
+ IN6_V4MAPPED_TO_IPADDR(v6dst, v4dst);
+ if (setsrcp != NULL)
+ ASSERT(IN6_IS_ADDR_UNSPECIFIED(setsrcp));
+ if (errorp != NULL)
+ ASSERT(*errorp == 0);
+
+ /*
+ * The content of the ixa will be different if IP_NEXTHOP,
+ * SO_DONTROUTE, IP_BOUND_IF, IP_PKTINFO etc are set
+ */
+
+ if ((ixaflags & IXAF_IS_IPV4) ? CLASSD(v4dst) :
+ IN6_IS_ADDR_MULTICAST(v6dst)) {
+ /* Pick up the IRE_MULTICAST for the ill */
+ if (ixa->ixa_multicast_ifindex != 0) {
+ ill = ill_lookup_on_ifindex(ixa->ixa_multicast_ifindex,
+ !(ixaflags & IXAF_IS_IPV4), ipst);
+ } else if (ixaflags & IXAF_SCOPEID_SET) {
+ /* sin6_scope_id takes precedence over ixa_ifindex */
+ ASSERT(ixa->ixa_scopeid != 0);
+ ill = ill_lookup_on_ifindex(ixa->ixa_scopeid,
+ !(ixaflags & IXAF_IS_IPV4), ipst);
+ } else if (ixa->ixa_ifindex != 0) {
+ /*
+ * In the ipmp case, the ixa_ifindex is set to
+ * point at an under_ill and we would return the
+ * ire_multicast() corresponding to that under_ill.
+ */
+ ill = ill_lookup_on_ifindex(ixa->ixa_ifindex,
+ !(ixaflags & IXAF_IS_IPV4), ipst);
+ } else if (ixaflags & IXAF_IS_IPV4) {
+ ipaddr_t v4setsrc = INADDR_ANY;
+
+ ill = ill_lookup_group_v4(v4dst, ixa->ixa_zoneid, ipst,
+ multirtp, &v4setsrc);
+ if (setsrcp != NULL)
+ IN6_IPADDR_TO_V4MAPPED(v4setsrc, setsrcp);
+ } else {
+ ill = ill_lookup_group_v6(v6dst, ixa->ixa_zoneid, ipst,
+ multirtp, setsrcp);
+ }
+ if (ill != NULL && IS_VNI(ill)) {
+ ill_refrele(ill);
+ ill = NULL;
+ }
+ if (ill == NULL) {
+ if (errorp != NULL)
+ *errorp = ENXIO;
+ /* Get a hold on the IRE_NOROUTE */
+ ire = ire_reject(ipst, !(ixaflags & IXAF_IS_IPV4));
+ return (ire);
+ }
+ if (!(ill->ill_flags & ILLF_MULTICAST)) {
+ ill_refrele(ill);
+ if (errorp != NULL)
+ *errorp = EHOSTUNREACH;
+ /* Get a hold on the IRE_NOROUTE */
+ ire = ire_reject(ipst, !(ixaflags & IXAF_IS_IPV4));
+ return (ire);
+ }
+ /* Get a refcnt on the single IRE_MULTICAST per ill */
+ ire = ire_multicast(ill);
+ ill_refrele(ill);
+ if (generationp != NULL)
+ *generationp = ire->ire_generation;
+ if (errorp != NULL &&
+ (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))) {
+ *errorp = EHOSTUNREACH;
+ }
+ return (ire);
+ }
+
+ if (ixa->ixa_ifindex != 0 || (ixaflags & IXAF_SCOPEID_SET)) {
+ if (ixaflags & IXAF_SCOPEID_SET) {
+ /* sin6_scope_id takes precedence over ixa_ifindex */
+ ASSERT(ixa->ixa_scopeid != 0);
+ ill = ill_lookup_on_ifindex(ixa->ixa_scopeid,
+ !(ixaflags & IXAF_IS_IPV4), ipst);
+ } else {
+ ASSERT(ixa->ixa_ifindex != 0);
+ ill = ill_lookup_on_ifindex(ixa->ixa_ifindex,
+ !(ixaflags & IXAF_IS_IPV4), ipst);
+ }
+ if (ill != NULL && IS_VNI(ill)) {
+ ill_refrele(ill);
+ ill = NULL;
+ }
+ if (ill == NULL) {
+ if (errorp != NULL)
+ *errorp = ENXIO;
+ /* Get a hold on the IRE_NOROUTE */
+ ire = ire_reject(ipst, !(ixaflags & IXAF_IS_IPV4));
+ return (ire);
+ }
+ /*
+ * icmp_send_reply_v6 uses scopeid, and mpathd sets IP*_BOUND_IF
+ * so for both of them we need to be able look for an under
+ * interface.
+ */
+ if (IS_UNDER_IPMP(ill))
+ match_args |= MATCH_IRE_TESTHIDDEN;
+ } else {
+ ill = NULL;
+ }
+
+ if (ixaflags & IXAF_NEXTHOP_SET) {
+ /* IP_NEXTHOP was set */
+ v6nexthop = ixa->ixa_nexthop_v6;
+ } else {
+ v6nexthop = *v6dst;
+ }
+
+ ire_type = 0;
+ /* If ill is null then ire_route_recursive will set MATCH_IRE_ILL */
+
+ /*
+ * If SO_DONTROUTE is set or if IP_NEXTHOP is set, then
+ * we only look for an onlink IRE.
+ */
+ if (ixaflags & (IXAF_DONTROUTE|IXAF_NEXTHOP_SET)) {
+ match_args |= MATCH_IRE_TYPE;
+ ire_type = IRE_ONLINK;
+ }
+
+ if (ixaflags & IXAF_IS_IPV4) {
+ ipaddr_t v4nexthop;
+ ipaddr_t v4setsrc = INADDR_ANY;
+
+ IN6_V4MAPPED_TO_IPADDR(&v6nexthop, v4nexthop);
+ ire = ire_route_recursive_v4(v4nexthop, ire_type, ill,
+ ixa->ixa_zoneid, ixa->ixa_tsl, match_args, B_TRUE,
+ ixa->ixa_xmit_hint, ipst, &v4setsrc, NULL, generationp);
+ if (setsrcp != NULL)
+ IN6_IPADDR_TO_V4MAPPED(v4setsrc, setsrcp);
+ } else {
+ ire = ire_route_recursive_v6(&v6nexthop, ire_type, ill,
+ ixa->ixa_zoneid, ixa->ixa_tsl, match_args, B_TRUE,
+ ixa->ixa_xmit_hint, ipst, setsrcp, NULL, generationp);
+ }
+
+#ifdef DEBUG
+ if (match_args & MATCH_IRE_TESTHIDDEN) {
+ ip3dbg(("looking for hidden; dst %x ire %p\n",
+ v4dst, (void *)ire));
+ }
+#endif
+
+ if (ill != NULL)
+ ill_refrele(ill);
+
+ if ((ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
+ (ire->ire_type & IRE_MULTICAST)) {
+ /* No ire_nce_cache */
+ return (ire);
+ }
+
+ /* Setup ire_nce_cache if it doesn't exist or is condemned. */
+ mutex_enter(&ire->ire_lock);
+ nce = ire->ire_nce_cache;
+ if (nce == NULL || nce->nce_is_condemned) {
+ mutex_exit(&ire->ire_lock);
+ (void) ire_revalidate_nce(ire);
+ } else {
+ mutex_exit(&ire->ire_lock);
+ }
+ return (ire);
+}
+
+/*
+ * Find a route given some xmit attributes and a packet.
+ * Generic for IPv4 and IPv6
+ *
+ * This never returns NULL. But when it returns the IRE_NOROUTE
+ * it might set errorp.
+ */
+ire_t *
+ip_select_route_pkt(mblk_t *mp, ip_xmit_attr_t *ixa, uint_t *generationp,
+ int *errorp, boolean_t *multirtp)
+{
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+ in6_addr_t v6dst;
+
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &v6dst);
+
+ return (ip_select_route(&v6dst, ixa, generationp,
+ NULL, errorp, multirtp));
+ } else {
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+
+ return (ip_select_route(&ip6h->ip6_dst, ixa, generationp,
+ NULL, errorp, multirtp));
+ }
+}
+
+ire_t *
+ip_select_route_v4(ipaddr_t dst, ip_xmit_attr_t *ixa, uint_t *generationp,
+ ipaddr_t *v4setsrcp, int *errorp, boolean_t *multirtp)
+{
+ in6_addr_t v6dst;
+ ire_t *ire;
+ in6_addr_t setsrc;
+
+ ASSERT(ixa->ixa_flags & IXAF_IS_IPV4);
+
+ IN6_IPADDR_TO_V4MAPPED(dst, &v6dst);
+
+ setsrc = ipv6_all_zeros;
+ ire = ip_select_route(&v6dst, ixa, generationp, &setsrc, errorp,
+ multirtp);
+ if (v4setsrcp != NULL)
+ IN6_V4MAPPED_TO_IPADDR(&setsrc, *v4setsrcp);
+ return (ire);
+}
+
+/*
+ * Recursively look for a route to the destination. Can also match on
+ * the zoneid, ill, and label. Used for the data paths. See also
+ * ire_route_recursive.
+ *
+ * If ill is set this means we will match it by adding MATCH_IRE_ILL.
+ *
+ * Note that this function never returns NULL. It returns an IRE_NOROUTE
+ * instead.
+ *
+ * If we find any IRE_LOCAL|BROADCAST etc past the first iteration it
+ * is an error.
+ * Allow at most one RTF_INDIRECT.
+ */
+ire_t *
+ire_route_recursive_impl_v4(ire_t *ire,
+ ipaddr_t nexthop, uint_t ire_type, const ill_t *ill_arg,
+ zoneid_t zoneid, const ts_label_t *tsl, uint_t match_args,
+ boolean_t allocate, uint32_t xmit_hint, ip_stack_t *ipst, ipaddr_t *setsrcp,
+ tsol_ire_gw_secattr_t **gwattrp, uint_t *generationp)
+{
+ int i, j;
+ ire_t *ires[MAX_IRE_RECURSION];
+ uint_t generation;
+ uint_t generations[MAX_IRE_RECURSION];
+ boolean_t need_refrele = B_FALSE;
+ boolean_t invalidate = B_FALSE;
+ int prefs[MAX_IRE_RECURSION];
+ ill_t *ill = NULL;
+
+ if (setsrcp != NULL)
+ ASSERT(*setsrcp == INADDR_ANY);
+ if (gwattrp != NULL)
+ ASSERT(*gwattrp == NULL);
+
+ if (ill_arg != NULL)
+ match_args |= MATCH_IRE_ILL;
+
+ /*
+ * We iterate up to three times to resolve a route, even though
+ * we have four slots in the array. The extra slot is for an
+ * IRE_IF_CLONE we might need to create.
+ */
+ i = 0;
+ while (i < MAX_IRE_RECURSION - 1) {
+ /* ire_ftable_lookup handles round-robin/ECMP */
+ if (ire == NULL) {
+ ire = ire_ftable_lookup_v4(nexthop, 0, 0, ire_type,
+ (ill_arg != NULL ? ill_arg : ill), zoneid, tsl,
+ match_args, xmit_hint, ipst, &generation);
+ } else {
+ /* Caller passed it; extra hold since we will rele */
+ ire_refhold(ire);
+ if (generationp != NULL)
+ generation = *generationp;
+ else
+ generation = IRE_GENERATION_VERIFY;
+ }
+ if (ire == NULL)
+ ire = ire_reject(ipst, B_FALSE);
+
+ /* Need to return the ire with RTF_REJECT|BLACKHOLE */
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))
+ goto error;
+
+ ASSERT(!(ire->ire_type & IRE_MULTICAST)); /* Not in ftable */
+
+ prefs[i] = ire_pref(ire);
+ if (i != 0) {
+ /*
+ * Don't allow anything unusual past the first
+ * iteration.
+ */
+ if ((ire->ire_type &
+ (IRE_LOCAL|IRE_LOOPBACK|IRE_BROADCAST)) ||
+ prefs[i] <= prefs[i-1]) {
+ ire_refrele(ire);
+ ire = ire_reject(ipst, B_FALSE);
+ goto error;
+ }
+ }
+ /* We have a usable IRE */
+ ires[i] = ire;
+ generations[i] = generation;
+ i++;
+
+ /* The first RTF_SETSRC address is passed back if setsrcp */
+ if ((ire->ire_flags & RTF_SETSRC) &&
+ setsrcp != NULL && *setsrcp == INADDR_ANY) {
+ ASSERT(ire->ire_setsrc_addr != INADDR_ANY);
+ *setsrcp = ire->ire_setsrc_addr;
+ }
+
+ /* The first ire_gw_secattr is passed back if gwattrp */
+ if (ire->ire_gw_secattr != NULL &&
+ gwattrp != NULL && *gwattrp == NULL)
+ *gwattrp = ire->ire_gw_secattr;
+
+ /*
+ * Check if we have a short-cut pointer to an IRE for this
+ * destination, and that the cached dependency isn't stale.
+ * In that case we've rejoined an existing tree towards a
+ * parent, thus we don't need to continue the loop to
+ * discover the rest of the tree.
+ */
+ mutex_enter(&ire->ire_lock);
+ if (ire->ire_dep_parent != NULL &&
+ ire->ire_dep_parent->ire_generation ==
+ ire->ire_dep_parent_generation) {
+ mutex_exit(&ire->ire_lock);
+ ire = NULL;
+ goto done;
+ }
+ mutex_exit(&ire->ire_lock);
+
+ /*
+ * If this type should have an ire_nce_cache (even if it
+ * doesn't yet have one) then we are done. Includes
+ * IRE_INTERFACE with a full 32 bit mask.
+ */
+ if (ire->ire_nce_capable) {
+ ire = NULL;
+ goto done;
+ }
+ ASSERT(!(ire->ire_type & IRE_IF_CLONE));
+ /*
+ * For an IRE_INTERFACE we create an IRE_IF_CLONE for this
+ * particular destination
+ */
+ if (ire->ire_type & IRE_INTERFACE) {
+ in6_addr_t v6nexthop;
+ ire_t *clone;
+
+ ASSERT(ire->ire_masklen != IPV4_ABITS);
+
+ /*
+ * In the case of ip_input and ILLF_FORWARDING not
+ * being set, and in the case of RTM_GET,
+ * there is no point in allocating
+ * an IRE_IF_CLONE. We return the IRE_INTERFACE.
+ * Note that !allocate can result in a ire_dep_parent
+ * which is IRE_IF_* without an IRE_IF_CLONE.
+ * We recover from that when we need to send packets
+ * by ensuring that the generations become
+ * IRE_GENERATION_VERIFY in this case.
+ */
+ if (!allocate) {
+ invalidate = B_TRUE;
+ ire = NULL;
+ goto done;
+ }
+
+ IN6_IPADDR_TO_V4MAPPED(nexthop, &v6nexthop);
+
+ clone = ire_create_if_clone(ire, &v6nexthop,
+ &generation);
+ if (clone == NULL) {
+ /*
+ * Temporary failure - no memory.
+ * Don't want caller to cache IRE_NOROUTE.
+ */
+ invalidate = B_TRUE;
+ ire = ire_blackhole(ipst, B_FALSE);
+ goto error;
+ }
+ /*
+ * Make clone next to last entry and the
+ * IRE_INTERFACE the last in the dependency
+ * chain since the clone depends on the
+ * IRE_INTERFACE.
+ */
+ ASSERT(i >= 1);
+ ASSERT(i < MAX_IRE_RECURSION);
+
+ ires[i] = ires[i-1];
+ generations[i] = generations[i-1];
+ ires[i-1] = clone;
+ generations[i-1] = generation;
+ i++;
+
+ ire = NULL;
+ goto done;
+ }
+
+ /*
+ * We only match on the type and optionally ILL when
+ * recursing. The type match is used by some callers
+ * to exclude certain types (such as IRE_IF_CLONE or
+ * IRE_LOCAL|IRE_LOOPBACK).
+ */
+ match_args &= MATCH_IRE_TYPE;
+ nexthop = ire->ire_gateway_addr;
+ if (ill == NULL && ire->ire_ill != NULL) {
+ ill = ire->ire_ill;
+ need_refrele = B_TRUE;
+ ill_refhold(ill);
+ match_args |= MATCH_IRE_ILL;
+ }
+ ire = NULL;
+ }
+ ASSERT(ire == NULL);
+ ire = ire_reject(ipst, B_FALSE);
+
+error:
+ ASSERT(ire != NULL);
+ if (need_refrele)
+ ill_refrele(ill);
+
+ /*
+ * In the case of MULTIRT we want to try a different IRE the next
+ * time. We let the next packet retry in that case.
+ */
+ if (i > 0 && (ires[0]->ire_flags & RTF_MULTIRT))
+ (void) ire_no_good(ires[0]);
+
+cleanup:
+ /* cleanup ires[i] */
+ ire_dep_unbuild(ires, i);
+ for (j = 0; j < i; j++)
+ ire_refrele(ires[j]);
+
+ ASSERT(ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE));
+ /*
+ * Use IRE_GENERATION_VERIFY to ensure that ip_output will redo the
+ * ip_select_route since the reject or lack of memory might be gone.
+ */
+ if (generationp != NULL)
+ *generationp = IRE_GENERATION_VERIFY;
+ return (ire);
+
+done:
+ ASSERT(ire == NULL);
+ if (need_refrele) {
+ ill_refrele(ill);
+ ill = NULL;
+ }
+
+ /* Build dependencies */
+ if (!ire_dep_build(ires, generations, i)) {
+ /* Something in chain was condemned; tear it apart */
+ ire = ire_reject(ipst, B_FALSE);
+ goto cleanup;
+ }
+
+ /*
+ * Release all refholds except the one for ires[0] that we
+ * will return to the caller.
+ */
+ for (j = 1; j < i; j++)
+ ire_refrele(ires[j]);
+
+ if (invalidate) {
+ /*
+ * Since we needed to allocate but couldn't we need to make
+ * sure that the dependency chain is rebuilt the next time.
+ */
+ ire_dep_invalidate_generations(ires[0]);
+ generation = IRE_GENERATION_VERIFY;
+ } else {
+ /*
+ * IREs can have been added or deleted while we did the
+ * recursive lookup and we can't catch those until we've built
+ * the dependencies. We verify the stored
+ * ire_dep_parent_generation to catch any such changes and
+ * return IRE_GENERATION_VERIFY (which will cause
+ * ip_select_route to be called again so we can redo the
+ * recursive lookup next time we send a packet.
+ */
+ generation = ire_dep_validate_generations(ires[0]);
+ if (generations[0] != ires[0]->ire_generation) {
+ /* Something changed at the top */
+ generation = IRE_GENERATION_VERIFY;
+ }
+ }
+ if (generationp != NULL)
+ *generationp = generation;
+
+ return (ires[0]);
+}
+
+ire_t *
+ire_route_recursive_v4(ipaddr_t nexthop, uint_t ire_type, const ill_t *ill,
+ zoneid_t zoneid, const ts_label_t *tsl, uint_t match_args,
+ boolean_t allocate, uint32_t xmit_hint, ip_stack_t *ipst, ipaddr_t *setsrcp,
+ tsol_ire_gw_secattr_t **gwattrp, uint_t *generationp)
+{
+ return (ire_route_recursive_impl_v4(NULL, nexthop, ire_type, ill,
+ zoneid, tsl, match_args, allocate, xmit_hint, ipst, setsrcp,
+ gwattrp, generationp));
+}
+
+/*
+ * Recursively look for a route to the destination.
+ * We only handle a destination match here, yet we have the same arguments
+ * as the full match to allow function pointers to select between the two.
+ *
+ * Note that this function never returns NULL. It returns an IRE_NOROUTE
+ * instead.
+ *
+ * If we find any IRE_LOCAL|BROADCAST etc past the first iteration it
+ * is an error.
+ * Allow at most one RTF_INDIRECT.
+ */
+ire_t *
+ire_route_recursive_dstonly_v4(ipaddr_t nexthop, boolean_t allocate,
+ uint32_t xmit_hint, ip_stack_t *ipst)
+{
+ ire_t *ire;
+ ire_t *ire1;
+ uint_t generation;
+
+ /* ire_ftable_lookup handles round-robin/ECMP */
+ ire = ire_ftable_lookup_simple_v4(nexthop, xmit_hint, ipst,
+ &generation);
+ ASSERT(ire != NULL);
+
+ /*
+ * If this type should have an ire_nce_cache (even if it
+ * doesn't yet have one) then we are done. Includes
+ * IRE_INTERFACE with a full 32 bit mask.
+ */
+ if (ire->ire_nce_capable)
+ return (ire);
+
+ /*
+ * If the IRE has a current cached parent we know that the whole
+ * parent chain is current, hence we don't need to discover and
+ * build any dependencies by doing a recursive lookup.
+ */
+ mutex_enter(&ire->ire_lock);
+ if (ire->ire_dep_parent != NULL &&
+ ire->ire_dep_parent->ire_generation ==
+ ire->ire_dep_parent_generation) {
+ mutex_exit(&ire->ire_lock);
+ return (ire);
+ }
+ mutex_exit(&ire->ire_lock);
+
+ /*
+ * Fallback to loop in the normal code starting with the ire
+ * we found. Normally this would return the same ire.
+ */
+ ire1 = ire_route_recursive_impl_v4(ire, nexthop, 0, NULL, ALL_ZONES,
+ NULL, MATCH_IRE_DSTONLY, allocate, xmit_hint, ipst, NULL, NULL,
+ &generation);
+ ire_refrele(ire);
+ return (ire1);
+}
diff --git a/usr/src/uts/common/inet/ip/ip_helper_stream.c b/usr/src/uts/common/inet/ip/ip_helper_stream.c
index 6f5608e950..3fa6364417 100644
--- a/usr/src/uts/common/inet/ip/ip_helper_stream.c
+++ b/usr/src/uts/common/inet/ip/ip_helper_stream.c
@@ -58,14 +58,14 @@ static struct qinit ip_helper_stream_winit = {
&ip_helper_stream_info, NULL, NULL, NULL, STRUIOT_NONE
};
-#define IP_USE_HELPER_CACHE (ip_helper_stream_cache != NULL)
-
/*
* set the q_ptr of the 'q' to the conn_t pointer passed in
*/
static void
ip_helper_share_conn(queue_t *q, mblk_t *mp, cred_t *crp)
{
+ conn_t *connp = *((conn_t **)mp->b_cont->b_rptr);
+
/*
* This operation is allowed only on helper streams with kcred
*/
@@ -75,24 +75,12 @@ ip_helper_share_conn(queue_t *q, mblk_t *mp, cred_t *crp)
return;
}
- if (IP_USE_HELPER_CACHE) {
- ip_helper_stream_info_t *ip_helper_info;
-
- ip_helper_info = *((ip_helper_stream_info_t **)
- mp->b_cont->b_rptr);
- ip_helper_info->iphs_minfo = q->q_ptr;
- ip_helper_info->iphs_rq = RD(q);
- ip_helper_info->iphs_wq = WR(q);
- } else {
- conn_t *connp = *((conn_t **)mp->b_cont->b_rptr);
-
- connp->conn_helper_info->iphs_minfo = q->q_ptr;
- connp->conn_helper_info->iphs_rq = RD(q);
- connp->conn_helper_info->iphs_wq = WR(q);
- WR(q)->q_ptr = RD(q)->q_ptr = (void *)connp;
- connp->conn_rq = RD(q);
- connp->conn_wq = WR(q);
- }
+ connp->conn_helper_info->iphs_minfo = q->q_ptr;
+ connp->conn_helper_info->iphs_rq = RD(q);
+ connp->conn_helper_info->iphs_wq = WR(q);
+ WR(q)->q_ptr = RD(q)->q_ptr = (void *)connp;
+ connp->conn_rq = RD(q);
+ connp->conn_wq = WR(q);
miocack(q, mp, 0, 0);
}
@@ -104,17 +92,13 @@ ip_helper_wput(queue_t *q, mblk_t *mp)
iocp->ioc_cmd == SIOCSQPTR) {
ip_helper_share_conn(q, mp, iocp->ioc_cr);
} else {
- conn_t *connp = (conn_t *)q->q_ptr;
-
- if (connp->conn_af_isv6) {
- ip_wput_v6(q, mp);
- } else {
- ip_wput(q, mp);
- }
+ /* We only handle ioctl related messages here */
+ ASSERT(DB_TYPE(mp) != M_DATA);
+ ip_wput_nondata(q, mp);
}
}
-/* ARGSUSED */
+/* ARGSUSED3 */
int
ip_helper_stream_setup(queue_t *q, dev_t *devp, int flag, int sflag,
cred_t *credp, boolean_t isv6)
@@ -126,10 +110,8 @@ ip_helper_stream_setup(queue_t *q, dev_t *devp, int flag, int sflag,
ASSERT(RD(q) == q);
- ip_minfop = kmem_alloc(sizeof (ip_helper_minfo_t), KM_NOSLEEP);
- if (ip_minfop == NULL) {
- return (ENOMEM);
- }
+ ip_minfop = kmem_alloc(sizeof (ip_helper_minfo_t), KM_SLEEP);
+ ASSERT(ip_minfop != NULL);
ip_minfop->ip_minfo_dev = 0;
ip_minfop->ip_minfo_arena = NULL;
@@ -171,7 +153,7 @@ ip_helper_stream_setup(queue_t *q, dev_t *devp, int flag, int sflag,
return (0);
}
-/* ARGSUSED */
+/* ARGSUSED1 */
static int
ip_helper_stream_close(queue_t *q, int flag)
{
@@ -189,305 +171,91 @@ ip_helper_stream_close(queue_t *q, int flag)
/*
* Public interface for creating an IP stream with shared conn_t
+ * Handles multiple callers in parallel by using conn_lock.
+ * Note that we allocate the helper stream without any locks, which means
+ * we might need to free it if we had two threads doing this concurrently
+ * for the conn_t.
*/
-/* ARGSUSED */
int
ip_create_helper_stream(conn_t *connp, ldi_ident_t li)
{
+ ip_helper_stream_info_t *helper;
int error;
int ret;
ASSERT(!servicing_interrupt());
- error = 0;
- if (IP_USE_HELPER_CACHE) {
- connp->conn_helper_info = kmem_cache_alloc(
- ip_helper_stream_cache, KM_NOSLEEP);
- if (connp->conn_helper_info == NULL)
- return (EAGAIN);
- connp->conn_rq = connp->conn_helper_info->iphs_rq;
- connp->conn_wq = connp->conn_helper_info->iphs_wq;
- /*
- * Doesn't need to hold the QLOCK for there is no one else
- * should have a pointer to this queue.
- */
- connp->conn_rq->q_flag |= QWANTR;
- connp->conn_wq->q_flag |= QWANTR;
-
- connp->conn_rq->q_ptr = connp;
- connp->conn_wq->q_ptr = connp;
- } else {
- ASSERT(connp->conn_helper_info == NULL);
- connp->conn_helper_info = kmem_alloc(
- sizeof (ip_helper_stream_info_t), KM_SLEEP);
- /*
- * open ip device via the layered interface.
- * pass in kcred as some threads do not have the
- * priviledge to open /dev/ip and the check in
- * secpolicy_spec_open() will fail the open
- */
- error = ldi_open_by_name(connp->conn_af_isv6 ?
- DEV_IP6 : DEV_IP, IP_HELPER_STR,
- kcred, &connp->conn_helper_info->iphs_handle, li);
-
- if (error != 0) {
- kmem_free(connp->conn_helper_info,
- (sizeof (ip_helper_stream_info_t)));
- connp->conn_helper_info = NULL;
- return (error);
- }
- /*
- * Share connp with the helper stream
- */
- error = ldi_ioctl(connp->conn_helper_info->iphs_handle,
- SIOCSQPTR, (intptr_t)connp, FKIOCTL, kcred, &ret);
-
- if (error != 0) {
- /*
- * Passing in a zero flag indicates that an error
- * occured and stream was not shared
- */
- (void) ldi_close(connp->conn_helper_info->iphs_handle,
- 0, kcred);
- kmem_free(connp->conn_helper_info,
- (sizeof (ip_helper_stream_info_t)));
- connp->conn_helper_info = NULL;
- }
+ if (connp->conn_helper_info != NULL) {
+ /* Already allocated */
+ return (0);
}
- return (error);
-}
-
-/*
- * Public interface for freeing IP helper stream
- */
-/* ARGSUSED */
-void
-ip_free_helper_stream(conn_t *connp)
-{
- ASSERT(!servicing_interrupt());
- if (IP_USE_HELPER_CACHE) {
-
- if (connp->conn_helper_info == NULL)
- return;
- ASSERT(connp->conn_helper_info->iphs_rq != NULL);
- ASSERT(connp->conn_helper_info->iphs_wq != NULL);
-
- /* Prevent service procedures from being called */
- disable_svc(connp->conn_helper_info->iphs_rq);
-
- /* Wait until service procedure of each queue is run */
- wait_svc(connp->conn_helper_info->iphs_rq);
-
- /* Cleanup any pending ioctls */
- conn_ioctl_cleanup(connp);
-
- /* Allow service procedures to be called again */
- enable_svc(connp->conn_helper_info->iphs_rq);
-
- /* Flush the queues */
- flushq(connp->conn_helper_info->iphs_rq, FLUSHALL);
- flushq(connp->conn_helper_info->iphs_wq, FLUSHALL);
-
- connp->conn_helper_info->iphs_rq->q_ptr = NULL;
- connp->conn_helper_info->iphs_wq->q_ptr = NULL;
-
- kmem_cache_free(ip_helper_stream_cache,
- connp->conn_helper_info);
- } else {
- ASSERT(
- connp->conn_helper_info->iphs_handle != NULL);
-
- connp->conn_helper_info->iphs_rq->q_ptr =
- connp->conn_helper_info->iphs_wq->q_ptr =
- connp->conn_helper_info->iphs_minfo;
- (void) ldi_close(connp->conn_helper_info->iphs_handle,
- IP_HELPER_STR, kcred);
- kmem_free(connp->conn_helper_info,
- sizeof (ip_helper_stream_info_t));
- }
- connp->conn_helper_info = NULL;
-}
-
-/*
- * create a T_SVR4_OPTMGMT_REQ TPI message and send down the IP stream
- */
-static int
-ip_send_option_request(conn_t *connp, uint_t optset_context, int level,
- int option_name, const void *optval, t_uscalar_t optlen, cred_t *cr)
-{
- struct T_optmgmt_req *optmgmt_reqp;
- struct opthdr *ohp;
- ssize_t size;
- mblk_t *mp;
-
- size = sizeof (struct T_optmgmt_req) + sizeof (struct opthdr) + optlen;
- /* Not used to generate UCRED, thus don't need correct pid */
- mp = allocb_cred(size, cr, NOPID);
- if (mp == NULL)
- return (ENOMEM);
-
- mp->b_datap->db_type = M_PROTO;
- optmgmt_reqp = (struct T_optmgmt_req *)mp->b_wptr;
-
- optmgmt_reqp->PRIM_type = T_SVR4_OPTMGMT_REQ;
- optmgmt_reqp->MGMT_flags = optset_context;
- optmgmt_reqp->OPT_length = (t_scalar_t)sizeof (struct opthdr) + optlen;
- optmgmt_reqp->OPT_offset = (t_scalar_t)sizeof (struct T_optmgmt_req);
-
- mp->b_wptr += sizeof (struct T_optmgmt_req);
-
- ohp = (struct opthdr *)mp->b_wptr;
- ohp->level = level;
- ohp->name = option_name;
- ohp->len = optlen;
-
- mp->b_wptr += sizeof (struct opthdr);
-
- if (optval != NULL) {
- bcopy(optval, mp->b_wptr, optlen);
- } else {
- bzero(mp->b_wptr, optlen);
- }
- mp->b_wptr += optlen;
+ error = 0;
+ helper = kmem_alloc(sizeof (ip_helper_stream_info_t), KM_SLEEP);
/*
- * Send down the primitive
+ * open ip device via the layered interface.
+ * pass in kcred as some threads do not have the
+ * priviledge to open /dev/ip and the check in
+ * secpolicy_spec_open() will fail the open
*/
- return (ldi_putmsg(connp->conn_helper_info->iphs_handle, mp));
-}
+ error = ldi_open_by_name((connp->conn_family == AF_INET6 ? DEV_IP6 :
+ DEV_IP), IP_HELPER_STR, kcred, &helper->iphs_handle, li);
-/*
- * wait/process the response to T_SVR4_OPTMGMT_REQ TPI message
- */
-static int
-ip_get_option_response(conn_t *connp, uint_t optset_context, void *optval,
- t_uscalar_t *optlenp)
-{
- union T_primitives *tpr;
- int error;
- mblk_t *mp;
-
- mp = NULL;
-
- ASSERT(optset_context == T_CHECK || optset_context == T_NEGOTIATE);
- error = ldi_getmsg(connp->conn_helper_info->iphs_handle, &mp, NULL);
if (error != 0) {
+ kmem_free(helper, sizeof (ip_helper_stream_info_t));
return (error);
}
-
- if (DB_TYPE(mp) != M_PCPROTO || MBLKL(mp) < sizeof (tpr->type)) {
- error = EPROTO;
- goto done;
- }
-
- tpr = (union T_primitives *)mp->b_rptr;
-
- switch (tpr->type) {
- case T_OPTMGMT_ACK:
- if (MBLKL(mp) < TOPTMGMTACKSZ)
- error = EPROTO;
- break;
- case T_ERROR_ACK:
- if (MBLKL(mp) < TERRORACKSZ) {
- error = EPROTO;
- break;
- }
-
- if (tpr->error_ack.TLI_error == TSYSERR)
- error = tpr->error_ack.UNIX_error;
- else
- error = proto_tlitosyserr(tpr->error_ack.TLI_error);
- break;
- default:
- error = EPROTO;
- break;
+ /* Make sure we are the only one */
+ mutex_enter(&connp->conn_lock);
+ if (connp->conn_helper_info != NULL) {
+ /* Some other thread won - discard this stream */
+ mutex_exit(&connp->conn_lock);
+ (void) ldi_close(helper->iphs_handle, 0, kcred);
+ kmem_free(helper, sizeof (ip_helper_stream_info_t));
+ return (0);
}
+ connp->conn_helper_info = helper;
+ /*
+ * Share connp with the helper stream. We hold conn_lock across this
+ * operation.
+ */
+ error = ldi_ioctl(helper->iphs_handle, SIOCSQPTR, (intptr_t)connp,
+ FKIOCTL, kcred, &ret);
- if ((optset_context == T_CHECK) && (error == 0)) {
- struct opthdr *opt_res;
- t_uscalar_t len;
- t_uscalar_t size;
- t_uscalar_t maxlen = *optlenp;
- void *option;
- struct T_optmgmt_ack *optmgmt_ack;
-
- optmgmt_ack = (struct T_optmgmt_ack *)mp->b_rptr;
- opt_res = (struct opthdr *)
- ((uintptr_t)mp->b_rptr + optmgmt_ack->OPT_offset);
- /*
- * Check mblk boundary
- */
- if (!MBLKIN(mp, optmgmt_ack->OPT_offset,
- optmgmt_ack->OPT_length)) {
- error = EPROTO;
- goto done;
- }
-
- /*
- * Check alignment
- */
- if ((((uintptr_t)opt_res) & (__TPI_ALIGN_SIZE - 1)) != 0) {
- error = EPROTO;
- goto done;
- }
-
- option = &opt_res[1];
-
- /* check to ensure that the option is within bounds */
- if ((((uintptr_t)option + opt_res->len) < (uintptr_t)option) ||
- !MBLKIN(mp, sizeof (struct opthdr), opt_res->len)) {
- error = EPROTO;
- goto done;
- }
-
- len = opt_res->len;
- size = MIN(len, maxlen);
-
+ if (error != 0) {
/*
- * Copy data
+ * Passing in a zero flag indicates that an error
+ * occured and stream was not shared
*/
- bcopy(option, optval, size);
- bcopy(&size, optlenp, sizeof (size));
+ (void) ldi_close(helper->iphs_handle, 0, kcred);
+ kmem_free(helper, sizeof (ip_helper_stream_info_t));
+ connp->conn_helper_info = NULL;
}
-
-done:
- freemsg(mp);
+ mutex_exit(&connp->conn_lock);
return (error);
}
/*
- * Public interface to get socketoptions via the ip helper stream.
- */
-int
-ip_get_options(conn_t *connp, int level, int option_name, void *optval,
- t_uscalar_t *optlenp, cred_t *cr)
-{
- int error;
-
- error = ip_send_option_request(connp, T_CHECK, level, option_name, NULL,
- *optlenp, cr);
- if (error)
- return (error);
-
- return (ip_get_option_response(connp, T_CHECK, optval, optlenp));
-}
-
-/*
- * Public interface to set socket options via the ip helper stream.
+ * Public interface for freeing IP helper stream
+ * Caller must ensure no concurrent use of the conn_t, which is normally
+ * done by calling this from the close routine when the conn_t is quiesced.
*/
-int
-ip_set_options(conn_t *connp, int level, int option_name, const void *optval,
- t_uscalar_t optlen, cred_t *cr)
+void
+ip_free_helper_stream(conn_t *connp)
{
+ ASSERT(!servicing_interrupt());
- int error;
+ if (connp->conn_helper_info == NULL)
+ return;
- error = ip_send_option_request(connp, T_NEGOTIATE, level, option_name,
- optval, optlen, cr);
- if (error)
- return (error);
+ ASSERT(connp->conn_helper_info->iphs_handle != NULL);
- return (ip_get_option_response(connp, T_NEGOTIATE, (void *)optval,
- &optlen));
+ connp->conn_helper_info->iphs_rq->q_ptr =
+ connp->conn_helper_info->iphs_wq->q_ptr =
+ connp->conn_helper_info->iphs_minfo;
+ (void) ldi_close(connp->conn_helper_info->iphs_handle,
+ IP_HELPER_STR, kcred);
+ kmem_free(connp->conn_helper_info, sizeof (ip_helper_stream_info_t));
+ connp->conn_helper_info = NULL;
}
diff --git a/usr/src/uts/common/inet/ip/ip_if.c b/usr/src/uts/common/inet/ip/ip_if.c
index b175f4530f..6066da35b4 100644
--- a/usr/src/uts/common/inet/ip/ip_if.c
+++ b/usr/src/uts/common/inet/ip/ip_if.c
@@ -72,6 +72,7 @@
#include <inet/mi.h>
#include <inet/nd.h>
#include <inet/arp.h>
+#include <inet/ip_arp.h>
#include <inet/mib2.h>
#include <inet/ip.h>
#include <inet/ip6.h>
@@ -88,12 +89,6 @@
#include <inet/ip_netinfo.h>
#include <inet/ilb_ip.h>
-#include <net/pfkeyv2.h>
-#include <inet/ipsec_info.h>
-#include <inet/sadb.h>
-#include <inet/ipsec_impl.h>
-#include <sys/iphada.h>
-
#include <netinet/igmp.h>
#include <inet/ip_listutils.h>
#include <inet/ipclassifier.h>
@@ -119,15 +114,6 @@ typedef struct ipft_s {
#define IPFT_F_NO_REPLY 0x1 /* IP ioctl does not expect any reply */
#define IPFT_F_SELF_REPLY 0x2 /* ioctl callee does the ioctl reply */
-typedef struct ip_sock_ar_s {
- union {
- area_t ip_sock_area;
- ared_t ip_sock_ared;
- areq_t ip_sock_areq;
- } ip_sock_ar_u;
- queue_t *ip_sock_ar_q;
-} ip_sock_ar_t;
-
static int nd_ill_forward_get(queue_t *, mblk_t *, caddr_t, cred_t *);
static int nd_ill_forward_set(queue_t *q, mblk_t *mp,
char *value, caddr_t cp, cred_t *ioc_cr);
@@ -148,7 +134,7 @@ static int ip_sioctl_netmask_tail(ipif_t *ipif, sin_t *sin, queue_t *q,
static int ip_sioctl_subnet_tail(ipif_t *ipif, in6_addr_t, in6_addr_t,
queue_t *q, mblk_t *mp, boolean_t need_up);
static int ip_sioctl_plink_ipmod(ipsq_t *ipsq, queue_t *q, mblk_t *mp,
- int ioccmd, struct linkblk *li, boolean_t doconsist);
+ int ioccmd, struct linkblk *li);
static ipaddr_t ip_subnet_mask(ipaddr_t addr, ipif_t **, ip_stack_t *);
static void ip_wput_ioctl(queue_t *q, mblk_t *mp);
static void ipsq_flush(ill_t *ill);
@@ -159,17 +145,14 @@ static void ipsq_delete(ipsq_t *);
static ipif_t *ipif_allocate(ill_t *ill, int id, uint_t ire_type,
boolean_t initialize, boolean_t insert);
-static void ipif_check_bcast_ires(ipif_t *test_ipif);
static ire_t **ipif_create_bcast_ires(ipif_t *ipif, ire_t **irep);
+static void ipif_delete_bcast_ires(ipif_t *ipif);
+static int ipif_add_ires_v4(ipif_t *, boolean_t);
static boolean_t ipif_comp_multi(ipif_t *old_ipif, ipif_t *new_ipif,
boolean_t isv6);
-static void ipif_down_delete_ire(ire_t *ire, char *ipif);
-static void ipif_delete_cache_ire(ire_t *, char *);
static int ipif_logical_down(ipif_t *ipif, queue_t *q, mblk_t *mp);
static void ipif_free(ipif_t *ipif);
static void ipif_free_tail(ipif_t *ipif);
-static void ipif_mtu_change(ire_t *ire, char *ipif_arg);
-static void ipif_recreate_interface_routes(ipif_t *old_ipif, ipif_t *ipif);
static void ipif_set_default(ipif_t *ipif);
static int ipif_set_values(queue_t *q, mblk_t *mp,
char *interf_name, uint_t *ppa);
@@ -177,17 +160,13 @@ static int ipif_set_values_tail(ill_t *ill, ipif_t *ipif, mblk_t *mp,
queue_t *q);
static ipif_t *ipif_lookup_on_name(char *name, size_t namelen,
boolean_t do_alloc, boolean_t *exists, boolean_t isv6, zoneid_t zoneid,
- queue_t *q, mblk_t *mp, ipsq_func_t func, int *error, ip_stack_t *);
-static void ipif_update_other_ipifs(ipif_t *old_ipif);
+ ip_stack_t *);
static int ill_alloc_ppa(ill_if_t *, ill_t *);
-static int ill_arp_off(ill_t *ill);
-static int ill_arp_on(ill_t *ill);
static void ill_delete_interface_type(ill_if_t *);
static int ill_dl_up(ill_t *ill, ipif_t *ipif, mblk_t *mp, queue_t *q);
static void ill_dl_down(ill_t *ill);
static void ill_down(ill_t *ill);
-static void ill_downi(ire_t *ire, char *ill_arg);
static void ill_free_mib(ill_t *ill);
static void ill_glist_delete(ill_t *);
static void ill_phyint_reinit(ill_t *ill);
@@ -199,38 +178,22 @@ static ip_v6intfid_func_t ip_ether_v6intfid, ip_ib_v6intfid;
static ip_v6intfid_func_t ip_ipv4_v6intfid, ip_ipv6_v6intfid;
static ip_v6intfid_func_t ip_ipmp_v6intfid, ip_nodef_v6intfid;
static ip_v6intfid_func_t ip_ipv4_v6destintfid, ip_ipv6_v6destintfid;
-static ip_v6mapinfo_func_t ip_ether_v6mapinfo, ip_ib_v6mapinfo;
-static ip_v6mapinfo_func_t ip_nodef_v6mapinfo;
-static ip_v4mapinfo_func_t ip_ether_v4mapinfo, ip_ib_v4mapinfo;
-static ip_v4mapinfo_func_t ip_nodef_v4mapinfo;
-static void ipif_save_ire(ipif_t *, ire_t *);
-static void ipif_remove_ire(ipif_t *, ire_t *);
-static void ip_cgtp_bcast_add(ire_t *, ire_t *, ip_stack_t *);
+static ip_v4mapinfo_func_t ip_ether_v4_mapping;
+static ip_v6mapinfo_func_t ip_ether_v6_mapping;
+static ip_v4mapinfo_func_t ip_ib_v4_mapping;
+static ip_v6mapinfo_func_t ip_ib_v6_mapping;
+static ip_v4mapinfo_func_t ip_mbcast_mapping;
+static void ip_cgtp_bcast_add(ire_t *, ip_stack_t *);
static void ip_cgtp_bcast_delete(ire_t *, ip_stack_t *);
static void phyint_free(phyint_t *);
-/*
- * Per-ill IPsec capabilities management.
- */
-static ill_ipsec_capab_t *ill_ipsec_capab_alloc(void);
-static void ill_ipsec_capab_free(ill_ipsec_capab_t *);
-static void ill_ipsec_capab_add(ill_t *, uint_t, boolean_t);
-static void ill_ipsec_capab_delete(ill_t *, uint_t);
-static boolean_t ill_ipsec_capab_resize_algparm(ill_ipsec_capab_t *, int);
-static void ill_capability_dispatch(ill_t *, mblk_t *, dl_capability_sub_t *,
- boolean_t);
+static void ill_capability_dispatch(ill_t *, mblk_t *, dl_capability_sub_t *);
static void ill_capability_id_ack(ill_t *, mblk_t *, dl_capability_sub_t *);
-static void ill_capability_mdt_ack(ill_t *, mblk_t *, dl_capability_sub_t *);
-static void ill_capability_mdt_reset_fill(ill_t *, mblk_t *);
-static void ill_capability_ipsec_ack(ill_t *, mblk_t *, dl_capability_sub_t *);
-static void ill_capability_ipsec_reset_fill(ill_t *, mblk_t *);
static void ill_capability_hcksum_ack(ill_t *, mblk_t *, dl_capability_sub_t *);
static void ill_capability_hcksum_reset_fill(ill_t *, mblk_t *);
static void ill_capability_zerocopy_ack(ill_t *, mblk_t *,
dl_capability_sub_t *);
static void ill_capability_zerocopy_reset_fill(ill_t *, mblk_t *);
-static int ill_capability_ipsec_reset_size(ill_t *, int *, int *, int *,
- int *);
static void ill_capability_dld_reset_fill(ill_t *, mblk_t *);
static void ill_capability_dld_ack(ill_t *, mblk_t *,
dl_capability_sub_t *);
@@ -242,11 +205,11 @@ static void ill_capability_send(ill_t *, mblk_t *);
static ill_t *ill_prev_usesrc(ill_t *);
static int ill_relink_usesrc_ills(ill_t *, ill_t *, uint_t);
static void ill_disband_usesrc_group(ill_t *);
-static void conn_cleanup_stale_ire(conn_t *, caddr_t);
+static void ip_sioctl_garp_reply(mblk_t *, ill_t *, void *, int);
#ifdef DEBUG
-static void ill_trace_cleanup(const ill_t *);
-static void ipif_trace_cleanup(const ipif_t *);
+static void ill_trace_cleanup(const ill_t *);
+static void ipif_trace_cleanup(const ipif_t *);
#endif
/*
@@ -255,182 +218,10 @@ static void ipif_trace_cleanup(const ipif_t *);
*/
int ip_min_frag_prune_time = 0;
-/*
- * max # of IPsec algorithms supported. Limited to 1 byte by PF_KEY
- * and the IPsec DOI
- */
-#define MAX_IPSEC_ALGS 256
-
-#define BITSPERBYTE 8
-#define BITS(type) (BITSPERBYTE * (long)sizeof (type))
-
-#define IPSEC_ALG_ENABLE(algs, algid) \
- ((algs)[(algid) / BITS(ipsec_capab_elem_t)] |= \
- (1 << ((algid) % BITS(ipsec_capab_elem_t))))
-
-#define IPSEC_ALG_IS_ENABLED(algid, algs) \
- ((algs)[(algid) / BITS(ipsec_capab_elem_t)] & \
- (1 << ((algid) % BITS(ipsec_capab_elem_t))))
-
-typedef uint8_t ipsec_capab_elem_t;
-
-/*
- * Per-algorithm parameters. Note that at present, only encryption
- * algorithms have variable keysize (IKE does not provide a way to negotiate
- * auth algorithm keysize).
- *
- * All sizes here are in bits.
- */
-typedef struct
-{
- uint16_t minkeylen;
- uint16_t maxkeylen;
-} ipsec_capab_algparm_t;
-
-/*
- * Per-ill capabilities.
- */
-struct ill_ipsec_capab_s {
- ipsec_capab_elem_t *encr_hw_algs;
- ipsec_capab_elem_t *auth_hw_algs;
- uint32_t algs_size; /* size of _hw_algs in bytes */
- /* algorithm key lengths */
- ipsec_capab_algparm_t *encr_algparm;
- uint32_t encr_algparm_size;
- uint32_t encr_algparm_end;
-};
-
-/*
- * The field values are larger than strictly necessary for simple
- * AR_ENTRY_ADDs but the padding lets us accomodate the socket ioctls.
- */
-static area_t ip_area_template = {
- AR_ENTRY_ADD, /* area_cmd */
- sizeof (ip_sock_ar_t) + (IP_ADDR_LEN*2) + sizeof (struct sockaddr_dl),
- /* area_name_offset */
- /* area_name_length temporarily holds this structure length */
- sizeof (area_t), /* area_name_length */
- IP_ARP_PROTO_TYPE, /* area_proto */
- sizeof (ip_sock_ar_t), /* area_proto_addr_offset */
- IP_ADDR_LEN, /* area_proto_addr_length */
- sizeof (ip_sock_ar_t) + IP_ADDR_LEN,
- /* area_proto_mask_offset */
- 0, /* area_flags */
- sizeof (ip_sock_ar_t) + IP_ADDR_LEN + IP_ADDR_LEN,
- /* area_hw_addr_offset */
- /* Zero length hw_addr_length means 'use your idea of the address' */
- 0 /* area_hw_addr_length */
-};
-
-/*
- * AR_ENTRY_ADD/DELETE templates have been added for IPv6 external resolver
- * support
- */
-static area_t ip6_area_template = {
- AR_ENTRY_ADD, /* area_cmd */
- sizeof (ip_sock_ar_t) + (IPV6_ADDR_LEN*2) + sizeof (sin6_t),
- /* area_name_offset */
- /* area_name_length temporarily holds this structure length */
- sizeof (area_t), /* area_name_length */
- IP_ARP_PROTO_TYPE, /* area_proto */
- sizeof (ip_sock_ar_t), /* area_proto_addr_offset */
- IPV6_ADDR_LEN, /* area_proto_addr_length */
- sizeof (ip_sock_ar_t) + IPV6_ADDR_LEN,
- /* area_proto_mask_offset */
- 0, /* area_flags */
- sizeof (ip_sock_ar_t) + IPV6_ADDR_LEN + IPV6_ADDR_LEN,
- /* area_hw_addr_offset */
- /* Zero length hw_addr_length means 'use your idea of the address' */
- 0 /* area_hw_addr_length */
-};
-
-static ared_t ip_ared_template = {
- AR_ENTRY_DELETE,
- sizeof (ared_t) + IP_ADDR_LEN,
- sizeof (ared_t),
- IP_ARP_PROTO_TYPE,
- sizeof (ared_t),
- IP_ADDR_LEN,
- 0
-};
-
-static ared_t ip6_ared_template = {
- AR_ENTRY_DELETE,
- sizeof (ared_t) + IPV6_ADDR_LEN,
- sizeof (ared_t),
- IP_ARP_PROTO_TYPE,
- sizeof (ared_t),
- IPV6_ADDR_LEN,
- 0
-};
-
-/*
- * A template for an IPv6 AR_ENTRY_QUERY template has not been created, as
- * as the areq doesn't include an IP address in ill_dl_up() (the only place a
- * areq is used).
- */
-static areq_t ip_areq_template = {
- AR_ENTRY_QUERY, /* cmd */
- sizeof (areq_t)+(2*IP_ADDR_LEN), /* name offset */
- sizeof (areq_t), /* name len (filled by ill_arp_alloc) */
- IP_ARP_PROTO_TYPE, /* protocol, from arps perspective */
- sizeof (areq_t), /* target addr offset */
- IP_ADDR_LEN, /* target addr_length */
- 0, /* flags */
- sizeof (areq_t) + IP_ADDR_LEN, /* sender addr offset */
- IP_ADDR_LEN, /* sender addr length */
- AR_EQ_DEFAULT_XMIT_COUNT, /* xmit_count */
- AR_EQ_DEFAULT_XMIT_INTERVAL, /* (re)xmit_interval in milliseconds */
- AR_EQ_DEFAULT_MAX_BUFFERED /* max # of requests to buffer */
- /* anything else filled in by the code */
-};
-
-static arc_t ip_aru_template = {
- AR_INTERFACE_UP,
- sizeof (arc_t), /* Name offset */
- sizeof (arc_t) /* Name length (set by ill_arp_alloc) */
-};
-
-static arc_t ip_ard_template = {
- AR_INTERFACE_DOWN,
- sizeof (arc_t), /* Name offset */
- sizeof (arc_t) /* Name length (set by ill_arp_alloc) */
-};
-
-static arc_t ip_aron_template = {
- AR_INTERFACE_ON,
- sizeof (arc_t), /* Name offset */
- sizeof (arc_t) /* Name length (set by ill_arp_alloc) */
-};
-
-static arc_t ip_aroff_template = {
- AR_INTERFACE_OFF,
- sizeof (arc_t), /* Name offset */
- sizeof (arc_t) /* Name length (set by ill_arp_alloc) */
-};
-
-static arma_t ip_arma_multi_template = {
- AR_MAPPING_ADD,
- sizeof (arma_t) + 3*IP_ADDR_LEN + IP_MAX_HW_LEN,
- /* Name offset */
- sizeof (arma_t), /* Name length (set by ill_arp_alloc) */
- IP_ARP_PROTO_TYPE,
- sizeof (arma_t), /* proto_addr_offset */
- IP_ADDR_LEN, /* proto_addr_length */
- sizeof (arma_t) + IP_ADDR_LEN, /* proto_mask_offset */
- sizeof (arma_t) + 2*IP_ADDR_LEN, /* proto_extract_mask_offset */
- ACE_F_PERMANENT | ACE_F_MAPPING, /* flags */
- sizeof (arma_t) + 3*IP_ADDR_LEN, /* hw_addr_offset */
- IP_MAX_HW_LEN, /* hw_addr_length */
- 0, /* hw_mapping_start */
-};
-
static ipft_t ip_ioctl_ftbl[] = {
{ IP_IOC_IRE_DELETE, ip_ire_delete, sizeof (ipid_t), 0 },
{ IP_IOC_IRE_DELETE_NO_REPLY, ip_ire_delete, sizeof (ipid_t),
IPFT_F_NO_REPLY },
- { IP_IOC_IRE_ADVISE_NO_REPLY, ip_ire_advise, sizeof (ipic_t),
- IPFT_F_NO_REPLY },
{ IP_IOC_RTS_REQUEST, ip_rts_request, 0, IPFT_F_SELF_REPLY },
{ 0 }
};
@@ -444,35 +235,38 @@ static uchar_t ip_six_byte_all_ones[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
static ip_m_t ip_m_tbl[] = {
{ DL_ETHER, IFT_ETHER, ETHERTYPE_IP, ETHERTYPE_IPV6,
- ip_ether_v4mapinfo, ip_ether_v6mapinfo, ip_ether_v6intfid,
+ ip_ether_v4_mapping, ip_ether_v6_mapping, ip_ether_v6intfid,
ip_nodef_v6intfid },
{ DL_CSMACD, IFT_ISO88023, ETHERTYPE_IP, ETHERTYPE_IPV6,
- ip_ether_v4mapinfo, ip_ether_v6mapinfo, ip_nodef_v6intfid,
+ ip_ether_v4_mapping, ip_ether_v6_mapping, ip_nodef_v6intfid,
ip_nodef_v6intfid },
{ DL_TPB, IFT_ISO88024, ETHERTYPE_IP, ETHERTYPE_IPV6,
- ip_ether_v4mapinfo, ip_ether_v6mapinfo, ip_nodef_v6intfid,
+ ip_ether_v4_mapping, ip_ether_v6_mapping, ip_nodef_v6intfid,
ip_nodef_v6intfid },
{ DL_TPR, IFT_ISO88025, ETHERTYPE_IP, ETHERTYPE_IPV6,
- ip_ether_v4mapinfo, ip_ether_v6mapinfo, ip_nodef_v6intfid,
+ ip_ether_v4_mapping, ip_ether_v6_mapping, ip_nodef_v6intfid,
ip_nodef_v6intfid },
{ DL_FDDI, IFT_FDDI, ETHERTYPE_IP, ETHERTYPE_IPV6,
- ip_ether_v4mapinfo, ip_ether_v6mapinfo, ip_ether_v6intfid,
+ ip_ether_v4_mapping, ip_ether_v6_mapping, ip_ether_v6intfid,
ip_nodef_v6intfid },
{ DL_IB, IFT_IB, ETHERTYPE_IP, ETHERTYPE_IPV6,
- ip_ib_v4mapinfo, ip_ib_v6mapinfo, ip_ib_v6intfid,
+ ip_ib_v4_mapping, ip_ib_v6_mapping, ip_ib_v6intfid,
+ ip_nodef_v6intfid },
+ { DL_IPV4, IFT_IPV4, IPPROTO_ENCAP, IPPROTO_IPV6,
+ ip_mbcast_mapping, ip_mbcast_mapping, ip_ipv4_v6intfid,
+ ip_ipv4_v6destintfid },
+ { DL_IPV6, IFT_IPV6, IPPROTO_ENCAP, IPPROTO_IPV6,
+ ip_mbcast_mapping, ip_mbcast_mapping, ip_ipv6_v6intfid,
+ ip_ipv6_v6destintfid },
+ { DL_6TO4, IFT_6TO4, IPPROTO_ENCAP, IPPROTO_IPV6,
+ ip_mbcast_mapping, ip_mbcast_mapping, ip_ipv4_v6intfid,
ip_nodef_v6intfid },
- { DL_IPV4, IFT_IPV4, IPPROTO_ENCAP, IPPROTO_IPV6, ip_nodef_v4mapinfo,
- ip_nodef_v6mapinfo, ip_ipv4_v6intfid, ip_ipv4_v6destintfid },
- { DL_IPV6, IFT_IPV6, IPPROTO_ENCAP, IPPROTO_IPV6, ip_nodef_v4mapinfo,
- ip_nodef_v6mapinfo, ip_ipv6_v6intfid, ip_ipv6_v6destintfid },
- { DL_6TO4, IFT_6TO4, IPPROTO_ENCAP, IPPROTO_IPV6, ip_nodef_v4mapinfo,
- ip_nodef_v6mapinfo, ip_ipv4_v6intfid, ip_nodef_v6intfid },
{ SUNW_DL_VNI, IFT_OTHER, ETHERTYPE_IP, ETHERTYPE_IPV6,
NULL, NULL, ip_nodef_v6intfid, ip_nodef_v6intfid },
{ SUNW_DL_IPMP, IFT_OTHER, ETHERTYPE_IP, ETHERTYPE_IPV6,
NULL, NULL, ip_ipmp_v6intfid, ip_nodef_v6intfid },
{ DL_OTHER, IFT_OTHER, ETHERTYPE_IP, ETHERTYPE_IPV6,
- ip_ether_v4mapinfo, ip_ether_v6mapinfo, ip_nodef_v6intfid,
+ ip_ether_v4_mapping, ip_ether_v6_mapping, ip_nodef_v6intfid,
ip_nodef_v6intfid }
};
@@ -567,149 +361,6 @@ ill_allocate_mibs(ill_t *ill)
}
/*
- * Common code for preparation of ARP commands. Two points to remember:
- * 1) The ill_name is tacked on at the end of the allocated space so
- * the templates name_offset field must contain the total space
- * to allocate less the name length.
- *
- * 2) The templates name_length field should contain the *template*
- * length. We use it as a parameter to bcopy() and then write
- * the real ill_name_length into the name_length field of the copy.
- * (Always called as writer.)
- */
-mblk_t *
-ill_arp_alloc(ill_t *ill, const uchar_t *template, caddr_t addr)
-{
- arc_t *arc = (arc_t *)template;
- char *cp;
- int len;
- mblk_t *mp;
- uint_t name_length = ill->ill_name_length;
- uint_t template_len = arc->arc_name_length;
-
- len = arc->arc_name_offset + name_length;
- mp = allocb(len, BPRI_HI);
- if (mp == NULL)
- return (NULL);
- cp = (char *)mp->b_rptr;
- mp->b_wptr = (uchar_t *)&cp[len];
- if (template_len)
- bcopy(template, cp, template_len);
- if (len > template_len)
- bzero(&cp[template_len], len - template_len);
- mp->b_datap->db_type = M_PROTO;
-
- arc = (arc_t *)cp;
- arc->arc_name_length = name_length;
- cp = (char *)arc + arc->arc_name_offset;
- bcopy(ill->ill_name, cp, name_length);
-
- if (addr) {
- area_t *area = (area_t *)mp->b_rptr;
-
- cp = (char *)area + area->area_proto_addr_offset;
- bcopy(addr, cp, area->area_proto_addr_length);
- if (area->area_cmd == AR_ENTRY_ADD) {
- cp = (char *)area;
- len = area->area_proto_addr_length;
- if (area->area_proto_mask_offset)
- cp += area->area_proto_mask_offset;
- else
- cp += area->area_proto_addr_offset + len;
- while (len-- > 0)
- *cp++ = (char)~0;
- }
- }
- return (mp);
-}
-
-mblk_t *
-ipif_area_alloc(ipif_t *ipif, uint_t optflags)
-{
- caddr_t addr;
- mblk_t *mp;
- area_t *area;
- uchar_t *areap;
- ill_t *ill = ipif->ipif_ill;
-
- if (ill->ill_isv6) {
- ASSERT(ill->ill_flags & ILLF_XRESOLV);
- addr = (caddr_t)&ipif->ipif_v6lcl_addr;
- areap = (uchar_t *)&ip6_area_template;
- } else {
- addr = (caddr_t)&ipif->ipif_lcl_addr;
- areap = (uchar_t *)&ip_area_template;
- }
-
- if ((mp = ill_arp_alloc(ill, areap, addr)) == NULL)
- return (NULL);
-
- /*
- * IPMP requires that the hardware address be included in all
- * AR_ENTRY_ADD requests so that ARP can deduce the arl to send on.
- * If there are no active underlying ills in the group (and thus no
- * hardware address, DAD will be deferred until an underlying ill
- * becomes active.
- */
- if (IS_IPMP(ill)) {
- if ((ill = ipmp_ipif_hold_bound_ill(ipif)) == NULL) {
- freemsg(mp);
- return (NULL);
- }
- } else {
- ill_refhold(ill);
- }
-
- area = (area_t *)mp->b_rptr;
- area->area_flags = ACE_F_PERMANENT | ACE_F_PUBLISH | ACE_F_MYADDR;
- area->area_flags |= optflags;
- area->area_hw_addr_length = ill->ill_phys_addr_length;
- bcopy(ill->ill_phys_addr, mp->b_rptr + area->area_hw_addr_offset,
- area->area_hw_addr_length);
-
- ill_refrele(ill);
- return (mp);
-}
-
-mblk_t *
-ipif_ared_alloc(ipif_t *ipif)
-{
- caddr_t addr;
- uchar_t *aredp;
-
- if (ipif->ipif_ill->ill_isv6) {
- ASSERT(ipif->ipif_ill->ill_flags & ILLF_XRESOLV);
- addr = (caddr_t)&ipif->ipif_v6lcl_addr;
- aredp = (uchar_t *)&ip6_ared_template;
- } else {
- addr = (caddr_t)&ipif->ipif_lcl_addr;
- aredp = (uchar_t *)&ip_ared_template;
- }
-
- return (ill_arp_alloc(ipif->ipif_ill, aredp, addr));
-}
-
-mblk_t *
-ill_ared_alloc(ill_t *ill, ipaddr_t addr)
-{
- return (ill_arp_alloc(ill, (uchar_t *)&ip_ared_template,
- (char *)&addr));
-}
-
-mblk_t *
-ill_arie_alloc(ill_t *ill, const char *grifname, const void *template)
-{
- mblk_t *mp = ill_arp_alloc(ill, template, 0);
- arie_t *arie;
-
- if (mp != NULL) {
- arie = (arie_t *)mp->b_rptr;
- (void) strlcpy(arie->arie_grifname, grifname, LIFNAMSIZ);
- }
- return (mp);
-}
-
-/*
* Completely vaporize a lower level tap and all associated interfaces.
* ill_delete is called only out of ip_close when the device control
* stream is being closed.
@@ -735,8 +386,8 @@ ill_delete(ill_t *ill)
* remove it from the list, and free the data structure.
* Walk down the ipif list and remove the logical interfaces
* first before removing the main ipif. We can't unplumb
- * zeroth interface first in the case of IPv6 as reset_conn_ill
- * -> ip_ll_delmulti_v6 de-references ill_ipif for checking
+ * zeroth interface first in the case of IPv6 as update_conn_ill
+ * -> ip_ll_multireq de-references ill_ipif for checking
* POINTOPOINT.
*
* If ill_ipif was not properly initialized (i.e low on memory),
@@ -747,22 +398,15 @@ ill_delete(ill_t *ill)
ipif_free(ipif);
/*
- * Used only by ill_arp_on and ill_arp_off, which are writers.
- * So nobody can be using this mp now. Free the mp allocated for
- * honoring ILLF_NOARP
+ * clean out all the nce_t entries that depend on this
+ * ill for the ill_phys_addr.
*/
- freemsg(ill->ill_arp_on_mp);
- ill->ill_arp_on_mp = NULL;
+ nce_flush(ill, B_TRUE);
/* Clean up msgs on pending upcalls for mrouted */
reset_mrt_ill(ill);
- /*
- * ipif_free -> reset_conn_ipif will remove all multicast
- * references for IPv4. For IPv6, we need to do it here as
- * it points only at ills.
- */
- reset_conn_ill(ill);
+ update_conn_ill(ill, ipst);
/*
* Remove multicast references added as a result of calls to
@@ -786,6 +430,16 @@ ill_delete(ill_t *ill)
sctp_update_ill(ill, SCTP_ILL_REMOVE);
/*
+ * Walk all CONNs that can have a reference on an ire or nce for this
+ * ill (we actually walk all that now have stale references).
+ */
+ ipcl_walk(conn_ixa_cleanup, (void *)B_TRUE, ipst);
+
+ /* With IPv6 we have dce_ifindex. Cleanup for neatness */
+ if (ill->ill_isv6)
+ dce_cleanup(ill->ill_phyint->phyint_ifindex, ipst);
+
+ /*
* If an address on this ILL is being used as a source address then
* clear out the pointers in other ILLs that point to this ILL.
*/
@@ -828,12 +482,10 @@ ill_delete_tail(ill_t *ill)
for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
ipif_non_duplicate(ipif);
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
}
- ASSERT(ill->ill_ipif_dup_count == 0 &&
- ill->ill_arp_down_mp == NULL &&
- ill->ill_arp_del_mapping_mp == NULL);
+ ASSERT(ill->ill_ipif_dup_count == 0);
/*
* If polling capability is enabled (which signifies direct
@@ -864,23 +516,6 @@ ill_delete_tail(ill_t *ill)
/*
* Free capabilities.
*/
- if (ill->ill_ipsec_capab_ah != NULL) {
- ill_ipsec_capab_delete(ill, DL_CAPAB_IPSEC_AH);
- ill_ipsec_capab_free(ill->ill_ipsec_capab_ah);
- ill->ill_ipsec_capab_ah = NULL;
- }
-
- if (ill->ill_ipsec_capab_esp != NULL) {
- ill_ipsec_capab_delete(ill, DL_CAPAB_IPSEC_ESP);
- ill_ipsec_capab_free(ill->ill_ipsec_capab_esp);
- ill->ill_ipsec_capab_esp = NULL;
- }
-
- if (ill->ill_mdt_capab != NULL) {
- kmem_free(ill->ill_mdt_capab, sizeof (ill_mdt_capab_t));
- ill->ill_mdt_capab = NULL;
- }
-
if (ill->ill_hcksum_capab != NULL) {
kmem_free(ill->ill_hcksum_capab, sizeof (ill_hcksum_capab_t));
ill->ill_hcksum_capab = NULL;
@@ -911,11 +546,10 @@ ill_delete_tail(ill_t *ill)
*
* We don't walk conns, mrts and ires because
*
- * 1) reset_conn_ill and reset_mrt_ill cleans up conns and mrts.
+ * 1) update_conn_ill and reset_mrt_ill cleans up conns and mrts.
* 2) ill_down ->ill_downi walks all the ires and cleans up
* ill references.
*/
- ASSERT(ilm_walk_ill(ill) == 0);
/*
* If this ill is an IPMP meta-interface, blow away the illgrp. This
@@ -974,6 +608,9 @@ ill_delete_tail(ill_t *ill)
ill_trace_cleanup(ill);
#endif
+ /* The default multicast interface might have changed */
+ ire_increment_multicast_generation(ipst, ill->ill_isv6);
+
/* Drop refcnt here */
netstack_rele(ill->ill_ipst->ips_netstack);
ill->ill_ipst = NULL;
@@ -1077,97 +714,6 @@ ill_dlur_gen(uchar_t *addr, uint_t addr_length, t_uscalar_t sap,
}
/*
- * Add the 'mp' to the list of pending mp's headed by ill_pending_mp. Return
- * an error if we already have 1 or more ioctls in progress. This is only
- * needed for SIOCG*ARP.
- */
-boolean_t
-ill_pending_mp_add(ill_t *ill, conn_t *connp, mblk_t *add_mp)
-{
- ASSERT(MUTEX_HELD(&ill->ill_lock));
- ASSERT((add_mp->b_next == NULL) && (add_mp->b_prev == NULL));
- /* We should only see M_IOCDATA arp ioctls here. */
- ASSERT(add_mp->b_datap->db_type == M_IOCDATA);
-
- ASSERT(MUTEX_HELD(&connp->conn_lock));
- /*
- * Return error if the conn has started closing. The conn
- * could have finished cleaning up the pending mp list,
- * If so we should not add another mp to the list negating
- * the cleanup.
- */
- if (connp->conn_state_flags & CONN_CLOSING)
- return (B_FALSE);
- /*
- * Add the pending mp to the head of the list, chained by b_next.
- * Note down the conn on which the ioctl request came, in b_prev.
- * This will be used to later get the conn, when we get a response
- * on the ill queue, from some other module (typically arp)
- */
- add_mp->b_next = (void *)ill->ill_pending_mp;
- add_mp->b_queue = CONNP_TO_WQ(connp);
- ill->ill_pending_mp = add_mp;
- if (connp != NULL)
- connp->conn_oper_pending_ill = ill;
- return (B_TRUE);
-}
-
-/*
- * Retrieve the ill_pending_mp and return it. We have to walk the list
- * of mblks starting at ill_pending_mp, and match based on the ioc_id.
- */
-mblk_t *
-ill_pending_mp_get(ill_t *ill, conn_t **connpp, uint_t ioc_id)
-{
- mblk_t *prev = NULL;
- mblk_t *curr = NULL;
- uint_t id;
- conn_t *connp;
-
- /*
- * When the conn closes, conn_ioctl_cleanup needs to clean
- * up the pending mp, but it does not know the ioc_id and
- * passes in a zero for it.
- */
- mutex_enter(&ill->ill_lock);
- if (ioc_id != 0)
- *connpp = NULL;
-
- /* Search the list for the appropriate ioctl based on ioc_id */
- for (prev = NULL, curr = ill->ill_pending_mp; curr != NULL;
- prev = curr, curr = curr->b_next) {
- id = ((struct iocblk *)curr->b_rptr)->ioc_id;
- connp = Q_TO_CONN(curr->b_queue);
- /* Match based on the ioc_id or based on the conn */
- if ((id == ioc_id) || (ioc_id == 0 && connp == *connpp))
- break;
- }
-
- if (curr != NULL) {
- /* Unlink the mblk from the pending mp list */
- if (prev != NULL) {
- prev->b_next = curr->b_next;
- } else {
- ASSERT(ill->ill_pending_mp == curr);
- ill->ill_pending_mp = curr->b_next;
- }
-
- /*
- * conn refcnt must have been bumped up at the start of
- * the ioctl. So we can safely access the conn.
- */
- ASSERT(CONN_Q(curr->b_queue));
- *connpp = Q_TO_CONN(curr->b_queue);
- curr->b_next = NULL;
- curr->b_queue = NULL;
- }
-
- mutex_exit(&ill->ill_lock);
-
- return (curr);
-}
-
-/*
* Add the pending mp to the list. There can be only 1 pending mp
* in the list. Any exclusive ioctl that needs to wait for a response
* from another module or driver needs to use this function to set
@@ -1283,6 +829,7 @@ ipsq_pending_mp_cleanup(ill_t *ill, conn_t *connp)
ipxop_t *ipx;
queue_t *q;
ipif_t *ipif;
+ int cmd;
ASSERT(IAM_WRITER_ILL(ill));
ipx = ill->ill_phyint->phyint_ipsq->ipsq_xop;
@@ -1312,11 +859,16 @@ ipsq_pending_mp_cleanup(ill_t *ill, conn_t *connp)
ipx->ipx_pending_ipif = NULL;
ipx->ipx_waitfor = 0;
ipx->ipx_current_ipif = NULL;
+ cmd = ipx->ipx_current_ioctl;
ipx->ipx_current_ioctl = 0;
ipx->ipx_current_done = B_TRUE;
mutex_exit(&ipx->ipx_lock);
if (DB_TYPE(mp) == M_IOCTL || DB_TYPE(mp) == M_IOCDATA) {
+ DTRACE_PROBE4(ipif__ioctl,
+ char *, "ipsq_pending_mp_cleanup",
+ int, cmd, ill_t *, ipif == NULL ? NULL : ipif->ipif_ill,
+ ipif_t *, ipif);
if (connp == NULL) {
ip_ioctl_finish(q, mp, ENXIO, NO_COPYOUT, NULL);
} else {
@@ -1337,43 +889,6 @@ ipsq_pending_mp_cleanup(ill_t *ill, conn_t *connp)
}
/*
- * The ill is closing. Cleanup all the pending mps. Called exclusively
- * towards the end of ill_delete. The refcount has gone to 0. So nobody
- * knows this ill, and hence nobody can add an mp to this list
- */
-static void
-ill_pending_mp_cleanup(ill_t *ill)
-{
- mblk_t *mp;
- queue_t *q;
-
- ASSERT(IAM_WRITER_ILL(ill));
-
- mutex_enter(&ill->ill_lock);
- /*
- * Every mp on the pending mp list originating from an ioctl
- * added 1 to the conn refcnt, at the start of the ioctl.
- * So bump it down now. See comments in ip_wput_nondata()
- */
- while (ill->ill_pending_mp != NULL) {
- mp = ill->ill_pending_mp;
- ill->ill_pending_mp = mp->b_next;
- mutex_exit(&ill->ill_lock);
-
- q = mp->b_queue;
- ASSERT(CONN_Q(q));
- mp->b_next = NULL;
- mp->b_prev = NULL;
- mp->b_queue = NULL;
- ip_ioctl_finish(q, mp, ENXIO, NO_COPYOUT, NULL);
- mutex_enter(&ill->ill_lock);
- }
- ill->ill_pending_ipif = NULL;
-
- mutex_exit(&ill->ill_lock);
-}
-
-/*
* Called in the conn close path and ill delete path
*/
static void
@@ -1435,6 +950,9 @@ ipsq_xopq_mp_cleanup(ill_t *ill, conn_t *connp)
curr->b_prev = NULL;
curr->b_queue = NULL;
if (DB_TYPE(curr) == M_IOCTL || DB_TYPE(curr) == M_IOCDATA) {
+ DTRACE_PROBE4(ipif__ioctl,
+ char *, "ipsq_xopq_mp_cleanup",
+ int, 0, ill_t *, NULL, ipif_t *, NULL);
ip_ioctl_finish(q, curr, ENXIO, connp != NULL ?
CONN_CLOSE : NO_COPYOUT, NULL);
} else {
@@ -1455,7 +973,6 @@ ipsq_xopq_mp_cleanup(ill_t *ill, conn_t *connp)
void
conn_ioctl_cleanup(conn_t *connp)
{
- mblk_t *curr;
ipsq_t *ipsq;
ill_t *ill;
boolean_t refheld;
@@ -1476,13 +993,6 @@ conn_ioctl_cleanup(conn_t *connp)
return;
}
- curr = ill_pending_mp_get(ill, &connp, 0);
- if (curr != NULL) {
- mutex_exit(&connp->conn_lock);
- CONN_DEC_REF(connp);
- inet_freemsg(curr);
- return;
- }
/*
* We may not be able to refhold the ill if the ill/ipif
* is changing. But we need to make sure that the ill will
@@ -1522,58 +1032,43 @@ conn_ioctl_cleanup(conn_t *connp)
/*
* ipcl_walk function for cleaning up conn_*_ill fields.
+ * Note that we leave ixa_multicast_ifindex, conn_incoming_ifindex, and
+ * conn_bound_if in place. We prefer dropping
+ * packets instead of sending them out the wrong interface, or accepting
+ * packets from the wrong ifindex.
*/
static void
conn_cleanup_ill(conn_t *connp, caddr_t arg)
{
ill_t *ill = (ill_t *)arg;
- ire_t *ire;
mutex_enter(&connp->conn_lock);
- if (connp->conn_multicast_ill == ill) {
- /* Revert to late binding */
- connp->conn_multicast_ill = NULL;
- }
- if (connp->conn_incoming_ill == ill)
- connp->conn_incoming_ill = NULL;
- if (connp->conn_outgoing_ill == ill)
- connp->conn_outgoing_ill = NULL;
if (connp->conn_dhcpinit_ill == ill) {
connp->conn_dhcpinit_ill = NULL;
ASSERT(ill->ill_dhcpinit != 0);
atomic_dec_32(&ill->ill_dhcpinit);
- }
- if (connp->conn_ire_cache != NULL) {
- ire = connp->conn_ire_cache;
- /*
- * Source address selection makes it possible for IRE_CACHE
- * entries to be created with ire_stq coming from interface X
- * and ipif coming from interface Y. Thus whenever interface
- * X goes down, remove all references to it by checking both
- * on ire_ipif and ire_stq.
- */
- if ((ire->ire_ipif != NULL && ire->ire_ipif->ipif_ill == ill) ||
- (ire->ire_type == IRE_CACHE &&
- ire->ire_stq == ill->ill_wq)) {
- connp->conn_ire_cache = NULL;
- mutex_exit(&connp->conn_lock);
- ire_refrele_notr(ire);
- return;
- }
+ ill_set_inputfn(ill);
}
mutex_exit(&connp->conn_lock);
}
-static void
+static int
ill_down_ipifs_tail(ill_t *ill)
{
ipif_t *ipif;
+ int err;
ASSERT(IAM_WRITER_ILL(ill));
for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
ipif_non_duplicate(ipif);
- ipif_down_tail(ipif);
+ /*
+ * ipif_down_tail will call arp_ll_down on the last ipif
+ * and typically return EINPROGRESS when the DL_UNBIND is sent.
+ */
+ if ((err = ipif_down_tail(ipif)) != 0)
+ return (err);
}
+ return (0);
}
/* ARGSUSED */
@@ -1581,7 +1076,7 @@ void
ipif_all_down_tail(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
{
ASSERT(IAM_WRITER_IPSQ(ipsq));
- ill_down_ipifs_tail(q->q_ptr);
+ (void) ill_down_ipifs_tail(q->q_ptr);
freemsg(mp);
ipsq_current_finish(ipsq);
}
@@ -1598,12 +1093,27 @@ ill_down_start(queue_t *q, mblk_t *mp)
ipif_t *ipif;
ASSERT(IAM_WRITER_ILL(ill));
+ mutex_enter(&ill->ill_lock);
+ ill->ill_state_flags |= ILL_DOWN_IN_PROGRESS;
+ /* no more nce addition allowed */
+ mutex_exit(&ill->ill_lock);
for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next)
(void) ipif_down(ipif, NULL, NULL);
ill_down(ill);
+ /*
+ * Walk all CONNs that can have a reference on an ire or nce for this
+ * ill (we actually walk all that now have stale references).
+ */
+ ipcl_walk(conn_ixa_cleanup, (void *)B_TRUE, ill->ill_ipst);
+
+ /* With IPv6 we have dce_ifindex. Cleanup for neatness */
+ if (ill->ill_isv6)
+ dce_cleanup(ill->ill_phyint->phyint_ifindex, ill->ill_ipst);
+
+
(void) ipsq_pending_mp_cleanup(ill, NULL);
ipsq_current_start(ill->ill_phyint->phyint_ipsq, ill->ill_ipif, 0);
@@ -1626,44 +1136,68 @@ ill_down_start(queue_t *q, mblk_t *mp)
static void
ill_down(ill_t *ill)
{
+ mblk_t *mp;
ip_stack_t *ipst = ill->ill_ipst;
- /* Blow off any IREs dependent on this ILL. */
- ire_walk(ill_downi, ill, ipst);
+ /*
+ * Blow off any IREs dependent on this ILL.
+ * The caller needs to handle conn_ixa_cleanup
+ */
+ ill_delete_ires(ill);
+
+ ire_walk_ill(0, 0, ill_downi, ill, ill);
/* Remove any conn_*_ill depending on this ill */
ipcl_walk(conn_cleanup_ill, (caddr_t)ill, ipst);
+
+ /*
+ * Free state for additional IREs.
+ */
+ mutex_enter(&ill->ill_saved_ire_lock);
+ mp = ill->ill_saved_ire_mp;
+ ill->ill_saved_ire_mp = NULL;
+ ill->ill_saved_ire_cnt = 0;
+ mutex_exit(&ill->ill_saved_ire_lock);
+ freemsg(mp);
}
/*
- * ire_walk routine used to delete every IRE that depends on queues
- * associated with 'ill'. (Always called as writer.)
+ * ire_walk routine used to delete every IRE that depends on
+ * 'ill'. (Always called as writer.)
+ *
+ * Note: since the routes added by the kernel are deleted separately,
+ * this will only be 1) IRE_IF_CLONE and 2) manually added IRE_INTERFACE.
+ *
+ * We also remove references on ire_nce_cache entries that refer to the ill.
*/
-static void
+void
ill_downi(ire_t *ire, char *ill_arg)
{
ill_t *ill = (ill_t *)ill_arg;
+ nce_t *nce;
- /*
- * Source address selection makes it possible for IRE_CACHE
- * entries to be created with ire_stq coming from interface X
- * and ipif coming from interface Y. Thus whenever interface
- * X goes down, remove all references to it by checking both
- * on ire_ipif and ire_stq.
- */
- if ((ire->ire_ipif != NULL && ire->ire_ipif->ipif_ill == ill) ||
- (ire->ire_type == IRE_CACHE && ire->ire_stq == ill->ill_wq)) {
+ mutex_enter(&ire->ire_lock);
+ nce = ire->ire_nce_cache;
+ if (nce != NULL && nce->nce_ill == ill)
+ ire->ire_nce_cache = NULL;
+ else
+ nce = NULL;
+ mutex_exit(&ire->ire_lock);
+ if (nce != NULL)
+ nce_refrele(nce);
+ if (ire->ire_ill == ill)
ire_delete(ire);
- }
}
-/*
- * Remove ire/nce from the fastpath list.
- */
+/* Remove IRE_IF_CLONE on this ill */
void
-ill_fastpath_nack(ill_t *ill)
+ill_downi_if_clone(ire_t *ire, char *ill_arg)
{
- nce_fastpath_list_dispatch(ill, NULL, NULL);
+ ill_t *ill = (ill_t *)ill_arg;
+
+ ASSERT(ire->ire_type & IRE_IF_CLONE);
+ if (ire->ire_ill == ill)
+ ire_delete(ire);
}
/* Consume an M_IOCACK of the fastpath probe. */
@@ -1685,20 +1219,11 @@ ill_fastpath_ack(ill_t *ill, mblk_t *mp)
freeb(mp1);
if (mp == NULL)
return;
- if (mp->b_cont != NULL) {
- /*
- * Update all IRE's or NCE's that are waiting for
- * fastpath update.
- */
- nce_fastpath_list_dispatch(ill, ndp_fastpath_update, mp);
- mp1 = mp->b_cont;
- freeb(mp);
- mp = mp1;
- } else {
+ if (mp->b_cont != NULL)
+ nce_fastpath_update(ill, mp);
+ else
ip0dbg(("ill_fastpath_ack: no b_cont\n"));
- }
-
- freeb(mp);
+ freemsg(mp);
}
/*
@@ -1745,6 +1270,8 @@ ill_fastpath_probe(ill_t *ill, mblk_t *dlur_mp)
ioc = (struct iocblk *)mp->b_rptr;
ioc->ioc_count = msgdsize(mp->b_cont);
+ DTRACE_PROBE3(ill__dlpi, char *, "ill_fastpath_probe",
+ char *, "DL_IOC_HDR_INFO", ill_t *, ill);
putnext(ill->ill_wq, mp);
return (0);
}
@@ -1797,8 +1324,7 @@ ill_capability_reset(ill_t *ill, boolean_t reneg)
* direct function call capabilities viz. ILL_CAPAB_DLD*
* which will be turned off by the corresponding reset functions.
*/
- ill->ill_capabilities &= ~(ILL_CAPAB_MDT | ILL_CAPAB_HCKSUM |
- ILL_CAPAB_ZEROCOPY | ILL_CAPAB_AH | ILL_CAPAB_ESP);
+ ill->ill_capabilities &= ~(ILL_CAPAB_HCKSUM | ILL_CAPAB_ZEROCOPY);
}
static void
@@ -1812,9 +1338,6 @@ ill_capability_reset_alloc(ill_t *ill)
ASSERT(IAM_WRITER_ILL(ill));
ASSERT(ill->ill_capab_reset_mp == NULL);
- if (ILL_MDT_CAPABLE(ill))
- size += sizeof (dl_capability_sub_t) + sizeof (dl_capab_mdt_t);
-
if (ILL_HCKSUM_CAPABLE(ill)) {
size += sizeof (dl_capability_sub_t) +
sizeof (dl_capab_hcksum_t);
@@ -1825,12 +1348,6 @@ ill_capability_reset_alloc(ill_t *ill)
sizeof (dl_capab_zerocopy_t);
}
- if (ill->ill_capabilities & (ILL_CAPAB_AH | ILL_CAPAB_ESP)) {
- size += sizeof (dl_capability_sub_t);
- size += ill_capability_ipsec_reset_size(ill, NULL, NULL,
- NULL, NULL);
- }
-
if (ill->ill_capabilities & ILL_CAPAB_DLD) {
size += sizeof (dl_capability_sub_t) +
sizeof (dl_capab_dld_t);
@@ -1853,10 +1370,8 @@ ill_capability_reset_alloc(ill_t *ill)
* Each handler fills in the corresponding dl_capability_sub_t
* inside the mblk,
*/
- ill_capability_mdt_reset_fill(ill, mp);
ill_capability_hcksum_reset_fill(ill, mp);
ill_capability_zerocopy_reset_fill(ill, mp);
- ill_capability_ipsec_reset_fill(ill, mp);
ill_capability_dld_reset_fill(ill, mp);
ill->ill_capab_reset_mp = mp;
@@ -1906,162 +1421,7 @@ ill_capability_id_ack(ill_t *ill, mblk_t *mp, dl_capability_sub_t *outers)
}
/* Process the encapsulated sub-capability */
- ill_capability_dispatch(ill, mp, inners, B_TRUE);
-}
-
-/*
- * Process Multidata Transmit capability negotiation ack received from a
- * DLS Provider. isub must point to the sub-capability (DL_CAPAB_MDT) of a
- * DL_CAPABILITY_ACK message.
- */
-static void
-ill_capability_mdt_ack(ill_t *ill, mblk_t *mp, dl_capability_sub_t *isub)
-{
- mblk_t *nmp = NULL;
- dl_capability_req_t *oc;
- dl_capab_mdt_t *mdt_ic, *mdt_oc;
- ill_mdt_capab_t **ill_mdt_capab;
- uint_t sub_dl_cap = isub->dl_cap;
- uint8_t *capend;
-
- ASSERT(sub_dl_cap == DL_CAPAB_MDT);
-
- ill_mdt_capab = (ill_mdt_capab_t **)&ill->ill_mdt_capab;
-
- /*
- * Note: range checks here are not absolutely sufficient to
- * make us robust against malformed messages sent by drivers;
- * this is in keeping with the rest of IP's dlpi handling.
- * (Remember, it's coming from something else in the kernel
- * address space)
- */
-
- capend = (uint8_t *)(isub + 1) + isub->dl_length;
- if (capend > mp->b_wptr) {
- cmn_err(CE_WARN, "ill_capability_mdt_ack: "
- "malformed sub-capability too long for mblk");
- return;
- }
-
- mdt_ic = (dl_capab_mdt_t *)(isub + 1);
-
- if (mdt_ic->mdt_version != MDT_VERSION_2) {
- cmn_err(CE_CONT, "ill_capability_mdt_ack: "
- "unsupported MDT sub-capability (version %d, expected %d)",
- mdt_ic->mdt_version, MDT_VERSION_2);
- return;
- }
-
- if (!dlcapabcheckqid(&mdt_ic->mdt_mid, ill->ill_lmod_rq)) {
- ip1dbg(("ill_capability_mdt_ack: mid token for MDT "
- "capability isn't as expected; pass-thru module(s) "
- "detected, discarding capability\n"));
- return;
- }
-
- if (mdt_ic->mdt_flags & DL_CAPAB_MDT_ENABLE) {
-
- if (*ill_mdt_capab == NULL) {
- *ill_mdt_capab = kmem_zalloc(sizeof (ill_mdt_capab_t),
- KM_NOSLEEP);
- if (*ill_mdt_capab == NULL) {
- cmn_err(CE_WARN, "ill_capability_mdt_ack: "
- "could not enable MDT version %d "
- "for %s (ENOMEM)\n", MDT_VERSION_2,
- ill->ill_name);
- return;
- }
- }
-
- ip1dbg(("ill_capability_mdt_ack: interface %s supports "
- "MDT version %d (%d bytes leading, %d bytes trailing "
- "header spaces, %d max pld bufs, %d span limit)\n",
- ill->ill_name, MDT_VERSION_2,
- mdt_ic->mdt_hdr_head, mdt_ic->mdt_hdr_tail,
- mdt_ic->mdt_max_pld, mdt_ic->mdt_span_limit));
-
- (*ill_mdt_capab)->ill_mdt_version = MDT_VERSION_2;
- (*ill_mdt_capab)->ill_mdt_on = 1;
- /*
- * Round the following values to the nearest 32-bit; ULP
- * may further adjust them to accomodate for additional
- * protocol headers. We pass these values to ULP during
- * bind time.
- */
- (*ill_mdt_capab)->ill_mdt_hdr_head =
- roundup(mdt_ic->mdt_hdr_head, 4);
- (*ill_mdt_capab)->ill_mdt_hdr_tail =
- roundup(mdt_ic->mdt_hdr_tail, 4);
- (*ill_mdt_capab)->ill_mdt_max_pld = mdt_ic->mdt_max_pld;
- (*ill_mdt_capab)->ill_mdt_span_limit = mdt_ic->mdt_span_limit;
-
- ill->ill_capabilities |= ILL_CAPAB_MDT;
- } else {
- uint_t size;
- uchar_t *rptr;
-
- size = sizeof (dl_capability_req_t) +
- sizeof (dl_capability_sub_t) + sizeof (dl_capab_mdt_t);
-
- if ((nmp = ip_dlpi_alloc(size, DL_CAPABILITY_REQ)) == NULL) {
- cmn_err(CE_WARN, "ill_capability_mdt_ack: "
- "could not enable MDT for %s (ENOMEM)\n",
- ill->ill_name);
- return;
- }
-
- rptr = nmp->b_rptr;
- /* initialize dl_capability_req_t */
- oc = (dl_capability_req_t *)nmp->b_rptr;
- oc->dl_sub_offset = sizeof (dl_capability_req_t);
- oc->dl_sub_length = sizeof (dl_capability_sub_t) +
- sizeof (dl_capab_mdt_t);
- nmp->b_rptr += sizeof (dl_capability_req_t);
-
- /* initialize dl_capability_sub_t */
- bcopy(isub, nmp->b_rptr, sizeof (*isub));
- nmp->b_rptr += sizeof (*isub);
-
- /* initialize dl_capab_mdt_t */
- mdt_oc = (dl_capab_mdt_t *)nmp->b_rptr;
- bcopy(mdt_ic, mdt_oc, sizeof (*mdt_ic));
-
- nmp->b_rptr = rptr;
-
- ip1dbg(("ill_capability_mdt_ack: asking interface %s "
- "to enable MDT version %d\n", ill->ill_name,
- MDT_VERSION_2));
-
- /* set ENABLE flag */
- mdt_oc->mdt_flags |= DL_CAPAB_MDT_ENABLE;
-
- /* nmp points to a DL_CAPABILITY_REQ message to enable MDT */
- ill_capability_send(ill, nmp);
- }
-}
-
-static void
-ill_capability_mdt_reset_fill(ill_t *ill, mblk_t *mp)
-{
- dl_capab_mdt_t *mdt_subcap;
- dl_capability_sub_t *dl_subcap;
-
- if (!ILL_MDT_CAPABLE(ill))
- return;
-
- ASSERT(ill->ill_mdt_capab != NULL);
-
- dl_subcap = (dl_capability_sub_t *)mp->b_wptr;
- dl_subcap->dl_cap = DL_CAPAB_MDT;
- dl_subcap->dl_length = sizeof (*mdt_subcap);
-
- mdt_subcap = (dl_capab_mdt_t *)(dl_subcap + 1);
- mdt_subcap->mdt_version = ill->ill_mdt_capab->ill_mdt_version;
- mdt_subcap->mdt_flags = 0;
- mdt_subcap->mdt_hdr_head = 0;
- mdt_subcap->mdt_hdr_tail = 0;
-
- mp->b_wptr += sizeof (*dl_subcap) + sizeof (*mdt_subcap);
+ ill_capability_dispatch(ill, mp, inners);
}
static void
@@ -2083,503 +1443,10 @@ ill_capability_dld_reset_fill(ill_t *ill, mblk_t *mp)
mp->b_wptr += sizeof (dl_capability_sub_t) + sizeof (dl_capab_dld_t);
}
-/*
- * Allocate an IPsec capability request which will be filled by our
- * caller to turn on support for one or more algorithms.
- */
-/* ARGSUSED */
-static mblk_t *
-ill_alloc_ipsec_cap_req(ill_t *ill, dl_capability_sub_t *isub)
-{
- mblk_t *nmp;
- dl_capability_req_t *ocap;
- dl_capab_ipsec_t *ocip;
- dl_capab_ipsec_t *icip;
- uint8_t *ptr;
- icip = (dl_capab_ipsec_t *)(isub + 1);
-
- /*
- * Allocate new mblk which will contain a new capability
- * request to enable the capabilities.
- */
-
- nmp = ip_dlpi_alloc(sizeof (dl_capability_req_t) +
- sizeof (dl_capability_sub_t) + isub->dl_length, DL_CAPABILITY_REQ);
- if (nmp == NULL)
- return (NULL);
-
- ptr = nmp->b_rptr;
-
- /* initialize dl_capability_req_t */
- ocap = (dl_capability_req_t *)ptr;
- ocap->dl_sub_offset = sizeof (dl_capability_req_t);
- ocap->dl_sub_length = sizeof (dl_capability_sub_t) + isub->dl_length;
- ptr += sizeof (dl_capability_req_t);
-
- /* initialize dl_capability_sub_t */
- bcopy(isub, ptr, sizeof (*isub));
- ptr += sizeof (*isub);
-
- /* initialize dl_capab_ipsec_t */
- ocip = (dl_capab_ipsec_t *)ptr;
- bcopy(icip, ocip, sizeof (*icip));
-
- nmp->b_wptr = (uchar_t *)(&ocip->cip_data[0]);
- return (nmp);
-}
-
-/*
- * Process an IPsec capability negotiation ack received from a DLS Provider.
- * isub must point to the sub-capability (DL_CAPAB_IPSEC_AH or
- * DL_CAPAB_IPSEC_ESP) of a DL_CAPABILITY_ACK message.
- */
static void
-ill_capability_ipsec_ack(ill_t *ill, mblk_t *mp, dl_capability_sub_t *isub)
-{
- dl_capab_ipsec_t *icip;
- dl_capab_ipsec_alg_t *ialg; /* ptr to input alg spec. */
- dl_capab_ipsec_alg_t *oalg; /* ptr to output alg spec. */
- uint_t cipher, nciphers;
- mblk_t *nmp;
- uint_t alg_len;
- boolean_t need_sadb_dump;
- uint_t sub_dl_cap = isub->dl_cap;
- ill_ipsec_capab_t **ill_capab;
- uint64_t ill_capab_flag;
- uint8_t *capend, *ciphend;
- boolean_t sadb_resync;
-
- ASSERT(sub_dl_cap == DL_CAPAB_IPSEC_AH ||
- sub_dl_cap == DL_CAPAB_IPSEC_ESP);
-
- if (sub_dl_cap == DL_CAPAB_IPSEC_AH) {
- ill_capab = (ill_ipsec_capab_t **)&ill->ill_ipsec_capab_ah;
- ill_capab_flag = ILL_CAPAB_AH;
- } else {
- ill_capab = (ill_ipsec_capab_t **)&ill->ill_ipsec_capab_esp;
- ill_capab_flag = ILL_CAPAB_ESP;
- }
-
- /*
- * If the ill capability structure exists, then this incoming
- * DL_CAPABILITY_ACK is a response to a "renegotiation" cycle.
- * If this is so, then we'd need to resynchronize the SADB
- * after re-enabling the offloaded ciphers.
- */
- sadb_resync = (*ill_capab != NULL);
-
- /*
- * Note: range checks here are not absolutely sufficient to
- * make us robust against malformed messages sent by drivers;
- * this is in keeping with the rest of IP's dlpi handling.
- * (Remember, it's coming from something else in the kernel
- * address space)
- */
-
- capend = (uint8_t *)(isub + 1) + isub->dl_length;
- if (capend > mp->b_wptr) {
- cmn_err(CE_WARN, "ill_capability_ipsec_ack: "
- "malformed sub-capability too long for mblk");
- return;
- }
-
- /*
- * There are two types of acks we process here:
- * 1. acks in reply to a (first form) generic capability req
- * (no ENABLE flag set)
- * 2. acks in reply to a ENABLE capability req.
- * (ENABLE flag set)
- *
- * We process the subcapability passed as argument as follows:
- * 1 do initializations
- * 1.1 initialize nmp = NULL
- * 1.2 set need_sadb_dump to B_FALSE
- * 2 for each cipher in subcapability:
- * 2.1 if ENABLE flag is set:
- * 2.1.1 update per-ill ipsec capabilities info
- * 2.1.2 set need_sadb_dump to B_TRUE
- * 2.2 if ENABLE flag is not set:
- * 2.2.1 if nmp is NULL:
- * 2.2.1.1 allocate and initialize nmp
- * 2.2.1.2 init current pos in nmp
- * 2.2.2 copy current cipher to current pos in nmp
- * 2.2.3 set ENABLE flag in nmp
- * 2.2.4 update current pos
- * 3 if nmp is not equal to NULL, send enable request
- * 3.1 send capability request
- * 4 if need_sadb_dump is B_TRUE
- * 4.1 enable promiscuous on/off notifications
- * 4.2 call ill_dlpi_send(isub->dlcap) to send all
- * AH or ESP SA's to interface.
- */
-
- nmp = NULL;
- oalg = NULL;
- need_sadb_dump = B_FALSE;
- icip = (dl_capab_ipsec_t *)(isub + 1);
- ialg = (dl_capab_ipsec_alg_t *)(&icip->cip_data[0]);
-
- nciphers = icip->cip_nciphers;
- ciphend = (uint8_t *)(ialg + icip->cip_nciphers);
-
- if (ciphend > capend) {
- cmn_err(CE_WARN, "ill_capability_ipsec_ack: "
- "too many ciphers for sub-capability len");
- return;
- }
-
- for (cipher = 0; cipher < nciphers; cipher++) {
- alg_len = sizeof (dl_capab_ipsec_alg_t);
-
- if (ialg->alg_flag & DL_CAPAB_ALG_ENABLE) {
- /*
- * TBD: when we provide a way to disable capabilities
- * from above, need to manage the request-pending state
- * and fail if we were not expecting this ACK.
- */
- IPSECHW_DEBUG(IPSECHW_CAPAB,
- ("ill_capability_ipsec_ack: got ENABLE ACK\n"));
-
- /*
- * Update IPsec capabilities for this ill
- */
-
- if (*ill_capab == NULL) {
- IPSECHW_DEBUG(IPSECHW_CAPAB,
- ("ill_capability_ipsec_ack: "
- "allocating ipsec_capab for ill\n"));
- *ill_capab = ill_ipsec_capab_alloc();
-
- if (*ill_capab == NULL) {
- cmn_err(CE_WARN,
- "ill_capability_ipsec_ack: "
- "could not enable IPsec Hardware "
- "acceleration for %s (ENOMEM)\n",
- ill->ill_name);
- return;
- }
- }
-
- ASSERT(ialg->alg_type == DL_CAPAB_IPSEC_ALG_AUTH ||
- ialg->alg_type == DL_CAPAB_IPSEC_ALG_ENCR);
-
- if (ialg->alg_prim >= MAX_IPSEC_ALGS) {
- cmn_err(CE_WARN,
- "ill_capability_ipsec_ack: "
- "malformed IPsec algorithm id %d",
- ialg->alg_prim);
- continue;
- }
-
- if (ialg->alg_type == DL_CAPAB_IPSEC_ALG_AUTH) {
- IPSEC_ALG_ENABLE((*ill_capab)->auth_hw_algs,
- ialg->alg_prim);
- } else {
- ipsec_capab_algparm_t *alp;
-
- IPSEC_ALG_ENABLE((*ill_capab)->encr_hw_algs,
- ialg->alg_prim);
- if (!ill_ipsec_capab_resize_algparm(*ill_capab,
- ialg->alg_prim)) {
- cmn_err(CE_WARN,
- "ill_capability_ipsec_ack: "
- "no space for IPsec alg id %d",
- ialg->alg_prim);
- continue;
- }
- alp = &((*ill_capab)->encr_algparm[
- ialg->alg_prim]);
- alp->minkeylen = ialg->alg_minbits;
- alp->maxkeylen = ialg->alg_maxbits;
- }
- ill->ill_capabilities |= ill_capab_flag;
- /*
- * indicate that a capability was enabled, which
- * will be used below to kick off a SADB dump
- * to the ill.
- */
- need_sadb_dump = B_TRUE;
- } else {
- IPSECHW_DEBUG(IPSECHW_CAPAB,
- ("ill_capability_ipsec_ack: enabling alg 0x%x\n",
- ialg->alg_prim));
-
- if (nmp == NULL) {
- nmp = ill_alloc_ipsec_cap_req(ill, isub);
- if (nmp == NULL) {
- /*
- * Sending the PROMISC_ON/OFF
- * notification request failed.
- * We cannot enable the algorithms
- * since the Provider will not
- * notify IP of promiscous mode
- * changes, which could lead
- * to leakage of packets.
- */
- cmn_err(CE_WARN,
- "ill_capability_ipsec_ack: "
- "could not enable IPsec Hardware "
- "acceleration for %s (ENOMEM)\n",
- ill->ill_name);
- return;
- }
- /* ptr to current output alg specifier */
- oalg = (dl_capab_ipsec_alg_t *)nmp->b_wptr;
- }
-
- /*
- * Copy current alg specifier, set ENABLE
- * flag, and advance to next output alg.
- * For now we enable all IPsec capabilities.
- */
- ASSERT(oalg != NULL);
- bcopy(ialg, oalg, alg_len);
- oalg->alg_flag |= DL_CAPAB_ALG_ENABLE;
- nmp->b_wptr += alg_len;
- oalg = (dl_capab_ipsec_alg_t *)nmp->b_wptr;
- }
-
- /* move to next input algorithm specifier */
- ialg = (dl_capab_ipsec_alg_t *)
- ((char *)ialg + alg_len);
- }
-
- if (nmp != NULL)
- /*
- * nmp points to a DL_CAPABILITY_REQ message to enable
- * IPsec hardware acceleration.
- */
- ill_capability_send(ill, nmp);
-
- if (need_sadb_dump)
- /*
- * An acknowledgement corresponding to a request to
- * enable acceleration was received, notify SADB.
- */
- ill_ipsec_capab_add(ill, sub_dl_cap, sadb_resync);
-}
-
-/*
- * Given an mblk with enough space in it, create sub-capability entries for
- * DL_CAPAB_IPSEC_{AH,ESP} types which consist of previously-advertised
- * offloaded ciphers (both AUTH and ENCR) with their enable flags cleared,
- * in preparation for the reset the DL_CAPABILITY_REQ message.
- */
-static void
-ill_fill_ipsec_reset(uint_t nciphers, int stype, uint_t slen,
- ill_ipsec_capab_t *ill_cap, mblk_t *mp)
-{
- dl_capab_ipsec_t *oipsec;
- dl_capab_ipsec_alg_t *oalg;
- dl_capability_sub_t *dl_subcap;
- int i, k;
-
- ASSERT(nciphers > 0);
- ASSERT(ill_cap != NULL);
- ASSERT(mp != NULL);
- ASSERT(MBLKTAIL(mp) >= sizeof (*dl_subcap) + sizeof (*oipsec) + slen);
-
- /* dl_capability_sub_t for "stype" */
- dl_subcap = (dl_capability_sub_t *)mp->b_wptr;
- dl_subcap->dl_cap = stype;
- dl_subcap->dl_length = sizeof (dl_capab_ipsec_t) + slen;
- mp->b_wptr += sizeof (dl_capability_sub_t);
-
- /* dl_capab_ipsec_t for "stype" */
- oipsec = (dl_capab_ipsec_t *)mp->b_wptr;
- oipsec->cip_version = 1;
- oipsec->cip_nciphers = nciphers;
- mp->b_wptr = (uchar_t *)&oipsec->cip_data[0];
-
- /* create entries for "stype" AUTH ciphers */
- for (i = 0; i < ill_cap->algs_size; i++) {
- for (k = 0; k < BITSPERBYTE; k++) {
- if ((ill_cap->auth_hw_algs[i] & (1 << k)) == 0)
- continue;
-
- oalg = (dl_capab_ipsec_alg_t *)mp->b_wptr;
- bzero((void *)oalg, sizeof (*oalg));
- oalg->alg_type = DL_CAPAB_IPSEC_ALG_AUTH;
- oalg->alg_prim = k + (BITSPERBYTE * i);
- mp->b_wptr += sizeof (dl_capab_ipsec_alg_t);
- }
- }
- /* create entries for "stype" ENCR ciphers */
- for (i = 0; i < ill_cap->algs_size; i++) {
- for (k = 0; k < BITSPERBYTE; k++) {
- if ((ill_cap->encr_hw_algs[i] & (1 << k)) == 0)
- continue;
-
- oalg = (dl_capab_ipsec_alg_t *)mp->b_wptr;
- bzero((void *)oalg, sizeof (*oalg));
- oalg->alg_type = DL_CAPAB_IPSEC_ALG_ENCR;
- oalg->alg_prim = k + (BITSPERBYTE * i);
- mp->b_wptr += sizeof (dl_capab_ipsec_alg_t);
- }
- }
-}
-
-/*
- * Macro to count number of 1s in a byte (8-bit word). The total count is
- * accumulated into the passed-in argument (sum). We could use SPARCv9's
- * POPC instruction, but our macro is more flexible for an arbitrary length
- * of bytes, such as {auth,encr}_hw_algs. These variables are currently
- * 256-bits long (MAX_IPSEC_ALGS), so if we know for sure that the length
- * stays that way, we can reduce the number of iterations required.
- */
-#define COUNT_1S(val, sum) { \
- uint8_t x = val & 0xff; \
- x = (x & 0x55) + ((x >> 1) & 0x55); \
- x = (x & 0x33) + ((x >> 2) & 0x33); \
- sum += (x & 0xf) + ((x >> 4) & 0xf); \
-}
-
-/* ARGSUSED */
-static int
-ill_capability_ipsec_reset_size(ill_t *ill, int *ah_cntp, int *ah_lenp,
- int *esp_cntp, int *esp_lenp)
-{
- ill_ipsec_capab_t *cap_ah = ill->ill_ipsec_capab_ah;
- ill_ipsec_capab_t *cap_esp = ill->ill_ipsec_capab_esp;
- uint64_t ill_capabilities = ill->ill_capabilities;
- int ah_cnt = 0, esp_cnt = 0;
- int ah_len = 0, esp_len = 0;
- int i, size = 0;
-
- if (!(ill_capabilities & (ILL_CAPAB_AH | ILL_CAPAB_ESP)))
- return (0);
-
- ASSERT(cap_ah != NULL || !(ill_capabilities & ILL_CAPAB_AH));
- ASSERT(cap_esp != NULL || !(ill_capabilities & ILL_CAPAB_ESP));
-
- /* Find out the number of ciphers for AH */
- if (cap_ah != NULL) {
- for (i = 0; i < cap_ah->algs_size; i++) {
- COUNT_1S(cap_ah->auth_hw_algs[i], ah_cnt);
- COUNT_1S(cap_ah->encr_hw_algs[i], ah_cnt);
- }
- if (ah_cnt > 0) {
- size += sizeof (dl_capability_sub_t) +
- sizeof (dl_capab_ipsec_t);
- /* dl_capab_ipsec_t contains one dl_capab_ipsec_alg_t */
- ah_len = (ah_cnt - 1) * sizeof (dl_capab_ipsec_alg_t);
- size += ah_len;
- }
- }
-
- /* Find out the number of ciphers for ESP */
- if (cap_esp != NULL) {
- for (i = 0; i < cap_esp->algs_size; i++) {
- COUNT_1S(cap_esp->auth_hw_algs[i], esp_cnt);
- COUNT_1S(cap_esp->encr_hw_algs[i], esp_cnt);
- }
- if (esp_cnt > 0) {
- size += sizeof (dl_capability_sub_t) +
- sizeof (dl_capab_ipsec_t);
- /* dl_capab_ipsec_t contains one dl_capab_ipsec_alg_t */
- esp_len = (esp_cnt - 1) * sizeof (dl_capab_ipsec_alg_t);
- size += esp_len;
- }
- }
-
- if (ah_cntp != NULL)
- *ah_cntp = ah_cnt;
- if (ah_lenp != NULL)
- *ah_lenp = ah_len;
- if (esp_cntp != NULL)
- *esp_cntp = esp_cnt;
- if (esp_lenp != NULL)
- *esp_lenp = esp_len;
-
- return (size);
-}
-
-/* ARGSUSED */
-static void
-ill_capability_ipsec_reset_fill(ill_t *ill, mblk_t *mp)
+ill_capability_dispatch(ill_t *ill, mblk_t *mp, dl_capability_sub_t *subp)
{
- ill_ipsec_capab_t *cap_ah = ill->ill_ipsec_capab_ah;
- ill_ipsec_capab_t *cap_esp = ill->ill_ipsec_capab_esp;
- int ah_cnt = 0, esp_cnt = 0;
- int ah_len = 0, esp_len = 0;
- int size;
-
- size = ill_capability_ipsec_reset_size(ill, &ah_cnt, &ah_len,
- &esp_cnt, &esp_len);
- if (size == 0)
- return;
-
- /*
- * Clear the capability flags for IPsec HA but retain the ill
- * capability structures since it's possible that another thread
- * is still referring to them. The structures only get deallocated
- * when we destroy the ill.
- *
- * Various places check the flags to see if the ill is capable of
- * hardware acceleration, and by clearing them we ensure that new
- * outbound IPsec packets are sent down encrypted.
- */
-
- /* Fill in DL_CAPAB_IPSEC_AH sub-capability entries */
- if (ah_cnt > 0) {
- ill_fill_ipsec_reset(ah_cnt, DL_CAPAB_IPSEC_AH, ah_len,
- cap_ah, mp);
- }
-
- /* Fill in DL_CAPAB_IPSEC_ESP sub-capability entries */
- if (esp_cnt > 0) {
- ill_fill_ipsec_reset(esp_cnt, DL_CAPAB_IPSEC_ESP, esp_len,
- cap_esp, mp);
- }
-
- /*
- * At this point we've composed a bunch of sub-capabilities to be
- * encapsulated in a DL_CAPABILITY_REQ and later sent downstream
- * by the caller. Upon receiving this reset message, the driver
- * must stop inbound decryption (by destroying all inbound SAs)
- * and let the corresponding packets come in encrypted.
- */
-}
-
-static void
-ill_capability_dispatch(ill_t *ill, mblk_t *mp, dl_capability_sub_t *subp,
- boolean_t encapsulated)
-{
- boolean_t legacy = B_FALSE;
-
- /*
- * Note that only the following two sub-capabilities may be
- * considered as "legacy", since their original definitions
- * do not incorporate the dl_mid_t module ID token, and hence
- * may require the use of the wrapper sub-capability.
- */
switch (subp->dl_cap) {
- case DL_CAPAB_IPSEC_AH:
- case DL_CAPAB_IPSEC_ESP:
- legacy = B_TRUE;
- break;
- }
-
- /*
- * For legacy sub-capabilities which don't incorporate a queue_t
- * pointer in their structures, discard them if we detect that
- * there are intermediate modules in between IP and the driver.
- */
- if (!encapsulated && legacy && ill->ill_lmod_cnt > 1) {
- ip1dbg(("ill_capability_dispatch: unencapsulated capab type "
- "%d discarded; %d module(s) present below IP\n",
- subp->dl_cap, ill->ill_lmod_cnt));
- return;
- }
-
- switch (subp->dl_cap) {
- case DL_CAPAB_IPSEC_AH:
- case DL_CAPAB_IPSEC_ESP:
- ill_capability_ipsec_ack(ill, mp, subp);
- break;
- case DL_CAPAB_MDT:
- ill_capability_mdt_ack(ill, mp, subp);
- break;
case DL_CAPAB_HCKSUM:
ill_capability_hcksum_ack(ill, mp, subp);
break;
@@ -3104,7 +1971,7 @@ ill_capability_lso_enable(ill_t *ill)
DLD_ENABLE)) == 0) {
ill->ill_lso_capab->ill_lso_flags = lso.lso_flags;
ill->ill_lso_capab->ill_lso_max = lso.lso_max;
- ill->ill_capabilities |= ILL_CAPAB_DLD_LSO;
+ ill->ill_capabilities |= ILL_CAPAB_LSO;
ip1dbg(("ill_capability_lso_enable: interface %s "
"has enabled LSO\n ", ill->ill_name));
} else {
@@ -3180,7 +2047,7 @@ ill_capability_dld_disable(ill_t *ill)
NULL, DLD_DISABLE);
}
- if ((ill->ill_capabilities & ILL_CAPAB_DLD_LSO) != 0) {
+ if ((ill->ill_capabilities & ILL_CAPAB_LSO) != 0) {
ASSERT(ill->ill_lso_capab != NULL);
/*
* Clear the capability flag for LSO but retain the
@@ -3189,7 +2056,7 @@ ill_capability_dld_disable(ill_t *ill)
* deallocated when we destroy the ill.
*/
- ill->ill_capabilities &= ~ILL_CAPAB_DLD_LSO;
+ ill->ill_capabilities &= ~ILL_CAPAB_LSO;
(void) idc->idc_capab_df(idc->idc_capab_dh, DLD_CAPAB_LSO,
NULL, DLD_DISABLE);
}
@@ -3335,7 +2202,7 @@ ill_capability_ack_thr(void *arg)
ill_capability_id_ack(ill, mp, subp);
break;
default:
- ill_capability_dispatch(ill, mp, subp, B_FALSE);
+ ill_capability_dispatch(ill, mp, subp);
break;
}
}
@@ -3410,8 +2277,14 @@ ill_frag_timeout(ill_t *ill, time_t dead_interval)
uint32_t hdr_length;
mblk_t *send_icmp_head;
mblk_t *send_icmp_head_v6;
- zoneid_t zoneid;
ip_stack_t *ipst = ill->ill_ipst;
+ ip_recv_attr_t iras;
+
+ bzero(&iras, sizeof (iras));
+ iras.ira_flags = 0;
+ iras.ira_ill = iras.ira_rill = ill;
+ iras.ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+ iras.ira_rifindex = iras.ira_ruifindex;
ipfb = ill->ill_frag_hash_tbl;
if (ipfb == NULL)
@@ -3483,6 +2356,7 @@ ill_frag_timeout(ill_t *ill, time_t dead_interval)
}
}
BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmFails);
+ ip_drop_input("ipIfStatsReasmFails", ipf->ipf_mp, ill);
freeb(ipf->ipf_mp);
}
mutex_exit(&ipfb->ipfb_lock);
@@ -3496,19 +2370,21 @@ ill_frag_timeout(ill_t *ill, time_t dead_interval)
mp = send_icmp_head_v6;
send_icmp_head_v6 = send_icmp_head_v6->b_next;
mp->b_next = NULL;
- if (mp->b_datap->db_type == M_CTL)
- ip6h = (ip6_t *)mp->b_cont->b_rptr;
- else
- ip6h = (ip6_t *)mp->b_rptr;
- zoneid = ipif_lookup_addr_zoneid_v6(&ip6h->ip6_dst,
+ ip6h = (ip6_t *)mp->b_rptr;
+ iras.ira_flags = 0;
+ /*
+ * This will result in an incorrect ALL_ZONES zoneid
+ * for multicast packets, but we
+ * don't send ICMP errors for those in any case.
+ */
+ iras.ira_zoneid =
+ ipif_lookup_addr_zoneid_v6(&ip6h->ip6_dst,
ill, ipst);
- if (zoneid == ALL_ZONES) {
- freemsg(mp);
- } else {
- icmp_time_exceeded_v6(ill->ill_wq, mp,
- ICMP_REASSEMBLY_TIME_EXCEEDED, B_FALSE,
- B_FALSE, zoneid, ipst);
- }
+ ip_drop_input("ICMP_TIME_EXCEEDED reass", mp, ill);
+ icmp_time_exceeded_v6(mp,
+ ICMP_REASSEMBLY_TIME_EXCEEDED, B_FALSE,
+ &iras);
+ ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
}
while (send_icmp_head != NULL) {
ipaddr_t dst;
@@ -3517,19 +2393,20 @@ ill_frag_timeout(ill_t *ill, time_t dead_interval)
send_icmp_head = send_icmp_head->b_next;
mp->b_next = NULL;
- if (mp->b_datap->db_type == M_CTL)
- dst = ((ipha_t *)mp->b_cont->b_rptr)->ipha_dst;
- else
- dst = ((ipha_t *)mp->b_rptr)->ipha_dst;
+ dst = ((ipha_t *)mp->b_rptr)->ipha_dst;
- zoneid = ipif_lookup_addr_zoneid(dst, ill, ipst);
- if (zoneid == ALL_ZONES) {
- freemsg(mp);
- } else {
- icmp_time_exceeded(ill->ill_wq, mp,
- ICMP_REASSEMBLY_TIME_EXCEEDED, zoneid,
- ipst);
- }
+ iras.ira_flags = IRAF_IS_IPV4;
+ /*
+ * This will result in an incorrect ALL_ZONES zoneid
+ * for broadcast and multicast packets, but we
+ * don't send ICMP errors for those in any case.
+ */
+ iras.ira_zoneid = ipif_lookup_addr_zoneid(dst,
+ ill, ipst);
+ ip_drop_input("ICMP_TIME_EXCEEDED reass", mp, ill);
+ icmp_time_exceeded(mp,
+ ICMP_REASSEMBLY_TIME_EXCEEDED, &iras);
+ ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
}
}
/*
@@ -3647,8 +2524,9 @@ ill_frag_free_pkts(ill_t *ill, ipfb_t *ipfb, ipf_t *ipf, int free_cnt)
ipfb->ipfb_count -= count;
ASSERT(ipfb->ipfb_frag_pkts > 0);
ipfb->ipfb_frag_pkts--;
- freemsg(mp);
BUMP_MIB(ill->ill_ip_mib, ipIfStatsReasmFails);
+ ip_drop_input("ipIfStatsReasmFails", mp, ill);
+ freemsg(mp);
}
if (ipf)
@@ -3776,6 +2654,7 @@ static void
ill_set_nce_router_flags(ill_t *ill, boolean_t enable)
{
ipif_t *ipif;
+ ncec_t *ncec;
nce_t *nce;
for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
@@ -3784,16 +2663,16 @@ ill_set_nce_router_flags(ill_t *ill, boolean_t enable)
* addresses on IPMP interfaces have an nce_ill that points to
* the bound underlying ill.
*/
- nce = ndp_lookup_v6(ill, B_TRUE, &ipif->ipif_v6lcl_addr,
- B_FALSE);
+ nce = nce_lookup_v6(ill, &ipif->ipif_v6lcl_addr);
if (nce != NULL) {
- mutex_enter(&nce->nce_lock);
+ ncec = nce->nce_common;
+ mutex_enter(&ncec->ncec_lock);
if (enable)
- nce->nce_flags |= NCE_F_ISROUTER;
+ ncec->ncec_flags |= NCE_F_ISROUTER;
else
- nce->nce_flags &= ~NCE_F_ISROUTER;
- mutex_exit(&nce->nce_lock);
- NCE_REFRELE(nce);
+ ncec->ncec_flags &= ~NCE_F_ISROUTER;
+ mutex_exit(&ncec->ncec_lock);
+ nce_refrele(nce);
}
}
}
@@ -3986,8 +2865,7 @@ ill_get_ppa_ptr(char *name)
* use avl tree to locate the ill.
*/
static ill_t *
-ill_find_by_name(char *name, boolean_t isv6, queue_t *q, mblk_t *mp,
- ipsq_func_t func, int *error, ip_stack_t *ipst)
+ill_find_by_name(char *name, boolean_t isv6, ip_stack_t *ipst)
{
char *ppa_ptr = NULL;
int len;
@@ -3995,10 +2873,6 @@ ill_find_by_name(char *name, boolean_t isv6, queue_t *q, mblk_t *mp,
ill_t *ill = NULL;
ill_if_t *ifp;
int list;
- ipsq_t *ipsq;
-
- if (error != NULL)
- *error = 0;
/*
* get ppa ptr
@@ -4009,8 +2883,6 @@ ill_find_by_name(char *name, boolean_t isv6, queue_t *q, mblk_t *mp,
list = IP_V4_G_HEAD;
if ((ppa_ptr = ill_get_ppa_ptr(name)) == NULL) {
- if (error != NULL)
- *error = ENXIO;
return (NULL);
}
@@ -4038,42 +2910,19 @@ ill_find_by_name(char *name, boolean_t isv6, queue_t *q, mblk_t *mp,
/*
* Even the interface type does not exist.
*/
- if (error != NULL)
- *error = ENXIO;
return (NULL);
}
ill = avl_find(&ifp->illif_avl_by_ppa, (void *) &ppa, NULL);
if (ill != NULL) {
- /*
- * The block comment at the start of ipif_down
- * explains the use of the macros used below
- */
- GRAB_CONN_LOCK(q);
mutex_enter(&ill->ill_lock);
if (ILL_CAN_LOOKUP(ill)) {
ill_refhold_locked(ill);
mutex_exit(&ill->ill_lock);
- RELEASE_CONN_LOCK(q);
return (ill);
- } else if (ILL_CAN_WAIT(ill, q)) {
- ipsq = ill->ill_phyint->phyint_ipsq;
- mutex_enter(&ipsq->ipsq_lock);
- mutex_enter(&ipsq->ipsq_xop->ipx_lock);
- mutex_exit(&ill->ill_lock);
- ipsq_enq(ipsq, q, mp, func, NEW_OP, ill);
- mutex_exit(&ipsq->ipsq_xop->ipx_lock);
- mutex_exit(&ipsq->ipsq_lock);
- RELEASE_CONN_LOCK(q);
- if (error != NULL)
- *error = EINPROGRESS;
- return (NULL);
}
mutex_exit(&ill->ill_lock);
- RELEASE_CONN_LOCK(q);
}
- if (error != NULL)
- *error = ENXIO;
return (NULL);
}
@@ -4474,6 +3323,8 @@ ill_init(queue_t *q, ill_t *ill)
* ip_open(), before we reach here.
*/
mutex_init(&ill->ill_lock, NULL, MUTEX_DEFAULT, 0);
+ mutex_init(&ill->ill_saved_ire_lock, NULL, MUTEX_DEFAULT, NULL);
+ ill->ill_saved_ire_cnt = 0;
ill->ill_rq = q;
ill->ill_wq = WR(q);
@@ -4521,7 +3372,9 @@ ill_init(queue_t *q, ill_t *ill)
*/
ill->ill_phyint->phyint_illv4 = ill;
ill->ill_ppa = UINT_MAX;
- ill->ill_fastpath_list = &ill->ill_fastpath_list;
+ list_create(&ill->ill_nce, sizeof (nce_t), offsetof(nce_t, nce_node));
+
+ ill_set_inputfn(ill);
if (!ipsq_init(ill, B_TRUE)) {
freemsg(info_mp);
@@ -4536,6 +3389,8 @@ ill_init(queue_t *q, ill_t *ill)
ill->ill_frag_count = 0;
ill->ill_ipf_gen = 0;
+ rw_init(&ill->ill_mcast_lock, NULL, RW_DEFAULT, NULL);
+ mutex_init(&ill->ill_mcast_serializer, NULL, MUTEX_DEFAULT, NULL);
ill->ill_global_timer = INFINITY;
ill->ill_mcast_v1_time = ill->ill_mcast_v2_time = 0;
ill->ill_mcast_v1_tset = ill->ill_mcast_v2_tset = 0;
@@ -4550,7 +3405,6 @@ ill_init(queue_t *q, ill_t *ill)
* IPv6.
*/
ill->ill_reachable_time = ND_REACHABLE_TIME;
- ill->ill_reachable_retrans_time = ND_RETRANS_TIMER;
ill->ill_xmit_count = ND_MAX_MULTICAST_SOLICIT;
ill->ill_max_buf = ND_MAX_Q;
ill->ill_refcnt = 0;
@@ -4574,15 +3428,14 @@ ill_init(queue_t *q, ill_t *ill)
* creates datalink socket info from the device.
*/
int
-ill_dls_info(struct sockaddr_dl *sdl, const ipif_t *ipif)
+ill_dls_info(struct sockaddr_dl *sdl, const ill_t *ill)
{
size_t len;
- ill_t *ill = ipif->ipif_ill;
sdl->sdl_family = AF_LINK;
- sdl->sdl_index = ill->ill_phyint->phyint_ifindex;
+ sdl->sdl_index = ill_get_upper_ifindex(ill);
sdl->sdl_type = ill->ill_type;
- ipif_get_name(ipif, sdl->sdl_data, sizeof (sdl->sdl_data));
+ ill_get_name(ill, sdl->sdl_data, sizeof (sdl->sdl_data));
len = strlen(sdl->sdl_data);
ASSERT(len < 256);
sdl->sdl_nlen = (uchar_t)len;
@@ -4604,7 +3457,7 @@ ill_xarp_info(struct sockaddr_dl *sdl, ill_t *ill)
sdl->sdl_family = AF_LINK;
sdl->sdl_index = ill->ill_phyint->phyint_ifindex;
sdl->sdl_type = ill->ill_type;
- ipif_get_name(ill->ill_ipif, sdl->sdl_data, sizeof (sdl->sdl_data));
+ ill_get_name(ill, sdl->sdl_data, sizeof (sdl->sdl_data));
sdl->sdl_nlen = (uchar_t)mi_strlen(sdl->sdl_data);
sdl->sdl_alen = ill->ill_phys_addr_length;
sdl->sdl_slen = 0;
@@ -4646,7 +3499,7 @@ loopback_kstat_update(kstat_t *ksp, int rw)
/*
* Has ifindex been plumbed already?
*/
-boolean_t
+static boolean_t
phyint_exists(uint_t index, ip_stack_t *ipst)
{
ASSERT(index != 0);
@@ -4749,8 +3602,7 @@ phyint_flags_init(phyint_t *phyi, t_uscalar_t mactype)
*/
ill_t *
ill_lookup_on_name(char *name, boolean_t do_alloc, boolean_t isv6,
- queue_t *q, mblk_t *mp, ipsq_func_t func, int *error, boolean_t *did_alloc,
- ip_stack_t *ipst)
+ boolean_t *did_alloc, ip_stack_t *ipst)
{
ill_t *ill;
ipif_t *ipif;
@@ -4762,9 +3614,9 @@ ill_lookup_on_name(char *name, boolean_t do_alloc, boolean_t isv6,
isloopback = mi_strcmp(name, ipif_loopback_name) == 0;
rw_enter(&ipst->ips_ill_g_lock, RW_READER);
- ill = ill_find_by_name(name, isv6, q, mp, func, error, ipst);
+ ill = ill_find_by_name(name, isv6, ipst);
rw_exit(&ipst->ips_ill_g_lock);
- if (ill != NULL || (error != NULL && *error == EINPROGRESS))
+ if (ill != NULL)
return (ill);
/*
@@ -4775,9 +3627,8 @@ ill_lookup_on_name(char *name, boolean_t do_alloc, boolean_t isv6,
return (NULL);
rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
-
- ill = ill_find_by_name(name, isv6, q, mp, func, error, ipst);
- if (ill != NULL || (error != NULL && *error == EINPROGRESS)) {
+ ill = ill_find_by_name(name, isv6, ipst);
+ if (ill != NULL) {
rw_exit(&ipst->ips_ill_g_lock);
return (ill);
}
@@ -4791,6 +3642,7 @@ ill_lookup_on_name(char *name, boolean_t do_alloc, boolean_t isv6,
*ill = ill_null;
mutex_init(&ill->ill_lock, NULL, MUTEX_DEFAULT, NULL);
ill->ill_ipst = ipst;
+ list_create(&ill->ill_nce, sizeof (nce_t), offsetof(nce_t, nce_node));
netstack_hold(ipst->ips_netstack);
/*
* For exclusive stacks we set the zoneid to zero
@@ -4809,17 +3661,16 @@ ill_lookup_on_name(char *name, boolean_t do_alloc, boolean_t isv6,
mutex_init(&ill->ill_phyint->phyint_lock, NULL, MUTEX_DEFAULT, 0);
phyint_flags_init(ill->ill_phyint, DL_LOOP);
- ill->ill_max_frag = IP_LOOPBACK_MTU;
- /* Add room for tcp+ip headers */
if (isv6) {
ill->ill_isv6 = B_TRUE;
- ill->ill_max_frag += IPV6_HDR_LEN + 20; /* for TCP */
+ ill->ill_max_frag = ip_loopback_mtu_v6plus;
} else {
- ill->ill_max_frag += IP_SIMPLE_HDR_LENGTH + 20;
+ ill->ill_max_frag = ip_loopback_mtuplus;
}
if (!ill_allocate_mibs(ill))
goto done;
- ill->ill_max_mtu = ill->ill_max_frag;
+ ill->ill_current_frag = ill->ill_max_frag;
+ ill->ill_mtu = ill->ill_max_frag; /* Initial value */
/*
* ipif_loopback_name can't be pointed at directly because its used
* by both the ipv4 and ipv6 interfaces. When the ill is removed
@@ -4832,6 +3683,8 @@ ill_lookup_on_name(char *name, boolean_t do_alloc, boolean_t isv6,
/* Set ill_dlpi_pending for ipsq_current_finish() to work properly */
ill->ill_dlpi_pending = DL_PRIM_INVAL;
+ rw_init(&ill->ill_mcast_lock, NULL, RW_DEFAULT, NULL);
+ mutex_init(&ill->ill_mcast_serializer, NULL, MUTEX_DEFAULT, NULL);
ill->ill_global_timer = INFINITY;
ill->ill_mcast_v1_time = ill->ill_mcast_v2_time = 0;
ill->ill_mcast_v1_tset = ill->ill_mcast_v2_tset = 0;
@@ -4857,14 +3710,12 @@ ill_lookup_on_name(char *name, boolean_t do_alloc, boolean_t isv6,
ipaddr_t inaddr_loopback = htonl(INADDR_LOOPBACK);
IN6_IPADDR_TO_V4MAPPED(inaddr_loopback, &ipif->ipif_v6lcl_addr);
- ipif->ipif_v6src_addr = ipif->ipif_v6lcl_addr;
V4MASK_TO_V6(htonl(IN_CLASSA_NET), ipif->ipif_v6net_mask);
V6_MASK_COPY(ipif->ipif_v6lcl_addr, ipif->ipif_v6net_mask,
ipif->ipif_v6subnet);
ill->ill_flags |= ILLF_IPV4;
} else {
ipif->ipif_v6lcl_addr = ipv6_loopback;
- ipif->ipif_v6src_addr = ipif->ipif_v6lcl_addr;
ipif->ipif_v6net_mask = ipv6_all_ones;
V6_MASK_COPY(ipif->ipif_v6lcl_addr, ipif->ipif_v6net_mask,
ipif->ipif_v6subnet);
@@ -4884,6 +3735,8 @@ ill_lookup_on_name(char *name, boolean_t do_alloc, boolean_t isv6,
ipsq = ill->ill_phyint->phyint_ipsq;
+ ill_set_inputfn(ill);
+
if (ill_glist_insert(ill, "lo", isv6) != 0)
cmn_err(CE_PANIC, "cannot insert loopback interface");
@@ -4924,8 +3777,6 @@ ill_lookup_on_name(char *name, boolean_t do_alloc, boolean_t isv6,
}
}
- if (error != NULL)
- *error = 0;
*did_alloc = B_TRUE;
rw_exit(&ipst->ips_ill_g_lock);
ill_nic_event_dispatch(ill, MAP_IPIF_ID(ill->ill_ipif->ipif_id),
@@ -4947,8 +3798,6 @@ done:
mi_free(ill);
}
rw_exit(&ipst->ips_ill_g_lock);
- if (error != NULL)
- *error = ENOMEM;
return (NULL);
}
@@ -4956,8 +3805,7 @@ done:
* For IPP calls - use the ip_stack_t for global stack.
*/
ill_t *
-ill_lookup_on_ifindex_global_instance(uint_t index, boolean_t isv6,
- queue_t *q, mblk_t *mp, ipsq_func_t func, int *err)
+ill_lookup_on_ifindex_global_instance(uint_t index, boolean_t isv6)
{
ip_stack_t *ipst;
ill_t *ill;
@@ -4968,7 +3816,7 @@ ill_lookup_on_ifindex_global_instance(uint_t index, boolean_t isv6,
return (NULL);
}
- ill = ill_lookup_on_ifindex(index, isv6, q, mp, func, err, ipst);
+ ill = ill_lookup_on_ifindex(index, isv6, ipst);
netstack_rele(ipst->ips_netstack);
return (ill);
}
@@ -4977,19 +3825,11 @@ ill_lookup_on_ifindex_global_instance(uint_t index, boolean_t isv6,
* Return a pointer to the ill which matches the index and IP version type.
*/
ill_t *
-ill_lookup_on_ifindex(uint_t index, boolean_t isv6, queue_t *q, mblk_t *mp,
- ipsq_func_t func, int *err, ip_stack_t *ipst)
+ill_lookup_on_ifindex(uint_t index, boolean_t isv6, ip_stack_t *ipst)
{
ill_t *ill;
- ipsq_t *ipsq;
phyint_t *phyi;
- ASSERT((q == NULL && mp == NULL && func == NULL && err == NULL) ||
- (q != NULL && mp != NULL && func != NULL && err != NULL));
-
- if (err != NULL)
- *err = 0;
-
/*
* Indexes are stored in the phyint - a common structure
* to both IPv4 and IPv6.
@@ -5000,43 +3840,45 @@ ill_lookup_on_ifindex(uint_t index, boolean_t isv6, queue_t *q, mblk_t *mp,
if (phyi != NULL) {
ill = isv6 ? phyi->phyint_illv6: phyi->phyint_illv4;
if (ill != NULL) {
- /*
- * The block comment at the start of ipif_down
- * explains the use of the macros used below
- */
- GRAB_CONN_LOCK(q);
mutex_enter(&ill->ill_lock);
- if (ILL_CAN_LOOKUP(ill)) {
+ if (!ILL_IS_CONDEMNED(ill)) {
ill_refhold_locked(ill);
mutex_exit(&ill->ill_lock);
- RELEASE_CONN_LOCK(q);
rw_exit(&ipst->ips_ill_g_lock);
return (ill);
- } else if (ILL_CAN_WAIT(ill, q)) {
- ipsq = ill->ill_phyint->phyint_ipsq;
- mutex_enter(&ipsq->ipsq_lock);
- mutex_enter(&ipsq->ipsq_xop->ipx_lock);
- rw_exit(&ipst->ips_ill_g_lock);
- mutex_exit(&ill->ill_lock);
- ipsq_enq(ipsq, q, mp, func, NEW_OP, ill);
- mutex_exit(&ipsq->ipsq_xop->ipx_lock);
- mutex_exit(&ipsq->ipsq_lock);
- RELEASE_CONN_LOCK(q);
- if (err != NULL)
- *err = EINPROGRESS;
- return (NULL);
}
- RELEASE_CONN_LOCK(q);
mutex_exit(&ill->ill_lock);
}
}
rw_exit(&ipst->ips_ill_g_lock);
- if (err != NULL)
- *err = ENXIO;
return (NULL);
}
/*
+ * Verify whether or not an interface index is valid.
+ * It can be zero (meaning "reset") or an interface index assigned
+ * to a non-VNI interface. (We don't use VNI interface to send packets.)
+ */
+boolean_t
+ip_ifindex_valid(uint_t ifindex, boolean_t isv6, ip_stack_t *ipst)
+{
+ ill_t *ill;
+
+ if (ifindex == 0)
+ return (B_TRUE);
+
+ ill = ill_lookup_on_ifindex(ifindex, isv6, ipst);
+ if (ill == NULL)
+ return (B_FALSE);
+ if (IS_VNI(ill)) {
+ ill_refrele(ill);
+ return (B_FALSE);
+ }
+ ill_refrele(ill);
+ return (B_TRUE);
+}
+
+/*
* Return the ifindex next in sequence after the passed in ifindex.
* If there is no next ifindex for the given protocol, return 0.
*/
@@ -5118,6 +3960,20 @@ ill_get_ifindex_by_name(char *name, ip_stack_t *ipst)
}
/*
+ * Return the ifindex to be used by upper layer protocols for instance
+ * for IPV6_RECVPKTINFO. If IPMP this is the one for the upper ill.
+ */
+uint_t
+ill_get_upper_ifindex(const ill_t *ill)
+{
+ if (IS_UNDER_IPMP(ill))
+ return (ipmp_ill_get_ipmp_ifindex(ill));
+ else
+ return (ill->ill_phyint->phyint_ifindex);
+}
+
+
+/*
* Obtain a reference to the ill. The ill_refcnt is a dynamic refcnt
* that gives a running thread a reference to the ill. This reference must be
* released by the thread when it is done accessing the ill and related
@@ -5145,17 +4001,18 @@ ill_refhold_locked(ill_t *ill)
ILL_TRACE_REF(ill);
}
-int
+/* Returns true if we managed to get a refhold */
+boolean_t
ill_check_and_refhold(ill_t *ill)
{
mutex_enter(&ill->ill_lock);
- if (ILL_CAN_LOOKUP(ill)) {
+ if (!ILL_IS_CONDEMNED(ill)) {
ill_refhold_locked(ill);
mutex_exit(&ill->ill_lock);
- return (0);
+ return (B_TRUE);
}
mutex_exit(&ill->ill_lock);
- return (ILL_LOOKUP_FAILED);
+ return (B_FALSE);
}
/*
@@ -5234,8 +4091,8 @@ ip_ll_subnet_defaults(ill_t *ill, mblk_t *mp)
ASSERT(IAM_WRITER_ILL(ill));
/*
- * Till the ill is fully up ILL_CHANGING will be set and
- * the ill is not globally visible. So no need for a lock.
+ * Till the ill is fully up the ill is not globally visible.
+ * So no need for a lock.
*/
dlia = (dl_info_ack_t *)mp->b_rptr;
ill->ill_mactype = dlia->dl_mac_type;
@@ -5279,8 +4136,9 @@ ip_ll_subnet_defaults(ill_t *ill, mblk_t *mp)
* IP will fly apart otherwise.
*/
min_mtu = ill->ill_isv6 ? IPV6_MIN_MTU : IP_MIN_MTU;
- ill->ill_max_frag = MAX(min_mtu, dlia->dl_max_sdu);
- ill->ill_max_mtu = ill->ill_max_frag;
+ ill->ill_max_frag = MAX(min_mtu, dlia->dl_max_sdu);
+ ill->ill_current_frag = ill->ill_max_frag;
+ ill->ill_mtu = ill->ill_max_frag;
ill->ill_type = ipm->ip_m_type;
@@ -5320,14 +4178,6 @@ ip_ll_subnet_defaults(ill_t *ill, mblk_t *mp)
*/
ill->ill_sap = (ill->ill_isv6) ? ipm->ip_m_ipv6sap : ipm->ip_m_ipv4sap;
/*
- * Set ipif_mtu which is used to set the IRE's
- * ire_max_frag value. The driver could have sent
- * a different mtu from what it sent last time. No
- * need to call ipif_mtu_change because IREs have
- * not yet been created.
- */
- ill->ill_ipif->ipif_mtu = ill->ill_max_mtu;
- /*
* Clear all the flags that were set based on ill_bcast_addr_length
* and ill_phys_addr_length (in ipif_set_values) as these could have
* changed now and we need to re-evaluate.
@@ -5336,8 +4186,7 @@ ip_ll_subnet_defaults(ill_t *ill, mblk_t *mp)
ill->ill_ipif->ipif_flags &= ~(IPIF_BROADCAST | IPIF_POINTOPOINT);
/*
- * Free ill_resolver_mp and ill_bcast_mp as things could have
- * changed now.
+ * Free ill_bcast_mp as things could have changed now.
*
* NOTE: The IPMP meta-interface is special-cased because it starts
* with no underlying interfaces (and thus an unknown broadcast
@@ -5345,19 +4194,14 @@ ip_ll_subnet_defaults(ill_t *ill, mblk_t *mp)
* capable as part of allowing it to join a group.
*/
if (ill->ill_bcast_addr_length == 0 && !IS_IPMP(ill)) {
- if (ill->ill_resolver_mp != NULL)
- freemsg(ill->ill_resolver_mp);
if (ill->ill_bcast_mp != NULL)
freemsg(ill->ill_bcast_mp);
- if (ill->ill_flags & ILLF_XRESOLV)
- ill->ill_net_type = IRE_IF_RESOLVER;
- else
- ill->ill_net_type = IRE_IF_NORESOLVER;
- ill->ill_resolver_mp = ill_dlur_gen(NULL,
+ ill->ill_net_type = IRE_IF_NORESOLVER;
+
+ ill->ill_bcast_mp = ill_dlur_gen(NULL,
ill->ill_phys_addr_length,
ill->ill_sap,
ill->ill_sap_length);
- ill->ill_bcast_mp = copymsg(ill->ill_resolver_mp);
if (ill->ill_isv6)
/*
@@ -5520,7 +4364,7 @@ ipif_comp_multi(ipif_t *old_ipif, ipif_t *new_ipif, boolean_t isv6)
* 3b. link local, but deprecated
* 4. loopback.
*/
-ipif_t *
+static ipif_t *
ipif_lookup_multicast(ip_stack_t *ipst, zoneid_t zoneid, boolean_t isv6)
{
ill_t *ill;
@@ -5537,7 +4381,8 @@ ipif_lookup_multicast(ip_stack_t *ipst, zoneid_t zoneid, boolean_t isv6)
for (; ill != NULL; ill = ill_next(&ctx, ill)) {
mutex_enter(&ill->ill_lock);
- if (IS_VNI(ill) || IS_UNDER_IPMP(ill) || !ILL_CAN_LOOKUP(ill) ||
+ if (IS_VNI(ill) || IS_UNDER_IPMP(ill) ||
+ ILL_IS_CONDEMNED(ill) ||
!(ill->ill_flags & ILLF_MULTICAST)) {
mutex_exit(&ill->ill_lock);
continue;
@@ -5550,7 +4395,7 @@ ipif_lookup_multicast(ip_stack_t *ipst, zoneid_t zoneid, boolean_t isv6)
continue;
}
if (!(ipif->ipif_flags & IPIF_UP) ||
- !IPIF_CAN_LOOKUP(ipif)) {
+ IPIF_IS_CONDEMNED(ipif)) {
continue;
}
@@ -5618,6 +4463,22 @@ ipif_lookup_multicast(ip_stack_t *ipst, zoneid_t zoneid, boolean_t isv6)
}
}
+ill_t *
+ill_lookup_multicast(ip_stack_t *ipst, zoneid_t zoneid, boolean_t isv6)
+{
+ ipif_t *ipif;
+ ill_t *ill;
+
+ ipif = ipif_lookup_multicast(ipst, zoneid, isv6);
+ if (ipif == NULL)
+ return (NULL);
+
+ ill = ipif->ipif_ill;
+ ill_refhold(ill);
+ ipif_refrele(ipif);
+ return (ill);
+}
+
/*
* This function is called when an application does not specify an interface
* to be used for multicast traffic (joining a group/sending data). It
@@ -5629,22 +4490,21 @@ ipif_lookup_multicast(ip_stack_t *ipst, zoneid_t zoneid, boolean_t isv6)
* anything in between. If there is no such multicast route, we just find
* any multicast capable interface and return it. The returned ipif
* is refhold'ed.
+ *
+ * We support MULTIRT and RTF_SETSRC on the multicast routes added to the
+ * unicast table. This is used by CGTP.
*/
-ipif_t *
-ipif_lookup_group(ipaddr_t group, zoneid_t zoneid, ip_stack_t *ipst)
+ill_t *
+ill_lookup_group_v4(ipaddr_t group, zoneid_t zoneid, ip_stack_t *ipst,
+ boolean_t *multirtp, ipaddr_t *setsrcp)
{
- ire_t *ire;
- ipif_t *ipif;
+ ill_t *ill;
- ire = ire_lookup_multi(group, zoneid, ipst);
- if (ire != NULL) {
- ipif = ire->ire_ipif;
- ipif_refhold(ipif);
- ire_refrele(ire);
- return (ipif);
- }
+ ill = ire_lookup_multi_ill_v4(group, zoneid, ipst, multirtp, setsrcp);
+ if (ill != NULL)
+ return (ill);
- return (ipif_lookup_multicast(ipst, zoneid, B_FALSE));
+ return (ill_lookup_multicast(ipst, zoneid, B_FALSE));
}
/*
@@ -5652,16 +4512,11 @@ ipif_lookup_group(ipaddr_t group, zoneid_t zoneid, ip_stack_t *ipst)
* The destination address is used only for matching point-to-point interfaces.
*/
ipif_t *
-ipif_lookup_interface(ipaddr_t if_addr, ipaddr_t dst, queue_t *q, mblk_t *mp,
- ipsq_func_t func, int *error, ip_stack_t *ipst)
+ipif_lookup_interface(ipaddr_t if_addr, ipaddr_t dst, ip_stack_t *ipst)
{
ipif_t *ipif;
ill_t *ill;
ill_walk_context_t ctx;
- ipsq_t *ipsq;
-
- if (error != NULL)
- *error = 0;
/*
* First match all the point-to-point interfaces
@@ -5672,7 +4527,6 @@ ipif_lookup_interface(ipaddr_t if_addr, ipaddr_t dst, queue_t *q, mblk_t *mp,
rw_enter(&ipst->ips_ill_g_lock, RW_READER);
ill = ILL_START_WALK_V4(&ctx, ipst);
for (; ill != NULL; ill = ill_next(&ctx, ill)) {
- GRAB_CONN_LOCK(q);
mutex_enter(&ill->ill_lock);
for (ipif = ill->ill_ipif; ipif != NULL;
ipif = ipif->ipif_next) {
@@ -5680,41 +4534,20 @@ ipif_lookup_interface(ipaddr_t if_addr, ipaddr_t dst, queue_t *q, mblk_t *mp,
if ((ipif->ipif_flags & IPIF_POINTOPOINT) &&
(ipif->ipif_lcl_addr == if_addr) &&
(ipif->ipif_pp_dst_addr == dst)) {
- /*
- * The block comment at the start of ipif_down
- * explains the use of the macros used below
- */
- if (IPIF_CAN_LOOKUP(ipif)) {
+ if (!IPIF_IS_CONDEMNED(ipif)) {
ipif_refhold_locked(ipif);
mutex_exit(&ill->ill_lock);
- RELEASE_CONN_LOCK(q);
rw_exit(&ipst->ips_ill_g_lock);
return (ipif);
- } else if (IPIF_CAN_WAIT(ipif, q)) {
- ipsq = ill->ill_phyint->phyint_ipsq;
- mutex_enter(&ipsq->ipsq_lock);
- mutex_enter(&ipsq->ipsq_xop->ipx_lock);
- mutex_exit(&ill->ill_lock);
- rw_exit(&ipst->ips_ill_g_lock);
- ipsq_enq(ipsq, q, mp, func, NEW_OP,
- ill);
- mutex_exit(&ipsq->ipsq_xop->ipx_lock);
- mutex_exit(&ipsq->ipsq_lock);
- RELEASE_CONN_LOCK(q);
- if (error != NULL)
- *error = EINPROGRESS;
- return (NULL);
}
}
}
mutex_exit(&ill->ill_lock);
- RELEASE_CONN_LOCK(q);
}
rw_exit(&ipst->ips_ill_g_lock);
/* lookup the ipif based on interface address */
- ipif = ipif_lookup_addr(if_addr, NULL, ALL_ZONES, q, mp, func, error,
- ipst);
+ ipif = ipif_lookup_addr(if_addr, NULL, ALL_ZONES, ipst);
ASSERT(ipif == NULL || !ipif->ipif_isv6);
return (ipif);
}
@@ -5723,18 +4556,15 @@ ipif_lookup_interface(ipaddr_t if_addr, ipaddr_t dst, queue_t *q, mblk_t *mp,
* Common function for ipif_lookup_addr() and ipif_lookup_addr_exact().
*/
static ipif_t *
-ipif_lookup_addr_common(ipaddr_t addr, ill_t *match_ill, boolean_t match_illgrp,
- zoneid_t zoneid, queue_t *q, mblk_t *mp, ipsq_func_t func, int *error,
- ip_stack_t *ipst)
+ipif_lookup_addr_common(ipaddr_t addr, ill_t *match_ill, uint32_t match_flags,
+ zoneid_t zoneid, ip_stack_t *ipst)
{
ipif_t *ipif;
ill_t *ill;
boolean_t ptp = B_FALSE;
- ipsq_t *ipsq;
ill_walk_context_t ctx;
-
- if (error != NULL)
- *error = 0;
+ boolean_t match_illgrp = (match_flags & IPIF_MATCH_ILLGRP);
+ boolean_t no_duplicate = (match_flags & IPIF_MATCH_NONDUP);
rw_enter(&ipst->ips_ill_g_lock, RW_READER);
/*
@@ -5748,7 +4578,6 @@ repeat:
(!match_illgrp || !IS_IN_SAME_ILLGRP(ill, match_ill))) {
continue;
}
- GRAB_CONN_LOCK(q);
mutex_enter(&ill->ill_lock);
for (ipif = ill->ill_ipif; ipif != NULL;
ipif = ipif->ipif_next) {
@@ -5756,47 +4585,29 @@ repeat:
zoneid != ipif->ipif_zoneid &&
ipif->ipif_zoneid != ALL_ZONES)
continue;
+
+ if (no_duplicate && !(ipif->ipif_flags & IPIF_UP))
+ continue;
+
/* Allow the ipif to be down */
if ((!ptp && (ipif->ipif_lcl_addr == addr) &&
((ipif->ipif_flags & IPIF_UNNUMBERED) == 0)) ||
(ptp && (ipif->ipif_flags & IPIF_POINTOPOINT) &&
(ipif->ipif_pp_dst_addr == addr))) {
- /*
- * The block comment at the start of ipif_down
- * explains the use of the macros used below
- */
- if (IPIF_CAN_LOOKUP(ipif)) {
+ if (!IPIF_IS_CONDEMNED(ipif)) {
ipif_refhold_locked(ipif);
mutex_exit(&ill->ill_lock);
- RELEASE_CONN_LOCK(q);
rw_exit(&ipst->ips_ill_g_lock);
return (ipif);
- } else if (IPIF_CAN_WAIT(ipif, q)) {
- ipsq = ill->ill_phyint->phyint_ipsq;
- mutex_enter(&ipsq->ipsq_lock);
- mutex_enter(&ipsq->ipsq_xop->ipx_lock);
- mutex_exit(&ill->ill_lock);
- rw_exit(&ipst->ips_ill_g_lock);
- ipsq_enq(ipsq, q, mp, func, NEW_OP,
- ill);
- mutex_exit(&ipsq->ipsq_xop->ipx_lock);
- mutex_exit(&ipsq->ipsq_lock);
- RELEASE_CONN_LOCK(q);
- if (error != NULL)
- *error = EINPROGRESS;
- return (NULL);
}
}
}
mutex_exit(&ill->ill_lock);
- RELEASE_CONN_LOCK(q);
}
/* If we already did the ptp case, then we are done */
if (ptp) {
rw_exit(&ipst->ips_ill_g_lock);
- if (error != NULL)
- *error = ENXIO;
return (NULL);
}
ptp = B_TRUE;
@@ -5804,55 +4615,6 @@ repeat:
}
/*
- * Check if the address exists in the system.
- * We don't hold the conn_lock as we will not perform defered ipsqueue
- * operation.
- */
-boolean_t
-ip_addr_exists(ipaddr_t addr, zoneid_t zoneid, ip_stack_t *ipst)
-{
- ipif_t *ipif;
- ill_t *ill;
- ill_walk_context_t ctx;
-
- rw_enter(&ipst->ips_ill_g_lock, RW_READER);
-
- ill = ILL_START_WALK_V4(&ctx, ipst);
- for (; ill != NULL; ill = ill_next(&ctx, ill)) {
- mutex_enter(&ill->ill_lock);
- for (ipif = ill->ill_ipif; ipif != NULL;
- ipif = ipif->ipif_next) {
- if (zoneid != ALL_ZONES &&
- zoneid != ipif->ipif_zoneid &&
- ipif->ipif_zoneid != ALL_ZONES)
- continue;
- /* Allow the ipif to be down */
- /*
- * XXX Different from ipif_lookup_addr(), we don't do
- * twice lookups. As from bind()'s point of view, we
- * may return once we find a match.
- */
- if (((ipif->ipif_lcl_addr == addr) &&
- ((ipif->ipif_flags & IPIF_UNNUMBERED) == 0)) ||
- ((ipif->ipif_flags & IPIF_POINTOPOINT) &&
- (ipif->ipif_pp_dst_addr == addr))) {
- /*
- * Allow bind() to be successful even if the
- * ipif is with IPIF_CHANGING bit set.
- */
- mutex_exit(&ill->ill_lock);
- rw_exit(&ipst->ips_ill_g_lock);
- return (B_TRUE);
- }
- }
- mutex_exit(&ill->ill_lock);
- }
-
- rw_exit(&ipst->ips_ill_g_lock);
- return (B_FALSE);
-}
-
-/*
* Lookup an ipif with the specified address. For point-to-point links we
* look for matches on either the destination address or the local address,
* but we skip the local address check if IPIF_UNNUMBERED is set. If the
@@ -5860,11 +4622,25 @@ ip_addr_exists(ipaddr_t addr, zoneid_t zoneid, ip_stack_t *ipst)
* (or illgrp if `match_ill' is in an IPMP group).
*/
ipif_t *
-ipif_lookup_addr(ipaddr_t addr, ill_t *match_ill, zoneid_t zoneid, queue_t *q,
- mblk_t *mp, ipsq_func_t func, int *error, ip_stack_t *ipst)
+ipif_lookup_addr(ipaddr_t addr, ill_t *match_ill, zoneid_t zoneid,
+ ip_stack_t *ipst)
+{
+ return (ipif_lookup_addr_common(addr, match_ill, IPIF_MATCH_ILLGRP,
+ zoneid, ipst));
+}
+
+/*
+ * Lookup an ipif with the specified address. Similar to ipif_lookup_addr,
+ * except that we will only return an address if it is not marked as
+ * IPIF_DUPLICATE
+ */
+ipif_t *
+ipif_lookup_addr_nondup(ipaddr_t addr, ill_t *match_ill, zoneid_t zoneid,
+ ip_stack_t *ipst)
{
- return (ipif_lookup_addr_common(addr, match_ill, B_TRUE, zoneid, q, mp,
- func, error, ipst));
+ return (ipif_lookup_addr_common(addr, match_ill,
+ (IPIF_MATCH_ILLGRP | IPIF_MATCH_NONDUP),
+ zoneid, ipst));
}
/*
@@ -5872,12 +4648,12 @@ ipif_lookup_addr(ipaddr_t addr, ill_t *match_ill, zoneid_t zoneid, queue_t *q,
* `match_ill' across the IPMP group. This function is only needed in some
* corner-cases; almost everything should use ipif_lookup_addr().
*/
-static ipif_t *
+ipif_t *
ipif_lookup_addr_exact(ipaddr_t addr, ill_t *match_ill, ip_stack_t *ipst)
{
ASSERT(match_ill != NULL);
- return (ipif_lookup_addr_common(addr, match_ill, B_FALSE, ALL_ZONES,
- NULL, NULL, NULL, NULL, ipst));
+ return (ipif_lookup_addr_common(addr, match_ill, 0, ALL_ZONES,
+ ipst));
}
/*
@@ -5951,13 +4727,13 @@ repeat:
* IRE lookup and pick the first ipif corresponding to the source address in the
* ire.
* Returns: held ipif
+ *
+ * This is only used for ICMP_ADDRESS_MASK_REQUESTs
*/
ipif_t *
ipif_lookup_remote(ill_t *ill, ipaddr_t addr, zoneid_t zoneid)
{
ipif_t *ipif;
- ire_t *ire;
- ip_stack_t *ipst = ill->ill_ipst;
ASSERT(!ill->ill_isv6);
@@ -5970,7 +4746,7 @@ ipif_lookup_remote(ill_t *ill, ipaddr_t addr, zoneid_t zoneid)
*/
mutex_enter(&ill->ill_lock);
for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
- if (!IPIF_CAN_LOOKUP(ipif))
+ if (IPIF_IS_CONDEMNED(ipif))
continue;
if (zoneid != ALL_ZONES && zoneid != ipif->ipif_zoneid &&
ipif->ipif_zoneid != ALL_ZONES)
@@ -5991,24 +4767,11 @@ ipif_lookup_remote(ill_t *ill, ipaddr_t addr, zoneid_t zoneid)
}
}
mutex_exit(&ill->ill_lock);
- ire = ire_route_lookup(addr, 0, 0, 0, NULL, NULL, zoneid,
- NULL, MATCH_IRE_RECURSIVE, ipst);
- if (ire != NULL) {
- /*
- * The callers of this function wants to know the
- * interface on which they have to send the replies
- * back. For IREs that have ire_stq and ire_ipif
- * derived from different ills, we really don't care
- * what we return here.
- */
- ipif = ire->ire_ipif;
- if (ipif != NULL) {
- ipif_refhold(ipif);
- ire_refrele(ire);
- return (ipif);
- }
- ire_refrele(ire);
- }
+ /*
+ * For a remote destination it isn't possible to nail down a particular
+ * ipif.
+ */
+
/* Pick the first interface */
ipif = ipif_get_next_ipif(NULL, ill);
return (ipif);
@@ -6027,9 +4790,8 @@ ill_is_quiescent(ill_t *ill)
ASSERT(MUTEX_HELD(&ill->ill_lock));
for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
- if (ipif->ipif_refcnt != 0 || !IPIF_DOWN_OK(ipif)) {
+ if (ipif->ipif_refcnt != 0)
return (B_FALSE);
- }
}
if (!ILL_DOWN_OK(ill) || ill->ill_refcnt != 0) {
return (B_FALSE);
@@ -6045,7 +4807,7 @@ ill_is_freeable(ill_t *ill)
ASSERT(MUTEX_HELD(&ill->ill_lock));
for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
- if (ipif->ipif_refcnt != 0 || !IPIF_FREE_OK(ipif)) {
+ if (ipif->ipif_refcnt != 0) {
return (B_FALSE);
}
}
@@ -6067,9 +4829,8 @@ ipif_is_quiescent(ipif_t *ipif)
ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
- if (ipif->ipif_refcnt != 0 || !IPIF_DOWN_OK(ipif)) {
+ if (ipif->ipif_refcnt != 0)
return (B_FALSE);
- }
ill = ipif->ipif_ill;
if (ill->ill_ipif_up_count != 0 || ill->ill_ipif_dup_count != 0 ||
@@ -6078,7 +4839,7 @@ ipif_is_quiescent(ipif_t *ipif)
}
/* This is the last ipif going down or being deleted on this ill */
- if (!ILL_DOWN_OK(ill) || ill->ill_refcnt != 0) {
+ if (ill->ill_ire_cnt != 0 || ill->ill_refcnt != 0) {
return (B_FALSE);
}
@@ -6087,14 +4848,14 @@ ipif_is_quiescent(ipif_t *ipif)
/*
* return true if the ipif can be destroyed: the ipif has to be quiescent
- * with zero references from ire/nce/ilm to it.
+ * with zero references from ire/ilm to it.
*/
static boolean_t
ipif_is_freeable(ipif_t *ipif)
{
ASSERT(MUTEX_HELD(&ipif->ipif_ill->ill_lock));
ASSERT(ipif->ipif_id != 0);
- return (ipif->ipif_refcnt == 0 && IPIF_FREE_OK(ipif));
+ return (ipif->ipif_refcnt == 0);
}
/*
@@ -6275,7 +5036,7 @@ th_trace_gethash(ip_stack_t *ipst)
* block.
*/
objsize = MAX(MAX(sizeof (ill_t), sizeof (ipif_t)),
- MAX(sizeof (ire_t), sizeof (nce_t)));
+ MAX(sizeof (ire_t), sizeof (ncec_t)));
rshift = highbit(objsize);
mh = mod_hash_create_extended(name, 64, mod_hash_null_keydtor,
th_trace_free, mod_hash_byptr, (void *)rshift,
@@ -6509,7 +5270,7 @@ ipif_get_next_ipif(ipif_t *curr, ill_t *ill)
mutex_enter(&ill->ill_lock);
for (ipif = (curr == NULL ? ill->ill_ipif : curr->ipif_next);
ipif != NULL; ipif = ipif->ipif_next) {
- if (!IPIF_CAN_LOOKUP(ipif))
+ if (IPIF_IS_CONDEMNED(ipif))
continue;
ipif_refhold_locked(ipif);
mutex_exit(&ill->ill_lock);
@@ -6535,28 +5296,53 @@ ip_m_lookup(t_uscalar_t mac_type)
}
/*
+ * Make a link layer address from the multicast IP address *addr.
+ * To form the link layer address, invoke the ip_m_v*mapping function
+ * associated with the link-layer type.
+ */
+void
+ip_mcast_mapping(ill_t *ill, uchar_t *addr, uchar_t *hwaddr)
+{
+ ip_m_t *ipm;
+
+ if (ill->ill_net_type == IRE_IF_NORESOLVER)
+ return;
+
+ ASSERT(addr != NULL);
+
+ ipm = ip_m_lookup(ill->ill_mactype);
+ if (ipm == NULL ||
+ (ill->ill_isv6 && ipm->ip_m_v6mapping == NULL) ||
+ (!ill->ill_isv6 && ipm->ip_m_v4mapping == NULL)) {
+ ip0dbg(("no mapping for ill %s mactype 0x%x\n",
+ ill->ill_name, ill->ill_mactype));
+ return;
+ }
+ if (ill->ill_isv6)
+ (*ipm->ip_m_v6mapping)(ill, addr, hwaddr);
+ else
+ (*ipm->ip_m_v4mapping)(ill, addr, hwaddr);
+}
+
+/*
* ip_rt_add is called to add an IPv4 route to the forwarding table.
- * ipif_arg is passed in to associate it with the correct interface.
- * We may need to restart this operation if the ipif cannot be looked up
- * due to an exclusive operation that is currently in progress. The restart
- * entry point is specified by 'func'
+ * ill is passed in to associate it with the correct interface.
+ * If ire_arg is set, then we return the held IRE in that location.
*/
int
ip_rt_add(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
- ipaddr_t src_addr, int flags, ipif_t *ipif_arg, ire_t **ire_arg,
- boolean_t ioctl_msg, queue_t *q, mblk_t *mp, ipsq_func_t func,
- struct rtsa_s *sp, ip_stack_t *ipst)
+ ipaddr_t src_addr, int flags, ill_t *ill, ire_t **ire_arg,
+ boolean_t ioctl_msg, struct rtsa_s *sp, ip_stack_t *ipst, zoneid_t zoneid)
{
- ire_t *ire;
+ ire_t *ire, *nire;
ire_t *gw_ire = NULL;
ipif_t *ipif = NULL;
- boolean_t ipif_refheld = B_FALSE;
uint_t type;
int match_flags = MATCH_IRE_TYPE;
- int error;
tsol_gc_t *gc = NULL;
tsol_gcgrp_t *gcgrp = NULL;
boolean_t gcgrp_xtraref = B_FALSE;
+ boolean_t cgtp_broadcast;
ip1dbg(("ip_rt_add:"));
@@ -6579,27 +5365,19 @@ ip_rt_add(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
return (ENETUNREACH);
/*
* Get the ipif, if any, corresponding to the gw_addr
+ * If -ifp was specified we restrict ourselves to the ill, otherwise
+ * we match on the gatway and destination to handle unnumbered pt-pt
+ * interfaces.
*/
- ipif = ipif_lookup_interface(gw_addr, dst_addr, q, mp, func, &error,
- ipst);
+ if (ill != NULL)
+ ipif = ipif_lookup_addr(gw_addr, ill, ALL_ZONES, ipst);
+ else
+ ipif = ipif_lookup_interface(gw_addr, dst_addr, ipst);
if (ipif != NULL) {
if (IS_VNI(ipif->ipif_ill)) {
ipif_refrele(ipif);
return (EINVAL);
}
- ipif_refheld = B_TRUE;
- } else if (error == EINPROGRESS) {
- ip1dbg(("ip_rt_add: null and EINPROGRESS"));
- return (EINPROGRESS);
- } else {
- error = 0;
- }
-
- if (ipif != NULL) {
- ip1dbg(("ip_rt_add: ipif_lookup_interface done ipif nonnull"));
- ASSERT(!MUTEX_HELD(&ipif->ipif_ill->ill_lock));
- } else {
- ip1dbg(("ip_rt_add: ipif_lookup_interface done ipif is null"));
}
/*
@@ -6612,12 +5390,12 @@ ip_rt_add(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
flags &= ~RTF_GATEWAY;
if (gw_addr == INADDR_LOOPBACK && dst_addr == INADDR_LOOPBACK &&
mask == IP_HOST_MASK) {
- ire = ire_ctable_lookup(dst_addr, 0, IRE_LOOPBACK, ipif,
- ALL_ZONES, NULL, match_flags, ipst);
+ ire = ire_ftable_lookup_v4(dst_addr, 0, 0, IRE_LOOPBACK,
+ NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 0, ipst,
+ NULL);
if (ire != NULL) {
ire_refrele(ire);
- if (ipif_refheld)
- ipif_refrele(ipif);
+ ipif_refrele(ipif);
return (EEXIST);
}
ip1dbg(("ip_rt_add: 0x%p creating IRE 0x%x"
@@ -6627,40 +5405,58 @@ ip_rt_add(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
ire = ire_create(
(uchar_t *)&dst_addr, /* dest address */
(uchar_t *)&mask, /* mask */
- (uchar_t *)&ipif->ipif_src_addr,
NULL, /* no gateway */
- &ipif->ipif_mtu,
- NULL,
- ipif->ipif_rq, /* recv-from queue */
- NULL, /* no send-to queue */
ipif->ipif_ire_type, /* LOOPBACK */
- ipif,
- 0,
- 0,
- 0,
- (ipif->ipif_flags & IPIF_PRIVATE) ?
- RTF_PRIVATE : 0,
- &ire_uinfo_null,
- NULL,
+ ipif->ipif_ill,
+ zoneid,
+ (ipif->ipif_flags & IPIF_PRIVATE) ? RTF_PRIVATE : 0,
NULL,
ipst);
if (ire == NULL) {
- if (ipif_refheld)
- ipif_refrele(ipif);
+ ipif_refrele(ipif);
return (ENOMEM);
}
- error = ire_add(&ire, q, mp, func, B_FALSE);
- if (error == 0)
- goto save_ire;
- if (ipif_refheld)
- ipif_refrele(ipif);
- return (error);
+ /* src address assigned by the caller? */
+ if ((src_addr != INADDR_ANY) && (flags & RTF_SETSRC))
+ ire->ire_setsrc_addr = src_addr;
+ nire = ire_add(ire);
+ if (nire == NULL) {
+ /*
+ * In the result of failure, ire_add() will have
+ * already deleted the ire in question, so there
+ * is no need to do that here.
+ */
+ ipif_refrele(ipif);
+ return (ENOMEM);
+ }
+ /*
+ * Check if it was a duplicate entry. This handles
+ * the case of two racing route adds for the same route
+ */
+ if (nire != ire) {
+ ASSERT(nire->ire_identical_ref > 1);
+ ire_delete(nire);
+ ire_refrele(nire);
+ ipif_refrele(ipif);
+ return (EEXIST);
+ }
+ ire = nire;
+ goto save_ire;
}
}
/*
+ * The routes for multicast with CGTP are quite special in that
+ * the gateway is the local interface address, yet RTF_GATEWAY
+ * is set. We turn off RTF_GATEWAY to provide compatibility with
+ * this undocumented and unusual use of multicast routes.
+ */
+ if ((flags & RTF_MULTIRT) && ipif != NULL)
+ flags &= ~RTF_GATEWAY;
+
+ /*
* Traditionally, interface routes are ones where RTF_GATEWAY isn't set
* and the gateway address provided is one of the system's interface
* addresses. By using the routing socket interface and supplying an
@@ -6694,8 +5490,8 @@ ip_rt_add(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
* logical interfaces
*
* 192.0.2.32 255.255.255.224 192.0.2.33 U if0
- * 192.0.2.32 255.255.255.224 192.0.2.34 U if0:1
- * 192.0.2.32 255.255.255.224 192.0.2.35 U if0:2
+ * 192.0.2.32 255.255.255.224 192.0.2.34 U if0
+ * 192.0.2.32 255.255.255.224 192.0.2.35 U if0
*
* the ipif's corresponding to each of these interface routes can be
* uniquely identified by the "gateway" (actually interface address).
@@ -6710,47 +5506,37 @@ ip_rt_add(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
/* RTF_GATEWAY not set */
if (!(flags & RTF_GATEWAY)) {
- queue_t *stq;
-
if (sp != NULL) {
ip2dbg(("ip_rt_add: gateway security attributes "
"cannot be set with interface route\n"));
- if (ipif_refheld)
+ if (ipif != NULL)
ipif_refrele(ipif);
return (EINVAL);
}
/*
- * As the interface index specified with the RTA_IFP sockaddr is
- * the same for all ipif's off of an ill, the matching logic
- * below uses MATCH_IRE_ILL if such an index was specified.
- * This means that routes sharing the same prefix when added
- * using a RTA_IFP sockaddr must have distinct interface
- * indices (namely, they must be on distinct ill's).
- *
- * On the other hand, since the gateway address will usually be
- * different for each ipif on the system, the matching logic
- * uses MATCH_IRE_IPIF in the case of a traditional interface
- * route. This means that interface routes for the same prefix
- * can be created if they belong to distinct ipif's and if a
- * RTA_IFP sockaddr is not present.
+ * Whether or not ill (RTA_IFP) is set, we require that
+ * the gateway is one of our local addresses.
*/
- if (ipif_arg != NULL) {
- if (ipif_refheld) {
- ipif_refrele(ipif);
- ipif_refheld = B_FALSE;
- }
- ipif = ipif_arg;
- match_flags |= MATCH_IRE_ILL;
- } else {
- /*
- * Check the ipif corresponding to the gw_addr
- */
- if (ipif == NULL)
- return (ENETUNREACH);
- match_flags |= MATCH_IRE_IPIF;
+ if (ipif == NULL)
+ return (ENETUNREACH);
+
+ /*
+ * We use MATCH_IRE_ILL here. If the caller specified an
+ * interface (from the RTA_IFP sockaddr) we use it, otherwise
+ * we use the ill derived from the gateway address.
+ * We can always match the gateway address since we record it
+ * in ire_gateway_addr.
+ * We don't allow RTA_IFP to specify a different ill than the
+ * one matching the ipif to make sure we can delete the route.
+ */
+ match_flags |= MATCH_IRE_GW | MATCH_IRE_ILL;
+ if (ill == NULL) {
+ ill = ipif->ipif_ill;
+ } else if (ill != ipif->ipif_ill) {
+ ipif_refrele(ipif);
+ return (EINVAL);
}
- ASSERT(ipif != NULL);
/*
* We check for an existing entry at this point.
@@ -6761,45 +5547,32 @@ ip_rt_add(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
*/
if (!ioctl_msg)
match_flags |= MATCH_IRE_MASK;
- ire = ire_ftable_lookup(dst_addr, mask, 0, IRE_INTERFACE, ipif,
- NULL, ALL_ZONES, 0, NULL, match_flags, ipst);
+ ire = ire_ftable_lookup_v4(dst_addr, mask, gw_addr,
+ IRE_INTERFACE, ill, ALL_ZONES, NULL, match_flags, 0, ipst,
+ NULL);
if (ire != NULL) {
ire_refrele(ire);
- if (ipif_refheld)
- ipif_refrele(ipif);
+ ipif_refrele(ipif);
return (EEXIST);
}
- stq = (ipif->ipif_net_type == IRE_IF_RESOLVER)
- ? ipif->ipif_rq : ipif->ipif_wq;
-
/*
- * Create a copy of the IRE_LOOPBACK,
- * IRE_IF_NORESOLVER or IRE_IF_RESOLVER with
- * the modified address and netmask.
+ * Create a copy of the IRE_LOOPBACK, IRE_IF_NORESOLVER or
+ * IRE_IF_RESOLVER with the modified address, netmask, and
+ * gateway.
*/
ire = ire_create(
(uchar_t *)&dst_addr,
(uint8_t *)&mask,
- (uint8_t *)&ipif->ipif_src_addr,
- NULL,
- &ipif->ipif_mtu,
- NULL,
- NULL,
- stq,
- ipif->ipif_net_type,
- ipif,
- 0,
- 0,
- 0,
+ (uint8_t *)&gw_addr,
+ ill->ill_net_type,
+ ill,
+ zoneid,
flags,
- &ire_uinfo_null,
- NULL,
NULL,
ipst);
if (ire == NULL) {
- if (ipif_refheld)
- ipif_refrele(ipif);
+ ipif_refrele(ipif);
return (ENOMEM);
}
@@ -6810,7 +5583,7 @@ ip_rt_add(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
* set up prefixes with the RTF_REJECT flag set (for example,
* when generating aggregate routes.)
*
- * If the IRE type (as defined by ipif->ipif_net_type) is
+ * If the IRE type (as defined by ill->ill_net_type) is
* IRE_LOOPBACK, then we map the request into a
* IRE_IF_NORESOLVER. We also OR in the RTF_BLACKHOLE flag as
* these interface routes, by definition, can only be that.
@@ -6819,27 +5592,37 @@ ip_rt_add(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
* routine, but rather using ire_create() directly.
*
*/
- if (ipif->ipif_net_type == IRE_LOOPBACK) {
+ if (ill->ill_net_type == IRE_LOOPBACK) {
ire->ire_type = IRE_IF_NORESOLVER;
ire->ire_flags |= RTF_BLACKHOLE;
}
- error = ire_add(&ire, q, mp, func, B_FALSE);
- if (error == 0)
- goto save_ire;
+ /* src address assigned by the caller? */
+ if ((src_addr != INADDR_ANY) && (flags & RTF_SETSRC))
+ ire->ire_setsrc_addr = src_addr;
+ nire = ire_add(ire);
+ if (nire == NULL) {
+ /*
+ * In the result of failure, ire_add() will have
+ * already deleted the ire in question, so there
+ * is no need to do that here.
+ */
+ ipif_refrele(ipif);
+ return (ENOMEM);
+ }
/*
- * In the result of failure, ire_add() will have already
- * deleted the ire in question, so there is no need to
- * do that here.
+ * Check if it was a duplicate entry. This handles
+ * the case of two racing route adds for the same route
*/
- if (ipif_refheld)
+ if (nire != ire) {
+ ire_delete(nire);
+ ire_refrele(nire);
ipif_refrele(ipif);
- return (error);
- }
- if (ipif_refheld) {
- ipif_refrele(ipif);
- ipif_refheld = B_FALSE;
+ return (EEXIST);
+ }
+ ire = nire;
+ goto save_ire;
}
/*
@@ -6847,13 +5630,19 @@ ip_rt_add(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
* If we don't have an IRE_IF_NORESOLVER or IRE_IF_RESOLVER for the
* gateway, it is currently unreachable and we fail the request
* accordingly.
+ * If RTA_IFP was specified we look on that particular ill.
*/
- ipif = ipif_arg;
- if (ipif_arg != NULL)
+ if (ill != NULL)
match_flags |= MATCH_IRE_ILL;
+
+ /* Check whether the gateway is reachable. */
again:
- gw_ire = ire_ftable_lookup(gw_addr, 0, 0, IRE_INTERFACE, ipif_arg, NULL,
- ALL_ZONES, 0, NULL, match_flags, ipst);
+ type = IRE_INTERFACE;
+ if (flags & RTF_INDIRECT)
+ type |= IRE_OFFLINK;
+
+ gw_ire = ire_ftable_lookup_v4(gw_addr, 0, 0, type, ill,
+ ALL_ZONES, NULL, match_flags, 0, ipst, NULL);
if (gw_ire == NULL) {
/*
* With IPMP, we allow host routes to influence in.mpathd's
@@ -6862,10 +5651,13 @@ again:
* underlying IRE_INTERFACEs are marked hidden. So allow
* hidden test IREs to be found and try again.
*/
- if (!(match_flags & MATCH_IRE_MARK_TESTHIDDEN)) {
- match_flags |= MATCH_IRE_MARK_TESTHIDDEN;
+ if (!(match_flags & MATCH_IRE_TESTHIDDEN)) {
+ match_flags |= MATCH_IRE_TESTHIDDEN;
goto again;
}
+
+ if (ipif != NULL)
+ ipif_refrele(ipif);
return (ENETUNREACH);
}
@@ -6885,10 +5677,12 @@ again:
type = IRE_PREFIX;
/* check for a duplicate entry */
- ire = ire_ftable_lookup(dst_addr, mask, gw_addr, type, ipif_arg,
- NULL, ALL_ZONES, 0, NULL,
- match_flags | MATCH_IRE_MASK | MATCH_IRE_GW, ipst);
+ ire = ire_ftable_lookup_v4(dst_addr, mask, gw_addr, type, ill,
+ ALL_ZONES, NULL, match_flags | MATCH_IRE_MASK | MATCH_IRE_GW,
+ 0, ipst, NULL);
if (ire != NULL) {
+ if (ipif != NULL)
+ ipif_refrele(ipif);
ire_refrele(gw_ire);
ire_refrele(ire);
return (EEXIST);
@@ -6905,6 +5699,8 @@ again:
/* we hold reference to it upon success */
gcgrp = gcgrp_lookup(&ga, B_TRUE);
if (gcgrp == NULL) {
+ if (ipif != NULL)
+ ipif_refrele(ipif);
ire_refrele(gw_ire);
return (ENOMEM);
}
@@ -6918,6 +5714,8 @@ again:
*/
gc = gc_create(sp, gcgrp, &gcgrp_xtraref);
if (gc == NULL) {
+ if (ipif != NULL)
+ ipif_refrele(ipif);
/* release reference held by gcgrp_lookup */
GCGRP_REFRELE(gcgrp);
ire_refrele(gw_ire);
@@ -6929,23 +5727,12 @@ again:
ire = ire_create(
(uchar_t *)&dst_addr, /* dest address */
(uchar_t *)&mask, /* mask */
- /* src address assigned by the caller? */
- (uchar_t *)(((src_addr != INADDR_ANY) &&
- (flags & RTF_SETSRC)) ? &src_addr : NULL),
(uchar_t *)&gw_addr, /* gateway address */
- &gw_ire->ire_max_frag,
- NULL, /* no src nce */
- NULL, /* no recv-from queue */
- NULL, /* no send-to queue */
(ushort_t)type, /* IRE type */
- ipif_arg,
- 0,
- 0,
- 0,
+ ill,
+ zoneid,
flags,
- &gw_ire->ire_uinfo, /* Inherit ULP info from gw */
gc, /* security attribute */
- NULL,
ipst);
/*
@@ -6958,26 +5745,51 @@ again:
if (ire == NULL) {
if (gc != NULL)
GC_REFRELE(gc);
+ if (ipif != NULL)
+ ipif_refrele(ipif);
ire_refrele(gw_ire);
return (ENOMEM);
}
+ /* Before we add, check if an extra CGTP broadcast is needed */
+ cgtp_broadcast = ((flags & RTF_MULTIRT) &&
+ ip_type_v4(ire->ire_addr, ipst) == IRE_BROADCAST);
+
+ /* src address assigned by the caller? */
+ if ((src_addr != INADDR_ANY) && (flags & RTF_SETSRC))
+ ire->ire_setsrc_addr = src_addr;
+
/*
* POLICY: should we allow an RTF_HOST with address INADDR_ANY?
* SUN/OS socket stuff does but do we really want to allow 0.0.0.0?
*/
/* Add the new IRE. */
- error = ire_add(&ire, q, mp, func, B_FALSE);
- if (error != 0) {
+ nire = ire_add(ire);
+ if (nire == NULL) {
/*
- * In the result of failure, ire_add() will have already
- * deleted the ire in question, so there is no need to
- * do that here.
+ * In the result of failure, ire_add() will have
+ * already deleted the ire in question, so there
+ * is no need to do that here.
*/
+ if (ipif != NULL)
+ ipif_refrele(ipif);
ire_refrele(gw_ire);
- return (error);
+ return (ENOMEM);
+ }
+ /*
+ * Check if it was a duplicate entry. This handles
+ * the case of two racing route adds for the same route
+ */
+ if (nire != ire) {
+ ire_delete(nire);
+ ire_refrele(nire);
+ if (ipif != NULL)
+ ipif_refrele(ipif);
+ ire_refrele(gw_ire);
+ return (EEXIST);
}
+ ire = nire;
if (flags & RTF_MULTIRT) {
/*
@@ -6990,45 +5802,47 @@ again:
* because an IP source address cannot be a broadcast
* or a multicast.
*/
- ire_t *ire_dst = ire_ctable_lookup(ire->ire_addr, 0,
- IRE_BROADCAST, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- if (ire_dst != NULL) {
- ip_cgtp_bcast_add(ire, ire_dst, ipst);
- ire_refrele(ire_dst);
+ if (cgtp_broadcast) {
+ ip_cgtp_bcast_add(ire, ipst);
goto save_ire;
}
if (ipst->ips_ip_cgtp_filter_ops != NULL &&
!CLASSD(ire->ire_addr)) {
- int res = ipst->ips_ip_cgtp_filter_ops->cfo_add_dest_v4(
- ipst->ips_netstack->netstack_stackid,
- ire->ire_addr,
- ire->ire_gateway_addr,
- ire->ire_src_addr,
- gw_ire->ire_src_addr);
+ int res;
+ ipif_t *src_ipif;
+
+ /* Find the source address corresponding to gw_ire */
+ src_ipif = ipif_lookup_addr(gw_ire->ire_gateway_addr,
+ NULL, zoneid, ipst);
+ if (src_ipif != NULL) {
+ res = ipst->ips_ip_cgtp_filter_ops->
+ cfo_add_dest_v4(
+ ipst->ips_netstack->netstack_stackid,
+ ire->ire_addr,
+ ire->ire_gateway_addr,
+ ire->ire_setsrc_addr,
+ src_ipif->ipif_lcl_addr);
+ ipif_refrele(src_ipif);
+ } else {
+ res = EADDRNOTAVAIL;
+ }
if (res != 0) {
+ if (ipif != NULL)
+ ipif_refrele(ipif);
ire_refrele(gw_ire);
ire_delete(ire);
+ ire_refrele(ire); /* Held in ire_add */
return (res);
}
}
}
- /*
- * Now that the prefix IRE entry has been created, delete any
- * existing gateway IRE cache entries as well as any IRE caches
- * using the gateway, and force them to be created through
- * ip_newroute.
- */
- if (gc != NULL) {
- ASSERT(gcgrp != NULL);
- ire_clookup_delete_cache_gw(gw_addr, ALL_ZONES, ipst);
- }
-
save_ire:
if (gw_ire != NULL) {
ire_refrele(gw_ire);
+ gw_ire = NULL;
}
- if (ipif != NULL) {
+ if (ill != NULL) {
/*
* Save enough information so that we can recreate the IRE if
* the interface goes down and then up. The metrics associated
@@ -7037,7 +5851,7 @@ save_ire:
* memory cannot be allocated, none of this information will be
* saved.
*/
- ipif_save_ire(ipif, ire);
+ ill_save_ire(ill, ire);
}
if (ioctl_msg)
ip_rts_rtmsg(RTM_OLDADD, ire, 0, ipst);
@@ -7052,27 +5866,23 @@ save_ire:
} else {
ire_refrele(ire); /* Held in ire_add */
}
- if (ipif_refheld)
+ if (ipif != NULL)
ipif_refrele(ipif);
return (0);
}
/*
* ip_rt_delete is called to delete an IPv4 route.
- * ipif_arg is passed in to associate it with the correct interface.
- * We may need to restart this operation if the ipif cannot be looked up
- * due to an exclusive operation that is currently in progress. The restart
- * entry point is specified by 'func'
+ * ill is passed in to associate it with the correct interface.
*/
/* ARGSUSED4 */
int
ip_rt_delete(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
- uint_t rtm_addrs, int flags, ipif_t *ipif_arg, boolean_t ioctl_msg,
- queue_t *q, mblk_t *mp, ipsq_func_t func, ip_stack_t *ipst)
+ uint_t rtm_addrs, int flags, ill_t *ill, boolean_t ioctl_msg,
+ ip_stack_t *ipst, zoneid_t zoneid)
{
ire_t *ire = NULL;
ipif_t *ipif;
- boolean_t ipif_refheld = B_FALSE;
uint_t type;
uint_t match_flags = MATCH_IRE_TYPE;
int err = 0;
@@ -7096,52 +5906,47 @@ ip_rt_delete(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
*
* This makes it possible to delete an original
* IRE_IF_NORESOLVER/IRE_IF_RESOLVER - consistent with SunOS 4.1.
+ * However, we have RTF_KERNEL set on the ones created by ipif_up
+ * and those can not be deleted here.
*
- * As the interface index specified with the RTA_IFP sockaddr is the
- * same for all ipif's off of an ill, the matching logic below uses
- * MATCH_IRE_ILL if such an index was specified. This means a route
- * sharing the same prefix and interface index as the the route
- * intended to be deleted might be deleted instead if a RTA_IFP sockaddr
- * is specified in the request.
- *
- * On the other hand, since the gateway address will usually be
- * different for each ipif on the system, the matching logic
- * uses MATCH_IRE_IPIF in the case of a traditional interface
- * route. This means that interface routes for the same prefix can be
- * uniquely identified if they belong to distinct ipif's and if a
- * RTA_IFP sockaddr is not present.
+ * We use MATCH_IRE_ILL if we know the interface. If the caller
+ * specified an interface (from the RTA_IFP sockaddr) we use it,
+ * otherwise we use the ill derived from the gateway address.
+ * We can always match the gateway address since we record it
+ * in ire_gateway_addr.
*
* For more detail on specifying routes by gateway address and by
* interface index, see the comments in ip_rt_add().
*/
- ipif = ipif_lookup_interface(gw_addr, dst_addr, q, mp, func, &err,
- ipst);
- if (ipif != NULL)
- ipif_refheld = B_TRUE;
- else if (err == EINPROGRESS)
- return (err);
- else
- err = 0;
+ ipif = ipif_lookup_interface(gw_addr, dst_addr, ipst);
if (ipif != NULL) {
- if (ipif_arg != NULL) {
- if (ipif_refheld) {
- ipif_refrele(ipif);
- ipif_refheld = B_FALSE;
- }
- ipif = ipif_arg;
- match_flags |= MATCH_IRE_ILL;
- } else {
- match_flags |= MATCH_IRE_IPIF;
- }
+ ill_t *ill_match;
+
+ if (ill != NULL)
+ ill_match = ill;
+ else
+ ill_match = ipif->ipif_ill;
+
+ match_flags |= MATCH_IRE_ILL;
if (ipif->ipif_ire_type == IRE_LOOPBACK) {
- ire = ire_ctable_lookup(dst_addr, 0, IRE_LOOPBACK, ipif,
- ALL_ZONES, NULL, match_flags, ipst);
+ ire = ire_ftable_lookup_v4(dst_addr, 0, 0, IRE_LOOPBACK,
+ ill_match, ALL_ZONES, NULL, match_flags, 0, ipst,
+ NULL);
}
if (ire == NULL) {
- ire = ire_ftable_lookup(dst_addr, mask, 0,
- IRE_INTERFACE, ipif, NULL, ALL_ZONES, 0, NULL,
- match_flags, ipst);
+ match_flags |= MATCH_IRE_GW;
+ ire = ire_ftable_lookup_v4(dst_addr, mask, gw_addr,
+ IRE_INTERFACE, ill_match, ALL_ZONES, NULL,
+ match_flags, 0, ipst, NULL);
}
+ /* Avoid deleting routes created by kernel from an ipif */
+ if (ire != NULL && (ire->ire_flags & RTF_KERNEL)) {
+ ire_refrele(ire);
+ ire = NULL;
+ }
+
+ /* Restore in case we didn't find a match */
+ match_flags &= ~(MATCH_IRE_GW|MATCH_IRE_ILL);
}
if (ire == NULL) {
@@ -7151,15 +5956,11 @@ ip_rt_delete(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
* set the IRE type to lookup based on whether
* this is a host route, a default route or just a prefix.
*
- * If an ipif_arg was passed in, then the lookup is based on an
+ * If an ill was passed in, then the lookup is based on an
* interface index so MATCH_IRE_ILL is added to match_flags.
- * In any case, MATCH_IRE_IPIF is cleared and MATCH_IRE_GW is
- * set as the route being looked up is not a traditional
- * interface route.
*/
- match_flags &= ~MATCH_IRE_IPIF;
match_flags |= MATCH_IRE_GW;
- if (ipif_arg != NULL)
+ if (ill != NULL)
match_flags |= MATCH_IRE_ILL;
if (mask == IP_HOST_MASK)
type = IRE_HOST;
@@ -7167,14 +5968,15 @@ ip_rt_delete(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
type = IRE_DEFAULT;
else
type = IRE_PREFIX;
- ire = ire_ftable_lookup(dst_addr, mask, gw_addr, type, ipif_arg,
- NULL, ALL_ZONES, 0, NULL, match_flags, ipst);
+ ire = ire_ftable_lookup_v4(dst_addr, mask, gw_addr, type, ill,
+ ALL_ZONES, NULL, match_flags, 0, ipst, NULL);
}
- if (ipif_refheld)
+ if (ipif != NULL) {
ipif_refrele(ipif);
+ ipif = NULL;
+ }
- /* ipif is not refheld anymore */
if (ire == NULL)
return (ESRCH);
@@ -7193,9 +5995,9 @@ ip_rt_delete(ipaddr_t dst_addr, ipaddr_t mask, ipaddr_t gw_addr,
ip_cgtp_bcast_delete(ire, ipst);
}
- ipif = ire->ire_ipif;
- if (ipif != NULL)
- ipif_remove_ire(ipif, ire);
+ ill = ire->ire_ill;
+ if (ill != NULL)
+ ill_remove_saved_ire(ill, ire);
if (ioctl_msg)
ip_rts_rtmsg(RTM_OLDDEL, ire, 0, ipst);
ire_delete(ire);
@@ -7249,7 +6051,7 @@ ip_siocaddrt(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
}
error = ip_rt_add(dst_addr, mask, gw_addr, 0, rt->rt_flags, NULL, NULL,
- B_TRUE, q, mp, ip_process_ioctl, NULL, ipst);
+ B_TRUE, NULL, ipst, ALL_ZONES);
if (ipif != NULL)
ipif_refrele(ipif);
return (error);
@@ -7301,8 +6103,8 @@ ip_siocdelrt(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
}
error = ip_rt_delete(dst_addr, mask, gw_addr,
- RTA_DST | RTA_GATEWAY | RTA_NETMASK, rt->rt_flags, NULL, B_TRUE, q,
- mp, ip_process_ioctl, ipst);
+ RTA_DST | RTA_GATEWAY | RTA_NETMASK, rt->rt_flags, NULL, B_TRUE,
+ ipst, ALL_ZONES);
if (ipif != NULL)
ipif_refrele(ipif);
return (error);
@@ -7655,7 +6457,8 @@ ipsq_dlpi_done(ipsq_t *ipsq)
if (phyi != NULL) {
ill = phyi->phyint_illv4;
if (ill != NULL &&
- ill->ill_dlpi_pending != DL_PRIM_INVAL)
+ (ill->ill_dlpi_pending != DL_PRIM_INVAL ||
+ ill->ill_arl_dlpi_pending))
return (B_FALSE);
ill = phyi->phyint_illv6;
@@ -7819,8 +6622,8 @@ ipsq_try_enter_internal(ill_t *ill, queue_t *q, mblk_t *mp, ipsq_func_t func,
/*
* The ipsq_t (ipsq) is the synchronization data structure used to serialize
- * certain critical operations like plumbing (i.e. most set ioctls), multicast
- * joins, igmp/mld timers, etc. There is one ipsq per phyint. The ipsq
+ * certain critical operations like plumbing (i.e. most set ioctls), etc.
+ * There is one ipsq per phyint. The ipsq
* serializes exclusive ioctls issued by applications on a per ipsq basis in
* ipsq_xopq_mphead. It also protects against multiple threads executing in
* the ipsq. Responses from the driver pertain to the current ioctl (say a
@@ -7838,7 +6641,7 @@ ipsq_try_enter_internal(ill_t *ill, queue_t *q, mblk_t *mp, ipsq_func_t func,
* proceeds to dequeue the next ioctl in ipsq_xopq_mphead and start the next
* ioctl if the current ioctl has completed. If the current ioctl is still
* in progress it simply returns. The current ioctl could be waiting for
- * a response from another module (arp or the driver or could be waiting for
+ * a response from another module (the driver or could be waiting for
* the ipif/ill/ire refcnts to drop to zero. In such a case the ipx_pending_mp
* and ipx_pending_ipif are set. ipx_current_ipif is set throughout the
* execution of the ioctl and ipsq_exit does not start the next ioctl unless
@@ -7959,6 +6762,38 @@ ipsq_exit(ipsq_t *ipsq)
}
/*
+ * Used to start any igmp or mld timers that could not be started
+ * while holding ill_mcast_lock. The timers can't be started while holding
+ * the lock, since mld/igmp_start_timers may need to call untimeout()
+ * which can't be done while holding the lock which the timeout handler
+ * acquires. Otherwise
+ * there could be a deadlock since the timeout handlers
+ * mld_timeout_handler_per_ill/igmp_timeout_handler_per_ill also acquire
+ * ill_mcast_lock.
+ */
+void
+ill_mcast_timer_start(ip_stack_t *ipst)
+{
+ int next;
+
+ mutex_enter(&ipst->ips_igmp_timer_lock);
+ next = ipst->ips_igmp_deferred_next;
+ ipst->ips_igmp_deferred_next = INFINITY;
+ mutex_exit(&ipst->ips_igmp_timer_lock);
+
+ if (next != INFINITY)
+ igmp_start_timers(next, ipst);
+
+ mutex_enter(&ipst->ips_mld_timer_lock);
+ next = ipst->ips_mld_deferred_next;
+ ipst->ips_mld_deferred_next = INFINITY;
+ mutex_exit(&ipst->ips_mld_timer_lock);
+
+ if (next != INFINITY)
+ mld_start_timers(next, ipst);
+}
+
+/*
* Start the current exclusive operation on `ipsq'; associate it with `ipif'
* and `ioccmd'.
*/
@@ -8101,7 +6936,6 @@ ipsq_flush(ill_t *ill)
mutex_exit(&ipx->ipx_lock);
(void) ipsq_pending_mp_cleanup(ill, NULL);
ipsq_xopq_mp_cleanup(ill, NULL);
- ill_pending_mp_cleanup(ill);
}
/*
@@ -8114,7 +6948,7 @@ ipsq_flush(ill_t *ill)
*/
int
ip_extract_lifreq(queue_t *q, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
- cmd_info_t *ci, ipsq_func_t func)
+ cmd_info_t *ci)
{
char *name;
struct ifreq *ifr;
@@ -8124,7 +6958,6 @@ ip_extract_lifreq(queue_t *q, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
conn_t *connp;
boolean_t isv6;
boolean_t exists;
- int err;
mblk_t *mp1;
zoneid_t zoneid;
ip_stack_t *ipst;
@@ -8138,7 +6971,7 @@ ip_extract_lifreq(queue_t *q, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
} else {
ill = NULL;
connp = Q_TO_CONN(q);
- isv6 = connp->conn_af_isv6;
+ isv6 = (connp->conn_family == AF_INET6);
zoneid = connp->conn_zoneid;
if (zoneid == GLOBAL_ZONEID) {
/* global zone can access ipifs in all zones */
@@ -8195,13 +7028,38 @@ ip_extract_lifreq(queue_t *q, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
ipif_refhold(ipif);
} else {
ipif = ipif_lookup_on_name(name, mi_strlen(name), B_FALSE,
- &exists, isv6, zoneid,
- (connp == NULL) ? q : CONNP_TO_WQ(connp), mp, func, &err,
- ipst);
- if (ipif == NULL) {
- if (err == EINPROGRESS)
- return (err);
- err = 0; /* Ensure we don't use it below */
+ &exists, isv6, zoneid, ipst);
+
+ /*
+ * Ensure that get ioctls don't see any internal state changes
+ * caused by set ioctls by deferring them if IPIF_CHANGING is
+ * set.
+ */
+ if (ipif != NULL && !(ipip->ipi_flags & IPI_WR) &&
+ !IAM_WRITER_IPIF(ipif)) {
+ ipsq_t *ipsq;
+
+ if (connp != NULL)
+ mutex_enter(&connp->conn_lock);
+ mutex_enter(&ipif->ipif_ill->ill_lock);
+ if (IPIF_IS_CHANGING(ipif) &&
+ !IPIF_IS_CONDEMNED(ipif)) {
+ ipsq = ipif->ipif_ill->ill_phyint->phyint_ipsq;
+ mutex_enter(&ipsq->ipsq_lock);
+ mutex_enter(&ipsq->ipsq_xop->ipx_lock);
+ mutex_exit(&ipif->ipif_ill->ill_lock);
+ ipsq_enq(ipsq, q, mp, ip_process_ioctl,
+ NEW_OP, ipif->ipif_ill);
+ mutex_exit(&ipsq->ipsq_xop->ipx_lock);
+ mutex_exit(&ipsq->ipsq_lock);
+ if (connp != NULL)
+ mutex_exit(&connp->conn_lock);
+ ipif_refrele(ipif);
+ return (EINPROGRESS);
+ }
+ mutex_exit(&ipif->ipif_ill->ill_lock);
+ if (connp != NULL)
+ mutex_exit(&connp->conn_lock);
}
}
@@ -8226,6 +7084,9 @@ ip_extract_lifreq(queue_t *q, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
if (ipif == NULL)
return (ENXIO);
+ DTRACE_PROBE4(ipif__ioctl, char *, "ip_extract_lifreq",
+ int, ipip->ipi_cmd, ill_t *, ipif->ipif_ill, ipif_t *, ipif);
+
ci->ci_ipif = ipif;
return (0);
}
@@ -8544,7 +7405,6 @@ ip_sioctl_get_lifsrcof(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q,
struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
uint_t ifindex;
zoneid_t zoneid;
- int err = 0;
boolean_t isv6 = B_FALSE;
struct sockaddr_in *sin;
struct sockaddr_in6 *sin6;
@@ -8571,13 +7431,12 @@ ip_sioctl_get_lifsrcof(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q,
return (EINVAL);
ifindex = STRUCT_FGET(lifs, lifs_ifindex);
- isv6 = (Q_TO_CONN(q))->conn_af_isv6;
- ipif = ipif_lookup_on_ifindex(ifindex, isv6, zoneid, q, mp,
- ip_process_ioctl, &err, ipst);
+ isv6 = (Q_TO_CONN(q))->conn_family == AF_INET6;
+ ipif = ipif_lookup_on_ifindex(ifindex, isv6, zoneid, ipst);
if (ipif == NULL) {
ip1dbg(("ip_sioctl_get_lifsrcof: no ipif for ifindex %d\n",
ifindex));
- return (err);
+ return (ENXIO);
}
/* Allocate a buffer to hold requested information */
@@ -8943,17 +7802,19 @@ ip_sioctl_dstinfo(queue_t *q, mblk_t *mp)
in6_addr_t *daddr, *saddr;
ipaddr_t v4daddr;
ire_t *ire;
+ ipaddr_t v4setsrc;
+ in6_addr_t v6setsrc;
char *slabel, *dlabel;
boolean_t isipv4;
int match_ire;
ill_t *dst_ill;
- ipif_t *src_ipif, *ire_ipif;
struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
- zoneid_t zoneid;
- ip_stack_t *ipst = CONNQ_TO_IPST(q);
+ conn_t *connp = Q_TO_CONN(q);
+ zoneid_t zoneid = IPCL_ZONEID(connp);
+ ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+ uint64_t ipif_flags;
ASSERT(q->q_next == NULL); /* this ioctl not allowed if ip is module */
- zoneid = Q_TO_CONN(q)->conn_zoneid;
/*
* This ioctl is I_STR only, and must have a
@@ -8976,7 +7837,7 @@ ip_sioctl_dstinfo(queue_t *q, mblk_t *mp)
data_mp = new_data_mp;
mp->b_cont = data_mp;
}
- match_ire = MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT | MATCH_IRE_PARENT;
+ match_ire = MATCH_IRE_DSTONLY;
for (cur = data_mp->b_rptr, end = data_mp->b_wptr;
end - cur >= sizeof (struct dstinforeq);
@@ -8987,8 +7848,8 @@ ip_sioctl_dstinfo(queue_t *q, mblk_t *mp)
/*
* ip_addr_scope_v6() and ip6_asp_lookup() handle
- * v4 mapped addresses; ire_ftable_lookup[_v6]()
- * and ipif_select_source[_v6]() do not.
+ * v4 mapped addresses; ire_ftable_lookup_v6()
+ * and ip_select_source_v6() do not.
*/
dir->dir_dscope = ip_addr_scope_v6(daddr);
dlabel = ip6_asp_lookup(daddr, &dir->dir_precedence, ipst);
@@ -8996,13 +7857,19 @@ ip_sioctl_dstinfo(queue_t *q, mblk_t *mp)
isipv4 = IN6_IS_ADDR_V4MAPPED(daddr);
if (isipv4) {
IN6_V4MAPPED_TO_IPADDR(daddr, v4daddr);
- ire = ire_ftable_lookup(v4daddr, NULL, NULL,
- 0, NULL, NULL, zoneid, 0, NULL, match_ire, ipst);
+ v4setsrc = INADDR_ANY;
+ ire = ire_route_recursive_v4(v4daddr, 0, NULL, zoneid,
+ NULL, match_ire, B_TRUE, 0, ipst, &v4setsrc, NULL,
+ NULL);
} else {
- ire = ire_ftable_lookup_v6(daddr, NULL, NULL,
- 0, NULL, NULL, zoneid, 0, NULL, match_ire, ipst);
+ v6setsrc = ipv6_all_zeros;
+ ire = ire_route_recursive_v6(daddr, 0, NULL, zoneid,
+ NULL, match_ire, B_TRUE, 0, ipst, &v6setsrc, NULL,
+ NULL);
}
- if (ire == NULL) {
+ ASSERT(ire != NULL);
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ ire_refrele(ire);
dir->dir_dreachable = 0;
/* move on to next dst addr */
@@ -9010,36 +7877,40 @@ ip_sioctl_dstinfo(queue_t *q, mblk_t *mp)
}
dir->dir_dreachable = 1;
- ire_ipif = ire->ire_ipif;
- if (ire_ipif == NULL)
- goto next_dst;
+ dst_ill = ire_nexthop_ill(ire);
+ if (dst_ill == NULL) {
+ ire_refrele(ire);
+ continue;
+ }
- /*
- * We expect to get back an interface ire or a
- * gateway ire cache entry. For both types, the
- * output interface is ire_ipif->ipif_ill.
- */
- dst_ill = ire_ipif->ipif_ill;
+ /* With ipmp we most likely look at the ipmp ill here */
dir->dir_dmactype = dst_ill->ill_mactype;
if (isipv4) {
- src_ipif = ipif_select_source(dst_ill, v4daddr, zoneid);
+ ipaddr_t v4saddr;
+
+ if (ip_select_source_v4(dst_ill, v4setsrc, v4daddr,
+ connp->conn_ixa->ixa_multicast_ifaddr, zoneid, ipst,
+ &v4saddr, NULL, &ipif_flags) != 0) {
+ v4saddr = INADDR_ANY;
+ ipif_flags = 0;
+ }
+ IN6_IPADDR_TO_V4MAPPED(v4saddr, saddr);
} else {
- src_ipif = ipif_select_source_v6(dst_ill,
- daddr, B_FALSE, IPV6_PREFER_SRC_DEFAULT, zoneid);
+ if (ip_select_source_v6(dst_ill, &v6setsrc, daddr,
+ zoneid, ipst, B_FALSE, IPV6_PREFER_SRC_DEFAULT,
+ saddr, NULL, &ipif_flags) != 0) {
+ *saddr = ipv6_all_zeros;
+ ipif_flags = 0;
+ }
}
- if (src_ipif == NULL)
- goto next_dst;
- *saddr = src_ipif->ipif_v6lcl_addr;
dir->dir_sscope = ip_addr_scope_v6(saddr);
slabel = ip6_asp_lookup(saddr, NULL, ipst);
dir->dir_labelmatch = ip6_asp_labelcmp(dlabel, slabel);
- dir->dir_sdeprecated =
- (src_ipif->ipif_flags & IPIF_DEPRECATED) ? 1 : 0;
- ipif_refrele(src_ipif);
-next_dst:
+ dir->dir_sdeprecated = (ipif_flags & IPIF_DEPRECATED) ? 1 : 0;
ire_refrele(ire);
+ ill_refrele(dst_ill);
}
miocack(q, mp, iocp->ioc_count, 0);
}
@@ -9088,16 +7959,16 @@ ip_sioctl_tmyaddr(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
IN6_V4MAPPED_TO_IPADDR(&sin6->sin6_addr,
v4_addr);
- ire = ire_ctable_lookup(v4_addr, 0,
- IRE_LOCAL|IRE_LOOPBACK, NULL, zoneid,
- NULL, MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, ipst);
+ ire = ire_ftable_lookup_v4(v4_addr, 0, 0,
+ IRE_LOCAL|IRE_LOOPBACK, NULL, zoneid, NULL,
+ MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, 0, ipst, NULL);
} else {
in6_addr_t v6addr;
v6addr = sin6->sin6_addr;
- ire = ire_ctable_lookup_v6(&v6addr, 0,
- IRE_LOCAL|IRE_LOOPBACK, NULL, zoneid,
- NULL, MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, ipst);
+ ire = ire_ftable_lookup_v6(&v6addr, 0, 0,
+ IRE_LOCAL|IRE_LOOPBACK, NULL, zoneid, NULL,
+ MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, 0, ipst, NULL);
}
break;
}
@@ -9105,9 +7976,9 @@ ip_sioctl_tmyaddr(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
ipaddr_t v4addr;
v4addr = sin->sin_addr.s_addr;
- ire = ire_ctable_lookup(v4addr, 0,
+ ire = ire_ftable_lookup_v4(v4addr, 0, 0,
IRE_LOCAL|IRE_LOOPBACK, NULL, zoneid,
- NULL, MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, ipst);
+ NULL, MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY, 0, ipst, NULL);
break;
}
default:
@@ -9160,9 +8031,8 @@ ip_sioctl_tonlink(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
sin = (sin_t *)&sia->sa_addr;
/*
- * Match addresses with a zero gateway field to avoid
- * routes going through a router.
- * Exclude broadcast and multicast addresses.
+ * We check for IRE_ONLINK and exclude IRE_BROADCAST|IRE_MULTICAST
+ * to make sure we only look at on-link unicast address.
*/
switch (sin->sin_family) {
case AF_INET6: {
@@ -9174,20 +8044,18 @@ ip_sioctl_tonlink(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
IN6_V4MAPPED_TO_IPADDR(&sin6->sin6_addr,
v4_addr);
if (!CLASSD(v4_addr)) {
- ire = ire_route_lookup(v4_addr, 0, 0, 0,
- NULL, NULL, zoneid, NULL,
- MATCH_IRE_GW, ipst);
+ ire = ire_ftable_lookup_v4(v4_addr, 0, 0, 0,
+ NULL, zoneid, NULL, MATCH_IRE_DSTONLY,
+ 0, ipst, NULL);
}
} else {
in6_addr_t v6addr;
- in6_addr_t v6gw;
v6addr = sin6->sin6_addr;
- v6gw = ipv6_all_zeros;
if (!IN6_IS_ADDR_MULTICAST(&v6addr)) {
- ire = ire_route_lookup_v6(&v6addr, 0,
- &v6gw, 0, NULL, NULL, zoneid,
- NULL, MATCH_IRE_GW, ipst);
+ ire = ire_ftable_lookup_v6(&v6addr, 0, 0, 0,
+ NULL, zoneid, NULL, MATCH_IRE_DSTONLY, 0,
+ ipst, NULL);
}
}
break;
@@ -9197,9 +8065,8 @@ ip_sioctl_tonlink(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
v4addr = sin->sin_addr.s_addr;
if (!CLASSD(v4addr)) {
- ire = ire_route_lookup(v4addr, 0, 0, 0,
- NULL, NULL, zoneid, NULL,
- MATCH_IRE_GW, ipst);
+ ire = ire_ftable_lookup_v4(v4addr, 0, 0, 0, NULL,
+ zoneid, NULL, MATCH_IRE_DSTONLY, 0, ipst, NULL);
}
break;
}
@@ -9208,10 +8075,11 @@ ip_sioctl_tonlink(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
}
sia->sa_res = 0;
if (ire != NULL) {
- if (ire->ire_type & (IRE_INTERFACE|IRE_CACHE|
- IRE_LOCAL|IRE_LOOPBACK)) {
+ ASSERT(!(ire->ire_type & IRE_MULTICAST));
+
+ if ((ire->ire_type & IRE_ONLINK) &&
+ !(ire->ire_type & IRE_BROADCAST))
sia->sa_res = 1;
- }
ire_refrele(ire);
}
return (0);
@@ -9228,54 +8096,40 @@ ip_sioctl_tmysite(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
return (ENXIO);
}
-/*
- * ARP IOCTLs.
- * How does IP get in the business of fronting ARP configuration/queries?
- * Well it's like this, the Berkeley ARP IOCTLs (SIOCGARP, SIOCDARP, SIOCSARP)
- * are by tradition passed in through a datagram socket. That lands in IP.
- * As it happens, this is just as well since the interface is quite crude in
- * that it passes in no information about protocol or hardware types, or
- * interface association. After making the protocol assumption, IP is in
- * the position to look up the name of the ILL, which ARP will need, and
- * format a request that can be handled by ARP. The request is passed up
- * stream to ARP, and the original IOCTL is completed by IP when ARP passes
- * back a response. ARP supports its own set of more general IOCTLs, in
- * case anyone is interested.
- */
+/* ARP IOCTLs. */
/* ARGSUSED */
int
ip_sioctl_arp(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
{
- mblk_t *mp1;
- mblk_t *mp2;
- mblk_t *pending_mp;
- ipaddr_t ipaddr;
- area_t *area;
- struct iocblk *iocp;
- conn_t *connp;
- struct arpreq *ar;
- struct xarpreq *xar;
- int flags, alength;
- uchar_t *lladdr;
- ire_t *ire;
- ip_stack_t *ipst;
- ill_t *ill = ipif->ipif_ill;
- ill_t *proxy_ill = NULL;
- ipmp_arpent_t *entp = NULL;
- boolean_t if_arp_ioctl = B_FALSE;
- boolean_t proxyarp = B_FALSE;
+ int err;
+ ipaddr_t ipaddr;
+ struct iocblk *iocp;
+ conn_t *connp;
+ struct arpreq *ar;
+ struct xarpreq *xar;
+ int arp_flags, flags, alength;
+ uchar_t *lladdr;
+ ip_stack_t *ipst;
+ ill_t *ill = ipif->ipif_ill;
+ ill_t *proxy_ill = NULL;
+ ipmp_arpent_t *entp = NULL;
+ boolean_t proxyarp = B_FALSE;
+ boolean_t if_arp_ioctl = B_FALSE;
+ ncec_t *ncec = NULL;
+ nce_t *nce;
ASSERT(!(q->q_flag & QREADR) && q->q_next == NULL);
connp = Q_TO_CONN(q);
ipst = connp->conn_netstack->netstack_ip;
+ iocp = (struct iocblk *)mp->b_rptr;
if (ipip->ipi_cmd_type == XARP_CMD) {
/* We have a chain - M_IOCTL-->MI_COPY_MBLK-->XARPREQ_MBLK */
xar = (struct xarpreq *)mp->b_cont->b_cont->b_rptr;
ar = NULL;
- flags = xar->xarp_flags;
+ arp_flags = xar->xarp_flags;
lladdr = (uchar_t *)LLADDR(&xar->xarp_ha);
if_arp_ioctl = (xar->xarp_ha.sdl_nlen != 0);
/*
@@ -9294,7 +8148,7 @@ ip_sioctl_arp(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ar = (struct arpreq *)mp->b_cont->b_cont->b_rptr;
xar = NULL;
- flags = ar->arp_flags;
+ arp_flags = ar->arp_flags;
lladdr = (uchar_t *)ar->arp_ha.sa_data;
/*
* Theoretically, the sa_family could tell us what link
@@ -9315,7 +8169,14 @@ ip_sioctl_arp(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
}
}
- ipaddr = sin->sin_addr.s_addr;
+ /* Translate ATF* flags to NCE* flags */
+ flags = 0;
+ if (arp_flags & ATF_AUTHORITY)
+ flags |= NCE_F_AUTHORITY;
+ if (arp_flags & ATF_PERM)
+ flags |= NCE_F_NONUD; /* not subject to aging */
+ if (arp_flags & ATF_PUBL)
+ flags |= NCE_F_PUBLISH;
/*
* IPMP ARP special handling:
@@ -9349,171 +8210,120 @@ ip_sioctl_arp(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
lladdr = proxy_ill->ill_phys_addr;
}
/* FALLTHRU */
- case SIOCDARP:
- case SIOCDXARP:
- ire = ire_ctable_lookup(ipaddr, 0, IRE_LOCAL, NULL,
- ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- if (ire != NULL) {
- ire_refrele(ire);
- return (EPERM);
- }
}
}
+ ipaddr = sin->sin_addr.s_addr;
/*
- * We are going to pass up to ARP a packet chain that looks
- * like:
- *
- * M_IOCTL-->ARP_op_MBLK-->ORIG_M_IOCTL-->MI_COPY_MBLK-->[X]ARPREQ_MBLK
- *
- * Get a copy of the original IOCTL mblk to head the chain,
- * to be sent up (in mp1). Also get another copy to store
- * in the ill_pending_mp list, for matching the response
- * when it comes back from ARP.
- */
- mp1 = copyb(mp);
- pending_mp = copymsg(mp);
- if (mp1 == NULL || pending_mp == NULL) {
- if (mp1 != NULL)
- freeb(mp1);
- if (pending_mp != NULL)
- inet_freemsg(pending_mp);
- return (ENOMEM);
- }
-
- mp2 = ill_arp_alloc(ill, (uchar_t *)&ip_area_template,
- (caddr_t)&ipaddr);
- if (mp2 == NULL) {
- freeb(mp1);
- inet_freemsg(pending_mp);
- return (ENOMEM);
- }
- /* Put together the chain. */
- mp1->b_cont = mp2;
- mp1->b_datap->db_type = M_IOCTL;
- mp2->b_cont = mp;
- mp2->b_datap->db_type = M_DATA;
-
- iocp = (struct iocblk *)mp1->b_rptr;
-
- /*
- * An M_IOCDATA's payload (struct copyresp) is mostly the same as an
- * M_IOCTL's payload (struct iocblk), but 'struct copyresp' has a
- * cp_private field (or cp_rval on 32-bit systems) in place of the
- * ioc_count field; set ioc_count to be correct.
+ * don't match across illgrp per case (1) and (2).
+ * XXX use IS_IPMP(ill) like ndp_sioc_update?
*/
- iocp->ioc_count = MBLKL(mp1->b_cont);
+ nce = nce_lookup_v4(ill, &ipaddr);
+ if (nce != NULL)
+ ncec = nce->nce_common;
- /*
- * Set the proper command in the ARP message.
- * Convert the SIOC{G|S|D}ARP calls into our
- * AR_ENTRY_xxx calls.
- */
- area = (area_t *)mp2->b_rptr;
switch (iocp->ioc_cmd) {
case SIOCDARP:
- case SIOCDXARP:
+ case SIOCDXARP: {
/*
- * We defer deleting the corresponding IRE until
- * we return from arp.
+ * Delete the NCE if any.
+ */
+ if (ncec == NULL) {
+ iocp->ioc_error = ENXIO;
+ break;
+ }
+ /* Don't allow changes to arp mappings of local addresses. */
+ if (NCE_MYADDR(ncec)) {
+ nce_refrele(nce);
+ return (ENOTSUP);
+ }
+ iocp->ioc_error = 0;
+
+ /*
+ * Delete the nce_common which has ncec_ill set to ipmp_ill.
+ * This will delete all the nce entries on the under_ills.
+ */
+ ncec_delete(ncec);
+ /*
+ * Once the NCE has been deleted, then the ire_dep* consistency
+ * mechanism will find any IRE which depended on the now
+ * condemned NCE (as part of sending packets).
+ * That mechanism handles redirects by deleting redirects
+ * that refer to UNREACHABLE nces.
*/
- area->area_cmd = AR_ENTRY_DELETE;
- area->area_proto_mask_offset = 0;
break;
+ }
case SIOCGARP:
case SIOCGXARP:
- area->area_cmd = AR_ENTRY_SQUERY;
- area->area_proto_mask_offset = 0;
+ if (ncec != NULL) {
+ lladdr = ncec->ncec_lladdr;
+ flags = ncec->ncec_flags;
+ iocp->ioc_error = 0;
+ ip_sioctl_garp_reply(mp, ncec->ncec_ill, lladdr, flags);
+ } else {
+ iocp->ioc_error = ENXIO;
+ }
break;
case SIOCSARP:
case SIOCSXARP:
- /*
- * Delete the corresponding ire to make sure IP will
- * pick up any change from arp.
- */
+ /* Don't allow changes to arp mappings of local addresses. */
+ if (ncec != NULL && NCE_MYADDR(ncec)) {
+ nce_refrele(nce);
+ return (ENOTSUP);
+ }
+
+ /* static arp entries will undergo NUD if ATF_PERM is not set */
+ flags |= NCE_F_STATIC;
if (!if_arp_ioctl) {
- (void) ip_ire_clookup_and_delete(ipaddr, NULL, ipst);
+ ip_nce_lookup_and_update(&ipaddr, NULL, ipst,
+ lladdr, alength, flags);
} else {
ipif_t *ipif = ipif_get_next_ipif(NULL, ill);
if (ipif != NULL) {
- (void) ip_ire_clookup_and_delete(ipaddr, ipif,
- ipst);
+ ip_nce_lookup_and_update(&ipaddr, ipif, ipst,
+ lladdr, alength, flags);
ipif_refrele(ipif);
}
}
- break;
- }
- iocp->ioc_cmd = area->area_cmd;
-
- /*
- * Fill in the rest of the ARP operation fields.
- */
- area->area_hw_addr_length = alength;
- bcopy(lladdr, (char *)area + area->area_hw_addr_offset, alength);
-
- /* Translate the flags. */
- if (flags & ATF_PERM)
- area->area_flags |= ACE_F_PERMANENT;
- if (flags & ATF_PUBL)
- area->area_flags |= ACE_F_PUBLISH;
- if (flags & ATF_AUTHORITY)
- area->area_flags |= ACE_F_AUTHORITY;
-
- /*
- * If this is a permanent AR_ENTRY_ADD on the IPMP interface, track it
- * so that IP can update ARP as the active ills in the group change.
- */
- if (IS_IPMP(ill) && area->area_cmd == AR_ENTRY_ADD &&
- (area->area_flags & ACE_F_PERMANENT)) {
- entp = ipmp_illgrp_create_arpent(ill->ill_grp, mp2, proxyarp);
-
+ if (nce != NULL) {
+ nce_refrele(nce);
+ nce = NULL;
+ }
/*
- * The second part of the conditional below handles a corner
- * case: if this is proxy ARP and the IPMP group has no active
- * interfaces, we can't send the request to ARP now since it
- * won't be able to build an ACE. So we return success and
- * notify ARP about the proxy ARP entry once an interface
- * becomes active.
+ * NCE_F_STATIC entries will be added in state ND_REACHABLE
+ * by nce_add_common()
*/
- if (entp == NULL || (proxyarp && proxy_ill == NULL)) {
- mp2->b_cont = NULL;
- inet_freemsg(mp1);
- inet_freemsg(pending_mp);
- return (entp == NULL ? ENOMEM : 0);
+ err = nce_lookup_then_add_v4(ill, lladdr,
+ ill->ill_phys_addr_length, &ipaddr, flags, ND_UNCHANGED,
+ &nce);
+ if (err == EEXIST) {
+ ncec = nce->nce_common;
+ mutex_enter(&ncec->ncec_lock);
+ ncec->ncec_state = ND_REACHABLE;
+ ncec->ncec_flags = flags;
+ nce_update(ncec, ND_UNCHANGED, lladdr);
+ mutex_exit(&ncec->ncec_lock);
+ err = 0;
+ }
+ if (nce != NULL) {
+ nce_refrele(nce);
+ nce = NULL;
+ }
+ if (IS_IPMP(ill) && err == 0) {
+ entp = ipmp_illgrp_create_arpent(ill->ill_grp,
+ proxyarp, ipaddr, lladdr, ill->ill_phys_addr_length,
+ flags);
+ if (entp == NULL || (proxyarp && proxy_ill == NULL)) {
+ iocp->ioc_error = (entp == NULL ? ENOMEM : 0);
+ break;
+ }
}
+ iocp->ioc_error = err;
}
- /*
- * Before sending 'mp' to ARP, we have to clear the b_next
- * and b_prev. Otherwise if STREAMS encounters such a message
- * in freemsg(), (because ARP can close any time) it can cause
- * a panic. But mi code needs the b_next and b_prev values of
- * mp->b_cont, to complete the ioctl. So we store it here
- * in pending_mp->bcont, and restore it in ip_sioctl_iocack()
- * when the response comes down from ARP.
- */
- pending_mp->b_cont->b_next = mp->b_cont->b_next;
- pending_mp->b_cont->b_prev = mp->b_cont->b_prev;
- mp->b_cont->b_next = NULL;
- mp->b_cont->b_prev = NULL;
-
- mutex_enter(&connp->conn_lock);
- mutex_enter(&ill->ill_lock);
- /* conn has not yet started closing, hence this can't fail */
- if (ipip->ipi_flags & IPI_WR) {
- VERIFY(ipsq_pending_mp_add(connp, ipif, CONNP_TO_WQ(connp),
- pending_mp, 0) != 0);
- } else {
- VERIFY(ill_pending_mp_add(ill, connp, pending_mp) != 0);
+ if (nce != NULL) {
+ nce_refrele(nce);
}
- mutex_exit(&ill->ill_lock);
- mutex_exit(&connp->conn_lock);
-
- /*
- * Up to ARP it goes. The response will come back in ip_wput() as an
- * M_IOCACK, and will be handed to ip_sioctl_iocack() for completion.
- */
- putnext(ill->ill_rq, mp1);
/*
* If we created an IPMP ARP entry, mark that we've notified ARP.
@@ -9521,7 +8331,7 @@ ip_sioctl_arp(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
if (entp != NULL)
ipmp_illgrp_mark_arpent(ill->ill_grp, entp);
- return (EINPROGRESS);
+ return (iocp->ioc_error);
}
/*
@@ -9530,10 +8340,9 @@ ip_sioctl_arp(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
*/
int
ip_extract_arpreq(queue_t *q, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
- cmd_info_t *ci, ipsq_func_t func)
+ cmd_info_t *ci)
{
mblk_t *mp1;
- int err;
sin_t *sin;
conn_t *connp;
ipif_t *ipif;
@@ -9548,7 +8357,7 @@ ip_extract_arpreq(queue_t *q, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
/* ioctl comes down on a conn */
ASSERT(!(q->q_flag & QREADR) && q->q_next == NULL);
connp = Q_TO_CONN(q);
- if (connp->conn_af_isv6)
+ if (connp->conn_family == AF_INET6)
return (ENXIO);
ipst = connp->conn_netstack->netstack_ip;
@@ -9575,10 +8384,9 @@ ip_extract_arpreq(queue_t *q, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
if (ipip->ipi_cmd_type == XARP_CMD && sdl->sdl_nlen != 0) {
ipif = ipif_lookup_on_name(sdl->sdl_data, sdl->sdl_nlen,
- B_FALSE, &exists, B_FALSE, ALL_ZONES, CONNP_TO_WQ(connp),
- mp, func, &err, ipst);
+ B_FALSE, &exists, B_FALSE, ALL_ZONES, ipst);
if (ipif == NULL)
- return (err);
+ return (ENXIO);
if (ipif->ipif_id != 0) {
ipif_refrele(ipif);
return (ENXIO);
@@ -9591,23 +8399,24 @@ ip_extract_arpreq(queue_t *q, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
* find the wrong ill, so we first do an ipif_lookup_addr().
*/
ipif = ipif_lookup_addr(sin->sin_addr.s_addr, NULL, ALL_ZONES,
- CONNP_TO_WQ(connp), mp, func, &err, ipst);
+ ipst);
if (ipif == NULL) {
- ire = ire_ftable_lookup(sin->sin_addr.s_addr, 0, 0,
- IRE_IF_RESOLVER, NULL, NULL, ALL_ZONES, 0, NULL,
- MATCH_IRE_TYPE, ipst);
- if (ire == NULL || ((ill = ire_to_ill(ire)) == NULL)) {
+ ire = ire_ftable_lookup_v4(sin->sin_addr.s_addr,
+ 0, 0, IRE_IF_RESOLVER, NULL, ALL_ZONES,
+ NULL, MATCH_IRE_TYPE, 0, ipst, NULL);
+ if (ire == NULL || ((ill = ire->ire_ill) == NULL)) {
if (ire != NULL)
ire_refrele(ire);
return (ENXIO);
}
+ ASSERT(ire != NULL && ill != NULL);
ipif = ill->ill_ipif;
ipif_refhold(ipif);
ire_refrele(ire);
}
}
- if (ipif->ipif_net_type != IRE_IF_RESOLVER) {
+ if (ipif->ipif_ill->ill_net_type != IRE_IF_RESOLVER) {
ipif_refrele(ipif);
return (ENXIO);
}
@@ -9700,123 +8509,20 @@ ip_sioctl_plink_ipmp(ill_t *ill, int ioccmd)
void
ip_sioctl_plink(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
{
- mblk_t *mp1, *mp2;
+ mblk_t *mp1;
struct linkblk *li;
- struct ipmx_s *ipmxp;
- ill_t *ill;
int ioccmd = ((struct iocblk *)mp->b_rptr)->ioc_cmd;
int err = 0;
- boolean_t entered_ipsq = B_FALSE;
- boolean_t islink;
- ip_stack_t *ipst;
-
- if (CONN_Q(q))
- ipst = CONNQ_TO_IPST(q);
- else
- ipst = ILLQ_TO_IPST(q);
ASSERT(ioccmd == I_PLINK || ioccmd == I_PUNLINK ||
ioccmd == I_LINK || ioccmd == I_UNLINK);
- islink = (ioccmd == I_PLINK || ioccmd == I_LINK);
-
mp1 = mp->b_cont; /* This is the linkblk info */
li = (struct linkblk *)mp1->b_rptr;
- /*
- * ARP has added this special mblk, and the utility is asking us
- * to perform consistency checks, and also atomically set the
- * muxid. Ifconfig is an example. It achieves this by using
- * /dev/arp as the mux to plink the arp stream, and pushes arp on
- * to /dev/udp[6] stream for use as the mux when plinking the IP
- * stream. SIOCSLIFMUXID is not required. See ifconfig.c, arp.c
- * and other comments in this routine for more details.
- */
- mp2 = mp1->b_cont; /* This is added by ARP */
-
- /*
- * If I_{P}LINK/I_{P}UNLINK is issued by a utility other than
- * ifconfig which didn't push ARP on top of the dummy mux, we won't
- * get the special mblk above. For backward compatibility, we
- * request ip_sioctl_plink_ipmod() to skip the consistency checks.
- * The utility will use SIOCSLIFMUXID to store the muxids. This is
- * not atomic, and can leave the streams unplumbable if the utility
- * is interrupted before it does the SIOCSLIFMUXID.
- */
- if (mp2 == NULL) {
- err = ip_sioctl_plink_ipmod(ipsq, q, mp, ioccmd, li, B_FALSE);
- if (err == EINPROGRESS)
- return;
- goto done;
- }
-
- /*
- * This is an I_{P}LINK sent down by ifconfig through the ARP module;
- * ARP has appended this last mblk to tell us whether the lower stream
- * is an arp-dev stream or an IP module stream.
- */
- ipmxp = (struct ipmx_s *)mp2->b_rptr;
- if (ipmxp->ipmx_arpdev_stream) {
- /*
- * The lower stream is the arp-dev stream.
- */
- ill = ill_lookup_on_name(ipmxp->ipmx_name, B_FALSE, B_FALSE,
- q, mp, ip_sioctl_plink, &err, NULL, ipst);
- if (ill == NULL) {
- if (err == EINPROGRESS)
- return;
- err = EINVAL;
- goto done;
- }
-
- if (ipsq == NULL) {
- ipsq = ipsq_try_enter(NULL, ill, q, mp, ip_sioctl_plink,
- NEW_OP, B_FALSE);
- if (ipsq == NULL) {
- ill_refrele(ill);
- return;
- }
- entered_ipsq = B_TRUE;
- }
- ASSERT(IAM_WRITER_ILL(ill));
- ill_refrele(ill);
-
- /*
- * To ensure consistency between IP and ARP, the following
- * LIFO scheme is used in plink/punlink. (IP first, ARP last).
- * This is because the muxid's are stored in the IP stream on
- * the ill.
- *
- * I_{P}LINK: ifconfig plinks the IP stream before plinking
- * the ARP stream. On an arp-dev stream, IP checks that it is
- * not yet plinked, and it also checks that the corresponding
- * IP stream is already plinked.
- *
- * I_{P}UNLINK: ifconfig punlinks the ARP stream before
- * punlinking the IP stream. IP does not allow punlink of the
- * IP stream unless the arp stream has been punlinked.
- */
- if ((islink &&
- (ill->ill_arp_muxid != 0 || ill->ill_ip_muxid == 0)) ||
- (!islink && ill->ill_arp_muxid != li->l_index)) {
- err = EINVAL;
- goto done;
- }
-
- if (IS_IPMP(ill) &&
- (err = ip_sioctl_plink_ipmp(ill, ioccmd)) != 0)
- goto done;
-
- ill->ill_arp_muxid = islink ? li->l_index : 0;
- } else {
- /*
- * The lower stream is probably an IP module stream. Do
- * consistency checking.
- */
- err = ip_sioctl_plink_ipmod(ipsq, q, mp, ioccmd, li, B_TRUE);
- if (err == EINPROGRESS)
- return;
- }
+ err = ip_sioctl_plink_ipmod(ipsq, q, mp, ioccmd, li);
+ if (err == EINPROGRESS)
+ return;
done:
if (err == 0)
miocack(q, mp, 0, 0);
@@ -9826,21 +8532,19 @@ done:
/* Conn was refheld in ip_sioctl_copyin_setup */
if (CONN_Q(q))
CONN_OPER_PENDING_DONE(Q_TO_CONN(q));
- if (entered_ipsq)
- ipsq_exit(ipsq);
}
/*
* Process I_{P}LINK and I_{P}UNLINK requests named by `ioccmd' and pointed to
* by `mp' and `li' for the IP module stream (if li->q_bot is in fact an IP
* module stream). If `doconsist' is set, then do the extended consistency
- * checks requested by ifconfig(1M) and (atomically) set ill_ip_muxid here.
+ * checks requested by ifconfig(1M) and (atomically) set ill_muxid here.
* Returns zero on success, EINPROGRESS if the operation is still pending, or
* an error code on failure.
*/
static int
ip_sioctl_plink_ipmod(ipsq_t *ipsq, queue_t *q, mblk_t *mp, int ioccmd,
- struct linkblk *li, boolean_t doconsist)
+ struct linkblk *li)
{
int err = 0;
ill_t *ill;
@@ -9849,6 +8553,8 @@ ip_sioctl_plink_ipmod(ipsq_t *ipsq, queue_t *q, mblk_t *mp, int ioccmd,
struct qinit *qinfo;
boolean_t islink = (ioccmd == I_PLINK || ioccmd == I_LINK);
boolean_t entered_ipsq = B_FALSE;
+ boolean_t is_ip = B_FALSE;
+ arl_t *arl;
/*
* Walk the lower stream to verify it's the IP module stream.
@@ -9861,6 +8567,11 @@ ip_sioctl_plink_ipmod(ipsq_t *ipsq, queue_t *q, mblk_t *mp, int ioccmd,
name = qinfo->qi_minfo->mi_idname;
if (name != NULL && strcmp(name, ip_mod_info.mi_idname) == 0 &&
qinfo->qi_putp != (pfi_t)ip_lwput && ipwq->q_next != NULL) {
+ is_ip = B_TRUE;
+ break;
+ }
+ if (name != NULL && strcmp(name, arp_mod_info.mi_idname) == 0 &&
+ qinfo->qi_putp != (pfi_t)ip_lwput && ipwq->q_next != NULL) {
break;
}
}
@@ -9871,30 +8582,46 @@ ip_sioctl_plink_ipmod(ipsq_t *ipsq, queue_t *q, mblk_t *mp, int ioccmd,
if (ipwq == NULL)
return (0);
- ill = ipwq->q_ptr;
+ if (!is_ip) {
+ arl = (arl_t *)ipwq->q_ptr;
+ ill = arl_to_ill(arl);
+ if (ill == NULL)
+ return (0);
+ } else {
+ ill = ipwq->q_ptr;
+ }
ASSERT(ill != NULL);
if (ipsq == NULL) {
ipsq = ipsq_try_enter(NULL, ill, q, mp, ip_sioctl_plink,
NEW_OP, B_FALSE);
- if (ipsq == NULL)
+ if (ipsq == NULL) {
+ if (!is_ip)
+ ill_refrele(ill);
return (EINPROGRESS);
+ }
entered_ipsq = B_TRUE;
}
ASSERT(IAM_WRITER_ILL(ill));
-
- if (doconsist) {
- /*
- * Consistency checking requires that I_{P}LINK occurs
- * prior to setting ill_ip_muxid, and that I_{P}UNLINK
- * occurs prior to clearing ill_arp_muxid.
- */
- if ((islink && ill->ill_ip_muxid != 0) ||
- (!islink && ill->ill_arp_muxid != 0)) {
- err = EINVAL;
- goto done;
+ mutex_enter(&ill->ill_lock);
+ if (!is_ip) {
+ if (islink && ill->ill_muxid == 0) {
+ /*
+ * Plumbing has to be done with IP plumbed first, arp
+ * second, but here we have arp being plumbed first.
+ */
+ mutex_exit(&ill->ill_lock);
+ ipsq_exit(ipsq);
+ ill_refrele(ill);
+ return (EINVAL);
}
}
+ mutex_exit(&ill->ill_lock);
+ if (!is_ip) {
+ arl->arl_muxid = islink ? li->l_index : 0;
+ ill_refrele(ill);
+ goto done;
+ }
if (IS_IPMP(ill) && (err = ip_sioctl_plink_ipmp(ill, ioccmd)) != 0)
goto done;
@@ -9912,8 +8639,7 @@ ip_sioctl_plink_ipmod(ipsq_t *ipsq, queue_t *q, mblk_t *mp, int ioccmd,
ill->ill_lmod_cnt++;
}
- if (doconsist)
- ill->ill_ip_muxid = islink ? li->l_index : 0;
+ ill->ill_muxid = islink ? li->l_index : 0;
/*
* Mark the ipsq busy until the capability operations initiated below
@@ -9997,11 +8723,11 @@ ip_sioctl_copyin_resume(ipsq_t *dummy_ipsq, queue_t *q, mblk_t *mp,
}
/*
- * ip_sioctl_copyin_setup is called by ip_wput with any M_IOCTL message
+ * ip_sioctl_copyin_setup is called by ip_wput_nondata with any M_IOCTL message
* that arrives. Most of the IOCTLs are "socket" IOCTLs which we handle
* in either I_STR or TRANSPARENT form, using the mi_copy facility.
* We establish here the size of the block to be copied in. mi_copyin
- * arranges for this to happen, an processing continues in ip_wput with
+ * arranges for this to happen, an processing continues in ip_wput_nondata with
* an M_IOCDATA message.
*/
void
@@ -10054,17 +8780,7 @@ ip_sioctl_copyin_setup(queue_t *q, mblk_t *mp)
* will fail all ioctls).
*/
if ((q->q_next != NULL) && !(ipip->ipi_flags & IPI_MODOK)) {
- if (ipip->ipi_flags & IPI_PASS_DOWN) {
- /*
- * Pass common Streams ioctls which the IP
- * module does not own or consume along to
- * be processed down stream.
- */
- putnext(q, mp);
- return;
- } else {
- goto nak;
- }
+ goto nak;
}
/* Make sure we have ioctl data to process. */
@@ -10216,286 +8932,62 @@ nak:
qreply(q, mp);
}
-/* ip_wput hands off ARP IOCTL responses to us */
-/* ARGSUSED3 */
-void
-ip_sioctl_iocack(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
+static void
+ip_sioctl_garp_reply(mblk_t *mp, ill_t *ill, void *hwaddr, int flags)
{
struct arpreq *ar;
struct xarpreq *xar;
- area_t *area;
- mblk_t *area_mp;
+ mblk_t *tmp;
struct iocblk *iocp;
- mblk_t *orig_ioc_mp, *tmp;
- struct iocblk *orig_iocp;
- ill_t *ill;
- conn_t *connp = NULL;
- mblk_t *pending_mp;
- int x_arp_ioctl = B_FALSE, ifx_arp_ioctl = B_FALSE;
+ int x_arp_ioctl = B_FALSE;
int *flagsp;
char *storage = NULL;
- sin_t *sin;
- ipaddr_t addr;
- int err;
- ip_stack_t *ipst;
- ASSERT(ipsq == NULL || IAM_WRITER_IPSQ(ipsq));
- ill = q->q_ptr;
ASSERT(ill != NULL);
- ipst = ill->ill_ipst;
-
- /*
- * We should get back from ARP a packet chain that looks like:
- * M_IOCACK-->ARP_op_MBLK-->ORIG_M_IOCTL-->MI_COPY_MBLK-->[X]ARPREQ_MBLK
- */
- if (!(area_mp = mp->b_cont) ||
- (area_mp->b_wptr - area_mp->b_rptr) < sizeof (ip_sock_ar_t) ||
- !(orig_ioc_mp = area_mp->b_cont) ||
- !orig_ioc_mp->b_cont || !orig_ioc_mp->b_cont->b_cont) {
- freemsg(mp);
- return;
- }
- orig_iocp = (struct iocblk *)orig_ioc_mp->b_rptr;
+ iocp = (struct iocblk *)mp->b_rptr;
+ ASSERT(iocp->ioc_cmd == SIOCGXARP || iocp->ioc_cmd == SIOCGARP);
- tmp = (orig_ioc_mp->b_cont)->b_cont;
- if ((orig_iocp->ioc_cmd == SIOCGXARP) ||
- (orig_iocp->ioc_cmd == SIOCSXARP) ||
- (orig_iocp->ioc_cmd == SIOCDXARP)) {
+ tmp = (mp->b_cont)->b_cont; /* xarpreq/arpreq */
+ if ((iocp->ioc_cmd == SIOCGXARP) ||
+ (iocp->ioc_cmd == SIOCSXARP)) {
x_arp_ioctl = B_TRUE;
xar = (struct xarpreq *)tmp->b_rptr;
- sin = (sin_t *)&xar->xarp_pa;
flagsp = &xar->xarp_flags;
storage = xar->xarp_ha.sdl_data;
- if (xar->xarp_ha.sdl_nlen != 0)
- ifx_arp_ioctl = B_TRUE;
} else {
ar = (struct arpreq *)tmp->b_rptr;
- sin = (sin_t *)&ar->arp_pa;
flagsp = &ar->arp_flags;
storage = ar->arp_ha.sa_data;
}
- iocp = (struct iocblk *)mp->b_rptr;
-
- /*
- * Find the pending message; if we're exclusive, it'll be on our IPSQ.
- * Otherwise, we can find it from our ioc_id.
- */
- if (ipsq != NULL)
- pending_mp = ipsq_pending_mp_get(ipsq, &connp);
- else
- pending_mp = ill_pending_mp_get(ill, &connp, iocp->ioc_id);
-
- if (pending_mp == NULL) {
- ASSERT(connp == NULL);
- inet_freemsg(mp);
- return;
- }
- ASSERT(connp != NULL);
- q = CONNP_TO_WQ(connp);
-
- /* Uncouple the internally generated IOCTL from the original one */
- area = (area_t *)area_mp->b_rptr;
- area_mp->b_cont = NULL;
-
- /*
- * Restore the b_next and b_prev used by mi code. This is needed
- * to complete the ioctl using mi* functions. We stored them in
- * the pending mp prior to sending the request to ARP.
- */
- orig_ioc_mp->b_cont->b_next = pending_mp->b_cont->b_next;
- orig_ioc_mp->b_cont->b_prev = pending_mp->b_cont->b_prev;
- inet_freemsg(pending_mp);
-
/*
- * We're done if there was an error or if this is not an SIOCG{X}ARP
- * Catch the case where there is an IRE_CACHE by no entry in the
- * arp table.
- */
- addr = sin->sin_addr.s_addr;
- if (iocp->ioc_error && iocp->ioc_cmd == AR_ENTRY_SQUERY) {
- ire_t *ire;
- dl_unitdata_req_t *dlup;
- mblk_t *llmp;
- int addr_len;
- ill_t *ipsqill = NULL;
-
- if (ifx_arp_ioctl) {
- /*
- * There's no need to lookup the ill, since
- * we've already done that when we started
- * processing the ioctl and sent the message
- * to ARP on that ill. So use the ill that
- * is stored in q->q_ptr.
- */
- ipsqill = ill;
- ire = ire_ctable_lookup(addr, 0, IRE_CACHE,
- ipsqill->ill_ipif, ALL_ZONES,
- NULL, MATCH_IRE_TYPE | MATCH_IRE_ILL, ipst);
- } else {
- ire = ire_ctable_lookup(addr, 0, IRE_CACHE,
- NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- if (ire != NULL)
- ipsqill = ire_to_ill(ire);
- }
-
- if ((x_arp_ioctl) && (ipsqill != NULL))
- storage += ill_xarp_info(&xar->xarp_ha, ipsqill);
-
- if (ire != NULL) {
- /*
- * Since the ire obtained from cachetable is used for
- * mac addr copying below, treat an incomplete ire as if
- * as if we never found it.
- */
- if (ire->ire_nce != NULL &&
- ire->ire_nce->nce_state != ND_REACHABLE) {
- ire_refrele(ire);
- ire = NULL;
- ipsqill = NULL;
- goto errack;
- }
- *flagsp = ATF_INUSE;
- llmp = (ire->ire_nce != NULL ?
- ire->ire_nce->nce_res_mp : NULL);
- if (llmp != NULL && ipsqill != NULL) {
- uchar_t *macaddr;
-
- addr_len = ipsqill->ill_phys_addr_length;
- if (x_arp_ioctl && ((addr_len +
- ipsqill->ill_name_length) >
- sizeof (xar->xarp_ha.sdl_data))) {
- ire_refrele(ire);
- freemsg(mp);
- ip_ioctl_finish(q, orig_ioc_mp,
- EINVAL, NO_COPYOUT, ipsq);
- return;
- }
- *flagsp |= ATF_COM;
- dlup = (dl_unitdata_req_t *)llmp->b_rptr;
- if (ipsqill->ill_sap_length < 0)
- macaddr = llmp->b_rptr +
- dlup->dl_dest_addr_offset;
- else
- macaddr = llmp->b_rptr +
- dlup->dl_dest_addr_offset +
- ipsqill->ill_sap_length;
- /*
- * For SIOCGARP, MAC address length
- * validation has already been done
- * before the ioctl was issued to ARP to
- * allow it to progress only on 6 byte
- * addressable (ethernet like) media. Thus
- * the mac address copying can not overwrite
- * the sa_data area below.
- */
- bcopy(macaddr, storage, addr_len);
- }
- /* Ditch the internal IOCTL. */
- freemsg(mp);
- ire_refrele(ire);
- ip_ioctl_finish(q, orig_ioc_mp, 0, COPYOUT, ipsq);
- return;
- }
- }
-
- /*
- * If this was a failed AR_ENTRY_ADD or a successful AR_ENTRY_DELETE
- * on the IPMP meta-interface, ensure any ARP entries added in
- * ip_sioctl_arp() are deleted.
- */
- if (IS_IPMP(ill) &&
- ((iocp->ioc_error != 0 && iocp->ioc_cmd == AR_ENTRY_ADD) ||
- ((iocp->ioc_error == 0 && iocp->ioc_cmd == AR_ENTRY_DELETE)))) {
- ipmp_illgrp_t *illg = ill->ill_grp;
- ipmp_arpent_t *entp;
-
- if ((entp = ipmp_illgrp_lookup_arpent(illg, &addr)) != NULL)
- ipmp_illgrp_destroy_arpent(illg, entp);
- }
-
- /*
- * Delete the coresponding IRE_CACHE if any.
- * Reset the error if there was one (in case there was no entry
- * in arp.)
- */
- if (iocp->ioc_cmd == AR_ENTRY_DELETE) {
- ipif_t *ipintf = NULL;
-
- if (ifx_arp_ioctl) {
- /*
- * There's no need to lookup the ill, since
- * we've already done that when we started
- * processing the ioctl and sent the message
- * to ARP on that ill. So use the ill that
- * is stored in q->q_ptr.
- */
- ipintf = ill->ill_ipif;
- }
- if (ip_ire_clookup_and_delete(addr, ipintf, ipst)) {
- /*
- * The address in "addr" may be an entry for a
- * router. If that's true, then any off-net
- * IRE_CACHE entries that go through the router
- * with address "addr" must be clobbered. Use
- * ire_walk to achieve this goal.
- */
- if (ifx_arp_ioctl)
- ire_walk_ill_v4(MATCH_IRE_ILL, 0,
- ire_delete_cache_gw, (char *)&addr, ill);
- else
- ire_walk_v4(ire_delete_cache_gw, (char *)&addr,
- ALL_ZONES, ipst);
- iocp->ioc_error = 0;
- }
- }
-errack:
- if (iocp->ioc_error || iocp->ioc_cmd != AR_ENTRY_SQUERY) {
- err = iocp->ioc_error;
- freemsg(mp);
- ip_ioctl_finish(q, orig_ioc_mp, err, NO_COPYOUT, ipsq);
- return;
- }
-
- /*
- * Completion of an SIOCG{X}ARP. Translate the information from
- * the area_t into the struct {x}arpreq.
+ * We're done if this is not an SIOCG{X}ARP
*/
if (x_arp_ioctl) {
storage += ill_xarp_info(&xar->xarp_ha, ill);
if ((ill->ill_phys_addr_length + ill->ill_name_length) >
sizeof (xar->xarp_ha.sdl_data)) {
- freemsg(mp);
- ip_ioctl_finish(q, orig_ioc_mp, EINVAL, NO_COPYOUT,
- ipsq);
+ iocp->ioc_error = EINVAL;
return;
}
}
*flagsp = ATF_INUSE;
- if (area->area_flags & ACE_F_PERMANENT)
- *flagsp |= ATF_PERM;
- if (area->area_flags & ACE_F_PUBLISH)
- *flagsp |= ATF_PUBL;
- if (area->area_flags & ACE_F_AUTHORITY)
+ /*
+ * If /sbin/arp told us we are the authority using the "permanent"
+ * flag, or if this is one of my addresses print "permanent"
+ * in the /sbin/arp output.
+ */
+ if ((flags & NCE_F_MYADDR) || (flags & NCE_F_AUTHORITY))
*flagsp |= ATF_AUTHORITY;
- if (area->area_hw_addr_length != 0) {
+ if (flags & NCE_F_NONUD)
+ *flagsp |= ATF_PERM; /* not subject to aging */
+ if (flags & NCE_F_PUBLISH)
+ *flagsp |= ATF_PUBL;
+ if (hwaddr != NULL) {
*flagsp |= ATF_COM;
- /*
- * For SIOCGARP, MAC address length validation has
- * already been done before the ioctl was issued to ARP
- * to allow it to progress only on 6 byte addressable
- * (ethernet like) media. Thus the mac address copying
- * can not overwrite the sa_data area below.
- */
- bcopy((char *)area + area->area_hw_addr_offset,
- storage, area->area_hw_addr_length);
+ bcopy((char *)hwaddr, storage, ill->ill_phys_addr_length);
}
-
- /* Ditch the internal IOCTL. */
- freemsg(mp);
- /* Complete the original. */
- ip_ioctl_finish(q, orig_ioc_mp, 0, COPYOUT, ipsq);
}
/*
@@ -10552,7 +9044,7 @@ ip_sioctl_addif(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
name = lifr->lifr_name;
ASSERT(CONN_Q(q));
connp = Q_TO_CONN(q);
- isv6 = connp->conn_af_isv6;
+ isv6 = (connp->conn_family == AF_INET6);
zoneid = connp->conn_zoneid;
namelen = mi_strlen(name);
if (namelen == 0)
@@ -10567,7 +9059,7 @@ ip_sioctl_addif(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
* for the last 4 args to ipif_lookup_name.
*/
ipif = ipif_lookup_on_name(lifr->lifr_name, namelen, B_TRUE,
- &exists, isv6, zoneid, NULL, NULL, NULL, NULL, ipst);
+ &exists, isv6, zoneid, ipst);
/* Prevent any further action */
if (ipif == NULL) {
return (ENOBUFS);
@@ -10605,12 +9097,11 @@ ip_sioctl_addif(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
break;
}
}
- ill = ill_lookup_on_name(name, B_FALSE, isv6,
- CONNP_TO_WQ(connp), mp, ip_process_ioctl, &err, NULL, ipst);
+ ill = ill_lookup_on_name(name, B_FALSE, isv6, NULL, ipst);
if (found_sep)
*cp = IPIF_SEPARATOR_CHAR;
if (ill == NULL)
- return (err);
+ return (ENXIO);
}
ipsq = ipsq_try_enter(NULL, ill, q, mp, ip_process_ioctl, NEW_OP,
@@ -10687,7 +9178,7 @@ ip_sioctl_removeif(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ASSERT(q->q_next == NULL);
ip1dbg(("ip_sioctl_remove_if(%s:%u %p)\n",
- ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
+ ill->ill_name, ipif->ipif_id, (void *)ipif));
ASSERT(IAM_WRITER_IPIF(ipif));
connp = Q_TO_CONN(q);
@@ -10703,7 +9194,7 @@ ip_sioctl_removeif(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
* same as any other interface (meaning it skips the code directly
* below).
*/
- if (ipif->ipif_id == 0 && ipif->ipif_net_type == IRE_LOOPBACK) {
+ if (ipif->ipif_id == 0 && ill->ill_net_type == IRE_LOOPBACK) {
if (sin->sin_family == AF_UNSPEC &&
(IN6_IS_ADDR_UNSPECIFIED(&((sin6_t *)sin)->sin6_addr))) {
/*
@@ -10802,7 +9293,7 @@ ip_sioctl_removeif(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
mutex_exit(&ill->ill_lock);
mutex_exit(&connp->conn_lock);
ipif_non_duplicate(ipif);
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
ipif_free_tail(ipif); /* frees ipif */
return (0);
}
@@ -10833,7 +9324,7 @@ ip_sioctl_removeif_restart(ipif_t *ipif, sin_t *dummy_sin, queue_t *q,
ip1dbg(("ip_sioctl_removeif_restart(%s:%u %p)\n",
ill->ill_name, ipif->ipif_id, (void *)ipif));
- if (ipif->ipif_id == 0 && ipif->ipif_net_type == IRE_LOOPBACK) {
+ if (ipif->ipif_id == 0 && ill->ill_net_type == IRE_LOOPBACK) {
ASSERT(ill->ill_state_flags & ILL_CONDEMNED);
ill_delete_tail(ill);
mi_free(ill);
@@ -10841,10 +9332,9 @@ ip_sioctl_removeif_restart(ipif_t *ipif, sin_t *dummy_sin, queue_t *q,
}
ipif_non_duplicate(ipif);
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
ipif_free_tail(ipif);
- ILL_UNMARK_CHANGING(ill);
return (0);
}
@@ -10930,8 +9420,6 @@ ip_sioctl_addr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
* we have net and subnet bcast ire's for
* the old address if we need them.
*/
- if (!ipif->ipif_isv6)
- ipif_check_bcast_ires(ipif);
/*
* If the interface is already marked up,
* we call ipif_down which will take care
@@ -10941,7 +9429,7 @@ ip_sioctl_addr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
err = ipif_logical_down(ipif, q, mp);
if (err == EINPROGRESS)
return (err);
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
need_up = 1;
}
@@ -10988,11 +9476,6 @@ ip_sioctl_addr_tail(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ov6addr = ipif->ipif_v6lcl_addr;
ipif->ipif_v6lcl_addr = v6addr;
sctp_update_ipif_addr(ipif, ov6addr);
- if (ipif->ipif_flags & (IPIF_ANYCAST | IPIF_NOLOCAL)) {
- ipif->ipif_v6src_addr = ipv6_all_zeros;
- } else {
- ipif->ipif_v6src_addr = v6addr;
- }
ipif->ipif_addr_ready = 0;
/*
@@ -11050,12 +9533,22 @@ ip_sioctl_addr_tail(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
* ip_rput_dlpi when we see the DL_BIND_ACK.
*/
err = ipif_up(ipif, q, mp);
+ } else {
+ /* Perhaps ilgs should use this ill */
+ update_conn_ill(NULL, ill->ill_ipst);
}
if (need_dl_down)
ill_dl_down(ill);
- if (need_arp_down)
- ipif_resolver_down(ipif);
+
+ if (need_arp_down && !ill->ill_isv6)
+ (void) ipif_arp_down(ipif);
+
+ /*
+ * The default multicast interface might have changed (for
+ * instance if the IPv6 scope of the address changed)
+ */
+ ire_increment_multicast_generation(ill->ill_ipst, ill->ill_isv6);
return (err);
}
@@ -11072,7 +9565,7 @@ ip_sioctl_addr_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ip1dbg(("ip_sioctl_addr_restart(%s:%u %p)\n",
ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
ASSERT(IAM_WRITER_IPIF(ipif));
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
return (ip_sioctl_addr_tail(ipif, sin, q, mp, B_TRUE));
}
@@ -11162,7 +9655,7 @@ ip_sioctl_dstaddr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
err = ipif_logical_down(ipif, q, mp);
if (err == EINPROGRESS)
return (err);
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
need_up = B_TRUE;
}
/*
@@ -11254,8 +9747,8 @@ ip_sioctl_dstaddr_tail(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
if (need_dl_down)
ill_dl_down(ill);
- if (need_arp_down)
- ipif_resolver_down(ipif);
+ if (need_arp_down && !ipif->ipif_isv6)
+ (void) ipif_arp_down(ipif);
return (err);
}
@@ -11271,7 +9764,7 @@ ip_sioctl_dstaddr_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
{
ip1dbg(("ip_sioctl_dstaddr_restart(%s:%u %p)\n",
ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
return (ip_sioctl_dstaddr_tail(ipif, sin, q, mp, B_TRUE));
}
@@ -11333,7 +9826,6 @@ ip_sioctl_flags(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
struct ifreq *ifr;
struct lifreq *lifr;
boolean_t set_linklocal = B_FALSE;
- boolean_t zero_source = B_FALSE;
ip1dbg(("ip_sioctl_flags(%s:%u %p)\n",
ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
@@ -11345,7 +9837,7 @@ ip_sioctl_flags(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
if (ipip->ipi_cmd_type == IF_CMD) {
ifr = (struct ifreq *)if_req;
- flags = (uint64_t)(ifr->ifr_flags & 0x0000ffff);
+ flags = (uint64_t)(ifr->ifr_flags & 0x0000ffff);
} else {
lifr = (struct lifreq *)if_req;
flags = lifr->lifr_flags;
@@ -11425,10 +9917,10 @@ ip_sioctl_flags(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
}
/*
- * Only allow the IFF_XRESOLV and IFF_TEMPORARY flags to be set on
+ * Only allow IFF_TEMPORARY flag to be set on
* IPv6 interfaces.
*/
- if ((turn_on & (IFF_XRESOLV|IFF_TEMPORARY)) && !(ipif->ipif_isv6))
+ if ((turn_on & IFF_TEMPORARY) && !(ipif->ipif_isv6))
return (EINVAL);
/*
@@ -11444,9 +9936,6 @@ ip_sioctl_flags(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
if ((turn_on & IFF_ROUTER) && (phyi->phyint_flags & PHYI_LOOPBACK))
return (EINVAL);
- if (flags & (IFF_NOLOCAL|IFF_ANYCAST))
- zero_source = B_TRUE;
-
/*
* For IPv6 ipif_id 0, don't allow the interface to be up without
* a link local address if IFF_NOLOCAL or IFF_ANYCAST are not set.
@@ -11454,7 +9943,7 @@ ip_sioctl_flags(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
* set later on in this function.
*/
if (ipif->ipif_id == 0 && ipif->ipif_isv6 &&
- (flags & IFF_UP) && !zero_source &&
+ (flags & IFF_UP) && !(flags & (IFF_NOLOCAL|IFF_ANYCAST)) &&
IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr)) {
if (ipif_cant_setlinklocal(ipif))
return (EINVAL);
@@ -11560,13 +10049,15 @@ ip_sioctl_flags(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ill_ipif, RTSQ_DEFAULT);
}
}
+ /* The default multicast interface might have changed */
+ ire_increment_multicast_generation(ill->ill_ipst,
+ ill->ill_isv6);
+
return (0);
- } else if (set_linklocal || zero_source) {
+ } else if (set_linklocal) {
mutex_enter(&ill->ill_lock);
if (set_linklocal)
ipif->ipif_state_flags |= IPIF_SET_LINKLOCAL;
- if (zero_source)
- ipif->ipif_state_flags |= IPIF_ZERO_SOURCE;
mutex_exit(&ill->ill_lock);
}
@@ -11610,13 +10101,10 @@ ip_sioctl_flags(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ILLF_NONUD|IPIF_PRIVATE|IPIF_ANYCAST|IPIF_PREFERRED|
IPIF_NOFAILOVER)) {
/*
- * Taking this ipif down, make sure we have
- * valid net and subnet bcast ire's for other
- * logical interfaces, if we need them.
+ * ipif_down() will ire_delete bcast ire's for the subnet,
+ * while the ire_identical_ref tracks the case of IRE_BROADCAST
+ * entries shared between multiple ipifs on the same subnet.
*/
- if (!ipif->ipif_isv6)
- ipif_check_bcast_ires(ipif);
-
if (((ipif->ipif_flags | turn_on) & IPIF_UP) &&
!(turn_off & IPIF_UP)) {
if (ipif->ipif_flags & IPIF_UP)
@@ -11627,7 +10115,7 @@ ip_sioctl_flags(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ip1dbg(("ipif_down returns %d err ", err));
if (err == EINPROGRESS)
return (err);
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
}
return (ip_sioctl_flags_tail(ipif, flags, q, mp));
}
@@ -11642,7 +10130,6 @@ ip_sioctl_flags_tail(ipif_t *ipif, uint64_t flags, queue_t *q, mblk_t *mp)
boolean_t phyint_flags_modified = B_FALSE;
int err = 0;
boolean_t set_linklocal = B_FALSE;
- boolean_t zero_source = B_FALSE;
ip1dbg(("ip_sioctl_flags_tail(%s:%u)\n",
ipif->ipif_ill->ill_name, ipif->ipif_id));
@@ -11680,21 +10167,13 @@ ip_sioctl_flags_tail(ipif_t *ipif, uint64_t flags, queue_t *q, mblk_t *mp)
set_linklocal = B_TRUE;
ipif->ipif_state_flags &= ~IPIF_SET_LINKLOCAL;
}
- if (ipif->ipif_state_flags & IPIF_ZERO_SOURCE) {
- zero_source = B_TRUE;
- ipif->ipif_state_flags &= ~IPIF_ZERO_SOURCE;
- }
+
mutex_exit(&ill->ill_lock);
mutex_exit(&phyi->phyint_lock);
if (set_linklocal)
(void) ipif_setlinklocal(ipif);
- if (zero_source)
- ipif->ipif_v6src_addr = ipv6_all_zeros;
- else
- ipif->ipif_v6src_addr = ipif->ipif_v6lcl_addr;
-
/*
* PHYI_FAILED, PHYI_INACTIVE, and PHYI_OFFLINE are all the same to
* the kernel: if any of them has been set by userland, the interface
@@ -11744,6 +10223,9 @@ ip_sioctl_flags_tail(ipif_t *ipif, uint64_t flags, queue_t *q, mblk_t *mp)
*/
sctp_update_ipif(ipif, SCTP_IPIF_UPDATE);
}
+
+ /* The default multicast interface might have changed */
+ ire_increment_multicast_generation(ill->ill_ipst, ill->ill_isv6);
return (err);
}
@@ -11762,7 +10244,7 @@ ip_sioctl_flags_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ip1dbg(("ip_sioctl_flags_restart(%s:%u %p)\n",
ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
if (ipip->ipi_cmd_type == IF_CMD) {
/* cast to uint16_t prevents unwanted sign extension */
flags = (uint16_t)ifr->ifr_flags;
@@ -11814,6 +10296,10 @@ ip_sioctl_get_flags(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
return (0);
}
+/*
+ * We allow the MTU to be set on an ILL, but not have it be different
+ * for different IPIFs since we don't actually send packets on IPIFs.
+ */
/* ARGSUSED */
int
ip_sioctl_mtu(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
@@ -11823,8 +10309,7 @@ ip_sioctl_mtu(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
int ip_min_mtu;
struct ifreq *ifr;
struct lifreq *lifr;
- ire_t *ire;
- ip_stack_t *ipst;
+ ill_t *ill;
ip1dbg(("ip_sioctl_mtu(%s:%u %p)\n", ipif->ipif_ill->ill_name,
ipif->ipif_id, (void *)ipif));
@@ -11835,48 +10320,35 @@ ip_sioctl_mtu(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
lifr = (struct lifreq *)if_req;
mtu = lifr->lifr_mtu;
}
+ /* Only allow for logical unit zero i.e. not on "bge0:17" */
+ if (ipif->ipif_id != 0)
+ return (EINVAL);
+ ill = ipif->ipif_ill;
if (ipif->ipif_isv6)
ip_min_mtu = IPV6_MIN_MTU;
else
ip_min_mtu = IP_MIN_MTU;
- if (mtu > ipif->ipif_ill->ill_max_frag || mtu < ip_min_mtu)
+ mutex_enter(&ill->ill_lock);
+ if (mtu > ill->ill_max_frag || mtu < ip_min_mtu) {
+ mutex_exit(&ill->ill_lock);
return (EINVAL);
+ }
+ /*
+ * The dce and fragmentation code can handle changes to ill_mtu
+ * concurrent with sending/fragmenting packets.
+ */
+ ill->ill_mtu = mtu;
+ ill->ill_flags |= ILLF_FIXEDMTU;
+ mutex_exit(&ill->ill_lock);
/*
- * Change the MTU size in all relevant ire's.
- * Mtu change Vs. new ire creation - protocol below.
- * First change ipif_mtu and the ire_max_frag of the
- * interface ire. Then do an ire walk and change the
- * ire_max_frag of all affected ires. During ire_add
- * under the bucket lock, set the ire_max_frag of the
- * new ire being created from the ipif/ire from which
- * it is being derived. If an mtu change happens after
- * the ire is added, the new ire will be cleaned up.
- * Conversely if the mtu change happens before the ire
- * is added, ire_add will see the new value of the mtu.
+ * Make sure all dce_generation checks find out
+ * that ill_mtu has changed.
*/
- ipif->ipif_mtu = mtu;
- ipif->ipif_flags |= IPIF_FIXEDMTU;
+ dce_increment_all_generations(ill->ill_isv6, ill->ill_ipst);
- if (ipif->ipif_isv6)
- ire = ipif_to_ire_v6(ipif);
- else
- ire = ipif_to_ire(ipif);
- if (ire != NULL) {
- ire->ire_max_frag = ipif->ipif_mtu;
- ire_refrele(ire);
- }
- ipst = ipif->ipif_ill->ill_ipst;
- if (ipif->ipif_flags & IPIF_UP) {
- if (ipif->ipif_isv6)
- ire_walk_v6(ipif_mtu_change, (char *)ipif, ALL_ZONES,
- ipst);
- else
- ire_walk_v4(ipif_mtu_change, (char *)ipif, ALL_ZONES,
- ipst);
- }
/* Update the MTU in SCTP's list */
sctp_update_ipif(ipif, SCTP_IPIF_UPDATE);
return (0);
@@ -11893,12 +10365,17 @@ ip_sioctl_get_mtu(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ip1dbg(("ip_sioctl_get_mtu(%s:%u %p)\n",
ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
+
+ /*
+ * We allow a get on any logical interface even though the set
+ * can only be done on logical unit 0.
+ */
if (ipip->ipi_cmd_type == IF_CMD) {
ifr = (struct ifreq *)if_req;
- ifr->ifr_metric = ipif->ipif_mtu;
+ ifr->ifr_metric = ipif->ipif_ill->ill_mtu;
} else {
lifr = (struct lifreq *)if_req;
- lifr->lifr_mtu = ipif->ipif_mtu;
+ lifr->lifr_mtu = ipif->ipif_ill->ill_mtu;
}
return (0);
}
@@ -11911,9 +10388,10 @@ ip_sioctl_brdaddr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
{
ipaddr_t addr;
ire_t *ire;
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
+ ill_t *ill = ipif->ipif_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
- ip1dbg(("ip_sioctl_brdaddr(%s:%u)\n", ipif->ipif_ill->ill_name,
+ ip1dbg(("ip_sioctl_brdaddr(%s:%u)\n", ill->ill_name,
ipif->ipif_id));
ASSERT(IAM_WRITER_IPIF(ipif));
@@ -11931,12 +10409,10 @@ ip_sioctl_brdaddr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
* If we are already up, make sure the new
* broadcast address makes sense. If it does,
* there should be an IRE for it already.
- * Don't match on ipif, only on the ill
- * since we are sharing these now.
*/
- ire = ire_ctable_lookup(addr, 0, IRE_BROADCAST,
- ipif, ALL_ZONES, NULL,
- (MATCH_IRE_ILL | MATCH_IRE_TYPE), ipst);
+ ire = ire_ftable_lookup_v4(addr, 0, 0, IRE_BROADCAST,
+ ill, ipif->ipif_zoneid, NULL,
+ (MATCH_IRE_ILL | MATCH_IRE_TYPE), 0, ipst, NULL);
if (ire == NULL) {
return (EINVAL);
} else {
@@ -11944,13 +10420,13 @@ ip_sioctl_brdaddr(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
}
}
/*
- * Changing the broadcast addr for this ipif.
- * Make sure we have valid net and subnet bcast
- * ire's for other logical interfaces, if needed.
+ * Changing the broadcast addr for this ipif. Since the IRE_BROADCAST
+ * needs to already exist we never need to change the set of
+ * IRE_BROADCASTs when we are UP.
*/
if (addr != ipif->ipif_brd_addr)
- ipif_check_bcast_ires(ipif);
- IN6_IPADDR_TO_V4MAPPED(addr, &ipif->ipif_v6brd_addr);
+ IN6_IPADDR_TO_V4MAPPED(addr, &ipif->ipif_v6brd_addr);
+
return (0);
}
@@ -12026,13 +10502,10 @@ ip_sioctl_netmask(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
* Make sure we have valid net and subnet broadcast ire's
* for the old netmask, if needed by other logical interfaces.
*/
- if (!ipif->ipif_isv6)
- ipif_check_bcast_ires(ipif);
-
err = ipif_logical_down(ipif, q, mp);
if (err == EINPROGRESS)
return (err);
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
err = ip_sioctl_netmask_tail(ipif, sin, q, mp);
return (err);
}
@@ -12087,7 +10560,7 @@ ip_sioctl_netmask_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
{
ip1dbg(("ip_sioctl_netmask_restart(%s:%u %p)\n",
ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
return (ip_sioctl_netmask_tail(ipif, sin, q, mp));
}
@@ -12188,6 +10661,7 @@ int
ip_sioctl_muxid(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ip_ioctl_cmd_t *ipip, void *if_req)
{
+ int arp_muxid;
ip1dbg(("ip_sioctl_muxid(%s:%u %p)\n",
ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
@@ -12197,14 +10671,15 @@ ip_sioctl_muxid(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
if (ipip->ipi_cmd_type == IF_CMD) {
struct ifreq *ifr = (struct ifreq *)if_req;
- ipif->ipif_ill->ill_ip_muxid = ifr->ifr_ip_muxid;
- ipif->ipif_ill->ill_arp_muxid = ifr->ifr_arp_muxid;
+ ipif->ipif_ill->ill_muxid = ifr->ifr_ip_muxid;
+ arp_muxid = ifr->ifr_arp_muxid;
} else {
struct lifreq *lifr = (struct lifreq *)if_req;
- ipif->ipif_ill->ill_ip_muxid = lifr->lifr_ip_muxid;
- ipif->ipif_ill->ill_arp_muxid = lifr->lifr_arp_muxid;
+ ipif->ipif_ill->ill_muxid = lifr->lifr_ip_muxid;
+ arp_muxid = lifr->lifr_arp_muxid;
}
+ arl_set_muxid(ipif->ipif_ill, arp_muxid);
return (0);
}
@@ -12213,22 +10688,24 @@ int
ip_sioctl_get_muxid(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ip_ioctl_cmd_t *ipip, void *if_req)
{
+ int arp_muxid = 0;
ip1dbg(("ip_sioctl_get_muxid(%s:%u %p)\n",
ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
/*
* Get the muxid saved in ill for I_PUNLINK.
*/
+ arp_muxid = arl_get_muxid(ipif->ipif_ill);
if (ipip->ipi_cmd_type == IF_CMD) {
struct ifreq *ifr = (struct ifreq *)if_req;
- ifr->ifr_ip_muxid = ipif->ipif_ill->ill_ip_muxid;
- ifr->ifr_arp_muxid = ipif->ipif_ill->ill_arp_muxid;
+ ifr->ifr_ip_muxid = ipif->ipif_ill->ill_muxid;
+ ifr->ifr_arp_muxid = arp_muxid;
} else {
struct lifreq *lifr = (struct lifreq *)if_req;
- lifr->lifr_ip_muxid = ipif->ipif_ill->ill_ip_muxid;
- lifr->lifr_arp_muxid = ipif->ipif_ill->ill_arp_muxid;
+ lifr->lifr_ip_muxid = ipif->ipif_ill->ill_muxid;
+ lifr->lifr_arp_muxid = arp_muxid;
}
return (0);
}
@@ -12298,7 +10775,7 @@ ip_sioctl_subnet(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
err = ipif_logical_down(ipif, q, mp);
if (err == EINPROGRESS)
return (err);
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
need_up = B_TRUE;
}
@@ -12353,7 +10830,7 @@ ip_sioctl_subnet_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ip1dbg(("ip_sioctl_subnet_restart(%s:%u %p)\n",
ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
addrlen = lifr->lifr_addrlen;
if (ipif->ipif_isv6) {
@@ -12454,7 +10931,7 @@ ip_sioctl_token(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
err = ipif_logical_down(ipif, q, mp);
if (err == EINPROGRESS)
return (err);
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
need_up = B_TRUE;
}
err = ip_sioctl_token_tail(ipif, sin6, addrlen, q, mp, need_up);
@@ -12538,24 +11015,6 @@ ip_sioctl_get_token(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
/*
* Set (hardware) link specific information that might override
* what was acquired through the DL_INFO_ACK.
- * The logic is as follows.
- *
- * become exclusive
- * set CHANGING flag
- * change mtu on affected IREs
- * clear CHANGING flag
- *
- * An ire add that occurs before the CHANGING flag is set will have its mtu
- * changed by the ip_sioctl_lnkinfo.
- *
- * During the time the CHANGING flag is set, no new ires will be added to the
- * bucket, and ire add will fail (due the CHANGING flag).
- *
- * An ire add that occurs after the CHANGING flag is set will have the right mtu
- * before it is added to the bucket.
- *
- * Obviously only 1 thread can set the CHANGING flag and we need to become
- * exclusive to set the flag.
*/
/* ARGSUSED */
int
@@ -12563,19 +11022,16 @@ ip_sioctl_lnkinfo(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ip_ioctl_cmd_t *ipi, void *if_req)
{
ill_t *ill = ipif->ipif_ill;
- ipif_t *nipif;
int ip_min_mtu;
- boolean_t mtu_walk = B_FALSE;
struct lifreq *lifr = (struct lifreq *)if_req;
lif_ifinfo_req_t *lir;
- ire_t *ire;
ip1dbg(("ip_sioctl_lnkinfo(%s:%u %p)\n",
ipif->ipif_ill->ill_name, ipif->ipif_id, (void *)ipif));
lir = &lifr->lifr_ifinfo;
ASSERT(IAM_WRITER_IPIF(ipif));
- /* Only allow for logical unit zero i.e. not on "le0:17" */
+ /* Only allow for logical unit zero i.e. not on "bge0:17" */
if (ipif->ipif_id != 0)
return (EINVAL);
@@ -12588,9 +11044,20 @@ ip_sioctl_lnkinfo(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
/*
* Verify values before we set anything. Allow zero to
* mean unspecified.
+ *
+ * XXX We should be able to set the user-defined lir_mtu to some value
+ * that is greater than ill_current_frag but less than ill_max_frag- the
+ * ill_max_frag value tells us the max MTU that can be handled by the
+ * datalink, whereas the ill_current_frag is dynamically computed for
+ * some link-types like tunnels, based on the tunnel PMTU. However,
+ * since there is currently no way of distinguishing between
+ * administratively fixed link mtu values (e.g., those set via
+ * /sbin/dladm) and dynamically discovered MTUs (e.g., those discovered
+ * for tunnels) we conservatively choose the ill_current_frag as the
+ * upper-bound.
*/
if (lir->lir_maxmtu != 0 &&
- (lir->lir_maxmtu > ill->ill_max_frag ||
+ (lir->lir_maxmtu > ill->ill_current_frag ||
lir->lir_maxmtu < ip_min_mtu))
return (EINVAL);
if (lir->lir_reachtime != 0 &&
@@ -12601,18 +11068,12 @@ ip_sioctl_lnkinfo(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
return (EINVAL);
mutex_enter(&ill->ill_lock);
- ill->ill_state_flags |= ILL_CHANGING;
- for (nipif = ill->ill_ipif; nipif != NULL;
- nipif = nipif->ipif_next) {
- nipif->ipif_state_flags |= IPIF_CHANGING;
- }
-
- if (lir->lir_maxmtu != 0) {
- ill->ill_max_mtu = lir->lir_maxmtu;
+ /*
+ * The dce and fragmentation code can handle changes to ill_mtu
+ * concurrent with sending/fragmenting packets.
+ */
+ if (lir->lir_maxmtu != 0)
ill->ill_user_mtu = lir->lir_maxmtu;
- mtu_walk = B_TRUE;
- }
- mutex_exit(&ill->ill_lock);
if (lir->lir_reachtime != 0)
ill->ill_reachable_time = lir->lir_reachtime;
@@ -12621,47 +11082,29 @@ ip_sioctl_lnkinfo(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ill->ill_reachable_retrans_time = lir->lir_reachretrans;
ill->ill_max_hops = lir->lir_maxhops;
-
ill->ill_max_buf = ND_MAX_Q;
-
- if (mtu_walk) {
+ if (!(ill->ill_flags & ILLF_FIXEDMTU) && ill->ill_user_mtu != 0) {
/*
- * Set the MTU on all ipifs associated with this ill except
- * for those whose MTU was fixed via SIOCSLIFMTU.
+ * ill_mtu is the actual interface MTU, obtained as the min
+ * of user-configured mtu and the value announced by the
+ * driver (via DL_NOTE_SDU_SIZE/DL_INFO_ACK). Note that since
+ * we have already made the choice of requiring
+ * ill_user_mtu < ill_current_frag by the time we get here,
+ * the ill_mtu effectively gets assigned to the ill_user_mtu
+ * here.
*/
- for (nipif = ill->ill_ipif; nipif != NULL;
- nipif = nipif->ipif_next) {
- if (nipif->ipif_flags & IPIF_FIXEDMTU)
- continue;
-
- nipif->ipif_mtu = ill->ill_max_mtu;
-
- if (!(nipif->ipif_flags & IPIF_UP))
- continue;
-
- if (nipif->ipif_isv6)
- ire = ipif_to_ire_v6(nipif);
- else
- ire = ipif_to_ire(nipif);
- if (ire != NULL) {
- ire->ire_max_frag = ipif->ipif_mtu;
- ire_refrele(ire);
- }
-
- ire_walk_ill(MATCH_IRE_ILL, 0, ipif_mtu_change,
- nipif, ill);
- }
- }
-
- mutex_enter(&ill->ill_lock);
- for (nipif = ill->ill_ipif; nipif != NULL;
- nipif = nipif->ipif_next) {
- nipif->ipif_state_flags &= ~IPIF_CHANGING;
+ ill->ill_mtu = MIN(ill->ill_current_frag, ill->ill_user_mtu);
}
- ILL_UNMARK_CHANGING(ill);
mutex_exit(&ill->ill_lock);
/*
+ * Make sure all dce_generation checks find out
+ * that ill_mtu has changed.
+ */
+ if (!(ill->ill_flags & ILLF_FIXEDMTU) && (lir->lir_maxmtu != 0))
+ dce_increment_all_generations(ill->ill_isv6, ill->ill_ipst);
+
+ /*
* Refresh IPMP meta-interface MTU if necessary.
*/
if (IS_UNDER_IPMP(ill))
@@ -12687,7 +11130,7 @@ ip_sioctl_get_lnkinfo(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
lir->lir_maxhops = ill->ill_max_hops;
lir->lir_reachtime = ill->ill_reachable_time;
lir->lir_reachretrans = ill->ill_reachable_retrans_time;
- lir->lir_maxmtu = ill->ill_max_mtu;
+ lir->lir_maxmtu = ill->ill_mtu;
return (0);
}
@@ -12722,7 +11165,7 @@ ip_subnet_mask(ipaddr_t addr, ipif_t **ipifp, ip_stack_t *ipst)
mutex_enter(&ill->ill_lock);
for (ipif = ill->ill_ipif; ipif != NULL;
ipif = ipif->ipif_next) {
- if (!IPIF_CAN_LOOKUP(ipif))
+ if (IPIF_IS_CONDEMNED(ipif))
continue;
if (!(ipif->ipif_flags & IPIF_UP))
continue;
@@ -12848,29 +11291,9 @@ done:
}
/*
- * Lookup an ipif using the sequence id (ipif_seqid)
+ * Assign a unique id for the ipif. This is used by sctp_addr.c
+ * Note: remove if sctp_addr.c is redone to not shadow ill/ipif data structures.
*/
-ipif_t *
-ipif_lookup_seqid(ill_t *ill, uint_t seqid)
-{
- ipif_t *ipif;
-
- ASSERT(MUTEX_HELD(&ill->ill_lock));
-
- for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
- if (ipif->ipif_seqid == seqid && IPIF_CAN_LOOKUP(ipif))
- return (ipif);
- }
- return (NULL);
-}
-
-/*
- * Assign a unique id for the ipif. This is used later when we send
- * IRES to ARP for resolution where we initialize ire_ipif_seqid
- * to the value pointed by ire_ipif->ipif_seqid. Later when the
- * IRE is added, we verify that ipif has not disappeared.
- */
-
static void
ipif_assign_seqid(ipif_t *ipif)
{
@@ -12893,41 +11316,21 @@ ipif_clone(const ipif_t *sipif, ipif_t *dipif)
ASSERT(!(sipif->ipif_flags & (IPIF_UP|IPIF_DUPLICATE)));
ASSERT(!(dipif->ipif_flags & (IPIF_UP|IPIF_DUPLICATE)));
ASSERT(sipif->ipif_ire_type == dipif->ipif_ire_type);
- ASSERT(sipif->ipif_arp_del_mp == NULL);
- ASSERT(dipif->ipif_arp_del_mp == NULL);
- ASSERT(sipif->ipif_igmp_rpt == NULL);
- ASSERT(dipif->ipif_igmp_rpt == NULL);
- ASSERT(sipif->ipif_multicast_up == 0);
- ASSERT(dipif->ipif_multicast_up == 0);
- ASSERT(sipif->ipif_joined_allhosts == 0);
- ASSERT(dipif->ipif_joined_allhosts == 0);
-
- dipif->ipif_mtu = sipif->ipif_mtu;
+
dipif->ipif_flags = sipif->ipif_flags;
dipif->ipif_metric = sipif->ipif_metric;
dipif->ipif_zoneid = sipif->ipif_zoneid;
dipif->ipif_v6subnet = sipif->ipif_v6subnet;
dipif->ipif_v6lcl_addr = sipif->ipif_v6lcl_addr;
- dipif->ipif_v6src_addr = sipif->ipif_v6src_addr;
dipif->ipif_v6net_mask = sipif->ipif_v6net_mask;
dipif->ipif_v6brd_addr = sipif->ipif_v6brd_addr;
dipif->ipif_v6pp_dst_addr = sipif->ipif_v6pp_dst_addr;
/*
- * While dipif is down right now, it might've been up before. Since
- * it's changing identity, its packet counters need to be reset.
- */
- dipif->ipif_ib_pkt_count = 0;
- dipif->ipif_ob_pkt_count = 0;
- dipif->ipif_fo_pkt_count = 0;
-
- /*
* As per the comment atop the function, we assume that these sipif
* fields will be changed before sipif is unlocked.
*/
dipif->ipif_seqid = sipif->ipif_seqid;
- dipif->ipif_saved_ire_mp = sipif->ipif_saved_ire_mp;
- dipif->ipif_saved_ire_cnt = sipif->ipif_saved_ire_cnt;
dipif->ipif_state_flags = sipif->ipif_state_flags;
}
@@ -12951,13 +11354,6 @@ ipif_transfer(ipif_t *sipif, ipif_t *dipif, ipif_t *virgipif)
* Grab all of the locks that protect the ipif in a defined order.
*/
GRAB_ILL_LOCKS(sipif->ipif_ill, dipif->ipif_ill);
- if (sipif > dipif) {
- mutex_enter(&sipif->ipif_saved_ire_lock);
- mutex_enter(&dipif->ipif_saved_ire_lock);
- } else {
- mutex_enter(&dipif->ipif_saved_ire_lock);
- mutex_enter(&sipif->ipif_saved_ire_lock);
- }
ipif_clone(sipif, dipif);
if (virgipif != NULL) {
@@ -12965,8 +11361,6 @@ ipif_transfer(ipif_t *sipif, ipif_t *dipif, ipif_t *virgipif)
mi_free(virgipif);
}
- mutex_exit(&sipif->ipif_saved_ire_lock);
- mutex_exit(&dipif->ipif_saved_ire_lock);
RELEASE_ILL_LOCKS(sipif->ipif_ill, dipif->ipif_ill);
/*
@@ -13115,10 +11509,7 @@ ipif_allocate(ill_t *ill, int id, uint_t ire_type, boolean_t initialize,
*/
ipif->ipif_zoneid = ill->ill_zoneid;
- mutex_init(&ipif->ipif_saved_ire_lock, NULL, MUTEX_DEFAULT, NULL);
-
ipif->ipif_refcnt = 0;
- ipif->ipif_saved_ire_cnt = 0;
if (insert) {
if (ipif_insert(ipif, ire_type != IRE_LOOPBACK) != 0) {
@@ -13171,8 +11562,6 @@ ipif_allocate(ill_t *ill, int id, uint_t ire_type, boolean_t initialize,
IN6_IPADDR_TO_V4MAPPED(inaddr_any,
&ipif->ipif_v6lcl_addr);
IN6_IPADDR_TO_V4MAPPED(inaddr_any,
- &ipif->ipif_v6src_addr);
- IN6_IPADDR_TO_V4MAPPED(inaddr_any,
&ipif->ipif_v6subnet);
IN6_IPADDR_TO_V4MAPPED(inaddr_any,
&ipif->ipif_v6net_mask);
@@ -13189,8 +11578,6 @@ ipif_allocate(ill_t *ill, int id, uint_t ire_type, boolean_t initialize,
if (!initialize)
goto out;
- ipif->ipif_mtu = ill->ill_max_mtu;
-
/*
* NOTE: The IPMP meta-interface is special-cased because it starts
* with no underlying interfaces (and thus an unknown broadcast
@@ -13236,207 +11623,47 @@ out:
}
/*
- * If appropriate, send a message up to the resolver delete the entry
- * for the address of this interface which is going out of business.
- * (Always called as writer).
- *
- * NOTE : We need to check for NULL mps as some of the fields are
- * initialized only for some interface types. See ipif_resolver_up()
- * for details.
+ * Remove the neighbor cache entries associated with this logical
+ * interface.
*/
-void
-ipif_resolver_down(ipif_t *ipif)
+int
+ipif_arp_down(ipif_t *ipif)
{
- mblk_t *mp;
ill_t *ill = ipif->ipif_ill;
+ int err = 0;
- ip1dbg(("ipif_resolver_down(%s:%u)\n", ill->ill_name, ipif->ipif_id));
+ ip1dbg(("ipif_arp_down(%s:%u)\n", ill->ill_name, ipif->ipif_id));
ASSERT(IAM_WRITER_IPIF(ipif));
- if (ill->ill_isv6 && !(ill->ill_flags & ILLF_XRESOLV))
- return;
-
- /* Delete the mapping for the local address */
- mp = ipif->ipif_arp_del_mp;
- if (mp != NULL) {
- ip1dbg(("ipif_resolver_down: arp cmd %x for %s:%u\n",
- *(unsigned *)mp->b_rptr, ill->ill_name, ipif->ipif_id));
- putnext(ill->ill_rq, mp);
- ipif->ipif_arp_del_mp = NULL;
- }
-
- /*
- * Make IPMP aware of the deleted data address.
- */
- if (IS_IPMP(ill))
- ipmp_illgrp_del_ipif(ill->ill_grp, ipif);
+ DTRACE_PROBE3(ipif__downup, char *, "ipif_arp_down",
+ ill_t *, ill, ipif_t *, ipif);
+ ipif_nce_down(ipif);
/*
* If this is the last ipif that is going down and there are no
* duplicate addresses we may yet attempt to re-probe, then we need to
* clean up ARP completely.
*/
- if (ill->ill_ipif_up_count == 0 && ill->ill_ipif_dup_count == 0) {
+ if (ill->ill_ipif_up_count == 0 && ill->ill_ipif_dup_count == 0 &&
+ !ill->ill_logical_down && ill->ill_net_type == IRE_IF_RESOLVER) {
/*
* If this was the last ipif on an IPMP interface, purge any
- * IPMP ARP entries associated with it.
+ * static ARP entries associated with it.
*/
if (IS_IPMP(ill))
ipmp_illgrp_refresh_arpent(ill->ill_grp);
- /* Send up AR_INTERFACE_DOWN message */
- mp = ill->ill_arp_down_mp;
- if (mp != NULL) {
- ip1dbg(("ipif_resolver_down: arp cmd %x for %s:%u\n",
- *(unsigned *)mp->b_rptr, ill->ill_name,
- ipif->ipif_id));
- putnext(ill->ill_rq, mp);
- ill->ill_arp_down_mp = NULL;
- }
-
- /* Tell ARP to delete the multicast mappings */
- mp = ill->ill_arp_del_mapping_mp;
- if (mp != NULL) {
- ip1dbg(("ipif_resolver_down: arp cmd %x for %s:%u\n",
- *(unsigned *)mp->b_rptr, ill->ill_name,
- ipif->ipif_id));
- putnext(ill->ill_rq, mp);
- ill->ill_arp_del_mapping_mp = NULL;
- }
+ /* UNBIND, DETACH */
+ err = arp_ll_down(ill);
}
-}
-
-/*
- * Set up the multicast mappings for `ipif' in ARP. If `arp_add_mapping_mp'
- * is non-NULL, then upon success it will contain an mblk that can be passed
- * to ARP to create the mapping. Otherwise, if it's NULL, upon success ARP
- * will have already been notified to create the mapping. Returns zero on
- * success, -1 upon failure.
- */
-int
-ipif_arp_setup_multicast(ipif_t *ipif, mblk_t **arp_add_mapping_mp)
-{
- mblk_t *del_mp = NULL;
- mblk_t *add_mp = NULL;
- mblk_t *mp;
- ill_t *ill = ipif->ipif_ill;
- phyint_t *phyi = ill->ill_phyint;
- ipaddr_t addr, mask, extract_mask = 0;
- arma_t *arma;
- uint8_t *maddr, *bphys_addr;
- uint32_t hw_start;
- dl_unitdata_req_t *dlur;
-
- ASSERT(IAM_WRITER_IPIF(ipif));
- if (ipif->ipif_flags & IPIF_POINTOPOINT)
- return (0);
-
- /*
- * IPMP meta-interfaces don't have any inherent multicast mappings,
- * and instead use the ones on the underlying interfaces.
- */
- if (IS_IPMP(ill))
- return (0);
-
- /*
- * Delete the existing mapping from ARP. Normally, ipif_down() ->
- * ipif_resolver_down() will send this up to ARP, but it may be that
- * we are enabling PHYI_MULTI_BCAST via ip_rput_dlpi_writer().
- */
- mp = ill->ill_arp_del_mapping_mp;
- if (mp != NULL) {
- ip1dbg(("ipif_arp_setup_multicast: arp cmd %x for %s:%u\n",
- *(unsigned *)mp->b_rptr, ill->ill_name, ipif->ipif_id));
- putnext(ill->ill_rq, mp);
- ill->ill_arp_del_mapping_mp = NULL;
- }
-
- if (arp_add_mapping_mp != NULL)
- *arp_add_mapping_mp = NULL;
-
- /*
- * Check that the address is not to long for the constant
- * length reserved in the template arma_t.
- */
- if (ill->ill_phys_addr_length > IP_MAX_HW_LEN)
- return (-1);
-
- /* Add mapping mblk */
- addr = (ipaddr_t)htonl(INADDR_UNSPEC_GROUP);
- mask = (ipaddr_t)htonl(IN_CLASSD_NET);
- add_mp = ill_arp_alloc(ill, (uchar_t *)&ip_arma_multi_template,
- (caddr_t)&addr);
- if (add_mp == NULL)
- return (-1);
- arma = (arma_t *)add_mp->b_rptr;
- maddr = (uint8_t *)arma + arma->arma_hw_addr_offset;
- bcopy(&mask, (char *)arma + arma->arma_proto_mask_offset, IP_ADDR_LEN);
- arma->arma_hw_addr_length = ill->ill_phys_addr_length;
- /*
- * Determine the broadcast address.
- */
- dlur = (dl_unitdata_req_t *)ill->ill_bcast_mp->b_rptr;
- if (ill->ill_sap_length < 0)
- bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset;
- else
- bphys_addr = (uchar_t *)dlur +
- dlur->dl_dest_addr_offset + ill->ill_sap_length;
- /*
- * Check PHYI_MULTI_BCAST and length of physical
- * address to determine if we use the mapping or the
- * broadcast address.
- */
- if (!(phyi->phyint_flags & PHYI_MULTI_BCAST))
- if (!MEDIA_V4MINFO(ill->ill_media, ill->ill_phys_addr_length,
- bphys_addr, maddr, &hw_start, &extract_mask))
- phyi->phyint_flags |= PHYI_MULTI_BCAST;
-
- if ((phyi->phyint_flags & PHYI_MULTI_BCAST) ||
- (ill->ill_flags & ILLF_MULTICAST)) {
- /* Make sure this will not match the "exact" entry. */
- addr = (ipaddr_t)htonl(INADDR_ALLHOSTS_GROUP);
- del_mp = ill_arp_alloc(ill, (uchar_t *)&ip_ared_template,
- (caddr_t)&addr);
- if (del_mp == NULL) {
- freemsg(add_mp);
- return (-1);
- }
- bcopy(&extract_mask, (char *)arma +
- arma->arma_proto_extract_mask_offset, IP_ADDR_LEN);
- if (phyi->phyint_flags & PHYI_MULTI_BCAST) {
- /* Use link-layer broadcast address for MULTI_BCAST */
- bcopy(bphys_addr, maddr, ill->ill_phys_addr_length);
- ip2dbg(("ipif_arp_setup_multicast: adding"
- " MULTI_BCAST ARP setup for %s\n", ill->ill_name));
- } else {
- arma->arma_hw_mapping_start = hw_start;
- ip2dbg(("ipif_arp_setup_multicast: adding multicast"
- " ARP setup for %s\n", ill->ill_name));
- }
- } else {
- freemsg(add_mp);
- ASSERT(del_mp == NULL);
- /* It is neither MULTICAST nor MULTI_BCAST */
- return (0);
- }
- ASSERT(add_mp != NULL && del_mp != NULL);
- ASSERT(ill->ill_arp_del_mapping_mp == NULL);
- ill->ill_arp_del_mapping_mp = del_mp;
- if (arp_add_mapping_mp != NULL) {
- /* The caller just wants the mblks allocated */
- *arp_add_mapping_mp = add_mp;
- } else {
- /* The caller wants us to send it to arp */
- putnext(ill->ill_rq, add_mp);
- }
- return (0);
+ return (err);
}
/*
* Get the resolver set up for a new IP address. (Always called as writer.)
- * Called both for IPv4 and IPv6 interfaces, though it only sets up the
- * resolver for v6 if it's an ILLF_XRESOLV interface. Honors ILLF_NOARP.
+ * Called both for IPv4 and IPv6 interfaces, though it only does some
+ * basic DAD related initialization for IPv6. Honors ILLF_NOARP.
*
* The enumerated value res_act tunes the behavior:
* * Res_act_initial: set up all the resolver structures for a new
@@ -13451,17 +11678,9 @@ ipif_arp_setup_multicast(ipif_t *ipif, mblk_t **arp_add_mapping_mp)
int
ipif_resolver_up(ipif_t *ipif, enum ip_resolver_action res_act)
{
- mblk_t *arp_up_mp = NULL;
- mblk_t *arp_down_mp = NULL;
- mblk_t *arp_add_mp = NULL;
- mblk_t *arp_del_mp = NULL;
- mblk_t *arp_add_mapping_mp = NULL;
- mblk_t *arp_del_mapping_mp = NULL;
- ill_t *ill = ipif->ipif_ill;
- int err = ENOMEM;
- boolean_t added_ipif = B_FALSE;
- boolean_t publish;
- boolean_t was_dup;
+ ill_t *ill = ipif->ipif_ill;
+ int err;
+ boolean_t was_dup;
ip1dbg(("ipif_resolver_up(%s:%u) flags 0x%x\n",
ill->ill_name, ipif->ipif_id, (uint_t)ipif->ipif_flags));
@@ -13490,231 +11709,55 @@ ipif_resolver_up(ipif_t *ipif, enum ip_resolver_action res_act)
return (0);
}
/* NDP will set the ipif_addr_ready flag when it's ready */
- if (ill->ill_isv6 && !(ill->ill_flags & ILLF_XRESOLV))
+ if (ill->ill_isv6)
return (0);
- if (ill->ill_isv6) {
- /*
- * External resolver for IPv6
- */
- ASSERT(res_act == Res_act_initial);
- publish = !IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr);
- } else {
- /*
- * IPv4 arp case. If the ARP stream has already started
- * closing, fail this request for ARP bringup. Else
- * record the fact that an ARP bringup is pending.
- */
- mutex_enter(&ill->ill_lock);
- if (ill->ill_arp_closing) {
- mutex_exit(&ill->ill_lock);
- err = EINVAL;
- goto failed;
- } else {
- if (ill->ill_ipif_up_count == 0 &&
- ill->ill_ipif_dup_count == 0 && !was_dup)
- ill->ill_arp_bringup_pending = 1;
- mutex_exit(&ill->ill_lock);
- }
- publish = (ipif->ipif_lcl_addr != INADDR_ANY);
- }
-
- if (IS_IPMP(ill) && publish) {
- /*
- * If we're here via ipif_up(), then the ipif won't be bound
- * yet -- add it to the group, which will bind it if possible.
- * (We would add it in ipif_up(), but deleting on failure
- * there is gruesome.) If we're here via ipmp_ill_bind_ipif(),
- * then the ipif has already been added to the group and we
- * just need to use the binding.
- */
- if (ipmp_ipif_bound_ill(ipif) == NULL) {
- if (ipmp_illgrp_add_ipif(ill->ill_grp, ipif) == NULL) {
- /*
- * We couldn't bind the ipif to an ill yet,
- * so we have nothing to publish.
- */
- publish = B_FALSE;
- }
- added_ipif = B_TRUE;
- }
- }
-
- /*
- * Add an entry for the local address in ARP only if it
- * is not UNNUMBERED and it is suitable for publishing.
- */
- if (!(ipif->ipif_flags & IPIF_UNNUMBERED) && publish) {
- if (res_act == Res_act_defend) {
- arp_add_mp = ipif_area_alloc(ipif, ACE_F_DEFEND);
- if (arp_add_mp == NULL)
- goto failed;
- /*
- * If we're just defending our address now, then
- * there's no need to set up ARP multicast mappings.
- * The publish command is enough.
- */
- goto done;
- }
-
- /*
- * Allocate an ARP add message and an ARP delete message (the
- * latter is saved for use when the address goes down).
- */
- if ((arp_add_mp = ipif_area_alloc(ipif, 0)) == NULL)
- goto failed;
-
- if ((arp_del_mp = ipif_ared_alloc(ipif)) == NULL)
- goto failed;
-
- if (res_act != Res_act_initial)
- goto arp_setup_multicast;
- } else {
- if (res_act != Res_act_initial)
- goto done;
- }
- /*
- * Need to bring up ARP or setup multicast mapping only
- * when the first interface is coming UP.
- */
- if (ill->ill_ipif_up_count + ill->ill_ipif_dup_count > 0 || was_dup)
- goto done;
-
- /*
- * Allocate an ARP down message (to be saved) and an ARP up message.
- */
- arp_down_mp = ill_arp_alloc(ill, (uchar_t *)&ip_ard_template, 0);
- if (arp_down_mp == NULL)
- goto failed;
-
- arp_up_mp = ill_arp_alloc(ill, (uchar_t *)&ip_aru_template, 0);
- if (arp_up_mp == NULL)
- goto failed;
-
- if (ipif->ipif_flags & IPIF_POINTOPOINT)
- goto done;
-
-arp_setup_multicast:
- /*
- * Setup the multicast mappings. This function initializes
- * ill_arp_del_mapping_mp also. This does not need to be done for
- * IPv6, or for the IPMP interface (since it has no link-layer).
- */
- if (!ill->ill_isv6 && !IS_IPMP(ill)) {
- err = ipif_arp_setup_multicast(ipif, &arp_add_mapping_mp);
- if (err != 0)
- goto failed;
- ASSERT(ill->ill_arp_del_mapping_mp != NULL);
- ASSERT(arp_add_mapping_mp != NULL);
- }
-done:
- if (arp_up_mp != NULL) {
- ip1dbg(("ipif_resolver_up: ARP_UP for %s:%u\n",
- ill->ill_name, ipif->ipif_id));
- putnext(ill->ill_rq, arp_up_mp);
- arp_up_mp = NULL;
- }
- if (arp_add_mp != NULL) {
- ip1dbg(("ipif_resolver_up: ARP_ADD for %s:%u\n",
- ill->ill_name, ipif->ipif_id));
- /*
- * If it's an extended ARP implementation, then we'll wait to
- * hear that DAD has finished before using the interface.
- */
- if (!ill->ill_arp_extend)
- ipif->ipif_addr_ready = 1;
- putnext(ill->ill_rq, arp_add_mp);
- arp_add_mp = NULL;
- } else {
- ipif->ipif_addr_ready = 1;
- }
- if (arp_add_mapping_mp != NULL) {
- ip1dbg(("ipif_resolver_up: MAPPING_ADD for %s:%u\n",
- ill->ill_name, ipif->ipif_id));
- putnext(ill->ill_rq, arp_add_mapping_mp);
- arp_add_mapping_mp = NULL;
- }
-
- if (res_act == Res_act_initial) {
- if (ill->ill_flags & ILLF_NOARP)
- err = ill_arp_off(ill);
- else
- err = ill_arp_on(ill);
- if (err != 0) {
- ip0dbg(("ipif_resolver_up: arp_on/off failed %d\n",
- err));
- goto failed;
- }
- }
-
- if (arp_del_mp != NULL) {
- ASSERT(ipif->ipif_arp_del_mp == NULL);
- ipif->ipif_arp_del_mp = arp_del_mp;
- }
- if (arp_down_mp != NULL) {
- ASSERT(ill->ill_arp_down_mp == NULL);
- ill->ill_arp_down_mp = arp_down_mp;
- }
- if (arp_del_mapping_mp != NULL) {
- ASSERT(ill->ill_arp_del_mapping_mp == NULL);
- ill->ill_arp_del_mapping_mp = arp_del_mapping_mp;
- }
-
- return ((ill->ill_ipif_up_count != 0 || was_dup ||
- ill->ill_ipif_dup_count != 0) ? 0 : EINPROGRESS);
-failed:
- ip1dbg(("ipif_resolver_up: FAILED\n"));
- if (added_ipif)
- ipmp_illgrp_del_ipif(ill->ill_grp, ipif);
- freemsg(arp_add_mp);
- freemsg(arp_del_mp);
- freemsg(arp_add_mapping_mp);
- freemsg(arp_up_mp);
- freemsg(arp_down_mp);
- ill->ill_arp_bringup_pending = 0;
+ err = ipif_arp_up(ipif, res_act, was_dup);
return (err);
}
/*
- * This routine restarts IPv4 duplicate address detection (DAD) when a link has
- * just gone back up.
+ * This routine restarts IPv4/IPv6 duplicate address detection (DAD)
+ * when a link has just gone back up.
*/
static void
-ipif_arp_start_dad(ipif_t *ipif)
+ipif_nce_start_dad(ipif_t *ipif)
{
+ ncec_t *ncec;
ill_t *ill = ipif->ipif_ill;
- mblk_t *arp_add_mp;
+ boolean_t isv6 = ill->ill_isv6;
- /* ACE_F_UNVERIFIED restarts DAD */
- if (ill->ill_net_type != IRE_IF_RESOLVER || ill->ill_arp_closing ||
- (ipif->ipif_flags & IPIF_UNNUMBERED) ||
- ipif->ipif_lcl_addr == INADDR_ANY ||
- (arp_add_mp = ipif_area_alloc(ipif, ACE_F_UNVERIFIED)) == NULL) {
- /*
- * If we can't contact ARP for some reason, that's not really a
- * problem. Just send out the routing socket notification that
- * DAD completion would have done, and continue.
- */
- ipif_mask_reply(ipif);
- ipif_up_notify(ipif);
- ipif->ipif_addr_ready = 1;
- return;
- }
+ if (isv6) {
+ ncec = ncec_lookup_illgrp_v6(ipif->ipif_ill,
+ &ipif->ipif_v6lcl_addr);
+ } else {
+ ipaddr_t v4addr;
- putnext(ill->ill_rq, arp_add_mp);
-}
+ if (ill->ill_net_type != IRE_IF_RESOLVER ||
+ (ipif->ipif_flags & IPIF_UNNUMBERED) ||
+ ipif->ipif_lcl_addr == INADDR_ANY) {
+ /*
+ * If we can't contact ARP for some reason,
+ * that's not really a problem. Just send
+ * out the routing socket notification that
+ * DAD completion would have done, and continue.
+ */
+ ipif_mask_reply(ipif);
+ ipif_up_notify(ipif);
+ ipif->ipif_addr_ready = 1;
+ return;
+ }
-static void
-ipif_ndp_start_dad(ipif_t *ipif)
-{
- nce_t *nce;
+ IN6_V4MAPPED_TO_IPADDR(&ipif->ipif_v6lcl_addr, v4addr);
+ ncec = ncec_lookup_illgrp_v4(ipif->ipif_ill, &v4addr);
+ }
- nce = ndp_lookup_v6(ipif->ipif_ill, B_TRUE, &ipif->ipif_v6lcl_addr,
- B_FALSE);
- if (nce == NULL)
+ if (ncec == NULL) {
+ ip1dbg(("couldn't find ncec for ipif %p leaving !ready\n",
+ (void *)ipif));
return;
-
- if (!ndp_restart_dad(nce)) {
+ }
+ if (!nce_restart_dad(ncec)) {
/*
* If we can't restart DAD for some reason, that's not really a
* problem. Just send out the routing socket notification that
@@ -13723,7 +11766,7 @@ ipif_ndp_start_dad(ipif_t *ipif)
ipif_up_notify(ipif);
ipif->ipif_addr_ready = 1;
}
- NCE_REFRELE(nce);
+ ncec_refrele(ncec);
}
/*
@@ -13749,30 +11792,21 @@ ill_restart_dad(ill_t *ill, boolean_t went_up)
* If layer two doesn't support duplicate address detection, then just
* send the routing socket message now and be done with it.
*/
- if ((ill->ill_isv6 && (ill->ill_flags & ILLF_XRESOLV)) ||
- (!ill->ill_isv6 && !ill->ill_arp_extend)) {
+ if (!ill->ill_isv6 && arp_no_defense) {
ip_rts_ifmsg(ill->ill_ipif, RTSQ_DEFAULT);
return;
}
for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
if (went_up) {
+
if (ipif->ipif_flags & IPIF_UP) {
- if (ill->ill_isv6)
- ipif_ndp_start_dad(ipif);
- else
- ipif_arp_start_dad(ipif);
- } else if (ill->ill_isv6 &&
- (ipif->ipif_flags & IPIF_DUPLICATE)) {
+ ipif_nce_start_dad(ipif);
+ } else if (ipif->ipif_flags & IPIF_DUPLICATE) {
/*
- * For IPv4, the ARP module itself will
- * automatically start the DAD process when it
- * sees DL_NOTE_LINK_UP. We respond to the
- * AR_CN_READY at the completion of that task.
- * For IPv6, we must kick off the bring-up
- * process now.
+ * kick off the bring-up process now.
*/
- ndp_do_recovery(ipif);
+ ipif_do_recovery(ipif);
} else {
/*
* Unfortunately, the first ipif is "special"
@@ -13822,7 +11856,7 @@ ipsq_delete(ipsq_t *ipsq)
static int
ill_up_ipifs_on_ill(ill_t *ill, queue_t *q, mblk_t *mp)
{
- int err;
+ int err = 0;
ipif_t *ipif;
if (ill == NULL)
@@ -13841,9 +11875,6 @@ ill_up_ipifs_on_ill(ill_t *ill, queue_t *q, mblk_t *mp)
}
}
}
- mutex_enter(&ill->ill_lock);
- ill->ill_state_flags &= ~ILL_CHANGING;
- mutex_exit(&ill->ill_lock);
ill->ill_up_ipifs = B_FALSE;
return (0);
}
@@ -13859,6 +11890,15 @@ ill_up_ipifs(ill_t *ill, queue_t *q, mblk_t *mp)
ASSERT(IAM_WRITER_ILL(ill));
+ if (ill->ill_replumbing) {
+ ill->ill_replumbing = 0;
+ /*
+ * Send down REPLUMB_DONE notification followed by the
+ * BIND_REQ on the arp stream.
+ */
+ if (!ill->ill_isv6)
+ arp_send_replumb_conf(ill);
+ }
err = ill_up_ipifs_on_ill(ill->ill_phyint->phyint_illv4, q, mp);
if (err != 0)
return (err);
@@ -13887,16 +11927,10 @@ ill_down_ipifs(ill_t *ill, boolean_t logical)
if (ipif->ipif_flags & IPIF_UP)
ipif->ipif_was_up = B_TRUE;
- /*
- * Need to re-create net/subnet bcast ires if
- * they are dependent on ipif.
- */
- if (!ipif->ipif_isv6)
- ipif_check_bcast_ires(ipif);
if (logical) {
(void) ipif_logical_down(ipif, NULL, NULL);
ipif_non_duplicate(ipif);
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
} else {
(void) ipif_down(ipif, NULL, NULL);
}
@@ -13904,29 +11938,18 @@ ill_down_ipifs(ill_t *ill, boolean_t logical)
}
/*
- * Redo source address selection. This is called when a
- * non-NOLOCAL/DEPRECATED/ANYCAST ipif comes up.
+ * Redo source address selection. This makes IXAF_VERIFY_SOURCE take
+ * a look again at valid source addresses.
+ * This should be called each time after the set of source addresses has been
+ * changed.
*/
void
-ill_update_source_selection(ill_t *ill)
+ip_update_source_selection(ip_stack_t *ipst)
{
- ipif_t *ipif;
-
- ASSERT(IAM_WRITER_ILL(ill));
-
- /*
- * Underlying interfaces are only used for test traffic and thus
- * should always send with their (deprecated) source addresses.
- */
- if (IS_UNDER_IPMP(ill))
- return;
-
- for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
- if (ill->ill_isv6)
- ipif_recreate_interface_routes_v6(NULL, ipif);
- else
- ipif_recreate_interface_routes(NULL, ipif);
- }
+ /* We skip past SRC_GENERATION_VERIFY */
+ if (atomic_add_32_nv(&ipst->ips_src_generation, 1) ==
+ SRC_GENERATION_VERIFY)
+ atomic_add_32(&ipst->ips_src_generation, 1);
}
/*
@@ -14154,6 +12177,8 @@ ip_sioctl_groupinfo(ipif_t *dummy_ipif, sin_t *sin, queue_t *q, mblk_t *mp,
static void
ill_dl_down(ill_t *ill)
{
+ DTRACE_PROBE2(ill__downup, char *, "ill_dl_down", ill_t *, ill);
+
/*
* The ill is down; unbind but stay attached since we're still
* associated with a PPA. If we have negotiated DLPI capabilites
@@ -14167,6 +12192,13 @@ ill_dl_down(ill_t *ill)
ip1dbg(("ill_dl_down(%s)\n", ill->ill_name));
+ if (!ill->ill_replumbing) {
+ /* Free all ilms for this ill */
+ update_conn_ill(ill, ill->ill_ipst);
+ } else {
+ ill_leave_multicast(ill);
+ }
+
ill->ill_unbind_mp = NULL;
if (mp != NULL) {
ip1dbg(("ill_dl_down: %s (%u) for %s\n",
@@ -14191,23 +12223,13 @@ ill_dl_down(ill_t *ill)
ill_capability_reset(ill, B_FALSE);
ill_dlpi_send(ill, mp);
}
-
- /*
- * Toss all of our multicast memberships. We could keep them, but
- * then we'd have to do bookkeeping of any joins and leaves performed
- * by the application while the the interface is down (we can't just
- * issue them because arp cannot currently process AR_ENTRY_SQUERY's
- * on a downed interface).
- */
- ill_leave_multicast(ill);
-
mutex_enter(&ill->ill_lock);
ill->ill_dl_up = 0;
ill_nic_event_dispatch(ill, 0, NE_DOWN, NULL, 0);
mutex_exit(&ill->ill_lock);
}
-static void
+void
ill_dlpi_dispatch(ill_t *ill, mblk_t *mp)
{
union DL_primitives *dlp;
@@ -14249,6 +12271,8 @@ ill_dlpi_dispatch(ill_t *ill, mblk_t *mp)
}
mutex_exit(&ill->ill_lock);
+ DTRACE_PROBE3(ill__dlpi, char *, "ill_dlpi_dispatch",
+ char *, dl_primstr(prim), ill_t *, ill);
putnext(ill->ill_wq, mp);
/*
@@ -14301,8 +12325,9 @@ ill_dlpi_send(ill_t *ill, mblk_t *mp)
while (*mpp != NULL)
mpp = &((*mpp)->b_next);
- ip1dbg(("ill_dlpi_send: deferring request for %s\n",
- ill->ill_name));
+ ip1dbg(("ill_dlpi_send: deferring request for %s "
+ "while %s pending\n", ill->ill_name,
+ dl_primstr(ill->ill_dlpi_pending)));
*mpp = mp;
mutex_exit(&ill->ill_lock);
@@ -14437,51 +12462,237 @@ ill_dlpi_done(ill_t *ill, t_uscalar_t prim)
ill_dlpi_dispatch(ill, mp);
}
+/*
+ * Queue a (multicast) DLPI control message to be sent to the driver by
+ * later calling ill_dlpi_send_queued.
+ * We queue them while holding a lock (ill_mcast_lock) to ensure that they
+ * are sent in order i.e., prevent a DL_DISABMULTI_REQ and DL_ENABMULTI_REQ
+ * for the same group to race.
+ * We send DLPI control messages in order using ill_lock.
+ * For IPMP we should be called on the cast_ill.
+ */
void
-conn_delete_ire(conn_t *connp, caddr_t arg)
+ill_dlpi_queue(ill_t *ill, mblk_t *mp)
{
- ipif_t *ipif = (ipif_t *)arg;
- ire_t *ire;
+ mblk_t **mpp;
- /*
- * Look at the cached ires on conns which has pointers to ipifs.
- * We just call ire_refrele which clears up the reference
- * to ire. Called when a conn closes. Also called from ipif_free
- * to cleanup indirect references to the stale ipif via the cached ire.
- */
- mutex_enter(&connp->conn_lock);
- ire = connp->conn_ire_cache;
- if (ire != NULL && (ipif == NULL || ire->ire_ipif == ipif)) {
- connp->conn_ire_cache = NULL;
- mutex_exit(&connp->conn_lock);
- IRE_REFRELE_NOTR(ire);
- return;
+ ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO);
+
+ mutex_enter(&ill->ill_lock);
+ /* Must queue message. Tail insertion */
+ mpp = &ill->ill_dlpi_deferred;
+ while (*mpp != NULL)
+ mpp = &((*mpp)->b_next);
+
+ *mpp = mp;
+ mutex_exit(&ill->ill_lock);
+}
+
+/*
+ * Send the messages that were queued. Make sure there is only
+ * one outstanding message. ip_rput_dlpi_writer calls ill_dlpi_done()
+ * when an ACK or a NAK is received to process the next queued message.
+ * For IPMP we are called on the upper ill, but when send what is queued
+ * on the cast_ill.
+ */
+void
+ill_dlpi_send_queued(ill_t *ill)
+{
+ mblk_t *mp;
+ union DL_primitives *dlp;
+ t_uscalar_t prim;
+ ill_t *release_ill = NULL;
+
+ if (IS_IPMP(ill)) {
+ /* On the upper IPMP ill. */
+ release_ill = ipmp_illgrp_hold_cast_ill(ill->ill_grp);
+ if (release_ill == NULL) {
+ /* Avoid ever sending anything down to the ipmpstub */
+ return;
+ }
+ ill = release_ill;
}
- mutex_exit(&connp->conn_lock);
+ mutex_enter(&ill->ill_lock);
+ while ((mp = ill->ill_dlpi_deferred) != NULL) {
+ if (ill->ill_dlpi_pending != DL_PRIM_INVAL) {
+ /* Can't send. Somebody else will send it */
+ mutex_exit(&ill->ill_lock);
+ goto done;
+ }
+ ill->ill_dlpi_deferred = mp->b_next;
+ mp->b_next = NULL;
+ if (!ill->ill_dl_up) {
+ /*
+ * Nobody there. All multicast addresses will be
+ * re-joined when we get the DL_BIND_ACK bringing the
+ * interface up.
+ */
+ freemsg(mp);
+ continue;
+ }
+ dlp = (union DL_primitives *)mp->b_rptr;
+ prim = dlp->dl_primitive;
+
+ if (!(ill->ill_state_flags & ILL_CONDEMNED) ||
+ (prim == DL_UNBIND_REQ)) {
+ ill->ill_dlpi_pending = prim;
+ }
+ mutex_exit(&ill->ill_lock);
+ DTRACE_PROBE3(ill__dlpi, char *, "ill_dlpi_send_queued",
+ char *, dl_primstr(prim), ill_t *, ill);
+ putnext(ill->ill_wq, mp);
+ mutex_enter(&ill->ill_lock);
+ }
+ mutex_exit(&ill->ill_lock);
+done:
+ if (release_ill != NULL)
+ ill_refrele(release_ill);
}
/*
- * Some operations (e.g., ipif_down()) conditionally delete a number
- * of IREs. Those IREs may have been previously cached in the conn structure.
- * This ipcl_walk() walker function releases all references to such IREs based
- * on the condemned flag.
+ * Queue an IP (IGMP/MLD) message to be sent by IP from
+ * ill_mcast_send_queued
+ * We queue them while holding a lock (ill_mcast_lock) to ensure that they
+ * are sent in order i.e., prevent a IGMP leave and IGMP join for the same
+ * group to race.
+ * We send them in order using ill_lock.
+ * For IPMP we are called on the upper ill, but we queue on the cast_ill.
*/
-/* ARGSUSED */
void
-conn_cleanup_stale_ire(conn_t *connp, caddr_t arg)
+ill_mcast_queue(ill_t *ill, mblk_t *mp)
{
- ire_t *ire;
+ mblk_t **mpp;
+ ill_t *release_ill = NULL;
- mutex_enter(&connp->conn_lock);
- ire = connp->conn_ire_cache;
- if (ire != NULL && (ire->ire_marks & IRE_MARK_CONDEMNED)) {
- connp->conn_ire_cache = NULL;
- mutex_exit(&connp->conn_lock);
- IRE_REFRELE_NOTR(ire);
- return;
+ ASSERT(RW_LOCK_HELD(&ill->ill_mcast_lock));
+
+ if (IS_IPMP(ill)) {
+ /* On the upper IPMP ill. */
+ release_ill = ipmp_illgrp_hold_cast_ill(ill->ill_grp);
+ if (release_ill == NULL) {
+ /* Discard instead of queuing for the ipmp interface */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - no cast_ill",
+ mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ill = release_ill;
}
- mutex_exit(&connp->conn_lock);
+
+ mutex_enter(&ill->ill_lock);
+ /* Must queue message. Tail insertion */
+ mpp = &ill->ill_mcast_deferred;
+ while (*mpp != NULL)
+ mpp = &((*mpp)->b_next);
+
+ *mpp = mp;
+ mutex_exit(&ill->ill_lock);
+ if (release_ill != NULL)
+ ill_refrele(release_ill);
+}
+
+/*
+ * Send the IP packets that were queued by ill_mcast_queue.
+ * These are IGMP/MLD packets.
+ *
+ * For IPMP we are called on the upper ill, but when send what is queued
+ * on the cast_ill.
+ *
+ * Request loopback of the report if we are acting as a multicast
+ * router, so that the process-level routing demon can hear it.
+ * This will run multiple times for the same group if there are members
+ * on the same group for multiple ipif's on the same ill. The
+ * igmp_input/mld_input code will suppress this due to the loopback thus we
+ * always loopback membership report.
+ *
+ * We also need to make sure that this does not get load balanced
+ * by IPMP. We do this by passing an ill to ip_output_simple.
+ */
+void
+ill_mcast_send_queued(ill_t *ill)
+{
+ mblk_t *mp;
+ ip_xmit_attr_t ixas;
+ ill_t *release_ill = NULL;
+
+ if (IS_IPMP(ill)) {
+ /* On the upper IPMP ill. */
+ release_ill = ipmp_illgrp_hold_cast_ill(ill->ill_grp);
+ if (release_ill == NULL) {
+ /*
+ * We should have no messages on the ipmp interface
+ * but no point in trying to send them.
+ */
+ return;
+ }
+ ill = release_ill;
+ }
+ bzero(&ixas, sizeof (ixas));
+ ixas.ixa_zoneid = ALL_ZONES;
+ ixas.ixa_cred = kcred;
+ ixas.ixa_cpid = NOPID;
+ ixas.ixa_tsl = NULL;
+ /*
+ * Here we set ixa_ifindex. If IPMP it will be the lower ill which
+ * makes ip_select_route pick the IRE_MULTICAST for the cast_ill.
+ * That is necessary to handle IGMP/MLD snooping switches.
+ */
+ ixas.ixa_ifindex = ill->ill_phyint->phyint_ifindex;
+ ixas.ixa_ipst = ill->ill_ipst;
+
+ mutex_enter(&ill->ill_lock);
+ while ((mp = ill->ill_mcast_deferred) != NULL) {
+ ill->ill_mcast_deferred = mp->b_next;
+ mp->b_next = NULL;
+ if (!ill->ill_dl_up) {
+ /*
+ * Nobody there. Just drop the ip packets.
+ * IGMP/MLD will resend later, if this is a replumb.
+ */
+ freemsg(mp);
+ continue;
+ }
+ mutex_enter(&ill->ill_phyint->phyint_lock);
+ if (IS_UNDER_IPMP(ill) && !ipmp_ill_is_active(ill)) {
+ /*
+ * When the ill is getting deactivated, we only want to
+ * send the DLPI messages, so drop IGMP/MLD packets.
+ * DLPI messages are handled by ill_dlpi_send_queued()
+ */
+ mutex_exit(&ill->ill_phyint->phyint_lock);
+ freemsg(mp);
+ continue;
+ }
+ mutex_exit(&ill->ill_phyint->phyint_lock);
+ mutex_exit(&ill->ill_lock);
+
+ /* Check whether we are sending IPv4 or IPv6. */
+ if (ill->ill_isv6) {
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+
+ ixas.ixa_multicast_ttl = ip6h->ip6_hops;
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V6;
+ } else {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ ixas.ixa_multicast_ttl = ipha->ipha_ttl;
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
+ ixas.ixa_flags &= ~IXAF_SET_ULP_CKSUM;
+ }
+
+ ixas.ixa_flags |= IXAF_MULTICAST_LOOP | IXAF_SET_SOURCE;
+ (void) ip_output_simple(mp, &ixas);
+ ixa_cleanup(&ixas);
+
+ mutex_enter(&ill->ill_lock);
+ }
+ mutex_exit(&ill->ill_lock);
+
+done:
+ if (release_ill != NULL)
+ ill_refrele(release_ill);
}
/*
@@ -14494,7 +12705,7 @@ conn_cleanup_stale_ire(conn_t *connp, caddr_t arg)
* that both Solaris and 4.3 BSD have exhibited this behaviour for a long
* time. We go thru the cleanup in order to remove these routes.
* b. The bringup of the interface could fail in ill_dl_up i.e. we get
- * DL_ERROR_ACK in response to the the DL_BIND request. The interface is
+ * DL_ERROR_ACK in response to the DL_BIND request. The interface is
* down, but we need to cleanup i.e. do ill_dl_down and
* ip_rput_dlpi_writer (DL_ERROR_ACK) -> ipif_down.
*
@@ -14504,12 +12715,11 @@ conn_cleanup_stale_ire(conn_t *connp, caddr_t arg)
*
* The following members in ipif_t track references to the ipif.
* int ipif_refcnt; Active reference count
- * uint_t ipif_ire_cnt; Number of ire's referencing this ipif
- * uint_t ipif_ilm_cnt; Number of ilms's references this ipif.
*
* The following members in ill_t track references to the ill.
* int ill_refcnt; active refcnt
* uint_t ill_ire_cnt; Number of ires referencing ill
+ * uint_t ill_ncec_cnt; Number of ncecs referencing ill
* uint_t ill_nce_cnt; Number of nces referencing ill
* uint_t ill_ilm_cnt; Number of ilms referencing ill
*
@@ -14525,21 +12735,25 @@ conn_cleanup_stale_ire(conn_t *connp, caddr_t arg)
* references to the ipif / ill. Pointers from other structures do not
* count towards this reference count.
*
- * ipif_ire_cnt/ill_ire_cnt is the number of ire's
- * associated with the ipif/ill. This is incremented whenever a new
- * ire is created referencing the ipif/ill. This is done atomically inside
- * ire_add_v[46] where the ire is actually added to the ire hash table.
- * The count is decremented in ire_inactive where the ire is destroyed.
+ * ill_ire_cnt is the number of ire's associated with the
+ * ill. This is incremented whenever a new ire is created referencing the
+ * ill. This is done atomically inside ire_add_v[46] where the ire is
+ * actually added to the ire hash table. The count is decremented in
+ * ire_inactive where the ire is destroyed.
*
- * nce's reference ill's thru nce_ill and the count of nce's associated with
- * an ill is recorded in ill_nce_cnt. This is incremented atomically in
+ * ill_ncec_cnt is the number of ncec's referencing the ill thru ncec_ill.
+ * This is incremented atomically in
* ndp_add_v4()/ndp_add_v6() where the nce is actually added to the
- * table. Similarly it is decremented in ndp_inactive() where the nce
+ * table. Similarly it is decremented in ncec_inactive() where the ncec
+ * is destroyed.
+ *
+ * ill_nce_cnt is the number of nce's referencing the ill thru nce_ill. This is
+ * incremented atomically in nce_add() where the nce is actually added to the
+ * ill_nce. Similarly it is decremented in nce_inactive() where the nce
* is destroyed.
*
- * ilm's reference to the ipif (for IPv4 ilm's) or the ill (for IPv6 ilm's)
- * is incremented in ilm_add_v6() and decremented before the ilm is freed
- * in ilm_walker_cleanup() or ilm_delete().
+ * ill_ilm_cnt is the ilm's reference to the ill. It is incremented in
+ * ilm_add() and decremented before the ilm is freed in ilm_delete().
*
* Flow of ioctls involving interface down/up
*
@@ -14555,50 +12769,22 @@ conn_cleanup_stale_ire(conn_t *connp, caddr_t arg)
* to the above. All the *tail functions are called after the refcounts have
* dropped to the appropriate values.
*
- * The mechanism to quiesce an ipif is as follows.
- *
- * Mark the ipif as IPIF_CHANGING. No more lookups will be allowed
- * on the ipif. Callers either pass a flag requesting wait or the lookup
- * functions will return NULL.
- *
- * Delete all ires referencing this ipif
+ * SIOC ioctls during the IPIF_CHANGING interval.
*
- * Any thread attempting to do an ipif_refhold on an ipif that has been
- * obtained thru a cached pointer will first make sure that
- * the ipif can be refheld using the macro IPIF_CAN_LOOKUP and only then
- * increment the refcount.
- *
- * The above guarantees that the ipif refcount will eventually come down to
- * zero and the ipif will quiesce, once all threads that currently hold a
- * reference to the ipif refrelease the ipif. The ipif is quiescent after the
- * ipif_refcount has dropped to zero and all ire's associated with this ipif
- * have also been ire_inactive'd. i.e. when ipif_{ire, ill}_cnt and
- * ipif_refcnt both drop to zero. See also: comments above IPIF_DOWN_OK()
- * in ip.h
- *
- * Lookups during the IPIF_CHANGING/ILL_CHANGING interval.
- *
- * Threads trying to lookup an ipif or ill can pass a flag requesting
- * wait and restart if the ipif / ill cannot be looked up currently.
- * For eg. bind, and route operations (Eg. route add / delete) cannot return
- * failure if the ipif is currently undergoing an exclusive operation, and
- * hence pass the flag. The mblk is then enqueued in the ipsq and the operation
- * is restarted by ipsq_exit() when the current exclusive operation completes.
- * The lookup and enqueue is atomic using the ill_lock and ipsq_lock. The
+ * Threads handling SIOC set ioctls serialize on the squeue, but this
+ * is not done for SIOC get ioctls. Since a set ioctl can cause several
+ * steps of internal changes to the state, some of which are visible in
+ * ipif_flags (such as IFF_UP being cleared and later set), and we want
+ * the set ioctl to be atomic related to the get ioctls, the SIOC get code
+ * will wait and restart ioctls if IPIF_CHANGING is set. The mblk is then
+ * enqueued in the ipsq and the operation is restarted by ipsq_exit() when
+ * the current exclusive operation completes. The IPIF_CHANGING check
+ * and enqueue is atomic using the ill_lock and ipsq_lock. The
* lookup is done holding the ill_lock. Hence the ill/ipif state flags can't
* change while the ill_lock is held. Before dropping the ill_lock we acquire
* the ipsq_lock and call ipsq_enq. This ensures that ipsq_exit can't finish
- * until we release the ipsq_lock, even though the the ill/ipif state flags
+ * until we release the ipsq_lock, even though the ill/ipif state flags
* can change after we drop the ill_lock.
- *
- * An attempt to send out a packet using an ipif that is currently
- * IPIF_CHANGING will fail. No attempt is made in this case to enqueue this
- * operation and restart it later when the exclusive condition on the ipif ends.
- * This is an example of not passing the wait flag to the lookup functions. For
- * example an attempt to refhold and use conn->conn_multicast_ipif and send
- * out a multicast packet on that ipif will fail while the ipif is
- * IPIF_CHANGING. An attempt to create an IRE_CACHE using an ipif that is
- * currently IPIF_CHANGING will also fail.
*/
int
ipif_down(ipif_t *ipif, queue_t *q, mblk_t *mp)
@@ -14613,6 +12799,9 @@ ipif_down(ipif_t *ipif, queue_t *q, mblk_t *mp)
ip1dbg(("ipif_down(%s:%u)\n", ill->ill_name, ipif->ipif_id));
+ DTRACE_PROBE3(ipif__downup, char *, "ipif_down",
+ ill_t *, ill, ipif_t *, ipif);
+
if (ipif->ipif_flags & IPIF_UP) {
mutex_enter(&ill->ill_lock);
ipif->ipif_flags &= ~IPIF_UP;
@@ -14649,15 +12838,12 @@ ipif_down(ipif_t *ipif, queue_t *q, mblk_t *mp)
}
}
- /*
- * Delete all IRE's pointing at this ipif or its source address.
- */
- if (ipif->ipif_isv6) {
- ire_walk_v6(ipif_down_delete_ire, (char *)ipif, ALL_ZONES,
- ipst);
- } else {
- ire_walk_v4(ipif_down_delete_ire, (char *)ipif, ALL_ZONES,
- ipst);
+ if (ipif_was_up) {
+ /* only delete if we'd added ire's before */
+ if (ipif->ipif_isv6)
+ ipif_delete_ires_v6(ipif);
+ else
+ ipif_delete_ires_v4(ipif);
}
if (ipif_was_up && ill->ill_ipif_up_count == 0) {
@@ -14672,30 +12858,28 @@ ipif_down(ipif_t *ipif, queue_t *q, mblk_t *mp)
}
/*
- * Cleaning up the conn_ire_cache or conns must be done only after the
- * ires have been deleted above. Otherwise a thread could end up
- * caching an ire in a conn after we have finished the cleanup of the
- * conn. The caching is done after making sure that the ire is not yet
- * condemned. Also documented in the block comment above ip_output
+ * neighbor-discovery or arp entries for this interface. The ipif
+ * has to be quiesced, so we walk all the nce's and delete those
+ * that point at the ipif->ipif_ill. At the same time, we also
+ * update IPMP so that ipifs for data addresses are unbound. We dont
+ * call ipif_arp_down to DL_UNBIND the arp stream itself here, but defer
+ * that for ipif_down_tail()
*/
- ipcl_walk(conn_cleanup_stale_ire, NULL, ipst);
- /* Also, delete the ires cached in SCTP */
- sctp_ire_cache_flush(ipif);
+ ipif_nce_down(ipif);
/*
- * Update any other ipifs which have used "our" local address as
- * a source address. This entails removing and recreating IRE_INTERFACE
- * entries for such ipifs.
+ * If this is the last ipif on the ill, we also need to remove
+ * any IREs with ire_ill set. Otherwise ipif_is_quiescent() will
+ * never succeed.
*/
- if (ipif->ipif_isv6)
- ipif_update_other_ipifs_v6(ipif);
- else
- ipif_update_other_ipifs(ipif);
+ if (ill->ill_ipif_up_count == 0 && ill->ill_ipif_dup_count == 0)
+ ire_walk_ill(0, 0, ill_downi, ill, ill);
/*
- * neighbor-discovery or arp entries for this interface.
+ * Walk all CONNs that can have a reference on an ire for this
+ * ipif (we actually walk all that now have stale references).
*/
- ipif_ndp_down(ipif);
+ ipcl_walk(conn_ixa_cleanup, (void *)B_TRUE, ipst);
/*
* If mp is NULL the caller will wait for the appropriate refcnt.
@@ -14748,10 +12932,14 @@ ipif_down(ipif_t *ipif, queue_t *q, mblk_t *mp)
return (EINPROGRESS);
}
-void
+int
ipif_down_tail(ipif_t *ipif)
{
ill_t *ill = ipif->ipif_ill;
+ int err = 0;
+
+ DTRACE_PROBE3(ipif__downup, char *, "ipif_down_tail",
+ ill_t *, ill, ipif_t *, ipif);
/*
* Skip any loopback interface (null wq).
@@ -14766,15 +12954,14 @@ ipif_down_tail(ipif_t *ipif)
ill->ill_dl_up) {
ill_dl_down(ill);
}
- ill->ill_logical_down = 0;
+ if (!ipif->ipif_isv6)
+ err = ipif_arp_down(ipif);
- /*
- * Has to be after removing the routes in ipif_down_delete_ire.
- */
- ipif_resolver_down(ipif);
+ ill->ill_logical_down = 0;
ip_rts_ifmsg(ipif, RTSQ_DEFAULT);
ip_rts_newaddrmsg(RTM_DELETE, 0, ipif, RTSQ_DEFAULT);
+ return (err);
}
/*
@@ -14785,6 +12972,9 @@ ipif_down_tail(ipif_t *ipif)
static int
ipif_logical_down(ipif_t *ipif, queue_t *q, mblk_t *mp)
{
+ DTRACE_PROBE3(ipif__downup, char *, "ipif_logical_down",
+ ill_t *, ipif->ipif_ill, ipif_t *, ipif);
+
/*
* The ill_logical_down flag is a transient flag. It is set here
* and is cleared once the down has completed in ipif_down_tail.
@@ -14799,152 +12989,6 @@ ipif_logical_down(ipif_t *ipif, queue_t *q, mblk_t *mp)
}
/*
- * This is called when the SIOCSLIFUSESRC ioctl is processed in IP.
- * If the usesrc client ILL is already part of a usesrc group or not,
- * in either case a ire_stq with the matching usesrc client ILL will
- * locate the IRE's that need to be deleted. We want IREs to be created
- * with the new source address.
- */
-static void
-ipif_delete_cache_ire(ire_t *ire, char *ill_arg)
-{
- ill_t *ucill = (ill_t *)ill_arg;
-
- ASSERT(IAM_WRITER_ILL(ucill));
-
- if (ire->ire_stq == NULL)
- return;
-
- if ((ire->ire_type == IRE_CACHE) &&
- ((ill_t *)ire->ire_stq->q_ptr == ucill))
- ire_delete(ire);
-}
-
-/*
- * ire_walk routine to delete every IRE dependent on the interface
- * address that is going down. (Always called as writer.)
- * Works for both v4 and v6.
- * In addition for checking for ire_ipif matches it also checks for
- * IRE_CACHE entries which have the same source address as the
- * disappearing ipif since ipif_select_source might have picked
- * that source. Note that ipif_down/ipif_update_other_ipifs takes
- * care of any IRE_INTERFACE with the disappearing source address.
- */
-static void
-ipif_down_delete_ire(ire_t *ire, char *ipif_arg)
-{
- ipif_t *ipif = (ipif_t *)ipif_arg;
-
- ASSERT(IAM_WRITER_IPIF(ipif));
- if (ire->ire_ipif == NULL)
- return;
-
- if (ire->ire_ipif != ipif) {
- /*
- * Look for a matching source address.
- */
- if (ire->ire_type != IRE_CACHE)
- return;
- if (ipif->ipif_flags & IPIF_NOLOCAL)
- return;
-
- if (ire->ire_ipversion == IPV4_VERSION) {
- if (ire->ire_src_addr != ipif->ipif_src_addr)
- return;
- } else {
- if (!IN6_ARE_ADDR_EQUAL(&ire->ire_src_addr_v6,
- &ipif->ipif_v6lcl_addr))
- return;
- }
- ire_delete(ire);
- return;
- }
- /*
- * ire_delete() will do an ire_flush_cache which will delete
- * all ire_ipif matches
- */
- ire_delete(ire);
-}
-
-/*
- * ire_walk_ill function for deleting all IRE_CACHE entries for an ill when
- * 1) an ipif (on that ill) changes the IPIF_DEPRECATED flags, or
- * 2) when an interface is brought up or down (on that ill).
- * This ensures that the IRE_CACHE entries don't retain stale source
- * address selection results.
- */
-void
-ill_ipif_cache_delete(ire_t *ire, char *ill_arg)
-{
- ill_t *ill = (ill_t *)ill_arg;
-
- ASSERT(IAM_WRITER_ILL(ill));
- ASSERT(ire->ire_type == IRE_CACHE);
-
- /*
- * We are called for IRE_CACHEs whose ire_stq or ire_ipif matches
- * ill, but we only want to delete the IRE if ire_ipif matches.
- */
- ASSERT(ire->ire_ipif != NULL);
- if (ill == ire->ire_ipif->ipif_ill)
- ire_delete(ire);
-}
-
-/*
- * Delete all the IREs whose ire_stq's reference `ill_arg'. IPMP uses this
- * instead of ill_ipif_cache_delete() because ire_ipif->ipif_ill references
- * the IPMP ill.
- */
-void
-ill_stq_cache_delete(ire_t *ire, char *ill_arg)
-{
- ill_t *ill = (ill_t *)ill_arg;
-
- ASSERT(IAM_WRITER_ILL(ill));
- ASSERT(ire->ire_type == IRE_CACHE);
-
- /*
- * We are called for IRE_CACHEs whose ire_stq or ire_ipif matches
- * ill, but we only want to delete the IRE if ire_stq matches.
- */
- if (ire->ire_stq->q_ptr == ill_arg)
- ire_delete(ire);
-}
-
-/*
- * Delete all the IREs whose ire_stq's reference any ill in the same IPMP
- * group as `ill_arg'. Used by ipmp_ill_deactivate() to flush all IRE_CACHE
- * entries for the illgrp.
- */
-void
-ill_grp_cache_delete(ire_t *ire, char *ill_arg)
-{
- ill_t *ill = (ill_t *)ill_arg;
-
- ASSERT(IAM_WRITER_ILL(ill));
-
- if (ire->ire_type == IRE_CACHE &&
- IS_IN_SAME_ILLGRP((ill_t *)ire->ire_stq->q_ptr, ill)) {
- ire_delete(ire);
- }
-}
-
-/*
- * Delete all broadcast IREs with a source address on `ill_arg'.
- */
-static void
-ill_broadcast_delete(ire_t *ire, char *ill_arg)
-{
- ill_t *ill = (ill_t *)ill_arg;
-
- ASSERT(IAM_WRITER_ILL(ill));
- ASSERT(ire->ire_type == IRE_BROADCAST);
-
- if (ire->ire_ipif->ipif_ill == ill)
- ire_delete(ire);
-}
-
-/*
* Initiate deallocate of an IPIF. Always called as writer. Called by
* ill_delete or ip_sioctl_removeif.
*/
@@ -14959,16 +13003,6 @@ ipif_free(ipif_t *ipif)
(void) untimeout(ipif->ipif_recovery_id);
ipif->ipif_recovery_id = 0;
- /* Remove conn references */
- reset_conn_ipif(ipif);
-
- /*
- * Make sure we have valid net and subnet broadcast ire's for the
- * other ipif's which share them with this ipif.
- */
- if (!ipif->ipif_isv6)
- ipif_check_bcast_ires(ipif);
-
/*
* Take down the interface. We can be called either from ill_delete
* or from ip_sioctl_removeif.
@@ -14996,27 +13030,15 @@ ipif_free(ipif_t *ipif)
static void
ipif_free_tail(ipif_t *ipif)
{
- mblk_t *mp;
ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
/*
- * Free state for addition IRE_IF_[NO]RESOLVER ire's.
- */
- mutex_enter(&ipif->ipif_saved_ire_lock);
- mp = ipif->ipif_saved_ire_mp;
- ipif->ipif_saved_ire_mp = NULL;
- mutex_exit(&ipif->ipif_saved_ire_lock);
- freemsg(mp);
-
- /*
* Need to hold both ill_g_lock and ill_lock while
* inserting or removing an ipif from the linked list
* of ipifs hanging off the ill.
*/
rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
- ASSERT(ilm_walk_ipif(ipif) == 0);
-
#ifdef DEBUG
ipif_trace_cleanup(ipif);
#endif
@@ -15028,10 +13050,9 @@ ipif_free_tail(ipif_t *ipif)
ipif_remove(ipif);
rw_exit(&ipst->ips_ill_g_lock);
- mutex_destroy(&ipif->ipif_saved_ire_lock);
-
ASSERT(!(ipif->ipif_flags & (IPIF_UP | IPIF_DUPLICATE)));
ASSERT(ipif->ipif_recovery_id == 0);
+ ASSERT(ipif->ipif_ire_local == NULL);
/* Free the memory. */
mi_free(ipif);
@@ -15064,6 +13085,23 @@ ipif_get_name(const ipif_t *ipif, char *buf, int len)
}
/*
+ * Sets `buf' to an ill name.
+ */
+void
+ill_get_name(const ill_t *ill, char *buf, int len)
+{
+ char *name;
+ size_t name_len;
+
+ name = ill->ill_name;
+ name_len = ill->ill_name_length;
+ len -= 1;
+ buf[len] = '\0';
+ len = MIN(len, name_len);
+ bcopy(name, buf, len);
+}
+
+/*
* Find an IPIF based on the name passed in. Names can be of the form <phys>
* (e.g., le0) or <phys>:<#> (e.g., le0:1). When there is no colon, the
* implied unit id is zero. <phys> must correspond to the name of an ILL.
@@ -15071,8 +13109,7 @@ ipif_get_name(const ipif_t *ipif, char *buf, int len)
*/
static ipif_t *
ipif_lookup_on_name(char *name, size_t namelen, boolean_t do_alloc,
- boolean_t *exists, boolean_t isv6, zoneid_t zoneid, queue_t *q,
- mblk_t *mp, ipsq_func_t func, int *error, ip_stack_t *ipst)
+ boolean_t *exists, boolean_t isv6, zoneid_t zoneid, ip_stack_t *ipst)
{
char *cp;
char *endp;
@@ -15081,10 +13118,6 @@ ipif_lookup_on_name(char *name, size_t namelen, boolean_t do_alloc,
ipif_t *ipif;
uint_t ire_type;
boolean_t did_alloc = B_FALSE;
- ipsq_t *ipsq;
-
- if (error != NULL)
- *error = 0;
/*
* If the caller wants to us to create the ipif, make sure we have a
@@ -15093,8 +13126,6 @@ ipif_lookup_on_name(char *name, size_t namelen, boolean_t do_alloc,
ASSERT(!do_alloc || zoneid != ALL_ZONES);
if (namelen == 0) {
- if (error != NULL)
- *error = ENXIO;
return (NULL);
}
@@ -15121,8 +13152,6 @@ ipif_lookup_on_name(char *name, size_t namelen, boolean_t do_alloc,
* is zero, fail.
*/
if (&cp[2] < endp && cp[1] == '0') {
- if (error != NULL)
- *error = EINVAL;
return (NULL);
}
}
@@ -15140,7 +13169,7 @@ ipif_lookup_on_name(char *name, size_t namelen, boolean_t do_alloc,
* ill_lookup_on_name will clear it.
*/
ill = ill_lookup_on_name(name, do_alloc, isv6,
- q, mp, func, error, &did_alloc, ipst);
+ &did_alloc, ipst);
if (cp != endp)
*cp = IPIF_SEPARATOR_CHAR;
if (ill == NULL)
@@ -15153,13 +13182,10 @@ ipif_lookup_on_name(char *name, size_t namelen, boolean_t do_alloc,
cp++;
if (ddi_strtol(cp, NULL, 0, &id) != 0) {
ill_refrele(ill);
- if (error != NULL)
- *error = ENXIO;
return (NULL);
}
}
- GRAB_CONN_LOCK(q);
mutex_enter(&ill->ill_lock);
/* Now see if there is an IPIF with this unit number. */
for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
@@ -15168,16 +13194,9 @@ ipif_lookup_on_name(char *name, size_t namelen, boolean_t do_alloc,
zoneid != ipif->ipif_zoneid &&
ipif->ipif_zoneid != ALL_ZONES) {
mutex_exit(&ill->ill_lock);
- RELEASE_CONN_LOCK(q);
ill_refrele(ill);
- if (error != NULL)
- *error = ENXIO;
return (NULL);
}
- /*
- * The block comment at the start of ipif_down
- * explains the use of the macros used below
- */
if (IPIF_CAN_LOOKUP(ipif)) {
ipif_refhold_locked(ipif);
mutex_exit(&ill->ill_lock);
@@ -15189,32 +13208,15 @@ ipif_lookup_on_name(char *name, size_t namelen, boolean_t do_alloc,
* ipif_ill_refrele_tail which can end up
* in trying to acquire any lock.
*/
- RELEASE_CONN_LOCK(q);
ill_refrele(ill);
return (ipif);
- } else if (IPIF_CAN_WAIT(ipif, q)) {
- ipsq = ill->ill_phyint->phyint_ipsq;
- mutex_enter(&ipsq->ipsq_lock);
- mutex_enter(&ipsq->ipsq_xop->ipx_lock);
- mutex_exit(&ill->ill_lock);
- ipsq_enq(ipsq, q, mp, func, NEW_OP, ill);
- mutex_exit(&ipsq->ipsq_xop->ipx_lock);
- mutex_exit(&ipsq->ipsq_lock);
- RELEASE_CONN_LOCK(q);
- ill_refrele(ill);
- if (error != NULL)
- *error = EINPROGRESS;
- return (NULL);
}
}
}
- RELEASE_CONN_LOCK(q);
if (!do_alloc) {
mutex_exit(&ill->ill_lock);
ill_refrele(ill);
- if (error != NULL)
- *error = ENXIO;
return (NULL);
}
@@ -15236,8 +13238,6 @@ ipif_lookup_on_name(char *name, size_t namelen, boolean_t do_alloc,
ipif = ipif_allocate(ill, id, ire_type, B_TRUE, B_TRUE);
if (ipif != NULL)
ipif_refhold_locked(ipif);
- else if (error != NULL)
- *error = ENOMEM;
mutex_exit(&ill->ill_lock);
ill_refrele(ill);
return (ipif);
@@ -15258,6 +13258,7 @@ ipif_mask_reply(ipif_t *ipif)
ipha_t *ipha;
mblk_t *mp;
ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
+ ip_xmit_attr_t ixas;
#define REPLY_LEN (sizeof (icmp_ipha) + sizeof (icmph_t) + IP_ADDR_LEN)
@@ -15269,6 +13270,9 @@ ipif_mask_reply(ipif_t *ipif)
/* ICMP mask reply is not for a loopback interface */
ASSERT(ipif->ipif_ill->ill_wq != NULL);
+ if (ipif->ipif_lcl_addr == INADDR_ANY)
+ return;
+
mp = allocb(REPLY_LEN, BPRI_HI);
if (mp == NULL)
return;
@@ -15278,7 +13282,7 @@ ipif_mask_reply(ipif_t *ipif)
bzero(ipha, REPLY_LEN);
*ipha = icmp_ipha;
ipha->ipha_ttl = ipst->ips_ip_broadcast_ttl;
- ipha->ipha_src = ipif->ipif_src_addr;
+ ipha->ipha_src = ipif->ipif_lcl_addr;
ipha->ipha_dst = ipif->ipif_brd_addr;
ipha->ipha_length = htons(REPLY_LEN);
ipha->ipha_ident = 0;
@@ -15288,64 +13292,19 @@ ipif_mask_reply(ipif_t *ipif)
bcopy(&ipif->ipif_net_mask, &icmph[1], IP_ADDR_LEN);
icmph->icmph_checksum = IP_CSUM(mp, sizeof (ipha_t), 0);
- put(ipif->ipif_wq, mp);
-
+ bzero(&ixas, sizeof (ixas));
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
+ ixas.ixa_flags |= IXAF_SET_SOURCE;
+ ixas.ixa_zoneid = ALL_ZONES;
+ ixas.ixa_ifindex = 0;
+ ixas.ixa_ipst = ipst;
+ ixas.ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
+ (void) ip_output_simple(mp, &ixas);
+ ixa_cleanup(&ixas);
#undef REPLY_LEN
}
/*
- * When the mtu in the ipif changes, we call this routine through ire_walk
- * to update all the relevant IREs.
- * Skip IRE_LOCAL and "loopback" IRE_BROADCAST by checking ire_stq.
- */
-static void
-ipif_mtu_change(ire_t *ire, char *ipif_arg)
-{
- ipif_t *ipif = (ipif_t *)ipif_arg;
-
- if (ire->ire_stq == NULL || ire->ire_ipif != ipif)
- return;
-
- mutex_enter(&ire->ire_lock);
- if (ire->ire_marks & IRE_MARK_PMTU) {
- /* Avoid increasing the PMTU */
- ire->ire_max_frag = MIN(ipif->ipif_mtu, ire->ire_max_frag);
- if (ire->ire_max_frag == ipif->ipif_mtu)
- ire->ire_marks &= ~IRE_MARK_PMTU;
- } else {
- ire->ire_max_frag = MIN(ipif->ipif_mtu, IP_MAXPACKET);
- }
- mutex_exit(&ire->ire_lock);
-}
-
-/*
- * When the mtu in the ill changes, we call this routine through ire_walk
- * to update all the relevant IREs.
- * Skip IRE_LOCAL and "loopback" IRE_BROADCAST by checking ire_stq.
- */
-void
-ill_mtu_change(ire_t *ire, char *ill_arg)
-{
- ill_t *ill = (ill_t *)ill_arg;
-
- if (ire->ire_stq == NULL || ire->ire_ipif->ipif_ill != ill)
- return;
-
- mutex_enter(&ire->ire_lock);
- if (ire->ire_marks & IRE_MARK_PMTU) {
- /* Avoid increasing the PMTU */
- ire->ire_max_frag = MIN(ire->ire_ipif->ipif_mtu,
- ire->ire_max_frag);
- if (ire->ire_max_frag == ire->ire_ipif->ipif_mtu) {
- ire->ire_marks &= ~IRE_MARK_PMTU;
- }
- } else {
- ire->ire_max_frag = MIN(ire->ire_ipif->ipif_mtu, IP_MAXPACKET);
- }
- mutex_exit(&ire->ire_lock);
-}
-
-/*
* Join the ipif specific multicast groups.
* Must be called after a mapping has been set up in the resolver. (Always
* called as writer.)
@@ -15355,13 +13314,15 @@ ipif_multicast_up(ipif_t *ipif)
{
int err;
ill_t *ill;
+ ilm_t *ilm;
ASSERT(IAM_WRITER_IPIF(ipif));
ill = ipif->ipif_ill;
ip1dbg(("ipif_multicast_up\n"));
- if (!(ill->ill_flags & ILLF_MULTICAST) || ipif->ipif_multicast_up)
+ if (!(ill->ill_flags & ILLF_MULTICAST) ||
+ ipif->ipif_allhosts_ilm != NULL)
return;
if (ipif->ipif_isv6) {
@@ -15380,228 +13341,147 @@ ipif_multicast_up(ipif_t *ipif)
* underlying IPMP interfaces since they should be invisible.
*/
if (!IS_UNDER_IPMP(ill)) {
- err = ip_addmulti_v6(&v6allmc, ill, ipif->ipif_zoneid,
- ILGSTAT_NONE, MODE_IS_EXCLUDE, NULL);
- if (err != 0) {
+ ilm = ip_addmulti(&v6allmc, ill, ipif->ipif_zoneid,
+ &err);
+ if (ilm == NULL) {
+ ASSERT(err != 0);
ip0dbg(("ipif_multicast_up: "
"all_hosts_mcast failed %d\n", err));
return;
}
- ipif->ipif_joined_allhosts = 1;
+ ipif->ipif_allhosts_ilm = ilm;
}
/*
- * Enable multicast for the solicited node multicast address
+ * Enable multicast for the solicited node multicast address.
+ * If IPMP we need to put the membership on the upper ill.
*/
if (!(ipif->ipif_flags & IPIF_NOLOCAL)) {
- err = ip_addmulti_v6(&v6solmc, ill, ipif->ipif_zoneid,
- ILGSTAT_NONE, MODE_IS_EXCLUDE, NULL);
- if (err != 0) {
+ ill_t *mcast_ill = NULL;
+ boolean_t need_refrele;
+
+ if (IS_UNDER_IPMP(ill) &&
+ (mcast_ill = ipmp_ill_hold_ipmp_ill(ill)) != NULL) {
+ need_refrele = B_TRUE;
+ } else {
+ mcast_ill = ill;
+ need_refrele = B_FALSE;
+ }
+
+ ilm = ip_addmulti(&v6solmc, mcast_ill,
+ ipif->ipif_zoneid, &err);
+ if (need_refrele)
+ ill_refrele(mcast_ill);
+
+ if (ilm == NULL) {
+ ASSERT(err != 0);
ip0dbg(("ipif_multicast_up: solicited MC"
" failed %d\n", err));
- if (ipif->ipif_joined_allhosts) {
- (void) ip_delmulti_v6(&v6allmc, ill,
- ipif->ipif_zoneid, B_TRUE, B_TRUE);
- ipif->ipif_joined_allhosts = 0;
+ if ((ilm = ipif->ipif_allhosts_ilm) != NULL) {
+ ipif->ipif_allhosts_ilm = NULL;
+ (void) ip_delmulti(ilm);
}
return;
}
+ ipif->ipif_solmulti_ilm = ilm;
}
} else {
+ in6_addr_t v6group;
+
if (ipif->ipif_lcl_addr == INADDR_ANY || IS_UNDER_IPMP(ill))
return;
/* Join the all hosts multicast address */
ip1dbg(("ipif_multicast_up - addmulti\n"));
- err = ip_addmulti(htonl(INADDR_ALLHOSTS_GROUP), ipif,
- ILGSTAT_NONE, MODE_IS_EXCLUDE, NULL);
- if (err) {
+ IN6_IPADDR_TO_V4MAPPED(htonl(INADDR_ALLHOSTS_GROUP), &v6group);
+
+ ilm = ip_addmulti(&v6group, ill, ipif->ipif_zoneid, &err);
+ if (ilm == NULL) {
+ ASSERT(err != 0);
ip0dbg(("ipif_multicast_up: failed %d\n", err));
return;
}
+ ipif->ipif_allhosts_ilm = ilm;
}
- ipif->ipif_multicast_up = 1;
}
/*
* Blow away any multicast groups that we joined in ipif_multicast_up().
- * (Explicit memberships are blown away in ill_leave_multicast() when the
- * ill is brought down.)
+ * (ilms from explicit memberships are handled in conn_update_ill.)
*/
void
ipif_multicast_down(ipif_t *ipif)
{
- int err;
-
ASSERT(IAM_WRITER_IPIF(ipif));
ip1dbg(("ipif_multicast_down\n"));
- if (!ipif->ipif_multicast_up)
- return;
-
- ip1dbg(("ipif_multicast_down - delmulti\n"));
-
- if (!ipif->ipif_isv6) {
- err = ip_delmulti(htonl(INADDR_ALLHOSTS_GROUP), ipif, B_TRUE,
- B_TRUE);
- if (err != 0)
- ip0dbg(("ipif_multicast_down: failed %d\n", err));
-
- ipif->ipif_multicast_up = 0;
- return;
- }
- /*
- * Leave the all-hosts multicast address.
- */
- if (ipif->ipif_joined_allhosts) {
- err = ip_delmulti_v6(&ipv6_all_hosts_mcast, ipif->ipif_ill,
- ipif->ipif_zoneid, B_TRUE, B_TRUE);
- if (err != 0) {
- ip0dbg(("ipif_multicast_down: all_hosts_mcast "
- "failed %d\n", err));
- }
- ipif->ipif_joined_allhosts = 0;
+ if (ipif->ipif_allhosts_ilm != NULL) {
+ (void) ip_delmulti(ipif->ipif_allhosts_ilm);
+ ipif->ipif_allhosts_ilm = NULL;
}
-
- /*
- * Disable multicast for the solicited node multicast address
- */
- if (!(ipif->ipif_flags & IPIF_NOLOCAL)) {
- in6_addr_t ipv6_multi = ipv6_solicited_node_mcast;
-
- ipv6_multi.s6_addr32[3] |=
- ipif->ipif_v6lcl_addr.s6_addr32[3];
-
- err = ip_delmulti_v6(&ipv6_multi, ipif->ipif_ill,
- ipif->ipif_zoneid, B_TRUE, B_TRUE);
- if (err != 0) {
- ip0dbg(("ipif_multicast_down: sol MC failed %d\n",
- err));
- }
+ if (ipif->ipif_solmulti_ilm != NULL) {
+ (void) ip_delmulti(ipif->ipif_solmulti_ilm);
+ ipif->ipif_solmulti_ilm = NULL;
}
-
- ipif->ipif_multicast_up = 0;
}
/*
* Used when an interface comes up to recreate any extra routes on this
* interface.
*/
-static ire_t **
-ipif_recover_ire(ipif_t *ipif)
+int
+ill_recover_saved_ire(ill_t *ill)
{
- mblk_t *mp;
- ire_t **ipif_saved_irep;
- ire_t **irep;
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
-
- ip1dbg(("ipif_recover_ire(%s:%u)", ipif->ipif_ill->ill_name,
- ipif->ipif_id));
+ mblk_t *mp;
+ ip_stack_t *ipst = ill->ill_ipst;
- mutex_enter(&ipif->ipif_saved_ire_lock);
- ipif_saved_irep = (ire_t **)kmem_zalloc(sizeof (ire_t *) *
- ipif->ipif_saved_ire_cnt, KM_NOSLEEP);
- if (ipif_saved_irep == NULL) {
- mutex_exit(&ipif->ipif_saved_ire_lock);
- return (NULL);
- }
+ ip1dbg(("ill_recover_saved_ire(%s)", ill->ill_name));
- irep = ipif_saved_irep;
- for (mp = ipif->ipif_saved_ire_mp; mp != NULL; mp = mp->b_cont) {
- ire_t *ire;
- queue_t *rfq;
- queue_t *stq;
+ mutex_enter(&ill->ill_saved_ire_lock);
+ for (mp = ill->ill_saved_ire_mp; mp != NULL; mp = mp->b_cont) {
+ ire_t *ire, *nire;
ifrt_t *ifrt;
- uchar_t *src_addr;
- uchar_t *gateway_addr;
- ushort_t type;
- /*
- * When the ire was initially created and then added in
- * ip_rt_add(), it was created either using ipif->ipif_net_type
- * in the case of a traditional interface route, or as one of
- * the IRE_OFFSUBNET types (with the exception of
- * IRE_HOST types ire which is created by icmp_redirect() and
- * which we don't need to save or recover). In the case where
- * ipif->ipif_net_type was IRE_LOOPBACK, ip_rt_add() will update
- * the ire_type to IRE_IF_NORESOLVER before calling ire_add()
- * to satisfy software like GateD and Sun Cluster which creates
- * routes using the the loopback interface's address as a
- * gateway.
- *
- * As ifrt->ifrt_type reflects the already updated ire_type,
- * ire_create() will be called in the same way here as
- * in ip_rt_add(), namely using ipif->ipif_net_type when
- * the route looks like a traditional interface route (where
- * ifrt->ifrt_type & IRE_INTERFACE is true) and otherwise using
- * the saved ifrt->ifrt_type. This means that in the case where
- * ipif->ipif_net_type is IRE_LOOPBACK, the ire created by
- * ire_create() will be an IRE_LOOPBACK, it will then be turned
- * into an IRE_IF_NORESOLVER and then added by ire_add().
- */
ifrt = (ifrt_t *)mp->b_rptr;
- ASSERT(ifrt->ifrt_type != IRE_CACHE);
- if (ifrt->ifrt_type & IRE_INTERFACE) {
- rfq = NULL;
- stq = (ipif->ipif_net_type == IRE_IF_RESOLVER)
- ? ipif->ipif_rq : ipif->ipif_wq;
- src_addr = (ifrt->ifrt_flags & RTF_SETSRC)
- ? (uint8_t *)&ifrt->ifrt_src_addr
- : (uint8_t *)&ipif->ipif_src_addr;
- gateway_addr = NULL;
- type = ipif->ipif_net_type;
- } else if (ifrt->ifrt_type & IRE_BROADCAST) {
- /* Recover multiroute broadcast IRE. */
- rfq = ipif->ipif_rq;
- stq = ipif->ipif_wq;
- src_addr = (ifrt->ifrt_flags & RTF_SETSRC)
- ? (uint8_t *)&ifrt->ifrt_src_addr
- : (uint8_t *)&ipif->ipif_src_addr;
- gateway_addr = (uint8_t *)&ifrt->ifrt_gateway_addr;
- type = ifrt->ifrt_type;
- } else {
- rfq = NULL;
- stq = NULL;
- src_addr = (ifrt->ifrt_flags & RTF_SETSRC)
- ? (uint8_t *)&ifrt->ifrt_src_addr : NULL;
- gateway_addr = (uint8_t *)&ifrt->ifrt_gateway_addr;
- type = ifrt->ifrt_type;
- }
-
/*
* Create a copy of the IRE with the saved address and netmask.
*/
- ip1dbg(("ipif_recover_ire: creating IRE %s (%d) for "
- "0x%x/0x%x\n",
- ip_nv_lookup(ire_nv_tbl, ifrt->ifrt_type), ifrt->ifrt_type,
- ntohl(ifrt->ifrt_addr),
- ntohl(ifrt->ifrt_mask)));
- ire = ire_create(
- (uint8_t *)&ifrt->ifrt_addr,
- (uint8_t *)&ifrt->ifrt_mask,
- src_addr,
- gateway_addr,
- &ifrt->ifrt_max_frag,
- NULL,
- rfq,
- stq,
- type,
- ipif,
- 0,
- 0,
- 0,
- ifrt->ifrt_flags,
- &ifrt->ifrt_iulp_info,
- NULL,
- NULL,
- ipst);
-
+ if (ill->ill_isv6) {
+ ire = ire_create_v6(
+ &ifrt->ifrt_v6addr,
+ &ifrt->ifrt_v6mask,
+ &ifrt->ifrt_v6gateway_addr,
+ ifrt->ifrt_type,
+ ill,
+ ifrt->ifrt_zoneid,
+ ifrt->ifrt_flags,
+ NULL,
+ ipst);
+ } else {
+ ire = ire_create(
+ (uint8_t *)&ifrt->ifrt_addr,
+ (uint8_t *)&ifrt->ifrt_mask,
+ (uint8_t *)&ifrt->ifrt_gateway_addr,
+ ifrt->ifrt_type,
+ ill,
+ ifrt->ifrt_zoneid,
+ ifrt->ifrt_flags,
+ NULL,
+ ipst);
+ }
if (ire == NULL) {
- mutex_exit(&ipif->ipif_saved_ire_lock);
- kmem_free(ipif_saved_irep,
- ipif->ipif_saved_ire_cnt * sizeof (ire_t *));
- return (NULL);
+ mutex_exit(&ill->ill_saved_ire_lock);
+ return (ENOMEM);
+ }
+
+ if (ifrt->ifrt_flags & RTF_SETSRC) {
+ if (ill->ill_isv6) {
+ ire->ire_setsrc_addr_v6 =
+ ifrt->ifrt_v6setsrc_addr;
+ } else {
+ ire->ire_setsrc_addr = ifrt->ifrt_setsrc_addr;
+ }
}
/*
@@ -15611,23 +13491,37 @@ ipif_recover_ire(ipif_t *ipif)
* set up prefixes with the RTF_REJECT flag set (for example,
* when generating aggregate routes.)
*
- * If the IRE type (as defined by ipif->ipif_net_type) is
+ * If the IRE type (as defined by ill->ill_net_type) is
* IRE_LOOPBACK, then we map the request into a
* IRE_IF_NORESOLVER.
*/
- if (ipif->ipif_net_type == IRE_LOOPBACK)
+ if (ill->ill_net_type == IRE_LOOPBACK)
ire->ire_type = IRE_IF_NORESOLVER;
+
/*
* ire held by ire_add, will be refreled' towards the
* the end of ipif_up_done
*/
- (void) ire_add(&ire, NULL, NULL, NULL, B_FALSE);
- *irep = ire;
- irep++;
- ip1dbg(("ipif_recover_ire: added ire %p\n", (void *)ire));
+ nire = ire_add(ire);
+ /*
+ * Check if it was a duplicate entry. This handles
+ * the case of two racing route adds for the same route
+ */
+ if (nire == NULL) {
+ ip1dbg(("ill_recover_saved_ire: FAILED\n"));
+ } else if (nire != ire) {
+ ip1dbg(("ill_recover_saved_ire: duplicate ire %p\n",
+ (void *)nire));
+ ire_delete(nire);
+ } else {
+ ip1dbg(("ill_recover_saved_ire: added ire %p\n",
+ (void *)nire));
+ }
+ if (nire != NULL)
+ ire_refrele(nire);
}
- mutex_exit(&ipif->ipif_saved_ire_lock);
- return (ipif_saved_irep);
+ mutex_exit(&ill->ill_saved_ire_lock);
+ return (0);
}
/*
@@ -15766,6 +13660,8 @@ ipif_up(ipif_t *ipif, queue_t *q, mblk_t *mp)
ASSERT(IAM_WRITER_IPIF(ipif));
ip1dbg(("ipif_up(%s:%u)\n", ill->ill_name, ipif->ipif_id));
+ DTRACE_PROBE3(ipif__downup, char *, "ipif_up",
+ ill_t *, ill, ipif_t *, ipif);
/* Shouldn't get here if it is already up. */
if (ipif->ipif_flags & IPIF_UP)
@@ -15786,7 +13682,7 @@ ipif_up(ipif_t *ipif, queue_t *q, mblk_t *mp)
/*
* The ipif being brought up should be quiesced. If it's not,
* something has gone amiss and we need to bail out. (If it's
- * quiesced, we know it will remain so via IPIF_CHANGING.)
+ * quiesced, we know it will remain so via IPIF_CONDEMNED.)
*/
mutex_enter(&ill->ill_lock);
if (!ipif_is_quiescent(ipif)) {
@@ -15868,8 +13764,8 @@ ipif_up(ipif_t *ipif, queue_t *q, mblk_t *mp)
/*
* If the ipif being brought up was on slot zero, then we
* first need to bring up the placeholder we stuck there. In
- * ip_rput_dlpi_writer(), ip_arp_done(), or the recursive call
- * to ipif_up() itself, if we successfully bring up the
+ * ip_rput_dlpi_writer(), arp_bringup_done(), or the recursive
+ * call to ipif_up() itself, if we successfully bring up the
* placeholder, we'll check ill_move_ipif and bring it up too.
*/
if (ipif_orig_id == 0) {
@@ -15907,13 +13803,13 @@ ipif_up(ipif_t *ipif, queue_t *q, mblk_t *mp)
}
/*
- * ipif_resolver_up may end up sending an
- * AR_INTERFACE_UP message to ARP, which would, in
- * turn send a DLPI message to the driver. ioctls are
+ * ipif_resolver_up may end up needeing to bind/attach
+ * the ARP stream, which in turn necessitates a
+ * DLPI message exchange with the driver. ioctls are
* serialized and so we cannot send more than one
* interface up message at a time. If ipif_resolver_up
- * does send an interface up message to ARP, we get
- * EINPROGRESS and we will complete in ip_arp_done.
+ * does need to wait for the DLPI handshake for the ARP stream,
+ * we get EINPROGRESS and we will complete in arp_bringup_done.
*/
ASSERT(connp != NULL || !CONN_Q(q));
@@ -15928,18 +13824,12 @@ ipif_up(ipif_t *ipif, queue_t *q, mblk_t *mp)
return (EINTR);
/*
- * Crank up the resolver. For IPv6, this cranks up the
- * external resolver if one is configured, but even if an
- * external resolver isn't configured, it must be called to
- * reset DAD state. For IPv6, if an external resolver is not
- * being used, ipif_resolver_up() will never return
- * EINPROGRESS, so we can always call ipif_ndp_up() here.
- * Note that if an external resolver is being used, there's no
- * need to call ipif_ndp_up() since it will do nothing.
+ * Crank up IPv6 neighbor discovery. Unlike ARP, this should
+ * complete when ipif_ndp_up returns.
*/
err = ipif_resolver_up(ipif, Res_act_initial);
if (err == EINPROGRESS) {
- /* We will complete it in ip_arp_done() */
+ /* We will complete it in arp_bringup_done() */
return (err);
}
@@ -15958,9 +13848,13 @@ ipif_up(ipif_t *ipif, queue_t *q, mblk_t *mp)
*/
ASSERT(!(ipif->ipif_flags & IPIF_DUPLICATE));
ipif->ipif_addr_ready = 1;
+ err = ill_add_ires(ill);
+ /* allocation failure? */
+ if (err != 0)
+ return (err);
}
- err = isv6 ? ipif_up_done_v6(ipif) : ipif_up_done(ipif);
+ err = (isv6 ? ipif_up_done_v6(ipif) : ipif_up_done(ipif));
if (err == 0 && ill->ill_move_ipif != NULL) {
ipif = ill->ill_move_ipif;
ill->ill_move_ipif = NULL;
@@ -15970,6 +13864,53 @@ ipif_up(ipif_t *ipif, queue_t *q, mblk_t *mp)
}
/*
+ * Add any IREs tied to the ill. For now this is just an IRE_MULTICAST.
+ * The identical set of IREs need to be removed in ill_delete_ires().
+ */
+int
+ill_add_ires(ill_t *ill)
+{
+ ire_t *ire;
+ in6_addr_t dummy6 = {(uint32_t)V6_MCAST, 0, 0, 1};
+ in_addr_t dummy4 = htonl(INADDR_ALLHOSTS_GROUP);
+
+ if (ill->ill_ire_multicast != NULL)
+ return (0);
+
+ /*
+ * provide some dummy ire_addr for creating the ire.
+ */
+ if (ill->ill_isv6) {
+ ire = ire_create_v6(&dummy6, 0, 0, IRE_MULTICAST, ill,
+ ALL_ZONES, RTF_UP, NULL, ill->ill_ipst);
+ } else {
+ ire = ire_create((uchar_t *)&dummy4, 0, 0, IRE_MULTICAST, ill,
+ ALL_ZONES, RTF_UP, NULL, ill->ill_ipst);
+ }
+ if (ire == NULL)
+ return (ENOMEM);
+
+ ill->ill_ire_multicast = ire;
+ return (0);
+}
+
+void
+ill_delete_ires(ill_t *ill)
+{
+ if (ill->ill_ire_multicast != NULL) {
+ /*
+ * BIND/ATTACH completed; Release the ref for ill_ire_multicast
+ * which was taken without any th_tracing enabled.
+ * We also mark it as condemned (note that it was never added)
+ * so that caching conn's can move off of it.
+ */
+ ire_make_condemned(ill->ill_ire_multicast);
+ ire_refrele_notr(ill->ill_ire_multicast);
+ ill->ill_ire_multicast = NULL;
+ }
+}
+
+/*
* Perform a bind for the physical device.
* When the routine returns EINPROGRESS then mp has been consumed and
* the ioctl will be acked from ip_rput_dlpi.
@@ -15978,30 +13919,26 @@ ipif_up(ipif_t *ipif, queue_t *q, mblk_t *mp)
static int
ill_dl_up(ill_t *ill, ipif_t *ipif, mblk_t *mp, queue_t *q)
{
- areq_t *areq;
- mblk_t *areq_mp = NULL;
mblk_t *bind_mp = NULL;
mblk_t *unbind_mp = NULL;
conn_t *connp;
boolean_t success;
- uint16_t sap_addr;
+ int err;
+
+ DTRACE_PROBE2(ill__downup, char *, "ill_dl_up", ill_t *, ill);
ip1dbg(("ill_dl_up(%s)\n", ill->ill_name));
ASSERT(IAM_WRITER_ILL(ill));
ASSERT(mp != NULL);
- /* Create a resolver cookie for ARP */
- if (!ill->ill_isv6 && ill->ill_net_type == IRE_IF_RESOLVER) {
- areq_mp = ill_arp_alloc(ill, (uchar_t *)&ip_areq_template, 0);
- if (areq_mp == NULL)
- return (ENOMEM);
+ /*
+ * Make sure we have an IRE_MULTICAST in case we immediately
+ * start receiving packets.
+ */
+ err = ill_add_ires(ill);
+ if (err != 0)
+ goto bad;
- freemsg(ill->ill_resolver_mp);
- ill->ill_resolver_mp = areq_mp;
- areq = (areq_t *)areq_mp->b_rptr;
- sap_addr = ill->ill_sap;
- bcopy(&sap_addr, areq->areq_sap, sizeof (sap_addr));
- }
bind_mp = ip_dlpi_alloc(sizeof (dl_bind_req_t) + sizeof (long),
DL_BIND_REQ);
if (bind_mp == NULL)
@@ -16067,46 +14004,39 @@ bad:
return (ENOMEM);
}
+/* Add room for tcp+ip headers */
uint_t ip_loopback_mtuplus = IP_LOOPBACK_MTU + IP_SIMPLE_HDR_LENGTH + 20;
/*
* DLPI and ARP is up.
- * Create all the IREs associated with an interface bring up multicast.
+ * Create all the IREs associated with an interface. Bring up multicast.
* Set the interface flag and finish other initialization
- * that potentially had to be differed to after DL_BIND_ACK.
+ * that potentially had to be deferred to after DL_BIND_ACK.
*/
int
ipif_up_done(ipif_t *ipif)
{
- ire_t *ire_array[20];
- ire_t **irep = ire_array;
- ire_t **irep1;
- ipaddr_t net_mask = 0;
- ipaddr_t subnet_mask, route_mask;
- ill_t *ill = ipif->ipif_ill;
- queue_t *stq;
- ipif_t *src_ipif;
- ipif_t *tmp_ipif;
- boolean_t flush_ire_cache = B_TRUE;
- int err = 0;
- ire_t **ipif_saved_irep = NULL;
- int ipif_saved_ire_cnt;
- int cnt;
- boolean_t src_ipif_held = B_FALSE;
+ ill_t *ill = ipif->ipif_ill;
+ int err = 0;
boolean_t loopback = B_FALSE;
- ip_stack_t *ipst = ill->ill_ipst;
+ boolean_t update_src_selection = B_TRUE;
+ ipif_t *tmp_ipif;
ip1dbg(("ipif_up_done(%s:%u)\n",
ipif->ipif_ill->ill_name, ipif->ipif_id));
+ DTRACE_PROBE3(ipif__downup, char *, "ipif_up_done",
+ ill_t *, ill, ipif_t *, ipif);
+
/* Check if this is a loopback interface */
if (ipif->ipif_ill->ill_wq == NULL)
loopback = B_TRUE;
ASSERT(!MUTEX_HELD(&ipif->ipif_ill->ill_lock));
+
/*
* If all other interfaces for this ill are down or DEPRECATED,
- * or otherwise unsuitable for source address selection, remove
- * any IRE_CACHE entries for this ill to make sure source
+ * or otherwise unsuitable for source address selection,
+ * reset the src generation numbers to make sure source
* address selection gets to take this new ipif into account.
* No need to hold ill_lock while traversing the ipif list since
* we are writer
@@ -16119,31 +14049,16 @@ ipif_up_done(ipif_t *ipif)
(tmp_ipif == ipif))
continue;
/* first useable pre-existing interface */
- flush_ire_cache = B_FALSE;
+ update_src_selection = B_FALSE;
break;
}
- if (flush_ire_cache)
- ire_walk_ill_v4(MATCH_IRE_ILL | MATCH_IRE_TYPE,
- IRE_CACHE, ill_ipif_cache_delete, (char *)ill, ill);
+ if (update_src_selection)
+ ip_update_source_selection(ill->ill_ipst);
- /*
- * Figure out which way the send-to queue should go. Only
- * IRE_IF_RESOLVER or IRE_IF_NORESOLVER or IRE_LOOPBACK
- * should show up here.
- */
- switch (ill->ill_net_type) {
- case IRE_IF_RESOLVER:
- stq = ill->ill_rq;
- break;
- case IRE_IF_NORESOLVER:
- case IRE_LOOPBACK:
- stq = ill->ill_wq;
- break;
- default:
- return (EINVAL);
- }
+ if (IS_LOOPBACK(ill) || ill->ill_net_type == IRE_IF_NORESOLVER) {
+ nce_t *loop_nce = NULL;
+ uint16_t flags = (NCE_F_MYADDR | NCE_F_AUTHORITY | NCE_F_NONUD);
- if (IS_LOOPBACK(ill)) {
/*
* lo0:1 and subsequent ipifs were marked IRE_LOCAL in
* ipif_lookup_on_name(), but in the case of zones we can have
@@ -16155,29 +14070,130 @@ ipif_up_done(ipif_t *ipif)
ipif->ipif_ire_type = IRE_LOOPBACK;
else
ipif->ipif_ire_type = IRE_LOCAL;
+ if (ill->ill_net_type != IRE_LOOPBACK)
+ flags |= NCE_F_PUBLISH;
+
+ /* add unicast nce for the local addr */
+ err = nce_lookup_then_add_v4(ill, NULL,
+ ill->ill_phys_addr_length, &ipif->ipif_lcl_addr, flags,
+ ND_REACHABLE, &loop_nce);
+ /* A shared-IP zone sees EEXIST for lo0:N */
+ if (err == 0 || err == EEXIST) {
+ ipif->ipif_added_nce = 1;
+ loop_nce->nce_ipif_cnt++;
+ nce_refrele(loop_nce);
+ err = 0;
+ } else {
+ ASSERT(loop_nce == NULL);
+ return (err);
+ }
}
- if (ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST) ||
- ((ipif->ipif_flags & IPIF_DEPRECATED) &&
- !(ipif->ipif_flags & IPIF_NOFAILOVER))) {
+ /* Create all the IREs associated with this interface */
+ err = ipif_add_ires_v4(ipif, loopback);
+ if (err != 0) {
/*
- * Can't use our source address. Select a different
- * source address for the IRE_INTERFACE and IRE_LOCAL
+ * see comments about return value from
+ * ip_addr_availability_check() in ipif_add_ires_v4().
*/
- src_ipif = ipif_select_source(ipif->ipif_ill,
- ipif->ipif_subnet, ipif->ipif_zoneid);
- if (src_ipif == NULL)
- src_ipif = ipif; /* Last resort */
- else
- src_ipif_held = B_TRUE;
- } else {
- src_ipif = ipif;
+ if (err != EADDRINUSE) {
+ (void) ipif_arp_down(ipif);
+ } else {
+ /*
+ * Make IPMP aware of the deleted ipif so that
+ * the needed ipmp cleanup (e.g., of ipif_bound_ill)
+ * can be completed. Note that we do not want to
+ * destroy the nce that was created on the ipmp_ill
+ * for the active copy of the duplicate address in
+ * use.
+ */
+ if (IS_IPMP(ill))
+ ipmp_illgrp_del_ipif(ill->ill_grp, ipif);
+ err = EADDRNOTAVAIL;
+ }
+ return (err);
}
- /* Create all the IREs associated with this interface */
+ if (ill->ill_ipif_up_count == 1 && !loopback) {
+ /* Recover any additional IREs entries for this ill */
+ (void) ill_recover_saved_ire(ill);
+ }
+
+ if (ill->ill_need_recover_multicast) {
+ /*
+ * Need to recover all multicast memberships in the driver.
+ * This had to be deferred until we had attached. The same
+ * code exists in ipif_up_done_v6() to recover IPv6
+ * memberships.
+ *
+ * Note that it would be preferable to unconditionally do the
+ * ill_recover_multicast() in ill_dl_up(), but we cannot do
+ * that since ill_join_allmulti() depends on ill_dl_up being
+ * set, and it is not set until we receive a DL_BIND_ACK after
+ * having called ill_dl_up().
+ */
+ ill_recover_multicast(ill);
+ }
+
+ if (ill->ill_ipif_up_count == 1) {
+ /*
+ * Since the interface is now up, it may now be active.
+ */
+ if (IS_UNDER_IPMP(ill))
+ ipmp_ill_refresh_active(ill);
+
+ /*
+ * If this is an IPMP interface, we may now be able to
+ * establish ARP entries.
+ */
+ if (IS_IPMP(ill))
+ ipmp_illgrp_refresh_arpent(ill->ill_grp);
+ }
+
+ /* Join the allhosts multicast address */
+ ipif_multicast_up(ipif);
+
+ if (!loopback && !update_src_selection &&
+ !(ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST|IPIF_DEPRECATED)))
+ ip_update_source_selection(ill->ill_ipst);
+
+ if (!loopback && ipif->ipif_addr_ready) {
+ /* Broadcast an address mask reply. */
+ ipif_mask_reply(ipif);
+ }
+ /* Perhaps ilgs should use this ill */
+ update_conn_ill(NULL, ill->ill_ipst);
+
+ /*
+ * This had to be deferred until we had bound. Tell routing sockets and
+ * others that this interface is up if it looks like the address has
+ * been validated. Otherwise, if it isn't ready yet, wait for
+ * duplicate address detection to do its thing.
+ */
+ if (ipif->ipif_addr_ready)
+ ipif_up_notify(ipif);
+ return (0);
+}
+
+/*
+ * Add the IREs associated with the ipif.
+ * Those MUST be explicitly removed in ipif_delete_ires_v4.
+ */
+static int
+ipif_add_ires_v4(ipif_t *ipif, boolean_t loopback)
+{
+ ill_t *ill = ipif->ipif_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ ire_t *ire_array[20];
+ ire_t **irep = ire_array;
+ ire_t **irep1;
+ ipaddr_t net_mask = 0;
+ ipaddr_t subnet_mask, route_mask;
+ int err;
+ ire_t *ire_local = NULL; /* LOCAL or LOOPBACK */
+
if ((ipif->ipif_lcl_addr != INADDR_ANY) &&
!(ipif->ipif_flags & IPIF_NOLOCAL)) {
-
/*
* If we're on a labeled system then make sure that zone-
* private addresses have proper remote host database entries.
@@ -16191,38 +14207,34 @@ ipif_up_done(ipif_t *ipif)
err = ip_srcid_insert(&ipif->ipif_v6lcl_addr,
ipif->ipif_zoneid, ipst);
if (err != 0) {
- ip0dbg(("ipif_up_done: srcid_insert %d\n", err));
+ ip0dbg(("ipif_add_ires: srcid_insert %d\n", err));
return (err);
}
/* If the interface address is set, create the local IRE. */
- ip1dbg(("ipif_up_done: 0x%p creating IRE 0x%x for 0x%x\n",
- (void *)ipif,
- ipif->ipif_ire_type,
- ntohl(ipif->ipif_lcl_addr)));
- *irep++ = ire_create(
+ ire_local = ire_create(
(uchar_t *)&ipif->ipif_lcl_addr, /* dest address */
(uchar_t *)&ip_g_all_ones, /* mask */
- (uchar_t *)&src_ipif->ipif_src_addr, /* source address */
NULL, /* no gateway */
- &ip_loopback_mtuplus, /* max frag size */
- NULL,
- ipif->ipif_rq, /* recv-from queue */
- NULL, /* no send-to queue */
ipif->ipif_ire_type, /* LOCAL or LOOPBACK */
- ipif,
- 0,
- 0,
- 0,
- (ipif->ipif_flags & IPIF_PRIVATE) ?
- RTF_PRIVATE : 0,
- &ire_uinfo_null,
- NULL,
+ ipif->ipif_ill,
+ ipif->ipif_zoneid,
+ ((ipif->ipif_flags & IPIF_PRIVATE) ?
+ RTF_PRIVATE : 0) | RTF_KERNEL,
NULL,
ipst);
+ ip1dbg(("ipif_add_ires: 0x%p creating IRE %p type 0x%x"
+ " for 0x%x\n", (void *)ipif, (void *)ire_local,
+ ipif->ipif_ire_type,
+ ntohl(ipif->ipif_lcl_addr)));
+ if (ire_local == NULL) {
+ ip1dbg(("ipif_up_done: NULL ire_local\n"));
+ err = ENOMEM;
+ goto bad;
+ }
} else {
ip1dbg((
- "ipif_up_done: not creating IRE %d for 0x%x: flags 0x%x\n",
+ "ipif_add_ires: not creating IRE %d for 0x%x: flags 0x%x\n",
ipif->ipif_ire_type,
ntohl(ipif->ipif_lcl_addr),
(uint_t)ipif->ipif_flags));
@@ -16249,7 +14261,7 @@ ipif_up_done(ipif_t *ipif)
}
/* Set up the IRE_IF_RESOLVER or IRE_IF_NORESOLVER, as appropriate. */
- if (stq != NULL && !(ipif->ipif_flags & IPIF_NOXMIT) &&
+ if (!loopback && !(ipif->ipif_flags & IPIF_NOXMIT) &&
ipif->ipif_subnet != INADDR_ANY) {
/* ipif_subnet is ipif_pp_dst_addr for pt-pt */
@@ -16259,7 +14271,7 @@ ipif_up_done(ipif_t *ipif)
route_mask = subnet_mask;
}
- ip1dbg(("ipif_up_done: ipif 0x%p ill 0x%p "
+ ip1dbg(("ipif_add_ires: ipif 0x%p ill 0x%p "
"creating if IRE ill_net_type 0x%x for 0x%x\n",
(void *)ipif, (void *)ill,
ill->ill_net_type,
@@ -16267,20 +14279,12 @@ ipif_up_done(ipif_t *ipif)
*irep++ = ire_create(
(uchar_t *)&ipif->ipif_subnet, /* dest address */
(uchar_t *)&route_mask, /* mask */
- (uchar_t *)&src_ipif->ipif_src_addr, /* src addr */
- NULL, /* no gateway */
- &ipif->ipif_mtu, /* max frag */
- NULL,
- NULL, /* no recv queue */
- stq, /* send-to queue */
+ (uchar_t *)&ipif->ipif_lcl_addr, /* gateway */
ill->ill_net_type, /* IF_[NO]RESOLVER */
- ipif,
- 0,
- 0,
- 0,
- (ipif->ipif_flags & IPIF_PRIVATE) ? RTF_PRIVATE: 0,
- &ire_uinfo_null,
- NULL,
+ ill,
+ ipif->ipif_zoneid,
+ ((ipif->ipif_flags & IPIF_PRIVATE) ?
+ RTF_PRIVATE: 0) | RTF_KERNEL,
NULL,
ipst);
}
@@ -16288,11 +14292,10 @@ ipif_up_done(ipif_t *ipif)
/*
* Create any necessary broadcast IREs.
*/
- if (ipif->ipif_flags & IPIF_BROADCAST)
+ if ((ipif->ipif_flags & IPIF_BROADCAST) &&
+ !(ipif->ipif_flags & IPIF_NOXMIT))
irep = ipif_create_bcast_ires(ipif, irep);
- ASSERT(!MUTEX_HELD(&ipif->ipif_ill->ill_lock));
-
/* If an earlier ire_create failed, get out now */
for (irep1 = irep; irep1 > ire_array; ) {
irep1--;
@@ -16324,14 +14327,9 @@ ipif_up_done(ipif_t *ipif)
* ipif. So we don't want to delete it (otherwise the other ipif
* would be unable to send packets).
* ip_addr_availability_check() identifies this case for us and
- * returns EADDRINUSE; we need to turn it into EADDRNOTAVAIL
+ * returns EADDRINUSE; Caller should turn it into EADDRNOTAVAIL
* which is the expected error code.
*/
- if (err == EADDRINUSE) {
- freemsg(ipif->ipif_arp_del_mp);
- ipif->ipif_arp_del_mp = NULL;
- err = EADDRNOTAVAIL;
- }
ill->ill_ipif_up_count--;
ipif->ipif_flags &= ~IPIF_UP;
goto bad;
@@ -16341,19 +14339,33 @@ ipif_up_done(ipif_t *ipif)
* Add in all newly created IREs. ire_create_bcast() has
* already checked for duplicates of the IRE_BROADCAST type.
*/
+ if (ire_local != NULL) {
+ ire_local = ire_add(ire_local);
+#ifdef DEBUG
+ if (ire_local != NULL) {
+ ire_refhold_notr(ire_local);
+ ire_refrele(ire_local);
+ }
+#endif
+ }
+
+ rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
+ if (ire_local != NULL)
+ ipif->ipif_ire_local = ire_local;
+ rw_exit(&ipst->ips_ill_g_lock);
+ ire_local = NULL;
+
for (irep1 = irep; irep1 > ire_array; ) {
irep1--;
- ASSERT(!MUTEX_HELD(&((*irep1)->ire_ipif->ipif_ill->ill_lock)));
- /*
- * refheld by ire_add. refele towards the end of the func
- */
- (void) ire_add(irep1, NULL, NULL, NULL, B_FALSE);
+ ASSERT(!MUTEX_HELD(&((*irep1)->ire_ill->ill_lock)));
+ /* refheld by ire_add. */
+ *irep1 = ire_add(*irep1);
+ if (*irep1 != NULL) {
+ ire_refrele(*irep1);
+ *irep1 = NULL;
+ }
}
- /* Recover any additional IRE_IF_[NO]RESOLVER entries for this ipif */
- ipif_saved_ire_cnt = ipif->ipif_saved_ire_cnt;
- ipif_saved_irep = ipif_recover_ire(ipif);
-
if (!loopback) {
/*
* If the broadcast address has been set, make sure it makes
@@ -16364,9 +14376,9 @@ ipif_up_done(ipif_t *ipif)
(ipif->ipif_flags & IPIF_BROADCAST)) {
ire_t *ire;
- ire = ire_ctable_lookup(ipif->ipif_brd_addr, 0,
- IRE_BROADCAST, ipif, ALL_ZONES,
- NULL, (MATCH_IRE_TYPE | MATCH_IRE_ILL), ipst);
+ ire = ire_ftable_lookup_v4(ipif->ipif_brd_addr, 0, 0,
+ IRE_BROADCAST, ipif->ipif_ill, ALL_ZONES, NULL,
+ (MATCH_IRE_TYPE | MATCH_IRE_ILL), 0, ipst, NULL);
if (ire == NULL) {
/*
@@ -16383,176 +14395,113 @@ ipif_up_done(ipif_t *ipif)
}
}
-
- if (ill->ill_need_recover_multicast) {
- /*
- * Need to recover all multicast memberships in the driver.
- * This had to be deferred until we had attached. The same
- * code exists in ipif_up_done_v6() to recover IPv6
- * memberships.
- *
- * Note that it would be preferable to unconditionally do the
- * ill_recover_multicast() in ill_dl_up(), but we cannot do
- * that since ill_join_allmulti() depends on ill_dl_up being
- * set, and it is not set until we receive a DL_BIND_ACK after
- * having called ill_dl_up().
- */
- ill_recover_multicast(ill);
- }
-
- if (ill->ill_ipif_up_count == 1) {
- /*
- * Since the interface is now up, it may now be active.
- */
- if (IS_UNDER_IPMP(ill))
- ipmp_ill_refresh_active(ill);
-
- /*
- * If this is an IPMP interface, we may now be able to
- * establish ARP entries.
- */
- if (IS_IPMP(ill))
- ipmp_illgrp_refresh_arpent(ill->ill_grp);
- }
-
- /* Join the allhosts multicast address */
- ipif_multicast_up(ipif);
-
- /*
- * See if anybody else would benefit from our new ipif.
- */
- if (!loopback &&
- !(ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST|IPIF_DEPRECATED))) {
- ill_update_source_selection(ill);
- }
-
- for (irep1 = irep; irep1 > ire_array; ) {
- irep1--;
- if (*irep1 != NULL) {
- /* was held in ire_add */
- ire_refrele(*irep1);
- }
- }
-
- cnt = ipif_saved_ire_cnt;
- for (irep1 = ipif_saved_irep; cnt > 0; irep1++, cnt--) {
- if (*irep1 != NULL) {
- /* was held in ire_add */
- ire_refrele(*irep1);
- }
- }
-
- if (!loopback && ipif->ipif_addr_ready) {
- /* Broadcast an address mask reply. */
- ipif_mask_reply(ipif);
- }
- if (ipif_saved_irep != NULL) {
- kmem_free(ipif_saved_irep,
- ipif_saved_ire_cnt * sizeof (ire_t *));
- }
- if (src_ipif_held)
- ipif_refrele(src_ipif);
-
- /*
- * This had to be deferred until we had bound. Tell routing sockets and
- * others that this interface is up if it looks like the address has
- * been validated. Otherwise, if it isn't ready yet, wait for
- * duplicate address detection to do its thing.
- */
- if (ipif->ipif_addr_ready)
- ipif_up_notify(ipif);
return (0);
bad:
- ip1dbg(("ipif_up_done: FAILED \n"));
-
+ ip1dbg(("ipif_add_ires: FAILED \n"));
+ if (ire_local != NULL)
+ ire_delete(ire_local);
while (irep > ire_array) {
irep--;
- if (*irep != NULL)
+ if (*irep != NULL) {
ire_delete(*irep);
+ }
}
(void) ip_srcid_remove(&ipif->ipif_v6lcl_addr, ipif->ipif_zoneid, ipst);
- if (ipif_saved_irep != NULL) {
- kmem_free(ipif_saved_irep,
- ipif_saved_ire_cnt * sizeof (ire_t *));
- }
- if (src_ipif_held)
- ipif_refrele(src_ipif);
-
- ipif_resolver_down(ipif);
return (err);
}
-/*
- * Turn off the ARP with the ILLF_NOARP flag.
- */
-static int
-ill_arp_off(ill_t *ill)
+/* Remove all the IREs created by ipif_add_ires_v4 */
+void
+ipif_delete_ires_v4(ipif_t *ipif)
{
- mblk_t *arp_off_mp = NULL;
- mblk_t *arp_on_mp = NULL;
+ ill_t *ill = ipif->ipif_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ ipaddr_t net_mask = 0;
+ ipaddr_t subnet_mask, route_mask;
+ int match_args;
+ ire_t *ire;
+ boolean_t loopback;
- ip1dbg(("ill_arp_off(%s)\n", ill->ill_name));
+ /* Check if this is a loopback interface */
+ loopback = (ipif->ipif_ill->ill_wq == NULL);
- ASSERT(IAM_WRITER_ILL(ill));
- ASSERT(ill->ill_net_type == IRE_IF_RESOLVER);
+ match_args = MATCH_IRE_TYPE | MATCH_IRE_ILL | MATCH_IRE_MASK |
+ MATCH_IRE_ZONEONLY;
- /*
- * If the on message is still around we've already done
- * an arp_off without doing an arp_on thus there is no
- * work needed.
- */
- if (ill->ill_arp_on_mp != NULL)
- return (0);
+ rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
+ if ((ire = ipif->ipif_ire_local) != NULL) {
+ ipif->ipif_ire_local = NULL;
+ rw_exit(&ipst->ips_ill_g_lock);
+ /*
+ * Move count to ipif so we don't loose the count due to
+ * a down/up dance.
+ */
+ atomic_add_32(&ipif->ipif_ib_pkt_count, ire->ire_ib_pkt_count);
- /*
- * Allocate an ARP on message (to be saved) and an ARP off message
- */
- arp_off_mp = ill_arp_alloc(ill, (uchar_t *)&ip_aroff_template, 0);
- if (!arp_off_mp)
- return (ENOMEM);
+ ire_delete(ire);
+ ire_refrele_notr(ire);
+ } else {
+ rw_exit(&ipst->ips_ill_g_lock);
+ }
+
+ match_args |= MATCH_IRE_GW;
- arp_on_mp = ill_arp_alloc(ill, (uchar_t *)&ip_aron_template, 0);
- if (!arp_on_mp)
- goto failed;
+ if ((ipif->ipif_lcl_addr != INADDR_ANY) &&
+ !(ipif->ipif_flags & IPIF_NOLOCAL)) {
+ net_mask = ip_net_mask(ipif->ipif_lcl_addr);
+ } else {
+ net_mask = htonl(IN_CLASSA_NET); /* fallback */
+ }
- ASSERT(ill->ill_arp_on_mp == NULL);
- ill->ill_arp_on_mp = arp_on_mp;
+ subnet_mask = ipif->ipif_net_mask;
- /* Send an AR_INTERFACE_OFF request */
- putnext(ill->ill_rq, arp_off_mp);
- return (0);
-failed:
+ /*
+ * If mask was not specified, use natural netmask of
+ * interface address. Also, store this mask back into the
+ * ipif struct.
+ */
+ if (subnet_mask == 0)
+ subnet_mask = net_mask;
- if (arp_off_mp)
- freemsg(arp_off_mp);
- return (ENOMEM);
-}
+ /* Delete the IRE_IF_RESOLVER or IRE_IF_NORESOLVER, as appropriate. */
+ if (IS_UNDER_IPMP(ill))
+ match_args |= MATCH_IRE_TESTHIDDEN;
-/*
- * Turn on ARP by turning off the ILLF_NOARP flag.
- */
-static int
-ill_arp_on(ill_t *ill)
-{
- mblk_t *mp;
+ if (!loopback && !(ipif->ipif_flags & IPIF_NOXMIT) &&
+ ipif->ipif_subnet != INADDR_ANY) {
+ /* ipif_subnet is ipif_pp_dst_addr for pt-pt */
- ip1dbg(("ipif_arp_on(%s)\n", ill->ill_name));
+ if (ipif->ipif_flags & IPIF_POINTOPOINT) {
+ route_mask = IP_HOST_MASK;
+ } else {
+ route_mask = subnet_mask;
+ }
- ASSERT(ill->ill_net_type == IRE_IF_RESOLVER);
+ ire = ire_ftable_lookup_v4(
+ ipif->ipif_subnet, /* dest address */
+ route_mask, /* mask */
+ ipif->ipif_lcl_addr, /* gateway */
+ ill->ill_net_type, /* IF_[NO]RESOLVER */
+ ill,
+ ipif->ipif_zoneid,
+ NULL,
+ match_args,
+ 0,
+ ipst,
+ NULL);
+ ASSERT(ire != NULL);
+ ire_delete(ire);
+ ire_refrele(ire);
+ }
- ASSERT(IAM_WRITER_ILL(ill));
/*
- * Send an AR_INTERFACE_ON request if we have already done
- * an arp_off (which allocated the message).
+ * Create any necessary broadcast IREs.
*/
- if (ill->ill_arp_on_mp != NULL) {
- mp = ill->ill_arp_on_mp;
- ill->ill_arp_on_mp = NULL;
- putnext(ill->ill_rq, mp);
- }
- return (0);
+ if ((ipif->ipif_flags & IPIF_BROADCAST) &&
+ !(ipif->ipif_flags & IPIF_NOXMIT))
+ ipif_delete_bcast_ires(ipif);
}
/*
@@ -16561,49 +14510,72 @@ ill_arp_on(ill_t *ill)
* this selection is done regardless of the destination.
*/
boolean_t
-ipif_usesrc_avail(ill_t *ill, zoneid_t zoneid)
+ipif_zone_avail(uint_t ifindex, boolean_t isv6, zoneid_t zoneid,
+ ip_stack_t *ipst)
{
- uint_t ifindex;
- ipif_t *ipif = NULL;
- ill_t *uill;
- boolean_t isv6;
- ip_stack_t *ipst = ill->ill_ipst;
+ ipif_t *ipif = NULL;
+ ill_t *uill;
- ASSERT(ill != NULL);
+ ASSERT(ifindex != 0);
- isv6 = ill->ill_isv6;
- ifindex = ill->ill_usesrc_ifindex;
- if (ifindex != 0) {
- uill = ill_lookup_on_ifindex(ifindex, isv6, NULL, NULL, NULL,
- NULL, ipst);
- if (uill == NULL)
- return (B_FALSE);
- mutex_enter(&uill->ill_lock);
- for (ipif = uill->ill_ipif; ipif != NULL;
- ipif = ipif->ipif_next) {
- if (!IPIF_CAN_LOOKUP(ipif))
- continue;
- if (ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST))
- continue;
- if (!(ipif->ipif_flags & IPIF_UP))
- continue;
- if (ipif->ipif_zoneid != zoneid)
- continue;
- if ((isv6 &&
- IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr)) ||
- (ipif->ipif_lcl_addr == INADDR_ANY))
- continue;
- mutex_exit(&uill->ill_lock);
- ill_refrele(uill);
- return (B_TRUE);
- }
+ uill = ill_lookup_on_ifindex(ifindex, isv6, ipst);
+ if (uill == NULL)
+ return (B_FALSE);
+
+ mutex_enter(&uill->ill_lock);
+ for (ipif = uill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
+ if (IPIF_IS_CONDEMNED(ipif))
+ continue;
+ if (ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST))
+ continue;
+ if (!(ipif->ipif_flags & IPIF_UP))
+ continue;
+ if (ipif->ipif_zoneid != zoneid)
+ continue;
+ if (isv6 ? IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) :
+ ipif->ipif_lcl_addr == INADDR_ANY)
+ continue;
mutex_exit(&uill->ill_lock);
ill_refrele(uill);
+ return (B_TRUE);
}
+ mutex_exit(&uill->ill_lock);
+ ill_refrele(uill);
return (B_FALSE);
}
/*
+ * Find an ipif with a good local address on the ill+zoneid.
+ */
+ipif_t *
+ipif_good_addr(ill_t *ill, zoneid_t zoneid)
+{
+ ipif_t *ipif;
+
+ mutex_enter(&ill->ill_lock);
+ for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
+ if (IPIF_IS_CONDEMNED(ipif))
+ continue;
+ if (ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST))
+ continue;
+ if (!(ipif->ipif_flags & IPIF_UP))
+ continue;
+ if (ipif->ipif_zoneid != zoneid &&
+ ipif->ipif_zoneid != ALL_ZONES && zoneid != ALL_ZONES)
+ continue;
+ if (ill->ill_isv6 ?
+ IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) :
+ ipif->ipif_lcl_addr == INADDR_ANY)
+ continue;
+ ipif_refhold_locked(ipif);
+ mutex_exit(&ill->ill_lock);
+ return (ipif);
+ }
+ mutex_exit(&ill->ill_lock);
+ return (NULL);
+}
+
+/*
* IP source address type, sorted from worst to best. For a given type,
* always prefer IP addresses on the same subnet. All-zones addresses are
* suboptimal because they pose problems with unlabeled destinations.
@@ -16615,7 +14587,8 @@ typedef enum {
IPIF_DIFFNET_ALLZONES, /* allzones and different subnet */
IPIF_SAMENET_ALLZONES, /* allzones and same subnet */
IPIF_DIFFNET, /* normal and different subnet */
- IPIF_SAMENET /* normal and same subnet */
+ IPIF_SAMENET, /* normal and same subnet */
+ IPIF_LOCALADDR /* local loopback */
} ipif_type_t;
/*
@@ -16629,7 +14602,8 @@ typedef enum {
* This only occurs when there is no valid source address for the ill.
*/
ipif_t *
-ipif_select_source(ill_t *ill, ipaddr_t dst, zoneid_t zoneid)
+ipif_select_source_v4(ill_t *ill, ipaddr_t dst, zoneid_t zoneid,
+ boolean_t allow_usesrc, boolean_t *notreadyp)
{
ill_t *usill = NULL;
ill_t *ipmp_ill = NULL;
@@ -16639,9 +14613,9 @@ ipif_select_source(ill_t *ill, ipaddr_t dst, zoneid_t zoneid)
ip_stack_t *ipst = ill->ill_ipst;
boolean_t samenet;
- if (ill->ill_usesrc_ifindex != 0) {
+ if (ill->ill_usesrc_ifindex != 0 && allow_usesrc) {
usill = ill_lookup_on_ifindex(ill->ill_usesrc_ifindex,
- B_FALSE, NULL, NULL, NULL, NULL, ipst);
+ B_FALSE, ipst);
if (usill != NULL)
ill = usill; /* Select source from usesrc ILL */
else
@@ -16705,14 +14679,22 @@ retry:
if ((next_ipif = ipif->ipif_next) == NULL)
next_ipif = ill->ill_ipif;
- if (!IPIF_CAN_LOOKUP(ipif))
+ if (IPIF_IS_CONDEMNED(ipif))
continue;
/* Always skip NOLOCAL and ANYCAST interfaces */
if (ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST))
continue;
- if (!(ipif->ipif_flags & IPIF_UP) || !ipif->ipif_addr_ready)
+ if (!(ipif->ipif_flags & IPIF_UP))
continue;
- if (ipif->ipif_zoneid != zoneid &&
+
+ if (!ipif->ipif_addr_ready) {
+ if (notreadyp != NULL)
+ *notreadyp = B_TRUE;
+ continue;
+ }
+
+ if (zoneid != ALL_ZONES &&
+ ipif->ipif_zoneid != zoneid &&
ipif->ipif_zoneid != ALL_ZONES)
continue;
@@ -16749,7 +14731,9 @@ retry:
samenet = ((ipif->ipif_net_mask & dst) == ipif->ipif_subnet);
- if (ipif->ipif_flags & IPIF_DEPRECATED) {
+ if (ipif->ipif_lcl_addr == dst) {
+ type = IPIF_LOCALADDR;
+ } else if (ipif->ipif_flags & IPIF_DEPRECATED) {
type = samenet ? IPIF_SAMENET_DEPRECATED :
IPIF_DIFFNET_DEPRECATED;
} else if (ipif->ipif_zoneid == ALL_ZONES) {
@@ -16762,14 +14746,14 @@ retry:
if (type > best_type) {
best_type = type;
best_ipif = ipif;
- if (best_type == IPIF_SAMENET)
+ if (best_type == IPIF_LOCALADDR)
break; /* can't get better */
}
} while ((ipif = next_ipif) != start_ipif);
if ((ipif = best_ipif) != NULL) {
mutex_enter(&ipif->ipif_ill->ill_lock);
- if (!IPIF_CAN_LOOKUP(ipif)) {
+ if (IPIF_IS_CONDEMNED(ipif)) {
mutex_exit(&ipif->ipif_ill->ill_lock);
goto retry;
}
@@ -16783,7 +14767,7 @@ retry:
*/
if (IS_IPMP(ill) && ipif != NULL) {
next_ipif = ipif->ipif_next;
- if (next_ipif != NULL && IPIF_CAN_LOOKUP(next_ipif))
+ if (next_ipif != NULL && !IPIF_IS_CONDEMNED(next_ipif))
ill->ill_src_ipif = next_ipif;
else
ill->ill_src_ipif = NULL;
@@ -16803,14 +14787,14 @@ retry:
if (ipif == NULL) {
char buf1[INET6_ADDRSTRLEN];
- ip1dbg(("ipif_select_source(%s, %s) -> NULL\n",
+ ip1dbg(("ipif_select_source_v4(%s, %s) -> NULL\n",
ill->ill_name,
inet_ntop(AF_INET, &dst, buf1, sizeof (buf1))));
} else {
char buf1[INET6_ADDRSTRLEN];
char buf2[INET6_ADDRSTRLEN];
- ip1dbg(("ipif_select_source(%s, %s) -> %s\n",
+ ip1dbg(("ipif_select_source_v4(%s, %s) -> %s\n",
ipif->ipif_ill->ill_name,
inet_ntop(AF_INET, &dst, buf1, sizeof (buf1)),
inet_ntop(AF_INET, &ipif->ipif_lcl_addr,
@@ -16821,172 +14805,80 @@ retry:
}
/*
- * If old_ipif is not NULL, see if ipif was derived from old
- * ipif and if so, recreate the interface route by re-doing
- * source address selection. This happens when ipif_down ->
- * ipif_update_other_ipifs calls us.
+ * Pick a source address based on the destination ill and an optional setsrc
+ * address.
+ * The result is stored in srcp. If generation is set, then put the source
+ * generation number there before we look for the source address (to avoid
+ * missing changes in the set of source addresses.
+ * If flagsp is set, then us it to pass back ipif_flags.
*
- * If old_ipif is NULL, just redo the source address selection
- * if needed. This happens when ipif_up_done calls us.
+ * If the caller wants to cache the returned source address and detect when
+ * that might be stale, the caller should pass in a generation argument,
+ * which the caller can later compare against ips_src_generation
+ *
+ * The precedence order for selecting an IPv4 source address is:
+ * - RTF_SETSRC on the offlink ire always wins.
+ * - If usrsrc is set, swap the ill to be the usesrc one.
+ * - If IPMP is used on the ill, select a random address from the most
+ * preferred ones below:
+ * 1. If onlink destination, same subnet and not deprecated, not ALL_ZONES
+ * 2. Not deprecated, not ALL_ZONES
+ * 3. If onlink destination, same subnet and not deprecated, ALL_ZONES
+ * 4. Not deprecated, ALL_ZONES
+ * 5. If onlink destination, same subnet and deprecated
+ * 6. Deprecated.
+ *
+ * We have lower preference for ALL_ZONES IP addresses,
+ * as they pose problems with unlabeled destinations.
+ *
+ * Note that when multiple IP addresses match e.g., #1 we pick
+ * the first one if IPMP is not in use. With IPMP we randomize.
*/
-static void
-ipif_recreate_interface_routes(ipif_t *old_ipif, ipif_t *ipif)
+int
+ip_select_source_v4(ill_t *ill, ipaddr_t setsrc, ipaddr_t dst,
+ ipaddr_t multicast_ifaddr,
+ zoneid_t zoneid, ip_stack_t *ipst, ipaddr_t *srcp,
+ uint32_t *generation, uint64_t *flagsp)
{
- ire_t *ire;
- ire_t *ipif_ire;
- queue_t *stq;
- ipif_t *nipif;
- ill_t *ill;
- boolean_t need_rele = B_FALSE;
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
-
- ASSERT(old_ipif == NULL || IAM_WRITER_IPIF(old_ipif));
- ASSERT(IAM_WRITER_IPIF(ipif));
+ ipif_t *ipif;
+ boolean_t notready = B_FALSE; /* Set if !ipif_addr_ready found */
- ill = ipif->ipif_ill;
- if (!(ipif->ipif_flags &
- (IPIF_NOLOCAL|IPIF_ANYCAST|IPIF_DEPRECATED))) {
- /*
- * Can't possibly have borrowed the source
- * from old_ipif.
- */
- return;
- }
+ if (flagsp != NULL)
+ *flagsp = 0;
/*
- * Is there any work to be done? No work if the address
- * is INADDR_ANY, loopback or NOLOCAL or ANYCAST (
- * ipif_select_source() does not borrow addresses from
- * NOLOCAL and ANYCAST interfaces).
+ * Need to grab the generation number before we check to
+ * avoid a race with a change to the set of local addresses.
+ * No lock needed since the thread which updates the set of local
+ * addresses use ipif/ill locks and exit those (hence a store memory
+ * barrier) before doing the atomic increase of ips_src_generation.
*/
- if ((old_ipif != NULL) &&
- ((old_ipif->ipif_lcl_addr == INADDR_ANY) ||
- (old_ipif->ipif_ill->ill_wq == NULL) ||
- (old_ipif->ipif_flags &
- (IPIF_NOLOCAL|IPIF_ANYCAST)))) {
- return;
+ if (generation != NULL) {
+ *generation = ipst->ips_src_generation;
}
- /*
- * Perform the same checks as when creating the
- * IRE_INTERFACE in ipif_up_done.
- */
- if (!(ipif->ipif_flags & IPIF_UP))
- return;
-
- if ((ipif->ipif_flags & IPIF_NOXMIT) ||
- (ipif->ipif_subnet == INADDR_ANY))
- return;
-
- ipif_ire = ipif_to_ire(ipif);
- if (ipif_ire == NULL)
- return;
-
- /*
- * We know that ipif uses some other source for its
- * IRE_INTERFACE. Is it using the source of this
- * old_ipif?
- */
- if (old_ipif != NULL &&
- old_ipif->ipif_lcl_addr != ipif_ire->ire_src_addr) {
- ire_refrele(ipif_ire);
- return;
- }
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("ipif_recreate_interface_routes: deleting IRE for"
- " src %s\n", AF_INET, &ipif_ire->ire_src_addr);
- }
-
- stq = ipif_ire->ire_stq;
-
- /*
- * Can't use our source address. Select a different
- * source address for the IRE_INTERFACE.
- */
- nipif = ipif_select_source(ill, ipif->ipif_subnet, ipif->ipif_zoneid);
- if (nipif == NULL) {
- /* Last resort - all ipif's have IPIF_NOLOCAL */
- nipif = ipif;
- } else {
- need_rele = B_TRUE;
+ if (CLASSD(dst) && multicast_ifaddr != INADDR_ANY) {
+ *srcp = multicast_ifaddr;
+ return (0);
}
- ire = ire_create(
- (uchar_t *)&ipif->ipif_subnet, /* dest pref */
- (uchar_t *)&ipif->ipif_net_mask, /* mask */
- (uchar_t *)&nipif->ipif_src_addr, /* src addr */
- NULL, /* no gateway */
- &ipif->ipif_mtu, /* max frag */
- NULL, /* no src nce */
- NULL, /* no recv from queue */
- stq, /* send-to queue */
- ill->ill_net_type, /* IF_[NO]RESOLVER */
- ipif,
- 0,
- 0,
- 0,
- 0,
- &ire_uinfo_null,
- NULL,
- NULL,
- ipst);
-
- if (ire != NULL) {
- ire_t *ret_ire;
- int error;
-
- /*
- * We don't need ipif_ire anymore. We need to delete
- * before we add so that ire_add does not detect
- * duplicates.
- */
- ire_delete(ipif_ire);
- ret_ire = ire;
- error = ire_add(&ret_ire, NULL, NULL, NULL, B_FALSE);
- ASSERT(error == 0);
- ASSERT(ire == ret_ire);
- /* Held in ire_add */
- ire_refrele(ret_ire);
+ /* Was RTF_SETSRC set on the first IRE in the recursive lookup? */
+ if (setsrc != INADDR_ANY) {
+ *srcp = setsrc;
+ return (0);
}
- /*
- * Either we are falling through from above or could not
- * allocate a replacement.
- */
- ire_refrele(ipif_ire);
- if (need_rele)
- ipif_refrele(nipif);
-}
-
-/*
- * This old_ipif is going away.
- *
- * Determine if any other ipif's are using our address as
- * ipif_lcl_addr (due to those being IPIF_NOLOCAL, IPIF_ANYCAST, or
- * IPIF_DEPRECATED).
- * Find the IRE_INTERFACE for such ipifs and recreate them
- * to use an different source address following the rules in
- * ipif_up_done.
- */
-static void
-ipif_update_other_ipifs(ipif_t *old_ipif)
-{
- ipif_t *ipif;
- ill_t *ill;
- char buf[INET6_ADDRSTRLEN];
-
- ASSERT(IAM_WRITER_IPIF(old_ipif));
-
- ill = old_ipif->ipif_ill;
-
- ip1dbg(("ipif_update_other_ipifs(%s, %s)\n", ill->ill_name,
- inet_ntop(AF_INET, &old_ipif->ipif_lcl_addr, buf, sizeof (buf))));
-
- for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
- if (ipif == old_ipif)
- continue;
- ipif_recreate_interface_routes(old_ipif, ipif);
+ ipif = ipif_select_source_v4(ill, dst, zoneid, B_TRUE, &notready);
+ if (ipif == NULL) {
+ if (notready)
+ return (ENETDOWN);
+ else
+ return (EADDRNOTAVAIL);
}
+ *srcp = ipif->ipif_lcl_addr;
+ if (flagsp != NULL)
+ *flagsp = ipif->ipif_flags;
+ ipif_refrele(ipif);
+ return (0);
}
/* ARGSUSED */
@@ -17049,51 +14941,12 @@ ip_sioctl_sifname(ipif_t *dummy_ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
}
/*
- * Refresh all IRE_BROADCAST entries associated with `ill' to ensure the
- * minimum (but complete) set exist. This is necessary when adding or
- * removing an interface to/from an IPMP group, since interfaces in an
- * IPMP group use the IRE_BROADCAST entries for the IPMP group (whenever
- * its test address subnets overlap with IPMP data addresses). It's also
- * used to refresh the IRE_BROADCAST entries associated with the IPMP
- * interface when the nominated broadcast interface changes.
- */
-void
-ill_refresh_bcast(ill_t *ill)
-{
- ire_t *ire_array[12]; /* max ipif_create_bcast_ires() can create */
- ire_t **irep;
- ipif_t *ipif;
-
- ASSERT(!ill->ill_isv6);
- ASSERT(IAM_WRITER_ILL(ill));
-
- /*
- * Remove any old broadcast IREs.
- */
- ire_walk_ill_v4(MATCH_IRE_ILL | MATCH_IRE_TYPE, IRE_BROADCAST,
- ill_broadcast_delete, ill, ill);
-
- /*
- * Create new ones for any ipifs that are up and broadcast-capable.
- */
- for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
- if ((ipif->ipif_flags & (IPIF_UP|IPIF_BROADCAST)) !=
- (IPIF_UP|IPIF_BROADCAST))
- continue;
-
- irep = ipif_create_bcast_ires(ipif, ire_array);
- while (irep-- > ire_array) {
- (void) ire_add(irep, NULL, NULL, NULL, B_FALSE);
- if (*irep != NULL)
- ire_refrele(*irep);
- }
- }
-}
-
-/*
* Create any IRE_BROADCAST entries for `ipif', and store those entries in
- * `irep'. Returns a pointer to the next free `irep' entry (just like
- * ire_check_and_create_bcast()).
+ * `irep'. Returns a pointer to the next free `irep' entry
+ * A mirror exists in ipif_delete_bcast_ires().
+ *
+ * The management of any "extra" or seemingly duplicate IRE_BROADCASTs is
+ * done in ire_add.
*/
static ire_t **
ipif_create_bcast_ires(ipif_t *ipif, ire_t **irep)
@@ -17101,18 +14954,20 @@ ipif_create_bcast_ires(ipif_t *ipif, ire_t **irep)
ipaddr_t addr;
ipaddr_t netmask = ip_net_mask(ipif->ipif_lcl_addr);
ipaddr_t subnetmask = ipif->ipif_net_mask;
- int flags = MATCH_IRE_TYPE | MATCH_IRE_ILL;
+ ill_t *ill = ipif->ipif_ill;
+ zoneid_t zoneid = ipif->ipif_zoneid;
ip1dbg(("ipif_create_bcast_ires: creating broadcast IREs\n"));
ASSERT(ipif->ipif_flags & IPIF_BROADCAST);
+ ASSERT(!(ipif->ipif_flags & IPIF_NOXMIT));
if (ipif->ipif_lcl_addr == INADDR_ANY ||
(ipif->ipif_flags & IPIF_NOLOCAL))
netmask = htonl(IN_CLASSA_NET); /* fallback */
- irep = ire_check_and_create_bcast(ipif, 0, irep, flags);
- irep = ire_check_and_create_bcast(ipif, INADDR_BROADCAST, irep, flags);
+ irep = ire_create_bcast(ill, 0, zoneid, irep);
+ irep = ire_create_bcast(ill, INADDR_BROADCAST, zoneid, irep);
/*
* For backward compatibility, we create net broadcast IREs based on
@@ -17125,9 +14980,8 @@ ipif_create_bcast_ires(ipif_t *ipif, ire_t **irep)
*/
if (netmask < subnetmask) {
addr = netmask & ipif->ipif_subnet;
- irep = ire_check_and_create_bcast(ipif, addr, irep, flags);
- irep = ire_check_and_create_bcast(ipif, ~netmask | addr, irep,
- flags);
+ irep = ire_create_bcast(ill, addr, zoneid, irep);
+ irep = ire_create_bcast(ill, ~netmask | addr, zoneid, irep);
}
/*
@@ -17138,282 +14992,73 @@ ipif_create_bcast_ires(ipif_t *ipif, ire_t **irep)
*/
if (subnetmask != 0xFFFFFFFF) {
addr = ipif->ipif_subnet;
- irep = ire_check_and_create_bcast(ipif, addr, irep, flags);
- irep = ire_check_and_create_bcast(ipif, ~subnetmask | addr,
- irep, flags);
+ irep = ire_create_bcast(ill, addr, zoneid, irep);
+ irep = ire_create_bcast(ill, ~subnetmask | addr, zoneid, irep);
}
return (irep);
}
/*
- * Broadcast IRE info structure used in the functions below. Since we
- * allocate BCAST_COUNT of them on the stack, keep the bit layout compact.
- */
-typedef struct bcast_ireinfo {
- uchar_t bi_type; /* BCAST_* value from below */
- uchar_t bi_willdie:1, /* will this IRE be going away? */
- bi_needrep:1, /* do we need to replace it? */
- bi_haverep:1, /* have we replaced it? */
- bi_pad:5;
- ipaddr_t bi_addr; /* IRE address */
- ipif_t *bi_backup; /* last-ditch ipif to replace it on */
-} bcast_ireinfo_t;
-
-enum { BCAST_ALLONES, BCAST_ALLZEROES, BCAST_NET, BCAST_SUBNET, BCAST_COUNT };
-
-/*
- * Check if `ipif' needs the dying broadcast IRE described by `bireinfop', and
- * return B_TRUE if it should immediately be used to recreate the IRE.
- */
-static boolean_t
-ipif_consider_bcast(ipif_t *ipif, bcast_ireinfo_t *bireinfop)
-{
- ipaddr_t addr;
-
- ASSERT(!bireinfop->bi_haverep && bireinfop->bi_willdie);
-
- switch (bireinfop->bi_type) {
- case BCAST_NET:
- addr = ipif->ipif_subnet & ip_net_mask(ipif->ipif_subnet);
- if (addr != bireinfop->bi_addr)
- return (B_FALSE);
- break;
- case BCAST_SUBNET:
- if (ipif->ipif_subnet != bireinfop->bi_addr)
- return (B_FALSE);
- break;
- }
-
- bireinfop->bi_needrep = 1;
- if (ipif->ipif_flags & (IPIF_DEPRECATED|IPIF_NOLOCAL|IPIF_ANYCAST)) {
- if (bireinfop->bi_backup == NULL)
- bireinfop->bi_backup = ipif;
- return (B_FALSE);
- }
- return (B_TRUE);
-}
-
-/*
- * Create the broadcast IREs described by `bireinfop' on `ipif', and return
- * them ala ire_check_and_create_bcast().
- */
-static ire_t **
-ipif_create_bcast(ipif_t *ipif, bcast_ireinfo_t *bireinfop, ire_t **irep)
-{
- ipaddr_t mask, addr;
-
- ASSERT(!bireinfop->bi_haverep && bireinfop->bi_needrep);
-
- addr = bireinfop->bi_addr;
- irep = ire_create_bcast(ipif, addr, irep);
-
- switch (bireinfop->bi_type) {
- case BCAST_NET:
- mask = ip_net_mask(ipif->ipif_subnet);
- irep = ire_create_bcast(ipif, addr | ~mask, irep);
- break;
- case BCAST_SUBNET:
- mask = ipif->ipif_net_mask;
- irep = ire_create_bcast(ipif, addr | ~mask, irep);
- break;
- }
-
- bireinfop->bi_haverep = 1;
- return (irep);
-}
-
-/*
- * Walk through all of the ipifs on `ill' that will be affected by `test_ipif'
- * going away, and determine if any of the broadcast IREs (named by `bireinfop')
- * that are going away are still needed. If so, have ipif_create_bcast()
- * recreate them (except for the deprecated case, as explained below).
- */
-static ire_t **
-ill_create_bcast(ill_t *ill, ipif_t *test_ipif, bcast_ireinfo_t *bireinfo,
- ire_t **irep)
-{
- int i;
- ipif_t *ipif;
-
- ASSERT(!ill->ill_isv6);
- for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
- /*
- * Skip this ipif if it's (a) the one being taken down, (b)
- * not in the same zone, or (c) has no valid local address.
- */
- if (ipif == test_ipif ||
- ipif->ipif_zoneid != test_ipif->ipif_zoneid ||
- ipif->ipif_subnet == 0 ||
- (ipif->ipif_flags & (IPIF_UP|IPIF_BROADCAST|IPIF_NOXMIT)) !=
- (IPIF_UP|IPIF_BROADCAST))
- continue;
-
- /*
- * For each dying IRE that hasn't yet been replaced, see if
- * `ipif' needs it and whether the IRE should be recreated on
- * `ipif'. If `ipif' is deprecated, ipif_consider_bcast()
- * will return B_FALSE even if `ipif' needs the IRE on the
- * hopes that we'll later find a needy non-deprecated ipif.
- * However, the ipif is recorded in bi_backup for possible
- * subsequent use by ipif_check_bcast_ires().
- */
- for (i = 0; i < BCAST_COUNT; i++) {
- if (!bireinfo[i].bi_willdie || bireinfo[i].bi_haverep)
- continue;
- if (!ipif_consider_bcast(ipif, &bireinfo[i]))
- continue;
- irep = ipif_create_bcast(ipif, &bireinfo[i], irep);
- }
-
- /*
- * If we've replaced all of the broadcast IREs that are going
- * to be taken down, we know we're done.
- */
- for (i = 0; i < BCAST_COUNT; i++) {
- if (bireinfo[i].bi_willdie && !bireinfo[i].bi_haverep)
- break;
- }
- if (i == BCAST_COUNT)
- break;
- }
- return (irep);
-}
-
-/*
- * Check if `test_ipif' (which is going away) is associated with any existing
- * broadcast IREs, and whether any other ipifs (e.g., on the same ill) were
- * using those broadcast IREs. If so, recreate the broadcast IREs on one or
- * more of those other ipifs. (The old IREs will be deleted in ipif_down().)
- *
- * This is necessary because broadcast IREs are shared. In particular, a
- * given ill has one set of all-zeroes and all-ones broadcast IREs (for every
- * zone), plus one set of all-subnet-ones, all-subnet-zeroes, all-net-ones,
- * and all-net-zeroes for every net/subnet (and every zone) it has IPIF_UP
- * ipifs on. Thus, if there are two IPIF_UP ipifs on the same subnet with the
- * same zone, they will share the same set of broadcast IREs.
- *
- * Note: the upper bound of 12 IREs comes from the worst case of replacing all
- * six pairs (loopback and non-loopback) of broadcast IREs (all-zeroes,
- * all-ones, subnet-zeroes, subnet-ones, net-zeroes, and net-ones).
+ * Mirror of ipif_create_bcast_ires()
*/
static void
-ipif_check_bcast_ires(ipif_t *test_ipif)
+ipif_delete_bcast_ires(ipif_t *ipif)
{
- ill_t *ill = test_ipif->ipif_ill;
- ire_t *ire, *ire_array[12]; /* see note above */
- ire_t **irep1, **irep = &ire_array[0];
- uint_t i, willdie;
- ipaddr_t mask = ip_net_mask(test_ipif->ipif_subnet);
- bcast_ireinfo_t bireinfo[BCAST_COUNT];
-
- ASSERT(!test_ipif->ipif_isv6);
- ASSERT(IAM_WRITER_IPIF(test_ipif));
-
- /*
- * No broadcast IREs for the LOOPBACK interface
- * or others such as point to point and IPIF_NOXMIT.
- */
- if (!(test_ipif->ipif_flags & IPIF_BROADCAST) ||
- (test_ipif->ipif_flags & IPIF_NOXMIT))
- return;
-
- bzero(bireinfo, sizeof (bireinfo));
- bireinfo[0].bi_type = BCAST_ALLZEROES;
- bireinfo[0].bi_addr = 0;
-
- bireinfo[1].bi_type = BCAST_ALLONES;
- bireinfo[1].bi_addr = INADDR_BROADCAST;
-
- bireinfo[2].bi_type = BCAST_NET;
- bireinfo[2].bi_addr = test_ipif->ipif_subnet & mask;
-
- if (test_ipif->ipif_net_mask != 0)
- mask = test_ipif->ipif_net_mask;
- bireinfo[3].bi_type = BCAST_SUBNET;
- bireinfo[3].bi_addr = test_ipif->ipif_subnet & mask;
-
- /*
- * Figure out what (if any) broadcast IREs will die as a result of
- * `test_ipif' going away. If none will die, we're done.
- */
- for (i = 0, willdie = 0; i < BCAST_COUNT; i++) {
- ire = ire_ctable_lookup(bireinfo[i].bi_addr, 0, IRE_BROADCAST,
- test_ipif, ALL_ZONES, NULL,
- (MATCH_IRE_TYPE | MATCH_IRE_IPIF), ill->ill_ipst);
- if (ire != NULL) {
- willdie++;
- bireinfo[i].bi_willdie = 1;
- ire_refrele(ire);
- }
- }
-
- if (willdie == 0)
- return;
-
- /*
- * Walk through all the ipifs that will be affected by the dying IREs,
- * and recreate the IREs as necessary. Note that all interfaces in an
- * IPMP illgrp share the same broadcast IREs, and thus the entire
- * illgrp must be walked, starting with the IPMP meta-interface (so
- * that broadcast IREs end up on it whenever possible).
- */
- if (IS_UNDER_IPMP(ill))
- ill = ipmp_illgrp_ipmp_ill(ill->ill_grp);
-
- irep = ill_create_bcast(ill, test_ipif, bireinfo, irep);
+ ipaddr_t addr;
+ ipaddr_t netmask = ip_net_mask(ipif->ipif_lcl_addr);
+ ipaddr_t subnetmask = ipif->ipif_net_mask;
+ ill_t *ill = ipif->ipif_ill;
+ zoneid_t zoneid = ipif->ipif_zoneid;
+ ire_t *ire;
- if (IS_IPMP(ill) || IS_UNDER_IPMP(ill)) {
- ipmp_illgrp_t *illg = ill->ill_grp;
+ ASSERT(ipif->ipif_flags & IPIF_BROADCAST);
+ ASSERT(!(ipif->ipif_flags & IPIF_NOXMIT));
- ill = list_head(&illg->ig_if);
- for (; ill != NULL; ill = list_next(&illg->ig_if, ill)) {
- for (i = 0; i < BCAST_COUNT; i++) {
- if (bireinfo[i].bi_willdie &&
- !bireinfo[i].bi_haverep)
- break;
- }
- if (i == BCAST_COUNT)
- break;
+ if (ipif->ipif_lcl_addr == INADDR_ANY ||
+ (ipif->ipif_flags & IPIF_NOLOCAL))
+ netmask = htonl(IN_CLASSA_NET); /* fallback */
- irep = ill_create_bcast(ill, test_ipif, bireinfo, irep);
- }
- }
+ ire = ire_lookup_bcast(ill, 0, zoneid);
+ ASSERT(ire != NULL);
+ ire_delete(ire); ire_refrele(ire);
+ ire = ire_lookup_bcast(ill, INADDR_BROADCAST, zoneid);
+ ASSERT(ire != NULL);
+ ire_delete(ire); ire_refrele(ire);
/*
- * Scan through the set of broadcast IREs and see if there are any
- * that we need to replace that have not yet been replaced. If so,
- * replace them using the appropriate backup ipif.
+ * For backward compatibility, we create net broadcast IREs based on
+ * the old "IP address class system", since some old machines only
+ * respond to these class derived net broadcast. However, we must not
+ * create these net broadcast IREs if the subnetmask is shorter than
+ * the IP address class based derived netmask. Otherwise, we may
+ * create a net broadcast address which is the same as an IP address
+ * on the subnet -- and then TCP will refuse to talk to that address.
*/
- for (i = 0; i < BCAST_COUNT; i++) {
- if (bireinfo[i].bi_needrep && !bireinfo[i].bi_haverep)
- irep = ipif_create_bcast(bireinfo[i].bi_backup,
- &bireinfo[i], irep);
+ if (netmask < subnetmask) {
+ addr = netmask & ipif->ipif_subnet;
+ ire = ire_lookup_bcast(ill, addr, zoneid);
+ ASSERT(ire != NULL);
+ ire_delete(ire); ire_refrele(ire);
+ ire = ire_lookup_bcast(ill, ~netmask | addr, zoneid);
+ ASSERT(ire != NULL);
+ ire_delete(ire); ire_refrele(ire);
}
/*
- * If we can't create all of them, don't add any of them. (Code in
- * ip_wput_ire() and ire_to_ill() assumes that we always have a
- * non-loopback copy and loopback copy for a given address.)
+ * Don't create IRE_BROADCAST IREs for the interface if the subnetmask
+ * is 0xFFFFFFFF, as an IRE_LOCAL for that interface is already
+ * created. Creating these broadcast IREs will only create confusion
+ * as `addr' will be the same as the IP address.
*/
- for (irep1 = irep; irep1 > ire_array; ) {
- irep1--;
- if (*irep1 == NULL) {
- ip0dbg(("ipif_check_bcast_ires: can't create "
- "IRE_BROADCAST, memory allocation failure\n"));
- while (irep > ire_array) {
- irep--;
- if (*irep != NULL)
- ire_delete(*irep);
- }
- return;
- }
- }
-
- for (irep1 = irep; irep1 > ire_array; ) {
- irep1--;
- if (ire_add(irep1, NULL, NULL, NULL, B_FALSE) == 0)
- ire_refrele(*irep1); /* Held in ire_add */
+ if (subnetmask != 0xFFFFFFFF) {
+ addr = ipif->ipif_subnet;
+ ire = ire_lookup_bcast(ill, addr, zoneid);
+ ASSERT(ire != NULL);
+ ire_delete(ire); ire_refrele(ire);
+ ire = ire_lookup_bcast(ill, ~subnetmask | addr, zoneid);
+ ASSERT(ire != NULL);
+ ire_delete(ire); ire_refrele(ire);
}
}
@@ -17423,7 +15068,7 @@ ipif_check_bcast_ires(ipif_t *test_ipif)
* Set IFF_IPV* and ill_isv6 prior to doing the lookup
* since ipif_lookup_on_name uses the _isv6 flags when matching.
* Returns EINPROGRESS when mp has been consumed by queueing it on
- * ill_pending_mp and the ioctl will complete in ip_rput.
+ * ipx_pending_mp and the ioctl will complete in ip_rput.
*
* Can operate on either a module or a driver queue.
* Returns an error if not a module queue.
@@ -17485,7 +15130,7 @@ ip_sioctl_slifname(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
* We start off as IFF_IPV4 in ipif_allocate and become
* IFF_IPV4 or IFF_IPV6 here depending on lifr_flags value.
* The only flags that we read from user space are IFF_IPV4,
- * IFF_IPV6, IFF_XRESOLV and IFF_BROADCAST.
+ * IFF_IPV6, and IFF_BROADCAST.
*
* This ill has not been inserted into the global list.
* So we are still single threaded and don't need any lock
@@ -17502,22 +15147,13 @@ ip_sioctl_slifname(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
}
new_flags =
- lifr->lifr_flags & (IFF_IPV6|IFF_IPV4|IFF_XRESOLV|IFF_BROADCAST);
+ lifr->lifr_flags & (IFF_IPV6|IFF_IPV4|IFF_BROADCAST);
if ((new_flags ^ (IFF_IPV6|IFF_IPV4)) == 0) {
ip1dbg(("ip_sioctl_slifname: flags must be exactly one of "
"IFF_IPV4 or IFF_IPV6\n"));
return (EINVAL);
}
- /*
- * Only allow the IFF_XRESOLV flag to be set on IPv6 interfaces.
- */
- if ((new_flags & IFF_XRESOLV) && !(new_flags & IFF_IPV6) &&
- !(ipif->ipif_isv6)) {
- ip1dbg(("ip_sioctl_slifname: XRESOLV only allowed on "
- "IPv6 interface\n"));
- return (EINVAL);
- }
/*
* We always start off as IPv4, so only need to check for IPv6.
@@ -17532,11 +15168,6 @@ ip_sioctl_slifname(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
else
ipif->ipif_flags &= ~IPIF_BROADCAST;
- if ((new_flags & IFF_XRESOLV) != 0)
- ill->ill_flags |= ILLF_XRESOLV;
- else
- ill->ill_flags &= ~ILLF_XRESOLV;
-
/* We started off as V4. */
if (ill->ill_flags & ILLF_IPV6) {
ill->ill_phyint->phyint_illv6 = ill;
@@ -17566,23 +15197,17 @@ ip_sioctl_slifname_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
*/
ipif_t *
ipif_lookup_on_ifindex(uint_t index, boolean_t isv6, zoneid_t zoneid,
- queue_t *q, mblk_t *mp, ipsq_func_t func, int *err, ip_stack_t *ipst)
+ ip_stack_t *ipst)
{
ill_t *ill;
ipif_t *ipif = NULL;
- ASSERT((q == NULL && mp == NULL && func == NULL && err == NULL) ||
- (q != NULL && mp != NULL && func != NULL && err != NULL));
-
- if (err != NULL)
- *err = 0;
-
- ill = ill_lookup_on_ifindex(index, isv6, q, mp, func, err, ipst);
+ ill = ill_lookup_on_ifindex(index, isv6, ipst);
if (ill != NULL) {
mutex_enter(&ill->ill_lock);
for (ipif = ill->ill_ipif; ipif != NULL;
ipif = ipif->ipif_next) {
- if (IPIF_CAN_LOOKUP(ipif) && (zoneid == ALL_ZONES ||
+ if (!IPIF_IS_CONDEMNED(ipif) && (zoneid == ALL_ZONES ||
zoneid == ipif->ipif_zoneid ||
ipif->ipif_zoneid == ALL_ZONES)) {
ipif_refhold_locked(ipif);
@@ -17591,8 +15216,6 @@ ipif_lookup_on_ifindex(uint_t index, boolean_t isv6, zoneid_t zoneid,
}
mutex_exit(&ill->ill_lock);
ill_refrele(ill);
- if (ipif == NULL && err != NULL)
- *err = ENXIO;
}
return (ipif);
}
@@ -17673,6 +15296,8 @@ ip_sioctl_slifindex(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
if (ILL_OTHER(ill))
ip_rts_ifmsg(ILL_OTHER(ill)->ill_ipif, RTSQ_DEFAULT);
+ /* Perhaps ilgs should use this ill */
+ update_conn_ill(NULL, ill->ill_ipst);
return (0);
}
@@ -17764,7 +15389,7 @@ ip_sioctl_slifzone(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
err = ipif_logical_down(ipif, q, mp);
if (err == EINPROGRESS)
return (err);
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
need_up = B_TRUE;
}
@@ -17801,6 +15426,9 @@ ip_sioctl_slifzone_tail(ipif_t *ipif, zoneid_t zoneid,
/* Update sctp list */
sctp_update_ipif(ipif, SCTP_IPIF_UPDATE);
+ /* The default multicast interface might have changed */
+ ire_increment_multicast_generation(ipst, ipif->ipif_ill->ill_isv6);
+
if (need_up) {
/*
* Now bring the interface back up. If this
@@ -17825,7 +15453,6 @@ ip_sioctl_slifzone_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
zone_t *zptr;
zone_status_t status;
- ASSERT(ipif->ipif_id != 0);
ASSERT(ipip->ipi_cmd_type == LIF_CMD);
if ((zoneid = lifr->lifr_zoneid) == ALL_ZONES)
zoneid = GLOBAL_ZONEID;
@@ -17863,7 +15490,7 @@ ip_sioctl_slifzone_restart(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
return (EINVAL);
}
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
return (ip_sioctl_slifzone_tail(ipif, lifr->lifr_zoneid, q, mp,
B_TRUE));
@@ -17943,6 +15570,16 @@ ill_prev_usesrc(ill_t *uill)
* Release all members of the usesrc group. This routine is called
* from ill_delete when the interface being unplumbed is the
* group head.
+ *
+ * This silently clears the usesrc that ifconfig setup.
+ * An alternative would be to keep that ifindex, and drop packets on the floor
+ * since no source address can be selected.
+ * Even if we keep the current semantics, don't need a lock and a linked list.
+ * Can walk all the ills checking if they have a ill_usesrc_ifindex matching
+ * the one that is being removed. Issue is how we return the usesrc users
+ * (SIOCGLIFSRCOF). We want to be able to find the ills which have an
+ * ill_usesrc_ifindex matching a target ill. We could also do that with an
+ * ill walk, but the walker would need to insert in the ioctl response.
*/
static void
ill_disband_usesrc_group(ill_t *uill)
@@ -18023,8 +15660,7 @@ ip_sioctl_slifusesrc(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ip_ioctl_cmd_t *ipip, void *ifreq)
{
struct lifreq *lifr = (struct lifreq *)ifreq;
- boolean_t isv6 = B_FALSE, reset_flg = B_FALSE,
- ill_flag_changed = B_FALSE;
+ boolean_t isv6 = B_FALSE, reset_flg = B_FALSE;
ill_t *usesrc_ill, *usesrc_cli_ill = ipif->ipif_ill;
int err = 0, ret;
uint_t ifindex;
@@ -18035,7 +15671,7 @@ ip_sioctl_slifusesrc(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
ASSERT(q->q_next == NULL);
ASSERT(CONN_Q(q));
- isv6 = (Q_TO_CONN(q))->conn_af_isv6;
+ isv6 = (Q_TO_CONN(q))->conn_family == AF_INET6;
ifindex = lifr->lifr_index;
if (ifindex == 0) {
@@ -18048,10 +15684,9 @@ ip_sioctl_slifusesrc(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
reset_flg = B_TRUE;
}
- usesrc_ill = ill_lookup_on_ifindex(ifindex, isv6, q, mp,
- ip_process_ioctl, &err, ipst);
+ usesrc_ill = ill_lookup_on_ifindex(ifindex, isv6, ipst);
if (usesrc_ill == NULL) {
- return (err);
+ return (ENXIO);
}
ipsq = ipsq_try_enter(NULL, usesrc_ill, q, mp, ip_process_ioctl,
@@ -18101,31 +15736,6 @@ ip_sioctl_slifusesrc(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
usesrc_ill->ill_isv6));
/*
- * The next step ensures that no new ires will be created referencing
- * the client ill, until the ILL_CHANGING flag is cleared. Then
- * we go through an ire walk deleting all ire caches that reference
- * the client ill. New ires referencing the client ill that are added
- * to the ire table before the ILL_CHANGING flag is set, will be
- * cleaned up by the ire walk below. Attempt to add new ires referencing
- * the client ill while the ILL_CHANGING flag is set will be failed
- * during the ire_add in ire_atomic_start. ire_atomic_start atomically
- * checks (under the ill_g_usesrc_lock) that the ire being added
- * is not stale, i.e the ire_stq and ire_ipif are consistent and
- * belong to the same usesrc group.
- */
- mutex_enter(&usesrc_cli_ill->ill_lock);
- usesrc_cli_ill->ill_state_flags |= ILL_CHANGING;
- mutex_exit(&usesrc_cli_ill->ill_lock);
- ill_flag_changed = B_TRUE;
-
- if (ipif->ipif_isv6)
- ire_walk_v6(ipif_delete_cache_ire, (char *)usesrc_cli_ill,
- ALL_ZONES, ipst);
- else
- ire_walk_v4(ipif_delete_cache_ire, (char *)usesrc_cli_ill,
- ALL_ZONES, ipst);
-
- /*
* ill_g_usesrc_lock global lock protects the ill_usesrc_grp_next
* and the ill_usesrc_ifindex fields
*/
@@ -18169,15 +15779,14 @@ ip_sioctl_slifusesrc(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
rw_exit(&ipst->ips_ill_g_usesrc_lock);
done:
- if (ill_flag_changed) {
- mutex_enter(&usesrc_cli_ill->ill_lock);
- usesrc_cli_ill->ill_state_flags &= ~ILL_CHANGING;
- mutex_exit(&usesrc_cli_ill->ill_lock);
- }
if (ipsq != NULL)
ipsq_exit(ipsq);
/* The refrele on the lifr_name ipif is done by ip_process_ioctl */
ill_refrele(usesrc_ill);
+
+ /* Let conn_ixa caching know that source address selection changed */
+ ip_update_source_selection(ipst);
+
return (err);
}
@@ -18384,7 +15993,6 @@ ill_phyint_reinit(ill_t *ill)
* Now that the phyint's ifindex has been assigned, complete the
* remaining
*/
-
ill->ill_ip_mib->ipIfStatsIfIndex = ill->ill_phyint->phyint_ifindex;
if (ill->ill_isv6) {
ill->ill_icmp6_mib->ipv6IfIcmpIfIndex =
@@ -18449,6 +16057,8 @@ ip_ifname_notify(ill_t *ill, queue_t *q)
lifr->lifr_ppa = ill->ill_ppa;
lifr->lifr_flags = (ill->ill_flags & (ILLF_IPV4|ILLF_IPV6));
+ DTRACE_PROBE3(ill__dlpi, char *, "ip_ifname_notify",
+ char *, "SIOCSLIFNAME", ill_t *, ill);
putnext(q, mp1);
}
@@ -18503,23 +16113,6 @@ ipif_set_values_tail(ill_t *ill, ipif_t *ipif, mblk_t *mp, queue_t *q)
*/
err = ill_dl_phys(ill, ipif, mp, q);
- /*
- * If there is no IRE expiration timer running, get one started.
- * igmp and mld timers will be triggered by the first multicast
- */
- if (ipst->ips_ip_ire_expire_id == 0) {
- /*
- * acquire the lock and check again.
- */
- mutex_enter(&ipst->ips_ip_trash_timer_lock);
- if (ipst->ips_ip_ire_expire_id == 0) {
- ipst->ips_ip_ire_expire_id = timeout(
- ip_trash_timer_expire, ipst,
- MSEC_TO_TICK(ipst->ips_ip_timer_interval));
- }
- mutex_exit(&ipst->ips_ip_trash_timer_lock);
- }
-
if (ill->ill_isv6) {
mutex_enter(&ipst->ips_mld_slowtimeout_lock);
if (ipst->ips_mld_slowtimeout_id == 0) {
@@ -18545,7 +16138,7 @@ ipif_set_values_tail(ill_t *ill, ipif_t *ipif, mblk_t *mp, queue_t *q)
* Common routine for ppa and ifname setting. Should be called exclusive.
*
* Returns EINPROGRESS when mp has been consumed by queueing it on
- * ill_pending_mp and the ioctl will complete in ip_rput.
+ * ipx_pending_mp and the ioctl will complete in ip_rput.
*
* NOTE : If ppa is UNIT_MAX, we assign the next valid ppa and return
* the new name and new ppa in lifr_name and lifr_ppa respectively.
@@ -18576,6 +16169,7 @@ ipif_set_values(queue_t *q, mblk_t *mp, char *interf_name, uint_t *new_ppa_ptr)
ASSERT((mi_strlen(interf_name) + 1) <= LIFNAMSIZ);
ASSERT(ill->ill_ppa == UINT_MAX);
+ ill->ill_defend_start = ill->ill_defend_count = 0;
/* The ppa is sent down by ifconfig or is chosen */
if ((ppa_ptr = ill_get_ppa_ptr(interf_name)) == NULL) {
return (EINVAL);
@@ -18630,18 +16224,18 @@ ipif_set_values(queue_t *q, mblk_t *mp, char *interf_name, uint_t *new_ppa_ptr)
if (ill->ill_flags & ILLF_IPV6) {
ill->ill_isv6 = B_TRUE;
+ ill_set_inputfn(ill);
if (ill->ill_rq != NULL) {
ill->ill_rq->q_qinfo = &iprinitv6;
- ill->ill_wq->q_qinfo = &ipwinitv6;
}
/* Keep the !IN6_IS_ADDR_V4MAPPED assertions happy */
ipif->ipif_v6lcl_addr = ipv6_all_zeros;
- ipif->ipif_v6src_addr = ipv6_all_zeros;
ipif->ipif_v6subnet = ipv6_all_zeros;
ipif->ipif_v6net_mask = ipv6_all_zeros;
ipif->ipif_v6brd_addr = ipv6_all_zeros;
ipif->ipif_v6pp_dst_addr = ipv6_all_zeros;
+ ill->ill_reachable_retrans_time = ND_RETRANS_TIMER;
/*
* point-to-point or Non-mulicast capable
* interfaces won't do NUD unless explicitly
@@ -18670,8 +16264,9 @@ ipif_set_values(queue_t *q, mblk_t *mp, char *interf_name, uint_t *new_ppa_ptr)
ill->ill_flags |= ILLF_ROUTER;
} else if (ill->ill_flags & ILLF_IPV4) {
ill->ill_isv6 = B_FALSE;
+ ill_set_inputfn(ill);
+ ill->ill_reachable_retrans_time = ARP_RETRANS_TIMER;
IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6lcl_addr);
- IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6src_addr);
IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6subnet);
IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6net_mask);
IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &ipif->ipif_v6brd_addr);
@@ -18783,6 +16378,7 @@ ipif_set_values(queue_t *q, mblk_t *mp, char *interf_name, uint_t *new_ppa_ptr)
* restore previous values
*/
ill->ill_isv6 = B_FALSE;
+ ill_set_inputfn(ill);
}
return (error);
}
@@ -18810,95 +16406,11 @@ ipif_init(ip_stack_t *ipst)
}
/*
- * Lookup the ipif corresponding to the onlink destination address. For
- * point-to-point interfaces, it matches with remote endpoint destination
- * address. For point-to-multipoint interfaces it only tries to match the
- * destination with the interface's subnet address. The longest, most specific
- * match is found to take care of such rare network configurations like -
- * le0: 129.146.1.1/16
- * le1: 129.146.2.2/24
- *
- * This is used by SO_DONTROUTE and IP_NEXTHOP. Since neither of those are
- * supported on underlying interfaces in an IPMP group, underlying interfaces
- * are ignored when looking up a match. (If we didn't ignore them, we'd
- * risk using a test address as a source for outgoing traffic.)
- */
-ipif_t *
-ipif_lookup_onlink_addr(ipaddr_t addr, zoneid_t zoneid, ip_stack_t *ipst)
-{
- ipif_t *ipif, *best_ipif;
- ill_t *ill;
- ill_walk_context_t ctx;
-
- ASSERT(zoneid != ALL_ZONES);
- best_ipif = NULL;
-
- rw_enter(&ipst->ips_ill_g_lock, RW_READER);
- ill = ILL_START_WALK_V4(&ctx, ipst);
- for (; ill != NULL; ill = ill_next(&ctx, ill)) {
- if (IS_UNDER_IPMP(ill))
- continue;
- mutex_enter(&ill->ill_lock);
- for (ipif = ill->ill_ipif; ipif != NULL;
- ipif = ipif->ipif_next) {
- if (!IPIF_CAN_LOOKUP(ipif))
- continue;
- if (ipif->ipif_zoneid != zoneid &&
- ipif->ipif_zoneid != ALL_ZONES)
- continue;
- /*
- * Point-to-point case. Look for exact match with
- * destination address.
- */
- if (ipif->ipif_flags & IPIF_POINTOPOINT) {
- if (ipif->ipif_pp_dst_addr == addr) {
- ipif_refhold_locked(ipif);
- mutex_exit(&ill->ill_lock);
- rw_exit(&ipst->ips_ill_g_lock);
- if (best_ipif != NULL)
- ipif_refrele(best_ipif);
- return (ipif);
- }
- } else if (ipif->ipif_subnet == (addr &
- ipif->ipif_net_mask)) {
- /*
- * Point-to-multipoint case. Looping through to
- * find the most specific match. If there are
- * multiple best match ipif's then prefer ipif's
- * that are UP. If there is only one best match
- * ipif and it is DOWN we must still return it.
- */
- if ((best_ipif == NULL) ||
- (ipif->ipif_net_mask >
- best_ipif->ipif_net_mask) ||
- ((ipif->ipif_net_mask ==
- best_ipif->ipif_net_mask) &&
- ((ipif->ipif_flags & IPIF_UP) &&
- (!(best_ipif->ipif_flags & IPIF_UP))))) {
- ipif_refhold_locked(ipif);
- mutex_exit(&ill->ill_lock);
- rw_exit(&ipst->ips_ill_g_lock);
- if (best_ipif != NULL)
- ipif_refrele(best_ipif);
- best_ipif = ipif;
- rw_enter(&ipst->ips_ill_g_lock,
- RW_READER);
- mutex_enter(&ill->ill_lock);
- }
- }
- }
- mutex_exit(&ill->ill_lock);
- }
- rw_exit(&ipst->ips_ill_g_lock);
- return (best_ipif);
-}
-
-/*
* Save enough information so that we can recreate the IRE if
* the interface goes down and then up.
*/
-static void
-ipif_save_ire(ipif_t *ipif, ire_t *ire)
+void
+ill_save_ire(ill_t *ill, ire_t *ire)
{
mblk_t *save_mp;
@@ -18910,115 +16422,148 @@ ipif_save_ire(ipif_t *ipif, ire_t *ire)
ifrt = (ifrt_t *)save_mp->b_rptr;
bzero(ifrt, sizeof (ifrt_t));
ifrt->ifrt_type = ire->ire_type;
- ifrt->ifrt_addr = ire->ire_addr;
- ifrt->ifrt_gateway_addr = ire->ire_gateway_addr;
- ifrt->ifrt_src_addr = ire->ire_src_addr;
- ifrt->ifrt_mask = ire->ire_mask;
+ if (ire->ire_ipversion == IPV4_VERSION) {
+ ASSERT(!ill->ill_isv6);
+ ifrt->ifrt_addr = ire->ire_addr;
+ ifrt->ifrt_gateway_addr = ire->ire_gateway_addr;
+ ifrt->ifrt_setsrc_addr = ire->ire_setsrc_addr;
+ ifrt->ifrt_mask = ire->ire_mask;
+ } else {
+ ASSERT(ill->ill_isv6);
+ ifrt->ifrt_v6addr = ire->ire_addr_v6;
+ /* ire_gateway_addr_v6 can change due to RTM_CHANGE */
+ mutex_enter(&ire->ire_lock);
+ ifrt->ifrt_v6gateway_addr = ire->ire_gateway_addr_v6;
+ mutex_exit(&ire->ire_lock);
+ ifrt->ifrt_v6setsrc_addr = ire->ire_setsrc_addr_v6;
+ ifrt->ifrt_v6mask = ire->ire_mask_v6;
+ }
ifrt->ifrt_flags = ire->ire_flags;
- ifrt->ifrt_max_frag = ire->ire_max_frag;
- mutex_enter(&ipif->ipif_saved_ire_lock);
- save_mp->b_cont = ipif->ipif_saved_ire_mp;
- ipif->ipif_saved_ire_mp = save_mp;
- ipif->ipif_saved_ire_cnt++;
- mutex_exit(&ipif->ipif_saved_ire_lock);
+ ifrt->ifrt_zoneid = ire->ire_zoneid;
+ mutex_enter(&ill->ill_saved_ire_lock);
+ save_mp->b_cont = ill->ill_saved_ire_mp;
+ ill->ill_saved_ire_mp = save_mp;
+ ill->ill_saved_ire_cnt++;
+ mutex_exit(&ill->ill_saved_ire_lock);
}
}
-static void
-ipif_remove_ire(ipif_t *ipif, ire_t *ire)
+/*
+ * Remove one entry from ill_saved_ire_mp.
+ */
+void
+ill_remove_saved_ire(ill_t *ill, ire_t *ire)
{
mblk_t **mpp;
mblk_t *mp;
ifrt_t *ifrt;
- /* Remove from ipif_saved_ire_mp list if it is there */
- mutex_enter(&ipif->ipif_saved_ire_lock);
- for (mpp = &ipif->ipif_saved_ire_mp; *mpp != NULL;
+ /* Remove from ill_saved_ire_mp list if it is there */
+ mutex_enter(&ill->ill_saved_ire_lock);
+ for (mpp = &ill->ill_saved_ire_mp; *mpp != NULL;
mpp = &(*mpp)->b_cont) {
+ in6_addr_t gw_addr_v6;
+
/*
- * On a given ipif, the triple of address, gateway and
- * mask is unique for each saved IRE (in the case of
- * ordinary interface routes, the gateway address is
- * all-zeroes).
+ * On a given ill, the tuple of address, gateway, mask,
+ * ire_type, and zoneid is unique for each saved IRE.
*/
mp = *mpp;
ifrt = (ifrt_t *)mp->b_rptr;
- if (ifrt->ifrt_addr == ire->ire_addr &&
+ /* ire_gateway_addr_v6 can change - need lock */
+ mutex_enter(&ire->ire_lock);
+ gw_addr_v6 = ire->ire_gateway_addr_v6;
+ mutex_exit(&ire->ire_lock);
+
+ if (ifrt->ifrt_zoneid != ire->ire_zoneid ||
+ ifrt->ifrt_type != ire->ire_type)
+ continue;
+
+ if (ill->ill_isv6 ?
+ (IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6addr,
+ &ire->ire_addr_v6) &&
+ IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6gateway_addr,
+ &gw_addr_v6) &&
+ IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6mask,
+ &ire->ire_mask_v6)) :
+ (ifrt->ifrt_addr == ire->ire_addr &&
ifrt->ifrt_gateway_addr == ire->ire_gateway_addr &&
- ifrt->ifrt_mask == ire->ire_mask) {
+ ifrt->ifrt_mask == ire->ire_mask)) {
*mpp = mp->b_cont;
- ipif->ipif_saved_ire_cnt--;
+ ill->ill_saved_ire_cnt--;
freeb(mp);
break;
}
}
- mutex_exit(&ipif->ipif_saved_ire_lock);
+ mutex_exit(&ill->ill_saved_ire_lock);
}
/*
* IP multirouting broadcast routes handling
* Append CGTP broadcast IREs to regular ones created
* at ifconfig time.
+ * The usage is a route add <cgtp_bc> <nic_bc> -multirt i.e., both
+ * the destination and the gateway are broadcast addresses.
+ * The caller has verified that the destination is an IRE_BROADCAST and that
+ * RTF_MULTIRT was set. Here if the gateway is a broadcast address, then
+ * we create a MULTIRT IRE_BROADCAST.
+ * Note that the IRE_HOST created by ire_rt_add doesn't get found by anything
+ * since the IRE_BROADCAST takes precedence; ire_add_v4 does head insertion.
*/
static void
-ip_cgtp_bcast_add(ire_t *ire, ire_t *ire_dst, ip_stack_t *ipst)
+ip_cgtp_bcast_add(ire_t *ire, ip_stack_t *ipst)
{
ire_t *ire_prim;
ASSERT(ire != NULL);
- ASSERT(ire_dst != NULL);
- ire_prim = ire_ctable_lookup(ire->ire_gateway_addr, 0,
- IRE_BROADCAST, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
+ ire_prim = ire_ftable_lookup_v4(ire->ire_gateway_addr, 0, 0,
+ IRE_BROADCAST, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 0, ipst,
+ NULL);
if (ire_prim != NULL) {
/*
* We are in the special case of broadcasts for
* CGTP. We add an IRE_BROADCAST that holds
* the RTF_MULTIRT flag, the destination
- * address of ire_dst and the low level
+ * address and the low level
* info of ire_prim. In other words, CGTP
* broadcast is added to the redundant ipif.
*/
- ipif_t *ipif_prim;
+ ill_t *ill_prim;
ire_t *bcast_ire;
- ipif_prim = ire_prim->ire_ipif;
+ ill_prim = ire_prim->ire_ill;
- ip2dbg(("ip_cgtp_filter_bcast_add: "
- "ire_dst %p, ire_prim %p, ipif_prim %p\n",
- (void *)ire_dst, (void *)ire_prim,
- (void *)ipif_prim));
+ ip2dbg(("ip_cgtp_filter_bcast_add: ire_prim %p, ill_prim %p\n",
+ (void *)ire_prim, (void *)ill_prim));
bcast_ire = ire_create(
(uchar_t *)&ire->ire_addr,
(uchar_t *)&ip_g_all_ones,
- (uchar_t *)&ire_dst->ire_src_addr,
(uchar_t *)&ire->ire_gateway_addr,
- &ipif_prim->ipif_mtu,
- NULL,
- ipif_prim->ipif_rq,
- ipif_prim->ipif_wq,
IRE_BROADCAST,
- ipif_prim,
- 0,
- 0,
- 0,
- ire->ire_flags,
- &ire_uinfo_null,
- NULL,
+ ill_prim,
+ GLOBAL_ZONEID, /* CGTP is only for the global zone */
+ ire->ire_flags | RTF_KERNEL,
NULL,
ipst);
+ /*
+ * Here we assume that ire_add does head insertion so that
+ * the added IRE_BROADCAST comes before the existing IRE_HOST.
+ */
if (bcast_ire != NULL) {
-
- if (ire_add(&bcast_ire, NULL, NULL, NULL,
- B_FALSE) == 0) {
+ if (ire->ire_flags & RTF_SETSRC) {
+ bcast_ire->ire_setsrc_addr =
+ ire->ire_setsrc_addr;
+ }
+ bcast_ire = ire_add(bcast_ire);
+ if (bcast_ire != NULL) {
ip2dbg(("ip_cgtp_filter_bcast_add: "
"added bcast_ire %p\n",
(void *)bcast_ire));
- ipif_save_ire(bcast_ire->ire_ipif,
- bcast_ire);
+ ill_save_ire(ill_prim, bcast_ire);
ire_refrele(bcast_ire);
}
}
@@ -19028,430 +16573,52 @@ ip_cgtp_bcast_add(ire_t *ire, ire_t *ire_dst, ip_stack_t *ipst)
/*
* IP multirouting broadcast routes handling
- * Remove the broadcast ire
+ * Remove the broadcast ire.
+ * The usage is a route delete <cgtp_bc> <nic_bc> -multirt i.e., both
+ * the destination and the gateway are broadcast addresses.
+ * The caller has only verified that RTF_MULTIRT was set. We check
+ * that the destination is broadcast and that the gateway is a broadcast
+ * address, and if so delete the IRE added by ip_cgtp_bcast_add().
*/
static void
ip_cgtp_bcast_delete(ire_t *ire, ip_stack_t *ipst)
{
- ire_t *ire_dst;
-
ASSERT(ire != NULL);
- ire_dst = ire_ctable_lookup(ire->ire_addr, 0, IRE_BROADCAST,
- NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- if (ire_dst != NULL) {
+
+ if (ip_type_v4(ire->ire_addr, ipst) == IRE_BROADCAST) {
ire_t *ire_prim;
- ire_prim = ire_ctable_lookup(ire->ire_gateway_addr, 0,
- IRE_BROADCAST, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
+ ire_prim = ire_ftable_lookup_v4(ire->ire_gateway_addr, 0, 0,
+ IRE_BROADCAST, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 0,
+ ipst, NULL);
if (ire_prim != NULL) {
- ipif_t *ipif_prim;
+ ill_t *ill_prim;
ire_t *bcast_ire;
- ipif_prim = ire_prim->ire_ipif;
+ ill_prim = ire_prim->ire_ill;
ip2dbg(("ip_cgtp_filter_bcast_delete: "
- "ire_dst %p, ire_prim %p, ipif_prim %p\n",
- (void *)ire_dst, (void *)ire_prim,
- (void *)ipif_prim));
-
- bcast_ire = ire_ctable_lookup(ire->ire_addr,
- ire->ire_gateway_addr,
- IRE_BROADCAST,
- ipif_prim, ALL_ZONES,
- NULL,
- MATCH_IRE_TYPE | MATCH_IRE_GW | MATCH_IRE_IPIF |
- MATCH_IRE_MASK, ipst);
+ "ire_prim %p, ill_prim %p\n",
+ (void *)ire_prim, (void *)ill_prim));
+
+ bcast_ire = ire_ftable_lookup_v4(ire->ire_addr, 0,
+ ire->ire_gateway_addr, IRE_BROADCAST,
+ ill_prim, ALL_ZONES, NULL,
+ MATCH_IRE_TYPE | MATCH_IRE_GW | MATCH_IRE_ILL |
+ MATCH_IRE_MASK, 0, ipst, NULL);
if (bcast_ire != NULL) {
ip2dbg(("ip_cgtp_filter_bcast_delete: "
"looked up bcast_ire %p\n",
(void *)bcast_ire));
- ipif_remove_ire(bcast_ire->ire_ipif,
+ ill_remove_saved_ire(bcast_ire->ire_ill,
bcast_ire);
ire_delete(bcast_ire);
ire_refrele(bcast_ire);
}
ire_refrele(ire_prim);
}
- ire_refrele(ire_dst);
- }
-}
-
-/*
- * IPsec hardware acceleration capabilities related functions.
- */
-
-/*
- * Free a per-ill IPsec capabilities structure.
- */
-static void
-ill_ipsec_capab_free(ill_ipsec_capab_t *capab)
-{
- if (capab->auth_hw_algs != NULL)
- kmem_free(capab->auth_hw_algs, capab->algs_size);
- if (capab->encr_hw_algs != NULL)
- kmem_free(capab->encr_hw_algs, capab->algs_size);
- if (capab->encr_algparm != NULL)
- kmem_free(capab->encr_algparm, capab->encr_algparm_size);
- kmem_free(capab, sizeof (ill_ipsec_capab_t));
-}
-
-/*
- * Allocate a new per-ill IPsec capabilities structure. This structure
- * is specific to an IPsec protocol (AH or ESP). It is implemented as
- * an array which specifies, for each algorithm, whether this algorithm
- * is supported by the ill or not.
- */
-static ill_ipsec_capab_t *
-ill_ipsec_capab_alloc(void)
-{
- ill_ipsec_capab_t *capab;
- uint_t nelems;
-
- capab = kmem_zalloc(sizeof (ill_ipsec_capab_t), KM_NOSLEEP);
- if (capab == NULL)
- return (NULL);
-
- /* we need one bit per algorithm */
- nelems = MAX_IPSEC_ALGS / BITS(ipsec_capab_elem_t);
- capab->algs_size = nelems * sizeof (ipsec_capab_elem_t);
-
- /* allocate memory to store algorithm flags */
- capab->encr_hw_algs = kmem_zalloc(capab->algs_size, KM_NOSLEEP);
- if (capab->encr_hw_algs == NULL)
- goto nomem;
- capab->auth_hw_algs = kmem_zalloc(capab->algs_size, KM_NOSLEEP);
- if (capab->auth_hw_algs == NULL)
- goto nomem;
- /*
- * Leave encr_algparm NULL for now since we won't need it half
- * the time
- */
- return (capab);
-
-nomem:
- ill_ipsec_capab_free(capab);
- return (NULL);
-}
-
-/*
- * Resize capability array. Since we're exclusive, this is OK.
- */
-static boolean_t
-ill_ipsec_capab_resize_algparm(ill_ipsec_capab_t *capab, int algid)
-{
- ipsec_capab_algparm_t *nalp, *oalp;
- uint32_t olen, nlen;
-
- oalp = capab->encr_algparm;
- olen = capab->encr_algparm_size;
-
- if (oalp != NULL) {
- if (algid < capab->encr_algparm_end)
- return (B_TRUE);
- }
-
- nlen = (algid + 1) * sizeof (*nalp);
- nalp = kmem_zalloc(nlen, KM_NOSLEEP);
- if (nalp == NULL)
- return (B_FALSE);
-
- if (oalp != NULL) {
- bcopy(oalp, nalp, olen);
- kmem_free(oalp, olen);
- }
- capab->encr_algparm = nalp;
- capab->encr_algparm_size = nlen;
- capab->encr_algparm_end = algid + 1;
-
- return (B_TRUE);
-}
-
-/*
- * Compare the capabilities of the specified ill with the protocol
- * and algorithms specified by the SA passed as argument.
- * If they match, returns B_TRUE, B_FALSE if they do not match.
- *
- * The ill can be passed as a pointer to it, or by specifying its index
- * and whether it is an IPv6 ill (ill_index and ill_isv6 arguments).
- *
- * Called by ipsec_out_is_accelerated() do decide whether an outbound
- * packet is eligible for hardware acceleration, and by
- * ill_ipsec_capab_send_all() to decide whether a SA must be sent down
- * to a particular ill.
- */
-boolean_t
-ipsec_capab_match(ill_t *ill, uint_t ill_index, boolean_t ill_isv6,
- ipsa_t *sa, netstack_t *ns)
-{
- boolean_t sa_isv6;
- uint_t algid;
- struct ill_ipsec_capab_s *cpp;
- boolean_t need_refrele = B_FALSE;
- ip_stack_t *ipst = ns->netstack_ip;
-
- if (ill == NULL) {
- ill = ill_lookup_on_ifindex(ill_index, ill_isv6, NULL,
- NULL, NULL, NULL, ipst);
- if (ill == NULL) {
- ip0dbg(("ipsec_capab_match: ill doesn't exist\n"));
- return (B_FALSE);
- }
- need_refrele = B_TRUE;
- }
-
- /*
- * Use the address length specified by the SA to determine
- * if it corresponds to a IPv6 address, and fail the matching
- * if the isv6 flag passed as argument does not match.
- * Note: this check is used for SADB capability checking before
- * sending SA information to an ill.
- */
- sa_isv6 = (sa->ipsa_addrfam == AF_INET6);
- if (sa_isv6 != ill_isv6)
- /* protocol mismatch */
- goto done;
-
- /*
- * Check if the ill supports the protocol, algorithm(s) and
- * key size(s) specified by the SA, and get the pointers to
- * the algorithms supported by the ill.
- */
- switch (sa->ipsa_type) {
-
- case SADB_SATYPE_ESP:
- if (!(ill->ill_capabilities & ILL_CAPAB_ESP))
- /* ill does not support ESP acceleration */
- goto done;
- cpp = ill->ill_ipsec_capab_esp;
- algid = sa->ipsa_auth_alg;
- if (!IPSEC_ALG_IS_ENABLED(algid, cpp->auth_hw_algs))
- goto done;
- algid = sa->ipsa_encr_alg;
- if (!IPSEC_ALG_IS_ENABLED(algid, cpp->encr_hw_algs))
- goto done;
- if (algid < cpp->encr_algparm_end) {
- ipsec_capab_algparm_t *alp = &cpp->encr_algparm[algid];
- if (sa->ipsa_encrkeybits < alp->minkeylen)
- goto done;
- if (sa->ipsa_encrkeybits > alp->maxkeylen)
- goto done;
- }
- break;
-
- case SADB_SATYPE_AH:
- if (!(ill->ill_capabilities & ILL_CAPAB_AH))
- /* ill does not support AH acceleration */
- goto done;
- if (!IPSEC_ALG_IS_ENABLED(sa->ipsa_auth_alg,
- ill->ill_ipsec_capab_ah->auth_hw_algs))
- goto done;
- break;
}
-
- if (need_refrele)
- ill_refrele(ill);
- return (B_TRUE);
-done:
- if (need_refrele)
- ill_refrele(ill);
- return (B_FALSE);
-}
-
-/*
- * Add a new ill to the list of IPsec capable ills.
- * Called from ill_capability_ipsec_ack() when an ACK was received
- * indicating that IPsec hardware processing was enabled for an ill.
- *
- * ill must point to the ill for which acceleration was enabled.
- * dl_cap must be set to DL_CAPAB_IPSEC_AH or DL_CAPAB_IPSEC_ESP.
- */
-static void
-ill_ipsec_capab_add(ill_t *ill, uint_t dl_cap, boolean_t sadb_resync)
-{
- ipsec_capab_ill_t **ills, *cur_ill, *new_ill;
- uint_t sa_type;
- uint_t ipproto;
- ip_stack_t *ipst = ill->ill_ipst;
-
- ASSERT((dl_cap == DL_CAPAB_IPSEC_AH) ||
- (dl_cap == DL_CAPAB_IPSEC_ESP));
-
- switch (dl_cap) {
- case DL_CAPAB_IPSEC_AH:
- sa_type = SADB_SATYPE_AH;
- ills = &ipst->ips_ipsec_capab_ills_ah;
- ipproto = IPPROTO_AH;
- break;
- case DL_CAPAB_IPSEC_ESP:
- sa_type = SADB_SATYPE_ESP;
- ills = &ipst->ips_ipsec_capab_ills_esp;
- ipproto = IPPROTO_ESP;
- break;
- }
-
- rw_enter(&ipst->ips_ipsec_capab_ills_lock, RW_WRITER);
-
- /*
- * Add ill index to list of hardware accelerators. If
- * already in list, do nothing.
- */
- for (cur_ill = *ills; cur_ill != NULL &&
- (cur_ill->ill_index != ill->ill_phyint->phyint_ifindex ||
- cur_ill->ill_isv6 != ill->ill_isv6); cur_ill = cur_ill->next)
- ;
-
- if (cur_ill == NULL) {
- /* if this is a new entry for this ill */
- new_ill = kmem_zalloc(sizeof (ipsec_capab_ill_t), KM_NOSLEEP);
- if (new_ill == NULL) {
- rw_exit(&ipst->ips_ipsec_capab_ills_lock);
- return;
- }
-
- new_ill->ill_index = ill->ill_phyint->phyint_ifindex;
- new_ill->ill_isv6 = ill->ill_isv6;
- new_ill->next = *ills;
- *ills = new_ill;
- } else if (!sadb_resync) {
- /* not resync'ing SADB and an entry exists for this ill */
- rw_exit(&ipst->ips_ipsec_capab_ills_lock);
- return;
- }
-
- rw_exit(&ipst->ips_ipsec_capab_ills_lock);
-
- if (ipst->ips_ipcl_proto_fanout_v6[ipproto].connf_head != NULL)
- /*
- * IPsec module for protocol loaded, initiate dump
- * of the SADB to this ill.
- */
- sadb_ill_download(ill, sa_type);
-}
-
-/*
- * Remove an ill from the list of IPsec capable ills.
- */
-static void
-ill_ipsec_capab_delete(ill_t *ill, uint_t dl_cap)
-{
- ipsec_capab_ill_t **ills, *cur_ill, *prev_ill;
- ip_stack_t *ipst = ill->ill_ipst;
-
- ASSERT(dl_cap == DL_CAPAB_IPSEC_AH ||
- dl_cap == DL_CAPAB_IPSEC_ESP);
-
- ills = (dl_cap == DL_CAPAB_IPSEC_AH) ? &ipst->ips_ipsec_capab_ills_ah :
- &ipst->ips_ipsec_capab_ills_esp;
-
- rw_enter(&ipst->ips_ipsec_capab_ills_lock, RW_WRITER);
-
- prev_ill = NULL;
- for (cur_ill = *ills; cur_ill != NULL && (cur_ill->ill_index !=
- ill->ill_phyint->phyint_ifindex || cur_ill->ill_isv6 !=
- ill->ill_isv6); prev_ill = cur_ill, cur_ill = cur_ill->next)
- ;
- if (cur_ill == NULL) {
- /* entry not found */
- rw_exit(&ipst->ips_ipsec_capab_ills_lock);
- return;
- }
- if (prev_ill == NULL) {
- /* entry at front of list */
- *ills = NULL;
- } else {
- prev_ill->next = cur_ill->next;
- }
- kmem_free(cur_ill, sizeof (ipsec_capab_ill_t));
- rw_exit(&ipst->ips_ipsec_capab_ills_lock);
-}
-
-/*
- * Called by SADB to send a DL_CONTROL_REQ message to every ill
- * supporting the specified IPsec protocol acceleration.
- * sa_type must be SADB_SATYPE_AH or SADB_SATYPE_ESP.
- * We free the mblk and, if sa is non-null, release the held referece.
- */
-void
-ill_ipsec_capab_send_all(uint_t sa_type, mblk_t *mp, ipsa_t *sa,
- netstack_t *ns)
-{
- ipsec_capab_ill_t *ici, *cur_ici;
- ill_t *ill;
- mblk_t *nmp, *mp_ship_list = NULL, *next_mp;
- ip_stack_t *ipst = ns->netstack_ip;
-
- ici = (sa_type == SADB_SATYPE_AH) ? ipst->ips_ipsec_capab_ills_ah :
- ipst->ips_ipsec_capab_ills_esp;
-
- rw_enter(&ipst->ips_ipsec_capab_ills_lock, RW_READER);
-
- for (cur_ici = ici; cur_ici != NULL; cur_ici = cur_ici->next) {
- ill = ill_lookup_on_ifindex(cur_ici->ill_index,
- cur_ici->ill_isv6, NULL, NULL, NULL, NULL, ipst);
-
- /*
- * Handle the case where the ill goes away while the SADB is
- * attempting to send messages. If it's going away, it's
- * nuking its shadow SADB, so we don't care..
- */
-
- if (ill == NULL)
- continue;
-
- if (sa != NULL) {
- /*
- * Make sure capabilities match before
- * sending SA to ill.
- */
- if (!ipsec_capab_match(ill, cur_ici->ill_index,
- cur_ici->ill_isv6, sa, ipst->ips_netstack)) {
- ill_refrele(ill);
- continue;
- }
-
- mutex_enter(&sa->ipsa_lock);
- sa->ipsa_flags |= IPSA_F_HW;
- mutex_exit(&sa->ipsa_lock);
- }
-
- /*
- * Copy template message, and add it to the front
- * of the mblk ship list. We want to avoid holding
- * the ipsec_capab_ills_lock while sending the
- * message to the ills.
- *
- * The b_next and b_prev are temporarily used
- * to build a list of mblks to be sent down, and to
- * save the ill to which they must be sent.
- */
- nmp = copymsg(mp);
- if (nmp == NULL) {
- ill_refrele(ill);
- continue;
- }
- ASSERT(nmp->b_next == NULL && nmp->b_prev == NULL);
- nmp->b_next = mp_ship_list;
- mp_ship_list = nmp;
- nmp->b_prev = (mblk_t *)ill;
- }
-
- rw_exit(&ipst->ips_ipsec_capab_ills_lock);
-
- for (nmp = mp_ship_list; nmp != NULL; nmp = next_mp) {
- /* restore the mblk to a sane state */
- next_mp = nmp->b_next;
- nmp->b_next = NULL;
- ill = (ill_t *)nmp->b_prev;
- nmp->b_prev = NULL;
-
- ill_dlpi_send(ill, nmp);
- ill_refrele(ill);
- }
-
- if (sa != NULL)
- IPSA_REFRELE(sa);
- freemsg(mp);
}
/*
@@ -19531,71 +16698,79 @@ ip_ipmp_v6intfid(ill_t *ill, in6_addr_t *v6addr)
addr[0] &= ~0x2; /* set local bit */
}
-/* ARGSUSED */
-static boolean_t
-ip_ether_v6mapinfo(uint_t lla_length, uint8_t *bphys_addr, uint8_t *maddr,
- uint32_t *hw_start, in6_addr_t *v6_extract_mask)
+/*
+ * Map the multicast in6_addr_t in m_ip6addr to the physaddr for ethernet.
+ */
+static void
+ip_ether_v6_mapping(ill_t *ill, uchar_t *m_ip6addr, uchar_t *m_physaddr)
{
- /*
- * Multicast address mappings used over Ethernet/802.X.
- * This address is used as a base for mappings.
- */
- static uint8_t ipv6_g_phys_multi_addr[] = {0x33, 0x33, 0x00,
- 0x00, 0x00, 0x00};
+ phyint_t *phyi = ill->ill_phyint;
/*
- * Extract low order 32 bits from IPv6 multicast address.
- * Or that into the link layer address, starting from the
- * second byte.
+ * Check PHYI_MULTI_BCAST and length of physical
+ * address to determine if we use the mapping or the
+ * broadcast address.
*/
- *hw_start = 2;
- v6_extract_mask->s6_addr32[0] = 0;
- v6_extract_mask->s6_addr32[1] = 0;
- v6_extract_mask->s6_addr32[2] = 0;
- v6_extract_mask->s6_addr32[3] = 0xffffffffU;
- bcopy(ipv6_g_phys_multi_addr, maddr, lla_length);
- return (B_TRUE);
+ if ((phyi->phyint_flags & PHYI_MULTI_BCAST) != 0 ||
+ ill->ill_phys_addr_length != ETHERADDRL) {
+ ip_mbcast_mapping(ill, m_ip6addr, m_physaddr);
+ return;
+ }
+ m_physaddr[0] = 0x33;
+ m_physaddr[1] = 0x33;
+ m_physaddr[2] = m_ip6addr[12];
+ m_physaddr[3] = m_ip6addr[13];
+ m_physaddr[4] = m_ip6addr[14];
+ m_physaddr[5] = m_ip6addr[15];
}
/*
- * Indicate by return value whether multicast is supported. If not,
- * this code should not touch/change any parameters.
+ * Map the multicast ipaddr_t in m_ipaddr to the physaddr for ethernet.
*/
-/* ARGSUSED */
-static boolean_t
-ip_ether_v4mapinfo(uint_t phys_length, uint8_t *bphys_addr, uint8_t *maddr,
- uint32_t *hw_start, ipaddr_t *extract_mask)
+static void
+ip_ether_v4_mapping(ill_t *ill, uchar_t *m_ipaddr, uchar_t *m_physaddr)
{
+ phyint_t *phyi = ill->ill_phyint;
+
/*
- * Multicast address mappings used over Ethernet/802.X.
- * This address is used as a base for mappings.
+ * Check PHYI_MULTI_BCAST and length of physical
+ * address to determine if we use the mapping or the
+ * broadcast address.
*/
- static uint8_t ip_g_phys_multi_addr[] = { 0x01, 0x00, 0x5e,
- 0x00, 0x00, 0x00 };
-
- if (phys_length != ETHERADDRL)
- return (B_FALSE);
-
- *extract_mask = htonl(0x007fffff);
- *hw_start = 2;
- bcopy(ip_g_phys_multi_addr, maddr, ETHERADDRL);
- return (B_TRUE);
+ if ((phyi->phyint_flags & PHYI_MULTI_BCAST) != 0 ||
+ ill->ill_phys_addr_length != ETHERADDRL) {
+ ip_mbcast_mapping(ill, m_ipaddr, m_physaddr);
+ return;
+ }
+ m_physaddr[0] = 0x01;
+ m_physaddr[1] = 0x00;
+ m_physaddr[2] = 0x5e;
+ m_physaddr[3] = m_ipaddr[1] & 0x7f;
+ m_physaddr[4] = m_ipaddr[2];
+ m_physaddr[5] = m_ipaddr[3];
}
/* ARGSUSED */
-static boolean_t
-ip_nodef_v4mapinfo(uint_t phys_length, uint8_t *bphys_addr, uint8_t *maddr,
- uint32_t *hw_start, ipaddr_t *extract_mask)
+static void
+ip_mbcast_mapping(ill_t *ill, uchar_t *m_ipaddr, uchar_t *m_physaddr)
{
- return (B_FALSE);
-}
+ /*
+ * for the MULTI_BCAST case and other cases when we want to
+ * use the link-layer broadcast address for multicast.
+ */
+ uint8_t *bphys_addr;
+ dl_unitdata_req_t *dlur;
-/* ARGSUSED */
-static boolean_t
-ip_nodef_v6mapinfo(uint_t lla_length, uint8_t *bphys_addr, uint8_t *maddr,
- uint32_t *hw_start, in6_addr_t *v6_extract_mask)
-{
- return (B_FALSE);
+ dlur = (dl_unitdata_req_t *)ill->ill_bcast_mp->b_rptr;
+ if (ill->ill_sap_length < 0) {
+ bphys_addr = (uchar_t *)dlur +
+ dlur->dl_dest_addr_offset;
+ } else {
+ bphys_addr = (uchar_t *)dlur +
+ dlur->dl_dest_addr_offset + ill->ill_sap_length;
+ }
+
+ bcopy(bphys_addr, m_physaddr, ill->ill_phys_addr_length);
}
/*
@@ -19624,6 +16799,7 @@ ip_ib_v6intfid(ill_t *ill, in6_addr_t *v6addr)
}
/*
+ * Map the multicast ipaddr_t in m_ipaddr to the physaddr for InfiniBand.
* Note on mapping from multicast IP addresses to IPoIB multicast link
* addresses. IPoIB multicast link addresses are based on IBA link addresses.
* The format of an IPoIB multicast address is:
@@ -19637,72 +16813,70 @@ ip_ib_v6intfid(ill_t *ill, in6_addr_t *v6addr)
* network interface. They can be ascertained from the broadcast address.
* The Sign. part is the signature, and is 401B for IPv4 and 601B for IPv6.
*/
-
-static boolean_t
-ip_ib_v6mapinfo(uint_t lla_length, uint8_t *bphys_addr, uint8_t *maddr,
- uint32_t *hw_start, in6_addr_t *v6_extract_mask)
+static void
+ip_ib_v4_mapping(ill_t *ill, uchar_t *m_ipaddr, uchar_t *m_physaddr)
{
- /*
- * Base IPoIB IPv6 multicast address used for mappings.
- * Does not contain the IBA scope/Pkey values.
- */
- static uint8_t ipv6_g_phys_ibmulti_addr[] = { 0x00, 0xff, 0xff, 0xff,
- 0xff, 0x10, 0x60, 0x1b, 0x00, 0x00, 0x00, 0x00,
+ static uint8_t ipv4_g_phys_ibmulti_addr[] = { 0x00, 0xff, 0xff, 0xff,
+ 0xff, 0x10, 0x40, 0x1b, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+ uint8_t *bphys_addr;
+ dl_unitdata_req_t *dlur;
+
+ bcopy(ipv4_g_phys_ibmulti_addr, m_physaddr, ill->ill_phys_addr_length);
/*
- * Extract low order 80 bits from IPv6 multicast address.
- * Or that into the link layer address, starting from the
- * sixth byte.
+ * RFC 4391: IPv4 MGID is 28-bit long.
*/
- *hw_start = 6;
- bcopy(ipv6_g_phys_ibmulti_addr, maddr, lla_length);
+ m_physaddr[16] = m_ipaddr[0] & 0x0f;
+ m_physaddr[17] = m_ipaddr[1];
+ m_physaddr[18] = m_ipaddr[2];
+ m_physaddr[19] = m_ipaddr[3];
+
+ dlur = (dl_unitdata_req_t *)ill->ill_bcast_mp->b_rptr;
+ if (ill->ill_sap_length < 0) {
+ bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset;
+ } else {
+ bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset +
+ ill->ill_sap_length;
+ }
/*
* Now fill in the IBA scope/Pkey values from the broadcast address.
*/
- *(maddr + 5) = *(bphys_addr + 5);
- *(maddr + 8) = *(bphys_addr + 8);
- *(maddr + 9) = *(bphys_addr + 9);
-
- v6_extract_mask->s6_addr32[0] = 0;
- v6_extract_mask->s6_addr32[1] = htonl(0x0000ffff);
- v6_extract_mask->s6_addr32[2] = 0xffffffffU;
- v6_extract_mask->s6_addr32[3] = 0xffffffffU;
- return (B_TRUE);
+ m_physaddr[5] = bphys_addr[5];
+ m_physaddr[8] = bphys_addr[8];
+ m_physaddr[9] = bphys_addr[9];
}
-static boolean_t
-ip_ib_v4mapinfo(uint_t phys_length, uint8_t *bphys_addr, uint8_t *maddr,
- uint32_t *hw_start, ipaddr_t *extract_mask)
+static void
+ip_ib_v6_mapping(ill_t *ill, uchar_t *m_ipaddr, uchar_t *m_physaddr)
{
- /*
- * Base IPoIB IPv4 multicast address used for mappings.
- * Does not contain the IBA scope/Pkey values.
- */
static uint8_t ipv4_g_phys_ibmulti_addr[] = { 0x00, 0xff, 0xff, 0xff,
- 0xff, 0x10, 0x40, 0x1b, 0x00, 0x00, 0x00, 0x00,
+ 0xff, 0x10, 0x60, 0x1b, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+ uint8_t *bphys_addr;
+ dl_unitdata_req_t *dlur;
- if (phys_length != sizeof (ipv4_g_phys_ibmulti_addr))
- return (B_FALSE);
+ bcopy(ipv4_g_phys_ibmulti_addr, m_physaddr, ill->ill_phys_addr_length);
/*
- * Extract low order 28 bits from IPv4 multicast address.
- * Or that into the link layer address, starting from the
- * sixteenth byte.
+ * RFC 4391: IPv4 MGID is 80-bit long.
*/
- *extract_mask = htonl(0x0fffffff);
- *hw_start = 16;
- bcopy(ipv4_g_phys_ibmulti_addr, maddr, phys_length);
+ bcopy(&m_ipaddr[6], &m_physaddr[10], 10);
+ dlur = (dl_unitdata_req_t *)ill->ill_bcast_mp->b_rptr;
+ if (ill->ill_sap_length < 0) {
+ bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset;
+ } else {
+ bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset +
+ ill->ill_sap_length;
+ }
/*
* Now fill in the IBA scope/Pkey values from the broadcast address.
*/
- *(maddr + 5) = *(bphys_addr + 5);
- *(maddr + 8) = *(bphys_addr + 8);
- *(maddr + 9) = *(bphys_addr + 9);
- return (B_TRUE);
+ m_physaddr[5] = bphys_addr[5];
+ m_physaddr[8] = bphys_addr[8];
+ m_physaddr[9] = bphys_addr[9];
}
/*
@@ -19758,56 +16932,34 @@ ip_ipv4_v6destintfid(ill_t *ill, in6_addr_t *v6addr)
}
/*
- * Returns B_TRUE if an ipif is present in the given zone, matching some flags
- * (typically IPIF_UP). If ipifp is non-null, the held ipif is returned there.
- * This works for both IPv4 and IPv6; if the passed-in ill is v6, the ipif with
- * the link-local address is preferred.
+ * Lookup an ill and verify that the zoneid has an ipif on that ill.
+ * Returns an held ill, or NULL.
*/
-boolean_t
-ipif_lookup_zoneid(ill_t *ill, zoneid_t zoneid, int flags, ipif_t **ipifp)
+ill_t *
+ill_lookup_on_ifindex_zoneid(uint_t index, zoneid_t zoneid, boolean_t isv6,
+ ip_stack_t *ipst)
{
+ ill_t *ill;
ipif_t *ipif;
- ipif_t *maybe_ipif = NULL;
- mutex_enter(&ill->ill_lock);
- if (ill->ill_state_flags & ILL_CONDEMNED) {
- mutex_exit(&ill->ill_lock);
- if (ipifp != NULL)
- *ipifp = NULL;
- return (B_FALSE);
- }
+ ill = ill_lookup_on_ifindex(index, isv6, ipst);
+ if (ill == NULL)
+ return (NULL);
+ mutex_enter(&ill->ill_lock);
for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
- if (!IPIF_CAN_LOOKUP(ipif))
+ if (IPIF_IS_CONDEMNED(ipif))
continue;
if (zoneid != ALL_ZONES && ipif->ipif_zoneid != zoneid &&
ipif->ipif_zoneid != ALL_ZONES)
continue;
- if ((ipif->ipif_flags & flags) != flags)
- continue;
- if (ipifp == NULL) {
- mutex_exit(&ill->ill_lock);
- ASSERT(maybe_ipif == NULL);
- return (B_TRUE);
- }
- if (!ill->ill_isv6 ||
- IN6_IS_ADDR_LINKLOCAL(&ipif->ipif_v6src_addr)) {
- ipif_refhold_locked(ipif);
- mutex_exit(&ill->ill_lock);
- *ipifp = ipif;
- return (B_TRUE);
- }
- if (maybe_ipif == NULL)
- maybe_ipif = ipif;
- }
- if (ipifp != NULL) {
- if (maybe_ipif != NULL)
- ipif_refhold_locked(maybe_ipif);
- *ipifp = maybe_ipif;
+ mutex_exit(&ill->ill_lock);
+ return (ill);
}
mutex_exit(&ill->ill_lock);
- return (maybe_ipif != NULL);
+ ill_refrele(ill);
+ return (NULL);
}
/*
@@ -19822,8 +16974,7 @@ ipif_getby_indexes(uint_t ifindex, uint_t lifidx, boolean_t isv6,
ipif_t *ipif;
ill_t *ill;
- ill = ill_lookup_on_ifindex(ifindex, isv6, NULL, NULL, NULL, NULL,
- ipst);
+ ill = ill_lookup_on_ifindex(ifindex, isv6, ipst);
if (ill == NULL)
return (NULL);
@@ -19849,19 +17000,52 @@ ipif_getby_indexes(uint_t ifindex, uint_t lifidx, boolean_t isv6,
}
/*
- * Flush the fastpath by deleting any nce's that are waiting for the fastpath,
- * There is one exceptions IRE_BROADCAST are difficult to recreate,
- * so instead we just nuke their nce_fp_mp's; see ndp_fastpath_flush()
- * for details.
+ * Set ill_inputfn based on the current know state.
+ * This needs to be called when any of the factors taken into
+ * account changes.
*/
void
-ill_fastpath_flush(ill_t *ill)
+ill_set_inputfn(ill_t *ill)
{
- ip_stack_t *ipst = ill->ill_ipst;
+ ip_stack_t *ipst = ill->ill_ipst;
- nce_fastpath_list_dispatch(ill, NULL, NULL);
- ndp_walk_common((ill->ill_isv6 ? ipst->ips_ndp6 : ipst->ips_ndp4),
- ill, (pfi_t)ndp_fastpath_flush, NULL, B_TRUE);
+ if (ill->ill_isv6) {
+ if (is_system_labeled())
+ ill->ill_inputfn = ill_input_full_v6;
+ else
+ ill->ill_inputfn = ill_input_short_v6;
+ } else {
+ if (is_system_labeled())
+ ill->ill_inputfn = ill_input_full_v4;
+ else if (ill->ill_dhcpinit != 0)
+ ill->ill_inputfn = ill_input_full_v4;
+ else if (ipst->ips_ipcl_proto_fanout_v4[IPPROTO_RSVP].connf_head
+ != NULL)
+ ill->ill_inputfn = ill_input_full_v4;
+ else if (ipst->ips_ip_cgtp_filter &&
+ ipst->ips_ip_cgtp_filter_ops != NULL)
+ ill->ill_inputfn = ill_input_full_v4;
+ else
+ ill->ill_inputfn = ill_input_short_v4;
+ }
+}
+
+/*
+ * Re-evaluate ill_inputfn for all the IPv4 ills.
+ * Used when RSVP and CGTP comes and goes.
+ */
+void
+ill_set_inputfn_all(ip_stack_t *ipst)
+{
+ ill_walk_context_t ctx;
+ ill_t *ill;
+
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
+ ill = ILL_START_WALK_V4(&ctx, ipst);
+ for (; ill != NULL; ill = ill_next(&ctx, ill))
+ ill_set_inputfn(ill);
+
+ rw_exit(&ipst->ips_ill_g_lock);
}
/*
@@ -19897,6 +17081,10 @@ ill_set_phys_addr(ill_t *ill, mblk_t *mp)
}
ipsq_current_start(ipsq, ill->ill_ipif, 0);
+ mutex_enter(&ill->ill_lock);
+ ill->ill_state_flags |= ILL_DOWN_IN_PROGRESS;
+ /* no more nce addition allowed */
+ mutex_exit(&ill->ill_lock);
/*
* If we can quiesce the ill, then set the address. If not, then
@@ -19923,8 +17111,8 @@ ill_set_phys_addr(ill_t *ill, mblk_t *mp)
* are passed (linked by b_cont), since we sometimes need to save two distinct
* copies in the ill_t, and our context doesn't permit sleeping or allocation
* failure (we'll free the other copy if it's not needed). Since the ill_t
- * is quiesced, we know any stale IREs with the old address information have
- * already been removed, so we don't need to call ill_fastpath_flush().
+ * is quiesced, we know any stale nce's with the old address information have
+ * already been removed, so we don't need to call nce_flush().
*/
/* ARGSUSED */
static void
@@ -19934,6 +17122,7 @@ ill_set_phys_addr_tail(ipsq_t *ipsq, queue_t *q, mblk_t *addrmp, void *dummy)
mblk_t *addrmp2 = unlinkb(addrmp);
dl_notify_ind_t *dlindp = (dl_notify_ind_t *)addrmp->b_rptr;
uint_t addrlen, addroff;
+ int status;
ASSERT(IAM_WRITER_IPSQ(ipsq));
@@ -19962,7 +17151,7 @@ ill_set_phys_addr_tail(ipsq_t *ipsq, queue_t *q, mblk_t *addrmp, void *dummy)
ill->ill_phys_addr = addrmp->b_rptr + addroff;
ill->ill_phys_addr_mp = addrmp;
ill->ill_phys_addr_length = addrlen;
- if (ill->ill_isv6 && !(ill->ill_flags & ILLF_XRESOLV))
+ if (ill->ill_isv6)
ill_set_ndmp(ill, addrmp2, addroff, addrlen);
else
freemsg(addrmp2);
@@ -19978,10 +17167,15 @@ ill_set_phys_addr_tail(ipsq_t *ipsq, queue_t *q, mblk_t *addrmp, void *dummy)
/*
* If there are ipifs to bring up, ill_up_ipifs() will return
* EINPROGRESS, and ipsq_current_finish() will be called by
- * ip_rput_dlpi_writer() or ip_arp_done() when the last ipif is
+ * ip_rput_dlpi_writer() or arp_bringup_done() when the last ipif is
* brought up.
*/
- if (ill_up_ipifs(ill, q, addrmp) != EINPROGRESS)
+ status = ill_up_ipifs(ill, q, addrmp);
+ mutex_enter(&ill->ill_lock);
+ if (ill->ill_dl_up)
+ ill->ill_state_flags &= ~ILL_DOWN_IN_PROGRESS;
+ mutex_exit(&ill->ill_lock);
+ if (status != EINPROGRESS)
ipsq_current_finish(ipsq);
}
@@ -20009,6 +17203,11 @@ ill_replumb(ill_t *ill, mblk_t *mp)
ipsq_current_start(ipsq, ill->ill_ipif, 0);
+ mutex_enter(&ill->ill_lock);
+ ill->ill_state_flags |= ILL_DOWN_IN_PROGRESS;
+ /* no more nce addition allowed */
+ mutex_exit(&ill->ill_lock);
+
/*
* If we can quiesce the ill, then continue. If not, then
* ill_replumb_tail() will be called from ipif_ill_refrele_tail().
@@ -20034,14 +17233,32 @@ static void
ill_replumb_tail(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy)
{
ill_t *ill = q->q_ptr;
+ int err;
+ conn_t *connp = NULL;
ASSERT(IAM_WRITER_IPSQ(ipsq));
-
- ill_down_ipifs_tail(ill);
-
freemsg(ill->ill_replumb_mp);
ill->ill_replumb_mp = copyb(mp);
+ if (ill->ill_replumb_mp == NULL) {
+ /* out of memory */
+ ipsq_current_finish(ipsq);
+ return;
+ }
+
+ mutex_enter(&ill->ill_lock);
+ ill->ill_up_ipifs = ipsq_pending_mp_add(NULL, ill->ill_ipif,
+ ill->ill_rq, ill->ill_replumb_mp, 0);
+ mutex_exit(&ill->ill_lock);
+
+ if (!ill->ill_up_ipifs) {
+ /* already closing */
+ ipsq_current_finish(ipsq);
+ return;
+ }
+ ill->ill_replumbing = 1;
+ err = ill_down_ipifs_tail(ill);
+
/*
* Successfully quiesced and brought down the interface, now we send
* the DL_NOTE_REPLUMB_DONE message down to the driver. Reuse the
@@ -20055,15 +17272,23 @@ ill_replumb_tail(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy)
ill_dlpi_send(ill, mp);
/*
- * If there are ipifs to bring up, ill_up_ipifs() will return
- * EINPROGRESS, and ipsq_current_finish() will be called by
- * ip_rput_dlpi_writer() or ip_arp_done() when the last ipif is
- * brought up.
+ * For IPv4, we would usually get EINPROGRESS because the ETHERTYPE_ARP
+ * streams have to be unbound. When all the DLPI exchanges are done,
+ * ipsq_current_finish() will be called by arp_bringup_done(). The
+ * remainder of ipif bringup via ill_up_ipifs() will also be done in
+ * arp_bringup_done().
*/
- if (ill->ill_replumb_mp == NULL ||
- ill_up_ipifs(ill, q, ill->ill_replumb_mp) != EINPROGRESS) {
- ipsq_current_finish(ipsq);
+ ASSERT(ill->ill_replumb_mp != NULL);
+ if (err == EINPROGRESS)
+ return;
+ else
+ ill->ill_replumb_mp = ipsq_pending_mp_get(ipsq, &connp);
+ ASSERT(connp == NULL);
+ if (err == 0 && ill->ill_replumb_mp != NULL &&
+ ill_up_ipifs(ill, q, ill->ill_replumb_mp) == EINPROGRESS) {
+ return;
}
+ ipsq_current_finish(ipsq);
}
/*
@@ -20342,6 +17567,338 @@ fail:
"information for %s (ENOMEM)\n", str, ill->ill_name));
}
+static int
+ipif_arp_up_done_tail(ipif_t *ipif, enum ip_resolver_action res_act)
+{
+ int err = 0;
+ const in_addr_t *addr = NULL;
+ nce_t *nce = NULL;
+ ill_t *ill = ipif->ipif_ill;
+ ill_t *bound_ill;
+ boolean_t added_ipif = B_FALSE;
+ uint16_t state;
+ uint16_t flags;
+
+ DTRACE_PROBE3(ipif__downup, char *, "ipif_arp_up_done_tail",
+ ill_t *, ill, ipif_t *, ipif);
+ if (ipif->ipif_lcl_addr != INADDR_ANY) {
+ addr = &ipif->ipif_lcl_addr;
+ }
+
+ if ((ipif->ipif_flags & IPIF_UNNUMBERED) || addr == NULL) {
+ if (res_act != Res_act_initial)
+ return (EINVAL);
+ }
+
+ if (addr != NULL) {
+ ipmp_illgrp_t *illg = ill->ill_grp;
+
+ /* add unicast nce for the local addr */
+
+ if (IS_IPMP(ill)) {
+ /*
+ * If we're here via ipif_up(), then the ipif
+ * won't be bound yet -- add it to the group,
+ * which will bind it if possible. (We would
+ * add it in ipif_up(), but deleting on failure
+ * there is gruesome.) If we're here via
+ * ipmp_ill_bind_ipif(), then the ipif has
+ * already been added to the group and we
+ * just need to use the binding.
+ */
+ if ((bound_ill = ipmp_ipif_bound_ill(ipif)) == NULL) {
+ bound_ill = ipmp_illgrp_add_ipif(illg, ipif);
+ if (bound_ill == NULL) {
+ /*
+ * We couldn't bind the ipif to an ill
+ * yet, so we have nothing to publish.
+ * Mark the address as ready and return.
+ */
+ ipif->ipif_addr_ready = 1;
+ return (0);
+ }
+ added_ipif = B_TRUE;
+ }
+ } else {
+ bound_ill = ill;
+ }
+
+ flags = (NCE_F_MYADDR | NCE_F_PUBLISH | NCE_F_AUTHORITY |
+ NCE_F_NONUD);
+ /*
+ * If this is an initial bring-up (or the ipif was never
+ * completely brought up), do DAD. Otherwise, we're here
+ * because IPMP has rebound an address to this ill: send
+ * unsolicited advertisements (ARP announcements) to
+ * inform others.
+ */
+ if (res_act == Res_act_initial || !ipif->ipif_addr_ready) {
+ state = ND_UNCHANGED; /* compute in nce_add_common() */
+ } else {
+ state = ND_REACHABLE;
+ flags |= NCE_F_UNSOL_ADV;
+ }
+
+retry:
+ err = nce_lookup_then_add_v4(ill,
+ bound_ill->ill_phys_addr, bound_ill->ill_phys_addr_length,
+ addr, flags, state, &nce);
+
+ /*
+ * note that we may encounter EEXIST if we are moving
+ * the nce as a result of a rebind operation.
+ */
+ switch (err) {
+ case 0:
+ ipif->ipif_added_nce = 1;
+ nce->nce_ipif_cnt++;
+ break;
+ case EEXIST:
+ ip1dbg(("ipif_arp_up: NCE already exists for %s\n",
+ ill->ill_name));
+ if (!NCE_MYADDR(nce->nce_common)) {
+ /*
+ * A leftover nce from before this address
+ * existed
+ */
+ ncec_delete(nce->nce_common);
+ nce_refrele(nce);
+ nce = NULL;
+ goto retry;
+ }
+ if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0) {
+ nce_refrele(nce);
+ nce = NULL;
+ ip1dbg(("ipif_arp_up: NCE already exists "
+ "for %s:%u\n", ill->ill_name,
+ ipif->ipif_id));
+ goto arp_up_done;
+ }
+ /*
+ * Duplicate local addresses are permissible for
+ * IPIF_POINTOPOINT interfaces which will get marked
+ * IPIF_UNNUMBERED later in
+ * ip_addr_availability_check().
+ *
+ * The nce_ipif_cnt field tracks the number of
+ * ipifs that have nce_addr as their local address.
+ */
+ ipif->ipif_addr_ready = 1;
+ ipif->ipif_added_nce = 1;
+ nce->nce_ipif_cnt++;
+ err = 0;
+ break;
+ default:
+ ASSERT(nce == NULL);
+ goto arp_up_done;
+ }
+ if (arp_no_defense) {
+ if ((ipif->ipif_flags & IPIF_UP) &&
+ !ipif->ipif_addr_ready)
+ ipif_up_notify(ipif);
+ ipif->ipif_addr_ready = 1;
+ }
+ } else {
+ /* zero address. nothing to publish */
+ ipif->ipif_addr_ready = 1;
+ }
+ if (nce != NULL)
+ nce_refrele(nce);
+arp_up_done:
+ if (added_ipif && err != 0)
+ ipmp_illgrp_del_ipif(ill->ill_grp, ipif);
+ return (err);
+}
+
+int
+ipif_arp_up(ipif_t *ipif, enum ip_resolver_action res_act, boolean_t was_dup)
+{
+ int err = 0;
+ ill_t *ill = ipif->ipif_ill;
+ boolean_t first_interface, wait_for_dlpi = B_FALSE;
+
+ DTRACE_PROBE3(ipif__downup, char *, "ipif_arp_up",
+ ill_t *, ill, ipif_t *, ipif);
+
+ /*
+ * need to bring up ARP or setup mcast mapping only
+ * when the first interface is coming UP.
+ */
+ first_interface = (ill->ill_ipif_up_count == 0 &&
+ ill->ill_ipif_dup_count == 0 && !was_dup);
+
+ if (res_act == Res_act_initial && first_interface) {
+ /*
+ * Send ATTACH + BIND
+ */
+ err = arp_ll_up(ill);
+ if (err != EINPROGRESS && err != 0)
+ return (err);
+
+ /*
+ * Add NCE for local address. Start DAD.
+ * we'll wait to hear that DAD has finished
+ * before using the interface.
+ */
+ if (err == EINPROGRESS)
+ wait_for_dlpi = B_TRUE;
+ }
+
+ if (!wait_for_dlpi)
+ (void) ipif_arp_up_done_tail(ipif, res_act);
+
+ return (!wait_for_dlpi ? 0 : EINPROGRESS);
+}
+
+/*
+ * Finish processing of "arp_up" after all the DLPI message
+ * exchanges have completed between arp and the driver.
+ */
+void
+arp_bringup_done(ill_t *ill, int err)
+{
+ mblk_t *mp1;
+ ipif_t *ipif;
+ conn_t *connp = NULL;
+ ipsq_t *ipsq;
+ queue_t *q;
+
+ ip1dbg(("arp_bringup_done(%s)\n", ill->ill_name));
+
+ ASSERT(IAM_WRITER_ILL(ill));
+
+ ipsq = ill->ill_phyint->phyint_ipsq;
+ ipif = ipsq->ipsq_xop->ipx_pending_ipif;
+ mp1 = ipsq_pending_mp_get(ipsq, &connp);
+ ASSERT(!((mp1 != NULL) ^ (ipif != NULL)));
+ if (mp1 == NULL) /* bringup was aborted by the user */
+ return;
+
+ /*
+ * If an IOCTL is waiting on this (ipsq_current_ioctl != 0), then we
+ * must have an associated conn_t. Otherwise, we're bringing this
+ * interface back up as part of handling an asynchronous event (e.g.,
+ * physical address change).
+ */
+ if (ipsq->ipsq_xop->ipx_current_ioctl != 0) {
+ ASSERT(connp != NULL);
+ q = CONNP_TO_WQ(connp);
+ } else {
+ ASSERT(connp == NULL);
+ q = ill->ill_rq;
+ }
+ if (err == 0) {
+ if (ipif->ipif_isv6) {
+ if ((err = ipif_up_done_v6(ipif)) != 0)
+ ip0dbg(("arp_bringup_done: init failed\n"));
+ } else {
+ err = ipif_arp_up_done_tail(ipif, Res_act_initial);
+ if (err != 0 || (err = ipif_up_done(ipif)) != 0)
+ ip0dbg(("arp_bringup_done: init failed\n"));
+ }
+ } else {
+ ip0dbg(("arp_bringup_done: DL_BIND_REQ failed\n"));
+ }
+
+ if ((err == 0) && (ill->ill_up_ipifs)) {
+ err = ill_up_ipifs(ill, q, mp1);
+ if (err == EINPROGRESS)
+ return;
+ }
+
+ /*
+ * If we have a moved ipif to bring up, and everything has succeeded
+ * to this point, bring it up on the IPMP ill. Otherwise, leave it
+ * down -- the admin can try to bring it up by hand if need be.
+ */
+ if (ill->ill_move_ipif != NULL) {
+ ipif = ill->ill_move_ipif;
+ ip1dbg(("bringing up ipif %p on ill %s\n", (void *)ipif,
+ ipif->ipif_ill->ill_name));
+ ill->ill_move_ipif = NULL;
+ if (err == 0) {
+ err = ipif_up(ipif, q, mp1);
+ if (err == EINPROGRESS)
+ return;
+ }
+ }
+
+ /*
+ * The operation must complete without EINPROGRESS since
+ * ipsq_pending_mp_get() has removed the mblk from ipsq_pending_mp.
+ * Otherwise, the operation will be stuck forever in the ipsq.
+ */
+ ASSERT(err != EINPROGRESS);
+ if (ipsq->ipsq_xop->ipx_current_ioctl != 0) {
+ DTRACE_PROBE4(ipif__ioctl, char *, "arp_bringup_done finish",
+ int, ipsq->ipsq_xop->ipx_current_ioctl,
+ ill_t *, ill, ipif_t *, ipif);
+ ip_ioctl_finish(q, mp1, err, NO_COPYOUT, ipsq);
+ } else {
+ ipsq_current_finish(ipsq);
+ }
+}
+
+/*
+ * Finish processing of arp replumb after all the DLPI message
+ * exchanges have completed between arp and the driver.
+ */
+void
+arp_replumb_done(ill_t *ill, int err)
+{
+ mblk_t *mp1;
+ ipif_t *ipif;
+ conn_t *connp = NULL;
+ ipsq_t *ipsq;
+ queue_t *q;
+
+ ASSERT(IAM_WRITER_ILL(ill));
+
+ ipsq = ill->ill_phyint->phyint_ipsq;
+ ipif = ipsq->ipsq_xop->ipx_pending_ipif;
+ mp1 = ipsq_pending_mp_get(ipsq, &connp);
+ ASSERT(!((mp1 != NULL) ^ (ipif != NULL)));
+ if (mp1 == NULL) {
+ ip0dbg(("arp_replumb_done: bringup aborted ioctl %x\n",
+ ipsq->ipsq_xop->ipx_current_ioctl));
+ /* bringup was aborted by the user */
+ return;
+ }
+ /*
+ * If an IOCTL is waiting on this (ipsq_current_ioctl != 0), then we
+ * must have an associated conn_t. Otherwise, we're bringing this
+ * interface back up as part of handling an asynchronous event (e.g.,
+ * physical address change).
+ */
+ if (ipsq->ipsq_xop->ipx_current_ioctl != 0) {
+ ASSERT(connp != NULL);
+ q = CONNP_TO_WQ(connp);
+ } else {
+ ASSERT(connp == NULL);
+ q = ill->ill_rq;
+ }
+ if ((err == 0) && (ill->ill_up_ipifs)) {
+ err = ill_up_ipifs(ill, q, mp1);
+ if (err == EINPROGRESS)
+ return;
+ }
+ /*
+ * The operation must complete without EINPROGRESS since
+ * ipsq_pending_mp_get() has removed the mblk from ipsq_pending_mp.
+ * Otherwise, the operation will be stuck forever in the ipsq.
+ */
+ ASSERT(err != EINPROGRESS);
+ if (ipsq->ipsq_xop->ipx_current_ioctl != 0) {
+ DTRACE_PROBE4(ipif__ioctl, char *,
+ "arp_replumb_done finish",
+ int, ipsq->ipsq_xop->ipx_current_ioctl,
+ ill_t *, ill, ipif_t *, ipif);
+ ip_ioctl_finish(q, mp1, err, NO_COPYOUT, ipsq);
+ } else {
+ ipsq_current_finish(ipsq);
+ }
+}
+
void
ipif_up_notify(ipif_t *ipif)
{
@@ -20610,3 +18167,48 @@ ip_sioctl_ilb_cmd(ipif_t *ipif, sin_t *sin, queue_t *q, mblk_t *mp,
done:
return (ret);
}
+
+/* Remove all cache entries for this logical interface */
+void
+ipif_nce_down(ipif_t *ipif)
+{
+ ill_t *ill = ipif->ipif_ill;
+ nce_t *nce;
+
+ DTRACE_PROBE3(ipif__downup, char *, "ipif_nce_down",
+ ill_t *, ill, ipif_t *, ipif);
+ if (ipif->ipif_added_nce) {
+ if (ipif->ipif_isv6)
+ nce = nce_lookup_v6(ill, &ipif->ipif_v6lcl_addr);
+ else
+ nce = nce_lookup_v4(ill, &ipif->ipif_lcl_addr);
+ if (nce != NULL) {
+ if (--nce->nce_ipif_cnt == 0)
+ ncec_delete(nce->nce_common);
+ ipif->ipif_added_nce = 0;
+ nce_refrele(nce);
+ } else {
+ /*
+ * nce may already be NULL because it was already
+ * flushed, e.g., due to a call to nce_flush
+ */
+ ipif->ipif_added_nce = 0;
+ }
+ }
+ /*
+ * Make IPMP aware of the deleted data address.
+ */
+ if (IS_IPMP(ill))
+ ipmp_illgrp_del_ipif(ill->ill_grp, ipif);
+
+ /*
+ * Remove all other nces dependent on this ill when the last ipif
+ * is going away.
+ */
+ if (ill->ill_ipif_up_count == 0) {
+ ncec_walk(ill, (pfi_t)ncec_delete_per_ill,
+ (uchar_t *)ill, ill->ill_ipst);
+ if (IS_UNDER_IPMP(ill))
+ nce_flush(ill, B_TRUE);
+ }
+}
diff --git a/usr/src/uts/common/inet/ip/ip_input.c b/usr/src/uts/common/inet/ip/ip_input.c
new file mode 100644
index 0000000000..d47670f85d
--- /dev/null
+++ b/usr/src/uts/common/inet/ip/ip_input.c
@@ -0,0 +1,3095 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+/* Copyright (c) 1990 Mentat Inc. */
+
+#include <sys/types.h>
+#include <sys/stream.h>
+#include <sys/dlpi.h>
+#include <sys/stropts.h>
+#include <sys/sysmacros.h>
+#include <sys/strsubr.h>
+#include <sys/strlog.h>
+#include <sys/strsun.h>
+#include <sys/zone.h>
+#define _SUN_TPI_VERSION 2
+#include <sys/tihdr.h>
+#include <sys/xti_inet.h>
+#include <sys/ddi.h>
+#include <sys/sunddi.h>
+#include <sys/cmn_err.h>
+#include <sys/debug.h>
+#include <sys/kobj.h>
+#include <sys/modctl.h>
+#include <sys/atomic.h>
+#include <sys/policy.h>
+#include <sys/priv.h>
+
+#include <sys/systm.h>
+#include <sys/param.h>
+#include <sys/kmem.h>
+#include <sys/sdt.h>
+#include <sys/socket.h>
+#include <sys/vtrace.h>
+#include <sys/isa_defs.h>
+#include <sys/mac.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <net/route.h>
+#include <sys/sockio.h>
+#include <netinet/in.h>
+#include <net/if_dl.h>
+
+#include <inet/common.h>
+#include <inet/mi.h>
+#include <inet/mib2.h>
+#include <inet/nd.h>
+#include <inet/arp.h>
+#include <inet/snmpcom.h>
+#include <inet/kstatcom.h>
+
+#include <netinet/igmp_var.h>
+#include <netinet/ip6.h>
+#include <netinet/icmp6.h>
+#include <netinet/sctp.h>
+
+#include <inet/ip.h>
+#include <inet/ip_impl.h>
+#include <inet/ip6.h>
+#include <inet/ip6_asp.h>
+#include <inet/optcom.h>
+#include <inet/tcp.h>
+#include <inet/tcp_impl.h>
+#include <inet/ip_multi.h>
+#include <inet/ip_if.h>
+#include <inet/ip_ire.h>
+#include <inet/ip_ftable.h>
+#include <inet/ip_rts.h>
+#include <inet/ip_ndp.h>
+#include <inet/ip_listutils.h>
+#include <netinet/igmp.h>
+#include <netinet/ip_mroute.h>
+#include <inet/ipp_common.h>
+
+#include <net/pfkeyv2.h>
+#include <inet/sadb.h>
+#include <inet/ipsec_impl.h>
+#include <inet/ipdrop.h>
+#include <inet/ip_netinfo.h>
+#include <inet/ilb_ip.h>
+#include <sys/squeue_impl.h>
+#include <sys/squeue.h>
+
+#include <sys/ethernet.h>
+#include <net/if_types.h>
+#include <sys/cpuvar.h>
+
+#include <ipp/ipp.h>
+#include <ipp/ipp_impl.h>
+#include <ipp/ipgpc/ipgpc.h>
+
+#include <sys/pattr.h>
+#include <inet/ipclassifier.h>
+#include <inet/sctp_ip.h>
+#include <inet/sctp/sctp_impl.h>
+#include <inet/udp_impl.h>
+#include <sys/sunddi.h>
+
+#include <sys/tsol/label.h>
+#include <sys/tsol/tnet.h>
+
+#include <rpc/pmap_prot.h>
+
+#ifdef DEBUG
+extern boolean_t skip_sctp_cksum;
+#endif
+
+static void ip_input_local_v4(ire_t *, mblk_t *, ipha_t *,
+ ip_recv_attr_t *);
+
+static void ip_input_broadcast_v4(ire_t *, mblk_t *, ipha_t *,
+ ip_recv_attr_t *);
+static void ip_input_multicast_v4(ire_t *, mblk_t *, ipha_t *,
+ ip_recv_attr_t *);
+
+#pragma inline(ip_input_common_v4, ip_input_local_v4, ip_forward_xmit_v4)
+
+/*
+ * Direct read side procedure capable of dealing with chains. GLDv3 based
+ * drivers call this function directly with mblk chains while STREAMS
+ * read side procedure ip_rput() calls this for single packet with ip_ring
+ * set to NULL to process one packet at a time.
+ *
+ * The ill will always be valid if this function is called directly from
+ * the driver.
+ *
+ * If ip_input() is called from GLDv3:
+ *
+ * - This must be a non-VLAN IP stream.
+ * - 'mp' is either an untagged or a special priority-tagged packet.
+ * - Any VLAN tag that was in the MAC header has been stripped.
+ *
+ * If the IP header in packet is not 32-bit aligned, every message in the
+ * chain will be aligned before further operations. This is required on SPARC
+ * platform.
+ */
+void
+ip_input(ill_t *ill, ill_rx_ring_t *ip_ring, mblk_t *mp_chain,
+ struct mac_header_info_s *mhip)
+{
+ (void) ip_input_common_v4(ill, ip_ring, mp_chain, mhip, NULL, NULL,
+ NULL);
+}
+
+/*
+ * ip_accept_tcp() - This function is called by the squeue when it retrieves
+ * a chain of packets in the poll mode. The packets have gone through the
+ * data link processing but not IP processing. For performance and latency
+ * reasons, the squeue wants to process the chain in line instead of feeding
+ * it back via ip_input path.
+ *
+ * We set up the ip_recv_attr_t with IRAF_TARGET_SQP to that ip_fanout_v4
+ * will pass back any TCP packets matching the target sqp to
+ * ip_input_common_v4 using ira_target_sqp_mp. Other packets are handled by
+ * ip_input_v4 and ip_fanout_v4 as normal.
+ * The TCP packets that match the target squeue are returned to the caller
+ * as a b_next chain after each packet has been prepend with an mblk
+ * from ip_recv_attr_to_mblk.
+ */
+mblk_t *
+ip_accept_tcp(ill_t *ill, ill_rx_ring_t *ip_ring, squeue_t *target_sqp,
+ mblk_t *mp_chain, mblk_t **last, uint_t *cnt)
+{
+ return (ip_input_common_v4(ill, ip_ring, mp_chain, NULL, target_sqp,
+ last, cnt));
+}
+
+/*
+ * Used by ip_input and ip_accept_tcp
+ * The last three arguments are only used by ip_accept_tcp, and mhip is
+ * only used by ip_input.
+ */
+mblk_t *
+ip_input_common_v4(ill_t *ill, ill_rx_ring_t *ip_ring, mblk_t *mp_chain,
+ struct mac_header_info_s *mhip, squeue_t *target_sqp,
+ mblk_t **last, uint_t *cnt)
+{
+ mblk_t *mp;
+ ipha_t *ipha;
+ ip_recv_attr_t iras; /* Receive attributes */
+ rtc_t rtc;
+ iaflags_t chain_flags = 0; /* Fixed for chain */
+ mblk_t *ahead = NULL; /* Accepted head */
+ mblk_t *atail = NULL; /* Accepted tail */
+ uint_t acnt = 0; /* Accepted count */
+
+ ASSERT(mp_chain != NULL);
+ ASSERT(ill != NULL);
+
+ /* These ones do not change as we loop over packets */
+ iras.ira_ill = iras.ira_rill = ill;
+ iras.ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+ iras.ira_rifindex = iras.ira_ruifindex;
+ iras.ira_sqp = NULL;
+ iras.ira_ring = ip_ring;
+ /* For ECMP and outbound transmit ring selection */
+ iras.ira_xmit_hint = ILL_RING_TO_XMIT_HINT(ip_ring);
+
+ iras.ira_target_sqp = target_sqp;
+ iras.ira_target_sqp_mp = NULL;
+ if (target_sqp != NULL)
+ chain_flags |= IRAF_TARGET_SQP;
+
+ /*
+ * We try to have a mhip pointer when possible, but
+ * it might be NULL in some cases. In those cases we
+ * have to assume unicast.
+ */
+ iras.ira_mhip = mhip;
+ iras.ira_flags = 0;
+ if (mhip != NULL) {
+ switch (mhip->mhi_dsttype) {
+ case MAC_ADDRTYPE_MULTICAST :
+ chain_flags |= IRAF_L2DST_MULTICAST;
+ break;
+ case MAC_ADDRTYPE_BROADCAST :
+ chain_flags |= IRAF_L2DST_BROADCAST;
+ break;
+ }
+ }
+
+ /*
+ * Initialize the one-element route cache.
+ *
+ * We do ire caching from one iteration to
+ * another. In the event the packet chain contains
+ * all packets from the same dst, this caching saves
+ * an ire_route_recursive for each of the succeeding
+ * packets in a packet chain.
+ */
+ rtc.rtc_ire = NULL;
+ rtc.rtc_ipaddr = INADDR_ANY;
+
+ /* Loop over b_next */
+ for (mp = mp_chain; mp != NULL; mp = mp_chain) {
+ mp_chain = mp->b_next;
+ mp->b_next = NULL;
+
+ ASSERT(DB_TYPE(mp) == M_DATA);
+
+
+ /*
+ * if db_ref > 1 then copymsg and free original. Packet
+ * may be changed and we do not want the other entity
+ * who has a reference to this message to trip over the
+ * changes. This is a blind change because trying to
+ * catch all places that might change the packet is too
+ * difficult.
+ *
+ * This corresponds to the fast path case, where we have
+ * a chain of M_DATA mblks. We check the db_ref count
+ * of only the 1st data block in the mblk chain. There
+ * doesn't seem to be a reason why a device driver would
+ * send up data with varying db_ref counts in the mblk
+ * chain. In any case the Fast path is a private
+ * interface, and our drivers don't do such a thing.
+ * Given the above assumption, there is no need to walk
+ * down the entire mblk chain (which could have a
+ * potential performance problem)
+ *
+ * The "(DB_REF(mp) > 1)" check was moved from ip_rput()
+ * to here because of exclusive ip stacks and vnics.
+ * Packets transmitted from exclusive stack over vnic
+ * can have db_ref > 1 and when it gets looped back to
+ * another vnic in a different zone, you have ip_input()
+ * getting dblks with db_ref > 1. So if someone
+ * complains of TCP performance under this scenario,
+ * take a serious look here on the impact of copymsg().
+ */
+ if (DB_REF(mp) > 1) {
+ if ((mp = ip_fix_dbref(mp, &iras)) == NULL) {
+ /* mhip might point into 1st packet in chain */
+ iras.ira_mhip = NULL;
+ continue;
+ }
+ }
+
+ /*
+ * IP header ptr not aligned?
+ * OR IP header not complete in first mblk
+ */
+ ipha = (ipha_t *)mp->b_rptr;
+ if (!OK_32PTR(ipha) || MBLKL(mp) < IP_SIMPLE_HDR_LENGTH) {
+ mp = ip_check_and_align_header(mp, IP_SIMPLE_HDR_LENGTH,
+ &iras);
+ if (mp == NULL) {
+ /* mhip might point into 1st packet in chain */
+ iras.ira_mhip = NULL;
+ continue;
+ }
+ ipha = (ipha_t *)mp->b_rptr;
+ }
+
+ /* Protect against a mix of Ethertypes and IP versions */
+ if (IPH_HDR_VERSION(ipha) != IPV4_VERSION) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInHdrErrors);
+ ip_drop_input("ipIfStatsInHdrErrors", mp, ill);
+ freemsg(mp);
+ /* mhip might point into 1st packet in the chain. */
+ iras.ira_mhip = NULL;
+ continue;
+ }
+
+ /*
+ * Check for Martian addrs; we have to explicitly
+ * test for for zero dst since this is also used as
+ * an indication that the rtc is not used.
+ */
+ if (ipha->ipha_dst == INADDR_ANY) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInAddrErrors);
+ ip_drop_input("ipIfStatsInAddrErrors", mp, ill);
+ freemsg(mp);
+ /* mhip might point into 1st packet in the chain. */
+ iras.ira_mhip = NULL;
+ continue;
+ }
+
+ /*
+ * Keep L2SRC from a previous packet in chain since mhip
+ * might point into an earlier packet in the chain.
+ * Keep IRAF_VERIFIED_SRC to avoid redoing broadcast
+ * source check in forwarding path.
+ */
+ chain_flags |= (iras.ira_flags &
+ (IRAF_L2SRC_SET|IRAF_VERIFIED_SRC));
+
+ iras.ira_flags = IRAF_IS_IPV4 | IRAF_VERIFY_IP_CKSUM |
+ IRAF_VERIFY_ULP_CKSUM | chain_flags;
+ iras.ira_free_flags = 0;
+ iras.ira_cred = NULL;
+ iras.ira_cpid = NOPID;
+ iras.ira_tsl = NULL;
+ iras.ira_zoneid = ALL_ZONES; /* Default for forwarding */
+
+ /*
+ * We must count all incoming packets, even if they end
+ * up being dropped later on. Defer counting bytes until
+ * we have the whole IP header in first mblk.
+ */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInReceives);
+
+ iras.ira_pktlen = ntohs(ipha->ipha_length);
+ UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInOctets,
+ iras.ira_pktlen);
+
+ /*
+ * Call one of:
+ * ill_input_full_v4
+ * ill_input_short_v4
+ * The former is used in unusual cases. See ill_set_inputfn().
+ */
+ (*ill->ill_inputfn)(mp, ipha, &ipha->ipha_dst, &iras, &rtc);
+
+ /* Any references to clean up? No hold on ira_ill */
+ if (iras.ira_flags & (IRAF_IPSEC_SECURE|IRAF_SYSTEM_LABELED))
+ ira_cleanup(&iras, B_FALSE);
+
+ if (iras.ira_target_sqp_mp != NULL) {
+ /* Better be called from ip_accept_tcp */
+ ASSERT(target_sqp != NULL);
+
+ /* Found one packet to accept */
+ mp = iras.ira_target_sqp_mp;
+ iras.ira_target_sqp_mp = NULL;
+ ASSERT(ip_recv_attr_is_mblk(mp));
+
+ if (atail != NULL)
+ atail->b_next = mp;
+ else
+ ahead = mp;
+ atail = mp;
+ acnt++;
+ mp = NULL;
+ }
+ /* mhip might point into 1st packet in the chain. */
+ iras.ira_mhip = NULL;
+ }
+ /* Any remaining references to the route cache? */
+ if (rtc.rtc_ire != NULL) {
+ ASSERT(rtc.rtc_ipaddr != INADDR_ANY);
+ ire_refrele(rtc.rtc_ire);
+ }
+
+ if (ahead != NULL) {
+ /* Better be called from ip_accept_tcp */
+ ASSERT(target_sqp != NULL);
+ *last = atail;
+ *cnt = acnt;
+ return (ahead);
+ }
+
+ return (NULL);
+}
+
+/*
+ * This input function is used when
+ * - is_system_labeled()
+ * - CGTP filtering
+ * - DHCP unicast before we have an IP address configured
+ * - there is an listener for IPPROTO_RSVP
+ */
+void
+ill_input_full_v4(mblk_t *mp, void *iph_arg, void *nexthop_arg,
+ ip_recv_attr_t *ira, rtc_t *rtc)
+{
+ ipha_t *ipha = (ipha_t *)iph_arg;
+ ipaddr_t nexthop = *(ipaddr_t *)nexthop_arg;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ int cgtp_flt_pkt;
+
+ ASSERT(ira->ira_tsl == NULL);
+
+ /*
+ * Attach any necessary label information to
+ * this packet
+ */
+ if (is_system_labeled()) {
+ ira->ira_flags |= IRAF_SYSTEM_LABELED;
+
+ /*
+ * This updates ira_cred, ira_tsl and ira_free_flags based
+ * on the label.
+ */
+ if (!tsol_get_pkt_label(mp, IPV4_VERSION, ira)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ /* Note that ira_tsl can be NULL here. */
+
+ /* tsol_get_pkt_label sometimes does pullupmsg */
+ ipha = (ipha_t *)mp->b_rptr;
+ }
+
+ /*
+ * Invoke the CGTP (multirouting) filtering module to process
+ * the incoming packet. Packets identified as duplicates
+ * must be discarded. Filtering is active only if the
+ * the ip_cgtp_filter ndd variable is non-zero.
+ */
+ cgtp_flt_pkt = CGTP_IP_PKT_NOT_CGTP;
+ if (ipst->ips_ip_cgtp_filter &&
+ ipst->ips_ip_cgtp_filter_ops != NULL) {
+ netstackid_t stackid;
+
+ stackid = ipst->ips_netstack->netstack_stackid;
+ /*
+ * CGTP and IPMP are mutually exclusive so
+ * phyint_ifindex is fine here.
+ */
+ cgtp_flt_pkt =
+ ipst->ips_ip_cgtp_filter_ops->cfo_filter(stackid,
+ ill->ill_phyint->phyint_ifindex, mp);
+ if (cgtp_flt_pkt == CGTP_IP_PKT_DUPLICATE) {
+ ip_drop_input("CGTP_IP_PKT_DUPLICATE", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ }
+
+ /*
+ * Brutal hack for DHCPv4 unicast: RFC2131 allows a DHCP
+ * server to unicast DHCP packets to a DHCP client using the
+ * IP address it is offering to the client. This can be
+ * disabled through the "broadcast bit", but not all DHCP
+ * servers honor that bit. Therefore, to interoperate with as
+ * many DHCP servers as possible, the DHCP client allows the
+ * server to unicast, but we treat those packets as broadcast
+ * here. Note that we don't rewrite the packet itself since
+ * (a) that would mess up the checksums and (b) the DHCP
+ * client conn is bound to INADDR_ANY so ip_fanout_udp() will
+ * hand it the packet regardless.
+ */
+ if (ill->ill_dhcpinit != 0 &&
+ ipha->ipha_version_and_hdr_length == IP_SIMPLE_HDR_VERSION &&
+ ipha->ipha_protocol == IPPROTO_UDP) {
+ udpha_t *udpha;
+
+ ipha = ip_pullup(mp, sizeof (ipha_t) + sizeof (udpha_t), ira);
+ if (ipha == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - dhcp", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ /* Reload since pullupmsg() can change b_rptr. */
+ udpha = (udpha_t *)&ipha[1];
+
+ if (ntohs(udpha->uha_dst_port) == IPPORT_BOOTPC) {
+ DTRACE_PROBE2(ip4__dhcpinit__pkt, ill_t *, ill,
+ mblk_t *, mp);
+ /*
+ * This assumes that we deliver to all conns for
+ * multicast and broadcast packets.
+ */
+ nexthop = INADDR_BROADCAST;
+ ira->ira_flags |= IRAF_DHCP_UNICAST;
+ }
+ }
+
+ /*
+ * If rsvpd is running, let RSVP daemon handle its processing
+ * and forwarding of RSVP multicast/unicast packets.
+ * If rsvpd is not running but mrouted is running, RSVP
+ * multicast packets are forwarded as multicast traffic
+ * and RSVP unicast packets are forwarded by unicast router.
+ * If neither rsvpd nor mrouted is running, RSVP multicast
+ * packets are not forwarded, but the unicast packets are
+ * forwarded like unicast traffic.
+ */
+ if (ipha->ipha_protocol == IPPROTO_RSVP &&
+ ipst->ips_ipcl_proto_fanout_v4[IPPROTO_RSVP].connf_head != NULL) {
+ /* RSVP packet and rsvpd running. Treat as ours */
+ ip2dbg(("ip_input: RSVP for us: 0x%x\n", ntohl(nexthop)));
+ /*
+ * We use a multicast address to get the packet to
+ * ire_recv_multicast_v4. There will not be a membership
+ * check since we set IRAF_RSVP
+ */
+ nexthop = htonl(INADDR_UNSPEC_GROUP);
+ ira->ira_flags |= IRAF_RSVP;
+ }
+
+ ill_input_short_v4(mp, ipha, &nexthop, ira, rtc);
+}
+
+/*
+ * This is the tail-end of the full receive side packet handling.
+ * It can be used directly when the configuration is simple.
+ */
+void
+ill_input_short_v4(mblk_t *mp, void *iph_arg, void *nexthop_arg,
+ ip_recv_attr_t *ira, rtc_t *rtc)
+{
+ ire_t *ire;
+ uint_t opt_len;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ uint_t pkt_len;
+ ssize_t len;
+ ipha_t *ipha = (ipha_t *)iph_arg;
+ ipaddr_t nexthop = *(ipaddr_t *)nexthop_arg;
+ ilb_stack_t *ilbs = ipst->ips_netstack->netstack_ilb;
+#define rptr ((uchar_t *)ipha)
+
+ ASSERT(DB_TYPE(mp) == M_DATA);
+
+ /*
+ * The following test for loopback is faster than
+ * IP_LOOPBACK_ADDR(), because it avoids any bitwise
+ * operations.
+ * Note that these addresses are always in network byte order
+ */
+ if (((*(uchar_t *)&ipha->ipha_dst) == 127) ||
+ ((*(uchar_t *)&ipha->ipha_src) == 127)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInAddrErrors);
+ ip_drop_input("ipIfStatsInAddrErrors", mp, ill);
+ freemsg(mp);
+ return;
+ }
+
+ len = mp->b_wptr - rptr;
+ pkt_len = ira->ira_pktlen;
+
+ /* multiple mblk or too short */
+ len -= pkt_len;
+ if (len != 0) {
+ mp = ip_check_length(mp, rptr, len, pkt_len,
+ IP_SIMPLE_HDR_LENGTH, ira);
+ if (mp == NULL)
+ return;
+ ipha = (ipha_t *)mp->b_rptr;
+ }
+
+ DTRACE_IP7(receive, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
+ ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha, ip6_t *, NULL,
+ int, 0);
+
+ /*
+ * The event for packets being received from a 'physical'
+ * interface is placed after validation of the source and/or
+ * destination address as being local so that packets can be
+ * redirected to loopback addresses using ipnat.
+ */
+ DTRACE_PROBE4(ip4__physical__in__start,
+ ill_t *, ill, ill_t *, NULL,
+ ipha_t *, ipha, mblk_t *, mp);
+
+ if (HOOKS4_INTERESTED_PHYSICAL_IN(ipst)) {
+ int ll_multicast = 0;
+ int error;
+ ipaddr_t orig_dst = ipha->ipha_dst;
+
+ if (ira->ira_flags & IRAF_L2DST_MULTICAST)
+ ll_multicast = HPE_MULTICAST;
+ else if (ira->ira_flags & IRAF_L2DST_BROADCAST)
+ ll_multicast = HPE_BROADCAST;
+
+ FW_HOOKS(ipst->ips_ip4_physical_in_event,
+ ipst->ips_ipv4firewall_physical_in,
+ ill, NULL, ipha, mp, mp, ll_multicast, ipst, error);
+
+ DTRACE_PROBE1(ip4__physical__in__end, mblk_t *, mp);
+
+ if (mp == NULL)
+ return;
+ /* The length could have changed */
+ ipha = (ipha_t *)mp->b_rptr;
+ ira->ira_pktlen = ntohs(ipha->ipha_length);
+ pkt_len = ira->ira_pktlen;
+
+ /*
+ * In case the destination changed we override any previous
+ * change to nexthop.
+ */
+ if (orig_dst != ipha->ipha_dst)
+ nexthop = ipha->ipha_dst;
+ if (nexthop == INADDR_ANY) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInAddrErrors);
+ ip_drop_input("ipIfStatsInAddrErrors", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ }
+
+ if (ipst->ips_ip4_observe.he_interested) {
+ zoneid_t dzone;
+
+ /*
+ * On the inbound path the src zone will be unknown as
+ * this packet has come from the wire.
+ */
+ dzone = ip_get_zoneid_v4(nexthop, mp, ira, ALL_ZONES);
+ ipobs_hook(mp, IPOBS_HOOK_INBOUND, ALL_ZONES, dzone, ill, ipst);
+ }
+
+ /*
+ * If there is a good HW IP header checksum we clear the need
+ * look at the IP header checksum.
+ */
+ if ((DB_CKSUMFLAGS(mp) & HCK_IPV4_HDRCKSUM) &&
+ ILL_HCKSUM_CAPABLE(ill) && dohwcksum) {
+ /* Header checksum was ok. Clear the flag */
+ DB_CKSUMFLAGS(mp) &= ~HCK_IPV4_HDRCKSUM;
+ ira->ira_flags &= ~IRAF_VERIFY_IP_CKSUM;
+ }
+
+ /*
+ * Here we check to see if we machine is setup as
+ * L3 loadbalancer and if the incoming packet is for a VIP
+ *
+ * Check the following:
+ * - there is at least a rule
+ * - protocol of the packet is supported
+ */
+ if (ilb_has_rules(ilbs) && ILB_SUPP_L4(ipha->ipha_protocol)) {
+ ipaddr_t lb_dst;
+ int lb_ret;
+
+ /* For convenience, we pull up the mblk. */
+ if (mp->b_cont != NULL) {
+ if (pullupmsg(mp, -1) == 0) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - pullupmsg",
+ mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ipha = (ipha_t *)mp->b_rptr;
+ }
+
+ /*
+ * We just drop all fragments going to any VIP, at
+ * least for now....
+ */
+ if (ntohs(ipha->ipha_fragment_offset_and_flags) &
+ (IPH_MF | IPH_OFFSET)) {
+ if (!ilb_rule_match_vip_v4(ilbs, nexthop, NULL)) {
+ goto after_ilb;
+ }
+
+ ILB_KSTAT_UPDATE(ilbs, ip_frag_in, 1);
+ ILB_KSTAT_UPDATE(ilbs, ip_frag_dropped, 1);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ILB fragment", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ lb_ret = ilb_check_v4(ilbs, ill, mp, ipha, ipha->ipha_protocol,
+ (uint8_t *)ipha + IPH_HDR_LENGTH(ipha), &lb_dst);
+
+ if (lb_ret == ILB_DROPPED) {
+ /* Is this the right counter to increase? */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ILB_DROPPED", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ if (lb_ret == ILB_BALANCED) {
+ /* Set the dst to that of the chosen server */
+ nexthop = lb_dst;
+ DB_CKSUMFLAGS(mp) = 0;
+ }
+ }
+
+after_ilb:
+ opt_len = ipha->ipha_version_and_hdr_length - IP_SIMPLE_HDR_VERSION;
+ ira->ira_ip_hdr_length = IP_SIMPLE_HDR_LENGTH;
+ if (opt_len != 0) {
+ int error = 0;
+
+ ira->ira_ip_hdr_length += (opt_len << 2);
+ ira->ira_flags |= IRAF_IPV4_OPTIONS;
+
+ /* IP Options present! Validate the length. */
+ mp = ip_check_optlen(mp, ipha, opt_len, pkt_len, ira);
+ if (mp == NULL)
+ return;
+
+ /* Might have changed */
+ ipha = (ipha_t *)mp->b_rptr;
+
+ /* Verify IP header checksum before parsing the options */
+ if ((ira->ira_flags & IRAF_VERIFY_IP_CKSUM) &&
+ ip_csum_hdr(ipha)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInCksumErrs);
+ ip_drop_input("ipIfStatsInCksumErrs", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ira->ira_flags &= ~IRAF_VERIFY_IP_CKSUM;
+
+ /*
+ * Go off to ip_input_options which returns the next hop
+ * destination address, which may have been affected
+ * by source routing.
+ */
+ IP_STAT(ipst, ip_opt);
+
+ nexthop = ip_input_options(ipha, nexthop, mp, ira, &error);
+ if (error != 0) {
+ /*
+ * An ICMP error has been sent and the packet has
+ * been dropped.
+ */
+ return;
+ }
+ }
+ /* Can not use route cache with TX since the labels can differ */
+ if (ira->ira_flags & IRAF_SYSTEM_LABELED) {
+ if (CLASSD(nexthop)) {
+ ire = ire_multicast(ill);
+ } else {
+ /* Match destination and label */
+ ire = ire_route_recursive_v4(nexthop, 0, NULL,
+ ALL_ZONES, ira->ira_tsl, MATCH_IRE_SECATTR,
+ (ill->ill_flags & ILLF_ROUTER),
+ ira->ira_xmit_hint, ipst, NULL, NULL, NULL);
+ }
+ /* Update the route cache so we do the ire_refrele */
+ ASSERT(ire != NULL);
+ if (rtc->rtc_ire != NULL)
+ ire_refrele(rtc->rtc_ire);
+ rtc->rtc_ire = ire;
+ rtc->rtc_ipaddr = nexthop;
+ } else if (nexthop == rtc->rtc_ipaddr) {
+ /* Use the route cache */
+ ASSERT(rtc->rtc_ire != NULL);
+ ire = rtc->rtc_ire;
+ } else {
+ /* Update the route cache */
+ if (CLASSD(nexthop)) {
+ ire = ire_multicast(ill);
+ } else {
+ /* Just match the destination */
+ ire = ire_route_recursive_dstonly_v4(nexthop,
+ (ill->ill_flags & ILLF_ROUTER), ira->ira_xmit_hint,
+ ipst);
+ }
+ ASSERT(ire != NULL);
+ if (rtc->rtc_ire != NULL)
+ ire_refrele(rtc->rtc_ire);
+ rtc->rtc_ire = ire;
+ rtc->rtc_ipaddr = nexthop;
+ }
+
+ ire->ire_ib_pkt_count++;
+
+ /*
+ * Based on ire_type and ire_flags call one of:
+ * ire_recv_local_v4 - for IRE_LOCAL
+ * ire_recv_loopback_v4 - for IRE_LOOPBACK
+ * ire_recv_multirt_v4 - if RTF_MULTIRT
+ * ire_recv_noroute_v4 - if RTF_REJECT or RTF_BLACHOLE
+ * ire_recv_multicast_v4 - for IRE_MULTICAST
+ * ire_recv_broadcast_v4 - for IRE_BROADCAST
+ * ire_recv_noaccept_v4 - for ire_noaccept ones
+ * ire_recv_forward_v4 - for the rest.
+ */
+ (*ire->ire_recvfn)(ire, mp, ipha, ira);
+}
+#undef rptr
+
+/*
+ * ire_recvfn for IREs that need forwarding
+ */
+void
+ire_recv_forward_v4(ire_t *ire, mblk_t *mp, void *iph_arg, ip_recv_attr_t *ira)
+{
+ ipha_t *ipha = (ipha_t *)iph_arg;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ ill_t *dst_ill;
+ nce_t *nce;
+ ipaddr_t src = ipha->ipha_src;
+ uint32_t added_tx_len;
+ uint32_t mtu, iremtu;
+
+ if (ira->ira_flags & (IRAF_L2DST_MULTICAST|IRAF_L2DST_BROADCAST)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ ip_drop_input("l2 multicast not forwarded", mp, ill);
+ freemsg(mp);
+ return;
+ }
+
+ if (!(ill->ill_flags & ILLF_ROUTER) && !ip_source_routed(ipha, ipst)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ ip_drop_input("ipIfStatsForwProhibits", mp, ill);
+ freemsg(mp);
+ return;
+ }
+
+ /*
+ * Either ire_nce_capable or ire_dep_parent would be set for the IRE
+ * when it is found by ire_route_recursive, but that some other thread
+ * could have changed the routes with the effect of clearing
+ * ire_dep_parent. In that case we'd end up dropping the packet, or
+ * finding a new nce below.
+ * Get, allocate, or update the nce.
+ * We get a refhold on ire_nce_cache as a result of this to avoid races
+ * where ire_nce_cache is deleted.
+ *
+ * This ensures that we don't forward if the interface is down since
+ * ipif_down removes all the nces.
+ */
+ mutex_enter(&ire->ire_lock);
+ nce = ire->ire_nce_cache;
+ if (nce == NULL) {
+ /* Not yet set up - try to set one up */
+ mutex_exit(&ire->ire_lock);
+ (void) ire_revalidate_nce(ire);
+ mutex_enter(&ire->ire_lock);
+ nce = ire->ire_nce_cache;
+ if (nce == NULL) {
+ mutex_exit(&ire->ire_lock);
+ /* The ire_dep_parent chain went bad, or no memory */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("No ire_dep_parent", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ }
+ nce_refhold(nce);
+ mutex_exit(&ire->ire_lock);
+
+ if (nce->nce_is_condemned) {
+ nce_t *nce1;
+
+ nce1 = ire_handle_condemned_nce(nce, ire, ipha, NULL, B_FALSE);
+ nce_refrele(nce);
+ if (nce1 == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("No nce", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ nce = nce1;
+ }
+ dst_ill = nce->nce_ill;
+
+ /*
+ * Unless we are forwarding, drop the packet.
+ * We have to let source routed packets through if they go out
+ * the same interface i.e., they are 'ping -l' packets.
+ */
+ if (!(dst_ill->ill_flags & ILLF_ROUTER) &&
+ !(ip_source_routed(ipha, ipst) && dst_ill == ill)) {
+ if (ip_source_routed(ipha, ipst)) {
+ ip_drop_input("ICMP_SOURCE_ROUTE_FAILED", mp, ill);
+ icmp_unreachable(mp, ICMP_SOURCE_ROUTE_FAILED, ira);
+ nce_refrele(nce);
+ return;
+ }
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ ip_drop_input("ipIfStatsForwProhibits", mp, ill);
+ freemsg(mp);
+ nce_refrele(nce);
+ return;
+ }
+
+ if (ire->ire_zoneid != GLOBAL_ZONEID && ire->ire_zoneid != ALL_ZONES) {
+ ipaddr_t dst = ipha->ipha_dst;
+
+ ire->ire_ib_pkt_count--;
+ /*
+ * Should only use IREs that are visible from the
+ * global zone for forwarding.
+ * Take a source route into account the same way as ip_input
+ * did.
+ */
+ if (ira->ira_flags & IRAF_IPV4_OPTIONS) {
+ int error = 0;
+
+ dst = ip_input_options(ipha, dst, mp, ira, &error);
+ ASSERT(error == 0); /* ip_input checked */
+ }
+ ire = ire_route_recursive_v4(dst, 0, NULL, GLOBAL_ZONEID,
+ ira->ira_tsl, MATCH_IRE_SECATTR,
+ (ill->ill_flags & ILLF_ROUTER), ira->ira_xmit_hint, ipst,
+ NULL, NULL, NULL);
+ ire->ire_ib_pkt_count++;
+ (*ire->ire_recvfn)(ire, mp, ipha, ira);
+ ire_refrele(ire);
+ nce_refrele(nce);
+ return;
+ }
+
+ /*
+ * ipIfStatsHCInForwDatagrams should only be increment if there
+ * will be an attempt to forward the packet, which is why we
+ * increment after the above condition has been checked.
+ */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInForwDatagrams);
+
+ /* Initiate Read side IPPF processing */
+ if (IPP_ENABLED(IPP_FWD_IN, ipst)) {
+ /* ip_process translates an IS_UNDER_IPMP */
+ mp = ip_process(IPP_FWD_IN, mp, ill, ill);
+ if (mp == NULL) {
+ /* ip_drop_packet and MIB done */
+ ip2dbg(("ire_recv_forward_v4: pkt dropped/deferred "
+ "during IPPF processing\n"));
+ nce_refrele(nce);
+ return;
+ }
+ }
+
+ DTRACE_PROBE4(ip4__forwarding__start,
+ ill_t *, ill, ill_t *, dst_ill, ipha_t *, ipha, mblk_t *, mp);
+
+ if (HOOKS4_INTERESTED_FORWARDING(ipst)) {
+ int error;
+
+ FW_HOOKS(ipst->ips_ip4_forwarding_event,
+ ipst->ips_ipv4firewall_forwarding,
+ ill, dst_ill, ipha, mp, mp, 0, ipst, error);
+
+ DTRACE_PROBE1(ip4__forwarding__end, mblk_t *, mp);
+
+ if (mp == NULL) {
+ nce_refrele(nce);
+ return;
+ }
+ /*
+ * Even if the destination was changed by the filter we use the
+ * forwarding decision that was made based on the address
+ * in ip_input.
+ */
+
+ /* Might have changed */
+ ipha = (ipha_t *)mp->b_rptr;
+ ira->ira_pktlen = ntohs(ipha->ipha_length);
+ }
+
+ /* Packet is being forwarded. Turning off hwcksum flag. */
+ DB_CKSUMFLAGS(mp) = 0;
+
+ /*
+ * Martian Address Filtering [RFC 1812, Section 5.3.7]
+ * The loopback address check for both src and dst has already
+ * been checked in ip_input
+ * In the future one can envision adding RPF checks using number 3.
+ * If we already checked the same source address we can skip this.
+ */
+ if (!(ira->ira_flags & IRAF_VERIFIED_SRC) ||
+ src != ira->ira_verified_src) {
+ switch (ipst->ips_src_check) {
+ case 0:
+ break;
+ case 2:
+ if (ip_type_v4(src, ipst) == IRE_BROADCAST) {
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsForwProhibits);
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsInAddrErrors);
+ ip_drop_input("ipIfStatsInAddrErrors", mp, ill);
+ freemsg(mp);
+ nce_refrele(nce);
+ return;
+ }
+ /* FALLTHRU */
+
+ case 1:
+ if (CLASSD(src)) {
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsForwProhibits);
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsInAddrErrors);
+ ip_drop_input("ipIfStatsInAddrErrors", mp, ill);
+ freemsg(mp);
+ nce_refrele(nce);
+ return;
+ }
+ break;
+ }
+ /* Remember for next packet */
+ ira->ira_flags |= IRAF_VERIFIED_SRC;
+ ira->ira_verified_src = src;
+ }
+
+ /*
+ * Check if packet is going out the same link on which it arrived.
+ * Means we might need to send a redirect.
+ */
+ if (IS_ON_SAME_LAN(dst_ill, ill) && ipst->ips_ip_g_send_redirects) {
+ ip_send_potential_redirect_v4(mp, ipha, ire, ira);
+ }
+
+ added_tx_len = 0;
+ if (ira->ira_flags & IRAF_SYSTEM_LABELED) {
+ mblk_t *mp1;
+ uint32_t old_pkt_len = ira->ira_pktlen;
+
+ /*
+ * Check if it can be forwarded and add/remove
+ * CIPSO options as needed.
+ */
+ if ((mp1 = tsol_ip_forward(ire, mp, ira)) == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ ip_drop_input("tsol_ip_forward", mp, ill);
+ freemsg(mp);
+ nce_refrele(nce);
+ return;
+ }
+ /*
+ * Size may have changed. Remember amount added in case
+ * IP needs to send an ICMP too big.
+ */
+ mp = mp1;
+ ipha = (ipha_t *)mp->b_rptr;
+ ira->ira_pktlen = ntohs(ipha->ipha_length);
+ ira->ira_ip_hdr_length = IPH_HDR_LENGTH(ipha);
+ if (ira->ira_pktlen > old_pkt_len)
+ added_tx_len = ira->ira_pktlen - old_pkt_len;
+
+ /* Options can have been added or removed */
+ if (ira->ira_ip_hdr_length != IP_SIMPLE_HDR_LENGTH)
+ ira->ira_flags |= IRAF_IPV4_OPTIONS;
+ else
+ ira->ira_flags &= ~IRAF_IPV4_OPTIONS;
+ }
+
+ mtu = dst_ill->ill_mtu;
+ if ((iremtu = ire->ire_metrics.iulp_mtu) != 0 && iremtu < mtu)
+ mtu = iremtu;
+ ip_forward_xmit_v4(nce, ill, mp, ipha, ira, mtu, added_tx_len);
+ nce_refrele(nce);
+}
+
+/*
+ * Used for sending out unicast and multicast packets that are
+ * forwarded.
+ */
+void
+ip_forward_xmit_v4(nce_t *nce, ill_t *ill, mblk_t *mp, ipha_t *ipha,
+ ip_recv_attr_t *ira, uint32_t mtu, uint32_t added_tx_len)
+{
+ ill_t *dst_ill = nce->nce_ill;
+ uint32_t pkt_len;
+ uint32_t sum;
+ iaflags_t iraflags = ira->ira_flags;
+ ip_stack_t *ipst = ill->ill_ipst;
+ iaflags_t ixaflags;
+
+ if (ipha->ipha_ttl <= 1) {
+ /* Perhaps the checksum was bad */
+ if ((iraflags & IRAF_VERIFY_IP_CKSUM) && ip_csum_hdr(ipha)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInCksumErrs);
+ ip_drop_input("ipIfStatsInCksumErrs", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ICMP_TTL_EXCEEDED", mp, ill);
+ icmp_time_exceeded(mp, ICMP_TTL_EXCEEDED, ira);
+ return;
+ }
+ ipha->ipha_ttl--;
+ /* Adjust the checksum to reflect the ttl decrement. */
+ sum = (int)ipha->ipha_hdr_checksum + IP_HDR_CSUM_TTL_ADJUST;
+ ipha->ipha_hdr_checksum = (uint16_t)(sum + (sum >> 16));
+
+ /* Check if there are options to update */
+ if (iraflags & IRAF_IPV4_OPTIONS) {
+ ASSERT(ipha->ipha_version_and_hdr_length !=
+ IP_SIMPLE_HDR_VERSION);
+ ASSERT(!(iraflags & IRAF_VERIFY_IP_CKSUM));
+
+ if (!ip_forward_options(mp, ipha, dst_ill, ira)) {
+ /* ipIfStatsForwProhibits and ip_drop_input done */
+ return;
+ }
+
+ ipha->ipha_hdr_checksum = 0;
+ ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
+ }
+
+ /* Initiate Write side IPPF processing before any fragmentation */
+ if (IPP_ENABLED(IPP_FWD_OUT, ipst)) {
+ /* ip_process translates an IS_UNDER_IPMP */
+ mp = ip_process(IPP_FWD_OUT, mp, dst_ill, dst_ill);
+ if (mp == NULL) {
+ /* ip_drop_packet and MIB done */
+ ip2dbg(("ire_recv_forward_v4: pkt dropped/deferred" \
+ " during IPPF processing\n"));
+ return;
+ }
+ }
+
+ pkt_len = ira->ira_pktlen;
+
+ BUMP_MIB(dst_ill->ill_ip_mib, ipIfStatsHCOutForwDatagrams);
+
+ ixaflags = IXAF_IS_IPV4 | IXAF_NO_DEV_FLOW_CTL;
+
+ if (pkt_len > mtu) {
+ /*
+ * It needs fragging on its way out. If we haven't
+ * verified the header checksum yet we do it now since
+ * are going to put a surely good checksum in the
+ * outgoing header, we have to make sure that it
+ * was good coming in.
+ */
+ if ((iraflags & IRAF_VERIFY_IP_CKSUM) && ip_csum_hdr(ipha)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInCksumErrs);
+ ip_drop_input("ipIfStatsInCksumErrs", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ if (ipha->ipha_fragment_offset_and_flags & IPH_DF_HTONS) {
+ BUMP_MIB(dst_ill->ill_ip_mib, ipIfStatsOutFragFails);
+ ip_drop_output("ipIfStatsOutFragFails", mp, dst_ill);
+ if (iraflags & IRAF_SYSTEM_LABELED) {
+ /*
+ * Remove any CIPSO option added by
+ * tsol_ip_forward, and make sure we report
+ * a path MTU so that there
+ * is room to add such a CIPSO option for future
+ * packets.
+ */
+ mtu = tsol_pmtu_adjust(mp, mtu, added_tx_len,
+ AF_INET);
+ }
+
+ icmp_frag_needed(mp, mtu, ira);
+ return;
+ }
+
+ (void) ip_fragment_v4(mp, nce, ixaflags, pkt_len, mtu,
+ ira->ira_xmit_hint, GLOBAL_ZONEID, 0, ip_xmit, NULL);
+ return;
+ }
+
+ ASSERT(pkt_len == ntohs(((ipha_t *)mp->b_rptr)->ipha_length));
+ if (iraflags & IRAF_LOOPBACK_COPY) {
+ /*
+ * IXAF_NO_LOOP_ZONEID is not set hence 7th arg
+ * is don't care
+ */
+ (void) ip_postfrag_loopcheck(mp, nce,
+ ixaflags | IXAF_LOOPBACK_COPY,
+ pkt_len, ira->ira_xmit_hint, GLOBAL_ZONEID, 0, NULL);
+ } else {
+ (void) ip_xmit(mp, nce, ixaflags, pkt_len, ira->ira_xmit_hint,
+ GLOBAL_ZONEID, 0, NULL);
+ }
+}
+
+/*
+ * ire_recvfn for RTF_REJECT and RTF_BLACKHOLE routes, including IRE_NOROUTE,
+ * which is what ire_route_recursive returns when there is no matching ire.
+ * Send ICMP unreachable unless blackhole.
+ */
+void
+ire_recv_noroute_v4(ire_t *ire, mblk_t *mp, void *iph_arg, ip_recv_attr_t *ira)
+{
+ ipha_t *ipha = (ipha_t *)iph_arg;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+
+ /* Would we have forwarded this packet if we had a route? */
+ if (ira->ira_flags & (IRAF_L2DST_MULTICAST|IRAF_L2DST_BROADCAST)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ ip_drop_input("l2 multicast not forwarded", mp, ill);
+ freemsg(mp);
+ return;
+ }
+
+ if (!(ill->ill_flags & ILLF_ROUTER)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ ip_drop_input("ipIfStatsForwProhibits", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ /*
+ * If we had a route this could have been forwarded. Count as such.
+ *
+ * ipIfStatsHCInForwDatagrams should only be increment if there
+ * will be an attempt to forward the packet, which is why we
+ * increment after the above condition has been checked.
+ */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInForwDatagrams);
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInNoRoutes);
+
+ ip_rts_change(RTM_MISS, ipha->ipha_dst, 0, 0, 0, 0, 0, 0, RTA_DST,
+ ipst);
+
+ if (ire->ire_flags & RTF_BLACKHOLE) {
+ ip_drop_input("ipIfStatsInNoRoutes RTF_BLACKHOLE", mp, ill);
+ freemsg(mp);
+ } else {
+ ip_drop_input("ipIfStatsInNoRoutes RTF_REJECT", mp, ill);
+
+ if (ip_source_routed(ipha, ipst)) {
+ icmp_unreachable(mp, ICMP_SOURCE_ROUTE_FAILED, ira);
+ } else {
+ icmp_unreachable(mp, ICMP_HOST_UNREACHABLE, ira);
+ }
+ }
+}
+
+/*
+ * ire_recvfn for IRE_LOCALs marked with ire_noaccept. Such IREs are used for
+ * VRRP when in noaccept mode.
+ * We silently drop the packet. ARP handles packets even if noaccept is set.
+ */
+/* ARGSUSED */
+void
+ire_recv_noaccept_v4(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_recv_attr_t *ira)
+{
+ ill_t *ill = ira->ira_ill;
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - noaccept", mp, ill);
+ freemsg(mp);
+}
+
+/*
+ * ire_recvfn for IRE_BROADCAST.
+ */
+void
+ire_recv_broadcast_v4(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_recv_attr_t *ira)
+{
+ ipha_t *ipha = (ipha_t *)iph_arg;
+ ill_t *ill = ira->ira_ill;
+ ill_t *dst_ill = ire->ire_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ ire_t *alt_ire;
+ nce_t *nce;
+ ipaddr_t ipha_dst;
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInBcastPkts);
+
+ /* Tag for higher-level protocols */
+ ira->ira_flags |= IRAF_BROADCAST;
+
+ /*
+ * Whether local or directed broadcast forwarding: don't allow
+ * for TCP.
+ */
+ if (ipha->ipha_protocol == IPPROTO_TCP) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+ }
+
+ /*
+ * So that we don't end up with dups, only one ill an IPMP group is
+ * nominated to receive broadcast traffic.
+ * If we have no cast_ill we are liberal and accept everything.
+ */
+ if (IS_UNDER_IPMP(ill)) {
+ /* For an under ill_grp can change under lock */
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
+ if (!ill->ill_nom_cast && ill->ill_grp != NULL &&
+ ill->ill_grp->ig_cast_ill != NULL) {
+ rw_exit(&ipst->ips_ill_g_lock);
+ /* No MIB since this is normal operation */
+ ip_drop_input("not nom_cast", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ rw_exit(&ipst->ips_ill_g_lock);
+
+ ira->ira_ruifindex = ill_get_upper_ifindex(ill);
+ }
+
+ /*
+ * After reassembly and IPsec we will need to duplicate the
+ * broadcast packet for all matching zones on the ill.
+ */
+ ira->ira_zoneid = ALL_ZONES;
+
+ /*
+ * Check for directed broadcast i.e. ire->ire_ill is different than
+ * the incoming ill.
+ * The same broadcast address can be assigned to multiple interfaces
+ * so have to check explicitly for that case by looking up the alt_ire
+ */
+ if (dst_ill == ill && !(ire->ire_flags & RTF_MULTIRT)) {
+ /* Reassemble on the ill on which the packet arrived */
+ ip_input_local_v4(ire, mp, ipha, ira);
+ /* Restore */
+ ira->ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+ return;
+ }
+
+ /* Is there an IRE_BROADCAST on the incoming ill? */
+ ipha_dst = ((ira->ira_flags & IRAF_DHCP_UNICAST) ? INADDR_BROADCAST :
+ ipha->ipha_dst);
+ alt_ire = ire_ftable_lookup_v4(ipha_dst, 0, 0, IRE_BROADCAST, ill,
+ ALL_ZONES, ira->ira_tsl,
+ MATCH_IRE_TYPE|MATCH_IRE_ILL|MATCH_IRE_SECATTR, 0, ipst, NULL);
+ if (alt_ire != NULL) {
+ /* Not a directed broadcast */
+ /*
+ * In the special case of multirouted broadcast
+ * packets, we unconditionally need to "gateway"
+ * them to the appropriate interface here so that reassembly
+ * works. We know that the IRE_BROADCAST on cgtp0 doesn't
+ * have RTF_MULTIRT set so we look for such an IRE in the
+ * bucket.
+ */
+ if (alt_ire->ire_flags & RTF_MULTIRT) {
+ irb_t *irb;
+ ire_t *ire1;
+
+ irb = ire->ire_bucket;
+ irb_refhold(irb);
+ for (ire1 = irb->irb_ire; ire1 != NULL;
+ ire1 = ire1->ire_next) {
+ if (IRE_IS_CONDEMNED(ire1))
+ continue;
+ if (!(ire1->ire_type & IRE_BROADCAST) ||
+ (ire1->ire_flags & RTF_MULTIRT))
+ continue;
+ ill = ire1->ire_ill;
+ ill_refhold(ill);
+ break;
+ }
+ irb_refrele(irb);
+ if (ire1 != NULL) {
+ ill_t *orig_ill = ira->ira_ill;
+
+ ire_refrele(alt_ire);
+ /* Reassemble on the new ill */
+ ira->ira_ill = ill;
+ ip_input_local_v4(ire, mp, ipha, ira);
+ ill_refrele(ill);
+ /* Restore */
+ ira->ira_ill = orig_ill;
+ ira->ira_ruifindex =
+ orig_ill->ill_phyint->phyint_ifindex;
+ return;
+ }
+ }
+ ire_refrele(alt_ire);
+ /* Reassemble on the ill on which the packet arrived */
+ ip_input_local_v4(ire, mp, ipha, ira);
+ goto done;
+ }
+
+ /*
+ * This is a directed broadcast
+ *
+ * If directed broadcast is allowed, then forward the packet out
+ * the destination interface with IXAF_LOOPBACK_COPY set. That will
+ * result in ip_input() receiving a copy of the packet on the
+ * appropriate ill. (We could optimize this to avoid the extra trip
+ * via ip_input(), but since directed broadcasts are normally disabled
+ * it doesn't make sense to optimize it.)
+ */
+ if (!ipst->ips_ip_g_forward_directed_bcast ||
+ (ira->ira_flags & (IRAF_L2DST_MULTICAST|IRAF_L2DST_BROADCAST))) {
+ ip_drop_input("directed broadcast not allowed", mp, ill);
+ freemsg(mp);
+ goto done;
+ }
+ if ((ira->ira_flags & IRAF_VERIFY_IP_CKSUM) && ip_csum_hdr(ipha)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInCksumErrs);
+ ip_drop_input("ipIfStatsInCksumErrs", mp, ill);
+ freemsg(mp);
+ goto done;
+ }
+
+ /*
+ * Clear the indication that this may have hardware
+ * checksum as we are not using it for forwarding.
+ */
+ DB_CKSUMFLAGS(mp) = 0;
+
+ /*
+ * Adjust ttl to 2 (1+1 - the forward engine will decrement it by one.
+ */
+ ipha->ipha_ttl = ipst->ips_ip_broadcast_ttl + 1;
+ ipha->ipha_hdr_checksum = 0;
+ ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
+
+ /*
+ * We use ip_forward_xmit to do any fragmentation.
+ * and loopback copy on the outbound interface.
+ *
+ * Make it so that IXAF_LOOPBACK_COPY to be set on transmit side.
+ */
+ ira->ira_flags |= IRAF_LOOPBACK_COPY;
+
+ nce = arp_nce_init(dst_ill, ipha->ipha_dst, IRE_BROADCAST);
+ if (nce == NULL) {
+ BUMP_MIB(dst_ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("No nce", mp, dst_ill);
+ freemsg(mp);
+ goto done;
+ }
+
+ ip_forward_xmit_v4(nce, ill, mp, ipha, ira, dst_ill->ill_mtu, 0);
+ nce_refrele(nce);
+done:
+ /* Restore */
+ ira->ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+}
+
+/*
+ * ire_recvfn for IRE_MULTICAST.
+ */
+void
+ire_recv_multicast_v4(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_recv_attr_t *ira)
+{
+ ipha_t *ipha = (ipha_t *)iph_arg;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+
+ ASSERT(ire->ire_ill == ira->ira_ill);
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInMcastPkts);
+ UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInMcastOctets, ira->ira_pktlen);
+
+ /* RSVP hook */
+ if (ira->ira_flags & IRAF_RSVP)
+ goto forus;
+
+ /* Tag for higher-level protocols */
+ ira->ira_flags |= IRAF_MULTICAST;
+
+ /*
+ * So that we don't end up with dups, only one ill an IPMP group is
+ * nominated to receive multicast traffic.
+ * If we have no cast_ill we are liberal and accept everything.
+ */
+ if (IS_UNDER_IPMP(ill)) {
+ ip_stack_t *ipst = ill->ill_ipst;
+
+ /* For an under ill_grp can change under lock */
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
+ if (!ill->ill_nom_cast && ill->ill_grp != NULL &&
+ ill->ill_grp->ig_cast_ill != NULL) {
+ rw_exit(&ipst->ips_ill_g_lock);
+ ip_drop_input("not on cast ill", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ rw_exit(&ipst->ips_ill_g_lock);
+ /*
+ * We switch to the upper ill so that mrouter and hasmembers
+ * can operate on upper here and in ip_input_multicast.
+ */
+ ill = ipmp_ill_hold_ipmp_ill(ill);
+ if (ill != NULL) {
+ ASSERT(ill != ira->ira_ill);
+ ASSERT(ire->ire_ill == ira->ira_ill);
+ ira->ira_ill = ill;
+ ira->ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+ } else {
+ ill = ira->ira_ill;
+ }
+ }
+
+ /*
+ * Check if we are a multicast router - send ip_mforward a copy of
+ * the packet.
+ * Due to mroute_decap tunnels we consider forwarding packets even if
+ * mrouted has not joined the allmulti group on this interface.
+ */
+ if (ipst->ips_ip_g_mrouter) {
+ int retval;
+
+ /*
+ * Clear the indication that this may have hardware
+ * checksum as we are not using it for forwarding.
+ */
+ DB_CKSUMFLAGS(mp) = 0;
+
+ /*
+ * ip_mforward helps us make these distinctions: If received
+ * on tunnel and not IGMP, then drop.
+ * If IGMP packet, then don't check membership
+ * If received on a phyint and IGMP or PIM, then
+ * don't check membership
+ */
+ retval = ip_mforward(mp, ira);
+ /* ip_mforward updates mib variables if needed */
+
+ switch (retval) {
+ case 0:
+ /*
+ * pkt is okay and arrived on phyint.
+ *
+ * If we are running as a multicast router
+ * we need to see all IGMP and/or PIM packets.
+ */
+ if ((ipha->ipha_protocol == IPPROTO_IGMP) ||
+ (ipha->ipha_protocol == IPPROTO_PIM)) {
+ goto forus;
+ }
+ break;
+ case -1:
+ /* pkt is mal-formed, toss it */
+ freemsg(mp);
+ goto done;
+ case 1:
+ /*
+ * pkt is okay and arrived on a tunnel
+ *
+ * If we are running a multicast router
+ * we need to see all igmp packets.
+ */
+ if (ipha->ipha_protocol == IPPROTO_IGMP) {
+ goto forus;
+ }
+ ip_drop_input("Multicast on tunnel ignored", mp, ill);
+ freemsg(mp);
+ goto done;
+ }
+ }
+
+ /*
+ * Check if we have members on this ill. This is not necessary for
+ * correctness because even if the NIC/GLD had a leaky filter, we
+ * filter before passing to each conn_t.
+ */
+ if (!ill_hasmembers_v4(ill, ipha->ipha_dst)) {
+ /*
+ * Nobody interested
+ *
+ * This might just be caused by the fact that
+ * multiple IP Multicast addresses map to the same
+ * link layer multicast - no need to increment counter!
+ */
+ ip_drop_input("Multicast with no members", mp, ill);
+ freemsg(mp);
+ goto done;
+ }
+forus:
+ ip2dbg(("ire_recv_multicast_v4: multicast for us: 0x%x\n",
+ ntohl(ipha->ipha_dst)));
+
+ /*
+ * After reassembly and IPsec we will need to duplicate the
+ * multicast packet for all matching zones on the ill.
+ */
+ ira->ira_zoneid = ALL_ZONES;
+
+ /* Reassemble on the ill on which the packet arrived */
+ ip_input_local_v4(ire, mp, ipha, ira);
+done:
+ if (ill != ire->ire_ill) {
+ ill_refrele(ill);
+ ira->ira_ill = ire->ire_ill;
+ ira->ira_ruifindex = ira->ira_ill->ill_phyint->phyint_ifindex;
+ }
+}
+
+/*
+ * ire_recvfn for IRE_OFFLINK with RTF_MULTIRT.
+ * Drop packets since we don't forward out multirt routes.
+ */
+/* ARGSUSED */
+void
+ire_recv_multirt_v4(ire_t *ire, mblk_t *mp, void *iph_arg, ip_recv_attr_t *ira)
+{
+ ill_t *ill = ira->ira_ill;
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInNoRoutes);
+ ip_drop_input("Not forwarding out MULTIRT", mp, ill);
+ freemsg(mp);
+}
+
+/*
+ * ire_recvfn for IRE_LOOPBACK. This is only used when a FW_HOOK
+ * has rewritten the packet to have a loopback destination address (We
+ * filter out packet with a loopback destination from arriving over the wire).
+ * We don't know what zone to use, thus we always use the GLOBAL_ZONEID.
+ */
+void
+ire_recv_loopback_v4(ire_t *ire, mblk_t *mp, void *iph_arg, ip_recv_attr_t *ira)
+{
+ ipha_t *ipha = (ipha_t *)iph_arg;
+ ill_t *ill = ira->ira_ill;
+ ill_t *ire_ill = ire->ire_ill;
+
+ ira->ira_zoneid = GLOBAL_ZONEID;
+
+ /* Switch to the lo0 ill for further processing */
+ if (ire_ill != ill) {
+ /*
+ * Update ira_ill to be the ILL on which the IP address
+ * is hosted.
+ * No need to hold the ill since we have a hold on the ire
+ */
+ ASSERT(ira->ira_ill == ira->ira_rill);
+ ira->ira_ill = ire_ill;
+
+ ip_input_local_v4(ire, mp, ipha, ira);
+
+ /* Restore */
+ ASSERT(ira->ira_ill == ire_ill);
+ ira->ira_ill = ill;
+ return;
+
+ }
+ ip_input_local_v4(ire, mp, ipha, ira);
+}
+
+/*
+ * ire_recvfn for IRE_LOCAL.
+ */
+void
+ire_recv_local_v4(ire_t *ire, mblk_t *mp, void *iph_arg, ip_recv_attr_t *ira)
+{
+ ipha_t *ipha = (ipha_t *)iph_arg;
+ ill_t *ill = ira->ira_ill;
+ ill_t *ire_ill = ire->ire_ill;
+
+ /* Make a note for DAD that this address is in use */
+ ire->ire_last_used_time = lbolt;
+
+ /* Only target the IRE_LOCAL with the right zoneid. */
+ ira->ira_zoneid = ire->ire_zoneid;
+
+ /*
+ * If the packet arrived on the wrong ill, we check that
+ * this is ok.
+ * If it is, then we ensure that we do the reassembly on
+ * the ill on which the address is hosted. We keep ira_rill as
+ * the one on which the packet arrived, so that IP_PKTINFO and
+ * friends can report this.
+ */
+ if (ire_ill != ill) {
+ ire_t *new_ire;
+
+ new_ire = ip_check_multihome(&ipha->ipha_dst, ire, ill);
+ if (new_ire == NULL) {
+ /* Drop packet */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsForwProhibits);
+ ip_drop_input("ipIfStatsInForwProhibits", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ /*
+ * Update ira_ill to be the ILL on which the IP address
+ * is hosted. No need to hold the ill since we have a
+ * hold on the ire. Note that we do the switch even if
+ * new_ire == ire (for IPMP, ire would be the one corresponding
+ * to the IPMP ill).
+ */
+ ASSERT(ira->ira_ill == ira->ira_rill);
+ ira->ira_ill = new_ire->ire_ill;
+
+ /* ira_ruifindex tracks the upper for ira_rill */
+ if (IS_UNDER_IPMP(ill))
+ ira->ira_ruifindex = ill_get_upper_ifindex(ill);
+
+ ip_input_local_v4(new_ire, mp, ipha, ira);
+
+ /* Restore */
+ ASSERT(ira->ira_ill == new_ire->ire_ill);
+ ira->ira_ill = ill;
+ ira->ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+
+ if (new_ire != ire)
+ ire_refrele(new_ire);
+ return;
+ }
+
+ ip_input_local_v4(ire, mp, ipha, ira);
+}
+
+/*
+ * Common function for packets arriving for the host. Handles
+ * checksum verification, reassembly checks, etc.
+ */
+static void
+ip_input_local_v4(ire_t *ire, mblk_t *mp, ipha_t *ipha, ip_recv_attr_t *ira)
+{
+ ill_t *ill = ira->ira_ill;
+ iaflags_t iraflags = ira->ira_flags;
+
+ /*
+ * Verify IP header checksum. If the packet was AH or ESP then
+ * this flag has already been cleared. Likewise if the packet
+ * had a hardware checksum.
+ */
+ if ((iraflags & IRAF_VERIFY_IP_CKSUM) && ip_csum_hdr(ipha)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInCksumErrs);
+ ip_drop_input("ipIfStatsInCksumErrs", mp, ill);
+ freemsg(mp);
+ return;
+ }
+
+ if (iraflags & IRAF_IPV4_OPTIONS) {
+ if (!ip_input_local_options(mp, ipha, ira)) {
+ /* Error has been sent and mp consumed */
+ return;
+ }
+ }
+
+ /*
+ * Is packet part of fragmented IP packet?
+ * We compare against defined values in network byte order
+ */
+ if (ipha->ipha_fragment_offset_and_flags &
+ (IPH_MF_HTONS | IPH_OFFSET_HTONS)) {
+ /*
+ * Make sure we have ira_l2src before we loose the original
+ * mblk
+ */
+ if (!(ira->ira_flags & IRAF_L2SRC_SET))
+ ip_setl2src(mp, ira, ira->ira_rill);
+
+ mp = ip_input_fragment(mp, ipha, ira);
+ if (mp == NULL)
+ return;
+ /* Completed reassembly */
+ ipha = (ipha_t *)mp->b_rptr;
+ }
+
+ /*
+ * For broadcast and multicast we need some extra work before
+ * we call ip_fanout_v4(), since in the case of shared-IP zones
+ * we need to pretend that a packet arrived for each zoneid.
+ */
+ if (iraflags & IRAF_MULTIBROADCAST) {
+ if (iraflags & IRAF_BROADCAST)
+ ip_input_broadcast_v4(ire, mp, ipha, ira);
+ else
+ ip_input_multicast_v4(ire, mp, ipha, ira);
+ return;
+ }
+ ip_fanout_v4(mp, ipha, ira);
+}
+
+
+/*
+ * Handle multiple zones which match the same broadcast address
+ * and ill by delivering a packet to each of them.
+ * Walk the bucket and look for different ire_zoneid but otherwise
+ * the same IRE (same ill/addr/mask/type).
+ * Note that ire_add() tracks IREs that are identical in all
+ * fields (addr/mask/type/gw/ill/zoneid) within a single IRE by
+ * increasing ire_identical_cnt. Thus we don't need to be concerned
+ * about those.
+ */
+static void
+ip_input_broadcast_v4(ire_t *ire, mblk_t *mp, ipha_t *ipha, ip_recv_attr_t *ira)
+{
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ netstack_t *ns = ipst->ips_netstack;
+ irb_t *irb;
+ ire_t *ire1;
+ mblk_t *mp1;
+ ipha_t *ipha1;
+
+ irb = ire->ire_bucket;
+
+ /*
+ * If we don't have more than one shared-IP zone, or if
+ * there can't be more than one IRE_BROADCAST for this
+ * IP address, then just set the zoneid and proceed.
+ */
+ if (ns->netstack_numzones == 1 || irb->irb_ire_cnt == 1) {
+ ira->ira_zoneid = ire->ire_zoneid;
+
+ ip_fanout_v4(mp, ipha, ira);
+ return;
+ }
+ irb_refhold(irb);
+ for (ire1 = irb->irb_ire; ire1 != NULL; ire1 = ire1->ire_next) {
+ /* We do the main IRE after the end of the loop */
+ if (ire1 == ire)
+ continue;
+
+ /*
+ * Only IREs for the same IP address should be in the same
+ * bucket.
+ * But could have IRE_HOSTs in the case of CGTP.
+ */
+ ASSERT(ire1->ire_addr == ire->ire_addr);
+ if (!(ire1->ire_type & IRE_BROADCAST))
+ continue;
+
+ if (IRE_IS_CONDEMNED(ire1))
+ continue;
+
+ mp1 = copymsg(mp);
+ if (mp1 == NULL) {
+ /* Failed to deliver to one zone */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ continue;
+ }
+ ira->ira_zoneid = ire1->ire_zoneid;
+ ipha1 = (ipha_t *)mp1->b_rptr;
+ ip_fanout_v4(mp1, ipha1, ira);
+ }
+ irb_refrele(irb);
+ /* Do the main ire */
+ ira->ira_zoneid = ire->ire_zoneid;
+ ip_fanout_v4(mp, ipha, ira);
+}
+
+/*
+ * Handle multiple zones which want to receive the same multicast packets
+ * on this ill by delivering a packet to each of them.
+ *
+ * Note that for packets delivered to transports we could instead do this
+ * as part of the fanout code, but since we need to handle icmp_inbound
+ * it is simpler to have multicast work the same as broadcast.
+ *
+ * The ip_fanout matching for multicast matches based on ilm independent of
+ * zoneid since the zoneid restriction is applied when joining a multicast
+ * group.
+ */
+/* ARGSUSED */
+static void
+ip_input_multicast_v4(ire_t *ire, mblk_t *mp, ipha_t *ipha, ip_recv_attr_t *ira)
+{
+ ill_t *ill = ira->ira_ill;
+ iaflags_t iraflags = ira->ira_flags;
+ ip_stack_t *ipst = ill->ill_ipst;
+ netstack_t *ns = ipst->ips_netstack;
+ zoneid_t zoneid;
+ mblk_t *mp1;
+ ipha_t *ipha1;
+
+ /* ire_recv_multicast has switched to the upper ill for IPMP */
+ ASSERT(!IS_UNDER_IPMP(ill));
+
+ /*
+ * If we don't have more than one shared-IP zone, or if
+ * there are no members in anything but the global zone,
+ * then just set the zoneid and proceed.
+ */
+ if (ns->netstack_numzones == 1 ||
+ !ill_hasmembers_otherzones_v4(ill, ipha->ipha_dst,
+ GLOBAL_ZONEID)) {
+ ira->ira_zoneid = GLOBAL_ZONEID;
+
+ /* If sender didn't want this zone to receive it, drop */
+ if ((iraflags & IRAF_NO_LOOP_ZONEID_SET) &&
+ ira->ira_no_loop_zoneid == ira->ira_zoneid) {
+ ip_drop_input("Multicast but wrong zoneid", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ip_fanout_v4(mp, ipha, ira);
+ return;
+ }
+
+ /*
+ * Here we loop over all zoneids that have members in the group
+ * and deliver a packet to ip_fanout for each zoneid.
+ *
+ * First find any members in the lowest numeric zoneid by looking for
+ * first zoneid larger than -1 (ALL_ZONES).
+ * We terminate the loop when we receive -1 (ALL_ZONES).
+ */
+ zoneid = ill_hasmembers_nextzone_v4(ill, ipha->ipha_dst, ALL_ZONES);
+ for (; zoneid != ALL_ZONES;
+ zoneid = ill_hasmembers_nextzone_v4(ill, ipha->ipha_dst, zoneid)) {
+ /*
+ * Avoid an extra copymsg/freemsg by skipping global zone here
+ * and doing that at the end.
+ */
+ if (zoneid == GLOBAL_ZONEID)
+ continue;
+
+ ira->ira_zoneid = zoneid;
+
+ /* If sender didn't want this zone to receive it, skip */
+ if ((iraflags & IRAF_NO_LOOP_ZONEID_SET) &&
+ ira->ira_no_loop_zoneid == ira->ira_zoneid)
+ continue;
+
+ mp1 = copymsg(mp);
+ if (mp1 == NULL) {
+ /* Failed to deliver to one zone */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ continue;
+ }
+ ipha1 = (ipha_t *)mp1->b_rptr;
+ ip_fanout_v4(mp1, ipha1, ira);
+ }
+
+ /* Do the main ire */
+ ira->ira_zoneid = GLOBAL_ZONEID;
+ /* If sender didn't want this zone to receive it, drop */
+ if ((iraflags & IRAF_NO_LOOP_ZONEID_SET) &&
+ ira->ira_no_loop_zoneid == ira->ira_zoneid) {
+ ip_drop_input("Multicast but wrong zoneid", mp, ill);
+ freemsg(mp);
+ } else {
+ ip_fanout_v4(mp, ipha, ira);
+ }
+}
+
+
+/*
+ * Determine the zoneid and IRAF_TX_* flags if trusted extensions
+ * is in use. Updates ira_zoneid and ira_flags as a result.
+ */
+static void
+ip_fanout_tx_v4(mblk_t *mp, ipha_t *ipha, uint8_t protocol,
+ uint_t ip_hdr_length, ip_recv_attr_t *ira)
+{
+ uint16_t *up;
+ uint16_t lport;
+ zoneid_t zoneid;
+
+ ASSERT(ira->ira_flags & IRAF_SYSTEM_LABELED);
+
+ /*
+ * If the packet is unlabeled we might allow read-down
+ * for MAC_EXEMPT. Below we clear this if it is a multi-level
+ * port (MLP).
+ * Note that ira_tsl can be NULL here.
+ */
+ if (ira->ira_tsl != NULL && ira->ira_tsl->tsl_flags & TSLF_UNLABELED)
+ ira->ira_flags |= IRAF_TX_MAC_EXEMPTABLE;
+
+ if (ira->ira_zoneid != ALL_ZONES)
+ return;
+
+ ira->ira_flags |= IRAF_TX_SHARED_ADDR;
+
+ up = (uint16_t *)((uchar_t *)ipha + ip_hdr_length);
+ switch (protocol) {
+ case IPPROTO_TCP:
+ case IPPROTO_SCTP:
+ case IPPROTO_UDP:
+ /* Caller ensures this */
+ ASSERT(((uchar_t *)ipha) + ip_hdr_length +4 <= mp->b_wptr);
+
+ /*
+ * Only these transports support MLP.
+ * We know their destination port numbers is in
+ * the same place in the header.
+ */
+ lport = up[1];
+
+ /*
+ * No need to handle exclusive-stack zones
+ * since ALL_ZONES only applies to the shared IP instance.
+ */
+ zoneid = tsol_mlp_findzone(protocol, lport);
+ /*
+ * If no shared MLP is found, tsol_mlp_findzone returns
+ * ALL_ZONES. In that case, we assume it's SLP, and
+ * search for the zone based on the packet label.
+ *
+ * If there is such a zone, we prefer to find a
+ * connection in it. Otherwise, we look for a
+ * MAC-exempt connection in any zone whose label
+ * dominates the default label on the packet.
+ */
+ if (zoneid == ALL_ZONES)
+ zoneid = tsol_attr_to_zoneid(ira);
+ else
+ ira->ira_flags &= ~IRAF_TX_MAC_EXEMPTABLE;
+ break;
+ default:
+ /* Handle shared address for other protocols */
+ zoneid = tsol_attr_to_zoneid(ira);
+ break;
+ }
+ ira->ira_zoneid = zoneid;
+}
+
+/*
+ * Increment checksum failure statistics
+ */
+static void
+ip_input_cksum_err_v4(uint8_t protocol, uint16_t hck_flags, ill_t *ill)
+{
+ ip_stack_t *ipst = ill->ill_ipst;
+
+ switch (protocol) {
+ case IPPROTO_TCP:
+ BUMP_MIB(ill->ill_ip_mib, tcpIfStatsInErrs);
+
+ if (hck_flags & HCK_FULLCKSUM)
+ IP_STAT(ipst, ip_tcp_in_full_hw_cksum_err);
+ else if (hck_flags & HCK_PARTIALCKSUM)
+ IP_STAT(ipst, ip_tcp_in_part_hw_cksum_err);
+ else
+ IP_STAT(ipst, ip_tcp_in_sw_cksum_err);
+ break;
+ case IPPROTO_UDP:
+ BUMP_MIB(ill->ill_ip_mib, udpIfStatsInCksumErrs);
+ if (hck_flags & HCK_FULLCKSUM)
+ IP_STAT(ipst, ip_udp_in_full_hw_cksum_err);
+ else if (hck_flags & HCK_PARTIALCKSUM)
+ IP_STAT(ipst, ip_udp_in_part_hw_cksum_err);
+ else
+ IP_STAT(ipst, ip_udp_in_sw_cksum_err);
+ break;
+ case IPPROTO_ICMP:
+ BUMP_MIB(&ipst->ips_icmp_mib, icmpInCksumErrs);
+ break;
+ default:
+ ASSERT(0);
+ break;
+ }
+}
+
+/* Calculate the IPv4 pseudo-header checksum */
+uint32_t
+ip_input_cksum_pseudo_v4(ipha_t *ipha, ip_recv_attr_t *ira)
+{
+ uint_t ulp_len;
+ uint32_t cksum;
+ uint8_t protocol = ira->ira_protocol;
+ uint16_t ip_hdr_length = ira->ira_ip_hdr_length;
+
+#define iphs ((uint16_t *)ipha)
+
+ switch (protocol) {
+ case IPPROTO_TCP:
+ ulp_len = ira->ira_pktlen - ip_hdr_length;
+
+ /* Protocol and length */
+ cksum = htons(ulp_len) + IP_TCP_CSUM_COMP;
+ /* IP addresses */
+ cksum += iphs[6] + iphs[7] + iphs[8] + iphs[9];
+ break;
+
+ case IPPROTO_UDP: {
+ udpha_t *udpha;
+
+ udpha = (udpha_t *)((uchar_t *)ipha + ip_hdr_length);
+
+ /* Protocol and length */
+ cksum = udpha->uha_length + IP_UDP_CSUM_COMP;
+ /* IP addresses */
+ cksum += iphs[6] + iphs[7] + iphs[8] + iphs[9];
+ break;
+ }
+
+ default:
+ cksum = 0;
+ break;
+ }
+#undef iphs
+ return (cksum);
+}
+
+
+/*
+ * Software verification of the ULP checksums.
+ * Returns B_TRUE if ok.
+ * Increments statistics of failed.
+ */
+static boolean_t
+ip_input_sw_cksum_v4(mblk_t *mp, ipha_t *ipha, ip_recv_attr_t *ira)
+{
+ ip_stack_t *ipst = ira->ira_ill->ill_ipst;
+ uint32_t cksum;
+ uint8_t protocol = ira->ira_protocol;
+ uint16_t ip_hdr_length = ira->ira_ip_hdr_length;
+
+ IP_STAT(ipst, ip_in_sw_cksum);
+
+ ASSERT(protocol == IPPROTO_TCP || protocol == IPPROTO_UDP);
+
+ cksum = ip_input_cksum_pseudo_v4(ipha, ira);
+ cksum = IP_CSUM(mp, ip_hdr_length, cksum);
+ if (cksum == 0)
+ return (B_TRUE);
+
+ ip_input_cksum_err_v4(protocol, 0, ira->ira_ill);
+ return (B_FALSE);
+}
+
+/* There are drivers that can't do partial checksum with IP options */
+int eri_cksum_workaround = 1;
+
+/*
+ * Verify the ULP checksums.
+ * Returns B_TRUE if ok, or if the ULP doesn't have a well-defined checksum
+ * algorithm.
+ * Increments statistics if failed.
+ */
+static boolean_t
+ip_input_cksum_v4(iaflags_t iraflags, mblk_t *mp, ipha_t *ipha,
+ ip_recv_attr_t *ira)
+{
+ ill_t *ill = ira->ira_rill;
+ uint16_t hck_flags;
+ uint32_t cksum;
+ mblk_t *mp1;
+ int32_t len;
+ uint8_t protocol = ira->ira_protocol;
+ uint16_t ip_hdr_length = ira->ira_ip_hdr_length;
+
+
+ switch (protocol) {
+ case IPPROTO_TCP:
+ break;
+
+ case IPPROTO_UDP: {
+ udpha_t *udpha;
+
+ udpha = (udpha_t *)((uchar_t *)ipha + ip_hdr_length);
+ if (udpha->uha_checksum == 0) {
+ /* Packet doesn't have a UDP checksum */
+ return (B_TRUE);
+ }
+ break;
+ }
+ case IPPROTO_SCTP: {
+ sctp_hdr_t *sctph;
+ uint32_t pktsum;
+
+ sctph = (sctp_hdr_t *)((uchar_t *)ipha + ip_hdr_length);
+#ifdef DEBUG
+ if (skip_sctp_cksum)
+ return (B_TRUE);
+#endif
+ pktsum = sctph->sh_chksum;
+ sctph->sh_chksum = 0;
+ cksum = sctp_cksum(mp, ip_hdr_length);
+ sctph->sh_chksum = pktsum;
+ if (cksum == pktsum)
+ return (B_TRUE);
+
+ /*
+ * Defer until later whether a bad checksum is ok
+ * in order to allow RAW sockets to use Adler checksum
+ * with SCTP.
+ */
+ ira->ira_flags |= IRAF_SCTP_CSUM_ERR;
+ return (B_TRUE);
+ }
+
+ default:
+ /* No ULP checksum to verify. */
+ return (B_TRUE);
+ }
+ /*
+ * Revert to software checksum calculation if the interface
+ * isn't capable of checksum offload.
+ * We clear DB_CKSUMFLAGS when going through IPsec in ip_fanout.
+ * Note: IRAF_NO_HW_CKSUM is not currently used.
+ */
+ ASSERT(!IS_IPMP(ill));
+ if ((iraflags & IRAF_NO_HW_CKSUM) || !ILL_HCKSUM_CAPABLE(ill) ||
+ !dohwcksum) {
+ return (ip_input_sw_cksum_v4(mp, ipha, ira));
+ }
+
+ /*
+ * We apply this for all ULP protocols. Does the HW know to
+ * not set the flags for SCTP and other protocols.
+ */
+
+ hck_flags = DB_CKSUMFLAGS(mp);
+
+ if (hck_flags & HCK_FULLCKSUM) {
+ /*
+ * Full checksum has been computed by the hardware
+ * and has been attached. If the driver wants us to
+ * verify the correctness of the attached value, in
+ * order to protect against faulty hardware, compare
+ * it against -0 (0xFFFF) to see if it's valid.
+ */
+ if (hck_flags & HCK_FULLCKSUM_OK)
+ return (B_TRUE);
+
+ cksum = DB_CKSUM16(mp);
+ if (cksum == 0xFFFF)
+ return (B_TRUE);
+ ip_input_cksum_err_v4(protocol, hck_flags, ira->ira_ill);
+ return (B_FALSE);
+ }
+
+ mp1 = mp->b_cont;
+ if ((hck_flags & HCK_PARTIALCKSUM) &&
+ (mp1 == NULL || mp1->b_cont == NULL) &&
+ ip_hdr_length >= DB_CKSUMSTART(mp) &&
+ (!eri_cksum_workaround || ip_hdr_length == IP_SIMPLE_HDR_LENGTH) &&
+ ((len = ip_hdr_length - DB_CKSUMSTART(mp)) & 1) == 0) {
+ uint32_t adj;
+ uchar_t *cksum_start;
+
+ cksum = ip_input_cksum_pseudo_v4(ipha, ira);
+
+ cksum_start = ((uchar_t *)ipha + DB_CKSUMSTART(mp));
+
+ /*
+ * Partial checksum has been calculated by hardware
+ * and attached to the packet; in addition, any
+ * prepended extraneous data is even byte aligned,
+ * and there are at most two mblks associated with
+ * the packet. If any such data exists, we adjust
+ * the checksum; also take care any postpended data.
+ */
+ IP_ADJCKSUM_PARTIAL(cksum_start, mp, mp1, len, adj);
+ /*
+ * One's complement subtract extraneous checksum
+ */
+ cksum += DB_CKSUM16(mp);
+ if (adj >= cksum)
+ cksum = ~(adj - cksum) & 0xFFFF;
+ else
+ cksum -= adj;
+ cksum = (cksum & 0xFFFF) + ((int)cksum >> 16);
+ cksum = (cksum & 0xFFFF) + ((int)cksum >> 16);
+ if (!(~cksum & 0xFFFF))
+ return (B_TRUE);
+
+ ip_input_cksum_err_v4(protocol, hck_flags, ira->ira_ill);
+ return (B_FALSE);
+ }
+ return (ip_input_sw_cksum_v4(mp, ipha, ira));
+}
+
+
+/*
+ * Handle fanout of received packets.
+ * Unicast packets that are looped back (from ire_send_local_v4) and packets
+ * from the wire are differentiated by checking IRAF_VERIFY_ULP_CKSUM.
+ *
+ * IPQoS Notes
+ * Before sending it to the client, invoke IPPF processing. Policy processing
+ * takes place only if the callout_position, IPP_LOCAL_IN, is enabled.
+ */
+void
+ip_fanout_v4(mblk_t *mp, ipha_t *ipha, ip_recv_attr_t *ira)
+{
+ ill_t *ill = ira->ira_ill;
+ iaflags_t iraflags = ira->ira_flags;
+ ip_stack_t *ipst = ill->ill_ipst;
+ uint8_t protocol = ipha->ipha_protocol;
+ conn_t *connp;
+#define rptr ((uchar_t *)ipha)
+ uint_t ip_hdr_length;
+ uint_t min_ulp_header_length;
+ int offset;
+ ssize_t len;
+ netstack_t *ns = ipst->ips_netstack;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+ ill_t *rill = ira->ira_rill;
+
+ ASSERT(ira->ira_pktlen == ntohs(ipha->ipha_length));
+
+ ip_hdr_length = ira->ira_ip_hdr_length;
+ ira->ira_protocol = protocol;
+
+ /*
+ * Time for IPP once we've done reassembly and IPsec.
+ * We skip this for loopback packets since we don't do IPQoS
+ * on loopback.
+ */
+ if (IPP_ENABLED(IPP_LOCAL_IN, ipst) &&
+ !(iraflags & IRAF_LOOPBACK) &&
+ (protocol != IPPROTO_ESP || protocol != IPPROTO_AH)) {
+ /*
+ * Use the interface on which the packet arrived - not where
+ * the IP address is hosted.
+ */
+ /* ip_process translates an IS_UNDER_IPMP */
+ mp = ip_process(IPP_LOCAL_IN, mp, rill, ill);
+ if (mp == NULL) {
+ /* ip_drop_packet and MIB done */
+ return;
+ }
+ }
+
+ /* Determine the minimum required size of the upper-layer header */
+ /* Need to do this for at least the set of ULPs that TX handles. */
+ switch (protocol) {
+ case IPPROTO_TCP:
+ min_ulp_header_length = TCP_MIN_HEADER_LENGTH;
+ break;
+ case IPPROTO_SCTP:
+ min_ulp_header_length = SCTP_COMMON_HDR_LENGTH;
+ break;
+ case IPPROTO_UDP:
+ min_ulp_header_length = UDPH_SIZE;
+ break;
+ case IPPROTO_ICMP:
+ min_ulp_header_length = ICMPH_SIZE;
+ break;
+ default:
+ min_ulp_header_length = 0;
+ break;
+ }
+ /* Make sure we have the min ULP header length */
+ len = mp->b_wptr - rptr;
+ if (len < ip_hdr_length + min_ulp_header_length) {
+ if (ira->ira_pktlen < ip_hdr_length + min_ulp_header_length) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInTruncatedPkts);
+ ip_drop_input("ipIfStatsInTruncatedPkts", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ IP_STAT(ipst, ip_recv_pullup);
+ ipha = ip_pullup(mp, ip_hdr_length + min_ulp_header_length,
+ ira);
+ if (ipha == NULL)
+ goto discard;
+ len = mp->b_wptr - rptr;
+ }
+
+ /*
+ * If trusted extensions then determine the zoneid and TX specific
+ * ira_flags.
+ */
+ if (iraflags & IRAF_SYSTEM_LABELED) {
+ /* This can update ira->ira_flags and ira->ira_zoneid */
+ ip_fanout_tx_v4(mp, ipha, protocol, ip_hdr_length, ira);
+ iraflags = ira->ira_flags;
+ }
+
+
+ /* Verify ULP checksum. Handles TCP, UDP, and SCTP */
+ if (iraflags & IRAF_VERIFY_ULP_CKSUM) {
+ if (!ip_input_cksum_v4(iraflags, mp, ipha, ira)) {
+ /* Bad checksum. Stats are already incremented */
+ ip_drop_input("Bad ULP checksum", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ /* IRAF_SCTP_CSUM_ERR could have been set */
+ iraflags = ira->ira_flags;
+ }
+ switch (protocol) {
+ case IPPROTO_TCP:
+ /* For TCP, discard broadcast and multicast packets. */
+ if (iraflags & IRAF_MULTIBROADCAST)
+ goto discard;
+
+ /* First mblk contains IP+TCP headers per above check */
+ ASSERT(len >= ip_hdr_length + TCP_MIN_HEADER_LENGTH);
+
+ /* TCP options present? */
+ offset = ((uchar_t *)ipha)[ip_hdr_length + 12] >> 4;
+ if (offset != 5) {
+ if (offset < 5)
+ goto discard;
+
+ /*
+ * There must be TCP options.
+ * Make sure we can grab them.
+ */
+ offset <<= 2;
+ offset += ip_hdr_length;
+ if (len < offset) {
+ if (ira->ira_pktlen < offset) {
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsInTruncatedPkts);
+ ip_drop_input(
+ "ipIfStatsInTruncatedPkts",
+ mp, ill);
+ freemsg(mp);
+ return;
+ }
+ IP_STAT(ipst, ip_recv_pullup);
+ ipha = ip_pullup(mp, offset, ira);
+ if (ipha == NULL)
+ goto discard;
+ len = mp->b_wptr - rptr;
+ }
+ }
+
+ /*
+ * Pass up a squeue hint to tcp.
+ * If ira_sqp is already set (this is loopback) we leave it
+ * alone.
+ */
+ if (ira->ira_sqp == NULL) {
+ ira->ira_sqp = ip_squeue_get(ira->ira_ring);
+ }
+
+ /* Look for AF_INET or AF_INET6 that matches */
+ connp = ipcl_classify_v4(mp, IPPROTO_TCP, ip_hdr_length,
+ ira, ipst);
+ if (connp == NULL) {
+ /* Send the TH_RST */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ tcp_xmit_listeners_reset(mp, ira, ipst, NULL);
+ return;
+ }
+ if (connp->conn_incoming_ifindex != 0 &&
+ connp->conn_incoming_ifindex != ira->ira_ruifindex) {
+ CONN_DEC_REF(connp);
+
+ /* Send the TH_RST */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ tcp_xmit_listeners_reset(mp, ira, ipst, NULL);
+ return;
+ }
+ if (CONN_INBOUND_POLICY_PRESENT(connp, ipss) ||
+ (iraflags & IRAF_IPSEC_SECURE)) {
+ mp = ipsec_check_inbound_policy(mp, connp,
+ ipha, NULL, ira);
+ if (mp == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ /* Note that mp is NULL */
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ CONN_DEC_REF(connp);
+ return;
+ }
+ }
+ /* Found a client; up it goes */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ ira->ira_ill = ira->ira_rill = NULL;
+ if (!IPCL_IS_TCP(connp)) {
+ /* Not TCP; must be SOCK_RAW, IPPROTO_TCP */
+ (connp->conn_recv)(connp, mp, NULL, ira);
+ CONN_DEC_REF(connp);
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
+ return;
+ }
+
+ /*
+ * We do different processing whether called from
+ * ip_accept_tcp and we match the target, don't match
+ * the target, and when we are called by ip_input.
+ */
+ if (iraflags & IRAF_TARGET_SQP) {
+ if (ira->ira_target_sqp == connp->conn_sqp) {
+ mblk_t *attrmp;
+
+ attrmp = ip_recv_attr_to_mblk(ira);
+ if (attrmp == NULL) {
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards",
+ mp, ill);
+ freemsg(mp);
+ CONN_DEC_REF(connp);
+ } else {
+ SET_SQUEUE(attrmp, connp->conn_recv,
+ connp);
+ attrmp->b_cont = mp;
+ ASSERT(ira->ira_target_sqp_mp == NULL);
+ ira->ira_target_sqp_mp = attrmp;
+ /*
+ * Conn ref release when drained from
+ * the squeue.
+ */
+ }
+ } else {
+ SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
+ connp->conn_recv, connp, ira, SQ_FILL,
+ SQTAG_IP_TCP_INPUT);
+ }
+ } else {
+ SQUEUE_ENTER_ONE(connp->conn_sqp, mp, connp->conn_recv,
+ connp, ira, ip_squeue_flag, SQTAG_IP_TCP_INPUT);
+ }
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
+ return;
+
+ case IPPROTO_SCTP: {
+ sctp_hdr_t *sctph;
+ in6_addr_t map_src, map_dst;
+ uint32_t ports; /* Source and destination ports */
+ sctp_stack_t *sctps = ipst->ips_netstack->netstack_sctp;
+
+ /* For SCTP, discard broadcast and multicast packets. */
+ if (iraflags & IRAF_MULTIBROADCAST)
+ goto discard;
+
+ /*
+ * Since there is no SCTP h/w cksum support yet, just
+ * clear the flag.
+ */
+ DB_CKSUMFLAGS(mp) = 0;
+
+ /* Length ensured above */
+ ASSERT(MBLKL(mp) >= ip_hdr_length + SCTP_COMMON_HDR_LENGTH);
+ sctph = (sctp_hdr_t *)(rptr + ip_hdr_length);
+
+ /* get the ports */
+ ports = *(uint32_t *)&sctph->sh_sport;
+
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &map_dst);
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &map_src);
+ if (iraflags & IRAF_SCTP_CSUM_ERR) {
+ /*
+ * No potential sctp checksum errors go to the Sun
+ * sctp stack however they might be Adler-32 summed
+ * packets a userland stack bound to a raw IP socket
+ * could reasonably use. Note though that Adler-32 is
+ * a long deprecated algorithm and customer sctp
+ * networks should eventually migrate to CRC-32 at
+ * which time this facility should be removed.
+ */
+ ip_fanout_sctp_raw(mp, ipha, NULL, ports, ira);
+ return;
+ }
+ connp = sctp_fanout(&map_src, &map_dst, ports, ira, mp, sctps);
+ if (connp == NULL) {
+ /* Check for raw socket or OOTB handling */
+ ip_fanout_sctp_raw(mp, ipha, NULL, ports, ira);
+ return;
+ }
+ if (connp->conn_incoming_ifindex != 0 &&
+ connp->conn_incoming_ifindex != ira->ira_ruifindex) {
+ CONN_DEC_REF(connp);
+ /* Check for raw socket or OOTB handling */
+ ip_fanout_sctp_raw(mp, ipha, NULL, ports, ira);
+ return;
+ }
+
+ /* Found a client; up it goes */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ sctp_input(connp, ipha, NULL, mp, ira);
+ /* sctp_input does a rele of the sctp_t */
+ return;
+ }
+
+ case IPPROTO_UDP:
+ /* First mblk contains IP+UDP headers as checked above */
+ ASSERT(MBLKL(mp) >= ip_hdr_length + UDPH_SIZE);
+
+ if (iraflags & IRAF_MULTIBROADCAST) {
+ uint16_t *up; /* Pointer to ports in ULP header */
+
+ up = (uint16_t *)((uchar_t *)ipha + ip_hdr_length);
+ ip_fanout_udp_multi_v4(mp, ipha, up[1], up[0], ira);
+ return;
+ }
+
+ /* Look for AF_INET or AF_INET6 that matches */
+ connp = ipcl_classify_v4(mp, IPPROTO_UDP, ip_hdr_length,
+ ira, ipst);
+ if (connp == NULL) {
+ no_udp_match:
+ if (ipst->ips_ipcl_proto_fanout_v4[IPPROTO_UDP].
+ connf_head != NULL) {
+ ASSERT(ira->ira_protocol == IPPROTO_UDP);
+ ip_fanout_proto_v4(mp, ipha, ira);
+ } else {
+ ip_fanout_send_icmp_v4(mp,
+ ICMP_DEST_UNREACHABLE,
+ ICMP_PORT_UNREACHABLE, ira);
+ }
+ return;
+
+ }
+ if (connp->conn_incoming_ifindex != 0 &&
+ connp->conn_incoming_ifindex != ira->ira_ruifindex) {
+ CONN_DEC_REF(connp);
+ goto no_udp_match;
+ }
+ if (IPCL_IS_NONSTR(connp) ? connp->conn_flow_cntrld :
+ !canputnext(connp->conn_rq)) {
+ CONN_DEC_REF(connp);
+ BUMP_MIB(ill->ill_ip_mib, udpIfStatsInOverflows);
+ ip_drop_input("udpIfStatsInOverflows", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ if (CONN_INBOUND_POLICY_PRESENT(connp, ipss) ||
+ (iraflags & IRAF_IPSEC_SECURE)) {
+ mp = ipsec_check_inbound_policy(mp, connp,
+ ipha, NULL, ira);
+ if (mp == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ /* Note that mp is NULL */
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ CONN_DEC_REF(connp);
+ return;
+ }
+ }
+ /*
+ * Remove 0-spi if it's 0, or move everything behind
+ * the UDP header over it and forward to ESP via
+ * ip_fanout_v4().
+ */
+ if (connp->conn_udp->udp_nat_t_endpoint) {
+ if (iraflags & IRAF_IPSEC_SECURE) {
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
+ DROPPER(ipss, ipds_esp_nat_t_ipsec),
+ &ipss->ipsec_dropper);
+ CONN_DEC_REF(connp);
+ return;
+ }
+
+ mp = zero_spi_check(mp, ira);
+ if (mp == NULL) {
+ /*
+ * Packet was consumed - probably sent to
+ * ip_fanout_v4.
+ */
+ CONN_DEC_REF(connp);
+ return;
+ }
+ /* Else continue like a normal UDP packet. */
+ ipha = (ipha_t *)mp->b_rptr;
+ protocol = ipha->ipha_protocol;
+ ira->ira_protocol = protocol;
+ }
+ /* Found a client; up it goes */
+ IP_STAT(ipst, ip_udp_fannorm);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ ira->ira_ill = ira->ira_rill = NULL;
+ (connp->conn_recv)(connp, mp, NULL, ira);
+ CONN_DEC_REF(connp);
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
+ return;
+ default:
+ break;
+ }
+
+ /*
+ * Clear hardware checksumming flag as it is currently only
+ * used by TCP and UDP.
+ */
+ DB_CKSUMFLAGS(mp) = 0;
+
+ switch (protocol) {
+ case IPPROTO_ICMP:
+ /*
+ * We need to accomodate icmp messages coming in clear
+ * until we get everything secure from the wire. If
+ * icmp_accept_clear_messages is zero we check with
+ * the global policy and act accordingly. If it is
+ * non-zero, we accept the message without any checks.
+ * But *this does not mean* that this will be delivered
+ * to RAW socket clients. By accepting we might send
+ * replies back, change our MTU value etc.,
+ * but delivery to the ULP/clients depends on their
+ * policy dispositions.
+ */
+ if (ipst->ips_icmp_accept_clear_messages == 0) {
+ mp = ipsec_check_global_policy(mp, NULL,
+ ipha, NULL, ira, ns);
+ if (mp == NULL)
+ return;
+ }
+
+ /*
+ * On a labeled system, we have to check whether the zone
+ * itself is permitted to receive raw traffic.
+ */
+ if (ira->ira_flags & IRAF_SYSTEM_LABELED) {
+ if (!tsol_can_accept_raw(mp, ira, B_FALSE)) {
+ BUMP_MIB(&ipst->ips_icmp_mib, icmpInErrors);
+ ip_drop_input("tsol_can_accept_raw", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ }
+
+ /*
+ * ICMP header checksum, including checksum field,
+ * should be zero.
+ */
+ if (IP_CSUM(mp, ip_hdr_length, 0)) {
+ BUMP_MIB(&ipst->ips_icmp_mib, icmpInCksumErrs);
+ ip_drop_input("icmpInCksumErrs", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ mp = icmp_inbound_v4(mp, ira);
+ if (mp == NULL) {
+ /* No need to pass to RAW sockets */
+ return;
+ }
+ break;
+
+ case IPPROTO_IGMP:
+ /*
+ * If we are not willing to accept IGMP packets in clear,
+ * then check with global policy.
+ */
+ if (ipst->ips_igmp_accept_clear_messages == 0) {
+ mp = ipsec_check_global_policy(mp, NULL,
+ ipha, NULL, ira, ns);
+ if (mp == NULL)
+ return;
+ }
+ if ((ira->ira_flags & IRAF_SYSTEM_LABELED) &&
+ !tsol_can_accept_raw(mp, ira, B_TRUE)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ /*
+ * Validate checksum
+ */
+ if (IP_CSUM(mp, ip_hdr_length, 0)) {
+ ++ipst->ips_igmpstat.igps_rcv_badsum;
+ ip_drop_input("igps_rcv_badsum", mp, ill);
+ freemsg(mp);
+ return;
+ }
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ mp = igmp_input(mp, ira);
+ if (mp == NULL) {
+ /* Bad packet - discarded by igmp_input */
+ return;
+ }
+ break;
+ case IPPROTO_PIM:
+ /*
+ * If we are not willing to accept PIM packets in clear,
+ * then check with global policy.
+ */
+ if (ipst->ips_pim_accept_clear_messages == 0) {
+ mp = ipsec_check_global_policy(mp, NULL,
+ ipha, NULL, ira, ns);
+ if (mp == NULL)
+ return;
+ }
+ if ((ira->ira_flags & IRAF_SYSTEM_LABELED) &&
+ !tsol_can_accept_raw(mp, ira, B_TRUE)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+
+ /* Checksum is verified in pim_input */
+ mp = pim_input(mp, ira);
+ if (mp == NULL) {
+ /* Bad packet - discarded by pim_input */
+ return;
+ }
+ break;
+ case IPPROTO_AH:
+ case IPPROTO_ESP: {
+ /*
+ * Fast path for AH/ESP.
+ */
+ netstack_t *ns = ipst->ips_netstack;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+
+ IP_STAT(ipst, ipsec_proto_ahesp);
+
+ if (!ipsec_loaded(ipss)) {
+ ip_proto_not_sup(mp, ira);
+ return;
+ }
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ /* select inbound SA and have IPsec process the pkt */
+ if (protocol == IPPROTO_ESP) {
+ esph_t *esph;
+ boolean_t esp_in_udp_sa;
+ boolean_t esp_in_udp_packet;
+
+ mp = ipsec_inbound_esp_sa(mp, ira, &esph);
+ if (mp == NULL)
+ return;
+
+ ASSERT(esph != NULL);
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
+ ASSERT(ira->ira_ipsec_esp_sa != NULL);
+ ASSERT(ira->ira_ipsec_esp_sa->ipsa_input_func != NULL);
+
+ esp_in_udp_sa = ((ira->ira_ipsec_esp_sa->ipsa_flags &
+ IPSA_F_NATT) != 0);
+ esp_in_udp_packet =
+ (ira->ira_flags & IRAF_ESP_UDP_PORTS) != 0;
+
+ /*
+ * The following is a fancy, but quick, way of saying:
+ * ESP-in-UDP SA and Raw ESP packet --> drop
+ * OR
+ * ESP SA and ESP-in-UDP packet --> drop
+ */
+ if (esp_in_udp_sa != esp_in_udp_packet) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
+ DROPPER(ipss, ipds_esp_no_sa),
+ &ipss->ipsec_dropper);
+ return;
+ }
+ mp = ira->ira_ipsec_esp_sa->ipsa_input_func(mp, esph,
+ ira);
+ } else {
+ ah_t *ah;
+
+ mp = ipsec_inbound_ah_sa(mp, ira, &ah);
+ if (mp == NULL)
+ return;
+
+ ASSERT(ah != NULL);
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
+ ASSERT(ira->ira_ipsec_ah_sa != NULL);
+ ASSERT(ira->ira_ipsec_ah_sa->ipsa_input_func != NULL);
+ mp = ira->ira_ipsec_ah_sa->ipsa_input_func(mp, ah,
+ ira);
+ }
+
+ if (mp == NULL) {
+ /*
+ * Either it failed or is pending. In the former case
+ * ipIfStatsInDiscards was increased.
+ */
+ return;
+ }
+ /* we're done with IPsec processing, send it up */
+ ip_input_post_ipsec(mp, ira);
+ return;
+ }
+ case IPPROTO_ENCAP: {
+ ipha_t *inner_ipha;
+
+ /*
+ * Handle self-encapsulated packets (IP-in-IP where
+ * the inner addresses == the outer addresses).
+ */
+ if ((uchar_t *)ipha + ip_hdr_length + sizeof (ipha_t) >
+ mp->b_wptr) {
+ if (ira->ira_pktlen <
+ ip_hdr_length + sizeof (ipha_t)) {
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsInTruncatedPkts);
+ ip_drop_input("ipIfStatsInTruncatedPkts",
+ mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ipha = ip_pullup(mp, (uchar_t *)ipha + ip_hdr_length +
+ sizeof (ipha_t) - mp->b_rptr, ira);
+ if (ipha == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ }
+ inner_ipha = (ipha_t *)((uchar_t *)ipha + ip_hdr_length);
+ /*
+ * Check the sanity of the inner IP header.
+ */
+ if ((IPH_HDR_VERSION(inner_ipha) != IPV4_VERSION)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ if (IPH_HDR_LENGTH(inner_ipha) < sizeof (ipha_t)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ if (inner_ipha->ipha_src != ipha->ipha_src ||
+ inner_ipha->ipha_dst != ipha->ipha_dst) {
+ /* We fallthru to iptun fanout below */
+ goto iptun;
+ }
+
+ /*
+ * Self-encapsulated tunnel packet. Remove
+ * the outer IP header and fanout again.
+ * We also need to make sure that the inner
+ * header is pulled up until options.
+ */
+ mp->b_rptr = (uchar_t *)inner_ipha;
+ ipha = inner_ipha;
+ ip_hdr_length = IPH_HDR_LENGTH(ipha);
+ if ((uchar_t *)ipha + ip_hdr_length > mp->b_wptr) {
+ if (ira->ira_pktlen <
+ (uchar_t *)ipha + ip_hdr_length - mp->b_rptr) {
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsInTruncatedPkts);
+ ip_drop_input("ipIfStatsInTruncatedPkts",
+ mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ipha = ip_pullup(mp,
+ (uchar_t *)ipha + ip_hdr_length - mp->b_rptr, ira);
+ if (ipha == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ }
+ if (ip_hdr_length > sizeof (ipha_t)) {
+ /* We got options on the inner packet. */
+ ipaddr_t dst = ipha->ipha_dst;
+ int error = 0;
+
+ dst = ip_input_options(ipha, dst, mp, ira, &error);
+ if (error != 0) {
+ /*
+ * An ICMP error has been sent and the packet
+ * has been dropped.
+ */
+ return;
+ }
+ if (dst != ipha->ipha_dst) {
+ /*
+ * Someone put a source-route in
+ * the inside header of a self-
+ * encapsulated packet. Drop it
+ * with extreme prejudice and let
+ * the sender know.
+ */
+ ip_drop_input("ICMP_SOURCE_ROUTE_FAILED",
+ mp, ill);
+ icmp_unreachable(mp, ICMP_SOURCE_ROUTE_FAILED,
+ ira);
+ return;
+ }
+ }
+ if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
+ /*
+ * This means that somebody is sending
+ * Self-encapsualted packets without AH/ESP.
+ *
+ * Send this packet to find a tunnel endpoint.
+ * if I can't find one, an ICMP
+ * PROTOCOL_UNREACHABLE will get sent.
+ */
+ protocol = ipha->ipha_protocol;
+ ira->ira_protocol = protocol;
+ goto iptun;
+ }
+
+ /* Update based on removed IP header */
+ ira->ira_ip_hdr_length = ip_hdr_length;
+ ira->ira_pktlen = ntohs(ipha->ipha_length);
+
+ if (ira->ira_flags & IRAF_IPSEC_DECAPS) {
+ /*
+ * This packet is self-encapsulated multiple
+ * times. We don't want to recurse infinitely.
+ * To keep it simple, drop the packet.
+ */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
+ ira->ira_flags |= IRAF_IPSEC_DECAPS;
+
+ ip_input_post_ipsec(mp, ira);
+ return;
+ }
+
+ iptun: /* IPPROTO_ENCAPS that is not self-encapsulated */
+ case IPPROTO_IPV6:
+ /* iptun will verify trusted label */
+ connp = ipcl_classify_v4(mp, protocol, ip_hdr_length,
+ ira, ipst);
+ if (connp != NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInDelivers);
+ ira->ira_ill = ira->ira_rill = NULL;
+ (connp->conn_recv)(connp, mp, NULL, ira);
+ CONN_DEC_REF(connp);
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
+ return;
+ }
+ /* FALLTHRU */
+ default:
+ /*
+ * On a labeled system, we have to check whether the zone
+ * itself is permitted to receive raw traffic.
+ */
+ if (ira->ira_flags & IRAF_SYSTEM_LABELED) {
+ if (!tsol_can_accept_raw(mp, ira, B_FALSE)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ }
+ break;
+ }
+
+ /*
+ * The above input functions may have returned the pulled up message.
+ * So ipha need to be reinitialized.
+ */
+ ipha = (ipha_t *)mp->b_rptr;
+ ira->ira_protocol = protocol = ipha->ipha_protocol;
+ if (ipst->ips_ipcl_proto_fanout_v4[protocol].connf_head == NULL) {
+ /*
+ * No user-level listener for these packets packets.
+ * Check for IPPROTO_ENCAP...
+ */
+ if (protocol == IPPROTO_ENCAP && ipst->ips_ip_g_mrouter) {
+ /*
+ * Check policy here,
+ * THEN ship off to ip_mroute_decap().
+ *
+ * BTW, If I match a configured IP-in-IP
+ * tunnel above, this path will not be reached, and
+ * ip_mroute_decap will never be called.
+ */
+ mp = ipsec_check_global_policy(mp, connp,
+ ipha, NULL, ira, ns);
+ if (mp != NULL) {
+ ip_mroute_decap(mp, ira);
+ } /* Else we already freed everything! */
+ } else {
+ ip_proto_not_sup(mp, ira);
+ }
+ return;
+ }
+
+ /*
+ * Handle fanout to raw sockets. There
+ * can be more than one stream bound to a particular
+ * protocol. When this is the case, each one gets a copy
+ * of any incoming packets.
+ */
+ ASSERT(ira->ira_protocol == ipha->ipha_protocol);
+ ip_fanout_proto_v4(mp, ipha, ira);
+ return;
+
+discard:
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
+#undef rptr
+}
diff --git a/usr/src/uts/common/inet/ip/ip_ire.c b/usr/src/uts/common/inet/ip/ip_ire.c
index 63a6863844..be0017cb62 100644
--- a/usr/src/uts/common/inet/ip/ip_ire.c
+++ b/usr/src/uts/common/inet/ip/ip_ire.c
@@ -60,9 +60,6 @@
#include <inet/ip_rts.h>
#include <inet/nd.h>
-#include <net/pfkeyv2.h>
-#include <inet/ipsec_info.h>
-#include <inet/sadb.h>
#include <inet/tcp.h>
#include <inet/ipclassifier.h>
#include <sys/zone.h>
@@ -73,6 +70,11 @@
struct kmem_cache *rt_entry_cache;
+typedef struct nce_clookup_s {
+ ipaddr_t ncecl_addr;
+ boolean_t ncecl_found;
+} nce_clookup_t;
+
/*
* Synchronization notes:
*
@@ -80,17 +82,17 @@ struct kmem_cache *rt_entry_cache;
*
* ire_next/ire_ptpn
*
- * - bucket lock of the respective tables (cache or forwarding tables).
+ * - bucket lock of the forwarding table in which is ire stored.
*
- * ire_mp, ire_rfq, ire_stq, ire_u *except* ire_gateway_addr[v6], ire_mask,
- * ire_type, ire_create_time, ire_masklen, ire_ipversion, ire_flags, ire_ipif,
- * ire_ihandle, ire_phandle, ire_nce, ire_bucket, ire_in_ill, ire_in_src_addr
+ * ire_ill, ire_u *except* ire_gateway_addr[v6], ire_mask,
+ * ire_type, ire_create_time, ire_masklen, ire_ipversion, ire_flags,
+ * ire_bucket
*
* - Set in ire_create_v4/v6 and never changes after that. Thus,
* we don't need a lock whenever these fields are accessed.
*
* - ire_bucket and ire_masklen (also set in ire_create) is set in
- * ire_add_v4/ire_add_v6 before inserting in the bucket and never
+ * ire_add before inserting in the bucket and never
* changes after that. Thus we don't need a lock whenever these
* fields are accessed.
*
@@ -102,7 +104,7 @@ struct kmem_cache *rt_entry_cache;
* does not use any locks. ire_gateway_addr_v6 updates are not atomic
* and hence any access to it uses ire_lock to get/set the right value.
*
- * ire_ident, ire_refcnt
+ * ire_refcnt, ire_identical_ref
*
* - Updated atomically using atomic_add_32
*
@@ -111,40 +113,33 @@ struct kmem_cache *rt_entry_cache;
* - Assumes that 32 bit writes are atomic. No locks. ire_lock is
* used to serialize updates to ire_ssthresh, ire_rtt_sd, ire_rtt.
*
- * ire_max_frag, ire_frag_flag
- *
- * - ire_lock is used to set/read both of them together.
- *
- * ire_tire_mark
+ * ire_generation
+ * - Under ire_lock
*
- * - Set in ire_create and updated in ire_expire, which is called
- * by only one function namely ip_trash_timer_expire. Thus only
- * one function updates and examines the value.
+ * ire_nce_cache
+ * - Under ire_lock
*
- * ire_marks
- * - bucket lock protects this.
+ * ire_dep_parent (To next IRE in recursive lookup chain)
+ * - Under ips_ire_dep_lock. Write held when modifying. Read held when
+ * walking. We also hold ire_lock when modifying to allow the data path
+ * to only acquire ire_lock.
*
- * ire_ll_hdr_length
+ * ire_dep_parent_generation (Generation number from ire_dep_parent)
+ * - Under ips_ire_dep_lock and/or ire_lock. (A read claim on the dep_lock
+ * and ire_lock held when modifying)
*
- * - Place holder for returning the information to the upper layers
- * when IRE_DB_REQ comes down.
- *
- *
- * ipv6_ire_default_count is protected by the bucket lock of
- * ip_forwarding_table_v6[0][0].
- *
- * ipv6_ire_default_index is not protected as it is just a hint
- * at which default gateway to use. There is nothing
- * wrong in using the same gateway for two different connections.
+ * ire_dep_children (From parent to first child)
+ * ire_dep_sib_next (linked list of siblings)
+ * ire_dep_sib_ptpn (linked list of siblings)
+ * - Under ips_ire_dep_lock. Write held when modifying. Read held when
+ * walking.
*
* As we always hold the bucket locks in all the places while accessing
* the above values, it is natural to use them for protecting them.
*
- * We have a separate cache table and forwarding table for IPv4 and IPv6.
- * Cache table (ip_cache_table/ip_cache_table_v6) is a pointer to an
- * array of irb_t structures. The IPv6 forwarding table
+ * We have a forwarding table for IPv4 and IPv6. The IPv6 forwarding table
* (ip_forwarding_table_v6) is an array of pointers to arrays of irb_t
- * structure. ip_forwarding_table_v6 is allocated dynamically in
+ * structures. ip_forwarding_table_v6 is allocated dynamically in
* ire_add_v6. ire_ft_init_lock is used to serialize multiple threads
* initializing the same bucket. Once a bucket is initialized, it is never
* de-alloacted. This assumption enables us to access
@@ -158,39 +153,37 @@ struct kmem_cache *rt_entry_cache;
* a bucket and the ires residing in the bucket have a back pointer to
* the bucket structure. It also has a reference count for the number
* of threads walking the bucket - irb_refcnt which is bumped up
- * using the macro IRB_REFHOLD macro. The flags irb_flags can be
- * set to IRE_MARK_CONDEMNED indicating that there are some ires
- * in this bucket that are marked with IRE_MARK_CONDEMNED and the
+ * using the irb_refhold function. The flags irb_marks can be
+ * set to IRB_MARK_CONDEMNED indicating that there are some ires
+ * in this bucket that are IRE_IS_CONDEMNED and the
* last thread to leave the bucket should delete the ires. Usually
- * this is done by the IRB_REFRELE macro which is used to decrement
+ * this is done by the irb_refrele function which is used to decrement
* the reference count on a bucket. See comments above irb_t structure
* definition in ip.h for further details.
*
- * IRE_REFHOLD/IRE_REFRELE macros operate on the ire which increments/
+ * The ire_refhold/ire_refrele functions operate on the ire which increments/
* decrements the reference count, ire_refcnt, atomically on the ire.
- * ire_refcnt is modified only using this macro. Operations on the IRE
+ * ire_refcnt is modified only using those functions. Operations on the IRE
* could be described as follows :
*
* CREATE an ire with reference count initialized to 1.
*
* ADDITION of an ire holds the bucket lock, checks for duplicates
- * and then adds the ire. ire_add_v4/ire_add_v6 returns the ire after
+ * and then adds the ire. ire_add returns the ire after
* bumping up once more i.e the reference count is 2. This is to avoid
* an extra lookup in the functions calling ire_add which wants to
* work with the ire after adding.
*
- * LOOKUP of an ire bumps up the reference count using IRE_REFHOLD
- * macro. It is valid to bump up the referece count of the IRE,
+ * LOOKUP of an ire bumps up the reference count using ire_refhold
+ * function. It is valid to bump up the referece count of the IRE,
* after the lookup has returned an ire. Following are the lookup
* functions that return an HELD ire :
*
- * ire_lookup_local[_v6], ire_ctable_lookup[_v6], ire_ftable_lookup[_v6],
- * ire_cache_lookup[_v6], ire_lookup_multi[_v6], ire_route_lookup[_v6],
- * ipif_to_ire[_v6].
+ * ire_ftable_lookup[_v6], ire_lookup_multi_ill[_v6]
*
* DELETION of an ire holds the bucket lock, removes it from the list
* and then decrements the reference count for having removed from the list
- * by using the IRE_REFRELE macro. If some other thread has looked up
+ * by using the ire_refrele function. If some other thread has looked up
* the ire, the reference count would have been bumped up and hence
* this ire will not be freed once deleted. It will be freed once the
* reference count drops to zero.
@@ -198,27 +191,12 @@ struct kmem_cache *rt_entry_cache;
* Add and Delete acquires the bucket lock as RW_WRITER, while all the
* lookups acquire the bucket lock as RW_READER.
*
- * NOTE : The only functions that does the IRE_REFRELE when an ire is
- * passed as an argument are :
- *
- * 1) ip_wput_ire : This is because it IRE_REFHOLD/RELEs the
- * broadcast ires it looks up internally within
- * the function. Currently, for simplicity it does
- * not differentiate the one that is passed in and
- * the ones it looks up internally. It always
- * IRE_REFRELEs.
- * 2) ire_send
- * ire_send_v6 : As ire_send calls ip_wput_ire and other functions
- * that take ire as an argument, it has to selectively
- * IRE_REFRELE the ire. To maintain symmetry,
- * ire_send_v6 does the same.
- *
- * Otherwise, the general rule is to do the IRE_REFRELE in the function
+ * The general rule is to do the ire_refrele in the function
* that is passing the ire as an argument.
*
* In trying to locate ires the following points are to be noted.
*
- * IRE_MARK_CONDEMNED signifies that the ire has been logically deleted and is
+ * IRE_IS_CONDEMNED signifies that the ire has been logically deleted and is
* to be ignored when walking the ires using ire_next.
*
* Zones note:
@@ -230,14 +208,6 @@ struct kmem_cache *rt_entry_cache;
*/
/*
- * The minimum size of IRE cache table. It will be recalcuated in
- * ip_ire_init().
- * Setable in /etc/system
- */
-uint32_t ip_cache_table_size = IP_CACHE_TABLE_SIZE;
-uint32_t ip6_cache_table_size = IP6_CACHE_TABLE_SIZE;
-
-/*
* The size of the forwarding table. We will make sure that it is a
* power of 2 in ip_ire_init().
* Setable in /etc/system
@@ -245,313 +215,213 @@ uint32_t ip6_cache_table_size = IP6_CACHE_TABLE_SIZE;
uint32_t ip6_ftable_hash_size = IP6_FTABLE_HASH_SIZE;
struct kmem_cache *ire_cache;
-static ire_t ire_null;
-
-/*
- * The threshold number of IRE in a bucket when the IREs are
- * cleaned up. This threshold is calculated later in ip_open()
- * based on the speed of CPU and available memory. This default
- * value is the maximum.
- *
- * We have two kinds of cached IRE, temporary and
- * non-temporary. Temporary IREs are marked with
- * IRE_MARK_TEMPORARY. They are IREs created for non
- * TCP traffic and for forwarding purposes. All others
- * are non-temporary IREs. We don't mark IRE created for
- * TCP as temporary because TCP is stateful and there are
- * info stored in the IRE which can be shared by other TCP
- * connections to the same destination. For connected
- * endpoint, we also don't want to mark the IRE used as
- * temporary because the same IRE will be used frequently,
- * otherwise, the app should not do a connect(). We change
- * the marking at ip_bind_connected_*() if necessary.
- *
- * We want to keep the cache IRE hash bucket length reasonably
- * short, otherwise IRE lookup functions will take "forever."
- * We use the "crude" function that the IRE bucket
- * length should be based on the CPU speed, which is 1 entry
- * per x MHz, depending on the shift factor ip_ire_cpu_ratio
- * (n). This means that with a 750MHz CPU, the max bucket
- * length can be (750 >> n) entries.
- *
- * Note that this threshold is separate for temp and non-temp
- * IREs. This means that the actual bucket length can be
- * twice as that. And while we try to keep temporary IRE
- * length at most at the threshold value, we do not attempt to
- * make the length for non-temporary IREs fixed, for the
- * reason stated above. Instead, we start trying to find
- * "unused" non-temporary IREs when the bucket length reaches
- * this threshold and clean them up.
- *
- * We also want to limit the amount of memory used by
- * IREs. So if we are allowed to use ~3% of memory (M)
- * for those IREs, each bucket should not have more than
- *
- * M / num of cache bucket / sizeof (ire_t)
- *
- * Again the above memory uses are separate for temp and
- * non-temp cached IREs.
- *
- * We may also want the limit to be a function of the number
- * of interfaces and number of CPUs. Doing the initialization
- * in ip_open() means that every time an interface is plumbed,
- * the max is re-calculated. Right now, we don't do anything
- * different. In future, when we have more experience, we
- * may want to change this behavior.
- */
-uint32_t ip_ire_max_bucket_cnt = 10; /* Setable in /etc/system */
-uint32_t ip6_ire_max_bucket_cnt = 10;
-uint32_t ip_ire_cleanup_cnt = 2;
-
-/*
- * The minimum of the temporary IRE bucket count. We do not want
- * the length of each bucket to be too short. This may hurt
- * performance of some apps as the temporary IREs are removed too
- * often.
- */
-uint32_t ip_ire_min_bucket_cnt = 3; /* /etc/system - not used */
-uint32_t ip6_ire_min_bucket_cnt = 3;
-
-/*
- * The ratio of memory consumed by IRE used for temporary to available
- * memory. This is a shift factor, so 6 means the ratio 1 to 64. This
- * value can be changed in /etc/system. 6 is a reasonable number.
- */
-uint32_t ip_ire_mem_ratio = 6; /* /etc/system */
-/* The shift factor for CPU speed to calculate the max IRE bucket length. */
-uint32_t ip_ire_cpu_ratio = 7; /* /etc/system */
-
-typedef struct nce_clookup_s {
- ipaddr_t ncecl_addr;
- boolean_t ncecl_found;
-} nce_clookup_t;
-
-/*
- * The maximum number of buckets in IRE cache table. In future, we may
- * want to make it a dynamic hash table. For the moment, we fix the
- * size and allocate the table in ip_ire_init() when IP is first loaded.
- * We take into account the amount of memory a system has.
- */
-#define IP_MAX_CACHE_TABLE_SIZE 4096
-
-/* Setable in /etc/system */
-static uint32_t ip_max_cache_table_size = IP_MAX_CACHE_TABLE_SIZE;
-static uint32_t ip6_max_cache_table_size = IP_MAX_CACHE_TABLE_SIZE;
+struct kmem_cache *ncec_cache;
+struct kmem_cache *nce_cache;
-/* Zero iulp_t for initialization. */
-const iulp_t ire_uinfo_null = { 0 };
+static ire_t ire_null;
-static int ire_add_v4(ire_t **ire_p, queue_t *q, mblk_t *mp,
- ipsq_func_t func, boolean_t);
+static ire_t *ire_add_v4(ire_t *ire);
static void ire_delete_v4(ire_t *ire);
+static void ire_dep_invalidate_children(ire_t *child);
static void ire_walk_ipvers(pfv_t func, void *arg, uchar_t vers,
zoneid_t zoneid, ip_stack_t *);
static void ire_walk_ill_ipvers(uint_t match_flags, uint_t ire_type,
pfv_t func, void *arg, uchar_t vers, ill_t *ill);
-static void ire_cache_cleanup(irb_t *irb, uint32_t threshold,
- ire_t *ref_ire);
-static void ip_nce_clookup_and_delete(nce_t *nce, void *arg);
-static ire_t *ip4_ctable_lookup_impl(ire_ctable_args_t *margs);
#ifdef DEBUG
static void ire_trace_cleanup(const ire_t *);
#endif
/*
- * To avoid bloating the code, we call this function instead of
- * using the macro IRE_REFRELE. Use macro only in performance
- * critical paths.
- *
- * Must not be called while holding any locks. Otherwise if this is
- * the last reference to be released there is a chance of recursive mutex
- * panic due to ire_refrele -> ipif_ill_refrele_tail -> qwriter_ip trying
- * to restart an ioctl. The one exception is when the caller is sure that
- * this is not the last reference to be released. Eg. if the caller is
- * sure that the ire has not been deleted and won't be deleted.
+ * Following are the functions to increment/decrement the reference
+ * count of the IREs and IRBs (ire bucket).
+ *
+ * 1) We bump up the reference count of an IRE to make sure that
+ * it does not get deleted and freed while we are using it.
+ * Typically all the lookup functions hold the bucket lock,
+ * and look for the IRE. If it finds an IRE, it bumps up the
+ * reference count before dropping the lock. Sometimes we *may* want
+ * to bump up the reference count after we *looked* up i.e without
+ * holding the bucket lock. So, the ire_refhold function does not assert
+ * on the bucket lock being held. Any thread trying to delete from
+ * the hash bucket can still do so but cannot free the IRE if
+ * ire_refcnt is not 0.
+ *
+ * 2) We bump up the reference count on the bucket where the IRE resides
+ * (IRB), when we want to prevent the IREs getting deleted from a given
+ * hash bucket. This makes life easier for ire_walk type functions which
+ * wants to walk the IRE list, call a function, but needs to drop
+ * the bucket lock to prevent recursive rw_enters. While the
+ * lock is dropped, the list could be changed by other threads or
+ * the same thread could end up deleting the ire or the ire pointed by
+ * ire_next. ire_refholding the ire or ire_next is not sufficient as
+ * a delete will still remove the ire from the bucket while we have
+ * dropped the lock and hence the ire_next would be NULL. Thus, we
+ * need a mechanism to prevent deletions from a given bucket.
+ *
+ * To prevent deletions, we bump up the reference count on the
+ * bucket. If the bucket is held, ire_delete just marks both
+ * the ire and irb as CONDEMNED. When the
+ * reference count on the bucket drops to zero, all the CONDEMNED ires
+ * are deleted. We don't have to bump up the reference count on the
+ * bucket if we are walking the bucket and never have to drop the bucket
+ * lock. Note that irb_refhold does not prevent addition of new ires
+ * in the list. It is okay because addition of new ires will not cause
+ * ire_next to point to freed memory. We do irb_refhold only when
+ * all of the 3 conditions are true :
+ *
+ * 1) The code needs to walk the IRE bucket from start to end.
+ * 2) It may have to drop the bucket lock sometimes while doing (1)
+ * 3) It does not want any ires to be deleted meanwhile.
+ */
+
+/*
+ * Bump up the reference count on the hash bucket - IRB to
+ * prevent ires from being deleted in this bucket.
*/
void
-ire_refrele(ire_t *ire)
+irb_refhold(irb_t *irb)
{
- IRE_REFRELE(ire);
+ rw_enter(&irb->irb_lock, RW_WRITER);
+ irb->irb_refcnt++;
+ ASSERT(irb->irb_refcnt != 0);
+ rw_exit(&irb->irb_lock);
}
void
-ire_refrele_notr(ire_t *ire)
+irb_refhold_locked(irb_t *irb)
{
- IRE_REFRELE_NOTR(ire);
+ ASSERT(RW_WRITE_HELD(&irb->irb_lock));
+ irb->irb_refcnt++;
+ ASSERT(irb->irb_refcnt != 0);
}
/*
- * kmem_cache_alloc constructor for IRE in kma space.
- * Note that when ire_mp is set the IRE is stored in that mblk and
- * not in this cache.
+ * Note: when IRB_MARK_DYNAMIC is not set the irb_t
+ * is statically allocated, so that when the irb_refcnt goes to 0,
+ * we simply clean up the ire list and continue.
*/
-/* ARGSUSED */
-static int
-ip_ire_constructor(void *buf, void *cdrarg, int kmflags)
+void
+irb_refrele(irb_t *irb)
{
- ire_t *ire = buf;
+ if (irb->irb_marks & IRB_MARK_DYNAMIC) {
+ irb_refrele_ftable(irb);
+ } else {
+ rw_enter(&irb->irb_lock, RW_WRITER);
+ ASSERT(irb->irb_refcnt != 0);
+ if (--irb->irb_refcnt == 0 &&
+ (irb->irb_marks & IRB_MARK_CONDEMNED)) {
+ ire_t *ire_list;
+
+ ire_list = ire_unlink(irb);
+ rw_exit(&irb->irb_lock);
+ ASSERT(ire_list != NULL);
+ ire_cleanup(ire_list);
+ } else {
+ rw_exit(&irb->irb_lock);
+ }
+ }
+}
- ire->ire_nce = NULL;
- return (0);
+/*
+ * Bump up the reference count on the IRE. We cannot assert that the
+ * bucket lock is being held as it is legal to bump up the reference
+ * count after the first lookup has returned the IRE without
+ * holding the lock.
+ */
+void
+ire_refhold(ire_t *ire)
+{
+ atomic_add_32(&(ire)->ire_refcnt, 1);
+ ASSERT((ire)->ire_refcnt != 0);
+#ifdef DEBUG
+ ire_trace_ref(ire);
+#endif
}
-/* ARGSUSED1 */
-static void
-ip_ire_destructor(void *buf, void *cdrarg)
+void
+ire_refhold_notr(ire_t *ire)
{
- ire_t *ire = buf;
+ atomic_add_32(&(ire)->ire_refcnt, 1);
+ ASSERT((ire)->ire_refcnt != 0);
+}
- ASSERT(ire->ire_nce == NULL);
+void
+ire_refhold_locked(ire_t *ire)
+{
+#ifdef DEBUG
+ ire_trace_ref(ire);
+#endif
+ ire->ire_refcnt++;
}
/*
- * This function is associated with the IP_IOC_IRE_ADVISE_NO_REPLY
- * IOCTL. It is used by TCP (or other ULPs) to supply revised information
- * for an existing CACHED IRE.
+ * Release a ref on an IRE.
+ *
+ * Must not be called while holding any locks. Otherwise if this is
+ * the last reference to be released there is a chance of recursive mutex
+ * panic due to ire_refrele -> ipif_ill_refrele_tail -> qwriter_ip trying
+ * to restart an ioctl. The one exception is when the caller is sure that
+ * this is not the last reference to be released. Eg. if the caller is
+ * sure that the ire has not been deleted and won't be deleted.
+ *
+ * In architectures e.g sun4u, where atomic_add_32_nv is just
+ * a cas, we need to maintain the right memory barrier semantics
+ * as that of mutex_exit i.e all the loads and stores should complete
+ * before the cas is executed. membar_exit() does that here.
*/
-/* ARGSUSED */
-int
-ip_ire_advise(queue_t *q, mblk_t *mp, cred_t *ioc_cr)
+void
+ire_refrele(ire_t *ire)
{
- uchar_t *addr_ucp;
- ipic_t *ipic;
- ire_t *ire;
- ipaddr_t addr;
- in6_addr_t v6addr;
- irb_t *irb;
- zoneid_t zoneid;
- ip_stack_t *ipst = CONNQ_TO_IPST(q);
-
- ASSERT(q->q_next == NULL);
- zoneid = Q_TO_CONN(q)->conn_zoneid;
-
- /*
- * Check privilege using the ioctl credential; if it is NULL
- * then this is a kernel message and therefor privileged.
- */
- if (ioc_cr != NULL && secpolicy_ip_config(ioc_cr, B_FALSE) != 0)
- return (EPERM);
-
- ipic = (ipic_t *)mp->b_rptr;
- if (!(addr_ucp = mi_offset_param(mp, ipic->ipic_addr_offset,
- ipic->ipic_addr_length))) {
- return (EINVAL);
- }
- if (!OK_32PTR(addr_ucp))
- return (EINVAL);
- switch (ipic->ipic_addr_length) {
- case IP_ADDR_LEN: {
- /* Extract the destination address. */
- addr = *(ipaddr_t *)addr_ucp;
- /* Find the corresponding IRE. */
- ire = ire_cache_lookup(addr, zoneid, NULL, ipst);
- break;
- }
- case IPV6_ADDR_LEN: {
- /* Extract the destination address. */
- v6addr = *(in6_addr_t *)addr_ucp;
- /* Find the corresponding IRE. */
- ire = ire_cache_lookup_v6(&v6addr, zoneid, NULL, ipst);
- break;
- }
- default:
- return (EINVAL);
- }
-
- if (ire == NULL)
- return (ENOENT);
- /*
- * Update the round trip time estimate and/or the max frag size
- * and/or the slow start threshold.
- *
- * We serialize multiple advises using ire_lock.
- */
- mutex_enter(&ire->ire_lock);
- if (ipic->ipic_rtt) {
- /*
- * If there is no old cached values, initialize them
- * conservatively. Set them to be (1.5 * new value).
- */
- if (ire->ire_uinfo.iulp_rtt != 0) {
- ire->ire_uinfo.iulp_rtt = (ire->ire_uinfo.iulp_rtt +
- ipic->ipic_rtt) >> 1;
- } else {
- ire->ire_uinfo.iulp_rtt = ipic->ipic_rtt +
- (ipic->ipic_rtt >> 1);
- }
- if (ire->ire_uinfo.iulp_rtt_sd != 0) {
- ire->ire_uinfo.iulp_rtt_sd =
- (ire->ire_uinfo.iulp_rtt_sd +
- ipic->ipic_rtt_sd) >> 1;
- } else {
- ire->ire_uinfo.iulp_rtt_sd = ipic->ipic_rtt_sd +
- (ipic->ipic_rtt_sd >> 1);
- }
- }
- if (ipic->ipic_max_frag)
- ire->ire_max_frag = MIN(ipic->ipic_max_frag, IP_MAXPACKET);
- if (ipic->ipic_ssthresh != 0) {
- if (ire->ire_uinfo.iulp_ssthresh != 0)
- ire->ire_uinfo.iulp_ssthresh =
- (ipic->ipic_ssthresh +
- ire->ire_uinfo.iulp_ssthresh) >> 1;
- else
- ire->ire_uinfo.iulp_ssthresh = ipic->ipic_ssthresh;
- }
- /*
- * Don't need the ire_lock below this. ire_type does not change
- * after initialization. ire_marks is protected by irb_lock.
- */
- mutex_exit(&ire->ire_lock);
-
- if (ipic->ipic_ire_marks != 0 && ire->ire_type == IRE_CACHE) {
- /*
- * Only increment the temporary IRE count if the original
- * IRE is not already marked temporary.
- */
- irb = ire->ire_bucket;
- rw_enter(&irb->irb_lock, RW_WRITER);
- if ((ipic->ipic_ire_marks & IRE_MARK_TEMPORARY) &&
- !(ire->ire_marks & IRE_MARK_TEMPORARY)) {
- irb->irb_tmp_ire_cnt++;
- }
- ire->ire_marks |= ipic->ipic_ire_marks;
- rw_exit(&irb->irb_lock);
- }
+#ifdef DEBUG
+ ire_untrace_ref(ire);
+#endif
+ ASSERT((ire)->ire_refcnt != 0);
+ membar_exit();
+ if (atomic_add_32_nv(&(ire)->ire_refcnt, -1) == 0)
+ ire_inactive(ire);
+}
- ire_refrele(ire);
- return (0);
+void
+ire_refrele_notr(ire_t *ire)
+{
+ ASSERT((ire)->ire_refcnt != 0);
+ membar_exit();
+ if (atomic_add_32_nv(&(ire)->ire_refcnt, -1) == 0)
+ ire_inactive(ire);
}
/*
* This function is associated with the IP_IOC_IRE_DELETE[_NO_REPLY]
- * IOCTL[s]. The NO_REPLY form is used by TCP to delete a route IRE
- * for a host that is not responding. This will force an attempt to
- * establish a new route, if available, and flush out the ARP entry so
- * it will re-resolve. Management processes may want to use the
- * version that generates a reply.
- *
- * This function does not support IPv6 since Neighbor Unreachability Detection
- * means that negative advise like this is useless.
+ * IOCTL[s]. The NO_REPLY form is used by TCP to tell IP that it is
+ * having problems reaching a particular destination.
+ * This will make IP consider alternate routes (e.g., when there are
+ * muliple default routes), and it will also make IP discard any (potentially)
+ * stale redirect.
+ * Management processes may want to use the version that generates a reply.
+ *
+ * With the use of NUD like behavior for IPv4/ARP in addition to IPv6
+ * this function shouldn't be necessary for IP to recover from a bad redirect,
+ * a bad default router (when there are multiple default routers), or
+ * a stale ND/ARP entry. But we retain it in any case.
+ * For instance, this is helpful when TCP suspects a failure before NUD does.
*/
-/* ARGSUSED */
int
ip_ire_delete(queue_t *q, mblk_t *mp, cred_t *ioc_cr)
{
uchar_t *addr_ucp;
- ipaddr_t addr;
+ uint_t ipversion;
+ sin_t *sin;
+ sin6_t *sin6;
+ ipaddr_t v4addr;
+ in6_addr_t v6addr;
ire_t *ire;
ipid_t *ipid;
- boolean_t routing_sock_info = B_FALSE; /* Sent info? */
zoneid_t zoneid;
- ire_t *gire = NULL;
- ill_t *ill;
- mblk_t *arp_mp;
ip_stack_t *ipst;
ASSERT(q->q_next == NULL);
- zoneid = Q_TO_CONN(q)->conn_zoneid;
+ zoneid = IPCL_ZONEID(Q_TO_CONN(q));
ipst = CONNQ_TO_IPST(q);
/*
@@ -563,948 +433,192 @@ ip_ire_delete(queue_t *q, mblk_t *mp, cred_t *ioc_cr)
ipid = (ipid_t *)mp->b_rptr;
- /* Only actions on IRE_CACHEs are acceptable at present. */
- if (ipid->ipid_ire_type != IRE_CACHE)
- return (EINVAL);
-
addr_ucp = mi_offset_param(mp, ipid->ipid_addr_offset,
ipid->ipid_addr_length);
if (addr_ucp == NULL || !OK_32PTR(addr_ucp))
return (EINVAL);
switch (ipid->ipid_addr_length) {
- case IP_ADDR_LEN:
- /* addr_ucp points at IP addr */
- break;
- case sizeof (sin_t): {
- sin_t *sin;
+ case sizeof (sin_t):
/*
* got complete (sockaddr) address - increment addr_ucp to point
* at the ip_addr field.
*/
sin = (sin_t *)addr_ucp;
addr_ucp = (uchar_t *)&sin->sin_addr.s_addr;
+ ipversion = IPV4_VERSION;
+ break;
+ case sizeof (sin6_t):
+ /*
+ * got complete (sockaddr) address - increment addr_ucp to point
+ * at the ip_addr field.
+ */
+ sin6 = (sin6_t *)addr_ucp;
+ addr_ucp = (uchar_t *)&sin6->sin6_addr;
+ ipversion = IPV6_VERSION;
break;
- }
default:
return (EINVAL);
}
- /* Extract the destination address. */
- bcopy(addr_ucp, &addr, IP_ADDR_LEN);
-
- /* Try to find the CACHED IRE. */
- ire = ire_cache_lookup(addr, zoneid, NULL, ipst);
-
- /* Nail it. */
- if (ire) {
- /* Allow delete only on CACHE entries */
- if (ire->ire_type != IRE_CACHE) {
- ire_refrele(ire);
- return (EINVAL);
- }
-
- /*
- * Verify that the IRE has been around for a while.
- * This is to protect against transport protocols
- * that are too eager in sending delete messages.
- */
- if (gethrestime_sec() <
- ire->ire_create_time + ipst->ips_ip_ignore_delete_time) {
- ire_refrele(ire);
- return (EINVAL);
- }
- /*
- * Now we have a potentially dead cache entry. We need
- * to remove it.
- * If this cache entry is generated from a
- * default route (i.e., ire_cmask == 0),
- * search the default list and mark it dead and some
- * background process will try to activate it.
- */
- if ((ire->ire_gateway_addr != 0) && (ire->ire_cmask == 0)) {
- /*
- * Make sure that we pick a different
- * IRE_DEFAULT next time.
- */
- ire_t *gw_ire;
- irb_t *irb = NULL;
- uint_t match_flags;
-
- match_flags = (MATCH_IRE_DEFAULT | MATCH_IRE_RJ_BHOLE);
-
- gire = ire_ftable_lookup(ire->ire_addr,
- ire->ire_cmask, 0, 0,
- ire->ire_ipif, NULL, zoneid, 0, NULL, match_flags,
- ipst);
-
- ip3dbg(("ire_ftable_lookup() returned gire %p\n",
- (void *)gire));
-
- if (gire != NULL) {
- irb = gire->ire_bucket;
-
- /*
- * We grab it as writer just to serialize
- * multiple threads trying to bump up
- * irb_rr_origin
- */
- rw_enter(&irb->irb_lock, RW_WRITER);
- if ((gw_ire = irb->irb_rr_origin) == NULL) {
- rw_exit(&irb->irb_lock);
- goto done;
- }
-
- DTRACE_PROBE1(ip__ire__del__origin,
- (ire_t *), gw_ire);
-
- /* Skip past the potentially bad gateway */
- if (ire->ire_gateway_addr ==
- gw_ire->ire_gateway_addr) {
- ire_t *next = gw_ire->ire_next;
-
- DTRACE_PROBE2(ip__ire__del,
- (ire_t *), gw_ire, (irb_t *), irb);
- IRE_FIND_NEXT_ORIGIN(next);
- irb->irb_rr_origin = next;
- }
- rw_exit(&irb->irb_lock);
- }
- }
-done:
- if (gire != NULL)
- IRE_REFRELE(gire);
- /* report the bad route to routing sockets */
- ip_rts_change(RTM_LOSING, ire->ire_addr, ire->ire_gateway_addr,
- ire->ire_mask, ire->ire_src_addr, 0, 0, 0,
- (RTA_DST | RTA_GATEWAY | RTA_NETMASK | RTA_IFA), ipst);
- routing_sock_info = B_TRUE;
+ if (ipversion == IPV4_VERSION) {
+ /* Extract the destination address. */
+ bcopy(addr_ucp, &v4addr, IP_ADDR_LEN);
- /*
- * TCP is really telling us to start over completely, and it
- * expects that we'll resend the ARP query. Tell ARP to
- * discard the entry, if this is a local destination.
- *
- * But, if the ARP entry is permanent then it shouldn't be
- * deleted, so we set ARED_F_PRESERVE_PERM.
- */
- ill = ire->ire_stq->q_ptr;
- if (ire->ire_gateway_addr == 0 &&
- (arp_mp = ill_ared_alloc(ill, addr)) != NULL) {
- ared_t *ared = (ared_t *)arp_mp->b_rptr;
-
- ASSERT(ared->ared_cmd == AR_ENTRY_DELETE);
- ared->ared_flags |= ARED_F_PRESERVE_PERM;
- putnext(ill->ill_rq, arp_mp);
- }
+ ire = ire_ftable_lookup_v4(v4addr, 0, 0, 0, NULL,
+ zoneid, NULL, MATCH_IRE_DSTONLY, 0, ipst, NULL);
+ } else {
+ /* Extract the destination address. */
+ bcopy(addr_ucp, &v6addr, IPV6_ADDR_LEN);
- ire_delete(ire);
- ire_refrele(ire);
+ ire = ire_ftable_lookup_v6(&v6addr, NULL, NULL, 0, NULL,
+ zoneid, NULL, MATCH_IRE_DSTONLY, 0, ipst, NULL);
}
- /*
- * Also look for an IRE_HOST type redirect ire and
- * remove it if present.
- */
- ire = ire_route_lookup(addr, 0, 0, IRE_HOST, NULL, NULL,
- ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
-
- /* Nail it. */
if (ire != NULL) {
- if (ire->ire_flags & RTF_DYNAMIC) {
- if (!routing_sock_info) {
- ip_rts_change(RTM_LOSING, ire->ire_addr,
- ire->ire_gateway_addr, ire->ire_mask,
- ire->ire_src_addr, 0, 0, 0,
- (RTA_DST | RTA_GATEWAY |
- RTA_NETMASK | RTA_IFA),
- ipst);
- }
- ire_delete(ire);
- }
+ if (ipversion == IPV4_VERSION) {
+ ip_rts_change(RTM_LOSING, ire->ire_addr,
+ ire->ire_gateway_addr, ire->ire_mask,
+ (Q_TO_CONN(q))->conn_laddr_v4, 0, 0, 0,
+ (RTA_DST | RTA_GATEWAY | RTA_NETMASK | RTA_IFA),
+ ire->ire_ipst);
+ }
+ (void) ire_no_good(ire);
ire_refrele(ire);
}
return (0);
}
/*
- * ip_ire_req is called by ip_wput when an IRE_DB_REQ_TYPE message is handed
- * down from the Upper Level Protocol to request a copy of the IRE (to check
- * its type or to extract information like round-trip time estimates or the
- * MTU.)
- * The address is assumed to be in the ire_addr field. If no IRE is found
- * an IRE is returned with ire_type being zero.
- * Note that the upper lavel protocol has to check for broadcast
- * (IRE_BROADCAST) and multicast (CLASSD(addr)).
- * If there is a b_cont the resulting IRE_DB_TYPE mblk is placed at the
- * end of the returned message.
- *
- * TCP sends down a message of this type with a connection request packet
- * chained on. UDP and ICMP send it down to verify that a route exists for
- * the destination address when they get connected.
- */
-void
-ip_ire_req(queue_t *q, mblk_t *mp)
-{
- ire_t *inire;
- ire_t *ire;
- mblk_t *mp1;
- ire_t *sire = NULL;
- zoneid_t zoneid = Q_TO_CONN(q)->conn_zoneid;
- ip_stack_t *ipst = CONNQ_TO_IPST(q);
-
- ASSERT(q->q_next == NULL);
-
- if ((mp->b_wptr - mp->b_rptr) < sizeof (ire_t) ||
- !OK_32PTR(mp->b_rptr)) {
- freemsg(mp);
- return;
- }
- inire = (ire_t *)mp->b_rptr;
- /*
- * Got it, now take our best shot at an IRE.
- */
- if (inire->ire_ipversion == IPV6_VERSION) {
- ire = ire_route_lookup_v6(&inire->ire_addr_v6, 0, 0, 0,
- NULL, &sire, zoneid, NULL,
- (MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT), ipst);
- } else {
- ASSERT(inire->ire_ipversion == IPV4_VERSION);
- ire = ire_route_lookup(inire->ire_addr, 0, 0, 0,
- NULL, &sire, zoneid, NULL,
- (MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT), ipst);
- }
-
- /*
- * We prevent returning IRES with source address INADDR_ANY
- * as these were temporarily created for sending packets
- * from endpoints that have conn_unspec_src set.
- */
- if (ire == NULL ||
- (ire->ire_ipversion == IPV4_VERSION &&
- ire->ire_src_addr == INADDR_ANY) ||
- (ire->ire_ipversion == IPV6_VERSION &&
- IN6_IS_ADDR_UNSPECIFIED(&ire->ire_src_addr_v6))) {
- inire->ire_type = 0;
- } else {
- bcopy(ire, inire, sizeof (ire_t));
- /* Copy the route metrics from the parent. */
- if (sire != NULL) {
- bcopy(&(sire->ire_uinfo), &(inire->ire_uinfo),
- sizeof (iulp_t));
- }
-
- /* Pass the latest setting of the ip_path_mtu_discovery */
- inire->ire_frag_flag |=
- (ipst->ips_ip_path_mtu_discovery) ? IPH_DF : 0;
- }
- if (ire != NULL)
- ire_refrele(ire);
- if (sire != NULL)
- ire_refrele(sire);
- mp->b_wptr = &mp->b_rptr[sizeof (ire_t)];
- mp->b_datap->db_type = IRE_DB_TYPE;
-
- /* Put the IRE_DB_TYPE mblk last in the chain */
- mp1 = mp->b_cont;
- if (mp1 != NULL) {
- mp->b_cont = NULL;
- linkb(mp1, mp);
- mp = mp1;
- }
- qreply(q, mp);
-}
-
-/*
- * Send a packet using the specified IRE.
- * If ire_src_addr_v6 is all zero then discard the IRE after
- * the packet has been sent.
- */
-static void
-ire_send(queue_t *q, mblk_t *pkt, ire_t *ire)
-{
- mblk_t *ipsec_mp;
- boolean_t is_secure;
- uint_t ifindex;
- ill_t *ill;
- zoneid_t zoneid = ire->ire_zoneid;
- ip_stack_t *ipst = ire->ire_ipst;
-
- ASSERT(ire->ire_ipversion == IPV4_VERSION);
- ASSERT(!(ire->ire_type & IRE_LOCAL)); /* Has different ire_zoneid */
- ipsec_mp = pkt;
- is_secure = (pkt->b_datap->db_type == M_CTL);
- if (is_secure) {
- ipsec_out_t *io;
-
- pkt = pkt->b_cont;
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
- if (io->ipsec_out_type == IPSEC_OUT)
- zoneid = io->ipsec_out_zoneid;
- }
-
- /* If the packet originated externally then */
- if (pkt->b_prev) {
- ire_refrele(ire);
- /*
- * Extract the ifindex from b_prev (set in ip_rput_noire).
- * Look up interface to see if it still exists (it could have
- * been unplumbed by the time the reply came back from ARP)
- */
- ifindex = (uint_t)(uintptr_t)pkt->b_prev;
- ill = ill_lookup_on_ifindex(ifindex, B_FALSE,
- NULL, NULL, NULL, NULL, ipst);
- if (ill == NULL) {
- pkt->b_prev = NULL;
- pkt->b_next = NULL;
- freemsg(ipsec_mp);
- return;
- }
- q = ill->ill_rq;
- pkt->b_prev = NULL;
- /*
- * This packet has not gone through IPSEC processing
- * and hence we should not have any IPSEC message
- * prepended.
- */
- ASSERT(ipsec_mp == pkt);
- put(q, pkt);
- ill_refrele(ill);
- } else if (pkt->b_next) {
- /* Packets from multicast router */
- pkt->b_next = NULL;
- /*
- * We never get the IPSEC_OUT while forwarding the
- * packet for multicast router.
- */
- ASSERT(ipsec_mp == pkt);
- ip_rput_forward(ire, (ipha_t *)pkt->b_rptr, ipsec_mp, NULL);
- ire_refrele(ire);
- } else {
- /* Locally originated packets */
- boolean_t delete_ire = B_FALSE;
- ipha_t *ipha = (ipha_t *)pkt->b_rptr;
-
- /*
- * If this IRE shouldn't be kept in the table (because its
- * source address is unspecified), hold a reference to it so
- * we can delete it even after e.g. ip_wput_ire() has dropped
- * its reference.
- */
- if (!(ire->ire_marks & IRE_MARK_NOADD) &&
- ire->ire_src_addr == INADDR_ANY) {
- delete_ire = B_TRUE;
- IRE_REFHOLD(ire);
- }
-
- /*
- * If we were resolving a router we can not use the
- * routers IRE for sending the packet (since it would
- * violate the uniqness of the IP idents) thus we
- * make another pass through ip_wput to create the IRE_CACHE
- * for the destination.
- * When IRE_MARK_NOADD is set, ire_add() is not called.
- * Thus ip_wput() will never find a ire and result in an
- * infinite loop. Thus we check whether IRE_MARK_NOADD is
- * is set. This also implies that IRE_MARK_NOADD can only be
- * used to send packets to directly connected hosts.
- */
- if (ipha->ipha_dst != ire->ire_addr &&
- !(ire->ire_marks & IRE_MARK_NOADD)) {
- ire_refrele(ire); /* Held in ire_add */
- if (CONN_Q(q)) {
- (void) ip_output(Q_TO_CONN(q), ipsec_mp, q,
- IRE_SEND);
- } else {
- (void) ip_output((void *)(uintptr_t)zoneid,
- ipsec_mp, q, IRE_SEND);
- }
- } else {
- if (is_secure) {
- ipsec_out_t *oi;
- ipha_t *ipha;
-
- oi = (ipsec_out_t *)ipsec_mp->b_rptr;
- ipha = (ipha_t *)ipsec_mp->b_cont->b_rptr;
- if (oi->ipsec_out_proc_begin) {
- /*
- * This is the case where
- * ip_wput_ipsec_out could not find
- * the IRE and recreated a new one.
- * As ip_wput_ipsec_out does ire
- * lookups, ire_refrele for the extra
- * bump in ire_add.
- */
- ire_refrele(ire);
- ip_wput_ipsec_out(q, ipsec_mp, ipha,
- NULL, NULL);
- } else {
- /*
- * IRE_REFRELE will be done in
- * ip_wput_ire.
- */
- ip_wput_ire(q, ipsec_mp, ire, NULL,
- IRE_SEND, zoneid);
- }
- } else {
- /*
- * IRE_REFRELE will be done in ip_wput_ire.
- */
- ip_wput_ire(q, ipsec_mp, ire, NULL,
- IRE_SEND, zoneid);
- }
- }
- /*
- * Special code to support sending a single packet with
- * conn_unspec_src using an IRE which has no source address.
- * The IRE is deleted here after sending the packet to avoid
- * having other code trip on it. But before we delete the
- * ire, somebody could have looked up this ire.
- * We prevent returning/using this IRE by the upper layers
- * by making checks to NULL source address in other places
- * like e.g ip_ire_append, ip_ire_req and ip_bind_connected.
- * Though this does not completely prevent other threads
- * from using this ire, this should not cause any problems.
- */
- if (delete_ire) {
- ip1dbg(("ire_send: delete IRE\n"));
- ire_delete(ire);
- ire_refrele(ire); /* Held above */
- }
- }
-}
-
-/*
- * Send a packet using the specified IRE.
- * If ire_src_addr_v6 is all zero then discard the IRE after
- * the packet has been sent.
- */
-static void
-ire_send_v6(queue_t *q, mblk_t *pkt, ire_t *ire)
-{
- mblk_t *ipsec_mp;
- boolean_t secure;
- uint_t ifindex;
- zoneid_t zoneid = ire->ire_zoneid;
- ip_stack_t *ipst = ire->ire_ipst;
-
- ASSERT(ire->ire_ipversion == IPV6_VERSION);
- ASSERT(!(ire->ire_type & IRE_LOCAL)); /* Has different ire_zoneid */
- if (pkt->b_datap->db_type == M_CTL) {
- ipsec_out_t *io;
-
- ipsec_mp = pkt;
- pkt = pkt->b_cont;
- secure = B_TRUE;
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
- if (io->ipsec_out_type == IPSEC_OUT)
- zoneid = io->ipsec_out_zoneid;
- } else {
- ipsec_mp = pkt;
- secure = B_FALSE;
- }
-
- /* If the packet originated externally then */
- if (pkt->b_prev) {
- ill_t *ill;
- /*
- * Extract the ifindex from b_prev (set in ip_rput_data_v6).
- * Look up interface to see if it still exists (it could have
- * been unplumbed by the time the reply came back from the
- * resolver).
- */
- ifindex = (uint_t)(uintptr_t)pkt->b_prev;
- ill = ill_lookup_on_ifindex(ifindex, B_TRUE,
- NULL, NULL, NULL, NULL, ipst);
- if (ill == NULL) {
- pkt->b_prev = NULL;
- pkt->b_next = NULL;
- freemsg(ipsec_mp);
- ire_refrele(ire); /* Held in ire_add */
- return;
- }
- q = ill->ill_rq;
- pkt->b_prev = NULL;
- /*
- * This packet has not gone through IPSEC processing
- * and hence we should not have any IPSEC message
- * prepended.
- */
- ASSERT(ipsec_mp == pkt);
- put(q, pkt);
- ill_refrele(ill);
- } else if (pkt->b_next) {
- /* Packets from multicast router */
- pkt->b_next = NULL;
- /*
- * We never get the IPSEC_OUT while forwarding the
- * packet for multicast router.
- */
- ASSERT(ipsec_mp == pkt);
- /*
- * XXX TODO IPv6.
- */
- freemsg(pkt);
-#ifdef XXX
- ip_rput_forward(ire, (ipha_t *)pkt->b_rptr, pkt, NULL);
-#endif
- } else {
- if (secure) {
- ipsec_out_t *oi;
- ip6_t *ip6h;
-
- oi = (ipsec_out_t *)ipsec_mp->b_rptr;
- ip6h = (ip6_t *)ipsec_mp->b_cont->b_rptr;
- if (oi->ipsec_out_proc_begin) {
- /*
- * This is the case where
- * ip_wput_ipsec_out could not find
- * the IRE and recreated a new one.
- */
- ip_wput_ipsec_out_v6(q, ipsec_mp, ip6h,
- NULL, NULL);
- } else {
- if (CONN_Q(q)) {
- (void) ip_output_v6(Q_TO_CONN(q),
- ipsec_mp, q, IRE_SEND);
- } else {
- (void) ip_output_v6(
- (void *)(uintptr_t)zoneid,
- ipsec_mp, q, IRE_SEND);
- }
- }
- } else {
- /*
- * Send packets through ip_output_v6 so that any
- * ip6_info header can be processed again.
- */
- if (CONN_Q(q)) {
- (void) ip_output_v6(Q_TO_CONN(q), ipsec_mp, q,
- IRE_SEND);
- } else {
- (void) ip_output_v6((void *)(uintptr_t)zoneid,
- ipsec_mp, q, IRE_SEND);
- }
- }
- /*
- * Special code to support sending a single packet with
- * conn_unspec_src using an IRE which has no source address.
- * The IRE is deleted here after sending the packet to avoid
- * having other code trip on it. But before we delete the
- * ire, somebody could have looked up this ire.
- * We prevent returning/using this IRE by the upper layers
- * by making checks to NULL source address in other places
- * like e.g ip_ire_append_v6, ip_ire_req and
- * ip_bind_connected_v6. Though, this does not completely
- * prevent other threads from using this ire, this should
- * not cause any problems.
- */
- if (IN6_IS_ADDR_UNSPECIFIED(&ire->ire_src_addr_v6)) {
- ip1dbg(("ire_send_v6: delete IRE\n"));
- ire_delete(ire);
- }
- }
- ire_refrele(ire); /* Held in ire_add */
-}
-
-/*
- * Make sure that IRE bucket does not get too long.
- * This can cause lock up because ire_cache_lookup()
- * may take "forever" to finish.
- *
- * We only remove a maximum of cnt IREs each time. This
- * should keep the bucket length approximately constant,
- * depending on cnt. This should be enough to defend
- * against DoS attack based on creating temporary IREs
- * (for forwarding and non-TCP traffic).
- *
- * We also pass in the address of the newly created IRE
- * as we do not want to remove this straight after adding
- * it. New IREs are normally added at the tail of the
- * bucket. This means that we are removing the "oldest"
- * temporary IREs added. Only if there are IREs with
- * the same ire_addr, do we not add it at the tail. Refer
- * to ire_add_v*(). It should be OK for our purpose.
- *
- * For non-temporary cached IREs, we make sure that they
- * have not been used for some time (defined below), they
- * are non-local destinations, and there is no one using
- * them at the moment (refcnt == 1).
- *
- * The above means that the IRE bucket length may become
- * very long, consisting of mostly non-temporary IREs.
- * This can happen when the hash function does a bad job
- * so that most TCP connections cluster to a specific bucket.
- * This "hopefully" should never happen. It can also
- * happen if most TCP connections have very long lives.
- * Even with the minimal hash table size of 256, there
- * has to be a lot of such connections to make the bucket
- * length unreasonably long. This should probably not
- * happen either. The third can when this can happen is
- * when the machine is under attack, such as SYN flooding.
- * TCP should already have the proper mechanism to protect
- * that. So we should be safe.
- *
- * This function is called by ire_add_then_send() after
- * a new IRE is added and the packet is sent.
- *
- * The idle cutoff interval is set to 60s. It can be
- * changed using /etc/system.
- */
-uint32_t ire_idle_cutoff_interval = 60000;
-
-static void
-ire_cache_cleanup(irb_t *irb, uint32_t threshold, ire_t *ref_ire)
-{
- ire_t *ire;
- clock_t cut_off = drv_usectohz(ire_idle_cutoff_interval * 1000);
- int cnt = ip_ire_cleanup_cnt;
-
- /*
- * Try to remove cnt temporary IREs first.
- */
- for (ire = irb->irb_ire; cnt > 0 && ire != NULL; ire = ire->ire_next) {
- if (ire == ref_ire)
- continue;
- if (ire->ire_marks & IRE_MARK_CONDEMNED)
- continue;
- if (ire->ire_marks & IRE_MARK_TEMPORARY) {
- ASSERT(ire->ire_type == IRE_CACHE);
- ire_delete(ire);
- cnt--;
- }
- }
- if (cnt == 0)
- return;
-
- /*
- * If we didn't satisfy our removal target from temporary IREs
- * we see how many non-temporary IREs are currently in the bucket.
- * If this quantity is above the threshold then we see if there are any
- * candidates for removal. We are still limited to removing a maximum
- * of cnt IREs.
- */
- if ((irb->irb_ire_cnt - irb->irb_tmp_ire_cnt) > threshold) {
- for (ire = irb->irb_ire; cnt > 0 && ire != NULL;
- ire = ire->ire_next) {
- if (ire == ref_ire)
- continue;
- if (ire->ire_type != IRE_CACHE)
- continue;
- if (ire->ire_marks & IRE_MARK_CONDEMNED)
- continue;
- if ((ire->ire_refcnt == 1) &&
- (lbolt - ire->ire_last_used_time > cut_off)) {
- ire_delete(ire);
- cnt--;
- }
- }
- }
-}
-
-/*
- * ire_add_then_send is called when a new IRE has been created in order to
- * route an outgoing packet. Typically, it is called from ip_wput when
- * a response comes back down from a resolver. We add the IRE, and then
- * possibly run the packet through ip_wput or ip_rput, as appropriate.
- * However, we do not add the newly created IRE in the cache when
- * IRE_MARK_NOADD is set in the IRE. IRE_MARK_NOADD is set at
- * ip_newroute_ipif(). The ires with IRE_MARK_NOADD are ire_refrele'd by
- * ip_wput_ire() and get deleted.
- * Multirouting support: the packet is silently discarded when the new IRE
- * holds the RTF_MULTIRT flag, but is not the first IRE to be added with the
- * RTF_MULTIRT flag for the same destination address.
- * In this case, we just want to register this additional ire without
- * sending the packet, as it has already been replicated through
- * existing multirt routes in ip_wput().
- */
-void
-ire_add_then_send(queue_t *q, ire_t *ire, mblk_t *mp)
-{
- irb_t *irb;
- boolean_t drop = B_FALSE;
- boolean_t mctl_present;
- mblk_t *first_mp = NULL;
- mblk_t *data_mp = NULL;
- ire_t *dst_ire;
- ipha_t *ipha;
- ip6_t *ip6h;
- ip_stack_t *ipst = ire->ire_ipst;
- int ire_limit;
-
- if (mp != NULL) {
- /*
- * We first have to retrieve the destination address carried
- * by the packet.
- * We can't rely on ire as it can be related to a gateway.
- * The destination address will help in determining if
- * other RTF_MULTIRT ires are already registered.
- *
- * We first need to know where we are going : v4 or V6.
- * the ire version is enough, as there is no risk that
- * we resolve an IPv6 address with an IPv4 ire
- * or vice versa.
- */
- EXTRACT_PKT_MP(mp, first_mp, mctl_present);
- data_mp = mp;
- mp = first_mp;
- if (ire->ire_ipversion == IPV4_VERSION) {
- ipha = (ipha_t *)data_mp->b_rptr;
- dst_ire = ire_cache_lookup(ipha->ipha_dst,
- ire->ire_zoneid, msg_getlabel(mp), ipst);
- } else {
- ASSERT(ire->ire_ipversion == IPV6_VERSION);
- ip6h = (ip6_t *)data_mp->b_rptr;
- dst_ire = ire_cache_lookup_v6(&ip6h->ip6_dst,
- ire->ire_zoneid, msg_getlabel(mp), ipst);
- }
- if (dst_ire != NULL) {
- if (dst_ire->ire_flags & RTF_MULTIRT) {
- /*
- * At least one resolved multirt route
- * already exists for the destination,
- * don't sent this packet: either drop it
- * or complete the pending resolution,
- * depending on the ire.
- */
- drop = B_TRUE;
- }
- ip1dbg(("ire_add_then_send: dst_ire %p "
- "[dst %08x, gw %08x], drop %d\n",
- (void *)dst_ire,
- (dst_ire->ire_ipversion == IPV4_VERSION) ? \
- ntohl(dst_ire->ire_addr) : \
- ntohl(V4_PART_OF_V6(dst_ire->ire_addr_v6)),
- (dst_ire->ire_ipversion == IPV4_VERSION) ? \
- ntohl(dst_ire->ire_gateway_addr) : \
- ntohl(V4_PART_OF_V6(
- dst_ire->ire_gateway_addr_v6)),
- drop));
- ire_refrele(dst_ire);
- }
- }
-
- if (!(ire->ire_marks & IRE_MARK_NOADD)) {
- /* Regular packets with cache bound ires are here. */
- (void) ire_add(&ire, NULL, NULL, NULL, B_FALSE);
-
- if (ire == NULL) {
- mp->b_prev = NULL;
- mp->b_next = NULL;
- MULTIRT_DEBUG_UNTAG(mp);
- freemsg(mp);
- return;
- }
- if (mp == NULL) {
- ire_refrele(ire); /* Held in ire_add_v4/v6 */
- return;
- }
- }
- if (drop) {
- /*
- * If we're adding an RTF_MULTIRT ire, the resolution
- * is over: we just drop the packet.
- */
- if (ire->ire_flags & RTF_MULTIRT) {
- data_mp->b_prev = NULL;
- data_mp->b_next = NULL;
- MULTIRT_DEBUG_UNTAG(mp);
- freemsg(mp);
- } else {
- /*
- * Otherwise, we're adding the ire to a gateway
- * for a multirt route.
- * Invoke ip_newroute() to complete the resolution
- * of the route. We will then come back here and
- * finally drop this packet in the above code.
- */
- if (ire->ire_ipversion == IPV4_VERSION) {
- /*
- * TODO: in order for CGTP to work in non-global
- * zones, ip_newroute() must create the IRE
- * cache in the zone indicated by
- * ire->ire_zoneid.
- */
- ip_newroute(q, mp, ipha->ipha_dst,
- (CONN_Q(q) ? Q_TO_CONN(q) : NULL),
- ire->ire_zoneid, ipst);
- } else {
- int minlen = sizeof (ip6i_t) + IPV6_HDR_LEN;
-
- ASSERT(ire->ire_ipversion == IPV6_VERSION);
-
- /*
- * If necessary, skip over the ip6i_t to find
- * the header with the actual source address.
- */
- if (ip6h->ip6_nxt == IPPROTO_RAW) {
- if (MBLKL(data_mp) < minlen &&
- pullupmsg(data_mp, -1) == 0) {
- ip1dbg(("ire_add_then_send: "
- "cannot pullupmsg ip6i\n"));
- if (mctl_present)
- freeb(first_mp);
- ire_refrele(ire);
- return;
- }
- ASSERT(MBLKL(data_mp) >= IPV6_HDR_LEN);
- ip6h = (ip6_t *)(data_mp->b_rptr +
- sizeof (ip6i_t));
- }
- ip_newroute_v6(q, mp, &ip6h->ip6_dst,
- &ip6h->ip6_src, NULL, ire->ire_zoneid,
- ipst);
- }
- }
-
- ire_refrele(ire); /* As done by ire_send(). */
- return;
- }
- /*
- * Need to remember ire_bucket here as ire_send*() may delete
- * the ire so we cannot reference it after that.
- */
- irb = ire->ire_bucket;
- if (ire->ire_ipversion == IPV4_VERSION) {
- ire_send(q, mp, ire);
- ire_limit = ip_ire_max_bucket_cnt;
- } else {
- ire_send_v6(q, mp, ire);
- ire_limit = ip6_ire_max_bucket_cnt;
- }
-
- /*
- * irb is NULL if the IRE was not added to the hash. This happens
- * when IRE_MARK_NOADD is set and when IREs are returned from
- * ire_update_srcif_v4().
- */
- if (irb != NULL) {
- IRB_REFHOLD(irb);
- if (irb->irb_ire_cnt > ire_limit)
- ire_cache_cleanup(irb, ire_limit, ire);
- IRB_REFRELE(irb);
- }
-}
-
-/*
* Initialize the ire that is specific to IPv4 part and call
* ire_init_common to finish it.
+ * Returns zero or errno.
*/
-ire_t *
-ire_init(ire_t *ire, uchar_t *addr, uchar_t *mask, uchar_t *src_addr,
- uchar_t *gateway, uint_t *max_fragp, nce_t *src_nce, queue_t *rfq,
- queue_t *stq, ushort_t type, ipif_t *ipif, ipaddr_t cmask, uint32_t phandle,
- uint32_t ihandle, uint32_t flags, const iulp_t *ulp_info, tsol_gc_t *gc,
- tsol_gcgrp_t *gcgrp, ip_stack_t *ipst)
+int
+ire_init_v4(ire_t *ire, uchar_t *addr, uchar_t *mask, uchar_t *gateway,
+ ushort_t type, ill_t *ill, zoneid_t zoneid, uint_t flags,
+ tsol_gc_t *gc, ip_stack_t *ipst)
{
- ASSERT(type != IRE_CACHE || stq != NULL);
+ int error;
+
/*
* Reject IRE security attribute creation/initialization
* if system is not running in Trusted mode.
*/
- if ((gc != NULL || gcgrp != NULL) && !is_system_labeled())
- return (NULL);
+ if (gc != NULL && !is_system_labeled())
+ return (EINVAL);
BUMP_IRE_STATS(ipst->ips_ire_stats_v4, ire_stats_alloced);
if (addr != NULL)
bcopy(addr, &ire->ire_addr, IP_ADDR_LEN);
- if (src_addr != NULL)
- bcopy(src_addr, &ire->ire_src_addr, IP_ADDR_LEN);
- if (mask != NULL) {
- bcopy(mask, &ire->ire_mask, IP_ADDR_LEN);
- ire->ire_masklen = ip_mask_to_plen(ire->ire_mask);
- }
- if (gateway != NULL) {
+ if (gateway != NULL)
bcopy(gateway, &ire->ire_gateway_addr, IP_ADDR_LEN);
+
+ /* Make sure we don't have stray values in some fields */
+ switch (type) {
+ case IRE_LOOPBACK:
+ bcopy(&ire->ire_addr, &ire->ire_gateway_addr, IP_ADDR_LEN);
+ /* FALLTHRU */
+ case IRE_HOST:
+ case IRE_BROADCAST:
+ case IRE_LOCAL:
+ case IRE_IF_CLONE:
+ ire->ire_mask = IP_HOST_MASK;
+ ire->ire_masklen = IPV4_ABITS;
+ break;
+ case IRE_PREFIX:
+ case IRE_DEFAULT:
+ case IRE_IF_RESOLVER:
+ case IRE_IF_NORESOLVER:
+ if (mask != NULL) {
+ bcopy(mask, &ire->ire_mask, IP_ADDR_LEN);
+ ire->ire_masklen = ip_mask_to_plen(ire->ire_mask);
+ }
+ break;
+ case IRE_MULTICAST:
+ case IRE_NOROUTE:
+ ASSERT(mask == NULL);
+ break;
+ default:
+ ASSERT(0);
+ return (EINVAL);
}
- if (type == IRE_CACHE)
- ire->ire_cmask = cmask;
+ error = ire_init_common(ire, type, ill, zoneid, flags, IPV4_VERSION,
+ gc, ipst);
+ if (error != NULL)
+ return (error);
- /* ire_init_common will free the mblks upon encountering any failure */
- if (!ire_init_common(ire, max_fragp, src_nce, rfq, stq, type, ipif,
- phandle, ihandle, flags, IPV4_VERSION, ulp_info, gc, gcgrp, ipst))
- return (NULL);
+ /* Determine which function pointers to use */
+ ire->ire_postfragfn = ip_xmit; /* Common case */
- return (ire);
+ switch (ire->ire_type) {
+ case IRE_LOCAL:
+ ire->ire_sendfn = ire_send_local_v4;
+ ire->ire_recvfn = ire_recv_local_v4;
+#ifdef SO_VRRP
+ ASSERT(ire->ire_ill != NULL);
+ if (ire->ire_ill->ill_flags & ILLF_NOACCEPT) {
+ ire->ire_noaccept = B_TRUE;
+ ire->ire_recvfn = ire_recv_noaccept_v6;
+ }
+#endif
+ break;
+ case IRE_LOOPBACK:
+ ire->ire_sendfn = ire_send_local_v4;
+ ire->ire_recvfn = ire_recv_loopback_v4;
+ break;
+ case IRE_BROADCAST:
+ ire->ire_postfragfn = ip_postfrag_loopcheck;
+ ire->ire_sendfn = ire_send_broadcast_v4;
+ ire->ire_recvfn = ire_recv_broadcast_v4;
+ break;
+ case IRE_MULTICAST:
+ ire->ire_postfragfn = ip_postfrag_loopcheck;
+ ire->ire_sendfn = ire_send_multicast_v4;
+ ire->ire_recvfn = ire_recv_multicast_v4;
+ break;
+ default:
+ /*
+ * For IRE_IF_ALL and IRE_OFFLINK we forward received
+ * packets by default.
+ */
+ ire->ire_sendfn = ire_send_wire_v4;
+ ire->ire_recvfn = ire_recv_forward_v4;
+ break;
+ }
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ ire->ire_sendfn = ire_send_noroute_v4;
+ ire->ire_recvfn = ire_recv_noroute_v4;
+ } else if (ire->ire_flags & RTF_MULTIRT) {
+ ire->ire_postfragfn = ip_postfrag_multirt_v4;
+ ire->ire_sendfn = ire_send_multirt_v4;
+ /* Multirt receive of broadcast uses ire_recv_broadcast_v4 */
+ if (ire->ire_type != IRE_BROADCAST)
+ ire->ire_recvfn = ire_recv_multirt_v4;
+ }
+ ire->ire_nce_capable = ire_determine_nce_capable(ire);
+ return (0);
}
/*
- * Similar to ire_create except that it is called only when
- * we want to allocate ire as an mblk e.g. we have an external
- * resolver ARP.
+ * Determine ire_nce_capable
*/
-ire_t *
-ire_create_mp(uchar_t *addr, uchar_t *mask, uchar_t *src_addr, uchar_t *gateway,
- uint_t max_frag, nce_t *src_nce, queue_t *rfq, queue_t *stq, ushort_t type,
- ipif_t *ipif, ipaddr_t cmask, uint32_t phandle, uint32_t ihandle,
- uint32_t flags, const iulp_t *ulp_info, tsol_gc_t *gc, tsol_gcgrp_t *gcgrp,
- ip_stack_t *ipst)
+boolean_t
+ire_determine_nce_capable(ire_t *ire)
{
- ire_t *ire, *buf;
- ire_t *ret_ire;
- mblk_t *mp;
- size_t bufsize;
- frtn_t *frtnp;
- ill_t *ill;
+ int max_masklen;
- bufsize = sizeof (ire_t) + sizeof (frtn_t);
- buf = kmem_alloc(bufsize, KM_NOSLEEP);
- if (buf == NULL) {
- ip1dbg(("ire_create_mp: alloc failed\n"));
- return (NULL);
- }
- frtnp = (frtn_t *)(buf + 1);
- frtnp->free_arg = (caddr_t)buf;
- frtnp->free_func = ire_freemblk;
+ if ((ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
+ (ire->ire_type & IRE_MULTICAST))
+ return (B_TRUE);
- /*
- * Allocate the new IRE. The ire created will hold a ref on
- * an nce_t after ire_nce_init, and this ref must either be
- * (a) transferred to the ire_cache entry created when ire_add_v4
- * is called after successful arp resolution, or,
- * (b) released, when arp resolution fails
- * Case (b) is handled in ire_freemblk() which will be called
- * when mp is freed as a result of failed arp.
- */
- mp = esballoc((unsigned char *)buf, bufsize, BPRI_MED, frtnp);
- if (mp == NULL) {
- ip1dbg(("ire_create_mp: alloc failed\n"));
- kmem_free(buf, bufsize);
- return (NULL);
- }
- ire = (ire_t *)mp->b_rptr;
- mp->b_wptr = (uchar_t *)&ire[1];
+ if (ire->ire_ipversion == IPV4_VERSION)
+ max_masklen = IPV4_ABITS;
+ else
+ max_masklen = IPV6_ABITS;
- /* Start clean. */
- *ire = ire_null;
- ire->ire_mp = mp;
- mp->b_datap->db_type = IRE_DB_TYPE;
- ire->ire_marks |= IRE_MARK_UNCACHED;
-
- ret_ire = ire_init(ire, addr, mask, src_addr, gateway, NULL, src_nce,
- rfq, stq, type, ipif, cmask, phandle, ihandle, flags, ulp_info, gc,
- gcgrp, ipst);
-
- ill = (ill_t *)(stq->q_ptr);
- if (ret_ire == NULL) {
- /* ire_freemblk needs these set */
- ire->ire_stq_ifindex = ill->ill_phyint->phyint_ifindex;
- ire->ire_stackid = ipst->ips_netstack->netstack_stackid;
- ire->ire_ipst = ipst;
- freeb(ire->ire_mp);
- return (NULL);
- }
- ret_ire->ire_stq_ifindex = ill->ill_phyint->phyint_ifindex;
- ret_ire->ire_stackid = ipst->ips_netstack->netstack_stackid;
- ASSERT(ret_ire == ire);
- ASSERT(ret_ire->ire_ipst == ipst);
- /*
- * ire_max_frag is normally zero here and is atomically set
- * under the irebucket lock in ire_add_v[46] except for the
- * case of IRE_MARK_NOADD. In that event the the ire_max_frag
- * is non-zero here.
- */
- ire->ire_max_frag = max_frag;
- return (ire);
+ if ((ire->ire_type & IRE_ONLINK) && ire->ire_masklen == max_masklen)
+ return (B_TRUE);
+ return (B_FALSE);
}
/*
@@ -1514,49 +628,43 @@ ire_create_mp(uchar_t *addr, uchar_t *mask, uchar_t *src_addr, uchar_t *gateway,
* by this function.
*/
ire_t *
-ire_create(uchar_t *addr, uchar_t *mask, uchar_t *src_addr, uchar_t *gateway,
- uint_t *max_fragp, nce_t *src_nce, queue_t *rfq, queue_t *stq,
- ushort_t type, ipif_t *ipif, ipaddr_t cmask, uint32_t phandle,
- uint32_t ihandle, uint32_t flags, const iulp_t *ulp_info, tsol_gc_t *gc,
- tsol_gcgrp_t *gcgrp, ip_stack_t *ipst)
+ire_create(uchar_t *addr, uchar_t *mask, uchar_t *gateway,
+ ushort_t type, ill_t *ill, zoneid_t zoneid, uint_t flags, tsol_gc_t *gc,
+ ip_stack_t *ipst)
{
ire_t *ire;
- ire_t *ret_ire;
+ int error;
ire = kmem_cache_alloc(ire_cache, KM_NOSLEEP);
if (ire == NULL) {
- ip1dbg(("ire_create: alloc failed\n"));
+ DTRACE_PROBE(kmem__cache__alloc);
return (NULL);
}
*ire = ire_null;
- ret_ire = ire_init(ire, addr, mask, src_addr, gateway, max_fragp,
- src_nce, rfq, stq, type, ipif, cmask, phandle, ihandle, flags,
- ulp_info, gc, gcgrp, ipst);
-
- if (ret_ire == NULL) {
+ error = ire_init_v4(ire, addr, mask, gateway, type, ill, zoneid, flags,
+ gc, ipst);
+ if (error != 0) {
+ DTRACE_PROBE2(ire__init, ire_t *, ire, int, error);
kmem_cache_free(ire_cache, ire);
return (NULL);
}
- ASSERT(ret_ire == ire);
return (ire);
}
/*
* Common to IPv4 and IPv6
+ * Returns zero or errno.
*/
-boolean_t
-ire_init_common(ire_t *ire, uint_t *max_fragp, nce_t *src_nce, queue_t *rfq,
- queue_t *stq, ushort_t type, ipif_t *ipif, uint32_t phandle,
- uint32_t ihandle, uint32_t flags, uchar_t ipversion, const iulp_t *ulp_info,
- tsol_gc_t *gc, tsol_gcgrp_t *gcgrp, ip_stack_t *ipst)
+int
+ire_init_common(ire_t *ire, ushort_t type, ill_t *ill, zoneid_t zoneid,
+ uint_t flags, uchar_t ipversion, tsol_gc_t *gc, ip_stack_t *ipst)
{
- ire->ire_max_fragp = max_fragp;
- ire->ire_frag_flag |= (ipst->ips_ip_path_mtu_discovery) ? IPH_DF : 0;
+ int error;
#ifdef DEBUG
- if (ipif != NULL) {
- if (ipif->ipif_isv6)
+ if (ill != NULL) {
+ if (ill->ill_isv6)
ASSERT(ipversion == IPV6_VERSION);
else
ASSERT(ipversion == IPV4_VERSION);
@@ -1565,223 +673,73 @@ ire_init_common(ire_t *ire, uint_t *max_fragp, nce_t *src_nce, queue_t *rfq,
/*
* Create/initialize IRE security attribute only in Trusted mode;
- * if the passed in gc/gcgrp is non-NULL, we expect that the caller
+ * if the passed in gc is non-NULL, we expect that the caller
* has held a reference to it and will release it when this routine
* returns a failure, otherwise we own the reference. We do this
* prior to initializing the rest IRE fields.
- *
- * Don't allocate ire_gw_secattr for the resolver case to prevent
- * memory leak (in case of external resolution failure). We'll
- * allocate it after a successful external resolution, in ire_add().
- * Note that ire->ire_mp != NULL here means this ire is headed
- * to an external resolver.
*/
if (is_system_labeled()) {
if ((type & (IRE_LOCAL | IRE_LOOPBACK | IRE_BROADCAST |
- IRE_INTERFACE)) != 0) {
+ IRE_IF_ALL | IRE_MULTICAST | IRE_NOROUTE)) != 0) {
/* release references on behalf of caller */
if (gc != NULL)
GC_REFRELE(gc);
- if (gcgrp != NULL)
- GCGRP_REFRELE(gcgrp);
- } else if ((ire->ire_mp == NULL) &&
- tsol_ire_init_gwattr(ire, ipversion, gc, gcgrp) != 0) {
- return (B_FALSE);
+ } else {
+ error = tsol_ire_init_gwattr(ire, ipversion, gc);
+ if (error != 0)
+ return (error);
}
}
- ire->ire_stq = stq;
- ire->ire_rfq = rfq;
ire->ire_type = type;
ire->ire_flags = RTF_UP | flags;
- ire->ire_ident = TICK_TO_MSEC(lbolt);
- bcopy(ulp_info, &ire->ire_uinfo, sizeof (iulp_t));
-
- ire->ire_tire_mark = ire->ire_ob_pkt_count + ire->ire_ib_pkt_count;
- ire->ire_last_used_time = lbolt;
ire->ire_create_time = (uint32_t)gethrestime_sec();
+ ire->ire_generation = IRE_GENERATION_INITIAL;
/*
- * If this IRE is an IRE_CACHE, inherit the handles from the
- * parent IREs. For others in the forwarding table, assign appropriate
- * new ones.
+ * The ill_ire_cnt isn't increased until
+ * the IRE is added to ensure that a walker will find
+ * all IREs that hold a reference on an ill.
*
- * The mutex protecting ire_handle is because ire_create is not always
- * called as a writer.
+ * Note that ill_ire_multicast doesn't hold a ref on the ill since
+ * ire_add() is not called for the IRE_MULTICAST.
*/
- if (ire->ire_type & IRE_OFFSUBNET) {
- mutex_enter(&ipst->ips_ire_handle_lock);
- ire->ire_phandle = (uint32_t)ipst->ips_ire_handle++;
- mutex_exit(&ipst->ips_ire_handle_lock);
- } else if (ire->ire_type & IRE_INTERFACE) {
- mutex_enter(&ipst->ips_ire_handle_lock);
- ire->ire_ihandle = (uint32_t)ipst->ips_ire_handle++;
- mutex_exit(&ipst->ips_ire_handle_lock);
- } else if (ire->ire_type == IRE_CACHE) {
- ire->ire_phandle = phandle;
- ire->ire_ihandle = ihandle;
- }
- ire->ire_ipif = ipif;
- if (ipif != NULL) {
- ire->ire_ipif_seqid = ipif->ipif_seqid;
- ire->ire_ipif_ifindex =
- ipif->ipif_ill->ill_phyint->phyint_ifindex;
- ire->ire_zoneid = ipif->ipif_zoneid;
- } else {
- ire->ire_zoneid = GLOBAL_ZONEID;
- }
+ ire->ire_ill = ill;
+ ire->ire_zoneid = zoneid;
ire->ire_ipversion = ipversion;
+
mutex_init(&ire->ire_lock, NULL, MUTEX_DEFAULT, NULL);
- if (ipversion == IPV4_VERSION) {
- /*
- * IPv6 initializes the ire_nce in ire_add_v6, which expects
- * to find the ire_nce to be null when it is called.
- */
- if (ire_nce_init(ire, src_nce) != 0) {
- /* some failure occurred. propagate error back */
- return (B_FALSE);
- }
- }
ire->ire_refcnt = 1;
+ ire->ire_identical_ref = 1; /* Number of ire_delete's needed */
ire->ire_ipst = ipst; /* No netstack_hold */
ire->ire_trace_disable = B_FALSE;
- return (B_TRUE);
+ return (0);
}
/*
- * This routine is called repeatedly by ipif_up to create broadcast IREs.
- * It is passed a pointer to a slot in an IRE pointer array into which to
- * place the pointer to the new IRE, if indeed we create one. If the
- * IRE corresponding to the address passed in would be a duplicate of an
- * existing one, we don't create the new one. irep is incremented before
- * return only if we do create a new IRE. (Always called as writer.)
+ * This creates an IRE_BROADCAST based on the arguments.
+ * A mirror is ire_lookup_bcast().
*
- * Note that with the "match_flags" parameter, we can match on either
- * a particular logical interface (MATCH_IRE_IPIF) or for all logical
- * interfaces for a given physical interface (MATCH_IRE_ILL). Currently,
- * we only create broadcast ire's on a per physical interface basis. If
- * someone is going to be mucking with logical interfaces, it is important
- * to call "ipif_check_bcast_ires()" to make sure that any change to a
- * logical interface will not cause critical broadcast IRE's to be deleted.
- */
-ire_t **
-ire_check_and_create_bcast(ipif_t *ipif, ipaddr_t addr, ire_t **irep,
- int match_flags)
-{
- ire_t *ire;
- uint64_t check_flags = IPIF_DEPRECATED | IPIF_NOLOCAL | IPIF_ANYCAST;
- boolean_t prefer;
- ill_t *ill = ipif->ipif_ill;
- ip_stack_t *ipst = ill->ill_ipst;
-
- /*
- * No broadcast IREs for the LOOPBACK interface
- * or others such as point to point and IPIF_NOXMIT.
- */
- if (!(ipif->ipif_flags & IPIF_BROADCAST) ||
- (ipif->ipif_flags & IPIF_NOXMIT))
- return (irep);
-
- /*
- * If this new IRE would be a duplicate, only prefer it if one of
- * the following is true:
- *
- * 1. The existing one has IPIF_DEPRECATED|IPIF_LOCAL|IPIF_ANYCAST
- * set and the new one has all of those clear.
- *
- * 2. The existing one corresponds to an underlying ILL in an IPMP
- * group and the new one corresponds to an IPMP group interface.
- */
- if ((ire = ire_ctable_lookup(addr, 0, IRE_BROADCAST, ipif,
- ipif->ipif_zoneid, NULL, match_flags, ipst)) != NULL) {
- prefer = ((ire->ire_ipif->ipif_flags & check_flags) &&
- !(ipif->ipif_flags & check_flags)) ||
- (IS_UNDER_IPMP(ire->ire_ipif->ipif_ill) && IS_IPMP(ill));
- if (!prefer) {
- ire_refrele(ire);
- return (irep);
- }
-
- /*
- * Bcast ires exist in pairs. Both have to be deleted,
- * Since we are exclusive we can make the above assertion.
- * The 1st has to be refrele'd since it was ctable_lookup'd.
- */
- ASSERT(IAM_WRITER_IPIF(ipif));
- ASSERT(ire->ire_next->ire_addr == ire->ire_addr);
- ire_delete(ire->ire_next);
- ire_delete(ire);
- ire_refrele(ire);
- }
- return (ire_create_bcast(ipif, addr, irep));
-}
-
-uint_t ip_loopback_mtu = IP_LOOPBACK_MTU;
-
-/*
- * This routine is called from ipif_check_bcast_ires and ire_check_bcast.
- * It leaves all the verifying and deleting to those routines. So it always
- * creates 2 bcast ires and chains them into the ire array passed in.
+ * Any supression of unneeded ones is done in ire_add_v4.
+ * We add one IRE_BROADCAST per address. ire_send_broadcast_v4()
+ * takes care of generating a loopback copy of the packet.
*/
ire_t **
-ire_create_bcast(ipif_t *ipif, ipaddr_t addr, ire_t **irep)
+ire_create_bcast(ill_t *ill, ipaddr_t addr, zoneid_t zoneid, ire_t **irep)
{
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
- ill_t *ill = ipif->ipif_ill;
-
- ASSERT(IAM_WRITER_IPIF(ipif));
+ ip_stack_t *ipst = ill->ill_ipst;
- if (IS_IPMP(ill)) {
- /*
- * Broadcast IREs for the IPMP meta-interface use the
- * nominated broadcast interface to send and receive packets.
- * If there's no nominated interface, send the packets down to
- * the IPMP stub driver, which will discard them. If the
- * nominated broadcast interface changes, ill_refresh_bcast()
- * will refresh the broadcast IREs.
- */
- if ((ill = ipmp_illgrp_cast_ill(ill->ill_grp)) == NULL)
- ill = ipif->ipif_ill;
- }
+ ASSERT(IAM_WRITER_ILL(ill));
*irep++ = ire_create(
(uchar_t *)&addr, /* dest addr */
(uchar_t *)&ip_g_all_ones, /* mask */
- (uchar_t *)&ipif->ipif_src_addr, /* source addr */
NULL, /* no gateway */
- &ipif->ipif_mtu, /* max frag */
- NULL, /* no src nce */
- ill->ill_rq, /* recv-from queue */
- ill->ill_wq, /* send-to queue */
IRE_BROADCAST,
- ipif,
- 0,
- 0,
- 0,
- 0,
- &ire_uinfo_null,
- NULL,
- NULL,
- ipst);
-
- *irep++ = ire_create(
- (uchar_t *)&addr, /* dest address */
- (uchar_t *)&ip_g_all_ones, /* mask */
- (uchar_t *)&ipif->ipif_src_addr, /* source address */
- NULL, /* no gateway */
- &ip_loopback_mtu, /* max frag size */
- NULL, /* no src_nce */
- ill->ill_rq, /* recv-from queue */
- NULL, /* no send-to queue */
- IRE_BROADCAST, /* Needed for fanout in wput */
- ipif,
- 0,
- 0,
- 0,
- 0,
- &ire_uinfo_null,
- NULL,
+ ill,
+ zoneid,
+ RTF_KERNEL,
NULL,
ipst);
@@ -1789,174 +747,34 @@ ire_create_bcast(ipif_t *ipif, ipaddr_t addr, ire_t **irep)
}
/*
- * ire_walk routine to delete or update any IRE_CACHE that might contain
- * stale information.
- * The flags state which entries to delete or update.
- * Garbage collection is done separately using kmem alloc callbacks to
- * ip_trash_ire_reclaim.
- * Used for both IPv4 and IPv6. However, IPv6 only uses FLUSH_MTU_TIME
- * since other stale information is cleaned up using NUD.
- */
-void
-ire_expire(ire_t *ire, char *arg)
-{
- ire_expire_arg_t *ieap = (ire_expire_arg_t *)(uintptr_t)arg;
- ill_t *stq_ill;
- int flush_flags = ieap->iea_flush_flag;
- ip_stack_t *ipst = ieap->iea_ipst;
-
- if ((flush_flags & FLUSH_REDIRECT_TIME) &&
- (ire->ire_flags & RTF_DYNAMIC)) {
- /* Make sure we delete the corresponding IRE_CACHE */
- ip1dbg(("ire_expire: all redirects\n"));
- ip_rts_rtmsg(RTM_DELETE, ire, 0, ipst);
- ire_delete(ire);
- atomic_dec_32(&ipst->ips_ip_redirect_cnt);
- return;
- }
- if (ire->ire_type != IRE_CACHE)
- return;
-
- if (flush_flags & FLUSH_ARP_TIME) {
- /*
- * Remove all IRE_CACHE except IPv4 multicast ires. These
- * ires will be deleted by ip_trash_ire_reclaim_stack()
- * when system runs low in memory.
- * Verify that create time is more than ip_ire_arp_interval
- * milliseconds ago.
- */
-
- if (!(ire->ire_ipversion == IPV4_VERSION &&
- CLASSD(ire->ire_addr)) && NCE_EXPIRED(ire->ire_nce, ipst)) {
- ire_delete(ire);
- return;
- }
- }
-
- if (ipst->ips_ip_path_mtu_discovery && (flush_flags & FLUSH_MTU_TIME) &&
- (ire->ire_ipif != NULL)) {
- /* Increase pmtu if it is less than the interface mtu */
- mutex_enter(&ire->ire_lock);
- /*
- * If the ipif is a vni (whose mtu is 0, since it's virtual)
- * get the mtu from the sending interfaces' ipif
- */
- if (IS_VNI(ire->ire_ipif->ipif_ill)) {
- stq_ill = ire->ire_stq->q_ptr;
- ire->ire_max_frag = MIN(stq_ill->ill_ipif->ipif_mtu,
- IP_MAXPACKET);
- } else {
- ire->ire_max_frag = MIN(ire->ire_ipif->ipif_mtu,
- IP_MAXPACKET);
- }
- ire->ire_marks &= ~IRE_MARK_PMTU;
- ire->ire_frag_flag |= IPH_DF;
- mutex_exit(&ire->ire_lock);
- }
-}
-
-/*
- * Return any local address. We use this to target ourselves
- * when the src address was specified as 'default'.
- * Preference for IRE_LOCAL entries.
+ * This looks up an IRE_BROADCAST based on the arguments.
+ * Mirrors ire_create_bcast().
*/
ire_t *
-ire_lookup_local(zoneid_t zoneid, ip_stack_t *ipst)
+ire_lookup_bcast(ill_t *ill, ipaddr_t addr, zoneid_t zoneid)
{
- ire_t *ire;
- irb_t *irb;
- ire_t *maybe = NULL;
- int i;
+ ire_t *ire;
+ int match_args;
- for (i = 0; i < ipst->ips_ip_cache_table_size; i++) {
- irb = &ipst->ips_ip_cache_table[i];
- if (irb->irb_ire == NULL)
- continue;
- rw_enter(&irb->irb_lock, RW_READER);
- for (ire = irb->irb_ire; ire != NULL; ire = ire->ire_next) {
- if ((ire->ire_marks & IRE_MARK_CONDEMNED) ||
- (ire->ire_zoneid != zoneid &&
- ire->ire_zoneid != ALL_ZONES))
- continue;
- switch (ire->ire_type) {
- case IRE_LOOPBACK:
- if (maybe == NULL) {
- IRE_REFHOLD(ire);
- maybe = ire;
- }
- break;
- case IRE_LOCAL:
- if (maybe != NULL) {
- ire_refrele(maybe);
- }
- IRE_REFHOLD(ire);
- rw_exit(&irb->irb_lock);
- return (ire);
- }
- }
- rw_exit(&irb->irb_lock);
- }
- return (maybe);
-}
+ match_args = MATCH_IRE_TYPE | MATCH_IRE_ILL | MATCH_IRE_GW |
+ MATCH_IRE_MASK | MATCH_IRE_ZONEONLY;
-/*
- * If the specified IRE is associated with a particular ILL, return
- * that ILL pointer (May be called as writer.).
- *
- * NOTE : This is not a generic function that can be used always.
- * This function always returns the ill of the outgoing packets
- * if this ire is used.
- */
-ill_t *
-ire_to_ill(const ire_t *ire)
-{
- ill_t *ill = NULL;
+ if (IS_UNDER_IPMP(ill))
+ match_args |= MATCH_IRE_TESTHIDDEN;
- /*
- * 1) For an IRE_CACHE, ire_ipif is the one where it obtained
- * the source address from. ire_stq is the one where the
- * packets will be sent out on. We return that here.
- *
- * 2) IRE_BROADCAST normally has a loopback and a non-loopback
- * copy and they always exist next to each other with loopback
- * copy being the first one. If we are called on the non-loopback
- * copy, return the one pointed by ire_stq. If it was called on
- * a loopback copy, we still return the one pointed by the next
- * ire's ire_stq pointer i.e the one pointed by the non-loopback
- * copy. We don't want use ire_ipif as it might represent the
- * source address (if we borrow source addresses for
- * IRE_BROADCASTS in the future).
- * However if an interface is currently coming up, the above
- * condition may not hold during that period since the ires
- * are added one at a time. Thus one of the pair could have been
- * added and the other not yet added.
- * 3) For many other IREs (e.g., IRE_LOCAL), ire_rfq indicates the ill.
- * 4) For all others return the ones pointed by ire_ipif->ipif_ill.
- * That handles IRE_LOOPBACK.
- */
-
- if (ire->ire_type == IRE_CACHE) {
- ill = (ill_t *)ire->ire_stq->q_ptr;
- } else if (ire->ire_type == IRE_BROADCAST) {
- if (ire->ire_stq != NULL) {
- ill = (ill_t *)ire->ire_stq->q_ptr;
- } else {
- ire_t *ire_next;
-
- ire_next = ire->ire_next;
- if (ire_next != NULL &&
- ire_next->ire_type == IRE_BROADCAST &&
- ire_next->ire_addr == ire->ire_addr &&
- ire_next->ire_ipif == ire->ire_ipif) {
- ill = (ill_t *)ire_next->ire_stq->q_ptr;
- }
- }
- } else if (ire->ire_rfq != NULL) {
- ill = ire->ire_rfq->q_ptr;
- } else if (ire->ire_ipif != NULL) {
- ill = ire->ire_ipif->ipif_ill;
- }
- return (ill);
+ ire = ire_ftable_lookup_v4(
+ addr, /* dest addr */
+ ip_g_all_ones, /* mask */
+ 0, /* no gateway */
+ IRE_BROADCAST,
+ ill,
+ zoneid,
+ NULL,
+ match_args,
+ 0,
+ ill->ill_ipst,
+ NULL);
+ return (ire);
}
/* Arrange to call the specified function for every IRE in the world. */
@@ -1992,15 +810,13 @@ ire_walk_ipvers(pfv_t func, void *arg, uchar_t vers, zoneid_t zoneid,
*/
ire_walk_ill_tables(0, 0, func, arg, IP_MASK_TABLE_SIZE,
0, NULL,
- ipst->ips_ip_cache_table_size, ipst->ips_ip_cache_table,
NULL, zoneid, ipst);
}
if (vers != IPV4_VERSION) {
ire_walk_ill_tables(0, 0, func, arg, IP6_MASK_TABLE_SIZE,
ipst->ips_ip6_ftable_hash_size,
ipst->ips_ip_forwarding_table_v6,
- ipst->ips_ip6_cache_table_size,
- ipst->ips_ip_cache_table_v6, NULL, zoneid, ipst);
+ NULL, zoneid, ipst);
}
}
@@ -2016,22 +832,6 @@ ire_walk_ill(uint_t match_flags, uint_t ire_type, pfv_t func, void *arg,
ire_walk_ill_ipvers(match_flags, ire_type, func, arg, vers, ill);
}
-void
-ire_walk_ill_v4(uint_t match_flags, uint_t ire_type, pfv_t func, void *arg,
- ill_t *ill)
-{
- ire_walk_ill_ipvers(match_flags, ire_type, func, arg, IPV4_VERSION,
- ill);
-}
-
-void
-ire_walk_ill_v6(uint_t match_flags, uint_t ire_type, pfv_t func, void *arg,
- ill_t *ill)
-{
- ire_walk_ill_ipvers(match_flags, ire_type, func, arg, IPV6_VERSION,
- ill);
-}
-
/*
* Walk a particular ill and version.
*/
@@ -2043,137 +843,121 @@ ire_walk_ill_ipvers(uint_t match_flags, uint_t ire_type, pfv_t func,
if (vers == IPV4_VERSION) {
ire_walk_ill_tables(match_flags, ire_type, func, arg,
- IP_MASK_TABLE_SIZE, 0,
- NULL, ipst->ips_ip_cache_table_size,
- ipst->ips_ip_cache_table, ill, ALL_ZONES, ipst);
- } else if (vers == IPV6_VERSION) {
+ IP_MASK_TABLE_SIZE,
+ 0, NULL,
+ ill, ALL_ZONES, ipst);
+ }
+ if (vers != IPV4_VERSION) {
ire_walk_ill_tables(match_flags, ire_type, func, arg,
IP6_MASK_TABLE_SIZE, ipst->ips_ip6_ftable_hash_size,
ipst->ips_ip_forwarding_table_v6,
- ipst->ips_ip6_cache_table_size,
- ipst->ips_ip_cache_table_v6, ill, ALL_ZONES, ipst);
+ ill, ALL_ZONES, ipst);
}
}
+/*
+ * Do the specific matching of IREs to shared-IP zones.
+ *
+ * We have the same logic as in ire_match_args but implemented slightly
+ * differently.
+ */
boolean_t
ire_walk_ill_match(uint_t match_flags, uint_t ire_type, ire_t *ire,
ill_t *ill, zoneid_t zoneid, ip_stack_t *ipst)
{
- ill_t *ire_stq_ill = NULL;
- ill_t *ire_ipif_ill = NULL;
+ ill_t *dst_ill = NULL;
ASSERT(match_flags != 0 || zoneid != ALL_ZONES);
- /*
- * MATCH_IRE_ILL: We match both on ill pointed by ire_stq and
- * ire_ipif. Only in the case of IRE_CACHEs can ire_stq and
- * ire_ipif be pointing to different ills. But we want to keep
- * this function generic enough for future use. So, we always
- * try to match on both. The only caller of this function
- * ire_walk_ill_tables, will call "func" after we return from
- * this function. We expect "func" to do the right filtering
- * of ires in this case.
- */
if (match_flags & MATCH_IRE_ILL) {
- if (ire->ire_stq != NULL)
- ire_stq_ill = ire->ire_stq->q_ptr;
- if (ire->ire_ipif != NULL)
- ire_ipif_ill = ire->ire_ipif->ipif_ill;
+ dst_ill = ire->ire_ill;
}
- if (zoneid != ALL_ZONES) {
+ if (zoneid != ALL_ZONES && zoneid != ire->ire_zoneid &&
+ ire->ire_zoneid != ALL_ZONES) {
/*
* We're walking the IREs for a specific zone. The only relevant
* IREs are:
* - all IREs with a matching ire_zoneid
- * - all IRE_OFFSUBNETs as they're shared across all zones
- * - IRE_INTERFACE IREs for interfaces with a usable source addr
+ * - IRE_IF_ALL IREs for interfaces with a usable source addr
* with a matching zone
- * - IRE_DEFAULTs with a gateway reachable from the zone
- * We should really match on IRE_OFFSUBNETs and IRE_DEFAULTs
- * using the same rule; but the above rules are consistent with
- * the behavior of ire_ftable_lookup[_v6]() so that all the
- * routes that can be matched during lookup are also matched
- * here.
+ * - IRE_OFFLINK with a gateway reachable from the zone
+ * Note that ealier we only did the IRE_OFFLINK check for
+ * IRE_DEFAULT (and only when we had multiple IRE_DEFAULTs).
*/
- if (zoneid != ire->ire_zoneid && ire->ire_zoneid != ALL_ZONES) {
+ dst_ill = ire->ire_ill;
+
+ if (ire->ire_type & IRE_ONLINK) {
+ uint_t ifindex;
+
/*
- * Note, IRE_INTERFACE can have the stq as NULL. For
- * example, if the default multicast route is tied to
- * the loopback address.
+ * Note there is no IRE_INTERFACE on vniN thus
+ * can't do an IRE lookup for a matching route.
*/
- if ((ire->ire_type & IRE_INTERFACE) &&
- (ire->ire_stq != NULL)) {
- ire_stq_ill = (ill_t *)ire->ire_stq->q_ptr;
- if (ire->ire_ipversion == IPV4_VERSION) {
- if (!ipif_usesrc_avail(ire_stq_ill,
- zoneid))
- /* No usable src addr in zone */
- return (B_FALSE);
- } else if (ire_stq_ill->ill_usesrc_ifindex
- != 0) {
- /*
- * For IPv6 use ipif_select_source_v6()
- * so the right scope selection is done
- */
- ipif_t *src_ipif;
- src_ipif =
- ipif_select_source_v6(ire_stq_ill,
- &ire->ire_addr_v6, B_FALSE,
- IPV6_PREFER_SRC_DEFAULT,
- zoneid);
- if (src_ipif != NULL) {
- ipif_refrele(src_ipif);
- } else {
- return (B_FALSE);
- }
- } else {
- return (B_FALSE);
- }
+ ifindex = dst_ill->ill_usesrc_ifindex;
+ if (ifindex == 0)
+ return (B_FALSE);
- } else if (!(ire->ire_type & IRE_OFFSUBNET)) {
+ /*
+ * If there is a usable source address in the
+ * zone, then it's ok to return an
+ * IRE_INTERFACE
+ */
+ if (!ipif_zone_avail(ifindex, dst_ill->ill_isv6,
+ zoneid, ipst)) {
+ return (B_FALSE);
+ }
+ }
+
+ if (dst_ill != NULL && (ire->ire_type & IRE_OFFLINK)) {
+ ipif_t *tipif;
+
+ mutex_enter(&dst_ill->ill_lock);
+ for (tipif = dst_ill->ill_ipif;
+ tipif != NULL; tipif = tipif->ipif_next) {
+ if (!IPIF_IS_CONDEMNED(tipif) &&
+ (tipif->ipif_flags & IPIF_UP) &&
+ (tipif->ipif_zoneid == zoneid ||
+ tipif->ipif_zoneid == ALL_ZONES))
+ break;
+ }
+ mutex_exit(&dst_ill->ill_lock);
+ if (tipif == NULL) {
return (B_FALSE);
}
}
/*
- * Match all default routes from the global zone, irrespective
+ * Match all offlink routes from the global zone, irrespective
* of reachability. For a non-global zone only match those
- * where ire_gateway_addr has a IRE_INTERFACE for the zoneid.
+ * where ire_gateway_addr has an IRE_INTERFACE for the zoneid.
*/
- if (ire->ire_type == IRE_DEFAULT && zoneid != GLOBAL_ZONEID) {
- int ire_match_flags = 0;
+ if ((ire->ire_type & IRE_OFFLINK) && zoneid != GLOBAL_ZONEID &&
+ zoneid != ALL_ZONES) {
in6_addr_t gw_addr_v6;
- ire_t *rire;
-
- ire_match_flags |= MATCH_IRE_TYPE;
- if (ire->ire_ipif != NULL)
- ire_match_flags |= MATCH_IRE_ILL;
if (ire->ire_ipversion == IPV4_VERSION) {
- rire = ire_route_lookup(ire->ire_gateway_addr,
- 0, 0, IRE_INTERFACE, ire->ire_ipif, NULL,
- zoneid, NULL, ire_match_flags, ipst);
+ if (!ire_gateway_ok_zone_v4(
+ ire->ire_gateway_addr, zoneid,
+ dst_ill, NULL, ipst, B_FALSE))
+ return (B_FALSE);
} else {
ASSERT(ire->ire_ipversion == IPV6_VERSION);
mutex_enter(&ire->ire_lock);
gw_addr_v6 = ire->ire_gateway_addr_v6;
mutex_exit(&ire->ire_lock);
- rire = ire_route_lookup_v6(&gw_addr_v6,
- NULL, NULL, IRE_INTERFACE, ire->ire_ipif,
- NULL, zoneid, NULL, ire_match_flags, ipst);
- }
- if (rire == NULL) {
- return (B_FALSE);
+
+ if (!ire_gateway_ok_zone_v6(&gw_addr_v6, zoneid,
+ dst_ill, NULL, ipst, B_FALSE))
+ return (B_FALSE);
}
- ire_refrele(rire);
}
}
if (((!(match_flags & MATCH_IRE_TYPE)) ||
(ire->ire_type & ire_type)) &&
((!(match_flags & MATCH_IRE_ILL)) ||
- (ire_stq_ill == ill || ire_ipif_ill == ill ||
- ire_ipif_ill != NULL && IS_IN_SAME_ILLGRP(ire_ipif_ill, ill)))) {
+ (dst_ill == ill ||
+ dst_ill != NULL && IS_IN_SAME_ILLGRP(dst_ill, ill)))) {
return (B_TRUE);
}
return (B_FALSE);
@@ -2197,8 +981,9 @@ rtfunc(struct radix_node *rn, void *arg)
ret = ire_walk_ill_match(rtf->rt_match_flags,
rtf->rt_ire_type, ire,
rtf->rt_ill, rtf->rt_zoneid, rtf->rt_ipst);
- } else
+ } else {
ret = B_TRUE;
+ }
if (ret)
(*rtf->rt_func)(ire, rtf->rt_arg);
}
@@ -2206,12 +991,12 @@ rtfunc(struct radix_node *rn, void *arg)
}
/*
- * Walk the ftable and the ctable entries that match the ill.
+ * Walk the ftable entries that match the ill.
*/
void
ire_walk_ill_tables(uint_t match_flags, uint_t ire_type, pfv_t func,
void *arg, size_t ftbl_sz, size_t htbl_sz, irb_t **ipftbl,
- size_t ctbl_sz, irb_t *ipctbl, ill_t *ill, zoneid_t zoneid,
+ ill_t *ill, zoneid_t zoneid,
ip_stack_t *ipst)
{
irb_t *irb_ptr;
@@ -2223,85 +1008,50 @@ ire_walk_ill_tables(uint_t match_flags, uint_t ire_type, pfv_t func,
ASSERT((!(match_flags & MATCH_IRE_ILL)) || (ill != NULL));
ASSERT(!(match_flags & MATCH_IRE_TYPE) || (ire_type != 0));
- /*
- * Optimize by not looking at the forwarding table if there
- * is a MATCH_IRE_TYPE specified with no IRE_FORWARDTABLE
- * specified in ire_type.
- */
- if (!(match_flags & MATCH_IRE_TYPE) ||
- ((ire_type & IRE_FORWARDTABLE) != 0)) {
- /* knobs such that routine is called only for v6 case */
- if (ipftbl == ipst->ips_ip_forwarding_table_v6) {
- for (i = (ftbl_sz - 1); i >= 0; i--) {
- if ((irb_ptr = ipftbl[i]) == NULL)
+
+ /* knobs such that routine is called only for v6 case */
+ if (ipftbl == ipst->ips_ip_forwarding_table_v6) {
+ for (i = (ftbl_sz - 1); i >= 0; i--) {
+ if ((irb_ptr = ipftbl[i]) == NULL)
+ continue;
+ for (j = 0; j < htbl_sz; j++) {
+ irb = &irb_ptr[j];
+ if (irb->irb_ire == NULL)
continue;
- for (j = 0; j < htbl_sz; j++) {
- irb = &irb_ptr[j];
- if (irb->irb_ire == NULL)
- continue;
-
- IRB_REFHOLD(irb);
- for (ire = irb->irb_ire; ire != NULL;
- ire = ire->ire_next) {
- if (match_flags == 0 &&
- zoneid == ALL_ZONES) {
- ret = B_TRUE;
- } else {
- ret =
- ire_walk_ill_match(
- match_flags,
- ire_type, ire, ill,
- zoneid, ipst);
- }
- if (ret)
- (*func)(ire, arg);
+
+ irb_refhold(irb);
+ for (ire = irb->irb_ire; ire != NULL;
+ ire = ire->ire_next) {
+ if (match_flags == 0 &&
+ zoneid == ALL_ZONES) {
+ ret = B_TRUE;
+ } else {
+ ret =
+ ire_walk_ill_match(
+ match_flags,
+ ire_type, ire, ill,
+ zoneid, ipst);
}
- IRB_REFRELE(irb);
+ if (ret)
+ (*func)(ire, arg);
}
+ irb_refrele(irb);
}
- } else {
- (void) memset(&rtfarg, 0, sizeof (rtfarg));
- rtfarg.rt_func = func;
- rtfarg.rt_arg = arg;
- if (match_flags != 0) {
- rtfarg.rt_match_flags = match_flags;
- }
- rtfarg.rt_ire_type = ire_type;
- rtfarg.rt_ill = ill;
- rtfarg.rt_zoneid = zoneid;
- rtfarg.rt_ipst = ipst; /* No netstack_hold */
- (void) ipst->ips_ip_ftable->rnh_walktree_mt(
- ipst->ips_ip_ftable,
- rtfunc, &rtfarg, irb_refhold_rn, irb_refrele_rn);
}
- }
-
- /*
- * Optimize by not looking at the cache table if there
- * is a MATCH_IRE_TYPE specified with no IRE_CACHETABLE
- * specified in ire_type.
- */
- if (!(match_flags & MATCH_IRE_TYPE) ||
- ((ire_type & IRE_CACHETABLE) != 0)) {
- for (i = 0; i < ctbl_sz; i++) {
- irb = &ipctbl[i];
- if (irb->irb_ire == NULL)
- continue;
- IRB_REFHOLD(irb);
- for (ire = irb->irb_ire; ire != NULL;
- ire = ire->ire_next) {
- if (match_flags == 0 && zoneid == ALL_ZONES) {
- ret = B_TRUE;
- } else {
- ret = ire_walk_ill_match(
- match_flags, ire_type,
- ire, ill, zoneid, ipst);
- }
- if (ret)
- (*func)(ire, arg);
- }
- IRB_REFRELE(irb);
+ } else {
+ (void) memset(&rtfarg, 0, sizeof (rtfarg));
+ rtfarg.rt_func = func;
+ rtfarg.rt_arg = arg;
+ if (match_flags != 0) {
+ rtfarg.rt_match_flags = match_flags;
}
+ rtfarg.rt_ire_type = ire_type;
+ rtfarg.rt_ill = ill;
+ rtfarg.rt_zoneid = zoneid;
+ rtfarg.rt_ipst = ipst; /* No netstack_hold */
+ (void) ipst->ips_ip_ftable->rnh_walktree_mt(
+ ipst->ips_ip_ftable,
+ rtfunc, &rtfarg, irb_refhold_rn, irb_refrele_rn);
}
}
@@ -2323,557 +1073,178 @@ ip_mask_to_plen(ipaddr_t mask)
ipaddr_t
ip_plen_to_mask(uint_t masklen)
{
+ if (masklen == 0)
+ return (0);
+
return (htonl(IP_HOST_MASK << (IP_ABITS - masklen)));
}
void
ire_atomic_end(irb_t *irb_ptr, ire_t *ire)
{
- ill_t *stq_ill, *ipif_ill;
- ip_stack_t *ipst = ire->ire_ipst;
+ ill_t *ill;
- stq_ill = ire->ire_stq != NULL ? ire->ire_stq->q_ptr : NULL;
- ipif_ill = ire->ire_ipif != NULL ? ire->ire_ipif->ipif_ill : NULL;
- RELEASE_ILL_LOCKS(ipif_ill, stq_ill);
+ ill = ire->ire_ill;
+ if (ill != NULL)
+ mutex_exit(&ill->ill_lock);
rw_exit(&irb_ptr->irb_lock);
- rw_exit(&ipst->ips_ill_g_usesrc_lock);
}
/*
- * ire_add_v[46] atomically make sure that the ipif or ill associated
- * with the new ire being added is stable and not IPIF_CHANGING or ILL_CHANGING
- * before adding the ire to the table. This ensures that we don't create
- * new IRE_CACHEs with stale values for parameters that are passed to
- * ire_create such as ire_max_frag. Note that ire_create() is passed a pointer
- * to the ipif_mtu, and not the value. The actual value is derived from the
- * parent ire or ipif under the bucket lock.
+ * ire_add_v[46] atomically make sure that the ill associated
+ * with the new ire is not going away i.e., we check ILL_CONDEMNED.
*/
int
-ire_atomic_start(irb_t *irb_ptr, ire_t *ire, queue_t *q, mblk_t *mp,
- ipsq_func_t func)
+ire_atomic_start(irb_t *irb_ptr, ire_t *ire)
{
- ill_t *stq_ill;
- ill_t *ipif_ill;
- int error = 0;
- ill_t *ill = NULL;
- ip_stack_t *ipst = ire->ire_ipst;
+ ill_t *ill;
- stq_ill = ire->ire_stq != NULL ? ire->ire_stq->q_ptr : NULL;
- ipif_ill = ire->ire_ipif != NULL ? ire->ire_ipif->ipif_ill : NULL;
+ ill = ire->ire_ill;
- ASSERT((q != NULL && mp != NULL && func != NULL) ||
- (q == NULL && mp == NULL && func == NULL));
- rw_enter(&ipst->ips_ill_g_usesrc_lock, RW_READER);
- GRAB_CONN_LOCK(q);
rw_enter(&irb_ptr->irb_lock, RW_WRITER);
- GRAB_ILL_LOCKS(ipif_ill, stq_ill);
+ if (ill != NULL) {
+ mutex_enter(&ill->ill_lock);
- /*
- * While the IRE is in the process of being added, a user may have
- * invoked the ifconfig usesrc option on the stq_ill to make it a
- * usesrc client ILL. Check for this possibility here, if it is true
- * then we fail adding the IRE_CACHE. Another check is to make sure
- * that an ipif_ill of an IRE_CACHE being added is not part of a usesrc
- * group. The ill_g_usesrc_lock is released in ire_atomic_end
- */
- if ((ire->ire_type & IRE_CACHE) &&
- (ire->ire_marks & IRE_MARK_USESRC_CHECK)) {
- if (stq_ill->ill_usesrc_ifindex != 0) {
- ASSERT(stq_ill->ill_usesrc_grp_next != NULL);
- if ((ipif_ill->ill_phyint->phyint_ifindex !=
- stq_ill->ill_usesrc_ifindex) ||
- (ipif_ill->ill_usesrc_grp_next == NULL) ||
- (ipif_ill->ill_usesrc_ifindex != 0)) {
- error = EINVAL;
- goto done;
- }
- } else if (ipif_ill->ill_usesrc_grp_next != NULL) {
- error = EINVAL;
- goto done;
+ /*
+ * Don't allow IRE's to be created on dying ills.
+ */
+ if (ill->ill_state_flags & ILL_CONDEMNED) {
+ ire_atomic_end(irb_ptr, ire);
+ return (ENXIO);
}
- }
- /*
- * Don't allow IRE's to be created on changing ill's. Also, since
- * IPMP flags can be set on an ill without quiescing it, if we're not
- * a writer on stq_ill, check that the flags still allow IRE creation.
- */
- if ((stq_ill != NULL) && !IAM_WRITER_ILL(stq_ill)) {
- if (stq_ill->ill_state_flags & ILL_CHANGING) {
- ill = stq_ill;
- error = EAGAIN;
- } else if (IS_UNDER_IPMP(stq_ill)) {
- mutex_enter(&stq_ill->ill_phyint->phyint_lock);
- if (!ipmp_ill_is_active(stq_ill) &&
- !(ire->ire_marks & IRE_MARK_TESTHIDDEN)) {
+ if (IS_UNDER_IPMP(ill)) {
+ int error = 0;
+ mutex_enter(&ill->ill_phyint->phyint_lock);
+ if (!ipmp_ill_is_active(ill) &&
+ IRE_HIDDEN_TYPE(ire->ire_type) &&
+ !ire->ire_testhidden) {
error = EINVAL;
}
- mutex_exit(&stq_ill->ill_phyint->phyint_lock);
+ mutex_exit(&ill->ill_phyint->phyint_lock);
+ if (error != 0) {
+ ire_atomic_end(irb_ptr, ire);
+ return (error);
+ }
}
- if (error != 0)
- goto done;
- }
- if ((ipif_ill != NULL) && !IAM_WRITER_ILL(ipif_ill) &&
- (ipif_ill->ill_state_flags & ILL_CHANGING)) {
- ill = ipif_ill;
- error = EAGAIN;
- goto done;
}
-
- if ((ire->ire_ipif != NULL) && !IAM_WRITER_IPIF(ire->ire_ipif) &&
- (ire->ire_ipif->ipif_state_flags & IPIF_CHANGING)) {
- ill = ire->ire_ipif->ipif_ill;
- ASSERT(ill != NULL);
- error = EAGAIN;
- goto done;
- }
-
-done:
- if (error == EAGAIN && ILL_CAN_WAIT(ill, q)) {
- ipsq_t *ipsq = ill->ill_phyint->phyint_ipsq;
- mutex_enter(&ipsq->ipsq_lock);
- mutex_enter(&ipsq->ipsq_xop->ipx_lock);
- ire_atomic_end(irb_ptr, ire);
- ipsq_enq(ipsq, q, mp, func, NEW_OP, ill);
- mutex_exit(&ipsq->ipsq_xop->ipx_lock);
- mutex_exit(&ipsq->ipsq_lock);
- error = EINPROGRESS;
- } else if (error != 0) {
- ire_atomic_end(irb_ptr, ire);
- }
-
- RELEASE_CONN_LOCK(q);
- return (error);
+ return (0);
}
/*
- * Add a fully initialized IRE to an appropriate table based on
- * ire_type.
- *
- * allow_unresolved == B_FALSE indicates a legacy code-path call
- * that has prohibited the addition of incomplete ire's. If this
- * parameter is set, and we find an nce that is in a state other
- * than ND_REACHABLE, we fail the add. Note that nce_state could be
- * something other than ND_REACHABLE if the nce had just expired and
- * the ire_create preceding the ire_add added a new ND_INITIAL nce.
+ * Add a fully initialized IRE to the forwarding table.
+ * This returns NULL on failure, or a held IRE on success.
+ * Normally the returned IRE is the same as the argument. But a different
+ * IRE will be returned if the added IRE is deemed identical to an existing
+ * one. In that case ire_identical_ref will be increased.
+ * The caller always needs to do an ire_refrele() on the returned IRE.
*/
-int
-ire_add(ire_t **irep, queue_t *q, mblk_t *mp, ipsq_func_t func,
- boolean_t allow_unresolved)
+ire_t *
+ire_add(ire_t *ire)
{
- ire_t *ire1;
- ill_t *stq_ill = NULL;
- ill_t *ill;
- ipif_t *ipif = NULL;
- ill_walk_context_t ctx;
- ire_t *ire = *irep;
- int error;
- boolean_t ire_is_mblk = B_FALSE;
- tsol_gcgrp_t *gcgrp = NULL;
- tsol_gcgrp_addr_t ga;
- ip_stack_t *ipst = ire->ire_ipst;
-
- /* get ready for the day when original ire is not created as mblk */
- if (ire->ire_mp != NULL) {
- ire_is_mblk = B_TRUE;
- /* Copy the ire to a kmem_alloc'ed area */
- ire1 = kmem_cache_alloc(ire_cache, KM_NOSLEEP);
- if (ire1 == NULL) {
- ip1dbg(("ire_add: alloc failed\n"));
- ire_delete(ire);
- *irep = NULL;
- return (ENOMEM);
- }
- ire->ire_marks &= ~IRE_MARK_UNCACHED;
- *ire1 = *ire;
- ire1->ire_mp = NULL;
- ire1->ire_stq_ifindex = 0;
- freeb(ire->ire_mp);
- ire = ire1;
- }
- if (ire->ire_stq != NULL)
- stq_ill = ire->ire_stq->q_ptr;
-
- if (stq_ill != NULL && ire->ire_type == IRE_CACHE &&
- stq_ill->ill_net_type == IRE_IF_RESOLVER) {
- rw_enter(&ipst->ips_ill_g_lock, RW_READER);
- ill = ILL_START_WALK_ALL(&ctx, ipst);
- for (; ill != NULL; ill = ill_next(&ctx, ill)) {
- mutex_enter(&ill->ill_lock);
- if (ill->ill_state_flags & ILL_CONDEMNED) {
- mutex_exit(&ill->ill_lock);
- continue;
- }
- /*
- * We need to make sure that the ipif is a valid one
- * before adding the IRE_CACHE. This happens only
- * with IRE_CACHE when there is an external resolver.
- *
- * We can unplumb a logical interface while the
- * packet is waiting in ARP with the IRE. Then,
- * later on when we feed the IRE back, the ipif
- * has to be re-checked. This can't happen with
- * NDP currently, as we never queue the IRE with
- * the packet. We always try to recreate the IRE
- * when the resolution is completed. But, we do
- * it for IPv6 also here so that in future if
- * we have external resolvers, it will work without
- * any change.
- */
- ipif = ipif_lookup_seqid(ill, ire->ire_ipif_seqid);
- if (ipif != NULL) {
- ipif_refhold_locked(ipif);
- mutex_exit(&ill->ill_lock);
- break;
- }
- mutex_exit(&ill->ill_lock);
- }
- rw_exit(&ipst->ips_ill_g_lock);
- if (ipif == NULL ||
- (ipif->ipif_isv6 &&
- !IN6_IS_ADDR_UNSPECIFIED(&ire->ire_src_addr_v6) &&
- !IN6_ARE_ADDR_EQUAL(&ire->ire_src_addr_v6,
- &ipif->ipif_v6src_addr)) ||
- (!ipif->ipif_isv6 &&
- ire->ire_src_addr != ipif->ipif_src_addr) ||
- ire->ire_zoneid != ipif->ipif_zoneid) {
- if (ipif != NULL)
- ipif_refrele(ipif);
- ire->ire_ipif = NULL;
- ire_delete(ire);
- *irep = NULL;
- return (EINVAL);
- }
-
- ASSERT(ill != NULL);
-
+ if (IRE_HIDDEN_TYPE(ire->ire_type) &&
+ ire->ire_ill != NULL && IS_UNDER_IPMP(ire->ire_ill)) {
/*
- * Since we didn't attach label security attributes to the
- * ire for the resolver case, we need to add it now. (only
- * for v4 resolver and v6 xresolv case).
+ * IREs hosted on interfaces that are under IPMP
+ * should be hidden so that applications don't
+ * accidentally end up sending packets with test
+ * addresses as their source addresses, or
+ * sending out interfaces that are e.g. IFF_INACTIVE.
+ * Hide them here.
*/
- if (is_system_labeled() && ire_is_mblk) {
- if (ire->ire_ipversion == IPV4_VERSION) {
- ga.ga_af = AF_INET;
- IN6_IPADDR_TO_V4MAPPED(ire->ire_gateway_addr !=
- INADDR_ANY ? ire->ire_gateway_addr :
- ire->ire_addr, &ga.ga_addr);
- } else {
- ga.ga_af = AF_INET6;
- ga.ga_addr = IN6_IS_ADDR_UNSPECIFIED(
- &ire->ire_gateway_addr_v6) ?
- ire->ire_addr_v6 :
- ire->ire_gateway_addr_v6;
- }
- gcgrp = gcgrp_lookup(&ga, B_FALSE);
- error = tsol_ire_init_gwattr(ire, ire->ire_ipversion,
- NULL, gcgrp);
- if (error != 0) {
- if (gcgrp != NULL) {
- GCGRP_REFRELE(gcgrp);
- gcgrp = NULL;
- }
- ipif_refrele(ipif);
- ire->ire_ipif = NULL;
- ire_delete(ire);
- *irep = NULL;
- return (error);
- }
- }
+ ire->ire_testhidden = B_TRUE;
}
- /*
- * In case ire was changed
- */
- *irep = ire;
if (ire->ire_ipversion == IPV6_VERSION)
- error = ire_add_v6(irep, q, mp, func);
+ return (ire_add_v6(ire));
else
- error = ire_add_v4(irep, q, mp, func, allow_unresolved);
- if (ipif != NULL)
- ipif_refrele(ipif);
- return (error);
+ return (ire_add_v4(ire));
}
/*
- * Add an initialized IRE to an appropriate table based on ire_type.
- *
- * The forward table contains IRE_PREFIX/IRE_HOST and
- * IRE_IF_RESOLVER/IRE_IF_NORESOLVER and IRE_DEFAULT.
- *
- * The cache table contains IRE_BROADCAST/IRE_LOCAL/IRE_LOOPBACK
- * and IRE_CACHE.
- *
- * NOTE : This function is called as writer though not required
- * by this function.
+ * Add a fully initialized IPv4 IRE to the forwarding table.
+ * This returns NULL on failure, or a held IRE on success.
+ * Normally the returned IRE is the same as the argument. But a different
+ * IRE will be returned if the added IRE is deemed identical to an existing
+ * one. In that case ire_identical_ref will be increased.
+ * The caller always needs to do an ire_refrele() on the returned IRE.
*/
-static int
-ire_add_v4(ire_t **ire_p, queue_t *q, mblk_t *mp, ipsq_func_t func,
- boolean_t allow_unresolved)
+static ire_t *
+ire_add_v4(ire_t *ire)
{
ire_t *ire1;
irb_t *irb_ptr;
ire_t **irep;
- int flags;
- ire_t *pire = NULL;
- ill_t *stq_ill;
- ire_t *ire = *ire_p;
+ int match_flags;
int error;
- boolean_t need_refrele = B_FALSE;
- nce_t *nce;
ip_stack_t *ipst = ire->ire_ipst;
- uint_t marks = 0;
- /*
- * IREs with source addresses hosted on interfaces that are under IPMP
- * should be hidden so that applications don't accidentally end up
- * sending packets with test addresses as their source addresses, or
- * sending out interfaces that are e.g. IFF_INACTIVE. Hide them here.
- */
- if (ire->ire_ipif != NULL && IS_UNDER_IPMP(ire->ire_ipif->ipif_ill))
- marks |= IRE_MARK_TESTHIDDEN;
-
- if (ire->ire_ipif != NULL)
- ASSERT(!MUTEX_HELD(&ire->ire_ipif->ipif_ill->ill_lock));
- if (ire->ire_stq != NULL)
- ASSERT(!MUTEX_HELD(
- &((ill_t *)(ire->ire_stq->q_ptr))->ill_lock));
+ if (ire->ire_ill != NULL)
+ ASSERT(!MUTEX_HELD(&ire->ire_ill->ill_lock));
ASSERT(ire->ire_ipversion == IPV4_VERSION);
- ASSERT(ire->ire_mp == NULL); /* Calls should go through ire_add */
-
- /* Find the appropriate list head. */
- switch (ire->ire_type) {
- case IRE_HOST:
- ire->ire_mask = IP_HOST_MASK;
- ire->ire_masklen = IP_ABITS;
- ire->ire_marks |= marks;
- if ((ire->ire_flags & RTF_SETSRC) == 0)
- ire->ire_src_addr = 0;
- break;
- case IRE_CACHE:
- ire->ire_mask = IP_HOST_MASK;
- ire->ire_masklen = IP_ABITS;
- ire->ire_marks |= marks;
- break;
- case IRE_BROADCAST:
- case IRE_LOCAL:
- case IRE_LOOPBACK:
- ire->ire_mask = IP_HOST_MASK;
- ire->ire_masklen = IP_ABITS;
- break;
- case IRE_PREFIX:
- case IRE_DEFAULT:
- ire->ire_marks |= marks;
- if ((ire->ire_flags & RTF_SETSRC) == 0)
- ire->ire_src_addr = 0;
- break;
- case IRE_IF_RESOLVER:
- case IRE_IF_NORESOLVER:
- ire->ire_marks |= marks;
- break;
- default:
- ip0dbg(("ire_add_v4: ire %p has unrecognized IRE type (%d)\n",
- (void *)ire, ire->ire_type));
- ire_delete(ire);
- *ire_p = NULL;
- return (EINVAL);
- }
/* Make sure the address is properly masked. */
ire->ire_addr &= ire->ire_mask;
- /*
- * ip_newroute/ip_newroute_multi are unable to prevent the deletion
- * of the interface route while adding an IRE_CACHE for an on-link
- * destination in the IRE_IF_RESOLVER case, since the ire has to
- * go to ARP and return. We can't do a REFHOLD on the
- * associated interface ire for fear of ARP freeing the message.
- * Here we look up the interface ire in the forwarding table and
- * make sure that the interface route has not been deleted.
- */
- if (ire->ire_type == IRE_CACHE && ire->ire_gateway_addr == 0 &&
- ((ill_t *)ire->ire_stq->q_ptr)->ill_net_type == IRE_IF_RESOLVER) {
-
- ASSERT(ire->ire_max_fragp == NULL);
- if (CLASSD(ire->ire_addr) && !(ire->ire_flags & RTF_SETSRC)) {
- /*
- * The ihandle that we used in ip_newroute_multi
- * comes from the interface route corresponding
- * to ire_ipif. Lookup here to see if it exists
- * still.
- * If the ire has a source address assigned using
- * RTF_SETSRC, ire_ipif is the logical interface holding
- * this source address, so we can't use it to check for
- * the existence of the interface route. Instead we rely
- * on the brute force ihandle search in
- * ire_ihandle_lookup_onlink() below.
- */
- pire = ipif_to_ire(ire->ire_ipif);
- if (pire == NULL) {
- ire_delete(ire);
- *ire_p = NULL;
- return (EINVAL);
- } else if (pire->ire_ihandle != ire->ire_ihandle) {
- ire_refrele(pire);
- ire_delete(ire);
- *ire_p = NULL;
- return (EINVAL);
- }
- } else {
- pire = ire_ihandle_lookup_onlink(ire);
- if (pire == NULL) {
- ire_delete(ire);
- *ire_p = NULL;
- return (EINVAL);
- }
- }
- /* Prevent pire from getting deleted */
- IRB_REFHOLD(pire->ire_bucket);
- /* Has it been removed already ? */
- if (pire->ire_marks & IRE_MARK_CONDEMNED) {
- IRB_REFRELE(pire->ire_bucket);
- ire_refrele(pire);
- ire_delete(ire);
- *ire_p = NULL;
- return (EINVAL);
- }
- } else {
- ASSERT(ire->ire_max_fragp != NULL);
- }
- flags = (MATCH_IRE_MASK | MATCH_IRE_TYPE | MATCH_IRE_GW);
+ match_flags = (MATCH_IRE_MASK | MATCH_IRE_TYPE | MATCH_IRE_GW);
- if (ire->ire_ipif != NULL) {
- /*
- * We use MATCH_IRE_IPIF while adding IRE_CACHES only
- * for historic reasons and to maintain symmetry with
- * IPv6 code path. Historically this was used by
- * multicast code to create multiple IRE_CACHES on
- * a single ill with different ipifs. This was used
- * so that multicast packets leaving the node had the
- * right source address. This is no longer needed as
- * ip_wput initializes the address correctly.
- */
- flags |= MATCH_IRE_IPIF;
- /*
- * If we are creating a hidden IRE, make sure we search for
- * hidden IREs when searching for duplicates below.
- * Otherwise, we might find an IRE on some other interface
- * that's not marked hidden.
- */
- if (ire->ire_marks & IRE_MARK_TESTHIDDEN)
- flags |= MATCH_IRE_MARK_TESTHIDDEN;
+ if (ire->ire_ill != NULL) {
+ match_flags |= MATCH_IRE_ILL;
}
- if ((ire->ire_type & IRE_CACHETABLE) == 0) {
- irb_ptr = ire_get_bucket(ire);
- need_refrele = B_TRUE;
- if (irb_ptr == NULL) {
- /*
- * This assumes that the ire has not added
- * a reference to the ipif.
- */
- ire->ire_ipif = NULL;
- ire_delete(ire);
- if (pire != NULL) {
- IRB_REFRELE(pire->ire_bucket);
- ire_refrele(pire);
- }
- *ire_p = NULL;
- return (EINVAL);
- }
- } else {
- irb_ptr = &(ipst->ips_ip_cache_table[IRE_ADDR_HASH(
- ire->ire_addr, ipst->ips_ip_cache_table_size)]);
+ irb_ptr = ire_get_bucket(ire);
+ if (irb_ptr == NULL) {
+ printf("no bucket for %p\n", (void *)ire);
+ ire_delete(ire);
+ return (NULL);
}
/*
- * Start the atomic add of the ire. Grab the ill locks,
- * ill_g_usesrc_lock and the bucket lock. Check for condemned
- *
- * If ipif or ill is changing ire_atomic_start() may queue the
- * request and return EINPROGRESS.
- * To avoid lock order problems, get the ndp4->ndp_g_lock.
+ * Start the atomic add of the ire. Grab the ill lock,
+ * the bucket lock. Check for condemned.
*/
- mutex_enter(&ipst->ips_ndp4->ndp_g_lock);
- error = ire_atomic_start(irb_ptr, ire, q, mp, func);
+ error = ire_atomic_start(irb_ptr, ire);
if (error != 0) {
- mutex_exit(&ipst->ips_ndp4->ndp_g_lock);
- /*
- * We don't know whether it is a valid ipif or not.
- * So, set it to NULL. This assumes that the ire has not added
- * a reference to the ipif.
- */
- ire->ire_ipif = NULL;
+ printf("no ire_atomic_start for %p\n", (void *)ire);
ire_delete(ire);
- if (pire != NULL) {
- IRB_REFRELE(pire->ire_bucket);
- ire_refrele(pire);
- }
- *ire_p = NULL;
- if (need_refrele)
- IRB_REFRELE(irb_ptr);
- return (error);
+ irb_refrele(irb_ptr);
+ return (NULL);
}
/*
- * To avoid creating ires having stale values for the ire_max_frag
- * we get the latest value atomically here. For more details
- * see the block comment in ip_sioctl_mtu and in DL_NOTE_SDU_CHANGE
- * in ip_rput_dlpi_writer
+ * If we are creating a hidden IRE, make sure we search for
+ * hidden IREs when searching for duplicates below.
+ * Otherwise, we might find an IRE on some other interface
+ * that's not marked hidden.
*/
- if (ire->ire_max_fragp == NULL) {
- if (CLASSD(ire->ire_addr))
- ire->ire_max_frag = ire->ire_ipif->ipif_mtu;
- else
- ire->ire_max_frag = pire->ire_max_frag;
- } else {
- uint_t max_frag;
+ if (ire->ire_testhidden)
+ match_flags |= MATCH_IRE_TESTHIDDEN;
- max_frag = *ire->ire_max_fragp;
- ire->ire_max_fragp = NULL;
- ire->ire_max_frag = max_frag;
- }
/*
* Atomically check for duplicate and insert in the table.
*/
for (ire1 = irb_ptr->irb_ire; ire1 != NULL; ire1 = ire1->ire_next) {
- if (ire1->ire_marks & IRE_MARK_CONDEMNED)
+ if (IRE_IS_CONDEMNED(ire1))
continue;
- if (ire->ire_ipif != NULL) {
- /*
- * We do MATCH_IRE_ILL implicitly here for IREs
- * with a non-null ire_ipif, including IRE_CACHEs.
- * As ire_ipif and ire_stq could point to two
- * different ills, we can't pass just ire_ipif to
- * ire_match_args and get a match on both ills.
- * This is just needed for duplicate checks here and
- * so we don't add an extra argument to
- * ire_match_args for this. Do it locally.
- *
- * NOTE : Currently there is no part of the code
- * that asks for both MATH_IRE_IPIF and MATCH_IRE_ILL
- * match for IRE_CACHEs. Thus we don't want to
- * extend the arguments to ire_match_args.
- */
- if (ire1->ire_stq != ire->ire_stq)
- continue;
- /*
- * Multiroute IRE_CACHEs for a given destination can
- * have the same ire_ipif, typically if their source
- * address is forced using RTF_SETSRC, and the same
- * send-to queue. We differentiate them using the parent
- * handle.
- */
- if (ire->ire_type == IRE_CACHE &&
- (ire1->ire_flags & RTF_MULTIRT) &&
- (ire->ire_flags & RTF_MULTIRT) &&
- (ire1->ire_phandle != ire->ire_phandle))
- continue;
- }
+ /*
+ * Here we need an exact match on zoneid, i.e.,
+ * ire_match_args doesn't fit.
+ */
if (ire1->ire_zoneid != ire->ire_zoneid)
continue;
+
+ if (ire1->ire_type != ire->ire_type)
+ continue;
+
+ /*
+ * Note: We do not allow multiple routes that differ only
+ * in the gateway security attributes; such routes are
+ * considered duplicates.
+ * To change that we explicitly have to treat them as
+ * different here.
+ */
if (ire_match_args(ire1, ire->ire_addr, ire->ire_mask,
- ire->ire_gateway_addr, ire->ire_type, ire->ire_ipif,
- ire->ire_zoneid, 0, NULL, flags, NULL)) {
+ ire->ire_gateway_addr, ire->ire_type, ire->ire_ill,
+ ire->ire_zoneid, NULL, match_flags)) {
/*
* Return the old ire after doing a REFHOLD.
* As most of the callers continue to use the IRE
@@ -2881,149 +1252,36 @@ ire_add_v4(ire_t **ire_p, queue_t *q, mblk_t *mp, ipsq_func_t func,
* avoid a lookup in the caller again. If the callers
* don't want to use it, they need to do a REFRELE.
*/
- ip1dbg(("found dup ire existing %p new %p\n",
- (void *)ire1, (void *)ire));
- IRE_REFHOLD(ire1);
+ atomic_add_32(&ire1->ire_identical_ref, 1);
+ DTRACE_PROBE2(ire__add__exist, ire_t *, ire1,
+ ire_t *, ire);
+ ire_refhold(ire1);
ire_atomic_end(irb_ptr, ire);
- mutex_exit(&ipst->ips_ndp4->ndp_g_lock);
ire_delete(ire);
- if (pire != NULL) {
- /*
- * Assert that it is not removed from the
- * list yet.
- */
- ASSERT(pire->ire_ptpn != NULL);
- IRB_REFRELE(pire->ire_bucket);
- ire_refrele(pire);
- }
- *ire_p = ire1;
- if (need_refrele)
- IRB_REFRELE(irb_ptr);
- return (0);
+ irb_refrele(irb_ptr);
+ return (ire1);
}
}
- if (ire->ire_type & IRE_CACHE) {
- ASSERT(ire->ire_stq != NULL);
- nce = ndp_lookup_v4(ire_to_ill(ire),
- ((ire->ire_gateway_addr != INADDR_ANY) ?
- &ire->ire_gateway_addr : &ire->ire_addr),
- B_TRUE);
- if (nce != NULL)
- mutex_enter(&nce->nce_lock);
- /*
- * if the nce is NCE_F_CONDEMNED, or if it is not ND_REACHABLE
- * and the caller has prohibited the addition of incomplete
- * ire's, we fail the add. Note that nce_state could be
- * something other than ND_REACHABLE if the nce had
- * just expired and the ire_create preceding the
- * ire_add added a new ND_INITIAL nce.
- */
- if ((nce == NULL) ||
- (nce->nce_flags & NCE_F_CONDEMNED) ||
- (!allow_unresolved &&
- (nce->nce_state != ND_REACHABLE))) {
- if (nce != NULL) {
- DTRACE_PROBE1(ire__bad__nce, nce_t *, nce);
- mutex_exit(&nce->nce_lock);
- }
- ire_atomic_end(irb_ptr, ire);
- mutex_exit(&ipst->ips_ndp4->ndp_g_lock);
- if (nce != NULL)
- NCE_REFRELE(nce);
- DTRACE_PROBE1(ire__no__nce, ire_t *, ire);
- ire_delete(ire);
- if (pire != NULL) {
- IRB_REFRELE(pire->ire_bucket);
- ire_refrele(pire);
- }
- *ire_p = NULL;
- if (need_refrele)
- IRB_REFRELE(irb_ptr);
- return (EINVAL);
- } else {
- ire->ire_nce = nce;
- mutex_exit(&nce->nce_lock);
- /*
- * We are associating this nce to the ire, so
- * change the nce ref taken in ndp_lookup_v4() from
- * NCE_REFHOLD to NCE_REFHOLD_NOTR
- */
- NCE_REFHOLD_TO_REFHOLD_NOTR(ire->ire_nce);
- }
- }
/*
- * Make it easy for ip_wput_ire() to hit multiple broadcast ires by
- * grouping identical addresses together on the hash chain. We do
- * this only for IRE_BROADCASTs as ip_wput_ire is currently interested
- * in such groupings only for broadcasts.
- *
- * Find the first entry that matches ire_addr. *irep will be null
- * if no match.
- *
- * Note: the loopback and non-loopback broadcast entries for an
- * interface MUST be added before any MULTIRT entries.
+ * Normally we do head insertion since most things do not care about
+ * the order of the IREs in the bucket. Note that ip_cgtp_bcast_add
+ * assumes we at least do head insertion so that its IRE_BROADCAST
+ * arrive ahead of existing IRE_HOST for the same address.
+ * However, due to shared-IP zones (and restrict_interzone_loopback)
+ * we can have an IRE_LOCAL as well as IRE_IF_CLONE for the same
+ * address. For that reason we do tail insertion for IRE_IF_CLONE.
+ * Due to the IRE_BROADCAST on cgtp0, which must be last in the bucket,
+ * we do tail insertion of IRE_BROADCASTs that do not have RTF_MULTIRT
+ * set.
*/
irep = (ire_t **)irb_ptr;
- while ((ire1 = *irep) != NULL && ire->ire_addr != ire1->ire_addr)
- irep = &ire1->ire_next;
- if (ire->ire_type == IRE_BROADCAST && *irep != NULL) {
- /*
- * We found some ire (i.e *irep) with a matching addr. We
- * want to group ires with same addr.
- */
- for (;;) {
- ire1 = *irep;
- if ((ire1->ire_next == NULL) ||
- (ire1->ire_next->ire_addr != ire->ire_addr) ||
- (ire1->ire_type != IRE_BROADCAST) ||
- (ire1->ire_flags & RTF_MULTIRT) ||
- (ire1->ire_ipif->ipif_ill->ill_grp ==
- ire->ire_ipif->ipif_ill->ill_grp))
- break;
- irep = &ire1->ire_next;
- }
- ASSERT(*irep != NULL);
- /*
- * The ire will be added before *irep, so
- * if irep is a MULTIRT ire, just break to
- * ire insertion code.
- */
- if (((*irep)->ire_flags & RTF_MULTIRT) != 0)
- goto insert_ire;
-
- irep = &((*irep)->ire_next);
-
- /*
- * Either we have hit the end of the list or the address
- * did not match.
- */
- while (*irep != NULL) {
- ire1 = *irep;
- if ((ire1->ire_addr != ire->ire_addr) ||
- (ire1->ire_type != IRE_BROADCAST))
- break;
- if (ire1->ire_ipif == ire->ire_ipif) {
- irep = &ire1->ire_next;
- break;
- }
- irep = &ire1->ire_next;
- }
- } else if (*irep != NULL) {
- /*
- * Find the last ire which matches ire_addr.
- * Needed to do tail insertion among entries with the same
- * ire_addr.
- */
- while (ire->ire_addr == ire1->ire_addr) {
+ if ((ire->ire_type & IRE_IF_CLONE) ||
+ ((ire->ire_type & IRE_BROADCAST) &&
+ !(ire->ire_flags & RTF_MULTIRT))) {
+ while ((ire1 = *irep) != NULL)
irep = &ire1->ire_next;
- ire1 = *irep;
- if (ire1 == NULL)
- break;
- }
}
-
-insert_ire:
/* Insert at *irep */
ire1 = *irep;
if (ire1 != NULL)
@@ -3058,82 +1316,31 @@ insert_ire:
* in the list for the first time and no one else can bump
* up the reference count on this yet.
*/
- IRE_REFHOLD_LOCKED(ire);
+ ire_refhold_locked(ire);
BUMP_IRE_STATS(ipst->ips_ire_stats_v4, ire_stats_inserted);
irb_ptr->irb_ire_cnt++;
- if (irb_ptr->irb_marks & IRB_MARK_FTABLE)
+ if (irb_ptr->irb_marks & IRB_MARK_DYNAMIC)
irb_ptr->irb_nire++;
- if (ire->ire_marks & IRE_MARK_TEMPORARY)
- irb_ptr->irb_tmp_ire_cnt++;
-
- if (ire->ire_ipif != NULL) {
- DTRACE_PROBE3(ipif__incr__cnt, (ipif_t *), ire->ire_ipif,
- (char *), "ire", (void *), ire);
- ire->ire_ipif->ipif_ire_cnt++;
- if (ire->ire_stq != NULL) {
- stq_ill = (ill_t *)ire->ire_stq->q_ptr;
- DTRACE_PROBE3(ill__incr__cnt, (ill_t *), stq_ill,
- (char *), "ire", (void *), ire);
- stq_ill->ill_ire_cnt++;
- }
- } else {
- ASSERT(ire->ire_stq == NULL);
+ if (ire->ire_ill != NULL) {
+ ire->ire_ill->ill_ire_cnt++;
+ ASSERT(ire->ire_ill->ill_ire_cnt != 0); /* Wraparound */
}
ire_atomic_end(irb_ptr, ire);
- mutex_exit(&ipst->ips_ndp4->ndp_g_lock);
- if (pire != NULL) {
- /* Assert that it is not removed from the list yet */
- ASSERT(pire->ire_ptpn != NULL);
- IRB_REFRELE(pire->ire_bucket);
- ire_refrele(pire);
- }
+ /* Make any caching of the IREs be notified or updated */
+ ire_flush_cache_v4(ire, IRE_FLUSH_ADD);
- if (ire->ire_type != IRE_CACHE) {
- /*
- * For ire's with host mask see if there is an entry
- * in the cache. If there is one flush the whole cache as
- * there might be multiple entries due to RTF_MULTIRT (CGTP).
- * If no entry is found than there is no need to flush the
- * cache.
- */
- if (ire->ire_mask == IP_HOST_MASK) {
- ire_t *lire;
- lire = ire_ctable_lookup(ire->ire_addr, NULL, IRE_CACHE,
- NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- if (lire != NULL) {
- ire_refrele(lire);
- ire_flush_cache_v4(ire, IRE_FLUSH_ADD);
- }
- } else {
- ire_flush_cache_v4(ire, IRE_FLUSH_ADD);
- }
- }
- /*
- * We had to delay the fast path probe until the ire is inserted
- * in the list. Otherwise the fast path ack won't find the ire in
- * the table.
- */
- if (ire->ire_type == IRE_CACHE ||
- (ire->ire_type == IRE_BROADCAST && ire->ire_stq != NULL)) {
- ASSERT(ire->ire_nce != NULL);
- if (ire->ire_nce->nce_state == ND_REACHABLE)
- nce_fastpath(ire->ire_nce);
- }
- if (ire->ire_ipif != NULL)
- ASSERT(!MUTEX_HELD(&ire->ire_ipif->ipif_ill->ill_lock));
- *ire_p = ire;
- if (need_refrele) {
- IRB_REFRELE(irb_ptr);
- }
- return (0);
+ if (ire->ire_ill != NULL)
+ ASSERT(!MUTEX_HELD(&ire->ire_ill->ill_lock));
+ irb_refrele(irb_ptr);
+ return (ire);
}
/*
- * IRB_REFRELE is the only caller of the function. ire_unlink calls to
+ * irb_refrele is the only caller of the function. ire_unlink calls to
* do the final cleanup for this ire.
*/
void
@@ -3162,13 +1369,13 @@ ire_cleanup(ire_t *ire)
* so.
*/
ire->ire_next = NULL;
- IRE_REFRELE_NOTR(ire);
+ ire_refrele_notr(ire);
ire = ire_next;
}
}
/*
- * IRB_REFRELE is the only caller of the function. It calls to unlink
+ * irb_refrele is the only caller of the function. It calls to unlink
* all the CONDEMNED ires from this bucket.
*/
ire_t *
@@ -3180,16 +1387,14 @@ ire_unlink(irb_t *irb)
ire_t *ire_list = NULL;
ASSERT(RW_WRITE_HELD(&irb->irb_lock));
- ASSERT(((irb->irb_marks & IRB_MARK_FTABLE) && irb->irb_refcnt == 1) ||
+ ASSERT(((irb->irb_marks & IRB_MARK_DYNAMIC) && irb->irb_refcnt == 1) ||
(irb->irb_refcnt == 0));
ASSERT(irb->irb_marks & IRB_MARK_CONDEMNED);
ASSERT(irb->irb_ire != NULL);
for (ire = irb->irb_ire; ire != NULL; ire = ire1) {
- ip_stack_t *ipst = ire->ire_ipst;
-
ire1 = ire->ire_next;
- if (ire->ire_marks & IRE_MARK_CONDEMNED) {
+ if (IRE_IS_CONDEMNED(ire)) {
ptpn = ire->ire_ptpn;
ire1 = ire->ire_next;
if (ire1)
@@ -3197,22 +1402,10 @@ ire_unlink(irb_t *irb)
*ptpn = ire1;
ire->ire_ptpn = NULL;
ire->ire_next = NULL;
- if (ire->ire_type == IRE_DEFAULT) {
- /*
- * IRE is out of the list. We need to adjust
- * the accounting before the caller drops
- * the lock.
- */
- if (ire->ire_ipversion == IPV6_VERSION) {
- ASSERT(ipst->
- ips_ipv6_ire_default_count !=
- 0);
- ipst->ips_ipv6_ire_default_count--;
- }
- }
+
/*
- * We need to call ire_delete_v4 or ire_delete_v6
- * to clean up the cache or the redirects pointing at
+ * We need to call ire_delete_v4 or ire_delete_v6 to
+ * clean up dependents and the redirects pointing at
* the default gateway. We need to drop the lock
* as ire_flush_cache/ire_delete_host_redircts require
* so. But we can't drop the lock, as ire_unlink needs
@@ -3230,76 +1423,7 @@ ire_unlink(irb_t *irb)
}
/*
- * Delete all the cache entries with this 'addr'. When IP gets a gratuitous
- * ARP message on any of its interface queue, it scans the nce table and
- * deletes and calls ndp_delete() for the appropriate nce. This action
- * also deletes all the neighbor/ire cache entries for that address.
- * This function is called from ip_arp_news in ip.c and also for
- * ARP ioctl processing in ip_if.c. ip_ire_clookup_and_delete returns
- * true if it finds a nce entry which is used by ip_arp_news to determine if
- * it needs to do an ire_walk_v4. The return value is also used for the
- * same purpose by ARP IOCTL processing * in ip_if.c when deleting
- * ARP entries. For SIOC*IFARP ioctls in addition to the address,
- * ip_if->ipif_ill also needs to be matched.
- */
-boolean_t
-ip_ire_clookup_and_delete(ipaddr_t addr, ipif_t *ipif, ip_stack_t *ipst)
-{
- ill_t *ill;
- nce_t *nce;
-
- ill = (ipif ? ipif->ipif_ill : NULL);
-
- if (ill != NULL) {
- /*
- * clean up the nce (and any relevant ire's) that matches
- * on addr and ill.
- */
- nce = ndp_lookup_v4(ill, &addr, B_FALSE);
- if (nce != NULL) {
- ndp_delete(nce);
- return (B_TRUE);
- }
- } else {
- /*
- * ill is wildcard. clean up all nce's and
- * ire's that match on addr
- */
- nce_clookup_t cl;
-
- cl.ncecl_addr = addr;
- cl.ncecl_found = B_FALSE;
-
- ndp_walk_common(ipst->ips_ndp4, NULL,
- (pfi_t)ip_nce_clookup_and_delete, (uchar_t *)&cl, B_TRUE);
-
- /*
- * ncecl_found would be set by ip_nce_clookup_and_delete if
- * we found a matching nce.
- */
- return (cl.ncecl_found);
- }
- return (B_FALSE);
-
-}
-
-/* Delete the supplied nce if its nce_addr matches the supplied address */
-static void
-ip_nce_clookup_and_delete(nce_t *nce, void *arg)
-{
- nce_clookup_t *cl = (nce_clookup_t *)arg;
- ipaddr_t nce_addr;
-
- IN6_V4MAPPED_TO_IPADDR(&nce->nce_addr, nce_addr);
- if (nce_addr == cl->ncecl_addr) {
- cl->ncecl_found = B_TRUE;
- /* clean up the nce (and any relevant ire's) */
- ndp_delete(nce);
- }
-}
-
-/*
- * Clean up the radix node for this ire. Must be called by IRB_REFRELE
+ * Clean up the radix node for this ire. Must be called by irb_refrele
* when there are no ire's left in the bucket. Returns TRUE if the bucket
* is deleted and freed.
*/
@@ -3335,40 +1459,55 @@ irb_inactive(irb_t *irb)
/*
* Delete the specified IRE.
+ * We assume that if ire_bucket is not set then ire_ill->ill_ire_cnt was
+ * not incremented i.e., that the insertion in the bucket and the increment
+ * of that counter is done atomically.
*/
void
ire_delete(ire_t *ire)
{
ire_t *ire1;
ire_t **ptpn;
- irb_t *irb;
+ irb_t *irb;
+ nce_t *nce;
ip_stack_t *ipst = ire->ire_ipst;
+ /* We can clear ire_nce_cache under ire_lock even if the IRE is used */
+ mutex_enter(&ire->ire_lock);
+ nce = ire->ire_nce_cache;
+ ire->ire_nce_cache = NULL;
+ mutex_exit(&ire->ire_lock);
+ if (nce != NULL)
+ nce_refrele(nce);
+
if ((irb = ire->ire_bucket) == NULL) {
/*
* It was never inserted in the list. Should call REFRELE
* to free this IRE.
*/
- IRE_REFRELE_NOTR(ire);
+ ire_refrele_notr(ire);
return;
}
- rw_enter(&irb->irb_lock, RW_WRITER);
-
- if (irb->irb_rr_origin == ire) {
- irb->irb_rr_origin = NULL;
- }
-
/*
- * In case of V4 we might still be waiting for fastpath ack.
+ * Move the use counts from an IRE_IF_CLONE to its parent
+ * IRE_INTERFACE.
+ * We need to do this before acquiring irb_lock.
*/
- if (ire->ire_ipversion == IPV4_VERSION &&
- (ire->ire_type == IRE_CACHE ||
- (ire->ire_type == IRE_BROADCAST && ire->ire_stq != NULL))) {
- ASSERT(ire->ire_nce != NULL);
- nce_fastpath_list_delete(ire->ire_nce);
+ if (ire->ire_type & IRE_IF_CLONE) {
+ ire_t *parent;
+
+ rw_enter(&ipst->ips_ire_dep_lock, RW_READER);
+ if ((parent = ire->ire_dep_parent) != NULL) {
+ parent->ire_ob_pkt_count += ire->ire_ob_pkt_count;
+ parent->ire_ib_pkt_count += ire->ire_ib_pkt_count;
+ ire->ire_ob_pkt_count = 0;
+ ire->ire_ib_pkt_count = 0;
+ }
+ rw_exit(&ipst->ips_ire_dep_lock);
}
+ rw_enter(&irb->irb_lock, RW_WRITER);
if (ire->ire_ptpn == NULL) {
/*
* Some other thread has removed us from the list.
@@ -3378,13 +1517,17 @@ ire_delete(ire_t *ire)
return;
}
- if (!(ire->ire_marks & IRE_MARK_CONDEMNED)) {
- irb->irb_ire_cnt--;
- ire->ire_marks |= IRE_MARK_CONDEMNED;
- if (ire->ire_marks & IRE_MARK_TEMPORARY) {
- irb->irb_tmp_ire_cnt--;
- ire->ire_marks &= ~IRE_MARK_TEMPORARY;
+ if (!IRE_IS_CONDEMNED(ire)) {
+ /* Is this an IRE representing multiple duplicate entries? */
+ ASSERT(ire->ire_identical_ref >= 1);
+ if (atomic_add_32_nv(&ire->ire_identical_ref, -1) != 0) {
+ /* Removed one of the identical parties */
+ rw_exit(&irb->irb_lock);
+ return;
}
+
+ irb->irb_ire_cnt--;
+ ire_make_condemned(ire);
}
if (irb->irb_refcnt != 0) {
@@ -3419,22 +1562,9 @@ ire_delete(ire_t *ire)
} else {
BUMP_IRE_STATS(ipst->ips_ire_stats_v4, ire_stats_deleted);
}
- /*
- * ip_wput/ip_wput_v6 checks this flag to see whether
- * it should still use the cached ire or not.
- */
- if (ire->ire_type == IRE_DEFAULT) {
- /*
- * IRE is out of the list. We need to adjust the
- * accounting before we drop the lock.
- */
- if (ire->ire_ipversion == IPV6_VERSION) {
- ASSERT(ipst->ips_ipv6_ire_default_count != 0);
- ipst->ips_ipv6_ire_default_count--;
- }
- }
rw_exit(&irb->irb_lock);
+ /* Cleanup dependents and related stuff */
if (ire->ire_ipversion == IPV6_VERSION) {
ire_delete_v6(ire);
} else {
@@ -3444,7 +1574,7 @@ ire_delete(ire_t *ire)
* We removed it from the list. Decrement the
* reference count.
*/
- IRE_REFRELE_NOTR(ire);
+ ire_refrele_notr(ire);
}
/*
@@ -3463,8 +1593,7 @@ ire_delete_v4(ire_t *ire)
ASSERT(ire->ire_refcnt >= 1);
ASSERT(ire->ire_ipversion == IPV4_VERSION);
- if (ire->ire_type != IRE_CACHE)
- ire_flush_cache_v4(ire, IRE_FLUSH_DELETE);
+ ire_flush_cache_v4(ire, IRE_FLUSH_DELETE);
if (ire->ire_type == IRE_DEFAULT) {
/*
* when a default gateway is going away
@@ -3473,20 +1602,33 @@ ire_delete_v4(ire_t *ire)
*/
ire_delete_host_redirects(ire->ire_gateway_addr, ipst);
}
+
+ /*
+ * If we are deleting an IRE_INTERFACE then we make sure we also
+ * delete any IRE_IF_CLONE that has been created from it.
+ * Those are always in ire_dep_children.
+ */
+ if ((ire->ire_type & IRE_INTERFACE) && ire->ire_dep_children != NULL)
+ ire_dep_delete_if_clone(ire);
+
+ /* Remove from parent dependencies and child */
+ rw_enter(&ipst->ips_ire_dep_lock, RW_WRITER);
+ if (ire->ire_dep_parent != NULL)
+ ire_dep_remove(ire);
+
+ while (ire->ire_dep_children != NULL)
+ ire_dep_remove(ire->ire_dep_children);
+ rw_exit(&ipst->ips_ire_dep_lock);
}
/*
- * IRE_REFRELE/ire_refrele are the only caller of the function. It calls
+ * ire_refrele is the only caller of the function. It calls
* to free the ire when the reference count goes to zero.
*/
void
ire_inactive(ire_t *ire)
{
- nce_t *nce;
- ill_t *ill = NULL;
- ill_t *stq_ill = NULL;
- ipif_t *ipif;
- boolean_t need_wakeup = B_FALSE;
+ ill_t *ill;
irb_t *irb;
ip_stack_t *ipst = ire->ire_ipst;
@@ -3494,128 +1636,71 @@ ire_inactive(ire_t *ire)
ASSERT(ire->ire_ptpn == NULL);
ASSERT(ire->ire_next == NULL);
+ /* Count how many condemned ires for kmem_cache callback */
+ if (IRE_IS_CONDEMNED(ire))
+ atomic_add_32(&ipst->ips_num_ire_condemned, -1);
+
if (ire->ire_gw_secattr != NULL) {
ire_gw_secattr_free(ire->ire_gw_secattr);
ire->ire_gw_secattr = NULL;
}
- if (ire->ire_mp != NULL) {
- ASSERT(ire->ire_bucket == NULL);
- mutex_destroy(&ire->ire_lock);
- BUMP_IRE_STATS(ipst->ips_ire_stats_v4, ire_stats_freed);
- if (ire->ire_nce != NULL)
- NCE_REFRELE_NOTR(ire->ire_nce);
- freeb(ire->ire_mp);
- return;
- }
-
- if ((nce = ire->ire_nce) != NULL) {
- NCE_REFRELE_NOTR(nce);
- ire->ire_nce = NULL;
- }
-
- if (ire->ire_ipif == NULL)
- goto end;
-
- ipif = ire->ire_ipif;
- ill = ipif->ipif_ill;
+ /*
+ * ire_nce_cache is cleared in ire_delete, and we make sure we don't
+ * set it once the ire is marked condemned.
+ */
+ ASSERT(ire->ire_nce_cache == NULL);
- if (ire->ire_bucket == NULL) {
- /* The ire was never inserted in the table. */
- goto end;
- }
+ /*
+ * Since any parent would have a refhold on us they would already
+ * have been removed.
+ */
+ ASSERT(ire->ire_dep_parent == NULL);
+ ASSERT(ire->ire_dep_sib_next == NULL);
+ ASSERT(ire->ire_dep_sib_ptpn == NULL);
/*
- * ipif_ire_cnt on this ipif goes down by 1. If the ire_stq is
- * non-null ill_ire_count also goes down by 1.
- *
- * The ipif that is associated with an ire is ire->ire_ipif and
- * hence when the ire->ire_ipif->ipif_ire_cnt drops to zero we call
- * ipif_ill_refrele_tail. Usually stq_ill is null or the same as
- * ire->ire_ipif->ipif_ill. So nothing more needs to be done.
- * However, for VNI or IPMP IRE entries, stq_ill can be different.
- * If this is different from ire->ire_ipif->ipif_ill and if the
- * ill_ire_cnt on the stq_ill also has dropped to zero, we call
- * ipif_ill_refrele_tail on the stq_ill.
+ * Since any children would have a refhold on us they should have
+ * already been removed.
*/
- if (ire->ire_stq != NULL)
- stq_ill = ire->ire_stq->q_ptr;
+ ASSERT(ire->ire_dep_children == NULL);
- if (stq_ill == NULL || stq_ill == ill) {
- /* Optimize the most common case */
+ /*
+ * ill_ire_ref is increased when the IRE is inserted in the
+ * bucket - not when the IRE is created.
+ */
+ irb = ire->ire_bucket;
+ ill = ire->ire_ill;
+ if (irb != NULL && ill != NULL) {
mutex_enter(&ill->ill_lock);
- ASSERT(ipif->ipif_ire_cnt != 0);
- DTRACE_PROBE3(ipif__decr__cnt, (ipif_t *), ipif,
+ ASSERT(ill->ill_ire_cnt != 0);
+ DTRACE_PROBE3(ill__decr__cnt, (ill_t *), ill,
(char *), "ire", (void *), ire);
- ipif->ipif_ire_cnt--;
- if (IPIF_DOWN_OK(ipif))
- need_wakeup = B_TRUE;
- if (stq_ill != NULL) {
- ASSERT(stq_ill->ill_ire_cnt != 0);
- DTRACE_PROBE3(ill__decr__cnt, (ill_t *), stq_ill,
- (char *), "ire", (void *), ire);
- stq_ill->ill_ire_cnt--;
- if (ILL_DOWN_OK(stq_ill))
- need_wakeup = B_TRUE;
- }
- if (need_wakeup) {
+ ill->ill_ire_cnt--;
+ if (ILL_DOWN_OK(ill)) {
/* Drops the ill lock */
ipif_ill_refrele_tail(ill);
} else {
mutex_exit(&ill->ill_lock);
}
- } else {
- /*
- * We can't grab all the ill locks at the same time.
- * It can lead to recursive lock enter in the call to
- * ipif_ill_refrele_tail and later. Instead do it 1 at
- * a time.
- */
- mutex_enter(&ill->ill_lock);
- ASSERT(ipif->ipif_ire_cnt != 0);
- DTRACE_PROBE3(ipif__decr__cnt, (ipif_t *), ipif,
- (char *), "ire", (void *), ire);
- ipif->ipif_ire_cnt--;
- if (IPIF_DOWN_OK(ipif)) {
- /* Drops the lock */
- ipif_ill_refrele_tail(ill);
- } else {
- mutex_exit(&ill->ill_lock);
- }
- if (stq_ill != NULL) {
- mutex_enter(&stq_ill->ill_lock);
- ASSERT(stq_ill->ill_ire_cnt != 0);
- DTRACE_PROBE3(ill__decr__cnt, (ill_t *), stq_ill,
- (char *), "ire", (void *), ire);
- stq_ill->ill_ire_cnt--;
- if (ILL_DOWN_OK(stq_ill)) {
- /* Drops the ill lock */
- ipif_ill_refrele_tail(stq_ill);
- } else {
- mutex_exit(&stq_ill->ill_lock);
- }
- }
}
-end:
- /* This should be true for both V4 and V6 */
+ ire->ire_ill = NULL;
- if ((ire->ire_type & IRE_FORWARDTABLE) &&
- (ire->ire_ipversion == IPV4_VERSION) &&
- ((irb = ire->ire_bucket) != NULL)) {
+ /* This should be true for both V4 and V6 */
+ if (irb != NULL && (irb->irb_marks & IRB_MARK_DYNAMIC)) {
rw_enter(&irb->irb_lock, RW_WRITER);
irb->irb_nire--;
/*
* Instead of examining the conditions for freeing
* the radix node here, we do it by calling
- * IRB_REFRELE which is a single point in the code
+ * irb_refrele which is a single point in the code
* that embeds that logic. Bump up the refcnt to
- * be able to call IRB_REFRELE
+ * be able to call irb_refrele
*/
- IRB_REFHOLD_LOCKED(irb);
+ irb_refhold_locked(irb);
rw_exit(&irb->irb_lock);
- IRB_REFRELE(irb);
+ irb_refrele(irb);
}
- ire->ire_ipif = NULL;
#ifdef DEBUG
ire_trace_cleanup(ire);
@@ -3626,333 +1711,276 @@ end:
} else {
BUMP_IRE_STATS(ipst->ips_ire_stats_v4, ire_stats_freed);
}
- ASSERT(ire->ire_mp == NULL);
- /* Has been allocated out of the cache */
kmem_cache_free(ire_cache, ire);
}
/*
- * ire_walk routine to delete all IRE_CACHE/IRE_HOST types redirect
- * entries that have a given gateway address.
+ * ire_update_generation is the callback function provided by
+ * ire_get_bucket() to update the generation number of any
+ * matching shorter route when a new route is added.
+ *
+ * This fucntion always returns a failure return (B_FALSE)
+ * to force the caller (rn_matchaddr_args)
+ * to back-track up the tree looking for shorter matches.
+ */
+/* ARGSUSED */
+static boolean_t
+ire_update_generation(struct radix_node *rn, void *arg)
+{
+ struct rt_entry *rt = (struct rt_entry *)rn;
+
+ /* We need to handle all in the same bucket */
+ irb_increment_generation(&rt->rt_irb);
+ return (B_FALSE);
+}
+
+/*
+ * Take care of all the generation numbers in the bucket.
*/
void
-ire_delete_cache_gw(ire_t *ire, char *cp)
+irb_increment_generation(irb_t *irb)
{
- ipaddr_t gw_addr;
+ ire_t *ire;
- if (!(ire->ire_type & IRE_CACHE) &&
- !(ire->ire_flags & RTF_DYNAMIC))
+ if (irb == NULL || irb->irb_ire_cnt == 0)
return;
- bcopy(cp, &gw_addr, sizeof (gw_addr));
- if (ire->ire_gateway_addr == gw_addr) {
- ip1dbg(("ire_delete_cache_gw: deleted 0x%x type %d to 0x%x\n",
- (int)ntohl(ire->ire_addr), ire->ire_type,
- (int)ntohl(ire->ire_gateway_addr)));
- ire_delete(ire);
+ irb_refhold(irb);
+ for (ire = irb->irb_ire; ire != NULL; ire = ire->ire_next) {
+ if (!IRE_IS_CONDEMNED(ire))
+ ire_increment_generation(ire); /* Ourselves */
+ ire_dep_incr_generation(ire); /* Dependants */
}
+ irb_refrele(irb);
}
/*
- * Remove all IRE_CACHE entries that match the ire specified.
+ * When an IRE is added or deleted this routine is called to make sure
+ * any caching of IRE information is notified or updated.
*
* The flag argument indicates if the flush request is due to addition
- * of new route (IRE_FLUSH_ADD) or deletion of old route (IRE_FLUSH_DELETE).
- *
- * This routine takes only the IREs from the forwarding table and flushes
- * the corresponding entries from the cache table.
- *
- * When flushing due to the deletion of an old route, it
- * just checks the cache handles (ire_phandle and ire_ihandle) and
- * deletes the ones that match.
- *
- * When flushing due to the creation of a new route, it checks
- * if a cache entry's address matches the one in the IRE and
- * that the cache entry's parent has a less specific mask than the
- * one in IRE. The destination of such a cache entry could be the
- * gateway for other cache entries, so we need to flush those as
- * well by looking for gateway addresses matching the IRE's address.
+ * of new route (IRE_FLUSH_ADD), deletion of old route (IRE_FLUSH_DELETE),
+ * or a change to ire_gateway_addr (IRE_FLUSH_GWCHANGE).
*/
void
ire_flush_cache_v4(ire_t *ire, int flag)
{
- int i;
- ire_t *cire;
- irb_t *irb;
- ip_stack_t *ipst = ire->ire_ipst;
+ irb_t *irb = ire->ire_bucket;
+ struct rt_entry *rt = IRB2RT(irb);
+ ip_stack_t *ipst = ire->ire_ipst;
- if (ire->ire_type & IRE_CACHE)
+ /*
+ * IRE_IF_CLONE ire's don't provide any new information
+ * than the parent from which they are cloned, so don't
+ * perturb the generation numbers.
+ */
+ if (ire->ire_type & IRE_IF_CLONE)
return;
/*
- * If a default is just created, there is no point
- * in going through the cache, as there will not be any
- * cached ires.
+ * Ensure that an ire_add during a lookup serializes the updates of the
+ * generation numbers under the radix head lock so that the lookup gets
+ * either the old ire and old generation number, or a new ire and new
+ * generation number.
+ */
+ RADIX_NODE_HEAD_WLOCK(ipst->ips_ip_ftable);
+
+ /*
+ * If a route was just added, we need to notify everybody that
+ * has cached an IRE_NOROUTE since there might now be a better
+ * route for them.
*/
- if (ire->ire_type == IRE_DEFAULT && flag == IRE_FLUSH_ADD)
- return;
if (flag == IRE_FLUSH_ADD) {
+ ire_increment_generation(ipst->ips_ire_reject_v4);
+ ire_increment_generation(ipst->ips_ire_blackhole_v4);
+ }
+
+ /* Adding a default can't otherwise provide a better route */
+ if (ire->ire_type == IRE_DEFAULT && flag == IRE_FLUSH_ADD) {
+ RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
+ return;
+ }
+
+ switch (flag) {
+ case IRE_FLUSH_DELETE:
+ case IRE_FLUSH_GWCHANGE:
/*
- * This selective flush is due to the addition of
- * new IRE.
+ * Update ire_generation for all ire_dep_children chains
+ * starting with this IRE
*/
- for (i = 0; i < ipst->ips_ip_cache_table_size; i++) {
- irb = &ipst->ips_ip_cache_table[i];
- if ((cire = irb->irb_ire) == NULL)
- continue;
- IRB_REFHOLD(irb);
- for (cire = irb->irb_ire; cire != NULL;
- cire = cire->ire_next) {
- if (cire->ire_type != IRE_CACHE)
- continue;
- /*
- * If 'cire' belongs to the same subnet
- * as the new ire being added, and 'cire'
- * is derived from a prefix that is less
- * specific than the new ire being added,
- * we need to flush 'cire'; for instance,
- * when a new interface comes up.
- */
- if (((cire->ire_addr & ire->ire_mask) ==
- (ire->ire_addr & ire->ire_mask)) &&
- (ip_mask_to_plen(cire->ire_cmask) <=
- ire->ire_masklen)) {
- ire_delete(cire);
- continue;
- }
- /*
- * This is the case when the ire_gateway_addr
- * of 'cire' belongs to the same subnet as
- * the new ire being added.
- * Flushing such ires is sometimes required to
- * avoid misrouting: say we have a machine with
- * two interfaces (I1 and I2), a default router
- * R on the I1 subnet, and a host route to an
- * off-link destination D with a gateway G on
- * the I2 subnet.
- * Under normal operation, we will have an
- * on-link cache entry for G and an off-link
- * cache entry for D with G as ire_gateway_addr,
- * traffic to D will reach its destination
- * through gateway G.
- * If the administrator does 'ifconfig I2 down',
- * the cache entries for D and G will be
- * flushed. However, G will now be resolved as
- * an off-link destination using R (the default
- * router) as gateway. Then D will also be
- * resolved as an off-link destination using G
- * as gateway - this behavior is due to
- * compatibility reasons, see comment in
- * ire_ihandle_lookup_offlink(). Traffic to D
- * will go to the router R and probably won't
- * reach the destination.
- * The administrator then does 'ifconfig I2 up'.
- * Since G is on the I2 subnet, this routine
- * will flush its cache entry. It must also
- * flush the cache entry for D, otherwise
- * traffic will stay misrouted until the IRE
- * times out.
- */
- if ((cire->ire_gateway_addr & ire->ire_mask) ==
- (ire->ire_addr & ire->ire_mask)) {
- ire_delete(cire);
- continue;
- }
- }
- IRB_REFRELE(irb);
- }
- } else {
+ ire_dep_incr_generation(ire);
+ break;
+ case IRE_FLUSH_ADD:
/*
- * delete the cache entries based on
- * handle in the IRE as this IRE is
- * being deleted/changed.
+ * Update the generation numbers of all shorter matching routes.
+ * ire_update_generation takes care of the dependants by
+ * using ire_dep_incr_generation.
*/
- for (i = 0; i < ipst->ips_ip_cache_table_size; i++) {
- irb = &ipst->ips_ip_cache_table[i];
- if ((cire = irb->irb_ire) == NULL)
- continue;
- IRB_REFHOLD(irb);
- for (cire = irb->irb_ire; cire != NULL;
- cire = cire->ire_next) {
- if (cire->ire_type != IRE_CACHE)
- continue;
- if ((cire->ire_phandle == 0 ||
- cire->ire_phandle != ire->ire_phandle) &&
- (cire->ire_ihandle == 0 ||
- cire->ire_ihandle != ire->ire_ihandle))
- continue;
- ire_delete(cire);
- }
- IRB_REFRELE(irb);
- }
+ (void) ipst->ips_ip_ftable->rnh_matchaddr_args(&rt->rt_dst,
+ ipst->ips_ip_ftable, ire_update_generation, NULL);
+ break;
}
+ RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
}
/*
* Matches the arguments passed with the values in the ire.
*
- * Note: for match types that match using "ipif" passed in, ipif
+ * Note: for match types that match using "ill" passed in, ill
* must be checked for non-NULL before calling this routine.
*/
boolean_t
ire_match_args(ire_t *ire, ipaddr_t addr, ipaddr_t mask, ipaddr_t gateway,
- int type, const ipif_t *ipif, zoneid_t zoneid, uint32_t ihandle,
- const ts_label_t *tsl, int match_flags, queue_t *wq)
+ int type, const ill_t *ill, zoneid_t zoneid,
+ const ts_label_t *tsl, int match_flags)
{
ill_t *ire_ill = NULL, *dst_ill;
- ill_t *ipif_ill = NULL;
+ ip_stack_t *ipst = ire->ire_ipst;
ASSERT(ire->ire_ipversion == IPV4_VERSION);
ASSERT((ire->ire_addr & ~ire->ire_mask) == 0);
ASSERT((!(match_flags & MATCH_IRE_ILL)) ||
- (ipif != NULL && !ipif->ipif_isv6));
- ASSERT(!(match_flags & MATCH_IRE_WQ) || wq != NULL);
+ (ill != NULL && !ill->ill_isv6));
/*
- * If MATCH_IRE_MARK_TESTHIDDEN is set, then only return the IRE if it
- * is in fact hidden, to ensure the caller gets the right one. One
- * exception: if the caller passed MATCH_IRE_IHANDLE, then they
- * already know the identity of the given IRE_INTERFACE entry and
- * there's no point trying to hide it from them.
+ * If MATCH_IRE_TESTHIDDEN is set, then only return the IRE if it is
+ * in fact hidden, to ensure the caller gets the right one.
*/
- if (ire->ire_marks & IRE_MARK_TESTHIDDEN) {
- if (match_flags & MATCH_IRE_IHANDLE)
- match_flags |= MATCH_IRE_MARK_TESTHIDDEN;
-
- if (!(match_flags & MATCH_IRE_MARK_TESTHIDDEN))
+ if (ire->ire_testhidden) {
+ if (!(match_flags & MATCH_IRE_TESTHIDDEN))
return (B_FALSE);
}
- /*
- * MATCH_IRE_MARK_PRIVATE_ADDR is set when IP_NEXTHOP option
- * is used. In that case the routing table is bypassed and the
- * packets are sent directly to the specified nexthop. The
- * IRE_CACHE entry representing this route should be marked
- * with IRE_MARK_PRIVATE_ADDR.
- */
-
- if (!(match_flags & MATCH_IRE_MARK_PRIVATE_ADDR) &&
- (ire->ire_marks & IRE_MARK_PRIVATE_ADDR))
- return (B_FALSE);
-
if (zoneid != ALL_ZONES && zoneid != ire->ire_zoneid &&
ire->ire_zoneid != ALL_ZONES) {
/*
- * If MATCH_IRE_ZONEONLY has been set and the supplied zoneid is
- * valid and does not match that of ire_zoneid, a failure to
+ * If MATCH_IRE_ZONEONLY has been set and the supplied zoneid
+ * does not match that of ire_zoneid, a failure to
* match is reported at this point. Otherwise, since some IREs
* that are available in the global zone can be used in local
* zones, additional checks need to be performed:
*
- * IRE_BROADCAST, IRE_CACHE and IRE_LOOPBACK
+ * IRE_LOOPBACK
* entries should never be matched in this situation.
+ * Each zone has its own IRE_LOOPBACK.
+ *
+ * IRE_LOCAL
+ * We allow them for any zoneid. ire_route_recursive
+ * does additional checks when
+ * ip_restrict_interzone_loopback is set.
*
- * IRE entries that have an interface associated with them
- * should in general not match unless they are an IRE_LOCAL
- * or in the case when MATCH_IRE_DEFAULT has been set in
- * the caller. In the case of the former, checking of the
- * other fields supplied should take place.
+ * If ill_usesrc_ifindex is set
+ * Then we check if the zone has a valid source address
+ * on the usesrc ill.
*
- * In the case where MATCH_IRE_DEFAULT has been set,
- * all of the ipif's associated with the IRE's ill are
- * checked to see if there is a matching zoneid. If any
- * one ipif has a matching zoneid, this IRE is a
- * potential candidate so checking of the other fields
- * takes place.
+ * If ire_ill is set, then check that the zone has an ipif
+ * on that ill.
*
- * In the case where the IRE_INTERFACE has a usable source
- * address (indicated by ill_usesrc_ifindex) in the
- * correct zone then it's permitted to return this IRE
+ * Outside of this function (in ire_round_robin) we check
+ * that any IRE_OFFLINK has a gateway that reachable from the
+ * zone when we have multiple choices (ECMP).
*/
if (match_flags & MATCH_IRE_ZONEONLY)
return (B_FALSE);
- if (ire->ire_type & (IRE_BROADCAST | IRE_CACHE | IRE_LOOPBACK))
+ if (ire->ire_type & IRE_LOOPBACK)
return (B_FALSE);
+
+ if (ire->ire_type & IRE_LOCAL)
+ goto matchit;
+
/*
- * Note, IRE_INTERFACE can have the stq as NULL. For
- * example, if the default multicast route is tied to
- * the loopback address.
+ * The normal case of IRE_ONLINK has a matching zoneid.
+ * Here we handle the case when shared-IP zones have been
+ * configured with IP addresses on vniN. In that case it
+ * is ok for traffic from a zone to use IRE_ONLINK routes
+ * if the ill has a usesrc pointing at vniN
*/
- if ((ire->ire_type & IRE_INTERFACE) &&
- (ire->ire_stq != NULL)) {
- dst_ill = (ill_t *)ire->ire_stq->q_ptr;
+ dst_ill = ire->ire_ill;
+ if (ire->ire_type & IRE_ONLINK) {
+ uint_t ifindex;
+
+ /*
+ * Note there is no IRE_INTERFACE on vniN thus
+ * can't do an IRE lookup for a matching route.
+ */
+ ifindex = dst_ill->ill_usesrc_ifindex;
+ if (ifindex == 0)
+ return (B_FALSE);
+
/*
* If there is a usable source address in the
- * zone, then it's ok to return an
- * IRE_INTERFACE
+ * zone, then it's ok to return this IRE_INTERFACE
*/
- if (ipif_usesrc_avail(dst_ill, zoneid)) {
- ip3dbg(("ire_match_args: dst_ill %p match %d\n",
- (void *)dst_ill,
- (ire->ire_addr == (addr & mask))));
- } else {
- ip3dbg(("ire_match_args: src_ipif NULL"
+ if (!ipif_zone_avail(ifindex, dst_ill->ill_isv6,
+ zoneid, ipst)) {
+ ip3dbg(("ire_match_args: no usrsrc for zone"
" dst_ill %p\n", (void *)dst_ill));
return (B_FALSE);
}
}
- if (ire->ire_ipif != NULL && ire->ire_type != IRE_LOCAL &&
- !(ire->ire_type & IRE_INTERFACE)) {
+ /*
+ * For exampe, with
+ * route add 11.0.0.0 gw1 -ifp bge0
+ * route add 11.0.0.0 gw2 -ifp bge1
+ * this code would differentiate based on
+ * where the sending zone has addresses.
+ * Only if the zone has an address on bge0 can it use the first
+ * route. It isn't clear if this behavior is documented
+ * anywhere.
+ */
+ if (dst_ill != NULL && (ire->ire_type & IRE_OFFLINK)) {
ipif_t *tipif;
- if ((match_flags & MATCH_IRE_DEFAULT) == 0) {
- return (B_FALSE);
- }
- mutex_enter(&ire->ire_ipif->ipif_ill->ill_lock);
- for (tipif = ire->ire_ipif->ipif_ill->ill_ipif;
+ mutex_enter(&dst_ill->ill_lock);
+ for (tipif = dst_ill->ill_ipif;
tipif != NULL; tipif = tipif->ipif_next) {
- if (IPIF_CAN_LOOKUP(tipif) &&
+ if (!IPIF_IS_CONDEMNED(tipif) &&
(tipif->ipif_flags & IPIF_UP) &&
(tipif->ipif_zoneid == zoneid ||
tipif->ipif_zoneid == ALL_ZONES))
break;
}
- mutex_exit(&ire->ire_ipif->ipif_ill->ill_lock);
+ mutex_exit(&dst_ill->ill_lock);
if (tipif == NULL) {
return (B_FALSE);
}
}
}
- /*
- * For IRE_CACHE entries, MATCH_IRE_ILL means that somebody wants to
- * send out ire_stq (ire_ipif for IRE_CACHE entries is just the means
- * of getting a source address -- i.e., ire_src_addr ==
- * ire->ire_ipif->ipif_src_addr). ire_to_ill() handles this.
- *
- * NOTE: For IPMP, MATCH_IRE_ILL usually matches any ill in the group.
- * However, if MATCH_IRE_MARK_TESTHIDDEN is set (i.e., the IRE is for
- * IPMP test traffic), then the ill must match exactly.
- */
+matchit:
if (match_flags & MATCH_IRE_ILL) {
- ire_ill = ire_to_ill(ire);
- ipif_ill = ipif->ipif_ill;
+ ire_ill = ire->ire_ill;
+
+ /*
+ * If asked to match an ill, we *must* match
+ * on the ire_ill for ipmp test addresses, or
+ * any of the ill in the group for data addresses.
+ * If we don't, we may as well fail.
+ * However, we need an exception for IRE_LOCALs to ensure
+ * we loopback packets even sent to test addresses on different
+ * interfaces in the group.
+ */
+ if ((match_flags & MATCH_IRE_TESTHIDDEN) &&
+ !(ire->ire_type & IRE_LOCAL)) {
+ if (ire->ire_ill != ill)
+ return (B_FALSE);
+ } else {
+ match_flags &= ~MATCH_IRE_TESTHIDDEN;
+ /*
+ * We know that ill is not NULL, but ire_ill could be
+ * NULL
+ */
+ if (ire_ill == NULL || !IS_ON_SAME_LAN(ill, ire_ill))
+ return (B_FALSE);
+ }
}
if ((ire->ire_addr == (addr & mask)) &&
((!(match_flags & MATCH_IRE_GW)) ||
(ire->ire_gateway_addr == gateway)) &&
- ((!(match_flags & MATCH_IRE_TYPE)) ||
- (ire->ire_type & type)) &&
- ((!(match_flags & MATCH_IRE_SRC)) ||
- (ire->ire_src_addr == ipif->ipif_src_addr)) &&
- ((!(match_flags & MATCH_IRE_IPIF)) ||
- (ire->ire_ipif == ipif)) &&
- ((!(match_flags & MATCH_IRE_MARK_TESTHIDDEN)) ||
- (ire->ire_marks & IRE_MARK_TESTHIDDEN)) &&
- ((!(match_flags & MATCH_IRE_MARK_PRIVATE_ADDR)) ||
- (ire->ire_type != IRE_CACHE ||
- ire->ire_marks & IRE_MARK_PRIVATE_ADDR)) &&
- ((!(match_flags & MATCH_IRE_WQ)) ||
- (ire->ire_stq == wq)) &&
- ((!(match_flags & MATCH_IRE_ILL)) ||
- (ire_ill == ipif_ill ||
- (!(match_flags & MATCH_IRE_MARK_TESTHIDDEN) &&
- ire_ill != NULL && IS_IN_SAME_ILLGRP(ipif_ill, ire_ill)))) &&
- ((!(match_flags & MATCH_IRE_IHANDLE)) ||
- (ire->ire_ihandle == ihandle)) &&
- ((!(match_flags & MATCH_IRE_MASK)) ||
- (ire->ire_mask == mask)) &&
+ ((!(match_flags & MATCH_IRE_TYPE)) || (ire->ire_type & type)) &&
+ ((!(match_flags & MATCH_IRE_TESTHIDDEN)) || ire->ire_testhidden) &&
+ ((!(match_flags & MATCH_IRE_MASK)) || (ire->ire_mask == mask)) &&
((!(match_flags & MATCH_IRE_SECATTR)) ||
(!is_system_labeled()) ||
(tsol_ire_match_gwattr(ire, tsl) == 0))) {
@@ -3963,494 +1991,207 @@ ire_match_args(ire_t *ire, ipaddr_t addr, ipaddr_t mask, ipaddr_t gateway,
}
/*
- * Lookup for a route in all the tables
+ * Check if the IRE_LOCAL uses the same ill as another route would use.
+ * If there is no alternate route, or the alternate is a REJECT or BLACKHOLE,
+ * then we don't allow this IRE_LOCAL to be used.
+ * We always return an IRE; will be RTF_REJECT if no route available.
*/
ire_t *
-ire_route_lookup(ipaddr_t addr, ipaddr_t mask, ipaddr_t gateway,
- int type, const ipif_t *ipif, ire_t **pire, zoneid_t zoneid,
- const ts_label_t *tsl, int flags, ip_stack_t *ipst)
+ire_alt_local(ire_t *ire, zoneid_t zoneid, const ts_label_t *tsl,
+ const ill_t *ill, uint_t *generationp)
{
- ire_t *ire = NULL;
+ ip_stack_t *ipst = ire->ire_ipst;
+ ire_t *alt_ire;
+ uint_t ire_type;
+ uint_t generation;
+ uint_t match_flags;
- /*
- * ire_match_args() will dereference ipif MATCH_IRE_SRC or
- * MATCH_IRE_ILL is set.
- */
- if ((flags & (MATCH_IRE_SRC | MATCH_IRE_ILL)) && (ipif == NULL))
- return (NULL);
+ ASSERT(ire->ire_type & IRE_LOCAL);
+ ASSERT(ire->ire_ill != NULL);
/*
- * might be asking for a cache lookup,
- * This is not best way to lookup cache,
- * user should call ire_cache_lookup directly.
- *
- * If MATCH_IRE_TYPE was set, first lookup in the cache table and then
- * in the forwarding table, if the applicable type flags were set.
+ * Need to match on everything but local.
+ * This might result in the creation of a IRE_IF_CLONE for the
+ * same address as the IRE_LOCAL when restrict_interzone_loopback is
+ * set. ire_add_*() ensures that the IRE_IF_CLONE are tail inserted
+ * to make sure the IRE_LOCAL is always found first.
*/
- if ((flags & MATCH_IRE_TYPE) == 0 || (type & IRE_CACHETABLE) != 0) {
- ire = ire_ctable_lookup(addr, gateway, type, ipif, zoneid,
- tsl, flags, ipst);
- if (ire != NULL)
- return (ire);
+ ire_type = (IRE_ONLINK | IRE_OFFLINK) & ~(IRE_LOCAL|IRE_LOOPBACK);
+ match_flags = MATCH_IRE_TYPE | MATCH_IRE_SECATTR;
+ if (ill != NULL)
+ match_flags |= MATCH_IRE_ILL;
+
+ if (ire->ire_ipversion == IPV4_VERSION) {
+ alt_ire = ire_route_recursive_v4(ire->ire_addr, ire_type,
+ ill, zoneid, tsl, match_flags, B_TRUE, 0, ipst, NULL, NULL,
+ &generation);
+ } else {
+ alt_ire = ire_route_recursive_v6(&ire->ire_addr_v6, ire_type,
+ ill, zoneid, tsl, match_flags, B_TRUE, 0, ipst, NULL, NULL,
+ &generation);
}
- if ((flags & MATCH_IRE_TYPE) == 0 || (type & IRE_FORWARDTABLE) != 0) {
- ire = ire_ftable_lookup(addr, mask, gateway, type, ipif, pire,
- zoneid, 0, tsl, flags, ipst);
+ ASSERT(alt_ire != NULL);
+
+ if (alt_ire->ire_ill == ire->ire_ill) {
+ /* Going out the same ILL - ok to send to IRE_LOCAL */
+ ire_refrele(alt_ire);
+ } else {
+ /* Different ill - ignore IRE_LOCAL */
+ ire_refrele(ire);
+ ire = alt_ire;
+ if (generationp != NULL)
+ *generationp = generation;
}
return (ire);
}
-/*
- * Delete the IRE cache for the gateway and all IRE caches whose
- * ire_gateway_addr points to this gateway, and allow them to
- * be created on demand by ip_newroute.
- */
-void
-ire_clookup_delete_cache_gw(ipaddr_t addr, zoneid_t zoneid, ip_stack_t *ipst)
+boolean_t
+ire_find_zoneid(struct radix_node *rn, void *arg)
{
+ struct rt_entry *rt = (struct rt_entry *)rn;
irb_t *irb;
ire_t *ire;
+ ire_ftable_args_t *margs = arg;
- irb = &ipst->ips_ip_cache_table[IRE_ADDR_HASH(addr,
- ipst->ips_ip_cache_table_size)];
- IRB_REFHOLD(irb);
- for (ire = irb->irb_ire; ire != NULL; ire = ire->ire_next) {
- if (ire->ire_marks & IRE_MARK_CONDEMNED)
- continue;
-
- ASSERT(ire->ire_mask == IP_HOST_MASK);
- if (ire_match_args(ire, addr, ire->ire_mask, 0, IRE_CACHE,
- NULL, zoneid, 0, NULL, MATCH_IRE_TYPE, NULL)) {
- ire_delete(ire);
- }
- }
- IRB_REFRELE(irb);
+ ASSERT(rt != NULL);
- ire_walk_v4(ire_delete_cache_gw, &addr, zoneid, ipst);
-}
+ irb = &rt->rt_irb;
-/*
- * Looks up cache table for a route.
- * specific lookup can be indicated by
- * passing the MATCH_* flags and the
- * necessary parameters.
- */
-ire_t *
-ire_ctable_lookup(ipaddr_t addr, ipaddr_t gateway, int type, const ipif_t *ipif,
- zoneid_t zoneid, const ts_label_t *tsl, int flags, ip_stack_t *ipst)
-{
- ire_ctable_args_t margs;
-
- margs.ict_addr = &addr;
- margs.ict_gateway = &gateway;
- margs.ict_type = type;
- margs.ict_ipif = ipif;
- margs.ict_zoneid = zoneid;
- margs.ict_tsl = tsl;
- margs.ict_flags = flags;
- margs.ict_ipst = ipst;
- margs.ict_wq = NULL;
-
- return (ip4_ctable_lookup_impl(&margs));
-}
+ if (irb->irb_ire_cnt == 0)
+ return (B_FALSE);
-/*
- * Check whether the IRE_LOCAL and the IRE potentially used to transmit
- * (could be an IRE_CACHE, IRE_BROADCAST, or IRE_INTERFACE) are identical
- * or part of the same illgrp. (In the IPMP case, usually the two IREs
- * will both belong to the IPMP ill, but exceptions are possible -- e.g.
- * if IPMP test addresses are on their own subnet.)
- */
-boolean_t
-ire_local_same_lan(ire_t *ire_local, ire_t *xmit_ire)
-{
- ill_t *recv_ill, *xmit_ill;
+ rw_enter(&irb->irb_lock, RW_READER);
+ for (ire = irb->irb_ire; ire != NULL; ire = ire->ire_next) {
+ if (IRE_IS_CONDEMNED(ire))
+ continue;
- ASSERT(ire_local->ire_type & (IRE_LOCAL|IRE_LOOPBACK));
- ASSERT(xmit_ire->ire_type & (IRE_CACHETABLE|IRE_INTERFACE));
+ if (ire->ire_zoneid != ALL_ZONES &&
+ ire->ire_zoneid != margs->ift_zoneid)
+ continue;
- recv_ill = ire_to_ill(ire_local);
- xmit_ill = ire_to_ill(xmit_ire);
+ if (margs->ift_ill != NULL && margs->ift_ill != ire->ire_ill)
+ continue;
- ASSERT(recv_ill != NULL);
- ASSERT(xmit_ill != NULL);
+ if (is_system_labeled() &&
+ tsol_ire_match_gwattr(ire, margs->ift_tsl) != 0)
+ continue;
- return (IS_ON_SAME_LAN(recv_ill, xmit_ill));
+ rw_exit(&irb->irb_lock);
+ return (B_TRUE);
+ }
+ rw_exit(&irb->irb_lock);
+ return (B_FALSE);
}
/*
- * Check if the IRE_LOCAL uses the same ill as another route would use.
- * If there is no alternate route, or the alternate is a REJECT or BLACKHOLE,
- * then we don't allow this IRE_LOCAL to be used.
+ * Check if the zoneid (not ALL_ZONES) has an IRE_INTERFACE for the specified
+ * gateway address. If ill is non-NULL we also match on it.
+ * The caller must hold a read lock on RADIX_NODE_HEAD if lock_held is set.
*/
boolean_t
-ire_local_ok_across_zones(ire_t *ire_local, zoneid_t zoneid, void *addr,
- const ts_label_t *tsl, ip_stack_t *ipst)
+ire_gateway_ok_zone_v4(ipaddr_t gateway, zoneid_t zoneid, ill_t *ill,
+ const ts_label_t *tsl, ip_stack_t *ipst, boolean_t lock_held)
{
- ire_t *alt_ire;
- boolean_t rval;
- int flags;
+ struct rt_sockaddr rdst;
+ struct rt_entry *rt;
+ ire_ftable_args_t margs;
- flags = MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT | MATCH_IRE_RJ_BHOLE;
+ ASSERT(ill == NULL || !ill->ill_isv6);
+ if (lock_held)
+ ASSERT(RW_READ_HELD(&ipst->ips_ip_ftable->rnh_lock));
+ else
+ RADIX_NODE_HEAD_RLOCK(ipst->ips_ip_ftable);
- if (ire_local->ire_ipversion == IPV4_VERSION) {
- alt_ire = ire_ftable_lookup(*((ipaddr_t *)addr), 0, 0, 0, NULL,
- NULL, zoneid, 0, tsl, flags, ipst);
- } else {
- alt_ire = ire_ftable_lookup_v6(addr, NULL, NULL, 0, NULL,
- NULL, zoneid, 0, tsl, flags, ipst);
- }
+ rdst.rt_sin_len = sizeof (rdst);
+ rdst.rt_sin_family = AF_INET;
+ rdst.rt_sin_addr.s_addr = gateway;
- if (alt_ire == NULL)
- return (B_FALSE);
+ /*
+ * We only use margs for ill, zoneid, and tsl matching in
+ * ire_find_zoneid
+ */
+ (void) memset(&margs, 0, sizeof (margs));
+ margs.ift_ill = ill;
+ margs.ift_zoneid = zoneid;
+ margs.ift_tsl = tsl;
+ rt = (struct rt_entry *)ipst->ips_ip_ftable->rnh_matchaddr_args(&rdst,
+ ipst->ips_ip_ftable, ire_find_zoneid, (void *)&margs);
- if (alt_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
- ire_refrele(alt_ire);
- return (B_FALSE);
- }
- rval = ire_local_same_lan(ire_local, alt_ire);
+ if (!lock_held)
+ RADIX_NODE_HEAD_UNLOCK(ipst->ips_ip_ftable);
- ire_refrele(alt_ire);
- return (rval);
+ return (rt != NULL);
}
/*
- * Lookup cache
- *
- * In general the zoneid has to match (where ALL_ZONES match all of them).
- * But for IRE_LOCAL we also need to handle the case where L2 should
- * conceptually loop back the packet. This is necessary since neither
- * Ethernet drivers nor Ethernet hardware loops back packets sent to their
- * own MAC address. This loopback is needed when the normal
- * routes (ignoring IREs with different zoneids) would send out the packet on
- * the same ill as the ill with which this IRE_LOCAL is associated.
- *
- * Earlier versions of this code always matched an IRE_LOCAL independently of
- * the zoneid. We preserve that earlier behavior when
- * ip_restrict_interzone_loopback is turned off.
+ * ire_walk routine to delete a fraction of redirect IREs and IRE_CLONE_IF IREs.
+ * The fraction argument tells us what fraction of the IREs to delete.
+ * Common for IPv4 and IPv6.
+ * Used when memory backpressure.
*/
-ire_t *
-ire_cache_lookup(ipaddr_t addr, zoneid_t zoneid, const ts_label_t *tsl,
- ip_stack_t *ipst)
+static void
+ire_delete_reclaim(ire_t *ire, char *arg)
{
- irb_t *irb_ptr;
- ire_t *ire;
-
- irb_ptr = &ipst->ips_ip_cache_table[IRE_ADDR_HASH(addr,
- ipst->ips_ip_cache_table_size)];
- rw_enter(&irb_ptr->irb_lock, RW_READER);
- for (ire = irb_ptr->irb_ire; ire != NULL; ire = ire->ire_next) {
- if (ire->ire_marks & (IRE_MARK_CONDEMNED |
- IRE_MARK_TESTHIDDEN | IRE_MARK_PRIVATE_ADDR)) {
- continue;
- }
- if (ire->ire_addr == addr) {
- /*
- * Finally, check if the security policy has any
- * restriction on using this route for the specified
- * message.
- */
- if (tsl != NULL &&
- ire->ire_gw_secattr != NULL &&
- tsol_ire_match_gwattr(ire, tsl) != 0) {
- continue;
- }
+ ip_stack_t *ipst = ire->ire_ipst;
+ uint_t fraction = *(uint_t *)arg;
+ uint_t rand;
- if (zoneid == ALL_ZONES || ire->ire_zoneid == zoneid ||
- ire->ire_zoneid == ALL_ZONES) {
- IRE_REFHOLD(ire);
- rw_exit(&irb_ptr->irb_lock);
- return (ire);
- }
+ if ((ire->ire_flags & RTF_DYNAMIC) ||
+ (ire->ire_type & IRE_IF_CLONE)) {
- if (ire->ire_type == IRE_LOCAL) {
- if (ipst->ips_ip_restrict_interzone_loopback &&
- !ire_local_ok_across_zones(ire, zoneid,
- &addr, tsl, ipst))
- continue;
+ /* Pick a random number */
+ rand = (uint_t)lbolt +
+ IRE_ADDR_HASH_V6(ire->ire_addr_v6, 256);
- IRE_REFHOLD(ire);
- rw_exit(&irb_ptr->irb_lock);
- return (ire);
- }
+ /* Use truncation */
+ if ((rand/fraction)*fraction == rand) {
+ IP_STAT(ipst, ip_ire_reclaim_deleted);
+ ire_delete(ire);
}
}
- rw_exit(&irb_ptr->irb_lock);
- return (NULL);
-}
-ire_t *
-ire_cache_lookup_simple(ipaddr_t dst, ip_stack_t *ipst)
-{
- irb_t *irb_ptr;
- ire_t *ire;
-
- /*
- * Look for an ire in the cachetable whose
- * ire_addr matches the destination.
- * Since we are being called by forwarding fastpath
- * no need to check for Trusted Solaris label.
- */
- irb_ptr = &ipst->ips_ip_cache_table[IRE_ADDR_HASH(
- dst, ipst->ips_ip_cache_table_size)];
- rw_enter(&irb_ptr->irb_lock, RW_READER);
- for (ire = irb_ptr->irb_ire; ire != NULL; ire = ire->ire_next) {
- if (ire->ire_marks & (IRE_MARK_CONDEMNED | IRE_MARK_TESTHIDDEN |
- IRE_MARK_PRIVATE_ADDR)) {
- continue;
- }
- if (ire->ire_addr == dst) {
- IRE_REFHOLD(ire);
- rw_exit(&irb_ptr->irb_lock);
- return (ire);
- }
- }
- rw_exit(&irb_ptr->irb_lock);
- return (NULL);
}
/*
- * Locate the interface ire that is tied to the cache ire 'cire' via
- * cire->ire_ihandle.
+ * kmem_cache callback to free up memory.
*
- * We are trying to create the cache ire for an offlink destn based
- * on the cache ire of the gateway in 'cire'. 'pire' is the prefix ire
- * as found by ip_newroute(). We are called from ip_newroute() in
- * the IRE_CACHE case.
+ * Free a fraction (ips_ip_ire_reclaim_fraction) of things IP added dynamically
+ * (RTF_DYNAMIC and IRE_IF_CLONE).
*/
-ire_t *
-ire_ihandle_lookup_offlink(ire_t *cire, ire_t *pire)
+static void
+ip_ire_reclaim_stack(ip_stack_t *ipst)
{
- ire_t *ire;
- int match_flags;
- ipaddr_t gw_addr;
- ipif_t *gw_ipif;
- ip_stack_t *ipst = cire->ire_ipst;
-
- ASSERT(cire != NULL && pire != NULL);
-
- /*
- * We don't need to specify the zoneid to ire_ftable_lookup() below
- * because the ihandle refers to an ipif which can be in only one zone.
- */
- match_flags = MATCH_IRE_TYPE | MATCH_IRE_IHANDLE | MATCH_IRE_MASK;
- if (pire->ire_ipif != NULL)
- match_flags |= MATCH_IRE_ILL;
- /*
- * We know that the mask of the interface ire equals cire->ire_cmask.
- * (When ip_newroute() created 'cire' for the gateway it set its
- * cmask from the interface ire's mask)
- */
- ire = ire_ftable_lookup(cire->ire_addr, cire->ire_cmask, 0,
- IRE_INTERFACE, pire->ire_ipif, NULL, ALL_ZONES, cire->ire_ihandle,
- NULL, match_flags, ipst);
- if (ire != NULL)
- return (ire);
- /*
- * If we didn't find an interface ire above, we can't declare failure.
- * For backwards compatibility, we need to support prefix routes
- * pointing to next hop gateways that are not on-link.
- *
- * Assume we are trying to ping some offlink destn, and we have the
- * routing table below.
- *
- * Eg. default - gw1 <--- pire (line 1)
- * gw1 - gw2 (line 2)
- * gw2 - hme0 (line 3)
- *
- * If we already have a cache ire for gw1 in 'cire', the
- * ire_ftable_lookup above would have failed, since there is no
- * interface ire to reach gw1. We will fallthru below.
- *
- * Here we duplicate the steps that ire_ftable_lookup() did in
- * getting 'cire' from 'pire', in the MATCH_IRE_RECURSIVE case.
- * The differences are the following
- * i. We want the interface ire only, so we call ire_ftable_lookup()
- * instead of ire_route_lookup()
- * ii. We look for only prefix routes in the 1st call below.
- * ii. We want to match on the ihandle in the 2nd call below.
- */
- match_flags = MATCH_IRE_TYPE;
- if (pire->ire_ipif != NULL)
- match_flags |= MATCH_IRE_ILL;
- ire = ire_ftable_lookup(pire->ire_gateway_addr, 0, 0, IRE_OFFSUBNET,
- pire->ire_ipif, NULL, ALL_ZONES, 0, NULL, match_flags, ipst);
- if (ire == NULL)
- return (NULL);
- /*
- * At this point 'ire' corresponds to the entry shown in line 2.
- * gw_addr is 'gw2' in the example above.
- */
- gw_addr = ire->ire_gateway_addr;
- gw_ipif = ire->ire_ipif;
- ire_refrele(ire);
+ uint_t fraction = ipst->ips_ip_ire_reclaim_fraction;
- match_flags |= MATCH_IRE_IHANDLE;
- ire = ire_ftable_lookup(gw_addr, 0, 0, IRE_INTERFACE,
- gw_ipif, NULL, ALL_ZONES, cire->ire_ihandle, NULL, match_flags,
- ipst);
- return (ire);
-}
+ IP_STAT(ipst, ip_ire_reclaim_calls);
-/*
- * Return the IRE_LOOPBACK, IRE_IF_RESOLVER or IRE_IF_NORESOLVER
- * ire associated with the specified ipif.
- *
- * This might occasionally be called when IPIF_UP is not set since
- * the IP_MULTICAST_IF as well as creating interface routes
- * allows specifying a down ipif (ipif_lookup* match ipifs that are down).
- *
- * Note that if IPIF_NOLOCAL, IPIF_NOXMIT, or IPIF_DEPRECATED is set on
- * the ipif, this routine might return NULL.
- */
-ire_t *
-ipif_to_ire(const ipif_t *ipif)
-{
- ire_t *ire;
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
- uint_t match_flags = MATCH_IRE_TYPE | MATCH_IRE_IPIF | MATCH_IRE_MASK;
+ ire_walk(ire_delete_reclaim, &fraction, ipst);
/*
- * IRE_INTERFACE entries for ills under IPMP are IRE_MARK_TESTHIDDEN
- * so that they aren't accidentally returned. However, if the
- * caller's ipif is on an ill under IPMP, there's no need to hide 'em.
+ * Walk all CONNs that can have a reference on an ire, nce or dce.
+ * Get them to update any stale references to drop any refholds they
+ * have.
*/
- if (IS_UNDER_IPMP(ipif->ipif_ill))
- match_flags |= MATCH_IRE_MARK_TESTHIDDEN;
-
- ASSERT(!ipif->ipif_isv6);
- if (ipif->ipif_ire_type == IRE_LOOPBACK) {
- ire = ire_ctable_lookup(ipif->ipif_lcl_addr, 0, IRE_LOOPBACK,
- ipif, ALL_ZONES, NULL, (MATCH_IRE_TYPE | MATCH_IRE_IPIF),
- ipst);
- } else if (ipif->ipif_flags & IPIF_POINTOPOINT) {
- /* In this case we need to lookup destination address. */
- ire = ire_ftable_lookup(ipif->ipif_pp_dst_addr, IP_HOST_MASK, 0,
- IRE_INTERFACE, ipif, NULL, ALL_ZONES, 0, NULL, match_flags,
- ipst);
- } else {
- ire = ire_ftable_lookup(ipif->ipif_subnet,
- ipif->ipif_net_mask, 0, IRE_INTERFACE, ipif, NULL,
- ALL_ZONES, 0, NULL, match_flags, ipst);
- }
- return (ire);
+ ipcl_walk(conn_ixa_cleanup, (void *)B_FALSE, ipst);
}
/*
- * ire_walk function.
- * Count the number of IRE_CACHE entries in different categories.
- */
-void
-ire_cache_count(ire_t *ire, char *arg)
-{
- ire_cache_count_t *icc = (ire_cache_count_t *)arg;
-
- if (ire->ire_type != IRE_CACHE)
- return;
-
- icc->icc_total++;
-
- if (ire->ire_ipversion == IPV6_VERSION) {
- mutex_enter(&ire->ire_lock);
- if (IN6_IS_ADDR_UNSPECIFIED(&ire->ire_gateway_addr_v6)) {
- mutex_exit(&ire->ire_lock);
- icc->icc_onlink++;
- return;
- }
- mutex_exit(&ire->ire_lock);
- } else {
- if (ire->ire_gateway_addr == 0) {
- icc->icc_onlink++;
- return;
- }
- }
-
- ASSERT(ire->ire_ipif != NULL);
- if (ire->ire_max_frag < ire->ire_ipif->ipif_mtu)
- icc->icc_pmtu++;
- else if (ire->ire_tire_mark != ire->ire_ob_pkt_count +
- ire->ire_ib_pkt_count)
- icc->icc_offlink++;
- else
- icc->icc_unused++;
-}
-
-/*
- * ire_walk function called by ip_trash_ire_reclaim().
- * Free a fraction of the IRE_CACHE cache entries. The fractions are
- * different for different categories of IRE_CACHE entries.
- * A fraction of zero means to not free any in that category.
- * Use the hash bucket id plus lbolt as a random number. Thus if the fraction
- * is N then every Nth hash bucket chain will be freed.
+ * Called by the memory allocator subsystem directly, when the system
+ * is running low on memory.
*/
+/* ARGSUSED */
void
-ire_cache_reclaim(ire_t *ire, char *arg)
+ip_ire_reclaim(void *args)
{
- ire_cache_reclaim_t *icr = (ire_cache_reclaim_t *)arg;
- uint_t rand;
- ip_stack_t *ipst = icr->icr_ipst;
-
- if (ire->ire_type != IRE_CACHE)
- return;
+ netstack_handle_t nh;
+ netstack_t *ns;
- if (ire->ire_ipversion == IPV6_VERSION) {
- rand = (uint_t)lbolt +
- IRE_ADDR_HASH_V6(ire->ire_addr_v6,
- ipst->ips_ip6_cache_table_size);
- mutex_enter(&ire->ire_lock);
- if (IN6_IS_ADDR_UNSPECIFIED(&ire->ire_gateway_addr_v6)) {
- mutex_exit(&ire->ire_lock);
- if (icr->icr_onlink != 0 &&
- (rand/icr->icr_onlink)*icr->icr_onlink == rand) {
- ire_delete(ire);
- return;
- }
- goto done;
- }
- mutex_exit(&ire->ire_lock);
- } else {
- rand = (uint_t)lbolt +
- IRE_ADDR_HASH(ire->ire_addr, ipst->ips_ip_cache_table_size);
- if (ire->ire_gateway_addr == 0) {
- if (icr->icr_onlink != 0 &&
- (rand/icr->icr_onlink)*icr->icr_onlink == rand) {
- ire_delete(ire);
- return;
- }
- goto done;
- }
- }
- /* Not onlink IRE */
- ASSERT(ire->ire_ipif != NULL);
- if (ire->ire_max_frag < ire->ire_ipif->ipif_mtu) {
- /* Use ptmu fraction */
- if (icr->icr_pmtu != 0 &&
- (rand/icr->icr_pmtu)*icr->icr_pmtu == rand) {
- ire_delete(ire);
- return;
- }
- } else if (ire->ire_tire_mark != ire->ire_ob_pkt_count +
- ire->ire_ib_pkt_count) {
- /* Use offlink fraction */
- if (icr->icr_offlink != 0 &&
- (rand/icr->icr_offlink)*icr->icr_offlink == rand) {
- ire_delete(ire);
- return;
- }
- } else {
- /* Use unused fraction */
- if (icr->icr_unused != 0 &&
- (rand/icr->icr_unused)*icr->icr_unused == rand) {
- ire_delete(ire);
- return;
- }
+ netstack_next_init(&nh);
+ while ((ns = netstack_next(&nh)) != NULL) {
+ ip_ire_reclaim_stack(ns->netstack_ip);
+ netstack_rele(ns);
}
-done:
- /*
- * Update tire_mark so that those that haven't been used since this
- * reclaim will be considered unused next time we reclaim.
- */
- ire->ire_tire_mark = ire->ire_ob_pkt_count + ire->ire_ib_pkt_count;
+ netstack_next_fini(&nh);
}
static void
@@ -4470,14 +2211,21 @@ void
ip_ire_g_init()
{
/*
- * Create ire caches, ire_reclaim()
- * will give IRE_CACHE back to system when needed.
+ * Create kmem_caches. ip_ire_reclaim() and ip_nce_reclaim()
+ * will give disposable IREs back to system when needed.
* This needs to be done here before anything else, since
* ire_add() expects the cache to be created.
*/
ire_cache = kmem_cache_create("ire_cache",
- sizeof (ire_t), 0, ip_ire_constructor,
- ip_ire_destructor, ip_trash_ire_reclaim, NULL, NULL, 0);
+ sizeof (ire_t), 0, NULL, NULL,
+ ip_ire_reclaim, NULL, NULL, 0);
+
+ ncec_cache = kmem_cache_create("ncec_cache",
+ sizeof (ncec_t), 0, NULL, NULL,
+ ip_nce_reclaim, NULL, NULL, 0);
+ nce_cache = kmem_cache_create("nce_cache",
+ sizeof (nce_t), 0, NULL, NULL,
+ NULL, NULL, NULL, 0);
rt_entry_cache = kmem_cache_create("rt_entry",
sizeof (struct rt_entry), 0, NULL, NULL, NULL, NULL, NULL, 0);
@@ -4491,104 +2239,65 @@ ip_ire_g_init()
void
ip_ire_init(ip_stack_t *ipst)
{
- int i;
- uint32_t mem_cnt;
- uint32_t cpu_cnt;
- uint32_t min_cnt;
- pgcnt_t mem_avail;
-
- /*
- * ip_ire_max_bucket_cnt is sized below based on the memory
- * size and the cpu speed of the machine. This is upper
- * bounded by the compile time value of ip_ire_max_bucket_cnt
- * and is lower bounded by the compile time value of
- * ip_ire_min_bucket_cnt. Similar logic applies to
- * ip6_ire_max_bucket_cnt.
- *
- * We calculate this for each IP Instances in order to use
- * the kmem_avail and ip_ire_{min,max}_bucket_cnt that are
- * in effect when the zone is booted.
- */
- mem_avail = kmem_avail();
- mem_cnt = (mem_avail >> ip_ire_mem_ratio) /
- ip_cache_table_size / sizeof (ire_t);
- cpu_cnt = CPU->cpu_type_info.pi_clock >> ip_ire_cpu_ratio;
-
- min_cnt = MIN(cpu_cnt, mem_cnt);
- if (min_cnt < ip_ire_min_bucket_cnt)
- min_cnt = ip_ire_min_bucket_cnt;
- if (ip_ire_max_bucket_cnt > min_cnt) {
- ip_ire_max_bucket_cnt = min_cnt;
- }
-
- mem_cnt = (mem_avail >> ip_ire_mem_ratio) /
- ip6_cache_table_size / sizeof (ire_t);
- min_cnt = MIN(cpu_cnt, mem_cnt);
- if (min_cnt < ip6_ire_min_bucket_cnt)
- min_cnt = ip6_ire_min_bucket_cnt;
- if (ip6_ire_max_bucket_cnt > min_cnt) {
- ip6_ire_max_bucket_cnt = min_cnt;
- }
+ ire_t *ire;
+ int error;
mutex_init(&ipst->ips_ire_ft_init_lock, NULL, MUTEX_DEFAULT, 0);
- mutex_init(&ipst->ips_ire_handle_lock, NULL, MUTEX_DEFAULT, NULL);
(void) rn_inithead((void **)&ipst->ips_ip_ftable, 32);
- /* Calculate the IPv4 cache table size. */
- ipst->ips_ip_cache_table_size = MAX(ip_cache_table_size,
- ((mem_avail >> ip_ire_mem_ratio) / sizeof (ire_t) /
- ip_ire_max_bucket_cnt));
- if (ipst->ips_ip_cache_table_size > ip_max_cache_table_size)
- ipst->ips_ip_cache_table_size = ip_max_cache_table_size;
/*
- * Make sure that the table size is always a power of 2. The
- * hash macro IRE_ADDR_HASH() depends on that.
+ * Make sure that the forwarding table size is a power of 2.
+ * The IRE*_ADDR_HASH() macroes depend on that.
*/
- power2_roundup(&ipst->ips_ip_cache_table_size);
-
- ipst->ips_ip_cache_table = kmem_zalloc(ipst->ips_ip_cache_table_size *
- sizeof (irb_t), KM_SLEEP);
-
- for (i = 0; i < ipst->ips_ip_cache_table_size; i++) {
- rw_init(&ipst->ips_ip_cache_table[i].irb_lock, NULL,
- RW_DEFAULT, NULL);
- }
+ ipst->ips_ip6_ftable_hash_size = ip6_ftable_hash_size;
+ power2_roundup(&ipst->ips_ip6_ftable_hash_size);
- /* Calculate the IPv6 cache table size. */
- ipst->ips_ip6_cache_table_size = MAX(ip6_cache_table_size,
- ((mem_avail >> ip_ire_mem_ratio) / sizeof (ire_t) /
- ip6_ire_max_bucket_cnt));
- if (ipst->ips_ip6_cache_table_size > ip6_max_cache_table_size)
- ipst->ips_ip6_cache_table_size = ip6_max_cache_table_size;
/*
- * Make sure that the table size is always a power of 2. The
- * hash macro IRE_ADDR_HASH_V6() depends on that.
+ * Allocate/initialize a pair of IRE_NOROUTEs for each of IPv4 and IPv6.
+ * The ire_reject_v* has RTF_REJECT set, and the ire_blackhole_v* has
+ * RTF_BLACKHOLE set. We use the latter for transient errors such
+ * as memory allocation failures and tripping on IRE_IS_CONDEMNED
+ * entries.
*/
- power2_roundup(&ipst->ips_ip6_cache_table_size);
+ ire = kmem_cache_alloc(ire_cache, KM_SLEEP);
+ *ire = ire_null;
+ error = ire_init_v4(ire, 0, 0, 0, IRE_NOROUTE, NULL, ALL_ZONES,
+ RTF_REJECT|RTF_UP, NULL, ipst);
+ ASSERT(error == 0);
+ ipst->ips_ire_reject_v4 = ire;
- ipst->ips_ip_cache_table_v6 = kmem_zalloc(
- ipst->ips_ip6_cache_table_size * sizeof (irb_t), KM_SLEEP);
+ ire = kmem_cache_alloc(ire_cache, KM_SLEEP);
+ *ire = ire_null;
+ error = ire_init_v6(ire, 0, 0, 0, IRE_NOROUTE, NULL, ALL_ZONES,
+ RTF_REJECT|RTF_UP, NULL, ipst);
+ ASSERT(error == 0);
+ ipst->ips_ire_reject_v6 = ire;
- for (i = 0; i < ipst->ips_ip6_cache_table_size; i++) {
- rw_init(&ipst->ips_ip_cache_table_v6[i].irb_lock, NULL,
- RW_DEFAULT, NULL);
- }
+ ire = kmem_cache_alloc(ire_cache, KM_SLEEP);
+ *ire = ire_null;
+ error = ire_init_v4(ire, 0, 0, 0, IRE_NOROUTE, NULL, ALL_ZONES,
+ RTF_BLACKHOLE|RTF_UP, NULL, ipst);
+ ASSERT(error == 0);
+ ipst->ips_ire_blackhole_v4 = ire;
- /*
- * Make sure that the forwarding table size is a power of 2.
- * The IRE*_ADDR_HASH() macroes depend on that.
- */
- ipst->ips_ip6_ftable_hash_size = ip6_ftable_hash_size;
- power2_roundup(&ipst->ips_ip6_ftable_hash_size);
+ ire = kmem_cache_alloc(ire_cache, KM_SLEEP);
+ *ire = ire_null;
+ error = ire_init_v6(ire, 0, 0, 0, IRE_NOROUTE, NULL, ALL_ZONES,
+ RTF_BLACKHOLE|RTF_UP, NULL, ipst);
+ ASSERT(error == 0);
+ ipst->ips_ire_blackhole_v6 = ire;
- ipst->ips_ire_handle = 1;
+ rw_init(&ipst->ips_ip6_ire_head_lock, NULL, RW_DEFAULT, NULL);
+ rw_init(&ipst->ips_ire_dep_lock, NULL, RW_DEFAULT, NULL);
}
void
ip_ire_g_fini(void)
{
kmem_cache_destroy(ire_cache);
+ kmem_cache_destroy(ncec_cache);
+ kmem_cache_destroy(nce_cache);
kmem_cache_destroy(rt_entry_cache);
rn_fini();
@@ -4599,9 +2308,21 @@ ip_ire_fini(ip_stack_t *ipst)
{
int i;
+ rw_destroy(&ipst->ips_ire_dep_lock);
+ rw_destroy(&ipst->ips_ip6_ire_head_lock);
+
+ ire_refrele_notr(ipst->ips_ire_reject_v6);
+ ipst->ips_ire_reject_v6 = NULL;
+ ire_refrele_notr(ipst->ips_ire_reject_v4);
+ ipst->ips_ire_reject_v4 = NULL;
+ ire_refrele_notr(ipst->ips_ire_blackhole_v6);
+ ipst->ips_ire_blackhole_v6 = NULL;
+ ire_refrele_notr(ipst->ips_ire_blackhole_v4);
+ ipst->ips_ire_blackhole_v4 = NULL;
+
/*
* Delete all IREs - assumes that the ill/ipifs have
- * been removed so what remains are just the ftable and IRE_CACHE.
+ * been removed so what remains are just the ftable to handle.
*/
ire_walk(ire_delete, NULL, ipst);
@@ -4609,23 +2330,6 @@ ip_ire_fini(ip_stack_t *ipst)
ipst->ips_ip_ftable = NULL;
mutex_destroy(&ipst->ips_ire_ft_init_lock);
- mutex_destroy(&ipst->ips_ire_handle_lock);
-
- for (i = 0; i < ipst->ips_ip_cache_table_size; i++) {
- ASSERT(ipst->ips_ip_cache_table[i].irb_ire == NULL);
- rw_destroy(&ipst->ips_ip_cache_table[i].irb_lock);
- }
- kmem_free(ipst->ips_ip_cache_table,
- ipst->ips_ip_cache_table_size * sizeof (irb_t));
- ipst->ips_ip_cache_table = NULL;
-
- for (i = 0; i < ipst->ips_ip6_cache_table_size; i++) {
- ASSERT(ipst->ips_ip_cache_table_v6[i].irb_ire == NULL);
- rw_destroy(&ipst->ips_ip_cache_table_v6[i].irb_lock);
- }
- kmem_free(ipst->ips_ip_cache_table_v6,
- ipst->ips_ip6_cache_table_size * sizeof (irb_t));
- ipst->ips_ip_cache_table_v6 = NULL;
for (i = 0; i < IP6_MASK_TABLE_SIZE; i++) {
irb_t *ptr;
@@ -4643,1116 +2347,1177 @@ ip_ire_fini(ip_stack_t *ipst)
}
}
+#ifdef DEBUG
+void
+ire_trace_ref(ire_t *ire)
+{
+ mutex_enter(&ire->ire_lock);
+ if (ire->ire_trace_disable) {
+ mutex_exit(&ire->ire_lock);
+ return;
+ }
+
+ if (th_trace_ref(ire, ire->ire_ipst)) {
+ mutex_exit(&ire->ire_lock);
+ } else {
+ ire->ire_trace_disable = B_TRUE;
+ mutex_exit(&ire->ire_lock);
+ ire_trace_cleanup(ire);
+ }
+}
+
+void
+ire_untrace_ref(ire_t *ire)
+{
+ mutex_enter(&ire->ire_lock);
+ if (!ire->ire_trace_disable)
+ th_trace_unref(ire);
+ mutex_exit(&ire->ire_lock);
+}
+
+static void
+ire_trace_cleanup(const ire_t *ire)
+{
+ th_trace_cleanup(ire, ire->ire_trace_disable);
+}
+#endif /* DEBUG */
+
/*
- * Check if another multirt route resolution is needed.
- * B_TRUE is returned is there remain a resolvable route,
- * or if no route for that dst is resolved yet.
- * B_FALSE is returned if all routes for that dst are resolved
- * or if the remaining unresolved routes are actually not
- * resolvable.
- * This only works in the global zone.
+ * Find, or create if needed, the nce_t pointer to the neighbor cache
+ * entry ncec_t for an IPv4 address. The nce_t will be created on the ill_t
+ * in the non-IPMP case, or on the cast-ill in the IPMP bcast/mcast case, or
+ * on the next available under-ill (selected by the IPMP rotor) in the
+ * unicast IPMP case.
+ *
+ * If a neighbor-cache entry has to be created (i.e., one does not already
+ * exist in the nce list) the ncec_lladdr and ncec_state of the neighbor cache
+ * entry are initialized in nce_add_v4(). The broadcast, multicast, and
+ * link-layer type determine the contents of {ncec_state, ncec_lladdr} of
+ * the ncec_t created. The ncec_lladdr is non-null for all link types with
+ * non-zero ill_phys_addr_length, though the contents may be zero in cases
+ * where the link-layer type is not known at the time of creation
+ * (e.g., IRE_IFRESOLVER links)
+ *
+ * All IRE_BROADCAST entries have ncec_state = ND_REACHABLE, and the nce_lladr
+ * has the physical broadcast address of the outgoing interface.
+ * For unicast ire entries,
+ * - if the outgoing interface is of type IRE_IF_RESOLVER, a newly created
+ * ncec_t with 0 nce_lladr contents, and will be in the ND_INITIAL state.
+ * - if the outgoing interface is a IRE_IF_NORESOLVER interface, no link
+ * layer resolution is necessary, so that the ncec_t will be in the
+ * ND_REACHABLE state
+ *
+ * The link layer information needed for broadcast addresses, and for
+ * packets sent on IRE_IF_NORESOLVER interfaces is a constant mapping that
+ * never needs re-verification for the lifetime of the ncec_t. These are
+ * therefore marked NCE_F_NONUD.
+ *
+ * The nce returned will be created such that the nce_ill == ill that
+ * is passed in. Note that the nce itself may not have ncec_ill == ill
+ * where IPMP links are involved.
*/
-boolean_t
-ire_multirt_need_resolve(ipaddr_t dst, const ts_label_t *tsl, ip_stack_t *ipst)
+static nce_t *
+ire_nce_init(ill_t *ill, const void *addr, int ire_type)
{
- ire_t *first_fire;
- ire_t *first_cire;
- ire_t *fire;
- ire_t *cire;
- irb_t *firb;
- irb_t *cirb;
- int unres_cnt = 0;
- boolean_t resolvable = B_FALSE;
-
- /* Retrieve the first IRE_HOST that matches the destination */
- first_fire = ire_ftable_lookup(dst, IP_HOST_MASK, 0, IRE_HOST, NULL,
- NULL, ALL_ZONES, 0, tsl,
- MATCH_IRE_MASK | MATCH_IRE_TYPE | MATCH_IRE_SECATTR, ipst);
-
- /* No route at all */
- if (first_fire == NULL) {
- return (B_TRUE);
+ int err;
+ nce_t *nce = NULL;
+ uint16_t ncec_flags;
+ uchar_t *hwaddr;
+ boolean_t need_refrele = B_FALSE;
+ ill_t *in_ill = ill;
+ boolean_t is_unicast;
+ uint_t hwaddr_len;
+
+ is_unicast = ((ire_type & (IRE_MULTICAST|IRE_BROADCAST)) == 0);
+ if (IS_IPMP(ill) ||
+ ((ire_type & IRE_BROADCAST) && IS_UNDER_IPMP(ill))) {
+ if ((ill = ipmp_ill_get_xmit_ill(ill, is_unicast)) == NULL)
+ return (NULL);
+ need_refrele = B_TRUE;
}
+ ncec_flags = (ill->ill_flags & ILLF_NONUD) ? NCE_F_NONUD : 0;
- firb = first_fire->ire_bucket;
- ASSERT(firb != NULL);
+ switch (ire_type) {
+ case IRE_BROADCAST:
+ ASSERT(!ill->ill_isv6);
+ ncec_flags |= (NCE_F_BCAST|NCE_F_NONUD);
+ break;
+ case IRE_MULTICAST:
+ ncec_flags |= (NCE_F_MCAST|NCE_F_NONUD);
+ break;
+ }
- /* Retrieve the first IRE_CACHE ire for that destination. */
- first_cire = ire_cache_lookup(dst, GLOBAL_ZONEID, tsl, ipst);
+ if (ill->ill_net_type == IRE_IF_NORESOLVER && is_unicast) {
+ hwaddr = ill->ill_dest_addr;
+ } else {
+ hwaddr = NULL;
+ }
+ hwaddr_len = ill->ill_phys_addr_length;
- /* No resolved route. */
- if (first_cire == NULL) {
- ire_refrele(first_fire);
- return (B_TRUE);
+retry:
+ /* nce_state will be computed by nce_add_common() */
+ if (!ill->ill_isv6) {
+ err = nce_lookup_then_add_v4(ill, hwaddr, hwaddr_len, addr,
+ ncec_flags, ND_UNCHANGED, &nce);
+ } else {
+ err = nce_lookup_then_add_v6(ill, hwaddr, hwaddr_len, addr,
+ ncec_flags, ND_UNCHANGED, &nce);
}
+ switch (err) {
+ case 0:
+ break;
+ case EEXIST:
+ /*
+ * When subnets change or partially overlap what was once
+ * a broadcast address could now be a unicast, or vice versa.
+ */
+ if (((ncec_flags ^ nce->nce_common->ncec_flags) &
+ NCE_F_BCAST) != 0) {
+ ASSERT(!ill->ill_isv6);
+ ncec_delete(nce->nce_common);
+ nce_refrele(nce);
+ goto retry;
+ }
+ break;
+ default:
+ DTRACE_PROBE2(nce__init__fail, ill_t *, ill, int, err);
+ if (need_refrele)
+ ill_refrele(ill);
+ return (NULL);
+ }
/*
- * At least one route is resolved. Here we look through the forward
- * and cache tables, to compare the number of declared routes
- * with the number of resolved routes. The search for a resolvable
- * route is performed only if at least one route remains
- * unresolved.
+ * If the ill was an under-ill of an IPMP group, we need to verify
+ * that it is still active so that we select an active interface in
+ * the group. However, since ipmp_ill_is_active ASSERTs for
+ * IS_UNDER_IPMP(), we first need to verify that the ill is an
+ * under-ill, and since this is being done in the data path, the
+ * only way to ascertain this is by holding the ill_g_lock.
*/
- cirb = first_cire->ire_bucket;
- ASSERT(cirb != NULL);
-
- /* Count the number of routes to that dest that are declared. */
- IRB_REFHOLD(firb);
- for (fire = first_fire; fire != NULL; fire = fire->ire_next) {
- if (!(fire->ire_flags & RTF_MULTIRT))
- continue;
- if (fire->ire_addr != dst)
- continue;
- unres_cnt++;
+ rw_enter(&ill->ill_ipst->ips_ill_g_lock, RW_READER);
+ mutex_enter(&ill->ill_lock);
+ mutex_enter(&ill->ill_phyint->phyint_lock);
+ if (need_refrele && IS_UNDER_IPMP(ill) && !ipmp_ill_is_active(ill)) {
+ /*
+ * need_refrele implies that the under ill was selected by
+ * ipmp_ill_get_xmit_ill() because either the in_ill was an
+ * ipmp_ill, or we are sending a non-unicast packet on
+ * an under_ill. However, when we get here, the ill selected by
+ * ipmp_ill_get_xmit_ill was pulled out of the active set
+ * (for unicast) or cast_ill nomination (for
+ * !unicast) after it was picked as the outgoing ill.
+ * We have to pick an active interface and/or cast_ill in the
+ * group.
+ */
+ mutex_exit(&ill->ill_phyint->phyint_lock);
+ nce_delete(nce);
+ mutex_exit(&ill->ill_lock);
+ rw_exit(&ill->ill_ipst->ips_ill_g_lock);
+ nce_refrele(nce);
+ ill_refrele(ill);
+ if ((ill = ipmp_ill_get_xmit_ill(in_ill, is_unicast)) == NULL)
+ return (NULL);
+ goto retry;
+ } else {
+ mutex_exit(&ill->ill_phyint->phyint_lock);
+ mutex_exit(&ill->ill_lock);
+ rw_exit(&ill->ill_ipst->ips_ill_g_lock);
}
- IRB_REFRELE(firb);
+done:
+ ASSERT(nce->nce_ill == ill);
+ if (need_refrele)
+ ill_refrele(ill);
+ return (nce);
+}
- /* Then subtract the number of routes to that dst that are resolved */
- IRB_REFHOLD(cirb);
- for (cire = first_cire; cire != NULL; cire = cire->ire_next) {
- if (!(cire->ire_flags & RTF_MULTIRT))
- continue;
- if (cire->ire_addr != dst)
- continue;
- if (cire->ire_marks & (IRE_MARK_CONDEMNED|IRE_MARK_TESTHIDDEN))
- continue;
- unres_cnt--;
- }
- IRB_REFRELE(cirb);
+nce_t *
+arp_nce_init(ill_t *ill, in_addr_t addr4, int ire_type)
+{
+ return (ire_nce_init(ill, &addr4, ire_type));
+}
- /* At least one route is unresolved; search for a resolvable route. */
- if (unres_cnt > 0)
- resolvable = ire_multirt_lookup(&first_cire, &first_fire,
- MULTIRT_USESTAMP | MULTIRT_CACHEGW, NULL, tsl, ipst);
+nce_t *
+ndp_nce_init(ill_t *ill, const in6_addr_t *addr6, int ire_type)
+{
+ ASSERT((ire_type & IRE_BROADCAST) == 0);
+ return (ire_nce_init(ill, addr6, ire_type));
+}
- if (first_fire != NULL)
- ire_refrele(first_fire);
+/*
+ * The caller should hold irb_lock as a writer if the ire is in a bucket.
+ */
+void
+ire_make_condemned(ire_t *ire)
+{
+ ip_stack_t *ipst = ire->ire_ipst;
+
+ mutex_enter(&ire->ire_lock);
+ ASSERT(ire->ire_bucket == NULL ||
+ RW_WRITE_HELD(&ire->ire_bucket->irb_lock));
+ ASSERT(!IRE_IS_CONDEMNED(ire));
+ ire->ire_generation = IRE_GENERATION_CONDEMNED;
+ /* Count how many condemned ires for kmem_cache callback */
+ atomic_add_32(&ipst->ips_num_ire_condemned, 1);
+ mutex_exit(&ire->ire_lock);
+}
- if (first_cire != NULL)
- ire_refrele(first_cire);
+/*
+ * Increment the generation avoiding the special condemned value
+ */
+void
+ire_increment_generation(ire_t *ire)
+{
+ uint_t generation;
- return (resolvable);
+ mutex_enter(&ire->ire_lock);
+ /*
+ * Even though the caller has a hold it can't prevent a concurrent
+ * ire_delete marking the IRE condemned
+ */
+ if (!IRE_IS_CONDEMNED(ire)) {
+ generation = ire->ire_generation + 1;
+ if (generation == IRE_GENERATION_CONDEMNED)
+ generation = IRE_GENERATION_INITIAL;
+ ASSERT(generation != IRE_GENERATION_VERIFY);
+ ire->ire_generation = generation;
+ }
+ mutex_exit(&ire->ire_lock);
}
/*
- * Explore a forward_table bucket, starting from fire_arg.
- * fire_arg MUST be an IRE_HOST entry.
- *
- * Return B_TRUE and update *ire_arg and *fire_arg
- * if at least one resolvable route is found. *ire_arg
- * is the IRE entry for *fire_arg's gateway.
- *
- * Return B_FALSE otherwise (all routes are resolved or
- * the remaining unresolved routes are all unresolvable).
- *
- * The IRE selection relies on a priority mechanism
- * driven by the flags passed in by the caller.
- * The caller, such as ip_newroute_ipif(), can get the most
- * relevant ire at each stage of a multiple route resolution.
- *
- * The rules are:
- *
- * - if MULTIRT_CACHEGW is specified in flags, IRE_CACHETABLE
- * ires are preferred for the gateway. This gives the highest
- * priority to routes that can be resolved without using
- * a resolver.
+ * Increment ire_generation on all the IRE_MULTICASTs
+ * Used when the default multicast interface (as determined by
+ * ill_lookup_multicast) might have changed.
*
- * - if MULTIRT_CACHEGW is not specified, or if MULTIRT_CACHEGW
- * is specified but no IRE_CACHETABLE ire entry for the gateway
- * is found, the following rules apply.
- *
- * - if MULTIRT_USESTAMP is specified in flags, IRE_INTERFACE
- * ires for the gateway, that have not been tried since
- * a configurable amount of time, are preferred.
- * This applies when a resolver must be invoked for
- * a missing route, but we don't want to use the resolver
- * upon each packet emission. If no such resolver is found,
- * B_FALSE is returned.
- * The MULTIRT_USESTAMP flag can be combined with
- * MULTIRT_CACHEGW.
- *
- * - if MULTIRT_USESTAMP is not specified in flags, the first
- * unresolved but resolvable route is selected.
- *
- * - Otherwise, there is no resolvable route, and
- * B_FALSE is returned.
- *
- * At last, MULTIRT_SETSTAMP can be specified in flags to
- * request the timestamp of unresolvable routes to
- * be refreshed. This prevents the useless exploration
- * of those routes for a while, when MULTIRT_USESTAMP is used.
- *
- * The argument already_resolved_count is an output variable to track number
- * of already resolved multirt routes.
- *
- * This only works in the global zone.
+ * That includes the zoneid, IFF_ flags, the IPv6 scope of the address, and
+ * ill unplumb.
*/
-boolean_t
-ire_multirt_lookup(ire_t **ire_arg, ire_t **fire_arg, uint32_t flags,
- int *already_resolved_count, const ts_label_t *tsl, ip_stack_t *ipst)
+void
+ire_increment_multicast_generation(ip_stack_t *ipst, boolean_t isv6)
{
- clock_t delta;
- ire_t *best_fire = NULL;
- ire_t *best_cire = NULL;
- ire_t *first_fire;
- ire_t *first_cire;
- ire_t *fire;
- ire_t *cire;
- irb_t *firb = NULL;
- irb_t *cirb = NULL;
- ire_t *gw_ire;
- boolean_t already_resolved;
- boolean_t res;
- ipaddr_t dst;
- ipaddr_t gw;
-
- ip2dbg(("ire_multirt_lookup: *ire_arg %p, *fire_arg %p, flags %04x\n",
- (void *)*ire_arg, (void *)*fire_arg, flags));
-
- ASSERT(ire_arg != NULL);
- ASSERT(fire_arg != NULL);
-
- /* Not an IRE_HOST ire; give up. */
- if ((*fire_arg == NULL) || ((*fire_arg)->ire_type != IRE_HOST)) {
- return (B_FALSE);
+ ill_t *ill;
+ ill_walk_context_t ctx;
+
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
+ if (isv6)
+ ill = ILL_START_WALK_V6(&ctx, ipst);
+ else
+ ill = ILL_START_WALK_V4(&ctx, ipst);
+ for (; ill != NULL; ill = ill_next(&ctx, ill)) {
+ if (ILL_IS_CONDEMNED(ill))
+ continue;
+ if (ill->ill_ire_multicast != NULL)
+ ire_increment_generation(ill->ill_ire_multicast);
}
+ rw_exit(&ipst->ips_ill_g_lock);
+}
- /* This is the first IRE_HOST ire for that destination. */
- first_fire = *fire_arg;
- firb = first_fire->ire_bucket;
- ASSERT(firb != NULL);
+/*
+ * Return a held IRE_NOROUTE with RTF_REJECT set
+ */
+ire_t *
+ire_reject(ip_stack_t *ipst, boolean_t isv6)
+{
+ ire_t *ire;
- dst = first_fire->ire_addr;
+ if (isv6)
+ ire = ipst->ips_ire_reject_v6;
+ else
+ ire = ipst->ips_ire_reject_v4;
- ip2dbg(("ire_multirt_lookup: dst %08x\n", ntohl(dst)));
+ ASSERT(ire->ire_generation != IRE_GENERATION_CONDEMNED);
+ ire_refhold(ire);
+ return (ire);
+}
- /*
- * Retrieve the first IRE_CACHE ire for that destination;
- * if we don't find one, no route for that dest is
- * resolved yet.
- */
- first_cire = ire_cache_lookup(dst, GLOBAL_ZONEID, tsl, ipst);
- if (first_cire != NULL) {
- cirb = first_cire->ire_bucket;
- }
+/*
+ * Return a held IRE_NOROUTE with RTF_BLACKHOLE set
+ */
+ire_t *
+ire_blackhole(ip_stack_t *ipst, boolean_t isv6)
+{
+ ire_t *ire;
- ip2dbg(("ire_multirt_lookup: first_cire %p\n", (void *)first_cire));
+ if (isv6)
+ ire = ipst->ips_ire_blackhole_v6;
+ else
+ ire = ipst->ips_ire_blackhole_v4;
- /*
- * Search for a resolvable route, giving the top priority
- * to routes that can be resolved without any call to the resolver.
- */
- IRB_REFHOLD(firb);
+ ASSERT(ire->ire_generation != IRE_GENERATION_CONDEMNED);
+ ire_refhold(ire);
+ return (ire);
+}
+
+/*
+ * Return a held IRE_MULTICAST.
+ */
+ire_t *
+ire_multicast(ill_t *ill)
+{
+ ire_t *ire = ill->ill_ire_multicast;
+
+ ASSERT(ire == NULL || ire->ire_generation != IRE_GENERATION_CONDEMNED);
+ if (ire == NULL)
+ ire = ire_blackhole(ill->ill_ipst, ill->ill_isv6);
+ else
+ ire_refhold(ire);
+ return (ire);
+}
+
+/*
+ * Given an IRE return its nexthop IRE. The nexthop IRE is an IRE_ONLINK
+ * that is an exact match (i.e., a /32 for IPv4 and /128 for IPv6).
+ * This can return an RTF_REJECT|RTF_BLACKHOLE.
+ * The returned IRE is held.
+ * The assumption is that ip_select_route() has been called and returned the
+ * IRE (thus ip_select_route would have set up the ire_dep* information.)
+ * If some IRE is deleteted then ire_dep_remove() will have been called and
+ * we might not find a nexthop IRE, in which case we return NULL.
+ */
+ire_t *
+ire_nexthop(ire_t *ire)
+{
+ ip_stack_t *ipst = ire->ire_ipst;
- if (!CLASSD(dst)) {
+ /* Acquire lock to walk ire_dep_parent */
+ rw_enter(&ipst->ips_ire_dep_lock, RW_READER);
+ while (ire != NULL) {
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ goto done;
+ }
/*
- * For all multiroute IRE_HOST ires for that destination,
- * check if the route via the IRE_HOST's gateway is
- * resolved yet.
+ * If we find an IRE_ONLINK we are done. This includes
+ * the case of IRE_MULTICAST.
+ * Note that in order to send packets we need a host-specific
+ * IRE_IF_ALL first in the ire_dep_parent chain. Normally this
+ * is done by inserting an IRE_IF_CLONE if the IRE_INTERFACE
+ * was not host specific.
+ * However, ip_rts_request doesn't want to send packets
+ * hence doesn't want to allocate an IRE_IF_CLONE. Yet
+ * it needs an IRE_IF_ALL to get to the ill. Thus
+ * we return IRE_IF_ALL that are not host specific here.
*/
- for (fire = first_fire; fire != NULL; fire = fire->ire_next) {
-
- if (!(fire->ire_flags & RTF_MULTIRT))
- continue;
- if (fire->ire_addr != dst)
- continue;
+ if (ire->ire_type & IRE_ONLINK)
+ goto done;
+ ire = ire->ire_dep_parent;
+ }
+ rw_exit(&ipst->ips_ire_dep_lock);
+ return (NULL);
- if (fire->ire_gw_secattr != NULL &&
- tsol_ire_match_gwattr(fire, tsl) != 0) {
- continue;
- }
+done:
+ ire_refhold(ire);
+ rw_exit(&ipst->ips_ire_dep_lock);
+ return (ire);
+}
- gw = fire->ire_gateway_addr;
-
- ip2dbg(("ire_multirt_lookup: fire %p, "
- "ire_addr %08x, ire_gateway_addr %08x\n",
- (void *)fire, ntohl(fire->ire_addr), ntohl(gw)));
-
- already_resolved = B_FALSE;
-
- if (first_cire != NULL) {
- ASSERT(cirb != NULL);
-
- IRB_REFHOLD(cirb);
- /*
- * For all IRE_CACHE ires for that
- * destination.
- */
- for (cire = first_cire;
- cire != NULL;
- cire = cire->ire_next) {
-
- if (!(cire->ire_flags & RTF_MULTIRT))
- continue;
- if (cire->ire_addr != dst)
- continue;
- if (cire->ire_marks &
- (IRE_MARK_CONDEMNED |
- IRE_MARK_TESTHIDDEN))
- continue;
-
- if (cire->ire_gw_secattr != NULL &&
- tsol_ire_match_gwattr(cire,
- tsl) != 0) {
- continue;
- }
+/*
+ * Find the ill used to send packets. This will be NULL in case
+ * of a reject or blackhole.
+ * The returned ill is held; caller needs to do ill_refrele when done.
+ */
+ill_t *
+ire_nexthop_ill(ire_t *ire)
+{
+ ill_t *ill;
- /*
- * Check if the IRE_CACHE's gateway
- * matches the IRE_HOST's gateway.
- */
- if (cire->ire_gateway_addr == gw) {
- already_resolved = B_TRUE;
- break;
- }
- }
- IRB_REFRELE(cirb);
- }
+ ire = ire_nexthop(ire);
+ if (ire == NULL)
+ return (NULL);
- /*
- * This route is already resolved;
- * proceed with next one.
- */
- if (already_resolved) {
- ip2dbg(("ire_multirt_lookup: found cire %p, "
- "already resolved\n", (void *)cire));
+ /* ire_ill can not change for an existing ire */
+ ill = ire->ire_ill;
+ if (ill != NULL)
+ ill_refhold(ill);
+ ire_refrele(ire);
+ return (ill);
+}
- if (already_resolved_count != NULL)
- (*already_resolved_count)++;
- continue;
- }
+#ifdef DEBUG
+static boolean_t
+parent_has_child(ire_t *parent, ire_t *child)
+{
+ ire_t *ire;
+ ire_t *prev;
- /*
- * The route is unresolved; is it actually
- * resolvable, i.e. is there a cache or a resolver
- * for the gateway?
- */
- gw_ire = ire_route_lookup(gw, 0, 0, 0, NULL, NULL,
- ALL_ZONES, tsl,
- MATCH_IRE_RECURSIVE | MATCH_IRE_SECATTR, ipst);
+ ire = parent->ire_dep_children;
+ prev = NULL;
+ while (ire != NULL) {
+ if (prev == NULL) {
+ ASSERT(ire->ire_dep_sib_ptpn ==
+ &(parent->ire_dep_children));
+ } else {
+ ASSERT(ire->ire_dep_sib_ptpn ==
+ &(prev->ire_dep_sib_next));
+ }
+ if (ire == child)
+ return (B_TRUE);
+ prev = ire;
+ ire = ire->ire_dep_sib_next;
+ }
+ return (B_FALSE);
+}
- ip2dbg(("ire_multirt_lookup: looked up gw_ire %p\n",
- (void *)gw_ire));
+static void
+ire_dep_verify(ire_t *ire)
+{
+ ire_t *parent = ire->ire_dep_parent;
+ ire_t *child = ire->ire_dep_children;
- /*
- * If gw_ire is typed IRE_CACHETABLE,
- * this route can be resolved without any call to the
- * resolver. If the MULTIRT_CACHEGW flag is set,
- * give the top priority to this ire and exit the
- * loop.
- * This is typically the case when an ARP reply
- * is processed through ip_wput_nondata().
- */
- if ((flags & MULTIRT_CACHEGW) &&
- (gw_ire != NULL) &&
- (gw_ire->ire_type & IRE_CACHETABLE)) {
- ASSERT(gw_ire->ire_nce == NULL ||
- gw_ire->ire_nce->nce_state == ND_REACHABLE);
- /*
- * Release the resolver associated to the
- * previous candidate best ire, if any.
- */
- if (best_cire != NULL) {
- ire_refrele(best_cire);
- ASSERT(best_fire != NULL);
- }
+ ASSERT(ire->ire_ipversion == IPV4_VERSION ||
+ ire->ire_ipversion == IPV6_VERSION);
+ if (parent != NULL) {
+ ASSERT(parent->ire_ipversion == IPV4_VERSION ||
+ parent->ire_ipversion == IPV6_VERSION);
+ ASSERT(parent->ire_refcnt >= 1);
+ ASSERT(parent_has_child(parent, ire));
+ }
+ if (child != NULL) {
+ ASSERT(child->ire_ipversion == IPV4_VERSION ||
+ child->ire_ipversion == IPV6_VERSION);
+ ASSERT(child->ire_dep_parent == ire);
+ ASSERT(child->ire_dep_sib_ptpn != NULL);
+ ASSERT(parent_has_child(ire, child));
+ }
+}
+#endif /* DEBUG */
- best_fire = fire;
- best_cire = gw_ire;
+/*
+ * Assumes ire_dep_parent is set. Remove this child from its parent's linkage.
+ */
+void
+ire_dep_remove(ire_t *ire)
+{
+ ip_stack_t *ipst = ire->ire_ipst;
+ ire_t *parent = ire->ire_dep_parent;
+ ire_t *next;
+ nce_t *nce;
- ip2dbg(("ire_multirt_lookup: found top prio "
- "best_fire %p, best_cire %p\n",
- (void *)best_fire, (void *)best_cire));
- break;
- }
+ ASSERT(RW_WRITE_HELD(&ipst->ips_ire_dep_lock));
+ ASSERT(ire->ire_dep_parent != NULL);
+ ASSERT(ire->ire_dep_sib_ptpn != NULL);
- /*
- * Compute the time elapsed since our preceding
- * attempt to resolve that route.
- * If the MULTIRT_USESTAMP flag is set, we take that
- * route into account only if this time interval
- * exceeds ip_multirt_resolution_interval;
- * this prevents us from attempting to resolve a
- * broken route upon each sending of a packet.
- */
- delta = lbolt - fire->ire_last_used_time;
- delta = TICK_TO_MSEC(delta);
-
- res = (boolean_t)((delta >
- ipst->ips_ip_multirt_resolution_interval) ||
- (!(flags & MULTIRT_USESTAMP)));
-
- ip2dbg(("ire_multirt_lookup: fire %p, delta %lu, "
- "res %d\n",
- (void *)fire, delta, res));
-
- if (res) {
- /*
- * We are here if MULTIRT_USESTAMP flag is set
- * and the resolver for fire's gateway
- * has not been tried since
- * ip_multirt_resolution_interval, or if
- * MULTIRT_USESTAMP is not set but gw_ire did
- * not fill the conditions for MULTIRT_CACHEGW,
- * or if neither MULTIRT_USESTAMP nor
- * MULTIRT_CACHEGW are set.
- */
- if (gw_ire != NULL) {
- if (best_fire == NULL) {
- ASSERT(best_cire == NULL);
-
- best_fire = fire;
- best_cire = gw_ire;
-
- ip2dbg(("ire_multirt_lookup:"
- "found candidate "
- "best_fire %p, "
- "best_cire %p\n",
- (void *)best_fire,
- (void *)best_cire));
-
- /*
- * If MULTIRT_CACHEGW is not
- * set, we ignore the top
- * priority ires that can
- * be resolved without any
- * call to the resolver;
- * In that case, there is
- * actually no need
- * to continue the loop.
- */
- if (!(flags &
- MULTIRT_CACHEGW)) {
- break;
- }
- continue;
- }
- } else {
- /*
- * No resolver for the gateway: the
- * route is not resolvable.
- * If the MULTIRT_SETSTAMP flag is
- * set, we stamp the IRE_HOST ire,
- * so we will not select it again
- * during this resolution interval.
- */
- if (flags & MULTIRT_SETSTAMP)
- fire->ire_last_used_time =
- lbolt;
- }
- }
+#ifdef DEBUG
+ ire_dep_verify(ire);
+ ire_dep_verify(parent);
+#endif
- if (gw_ire != NULL)
- ire_refrele(gw_ire);
- }
- } else { /* CLASSD(dst) */
+ next = ire->ire_dep_sib_next;
+ if (next != NULL)
+ next->ire_dep_sib_ptpn = ire->ire_dep_sib_ptpn;
- for (fire = first_fire;
- fire != NULL;
- fire = fire->ire_next) {
+ ASSERT(*(ire->ire_dep_sib_ptpn) == ire);
+ *(ire->ire_dep_sib_ptpn) = ire->ire_dep_sib_next;
- if (!(fire->ire_flags & RTF_MULTIRT))
- continue;
- if (fire->ire_addr != dst)
- continue;
+ ire->ire_dep_sib_ptpn = NULL;
+ ire->ire_dep_sib_next = NULL;
- if (fire->ire_gw_secattr != NULL &&
- tsol_ire_match_gwattr(fire, tsl) != 0) {
- continue;
- }
+ mutex_enter(&ire->ire_lock);
+ parent = ire->ire_dep_parent;
+ ire->ire_dep_parent = NULL;
+ mutex_exit(&ire->ire_lock);
- already_resolved = B_FALSE;
+ /*
+ * Make sure all our children, grandchildren, etc set
+ * ire_dep_parent_generation to IRE_GENERATION_VERIFY since
+ * we can no longer guarantee than the children have a current
+ * ire_nce_cache and ire_nexthop_ill().
+ */
+ if (ire->ire_dep_children != NULL)
+ ire_dep_invalidate_children(ire->ire_dep_children);
- gw = fire->ire_gateway_addr;
+ /*
+ * Since the parent is gone we make sure we clear ire_nce_cache.
+ * We can clear it under ire_lock even if the IRE is used
+ */
+ mutex_enter(&ire->ire_lock);
+ nce = ire->ire_nce_cache;
+ ire->ire_nce_cache = NULL;
+ mutex_exit(&ire->ire_lock);
+ if (nce != NULL)
+ nce_refrele(nce);
- gw_ire = ire_ftable_lookup(gw, 0, 0, IRE_INTERFACE,
- NULL, NULL, ALL_ZONES, 0, tsl,
- MATCH_IRE_RECURSIVE | MATCH_IRE_TYPE |
- MATCH_IRE_SECATTR, ipst);
+#ifdef DEBUG
+ ire_dep_verify(ire);
+ ire_dep_verify(parent);
+#endif
- /* No resolver for the gateway; we skip this ire. */
- if (gw_ire == NULL) {
- continue;
- }
- ASSERT(gw_ire->ire_nce == NULL ||
- gw_ire->ire_nce->nce_state == ND_REACHABLE);
-
- if (first_cire != NULL) {
-
- IRB_REFHOLD(cirb);
- /*
- * For all IRE_CACHE ires for that
- * destination.
- */
- for (cire = first_cire;
- cire != NULL;
- cire = cire->ire_next) {
-
- if (!(cire->ire_flags & RTF_MULTIRT))
- continue;
- if (cire->ire_addr != dst)
- continue;
- if (cire->ire_marks &
- (IRE_MARK_CONDEMNED |
- IRE_MARK_TESTHIDDEN))
- continue;
-
- if (cire->ire_gw_secattr != NULL &&
- tsol_ire_match_gwattr(cire,
- tsl) != 0) {
- continue;
- }
+ ire_refrele_notr(parent);
+ ire_refrele_notr(ire);
+}
- /*
- * Cache entries are linked to the
- * parent routes using the parent handle
- * (ire_phandle). If no cache entry has
- * the same handle as fire, fire is
- * still unresolved.
- */
- ASSERT(cire->ire_phandle != 0);
- if (cire->ire_phandle ==
- fire->ire_phandle) {
- already_resolved = B_TRUE;
- break;
- }
- }
- IRB_REFRELE(cirb);
- }
+/*
+ * Insert the child in the linkage of the parent
+ */
+static void
+ire_dep_parent_insert(ire_t *child, ire_t *parent)
+{
+ ip_stack_t *ipst = child->ire_ipst;
+ ire_t *next;
- /*
- * This route is already resolved; proceed with
- * next one.
- */
- if (already_resolved) {
- ire_refrele(gw_ire);
- if (already_resolved_count != NULL)
- (*already_resolved_count)++;
- continue;
- }
+ ASSERT(RW_WRITE_HELD(&ipst->ips_ire_dep_lock));
+ ASSERT(child->ire_dep_parent == NULL);
- /*
- * Compute the time elapsed since our preceding
- * attempt to resolve that route.
- * If the MULTIRT_USESTAMP flag is set, we take
- * that route into account only if this time
- * interval exceeds ip_multirt_resolution_interval;
- * this prevents us from attempting to resolve a
- * broken route upon each sending of a packet.
- */
- delta = lbolt - fire->ire_last_used_time;
- delta = TICK_TO_MSEC(delta);
-
- res = (boolean_t)((delta >
- ipst->ips_ip_multirt_resolution_interval) ||
- (!(flags & MULTIRT_USESTAMP)));
-
- ip3dbg(("ire_multirt_lookup: fire %p, delta %lx, "
- "flags %04x, res %d\n",
- (void *)fire, delta, flags, res));
-
- if (res) {
- if (best_cire != NULL) {
- /*
- * Release the resolver associated
- * to the preceding candidate best
- * ire, if any.
- */
- ire_refrele(best_cire);
- ASSERT(best_fire != NULL);
- }
- best_fire = fire;
- best_cire = gw_ire;
- continue;
- }
+#ifdef DEBUG
+ ire_dep_verify(child);
+ ire_dep_verify(parent);
+#endif
+ /* No parents => no siblings */
+ ASSERT(child->ire_dep_sib_ptpn == NULL);
+ ASSERT(child->ire_dep_sib_next == NULL);
- ire_refrele(gw_ire);
- }
- }
+ ire_refhold_notr(parent);
+ ire_refhold_notr(child);
- if (best_fire != NULL) {
- IRE_REFHOLD(best_fire);
+ /* Head insertion */
+ next = parent->ire_dep_children;
+ if (next != NULL) {
+ ASSERT(next->ire_dep_sib_ptpn == &(parent->ire_dep_children));
+ child->ire_dep_sib_next = next;
+ next->ire_dep_sib_ptpn = &(child->ire_dep_sib_next);
}
- IRB_REFRELE(firb);
+ parent->ire_dep_children = child;
+ child->ire_dep_sib_ptpn = &(parent->ire_dep_children);
- /* Release the first IRE_CACHE we initially looked up, if any. */
- if (first_cire != NULL)
- ire_refrele(first_cire);
+ mutex_enter(&child->ire_lock);
+ child->ire_dep_parent = parent;
+ mutex_exit(&child->ire_lock);
- /* Found a resolvable route. */
- if (best_fire != NULL) {
- ASSERT(best_cire != NULL);
-
- if (*fire_arg != NULL)
- ire_refrele(*fire_arg);
- if (*ire_arg != NULL)
- ire_refrele(*ire_arg);
+#ifdef DEBUG
+ ire_dep_verify(child);
+ ire_dep_verify(parent);
+#endif
+}
- /*
- * Update the passed-in arguments with the
- * resolvable multirt route we found.
- */
- *fire_arg = best_fire;
- *ire_arg = best_cire;
- ip2dbg(("ire_multirt_lookup: returning B_TRUE, "
- "*fire_arg %p, *ire_arg %p\n",
- (void *)best_fire, (void *)best_cire));
+/*
+ * Given count worth of ires and generations, build ire_dep_* relationships
+ * from ires[0] to ires[count-1]. Record generations[i+1] in
+ * ire_dep_parent_generation for ires[i].
+ * We graft onto an existing parent chain by making sure that we don't
+ * touch ire_dep_parent for ires[count-1].
+ *
+ * We check for any condemned ire_generation count and return B_FALSE in
+ * that case so that the caller can tear it apart.
+ *
+ * Note that generations[0] is not used. Caller handles that.
+ */
+boolean_t
+ire_dep_build(ire_t *ires[], uint_t generations[], uint_t count)
+{
+ ire_t *ire = ires[0];
+ ip_stack_t *ipst;
+ uint_t i;
+ ASSERT(count > 0);
+ if (count == 1) {
+ /* No work to do */
return (B_TRUE);
}
+ ipst = ire->ire_ipst;
+ rw_enter(&ipst->ips_ire_dep_lock, RW_WRITER);
+ /*
+ * Do not remove the linkage for any existing parent chain i.e.,
+ * ires[count-1] is left alone.
+ */
+ for (i = 0; i < count-1; i++) {
+ /* Remove existing parent if we need to change it */
+ if (ires[i]->ire_dep_parent != NULL &&
+ ires[i]->ire_dep_parent != ires[i+1])
+ ire_dep_remove(ires[i]);
+ }
- ASSERT(best_cire == NULL);
+ for (i = 0; i < count - 1; i++) {
+ ASSERT(ires[i]->ire_ipversion == IPV4_VERSION ||
+ ires[i]->ire_ipversion == IPV6_VERSION);
+ /* Does it need to change? */
+ if (ires[i]->ire_dep_parent != ires[i+1])
+ ire_dep_parent_insert(ires[i], ires[i+1]);
- ip2dbg(("ire_multirt_lookup: returning B_FALSE, *fire_arg %p, "
- "*ire_arg %p\n",
- (void *)*fire_arg, (void *)*ire_arg));
+ mutex_enter(&ires[i+1]->ire_lock);
+ if (IRE_IS_CONDEMNED(ires[i+1])) {
+ mutex_exit(&ires[i+1]->ire_lock);
+ rw_exit(&ipst->ips_ire_dep_lock);
+ return (B_FALSE);
+ }
+ mutex_exit(&ires[i+1]->ire_lock);
- /* No resolvable route. */
- return (B_FALSE);
+ mutex_enter(&ires[i]->ire_lock);
+ ires[i]->ire_dep_parent_generation = generations[i+1];
+ mutex_exit(&ires[i]->ire_lock);
+ }
+ rw_exit(&ipst->ips_ire_dep_lock);
+ return (B_TRUE);
}
/*
- * IRE iterator for inbound and loopback broadcast processing.
- * Given an IRE_BROADCAST ire, walk the ires with the same destination
- * address, but skip over the passed-in ire. Returns the next ire without
- * a hold - assumes that the caller holds a reference on the IRE bucket.
+ * Given count worth of ires, unbuild ire_dep_* relationships
+ * from ires[0] to ires[count-1].
*/
-ire_t *
-ire_get_next_bcast_ire(ire_t *curr, ire_t *ire)
+void
+ire_dep_unbuild(ire_t *ires[], uint_t count)
{
- ill_t *ill;
+ ip_stack_t *ipst;
+ uint_t i;
- if (curr == NULL) {
- for (curr = ire->ire_bucket->irb_ire; curr != NULL;
- curr = curr->ire_next) {
- if (curr->ire_addr == ire->ire_addr)
- break;
- }
- } else {
- curr = curr->ire_next;
+ if (count == 0) {
+ /* No work to do */
+ return;
}
- ill = ire_to_ill(ire);
- for (; curr != NULL; curr = curr->ire_next) {
- if (curr->ire_addr != ire->ire_addr) {
- /*
- * All the IREs to a given destination are contiguous;
- * break out once the address doesn't match.
- */
- break;
- }
- if (curr == ire) {
- /* skip over the passed-in ire */
- continue;
- }
- if ((curr->ire_stq != NULL && ire->ire_stq == NULL) ||
- (curr->ire_stq == NULL && ire->ire_stq != NULL)) {
+ ipst = ires[0]->ire_ipst;
+ rw_enter(&ipst->ips_ire_dep_lock, RW_WRITER);
+ for (i = 0; i < count; i++) {
+ ASSERT(ires[i]->ire_ipversion == IPV4_VERSION ||
+ ires[i]->ire_ipversion == IPV6_VERSION);
+ if (ires[i]->ire_dep_parent != NULL)
+ ire_dep_remove(ires[i]);
+ mutex_enter(&ires[i]->ire_lock);
+ ires[i]->ire_dep_parent_generation = IRE_GENERATION_VERIFY;
+ mutex_exit(&ires[i]->ire_lock);
+ }
+ rw_exit(&ipst->ips_ire_dep_lock);
+}
+
+/*
+ * Both the forwarding and the outbound code paths can trip on
+ * a condemned NCE, in which case we call this function.
+ * We have two different behaviors: if the NCE was UNREACHABLE
+ * it is an indication that something failed. In that case
+ * we see if we should look for a different IRE (for example,
+ * delete any matching redirect IRE, or try a different
+ * IRE_DEFAULT (ECMP)). We mark the ire as bad so a hopefully
+ * different IRE will be picked next time we send/forward.
+ *
+ * If we are called by the output path then fail_if_better is set
+ * and we return NULL if there could be a better IRE. This is because the
+ * output path retries the IRE lookup. (The input/forward path can not retry.)
+ *
+ * If the NCE was not unreachable then we pick/allocate a
+ * new (most likely ND_INITIAL) NCE and proceed with it.
+ *
+ * ipha/ip6h are needed for multicast packets; ipha needs to be
+ * set for IPv4 and ip6h needs to be set for IPv6 packets.
+ */
+nce_t *
+ire_handle_condemned_nce(nce_t *nce, ire_t *ire, ipha_t *ipha, ip6_t *ip6h,
+ boolean_t fail_if_better)
+{
+ if (nce->nce_common->ncec_state == ND_UNREACHABLE) {
+ if (ire_no_good(ire) && fail_if_better) {
/*
- * If the passed-in ire is loopback, skip over
- * non-loopback ires and vice versa.
+ * Did some changes, or ECMP likely to exist.
+ * Make ip_output look for a different IRE
*/
- continue;
+ return (NULL);
}
- if (ire_to_ill(curr) != ill) {
- /* skip over IREs going through a different interface */
- continue;
+ }
+ if (ire_revalidate_nce(ire) == ENETUNREACH) {
+ /* The ire_dep_parent chain went bad, or no memory? */
+ (void) ire_no_good(ire);
+ return (NULL);
+ }
+ if (ire->ire_ipversion == IPV4_VERSION) {
+ ASSERT(ipha != NULL);
+ nce = ire_to_nce(ire, ipha->ipha_dst, NULL);
+ } else {
+ ASSERT(ip6h != NULL);
+ nce = ire_to_nce(ire, INADDR_ANY, &ip6h->ip6_dst);
+ }
+
+ if (nce == NULL)
+ return (NULL);
+ if (nce->nce_is_condemned) {
+ nce_refrele(nce);
+ return (NULL);
+ }
+ return (nce);
+}
+
+/*
+ * The caller has found that the ire is bad, either due to a reference to an NCE
+ * in ND_UNREACHABLE state, or a MULTIRT route whose gateway can't be resolved.
+ * We update things so a subsequent attempt to send to the destination
+ * is likely to find different IRE, or that a new NCE would be created.
+ *
+ * Returns B_TRUE if it is likely that a subsequent ire_ftable_lookup would
+ * find a different route (either due to having deleted a redirect, or there
+ * being ECMP routes.)
+ *
+ * If we have a redirect (RTF_DYNAMIC) we delete it.
+ * Otherwise we increment ire_badcnt and increment the generation number so
+ * that a cached ixa_ire will redo the route selection. ire_badcnt is taken
+ * into account in the route selection when we have multiple choices (multiple
+ * default routes or ECMP in general).
+ * Any time ip_select_route find an ire with a condemned ire_nce_cache
+ * (e.g., if no equal cost route to the bad one) ip_select_route will make
+ * sure the NCE is revalidated to avoid getting stuck on a
+ * NCE_F_CONDMNED ncec that caused ire_no_good to be called.
+ */
+boolean_t
+ire_no_good(ire_t *ire)
+{
+ ip_stack_t *ipst = ire->ire_ipst;
+ ire_t *ire2;
+ nce_t *nce;
+
+ if (ire->ire_flags & RTF_DYNAMIC) {
+ ire_delete(ire);
+ return (B_TRUE);
+ }
+ if (ire->ire_flags & RTF_INDIRECT) {
+ /* Check if next IRE is a redirect */
+ rw_enter(&ipst->ips_ire_dep_lock, RW_READER);
+ if (ire->ire_dep_parent != NULL &&
+ (ire->ire_dep_parent->ire_flags & RTF_DYNAMIC)) {
+ ire2 = ire->ire_dep_parent;
+ ire_refhold(ire2);
+ } else {
+ ire2 = NULL;
}
- if (curr->ire_marks & IRE_MARK_CONDEMNED) {
- /* skip over deleted IREs */
- continue;
+ rw_exit(&ipst->ips_ire_dep_lock);
+ if (ire2 != NULL) {
+ ire_delete(ire2);
+ ire_refrele(ire2);
+ return (B_TRUE);
}
- return (curr);
}
- return (NULL);
+ /*
+ * No redirect involved. Increment badcnt so that if we have ECMP
+ * routes we are likely to pick a different one for the next packet.
+ *
+ * If the NCE is unreachable and condemned we should drop the reference
+ * to it so that a new NCE can be created.
+ *
+ * Finally we increment the generation number so that any ixa_ire
+ * cache will be revalidated.
+ */
+ mutex_enter(&ire->ire_lock);
+ ire->ire_badcnt++;
+ ire->ire_last_badcnt = TICK_TO_SEC(lbolt64);
+ nce = ire->ire_nce_cache;
+ if (nce != NULL && nce->nce_is_condemned &&
+ nce->nce_common->ncec_state == ND_UNREACHABLE)
+ ire->ire_nce_cache = NULL;
+ else
+ nce = NULL;
+ mutex_exit(&ire->ire_lock);
+ if (nce != NULL)
+ nce_refrele(nce);
+
+ ire_increment_generation(ire);
+ ire_dep_incr_generation(ire);
+
+ return (ire->ire_bucket->irb_ire_cnt > 1);
}
-#ifdef DEBUG
-void
-ire_trace_ref(ire_t *ire)
+/*
+ * Walk ire_dep_parent chain and validate that ire_dep_parent->ire_generation ==
+ * ire_dep_parent_generation.
+ * If they all match we just return ire_generation from the topmost IRE.
+ * Otherwise we propagate the mismatch by setting all ire_dep_parent_generation
+ * above the mismatch to IRE_GENERATION_VERIFY and also returning
+ * IRE_GENERATION_VERIFY.
+ */
+uint_t
+ire_dep_validate_generations(ire_t *ire)
{
- mutex_enter(&ire->ire_lock);
- if (ire->ire_trace_disable) {
+ ip_stack_t *ipst = ire->ire_ipst;
+ uint_t generation;
+ ire_t *ire1;
+
+ rw_enter(&ipst->ips_ire_dep_lock, RW_READER);
+ generation = ire->ire_generation; /* Assuming things match */
+ for (ire1 = ire; ire1 != NULL; ire1 = ire1->ire_dep_parent) {
+ ASSERT(ire1->ire_ipversion == IPV4_VERSION ||
+ ire1->ire_ipversion == IPV6_VERSION);
+ if (ire1->ire_dep_parent == NULL)
+ break;
+ if (ire1->ire_dep_parent_generation !=
+ ire1->ire_dep_parent->ire_generation)
+ goto mismatch;
+ }
+ rw_exit(&ipst->ips_ire_dep_lock);
+ return (generation);
+
+mismatch:
+ generation = IRE_GENERATION_VERIFY;
+ /* Fill from top down to the mismatch with _VERIFY */
+ while (ire != ire1) {
+ ASSERT(ire->ire_ipversion == IPV4_VERSION ||
+ ire->ire_ipversion == IPV6_VERSION);
+ mutex_enter(&ire->ire_lock);
+ ire->ire_dep_parent_generation = IRE_GENERATION_VERIFY;
mutex_exit(&ire->ire_lock);
- return;
+ ire = ire->ire_dep_parent;
}
+ rw_exit(&ipst->ips_ire_dep_lock);
+ return (generation);
+}
- if (th_trace_ref(ire, ire->ire_ipst)) {
- mutex_exit(&ire->ire_lock);
- } else {
- ire->ire_trace_disable = B_TRUE;
+/*
+ * Used when we need to return an ire with ire_dep_parent, but we
+ * know the chain is invalid for instance we didn't create an IRE_IF_CLONE
+ * Using IRE_GENERATION_VERIFY means that next time we'll redo the
+ * recursive lookup.
+ */
+void
+ire_dep_invalidate_generations(ire_t *ire)
+{
+ ip_stack_t *ipst = ire->ire_ipst;
+
+ rw_enter(&ipst->ips_ire_dep_lock, RW_READER);
+ while (ire != NULL) {
+ ASSERT(ire->ire_ipversion == IPV4_VERSION ||
+ ire->ire_ipversion == IPV6_VERSION);
+ mutex_enter(&ire->ire_lock);
+ ire->ire_dep_parent_generation = IRE_GENERATION_VERIFY;
mutex_exit(&ire->ire_lock);
- ire_trace_cleanup(ire);
+ ire = ire->ire_dep_parent;
}
+ rw_exit(&ipst->ips_ire_dep_lock);
}
-void
-ire_untrace_ref(ire_t *ire)
+/* Set _VERIFY ire_dep_parent_generation for all children recursively */
+static void
+ire_dep_invalidate_children(ire_t *child)
{
- mutex_enter(&ire->ire_lock);
- if (!ire->ire_trace_disable)
- th_trace_unref(ire);
- mutex_exit(&ire->ire_lock);
+ ip_stack_t *ipst = child->ire_ipst;
+
+ ASSERT(RW_WRITE_HELD(&ipst->ips_ire_dep_lock));
+ /* Depth first */
+ if (child->ire_dep_children != NULL)
+ ire_dep_invalidate_children(child->ire_dep_children);
+
+ while (child != NULL) {
+ mutex_enter(&child->ire_lock);
+ child->ire_dep_parent_generation = IRE_GENERATION_VERIFY;
+ mutex_exit(&child->ire_lock);
+ child = child->ire_dep_sib_next;
+ }
}
static void
-ire_trace_cleanup(const ire_t *ire)
+ire_dep_increment_children(ire_t *child)
{
- th_trace_cleanup(ire, ire->ire_trace_disable);
+ ip_stack_t *ipst = child->ire_ipst;
+
+ ASSERT(RW_READ_HELD(&ipst->ips_ire_dep_lock));
+ /* Depth first */
+ if (child->ire_dep_children != NULL)
+ ire_dep_increment_children(child->ire_dep_children);
+
+ while (child != NULL) {
+ if (!IRE_IS_CONDEMNED(child))
+ ire_increment_generation(child);
+ child = child->ire_dep_sib_next;
+ }
}
-#endif /* DEBUG */
/*
- * Generate a message chain with an arp request to resolve the in_ire.
- * It is assumed that in_ire itself is currently in the ire cache table,
- * so we create a fake_ire filled with enough information about ire_addr etc.
- * to retrieve in_ire when the DL_UNITDATA response from the resolver
- * comes back. The fake_ire itself is created by calling esballoc with
- * the fr_rtnp (free routine) set to ire_freemblk. This routine will be
- * invoked when the mblk containing fake_ire is freed.
+ * Walk all the children of this ire recursively and increment their
+ * generation number.
*/
void
-ire_arpresolve(ire_t *in_ire)
+ire_dep_incr_generation(ire_t *parent)
{
- areq_t *areq;
- ipaddr_t *addrp;
- mblk_t *ire_mp, *areq_mp;
- ire_t *ire, *buf;
- size_t bufsize;
- frtn_t *frtnp;
- ill_t *dst_ill;
- ip_stack_t *ipst;
+ ip_stack_t *ipst = parent->ire_ipst;
- ASSERT(in_ire->ire_nce != NULL);
+ rw_enter(&ipst->ips_ire_dep_lock, RW_READER);
+ if (parent->ire_dep_children != NULL)
+ ire_dep_increment_children(parent->ire_dep_children);
+ rw_exit(&ipst->ips_ire_dep_lock);
+}
- dst_ill = ire_to_ill(in_ire);
- ipst = dst_ill->ill_ipst;
+/*
+ * Get a new ire_nce_cache for this IRE as well as its nexthop.
+ * Returns zero if it succeeds. Can fail due to lack of memory or when
+ * the route has become unreachable. Returns ENOMEM and ENETUNREACH in those
+ * cases.
+ *
+ * In the in.mpathd case, the ire will have ire_testhidden
+ * set; so we should create the ncec for the underlying ill.
+ *
+ * Note that the error returned by ire_revalidate_nce() is ignored by most
+ * callers except ire_handle_condemned_nce(), which handles the ENETUNREACH
+ * error to mark potentially bad ire's. For all the other callers, an
+ * error return could indicate a transient condition like ENOMEM, or could
+ * be the result of an interface that is going down/unplumbing. In the former
+ * case (transient error), we would leave the old stale ire/ire_nce_cache
+ * in place, and possibly use incorrect link-layer information to send packets
+ * but would eventually recover. In the latter case (ill down/replumb),
+ * ire_revalidate_nce() might return a condemned nce back, but we would then
+ * recover in the packet output path.
+ */
+int
+ire_revalidate_nce(ire_t *ire)
+{
+ nce_t *nce, *old_nce;
+ ire_t *nexthop;
/*
- * Construct message chain for the resolver
- * of the form:
- * ARP_REQ_MBLK-->IRE_MBLK
- *
- * NOTE : If the response does not
- * come back, ARP frees the packet. For this reason,
- * we can't REFHOLD the bucket of save_ire to prevent
- * deletions. We may not be able to REFRELE the bucket
- * if the response never comes back. Thus, before
- * adding the ire, ire_add_v4 will make sure that the
- * interface route does not get deleted. This is the
- * only case unlike ip_newroute_v6, ip_newroute_ipif_v6
- * where we can always prevent deletions because of
- * the synchronous nature of adding IRES i.e
- * ire_add_then_send is called after creating the IRE.
+ * For multicast we conceptually have an NCE but we don't store it
+ * in ire_nce_cache; when ire_to_nce is called we allocate the nce.
*/
+ if (ire->ire_type & IRE_MULTICAST)
+ return (0);
- /*
- * We use esballoc to allocate the second part (IRE_MBLK)
- * of the message chain depicted above. This mblk will be freed
- * by arp when there is a timeout, and otherwise passed to IP
- * and IP will free it after processing the ARP response.
- */
+ /* ire_testhidden should only be set on under-interfaces */
+ ASSERT(!ire->ire_testhidden || !IS_IPMP(ire->ire_ill));
- bufsize = sizeof (ire_t) + sizeof (frtn_t);
- buf = kmem_alloc(bufsize, KM_NOSLEEP);
- if (buf == NULL) {
- ip1dbg(("ire_arpresolve: alloc buffer failed\n"));
- return;
- }
- frtnp = (frtn_t *)(buf + 1);
- frtnp->free_arg = (caddr_t)buf;
- frtnp->free_func = ire_freemblk;
-
- ire_mp = esballoc((unsigned char *)buf, bufsize, BPRI_MED, frtnp);
- if (ire_mp == NULL) {
- ip1dbg(("ire_arpresolve: esballoc failed\n"));
- kmem_free(buf, bufsize);
- return;
+ nexthop = ire_nexthop(ire);
+ if (nexthop == NULL) {
+ /* The route is potentially bad */
+ (void) ire_no_good(ire);
+ return (ENETUNREACH);
}
+ if (ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK)) {
+ ASSERT(ire->ire_ill != NULL);
- areq_mp = copyb(dst_ill->ill_resolver_mp);
- if (areq_mp == NULL) {
- freemsg(ire_mp);
- return;
+ if (ire->ire_ipversion == IPV4_VERSION)
+ nce = nce_lookup_v4(ire->ire_ill, &ire->ire_addr);
+ else
+ nce = nce_lookup_v6(ire->ire_ill, &ire->ire_addr_v6);
+ } else {
+ ASSERT(nexthop->ire_type & IRE_ONLINK);
+ if (ire->ire_ipversion == IPV4_VERSION) {
+ nce = arp_nce_init(nexthop->ire_ill, nexthop->ire_addr,
+ nexthop->ire_type);
+ } else {
+ nce = ndp_nce_init(nexthop->ire_ill,
+ &nexthop->ire_addr_v6, nexthop->ire_type);
+ }
+ }
+ if (nce == NULL) {
+ /*
+ * Leave the old stale one in place to avoid a NULL
+ * ire_nce_cache.
+ */
+ ire_refrele(nexthop);
+ return (ENOMEM);
}
- ire_mp->b_datap->db_type = IRE_ARPRESOLVE_TYPE;
- ire = (ire_t *)buf;
- /*
- * keep enough info in the fake ire so that we can pull up
- * the incomplete ire (in_ire) after result comes back from
- * arp and make it complete.
- */
- *ire = ire_null;
- ire->ire_u = in_ire->ire_u;
- ire->ire_ipif_seqid = in_ire->ire_ipif_seqid;
- ire->ire_ipif_ifindex = in_ire->ire_ipif_ifindex;
- ire->ire_ipif = in_ire->ire_ipif;
- ire->ire_stq = dst_ill->ill_wq;
- ire->ire_stq_ifindex = dst_ill->ill_phyint->phyint_ifindex;
- ire->ire_zoneid = in_ire->ire_zoneid;
- ire->ire_stackid = ipst->ips_netstack->netstack_stackid;
- ire->ire_ipst = ipst;
-
- /*
- * ire_freemblk will be called when ire_mp is freed, both for
- * successful and failed arp resolution. IRE_MARK_UNCACHED will be set
- * when the arp resolution failed.
- */
- ire->ire_marks |= IRE_MARK_UNCACHED;
- ire->ire_mp = ire_mp;
- ire_mp->b_wptr = (uchar_t *)&ire[1];
- ire_mp->b_cont = NULL;
- linkb(areq_mp, ire_mp);
-
- /*
- * Fill in the source and dest addrs for the resolver.
- * NOTE: this depends on memory layouts imposed by
- * ill_init().
- */
- areq = (areq_t *)areq_mp->b_rptr;
- addrp = (ipaddr_t *)((char *)areq + areq->areq_sender_addr_offset);
- *addrp = ire->ire_src_addr;
-
- addrp = (ipaddr_t *)((char *)areq + areq->areq_target_addr_offset);
- if (ire->ire_gateway_addr != INADDR_ANY) {
- *addrp = ire->ire_gateway_addr;
- } else {
- *addrp = ire->ire_addr;
+ if (nexthop != ire) {
+ /* Update the nexthop ire */
+ mutex_enter(&nexthop->ire_lock);
+ old_nce = nexthop->ire_nce_cache;
+ if (!IRE_IS_CONDEMNED(nexthop)) {
+ nce_refhold(nce);
+ nexthop->ire_nce_cache = nce;
+ } else {
+ nexthop->ire_nce_cache = NULL;
+ }
+ mutex_exit(&nexthop->ire_lock);
+ if (old_nce != NULL)
+ nce_refrele(old_nce);
}
+ ire_refrele(nexthop);
- /* Up to the resolver. */
- if (canputnext(dst_ill->ill_rq)) {
- putnext(dst_ill->ill_rq, areq_mp);
+ mutex_enter(&ire->ire_lock);
+ old_nce = ire->ire_nce_cache;
+ if (!IRE_IS_CONDEMNED(ire)) {
+ nce_refhold(nce);
+ ire->ire_nce_cache = nce;
} else {
- freemsg(areq_mp);
+ ire->ire_nce_cache = NULL;
}
+ mutex_exit(&ire->ire_lock);
+ if (old_nce != NULL)
+ nce_refrele(old_nce);
+
+ nce_refrele(nce);
+ return (0);
}
/*
- * Esballoc free function for AR_ENTRY_QUERY request to clean up any
- * unresolved ire_t and/or nce_t structures when ARP resolution fails.
- *
- * This function can be called by ARP via free routine for ire_mp or
- * by IPv4(both host and forwarding path) via ire_delete
- * in case ARP resolution fails.
- * NOTE: Since IP is MT, ARP can call into IP but not vice versa
- * (for IP to talk to ARP, it still has to send AR* messages).
- *
- * Note that the ARP/IP merge should replace the functioanlity by providing
- * direct function calls to clean up unresolved entries in ire/nce lists.
+ * Get a held nce for a given ire.
+ * In the common case this is just from ire_nce_cache.
+ * For IRE_MULTICAST this needs to do an explicit lookup since we do not
+ * have an IRE_MULTICAST per address.
+ * Note that this explicitly returns CONDEMNED NCEs. The caller needs those
+ * so they can check whether the NCE went unreachable (as opposed to was
+ * condemned for some other reason).
*/
-void
-ire_freemblk(ire_t *ire_mp)
+nce_t *
+ire_to_nce(ire_t *ire, ipaddr_t v4nexthop, const in6_addr_t *v6nexthop)
{
- nce_t *nce = NULL;
- ill_t *ill;
- ip_stack_t *ipst;
- netstack_t *ns = NULL;
+ nce_t *nce;
- ASSERT(ire_mp != NULL);
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))
+ return (NULL);
- if ((ire_mp->ire_addr == NULL) && (ire_mp->ire_gateway_addr == NULL)) {
- ip1dbg(("ire_freemblk(0x%p) ire_addr is NULL\n",
- (void *)ire_mp));
- goto cleanup;
- }
- if ((ire_mp->ire_marks & IRE_MARK_UNCACHED) == 0) {
- goto cleanup; /* everything succeeded. just free and return */
+ /* ire_testhidden should only be set on under-interfaces */
+ ASSERT(!ire->ire_testhidden || !IS_IPMP(ire->ire_ill));
+
+ mutex_enter(&ire->ire_lock);
+ nce = ire->ire_nce_cache;
+ if (nce != NULL) {
+ nce_refhold(nce);
+ mutex_exit(&ire->ire_lock);
+ return (nce);
}
+ mutex_exit(&ire->ire_lock);
- /*
- * the arp information corresponding to this ire_mp was not
- * transferred to an ire_cache entry. Need
- * to clean up incomplete ire's and nce, if necessary.
- */
- ASSERT(ire_mp->ire_stq != NULL);
- ASSERT(ire_mp->ire_stq_ifindex != 0);
- ASSERT(ire_mp->ire_ipst != NULL);
+ if (ire->ire_type & IRE_MULTICAST) {
+ ASSERT(ire->ire_ill != NULL);
- ns = netstack_find_by_stackid(ire_mp->ire_stackid);
- ipst = (ns ? ns->netstack_ip : NULL);
- if (ipst == NULL || ipst != ire_mp->ire_ipst) /* Disapeared on us */
- goto cleanup;
+ if (ire->ire_ipversion == IPV4_VERSION) {
+ ASSERT(v6nexthop == NULL);
- /*
- * Get any nce's corresponding to this ire_mp. We first have to
- * make sure that the ill is still around.
- */
- ill = ill_lookup_on_ifindex(ire_mp->ire_stq_ifindex,
- B_FALSE, NULL, NULL, NULL, NULL, ipst);
- if (ill == NULL || (ire_mp->ire_stq != ill->ill_wq) ||
- (ill->ill_state_flags & ILL_CONDEMNED)) {
- /*
- * ill went away. no nce to clean up.
- * Note that the ill_state_flags could be set to
- * ILL_CONDEMNED after this point, but if we know
- * that it is CONDEMNED now, we just bail out quickly.
- */
- if (ill != NULL)
- ill_refrele(ill);
- goto cleanup;
+ nce = arp_nce_init(ire->ire_ill, v4nexthop,
+ ire->ire_type);
+ } else {
+ ASSERT(v6nexthop != NULL);
+ ASSERT(v4nexthop == 0);
+ nce = ndp_nce_init(ire->ire_ill, v6nexthop,
+ ire->ire_type);
+ }
+ return (nce);
}
- nce = ndp_lookup_v4(ill,
- ((ire_mp->ire_gateway_addr != INADDR_ANY) ?
- &ire_mp->ire_gateway_addr : &ire_mp->ire_addr),
- B_FALSE);
- ill_refrele(ill);
+ return (NULL);
+}
- if ((nce != NULL) && (nce->nce_state != ND_REACHABLE)) {
- /*
- * some incomplete nce was found.
- */
- DTRACE_PROBE2(ire__freemblk__arp__resolv__fail,
- nce_t *, nce, ire_t *, ire_mp);
- /*
- * Send the icmp_unreachable messages for the queued mblks in
- * ire->ire_nce->nce_qd_mp, since ARP resolution failed
- * for this ire
- */
- arp_resolv_failed(nce);
- /*
- * Delete the nce and clean up all ire's pointing at this nce
- * in the cachetable
- */
- ndp_delete(nce);
- }
- if (nce != NULL)
- NCE_REFRELE(nce); /* release the ref taken by ndp_lookup_v4 */
+nce_t *
+ire_to_nce_pkt(ire_t *ire, mblk_t *mp)
+{
+ ipha_t *ipha;
+ ip6_t *ip6h;
-cleanup:
- if (ns != NULL)
- netstack_rele(ns);
- /*
- * Get rid of the ire buffer
- * We call kmem_free here(instead of ire_delete()), since
- * this is the freeb's callback.
- */
- kmem_free(ire_mp, sizeof (ire_t) + sizeof (frtn_t));
+ if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
+ ipha = (ipha_t *)mp->b_rptr;
+ return (ire_to_nce(ire, ipha->ipha_dst, NULL));
+ } else {
+ ip6h = (ip6_t *)mp->b_rptr;
+ return (ire_to_nce(ire, INADDR_ANY, &ip6h->ip6_dst));
+ }
}
/*
- * find, or create if needed, a neighbor cache entry nce_t for IRE_CACHE and
- * non-loopback IRE_BROADCAST ire's.
- *
- * If a neighbor-cache entry has to be created (i.e., one does not already
- * exist in the nce list) the nce_res_mp and nce_state of the neighbor cache
- * entry are initialized in ndp_add_v4(). These values are picked from
- * the src_nce, if one is passed in. Otherwise (if src_nce == NULL) the
- * ire->ire_type and the outgoing interface (ire_to_ill(ire)) values
- * determine the {nce_state, nce_res_mp} of the nce_t created. All
- * IRE_BROADCAST entries have nce_state = ND_REACHABLE, and the nce_res_mp
- * is set to the ill_bcast_mp of the outgoing inerface. For unicast ire
- * entries,
- * - if the outgoing interface is of type IRE_IF_RESOLVER, a newly created
- * nce_t will have a null nce_res_mp, and will be in the ND_INITIAL state.
- * - if the outgoing interface is a IRE_IF_NORESOLVER interface, no link
- * layer resolution is necessary, so that the nce_t will be in the
- * ND_REACHABLE state and the nce_res_mp will have a copy of the
- * ill_resolver_mp of the outgoing interface.
- *
- * The link layer information needed for broadcast addresses, and for
- * packets sent on IRE_IF_NORESOLVER interfaces is a constant mapping that
- * never needs re-verification for the lifetime of the nce_t. These are
- * therefore marked NCE_F_PERMANENT, and never allowed to expire via
- * NCE_EXPIRED.
- *
- * IRE_CACHE ire's contain the information for the nexthop (ire_gateway_addr)
- * in the case of indirect routes, and for the dst itself (ire_addr) in the
- * case of direct routes, with the nce_res_mp containing a template
- * DL_UNITDATA request.
- *
- * The actual association of the ire_nce to the nce created here is
- * typically done in ire_add_v4 for IRE_CACHE entries. Exceptions
- * to this rule are SO_DONTROUTE ire's (IRE_MARK_NO_ADD), for which
- * the ire_nce assignment is done in ire_add_then_send.
+ * Given an IRE_INTERFACE (that matches more than one address) create
+ * and return an IRE_IF_CLONE for the specific address.
+ * Return the generation number.
+ * Returns NULL is no memory for the IRE.
+ * Handles both IPv4 and IPv6.
*/
-int
-ire_nce_init(ire_t *ire, nce_t *src_nce)
+ire_t *
+ire_create_if_clone(ire_t *ire_if, const in6_addr_t *addr, uint_t *generationp)
{
- in_addr_t addr4;
- int err;
- nce_t *nce = NULL;
- ill_t *ire_ill;
- uint16_t nce_flags = 0;
- ip_stack_t *ipst;
-
- if (ire->ire_stq == NULL)
- return (0); /* no need to create nce for local/loopback */
-
- switch (ire->ire_type) {
- case IRE_CACHE:
- if (ire->ire_gateway_addr != INADDR_ANY)
- addr4 = ire->ire_gateway_addr; /* 'G' route */
- else
- addr4 = ire->ire_addr; /* direct route */
- break;
- case IRE_BROADCAST:
- addr4 = ire->ire_addr;
- nce_flags |= (NCE_F_PERMANENT|NCE_F_BCAST);
- break;
- default:
- return (0);
+ ire_t *ire;
+ ire_t *nire;
+
+ if (ire_if->ire_ipversion == IPV4_VERSION) {
+ ipaddr_t v4addr;
+ ipaddr_t mask = IP_HOST_MASK;
+
+ ASSERT(IN6_IS_ADDR_V4MAPPED(addr));
+ IN6_V4MAPPED_TO_IPADDR(addr, v4addr);
+
+ ire = ire_create(
+ (uchar_t *)&v4addr, /* dest address */
+ (uchar_t *)&mask, /* mask */
+ (uchar_t *)&ire_if->ire_gateway_addr,
+ IRE_IF_CLONE, /* IRE type */
+ ire_if->ire_ill,
+ ire_if->ire_zoneid,
+ ire_if->ire_flags | RTF_HOST,
+ NULL, /* No security attr for IRE_IF_ALL */
+ ire_if->ire_ipst);
+ } else {
+ ASSERT(!IN6_IS_ADDR_V4MAPPED(addr));
+ ire = ire_create_v6(
+ addr, /* dest address */
+ &ipv6_all_ones, /* mask */
+ &ire_if->ire_gateway_addr_v6, /* gateway addr */
+ IRE_IF_CLONE, /* IRE type */
+ ire_if->ire_ill,
+ ire_if->ire_zoneid,
+ ire_if->ire_flags | RTF_HOST,
+ NULL, /* No security attr for IRE_IF_ALL */
+ ire_if->ire_ipst);
}
+ if (ire == NULL)
+ return (NULL);
- /*
- * ire_ipif is picked based on RTF_SETSRC, usesrc etc.
- * rules in ire_forward_src_ipif. We want the dlureq_mp
- * for the outgoing interface, which we get from the ire_stq.
- */
- ire_ill = ire_to_ill(ire);
- ipst = ire_ill->ill_ipst;
-
- /*
- * IRE_IF_NORESOLVER entries never need re-verification and
- * do not expire, so we mark them as NCE_F_PERMANENT.
- */
- if (ire_ill->ill_net_type == IRE_IF_NORESOLVER)
- nce_flags |= NCE_F_PERMANENT;
-
-retry_nce:
- err = ndp_lookup_then_add_v4(ire_ill, &addr4, nce_flags,
- &nce, src_nce);
+ /* Take the metrics, in particular the mtu, from the IRE_IF */
+ ire->ire_metrics = ire_if->ire_metrics;
- if (err == EEXIST && NCE_EXPIRED(nce, ipst)) {
- /*
- * We looked up an expired nce.
- * Go back and try to create one again.
- */
- ndp_delete(nce);
- NCE_REFRELE(nce);
- nce = NULL;
- goto retry_nce;
- }
+ nire = ire_add(ire);
+ if (nire == NULL) /* Some failure */
+ return (NULL);
- ip1dbg(("ire 0x%p addr 0x%lx type 0x%x; found nce 0x%p err %d\n",
- (void *)ire, (ulong_t)addr4, ire->ire_type, (void *)nce, err));
+ if (generationp != NULL)
+ *generationp = nire->ire_generation;
- switch (err) {
- case 0:
- case EEXIST:
- /*
- * return a pointer to a newly created or existing nce_t;
- * note that the ire-nce mapping is many-one, i.e.,
- * multiple ire's could point to the same nce_t.
- */
- break;
- default:
- DTRACE_PROBE2(nce__init__fail, ill_t *, ire_ill, int, err);
- return (EINVAL);
- }
/*
- * IRE_BROADCAST ire's must be linked to NCE_F_BCAST nce's and
- * vice-versa (IRE_CACHE <-> unicast nce entries). We may have found an
- * existing unicast (or bcast) nce when trying to add a BROADCAST (or
- * unicast) ire, e.g., when address/netmask modifications were in
- * progress, and the ipif_ndp_down() call to quiesce existing state
- * during the addr/mask modification may have skipped the ndp_delete()
- * because the ipif being affected was not the last one on the ill. We
- * recover from the missed ndp_delete() now, by deleting the old nce and
- * adding a new one with the correct NCE_F_BCAST state.
+ * Make sure races don't add a duplicate by
+ * catching the case when an identical was returned.
*/
- if (ire->ire_type == IRE_BROADCAST) {
- if ((nce->nce_flags & NCE_F_BCAST) == 0) {
- /* IRE_BROADCAST needs NCE_F_BCAST */
- ndp_delete(nce);
- NCE_REFRELE(nce);
- goto retry_nce;
- }
- /*
- * Two bcast ires are created for each interface;
- * 1. loopback copy (which does not have an
- * ire_stq, and therefore has no ire_nce), and,
- * 2. the non-loopback copy, which has the nce_res_mp
- * initialized to a copy of the ill_bcast_mp, and
- * is marked as ND_REACHABLE at this point.
- * This nce does not undergo any further state changes,
- * and exists as long as the interface is plumbed.
- * Note: the assignment of ire_nce here is a historical
- * artifact of old code that used to inline ire_add().
- */
- ire->ire_nce = nce;
- /*
- * We are associating this nce to the ire,
- * so change the nce ref taken in
- * ndp_lookup_then_add_v4() from
- * NCE_REFHOLD to NCE_REFHOLD_NOTR
- */
- NCE_REFHOLD_TO_REFHOLD_NOTR(ire->ire_nce);
- } else {
- if ((nce->nce_flags & NCE_F_BCAST) != 0) {
- /* IRE_CACHE needs unicast nce */
- ndp_delete(nce);
- NCE_REFRELE(nce);
- goto retry_nce;
- }
- /*
- * We are not using this nce_t just yet so release
- * the ref taken in ndp_lookup_then_add_v4()
- */
- NCE_REFRELE(nce);
+ if (nire != ire) {
+ ASSERT(nire->ire_identical_ref > 1);
+ ire_delete(nire);
}
- return (0);
+ return (nire);
}
/*
- * This is the implementation of the IPv4 IRE cache lookup procedure.
- * Separating the interface from the implementation allows additional
- * flexibility when specifying search criteria.
+ * The argument is an IRE_INTERFACE. Delete all of IRE_IF_CLONE in the
+ * ire_dep_children (just walk the ire_dep_sib_next since they are all
+ * immediate children.)
+ * Since we hold a lock while we remove them we need to defer the actual
+ * calls to ire_delete() until we have dropped the lock. This makes things
+ * less efficient since we restart at the top after dropping the lock. But
+ * we only run when an IRE_INTERFACE is deleted which is infrquent.
+ *
+ * Note that ire_dep_children can be any mixture of offlink routes and
+ * IRE_IF_CLONE entries.
*/
-static ire_t *
-ip4_ctable_lookup_impl(ire_ctable_args_t *margs)
+void
+ire_dep_delete_if_clone(ire_t *parent)
{
- irb_t *irb_ptr;
- ire_t *ire;
- ip_stack_t *ipst = margs->ict_ipst;
+ ip_stack_t *ipst = parent->ire_ipst;
+ ire_t *child, *next;
- if ((margs->ict_flags & (MATCH_IRE_SRC | MATCH_IRE_ILL)) &&
- (margs->ict_ipif == NULL)) {
- return (NULL);
+restart:
+ rw_enter(&ipst->ips_ire_dep_lock, RW_READER);
+ if (parent->ire_dep_children == NULL) {
+ rw_exit(&ipst->ips_ire_dep_lock);
+ return;
}
-
- irb_ptr = &ipst->ips_ip_cache_table[IRE_ADDR_HASH(
- *((ipaddr_t *)margs->ict_addr), ipst->ips_ip_cache_table_size)];
- rw_enter(&irb_ptr->irb_lock, RW_READER);
- for (ire = irb_ptr->irb_ire; ire != NULL; ire = ire->ire_next) {
- if (ire->ire_marks & IRE_MARK_CONDEMNED)
- continue;
- ASSERT(ire->ire_mask == IP_HOST_MASK);
- if (ire_match_args(ire, *((ipaddr_t *)margs->ict_addr),
- ire->ire_mask, *((ipaddr_t *)margs->ict_gateway),
- margs->ict_type, margs->ict_ipif, margs->ict_zoneid, 0,
- margs->ict_tsl, margs->ict_flags, margs->ict_wq)) {
- IRE_REFHOLD(ire);
- rw_exit(&irb_ptr->irb_lock);
- return (ire);
+ child = parent->ire_dep_children;
+ while (child != NULL) {
+ next = child->ire_dep_sib_next;
+ if ((child->ire_type & IRE_IF_CLONE) &&
+ !IRE_IS_CONDEMNED(child)) {
+ ire_refhold(child);
+ rw_exit(&ipst->ips_ire_dep_lock);
+ ire_delete(child);
+ ASSERT(IRE_IS_CONDEMNED(child));
+ ire_refrele(child);
+ goto restart;
}
+ child = next;
}
-
- rw_exit(&irb_ptr->irb_lock);
- return (NULL);
+ rw_exit(&ipst->ips_ire_dep_lock);
}
/*
- * This function locates IRE_CACHE entries which were added by the
- * ire_forward() path. We can fully specify the IRE we are looking for by
- * providing the ipif (MATCH_IRE_IPIF) *and* the stq (MATCH_IRE_WQ).
+ * ire_pref() is used in recursive route-resolution for a destination to
+ * determine the preference of an ire, where "preference" is determined
+ * based on the level of indirection to the destination of the ire.
+ * A higher preference indicates that fewer lookups are needed to complete
+ * recursive route lookup. Thus
+ * ire_pref(RTF_INDIRECT) < ire_pref(IRE_IF_RESOLVER) < ire_pref(IRE_PREF_CLONE)
*/
-ire_t *
-ire_arpresolve_lookup(ipaddr_t addr, ipaddr_t gw, ipif_t *ipif,
- zoneid_t zoneid, ip_stack_t *ipst, queue_t *wq)
-{
- ire_ctable_args_t margs;
-
- margs.ict_addr = &addr;
- margs.ict_gateway = &gw;
- margs.ict_type = IRE_CACHE;
- margs.ict_ipif = ipif;
- margs.ict_zoneid = zoneid;
- margs.ict_tsl = NULL;
- margs.ict_flags = MATCH_IRE_GW | MATCH_IRE_IPIF | MATCH_IRE_ZONEONLY |
- MATCH_IRE_TYPE | MATCH_IRE_WQ;
- margs.ict_ipst = ipst;
- margs.ict_wq = wq;
-
- return (ip4_ctable_lookup_impl(&margs));
+int
+ire_pref(ire_t *ire)
+{
+ if (ire->ire_flags & RTF_INDIRECT)
+ return (1);
+ if (ire->ire_type & IRE_OFFLINK)
+ return (2);
+ if (ire->ire_type & (IRE_IF_RESOLVER|IRE_IF_NORESOLVER))
+ return (3);
+ if (ire->ire_type & IRE_IF_CLONE)
+ return (4);
+ if (ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK|IRE_BROADCAST))
+ return (5);
+ return (-1); /* unknown ire_type */
}
diff --git a/usr/src/uts/common/inet/ip/ip_mroute.c b/usr/src/uts/common/inet/ip/ip_mroute.c
index 5418c2d8d4..41f4f3f221 100644
--- a/usr/src/uts/common/inet/ip/ip_mroute.c
+++ b/usr/src/uts/common/inet/ip/ip_mroute.c
@@ -1,8 +1,4 @@
/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
- */
-/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
@@ -23,8 +19,8 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc.
- * All rights reserved. Use is subject to license terms.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
*/
/* Copyright (c) 1990 Mentat Inc. */
@@ -65,6 +61,7 @@
#include <netinet/in.h>
#include <net/if_dl.h>
+#include <inet/ipsec_impl.h>
#include <inet/common.h>
#include <inet/mi.h>
#include <inet/nd.h>
@@ -79,6 +76,7 @@
#include <netinet/ip_mroute.h>
#include <inet/ip_multi.h>
#include <inet/ip_ire.h>
+#include <inet/ip_ndp.h>
#include <inet/ip_if.h>
#include <inet/ipclassifier.h>
@@ -98,7 +96,7 @@
* is when the vif is marked VIF_MARK_NOTINUSE but refcnt != 0. This indicates
* that vif is being initalized.
* Each structure is freed when the refcnt goes down to zero. If a delete comes
- * in when the the recfnt is > 1, the vif structure is marked VIF_MARK_CONDEMNED
+ * in when the recfnt is > 1, the vif structure is marked VIF_MARK_CONDEMNED
* which prevents the struct from further use. When the refcnt goes to zero
* the struct is freed and is marked VIF_MARK_NOTINUSE.
* vif struct stores a pointer to the ipif in v_ipif, to prevent ipif/ill
@@ -171,9 +169,9 @@
/* Function declarations */
static int add_mfc(struct mfcctl *, ip_stack_t *);
-static int add_vif(struct vifctl *, conn_t *, mblk_t *, ip_stack_t *);
+static int add_vif(struct vifctl *, conn_t *, ip_stack_t *);
static int del_mfc(struct mfcctl *, ip_stack_t *);
-static int del_vif(vifi_t *, conn_t *, mblk_t *, ip_stack_t *);
+static int del_vif(vifi_t *, ip_stack_t *);
static void del_vifp(struct vif *);
static void encap_send(ipha_t *, mblk_t *, struct vif *, ipaddr_t);
static void expire_upcalls(void *);
@@ -188,7 +186,7 @@ static int ip_mdq(mblk_t *, ipha_t *, ill_t *,
ipaddr_t, struct mfc *);
static int ip_mrouter_init(conn_t *, uchar_t *, int, ip_stack_t *);
static void phyint_send(ipha_t *, mblk_t *, struct vif *, ipaddr_t);
-static int register_mforward(queue_t *, mblk_t *, ill_t *);
+static int register_mforward(mblk_t *, ip_recv_attr_t *);
static void register_send(ipha_t *, mblk_t *, struct vif *, ipaddr_t);
static int set_assert(int *, ip_stack_t *);
@@ -331,10 +329,9 @@ static ipha_t multicast_encap_iphdr = {
* Handle MRT setsockopt commands to modify the multicast routing tables.
*/
int
-ip_mrouter_set(int cmd, queue_t *q, int checkonly, uchar_t *data,
- int datalen, mblk_t *first_mp)
+ip_mrouter_set(int cmd, conn_t *connp, int checkonly, uchar_t *data,
+ int datalen)
{
- conn_t *connp = Q_TO_CONN(q);
ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
mutex_enter(&ipst->ips_ip_g_mrouter_mutex);
@@ -376,11 +373,9 @@ ip_mrouter_set(int cmd, queue_t *q, int checkonly, uchar_t *data,
switch (cmd) {
case MRT_INIT: return (ip_mrouter_init(connp, data, datalen, ipst));
- case MRT_DONE: return (ip_mrouter_done(first_mp, ipst));
- case MRT_ADD_VIF: return (add_vif((struct vifctl *)data, connp,
- first_mp, ipst));
- case MRT_DEL_VIF: return (del_vif((vifi_t *)data, connp, first_mp,
- ipst));
+ case MRT_DONE: return (ip_mrouter_done(ipst));
+ case MRT_ADD_VIF: return (add_vif((struct vifctl *)data, connp, ipst));
+ case MRT_DEL_VIF: return (del_vif((vifi_t *)data, ipst));
case MRT_ADD_MFC: return (add_mfc((struct mfcctl *)data, ipst));
case MRT_DEL_MFC: return (del_mfc((struct mfcctl *)data, ipst));
case MRT_ASSERT: return (set_assert((int *)data, ipst));
@@ -392,9 +387,8 @@ ip_mrouter_set(int cmd, queue_t *q, int checkonly, uchar_t *data,
* Handle MRT getsockopt commands
*/
int
-ip_mrouter_get(int cmd, queue_t *q, uchar_t *data)
+ip_mrouter_get(int cmd, conn_t *connp, uchar_t *data)
{
- conn_t *connp = Q_TO_CONN(q);
ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
if (connp != ipst->ips_ip_g_mrouter)
@@ -611,7 +605,7 @@ ip_mrouter_stack_init(ip_stack_t *ipst)
* Didn't use global timeout_val (BSD version), instead check the mfctable.
*/
int
-ip_mrouter_done(mblk_t *mp, ip_stack_t *ipst)
+ip_mrouter_done(ip_stack_t *ipst)
{
conn_t *mrouter;
vifi_t vifi;
@@ -665,47 +659,19 @@ ip_mrouter_done(mblk_t *mp, ip_stack_t *ipst)
/* Phyint only */
if (!(vifp->v_flags & (VIFF_TUNNEL | VIFF_REGISTER))) {
ipif_t *ipif = vifp->v_ipif;
- ipsq_t *ipsq;
- boolean_t suc;
- ill_t *ill;
+ ilm_t *ilm = vifp->v_ilm;
- ill = ipif->ipif_ill;
- suc = B_FALSE;
- if (mp == NULL) {
- /*
- * being called from ip_close,
- * lets do it synchronously.
- * Clear VIF_MARK_GOOD and
- * set VIF_MARK_CONDEMNED.
- */
- vifp->v_marks &= ~VIF_MARK_GOOD;
- vifp->v_marks |= VIF_MARK_CONDEMNED;
- mutex_exit(&(vifp)->v_lock);
- suc = ipsq_enter(ill, B_FALSE, NEW_OP);
- ipsq = ill->ill_phyint->phyint_ipsq;
- } else {
- ipsq = ipsq_try_enter(ipif, NULL,
- mrouter->conn_wq, mp,
- ip_restart_optmgmt, NEW_OP, B_TRUE);
- if (ipsq == NULL) {
- mutex_exit(&(vifp)->v_lock);
- ipif_refrele(ipif);
- return (EINPROGRESS);
- }
- /*
- * Clear VIF_MARK_GOOD and
- * set VIF_MARK_CONDEMNED.
- */
- vifp->v_marks &= ~VIF_MARK_GOOD;
- vifp->v_marks |= VIF_MARK_CONDEMNED;
- mutex_exit(&(vifp)->v_lock);
- suc = B_TRUE;
- }
+ vifp->v_ilm = NULL;
+ vifp->v_marks &= ~VIF_MARK_GOOD;
+ vifp->v_marks |= VIF_MARK_CONDEMNED;
- if (suc) {
- (void) ip_delmulti(INADDR_ANY, ipif,
- B_TRUE, B_TRUE);
- ipsq_exit(ipsq);
+ mutex_exit(&(vifp)->v_lock);
+ if (ilm != NULL) {
+ ill_t *ill = ipif->ipif_ill;
+
+ (void) ip_delmulti(ilm);
+ ASSERT(ill->ill_mrouter_cnt > 0);
+ atomic_dec_32(&ill->ill_mrouter_cnt);
}
mutex_enter(&vifp->v_lock);
}
@@ -866,14 +832,15 @@ lock_good_vif(struct vif *vifp)
* Add a vif to the vif table.
*/
static int
-add_vif(struct vifctl *vifcp, conn_t *connp, mblk_t *first_mp, ip_stack_t *ipst)
+add_vif(struct vifctl *vifcp, conn_t *connp, ip_stack_t *ipst)
{
struct vif *vifp = ipst->ips_vifs + vifcp->vifc_vifi;
ipif_t *ipif;
- int error;
+ int error = 0;
struct tbf *v_tbf = ipst->ips_tbfs + vifcp->vifc_vifi;
- ipsq_t *ipsq;
conn_t *mrouter = ipst->ips_ip_g_mrouter;
+ ilm_t *ilm;
+ ill_t *ill;
ASSERT(connp != NULL);
@@ -913,28 +880,12 @@ add_vif(struct vifctl *vifcp, conn_t *connp, mblk_t *first_mp, ip_stack_t *ipst)
mutex_exit(&vifp->v_lock);
/* Find the interface with the local address */
ipif = ipif_lookup_addr((ipaddr_t)vifcp->vifc_lcl_addr.s_addr, NULL,
- connp->conn_zoneid, CONNP_TO_WQ(connp), first_mp,
- ip_restart_optmgmt, &error, ipst);
+ IPCL_ZONEID(connp), ipst);
if (ipif == NULL) {
VIF_REFRELE(vifp);
- if (error == EINPROGRESS)
- return (error);
return (EADDRNOTAVAIL);
}
- /*
- * We have to be exclusive as we have to call ip_addmulti()
- * This is the best position to try to be exclusive in case
- * we have to wait.
- */
- ipsq = ipsq_try_enter(ipif, NULL, CONNP_TO_WQ(connp), first_mp,
- ip_restart_optmgmt, NEW_OP, B_TRUE);
- if ((ipsq) == NULL) {
- VIF_REFRELE(vifp);
- ipif_refrele(ipif);
- return (EINPROGRESS);
- }
-
if (ipst->ips_ip_mrtdebug > 1) {
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
"add_vif: src 0x%x enter",
@@ -959,7 +910,6 @@ add_vif(struct vifctl *vifcp, conn_t *connp, mblk_t *first_mp, ip_stack_t *ipst)
"add_vif: source route tunnels not supported\n");
VIF_REFRELE_LOCKED(vifp);
ipif_refrele(ipif);
- ipsq_exit(ipsq);
return (EOPNOTSUPP);
}
vifp->v_rmt_addr = vifcp->vifc_rmt_addr;
@@ -981,7 +931,6 @@ add_vif(struct vifctl *vifcp, conn_t *connp, mblk_t *first_mp, ip_stack_t *ipst)
mutex_exit(&ipst->ips_numvifs_mutex);
VIF_REFRELE_LOCKED(vifp);
ipif_refrele(ipif);
- ipsq_exit(ipsq);
return (EADDRINUSE);
}
}
@@ -995,22 +944,39 @@ add_vif(struct vifctl *vifcp, conn_t *connp, mblk_t *first_mp, ip_stack_t *ipst)
ipst->ips_reg_vif_num = ALL_VIFS;
mutex_exit(&ipst->ips_numvifs_mutex);
}
- ipsq_exit(ipsq);
return (EOPNOTSUPP);
}
/* Enable promiscuous reception of all IP mcasts from the if */
mutex_exit(&vifp->v_lock);
- error = ip_addmulti(INADDR_ANY, ipif, ILGSTAT_NONE,
- MODE_IS_EXCLUDE, NULL);
+
+ ill = ipif->ipif_ill;
+ if (IS_UNDER_IPMP(ill))
+ ill = ipmp_ill_hold_ipmp_ill(ill);
+
+ if (ill == NULL) {
+ ilm = NULL;
+ } else {
+ ilm = ip_addmulti(&ipv6_all_zeros, ill,
+ ipif->ipif_zoneid, &error);
+ if (ilm != NULL)
+ atomic_inc_32(&ill->ill_mrouter_cnt);
+ if (IS_UNDER_IPMP(ipif->ipif_ill)) {
+ ill_refrele(ill);
+ ill = ipif->ipif_ill;
+ }
+ }
+
mutex_enter(&vifp->v_lock);
/*
* since we released the lock lets make sure that
* ip_mrouter_done() has not been called.
*/
- if (error != 0 || is_mrouter_off(ipst)) {
- if (error == 0)
- (void) ip_delmulti(INADDR_ANY, ipif, B_TRUE,
- B_TRUE);
+ if (ilm == NULL || is_mrouter_off(ipst)) {
+ if (ilm != NULL) {
+ (void) ip_delmulti(ilm);
+ ASSERT(ill->ill_mrouter_cnt > 0);
+ atomic_dec_32(&ill->ill_mrouter_cnt);
+ }
if (vifcp->vifc_flags & VIFF_REGISTER) {
mutex_enter(&ipst->ips_numvifs_mutex);
ipst->ips_reg_vif_num = ALL_VIFS;
@@ -1018,9 +984,9 @@ add_vif(struct vifctl *vifcp, conn_t *connp, mblk_t *first_mp, ip_stack_t *ipst)
}
VIF_REFRELE_LOCKED(vifp);
ipif_refrele(ipif);
- ipsq_exit(ipsq);
return (error?error:EINVAL);
}
+ vifp->v_ilm = ilm;
}
/* Define parameters for the tbf structure */
vifp->v_tbf = v_tbf;
@@ -1063,7 +1029,6 @@ add_vif(struct vifctl *vifcp, conn_t *connp, mblk_t *first_mp, ip_stack_t *ipst)
vifp->v_marks = VIF_MARK_GOOD;
mutex_exit(&vifp->v_lock);
- ipsq_exit(ipsq);
return (0);
}
@@ -1131,10 +1096,9 @@ del_vifp(struct vif *vifp)
}
static int
-del_vif(vifi_t *vifip, conn_t *connp, mblk_t *first_mp, ip_stack_t *ipst)
+del_vif(vifi_t *vifip, ip_stack_t *ipst)
{
struct vif *vifp = ipst->ips_vifs + *vifip;
- ipsq_t *ipsq;
if (*vifip >= ipst->ips_numvifs)
return (EINVAL);
@@ -1151,41 +1115,6 @@ del_vif(vifi_t *vifip, conn_t *connp, mblk_t *first_mp, ip_stack_t *ipst)
return (EADDRNOTAVAIL);
}
- /*
- * This is an optimization, if first_mp == NULL
- * than we are being called from reset_mrt_vif_ipif()
- * so we already have exclusive access to the ipsq.
- * the ASSERT below is a check for this condition.
- */
- if (first_mp != NULL &&
- !(vifp->v_flags & (VIFF_TUNNEL | VIFF_REGISTER))) {
- ASSERT(connp != NULL);
- /*
- * We have to be exclusive as we have to call ip_delmulti()
- * This is the best position to try to be exclusive in case
- * we have to wait.
- */
- ipsq = ipsq_try_enter(vifp->v_ipif, NULL, CONNP_TO_WQ(connp),
- first_mp, ip_restart_optmgmt, NEW_OP, B_TRUE);
- if ((ipsq) == NULL) {
- mutex_exit(&vifp->v_lock);
- return (EINPROGRESS);
- }
- /* recheck after being exclusive */
- if (vifp->v_lcl_addr.s_addr == 0 ||
- !vifp->v_marks & VIF_MARK_GOOD) {
- /*
- * someone beat us.
- */
- mutex_exit(&vifp->v_lock);
- ipsq_exit(ipsq);
- return (EADDRNOTAVAIL);
- }
- }
-
-
- ASSERT(IAM_WRITER_IPIF(vifp->v_ipif));
-
/* Clear VIF_MARK_GOOD and set VIF_MARK_CONDEMNED. */
vifp->v_marks &= ~VIF_MARK_GOOD;
vifp->v_marks |= VIF_MARK_CONDEMNED;
@@ -1193,18 +1122,30 @@ del_vif(vifi_t *vifip, conn_t *connp, mblk_t *first_mp, ip_stack_t *ipst)
/* Phyint only */
if (!(vifp->v_flags & (VIFF_TUNNEL | VIFF_REGISTER))) {
ipif_t *ipif = vifp->v_ipif;
+ ilm_t *ilm = vifp->v_ilm;
+
+ vifp->v_ilm = NULL;
+
ASSERT(ipif != NULL);
/*
* should be OK to drop the lock as we
* have marked this as CONDEMNED.
*/
mutex_exit(&(vifp)->v_lock);
- (void) ip_delmulti(INADDR_ANY, ipif, B_TRUE, B_TRUE);
- if (first_mp != NULL)
- ipsq_exit(ipsq);
+ if (ilm != NULL) {
+ (void) ip_delmulti(ilm);
+ ASSERT(ipif->ipif_ill->ill_mrouter_cnt > 0);
+ atomic_dec_32(&ipif->ipif_ill->ill_mrouter_cnt);
+ }
mutex_enter(&(vifp)->v_lock);
}
+ if (vifp->v_flags & VIFF_REGISTER) {
+ mutex_enter(&ipst->ips_numvifs_mutex);
+ ipst->ips_reg_vif_num = ALL_VIFS;
+ mutex_exit(&ipst->ips_numvifs_mutex);
+ }
+
/*
* decreases the refcnt added in add_vif.
*/
@@ -1584,16 +1525,21 @@ del_mfc(struct mfcctl *mfccp, ip_stack_t *ipst)
* 1 - pkt came in on tunnel
*/
int
-ip_mforward(ill_t *ill, ipha_t *ipha, mblk_t *mp)
+ip_mforward(mblk_t *mp, ip_recv_attr_t *ira)
{
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+ ill_t *ill = ira->ira_ill;
struct mfc *rt;
ipaddr_t src, dst, tunnel_src = 0;
static int srctun = 0;
vifi_t vifi;
boolean_t pim_reg_packet = B_FALSE;
- struct mfcb *mfcbp;
+ struct mfcb *mfcbp;
ip_stack_t *ipst = ill->ill_ipst;
conn_t *mrouter = ipst->ips_ip_g_mrouter;
+ ill_t *rill = ira->ira_rill;
+
+ ASSERT(ira->ira_pktlen == msgdsize(mp));
if (ipst->ips_ip_mrtdebug > 1) {
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
@@ -1603,10 +1549,10 @@ ip_mforward(ill_t *ill, ipha_t *ipha, mblk_t *mp)
}
dst = ipha->ipha_dst;
- if ((uint32_t)(uintptr_t)mp->b_prev == PIM_REGISTER_MARKER)
+ if (ira->ira_flags & IRAF_PIM_REGISTER)
pim_reg_packet = B_TRUE;
- else
- tunnel_src = (ipaddr_t)(uintptr_t)mp->b_prev;
+ else if (ira->ira_flags & IRAF_MROUTE_TUNNEL_SET)
+ tunnel_src = ira->ira_mroute_tunnel;
/*
* Don't forward a packet with time-to-live of zero or one,
@@ -1620,7 +1566,6 @@ ip_mforward(ill_t *ill, ipha_t *ipha, mblk_t *mp)
" dst 0x%x ill %s",
ipha->ipha_ttl, ntohl(dst), ill->ill_name);
}
- mp->b_prev = NULL;
if (tunnel_src != 0)
return (1);
else
@@ -1630,10 +1575,8 @@ ip_mforward(ill_t *ill, ipha_t *ipha, mblk_t *mp)
if ((tunnel_src != 0) || pim_reg_packet) {
/*
* Packet arrived over an encapsulated tunnel or via a PIM
- * register message. Both ip_mroute_decap() and pim_input()
- * encode information in mp->b_prev.
+ * register message.
*/
- mp->b_prev = NULL;
if (ipst->ips_ip_mrtdebug > 1) {
if (tunnel_src != 0) {
(void) mi_strlog(mrouter->conn_rq, 1,
@@ -1926,10 +1869,16 @@ ip_mforward(ill_t *ill, ipha_t *ipha, mblk_t *mp)
mutex_exit(&mfc_rt->mfc_mutex);
mutex_exit(&(ipst->ips_mfcs[hash].mfcb_lock));
/* Pass to RAWIP */
- (mrouter->conn_recv)(mrouter, mp_copy, NULL);
+ ira->ira_ill = ira->ira_rill = NULL;
+ (mrouter->conn_recv)(mrouter, mp_copy, NULL, ira);
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
} else {
mutex_exit(&mfc_rt->mfc_mutex);
mutex_exit(&(ipst->ips_mfcs[hash].mfcb_lock));
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ip_mforward - upcall already waiting",
+ mp_copy, ill);
freemsg(mp_copy);
}
@@ -1945,8 +1894,11 @@ ip_mforward(ill_t *ill, ipha_t *ipha, mblk_t *mp)
mi_free((char *)mfc_rt);
if (rte != NULL)
mi_free((char *)rte);
- if (mp_copy != NULL)
+ if (mp_copy != NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ip_mforward error", mp_copy, ill);
freemsg(mp_copy);
+ }
if (mp0 != NULL)
freemsg(mp0);
return (-1);
@@ -2023,7 +1975,6 @@ static int
ip_mdq(mblk_t *mp, ipha_t *ipha, ill_t *ill, ipaddr_t tunnel_src,
struct mfc *rt)
{
- ill_t *vill;
vifi_t vifi;
struct vif *vifp;
ipaddr_t dst = ipha->ipha_dst;
@@ -2031,6 +1982,7 @@ ip_mdq(mblk_t *mp, ipha_t *ipha, ill_t *ill, ipaddr_t tunnel_src,
vifi_t num_of_vifs;
ip_stack_t *ipst = ill->ill_ipst;
conn_t *mrouter = ipst->ips_ip_g_mrouter;
+ ip_recv_attr_t iras;
if (ipst->ips_ip_mrtdebug > 1) {
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
@@ -2091,19 +2043,19 @@ ip_mdq(mblk_t *mp, ipha_t *ipha, ill_t *ill, ipaddr_t tunnel_src,
* Don't forward if it didn't arrive from the parent vif for its
* origin.
*/
- vill = ipst->ips_vifs[vifi].v_ipif->ipif_ill;
- if ((vill != ill && !IS_IN_SAME_ILLGRP(vill, ill)) ||
+ if ((ipst->ips_vifs[vifi].v_ipif->ipif_ill != ill) ||
(ipst->ips_vifs[vifi].v_rmt_addr.s_addr != tunnel_src)) {
/* Came in the wrong interface */
ip1dbg(("ip_mdq: arrived wrong if, vifi %d "
"numvifs %d ill %s viftable ill %s\n",
(int)vifi, (int)ipst->ips_numvifs, ill->ill_name,
- vill->ill_name));
+ ipst->ips_vifs[vifi].v_ipif->ipif_ill->ill_name));
if (ipst->ips_ip_mrtdebug > 1) {
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
"ip_mdq: arrived wrong if, vifi %d ill "
"%s viftable ill %s\n",
- (int)vifi, ill->ill_name, vill->ill_name);
+ (int)vifi, ill->ill_name,
+ ipst->ips_vifs[vifi].v_ipif->ipif_ill->ill_name);
}
ipst->ips_mrtstat->mrts_wrong_if++;
rt->mfc_wrong_if++;
@@ -2137,7 +2089,14 @@ ip_mdq(mblk_t *mp, ipha_t *ipha, ill_t *ill, ipaddr_t tunnel_src,
im->im_mbz = 0;
im->im_vif = (ushort_t)vifi;
/* Pass to RAWIP */
- (mrouter->conn_recv)(mrouter, mp_copy, NULL);
+
+ bzero(&iras, sizeof (iras));
+ iras.ira_flags = IRAF_IS_IPV4;
+ iras.ira_ip_hdr_length =
+ IPH_HDR_LENGTH(mp_copy->b_rptr);
+ iras.ira_pktlen = msgdsize(mp_copy);
+ (mrouter->conn_recv)(mrouter, mp_copy, NULL, &iras);
+ ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
}
unlock_good_vif(&ipst->ips_vifs[vifi]);
if (tunnel_src != 0)
@@ -2239,8 +2198,10 @@ register_send(ipha_t *ipha, mblk_t *mp, struct vif *vifp, ipaddr_t dst)
struct igmpmsg *im;
mblk_t *mp_copy;
ipha_t *ipha_copy;
- ip_stack_t *ipst = vifp->v_ipif->ipif_ill->ill_ipst;
+ ill_t *ill = vifp->v_ipif->ipif_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
conn_t *mrouter = ipst->ips_ip_g_mrouter;
+ ip_recv_attr_t iras;
if (ipst->ips_ip_mrtdebug > 1) {
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
@@ -2307,16 +2268,24 @@ register_send(ipha_t *ipha, mblk_t *mp, struct vif *vifp, ipaddr_t dst)
im->im_mbz = 0;
++ipst->ips_mrtstat->mrts_upcalls;
- if (!canputnext(mrouter->conn_rq)) {
+ if (IPCL_IS_NONSTR(mrouter) ? mrouter->conn_flow_cntrld :
+ !canputnext(mrouter->conn_rq)) {
++ipst->ips_mrtstat->mrts_pim_regsend_drops;
if (ipst->ips_ip_mrtdebug > 3) {
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
"register_send: register upcall failure.");
}
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("mrts_pim_regsend_drops", mp_copy, ill);
freemsg(mp_copy);
} else {
/* Pass to RAWIP */
- (mrouter->conn_recv)(mrouter, mp_copy, NULL);
+ bzero(&iras, sizeof (iras));
+ iras.ira_flags = IRAF_IS_IPV4;
+ iras.ira_ip_hdr_length = sizeof (ipha_t);
+ iras.ira_pktlen = msgdsize(mp_copy);
+ (mrouter->conn_recv)(mrouter, mp_copy, NULL, &iras);
+ ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
}
}
@@ -2349,18 +2318,22 @@ pim_validate_cksum(mblk_t *mp, ipha_t *ip, struct pim *pimp)
}
/*
- * int
- * pim_input(queue_t *, mblk_t *, ill_t *ill) - Process PIM protocol packets.
- * IP Protocol 103. Register messages are decapsulated and sent
- * onto multicast forwarding.
+ * Process PIM protocol packets i.e. IP Protocol 103.
+ * Register messages are decapsulated and sent onto multicast forwarding.
+ *
+ * Return NULL for a bad packet that is discarded here.
+ * Return mp if the message is OK and should be handed to "raw" receivers.
+ * Callers of pim_input() may need to reinitialize variables that were copied
+ * from the mblk as this calls pullupmsg().
*/
-int
-pim_input(queue_t *q, mblk_t *mp, ill_t *ill)
+mblk_t *
+pim_input(mblk_t *mp, ip_recv_attr_t *ira)
{
ipha_t *eip, *ip;
int iplen, pimlen, iphlen;
struct pim *pimp; /* pointer to a pim struct */
uint32_t *reghdr;
+ ill_t *ill = ira->ira_ill;
ip_stack_t *ipst = ill->ill_ipst;
conn_t *mrouter = ipst->ips_ip_g_mrouter;
@@ -2369,8 +2342,10 @@ pim_input(queue_t *q, mblk_t *mp, ill_t *ill)
*/
if (pullupmsg(mp, -1) == 0) {
++ipst->ips_mrtstat->mrts_pim_nomemory;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("mrts_pim_nomemory", mp, ill);
freemsg(mp);
- return (-1);
+ return (NULL);
}
ip = (ipha_t *)mp->b_rptr;
@@ -2387,8 +2362,10 @@ pim_input(queue_t *q, mblk_t *mp, ill_t *ill)
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
"pim_input: length not at least minlen");
}
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("mrts_pim_malformed", mp, ill);
freemsg(mp);
- return (-1);
+ return (NULL);
}
/*
@@ -2405,8 +2382,10 @@ pim_input(queue_t *q, mblk_t *mp, ill_t *ill)
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
"pim_input: unknown version of PIM");
}
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("mrts_pim_badversion", mp, ill);
freemsg(mp);
- return (-1);
+ return (NULL);
}
/*
@@ -2418,12 +2397,14 @@ pim_input(queue_t *q, mblk_t *mp, ill_t *ill)
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
"pim_input: invalid checksum");
}
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("pim_rcv_badcsum", mp, ill);
freemsg(mp);
- return (-1);
+ return (NULL);
}
if (pimp->pim_type != PIM_REGISTER)
- return (0);
+ return (mp);
reghdr = (uint32_t *)(pimp + 1);
eip = (ipha_t *)(reghdr + 1);
@@ -2437,8 +2418,10 @@ pim_input(queue_t *q, mblk_t *mp, ill_t *ill)
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
"pim_input: Inner pkt not mcast .. !");
}
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("mrts_pim_badregisters", mp, ill);
freemsg(mp);
- return (-1);
+ return (NULL);
}
if (ipst->ips_ip_mrtdebug > 1) {
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
@@ -2450,27 +2433,36 @@ pim_input(queue_t *q, mblk_t *mp, ill_t *ill)
/*
* If the null register bit is not set, decapsulate
* the packet before forwarding it.
+ * Avoid this in no register vif
*/
- if (!(ntohl(*reghdr) & PIM_NULL_REGISTER)) {
+ if (!(ntohl(*reghdr) & PIM_NULL_REGISTER) &&
+ ipst->ips_reg_vif_num != ALL_VIFS) {
mblk_t *mp_copy;
+ uint_t saved_pktlen;
/* Copy the message */
if ((mp_copy = copymsg(mp)) == NULL) {
++ipst->ips_mrtstat->mrts_pim_nomemory;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("mrts_pim_nomemory", mp, ill);
freemsg(mp);
- return (-1);
+ return (NULL);
}
/*
* Decapsulate the packet and give it to
* register_mforward.
*/
- mp_copy->b_rptr += iphlen + sizeof (pim_t) +
- sizeof (*reghdr);
- if (register_mforward(q, mp_copy, ill) != 0) {
+ mp_copy->b_rptr += iphlen + sizeof (pim_t) + sizeof (*reghdr);
+ saved_pktlen = ira->ira_pktlen;
+ ira->ira_pktlen -= iphlen + sizeof (pim_t) + sizeof (*reghdr);
+ if (register_mforward(mp_copy, ira) != 0) {
+ /* register_mforward already called ip_drop_input */
freemsg(mp);
- return (-1);
+ ira->ira_pktlen = saved_pktlen;
+ return (NULL);
}
+ ira->ira_pktlen = saved_pktlen;
}
/*
@@ -2478,7 +2470,7 @@ pim_input(queue_t *q, mblk_t *mp, ill_t *ill)
* PIM socket. For Solaris it is done right after pim_input() is
* called.
*/
- return (0);
+ return (mp);
}
/*
@@ -2486,38 +2478,52 @@ pim_input(queue_t *q, mblk_t *mp, ill_t *ill)
* the packet. Loop back the packet, as if we have received it.
* In pim_input() we have to check if the destination is a multicast address.
*/
-/* ARGSUSED */
static int
-register_mforward(queue_t *q, mblk_t *mp, ill_t *ill)
+register_mforward(mblk_t *mp, ip_recv_attr_t *ira)
{
+ ire_t *ire;
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+ ill_t *ill = ira->ira_ill;
ip_stack_t *ipst = ill->ill_ipst;
conn_t *mrouter = ipst->ips_ip_g_mrouter;
ASSERT(ipst->ips_reg_vif_num <= ipst->ips_numvifs);
if (ipst->ips_ip_mrtdebug > 3) {
- ipha_t *ipha;
-
- ipha = (ipha_t *)mp->b_rptr;
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
"register_mforward: src %x, dst %x\n",
ntohl(ipha->ipha_src), ntohl(ipha->ipha_dst));
}
/*
* Need to pass in to ip_mforward() the information that the
- * packet has arrived on the register_vif. We use the solution that
- * ip_mroute_decap() employs: use mp->b_prev to pass some information
- * to ip_mforward(). Nonzero value means the packet has arrived on a
- * tunnel (ip_mroute_decap() puts the address of the other side of the
- * tunnel there.) This is safe since ip_rput() either frees the packet
- * or passes it to ip_mforward(). We use
- * PIM_REGISTER_MARKER = 0xffffffff to indicate the has arrived on the
- * register vif. If in the future we have more than one register vifs,
- * then this will need re-examination.
+ * packet has arrived on the register_vif. We mark it with
+ * the IRAF_PIM_REGISTER attribute.
+ * pim_input verified that the (inner) destination is multicast,
+ * hence we skip the generic code in ip_input.
*/
- mp->b_prev = (mblk_t *)PIM_REGISTER_MARKER;
+ ira->ira_flags |= IRAF_PIM_REGISTER;
++ipst->ips_mrtstat->mrts_pim_regforwards;
- ip_rput(q, mp);
+
+ if (!CLASSD(ipha->ipha_dst)) {
+ ire = ire_route_recursive_v4(ipha->ipha_dst, 0, NULL, ALL_ZONES,
+ ira->ira_tsl, MATCH_IRE_SECATTR, B_TRUE, 0, ipst, NULL,
+ NULL, NULL);
+ } else {
+ ire = ire_multicast(ill);
+ }
+ ASSERT(ire != NULL);
+ /* Normally this will return the IRE_MULTICAST */
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("mrts_pim RTF_REJECT", mp, ill);
+ freemsg(mp);
+ ire_refrele(ire);
+ return (-1);
+ }
+ ASSERT(ire->ire_type & IRE_MULTICAST);
+ (*ire->ire_recvfn)(ire, mp, ipha, ira);
+ ire_refrele(ire);
+
return (0);
}
@@ -2575,6 +2581,8 @@ encap_send(ipha_t *ipha, mblk_t *mp, struct vif *vifp, ipaddr_t dst)
ipha->ipha_hdr_checksum = 0;
ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
+ ipha_copy->ipha_ttl = ipha->ipha_ttl;
+
if (ipst->ips_ip_mrtdebug > 1) {
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
"encap_send: group 0x%x", ntohl(ipha->ipha_dst));
@@ -2587,21 +2595,53 @@ encap_send(ipha_t *ipha, mblk_t *mp, struct vif *vifp, ipaddr_t dst)
}
/*
- * De-encapsulate a packet and feed it back through IP input.
+ * De-encapsulate a packet and feed it back through IP input if it
+ * matches one of our multicast tunnels.
+ *
* This routine is called whenever IP gets a packet with prototype
- * IPPROTO_ENCAP and a local destination address.
+ * IPPROTO_ENCAP and a local destination address and the packet didn't
+ * match one of our configured IP-in-IP tunnels.
*/
void
-ip_mroute_decap(queue_t *q, mblk_t *mp, ill_t *ill)
+ip_mroute_decap(mblk_t *mp, ip_recv_attr_t *ira)
{
ipha_t *ipha = (ipha_t *)mp->b_rptr;
ipha_t *ipha_encap;
int hlen = IPH_HDR_LENGTH(ipha);
+ int hlen_encap;
ipaddr_t src;
struct vif *vifp;
+ ire_t *ire;
+ ill_t *ill = ira->ira_ill;
ip_stack_t *ipst = ill->ill_ipst;
conn_t *mrouter = ipst->ips_ip_g_mrouter;
+ /* Make sure we have all of the inner header */
+ ipha_encap = (ipha_t *)((char *)ipha + hlen);
+ if (mp->b_wptr - mp->b_rptr < hlen + IP_SIMPLE_HDR_LENGTH) {
+ ipha = ip_pullup(mp, hlen + IP_SIMPLE_HDR_LENGTH, ira);
+ if (ipha == NULL) {
+ ipst->ips_mrtstat->mrts_bad_tunnel++;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ip_mroute_decap: too short", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ipha_encap = (ipha_t *)((char *)ipha + hlen);
+ }
+ hlen_encap = IPH_HDR_LENGTH(ipha_encap);
+ if (mp->b_wptr - mp->b_rptr < hlen + hlen_encap) {
+ ipha = ip_pullup(mp, hlen + hlen_encap, ira);
+ if (ipha == NULL) {
+ ipst->ips_mrtstat->mrts_bad_tunnel++;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ip_mroute_decap: too short", mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ipha_encap = (ipha_t *)((char *)ipha + hlen);
+ }
+
/*
* Dump the packet if it's not to a multicast destination or if
* we don't have an encapsulating tunnel with the source.
@@ -2609,10 +2649,11 @@ ip_mroute_decap(queue_t *q, mblk_t *mp, ill_t *ill)
* uniquely identifies the tunnel (i.e., that this site has
* at most one tunnel with the remote site).
*/
- ipha_encap = (ipha_t *)((char *)ipha + hlen);
if (!CLASSD(ipha_encap->ipha_dst)) {
ipst->ips_mrtstat->mrts_bad_tunnel++;
ip1dbg(("ip_mroute_decap: bad tunnel\n"));
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("mrts_bad_tunnel", mp, ill);
freemsg(mp);
return;
}
@@ -2648,6 +2689,8 @@ ip_mroute_decap(queue_t *q, mblk_t *mp, ill_t *ill)
if ((vifp = ipst->ips_last_encap_vif) == 0) {
mutex_exit(&ipst->ips_last_encap_lock);
ipst->ips_mrtstat->mrts_bad_tunnel++;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("mrts_bad_tunnel", mp, ill);
freemsg(mp);
ip1dbg(("ip_mroute_decap: vif %ld no tunnel with %x\n",
(ptrdiff_t)(vifp - ipst->ips_vifs), ntohl(src)));
@@ -2657,14 +2700,43 @@ ip_mroute_decap(queue_t *q, mblk_t *mp, ill_t *ill)
/*
* Need to pass in the tunnel source to ip_mforward (so that it can
- * verify that the packet arrived over the correct vif.) We use b_prev
- * to pass this information. This is safe since the ip_rput either
- * frees the packet or passes it to ip_mforward.
+ * verify that the packet arrived over the correct vif.)
*/
- mp->b_prev = (mblk_t *)(uintptr_t)src;
+ ira->ira_flags |= IRAF_MROUTE_TUNNEL_SET;
+ ira->ira_mroute_tunnel = src;
mp->b_rptr += hlen;
- /* Feed back into ip_rput as an M_DATA. */
- ip_rput(q, mp);
+ ira->ira_pktlen -= hlen;
+ ira->ira_ip_hdr_length = hlen_encap;
+
+ /*
+ * We don't redo any of the filtering in ill_input_full_v4 and we
+ * have checked that all of ipha_encap and any IP options are
+ * pulled up. Hence we call ire_recv_multicast_v4 directly.
+ * However, we have to check for RSVP as in ip_input_full_v4
+ * and if so we pass it to ire_recv_broadcast_v4 for local delivery
+ * to the rsvpd.
+ */
+ if (ipha_encap->ipha_protocol == IPPROTO_RSVP &&
+ ipst->ips_ipcl_proto_fanout_v4[IPPROTO_RSVP].connf_head != NULL) {
+ ire = ire_route_recursive_v4(INADDR_BROADCAST, 0, ill,
+ ALL_ZONES, ira->ira_tsl, MATCH_IRE_ILL|MATCH_IRE_SECATTR,
+ B_TRUE, 0, ipst, NULL, NULL, NULL);
+ } else {
+ ire = ire_multicast(ill);
+ }
+ ASSERT(ire != NULL);
+ /* Normally this will return the IRE_MULTICAST or IRE_BROADCAST */
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ip_mroute_decap: RTF_REJECT", mp, ill);
+ freemsg(mp);
+ ire_refrele(ire);
+ return;
+ }
+ ire->ire_ib_pkt_count++;
+ ASSERT(ire->ire_type & (IRE_MULTICAST|IRE_BROADCAST));
+ (*ire->ire_recvfn)(ire, mp, ipha_encap, ira);
+ ire_refrele(ire);
}
/*
@@ -2687,7 +2759,7 @@ reset_mrt_vif_ipif(ipif_t *ipif)
for (vifi = num_of_vifs; vifi != 0; vifi--) {
tmp_vifi = vifi - 1;
if (ipst->ips_vifs[tmp_vifi].v_ipif == ipif) {
- (void) del_vif(&tmp_vifi, NULL, NULL, ipst);
+ (void) del_vif(&tmp_vifi, ipst);
}
}
}
@@ -2696,11 +2768,12 @@ reset_mrt_vif_ipif(ipif_t *ipif)
void
reset_mrt_ill(ill_t *ill)
{
- struct mfc *rt;
+ struct mfc *rt;
struct rtdetq *rte;
- int i;
+ int i;
ip_stack_t *ipst = ill->ill_ipst;
conn_t *mrouter = ipst->ips_ip_g_mrouter;
+ timeout_id_t id;
for (i = 0; i < MFCTBLSIZ; i++) {
MFCB_REFHOLD(&ipst->ips_mfcs[i]);
@@ -2713,6 +2786,18 @@ reset_mrt_ill(ill_t *ill)
while (rt != NULL) {
mutex_enter(&rt->mfc_mutex);
while ((rte = rt->mfc_rte) != NULL) {
+ if (rte->ill == ill &&
+ (id = rt->mfc_timeout_id) != 0) {
+ /*
+ * Its ok to drop the lock, the
+ * struct cannot be freed since
+ * we have a ref on the hash
+ * bucket.
+ */
+ mutex_exit(&rt->mfc_mutex);
+ (void) untimeout(id);
+ mutex_enter(&rt->mfc_mutex);
+ }
if (rte->ill == ill) {
if (ipst->ips_ip_mrtdebug > 1) {
(void) mi_strlog(
@@ -2744,12 +2829,15 @@ tbf_control(struct vif *vifp, mblk_t *mp, ipha_t *ipha)
size_t p_len = msgdsize(mp);
struct tbf *t = vifp->v_tbf;
timeout_id_t id = 0;
- ip_stack_t *ipst = vifp->v_ipif->ipif_ill->ill_ipst;
+ ill_t *ill = vifp->v_ipif->ipif_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
conn_t *mrouter = ipst->ips_ip_g_mrouter;
/* Drop if packet is too large */
if (p_len > MAX_BKT_SIZE) {
ipst->ips_mrtstat->mrts_pkt2large++;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("tbf_control - too large", mp, ill);
freemsg(mp);
return;
}
@@ -2800,6 +2888,9 @@ tbf_control(struct vif *vifp, mblk_t *mp, ipha_t *ipha)
if ((mp->b_wptr - mp->b_rptr) < hdr_length) {
if (!pullupmsg(mp, hdr_length)) {
+ BUMP_MIB(ill->ill_ip_mib,
+ ipIfStatsOutDiscards);
+ ip_drop_output("tbf_control - pullup", mp, ill);
freemsg(mp);
ip1dbg(("tbf_ctl: couldn't pullup udp hdr, "
"vif %ld src 0x%x dst 0x%x\n",
@@ -2818,6 +2909,8 @@ tbf_control(struct vif *vifp, mblk_t *mp, ipha_t *ipha)
*/
if (!tbf_dq_sel(vifp, ipha)) {
ipst->ips_mrtstat->mrts_q_overflow++;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("mrts_q_overflow", mp, ill);
freemsg(mp);
} else {
tbf_queue(vifp, mp);
@@ -2958,7 +3051,8 @@ tbf_dq_sel(struct vif *vifp, ipha_t *ipha)
struct tbf *t = vifp->v_tbf;
mblk_t **np;
mblk_t *last, *mp;
- ip_stack_t *ipst = vifp->v_ipif->ipif_ill->ill_ipst;
+ ill_t *ill = vifp->v_ipif->ipif_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
conn_t *mrouter = ipst->ips_ip_g_mrouter;
if (ipst->ips_ip_mrtdebug > 1) {
@@ -2979,6 +3073,8 @@ tbf_dq_sel(struct vif *vifp, ipha_t *ipha)
if (mp == t->tbf_t)
t->tbf_t = last;
mp->b_prev = mp->b_next = NULL;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("tbf_dq_send", mp, ill);
freemsg(mp);
/*
* It's impossible for the queue to be empty, but
@@ -3000,76 +3096,97 @@ tbf_dq_sel(struct vif *vifp, ipha_t *ipha)
static void
tbf_send_packet(struct vif *vifp, mblk_t *mp)
{
- ipif_t *ipif;
- ip_stack_t *ipst = vifp->v_ipif->ipif_ill->ill_ipst;
+ ipif_t *ipif = vifp->v_ipif;
+ ill_t *ill = ipif->ipif_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
conn_t *mrouter = ipst->ips_ip_g_mrouter;
+ ipha_t *ipha;
+ ipha = (ipha_t *)mp->b_rptr;
/* If encap tunnel options */
if (vifp->v_flags & VIFF_TUNNEL) {
+ ip_xmit_attr_t ixas;
+
if (ipst->ips_ip_mrtdebug > 1) {
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
- "tbf_send_pkt: ENCAP tunnel vif %ld",
+ "tbf_send_packet: ENCAP tunnel vif %ld",
(ptrdiff_t)(vifp - ipst->ips_vifs));
}
+ bzero(&ixas, sizeof (ixas));
+ ixas.ixa_flags = IXAF_IS_IPV4 | IXAF_NO_TTL_CHANGE;
+ ixas.ixa_ipst = ipst;
+ ixas.ixa_ifindex = 0;
+ ixas.ixa_cred = kcred;
+ ixas.ixa_cpid = NOPID;
+ ixas.ixa_tsl = NULL;
+ ixas.ixa_zoneid = GLOBAL_ZONEID; /* Multicast router in GZ */
+ ixas.ixa_pktlen = ntohs(ipha->ipha_length);
+ ixas.ixa_ip_hdr_length = IPH_HDR_LENGTH(ipha);
/*
- * Feed into ip_wput which will set the ident field and
- * checksum the encapsulating header.
+ * Feed into ip_output_simple which will set the ident field
+ * and checksum the encapsulating header.
* BSD gets the cached route vifp->v_route from ip_output()
* to speed up route table lookups. Not necessary in SunOS 5.x.
+ * One could make multicast forwarding faster by putting an
+ * ip_xmit_attr_t in each vif thereby caching the ire/nce.
*/
- put(vifp->v_ipif->ipif_wq, mp);
+ (void) ip_output_simple(mp, &ixas);
+ ixa_cleanup(&ixas);
return;
/* phyint */
} else {
/* Need to loop back to members on the outgoing interface. */
- ipha_t *ipha;
- ipaddr_t dst;
- ipha = (ipha_t *)mp->b_rptr;
- dst = ipha->ipha_dst;
- ipif = vifp->v_ipif;
-
- if (ilm_lookup_ipif(ipif, dst) != NULL) {
- /*
- * The packet is not yet reassembled, thus we need to
- * pass it to ip_rput_local for checksum verification
- * and reassembly (and fanout the user stream).
- */
- mblk_t *mp_loop;
- ire_t *ire;
-
- if (ipst->ips_ip_mrtdebug > 1) {
- (void) mi_strlog(mrouter->conn_rq, 1,
- SL_TRACE,
- "tbf_send_pkt: loopback vif %ld",
- (ptrdiff_t)(vifp - ipst->ips_vifs));
- }
- mp_loop = copymsg(mp);
- ire = ire_ctable_lookup(~0, 0, IRE_BROADCAST, NULL,
- ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
-
- if (mp_loop != NULL && ire != NULL) {
- IP_RPUT_LOCAL(ipif->ipif_rq, mp_loop,
- ((ipha_t *)mp_loop->b_rptr),
- ire, (ill_t *)ipif->ipif_rq->q_ptr);
- } else {
- /* Either copymsg failed or no ire */
- (void) mi_strlog(mrouter->conn_rq, 1,
- SL_TRACE,
- "tbf_send_pkt: mp_loop 0x%p, ire 0x%p "
- "vif %ld\n", (void *)mp_loop, (void *)ire,
- (ptrdiff_t)(vifp - ipst->ips_vifs));
- }
- if (ire != NULL)
- ire_refrele(ire);
+ ipaddr_t dst;
+ ip_recv_attr_t iras;
+ nce_t *nce;
+
+ bzero(&iras, sizeof (iras));
+ iras.ira_flags = IRAF_IS_IPV4;
+ iras.ira_ill = iras.ira_rill = ill;
+ iras.ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+ iras.ira_zoneid = GLOBAL_ZONEID; /* Multicast router in GZ */
+ iras.ira_pktlen = ntohs(ipha->ipha_length);
+ iras.ira_ip_hdr_length = IPH_HDR_LENGTH(ipha);
+
+ dst = ipha->ipha_dst;
+ if (ill_hasmembers_v4(ill, dst)) {
+ iras.ira_flags |= IRAF_LOOPBACK_COPY;
}
if (ipst->ips_ip_mrtdebug > 1) {
(void) mi_strlog(mrouter->conn_rq, 1, SL_TRACE,
"tbf_send_pkt: phyint forward vif %ld dst = 0x%x",
(ptrdiff_t)(vifp - ipst->ips_vifs), ntohl(dst));
}
- ip_rput_forward_multicast(dst, mp, ipif);
+ /*
+ * Find an NCE which matches the nexthop.
+ * For a pt-pt interface we use the other end of the pt-pt
+ * link.
+ */
+ if (ipif->ipif_flags & IPIF_POINTOPOINT) {
+ dst = ipif->ipif_pp_dst_addr;
+ nce = arp_nce_init(ill, dst, ill->ill_net_type);
+ } else {
+ nce = arp_nce_init(ill, dst, IRE_MULTICAST);
+ }
+ if (nce == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("tbf_send_packet - no nce", mp, ill);
+ freemsg(mp);
+ return;
+ }
+
+ /*
+ * We don't remeber the incoming ill. Thus we
+ * pretend the packet arrived on the outbound ill. This means
+ * statistics for input errors will be increased on the wrong
+ * ill but that isn't a big deal.
+ */
+ ip_forward_xmit_v4(nce, ill, mp, ipha, &iras, ill->ill_mtu, 0);
+ ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
+
+ nce_refrele(nce);
}
}
diff --git a/usr/src/uts/common/inet/ip/ip_multi.c b/usr/src/uts/common/inet/ip/ip_multi.c
index d7be67cd26..0912d87227 100644
--- a/usr/src/uts/common/inet/ip/ip_multi.c
+++ b/usr/src/uts/common/inet/ip/ip_multi.c
@@ -66,29 +66,41 @@ static void ilm_bld_flists(conn_t *conn, void *arg);
static void ilm_gen_filter(ilm_t *ilm, mcast_record_t *fmode,
slist_t *flist);
-static ilm_t *ilm_add_v6(ipif_t *ipif, const in6_addr_t *group,
+static ilm_t *ilm_add(ill_t *ill, const in6_addr_t *group,
ilg_stat_t ilgstat, mcast_record_t ilg_fmode, slist_t *ilg_flist,
zoneid_t zoneid);
static void ilm_delete(ilm_t *ilm);
-static int ip_ll_addmulti_v6(ipif_t *ipif, const in6_addr_t *group);
-static int ip_ll_delmulti_v6(ipif_t *ipif, const in6_addr_t *group);
-static ilg_t *ilg_lookup_ipif(conn_t *connp, ipaddr_t group,
- ipif_t *ipif);
-static int ilg_add(conn_t *connp, ipaddr_t group, ipif_t *ipif,
- mcast_record_t fmode, ipaddr_t src);
-static int ilg_add_v6(conn_t *connp, const in6_addr_t *group, ill_t *ill,
- mcast_record_t fmode, const in6_addr_t *v6src);
+static int ilm_numentries(ill_t *, const in6_addr_t *);
+
+static ilm_t *ip_addmulti_serial(const in6_addr_t *, ill_t *, zoneid_t,
+ ilg_stat_t, mcast_record_t, slist_t *, int *);
+static ilm_t *ip_addmulti_impl(const in6_addr_t *, ill_t *,
+ zoneid_t, ilg_stat_t, mcast_record_t, slist_t *, int *);
+static int ip_delmulti_serial(ilm_t *, boolean_t, boolean_t);
+static int ip_delmulti_impl(ilm_t *, boolean_t, boolean_t);
+
+static int ip_ll_multireq(ill_t *ill, const in6_addr_t *group,
+ t_uscalar_t);
+static ilg_t *ilg_lookup(conn_t *, const in6_addr_t *, ipaddr_t ifaddr,
+ uint_t ifindex);
+
+static int ilg_add(conn_t *connp, const in6_addr_t *group,
+ ipaddr_t ifaddr, uint_t ifindex, ill_t *ill, mcast_record_t fmode,
+ const in6_addr_t *v6src);
static void ilg_delete(conn_t *connp, ilg_t *ilg, const in6_addr_t *src);
static mblk_t *ill_create_dl(ill_t *ill, uint32_t dl_primitive,
- uint32_t length, uint32_t *addr_lenp, uint32_t *addr_offp);
-static void conn_ilg_reap(conn_t *connp);
-static int ip_opt_delete_group_excl(conn_t *connp, ipaddr_t group,
- ipif_t *ipif, mcast_record_t fmode, ipaddr_t src);
-static int ip_opt_delete_group_excl_v6(conn_t *connp,
- const in6_addr_t *v6group, ill_t *ill, mcast_record_t fmode,
- const in6_addr_t *v6src);
-static void ill_ilm_walker_hold(ill_t *ill);
-static void ill_ilm_walker_rele(ill_t *ill);
+ uint32_t *addr_lenp, uint32_t *addr_offp);
+static int ip_opt_delete_group_excl(conn_t *connp,
+ const in6_addr_t *v6group, ipaddr_t ifaddr, uint_t ifindex,
+ mcast_record_t fmode, const in6_addr_t *v6src);
+
+static ilm_t *ilm_lookup(ill_t *, const in6_addr_t *, zoneid_t);
+
+static int ip_msfilter_ill(conn_t *, mblk_t *, const ip_ioctl_cmd_t *,
+ ill_t **);
+
+static void ilg_check_detach(conn_t *, ill_t *);
+static void ilg_check_reattach(conn_t *);
/*
* MT notes:
@@ -98,124 +110,122 @@ static void ill_ilm_walker_rele(ill_t *ill);
* need to synchronize when operating on the ilg. Multiple threads
* potentially operating on different conn (socket endpoints) trying to
* do multicast joins could eventually end up trying to manipulate the
- * ilm simultaneously and need to synchronize access to the ilm. Currently,
- * this is done by synchronizing join/leave via per-phyint ipsq_t
- * serialization.
+ * ilm simulatenously and need to synchronize on the access to the ilm.
+ * The access and lookup of the ilm, as well as other ill multicast state,
+ * is under ill_mcast_lock.
+ * The modifications and lookup of ilg entries is serialized using conn_ilg_lock
+ * rwlock. An ilg will not be freed until ilg_refcnt drops to zero.
+ *
+ * In some cases we hold ill_mcast_lock and then acquire conn_ilg_lock, but
+ * never the other way around.
*
* An ilm is an IP data structure used to track multicast join/leave.
* An ilm is associated with a <multicast group, ipif> tuple in IPv4 and
* with just <multicast group> in IPv6. ilm_refcnt is the number of ilg's
- * referencing the ilm. ilms are created / destroyed only as writer. ilms
- * are not passed around, instead they are looked up and used under the
- * ill_lock or as writer. So we don't need a dynamic refcount of the number
+ * referencing the ilm.
+ * The modifications and lookup of ilm entries is serialized using the
+ * ill_mcast_lock rwlock; that lock handles all the igmp/mld modifications
+ * of the ilm state.
+ * ilms are created / destroyed only as writer. ilms
+ * are not passed around. The datapath (anything outside of this file
+ * and igmp.c) use functions that do not return ilms - just the number
+ * of members. So we don't need a dynamic refcount of the number
* of threads holding reference to an ilm.
*
- * Multicast Join operation:
- *
- * The first step is to determine the ipif (v4) or ill (v6) on which
- * the join operation is to be done. The join is done after becoming
- * exclusive on the ipsq associated with the ipif or ill. The conn->conn_ilg
- * and ill->ill_ilm are thus accessed and modified exclusively per ill.
- * Multiple threads can attempt to join simultaneously on different ipif/ill
- * on the same conn. In this case the ipsq serialization does not help in
- * protecting the ilg. It is the conn_lock that is used to protect the ilg.
- * The conn_lock also protects all the ilg_t members.
+ * In the cases where we serially access the ilg and ilm, which happens when
+ * we handle the applications requests to join or leave groups and sources,
+ * we use the ill_mcast_serializer mutex to ensure that a multithreaded
+ * application which does concurrent joins and/or leaves on the same group on
+ * the same socket always results in a consistent order for the ilg and ilm
+ * modifications.
*
- * Leave operation.
- *
- * Similar to the join operation, the first step is to determine the ipif
- * or ill (v6) on which the leave operation is to be done. The leave operation
- * is done after becoming exclusive on the ipsq associated with the ipif or ill.
- * As with join ilg modification is done under the protection of the conn lock.
+ * When a multicast operation results in needing to send a message to
+ * the driver (to join/leave a L2 multicast address), we use ill_dlpi_queue()
+ * which serialized the DLPI requests. The IGMP/MLD code uses ill_mcast_queue()
+ * to send IGMP/MLD IP packet to avoid dropping the lock just to send a packet.
*/
-#define IPSQ_ENTER_IPIF(ipif, connp, first_mp, func, ipsq, type) \
- ASSERT(connp != NULL); \
- (ipsq) = ipsq_try_enter((ipif), NULL, CONNP_TO_WQ(connp), \
- (first_mp), (func), (type), B_TRUE); \
- if ((ipsq) == NULL) { \
- ipif_refrele(ipif); \
- return (EINPROGRESS); \
- }
-
-#define IPSQ_ENTER_ILL(ill, connp, first_mp, func, ipsq, type) \
- ASSERT(connp != NULL); \
- (ipsq) = ipsq_try_enter(NULL, ill, CONNP_TO_WQ(connp), \
- (first_mp), (func), (type), B_TRUE); \
- if ((ipsq) == NULL) { \
- ill_refrele(ill); \
- return (EINPROGRESS); \
- }
-
-#define IPSQ_EXIT(ipsq) \
- if (ipsq != NULL) \
- ipsq_exit(ipsq);
+#define GETSTRUCT(structure, number) \
+ ((structure *)mi_zalloc(sizeof (structure) * (number)))
-#define ILG_WALKER_HOLD(connp) (connp)->conn_ilg_walker_cnt++
+/*
+ * Caller must ensure that the ilg has not been condemned
+ * The condemned flag is only set in ilg_delete under conn_ilg_lock.
+ *
+ * The caller must hold conn_ilg_lock as writer.
+ */
+static void
+ilg_refhold(ilg_t *ilg)
+{
+ ASSERT(ilg->ilg_refcnt != 0);
+ ASSERT(!ilg->ilg_condemned);
+ ASSERT(RW_WRITE_HELD(&ilg->ilg_connp->conn_ilg_lock));
-#define ILG_WALKER_RELE(connp) \
- { \
- (connp)->conn_ilg_walker_cnt--; \
- if ((connp)->conn_ilg_walker_cnt == 0) \
- conn_ilg_reap(connp); \
- }
+ ilg->ilg_refcnt++;
+}
static void
-conn_ilg_reap(conn_t *connp)
+ilg_inactive(ilg_t *ilg)
{
- int to;
- int from;
- ilg_t *ilg;
-
- ASSERT(MUTEX_HELD(&connp->conn_lock));
+ ASSERT(ilg->ilg_ill == NULL);
+ ASSERT(ilg->ilg_ilm == NULL);
+ ASSERT(ilg->ilg_filter == NULL);
+ ASSERT(ilg->ilg_condemned);
- to = 0;
- from = 0;
- while (from < connp->conn_ilg_inuse) {
- if (connp->conn_ilg[from].ilg_flags & ILG_DELETED) {
- ilg = &connp->conn_ilg[from];
- FREE_SLIST(ilg->ilg_filter);
- ilg->ilg_flags &= ~ILG_DELETED;
- from++;
- continue;
- }
- if (to != from)
- connp->conn_ilg[to] = connp->conn_ilg[from];
- to++;
- from++;
- }
+ /* Unlink from list */
+ *ilg->ilg_ptpn = ilg->ilg_next;
+ if (ilg->ilg_next != NULL)
+ ilg->ilg_next->ilg_ptpn = ilg->ilg_ptpn;
+ ilg->ilg_next = NULL;
+ ilg->ilg_ptpn = NULL;
- connp->conn_ilg_inuse = to;
+ ilg->ilg_connp = NULL;
+ kmem_free(ilg, sizeof (*ilg));
+}
- if (connp->conn_ilg_inuse == 0) {
- mi_free((char *)connp->conn_ilg);
- connp->conn_ilg = NULL;
- cv_broadcast(&connp->conn_refcv);
- }
+/*
+ * The caller must hold conn_ilg_lock as writer.
+ */
+static void
+ilg_refrele(ilg_t *ilg)
+{
+ ASSERT(RW_WRITE_HELD(&ilg->ilg_connp->conn_ilg_lock));
+ ASSERT(ilg->ilg_refcnt != 0);
+ if (--ilg->ilg_refcnt == 0)
+ ilg_inactive(ilg);
}
-#define GETSTRUCT(structure, number) \
- ((structure *)mi_zalloc(sizeof (structure) * (number)))
+/*
+ * Acquire reference on ilg and drop reference on held_ilg.
+ * In the case when held_ilg is the same as ilg we already have
+ * a reference, but the held_ilg might be condemned. In that case
+ * we avoid the ilg_refhold/rele so that we can assert in ire_refhold
+ * that the ilg isn't condemned.
+ */
+static void
+ilg_transfer_hold(ilg_t *held_ilg, ilg_t *ilg)
+{
+ if (held_ilg == ilg)
+ return;
-#define ILG_ALLOC_CHUNK 16
+ ilg_refhold(ilg);
+ if (held_ilg != NULL)
+ ilg_refrele(held_ilg);
+}
/*
- * Returns a pointer to the next available ilg in conn_ilg. Allocs more
- * buffers in size of ILG_ALLOC_CHUNK ilgs when needed, and updates conn's
- * ilg tracking fields appropriately (conn_ilg_inuse reflects usage of the
- * returned ilg). Returns NULL on failure, in which case `*errp' will be
+ * Allocate a new ilg_t and links it into conn_ilg.
+ * Returns NULL on failure, in which case `*errp' will be
* filled in with the reason.
*
- * Assumes connp->conn_lock is held.
+ * Assumes connp->conn_ilg_lock is held.
*/
static ilg_t *
conn_ilg_alloc(conn_t *connp, int *errp)
{
- ilg_t *new, *ret;
- int curcnt;
+ ilg_t *ilg;
- ASSERT(MUTEX_HELD(&connp->conn_lock));
- ASSERT(connp->conn_ilg_inuse <= connp->conn_ilg_allocated);
+ ASSERT(RW_WRITE_HELD(&connp->conn_ilg_lock));
/*
* If CONN_CLOSING is set, conn_ilg cleanup has begun and we must not
@@ -226,44 +236,23 @@ conn_ilg_alloc(conn_t *connp, int *errp)
return (NULL);
}
- if (connp->conn_ilg == NULL) {
- connp->conn_ilg = GETSTRUCT(ilg_t, ILG_ALLOC_CHUNK);
- if (connp->conn_ilg == NULL) {
- *errp = ENOMEM;
- return (NULL);
- }
- connp->conn_ilg_allocated = ILG_ALLOC_CHUNK;
- connp->conn_ilg_inuse = 0;
- }
- if (connp->conn_ilg_inuse == connp->conn_ilg_allocated) {
- if (connp->conn_ilg_walker_cnt != 0) {
- /*
- * XXX We cannot grow the array at this point
- * because a list walker could be in progress, and
- * we cannot wipe out the existing array until the
- * walker is done. Just return NULL for now.
- * ilg_delete_all() will have to be changed when
- * this logic is changed.
- */
- *errp = EBUSY;
- return (NULL);
- }
- curcnt = connp->conn_ilg_allocated;
- new = GETSTRUCT(ilg_t, curcnt + ILG_ALLOC_CHUNK);
- if (new == NULL) {
- *errp = ENOMEM;
- return (NULL);
- }
- bcopy(connp->conn_ilg, new, sizeof (ilg_t) * curcnt);
- mi_free((char *)connp->conn_ilg);
- connp->conn_ilg = new;
- connp->conn_ilg_allocated += ILG_ALLOC_CHUNK;
+ ilg = kmem_zalloc(sizeof (ilg_t), KM_NOSLEEP);
+ if (ilg == NULL) {
+ *errp = ENOMEM;
+ return (NULL);
}
- ret = &connp->conn_ilg[connp->conn_ilg_inuse++];
- ASSERT((ret->ilg_flags & ILG_DELETED) == 0);
- bzero(ret, sizeof (*ret));
- return (ret);
+ ilg->ilg_refcnt = 1;
+
+ /* Insert at head */
+ if (connp->conn_ilg != NULL)
+ connp->conn_ilg->ilg_ptpn = &ilg->ilg_next;
+ ilg->ilg_next = connp->conn_ilg;
+ ilg->ilg_ptpn = &connp->conn_ilg;
+ connp->conn_ilg = ilg;
+
+ ilg->ilg_connp = connp;
+ return (ilg);
}
typedef struct ilm_fbld_s {
@@ -275,15 +264,18 @@ typedef struct ilm_fbld_s {
boolean_t fbld_in_overflow;
} ilm_fbld_t;
+/*
+ * Caller must hold ill_mcast_lock
+ */
static void
-ilm_bld_flists(conn_t *conn, void *arg)
+ilm_bld_flists(conn_t *connp, void *arg)
{
- int i;
+ ilg_t *ilg;
ilm_fbld_t *fbld = (ilm_fbld_t *)(arg);
ilm_t *ilm = fbld->fbld_ilm;
in6_addr_t *v6group = &ilm->ilm_v6addr;
- if (conn->conn_ilg_inuse == 0)
+ if (connp->conn_ilg == NULL)
return;
/*
@@ -300,12 +292,26 @@ ilm_bld_flists(conn_t *conn, void *arg)
* ilm (group, interface match). If so, update the master
* include and exclude lists we're building in the fbld struct
* with this ilg's filter info.
+ *
+ * Note that the caller has already serialized on the ill we care
+ * about.
*/
- mutex_enter(&conn->conn_lock);
- for (i = 0; i < conn->conn_ilg_inuse; i++) {
- ilg_t *ilg = &conn->conn_ilg[i];
+ ASSERT(MUTEX_HELD(&ilm->ilm_ill->ill_mcast_serializer));
+
+ rw_enter(&connp->conn_ilg_lock, RW_READER);
+ for (ilg = connp->conn_ilg; ilg != NULL; ilg = ilg->ilg_next) {
+ if (ilg->ilg_condemned)
+ continue;
+
+ /*
+ * Since we are under the ill_mcast_serializer we know
+ * that any ilg+ilm operations on this ilm have either
+ * not started or completed, except for the last ilg
+ * (the one that caused us to be called) which doesn't
+ * have ilg_ilm set yet. Hence we compare using ilg_ill
+ * and the address.
+ */
if ((ilg->ilg_ill == ilm->ilm_ill) &&
- (ilg->ilg_ipif == ilm->ilm_ipif) &&
IN6_ARE_ADDR_EQUAL(&ilg->ilg_v6group, v6group)) {
if (ilg->ilg_fmode == MODE_IS_INCLUDE) {
fbld->fbld_in_cnt++;
@@ -337,9 +343,12 @@ ilm_bld_flists(conn_t *conn, void *arg)
break;
}
}
- mutex_exit(&conn->conn_lock);
+ rw_exit(&connp->conn_ilg_lock);
}
+/*
+ * Caller must hold ill_mcast_lock
+ */
static void
ilm_gen_filter(ilm_t *ilm, mcast_record_t *fmode, slist_t *flist)
{
@@ -385,15 +394,17 @@ ilm_gen_filter(ilm_t *ilm, mcast_record_t *fmode, slist_t *flist)
}
}
+/*
+ * Caller must hold ill_mcast_lock
+ */
static int
-ilm_update_add(ilm_t *ilm, ilg_stat_t ilgstat, slist_t *ilg_flist,
- boolean_t isv6)
+ilm_update_add(ilm_t *ilm, ilg_stat_t ilgstat, slist_t *ilg_flist)
{
mcast_record_t fmode;
slist_t *flist;
boolean_t fdefault;
char buf[INET6_ADDRSTRLEN];
- ill_t *ill = isv6 ? ilm->ilm_ill : ilm->ilm_ipif->ipif_ill;
+ ill_t *ill = ilm->ilm_ill;
/*
* There are several cases where the ilm's filter state
@@ -444,7 +455,7 @@ ilm_update_add(ilm_t *ilm, ilg_stat_t ilgstat, slist_t *ilg_flist,
/* send the state change report */
if (!IS_LOOPBACK(ill)) {
- if (isv6)
+ if (ill->ill_isv6)
mld_statechange(ilm, fmode, flist);
else
igmp_statechange(ilm, fmode, flist);
@@ -464,12 +475,15 @@ ilm_update_add(ilm_t *ilm, ilg_stat_t ilgstat, slist_t *ilg_flist,
return (0);
}
+/*
+ * Caller must hold ill_mcast_lock
+ */
static int
-ilm_update_del(ilm_t *ilm, boolean_t isv6)
+ilm_update_del(ilm_t *ilm)
{
mcast_record_t fmode;
slist_t *flist;
- ill_t *ill = isv6 ? ilm->ilm_ill : ilm->ilm_ipif->ipif_ill;
+ ill_t *ill = ilm->ilm_ill;
ip1dbg(("ilm_update_del: still %d left; updating state\n",
ilm->ilm_refcnt));
@@ -500,7 +514,7 @@ ilm_update_del(ilm_t *ilm, boolean_t isv6)
}
if (!IS_LOOPBACK(ill)) {
- if (isv6)
+ if (ill->ill_isv6)
mld_statechange(ilm, fmode, flist);
else
igmp_statechange(ilm, fmode, flist);
@@ -531,240 +545,245 @@ ilm_update_del(ilm_t *ilm, boolean_t isv6)
}
/*
- * INADDR_ANY means all multicast addresses.
- * INADDR_ANY is stored as IPv6 unspecified addr.
+ * Create/update the ilm for the group/ill. Used by other parts of IP to
+ * do the ILGSTAT_NONE (no ilg), MODE_IS_EXCLUDE, with no slist join.
+ * Returns with a refhold on the ilm.
+ *
+ * The unspecified address means all multicast addresses for in both the
+ * case of IPv4 and IPv6.
+ *
+ * The caller should have already mapped an IPMP under ill to the upper.
*/
-int
-ip_addmulti(ipaddr_t group, ipif_t *ipif, ilg_stat_t ilgstat,
- mcast_record_t ilg_fmode, slist_t *ilg_flist)
+ilm_t *
+ip_addmulti(const in6_addr_t *v6group, ill_t *ill, zoneid_t zoneid,
+ int *errorp)
{
- ill_t *ill = ipif->ipif_ill;
- ilm_t *ilm;
- in6_addr_t v6group;
- int ret;
-
- ASSERT(IAM_WRITER_IPIF(ipif));
-
- if (!CLASSD(group) && group != INADDR_ANY)
- return (EINVAL);
-
- if (IS_UNDER_IPMP(ill))
- return (EINVAL);
-
- /*
- * INADDR_ANY is represented as the IPv6 unspecified addr.
- */
- if (group == INADDR_ANY)
- v6group = ipv6_all_zeros;
- else
- IN6_IPADDR_TO_V4MAPPED(group, &v6group);
-
- ilm = ilm_lookup_ipif(ipif, group);
- /*
- * Since we are writer, we know the ilm_flags itself cannot
- * change at this point, and ilm_lookup_ipif would not have
- * returned a DELETED ilm. However, the data path can free
- * ilm->ilm_next via ilm_walker_cleanup() so we can safely
- * access anything in ilm except ilm_next (for safe access to
- * ilm_next we'd have to take the ill_lock).
- */
- if (ilm != NULL)
- return (ilm_update_add(ilm, ilgstat, ilg_flist, B_FALSE));
-
- ilm = ilm_add_v6(ipif, &v6group, ilgstat, ilg_fmode, ilg_flist,
- ipif->ipif_zoneid);
- if (ilm == NULL)
- return (ENOMEM);
-
- if (group == INADDR_ANY) {
- /*
- * Check how many ipif's have members in this group -
- * if more then one we should not tell the driver to join
- * this time
- */
- if (ilm_numentries_v6(ill, &v6group) > 1)
- return (0);
- ret = ill_join_allmulti(ill);
- if (ret != 0)
- ilm_delete(ilm);
- return (ret);
- }
-
- if (!IS_LOOPBACK(ill))
- igmp_joingroup(ilm);
-
- if (ilm_numentries_v6(ill, &v6group) > 1)
- return (0);
+ ilm_t *ilm;
- ret = ip_ll_addmulti_v6(ipif, &v6group);
- if (ret != 0)
- ilm_delete(ilm);
- return (ret);
+ /* Acquire serializer to keep assert in ilm_bld_flists happy */
+ mutex_enter(&ill->ill_mcast_serializer);
+ ilm = ip_addmulti_serial(v6group, ill, zoneid, ILGSTAT_NONE,
+ MODE_IS_EXCLUDE, NULL, errorp);
+ mutex_exit(&ill->ill_mcast_serializer);
+ return (ilm);
}
/*
- * The unspecified address means all multicast addresses.
+ * Create/update the ilm for the group/ill. If ILGSTAT_CHANGE is not set
+ * then this returns with a refhold on the ilm.
+ *
+ * Internal routine which assumes the caller has already acquired
+ * ill_multi_serializer.
*
- * ill identifies the interface to join on.
+ * The unspecified address means all multicast addresses for in both the
+ * case of IPv4 and IPv6.
*
* ilgstat tells us if there's an ilg associated with this join,
* and if so, if it's a new ilg or a change to an existing one.
* ilg_fmode and ilg_flist give us the current filter state of
* the ilg (and will be EXCLUDE {NULL} in the case of no ilg).
+ *
+ * The caller should have already mapped an IPMP under ill to the upper.
*/
-int
-ip_addmulti_v6(const in6_addr_t *v6group, ill_t *ill, zoneid_t zoneid,
- ilg_stat_t ilgstat, mcast_record_t ilg_fmode, slist_t *ilg_flist)
+static ilm_t *
+ip_addmulti_serial(const in6_addr_t *v6group, ill_t *ill, zoneid_t zoneid,
+ ilg_stat_t ilgstat, mcast_record_t ilg_fmode, slist_t *ilg_flist,
+ int *errorp)
{
- ilm_t *ilm;
- int ret;
+ ilm_t *ilm;
- ASSERT(IAM_WRITER_ILL(ill));
+ ASSERT(MUTEX_HELD(&ill->ill_mcast_serializer));
- if (!IN6_IS_ADDR_MULTICAST(v6group) &&
- !IN6_IS_ADDR_UNSPECIFIED(v6group)) {
- return (EINVAL);
+ if (ill->ill_isv6) {
+ if (!IN6_IS_ADDR_MULTICAST(v6group) &&
+ !IN6_IS_ADDR_UNSPECIFIED(v6group)) {
+ *errorp = EINVAL;
+ return (NULL);
+ }
+ } else {
+ if (IN6_IS_ADDR_V4MAPPED(v6group)) {
+ ipaddr_t v4group;
+
+ IN6_V4MAPPED_TO_IPADDR(v6group, v4group);
+ if (!CLASSD(v4group)) {
+ *errorp = EINVAL;
+ return (NULL);
+ }
+ } else if (!IN6_IS_ADDR_UNSPECIFIED(v6group)) {
+ *errorp = EINVAL;
+ return (NULL);
+ }
}
- if (IS_UNDER_IPMP(ill) && !IN6_IS_ADDR_MC_SOLICITEDNODE(v6group))
- return (EINVAL);
+ if (IS_UNDER_IPMP(ill)) {
+ *errorp = EINVAL;
+ return (NULL);
+ }
+
+ rw_enter(&ill->ill_mcast_lock, RW_WRITER);
+ /*
+ * We do the equivalent of a lookup by checking after we get the lock
+ * This is needed since the ill could have been condemned after
+ * we looked it up, and we need to check condemned after we hold
+ * ill_mcast_lock to synchronize with the unplumb code.
+ */
+ if (ill->ill_state_flags & ILL_CONDEMNED) {
+ rw_exit(&ill->ill_mcast_lock);
+ *errorp = ENXIO;
+ return (NULL);
+ }
+ ilm = ip_addmulti_impl(v6group, ill, zoneid, ilgstat, ilg_fmode,
+ ilg_flist, errorp);
+ rw_exit(&ill->ill_mcast_lock);
+
+ /* Send any deferred/queued DLPI or IP packets */
+ ill_mcast_send_queued(ill);
+ ill_dlpi_send_queued(ill);
+ ill_mcast_timer_start(ill->ill_ipst);
+ return (ilm);
+}
+
+static ilm_t *
+ip_addmulti_impl(const in6_addr_t *v6group, ill_t *ill, zoneid_t zoneid,
+ ilg_stat_t ilgstat, mcast_record_t ilg_fmode, slist_t *ilg_flist,
+ int *errorp)
+{
+ ilm_t *ilm;
+ int ret = 0;
+
+ ASSERT(RW_WRITE_HELD(&ill->ill_mcast_lock));
+ *errorp = 0;
/*
* An ilm is uniquely identified by the tuple of (group, ill) where
* `group' is the multicast group address, and `ill' is the interface
* on which it is currently joined.
*/
- ilm = ilm_lookup_ill_v6(ill, v6group, B_TRUE, zoneid);
- if (ilm != NULL)
- return (ilm_update_add(ilm, ilgstat, ilg_flist, B_TRUE));
- ilm = ilm_add_v6(ill->ill_ipif, v6group, ilgstat, ilg_fmode,
- ilg_flist, zoneid);
- if (ilm == NULL)
- return (ENOMEM);
+ ilm = ilm_lookup(ill, v6group, zoneid);
+ if (ilm != NULL) {
+ /* ilm_update_add bumps ilm_refcnt unless ILGSTAT_CHANGE */
+ ret = ilm_update_add(ilm, ilgstat, ilg_flist);
+ if (ret == 0)
+ return (ilm);
- if (IN6_IS_ADDR_UNSPECIFIED(v6group)) {
- /*
- * Check how many ipif's that have members in this group -
- * if more then one we should not tell the driver to join
- * this time
- */
- if (ilm_numentries_v6(ill, v6group) > 1)
- return (0);
- ret = ill_join_allmulti(ill);
- if (ret != 0)
- ilm_delete(ilm);
- return (ret);
+ *errorp = ret;
+ return (NULL);
}
- if (!IS_LOOPBACK(ill))
- mld_joingroup(ilm);
-
/*
- * If we have more then one we should not tell the driver
- * to join this time.
+ * The callers checks on the ilg and the ilg+ilm consistency under
+ * ill_mcast_serializer ensures that we can not have ILGSTAT_CHANGE
+ * and no ilm.
*/
- if (ilm_numentries_v6(ill, v6group) > 1)
- return (0);
-
- ret = ip_ll_addmulti_v6(ill->ill_ipif, v6group);
- if (ret != 0)
- ilm_delete(ilm);
- return (ret);
-}
+ ASSERT(ilgstat != ILGSTAT_CHANGE);
+ ilm = ilm_add(ill, v6group, ilgstat, ilg_fmode, ilg_flist, zoneid);
+ if (ilm == NULL) {
+ *errorp = ENOMEM;
+ return (NULL);
+ }
-/*
- * Mapping the given IP multicast address to the L2 multicast mac address.
- */
-static void
-ill_multicast_mapping(ill_t *ill, ipaddr_t ip_addr, uint8_t *hw_addr,
- uint32_t hw_addrlen)
-{
- dl_unitdata_req_t *dlur;
- ipaddr_t proto_extract_mask;
- uint8_t *from, *bcast_addr;
- uint32_t hw_extract_start;
- int len;
+ if (IN6_IS_ADDR_UNSPECIFIED(v6group)) {
+ /*
+ * If we have more then one we should not tell the driver
+ * to join this time.
+ */
+ if (ilm_numentries(ill, v6group) == 1) {
+ ret = ill_join_allmulti(ill);
+ }
+ } else {
+ if (!IS_LOOPBACK(ill)) {
+ if (ill->ill_isv6)
+ mld_joingroup(ilm);
+ else
+ igmp_joingroup(ilm);
+ }
- ASSERT(IN_CLASSD(ntohl(ip_addr)));
- ASSERT(hw_addrlen == ill->ill_phys_addr_length);
- ASSERT((ill->ill_phyint->phyint_flags & PHYI_MULTI_BCAST) == 0);
- ASSERT((ill->ill_flags & ILLF_MULTICAST) != 0);
+ /*
+ * If we have more then one we should not tell the driver
+ * to join this time.
+ */
+ if (ilm_numentries(ill, v6group) == 1) {
+ ret = ip_ll_multireq(ill, v6group, DL_ENABMULTI_REQ);
+ }
+ }
+ if (ret != 0) {
+ if (ret == ENETDOWN) {
+ char buf[INET6_ADDRSTRLEN];
- /*
- * Find the physical broadcast address.
- */
- dlur = (dl_unitdata_req_t *)ill->ill_bcast_mp->b_rptr;
- bcast_addr = (uint8_t *)dlur + dlur->dl_dest_addr_offset;
- if (ill->ill_sap_length > 0)
- bcast_addr += ill->ill_sap_length;
-
- VERIFY(MEDIA_V4MINFO(ill->ill_media, hw_addrlen, bcast_addr,
- hw_addr, &hw_extract_start, &proto_extract_mask));
-
- len = MIN((int)hw_addrlen - hw_extract_start, IP_ADDR_LEN);
- ip_addr &= proto_extract_mask;
- from = (uint8_t *)&ip_addr;
- while (len-- > 0)
- hw_addr[hw_extract_start + len] |= from[len];
+ ip0dbg(("ip_addmulti: ENETDOWN for %s on %s",
+ inet_ntop(AF_INET6, &ilm->ilm_v6addr,
+ buf, sizeof (buf)), ill->ill_name));
+ }
+ ilm_delete(ilm);
+ *errorp = ret;
+ return (NULL);
+ } else {
+ return (ilm);
+ }
}
/*
- * Send a multicast request to the driver for enabling multicast reception
- * for v6groupp address. The caller has already checked whether it is
- * appropriate to send one or not.
+ * Send a multicast request to the driver for enabling or disabling
+ * multicast reception for v6groupp address. The caller has already
+ * checked whether it is appropriate to send one or not.
+ *
+ * For IPMP we switch to the cast_ill since it has the right hardware
+ * information.
*/
-int
-ip_ll_send_enabmulti_req(ill_t *ill, const in6_addr_t *v6groupp)
+static int
+ip_ll_send_multireq(ill_t *ill, const in6_addr_t *v6groupp, t_uscalar_t prim)
{
mblk_t *mp;
uint32_t addrlen, addroff;
- char group_buf[INET6_ADDRSTRLEN];
-
- ASSERT(IAM_WRITER_ILL(ill));
-
- /*
- * If we're on the IPMP ill, use the nominated multicast interface to
- * send and receive DLPI messages, if one exists. (If none exists,
- * there are no usable interfaces and thus nothing to do.)
- */
- if (IS_IPMP(ill) && (ill = ipmp_illgrp_cast_ill(ill->ill_grp)) == NULL)
- return (0);
-
- /*
- * Create a DL_ENABMULTI_REQ.
- */
- mp = ill_create_dl(ill, DL_ENABMULTI_REQ, sizeof (dl_enabmulti_req_t),
- &addrlen, &addroff);
- if (!mp)
- return (ENOMEM);
-
- if (IN6_IS_ADDR_V4MAPPED(v6groupp)) {
- ipaddr_t v4group;
+ ill_t *release_ill = NULL;
+ int err = 0;
- IN6_V4MAPPED_TO_IPADDR(v6groupp, v4group);
+ ASSERT(RW_LOCK_HELD(&ill->ill_mcast_lock));
- ill_multicast_mapping(ill, v4group,
- mp->b_rptr + addroff, addrlen);
+ if (IS_IPMP(ill)) {
+ /* On the upper IPMP ill. */
+ release_ill = ipmp_illgrp_hold_cast_ill(ill->ill_grp);
+ if (release_ill == NULL) {
+ /*
+ * Avoid sending it down to the ipmpstub.
+ * We will be called again once the members of the
+ * group are in place
+ */
+ ip1dbg(("ip_ll_send_multireq: no cast_ill for %s %d\n",
+ ill->ill_name, ill->ill_isv6));
+ return (0);
+ }
+ ill = release_ill;
+ }
+ /* Create a DL_ENABMULTI_REQ or DL_DISABMULTI_REQ message. */
+ mp = ill_create_dl(ill, prim, &addrlen, &addroff);
+ if (mp == NULL) {
+ err = ENOMEM;
+ goto done;
+ }
- ip1dbg(("ip_ll_send_enabmulti_req: IPv4 %s on %s\n",
- inet_ntop(AF_INET6, v6groupp, group_buf,
- sizeof (group_buf)),
- ill->ill_name));
+ mp = ndp_mcastreq(ill, v6groupp, addrlen, addroff, mp);
+ if (mp == NULL) {
+ ip0dbg(("null from ndp_mcastreq(ill %s)\n", ill->ill_name));
+ err = ENOMEM;
+ goto done;
+ }
+ switch (((union DL_primitives *)mp->b_rptr)->dl_primitive) {
+ case DL_ENABMULTI_REQ:
+ mutex_enter(&ill->ill_lock);
/* Track the state if this is the first enabmulti */
if (ill->ill_dlpi_multicast_state == IDS_UNKNOWN)
ill->ill_dlpi_multicast_state = IDS_INPROGRESS;
- ill_dlpi_send(ill, mp);
- } else {
- ip1dbg(("ip_ll_send_enabmulti_req: IPv6 ndp_mcastreq %s on"
- " %s\n",
- inet_ntop(AF_INET6, v6groupp, group_buf,
- sizeof (group_buf)),
- ill->ill_name));
- return (ndp_mcastreq(ill, v6groupp, addrlen, addroff, mp));
+ mutex_exit(&ill->ill_lock);
+ break;
}
- return (0);
+ ill_dlpi_queue(ill, mp);
+done:
+ if (release_ill != NULL)
+ ill_refrele(release_ill);
+ return (err);
}
/*
@@ -772,132 +791,71 @@ ip_ll_send_enabmulti_req(ill_t *ill, const in6_addr_t *v6groupp)
* membership for v6group if appropriate.
*/
static int
-ip_ll_addmulti_v6(ipif_t *ipif, const in6_addr_t *v6groupp)
+ip_ll_multireq(ill_t *ill, const in6_addr_t *v6groupp, t_uscalar_t prim)
{
- ill_t *ill = ipif->ipif_ill;
-
- ASSERT(IAM_WRITER_IPIF(ipif));
-
if (ill->ill_net_type != IRE_IF_RESOLVER ||
- ipif->ipif_flags & IPIF_POINTOPOINT) {
- ip1dbg(("ip_ll_addmulti_v6: not resolver\n"));
+ ill->ill_ipif->ipif_flags & IPIF_POINTOPOINT) {
+ ip1dbg(("ip_ll_multireq: not resolver\n"));
return (0); /* Must be IRE_IF_NORESOLVER */
}
if (ill->ill_phyint->phyint_flags & PHYI_MULTI_BCAST) {
- ip1dbg(("ip_ll_addmulti_v6: MULTI_BCAST\n"));
- return (0);
- }
- if (!ill->ill_dl_up) {
- /*
- * Nobody there. All multicast addresses will be re-joined
- * when we get the DL_BIND_ACK bringing the interface up.
- */
- ip1dbg(("ip_ll_addmulti_v6: nobody up\n"));
+ ip1dbg(("ip_ll_multireq: MULTI_BCAST\n"));
return (0);
}
- return (ip_ll_send_enabmulti_req(ill, v6groupp));
+ return (ip_ll_send_multireq(ill, v6groupp, prim));
}
/*
- * INADDR_ANY means all multicast addresses.
- * INADDR_ANY is stored as the IPv6 unspecified addr.
+ * Delete the ilm. Used by other parts of IP for the case of no_ilg/leaving
+ * being true.
*/
int
-ip_delmulti(ipaddr_t group, ipif_t *ipif, boolean_t no_ilg, boolean_t leaving)
+ip_delmulti(ilm_t *ilm)
{
- ill_t *ill = ipif->ipif_ill;
- ilm_t *ilm;
- in6_addr_t v6group;
-
- ASSERT(IAM_WRITER_IPIF(ipif));
-
- if (!CLASSD(group) && group != INADDR_ANY)
- return (EINVAL);
-
- /*
- * INADDR_ANY is represented as the IPv6 unspecified addr.
- */
- if (group == INADDR_ANY)
- v6group = ipv6_all_zeros;
- else
- IN6_IPADDR_TO_V4MAPPED(group, &v6group);
+ ill_t *ill = ilm->ilm_ill;
+ int error;
- /*
- * Look for a match on the ipif.
- * (IP_DROP_MEMBERSHIP specifies an ipif using an IP address).
- */
- ilm = ilm_lookup_ipif(ipif, group);
- if (ilm == NULL)
- return (ENOENT);
-
- /* Update counters */
- if (no_ilg)
- ilm->ilm_no_ilg_cnt--;
-
- if (leaving)
- ilm->ilm_refcnt--;
-
- if (ilm->ilm_refcnt > 0)
- return (ilm_update_del(ilm, B_FALSE));
-
- if (group == INADDR_ANY) {
- ilm_delete(ilm);
- /*
- * Check how many ipif's that have members in this group -
- * if there are still some left then don't tell the driver
- * to drop it.
- */
- if (ilm_numentries_v6(ill, &v6group) != 0)
- return (0);
-
- /* If we never joined, then don't leave. */
- if (ill->ill_join_allmulti)
- ill_leave_allmulti(ill);
-
- return (0);
- }
-
- if (!IS_LOOPBACK(ill))
- igmp_leavegroup(ilm);
-
- ilm_delete(ilm);
- /*
- * Check how many ipif's that have members in this group -
- * if there are still some left then don't tell the driver
- * to drop it.
- */
- if (ilm_numentries_v6(ill, &v6group) != 0)
- return (0);
- return (ip_ll_delmulti_v6(ipif, &v6group));
+ /* Acquire serializer to keep assert in ilm_bld_flists happy */
+ mutex_enter(&ill->ill_mcast_serializer);
+ error = ip_delmulti_serial(ilm, B_TRUE, B_TRUE);
+ mutex_exit(&ill->ill_mcast_serializer);
+ return (error);
}
+
/*
- * The unspecified address means all multicast addresses.
+ * Delete the ilm.
+ * Assumes ill_multi_serializer is held by the caller.
*/
-int
-ip_delmulti_v6(const in6_addr_t *v6group, ill_t *ill, zoneid_t zoneid,
- boolean_t no_ilg, boolean_t leaving)
+static int
+ip_delmulti_serial(ilm_t *ilm, boolean_t no_ilg, boolean_t leaving)
{
- ipif_t *ipif;
- ilm_t *ilm;
+ ill_t *ill = ilm->ilm_ill;
+ int ret;
- ASSERT(IAM_WRITER_ILL(ill));
+ ASSERT(MUTEX_HELD(&ill->ill_mcast_serializer));
+ ASSERT(!(IS_UNDER_IPMP(ill)));
- if (!IN6_IS_ADDR_MULTICAST(v6group) &&
- !IN6_IS_ADDR_UNSPECIFIED(v6group))
- return (EINVAL);
+ rw_enter(&ill->ill_mcast_lock, RW_WRITER);
+ ret = ip_delmulti_impl(ilm, no_ilg, leaving);
+ rw_exit(&ill->ill_mcast_lock);
+ /* Send any deferred/queued DLPI or IP packets */
+ ill_mcast_send_queued(ill);
+ ill_dlpi_send_queued(ill);
+ ill_mcast_timer_start(ill->ill_ipst);
- /*
- * Look for a match on the ill.
- */
- ilm = ilm_lookup_ill_v6(ill, v6group, B_TRUE, zoneid);
- if (ilm == NULL)
- return (ENOENT);
+ return (ret);
+}
- ASSERT(ilm->ilm_ill == ill);
+static int
+ip_delmulti_impl(ilm_t *ilm, boolean_t no_ilg, boolean_t leaving)
+{
+ ill_t *ill = ilm->ilm_ill;
+ int error;
+ in6_addr_t v6group;
- ipif = ill->ill_ipif;
+ ASSERT(RW_WRITE_HELD(&ill->ill_mcast_lock));
/* Update counters */
if (no_ilg)
@@ -907,150 +865,90 @@ ip_delmulti_v6(const in6_addr_t *v6group, ill_t *ill, zoneid_t zoneid,
ilm->ilm_refcnt--;
if (ilm->ilm_refcnt > 0)
- return (ilm_update_del(ilm, B_TRUE));
+ return (ilm_update_del(ilm));
- if (IN6_IS_ADDR_UNSPECIFIED(v6group)) {
+ v6group = ilm->ilm_v6addr;
+
+ if (IN6_IS_ADDR_UNSPECIFIED(&ilm->ilm_v6addr)) {
ilm_delete(ilm);
/*
- * Check how many ipif's that have members in this group -
- * if there are still some left then don't tell the driver
- * to drop it.
+ * If we have some left then one we should not tell the driver
+ * to leave.
*/
- if (ilm_numentries_v6(ill, v6group) != 0)
+ if (ilm_numentries(ill, &v6group) != 0)
return (0);
- /* If we never joined, then don't leave. */
- if (ill->ill_join_allmulti)
- ill_leave_allmulti(ill);
+ ill_leave_allmulti(ill);
return (0);
}
- if (!IS_LOOPBACK(ill))
- mld_leavegroup(ilm);
+ if (!IS_LOOPBACK(ill)) {
+ if (ill->ill_isv6)
+ mld_leavegroup(ilm);
+ else
+ igmp_leavegroup(ilm);
+ }
ilm_delete(ilm);
/*
- * Check how many ipif's that have members in this group -
- * if there are still some left then don't tell the driver
- * to drop it.
+ * If we have some left then one we should not tell the driver
+ * to leave.
*/
- if (ilm_numentries_v6(ill, v6group) != 0)
+ if (ilm_numentries(ill, &v6group) != 0)
return (0);
- return (ip_ll_delmulti_v6(ipif, v6group));
-}
-/*
- * Send a multicast request to the driver for disabling multicast reception
- * for v6groupp address. The caller has already checked whether it is
- * appropriate to send one or not.
- */
-int
-ip_ll_send_disabmulti_req(ill_t *ill, const in6_addr_t *v6groupp)
-{
- mblk_t *mp;
- char group_buf[INET6_ADDRSTRLEN];
- uint32_t addrlen, addroff;
+ error = ip_ll_multireq(ill, &v6group, DL_DISABMULTI_REQ);
+ /* We ignore the case when ill_dl_up is not set */
+ if (error == ENETDOWN) {
+ char buf[INET6_ADDRSTRLEN];
- ASSERT(IAM_WRITER_ILL(ill));
-
- /*
- * See comment in ip_ll_send_enabmulti_req().
- */
- if (IS_IPMP(ill) && (ill = ipmp_illgrp_cast_ill(ill->ill_grp)) == NULL)
- return (0);
-
- /*
- * Create a DL_DISABMULTI_REQ.
- */
- mp = ill_create_dl(ill, DL_DISABMULTI_REQ,
- sizeof (dl_disabmulti_req_t), &addrlen, &addroff);
- if (!mp)
- return (ENOMEM);
-
- if (IN6_IS_ADDR_V4MAPPED(v6groupp)) {
- ipaddr_t v4group;
-
- IN6_V4MAPPED_TO_IPADDR(v6groupp, v4group);
-
- ill_multicast_mapping(ill, v4group,
- mp->b_rptr + addroff, addrlen);
-
- ip1dbg(("ip_ll_send_disabmulti_req: IPv4 %s on %s\n",
- inet_ntop(AF_INET6, v6groupp, group_buf,
- sizeof (group_buf)),
+ ip0dbg(("ip_delmulti: ENETDOWN for %s on %s",
+ inet_ntop(AF_INET6, &v6group, buf, sizeof (buf)),
ill->ill_name));
- ill_dlpi_send(ill, mp);
- } else {
- ip1dbg(("ip_ll_send_disabmulti_req: IPv6 ndp_mcastreq %s on"
- " %s\n",
- inet_ntop(AF_INET6, v6groupp, group_buf,
- sizeof (group_buf)),
- ill->ill_name));
- return (ndp_mcastreq(ill, v6groupp, addrlen, addroff, mp));
- }
- return (0);
-}
-
-/*
- * Send a multicast request to the driver for disabling multicast
- * membership for v6group if appropriate.
- */
-static int
-ip_ll_delmulti_v6(ipif_t *ipif, const in6_addr_t *v6group)
-{
- ill_t *ill = ipif->ipif_ill;
-
- ASSERT(IAM_WRITER_IPIF(ipif));
-
- if (ill->ill_net_type != IRE_IF_RESOLVER ||
- ipif->ipif_flags & IPIF_POINTOPOINT) {
- return (0); /* Must be IRE_IF_NORESOLVER */
- }
- if (ill->ill_phyint->phyint_flags & PHYI_MULTI_BCAST) {
- ip1dbg(("ip_ll_delmulti_v6: MULTI_BCAST\n"));
- return (0);
}
- if (!ill->ill_dl_up) {
- /*
- * Nobody there. All multicast addresses will be re-joined
- * when we get the DL_BIND_ACK bringing the interface up.
- */
- ip1dbg(("ip_ll_delmulti_v6: nobody up\n"));
- return (0);
- }
- return (ip_ll_send_disabmulti_req(ill, v6group));
+ return (error);
}
/*
- * Make the driver pass up all multicast packets. NOTE: to keep callers
- * IPMP-unaware, if an IPMP ill is passed in, the ill_join_allmulti flag is
- * set on it (rather than the cast ill).
+ * Make the driver pass up all multicast packets.
*/
int
ill_join_allmulti(ill_t *ill)
{
- mblk_t *promiscon_mp, *promiscoff_mp;
+ mblk_t *promiscon_mp, *promiscoff_mp = NULL;
uint32_t addrlen, addroff;
- ill_t *join_ill = ill;
+ ill_t *release_ill = NULL;
- ASSERT(IAM_WRITER_ILL(ill));
+ ASSERT(RW_WRITE_HELD(&ill->ill_mcast_lock));
if (!ill->ill_dl_up) {
/*
* Nobody there. All multicast addresses will be re-joined
* when we get the DL_BIND_ACK bringing the interface up.
*/
- return (0);
+ return (ENETDOWN);
}
- /*
- * See comment in ip_ll_send_enabmulti_req().
- */
- if (IS_IPMP(ill) && (ill = ipmp_illgrp_cast_ill(ill->ill_grp)) == NULL)
- return (0);
-
- ASSERT(!join_ill->ill_join_allmulti);
+ if (IS_IPMP(ill)) {
+ /* On the upper IPMP ill. */
+ release_ill = ipmp_illgrp_hold_cast_ill(ill->ill_grp);
+ if (release_ill == NULL) {
+ /*
+ * Avoid sending it down to the ipmpstub.
+ * We will be called again once the members of the
+ * group are in place
+ */
+ ip1dbg(("ill_join_allmulti: no cast_ill for %s %d\n",
+ ill->ill_name, ill->ill_isv6));
+ return (0);
+ }
+ ill = release_ill;
+ if (!ill->ill_dl_up) {
+ ill_refrele(ill);
+ return (ENETDOWN);
+ }
+ }
/*
* Create a DL_PROMISCON_REQ message and send it directly to the DLPI
@@ -1062,19 +960,24 @@ ill_join_allmulti(ill_t *ill)
if ((ill->ill_net_type == IRE_IF_RESOLVER) &&
!(ill->ill_phyint->phyint_flags & PHYI_MULTI_BCAST)) {
promiscon_mp = ill_create_dl(ill, DL_PROMISCON_REQ,
- sizeof (dl_promiscon_req_t), &addrlen, &addroff);
- promiscoff_mp = ill_create_dl(ill, DL_PROMISCOFF_REQ,
- sizeof (dl_promiscoff_req_t), &addrlen, &addroff);
- if (promiscon_mp == NULL || promiscoff_mp == NULL) {
+ &addrlen, &addroff);
+ if (ill->ill_promiscoff_mp == NULL)
+ promiscoff_mp = ill_create_dl(ill, DL_PROMISCOFF_REQ,
+ &addrlen, &addroff);
+ if (promiscon_mp == NULL ||
+ (ill->ill_promiscoff_mp == NULL && promiscoff_mp == NULL)) {
freemsg(promiscon_mp);
freemsg(promiscoff_mp);
+ if (release_ill != NULL)
+ ill_refrele(release_ill);
return (ENOMEM);
}
- ill->ill_promiscoff_mp = promiscoff_mp;
- ill_dlpi_send(ill, promiscon_mp);
+ if (ill->ill_promiscoff_mp == NULL)
+ ill->ill_promiscoff_mp = promiscoff_mp;
+ ill_dlpi_queue(ill, promiscon_mp);
}
-
- join_ill->ill_join_allmulti = B_TRUE;
+ if (release_ill != NULL)
+ ill_refrele(release_ill);
return (0);
}
@@ -1085,9 +988,9 @@ void
ill_leave_allmulti(ill_t *ill)
{
mblk_t *promiscoff_mp;
- ill_t *leave_ill = ill;
+ ill_t *release_ill = NULL;
- ASSERT(IAM_WRITER_ILL(ill));
+ ASSERT(RW_WRITE_HELD(&ill->ill_mcast_lock));
if (!ill->ill_dl_up) {
/*
@@ -1097,105 +1000,130 @@ ill_leave_allmulti(ill_t *ill)
return;
}
- /*
- * See comment in ip_ll_send_enabmulti_req().
- */
- if (IS_IPMP(ill) && (ill = ipmp_illgrp_cast_ill(ill->ill_grp)) == NULL)
- return;
-
- ASSERT(leave_ill->ill_join_allmulti);
+ if (IS_IPMP(ill)) {
+ /* On the upper IPMP ill. */
+ release_ill = ipmp_illgrp_hold_cast_ill(ill->ill_grp);
+ if (release_ill == NULL) {
+ /*
+ * Avoid sending it down to the ipmpstub.
+ * We will be called again once the members of the
+ * group are in place
+ */
+ ip1dbg(("ill_leave_allmulti: no cast_ill on %s %d\n",
+ ill->ill_name, ill->ill_isv6));
+ return;
+ }
+ ill = release_ill;
+ if (!ill->ill_dl_up)
+ goto done;
+ }
/*
- * Create a DL_PROMISCOFF_REQ message and send it directly to
- * the DLPI provider. We don't need to do this for certain
- * media types for which we never need to turn promiscuous
- * mode on.
+ * In the case of IPMP and ill_dl_up not being set when we joined
+ * we didn't allocate a promiscoff_mp. In that case we have
+ * nothing to do when we leave.
+ * Ditto for PHYI_MULTI_BCAST
*/
- if ((ill->ill_net_type == IRE_IF_RESOLVER) &&
- !(ill->ill_phyint->phyint_flags & PHYI_MULTI_BCAST)) {
- promiscoff_mp = ill->ill_promiscoff_mp;
- ASSERT(promiscoff_mp != NULL);
+ promiscoff_mp = ill->ill_promiscoff_mp;
+ if (promiscoff_mp != NULL) {
ill->ill_promiscoff_mp = NULL;
- ill_dlpi_send(ill, promiscoff_mp);
- }
-
- leave_ill->ill_join_allmulti = B_FALSE;
-}
-
-static ill_t *
-ipsq_enter_byifindex(uint_t ifindex, boolean_t isv6, ip_stack_t *ipst)
-{
- ill_t *ill;
- boolean_t in_ipsq;
-
- ill = ill_lookup_on_ifindex(ifindex, isv6, NULL, NULL, NULL, NULL,
- ipst);
- if (ill != NULL) {
- if (!ill_waiter_inc(ill)) {
- ill_refrele(ill);
- return (NULL);
- }
- ill_refrele(ill);
- in_ipsq = ipsq_enter(ill, B_FALSE, NEW_OP);
- ill_waiter_dcr(ill);
- if (!in_ipsq)
- ill = NULL;
+ ill_dlpi_queue(ill, promiscoff_mp);
}
- return (ill);
+done:
+ if (release_ill != NULL)
+ ill_refrele(release_ill);
}
int
ip_join_allmulti(uint_t ifindex, boolean_t isv6, ip_stack_t *ipst)
{
ill_t *ill;
- int ret = 0;
+ int ret;
+ ilm_t *ilm;
- if ((ill = ipsq_enter_byifindex(ifindex, isv6, ipst)) == NULL)
+ ill = ill_lookup_on_ifindex(ifindex, isv6, ipst);
+ if (ill == NULL)
return (ENODEV);
/*
- * The ip_addmulti*() functions won't allow IPMP underlying interfaces
+ * The ip_addmulti() function doesn't allow IPMP underlying interfaces
* to join allmulti since only the nominated underlying interface in
* the group should receive multicast. We silently succeed to avoid
* having to teach IPobs (currently the only caller of this routine)
* to ignore failures in this case.
*/
- if (IS_UNDER_IPMP(ill))
- goto out;
+ if (IS_UNDER_IPMP(ill)) {
+ ill_refrele(ill);
+ return (0);
+ }
+ mutex_enter(&ill->ill_lock);
+ if (ill->ill_ipallmulti_cnt > 0) {
+ /* Already joined */
+ ASSERT(ill->ill_ipallmulti_ilm != NULL);
+ ill->ill_ipallmulti_cnt++;
+ mutex_exit(&ill->ill_lock);
+ goto done;
+ }
+ mutex_exit(&ill->ill_lock);
- if (isv6) {
- ret = ip_addmulti_v6(&ipv6_all_zeros, ill, ill->ill_zoneid,
- ILGSTAT_NONE, MODE_IS_EXCLUDE, NULL);
- } else {
- ret = ip_addmulti(INADDR_ANY, ill->ill_ipif, ILGSTAT_NONE,
- MODE_IS_EXCLUDE, NULL);
+ ilm = ip_addmulti(&ipv6_all_zeros, ill, ill->ill_zoneid, &ret);
+ if (ilm == NULL) {
+ ASSERT(ret != 0);
+ ill_refrele(ill);
+ return (ret);
}
+
+ mutex_enter(&ill->ill_lock);
+ if (ill->ill_ipallmulti_cnt > 0) {
+ /* Another thread added it concurrently */
+ (void) ip_delmulti(ilm);
+ mutex_exit(&ill->ill_lock);
+ goto done;
+ }
+ ASSERT(ill->ill_ipallmulti_ilm == NULL);
+ ill->ill_ipallmulti_ilm = ilm;
ill->ill_ipallmulti_cnt++;
-out:
- ipsq_exit(ill->ill_phyint->phyint_ipsq);
- return (ret);
+ mutex_exit(&ill->ill_lock);
+done:
+ ill_refrele(ill);
+ return (0);
}
-
int
ip_leave_allmulti(uint_t ifindex, boolean_t isv6, ip_stack_t *ipst)
{
ill_t *ill;
+ ilm_t *ilm;
- if ((ill = ipsq_enter_byifindex(ifindex, isv6, ipst)) == NULL)
+ ill = ill_lookup_on_ifindex(ifindex, isv6, ipst);
+ if (ill == NULL)
return (ENODEV);
- if (ill->ill_ipallmulti_cnt > 0) {
- if (isv6) {
- (void) ip_delmulti_v6(&ipv6_all_zeros, ill,
- ill->ill_zoneid, B_TRUE, B_TRUE);
- } else {
- (void) ip_delmulti(INADDR_ANY, ill->ill_ipif, B_TRUE,
- B_TRUE);
- }
- ill->ill_ipallmulti_cnt--;
+ if (IS_UNDER_IPMP(ill)) {
+ ill_refrele(ill);
+ return (0);
+ }
+
+ mutex_enter(&ill->ill_lock);
+ if (ill->ill_ipallmulti_cnt == 0) {
+ /* ip_purge_allmulti could have removed them all */
+ mutex_exit(&ill->ill_lock);
+ goto done;
+ }
+ ill->ill_ipallmulti_cnt--;
+ if (ill->ill_ipallmulti_cnt == 0) {
+ /* Last one */
+ ilm = ill->ill_ipallmulti_ilm;
+ ill->ill_ipallmulti_ilm = NULL;
+ } else {
+ ilm = NULL;
}
- ipsq_exit(ill->ill_phyint->phyint_ipsq);
+ mutex_exit(&ill->ill_lock);
+ if (ilm != NULL)
+ (void) ip_delmulti(ilm);
+
+done:
+ ill_refrele(ill);
return (0);
}
@@ -1206,108 +1134,34 @@ ip_leave_allmulti(uint_t ifindex, boolean_t isv6, ip_stack_t *ipst)
void
ip_purge_allmulti(ill_t *ill)
{
- ASSERT(IAM_WRITER_ILL(ill));
-
- for (; ill->ill_ipallmulti_cnt > 0; ill->ill_ipallmulti_cnt--) {
- if (ill->ill_isv6) {
- (void) ip_delmulti_v6(&ipv6_all_zeros, ill,
- ill->ill_zoneid, B_TRUE, B_TRUE);
- } else {
- (void) ip_delmulti(INADDR_ANY, ill->ill_ipif, B_TRUE,
- B_TRUE);
- }
- }
-}
-
-/*
- * Copy mp_orig and pass it in as a local message.
- */
-void
-ip_multicast_loopback(queue_t *q, ill_t *ill, mblk_t *mp_orig, int fanout_flags,
- zoneid_t zoneid)
-{
- mblk_t *mp;
- mblk_t *ipsec_mp;
- ipha_t *iph;
- ip_stack_t *ipst = ill->ill_ipst;
-
- if (DB_TYPE(mp_orig) == M_DATA &&
- ((ipha_t *)mp_orig->b_rptr)->ipha_protocol == IPPROTO_UDP) {
- uint_t hdrsz;
-
- hdrsz = IPH_HDR_LENGTH((ipha_t *)mp_orig->b_rptr) +
- sizeof (udpha_t);
- ASSERT(MBLKL(mp_orig) >= hdrsz);
-
- if (((mp = allocb(hdrsz, BPRI_MED)) != NULL) &&
- (mp_orig = dupmsg(mp_orig)) != NULL) {
- cred_t *cr;
-
- bcopy(mp_orig->b_rptr, mp->b_rptr, hdrsz);
- mp->b_wptr += hdrsz;
- mp->b_cont = mp_orig;
- mp_orig->b_rptr += hdrsz;
- if (is_system_labeled() &&
- (cr = msg_getcred(mp_orig, NULL)) != NULL)
- mblk_setcred(mp, cr, NOPID);
- if (MBLKL(mp_orig) == 0) {
- mp->b_cont = mp_orig->b_cont;
- mp_orig->b_cont = NULL;
- freeb(mp_orig);
- }
- } else if (mp != NULL) {
- freeb(mp);
- mp = NULL;
- }
- } else {
- mp = ip_copymsg(mp_orig); /* No refcnt on ipsec_out netstack */
- }
-
- if (mp == NULL)
- return;
- if (DB_TYPE(mp) == M_CTL) {
- ipsec_mp = mp;
- mp = mp->b_cont;
- } else {
- ipsec_mp = mp;
- }
-
- iph = (ipha_t *)mp->b_rptr;
-
- /*
- * DTrace this as ip:::send. A blocked packet will fire the send
- * probe, but not the receive probe.
- */
- DTRACE_IP7(send, mblk_t *, ipsec_mp, conn_t *, NULL, void_ip_t *, iph,
- __dtrace_ipsr_ill_t *, ill, ipha_t *, iph, ip6_t *, NULL, int, 1);
-
- DTRACE_PROBE4(ip4__loopback__out__start,
- ill_t *, NULL, ill_t *, ill,
- ipha_t *, iph, mblk_t *, ipsec_mp);
+ ilm_t *ilm;
- FW_HOOKS(ipst->ips_ip4_loopback_out_event,
- ipst->ips_ipv4firewall_loopback_out,
- NULL, ill, iph, ipsec_mp, mp, HPE_MULTICAST, ipst);
+ ASSERT(IAM_WRITER_ILL(ill));
- DTRACE_PROBE1(ip4__loopback__out__end, mblk_t *, ipsec_mp);
+ mutex_enter(&ill->ill_lock);
+ ilm = ill->ill_ipallmulti_ilm;
+ ill->ill_ipallmulti_ilm = NULL;
+ ill->ill_ipallmulti_cnt = 0;
+ mutex_exit(&ill->ill_lock);
- if (ipsec_mp != NULL)
- ip_wput_local(q, ill, iph, ipsec_mp, NULL,
- fanout_flags, zoneid);
+ if (ilm != NULL)
+ (void) ip_delmulti(ilm);
}
/*
- * Create a DLPI message; for DL_{ENAB,DISAB}MULTI_REQ, room is left for
- * the hardware address.
+ * Create a dlpi message with room for phys+sap. Later
+ * we will strip the sap for those primitives which
+ * only need a physical address.
*/
static mblk_t *
-ill_create_dl(ill_t *ill, uint32_t dl_primitive, uint32_t length,
+ill_create_dl(ill_t *ill, uint32_t dl_primitive,
uint32_t *addr_lenp, uint32_t *addr_offp)
{
mblk_t *mp;
uint32_t hw_addr_length;
char *cp;
uint32_t offset;
+ uint32_t length;
uint32_t size;
*addr_lenp = *addr_offp = 0;
@@ -1318,14 +1172,18 @@ ill_create_dl(ill_t *ill, uint32_t dl_primitive, uint32_t length,
return (NULL);
}
- size = length;
switch (dl_primitive) {
case DL_ENABMULTI_REQ:
+ length = sizeof (dl_enabmulti_req_t);
+ size = length + hw_addr_length;
+ break;
case DL_DISABMULTI_REQ:
- size += hw_addr_length;
+ length = sizeof (dl_disabmulti_req_t);
+ size = length + hw_addr_length;
break;
case DL_PROMISCON_REQ:
case DL_PROMISCOFF_REQ:
+ size = length = sizeof (dl_promiscon_req_t);
break;
default:
return (NULL);
@@ -1373,33 +1231,29 @@ ill_create_dl(ill_t *ill, uint32_t dl_primitive, uint32_t length,
}
/*
- * Rejoin any groups which have been explicitly joined by the application (we
- * left all explicitly joined groups as part of ill_leave_multicast() prior to
- * bringing the interface down). Note that because groups can be joined and
- * left while an interface is down, this may not be the same set of groups
- * that we left in ill_leave_multicast().
+ * Rejoin any groups for which we have ilms.
+ *
+ * This is only needed for IPMP when the cast_ill changes since that
+ * change is invisible to the ilm. Other interface changes are handled
+ * by conn_update_ill.
*/
void
ill_recover_multicast(ill_t *ill)
{
ilm_t *ilm;
- ipif_t *ipif = ill->ill_ipif;
char addrbuf[INET6_ADDRSTRLEN];
- ASSERT(IAM_WRITER_ILL(ill));
-
ill->ill_need_recover_multicast = 0;
- ill_ilm_walker_hold(ill);
+ rw_enter(&ill->ill_mcast_lock, RW_WRITER);
for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
/*
- * Check how many ipif's that have members in this group -
- * if more then one we make sure that this entry is first
- * in the list.
+ * If we have more then one ilm for the group (e.g., with
+ * different zoneid) then we should not tell the driver
+ * to join unless this is the first ilm for the group.
*/
- if (ilm_numentries_v6(ill, &ilm->ilm_v6addr) > 1 &&
- ilm_lookup_ill_v6(ill, &ilm->ilm_v6addr, B_TRUE,
- ALL_ZONES) != ilm) {
+ if (ilm_numentries(ill, &ilm->ilm_v6addr) > 1 &&
+ ilm_lookup(ill, &ilm->ilm_v6addr, ALL_ZONES) != ilm) {
continue;
}
@@ -1414,38 +1268,42 @@ ill_recover_multicast(ill_t *ill)
else
igmp_joingroup(ilm);
- (void) ip_ll_addmulti_v6(ipif, &ilm->ilm_v6addr);
+ (void) ip_ll_multireq(ill, &ilm->ilm_v6addr,
+ DL_ENABMULTI_REQ);
}
}
- ill_ilm_walker_rele(ill);
-
+ rw_exit(&ill->ill_mcast_lock);
+ /* Send any deferred/queued DLPI or IP packets */
+ ill_mcast_send_queued(ill);
+ ill_dlpi_send_queued(ill);
+ ill_mcast_timer_start(ill->ill_ipst);
}
/*
* The opposite of ill_recover_multicast() -- leaves all multicast groups
* that were explicitly joined.
+ *
+ * This is only needed for IPMP when the cast_ill changes since that
+ * change is invisible to the ilm. Other interface changes are handled
+ * by conn_update_ill.
*/
void
ill_leave_multicast(ill_t *ill)
{
ilm_t *ilm;
- ipif_t *ipif = ill->ill_ipif;
char addrbuf[INET6_ADDRSTRLEN];
- ASSERT(IAM_WRITER_ILL(ill));
-
ill->ill_need_recover_multicast = 1;
- ill_ilm_walker_hold(ill);
+ rw_enter(&ill->ill_mcast_lock, RW_WRITER);
for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
/*
- * Check how many ipif's that have members in this group -
- * if more then one we make sure that this entry is first
- * in the list.
+ * If we have more then one ilm for the group (e.g., with
+ * different zoneid) then we should not tell the driver
+ * to leave unless this is the first ilm for the group.
*/
- if (ilm_numentries_v6(ill, &ilm->ilm_v6addr) > 1 &&
- ilm_lookup_ill_v6(ill, &ilm->ilm_v6addr, B_TRUE,
- ALL_ZONES) != ilm) {
+ if (ilm_numentries(ill, &ilm->ilm_v6addr) > 1 &&
+ ilm_lookup(ill, &ilm->ilm_v6addr, ALL_ZONES) != ilm) {
continue;
}
@@ -1460,126 +1318,186 @@ ill_leave_multicast(ill_t *ill)
else
igmp_leavegroup(ilm);
- (void) ip_ll_delmulti_v6(ipif, &ilm->ilm_v6addr);
+ (void) ip_ll_multireq(ill, &ilm->ilm_v6addr,
+ DL_DISABMULTI_REQ);
}
}
- ill_ilm_walker_rele(ill);
+ rw_exit(&ill->ill_mcast_lock);
+ /* Send any deferred/queued DLPI or IP packets */
+ ill_mcast_send_queued(ill);
+ ill_dlpi_send_queued(ill);
+ ill_mcast_timer_start(ill->ill_ipst);
}
-/* Find an ilm for matching the ill */
-ilm_t *
-ilm_lookup_ill(ill_t *ill, ipaddr_t group, zoneid_t zoneid)
+/*
+ * Interface used by IP input/output.
+ * Returns true if there is a member on the ill for any zoneid.
+ */
+boolean_t
+ill_hasmembers_v6(ill_t *ill, const in6_addr_t *v6group)
+{
+ ilm_t *ilm;
+
+ rw_enter(&ill->ill_mcast_lock, RW_READER);
+ ilm = ilm_lookup(ill, v6group, ALL_ZONES);
+ rw_exit(&ill->ill_mcast_lock);
+ return (ilm != NULL);
+}
+
+/*
+ * Interface used by IP input/output.
+ * Returns true if there is a member on the ill for any zoneid.
+ *
+ * The group and source can't be INADDR_ANY here so no need to translate to
+ * the unspecified IPv6 address.
+ */
+boolean_t
+ill_hasmembers_v4(ill_t *ill, ipaddr_t group)
{
in6_addr_t v6group;
- /*
- * INADDR_ANY is represented as the IPv6 unspecified addr.
- */
- if (group == INADDR_ANY)
- v6group = ipv6_all_zeros;
- else
- IN6_IPADDR_TO_V4MAPPED(group, &v6group);
+ IN6_IPADDR_TO_V4MAPPED(group, &v6group);
+ return (ill_hasmembers_v6(ill, &v6group));
+}
+
+/*
+ * Interface used by IP input/output.
+ * Returns true if there is a member on the ill for any zoneid except skipzone.
+ */
+boolean_t
+ill_hasmembers_otherzones_v6(ill_t *ill, const in6_addr_t *v6group,
+ zoneid_t skipzone)
+{
+ ilm_t *ilm;
- return (ilm_lookup_ill_v6(ill, &v6group, B_TRUE, zoneid));
+ rw_enter(&ill->ill_mcast_lock, RW_READER);
+ for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
+ if (IN6_ARE_ADDR_EQUAL(&ilm->ilm_v6addr, v6group) &&
+ ilm->ilm_zoneid != skipzone) {
+ rw_exit(&ill->ill_mcast_lock);
+ return (B_TRUE);
+ }
+ }
+ rw_exit(&ill->ill_mcast_lock);
+ return (B_FALSE);
}
/*
- * Find an ilm for address `v6group' on `ill' and zone `zoneid' (which may be
- * ALL_ZONES). In general, if `ill' is in an IPMP group, we will match
- * against any ill in the group. However, if `restrict_solicited' is set,
- * then specifically for IPv6 solicited-node multicast, the match will be
- * restricted to the specified `ill'.
+ * Interface used by IP input/output.
+ * Returns true if there is a member on the ill for any zoneid except skipzone.
+ *
+ * The group and source can't be INADDR_ANY here so no need to translate to
+ * the unspecified IPv6 address.
*/
-ilm_t *
-ilm_lookup_ill_v6(ill_t *ill, const in6_addr_t *v6group,
- boolean_t restrict_solicited, zoneid_t zoneid)
+boolean_t
+ill_hasmembers_otherzones_v4(ill_t *ill, ipaddr_t group, zoneid_t skipzone)
{
- ilm_t *ilm;
- ilm_walker_t ilw;
- boolean_t restrict_ill = B_FALSE;
+ in6_addr_t v6group;
- /*
- * In general, underlying interfaces cannot have multicast memberships
- * and thus lookups always match across the illgrp. However, we must
- * allow IPv6 solicited-node multicast memberships on underlying
- * interfaces, and thus an IPMP meta-interface and one of its
- * underlying ills may have the same solicited-node multicast address.
- * In that case, we need to restrict the lookup to the requested ill.
- * However, we may receive packets on an underlying interface that
- * are for the corresponding IPMP interface's solicited-node multicast
- * address, and thus in that case we need to match across the group --
- * hence the unfortunate `restrict_solicited' argument.
- */
- if (IN6_IS_ADDR_MC_SOLICITEDNODE(v6group) && restrict_solicited)
- restrict_ill = (IS_IPMP(ill) || IS_UNDER_IPMP(ill));
+ IN6_IPADDR_TO_V4MAPPED(group, &v6group);
+ return (ill_hasmembers_otherzones_v6(ill, &v6group, skipzone));
+}
- ilm = ilm_walker_start(&ilw, ill);
- for (; ilm != NULL; ilm = ilm_walker_step(&ilw, ilm)) {
- if (!IN6_ARE_ADDR_EQUAL(&ilm->ilm_v6addr, v6group))
- continue;
- if (zoneid != ALL_ZONES && zoneid != ilm->ilm_zoneid)
- continue;
- if (!restrict_ill || ill == (ill->ill_isv6 ?
- ilm->ilm_ill : ilm->ilm_ipif->ipif_ill)) {
- break;
+/*
+ * Interface used by IP input.
+ * Returns the next numerically larger zoneid that has a member. If none exist
+ * then returns -1 (ALL_ZONES).
+ * The normal usage is for the caller to start with a -1 zoneid (ALL_ZONES)
+ * to find the first zoneid which has a member, and then pass that in for
+ * subsequent calls until ALL_ZONES is returned.
+ *
+ * The implementation of ill_hasmembers_nextzone() assumes the ilms
+ * are sorted by zoneid for efficiency.
+ */
+zoneid_t
+ill_hasmembers_nextzone_v6(ill_t *ill, const in6_addr_t *v6group,
+ zoneid_t zoneid)
+{
+ ilm_t *ilm;
+
+ rw_enter(&ill->ill_mcast_lock, RW_READER);
+ for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
+ if (IN6_ARE_ADDR_EQUAL(&ilm->ilm_v6addr, v6group) &&
+ ilm->ilm_zoneid > zoneid) {
+ zoneid = ilm->ilm_zoneid;
+ rw_exit(&ill->ill_mcast_lock);
+ return (zoneid);
}
}
- ilm_walker_finish(&ilw);
- return (ilm);
+ rw_exit(&ill->ill_mcast_lock);
+ return (ALL_ZONES);
}
/*
- * Find an ilm for the ipif. Only needed for IPv4 which does
- * ipif specific socket options.
+ * Interface used by IP input.
+ * Returns the next numerically larger zoneid that has a member. If none exist
+ * then returns -1 (ALL_ZONES).
+ *
+ * The group and source can't be INADDR_ANY here so no need to translate to
+ * the unspecified IPv6 address.
*/
-ilm_t *
-ilm_lookup_ipif(ipif_t *ipif, ipaddr_t group)
+zoneid_t
+ill_hasmembers_nextzone_v4(ill_t *ill, ipaddr_t group, zoneid_t zoneid)
{
- ilm_t *ilm;
- ilm_walker_t ilw;
+ in6_addr_t v6group;
- ilm = ilm_walker_start(&ilw, ipif->ipif_ill);
- for (; ilm != NULL; ilm = ilm_walker_step(&ilw, ilm)) {
- if (ilm->ilm_ipif == ipif && ilm->ilm_addr == group)
- break;
+ IN6_IPADDR_TO_V4MAPPED(group, &v6group);
+
+ return (ill_hasmembers_nextzone_v6(ill, &v6group, zoneid));
+}
+
+/*
+ * Find an ilm matching the ill, group, and zoneid.
+ */
+static ilm_t *
+ilm_lookup(ill_t *ill, const in6_addr_t *v6group, zoneid_t zoneid)
+{
+ ilm_t *ilm;
+
+ ASSERT(RW_LOCK_HELD(&ill->ill_mcast_lock));
+
+ for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
+ if (!IN6_ARE_ADDR_EQUAL(&ilm->ilm_v6addr, v6group))
+ continue;
+ if (zoneid != ALL_ZONES && zoneid != ilm->ilm_zoneid)
+ continue;
+
+ ASSERT(ilm->ilm_ill == ill);
+ return (ilm);
}
- ilm_walker_finish(&ilw);
- return (ilm);
+ return (NULL);
}
/*
* How many members on this ill?
+ * Since each shared-IP zone has a separate ilm for the same group/ill
+ * we can have several.
*/
-int
-ilm_numentries_v6(ill_t *ill, const in6_addr_t *v6group)
+static int
+ilm_numentries(ill_t *ill, const in6_addr_t *v6group)
{
ilm_t *ilm;
int i = 0;
- mutex_enter(&ill->ill_lock);
+ ASSERT(RW_LOCK_HELD(&ill->ill_mcast_lock));
for (ilm = ill->ill_ilm; ilm; ilm = ilm->ilm_next) {
- if (ilm->ilm_flags & ILM_DELETED)
- continue;
if (IN6_ARE_ADDR_EQUAL(&ilm->ilm_v6addr, v6group)) {
i++;
}
}
- mutex_exit(&ill->ill_lock);
return (i);
}
/* Caller guarantees that the group is not already on the list */
static ilm_t *
-ilm_add_v6(ipif_t *ipif, const in6_addr_t *v6group, ilg_stat_t ilgstat,
+ilm_add(ill_t *ill, const in6_addr_t *v6group, ilg_stat_t ilgstat,
mcast_record_t ilg_fmode, slist_t *ilg_flist, zoneid_t zoneid)
{
- ill_t *ill = ipif->ipif_ill;
ilm_t *ilm;
ilm_t *ilm_cur;
ilm_t **ilm_ptpn;
- ASSERT(IAM_WRITER_IPIF(ipif));
-
+ ASSERT(RW_WRITE_HELD(&ill->ill_mcast_lock));
ilm = GETSTRUCT(ilm_t, 1);
if (ilm == NULL)
return (NULL);
@@ -1596,44 +1514,23 @@ ilm_add_v6(ipif_t *ipif, const in6_addr_t *v6group, ilg_stat_t ilgstat,
ilm->ilm_timer = INFINITY;
ilm->ilm_rtx.rtx_timer = INFINITY;
- /*
- * IPv4 Multicast groups are joined using ipif.
- * IPv6 Multicast groups are joined using ill.
- */
- if (ill->ill_isv6) {
- ilm->ilm_ill = ill;
- ilm->ilm_ipif = NULL;
- DTRACE_PROBE3(ill__incr__cnt, (ill_t *), ill,
- (char *), "ilm", (void *), ilm);
- ill->ill_ilm_cnt++;
- } else {
- ASSERT(ilm->ilm_zoneid == ipif->ipif_zoneid);
- ilm->ilm_ipif = ipif;
- ilm->ilm_ill = NULL;
- DTRACE_PROBE3(ipif__incr__cnt, (ipif_t *), ipif,
- (char *), "ilm", (void *), ilm);
- ipif->ipif_ilm_cnt++;
- }
+ ilm->ilm_ill = ill;
+ DTRACE_PROBE3(ill__incr__cnt, (ill_t *), ill,
+ (char *), "ilm", (void *), ilm);
+ ill->ill_ilm_cnt++;
ASSERT(ill->ill_ipst);
ilm->ilm_ipst = ill->ill_ipst; /* No netstack_hold */
- ASSERT(!(ipif->ipif_state_flags & IPIF_CONDEMNED));
- ASSERT(!(ill->ill_state_flags & ILL_CONDEMNED));
+ /* The ill/ipif could have just been marked as condemned */
/*
- * Grab lock to give consistent view to readers
- */
- mutex_enter(&ill->ill_lock);
- /*
- * All ilms in the same zone are contiguous in the ill_ilm list.
- * The loops in ip_proto_input() and ip_wput_local() use this to avoid
- * sending duplicates up when two applications in the same zone join the
- * same group on different logical interfaces.
+ * To make ill_hasmembers_nextzone_v6 work we keep the list
+ * sorted by zoneid.
*/
ilm_cur = ill->ill_ilm;
ilm_ptpn = &ill->ill_ilm;
- while (ilm_cur != NULL && ilm_cur->ilm_zoneid != ilm->ilm_zoneid) {
+ while (ilm_cur != NULL && ilm_cur->ilm_zoneid < ilm->ilm_zoneid) {
ilm_ptpn = &ilm_cur->ilm_next;
ilm_cur = ilm_cur->ilm_next;
}
@@ -1653,7 +1550,6 @@ ilm_add_v6(ipif_t *ipif, const in6_addr_t *v6group, ilg_stat_t ilgstat,
ilm->ilm_fmode = MODE_IS_EXCLUDE;
}
- mutex_exit(&ill->ill_lock);
return (ilm);
}
@@ -1668,118 +1564,40 @@ ilm_inactive(ilm_t *ilm)
mi_free((char *)ilm);
}
-void
-ilm_walker_cleanup(ill_t *ill)
-{
- ilm_t **ilmp;
- ilm_t *ilm;
- boolean_t need_wakeup = B_FALSE;
-
- ASSERT(MUTEX_HELD(&ill->ill_lock));
- ASSERT(ill->ill_ilm_walker_cnt == 0);
-
- ilmp = &ill->ill_ilm;
- while (*ilmp != NULL) {
- if ((*ilmp)->ilm_flags & ILM_DELETED) {
- ilm = *ilmp;
- *ilmp = ilm->ilm_next;
- /*
- * check if there are any pending FREE or unplumb
- * operations that need to be restarted.
- */
- if (ilm->ilm_ipif != NULL) {
- /*
- * IPv4 ilms hold a ref on the ipif.
- */
- DTRACE_PROBE3(ipif__decr__cnt,
- (ipif_t *), ilm->ilm_ipif,
- (char *), "ilm", (void *), ilm);
- ilm->ilm_ipif->ipif_ilm_cnt--;
- if (IPIF_FREE_OK(ilm->ilm_ipif))
- need_wakeup = B_TRUE;
- } else {
- /*
- * IPv6 ilms hold a ref on the ill.
- */
- ASSERT(ilm->ilm_ill == ill);
- DTRACE_PROBE3(ill__decr__cnt,
- (ill_t *), ill,
- (char *), "ilm", (void *), ilm);
- ASSERT(ill->ill_ilm_cnt > 0);
- ill->ill_ilm_cnt--;
- if (ILL_FREE_OK(ill))
- need_wakeup = B_TRUE;
- }
- ilm_inactive(ilm); /* frees ilm */
- } else {
- ilmp = &(*ilmp)->ilm_next;
- }
- }
- ill->ill_ilm_cleanup_reqd = 0;
- if (need_wakeup)
- ipif_ill_refrele_tail(ill);
- else
- mutex_exit(&ill->ill_lock);
-}
-
/*
* Unlink ilm and free it.
*/
static void
ilm_delete(ilm_t *ilm)
{
- ill_t *ill;
+ ill_t *ill = ilm->ilm_ill;
ilm_t **ilmp;
boolean_t need_wakeup;
-
- if (ilm->ilm_ipif != NULL) {
- ASSERT(IAM_WRITER_IPIF(ilm->ilm_ipif));
- ASSERT(ilm->ilm_ill == NULL);
- ill = ilm->ilm_ipif->ipif_ill;
- ASSERT(!ill->ill_isv6);
- } else {
- ASSERT(IAM_WRITER_ILL(ilm->ilm_ill));
- ASSERT(ilm->ilm_ipif == NULL);
- ill = ilm->ilm_ill;
- ASSERT(ill->ill_isv6);
- }
/*
* Delete under lock protection so that readers don't stumble
* on bad ilm_next
*/
- mutex_enter(&ill->ill_lock);
- if (ill->ill_ilm_walker_cnt != 0) {
- ilm->ilm_flags |= ILM_DELETED;
- ill->ill_ilm_cleanup_reqd = 1;
- mutex_exit(&ill->ill_lock);
- return;
- }
+ ASSERT(RW_WRITE_HELD(&ill->ill_mcast_lock));
for (ilmp = &ill->ill_ilm; *ilmp != ilm; ilmp = &(*ilmp)->ilm_next)
- ;
+ ;
+
*ilmp = ilm->ilm_next;
+ mutex_enter(&ill->ill_lock);
/*
- * if we are the last reference to the ipif (for IPv4 ilms)
- * or the ill (for IPv6 ilms), we may need to wakeup any
- * pending FREE or unplumb operations.
+ * if we are the last reference to the ill, we may need to wakeup any
+ * pending FREE or unplumb operations. This is because conn_update_ill
+ * bails if there is a ilg_delete_all in progress.
*/
need_wakeup = B_FALSE;
- if (ilm->ilm_ipif != NULL) {
- DTRACE_PROBE3(ipif__decr__cnt, (ipif_t *), ilm->ilm_ipif,
- (char *), "ilm", (void *), ilm);
- ilm->ilm_ipif->ipif_ilm_cnt--;
- if (IPIF_FREE_OK(ilm->ilm_ipif))
- need_wakeup = B_TRUE;
- } else {
- DTRACE_PROBE3(ill__decr__cnt, (ill_t *), ill,
- (char *), "ilm", (void *), ilm);
- ASSERT(ill->ill_ilm_cnt > 0);
- ill->ill_ilm_cnt--;
- if (ILL_FREE_OK(ill))
- need_wakeup = B_TRUE;
- }
+ DTRACE_PROBE3(ill__decr__cnt, (ill_t *), ill,
+ (char *), "ilm", (void *), ilm);
+ ASSERT(ill->ill_ilm_cnt > 0);
+ ill->ill_ilm_cnt--;
+ if (ILL_FREE_OK(ill))
+ need_wakeup = B_TRUE;
ilm_inactive(ilm); /* frees this ilm */
@@ -1791,185 +1609,103 @@ ilm_delete(ilm_t *ilm)
}
}
-/* Increment the ILM walker count for `ill' */
-static void
-ill_ilm_walker_hold(ill_t *ill)
-{
- mutex_enter(&ill->ill_lock);
- ill->ill_ilm_walker_cnt++;
- mutex_exit(&ill->ill_lock);
-}
-
-/* Decrement the ILM walker count for `ill' */
-static void
-ill_ilm_walker_rele(ill_t *ill)
-{
- mutex_enter(&ill->ill_lock);
- ill->ill_ilm_walker_cnt--;
- if (ill->ill_ilm_walker_cnt == 0 && ill->ill_ilm_cleanup_reqd)
- ilm_walker_cleanup(ill); /* drops ill_lock */
- else
- mutex_exit(&ill->ill_lock);
-}
-
-/*
- * Start walking the ILMs associated with `ill'; the first ILM in the walk
- * (if any) is returned. State associated with the walk is stored in `ilw'.
- * Note that walks associated with interfaces under IPMP also walk the ILMs
- * on the associated IPMP interface; this is handled transparently to callers
- * via ilm_walker_step(). (Usually with IPMP all ILMs will be on the IPMP
- * interface; the only exception is to support IPv6 test addresses, which
- * require ILMs for their associated solicited-node multicast addresses.)
- */
-ilm_t *
-ilm_walker_start(ilm_walker_t *ilw, ill_t *ill)
-{
- ilw->ilw_ill = ill;
- if (IS_UNDER_IPMP(ill))
- ilw->ilw_ipmp_ill = ipmp_ill_hold_ipmp_ill(ill);
- else
- ilw->ilw_ipmp_ill = NULL;
-
- ill_ilm_walker_hold(ill);
- if (ilw->ilw_ipmp_ill != NULL)
- ill_ilm_walker_hold(ilw->ilw_ipmp_ill);
-
- if (ilw->ilw_ipmp_ill != NULL && ilw->ilw_ipmp_ill->ill_ilm != NULL)
- ilw->ilw_walk_ill = ilw->ilw_ipmp_ill;
- else
- ilw->ilw_walk_ill = ilw->ilw_ill;
-
- return (ilm_walker_step(ilw, NULL));
-}
-
/*
- * Helper function for ilm_walker_step() that returns the next ILM
- * associated with `ilw', regardless of whether it's deleted.
+ * Lookup an ill based on the group, ifindex, ifaddr, and zoneid.
+ * Applies to both IPv4 and IPv6, although ifaddr is only used with
+ * IPv4.
+ * Returns an error for IS_UNDER_IPMP and VNI interfaces.
+ * On error it sets *errorp.
*/
-static ilm_t *
-ilm_walker_step_all(ilm_walker_t *ilw, ilm_t *ilm)
+static ill_t *
+ill_mcast_lookup(const in6_addr_t *group, ipaddr_t ifaddr, uint_t ifindex,
+ zoneid_t zoneid, ip_stack_t *ipst, int *errorp)
{
- if (ilm == NULL)
- return (ilw->ilw_walk_ill->ill_ilm);
+ ill_t *ill;
+ ipaddr_t v4group;
- if (ilm->ilm_next != NULL)
- return (ilm->ilm_next);
+ if (IN6_IS_ADDR_V4MAPPED(group)) {
+ IN6_V4MAPPED_TO_IPADDR(group, v4group);
- if (ilw->ilw_ipmp_ill != NULL && IS_IPMP(ilw->ilw_walk_ill)) {
- ilw->ilw_walk_ill = ilw->ilw_ill;
- /*
- * It's possible that ilw_ill left the group during our walk,
- * so we can't ASSERT() that it's under IPMP. Callers that
- * care will be writer on the IPSQ anyway.
- */
- return (ilw->ilw_walk_ill->ill_ilm);
- }
- return (NULL);
-}
+ if (ifindex != 0) {
+ ill = ill_lookup_on_ifindex_zoneid(ifindex, zoneid,
+ B_FALSE, ipst);
+ } else if (ifaddr != INADDR_ANY) {
+ ipif_t *ipif;
-/*
- * Step to the next ILM associated with `ilw'.
- */
-ilm_t *
-ilm_walker_step(ilm_walker_t *ilw, ilm_t *ilm)
-{
- while ((ilm = ilm_walker_step_all(ilw, ilm)) != NULL) {
- if (!(ilm->ilm_flags & ILM_DELETED))
- break;
- }
- return (ilm);
-}
-
-/*
- * Finish the ILM walk associated with `ilw'.
- */
-void
-ilm_walker_finish(ilm_walker_t *ilw)
-{
- ill_ilm_walker_rele(ilw->ilw_ill);
- if (ilw->ilw_ipmp_ill != NULL) {
- ill_ilm_walker_rele(ilw->ilw_ipmp_ill);
- ill_refrele(ilw->ilw_ipmp_ill);
+ ipif = ipif_lookup_addr(ifaddr, NULL, zoneid, ipst);
+ if (ipif == NULL) {
+ ill = NULL;
+ } else {
+ ill = ipif->ipif_ill;
+ ill_refhold(ill);
+ ipif_refrele(ipif);
+ }
+ } else {
+ ill = ill_lookup_group_v4(v4group, zoneid, ipst, NULL,
+ NULL);
+ }
+ } else {
+ if (ifindex != 0) {
+ ill = ill_lookup_on_ifindex_zoneid(ifindex, zoneid,
+ B_TRUE, ipst);
+ } else {
+ ill = ill_lookup_group_v6(group, zoneid, ipst, NULL,
+ NULL);
+ }
}
- bzero(&ilw, sizeof (ilw));
-}
-
-/*
- * Looks up the appropriate ipif given a v4 multicast group and interface
- * address. On success, returns 0, with *ipifpp pointing to the found
- * struct. On failure, returns an errno and *ipifpp is NULL.
- */
-int
-ip_opt_check(conn_t *connp, ipaddr_t group, ipaddr_t src, ipaddr_t ifaddr,
- uint_t *ifindexp, mblk_t *first_mp, ipsq_func_t func, ipif_t **ipifpp)
-{
- ipif_t *ipif;
- int err = 0;
- zoneid_t zoneid;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- if (!CLASSD(group) || CLASSD(src)) {
- return (EINVAL);
+ if (ill == NULL) {
+ if (ifindex != 0)
+ *errorp = ENXIO;
+ else
+ *errorp = EADDRNOTAVAIL;
+ return (NULL);
}
- *ipifpp = NULL;
-
- zoneid = IPCL_ZONEID(connp);
-
- ASSERT(!(ifaddr != INADDR_ANY && ifindexp != NULL && *ifindexp != 0));
- if (ifaddr != INADDR_ANY) {
- ipif = ipif_lookup_addr(ifaddr, NULL, zoneid,
- CONNP_TO_WQ(connp), first_mp, func, &err, ipst);
- if (err != 0 && err != EINPROGRESS)
- err = EADDRNOTAVAIL;
- } else if (ifindexp != NULL && *ifindexp != 0) {
- ipif = ipif_lookup_on_ifindex(*ifindexp, B_FALSE, zoneid,
- CONNP_TO_WQ(connp), first_mp, func, &err, ipst);
- } else {
- ipif = ipif_lookup_group(group, zoneid, ipst);
- if (ipif == NULL)
- return (EADDRNOTAVAIL);
+ /* operation not supported on the virtual network interface */
+ if (IS_UNDER_IPMP(ill) || IS_VNI(ill)) {
+ ill_refrele(ill);
+ *errorp = EINVAL;
+ return (NULL);
}
- if (ipif == NULL)
- return (err);
-
- *ipifpp = ipif;
- return (0);
+ return (ill);
}
/*
- * Looks up the appropriate ill (or ipif if v4mapped) given an interface
- * index and IPv6 multicast group. On success, returns 0, with *illpp (or
- * *ipifpp if v4mapped) pointing to the found struct. On failure, returns
- * an errno and *illpp and *ipifpp are undefined.
+ * Looks up the appropriate ill given an interface index (or interface address)
+ * and multicast group. On success, returns 0, with *illpp pointing to the
+ * found struct. On failure, returns an errno and *illpp is set to NULL.
+ *
+ * Returns an error for IS_UNDER_IPMP and VNI interfaces.
+ *
+ * Handles both IPv4 and IPv6. The ifaddr argument only applies in the
+ * case of IPv4.
*/
int
-ip_opt_check_v6(conn_t *connp, const in6_addr_t *v6group, ipaddr_t *v4group,
- const in6_addr_t *v6src, ipaddr_t *v4src, boolean_t *isv6, int ifindex,
- mblk_t *first_mp, ipsq_func_t func, ill_t **illpp, ipif_t **ipifpp)
+ip_opt_check(conn_t *connp, const in6_addr_t *v6group,
+ const in6_addr_t *v6src, ipaddr_t ifaddr, uint_t ifindex, ill_t **illpp)
{
boolean_t src_unspec;
ill_t *ill = NULL;
- ipif_t *ipif = NULL;
- int err;
- zoneid_t zoneid = connp->conn_zoneid;
- queue_t *wq = CONNP_TO_WQ(connp);
ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+ int error = 0;
+
+ *illpp = NULL;
src_unspec = IN6_IS_ADDR_UNSPECIFIED(v6src);
if (IN6_IS_ADDR_V4MAPPED(v6group)) {
+ ipaddr_t v4group;
+ ipaddr_t v4src;
+
if (!IN6_IS_ADDR_V4MAPPED(v6src) && !src_unspec)
return (EINVAL);
- IN6_V4MAPPED_TO_IPADDR(v6group, *v4group);
+ IN6_V4MAPPED_TO_IPADDR(v6group, v4group);
if (src_unspec) {
- *v4src = INADDR_ANY;
+ v4src = INADDR_ANY;
} else {
- IN6_V4MAPPED_TO_IPADDR(v6src, *v4src);
+ IN6_V4MAPPED_TO_IPADDR(v6src, v4src);
}
- if (!CLASSD(*v4group) || CLASSD(*v4src))
+ if (!CLASSD(v4group) || CLASSD(v4src))
return (EINVAL);
- *ipifpp = NULL;
- *isv6 = B_FALSE;
} else {
if (IN6_IS_ADDR_V4MAPPED(v6src) && !src_unspec)
return (EINVAL);
@@ -1977,43 +1713,17 @@ ip_opt_check_v6(conn_t *connp, const in6_addr_t *v6group, ipaddr_t *v4group,
IN6_IS_ADDR_MULTICAST(v6src)) {
return (EINVAL);
}
- *illpp = NULL;
- *isv6 = B_TRUE;
}
- if (ifindex == 0) {
- if (*isv6)
- ill = ill_lookup_group_v6(v6group, zoneid, ipst);
- else
- ipif = ipif_lookup_group(*v4group, zoneid, ipst);
- if (ill == NULL && ipif == NULL)
- return (EADDRNOTAVAIL);
- } else {
- if (*isv6) {
- ill = ill_lookup_on_ifindex(ifindex, B_TRUE,
- wq, first_mp, func, &err, ipst);
- if (ill != NULL &&
- !ipif_lookup_zoneid(ill, zoneid, 0, NULL)) {
- ill_refrele(ill);
- ill = NULL;
- err = EADDRNOTAVAIL;
- }
- } else {
- ipif = ipif_lookup_on_ifindex(ifindex, B_FALSE,
- zoneid, wq, first_mp, func, &err, ipst);
- }
- if (ill == NULL && ipif == NULL)
- return (err);
- }
-
- *ipifpp = ipif;
+ ill = ill_mcast_lookup(v6group, ifaddr, ifindex, IPCL_ZONEID(connp),
+ ipst, &error);
*illpp = ill;
- return (0);
+ return (error);
}
static int
ip_get_srcfilter(conn_t *connp, struct group_filter *gf,
- struct ip_msfilter *imsf, ipaddr_t grp, ipif_t *ipif, boolean_t isv4mapped)
+ struct ip_msfilter *imsf, const struct in6_addr *group, boolean_t issin6)
{
ilg_t *ilg;
int i, numsrc, fmode, outsrcs;
@@ -2022,24 +1732,30 @@ ip_get_srcfilter(conn_t *connp, struct group_filter *gf,
struct in_addr *addrp;
slist_t *fp;
boolean_t is_v4only_api;
-
- mutex_enter(&connp->conn_lock);
-
- ilg = ilg_lookup_ipif(connp, grp, ipif);
- if (ilg == NULL) {
- mutex_exit(&connp->conn_lock);
- return (EADDRNOTAVAIL);
- }
+ ipaddr_t ifaddr;
+ uint_t ifindex;
if (gf == NULL) {
ASSERT(imsf != NULL);
- ASSERT(!isv4mapped);
+ ASSERT(!issin6);
is_v4only_api = B_TRUE;
outsrcs = imsf->imsf_numsrc;
+ ifaddr = imsf->imsf_interface.s_addr;
+ ifindex = 0;
} else {
ASSERT(imsf == NULL);
is_v4only_api = B_FALSE;
outsrcs = gf->gf_numsrc;
+ ifaddr = INADDR_ANY;
+ ifindex = gf->gf_interface;
+ }
+
+ /* No need to use ill_mcast_serializer for the reader */
+ rw_enter(&connp->conn_ilg_lock, RW_READER);
+ ilg = ilg_lookup(connp, group, ifaddr, ifindex);
+ if (ilg == NULL) {
+ rw_exit(&connp->conn_ilg_lock);
+ return (EADDRNOTAVAIL);
}
/*
@@ -2055,7 +1771,7 @@ ip_get_srcfilter(conn_t *connp, struct group_filter *gf,
for (i = 0; i < outsrcs; i++) {
if (i == fp->sl_numsrc)
break;
- if (isv4mapped) {
+ if (issin6) {
sin6 = (struct sockaddr_in6 *)&gf->gf_slist[i];
sin6->sin6_family = AF_INET6;
sin6->sin6_addr = fp->sl_addr[i];
@@ -2082,57 +1798,18 @@ ip_get_srcfilter(conn_t *connp, struct group_filter *gf,
gf->gf_fmode = fmode;
}
- mutex_exit(&connp->conn_lock);
-
- return (0);
-}
-
-static int
-ip_get_srcfilter_v6(conn_t *connp, struct group_filter *gf,
- const struct in6_addr *grp, ill_t *ill)
-{
- ilg_t *ilg;
- int i;
- struct sockaddr_storage *sl;
- struct sockaddr_in6 *sin6;
- slist_t *fp;
-
- mutex_enter(&connp->conn_lock);
-
- ilg = ilg_lookup_ill_v6(connp, grp, ill);
- if (ilg == NULL) {
- mutex_exit(&connp->conn_lock);
- return (EADDRNOTAVAIL);
- }
-
- /*
- * In the kernel, we use the state definitions MODE_IS_[IN|EX]CLUDE
- * to identify the filter mode; but the API uses MCAST_[IN|EX]CLUDE.
- * So we need to translate here.
- */
- gf->gf_fmode = (ilg->ilg_fmode == MODE_IS_INCLUDE) ?
- MCAST_INCLUDE : MCAST_EXCLUDE;
- if ((fp = ilg->ilg_filter) == NULL) {
- gf->gf_numsrc = 0;
- } else {
- for (i = 0, sl = gf->gf_slist; i < gf->gf_numsrc; i++, sl++) {
- if (i == fp->sl_numsrc)
- break;
- sin6 = (struct sockaddr_in6 *)sl;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_addr = fp->sl_addr[i];
- }
- gf->gf_numsrc = fp->sl_numsrc;
- }
-
- mutex_exit(&connp->conn_lock);
+ rw_exit(&connp->conn_ilg_lock);
return (0);
}
+/*
+ * Common for IPv4 and IPv6.
+ */
static int
ip_set_srcfilter(conn_t *connp, struct group_filter *gf,
- struct ip_msfilter *imsf, ipaddr_t grp, ipif_t *ipif, boolean_t isv4mapped)
+ struct ip_msfilter *imsf, const struct in6_addr *group, ill_t *ill,
+ boolean_t issin6)
{
ilg_t *ilg;
int i, err, infmode, new_fmode;
@@ -2143,20 +1820,27 @@ ip_set_srcfilter(conn_t *connp, struct group_filter *gf,
slist_t *orig_filter = NULL;
slist_t *new_filter = NULL;
mcast_record_t orig_fmode;
- boolean_t leave_grp, is_v4only_api;
+ boolean_t leave_group, is_v4only_api;
ilg_stat_t ilgstat;
+ ilm_t *ilm;
+ ipaddr_t ifaddr;
+ uint_t ifindex;
if (gf == NULL) {
ASSERT(imsf != NULL);
- ASSERT(!isv4mapped);
+ ASSERT(!issin6);
is_v4only_api = B_TRUE;
insrcs = imsf->imsf_numsrc;
infmode = imsf->imsf_fmode;
+ ifaddr = imsf->imsf_interface.s_addr;
+ ifindex = 0;
} else {
ASSERT(imsf == NULL);
is_v4only_api = B_FALSE;
insrcs = gf->gf_numsrc;
infmode = gf->gf_fmode;
+ ifaddr = INADDR_ANY;
+ ifindex = gf->gf_interface;
}
/* Make sure we can handle the source list */
@@ -2167,32 +1851,52 @@ ip_set_srcfilter(conn_t *connp, struct group_filter *gf,
* setting the filter to (INCLUDE, NULL) is treated
* as a request to leave the group.
*/
- leave_grp = (infmode == MCAST_INCLUDE && insrcs == 0);
-
- ASSERT(IAM_WRITER_IPIF(ipif));
+ leave_group = (infmode == MCAST_INCLUDE && insrcs == 0);
- mutex_enter(&connp->conn_lock);
-
- ilg = ilg_lookup_ipif(connp, grp, ipif);
+ mutex_enter(&ill->ill_mcast_serializer);
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ ilg = ilg_lookup(connp, group, ifaddr, ifindex);
if (ilg == NULL) {
/*
* if the request was actually to leave, and we
* didn't find an ilg, there's nothing to do.
*/
- if (!leave_grp)
- ilg = conn_ilg_alloc(connp, &err);
- if (leave_grp || ilg == NULL) {
- mutex_exit(&connp->conn_lock);
- return (leave_grp ? 0 : err);
+ if (leave_group) {
+ rw_exit(&connp->conn_ilg_lock);
+ mutex_exit(&ill->ill_mcast_serializer);
+ return (0);
+ }
+ ilg = conn_ilg_alloc(connp, &err);
+ if (ilg == NULL) {
+ rw_exit(&connp->conn_ilg_lock);
+ mutex_exit(&ill->ill_mcast_serializer);
+ return (err);
}
ilgstat = ILGSTAT_NEW;
- IN6_IPADDR_TO_V4MAPPED(grp, &ilg->ilg_v6group);
- ilg->ilg_ipif = ipif;
- ilg->ilg_ill = NULL;
- } else if (leave_grp) {
+ ilg->ilg_v6group = *group;
+ ilg->ilg_ill = ill;
+ ilg->ilg_ifaddr = ifaddr;
+ ilg->ilg_ifindex = ifindex;
+ } else if (leave_group) {
+ /*
+ * Make sure we have the correct serializer. The ill argument
+ * might not match ilg_ill.
+ */
+ ilg_refhold(ilg);
+ mutex_exit(&ill->ill_mcast_serializer);
+ ill = ilg->ilg_ill;
+ rw_exit(&connp->conn_ilg_lock);
+
+ mutex_enter(&ill->ill_mcast_serializer);
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ ilm = ilg->ilg_ilm;
+ ilg->ilg_ilm = NULL;
ilg_delete(connp, ilg, NULL);
- mutex_exit(&connp->conn_lock);
- (void) ip_delmulti(grp, ipif, B_FALSE, B_TRUE);
+ ilg_refrele(ilg);
+ rw_exit(&connp->conn_ilg_lock);
+ if (ilm != NULL)
+ (void) ip_delmulti_serial(ilm, B_FALSE, B_TRUE);
+ mutex_exit(&ill->ill_mcast_serializer);
return (0);
} else {
ilgstat = ILGSTAT_CHANGE;
@@ -2203,7 +1907,8 @@ ip_set_srcfilter(conn_t *connp, struct group_filter *gf,
} else {
orig_filter = l_alloc_copy(ilg->ilg_filter);
if (orig_filter == NULL) {
- mutex_exit(&connp->conn_lock);
+ rw_exit(&connp->conn_ilg_lock);
+ mutex_exit(&ill->ill_mcast_serializer);
return (ENOMEM);
}
}
@@ -2214,7 +1919,7 @@ ip_set_srcfilter(conn_t *connp, struct group_filter *gf,
* we make any changes, so we can bail if it fails.
*/
if ((new_filter = l_alloc()) == NULL) {
- mutex_exit(&connp->conn_lock);
+ rw_exit(&connp->conn_ilg_lock);
err = ENOMEM;
goto free_and_exit;
}
@@ -2228,7 +1933,7 @@ ip_set_srcfilter(conn_t *connp, struct group_filter *gf,
if (fp == NULL) {
if (ilgstat == ILGSTAT_NEW)
ilg_delete(connp, ilg, NULL);
- mutex_exit(&connp->conn_lock);
+ rw_exit(&connp->conn_ilg_lock);
err = ENOMEM;
goto free_and_exit;
}
@@ -2236,7 +1941,7 @@ ip_set_srcfilter(conn_t *connp, struct group_filter *gf,
fp = ilg->ilg_filter;
}
for (i = 0; i < insrcs; i++) {
- if (isv4mapped) {
+ if (issin6) {
sin6 = (struct sockaddr_in6 *)&gf->gf_slist[i];
fp->sl_addr[i] = sin6->sin6_addr;
} else {
@@ -2263,177 +1968,70 @@ ip_set_srcfilter(conn_t *connp, struct group_filter *gf,
/*
* Save copy of ilg's filter state to pass to other functions,
- * so we can release conn_lock now.
+ * so we can release conn_ilg_lock now.
*/
new_fmode = ilg->ilg_fmode;
l_copy(ilg->ilg_filter, new_filter);
- mutex_exit(&connp->conn_lock);
-
- err = ip_addmulti(grp, ipif, ilgstat, new_fmode, new_filter);
- if (err != 0) {
- /*
- * Restore the original filter state, or delete the
- * newly-created ilg. We need to look up the ilg
- * again, though, since we've not been holding the
- * conn_lock.
- */
- mutex_enter(&connp->conn_lock);
- ilg = ilg_lookup_ipif(connp, grp, ipif);
- ASSERT(ilg != NULL);
- if (ilgstat == ILGSTAT_NEW) {
- ilg_delete(connp, ilg, NULL);
- } else {
- ilg->ilg_fmode = orig_fmode;
- if (SLIST_IS_EMPTY(orig_filter)) {
- CLEAR_SLIST(ilg->ilg_filter);
- } else {
- /*
- * We didn't free the filter, even if we
- * were trying to make the source list empty;
- * so if orig_filter isn't empty, the ilg
- * must still have a filter alloc'd.
- */
- l_copy(orig_filter, ilg->ilg_filter);
- }
- }
- mutex_exit(&connp->conn_lock);
- }
-
-free_and_exit:
- l_free(orig_filter);
- l_free(new_filter);
-
- return (err);
-}
-
-static int
-ip_set_srcfilter_v6(conn_t *connp, struct group_filter *gf,
- const struct in6_addr *grp, ill_t *ill)
-{
- ilg_t *ilg;
- int i, orig_fmode, new_fmode, err;
- slist_t *orig_filter = NULL;
- slist_t *new_filter = NULL;
- struct sockaddr_storage *sl;
- struct sockaddr_in6 *sin6;
- boolean_t leave_grp;
- ilg_stat_t ilgstat;
-
- /* Make sure we can handle the source list */
- if (gf->gf_numsrc > MAX_FILTER_SIZE)
- return (ENOBUFS);
+ rw_exit(&connp->conn_ilg_lock);
/*
- * setting the filter to (INCLUDE, NULL) is treated
- * as a request to leave the group.
+ * Now update the ill. We wait to do this until after the ilg
+ * has been updated because we need to update the src filter
+ * info for the ill, which involves looking at the status of
+ * all the ilgs associated with this group/interface pair.
*/
- leave_grp = (gf->gf_fmode == MCAST_INCLUDE && gf->gf_numsrc == 0);
-
- ASSERT(IAM_WRITER_ILL(ill));
-
- mutex_enter(&connp->conn_lock);
- ilg = ilg_lookup_ill_v6(connp, grp, ill);
- if (ilg == NULL) {
- /*
- * if the request was actually to leave, and we
- * didn't find an ilg, there's nothing to do.
- */
- if (!leave_grp)
- ilg = conn_ilg_alloc(connp, &err);
- if (leave_grp || ilg == NULL) {
- mutex_exit(&connp->conn_lock);
- return (leave_grp ? 0 : err);
- }
- ilgstat = ILGSTAT_NEW;
- ilg->ilg_v6group = *grp;
- ilg->ilg_ipif = NULL;
- ilg->ilg_ill = ill;
- } else if (leave_grp) {
- ilg_delete(connp, ilg, NULL);
- mutex_exit(&connp->conn_lock);
- (void) ip_delmulti_v6(grp, ill, connp->conn_zoneid, B_FALSE,
- B_TRUE);
- return (0);
- } else {
- ilgstat = ILGSTAT_CHANGE;
- /* preserve existing state in case ip_addmulti() fails */
- orig_fmode = ilg->ilg_fmode;
- if (ilg->ilg_filter == NULL) {
- orig_filter = NULL;
- } else {
- orig_filter = l_alloc_copy(ilg->ilg_filter);
- if (orig_filter == NULL) {
- mutex_exit(&connp->conn_lock);
- return (ENOMEM);
- }
- }
- }
+ ilm = ip_addmulti_serial(group, ill, connp->conn_zoneid, ilgstat,
+ new_fmode, new_filter, &err);
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
/*
- * Alloc buffer to copy new state into (see below) before
- * we make any changes, so we can bail if it fails.
+ * Must look up the ilg again since we've not been holding
+ * conn_ilg_lock. The ilg could have disappeared due to an unplumb
+ * having called conn_update_ill, which can run once we dropped the
+ * conn_ilg_lock above.
*/
- if ((new_filter = l_alloc()) == NULL) {
- mutex_exit(&connp->conn_lock);
- err = ENOMEM;
+ ilg = ilg_lookup(connp, group, ifaddr, ifindex);
+ if (ilg == NULL) {
+ rw_exit(&connp->conn_ilg_lock);
+ if (ilm != NULL) {
+ (void) ip_delmulti_serial(ilm, B_FALSE,
+ (ilgstat == ILGSTAT_NEW));
+ }
+ err = ENXIO;
goto free_and_exit;
}
- if (gf->gf_numsrc == 0) {
- CLEAR_SLIST(ilg->ilg_filter);
- } else {
- slist_t *fp;
- if (ilg->ilg_filter == NULL) {
- fp = l_alloc();
- if (fp == NULL) {
- if (ilgstat == ILGSTAT_NEW)
- ilg_delete(connp, ilg, NULL);
- mutex_exit(&connp->conn_lock);
- err = ENOMEM;
- goto free_and_exit;
- }
+ if (ilm != NULL) {
+ /* Succeeded. Update the ilg to point at the ilm */
+ if (ilgstat == ILGSTAT_NEW) {
+ ASSERT(ilg->ilg_ilm == NULL);
+ ilg->ilg_ilm = ilm;
+ ilm->ilm_ifaddr = ifaddr; /* For netstat */
} else {
- fp = ilg->ilg_filter;
- }
- for (i = 0, sl = gf->gf_slist; i < gf->gf_numsrc; i++, sl++) {
- sin6 = (struct sockaddr_in6 *)sl;
- fp->sl_addr[i] = sin6->sin6_addr;
+ /*
+ * ip_addmulti didn't get a held ilm for
+ * ILGSTAT_CHANGE; ilm_refcnt was unchanged.
+ */
+ ASSERT(ilg->ilg_ilm == ilm);
}
- fp->sl_numsrc = gf->gf_numsrc;
- ilg->ilg_filter = fp;
- }
- /*
- * In the kernel, we use the state definitions MODE_IS_[IN|EX]CLUDE
- * to identify the filter mode; but the API uses MCAST_[IN|EX]CLUDE.
- * So we need to translate here.
- */
- ilg->ilg_fmode = (gf->gf_fmode == MCAST_INCLUDE) ?
- MODE_IS_INCLUDE : MODE_IS_EXCLUDE;
-
- /*
- * Save copy of ilg's filter state to pass to other functions,
- * so we can release conn_lock now.
- */
- new_fmode = ilg->ilg_fmode;
- l_copy(ilg->ilg_filter, new_filter);
-
- mutex_exit(&connp->conn_lock);
-
- err = ip_addmulti_v6(grp, ill, connp->conn_zoneid, ilgstat, new_fmode,
- new_filter);
- if (err != 0) {
+ } else {
+ ASSERT(err != 0);
/*
+ * Failed to allocate the ilm.
* Restore the original filter state, or delete the
- * newly-created ilg. We need to look up the ilg
- * again, though, since we've not been holding the
- * conn_lock.
+ * newly-created ilg.
+ * If ENETDOWN just clear ill_ilg since so that we
+ * will rejoin when the ill comes back; don't report ENETDOWN
+ * to application.
*/
- mutex_enter(&connp->conn_lock);
- ilg = ilg_lookup_ill_v6(connp, grp, ill);
- ASSERT(ilg != NULL);
if (ilgstat == ILGSTAT_NEW) {
- ilg_delete(connp, ilg, NULL);
+ if (err == ENETDOWN) {
+ ilg->ilg_ill = NULL;
+ err = 0;
+ } else {
+ ilg_delete(connp, ilg, NULL);
+ }
} else {
ilg->ilg_fmode = orig_fmode;
if (SLIST_IS_EMPTY(orig_filter)) {
@@ -2448,10 +2046,11 @@ ip_set_srcfilter_v6(conn_t *connp, struct group_filter *gf,
l_copy(orig_filter, ilg->ilg_filter);
}
}
- mutex_exit(&connp->conn_lock);
}
+ rw_exit(&connp->conn_ilg_lock);
free_and_exit:
+ mutex_exit(&ill->ill_mcast_serializer);
l_free(orig_filter);
l_free(new_filter);
@@ -2475,11 +2074,17 @@ ip_sioctl_msfilter(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
boolean_t isv6, is_v4only_api, getcmd;
struct sockaddr_in *gsin;
struct sockaddr_in6 *gsin6;
- ipaddr_t v4grp;
- in6_addr_t v6grp;
+ ipaddr_t v4group;
+ in6_addr_t v6group;
struct group_filter *gf = NULL;
struct ip_msfilter *imsf = NULL;
mblk_t *ndp;
+ ill_t *ill;
+
+ connp = Q_TO_CONN(q);
+ err = ip_msfilter_ill(connp, mp, ipip, &ill);
+ if (err != 0)
+ return (err);
if (data_mp->b_cont != NULL) {
if ((ndp = msgpullup(data_mp, -1)) == NULL)
@@ -2519,132 +2124,119 @@ ip_sioctl_msfilter(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
if (datalen < expsize)
return (EINVAL);
- connp = Q_TO_CONN(q);
-
- /* operation not supported on the virtual network interface */
- if (IS_VNI(ipif->ipif_ill))
- return (EINVAL);
-
if (isv6) {
- ill_t *ill = ipif->ipif_ill;
- ill_refhold(ill);
-
gsin6 = (struct sockaddr_in6 *)&gf->gf_group;
- v6grp = gsin6->sin6_addr;
- if (getcmd)
- err = ip_get_srcfilter_v6(connp, gf, &v6grp, ill);
- else
- err = ip_set_srcfilter_v6(connp, gf, &v6grp, ill);
-
- ill_refrele(ill);
+ v6group = gsin6->sin6_addr;
+ if (getcmd) {
+ err = ip_get_srcfilter(connp, gf, NULL, &v6group,
+ B_TRUE);
+ } else {
+ err = ip_set_srcfilter(connp, gf, NULL, &v6group, ill,
+ B_TRUE);
+ }
} else {
- boolean_t isv4mapped = B_FALSE;
+ boolean_t issin6 = B_FALSE;
if (is_v4only_api) {
- v4grp = (ipaddr_t)imsf->imsf_multiaddr.s_addr;
+ v4group = (ipaddr_t)imsf->imsf_multiaddr.s_addr;
+ IN6_IPADDR_TO_V4MAPPED(v4group, &v6group);
} else {
if (gf->gf_group.ss_family == AF_INET) {
gsin = (struct sockaddr_in *)&gf->gf_group;
- v4grp = (ipaddr_t)gsin->sin_addr.s_addr;
+ v4group = (ipaddr_t)gsin->sin_addr.s_addr;
+ IN6_IPADDR_TO_V4MAPPED(v4group, &v6group);
} else {
gsin6 = (struct sockaddr_in6 *)&gf->gf_group;
IN6_V4MAPPED_TO_IPADDR(&gsin6->sin6_addr,
- v4grp);
- isv4mapped = B_TRUE;
+ v4group);
+ issin6 = B_TRUE;
}
}
- if (getcmd)
- err = ip_get_srcfilter(connp, gf, imsf, v4grp, ipif,
- isv4mapped);
+ /*
+ * INADDR_ANY is represented as the IPv6 unspecifed addr.
+ */
+ if (v4group == INADDR_ANY)
+ v6group = ipv6_all_zeros;
else
- err = ip_set_srcfilter(connp, gf, imsf, v4grp, ipif,
- isv4mapped);
+ IN6_IPADDR_TO_V4MAPPED(v4group, &v6group);
+
+ if (getcmd) {
+ err = ip_get_srcfilter(connp, gf, imsf, &v6group,
+ issin6);
+ } else {
+ err = ip_set_srcfilter(connp, gf, imsf, &v6group, ill,
+ issin6);
+ }
}
+ ill_refrele(ill);
return (err);
}
/*
- * Finds the ipif based on information in the ioctl headers. Needed to make
- * ip_process_ioctl() happy (it needs to know the ipif for IPI_WR-flagged
- * ioctls prior to calling the ioctl's handler function).
+ * Determine the ill for the SIOC*MSFILTER ioctls
+ *
+ * Returns an error for IS_UNDER_IPMP interfaces.
+ *
+ * Finds the ill based on information in the ioctl headers.
*/
-int
-ip_extract_msfilter(queue_t *q, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
- cmd_info_t *ci, ipsq_func_t func)
+static int
+ip_msfilter_ill(conn_t *connp, mblk_t *mp, const ip_ioctl_cmd_t *ipip,
+ ill_t **illp)
{
int cmd = ipip->ipi_cmd;
int err = 0;
- conn_t *connp;
- ipif_t *ipif;
+ ill_t *ill;
/* caller has verified this mblk exists */
char *dbuf = (char *)mp->b_cont->b_cont->b_rptr;
struct ip_msfilter *imsf;
struct group_filter *gf;
- ipaddr_t v4addr, v4grp;
- in6_addr_t v6grp;
+ ipaddr_t v4addr, v4group;
+ in6_addr_t v6group;
uint32_t index;
- zoneid_t zoneid;
ip_stack_t *ipst;
- connp = Q_TO_CONN(q);
- zoneid = connp->conn_zoneid;
ipst = connp->conn_netstack->netstack_ip;
+ *illp = NULL;
+
/* don't allow multicast operations on a tcp conn */
if (IPCL_IS_TCP(connp))
return (ENOPROTOOPT);
if (cmd == SIOCSIPMSFILTER || cmd == SIOCGIPMSFILTER) {
/* don't allow v4-specific ioctls on v6 socket */
- if (connp->conn_af_isv6)
+ if (connp->conn_family == AF_INET6)
return (EAFNOSUPPORT);
imsf = (struct ip_msfilter *)dbuf;
v4addr = imsf->imsf_interface.s_addr;
- v4grp = imsf->imsf_multiaddr.s_addr;
- if (v4addr == INADDR_ANY) {
- ipif = ipif_lookup_group(v4grp, zoneid, ipst);
- if (ipif == NULL)
- err = EADDRNOTAVAIL;
- } else {
- ipif = ipif_lookup_addr(v4addr, NULL, zoneid, q, mp,
- func, &err, ipst);
- }
+ v4group = imsf->imsf_multiaddr.s_addr;
+ IN6_IPADDR_TO_V4MAPPED(v4group, &v6group);
+ ill = ill_mcast_lookup(&v6group, v4addr, 0, IPCL_ZONEID(connp),
+ ipst, &err);
+ if (ill == NULL && v4addr != INADDR_ANY)
+ err = ENXIO;
} else {
- boolean_t isv6 = B_FALSE;
gf = (struct group_filter *)dbuf;
index = gf->gf_interface;
if (gf->gf_group.ss_family == AF_INET6) {
struct sockaddr_in6 *sin6;
+
sin6 = (struct sockaddr_in6 *)&gf->gf_group;
- v6grp = sin6->sin6_addr;
- if (IN6_IS_ADDR_V4MAPPED(&v6grp))
- IN6_V4MAPPED_TO_IPADDR(&v6grp, v4grp);
- else
- isv6 = B_TRUE;
+ v6group = sin6->sin6_addr;
} else if (gf->gf_group.ss_family == AF_INET) {
struct sockaddr_in *sin;
+
sin = (struct sockaddr_in *)&gf->gf_group;
- v4grp = sin->sin_addr.s_addr;
+ v4group = sin->sin_addr.s_addr;
+ IN6_IPADDR_TO_V4MAPPED(v4group, &v6group);
} else {
return (EAFNOSUPPORT);
}
- if (index == 0) {
- if (isv6) {
- ipif = ipif_lookup_group_v6(&v6grp, zoneid,
- ipst);
- } else {
- ipif = ipif_lookup_group(v4grp, zoneid, ipst);
- }
- if (ipif == NULL)
- err = EADDRNOTAVAIL;
- } else {
- ipif = ipif_lookup_on_ifindex(index, isv6, zoneid,
- q, mp, func, &err, ipst);
- }
+ ill = ill_mcast_lookup(&v6group, INADDR_ANY, index,
+ IPCL_ZONEID(connp), ipst, &err);
}
-
- ci->ci_ipif = ipif;
+ *illp = ill;
return (err);
}
@@ -2695,6 +2287,7 @@ ip_copyin_msfilter(queue_t *q, mblk_t *mp)
/*
* Handle the following optmgmt:
* IP_ADD_MEMBERSHIP must not have joined already
+ * IPV6_JOIN_GROUP must not have joined already
* MCAST_JOIN_GROUP must not have joined already
* IP_BLOCK_SOURCE must have joined already
* MCAST_BLOCK_SOURCE must have joined already
@@ -2702,91 +2295,15 @@ ip_copyin_msfilter(queue_t *q, mblk_t *mp)
* MCAST_JOIN_SOURCE_GROUP may have joined already
*
* fmode and src parameters may be used to determine which option is
- * being set, as follows (the IP_* and MCAST_* versions of each option
- * are functionally equivalent):
- * opt fmode src
- * IP_ADD_MEMBERSHIP MODE_IS_EXCLUDE INADDR_ANY
- * MCAST_JOIN_GROUP MODE_IS_EXCLUDE INADDR_ANY
- * IP_BLOCK_SOURCE MODE_IS_EXCLUDE v4 addr
- * MCAST_BLOCK_SOURCE MODE_IS_EXCLUDE v4 addr
- * IP_JOIN_SOURCE_GROUP MODE_IS_INCLUDE v4 addr
- * MCAST_JOIN_SOURCE_GROUP MODE_IS_INCLUDE v4 addr
- *
- * Changing the filter mode is not allowed; if a matching ilg already
- * exists and fmode != ilg->ilg_fmode, EINVAL is returned.
- *
- * Verifies that there is a source address of appropriate scope for
- * the group; if not, EADDRNOTAVAIL is returned.
- *
- * The interface to be used may be identified by an address or by an
- * index. A pointer to the index is passed; if it is NULL, use the
- * address, otherwise, use the index.
- */
-int
-ip_opt_add_group(conn_t *connp, boolean_t checkonly, ipaddr_t group,
- ipaddr_t ifaddr, uint_t *ifindexp, mcast_record_t fmode, ipaddr_t src,
- mblk_t *first_mp)
-{
- ipif_t *ipif;
- ipsq_t *ipsq;
- int err = 0;
- ill_t *ill;
-
- err = ip_opt_check(connp, group, src, ifaddr, ifindexp, first_mp,
- ip_restart_optmgmt, &ipif);
- if (err != 0) {
- if (err != EINPROGRESS) {
- ip1dbg(("ip_opt_add_group: no ipif for group 0x%x, "
- "ifaddr 0x%x, ifindex %d\n", ntohl(group),
- ntohl(ifaddr), (ifindexp == NULL) ? 0 : *ifindexp));
- }
- return (err);
- }
- ASSERT(ipif != NULL);
-
- ill = ipif->ipif_ill;
- /* Operation not supported on a virtual network interface */
- if (IS_VNI(ill)) {
- ipif_refrele(ipif);
- return (EINVAL);
- }
-
- if (checkonly) {
- /*
- * do not do operation, just pretend to - new T_CHECK
- * semantics. The error return case above if encountered
- * considered a good enough "check" here.
- */
- ipif_refrele(ipif);
- return (0);
- }
-
- IPSQ_ENTER_IPIF(ipif, connp, first_mp, ip_restart_optmgmt, ipsq,
- NEW_OP);
-
- /* unspecified source addr => no source filtering */
- err = ilg_add(connp, group, ipif, fmode, src);
-
- IPSQ_EXIT(ipsq);
-
- ipif_refrele(ipif);
- return (err);
-}
-
-/*
- * Handle the following optmgmt:
- * IPV6_JOIN_GROUP must not have joined already
- * MCAST_JOIN_GROUP must not have joined already
- * MCAST_BLOCK_SOURCE must have joined already
- * MCAST_JOIN_SOURCE_GROUP may have joined already
- *
- * fmode and src parameters may be used to determine which option is
* being set, as follows (IPV6_JOIN_GROUP and MCAST_JOIN_GROUP options
* are functionally equivalent):
* opt fmode v6src
+ * IP_ADD_MEMBERSHIP MODE_IS_EXCLUDE unspecified
* IPV6_JOIN_GROUP MODE_IS_EXCLUDE unspecified
* MCAST_JOIN_GROUP MODE_IS_EXCLUDE unspecified
+ * IP_BLOCK_SOURCE MODE_IS_EXCLUDE IPv4-mapped addr
* MCAST_BLOCK_SOURCE MODE_IS_EXCLUDE v6 addr
+ * IP_JOIN_SOURCE_GROUP MODE_IS_INCLUDE IPv4-mapped addr
* MCAST_JOIN_SOURCE_GROUP MODE_IS_INCLUDE v6 addr
*
* Changing the filter mode is not allowed; if a matching ilg already
@@ -2795,47 +2312,29 @@ ip_opt_add_group(conn_t *connp, boolean_t checkonly, ipaddr_t group,
* Verifies that there is a source address of appropriate scope for
* the group; if not, EADDRNOTAVAIL is returned.
*
+ * The interface to be used may be identified by an IPv4 address or by an
+ * interface index.
+ *
* Handles IPv4-mapped IPv6 multicast addresses by associating them
- * with the link-local ipif. Assumes that if v6group is v4-mapped,
+ * with the IPv4 address. Assumes that if v6group is v4-mapped,
* v6src is also v4-mapped.
*/
int
-ip_opt_add_group_v6(conn_t *connp, boolean_t checkonly,
- const in6_addr_t *v6group, int ifindex, mcast_record_t fmode,
- const in6_addr_t *v6src, mblk_t *first_mp)
+ip_opt_add_group(conn_t *connp, boolean_t checkonly,
+ const in6_addr_t *v6group, ipaddr_t ifaddr, uint_t ifindex,
+ mcast_record_t fmode, const in6_addr_t *v6src)
{
ill_t *ill;
- ipif_t *ipif;
char buf[INET6_ADDRSTRLEN];
- ipaddr_t v4group, v4src;
- boolean_t isv6;
- ipsq_t *ipsq;
int err;
- err = ip_opt_check_v6(connp, v6group, &v4group, v6src, &v4src, &isv6,
- ifindex, first_mp, ip_restart_optmgmt, &ill, &ipif);
+ err = ip_opt_check(connp, v6group, v6src, ifaddr, ifindex, &ill);
if (err != 0) {
- if (err != EINPROGRESS) {
- ip1dbg(("ip_opt_add_group_v6: no ill for group %s/"
- "index %d\n", inet_ntop(AF_INET6, v6group, buf,
- sizeof (buf)), ifindex));
- }
+ ip1dbg(("ip_opt_add_group: no ill for group %s/"
+ "index %d\n", inet_ntop(AF_INET6, v6group, buf,
+ sizeof (buf)), ifindex));
return (err);
}
- ASSERT((!isv6 && ipif != NULL) || (isv6 && ill != NULL));
-
- /* operation is not supported on the virtual network interface */
- if (isv6) {
- if (IS_VNI(ill)) {
- ill_refrele(ill);
- return (EINVAL);
- }
- } else {
- if (IS_VNI(ipif->ipif_ill)) {
- ipif_refrele(ipif);
- return (EINVAL);
- }
- }
if (checkonly) {
/*
@@ -2843,104 +2342,70 @@ ip_opt_add_group_v6(conn_t *connp, boolean_t checkonly,
* semantics. The error return case above if encountered
* considered a good enough "check" here.
*/
- if (isv6)
- ill_refrele(ill);
- else
- ipif_refrele(ipif);
- return (0);
- }
-
- if (!isv6) {
- IPSQ_ENTER_IPIF(ipif, connp, first_mp, ip_restart_optmgmt,
- ipsq, NEW_OP);
- err = ilg_add(connp, v4group, ipif, fmode, v4src);
- IPSQ_EXIT(ipsq);
- ipif_refrele(ipif);
- } else {
- IPSQ_ENTER_ILL(ill, connp, first_mp, ip_restart_optmgmt,
- ipsq, NEW_OP);
- err = ilg_add_v6(connp, v6group, ill, fmode, v6src);
- IPSQ_EXIT(ipsq);
ill_refrele(ill);
+ return (0);
}
+ mutex_enter(&ill->ill_mcast_serializer);
+ err = ilg_add(connp, v6group, ifaddr, ifindex, ill, fmode, v6src);
+ mutex_exit(&ill->ill_mcast_serializer);
+ ill_refrele(ill);
return (err);
}
+/*
+ * Common for IPv6 and IPv4.
+ * Here we handle ilgs that are still attached to their original ill
+ * (the one ifaddr/ifindex points at), as well as detached ones.
+ * The detached ones might have been attached to some other ill.
+ */
static int
-ip_opt_delete_group_excl(conn_t *connp, ipaddr_t group, ipif_t *ipif,
- mcast_record_t fmode, ipaddr_t src)
+ip_opt_delete_group_excl(conn_t *connp, const in6_addr_t *v6group,
+ ipaddr_t ifaddr, uint_t ifindex, mcast_record_t fmode,
+ const in6_addr_t *v6src)
{
ilg_t *ilg;
- in6_addr_t v6src;
- boolean_t leaving = B_FALSE;
-
- ASSERT(IAM_WRITER_IPIF(ipif));
-
- /*
- * The ilg is valid only while we hold the conn lock. Once we drop
- * the lock, another thread can locate another ilg on this connp,
- * but on a different ipif, and delete it, and cause the ilg array
- * to be reallocated and copied. Hence do the ilg_delete before
- * dropping the lock.
- */
- mutex_enter(&connp->conn_lock);
- ilg = ilg_lookup_ipif(connp, group, ipif);
- if ((ilg == NULL) || (ilg->ilg_flags & ILG_DELETED)) {
- mutex_exit(&connp->conn_lock);
- return (EADDRNOTAVAIL);
- }
+ boolean_t leaving;
+ ilm_t *ilm;
+ ill_t *ill;
+ int err = 0;
- /*
- * Decide if we're actually deleting the ilg or just removing a
- * source filter address; if just removing an addr, make sure we
- * aren't trying to change the filter mode, and that the addr is
- * actually in our filter list already. If we're removing the
- * last src in an include list, just delete the ilg.
- */
- if (src == INADDR_ANY) {
- v6src = ipv6_all_zeros;
- leaving = B_TRUE;
- } else {
- int err = 0;
- IN6_IPADDR_TO_V4MAPPED(src, &v6src);
- if (fmode != ilg->ilg_fmode)
- err = EINVAL;
- else if (ilg->ilg_filter == NULL ||
- !list_has_addr(ilg->ilg_filter, &v6src))
+retry:
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ ilg = ilg_lookup(connp, v6group, ifaddr, ifindex);
+ if (ilg == NULL) {
+ rw_exit(&connp->conn_ilg_lock);
+ /*
+ * Since we didn't have any ilg we now do the error checks
+ * to determine the best errno.
+ */
+ err = ip_opt_check(connp, v6group, v6src, ifaddr, ifindex,
+ &ill);
+ if (ill != NULL) {
+ /* The only error was a missing ilg for the group */
+ ill_refrele(ill);
err = EADDRNOTAVAIL;
- if (err != 0) {
- mutex_exit(&connp->conn_lock);
- return (err);
- }
- if (fmode == MODE_IS_INCLUDE &&
- ilg->ilg_filter->sl_numsrc == 1) {
- v6src = ipv6_all_zeros;
- leaving = B_TRUE;
}
+ return (err);
}
- ilg_delete(connp, ilg, &v6src);
- mutex_exit(&connp->conn_lock);
-
- (void) ip_delmulti(group, ipif, B_FALSE, leaving);
- return (0);
-}
-
-static int
-ip_opt_delete_group_excl_v6(conn_t *connp, const in6_addr_t *v6group,
- ill_t *ill, mcast_record_t fmode, const in6_addr_t *v6src)
-{
- ilg_t *ilg;
- boolean_t leaving = B_TRUE;
-
- ASSERT(IAM_WRITER_ILL(ill));
-
- mutex_enter(&connp->conn_lock);
- ilg = ilg_lookup_ill_v6(connp, v6group, ill);
- if ((ilg == NULL) || (ilg->ilg_flags & ILG_DELETED)) {
- mutex_exit(&connp->conn_lock);
- return (EADDRNOTAVAIL);
+ /* If the ilg is attached then we serialize using that ill */
+ ill = ilg->ilg_ill;
+ if (ill != NULL) {
+ /* Prevent the ill and ilg from being freed */
+ ill_refhold(ill);
+ ilg_refhold(ilg);
+ rw_exit(&connp->conn_ilg_lock);
+ mutex_enter(&ill->ill_mcast_serializer);
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ if (ilg->ilg_condemned) {
+ /* Disappeared */
+ ilg_refrele(ilg);
+ rw_exit(&connp->conn_ilg_lock);
+ mutex_exit(&ill->ill_mcast_serializer);
+ ill_refrele(ill);
+ goto retry;
+ }
}
/*
@@ -2950,198 +2415,107 @@ ip_opt_delete_group_excl_v6(conn_t *connp, const in6_addr_t *v6group,
* actually in our filter list already. If we're removing the
* last src in an include list, just delete the ilg.
*/
- if (!IN6_IS_ADDR_UNSPECIFIED(v6src)) {
- int err = 0;
+ if (IN6_IS_ADDR_UNSPECIFIED(v6src)) {
+ leaving = B_TRUE;
+ } else {
if (fmode != ilg->ilg_fmode)
err = EINVAL;
else if (ilg->ilg_filter == NULL ||
!list_has_addr(ilg->ilg_filter, v6src))
err = EADDRNOTAVAIL;
if (err != 0) {
- mutex_exit(&connp->conn_lock);
- return (err);
+ if (ill != NULL)
+ ilg_refrele(ilg);
+ rw_exit(&connp->conn_ilg_lock);
+ goto done;
}
if (fmode == MODE_IS_INCLUDE &&
- ilg->ilg_filter->sl_numsrc == 1)
+ ilg->ilg_filter->sl_numsrc == 1) {
+ leaving = B_TRUE;
v6src = NULL;
- else
+ } else {
leaving = B_FALSE;
+ }
}
+ ilm = ilg->ilg_ilm;
+ if (leaving)
+ ilg->ilg_ilm = NULL;
ilg_delete(connp, ilg, v6src);
- mutex_exit(&connp->conn_lock);
- (void) ip_delmulti_v6(v6group, ill, connp->conn_zoneid, B_FALSE,
- leaving);
-
- return (0);
-}
-
-/*
- * Handle the following optmgmt:
- * IP_DROP_MEMBERSHIP will leave
- * MCAST_LEAVE_GROUP will leave
- * IP_UNBLOCK_SOURCE will not leave
- * MCAST_UNBLOCK_SOURCE will not leave
- * IP_LEAVE_SOURCE_GROUP may leave (if leaving last source)
- * MCAST_LEAVE_SOURCE_GROUP may leave (if leaving last source)
- *
- * fmode and src parameters may be used to determine which option is
- * being set, as follows (the IP_* and MCAST_* versions of each option
- * are functionally equivalent):
- * opt fmode src
- * IP_DROP_MEMBERSHIP MODE_IS_INCLUDE INADDR_ANY
- * MCAST_LEAVE_GROUP MODE_IS_INCLUDE INADDR_ANY
- * IP_UNBLOCK_SOURCE MODE_IS_EXCLUDE v4 addr
- * MCAST_UNBLOCK_SOURCE MODE_IS_EXCLUDE v4 addr
- * IP_LEAVE_SOURCE_GROUP MODE_IS_INCLUDE v4 addr
- * MCAST_LEAVE_SOURCE_GROUP MODE_IS_INCLUDE v4 addr
- *
- * Changing the filter mode is not allowed; if a matching ilg already
- * exists and fmode != ilg->ilg_fmode, EINVAL is returned.
- *
- * The interface to be used may be identified by an address or by an
- * index. A pointer to the index is passed; if it is NULL, use the
- * address, otherwise, use the index.
- */
-int
-ip_opt_delete_group(conn_t *connp, boolean_t checkonly, ipaddr_t group,
- ipaddr_t ifaddr, uint_t *ifindexp, mcast_record_t fmode, ipaddr_t src,
- mblk_t *first_mp)
-{
- ipif_t *ipif;
- ipsq_t *ipsq;
- int err;
- ill_t *ill;
-
- err = ip_opt_check(connp, group, src, ifaddr, ifindexp, first_mp,
- ip_restart_optmgmt, &ipif);
- if (err != 0) {
- if (err != EINPROGRESS) {
- ip1dbg(("ip_opt_delete_group: no ipif for group "
- "0x%x, ifaddr 0x%x\n",
- (int)ntohl(group), (int)ntohl(ifaddr)));
- }
- return (err);
- }
- ASSERT(ipif != NULL);
+ if (ill != NULL)
+ ilg_refrele(ilg);
+ rw_exit(&connp->conn_ilg_lock);
- ill = ipif->ipif_ill;
- /* Operation not supported on a virtual network interface */
- if (IS_VNI(ill)) {
- ipif_refrele(ipif);
- return (EINVAL);
+ if (ilm != NULL) {
+ ASSERT(ill != NULL);
+ (void) ip_delmulti_serial(ilm, B_FALSE, leaving);
}
-
- if (checkonly) {
- /*
- * do not do operation, just pretend to - new T_CHECK
- * semantics. The error return case above if encountered
- * considered a good enough "check" here.
- */
- ipif_refrele(ipif);
- return (0);
+done:
+ if (ill != NULL) {
+ mutex_exit(&ill->ill_mcast_serializer);
+ ill_refrele(ill);
}
-
- IPSQ_ENTER_IPIF(ipif, connp, first_mp, ip_restart_optmgmt, ipsq,
- NEW_OP);
- err = ip_opt_delete_group_excl(connp, group, ipif, fmode, src);
- IPSQ_EXIT(ipsq);
-
- ipif_refrele(ipif);
return (err);
}
/*
* Handle the following optmgmt:
+ * IP_DROP_MEMBERSHIP will leave
* IPV6_LEAVE_GROUP will leave
* MCAST_LEAVE_GROUP will leave
+ * IP_UNBLOCK_SOURCE will not leave
* MCAST_UNBLOCK_SOURCE will not leave
+ * IP_LEAVE_SOURCE_GROUP may leave (if leaving last source)
* MCAST_LEAVE_SOURCE_GROUP may leave (if leaving last source)
*
* fmode and src parameters may be used to determine which option is
- * being set, as follows (IPV6_LEAVE_GROUP and MCAST_LEAVE_GROUP options
- * are functionally equivalent):
+ * being set, as follows:
* opt fmode v6src
+ * IP_DROP_MEMBERSHIP MODE_IS_INCLUDE unspecified
* IPV6_LEAVE_GROUP MODE_IS_INCLUDE unspecified
* MCAST_LEAVE_GROUP MODE_IS_INCLUDE unspecified
+ * IP_UNBLOCK_SOURCE MODE_IS_EXCLUDE IPv4-mapped addr
* MCAST_UNBLOCK_SOURCE MODE_IS_EXCLUDE v6 addr
+ * IP_LEAVE_SOURCE_GROUP MODE_IS_INCLUDE IPv4-mapped addr
* MCAST_LEAVE_SOURCE_GROUP MODE_IS_INCLUDE v6 addr
*
* Changing the filter mode is not allowed; if a matching ilg already
* exists and fmode != ilg->ilg_fmode, EINVAL is returned.
*
+ * The interface to be used may be identified by an IPv4 address or by an
+ * interface index.
+ *
* Handles IPv4-mapped IPv6 multicast addresses by associating them
- * with the link-local ipif. Assumes that if v6group is v4-mapped,
+ * with the IPv4 address. Assumes that if v6group is v4-mapped,
* v6src is also v4-mapped.
*/
int
-ip_opt_delete_group_v6(conn_t *connp, boolean_t checkonly,
- const in6_addr_t *v6group, int ifindex, mcast_record_t fmode,
- const in6_addr_t *v6src, mblk_t *first_mp)
+ip_opt_delete_group(conn_t *connp, boolean_t checkonly,
+ const in6_addr_t *v6group, ipaddr_t ifaddr, uint_t ifindex,
+ mcast_record_t fmode, const in6_addr_t *v6src)
{
- ill_t *ill;
- ipif_t *ipif;
- char buf[INET6_ADDRSTRLEN];
- ipaddr_t v4group, v4src;
- boolean_t isv6;
- ipsq_t *ipsq;
- int err;
-
- err = ip_opt_check_v6(connp, v6group, &v4group, v6src, &v4src, &isv6,
- ifindex, first_mp, ip_restart_optmgmt, &ill, &ipif);
- if (err != 0) {
- if (err != EINPROGRESS) {
- ip1dbg(("ip_opt_delete_group_v6: no ill for group %s/"
- "index %d\n", inet_ntop(AF_INET6, v6group, buf,
- sizeof (buf)), ifindex));
- }
- return (err);
- }
- ASSERT((isv6 && ill != NULL) || (!isv6 && ipif != NULL));
-
- /* operation is not supported on the virtual network interface */
- if (isv6) {
- if (IS_VNI(ill)) {
- ill_refrele(ill);
- return (EINVAL);
- }
- } else {
- if (IS_VNI(ipif->ipif_ill)) {
- ipif_refrele(ipif);
- return (EINVAL);
- }
- }
+ /*
+ * In the normal case below we don't check for the ill existing.
+ * Instead we look for an existing ilg in _excl.
+ * If checkonly we sanity check the arguments
+ */
if (checkonly) {
+ ill_t *ill;
+ int err;
+
+ err = ip_opt_check(connp, v6group, v6src, ifaddr, ifindex,
+ &ill);
/*
- * do not do operation, just pretend to - new T_CHECK
- * semantics. The error return case above if encountered
- * considered a good enough "check" here.
+ * do not do operation, just pretend to - new T_CHECK semantics.
+ * ip_opt_check is considered a good enough "check" here.
*/
- if (isv6)
+ if (ill != NULL)
ill_refrele(ill);
- else
- ipif_refrele(ipif);
- return (0);
- }
-
- if (!isv6) {
- IPSQ_ENTER_IPIF(ipif, connp, first_mp, ip_restart_optmgmt,
- ipsq, NEW_OP);
- err = ip_opt_delete_group_excl(connp, v4group, ipif, fmode,
- v4src);
- IPSQ_EXIT(ipsq);
- ipif_refrele(ipif);
- } else {
- IPSQ_ENTER_ILL(ill, connp, first_mp, ip_restart_optmgmt,
- ipsq, NEW_OP);
- err = ip_opt_delete_group_excl_v6(connp, v6group, ill, fmode,
- v6src);
- IPSQ_EXIT(ipsq);
- ill_refrele(ill);
+ return (err);
}
-
- return (err);
+ return (ip_opt_delete_group_excl(connp, v6group, ifaddr, ifindex,
+ fmode, v6src));
}
/*
@@ -3155,185 +2529,26 @@ ip_opt_delete_group_v6(conn_t *connp, boolean_t checkonly,
/*
* Add a group to an upper conn group data structure and pass things down
* to the interface multicast list (and DLPI)
+ * Common for IPv4 and IPv6; for IPv4 we can have an ifaddr.
*/
static int
-ilg_add(conn_t *connp, ipaddr_t group, ipif_t *ipif, mcast_record_t fmode,
- ipaddr_t src)
-{
- int error = 0;
- ill_t *ill;
- ilg_t *ilg;
- ilg_stat_t ilgstat;
- slist_t *new_filter = NULL;
- int new_fmode;
-
- ASSERT(IAM_WRITER_IPIF(ipif));
-
- ill = ipif->ipif_ill;
-
- if (!(ill->ill_flags & ILLF_MULTICAST))
- return (EADDRNOTAVAIL);
-
- /*
- * conn_ilg[] is protected by conn_lock. Need to hold the conn_lock
- * to walk the conn_ilg[] list in ilg_lookup_ipif(); also needed to
- * serialize 2 threads doing join (sock, group1, hme0:0) and
- * (sock, group2, hme1:0) where hme0 and hme1 map to different ipsqs,
- * but both operations happen on the same conn.
- */
- mutex_enter(&connp->conn_lock);
- ilg = ilg_lookup_ipif(connp, group, ipif);
-
- /*
- * Depending on the option we're handling, may or may not be okay
- * if group has already been added. Figure out our rules based
- * on fmode and src params. Also make sure there's enough room
- * in the filter if we're adding a source to an existing filter.
- */
- if (src == INADDR_ANY) {
- /* we're joining for all sources, must not have joined */
- if (ilg != NULL)
- error = EADDRINUSE;
- } else {
- if (fmode == MODE_IS_EXCLUDE) {
- /* (excl {addr}) => block source, must have joined */
- if (ilg == NULL)
- error = EADDRNOTAVAIL;
- }
- /* (incl {addr}) => join source, may have joined */
-
- if (ilg != NULL &&
- SLIST_CNT(ilg->ilg_filter) == MAX_FILTER_SIZE)
- error = ENOBUFS;
- }
- if (error != 0) {
- mutex_exit(&connp->conn_lock);
- return (error);
- }
-
- ASSERT(!(ipif->ipif_state_flags & IPIF_CONDEMNED));
-
- /*
- * Alloc buffer to copy new state into (see below) before
- * we make any changes, so we can bail if it fails.
- */
- if ((new_filter = l_alloc()) == NULL) {
- mutex_exit(&connp->conn_lock);
- return (ENOMEM);
- }
-
- if (ilg == NULL) {
- ilgstat = ILGSTAT_NEW;
- if ((ilg = conn_ilg_alloc(connp, &error)) == NULL) {
- mutex_exit(&connp->conn_lock);
- l_free(new_filter);
- return (error);
- }
- if (src != INADDR_ANY) {
- ilg->ilg_filter = l_alloc();
- if (ilg->ilg_filter == NULL) {
- ilg_delete(connp, ilg, NULL);
- mutex_exit(&connp->conn_lock);
- l_free(new_filter);
- return (ENOMEM);
- }
- ilg->ilg_filter->sl_numsrc = 1;
- IN6_IPADDR_TO_V4MAPPED(src,
- &ilg->ilg_filter->sl_addr[0]);
- }
- if (group == INADDR_ANY) {
- ilg->ilg_v6group = ipv6_all_zeros;
- } else {
- IN6_IPADDR_TO_V4MAPPED(group, &ilg->ilg_v6group);
- }
- ilg->ilg_ipif = ipif;
- ilg->ilg_ill = NULL;
- ilg->ilg_fmode = fmode;
- } else {
- int index;
- in6_addr_t v6src;
- ilgstat = ILGSTAT_CHANGE;
- if (ilg->ilg_fmode != fmode || src == INADDR_ANY) {
- mutex_exit(&connp->conn_lock);
- l_free(new_filter);
- return (EINVAL);
- }
- if (ilg->ilg_filter == NULL) {
- ilg->ilg_filter = l_alloc();
- if (ilg->ilg_filter == NULL) {
- mutex_exit(&connp->conn_lock);
- l_free(new_filter);
- return (ENOMEM);
- }
- }
- IN6_IPADDR_TO_V4MAPPED(src, &v6src);
- if (list_has_addr(ilg->ilg_filter, &v6src)) {
- mutex_exit(&connp->conn_lock);
- l_free(new_filter);
- return (EADDRNOTAVAIL);
- }
- index = ilg->ilg_filter->sl_numsrc++;
- ilg->ilg_filter->sl_addr[index] = v6src;
- }
-
- /*
- * Save copy of ilg's filter state to pass to other functions,
- * so we can release conn_lock now.
- */
- new_fmode = ilg->ilg_fmode;
- l_copy(ilg->ilg_filter, new_filter);
-
- mutex_exit(&connp->conn_lock);
-
- error = ip_addmulti(group, ipif, ilgstat, new_fmode, new_filter);
- if (error != 0) {
- /*
- * Need to undo what we did before calling ip_addmulti()!
- * Must look up the ilg again since we've not been holding
- * conn_lock.
- */
- in6_addr_t v6src;
- if (ilgstat == ILGSTAT_NEW)
- v6src = ipv6_all_zeros;
- else
- IN6_IPADDR_TO_V4MAPPED(src, &v6src);
- mutex_enter(&connp->conn_lock);
- ilg = ilg_lookup_ipif(connp, group, ipif);
- ASSERT(ilg != NULL);
- ilg_delete(connp, ilg, &v6src);
- mutex_exit(&connp->conn_lock);
- l_free(new_filter);
- return (error);
- }
-
- l_free(new_filter);
- return (0);
-}
-
-static int
-ilg_add_v6(conn_t *connp, const in6_addr_t *v6group, ill_t *ill,
- mcast_record_t fmode, const in6_addr_t *v6src)
+ilg_add(conn_t *connp, const in6_addr_t *v6group, ipaddr_t ifaddr,
+ uint_t ifindex, ill_t *ill, mcast_record_t fmode, const in6_addr_t *v6src)
{
int error = 0;
ilg_t *ilg;
ilg_stat_t ilgstat;
slist_t *new_filter = NULL;
int new_fmode;
-
- ASSERT(IAM_WRITER_ILL(ill));
+ ilm_t *ilm;
if (!(ill->ill_flags & ILLF_MULTICAST))
return (EADDRNOTAVAIL);
- /*
- * conn_lock protects the ilg list. Serializes 2 threads doing
- * join (sock, group1, hme0) and (sock, group2, hme1) where hme0
- * and hme1 map to different ipsq's, but both operations happen
- * on the same conn.
- */
- mutex_enter(&connp->conn_lock);
-
- ilg = ilg_lookup_ill_v6(connp, v6group, ill);
+ /* conn_ilg_lock protects the ilg list. */
+ ASSERT(MUTEX_HELD(&ill->ill_mcast_serializer));
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ ilg = ilg_lookup(connp, v6group, ifaddr, ifindex);
/*
* Depending on the option we're handling, may or may not be okay
@@ -3358,7 +2573,7 @@ ilg_add_v6(conn_t *connp, const in6_addr_t *v6group, ill_t *ill,
error = ENOBUFS;
}
if (error != 0) {
- mutex_exit(&connp->conn_lock);
+ rw_exit(&connp->conn_ilg_lock);
return (error);
}
@@ -3367,21 +2582,23 @@ ilg_add_v6(conn_t *connp, const in6_addr_t *v6group, ill_t *ill,
* we make any changes, so we can bail if it fails.
*/
if ((new_filter = l_alloc()) == NULL) {
- mutex_exit(&connp->conn_lock);
+ rw_exit(&connp->conn_ilg_lock);
return (ENOMEM);
}
if (ilg == NULL) {
if ((ilg = conn_ilg_alloc(connp, &error)) == NULL) {
- mutex_exit(&connp->conn_lock);
+ rw_exit(&connp->conn_ilg_lock);
l_free(new_filter);
return (error);
}
+ ilg->ilg_ifindex = ifindex;
+ ilg->ilg_ifaddr = ifaddr;
if (!IN6_IS_ADDR_UNSPECIFIED(v6src)) {
ilg->ilg_filter = l_alloc();
if (ilg->ilg_filter == NULL) {
ilg_delete(connp, ilg, NULL);
- mutex_exit(&connp->conn_lock);
+ rw_exit(&connp->conn_ilg_lock);
l_free(new_filter);
return (ENOMEM);
}
@@ -3391,25 +2608,24 @@ ilg_add_v6(conn_t *connp, const in6_addr_t *v6group, ill_t *ill,
ilgstat = ILGSTAT_NEW;
ilg->ilg_v6group = *v6group;
ilg->ilg_fmode = fmode;
- ilg->ilg_ipif = NULL;
ilg->ilg_ill = ill;
} else {
int index;
if (ilg->ilg_fmode != fmode || IN6_IS_ADDR_UNSPECIFIED(v6src)) {
- mutex_exit(&connp->conn_lock);
+ rw_exit(&connp->conn_ilg_lock);
l_free(new_filter);
return (EINVAL);
}
if (ilg->ilg_filter == NULL) {
ilg->ilg_filter = l_alloc();
if (ilg->ilg_filter == NULL) {
- mutex_exit(&connp->conn_lock);
+ rw_exit(&connp->conn_ilg_lock);
l_free(new_filter);
return (ENOMEM);
}
}
if (list_has_addr(ilg->ilg_filter, v6src)) {
- mutex_exit(&connp->conn_lock);
+ rw_exit(&connp->conn_ilg_lock);
l_free(new_filter);
return (EADDRNOTAVAIL);
}
@@ -3420,12 +2636,12 @@ ilg_add_v6(conn_t *connp, const in6_addr_t *v6group, ill_t *ill,
/*
* Save copy of ilg's filter state to pass to other functions,
- * so we can release conn_lock now.
+ * so we can release conn_ilg_lock now.
*/
new_fmode = ilg->ilg_fmode;
l_copy(ilg->ilg_filter, new_filter);
- mutex_exit(&connp->conn_lock);
+ rw_exit(&connp->conn_ilg_lock);
/*
* Now update the ill. We wait to do this until after the ilg
@@ -3433,72 +2649,105 @@ ilg_add_v6(conn_t *connp, const in6_addr_t *v6group, ill_t *ill,
* info for the ill, which involves looking at the status of
* all the ilgs associated with this group/interface pair.
*/
- error = ip_addmulti_v6(v6group, ill, connp->conn_zoneid, ilgstat,
- new_fmode, new_filter);
- if (error != 0) {
+ ilm = ip_addmulti_serial(v6group, ill, connp->conn_zoneid, ilgstat,
+ new_fmode, new_filter, &error);
+
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ /*
+ * Must look up the ilg again since we've not been holding
+ * conn_ilg_lock. The ilg could have disappeared due to an unplumb
+ * having called conn_update_ill, which can run once we dropped the
+ * conn_ilg_lock above.
+ */
+ ilg = ilg_lookup(connp, v6group, ifaddr, ifindex);
+ if (ilg == NULL) {
+ rw_exit(&connp->conn_ilg_lock);
+ if (ilm != NULL) {
+ (void) ip_delmulti_serial(ilm, B_FALSE,
+ (ilgstat == ILGSTAT_NEW));
+ }
+ error = ENXIO;
+ goto free_and_exit;
+ }
+
+ if (ilm != NULL) {
+ /* Succeeded. Update the ilg to point at the ilm */
+ if (ilgstat == ILGSTAT_NEW) {
+ ASSERT(ilg->ilg_ilm == NULL);
+ ilg->ilg_ilm = ilm;
+ ilm->ilm_ifaddr = ifaddr; /* For netstat */
+ } else {
+ /*
+ * ip_addmulti didn't get a held ilm for
+ * ILGSTAT_CHANGE; ilm_refcnt was unchanged.
+ */
+ ASSERT(ilg->ilg_ilm == ilm);
+ }
+ } else {
+ ASSERT(error != 0);
/*
- * But because we waited, we have to undo the ilg update
- * if ip_addmulti_v6() fails. We also must lookup ilg
- * again, since we've not been holding conn_lock.
+ * Failed to allocate the ilm.
+ * Need to undo what we did before calling ip_addmulti()
+ * If ENETDOWN just clear ill_ilg since so that we
+ * will rejoin when the ill comes back; don't report ENETDOWN
+ * to application.
*/
- in6_addr_t delsrc =
- (ilgstat == ILGSTAT_NEW) ? ipv6_all_zeros : *v6src;
- mutex_enter(&connp->conn_lock);
- ilg = ilg_lookup_ill_v6(connp, v6group, ill);
- ASSERT(ilg != NULL);
- ilg_delete(connp, ilg, &delsrc);
- mutex_exit(&connp->conn_lock);
- l_free(new_filter);
- return (error);
+ if (ilgstat == ILGSTAT_NEW && error == ENETDOWN) {
+ ilg->ilg_ill = NULL;
+ error = 0;
+ } else {
+ in6_addr_t delsrc =
+ (ilgstat == ILGSTAT_NEW) ? ipv6_all_zeros : *v6src;
+
+ ilg_delete(connp, ilg, &delsrc);
+ }
}
+ rw_exit(&connp->conn_ilg_lock);
+free_and_exit:
l_free(new_filter);
-
- return (0);
+ return (error);
}
/*
- * Find an IPv4 ilg matching group, ill and source
+ * Find an IPv4 ilg matching group, ill and source.
+ * The group and source can't be INADDR_ANY here so no need to translate to
+ * the unspecified IPv6 address.
*/
-ilg_t *
-ilg_lookup_ill_withsrc(conn_t *connp, ipaddr_t group, ipaddr_t src, ill_t *ill)
+boolean_t
+conn_hasmembers_ill_withsrc_v4(conn_t *connp, ipaddr_t group, ipaddr_t src,
+ ill_t *ill)
{
in6_addr_t v6group, v6src;
int i;
boolean_t isinlist;
ilg_t *ilg;
- ipif_t *ipif;
- ill_t *ilg_ill;
-
- ASSERT(MUTEX_HELD(&connp->conn_lock));
- /*
- * INADDR_ANY is represented as the IPv6 unspecified addr.
- */
- if (group == INADDR_ANY)
- v6group = ipv6_all_zeros;
- else
- IN6_IPADDR_TO_V4MAPPED(group, &v6group);
+ rw_enter(&connp->conn_ilg_lock, RW_READER);
+ IN6_IPADDR_TO_V4MAPPED(group, &v6group);
+ for (ilg = connp->conn_ilg; ilg != NULL; ilg = ilg->ilg_next) {
+ if (ilg->ilg_condemned)
+ continue;
- for (i = 0; i < connp->conn_ilg_inuse; i++) {
- ilg = &connp->conn_ilg[i];
- if ((ipif = ilg->ilg_ipif) == NULL ||
- (ilg->ilg_flags & ILG_DELETED) != 0)
+ /* ilg_ill could be NULL if an add is in progress */
+ if (ilg->ilg_ill != ill)
continue;
- ASSERT(ilg->ilg_ill == NULL);
- ilg_ill = ipif->ipif_ill;
- ASSERT(!ilg_ill->ill_isv6);
- if (IS_ON_SAME_LAN(ilg_ill, ill) &&
- IN6_ARE_ADDR_EQUAL(&ilg->ilg_v6group, &v6group)) {
+
+ /* The callers use upper ill for IPMP */
+ ASSERT(!IS_UNDER_IPMP(ill));
+ if (IN6_ARE_ADDR_EQUAL(&ilg->ilg_v6group, &v6group)) {
if (SLIST_IS_EMPTY(ilg->ilg_filter)) {
/* no source filter, so this is a match */
- return (ilg);
+ rw_exit(&connp->conn_ilg_lock);
+ return (B_TRUE);
}
break;
}
}
- if (i == connp->conn_ilg_inuse)
- return (NULL);
+ if (ilg == NULL) {
+ rw_exit(&connp->conn_ilg_lock);
+ return (B_FALSE);
+ }
/*
* we have an ilg with matching ill and group; but
@@ -3514,44 +2763,49 @@ ilg_lookup_ill_withsrc(conn_t *connp, ipaddr_t group, ipaddr_t src, ill_t *ill)
}
if ((isinlist && ilg->ilg_fmode == MODE_IS_INCLUDE) ||
- (!isinlist && ilg->ilg_fmode == MODE_IS_EXCLUDE))
- return (ilg);
-
- return (NULL);
+ (!isinlist && ilg->ilg_fmode == MODE_IS_EXCLUDE)) {
+ rw_exit(&connp->conn_ilg_lock);
+ return (B_TRUE);
+ }
+ rw_exit(&connp->conn_ilg_lock);
+ return (B_FALSE);
}
/*
* Find an IPv6 ilg matching group, ill, and source
*/
-ilg_t *
-ilg_lookup_ill_withsrc_v6(conn_t *connp, const in6_addr_t *v6group,
+boolean_t
+conn_hasmembers_ill_withsrc_v6(conn_t *connp, const in6_addr_t *v6group,
const in6_addr_t *v6src, ill_t *ill)
{
int i;
boolean_t isinlist;
ilg_t *ilg;
- ill_t *ilg_ill;
- ASSERT(MUTEX_HELD(&connp->conn_lock));
+ rw_enter(&connp->conn_ilg_lock, RW_READER);
+ for (ilg = connp->conn_ilg; ilg != NULL; ilg = ilg->ilg_next) {
+ if (ilg->ilg_condemned)
+ continue;
- for (i = 0; i < connp->conn_ilg_inuse; i++) {
- ilg = &connp->conn_ilg[i];
- if ((ilg_ill = ilg->ilg_ill) == NULL ||
- (ilg->ilg_flags & ILG_DELETED) != 0)
+ /* ilg_ill could be NULL if an add is in progress */
+ if (ilg->ilg_ill != ill)
continue;
- ASSERT(ilg->ilg_ipif == NULL);
- ASSERT(ilg_ill->ill_isv6);
- if (IS_ON_SAME_LAN(ilg_ill, ill) &&
- IN6_ARE_ADDR_EQUAL(&ilg->ilg_v6group, v6group)) {
+
+ /* The callers use upper ill for IPMP */
+ ASSERT(!IS_UNDER_IPMP(ill));
+ if (IN6_ARE_ADDR_EQUAL(&ilg->ilg_v6group, v6group)) {
if (SLIST_IS_EMPTY(ilg->ilg_filter)) {
/* no source filter, so this is a match */
- return (ilg);
+ rw_exit(&connp->conn_ilg_lock);
+ return (B_TRUE);
}
break;
}
}
- if (i == connp->conn_ilg_inuse)
- return (NULL);
+ if (ilg == NULL) {
+ rw_exit(&connp->conn_ilg_lock);
+ return (B_FALSE);
+ }
/*
* we have an ilg with matching ill and group; but
@@ -3566,61 +2820,34 @@ ilg_lookup_ill_withsrc_v6(conn_t *connp, const in6_addr_t *v6group,
}
if ((isinlist && ilg->ilg_fmode == MODE_IS_INCLUDE) ||
- (!isinlist && ilg->ilg_fmode == MODE_IS_EXCLUDE))
- return (ilg);
-
- return (NULL);
-}
-
-/*
- * Find an IPv6 ilg matching group and ill
- */
-ilg_t *
-ilg_lookup_ill_v6(conn_t *connp, const in6_addr_t *v6group, ill_t *ill)
-{
- ilg_t *ilg;
- int i;
- ill_t *mem_ill;
-
- ASSERT(MUTEX_HELD(&connp->conn_lock));
-
- for (i = 0; i < connp->conn_ilg_inuse; i++) {
- ilg = &connp->conn_ilg[i];
- if ((mem_ill = ilg->ilg_ill) == NULL ||
- (ilg->ilg_flags & ILG_DELETED) != 0)
- continue;
- ASSERT(ilg->ilg_ipif == NULL);
- ASSERT(mem_ill->ill_isv6);
- if (mem_ill == ill &&
- IN6_ARE_ADDR_EQUAL(&ilg->ilg_v6group, v6group))
- return (ilg);
+ (!isinlist && ilg->ilg_fmode == MODE_IS_EXCLUDE)) {
+ rw_exit(&connp->conn_ilg_lock);
+ return (B_TRUE);
}
- return (NULL);
+ rw_exit(&connp->conn_ilg_lock);
+ return (B_FALSE);
}
/*
- * Find an IPv4 ilg matching group and ipif
+ * Find an ilg matching group and ifaddr/ifindex.
+ * We check both ifaddr and ifindex even though at most one of them
+ * will be non-zero; that way we always find the right one.
*/
static ilg_t *
-ilg_lookup_ipif(conn_t *connp, ipaddr_t group, ipif_t *ipif)
+ilg_lookup(conn_t *connp, const in6_addr_t *v6group, ipaddr_t ifaddr,
+ uint_t ifindex)
{
- in6_addr_t v6group;
- int i;
ilg_t *ilg;
- ASSERT(MUTEX_HELD(&connp->conn_lock));
- ASSERT(!ipif->ipif_ill->ill_isv6);
+ ASSERT(RW_LOCK_HELD(&connp->conn_ilg_lock));
- if (group == INADDR_ANY)
- v6group = ipv6_all_zeros;
- else
- IN6_IPADDR_TO_V4MAPPED(group, &v6group);
+ for (ilg = connp->conn_ilg; ilg != NULL; ilg = ilg->ilg_next) {
+ if (ilg->ilg_condemned)
+ continue;
- for (i = 0; i < connp->conn_ilg_inuse; i++) {
- ilg = &connp->conn_ilg[i];
- if ((ilg->ilg_flags & ILG_DELETED) == 0 &&
- IN6_ARE_ADDR_EQUAL(&ilg->ilg_v6group, &v6group) &&
- ilg->ilg_ipif == ipif)
+ if (ilg->ilg_ifaddr == ifaddr &&
+ ilg->ilg_ifindex == ifindex &&
+ IN6_ARE_ADDR_EQUAL(&ilg->ilg_v6group, v6group))
return (ilg);
}
return (NULL);
@@ -3634,363 +2861,479 @@ ilg_lookup_ipif(conn_t *connp, ipaddr_t group, ipif_t *ipif)
static void
ilg_delete(conn_t *connp, ilg_t *ilg, const in6_addr_t *src)
{
- int i;
-
- ASSERT((ilg->ilg_ipif != NULL) ^ (ilg->ilg_ill != NULL));
- ASSERT(ilg->ilg_ipif == NULL || IAM_WRITER_IPIF(ilg->ilg_ipif));
- ASSERT(ilg->ilg_ill == NULL || IAM_WRITER_ILL(ilg->ilg_ill));
- ASSERT(MUTEX_HELD(&connp->conn_lock));
- ASSERT(!(ilg->ilg_flags & ILG_DELETED));
+ ASSERT(RW_WRITE_HELD(&connp->conn_ilg_lock));
+ ASSERT(ilg->ilg_ptpn != NULL);
+ ASSERT(!ilg->ilg_condemned);
if (src == NULL || IN6_IS_ADDR_UNSPECIFIED(src)) {
- if (connp->conn_ilg_walker_cnt != 0) {
- ilg->ilg_flags |= ILG_DELETED;
- return;
- }
-
FREE_SLIST(ilg->ilg_filter);
+ ilg->ilg_filter = NULL;
- i = ilg - &connp->conn_ilg[0];
- ASSERT(i >= 0 && i < connp->conn_ilg_inuse);
-
- /* Move other entries up one step */
- connp->conn_ilg_inuse--;
- for (; i < connp->conn_ilg_inuse; i++)
- connp->conn_ilg[i] = connp->conn_ilg[i+1];
+ ASSERT(ilg->ilg_ilm == NULL);
+ ilg->ilg_ill = NULL;
+ ilg->ilg_condemned = B_TRUE;
- if (connp->conn_ilg_inuse == 0) {
- mi_free((char *)connp->conn_ilg);
- connp->conn_ilg = NULL;
- cv_broadcast(&connp->conn_refcv);
- }
+ /* ilg_inactive will unlink from the list */
+ ilg_refrele(ilg);
} else {
l_remove(ilg->ilg_filter, src);
}
}
/*
- * Called from conn close. No new ilg can be added or removed.
+ * Called from conn close. No new ilg can be added or removed
* because CONN_CLOSING has been set by ip_close. ilg_add / ilg_delete
* will return error if conn has started closing.
+ *
+ * We handle locking as follows.
+ * Under conn_ilg_lock we get the first ilg. As we drop the conn_ilg_lock to
+ * proceed with the ilm part of the delete we hold a reference on both the ill
+ * and the ilg. This doesn't prevent changes to the ilg, but prevents it from
+ * being deleted.
+ *
+ * Since the ilg_add code path uses two locks (conn_ilg_lock for the ilg part,
+ * and ill_mcast_lock for the ip_addmulti part) we can run at a point between
+ * the two. At that point ilg_ill is set, but ilg_ilm hasn't yet been set. In
+ * that case we delete the ilg here, which makes ilg_add discover that the ilg
+ * has disappeared when ip_addmulti returns, so it will discard the ilm it just
+ * added.
*/
void
ilg_delete_all(conn_t *connp)
{
- int i;
- ipif_t *ipif = NULL;
- ill_t *ill = NULL;
- ilg_t *ilg;
- in6_addr_t v6group;
- boolean_t success;
- ipsq_t *ipsq;
+ ilg_t *ilg, *next_ilg, *held_ilg;
+ ilm_t *ilm;
+ ill_t *ill;
+ boolean_t need_refrele;
+ /*
+ * Can not run if there is a conn_update_ill already running.
+ * Wait for it to complete. Caller should have already set CONN_CLOSING
+ * which prevents any new threads to run in conn_update_ill.
+ */
mutex_enter(&connp->conn_lock);
-retry:
- ILG_WALKER_HOLD(connp);
- for (i = connp->conn_ilg_inuse - 1; i >= 0; i--) {
- ilg = &connp->conn_ilg[i];
- /*
- * Since this walk is not atomic (we drop the
- * conn_lock and wait in ipsq_enter) we need
- * to check for the ILG_DELETED flag.
- */
- if (ilg->ilg_flags & ILG_DELETED)
- continue;
-
- if (IN6_IS_ADDR_V4MAPPED(&ilg->ilg_v6group)) {
- ipif = ilg->ilg_ipif;
- ill = ipif->ipif_ill;
- } else {
- ipif = NULL;
- ill = ilg->ilg_ill;
- }
+ ASSERT(connp->conn_state_flags & CONN_CLOSING);
+ while (connp->conn_state_flags & CONN_UPDATE_ILL)
+ cv_wait(&connp->conn_cv, &connp->conn_lock);
+ mutex_exit(&connp->conn_lock);
- /*
- * We may not be able to refhold the ill if the ill/ipif
- * is changing. But we need to make sure that the ill will
- * not vanish. So we just bump up the ill_waiter count.
- * If we are unable to do even that, then the ill is closing,
- * in which case the unplumb thread will handle the cleanup,
- * and we move on to the next ilg.
- */
- if (!ill_waiter_inc(ill))
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ ilg = connp->conn_ilg;
+ held_ilg = NULL;
+ while (ilg != NULL) {
+ if (ilg->ilg_condemned) {
+ ilg = ilg->ilg_next;
continue;
-
- mutex_exit(&connp->conn_lock);
- /*
- * To prevent deadlock between ill close which waits inside
- * the perimeter, and conn close, ipsq_enter returns error,
- * the moment ILL_CONDEMNED is set, in which case ill close
- * takes responsibility to cleanup the ilgs. Note that we
- * have not yet set condemned flag, otherwise the conn can't
- * be refheld for cleanup by those routines and it would be
- * a mutual deadlock.
- */
- success = ipsq_enter(ill, B_FALSE, NEW_OP);
- ipsq = ill->ill_phyint->phyint_ipsq;
- ill_waiter_dcr(ill);
- mutex_enter(&connp->conn_lock);
- if (!success)
+ }
+ /* If the ilg is detached then no need to serialize */
+ if (ilg->ilg_ilm == NULL) {
+ next_ilg = ilg->ilg_next;
+ ilg_delete(connp, ilg, NULL);
+ ilg = next_ilg;
continue;
+ }
+ ill = ilg->ilg_ilm->ilm_ill;
/*
- * Move on if the ilg was deleted while conn_lock was dropped.
+ * In order to serialize on the ill we try to enter
+ * and if that fails we unlock and relock and then
+ * check that we still have an ilm.
*/
- if (ilg->ilg_flags & ILG_DELETED) {
- mutex_exit(&connp->conn_lock);
- ipsq_exit(ipsq);
- mutex_enter(&connp->conn_lock);
- continue;
+ need_refrele = B_FALSE;
+ if (!mutex_tryenter(&ill->ill_mcast_serializer)) {
+ ill_refhold(ill);
+ need_refrele = B_TRUE;
+ ilg_refhold(ilg);
+ if (held_ilg != NULL)
+ ilg_refrele(held_ilg);
+ held_ilg = ilg;
+ rw_exit(&connp->conn_ilg_lock);
+ mutex_enter(&ill->ill_mcast_serializer);
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ if (ilg->ilg_condemned) {
+ ilg = ilg->ilg_next;
+ goto next;
+ }
}
- v6group = ilg->ilg_v6group;
+ ilm = ilg->ilg_ilm;
+ ilg->ilg_ilm = NULL;
+ next_ilg = ilg->ilg_next;
ilg_delete(connp, ilg, NULL);
- mutex_exit(&connp->conn_lock);
+ ilg = next_ilg;
+ rw_exit(&connp->conn_ilg_lock);
- if (ipif != NULL) {
- (void) ip_delmulti(V4_PART_OF_V6(v6group), ipif,
- B_FALSE, B_TRUE);
- } else {
- (void) ip_delmulti_v6(&v6group, ill,
- connp->conn_zoneid, B_FALSE, B_TRUE);
- }
- ipsq_exit(ipsq);
- mutex_enter(&connp->conn_lock);
- }
- ILG_WALKER_RELE(connp);
+ if (ilm != NULL)
+ (void) ip_delmulti_serial(ilm, B_FALSE, B_TRUE);
- /* If any ill was skipped above wait and retry */
- if (connp->conn_ilg_inuse != 0) {
- cv_wait(&connp->conn_refcv, &connp->conn_lock);
- goto retry;
+ next:
+ mutex_exit(&ill->ill_mcast_serializer);
+ if (need_refrele) {
+ /* Drop ill reference while we hold no locks */
+ ill_refrele(ill);
+ }
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
}
- mutex_exit(&connp->conn_lock);
+ if (held_ilg != NULL)
+ ilg_refrele(held_ilg);
+ rw_exit(&connp->conn_ilg_lock);
}
/*
- * Called from ill close by ipcl_walk for clearing conn_ilg and
- * conn_multicast_ipif for a given ipif. conn is held by caller.
- * Note that ipcl_walk only walks conns that are not yet condemned.
- * condemned conns can't be refheld. For this reason, conn must become clean
- * first, i.e. it must not refer to any ill/ire/ipif and then only set
- * condemned flag.
+ * Attach the ilg to an ilm on the ill. If it fails we leave ilg_ill as NULL so
+ * that a subsequent attempt can attach it.
+ * Drops and reacquires conn_ilg_lock.
*/
static void
-conn_delete_ipif(conn_t *connp, caddr_t arg)
+ilg_attach(conn_t *connp, ilg_t *ilg, ill_t *ill)
{
- ipif_t *ipif = (ipif_t *)arg;
- int i;
- char group_buf1[INET6_ADDRSTRLEN];
- char group_buf2[INET6_ADDRSTRLEN];
- ipaddr_t group;
- ilg_t *ilg;
+ ilg_stat_t ilgstat;
+ slist_t *new_filter;
+ int new_fmode;
+ in6_addr_t v6group;
+ ipaddr_t ifaddr;
+ uint_t ifindex;
+ ilm_t *ilm;
+ int error = 0;
+ ASSERT(RW_WRITE_HELD(&connp->conn_ilg_lock));
/*
- * Even though conn_ilg_inuse can change while we are in this loop,
- * i.e.ilgs can be created or deleted on this connp, no new ilgs can
- * be created or deleted for this connp, on this ill, since this ill
- * is the perimeter. So we won't miss any ilg in this cleanup.
+ * Alloc buffer to copy new state into (see below) before
+ * we make any changes, so we can bail if it fails.
*/
- mutex_enter(&connp->conn_lock);
+ if ((new_filter = l_alloc()) == NULL)
+ return;
/*
- * Increment the walker count, so that ilg repacking does not
- * occur while we are in the loop.
+ * Save copy of ilg's filter state to pass to other functions, so
+ * we can release conn_ilg_lock now.
+ * Set ilg_ill so that an unplumb can find us.
*/
- ILG_WALKER_HOLD(connp);
- for (i = connp->conn_ilg_inuse - 1; i >= 0; i--) {
- ilg = &connp->conn_ilg[i];
- if (ilg->ilg_ipif != ipif || (ilg->ilg_flags & ILG_DELETED))
- continue;
- /*
- * ip_close cannot be cleaning this ilg at the same time.
- * since it also has to execute in this ill's perimeter which
- * we are now holding. Only a clean conn can be condemned.
- */
- ASSERT(!(connp->conn_state_flags & CONN_CONDEMNED));
-
- /* Blow away the membership */
- ip1dbg(("conn_delete_ilg_ipif: %s on %s (%s)\n",
- inet_ntop(AF_INET6, &connp->conn_ilg[i].ilg_v6group,
- group_buf1, sizeof (group_buf1)),
- inet_ntop(AF_INET6, &ipif->ipif_v6lcl_addr,
- group_buf2, sizeof (group_buf2)),
- ipif->ipif_ill->ill_name));
-
- /* ilg_ipif is NULL for V6, so we won't be here */
- ASSERT(IN6_IS_ADDR_V4MAPPED(&ilg->ilg_v6group));
+ new_fmode = ilg->ilg_fmode;
+ l_copy(ilg->ilg_filter, new_filter);
+ v6group = ilg->ilg_v6group;
+ ifaddr = ilg->ilg_ifaddr;
+ ifindex = ilg->ilg_ifindex;
+ ilgstat = ILGSTAT_NEW;
- group = V4_PART_OF_V6(ilg->ilg_v6group);
- ilg_delete(connp, &connp->conn_ilg[i], NULL);
- mutex_exit(&connp->conn_lock);
+ ilg->ilg_ill = ill;
+ ASSERT(ilg->ilg_ilm == NULL);
+ rw_exit(&connp->conn_ilg_lock);
- (void) ip_delmulti(group, ipif, B_FALSE, B_TRUE);
- mutex_enter(&connp->conn_lock);
- }
+ ilm = ip_addmulti_serial(&v6group, ill, connp->conn_zoneid, ilgstat,
+ new_fmode, new_filter, &error);
+ l_free(new_filter);
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
/*
- * If we are the last walker, need to physically delete the
- * ilgs and repack.
+ * Must look up the ilg again since we've not been holding
+ * conn_ilg_lock. The ilg could have disappeared due to an unplumb
+ * having called conn_update_ill, which can run once we dropped the
+ * conn_ilg_lock above.
*/
- ILG_WALKER_RELE(connp);
-
- if (connp->conn_multicast_ipif == ipif) {
- /* Revert to late binding */
- connp->conn_multicast_ipif = NULL;
+ ilg = ilg_lookup(connp, &v6group, ifaddr, ifindex);
+ if (ilg == NULL) {
+ if (ilm != NULL) {
+ rw_exit(&connp->conn_ilg_lock);
+ (void) ip_delmulti_serial(ilm, B_FALSE,
+ (ilgstat == ILGSTAT_NEW));
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ }
+ return;
}
- mutex_exit(&connp->conn_lock);
-
- conn_delete_ire(connp, (caddr_t)ipif);
+ if (ilm == NULL) {
+ ilg->ilg_ill = NULL;
+ return;
+ }
+ ASSERT(ilg->ilg_ilm == NULL);
+ ilg->ilg_ilm = ilm;
+ ilm->ilm_ifaddr = ifaddr; /* For netstat */
}
/*
- * Called from ill close by ipcl_walk for clearing conn_ilg and
- * conn_multicast_ill for a given ill. conn is held by caller.
+ * Called when an ill is unplumbed to make sure that there are no
+ * dangling conn references to that ill. In that case ill is non-NULL and
+ * we make sure we remove all references to it.
+ * Also called when we should revisit the ilg_ill used for multicast
+ * memberships, in which case ill is NULL.
+ *
+ * conn is held by caller.
+ *
* Note that ipcl_walk only walks conns that are not yet condemned.
* condemned conns can't be refheld. For this reason, conn must become clean
- * first, i.e. it must not refer to any ill/ire/ipif and then only set
+ * first, i.e. it must not refer to any ill/ire and then only set
* condemned flag.
+ *
+ * We leave ixa_multicast_ifindex in place. We prefer dropping
+ * packets instead of sending them out the wrong interface.
+ *
+ * We keep the ilg around in a detached state (with ilg_ill and ilg_ilm being
+ * NULL) so that the application can leave it later. Also, if ilg_ifaddr and
+ * ilg_ifindex are zero, indicating that the system should pick the interface,
+ * then we attempt to reselect the ill and join on it.
+ *
+ * Locking notes:
+ * Under conn_ilg_lock we get the first ilg. As we drop the conn_ilg_lock to
+ * proceed with the ilm part of the delete we hold a reference on both the ill
+ * and the ilg. This doesn't prevent changes to the ilg, but prevents it from
+ * being deleted.
+ *
+ * Note: if this function is called when new ill/ipif's arrive or change status
+ * (SIOCSLIFINDEX, SIOCSLIFADDR) then we will attempt to attach any ilgs with
+ * a NULL ilg_ill to an ill/ilm.
*/
static void
-conn_delete_ill(conn_t *connp, caddr_t arg)
+conn_update_ill(conn_t *connp, caddr_t arg)
{
ill_t *ill = (ill_t *)arg;
- int i;
- char group_buf[INET6_ADDRSTRLEN];
- in6_addr_t v6group;
- ilg_t *ilg;
/*
- * Even though conn_ilg_inuse can change while we are in this loop,
- * no new ilgs can be created/deleted for this connp, on this
- * ill, since this ill is the perimeter. So we won't miss any ilg
- * in this cleanup.
+ * We have to prevent ip_close/ilg_delete_all from running at
+ * the same time. ip_close sets CONN_CLOSING before doing the ilg_delete
+ * all, and we set CONN_UPDATE_ILL. That ensures that only one of
+ * ilg_delete_all and conn_update_ill run at a time for a given conn.
+ * If ilg_delete_all got here first, then we have nothing to do.
*/
mutex_enter(&connp->conn_lock);
+ if (connp->conn_state_flags & (CONN_CLOSING|CONN_UPDATE_ILL)) {
+ /* Caller has to wait for ill_ilm_cnt to drop to zero */
+ mutex_exit(&connp->conn_lock);
+ return;
+ }
+ connp->conn_state_flags |= CONN_UPDATE_ILL;
+ mutex_exit(&connp->conn_lock);
- /*
- * Increment the walker count, so that ilg repacking does not
- * occur while we are in the loop.
- */
- ILG_WALKER_HOLD(connp);
- for (i = connp->conn_ilg_inuse - 1; i >= 0; i--) {
- ilg = &connp->conn_ilg[i];
- if ((ilg->ilg_ill == ill) && !(ilg->ilg_flags & ILG_DELETED)) {
- /*
- * ip_close cannot be cleaning this ilg at the same
- * time, since it also has to execute in this ill's
- * perimeter which we are now holding. Only a clean
- * conn can be condemned.
- */
- ASSERT(!(connp->conn_state_flags & CONN_CONDEMNED));
-
- /* Blow away the membership */
- ip1dbg(("conn_delete_ilg_ill: %s on %s\n",
- inet_ntop(AF_INET6, &ilg->ilg_v6group,
- group_buf, sizeof (group_buf)),
- ill->ill_name));
+ if (ill != NULL)
+ ilg_check_detach(connp, ill);
- v6group = ilg->ilg_v6group;
- ilg_delete(connp, ilg, NULL);
- mutex_exit(&connp->conn_lock);
+ ilg_check_reattach(connp);
- (void) ip_delmulti_v6(&v6group, ill,
- connp->conn_zoneid, B_FALSE, B_TRUE);
- mutex_enter(&connp->conn_lock);
- }
- }
- /*
- * If we are the last walker, need to physically delete the
- * ilgs and repack.
- */
- ILG_WALKER_RELE(connp);
-
- if (connp->conn_multicast_ill == ill) {
- /* Revert to late binding */
- connp->conn_multicast_ill = NULL;
- }
+ /* Do we need to wake up a thread in ilg_delete_all? */
+ mutex_enter(&connp->conn_lock);
+ connp->conn_state_flags &= ~CONN_UPDATE_ILL;
+ if (connp->conn_state_flags & CONN_CLOSING)
+ cv_broadcast(&connp->conn_cv);
mutex_exit(&connp->conn_lock);
}
-/*
- * Called when an ipif is unplumbed to make sure that there are no
- * dangling conn references to that ipif.
- * Handles ilg_ipif and conn_multicast_ipif
- */
-void
-reset_conn_ipif(ipif)
- ipif_t *ipif;
+/* Detach from an ill that is going away */
+static void
+ilg_check_detach(conn_t *connp, ill_t *ill)
{
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
+ char group_buf[INET6_ADDRSTRLEN];
+ ilg_t *ilg, *held_ilg;
+ ilm_t *ilm;
- ipcl_walk(conn_delete_ipif, (caddr_t)ipif, ipst);
-}
+ mutex_enter(&ill->ill_mcast_serializer);
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ held_ilg = NULL;
+ for (ilg = connp->conn_ilg; ilg != NULL; ilg = ilg->ilg_next) {
+ if (ilg->ilg_condemned)
+ continue;
-/*
- * Called when an ill is unplumbed to make sure that there are no
- * dangling conn references to that ill.
- * Handles ilg_ill, conn_multicast_ill.
- */
-void
-reset_conn_ill(ill_t *ill)
-{
- ip_stack_t *ipst = ill->ill_ipst;
+ if (ilg->ilg_ill != ill)
+ continue;
+
+ /* Detach from current ill */
+ ip1dbg(("ilg_check_detach: detach %s on %s\n",
+ inet_ntop(AF_INET6, &ilg->ilg_v6group,
+ group_buf, sizeof (group_buf)),
+ ilg->ilg_ill->ill_name));
+
+ /* Detach this ilg from the ill/ilm */
+ ilm = ilg->ilg_ilm;
+ ilg->ilg_ilm = NULL;
+ ilg->ilg_ill = NULL;
+ if (ilm == NULL)
+ continue;
- ipcl_walk(conn_delete_ill, (caddr_t)ill, ipst);
+ /* Prevent ilg from disappearing */
+ ilg_transfer_hold(held_ilg, ilg);
+ held_ilg = ilg;
+ rw_exit(&connp->conn_ilg_lock);
+
+ (void) ip_delmulti_serial(ilm, B_FALSE, B_TRUE);
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ }
+ if (held_ilg != NULL)
+ ilg_refrele(held_ilg);
+ rw_exit(&connp->conn_ilg_lock);
+ mutex_exit(&ill->ill_mcast_serializer);
}
-#ifdef DEBUG
/*
- * Walk functions walk all the interfaces in the system to make
- * sure that there is no refernece to the ipif or ill that is
- * going away.
+ * Check if there is a place to attach the conn_ilgs. We do this for both
+ * detached ilgs and attached ones, since for the latter there could be
+ * a better ill to attach them to.
*/
-int
-ilm_walk_ill(ill_t *ill)
+static void
+ilg_check_reattach(conn_t *connp)
{
- int cnt = 0;
- ill_t *till;
- ilm_t *ilm;
- ill_walk_context_t ctx;
- ip_stack_t *ipst = ill->ill_ipst;
-
- rw_enter(&ipst->ips_ill_g_lock, RW_READER);
- till = ILL_START_WALK_ALL(&ctx, ipst);
- for (; till != NULL; till = ill_next(&ctx, till)) {
- mutex_enter(&till->ill_lock);
- for (ilm = till->ill_ilm; ilm != NULL; ilm = ilm->ilm_next) {
- if (ilm->ilm_ill == ill) {
- cnt++;
+ ill_t *ill;
+ char group_buf[INET6_ADDRSTRLEN];
+ ilg_t *ilg, *held_ilg;
+ ilm_t *ilm;
+ zoneid_t zoneid = IPCL_ZONEID(connp);
+ int error;
+ ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ held_ilg = NULL;
+ for (ilg = connp->conn_ilg; ilg != NULL; ilg = ilg->ilg_next) {
+ if (ilg->ilg_condemned)
+ continue;
+
+ /* Check if the conn_ill matches what we would pick now */
+ ill = ill_mcast_lookup(&ilg->ilg_v6group, ilg->ilg_ifaddr,
+ ilg->ilg_ifindex, zoneid, ipst, &error);
+
+ /*
+ * Make sure the ill is usable for multicast and that
+ * we can send the DL_ADDMULTI_REQ before we create an
+ * ilm.
+ */
+ if (ill != NULL &&
+ (!(ill->ill_flags & ILLF_MULTICAST) || !ill->ill_dl_up)) {
+ /* Drop locks across ill_refrele */
+ ilg_transfer_hold(held_ilg, ilg);
+ held_ilg = ilg;
+ rw_exit(&connp->conn_ilg_lock);
+ ill_refrele(ill);
+ ill = NULL;
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ /* Note that ilg could have become condemned */
+ }
+
+ /* Is the ill unchanged, even if both are NULL? */
+ if (ill == ilg->ilg_ill) {
+ if (ill != NULL) {
+ /* Drop locks across ill_refrele */
+ ilg_transfer_hold(held_ilg, ilg);
+ held_ilg = ilg;
+ rw_exit(&connp->conn_ilg_lock);
+ ill_refrele(ill);
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
}
+ continue;
}
- mutex_exit(&till->ill_lock);
- }
- rw_exit(&ipst->ips_ill_g_lock);
- return (cnt);
+ /* Something changed; detach from old first if needed */
+ if (ilg->ilg_ill != NULL) {
+ ill_t *ill2 = ilg->ilg_ill;
+ boolean_t need_refrele = B_FALSE;
+
+ /*
+ * In order to serialize on the ill we try to enter
+ * and if that fails we unlock and relock.
+ */
+ if (!mutex_tryenter(&ill2->ill_mcast_serializer)) {
+ ill_refhold(ill2);
+ need_refrele = B_TRUE;
+ ilg_transfer_hold(held_ilg, ilg);
+ held_ilg = ilg;
+ rw_exit(&connp->conn_ilg_lock);
+ mutex_enter(&ill2->ill_mcast_serializer);
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ /* Note that ilg could have become condemned */
+ }
+ /*
+ * Check that nobody else re-attached the ilg while we
+ * dropped the lock.
+ */
+ if (ilg->ilg_ill == ill2) {
+ ASSERT(!ilg->ilg_condemned);
+ /* Detach from current ill */
+ ip1dbg(("conn_check_reattach: detach %s/%s\n",
+ inet_ntop(AF_INET6, &ilg->ilg_v6group,
+ group_buf, sizeof (group_buf)),
+ ill2->ill_name));
+
+ ilm = ilg->ilg_ilm;
+ ilg->ilg_ilm = NULL;
+ ilg->ilg_ill = NULL;
+ } else {
+ ilm = NULL;
+ }
+ rw_exit(&connp->conn_ilg_lock);
+ if (ilm != NULL)
+ (void) ip_delmulti_serial(ilm, B_FALSE, B_TRUE);
+ mutex_exit(&ill2->ill_mcast_serializer);
+ if (need_refrele) {
+ /* Drop ill reference while we hold no locks */
+ ill_refrele(ill2);
+ }
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ /*
+ * While we dropped conn_ilg_lock some other thread
+ * could have attached this ilg, thus we check again.
+ */
+ if (ilg->ilg_ill != NULL) {
+ if (ill != NULL) {
+ /* Drop locks across ill_refrele */
+ ilg_transfer_hold(held_ilg, ilg);
+ held_ilg = ilg;
+ rw_exit(&connp->conn_ilg_lock);
+ ill_refrele(ill);
+ rw_enter(&connp->conn_ilg_lock,
+ RW_WRITER);
+ }
+ continue;
+ }
+ }
+ if (ill != NULL) {
+ /*
+ * In order to serialize on the ill we try to enter
+ * and if that fails we unlock and relock.
+ */
+ if (!mutex_tryenter(&ill->ill_mcast_serializer)) {
+ /* Already have a refhold on ill */
+ ilg_transfer_hold(held_ilg, ilg);
+ held_ilg = ilg;
+ rw_exit(&connp->conn_ilg_lock);
+ mutex_enter(&ill->ill_mcast_serializer);
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ /* Note that ilg could have become condemned */
+ }
+
+ /*
+ * Check that nobody else attached the ilg and that
+ * it wasn't condemned while we dropped the lock.
+ */
+ if (ilg->ilg_ill == NULL && !ilg->ilg_condemned) {
+ /*
+ * Attach to the new ill. Can fail in which
+ * case ilg_ill will remain NULL. ilg_attach
+ * drops and reacquires conn_ilg_lock.
+ */
+ ip1dbg(("conn_check_reattach: attach %s/%s\n",
+ inet_ntop(AF_INET6, &ilg->ilg_v6group,
+ group_buf, sizeof (group_buf)),
+ ill->ill_name));
+ ilg_attach(connp, ilg, ill);
+ ASSERT(RW_WRITE_HELD(&connp->conn_ilg_lock));
+ }
+ mutex_exit(&ill->ill_mcast_serializer);
+ /* Drop locks across ill_refrele */
+ ilg_transfer_hold(held_ilg, ilg);
+ held_ilg = ilg;
+ rw_exit(&connp->conn_ilg_lock);
+ ill_refrele(ill);
+ rw_enter(&connp->conn_ilg_lock, RW_WRITER);
+ }
+ }
+ if (held_ilg != NULL)
+ ilg_refrele(held_ilg);
+ rw_exit(&connp->conn_ilg_lock);
}
/*
- * This function is called before the ipif is freed.
+ * Called when an ill is unplumbed to make sure that there are no
+ * dangling conn references to that ill. In that case ill is non-NULL and
+ * we make sure we remove all references to it.
+ * Also called when we should revisit the ilg_ill used for multicast
+ * memberships, in which case ill is NULL.
*/
-int
-ilm_walk_ipif(ipif_t *ipif)
+void
+update_conn_ill(ill_t *ill, ip_stack_t *ipst)
{
- int cnt = 0;
- ill_t *till;
- ilm_t *ilm;
- ill_walk_context_t ctx;
- ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
-
- till = ILL_START_WALK_ALL(&ctx, ipst);
- for (; till != NULL; till = ill_next(&ctx, till)) {
- mutex_enter(&till->ill_lock);
- for (ilm = till->ill_ilm; ilm != NULL; ilm = ilm->ilm_next) {
- if (ilm->ilm_ipif == ipif) {
- cnt++;
- }
- }
- mutex_exit(&till->ill_lock);
- }
- return (cnt);
+ ipcl_walk(conn_update_ill, (caddr_t)ill, ipst);
}
-#endif
diff --git a/usr/src/uts/common/inet/ip/ip_ndp.c b/usr/src/uts/common/inet/ip/ip_ndp.c
index 35f9d541e8..97096bea99 100644
--- a/usr/src/uts/common/inet/ip/ip_ndp.c
+++ b/usr/src/uts/common/inet/ip/ip_ndp.c
@@ -40,6 +40,7 @@
#include <sys/zone.h>
#include <sys/ethernet.h>
#include <sys/sdt.h>
+#include <sys/mac.h>
#include <net/if.h>
#include <net/if_types.h>
@@ -61,53 +62,93 @@
#include <inet/ip_rts.h>
#include <inet/ip6.h>
#include <inet/ip_ndp.h>
-#include <inet/ipsec_impl.h>
-#include <inet/ipsec_info.h>
#include <inet/sctp_ip.h>
+#include <inet/ip_arp.h>
#include <inet/ip2mac_impl.h>
+#define ANNOUNCE_INTERVAL(isv6) \
+ (isv6 ? ipst->ips_ip_ndp_unsolicit_interval : \
+ ipst->ips_ip_arp_publish_interval)
+
+#define DEFENSE_INTERVAL(isv6) \
+ (isv6 ? ipst->ips_ndp_defend_interval : \
+ ipst->ips_arp_defend_interval)
+
+/* Non-tunable probe interval, based on link capabilities */
+#define ILL_PROBE_INTERVAL(ill) ((ill)->ill_note_link ? 150 : 1500)
+
+/*
+ * The IPv4 Link Local address space is special; we do extra duplicate checking
+ * there, as the entire assignment mechanism rests on random numbers.
+ */
+#define IS_IPV4_LL_SPACE(ptr) (((uchar_t *)ptr)[0] == 169 && \
+ ((uchar_t *)ptr)[1] == 254)
+
+/*
+ * NCE_EXTERNAL_FLAGS_MASK defines the set of ncec_flags that may be passed
+ * in to the ncec*add* functions.
+ *
+ * NCE_F_AUTHORITY means that we ignore any incoming adverts for that
+ * mapping (though DAD is performed for the mapping). NCE_F_PUBLISH means
+ * that we will respond to requests for the protocol address.
+ */
+#define NCE_EXTERNAL_FLAGS_MASK \
+ (NCE_F_MYADDR | NCE_F_ISROUTER | NCE_F_NONUD | \
+ NCE_F_ANYCAST | NCE_F_UNSOL_ADV | NCE_F_BCAST | NCE_F_MCAST | \
+ NCE_F_AUTHORITY | NCE_F_PUBLISH | NCE_F_STATIC)
+
/*
* Function names with nce_ prefix are static while function
* names with ndp_ prefix are used by rest of the IP.
*
* Lock ordering:
*
- * ndp_g_lock -> ill_lock -> nce_lock
+ * ndp_g_lock -> ill_lock -> ncec_lock
*
* The ndp_g_lock protects the NCE hash (nce_hash_tbl, NCE_HASH_PTR) and
- * nce_next. Nce_lock protects the contents of the NCE (particularly
- * nce_refcnt).
- */
-
-static boolean_t nce_cmp_ll_addr(const nce_t *nce, const uchar_t *new_ll_addr,
- uint32_t ll_addr_len);
-static void nce_ire_delete(nce_t *nce);
-static void nce_ire_delete1(ire_t *ire, char *nce_arg);
-static void nce_set_ll(nce_t *nce, uchar_t *ll_addr);
-static nce_t *nce_lookup_addr(ill_t *, boolean_t, const in6_addr_t *,
- nce_t *);
-static nce_t *nce_lookup_mapping(ill_t *, const in6_addr_t *);
-static void nce_make_mapping(nce_t *nce, uchar_t *addrpos,
- uchar_t *addr);
-static int nce_set_multicast(ill_t *ill, const in6_addr_t *addr);
-static void nce_queue_mp(nce_t *nce, mblk_t *mp);
-static mblk_t *nce_udreq_alloc(ill_t *ill);
-static void nce_update(nce_t *nce, uint16_t new_state,
- uchar_t *new_ll_addr);
-static uint32_t nce_solicit(nce_t *nce, in6_addr_t src);
-static boolean_t nce_xmit(ill_t *ill, uint8_t type,
- boolean_t use_lla_addr, const in6_addr_t *sender,
+ * ncec_next. ncec_lock protects the contents of the NCE (particularly
+ * ncec_refcnt).
+ */
+
+static void nce_cleanup_list(ncec_t *ncec);
+static void nce_set_ll(ncec_t *ncec, uchar_t *ll_addr);
+static ncec_t *ncec_lookup_illgrp(ill_t *, const in6_addr_t *,
+ ncec_t *);
+static nce_t *nce_lookup_addr(ill_t *, const in6_addr_t *);
+static int nce_set_multicast_v6(ill_t *ill, const in6_addr_t *addr,
+ uint16_t ncec_flags, nce_t **newnce);
+static int nce_set_multicast_v4(ill_t *ill, const in_addr_t *dst,
+ uint16_t ncec_flags, nce_t **newnce);
+static boolean_t ndp_xmit(ill_t *ill, uint32_t operation,
+ uint8_t *hwaddr, uint_t hwaddr_len, const in6_addr_t *sender,
const in6_addr_t *target, int flag);
-static boolean_t nce_xmit_advert(nce_t *nce, boolean_t use_nd_lla,
- const in6_addr_t *target, uint_t flags);
-static boolean_t nce_xmit_solicit(nce_t *nce, boolean_t use_nd_lla,
- const in6_addr_t *src, uint_t flags);
-static int ndp_add_v4(ill_t *, const in_addr_t *, uint16_t,
- nce_t **, nce_t *);
-static ipif_t *ip_ndp_lookup_addr_v6(const in6_addr_t *v6addrp, ill_t *ill);
+static void ncec_refhold_locked(ncec_t *);
+static boolean_t ill_defend_rate_limit(ill_t *, ncec_t *);
+static void nce_queue_mp_common(ncec_t *, mblk_t *, boolean_t);
+static int nce_add_common(ill_t *, uchar_t *, uint_t, const in6_addr_t *,
+ uint16_t, uint16_t, nce_t **);
+static nce_t *nce_add_impl(ill_t *, ncec_t *, nce_t *, mblk_t *);
+static nce_t *nce_add(ill_t *, ncec_t *);
+static void nce_inactive(nce_t *);
+extern nce_t *nce_lookup(ill_t *, const in6_addr_t *);
+static nce_t *nce_ill_lookup_then_add(ill_t *, ncec_t *);
+static int nce_add_v6(ill_t *, uchar_t *, uint_t, const in6_addr_t *,
+ uint16_t, uint16_t, nce_t **);
+static int nce_add_v4(ill_t *, uchar_t *, uint_t, const in_addr_t *,
+ uint16_t, uint16_t, nce_t **);
+static int nce_add_v6_postprocess(nce_t *);
+static int nce_add_v4_postprocess(nce_t *);
+static ill_t *nce_resolve_src(ncec_t *, in6_addr_t *);
+static clock_t nce_fuzz_interval(clock_t, boolean_t);
+static void nce_resolv_ipmp_ok(ncec_t *);
+static void nce_walk_common(ill_t *, pfi_t, void *);
+static void nce_start_timer(ncec_t *, uint_t);
+static nce_t *nce_fastpath_create(ill_t *, ncec_t *);
+static void nce_fastpath_trigger(nce_t *);
+static nce_t *nce_fastpath(ncec_t *, boolean_t, nce_t *);
#ifdef DEBUG
-static void nce_trace_cleanup(const nce_t *);
+static void ncec_trace_cleanup(const ncec_t *);
#endif
#define NCE_HASH_PTR_V4(ipst, addr) \
@@ -117,233 +158,245 @@ static void nce_trace_cleanup(const nce_t *);
(&((ipst)->ips_ndp6->nce_hash_tbl[NCE_ADDR_HASH_V6(addr, \
NCE_TABLE_SIZE)]))
-/* Non-tunable probe interval, based on link capabilities */
-#define ILL_PROBE_INTERVAL(ill) ((ill)->ill_note_link ? 150 : 1500)
+extern kmem_cache_t *ncec_cache;
+extern kmem_cache_t *nce_cache;
+
+/*
+ * Send out a IPv6 (unicast) or IPv4 (broadcast) DAD probe
+ * If src_ill is not null, the ncec_addr is bound to src_ill. The
+ * src_ill is ignored by nce_dad for IPv4 Neighbor Cache entries where
+ * the probe is sent on the ncec_ill (in the non-IPMP case) or the
+ * IPMP cast_ill (in the IPMP case).
+ *
+ * Note that the probe interval is based on ncec->ncec_ill which
+ * may be the ipmp_ill.
+ */
+static void
+nce_dad(ncec_t *ncec, ill_t *src_ill, boolean_t send_probe)
+{
+ boolean_t dropped;
+ uint32_t probe_interval;
+
+ ASSERT(!(ncec->ncec_flags & NCE_F_MCAST));
+ ASSERT(!(ncec->ncec_flags & NCE_F_BCAST));
+ if (ncec->ncec_ipversion == IPV6_VERSION) {
+ dropped = ndp_xmit(src_ill, ND_NEIGHBOR_SOLICIT,
+ ncec->ncec_lladdr, ncec->ncec_lladdr_length,
+ &ipv6_all_zeros, &ncec->ncec_addr, NDP_PROBE);
+ probe_interval = ILL_PROBE_INTERVAL(ncec->ncec_ill);
+ } else {
+ /* IPv4 DAD delay the initial probe. */
+ if (send_probe)
+ dropped = arp_probe(ncec);
+ else
+ dropped = B_TRUE;
+ probe_interval = nce_fuzz_interval(ncec->ncec_xmit_interval,
+ !send_probe);
+ }
+ if (!dropped) {
+ mutex_enter(&ncec->ncec_lock);
+ ncec->ncec_pcnt--;
+ mutex_exit(&ncec->ncec_lock);
+ }
+ nce_restart_timer(ncec, probe_interval);
+}
+
+/*
+ * Compute default flags to use for an advertisement of this ncec's address.
+ */
+static int
+nce_advert_flags(const ncec_t *ncec)
+{
+ int flag = 0;
+
+ if (ncec->ncec_flags & NCE_F_ISROUTER)
+ flag |= NDP_ISROUTER;
+ if (!(ncec->ncec_flags & NCE_F_ANYCAST))
+ flag |= NDP_ORIDE;
+
+ return (flag);
+}
/*
* NDP Cache Entry creation routine.
* Mapped entries will never do NUD .
* This routine must always be called with ndp6->ndp_g_lock held.
- * Prior to return, nce_refcnt is incremented.
*/
int
-ndp_add_v6(ill_t *ill, uchar_t *hw_addr, const in6_addr_t *addr,
- const in6_addr_t *mask, const in6_addr_t *extract_mask,
- uint32_t hw_extract_start, uint16_t flags, uint16_t state,
- nce_t **newnce)
+nce_add_v6(ill_t *ill, uchar_t *hw_addr, uint_t hw_addr_len,
+ const in6_addr_t *addr, uint16_t flags, uint16_t state, nce_t **newnce)
{
- static nce_t nce_nil;
- nce_t *nce;
- mblk_t *mp;
- mblk_t *template;
- nce_t **ncep;
int err;
- boolean_t dropped = B_FALSE;
- ip_stack_t *ipst = ill->ill_ipst;
+ nce_t *nce;
- ASSERT(MUTEX_HELD(&ipst->ips_ndp6->ndp_g_lock));
+ ASSERT(MUTEX_HELD(&ill->ill_ipst->ips_ndp6->ndp_g_lock));
ASSERT(ill != NULL && ill->ill_isv6);
- if (IN6_IS_ADDR_UNSPECIFIED(addr)) {
- ip0dbg(("ndp_add_v6: no addr\n"));
- return (EINVAL);
- }
- if ((flags & ~NCE_EXTERNAL_FLAGS_MASK)) {
- ip0dbg(("ndp_add_v6: flags = %x\n", (int)flags));
- return (EINVAL);
- }
- if (IN6_IS_ADDR_UNSPECIFIED(extract_mask) &&
- (flags & NCE_F_MAPPING)) {
- ip0dbg(("ndp_add_v6: extract mask zero for mapping"));
- return (EINVAL);
- }
- /*
- * Allocate the mblk to hold the nce.
- *
- * XXX This can come out of a separate cache - nce_cache.
- * We don't need the mp anymore as there are no more
- * "qwriter"s
- */
- mp = allocb(sizeof (nce_t), BPRI_MED);
- if (mp == NULL)
- return (ENOMEM);
- nce = (nce_t *)mp->b_rptr;
- mp->b_wptr = (uchar_t *)&nce[1];
- *nce = nce_nil;
-
- /*
- * This one holds link layer address
- */
- if (ill->ill_net_type == IRE_IF_RESOLVER) {
- template = nce_udreq_alloc(ill);
- } else {
- if (ill->ill_phys_addr_length == IPV6_ADDR_LEN &&
- ill->ill_mactype != DL_IPV6) {
- /*
- * We create a nce_res_mp with the IP nexthop address
- * as the destination address if the physical length
- * is exactly 16 bytes for point-to-multipoint links
- * that do their own resolution from IP to link-layer
- * address.
- */
- template = ill_dlur_gen((uchar_t *)addr,
- ill->ill_phys_addr_length, ill->ill_sap,
- ill->ill_sap_length);
- } else {
- if (ill->ill_resolver_mp == NULL) {
- freeb(mp);
- return (EINVAL);
- }
- ASSERT((ill->ill_net_type == IRE_IF_NORESOLVER));
- template = copyb(ill->ill_resolver_mp);
- }
- }
- if (template == NULL) {
- freeb(mp);
- return (ENOMEM);
- }
- nce->nce_ill = ill;
- nce->nce_ipversion = IPV6_VERSION;
- nce->nce_flags = flags;
- nce->nce_state = state;
- nce->nce_pcnt = ND_MAX_UNICAST_SOLICIT;
- nce->nce_rcnt = ill->ill_xmit_count;
- nce->nce_addr = *addr;
- nce->nce_mask = *mask;
- nce->nce_extract_mask = *extract_mask;
- nce->nce_ll_extract_start = hw_extract_start;
- nce->nce_fp_mp = NULL;
- nce->nce_res_mp = template;
- if (state == ND_REACHABLE)
- nce->nce_last = TICK_TO_MSEC(lbolt64);
- else
- nce->nce_last = 0;
- nce->nce_qd_mp = NULL;
- nce->nce_mp = mp;
- if (hw_addr != NULL)
- nce_set_ll(nce, hw_addr);
- /* This one is for nce getting created */
- nce->nce_refcnt = 1;
- mutex_init(&nce->nce_lock, NULL, MUTEX_DEFAULT, NULL);
- if (nce->nce_flags & NCE_F_MAPPING) {
- ASSERT(IN6_IS_ADDR_MULTICAST(addr));
- ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&nce->nce_mask));
- ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&nce->nce_extract_mask));
- ncep = &ipst->ips_ndp6->nce_mask_entries;
- } else {
- ncep = ((nce_t **)NCE_HASH_PTR_V6(ipst, *addr));
- }
+ err = nce_add_common(ill, hw_addr, hw_addr_len, addr, flags, state,
+ &nce);
+ if (err != 0)
+ return (err);
+ ASSERT(newnce != NULL);
+ *newnce = nce;
+ return (err);
+}
- nce->nce_trace_disable = B_FALSE;
+/*
+ * Post-processing routine to be executed after nce_add_v6(). This function
+ * triggers fastpath (if appropriate) and DAD on the newly added nce entry
+ * and must be called without any locks held.
+ */
+int
+nce_add_v6_postprocess(nce_t *nce)
+{
+ ncec_t *ncec = nce->nce_common;
+ boolean_t dropped = B_FALSE;
+ uchar_t *hw_addr = ncec->ncec_lladdr;
+ uint_t hw_addr_len = ncec->ncec_lladdr_length;
+ ill_t *ill = ncec->ncec_ill;
+ int err = 0;
+ uint16_t flags = ncec->ncec_flags;
+ ip_stack_t *ipst = ill->ill_ipst;
+ boolean_t trigger_fastpath = B_TRUE;
- list_create(&nce->nce_cb, sizeof (nce_cb_t),
- offsetof(nce_cb_t, nce_cb_node));
/*
- * Atomically ensure that the ill is not CONDEMNED, before
- * adding the NCE.
+ * If the hw_addr is NULL, typically for ND_INCOMPLETE nces, then
+ * we call nce_fastpath as soon as the ncec is resolved in nce_process.
+ * We call nce_fastpath from nce_update if the link layer address of
+ * the peer changes from nce_update
*/
- mutex_enter(&ill->ill_lock);
- if (ill->ill_state_flags & ILL_CONDEMNED) {
- mutex_exit(&ill->ill_lock);
- freeb(mp);
- freeb(template);
- return (EINVAL);
- }
- if ((nce->nce_next = *ncep) != NULL)
- nce->nce_next->nce_ptpn = &nce->nce_next;
- *ncep = nce;
- nce->nce_ptpn = ncep;
- *newnce = nce;
- /* This one is for nce being used by an active thread */
- NCE_REFHOLD(*newnce);
-
- /* Bump up the number of nce's referencing this ill */
- DTRACE_PROBE3(ill__incr__cnt, (ill_t *), ill,
- (char *), "nce", (void *), nce);
- ill->ill_nce_cnt++;
- mutex_exit(&ill->ill_lock);
-
- err = 0;
- if ((flags & NCE_F_PERMANENT) && state == ND_PROBE) {
- mutex_enter(&nce->nce_lock);
- mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
- nce->nce_pcnt = ND_MAX_UNICAST_SOLICIT;
- mutex_exit(&nce->nce_lock);
- dropped = nce_xmit_solicit(nce, B_FALSE, NULL, NDP_PROBE);
- if (dropped) {
- mutex_enter(&nce->nce_lock);
- nce->nce_pcnt++;
- mutex_exit(&nce->nce_lock);
+ if (NCE_PUBLISH(ncec) || !NCE_ISREACHABLE(ncec) ||
+ (hw_addr == NULL && ill->ill_net_type != IRE_IF_NORESOLVER))
+ trigger_fastpath = B_FALSE;
+
+ if (trigger_fastpath)
+ nce_fastpath_trigger(nce);
+ if (NCE_PUBLISH(ncec) && ncec->ncec_state == ND_PROBE) {
+ ill_t *hwaddr_ill;
+ /*
+ * Unicast entry that needs DAD.
+ */
+ if (IS_IPMP(ill)) {
+ hwaddr_ill = ipmp_illgrp_find_ill(ill->ill_grp,
+ hw_addr, hw_addr_len);
+ } else {
+ hwaddr_ill = ill;
}
- NDP_RESTART_TIMER(nce, ILL_PROBE_INTERVAL(ill));
- mutex_enter(&ipst->ips_ndp6->ndp_g_lock);
+ nce_dad(ncec, hwaddr_ill, B_TRUE);
err = EINPROGRESS;
} else if (flags & NCE_F_UNSOL_ADV) {
/*
* We account for the transmit below by assigning one
* less than the ndd variable. Subsequent decrements
- * are done in ndp_timer.
+ * are done in nce_timer.
*/
- mutex_enter(&nce->nce_lock);
- mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
- nce->nce_unsolicit_count = ipst->ips_ip_ndp_unsolicit_count - 1;
- mutex_exit(&nce->nce_lock);
- dropped = nce_xmit_advert(nce, B_TRUE, &ipv6_all_hosts_mcast,
- 0);
- mutex_enter(&nce->nce_lock);
+ mutex_enter(&ncec->ncec_lock);
+ ncec->ncec_unsolicit_count =
+ ipst->ips_ip_ndp_unsolicit_count - 1;
+ mutex_exit(&ncec->ncec_lock);
+ dropped = ndp_xmit(ill,
+ ND_NEIGHBOR_ADVERT,
+ hw_addr,
+ hw_addr_len,
+ &ncec->ncec_addr, /* Source and target of the adv */
+ &ipv6_all_hosts_mcast, /* Destination of the packet */
+ nce_advert_flags(ncec));
+ mutex_enter(&ncec->ncec_lock);
if (dropped)
- nce->nce_unsolicit_count++;
- if (nce->nce_unsolicit_count != 0) {
- ASSERT(nce->nce_timeout_id == 0);
- nce->nce_timeout_id = timeout(ndp_timer, nce,
- MSEC_TO_TICK(ipst->ips_ip_ndp_unsolicit_interval));
+ ncec->ncec_unsolicit_count++;
+ else
+ ncec->ncec_last_time_defended = ddi_get_lbolt();
+ if (ncec->ncec_unsolicit_count != 0) {
+ nce_start_timer(ncec,
+ ipst->ips_ip_ndp_unsolicit_interval);
}
- mutex_exit(&nce->nce_lock);
- mutex_enter(&ipst->ips_ndp6->ndp_g_lock);
+ mutex_exit(&ncec->ncec_lock);
}
-
- /*
- * If the hw_addr is NULL, typically for ND_INCOMPLETE nces, then
- * we call nce_fastpath as soon as the nce is resolved in ndp_process.
- * We call nce_fastpath from nce_update if the link layer address of
- * the peer changes from nce_update
- */
- if (hw_addr != NULL || ill->ill_net_type == IRE_IF_NORESOLVER)
- nce_fastpath(nce);
return (err);
}
+/*
+ * Atomically lookup and add (if needed) Neighbor Cache information for
+ * an address.
+ *
+ * IPMP notes: the ncec for non-local (i.e., !NCE_MYADDR(ncec) addresses
+ * are always added pointing at the ipmp_ill. Thus, when the ill passed
+ * to nce_add_v6 is an under_ill (i.e., IS_UNDER_IPMP(ill)) two nce_t
+ * entries will be created, both pointing at the same ncec_t. The nce_t
+ * entries will have their nce_ill set to the ipmp_ill and the under_ill
+ * respectively, with the ncec_t having its ncec_ill pointing at the ipmp_ill.
+ * Local addresses are always created on the ill passed to nce_add_v6.
+ */
int
-ndp_lookup_then_add_v6(ill_t *ill, boolean_t match_illgrp, uchar_t *hw_addr,
- const in6_addr_t *addr, const in6_addr_t *mask,
- const in6_addr_t *extract_mask, uint32_t hw_extract_start, uint16_t flags,
- uint16_t state, nce_t **newnce)
+nce_lookup_then_add_v6(ill_t *ill, uchar_t *hw_addr, uint_t hw_addr_len,
+ const in6_addr_t *addr, uint16_t flags, uint16_t state, nce_t **newnce)
{
- int err = 0;
- nce_t *nce;
+ int err = 0;
ip_stack_t *ipst = ill->ill_ipst;
+ nce_t *nce, *upper_nce = NULL;
+ ill_t *in_ill = ill;
+ boolean_t need_ill_refrele = B_FALSE;
+ if (flags & NCE_F_MCAST) {
+ /*
+ * hw_addr will be figured out in nce_set_multicast_v6;
+ * caller has to select the cast_ill
+ */
+ ASSERT(hw_addr == NULL);
+ ASSERT(!IS_IPMP(ill));
+ err = nce_set_multicast_v6(ill, addr, flags, newnce);
+ return (err);
+ }
ASSERT(ill->ill_isv6);
- mutex_enter(&ipst->ips_ndp6->ndp_g_lock);
+ if (IS_UNDER_IPMP(ill) && !(flags & NCE_F_MYADDR)) {
+ ill = ipmp_ill_hold_ipmp_ill(ill);
+ if (ill == NULL)
+ return (ENXIO);
+ need_ill_refrele = B_TRUE;
+ }
- /* Get head of v6 hash table */
- nce = *((nce_t **)NCE_HASH_PTR_V6(ipst, *addr));
- nce = nce_lookup_addr(ill, match_illgrp, addr, nce);
+ mutex_enter(&ipst->ips_ndp6->ndp_g_lock);
+ nce = nce_lookup_addr(ill, addr);
if (nce == NULL) {
- err = ndp_add_v6(ill,
- hw_addr,
- addr,
- mask,
- extract_mask,
- hw_extract_start,
- flags,
- state,
- newnce);
+ err = nce_add_v6(ill, hw_addr, hw_addr_len, addr, flags, state,
+ &nce);
} else {
- *newnce = nce;
err = EEXIST;
}
mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
+ if (err == 0)
+ err = nce_add_v6_postprocess(nce);
+ if (in_ill != ill && nce != NULL) {
+ nce_t *under_nce;
+
+ /*
+ * in_ill was the under_ill. Try to create the under_nce.
+ * Hold the ill_g_lock to prevent changes to group membership
+ * until we are done.
+ */
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
+ if (IS_IN_SAME_ILLGRP(in_ill, ill)) {
+ under_nce = nce_fastpath_create(in_ill,
+ nce->nce_common);
+ upper_nce = nce;
+ if ((nce = under_nce) == NULL)
+ err = EINVAL;
+ }
+ rw_exit(&ipst->ips_ill_g_lock);
+ if (under_nce != NULL && NCE_ISREACHABLE(nce->nce_common))
+ nce_fastpath_trigger(under_nce);
+ }
+ if (nce != NULL) {
+ if (newnce != NULL)
+ *newnce = nce;
+ else
+ nce_refrele(nce);
+ }
+ /* nce_refrele is deferred until the lock is dropped */
+ if (upper_nce != NULL)
+ nce_refrele(upper_nce);
+ if (need_ill_refrele)
+ ill_refrele(ill);
return (err);
}
@@ -351,53 +404,51 @@ ndp_lookup_then_add_v6(ill_t *ill, boolean_t match_illgrp, uchar_t *hw_addr,
* Remove all the CONDEMNED nces from the appropriate hash table.
* We create a private list of NCEs, these may have ires pointing
* to them, so the list will be passed through to clean up dependent
- * ires and only then we can do NCE_REFRELE which can make NCE inactive.
+ * ires and only then we can do ncec_refrele() which can make NCE inactive.
*/
static void
-nce_remove(ndp_g_t *ndp, nce_t *nce, nce_t **free_nce_list)
+nce_remove(ndp_g_t *ndp, ncec_t *ncec, ncec_t **free_nce_list)
{
- nce_t *nce1;
- nce_t **ptpn;
+ ncec_t *ncec1;
+ ncec_t **ptpn;
ASSERT(MUTEX_HELD(&ndp->ndp_g_lock));
ASSERT(ndp->ndp_g_walker == 0);
- for (; nce; nce = nce1) {
- nce1 = nce->nce_next;
- mutex_enter(&nce->nce_lock);
- if (nce->nce_flags & NCE_F_CONDEMNED) {
- ptpn = nce->nce_ptpn;
- nce1 = nce->nce_next;
- if (nce1 != NULL)
- nce1->nce_ptpn = ptpn;
- *ptpn = nce1;
- nce->nce_ptpn = NULL;
- nce->nce_next = NULL;
- nce->nce_next = *free_nce_list;
- *free_nce_list = nce;
+ for (; ncec; ncec = ncec1) {
+ ncec1 = ncec->ncec_next;
+ mutex_enter(&ncec->ncec_lock);
+ if (NCE_ISCONDEMNED(ncec)) {
+ ptpn = ncec->ncec_ptpn;
+ ncec1 = ncec->ncec_next;
+ if (ncec1 != NULL)
+ ncec1->ncec_ptpn = ptpn;
+ *ptpn = ncec1;
+ ncec->ncec_ptpn = NULL;
+ ncec->ncec_next = NULL;
+ ncec->ncec_next = *free_nce_list;
+ *free_nce_list = ncec;
}
- mutex_exit(&nce->nce_lock);
+ mutex_exit(&ncec->ncec_lock);
}
}
/*
- * 1. Mark the nce CONDEMNED. This ensures that no new nce_lookup()
- * will return this NCE. Also no new IREs will be created that
- * point to this NCE (See ire_add_v6). Also no new timeouts will
- * be started (See NDP_RESTART_TIMER).
+ * 1. Mark the entry CONDEMNED. This ensures that no new nce_lookup()
+ * will return this NCE. Also no new timeouts will
+ * be started (See nce_restart_timer).
* 2. Cancel any currently running timeouts.
* 3. If there is an ndp walker, return. The walker will do the cleanup.
* This ensures that walkers see a consistent list of NCEs while walking.
* 4. Otherwise remove the NCE from the list of NCEs
- * 5. Delete all IREs pointing to this NCE.
*/
void
-ndp_delete(nce_t *nce)
+ncec_delete(ncec_t *ncec)
{
- nce_t **ptpn;
- nce_t *nce1;
- int ipversion = nce->nce_ipversion;
+ ncec_t **ptpn;
+ ncec_t *ncec1;
+ int ipversion = ncec->ncec_ipversion;
ndp_g_t *ndp;
- ip_stack_t *ipst = nce->nce_ill->ill_ipst;
+ ip_stack_t *ipst = ncec->ncec_ipst;
if (ipversion == IPV4_VERSION)
ndp = ipst->ips_ndp4;
@@ -405,40 +456,42 @@ ndp_delete(nce_t *nce)
ndp = ipst->ips_ndp6;
/* Serialize deletes */
- mutex_enter(&nce->nce_lock);
- if (nce->nce_flags & NCE_F_CONDEMNED) {
+ mutex_enter(&ncec->ncec_lock);
+ if (NCE_ISCONDEMNED(ncec)) {
/* Some other thread is doing the delete */
- mutex_exit(&nce->nce_lock);
+ mutex_exit(&ncec->ncec_lock);
return;
}
/*
* Caller has a refhold. Also 1 ref for being in the list. Thus
* refcnt has to be >= 2
*/
- ASSERT(nce->nce_refcnt >= 2);
- nce->nce_flags |= NCE_F_CONDEMNED;
- mutex_exit(&nce->nce_lock);
+ ASSERT(ncec->ncec_refcnt >= 2);
+ ncec->ncec_flags |= NCE_F_CONDEMNED;
+ mutex_exit(&ncec->ncec_lock);
- nce_fastpath_list_delete(nce);
+ /* Count how many condemned ires for kmem_cache callback */
+ atomic_add_32(&ipst->ips_num_nce_condemned, 1);
+ nce_fastpath_list_delete(ncec->ncec_ill, ncec, NULL);
/* Complete any waiting callbacks */
- nce_cb_dispatch(nce);
+ ncec_cb_dispatch(ncec);
/*
* Cancel any running timer. Timeout can't be restarted
- * since CONDEMNED is set. Can't hold nce_lock across untimeout.
+ * since CONDEMNED is set. Can't hold ncec_lock across untimeout.
* Passing invalid timeout id is fine.
*/
- if (nce->nce_timeout_id != 0) {
- (void) untimeout(nce->nce_timeout_id);
- nce->nce_timeout_id = 0;
+ if (ncec->ncec_timeout_id != 0) {
+ (void) untimeout(ncec->ncec_timeout_id);
+ ncec->ncec_timeout_id = 0;
}
mutex_enter(&ndp->ndp_g_lock);
- if (nce->nce_ptpn == NULL) {
+ if (ncec->ncec_ptpn == NULL) {
/*
- * The last ndp walker has already removed this nce from
- * the list after we marked the nce CONDEMNED and before
+ * The last ndp walker has already removed this ncec from
+ * the list after we marked the ncec CONDEMNED and before
* we grabbed the global lock.
*/
mutex_exit(&ndp->ndp_g_lock);
@@ -454,62 +507,68 @@ ndp_delete(nce_t *nce)
}
/*
- * Now remove the nce from the list. NDP_RESTART_TIMER won't restart
+ * Now remove the ncec from the list. nce_restart_timer won't restart
* the timer since it is marked CONDEMNED.
*/
- ptpn = nce->nce_ptpn;
- nce1 = nce->nce_next;
- if (nce1 != NULL)
- nce1->nce_ptpn = ptpn;
- *ptpn = nce1;
- nce->nce_ptpn = NULL;
- nce->nce_next = NULL;
+ ptpn = ncec->ncec_ptpn;
+ ncec1 = ncec->ncec_next;
+ if (ncec1 != NULL)
+ ncec1->ncec_ptpn = ptpn;
+ *ptpn = ncec1;
+ ncec->ncec_ptpn = NULL;
+ ncec->ncec_next = NULL;
mutex_exit(&ndp->ndp_g_lock);
- nce_ire_delete(nce);
+ /* Removed from ncec_ptpn/ncec_next list */
+ ncec_refrele_notr(ncec);
}
void
-ndp_inactive(nce_t *nce)
+ncec_inactive(ncec_t *ncec)
{
mblk_t **mpp;
- ill_t *ill;
+ ill_t *ill = ncec->ncec_ill;
+ ip_stack_t *ipst = ncec->ncec_ipst;
- ASSERT(nce->nce_refcnt == 0);
- ASSERT(MUTEX_HELD(&nce->nce_lock));
- ASSERT(nce->nce_fastpath == NULL);
+ ASSERT(ncec->ncec_refcnt == 0);
+ ASSERT(MUTEX_HELD(&ncec->ncec_lock));
- /* Free all nce allocated messages */
- mpp = &nce->nce_first_mp_to_free;
- do {
- while (*mpp != NULL) {
- mblk_t *mp;
+ /* Count how many condemned nces for kmem_cache callback */
+ if (NCE_ISCONDEMNED(ncec))
+ atomic_add_32(&ipst->ips_num_nce_condemned, -1);
- mp = *mpp;
- *mpp = mp->b_next;
+ /* Free all allocated messages */
+ mpp = &ncec->ncec_qd_mp;
+ while (*mpp != NULL) {
+ mblk_t *mp;
- inet_freemsg(mp);
- }
- } while (mpp++ != &nce->nce_last_mp_to_free);
+ mp = *mpp;
+ *mpp = mp->b_next;
- if (nce->nce_ipversion == IPV6_VERSION) {
- /*
- * must have been cleaned up in nce_delete
- */
- ASSERT(list_is_empty(&nce->nce_cb));
- list_destroy(&nce->nce_cb);
+ inet_freemsg(mp);
}
+ /*
+ * must have been cleaned up in ncec_delete
+ */
+ ASSERT(list_is_empty(&ncec->ncec_cb));
+ list_destroy(&ncec->ncec_cb);
+ /*
+ * free the ncec_lladdr if one was allocated in nce_add_common()
+ */
+ if (ncec->ncec_lladdr_length > 0)
+ kmem_free(ncec->ncec_lladdr, ncec->ncec_lladdr_length);
+
#ifdef DEBUG
- nce_trace_cleanup(nce);
+ ncec_trace_cleanup(ncec);
#endif
- ill = nce->nce_ill;
mutex_enter(&ill->ill_lock);
DTRACE_PROBE3(ill__decr__cnt, (ill_t *), ill,
- (char *), "nce", (void *), nce);
- ill->ill_nce_cnt--;
+ (char *), "ncec", (void *), ncec);
+ ill->ill_ncec_cnt--;
+ ncec->ncec_ill = NULL;
/*
- * If the number of nce's associated with this ill have dropped
+ * If the number of ncec's associated with this ill have dropped
* to zero, check whether we need to restart any operation that
* is waiting for this to happen.
*/
@@ -519,104 +578,59 @@ ndp_inactive(nce_t *nce)
} else {
mutex_exit(&ill->ill_lock);
}
- mutex_destroy(&nce->nce_lock);
- if (nce->nce_mp != NULL)
- inet_freemsg(nce->nce_mp);
+
+ mutex_destroy(&ncec->ncec_lock);
+ kmem_cache_free(ncec_cache, ncec);
}
/*
- * ndp_walk routine. Delete the nce if it is associated with the ill
+ * ncec_walk routine. Delete the ncec if it is associated with the ill
* that is going away. Always called as a writer.
*/
void
-ndp_delete_per_ill(nce_t *nce, uchar_t *arg)
+ncec_delete_per_ill(ncec_t *ncec, uchar_t *arg)
{
- if ((nce != NULL) && nce->nce_ill == (ill_t *)arg) {
- ndp_delete(nce);
+ if ((ncec != NULL) && ncec->ncec_ill == (ill_t *)arg) {
+ ncec_delete(ncec);
}
}
/*
- * Walk a list of to be inactive NCEs and blow away all the ires.
+ * Neighbor Cache cleanup logic for a list of ncec_t entries.
*/
static void
-nce_ire_delete_list(nce_t *nce)
+nce_cleanup_list(ncec_t *ncec)
{
- nce_t *nce_next;
+ ncec_t *ncec_next;
- ASSERT(nce != NULL);
- while (nce != NULL) {
- nce_next = nce->nce_next;
- nce->nce_next = NULL;
+ ASSERT(ncec != NULL);
+ while (ncec != NULL) {
+ ncec_next = ncec->ncec_next;
+ ncec->ncec_next = NULL;
/*
* It is possible for the last ndp walker (this thread)
- * to come here after ndp_delete has marked the nce CONDEMNED
- * and before it has removed the nce from the fastpath list
+ * to come here after ncec_delete has marked the ncec CONDEMNED
+ * and before it has removed the ncec from the fastpath list
* or called untimeout. So we need to do it here. It is safe
- * for both ndp_delete and this thread to do it twice or
+ * for both ncec_delete and this thread to do it twice or
* even simultaneously since each of the threads has a
- * reference on the nce.
+ * reference on the ncec.
*/
- nce_fastpath_list_delete(nce);
+ nce_fastpath_list_delete(ncec->ncec_ill, ncec, NULL);
/*
* Cancel any running timer. Timeout can't be restarted
- * since CONDEMNED is set. Can't hold nce_lock across untimeout.
- * Passing invalid timeout id is fine.
+ * since CONDEMNED is set. The ncec_lock can't be
+ * held across untimeout though passing invalid timeout
+ * id is fine.
*/
- if (nce->nce_timeout_id != 0) {
- (void) untimeout(nce->nce_timeout_id);
- nce->nce_timeout_id = 0;
+ if (ncec->ncec_timeout_id != 0) {
+ (void) untimeout(ncec->ncec_timeout_id);
+ ncec->ncec_timeout_id = 0;
}
- /*
- * We might hit this func thus in the v4 case:
- * ipif_down->ipif_ndp_down->ndp_walk
- */
-
- if (nce->nce_ipversion == IPV4_VERSION) {
- ire_walk_ill_v4(MATCH_IRE_ILL | MATCH_IRE_TYPE,
- IRE_CACHE, nce_ire_delete1, nce, nce->nce_ill);
- } else {
- ASSERT(nce->nce_ipversion == IPV6_VERSION);
- ire_walk_ill_v6(MATCH_IRE_ILL | MATCH_IRE_TYPE,
- IRE_CACHE, nce_ire_delete1, nce, nce->nce_ill);
- }
- NCE_REFRELE_NOTR(nce);
- nce = nce_next;
- }
-}
-
-/*
- * Delete an ire when the nce goes away.
- */
-/* ARGSUSED */
-static void
-nce_ire_delete(nce_t *nce)
-{
- if (nce->nce_ipversion == IPV6_VERSION) {
- ire_walk_ill_v6(MATCH_IRE_ILL | MATCH_IRE_TYPE, IRE_CACHE,
- nce_ire_delete1, (char *)nce, nce->nce_ill);
- NCE_REFRELE_NOTR(nce);
- } else {
- ire_walk_ill_v4(MATCH_IRE_ILL | MATCH_IRE_TYPE, IRE_CACHE,
- nce_ire_delete1, (char *)nce, nce->nce_ill);
- NCE_REFRELE_NOTR(nce);
- }
-}
-
-/*
- * ire_walk routine used to delete every IRE that shares this nce
- */
-static void
-nce_ire_delete1(ire_t *ire, char *nce_arg)
-{
- nce_t *nce = (nce_t *)nce_arg;
-
- ASSERT(ire->ire_type == IRE_CACHE);
-
- if (ire->ire_nce == nce) {
- ASSERT(ire->ire_ipversion == nce->nce_ipversion);
- ire_delete(ire);
+ /* Removed from ncec_ptpn/ncec_next list */
+ ncec_refrele_notr(ncec);
+ ncec = ncec_next;
}
}
@@ -624,100 +638,97 @@ nce_ire_delete1(ire_t *ire, char *nce_arg)
* Restart DAD on given NCE. Returns B_TRUE if DAD has been restarted.
*/
boolean_t
-ndp_restart_dad(nce_t *nce)
+nce_restart_dad(ncec_t *ncec)
{
boolean_t started;
- boolean_t dropped;
+ ill_t *ill, *hwaddr_ill;
- if (nce == NULL)
+ if (ncec == NULL)
return (B_FALSE);
- mutex_enter(&nce->nce_lock);
- if (nce->nce_state == ND_PROBE) {
- mutex_exit(&nce->nce_lock);
+ ill = ncec->ncec_ill;
+ mutex_enter(&ncec->ncec_lock);
+ if (ncec->ncec_state == ND_PROBE) {
+ mutex_exit(&ncec->ncec_lock);
started = B_TRUE;
- } else if (nce->nce_state == ND_REACHABLE) {
- nce->nce_state = ND_PROBE;
- nce->nce_pcnt = ND_MAX_UNICAST_SOLICIT - 1;
- mutex_exit(&nce->nce_lock);
- dropped = nce_xmit_solicit(nce, B_FALSE, NULL, NDP_PROBE);
- if (dropped) {
- mutex_enter(&nce->nce_lock);
- nce->nce_pcnt++;
- mutex_exit(&nce->nce_lock);
+ } else if (ncec->ncec_state == ND_REACHABLE) {
+ ASSERT(ncec->ncec_lladdr != NULL);
+ ncec->ncec_state = ND_PROBE;
+ ncec->ncec_pcnt = ND_MAX_UNICAST_SOLICIT;
+ /*
+ * Slight cheat here: we don't use the initial probe delay
+ * for IPv4 in this obscure case.
+ */
+ mutex_exit(&ncec->ncec_lock);
+ if (IS_IPMP(ill)) {
+ hwaddr_ill = ipmp_illgrp_find_ill(ill->ill_grp,
+ ncec->ncec_lladdr, ncec->ncec_lladdr_length);
+ } else {
+ hwaddr_ill = ill;
}
- NDP_RESTART_TIMER(nce, ILL_PROBE_INTERVAL(nce->nce_ill));
+ nce_dad(ncec, hwaddr_ill, B_TRUE);
started = B_TRUE;
} else {
- mutex_exit(&nce->nce_lock);
+ mutex_exit(&ncec->ncec_lock);
started = B_FALSE;
}
return (started);
}
/*
- * IPv6 Cache entry lookup. Try to find an nce matching the parameters passed.
- * If one is found, the refcnt on the nce will be incremented.
+ * IPv6 Cache entry lookup. Try to find an ncec matching the parameters passed.
+ * If one is found, the refcnt on the ncec will be incremented.
*/
-nce_t *
-ndp_lookup_v6(ill_t *ill, boolean_t match_illgrp, const in6_addr_t *addr,
- boolean_t caller_holds_lock)
+ncec_t *
+ncec_lookup_illgrp_v6(ill_t *ill, const in6_addr_t *addr)
{
- nce_t *nce;
- ip_stack_t *ipst = ill->ill_ipst;
+ ncec_t *ncec;
+ ip_stack_t *ipst = ill->ill_ipst;
- ASSERT(ill->ill_isv6);
- if (!caller_holds_lock)
- mutex_enter(&ipst->ips_ndp6->ndp_g_lock);
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
+ mutex_enter(&ipst->ips_ndp6->ndp_g_lock);
/* Get head of v6 hash table */
- nce = *((nce_t **)NCE_HASH_PTR_V6(ipst, *addr));
- nce = nce_lookup_addr(ill, match_illgrp, addr, nce);
- if (nce == NULL)
- nce = nce_lookup_mapping(ill, addr);
- if (!caller_holds_lock)
- mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
- return (nce);
+ ncec = *((ncec_t **)NCE_HASH_PTR_V6(ipst, *addr));
+ ncec = ncec_lookup_illgrp(ill, addr, ncec);
+ mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
+ rw_exit(&ipst->ips_ill_g_lock);
+ return (ncec);
}
/*
- * IPv4 Cache entry lookup. Try to find an nce matching the parameters passed.
- * If one is found, the refcnt on the nce will be incremented.
- * Since multicast mappings are handled in arp, there are no nce_mcast_entries
- * so we skip the nce_lookup_mapping call.
- * XXX TODO: if the nce is found to be ND_STALE, ndp_delete it and return NULL
+ * IPv4 Cache entry lookup. Try to find an ncec matching the parameters passed.
+ * If one is found, the refcnt on the ncec will be incremented.
*/
-nce_t *
-ndp_lookup_v4(ill_t *ill, const in_addr_t *addr, boolean_t caller_holds_lock)
+ncec_t *
+ncec_lookup_illgrp_v4(ill_t *ill, const in_addr_t *addr)
{
- nce_t *nce;
+ ncec_t *ncec = NULL;
in6_addr_t addr6;
ip_stack_t *ipst = ill->ill_ipst;
- if (!caller_holds_lock)
- mutex_enter(&ipst->ips_ndp4->ndp_g_lock);
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
+ mutex_enter(&ipst->ips_ndp4->ndp_g_lock);
/* Get head of v4 hash table */
- nce = *((nce_t **)NCE_HASH_PTR_V4(ipst, *addr));
+ ncec = *((ncec_t **)NCE_HASH_PTR_V4(ipst, *addr));
IN6_IPADDR_TO_V4MAPPED(*addr, &addr6);
- /*
- * NOTE: IPv4 never matches across the illgrp since the NCE's we're
- * looking up have fastpath headers that are inherently per-ill.
- */
- nce = nce_lookup_addr(ill, B_FALSE, &addr6, nce);
- if (!caller_holds_lock)
- mutex_exit(&ipst->ips_ndp4->ndp_g_lock);
- return (nce);
+ ncec = ncec_lookup_illgrp(ill, &addr6, ncec);
+ mutex_exit(&ipst->ips_ndp4->ndp_g_lock);
+ rw_exit(&ipst->ips_ill_g_lock);
+ return (ncec);
}
/*
- * Cache entry lookup. Try to find an nce matching the parameters passed.
- * Look only for exact entries (no mappings). If an nce is found, increment
- * the hold count on that nce. The caller passes in the start of the
- * appropriate hash table, and must be holding the appropriate global
- * lock (ndp_g_lock).
+ * Cache entry lookup. Try to find an ncec matching the parameters passed.
+ * If an ncec is found, increment the hold count on that ncec.
+ * The caller passes in the start of the appropriate hash table, and must
+ * be holding the appropriate global lock (ndp_g_lock). In addition, since
+ * this function matches ncec_t entries across the illgrp, the ips_ill_g_lock
+ * must be held as reader.
+ *
+ * This function always matches across the ipmp group.
*/
-static nce_t *
-nce_lookup_addr(ill_t *ill, boolean_t match_illgrp, const in6_addr_t *addr,
- nce_t *nce)
+ncec_t *
+ncec_lookup_illgrp(ill_t *ill, const in6_addr_t *addr, ncec_t *ncec)
{
ndp_g_t *ndp;
ip_stack_t *ipst = ill->ill_ipst;
@@ -727,348 +738,246 @@ nce_lookup_addr(ill_t *ill, boolean_t match_illgrp, const in6_addr_t *addr,
else
ndp = ipst->ips_ndp4;
+ ASSERT(ill != NULL);
ASSERT(MUTEX_HELD(&ndp->ndp_g_lock));
if (IN6_IS_ADDR_UNSPECIFIED(addr))
return (NULL);
- for (; nce != NULL; nce = nce->nce_next) {
- if (nce->nce_ill == ill ||
- match_illgrp && IS_IN_SAME_ILLGRP(ill, nce->nce_ill)) {
- if (IN6_ARE_ADDR_EQUAL(&nce->nce_addr, addr) &&
- IN6_ARE_ADDR_EQUAL(&nce->nce_mask,
- &ipv6_all_ones)) {
- mutex_enter(&nce->nce_lock);
- if (!(nce->nce_flags & NCE_F_CONDEMNED)) {
- NCE_REFHOLD_LOCKED(nce);
- mutex_exit(&nce->nce_lock);
+ for (; ncec != NULL; ncec = ncec->ncec_next) {
+ if (ncec->ncec_ill == ill ||
+ IS_IN_SAME_ILLGRP(ill, ncec->ncec_ill)) {
+ if (IN6_ARE_ADDR_EQUAL(&ncec->ncec_addr, addr)) {
+ mutex_enter(&ncec->ncec_lock);
+ if (!NCE_ISCONDEMNED(ncec)) {
+ ncec_refhold_locked(ncec);
+ mutex_exit(&ncec->ncec_lock);
break;
}
- mutex_exit(&nce->nce_lock);
+ mutex_exit(&ncec->ncec_lock);
}
}
}
+ return (ncec);
+}
+
+/*
+ * Find an nce_t on ill with nce_addr == addr. Lookup the nce_t
+ * entries for ill only, i.e., when ill is part of an ipmp group,
+ * nce_lookup_v4 will never try to match across the group.
+ */
+nce_t *
+nce_lookup_v4(ill_t *ill, const in_addr_t *addr)
+{
+ nce_t *nce;
+ in6_addr_t addr6;
+ ip_stack_t *ipst = ill->ill_ipst;
+
+ mutex_enter(&ipst->ips_ndp4->ndp_g_lock);
+ IN6_IPADDR_TO_V4MAPPED(*addr, &addr6);
+ nce = nce_lookup_addr(ill, &addr6);
+ mutex_exit(&ipst->ips_ndp4->ndp_g_lock);
return (nce);
}
/*
- * Cache entry lookup. Try to find an nce matching the parameters passed.
- * Look only for mappings.
+ * Find an nce_t on ill with nce_addr == addr. Lookup the nce_t
+ * entries for ill only, i.e., when ill is part of an ipmp group,
+ * nce_lookup_v6 will never try to match across the group.
*/
+nce_t *
+nce_lookup_v6(ill_t *ill, const in6_addr_t *addr6)
+{
+ nce_t *nce;
+ ip_stack_t *ipst = ill->ill_ipst;
+
+ mutex_enter(&ipst->ips_ndp6->ndp_g_lock);
+ nce = nce_lookup_addr(ill, addr6);
+ mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
+ return (nce);
+}
+
static nce_t *
-nce_lookup_mapping(ill_t *ill, const in6_addr_t *addr)
+nce_lookup_addr(ill_t *ill, const in6_addr_t *addr)
{
- nce_t *nce;
- ip_stack_t *ipst = ill->ill_ipst;
+ nce_t *nce;
- ASSERT(ill != NULL && ill->ill_isv6);
- ASSERT(MUTEX_HELD(&ipst->ips_ndp6->ndp_g_lock));
- if (!IN6_IS_ADDR_MULTICAST(addr))
- return (NULL);
- nce = ipst->ips_ndp6->nce_mask_entries;
- for (; nce != NULL; nce = nce->nce_next)
- if (nce->nce_ill == ill &&
- (V6_MASK_EQ(*addr, nce->nce_mask, nce->nce_addr))) {
- mutex_enter(&nce->nce_lock);
- if (!(nce->nce_flags & NCE_F_CONDEMNED)) {
- NCE_REFHOLD_LOCKED(nce);
- mutex_exit(&nce->nce_lock);
- break;
- }
- mutex_exit(&nce->nce_lock);
- }
+ ASSERT(ill != NULL);
+#ifdef DEBUG
+ if (ill->ill_isv6)
+ ASSERT(MUTEX_HELD(&ill->ill_ipst->ips_ndp6->ndp_g_lock));
+ else
+ ASSERT(MUTEX_HELD(&ill->ill_ipst->ips_ndp4->ndp_g_lock));
+#endif
+ mutex_enter(&ill->ill_lock);
+ nce = nce_lookup(ill, addr);
+ mutex_exit(&ill->ill_lock);
return (nce);
}
+
+/*
+ * Router turned to host. We need to make sure that cached copies of the ncec
+ * are not used for forwarding packets if they were derived from the default
+ * route, and that the default route itself is removed, as required by
+ * section 7.2.5 of RFC 2461.
+ *
+ * Note that the ncec itself probably has valid link-layer information for the
+ * nexthop, so that there is no reason to delete the ncec, as long as the
+ * ISROUTER flag is turned off.
+ */
+static void
+ncec_router_to_host(ncec_t *ncec)
+{
+ ire_t *ire;
+ ip_stack_t *ipst = ncec->ncec_ipst;
+
+ mutex_enter(&ncec->ncec_lock);
+ ncec->ncec_flags &= ~NCE_F_ISROUTER;
+ mutex_exit(&ncec->ncec_lock);
+
+ ire = ire_ftable_lookup_v6(&ipv6_all_zeros, &ipv6_all_zeros,
+ &ncec->ncec_addr, IRE_DEFAULT, ncec->ncec_ill, ALL_ZONES, NULL,
+ MATCH_IRE_ILL | MATCH_IRE_TYPE | MATCH_IRE_GW, 0, ipst, NULL);
+ if (ire != NULL) {
+ ip_rts_rtmsg(RTM_DELETE, ire, 0, ipst);
+ ire_delete(ire);
+ ire_refrele(ire);
+ }
+}
+
/*
* Process passed in parameters either from an incoming packet or via
* user ioctl.
*/
-static void
-nce_process(nce_t *nce, uchar_t *hw_addr, uint32_t flag, boolean_t is_adv)
+void
+nce_process(ncec_t *ncec, uchar_t *hw_addr, uint32_t flag, boolean_t is_adv)
{
- ill_t *ill = nce->nce_ill;
- uint32_t hw_addr_len = ill->ill_nd_lla_len;
- mblk_t *mp;
+ ill_t *ill = ncec->ncec_ill;
+ uint32_t hw_addr_len = ill->ill_phys_addr_length;
boolean_t ll_updated = B_FALSE;
boolean_t ll_changed;
- ip_stack_t *ipst = ill->ill_ipst;
+ nce_t *nce;
- ASSERT(nce->nce_ipversion == IPV6_VERSION);
+ ASSERT(ncec->ncec_ipversion == IPV6_VERSION);
/*
* No updates of link layer address or the neighbor state is
* allowed, when the cache is in NONUD state. This still
* allows for responding to reachability solicitation.
*/
- mutex_enter(&nce->nce_lock);
- if (nce->nce_state == ND_INCOMPLETE) {
+ mutex_enter(&ncec->ncec_lock);
+ if (ncec->ncec_state == ND_INCOMPLETE) {
if (hw_addr == NULL) {
- mutex_exit(&nce->nce_lock);
+ mutex_exit(&ncec->ncec_lock);
return;
}
- nce_set_ll(nce, hw_addr);
+ nce_set_ll(ncec, hw_addr);
/*
- * Update nce state and send the queued packets
+ * Update ncec state and send the queued packets
* back to ip this time ire will be added.
*/
if (flag & ND_NA_FLAG_SOLICITED) {
- nce_update(nce, ND_REACHABLE, NULL);
+ nce_update(ncec, ND_REACHABLE, NULL);
} else {
- nce_update(nce, ND_STALE, NULL);
- }
- mutex_exit(&nce->nce_lock);
- nce_fastpath(nce);
- nce_cb_dispatch(nce); /* complete callbacks */
- mutex_enter(&nce->nce_lock);
- mp = nce->nce_qd_mp;
- nce->nce_qd_mp = NULL;
- mutex_exit(&nce->nce_lock);
- while (mp != NULL) {
- mblk_t *nxt_mp, *data_mp;
-
- nxt_mp = mp->b_next;
- mp->b_next = NULL;
-
- if (mp->b_datap->db_type == M_CTL)
- data_mp = mp->b_cont;
- else
- data_mp = mp;
- if (data_mp->b_prev != NULL) {
- ill_t *inbound_ill;
- queue_t *fwdq = NULL;
- uint_t ifindex;
-
- ifindex = (uint_t)(uintptr_t)data_mp->b_prev;
- inbound_ill = ill_lookup_on_ifindex(ifindex,
- B_TRUE, NULL, NULL, NULL, NULL, ipst);
- if (inbound_ill == NULL) {
- data_mp->b_prev = NULL;
- freemsg(mp);
- return;
- } else {
- fwdq = inbound_ill->ill_rq;
- }
- data_mp->b_prev = NULL;
- /*
- * Send a forwarded packet back into ip_rput_v6
- * just as in ire_send_v6().
- * Extract the queue from b_prev (set in
- * ip_rput_data_v6).
- */
- if (fwdq != NULL) {
- /*
- * Forwarded packets hop count will
- * get decremented in ip_rput_data_v6
- */
- if (data_mp != mp)
- freeb(mp);
- put(fwdq, data_mp);
- } else {
- /*
- * Send locally originated packets back
- * into ip_wput_v6.
- */
- put(ill->ill_wq, mp);
- }
- ill_refrele(inbound_ill);
- } else {
- put(ill->ill_wq, mp);
- }
- mp = nxt_mp;
+ nce_update(ncec, ND_STALE, NULL);
}
+ mutex_exit(&ncec->ncec_lock);
+ nce = nce_fastpath(ncec, B_TRUE, NULL);
+ nce_resolv_ok(ncec);
+ if (nce != NULL)
+ nce_refrele(nce);
return;
}
- ll_changed = nce_cmp_ll_addr(nce, hw_addr, hw_addr_len);
+ ll_changed = nce_cmp_ll_addr(ncec, hw_addr, hw_addr_len);
if (!is_adv) {
/* If this is a SOLICITATION request only */
if (ll_changed)
- nce_update(nce, ND_STALE, hw_addr);
- mutex_exit(&nce->nce_lock);
- nce_cb_dispatch(nce);
+ nce_update(ncec, ND_STALE, hw_addr);
+ mutex_exit(&ncec->ncec_lock);
+ ncec_cb_dispatch(ncec);
return;
}
if (!(flag & ND_NA_FLAG_OVERRIDE) && ll_changed) {
/* If in any other state than REACHABLE, ignore */
- if (nce->nce_state == ND_REACHABLE) {
- nce_update(nce, ND_STALE, NULL);
+ if (ncec->ncec_state == ND_REACHABLE) {
+ nce_update(ncec, ND_STALE, NULL);
}
- mutex_exit(&nce->nce_lock);
- nce_cb_dispatch(nce);
+ mutex_exit(&ncec->ncec_lock);
+ ncec_cb_dispatch(ncec);
return;
} else {
if (ll_changed) {
- nce_update(nce, ND_UNCHANGED, hw_addr);
+ nce_update(ncec, ND_UNCHANGED, hw_addr);
ll_updated = B_TRUE;
}
if (flag & ND_NA_FLAG_SOLICITED) {
- nce_update(nce, ND_REACHABLE, NULL);
+ nce_update(ncec, ND_REACHABLE, NULL);
} else {
if (ll_updated) {
- nce_update(nce, ND_STALE, NULL);
+ nce_update(ncec, ND_STALE, NULL);
}
}
- mutex_exit(&nce->nce_lock);
- if (!(flag & ND_NA_FLAG_ROUTER) && (nce->nce_flags &
+ mutex_exit(&ncec->ncec_lock);
+ if (!(flag & ND_NA_FLAG_ROUTER) && (ncec->ncec_flags &
NCE_F_ISROUTER)) {
- ire_t *ire;
-
- /*
- * Router turned to host. We need to remove the
- * entry as well as any default route that may be
- * using this as a next hop. This is required by
- * section 7.2.5 of RFC 2461.
- */
- ire = ire_ftable_lookup_v6(&ipv6_all_zeros,
- &ipv6_all_zeros, &nce->nce_addr, IRE_DEFAULT,
- nce->nce_ill->ill_ipif, NULL, ALL_ZONES, 0, NULL,
- MATCH_IRE_ILL | MATCH_IRE_TYPE | MATCH_IRE_GW |
- MATCH_IRE_DEFAULT, ipst);
- if (ire != NULL) {
- ip_rts_rtmsg(RTM_DELETE, ire, 0, ipst);
- ire_delete(ire);
- ire_refrele(ire);
- }
- ndp_delete(nce); /* will do nce_cb_dispatch */
+ ncec_router_to_host(ncec);
} else {
- nce_cb_dispatch(nce);
+ ncec_cb_dispatch(ncec);
}
}
}
/*
- * Walker state structure used by ndp_process() / ndp_process_entry().
- */
-typedef struct ndp_process_data {
- ill_t *np_ill; /* ill/illgrp to match against */
- const in6_addr_t *np_addr; /* IPv6 address to match */
- uchar_t *np_hw_addr; /* passed to nce_process() */
- uint32_t np_flag; /* passed to nce_process() */
- boolean_t np_is_adv; /* passed to nce_process() */
-} ndp_process_data_t;
-
-/*
- * Walker callback used by ndp_process() for IPMP groups: calls nce_process()
- * for each NCE with a matching address that's in the same IPMP group.
- */
-static void
-ndp_process_entry(nce_t *nce, void *arg)
-{
- ndp_process_data_t *npp = arg;
-
- if (IS_IN_SAME_ILLGRP(nce->nce_ill, npp->np_ill) &&
- IN6_ARE_ADDR_EQUAL(&nce->nce_addr, npp->np_addr) &&
- IN6_ARE_ADDR_EQUAL(&nce->nce_mask, &ipv6_all_ones)) {
- nce_process(nce, npp->np_hw_addr, npp->np_flag, npp->np_is_adv);
- }
-}
-
-/*
- * Wrapper around nce_process() that handles IPMP. In particular, for IPMP,
- * NCEs are per-underlying-ill (because of nce_fp_mp) and thus we may have
- * more than one NCE for a given IPv6 address to tend to. In that case, we
- * need to walk all NCEs and callback nce_process() for each one. Since this
- * is expensive, in the non-IPMP case we just directly call nce_process().
- * Ultimately, nce_fp_mp needs to be moved out of the nce_t so that all IP
- * interfaces in an IPMP group share the same NCEs -- at which point this
- * function can be removed entirely.
- */
-void
-ndp_process(nce_t *nce, uchar_t *hw_addr, uint32_t flag, boolean_t is_adv)
-{
- ill_t *ill = nce->nce_ill;
- struct ndp_g_s *ndp = ill->ill_ipst->ips_ndp6;
- ndp_process_data_t np;
-
- if (ill->ill_grp == NULL) {
- nce_process(nce, hw_addr, flag, is_adv);
- return;
- }
-
- /* IPMP case: walk all NCEs */
- np.np_ill = ill;
- np.np_addr = &nce->nce_addr;
- np.np_flag = flag;
- np.np_is_adv = is_adv;
- np.np_hw_addr = hw_addr;
-
- ndp_walk_common(ndp, NULL, (pfi_t)ndp_process_entry, &np, ALL_ZONES);
-}
-
-/*
- * Pass arg1 to the pfi supplied, along with each nce in existence.
- * ndp_walk() places a REFHOLD on the nce and drops the lock when
+ * Pass arg1 to the pfi supplied, along with each ncec in existence.
+ * ncec_walk() places a REFHOLD on the ncec and drops the lock when
* walking the hash list.
*/
void
-ndp_walk_common(ndp_g_t *ndp, ill_t *ill, pfi_t pfi, void *arg1,
+ncec_walk_common(ndp_g_t *ndp, ill_t *ill, pfi_t pfi, void *arg1,
boolean_t trace)
{
- nce_t *nce;
- nce_t *nce1;
- nce_t **ncep;
- nce_t *free_nce_list = NULL;
+ ncec_t *ncec;
+ ncec_t *ncec1;
+ ncec_t **ncep;
+ ncec_t *free_nce_list = NULL;
mutex_enter(&ndp->ndp_g_lock);
- /* Prevent ndp_delete from unlink and free of NCE */
+ /* Prevent ncec_delete from unlink and free of NCE */
ndp->ndp_g_walker++;
mutex_exit(&ndp->ndp_g_lock);
for (ncep = ndp->nce_hash_tbl;
ncep < A_END(ndp->nce_hash_tbl); ncep++) {
- for (nce = *ncep; nce != NULL; nce = nce1) {
- nce1 = nce->nce_next;
- if (ill == NULL || nce->nce_ill == ill) {
+ for (ncec = *ncep; ncec != NULL; ncec = ncec1) {
+ ncec1 = ncec->ncec_next;
+ if (ill == NULL || ncec->ncec_ill == ill) {
if (trace) {
- NCE_REFHOLD(nce);
- (*pfi)(nce, arg1);
- NCE_REFRELE(nce);
+ ncec_refhold(ncec);
+ (*pfi)(ncec, arg1);
+ ncec_refrele(ncec);
} else {
- NCE_REFHOLD_NOTR(nce);
- (*pfi)(nce, arg1);
- NCE_REFRELE_NOTR(nce);
+ ncec_refhold_notr(ncec);
+ (*pfi)(ncec, arg1);
+ ncec_refrele_notr(ncec);
}
}
}
}
- for (nce = ndp->nce_mask_entries; nce != NULL; nce = nce1) {
- nce1 = nce->nce_next;
- if (ill == NULL || nce->nce_ill == ill) {
- if (trace) {
- NCE_REFHOLD(nce);
- (*pfi)(nce, arg1);
- NCE_REFRELE(nce);
- } else {
- NCE_REFHOLD_NOTR(nce);
- (*pfi)(nce, arg1);
- NCE_REFRELE_NOTR(nce);
- }
- }
- }
mutex_enter(&ndp->ndp_g_lock);
ndp->ndp_g_walker--;
- /*
- * While NCE's are removed from global list they are placed
- * in a private list, to be passed to nce_ire_delete_list().
- * The reason is, there may be ires pointing to this nce
- * which needs to cleaned up.
- */
if (ndp->ndp_g_walker_cleanup && ndp->ndp_g_walker == 0) {
/* Time to delete condemned entries */
for (ncep = ndp->nce_hash_tbl;
ncep < A_END(ndp->nce_hash_tbl); ncep++) {
- nce = *ncep;
- if (nce != NULL) {
- nce_remove(ndp, nce, &free_nce_list);
+ ncec = *ncep;
+ if (ncec != NULL) {
+ nce_remove(ndp, ncec, &free_nce_list);
}
}
- nce = ndp->nce_mask_entries;
- if (nce != NULL) {
- nce_remove(ndp, nce, &free_nce_list);
- }
ndp->ndp_g_walker_cleanup = B_FALSE;
}
mutex_exit(&ndp->ndp_g_lock);
if (free_nce_list != NULL) {
- nce_ire_delete_list(free_nce_list);
+ nce_cleanup_list(free_nce_list);
}
}
@@ -1077,198 +986,10 @@ ndp_walk_common(ndp_g_t *ndp, ill_t *ill, pfi_t pfi, void *arg1,
* Note that ill can be NULL hence can't derive the ipst from it.
*/
void
-ndp_walk(ill_t *ill, pfi_t pfi, void *arg1, ip_stack_t *ipst)
-{
- ndp_walk_common(ipst->ips_ndp4, ill, pfi, arg1, B_TRUE);
- ndp_walk_common(ipst->ips_ndp6, ill, pfi, arg1, B_TRUE);
-}
-
-/*
- * Process resolve requests. Handles both mapped entries
- * as well as cases that needs to be send out on the wire.
- * Lookup a NCE for a given IRE. Regardless of whether one exists
- * or one is created, we defer making ire point to nce until the
- * ire is actually added at which point the nce_refcnt on the nce is
- * incremented. This is done primarily to have symmetry between ire_add()
- * and ire_delete() which decrements the nce_refcnt, when an ire is deleted.
- */
-int
-ndp_resolver(ill_t *ill, const in6_addr_t *dst, mblk_t *mp, zoneid_t zoneid)
-{
- nce_t *nce, *hw_nce = NULL;
- int err;
- ill_t *ipmp_ill;
- uint16_t nce_flags;
- mblk_t *mp_nce = NULL;
- ip_stack_t *ipst = ill->ill_ipst;
- uchar_t *hwaddr = NULL;
-
- ASSERT(ill->ill_isv6);
-
- if (IN6_IS_ADDR_MULTICAST(dst))
- return (nce_set_multicast(ill, dst));
-
- nce_flags = (ill->ill_flags & ILLF_NONUD) ? NCE_F_NONUD : 0;
-
- /*
- * If `ill' is under IPMP, then first check to see if there's an NCE
- * for `dst' on the IPMP meta-interface (e.g., because an application
- * explicitly did an SIOCLIFSETND to tie a hardware address to `dst').
- * If so, we use that hardware address when creating the NCE below.
- * Note that we don't yet have a mechanism to remove these NCEs if the
- * NCE for `dst' on the IPMP meta-interface is subsequently removed --
- * but rather than build such a beast, we should fix NCEs so that they
- * can be properly shared across an IPMP group.
- */
- if (IS_UNDER_IPMP(ill)) {
- if ((ipmp_ill = ipmp_ill_hold_ipmp_ill(ill)) != NULL) {
- hw_nce = ndp_lookup_v6(ipmp_ill, B_FALSE, dst, B_FALSE);
- if (hw_nce != NULL && hw_nce->nce_res_mp != NULL) {
- hwaddr = hw_nce->nce_res_mp->b_rptr +
- NCE_LL_ADDR_OFFSET(ipmp_ill);
- nce_flags |= hw_nce->nce_flags;
- }
- ill_refrele(ipmp_ill);
- }
- }
-
- err = ndp_lookup_then_add_v6(ill,
- B_FALSE, /* NCE fastpath is per ill; don't match across group */
- hwaddr,
- dst,
- &ipv6_all_ones,
- &ipv6_all_zeros,
- 0,
- nce_flags,
- hwaddr != NULL ? ND_REACHABLE : ND_INCOMPLETE,
- &nce);
-
- if (hw_nce != NULL)
- NCE_REFRELE(hw_nce);
-
- switch (err) {
- case 0:
- /*
- * New cache entry was created. Make sure that the state
- * is not ND_INCOMPLETE. It can be in some other state
- * even before we send out the solicitation as we could
- * get un-solicited advertisements.
- *
- * If this is an XRESOLV interface, simply return 0,
- * since we don't want to solicit just yet.
- */
- if (ill->ill_flags & ILLF_XRESOLV) {
- NCE_REFRELE(nce);
- return (0);
- }
-
- mutex_enter(&nce->nce_lock);
- if (nce->nce_state != ND_INCOMPLETE) {
- mutex_exit(&nce->nce_lock);
- NCE_REFRELE(nce);
- return (0);
- }
- if (nce->nce_rcnt == 0) {
- /* The caller will free mp */
- mutex_exit(&nce->nce_lock);
- ndp_delete(nce);
- NCE_REFRELE(nce);
- return (ESRCH);
- }
- mp_nce = ip_prepend_zoneid(mp, zoneid, ipst);
- if (mp_nce == NULL) {
- /* The caller will free mp */
- mutex_exit(&nce->nce_lock);
- ndp_delete(nce);
- NCE_REFRELE(nce);
- return (ENOMEM);
- }
- nce_queue_mp(nce, mp_nce);
- ip_ndp_resolve(nce);
- mutex_exit(&nce->nce_lock);
- NCE_REFRELE(nce);
- return (EINPROGRESS);
- case EEXIST:
- /* Resolution in progress just queue the packet */
- mutex_enter(&nce->nce_lock);
- if (nce->nce_state == ND_INCOMPLETE) {
- mp_nce = ip_prepend_zoneid(mp, zoneid, ipst);
- if (mp_nce == NULL) {
- err = ENOMEM;
- } else {
- nce_queue_mp(nce, mp_nce);
- err = EINPROGRESS;
- }
- } else {
- /*
- * Any other state implies we have
- * a nce but IRE needs to be added ...
- * ire_add_v6() will take care of the
- * the case when the nce becomes CONDEMNED
- * before the ire is added to the table.
- */
- err = 0;
- }
- mutex_exit(&nce->nce_lock);
- NCE_REFRELE(nce);
- break;
- default:
- ip1dbg(("ndp_resolver: Can't create NCE %d\n", err));
- break;
- }
- return (err);
-}
-
-/*
- * When there is no resolver, the link layer template is passed in
- * the IRE.
- * Lookup a NCE for a given IRE. Regardless of whether one exists
- * or one is created, we defer making ire point to nce until the
- * ire is actually added at which point the nce_refcnt on the nce is
- * incremented. This is done primarily to have symmetry between ire_add()
- * and ire_delete() which decrements the nce_refcnt, when an ire is deleted.
- */
-int
-ndp_noresolver(ill_t *ill, const in6_addr_t *dst)
+ncec_walk(ill_t *ill, pfi_t pfi, void *arg1, ip_stack_t *ipst)
{
- nce_t *nce;
- int err = 0;
-
- ASSERT(ill != NULL);
- ASSERT(ill->ill_isv6);
- if (IN6_IS_ADDR_MULTICAST(dst)) {
- err = nce_set_multicast(ill, dst);
- return (err);
- }
-
- err = ndp_lookup_then_add_v6(ill,
- B_FALSE, /* NCE fastpath is per ill; don't match across group */
- ill->ill_dest_addr, /* hardware address is NULL in most cases */
- dst,
- &ipv6_all_ones,
- &ipv6_all_zeros,
- 0,
- (ill->ill_flags & ILLF_NONUD) ? NCE_F_NONUD : 0,
- ND_REACHABLE,
- &nce);
-
- switch (err) {
- case 0:
- /*
- * Cache entry with a proper resolver cookie was
- * created.
- */
- NCE_REFRELE(nce);
- break;
- case EEXIST:
- err = 0;
- NCE_REFRELE(nce);
- break;
- default:
- ip1dbg(("ndp_noresolver: Can't create NCE %d\n", err));
- break;
- }
- return (err);
+ ncec_walk_common(ipst->ips_ndp4, ill, pfi, arg1, B_TRUE);
+ ncec_walk_common(ipst->ips_ndp6, ill, pfi, arg1, B_TRUE);
}
/*
@@ -1277,83 +998,73 @@ ndp_noresolver(ill_t *ill, const in6_addr_t *dst)
* multicast destination.
*/
static int
-nce_set_multicast(ill_t *ill, const in6_addr_t *dst)
+nce_set_multicast_v6(ill_t *ill, const in6_addr_t *dst,
+ uint16_t flags, nce_t **newnce)
{
- nce_t *mnce; /* Multicast mapping entry */
- nce_t *nce;
- uchar_t *hw_addr = NULL;
+ uchar_t *hw_addr;
int err = 0;
ip_stack_t *ipst = ill->ill_ipst;
+ nce_t *nce;
ASSERT(ill != NULL);
ASSERT(ill->ill_isv6);
ASSERT(!(IN6_IS_ADDR_UNSPECIFIED(dst)));
mutex_enter(&ipst->ips_ndp6->ndp_g_lock);
- nce = *((nce_t **)NCE_HASH_PTR_V6(ipst, *dst));
- nce = nce_lookup_addr(ill, B_FALSE, dst, nce);
+ nce = nce_lookup_addr(ill, dst);
if (nce != NULL) {
mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
- NCE_REFRELE(nce);
- return (0);
- }
- /* No entry, now lookup for a mapping this should never fail */
- mnce = nce_lookup_mapping(ill, dst);
- if (mnce == NULL) {
- /* Something broken for the interface. */
- mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
- return (ESRCH);
+ goto done;
}
- ASSERT(mnce->nce_flags & NCE_F_MAPPING);
if (ill->ill_net_type == IRE_IF_RESOLVER) {
/*
* For IRE_IF_RESOLVER a hardware mapping can be
- * generated, for IRE_IF_NORESOLVER, resolution cookie
- * in the ill is copied in ndp_add_v6().
+ * generated.
*/
hw_addr = kmem_alloc(ill->ill_nd_lla_len, KM_NOSLEEP);
if (hw_addr == NULL) {
mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
- NCE_REFRELE(mnce);
return (ENOMEM);
}
- nce_make_mapping(mnce, hw_addr, (uchar_t *)dst);
+ ip_mcast_mapping(ill, (uchar_t *)dst, hw_addr);
+ } else {
+ /*
+ * So no hw_addr is needed for IRE_IF_NORESOLVER.
+ */
+ hw_addr = NULL;
}
- NCE_REFRELE(mnce);
- /*
- * IRE_IF_NORESOLVER type simply copies the resolution
- * cookie passed in. So no hw_addr is needed.
- */
- err = ndp_add_v6(ill,
- hw_addr,
- dst,
- &ipv6_all_ones,
- &ipv6_all_zeros,
- 0,
- NCE_F_NONUD,
- ND_REACHABLE,
- &nce);
+ ASSERT((flags & NCE_F_MCAST) != 0);
+ ASSERT((flags & NCE_F_NONUD) != 0);
+ /* nce_state will be computed by nce_add_common() */
+ err = nce_add_v6(ill, hw_addr, ill->ill_phys_addr_length, dst, flags,
+ ND_UNCHANGED, &nce);
mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
+ if (err == 0)
+ err = nce_add_v6_postprocess(nce);
if (hw_addr != NULL)
kmem_free(hw_addr, ill->ill_nd_lla_len);
if (err != 0) {
- ip1dbg(("nce_set_multicast: create failed" "%d\n", err));
+ ip1dbg(("nce_set_multicast_v6: create failed" "%d\n", err));
return (err);
}
- NCE_REFRELE(nce);
+done:
+ ASSERT(nce->nce_common->ncec_state == ND_REACHABLE);
+ if (newnce != NULL)
+ *newnce = nce;
+ else
+ nce_refrele(nce);
return (0);
}
/*
- * Return the link layer address, and any flags of a nce.
+ * Return the link layer address, and any flags of a ncec.
*/
int
ndp_query(ill_t *ill, struct lif_nd_req *lnr)
{
- nce_t *nce;
+ ncec_t *ncec;
in6_addr_t *addr;
sin6_t *sin6;
- dl_unitdata_req_t *dl;
ASSERT(ill != NULL && ill->ill_isv6);
sin6 = (sin6_t *)&lnr->lnr_addr;
@@ -1363,158 +1074,135 @@ ndp_query(ill_t *ill, struct lif_nd_req *lnr)
* NOTE: if the ill is an IPMP interface, then match against the whole
* illgrp. This e.g. allows in.ndpd to retrieve the link layer
* addresses for the data addresses on an IPMP interface even though
- * ipif_ndp_up() created them with an nce_ill of ipif_bound_ill.
+ * ipif_ndp_up() created them with an ncec_ill of ipif_bound_ill.
*/
- nce = ndp_lookup_v6(ill, IS_IPMP(ill), addr, B_FALSE);
- if (nce == NULL)
+ ncec = ncec_lookup_illgrp_v6(ill, addr);
+ if (ncec == NULL)
return (ESRCH);
- /* If in INCOMPLETE state, no link layer address is available yet */
- if (!NCE_ISREACHABLE(nce)) {
- NCE_REFRELE(nce);
+ /* If no link layer address is available yet, return ESRCH */
+ if (!NCE_ISREACHABLE(ncec)) {
+ ncec_refrele(ncec);
return (ESRCH);
}
- dl = (dl_unitdata_req_t *)nce->nce_res_mp->b_rptr;
- if (ill->ill_flags & ILLF_XRESOLV)
- lnr->lnr_hdw_len = dl->dl_dest_addr_length;
- else
- lnr->lnr_hdw_len = ill->ill_nd_lla_len;
- ASSERT(NCE_LL_ADDR_OFFSET(ill) + lnr->lnr_hdw_len <=
- sizeof (lnr->lnr_hdw_addr));
- bcopy(nce->nce_res_mp->b_rptr + NCE_LL_ADDR_OFFSET(ill),
- (uchar_t *)&lnr->lnr_hdw_addr, lnr->lnr_hdw_len);
- if (nce->nce_flags & NCE_F_ISROUTER)
+ lnr->lnr_hdw_len = ill->ill_phys_addr_length;
+ bcopy(ncec->ncec_lladdr, (uchar_t *)&lnr->lnr_hdw_addr,
+ lnr->lnr_hdw_len);
+ if (ncec->ncec_flags & NCE_F_ISROUTER)
lnr->lnr_flags = NDF_ISROUTER_ON;
- if (nce->nce_flags & NCE_F_ANYCAST)
+ if (ncec->ncec_flags & NCE_F_ANYCAST)
lnr->lnr_flags |= NDF_ANYCAST_ON;
- NCE_REFRELE(nce);
+ ncec_refrele(ncec);
return (0);
}
/*
- * Send Enable/Disable multicast reqs to driver.
+ * Finish setting up the Enable/Disable multicast for the driver.
*/
-int
-ndp_mcastreq(ill_t *ill, const in6_addr_t *addr, uint32_t hw_addr_len,
+mblk_t *
+ndp_mcastreq(ill_t *ill, const in6_addr_t *v6group, uint32_t hw_addr_len,
uint32_t hw_addr_offset, mblk_t *mp)
{
- nce_t *nce;
uchar_t *hw_addr;
- ip_stack_t *ipst = ill->ill_ipst;
+ ipaddr_t v4group;
+ uchar_t *addr;
- ASSERT(ill != NULL && ill->ill_isv6);
ASSERT(ill->ill_net_type == IRE_IF_RESOLVER);
- hw_addr = mi_offset_paramc(mp, hw_addr_offset, hw_addr_len);
- if (hw_addr == NULL || !IN6_IS_ADDR_MULTICAST(addr)) {
- freemsg(mp);
- return (EINVAL);
+ if (IN6_IS_ADDR_V4MAPPED(v6group)) {
+ IN6_V4MAPPED_TO_IPADDR(v6group, v4group);
+
+ ASSERT(CLASSD(v4group));
+ ASSERT(!(ill->ill_isv6));
+
+ addr = (uchar_t *)&v4group;
+ } else {
+ ASSERT(IN6_IS_ADDR_MULTICAST(v6group));
+ ASSERT(ill->ill_isv6);
+
+ addr = (uchar_t *)v6group;
}
- mutex_enter(&ipst->ips_ndp6->ndp_g_lock);
- nce = nce_lookup_mapping(ill, addr);
- if (nce == NULL) {
- mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
+ hw_addr = mi_offset_paramc(mp, hw_addr_offset, hw_addr_len);
+ if (hw_addr == NULL) {
+ ip0dbg(("ndp_mcastreq NULL hw_addr\n"));
freemsg(mp);
- return (ESRCH);
- }
- mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
- /*
- * Update dl_addr_length and dl_addr_offset for primitives that
- * have physical addresses as opposed to full saps
- */
- switch (((union DL_primitives *)mp->b_rptr)->dl_primitive) {
- case DL_ENABMULTI_REQ:
- /* Track the state if this is the first enabmulti */
- if (ill->ill_dlpi_multicast_state == IDS_UNKNOWN)
- ill->ill_dlpi_multicast_state = IDS_INPROGRESS;
- ip1dbg(("ndp_mcastreq: ENABMULTI\n"));
- break;
- case DL_DISABMULTI_REQ:
- ip1dbg(("ndp_mcastreq: DISABMULTI\n"));
- break;
- default:
- NCE_REFRELE(nce);
- ip1dbg(("ndp_mcastreq: default\n"));
- return (EINVAL);
+ return (NULL);
}
- nce_make_mapping(nce, hw_addr, (uchar_t *)addr);
- NCE_REFRELE(nce);
- ill_dlpi_send(ill, mp);
- return (0);
-}
+ ip_mcast_mapping(ill, addr, hw_addr);
+ return (mp);
+}
-/*
- * Send out a NS for resolving the ip address in nce.
- */
void
-ip_ndp_resolve(nce_t *nce)
+ip_ndp_resolve(ncec_t *ncec)
{
+ in_addr_t sender4 = INADDR_ANY;
in6_addr_t sender6 = ipv6_all_zeros;
+ ill_t *src_ill;
uint32_t ms;
- mblk_t *mp;
- ip6_t *ip6h;
- ASSERT(MUTEX_HELD(&nce->nce_lock));
- /*
- * Pick the src from outgoing packet, if one is available.
- * Otherwise let nce_xmit figure out the src.
- */
- if ((mp = nce->nce_qd_mp) != NULL) {
- /* Handle ip_newroute_v6 giving us IPSEC packets */
- if (mp->b_datap->db_type == M_CTL)
- mp = mp->b_cont;
- ip6h = (ip6_t *)mp->b_rptr;
- if (ip6h->ip6_nxt == IPPROTO_RAW) {
- /*
- * This message should have been pulled up already in
- * ip_wput_v6. We can't do pullups here because
- * the message could be from the nce_qd_mp which could
- * have b_next/b_prev non-NULL.
- */
- ASSERT(MBLKL(mp) >= sizeof (ip6i_t) + IPV6_HDR_LEN);
- ip6h = (ip6_t *)(mp->b_rptr + sizeof (ip6i_t));
- }
- sender6 = ip6h->ip6_src;
+ src_ill = nce_resolve_src(ncec, &sender6);
+ if (src_ill == NULL) {
+ /* Make sure we try again later */
+ ms = ncec->ncec_ill->ill_reachable_retrans_time;
+ nce_restart_timer(ncec, (clock_t)ms);
+ return;
}
- ms = nce_solicit(nce, sender6);
- mutex_exit(&nce->nce_lock);
+ if (ncec->ncec_ipversion == IPV4_VERSION)
+ IN6_V4MAPPED_TO_IPADDR(&sender6, sender4);
+ mutex_enter(&ncec->ncec_lock);
+ if (ncec->ncec_ipversion == IPV6_VERSION)
+ ms = ndp_solicit(ncec, sender6, src_ill);
+ else
+ ms = arp_request(ncec, sender4, src_ill);
+ mutex_exit(&ncec->ncec_lock);
if (ms == 0) {
- if (nce->nce_state != ND_REACHABLE) {
- nce_resolv_failed(nce);
- ndp_delete(nce);
+ if (ncec->ncec_state != ND_REACHABLE) {
+ if (ncec->ncec_ipversion == IPV6_VERSION)
+ ndp_resolv_failed(ncec);
+ else
+ arp_resolv_failed(ncec);
+ ASSERT((ncec->ncec_flags & NCE_F_STATIC) == 0);
+ nce_make_unreachable(ncec);
+ ncec_delete(ncec);
}
} else {
- NDP_RESTART_TIMER(nce, (clock_t)ms);
+ nce_restart_timer(ncec, (clock_t)ms);
}
- mutex_enter(&nce->nce_lock);
+done:
+ ill_refrele(src_ill);
}
/*
- * Send a neighbor solicitation.
+ * Send an IPv6 neighbor solicitation.
* Returns number of milliseconds after which we should either rexmit or abort.
* Return of zero means we should abort.
- * The caller holds the nce_lock to protect nce_qd_mp and nce_rcnt.
+ * The caller holds the ncec_lock to protect ncec_qd_mp and ncec_rcnt.
+ * The optional source address is used as a hint to ndp_solicit for
+ * which source to use in the packet.
*
- * NOTE: This routine drops nce_lock (and later reacquires it) when sending
+ * NOTE: This routine drops ncec_lock (and later reacquires it) when sending
* the packet.
*/
uint32_t
-nce_solicit(nce_t *nce, in6_addr_t sender)
+ndp_solicit(ncec_t *ncec, in6_addr_t src, ill_t *ill)
{
- boolean_t dropped;
+ in6_addr_t dst;
+ boolean_t dropped = B_FALSE;
- ASSERT(nce->nce_ipversion == IPV6_VERSION);
- ASSERT(MUTEX_HELD(&nce->nce_lock));
+ ASSERT(ncec->ncec_ipversion == IPV6_VERSION);
+ ASSERT(MUTEX_HELD(&ncec->ncec_lock));
- if (nce->nce_rcnt == 0)
+ if (ncec->ncec_rcnt == 0)
return (0);
- nce->nce_rcnt--;
- mutex_exit(&nce->nce_lock);
- dropped = nce_xmit_solicit(nce, B_TRUE, &sender, 0);
- mutex_enter(&nce->nce_lock);
+ dst = ncec->ncec_addr;
+ ncec->ncec_rcnt--;
+ mutex_exit(&ncec->ncec_lock);
+ dropped = ndp_xmit(ill, ND_NEIGHBOR_SOLICIT, ill->ill_phys_addr,
+ ill->ill_phys_addr_length, &src, &dst, 0);
+ mutex_enter(&ncec->ncec_lock);
if (dropped)
- nce->nce_rcnt++;
- return (nce->nce_ill->ill_reachable_retrans_time);
+ ncec->ncec_rcnt++;
+ return (ncec->ncec_ill->ill_reachable_retrans_time);
}
/*
@@ -1528,23 +1216,30 @@ nce_solicit(nce_t *nce, in6_addr_t sender)
* ip_ndp_excl.
*/
/* ARGSUSED */
-static void
-ip_ndp_recover(ipsq_t *ipsq, queue_t *rq, mblk_t *mp, void *dummy_arg)
+void
+ip_addr_recover(ipsq_t *ipsq, queue_t *rq, mblk_t *mp, void *dummy_arg)
{
ill_t *ill = rq->q_ptr;
ipif_t *ipif;
- in6_addr_t *addr = (in6_addr_t *)mp->b_rptr;
+ in6_addr_t *addr6 = (in6_addr_t *)mp->b_rptr;
+ in_addr_t *addr4 = (in_addr_t *)mp->b_rptr;
+ boolean_t addr_equal;
for (ipif = ill->ill_ipif; ipif != NULL; ipif = ipif->ipif_next) {
/*
* We do not support recovery of proxy ARP'd interfaces,
* because the system lacks a complete proxy ARP mechanism.
*/
- if ((ipif->ipif_flags & IPIF_POINTOPOINT) ||
- !IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6lcl_addr, addr)) {
- continue;
+ if (ill->ill_isv6) {
+ addr_equal = IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6lcl_addr,
+ addr6);
+ } else {
+ addr_equal = (ipif->ipif_lcl_addr == *addr4);
}
+ if ((ipif->ipif_flags & IPIF_POINTOPOINT) || !addr_equal)
+ continue;
+
/*
* If we have already recovered or if the interface is going
* away, then ignore.
@@ -1561,13 +1256,20 @@ ip_ndp_recover(ipsq_t *ipsq, queue_t *rq, mblk_t *mp, void *dummy_arg)
mutex_exit(&ill->ill_lock);
ipif->ipif_was_dup = B_TRUE;
- VERIFY(ipif_ndp_up(ipif, B_TRUE) != EINPROGRESS);
- (void) ipif_up_done_v6(ipif);
+ if (ill->ill_isv6) {
+ VERIFY(ipif_ndp_up(ipif, B_TRUE) != EINPROGRESS);
+ (void) ipif_up_done_v6(ipif);
+ } else {
+ VERIFY(ipif_arp_up(ipif, Res_act_initial, B_TRUE) !=
+ EINPROGRESS);
+ (void) ipif_up_done(ipif);
+ }
}
freeb(mp);
}
/*
+ *
* Attempt to recover an IPv6 interface that's been shut down as a duplicate.
* As long as someone else holds the address, the interface will stay down.
* When that conflict goes away, the interface is brought back up. This is
@@ -1579,8 +1281,8 @@ ip_ndp_recover(ipsq_t *ipsq, queue_t *rq, mblk_t *mp, void *dummy_arg)
*
* This function is entered on a timer expiry; the ID is in ipif_recovery_id.
*/
-static void
-ipif6_dup_recovery(void *arg)
+void
+ipif_dup_recovery(void *arg)
{
ipif_t *ipif = arg;
@@ -1598,7 +1300,7 @@ ipif6_dup_recovery(void *arg)
if (!(ipif->ipif_ill->ill_phyint->phyint_flags & PHYI_RUNNING))
return;
- ndp_do_recovery(ipif);
+ ipif_do_recovery(ipif);
}
/*
@@ -1608,18 +1310,24 @@ ipif6_dup_recovery(void *arg)
* Called both by recovery timer expiry and link-up notification.
*/
void
-ndp_do_recovery(ipif_t *ipif)
+ipif_do_recovery(ipif_t *ipif)
{
ill_t *ill = ipif->ipif_ill;
mblk_t *mp;
ip_stack_t *ipst = ill->ill_ipst;
+ size_t mp_size;
- mp = allocb(sizeof (ipif->ipif_v6lcl_addr), BPRI_MED);
+ if (ipif->ipif_isv6)
+ mp_size = sizeof (ipif->ipif_v6lcl_addr);
+ else
+ mp_size = sizeof (ipif->ipif_lcl_addr);
+ mp = allocb(mp_size, BPRI_MED);
if (mp == NULL) {
mutex_enter(&ill->ill_lock);
- if (ipif->ipif_recovery_id == 0 &&
+ if (ipst->ips_ip_dup_recovery > 0 &&
+ ipif->ipif_recovery_id == 0 &&
!(ipif->ipif_state_flags & IPIF_CONDEMNED)) {
- ipif->ipif_recovery_id = timeout(ipif6_dup_recovery,
+ ipif->ipif_recovery_id = timeout(ipif_dup_recovery,
ipif, MSEC_TO_TICK(ipst->ips_ip_dup_recovery));
}
mutex_exit(&ill->ill_lock);
@@ -1632,10 +1340,15 @@ ndp_do_recovery(ipif_t *ipif)
(void) untimeout(ipif->ipif_recovery_id);
ipif->ipif_recovery_id = 0;
- bcopy(&ipif->ipif_v6lcl_addr, mp->b_rptr,
- sizeof (ipif->ipif_v6lcl_addr));
+ if (ipif->ipif_isv6) {
+ bcopy(&ipif->ipif_v6lcl_addr, mp->b_rptr,
+ sizeof (ipif->ipif_v6lcl_addr));
+ } else {
+ bcopy(&ipif->ipif_lcl_addr, mp->b_rptr,
+ sizeof (ipif->ipif_lcl_addr));
+ }
ill_refhold(ill);
- qwriter_ip(ill, ill->ill_rq, mp, ip_ndp_recover, NEW_OP,
+ qwriter_ip(ill, ill->ill_rq, mp, ip_addr_recover, NEW_OP,
B_FALSE);
}
}
@@ -1644,80 +1357,19 @@ ndp_do_recovery(ipif_t *ipif)
* Find the MAC and IP addresses in an NA/NS message.
*/
static void
-ip_ndp_find_addresses(mblk_t *mp, mblk_t *dl_mp, ill_t *ill, in6_addr_t *targp,
- uchar_t **haddr, uint_t *haddrlenp)
+ip_ndp_find_addresses(mblk_t *mp, ip_recv_attr_t *ira, ill_t *ill,
+ in6_addr_t *targp, uchar_t **haddr, uint_t *haddrlenp)
{
- ip6_t *ip6h = (ip6_t *)mp->b_rptr;
icmp6_t *icmp6 = (icmp6_t *)(mp->b_rptr + IPV6_HDR_LEN);
- nd_neighbor_advert_t *na = (nd_neighbor_advert_t *)icmp6;
nd_neighbor_solicit_t *ns = (nd_neighbor_solicit_t *)icmp6;
uchar_t *addr;
- int alen = 0;
+ int alen;
- if (dl_mp == NULL) {
- nd_opt_hdr_t *opt = NULL;
- int len;
-
- /*
- * If it's from the fast-path, then it can't be a probe
- * message, and thus must include a linkaddr option.
- * Extract that here.
- */
- switch (icmp6->icmp6_type) {
- case ND_NEIGHBOR_SOLICIT:
- len = mp->b_wptr - (uchar_t *)ns;
- if ((len -= sizeof (*ns)) > 0) {
- opt = ndp_get_option((nd_opt_hdr_t *)(ns + 1),
- len, ND_OPT_SOURCE_LINKADDR);
- }
- break;
- case ND_NEIGHBOR_ADVERT:
- len = mp->b_wptr - (uchar_t *)na;
- if ((len -= sizeof (*na)) > 0) {
- opt = ndp_get_option((nd_opt_hdr_t *)(na + 1),
- len, ND_OPT_TARGET_LINKADDR);
- }
- break;
- }
-
- if (opt != NULL && opt->nd_opt_len * 8 - sizeof (*opt) >=
- ill->ill_nd_lla_len) {
- addr = (uchar_t *)(opt + 1);
- alen = ill->ill_nd_lla_len;
- }
-
- /*
- * We cheat a bit here for the sake of printing usable log
- * messages in the rare case where the reply we got was unicast
- * without a source linkaddr option, and the interface is in
- * fastpath mode. (Sigh.)
- */
- if (alen == 0 && ill->ill_type == IFT_ETHER &&
- MBLKHEAD(mp) >= sizeof (struct ether_header)) {
- struct ether_header *pether;
-
- pether = (struct ether_header *)((char *)ip6h -
- sizeof (*pether));
- addr = pether->ether_shost.ether_addr_octet;
- alen = ETHERADDRL;
- }
- } else {
- dl_unitdata_ind_t *dlu;
-
- dlu = (dl_unitdata_ind_t *)dl_mp->b_rptr;
- alen = dlu->dl_src_addr_length;
- if (alen > 0 && dlu->dl_src_addr_offset >= sizeof (*dlu) &&
- dlu->dl_src_addr_offset + alen <= MBLKL(dl_mp)) {
- addr = dl_mp->b_rptr + dlu->dl_src_addr_offset;
- if (ill->ill_sap_length < 0) {
- alen += ill->ill_sap_length;
- } else {
- addr += ill->ill_sap_length;
- alen -= ill->ill_sap_length;
- }
- }
- }
+ /* icmp_inbound_v6 ensures this */
+ ASSERT(ira->ira_flags & IRAF_L2SRC_SET);
+ addr = ira->ira_l2src;
+ alen = ill->ill_phys_addr_length;
if (alen > 0) {
*haddr = addr;
*haddrlenp = alen;
@@ -1740,35 +1392,58 @@ ip_ndp_excl(ipsq_t *ipsq, queue_t *rq, mblk_t *mp, void *dummy_arg)
{
ill_t *ill = rq->q_ptr;
ipif_t *ipif;
- mblk_t *dl_mp = NULL;
uchar_t *haddr;
uint_t haddrlen;
ip_stack_t *ipst = ill->ill_ipst;
in6_addr_t targ;
-
- if (DB_TYPE(mp) != M_DATA) {
- dl_mp = mp;
- mp = mp->b_cont;
+ ip_recv_attr_t iras;
+ mblk_t *attrmp;
+
+ attrmp = mp;
+ mp = mp->b_cont;
+ attrmp->b_cont = NULL;
+ if (!ip_recv_attr_from_mblk(attrmp, &iras)) {
+ /* The ill or ip_stack_t disappeared on us */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ip_recv_attr_from_mblk", mp, ill);
+ freemsg(mp);
+ ira_cleanup(&iras, B_TRUE);
+ return;
}
- ip_ndp_find_addresses(mp, dl_mp, ill, &targ, &haddr, &haddrlen);
+ ASSERT(ill == iras.ira_rill);
+
+ ip_ndp_find_addresses(mp, &iras, ill, &targ, &haddr, &haddrlen);
if (haddr != NULL && haddrlen == ill->ill_phys_addr_length) {
/*
* Ignore conflicts generated by misbehaving switches that
* just reflect our own messages back to us. For IPMP, we may
* see reflections across any ill in the illgrp.
+ *
+ * RFC2462 and revisions tried to detect both the case
+ * when a statically configured IPv6 address is a duplicate,
+ * and the case when the L2 address itself is a duplicate. The
+ * later is important because, with stateles address autoconf,
+ * if the L2 address is a duplicate, the resulting IPv6
+ * address(es) would also be duplicates. We rely on DAD of the
+ * IPv6 address itself to detect the latter case.
*/
+ /* For an under ill_grp can change under lock */
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
if (bcmp(haddr, ill->ill_phys_addr, haddrlen) == 0 ||
IS_UNDER_IPMP(ill) &&
- ipmp_illgrp_find_ill(ill->ill_grp, haddr, haddrlen) != NULL)
+ ipmp_illgrp_find_ill(ill->ill_grp, haddr,
+ haddrlen) != NULL) {
+ rw_exit(&ipst->ips_ill_g_lock);
goto ignore_conflict;
+ }
+ rw_exit(&ipst->ips_ill_g_lock);
}
/*
* Look up the appropriate ipif.
*/
- ipif = ipif_lookup_addr_v6(&targ, ill, ALL_ZONES, NULL, NULL, NULL,
- NULL, ipst);
+ ipif = ipif_lookup_addr_v6(&targ, ill, ALL_ZONES, ipst);
if (ipif == NULL)
goto ignore_conflict;
@@ -1802,43 +1477,64 @@ ip_ndp_excl(ipsq_t *ipsq, queue_t *rq, mblk_t *mp, void *dummy_arg)
ill->ill_ipif_dup_count++;
mutex_exit(&ill->ill_lock);
(void) ipif_down(ipif, NULL, NULL);
- ipif_down_tail(ipif);
+ (void) ipif_down_tail(ipif);
mutex_enter(&ill->ill_lock);
if (!(ipif->ipif_flags & (IPIF_DHCPRUNNING|IPIF_TEMPORARY)) &&
ill->ill_net_type == IRE_IF_RESOLVER &&
!(ipif->ipif_state_flags & IPIF_CONDEMNED) &&
ipst->ips_ip_dup_recovery > 0) {
ASSERT(ipif->ipif_recovery_id == 0);
- ipif->ipif_recovery_id = timeout(ipif6_dup_recovery,
+ ipif->ipif_recovery_id = timeout(ipif_dup_recovery,
ipif, MSEC_TO_TICK(ipst->ips_ip_dup_recovery));
}
mutex_exit(&ill->ill_lock);
ipif_refrele(ipif);
+
ignore_conflict:
- if (dl_mp != NULL)
- freeb(dl_mp);
freemsg(mp);
+ ira_cleanup(&iras, B_TRUE);
}
/*
* Handle failure by tearing down the ipifs with the specified address. Note
- * that tearing down the ipif also means deleting the nce through ipif_down, so
- * it's not possible to do recovery by just restarting the nce timer. Instead,
+ * that tearing down the ipif also means deleting the ncec through ipif_down, so
+ * it's not possible to do recovery by just restarting the ncec timer. Instead,
* we start a timer on the ipif.
+ * Caller has to free mp;
*/
static void
-ip_ndp_failure(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
+ndp_failure(mblk_t *mp, ip_recv_attr_t *ira)
{
+ const uchar_t *haddr;
+ ill_t *ill = ira->ira_rill;
+
+ /*
+ * Ignore conflicts generated by misbehaving switches that just
+ * reflect our own messages back to us.
+ */
+
+ /* icmp_inbound_v6 ensures this */
+ ASSERT(ira->ira_flags & IRAF_L2SRC_SET);
+ haddr = ira->ira_l2src;
+ if (haddr != NULL &&
+ bcmp(haddr, ill->ill_phys_addr, ill->ill_phys_addr_length) == 0) {
+ return;
+ }
+
if ((mp = copymsg(mp)) != NULL) {
- if (dl_mp == NULL)
- dl_mp = mp;
- else if ((dl_mp = copyb(dl_mp)) != NULL)
- dl_mp->b_cont = mp;
- if (dl_mp == NULL) {
+ mblk_t *attrmp;
+
+ attrmp = ip_recv_attr_to_mblk(ira);
+ if (attrmp == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
freemsg(mp);
} else {
+ ASSERT(attrmp->b_cont == NULL);
+ attrmp->b_cont = mp;
+ mp = attrmp;
ill_refhold(ill);
- qwriter_ip(ill, ill->ill_rq, dl_mp, ip_ndp_excl, NEW_OP,
+ qwriter_ip(ill, ill->ill_rq, mp, ip_ndp_excl, NEW_OP,
B_FALSE);
}
}
@@ -1848,20 +1544,39 @@ ip_ndp_failure(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
* Handle a discovered conflict: some other system is advertising that it owns
* one of our IP addresses. We need to defend ourselves, or just shut down the
* interface.
+ *
+ * Handles both IPv4 and IPv6
*/
-static void
-ip_ndp_conflict(ill_t *ill, mblk_t *mp, mblk_t *dl_mp, nce_t *nce)
+boolean_t
+ip_nce_conflict(mblk_t *mp, ip_recv_attr_t *ira, ncec_t *ncec)
{
- ipif_t *ipif;
- uint32_t now;
- uint_t maxdefense;
- uint_t defs;
- ip_stack_t *ipst = ill->ill_ipst;
+ ipif_t *ipif;
+ clock_t now;
+ uint_t maxdefense;
+ uint_t defs;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ uint32_t elapsed;
+ boolean_t isv6 = ill->ill_isv6;
+ ipaddr_t ncec_addr;
- ipif = ipif_lookup_addr_v6(&nce->nce_addr, ill, ALL_ZONES, NULL, NULL,
- NULL, NULL, ipst);
+ if (isv6) {
+ ipif = ipif_lookup_addr_v6(&ncec->ncec_addr, ill, ALL_ZONES,
+ ipst);
+ } else {
+ if (arp_no_defense) {
+ /*
+ * Yes, there is a conflict, but no, we do not
+ * defend ourself.
+ */
+ return (B_TRUE);
+ }
+ IN6_V4MAPPED_TO_IPADDR(&ncec->ncec_addr, ncec_addr);
+ ipif = ipif_lookup_addr(ncec_addr, ill, ALL_ZONES,
+ ipst);
+ }
if (ipif == NULL)
- return;
+ return (B_FALSE);
/*
* First, figure out if this address is disposable.
@@ -1875,50 +1590,51 @@ ip_ndp_conflict(ill_t *ill, mblk_t *mp, mblk_t *dl_mp, nce_t *nce)
* Now figure out how many times we've defended ourselves. Ignore
* defenses that happened long in the past.
*/
- now = gethrestime_sec();
- mutex_enter(&nce->nce_lock);
- if ((defs = nce->nce_defense_count) > 0 &&
- now - nce->nce_defense_time > ipst->ips_ip_defend_interval) {
- nce->nce_defense_count = defs = 0;
+ now = ddi_get_lbolt();
+ elapsed = (drv_hztousec(now - ncec->ncec_last_time_defended))/1000000;
+ mutex_enter(&ncec->ncec_lock);
+ if ((defs = ncec->ncec_defense_count) > 0 &&
+ elapsed > ipst->ips_ip_defend_interval) {
+ /*
+ * ip_defend_interval has elapsed.
+ * reset the defense count.
+ */
+ ncec->ncec_defense_count = defs = 0;
}
- nce->nce_defense_count++;
- nce->nce_defense_time = now;
- mutex_exit(&nce->nce_lock);
+ ncec->ncec_defense_count++;
+ ncec->ncec_last_time_defended = now;
+ mutex_exit(&ncec->ncec_lock);
ipif_refrele(ipif);
/*
* If we've defended ourselves too many times already, then give up and
- * tear down the interface(s) using this address. Otherwise, defend by
- * sending out an unsolicited Neighbor Advertisement.
+ * tear down the interface(s) using this address.
+ * Otherwise, caller has to defend by sending out an announce.
*/
if (defs >= maxdefense) {
- ip_ndp_failure(ill, mp, dl_mp);
+ if (isv6)
+ ndp_failure(mp, ira);
+ else
+ arp_failure(mp, ira);
} else {
- char hbuf[MAC_STR_LEN];
- char sbuf[INET6_ADDRSTRLEN];
- uchar_t *haddr;
- uint_t haddrlen;
- in6_addr_t targ;
-
- ip_ndp_find_addresses(mp, dl_mp, ill, &targ, &haddr, &haddrlen);
- cmn_err(CE_WARN, "node %s is using our IP address %s on %s",
- mac_colon_addr(haddr, haddrlen, hbuf, sizeof (hbuf)),
- inet_ntop(AF_INET6, &targ, sbuf, sizeof (sbuf)),
- ill->ill_name);
-
- (void) nce_xmit_advert(nce, B_FALSE, &ipv6_all_hosts_mcast, 0);
+ return (B_TRUE); /* caller must defend this address */
}
+ return (B_FALSE);
}
+/*
+ * Handle reception of Neighbor Solicitation messages.
+ */
static void
-ndp_input_solicit(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
+ndp_input_solicit(mblk_t *mp, ip_recv_attr_t *ira)
{
+ ill_t *ill = ira->ira_ill, *under_ill;
nd_neighbor_solicit_t *ns;
- uint32_t hlen = ill->ill_nd_lla_len;
+ uint32_t hlen = ill->ill_phys_addr_length;
uchar_t *haddr = NULL;
icmp6_t *icmp_nd;
ip6_t *ip6h;
- nce_t *our_nce = NULL;
+ ncec_t *our_ncec = NULL;
in6_addr_t target;
in6_addr_t src;
int len;
@@ -1926,6 +1642,7 @@ ndp_input_solicit(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
nd_opt_hdr_t *opt = NULL;
boolean_t bad_solicit = B_FALSE;
mib2_ipv6IfIcmpEntry_t *mib = ill->ill_icmp6_mib;
+ boolean_t need_ill_refrele = B_FALSE;
ip6h = (ip6_t *)mp->b_rptr;
icmp_nd = (icmp6_t *)(mp->b_rptr + IPV6_HDR_LEN);
@@ -1951,7 +1668,6 @@ ndp_input_solicit(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
bad_solicit = B_TRUE;
goto done;
}
-
}
if (IN6_IS_ADDR_UNSPECIFIED(&src)) {
/* Check to see if this is a valid DAD solicitation */
@@ -1974,20 +1690,20 @@ ndp_input_solicit(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
* e.g. the IPMP ill's data link-local. So we match across the illgrp
* to ensure we find the associated NCE.
*/
- our_nce = ndp_lookup_v6(ill, B_TRUE, &target, B_FALSE);
+ our_ncec = ncec_lookup_illgrp_v6(ill, &target);
/*
- * If this is a valid Solicitation, a permanent
- * entry should exist in the cache
+ * If this is a valid Solicitation for an address we are publishing,
+ * then a PUBLISH entry should exist in the cache
*/
- if (our_nce == NULL ||
- !(our_nce->nce_flags & NCE_F_PERMANENT)) {
+ if (our_ncec == NULL || !NCE_PUBLISH(our_ncec)) {
ip1dbg(("ndp_input_solicit: Wrong target in NS?!"
"ifname=%s ", ill->ill_name));
if (ip_debug > 2) {
/* ip1dbg */
pr_addr_dbg(" dst %s\n", AF_INET6, &target);
}
- bad_solicit = B_TRUE;
+ if (our_ncec == NULL)
+ bad_solicit = B_TRUE;
goto done;
}
@@ -1998,7 +1714,7 @@ ndp_input_solicit(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
haddr = (uchar_t *)&opt[1];
if (hlen > opt->nd_opt_len * 8 - sizeof (*opt) ||
hlen == 0) {
- ip1dbg(("ndp_input_solicit: bad SLLA\n"));
+ ip1dbg(("ndp_input_advert: bad SLLA\n"));
bad_solicit = B_TRUE;
goto done;
}
@@ -2010,7 +1726,7 @@ ndp_input_solicit(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
flag |= NDP_UNICAST;
/*
- * Create/update the entry for the soliciting node.
+ * Create/update the entry for the soliciting node on the ipmp_ill.
* or respond to outstanding queries, don't if
* the source is unspecified address.
*/
@@ -2035,7 +1751,7 @@ ndp_input_solicit(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
* process of verifying the address, then don't respond at all
* and don't keep track of the sender.
*/
- if (our_nce->nce_state == ND_PROBE)
+ if (our_ncec->ncec_state == ND_PROBE)
goto done;
/*
@@ -2048,27 +1764,37 @@ ndp_input_solicit(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
if (haddr == NULL)
goto no_source;
- err = ndp_lookup_then_add_v6(ill,
- B_FALSE,
- haddr,
+ under_ill = ill;
+ if (IS_UNDER_IPMP(under_ill)) {
+ ill = ipmp_ill_hold_ipmp_ill(under_ill);
+ if (ill == NULL)
+ ill = under_ill;
+ else
+ need_ill_refrele = B_TRUE;
+ }
+ err = nce_lookup_then_add_v6(ill,
+ haddr, hlen,
&src, /* Soliciting nodes address */
- &ipv6_all_ones,
- &ipv6_all_zeros,
- 0,
0,
ND_STALE,
&nnce);
+
+ if (need_ill_refrele) {
+ ill_refrele(ill);
+ ill = under_ill;
+ need_ill_refrele = B_FALSE;
+ }
switch (err) {
case 0:
/* done with this entry */
- NCE_REFRELE(nnce);
+ nce_refrele(nnce);
break;
case EEXIST:
/*
* B_FALSE indicates this is not an an advertisement.
*/
- ndp_process(nnce, haddr, 0, B_FALSE);
- NCE_REFRELE(nnce);
+ nce_process(nnce->nce_common, haddr, 0, B_FALSE);
+ nce_refrele(nnce);
break;
default:
ip1dbg(("ndp_input_solicit: Can't create NCE %d\n",
@@ -2088,19 +1814,18 @@ no_source:
bad_solicit = B_TRUE;
goto done;
}
- if (our_nce->nce_state == ND_PROBE) {
+ if (our_ncec->ncec_state == ND_PROBE) {
/*
- * Internally looped-back probes won't have DLPI
- * attached to them. External ones (which are sent by
- * multicast) always will. Just ignore our own
+ * Internally looped-back probes will have
+ * IRAF_L2SRC_LOOPBACK set so we can ignore our own
* transmissions.
*/
- if (dl_mp != NULL) {
+ if (!(ira->ira_flags & IRAF_L2SRC_LOOPBACK)) {
/*
* If someone else is probing our address, then
* we've crossed wires. Declare failure.
*/
- ip_ndp_failure(ill, mp, dl_mp);
+ ndp_failure(mp, ira);
}
goto done;
}
@@ -2110,24 +1835,34 @@ no_source:
*/
src = ipv6_all_hosts_mcast;
}
- /* Response to a solicitation */
- (void) nce_xmit_advert(our_nce, B_TRUE, &src, flag);
+ flag |= nce_advert_flags(our_ncec);
+ (void) ndp_xmit(ill,
+ ND_NEIGHBOR_ADVERT,
+ our_ncec->ncec_lladdr,
+ our_ncec->ncec_lladdr_length,
+ &target, /* Source and target of the advertisement pkt */
+ &src, /* IP Destination (source of original pkt) */
+ flag);
done:
if (bad_solicit)
BUMP_MIB(mib, ipv6IfIcmpInBadNeighborSolicitations);
- if (our_nce != NULL)
- NCE_REFRELE(our_nce);
+ if (our_ncec != NULL)
+ ncec_refrele(our_ncec);
}
+/*
+ * Handle reception of Neighbor Solicitation messages
+ */
void
-ndp_input_advert(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
+ndp_input_advert(mblk_t *mp, ip_recv_attr_t *ira)
{
+ ill_t *ill = ira->ira_ill;
nd_neighbor_advert_t *na;
- uint32_t hlen = ill->ill_nd_lla_len;
+ uint32_t hlen = ill->ill_phys_addr_length;
uchar_t *haddr = NULL;
icmp6_t *icmp_nd;
ip6_t *ip6h;
- nce_t *dst_nce = NULL;
+ ncec_t *dst_ncec = NULL;
in6_addr_t target;
nd_opt_hdr_t *opt = NULL;
int len;
@@ -2138,6 +1873,7 @@ ndp_input_advert(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
icmp_nd = (icmp6_t *)(mp->b_rptr + IPV6_HDR_LEN);
len = mp->b_wptr - mp->b_rptr - IPV6_HDR_LEN;
na = (nd_neighbor_advert_t *)icmp_nd;
+
if (IN6_IS_ADDR_MULTICAST(&ip6h->ip6_dst) &&
(na->nd_na_flags_reserved & ND_NA_FLAG_SOLICITED)) {
ip1dbg(("ndp_input_advert: Target is multicast but the "
@@ -2179,17 +1915,25 @@ ndp_input_advert(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
* our local addresses, and those are spread across all the active
* ills in the group.
*/
- if ((dst_nce = ndp_lookup_v6(ill, B_TRUE, &target, B_FALSE)) == NULL)
+ if ((dst_ncec = ncec_lookup_illgrp_v6(ill, &target)) == NULL)
return;
- if (dst_nce->nce_flags & NCE_F_PERMANENT) {
+ if (NCE_PUBLISH(dst_ncec)) {
/*
- * Someone just advertised one of our local addresses. First,
+ * Someone just advertised an addresses that we publish. First,
* check it it was us -- if so, we can safely ignore it.
+ * We don't get the haddr from the ira_l2src because, in the
+ * case that the packet originated from us, on an IPMP group,
+ * the ira_l2src may would be the link-layer address of the
+ * cast_ill used to send the packet, which may not be the same
+ * as the dst_ncec->ncec_lladdr of the address.
*/
if (haddr != NULL) {
- if (!nce_cmp_ll_addr(dst_nce, haddr, hlen))
- goto out; /* from us -- no conflict */
+ if (ira->ira_flags & IRAF_L2SRC_LOOPBACK)
+ goto out;
+
+ if (!nce_cmp_ll_addr(dst_ncec, haddr, hlen))
+ goto out; /* from us -- no conflict */
/*
* If we're in an IPMP group, check if this is an echo
@@ -2209,59 +1953,96 @@ ndp_input_advert(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
}
/*
- * Our own (looped-back) unsolicited neighbor advertisements
- * will get here with dl_mp == NULL. (These will usually be
- * filtered by the `haddr' checks above, but point-to-point
- * links have no hardware address and thus make it here.)
- */
- if (dl_mp == NULL && dst_nce->nce_state != ND_PROBE)
- goto out;
-
- /*
* This appears to be a real conflict. If we're trying to
* configure this NCE (ND_PROBE), then shut it down.
* Otherwise, handle the discovered conflict.
- *
- * In the ND_PROBE case, dl_mp might be NULL if we're getting
- * a unicast reply. This isn't typically done (multicast is
- * the norm in response to a probe), but we can handle it.
*/
- if (dst_nce->nce_state == ND_PROBE)
- ip_ndp_failure(ill, mp, dl_mp);
- else
- ip_ndp_conflict(ill, mp, dl_mp, dst_nce);
+ if (dst_ncec->ncec_state == ND_PROBE) {
+ ndp_failure(mp, ira);
+ } else {
+ if (ip_nce_conflict(mp, ira, dst_ncec)) {
+ char hbuf[MAC_STR_LEN];
+ char sbuf[INET6_ADDRSTRLEN];
+
+ cmn_err(CE_WARN,
+ "node '%s' is using %s on %s",
+ inet_ntop(AF_INET6, &target, sbuf,
+ sizeof (sbuf)),
+ haddr == NULL ? "<none>" :
+ mac_colon_addr(haddr, hlen, hbuf,
+ sizeof (hbuf)), ill->ill_name);
+ /*
+ * RFC 4862, Section 5.4.4 does not mandate
+ * any specific behavior when an NA matches
+ * a non-tentative address assigned to the
+ * receiver. We make the choice of defending
+ * our address, based on the assumption that
+ * the sender has not detected the Duplicate.
+ *
+ * ncec_last_time_defended has been adjusted
+ * in ip_nce_conflict()
+ */
+ (void) ndp_announce(dst_ncec);
+ }
+ }
} else {
if (na->nd_na_flags_reserved & ND_NA_FLAG_ROUTER)
- dst_nce->nce_flags |= NCE_F_ISROUTER;
+ dst_ncec->ncec_flags |= NCE_F_ISROUTER;
/* B_TRUE indicates this an advertisement */
- ndp_process(dst_nce, haddr, na->nd_na_flags_reserved, B_TRUE);
+ nce_process(dst_ncec, haddr, na->nd_na_flags_reserved, B_TRUE);
}
out:
- NCE_REFRELE(dst_nce);
+ ncec_refrele(dst_ncec);
}
/*
* Process NDP neighbor solicitation/advertisement messages.
* The checksum has already checked o.k before reaching here.
+ * Information about the datalink header is contained in ira_l2src, but
+ * that should be ignored for loopback packets.
*/
void
-ndp_input(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
+ndp_input(mblk_t *mp, ip_recv_attr_t *ira)
{
+ ill_t *ill = ira->ira_rill;
icmp6_t *icmp_nd;
ip6_t *ip6h;
int len;
mib2_ipv6IfIcmpEntry_t *mib = ill->ill_icmp6_mib;
+ ill_t *orig_ill = NULL;
-
+ /*
+ * Since ira_ill is where the IRE_LOCAL was hosted we use ira_rill
+ * and make it be the IPMP upper so avoid being confused by a packet
+ * addressed to a unicast address on a different ill.
+ */
+ if (IS_UNDER_IPMP(ill)) {
+ orig_ill = ill;
+ ill = ipmp_ill_hold_ipmp_ill(orig_ill);
+ if (ill == NULL) {
+ ill = orig_ill;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - IPMP ill",
+ mp, ill);
+ freemsg(mp);
+ return;
+ }
+ ASSERT(ill != orig_ill);
+ orig_ill = ira->ira_ill;
+ ira->ira_ill = ill;
+ mib = ill->ill_icmp6_mib;
+ }
if (!pullupmsg(mp, -1)) {
ip1dbg(("ndp_input: pullupmsg failed\n"));
BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards - pullupmsg", mp, ill);
goto done;
}
ip6h = (ip6_t *)mp->b_rptr;
if (ip6h->ip6_hops != IPV6_MAX_HOPS) {
ip1dbg(("ndp_input: hoplimit != IPV6_MAX_HOPS\n"));
+ ip_drop_input("ipv6IfIcmpBadHoplimit", mp, ill);
BUMP_MIB(mib, ipv6IfIcmpBadHoplimit);
goto done;
}
@@ -2275,6 +2056,7 @@ ndp_input(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
if (ip6h->ip6_nxt != IPPROTO_ICMPV6) {
ip1dbg(("ndp_input: Wrong next header 0x%x\n",
ip6h->ip6_nxt));
+ ip_drop_input("Wrong next header", mp, ill);
BUMP_MIB(mib, ipv6IfIcmpInErrors);
goto done;
}
@@ -2283,6 +2065,7 @@ ndp_input(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
icmp_nd->icmp6_type == ND_NEIGHBOR_ADVERT);
if (icmp_nd->icmp6_code != 0) {
ip1dbg(("ndp_input: icmp6 code != 0 \n"));
+ ip_drop_input("code non-zero", mp, ill);
BUMP_MIB(mib, ipv6IfIcmpInErrors);
goto done;
}
@@ -2293,54 +2076,25 @@ ndp_input(ill_t *ill, mblk_t *mp, mblk_t *dl_mp)
*/
if (len < sizeof (struct icmp6_hdr) + sizeof (struct in6_addr)) {
ip1dbg(("ndp_input: packet too short\n"));
+ ip_drop_input("packet too short", mp, ill);
BUMP_MIB(mib, ipv6IfIcmpInErrors);
goto done;
}
if (icmp_nd->icmp6_type == ND_NEIGHBOR_SOLICIT) {
- ndp_input_solicit(ill, mp, dl_mp);
+ ndp_input_solicit(mp, ira);
} else {
- ndp_input_advert(ill, mp, dl_mp);
+ ndp_input_advert(mp, ira);
}
done:
freemsg(mp);
+ if (orig_ill != NULL) {
+ ill_refrele(ill);
+ ira->ira_ill = orig_ill;
+ }
}
/*
- * Utility routine to send an advertisement. Assumes that the NCE cannot
- * go away (e.g., because it's refheld).
- */
-static boolean_t
-nce_xmit_advert(nce_t *nce, boolean_t use_nd_lla, const in6_addr_t *target,
- uint_t flags)
-{
- ASSERT((flags & NDP_PROBE) == 0);
-
- if (nce->nce_flags & NCE_F_ISROUTER)
- flags |= NDP_ISROUTER;
- if (!(nce->nce_flags & NCE_F_ANYCAST))
- flags |= NDP_ORIDE;
-
- return (nce_xmit(nce->nce_ill, ND_NEIGHBOR_ADVERT, use_nd_lla,
- &nce->nce_addr, target, flags));
-}
-
-/*
- * Utility routine to send a solicitation. Assumes that the NCE cannot
- * go away (e.g., because it's refheld).
- */
-static boolean_t
-nce_xmit_solicit(nce_t *nce, boolean_t use_nd_lla, const in6_addr_t *sender,
- uint_t flags)
-{
- if (flags & NDP_PROBE)
- sender = &ipv6_all_zeros;
-
- return (nce_xmit(nce->nce_ill, ND_NEIGHBOR_SOLICIT, use_nd_lla,
- sender, &nce->nce_addr, flags));
-}
-
-/*
- * nce_xmit is called to form and transmit a ND solicitation or
+ * ndp_xmit is called to form and transmit a ND solicitation or
* advertisement ICMP packet.
*
* If the source address is unspecified and this isn't a probe (used for
@@ -2353,112 +2107,123 @@ nce_xmit_solicit(nce_t *nce, boolean_t use_nd_lla, const in6_addr_t *sender,
* corresponding ill's ill_wq otherwise returns B_TRUE.
*/
static boolean_t
-nce_xmit(ill_t *ill, uint8_t type, boolean_t use_nd_lla,
+ndp_xmit(ill_t *ill, uint32_t operation, uint8_t *hw_addr, uint_t hw_addr_len,
const in6_addr_t *sender, const in6_addr_t *target, int flag)
{
- ill_t *hwaddr_ill;
uint32_t len;
icmp6_t *icmp6;
mblk_t *mp;
ip6_t *ip6h;
nd_opt_hdr_t *opt;
- uint_t plen, maxplen;
- ip6i_t *ip6i;
- ipif_t *src_ipif = NULL;
- uint8_t *hw_addr;
+ uint_t plen;
zoneid_t zoneid = GLOBAL_ZONEID;
- char buf[INET6_ADDRSTRLEN];
+ ill_t *hwaddr_ill = ill;
+ ip_xmit_attr_t ixas;
+ ip_stack_t *ipst = ill->ill_ipst;
+ boolean_t need_refrele = B_FALSE;
+ boolean_t probe = B_FALSE;
- ASSERT(!IS_IPMP(ill));
+ if (IS_UNDER_IPMP(ill)) {
+ probe = ipif_lookup_testaddr_v6(ill, sender, NULL);
+ /*
+ * We send non-probe packets on the upper IPMP interface.
+ * ip_output_simple() will use cast_ill for sending any
+ * multicast packets. Note that we can't follow the same
+ * logic for probe packets because all interfaces in the ipmp
+ * group may have failed, so that we really want to only try
+ * to send the ND packet on the ill corresponding to the src
+ * address.
+ */
+ if (!probe) {
+ ill = ipmp_ill_hold_ipmp_ill(ill);
+ if (ill != NULL)
+ need_refrele = B_TRUE;
+ else
+ ill = hwaddr_ill;
+ }
+ }
/*
- * Check that the sender is actually a usable address on `ill', and if
- * so, track that as the src_ipif. If not, for solicitations, set the
- * sender to :: so that a new one will be picked below; for adverts,
- * drop the packet since we expect nce_xmit_advert() to always provide
- * a valid sender.
+ * If we have a unspecified source(sender) address, select a
+ * proper source address for the solicitation here itself so
+ * that we can initialize the h/w address correctly.
+ *
+ * If the sender is specified then we use this address in order
+ * to lookup the zoneid before calling ip_output_v6(). This is to
+ * enable unicast ND_NEIGHBOR_ADVERT packets to be routed correctly
+ * by IP (we cannot guarantee that the global zone has an interface
+ * route to the destination).
+ *
+ * Note that the NA never comes here with the unspecified source
+ * address.
*/
- if (!IN6_IS_ADDR_UNSPECIFIED(sender)) {
- if ((src_ipif = ip_ndp_lookup_addr_v6(sender, ill)) == NULL ||
- !src_ipif->ipif_addr_ready) {
- if (src_ipif != NULL) {
- ipif_refrele(src_ipif);
- src_ipif = NULL;
- }
- if (type == ND_NEIGHBOR_ADVERT) {
- ip1dbg(("nce_xmit: No source ipif for src %s\n",
- inet_ntop(AF_INET6, sender, buf,
- sizeof (buf))));
- return (B_TRUE);
- }
- sender = &ipv6_all_zeros;
- }
- }
/*
- * If we still have an unspecified source (sender) address and this
- * isn't a probe, select a source address from `ill'.
+ * Probes will have unspec src at this point.
*/
- if (IN6_IS_ADDR_UNSPECIFIED(sender) && !(flag & NDP_PROBE)) {
- ASSERT(type != ND_NEIGHBOR_ADVERT);
+ if (!(IN6_IS_ADDR_UNSPECIFIED(sender))) {
+ zoneid = ipif_lookup_addr_zoneid_v6(sender, ill, ipst);
/*
- * Pick a source address for this solicitation, but restrict
- * the selection to addresses assigned to the output
- * interface. We do this because the destination will create
- * a neighbor cache entry for the source address of this
- * packet, so the source address needs to be a valid neighbor.
+ * It's possible for ipif_lookup_addr_zoneid_v6() to return
+ * ALL_ZONES if it cannot find a matching ipif for the address
+ * we are trying to use. In this case we err on the side of
+ * trying to send the packet by defaulting to the GLOBAL_ZONEID.
*/
- src_ipif = ipif_select_source_v6(ill, target, B_TRUE,
- IPV6_PREFER_SRC_DEFAULT, ALL_ZONES);
- if (src_ipif == NULL) {
- ip1dbg(("nce_xmit: No source ipif for dst %s\n",
- inet_ntop(AF_INET6, target, buf, sizeof (buf))));
- return (B_TRUE);
- }
- sender = &src_ipif->ipif_v6src_addr;
+ if (zoneid == ALL_ZONES)
+ zoneid = GLOBAL_ZONEID;
}
- /*
- * We're either sending a probe or we have a source address.
- */
- ASSERT((flag & NDP_PROBE) || src_ipif != NULL);
-
- maxplen = roundup(sizeof (nd_opt_hdr_t) + ND_MAX_HDW_LEN, 8);
- len = IPV6_HDR_LEN + sizeof (ip6i_t) + sizeof (nd_neighbor_advert_t) +
- maxplen;
+ plen = (sizeof (nd_opt_hdr_t) + hw_addr_len + 7) / 8;
+ len = IPV6_HDR_LEN + sizeof (nd_neighbor_advert_t) + plen * 8;
mp = allocb(len, BPRI_LO);
if (mp == NULL) {
- if (src_ipif != NULL)
- ipif_refrele(src_ipif);
+ if (need_refrele)
+ ill_refrele(ill);
return (B_TRUE);
}
+
bzero((char *)mp->b_rptr, len);
mp->b_wptr = mp->b_rptr + len;
- ip6i = (ip6i_t *)mp->b_rptr;
- ip6i->ip6i_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
- ip6i->ip6i_nxt = IPPROTO_RAW;
- ip6i->ip6i_flags = IP6I_HOPLIMIT;
- if (flag & NDP_PROBE)
- ip6i->ip6i_flags |= IP6I_UNSPEC_SRC;
+ bzero(&ixas, sizeof (ixas));
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V6 | IXAF_NO_HW_CKSUM;
- ip6h = (ip6_t *)(mp->b_rptr + sizeof (ip6i_t));
+ ixas.ixa_ifindex = ill->ill_phyint->phyint_ifindex;
+ ixas.ixa_ipst = ipst;
+ ixas.ixa_cred = kcred;
+ ixas.ixa_cpid = NOPID;
+ ixas.ixa_tsl = NULL;
+ ixas.ixa_zoneid = zoneid;
+
+ ip6h = (ip6_t *)mp->b_rptr;
ip6h->ip6_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
- ip6h->ip6_plen = htons(len - IPV6_HDR_LEN - sizeof (ip6i_t));
+ ip6h->ip6_plen = htons(len - IPV6_HDR_LEN);
ip6h->ip6_nxt = IPPROTO_ICMPV6;
ip6h->ip6_hops = IPV6_MAX_HOPS;
- ip6h->ip6_src = *sender;
+ ixas.ixa_multicast_ttl = ip6h->ip6_hops;
ip6h->ip6_dst = *target;
icmp6 = (icmp6_t *)&ip6h[1];
- opt = (nd_opt_hdr_t *)((uint8_t *)ip6h + IPV6_HDR_LEN +
- sizeof (nd_neighbor_advert_t));
-
- if (type == ND_NEIGHBOR_SOLICIT) {
+ if (hw_addr_len != 0) {
+ opt = (nd_opt_hdr_t *)((uint8_t *)ip6h + IPV6_HDR_LEN +
+ sizeof (nd_neighbor_advert_t));
+ } else {
+ opt = NULL;
+ }
+ if (operation == ND_NEIGHBOR_SOLICIT) {
nd_neighbor_solicit_t *ns = (nd_neighbor_solicit_t *)icmp6;
- if (!(flag & NDP_PROBE))
+ if (opt != NULL && !(flag & NDP_PROBE)) {
+ /*
+ * Note that we don't send out SLLA for ND probes
+ * per RFC 4862, even though we do send out the src
+ * haddr for IPv4 DAD probes, even though both IPv4
+ * and IPv6 go out with the unspecified/INADDR_ANY
+ * src IP addr.
+ */
opt->nd_opt_type = ND_OPT_SOURCE_LINKADDR;
+ }
+ ip6h->ip6_src = *sender;
ns->nd_ns_target = *target;
if (!(flag & NDP_UNICAST)) {
/* Form multicast address of the target */
@@ -2470,7 +2235,9 @@ nce_xmit(ill_t *ill, uint8_t type, boolean_t use_nd_lla,
nd_neighbor_advert_t *na = (nd_neighbor_advert_t *)icmp6;
ASSERT(!(flag & NDP_PROBE));
- opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
+ if (opt != NULL)
+ opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
+ ip6h->ip6_src = *sender;
na->nd_na_target = *sender;
if (flag & NDP_ISROUTER)
na->nd_na_flags_reserved |= ND_NA_FLAG_ROUTER;
@@ -2480,231 +2247,223 @@ nce_xmit(ill_t *ill, uint8_t type, boolean_t use_nd_lla,
na->nd_na_flags_reserved |= ND_NA_FLAG_OVERRIDE;
}
- hw_addr = NULL;
if (!(flag & NDP_PROBE)) {
- /*
- * Use our source address to find the hardware address to put
- * in the packet, so that the hardware address and IP address
- * will match up -- even if that hardware address doesn't
- * match the ill we actually transmit the packet through.
- */
- if (IS_IPMP(src_ipif->ipif_ill)) {
- hwaddr_ill = ipmp_ipif_hold_bound_ill(src_ipif);
- if (hwaddr_ill == NULL) {
- ip1dbg(("nce_xmit: no bound ill!\n"));
- ipif_refrele(src_ipif);
- freemsg(mp);
- return (B_TRUE);
- }
- } else {
- hwaddr_ill = src_ipif->ipif_ill;
- ill_refhold(hwaddr_ill); /* for symmetry */
- }
-
- plen = roundup(sizeof (nd_opt_hdr_t) +
- hwaddr_ill->ill_nd_lla_len, 8);
-
- hw_addr = use_nd_lla ? hwaddr_ill->ill_nd_lla :
- hwaddr_ill->ill_phys_addr;
- if (hw_addr != NULL) {
+ if (hw_addr != NULL && opt != NULL) {
/* Fill in link layer address and option len */
- opt->nd_opt_len = (uint8_t)(plen / 8);
- bcopy(hw_addr, &opt[1], hwaddr_ill->ill_nd_lla_len);
+ opt->nd_opt_len = (uint8_t)plen;
+ bcopy(hw_addr, &opt[1], hw_addr_len);
}
-
- ill_refrele(hwaddr_ill);
+ }
+ if (opt != NULL && opt->nd_opt_type == 0) {
+ /* If there's no link layer address option, then strip it. */
+ len -= plen * 8;
+ mp->b_wptr = mp->b_rptr + len;
+ ip6h->ip6_plen = htons(len - IPV6_HDR_LEN);
}
- if (hw_addr == NULL)
- plen = 0;
-
- /* Fix up the length of the packet now that plen is known */
- len -= (maxplen - plen);
- mp->b_wptr = mp->b_rptr + len;
- ip6h->ip6_plen = htons(len - IPV6_HDR_LEN - sizeof (ip6i_t));
-
- icmp6->icmp6_type = type;
+ icmp6->icmp6_type = (uint8_t)operation;
icmp6->icmp6_code = 0;
/*
* Prepare for checksum by putting icmp length in the icmp
- * checksum field. The checksum is calculated in ip_wput_v6.
+ * checksum field. The checksum is calculated in ip_output.c.
*/
icmp6->icmp6_cksum = ip6h->ip6_plen;
- /*
- * Before we toss the src_ipif, look up the zoneid to pass to
- * ip_output_v6(). This is to ensure unicast ND_NEIGHBOR_ADVERT
- * packets to be routed correctly by IP (we cannot guarantee that the
- * global zone has an interface route to the destination).
- */
- if (src_ipif != NULL) {
- if ((zoneid = src_ipif->ipif_zoneid) == ALL_ZONES)
- zoneid = GLOBAL_ZONEID;
- ipif_refrele(src_ipif);
- }
-
- ip_output_v6((void *)(uintptr_t)zoneid, mp, ill->ill_wq, IP_WPUT);
+ (void) ip_output_simple(mp, &ixas);
+ ixa_cleanup(&ixas);
+ if (need_refrele)
+ ill_refrele(ill);
return (B_FALSE);
}
/*
- * Make a link layer address (does not include the SAP) from an nce.
- * To form the link layer address, use the last four bytes of ipv6
- * address passed in and the fixed offset stored in nce.
+ * Used to set ND_UNREACHBLE before ncec_delete sets it NCE_F_CONDEMNED.
+ * The datapath uses this as an indication that there
+ * is a problem (as opposed to a NCE that was just
+ * reclaimed due to lack of memory.
+ * Note that static ARP entries never become unreachable.
*/
-static void
-nce_make_mapping(nce_t *nce, uchar_t *addrpos, uchar_t *addr)
-{
- uchar_t *mask, *to;
- ill_t *ill = nce->nce_ill;
- int len;
-
- if (ill->ill_net_type == IRE_IF_NORESOLVER)
- return;
- ASSERT(nce->nce_res_mp != NULL);
- ASSERT(ill->ill_net_type == IRE_IF_RESOLVER);
- ASSERT(nce->nce_flags & NCE_F_MAPPING);
- ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&nce->nce_extract_mask));
- ASSERT(addr != NULL);
- bcopy(nce->nce_res_mp->b_rptr + NCE_LL_ADDR_OFFSET(ill),
- addrpos, ill->ill_nd_lla_len);
- len = MIN((int)ill->ill_nd_lla_len - nce->nce_ll_extract_start,
- IPV6_ADDR_LEN);
- mask = (uchar_t *)&nce->nce_extract_mask;
- mask += (IPV6_ADDR_LEN - len);
- addr += (IPV6_ADDR_LEN - len);
- to = addrpos + nce->nce_ll_extract_start;
- while (len-- > 0)
- *to++ |= *mask++ & *addr++;
-}
-
-mblk_t *
-nce_udreq_alloc(ill_t *ill)
+void
+nce_make_unreachable(ncec_t *ncec)
{
- mblk_t *template_mp = NULL;
- dl_unitdata_req_t *dlur;
- int sap_length;
-
- ASSERT(ill->ill_isv6);
-
- sap_length = ill->ill_sap_length;
- template_mp = ip_dlpi_alloc(sizeof (dl_unitdata_req_t) +
- ill->ill_nd_lla_len + ABS(sap_length), DL_UNITDATA_REQ);
- if (template_mp == NULL)
- return (NULL);
-
- dlur = (dl_unitdata_req_t *)template_mp->b_rptr;
- dlur->dl_priority.dl_min = 0;
- dlur->dl_priority.dl_max = 0;
- dlur->dl_dest_addr_length = ABS(sap_length) + ill->ill_nd_lla_len;
- dlur->dl_dest_addr_offset = sizeof (dl_unitdata_req_t);
-
- /* Copy in the SAP value. */
- NCE_LL_SAP_COPY(ill, template_mp);
-
- return (template_mp);
+ mutex_enter(&ncec->ncec_lock);
+ ncec->ncec_state = ND_UNREACHABLE;
+ mutex_exit(&ncec->ncec_lock);
}
/*
- * NDP retransmit timer.
+ * NCE retransmit timer. Common to IPv4 and IPv6.
* This timer goes off when:
- * a. It is time to retransmit NS for resolver.
+ * a. It is time to retransmit a resolution for resolver.
* b. It is time to send reachability probes.
*/
void
-ndp_timer(void *arg)
+nce_timer(void *arg)
{
- nce_t *nce = arg;
- ill_t *ill = nce->nce_ill;
+ ncec_t *ncec = arg;
+ ill_t *ill = ncec->ncec_ill, *src_ill;
char addrbuf[INET6_ADDRSTRLEN];
boolean_t dropped = B_FALSE;
- ip_stack_t *ipst = ill->ill_ipst;
+ ip_stack_t *ipst = ncec->ncec_ipst;
+ boolean_t isv6 = (ncec->ncec_ipversion == IPV6_VERSION);
+ in_addr_t sender4 = INADDR_ANY;
+ in6_addr_t sender6 = ipv6_all_zeros;
/*
- * The timer has to be cancelled by ndp_delete before doing the final
+ * The timer has to be cancelled by ncec_delete before doing the final
* refrele. So the NCE is guaranteed to exist when the timer runs
* until it clears the timeout_id. Before clearing the timeout_id
- * bump up the refcnt so that we can continue to use the nce
+ * bump up the refcnt so that we can continue to use the ncec
*/
- ASSERT(nce != NULL);
-
- mutex_enter(&nce->nce_lock);
- NCE_REFHOLD_LOCKED(nce);
- nce->nce_timeout_id = 0;
+ ASSERT(ncec != NULL);
+ mutex_enter(&ncec->ncec_lock);
+ ncec_refhold_locked(ncec);
+ ncec->ncec_timeout_id = 0;
+ mutex_exit(&ncec->ncec_lock);
+
+ src_ill = nce_resolve_src(ncec, &sender6);
+ /* if we could not find a sender address, return */
+ if (src_ill == NULL) {
+ if (!isv6) {
+ IN6_V4MAPPED_TO_IPADDR(&ncec->ncec_addr, sender4);
+ ip1dbg(("no src ill for %s\n", inet_ntop(AF_INET,
+ &sender4, addrbuf, sizeof (addrbuf))));
+ } else {
+ ip1dbg(("no src ill for %s\n", inet_ntop(AF_INET6,
+ &ncec->ncec_addr, addrbuf, sizeof (addrbuf))));
+ }
+ nce_restart_timer(ncec, ill->ill_reachable_retrans_time);
+ ncec_refrele(ncec);
+ return;
+ }
+ if (!isv6)
+ IN6_V4MAPPED_TO_IPADDR(&sender6, sender4);
+ mutex_enter(&ncec->ncec_lock);
/*
- * Check the reachability state first.
+ * Check the reachability state.
*/
- switch (nce->nce_state) {
+ switch (ncec->ncec_state) {
case ND_DELAY:
- nce->nce_state = ND_PROBE;
- mutex_exit(&nce->nce_lock);
- (void) nce_xmit_solicit(nce, B_FALSE, &ipv6_all_zeros,
- NDP_UNICAST);
+ ASSERT(ncec->ncec_lladdr != NULL);
+ ncec->ncec_state = ND_PROBE;
+ ncec->ncec_pcnt = ND_MAX_UNICAST_SOLICIT;
+ if (isv6) {
+ mutex_exit(&ncec->ncec_lock);
+ (void) ndp_xmit(src_ill, ND_NEIGHBOR_SOLICIT,
+ src_ill->ill_phys_addr,
+ src_ill->ill_phys_addr_length,
+ &sender6, &ncec->ncec_addr,
+ NDP_UNICAST);
+ } else {
+ (void) arp_request(ncec, sender4, src_ill);
+ mutex_exit(&ncec->ncec_lock);
+ }
if (ip_debug > 3) {
/* ip2dbg */
- pr_addr_dbg("ndp_timer: state for %s changed "
- "to PROBE\n", AF_INET6, &nce->nce_addr);
+ pr_addr_dbg("nce_timer: state for %s changed "
+ "to PROBE\n", AF_INET6, &ncec->ncec_addr);
}
- NDP_RESTART_TIMER(nce, ill->ill_reachable_retrans_time);
- NCE_REFRELE(nce);
- return;
+ nce_restart_timer(ncec, ill->ill_reachable_retrans_time);
+ break;
case ND_PROBE:
/* must be retransmit timer */
- nce->nce_pcnt--;
- ASSERT(nce->nce_pcnt < ND_MAX_UNICAST_SOLICIT &&
- nce->nce_pcnt >= -1);
- if (nce->nce_pcnt > 0) {
+ ASSERT(ncec->ncec_pcnt >= -1);
+ if (ncec->ncec_pcnt > 0) {
/*
- * As per RFC2461, the nce gets deleted after
+ * As per RFC2461, the ncec gets deleted after
* MAX_UNICAST_SOLICIT unsuccessful re-transmissions.
* Note that the first unicast solicitation is sent
* during the DELAY state.
*/
- ip2dbg(("ndp_timer: pcount=%x dst %s\n",
- nce->nce_pcnt, inet_ntop(AF_INET6, &nce->nce_addr,
- addrbuf, sizeof (addrbuf))));
- mutex_exit(&nce->nce_lock);
- dropped = nce_xmit_solicit(nce, B_FALSE,
- &ipv6_all_zeros,
- (nce->nce_flags & NCE_F_PERMANENT) ? NDP_PROBE :
- NDP_UNICAST);
- if (dropped) {
- mutex_enter(&nce->nce_lock);
- nce->nce_pcnt++;
- mutex_exit(&nce->nce_lock);
+ ip2dbg(("nce_timer: pcount=%x dst %s\n",
+ ncec->ncec_pcnt,
+ inet_ntop((isv6? AF_INET6 : AF_INET),
+ &ncec->ncec_addr, addrbuf, sizeof (addrbuf))));
+ if (NCE_PUBLISH(ncec)) {
+ mutex_exit(&ncec->ncec_lock);
+ /*
+ * send out a probe; note that src_ill
+ * is ignored by nce_dad() for all
+ * DAD message types other than IPv6
+ * unicast probes
+ */
+ nce_dad(ncec, src_ill, B_TRUE);
+ } else {
+ ASSERT(src_ill != NULL);
+ ncec->ncec_pcnt--;
+ if (isv6) {
+ mutex_exit(&ncec->ncec_lock);
+ (void) ndp_xmit(src_ill,
+ ND_NEIGHBOR_SOLICIT,
+ src_ill->ill_phys_addr,
+ src_ill->ill_phys_addr_length,
+ &sender6, &ncec->ncec_addr,
+ NDP_UNICAST);
+ } else {
+ /*
+ * since the nce is REACHABLE,
+ * the ARP request will be sent out
+ * as a link-layer unicast.
+ */
+ (void) arp_request(ncec, sender4,
+ src_ill);
+ mutex_exit(&ncec->ncec_lock);
+ }
+ nce_restart_timer(ncec,
+ ill->ill_reachable_retrans_time);
}
- NDP_RESTART_TIMER(nce, ILL_PROBE_INTERVAL(ill));
- } else if (nce->nce_pcnt < 0) {
- /* No hope, delete the nce */
- nce->nce_state = ND_UNREACHABLE;
- mutex_exit(&nce->nce_lock);
+ } else if (ncec->ncec_pcnt < 0) {
+ /* No hope, delete the ncec */
+ /* Tell datapath it went bad */
+ ncec->ncec_state = ND_UNREACHABLE;
+ mutex_exit(&ncec->ncec_lock);
if (ip_debug > 2) {
/* ip1dbg */
- pr_addr_dbg("ndp_timer: Delete IRE for"
- " dst %s\n", AF_INET6, &nce->nce_addr);
+ pr_addr_dbg("nce_timer: Delete NCE for"
+ " dst %s\n", (isv6? AF_INET6: AF_INET),
+ &ncec->ncec_addr);
}
- ndp_delete(nce);
- } else if (!(nce->nce_flags & NCE_F_PERMANENT)) {
- /* Wait RetransTimer, before deleting the entry */
- ip2dbg(("ndp_timer: pcount=%x dst %s\n",
- nce->nce_pcnt, inet_ntop(AF_INET6,
- &nce->nce_addr, addrbuf, sizeof (addrbuf))));
- mutex_exit(&nce->nce_lock);
+ /* if static ARP can't delete. */
+ if ((ncec->ncec_flags & NCE_F_STATIC) == 0)
+ ncec_delete(ncec);
+
+ } else if (!NCE_PUBLISH(ncec)) {
+ /*
+ * Probe count is 0 for a dynamic entry (one that we
+ * ourselves are not publishing). We should never get
+ * here if NONUD was requested, hence the ASSERT below.
+ */
+ ASSERT((ncec->ncec_flags & NCE_F_NONUD) == 0);
+ ip2dbg(("nce_timer: pcount=%x dst %s\n",
+ ncec->ncec_pcnt, inet_ntop(AF_INET6,
+ &ncec->ncec_addr, addrbuf, sizeof (addrbuf))));
+ ncec->ncec_pcnt--;
+ mutex_exit(&ncec->ncec_lock);
/* Wait one interval before killing */
- NDP_RESTART_TIMER(nce, ill->ill_reachable_retrans_time);
+ nce_restart_timer(ncec,
+ ill->ill_reachable_retrans_time);
} else if (ill->ill_phyint->phyint_flags & PHYI_RUNNING) {
ipif_t *ipif;
+ ipaddr_t ncec_addr;
/*
* We're done probing, and we can now declare this
* address to be usable. Let IP know that it's ok to
* use.
*/
- nce->nce_state = ND_REACHABLE;
- mutex_exit(&nce->nce_lock);
- ipif = ip_ndp_lookup_addr_v6(&nce->nce_addr,
- nce->nce_ill);
+ ncec->ncec_state = ND_REACHABLE;
+ ncec->ncec_flags &= ~NCE_F_UNVERIFIED;
+ mutex_exit(&ncec->ncec_lock);
+ if (isv6) {
+ ipif = ipif_lookup_addr_exact_v6(
+ &ncec->ncec_addr, ill, ipst);
+ } else {
+ IN6_V4MAPPED_TO_IPADDR(&ncec->ncec_addr,
+ ncec_addr);
+ ipif = ipif_lookup_addr_exact(ncec_addr, ill,
+ ipst);
+ }
if (ipif != NULL) {
if (ipif->ipif_was_dup) {
char ibuf[LIFNAMSIZ + 10];
@@ -2725,17 +2484,28 @@ ndp_timer(void *arg)
ipif->ipif_addr_ready = 1;
ipif_refrele(ipif);
}
+ if (!isv6 && arp_no_defense)
+ break;
/* Begin defending our new address */
- nce->nce_unsolicit_count = 0;
- dropped = nce_xmit_advert(nce, B_FALSE,
- &ipv6_all_hosts_mcast, 0);
- if (dropped) {
- nce->nce_unsolicit_count = 1;
- NDP_RESTART_TIMER(nce,
- ipst->ips_ip_ndp_unsolicit_interval);
- } else if (ipst->ips_ip_ndp_defense_interval != 0) {
- NDP_RESTART_TIMER(nce,
- ipst->ips_ip_ndp_defense_interval);
+ if (ncec->ncec_unsolicit_count > 0) {
+ ncec->ncec_unsolicit_count--;
+ if (isv6) {
+ dropped = ndp_announce(ncec);
+ } else {
+ dropped = arp_announce(ncec);
+ }
+
+ if (dropped)
+ ncec->ncec_unsolicit_count++;
+ else
+ ncec->ncec_last_time_defended =
+ ddi_get_lbolt();
+ }
+ if (ncec->ncec_unsolicit_count > 0) {
+ nce_restart_timer(ncec,
+ ANNOUNCE_INTERVAL(isv6));
+ } else if (DEFENSE_INTERVAL(isv6) != 0) {
+ nce_restart_timer(ncec, DEFENSE_INTERVAL(isv6));
}
} else {
/*
@@ -2744,76 +2514,93 @@ ndp_timer(void *arg)
* doing anything, but switch to reachable state so
* that the restart will work.
*/
- nce->nce_state = ND_REACHABLE;
- mutex_exit(&nce->nce_lock);
+ ncec->ncec_state = ND_REACHABLE;
+ mutex_exit(&ncec->ncec_lock);
}
- NCE_REFRELE(nce);
- return;
+ break;
case ND_INCOMPLETE: {
- ip6_t *ip6h;
- ip6i_t *ip6i;
- mblk_t *mp, *datamp, *nextmp, **prevmpp;
+ mblk_t *mp, *nextmp;
+ mblk_t **prevmpp;
/*
- * Per case (2) in the nce_queue_mp() comments, scan nce_qd_mp
- * for any IPMP probe packets, and toss 'em. IPMP probe
- * packets will always be at the head of nce_qd_mp and always
- * have an ip6i_t header, so we can stop at the first queued
- * ND packet without an ip6i_t.
+ * Per case (2) in the nce_queue_mp() comments, scan ncec_qd_mp
+ * for any IPMP probe packets, and toss them. IPMP probe
+ * packets will always be at the head of ncec_qd_mp, so that
+ * we can stop at the first queued ND packet that is
+ * not a probe packet.
*/
- prevmpp = &nce->nce_qd_mp;
- for (mp = nce->nce_qd_mp; mp != NULL; mp = nextmp) {
+ prevmpp = &ncec->ncec_qd_mp;
+ for (mp = ncec->ncec_qd_mp; mp != NULL; mp = nextmp) {
nextmp = mp->b_next;
- datamp = (DB_TYPE(mp) == M_CTL) ? mp->b_cont : mp;
- ip6h = (ip6_t *)datamp->b_rptr;
- if (ip6h->ip6_nxt != IPPROTO_RAW)
- break;
- ip6i = (ip6i_t *)ip6h;
- if (ip6i->ip6i_flags & IP6I_IPMP_PROBE) {
+ if (IS_UNDER_IPMP(ill) && ncec->ncec_nprobes > 0) {
inet_freemsg(mp);
+ ncec->ncec_nprobes--;
*prevmpp = nextmp;
} else {
prevmpp = &mp->b_next;
}
}
- ip_ndp_resolve(nce);
- mutex_exit(&nce->nce_lock);
- NCE_REFRELE(nce);
+
+ /*
+ * Must be resolver's retransmit timer.
+ */
+ mutex_exit(&ncec->ncec_lock);
+ ip_ndp_resolve(ncec);
break;
}
case ND_REACHABLE:
- if (((nce->nce_flags & NCE_F_UNSOL_ADV) &&
- nce->nce_unsolicit_count != 0) ||
- ((nce->nce_flags & NCE_F_PERMANENT) &&
- ipst->ips_ip_ndp_defense_interval != 0)) {
- if (nce->nce_unsolicit_count > 0)
- nce->nce_unsolicit_count--;
- mutex_exit(&nce->nce_lock);
- dropped = nce_xmit_advert(nce, B_FALSE,
- &ipv6_all_hosts_mcast, 0);
+ if (((ncec->ncec_flags & NCE_F_UNSOL_ADV) &&
+ ncec->ncec_unsolicit_count != 0) ||
+ (NCE_PUBLISH(ncec) && DEFENSE_INTERVAL(isv6) != 0)) {
+ if (ncec->ncec_unsolicit_count > 0) {
+ ncec->ncec_unsolicit_count--;
+ mutex_exit(&ncec->ncec_lock);
+ /*
+ * When we get to zero announcements left,
+ * switch to address defense
+ */
+ } else {
+ boolean_t rate_limit;
+
+ mutex_exit(&ncec->ncec_lock);
+ rate_limit = ill_defend_rate_limit(ill, ncec);
+ if (rate_limit) {
+ nce_restart_timer(ncec,
+ DEFENSE_INTERVAL(isv6));
+ break;
+ }
+ }
+ if (isv6) {
+ dropped = ndp_announce(ncec);
+ } else {
+ dropped = arp_announce(ncec);
+ }
+ mutex_enter(&ncec->ncec_lock);
if (dropped) {
- mutex_enter(&nce->nce_lock);
- nce->nce_unsolicit_count++;
- mutex_exit(&nce->nce_lock);
+ ncec->ncec_unsolicit_count++;
+ } else {
+ ncec->ncec_last_time_defended =
+ ddi_get_lbolt();
}
- if (nce->nce_unsolicit_count != 0) {
- NDP_RESTART_TIMER(nce,
- ipst->ips_ip_ndp_unsolicit_interval);
+ mutex_exit(&ncec->ncec_lock);
+ if (ncec->ncec_unsolicit_count != 0) {
+ nce_restart_timer(ncec,
+ ANNOUNCE_INTERVAL(isv6));
} else {
- NDP_RESTART_TIMER(nce,
- ipst->ips_ip_ndp_defense_interval);
+ nce_restart_timer(ncec, DEFENSE_INTERVAL(isv6));
}
} else {
- mutex_exit(&nce->nce_lock);
+ mutex_exit(&ncec->ncec_lock);
}
- NCE_REFRELE(nce);
break;
default:
- mutex_exit(&nce->nce_lock);
- NCE_REFRELE(nce);
+ mutex_exit(&ncec->ncec_lock);
break;
}
+done:
+ ncec_refrele(ncec);
+ ill_refrele(src_ill);
}
/*
@@ -2821,31 +2608,21 @@ ndp_timer(void *arg)
* Copy SAP from ill.
*/
static void
-nce_set_ll(nce_t *nce, uchar_t *ll_addr)
+nce_set_ll(ncec_t *ncec, uchar_t *ll_addr)
{
- ill_t *ill = nce->nce_ill;
- uchar_t *woffset;
+ ill_t *ill = ncec->ncec_ill;
ASSERT(ll_addr != NULL);
- /* Always called before fast_path_probe */
- ASSERT(nce->nce_fp_mp == NULL);
- if (ill->ill_sap_length != 0) {
- /*
- * Copy the SAP type specified in the
- * request into the xmit template.
- */
- NCE_LL_SAP_COPY(ill, nce->nce_res_mp);
- }
if (ill->ill_phys_addr_length > 0) {
/*
* The bcopy() below used to be called for the physical address
* length rather than the link layer address length. For
* ethernet and many other media, the phys_addr and lla are
* identical.
- * However, with xresolv interfaces being introduced, the
- * phys_addr and lla are no longer the same, and the physical
- * address may not have any useful meaning, so we use the lla
- * for IPv6 address resolution and destination addressing.
+ *
+ * The phys_addr and lla may not be the same for devices that
+ * support DL_IPV6_LINK_LAYER_ADDR, though there are currently
+ * no known instances of these.
*
* For PPP or other interfaces with a zero length
* physical address, don't do anything here.
@@ -2854,22 +2631,18 @@ nce_set_ll(nce_t *nce, uchar_t *ll_addr)
* Using the lla for them would change the way they operate.
* Doing nothing in such cases preserves expected behavior.
*/
- woffset = nce->nce_res_mp->b_rptr + NCE_LL_ADDR_OFFSET(ill);
- bcopy(ll_addr, woffset, ill->ill_nd_lla_len);
+ bcopy(ll_addr, ncec->ncec_lladdr, ill->ill_nd_lla_len);
}
}
-static boolean_t
-nce_cmp_ll_addr(const nce_t *nce, const uchar_t *ll_addr, uint32_t ll_addr_len)
+boolean_t
+nce_cmp_ll_addr(const ncec_t *ncec, const uchar_t *ll_addr,
+ uint32_t ll_addr_len)
{
- ill_t *ill = nce->nce_ill;
- uchar_t *ll_offset;
-
- ASSERT(nce->nce_res_mp != NULL);
+ ASSERT(ncec->ncec_lladdr != NULL);
if (ll_addr == NULL)
return (B_FALSE);
- ll_offset = nce->nce_res_mp->b_rptr + NCE_LL_ADDR_OFFSET(ill);
- if (bcmp(ll_addr, ll_offset, ll_addr_len) != 0)
+ if (bcmp(ll_addr, ncec->ncec_lladdr, ll_addr_len) != 0)
return (B_TRUE);
return (B_FALSE);
}
@@ -2878,15 +2651,16 @@ nce_cmp_ll_addr(const nce_t *nce, const uchar_t *ll_addr, uint32_t ll_addr_len)
* Updates the link layer address or the reachability state of
* a cache entry. Reset probe counter if needed.
*/
-static void
-nce_update(nce_t *nce, uint16_t new_state, uchar_t *new_ll_addr)
+void
+nce_update(ncec_t *ncec, uint16_t new_state, uchar_t *new_ll_addr)
{
- ill_t *ill = nce->nce_ill;
+ ill_t *ill = ncec->ncec_ill;
boolean_t need_stop_timer = B_FALSE;
boolean_t need_fastpath_update = B_FALSE;
+ nce_t *nce = NULL;
+ timeout_id_t tid;
- ASSERT(MUTEX_HELD(&nce->nce_lock));
- ASSERT(nce->nce_ipversion == IPV6_VERSION);
+ ASSERT(MUTEX_HELD(&ncec->ncec_lock));
/*
* If this interface does not do NUD, there is no point
* in allowing an update to the cache entry. Although
@@ -2896,184 +2670,251 @@ nce_update(nce_t *nce, uint16_t new_state, uchar_t *new_ll_addr)
* Non-Resolvers will always be created as REACHABLE.
*/
if (new_state != ND_UNCHANGED) {
- if ((nce->nce_flags & NCE_F_NONUD) &&
- (nce->nce_state != ND_INCOMPLETE))
+ if ((ncec->ncec_flags & NCE_F_NONUD) &&
+ (ncec->ncec_state != ND_INCOMPLETE))
return;
ASSERT((int16_t)new_state >= ND_STATE_VALID_MIN);
ASSERT((int16_t)new_state <= ND_STATE_VALID_MAX);
need_stop_timer = B_TRUE;
if (new_state == ND_REACHABLE)
- nce->nce_last = TICK_TO_MSEC(lbolt64);
+ ncec->ncec_last = TICK_TO_MSEC(lbolt64);
else {
/* We force NUD in this case */
- nce->nce_last = 0;
+ ncec->ncec_last = 0;
}
- nce->nce_state = new_state;
- nce->nce_pcnt = ND_MAX_UNICAST_SOLICIT;
+ ncec->ncec_state = new_state;
+ ncec->ncec_pcnt = ND_MAX_UNICAST_SOLICIT;
+ ASSERT(ncec->ncec_lladdr != NULL || new_state == ND_INITIAL ||
+ new_state == ND_INCOMPLETE);
+ }
+ if (need_stop_timer || (ncec->ncec_flags & NCE_F_STATIC)) {
+ tid = ncec->ncec_timeout_id;
+ ncec->ncec_timeout_id = 0;
}
/*
- * In case of fast path we need to free the the fastpath
- * M_DATA and do another probe. Otherwise we can just
+ * Re-trigger fastpath probe and
* overwrite the DL_UNITDATA_REQ data, noting we'll lose
* whatever packets that happens to be transmitting at the time.
*/
if (new_ll_addr != NULL) {
- ASSERT(nce->nce_res_mp->b_rptr + NCE_LL_ADDR_OFFSET(ill) +
- ill->ill_nd_lla_len <= nce->nce_res_mp->b_wptr);
- bcopy(new_ll_addr, nce->nce_res_mp->b_rptr +
- NCE_LL_ADDR_OFFSET(ill), ill->ill_nd_lla_len);
- if (nce->nce_fp_mp != NULL) {
- freemsg(nce->nce_fp_mp);
- nce->nce_fp_mp = NULL;
- }
+ bcopy(new_ll_addr, ncec->ncec_lladdr,
+ ill->ill_phys_addr_length);
need_fastpath_update = B_TRUE;
}
- mutex_exit(&nce->nce_lock);
- if (need_stop_timer) {
- (void) untimeout(nce->nce_timeout_id);
- nce->nce_timeout_id = 0;
+ mutex_exit(&ncec->ncec_lock);
+ if (need_stop_timer || (ncec->ncec_flags & NCE_F_STATIC)) {
+ if (tid != 0)
+ (void) untimeout(tid);
}
- if (need_fastpath_update)
- nce_fastpath(nce);
- mutex_enter(&nce->nce_lock);
+ if (need_fastpath_update) {
+ /*
+ * Delete any existing existing dlur_mp and fp_mp information.
+ * For IPMP interfaces, all underlying ill's must be checked
+ * and purged.
+ */
+ nce_fastpath_list_delete(ncec->ncec_ill, ncec, NULL);
+ /*
+ * add the new dlur_mp and fp_mp
+ */
+ nce = nce_fastpath(ncec, B_TRUE, NULL);
+ if (nce != NULL)
+ nce_refrele(nce);
+ }
+ mutex_enter(&ncec->ncec_lock);
}
-void
-nce_queue_mp_common(nce_t *nce, mblk_t *mp, boolean_t head_insert)
+static void
+nce_queue_mp_common(ncec_t *ncec, mblk_t *mp, boolean_t head_insert)
{
uint_t count = 0;
mblk_t **mpp, *tmp;
- ASSERT(MUTEX_HELD(&nce->nce_lock));
+ ASSERT(MUTEX_HELD(&ncec->ncec_lock));
- for (mpp = &nce->nce_qd_mp; *mpp != NULL; mpp = &(*mpp)->b_next) {
- if (++count > nce->nce_ill->ill_max_buf) {
- tmp = nce->nce_qd_mp->b_next;
- nce->nce_qd_mp->b_next = NULL;
- nce->nce_qd_mp->b_prev = NULL;
- freemsg(nce->nce_qd_mp);
- nce->nce_qd_mp = tmp;
+ for (mpp = &ncec->ncec_qd_mp; *mpp != NULL; mpp = &(*mpp)->b_next) {
+ if (++count > ncec->ncec_ill->ill_max_buf) {
+ tmp = ncec->ncec_qd_mp->b_next;
+ ncec->ncec_qd_mp->b_next = NULL;
+ /*
+ * if we never create data addrs on the under_ill
+ * does this matter?
+ */
+ BUMP_MIB(ncec->ncec_ill->ill_ip_mib,
+ ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", ncec->ncec_qd_mp,
+ ncec->ncec_ill);
+ freemsg(ncec->ncec_qd_mp);
+ ncec->ncec_qd_mp = tmp;
}
}
if (head_insert) {
- mp->b_next = nce->nce_qd_mp;
- nce->nce_qd_mp = mp;
+ ncec->ncec_nprobes++;
+ mp->b_next = ncec->ncec_qd_mp;
+ ncec->ncec_qd_mp = mp;
} else {
*mpp = mp;
}
}
-static void
-nce_queue_mp(nce_t *nce, mblk_t *mp)
+/*
+ * nce_queue_mp will queue the packet into the ncec_qd_mp. The packet will be
+ * queued at the head or tail of the queue based on the input argument
+ * 'head_insert'. The caller should specify this argument as B_TRUE if this
+ * packet is an IPMP probe packet, in which case the following happens:
+ *
+ * 1. Insert it at the head of the ncec_qd_mp list. Consider the normal
+ * (non-ipmp_probe) load-speading case where the source address of the ND
+ * packet is not tied to ncec_ill. If the ill bound to the source address
+ * cannot receive, the response to the ND packet will not be received.
+ * However, if ND packets for ncec_ill's probes are queued behind that ND
+ * packet, those probes will also fail to be sent, and thus in.mpathd will
+ * erroneously conclude that ncec_ill has also failed.
+ *
+ * 2. Drop the ipmp_probe packet in ndp_timer() if the ND did not succeed on
+ * the first attempt. This ensures that ND problems do not manifest as
+ * probe RTT spikes.
+ *
+ * We achieve this by inserting ipmp_probe() packets at the head of the
+ * nce_queue.
+ *
+ * The ncec for the probe target is created with ncec_ill set to the ipmp_ill,
+ * but the caller needs to set head_insert to B_TRUE if this is a probe packet.
+ */
+void
+nce_queue_mp(ncec_t *ncec, mblk_t *mp, boolean_t head_insert)
{
- boolean_t head_insert = B_FALSE;
- ip6_t *ip6h;
- ip6i_t *ip6i;
- mblk_t *data_mp;
+ ASSERT(MUTEX_HELD(&ncec->ncec_lock));
+ nce_queue_mp_common(ncec, mp, head_insert);
+}
- ASSERT(MUTEX_HELD(&nce->nce_lock));
+/*
+ * Called when address resolution failed due to a timeout.
+ * Send an ICMP unreachable in response to all queued packets.
+ */
+void
+ndp_resolv_failed(ncec_t *ncec)
+{
+ mblk_t *mp, *nxt_mp;
+ char buf[INET6_ADDRSTRLEN];
+ ill_t *ill = ncec->ncec_ill;
+ ip_recv_attr_t iras;
- if (mp->b_datap->db_type == M_CTL)
- data_mp = mp->b_cont;
- else
- data_mp = mp;
- ip6h = (ip6_t *)data_mp->b_rptr;
- if (ip6h->ip6_nxt == IPPROTO_RAW) {
- /*
- * This message should have been pulled up already in
- * ip_wput_v6. We can't do pullups here because the message
- * could be from the nce_qd_mp which could have b_next/b_prev
- * non-NULL.
- */
- ip6i = (ip6i_t *)ip6h;
- ASSERT(MBLKL(data_mp) >= sizeof (ip6i_t) + IPV6_HDR_LEN);
+ bzero(&iras, sizeof (iras));
+ iras.ira_flags = 0;
+ /*
+ * we are setting the ira_rill to the ipmp_ill (instead of
+ * the actual ill on which the packet was received), but this
+ * is ok because we don't actually need the real ira_rill.
+ * to send the icmp unreachable to the sender.
+ */
+ iras.ira_ill = iras.ira_rill = ill;
+ iras.ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+ iras.ira_rifindex = iras.ira_ruifindex;
+
+ ip1dbg(("ndp_resolv_failed: dst %s\n",
+ inet_ntop(AF_INET6, (char *)&ncec->ncec_addr, buf, sizeof (buf))));
+ mutex_enter(&ncec->ncec_lock);
+ mp = ncec->ncec_qd_mp;
+ ncec->ncec_qd_mp = NULL;
+ ncec->ncec_nprobes = 0;
+ mutex_exit(&ncec->ncec_lock);
+ while (mp != NULL) {
+ nxt_mp = mp->b_next;
+ mp->b_next = NULL;
- /*
- * If this packet is marked IP6I_IPMP_PROBE, then we need to:
- *
- * 1. Insert it at the head of the nce_qd_mp list. Consider
- * the normal (non-probe) load-speading case where the
- * source address of the ND packet is not tied to nce_ill.
- * If the ill bound to the source address cannot receive,
- * the response to the ND packet will not be received.
- * However, if ND packets for nce_ill's probes are queued
- * behind that ND packet, those probes will also fail to
- * be sent, and thus in.mpathd will erroneously conclude
- * that nce_ill has also failed.
- *
- * 2. Drop the probe packet in ndp_timer() if the ND did
- * not succeed on the first attempt. This ensures that
- * ND problems do not manifest as probe RTT spikes.
- */
- if (ip6i->ip6i_flags & IP6I_IPMP_PROBE)
- head_insert = B_TRUE;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - address unreachable",
+ mp, ill);
+ icmp_unreachable_v6(mp,
+ ICMP6_DST_UNREACH_ADDR, B_FALSE, &iras);
+ ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
+ mp = nxt_mp;
}
- nce_queue_mp_common(nce, mp, head_insert);
+ ncec_cb_dispatch(ncec); /* finish off waiting callbacks */
}
/*
- * Called when address resolution failed due to a timeout.
- * Send an ICMP unreachable in response to all queued packets.
+ * Handle the completion of NDP and ARP resolution.
*/
void
-nce_resolv_failed(nce_t *nce)
+nce_resolv_ok(ncec_t *ncec)
{
- mblk_t *mp, *nxt_mp, *first_mp;
- char buf[INET6_ADDRSTRLEN];
- ip6_t *ip6h;
- zoneid_t zoneid = GLOBAL_ZONEID;
- ip_stack_t *ipst = nce->nce_ill->ill_ipst;
+ mblk_t *mp;
+ uint_t pkt_len;
+ iaflags_t ixaflags = IXAF_NO_TRACE;
+ nce_t *nce;
+ ill_t *ill = ncec->ncec_ill;
+ boolean_t isv6 = (ncec->ncec_ipversion == IPV6_VERSION);
+ ip_stack_t *ipst = ill->ill_ipst;
+
+ if (IS_IPMP(ncec->ncec_ill)) {
+ nce_resolv_ipmp_ok(ncec);
+ return;
+ }
+ /* non IPMP case */
+
+ mutex_enter(&ncec->ncec_lock);
+ ASSERT(ncec->ncec_nprobes == 0);
+ mp = ncec->ncec_qd_mp;
+ ncec->ncec_qd_mp = NULL;
+ mutex_exit(&ncec->ncec_lock);
- ip1dbg(("nce_resolv_failed: dst %s\n",
- inet_ntop(AF_INET6, (char *)&nce->nce_addr, buf, sizeof (buf))));
- mutex_enter(&nce->nce_lock);
- mp = nce->nce_qd_mp;
- nce->nce_qd_mp = NULL;
- mutex_exit(&nce->nce_lock);
while (mp != NULL) {
+ mblk_t *nxt_mp;
+
+ if (ill->ill_isv6) {
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+
+ pkt_len = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
+ } else {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ ixaflags |= IXAF_IS_IPV4;
+ pkt_len = ntohs(ipha->ipha_length);
+ }
nxt_mp = mp->b_next;
mp->b_next = NULL;
- mp->b_prev = NULL;
-
- first_mp = mp;
- if (mp->b_datap->db_type == M_CTL) {
- ipsec_out_t *io = (ipsec_out_t *)mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- zoneid = io->ipsec_out_zoneid;
- ASSERT(zoneid != ALL_ZONES);
- mp = mp->b_cont;
- mp->b_next = NULL;
- mp->b_prev = NULL;
- }
-
- ip6h = (ip6_t *)mp->b_rptr;
- if (ip6h->ip6_nxt == IPPROTO_RAW) {
- ip6i_t *ip6i;
+ /*
+ * IXAF_NO_DEV_FLOW_CTL information for TCP packets is no
+ * longer available, but it's ok to drop this flag because TCP
+ * has its own flow-control in effect, so TCP packets
+ * are not likely to get here when flow-control is in effect.
+ */
+ mutex_enter(&ill->ill_lock);
+ nce = nce_lookup(ill, &ncec->ncec_addr);
+ mutex_exit(&ill->ill_lock);
+
+ if (nce == NULL) {
+ if (isv6) {
+ BUMP_MIB(&ipst->ips_ip6_mib,
+ ipIfStatsOutDiscards);
+ } else {
+ BUMP_MIB(&ipst->ips_ip_mib,
+ ipIfStatsOutDiscards);
+ }
+ ip_drop_output("ipIfStatsOutDiscards - no nce",
+ mp, NULL);
+ freemsg(mp);
+ } else {
/*
- * This message should have been pulled up already
- * in ip_wput_v6. ip_hdr_complete_v6 assumes that
- * the header is pulled up.
+ * We don't know the zoneid, but
+ * ip_xmit does not care since IXAF_NO_TRACE
+ * is set. (We traced the packet the first
+ * time through ip_xmit.)
*/
- ip6i = (ip6i_t *)ip6h;
- ASSERT((mp->b_wptr - (uchar_t *)ip6i) >=
- sizeof (ip6i_t) + IPV6_HDR_LEN);
- mp->b_rptr += sizeof (ip6i_t);
+ (void) ip_xmit(mp, nce, ixaflags, pkt_len, 0,
+ ALL_ZONES, 0, NULL);
+ nce_refrele(nce);
}
- /*
- * Ignore failure since icmp_unreachable_v6 will silently
- * drop packets with an unspecified source address.
- */
- (void) ip_hdr_complete_v6((ip6_t *)mp->b_rptr, zoneid, ipst);
- icmp_unreachable_v6(nce->nce_ill->ill_wq, first_mp,
- ICMP6_DST_UNREACH_ADDR, B_FALSE, B_FALSE, zoneid, ipst);
mp = nxt_mp;
}
- nce_cb_dispatch(nce);
+
+ ncec_cb_dispatch(ncec); /* complete callbacks */
}
/*
- * Called by SIOCSNDP* ioctl to add/change an nce entry
+ * Called by SIOCSNDP* ioctl to add/change an ncec entry
* and the corresponding attributes.
* Disallow states other than ND_REACHABLE or ND_STALE.
*/
@@ -3082,31 +2923,28 @@ ndp_sioc_update(ill_t *ill, lif_nd_req_t *lnr)
{
sin6_t *sin6;
in6_addr_t *addr;
+ ncec_t *ncec;
nce_t *nce;
- int err;
+ int err = 0;
uint16_t new_flags = 0;
uint16_t old_flags = 0;
int inflags = lnr->lnr_flags;
ip_stack_t *ipst = ill->ill_ipst;
+ boolean_t do_postprocess = B_FALSE;
ASSERT(ill->ill_isv6);
if ((lnr->lnr_state_create != ND_REACHABLE) &&
(lnr->lnr_state_create != ND_STALE))
return (EINVAL);
- if (lnr->lnr_hdw_len > ND_MAX_HDW_LEN)
- return (EINVAL);
-
sin6 = (sin6_t *)&lnr->lnr_addr;
addr = &sin6->sin6_addr;
mutex_enter(&ipst->ips_ndp6->ndp_g_lock);
- /* We know it can not be mapping so just look in the hash table */
- nce = *((nce_t **)NCE_HASH_PTR_V6(ipst, *addr));
- /* See comment in ndp_query() regarding IS_IPMP(ill) usage */
- nce = nce_lookup_addr(ill, IS_IPMP(ill), addr, nce);
+ ASSERT(!IS_UNDER_IPMP(ill));
+ nce = nce_lookup_addr(ill, addr);
if (nce != NULL)
- new_flags = nce->nce_flags;
+ new_flags = nce->nce_common->ncec_flags;
switch (inflags & (NDF_ISROUTER_ON|NDF_ISROUTER_OFF)) {
case NDF_ISROUTER_ON:
@@ -3118,7 +2956,7 @@ ndp_sioc_update(ill_t *ill, lif_nd_req_t *lnr)
case (NDF_ISROUTER_OFF|NDF_ISROUTER_ON):
mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
if (nce != NULL)
- NCE_REFRELE(nce);
+ nce_refrele(nce);
return (EINVAL);
}
@@ -3132,17 +2970,15 @@ ndp_sioc_update(ill_t *ill, lif_nd_req_t *lnr)
case (NDF_ANYCAST_OFF|NDF_ANYCAST_ON):
mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
if (nce != NULL)
- NCE_REFRELE(nce);
+ nce_refrele(nce);
return (EINVAL);
}
if (nce == NULL) {
- err = ndp_add_v6(ill,
+ err = nce_add_v6(ill,
(uchar_t *)lnr->lnr_hdw_addr,
+ ill->ill_phys_addr_length,
addr,
- &ipv6_all_ones,
- &ipv6_all_zeros,
- 0,
new_flags,
lnr->lnr_state_create,
&nce);
@@ -3150,269 +2986,354 @@ ndp_sioc_update(ill_t *ill, lif_nd_req_t *lnr)
mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
ip1dbg(("ndp_sioc_update: Can't create NCE %d\n", err));
return (err);
+ } else {
+ do_postprocess = B_TRUE;
}
}
- old_flags = nce->nce_flags;
+ ncec = nce->nce_common;
+ old_flags = ncec->ncec_flags;
if (old_flags & NCE_F_ISROUTER && !(new_flags & NCE_F_ISROUTER)) {
- /*
- * Router turned to host, delete all ires.
- * XXX Just delete the entry, but we need to add too.
- */
- nce->nce_flags &= ~NCE_F_ISROUTER;
+ ncec_router_to_host(ncec);
mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
- ndp_delete(nce);
- NCE_REFRELE(nce);
+ if (do_postprocess)
+ err = nce_add_v6_postprocess(nce);
+ nce_refrele(nce);
return (0);
}
mutex_exit(&ipst->ips_ndp6->ndp_g_lock);
- mutex_enter(&nce->nce_lock);
- nce->nce_flags = new_flags;
- mutex_exit(&nce->nce_lock);
+ if (do_postprocess)
+ err = nce_add_v6_postprocess(nce);
+ /*
+ * err cannot be anything other than 0 because we don't support
+ * proxy arp of static addresses.
+ */
+ ASSERT(err == 0);
+
+ mutex_enter(&ncec->ncec_lock);
+ ncec->ncec_flags = new_flags;
+ mutex_exit(&ncec->ncec_lock);
/*
* Note that we ignore the state at this point, which
* should be either STALE or REACHABLE. Instead we let
* the link layer address passed in to determine the state
* much like incoming packets.
*/
- nce_process(nce, (uchar_t *)lnr->lnr_hdw_addr, 0, B_FALSE);
- NCE_REFRELE(nce);
+ nce_process(ncec, (uchar_t *)lnr->lnr_hdw_addr, 0, B_FALSE);
+ nce_refrele(nce);
return (0);
}
/*
- * If the device driver supports it, we make nce_fp_mp to have
- * an M_DATA prepend. Otherwise nce_fp_mp will be null.
- * The caller ensures there is hold on nce for this function.
- * Note that since ill_fastpath_probe() copies the mblk there is
- * no need for the hold beyond this function.
+ * Create an nce_t structure for ill using the ncec->ncec_lladdr to set up
+ * the nce_dlur_mp. If ill != ncec->ncec_ill, then the ips_ill_g_lock must
+ * be held to ensure that they are in the same group.
*/
-void
-nce_fastpath(nce_t *nce)
+static nce_t *
+nce_fastpath_create(ill_t *ill, ncec_t *ncec)
{
- ill_t *ill = nce->nce_ill;
- int res;
- ASSERT(ill != NULL);
- ASSERT(nce->nce_state != ND_INITIAL && nce->nce_state != ND_INCOMPLETE);
+ nce_t *nce;
- if (nce->nce_fp_mp != NULL) {
- /* Already contains fastpath info */
- return;
- }
- if (nce->nce_res_mp != NULL) {
- nce_fastpath_list_add(nce);
- res = ill_fastpath_probe(ill, nce->nce_res_mp);
- /*
- * EAGAIN is an indication of a transient error
- * i.e. allocation failure etc. leave the nce in the list it
- * will be updated when another probe happens for another ire
- * if not it will be taken out of the list when the ire is
- * deleted.
- */
+ nce = nce_ill_lookup_then_add(ill, ncec);
+
+ if (nce == NULL || IS_LOOPBACK(nce->nce_ill) || IS_VNI(nce->nce_ill))
+ return (nce);
- if (res != 0 && res != EAGAIN)
- nce_fastpath_list_delete(nce);
+ /*
+ * hold the ncec_lock to synchronize with nce_update() so that,
+ * at the end of this function, the contents of nce_dlur_mp are
+ * consistent with ncec->ncec_lladdr, even though some intermediate
+ * packet may have been sent out with a mangled address, which would
+ * only be a transient condition.
+ */
+ mutex_enter(&ncec->ncec_lock);
+ if (ncec->ncec_lladdr != NULL) {
+ bcopy(ncec->ncec_lladdr, nce->nce_dlur_mp->b_rptr +
+ NCE_LL_ADDR_OFFSET(ill), ill->ill_phys_addr_length);
+ } else {
+ nce->nce_dlur_mp = ill_dlur_gen(NULL, 0, ill->ill_sap,
+ ill->ill_sap_length);
}
+ mutex_exit(&ncec->ncec_lock);
+ return (nce);
}
/*
- * Drain the list of nce's waiting for fastpath response.
+ * we make nce_fp_mp to have an M_DATA prepend.
+ * The caller ensures there is hold on ncec for this function.
+ * Note that since ill_fastpath_probe() copies the mblk there is
+ * no need to hold the nce or ncec beyond this function.
+ *
+ * If the caller has passed in a non-null ncec_nce to nce_faspath() that
+ * ncec_nce must correspond to the nce for ncec with nce_ill == ncec->ncec_ill
+ * and will be returned back by this function, so that no extra nce_refrele
+ * is required for the caller. The calls from nce_add_common() use this
+ * method. All other callers (that pass in NULL ncec_nce) will have to do a
+ * nce_refrele of the returned nce (when it is non-null).
*/
-void
-nce_fastpath_list_dispatch(ill_t *ill, boolean_t (*func)(nce_t *, void *),
- void *arg)
+nce_t *
+nce_fastpath(ncec_t *ncec, boolean_t trigger_fp_req, nce_t *ncec_nce)
{
+ nce_t *nce;
+ ill_t *ill = ncec->ncec_ill;
- nce_t *next_nce;
- nce_t *current_nce;
- nce_t *first_nce;
- nce_t *prev_nce = NULL;
+ ASSERT(ill != NULL);
+
+ if (IS_IPMP(ill) && trigger_fp_req) {
+ trigger_fp_req = B_FALSE;
+ ipmp_ncec_fastpath(ncec, ill);
- mutex_enter(&ill->ill_lock);
- first_nce = current_nce = (nce_t *)ill->ill_fastpath_list;
- while (current_nce != (nce_t *)&ill->ill_fastpath_list) {
- next_nce = current_nce->nce_fastpath;
- /*
- * Take it off the list if we're flushing, or if the callback
- * routine tells us to do so. Otherwise, leave the nce in the
- * fastpath list to handle any pending response from the lower
- * layer. We can't drain the list when the callback routine
- * comparison failed, because the response is asynchronous in
- * nature, and may not arrive in the same order as the list
- * insertion.
- */
- if (func == NULL || func(current_nce, arg)) {
- current_nce->nce_fastpath = NULL;
- if (current_nce == first_nce)
- ill->ill_fastpath_list = first_nce = next_nce;
- else
- prev_nce->nce_fastpath = next_nce;
- } else {
- /* previous element that is still in the list */
- prev_nce = current_nce;
- }
- current_nce = next_nce;
}
- mutex_exit(&ill->ill_lock);
+ /*
+ * If the caller already has the nce corresponding to the ill, use
+ * that one. Otherwise we have to lookup/add the nce. Calls from
+ * nce_add_common() fall in the former category, and have just done
+ * the nce lookup/add that can be reused.
+ */
+ if (ncec_nce == NULL)
+ nce = nce_fastpath_create(ill, ncec);
+ else
+ nce = ncec_nce;
+
+ if (nce == NULL || IS_LOOPBACK(nce->nce_ill) || IS_VNI(nce->nce_ill))
+ return (nce);
+
+ if (trigger_fp_req)
+ nce_fastpath_trigger(nce);
+ return (nce);
}
/*
- * Add nce to the nce fastpath list.
+ * Trigger fastpath on nce. No locks may be held.
*/
-void
-nce_fastpath_list_add(nce_t *nce)
+static void
+nce_fastpath_trigger(nce_t *nce)
{
- ill_t *ill;
+ int res;
+ ill_t *ill = nce->nce_ill;
+ ncec_t *ncec = nce->nce_common;
- ill = nce->nce_ill;
+ res = ill_fastpath_probe(ill, nce->nce_dlur_mp);
+ /*
+ * EAGAIN is an indication of a transient error
+ * i.e. allocation failure etc. leave the ncec in the list it
+ * will be updated when another probe happens for another ire
+ * if not it will be taken out of the list when the ire is
+ * deleted.
+ */
+ if (res != 0 && res != EAGAIN && res != ENOTSUP)
+ nce_fastpath_list_delete(ill, ncec, NULL);
+}
- mutex_enter(&ill->ill_lock);
- mutex_enter(&nce->nce_lock);
+/*
+ * Add ncec to the nce fastpath list on ill.
+ */
+static nce_t *
+nce_ill_lookup_then_add_locked(ill_t *ill, ncec_t *ncec)
+{
+ nce_t *nce = NULL;
+ ASSERT(MUTEX_HELD(&ill->ill_lock));
/*
- * if nce has not been deleted and
+ * Atomically ensure that the ill is not CONDEMNED and is not going
+ * down, before adding the NCE.
+ */
+ if (ill->ill_state_flags & ILL_CONDEMNED)
+ return (NULL);
+ mutex_enter(&ncec->ncec_lock);
+ /*
+ * if ncec has not been deleted and
* is not already in the list add it.
*/
- if (!(nce->nce_flags & NCE_F_CONDEMNED) &&
- (nce->nce_fastpath == NULL)) {
- nce->nce_fastpath = (nce_t *)ill->ill_fastpath_list;
- ill->ill_fastpath_list = nce;
+ if (!NCE_ISCONDEMNED(ncec)) {
+ nce = nce_lookup(ill, &ncec->ncec_addr);
+ if (nce != NULL)
+ goto done;
+ nce = nce_add(ill, ncec);
}
+done:
+ mutex_exit(&ncec->ncec_lock);
+ return (nce);
+}
- mutex_exit(&nce->nce_lock);
+nce_t *
+nce_ill_lookup_then_add(ill_t *ill, ncec_t *ncec)
+{
+ nce_t *nce;
+
+ mutex_enter(&ill->ill_lock);
+ nce = nce_ill_lookup_then_add_locked(ill, ncec);
mutex_exit(&ill->ill_lock);
+ return (nce);
}
+
/*
- * remove nce from the nce fastpath list.
+ * remove ncec from the ill_nce list. If 'dead' is non-null, the deleted
+ * nce is added to the 'dead' list, and the caller must nce_refrele() the
+ * entry after all locks have been dropped.
*/
void
-nce_fastpath_list_delete(nce_t *nce)
+nce_fastpath_list_delete(ill_t *ill, ncec_t *ncec, list_t *dead)
{
- nce_t *nce_ptr;
-
- ill_t *ill;
+ nce_t *nce;
- ill = nce->nce_ill;
ASSERT(ill != NULL);
- mutex_enter(&ill->ill_lock);
- if (nce->nce_fastpath == NULL)
- goto done;
-
- ASSERT(ill->ill_fastpath_list != &ill->ill_fastpath_list);
+ /* first clean out any nce pointers in the under_ills */
+ if (IS_IPMP(ill))
+ ipmp_ncec_flush_nce(ncec);
- if (ill->ill_fastpath_list == nce) {
- ill->ill_fastpath_list = nce->nce_fastpath;
- } else {
- nce_ptr = ill->ill_fastpath_list;
- while (nce_ptr != (nce_t *)&ill->ill_fastpath_list) {
- if (nce_ptr->nce_fastpath == nce) {
- nce_ptr->nce_fastpath = nce->nce_fastpath;
- break;
- }
- nce_ptr = nce_ptr->nce_fastpath;
+ /* now the ill itself */
+ mutex_enter(&ill->ill_lock);
+ for (nce = list_head(&ill->ill_nce); nce != NULL;
+ nce = list_next(&ill->ill_nce, nce)) {
+ if (nce->nce_common == ncec) {
+ nce_refhold(nce);
+ nce_delete(nce);
+ break;
}
}
-
- nce->nce_fastpath = NULL;
-done:
mutex_exit(&ill->ill_lock);
+ if (nce != NULL) {
+ if (dead == NULL)
+ nce_refrele(nce);
+ else
+ list_insert_tail(dead, nce);
+ }
}
/*
- * Update all NCE's that are not in fastpath mode and
- * have an nce_fp_mp that matches mp. mp->b_cont contains
- * the fastpath header.
- *
- * Returns TRUE if entry should be dequeued, or FALSE otherwise.
+ * when the fastpath response does not fit in the datab
+ * associated with the existing nce_fp_mp, we delete and
+ * add the nce to retrigger fastpath based on the information
+ * in the ncec_t.
*/
-boolean_t
-ndp_fastpath_update(nce_t *nce, void *arg)
+static nce_t *
+nce_delete_then_add(nce_t *nce)
+{
+ ill_t *ill = nce->nce_ill;
+ nce_t *newnce = NULL;
+
+ ip0dbg(("nce_delete_then_add nce %p ill %s\n",
+ (void *)nce, ill->ill_name));
+ mutex_enter(&ill->ill_lock);
+ mutex_enter(&nce->nce_common->ncec_lock);
+ nce_delete(nce);
+ /*
+ * Make sure that ncec is not condemned before adding. We hold the
+ * ill_lock and ncec_lock to synchronize with ncec_delete() and
+ * ipmp_ncec_flush_nce()
+ */
+ if (!NCE_ISCONDEMNED(nce->nce_common))
+ newnce = nce_add(ill, nce->nce_common);
+ mutex_exit(&nce->nce_common->ncec_lock);
+ mutex_exit(&ill->ill_lock);
+ nce_refrele(nce);
+ return (newnce); /* could be null if nomem */
+}
+
+typedef struct nce_fp_match_s {
+ nce_t *nce_fp_match_res;
+ mblk_t *nce_fp_match_ack_mp;
+} nce_fp_match_t;
+
+/* ARGSUSED */
+static int
+nce_fastpath_match_dlur(ill_t *ill, nce_t *nce, void *arg)
{
- mblk_t *mp, *fp_mp;
+ nce_fp_match_t *nce_fp_marg = arg;
+ ncec_t *ncec = nce->nce_common;
+ mblk_t *mp = nce_fp_marg->nce_fp_match_ack_mp;
uchar_t *mp_rptr, *ud_mp_rptr;
- mblk_t *ud_mp = nce->nce_res_mp;
+ mblk_t *ud_mp = nce->nce_dlur_mp;
ptrdiff_t cmplen;
- if (nce->nce_flags & NCE_F_MAPPING)
- return (B_TRUE);
- if ((nce->nce_fp_mp != NULL) || (ud_mp == NULL))
- return (B_TRUE);
-
- ip2dbg(("ndp_fastpath_update: trying\n"));
- mp = (mblk_t *)arg;
+ /*
+ * mp is the mp associated with the fastpath ack.
+ * ud_mp is the outstanding DL_UNITDATA_REQ on the nce_t
+ * under consideration. If the contents match, then the
+ * fastpath ack is used to update the nce.
+ */
+ if (ud_mp == NULL)
+ return (0); /* MH_WALK_CONTINUE */
mp_rptr = mp->b_rptr;
cmplen = mp->b_wptr - mp_rptr;
ASSERT(cmplen >= 0);
+
ud_mp_rptr = ud_mp->b_rptr;
/*
- * The nce is locked here to prevent any other threads
- * from accessing and changing nce_res_mp when the IPv6 address
- * becomes resolved to an lla while we're in the middle
- * of looking at and comparing the hardware address (lla).
- * It is also locked to prevent multiple threads in nce_fastpath_update
- * from examining nce_res_mp atthe same time.
+ * The ncec is locked here to prevent any other threads from accessing
+ * and changing nce_dlur_mp when the address becomes resolved to an
+ * lla while we're in the middle of looking at and comparing the
+ * hardware address (lla). It is also locked to prevent multiple
+ * threads in nce_fastpath() from examining nce_dlur_mp at the same
+ * time.
*/
- mutex_enter(&nce->nce_lock);
+ mutex_enter(&ncec->ncec_lock);
if (ud_mp->b_wptr - ud_mp_rptr != cmplen ||
- bcmp((char *)mp_rptr, (char *)ud_mp_rptr, cmplen) != 0) {
- mutex_exit(&nce->nce_lock);
- /*
- * Don't take the ire off the fastpath list yet,
- * since the response may come later.
- */
- return (B_FALSE);
- }
- /* Matched - install mp as the fastpath mp */
- ip1dbg(("ndp_fastpath_update: match\n"));
- fp_mp = dupb(mp->b_cont);
- if (fp_mp != NULL) {
- nce->nce_fp_mp = fp_mp;
+ bcmp((char *)mp_rptr, (char *)ud_mp_rptr, cmplen) == 0) {
+ nce_fp_marg->nce_fp_match_res = nce;
+ mutex_exit(&ncec->ncec_lock);
+ nce_refhold(nce);
+ return (1); /* MH_WALK_TERMINATE */
}
- mutex_exit(&nce->nce_lock);
- return (B_TRUE);
+ mutex_exit(&ncec->ncec_lock);
+ return (0); /* MH_WALK_CONTINUE */
}
/*
- * This function handles the DL_NOTE_FASTPATH_FLUSH notification from
- * driver. Note that it assumes IP is exclusive...
+ * Update all NCE's that are not in fastpath mode and
+ * have an nce_fp_mp that matches mp. mp->b_cont contains
+ * the fastpath header.
+ *
+ * Returns TRUE if entry should be dequeued, or FALSE otherwise.
*/
-/* ARGSUSED */
void
-ndp_fastpath_flush(nce_t *nce, char *arg)
+nce_fastpath_update(ill_t *ill, mblk_t *mp)
{
- if (nce->nce_flags & NCE_F_MAPPING)
- return;
- /* No fastpath info? */
- if (nce->nce_fp_mp == NULL || nce->nce_res_mp == NULL)
+ nce_fp_match_t nce_fp_marg;
+ nce_t *nce;
+ mblk_t *nce_fp_mp, *fp_mp;
+
+ nce_fp_marg.nce_fp_match_res = NULL;
+ nce_fp_marg.nce_fp_match_ack_mp = mp;
+
+ nce_walk(ill, nce_fastpath_match_dlur, &nce_fp_marg);
+
+ if ((nce = nce_fp_marg.nce_fp_match_res) == NULL)
return;
- if (nce->nce_ipversion == IPV4_VERSION &&
- nce->nce_flags & NCE_F_BCAST) {
- /*
- * IPv4 BROADCAST entries:
- * We can't delete the nce since it is difficult to
- * recreate these without going through the
- * ipif down/up dance.
- *
- * All access to nce->nce_fp_mp in the case of these
- * is protected by nce_lock.
- */
- mutex_enter(&nce->nce_lock);
- if (nce->nce_fp_mp != NULL) {
- freeb(nce->nce_fp_mp);
- nce->nce_fp_mp = NULL;
- mutex_exit(&nce->nce_lock);
- nce_fastpath(nce);
- } else {
+ mutex_enter(&nce->nce_lock);
+ nce_fp_mp = nce->nce_fp_mp;
+
+ if (nce_fp_mp != NULL) {
+ fp_mp = mp->b_cont;
+ if (nce_fp_mp->b_rptr + MBLKL(fp_mp) >
+ nce_fp_mp->b_datap->db_lim) {
mutex_exit(&nce->nce_lock);
+ nce = nce_delete_then_add(nce);
+ if (nce == NULL) {
+ return;
+ }
+ mutex_enter(&nce->nce_lock);
+ nce_fp_mp = nce->nce_fp_mp;
}
+ }
+
+ /* Matched - install mp as the fastpath mp */
+ if (nce_fp_mp == NULL) {
+ fp_mp = dupb(mp->b_cont);
+ nce->nce_fp_mp = fp_mp;
} else {
- /* Just delete the NCE... */
- ndp_delete(nce);
+ fp_mp = mp->b_cont;
+ bcopy(fp_mp->b_rptr, nce_fp_mp->b_rptr, MBLKL(fp_mp));
+ nce->nce_fp_mp->b_wptr = nce->nce_fp_mp->b_rptr
+ + MBLKL(fp_mp);
}
+ mutex_exit(&nce->nce_lock);
+ nce_refrele(nce);
}
/*
@@ -3451,74 +3372,103 @@ ndp_verify_optlen(nd_opt_hdr_t *opt, int optlen)
}
/*
- * ndp_walk function.
+ * ncec_walk function.
* Free a fraction of the NCE cache entries.
- * A fraction of zero means to not free any in that category.
+ *
+ * A possible optimization here would be to use ncec_last where possible, and
+ * delete the least-frequently used entry, which would require more complex
+ * computation as we walk through the ncec's (e.g., track ncec entries by
+ * order of ncec_last and/or maintain state)
*/
-void
-ndp_cache_reclaim(nce_t *nce, char *arg)
+static void
+ncec_cache_reclaim(ncec_t *ncec, char *arg)
{
- nce_cache_reclaim_t *ncr = (nce_cache_reclaim_t *)arg;
- uint_t rand;
+ ip_stack_t *ipst = ncec->ncec_ipst;
+ uint_t fraction = *(uint_t *)arg;
+ uint_t rand;
- if (nce->nce_flags & NCE_F_PERMANENT)
+ if ((ncec->ncec_flags &
+ (NCE_F_MYADDR | NCE_F_STATIC | NCE_F_BCAST)) != 0) {
return;
+ }
rand = (uint_t)lbolt +
- NCE_ADDR_HASH_V6(nce->nce_addr, NCE_TABLE_SIZE);
- if (ncr->ncr_host != 0 &&
- (rand/ncr->ncr_host)*ncr->ncr_host == rand) {
- ndp_delete(nce);
- return;
+ NCE_ADDR_HASH_V6(ncec->ncec_addr, NCE_TABLE_SIZE);
+ if ((rand/fraction)*fraction == rand) {
+ IP_STAT(ipst, ip_nce_reclaim_deleted);
+ ncec_delete(ncec);
}
}
/*
- * ndp_walk function.
- * Count the number of NCEs that can be deleted.
- * These would be hosts but not routers.
+ * kmem_cache callback to free up memory.
+ *
+ * For now we just delete a fixed fraction.
*/
-void
-ndp_cache_count(nce_t *nce, char *arg)
+static void
+ip_nce_reclaim_stack(ip_stack_t *ipst)
{
- ncc_cache_count_t *ncc = (ncc_cache_count_t *)arg;
+ uint_t fraction = ipst->ips_ip_nce_reclaim_fraction;
- if (nce->nce_flags & NCE_F_PERMANENT)
- return;
+ IP_STAT(ipst, ip_nce_reclaim_calls);
- ncc->ncc_total++;
- if (!(nce->nce_flags & NCE_F_ISROUTER))
- ncc->ncc_host++;
+ ncec_walk(NULL, (pfi_t)ncec_cache_reclaim, (uchar_t *)&fraction, ipst);
+
+ /*
+ * Walk all CONNs that can have a reference on an ire, ncec or dce.
+ * Get them to update any stale references to drop any refholds they
+ * have.
+ */
+ ipcl_walk(conn_ixa_cleanup, (void *)B_FALSE, ipst);
+}
+
+/*
+ * Called by the memory allocator subsystem directly, when the system
+ * is running low on memory.
+ */
+/* ARGSUSED */
+void
+ip_nce_reclaim(void *args)
+{
+ netstack_handle_t nh;
+ netstack_t *ns;
+
+ netstack_next_init(&nh);
+ while ((ns = netstack_next(&nh)) != NULL) {
+ ip_nce_reclaim_stack(ns->netstack_ip);
+ netstack_rele(ns);
+ }
+ netstack_next_fini(&nh);
}
#ifdef DEBUG
void
-nce_trace_ref(nce_t *nce)
+ncec_trace_ref(ncec_t *ncec)
{
- ASSERT(MUTEX_HELD(&nce->nce_lock));
+ ASSERT(MUTEX_HELD(&ncec->ncec_lock));
- if (nce->nce_trace_disable)
+ if (ncec->ncec_trace_disable)
return;
- if (!th_trace_ref(nce, nce->nce_ill->ill_ipst)) {
- nce->nce_trace_disable = B_TRUE;
- nce_trace_cleanup(nce);
+ if (!th_trace_ref(ncec, ncec->ncec_ipst)) {
+ ncec->ncec_trace_disable = B_TRUE;
+ ncec_trace_cleanup(ncec);
}
}
void
-nce_untrace_ref(nce_t *nce)
+ncec_untrace_ref(ncec_t *ncec)
{
- ASSERT(MUTEX_HELD(&nce->nce_lock));
+ ASSERT(MUTEX_HELD(&ncec->ncec_lock));
- if (!nce->nce_trace_disable)
- th_trace_unref(nce);
+ if (!ncec->ncec_trace_disable)
+ th_trace_unref(ncec);
}
static void
-nce_trace_cleanup(const nce_t *nce)
+ncec_trace_cleanup(const ncec_t *ncec)
{
- th_trace_cleanup(nce, nce->nce_trace_disable);
+ th_trace_cleanup(ncec, ncec->ncec_trace_disable);
}
#endif
@@ -3527,64 +3477,159 @@ nce_trace_cleanup(const nce_t *nce)
* Send an ICMP unreachable in response to all queued packets.
*/
void
-arp_resolv_failed(nce_t *nce)
+arp_resolv_failed(ncec_t *ncec)
{
- mblk_t *mp, *nxt_mp, *first_mp;
+ mblk_t *mp, *nxt_mp;
char buf[INET6_ADDRSTRLEN];
- zoneid_t zoneid = GLOBAL_ZONEID;
struct in_addr ipv4addr;
- ip_stack_t *ipst = nce->nce_ill->ill_ipst;
+ ill_t *ill = ncec->ncec_ill;
+ ip_stack_t *ipst = ncec->ncec_ipst;
+ ip_recv_attr_t iras;
- IN6_V4MAPPED_TO_INADDR(&nce->nce_addr, &ipv4addr);
+ bzero(&iras, sizeof (iras));
+ iras.ira_flags = IRAF_IS_IPV4;
+ /*
+ * we are setting the ira_rill to the ipmp_ill (instead of
+ * the actual ill on which the packet was received), but this
+ * is ok because we don't actually need the real ira_rill.
+ * to send the icmp unreachable to the sender.
+ */
+ iras.ira_ill = iras.ira_rill = ill;
+ iras.ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+ iras.ira_rifindex = iras.ira_ruifindex;
+
+ IN6_V4MAPPED_TO_INADDR(&ncec->ncec_addr, &ipv4addr);
ip3dbg(("arp_resolv_failed: dst %s\n",
inet_ntop(AF_INET, &ipv4addr, buf, sizeof (buf))));
- mutex_enter(&nce->nce_lock);
- mp = nce->nce_qd_mp;
- nce->nce_qd_mp = NULL;
- mutex_exit(&nce->nce_lock);
-
+ mutex_enter(&ncec->ncec_lock);
+ mp = ncec->ncec_qd_mp;
+ ncec->ncec_qd_mp = NULL;
+ ncec->ncec_nprobes = 0;
+ mutex_exit(&ncec->ncec_lock);
while (mp != NULL) {
nxt_mp = mp->b_next;
mp->b_next = NULL;
- mp->b_prev = NULL;
- first_mp = mp;
- /*
- * Send icmp unreachable messages
- * to the hosts.
- */
- (void) ip_hdr_complete((ipha_t *)mp->b_rptr, zoneid, ipst);
- ip3dbg(("arp_resolv_failed: Calling icmp_unreachable\n"));
- icmp_unreachable(nce->nce_ill->ill_wq, first_mp,
- ICMP_HOST_UNREACHABLE, zoneid, ipst);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - address unreachable",
+ mp, ill);
+ if (ipst->ips_ip_arp_icmp_error) {
+ ip3dbg(("arp_resolv_failed: "
+ "Calling icmp_unreachable\n"));
+ icmp_unreachable(mp, ICMP_HOST_UNREACHABLE, &iras);
+ } else {
+ freemsg(mp);
+ }
+ ASSERT(!(iras.ira_flags & IRAF_IPSEC_SECURE));
mp = nxt_mp;
}
+ ncec_cb_dispatch(ncec); /* finish off waiting callbacks */
}
+/*
+ * if ill is an under_ill, translate it to the ipmp_ill and add the
+ * nce on the ipmp_ill. Two nce_t entries (one on the ipmp_ill, and
+ * one on the underlying in_ill) will be created for the
+ * ncec_t in this case. The ncec_t itself will be created on the ipmp_ill.
+ */
int
-ndp_lookup_then_add_v4(ill_t *ill, const in_addr_t *addr, uint16_t flags,
- nce_t **newnce, nce_t *src_nce)
+nce_lookup_then_add_v4(ill_t *ill, uchar_t *hw_addr, uint_t hw_addr_len,
+ const in_addr_t *addr, uint16_t flags, uint16_t state, nce_t **newnce)
{
int err;
- nce_t *nce;
in6_addr_t addr6;
ip_stack_t *ipst = ill->ill_ipst;
+ nce_t *nce, *upper_nce = NULL;
+ ill_t *in_ill = ill, *under = NULL;
+ boolean_t need_ill_refrele = B_FALSE;
+
+ if (flags & NCE_F_MCAST) {
+ /*
+ * hw_addr will be figured out in nce_set_multicast_v4;
+ * caller needs to pass in the cast_ill for ipmp
+ */
+ ASSERT(hw_addr == NULL);
+ ASSERT(!IS_IPMP(ill));
+ err = nce_set_multicast_v4(ill, addr, flags, newnce);
+ return (err);
+ }
+
+ if (IS_UNDER_IPMP(ill) && !(flags & NCE_F_MYADDR)) {
+ ill = ipmp_ill_hold_ipmp_ill(ill);
+ if (ill == NULL)
+ return (ENXIO);
+ need_ill_refrele = B_TRUE;
+ }
+ if ((flags & NCE_F_BCAST) != 0) {
+ /*
+ * IPv4 broadcast ncec: compute the hwaddr.
+ */
+ if (IS_IPMP(ill)) {
+ under = ipmp_ill_get_xmit_ill(ill, B_FALSE);
+ if (under == NULL) {
+ if (need_ill_refrele)
+ ill_refrele(ill);
+ return (ENETDOWN);
+ }
+ hw_addr = under->ill_bcast_mp->b_rptr +
+ NCE_LL_ADDR_OFFSET(under);
+ hw_addr_len = under->ill_phys_addr_length;
+ } else {
+ hw_addr = ill->ill_bcast_mp->b_rptr +
+ NCE_LL_ADDR_OFFSET(ill),
+ hw_addr_len = ill->ill_phys_addr_length;
+ }
+ }
mutex_enter(&ipst->ips_ndp4->ndp_g_lock);
- nce = *((nce_t **)NCE_HASH_PTR_V4(ipst, *addr));
IN6_IPADDR_TO_V4MAPPED(*addr, &addr6);
- /*
- * NOTE: IPv4 never matches across the illgrp since the NCE's we're
- * looking up have fastpath headers that are inherently per-ill.
- */
- nce = nce_lookup_addr(ill, B_FALSE, &addr6, nce);
+ nce = nce_lookup_addr(ill, &addr6);
if (nce == NULL) {
- err = ndp_add_v4(ill, addr, flags, newnce, src_nce);
+ err = nce_add_v4(ill, hw_addr, hw_addr_len, addr, flags,
+ state, &nce);
} else {
- *newnce = nce;
err = EEXIST;
}
mutex_exit(&ipst->ips_ndp4->ndp_g_lock);
+ if (err == 0)
+ err = nce_add_v4_postprocess(nce);
+
+ if (in_ill != ill && nce != NULL) {
+ nce_t *under_nce;
+
+ /*
+ * in_ill was the under_ill. Try to create the under_nce.
+ * Hold the ill_g_lock to prevent changes to group membership
+ * until we are done.
+ */
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
+ if (IS_IN_SAME_ILLGRP(in_ill, ill)) {
+ under_nce = nce_fastpath_create(in_ill,
+ nce->nce_common);
+ upper_nce = nce;
+ if ((nce = under_nce) == NULL)
+ err = EINVAL;
+ }
+ rw_exit(&ipst->ips_ill_g_lock);
+ if (under_nce != NULL && NCE_ISREACHABLE(nce->nce_common))
+ nce_fastpath_trigger(under_nce);
+ }
+ if (nce != NULL) {
+ if (newnce != NULL)
+ *newnce = nce;
+ else
+ nce_refrele(nce);
+ }
+
+ if (under != NULL)
+ ill_refrele(under);
+
+ if (upper_nce != NULL)
+ nce_refrele(upper_nce);
+
+ if (need_ill_refrele)
+ ill_refrele(ill);
+
return (err);
}
@@ -3592,102 +3637,860 @@ ndp_lookup_then_add_v4(ill_t *ill, const in_addr_t *addr, uint16_t flags,
* NDP Cache Entry creation routine for IPv4.
* Mapped entries are handled in arp.
* This routine must always be called with ndp4->ndp_g_lock held.
- * Prior to return, nce_refcnt is incremented.
+ * Prior to return, ncec_refcnt is incremented.
+ *
+ * IPMP notes: the ncec for non-local (i.e., !NCE_MYADDR(ncec) addresses
+ * are always added pointing at the ipmp_ill. Thus, when the ill passed
+ * to nce_add_v4 is an under_ill (i.e., IS_UNDER_IPMP(ill)) two nce_t
+ * entries will be created, both pointing at the same ncec_t. The nce_t
+ * entries will have their nce_ill set to the ipmp_ill and the under_ill
+ * respectively, with the ncec_t having its ncec_ill pointing at the ipmp_ill.
+ * Local addresses are always created on the ill passed to nce_add_v4.
*/
-static int
-ndp_add_v4(ill_t *ill, const in_addr_t *addr, uint16_t flags,
- nce_t **newnce, nce_t *src_nce)
+int
+nce_add_v4(ill_t *ill, uchar_t *hw_addr, uint_t hw_addr_len,
+ const in_addr_t *addr, uint16_t flags, uint16_t state, nce_t **newnce)
{
- static nce_t nce_nil;
- nce_t *nce;
- mblk_t *mp;
- mblk_t *template = NULL;
- nce_t **ncep;
- ip_stack_t *ipst = ill->ill_ipst;
- uint16_t state = ND_INITIAL;
int err;
+ boolean_t is_multicast = (flags & NCE_F_MCAST);
+ struct in6_addr addr6;
+ nce_t *nce;
- ASSERT(MUTEX_HELD(&ipst->ips_ndp4->ndp_g_lock));
+ ASSERT(MUTEX_HELD(&ill->ill_ipst->ips_ndp4->ndp_g_lock));
ASSERT(!ill->ill_isv6);
- ASSERT((flags & NCE_F_MAPPING) == 0);
+ ASSERT(!IN_MULTICAST(htonl(*addr)) || is_multicast);
+
+ IN6_IPADDR_TO_V4MAPPED(*addr, &addr6);
+ err = nce_add_common(ill, hw_addr, hw_addr_len, &addr6, flags, state,
+ &nce);
+ ASSERT(newnce != NULL);
+ *newnce = nce;
+ return (err);
+}
+
+/*
+ * Post-processing routine to be executed after nce_add_v4(). This function
+ * triggers fastpath (if appropriate) and DAD on the newly added nce entry
+ * and must be called without any locks held.
+ *
+ * Always returns 0, but we return an int to keep this symmetric with the
+ * IPv6 counter-part.
+ */
+int
+nce_add_v4_postprocess(nce_t *nce)
+{
+ ncec_t *ncec = nce->nce_common;
+ uint16_t flags = ncec->ncec_flags;
+ boolean_t ndp_need_dad = B_FALSE;
+ boolean_t dropped;
+ clock_t delay;
+ ip_stack_t *ipst = ncec->ncec_ill->ill_ipst;
+ uchar_t *hw_addr = ncec->ncec_lladdr;
+ boolean_t trigger_fastpath = B_TRUE;
- if (ill->ill_resolver_mp == NULL)
- return (EINVAL);
/*
- * Allocate the mblk to hold the nce.
+ * If the hw_addr is NULL, typically for ND_INCOMPLETE nces, then
+ * we call nce_fastpath as soon as the ncec is resolved in nce_process.
+ * We call nce_fastpath from nce_update if the link layer address of
+ * the peer changes from nce_update
*/
- mp = allocb(sizeof (nce_t), BPRI_MED);
- if (mp == NULL)
- return (ENOMEM);
+ if (NCE_PUBLISH(ncec) || !NCE_ISREACHABLE(ncec) || (hw_addr == NULL &&
+ ncec->ncec_ill->ill_net_type != IRE_IF_NORESOLVER))
+ trigger_fastpath = B_FALSE;
- nce = (nce_t *)mp->b_rptr;
- mp->b_wptr = (uchar_t *)&nce[1];
- *nce = nce_nil;
- nce->nce_ill = ill;
- nce->nce_ipversion = IPV4_VERSION;
- nce->nce_flags = flags;
- nce->nce_pcnt = ND_MAX_UNICAST_SOLICIT;
- nce->nce_rcnt = ill->ill_xmit_count;
- IN6_IPADDR_TO_V4MAPPED(*addr, &nce->nce_addr);
- nce->nce_mask = ipv6_all_ones;
- nce->nce_extract_mask = ipv6_all_zeros;
- nce->nce_ll_extract_start = 0;
- nce->nce_qd_mp = NULL;
- nce->nce_mp = mp;
- /* This one is for nce getting created */
- nce->nce_refcnt = 1;
- mutex_init(&nce->nce_lock, NULL, MUTEX_DEFAULT, NULL);
- ncep = ((nce_t **)NCE_HASH_PTR_V4(ipst, *addr));
+ if (trigger_fastpath)
+ nce_fastpath_trigger(nce);
+
+ if (NCE_PUBLISH(ncec) && ncec->ncec_state == ND_PROBE) {
+ /*
+ * Either the caller (by passing in ND_PROBE)
+ * or nce_add_common() (by the internally computed state
+ * based on ncec_addr and ill_net_type) has determined
+ * that this unicast entry needs DAD. Trigger DAD.
+ */
+ ndp_need_dad = B_TRUE;
+ } else if (flags & NCE_F_UNSOL_ADV) {
+ /*
+ * We account for the transmit below by assigning one
+ * less than the ndd variable. Subsequent decrements
+ * are done in nce_timer.
+ */
+ mutex_enter(&ncec->ncec_lock);
+ ncec->ncec_unsolicit_count =
+ ipst->ips_ip_arp_publish_count - 1;
+ mutex_exit(&ncec->ncec_lock);
+ dropped = arp_announce(ncec);
+ mutex_enter(&ncec->ncec_lock);
+ if (dropped)
+ ncec->ncec_unsolicit_count++;
+ else
+ ncec->ncec_last_time_defended = ddi_get_lbolt();
+ if (ncec->ncec_unsolicit_count != 0) {
+ nce_start_timer(ncec,
+ ipst->ips_ip_arp_publish_interval);
+ }
+ mutex_exit(&ncec->ncec_lock);
+ }
- nce->nce_trace_disable = B_FALSE;
+ /*
+ * If ncec_xmit_interval is 0, user has configured us to send the first
+ * probe right away. Do so, and set up for the subsequent probes.
+ */
+ if (ndp_need_dad) {
+ mutex_enter(&ncec->ncec_lock);
+ if (ncec->ncec_pcnt == 0) {
+ /*
+ * DAD probes and announce can be
+ * administratively disabled by setting the
+ * probe_count to zero. Restart the timer in
+ * this case to mark the ipif as ready.
+ */
+ ncec->ncec_unsolicit_count = 0;
+ mutex_exit(&ncec->ncec_lock);
+ nce_restart_timer(ncec, 0);
+ } else {
+ mutex_exit(&ncec->ncec_lock);
+ delay = ((ncec->ncec_flags & NCE_F_FAST) ?
+ ipst->ips_arp_probe_delay :
+ ipst->ips_arp_fastprobe_delay);
+ nce_dad(ncec, NULL, (delay == 0 ? B_TRUE : B_FALSE));
+ }
+ }
+ return (0);
+}
- if (src_nce != NULL) {
+/*
+ * ncec_walk routine to update all entries that have a given destination or
+ * gateway address and cached link layer (MAC) address. This is used when ARP
+ * informs us that a network-to-link-layer mapping may have changed.
+ */
+void
+nce_update_hw_changed(ncec_t *ncec, void *arg)
+{
+ nce_hw_map_t *hwm = arg;
+ ipaddr_t ncec_addr;
+
+ if (ncec->ncec_state != ND_REACHABLE)
+ return;
+
+ IN6_V4MAPPED_TO_IPADDR(&ncec->ncec_addr, ncec_addr);
+ if (ncec_addr != hwm->hwm_addr)
+ return;
+
+ mutex_enter(&ncec->ncec_lock);
+ if (hwm->hwm_flags != 0)
+ ncec->ncec_flags = hwm->hwm_flags;
+ nce_update(ncec, ND_STALE, hwm->hwm_hwaddr);
+ mutex_exit(&ncec->ncec_lock);
+}
+
+void
+ncec_refhold(ncec_t *ncec)
+{
+ mutex_enter(&(ncec)->ncec_lock);
+ (ncec)->ncec_refcnt++;
+ ASSERT((ncec)->ncec_refcnt != 0);
+#ifdef DEBUG
+ ncec_trace_ref(ncec);
+#endif
+ mutex_exit(&(ncec)->ncec_lock);
+}
+
+void
+ncec_refhold_notr(ncec_t *ncec)
+{
+ mutex_enter(&(ncec)->ncec_lock);
+ (ncec)->ncec_refcnt++;
+ ASSERT((ncec)->ncec_refcnt != 0);
+ mutex_exit(&(ncec)->ncec_lock);
+}
+
+static void
+ncec_refhold_locked(ncec_t *ncec)
+{
+ ASSERT(MUTEX_HELD(&(ncec)->ncec_lock));
+ (ncec)->ncec_refcnt++;
+#ifdef DEBUG
+ ncec_trace_ref(ncec);
+#endif
+}
+
+/* ncec_inactive destroys the mutex thus no mutex_exit is needed */
+void
+ncec_refrele(ncec_t *ncec)
+{
+ mutex_enter(&(ncec)->ncec_lock);
+#ifdef DEBUG
+ ncec_untrace_ref(ncec);
+#endif
+ ASSERT((ncec)->ncec_refcnt != 0);
+ if (--(ncec)->ncec_refcnt == 0) {
+ ncec_inactive(ncec);
+ } else {
+ mutex_exit(&(ncec)->ncec_lock);
+ }
+}
+
+void
+ncec_refrele_notr(ncec_t *ncec)
+{
+ mutex_enter(&(ncec)->ncec_lock);
+ ASSERT((ncec)->ncec_refcnt != 0);
+ if (--(ncec)->ncec_refcnt == 0) {
+ ncec_inactive(ncec);
+ } else {
+ mutex_exit(&(ncec)->ncec_lock);
+ }
+}
+
+/*
+ * Common to IPv4 and IPv6.
+ */
+void
+nce_restart_timer(ncec_t *ncec, uint_t ms)
+{
+ timeout_id_t tid;
+
+ ASSERT(!MUTEX_HELD(&(ncec)->ncec_lock));
+
+ /* First cancel any running timer */
+ mutex_enter(&ncec->ncec_lock);
+ tid = ncec->ncec_timeout_id;
+ ncec->ncec_timeout_id = 0;
+ if (tid != 0) {
+ mutex_exit(&ncec->ncec_lock);
+ (void) untimeout(tid);
+ mutex_enter(&ncec->ncec_lock);
+ }
+
+ /* Restart timer */
+ nce_start_timer(ncec, ms);
+ mutex_exit(&ncec->ncec_lock);
+}
+
+static void
+nce_start_timer(ncec_t *ncec, uint_t ms)
+{
+ ASSERT(MUTEX_HELD(&ncec->ncec_lock));
+ /*
+ * Don't start the timer if the ncec has been deleted, or if the timer
+ * is already running
+ */
+ if (!NCE_ISCONDEMNED(ncec) && ncec->ncec_timeout_id == 0) {
+ ncec->ncec_timeout_id = timeout(nce_timer, ncec,
+ MSEC_TO_TICK(ms) == 0 ? 1 : MSEC_TO_TICK(ms));
+ }
+}
+
+int
+nce_set_multicast_v4(ill_t *ill, const in_addr_t *dst,
+ uint16_t flags, nce_t **newnce)
+{
+ uchar_t *hw_addr;
+ int err = 0;
+ ip_stack_t *ipst = ill->ill_ipst;
+ in6_addr_t dst6;
+ nce_t *nce;
+
+ ASSERT(!ill->ill_isv6);
+
+ IN6_IPADDR_TO_V4MAPPED(*dst, &dst6);
+ mutex_enter(&ipst->ips_ndp4->ndp_g_lock);
+ if ((nce = nce_lookup_addr(ill, &dst6)) != NULL) {
+ mutex_exit(&ipst->ips_ndp4->ndp_g_lock);
+ goto done;
+ }
+ if (ill->ill_net_type == IRE_IF_RESOLVER) {
+ /*
+ * For IRE_IF_RESOLVER a hardware mapping can be
+ * generated, for IRE_IF_NORESOLVER, resolution cookie
+ * in the ill is copied in nce_add_v4().
+ */
+ hw_addr = kmem_alloc(ill->ill_phys_addr_length, KM_NOSLEEP);
+ if (hw_addr == NULL) {
+ mutex_exit(&ipst->ips_ndp4->ndp_g_lock);
+ return (ENOMEM);
+ }
+ ip_mcast_mapping(ill, (uchar_t *)dst, hw_addr);
+ } else {
/*
- * src_nce has been provided by the caller. The only
- * caller who provides a non-null, non-broadcast
- * src_nce is from ip_newroute() which must pass in
- * a ND_REACHABLE src_nce (this condition is verified
- * via an ASSERT for the save_ire->ire_nce in ip_newroute())
+ * IRE_IF_NORESOLVER type simply copies the resolution
+ * cookie passed in. So no hw_addr is needed.
*/
- mutex_enter(&src_nce->nce_lock);
- state = src_nce->nce_state;
- if ((src_nce->nce_flags & NCE_F_CONDEMNED) ||
- (ipst->ips_ndp4->ndp_g_hw_change > 0)) {
+ hw_addr = NULL;
+ }
+ ASSERT(flags & NCE_F_MCAST);
+ ASSERT(flags & NCE_F_NONUD);
+ /* nce_state will be computed by nce_add_common() */
+ err = nce_add_v4(ill, hw_addr, ill->ill_phys_addr_length, dst, flags,
+ ND_UNCHANGED, &nce);
+ mutex_exit(&ipst->ips_ndp4->ndp_g_lock);
+ if (err == 0)
+ err = nce_add_v4_postprocess(nce);
+ if (hw_addr != NULL)
+ kmem_free(hw_addr, ill->ill_phys_addr_length);
+ if (err != 0) {
+ ip1dbg(("nce_set_multicast_v4: create failed" "%d\n", err));
+ return (err);
+ }
+done:
+ if (newnce != NULL)
+ *newnce = nce;
+ else
+ nce_refrele(nce);
+ return (0);
+}
+
+/*
+ * This is used when scanning for "old" (least recently broadcast) NCEs. We
+ * don't want to have to walk the list for every single one, so we gather up
+ * batches at a time.
+ */
+#define NCE_RESCHED_LIST_LEN 8
+
+typedef struct {
+ ill_t *ncert_ill;
+ uint_t ncert_num;
+ ncec_t *ncert_nces[NCE_RESCHED_LIST_LEN];
+} nce_resched_t;
+
+/*
+ * Pick the longest waiting NCEs for defense.
+ */
+/* ARGSUSED */
+static int
+ncec_reschedule(ill_t *ill, nce_t *nce, void *arg)
+{
+ nce_resched_t *ncert = arg;
+ ncec_t **ncecs;
+ ncec_t **ncec_max;
+ ncec_t *ncec_temp;
+ ncec_t *ncec = nce->nce_common;
+
+ ASSERT(ncec->ncec_ill == ncert->ncert_ill);
+ /*
+ * Only reachable entries that are ready for announcement are eligible.
+ */
+ if (!NCE_MYADDR(ncec) || ncec->ncec_state != ND_REACHABLE)
+ return (0);
+ if (ncert->ncert_num < NCE_RESCHED_LIST_LEN) {
+ ncec_refhold(ncec);
+ ncert->ncert_nces[ncert->ncert_num++] = ncec;
+ } else {
+ ncecs = ncert->ncert_nces;
+ ncec_max = ncecs + NCE_RESCHED_LIST_LEN;
+ ncec_refhold(ncec);
+ for (; ncecs < ncec_max; ncecs++) {
+ ASSERT(ncec != NULL);
+ if ((*ncecs)->ncec_last_time_defended >
+ ncec->ncec_last_time_defended) {
+ ncec_temp = *ncecs;
+ *ncecs = ncec;
+ ncec = ncec_temp;
+ }
+ }
+ ncec_refrele(ncec);
+ }
+ return (0);
+}
+
+/*
+ * Reschedule the ARP defense of any long-waiting NCEs. It's assumed that this
+ * doesn't happen very often (if at all), and thus it needn't be highly
+ * optimized. (Note, though, that it's actually O(N) complexity, because the
+ * outer loop is bounded by a constant rather than by the length of the list.)
+ */
+static void
+nce_ill_reschedule(ill_t *ill, nce_resched_t *ncert)
+{
+ ncec_t *ncec;
+ ip_stack_t *ipst = ill->ill_ipst;
+ uint_t i, defend_rate;
+
+ i = ill->ill_defend_count;
+ ill->ill_defend_count = 0;
+ if (ill->ill_isv6)
+ defend_rate = ipst->ips_ndp_defend_rate;
+ else
+ defend_rate = ipst->ips_arp_defend_rate;
+ /* If none could be sitting around, then don't reschedule */
+ if (i < defend_rate) {
+ DTRACE_PROBE1(reschedule_none, ill_t *, ill);
+ return;
+ }
+ ncert->ncert_ill = ill;
+ while (ill->ill_defend_count < defend_rate) {
+ nce_walk_common(ill, ncec_reschedule, ncert);
+ for (i = 0; i < ncert->ncert_num; i++) {
+
+ ncec = ncert->ncert_nces[i];
+ mutex_enter(&ncec->ncec_lock);
+ ncec->ncec_flags |= NCE_F_DELAYED;
+ mutex_exit(&ncec->ncec_lock);
/*
- * src_nce has been deleted, or
- * ip_arp_news is in the middle of
- * flushing entries in the the nce.
- * Fail the add, since we don't know
- * if it is safe to copy the contents of
- * src_nce
+ * we plan to schedule this ncec, so incr the
+ * defend_count in anticipation.
*/
- DTRACE_PROBE2(nce__bad__src__nce,
- nce_t *, src_nce, ill_t *, ill);
- mutex_exit(&src_nce->nce_lock);
- err = EINVAL;
- goto err_ret;
+ if (++ill->ill_defend_count >= defend_rate)
+ break;
}
- template = copyb(src_nce->nce_res_mp);
- mutex_exit(&src_nce->nce_lock);
- if (template == NULL) {
- err = ENOMEM;
- goto err_ret;
+ if (ncert->ncert_num < NCE_RESCHED_LIST_LEN)
+ break;
+ }
+}
+
+/*
+ * Check if the current rate-limiting parameters permit the sending
+ * of another address defense announcement for both IPv4 and IPv6.
+ * Returns B_TRUE if rate-limiting is in effect (i.e., send is not
+ * permitted), and B_FALSE otherwise. The `defend_rate' parameter
+ * determines how many address defense announcements are permitted
+ * in any `defense_perio' interval.
+ */
+static boolean_t
+ill_defend_rate_limit(ill_t *ill, ncec_t *ncec)
+{
+ clock_t now = ddi_get_lbolt();
+ ip_stack_t *ipst = ill->ill_ipst;
+ clock_t start = ill->ill_defend_start;
+ uint32_t elapsed, defend_period, defend_rate;
+ nce_resched_t ncert;
+ boolean_t ret;
+ int i;
+
+ if (ill->ill_isv6) {
+ defend_period = ipst->ips_ndp_defend_period;
+ defend_rate = ipst->ips_ndp_defend_rate;
+ } else {
+ defend_period = ipst->ips_arp_defend_period;
+ defend_rate = ipst->ips_arp_defend_rate;
+ }
+ if (defend_rate == 0)
+ return (B_TRUE);
+ bzero(&ncert, sizeof (ncert));
+ mutex_enter(&ill->ill_lock);
+ if (start > 0) {
+ elapsed = now - start;
+ if (elapsed > SEC_TO_TICK(defend_period)) {
+ ill->ill_defend_start = now;
+ /*
+ * nce_ill_reschedule will attempt to
+ * prevent starvation by reschduling the
+ * oldest entries, which are marked with
+ * the NCE_F_DELAYED flag.
+ */
+ nce_ill_reschedule(ill, &ncert);
+ }
+ } else {
+ ill->ill_defend_start = now;
+ }
+ ASSERT(ill->ill_defend_count <= defend_rate);
+ mutex_enter(&ncec->ncec_lock);
+ if (ncec->ncec_flags & NCE_F_DELAYED) {
+ /*
+ * This ncec was rescheduled as one of the really old
+ * entries needing on-going defense. The
+ * ill_defend_count was already incremented in
+ * nce_ill_reschedule. Go ahead and send the announce.
+ */
+ ncec->ncec_flags &= ~NCE_F_DELAYED;
+ mutex_exit(&ncec->ncec_lock);
+ ret = B_FALSE;
+ goto done;
+ }
+ mutex_exit(&ncec->ncec_lock);
+ if (ill->ill_defend_count < defend_rate)
+ ill->ill_defend_count++;
+ if (ill->ill_defend_count == defend_rate) {
+ /*
+ * we are no longer allowed to send unbidden defense
+ * messages. Wait for rescheduling.
+ */
+ ret = B_TRUE;
+ } else {
+ ret = B_FALSE;
+ }
+done:
+ mutex_exit(&ill->ill_lock);
+ /*
+ * After all the locks have been dropped we can restart nce timer,
+ * and refrele the delayed ncecs
+ */
+ for (i = 0; i < ncert.ncert_num; i++) {
+ clock_t xmit_interval;
+ ncec_t *tmp;
+
+ tmp = ncert.ncert_nces[i];
+ xmit_interval = nce_fuzz_interval(tmp->ncec_xmit_interval,
+ B_FALSE);
+ nce_restart_timer(tmp, xmit_interval);
+ ncec_refrele(tmp);
+ }
+ return (ret);
+}
+
+boolean_t
+ndp_announce(ncec_t *ncec)
+{
+ return (ndp_xmit(ncec->ncec_ill, ND_NEIGHBOR_ADVERT, ncec->ncec_lladdr,
+ ncec->ncec_lladdr_length, &ncec->ncec_addr, &ipv6_all_hosts_mcast,
+ nce_advert_flags(ncec)));
+}
+
+ill_t *
+nce_resolve_src(ncec_t *ncec, in6_addr_t *src)
+{
+ mblk_t *mp;
+ in6_addr_t src6;
+ ipaddr_t src4;
+ ill_t *ill = ncec->ncec_ill;
+ ill_t *src_ill = NULL;
+ ipif_t *ipif = NULL;
+ boolean_t is_myaddr = NCE_MYADDR(ncec);
+ boolean_t isv6 = (ncec->ncec_ipversion == IPV6_VERSION);
+
+ ASSERT(src != NULL);
+ ASSERT(IN6_IS_ADDR_UNSPECIFIED(src));
+ src6 = *src;
+ if (is_myaddr) {
+ src6 = ncec->ncec_addr;
+ if (!isv6)
+ IN6_V4MAPPED_TO_IPADDR(&ncec->ncec_addr, src4);
+ } else {
+ /*
+ * try to find one from the outgoing packet.
+ */
+ mutex_enter(&ncec->ncec_lock);
+ mp = ncec->ncec_qd_mp;
+ if (mp != NULL) {
+ if (isv6) {
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+
+ src6 = ip6h->ip6_src;
+ } else {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ src4 = ipha->ipha_src;
+ IN6_IPADDR_TO_V4MAPPED(src4, &src6);
+ }
+ }
+ mutex_exit(&ncec->ncec_lock);
+ }
+
+ /*
+ * For outgoing packets, if the src of outgoing packet is one
+ * of the assigned interface addresses use it, otherwise we
+ * will pick the source address below.
+ * For local addresses (is_myaddr) doing DAD, NDP announce
+ * messages are mcast. So we use the (IPMP) cast_ill or the
+ * (non-IPMP) ncec_ill for these message types. The only case
+ * of unicast DAD messages are for IPv6 ND probes, for which
+ * we find the ipif_bound_ill corresponding to the ncec_addr.
+ */
+ if (!IN6_IS_ADDR_UNSPECIFIED(&src6) || is_myaddr) {
+ if (isv6) {
+ ipif = ipif_lookup_addr_nondup_v6(&src6, ill, ALL_ZONES,
+ ill->ill_ipst);
+ } else {
+ ipif = ipif_lookup_addr_nondup(src4, ill, ALL_ZONES,
+ ill->ill_ipst);
+ }
+
+ /*
+ * If no relevant ipif can be found, then it's not one of our
+ * addresses. Reset to :: and try to find a src for the NS or
+ * ARP request using ipif_select_source_v[4,6] below.
+ * If an ipif can be found, but it's not yet done with
+ * DAD verification, and we are not being invoked for
+ * DAD (i.e., !is_myaddr), then just postpone this
+ * transmission until later.
+ */
+ if (ipif == NULL) {
+ src6 = ipv6_all_zeros;
+ src4 = INADDR_ANY;
+ } else if (!ipif->ipif_addr_ready && !is_myaddr) {
+ DTRACE_PROBE2(nce__resolve__ipif__not__ready,
+ ncec_t *, ncec, ipif_t *, ipif);
+ ipif_refrele(ipif);
+ return (NULL);
}
- } else if (flags & NCE_F_BCAST) {
+ }
+
+ if (IN6_IS_ADDR_UNSPECIFIED(&src6) && !is_myaddr) {
/*
- * broadcast nce.
+ * Pick a source address for this solicitation, but
+ * restrict the selection to addresses assigned to the
+ * output interface. We do this because the destination will
+ * create a neighbor cache entry for the source address of
+ * this packet, so the source address had better be a valid
+ * neighbor.
*/
- template = copyb(ill->ill_bcast_mp);
+ if (isv6) {
+ ipif = ipif_select_source_v6(ill, &ncec->ncec_addr,
+ B_TRUE, IPV6_PREFER_SRC_DEFAULT, ALL_ZONES,
+ B_FALSE, NULL);
+ } else {
+ ipaddr_t nce_addr;
+
+ IN6_V4MAPPED_TO_IPADDR(&ncec->ncec_addr, nce_addr);
+ ipif = ipif_select_source_v4(ill, nce_addr, ALL_ZONES,
+ B_FALSE, NULL);
+ }
+ if (ipif == NULL && IS_IPMP(ill)) {
+ ill_t *send_ill = ipmp_ill_get_xmit_ill(ill, B_TRUE);
+
+ if (send_ill != NULL) {
+ if (isv6) {
+ ipif = ipif_select_source_v6(send_ill,
+ &ncec->ncec_addr, B_TRUE,
+ IPV6_PREFER_SRC_DEFAULT, ALL_ZONES,
+ B_FALSE, NULL);
+ } else {
+ IN6_V4MAPPED_TO_IPADDR(&ncec->ncec_addr,
+ src4);
+ ipif = ipif_select_source_v4(send_ill,
+ src4, ALL_ZONES, B_TRUE, NULL);
+ }
+ ill_refrele(send_ill);
+ }
+ }
+
+ if (ipif == NULL) {
+ char buf[INET6_ADDRSTRLEN];
+
+ ip1dbg(("nce_resolve_src: No source ipif for dst %s\n",
+ inet_ntop((isv6 ? AF_INET6 : AF_INET),
+ (char *)&ncec->ncec_addr, buf, sizeof (buf))));
+ DTRACE_PROBE1(nce__resolve__no__ipif, ncec_t *, ncec);
+ return (NULL);
+ }
+ src6 = ipif->ipif_v6lcl_addr;
+ }
+ *src = src6;
+ if (ipif != NULL) {
+ src_ill = ipif->ipif_ill;
+ if (IS_IPMP(src_ill))
+ src_ill = ipmp_ipif_hold_bound_ill(ipif);
+ else
+ ill_refhold(src_ill);
+ ipif_refrele(ipif);
+ DTRACE_PROBE2(nce__resolve__src__ill, ncec_t *, ncec,
+ ill_t *, src_ill);
+ }
+ return (src_ill);
+}
+
+void
+ip_nce_lookup_and_update(ipaddr_t *addr, ipif_t *ipif, ip_stack_t *ipst,
+ uchar_t *hwaddr, int hwaddr_len, int flags)
+{
+ ill_t *ill;
+ ncec_t *ncec;
+ nce_t *nce;
+ uint16_t new_state;
+
+ ill = (ipif ? ipif->ipif_ill : NULL);
+ if (ill != NULL) {
+ /*
+ * only one ncec is possible
+ */
+ nce = nce_lookup_v4(ill, addr);
+ if (nce != NULL) {
+ ncec = nce->nce_common;
+ mutex_enter(&ncec->ncec_lock);
+ if (NCE_ISREACHABLE(ncec))
+ new_state = ND_UNCHANGED;
+ else
+ new_state = ND_STALE;
+ ncec->ncec_flags = flags;
+ nce_update(ncec, new_state, hwaddr);
+ mutex_exit(&ncec->ncec_lock);
+ nce_refrele(nce);
+ return;
+ }
+ } else {
+ /*
+ * ill is wildcard; clean up all ncec's and ire's
+ * that match on addr.
+ */
+ nce_hw_map_t hwm;
+
+ hwm.hwm_addr = *addr;
+ hwm.hwm_hwlen = hwaddr_len;
+ hwm.hwm_hwaddr = hwaddr;
+ hwm.hwm_flags = flags;
+
+ ncec_walk_common(ipst->ips_ndp4, NULL,
+ (pfi_t)nce_update_hw_changed, (uchar_t *)&hwm, B_TRUE);
+ }
+}
+
+/*
+ * Common function to add ncec entries.
+ * we always add the ncec with ncec_ill == ill, and always create
+ * nce_t on ncec_ill. A dlpi fastpath message may be triggered if the
+ * ncec is !reachable.
+ *
+ * When the caller passes in an nce_state of ND_UNCHANGED,
+ * nce_add_common() will determine the state of the created nce based
+ * on the ill_net_type and nce_flags used. Otherwise, the nce will
+ * be created with state set to the passed in nce_state.
+ */
+static int
+nce_add_common(ill_t *ill, uchar_t *hw_addr, uint_t hw_addr_len,
+ const in6_addr_t *addr, uint16_t flags, uint16_t nce_state, nce_t **retnce)
+{
+ static ncec_t nce_nil;
+ uchar_t *template = NULL;
+ int err;
+ ncec_t *ncec;
+ ncec_t **ncep;
+ ip_stack_t *ipst = ill->ill_ipst;
+ uint16_t state;
+ boolean_t fastprobe = B_FALSE;
+ struct ndp_g_s *ndp;
+ nce_t *nce = NULL;
+ mblk_t *dlur_mp = NULL;
+
+ if (ill->ill_isv6)
+ ndp = ill->ill_ipst->ips_ndp6;
+ else
+ ndp = ill->ill_ipst->ips_ndp4;
+
+ *retnce = NULL;
+
+ ASSERT(MUTEX_HELD(&ndp->ndp_g_lock));
+
+ if (IN6_IS_ADDR_UNSPECIFIED(addr)) {
+ ip0dbg(("nce_add_common: no addr\n"));
+ return (EINVAL);
+ }
+ if ((flags & ~NCE_EXTERNAL_FLAGS_MASK)) {
+ ip0dbg(("nce_add_common: flags = %x\n", (int)flags));
+ return (EINVAL);
+ }
+
+ if (ill->ill_isv6) {
+ ncep = ((ncec_t **)NCE_HASH_PTR_V6(ipst, *addr));
+ } else {
+ ipaddr_t v4addr;
+
+ IN6_V4MAPPED_TO_IPADDR(addr, v4addr);
+ ncep = ((ncec_t **)NCE_HASH_PTR_V4(ipst, v4addr));
+ }
+
+ /*
+ * The caller has ensured that there is no nce on ill, but there could
+ * still be an nce_common_t for the address, so that we find exisiting
+ * ncec_t strucutures first, and atomically add a new nce_t if
+ * one is found. The ndp_g_lock ensures that we don't cross threads
+ * with an ncec_delete(). Unlike ncec_lookup_illgrp() we do not
+ * compare for matches across the illgrp because this function is
+ * called via nce_lookup_then_add_v* -> nce_add_v* -> nce_add_common,
+ * with the nce_lookup_then_add_v* passing in the ipmp_ill where
+ * appropriate.
+ */
+ ncec = *ncep;
+ for (; ncec != NULL; ncec = ncec->ncec_next) {
+ if (ncec->ncec_ill == ill) {
+ if (IN6_ARE_ADDR_EQUAL(&ncec->ncec_addr, addr)) {
+ *retnce = nce_ill_lookup_then_add(ill, ncec);
+ if (*retnce != NULL)
+ break;
+ }
+ }
+ }
+ if (*retnce != NULL) {
+ /*
+ * We should never find *retnce to be MYADDR, since the caller
+ * may then incorrectly restart a DAD timer that's already
+ * running.
+ */
+ ASSERT(!NCE_MYADDR(ncec));
+ /* caller must trigger fastpath on nce */
+ return (0);
+ }
+ ncec = kmem_cache_alloc(ncec_cache, KM_NOSLEEP);
+ if (ncec == NULL)
+ return (ENOMEM);
+ *ncec = nce_nil;
+ ncec->ncec_ill = ill;
+ ncec->ncec_ipversion = (ill->ill_isv6 ? IPV6_VERSION : IPV4_VERSION);
+ ncec->ncec_flags = flags;
+ ncec->ncec_ipst = ipst; /* No netstack_hold */
+
+ if (!ill->ill_isv6) {
+ ipaddr_t addr4;
+
+ /*
+ * DAD probe interval and probe count are set based on
+ * fast/slow probe settings. If the underlying link doesn't
+ * have reliably up/down notifications or if we're working
+ * with IPv4 169.254.0.0/16 Link Local Address space, then
+ * don't use the fast timers. Otherwise, use them.
+ */
+ ASSERT(IN6_IS_ADDR_V4MAPPED(addr));
+ IN6_V4MAPPED_TO_IPADDR(addr, addr4);
+ if (ill->ill_note_link && !IS_IPV4_LL_SPACE(&addr4))
+ fastprobe = B_TRUE;
+ if (fastprobe) {
+ ncec->ncec_xmit_interval =
+ ipst->ips_arp_fastprobe_interval;
+ ncec->ncec_pcnt =
+ ipst->ips_arp_fastprobe_count;
+ ncec->ncec_flags |= NCE_F_FAST;
+ } else {
+ ncec->ncec_xmit_interval =
+ ipst->ips_arp_probe_interval;
+ ncec->ncec_pcnt =
+ ipst->ips_arp_probe_count;
+ }
+ if (NCE_PUBLISH(ncec)) {
+ ncec->ncec_unsolicit_count =
+ ipst->ips_ip_arp_publish_count;
+ }
+ } else {
+ /*
+ * probe interval is constant: ILL_PROBE_INTERVAL
+ * probe count is constant: ND_MAX_UNICAST_SOLICIT
+ */
+ ncec->ncec_pcnt = ND_MAX_UNICAST_SOLICIT;
+ if (NCE_PUBLISH(ncec)) {
+ ncec->ncec_unsolicit_count =
+ ipst->ips_ip_ndp_unsolicit_count;
+ }
+ }
+ ncec->ncec_rcnt = ill->ill_xmit_count;
+ ncec->ncec_addr = *addr;
+ ncec->ncec_qd_mp = NULL;
+ ncec->ncec_refcnt = 1; /* for ncec getting created */
+ mutex_init(&ncec->ncec_lock, NULL, MUTEX_DEFAULT, NULL);
+ ncec->ncec_trace_disable = B_FALSE;
+
+ /*
+ * ncec_lladdr holds link layer address
+ */
+ if (hw_addr_len > 0) {
+ template = kmem_alloc(hw_addr_len, KM_NOSLEEP);
if (template == NULL) {
err = ENOMEM;
goto err_ret;
}
+ ncec->ncec_lladdr = template;
+ ncec->ncec_lladdr_length = hw_addr_len;
+ bzero(ncec->ncec_lladdr, hw_addr_len);
+ }
+ if ((flags & NCE_F_BCAST) != 0) {
state = ND_REACHABLE;
+ ASSERT(hw_addr_len > 0);
+ } else if (ill->ill_net_type == IRE_IF_RESOLVER) {
+ state = ND_INITIAL;
} else if (ill->ill_net_type == IRE_IF_NORESOLVER) {
/*
* NORESOLVER entries are always created in the REACHABLE
* state.
*/
+ state = ND_REACHABLE;
if (ill->ill_phys_addr_length == IP_ADDR_LEN &&
ill->ill_mactype != DL_IPV4 &&
ill->ill_mactype != DL_6TO4) {
@@ -3698,32 +4501,91 @@ ndp_add_v4(ill_t *ill, const in_addr_t *addr, uint16_t flags,
* that do their own resolution from IP to link-layer
* address (e.g. IP over X.25).
*/
- template = ill_dlur_gen((uchar_t *)addr,
- ill->ill_phys_addr_length,
- ill->ill_sap, ill->ill_sap_length);
- } else {
- template = copyb(ill->ill_resolver_mp);
+ bcopy((uchar_t *)addr,
+ ncec->ncec_lladdr, ill->ill_phys_addr_length);
}
- if (template == NULL) {
- err = ENOMEM;
- goto err_ret;
+ if (ill->ill_phys_addr_length == IPV6_ADDR_LEN &&
+ ill->ill_mactype != DL_IPV6) {
+ /*
+ * We create a nce_res_mp with the IP nexthop address
+ * as the destination address if the physical legnth
+ * is exactly 16 bytes for point-to-multipoint links
+ * that do their own resolution from IP to link-layer
+ * address.
+ */
+ bcopy((uchar_t *)addr,
+ ncec->ncec_lladdr, ill->ill_phys_addr_length);
}
+ /*
+ * Since NUD is not part of the base IPv4 protocol definition,
+ * IPv4 neighbor entries on NORESOLVER interfaces will never
+ * age, and are marked NCE_F_NONUD.
+ */
+ if (!ill->ill_isv6)
+ ncec->ncec_flags |= NCE_F_NONUD;
+ } else if (ill->ill_net_type == IRE_LOOPBACK) {
state = ND_REACHABLE;
}
- nce->nce_fp_mp = NULL;
- nce->nce_res_mp = template;
- nce->nce_state = state;
+
+ if (hw_addr != NULL || ill->ill_net_type == IRE_IF_NORESOLVER) {
+ /*
+ * We are adding an ncec with a deterministic hw_addr,
+ * so the state can only be one of {REACHABLE, STALE, PROBE}.
+ *
+ * if we are adding a unicast ncec for the local address
+ * it would be REACHABLE; we would be adding a ND_STALE entry
+ * for the requestor of an ARP_REQUEST/ND_SOLICIT. Our own
+ * addresses are added in PROBE to trigger DAD.
+ */
+ if ((flags & (NCE_F_MCAST|NCE_F_BCAST)) ||
+ ill->ill_net_type == IRE_IF_NORESOLVER)
+ state = ND_REACHABLE;
+ else if (!NCE_PUBLISH(ncec))
+ state = ND_STALE;
+ else
+ state = ND_PROBE;
+ if (hw_addr != NULL)
+ nce_set_ll(ncec, hw_addr);
+ }
+ /* caller overrides internally computed state */
+ if (nce_state != ND_UNCHANGED)
+ state = nce_state;
+
+ if (state == ND_PROBE)
+ ncec->ncec_flags |= NCE_F_UNVERIFIED;
+
+ ncec->ncec_state = state;
+
if (state == ND_REACHABLE) {
- nce->nce_last = TICK_TO_MSEC(lbolt64);
- nce->nce_init_time = TICK_TO_MSEC(lbolt64);
+ ncec->ncec_last = TICK_TO_MSEC(lbolt64);
+ ncec->ncec_init_time = TICK_TO_MSEC(lbolt64);
} else {
- nce->nce_last = 0;
+ ncec->ncec_last = 0;
if (state == ND_INITIAL)
- nce->nce_init_time = TICK_TO_MSEC(lbolt64);
+ ncec->ncec_init_time = TICK_TO_MSEC(lbolt64);
+ }
+ list_create(&ncec->ncec_cb, sizeof (ncec_cb_t),
+ offsetof(ncec_cb_t, ncec_cb_node));
+ /*
+ * have all the memory allocations out of the way before taking locks
+ * and adding the nce.
+ */
+ nce = kmem_cache_alloc(nce_cache, KM_NOSLEEP);
+ if (nce == NULL) {
+ err = ENOMEM;
+ goto err_ret;
+ }
+ if (ncec->ncec_lladdr != NULL ||
+ ill->ill_net_type == IRE_IF_NORESOLVER) {
+ dlur_mp = ill_dlur_gen(ncec->ncec_lladdr,
+ ill->ill_phys_addr_length, ill->ill_sap,
+ ill->ill_sap_length);
+ if (dlur_mp == NULL) {
+ err = ENOMEM;
+ goto err_ret;
+ }
}
- ASSERT((nce->nce_res_mp == NULL && nce->nce_state == ND_INITIAL) ||
- (nce->nce_res_mp != NULL && nce->nce_state == ND_REACHABLE));
/*
* Atomically ensure that the ill is not CONDEMNED, before
* adding the NCE.
@@ -3734,128 +4596,423 @@ ndp_add_v4(ill_t *ill, const in_addr_t *addr, uint16_t flags,
err = EINVAL;
goto err_ret;
}
- if ((nce->nce_next = *ncep) != NULL)
- nce->nce_next->nce_ptpn = &nce->nce_next;
- *ncep = nce;
- nce->nce_ptpn = ncep;
- *newnce = nce;
- /* This one is for nce being used by an active thread */
- NCE_REFHOLD(*newnce);
+ if (!NCE_MYADDR(ncec) &&
+ (ill->ill_state_flags & ILL_DOWN_IN_PROGRESS)) {
+ mutex_exit(&ill->ill_lock);
+ DTRACE_PROBE1(nce__add__on__down__ill, ncec_t *, ncec);
+ err = EINVAL;
+ goto err_ret;
+ }
+ /*
+ * Acquire the ncec_lock even before adding the ncec to the list
+ * so that it cannot get deleted after the ncec is added, but
+ * before we add the nce.
+ */
+ mutex_enter(&ncec->ncec_lock);
+ if ((ncec->ncec_next = *ncep) != NULL)
+ ncec->ncec_next->ncec_ptpn = &ncec->ncec_next;
+ *ncep = ncec;
+ ncec->ncec_ptpn = ncep;
- /* Bump up the number of nce's referencing this ill */
+ /* Bump up the number of ncec's referencing this ill */
DTRACE_PROBE3(ill__incr__cnt, (ill_t *), ill,
- (char *), "nce", (void *), nce);
- ill->ill_nce_cnt++;
+ (char *), "ncec", (void *), ncec);
+ ill->ill_ncec_cnt++;
+ /*
+ * Since we hold the ncec_lock at this time, the ncec cannot be
+ * condemned, and we can safely add the nce.
+ */
+ *retnce = nce_add_impl(ill, ncec, nce, dlur_mp);
+ mutex_exit(&ncec->ncec_lock);
mutex_exit(&ill->ill_lock);
- DTRACE_PROBE1(ndp__add__v4, nce_t *, nce);
+
+ /* caller must trigger fastpath on *retnce */
return (0);
+
err_ret:
- freeb(mp);
- freemsg(template);
+ if (ncec != NULL)
+ kmem_cache_free(ncec_cache, ncec);
+ if (nce != NULL)
+ kmem_cache_free(nce_cache, nce);
+ freemsg(dlur_mp);
+ if (template != NULL)
+ kmem_free(template, ill->ill_phys_addr_length);
return (err);
}
/*
- * ndp_walk routine to delete all entries that have a given destination or
- * gateway address and cached link layer (MAC) address. This is used when ARP
- * informs us that a network-to-link-layer mapping may have changed.
+ * take a ref on the nce
*/
void
-nce_delete_hw_changed(nce_t *nce, void *arg)
+nce_refhold(nce_t *nce)
{
- nce_hw_map_t *hwm = arg;
- mblk_t *mp;
- dl_unitdata_req_t *dlu;
- uchar_t *macaddr;
- ill_t *ill;
- int saplen;
- ipaddr_t nce_addr;
+ mutex_enter(&nce->nce_lock);
+ nce->nce_refcnt++;
+ ASSERT((nce)->nce_refcnt != 0);
+ mutex_exit(&nce->nce_lock);
+}
- if (nce->nce_state != ND_REACHABLE)
- return;
+/*
+ * release a ref on the nce; In general, this
+ * cannot be called with locks held because nce_inactive
+ * may result in nce_inactive which will take the ill_lock,
+ * do ipif_ill_refrele_tail etc. Thus the one exception
+ * where this can be called with locks held is when the caller
+ * is certain that the nce_refcnt is sufficient to prevent
+ * the invocation of nce_inactive.
+ */
+void
+nce_refrele(nce_t *nce)
+{
+ ASSERT((nce)->nce_refcnt != 0);
+ mutex_enter(&nce->nce_lock);
+ if (--nce->nce_refcnt == 0)
+ nce_inactive(nce); /* destroys the mutex */
+ else
+ mutex_exit(&nce->nce_lock);
+}
- IN6_V4MAPPED_TO_IPADDR(&nce->nce_addr, nce_addr);
- if (nce_addr != hwm->hwm_addr)
- return;
+/*
+ * free the nce after all refs have gone away.
+ */
+static void
+nce_inactive(nce_t *nce)
+{
+ ill_t *ill = nce->nce_ill;
+
+ ASSERT(nce->nce_refcnt == 0);
+
+ ncec_refrele_notr(nce->nce_common);
+ nce->nce_common = NULL;
+ freemsg(nce->nce_fp_mp);
+ freemsg(nce->nce_dlur_mp);
+
+ mutex_enter(&ill->ill_lock);
+ DTRACE_PROBE3(ill__decr__cnt, (ill_t *), ill,
+ (char *), "nce", (void *), nce);
+ ill->ill_nce_cnt--;
+ nce->nce_ill = NULL;
+ /*
+ * If the number of ncec's associated with this ill have dropped
+ * to zero, check whether we need to restart any operation that
+ * is waiting for this to happen.
+ */
+ if (ILL_DOWN_OK(ill)) {
+ /* ipif_ill_refrele_tail drops the ill_lock */
+ ipif_ill_refrele_tail(ill);
+ } else {
+ mutex_exit(&ill->ill_lock);
+ }
+
+ mutex_destroy(&nce->nce_lock);
+ kmem_cache_free(nce_cache, nce);
+}
+
+/*
+ * Add an nce to the ill_nce list.
+ */
+static nce_t *
+nce_add_impl(ill_t *ill, ncec_t *ncec, nce_t *nce, mblk_t *dlur_mp)
+{
+ bzero(nce, sizeof (*nce));
+ mutex_init(&nce->nce_lock, NULL, MUTEX_DEFAULT, NULL);
+ nce->nce_common = ncec;
+ nce->nce_addr = ncec->ncec_addr;
+ nce->nce_ill = ill;
+ DTRACE_PROBE3(ill__incr__cnt, (ill_t *), ill,
+ (char *), "nce", (void *), nce);
+ ill->ill_nce_cnt++;
+
+ nce->nce_refcnt = 1; /* for the thread */
+ ncec->ncec_refcnt++; /* want ncec_refhold_locked_notr(ncec) */
+ nce->nce_dlur_mp = dlur_mp;
+
+ /* add nce to the ill's fastpath list. */
+ nce->nce_refcnt++; /* for the list */
+ list_insert_head(&ill->ill_nce, nce);
+ return (nce);
+}
+
+static nce_t *
+nce_add(ill_t *ill, ncec_t *ncec)
+{
+ nce_t *nce;
+ mblk_t *dlur_mp = NULL;
+
+ ASSERT(MUTEX_HELD(&ill->ill_lock));
+ ASSERT(MUTEX_HELD(&ncec->ncec_lock));
+
+ nce = kmem_cache_alloc(nce_cache, KM_NOSLEEP);
+ if (nce == NULL)
+ return (NULL);
+ if (ncec->ncec_lladdr != NULL ||
+ ill->ill_net_type == IRE_IF_NORESOLVER) {
+ dlur_mp = ill_dlur_gen(ncec->ncec_lladdr,
+ ill->ill_phys_addr_length, ill->ill_sap,
+ ill->ill_sap_length);
+ if (dlur_mp == NULL) {
+ kmem_cache_free(nce_cache, nce);
+ return (NULL);
+ }
+ }
+ return (nce_add_impl(ill, ncec, nce, dlur_mp));
+}
+
+/*
+ * remove the nce from the ill_faspath list
+ */
+void
+nce_delete(nce_t *nce)
+{
+ ill_t *ill = nce->nce_ill;
+
+ ASSERT(MUTEX_HELD(&ill->ill_lock));
mutex_enter(&nce->nce_lock);
- if ((mp = nce->nce_res_mp) == NULL) {
+ if (nce->nce_is_condemned) {
+ /*
+ * some other thread has removed this nce from the ill_nce list
+ */
mutex_exit(&nce->nce_lock);
return;
}
- dlu = (dl_unitdata_req_t *)mp->b_rptr;
- macaddr = (uchar_t *)(dlu + 1);
- ill = nce->nce_ill;
- if ((saplen = ill->ill_sap_length) > 0)
- macaddr += saplen;
- else
- saplen = -saplen;
+ nce->nce_is_condemned = B_TRUE;
+ mutex_exit(&nce->nce_lock);
+ list_remove(&ill->ill_nce, nce);
/*
- * If the hardware address is unchanged, then leave this one alone.
- * Note that saplen == abs(saplen) now.
+ * even though we are holding the ill_lock, it is ok to
+ * call nce_refrele here because we know that we should have
+ * at least 2 refs on the nce: one for the thread, and one
+ * for the list. The refrele below will release the one for
+ * the list.
*/
- if (hwm->hwm_hwlen == dlu->dl_dest_addr_length - saplen &&
- bcmp(hwm->hwm_hwaddr, macaddr, hwm->hwm_hwlen) == 0) {
- mutex_exit(&nce->nce_lock);
- return;
+ nce_refrele(nce);
+}
+
+nce_t *
+nce_lookup(ill_t *ill, const in6_addr_t *addr)
+{
+ nce_t *nce = NULL;
+
+ ASSERT(ill != NULL);
+ ASSERT(MUTEX_HELD(&ill->ill_lock));
+
+ for (nce = list_head(&ill->ill_nce); nce != NULL;
+ nce = list_next(&ill->ill_nce, nce)) {
+ if (IN6_ARE_ADDR_EQUAL(&nce->nce_addr, addr))
+ break;
}
- mutex_exit(&nce->nce_lock);
- DTRACE_PROBE1(nce__hw__deleted, nce_t *, nce);
- ndp_delete(nce);
+ /*
+ * if we found the nce on the ill_nce list while holding
+ * the ill_lock, then it cannot be condemned yet.
+ */
+ if (nce != NULL) {
+ ASSERT(!nce->nce_is_condemned);
+ nce_refhold(nce);
+ }
+ return (nce);
}
/*
- * This function verifies whether a given IPv4 address is potentially known to
- * the NCE subsystem. If so, then ARP must not delete the corresponding ace_t,
- * so that it can continue to look for hardware changes on that address.
+ * Walk the ill_nce list on ill. The callback function func() cannot perform
+ * any destructive actions.
*/
-boolean_t
-ndp_lookup_ipaddr(in_addr_t addr, netstack_t *ns)
+static void
+nce_walk_common(ill_t *ill, pfi_t func, void *arg)
{
- nce_t *nce;
- struct in_addr nceaddr;
- ip_stack_t *ipst = ns->netstack_ip;
+ nce_t *nce = NULL, *nce_next;
- if (addr == INADDR_ANY)
- return (B_FALSE);
+ ASSERT(MUTEX_HELD(&ill->ill_lock));
+ for (nce = list_head(&ill->ill_nce); nce != NULL; ) {
+ nce_next = list_next(&ill->ill_nce, nce);
+ if (func(ill, nce, arg) != 0)
+ break;
+ nce = nce_next;
+ }
+}
- mutex_enter(&ipst->ips_ndp4->ndp_g_lock);
- nce = *(nce_t **)NCE_HASH_PTR_V4(ipst, addr);
- for (; nce != NULL; nce = nce->nce_next) {
- /* Note that only v4 mapped entries are in the table. */
- IN6_V4MAPPED_TO_INADDR(&nce->nce_addr, &nceaddr);
- if (addr == nceaddr.s_addr &&
- IN6_ARE_ADDR_EQUAL(&nce->nce_mask, &ipv6_all_ones)) {
- /* Single flag check; no lock needed */
- if (!(nce->nce_flags & NCE_F_CONDEMNED))
- break;
+void
+nce_walk(ill_t *ill, pfi_t func, void *arg)
+{
+ mutex_enter(&ill->ill_lock);
+ nce_walk_common(ill, func, arg);
+ mutex_exit(&ill->ill_lock);
+}
+
+void
+nce_flush(ill_t *ill, boolean_t flushall)
+{
+ nce_t *nce, *nce_next;
+ list_t dead;
+
+ list_create(&dead, sizeof (nce_t), offsetof(nce_t, nce_node));
+ mutex_enter(&ill->ill_lock);
+ for (nce = list_head(&ill->ill_nce); nce != NULL; ) {
+ nce_next = list_next(&ill->ill_nce, nce);
+ if (!flushall && NCE_PUBLISH(nce->nce_common)) {
+ nce = nce_next;
+ continue;
}
+ /*
+ * nce_delete requires that the caller should either not
+ * be holding locks, or should hold a ref to ensure that
+ * we wont hit ncec_inactive. So take a ref and clean up
+ * after the list is flushed.
+ */
+ nce_refhold(nce);
+ nce_delete(nce);
+ list_insert_tail(&dead, nce);
+ nce = nce_next;
}
- mutex_exit(&ipst->ips_ndp4->ndp_g_lock);
- return (nce != NULL);
+ mutex_exit(&ill->ill_lock);
+ while ((nce = list_head(&dead)) != NULL) {
+ list_remove(&dead, nce);
+ nce_refrele(nce);
+ }
+ ASSERT(list_is_empty(&dead));
+ list_destroy(&dead);
}
-/*
- * Wrapper around ipif_lookup_addr_exact_v6() that allows ND to work properly
- * with IPMP. Specifically, since neighbor discovery is always done on
- * underlying interfaces (even for addresses owned by an IPMP interface), we
- * need to check for `v6addrp' on both `ill' and on the IPMP meta-interface
- * associated with `ill' (if it exists).
- */
-static ipif_t *
-ip_ndp_lookup_addr_v6(const in6_addr_t *v6addrp, ill_t *ill)
+/* Return an interval that is anywhere in the [1 .. intv] range */
+static clock_t
+nce_fuzz_interval(clock_t intv, boolean_t initial_time)
+{
+ clock_t rnd, frac;
+
+ (void) random_get_pseudo_bytes((uint8_t *)&rnd, sizeof (rnd));
+ /* Note that clock_t is signed; must chop off bits */
+ rnd &= (1ul << (NBBY * sizeof (rnd) - 1)) - 1;
+ if (initial_time) {
+ if (intv <= 0)
+ intv = 1;
+ else
+ intv = (rnd % intv) + 1;
+ } else {
+ /* Compute 'frac' as 20% of the configured interval */
+ if ((frac = intv / 5) <= 1)
+ frac = 2;
+ /* Set intv randomly in the range [intv-frac .. intv+frac] */
+ if ((intv = intv - frac + rnd % (2 * frac + 1)) <= 0)
+ intv = 1;
+ }
+ return (intv);
+}
+
+void
+nce_resolv_ipmp_ok(ncec_t *ncec)
{
- ipif_t *ipif;
+ mblk_t *mp;
+ uint_t pkt_len;
+ iaflags_t ixaflags = IXAF_NO_TRACE;
+ nce_t *under_nce;
+ ill_t *ill = ncec->ncec_ill;
+ boolean_t isv6 = (ncec->ncec_ipversion == IPV6_VERSION);
+ ipif_t *src_ipif = NULL;
ip_stack_t *ipst = ill->ill_ipst;
+ ill_t *send_ill;
+ uint_t nprobes;
- ipif = ipif_lookup_addr_exact_v6(v6addrp, ill, ipst);
- if (ipif == NULL && IS_UNDER_IPMP(ill)) {
- if ((ill = ipmp_ill_hold_ipmp_ill(ill)) != NULL) {
- ipif = ipif_lookup_addr_exact_v6(v6addrp, ill, ipst);
- ill_refrele(ill);
+ ASSERT(IS_IPMP(ill));
+
+ mutex_enter(&ncec->ncec_lock);
+ nprobes = ncec->ncec_nprobes;
+ mp = ncec->ncec_qd_mp;
+ ncec->ncec_qd_mp = NULL;
+ ncec->ncec_nprobes = 0;
+ mutex_exit(&ncec->ncec_lock);
+
+ while (mp != NULL) {
+ mblk_t *nxt_mp;
+
+ nxt_mp = mp->b_next;
+ mp->b_next = NULL;
+ if (isv6) {
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+
+ pkt_len = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
+ src_ipif = ipif_lookup_addr_nondup_v6(&ip6h->ip6_src,
+ ill, ALL_ZONES, ipst);
+ } else {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ ixaflags |= IXAF_IS_IPV4;
+ pkt_len = ntohs(ipha->ipha_length);
+ src_ipif = ipif_lookup_addr_nondup(ipha->ipha_src,
+ ill, ALL_ZONES, ipst);
+ }
+
+ /*
+ * find a new nce based on an under_ill. The first IPMP probe
+ * packet gets queued, so we could still find a src_ipif that
+ * matches an IPMP test address.
+ */
+ if (src_ipif == NULL || IS_IPMP(src_ipif->ipif_ill)) {
+ /*
+ * if src_ipif is null, this could be either a
+ * forwarded packet or a probe whose src got deleted.
+ * We identify the former case by looking for the
+ * ncec_nprobes: the first ncec_nprobes packets are
+ * probes;
+ */
+ if (src_ipif == NULL && nprobes > 0)
+ goto drop_pkt;
+
+ /*
+ * For forwarded packets, we use the ipmp rotor
+ * to find send_ill.
+ */
+ send_ill = ipmp_ill_get_xmit_ill(ncec->ncec_ill,
+ B_TRUE);
+ } else {
+ send_ill = src_ipif->ipif_ill;
+ ill_refhold(send_ill);
+ }
+
+ DTRACE_PROBE4(nce__resolve__ipmp, (mblk_t *), mp,
+ (ncec_t *), ncec, (ipif_t *),
+ src_ipif, (ill_t *), send_ill);
+
+ if (send_ill == NULL) {
+ if (src_ipif != NULL)
+ ipif_refrele(src_ipif);
+ goto drop_pkt;
}
+ /* create an under_nce on send_ill */
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
+ if (IS_IN_SAME_ILLGRP(send_ill, ncec->ncec_ill))
+ under_nce = nce_fastpath_create(send_ill, ncec);
+ else
+ under_nce = NULL;
+ rw_exit(&ipst->ips_ill_g_lock);
+ if (under_nce != NULL && NCE_ISREACHABLE(ncec))
+ nce_fastpath_trigger(under_nce);
+
+ ill_refrele(send_ill);
+ if (src_ipif != NULL)
+ ipif_refrele(src_ipif);
+
+ if (under_nce != NULL) {
+ (void) ip_xmit(mp, under_nce, ixaflags, pkt_len, 0,
+ ALL_ZONES, 0, NULL);
+ nce_refrele(under_nce);
+ if (nprobes > 0)
+ nprobes--;
+ mp = nxt_mp;
+ continue;
+ }
+drop_pkt:
+ if (isv6) {
+ BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutDiscards);
+ } else {
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ }
+ ip_drop_output("ipIfStatsOutDiscards - no under_ill", mp, NULL);
+ freemsg(mp);
+ if (nprobes > 0)
+ nprobes--;
+ mp = nxt_mp;
}
- return (ipif);
+ ncec_cb_dispatch(ncec); /* complete callbacks */
}
diff --git a/usr/src/uts/common/inet/ip/ip_netinfo.c b/usr/src/uts/common/inet/ip/ip_netinfo.c
index 8b97462d13..33e791adac 100644
--- a/usr/src/uts/common/inet/ip/ip_netinfo.c
+++ b/usr/src/uts/common/inet/ip/ip_netinfo.c
@@ -38,6 +38,7 @@
#include <sys/cmn_err.h>
#include <netinet/in.h>
+#include <inet/ipsec_impl.h>
#include <inet/common.h>
#include <inet/mib2.h>
#include <inet/ip.h>
@@ -89,6 +90,20 @@ static phy_if_t ipv6_routeto(net_handle_t, struct sockaddr *,
struct sockaddr *);
static int ipv6_isvalidchecksum(net_handle_t, mblk_t *);
+static int net_no_getmtu(net_handle_t, phy_if_t, lif_if_t);
+static int net_no_getpmtuenabled(net_handle_t);
+static lif_if_t net_no_lifgetnext(net_handle_t, phy_if_t, lif_if_t);
+static int net_no_inject(net_handle_t, inject_t, net_inject_t *);
+static phy_if_t net_no_routeto(net_handle_t, struct sockaddr *,
+ struct sockaddr *);
+static int net_no_ispartialchecksum(net_handle_t, mblk_t *);
+static int net_no_getlifaddr(net_handle_t, phy_if_t, lif_if_t,
+ size_t, net_ifaddr_t [], void *);
+static int net_no_getlifzone(net_handle_t, phy_if_t, lif_if_t,
+ zoneid_t *);
+static int net_no_getlifflags(net_handle_t, phy_if_t, lif_if_t,
+ uint64_t *);
+
/* Netinfo private functions */
static int ip_getifname_impl(phy_if_t, char *,
const size_t, boolean_t, ip_stack_t *);
@@ -111,7 +126,6 @@ static void ip_ni_queue_in_func(void *);
static void ip_ni_queue_out_func(void *);
static void ip_ni_queue_func_impl(injection_t *, boolean_t);
-
static net_protocol_t ipv4info = {
NETINFO_VERSION,
NHF_INET,
@@ -149,6 +163,24 @@ static net_protocol_t ipv6info = {
ipv6_isvalidchecksum
};
+static net_protocol_t arp_netinfo = {
+ NETINFO_VERSION,
+ NHF_ARP,
+ ip_getifname,
+ net_no_getmtu,
+ net_no_getpmtuenabled,
+ net_no_getlifaddr,
+ net_no_getlifzone,
+ net_no_getlifflags,
+ ip_phygetnext,
+ ip_phylookup,
+ net_no_lifgetnext,
+ net_no_inject,
+ net_no_routeto,
+ net_no_ispartialchecksum,
+ ip_isvalidchecksum
+};
+
/*
* The taskq eventq_queue_in is used to process the upside inject messages.
* The taskq eventq_queue_out is used to process the downside inject messages.
@@ -230,6 +262,9 @@ ip_net_init(ip_stack_t *ipst, netstack_t *ns)
ipst->ips_ipv6_net_data = net_protocol_register(id, &ipv6info);
ASSERT(ipst->ips_ipv6_net_data != NULL);
+
+ ipst->ips_arp_net_data = net_protocol_register(id, &arp_netinfo);
+ ASSERT(ipst->ips_ipv6_net_data != NULL);
}
@@ -248,6 +283,11 @@ ip_net_destroy(ip_stack_t *ipst)
if (net_protocol_unregister(ipst->ips_ipv6_net_data) == 0)
ipst->ips_ipv6_net_data = NULL;
}
+
+ if (ipst->ips_arp_net_data != NULL) {
+ if (net_protocol_unregister(ipst->ips_arp_net_data) == 0)
+ ipst->ips_arp_net_data = NULL;
+ }
}
/*
@@ -612,8 +652,7 @@ ip_getifname_impl(phy_if_t phy_ifdata,
ASSERT(buffer != NULL);
- ill = ill_lookup_on_ifindex((uint_t)phy_ifdata, isv6, NULL, NULL,
- NULL, NULL, ipst);
+ ill = ill_lookup_on_ifindex((uint_t)phy_ifdata, isv6, ipst);
if (ill == NULL)
return (1);
@@ -667,17 +706,17 @@ ip_getmtu_impl(phy_if_t phy_ifdata, lif_if_t ifdata, boolean_t isv6,
if (ipif == NULL)
return (0);
- mtu = ipif->ipif_mtu;
+ mtu = ipif->ipif_ill->ill_mtu;
ipif_refrele(ipif);
if (mtu == 0) {
ill_t *ill;
if ((ill = ill_lookup_on_ifindex((uint_t)phy_ifdata, isv6,
- NULL, NULL, NULL, NULL, ipst)) == NULL) {
+ ipst)) == NULL) {
return (0);
}
- mtu = ill->ill_max_frag;
+ mtu = ill->ill_mtu;
ill_refrele(ill);
}
@@ -760,8 +799,7 @@ ip_phylookup_impl(const char *name, boolean_t isv6, ip_stack_t *ipst)
phy_if_t phy;
ill_t *ill;
- ill = ill_lookup_on_name((char *)name, B_FALSE, isv6, NULL, NULL,
- NULL, NULL, NULL, ipst);
+ ill = ill_lookup_on_name((char *)name, B_FALSE, isv6, NULL, ipst);
if (ill == NULL)
return (0);
@@ -813,8 +851,7 @@ ip_lifgetnext_impl(phy_if_t phy_ifdata, lif_if_t ifdata, boolean_t isv6,
ipif_t *ipif;
ill_t *ill;
- ill = ill_lookup_on_ifindex(phy_ifdata, isv6, NULL, NULL,
- NULL, NULL, ipst);
+ ill = ill_lookup_on_ifindex(phy_ifdata, isv6, ipst);
if (ill == NULL)
return (0);
@@ -898,14 +935,10 @@ static int
ip_inject_impl(inject_t style, net_inject_t *packet, boolean_t isv6,
ip_stack_t *ipst)
{
- struct sockaddr_in6 *sin6;
ddi_taskq_t *tq = NULL;
void (* func)(void *);
injection_t *inject;
- ip6_t *ip6h;
- ire_t *ire;
mblk_t *mp;
- zoneid_t zoneid;
ASSERT(packet != NULL);
ASSERT(packet->ni_packet != NULL);
@@ -941,130 +974,44 @@ ip_inject_impl(inject_t style, net_inject_t *packet, boolean_t isv6,
tq = eventq_queue_out;
break;
- case NI_DIRECT_OUT:
- /*
- * Note:
- * For IPv4, the code path below will be greatly simplified
- * with the delivery of surya - it will become a single
- * function call to X. A follow on project is aimed to
- * provide similar functionality for IPv6.
- */
- mp = packet->ni_packet;
- zoneid =
- netstackid_to_zoneid(ipst->ips_netstack->netstack_stackid);
-
- if (!isv6) {
- struct sockaddr *sock;
-
- sock = (struct sockaddr *)&packet->ni_addr;
- /*
- * ipfil_sendpkt was provided by surya to ease the
- * problems associated with sending out a packet.
- * Currently this function only supports IPv4.
- */
- switch (ipfil_sendpkt(sock, mp, packet->ni_physical,
- zoneid)) {
- case 0 :
- case EINPROGRESS:
- return (0);
- case ECOMM :
- case ENONET :
- return (1);
- default :
- return (1);
- }
- /* NOTREACHED */
-
- }
-
- ip6h = (ip6_t *)mp->b_rptr;
- sin6 = (struct sockaddr_in6 *)&packet->ni_addr;
- ASSERT(sin6->sin6_family == AF_INET6);
-
- ire = ire_route_lookup_v6(&sin6->sin6_addr, 0, 0, 0,
- NULL, NULL, zoneid, NULL,
- MATCH_IRE_DSTONLY|MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE,
- ipst);
+ case NI_DIRECT_OUT: {
+ struct sockaddr *sock;
- if (ire == NULL) {
- ip2dbg(("ip_inject: ire_cache_lookup failed\n"));
- freemsg(mp);
- return (1);
- }
-
- if (ire->ire_stq == NULL) {
- /* Send to loopback destination. */
- if (ire->ire_rfq == NULL) {
- ip2dbg(("ip_inject: bad nexthop\n"));
- ire_refrele(ire);
- freemsg(mp);
- return (1);
- }
- DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL,
- void_ip_t *, ip6h, __dtrace_ipsr_ill_t *,
- ire->ire_ipif->ipif_ill, ipha_t *, NULL, ip6_t *,
- ip6h, int, 1);
- ip_wput_local_v6(ire->ire_rfq,
- ire->ire_ipif->ipif_ill, ip6h, mp, ire, 0, zoneid);
- ire_refrele(ire);
- return (0);
- }
-
- mp->b_queue = ire->ire_stq;
-
- if (ire->ire_nce == NULL ||
- ire->ire_nce->nce_fp_mp == NULL &&
- ire->ire_nce->nce_res_mp == NULL) {
- ip_newroute_v6(ire->ire_stq, mp, &sin6->sin6_addr,
- &ip6h->ip6_src, NULL, zoneid, ipst);
+ mp = packet->ni_packet;
- ire_refrele(ire);
+ sock = (struct sockaddr *)&packet->ni_addr;
+ /*
+ * ipfil_sendpkt was provided by surya to ease the
+ * problems associated with sending out a packet.
+ */
+ switch (ipfil_sendpkt(sock, mp, packet->ni_physical,
+ netstackid_to_zoneid(
+ ipst->ips_netstack->netstack_stackid))) {
+ case 0 :
+ case EINPROGRESS:
return (0);
- } else {
- /* prepend L2 header for IPv6 packets. */
- mblk_t *llmp;
-
- /*
- * Lock IREs, see 6420438
- */
- mutex_enter(&ire->ire_lock);
- llmp = ire->ire_nce->nce_fp_mp ?
- ire->ire_nce->nce_fp_mp :
- ire->ire_nce->nce_res_mp;
-
- if ((mp = dupb(llmp)) == NULL &&
- (mp = copyb(llmp)) == NULL) {
- ip2dbg(("ip_inject: llhdr failed\n"));
- mutex_exit(&ire->ire_lock);
- ire_refrele(ire);
- freemsg(mp);
- return (1);
- }
- mutex_exit(&ire->ire_lock);
- linkb(mp, packet->ni_packet);
+ case ECOMM :
+ case ENONET :
+ return (1);
+ default :
+ return (1);
}
-
- mp->b_queue = ire->ire_stq;
-
- break;
+ /* NOTREACHED */
+ }
default:
freemsg(packet->ni_packet);
return (1);
}
- if (tq) {
- inject->inj_ptr = ipst;
- if (ddi_taskq_dispatch(tq, func, (void *)inject,
- DDI_SLEEP) == DDI_FAILURE) {
- ip2dbg(("ip_inject: ddi_taskq_dispatch failed\n"));
- freemsg(packet->ni_packet);
- return (1);
- }
- } else {
- putnext(ire->ire_stq, mp);
- ire_refrele(ire);
- }
+ ASSERT(tq != NULL);
+ inject->inj_ptr = ipst;
+ if (ddi_taskq_dispatch(tq, func, (void *)inject,
+ DDI_SLEEP) == DDI_FAILURE) {
+ ip2dbg(("ip_inject: ddi_taskq_dispatch failed\n"));
+ freemsg(packet->ni_packet);
+ return (1);
+ }
return (0);
}
@@ -1121,64 +1068,57 @@ ip_routeto_impl(struct sockaddr *address, struct sockaddr *nexthop,
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)address;
struct sockaddr_in *next = (struct sockaddr_in *)nexthop;
struct sockaddr_in *sin = (struct sockaddr_in *)address;
- ire_t *sire = NULL;
ire_t *ire;
- ill_t *ill;
+ ire_t *nexthop_ire;
phy_if_t phy_if;
zoneid_t zoneid;
zoneid = netstackid_to_zoneid(ipst->ips_netstack->netstack_stackid);
if (address->sa_family == AF_INET6) {
- ire = ire_route_lookup_v6(&sin6->sin6_addr, NULL,
- 0, 0, NULL, &sire, zoneid, NULL,
- MATCH_IRE_DSTONLY|MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE,
- ipst);
+ ire = ire_route_recursive_v6(&sin6->sin6_addr, 0, NULL,
+ zoneid, NULL, MATCH_IRE_DSTONLY, B_TRUE, 0, ipst, NULL,
+ NULL, NULL);
} else {
- ire = ire_route_lookup(sin->sin_addr.s_addr, 0,
- 0, 0, NULL, &sire, zoneid, NULL,
- MATCH_IRE_DSTONLY|MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE,
- ipst);
+ ire = ire_route_recursive_v4(sin->sin_addr.s_addr, 0, NULL,
+ zoneid, NULL, MATCH_IRE_DSTONLY, B_TRUE, 0, ipst, NULL,
+ NULL, NULL);
}
-
- if (ire == NULL)
- return (0);
-
+ ASSERT(ire != NULL);
/*
* For some destinations, we have routes that are dead ends, so
* return to indicate that no physical interface can be used to
* reach the destination.
*/
- if ((ire->ire_flags & (RTF_REJECT | RTF_BLACKHOLE)) != 0) {
- if (sire != NULL)
- ire_refrele(sire);
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
ire_refrele(ire);
- return (0);
+ return (NULL);
}
- ill = ire_to_ill(ire);
- if (ill == NULL) {
- if (sire != NULL)
- ire_refrele(sire);
+ nexthop_ire = ire_nexthop(ire);
+ if (nexthop_ire == NULL) {
+ ire_refrele(ire);
+ return (0);
+ }
+ if (nexthop_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ ire_refrele(nexthop_ire);
ire_refrele(ire);
return (0);
}
+ ASSERT(nexthop_ire->ire_ill != NULL);
+
if (nexthop != NULL) {
if (address->sa_family == AF_INET6) {
- next->sin_addr.s_addr = sire ? sire->ire_gateway_addr :
- sin->sin_addr.s_addr;
+ next6->sin6_addr = nexthop_ire->ire_addr_v6;
} else {
- next6->sin6_addr = sire ? sire->ire_gateway_addr_v6 :
- sin6->sin6_addr;
+ next->sin_addr.s_addr = nexthop_ire->ire_addr;
}
}
- ASSERT(ill != NULL);
- phy_if = (phy_if_t)ill->ill_phyint->phyint_ifindex;
- if (sire != NULL)
- ire_refrele(sire);
+ phy_if = (phy_if_t)nexthop_ire->ire_ill->ill_phyint->phyint_ifindex;
ire_refrele(ire);
+ ire_refrele(nexthop_ire);
return (phy_if);
}
@@ -1477,8 +1417,7 @@ ip_getlifflags_impl(sa_family_t family, phy_if_t phy_ifdata, lif_if_t ifdata,
ipif_t *ipif;
ill_t *ill;
- ill = ill_lookup_on_ifindex(phy_ifdata,
- (family == AF_INET6), NULL, NULL, NULL, NULL, ipst);
+ ill = ill_lookup_on_ifindex(phy_ifdata, (family == AF_INET6), ipst);
if (ill == NULL)
return (-1);
phyi = ill->ill_phyint;
@@ -1538,59 +1477,43 @@ static void
ip_ni_queue_func_impl(injection_t *inject, boolean_t out)
{
net_inject_t *packet;
- conn_t *conn;
ill_t *ill;
ip_stack_t *ipst = (ip_stack_t *)inject->inj_ptr;
+ ip_xmit_attr_t ixas;
ASSERT(inject != NULL);
packet = &inject->inj_data;
ASSERT(packet->ni_packet != NULL);
- ill = ill_lookup_on_ifindex((uint_t)packet->ni_physical,
- B_FALSE, NULL, NULL, NULL, NULL, ipst);
- if (ill == NULL) {
- kmem_free(inject, sizeof (*inject));
- return;
- }
-
if (out == 0) {
+ ill = ill_lookup_on_ifindex((uint_t)packet->ni_physical,
+ inject->inj_isv6, ipst);
+
+ if (ill == NULL) {
+ kmem_free(inject, sizeof (*inject));
+ return;
+ }
+
if (inject->inj_isv6) {
- ip_rput_v6(ill->ill_rq, packet->ni_packet);
+ ip_input_v6(ill, NULL, packet->ni_packet, NULL);
} else {
ip_input(ill, NULL, packet->ni_packet, NULL);
}
- kmem_free(inject, sizeof (*inject));
ill_refrele(ill);
- return;
- }
-
- /*
- * Even though ipcl_conn_create requests that it be passed
- * a different value for "TCP", in this case there may not
- * be a TCP connection backing the packet and more than
- * likely, non-TCP packets will go here too.
- */
- conn = ipcl_conn_create(IPCL_IPCCONN, KM_NOSLEEP, ipst->ips_netstack);
- if (conn != NULL) {
+ } else {
+ bzero(&ixas, sizeof (ixas));
+ ixas.ixa_ifindex = packet->ni_physical;
+ ixas.ixa_ipst = ipst;
if (inject->inj_isv6) {
- conn->conn_af_isv6 = B_TRUE;
- conn->conn_src_preferences = IPV6_PREFER_SRC_DEFAULT;
- conn->conn_multicast_loop = IP_DEFAULT_MULTICAST_LOOP;
- ip_output_v6(conn, packet->ni_packet, ill->ill_wq,
- IP_WPUT);
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V6;
} else {
- conn->conn_af_isv6 = B_FALSE;
- conn->conn_pkt_isv6 = B_FALSE;
- conn->conn_multicast_loop = IP_DEFAULT_MULTICAST_LOOP;
- ip_output(conn, packet->ni_packet, ill->ill_wq,
- IP_WPUT);
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
}
-
- CONN_DEC_REF(conn);
+ (void) ip_output_simple(packet->ni_packet, &ixas);
+ ixa_cleanup(&ixas);
}
kmem_free(inject, sizeof (*inject));
- ill_refrele(ill);
}
/*
@@ -1623,3 +1546,152 @@ done:
kmem_free(info->hnei_event.hne_data, info->hnei_event.hne_datalen);
kmem_free(arg, sizeof (hook_nic_event_int_t));
}
+
+/*
+ * Initialize ARP hook family and events
+ */
+void
+arp_hook_init(ip_stack_t *ipst)
+{
+ HOOK_FAMILY_INIT(&ipst->ips_arproot, Hn_ARP);
+ if (net_family_register(ipst->ips_arp_net_data, &ipst->ips_arproot)
+ != 0) {
+ cmn_err(CE_NOTE, "arp_hook_init"
+ "net_family_register failed for arp");
+ }
+
+ HOOK_EVENT_INIT(&ipst->ips_arp_physical_in_event, NH_PHYSICAL_IN);
+ ipst->ips_arp_physical_in = net_event_register(ipst->ips_arp_net_data,
+ &ipst->ips_arp_physical_in_event);
+ if (ipst->ips_arp_physical_in == NULL) {
+ cmn_err(CE_NOTE, "arp_hook_init: "
+ "net_event_register failed for arp/physical_in");
+ }
+
+ HOOK_EVENT_INIT(&ipst->ips_arp_physical_out_event, NH_PHYSICAL_OUT);
+ ipst->ips_arp_physical_out = net_event_register(ipst->ips_arp_net_data,
+ &ipst->ips_arp_physical_out_event);
+ if (ipst->ips_arp_physical_out == NULL) {
+ cmn_err(CE_NOTE, "arp_hook_init: "
+ "net_event_register failed for arp/physical_out");
+ }
+
+ HOOK_EVENT_INIT(&ipst->ips_arp_nic_events, NH_NIC_EVENTS);
+ ipst->ips_arpnicevents = net_event_register(ipst->ips_arp_net_data,
+ &ipst->ips_arp_nic_events);
+ if (ipst->ips_arpnicevents == NULL) {
+ cmn_err(CE_NOTE, "arp_hook_init: "
+ "net_event_register failed for arp/nic_events");
+ }
+}
+
+void
+arp_hook_destroy(ip_stack_t *ipst)
+{
+ if (ipst->ips_arpnicevents != NULL) {
+ if (net_event_unregister(ipst->ips_arp_net_data,
+ &ipst->ips_arp_nic_events) == 0)
+ ipst->ips_arpnicevents = NULL;
+ }
+
+ if (ipst->ips_arp_physical_out != NULL) {
+ if (net_event_unregister(ipst->ips_arp_net_data,
+ &ipst->ips_arp_physical_out_event) == 0)
+ ipst->ips_arp_physical_out = NULL;
+ }
+
+ if (ipst->ips_arp_physical_in != NULL) {
+ if (net_event_unregister(ipst->ips_arp_net_data,
+ &ipst->ips_arp_physical_in_event) == 0)
+ ipst->ips_arp_physical_in = NULL;
+ }
+
+ (void) net_family_unregister(ipst->ips_arp_net_data,
+ &ipst->ips_arproot);
+}
+
+void
+arp_hook_shutdown(ip_stack_t *ipst)
+{
+ if (ipst->ips_arp_physical_in != NULL) {
+ (void) net_event_shutdown(ipst->ips_arp_net_data,
+ &ipst->ips_arp_physical_in_event);
+ }
+ if (ipst->ips_arp_physical_out != NULL) {
+ (void) net_event_shutdown(ipst->ips_arp_net_data,
+ &ipst->ips_arp_physical_out_event);
+ }
+ if (ipst->ips_arpnicevents != NULL) {
+ (void) net_event_shutdown(ipst->ips_arp_net_data,
+ &ipst->ips_arp_nic_events);
+ }
+}
+
+/* netinfo routines for the unsupported cases */
+
+/* ARGSUSED */
+int
+net_no_getmtu(net_handle_t handle, phy_if_t phy_ifdata, lif_if_t ifdata)
+{
+ return (-1);
+}
+
+/* ARGSUSED */
+static int
+net_no_getpmtuenabled(net_handle_t neti)
+{
+ return (-1);
+}
+
+/* ARGSUSED */
+static lif_if_t
+net_no_lifgetnext(net_handle_t neti, phy_if_t phy_ifdata, lif_if_t ifdata)
+{
+ return (-1);
+}
+
+/* ARGSUSED */
+static int
+net_no_inject(net_handle_t neti, inject_t style, net_inject_t *packet)
+{
+ return (-1);
+}
+
+/* ARGSUSED */
+static phy_if_t
+net_no_routeto(net_handle_t neti, struct sockaddr *address,
+ struct sockaddr *next)
+{
+ return ((phy_if_t)-1);
+}
+
+/* ARGSUSED */
+static int
+net_no_ispartialchecksum(net_handle_t neti, mblk_t *mp)
+{
+ return (-1);
+}
+
+/* ARGSUSED */
+static int
+net_no_getlifaddr(net_handle_t neti, phy_if_t phy_ifdata, lif_if_t ifdata,
+ size_t nelem, net_ifaddr_t type[], void *storage)
+{
+ return (-1);
+}
+
+/* ARGSUSED */
+static int
+net_no_getlifzone(net_handle_t neti, phy_if_t phy_ifdata, lif_if_t ifdata,
+ zoneid_t *zoneid)
+{
+ return (-1);
+}
+
+/* ARGSUSED */
+static int
+net_no_getlifflags(net_handle_t neti, phy_if_t phy_ifdata, lif_if_t ifdata,
+ uint64_t *flags)
+{
+ return (-1);
+}
diff --git a/usr/src/uts/common/inet/ip/ip_opt_data.c b/usr/src/uts/common/inet/ip/ip_opt_data.c
deleted file mode 100644
index e86e59f67d..0000000000
--- a/usr/src/uts/common/inet/ip/ip_opt_data.c
+++ /dev/null
@@ -1,301 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
- */
-
-#include <sys/types.h>
-#include <sys/stream.h>
-#define _SUN_TPI_VERSION 2
-#include <sys/tihdr.h>
-#include <sys/socket.h>
-#include <sys/xti_inet.h>
-
-#include <inet/common.h>
-#include <netinet/ip6.h>
-#include <inet/ip.h>
-
-#include <netinet/in.h>
-#include <netinet/ip_mroute.h>
-#include <inet/optcom.h>
-
-
-extern int ip_opt_default(queue_t *q, int level, int name, uchar_t *ptr);
-extern int ip_opt_get(queue_t *q, int level, int name, uchar_t *ptr);
-extern int ip_opt_set(queue_t *q, uint_t optset_context, int level,
- int name, uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
- void *dummy, cred_t *cr, mblk_t *first_mp);
-
-/*
- * Table of all known options handled on a IP protocol stack.
- *
- * Note: Not all of these options are available through all protocol stacks
- * For example, multicast options are not accessible in TCP over IP.
- * The filtering for that happens in option table at transport level.
- * Also, this table excludes any options processed exclusively at the
- * transport protocol level.
- */
-opdes_t ip_opt_arr[] = {
-
-{ SO_DONTROUTE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-{ SO_BROADCAST, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-{ SO_REUSEADDR, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-{ SO_PROTOTYPE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-{ SO_ANON_MLP, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-{ SO_MAC_EXEMPT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-{ SO_MAC_IMPLICIT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-
-{ SO_ALLZONES, SOL_SOCKET, OA_R, OA_RW, OP_CONFIG, 0, sizeof (int),
- 0 },
-
-
-{ IP_OPTIONS, IPPROTO_IP, OA_RW, OA_RW, OP_NP,
- (OP_VARLEN|OP_NODEFAULT),
- IP_MAX_OPT_LENGTH + IP_ADDR_LEN, -1 /* not initialized */ },
-{ T_IP_OPTIONS, IPPROTO_IP, OA_RW, OA_RW, OP_NP,
- (OP_VARLEN|OP_NODEFAULT),
- IP_MAX_OPT_LENGTH + IP_ADDR_LEN, -1 /* not initialized */ },
-
-{ IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-{ T_IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-{ IP_TTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-{ IP_MULTICAST_IF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0,
- sizeof (struct in_addr), 0 /* INADDR_ANY */ },
-
-{ IP_MULTICAST_LOOP, IPPROTO_IP, OA_RW, OA_RW, OP_NP, (OP_DEF_FN),
- sizeof (uchar_t), -1 /* not initialized */},
-
-{ IP_MULTICAST_TTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, (OP_DEF_FN),
- sizeof (uchar_t), -1 /* not initialized */ },
-
-{ IP_ADD_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP, (OP_NODEFAULT),
- sizeof (struct ip_mreq), -1 /* not initialized */ },
-
-{ IP_DROP_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP, (OP_NODEFAULT),
- sizeof (struct ip_mreq), -1 /* not initialized */ },
-
-{ IP_BLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP, (OP_NODEFAULT),
- sizeof (struct ip_mreq_source), -1 /* not initialized */ },
-
-{ IP_UNBLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP, (OP_NODEFAULT),
- sizeof (struct ip_mreq_source), -1 /* not initialized */ },
-
-{ IP_ADD_SOURCE_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT), sizeof (struct ip_mreq_source), -1 },
-
-{ IP_DROP_SOURCE_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT), sizeof (struct ip_mreq_source), -1 },
-
-{ IP_RECVOPTS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-
-{ IP_RECVDSTADDR, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
- },
-
-{ IP_RECVIF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-
-{ IP_PKTINFO, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-
-{ IP_RECVSLLA, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-
-{ IP_BOUND_IF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), 0 /* no ifindex */ },
-
-{ IP_DHCPINIT_IF, IPPROTO_IP, OA_R, OA_RW, OP_CONFIG, 0,
- sizeof (int), 0 },
-
-{ IP_UNSPEC_SRC, IPPROTO_IP, OA_R, OA_RW, OP_RAW, 0,
- sizeof (int), 0 },
-
-{ IP_SEC_OPT, IPPROTO_IP, OA_RW, OA_RW, OP_NP, (OP_NODEFAULT),
- sizeof (ipsec_req_t), -1 /* not initialized */ },
-
-{ IP_NEXTHOP, IPPROTO_IP, OA_R, OA_RW, OP_CONFIG, 0,
- sizeof (in_addr_t), -1 /* not initialized */ },
-
-{ MRT_INIT, IPPROTO_IP, 0, OA_X, OP_CONFIG,
- (OP_NODEFAULT), sizeof (int), -1 /* not initialized */ },
-
-{ MRT_DONE, IPPROTO_IP, 0, OA_X, OP_CONFIG,
- (OP_NODEFAULT), 0, -1 /* not initialized */ },
-
-{ MRT_ADD_VIF, IPPROTO_IP, 0, OA_X, OP_CONFIG, (OP_NODEFAULT),
- sizeof (struct vifctl), -1 /* not initialized */ },
-
-{ MRT_DEL_VIF, IPPROTO_IP, 0, OA_X, OP_CONFIG, (OP_NODEFAULT),
- sizeof (vifi_t), -1 /* not initialized */ },
-
-{ MRT_ADD_MFC, IPPROTO_IP, 0, OA_X, OP_CONFIG, (OP_NODEFAULT),
- sizeof (struct mfcctl), -1 /* not initialized */ },
-
-{ MRT_DEL_MFC, IPPROTO_IP, 0, OA_X, OP_CONFIG, (OP_NODEFAULT),
- sizeof (struct mfcctl), -1 /* not initialized */ },
-
-{ MRT_VERSION, IPPROTO_IP, OA_R, OA_R, OP_NP, (OP_NODEFAULT),
- sizeof (int), -1 /* not initialized */ },
-
-{ MRT_ASSERT, IPPROTO_IP, 0, OA_RW, OP_CONFIG, (OP_NODEFAULT),
- sizeof (int), -1 /* not initialized */ },
-
-{ MCAST_JOIN_GROUP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT), sizeof (struct group_req),
- -1 /* not initialized */ },
-{ MCAST_LEAVE_GROUP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT), sizeof (struct group_req),
- -1 /* not initialized */ },
-{ MCAST_BLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT), sizeof (struct group_source_req),
- -1 /* not initialized */ },
-{ MCAST_UNBLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT), sizeof (struct group_source_req),
- -1 /* not initialized */ },
-{ MCAST_JOIN_SOURCE_GROUP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT), sizeof (struct group_source_req),
- -1 /* not initialized */ },
-{ MCAST_LEAVE_SOURCE_GROUP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT), sizeof (struct group_source_req),
- -1 /* not initialized */ },
-
-{ IPV6_MULTICAST_IF, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), 0 },
-
-{ IPV6_MULTICAST_HOPS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_DEF_FN), sizeof (int), -1 /* not initialized */ },
-
-{ IPV6_MULTICAST_LOOP, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_DEF_FN), sizeof (int), -1 /* not initialized */},
-
-{ IPV6_JOIN_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP, (OP_NODEFAULT),
- sizeof (struct ipv6_mreq), -1 /* not initialized */ },
-
-{ IPV6_LEAVE_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT),
- sizeof (struct ipv6_mreq), -1 /* not initialized */ },
-
-{ IPV6_UNICAST_HOPS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_DEF_FN), sizeof (int), -1 /* not initialized */ },
-
-{ IPV6_BOUND_IF, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), 0 /* no ifindex */ },
-
-{ IPV6_UNSPEC_SRC, IPPROTO_IPV6, OA_R, OA_RW, OP_RAW, 0,
- sizeof (int), 0 },
-
-{ IPV6_PKTINFO, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_NODEFAULT|OP_VARLEN),
- sizeof (struct in6_pktinfo), -1 /* not initialized */ },
-{ IPV6_HOPLIMIT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_NODEFAULT|OP_VARLEN),
- sizeof (int), -1 /* not initialized */ },
-{ IPV6_NEXTHOP, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_NODEFAULT|OP_VARLEN),
- sizeof (sin6_t), -1 /* not initialized */ },
-{ IPV6_HOPOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_VARLEN|OP_NODEFAULT), 255*8,
- -1 /* not initialized */ },
-{ IPV6_DSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_VARLEN|OP_NODEFAULT), 255*8,
- -1 /* not initialized */ },
-{ IPV6_RTHDRDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_VARLEN|OP_NODEFAULT), 255*8,
- -1 /* not initialized */ },
-{ IPV6_RTHDR, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_VARLEN|OP_NODEFAULT), 255*8,
- -1 /* not initialized */ },
-{ IPV6_TCLASS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_NODEFAULT|OP_VARLEN),
- sizeof (int), -1 /* not initialized */ },
-{ IPV6_PATHMTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (struct ip6_mtuinfo), -1 },
-{ IPV6_DONTFRAG, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), 0 },
-{ IPV6_USE_MIN_MTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), -1 },
-{ IPV6_V6ONLY, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), 0 },
-
-/* Enable receipt of ancillary data */
-{ IPV6_RECVPKTINFO, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), 0 },
-{ IPV6_RECVHOPLIMIT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), 0 },
-{ IPV6_RECVHOPOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), 0 },
-{ _OLD_IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), 0 },
-{ IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), 0 },
-{ IPV6_RECVRTHDR, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), 0 },
-{ IPV6_RECVRTHDRDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), 0 },
-{ IPV6_RECVTCLASS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), 0 },
-{ IPV6_RECVPATHMTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (int), 0 },
-
-{ IPV6_SEC_OPT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, (OP_NODEFAULT),
- sizeof (ipsec_req_t), -1 /* not initialized */ },
-{ IPV6_SRC_PREFERENCES, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
- sizeof (uint32_t), IPV6_PREFER_SRC_DEFAULT },
-
-{ MCAST_JOIN_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT), sizeof (struct group_req),
- -1 /* not initialized */ },
-{ MCAST_LEAVE_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT), sizeof (struct group_req),
- -1 /* not initialized */ },
-{ MCAST_BLOCK_SOURCE, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT), sizeof (struct group_source_req),
- -1 /* not initialized */ },
-{ MCAST_UNBLOCK_SOURCE, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT), sizeof (struct group_source_req),
- -1 /* not initialized */ },
-{ MCAST_JOIN_SOURCE_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT), sizeof (struct group_source_req),
- -1 /* not initialized */ },
-{ MCAST_LEAVE_SOURCE_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_NODEFAULT), sizeof (struct group_source_req),
- -1 /* not initialized */ },
-};
-
-
-#define IP_OPT_ARR_CNT A_CNT(ip_opt_arr)
-
-
-/*
- * Initialize option database object for IP
- *
- * This object represents database of options to search passed to
- * {sock,tpi}optcom_req() interface routine to take care of option
- * management and associated methods.
- */
-
-optdb_obj_t ip_opt_obj = {
- ip_opt_default, /* IP default value function pointer */
- ip_opt_get, /* IP get function pointer */
- ip_opt_set, /* IP set function pointer */
- B_FALSE, /* IP is NOT a tpi provider */
- IP_OPT_ARR_CNT, /* IP option database count of entries */
- ip_opt_arr, /* IP option database */
- 0, /* 0 - not needed if not top tpi provider */
- (optlevel_t *)0 /* null - not needed if not top tpi provider */
-};
diff --git a/usr/src/uts/common/inet/ip/ip_output.c b/usr/src/uts/common/inet/ip/ip_output.c
new file mode 100644
index 0000000000..a4940fd3e8
--- /dev/null
+++ b/usr/src/uts/common/inet/ip/ip_output.c
@@ -0,0 +1,2554 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+/* Copyright (c) 1990 Mentat Inc. */
+
+#include <sys/types.h>
+#include <sys/stream.h>
+#include <sys/strsubr.h>
+#include <sys/dlpi.h>
+#include <sys/strsun.h>
+#include <sys/zone.h>
+#include <sys/ddi.h>
+#include <sys/sunddi.h>
+#include <sys/cmn_err.h>
+#include <sys/debug.h>
+#include <sys/atomic.h>
+
+#include <sys/systm.h>
+#include <sys/param.h>
+#include <sys/kmem.h>
+#include <sys/sdt.h>
+#include <sys/socket.h>
+#include <sys/mac.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <net/route.h>
+#include <sys/sockio.h>
+#include <netinet/in.h>
+#include <net/if_dl.h>
+
+#include <inet/common.h>
+#include <inet/mi.h>
+#include <inet/mib2.h>
+#include <inet/nd.h>
+#include <inet/arp.h>
+#include <inet/snmpcom.h>
+#include <inet/kstatcom.h>
+
+#include <netinet/igmp_var.h>
+#include <netinet/ip6.h>
+#include <netinet/icmp6.h>
+#include <netinet/sctp.h>
+
+#include <inet/ip.h>
+#include <inet/ip_impl.h>
+#include <inet/ip6.h>
+#include <inet/ip6_asp.h>
+#include <inet/tcp.h>
+#include <inet/ip_multi.h>
+#include <inet/ip_if.h>
+#include <inet/ip_ire.h>
+#include <inet/ip_ftable.h>
+#include <inet/ip_rts.h>
+#include <inet/optcom.h>
+#include <inet/ip_ndp.h>
+#include <inet/ip_listutils.h>
+#include <netinet/igmp.h>
+#include <netinet/ip_mroute.h>
+#include <inet/ipp_common.h>
+
+#include <net/pfkeyv2.h>
+#include <inet/sadb.h>
+#include <inet/ipsec_impl.h>
+#include <inet/ipdrop.h>
+#include <inet/ip_netinfo.h>
+
+#include <sys/pattr.h>
+#include <inet/ipclassifier.h>
+#include <inet/sctp_ip.h>
+#include <inet/sctp/sctp_impl.h>
+#include <inet/udp_impl.h>
+#include <sys/sunddi.h>
+
+#include <sys/tsol/label.h>
+#include <sys/tsol/tnet.h>
+
+#ifdef DEBUG
+extern boolean_t skip_sctp_cksum;
+#endif
+
+static int ip_verify_nce(mblk_t *, ip_xmit_attr_t *);
+static int ip_verify_dce(mblk_t *, ip_xmit_attr_t *);
+static boolean_t ip_verify_lso(ill_t *, ip_xmit_attr_t *);
+static boolean_t ip_verify_zcopy(ill_t *, ip_xmit_attr_t *);
+static void ip_output_simple_broadcast(ip_xmit_attr_t *, mblk_t *);
+
+/*
+ * There are two types of output functions for IP used for different
+ * purposes:
+ * - ip_output_simple() is when sending ICMP errors, TCP resets, etc when there
+ * is no context in the form of a conn_t. However, there is a
+ * ip_xmit_attr_t that the callers use to influence interface selection
+ * (needed for ICMP echo as well as IPv6 link-locals) and IPsec.
+ *
+ * - conn_ip_output() is used when sending packets with a conn_t and
+ * ip_set_destination has been called to cache information. In that case
+ * various socket options are recorded in the ip_xmit_attr_t and should
+ * be taken into account.
+ */
+
+/*
+ * The caller *must* have called conn_connect() or ip_attr_connect()
+ * before calling conn_ip_output(). The caller needs to redo that each time
+ * the destination IP address or port changes, as well as each time there is
+ * a change to any socket option that would modify how packets are routed out
+ * of the box (e.g., SO_DONTROUTE, IP_NEXTHOP, IP_BOUND_IF).
+ *
+ * The ULP caller has to serialize the use of a single ip_xmit_attr_t.
+ * We assert for that here.
+ */
+int
+conn_ip_output(mblk_t *mp, ip_xmit_attr_t *ixa)
+{
+ iaflags_t ixaflags = ixa->ixa_flags;
+ ire_t *ire;
+ nce_t *nce;
+ dce_t *dce;
+ ill_t *ill;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ int error;
+
+ /* We defer ipIfStatsHCOutRequests until an error or we have an ill */
+
+ ASSERT(ixa->ixa_ire != NULL);
+ /* Note there is no ixa_nce when reject and blackhole routes */
+ ASSERT(ixa->ixa_dce != NULL); /* Could be default dce */
+
+#ifdef DEBUG
+ ASSERT(ixa->ixa_curthread == NULL);
+ ixa->ixa_curthread = curthread;
+#endif
+
+ /*
+ * Even on labeled systems we can have a NULL ixa_tsl e.g.,
+ * for IGMP/MLD traffic.
+ */
+
+ ire = ixa->ixa_ire;
+
+ /*
+ * If the ULP says the (old) IRE resulted in reachability we
+ * record this before determine whether to use a new IRE.
+ * No locking for performance reasons.
+ */
+ if (ixaflags & IXAF_REACH_CONF)
+ ire->ire_badcnt = 0;
+
+ /*
+ * Has routing changed since we cached the results of the lookup?
+ *
+ * This check captures all of:
+ * - the cached ire being deleted (by means of the special
+ * IRE_GENERATION_CONDEMNED)
+ * - A potentially better ire being added (ire_generation being
+ * increased)
+ * - A deletion of the nexthop ire that was used when we did the
+ * lookup.
+ * - An addition of a potentially better nexthop ire.
+ * The last two are handled by walking and increasing the generation
+ * number on all dependant IREs in ire_flush_cache().
+ *
+ * The check also handles all cases of RTF_REJECT and RTF_BLACKHOLE
+ * since we ensure that each time we set ixa_ire to such an IRE we
+ * make sure the ixa_ire_generation does not match (by using
+ * IRE_GENERATION_VERIFY).
+ */
+ if (ire->ire_generation != ixa->ixa_ire_generation) {
+ error = ip_verify_ire(mp, ixa);
+ if (error != 0) {
+ ip_drop_output("ipIfStatsOutDiscards - verify ire",
+ mp, NULL);
+ goto drop;
+ }
+ ire = ixa->ixa_ire;
+ ASSERT(ire != NULL);
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+#ifdef DEBUG
+ ASSERT(ixa->ixa_curthread == curthread);
+ ixa->ixa_curthread = NULL;
+#endif
+ ire->ire_ob_pkt_count++;
+ /* ixa_dce might be condemned; use default one */
+ return ((ire->ire_sendfn)(ire, mp, mp->b_rptr, ixa,
+ &ipst->ips_dce_default->dce_ident));
+ }
+ /*
+ * If the ncec changed then ip_verify_ire already set
+ * ixa->ixa_dce_generation = DCE_GENERATION_VERIFY;
+ * so we can recheck the interface mtu.
+ */
+
+ /*
+ * Note that ire->ire_generation could already have changed.
+ * We catch that next time we send a packet.
+ */
+ }
+
+ /*
+ * No need to lock access to ixa_nce since the ip_xmit_attr usage
+ * is single threaded.
+ */
+ ASSERT(ixa->ixa_nce != NULL);
+ nce = ixa->ixa_nce;
+ if (nce->nce_is_condemned) {
+ error = ip_verify_nce(mp, ixa);
+ /*
+ * In case ZEROCOPY capability become not available, we
+ * copy the message and free the original one. We might
+ * be copying more data than needed but it doesn't hurt
+ * since such change rarely happens.
+ */
+ switch (error) {
+ case 0:
+ break;
+ case ENOTSUP: { /* ZEROCOPY */
+ mblk_t *nmp;
+
+ if ((nmp = copymsg(mp)) != NULL) {
+ freemsg(mp);
+ mp = nmp;
+
+ break;
+ }
+ /* FALLTHROUGH */
+ }
+ default:
+ ip_drop_output("ipIfStatsOutDiscards - verify nce",
+ mp, NULL);
+ goto drop;
+ }
+ ire = ixa->ixa_ire;
+ ASSERT(ire != NULL);
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+#ifdef DEBUG
+ ASSERT(ixa->ixa_curthread == curthread);
+ ixa->ixa_curthread = NULL;
+#endif
+ ire->ire_ob_pkt_count++;
+ /* ixa_dce might be condemned; use default one */
+ return ((ire->ire_sendfn)(ire, mp, mp->b_rptr,
+ ixa, &ipst->ips_dce_default->dce_ident));
+ }
+ ASSERT(ixa->ixa_nce != NULL);
+ nce = ixa->ixa_nce;
+
+ /*
+ * Note that some other event could already have made
+ * the new nce condemned. We catch that next time we
+ * try to send a packet.
+ */
+ }
+ /*
+ * If there is no per-destination dce_t then we have a reference to
+ * the default dce_t (which merely contains the dce_ipid).
+ * The generation check captures both the introduction of a
+ * per-destination dce_t (e.g., due to ICMP packet too big) and
+ * any change to the per-destination dce (including it becoming
+ * condemned by use of the special DCE_GENERATION_CONDEMNED).
+ */
+ dce = ixa->ixa_dce;
+
+ /*
+ * To avoid a periodic timer to increase the path MTU we
+ * look at dce_last_change_time each time we send a packet.
+ */
+ if ((dce->dce_flags & DCEF_PMTU) &&
+ (TICK_TO_SEC(lbolt64) - dce->dce_last_change_time >
+ ipst->ips_ip_pathmtu_interval)) {
+ /*
+ * Older than 20 minutes. Drop the path MTU information.
+ * Since the path MTU changes as a result of this, twiddle
+ * ixa_dce_generation to make us go through the dce
+ * verification code in conn_ip_output.
+ */
+ mutex_enter(&dce->dce_lock);
+ dce->dce_flags &= ~(DCEF_PMTU|DCEF_TOO_SMALL_PMTU);
+ dce->dce_last_change_time = TICK_TO_SEC(lbolt64);
+ mutex_exit(&dce->dce_lock);
+ dce_increment_generation(dce);
+ }
+
+ if (dce->dce_generation != ixa->ixa_dce_generation) {
+ error = ip_verify_dce(mp, ixa);
+ if (error != 0) {
+ ip_drop_output("ipIfStatsOutDiscards - verify dce",
+ mp, NULL);
+ goto drop;
+ }
+ dce = ixa->ixa_dce;
+
+ /*
+ * Note that some other event could already have made the
+ * new dce's generation number change.
+ * We catch that next time we try to send a packet.
+ */
+ }
+
+ ill = nce->nce_ill;
+
+ /*
+ * An initial ixa_fragsize was set in ip_set_destination
+ * and we update it if any routing changes above.
+ * A change to ill_mtu with ifconfig will increase all dce_generation
+ * so that we will detect that with the generation check.
+ */
+
+ /*
+ * Caller needs to make sure IXAF_VERIFY_SRC is not set if
+ * conn_unspec_src.
+ */
+ if ((ixaflags & IXAF_VERIFY_SOURCE) &&
+ ixa->ixa_src_generation != ipst->ips_src_generation) {
+ /* Check if the IP source is still assigned to the host. */
+ uint_t gen;
+
+ if (!ip_verify_src(mp, ixa, &gen)) {
+ /* Don't send a packet with a source that isn't ours */
+ error = EADDRNOTAVAIL;
+ ip_drop_output("ipIfStatsOutDiscards - invalid src",
+ mp, NULL);
+ goto drop;
+ }
+ /* The source is still valid - update the generation number */
+ ixa->ixa_src_generation = gen;
+ }
+
+ /*
+ * We don't have an IRE when we fragment, hence ire_ob_pkt_count
+ * can only count the use prior to fragmentation. However the MIB
+ * counters on the ill will be incremented in post fragmentation.
+ */
+ ire->ire_ob_pkt_count++;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
+
+ /*
+ * Based on ire_type and ire_flags call one of:
+ * ire_send_local_v* - for IRE_LOCAL and IRE_LOOPBACK
+ * ire_send_multirt_v* - if RTF_MULTIRT
+ * ire_send_noroute_v* - if RTF_REJECT or RTF_BLACHOLE
+ * ire_send_multicast_v* - for IRE_MULTICAST
+ * ire_send_broadcast_v4 - for IRE_BROADCAST
+ * ire_send_wire_v* - for the rest.
+ */
+#ifdef DEBUG
+ ASSERT(ixa->ixa_curthread == curthread);
+ ixa->ixa_curthread = NULL;
+#endif
+ return ((ire->ire_sendfn)(ire, mp, mp->b_rptr, ixa, &dce->dce_ident));
+
+drop:
+ if (ixaflags & IXAF_IS_IPV4) {
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ } else {
+ BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsHCOutRequests);
+ BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutDiscards);
+ }
+ freemsg(mp);
+#ifdef DEBUG
+ ASSERT(ixa->ixa_curthread == curthread);
+ ixa->ixa_curthread = NULL;
+#endif
+ return (error);
+}
+
+/*
+ * Handle both IPv4 and IPv6. Sets the generation number
+ * to allow the caller to know when to call us again.
+ * Returns true if the source address in the packet is a valid source.
+ * We handle callers which try to send with a zero address (since we only
+ * get here if UNSPEC_SRC is not set).
+ */
+boolean_t
+ip_verify_src(mblk_t *mp, ip_xmit_attr_t *ixa, uint_t *generationp)
+{
+ ip_stack_t *ipst = ixa->ixa_ipst;
+
+ /*
+ * Need to grab the generation number before we check to
+ * avoid a race with a change to the set of local addresses.
+ * No lock needed since the thread which updates the set of local
+ * addresses use ipif/ill locks and exit those (hence a store memory
+ * barrier) before doing the atomic increase of ips_src_generation.
+ */
+ if (generationp != NULL)
+ *generationp = ipst->ips_src_generation;
+
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ if (ipha->ipha_src == INADDR_ANY)
+ return (B_FALSE);
+
+ return (ip_laddr_verify_v4(ipha->ipha_src, ixa->ixa_zoneid,
+ ipst, B_FALSE) != IPVL_BAD);
+ } else {
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+ uint_t scopeid;
+
+ if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src))
+ return (B_FALSE);
+
+ if (ixa->ixa_flags & IXAF_SCOPEID_SET)
+ scopeid = ixa->ixa_scopeid;
+ else
+ scopeid = 0;
+
+ return (ip_laddr_verify_v6(&ip6h->ip6_src, ixa->ixa_zoneid,
+ ipst, B_FALSE, scopeid) != IPVL_BAD);
+ }
+}
+
+/*
+ * Handle both IPv4 and IPv6. Reverify/recalculate the IRE to use.
+ */
+int
+ip_verify_ire(mblk_t *mp, ip_xmit_attr_t *ixa)
+{
+ uint_t gen;
+ ire_t *ire;
+ nce_t *nce;
+ int error;
+ boolean_t multirt = B_FALSE;
+
+ /*
+ * Redo ip_select_route.
+ * Need to grab generation number as part of the lookup to
+ * avoid race.
+ */
+ error = 0;
+ ire = ip_select_route_pkt(mp, ixa, &gen, &error, &multirt);
+ ASSERT(ire != NULL); /* IRE_NOROUTE if none found */
+ if (error != 0) {
+ ire_refrele(ire);
+ return (error);
+ }
+
+ if (ixa->ixa_ire != NULL)
+ ire_refrele_notr(ixa->ixa_ire);
+#ifdef DEBUG
+ ire_refhold_notr(ire);
+ ire_refrele(ire);
+#endif
+ ixa->ixa_ire = ire;
+ ixa->ixa_ire_generation = gen;
+ if (multirt) {
+ if (ixa->ixa_flags & IXAF_IS_IPV4)
+ ixa->ixa_postfragfn = ip_postfrag_multirt_v4;
+ else
+ ixa->ixa_postfragfn = ip_postfrag_multirt_v6;
+ ixa->ixa_flags |= IXAF_MULTIRT_MULTICAST;
+ } else {
+ ixa->ixa_postfragfn = ire->ire_postfragfn;
+ ixa->ixa_flags &= ~IXAF_MULTIRT_MULTICAST;
+ }
+
+ /*
+ * Don't look for an nce for reject or blackhole.
+ * They have ire_generation set to IRE_GENERATION_VERIFY which
+ * makes conn_ip_output avoid references to ixa_nce.
+ */
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ ASSERT(ixa->ixa_ire_generation == IRE_GENERATION_VERIFY);
+ ixa->ixa_dce_generation = DCE_GENERATION_VERIFY;
+ return (0);
+ }
+
+ /* The NCE could now be different */
+ nce = ire_to_nce_pkt(ire, mp);
+ if (nce == NULL) {
+ /*
+ * Allocation failure. Make sure we redo ire/nce selection
+ * next time we send.
+ */
+ ixa->ixa_ire_generation = IRE_GENERATION_VERIFY;
+ ixa->ixa_dce_generation = DCE_GENERATION_VERIFY;
+ return (ENOBUFS);
+ }
+ if (nce == ixa->ixa_nce) {
+ /* No change */
+ nce_refrele(nce);
+ return (0);
+ }
+
+ /*
+ * Since the path MTU might change as a result of this
+ * route change, we twiddle ixa_dce_generation to
+ * make conn_ip_output go through the ip_verify_dce code.
+ */
+ ixa->ixa_dce_generation = DCE_GENERATION_VERIFY;
+
+ if (ixa->ixa_nce != NULL)
+ nce_refrele(ixa->ixa_nce);
+ ixa->ixa_nce = nce;
+ return (0);
+}
+
+/*
+ * Handle both IPv4 and IPv6. Reverify/recalculate the NCE to use.
+ */
+static int
+ip_verify_nce(mblk_t *mp, ip_xmit_attr_t *ixa)
+{
+ ire_t *ire = ixa->ixa_ire;
+ nce_t *nce;
+ int error = 0;
+ ipha_t *ipha = NULL;
+ ip6_t *ip6h = NULL;
+
+ if (ire->ire_ipversion == IPV4_VERSION)
+ ipha = (ipha_t *)mp->b_rptr;
+ else
+ ip6h = (ip6_t *)mp->b_rptr;
+
+ nce = ire_handle_condemned_nce(ixa->ixa_nce, ire, ipha, ip6h, B_TRUE);
+ if (nce == NULL) {
+ /* Try to find a better ire */
+ return (ip_verify_ire(mp, ixa));
+ }
+
+ /*
+ * The hardware offloading capabilities, for example LSO, of the
+ * interface might have changed, so do sanity verification here.
+ */
+ if (ixa->ixa_flags & IXAF_VERIFY_LSO) {
+ if (!ip_verify_lso(nce->nce_ill, ixa)) {
+ ASSERT(ixa->ixa_notify != NULL);
+ ixa->ixa_notify(ixa->ixa_notify_cookie, ixa,
+ IXAN_LSO, 0);
+ error = ENOTSUP;
+ }
+ }
+
+ /*
+ * Verify ZEROCOPY capability of underlying ill. Notify the ULP with
+ * any ZEROCOPY changes. In case ZEROCOPY capability is not available
+ * any more, return error so that conn_ip_output() can take care of
+ * the ZEROCOPY message properly. It's safe to continue send the
+ * message when ZEROCOPY newly become available.
+ */
+ if (ixa->ixa_flags & IXAF_VERIFY_ZCOPY) {
+ if (!ip_verify_zcopy(nce->nce_ill, ixa)) {
+ ASSERT(ixa->ixa_notify != NULL);
+ ixa->ixa_notify(ixa->ixa_notify_cookie, ixa,
+ IXAN_ZCOPY, 0);
+ if ((ixa->ixa_flags & IXAF_ZCOPY_CAPAB) == 0)
+ error = ENOTSUP;
+ }
+ }
+
+ /*
+ * Since the path MTU might change as a result of this
+ * change, we twiddle ixa_dce_generation to
+ * make conn_ip_output go through the ip_verify_dce code.
+ */
+ ixa->ixa_dce_generation = DCE_GENERATION_VERIFY;
+
+ nce_refrele(ixa->ixa_nce);
+ ixa->ixa_nce = nce;
+ return (error);
+}
+
+/*
+ * Handle both IPv4 and IPv6. Reverify/recalculate the DCE to use.
+ */
+static int
+ip_verify_dce(mblk_t *mp, ip_xmit_attr_t *ixa)
+{
+ dce_t *dce;
+ uint_t gen;
+ uint_t pmtu;
+
+ dce = dce_lookup_pkt(mp, ixa, &gen);
+ ASSERT(dce != NULL);
+
+ dce_refrele_notr(ixa->ixa_dce);
+#ifdef DEBUG
+ dce_refhold_notr(dce);
+ dce_refrele(dce);
+#endif
+ ixa->ixa_dce = dce;
+ ixa->ixa_dce_generation = gen;
+
+ /* Extract the (path) mtu from the dce, ncec_ill etc */
+ pmtu = ip_get_pmtu(ixa);
+
+ /*
+ * Tell ULP about PMTU changes - increase or decrease - by returning
+ * an error if IXAF_VERIFY_PMTU is set. In such case, ULP should update
+ * both ixa_pmtu and ixa_fragsize appropriately.
+ *
+ * If ULP doesn't set that flag then we need to update ixa_fragsize
+ * since routing could have changed the ill after after ixa_fragsize
+ * was set previously in the conn_ip_output path or in
+ * ip_set_destination.
+ *
+ * In case of LSO, ixa_fragsize might be greater than ixa_pmtu.
+ *
+ * In the case of a path MTU increase we send the packet after the
+ * notify to the ULP.
+ */
+ if (ixa->ixa_flags & IXAF_VERIFY_PMTU) {
+ if (ixa->ixa_pmtu != pmtu) {
+ uint_t oldmtu = ixa->ixa_pmtu;
+
+ DTRACE_PROBE2(verify_pmtu, uint32_t, pmtu,
+ uint32_t, ixa->ixa_pmtu);
+ ASSERT(ixa->ixa_notify != NULL);
+ ixa->ixa_notify(ixa->ixa_notify_cookie, ixa,
+ IXAN_PMTU, pmtu);
+ if (pmtu < oldmtu)
+ return (EMSGSIZE);
+ }
+ } else {
+ ixa->ixa_fragsize = pmtu;
+ }
+ return (0);
+}
+
+/*
+ * Verify LSO usability. Keep the return value simple to indicate whether
+ * the LSO capability has changed. Handle both IPv4 and IPv6.
+ */
+static boolean_t
+ip_verify_lso(ill_t *ill, ip_xmit_attr_t *ixa)
+{
+ ill_lso_capab_t *lsoc = &ixa->ixa_lso_capab;
+ ill_lso_capab_t *new_lsoc = ill->ill_lso_capab;
+
+ if (ixa->ixa_flags & IXAF_LSO_CAPAB) {
+ /*
+ * Not unsable any more.
+ */
+ if ((ixa->ixa_flags & IXAF_IPSEC_SECURE) ||
+ (ixa->ixa_ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) ||
+ (ixa->ixa_ire->ire_flags & RTF_MULTIRT) ||
+ ((ixa->ixa_flags & IXAF_IS_IPV4) ?
+ !ILL_LSO_TCP_IPV4_USABLE(ill) :
+ !ILL_LSO_TCP_IPV6_USABLE(ill))) {
+ ixa->ixa_flags &= ~IXAF_LSO_CAPAB;
+
+ return (B_FALSE);
+ }
+
+ /*
+ * Capability has changed, refresh the copy in ixa.
+ */
+ if (lsoc->ill_lso_max != new_lsoc->ill_lso_max) {
+ *lsoc = *new_lsoc;
+
+ return (B_FALSE);
+ }
+ } else { /* Was not usable */
+ if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE) &&
+ !(ixa->ixa_ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) &&
+ !(ixa->ixa_ire->ire_flags & RTF_MULTIRT) &&
+ ((ixa->ixa_flags & IXAF_IS_IPV4) ?
+ ILL_LSO_TCP_IPV4_USABLE(ill) :
+ ILL_LSO_TCP_IPV6_USABLE(ill))) {
+ *lsoc = *new_lsoc;
+ ixa->ixa_flags |= IXAF_LSO_CAPAB;
+
+ return (B_FALSE);
+ }
+ }
+
+ return (B_TRUE);
+}
+
+/*
+ * Verify ZEROCOPY usability. Keep the return value simple to indicate whether
+ * the ZEROCOPY capability has changed. Handle both IPv4 and IPv6.
+ */
+static boolean_t
+ip_verify_zcopy(ill_t *ill, ip_xmit_attr_t *ixa)
+{
+ if (ixa->ixa_flags & IXAF_ZCOPY_CAPAB) {
+ /*
+ * Not unsable any more.
+ */
+ if ((ixa->ixa_flags & IXAF_IPSEC_SECURE) ||
+ (ixa->ixa_ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) ||
+ (ixa->ixa_ire->ire_flags & RTF_MULTIRT) ||
+ !ILL_ZCOPY_USABLE(ill)) {
+ ixa->ixa_flags &= ~IXAF_ZCOPY_CAPAB;
+
+ return (B_FALSE);
+ }
+ } else { /* Was not usable */
+ if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE) &&
+ !(ixa->ixa_ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) &&
+ !(ixa->ixa_ire->ire_flags & RTF_MULTIRT) &&
+ ILL_ZCOPY_USABLE(ill)) {
+ ixa->ixa_flags |= IXAF_ZCOPY_CAPAB;
+
+ return (B_FALSE);
+ }
+ }
+
+ return (B_TRUE);
+}
+
+
+/*
+ * When there is no conn_t context, this will send a packet.
+ * The caller must *not* have called conn_connect() or ip_attr_connect()
+ * before calling ip_output_simple().
+ * Handles IPv4 and IPv6. Returns zero or an errno such as ENETUNREACH.
+ * Honors IXAF_SET_SOURCE.
+ *
+ * We acquire the ire and after calling ire_sendfn we release
+ * the hold on the ire. Ditto for the nce and dce.
+ *
+ * This assumes that the caller has set the following in ip_xmit_attr_t:
+ * ixa_tsl, ixa_zoneid, and ixa_ipst must always be set.
+ * If ixa_ifindex is non-zero it means send out that ill. (If it is
+ * an upper IPMP ill we load balance across the group; if a lower we send
+ * on that lower ill without load balancing.)
+ * IXAF_IS_IPV4 must be set correctly.
+ * If IXAF_IPSEC_SECURE is set then the ixa_ipsec_* fields must be set.
+ * If IXAF_NO_IPSEC is set we'd skip IPsec policy lookup.
+ * If neither of those two are set we do an IPsec policy lookup.
+ *
+ * We handle setting things like
+ * ixa_pktlen
+ * ixa_ip_hdr_length
+ * ixa->ixa_protocol
+ *
+ * The caller may set ixa_xmit_hint, which is used for ECMP selection and
+ * transmit ring selecting in GLD.
+ *
+ * The caller must do an ixa_cleanup() to release any IPsec references
+ * after we return.
+ */
+int
+ip_output_simple(mblk_t *mp, ip_xmit_attr_t *ixa)
+{
+ ts_label_t *effective_tsl = NULL;
+ int err;
+
+ ASSERT(ixa->ixa_ipst != NULL);
+
+ if (is_system_labeled()) {
+ ip_stack_t *ipst = ixa->ixa_ipst;
+
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ err = tsol_check_label_v4(ixa->ixa_tsl, ixa->ixa_zoneid,
+ &mp, CONN_MAC_DEFAULT, B_FALSE, ixa->ixa_ipst,
+ &effective_tsl);
+ } else {
+ err = tsol_check_label_v6(ixa->ixa_tsl, ixa->ixa_zoneid,
+ &mp, CONN_MAC_DEFAULT, B_FALSE, ixa->ixa_ipst,
+ &effective_tsl);
+ }
+ if (err != 0) {
+ ip2dbg(("tsol_check: label check failed (%d)\n", err));
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("tsol_check_label", mp, NULL);
+ freemsg(mp);
+ return (err);
+ }
+ if (effective_tsl != NULL) {
+ /* Update the label */
+ ip_xmit_attr_replace_tsl(ixa, effective_tsl);
+ }
+ }
+
+ if (ixa->ixa_flags & IXAF_IS_IPV4)
+ return (ip_output_simple_v4(mp, ixa));
+ else
+ return (ip_output_simple_v6(mp, ixa));
+}
+
+int
+ip_output_simple_v4(mblk_t *mp, ip_xmit_attr_t *ixa)
+{
+ ipha_t *ipha;
+ ipaddr_t firsthop; /* In IP header */
+ ipaddr_t dst; /* End of source route, or ipha_dst if none */
+ ire_t *ire;
+ ipaddr_t setsrc; /* RTF_SETSRC */
+ int error;
+ ill_t *ill = NULL;
+ dce_t *dce = NULL;
+ nce_t *nce;
+ iaflags_t ixaflags = ixa->ixa_flags;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ boolean_t repeat = B_FALSE;
+ boolean_t multirt = B_FALSE;
+
+ ipha = (ipha_t *)mp->b_rptr;
+ ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
+
+ /*
+ * Even on labeled systems we can have a NULL ixa_tsl e.g.,
+ * for IGMP/MLD traffic.
+ */
+
+ /* Caller already set flags */
+ ASSERT(ixa->ixa_flags & IXAF_IS_IPV4);
+
+ ASSERT(ixa->ixa_nce == NULL);
+
+ ixa->ixa_pktlen = ntohs(ipha->ipha_length);
+ ASSERT(ixa->ixa_pktlen == msgdsize(mp));
+ ixa->ixa_ip_hdr_length = IPH_HDR_LENGTH(ipha);
+ ixa->ixa_protocol = ipha->ipha_protocol;
+
+ /*
+ * Assumes that source routed packets have already been massaged by
+ * the ULP (ip_massage_options) and as a result ipha_dst is the next
+ * hop in the source route. The final destination is used for IPsec
+ * policy and DCE lookup.
+ */
+ firsthop = ipha->ipha_dst;
+ dst = ip_get_dst(ipha);
+
+repeat_ire:
+ error = 0;
+ setsrc = INADDR_ANY;
+ ire = ip_select_route_v4(firsthop, ixa, NULL, &setsrc, &error,
+ &multirt);
+ ASSERT(ire != NULL); /* IRE_NOROUTE if none found */
+ if (error != 0) {
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - select route", mp, NULL);
+ freemsg(mp);
+ goto done;
+ }
+
+ if (ire->ire_flags & (RTF_BLACKHOLE|RTF_REJECT)) {
+ /* ire_ill might be NULL hence need to skip some code */
+ if (ixaflags & IXAF_SET_SOURCE)
+ ipha->ipha_src = htonl(INADDR_LOOPBACK);
+ ixa->ixa_fragsize = IP_MAXPACKET;
+ ill = NULL;
+ nce = NULL;
+ ire->ire_ob_pkt_count++;
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
+ /* No dce yet; use default one */
+ error = (ire->ire_sendfn)(ire, mp, ipha, ixa,
+ &ipst->ips_dce_default->dce_ident);
+ goto done;
+ }
+
+ /* Note that ipha_dst is only used for IRE_MULTICAST */
+ nce = ire_to_nce(ire, ipha->ipha_dst, NULL);
+ if (nce == NULL) {
+ /* Allocation failure? */
+ ip_drop_output("ire_to_nce", mp, ill);
+ freemsg(mp);
+ error = ENOBUFS;
+ goto done;
+ }
+ if (nce->nce_is_condemned) {
+ nce_t *nce1;
+
+ nce1 = ire_handle_condemned_nce(nce, ire, ipha, NULL, B_TRUE);
+ nce_refrele(nce);
+ if (nce1 == NULL) {
+ if (!repeat) {
+ /* Try finding a better IRE */
+ repeat = B_TRUE;
+ ire_refrele(ire);
+ goto repeat_ire;
+ }
+ /* Tried twice - drop packet */
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("No nce", mp, ill);
+ freemsg(mp);
+ error = ENOBUFS;
+ goto done;
+ }
+ nce = nce1;
+ }
+
+ /*
+ * For multicast with multirt we have a flag passed back from
+ * ire_lookup_multi_ill_v4 since we don't have an IRE for each
+ * possible multicast address.
+ * We also need a flag for multicast since we can't check
+ * whether RTF_MULTIRT is set in ixa_ire for multicast.
+ */
+ if (multirt) {
+ ixa->ixa_postfragfn = ip_postfrag_multirt_v4;
+ ixa->ixa_flags |= IXAF_MULTIRT_MULTICAST;
+ } else {
+ ixa->ixa_postfragfn = ire->ire_postfragfn;
+ ixa->ixa_flags &= ~IXAF_MULTIRT_MULTICAST;
+ }
+ ASSERT(ixa->ixa_nce == NULL);
+ ixa->ixa_nce = nce;
+
+ /*
+ * Check for a dce_t with a path mtu.
+ */
+ dce = dce_lookup_v4(dst, ipst, NULL);
+ ASSERT(dce != NULL);
+
+ if (!(ixaflags & IXAF_PMTU_DISCOVERY)) {
+ ixa->ixa_fragsize = ip_get_base_mtu(nce->nce_ill, ire);
+ } else if (dce->dce_flags & DCEF_PMTU) {
+ /*
+ * To avoid a periodic timer to increase the path MTU we
+ * look at dce_last_change_time each time we send a packet.
+ */
+ if (TICK_TO_SEC(lbolt64) - dce->dce_last_change_time >
+ ipst->ips_ip_pathmtu_interval) {
+ /*
+ * Older than 20 minutes. Drop the path MTU information.
+ */
+ mutex_enter(&dce->dce_lock);
+ dce->dce_flags &= ~(DCEF_PMTU|DCEF_TOO_SMALL_PMTU);
+ dce->dce_last_change_time = TICK_TO_SEC(lbolt64);
+ mutex_exit(&dce->dce_lock);
+ dce_increment_generation(dce);
+ ixa->ixa_fragsize = ip_get_base_mtu(nce->nce_ill, ire);
+ } else {
+ uint_t fragsize;
+
+ fragsize = ip_get_base_mtu(nce->nce_ill, ire);
+ if (fragsize > dce->dce_pmtu)
+ fragsize = dce->dce_pmtu;
+ ixa->ixa_fragsize = fragsize;
+ }
+ } else {
+ ixa->ixa_fragsize = ip_get_base_mtu(nce->nce_ill, ire);
+ }
+
+ /*
+ * We use use ire_nexthop_ill (and not ncec_ill) to avoid the under ipmp
+ * interface for source address selection.
+ */
+ ill = ire_nexthop_ill(ire);
+
+ if (ixaflags & IXAF_SET_SOURCE) {
+ ipaddr_t src;
+
+ /*
+ * We use the final destination to get
+ * correct selection for source routed packets
+ */
+
+ /* If unreachable we have no ill but need some source */
+ if (ill == NULL) {
+ src = htonl(INADDR_LOOPBACK);
+ error = 0;
+ } else {
+ error = ip_select_source_v4(ill, setsrc, dst,
+ ixa->ixa_multicast_ifaddr, ixa->ixa_zoneid, ipst,
+ &src, NULL, NULL);
+ }
+ if (error != 0) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - no source",
+ mp, ill);
+ freemsg(mp);
+ goto done;
+ }
+ ipha->ipha_src = src;
+ } else if (ixaflags & IXAF_VERIFY_SOURCE) {
+ /* Check if the IP source is assigned to the host. */
+ if (!ip_verify_src(mp, ixa, NULL)) {
+ /* Don't send a packet with a source that isn't ours */
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - invalid source",
+ mp, ill);
+ freemsg(mp);
+ error = EADDRNOTAVAIL;
+ goto done;
+ }
+ }
+
+
+ /*
+ * Check against global IPsec policy to set the AH/ESP attributes.
+ * IPsec will set IXAF_IPSEC_* and ixa_ipsec_* as appropriate.
+ */
+ if (!(ixaflags & (IXAF_NO_IPSEC|IXAF_IPSEC_SECURE))) {
+ ASSERT(ixa->ixa_ipsec_policy == NULL);
+ mp = ip_output_attach_policy(mp, ipha, NULL, NULL, ixa);
+ if (mp == NULL) {
+ /* MIB and ip_drop_packet already done */
+ return (EHOSTUNREACH); /* IPsec policy failure */
+ }
+ }
+
+ if (ill != NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
+ } else {
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
+ }
+
+ /*
+ * We update the statistics on the most specific IRE i.e., the first
+ * one we found.
+ * We don't have an IRE when we fragment, hence ire_ob_pkt_count
+ * can only count the use prior to fragmentation. However the MIB
+ * counters on the ill will be incremented in post fragmentation.
+ */
+ ire->ire_ob_pkt_count++;
+
+ /*
+ * Based on ire_type and ire_flags call one of:
+ * ire_send_local_v4 - for IRE_LOCAL and IRE_LOOPBACK
+ * ire_send_multirt_v4 - if RTF_MULTIRT
+ * ire_send_noroute_v4 - if RTF_REJECT or RTF_BLACHOLE
+ * ire_send_multicast_v4 - for IRE_MULTICAST
+ * ire_send_broadcast_v4 - for IRE_BROADCAST
+ * ire_send_wire_v4 - for the rest.
+ */
+ error = (ire->ire_sendfn)(ire, mp, ipha, ixa, &dce->dce_ident);
+done:
+ ire_refrele(ire);
+ if (dce != NULL)
+ dce_refrele(dce);
+ if (ill != NULL)
+ ill_refrele(ill);
+ if (ixa->ixa_nce != NULL)
+ nce_refrele(ixa->ixa_nce);
+ ixa->ixa_nce = NULL;
+ return (error);
+}
+
+/*
+ * ire_sendfn() functions.
+ * These functions use the following xmit_attr:
+ * - ixa_fragsize - read to determine whether or not to fragment
+ * - IXAF_IPSEC_SECURE - to determine whether or not to invoke IPsec
+ * - ixa_ipsec_* are used inside IPsec
+ * - IXAF_SET_SOURCE - replace IP source in broadcast case.
+ * - IXAF_LOOPBACK_COPY - for multicast and broadcast
+ */
+
+
+/*
+ * ire_sendfn for IRE_LOCAL and IRE_LOOPBACK
+ *
+ * The checks for restrict_interzone_loopback are done in ire_route_recursive.
+ */
+/* ARGSUSED4 */
+int
+ire_send_local_v4(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_xmit_attr_t *ixa, uint32_t *identp)
+{
+ ipha_t *ipha = (ipha_t *)iph_arg;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ ill_t *ill = ire->ire_ill;
+ ip_recv_attr_t iras; /* NOTE: No bzero for performance */
+ uint_t pktlen = ixa->ixa_pktlen;
+
+ /*
+ * No fragmentation, no nce, no application of IPsec,
+ * and no ipha_ident assignment.
+ *
+ * Note different order between IP provider and FW_HOOKS than in
+ * send_wire case.
+ */
+
+ /*
+ * DTrace this as ip:::send. A packet blocked by FW_HOOKS will fire the
+ * send probe, but not the receive probe.
+ */
+ DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
+ ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha, ip6_t *, NULL,
+ int, 1);
+
+ if (HOOKS4_INTERESTED_LOOPBACK_OUT(ipst)) {
+ int error;
+
+ DTRACE_PROBE4(ip4__loopback__out__start, ill_t *, NULL,
+ ill_t *, ill, ipha_t *, ipha, mblk_t *, mp);
+ FW_HOOKS(ipst->ips_ip4_loopback_out_event,
+ ipst->ips_ipv4firewall_loopback_out,
+ NULL, ill, ipha, mp, mp, 0, ipst, error);
+ DTRACE_PROBE1(ip4__loopback__out__end, mblk_t *, mp);
+ if (mp == NULL)
+ return (error);
+
+ /*
+ * Even if the destination was changed by the filter we use the
+ * forwarding decision that was made based on the address
+ * in ip_output/ip_set_destination.
+ */
+ /* Length could be different */
+ ipha = (ipha_t *)mp->b_rptr;
+ pktlen = ntohs(ipha->ipha_length);
+ }
+
+ /*
+ * If a callback is enabled then we need to know the
+ * source and destination zoneids for the packet. We already
+ * have those handy.
+ */
+ if (ipst->ips_ip4_observe.he_interested) {
+ zoneid_t szone, dzone;
+ zoneid_t stackzoneid;
+
+ stackzoneid = netstackid_to_zoneid(
+ ipst->ips_netstack->netstack_stackid);
+
+ if (stackzoneid == GLOBAL_ZONEID) {
+ /* Shared-IP zone */
+ dzone = ire->ire_zoneid;
+ szone = ixa->ixa_zoneid;
+ } else {
+ szone = dzone = stackzoneid;
+ }
+ ipobs_hook(mp, IPOBS_HOOK_LOCAL, szone, dzone, ill, ipst);
+ }
+
+ /* Handle lo0 stats */
+ ipst->ips_loopback_packets++;
+
+ /* Map ixa to ira including IPsec policies */
+ ipsec_out_to_in(ixa, ill, &iras);
+ iras.ira_pktlen = pktlen;
+
+ if (!IS_SIMPLE_IPH(ipha)) {
+ ip_output_local_options(ipha, ipst);
+ iras.ira_flags |= IRAF_IPV4_OPTIONS;
+ }
+
+ if (HOOKS4_INTERESTED_LOOPBACK_IN(ipst)) {
+ int error;
+
+ DTRACE_PROBE4(ip4__loopback__in__start, ill_t *, ill,
+ ill_t *, NULL, ipha_t *, ipha, mblk_t *, mp);
+ FW_HOOKS(ipst->ips_ip4_loopback_in_event,
+ ipst->ips_ipv4firewall_loopback_in,
+ ill, NULL, ipha, mp, mp, 0, ipst, error);
+
+ DTRACE_PROBE1(ip4__loopback__in__end, mblk_t *, mp);
+ if (mp == NULL) {
+ ira_cleanup(&iras, B_FALSE);
+ return (error);
+ }
+ /*
+ * Even if the destination was changed by the filter we use the
+ * forwarding decision that was made based on the address
+ * in ip_output/ip_set_destination.
+ */
+ /* Length could be different */
+ ipha = (ipha_t *)mp->b_rptr;
+ pktlen = iras.ira_pktlen = ntohs(ipha->ipha_length);
+ }
+
+ DTRACE_IP7(receive, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
+ ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha, ip6_t *, NULL,
+ int, 1);
+
+ ire->ire_ib_pkt_count++;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInReceives);
+ UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInOctets, pktlen);
+
+ /* Destined to ire_zoneid - use that for fanout */
+ iras.ira_zoneid = ire->ire_zoneid;
+
+ if (is_system_labeled()) {
+ iras.ira_flags |= IRAF_SYSTEM_LABELED;
+
+ /*
+ * This updates ira_cred, ira_tsl and ira_free_flags based
+ * on the label. We don't expect this to ever fail for
+ * loopback packets, so we silently drop the packet should it
+ * fail.
+ */
+ if (!tsol_get_pkt_label(mp, IPV4_VERSION, &iras)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("tsol_get_pkt_label", mp, ill);
+ freemsg(mp);
+ return (0);
+ }
+ ASSERT(iras.ira_tsl != NULL);
+
+ /* tsol_get_pkt_label sometimes does pullupmsg */
+ ipha = (ipha_t *)mp->b_rptr;
+ }
+
+ ip_fanout_v4(mp, ipha, &iras);
+
+ /* We moved any IPsec refs from ixa to iras */
+ ira_cleanup(&iras, B_FALSE);
+ return (0);
+}
+
+/*
+ * ire_sendfn for IRE_BROADCAST
+ * If the broadcast address is present on multiple ills and ixa_ifindex
+ * isn't set, then we generate
+ * a separate datagram (potentially with different source address) for
+ * those ills. In any case, only one copy is looped back to ip_input_v4.
+ */
+int
+ire_send_broadcast_v4(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_xmit_attr_t *ixa, uint32_t *identp)
+{
+ ipha_t *ipha = (ipha_t *)iph_arg;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ irb_t *irb = ire->ire_bucket;
+ ire_t *ire1;
+ mblk_t *mp1;
+ ipha_t *ipha1;
+ iaflags_t ixaflags = ixa->ixa_flags;
+ nce_t *nce1, *nce_orig;
+
+ /*
+ * Unless ire_send_multirt_v4 already set a ttl, force the
+ * ttl to a smallish value.
+ */
+ if (!(ixa->ixa_flags & IXAF_NO_TTL_CHANGE)) {
+ /*
+ * To avoid broadcast storms, we usually set the TTL to 1 for
+ * broadcasts. This can
+ * be overridden stack-wide through the ip_broadcast_ttl
+ * ndd tunable, or on a per-connection basis through the
+ * IP_BROADCAST_TTL socket option.
+ *
+ * If SO_DONTROUTE/IXAF_DONTROUTE is set, then ire_send_wire_v4
+ * will force ttl to one after we've set this.
+ */
+ if (ixaflags & IXAF_BROADCAST_TTL_SET)
+ ipha->ipha_ttl = ixa->ixa_broadcast_ttl;
+ else
+ ipha->ipha_ttl = ipst->ips_ip_broadcast_ttl;
+ }
+ /*
+ * Make sure we get a loopback copy (after IPsec and frag)
+ * Skip hardware checksum so that loopback copy is checksumed.
+ */
+ ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
+
+ /* Do we need to potentially generate multiple copies? */
+ if (irb->irb_ire_cnt == 1 || ixa->ixa_ifindex != 0)
+ return (ire_send_wire_v4(ire, mp, ipha, ixa, identp));
+
+ /*
+ * Loop over all IRE_BROADCAST in the bucket (might only be one).
+ * Note that everything in the bucket has the same destination address.
+ */
+ irb_refhold(irb);
+ for (ire1 = irb->irb_ire; ire1 != NULL; ire1 = ire1->ire_next) {
+ /* We do the main IRE after the end of the loop */
+ if (ire1 == ire)
+ continue;
+
+ /*
+ * Only IREs for the same IP address should be in the same
+ * bucket.
+ * But could have IRE_HOSTs in the case of CGTP.
+ * If we find any multirt routes we bail out of the loop
+ * and just do the single packet at the end; ip_postfrag_multirt
+ * will duplicate the packet.
+ */
+ ASSERT(ire1->ire_addr == ire->ire_addr);
+ if (!(ire1->ire_type & IRE_BROADCAST))
+ continue;
+
+ if (IRE_IS_CONDEMNED(ire1))
+ continue;
+
+ if (ixa->ixa_zoneid != ALL_ZONES &&
+ ire->ire_zoneid != ire1->ire_zoneid)
+ continue;
+
+ ASSERT(ire->ire_ill != ire1->ire_ill && ire1->ire_ill != NULL);
+
+ if (ire1->ire_flags & RTF_MULTIRT)
+ break;
+
+ /*
+ * For IPMP we only send for the ipmp_ill. arp_nce_init() will
+ * ensure that this goes out on the cast_ill.
+ */
+ if (IS_UNDER_IPMP(ire1->ire_ill))
+ continue;
+
+ mp1 = copymsg(mp);
+ if (mp1 == NULL) {
+ BUMP_MIB(ire1->ire_ill->ill_ip_mib,
+ ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards",
+ mp, ire1->ire_ill);
+ continue;
+ }
+
+ ipha1 = (ipha_t *)mp1->b_rptr;
+ if (ixa->ixa_flags & IXAF_SET_SOURCE) {
+ /*
+ * Need to pick a different source address for each
+ * interface. If we have a global IPsec policy and
+ * no per-socket policy then we punt to
+ * ip_output_simple_v4 using a separate ip_xmit_attr_t.
+ */
+ if (ixaflags & IXAF_IPSEC_GLOBAL_POLICY) {
+ ip_output_simple_broadcast(ixa, mp1);
+ continue;
+ }
+ /* Pick a new source address for each interface */
+ if (ip_select_source_v4(ire1->ire_ill, INADDR_ANY,
+ ipha1->ipha_dst, INADDR_ANY, ixa->ixa_zoneid, ipst,
+ &ipha1->ipha_src, NULL, NULL) != 0) {
+ BUMP_MIB(ire1->ire_ill->ill_ip_mib,
+ ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - select "
+ "broadcast source", mp1, ire1->ire_ill);
+ freemsg(mp1);
+ continue;
+ }
+ /*
+ * Check against global IPsec policy to set the AH/ESP
+ * attributes. IPsec will set IXAF_IPSEC_* and
+ * ixa_ipsec_* as appropriate.
+ */
+ if (!(ixaflags & (IXAF_NO_IPSEC|IXAF_IPSEC_SECURE))) {
+ ASSERT(ixa->ixa_ipsec_policy == NULL);
+ mp1 = ip_output_attach_policy(mp1, ipha, NULL,
+ NULL, ixa);
+ if (mp1 == NULL) {
+ /*
+ * MIB and ip_drop_packet already
+ * done
+ */
+ continue;
+ }
+ }
+ }
+ /* Make sure we have an NCE on this ill */
+ nce1 = arp_nce_init(ire1->ire_ill, ire1->ire_addr,
+ ire1->ire_type);
+ if (nce1 == NULL) {
+ BUMP_MIB(ire1->ire_ill->ill_ip_mib,
+ ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - broadcast nce",
+ mp1, ire1->ire_ill);
+ freemsg(mp1);
+ continue;
+ }
+ nce_orig = ixa->ixa_nce;
+ ixa->ixa_nce = nce1;
+
+ ire_refhold(ire1);
+ /*
+ * Ignore any errors here. We just collect the errno for
+ * the main ire below
+ */
+ (void) ire_send_wire_v4(ire1, mp1, ipha1, ixa, identp);
+ ire_refrele(ire1);
+
+ ixa->ixa_nce = nce_orig;
+ nce_refrele(nce1);
+
+ ixa->ixa_flags &= ~IXAF_LOOPBACK_COPY;
+ }
+ irb_refrele(irb);
+ /* Finally, the main one */
+
+ /*
+ * For IPMP we only send broadcasts on the ipmp_ill.
+ */
+ if (IS_UNDER_IPMP(ire->ire_ill)) {
+ freemsg(mp);
+ return (0);
+ }
+
+ return (ire_send_wire_v4(ire, mp, ipha, ixa, identp));
+}
+
+/*
+ * Send a packet using a different source address and different
+ * IPsec policy.
+ */
+static void
+ip_output_simple_broadcast(ip_xmit_attr_t *ixa, mblk_t *mp)
+{
+ ip_xmit_attr_t ixas;
+
+ bzero(&ixas, sizeof (ixas));
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
+ ixas.ixa_zoneid = ixa->ixa_zoneid;
+ ixas.ixa_ifindex = 0;
+ ixas.ixa_ipst = ixa->ixa_ipst;
+ ixas.ixa_cred = ixa->ixa_cred;
+ ixas.ixa_cpid = ixa->ixa_cpid;
+ ixas.ixa_tsl = ixa->ixa_tsl;
+ ixas.ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
+
+ (void) ip_output_simple(mp, &ixas);
+ ixa_cleanup(&ixas);
+}
+
+
+static void
+multirt_check_v4(ire_t *ire, ipha_t *ipha, ip_xmit_attr_t *ixa)
+{
+ ip_stack_t *ipst = ixa->ixa_ipst;
+
+ /* Limit the TTL on multirt packets */
+ if (ire->ire_type & IRE_MULTICAST) {
+ if (ipha->ipha_ttl > 1) {
+ ip2dbg(("ire_send_multirt_v4: forcing multicast "
+ "multirt TTL to 1 (was %d), dst 0x%08x\n",
+ ipha->ipha_ttl, ntohl(ire->ire_addr)));
+ ipha->ipha_ttl = 1;
+ }
+ ixa->ixa_flags |= IXAF_NO_TTL_CHANGE;
+ } else if ((ipst->ips_ip_multirt_ttl > 0) &&
+ (ipha->ipha_ttl > ipst->ips_ip_multirt_ttl)) {
+ ipha->ipha_ttl = ipst->ips_ip_multirt_ttl;
+ /*
+ * Need to ensure we don't increase the ttl should we go through
+ * ire_send_broadcast or multicast.
+ */
+ ixa->ixa_flags |= IXAF_NO_TTL_CHANGE;
+ }
+}
+
+/*
+ * ire_sendfn for IRE_MULTICAST
+ */
+int
+ire_send_multicast_v4(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_xmit_attr_t *ixa, uint32_t *identp)
+{
+ ipha_t *ipha = (ipha_t *)iph_arg;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ ill_t *ill = ire->ire_ill;
+ iaflags_t ixaflags = ixa->ixa_flags;
+
+ /*
+ * The IRE_MULTICAST is the same whether or not multirt is in use.
+ * Hence we need special-case code.
+ */
+ if (ixaflags & IXAF_MULTIRT_MULTICAST)
+ multirt_check_v4(ire, ipha, ixa);
+
+ /*
+ * Check if anything in ip_input_v4 wants a copy of the transmitted
+ * packet (after IPsec and fragmentation)
+ *
+ * 1. Multicast routers always need a copy unless SO_DONTROUTE is set
+ * RSVP and the rsvp daemon is an example of a
+ * protocol and user level process that
+ * handles it's own routing. Hence, it uses the
+ * SO_DONTROUTE option to accomplish this.
+ * 2. If the sender has set IP_MULTICAST_LOOP, then we just
+ * check whether there are any receivers for the group on the ill
+ * (ignoring the zoneid).
+ * 3. If IP_MULTICAST_LOOP is not set, then we check if there are
+ * any members in other shared-IP zones.
+ * If such members exist, then we indicate that the sending zone
+ * shouldn't get a loopback copy to preserve the IP_MULTICAST_LOOP
+ * behavior.
+ *
+ * When we loopback we skip hardware checksum to make sure loopback
+ * copy is checksumed.
+ *
+ * Note that ire_ill is the upper in the case of IPMP.
+ */
+ ixa->ixa_flags &= ~(IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM);
+ if (ipst->ips_ip_g_mrouter && ill->ill_mrouter_cnt > 0 &&
+ !(ixaflags & IXAF_DONTROUTE)) {
+ ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
+ } else if (ixaflags & IXAF_MULTICAST_LOOP) {
+ /*
+ * If this zone or any other zone has members then loopback
+ * a copy.
+ */
+ if (ill_hasmembers_v4(ill, ipha->ipha_dst))
+ ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
+ } else if (ipst->ips_netstack->netstack_numzones > 1) {
+ /*
+ * This zone should not have a copy. But there are some other
+ * zones which might have members.
+ */
+ if (ill_hasmembers_otherzones_v4(ill, ipha->ipha_dst,
+ ixa->ixa_zoneid)) {
+ ixa->ixa_flags |= IXAF_NO_LOOP_ZONEID_SET;
+ ixa->ixa_no_loop_zoneid = ixa->ixa_zoneid;
+ ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
+ }
+ }
+
+ /*
+ * Unless ire_send_multirt_v4 or icmp_output_hdrincl already set a ttl,
+ * force the ttl to the IP_MULTICAST_TTL value
+ */
+ if (!(ixaflags & IXAF_NO_TTL_CHANGE)) {
+ ipha->ipha_ttl = ixa->ixa_multicast_ttl;
+ }
+
+ return (ire_send_wire_v4(ire, mp, ipha, ixa, identp));
+}
+
+/*
+ * ire_sendfn for IREs with RTF_MULTIRT
+ */
+int
+ire_send_multirt_v4(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_xmit_attr_t *ixa, uint32_t *identp)
+{
+ ipha_t *ipha = (ipha_t *)iph_arg;
+
+ multirt_check_v4(ire, ipha, ixa);
+
+ if (ire->ire_type & IRE_MULTICAST)
+ return (ire_send_multicast_v4(ire, mp, ipha, ixa, identp));
+ else if (ire->ire_type & IRE_BROADCAST)
+ return (ire_send_broadcast_v4(ire, mp, ipha, ixa, identp));
+ else
+ return (ire_send_wire_v4(ire, mp, ipha, ixa, identp));
+}
+
+/*
+ * ire_sendfn for IREs with RTF_REJECT/RTF_BLACKHOLE, including IRE_NOROUTE
+ */
+int
+ire_send_noroute_v4(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_xmit_attr_t *ixa, uint32_t *identp)
+{
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ ipha_t *ipha = (ipha_t *)iph_arg;
+ ill_t *ill;
+ ip_recv_attr_t iras;
+ boolean_t dummy;
+
+ /* We assign an IP ident for nice errors */
+ ipha->ipha_ident = atomic_add_32_nv(identp, 1);
+
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutNoRoutes);
+
+ if (ire->ire_type & IRE_NOROUTE) {
+ /* A lack of a route as opposed to RTF_REJECT|BLACKHOLE */
+ ip_rts_change(RTM_MISS, ipha->ipha_dst, 0, 0, 0, 0, 0, 0,
+ RTA_DST, ipst);
+ }
+
+ if (ire->ire_flags & RTF_BLACKHOLE) {
+ ip_drop_output("ipIfStatsOutNoRoutes RTF_BLACKHOLE", mp, NULL);
+ freemsg(mp);
+ /* No error even for local senders - silent blackhole */
+ return (0);
+ }
+ ip_drop_output("ipIfStatsOutNoRoutes RTF_REJECT", mp, NULL);
+
+ /*
+ * We need an ill_t for the ip_recv_attr_t even though this packet
+ * was never received and icmp_unreachable doesn't currently use
+ * ira_ill.
+ */
+ ill = ill_lookup_on_name("lo0", B_FALSE,
+ !(ixa->ixa_flags & IRAF_IS_IPV4), &dummy, ipst);
+ if (ill == NULL) {
+ freemsg(mp);
+ return (EHOSTUNREACH);
+ }
+
+ bzero(&iras, sizeof (iras));
+ /* Map ixa to ira including IPsec policies */
+ ipsec_out_to_in(ixa, ill, &iras);
+
+ if (ip_source_routed(ipha, ipst)) {
+ icmp_unreachable(mp, ICMP_SOURCE_ROUTE_FAILED, &iras);
+ } else {
+ icmp_unreachable(mp, ICMP_HOST_UNREACHABLE, &iras);
+ }
+ /* We moved any IPsec refs from ixa to iras */
+ ira_cleanup(&iras, B_FALSE);
+ ill_refrele(ill);
+ return (EHOSTUNREACH);
+}
+
+/*
+ * Calculate a checksum ignoring any hardware capabilities
+ *
+ * Returns B_FALSE if the packet was too short for the checksum. Caller
+ * should free and do stats.
+ */
+static boolean_t
+ip_output_sw_cksum_v4(mblk_t *mp, ipha_t *ipha, ip_xmit_attr_t *ixa)
+{
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ uint_t pktlen = ixa->ixa_pktlen;
+ uint16_t *cksump;
+ uint32_t cksum;
+ uint8_t protocol = ixa->ixa_protocol;
+ uint16_t ip_hdr_length = ixa->ixa_ip_hdr_length;
+ ipaddr_t dst = ipha->ipha_dst;
+ ipaddr_t src = ipha->ipha_src;
+
+ /* Just in case it contained garbage */
+ DB_CKSUMFLAGS(mp) &= ~HCK_FLAGS;
+
+ /*
+ * Calculate ULP checksum
+ */
+ if (protocol == IPPROTO_TCP) {
+ cksump = IPH_TCPH_CHECKSUMP(ipha, ip_hdr_length);
+ cksum = IP_TCP_CSUM_COMP;
+ } else if (protocol == IPPROTO_UDP) {
+ cksump = IPH_UDPH_CHECKSUMP(ipha, ip_hdr_length);
+ cksum = IP_UDP_CSUM_COMP;
+ } else if (protocol == IPPROTO_SCTP) {
+ sctp_hdr_t *sctph;
+
+ ASSERT(MBLKL(mp) >= (ip_hdr_length + sizeof (*sctph)));
+ sctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_length);
+ /*
+ * Zero out the checksum field to ensure proper
+ * checksum calculation.
+ */
+ sctph->sh_chksum = 0;
+#ifdef DEBUG
+ if (!skip_sctp_cksum)
+#endif
+ sctph->sh_chksum = sctp_cksum(mp, ip_hdr_length);
+ goto ip_hdr_cksum;
+ } else {
+ goto ip_hdr_cksum;
+ }
+
+ /* ULP puts the checksum field is in the first mblk */
+ ASSERT(((uchar_t *)cksump) + sizeof (uint16_t) <= mp->b_wptr);
+
+ /*
+ * We accumulate the pseudo header checksum in cksum.
+ * This is pretty hairy code, so watch close. One
+ * thing to keep in mind is that UDP and TCP have
+ * stored their respective datagram lengths in their
+ * checksum fields. This lines things up real nice.
+ */
+ cksum += (dst >> 16) + (dst & 0xFFFF) + (src >> 16) + (src & 0xFFFF);
+
+ cksum = IP_CSUM(mp, ip_hdr_length, cksum);
+ /*
+ * For UDP/IPv4 a zero means that the packets wasn't checksummed.
+ * Change to 0xffff
+ */
+ if (protocol == IPPROTO_UDP && cksum == 0)
+ *cksump = ~cksum;
+ else
+ *cksump = cksum;
+
+ IP_STAT(ipst, ip_out_sw_cksum);
+ IP_STAT_UPDATE(ipst, ip_out_sw_cksum_bytes, pktlen);
+
+ip_hdr_cksum:
+ /* Calculate IPv4 header checksum */
+ ipha->ipha_hdr_checksum = 0;
+ ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
+ return (B_TRUE);
+}
+
+/*
+ * Calculate the ULP checksum - try to use hardware.
+ * In the case of MULTIRT, broadcast or multicast the
+ * IXAF_NO_HW_CKSUM is set in which case we use software.
+ *
+ * If the hardware supports IP header checksum offload; then clear the
+ * contents of IP header checksum field as expected by NIC.
+ * Do this only if we offloaded either full or partial sum.
+ *
+ * Returns B_FALSE if the packet was too short for the checksum. Caller
+ * should free and do stats.
+ */
+static boolean_t
+ip_output_cksum_v4(iaflags_t ixaflags, mblk_t *mp, ipha_t *ipha,
+ ip_xmit_attr_t *ixa, ill_t *ill)
+{
+ uint_t pktlen = ixa->ixa_pktlen;
+ uint16_t *cksump;
+ uint16_t hck_flags;
+ uint32_t cksum;
+ uint8_t protocol = ixa->ixa_protocol;
+ uint16_t ip_hdr_length = ixa->ixa_ip_hdr_length;
+
+ if ((ixaflags & IXAF_NO_HW_CKSUM) || !ILL_HCKSUM_CAPABLE(ill) ||
+ !dohwcksum) {
+ return (ip_output_sw_cksum_v4(mp, ipha, ixa));
+ }
+
+ /*
+ * Calculate ULP checksum. Note that we don't use cksump and cksum
+ * if the ill has FULL support.
+ */
+ if (protocol == IPPROTO_TCP) {
+ cksump = IPH_TCPH_CHECKSUMP(ipha, ip_hdr_length);
+ cksum = IP_TCP_CSUM_COMP; /* Pseudo-header cksum */
+ } else if (protocol == IPPROTO_UDP) {
+ cksump = IPH_UDPH_CHECKSUMP(ipha, ip_hdr_length);
+ cksum = IP_UDP_CSUM_COMP; /* Pseudo-header cksum */
+ } else if (protocol == IPPROTO_SCTP) {
+ sctp_hdr_t *sctph;
+
+ ASSERT(MBLKL(mp) >= (ip_hdr_length + sizeof (*sctph)));
+ sctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_length);
+ /*
+ * Zero out the checksum field to ensure proper
+ * checksum calculation.
+ */
+ sctph->sh_chksum = 0;
+#ifdef DEBUG
+ if (!skip_sctp_cksum)
+#endif
+ sctph->sh_chksum = sctp_cksum(mp, ip_hdr_length);
+ goto ip_hdr_cksum;
+ } else {
+ ip_hdr_cksum:
+ /* Calculate IPv4 header checksum */
+ ipha->ipha_hdr_checksum = 0;
+ ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
+ return (B_TRUE);
+ }
+
+ /* ULP puts the checksum field is in the first mblk */
+ ASSERT(((uchar_t *)cksump) + sizeof (uint16_t) <= mp->b_wptr);
+
+ /*
+ * Underlying interface supports hardware checksum offload for
+ * the payload; leave the payload checksum for the hardware to
+ * calculate. N.B: We only need to set up checksum info on the
+ * first mblk.
+ */
+ hck_flags = ill->ill_hcksum_capab->ill_hcksum_txflags;
+
+ DB_CKSUMFLAGS(mp) &= ~HCK_FLAGS;
+ if (hck_flags & HCKSUM_INET_FULL_V4) {
+ /*
+ * Hardware calculates pseudo-header, header and the
+ * payload checksums, so clear the checksum field in
+ * the protocol header.
+ */
+ *cksump = 0;
+ DB_CKSUMFLAGS(mp) |= HCK_FULLCKSUM;
+
+ ipha->ipha_hdr_checksum = 0;
+ if (hck_flags & HCKSUM_IPHDRCKSUM) {
+ DB_CKSUMFLAGS(mp) |= HCK_IPV4_HDRCKSUM;
+ } else {
+ ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
+ }
+ return (B_TRUE);
+ }
+ if ((hck_flags) & HCKSUM_INET_PARTIAL) {
+ ipaddr_t dst = ipha->ipha_dst;
+ ipaddr_t src = ipha->ipha_src;
+ /*
+ * Partial checksum offload has been enabled. Fill
+ * the checksum field in the protocol header with the
+ * pseudo-header checksum value.
+ *
+ * We accumulate the pseudo header checksum in cksum.
+ * This is pretty hairy code, so watch close. One
+ * thing to keep in mind is that UDP and TCP have
+ * stored their respective datagram lengths in their
+ * checksum fields. This lines things up real nice.
+ */
+ cksum += (dst >> 16) + (dst & 0xFFFF) +
+ (src >> 16) + (src & 0xFFFF);
+ cksum += *(cksump);
+ cksum = (cksum & 0xFFFF) + (cksum >> 16);
+ *(cksump) = (cksum & 0xFFFF) + (cksum >> 16);
+
+ /*
+ * Offsets are relative to beginning of IP header.
+ */
+ DB_CKSUMSTART(mp) = ip_hdr_length;
+ DB_CKSUMSTUFF(mp) = (uint8_t *)cksump - (uint8_t *)ipha;
+ DB_CKSUMEND(mp) = pktlen;
+ DB_CKSUMFLAGS(mp) |= HCK_PARTIALCKSUM;
+
+ ipha->ipha_hdr_checksum = 0;
+ if (hck_flags & HCKSUM_IPHDRCKSUM) {
+ DB_CKSUMFLAGS(mp) |= HCK_IPV4_HDRCKSUM;
+ } else {
+ ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
+ }
+ return (B_TRUE);
+ }
+ /* Hardware capabilities include neither full nor partial IPv4 */
+ return (ip_output_sw_cksum_v4(mp, ipha, ixa));
+}
+
+/*
+ * ire_sendfn for offlink and onlink destinations.
+ * Also called from the multicast, broadcast, multirt send functions.
+ *
+ * Assumes that the caller has a hold on the ire.
+ *
+ * This function doesn't care if the IRE just became condemned since that
+ * can happen at any time.
+ */
+/* ARGSUSED */
+int
+ire_send_wire_v4(ire_t *ire, mblk_t *mp, void *iph_arg,
+ ip_xmit_attr_t *ixa, uint32_t *identp)
+{
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ ipha_t *ipha = (ipha_t *)iph_arg;
+ iaflags_t ixaflags = ixa->ixa_flags;
+ ill_t *ill;
+
+ ASSERT(ixa->ixa_nce != NULL);
+ ill = ixa->ixa_nce->nce_ill;
+
+ if (ixaflags & IXAF_DONTROUTE)
+ ipha->ipha_ttl = 1;
+
+ /*
+ * Assign an ident value for this packet. There could be other
+ * threads targeting the same destination, so we have to arrange
+ * for a atomic increment. Note that we use a 32-bit atomic add
+ * because it has better performance than its 16-bit sibling.
+ *
+ * Normally ixa_extra_ident is 0, but in the case of LSO it will
+ * be the number of TCP segments that the driver/hardware will
+ * extraly construct.
+ *
+ * If running in cluster mode and if the source address
+ * belongs to a replicated service then vector through
+ * cl_inet_ipident vector to allocate ip identifier
+ * NOTE: This is a contract private interface with the
+ * clustering group.
+ */
+ if (cl_inet_ipident != NULL) {
+ ipaddr_t src = ipha->ipha_src;
+ ipaddr_t dst = ipha->ipha_dst;
+ netstackid_t stack_id = ipst->ips_netstack->netstack_stackid;
+
+ ASSERT(cl_inet_isclusterwide != NULL);
+ if ((*cl_inet_isclusterwide)(stack_id, IPPROTO_IP,
+ AF_INET, (uint8_t *)(uintptr_t)src, NULL)) {
+ /*
+ * Note: not correct with LSO since we can't allocate
+ * ixa_extra_ident+1 consecutive values.
+ */
+ ipha->ipha_ident = (*cl_inet_ipident)(stack_id,
+ IPPROTO_IP, AF_INET, (uint8_t *)(uintptr_t)src,
+ (uint8_t *)(uintptr_t)dst, NULL);
+ } else {
+ ipha->ipha_ident = atomic_add_32_nv(identp,
+ ixa->ixa_extra_ident + 1);
+ }
+ } else {
+ ipha->ipha_ident = atomic_add_32_nv(identp,
+ ixa->ixa_extra_ident + 1);
+ }
+#ifndef _BIG_ENDIAN
+ ipha->ipha_ident = htons(ipha->ipha_ident);
+#endif
+
+ /*
+ * This might set b_band, thus the IPsec and fragmentation
+ * code in IP ensures that b_band is updated in the first mblk.
+ */
+ if (IPP_ENABLED(IPP_LOCAL_OUT, ipst)) {
+ /* ip_process translates an IS_UNDER_IPMP */
+ mp = ip_process(IPP_LOCAL_OUT, mp, ill, ill);
+ if (mp == NULL) {
+ /* ip_drop_packet and MIB done */
+ return (0); /* Might just be delayed */
+ }
+ }
+
+ /*
+ * Verify any IPv4 options.
+ *
+ * The presense of IP options also forces the network stack to
+ * calculate the checksum in software. This is because:
+ *
+ * Wrap around: certain partial-checksum NICs (eri, ce) limit
+ * the size of "start offset" width to 6-bit. This effectively
+ * sets the largest value of the offset to 64-bytes, starting
+ * from the MAC header. When the cumulative MAC and IP headers
+ * exceed such limit, the offset will wrap around. This causes
+ * the checksum to be calculated at the wrong place.
+ *
+ * IPv4 source routing: none of the full-checksum capable NICs
+ * is capable of correctly handling the IPv4 source-routing
+ * option for purposes of calculating the pseudo-header; the
+ * actual destination is different from the destination in the
+ * header which is that of the next-hop. (This case may not be
+ * true for NICs which can parse IPv6 extension headers, but
+ * we choose to simplify the implementation by not offloading
+ * checksum when they are present.)
+ */
+ if (!IS_SIMPLE_IPH(ipha)) {
+ ixaflags = ixa->ixa_flags |= IXAF_NO_HW_CKSUM;
+ /* An IS_UNDER_IPMP ill is ok here */
+ if (ip_output_options(mp, ipha, ixa, ill)) {
+ /* Packet has been consumed and ICMP error sent */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ return (EINVAL);
+ }
+ }
+
+ /*
+ * To handle IPsec/iptun's labeling needs we need to tag packets
+ * while we still have ixa_tsl
+ */
+ if (is_system_labeled() && ixa->ixa_tsl != NULL &&
+ (ill->ill_mactype == DL_6TO4 || ill->ill_mactype == DL_IPV4 ||
+ ill->ill_mactype == DL_IPV6)) {
+ cred_t *newcr;
+
+ newcr = copycred_from_tslabel(ixa->ixa_cred, ixa->ixa_tsl,
+ KM_NOSLEEP);
+ if (newcr == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - newcr",
+ mp, ill);
+ freemsg(mp);
+ return (ENOBUFS);
+ }
+ mblk_setcred(mp, newcr, NOPID);
+ crfree(newcr); /* mblk_setcred did its own crhold */
+ }
+
+ if (ixa->ixa_pktlen > ixa->ixa_fragsize ||
+ (ixaflags & IXAF_IPSEC_SECURE)) {
+ uint32_t pktlen;
+
+ pktlen = ixa->ixa_pktlen;
+ if (ixaflags & IXAF_IPSEC_SECURE)
+ pktlen += ipsec_out_extra_length(ixa);
+
+ if (pktlen > IP_MAXPACKET)
+ return (EMSGSIZE);
+
+ if (ixaflags & IXAF_SET_ULP_CKSUM) {
+ /*
+ * Compute ULP checksum and IP header checksum
+ * using software
+ */
+ if (!ip_output_sw_cksum_v4(mp, ipha, ixa)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", mp, ill);
+ freemsg(mp);
+ return (EINVAL);
+ }
+ } else {
+ /* Calculate IPv4 header checksum */
+ ipha->ipha_hdr_checksum = 0;
+ ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
+ }
+
+ /*
+ * If this packet would generate a icmp_frag_needed
+ * message, we need to handle it before we do the IPsec
+ * processing. Otherwise, we need to strip the IPsec
+ * headers before we send up the message to the ULPs
+ * which becomes messy and difficult.
+ *
+ * We check using IXAF_DONTFRAG. The DF bit in the header
+ * is not inspected - it will be copied to any generated
+ * fragments.
+ */
+ if ((pktlen > ixa->ixa_fragsize) &&
+ (ixaflags & IXAF_DONTFRAG)) {
+ /* Generate ICMP and return error */
+ ip_recv_attr_t iras;
+
+ DTRACE_PROBE4(ip4__fragsize__fail, uint_t, pktlen,
+ uint_t, ixa->ixa_fragsize, uint_t, ixa->ixa_pktlen,
+ uint_t, ixa->ixa_pmtu);
+
+ bzero(&iras, sizeof (iras));
+ /* Map ixa to ira including IPsec policies */
+ ipsec_out_to_in(ixa, ill, &iras);
+
+ ip_drop_output("ICMP_FRAG_NEEDED", mp, ill);
+ icmp_frag_needed(mp, ixa->ixa_fragsize, &iras);
+ /* We moved any IPsec refs from ixa to iras */
+ ira_cleanup(&iras, B_FALSE);
+ return (EMSGSIZE);
+ }
+ DTRACE_PROBE4(ip4__fragsize__ok, uint_t, pktlen,
+ uint_t, ixa->ixa_fragsize, uint_t, ixa->ixa_pktlen,
+ uint_t, ixa->ixa_pmtu);
+
+ if (ixaflags & IXAF_IPSEC_SECURE) {
+ /*
+ * Pass in sufficient information so that
+ * IPsec can determine whether to fragment, and
+ * which function to call after fragmentation.
+ */
+ return (ipsec_out_process(mp, ixa));
+ }
+ return (ip_fragment_v4(mp, ixa->ixa_nce, ixaflags,
+ ixa->ixa_pktlen, ixa->ixa_fragsize, ixa->ixa_xmit_hint,
+ ixa->ixa_zoneid, ixa->ixa_no_loop_zoneid,
+ ixa->ixa_postfragfn, &ixa->ixa_cookie));
+ }
+ if (ixaflags & IXAF_SET_ULP_CKSUM) {
+ /* Compute ULP checksum and IP header checksum */
+ /* An IS_UNDER_IPMP ill is ok here */
+ if (!ip_output_cksum_v4(ixaflags, mp, ipha, ixa, ill)) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", mp, ill);
+ freemsg(mp);
+ return (EINVAL);
+ }
+ } else {
+ /* Calculate IPv4 header checksum */
+ ipha->ipha_hdr_checksum = 0;
+ ipha->ipha_hdr_checksum = ip_csum_hdr(ipha);
+ }
+ return ((ixa->ixa_postfragfn)(mp, ixa->ixa_nce, ixaflags,
+ ixa->ixa_pktlen, ixa->ixa_xmit_hint, ixa->ixa_zoneid,
+ ixa->ixa_no_loop_zoneid, &ixa->ixa_cookie));
+}
+
+/*
+ * Send mp into ip_input
+ * Common for IPv4 and IPv6
+ */
+void
+ip_postfrag_loopback(mblk_t *mp, nce_t *nce, iaflags_t ixaflags,
+ uint_t pkt_len, zoneid_t nolzid)
+{
+ rtc_t rtc;
+ ill_t *ill = nce->nce_ill;
+ ip_recv_attr_t iras; /* NOTE: No bzero for performance */
+ ncec_t *ncec;
+
+ ncec = nce->nce_common;
+ iras.ira_flags = IRAF_VERIFY_IP_CKSUM | IRAF_VERIFY_ULP_CKSUM |
+ IRAF_LOOPBACK | IRAF_L2SRC_LOOPBACK;
+ if (ncec->ncec_flags & NCE_F_BCAST)
+ iras.ira_flags |= IRAF_L2DST_BROADCAST;
+ else if (ncec->ncec_flags & NCE_F_MCAST)
+ iras.ira_flags |= IRAF_L2DST_MULTICAST;
+
+ iras.ira_free_flags = 0;
+ iras.ira_cred = NULL;
+ iras.ira_cpid = NOPID;
+ iras.ira_tsl = NULL;
+ iras.ira_zoneid = ALL_ZONES;
+ iras.ira_pktlen = pkt_len;
+ UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInOctets, iras.ira_pktlen);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInReceives);
+
+ if (ixaflags & IXAF_IS_IPV4)
+ iras.ira_flags |= IRAF_IS_IPV4;
+
+ iras.ira_ill = iras.ira_rill = ill;
+ iras.ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+ iras.ira_rifindex = iras.ira_ruifindex;
+ iras.ira_mhip = NULL;
+
+ iras.ira_flags |= ixaflags & IAF_MASK;
+ iras.ira_no_loop_zoneid = nolzid;
+
+ /* Broadcast and multicast doesn't care about the squeue */
+ iras.ira_sqp = NULL;
+
+ rtc.rtc_ire = NULL;
+ if (ixaflags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ rtc.rtc_ipaddr = INADDR_ANY;
+
+ (*ill->ill_inputfn)(mp, ipha, &ipha->ipha_dst, &iras, &rtc);
+ if (rtc.rtc_ire != NULL) {
+ ASSERT(rtc.rtc_ipaddr != INADDR_ANY);
+ ire_refrele(rtc.rtc_ire);
+ }
+ } else {
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+
+ rtc.rtc_ip6addr = ipv6_all_zeros;
+
+ (*ill->ill_inputfn)(mp, ip6h, &ip6h->ip6_dst, &iras, &rtc);
+ if (rtc.rtc_ire != NULL) {
+ ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&rtc.rtc_ip6addr));
+ ire_refrele(rtc.rtc_ire);
+ }
+ }
+ /* Any references to clean up? No hold on ira */
+ if (iras.ira_flags & (IRAF_IPSEC_SECURE|IRAF_SYSTEM_LABELED))
+ ira_cleanup(&iras, B_FALSE);
+}
+
+/*
+ * Post fragmentation function for IRE_MULTICAST and IRE_BROADCAST which
+ * looks at the IXAF_LOOPBACK_COPY flag.
+ * Common for IPv4 and IPv6.
+ *
+ * If the loopback copy fails (due to no memory) but we send the packet out
+ * on the wire we return no failure. Only in the case we supress the wire
+ * sending do we take the loopback failure into account.
+ *
+ * Note that we do not perform DTRACE_IP7 and FW_HOOKS for the looped back copy.
+ * Those operations are performed on this packet in ip_xmit() and it would
+ * be odd to do it twice for the same packet.
+ */
+int
+ip_postfrag_loopcheck(mblk_t *mp, nce_t *nce, iaflags_t ixaflags,
+ uint_t pkt_len, uint32_t xmit_hint, zoneid_t szone, zoneid_t nolzid,
+ uintptr_t *ixacookie)
+{
+ ill_t *ill = nce->nce_ill;
+ int error = 0;
+
+ /*
+ * Check for IXAF_LOOPBACK_COPY - send a copy to ip as if the driver
+ * had looped it back
+ */
+ if (ixaflags & IXAF_LOOPBACK_COPY) {
+ mblk_t *mp1;
+
+ mp1 = copymsg(mp);
+ if (mp1 == NULL) {
+ /* Failed to deliver the loopback copy. */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", mp, ill);
+ error = ENOBUFS;
+ } else {
+ ip_postfrag_loopback(mp1, nce, ixaflags, pkt_len,
+ nolzid);
+ }
+ }
+
+ /*
+ * If TTL = 0 then only do the loopback to this host i.e. we are
+ * done. We are also done if this was the
+ * loopback interface since it is sufficient
+ * to loopback one copy of a multicast packet.
+ */
+ if (ixaflags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ if (ipha->ipha_ttl == 0) {
+ ip_drop_output("multicast ipha_ttl not sent to wire",
+ mp, ill);
+ freemsg(mp);
+ return (error);
+ }
+ } else {
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+
+ if (ip6h->ip6_hops == 0) {
+ ip_drop_output("multicast ipha_ttl not sent to wire",
+ mp, ill);
+ freemsg(mp);
+ return (error);
+ }
+ }
+ if (nce->nce_ill->ill_wq == NULL) {
+ /* Loopback interface */
+ ip_drop_output("multicast on lo0 not sent to wire", mp, ill);
+ freemsg(mp);
+ return (error);
+ }
+
+ return (ip_xmit(mp, nce, ixaflags, pkt_len, xmit_hint, szone, 0,
+ ixacookie));
+}
+
+/*
+ * Post fragmentation function for RTF_MULTIRT routes.
+ * Since IRE_BROADCASTs can have RTF_MULTIRT, this function
+ * checks IXAF_LOOPBACK_COPY.
+ *
+ * If no packet is sent due to failures then we return an errno, but if at
+ * least one succeeded we return zero.
+ */
+int
+ip_postfrag_multirt_v4(mblk_t *mp, nce_t *nce, iaflags_t ixaflags,
+ uint_t pkt_len, uint32_t xmit_hint, zoneid_t szone, zoneid_t nolzid,
+ uintptr_t *ixacookie)
+{
+ irb_t *irb;
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+ ire_t *ire;
+ ire_t *ire1;
+ mblk_t *mp1;
+ nce_t *nce1;
+ ill_t *ill = nce->nce_ill;
+ ill_t *ill1;
+ ip_stack_t *ipst = ill->ill_ipst;
+ int error = 0;
+ int num_sent = 0;
+ int err;
+ uint_t ire_type;
+ ipaddr_t nexthop;
+
+ ASSERT(ixaflags & IXAF_IS_IPV4);
+
+ /* Check for IXAF_LOOPBACK_COPY */
+ if (ixaflags & IXAF_LOOPBACK_COPY) {
+ mblk_t *mp1;
+
+ mp1 = copymsg(mp);
+ if (mp1 == NULL) {
+ /* Failed to deliver the loopback copy. */
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", mp, ill);
+ error = ENOBUFS;
+ } else {
+ ip_postfrag_loopback(mp1, nce, ixaflags, pkt_len,
+ nolzid);
+ }
+ }
+
+ /*
+ * Loop over RTF_MULTIRT for ipha_dst in the same bucket. Send
+ * a copy to each one.
+ * Use the nce (nexthop) and ipha_dst to find the ire.
+ *
+ * MULTIRT is not designed to work with shared-IP zones thus we don't
+ * need to pass a zoneid or a label to the IRE lookup.
+ */
+ if (V4_PART_OF_V6(nce->nce_addr) == ipha->ipha_dst) {
+ /* Broadcast and multicast case */
+ ire = ire_ftable_lookup_v4(ipha->ipha_dst, 0, 0, 0,
+ NULL, ALL_ZONES, NULL, MATCH_IRE_DSTONLY, 0, ipst, NULL);
+ } else {
+ ipaddr_t v4addr = V4_PART_OF_V6(nce->nce_addr);
+
+ /* Unicast case */
+ ire = ire_ftable_lookup_v4(ipha->ipha_dst, 0, v4addr, 0,
+ NULL, ALL_ZONES, NULL, MATCH_IRE_GW, 0, ipst, NULL);
+ }
+
+ if (ire == NULL ||
+ (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
+ !(ire->ire_flags & RTF_MULTIRT)) {
+ /* Drop */
+ ip_drop_output("ip_postfrag_multirt didn't find route",
+ mp, nce->nce_ill);
+ if (ire != NULL)
+ ire_refrele(ire);
+ return (ENETUNREACH);
+ }
+
+ irb = ire->ire_bucket;
+ irb_refhold(irb);
+ for (ire1 = irb->irb_ire; ire1 != NULL; ire1 = ire1->ire_next) {
+ /*
+ * For broadcast we can have a mixture of IRE_BROADCAST and
+ * IRE_HOST due to the manually added IRE_HOSTs that are used
+ * to trigger the creation of the special CGTP broadcast routes.
+ * Thus we have to skip if ire_type doesn't match the original.
+ */
+ if (IRE_IS_CONDEMNED(ire1) ||
+ !(ire1->ire_flags & RTF_MULTIRT) ||
+ ire1->ire_type != ire->ire_type)
+ continue;
+
+ /* Do the ire argument one after the loop */
+ if (ire1 == ire)
+ continue;
+
+ ill1 = ire_nexthop_ill(ire1);
+ if (ill1 == NULL) {
+ /*
+ * This ire might not have been picked by
+ * ire_route_recursive, in which case ire_dep might
+ * not have been setup yet.
+ * We kick ire_route_recursive to try to resolve
+ * starting at ire1.
+ */
+ ire_t *ire2;
+
+ ire2 = ire_route_recursive_impl_v4(ire1,
+ ire1->ire_addr, ire1->ire_type, ire1->ire_ill,
+ ire1->ire_zoneid, NULL, MATCH_IRE_DSTONLY,
+ B_TRUE, 0, ipst, NULL, NULL, NULL);
+ if (ire2 != NULL)
+ ire_refrele(ire2);
+ ill1 = ire_nexthop_ill(ire1);
+ }
+
+ if (ill1 == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - no ill",
+ mp, ill);
+ error = ENETUNREACH;
+ continue;
+ }
+
+ /* Pick the addr and type to use for arp_nce_init */
+ if (nce->nce_common->ncec_flags & NCE_F_BCAST) {
+ ire_type = IRE_BROADCAST;
+ nexthop = ire1->ire_gateway_addr;
+ } else if (nce->nce_common->ncec_flags & NCE_F_MCAST) {
+ ire_type = IRE_MULTICAST;
+ nexthop = ipha->ipha_dst;
+ } else {
+ ire_type = ire1->ire_type; /* Doesn't matter */
+ nexthop = ire1->ire_gateway_addr;
+ }
+
+ /* If IPMP meta or under, then we just drop */
+ if (ill1->ill_grp != NULL) {
+ BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - IPMP",
+ mp, ill1);
+ ill_refrele(ill1);
+ error = ENETUNREACH;
+ continue;
+ }
+
+ nce1 = arp_nce_init(ill1, nexthop, ire_type);
+ if (nce1 == NULL) {
+ BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards - no nce",
+ mp, ill1);
+ ill_refrele(ill1);
+ error = ENETUNREACH;
+ continue;
+ }
+ mp1 = copymsg(mp);
+ if (mp1 == NULL) {
+ BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", mp, ill1);
+ nce_refrele(nce1);
+ ill_refrele(ill1);
+ error = ENOBUFS;
+ continue;
+ }
+ /* Preserve HW checksum for this copy */
+ DB_CKSUMSTART(mp1) = DB_CKSUMSTART(mp);
+ DB_CKSUMSTUFF(mp1) = DB_CKSUMSTUFF(mp);
+ DB_CKSUMEND(mp1) = DB_CKSUMEND(mp);
+ DB_CKSUMFLAGS(mp1) = DB_CKSUMFLAGS(mp);
+ DB_LSOMSS(mp1) = DB_LSOMSS(mp);
+
+ ire1->ire_ob_pkt_count++;
+ err = ip_xmit(mp1, nce1, ixaflags, pkt_len, xmit_hint, szone,
+ 0, ixacookie);
+ if (err == 0)
+ num_sent++;
+ else
+ error = err;
+ nce_refrele(nce1);
+ ill_refrele(ill1);
+ }
+ irb_refrele(irb);
+ ire_refrele(ire);
+ /* Finally, the main one */
+ err = ip_xmit(mp, nce, ixaflags, pkt_len, xmit_hint, szone, 0,
+ ixacookie);
+ if (err == 0)
+ num_sent++;
+ else
+ error = err;
+ if (num_sent > 0)
+ return (0);
+ else
+ return (error);
+}
+
+/*
+ * Verify local connectivity. This check is called by ULP fusion code.
+ * The generation number on an IRE_LOCAL or IRE_LOOPBACK only changes if
+ * the interface is brought down and back up. So we simply fail the local
+ * process. The caller, TCP Fusion, should unfuse the connection.
+ */
+boolean_t
+ip_output_verify_local(ip_xmit_attr_t *ixa)
+{
+ ire_t *ire = ixa->ixa_ire;
+
+ if (!(ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)))
+ return (B_FALSE);
+
+ return (ixa->ixa_ire->ire_generation == ixa->ixa_ire_generation);
+}
+
+/*
+ * Local process for ULP loopback, TCP Fusion. Handle both IPv4 and IPv6.
+ *
+ * The caller must call ip_output_verify_local() first. This function handles
+ * IPobs, FW_HOOKS, and/or IPsec cases sequentially.
+ */
+mblk_t *
+ip_output_process_local(mblk_t *mp, ip_xmit_attr_t *ixa, boolean_t hooks_out,
+ boolean_t hooks_in, conn_t *peer_connp)
+{
+ ill_t *ill = ixa->ixa_ire->ire_ill;
+ ipha_t *ipha = NULL;
+ ip6_t *ip6h = NULL;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ iaflags_t ixaflags = ixa->ixa_flags;
+ ip_recv_attr_t iras;
+ int error;
+
+ ASSERT(mp != NULL);
+
+ if (ixaflags & IXAF_IS_IPV4) {
+ ipha = (ipha_t *)mp->b_rptr;
+
+ /*
+ * If a callback is enabled then we need to know the
+ * source and destination zoneids for the packet. We already
+ * have those handy.
+ */
+ if (ipst->ips_ip4_observe.he_interested) {
+ zoneid_t szone, dzone;
+ zoneid_t stackzoneid;
+
+ stackzoneid = netstackid_to_zoneid(
+ ipst->ips_netstack->netstack_stackid);
+
+ if (stackzoneid == GLOBAL_ZONEID) {
+ /* Shared-IP zone */
+ dzone = ixa->ixa_ire->ire_zoneid;
+ szone = ixa->ixa_zoneid;
+ } else {
+ szone = dzone = stackzoneid;
+ }
+ ipobs_hook(mp, IPOBS_HOOK_LOCAL, szone, dzone, ill,
+ ipst);
+ }
+ DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
+ ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha, ip6_t *,
+ NULL, int, 1);
+
+ /* FW_HOOKS: LOOPBACK_OUT */
+ if (hooks_out) {
+ DTRACE_PROBE4(ip4__loopback__out__start, ill_t *, NULL,
+ ill_t *, ill, ipha_t *, ipha, mblk_t *, mp);
+ FW_HOOKS(ipst->ips_ip4_loopback_out_event,
+ ipst->ips_ipv4firewall_loopback_out,
+ NULL, ill, ipha, mp, mp, 0, ipst, error);
+ DTRACE_PROBE1(ip4__loopback__out__end, mblk_t *, mp);
+ }
+ if (mp == NULL)
+ return (NULL);
+
+ /* FW_HOOKS: LOOPBACK_IN */
+ if (hooks_in) {
+ DTRACE_PROBE4(ip4__loopback__in__start, ill_t *, ill,
+ ill_t *, NULL, ipha_t *, ipha, mblk_t *, mp);
+ FW_HOOKS(ipst->ips_ip4_loopback_in_event,
+ ipst->ips_ipv4firewall_loopback_in,
+ ill, NULL, ipha, mp, mp, 0, ipst, error);
+ DTRACE_PROBE1(ip4__loopback__in__end, mblk_t *, mp);
+ }
+ if (mp == NULL)
+ return (NULL);
+
+ DTRACE_IP7(receive, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
+ ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha, ip6_t *,
+ NULL, int, 1);
+
+ /* Inbound IPsec polocies */
+ if (peer_connp != NULL) {
+ /* Map ixa to ira including IPsec policies. */
+ ipsec_out_to_in(ixa, ill, &iras);
+ mp = ipsec_check_inbound_policy(mp, peer_connp, ipha,
+ NULL, &iras);
+ }
+ } else {
+ ip6h = (ip6_t *)mp->b_rptr;
+
+ /*
+ * If a callback is enabled then we need to know the
+ * source and destination zoneids for the packet. We already
+ * have those handy.
+ */
+ if (ipst->ips_ip6_observe.he_interested) {
+ zoneid_t szone, dzone;
+ zoneid_t stackzoneid;
+
+ stackzoneid = netstackid_to_zoneid(
+ ipst->ips_netstack->netstack_stackid);
+
+ if (stackzoneid == GLOBAL_ZONEID) {
+ /* Shared-IP zone */
+ dzone = ixa->ixa_ire->ire_zoneid;
+ szone = ixa->ixa_zoneid;
+ } else {
+ szone = dzone = stackzoneid;
+ }
+ ipobs_hook(mp, IPOBS_HOOK_LOCAL, szone, dzone, ill,
+ ipst);
+ }
+ DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
+ ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *,
+ ip6h, int, 1);
+
+ /* FW_HOOKS: LOOPBACK_OUT */
+ if (hooks_out) {
+ DTRACE_PROBE4(ip6__loopback__out__start, ill_t *, NULL,
+ ill_t *, ill, ip6_t *, ip6h, mblk_t *, mp);
+ FW_HOOKS6(ipst->ips_ip6_loopback_out_event,
+ ipst->ips_ipv6firewall_loopback_out,
+ NULL, ill, ip6h, mp, mp, 0, ipst, error);
+ DTRACE_PROBE1(ip6__loopback__out__end, mblk_t *, mp);
+ }
+ if (mp == NULL)
+ return (NULL);
+
+ /* FW_HOOKS: LOOPBACK_IN */
+ if (hooks_in) {
+ DTRACE_PROBE4(ip6__loopback__in__start, ill_t *, ill,
+ ill_t *, NULL, ip6_t *, ip6h, mblk_t *, mp);
+ FW_HOOKS6(ipst->ips_ip6_loopback_in_event,
+ ipst->ips_ipv6firewall_loopback_in,
+ ill, NULL, ip6h, mp, mp, 0, ipst, error);
+ DTRACE_PROBE1(ip6__loopback__in__end, mblk_t *, mp);
+ }
+ if (mp == NULL)
+ return (NULL);
+
+ DTRACE_IP7(receive, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
+ ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *,
+ ip6h, int, 1);
+
+ /* Inbound IPsec polocies */
+ if (peer_connp != NULL) {
+ /* Map ixa to ira including IPsec policies. */
+ ipsec_out_to_in(ixa, ill, &iras);
+ mp = ipsec_check_inbound_policy(mp, peer_connp, NULL,
+ ip6h, &iras);
+ }
+ }
+
+ if (mp == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", NULL, ill);
+ }
+
+ return (mp);
+}
diff --git a/usr/src/uts/common/inet/ip/ip_rts.c b/usr/src/uts/common/inet/ip/ip_rts.c
index 70c8bd2ea1..228c7581a3 100644
--- a/usr/src/uts/common/inet/ip/ip_rts.c
+++ b/usr/src/uts/common/inet/ip/ip_rts.c
@@ -81,24 +81,33 @@
static size_t rts_copyfromsockaddr(struct sockaddr *sa, in6_addr_t *addrp);
static void rts_fill_msg(int type, int rtm_addrs, ipaddr_t dst,
ipaddr_t mask, ipaddr_t gateway, ipaddr_t src_addr, ipaddr_t brd_addr,
- ipaddr_t author, const ipif_t *ipif, mblk_t *mp, uint_t, const tsol_gc_t *);
+ ipaddr_t author, ipaddr_t ifaddr, const ill_t *ill, mblk_t *mp,
+ const tsol_gc_t *);
static int rts_getaddrs(rt_msghdr_t *rtm, in6_addr_t *dst_addrp,
in6_addr_t *gw_addrp, in6_addr_t *net_maskp, in6_addr_t *authorp,
in6_addr_t *if_addrp, in6_addr_t *src_addrp, ushort_t *indexp,
sa_family_t *afp, tsol_rtsecattr_t *rtsecattr, int *error);
static void rts_getifdata(if_data_t *if_data, const ipif_t *ipif);
static int rts_getmetrics(ire_t *ire, rt_metrics_t *metrics);
-static mblk_t *rts_rtmget(mblk_t *mp, ire_t *ire, ire_t *sire,
- sa_family_t af);
+static mblk_t *rts_rtmget(mblk_t *mp, ire_t *ire, ire_t *ifire,
+ const in6_addr_t *setsrc, tsol_ire_gw_secattr_t *attrp, sa_family_t af);
static void rts_setmetrics(ire_t *ire, uint_t which, rt_metrics_t *metrics);
-static void ip_rts_request_retry(ipsq_t *, queue_t *q, mblk_t *mp, void *);
+static ire_t *ire_lookup_v4(ipaddr_t dst_addr, ipaddr_t net_mask,
+ ipaddr_t gw_addr, const ill_t *ill, zoneid_t zoneid,
+ const ts_label_t *tsl, int match_flags, ip_stack_t *ipst, ire_t **pifire,
+ ipaddr_t *v4setsrcp, tsol_ire_gw_secattr_t **gwattrp);
+static ire_t *ire_lookup_v6(const in6_addr_t *dst_addr_v6,
+ const in6_addr_t *net_mask_v6, const in6_addr_t *gw_addr_v6,
+ const ill_t *ill, zoneid_t zoneid, const ts_label_t *tsl, int match_flags,
+ ip_stack_t *ipst, ire_t **pifire,
+ in6_addr_t *v6setsrcp, tsol_ire_gw_secattr_t **gwattrp);
/*
* Send `mp' to all eligible routing queues. A queue is ineligible if:
*
* 1. SO_USELOOPBACK is off and it is not the originating queue.
- * 2. RTAW_UNDER_IPMP is on and RTSQ_UNDER_IPMP is clear in `flags'.
- * 3. RTAW_UNDER_IPMP is off and RTSQ_NORMAL is clear in `flags'.
+ * 2. RTA_UNDER_IPMP is on and RTSQ_UNDER_IPMP is not set in `flags'.
+ * 3. RTA_UNDER_IPMP is off and RTSQ_NORMAL is not set in `flags'.
* 4. It is not the same address family as `af', and `af' isn't AF_UNSPEC.
*/
void
@@ -110,7 +119,7 @@ rts_queue_input(mblk_t *mp, conn_t *o_connp, sa_family_t af, uint_t flags,
/*
* Since we don't have an ill_t here, RTSQ_DEFAULT must already be
- * resolved to one or more of RTSQ_NORMAL|RTSQ_UNDER_IPMP by now.
+ * resolved to one or more of RTSQ_NORMAL|RTSQ_UNDER_IPMP at this point.
*/
ASSERT(!(flags & RTSQ_DEFAULT));
@@ -119,7 +128,6 @@ rts_queue_input(mblk_t *mp, conn_t *o_connp, sa_family_t af, uint_t flags,
for (; connp != NULL; connp = next_connp) {
next_connp = connp->conn_next;
-
/*
* If there was a family specified when this routing socket was
* created and it doesn't match the family of the message to
@@ -139,28 +147,27 @@ rts_queue_input(mblk_t *mp, conn_t *o_connp, sa_family_t af, uint_t flags,
if (!(flags & RTSQ_NORMAL))
continue;
}
-
/*
* For the originating queue, we only copy the message upstream
* if loopback is set. For others reading on the routing
* socket, we check if there is room upstream for a copy of the
* message.
*/
- if ((o_connp == connp) && connp->conn_loopback == 0) {
+ if ((o_connp == connp) && connp->conn_useloopback == 0) {
connp = connp->conn_next;
continue;
}
CONN_INC_REF(connp);
mutex_exit(&ipst->ips_rts_clients->connf_lock);
/* Pass to rts_input */
- if ((IPCL_IS_NONSTR(connp) && !PROTO_FLOW_CNTRLD(connp))||
- (!IPCL_IS_NONSTR(connp) &&
- canputnext(CONNP_TO_RQ(connp)))) {
+ if (IPCL_IS_NONSTR(connp) ? !connp->conn_flow_cntrld :
+ canputnext(connp->conn_rq)) {
mp1 = dupmsg(mp);
if (mp1 == NULL)
mp1 = copymsg(mp);
+ /* Note that we pass a NULL ira to rts_input */
if (mp1 != NULL)
- (connp->conn_recv)(connp, mp1, NULL);
+ (connp->conn_recv)(connp, mp1, NULL, NULL);
}
mutex_enter(&ipst->ips_rts_clients->connf_lock);
@@ -176,7 +183,7 @@ rts_queue_input(mblk_t *mp, conn_t *o_connp, sa_family_t af, uint_t flags,
* Takes an ire and sends an ack to all the routing sockets. This
* routine is used
* - when a route is created/deleted through the ioctl interface.
- * - when ire_expire deletes a stale redirect
+ * - when a stale redirect is deleted
*/
void
ip_rts_rtmsg(int type, ire_t *ire, int error, ip_stack_t *ipst)
@@ -192,6 +199,8 @@ ip_rts_rtmsg(int type, ire_t *ire, int error, ip_stack_t *ipst)
ASSERT(ire->ire_ipversion == IPV4_VERSION ||
ire->ire_ipversion == IPV6_VERSION);
+ ASSERT(!(ire->ire_type & IRE_IF_CLONE));
+
if (ire->ire_flags & RTF_SETSRC)
rtm_addrs |= RTA_SRC;
@@ -202,8 +211,8 @@ ip_rts_rtmsg(int type, ire_t *ire, int error, ip_stack_t *ipst)
if (mp == NULL)
return;
rts_fill_msg(type, rtm_addrs, ire->ire_addr, ire->ire_mask,
- ire->ire_gateway_addr, ire->ire_src_addr, 0, 0, NULL, mp,
- 0, NULL);
+ ire->ire_gateway_addr, ire->ire_setsrc_addr, 0, 0, 0, NULL,
+ mp, NULL);
break;
case IPV6_VERSION:
af = AF_INET6;
@@ -215,8 +224,8 @@ ip_rts_rtmsg(int type, ire_t *ire, int error, ip_stack_t *ipst)
mutex_exit(&ire->ire_lock);
rts_fill_msg_v6(type, rtm_addrs, &ire->ire_addr_v6,
&ire->ire_mask_v6, &gw_addr_v6,
- &ire->ire_src_addr_v6, &ipv6_all_zeros, &ipv6_all_zeros,
- NULL, mp, 0, NULL);
+ &ire->ire_setsrc_addr_v6, &ipv6_all_zeros, &ipv6_all_zeros,
+ &ipv6_all_zeros, NULL, mp, NULL);
break;
}
rtm = (rt_msghdr_t *)mp->b_rptr;
@@ -230,13 +239,6 @@ ip_rts_rtmsg(int type, ire_t *ire, int error, ip_stack_t *ipst)
rts_queue_input(mp, NULL, af, RTSQ_ALL, ipst);
}
-/* ARGSUSED */
-static void
-ip_rts_request_retry(ipsq_t *dummy_sq, queue_t *q, mblk_t *mp, void *dummy)
-{
- (void) ip_rts_request(q, mp, msg_getcred(mp, NULL));
-}
-
/*
* This is a call from the RTS module
* indicating that this is a Routing Socket
@@ -248,7 +250,7 @@ ip_rts_register(conn_t *connp)
{
ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
- connp->conn_loopback = 1;
+ connp->conn_useloopback = 1;
ipcl_hash_insert_wildcard(ipst->ips_rts_clients, connp);
}
@@ -269,18 +271,9 @@ ip_rts_unregister(conn_t *connp)
*
* In general, this function does not consume the message supplied but rather
* sends the message upstream with an appropriate UNIX errno.
- *
- * We may need to restart this operation if the ipif cannot be looked up
- * due to an exclusive operation that is currently in progress. The restart
- * entry point is ip_rts_request_retry. While the request is enqueud in the
- * ipsq the ioctl could be aborted and the conn close. To ensure that we don't
- * have stale conn pointers, ip_wput_ioctl does a conn refhold. This is
- * released at the completion of the rts ioctl at the end of this function
- * by calling CONN_OPER_PENDING_DONE or when the ioctl is aborted and
- * conn close occurs in conn_ioctl_cleanup.
*/
int
-ip_rts_request_common(queue_t *q, mblk_t *mp, conn_t *connp, cred_t *ioc_cr)
+ip_rts_request_common(mblk_t *mp, conn_t *connp, cred_t *ioc_cr)
{
rt_msghdr_t *rtm = NULL;
in6_addr_t dst_addr_v6;
@@ -289,9 +282,12 @@ ip_rts_request_common(queue_t *q, mblk_t *mp, conn_t *connp, cred_t *ioc_cr)
in6_addr_t net_mask_v6;
in6_addr_t author_v6;
in6_addr_t if_addr_v6;
- mblk_t *mp1, *ioc_mp = mp;
+ mblk_t *mp1;
ire_t *ire = NULL;
- ire_t *sire = NULL;
+ ire_t *ifire = NULL;
+ ipaddr_t v4setsrc;
+ in6_addr_t v6setsrc = ipv6_all_zeros;
+ tsol_ire_gw_secattr_t *gwattr = NULL;
int error = 0;
int match_flags = MATCH_IRE_DSTONLY;
int match_flags_local = MATCH_IRE_TYPE | MATCH_IRE_GW;
@@ -302,9 +298,6 @@ ip_rts_request_common(queue_t *q, mblk_t *mp, conn_t *connp, cred_t *ioc_cr)
ipaddr_t src_addr;
ipaddr_t net_mask;
ushort_t index;
- ipif_t *ipif = NULL;
- ipif_t *tmp_ipif = NULL;
- IOCP iocp = (IOCP)mp->b_rptr;
boolean_t gcgrp_xtraref = B_FALSE;
tsol_gcgrp_addr_t ga;
tsol_rtsecattr_t rtsecattr;
@@ -314,42 +307,11 @@ ip_rts_request_common(queue_t *q, mblk_t *mp, conn_t *connp, cred_t *ioc_cr)
ts_label_t *tsl = NULL;
zoneid_t zoneid;
ip_stack_t *ipst;
-
- ip1dbg(("ip_rts_request: mp is %x\n", DB_TYPE(mp)));
+ ill_t *ill = NULL;
zoneid = connp->conn_zoneid;
ipst = connp->conn_netstack->netstack_ip;
- ASSERT(mp->b_cont != NULL);
- /* ioc_mp holds mp */
- mp = mp->b_cont;
-
- /*
- * The Routing Socket data starts on
- * next block. If there is no next block
- * this is an indication from routing module
- * that it is a routing socket stream queue.
- * We need to support that for compatibility with SDP since
- * it has a contract private interface to use IP_IOC_RTS_REQUEST.
- */
- if (mp->b_cont == NULL) {
- /*
- * This is a message from SDP
- * indicating that this is a Routing Socket
- * Stream. Insert this conn_t in routing
- * socket client list.
- */
- connp->conn_loopback = 1;
- ipcl_hash_insert_wildcard(ipst->ips_rts_clients, connp);
- goto done;
- }
- mp1 = dupmsg(mp->b_cont);
- if (mp1 == NULL) {
- error = ENOBUFS;
- goto done;
- }
- mp = mp1;
-
if (mp->b_cont != NULL && !pullupmsg(mp, -1)) {
freemsg(mp);
error = EINVAL;
@@ -446,20 +408,13 @@ ip_rts_request_common(queue_t *q, mblk_t *mp, conn_t *connp, cred_t *ioc_cr)
*/
ASSERT(af == AF_INET || af == AF_INET6);
+ /* Handle RTA_IFP */
if (index != 0) {
- ill_t *ill;
+ ipif_t *ipif;
lookup:
- /*
- * IPC must be refheld somewhere in ip_wput_nondata or
- * ip_wput_ioctl etc... and cleaned up if ioctl is killed.
- * If ILL_CHANGING the request is queued in the ipsq.
- */
- ill = ill_lookup_on_ifindex(index, af == AF_INET6,
- CONNP_TO_WQ(connp), ioc_mp, ip_rts_request_retry, &error,
- ipst);
+ ill = ill_lookup_on_ifindex(index, af == AF_INET6, ipst);
if (ill == NULL) {
- if (error != EINPROGRESS)
- error = EINVAL;
+ error = EINVAL;
goto done;
}
@@ -474,13 +429,13 @@ lookup:
switch (rtm->rtm_type) {
case RTM_CHANGE:
case RTM_DELETE:
- ill_refrele(ill);
error = EINVAL;
goto done;
case RTM_ADD:
index = ipmp_ill_get_ipmp_ifindex(ill);
ill_refrele(ill);
if (index == 0) {
+ ill = NULL; /* already refrele'd */
error = EINVAL;
goto done;
}
@@ -488,9 +443,18 @@ lookup:
}
}
- ipif = ipif_get_next_ipif(NULL, ill);
- ill_refrele(ill);
match_flags |= MATCH_IRE_ILL;
+ /*
+ * This provides the same zoneid as in Solaris 10
+ * that -ifp picks the zoneid from the first ipif on the ill.
+ * But it might not be useful since the first ipif will always
+ * have the same zoneid as the ill.
+ */
+ ipif = ipif_get_next_ipif(NULL, ill);
+ if (ipif != NULL) {
+ zoneid = ipif->ipif_zoneid;
+ ipif_refrele(ipif);
+ }
}
/*
@@ -545,6 +509,8 @@ lookup:
switch (af) {
case AF_INET:
if (src_addr != INADDR_ANY) {
+ uint_t type;
+
/*
* The RTF_SETSRC flag is present, check that
* the supplied src address is not the loopback
@@ -556,20 +522,11 @@ lookup:
}
/*
* Also check that the supplied address is a
- * valid, local one.
+ * valid, local one. Only allow IFF_UP ones
*/
- tmp_ipif = ipif_lookup_addr(src_addr, NULL,
- ALL_ZONES, CONNP_TO_WQ(connp), ioc_mp,
- ip_rts_request_retry, &error, ipst);
- if (tmp_ipif == NULL) {
- if (error != EINPROGRESS)
- error = EADDRNOTAVAIL;
- goto done;
- }
- if (!(tmp_ipif->ipif_flags & IPIF_UP) ||
- (tmp_ipif->ipif_flags &
- (IPIF_NOLOCAL | IPIF_ANYCAST))) {
- error = EINVAL;
+ type = ip_type_v4(src_addr, ipst);
+ if (!(type & (IRE_LOCAL|IRE_LOOPBACK))) {
+ error = EADDRNOTAVAIL;
goto done;
}
} else {
@@ -584,14 +541,15 @@ lookup:
}
error = ip_rt_add(dst_addr, net_mask, gw_addr, src_addr,
- rtm->rtm_flags, ipif, &ire, B_FALSE,
- WR(q), ioc_mp, ip_rts_request_retry,
- rtsap, ipst);
- if (ipif != NULL)
- ASSERT(!MUTEX_HELD(&ipif->ipif_ill->ill_lock));
+ rtm->rtm_flags, ill, &ire, B_FALSE,
+ rtsap, ipst, zoneid);
+ if (ill != NULL)
+ ASSERT(!MUTEX_HELD(&ill->ill_lock));
break;
case AF_INET6:
if (!IN6_IS_ADDR_UNSPECIFIED(&src_addr_v6)) {
+ uint_t type;
+
/*
* The RTF_SETSRC flag is present, check that
* the supplied src address is not the loopback
@@ -603,28 +561,17 @@ lookup:
}
/*
* Also check that the supplied address is a
- * valid, local one.
+ * valid, local one. Only allow UP ones.
*/
- tmp_ipif = ipif_lookup_addr_v6(&src_addr_v6,
- NULL, ALL_ZONES, CONNP_TO_WQ(connp), ioc_mp,
- ip_rts_request_retry, &error, ipst);
- if (tmp_ipif == NULL) {
- if (error != EINPROGRESS)
- error = EADDRNOTAVAIL;
- goto done;
- }
-
- if (!(tmp_ipif->ipif_flags & IPIF_UP) ||
- (tmp_ipif->ipif_flags &
- (IPIF_NOLOCAL | IPIF_ANYCAST))) {
- error = EINVAL;
+ type = ip_type_v6(&src_addr_v6, ipst);
+ if (!(type & (IRE_LOCAL|IRE_LOOPBACK))) {
+ error = EADDRNOTAVAIL;
goto done;
}
error = ip_rt_add_v6(&dst_addr_v6, &net_mask_v6,
&gw_addr_v6, &src_addr_v6, rtm->rtm_flags,
- ipif, &ire, WR(q), ioc_mp,
- ip_rts_request_retry, rtsap, ipst);
+ ill, &ire, rtsap, ipst, zoneid);
break;
}
/*
@@ -637,10 +584,9 @@ lookup:
}
error = ip_rt_add_v6(&dst_addr_v6, &net_mask_v6,
&gw_addr_v6, NULL, rtm->rtm_flags,
- ipif, &ire, WR(q), ioc_mp,
- ip_rts_request_retry, rtsap, ipst);
- if (ipif != NULL)
- ASSERT(!MUTEX_HELD(&ipif->ipif_ill->ill_lock));
+ ill, &ire, rtsap, ipst, zoneid);
+ if (ill != NULL)
+ ASSERT(!MUTEX_HELD(&ill->ill_lock));
break;
}
if (error != 0)
@@ -666,13 +612,13 @@ lookup:
switch (af) {
case AF_INET:
error = ip_rt_delete(dst_addr, net_mask, gw_addr,
- found_addrs, rtm->rtm_flags, ipif, B_FALSE,
- WR(q), ioc_mp, ip_rts_request_retry, ipst);
+ found_addrs, rtm->rtm_flags, ill, B_FALSE,
+ ipst, zoneid);
break;
case AF_INET6:
error = ip_rt_delete_v6(&dst_addr_v6, &net_mask_v6,
- &gw_addr_v6, found_addrs, rtm->rtm_flags, ipif,
- WR(q), ioc_mp, ip_rts_request_retry, ipst);
+ &gw_addr_v6, found_addrs, rtm->rtm_flags, ill,
+ ipst, zoneid);
break;
}
break;
@@ -680,8 +626,7 @@ lookup:
case RTM_CHANGE:
/*
* In the case of RTM_GET, the forwarding table should be
- * searched recursively with default being matched if the
- * specific route doesn't exist. Also, if a gateway was
+ * searched recursively. Also, if a gateway was
* specified then the gateway address must also be matched.
*
* In the case of RTM_CHANGE, the gateway address (if supplied)
@@ -706,9 +651,7 @@ lookup:
}
if (rtm->rtm_type == RTM_GET) {
- match_flags |=
- (MATCH_IRE_DEFAULT | MATCH_IRE_RECURSIVE |
- MATCH_IRE_SECATTR);
+ match_flags |= MATCH_IRE_SECATTR;
match_flags_local |= MATCH_IRE_SECATTR;
if ((found_addrs & RTA_GATEWAY) != 0)
match_flags |= MATCH_IRE_GW;
@@ -749,57 +692,34 @@ lookup:
* IRE_LOCAL entry.
*
* If we didn't check for or find an IRE_LOOPBACK or IRE_LOCAL
- * entry, then look in the forwarding table.
+ * entry, then look for any other type of IRE.
*/
switch (af) {
case AF_INET:
if (net_mask == IP_HOST_MASK) {
- ire = ire_ctable_lookup(dst_addr, gw_addr,
+ ire = ire_ftable_lookup_v4(dst_addr, 0, gw_addr,
IRE_LOCAL | IRE_LOOPBACK, NULL, zoneid,
- tsl, match_flags_local, ipst);
- /*
- * If we found an IRE_LOCAL, make sure
- * it is one that would be used by this
- * zone to send packets.
- */
- if (ire != NULL &&
- ire->ire_type == IRE_LOCAL &&
- ipst->ips_ip_restrict_interzone_loopback &&
- !ire_local_ok_across_zones(ire,
- zoneid, &dst_addr, tsl, ipst)) {
- ire_refrele(ire);
- ire = NULL;
- }
+ tsl, match_flags_local, 0, ipst, NULL);
}
if (ire == NULL) {
- ire = ire_ftable_lookup(dst_addr, net_mask,
- gw_addr, 0, ipif, &sire, zoneid, 0,
- tsl, match_flags, ipst);
+ ire = ire_lookup_v4(dst_addr, net_mask,
+ gw_addr, ill, zoneid, tsl, match_flags,
+ ipst, &ifire, &v4setsrc, &gwattr);
+ IN6_IPADDR_TO_V4MAPPED(v4setsrc, &v6setsrc);
}
break;
case AF_INET6:
if (IN6_ARE_ADDR_EQUAL(&net_mask_v6, &ipv6_all_ones)) {
- ire = ire_ctable_lookup_v6(&dst_addr_v6,
+ ire = ire_ftable_lookup_v6(&dst_addr_v6, NULL,
&gw_addr_v6, IRE_LOCAL | IRE_LOOPBACK, NULL,
- zoneid, tsl, match_flags_local, ipst);
- /*
- * If we found an IRE_LOCAL, make sure
- * it is one that would be used by this
- * zone to send packets.
- */
- if (ire != NULL &&
- ire->ire_type == IRE_LOCAL &&
- ipst->ips_ip_restrict_interzone_loopback &&
- !ire_local_ok_across_zones(ire,
- zoneid, (void *)&dst_addr_v6, tsl, ipst)) {
- ire_refrele(ire);
- ire = NULL;
- }
+ zoneid, tsl, match_flags_local, 0, ipst,
+ NULL);
}
if (ire == NULL) {
- ire = ire_ftable_lookup_v6(&dst_addr_v6,
- &net_mask_v6, &gw_addr_v6, 0, ipif, &sire,
- zoneid, 0, tsl, match_flags, ipst);
+ ire = ire_lookup_v6(&dst_addr_v6,
+ &net_mask_v6, &gw_addr_v6, ill, zoneid,
+ tsl, match_flags, ipst, &ifire, &v6setsrc,
+ &gwattr);
}
break;
}
@@ -810,10 +730,21 @@ lookup:
error = ESRCH;
goto done;
}
+ /*
+ * Want to return failure if we get an IRE_NOROUTE from
+ * ire_route_recursive
+ */
+ if (ire->ire_type & IRE_NOROUTE) {
+ ire_refrele(ire);
+ ire = NULL;
+ error = ESRCH;
+ goto done;
+ }
+
/* we know the IRE before we come here */
switch (rtm->rtm_type) {
case RTM_GET:
- mp1 = rts_rtmget(mp, ire, sire, af);
+ mp1 = rts_rtmget(mp, ire, ifire, &v6setsrc, gwattr, af);
if (mp1 == NULL) {
error = ENOBUFS;
goto done;
@@ -843,7 +774,6 @@ lookup:
*/
switch (af) {
case AF_INET:
- ire_flush_cache_v4(ire, IRE_FLUSH_DELETE);
if ((found_addrs & RTA_GATEWAY) != 0 &&
(ire->ire_gateway_addr != gw_addr)) {
ire->ire_gateway_addr = gw_addr;
@@ -863,9 +793,10 @@ lookup:
if ((found_addrs & RTA_SRC) != 0 &&
(rtm->rtm_flags & RTF_SETSRC) != 0 &&
- (ire->ire_src_addr != src_addr)) {
-
+ (ire->ire_setsrc_addr != src_addr)) {
if (src_addr != INADDR_ANY) {
+ uint_t type;
+
/*
* The RTF_SETSRC flag is
* present, check that the
@@ -880,50 +811,47 @@ lookup:
goto done;
}
/*
- * Also check that the the
+ * Also check that the
* supplied addr is a valid
* local address.
*/
- tmp_ipif = ipif_lookup_addr(
- src_addr, NULL, ALL_ZONES,
- WR(q), ioc_mp,
- ip_rts_request_retry,
- &error, ipst);
- if (tmp_ipif == NULL) {
- error = (error ==
- EINPROGRESS) ?
- error :
- EADDRNOTAVAIL;
- goto done;
- }
-
- if (!(tmp_ipif->ipif_flags &
- IPIF_UP) ||
- (tmp_ipif->ipif_flags &
- (IPIF_NOLOCAL |
- IPIF_ANYCAST))) {
- error = EINVAL;
+ type = ip_type_v4(src_addr,
+ ipst);
+ if (!(type &
+ (IRE_LOCAL|IRE_LOOPBACK))) {
+ error = EADDRNOTAVAIL;
goto done;
}
ire->ire_flags |= RTF_SETSRC;
+ ire->ire_setsrc_addr =
+ src_addr;
} else {
ire->ire_flags &= ~RTF_SETSRC;
+ ire->ire_setsrc_addr =
+ INADDR_ANY;
}
- ire->ire_src_addr = src_addr;
+ /*
+ * Let conn_ixa caching know that
+ * source address selection changed
+ */
+ ip_update_source_selection(ipst);
}
+ ire_flush_cache_v4(ire, IRE_FLUSH_GWCHANGE);
break;
case AF_INET6:
- ire_flush_cache_v6(ire, IRE_FLUSH_DELETE);
mutex_enter(&ire->ire_lock);
if ((found_addrs & RTA_GATEWAY) != 0 &&
!IN6_ARE_ADDR_EQUAL(
&ire->ire_gateway_addr_v6, &gw_addr_v6)) {
ire->ire_gateway_addr_v6 = gw_addr_v6;
}
+ mutex_exit(&ire->ire_lock);
if (rtsap != NULL) {
ga.ga_af = AF_INET6;
+ mutex_enter(&ire->ire_lock);
ga.ga_addr = ire->ire_gateway_addr_v6;
+ mutex_exit(&ire->ire_lock);
gcgrp = gcgrp_lookup(&ga, B_TRUE);
if (gcgrp == NULL) {
@@ -935,10 +863,11 @@ lookup:
if ((found_addrs & RTA_SRC) != 0 &&
(rtm->rtm_flags & RTF_SETSRC) != 0 &&
!IN6_ARE_ADDR_EQUAL(
- &ire->ire_src_addr_v6, &src_addr_v6)) {
-
+ &ire->ire_setsrc_addr_v6, &src_addr_v6)) {
if (!IN6_IS_ADDR_UNSPECIFIED(
&src_addr_v6)) {
+ uint_t type;
+
/*
* The RTF_SETSRC flag is
* present, check that the
@@ -949,54 +878,44 @@ lookup:
*/
if (IN6_IS_ADDR_LOOPBACK(
&src_addr_v6)) {
- mutex_exit(
- &ire->ire_lock);
error = EINVAL;
goto done;
}
/*
- * Also check that the the
+ * Also check that the
* supplied addr is a valid
* local address.
*/
- tmp_ipif = ipif_lookup_addr_v6(
- &src_addr_v6, NULL,
- ALL_ZONES,
- CONNP_TO_WQ(connp), ioc_mp,
- ip_rts_request_retry,
- &error, ipst);
- if (tmp_ipif == NULL) {
- mutex_exit(
- &ire->ire_lock);
- error = (error ==
- EINPROGRESS) ?
- error :
- EADDRNOTAVAIL;
- goto done;
- }
- if (!(tmp_ipif->ipif_flags &
- IPIF_UP) ||
- (tmp_ipif->ipif_flags &
- (IPIF_NOLOCAL |
- IPIF_ANYCAST))) {
- mutex_exit(
- &ire->ire_lock);
- error = EINVAL;
+ type = ip_type_v6(&src_addr_v6,
+ ipst);
+ if (!(type &
+ (IRE_LOCAL|IRE_LOOPBACK))) {
+ error = EADDRNOTAVAIL;
goto done;
}
+ mutex_enter(&ire->ire_lock);
ire->ire_flags |= RTF_SETSRC;
+ ire->ire_setsrc_addr_v6 =
+ src_addr_v6;
+ mutex_exit(&ire->ire_lock);
} else {
+ mutex_enter(&ire->ire_lock);
ire->ire_flags &= ~RTF_SETSRC;
+ ire->ire_setsrc_addr_v6 =
+ ipv6_all_zeros;
+ mutex_exit(&ire->ire_lock);
}
- ire->ire_src_addr_v6 = src_addr_v6;
+ /*
+ * Let conn_ixa caching know that
+ * source address selection changed
+ */
+ ip_update_source_selection(ipst);
}
- mutex_exit(&ire->ire_lock);
+ ire_flush_cache_v6(ire, IRE_FLUSH_GWCHANGE);
break;
}
if (rtsap != NULL) {
- in_addr_t ga_addr4;
-
ASSERT(gcgrp != NULL);
/*
@@ -1010,7 +929,7 @@ lookup:
gc = gc_create(rtsap, gcgrp, &gcgrp_xtraref);
if (gc == NULL ||
(error = tsol_ire_init_gwattr(ire,
- ire->ire_ipversion, gc, NULL)) != 0) {
+ ire->ire_ipversion, gc)) != 0) {
if (gc != NULL) {
GC_REFRELE(gc);
} else {
@@ -1019,21 +938,6 @@ lookup:
}
goto done;
}
-
- /*
- * Now delete any existing gateway IRE caches
- * as well as all caches using the gateway,
- * and allow them to be created on demand
- * through ip_newroute{_v6}.
- */
- IN6_V4MAPPED_TO_IPADDR(&ga.ga_addr, ga_addr4);
- if (af == AF_INET) {
- ire_clookup_delete_cache_gw(
- ga_addr4, ALL_ZONES, ipst);
- } else {
- ire_clookup_delete_cache_gw_v6(
- &ga.ga_addr, ALL_ZONES, ipst);
- }
}
rts_setmetrics(ire, rtm->rtm_inits, &rtm->rtm_rmx);
break;
@@ -1046,21 +950,14 @@ lookup:
done:
if (ire != NULL)
ire_refrele(ire);
- if (sire != NULL)
- ire_refrele(sire);
- if (ipif != NULL)
- ipif_refrele(ipif);
- if (tmp_ipif != NULL)
- ipif_refrele(tmp_ipif);
+ if (ifire != NULL)
+ ire_refrele(ifire);
+ if (ill != NULL)
+ ill_refrele(ill);
if (gcgrp_xtraref)
GCGRP_REFRELE(gcgrp);
- if (error == EINPROGRESS) {
- if (rtm != NULL)
- freemsg(mp);
- return (error);
- }
if (rtm != NULL) {
ASSERT(mp->b_wptr <= mp->b_datap->db_lim);
if (error != 0) {
@@ -1074,12 +971,190 @@ done:
}
rts_queue_input(mp, connp, af, RTSQ_ALL, ipst);
}
+ return (error);
+}
+
+/*
+ * Helper function that can do recursive lookups including when
+ * MATCH_IRE_GW and/or MATCH_IRE_MASK is set.
+ */
+static ire_t *
+ire_lookup_v4(ipaddr_t dst_addr, ipaddr_t net_mask, ipaddr_t gw_addr,
+ const ill_t *ill, zoneid_t zoneid, const ts_label_t *tsl,
+ int match_flags, ip_stack_t *ipst, ire_t **pifire, ipaddr_t *v4setsrcp,
+ tsol_ire_gw_secattr_t **gwattrp)
+{
+ ire_t *ire;
+ ire_t *ifire = NULL;
+ uint_t ire_type;
+
+ *pifire = NULL;
+ *v4setsrcp = INADDR_ANY;
+ *gwattrp = NULL;
+
+ /* Skip IRE_IF_CLONE */
+ match_flags |= MATCH_IRE_TYPE;
+ ire_type = (IRE_ONLINK|IRE_OFFLINK) & ~IRE_IF_CLONE;
+
+ /*
+ * ire_route_recursive can't match gateway or mask thus if they are
+ * set we have to do two steps of lookups
+ */
+ if (match_flags & (MATCH_IRE_GW|MATCH_IRE_MASK)) {
+ ire = ire_ftable_lookup_v4(dst_addr, net_mask, gw_addr,
+ ire_type, ill, zoneid, tsl, match_flags, 0, ipst, NULL);
+
+ if (ire == NULL ||(ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)))
+ return (ire);
+
+ if (ire->ire_type & IRE_ONLINK)
+ return (ire);
+
+ if (ire->ire_flags & RTF_SETSRC) {
+ ASSERT(ire->ire_setsrc_addr != INADDR_ANY);
+ *v4setsrcp = ire->ire_setsrc_addr;
+ v4setsrcp = NULL;
+ }
+
+ /* The first ire_gw_secattr is passed back */
+ if (ire->ire_gw_secattr != NULL) {
+ *gwattrp = ire->ire_gw_secattr;
+ gwattrp = NULL;
+ }
+
+ /* Look for an interface ire recursively based on the gateway */
+ dst_addr = ire->ire_gateway_addr;
+ match_flags &= ~(MATCH_IRE_GW|MATCH_IRE_MASK);
+ ifire = ire_route_recursive_v4(dst_addr, ire_type, ill, zoneid,
+ tsl, match_flags, B_FALSE, 0, ipst, v4setsrcp, gwattrp,
+ NULL);
+ } else {
+ ire = ire_route_recursive_v4(dst_addr, ire_type, ill, zoneid,
+ tsl, match_flags, B_FALSE, 0, ipst, v4setsrcp, gwattrp,
+ NULL);
+ }
+ *pifire = ifire;
+ return (ire);
+}
+
+static ire_t *
+ire_lookup_v6(const in6_addr_t *dst_addr_v6,
+ const in6_addr_t *net_mask_v6, const in6_addr_t *gw_addr_v6,
+ const ill_t *ill, zoneid_t zoneid, const ts_label_t *tsl, int match_flags,
+ ip_stack_t *ipst, ire_t **pifire,
+ in6_addr_t *v6setsrcp, tsol_ire_gw_secattr_t **gwattrp)
+{
+ ire_t *ire;
+ ire_t *ifire = NULL;
+ uint_t ire_type;
+
+ *pifire = NULL;
+ *v6setsrcp = ipv6_all_zeros;
+ *gwattrp = NULL;
+
+ /* Skip IRE_IF_CLONE */
+ match_flags |= MATCH_IRE_TYPE;
+ ire_type = (IRE_ONLINK|IRE_OFFLINK) & ~IRE_IF_CLONE;
+
+ /*
+ * ire_route_recursive can't match gateway or mask thus if they are
+ * set we have to do two steps of lookups
+ */
+ if (match_flags & (MATCH_IRE_GW|MATCH_IRE_MASK)) {
+ in6_addr_t dst;
+
+ ire = ire_ftable_lookup_v6(dst_addr_v6, net_mask_v6,
+ gw_addr_v6, ire_type, ill, zoneid, tsl, match_flags, 0,
+ ipst, NULL);
+
+ if (ire == NULL ||(ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)))
+ return (ire);
+
+ if (ire->ire_type & IRE_ONLINK)
+ return (ire);
+
+ if (ire->ire_flags & RTF_SETSRC) {
+ ASSERT(!IN6_IS_ADDR_UNSPECIFIED(
+ &ire->ire_setsrc_addr_v6));
+ *v6setsrcp = ire->ire_setsrc_addr_v6;
+ v6setsrcp = NULL;
+ }
+
+ /* The first ire_gw_secattr is passed back */
+ if (ire->ire_gw_secattr != NULL) {
+ *gwattrp = ire->ire_gw_secattr;
+ gwattrp = NULL;
+ }
+
+ mutex_enter(&ire->ire_lock);
+ dst = ire->ire_gateway_addr_v6;
+ mutex_exit(&ire->ire_lock);
+ match_flags &= ~(MATCH_IRE_GW|MATCH_IRE_MASK);
+ ifire = ire_route_recursive_v6(&dst, ire_type, ill, zoneid, tsl,
+ match_flags, B_FALSE, 0, ipst, v6setsrcp, gwattrp, NULL);
+ } else {
+ ire = ire_route_recursive_v6(dst_addr_v6, ire_type, ill, zoneid,
+ tsl, match_flags, B_FALSE, 0, ipst, v6setsrcp, gwattrp,
+ NULL);
+ }
+ *pifire = ifire;
+ return (ire);
+}
+
+
+/*
+ * Handle IP_IOC_RTS_REQUEST ioctls
+ */
+int
+ip_rts_request(queue_t *q, mblk_t *mp, cred_t *ioc_cr)
+{
+ conn_t *connp = Q_TO_CONN(q);
+ IOCP iocp = (IOCP)mp->b_rptr;
+ mblk_t *mp1, *ioc_mp = mp;
+ int error = 0;
+ ip_stack_t *ipst;
+ ipst = connp->conn_netstack->netstack_ip;
+
+ ASSERT(mp->b_cont != NULL);
+ /* ioc_mp holds mp */
+ mp = mp->b_cont;
+
+ /*
+ * The Routing Socket data starts on
+ * next block. If there is no next block
+ * this is an indication from routing module
+ * that it is a routing socket stream queue.
+ * We need to support that for compatibility with SDP since
+ * it has a contract private interface to use IP_IOC_RTS_REQUEST.
+ * Note: SDP no longer uses IP_IOC_RTS_REQUEST - we can remove this.
+ */
+ if (mp->b_cont == NULL) {
+ /*
+ * This is a message from SDP
+ * indicating that this is a Routing Socket
+ * Stream. Insert this conn_t in routing
+ * socket client list.
+ */
+ connp->conn_useloopback = 1;
+ ipcl_hash_insert_wildcard(ipst->ips_rts_clients, connp);
+ goto done;
+ }
+ mp1 = dupmsg(mp->b_cont);
+ if (mp1 == NULL) {
+ error = ENOBUFS;
+ goto done;
+ }
+ mp = mp1;
+
+ error = ip_rts_request_common(mp, connp, ioc_cr);
+done:
iocp->ioc_error = error;
ioc_mp->b_datap->db_type = M_IOCACK;
if (iocp->ioc_error != 0)
iocp->ioc_count = 0;
- (connp->conn_recv)(connp, ioc_mp, NULL);
+ /* Note that we pass a NULL ira to rts_input */
+ (connp->conn_recv)(connp, ioc_mp, NULL, NULL);
/* conn was refheld in ip_wput_ioctl. */
CONN_OPER_PENDING_DONE(connp);
@@ -1087,12 +1162,6 @@ done:
return (error);
}
-int
-ip_rts_request(queue_t *q, mblk_t *mp, cred_t *ioc_cr)
-{
- return (ip_rts_request_common(q, mp, Q_TO_CONN(q), ioc_cr));
-}
-
/*
* Build a reply to the RTM_GET request contained in the given message block
* using the retrieved IRE of the destination address, the parent IRE (if it
@@ -1102,26 +1171,34 @@ ip_rts_request(queue_t *q, mblk_t *mp, cred_t *ioc_cr)
* otherwise NULL is returned.
*/
static mblk_t *
-rts_rtmget(mblk_t *mp, ire_t *ire, ire_t *sire, sa_family_t af)
+rts_rtmget(mblk_t *mp, ire_t *ire, ire_t *ifire, const in6_addr_t *setsrc,
+ tsol_ire_gw_secattr_t *attrp, sa_family_t af)
{
rt_msghdr_t *rtm;
rt_msghdr_t *new_rtm;
mblk_t *new_mp;
int rtm_addrs;
int rtm_flags;
- in6_addr_t gw_addr_v6;
- tsol_ire_gw_secattr_t *attrp = NULL;
tsol_gc_t *gc = NULL;
tsol_gcgrp_t *gcgrp = NULL;
- int sacnt = 0;
+ ill_t *ill;
+ ipif_t *ipif = NULL;
+ ipaddr_t brdaddr; /* IFF_POINTOPOINT destination */
+ ipaddr_t ifaddr;
+ in6_addr_t brdaddr6; /* IFF_POINTOPOINT destination */
+ in6_addr_t ifaddr6;
+ ipaddr_t v4setsrc;
- ASSERT(ire->ire_ipif != NULL);
rtm = (rt_msghdr_t *)mp->b_rptr;
- if (sire != NULL && sire->ire_gw_secattr != NULL)
- attrp = sire->ire_gw_secattr;
- else if (ire->ire_gw_secattr != NULL)
- attrp = ire->ire_gw_secattr;
+ /*
+ * Find the ill used to send packets. This will be NULL in case
+ * of a reject or blackhole.
+ */
+ if (ifire != NULL)
+ ill = ire_nexthop_ill(ifire);
+ else
+ ill = ire_nexthop_ill(ire);
if (attrp != NULL) {
mutex_enter(&attrp->igsa_lock);
@@ -1129,29 +1206,9 @@ rts_rtmget(mblk_t *mp, ire_t *ire, ire_t *sire, sa_family_t af)
gcgrp = gc->gc_grp;
ASSERT(gcgrp != NULL);
rw_enter(&gcgrp->gcgrp_rwlock, RW_READER);
- sacnt = 1;
- } else if ((gcgrp = attrp->igsa_gcgrp) != NULL) {
- rw_enter(&gcgrp->gcgrp_rwlock, RW_READER);
- gc = gcgrp->gcgrp_head;
- sacnt = gcgrp->gcgrp_count;
}
mutex_exit(&attrp->igsa_lock);
-
- /* do nothing if there's no gc to report */
- if (gc == NULL) {
- ASSERT(sacnt == 0);
- if (gcgrp != NULL) {
- /* we might as well drop the lock now */
- rw_exit(&gcgrp->gcgrp_rwlock);
- gcgrp = NULL;
- }
- attrp = NULL;
- }
-
- ASSERT(gc == NULL || (gcgrp != NULL &&
- RW_LOCK_HELD(&gcgrp->gcgrp_rwlock)));
}
- ASSERT(sacnt == 0 || gc != NULL);
/*
* Always return RTA_DST, RTA_GATEWAY and RTA_NETMASK.
@@ -1162,16 +1219,36 @@ rts_rtmget(mblk_t *mp, ire_t *ire, ire_t *sire, sa_family_t af)
* point-to-point.
*/
rtm_addrs = (RTA_DST | RTA_GATEWAY | RTA_NETMASK);
- if (rtm->rtm_addrs & (RTA_IFP | RTA_IFA)) {
+ if ((rtm->rtm_addrs & (RTA_IFP | RTA_IFA)) && ill != NULL) {
rtm_addrs |= (RTA_IFP | RTA_IFA);
- if (ire->ire_ipif->ipif_flags & IPIF_POINTOPOINT)
- rtm_addrs |= RTA_BRD;
+ /*
+ * We associate an IRE with an ILL, hence we don't exactly
+ * know what might make sense for RTA_IFA and RTA_BRD. We
+ * pick the first ipif on the ill.
+ */
+ ipif = ipif_get_next_ipif(NULL, ill);
+ if (ipif != NULL) {
+ if (ipif->ipif_isv6)
+ ifaddr6 = ipif->ipif_v6lcl_addr;
+ else
+ ifaddr = ipif->ipif_lcl_addr;
+ if (ipif->ipif_flags & IPIF_POINTOPOINT) {
+ rtm_addrs |= RTA_BRD;
+ if (ipif->ipif_isv6)
+ brdaddr6 = ipif->ipif_v6pp_dst_addr;
+ else
+ brdaddr = ipif->ipif_pp_dst_addr;
+ }
+ ipif_refrele(ipif);
+ }
}
- new_mp = rts_alloc_msg(RTM_GET, rtm_addrs, af, sacnt);
+ new_mp = rts_alloc_msg(RTM_GET, rtm_addrs, af, gc != NULL ? 1 : 0);
if (new_mp == NULL) {
if (gcgrp != NULL)
rw_exit(&gcgrp->gcgrp_rwlock);
+ if (ill != NULL)
+ ill_refrele(ill);
return (NULL);
}
@@ -1187,49 +1264,24 @@ rts_rtmget(mblk_t *mp, ire_t *ire, ire_t *sire, sa_family_t af)
ASSERT(af == AF_INET || af == AF_INET6);
switch (af) {
case AF_INET:
- if (sire == NULL) {
- rtm_flags = ire->ire_flags;
- rts_fill_msg(RTM_GET, rtm_addrs, ire->ire_addr,
- ire->ire_mask, ire->ire_src_addr, ire->ire_src_addr,
- ire->ire_ipif->ipif_pp_dst_addr, 0, ire->ire_ipif,
- new_mp, sacnt, gc);
- } else {
- if (sire->ire_flags & RTF_SETSRC)
- rtm_addrs |= RTA_SRC;
-
- rtm_flags = sire->ire_flags;
- rts_fill_msg(RTM_GET, rtm_addrs, sire->ire_addr,
- sire->ire_mask, sire->ire_gateway_addr,
- (sire->ire_flags & RTF_SETSRC) ?
- sire->ire_src_addr : ire->ire_src_addr,
- ire->ire_ipif->ipif_pp_dst_addr,
- 0, ire->ire_ipif, new_mp, sacnt, gc);
- }
+ IN6_V4MAPPED_TO_IPADDR(setsrc, v4setsrc);
+ if (v4setsrc != INADDR_ANY)
+ rtm_addrs |= RTA_SRC;
+
+ rtm_flags = ire->ire_flags;
+ rts_fill_msg(RTM_GET, rtm_addrs, ire->ire_addr,
+ ire->ire_mask, ire->ire_gateway_addr, v4setsrc,
+ brdaddr, 0, ifaddr, ill, new_mp, gc);
break;
case AF_INET6:
- if (sire == NULL) {
- rtm_flags = ire->ire_flags;
- rts_fill_msg_v6(RTM_GET, rtm_addrs, &ire->ire_addr_v6,
- &ire->ire_mask_v6, &ire->ire_src_addr_v6,
- &ire->ire_src_addr_v6,
- &ire->ire_ipif->ipif_v6pp_dst_addr,
- &ipv6_all_zeros, ire->ire_ipif, new_mp,
- sacnt, gc);
- } else {
- if (sire->ire_flags & RTF_SETSRC)
- rtm_addrs |= RTA_SRC;
-
- rtm_flags = sire->ire_flags;
- mutex_enter(&sire->ire_lock);
- gw_addr_v6 = sire->ire_gateway_addr_v6;
- mutex_exit(&sire->ire_lock);
- rts_fill_msg_v6(RTM_GET, rtm_addrs, &sire->ire_addr_v6,
- &sire->ire_mask_v6, &gw_addr_v6,
- (sire->ire_flags & RTF_SETSRC) ?
- &sire->ire_src_addr_v6 : &ire->ire_src_addr_v6,
- &ire->ire_ipif->ipif_v6pp_dst_addr, &ipv6_all_zeros,
- ire->ire_ipif, new_mp, sacnt, gc);
- }
+ if (!IN6_IS_ADDR_UNSPECIFIED(setsrc))
+ rtm_addrs |= RTA_SRC;
+
+ rtm_flags = ire->ire_flags;
+ rts_fill_msg_v6(RTM_GET, rtm_addrs, &ire->ire_addr_v6,
+ &ire->ire_mask_v6, &ire->ire_gateway_addr_v6,
+ setsrc, &brdaddr6, &ipv6_all_zeros,
+ &ifaddr6, ill, new_mp, gc);
break;
}
@@ -1259,11 +1311,9 @@ rts_rtmget(mblk_t *mp, ire_t *ire, ire_t *sire, sa_family_t af)
new_rtm->rtm_use = rtm->rtm_use;
new_rtm->rtm_addrs = rtm_addrs;
new_rtm->rtm_flags = rtm_flags;
- if (sire == NULL)
- new_rtm->rtm_inits = rts_getmetrics(ire, &new_rtm->rtm_rmx);
- else
- new_rtm->rtm_inits = rts_getmetrics(sire, &new_rtm->rtm_rmx);
-
+ new_rtm->rtm_inits = rts_getmetrics(ire, &new_rtm->rtm_rmx);
+ if (ill != NULL)
+ ill_refrele(ill);
return (new_mp);
}
@@ -1273,10 +1323,11 @@ rts_rtmget(mblk_t *mp, ire_t *ire, ire_t *sire, sa_family_t af)
static void
rts_getifdata(if_data_t *if_data, const ipif_t *ipif)
{
- if_data->ifi_type = ipif->ipif_type; /* ethernet, tokenring, etc */
+ if_data->ifi_type = ipif->ipif_ill->ill_type;
+ /* ethernet, tokenring, etc */
if_data->ifi_addrlen = 0; /* media address length */
if_data->ifi_hdrlen = 0; /* media header length */
- if_data->ifi_mtu = ipif->ipif_mtu; /* maximum transmission unit */
+ if_data->ifi_mtu = ipif->ipif_ill->ill_mtu; /* mtu */
if_data->ifi_metric = ipif->ipif_metric; /* metric (external only) */
if_data->ifi_baudrate = 0; /* linespeed */
@@ -1302,18 +1353,19 @@ rts_setmetrics(ire_t *ire, uint_t which, rt_metrics_t *metrics)
{
clock_t rtt;
clock_t rtt_sd;
- ipif_t *ipif;
+ ill_t *ill;
ifrt_t *ifrt;
mblk_t *mp;
in6_addr_t gw_addr_v6;
+ /* Need to add back some metrics to the IRE? */
/*
- * Bypass obtaining the lock and searching ipif_saved_ire_mp in the
+ * Bypass obtaining the lock and searching ill_saved_ire_mp in the
* common case of no metrics.
*/
if (which == 0)
return;
- ire->ire_uinfo.iulp_set = B_TRUE;
+ ire->ire_metrics.iulp_set = B_TRUE;
/*
* iulp_rtt and iulp_rtt_sd are in milliseconds, but 4.4BSD-Lite2's
@@ -1330,42 +1382,41 @@ rts_setmetrics(ire_t *ire, uint_t which, rt_metrics_t *metrics)
*/
mutex_enter(&ire->ire_lock);
if (which & RTV_MTU)
- ire->ire_max_frag = metrics->rmx_mtu;
+ ire->ire_metrics.iulp_mtu = metrics->rmx_mtu;
if (which & RTV_RTT)
- ire->ire_uinfo.iulp_rtt = rtt;
+ ire->ire_metrics.iulp_rtt = rtt;
if (which & RTV_SSTHRESH)
- ire->ire_uinfo.iulp_ssthresh = metrics->rmx_ssthresh;
+ ire->ire_metrics.iulp_ssthresh = metrics->rmx_ssthresh;
if (which & RTV_RTTVAR)
- ire->ire_uinfo.iulp_rtt_sd = rtt_sd;
+ ire->ire_metrics.iulp_rtt_sd = rtt_sd;
if (which & RTV_SPIPE)
- ire->ire_uinfo.iulp_spipe = metrics->rmx_sendpipe;
+ ire->ire_metrics.iulp_spipe = metrics->rmx_sendpipe;
if (which & RTV_RPIPE)
- ire->ire_uinfo.iulp_rpipe = metrics->rmx_recvpipe;
+ ire->ire_metrics.iulp_rpipe = metrics->rmx_recvpipe;
mutex_exit(&ire->ire_lock);
/*
- * Search through the ifrt_t chain hanging off the IPIF in order to
+ * Search through the ifrt_t chain hanging off the ILL in order to
* reflect the metric change there.
*/
- ipif = ire->ire_ipif;
- if (ipif == NULL)
+ ill = ire->ire_ill;
+ if (ill == NULL)
return;
- ASSERT((ipif->ipif_isv6 && ire->ire_ipversion == IPV6_VERSION) ||
- ((!ipif->ipif_isv6 && ire->ire_ipversion == IPV4_VERSION)));
- if (ipif->ipif_isv6) {
+ ASSERT((ill->ill_isv6 && ire->ire_ipversion == IPV6_VERSION) ||
+ ((!ill->ill_isv6 && ire->ire_ipversion == IPV4_VERSION)));
+ if (ill->ill_isv6) {
mutex_enter(&ire->ire_lock);
gw_addr_v6 = ire->ire_gateway_addr_v6;
mutex_exit(&ire->ire_lock);
}
- mutex_enter(&ipif->ipif_saved_ire_lock);
- for (mp = ipif->ipif_saved_ire_mp; mp != NULL; mp = mp->b_cont) {
+ mutex_enter(&ill->ill_saved_ire_lock);
+ for (mp = ill->ill_saved_ire_mp; mp != NULL; mp = mp->b_cont) {
/*
- * On a given ipif, the triple of address, gateway and mask is
- * unique for each saved IRE (in the case of ordinary interface
- * routes, the gateway address is all-zeroes).
+ * On a given ill, the tuple of address, gateway, mask,
+ * ire_type and zoneid unique for each saved IRE.
*/
ifrt = (ifrt_t *)mp->b_rptr;
- if (ipif->ipif_isv6) {
+ if (ill->ill_isv6) {
if (!IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6addr,
&ire->ire_addr_v6) ||
!IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6gateway_addr,
@@ -1379,23 +1430,36 @@ rts_setmetrics(ire_t *ire, uint_t which, rt_metrics_t *metrics)
ifrt->ifrt_mask != ire->ire_mask)
continue;
}
+ if (ifrt->ifrt_zoneid != ire->ire_zoneid ||
+ ifrt->ifrt_type != ire->ire_type)
+ continue;
+
if (which & RTV_MTU)
- ifrt->ifrt_max_frag = metrics->rmx_mtu;
+ ifrt->ifrt_metrics.iulp_mtu = metrics->rmx_mtu;
if (which & RTV_RTT)
- ifrt->ifrt_iulp_info.iulp_rtt = rtt;
+ ifrt->ifrt_metrics.iulp_rtt = rtt;
if (which & RTV_SSTHRESH) {
- ifrt->ifrt_iulp_info.iulp_ssthresh =
+ ifrt->ifrt_metrics.iulp_ssthresh =
metrics->rmx_ssthresh;
}
if (which & RTV_RTTVAR)
- ifrt->ifrt_iulp_info.iulp_rtt_sd = metrics->rmx_rttvar;
+ ifrt->ifrt_metrics.iulp_rtt_sd = metrics->rmx_rttvar;
if (which & RTV_SPIPE)
- ifrt->ifrt_iulp_info.iulp_spipe = metrics->rmx_sendpipe;
+ ifrt->ifrt_metrics.iulp_spipe = metrics->rmx_sendpipe;
if (which & RTV_RPIPE)
- ifrt->ifrt_iulp_info.iulp_rpipe = metrics->rmx_recvpipe;
+ ifrt->ifrt_metrics.iulp_rpipe = metrics->rmx_recvpipe;
break;
}
- mutex_exit(&ipif->ipif_saved_ire_lock);
+ mutex_exit(&ill->ill_saved_ire_lock);
+
+ /*
+ * Update any IRE_IF_CLONE hanging created from this IRE_IF so they
+ * get any new iulp_mtu.
+ * We do that by deleting them; ire_create_if_clone will pick
+ * up the new metrics.
+ */
+ if ((ire->ire_type & IRE_INTERFACE) && ire->ire_dep_children != 0)
+ ire_dep_delete_if_clone(ire);
}
/*
@@ -1407,27 +1471,69 @@ rts_getmetrics(ire_t *ire, rt_metrics_t *metrics)
int metrics_set = 0;
bzero(metrics, sizeof (rt_metrics_t));
+
/*
* iulp_rtt and iulp_rtt_sd are in milliseconds, but 4.4BSD-Lite2's
* <net/route.h> says: rmx_rtt and rmx_rttvar are stored as
* microseconds.
*/
- metrics->rmx_rtt = ire->ire_uinfo.iulp_rtt * 1000;
+ metrics->rmx_rtt = ire->ire_metrics.iulp_rtt * 1000;
metrics_set |= RTV_RTT;
- metrics->rmx_mtu = ire->ire_max_frag;
+ metrics->rmx_mtu = ire->ire_metrics.iulp_mtu;
metrics_set |= RTV_MTU;
- metrics->rmx_ssthresh = ire->ire_uinfo.iulp_ssthresh;
+ metrics->rmx_ssthresh = ire->ire_metrics.iulp_ssthresh;
metrics_set |= RTV_SSTHRESH;
- metrics->rmx_rttvar = ire->ire_uinfo.iulp_rtt_sd * 1000;
+ metrics->rmx_rttvar = ire->ire_metrics.iulp_rtt_sd * 1000;
metrics_set |= RTV_RTTVAR;
- metrics->rmx_sendpipe = ire->ire_uinfo.iulp_spipe;
+ metrics->rmx_sendpipe = ire->ire_metrics.iulp_spipe;
metrics_set |= RTV_SPIPE;
- metrics->rmx_recvpipe = ire->ire_uinfo.iulp_rpipe;
+ metrics->rmx_recvpipe = ire->ire_metrics.iulp_rpipe;
metrics_set |= RTV_RPIPE;
return (metrics_set);
}
/*
+ * Given two sets of metrics (src and dst), use the dst values if they are
+ * set. If a dst value is not set but the src value is set, then we use
+ * the src value.
+ * dst is updated with the new values.
+ * This is used to merge information from a dce_t and ire_metrics, where the
+ * dce values takes precedence.
+ */
+void
+rts_merge_metrics(iulp_t *dst, const iulp_t *src)
+{
+ if (!src->iulp_set)
+ return;
+
+ if (dst->iulp_ssthresh == 0)
+ dst->iulp_ssthresh = src->iulp_ssthresh;
+ if (dst->iulp_rtt == 0)
+ dst->iulp_rtt = src->iulp_rtt;
+ if (dst->iulp_rtt_sd == 0)
+ dst->iulp_rtt_sd = src->iulp_rtt_sd;
+ if (dst->iulp_spipe == 0)
+ dst->iulp_spipe = src->iulp_spipe;
+ if (dst->iulp_rpipe == 0)
+ dst->iulp_rpipe = src->iulp_rpipe;
+ if (dst->iulp_rtomax == 0)
+ dst->iulp_rtomax = src->iulp_rtomax;
+ if (dst->iulp_sack == 0)
+ dst->iulp_sack = src->iulp_sack;
+ if (dst->iulp_tstamp_ok == 0)
+ dst->iulp_tstamp_ok = src->iulp_tstamp_ok;
+ if (dst->iulp_wscale_ok == 0)
+ dst->iulp_wscale_ok = src->iulp_wscale_ok;
+ if (dst->iulp_ecn_ok == 0)
+ dst->iulp_ecn_ok = src->iulp_ecn_ok;
+ if (dst->iulp_pmtud_ok == 0)
+ dst->iulp_pmtud_ok = src->iulp_pmtud_ok;
+ if (dst->iulp_mtu == 0)
+ dst->iulp_mtu = src->iulp_mtu;
+}
+
+
+/*
* Takes a pointer to a routing message and extracts necessary info by looking
* at the rtm->rtm_addrs bits and store the requested sockaddrs in the pointers
* passed (all of which must be valid).
@@ -1552,7 +1658,8 @@ rts_getaddrs(rt_msghdr_t *rtm, in6_addr_t *dst_addrp, in6_addr_t *gw_addrp,
static void
rts_fill_msg(int type, int rtm_addrs, ipaddr_t dst, ipaddr_t mask,
ipaddr_t gateway, ipaddr_t src_addr, ipaddr_t brd_addr, ipaddr_t author,
- const ipif_t *ipif, mblk_t *mp, uint_t sacnt, const tsol_gc_t *gc)
+ ipaddr_t ifaddr, const ill_t *ill, mblk_t *mp,
+ const tsol_gc_t *gc)
{
rt_msghdr_t *rtm;
sin_t *sin;
@@ -1561,7 +1668,6 @@ rts_fill_msg(int type, int rtm_addrs, ipaddr_t dst, ipaddr_t mask,
int i;
ASSERT(mp != NULL);
- ASSERT(sacnt == 0 || gc != NULL);
/*
* First find the type of the message
* and its length.
@@ -1571,7 +1677,7 @@ rts_fill_msg(int type, int rtm_addrs, ipaddr_t dst, ipaddr_t mask,
* Now find the size of the data
* that follows the message header.
*/
- data_size = rts_data_msg_size(rtm_addrs, AF_INET, sacnt);
+ data_size = rts_data_msg_size(rtm_addrs, AF_INET, gc != NULL ? 1 : 0);
rtm = (rt_msghdr_t *)mp->b_rptr;
mp->b_wptr = &mp->b_rptr[header_size];
@@ -1596,9 +1702,13 @@ rts_fill_msg(int type, int rtm_addrs, ipaddr_t dst, ipaddr_t mask,
cp += sizeof (sin_t);
break;
case RTA_IFP:
- cp += ill_dls_info((struct sockaddr_dl *)cp, ipif);
+ cp += ill_dls_info((struct sockaddr_dl *)cp, ill);
break;
case RTA_IFA:
+ sin->sin_addr.s_addr = ifaddr;
+ sin->sin_family = AF_INET;
+ cp += sizeof (sin_t);
+ break;
case RTA_SRC:
sin->sin_addr.s_addr = src_addr;
sin->sin_family = AF_INET;
@@ -1625,24 +1735,20 @@ rts_fill_msg(int type, int rtm_addrs, ipaddr_t dst, ipaddr_t mask,
rtm_ext_t *rtm_ext;
struct rtsa_s *rp_dst;
tsol_rtsecattr_t *rsap;
- int i;
ASSERT(gc->gc_grp != NULL);
ASSERT(RW_LOCK_HELD(&gc->gc_grp->gcgrp_rwlock));
- ASSERT(sacnt > 0);
rtm_ext = (rtm_ext_t *)cp;
rtm_ext->rtmex_type = RTMEX_GATEWAY_SECATTR;
- rtm_ext->rtmex_len = TSOL_RTSECATTR_SIZE(sacnt);
+ rtm_ext->rtmex_len = TSOL_RTSECATTR_SIZE(1);
rsap = (tsol_rtsecattr_t *)(rtm_ext + 1);
- rsap->rtsa_cnt = sacnt;
+ rsap->rtsa_cnt = 1;
rp_dst = rsap->rtsa_attr;
- for (i = 0; i < sacnt; i++, gc = gc->gc_next, rp_dst++) {
- ASSERT(gc->gc_db != NULL);
- bcopy(&gc->gc_db->gcdb_attr, rp_dst, sizeof (*rp_dst));
- }
+ ASSERT(gc->gc_db != NULL);
+ bcopy(&gc->gc_db->gcdb_attr, rp_dst, sizeof (*rp_dst));
cp = (uchar_t *)rp_dst;
}
@@ -1659,6 +1765,7 @@ rts_fill_msg(int type, int rtm_addrs, ipaddr_t dst, ipaddr_t mask,
/*
* Allocates and initializes a routing socket message.
+ * Note that sacnt is either zero or one.
*/
mblk_t *
rts_alloc_msg(int type, int rtm_addrs, sa_family_t af, uint_t sacnt)
@@ -1755,7 +1862,7 @@ ip_rts_change(int type, ipaddr_t dst_addr, ipaddr_t gw_addr, ipaddr_t net_mask,
if (mp == NULL)
return;
rts_fill_msg(type, rtm_addrs, dst_addr, net_mask, gw_addr, source, 0,
- author, NULL, mp, 0, NULL);
+ author, 0, NULL, mp, NULL);
rtm = (rt_msghdr_t *)mp->b_rptr;
rtm->rtm_flags = flags;
rtm->rtm_errno = error;
@@ -1784,12 +1891,12 @@ ip_rts_xifmsg(const ipif_t *ipif, uint64_t set, uint64_t clear, uint_t flags)
ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
/*
- * This message should be generated only when the physical interface
- * is changing state.
+ * This message should be generated only
+ * when the physical device is changing
+ * state.
*/
if (ipif->ipif_id != 0)
return;
-
if (ipif->ipif_isv6) {
af = AF_INET6;
mp = rts_alloc_msg(RTM_IFINFO, RTA_IFP, af, 0);
@@ -1797,14 +1904,15 @@ ip_rts_xifmsg(const ipif_t *ipif, uint64_t set, uint64_t clear, uint_t flags)
return;
rts_fill_msg_v6(RTM_IFINFO, RTA_IFP, &ipv6_all_zeros,
&ipv6_all_zeros, &ipv6_all_zeros, &ipv6_all_zeros,
- &ipv6_all_zeros, &ipv6_all_zeros, ipif, mp, 0, NULL);
+ &ipv6_all_zeros, &ipv6_all_zeros, &ipv6_all_zeros,
+ ipif->ipif_ill, mp, NULL);
} else {
af = AF_INET;
mp = rts_alloc_msg(RTM_IFINFO, RTA_IFP, af, 0);
if (mp == NULL)
return;
- rts_fill_msg(RTM_IFINFO, RTA_IFP, 0, 0, 0, 0, 0, 0, ipif, mp,
- 0, NULL);
+ rts_fill_msg(RTM_IFINFO, RTA_IFP, 0, 0, 0, 0, 0, 0, 0,
+ ipif->ipif_ill, mp, NULL);
}
ifm = (if_msghdr_t *)mp->b_rptr;
ifm->ifm_index = ipif->ipif_ill->ill_phyint->phyint_ifindex;
@@ -1843,6 +1951,12 @@ ip_rts_newaddrmsg(int cmd, int error, const ipif_t *ipif, uint_t flags)
sa_family_t af;
ip_stack_t *ipst = ipif->ipif_ill->ill_ipst;
+ /*
+ * Let conn_ixa caching know that source address selection
+ * changed
+ */
+ ip_update_source_selection(ipst);
+
if (ipif->ipif_isv6)
af = AF_INET6;
else
@@ -1875,15 +1989,17 @@ ip_rts_newaddrmsg(int cmd, int error, const ipif_t *ipif, uint_t flags)
case AF_INET:
rts_fill_msg(ncmd, rtm_addrs, 0,
ipif->ipif_net_mask, 0, ipif->ipif_lcl_addr,
- ipif->ipif_pp_dst_addr, 0, ipif, mp,
- 0, NULL);
+ ipif->ipif_pp_dst_addr, 0,
+ ipif->ipif_lcl_addr, ipif->ipif_ill,
+ mp, NULL);
break;
case AF_INET6:
rts_fill_msg_v6(ncmd, rtm_addrs,
&ipv6_all_zeros, &ipif->ipif_v6net_mask,
&ipv6_all_zeros, &ipif->ipif_v6lcl_addr,
&ipif->ipif_v6pp_dst_addr, &ipv6_all_zeros,
- ipif, mp, 0, NULL);
+ &ipif->ipif_v6lcl_addr, ipif->ipif_ill,
+ mp, NULL);
break;
}
ifam = (ifa_msghdr_t *)mp->b_rptr;
@@ -1904,14 +2020,15 @@ ip_rts_newaddrmsg(int cmd, int error, const ipif_t *ipif, uint_t flags)
case AF_INET:
rts_fill_msg(cmd, rtm_addrs,
ipif->ipif_lcl_addr, ipif->ipif_net_mask, 0,
- 0, 0, 0, NULL, mp, 0, NULL);
+ 0, 0, 0, 0, NULL, mp, NULL);
break;
case AF_INET6:
rts_fill_msg_v6(cmd, rtm_addrs,
&ipif->ipif_v6lcl_addr,
&ipif->ipif_v6net_mask, &ipv6_all_zeros,
&ipv6_all_zeros, &ipv6_all_zeros,
- &ipv6_all_zeros, NULL, mp, 0, NULL);
+ &ipv6_all_zeros, &ipv6_all_zeros,
+ NULL, mp, NULL);
break;
}
rtm = (rt_msghdr_t *)mp->b_rptr;
diff --git a/usr/src/uts/common/inet/ip/ip_sadb.c b/usr/src/uts/common/inet/ip/ip_sadb.c
index 35b822902a..e099d04427 100644
--- a/usr/src/uts/common/inet/ip/ip_sadb.c
+++ b/usr/src/uts/common/inet/ip/ip_sadb.c
@@ -36,7 +36,6 @@
#include <inet/ip6.h>
#include <net/pfkeyv2.h>
-#include <inet/ipsec_info.h>
#include <inet/sadb.h>
#include <inet/ipsec_impl.h>
#include <inet/ipdrop.h>
@@ -57,35 +56,21 @@ ipsec_match_outbound_ids(ipsec_latch_t *ipl, ipsa_t *sa)
ipsid_equal(ipl->ipl_remote_cid, sa->ipsa_dst_cid);
}
-/* cr1 is packet cred; cr2 is SA credential */
+/* l1 is packet label; l2 is SA label */
boolean_t
-ipsec_label_match(cred_t *cr1, cred_t *cr2)
+ipsec_label_match(ts_label_t *l1, ts_label_t *l2)
{
- ts_label_t *l1, *l2;
-
if (!is_system_labeled())
return (B_TRUE);
/*
- * Check for NULL creds. Unlabeled SA always matches;
+ * Check for NULL label. Unlabeled SA (l2) always matches;
* unlabeled user with labeled SA always fails
*/
- if (cr2 == NULL)
+ if (l2 == NULL)
return (B_TRUE);
- if (cr1 == NULL)
- return (B_FALSE);
-
- /* If we reach here, we have two passed-in creds. */
- ASSERT(cr2 != NULL && cr1 != NULL);
-
- /* Check for NULL labels. Two is good, one is bad, zero is good. */
- l1 = crgetlabel(cr1);
- l2 = crgetlabel(cr2);
if (l1 == NULL)
- return (l2 == NULL);
-
- if (l2 == NULL)
return (B_FALSE);
/* Simple IPsec MLS policy: labels must be equal */
@@ -109,32 +94,32 @@ ipsec_label_match(cred_t *cr1, cred_t *cr2)
* The SA ptr I return will have its reference count incremented by one.
*/
ipsa_t *
-ipsec_getassocbyconn(isaf_t *bucket, ipsec_out_t *io, uint32_t *src,
- uint32_t *dst, sa_family_t af, uint8_t protocol, cred_t *cr)
+ipsec_getassocbyconn(isaf_t *bucket, ip_xmit_attr_t *ixa, uint32_t *src,
+ uint32_t *dst, sa_family_t af, uint8_t protocol, ts_label_t *tsl)
{
ipsa_t *retval, *candidate;
ipsec_action_t *candact;
boolean_t need_unique;
- boolean_t tunnel_mode = io->ipsec_out_tunnel;
+ boolean_t tunnel_mode = (ixa->ixa_flags & IXAF_IPSEC_TUNNEL);
uint64_t unique_id;
uint32_t old_flags, excludeflags;
- ipsec_policy_t *pp = io->ipsec_out_policy;
- ipsec_action_t *actlist = io->ipsec_out_act;
+ ipsec_policy_t *pp = ixa->ixa_ipsec_policy;
+ ipsec_action_t *actlist = ixa->ixa_ipsec_action;
ipsec_action_t *act;
- ipsec_latch_t *ipl = io->ipsec_out_latch;
+ ipsec_latch_t *ipl = ixa->ixa_ipsec_latch;
ipsa_ref_t *ipr = NULL;
- sa_family_t inaf = io->ipsec_out_inaf;
- uint32_t *insrc = io->ipsec_out_insrc;
- uint32_t *indst = io->ipsec_out_indst;
- uint8_t insrcpfx = io->ipsec_out_insrcpfx;
- uint8_t indstpfx = io->ipsec_out_indstpfx;
+ sa_family_t inaf = ixa->ixa_ipsec_inaf;
+ uint32_t *insrc = ixa->ixa_ipsec_insrc;
+ uint32_t *indst = ixa->ixa_ipsec_indst;
+ uint8_t insrcpfx = ixa->ixa_ipsec_insrcpfx;
+ uint8_t indstpfx = ixa->ixa_ipsec_indstpfx;
ASSERT(MUTEX_HELD(&bucket->isaf_lock));
/*
- * Caller must set ipsec_out_t structure such that we know
+ * Caller must set ip_xmit_attr_t structure such that we know
* whether this is tunnel mode or transport mode based on
- * io->ipsec_out_tunnel. If this flag is set, we assume that
+ * IXAF_IPSEC_TUNNEL. If this flag is set, we assume that
* there are valid inner src and destination addresses to compare.
*/
@@ -145,7 +130,7 @@ ipsec_getassocbyconn(isaf_t *bucket, ipsec_out_t *io, uint32_t *src,
if (ipl != NULL) {
ASSERT((protocol == IPPROTO_AH) || (protocol == IPPROTO_ESP));
- ipr = &ipl->ipl_ref[protocol - IPPROTO_ESP];
+ ipr = &ixa->ixa_ipsec_ref[protocol - IPPROTO_ESP];
retval = ipr->ipsr_sa;
@@ -169,7 +154,7 @@ ipsec_getassocbyconn(isaf_t *bucket, ipsec_out_t *io, uint32_t *src,
ASSERT(actlist != NULL);
need_unique = actlist->ipa_want_unique;
- unique_id = SA_FORM_UNIQUE_ID(io);
+ unique_id = SA_FORM_UNIQUE_ID(ixa);
/*
* Precompute mask for SA flags comparison: If we need a
@@ -332,7 +317,7 @@ ipsec_getassocbyconn(isaf_t *bucket, ipsec_out_t *io, uint32_t *src,
/*
* Do labels match?
*/
- if (!ipsec_label_match(cr, retval->ipsa_cred))
+ if (!ipsec_label_match(tsl, retval->ipsa_tsl))
goto next_ipsa;
/*
@@ -451,10 +436,9 @@ next_ipsa:
ipsec_latch_ids(ipl,
retval->ipsa_src_cid, retval->ipsa_dst_cid);
}
- if (!ipl->ipl_out_action_latched) {
+ if (ixa->ixa_ipsec_action == NULL) {
IPACT_REFHOLD(act);
- ipl->ipl_out_action = act;
- ipl->ipl_out_action_latched = B_TRUE;
+ ixa->ixa_ipsec_action = act;
}
}
@@ -471,7 +455,7 @@ next_ipsa:
retval->ipsa_flags |= IPSA_F_UNIQUE;
retval->ipsa_unique_id = unique_id;
retval->ipsa_unique_mask = SA_UNIQUE_MASK(
- io->ipsec_out_src_port, io->ipsec_out_dst_port,
+ ixa->ixa_ipsec_src_port, ixa->ixa_ipsec_dst_port,
protocol, 0);
}
@@ -581,45 +565,41 @@ ipsec_getassocbyspi(isaf_t *bucket, uint32_t spi, uint32_t *src, uint32_t *dst,
}
boolean_t
-ipsec_outbound_sa(mblk_t *mp, uint_t proto)
+ipsec_outbound_sa(mblk_t *data_mp, ip_xmit_attr_t *ixa, uint_t proto)
{
- mblk_t *data_mp;
- ipsec_out_t *io;
ipaddr_t dst;
uint32_t *dst_ptr, *src_ptr;
isaf_t *bucket;
ipsa_t *assoc;
- ip6_pkt_t ipp;
+ ip_pkt_t ipp;
in6_addr_t dst6;
ipsa_t **sa;
sadbp_t *sadbp;
sadb_t *sp;
sa_family_t af;
- cred_t *cr;
- netstack_t *ns;
+ ip_stack_t *ipst = ixa->ixa_ipst;
+ netstack_t *ns = ipst->ips_netstack;
- data_mp = mp->b_cont;
- io = (ipsec_out_t *)mp->b_rptr;
- ns = io->ipsec_out_ns;
+ ASSERT(ixa->ixa_flags & IXAF_IPSEC_SECURE);
if (proto == IPPROTO_ESP) {
ipsecesp_stack_t *espstack;
espstack = ns->netstack_ipsecesp;
- sa = &io->ipsec_out_esp_sa;
+ sa = &ixa->ixa_ipsec_esp_sa;
sadbp = &espstack->esp_sadb;
} else {
ipsecah_stack_t *ahstack;
ASSERT(proto == IPPROTO_AH);
ahstack = ns->netstack_ipsecah;
- sa = &io->ipsec_out_ah_sa;
+ sa = &ixa->ixa_ipsec_ah_sa;
sadbp = &ahstack->ah_sadb;
}
ASSERT(*sa == NULL);
- if (io->ipsec_out_v4) {
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
ipha_t *ipha = (ipha_t *)data_mp->b_rptr;
ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
@@ -651,11 +631,9 @@ ipsec_outbound_sa(mblk_t *mp, uint_t proto)
dst_ptr = (uint32_t *)&dst6;
}
- cr = msg_getcred(data_mp, NULL);
-
mutex_enter(&bucket->isaf_lock);
- assoc = ipsec_getassocbyconn(bucket, io, src_ptr, dst_ptr, af,
- proto, cr);
+ assoc = ipsec_getassocbyconn(bucket, ixa, src_ptr, dst_ptr, af,
+ proto, ixa->ixa_tsl);
mutex_exit(&bucket->isaf_lock);
if (assoc == NULL)
@@ -674,17 +652,16 @@ ipsec_outbound_sa(mblk_t *mp, uint_t proto)
/*
* Inbound IPsec SA selection.
+ * Can return a pulled up mblk.
+ * When it returns non-NULL ahp is updated
*/
-
-ah_t *
-ipsec_inbound_ah_sa(mblk_t *mp, netstack_t *ns)
+mblk_t *
+ipsec_inbound_ah_sa(mblk_t *mp, ip_recv_attr_t *ira, ah_t **ahp)
{
- mblk_t *ipsec_in;
ipha_t *ipha;
ipsa_t *assoc;
ah_t *ah;
isaf_t *hptr;
- ipsec_in_t *ii;
boolean_t isv6;
ip6_t *ip6h;
int ah_offset;
@@ -692,20 +669,13 @@ ipsec_inbound_ah_sa(mblk_t *mp, netstack_t *ns)
int pullup_len;
sadb_t *sp;
sa_family_t af;
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
ipsec_stack_t *ipss = ns->netstack_ipsec;
ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
IP_AH_BUMP_STAT(ipss, in_requests);
- ASSERT(mp->b_datap->db_type == M_CTL);
-
- ipsec_in = mp;
- ii = (ipsec_in_t *)ipsec_in->b_rptr;
- mp = mp->b_cont;
-
- ASSERT(mp->b_datap->db_type == M_DATA);
-
- isv6 = !ii->ipsec_in_v4;
+ isv6 = !(ira->ira_flags & IRAF_IS_IPV4);
if (isv6) {
ip6h = (ip6_t *)mp->b_rptr;
ah_offset = ipsec_ah_get_hdr_size_v6(mp, B_TRUE);
@@ -729,7 +699,7 @@ ipsec_inbound_ah_sa(mblk_t *mp, netstack_t *ns)
SL_WARN | SL_ERROR,
"ipsec_inbound_ah_sa: Small AH header\n");
IP_AH_BUMP_STAT(ipss, in_discards);
- ip_drop_packet(ipsec_in, B_TRUE, NULL, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_bad_length),
&ipss->ipsec_dropper);
return (NULL);
@@ -763,11 +733,11 @@ ipsec_inbound_ah_sa(mblk_t *mp, netstack_t *ns)
assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) {
IP_AH_BUMP_STAT(ipss, lookup_failure);
IP_AH_BUMP_STAT(ipss, in_discards);
- ipsecah_in_assocfailure(ipsec_in, 0,
+ ipsecah_in_assocfailure(mp, 0,
SL_ERROR | SL_CONSOLE | SL_WARN,
"ipsec_inbound_ah_sa: No association found for "
"spi 0x%x, dst addr %s\n",
- ah->ah_spi, dst_ptr, af, ahstack);
+ ah->ah_spi, dst_ptr, af, ira);
if (assoc != NULL) {
IPSA_REFRELE(assoc);
}
@@ -775,33 +745,44 @@ ipsec_inbound_ah_sa(mblk_t *mp, netstack_t *ns)
}
if (assoc->ipsa_state == IPSA_STATE_LARVAL &&
- sadb_set_lpkt(assoc, ipsec_in, ns)) {
+ sadb_set_lpkt(assoc, mp, ira)) {
/* Not fully baked; swap the packet under a rock until then */
IPSA_REFRELE(assoc);
return (NULL);
}
+ /* Are the IPsec fields initialized at all? */
+ if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
+ ira->ira_ipsec_action = NULL;
+ ira->ira_ipsec_ah_sa = NULL;
+ ira->ira_ipsec_esp_sa = NULL;
+ }
+
/*
* Save a reference to the association so that it can
* be retrieved after execution. We free any AH SA reference
* already there (innermost SA "wins". The reference to
* the SA will also be used later when doing the policy checks.
*/
-
- if (ii->ipsec_in_ah_sa != NULL) {
- IPSA_REFRELE(ii->ipsec_in_ah_sa);
+ if (ira->ira_ipsec_ah_sa != NULL) {
+ IPSA_REFRELE(ira->ira_ipsec_ah_sa);
}
- ii->ipsec_in_ah_sa = assoc;
+ ira->ira_flags |= IRAF_IPSEC_SECURE;
+ ira->ira_ipsec_ah_sa = assoc;
- return (ah);
+ *ahp = ah;
+ return (mp);
}
-esph_t *
-ipsec_inbound_esp_sa(mblk_t *ipsec_in_mp, netstack_t *ns)
+/*
+ * Can return a pulled up mblk.
+ * When it returns non-NULL esphp is updated
+ */
+mblk_t *
+ipsec_inbound_esp_sa(mblk_t *data_mp, ip_recv_attr_t *ira, esph_t **esphp)
{
- mblk_t *data_mp, *placeholder;
+ mblk_t *placeholder;
uint32_t *src_ptr, *dst_ptr;
- ipsec_in_t *ii;
ipha_t *ipha;
ip6_t *ip6h;
esph_t *esph;
@@ -811,19 +792,13 @@ ipsec_inbound_esp_sa(mblk_t *ipsec_in_mp, netstack_t *ns)
sa_family_t af;
boolean_t isv6;
sadb_t *sp;
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
ipsec_stack_t *ipss = ns->netstack_ipsec;
ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
IP_ESP_BUMP_STAT(ipss, in_requests);
- ASSERT(ipsec_in_mp->b_datap->db_type == M_CTL);
-
- /* We have IPSEC_IN already! */
- ii = (ipsec_in_t *)ipsec_in_mp->b_rptr;
- data_mp = ipsec_in_mp->b_cont;
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
-
- isv6 = !ii->ipsec_in_v4;
+ isv6 = !(ira->ira_flags & IRAF_IS_IPV4);
if (isv6) {
ip6h = (ip6_t *)data_mp->b_rptr;
} else {
@@ -841,17 +816,11 @@ ipsec_inbound_esp_sa(mblk_t *ipsec_in_mp, netstack_t *ns)
* actual packet length.
*/
if (data_mp->b_datap->db_ref > 1 ||
- (data_mp->b_wptr - data_mp->b_rptr) <
- (isv6 ? (ntohs(ip6h->ip6_plen) + sizeof (ip6_t))
- : ntohs(ipha->ipha_length))) {
+ (data_mp->b_wptr - data_mp->b_rptr) < ira->ira_pktlen) {
placeholder = msgpullup(data_mp, -1);
if (placeholder == NULL) {
IP_ESP_BUMP_STAT(ipss, in_discards);
- /*
- * TODO: Extract inbound interface from the IPSEC_IN
- * message's ii->ipsec_in_rill_index.
- */
- ip_drop_packet(ipsec_in_mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(data_mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_esp_nomem),
&ipss->ipsec_dropper);
return (NULL);
@@ -859,7 +828,6 @@ ipsec_inbound_esp_sa(mblk_t *ipsec_in_mp, netstack_t *ns)
/* Reset packet with new pulled up mblk. */
freemsg(data_mp);
data_mp = placeholder;
- ipsec_in_mp->b_cont = data_mp;
}
}
@@ -904,11 +872,11 @@ ipsec_inbound_esp_sa(mblk_t *ipsec_in_mp, netstack_t *ns)
/* This is a loggable error! AUDIT ME! */
IP_ESP_BUMP_STAT(ipss, lookup_failure);
IP_ESP_BUMP_STAT(ipss, in_discards);
- ipsecesp_in_assocfailure(ipsec_in_mp, 0,
+ ipsecesp_in_assocfailure(data_mp, 0,
SL_ERROR | SL_CONSOLE | SL_WARN,
"ipsec_inbound_esp_sa: No association found for "
"spi 0x%x, dst addr %s\n",
- esph->esph_spi, dst_ptr, af, espstack);
+ esph->esph_spi, dst_ptr, af, ira);
if (ipsa != NULL) {
IPSA_REFRELE(ipsa);
}
@@ -916,22 +884,31 @@ ipsec_inbound_esp_sa(mblk_t *ipsec_in_mp, netstack_t *ns)
}
if (ipsa->ipsa_state == IPSA_STATE_LARVAL &&
- sadb_set_lpkt(ipsa, ipsec_in_mp, ns)) {
+ sadb_set_lpkt(ipsa, data_mp, ira)) {
/* Not fully baked; swap the packet under a rock until then */
IPSA_REFRELE(ipsa);
return (NULL);
}
+ /* Are the IPsec fields initialized at all? */
+ if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
+ ira->ira_ipsec_action = NULL;
+ ira->ira_ipsec_ah_sa = NULL;
+ ira->ira_ipsec_esp_sa = NULL;
+ }
+
/*
* Save a reference to the association so that it can
* be retrieved after execution. We free any AH SA reference
* already there (innermost SA "wins". The reference to
* the SA will also be used later when doing the policy checks.
*/
- if (ii->ipsec_in_esp_sa != NULL) {
- IPSA_REFRELE(ii->ipsec_in_esp_sa);
+ if (ira->ira_ipsec_esp_sa != NULL) {
+ IPSA_REFRELE(ira->ira_ipsec_esp_sa);
}
- ii->ipsec_in_esp_sa = ipsa;
+ ira->ira_flags |= IRAF_IPSEC_SECURE;
+ ira->ira_ipsec_esp_sa = ipsa;
- return (esph);
+ *esphp = esph;
+ return (data_mp);
}
diff --git a/usr/src/uts/common/inet/ip/ip_srcid.c b/usr/src/uts/common/inet/ip/ip_srcid.c
index 949508a796..f6507d6413 100644
--- a/usr/src/uts/common/inet/ip/ip_srcid.c
+++ b/usr/src/uts/common/inet/ip/ip_srcid.c
@@ -101,11 +101,7 @@
#include <netinet/ip_mroute.h>
#include <inet/ipclassifier.h>
-#include <net/pfkeyv2.h>
-#include <inet/ipsec_info.h>
-#include <inet/sadb.h>
#include <sys/kmem.h>
-#include <inet/ipsec_impl.h>
static uint_t srcid_nextid(ip_stack_t *);
static srcid_map_t **srcid_lookup_addr(const in6_addr_t *addr,
@@ -239,7 +235,7 @@ ip_srcid_find_id(uint_t id, in6_addr_t *addr, zoneid_t zoneid,
rw_enter(&ipst->ips_srcid_lock, RW_READER);
smpp = srcid_lookup_id(id, ipst);
smp = *smpp;
- if (smp == NULL || smp->sm_zoneid != zoneid) {
+ if (smp == NULL || (smp->sm_zoneid != zoneid && zoneid != ALL_ZONES)) {
/* Not preset */
ip1dbg(("ip_srcid_find_id: unknown %u or in wrong zone\n", id));
*addr = ipv6_all_zeros;
@@ -290,7 +286,7 @@ srcid_lookup_addr(const in6_addr_t *addr, zoneid_t zoneid, ip_stack_t *ipst)
smpp = &ipst->ips_srcid_head;
while (*smpp != NULL) {
if (IN6_ARE_ADDR_EQUAL(&(*smpp)->sm_addr, addr) &&
- zoneid == (*smpp)->sm_zoneid)
+ (zoneid == (*smpp)->sm_zoneid || zoneid == ALL_ZONES))
return (smpp);
smpp = &(*smpp)->sm_next;
}
diff --git a/usr/src/uts/common/inet/ip/ipclassifier.c b/usr/src/uts/common/inet/ip/ipclassifier.c
index 45683ec967..31fa14b4af 100644
--- a/usr/src/uts/common/inet/ip/ipclassifier.c
+++ b/usr/src/uts/common/inet/ip/ipclassifier.c
@@ -52,16 +52,12 @@
* asynchronous and the reference protects the connection from being destroyed
* before its processing is finished).
*
- * send and receive functions are currently used for TCP only. The send function
- * determines the IP entry point for the packet once it leaves TCP to be sent to
- * the destination address. The receive function is used by IP when the packet
- * should be passed for TCP processing. When a new connection is created these
- * are set to ip_output() and tcp_input() respectively. During the lifetime of
- * the connection the send and receive functions may change depending on the
- * changes in the connection state. For example, Once the connection is bound to
- * an addresse, the receive function for this connection is set to
- * tcp_conn_request(). This allows incoming SYNs to go directly into the
- * listener SYN processing function without going to tcp_input() first.
+ * conn_recv is used to pass up packets to the ULP.
+ * For TCP conn_recv changes. It is tcp_input_listener_unbound initially for
+ * a listener, and changes to tcp_input_listener as the listener has picked a
+ * good squeue. For other cases it is set to tcp_input_data.
+ *
+ * conn_recvicmp is used to pass up ICMP errors to the ULP.
*
* Classifier uses several hash tables:
*
@@ -91,8 +87,8 @@
* Connection Lookup:
* ------------------
*
- * conn_t *ipcl_classify_v4(mp, protocol, hdr_len, zoneid, ip_stack)
- * conn_t *ipcl_classify_v6(mp, protocol, hdr_len, zoneid, ip_stack)
+ * conn_t *ipcl_classify_v4(mp, protocol, hdr_len, ira, ip_stack)
+ * conn_t *ipcl_classify_v6(mp, protocol, hdr_len, ira, ip_stack)
*
* Finds connection for an incoming IPv4 or IPv6 packet. Returns NULL if
* it can't find any associated connection. If the connection is found, its
@@ -107,9 +103,12 @@
* hdr_len: The size of IP header. It is used to find TCP or UDP header in
* the packet.
*
- * zoneid: The zone in which the returned connection must be; the zoneid
- * corresponding to the ire_zoneid on the IRE located for the
- * packet's destination address.
+ * ira->ira_zoneid: The zone in which the returned connection must be; the
+ * zoneid corresponding to the ire_zoneid on the IRE located for
+ * the packet's destination address.
+ *
+ * ira->ira_flags: Contains the IRAF_TX_MAC_EXEMPTABLE and
+ * IRAF_TX_SHARED_ADDR flags
*
* For TCP connections, the lookup order is as follows:
* 5-tuple {src, dst, protocol, local port, remote port}
@@ -156,7 +155,7 @@
* any. In any event, the receiving socket must have SO_MAC_EXEMPT set and the
* receiver's label must dominate the sender's default label.
*
- * conn_t *ipcl_tcp_lookup_reversed_ipv4(ipha_t *, tcph_t *, int, ip_stack);
+ * conn_t *ipcl_tcp_lookup_reversed_ipv4(ipha_t *, tcpha_t *, int, ip_stack);
* conn_t *ipcl_tcp_lookup_reversed_ipv6(ip6_t *, tcpha_t *, int, uint_t,
* ip_stack);
*
@@ -184,34 +183,26 @@
* Table Updates
* -------------
*
- * int ipcl_conn_insert(connp, protocol, src, dst, ports)
- * int ipcl_conn_insert_v6(connp, protocol, src, dst, ports, ifindex)
+ * int ipcl_conn_insert(connp);
+ * int ipcl_conn_insert_v4(connp);
+ * int ipcl_conn_insert_v6(connp);
*
* Insert 'connp' in the ipcl_conn_fanout.
* Arguements :
* connp conn_t to be inserted
- * protocol connection protocol
- * src source address
- * dst destination address
- * ports local and remote port
- * ifindex interface index for IPv6 connections
*
* Return value :
* 0 if connp was inserted
* EADDRINUSE if the connection with the same tuple
* already exists.
*
- * int ipcl_bind_insert(connp, protocol, src, lport);
- * int ipcl_bind_insert_v6(connp, protocol, src, lport);
+ * int ipcl_bind_insert(connp);
+ * int ipcl_bind_insert_v4(connp);
+ * int ipcl_bind_insert_v6(connp);
*
* Insert 'connp' in ipcl_bind_fanout.
* Arguements :
* connp conn_t to be inserted
- * protocol connection protocol
- * src source address connection wants
- * to bind to
- * lport local port connection wants to
- * bind to
*
*
* void ipcl_hash_remove(connp);
@@ -261,6 +252,8 @@
#include <netinet/icmp6.h>
#include <inet/ip.h>
+#include <inet/ip_if.h>
+#include <inet/ip_ire.h>
#include <inet/ip6.h>
#include <inet/ip_ndp.h>
#include <inet/ip_impl.h>
@@ -280,19 +273,6 @@
#include <sys/tsol/tnet.h>
#include <sys/sockio.h>
-#ifdef DEBUG
-#define IPCL_DEBUG
-#else
-#undef IPCL_DEBUG
-#endif
-
-#ifdef IPCL_DEBUG
-int ipcl_debug_level = 0;
-#define IPCL_DEBUG_LVL(level, args) \
- if (ipcl_debug_level & level) { printf args; }
-#else
-#define IPCL_DEBUG_LVL(level, args) {; }
-#endif
/* Old value for compatibility. Setable in /etc/system */
uint_t tcp_conn_hash_size = 0;
@@ -336,10 +316,8 @@ typedef union itc_s {
struct kmem_cache *tcp_conn_cache;
struct kmem_cache *ip_conn_cache;
-struct kmem_cache *ip_helper_stream_cache;
extern struct kmem_cache *sctp_conn_cache;
extern struct kmem_cache *tcp_sack_info_cache;
-extern struct kmem_cache *tcp_iphc_cache;
struct kmem_cache *udp_conn_cache;
struct kmem_cache *rawip_conn_cache;
struct kmem_cache *rts_conn_cache;
@@ -362,34 +340,6 @@ static void rawip_conn_destructor(void *, void *);
static int rts_conn_constructor(void *, void *, int);
static void rts_conn_destructor(void *, void *);
-static int ip_helper_stream_constructor(void *, void *, int);
-static void ip_helper_stream_destructor(void *, void *);
-
-boolean_t ip_use_helper_cache = B_TRUE;
-
-/*
- * Hook functions to enable cluster networking
- * On non-clustered systems these vectors must always be NULL.
- */
-extern void (*cl_inet_listen)(netstackid_t, uint8_t, sa_family_t,
- uint8_t *, in_port_t, void *);
-extern void (*cl_inet_unlisten)(netstackid_t, uint8_t, sa_family_t,
- uint8_t *, in_port_t, void *);
-
-#ifdef IPCL_DEBUG
-#define INET_NTOA_BUFSIZE 18
-
-static char *
-inet_ntoa_r(uint32_t in, char *b)
-{
- unsigned char *p;
-
- p = (unsigned char *)&in;
- (void) sprintf(b, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
- return (b);
-}
-#endif
-
/*
* Global (for all stack instances) init routine
*/
@@ -420,15 +370,6 @@ ipcl_g_init(void)
sizeof (itc_t) + sizeof (rts_t), CACHE_ALIGN_SIZE,
rts_conn_constructor, rts_conn_destructor,
NULL, NULL, NULL, 0);
-
- if (ip_use_helper_cache) {
- ip_helper_stream_cache = kmem_cache_create
- ("ip_helper_stream_cache", sizeof (ip_helper_stream_info_t),
- CACHE_ALIGN_SIZE, ip_helper_stream_constructor,
- ip_helper_stream_destructor, NULL, NULL, NULL, 0);
- } else {
- ip_helper_stream_cache = NULL;
- }
}
/*
@@ -493,10 +434,10 @@ ipcl_init(ip_stack_t *ipst)
MUTEX_DEFAULT, NULL);
}
- ipst->ips_ipcl_proto_fanout = kmem_zalloc(IPPROTO_MAX *
+ ipst->ips_ipcl_proto_fanout_v4 = kmem_zalloc(IPPROTO_MAX *
sizeof (connf_t), KM_SLEEP);
for (i = 0; i < IPPROTO_MAX; i++) {
- mutex_init(&ipst->ips_ipcl_proto_fanout[i].connf_lock, NULL,
+ mutex_init(&ipst->ips_ipcl_proto_fanout_v4[i].connf_lock, NULL,
MUTEX_DEFAULT, NULL);
}
@@ -576,11 +517,12 @@ ipcl_destroy(ip_stack_t *ipst)
ipst->ips_ipcl_bind_fanout = NULL;
for (i = 0; i < IPPROTO_MAX; i++) {
- ASSERT(ipst->ips_ipcl_proto_fanout[i].connf_head == NULL);
- mutex_destroy(&ipst->ips_ipcl_proto_fanout[i].connf_lock);
+ ASSERT(ipst->ips_ipcl_proto_fanout_v4[i].connf_head == NULL);
+ mutex_destroy(&ipst->ips_ipcl_proto_fanout_v4[i].connf_lock);
}
- kmem_free(ipst->ips_ipcl_proto_fanout, IPPROTO_MAX * sizeof (connf_t));
- ipst->ips_ipcl_proto_fanout = NULL;
+ kmem_free(ipst->ips_ipcl_proto_fanout_v4,
+ IPPROTO_MAX * sizeof (connf_t));
+ ipst->ips_ipcl_proto_fanout_v4 = NULL;
for (i = 0; i < IPPROTO_MAX; i++) {
ASSERT(ipst->ips_ipcl_proto_fanout_v6[i].connf_head == NULL);
@@ -636,7 +578,6 @@ conn_t *
ipcl_conn_create(uint32_t type, int sleep, netstack_t *ns)
{
conn_t *connp;
- sctp_stack_t *sctps;
struct kmem_cache *conn_cache;
switch (type) {
@@ -644,10 +585,10 @@ ipcl_conn_create(uint32_t type, int sleep, netstack_t *ns)
if ((connp = kmem_cache_alloc(sctp_conn_cache, sleep)) == NULL)
return (NULL);
sctp_conn_init(connp);
- sctps = ns->netstack_sctp;
- SCTP_G_Q_REFHOLD(sctps);
netstack_hold(ns);
connp->conn_netstack = ns;
+ connp->conn_ixa->ixa_ipst = ns->netstack_ip;
+ ipcl_globalhash_insert(connp);
return (connp);
case IPCL_TCPCONN:
@@ -681,6 +622,7 @@ ipcl_conn_create(uint32_t type, int sleep, netstack_t *ns)
connp->conn_ref = 1;
netstack_hold(ns);
connp->conn_netstack = ns;
+ connp->conn_ixa->ixa_ipst = ns->netstack_ip;
ipcl_globalhash_insert(connp);
return (connp);
}
@@ -693,61 +635,61 @@ ipcl_conn_destroy(conn_t *connp)
ASSERT(!MUTEX_HELD(&connp->conn_lock));
ASSERT(connp->conn_ref == 0);
- ASSERT(connp->conn_ire_cache == NULL);
DTRACE_PROBE1(conn__destroy, conn_t *, connp);
- if (connp->conn_effective_cred != NULL) {
- crfree(connp->conn_effective_cred);
- connp->conn_effective_cred = NULL;
- }
-
if (connp->conn_cred != NULL) {
crfree(connp->conn_cred);
connp->conn_cred = NULL;
}
+ if (connp->conn_ht_iphc != NULL) {
+ kmem_free(connp->conn_ht_iphc, connp->conn_ht_iphc_allocated);
+ connp->conn_ht_iphc = NULL;
+ connp->conn_ht_iphc_allocated = 0;
+ connp->conn_ht_iphc_len = 0;
+ connp->conn_ht_ulp = NULL;
+ connp->conn_ht_ulp_len = 0;
+ }
+ ip_pkt_free(&connp->conn_xmit_ipp);
+
ipcl_globalhash_remove(connp);
- /* FIXME: add separate tcp_conn_free()? */
+ if (connp->conn_latch != NULL) {
+ IPLATCH_REFRELE(connp->conn_latch);
+ connp->conn_latch = NULL;
+ }
+ if (connp->conn_latch_in_policy != NULL) {
+ IPPOL_REFRELE(connp->conn_latch_in_policy);
+ connp->conn_latch_in_policy = NULL;
+ }
+ if (connp->conn_latch_in_action != NULL) {
+ IPACT_REFRELE(connp->conn_latch_in_action);
+ connp->conn_latch_in_action = NULL;
+ }
+ if (connp->conn_policy != NULL) {
+ IPPH_REFRELE(connp->conn_policy, ns);
+ connp->conn_policy = NULL;
+ }
+
+ if (connp->conn_ipsec_opt_mp != NULL) {
+ freemsg(connp->conn_ipsec_opt_mp);
+ connp->conn_ipsec_opt_mp = NULL;
+ }
+
if (connp->conn_flags & IPCL_TCPCONN) {
- tcp_t *tcp = connp->conn_tcp;
- tcp_stack_t *tcps;
-
- ASSERT(tcp != NULL);
- tcps = tcp->tcp_tcps;
- if (tcps != NULL) {
- if (connp->conn_latch != NULL) {
- IPLATCH_REFRELE(connp->conn_latch, ns);
- connp->conn_latch = NULL;
- }
- if (connp->conn_policy != NULL) {
- IPPH_REFRELE(connp->conn_policy, ns);
- connp->conn_policy = NULL;
- }
- tcp->tcp_tcps = NULL;
- TCPS_REFRELE(tcps);
- }
+ tcp_t *tcp = connp->conn_tcp;
tcp_free(tcp);
mp = tcp->tcp_timercache;
- tcp->tcp_cred = NULL;
+
+ tcp->tcp_tcps = NULL;
if (tcp->tcp_sack_info != NULL) {
bzero(tcp->tcp_sack_info, sizeof (tcp_sack_info_t));
kmem_cache_free(tcp_sack_info_cache,
tcp->tcp_sack_info);
}
- if (tcp->tcp_iphc != NULL) {
- if (tcp->tcp_hdr_grown) {
- kmem_free(tcp->tcp_iphc, tcp->tcp_iphc_len);
- } else {
- bzero(tcp->tcp_iphc, tcp->tcp_iphc_len);
- kmem_cache_free(tcp_iphc_cache, tcp->tcp_iphc);
- }
- tcp->tcp_iphc_len = 0;
- }
- ASSERT(tcp->tcp_iphc_len == 0);
/*
* tcp_rsrv_mp can be NULL if tcp_get_conn() fails to allocate
@@ -759,17 +701,15 @@ ipcl_conn_destroy(conn_t *connp)
mutex_destroy(&tcp->tcp_rsrv_mp_lock);
}
- ASSERT(connp->conn_latch == NULL);
- ASSERT(connp->conn_policy == NULL);
-
+ ipcl_conn_cleanup(connp);
+ connp->conn_flags = IPCL_TCPCONN;
if (ns != NULL) {
ASSERT(tcp->tcp_tcps == NULL);
connp->conn_netstack = NULL;
+ connp->conn_ixa->ixa_ipst = NULL;
netstack_rele(ns);
}
- ipcl_conn_cleanup(connp);
- connp->conn_flags = IPCL_TCPCONN;
bzero(tcp, sizeof (tcp_t));
tcp->tcp_timercache = mp;
@@ -777,18 +717,6 @@ ipcl_conn_destroy(conn_t *connp)
kmem_cache_free(tcp_conn_cache, connp);
return;
}
- if (connp->conn_latch != NULL) {
- IPLATCH_REFRELE(connp->conn_latch, connp->conn_netstack);
- connp->conn_latch = NULL;
- }
- if (connp->conn_policy != NULL) {
- IPPH_REFRELE(connp->conn_policy, connp->conn_netstack);
- connp->conn_policy = NULL;
- }
- if (connp->conn_ipsec_opt_mp != NULL) {
- freemsg(connp->conn_ipsec_opt_mp);
- connp->conn_ipsec_opt_mp = NULL;
- }
if (connp->conn_flags & IPCL_SCTPCONN) {
ASSERT(ns != NULL);
@@ -796,21 +724,21 @@ ipcl_conn_destroy(conn_t *connp)
return;
}
+ ipcl_conn_cleanup(connp);
if (ns != NULL) {
connp->conn_netstack = NULL;
+ connp->conn_ixa->ixa_ipst = NULL;
netstack_rele(ns);
}
- ipcl_conn_cleanup(connp);
-
/* leave conn_priv aka conn_udp, conn_icmp, etc in place. */
if (connp->conn_flags & IPCL_UDPCONN) {
connp->conn_flags = IPCL_UDPCONN;
kmem_cache_free(udp_conn_cache, connp);
} else if (connp->conn_flags & IPCL_RAWIPCONN) {
-
connp->conn_flags = IPCL_RAWIPCONN;
- connp->conn_ulp = IPPROTO_ICMP;
+ connp->conn_proto = IPPROTO_ICMP;
+ connp->conn_ixa->ixa_protocol = connp->conn_proto;
kmem_cache_free(rawip_conn_cache, connp);
} else if (connp->conn_flags & IPCL_RTSCONN) {
connp->conn_flags = IPCL_RTSCONN;
@@ -826,7 +754,6 @@ ipcl_conn_destroy(conn_t *connp)
/*
* Running in cluster mode - deregister listener information
*/
-
static void
ipcl_conn_unlisten(conn_t *connp)
{
@@ -837,12 +764,12 @@ ipcl_conn_unlisten(conn_t *connp)
sa_family_t addr_family;
uint8_t *laddrp;
- if (connp->conn_pkt_isv6) {
+ if (connp->conn_ipversion == IPV6_VERSION) {
addr_family = AF_INET6;
- laddrp = (uint8_t *)&connp->conn_bound_source_v6;
+ laddrp = (uint8_t *)&connp->conn_bound_addr_v6;
} else {
addr_family = AF_INET;
- laddrp = (uint8_t *)&connp->conn_bound_source;
+ laddrp = (uint8_t *)&connp->conn_bound_addr_v4;
}
(*cl_inet_unlisten)(connp->conn_netstack->netstack_stackid,
IPPROTO_TCP, addr_family, laddrp, connp->conn_lport, NULL);
@@ -859,8 +786,6 @@ ipcl_conn_unlisten(conn_t *connp)
connf_t *connfp = (connp)->conn_fanout; \
ASSERT(!MUTEX_HELD(&((connp)->conn_lock))); \
if (connfp != NULL) { \
- IPCL_DEBUG_LVL(4, ("IPCL_HASH_REMOVE: connp %p", \
- (void *)(connp))); \
mutex_enter(&connfp->connf_lock); \
if ((connp)->conn_next != NULL) \
(connp)->conn_next->conn_prev = \
@@ -884,7 +809,11 @@ ipcl_conn_unlisten(conn_t *connp)
void
ipcl_hash_remove(conn_t *connp)
{
+ uint8_t protocol = connp->conn_proto;
+
IPCL_HASH_REMOVE(connp);
+ if (protocol == IPPROTO_RSVP)
+ ill_set_inputfn_all(connp->conn_netstack->netstack_ip);
}
/*
@@ -937,8 +866,6 @@ ipcl_hash_remove_locked(conn_t *connp, connf_t *connfp)
}
#define IPCL_HASH_INSERT_CONNECTED(connfp, connp) { \
- IPCL_DEBUG_LVL(8, ("IPCL_HASH_INSERT_CONNECTED: connfp %p " \
- "connp %p", (void *)(connfp), (void *)(connp))); \
IPCL_HASH_REMOVE((connp)); \
mutex_enter(&(connfp)->connf_lock); \
IPCL_HASH_INSERT_CONNECTED_LOCKED(connfp, connp); \
@@ -947,13 +874,11 @@ ipcl_hash_remove_locked(conn_t *connp, connf_t *connfp)
#define IPCL_HASH_INSERT_BOUND(connfp, connp) { \
conn_t *pconnp = NULL, *nconnp; \
- IPCL_DEBUG_LVL(32, ("IPCL_HASH_INSERT_BOUND: connfp %p " \
- "connp %p", (void *)connfp, (void *)(connp))); \
IPCL_HASH_REMOVE((connp)); \
mutex_enter(&(connfp)->connf_lock); \
nconnp = (connfp)->connf_head; \
while (nconnp != NULL && \
- !_IPCL_V4_MATCH_ANY(nconnp->conn_srcv6)) { \
+ !_IPCL_V4_MATCH_ANY(nconnp->conn_laddr_v6)) { \
pconnp = nconnp; \
nconnp = nconnp->conn_next; \
} \
@@ -977,16 +902,14 @@ ipcl_hash_remove_locked(conn_t *connp, connf_t *connfp)
#define IPCL_HASH_INSERT_WILDCARD(connfp, connp) { \
conn_t **list, *prev, *next; \
boolean_t isv4mapped = \
- IN6_IS_ADDR_V4MAPPED(&(connp)->conn_srcv6); \
- IPCL_DEBUG_LVL(32, ("IPCL_HASH_INSERT_WILDCARD: connfp %p " \
- "connp %p", (void *)(connfp), (void *)(connp))); \
+ IN6_IS_ADDR_V4MAPPED(&(connp)->conn_laddr_v6); \
IPCL_HASH_REMOVE((connp)); \
mutex_enter(&(connfp)->connf_lock); \
list = &(connfp)->connf_head; \
prev = NULL; \
while ((next = *list) != NULL) { \
if (isv4mapped && \
- IN6_IS_ADDR_UNSPECIFIED(&next->conn_srcv6) && \
+ IN6_IS_ADDR_UNSPECIFIED(&next->conn_laddr_v6) && \
connp->conn_zoneid == next->conn_zoneid) { \
(connp)->conn_next = next; \
if (prev != NULL) \
@@ -1012,44 +935,13 @@ ipcl_hash_insert_wildcard(connf_t *connfp, conn_t *connp)
IPCL_HASH_INSERT_WILDCARD(connfp, connp);
}
-void
-ipcl_proto_insert(conn_t *connp, uint8_t protocol)
-{
- connf_t *connfp;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- ASSERT(connp != NULL);
- ASSERT((connp->conn_mac_mode == CONN_MAC_DEFAULT) ||
- protocol == IPPROTO_AH || protocol == IPPROTO_ESP);
-
- connp->conn_ulp = protocol;
-
- /* Insert it in the protocol hash */
- connfp = &ipst->ips_ipcl_proto_fanout[protocol];
- IPCL_HASH_INSERT_WILDCARD(connfp, connp);
-}
-
-void
-ipcl_proto_insert_v6(conn_t *connp, uint8_t protocol)
-{
- connf_t *connfp;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- ASSERT(connp != NULL);
- ASSERT((connp->conn_mac_mode == CONN_MAC_DEFAULT) ||
- protocol == IPPROTO_AH || protocol == IPPROTO_ESP);
-
- connp->conn_ulp = protocol;
-
- /* Insert it in the Bind Hash */
- connfp = &ipst->ips_ipcl_proto_fanout_v6[protocol];
- IPCL_HASH_INSERT_WILDCARD(connfp, connp);
-}
-
/*
* Because the classifier is used to classify inbound packets, the destination
* address is meant to be our local tunnel address (tunnel source), and the
* source the remote tunnel address (tunnel destination).
+ *
+ * Note that conn_proto can't be used for fanout since the upper protocol
+ * can be both 41 and 4 when IPv6 and IPv4 are over the same tunnel.
*/
conn_t *
ipcl_iptun_classify_v4(ipaddr_t *src, ipaddr_t *dst, ip_stack_t *ipst)
@@ -1128,13 +1020,13 @@ ipcl_sctp_hash_insert(conn_t *connp, in_port_t lport)
oconnp = oconnp->conn_next) {
if (oconnp->conn_lport == lport &&
oconnp->conn_zoneid == connp->conn_zoneid &&
- oconnp->conn_af_isv6 == connp->conn_af_isv6 &&
- ((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6) ||
- IN6_IS_ADDR_UNSPECIFIED(&oconnp->conn_srcv6) ||
- IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_srcv6) ||
- IN6_IS_ADDR_V4MAPPED_ANY(&oconnp->conn_srcv6)) ||
- IN6_ARE_ADDR_EQUAL(&oconnp->conn_srcv6,
- &connp->conn_srcv6))) {
+ oconnp->conn_family == connp->conn_family &&
+ ((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6) ||
+ IN6_IS_ADDR_UNSPECIFIED(&oconnp->conn_laddr_v6) ||
+ IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_laddr_v6) ||
+ IN6_IS_ADDR_V4MAPPED_ANY(&oconnp->conn_laddr_v6)) ||
+ IN6_ARE_ADDR_EQUAL(&oconnp->conn_laddr_v6,
+ &connp->conn_laddr_v6))) {
break;
}
}
@@ -1142,10 +1034,10 @@ ipcl_sctp_hash_insert(conn_t *connp, in_port_t lport)
if (oconnp != NULL)
return (EADDRNOTAVAIL);
- if (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_remv6) ||
- IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_remv6)) {
- if (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6) ||
- IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_srcv6)) {
+ if (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) ||
+ IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_faddr_v6)) {
+ if (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6) ||
+ IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_laddr_v6)) {
IPCL_HASH_INSERT_WILDCARD(connfp, connp);
} else {
IPCL_HASH_INSERT_BOUND(connfp, connp);
@@ -1157,17 +1049,18 @@ ipcl_sctp_hash_insert(conn_t *connp, in_port_t lport)
}
static int
-ipcl_iptun_hash_insert(conn_t *connp, ipaddr_t src, ipaddr_t dst,
- ip_stack_t *ipst)
+ipcl_iptun_hash_insert(conn_t *connp, ip_stack_t *ipst)
{
connf_t *connfp;
conn_t *tconnp;
+ ipaddr_t laddr = connp->conn_laddr_v4;
+ ipaddr_t faddr = connp->conn_faddr_v4;
- connfp = &ipst->ips_ipcl_iptun_fanout[IPCL_IPTUN_HASH(src, dst)];
+ connfp = &ipst->ips_ipcl_iptun_fanout[IPCL_IPTUN_HASH(laddr, faddr)];
mutex_enter(&connfp->connf_lock);
for (tconnp = connfp->connf_head; tconnp != NULL;
tconnp = tconnp->conn_next) {
- if (IPCL_IPTUN_MATCH(tconnp, src, dst)) {
+ if (IPCL_IPTUN_MATCH(tconnp, laddr, faddr)) {
/* A tunnel is already bound to these addresses. */
mutex_exit(&connfp->connf_lock);
return (EADDRINUSE);
@@ -1179,17 +1072,18 @@ ipcl_iptun_hash_insert(conn_t *connp, ipaddr_t src, ipaddr_t dst,
}
static int
-ipcl_iptun_hash_insert_v6(conn_t *connp, const in6_addr_t *src,
- const in6_addr_t *dst, ip_stack_t *ipst)
+ipcl_iptun_hash_insert_v6(conn_t *connp, ip_stack_t *ipst)
{
connf_t *connfp;
conn_t *tconnp;
+ in6_addr_t *laddr = &connp->conn_laddr_v6;
+ in6_addr_t *faddr = &connp->conn_faddr_v6;
- connfp = &ipst->ips_ipcl_iptun_fanout[IPCL_IPTUN_HASH_V6(src, dst)];
+ connfp = &ipst->ips_ipcl_iptun_fanout[IPCL_IPTUN_HASH_V6(laddr, faddr)];
mutex_enter(&connfp->connf_lock);
for (tconnp = connfp->connf_head; tconnp != NULL;
tconnp = tconnp->conn_next) {
- if (IPCL_IPTUN_MATCH_V6(tconnp, src, dst)) {
+ if (IPCL_IPTUN_MATCH_V6(tconnp, laddr, faddr)) {
/* A tunnel is already bound to these addresses. */
mutex_exit(&connfp->connf_lock);
return (EADDRINUSE);
@@ -1213,12 +1107,12 @@ check_exempt_conflict_v4(conn_t *connp, ip_stack_t *ipst)
connf_t *connfp;
conn_t *tconn;
- connfp = &ipst->ips_ipcl_proto_fanout[connp->conn_ulp];
+ connfp = &ipst->ips_ipcl_proto_fanout_v4[connp->conn_proto];
mutex_enter(&connfp->connf_lock);
for (tconn = connfp->connf_head; tconn != NULL;
tconn = tconn->conn_next) {
/* We don't allow v4 fallback for v6 raw socket */
- if (connp->conn_af_isv6 != tconn->conn_af_isv6)
+ if (connp->conn_family != tconn->conn_family)
continue;
/* If neither is exempt, then there's no conflict */
if ((connp->conn_mac_mode == CONN_MAC_DEFAULT) &&
@@ -1228,9 +1122,9 @@ check_exempt_conflict_v4(conn_t *connp, ip_stack_t *ipst)
if (connp->conn_zoneid == tconn->conn_zoneid)
continue;
/* If both are bound to different specific addrs, ok */
- if (connp->conn_src != INADDR_ANY &&
- tconn->conn_src != INADDR_ANY &&
- connp->conn_src != tconn->conn_src)
+ if (connp->conn_laddr_v4 != INADDR_ANY &&
+ tconn->conn_laddr_v4 != INADDR_ANY &&
+ connp->conn_laddr_v4 != tconn->conn_laddr_v4)
continue;
/* These two conflict; fail */
break;
@@ -1245,12 +1139,12 @@ check_exempt_conflict_v6(conn_t *connp, ip_stack_t *ipst)
connf_t *connfp;
conn_t *tconn;
- connfp = &ipst->ips_ipcl_proto_fanout[connp->conn_ulp];
+ connfp = &ipst->ips_ipcl_proto_fanout_v6[connp->conn_proto];
mutex_enter(&connfp->connf_lock);
for (tconn = connfp->connf_head; tconn != NULL;
tconn = tconn->conn_next) {
/* We don't allow v4 fallback for v6 raw socket */
- if (connp->conn_af_isv6 != tconn->conn_af_isv6)
+ if (connp->conn_family != tconn->conn_family)
continue;
/* If neither is exempt, then there's no conflict */
if ((connp->conn_mac_mode == CONN_MAC_DEFAULT) &&
@@ -1260,9 +1154,10 @@ check_exempt_conflict_v6(conn_t *connp, ip_stack_t *ipst)
if (connp->conn_zoneid == tconn->conn_zoneid)
continue;
/* If both are bound to different addrs, ok */
- if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6) &&
- !IN6_IS_ADDR_UNSPECIFIED(&tconn->conn_srcv6) &&
- !IN6_ARE_ADDR_EQUAL(&connp->conn_srcv6, &tconn->conn_srcv6))
+ if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6) &&
+ !IN6_IS_ADDR_UNSPECIFIED(&tconn->conn_laddr_v6) &&
+ !IN6_ARE_ADDR_EQUAL(&connp->conn_laddr_v6,
+ &tconn->conn_laddr_v6))
continue;
/* These two conflict; fail */
break;
@@ -1273,28 +1168,29 @@ check_exempt_conflict_v6(conn_t *connp, ip_stack_t *ipst)
/*
* (v4, v6) bind hash insertion routines
+ * The caller has already setup the conn (conn_proto, conn_laddr_v6, conn_lport)
*/
+
+int
+ipcl_bind_insert(conn_t *connp)
+{
+ if (connp->conn_ipversion == IPV6_VERSION)
+ return (ipcl_bind_insert_v6(connp));
+ else
+ return (ipcl_bind_insert_v4(connp));
+}
+
int
-ipcl_bind_insert(conn_t *connp, uint8_t protocol, ipaddr_t src, uint16_t lport)
+ipcl_bind_insert_v4(conn_t *connp)
{
connf_t *connfp;
-#ifdef IPCL_DEBUG
- char buf[INET_NTOA_BUFSIZE];
-#endif
int ret = 0;
ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- ASSERT(connp);
-
- IPCL_DEBUG_LVL(64, ("ipcl_bind_insert: connp %p, src = %s, "
- "port = %d\n", (void *)connp, inet_ntoa_r(src, buf), lport));
-
- connp->conn_ulp = protocol;
- IN6_IPADDR_TO_V4MAPPED(src, &connp->conn_srcv6);
- connp->conn_lport = lport;
+ uint16_t lport = connp->conn_lport;
+ uint8_t protocol = connp->conn_proto;
if (IPCL_IS_IPTUN(connp))
- return (ipcl_iptun_hash_insert(connp, src, INADDR_ANY, ipst));
+ return (ipcl_iptun_hash_insert(connp, ipst));
switch (protocol) {
default:
@@ -1304,45 +1200,40 @@ ipcl_bind_insert(conn_t *connp, uint8_t protocol, ipaddr_t src, uint16_t lport)
/* FALLTHROUGH */
case IPPROTO_UDP:
if (protocol == IPPROTO_UDP) {
- IPCL_DEBUG_LVL(64,
- ("ipcl_bind_insert: connp %p - udp\n",
- (void *)connp));
connfp = &ipst->ips_ipcl_udp_fanout[
IPCL_UDP_HASH(lport, ipst)];
} else {
- IPCL_DEBUG_LVL(64,
- ("ipcl_bind_insert: connp %p - protocol\n",
- (void *)connp));
- connfp = &ipst->ips_ipcl_proto_fanout[protocol];
+ connfp = &ipst->ips_ipcl_proto_fanout_v4[protocol];
}
- if (connp->conn_rem != INADDR_ANY) {
+ if (connp->conn_faddr_v4 != INADDR_ANY) {
IPCL_HASH_INSERT_CONNECTED(connfp, connp);
- } else if (connp->conn_src != INADDR_ANY) {
+ } else if (connp->conn_laddr_v4 != INADDR_ANY) {
IPCL_HASH_INSERT_BOUND(connfp, connp);
} else {
IPCL_HASH_INSERT_WILDCARD(connfp, connp);
}
+ if (protocol == IPPROTO_RSVP)
+ ill_set_inputfn_all(ipst);
break;
case IPPROTO_TCP:
-
/* Insert it in the Bind Hash */
ASSERT(connp->conn_zoneid != ALL_ZONES);
connfp = &ipst->ips_ipcl_bind_fanout[
IPCL_BIND_HASH(lport, ipst)];
- if (connp->conn_src != INADDR_ANY) {
+ if (connp->conn_laddr_v4 != INADDR_ANY) {
IPCL_HASH_INSERT_BOUND(connfp, connp);
} else {
IPCL_HASH_INSERT_WILDCARD(connfp, connp);
}
if (cl_inet_listen != NULL) {
- ASSERT(!connp->conn_pkt_isv6);
+ ASSERT(connp->conn_ipversion == IPV4_VERSION);
connp->conn_flags |= IPCL_CL_LISTENER;
(*cl_inet_listen)(
connp->conn_netstack->netstack_stackid,
IPPROTO_TCP, AF_INET,
- (uint8_t *)&connp->conn_bound_source, lport, NULL);
+ (uint8_t *)&connp->conn_bound_addr_v4, lport, NULL);
}
break;
@@ -1355,20 +1246,16 @@ ipcl_bind_insert(conn_t *connp, uint8_t protocol, ipaddr_t src, uint16_t lport)
}
int
-ipcl_bind_insert_v6(conn_t *connp, uint8_t protocol, const in6_addr_t *src,
- uint16_t lport)
+ipcl_bind_insert_v6(conn_t *connp)
{
connf_t *connfp;
int ret = 0;
ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- ASSERT(connp != NULL); connp->conn_ulp = protocol;
- connp->conn_srcv6 = *src;
- connp->conn_lport = lport;
+ uint16_t lport = connp->conn_lport;
+ uint8_t protocol = connp->conn_proto;
if (IPCL_IS_IPTUN(connp)) {
- return (ipcl_iptun_hash_insert_v6(connp, src, &ipv6_all_zeros,
- ipst));
+ return (ipcl_iptun_hash_insert_v6(connp, ipst));
}
switch (protocol) {
@@ -1379,21 +1266,15 @@ ipcl_bind_insert_v6(conn_t *connp, uint8_t protocol, const in6_addr_t *src,
/* FALLTHROUGH */
case IPPROTO_UDP:
if (protocol == IPPROTO_UDP) {
- IPCL_DEBUG_LVL(128,
- ("ipcl_bind_insert_v6: connp %p - udp\n",
- (void *)connp));
connfp = &ipst->ips_ipcl_udp_fanout[
IPCL_UDP_HASH(lport, ipst)];
} else {
- IPCL_DEBUG_LVL(128,
- ("ipcl_bind_insert_v6: connp %p - protocol\n",
- (void *)connp));
connfp = &ipst->ips_ipcl_proto_fanout_v6[protocol];
}
- if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_remv6)) {
+ if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6)) {
IPCL_HASH_INSERT_CONNECTED(connfp, connp);
- } else if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6)) {
+ } else if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6)) {
IPCL_HASH_INSERT_BOUND(connfp, connp);
} else {
IPCL_HASH_INSERT_WILDCARD(connfp, connp);
@@ -1401,13 +1282,11 @@ ipcl_bind_insert_v6(conn_t *connp, uint8_t protocol, const in6_addr_t *src,
break;
case IPPROTO_TCP:
- /* XXX - Need a separate table for IN6_IS_ADDR_UNSPECIFIED? */
-
/* Insert it in the Bind Hash */
ASSERT(connp->conn_zoneid != ALL_ZONES);
connfp = &ipst->ips_ipcl_bind_fanout[
IPCL_BIND_HASH(lport, ipst)];
- if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6)) {
+ if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6)) {
IPCL_HASH_INSERT_BOUND(connfp, connp);
} else {
IPCL_HASH_INSERT_WILDCARD(connfp, connp);
@@ -1416,13 +1295,13 @@ ipcl_bind_insert_v6(conn_t *connp, uint8_t protocol, const in6_addr_t *src,
sa_family_t addr_family;
uint8_t *laddrp;
- if (connp->conn_pkt_isv6) {
+ if (connp->conn_ipversion == IPV6_VERSION) {
addr_family = AF_INET6;
laddrp =
- (uint8_t *)&connp->conn_bound_source_v6;
+ (uint8_t *)&connp->conn_bound_addr_v6;
} else {
addr_family = AF_INET;
- laddrp = (uint8_t *)&connp->conn_bound_source;
+ laddrp = (uint8_t *)&connp->conn_bound_addr_v4;
}
connp->conn_flags |= IPCL_CL_LISTENER;
(*cl_inet_listen)(
@@ -1441,43 +1320,35 @@ ipcl_bind_insert_v6(conn_t *connp, uint8_t protocol, const in6_addr_t *src,
/*
* ipcl_conn_hash insertion routines.
+ * The caller has already set conn_proto and the addresses/ports in the conn_t.
*/
+
int
-ipcl_conn_insert(conn_t *connp, uint8_t protocol, ipaddr_t src,
- ipaddr_t rem, uint32_t ports)
+ipcl_conn_insert(conn_t *connp)
+{
+ if (connp->conn_ipversion == IPV6_VERSION)
+ return (ipcl_conn_insert_v6(connp));
+ else
+ return (ipcl_conn_insert_v4(connp));
+}
+
+int
+ipcl_conn_insert_v4(conn_t *connp)
{
connf_t *connfp;
- uint16_t *up;
conn_t *tconnp;
-#ifdef IPCL_DEBUG
- char sbuf[INET_NTOA_BUFSIZE], rbuf[INET_NTOA_BUFSIZE];
-#endif
- in_port_t lport;
int ret = 0;
ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- IPCL_DEBUG_LVL(256, ("ipcl_conn_insert: connp %p, src = %s, "
- "dst = %s, ports = %x, protocol = %x", (void *)connp,
- inet_ntoa_r(src, sbuf), inet_ntoa_r(rem, rbuf),
- ports, protocol));
+ uint16_t lport = connp->conn_lport;
+ uint8_t protocol = connp->conn_proto;
if (IPCL_IS_IPTUN(connp))
- return (ipcl_iptun_hash_insert(connp, src, rem, ipst));
+ return (ipcl_iptun_hash_insert(connp, ipst));
switch (protocol) {
case IPPROTO_TCP:
- if (!(connp->conn_flags & IPCL_EAGER)) {
- /*
- * for a eager connection, i.e connections which
- * have just been created, the initialization is
- * already done in ip at conn_creation time, so
- * we can skip the checks here.
- */
- IPCL_CONN_INIT(connp, protocol, src, rem, ports);
- }
-
/*
- * For tcp, we check whether the connection tuple already
+ * For TCP, we check whether the connection tuple already
* exists before allowing the connection to proceed. We
* also allow indexing on the zoneid. This is to allow
* multiple shared stack zones to have the same tcp
@@ -1486,16 +1357,15 @@ ipcl_conn_insert(conn_t *connp, uint8_t protocol, ipaddr_t src,
* doesn't have to be unique.
*/
connfp = &ipst->ips_ipcl_conn_fanout[
- IPCL_CONN_HASH(connp->conn_rem,
+ IPCL_CONN_HASH(connp->conn_faddr_v4,
connp->conn_ports, ipst)];
mutex_enter(&connfp->connf_lock);
for (tconnp = connfp->connf_head; tconnp != NULL;
tconnp = tconnp->conn_next) {
- if ((IPCL_CONN_MATCH(tconnp, connp->conn_ulp,
- connp->conn_rem, connp->conn_src,
- connp->conn_ports)) &&
- (IPCL_ZONE_MATCH(tconnp, connp->conn_zoneid))) {
-
+ if (IPCL_CONN_MATCH(tconnp, connp->conn_proto,
+ connp->conn_faddr_v4, connp->conn_laddr_v4,
+ connp->conn_ports) &&
+ IPCL_ZONE_MATCH(tconnp, connp->conn_zoneid)) {
/* Already have a conn. bail out */
mutex_exit(&connfp->connf_lock);
return (EADDRINUSE);
@@ -1512,6 +1382,7 @@ ipcl_conn_insert(conn_t *connp, uint8_t protocol, ipaddr_t src,
}
ASSERT(connp->conn_recv != NULL);
+ ASSERT(connp->conn_recvicmp != NULL);
IPCL_HASH_INSERT_CONNECTED_LOCKED(connfp, connp);
mutex_exit(&connfp->connf_lock);
@@ -1523,7 +1394,6 @@ ipcl_conn_insert(conn_t *connp, uint8_t protocol, ipaddr_t src,
* from the hash first.
*/
IPCL_HASH_REMOVE(connp);
- lport = htons((uint16_t)(ntohl(ports) & 0xFFFF));
ret = ipcl_sctp_hash_insert(connp, lport);
break;
@@ -1540,18 +1410,16 @@ ipcl_conn_insert(conn_t *connp, uint8_t protocol, ipaddr_t src,
/* FALLTHROUGH */
case IPPROTO_UDP:
- up = (uint16_t *)&ports;
- IPCL_CONN_INIT(connp, protocol, src, rem, ports);
if (protocol == IPPROTO_UDP) {
connfp = &ipst->ips_ipcl_udp_fanout[
- IPCL_UDP_HASH(up[1], ipst)];
+ IPCL_UDP_HASH(lport, ipst)];
} else {
- connfp = &ipst->ips_ipcl_proto_fanout[protocol];
+ connfp = &ipst->ips_ipcl_proto_fanout_v4[protocol];
}
- if (connp->conn_rem != INADDR_ANY) {
+ if (connp->conn_faddr_v4 != INADDR_ANY) {
IPCL_HASH_INSERT_CONNECTED(connfp, connp);
- } else if (connp->conn_src != INADDR_ANY) {
+ } else if (connp->conn_laddr_v4 != INADDR_ANY) {
IPCL_HASH_INSERT_BOUND(connfp, connp);
} else {
IPCL_HASH_INSERT_WILDCARD(connfp, connp);
@@ -1563,25 +1431,21 @@ ipcl_conn_insert(conn_t *connp, uint8_t protocol, ipaddr_t src,
}
int
-ipcl_conn_insert_v6(conn_t *connp, uint8_t protocol, const in6_addr_t *src,
- const in6_addr_t *rem, uint32_t ports, uint_t ifindex)
+ipcl_conn_insert_v6(conn_t *connp)
{
connf_t *connfp;
- uint16_t *up;
conn_t *tconnp;
- in_port_t lport;
int ret = 0;
ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+ uint16_t lport = connp->conn_lport;
+ uint8_t protocol = connp->conn_proto;
+ uint_t ifindex = connp->conn_bound_if;
if (IPCL_IS_IPTUN(connp))
- return (ipcl_iptun_hash_insert_v6(connp, src, rem, ipst));
+ return (ipcl_iptun_hash_insert_v6(connp, ipst));
switch (protocol) {
case IPPROTO_TCP:
- /* Just need to insert a conn struct */
- if (!(connp->conn_flags & IPCL_EAGER)) {
- IPCL_CONN_INIT_V6(connp, protocol, *src, *rem, ports);
- }
/*
* For tcp, we check whether the connection tuple already
@@ -1593,17 +1457,18 @@ ipcl_conn_insert_v6(conn_t *connp, uint8_t protocol, const in6_addr_t *src,
* doesn't have to be unique.
*/
connfp = &ipst->ips_ipcl_conn_fanout[
- IPCL_CONN_HASH_V6(connp->conn_remv6, connp->conn_ports,
+ IPCL_CONN_HASH_V6(connp->conn_faddr_v6, connp->conn_ports,
ipst)];
mutex_enter(&connfp->connf_lock);
for (tconnp = connfp->connf_head; tconnp != NULL;
tconnp = tconnp->conn_next) {
- if (IPCL_CONN_MATCH_V6(tconnp, connp->conn_ulp,
- connp->conn_remv6, connp->conn_srcv6,
+ /* NOTE: need to match zoneid. Bug in onnv-gate */
+ if (IPCL_CONN_MATCH_V6(tconnp, connp->conn_proto,
+ connp->conn_faddr_v6, connp->conn_laddr_v6,
connp->conn_ports) &&
- (tconnp->conn_tcp->tcp_bound_if == 0 ||
- tconnp->conn_tcp->tcp_bound_if == ifindex) &&
- (IPCL_ZONE_MATCH(tconnp, connp->conn_zoneid))) {
+ (tconnp->conn_bound_if == 0 ||
+ tconnp->conn_bound_if == ifindex) &&
+ IPCL_ZONE_MATCH(tconnp, connp->conn_zoneid)) {
/* Already have a conn. bail out */
mutex_exit(&connfp->connf_lock);
return (EADDRINUSE);
@@ -1624,7 +1489,6 @@ ipcl_conn_insert_v6(conn_t *connp, uint8_t protocol, const in6_addr_t *src,
case IPPROTO_SCTP:
IPCL_HASH_REMOVE(connp);
- lport = htons((uint16_t)(ntohl(ports) & 0xFFFF));
ret = ipcl_sctp_hash_insert(connp, lport);
break;
@@ -1634,18 +1498,16 @@ ipcl_conn_insert_v6(conn_t *connp, uint8_t protocol, const in6_addr_t *src,
return (EADDRINUSE);
/* FALLTHROUGH */
case IPPROTO_UDP:
- up = (uint16_t *)&ports;
- IPCL_CONN_INIT_V6(connp, protocol, *src, *rem, ports);
if (protocol == IPPROTO_UDP) {
connfp = &ipst->ips_ipcl_udp_fanout[
- IPCL_UDP_HASH(up[1], ipst)];
+ IPCL_UDP_HASH(lport, ipst)];
} else {
connfp = &ipst->ips_ipcl_proto_fanout_v6[protocol];
}
- if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_remv6)) {
+ if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6)) {
IPCL_HASH_INSERT_CONNECTED(connfp, connp);
- } else if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6)) {
+ } else if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6)) {
IPCL_HASH_INSERT_BOUND(connfp, connp);
} else {
IPCL_HASH_INSERT_WILDCARD(connfp, connp);
@@ -1667,8 +1529,8 @@ ipcl_conn_insert_v6(conn_t *connp, uint8_t protocol, const in6_addr_t *src,
* zone, then label checks are omitted.
*/
conn_t *
-ipcl_classify_v4(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
- ip_stack_t *ipst)
+ipcl_classify_v4(mblk_t *mp, uint8_t protocol, uint_t hdr_len,
+ ip_recv_attr_t *ira, ip_stack_t *ipst)
{
ipha_t *ipha;
connf_t *connfp, *bind_connfp;
@@ -1677,8 +1539,7 @@ ipcl_classify_v4(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
uint32_t ports;
conn_t *connp;
uint16_t *up;
- boolean_t shared_addr;
- boolean_t unlabeled;
+ zoneid_t zoneid = ira->ira_zoneid;
ipha = (ipha_t *)mp->b_rptr;
up = (uint16_t *)((uchar_t *)ipha + hdr_len + TCP_PORTS_OFFSET);
@@ -1692,11 +1553,14 @@ ipcl_classify_v4(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
mutex_enter(&connfp->connf_lock);
for (connp = connfp->connf_head; connp != NULL;
connp = connp->conn_next) {
- if ((IPCL_CONN_MATCH(connp, protocol,
- ipha->ipha_src, ipha->ipha_dst, ports)) &&
- (IPCL_ZONE_MATCH(connp, zoneid))) {
+ if (IPCL_CONN_MATCH(connp, protocol,
+ ipha->ipha_src, ipha->ipha_dst, ports) &&
+ (connp->conn_zoneid == zoneid ||
+ connp->conn_allzones ||
+ ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
+ (ira->ira_flags & IRAF_TX_MAC_EXEMPTABLE) &&
+ (ira->ira_flags & IRAF_TX_SHARED_ADDR))))
break;
- }
}
if (connp != NULL) {
@@ -1713,48 +1577,19 @@ ipcl_classify_v4(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
}
mutex_exit(&connfp->connf_lock);
-
lport = up[1];
- unlabeled = B_FALSE;
- /* Cred cannot be null on IPv4 */
- if (is_system_labeled()) {
- cred_t *cr = msg_getcred(mp, NULL);
- ASSERT(cr != NULL);
- unlabeled = (crgetlabel(cr)->tsl_flags &
- TSLF_UNLABELED) != 0;
- }
- shared_addr = (zoneid == ALL_ZONES);
- if (shared_addr) {
- /*
- * No need to handle exclusive-stack zones since
- * ALL_ZONES only applies to the shared stack.
- */
- zoneid = tsol_mlp_findzone(protocol, lport);
- /*
- * If no shared MLP is found, tsol_mlp_findzone returns
- * ALL_ZONES. In that case, we assume it's SLP, and
- * search for the zone based on the packet label.
- *
- * If there is such a zone, we prefer to find a
- * connection in it. Otherwise, we look for a
- * MAC-exempt connection in any zone whose label
- * dominates the default label on the packet.
- */
- if (zoneid == ALL_ZONES)
- zoneid = tsol_packet_to_zoneid(mp);
- else
- unlabeled = B_FALSE;
- }
-
bind_connfp =
&ipst->ips_ipcl_bind_fanout[IPCL_BIND_HASH(lport, ipst)];
mutex_enter(&bind_connfp->connf_lock);
for (connp = bind_connfp->connf_head; connp != NULL;
connp = connp->conn_next) {
if (IPCL_BIND_MATCH(connp, protocol, ipha->ipha_dst,
- lport) && (IPCL_ZONE_MATCH(connp, zoneid) ||
- (unlabeled && shared_addr &&
- (connp->conn_mac_mode != CONN_MAC_DEFAULT))))
+ lport) &&
+ (connp->conn_zoneid == zoneid ||
+ connp->conn_allzones ||
+ ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
+ (ira->ira_flags & IRAF_TX_MAC_EXEMPTABLE) &&
+ (ira->ira_flags & IRAF_TX_SHARED_ADDR))))
break;
}
@@ -1762,16 +1597,17 @@ ipcl_classify_v4(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
* If the matching connection is SLP on a private address, then
* the label on the packet must match the local zone's label.
* Otherwise, it must be in the label range defined by tnrh.
- * This is ensured by tsol_receive_label.
+ * This is ensured by tsol_receive_local.
+ *
+ * Note that we don't check tsol_receive_local for
+ * the connected case.
*/
- if (connp != NULL && is_system_labeled() &&
+ if (connp != NULL && (ira->ira_flags & IRAF_SYSTEM_LABELED) &&
!tsol_receive_local(mp, &ipha->ipha_dst, IPV4_VERSION,
- shared_addr, connp)) {
- DTRACE_PROBE3(
- tx__ip__log__info__classify__tcp,
- char *,
- "connp(1) could not receive mp(2)",
- conn_t *, connp, mblk_t *, mp);
+ ira, connp)) {
+ DTRACE_PROBE3(tx__ip__log__info__classify__tcp,
+ char *, "connp(1) could not receive mp(2)",
+ conn_t *, connp, mblk_t *, mp);
connp = NULL;
}
@@ -1783,61 +1619,27 @@ ipcl_classify_v4(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
}
mutex_exit(&bind_connfp->connf_lock);
-
- IPCL_DEBUG_LVL(512,
- ("ipcl_classify: couldn't classify mp = %p\n",
- (void *)mp));
break;
case IPPROTO_UDP:
lport = up[1];
- unlabeled = B_FALSE;
- /* Cred cannot be null on IPv4 */
- if (is_system_labeled()) {
- cred_t *cr = msg_getcred(mp, NULL);
- ASSERT(cr != NULL);
- unlabeled = (crgetlabel(cr)->tsl_flags &
- TSLF_UNLABELED) != 0;
- }
- shared_addr = (zoneid == ALL_ZONES);
- if (shared_addr) {
- /*
- * No need to handle exclusive-stack zones since
- * ALL_ZONES only applies to the shared stack.
- */
- zoneid = tsol_mlp_findzone(protocol, lport);
- /*
- * If no shared MLP is found, tsol_mlp_findzone returns
- * ALL_ZONES. In that case, we assume it's SLP, and
- * search for the zone based on the packet label.
- *
- * If there is such a zone, we prefer to find a
- * connection in it. Otherwise, we look for a
- * MAC-exempt connection in any zone whose label
- * dominates the default label on the packet.
- */
- if (zoneid == ALL_ZONES)
- zoneid = tsol_packet_to_zoneid(mp);
- else
- unlabeled = B_FALSE;
- }
fport = up[0];
- IPCL_DEBUG_LVL(512, ("ipcl_udp_classify %x %x", lport, fport));
connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(lport, ipst)];
mutex_enter(&connfp->connf_lock);
for (connp = connfp->connf_head; connp != NULL;
connp = connp->conn_next) {
if (IPCL_UDP_MATCH(connp, lport, ipha->ipha_dst,
fport, ipha->ipha_src) &&
- (IPCL_ZONE_MATCH(connp, zoneid) ||
- (unlabeled && shared_addr &&
- (connp->conn_mac_mode != CONN_MAC_DEFAULT))))
+ (connp->conn_zoneid == zoneid ||
+ connp->conn_allzones ||
+ ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
+ (ira->ira_flags & IRAF_TX_MAC_EXEMPTABLE))))
break;
}
- if (connp != NULL && is_system_labeled() &&
+ if (connp != NULL && (ira->ira_flags & IRAF_SYSTEM_LABELED) &&
!tsol_receive_local(mp, &ipha->ipha_dst, IPV4_VERSION,
- shared_addr, connp)) {
+ ira, connp)) {
DTRACE_PROBE3(tx__ip__log__info__classify__udp,
char *, "connp(1) could not receive mp(2)",
conn_t *, connp, mblk_t *, mp);
@@ -1854,9 +1656,7 @@ ipcl_classify_v4(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
* We shouldn't come here for multicast/broadcast packets
*/
mutex_exit(&connfp->connf_lock);
- IPCL_DEBUG_LVL(512,
- ("ipcl_classify: cant find udp conn_t for ports : %x %x",
- lport, fport));
+
break;
case IPPROTO_ENCAP:
@@ -1869,26 +1669,25 @@ ipcl_classify_v4(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
}
conn_t *
-ipcl_classify_v6(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
- ip_stack_t *ipst)
+ipcl_classify_v6(mblk_t *mp, uint8_t protocol, uint_t hdr_len,
+ ip_recv_attr_t *ira, ip_stack_t *ipst)
{
ip6_t *ip6h;
connf_t *connfp, *bind_connfp;
uint16_t lport;
uint16_t fport;
- tcph_t *tcph;
+ tcpha_t *tcpha;
uint32_t ports;
conn_t *connp;
uint16_t *up;
- boolean_t shared_addr;
- boolean_t unlabeled;
+ zoneid_t zoneid = ira->ira_zoneid;
ip6h = (ip6_t *)mp->b_rptr;
switch (protocol) {
case IPPROTO_TCP:
- tcph = (tcph_t *)&mp->b_rptr[hdr_len];
- up = (uint16_t *)tcph->th_lport;
+ tcpha = (tcpha_t *)&mp->b_rptr[hdr_len];
+ up = &tcpha->tha_lport;
ports = *(uint32_t *)up;
connfp =
@@ -1897,11 +1696,14 @@ ipcl_classify_v6(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
mutex_enter(&connfp->connf_lock);
for (connp = connfp->connf_head; connp != NULL;
connp = connp->conn_next) {
- if ((IPCL_CONN_MATCH_V6(connp, protocol,
- ip6h->ip6_src, ip6h->ip6_dst, ports)) &&
- (IPCL_ZONE_MATCH(connp, zoneid))) {
+ if (IPCL_CONN_MATCH_V6(connp, protocol,
+ ip6h->ip6_src, ip6h->ip6_dst, ports) &&
+ (connp->conn_zoneid == zoneid ||
+ connp->conn_allzones ||
+ ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
+ (ira->ira_flags & IRAF_TX_MAC_EXEMPTABLE) &&
+ (ira->ira_flags & IRAF_TX_SHARED_ADDR))))
break;
- }
}
if (connp != NULL) {
@@ -1920,37 +1722,6 @@ ipcl_classify_v6(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
mutex_exit(&connfp->connf_lock);
lport = up[1];
- unlabeled = B_FALSE;
- /* Cred can be null on IPv6 */
- if (is_system_labeled()) {
- cred_t *cr = msg_getcred(mp, NULL);
-
- unlabeled = (cr != NULL &&
- crgetlabel(cr)->tsl_flags & TSLF_UNLABELED) != 0;
- }
- shared_addr = (zoneid == ALL_ZONES);
- if (shared_addr) {
- /*
- * No need to handle exclusive-stack zones since
- * ALL_ZONES only applies to the shared stack.
- */
- zoneid = tsol_mlp_findzone(protocol, lport);
- /*
- * If no shared MLP is found, tsol_mlp_findzone returns
- * ALL_ZONES. In that case, we assume it's SLP, and
- * search for the zone based on the packet label.
- *
- * If there is such a zone, we prefer to find a
- * connection in it. Otherwise, we look for a
- * MAC-exempt connection in any zone whose label
- * dominates the default label on the packet.
- */
- if (zoneid == ALL_ZONES)
- zoneid = tsol_packet_to_zoneid(mp);
- else
- unlabeled = B_FALSE;
- }
-
bind_connfp =
&ipst->ips_ipcl_bind_fanout[IPCL_BIND_HASH(lport, ipst)];
mutex_enter(&bind_connfp->connf_lock);
@@ -1958,15 +1729,17 @@ ipcl_classify_v6(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
connp = connp->conn_next) {
if (IPCL_BIND_MATCH_V6(connp, protocol,
ip6h->ip6_dst, lport) &&
- (IPCL_ZONE_MATCH(connp, zoneid) ||
- (unlabeled && shared_addr &&
- (connp->conn_mac_mode != CONN_MAC_DEFAULT))))
+ (connp->conn_zoneid == zoneid ||
+ connp->conn_allzones ||
+ ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
+ (ira->ira_flags & IRAF_TX_MAC_EXEMPTABLE) &&
+ (ira->ira_flags & IRAF_TX_SHARED_ADDR))))
break;
}
- if (connp != NULL && is_system_labeled() &&
+ if (connp != NULL && (ira->ira_flags & IRAF_SYSTEM_LABELED) &&
!tsol_receive_local(mp, &ip6h->ip6_dst, IPV6_VERSION,
- shared_addr, connp)) {
+ ira, connp)) {
DTRACE_PROBE3(tx__ip__log__info__classify__tcp6,
char *, "connp(1) could not receive mp(2)",
conn_t *, connp, mblk_t *, mp);
@@ -1977,72 +1750,33 @@ ipcl_classify_v6(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
/* Have a listner at least */
CONN_INC_REF(connp);
mutex_exit(&bind_connfp->connf_lock);
- IPCL_DEBUG_LVL(512,
- ("ipcl_classify_v6: found listner "
- "connp = %p\n", (void *)connp));
-
return (connp);
}
mutex_exit(&bind_connfp->connf_lock);
-
- IPCL_DEBUG_LVL(512,
- ("ipcl_classify_v6: couldn't classify mp = %p\n",
- (void *)mp));
break;
case IPPROTO_UDP:
up = (uint16_t *)&mp->b_rptr[hdr_len];
lport = up[1];
- unlabeled = B_FALSE;
- /* Cred can be null on IPv6 */
- if (is_system_labeled()) {
- cred_t *cr = msg_getcred(mp, NULL);
-
- unlabeled = (cr != NULL &&
- crgetlabel(cr)->tsl_flags & TSLF_UNLABELED) != 0;
- }
- shared_addr = (zoneid == ALL_ZONES);
- if (shared_addr) {
- /*
- * No need to handle exclusive-stack zones since
- * ALL_ZONES only applies to the shared stack.
- */
- zoneid = tsol_mlp_findzone(protocol, lport);
- /*
- * If no shared MLP is found, tsol_mlp_findzone returns
- * ALL_ZONES. In that case, we assume it's SLP, and
- * search for the zone based on the packet label.
- *
- * If there is such a zone, we prefer to find a
- * connection in it. Otherwise, we look for a
- * MAC-exempt connection in any zone whose label
- * dominates the default label on the packet.
- */
- if (zoneid == ALL_ZONES)
- zoneid = tsol_packet_to_zoneid(mp);
- else
- unlabeled = B_FALSE;
- }
-
fport = up[0];
- IPCL_DEBUG_LVL(512, ("ipcl_udp_classify_v6 %x %x", lport,
- fport));
connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(lport, ipst)];
mutex_enter(&connfp->connf_lock);
for (connp = connfp->connf_head; connp != NULL;
connp = connp->conn_next) {
if (IPCL_UDP_MATCH_V6(connp, lport, ip6h->ip6_dst,
fport, ip6h->ip6_src) &&
- (IPCL_ZONE_MATCH(connp, zoneid) ||
- (unlabeled && shared_addr &&
- (connp->conn_mac_mode != CONN_MAC_DEFAULT))))
+ (connp->conn_zoneid == zoneid ||
+ connp->conn_allzones ||
+ ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
+ (ira->ira_flags & IRAF_TX_MAC_EXEMPTABLE) &&
+ (ira->ira_flags & IRAF_TX_SHARED_ADDR))))
break;
}
- if (connp != NULL && is_system_labeled() &&
+ if (connp != NULL && (ira->ira_flags & IRAF_SYSTEM_LABELED) &&
!tsol_receive_local(mp, &ip6h->ip6_dst, IPV6_VERSION,
- shared_addr, connp)) {
+ ira, connp)) {
DTRACE_PROBE3(tx__ip__log__info__classify__udp6,
char *, "connp(1) could not receive mp(2)",
conn_t *, connp, mblk_t *, mp);
@@ -2059,9 +1793,6 @@ ipcl_classify_v6(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
* We shouldn't come here for multicast/broadcast packets
*/
mutex_exit(&connfp->connf_lock);
- IPCL_DEBUG_LVL(512,
- ("ipcl_classify_v6: cant find udp conn_t for ports : %x %x",
- lport, fport));
break;
case IPPROTO_ENCAP:
case IPPROTO_IPV6:
@@ -2076,125 +1807,80 @@ ipcl_classify_v6(mblk_t *mp, uint8_t protocol, uint_t hdr_len, zoneid_t zoneid,
* wrapper around ipcl_classify_(v4,v6) routines.
*/
conn_t *
-ipcl_classify(mblk_t *mp, zoneid_t zoneid, ip_stack_t *ipst)
+ipcl_classify(mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst)
{
- uint16_t hdr_len;
- ipha_t *ipha;
- uint8_t *nexthdrp;
-
- if (MBLKL(mp) < sizeof (ipha_t))
- return (NULL);
-
- switch (IPH_HDR_VERSION(mp->b_rptr)) {
- case IPV4_VERSION:
- ipha = (ipha_t *)mp->b_rptr;
- hdr_len = IPH_HDR_LENGTH(ipha);
- return (ipcl_classify_v4(mp, ipha->ipha_protocol, hdr_len,
- zoneid, ipst));
- case IPV6_VERSION:
- if (!ip_hdr_length_nexthdr_v6(mp, (ip6_t *)mp->b_rptr,
- &hdr_len, &nexthdrp))
- return (NULL);
-
- return (ipcl_classify_v6(mp, *nexthdrp, hdr_len, zoneid, ipst));
+ if (ira->ira_flags & IRAF_IS_IPV4) {
+ return (ipcl_classify_v4(mp, ira->ira_protocol,
+ ira->ira_ip_hdr_length, ira, ipst));
+ } else {
+ return (ipcl_classify_v6(mp, ira->ira_protocol,
+ ira->ira_ip_hdr_length, ira, ipst));
}
-
- return (NULL);
}
+/*
+ * Only used to classify SCTP RAW sockets
+ */
conn_t *
-ipcl_classify_raw(mblk_t *mp, uint8_t protocol, zoneid_t zoneid,
- uint32_t ports, ipha_t *hdr, ip_stack_t *ipst)
+ipcl_classify_raw(mblk_t *mp, uint8_t protocol, uint32_t ports,
+ ipha_t *ipha, ip6_t *ip6h, ip_recv_attr_t *ira, ip_stack_t *ipst)
{
connf_t *connfp;
conn_t *connp;
in_port_t lport;
- int af;
- boolean_t shared_addr;
- boolean_t unlabeled;
+ int ipversion;
const void *dst;
+ zoneid_t zoneid = ira->ira_zoneid;
lport = ((uint16_t *)&ports)[1];
-
- unlabeled = B_FALSE;
- /* Cred can be null on IPv6 */
- if (is_system_labeled()) {
- cred_t *cr = msg_getcred(mp, NULL);
-
- unlabeled = (cr != NULL &&
- crgetlabel(cr)->tsl_flags & TSLF_UNLABELED) != 0;
- }
- shared_addr = (zoneid == ALL_ZONES);
- if (shared_addr) {
- /*
- * No need to handle exclusive-stack zones since ALL_ZONES
- * only applies to the shared stack.
- */
- zoneid = tsol_mlp_findzone(protocol, lport);
- /*
- * If no shared MLP is found, tsol_mlp_findzone returns
- * ALL_ZONES. In that case, we assume it's SLP, and search for
- * the zone based on the packet label.
- *
- * If there is such a zone, we prefer to find a connection in
- * it. Otherwise, we look for a MAC-exempt connection in any
- * zone whose label dominates the default label on the packet.
- */
- if (zoneid == ALL_ZONES)
- zoneid = tsol_packet_to_zoneid(mp);
- else
- unlabeled = B_FALSE;
+ if (ira->ira_flags & IRAF_IS_IPV4) {
+ dst = (const void *)&ipha->ipha_dst;
+ ipversion = IPV4_VERSION;
+ } else {
+ dst = (const void *)&ip6h->ip6_dst;
+ ipversion = IPV6_VERSION;
}
- af = IPH_HDR_VERSION(hdr);
- dst = af == IPV4_VERSION ? (const void *)&hdr->ipha_dst :
- (const void *)&((ip6_t *)hdr)->ip6_dst;
connfp = &ipst->ips_ipcl_raw_fanout[IPCL_RAW_HASH(ntohs(lport), ipst)];
-
mutex_enter(&connfp->connf_lock);
for (connp = connfp->connf_head; connp != NULL;
connp = connp->conn_next) {
/* We don't allow v4 fallback for v6 raw socket. */
- if (af == (connp->conn_af_isv6 ? IPV4_VERSION :
- IPV6_VERSION))
+ if (ipversion != connp->conn_ipversion)
continue;
- if (connp->conn_fully_bound) {
- if (af == IPV4_VERSION) {
+ if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) &&
+ !IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_faddr_v6)) {
+ if (ipversion == IPV4_VERSION) {
if (!IPCL_CONN_MATCH(connp, protocol,
- hdr->ipha_src, hdr->ipha_dst, ports))
+ ipha->ipha_src, ipha->ipha_dst, ports))
continue;
} else {
if (!IPCL_CONN_MATCH_V6(connp, protocol,
- ((ip6_t *)hdr)->ip6_src,
- ((ip6_t *)hdr)->ip6_dst, ports))
+ ip6h->ip6_src, ip6h->ip6_dst, ports))
continue;
}
} else {
- if (af == IPV4_VERSION) {
+ if (ipversion == IPV4_VERSION) {
if (!IPCL_BIND_MATCH(connp, protocol,
- hdr->ipha_dst, lport))
+ ipha->ipha_dst, lport))
continue;
} else {
if (!IPCL_BIND_MATCH_V6(connp, protocol,
- ((ip6_t *)hdr)->ip6_dst, lport))
+ ip6h->ip6_dst, lport))
continue;
}
}
- if (IPCL_ZONE_MATCH(connp, zoneid) ||
- (unlabeled &&
- (connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
- shared_addr))
+ if (connp->conn_zoneid == zoneid ||
+ connp->conn_allzones ||
+ ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
+ (ira->ira_flags & IRAF_TX_MAC_EXEMPTABLE) &&
+ (ira->ira_flags & IRAF_TX_SHARED_ADDR)))
break;
}
- /*
- * If the connection is fully-bound and connection-oriented (TCP or
- * SCTP), then we've already validated the remote system's label.
- * There's no need to do it again for every packet.
- */
- if (connp != NULL && is_system_labeled() && (!connp->conn_fully_bound ||
- !(connp->conn_flags & (IPCL_TCP|IPCL_SCTPCONN))) &&
- !tsol_receive_local(mp, dst, af, shared_addr, connp)) {
+
+ if (connp != NULL && (ira->ira_flags & IRAF_SYSTEM_LABELED) &&
+ !tsol_receive_local(mp, dst, ipversion, ira, connp)) {
DTRACE_PROBE3(tx__ip__log__info__classify__rawip,
char *, "connp(1) could not receive mp(2)",
conn_t *, connp, mblk_t *, mp);
@@ -2205,22 +1891,22 @@ ipcl_classify_raw(mblk_t *mp, uint8_t protocol, zoneid_t zoneid,
goto found;
mutex_exit(&connfp->connf_lock);
- /* Try to look for a wildcard match. */
+ /* Try to look for a wildcard SCTP RAW socket match. */
connfp = &ipst->ips_ipcl_raw_fanout[IPCL_RAW_HASH(0, ipst)];
mutex_enter(&connfp->connf_lock);
for (connp = connfp->connf_head; connp != NULL;
connp = connp->conn_next) {
/* We don't allow v4 fallback for v6 raw socket. */
- if ((af == (connp->conn_af_isv6 ? IPV4_VERSION :
- IPV6_VERSION)) || !IPCL_ZONE_MATCH(connp, zoneid)) {
+ if (ipversion != connp->conn_ipversion)
continue;
- }
- if (af == IPV4_VERSION) {
- if (IPCL_RAW_MATCH(connp, protocol, hdr->ipha_dst))
+ if (!IPCL_ZONE_MATCH(connp, zoneid))
+ continue;
+
+ if (ipversion == IPV4_VERSION) {
+ if (IPCL_RAW_MATCH(connp, protocol, ipha->ipha_dst))
break;
} else {
- if (IPCL_RAW_MATCH_V6(connp, protocol,
- ((ip6_t *)hdr)->ip6_dst)) {
+ if (IPCL_RAW_MATCH_V6(connp, protocol, ip6h->ip6_dst)) {
break;
}
}
@@ -2253,11 +1939,23 @@ tcp_conn_constructor(void *buf, void *cdrarg, int kmflags)
mutex_init(&connp->conn_lock, NULL, MUTEX_DEFAULT, NULL);
cv_init(&connp->conn_cv, NULL, CV_DEFAULT, NULL);
cv_init(&connp->conn_sq_cv, NULL, CV_DEFAULT, NULL);
- tcp->tcp_timercache = tcp_timermp_alloc(KM_NOSLEEP);
+ tcp->tcp_timercache = tcp_timermp_alloc(kmflags);
+ if (tcp->tcp_timercache == NULL)
+ return (ENOMEM);
connp->conn_tcp = tcp;
connp->conn_flags = IPCL_TCPCONN;
- connp->conn_ulp = IPPROTO_TCP;
+ connp->conn_proto = IPPROTO_TCP;
tcp->tcp_connp = connp;
+ rw_init(&connp->conn_ilg_lock, NULL, RW_DEFAULT, NULL);
+
+ connp->conn_ixa = kmem_zalloc(sizeof (ip_xmit_attr_t), kmflags);
+ if (connp->conn_ixa == NULL) {
+ tcp_timermp_free(tcp);
+ return (ENOMEM);
+ }
+ connp->conn_ixa->ixa_refcnt = 1;
+ connp->conn_ixa->ixa_protocol = connp->conn_proto;
+ connp->conn_ixa->ixa_xmit_hint = CONN_TO_XMIT_HINT(connp);
return (0);
}
@@ -2276,6 +1974,15 @@ tcp_conn_destructor(void *buf, void *cdrarg)
mutex_destroy(&connp->conn_lock);
cv_destroy(&connp->conn_cv);
cv_destroy(&connp->conn_sq_cv);
+ rw_destroy(&connp->conn_ilg_lock);
+
+ /* Can be NULL if constructor failed */
+ if (connp->conn_ixa != NULL) {
+ ASSERT(connp->conn_ixa->ixa_refcnt == 1);
+ ASSERT(connp->conn_ixa->ixa_ire == NULL);
+ ASSERT(connp->conn_ixa->ixa_nce == NULL);
+ ixa_refrele(connp->conn_ixa);
+ }
}
/* ARGSUSED */
@@ -2289,7 +1996,13 @@ ip_conn_constructor(void *buf, void *cdrarg, int kmflags)
mutex_init(&connp->conn_lock, NULL, MUTEX_DEFAULT, NULL);
cv_init(&connp->conn_cv, NULL, CV_DEFAULT, NULL);
connp->conn_flags = IPCL_IPCCONN;
+ rw_init(&connp->conn_ilg_lock, NULL, RW_DEFAULT, NULL);
+ connp->conn_ixa = kmem_zalloc(sizeof (ip_xmit_attr_t), kmflags);
+ if (connp->conn_ixa == NULL)
+ return (ENOMEM);
+ connp->conn_ixa->ixa_refcnt = 1;
+ connp->conn_ixa->ixa_xmit_hint = CONN_TO_XMIT_HINT(connp);
return (0);
}
@@ -2304,6 +2017,15 @@ ip_conn_destructor(void *buf, void *cdrarg)
ASSERT(connp->conn_priv == NULL);
mutex_destroy(&connp->conn_lock);
cv_destroy(&connp->conn_cv);
+ rw_destroy(&connp->conn_ilg_lock);
+
+ /* Can be NULL if constructor failed */
+ if (connp->conn_ixa != NULL) {
+ ASSERT(connp->conn_ixa->ixa_refcnt == 1);
+ ASSERT(connp->conn_ixa->ixa_ire == NULL);
+ ASSERT(connp->conn_ixa->ixa_nce == NULL);
+ ixa_refrele(connp->conn_ixa);
+ }
}
/* ARGSUSED */
@@ -2321,8 +2043,15 @@ udp_conn_constructor(void *buf, void *cdrarg, int kmflags)
cv_init(&connp->conn_cv, NULL, CV_DEFAULT, NULL);
connp->conn_udp = udp;
connp->conn_flags = IPCL_UDPCONN;
- connp->conn_ulp = IPPROTO_UDP;
+ connp->conn_proto = IPPROTO_UDP;
udp->udp_connp = connp;
+ rw_init(&connp->conn_ilg_lock, NULL, RW_DEFAULT, NULL);
+ connp->conn_ixa = kmem_zalloc(sizeof (ip_xmit_attr_t), kmflags);
+ if (connp->conn_ixa == NULL)
+ return (ENOMEM);
+ connp->conn_ixa->ixa_refcnt = 1;
+ connp->conn_ixa->ixa_protocol = connp->conn_proto;
+ connp->conn_ixa->ixa_xmit_hint = CONN_TO_XMIT_HINT(connp);
return (0);
}
@@ -2339,6 +2068,15 @@ udp_conn_destructor(void *buf, void *cdrarg)
ASSERT(connp->conn_udp == udp);
mutex_destroy(&connp->conn_lock);
cv_destroy(&connp->conn_cv);
+ rw_destroy(&connp->conn_ilg_lock);
+
+ /* Can be NULL if constructor failed */
+ if (connp->conn_ixa != NULL) {
+ ASSERT(connp->conn_ixa->ixa_refcnt == 1);
+ ASSERT(connp->conn_ixa->ixa_ire == NULL);
+ ASSERT(connp->conn_ixa->ixa_nce == NULL);
+ ixa_refrele(connp->conn_ixa);
+ }
}
/* ARGSUSED */
@@ -2356,8 +2094,15 @@ rawip_conn_constructor(void *buf, void *cdrarg, int kmflags)
cv_init(&connp->conn_cv, NULL, CV_DEFAULT, NULL);
connp->conn_icmp = icmp;
connp->conn_flags = IPCL_RAWIPCONN;
- connp->conn_ulp = IPPROTO_ICMP;
+ connp->conn_proto = IPPROTO_ICMP;
icmp->icmp_connp = connp;
+ rw_init(&connp->conn_ilg_lock, NULL, RW_DEFAULT, NULL);
+ connp->conn_ixa = kmem_zalloc(sizeof (ip_xmit_attr_t), kmflags);
+ if (connp->conn_ixa == NULL)
+ return (ENOMEM);
+ connp->conn_ixa->ixa_refcnt = 1;
+ connp->conn_ixa->ixa_protocol = connp->conn_proto;
+ connp->conn_ixa->ixa_xmit_hint = CONN_TO_XMIT_HINT(connp);
return (0);
}
@@ -2374,6 +2119,15 @@ rawip_conn_destructor(void *buf, void *cdrarg)
ASSERT(connp->conn_icmp == icmp);
mutex_destroy(&connp->conn_lock);
cv_destroy(&connp->conn_cv);
+ rw_destroy(&connp->conn_ilg_lock);
+
+ /* Can be NULL if constructor failed */
+ if (connp->conn_ixa != NULL) {
+ ASSERT(connp->conn_ixa->ixa_refcnt == 1);
+ ASSERT(connp->conn_ixa->ixa_ire == NULL);
+ ASSERT(connp->conn_ixa->ixa_nce == NULL);
+ ixa_refrele(connp->conn_ixa);
+ }
}
/* ARGSUSED */
@@ -2392,6 +2146,12 @@ rts_conn_constructor(void *buf, void *cdrarg, int kmflags)
connp->conn_rts = rts;
connp->conn_flags = IPCL_RTSCONN;
rts->rts_connp = connp;
+ rw_init(&connp->conn_ilg_lock, NULL, RW_DEFAULT, NULL);
+ connp->conn_ixa = kmem_zalloc(sizeof (ip_xmit_attr_t), kmflags);
+ if (connp->conn_ixa == NULL)
+ return (ENOMEM);
+ connp->conn_ixa->ixa_refcnt = 1;
+ connp->conn_ixa->ixa_xmit_hint = CONN_TO_XMIT_HINT(connp);
return (0);
}
@@ -2408,71 +2168,35 @@ rts_conn_destructor(void *buf, void *cdrarg)
ASSERT(connp->conn_rts == rts);
mutex_destroy(&connp->conn_lock);
cv_destroy(&connp->conn_cv);
-}
+ rw_destroy(&connp->conn_ilg_lock);
-/* ARGSUSED */
-int
-ip_helper_stream_constructor(void *buf, void *cdrarg, int kmflags)
-{
- int error;
- netstack_t *ns;
- int ret;
- tcp_stack_t *tcps;
- ip_helper_stream_info_t *ip_helper_str;
- ip_stack_t *ipst;
-
- ns = netstack_find_by_cred(kcred);
- ASSERT(ns != NULL);
- tcps = ns->netstack_tcp;
- ipst = ns->netstack_ip;
- ASSERT(tcps != NULL);
- ip_helper_str = (ip_helper_stream_info_t *)buf;
-
- do {
- error = ldi_open_by_name(DEV_IP, IP_HELPER_STR, kcred,
- &ip_helper_str->iphs_handle, ipst->ips_ldi_ident);
- } while (error == EINTR);
-
- if (error == 0) {
- do {
- error = ldi_ioctl(
- ip_helper_str->iphs_handle, SIOCSQPTR,
- (intptr_t)buf, FKIOCTL, kcred, &ret);
- } while (error == EINTR);
-
- if (error != 0) {
- (void) ldi_close(
- ip_helper_str->iphs_handle, 0, kcred);
- }
+ /* Can be NULL if constructor failed */
+ if (connp->conn_ixa != NULL) {
+ ASSERT(connp->conn_ixa->ixa_refcnt == 1);
+ ASSERT(connp->conn_ixa->ixa_ire == NULL);
+ ASSERT(connp->conn_ixa->ixa_nce == NULL);
+ ixa_refrele(connp->conn_ixa);
}
-
- netstack_rele(ipst->ips_netstack);
-
- return (error);
}
-/* ARGSUSED */
-static void
-ip_helper_stream_destructor(void *buf, void *cdrarg)
-{
- ip_helper_stream_info_t *ip_helper_str = (ip_helper_stream_info_t *)buf;
-
- ip_helper_str->iphs_rq->q_ptr =
- ip_helper_str->iphs_wq->q_ptr =
- ip_helper_str->iphs_minfo;
- (void) ldi_close(ip_helper_str->iphs_handle, 0, kcred);
-}
-
-
/*
* Called as part of ipcl_conn_destroy to assert and clear any pointers
* in the conn_t.
+ *
+ * Below we list all the pointers in the conn_t as a documentation aid.
+ * The ones that we can not ASSERT to be NULL are #ifdef'ed out.
+ * If you add any pointers to the conn_t please add an ASSERT here
+ * and #ifdef it out if it can't be actually asserted to be NULL.
+ * In any case, we bzero most of the conn_t at the end of the function.
*/
void
ipcl_conn_cleanup(conn_t *connp)
{
- ASSERT(connp->conn_ire_cache == NULL);
+ ip_xmit_attr_t *ixa;
+
ASSERT(connp->conn_latch == NULL);
+ ASSERT(connp->conn_latch_in_policy == NULL);
+ ASSERT(connp->conn_latch_in_action == NULL);
#ifdef notdef
ASSERT(connp->conn_rq == NULL);
ASSERT(connp->conn_wq == NULL);
@@ -2485,18 +2209,6 @@ ipcl_conn_cleanup(conn_t *connp)
ASSERT(connp->conn_fanout == NULL);
ASSERT(connp->conn_next == NULL);
ASSERT(connp->conn_prev == NULL);
-#ifdef notdef
- /*
- * The ill and ipif pointers are not cleared before the conn_t
- * goes away since they do not hold a reference on the ill/ipif.
- * We should replace these pointers with ifindex/ipaddr_t to
- * make the code less complex.
- */
- ASSERT(connp->conn_outgoing_ill == NULL);
- ASSERT(connp->conn_incoming_ill == NULL);
- ASSERT(connp->conn_multicast_ipif == NULL);
- ASSERT(connp->conn_multicast_ill == NULL);
-#endif
ASSERT(connp->conn_oper_pending_ill == NULL);
ASSERT(connp->conn_ilg == NULL);
ASSERT(connp->conn_drain_next == NULL);
@@ -2506,10 +2218,19 @@ ipcl_conn_cleanup(conn_t *connp)
ASSERT(connp->conn_idl == NULL);
#endif
ASSERT(connp->conn_ipsec_opt_mp == NULL);
- ASSERT(connp->conn_effective_cred == NULL);
+#ifdef notdef
+ /* conn_netstack is cleared by the caller; needed by ixa_cleanup */
ASSERT(connp->conn_netstack == NULL);
+#endif
ASSERT(connp->conn_helper_info == NULL);
+ ASSERT(connp->conn_ixa != NULL);
+ ixa = connp->conn_ixa;
+ ASSERT(ixa->ixa_refcnt == 1);
+ /* Need to preserve ixa_protocol */
+ ixa_cleanup(ixa);
+ ixa->ixa_flags = 0;
+
/* Clear out the conn_t fields that are not preserved */
bzero(&connp->conn_start_clr,
sizeof (conn_t) -
@@ -2602,10 +2323,11 @@ ipcl_globalhash_remove(conn_t *connp)
/*
* Walk the list of all conn_t's in the system, calling the function provided
- * with the specified argument for each.
+ * With the specified argument for each.
* Applies to both IPv4 and IPv6.
*
- * IPCs may hold pointers to ipif/ill. To guard against stale pointers
+ * CONNs may hold pointers to ills (conn_dhcpinit_ill and
+ * conn_oper_pending_ill). To guard against stale pointers
* ipcl_walk() is called to cleanup the conn_t's, typically when an interface is
* unplumbed or removed. New conn_t's that are created while we are walking
* may be missed by this walk, because they are not necessarily inserted
@@ -2657,7 +2379,7 @@ ipcl_walk(pfv_t func, void *arg, ip_stack_t *ipst)
* (peer tcp in ESTABLISHED state).
*/
conn_t *
-ipcl_conn_tcp_lookup_reversed_ipv4(conn_t *connp, ipha_t *ipha, tcph_t *tcph,
+ipcl_conn_tcp_lookup_reversed_ipv4(conn_t *connp, ipha_t *ipha, tcpha_t *tcpha,
ip_stack_t *ipst)
{
uint32_t ports;
@@ -2675,8 +2397,8 @@ ipcl_conn_tcp_lookup_reversed_ipv4(conn_t *connp, ipha_t *ipha, tcph_t *tcph,
zone_chk = (ipha->ipha_src == htonl(INADDR_LOOPBACK) ||
ipha->ipha_dst == htonl(INADDR_LOOPBACK));
- bcopy(tcph->th_fport, &pports[0], sizeof (uint16_t));
- bcopy(tcph->th_lport, &pports[1], sizeof (uint16_t));
+ pports[0] = tcpha->tha_fport;
+ pports[1] = tcpha->tha_lport;
connfp = &ipst->ips_ipcl_conn_fanout[IPCL_CONN_HASH(ipha->ipha_dst,
ports, ipst)];
@@ -2707,7 +2429,7 @@ ipcl_conn_tcp_lookup_reversed_ipv4(conn_t *connp, ipha_t *ipha, tcph_t *tcph,
* (peer tcp in ESTABLISHED state).
*/
conn_t *
-ipcl_conn_tcp_lookup_reversed_ipv6(conn_t *connp, ip6_t *ip6h, tcph_t *tcph,
+ipcl_conn_tcp_lookup_reversed_ipv6(conn_t *connp, ip6_t *ip6h, tcpha_t *tcpha,
ip_stack_t *ipst)
{
uint32_t ports;
@@ -2728,8 +2450,8 @@ ipcl_conn_tcp_lookup_reversed_ipv6(conn_t *connp, ip6_t *ip6h, tcph_t *tcph,
zone_chk = (IN6_IS_ADDR_LOOPBACK(&ip6h->ip6_src) ||
IN6_IS_ADDR_LOOPBACK(&ip6h->ip6_dst));
- bcopy(tcph->th_fport, &pports[0], sizeof (uint16_t));
- bcopy(tcph->th_lport, &pports[1], sizeof (uint16_t));
+ pports[0] = tcpha->tha_fport;
+ pports[1] = tcpha->tha_lport;
connfp = &ipst->ips_ipcl_conn_fanout[IPCL_CONN_HASH_V6(ip6h->ip6_dst,
ports, ipst)];
@@ -2738,7 +2460,7 @@ ipcl_conn_tcp_lookup_reversed_ipv6(conn_t *connp, ip6_t *ip6h, tcph_t *tcph,
for (tconnp = connfp->connf_head; tconnp != NULL;
tconnp = tconnp->conn_next) {
- /* We skip tcp_bound_if check here as this is loopback tcp */
+ /* We skip conn_bound_if check here as this is loopback tcp */
if (IPCL_CONN_MATCH_V6(tconnp, IPPROTO_TCP,
ip6h->ip6_dst, ip6h->ip6_src, ports) &&
tconnp->conn_tcp->tcp_state == TCPS_ESTABLISHED &&
@@ -2760,7 +2482,7 @@ ipcl_conn_tcp_lookup_reversed_ipv6(conn_t *connp, ip6_t *ip6h, tcph_t *tcph,
* Only checks for connected entries i.e. no INADDR_ANY checks.
*/
conn_t *
-ipcl_tcp_lookup_reversed_ipv4(ipha_t *ipha, tcph_t *tcph, int min_state,
+ipcl_tcp_lookup_reversed_ipv4(ipha_t *ipha, tcpha_t *tcpha, int min_state,
ip_stack_t *ipst)
{
uint32_t ports;
@@ -2769,8 +2491,8 @@ ipcl_tcp_lookup_reversed_ipv4(ipha_t *ipha, tcph_t *tcph, int min_state,
conn_t *tconnp;
pports = (uint16_t *)&ports;
- bcopy(tcph->th_fport, &pports[0], sizeof (uint16_t));
- bcopy(tcph->th_lport, &pports[1], sizeof (uint16_t));
+ pports[0] = tcpha->tha_fport;
+ pports[1] = tcpha->tha_lport;
connfp = &ipst->ips_ipcl_conn_fanout[IPCL_CONN_HASH(ipha->ipha_dst,
ports, ipst)];
@@ -2823,8 +2545,8 @@ ipcl_tcp_lookup_reversed_ipv6(ip6_t *ip6h, tcpha_t *tcpha, int min_state,
if (IPCL_CONN_MATCH_V6(tconnp, IPPROTO_TCP,
ip6h->ip6_dst, ip6h->ip6_src, ports) &&
tcp->tcp_state >= min_state &&
- (tcp->tcp_bound_if == 0 ||
- tcp->tcp_bound_if == ifindex)) {
+ (tconnp->conn_bound_if == 0 ||
+ tconnp->conn_bound_if == ifindex)) {
CONN_INC_REF(tconnp);
mutex_exit(&connfp->connf_lock);
@@ -2901,8 +2623,8 @@ ipcl_lookup_listener_v6(uint16_t lport, in6_addr_t *laddr, uint_t ifindex,
tcp = connp->conn_tcp;
if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP, *laddr, lport) &&
IPCL_ZONE_MATCH(connp, zoneid) &&
- (tcp->tcp_bound_if == 0 ||
- tcp->tcp_bound_if == ifindex) &&
+ (connp->conn_bound_if == 0 ||
+ connp->conn_bound_if == ifindex) &&
tcp->tcp_listener == NULL) {
CONN_INC_REF(connp);
mutex_exit(&bind_connfp->connf_lock);
diff --git a/usr/src/uts/common/inet/ip/ipdrop.c b/usr/src/uts/common/inet/ip/ipdrop.c
index 6d08ec9d60..0f257d6cd2 100644
--- a/usr/src/uts/common/inet/ip/ipdrop.c
+++ b/usr/src/uts/common/inet/ip/ipdrop.c
@@ -29,11 +29,11 @@
#include <sys/sunddi.h>
#include <sys/kstat.h>
#include <sys/kmem.h>
+#include <sys/sdt.h>
#include <net/pfkeyv2.h>
#include <inet/common.h>
#include <inet/ip.h>
#include <inet/ip6.h>
-#include <inet/ipsec_info.h>
#include <inet/ipsec_impl.h>
#include <inet/ipdrop.h>
@@ -246,16 +246,11 @@ ip_drop_unregister(ipdropper_t *ipd)
* Actually drop a packet. Many things could happen here, but at the least,
* the packet will be freemsg()ed.
*/
-/* ARGSUSED */
void
-ip_drop_packet(mblk_t *mp, boolean_t inbound, ill_t *arriving,
- ire_t *outbound_ire, struct kstat_named *counter, ipdropper_t *who_called)
+ip_drop_packet(mblk_t *mp, boolean_t inbound, ill_t *ill,
+ struct kstat_named *counter, ipdropper_t *who_called)
{
- mblk_t *ipsec_mp = NULL;
- ipsec_in_t *ii = NULL;
- ipsec_out_t *io = NULL;
- ipsec_info_t *in;
- uint8_t vers;
+ char *str;
if (mp == NULL) {
/*
@@ -265,41 +260,7 @@ ip_drop_packet(mblk_t *mp, boolean_t inbound, ill_t *arriving,
return;
}
- if (DB_TYPE(mp) == M_CTL) {
- in = (ipsec_info_t *)mp->b_rptr;
-
- if (in->ipsec_info_type == IPSEC_IN)
- ii = (ipsec_in_t *)in;
- else if (in->ipsec_info_type == IPSEC_OUT)
- io = (ipsec_out_t *)in;
-
- /* See if this is an ICMP packet (check for v4/v6). */
- vers = (*mp->b_rptr) >> 4;
- if (vers != IPV4_VERSION && vers != IPV6_VERSION) {
- /*
- * If not, it's some other sort of M_CTL to be freed.
- * For now, treat it like an ordinary packet.
- */
- ipsec_mp = mp;
- mp = mp->b_cont;
- }
- }
-
- /* Reality checks */
- if (inbound && io != NULL)
- cmn_err(CE_WARN,
- "ip_drop_packet: inbound packet with IPSEC_OUT");
-
- if (outbound_ire != NULL && ii != NULL)
- cmn_err(CE_WARN,
- "ip_drop_packet: outbound packet with IPSEC_IN");
-
- /* At this point, mp always points to the data. */
- /*
- * Can't make the assertion yet - It could be an inbound ICMP
- * message, which is M_CTL but with data in it.
- */
- /* ASSERT(mp->b_datap->db_type == M_DATA); */
+ ASSERT(mp->b_datap->db_type == M_DATA);
/* Increment the bean counter, if available. */
if (counter != NULL) {
@@ -318,16 +279,22 @@ ip_drop_packet(mblk_t *mp, boolean_t inbound, ill_t *arriving,
break;
/* Other types we can't handle for now. */
}
-
- /* TODO? Copy out kstat name for use in logging. */
}
- /* TODO: log the packet details if logging is called for. */
+ if (counter != NULL)
+ str = counter->name;
+ else if (who_called != NULL)
+ str = who_called->ipd_name;
+ else
+ str = "Unspecified IPsec drop";
+
+ if (inbound)
+ ip_drop_input(str, mp, ill);
+ else
+ ip_drop_output(str, mp, ill);
+
/* TODO: queue the packet onto a snoop-friendly queue. */
- /* If I haven't queued the packet or some such nonsense, free it. */
- if (ipsec_mp != NULL)
- freeb(ipsec_mp);
/*
* ASSERT this isn't a b_next linked mblk chain where a
* chained dropper should be used instead
@@ -335,3 +302,50 @@ ip_drop_packet(mblk_t *mp, boolean_t inbound, ill_t *arriving,
ASSERT(mp->b_prev == NULL && mp->b_next == NULL);
freemsg(mp);
}
+
+/*
+ * This is just a convinient place for dtrace to see dropped packets
+ */
+/*ARGSUSED*/
+void
+ip_drop_input(char *str, mblk_t *mp, ill_t *ill)
+{
+ if (mp == NULL)
+ return;
+
+ if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ DTRACE_IP7(drop__in, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
+ ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha,
+ ip6_t *, NULL, int, 0);
+ } else {
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+
+ DTRACE_IP7(drop__in, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
+ ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL,
+ ip6_t *, ip6h, int, 0);
+ }
+}
+
+/*ARGSUSED*/
+void
+ip_drop_output(char *str, mblk_t *mp, ill_t *ill)
+{
+ if (mp == NULL)
+ return;
+
+ if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ DTRACE_IP7(drop__out, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
+ ipha, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha,
+ ip6_t *, NULL, int, 0);
+ } else {
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+
+ DTRACE_IP7(drop__out, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
+ ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL,
+ ip6_t *, ip6h, int, 0);
+ }
+}
diff --git a/usr/src/uts/common/inet/ip/ipmp.c b/usr/src/uts/common/inet/ip/ipmp.c
index ea8b4a73bb..b89171ed2b 100644
--- a/usr/src/uts/common/inet/ip/ipmp.c
+++ b/usr/src/uts/common/inet/ip/ipmp.c
@@ -22,12 +22,12 @@
* Use is subject to license terms.
*/
-#include <inet/arp.h>
#include <inet/ip.h>
#include <inet/ip6.h>
#include <inet/ip_if.h>
#include <inet/ip_ire.h>
#include <inet/ip_multi.h>
+#include <inet/ip_ndp.h>
#include <inet/ip_rts.h>
#include <inet/mi.h>
#include <net/if_types.h>
@@ -52,20 +52,6 @@
#define IPMP_GRP_HASH_SIZE 64
#define IPMP_ILL_REFRESH_TIMEOUT 120 /* seconds */
-/*
- * Templates for IPMP ARP messages.
- */
-static const arie_t ipmp_aract_template = {
- AR_IPMP_ACTIVATE,
- sizeof (arie_t), /* Name offset */
- sizeof (arie_t) /* Name length (set by ill_arp_alloc) */
-};
-
-static const arie_t ipmp_ardeact_template = {
- AR_IPMP_DEACTIVATE,
- sizeof (arie_t), /* Name offset */
- sizeof (arie_t) /* Name length (set by ill_arp_alloc) */
-};
/*
* IPMP meta-interface kstats (based on those in PSARC/1997/198).
@@ -497,7 +483,7 @@ ipmp_grp_vet_ill(ipmp_grp_t *grp, ill_t *ill)
* An ill must strictly be using ARP and/or ND for address
* resolution for it to be allowed into a group.
*/
- if (ill->ill_flags & (ILLF_NONUD | ILLF_NOARP | ILLF_XRESOLV))
+ if (ill->ill_flags & (ILLF_NONUD | ILLF_NOARP))
return (ENOTSUP);
/*
@@ -752,7 +738,7 @@ ipmp_illgrp_hold_next_ill(ipmp_illgrp_t *illg)
if (illg->ig_next_ill == NULL)
illg->ig_next_ill = list_head(&illg->ig_actif);
- if (ill_check_and_refhold(ill) == 0) {
+ if (ill_check_and_refhold(ill)) {
rw_exit(&ipst->ips_ipmp_lock);
return (ill);
}
@@ -763,17 +749,6 @@ ipmp_illgrp_hold_next_ill(ipmp_illgrp_t *illg)
}
/*
- * Return a pointer to the nominated multicast ill in `illg', or NULL if one
- * doesn't exist. Caller must be inside the IPSQ.
- */
-ill_t *
-ipmp_illgrp_cast_ill(ipmp_illgrp_t *illg)
-{
- ASSERT(IAM_WRITER_ILL(illg->ig_ipmp_ill));
- return (illg->ig_cast_ill);
-}
-
-/*
* Return a held pointer to the nominated multicast ill in `illg', or NULL if
* one doesn't exist. Caller need not be inside the IPSQ.
*/
@@ -785,7 +760,7 @@ ipmp_illgrp_hold_cast_ill(ipmp_illgrp_t *illg)
rw_enter(&ipst->ips_ipmp_lock, RW_READER);
castill = illg->ig_cast_ill;
- if (castill != NULL && ill_check_and_refhold(castill) == 0) {
+ if (castill != NULL && ill_check_and_refhold(castill)) {
rw_exit(&ipst->ips_ipmp_lock);
return (castill);
}
@@ -794,6 +769,20 @@ ipmp_illgrp_hold_cast_ill(ipmp_illgrp_t *illg)
}
/*
+ * Callback routine for ncec_walk() that deletes `nce' if it is associated with
+ * the `(ill_t *)arg' and it is not one of the local addresses. Caller must be
+ * inside the IPSQ.
+ */
+static void
+ipmp_ncec_delete_nonlocal(ncec_t *ncec, uchar_t *arg)
+{
+ if ((ncec != NULL) && !NCE_MYADDR(ncec) &&
+ ncec->ncec_ill == (ill_t *)arg) {
+ ncec_delete(ncec);
+ }
+}
+
+/*
* Set the nominated cast ill on `illg' to `castill'. If `castill' is NULL,
* any existing nomination is removed. Caller must be inside the IPSQ.
*/
@@ -820,6 +809,14 @@ ipmp_illgrp_set_cast(ipmp_illgrp_t *illg, ill_t *castill)
*/
if (ipmp_ill->ill_dl_up)
ill_leave_multicast(ipmp_ill);
+
+ /*
+ * Delete any NCEs tied to the old nomination. We must do this
+ * last since ill_leave_multicast() may trigger IREs to be
+ * built using ig_cast_ill.
+ */
+ ncec_walk(ocastill, (pfi_t)ipmp_ncec_delete_nonlocal, ocastill,
+ ocastill->ill_ipst);
}
/*
@@ -829,16 +826,6 @@ ipmp_illgrp_set_cast(ipmp_illgrp_t *illg, ill_t *castill)
illg->ig_cast_ill = castill;
rw_exit(&ipst->ips_ipmp_lock);
- if (ocastill != NULL) {
- /*
- * Delete any IREs tied to the old nomination. We must do
- * this after the new castill is set and has reached global
- * visibility since the datapath has not been quiesced.
- */
- ire_walk_ill(MATCH_IRE_ILL | MATCH_IRE_TYPE, IRE_CACHE,
- ill_stq_cache_delete, ocastill, ocastill);
- }
-
/*
* Enable new nominated ill (if any).
*/
@@ -855,15 +842,6 @@ ipmp_illgrp_set_cast(ipmp_illgrp_t *illg, ill_t *castill)
if (ipmp_ill->ill_dl_up)
ill_recover_multicast(ipmp_ill);
}
-
- /*
- * For IPv4, refresh our broadcast IREs. This needs to be done even
- * if there's no new nomination since ill_refresh_bcast() still must
- * update the IPMP meta-interface's broadcast IREs to point back at
- * the IPMP meta-interface itself.
- */
- if (!ipmp_ill->ill_isv6)
- ill_refresh_bcast(ipmp_ill);
}
/*
@@ -872,33 +850,33 @@ ipmp_illgrp_set_cast(ipmp_illgrp_t *illg, ill_t *castill)
* created IPMP ARP entry, or NULL on failure.
*/
ipmp_arpent_t *
-ipmp_illgrp_create_arpent(ipmp_illgrp_t *illg, mblk_t *mp, boolean_t proxyarp)
+ipmp_illgrp_create_arpent(ipmp_illgrp_t *illg, boolean_t proxyarp,
+ ipaddr_t ipaddr, uchar_t *lladdr, size_t lladdr_len, uint16_t flags)
{
- uchar_t *addrp;
- area_t *area = (area_t *)mp->b_rptr;
ipmp_arpent_t *entp, *oentp;
ASSERT(IAM_WRITER_ILL(illg->ig_ipmp_ill));
- ASSERT(area->area_proto_addr_length == sizeof (ipaddr_t));
- if ((entp = kmem_zalloc(sizeof (ipmp_arpent_t), KM_NOSLEEP)) == NULL)
+ if ((entp = kmem_alloc(sizeof (ipmp_arpent_t) + lladdr_len,
+ KM_NOSLEEP)) == NULL)
return (NULL);
- if ((mp = copyb(mp)) == NULL) {
- kmem_free(entp, sizeof (ipmp_arpent_t));
- return (NULL);
- }
-
- DB_TYPE(mp) = M_PROTO;
- entp->ia_area_mp = mp;
- entp->ia_proxyarp = proxyarp;
- addrp = mi_offset_paramc(mp, area->area_proto_addr_offset,
- sizeof (ipaddr_t));
- bcopy(addrp, &entp->ia_ipaddr, sizeof (ipaddr_t));
-
+ /*
+ * Delete any existing ARP entry for this address.
+ */
if ((oentp = ipmp_illgrp_lookup_arpent(illg, &entp->ia_ipaddr)) != NULL)
ipmp_illgrp_destroy_arpent(illg, oentp);
+ /*
+ * Prepend the new entry.
+ */
+ entp->ia_ipaddr = ipaddr;
+ entp->ia_flags = flags;
+ entp->ia_lladdr_len = lladdr_len;
+ entp->ia_lladdr = (uchar_t *)&entp[1];
+ bcopy(lladdr, entp->ia_lladdr, lladdr_len);
+ entp->ia_proxyarp = proxyarp;
+ entp->ia_notified = B_TRUE;
list_insert_head(&illg->ig_arpent, entp);
return (entp);
}
@@ -912,8 +890,7 @@ ipmp_illgrp_destroy_arpent(ipmp_illgrp_t *illg, ipmp_arpent_t *entp)
ASSERT(IAM_WRITER_ILL(illg->ig_ipmp_ill));
list_remove(&illg->ig_arpent, entp);
- freeb(entp->ia_area_mp);
- kmem_free(entp, sizeof (ipmp_arpent_t));
+ kmem_free(entp, sizeof (ipmp_arpent_t) + entp->ia_lladdr_len);
}
/*
@@ -957,10 +934,9 @@ ipmp_illgrp_refresh_arpent(ipmp_illgrp_t *illg)
{
ill_t *ill, *ipmp_ill = illg->ig_ipmp_ill;
uint_t paddrlen = ipmp_ill->ill_phys_addr_length;
- area_t *area;
- mblk_t *area_mp;
- uchar_t *physaddr;
ipmp_arpent_t *entp;
+ ncec_t *ncec;
+ nce_t *nce;
ASSERT(IAM_WRITER_ILL(ipmp_ill));
ASSERT(!ipmp_ill->ill_isv6);
@@ -973,11 +949,7 @@ ipmp_illgrp_refresh_arpent(ipmp_illgrp_t *illg)
continue;
}
- area = (area_t *)entp->ia_area_mp->b_rptr;
ASSERT(paddrlen == ill->ill_phys_addr_length);
- ASSERT(paddrlen == area->area_hw_addr_length);
- physaddr = mi_offset_paramc(entp->ia_area_mp,
- area->area_hw_addr_offset, paddrlen);
/*
* If this is a proxy ARP entry, we can skip notifying ARP if
@@ -985,18 +957,25 @@ ipmp_illgrp_refresh_arpent(ipmp_illgrp_t *illg)
* update the entry's hardware address before notifying ARP.
*/
if (entp->ia_proxyarp) {
- if (bcmp(ill->ill_phys_addr, physaddr, paddrlen) == 0 &&
- entp->ia_notified)
+ if (bcmp(ill->ill_phys_addr, entp->ia_lladdr,
+ paddrlen) == 0 && entp->ia_notified)
continue;
- bcopy(ill->ill_phys_addr, physaddr, paddrlen);
+ bcopy(ill->ill_phys_addr, entp->ia_lladdr, paddrlen);
}
- if ((area_mp = copyb(entp->ia_area_mp)) == NULL) {
- entp->ia_notified = B_FALSE;
+ (void) nce_lookup_then_add_v4(ipmp_ill, entp->ia_lladdr,
+ paddrlen, &entp->ia_ipaddr, entp->ia_flags, ND_UNCHANGED,
+ &nce);
+ if (nce == NULL || !entp->ia_proxyarp) {
+ if (nce != NULL)
+ nce_refrele(nce);
continue;
}
-
- putnext(ipmp_ill->ill_rq, area_mp);
+ ncec = nce->nce_common;
+ mutex_enter(&ncec->ncec_lock);
+ nce_update(ncec, ND_UNCHANGED, ill->ill_phys_addr);
+ mutex_exit(&ncec->ncec_lock);
+ nce_refrele(nce);
ipmp_illgrp_mark_arpent(illg, entp);
if ((ill = list_next(&illg->ig_actif, ill)) == NULL)
@@ -1061,16 +1040,16 @@ ipmp_illgrp_refresh_mtu(ipmp_illgrp_t *illg)
ASSERT(IAM_WRITER_ILL(ipmp_ill));
/*
- * Since ill_max_mtu can only change under ill_lock, we hold ill_lock
+ * Since ill_mtu can only change under ill_lock, we hold ill_lock
* for each ill as we iterate through the list. Any changes to the
- * ill_max_mtu will also trigger an update, so even if we missed it
+ * ill_mtu will also trigger an update, so even if we missed it
* this time around, the update will catch it.
*/
ill = list_head(&illg->ig_if);
for (; ill != NULL; ill = list_next(&illg->ig_if, ill)) {
mutex_enter(&ill->ill_lock);
- if (mtu == 0 || ill->ill_max_mtu < mtu)
- mtu = ill->ill_max_mtu;
+ if (mtu == 0 || ill->ill_mtu < mtu)
+ mtu = ill->ill_mtu;
mutex_exit(&ill->ill_lock);
}
@@ -1171,13 +1150,12 @@ ipmp_ill_join_illgrp(ill_t *ill, ipmp_illgrp_t *illg)
* This may seem odd, but it's consistent with the application view
* that `ill' no longer exists (e.g., due to ipmp_ill_rtsaddrmsg()).
*/
+ update_conn_ill(ill, ill->ill_ipst);
if (ill->ill_isv6) {
- reset_conn_ill(ill);
reset_mrt_ill(ill);
} else {
ipif = ill->ill_ipif;
for (; ipif != NULL; ipif = ipif->ipif_next) {
- reset_conn_ipif(ipif);
reset_mrt_vif_ipif(ipif);
}
}
@@ -1206,7 +1184,7 @@ ipmp_ill_join_illgrp(ill_t *ill, ipmp_illgrp_t *illg)
ipmp_ill->ill_flags |= ILLF_COS_ENABLED;
mutex_exit(&ipmp_ill->ill_lock);
}
- ipmp_illgrp_set_mtu(illg, ill->ill_max_mtu);
+ ipmp_illgrp_set_mtu(illg, ill->ill_mtu);
} else {
ASSERT(ipmp_ill->ill_phys_addr_length ==
ill->ill_phys_addr_length);
@@ -1217,8 +1195,8 @@ ipmp_ill_join_illgrp(ill_t *ill, ipmp_illgrp_t *illg)
ipmp_ill->ill_flags &= ~ILLF_COS_ENABLED;
mutex_exit(&ipmp_ill->ill_lock);
}
- if (illg->ig_mtu > ill->ill_max_mtu)
- ipmp_illgrp_set_mtu(illg, ill->ill_max_mtu);
+ if (illg->ig_mtu > ill->ill_mtu)
+ ipmp_illgrp_set_mtu(illg, ill->ill_mtu);
}
rw_enter(&ipst->ips_ill_g_lock, RW_WRITER);
@@ -1232,12 +1210,6 @@ ipmp_ill_join_illgrp(ill_t *ill, ipmp_illgrp_t *illg)
*/
ire_walk_ill(MATCH_IRE_ILL, 0, ipmp_ill_ire_mark_testhidden, ill, ill);
- /*
- * Merge any broadcast IREs, if need be.
- */
- if (!ill->ill_isv6)
- ill_refresh_bcast(ill);
-
ipmp_ill_refresh_active(ill);
}
@@ -1301,12 +1273,6 @@ ipmp_ill_leave_illgrp(ill_t *ill)
rw_exit(&ipst->ips_ill_g_lock);
/*
- * Recreate any broadcast IREs that had been shared, if need be.
- */
- if (!ill->ill_isv6)
- ill_refresh_bcast(ill);
-
- /*
* Re-establish multicast memberships that were previously being
* handled by the IPMP meta-interface.
*/
@@ -1456,10 +1422,8 @@ static boolean_t
ipmp_ill_activate(ill_t *ill)
{
ipif_t *ipif;
- mblk_t *actmp = NULL, *deactmp = NULL;
mblk_t *linkupmp = NULL, *linkdownmp = NULL;
ipmp_grp_t *grp = ill->ill_phyint->phyint_grp;
- const char *grifname = grp->gr_ifname;
ipmp_illgrp_t *illg = ill->ill_grp;
ill_t *maxill;
ip_stack_t *ipst = IPMP_ILLGRP_TO_IPST(illg);
@@ -1478,20 +1442,6 @@ ipmp_ill_activate(ill_t *ill)
goto fail;
}
- /*
- * For IPv4, allocate the activate/deactivate messages, and tell ARP.
- */
- if (!ill->ill_isv6) {
- actmp = ill_arie_alloc(ill, grifname, &ipmp_aract_template);
- deactmp = ill_arie_alloc(ill, grifname, &ipmp_ardeact_template);
- if (actmp == NULL || deactmp == NULL)
- goto fail;
-
- ASSERT(ill->ill_ardeact_mp == NULL);
- ill->ill_ardeact_mp = deactmp;
- putnext(illg->ig_ipmp_ill->ill_rq, actmp);
- }
-
if (list_is_empty(&illg->ig_actif)) {
/*
* Now that we have an active ill, nominate it for multicast
@@ -1524,12 +1474,6 @@ ipmp_ill_activate(ill_t *ill)
ipif = ipmp_ill_unbind_ipif(maxill, NULL, B_TRUE);
ipmp_ill_bind_ipif(ill, ipif, Res_act_rebind);
}
-
- /*
- * TODO: explore whether it's advantageous to flush IRE_CACHE
- * bindings to force existing connections to be redistributed
- * to the new ill.
- */
}
/*
@@ -1542,7 +1486,7 @@ ipmp_ill_activate(ill_t *ill)
rw_exit(&ipst->ips_ipmp_lock);
/*
- * Refresh ARP entries to use `ill', if need be.
+ * Refresh static/proxy ARP entries to use `ill', if need be.
*/
if (!ill->ill_isv6)
ipmp_illgrp_refresh_arpent(illg);
@@ -1557,8 +1501,6 @@ ipmp_ill_activate(ill_t *ill)
}
return (B_TRUE);
fail:
- freemsg(actmp);
- freemsg(deactmp);
freemsg(linkupmp);
freemsg(linkdownmp);
return (B_FALSE);
@@ -1581,18 +1523,6 @@ ipmp_ill_deactivate(ill_t *ill)
ASSERT(IS_UNDER_IPMP(ill));
/*
- * Delete all IRE_CACHE entries for the group. (We cannot restrict
- * ourselves to entries with ire_stq == ill since there may be other
- * IREs that are backed by ACEs that are tied to this ill -- and thus
- * when those ACEs are deleted, the IREs will be adrift without any
- * AR_CN_ANNOUNCE notification from ARP.)
- */
- if (ill->ill_isv6)
- ire_walk_v6(ill_grp_cache_delete, ill, ALL_ZONES, ipst);
- else
- ire_walk_v4(ill_grp_cache_delete, ill, ALL_ZONES, ipst);
-
- /*
* Pull the interface out of the active list.
*/
rw_enter(&ipst->ips_ipmp_lock, RW_WRITER);
@@ -1609,6 +1539,12 @@ ipmp_ill_deactivate(ill_t *ill)
ipmp_illgrp_set_cast(illg, list_head(&illg->ig_actif));
/*
+ * Delete all nce_t entries using this ill, so that the next attempt
+ * to send data traffic will revalidate cached nce's.
+ */
+ nce_flush(ill, B_TRUE);
+
+ /*
* Unbind all of the ipifs bound to this ill, and save 'em in a list;
* we'll rebind them after we tell the resolver the ill is no longer
* active. We must do things in this order or the resolver could
@@ -1620,18 +1556,10 @@ ipmp_ill_deactivate(ill_t *ill)
ipif->ipif_bound_next = ubheadipif;
ubheadipif = ipif;
}
-
if (!ill->ill_isv6) {
- /*
- * Tell ARP `ill' is no longer active in the group.
- */
- mp = ill->ill_ardeact_mp;
- ill->ill_ardeact_mp = NULL;
- ASSERT(mp != NULL);
- putnext(illg->ig_ipmp_ill->ill_rq, mp);
/*
- * Refresh any ARP entries that had been using `ill'.
+ * Refresh static/proxy ARP entries that had been using `ill'.
*/
ipmp_illgrp_refresh_arpent(illg);
}
@@ -1649,6 +1577,20 @@ ipmp_ill_deactivate(ill_t *ill)
ipmp_ill_bind_ipif(minill, ipif, Res_act_rebind);
}
+ if (list_is_empty(&illg->ig_actif)) {
+ ill_t *ipmp_ill = illg->ig_ipmp_ill;
+
+ ncec_walk(ipmp_ill, (pfi_t)ncec_delete_per_ill,
+ (uchar_t *)ipmp_ill, ipmp_ill->ill_ipst);
+ }
+
+ /*
+ * Remove any IRE_IF_CLONE for this ill since they might have
+ * an ire_nce_cache/nce_common which refers to another ill in the group.
+ */
+ ire_walk_ill(MATCH_IRE_TYPE, IRE_IF_CLONE, ill_downi_if_clone,
+ ill, ill);
+
/*
* Finally, mark the group link down, if necessary.
*/
@@ -1725,7 +1667,7 @@ ipmp_ill_bind_ipif(ill_t *ill, ipif_t *ipif, enum ip_resolver_action act)
/*
* If necessary, tell ARP/NDP about the new mapping. Note that
- * ipif_resolver_up() cannot fail for non-XRESOLV IPv6 ills.
+ * ipif_resolver_up() cannot fail for IPv6 ills.
*/
if (act != Res_act_none) {
if (ill->ill_isv6) {
@@ -1756,15 +1698,12 @@ ipmp_ill_bind_ipif(ill_t *ill, ipif_t *ipif, enum ip_resolver_action act)
static ipif_t *
ipmp_ill_unbind_ipif(ill_t *ill, ipif_t *ipif, boolean_t notifyres)
{
- ill_t *ipmp_ill;
ipif_t *previpif;
ip_stack_t *ipst = ill->ill_ipst;
ASSERT(IAM_WRITER_ILL(ill));
ASSERT(IS_UNDER_IPMP(ill));
- ipmp_ill = ill->ill_grp->ig_ipmp_ill;
-
/*
* If necessary, find an ipif to unbind.
*/
@@ -1803,13 +1742,10 @@ ipmp_ill_unbind_ipif(ill_t *ill, ipif_t *ipif, boolean_t notifyres)
* If requested, notify the resolvers (provided we're bound).
*/
if (notifyres && ipif->ipif_bound) {
- if (ill->ill_isv6) {
+ if (ill->ill_isv6)
ipif_ndp_down(ipif);
- } else {
- ASSERT(ipif->ipif_arp_del_mp != NULL);
- putnext(ipmp_ill->ill_rq, ipif->ipif_arp_del_mp);
- ipif->ipif_arp_del_mp = NULL;
- }
+ else
+ (void) ipif_arp_down(ipif);
}
ipif->ipif_bound = B_FALSE;
@@ -1845,8 +1781,8 @@ ipmp_ill_is_active(ill_t *ill)
}
/*
- * IRE walker callback: set IRE_MARK_TESTHIDDEN on cache/interface/offsubnet
- * IREs with a source address on `ill_arg'.
+ * IRE walker callback: set ire_testhidden on IRE_HIDDEN_TYPE IREs associated
+ * with `ill_arg'.
*/
static void
ipmp_ill_ire_mark_testhidden(ire_t *ire, char *ill_arg)
@@ -1856,27 +1792,18 @@ ipmp_ill_ire_mark_testhidden(ire_t *ire, char *ill_arg)
ASSERT(IAM_WRITER_ILL(ill));
ASSERT(!IS_IPMP(ill));
- if (ire->ire_ipif->ipif_ill != ill)
+ if (ire->ire_ill != ill)
return;
- switch (ire->ire_type) {
- case IRE_HOST:
- case IRE_PREFIX:
- case IRE_DEFAULT:
- case IRE_CACHE:
- case IRE_IF_RESOLVER:
- case IRE_IF_NORESOLVER:
+ if (IRE_HIDDEN_TYPE(ire->ire_type)) {
DTRACE_PROBE1(ipmp__mark__testhidden, ire_t *, ire);
- ire->ire_marks |= IRE_MARK_TESTHIDDEN;
- break;
- default:
- break;
+ ire->ire_testhidden = B_TRUE;
}
}
/*
- * IRE walker callback: clear IRE_MARK_TESTHIDDEN if the IRE has a source
- * address on `ill_arg'.
+ * IRE walker callback: clear ire_testhidden if the IRE has a source address
+ * on `ill_arg'.
*/
static void
ipmp_ill_ire_clear_testhidden(ire_t *ire, char *ill_arg)
@@ -1886,9 +1813,9 @@ ipmp_ill_ire_clear_testhidden(ire_t *ire, char *ill_arg)
ASSERT(IAM_WRITER_ILL(ill));
ASSERT(!IS_IPMP(ill));
- if (ire->ire_ipif->ipif_ill == ill) {
+ if (ire->ire_ill == ill) {
DTRACE_PROBE1(ipmp__clear__testhidden, ire_t *, ire);
- ire->ire_marks &= ~IRE_MARK_TESTHIDDEN;
+ ire->ire_testhidden = B_FALSE;
}
}
@@ -1909,7 +1836,7 @@ ipmp_ill_hold_ipmp_ill(ill_t *ill)
rw_enter(&ipst->ips_ipmp_lock, RW_READER);
illg = ill->ill_grp;
- if (illg != NULL && ill_check_and_refhold(illg->ig_ipmp_ill) == 0) {
+ if (illg != NULL && ill_check_and_refhold(illg->ig_ipmp_ill)) {
rw_exit(&ipst->ips_ipmp_lock);
return (illg->ig_ipmp_ill);
}
@@ -2135,7 +2062,7 @@ ipmp_ipif_hold_bound_ill(const ipif_t *ipif)
rw_enter(&ipst->ips_ipmp_lock, RW_READER);
boundill = ipif->ipif_bound_ill;
- if (boundill != NULL && ill_check_and_refhold(boundill) == 0) {
+ if (boundill != NULL && ill_check_and_refhold(boundill)) {
rw_exit(&ipst->ips_ipmp_lock);
return (boundill);
}
@@ -2192,3 +2119,182 @@ ipmp_ipif_is_up_dataaddr(const ipif_t *ipif)
{
return (ipmp_ipif_is_dataaddr(ipif) && (ipif->ipif_flags & IPIF_UP));
}
+
+/*
+ * Check if `mp' contains a probe packet by verifying if the IP source address
+ * is a test address on an underlying interface `ill'. Caller need not be inside
+ * the IPSQ.
+ */
+boolean_t
+ipmp_packet_is_probe(mblk_t *mp, ill_t *ill)
+{
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ ASSERT(DB_TYPE(mp) != M_CTL);
+
+ if (!IS_UNDER_IPMP(ill))
+ return (B_FALSE);
+
+ if (ill->ill_isv6) {
+ if (!IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src) &&
+ ipif_lookup_testaddr_v6(ill, &ip6h->ip6_src, NULL))
+ return (B_TRUE);
+ } else {
+ if ((ipha->ipha_src != INADDR_ANY) &&
+ ipif_lookup_testaddr_v4(ill, &ipha->ipha_src, NULL))
+ return (B_TRUE);
+ }
+ return (B_FALSE);
+}
+
+/*
+ * Pick out an appropriate underlying interface for packet transmit. This
+ * function may be called from the data path, so we need to verify that the
+ * IPMP group associated with `ill' is non-null after holding the ill_g_lock.
+ * Caller need not be inside the IPSQ.
+ */
+ill_t *
+ipmp_ill_get_xmit_ill(ill_t *ill, boolean_t is_unicast)
+{
+ ill_t *xmit_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
+ if (ill->ill_grp == NULL) {
+ /*
+ * The interface was taken out of the group. Return ill itself,
+ * but take a ref so that callers will always be able to do
+ * ill_refrele(ill);
+ */
+ rw_exit(&ipst->ips_ill_g_lock);
+ ill_refhold(ill);
+ return (ill);
+ }
+ if (!is_unicast)
+ xmit_ill = ipmp_illgrp_hold_cast_ill(ill->ill_grp);
+ else
+ xmit_ill = ipmp_illgrp_hold_next_ill(ill->ill_grp);
+ rw_exit(&ipst->ips_ill_g_lock);
+ return (xmit_ill);
+}
+
+/*
+ * Flush out any nce that points at `ncec' from an underlying interface
+ */
+void
+ipmp_ncec_flush_nce(ncec_t *ncec)
+{
+ ill_t *ncec_ill = ncec->ncec_ill;
+ ill_t *ill;
+ ipmp_illgrp_t *illg;
+ ip_stack_t *ipst = ncec_ill->ill_ipst;
+ list_t dead;
+ nce_t *nce;
+
+ if (!IS_IPMP(ncec_ill))
+ return;
+
+ illg = ncec_ill->ill_grp;
+ list_create(&dead, sizeof (nce_t), offsetof(nce_t, nce_node));
+
+ rw_enter(&ipst->ips_ill_g_lock, RW_READER);
+ ill = list_head(&illg->ig_if);
+ for (; ill != NULL; ill = list_next(&illg->ig_if, ill)) {
+ nce_fastpath_list_delete(ill, ncec, &dead);
+ }
+ rw_exit(&ipst->ips_ill_g_lock);
+
+ /*
+ * we may now nce_refrele() all dead entries since all locks have been
+ * dropped.
+ */
+ while ((nce = list_head(&dead)) != NULL) {
+ list_remove(&dead, nce);
+ nce_refrele(nce);
+ }
+ ASSERT(list_is_empty(&dead));
+ list_destroy(&dead);
+}
+
+/*
+ * For each interface in the IPMP group, if there are nce_t entries for the IP
+ * address corresponding to `ncec', then their dl_unitdata_req_t and fastpath
+ * information must be updated to match the link-layer address information in
+ * `ncec'.
+ */
+void
+ipmp_ncec_fastpath(ncec_t *ncec, ill_t *ipmp_ill)
+{
+ ill_t *ill;
+ ipmp_illgrp_t *illg = ipmp_ill->ill_grp;
+ ip_stack_t *ipst = ipmp_ill->ill_ipst;
+ nce_t *nce, *nce_next;
+ list_t replace;
+
+ ASSERT(IS_IPMP(ipmp_ill));
+
+ /*
+ * if ncec itself is not reachable, there is no use in creating nce_t
+ * entries on the underlying interfaces in the group.
+ */
+ if (!NCE_ISREACHABLE(ncec))
+ return;
+
+ list_create(&replace, sizeof (nce_t), offsetof(nce_t, nce_node));
+ rw_enter(&ipst->ips_ipmp_lock, RW_READER);
+ ill = list_head(&illg->ig_actif);
+ for (; ill != NULL; ill = list_next(&illg->ig_actif, ill)) {
+ /*
+ * For each underlying interface, we first check if there is an
+ * nce_t for the address in ncec->ncec_addr. If one exists,
+ * we should trigger nce_fastpath for that nce_t. However, the
+ * catch is that we are holding the ips_ipmp_lock to prevent
+ * changes to the IPMP group membership, so that we cannot
+ * putnext() to the driver. So we nce_delete the
+ * list nce_t entries that need to be updated into the
+ * `replace' list, and then process the `replace' list
+ * after dropping the ips_ipmp_lock.
+ */
+ mutex_enter(&ill->ill_lock);
+ for (nce = list_head(&ill->ill_nce); nce != NULL; ) {
+ nce_next = list_next(&ill->ill_nce, nce);
+ if (!IN6_ARE_ADDR_EQUAL(&nce->nce_addr,
+ &ncec->ncec_addr)) {
+ nce = nce_next;
+ continue;
+ }
+ nce_refhold(nce);
+ nce_delete(nce);
+ list_insert_tail(&replace, nce);
+ nce = nce_next;
+ }
+ mutex_exit(&ill->ill_lock);
+ }
+ rw_exit(&ipst->ips_ipmp_lock);
+ /*
+ * `replace' now has the list of nce's on which we should be triggering
+ * nce_fastpath(). We now retrigger fastpath by setting up the nce
+ * again. The code in nce_lookup_then_add_v* ensures that nce->nce_ill
+ * is still in the group for ncec->ncec_ill
+ */
+ while ((nce = list_head(&replace)) != NULL) {
+ list_remove(&replace, nce);
+ if (ncec->ncec_ill->ill_isv6) {
+ (void) nce_lookup_then_add_v6(nce->nce_ill,
+ ncec->ncec_lladdr, ncec->ncec_lladdr_length,
+ &nce->nce_addr, ncec->ncec_flags, ND_UNCHANGED,
+ NULL);
+ } else {
+ ipaddr_t ipaddr;
+
+ IN6_V4MAPPED_TO_IPADDR(&ncec->ncec_addr, ipaddr);
+ (void) nce_lookup_then_add_v4(nce->nce_ill,
+ ncec->ncec_lladdr, ncec->ncec_lladdr_length,
+ &ipaddr, ncec->ncec_flags, ND_UNCHANGED, NULL);
+ }
+ nce_refrele(nce);
+ }
+ ASSERT(list_is_empty(&replace));
+ list_destroy(&replace);
+}
diff --git a/usr/src/uts/common/inet/ip/ipsec_loader.c b/usr/src/uts/common/inet/ip/ipsec_loader.c
index 6609146fd1..7f5c434359 100644
--- a/usr/src/uts/common/inet/ip/ipsec_loader.c
+++ b/usr/src/uts/common/inet/ip/ipsec_loader.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -121,8 +121,6 @@ ipsec_loader(void *arg)
}
mutex_exit(&ipss->ipsec_loader_lock);
- ip_ipsec_load_complete(ipss);
-
mutex_enter(&ipss->ipsec_loader_lock);
if (!ipsec_failure) {
CALLB_CPR_EXIT(&cprinfo);
diff --git a/usr/src/uts/common/inet/ip/ipsecah.c b/usr/src/uts/common/inet/ip/ipsecah.c
index c130dac490..a511b85ff4 100644
--- a/usr/src/uts/common/inet/ip/ipsecah.c
+++ b/usr/src/uts/common/inet/ip/ipsecah.c
@@ -54,6 +54,8 @@
#include <inet/ip.h>
#include <inet/ip6.h>
#include <inet/nd.h>
+#include <inet/ip_if.h>
+#include <inet/ip_ndp.h>
#include <inet/ipsec_info.h>
#include <inet/ipsec_impl.h>
#include <inet/sadb.h>
@@ -62,7 +64,6 @@
#include <inet/ipdrop.h>
#include <sys/taskq.h>
#include <sys/policy.h>
-#include <sys/iphada.h>
#include <sys/strsun.h>
#include <sys/crypto/common.h>
@@ -132,32 +133,27 @@ static ipsecahparam_t lcl_param_arr[] = {
#define AH_MSGSIZE(mp) ((mp)->b_cont != NULL ? msgdsize(mp) : MBLKL(mp))
-static ipsec_status_t ah_auth_out_done(mblk_t *);
-static ipsec_status_t ah_auth_in_done(mblk_t *);
+static mblk_t *ah_auth_out_done(mblk_t *, ip_xmit_attr_t *, ipsec_crypto_t *);
+static mblk_t *ah_auth_in_done(mblk_t *, ip_recv_attr_t *, ipsec_crypto_t *);
static mblk_t *ah_process_ip_options_v4(mblk_t *, ipsa_t *, int *, uint_t,
boolean_t, ipsecah_stack_t *);
static mblk_t *ah_process_ip_options_v6(mblk_t *, ipsa_t *, int *, uint_t,
boolean_t, ipsecah_stack_t *);
static void ah_getspi(mblk_t *, keysock_in_t *, ipsecah_stack_t *);
-static ipsec_status_t ah_inbound_accelerated(mblk_t *, boolean_t, ipsa_t *,
- uint32_t);
-static ipsec_status_t ah_outbound_accelerated_v4(mblk_t *, ipsa_t *);
-static ipsec_status_t ah_outbound_accelerated_v6(mblk_t *, ipsa_t *);
-static ipsec_status_t ah_outbound(mblk_t *);
+static void ah_inbound_restart(mblk_t *, ip_recv_attr_t *);
+
+static mblk_t *ah_outbound(mblk_t *, ip_xmit_attr_t *);
+static void ah_outbound_finish(mblk_t *, ip_xmit_attr_t *);
static int ipsecah_open(queue_t *, dev_t *, int, int, cred_t *);
static int ipsecah_close(queue_t *);
-static void ipsecah_rput(queue_t *, mblk_t *);
static void ipsecah_wput(queue_t *, mblk_t *);
static void ah_send_acquire(ipsacq_t *, mblk_t *, netstack_t *);
static boolean_t ah_register_out(uint32_t, uint32_t, uint_t, ipsecah_stack_t *,
- mblk_t *);
+ cred_t *);
static void *ipsecah_stack_init(netstackid_t stackid, netstack_t *ns);
static void ipsecah_stack_fini(netstackid_t stackid, void *arg);
-extern void (*cl_inet_getspi)(netstackid_t, uint8_t, uint8_t *, size_t,
- void *);
-
/* Setable in /etc/system */
uint32_t ah_hash_size = IPSEC_DEFAULT_HASH_SIZE;
@@ -168,7 +164,7 @@ static struct module_info info = {
};
static struct qinit rinit = {
- (pfi_t)ipsecah_rput, NULL, ipsecah_open, ipsecah_close, NULL, &info,
+ (pfi_t)putnext, NULL, ipsecah_open, ipsecah_close, NULL, &info,
NULL
};
@@ -215,9 +211,6 @@ ah_kstat_init(ipsecah_stack_t *ahstack, netstackid_t stackid)
KI(acquire_requests);
KI(bytes_expired);
KI(out_discards);
- KI(in_accelerated);
- KI(out_accelerated);
- KI(noaccel);
KI(crypto_sync);
KI(crypto_async);
KI(crypto_failures);
@@ -275,9 +268,9 @@ ah_ager(void *arg)
hrtime_t begin = gethrtime();
sadb_ager(&ahstack->ah_sadb.s_v4, ahstack->ah_pfkey_q,
- ahstack->ah_sadb.s_ip_q, ahstack->ipsecah_reap_delay, ns);
+ ahstack->ipsecah_reap_delay, ns);
sadb_ager(&ahstack->ah_sadb.s_v6, ahstack->ah_pfkey_q,
- ahstack->ah_sadb.s_ip_q, ahstack->ipsecah_reap_delay, ns);
+ ahstack->ipsecah_reap_delay, ns);
ahstack->ah_event = sadb_retimeout(begin, ahstack->ah_pfkey_q,
ah_ager, ahstack,
@@ -474,7 +467,13 @@ ipsecah_stack_fini(netstackid_t stackid, void *arg)
}
/*
- * AH module open routine. The module should be opened by keysock.
+ * AH module open routine, which is here for keysock plumbing.
+ * Keysock is pushed over {AH,ESP} which is an artifact from the Bad Old
+ * Days of export control, and fears that ESP would not be allowed
+ * to be shipped at all by default. Eventually, keysock should
+ * either access AH and ESP via modstubs or krtld dependencies, or
+ * perhaps be folded in with AH and ESP into a single IPsec/netsec
+ * module ("netsec" if PF_KEY provides more than AH/ESP keying tables).
*/
/* ARGSUSED */
static int
@@ -497,57 +496,10 @@ ipsecah_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
ahstack = ns->netstack_ipsecah;
ASSERT(ahstack != NULL);
- /*
- * ASSUMPTIONS (because I'm MT_OCEXCL):
- *
- * * I'm being pushed on top of IP for all my opens (incl. #1).
- * * Only ipsecah_open() can write into ah_sadb.s_ip_q.
- * * Because of this, I can check lazily for ah_sadb.s_ip_q.
- *
- * If these assumptions are wrong, I'm in BIG trouble...
- */
-
q->q_ptr = ahstack;
WR(q)->q_ptr = q->q_ptr;
- if (ahstack->ah_sadb.s_ip_q == NULL) {
- struct T_unbind_req *tur;
-
- ahstack->ah_sadb.s_ip_q = WR(q);
- /* Allocate an unbind... */
- ahstack->ah_ip_unbind = allocb(sizeof (struct T_unbind_req),
- BPRI_HI);
-
- /*
- * Send down T_BIND_REQ to bind IPPROTO_AH.
- * Handle the ACK here in AH.
- */
- qprocson(q);
- if (ahstack->ah_ip_unbind == NULL ||
- !sadb_t_bind_req(ahstack->ah_sadb.s_ip_q, IPPROTO_AH)) {
- if (ahstack->ah_ip_unbind != NULL) {
- freeb(ahstack->ah_ip_unbind);
- ahstack->ah_ip_unbind = NULL;
- }
- q->q_ptr = NULL;
- qprocsoff(q);
- netstack_rele(ahstack->ipsecah_netstack);
- return (ENOMEM);
- }
-
- ahstack->ah_ip_unbind->b_datap->db_type = M_PROTO;
- tur = (struct T_unbind_req *)ahstack->ah_ip_unbind->b_rptr;
- tur->PRIM_type = T_UNBIND_REQ;
- } else {
- qprocson(q);
- }
-
- /*
- * For now, there's not much I can do. I'll be getting a message
- * passed down to me from keysock (in my wput), and a T_BIND_ACK
- * up from IP (in my rput).
- */
-
+ qprocson(q);
return (0);
}
@@ -560,17 +512,6 @@ ipsecah_close(queue_t *q)
ipsecah_stack_t *ahstack = (ipsecah_stack_t *)q->q_ptr;
/*
- * If ah_sadb.s_ip_q is attached to this instance, send a
- * T_UNBIND_REQ to IP for the instance before doing
- * a qprocsoff().
- */
- if (WR(q) == ahstack->ah_sadb.s_ip_q &&
- ahstack->ah_ip_unbind != NULL) {
- putnext(WR(q), ahstack->ah_ip_unbind);
- ahstack->ah_ip_unbind = NULL;
- }
-
- /*
* Clean up q_ptr, if needed.
*/
qprocsoff(q);
@@ -585,98 +526,16 @@ ipsecah_close(queue_t *q)
(void) quntimeout(q, ahstack->ah_event);
}
- if (WR(q) == ahstack->ah_sadb.s_ip_q) {
- /*
- * If the ah_sadb.s_ip_q is attached to this instance, find
- * another. The OCEXCL outer perimeter helps us here.
- */
-
- ahstack->ah_sadb.s_ip_q = NULL;
-
- /*
- * Find a replacement queue for ah_sadb.s_ip_q.
- */
- if (ahstack->ah_pfkey_q != NULL &&
- ahstack->ah_pfkey_q != RD(q)) {
- /*
- * See if we can use the pfkey_q.
- */
- ahstack->ah_sadb.s_ip_q = WR(ahstack->ah_pfkey_q);
- }
-
- if (ahstack->ah_sadb.s_ip_q == NULL ||
- !sadb_t_bind_req(ahstack->ah_sadb.s_ip_q, IPPROTO_AH)) {
- ah1dbg(ahstack,
- ("ipsecah: Can't reassign ah_sadb.s_ip_q.\n"));
- ahstack->ah_sadb.s_ip_q = NULL;
- } else {
- ahstack->ah_ip_unbind =
- allocb(sizeof (struct T_unbind_req), BPRI_HI);
-
- if (ahstack->ah_ip_unbind != NULL) {
- struct T_unbind_req *tur;
-
- ahstack->ah_ip_unbind->b_datap->db_type =
- M_PROTO;
- tur = (struct T_unbind_req *)
- ahstack->ah_ip_unbind->b_rptr;
- tur->PRIM_type = T_UNBIND_REQ;
- }
- /* If it's NULL, I can't do much here. */
- }
- }
-
netstack_rele(ahstack->ipsecah_netstack);
return (0);
}
/*
- * AH module read put routine.
- */
-/* ARGSUSED */
-static void
-ipsecah_rput(queue_t *q, mblk_t *mp)
-{
- ipsecah_stack_t *ahstack = (ipsecah_stack_t *)q->q_ptr;
-
- ASSERT(mp->b_datap->db_type != M_CTL); /* No more IRE_DB_REQ. */
-
- switch (mp->b_datap->db_type) {
- case M_PROTO:
- case M_PCPROTO:
- /* TPI message of some sort. */
- switch (*((t_scalar_t *)mp->b_rptr)) {
- case T_BIND_ACK:
- /* We expect this. */
- ah3dbg(ahstack,
- ("Thank you IP from AH for T_BIND_ACK\n"));
- break;
- case T_ERROR_ACK:
- cmn_err(CE_WARN,
- "ipsecah: AH received T_ERROR_ACK from IP.");
- break;
- case T_OK_ACK:
- /* Probably from a (rarely sent) T_UNBIND_REQ. */
- break;
- default:
- ah1dbg(ahstack, ("Unknown M_{,PC}PROTO message.\n"));
- }
- freemsg(mp);
- break;
- default:
- /* For now, passthru message. */
- ah2dbg(ahstack, ("AH got unknown mblk type %d.\n",
- mp->b_datap->db_type));
- putnext(q, mp);
- }
-}
-
-/*
* Construct an SADB_REGISTER message with the current algorithms.
*/
static boolean_t
ah_register_out(uint32_t sequence, uint32_t pid, uint_t serial,
- ipsecah_stack_t *ahstack, mblk_t *in_mp)
+ ipsecah_stack_t *ahstack, cred_t *cr)
{
mblk_t *mp;
boolean_t rc = B_TRUE;
@@ -691,7 +550,7 @@ ah_register_out(uint32_t sequence, uint32_t pid, uint_t serial,
sadb_sens_t *sens;
size_t sens_len = 0;
sadb_ext_t *nextext;
- cred_t *sens_cr = NULL;
+ ts_label_t *sens_tsl = NULL;
/* Allocate the KEYSOCK_OUT. */
mp = sadb_keysock_out(serial);
@@ -700,11 +559,10 @@ ah_register_out(uint32_t sequence, uint32_t pid, uint_t serial,
return (B_FALSE);
}
- if (is_system_labeled() && (in_mp != NULL)) {
- sens_cr = msg_getcred(in_mp, NULL);
-
- if (sens_cr != NULL) {
- sens_len = sadb_sens_len_from_cred(sens_cr);
+ if (is_system_labeled() && (cr != NULL)) {
+ sens_tsl = crgetlabel(cr);
+ if (sens_tsl != NULL) {
+ sens_len = sadb_sens_len_from_label(sens_tsl);
allocsize += sens_len;
}
}
@@ -786,10 +644,10 @@ ah_register_out(uint32_t sequence, uint32_t pid, uint_t serial,
mutex_exit(&ipss->ipsec_alg_lock);
- if (sens_cr != NULL) {
+ if (sens_tsl != NULL) {
sens = (sadb_sens_t *)nextext;
- sadb_sens_from_cred(sens, SADB_EXT_SENSITIVITY,
- sens_cr, sens_len);
+ sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY,
+ sens_tsl, sens_len);
nextext = (sadb_ext_t *)(((uint8_t *)sens) + sens_len);
}
@@ -847,40 +705,61 @@ ipsecah_algs_changed(netstack_t *ns)
/*
* Stub function that taskq_dispatch() invokes to take the mblk (in arg)
- * and put() it into AH and STREAMS again.
+ * and send it into AH and IP again.
*/
static void
inbound_task(void *arg)
{
- ah_t *ah;
- mblk_t *mp = (mblk_t *)arg;
- ipsec_in_t *ii = (ipsec_in_t *)mp->b_rptr;
- int ipsec_rc;
- netstack_t *ns;
- ipsecah_stack_t *ahstack;
-
- ns = netstack_find_by_stackid(ii->ipsec_in_stackid);
- if (ns == NULL || ns != ii->ipsec_in_ns) {
- /* Just freemsg(). */
- if (ns != NULL)
- netstack_rele(ns);
+ mblk_t *mp = (mblk_t *)arg;
+ mblk_t *async_mp;
+ ip_recv_attr_t iras;
+
+ async_mp = mp;
+ mp = async_mp->b_cont;
+ async_mp->b_cont = NULL;
+ if (!ip_recv_attr_from_mblk(async_mp, &iras)) {
+ /* The ill or ip_stack_t disappeared on us */
+ ip_drop_input("ip_recv_attr_from_mblk", mp, NULL);
freemsg(mp);
- return;
+ goto done;
}
- ahstack = ns->netstack_ipsecah;
+ ah_inbound_restart(mp, &iras);
+done:
+ ira_cleanup(&iras, B_TRUE);
+}
- ah2dbg(ahstack, ("in AH inbound_task"));
+/*
+ * Restart ESP after the SA has been added.
+ */
+static void
+ah_inbound_restart(mblk_t *mp, ip_recv_attr_t *ira)
+{
+ ah_t *ah;
+ netstack_t *ns;
+ ipsecah_stack_t *ahstack;
+
+ ns = ira->ira_ill->ill_ipst->ips_netstack;
+ ahstack = ns->netstack_ipsecah;
ASSERT(ahstack != NULL);
- ah = ipsec_inbound_ah_sa(mp, ns);
- if (ah != NULL) {
- ASSERT(ii->ipsec_in_ah_sa != NULL);
- ipsec_rc = ii->ipsec_in_ah_sa->ipsa_input_func(mp, ah);
- if (ipsec_rc == IPSEC_STATUS_SUCCESS)
- ip_fanout_proto_again(mp, NULL, NULL, NULL);
+ mp = ipsec_inbound_ah_sa(mp, ira, &ah);
+ if (mp == NULL)
+ return;
+
+ ASSERT(ah != NULL);
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
+ ASSERT(ira->ira_ipsec_ah_sa != NULL);
+
+ mp = ira->ira_ipsec_ah_sa->ipsa_input_func(mp, ah, ira);
+ if (mp == NULL) {
+ /*
+ * Either it failed or is pending. In the former case
+ * ipIfStatsInDiscards was increased.
+ */
+ return;
}
- netstack_rele(ns);
+ ip_input_post_ipsec(mp, ira);
}
/*
@@ -1051,60 +930,96 @@ ah_add_sa_finish(mblk_t *mp, sadb_msg_t *samsg, keysock_in_t *ksi,
if (larval != NULL)
lpkt = sadb_clear_lpkt(larval);
- rc = sadb_common_add(ahstack->ah_sadb.s_ip_q, ahstack->ah_pfkey_q, mp,
+ rc = sadb_common_add(ahstack->ah_pfkey_q, mp,
samsg, ksi, primary, secondary, larval, clone, is_inbound,
diagnostic, ns, &ahstack->ah_sadb);
+ if (lpkt != NULL) {
+ if (rc == 0) {
+ rc = !taskq_dispatch(ah_taskq, inbound_task, lpkt,
+ TQ_NOSLEEP);
+ }
+ if (rc != 0) {
+ lpkt = ip_recv_attr_free_mblk(lpkt);
+ ip_drop_packet(lpkt, B_TRUE, NULL,
+ DROPPER(ipss, ipds_sadb_inlarval_timeout),
+ &ahstack->ah_dropper);
+ }
+ }
+
/*
* How much more stack will I create with all of these
- * ah_inbound_* and ah_outbound_*() calls?
+ * ah_outbound_*() calls?
*/
- if (rc == 0 && lpkt != NULL)
- rc = !taskq_dispatch(ah_taskq, inbound_task, lpkt, TQ_NOSLEEP);
-
- if (rc != 0) {
- ip_drop_packet(lpkt, B_TRUE, NULL, NULL,
- DROPPER(ipss, ipds_sadb_inlarval_timeout),
- &ahstack->ah_dropper);
- }
-
+ /* Handle the packets queued waiting for the SA */
while (acq_msgs != NULL) {
- mblk_t *mp = acq_msgs;
+ mblk_t *asyncmp;
+ mblk_t *data_mp;
+ ip_xmit_attr_t ixas;
+ ill_t *ill;
+ asyncmp = acq_msgs;
acq_msgs = acq_msgs->b_next;
- mp->b_next = NULL;
- if (rc == 0) {
- ipsec_out_t *io = (ipsec_out_t *)mp->b_rptr;
-
- ASSERT(ahstack->ah_sadb.s_ip_q != NULL);
- if (ipsec_outbound_sa(mp, IPPROTO_AH)) {
- io->ipsec_out_ah_done = B_TRUE;
- if (ah_outbound(mp) == IPSEC_STATUS_SUCCESS) {
- ipha_t *ipha = (ipha_t *)
- mp->b_cont->b_rptr;
- if (sq.af == AF_INET) {
- ip_wput_ipsec_out(NULL, mp,
- ipha, NULL, NULL);
- } else {
- ip6_t *ip6h = (ip6_t *)ipha;
-
- ASSERT(sq.af == AF_INET6);
-
- ip_wput_ipsec_out_v6(NULL,
- mp, ip6h, NULL, NULL);
- }
- }
- continue;
- }
+ asyncmp->b_next = NULL;
+
+ /*
+ * Extract the ip_xmit_attr_t from the first mblk.
+ * Verifies that the netstack and ill is still around; could
+ * have vanished while iked was doing its work.
+ * On succesful return we have a nce_t and the ill/ipst can't
+ * disappear until we do the nce_refrele in ixa_cleanup.
+ */
+ data_mp = asyncmp->b_cont;
+ asyncmp->b_cont = NULL;
+ if (!ip_xmit_attr_from_mblk(asyncmp, &ixas)) {
+ AH_BUMP_STAT(ahstack, out_discards);
+ ip_drop_packet(data_mp, B_FALSE, NULL,
+ DROPPER(ipss, ipds_sadb_acquire_timeout),
+ &ahstack->ah_dropper);
+ } else if (rc != 0) {
+ ill = ixas.ixa_nce->nce_ill;
+ AH_BUMP_STAT(ahstack, out_discards);
+ ip_drop_packet(data_mp, B_FALSE, ill,
+ DROPPER(ipss, ipds_sadb_acquire_timeout),
+ &ahstack->ah_dropper);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ } else {
+ ah_outbound_finish(data_mp, &ixas);
}
+ ixa_cleanup(&ixas);
+ }
+
+ return (rc);
+}
+
+
+/*
+ * Process one of the queued messages (from ipsacq_mp) once the SA
+ * has been added.
+ */
+static void
+ah_outbound_finish(mblk_t *data_mp, ip_xmit_attr_t *ixa)
+{
+ netstack_t *ns = ixa->ixa_ipst->ips_netstack;
+ ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+ ill_t *ill = ixa->ixa_nce->nce_ill;
+
+ if (!ipsec_outbound_sa(data_mp, ixa, IPPROTO_AH)) {
AH_BUMP_STAT(ahstack, out_discards);
- ip_drop_packet(mp, B_FALSE, NULL, NULL,
+ ip_drop_packet(data_mp, B_FALSE, ill,
DROPPER(ipss, ipds_sadb_acquire_timeout),
&ahstack->ah_dropper);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ return;
}
- return (rc);
+ data_mp = ah_outbound(data_mp, ixa);
+ if (data_mp == NULL)
+ return;
+
+ (void) ip_output_post_ipsec(data_mp, ixa);
}
/*
@@ -1300,8 +1215,7 @@ ah_del_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic,
}
return (sadb_purge_sa(mp, ksi,
(sin->sin_family == AF_INET6) ? &ahstack->ah_sadb.s_v6 :
- &ahstack->ah_sadb.s_v4, diagnostic, ahstack->ah_pfkey_q,
- ahstack->ah_sadb.s_ip_q));
+ &ahstack->ah_sadb.s_v4, diagnostic, ahstack->ah_pfkey_q));
}
return (sadb_delget_sa(mp, ksi, &ahstack->ah_sadb, diagnostic,
@@ -1449,7 +1363,7 @@ ah_parse_pfkey(mblk_t *mp, ipsecah_stack_t *ahstack)
* Keysock takes care of the PF_KEY bookkeeping for this.
*/
if (ah_register_out(samsg->sadb_msg_seq, samsg->sadb_msg_pid,
- ksi->ks_in_serial, ahstack, mp)) {
+ ksi->ks_in_serial, ahstack, msg_getcred(mp, NULL))) {
freemsg(mp);
} else {
/*
@@ -1534,8 +1448,7 @@ ah_keysock_no_socket(mblk_t *mp, ipsecah_stack_t *ahstack)
samsg->sadb_msg_errno = kse->ks_err_errno;
samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg));
/*
- * Use the write-side of the ah_pfkey_q, in case there is
- * no ahstack->ah_sadb.s_ip_q.
+ * Use the write-side of the ah_pfkey_q
*/
sadb_in_acquire(samsg, &ahstack->ah_sadb,
WR(ahstack->ah_pfkey_q), ahstack->ipsecah_netstack);
@@ -1825,22 +1738,15 @@ ah_age_bytes(ipsa_t *assoc, uint64_t bytes, boolean_t inbound)
* Called while holding the algorithm lock.
*/
static void
-ah_insert_prop(sadb_prop_t *prop, ipsacq_t *acqrec, uint_t combs)
+ah_insert_prop(sadb_prop_t *prop, ipsacq_t *acqrec, uint_t combs,
+ netstack_t *ns)
{
sadb_comb_t *comb = (sadb_comb_t *)(prop + 1);
- ipsec_out_t *io;
ipsec_action_t *ap;
ipsec_prot_t *prot;
- ipsecah_stack_t *ahstack;
- netstack_t *ns;
- ipsec_stack_t *ipss;
-
- io = (ipsec_out_t *)acqrec->ipsacq_mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
+ ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
- ns = io->ipsec_out_ns;
- ipss = ns->netstack_ipsec;
- ahstack = ns->netstack_ipsecah;
ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
prop->sadb_prop_exttype = SADB_EXT_PROPOSAL;
@@ -1851,9 +1757,9 @@ ah_insert_prop(sadb_prop_t *prop, ipsacq_t *acqrec, uint_t combs)
/*
* Based upon algorithm properties, and what-not, prioritize a
- * proposal, based on the ordering of the ah algorithms in the
- * alternatives presented in the policy rule passed down
- * through the ipsec_out_t and attached to the acquire record.
+ * proposal, based on the ordering of the AH algorithms in the
+ * alternatives in the policy rule or socket that was placed
+ * in the acquire record.
*/
for (ap = acqrec->ipsacq_act; ap != NULL;
@@ -1961,7 +1867,7 @@ ah_send_acquire(ipsacq_t *acqrec, mblk_t *extended, netstack_t *ns)
/* Insert proposal here. */
prop = (sadb_prop_t *)(((uint64_t *)samsg) + samsg->sadb_msg_len);
- ah_insert_prop(prop, acqrec, combs);
+ ah_insert_prop(prop, acqrec, combs, ns);
samsg->sadb_msg_len += prop->sadb_prop_len;
msgmp->b_wptr += SADB_64TO8(samsg->sadb_msg_len);
@@ -2117,11 +2023,12 @@ ah_getspi(mblk_t *mp, keysock_in_t *ksi, ipsecah_stack_t *ahstack)
/*
* IPv6 sends up the ICMP errors for validation and the removal of the AH
* header.
+ * If succesful, the mp has been modified to not include the AH header so
+ * that the caller can fanout to the ULP's icmp error handler.
*/
-static ipsec_status_t
-ah_icmp_error_v6(mblk_t *ipsec_mp, ipsecah_stack_t *ahstack)
+static mblk_t *
+ah_icmp_error_v6(mblk_t *mp, ip_recv_attr_t *ira, ipsecah_stack_t *ahstack)
{
- mblk_t *mp;
ip6_t *ip6h, *oip6h;
uint16_t hdr_length, ah_length;
uint8_t *nexthdrp;
@@ -2132,14 +2039,6 @@ ah_icmp_error_v6(mblk_t *ipsec_mp, ipsecah_stack_t *ahstack)
uint8_t *post_ah_ptr;
ipsec_stack_t *ipss = ahstack->ipsecah_netstack->netstack_ipsec;
- mp = ipsec_mp->b_cont;
- ASSERT(mp->b_datap->db_type == M_CTL);
-
- /*
- * Change the type to M_DATA till we finish pullups.
- */
- mp->b_datap->db_type = M_DATA;
-
/*
* Eat the cost of a pullupmsg() for now. It makes the rest of this
* code far less convoluted.
@@ -2150,10 +2049,10 @@ ah_icmp_error_v6(mblk_t *ipsec_mp, ipsecah_stack_t *ahstack)
mp->b_rptr + hdr_length + sizeof (icmp6_t) + sizeof (ip6_t) +
sizeof (ah_t) > mp->b_wptr) {
IP_AH_BUMP_STAT(ipss, in_discards);
- ip_drop_packet(ipsec_mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_nomem),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ return (NULL);
}
oip6h = (ip6_t *)mp->b_rptr;
@@ -2161,10 +2060,10 @@ ah_icmp_error_v6(mblk_t *ipsec_mp, ipsecah_stack_t *ahstack)
ip6h = (ip6_t *)(icmp6 + 1);
if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &hdr_length, &nexthdrp)) {
IP_AH_BUMP_STAT(ipss, in_discards);
- ip_drop_packet(ipsec_mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_bad_v6_hdrs),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ return (NULL);
}
ah = (ah_t *)((uint8_t *)ip6h + hdr_length);
@@ -2186,10 +2085,10 @@ ah_icmp_error_v6(mblk_t *ipsec_mp, ipsecah_stack_t *ahstack)
ah->ah_spi, &oip6h->ip6_src, AF_INET6,
ahstack->ipsecah_netstack);
}
- ip_drop_packet(ipsec_mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_no_sa),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ return (NULL);
}
IPSA_REFRELE(assoc);
@@ -2208,10 +2107,10 @@ ah_icmp_error_v6(mblk_t *ipsec_mp, ipsecah_stack_t *ahstack)
if (post_ah_ptr > mp->b_wptr) {
IP_AH_BUMP_STAT(ipss, in_discards);
- ip_drop_packet(ipsec_mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_bad_length),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ return (NULL);
}
ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) - ah_length);
@@ -2219,20 +2118,19 @@ ah_icmp_error_v6(mblk_t *ipsec_mp, ipsecah_stack_t *ahstack)
ovbcopy(post_ah_ptr, ah,
(size_t)((uintptr_t)mp->b_wptr - (uintptr_t)post_ah_ptr));
mp->b_wptr -= ah_length;
- /* Rewhack to be an ICMP error. */
- mp->b_datap->db_type = M_CTL;
- return (IPSEC_STATUS_SUCCESS);
+ return (mp);
}
/*
* IP sends up the ICMP errors for validation and the removal of
* the AH header.
+ * If succesful, the mp has been modified to not include the AH header so
+ * that the caller can fanout to the ULP's icmp error handler.
*/
-static ipsec_status_t
-ah_icmp_error_v4(mblk_t *ipsec_mp, ipsecah_stack_t *ahstack)
+static mblk_t *
+ah_icmp_error_v4(mblk_t *mp, ip_recv_attr_t *ira, ipsecah_stack_t *ahstack)
{
- mblk_t *mp;
mblk_t *mp1;
icmph_t *icmph;
int iph_hdr_length;
@@ -2248,14 +2146,6 @@ ah_icmp_error_v4(mblk_t *ipsec_mp, ipsecah_stack_t *ahstack)
uint8_t nexthdr;
ipsec_stack_t *ipss = ahstack->ipsecah_netstack->netstack_ipsec;
- mp = ipsec_mp->b_cont;
- ASSERT(mp->b_datap->db_type == M_CTL);
-
- /*
- * Change the type to M_DATA till we finish pullups.
- */
- mp->b_datap->db_type = M_DATA;
-
oipha = ipha = (ipha_t *)mp->b_rptr;
iph_hdr_length = IPH_HDR_LENGTH(ipha);
icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
@@ -2274,10 +2164,10 @@ ah_icmp_error_v4(mblk_t *ipsec_mp, ipsecah_stack_t *ahstack)
SL_WARN | SL_ERROR,
"ICMP error: Small AH header\n");
IP_AH_BUMP_STAT(ipss, in_discards);
- ip_drop_packet(ipsec_mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_bad_length),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ return (NULL);
}
icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
ipha = (ipha_t *)&icmph[1];
@@ -2304,10 +2194,10 @@ ah_icmp_error_v4(mblk_t *ipsec_mp, ipsecah_stack_t *ahstack)
ah->ah_spi, &oipha->ipha_src, AF_INET,
ahstack->ipsecah_netstack);
}
- ip_drop_packet(ipsec_mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_no_sa),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ return (NULL);
}
IPSA_REFRELE(assoc);
@@ -2343,10 +2233,10 @@ ah_icmp_error_v4(mblk_t *ipsec_mp, ipsecah_stack_t *ahstack)
* We tried hard, give up now.
*/
IP_AH_BUMP_STAT(ipss, in_discards);
- ip_drop_packet(ipsec_mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_nomem),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ return (NULL);
}
icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
ipha = (ipha_t *)&icmph[1];
@@ -2354,8 +2244,8 @@ ah_icmp_error_v4(mblk_t *ipsec_mp, ipsecah_stack_t *ahstack)
done:
/*
* Remove the AH header and change the protocol.
- * Don't update the spi fields in the ipsec_in
- * message as we are called just to validate the
+ * Don't update the spi fields in the ip_recv_attr_t
+ * as we are called just to validate the
* message attached to the ICMP message.
*
* If we never pulled up since all of the message
@@ -2368,14 +2258,11 @@ done:
if ((mp1 = allocb(alloc_size, BPRI_LO)) == NULL) {
IP_AH_BUMP_STAT(ipss, in_discards);
- ip_drop_packet(ipsec_mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_nomem),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ return (NULL);
}
- /* ICMP errors are M_CTL messages */
- mp1->b_datap->db_type = M_CTL;
- ipsec_mp->b_cont = mp1;
bcopy(mp->b_rptr, mp1->b_rptr, alloc_size);
mp1->b_wptr += alloc_size;
@@ -2402,24 +2289,23 @@ done:
ipha->ipha_hdr_checksum = 0;
ipha->ipha_hdr_checksum = (uint16_t)ip_csum_hdr(ipha);
- return (IPSEC_STATUS_SUCCESS);
+ return (mp1);
}
/*
* IP calls this to validate the ICMP errors that
* we got from the network.
*/
-ipsec_status_t
-ipsecah_icmp_error(mblk_t *mp)
+mblk_t *
+ipsecah_icmp_error(mblk_t *data_mp, ip_recv_attr_t *ira)
{
- ipsec_in_t *ii = (ipsec_in_t *)mp->b_rptr;
- netstack_t *ns = ii->ipsec_in_ns;
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
- if (ii->ipsec_in_v4)
- return (ah_icmp_error_v4(mp, ahstack));
+ if (ira->ira_flags & IRAF_IS_IPV4)
+ return (ah_icmp_error_v4(data_mp, ira, ahstack));
else
- return (ah_icmp_error_v6(mp, ahstack));
+ return (ah_icmp_error_v6(data_mp, ira, ahstack));
}
static int
@@ -2546,7 +2432,7 @@ ah_fix_phdr_v6(ip6_t *ip6h, ip6_t *oip6h, boolean_t outbound,
prev_nexthdr = (uint8_t *)&ip6h->ip6_nxt;
nexthdr = oip6h->ip6_nxt;
/* Assume IP has already stripped it */
- ASSERT(nexthdr != IPPROTO_FRAGMENT && nexthdr != IPPROTO_RAW);
+ ASSERT(nexthdr != IPPROTO_FRAGMENT);
ah = NULL;
dsthdr = NULL;
for (;;) {
@@ -2741,19 +2627,19 @@ ah_finish_up(ah_t *phdr_ah, ah_t *inbound_ah, ipsa_t *assoc,
* argument is freed.
*/
static void
-ah_log_bad_auth(mblk_t *ipsec_in)
+ah_log_bad_auth(mblk_t *mp, ip_recv_attr_t *ira, ipsec_crypto_t *ic)
{
- mblk_t *mp = ipsec_in->b_cont->b_cont;
- ipsec_in_t *ii = (ipsec_in_t *)ipsec_in->b_rptr;
- boolean_t isv4 = ii->ipsec_in_v4;
- ipsa_t *assoc = ii->ipsec_in_ah_sa;
- int af;
- void *addr;
- netstack_t *ns = ii->ipsec_in_ns;
+ boolean_t isv4 = (ira->ira_flags & IRAF_IS_IPV4);
+ ipsa_t *assoc = ira->ira_ipsec_ah_sa;
+ int af;
+ void *addr;
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
ipsec_stack_t *ipss = ns->netstack_ipsec;
- mp->b_rptr -= ii->ipsec_in_skip_len;
+ ASSERT(mp->b_datap->db_type == M_DATA);
+
+ mp->b_rptr -= ic->ic_skip_len;
if (isv4) {
ipha_t *ipha = (ipha_t *)mp->b_rptr;
@@ -2776,110 +2662,163 @@ ah_log_bad_auth(mblk_t *ipsec_in)
assoc->ipsa_spi, addr, af, ahstack->ipsecah_netstack);
IP_AH_BUMP_STAT(ipss, in_discards);
- ip_drop_packet(ipsec_in, B_TRUE, NULL, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_bad_auth),
&ahstack->ah_dropper);
}
/*
* Kernel crypto framework callback invoked after completion of async
- * crypto requests.
+ * crypto requests for outbound packets.
*/
static void
-ah_kcf_callback(void *arg, int status)
+ah_kcf_callback_outbound(void *arg, int status)
{
- mblk_t *ipsec_mp = (mblk_t *)arg;
- ipsec_in_t *ii = (ipsec_in_t *)ipsec_mp->b_rptr;
- boolean_t is_inbound = (ii->ipsec_in_type == IPSEC_IN);
- netstackid_t stackid;
- netstack_t *ns, *ns_arg;
+ mblk_t *mp = (mblk_t *)arg;
+ mblk_t *async_mp;
+ netstack_t *ns;
ipsec_stack_t *ipss;
ipsecah_stack_t *ahstack;
- ipsec_out_t *io = (ipsec_out_t *)ii;
+ mblk_t *data_mp;
+ ip_xmit_attr_t ixas;
+ ipsec_crypto_t *ic;
+ ill_t *ill;
- ASSERT(ipsec_mp->b_cont != NULL);
+ /*
+ * First remove the ipsec_crypto_t mblk
+ * Note that we need to ipsec_free_crypto_data(mp) once done with ic.
+ */
+ async_mp = ipsec_remove_crypto_data(mp, &ic);
+ ASSERT(async_mp != NULL);
- if (is_inbound) {
- stackid = ii->ipsec_in_stackid;
- ns_arg = ii->ipsec_in_ns;
+ /*
+ * Extract the ip_xmit_attr_t from the first mblk.
+ * Verifies that the netstack and ill is still around; could
+ * have vanished while kEf was doing its work.
+ * On succesful return we have a nce_t and the ill/ipst can't
+ * disappear until we do the nce_refrele in ixa_cleanup.
+ */
+ data_mp = async_mp->b_cont;
+ async_mp->b_cont = NULL;
+ if (!ip_xmit_attr_from_mblk(async_mp, &ixas)) {
+ /* Disappeared on us - no ill/ipst for MIB */
+ if (ixas.ixa_nce != NULL) {
+ ill = ixas.ixa_nce->nce_ill;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", data_mp, ill);
+ }
+ freemsg(data_mp);
+ goto done;
+ }
+ ns = ixas.ixa_ipst->ips_netstack;
+ ahstack = ns->netstack_ipsecah;
+ ipss = ns->netstack_ipsec;
+ ill = ixas.ixa_nce->nce_ill;
+
+ if (status == CRYPTO_SUCCESS) {
+ data_mp = ah_auth_out_done(data_mp, &ixas, ic);
+ if (data_mp == NULL)
+ goto done;
+
+ (void) ip_output_post_ipsec(data_mp, &ixas);
} else {
- stackid = io->ipsec_out_stackid;
- ns_arg = io->ipsec_out_ns;
+ /* Outbound shouldn't see invalid MAC */
+ ASSERT(status != CRYPTO_INVALID_MAC);
+
+ ah1dbg(ahstack,
+ ("ah_kcf_callback_outbound: crypto failed with 0x%x\n",
+ status));
+ AH_BUMP_STAT(ahstack, crypto_failures);
+ AH_BUMP_STAT(ahstack, out_discards);
+
+ ip_drop_packet(data_mp, B_FALSE, ill,
+ DROPPER(ipss, ipds_ah_crypto_failed),
+ &ahstack->ah_dropper);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
}
+done:
+ ixa_cleanup(&ixas);
+ (void) ipsec_free_crypto_data(mp);
+}
+
+/*
+ * Kernel crypto framework callback invoked after completion of async
+ * crypto requests for inbound packets.
+ */
+static void
+ah_kcf_callback_inbound(void *arg, int status)
+{
+ mblk_t *mp = (mblk_t *)arg;
+ mblk_t *async_mp;
+ netstack_t *ns;
+ ipsec_stack_t *ipss;
+ ipsecah_stack_t *ahstack;
+ mblk_t *data_mp;
+ ip_recv_attr_t iras;
+ ipsec_crypto_t *ic;
+
/*
- * Verify that the netstack is still around; could have vanished
- * while kEf was doing its work.
+ * First remove the ipsec_crypto_t mblk
+ * Note that we need to ipsec_free_crypto_data(mp) once done with ic.
*/
- ns = netstack_find_by_stackid(stackid);
- if (ns == NULL || ns != ns_arg) {
- /* Disappeared on us */
- if (ns != NULL)
- netstack_rele(ns);
- freemsg(ipsec_mp);
- return;
- }
+ async_mp = ipsec_remove_crypto_data(mp, &ic);
+ ASSERT(async_mp != NULL);
+ /*
+ * Extract the ip_xmit_attr_t from the first mblk.
+ * Verifies that the netstack and ill is still around; could
+ * have vanished while kEf was doing its work.
+ */
+ data_mp = async_mp->b_cont;
+ async_mp->b_cont = NULL;
+ if (!ip_recv_attr_from_mblk(async_mp, &iras)) {
+ /* The ill or ip_stack_t disappeared on us */
+ ip_drop_input("ip_recv_attr_from_mblk", data_mp, NULL);
+ freemsg(data_mp);
+ goto done;
+ }
+ ns = iras.ira_ill->ill_ipst->ips_netstack;
ahstack = ns->netstack_ipsecah;
ipss = ns->netstack_ipsec;
if (status == CRYPTO_SUCCESS) {
- if (is_inbound) {
- if (ah_auth_in_done(ipsec_mp) != IPSEC_STATUS_SUCCESS) {
- netstack_rele(ns);
- return;
- }
- /* finish IPsec processing */
- ip_fanout_proto_again(ipsec_mp, NULL, NULL, NULL);
- } else {
- ipha_t *ipha;
+ data_mp = ah_auth_in_done(data_mp, &iras, ic);
+ if (data_mp == NULL)
+ goto done;
- if (ah_auth_out_done(ipsec_mp) !=
- IPSEC_STATUS_SUCCESS) {
- netstack_rele(ns);
- return;
- }
-
- /* finish IPsec processing */
- ipha = (ipha_t *)ipsec_mp->b_cont->b_rptr;
- if (IPH_HDR_VERSION(ipha) == IP_VERSION) {
- ip_wput_ipsec_out(NULL, ipsec_mp, ipha, NULL,
- NULL);
- } else {
- ip6_t *ip6h = (ip6_t *)ipha;
- ip_wput_ipsec_out_v6(NULL, ipsec_mp, ip6h,
- NULL, NULL);
- }
- }
+ /* finish IPsec processing */
+ ip_input_post_ipsec(data_mp, &iras);
} else if (status == CRYPTO_INVALID_MAC) {
- ah_log_bad_auth(ipsec_mp);
+ ah_log_bad_auth(data_mp, &iras, ic);
} else {
- ah1dbg(ahstack, ("ah_kcf_callback: crypto failed with 0x%x\n",
+ ah1dbg(ahstack,
+ ("ah_kcf_callback_inbound: crypto failed with 0x%x\n",
status));
AH_BUMP_STAT(ahstack, crypto_failures);
- if (is_inbound)
- IP_AH_BUMP_STAT(ipss, in_discards);
- else
- AH_BUMP_STAT(ahstack, out_discards);
- ip_drop_packet(ipsec_mp, is_inbound, NULL, NULL,
+ IP_AH_BUMP_STAT(ipss, in_discards);
+ ip_drop_packet(data_mp, B_TRUE, iras.ira_ill,
DROPPER(ipss, ipds_ah_crypto_failed),
&ahstack->ah_dropper);
+ BUMP_MIB(iras.ira_ill->ill_ip_mib, ipIfStatsInDiscards);
}
- netstack_rele(ns);
+done:
+ ira_cleanup(&iras, B_TRUE);
+ (void) ipsec_free_crypto_data(mp);
}
/*
* Invoked on kernel crypto failure during inbound and outbound processing.
*/
static void
-ah_crypto_failed(mblk_t *mp, boolean_t is_inbound, int kef_rc,
- ipsecah_stack_t *ahstack)
+ah_crypto_failed(mblk_t *data_mp, boolean_t is_inbound, int kef_rc,
+ ill_t *ill, ipsecah_stack_t *ahstack)
{
ipsec_stack_t *ipss = ahstack->ipsecah_netstack->netstack_ipsec;
ah1dbg(ahstack, ("crypto failed for %s AH with 0x%x\n",
is_inbound ? "inbound" : "outbound", kef_rc));
- ip_drop_packet(mp, is_inbound, NULL, NULL,
+ ip_drop_packet(data_mp, is_inbound, ill,
DROPPER(ipss, ipds_ah_crypto_failed),
&ahstack->ah_dropper);
AH_BUMP_STAT(ahstack, crypto_failures);
@@ -2893,14 +2832,14 @@ ah_crypto_failed(mblk_t *mp, boolean_t is_inbound, int kef_rc,
* Helper macros for the ah_submit_req_{inbound,outbound}() functions.
*/
-#define AH_INIT_CALLREQ(_cr, _ipss) { \
- (_cr)->cr_flag = CRYPTO_SKIP_REQID|CRYPTO_RESTRICTED; \
- if ((_ipss)->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] == \
- IPSEC_ALGS_EXEC_ASYNC) \
- (_cr)->cr_flag |= CRYPTO_ALWAYS_QUEUE; \
- (_cr)->cr_callback_arg = ipsec_mp; \
- (_cr)->cr_callback_func = ah_kcf_callback; \
-}
+/*
+ * A statement-equivalent macro, _cr MUST point to a modifiable
+ * crypto_call_req_t.
+ */
+#define AH_INIT_CALLREQ(_cr, _mp, _callback) \
+ (_cr)->cr_flag = CRYPTO_SKIP_REQID|CRYPTO_ALWAYS_QUEUE; \
+ (_cr)->cr_callback_arg = (_mp); \
+ (_cr)->cr_callback_func = (_callback)
#define AH_INIT_CRYPTO_DATA(data, msglen, mblk) { \
(data)->cd_format = CRYPTO_DATA_MBLK; \
@@ -2920,124 +2859,185 @@ ah_crypto_failed(mblk_t *mp, boolean_t is_inbound, int kef_rc,
/*
* Submit an inbound packet for processing by the crypto framework.
*/
-static ipsec_status_t
-ah_submit_req_inbound(mblk_t *ipsec_mp, size_t skip_len, uint32_t ah_offset,
- ipsa_t *assoc)
+static mblk_t *
+ah_submit_req_inbound(mblk_t *phdr_mp, ip_recv_attr_t *ira,
+ size_t skip_len, uint32_t ah_offset, ipsa_t *assoc)
{
int kef_rc;
- mblk_t *phdr_mp;
- crypto_call_req_t call_req;
- ipsec_in_t *ii = (ipsec_in_t *)ipsec_mp->b_rptr;
+ mblk_t *mp;
+ crypto_call_req_t call_req, *callrp;
uint_t icv_len = assoc->ipsa_mac_len;
crypto_ctx_template_t ctx_tmpl;
- netstack_t *ns = ii->ipsec_in_ns;
- ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
- ipsec_stack_t *ipss = ns->netstack_ipsec;
+ ipsecah_stack_t *ahstack;
+ ipsec_crypto_t *ic, icstack;
+ boolean_t force = (assoc->ipsa_flags & IPSA_F_ASYNC);
+
+ ahstack = ira->ira_ill->ill_ipst->ips_netstack->netstack_ipsecah;
- phdr_mp = ipsec_mp->b_cont;
ASSERT(phdr_mp != NULL);
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
+ ASSERT(phdr_mp->b_datap->db_type == M_DATA);
+
+ if (force) {
+ /* We are doing asynch; allocate mblks to hold state */
+ if ((mp = ip_recv_attr_to_mblk(ira)) == NULL ||
+ (mp = ipsec_add_crypto_data(mp, &ic)) == NULL) {
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", phdr_mp,
+ ira->ira_ill);
+ freemsg(phdr_mp);
+ return (NULL);
+ }
- /*
- * In case kEF queues and calls back, make sure we have the
- * netstackid_t for verification that the IP instance is still around
- * in esp_kcf_callback().
- */
- ASSERT(ii->ipsec_in_stackid == ns->netstack_stackid);
+ linkb(mp, phdr_mp);
+ callrp = &call_req;
+ AH_INIT_CALLREQ(callrp, mp, ah_kcf_callback_inbound);
+ } else {
+ /*
+ * If we know we are going to do sync then ipsec_crypto_t
+ * should be on the stack.
+ */
+ ic = &icstack;
+ bzero(ic, sizeof (*ic));
+ callrp = NULL;
+ }
/* init arguments for the crypto framework */
- AH_INIT_CRYPTO_DATA(&ii->ipsec_in_crypto_data, AH_MSGSIZE(phdr_mp),
+ AH_INIT_CRYPTO_DATA(&ic->ic_crypto_data, AH_MSGSIZE(phdr_mp),
phdr_mp);
- AH_INIT_CRYPTO_MAC(&ii->ipsec_in_crypto_mac, icv_len,
+ AH_INIT_CRYPTO_MAC(&ic->ic_crypto_mac, icv_len,
(char *)phdr_mp->b_cont->b_rptr - skip_len + ah_offset +
sizeof (ah_t));
- AH_INIT_CALLREQ(&call_req, ipss);
-
- ii->ipsec_in_skip_len = skip_len;
+ ic->ic_skip_len = skip_len;
IPSEC_CTX_TMPL(assoc, ipsa_authtmpl, IPSEC_ALG_AUTH, ctx_tmpl);
/* call KEF to do the MAC operation */
kef_rc = crypto_mac_verify(&assoc->ipsa_amech,
- &ii->ipsec_in_crypto_data, &assoc->ipsa_kcfauthkey, ctx_tmpl,
- &ii->ipsec_in_crypto_mac, &call_req);
+ &ic->ic_crypto_data, &assoc->ipsa_kcfauthkey, ctx_tmpl,
+ &ic->ic_crypto_mac, callrp);
switch (kef_rc) {
case CRYPTO_SUCCESS:
AH_BUMP_STAT(ahstack, crypto_sync);
- return (ah_auth_in_done(ipsec_mp));
+ phdr_mp = ah_auth_in_done(phdr_mp, ira, ic);
+ if (force) {
+ /* Free mp after we are done with ic */
+ mp = ipsec_free_crypto_data(mp);
+ (void) ip_recv_attr_free_mblk(mp);
+ }
+ return (phdr_mp);
case CRYPTO_QUEUED:
- /* ah_kcf_callback() will be invoked on completion */
+ /* ah_kcf_callback_inbound() will be invoked on completion */
AH_BUMP_STAT(ahstack, crypto_async);
- return (IPSEC_STATUS_PENDING);
+ return (NULL);
case CRYPTO_INVALID_MAC:
+ /* Free mp after we are done with ic */
AH_BUMP_STAT(ahstack, crypto_sync);
- ah_log_bad_auth(ipsec_mp);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ ah_log_bad_auth(phdr_mp, ira, ic);
+ /* phdr_mp was passed to ip_drop_packet */
+ if (force) {
+ mp = ipsec_free_crypto_data(mp);
+ (void) ip_recv_attr_free_mblk(mp);
+ }
+ return (NULL);
}
- ah_crypto_failed(ipsec_mp, B_TRUE, kef_rc, ahstack);
- return (IPSEC_STATUS_FAILED);
+ if (force) {
+ mp = ipsec_free_crypto_data(mp);
+ phdr_mp = ip_recv_attr_free_mblk(mp);
+ }
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ ah_crypto_failed(phdr_mp, B_TRUE, kef_rc, ira->ira_ill, ahstack);
+ /* phdr_mp was passed to ip_drop_packet */
+ return (NULL);
}
/*
* Submit an outbound packet for processing by the crypto framework.
*/
-static ipsec_status_t
-ah_submit_req_outbound(mblk_t *ipsec_mp, size_t skip_len, ipsa_t *assoc)
+static mblk_t *
+ah_submit_req_outbound(mblk_t *phdr_mp, ip_xmit_attr_t *ixa,
+ size_t skip_len, ipsa_t *assoc)
{
int kef_rc;
- mblk_t *phdr_mp;
- crypto_call_req_t call_req;
- ipsec_out_t *io = (ipsec_out_t *)ipsec_mp->b_rptr;
+ mblk_t *mp;
+ crypto_call_req_t call_req, *callrp;
uint_t icv_len = assoc->ipsa_mac_len;
- netstack_t *ns = io->ipsec_out_ns;
- ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
- ipsec_stack_t *ipss = ns->netstack_ipsec;
+ ipsecah_stack_t *ahstack;
+ ipsec_crypto_t *ic, icstack;
+ ill_t *ill = ixa->ixa_nce->nce_ill;
+ boolean_t force = (assoc->ipsa_flags & IPSA_F_ASYNC);
- phdr_mp = ipsec_mp->b_cont;
- ASSERT(phdr_mp != NULL);
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
+ ahstack = ill->ill_ipst->ips_netstack->netstack_ipsecah;
- /*
- * In case kEF queues and calls back, keep netstackid_t for
- * verification that the IP instance is still around in
- * ah_kcf_callback().
- */
- io->ipsec_out_stackid = ns->netstack_stackid;
+ ASSERT(phdr_mp != NULL);
+ ASSERT(phdr_mp->b_datap->db_type == M_DATA);
+
+ if (force) {
+ /* We are doing asynch; allocate mblks to hold state */
+ if ((mp = ip_xmit_attr_to_mblk(ixa)) == NULL ||
+ (mp = ipsec_add_crypto_data(mp, &ic)) == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", phdr_mp, ill);
+ freemsg(phdr_mp);
+ return (NULL);
+ }
+ linkb(mp, phdr_mp);
+ callrp = &call_req;
+ AH_INIT_CALLREQ(callrp, mp, ah_kcf_callback_outbound);
+ } else {
+ /*
+ * If we know we are going to do sync then ipsec_crypto_t
+ * should be on the stack.
+ */
+ ic = &icstack;
+ bzero(ic, sizeof (*ic));
+ callrp = NULL;
+ }
/* init arguments for the crypto framework */
- AH_INIT_CRYPTO_DATA(&io->ipsec_out_crypto_data, AH_MSGSIZE(phdr_mp),
+ AH_INIT_CRYPTO_DATA(&ic->ic_crypto_data, AH_MSGSIZE(phdr_mp),
phdr_mp);
- AH_INIT_CRYPTO_MAC(&io->ipsec_out_crypto_mac, icv_len,
+ AH_INIT_CRYPTO_MAC(&ic->ic_crypto_mac, icv_len,
(char *)phdr_mp->b_wptr);
- AH_INIT_CALLREQ(&call_req, ipss);
+ ic->ic_skip_len = skip_len;
- io->ipsec_out_skip_len = skip_len;
-
- ASSERT(io->ipsec_out_ah_sa != NULL);
+ ASSERT(ixa->ixa_ipsec_ah_sa != NULL);
/* call KEF to do the MAC operation */
- kef_rc = crypto_mac(&assoc->ipsa_amech, &io->ipsec_out_crypto_data,
+ kef_rc = crypto_mac(&assoc->ipsa_amech, &ic->ic_crypto_data,
&assoc->ipsa_kcfauthkey, assoc->ipsa_authtmpl,
- &io->ipsec_out_crypto_mac, &call_req);
+ &ic->ic_crypto_mac, callrp);
switch (kef_rc) {
case CRYPTO_SUCCESS:
AH_BUMP_STAT(ahstack, crypto_sync);
- return (ah_auth_out_done(ipsec_mp));
+ phdr_mp = ah_auth_out_done(phdr_mp, ixa, ic);
+ if (force) {
+ /* Free mp after we are done with ic */
+ mp = ipsec_free_crypto_data(mp);
+ (void) ip_xmit_attr_free_mblk(mp);
+ }
+ return (phdr_mp);
case CRYPTO_QUEUED:
- /* ah_kcf_callback() will be invoked on completion */
+ /* ah_kcf_callback_outbound() will be invoked on completion */
AH_BUMP_STAT(ahstack, crypto_async);
- return (IPSEC_STATUS_PENDING);
+ return (NULL);
}
- ah_crypto_failed(ipsec_mp, B_FALSE, kef_rc, ahstack);
- return (IPSEC_STATUS_FAILED);
+ if (force) {
+ mp = ipsec_free_crypto_data(mp);
+ phdr_mp = ip_xmit_attr_free_mblk(mp);
+ }
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ah_crypto_failed(phdr_mp, B_FALSE, kef_rc, NULL, ahstack);
+ /* phdr_mp was passed to ip_drop_packet */
+ return (NULL);
}
/*
@@ -3056,7 +3056,6 @@ ah_process_ip_options_v6(mblk_t *mp, ipsa_t *assoc, int *length_to_skip,
uint_t ah_align_sz;
uint_t ah_offset;
int hdr_size;
- ipsec_stack_t *ipss = ahstack->ipsecah_netstack->netstack_ipsec;
/*
* Allocate space for the authentication data also. It is
@@ -3135,9 +3134,6 @@ ah_process_ip_options_v6(mblk_t *mp, ipsa_t *assoc, int *length_to_skip,
ah_offset = ah_fix_phdr_v6(ip6h, oip6h, outbound, B_FALSE);
if (ah_offset == 0) {
- ip_drop_packet(phdr_mp, !outbound, NULL, NULL,
- DROPPER(ipss, ipds_ah_bad_v6_hdrs),
- &ahstack->ah_dropper);
return (NULL);
}
}
@@ -3375,65 +3371,67 @@ ah_hdr:
/*
* Authenticate an outbound datagram. This function is called
* whenever IP sends an outbound datagram that needs authentication.
+ * Returns a modified packet if done. Returns NULL if error or queued.
+ * If error return then ipIfStatsOutDiscards has been increased.
*/
-static ipsec_status_t
-ah_outbound(mblk_t *ipsec_out)
+static mblk_t *
+ah_outbound(mblk_t *data_mp, ip_xmit_attr_t *ixa)
{
- mblk_t *mp;
mblk_t *phdr_mp;
- ipsec_out_t *oi;
ipsa_t *assoc;
int length_to_skip;
uint_t ah_align_sz;
uint_t age_bytes;
- netstack_t *ns;
- ipsec_stack_t *ipss;
- ipsecah_stack_t *ahstack;
+ netstack_t *ns = ixa->ixa_ipst->ips_netstack;
+ ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+ ill_t *ill = ixa->ixa_nce->nce_ill;
+ boolean_t need_refrele = B_FALSE;
/*
* Construct the chain of mblks
*
- * IPSEC_OUT->PSEUDO_HDR->DATA
+ * PSEUDO_HDR->DATA
*
* one by one.
*/
- ASSERT(ipsec_out->b_datap->db_type == M_CTL);
-
- ASSERT(MBLKL(ipsec_out) >= sizeof (ipsec_info_t));
-
- mp = ipsec_out->b_cont;
- oi = (ipsec_out_t *)ipsec_out->b_rptr;
- ns = oi->ipsec_out_ns;
- ipss = ns->netstack_ipsec;
- ahstack = ns->netstack_ipsecah;
-
AH_BUMP_STAT(ahstack, out_requests);
- ASSERT(mp->b_datap->db_type == M_DATA);
+ ASSERT(data_mp->b_datap->db_type == M_DATA);
- assoc = oi->ipsec_out_ah_sa;
+ assoc = ixa->ixa_ipsec_ah_sa;
ASSERT(assoc != NULL);
/*
* Get the outer IP header in shape to escape this system..
*/
- if (is_system_labeled() && (assoc->ipsa_ocred != NULL)) {
- int whack;
-
- mblk_setcred(mp, assoc->ipsa_ocred, NOPID);
- if (oi->ipsec_out_v4)
- whack = sadb_whack_label(&mp, assoc);
- else
- whack = sadb_whack_label_v6(&mp, assoc);
- if (whack != 0) {
- ip_drop_packet(ipsec_out, B_FALSE, NULL,
- NULL, DROPPER(ipss, ipds_ah_nomem),
+ if (is_system_labeled() && (assoc->ipsa_otsl != NULL)) {
+ /*
+ * Need to update packet with any CIPSO option and update
+ * ixa_tsl to capture the new label.
+ * We allocate a separate ixa for that purpose.
+ */
+ ixa = ip_xmit_attr_duplicate(ixa);
+ if (ixa == NULL) {
+ ip_drop_packet(data_mp, B_FALSE, ill,
+ DROPPER(ipss, ipds_ah_nomem),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ return (NULL);
+ }
+ need_refrele = B_TRUE;
+
+ label_hold(assoc->ipsa_otsl);
+ ip_xmit_attr_replace_tsl(ixa, assoc->ipsa_otsl);
+
+ data_mp = sadb_whack_label(data_mp, assoc, ixa,
+ DROPPER(ipss, ipds_ah_nomem), &ahstack->ah_dropper);
+ if (data_mp == NULL) {
+ /* Packet dropped by sadb_whack_label */
+ ixa_refrele(ixa);
+ return (NULL);
}
- ipsec_out->b_cont = mp;
}
/*
@@ -3441,14 +3439,14 @@ ah_outbound(mblk_t *ipsec_out)
* adding the AH header, ICV, and padding to the packet.
*/
- if (oi->ipsec_out_v4) {
- ipha_t *ipha = (ipha_t *)mp->b_rptr;
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)data_mp->b_rptr;
ah_align_sz = P2ALIGN(assoc->ipsa_mac_len +
IPV4_PADDING_ALIGN - 1, IPV4_PADDING_ALIGN);
age_bytes = ntohs(ipha->ipha_length) + sizeof (ah_t) +
ah_align_sz;
} else {
- ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+ ip6_t *ip6h = (ip6_t *)data_mp->b_rptr;
ah_align_sz = P2ALIGN(assoc->ipsa_mac_len +
IPV6_PADDING_ALIGN - 1, IPV6_PADDING_ALIGN);
age_bytes = sizeof (ip6_t) + ntohs(ip6h->ip6_plen) +
@@ -3461,8 +3459,12 @@ ah_outbound(mblk_t *ipsec_out)
"AH association 0x%x, dst %s had bytes expire.\n",
ntohl(assoc->ipsa_spi), assoc->ipsa_dstaddr, AF_INET,
ahstack->ipsecah_netstack);
- freemsg(ipsec_out);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", data_mp, ill);
+ freemsg(data_mp);
+ if (need_refrele)
+ ixa_refrele(ixa);
+ return (NULL);
}
/*
@@ -3470,64 +3472,59 @@ ah_outbound(mblk_t *ipsec_out)
* (AH is computing the checksum over the outer label).
*/
- if (oi->ipsec_out_is_capab_ill) {
- ah3dbg(ahstack, ("ah_outbound: pkt can be accelerated\n"));
- if (oi->ipsec_out_v4)
- return (ah_outbound_accelerated_v4(ipsec_out, assoc));
- else
- return (ah_outbound_accelerated_v6(ipsec_out, assoc));
- }
- AH_BUMP_STAT(ahstack, noaccel);
-
/*
* Insert pseudo header:
- * IPSEC_INFO -> [IP, ULP] => IPSEC_INFO -> [IP, AH, ICV] -> ULP
+ * [IP, ULP] => [IP, AH, ICV] -> ULP
*/
- if (oi->ipsec_out_v4) {
- phdr_mp = ah_process_ip_options_v4(mp, assoc, &length_to_skip,
- assoc->ipsa_mac_len, B_TRUE, ahstack);
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ phdr_mp = ah_process_ip_options_v4(data_mp, assoc,
+ &length_to_skip, assoc->ipsa_mac_len, B_TRUE, ahstack);
} else {
- phdr_mp = ah_process_ip_options_v6(mp, assoc, &length_to_skip,
- assoc->ipsa_mac_len, B_TRUE, ahstack);
+ phdr_mp = ah_process_ip_options_v6(data_mp, assoc,
+ &length_to_skip, assoc->ipsa_mac_len, B_TRUE, ahstack);
}
if (phdr_mp == NULL) {
AH_BUMP_STAT(ahstack, out_discards);
- ip_drop_packet(ipsec_out, B_FALSE, NULL, NULL,
+ ip_drop_packet(data_mp, B_FALSE, ixa->ixa_nce->nce_ill,
DROPPER(ipss, ipds_ah_bad_v4_opts),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ if (need_refrele)
+ ixa_refrele(ixa);
+ return (NULL);
}
- ipsec_out->b_cont = phdr_mp;
- phdr_mp->b_cont = mp;
- mp->b_rptr += length_to_skip;
+ phdr_mp->b_cont = data_mp;
+ data_mp->b_rptr += length_to_skip;
+ data_mp = phdr_mp;
/*
- * At this point ipsec_out points to the IPSEC_OUT, new_mp
- * points to an mblk containing the pseudo header (IP header,
+ * At this point data_mp points to
+ * an mblk containing the pseudo header (IP header,
* AH header, and ICV with mutable fields zero'ed out).
* mp points to the mblk containing the ULP data. The original
- * IP header is kept before the ULP data in mp.
+ * IP header is kept before the ULP data in data_mp.
*/
/* submit MAC request to KCF */
- return (ah_submit_req_outbound(ipsec_out, length_to_skip, assoc));
+ data_mp = ah_submit_req_outbound(data_mp, ixa, length_to_skip, assoc);
+ if (need_refrele)
+ ixa_refrele(ixa);
+ return (data_mp);
}
-static ipsec_status_t
-ah_inbound(mblk_t *ipsec_in_mp, void *arg)
+static mblk_t *
+ah_inbound(mblk_t *data_mp, void *arg, ip_recv_attr_t *ira)
{
- mblk_t *data_mp = ipsec_in_mp->b_cont;
- ipsec_in_t *ii = (ipsec_in_t *)ipsec_in_mp->b_rptr;
- ah_t *ah = (ah_t *)arg;
- ipsa_t *assoc = ii->ipsec_in_ah_sa;
- int length_to_skip;
- int ah_length;
- mblk_t *phdr_mp;
- uint32_t ah_offset;
- netstack_t *ns = ii->ipsec_in_ns;
+ ah_t *ah = (ah_t *)arg;
+ ipsa_t *assoc = ira->ira_ipsec_ah_sa;
+ int length_to_skip;
+ int ah_length;
+ mblk_t *phdr_mp;
+ uint32_t ah_offset;
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
ipsec_stack_t *ipss = ns->netstack_ipsec;
@@ -3547,10 +3544,11 @@ ah_inbound(mblk_t *ipsec_in_mp, void *arg)
if (!sadb_replay_peek(assoc, ah->ah_replay)) {
AH_BUMP_STAT(ahstack, replay_early_failures);
IP_AH_BUMP_STAT(ipss, in_discards);
- ip_drop_packet(ipsec_in_mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(data_mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_early_replay),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ return (NULL);
}
/*
@@ -3561,19 +3559,6 @@ ah_inbound(mblk_t *ipsec_in_mp, void *arg)
ah_offset = (uchar_t *)ah - data_mp->b_rptr;
/*
- * Has this packet already been processed by a hardware
- * IPsec accelerator?
- */
- if (ii->ipsec_in_accelerated) {
- ah3dbg(ahstack,
- ("ah_inbound_v6: pkt processed by ill=%d isv6=%d\n",
- ii->ipsec_in_ill_index, !ii->ipsec_in_v4));
- return (ah_inbound_accelerated(ipsec_in_mp, ii->ipsec_in_v4,
- assoc, ah_offset));
- }
- AH_BUMP_STAT(ahstack, noaccel);
-
- /*
* We need to pullup until the ICV before we call
* ah_process_ip_options_v6.
*/
@@ -3590,18 +3575,19 @@ ah_inbound(mblk_t *ipsec_in_mp, void *arg)
SL_WARN | SL_ERROR,
"ah_inbound: Small AH header\n");
IP_AH_BUMP_STAT(ipss, in_discards);
- ip_drop_packet(ipsec_in_mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(data_mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_nomem),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ return (NULL);
}
}
/*
* Insert pseudo header:
- * IPSEC_INFO -> [IP, ULP] => IPSEC_INFO -> [IP, AH, ICV] -> ULP
+ * [IP, ULP] => [IP, AH, ICV] -> ULP
*/
- if (ii->ipsec_in_v4) {
+ if (ira->ira_flags & IRAF_IS_IPV4) {
phdr_mp = ah_process_ip_options_v4(data_mp, assoc,
&length_to_skip, assoc->ipsa_mac_len, B_FALSE, ahstack);
} else {
@@ -3611,483 +3597,33 @@ ah_inbound(mblk_t *ipsec_in_mp, void *arg)
if (phdr_mp == NULL) {
IP_AH_BUMP_STAT(ipss, in_discards);
- ip_drop_packet(ipsec_in_mp, B_TRUE, NULL, NULL,
- (ii->ipsec_in_v4 ?
+ ip_drop_packet(data_mp, B_TRUE, ira->ira_ill,
+ ((ira->ira_flags & IRAF_IS_IPV4) ?
DROPPER(ipss, ipds_ah_bad_v4_opts) :
DROPPER(ipss, ipds_ah_bad_v6_hdrs)),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ return (NULL);
}
- ipsec_in_mp->b_cont = phdr_mp;
phdr_mp->b_cont = data_mp;
data_mp->b_rptr += length_to_skip;
+ data_mp = phdr_mp;
/* submit request to KCF */
- return (ah_submit_req_inbound(ipsec_in_mp, length_to_skip, ah_offset,
+ return (ah_submit_req_inbound(data_mp, ira, length_to_skip, ah_offset,
assoc));
}
/*
- * ah_inbound_accelerated:
- * Called from ah_inbound() to process IPsec packets that have been
- * accelerated by hardware.
- *
- * Basically does what ah_auth_in_done() with some changes since
- * no pseudo-headers are involved, i.e. the passed message is a
- * IPSEC_INFO->DATA.
- *
- * It is assumed that only packets that have been successfully
- * processed by the adapter come here.
- *
- * 1. get algorithm structure corresponding to association
- * 2. calculate pointers to authentication header and ICV
- * 3. compare ICV in AH header with ICV in data attributes
- * 3.1 if different:
- * 3.1.1 generate error
- * 3.1.2 discard message
- * 3.2 if ICV matches:
- * 3.2.1 check replay
- * 3.2.2 remove AH header
- * 3.2.3 age SA byte
- * 3.2.4 send to IP
- */
-ipsec_status_t
-ah_inbound_accelerated(mblk_t *ipsec_in, boolean_t isv4, ipsa_t *assoc,
- uint32_t ah_offset)
-{
- mblk_t *mp;
- ipha_t *ipha;
- ah_t *ah;
- ipsec_in_t *ii;
- uint32_t icv_len;
- uint32_t align_len;
- uint32_t age_bytes;
- ip6_t *ip6h;
- uint8_t *in_icv;
- mblk_t *hada_mp;
- uint32_t next_hdr;
- da_ipsec_t *hada;
- kstat_named_t *counter;
- ipsecah_stack_t *ahstack;
- netstack_t *ns;
- ipsec_stack_t *ipss;
-
- ii = (ipsec_in_t *)ipsec_in->b_rptr;
- ns = ii->ipsec_in_ns;
- ahstack = ns->netstack_ipsecah;
- ipss = ns->netstack_ipsec;
-
- mp = ipsec_in->b_cont;
- hada_mp = ii->ipsec_in_da;
- ASSERT(hada_mp != NULL);
- hada = (da_ipsec_t *)hada_mp->b_rptr;
-
- AH_BUMP_STAT(ahstack, in_accelerated);
-
- /*
- * We only support one level of decapsulation in hardware, so
- * nuke the pointer.
- */
- ii->ipsec_in_da = NULL;
- ii->ipsec_in_accelerated = B_FALSE;
-
- /*
- * Extract ICV length from attributes M_CTL and sanity check
- * its value. We allow the mblk to be smaller than da_ipsec_t
- * for a small ICV, as long as the entire ICV fits within the mblk.
- * Also ensures that the ICV length computed by Provider
- * corresponds to the ICV length of the algorithm specified by the SA.
- */
- icv_len = hada->da_icv_len;
- if ((icv_len != assoc->ipsa_mac_len) ||
- (icv_len > DA_ICV_MAX_LEN) || (MBLKL(hada_mp) <
- (sizeof (da_ipsec_t) - DA_ICV_MAX_LEN + icv_len))) {
- ah0dbg(("ah_inbound_accelerated: "
- "ICV len (%u) incorrect or mblk too small (%u)\n",
- icv_len, (uint32_t)(MBLKL(hada_mp))));
- counter = DROPPER(ipss, ipds_ah_bad_length);
- goto ah_in_discard;
- }
- ASSERT(icv_len != 0);
-
- /* compute the padded AH ICV len */
- if (isv4) {
- ipha = (ipha_t *)mp->b_rptr;
- align_len = (icv_len + IPV4_PADDING_ALIGN - 1) &
- -IPV4_PADDING_ALIGN;
- } else {
- ip6h = (ip6_t *)mp->b_rptr;
- align_len = (icv_len + IPV6_PADDING_ALIGN - 1) &
- -IPV6_PADDING_ALIGN;
- }
-
- ah = (ah_t *)(mp->b_rptr + ah_offset);
- in_icv = (uint8_t *)ah + sizeof (ah_t);
-
- /* compare ICV in AH header vs ICV computed by adapter */
- if (bcmp(hada->da_icv, in_icv, icv_len)) {
- int af;
- void *addr;
-
- if (isv4) {
- addr = &ipha->ipha_dst;
- af = AF_INET;
- } else {
- addr = &ip6h->ip6_dst;
- af = AF_INET6;
- }
-
- /*
- * Log the event. Don't print to the console, block
- * potential denial-of-service attack.
- */
- AH_BUMP_STAT(ahstack, bad_auth);
- ipsec_assocfailure(info.mi_idnum, 0, 0, SL_ERROR | SL_WARN,
- "AH Authentication failed spi %x, dst_addr %s",
- assoc->ipsa_spi, addr, af, ahstack->ipsecah_netstack);
- counter = DROPPER(ipss, ipds_ah_bad_auth);
- goto ah_in_discard;
- }
-
- ah3dbg(ahstack, ("AH succeeded, checking replay\n"));
- AH_BUMP_STAT(ahstack, good_auth);
-
- if (!sadb_replay_check(assoc, ah->ah_replay)) {
- int af;
- void *addr;
-
- if (isv4) {
- addr = &ipha->ipha_dst;
- af = AF_INET;
- } else {
- addr = &ip6h->ip6_dst;
- af = AF_INET6;
- }
-
- /*
- * Log the event. As of now we print out an event.
- * Do not print the replay failure number, or else
- * syslog cannot collate the error messages. Printing
- * the replay number that failed (or printing to the
- * console) opens a denial-of-service attack.
- */
- AH_BUMP_STAT(ahstack, replay_failures);
- ipsec_assocfailure(info.mi_idnum, 0, 0,
- SL_ERROR | SL_WARN,
- "Replay failed for AH spi %x, dst_addr %s",
- assoc->ipsa_spi, addr, af, ahstack->ipsecah_netstack);
- counter = DROPPER(ipss, ipds_ah_replay);
- goto ah_in_discard;
- }
-
- /*
- * Remove AH header. We do this by copying everything before
- * the AH header onto the AH header+ICV.
- */
- /* overwrite AH with what was preceeding it (IP header) */
- next_hdr = ah->ah_nexthdr;
- ovbcopy(mp->b_rptr, mp->b_rptr + sizeof (ah_t) + align_len,
- ah_offset);
- mp->b_rptr += sizeof (ah_t) + align_len;
- if (isv4) {
- /* adjust IP header next protocol */
- ipha = (ipha_t *)mp->b_rptr;
- ipha->ipha_protocol = next_hdr;
-
- age_bytes = ipha->ipha_length;
-
- /* adjust length in IP header */
- ipha->ipha_length -= (sizeof (ah_t) + align_len);
-
- /* recalculate checksum */
- ipha->ipha_hdr_checksum = 0;
- ipha->ipha_hdr_checksum = (uint16_t)ip_csum_hdr(ipha);
- } else {
- /* adjust IP header next protocol */
- ip6h = (ip6_t *)mp->b_rptr;
- ip6h->ip6_nxt = next_hdr;
-
- age_bytes = sizeof (ip6_t) + ntohs(ip6h->ip6_plen) +
- sizeof (ah_t);
-
- /* adjust length in IP header */
- ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) -
- (sizeof (ah_t) + align_len));
- }
-
- /* age SA */
- if (!ah_age_bytes(assoc, age_bytes, B_TRUE)) {
- /* The ipsa has hit hard expiration, LOG and AUDIT. */
- ipsec_assocfailure(info.mi_idnum, 0, 0,
- SL_ERROR | SL_WARN,
- "AH Association 0x%x, dst %s had bytes expire.\n",
- assoc->ipsa_spi, assoc->ipsa_dstaddr,
- AF_INET, ahstack->ipsecah_netstack);
- AH_BUMP_STAT(ahstack, bytes_expired);
- counter = DROPPER(ipss, ipds_ah_bytes_expire);
- goto ah_in_discard;
- }
-
- freeb(hada_mp);
- return (IPSEC_STATUS_SUCCESS);
-
-ah_in_discard:
- IP_AH_BUMP_STAT(ipss, in_discards);
- freeb(hada_mp);
- ip_drop_packet(ipsec_in, B_TRUE, NULL, NULL, counter,
- &ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
-}
-
-/*
- * ah_outbound_accelerated_v4:
- * Called from ah_outbound_v4() and once it is determined that the
- * packet is elligible for hardware acceleration.
- *
- * We proceed as follows:
- * 1. allocate and initialize attributes mblk
- * 2. mark IPSEC_OUT to indicate that pkt is accelerated
- * 3. insert AH header
- */
-static ipsec_status_t
-ah_outbound_accelerated_v4(mblk_t *ipsec_mp, ipsa_t *assoc)
-{
- mblk_t *mp, *new_mp;
- ipsec_out_t *oi;
- uint_t ah_data_sz; /* ICV length, algorithm dependent */
- uint_t ah_align_sz; /* ICV length + padding */
- uint32_t v_hlen_tos_len; /* from original IP header */
- ipha_t *oipha; /* original IP header */
- ipha_t *nipha; /* new IP header */
- uint_t option_length = 0;
- uint_t new_hdr_len; /* new header length */
- uint_t iphdr_length;
- ah_t *ah_hdr; /* ptr to AH header */
- netstack_t *ns;
- ipsec_stack_t *ipss;
- ipsecah_stack_t *ahstack;
-
- oi = (ipsec_out_t *)ipsec_mp->b_rptr;
- ns = oi->ipsec_out_ns;
- ipss = ns->netstack_ipsec;
- ahstack = ns->netstack_ipsecah;
-
- mp = ipsec_mp->b_cont;
-
- AH_BUMP_STAT(ahstack, out_accelerated);
-
- oipha = (ipha_t *)mp->b_rptr;
- v_hlen_tos_len = ((uint32_t *)oipha)[0];
-
- /* mark packet as being accelerated in IPSEC_OUT */
- ASSERT(oi->ipsec_out_accelerated == B_FALSE);
- oi->ipsec_out_accelerated = B_TRUE;
-
- /* calculate authentication data length, i.e. ICV + padding */
- ah_data_sz = assoc->ipsa_mac_len;
- ah_align_sz = (ah_data_sz + IPV4_PADDING_ALIGN - 1) &
- -IPV4_PADDING_ALIGN;
-
- /*
- * Insert pseudo header:
- * IPSEC_INFO -> [IP, ULP] => IPSEC_INFO -> [IP, AH, ICV] -> ULP
- */
-
- /* IP + AH + authentication + padding data length */
- new_hdr_len = IP_SIMPLE_HDR_LENGTH + sizeof (ah_t) + ah_align_sz;
- if (V_HLEN != IP_SIMPLE_HDR_VERSION) {
- option_length = oipha->ipha_version_and_hdr_length -
- (uint8_t)((IP_VERSION << 4) +
- IP_SIMPLE_HDR_LENGTH_IN_WORDS);
- option_length <<= 2;
- new_hdr_len += option_length;
- }
-
- /* allocate pseudo-header mblk */
- if ((new_mp = allocb(new_hdr_len, BPRI_HI)) == NULL) {
- /* IPsec kstats: bump bean counter here */
- ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
- DROPPER(ipss, ipds_ah_nomem),
- &ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
- }
-
- new_mp->b_cont = mp;
- ipsec_mp->b_cont = new_mp;
- new_mp->b_wptr += new_hdr_len;
-
- /* copy original IP header to new header */
- bcopy(mp->b_rptr, new_mp->b_rptr, IP_SIMPLE_HDR_LENGTH +
- option_length);
-
- /* update IP header */
- nipha = (ipha_t *)new_mp->b_rptr;
- nipha->ipha_protocol = IPPROTO_AH;
- iphdr_length = ntohs(nipha->ipha_length);
- iphdr_length += sizeof (ah_t) + ah_align_sz;
- nipha->ipha_length = htons(iphdr_length);
- nipha->ipha_hdr_checksum = 0;
- nipha->ipha_hdr_checksum = (uint16_t)ip_csum_hdr(nipha);
-
- /* skip original IP header in mp */
- mp->b_rptr += IP_SIMPLE_HDR_LENGTH + option_length;
-
- /* initialize AH header */
- ah_hdr = (ah_t *)(new_mp->b_rptr + IP_SIMPLE_HDR_LENGTH +
- option_length);
- ah_hdr->ah_nexthdr = oipha->ipha_protocol;
- if (!ah_finish_up(ah_hdr, NULL, assoc, ah_data_sz, ah_align_sz,
- ahstack)) {
- /* Only way this fails is if outbound replay counter wraps. */
- ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
- DROPPER(ipss, ipds_ah_replay),
- &ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
- }
-
- return (IPSEC_STATUS_SUCCESS);
-}
-
-/*
- * ah_outbound_accelerated_v6:
- *
- * Called from ah_outbound_v6() once it is determined that the packet
- * is eligible for hardware acceleration.
- *
- * We proceed as follows:
- * 1. allocate and initialize attributes mblk
- * 2. mark IPSEC_OUT to indicate that pkt is accelerated
- * 3. insert AH header
- */
-static ipsec_status_t
-ah_outbound_accelerated_v6(mblk_t *ipsec_mp, ipsa_t *assoc)
-{
- mblk_t *mp, *phdr_mp;
- ipsec_out_t *oi;
- uint_t ah_data_sz; /* ICV length, algorithm dependent */
- uint_t ah_align_sz; /* ICV length + padding */
- ip6_t *oip6h; /* original IP header */
- ip6_t *ip6h; /* new IP header */
- uint_t option_length = 0;
- uint_t hdr_size;
- uint_t ah_offset;
- ah_t *ah_hdr; /* ptr to AH header */
- netstack_t *ns;
- ipsec_stack_t *ipss;
- ipsecah_stack_t *ahstack;
-
- oi = (ipsec_out_t *)ipsec_mp->b_rptr;
- ns = oi->ipsec_out_ns;
- ipss = ns->netstack_ipsec;
- ahstack = ns->netstack_ipsecah;
-
- mp = ipsec_mp->b_cont;
-
- AH_BUMP_STAT(ahstack, out_accelerated);
-
- oip6h = (ip6_t *)mp->b_rptr;
-
- /* mark packet as being accelerated in IPSEC_OUT */
- ASSERT(oi->ipsec_out_accelerated == B_FALSE);
- oi->ipsec_out_accelerated = B_TRUE;
-
- /* calculate authentication data length, i.e. ICV + padding */
- ah_data_sz = assoc->ipsa_mac_len;
- ah_align_sz = (ah_data_sz + IPV4_PADDING_ALIGN - 1) &
- -IPV4_PADDING_ALIGN;
-
- ASSERT(ah_align_sz >= ah_data_sz);
-
- hdr_size = ipsec_ah_get_hdr_size_v6(mp, B_FALSE);
- option_length = hdr_size - IPV6_HDR_LEN;
-
- /* This was not included in ipsec_ah_get_hdr_size_v6() */
- hdr_size += (sizeof (ah_t) + ah_align_sz);
-
- if ((phdr_mp = allocb(hdr_size, BPRI_HI)) == NULL) {
- ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
- DROPPER(ipss, ipds_ah_nomem),
- &ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
- }
- phdr_mp->b_wptr += hdr_size;
-
- /*
- * Form the basic IP header first. We always assign every bit
- * of the v6 basic header, so a separate bzero is unneeded.
- */
- ip6h = (ip6_t *)phdr_mp->b_rptr;
- ip6h->ip6_vcf = oip6h->ip6_vcf;
- ip6h->ip6_hlim = oip6h->ip6_hlim;
- ip6h->ip6_src = oip6h->ip6_src;
- ip6h->ip6_dst = oip6h->ip6_dst;
- /*
- * Include the size of AH and authentication data.
- * This is how our recipient would compute the
- * authentication data. Look at what we do in the
- * inbound case below.
- */
- ip6h->ip6_plen = htons(ntohs(oip6h->ip6_plen) + sizeof (ah_t) +
- ah_align_sz);
-
- /*
- * Insert pseudo header:
- * IPSEC_INFO -> [IP6, LLH, ULP] =>
- * IPSEC_INFO -> [IP, LLH, AH, ICV] -> ULP
- */
-
- if (option_length == 0) {
- /* Form the AH header */
- ip6h->ip6_nxt = IPPROTO_AH;
- ((ah_t *)(ip6h + 1))->ah_nexthdr = oip6h->ip6_nxt;
- ah_offset = IPV6_HDR_LEN;
- } else {
- ip6h->ip6_nxt = oip6h->ip6_nxt;
- /* option_length does not include the AH header's size */
- ah_offset = ah_fix_phdr_v6(ip6h, oip6h, B_TRUE, B_FALSE);
- if (ah_offset == 0) {
- freemsg(phdr_mp);
- ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
- DROPPER(ipss, ipds_ah_bad_v6_hdrs),
- &ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
- }
- }
-
- phdr_mp->b_cont = mp;
- ipsec_mp->b_cont = phdr_mp;
-
- /* skip original IP header in mp */
- mp->b_rptr += IPV6_HDR_LEN + option_length;
-
- /* initialize AH header */
- ah_hdr = (ah_t *)(phdr_mp->b_rptr + IPV6_HDR_LEN + option_length);
- ah_hdr->ah_nexthdr = oip6h->ip6_nxt;
-
- if (!ah_finish_up(((ah_t *)((uint8_t *)ip6h + ah_offset)), NULL,
- assoc, ah_data_sz, ah_align_sz, ahstack)) {
- /* Only way this fails is if outbound replay counter wraps. */
- ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
- DROPPER(ipss, ipds_ah_replay),
- &ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
- }
-
- return (IPSEC_STATUS_SUCCESS);
-}
-
-/*
* Invoked after processing of an inbound packet by the
* kernel crypto framework. Called by ah_submit_req() for a sync request,
* or by the kcf callback for an async request.
- * Returns IPSEC_STATUS_SUCCESS on success, IPSEC_STATUS_FAILED on failure.
- * On failure, the mblk chain ipsec_in is freed by this function.
+ * Returns NULL if the mblk chain is consumed.
*/
-static ipsec_status_t
-ah_auth_in_done(mblk_t *ipsec_in)
+static mblk_t *
+ah_auth_in_done(mblk_t *phdr_mp, ip_recv_attr_t *ira, ipsec_crypto_t *ic)
{
- mblk_t *phdr_mp;
ipha_t *ipha;
uint_t ah_offset = 0;
mblk_t *mp;
@@ -4096,41 +3632,36 @@ ah_auth_in_done(mblk_t *ipsec_in)
uint32_t length;
uint32_t *dest32;
uint8_t *dest;
- ipsec_in_t *ii;
boolean_t isv4;
ip6_t *ip6h;
uint_t icv_len;
ipsa_t *assoc;
kstat_named_t *counter;
- netstack_t *ns;
- ipsecah_stack_t *ahstack;
- ipsec_stack_t *ipss;
-
- ii = (ipsec_in_t *)ipsec_in->b_rptr;
- ns = ii->ipsec_in_ns;
- ahstack = ns->netstack_ipsecah;
- ipss = ns->netstack_ipsec;
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
+ ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
- isv4 = ii->ipsec_in_v4;
- assoc = ii->ipsec_in_ah_sa;
- icv_len = (uint_t)ii->ipsec_in_crypto_mac.cd_raw.iov_len;
+ isv4 = (ira->ira_flags & IRAF_IS_IPV4);
+ assoc = ira->ira_ipsec_ah_sa;
+ icv_len = (uint_t)ic->ic_crypto_mac.cd_raw.iov_len;
- phdr_mp = ipsec_in->b_cont;
if (phdr_mp == NULL) {
- ip_drop_packet(ipsec_in, B_TRUE, NULL, NULL,
+ ip_drop_packet(phdr_mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_nomem),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ return (NULL);
}
mp = phdr_mp->b_cont;
if (mp == NULL) {
- ip_drop_packet(ipsec_in, B_TRUE, NULL, NULL,
+ ip_drop_packet(phdr_mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_nomem),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ return (NULL);
}
- mp->b_rptr -= ii->ipsec_in_skip_len;
+ mp->b_rptr -= ic->ic_skip_len;
ah_set_usetime(assoc, B_TRUE);
@@ -4256,8 +3787,7 @@ ah_auth_in_done(mblk_t *ipsec_in)
while (*nexthdr != IPPROTO_AH) {
whereptr += hdrlen;
/* Assume IP has already stripped it */
- ASSERT(*nexthdr != IPPROTO_FRAGMENT &&
- *nexthdr != IPPROTO_RAW);
+ ASSERT(*nexthdr != IPPROTO_FRAGMENT);
switch (*nexthdr) {
case IPPROTO_HOPOPTS:
hbhhdr = (ip6_hbh_t *)whereptr;
@@ -4292,20 +3822,18 @@ ah_auth_in_done(mblk_t *ipsec_in)
while (--dest >= mp->b_rptr)
*dest = *(dest - newpos);
}
- ipsec_in->b_cont = mp;
- phdr_mp->b_cont = NULL;
- /*
- * If a db_credp exists in phdr_mp, it must also exist in mp.
- */
- ASSERT(DB_CRED(phdr_mp) == NULL ||
- msg_getcred(mp, NULL) != NULL);
freeb(phdr_mp);
/*
* If SA is labelled, use its label, else inherit the label
*/
- if (is_system_labeled() && (assoc->ipsa_cred != NULL)) {
- mblk_setcred(mp, assoc->ipsa_cred, NOPID);
+ if (is_system_labeled() && (assoc->ipsa_tsl != NULL)) {
+ if (!ip_recv_attr_replace_label(ira, assoc->ipsa_tsl)) {
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
+ DROPPER(ipss, ipds_ah_nomem), &ahstack->ah_dropper);
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ return (NULL);
+ }
}
if (assoc->ipsa_state == IPSA_STATE_IDLE) {
@@ -4313,17 +3841,18 @@ ah_auth_in_done(mblk_t *ipsec_in)
* Cluster buffering case. Tell caller that we're
* handling the packet.
*/
- sadb_buf_pkt(assoc, ipsec_in, ns);
- return (IPSEC_STATUS_PENDING);
+ sadb_buf_pkt(assoc, mp, ira);
+ return (NULL);
}
- return (IPSEC_STATUS_SUCCESS);
+ return (mp);
ah_in_discard:
IP_AH_BUMP_STAT(ipss, in_discards);
- ip_drop_packet(ipsec_in, B_TRUE, NULL, NULL, counter,
+ ip_drop_packet(phdr_mp, B_TRUE, ira->ira_ill, counter,
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ return (NULL);
}
/*
@@ -4332,49 +3861,37 @@ ah_in_discard:
* executed syncrhonously, or by the KEF callback for a request
* executed asynchronously.
*/
-static ipsec_status_t
-ah_auth_out_done(mblk_t *ipsec_out)
+static mblk_t *
+ah_auth_out_done(mblk_t *phdr_mp, ip_xmit_attr_t *ixa, ipsec_crypto_t *ic)
{
- mblk_t *phdr_mp;
mblk_t *mp;
int align_len;
uint32_t hdrs_length;
uchar_t *ptr;
uint32_t length;
boolean_t isv4;
- ipsec_out_t *io;
size_t icv_len;
- netstack_t *ns;
- ipsec_stack_t *ipss;
- ipsecah_stack_t *ahstack;
-
- io = (ipsec_out_t *)ipsec_out->b_rptr;
- ns = io->ipsec_out_ns;
- ipss = ns->netstack_ipsec;
- ahstack = ns->netstack_ipsecah;
+ netstack_t *ns = ixa->ixa_ipst->ips_netstack;
+ ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+ ill_t *ill = ixa->ixa_nce->nce_ill;
- isv4 = io->ipsec_out_v4;
- icv_len = io->ipsec_out_crypto_mac.cd_raw.iov_len;
-
- phdr_mp = ipsec_out->b_cont;
- if (phdr_mp == NULL) {
- ip_drop_packet(ipsec_out, B_FALSE, NULL, NULL,
- DROPPER(ipss, ipds_ah_nomem),
- &ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
- }
+ isv4 = (ixa->ixa_flags & IXAF_IS_IPV4);
+ icv_len = ic->ic_crypto_mac.cd_raw.iov_len;
mp = phdr_mp->b_cont;
if (mp == NULL) {
- ip_drop_packet(ipsec_out, B_FALSE, NULL, NULL,
+ ip_drop_packet(phdr_mp, B_FALSE, ill,
DROPPER(ipss, ipds_ah_nomem),
&ahstack->ah_dropper);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ return (NULL);
}
- mp->b_rptr -= io->ipsec_out_skip_len;
+ mp->b_rptr -= ic->ic_skip_len;
- ASSERT(io->ipsec_out_ah_sa != NULL);
- ah_set_usetime(io->ipsec_out_ah_sa, B_FALSE);
+ ASSERT(ixa->ixa_flags & IXAF_IPSEC_SECURE);
+ ASSERT(ixa->ixa_ipsec_ah_sa != NULL);
+ ah_set_usetime(ixa->ixa_ipsec_ah_sa, B_FALSE);
if (isv4) {
ipha_t *ipha;
@@ -4454,7 +3971,7 @@ ah_auth_out_done(mblk_t *ipsec_out)
freeb(mp);
}
- return (IPSEC_STATUS_SUCCESS);
+ return (phdr_mp);
}
/* Refactor me */
@@ -4464,16 +3981,18 @@ ah_auth_out_done(mblk_t *ipsec_out)
*/
void
ipsecah_in_assocfailure(mblk_t *mp, char level, ushort_t sl, char *fmt,
- uint32_t spi, void *addr, int af, ipsecah_stack_t *ahstack)
+ uint32_t spi, void *addr, int af, ip_recv_attr_t *ira)
{
- ipsec_stack_t *ipss = ahstack->ipsecah_netstack->netstack_ipsec;
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
+ ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
if (ahstack->ipsecah_log_unknown_spi) {
ipsec_assocfailure(info.mi_idnum, 0, level, sl, fmt, spi,
addr, af, ahstack->ipsecah_netstack);
}
- ip_drop_packet(mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_ah_no_sa),
&ahstack->ah_dropper);
}
diff --git a/usr/src/uts/common/inet/ip/ipsecesp.c b/usr/src/uts/common/inet/ip/ipsecesp.c
index 089e23e937..8af449384f 100644
--- a/usr/src/uts/common/inet/ip/ipsecesp.c
+++ b/usr/src/uts/common/inet/ip/ipsecesp.c
@@ -53,6 +53,8 @@
#include <inet/ip.h>
#include <inet/ip_impl.h>
#include <inet/ip6.h>
+#include <inet/ip_if.h>
+#include <inet/ip_ndp.h>
#include <inet/sadb.h>
#include <inet/ipsec_info.h>
#include <inet/ipsec_impl.h>
@@ -67,8 +69,6 @@
#include <sys/taskq.h>
#include <sys/note.h>
-#include <sys/iphada.h>
-
#include <sys/tsol/tnet.h>
/*
@@ -130,26 +130,23 @@ static ipsecespparam_t lcl_param_arr[] = {
static int ipsecesp_open(queue_t *, dev_t *, int, int, cred_t *);
static int ipsecesp_close(queue_t *);
-static void ipsecesp_rput(queue_t *, mblk_t *);
static void ipsecesp_wput(queue_t *, mblk_t *);
static void *ipsecesp_stack_init(netstackid_t stackid, netstack_t *ns);
static void ipsecesp_stack_fini(netstackid_t stackid, void *arg);
static void esp_send_acquire(ipsacq_t *, mblk_t *, netstack_t *);
static void esp_prepare_udp(netstack_t *, mblk_t *, ipha_t *);
-static ipsec_status_t esp_outbound_accelerated(mblk_t *, uint_t);
-static ipsec_status_t esp_inbound_accelerated(mblk_t *, mblk_t *,
- boolean_t, ipsa_t *);
+static void esp_outbound_finish(mblk_t *, ip_xmit_attr_t *);
+static void esp_inbound_restart(mblk_t *, ip_recv_attr_t *);
static boolean_t esp_register_out(uint32_t, uint32_t, uint_t,
- ipsecesp_stack_t *, mblk_t *);
+ ipsecesp_stack_t *, cred_t *);
static boolean_t esp_strip_header(mblk_t *, boolean_t, uint32_t,
kstat_named_t **, ipsecesp_stack_t *);
-static ipsec_status_t esp_submit_req_inbound(mblk_t *, ipsa_t *, uint_t);
-static ipsec_status_t esp_submit_req_outbound(mblk_t *, ipsa_t *, uchar_t *,
- uint_t);
-extern void (*cl_inet_getspi)(netstackid_t, uint8_t, uint8_t *, size_t,
- void *);
+static mblk_t *esp_submit_req_inbound(mblk_t *, ip_recv_attr_t *,
+ ipsa_t *, uint_t);
+static mblk_t *esp_submit_req_outbound(mblk_t *, ip_xmit_attr_t *,
+ ipsa_t *, uchar_t *, uint_t);
/* Setable in /etc/system */
uint32_t esp_hash_size = IPSEC_DEFAULT_HASH_SIZE;
@@ -159,7 +156,7 @@ static struct module_info info = {
};
static struct qinit rinit = {
- (pfi_t)ipsecesp_rput, NULL, ipsecesp_open, ipsecesp_close, NULL, &info,
+ (pfi_t)putnext, NULL, ipsecesp_open, ipsecesp_close, NULL, &info,
NULL
};
@@ -201,9 +198,6 @@ typedef struct esp_kstats_s {
kstat_named_t esp_stat_acquire_requests;
kstat_named_t esp_stat_bytes_expired;
kstat_named_t esp_stat_out_discards;
- kstat_named_t esp_stat_in_accelerated;
- kstat_named_t esp_stat_out_accelerated;
- kstat_named_t esp_stat_noaccel;
kstat_named_t esp_stat_crypto_sync;
kstat_named_t esp_stat_crypto_async;
kstat_named_t esp_stat_crypto_failures;
@@ -266,9 +260,6 @@ esp_kstat_init(ipsecesp_stack_t *espstack, netstackid_t stackid)
KI(acquire_requests);
KI(bytes_expired);
KI(out_discards);
- KI(in_accelerated);
- KI(out_accelerated);
- KI(noaccel);
KI(crypto_sync);
KI(crypto_async);
KI(crypto_failures);
@@ -384,9 +375,9 @@ esp_ager(void *arg)
hrtime_t begin = gethrtime();
sadb_ager(&espstack->esp_sadb.s_v4, espstack->esp_pfkey_q,
- espstack->esp_sadb.s_ip_q, espstack->ipsecesp_reap_delay, ns);
+ espstack->ipsecesp_reap_delay, ns);
sadb_ager(&espstack->esp_sadb.s_v6, espstack->esp_pfkey_q,
- espstack->esp_sadb.s_ip_q, espstack->ipsecesp_reap_delay, ns);
+ espstack->ipsecesp_reap_delay, ns);
espstack->esp_event = sadb_retimeout(begin, espstack->esp_pfkey_q,
esp_ager, espstack,
@@ -583,7 +574,13 @@ ipsecesp_stack_fini(netstackid_t stackid, void *arg)
}
/*
- * ESP module open routine.
+ * ESP module open routine, which is here for keysock plumbing.
+ * Keysock is pushed over {AH,ESP} which is an artifact from the Bad Old
+ * Days of export control, and fears that ESP would not be allowed
+ * to be shipped at all by default. Eventually, keysock should
+ * either access AH and ESP via modstubs or krtld dependencies, or
+ * perhaps be folded in with AH and ESP into a single IPsec/netsec
+ * module ("netsec" if PF_KEY provides more than AH/ESP keying tables).
*/
/* ARGSUSED */
static int
@@ -606,56 +603,10 @@ ipsecesp_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
espstack = ns->netstack_ipsecesp;
ASSERT(espstack != NULL);
- /*
- * ASSUMPTIONS (because I'm MT_OCEXCL):
- *
- * * I'm being pushed on top of IP for all my opens (incl. #1).
- * * Only ipsecesp_open() can write into esp_sadb.s_ip_q.
- * * Because of this, I can check lazily for esp_sadb.s_ip_q.
- *
- * If these assumptions are wrong, I'm in BIG trouble...
- */
-
q->q_ptr = espstack;
WR(q)->q_ptr = q->q_ptr;
- if (espstack->esp_sadb.s_ip_q == NULL) {
- struct T_unbind_req *tur;
-
- espstack->esp_sadb.s_ip_q = WR(q);
- /* Allocate an unbind... */
- espstack->esp_ip_unbind = allocb(sizeof (struct T_unbind_req),
- BPRI_HI);
-
- /*
- * Send down T_BIND_REQ to bind IPPROTO_ESP.
- * Handle the ACK here in ESP.
- */
- qprocson(q);
- if (espstack->esp_ip_unbind == NULL ||
- !sadb_t_bind_req(espstack->esp_sadb.s_ip_q, IPPROTO_ESP)) {
- if (espstack->esp_ip_unbind != NULL) {
- freeb(espstack->esp_ip_unbind);
- espstack->esp_ip_unbind = NULL;
- }
- q->q_ptr = NULL;
- netstack_rele(espstack->ipsecesp_netstack);
- return (ENOMEM);
- }
-
- espstack->esp_ip_unbind->b_datap->db_type = M_PROTO;
- tur = (struct T_unbind_req *)espstack->esp_ip_unbind->b_rptr;
- tur->PRIM_type = T_UNBIND_REQ;
- } else {
- qprocson(q);
- }
-
- /*
- * For now, there's not much I can do. I'll be getting a message
- * passed down to me from keysock (in my wput), and a T_BIND_ACK
- * up from IP (in my rput).
- */
-
+ qprocson(q);
return (0);
}
@@ -668,17 +619,6 @@ ipsecesp_close(queue_t *q)
ipsecesp_stack_t *espstack = (ipsecesp_stack_t *)q->q_ptr;
/*
- * If esp_sadb.s_ip_q is attached to this instance, send a
- * T_UNBIND_REQ to IP for the instance before doing
- * a qprocsoff().
- */
- if (WR(q) == espstack->esp_sadb.s_ip_q &&
- espstack->esp_ip_unbind != NULL) {
- putnext(WR(q), espstack->esp_ip_unbind);
- espstack->esp_ip_unbind = NULL;
- }
-
- /*
* Clean up q_ptr, if needed.
*/
qprocsoff(q);
@@ -693,45 +633,6 @@ ipsecesp_close(queue_t *q)
(void) quntimeout(q, espstack->esp_event);
}
- if (WR(q) == espstack->esp_sadb.s_ip_q) {
- /*
- * If the esp_sadb.s_ip_q is attached to this instance, find
- * another. The OCEXCL outer perimeter helps us here.
- */
- espstack->esp_sadb.s_ip_q = NULL;
-
- /*
- * Find a replacement queue for esp_sadb.s_ip_q.
- */
- if (espstack->esp_pfkey_q != NULL &&
- espstack->esp_pfkey_q != RD(q)) {
- /*
- * See if we can use the pfkey_q.
- */
- espstack->esp_sadb.s_ip_q = WR(espstack->esp_pfkey_q);
- }
-
- if (espstack->esp_sadb.s_ip_q == NULL ||
- !sadb_t_bind_req(espstack->esp_sadb.s_ip_q, IPPROTO_ESP)) {
- esp1dbg(espstack, ("ipsecesp: Can't reassign ip_q.\n"));
- espstack->esp_sadb.s_ip_q = NULL;
- } else {
- espstack->esp_ip_unbind =
- allocb(sizeof (struct T_unbind_req), BPRI_HI);
-
- if (espstack->esp_ip_unbind != NULL) {
- struct T_unbind_req *tur;
-
- espstack->esp_ip_unbind->b_datap->db_type =
- M_PROTO;
- tur = (struct T_unbind_req *)
- espstack->esp_ip_unbind->b_rptr;
- tur->PRIM_type = T_UNBIND_REQ;
- }
- /* If it's NULL, I can't do much here. */
- }
- }
-
netstack_rele(espstack->ipsecesp_netstack);
return (0);
}
@@ -834,26 +735,27 @@ esp_age_bytes(ipsa_t *assoc, uint64_t bytes, boolean_t inbound)
/*
* Do incoming NAT-T manipulations for packet.
+ * Returns NULL if the mblk chain is consumed.
*/
-static ipsec_status_t
+static mblk_t *
esp_fix_natt_checksums(mblk_t *data_mp, ipsa_t *assoc)
{
ipha_t *ipha = (ipha_t *)data_mp->b_rptr;
- tcpha_t *tcph;
+ tcpha_t *tcpha;
udpha_t *udpha;
/* Initialize to our inbound cksum adjustment... */
uint32_t sum = assoc->ipsa_inbound_cksum;
switch (ipha->ipha_protocol) {
case IPPROTO_TCP:
- tcph = (tcpha_t *)(data_mp->b_rptr +
+ tcpha = (tcpha_t *)(data_mp->b_rptr +
IPH_HDR_LENGTH(ipha));
#define DOWN_SUM(x) (x) = ((x) & 0xFFFF) + ((x) >> 16)
- sum += ~ntohs(tcph->tha_sum) & 0xFFFF;
+ sum += ~ntohs(tcpha->tha_sum) & 0xFFFF;
DOWN_SUM(sum);
DOWN_SUM(sum);
- tcph->tha_sum = ~htons(sum);
+ tcpha->tha_sum = ~htons(sum);
break;
case IPPROTO_UDP:
udpha = (udpha_t *)(data_mp->b_rptr + IPH_HDR_LENGTH(ipha));
@@ -876,7 +778,7 @@ esp_fix_natt_checksums(mblk_t *data_mp, ipsa_t *assoc)
*/
break;
}
- return (IPSEC_STATUS_SUCCESS);
+ return (data_mp);
}
@@ -968,10 +870,11 @@ esp_strip_header(mblk_t *data_mp, boolean_t isv4, uint32_t ivlen,
if (ip6h->ip6_nxt == IPPROTO_ESP) {
ip6h->ip6_nxt = nexthdr;
} else {
- ip6_pkt_t ipp;
+ ip_pkt_t ipp;
bzero(&ipp, sizeof (ipp));
- (void) ip_find_hdr_v6(data_mp, ip6h, &ipp, NULL);
+ (void) ip_find_hdr_v6(data_mp, ip6h, B_FALSE, &ipp,
+ NULL);
if (ipp.ipp_dstopts != NULL) {
ipp.ipp_dstopts->ip6d_nxt = nexthdr;
} else if (ipp.ipp_rthdr != NULL) {
@@ -1227,16 +1130,14 @@ esp_set_usetime(ipsa_t *assoc, boolean_t inbound)
/*
* Handle ESP inbound data for IPv4 and IPv6.
* On success returns B_TRUE, on failure returns B_FALSE and frees the
- * mblk chain ipsec_in_mp.
+ * mblk chain data_mp.
*/
-ipsec_status_t
-esp_inbound(mblk_t *ipsec_in_mp, void *arg)
+mblk_t *
+esp_inbound(mblk_t *data_mp, void *arg, ip_recv_attr_t *ira)
{
- mblk_t *data_mp = ipsec_in_mp->b_cont;
- ipsec_in_t *ii = (ipsec_in_t *)ipsec_in_mp->b_rptr;
esph_t *esph = (esph_t *)arg;
- ipsa_t *ipsa = ii->ipsec_in_esp_sa;
- netstack_t *ns = ii->ipsec_in_ns;
+ ipsa_t *ipsa = ira->ira_ipsec_esp_sa;
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
ipsec_stack_t *ipss = ns->netstack_ipsec;
@@ -1254,36 +1155,18 @@ esp_inbound(mblk_t *ipsec_in_mp, void *arg)
if (!sadb_replay_peek(ipsa, esph->esph_replay)) {
ESP_BUMP_STAT(espstack, replay_early_failures);
IP_ESP_BUMP_STAT(ipss, in_discards);
- /*
- * TODO: Extract inbound interface from the IPSEC_IN
- * message's ii->ipsec_in_rill_index.
- */
- ip_drop_packet(ipsec_in_mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(data_mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_esp_early_replay),
&espstack->esp_dropper);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ return (NULL);
}
/*
- * Has this packet already been processed by a hardware
- * IPsec accelerator?
- */
- if (ii->ipsec_in_accelerated) {
- ipsec_status_t rv;
- esp3dbg(espstack,
- ("esp_inbound: pkt processed by ill=%d isv6=%d\n",
- ii->ipsec_in_ill_index, !ii->ipsec_in_v4));
- rv = esp_inbound_accelerated(ipsec_in_mp,
- data_mp, ii->ipsec_in_v4, ipsa);
- return (rv);
- }
- ESP_BUMP_STAT(espstack, noaccel);
-
- /*
* Adjust the IP header's payload length to reflect the removal
* of the ICV.
*/
- if (!ii->ipsec_in_v4) {
+ if (!(ira->ira_flags & IRAF_IS_IPV4)) {
ip6_t *ip6h = (ip6_t *)data_mp->b_rptr;
ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) -
ipsa->ipsa_mac_len);
@@ -1294,7 +1177,7 @@ esp_inbound(mblk_t *ipsec_in_mp, void *arg)
}
/* submit the request to the crypto framework */
- return (esp_submit_req_inbound(ipsec_in_mp, ipsa,
+ return (esp_submit_req_inbound(data_mp, ira, ipsa,
(uint8_t *)esph - data_mp->b_rptr));
}
@@ -1303,21 +1186,15 @@ esp_inbound(mblk_t *ipsec_in_mp, void *arg)
* Called while holding the algorithm lock.
*/
static void
-esp_insert_prop(sadb_prop_t *prop, ipsacq_t *acqrec, uint_t combs)
+esp_insert_prop(sadb_prop_t *prop, ipsacq_t *acqrec, uint_t combs,
+ netstack_t *ns)
{
sadb_comb_t *comb = (sadb_comb_t *)(prop + 1);
- ipsec_out_t *io;
ipsec_action_t *ap;
ipsec_prot_t *prot;
- netstack_t *ns;
- ipsecesp_stack_t *espstack;
- ipsec_stack_t *ipss;
+ ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
- io = (ipsec_out_t *)acqrec->ipsacq_mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- ns = io->ipsec_out_ns;
- espstack = ns->netstack_ipsecesp;
- ipss = ns->netstack_ipsec;
ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
prop->sadb_prop_exttype = SADB_EXT_PROPOSAL;
@@ -1327,9 +1204,10 @@ esp_insert_prop(sadb_prop_t *prop, ipsacq_t *acqrec, uint_t combs)
prop->sadb_prop_replay = espstack->ipsecesp_replay_size;
/*
- * Based upon algorithm properties, and what-not, prioritize
- * a proposal. If the IPSEC_OUT message has an algorithm specified,
- * use it first and foremost.
+ * Based upon algorithm properties, and what-not, prioritize a
+ * proposal, based on the ordering of the ESP algorithms in the
+ * alternatives in the policy rule or socket that was placed
+ * in the acquire record.
*
* For each action in policy list
* Add combination. If I've hit limit, return.
@@ -1456,7 +1334,7 @@ esp_send_acquire(ipsacq_t *acqrec, mblk_t *extended, netstack_t *ns)
/* Insert proposal here. */
prop = (sadb_prop_t *)(((uint64_t *)samsg) + samsg->sadb_msg_len);
- esp_insert_prop(prop, acqrec, combs);
+ esp_insert_prop(prop, acqrec, combs, ns);
samsg->sadb_msg_len += prop->sadb_prop_len;
msgmp->b_wptr += SADB_64TO8(samsg->sadb_msg_len);
@@ -1756,13 +1634,11 @@ esp_port_freshness(uint32_t ports, ipsa_t *assoc)
* If authentication was performed on the packet, this function is called
* only if the authentication succeeded.
* On success returns B_TRUE, on failure returns B_FALSE and frees the
- * mblk chain ipsec_in_mp.
+ * mblk chain data_mp.
*/
-static ipsec_status_t
-esp_in_done(mblk_t *ipsec_in_mp)
+static mblk_t *
+esp_in_done(mblk_t *data_mp, ip_recv_attr_t *ira, ipsec_crypto_t *ic)
{
- ipsec_in_t *ii = (ipsec_in_t *)ipsec_in_mp->b_rptr;
- mblk_t *data_mp;
ipsa_t *assoc;
uint_t espstart;
uint32_t ivlen = 0;
@@ -1770,11 +1646,11 @@ esp_in_done(mblk_t *ipsec_in_mp)
esph_t *esph;
kstat_named_t *counter;
boolean_t is_natt;
- netstack_t *ns = ii->ipsec_in_ns;
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
ipsec_stack_t *ipss = ns->netstack_ipsec;
- assoc = ii->ipsec_in_esp_sa;
+ assoc = ira->ira_ipsec_esp_sa;
ASSERT(assoc != NULL);
is_natt = ((assoc->ipsa_flags & IPSA_F_NATT) != 0);
@@ -1782,26 +1658,25 @@ esp_in_done(mblk_t *ipsec_in_mp)
/* get the pointer to the ESP header */
if (assoc->ipsa_encr_alg == SADB_EALG_NULL) {
/* authentication-only ESP */
- espstart = ii->ipsec_in_crypto_data.cd_offset;
- processed_len = ii->ipsec_in_crypto_data.cd_length;
+ espstart = ic->ic_crypto_data.cd_offset;
+ processed_len = ic->ic_crypto_data.cd_length;
} else {
/* encryption present */
ivlen = assoc->ipsa_iv_len;
if (assoc->ipsa_auth_alg == SADB_AALG_NONE) {
/* encryption-only ESP */
- espstart = ii->ipsec_in_crypto_data.cd_offset -
+ espstart = ic->ic_crypto_data.cd_offset -
sizeof (esph_t) - assoc->ipsa_iv_len;
- processed_len = ii->ipsec_in_crypto_data.cd_length +
+ processed_len = ic->ic_crypto_data.cd_length +
ivlen;
} else {
/* encryption with authentication */
- espstart = ii->ipsec_in_crypto_dual_data.dd_offset1;
- processed_len = ii->ipsec_in_crypto_dual_data.dd_len2 +
+ espstart = ic->ic_crypto_dual_data.dd_offset1;
+ processed_len = ic->ic_crypto_dual_data.dd_len2 +
ivlen;
}
}
- data_mp = ipsec_in_mp->b_cont;
esph = (esph_t *)(data_mp->b_rptr + espstart);
if (assoc->ipsa_auth_alg != IPSA_AALG_NONE ||
@@ -1840,8 +1715,11 @@ esp_in_done(mblk_t *ipsec_in_mp)
goto drop_and_bail;
}
- if (is_natt)
- esp_port_freshness(ii->ipsec_in_esp_udp_ports, assoc);
+ if (is_natt) {
+ ASSERT(ira->ira_flags & IRAF_ESP_UDP_PORTS);
+ ASSERT(ira->ira_esp_udp_ports != 0);
+ esp_port_freshness(ira->ira_esp_udp_ports, assoc);
+ }
}
esp_set_usetime(assoc, B_TRUE);
@@ -1863,44 +1741,41 @@ esp_in_done(mblk_t *ipsec_in_mp)
* spews "branch, predict taken" code for this.
*/
- if (esp_strip_header(data_mp, ii->ipsec_in_v4, ivlen, &counter,
- espstack)) {
-
- if (is_system_labeled()) {
- cred_t *cr = assoc->ipsa_cred;
+ if (esp_strip_header(data_mp, (ira->ira_flags & IRAF_IS_IPV4),
+ ivlen, &counter, espstack)) {
- if (cr != NULL) {
- mblk_setcred(data_mp, cr, NOPID);
+ if (is_system_labeled() && assoc->ipsa_tsl != NULL) {
+ if (!ip_recv_attr_replace_label(ira, assoc->ipsa_tsl)) {
+ ip_drop_packet(data_mp, B_TRUE, ira->ira_ill,
+ DROPPER(ipss, ipds_ah_nomem),
+ &espstack->esp_dropper);
+ BUMP_MIB(ira->ira_ill->ill_ip_mib,
+ ipIfStatsInDiscards);
+ return (NULL);
}
-
}
if (is_natt)
return (esp_fix_natt_checksums(data_mp, assoc));
- ASSERT(!is_system_labeled() || (DB_CRED(data_mp) != NULL));
-
if (assoc->ipsa_state == IPSA_STATE_IDLE) {
/*
* Cluster buffering case. Tell caller that we're
* handling the packet.
*/
- sadb_buf_pkt(assoc, ipsec_in_mp, ns);
- return (IPSEC_STATUS_PENDING);
+ sadb_buf_pkt(assoc, data_mp, ira);
+ return (NULL);
}
- return (IPSEC_STATUS_SUCCESS);
+ return (data_mp);
}
esp1dbg(espstack, ("esp_in_done: esp_strip_header() failed\n"));
drop_and_bail:
IP_ESP_BUMP_STAT(ipss, in_discards);
- /*
- * TODO: Extract inbound interface from the IPSEC_IN message's
- * ii->ipsec_in_rill_index.
- */
- ip_drop_packet(ipsec_in_mp, B_TRUE, NULL, NULL, counter,
+ ip_drop_packet(data_mp, B_TRUE, ira->ira_ill, counter,
&espstack->esp_dropper);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ return (NULL);
}
/*
@@ -1908,11 +1783,10 @@ drop_and_bail:
* argument is freed.
*/
static void
-esp_log_bad_auth(mblk_t *ipsec_in)
+esp_log_bad_auth(mblk_t *mp, ip_recv_attr_t *ira)
{
- ipsec_in_t *ii = (ipsec_in_t *)ipsec_in->b_rptr;
- ipsa_t *assoc = ii->ipsec_in_esp_sa;
- netstack_t *ns = ii->ipsec_in_ns;
+ ipsa_t *assoc = ira->ira_ipsec_esp_sa;
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
ipsec_stack_t *ipss = ns->netstack_ipsec;
@@ -1928,11 +1802,7 @@ esp_log_bad_auth(mblk_t *ipsec_in)
espstack->ipsecesp_netstack);
IP_ESP_BUMP_STAT(ipss, in_discards);
- /*
- * TODO: Extract inbound interface from the IPSEC_IN
- * message's ii->ipsec_in_rill_index.
- */
- ip_drop_packet(ipsec_in, B_TRUE, NULL, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_esp_bad_auth),
&espstack->esp_dropper);
}
@@ -1944,148 +1814,205 @@ esp_log_bad_auth(mblk_t *ipsec_in)
* Returns B_TRUE if the AH processing was not needed or if it was
* performed successfully. Returns B_FALSE and consumes the passed mblk
* if AH processing was required but could not be performed.
+ *
+ * Returns data_mp unless data_mp was consumed/queued.
*/
-static boolean_t
-esp_do_outbound_ah(mblk_t *ipsec_mp)
+static mblk_t *
+esp_do_outbound_ah(mblk_t *data_mp, ip_xmit_attr_t *ixa)
{
- ipsec_out_t *io = (ipsec_out_t *)ipsec_mp->b_rptr;
- ipsec_status_t ipsec_rc;
ipsec_action_t *ap;
- ap = io->ipsec_out_act;
+ ap = ixa->ixa_ipsec_action;
if (ap == NULL) {
- ipsec_policy_t *pp = io->ipsec_out_policy;
+ ipsec_policy_t *pp = ixa->ixa_ipsec_policy;
ap = pp->ipsp_act;
}
if (!ap->ipa_want_ah)
- return (B_TRUE);
+ return (data_mp);
- ASSERT(io->ipsec_out_ah_done == B_FALSE);
-
- if (io->ipsec_out_ah_sa == NULL) {
- if (!ipsec_outbound_sa(ipsec_mp, IPPROTO_AH)) {
- sadb_acquire(ipsec_mp, io, B_TRUE, B_FALSE);
- return (B_FALSE);
+ /*
+ * Normally the AH SA would have already been put in place
+ * but it could have been flushed so we need to look for it.
+ */
+ if (ixa->ixa_ipsec_ah_sa == NULL) {
+ if (!ipsec_outbound_sa(data_mp, ixa, IPPROTO_AH)) {
+ sadb_acquire(data_mp, ixa, B_TRUE, B_FALSE);
+ return (NULL);
}
}
- ASSERT(io->ipsec_out_ah_sa != NULL);
+ ASSERT(ixa->ixa_ipsec_ah_sa != NULL);
- io->ipsec_out_ah_done = B_TRUE;
- ipsec_rc = io->ipsec_out_ah_sa->ipsa_output_func(ipsec_mp);
- return (ipsec_rc == IPSEC_STATUS_SUCCESS);
+ data_mp = ixa->ixa_ipsec_ah_sa->ipsa_output_func(data_mp, ixa);
+ return (data_mp);
}
/*
* Kernel crypto framework callback invoked after completion of async
- * crypto requests.
+ * crypto requests for outbound packets.
*/
static void
-esp_kcf_callback(void *arg, int status)
+esp_kcf_callback_outbound(void *arg, int status)
{
- mblk_t *ipsec_mp = (mblk_t *)arg;
- ipsec_in_t *ii = (ipsec_in_t *)ipsec_mp->b_rptr;
- ipsec_out_t *io = (ipsec_out_t *)ipsec_mp->b_rptr;
- boolean_t is_inbound = (ii->ipsec_in_type == IPSEC_IN);
- netstackid_t stackid;
- netstack_t *ns, *ns_arg;
- ipsecesp_stack_t *espstack;
+ mblk_t *mp = (mblk_t *)arg;
+ mblk_t *async_mp;
+ netstack_t *ns;
ipsec_stack_t *ipss;
+ ipsecesp_stack_t *espstack;
+ mblk_t *data_mp;
+ ip_xmit_attr_t ixas;
+ ipsec_crypto_t *ic;
+ ill_t *ill;
- ASSERT(ipsec_mp->b_cont != NULL);
+ /*
+ * First remove the ipsec_crypto_t mblk
+ * Note that we need to ipsec_free_crypto_data(mp) once done with ic.
+ */
+ async_mp = ipsec_remove_crypto_data(mp, &ic);
+ ASSERT(async_mp != NULL);
- if (is_inbound) {
- stackid = ii->ipsec_in_stackid;
- ns_arg = ii->ipsec_in_ns;
+ /*
+ * Extract the ip_xmit_attr_t from the first mblk.
+ * Verifies that the netstack and ill is still around; could
+ * have vanished while kEf was doing its work.
+ * On succesful return we have a nce_t and the ill/ipst can't
+ * disappear until we do the nce_refrele in ixa_cleanup.
+ */
+ data_mp = async_mp->b_cont;
+ async_mp->b_cont = NULL;
+ if (!ip_xmit_attr_from_mblk(async_mp, &ixas)) {
+ /* Disappeared on us - no ill/ipst for MIB */
+ /* We have nowhere to do stats since ixa_ipst could be NULL */
+ if (ixas.ixa_nce != NULL) {
+ ill = ixas.ixa_nce->nce_ill;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", data_mp, ill);
+ }
+ freemsg(data_mp);
+ goto done;
+ }
+ ns = ixas.ixa_ipst->ips_netstack;
+ espstack = ns->netstack_ipsecesp;
+ ipss = ns->netstack_ipsec;
+ ill = ixas.ixa_nce->nce_ill;
+
+ if (status == CRYPTO_SUCCESS) {
+ /*
+ * If a ICV was computed, it was stored by the
+ * crypto framework at the end of the packet.
+ */
+ ipha_t *ipha = (ipha_t *)data_mp->b_rptr;
+
+ esp_set_usetime(ixas.ixa_ipsec_esp_sa, B_FALSE);
+ /* NAT-T packet. */
+ if (IPH_HDR_VERSION(ipha) == IP_VERSION &&
+ ipha->ipha_protocol == IPPROTO_UDP)
+ esp_prepare_udp(ns, data_mp, ipha);
+
+ /* do AH processing if needed */
+ data_mp = esp_do_outbound_ah(data_mp, &ixas);
+ if (data_mp == NULL)
+ goto done;
+
+ (void) ip_output_post_ipsec(data_mp, &ixas);
} else {
- stackid = io->ipsec_out_stackid;
- ns_arg = io->ipsec_out_ns;
+ /* Outbound shouldn't see invalid MAC */
+ ASSERT(status != CRYPTO_INVALID_MAC);
+
+ esp1dbg(espstack,
+ ("esp_kcf_callback_outbound: crypto failed with 0x%x\n",
+ status));
+ ESP_BUMP_STAT(espstack, crypto_failures);
+ ESP_BUMP_STAT(espstack, out_discards);
+ ip_drop_packet(data_mp, B_FALSE, ill,
+ DROPPER(ipss, ipds_esp_crypto_failed),
+ &espstack->esp_dropper);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
}
+done:
+ ixa_cleanup(&ixas);
+ (void) ipsec_free_crypto_data(mp);
+}
+
+/*
+ * Kernel crypto framework callback invoked after completion of async
+ * crypto requests for inbound packets.
+ */
+static void
+esp_kcf_callback_inbound(void *arg, int status)
+{
+ mblk_t *mp = (mblk_t *)arg;
+ mblk_t *async_mp;
+ netstack_t *ns;
+ ipsecesp_stack_t *espstack;
+ ipsec_stack_t *ipss;
+ mblk_t *data_mp;
+ ip_recv_attr_t iras;
+ ipsec_crypto_t *ic;
/*
- * Verify that the netstack is still around; could have vanished
- * while kEf was doing its work.
+ * First remove the ipsec_crypto_t mblk
+ * Note that we need to ipsec_free_crypto_data(mp) once done with ic.
*/
- ns = netstack_find_by_stackid(stackid);
- if (ns == NULL || ns != ns_arg) {
- /* Disappeared on us */
- if (ns != NULL)
- netstack_rele(ns);
- freemsg(ipsec_mp);
- return;
+ async_mp = ipsec_remove_crypto_data(mp, &ic);
+ ASSERT(async_mp != NULL);
+
+ /*
+ * Extract the ip_recv_attr_t from the first mblk.
+ * Verifies that the netstack and ill is still around; could
+ * have vanished while kEf was doing its work.
+ */
+ data_mp = async_mp->b_cont;
+ async_mp->b_cont = NULL;
+ if (!ip_recv_attr_from_mblk(async_mp, &iras)) {
+ /* The ill or ip_stack_t disappeared on us */
+ ip_drop_input("ip_recv_attr_from_mblk", data_mp, NULL);
+ freemsg(data_mp);
+ goto done;
}
+ ns = iras.ira_ill->ill_ipst->ips_netstack;
espstack = ns->netstack_ipsecesp;
ipss = ns->netstack_ipsec;
if (status == CRYPTO_SUCCESS) {
- if (is_inbound) {
- if (esp_in_done(ipsec_mp) != IPSEC_STATUS_SUCCESS) {
- netstack_rele(ns);
- return;
- }
- /* finish IPsec processing */
- ip_fanout_proto_again(ipsec_mp, NULL, NULL, NULL);
- } else {
- /*
- * If a ICV was computed, it was stored by the
- * crypto framework at the end of the packet.
- */
- ipha_t *ipha = (ipha_t *)ipsec_mp->b_cont->b_rptr;
-
- esp_set_usetime(io->ipsec_out_esp_sa, B_FALSE);
- /* NAT-T packet. */
- if (ipha->ipha_protocol == IPPROTO_UDP)
- esp_prepare_udp(ns, ipsec_mp->b_cont, ipha);
-
- /* do AH processing if needed */
- if (!esp_do_outbound_ah(ipsec_mp)) {
- netstack_rele(ns);
- return;
- }
- /* finish IPsec processing */
- if (IPH_HDR_VERSION(ipha) == IP_VERSION) {
- ip_wput_ipsec_out(NULL, ipsec_mp, ipha, NULL,
- NULL);
- } else {
- ip6_t *ip6h = (ip6_t *)ipha;
- ip_wput_ipsec_out_v6(NULL, ipsec_mp, ip6h,
- NULL, NULL);
- }
- }
+ data_mp = esp_in_done(data_mp, &iras, ic);
+ if (data_mp == NULL)
+ goto done;
+ /* finish IPsec processing */
+ ip_input_post_ipsec(data_mp, &iras);
} else if (status == CRYPTO_INVALID_MAC) {
- esp_log_bad_auth(ipsec_mp);
-
+ esp_log_bad_auth(data_mp, &iras);
} else {
esp1dbg(espstack,
("esp_kcf_callback: crypto failed with 0x%x\n",
status));
ESP_BUMP_STAT(espstack, crypto_failures);
- if (is_inbound)
- IP_ESP_BUMP_STAT(ipss, in_discards);
- else
- ESP_BUMP_STAT(espstack, out_discards);
- ip_drop_packet(ipsec_mp, is_inbound, NULL, NULL,
+ IP_ESP_BUMP_STAT(ipss, in_discards);
+ ip_drop_packet(data_mp, B_TRUE, iras.ira_ill,
DROPPER(ipss, ipds_esp_crypto_failed),
&espstack->esp_dropper);
+ BUMP_MIB(iras.ira_ill->ill_ip_mib, ipIfStatsInDiscards);
}
- netstack_rele(ns);
+done:
+ ira_cleanup(&iras, B_TRUE);
+ (void) ipsec_free_crypto_data(mp);
}
/*
* Invoked on crypto framework failure during inbound and outbound processing.
*/
static void
-esp_crypto_failed(mblk_t *mp, boolean_t is_inbound, int kef_rc,
- ipsecesp_stack_t *espstack)
+esp_crypto_failed(mblk_t *data_mp, boolean_t is_inbound, int kef_rc,
+ ill_t *ill, ipsecesp_stack_t *espstack)
{
ipsec_stack_t *ipss = espstack->ipsecesp_netstack->netstack_ipsec;
esp1dbg(espstack, ("crypto failed for %s ESP with 0x%x\n",
is_inbound ? "inbound" : "outbound", kef_rc));
- ip_drop_packet(mp, is_inbound, NULL, NULL,
+ ip_drop_packet(data_mp, is_inbound, ill,
DROPPER(ipss, ipds_esp_crypto_failed),
&espstack->esp_dropper);
ESP_BUMP_STAT(espstack, crypto_failures);
@@ -2095,11 +2022,14 @@ esp_crypto_failed(mblk_t *mp, boolean_t is_inbound, int kef_rc,
ESP_BUMP_STAT(espstack, out_discards);
}
-#define ESP_INIT_CALLREQ(_cr) { \
- (_cr)->cr_flag = CRYPTO_SKIP_REQID|CRYPTO_RESTRICTED; \
- (_cr)->cr_callback_arg = ipsec_mp; \
- (_cr)->cr_callback_func = esp_kcf_callback; \
-}
+/*
+ * A statement-equivalent macro, _cr MUST point to a modifiable
+ * crypto_call_req_t.
+ */
+#define ESP_INIT_CALLREQ(_cr, _mp, _callback) \
+ (_cr)->cr_flag = CRYPTO_SKIP_REQID|CRYPTO_ALWAYS_QUEUE; \
+ (_cr)->cr_callback_arg = (_mp); \
+ (_cr)->cr_callback_func = (_callback)
#define ESP_INIT_CRYPTO_MAC(mac, icvlen, icvbuf) { \
(mac)->cd_format = CRYPTO_DATA_RAW; \
@@ -2132,44 +2062,45 @@ esp_crypto_failed(mblk_t *mp, boolean_t is_inbound, int kef_rc,
(data)->dd_offset2 = off2; \
}
-static ipsec_status_t
-esp_submit_req_inbound(mblk_t *ipsec_mp, ipsa_t *assoc, uint_t esph_offset)
+/*
+ * Returns data_mp if successfully completed the request. Returns
+ * NULL if it failed (and increments InDiscards) or if it is pending.
+ */
+static mblk_t *
+esp_submit_req_inbound(mblk_t *esp_mp, ip_recv_attr_t *ira,
+ ipsa_t *assoc, uint_t esph_offset)
{
- ipsec_in_t *ii = (ipsec_in_t *)ipsec_mp->b_rptr;
- boolean_t do_auth;
uint_t auth_offset, msg_len, auth_len;
- crypto_call_req_t call_req;
- mblk_t *esp_mp;
+ crypto_call_req_t call_req, *callrp;
+ mblk_t *mp;
esph_t *esph_ptr;
- int kef_rc = CRYPTO_FAILED;
+ int kef_rc;
uint_t icv_len = assoc->ipsa_mac_len;
crypto_ctx_template_t auth_ctx_tmpl;
- boolean_t do_encr;
+ boolean_t do_auth, do_encr, force;
uint_t encr_offset, encr_len;
uint_t iv_len = assoc->ipsa_iv_len;
crypto_ctx_template_t encr_ctx_tmpl;
- netstack_t *ns = ii->ipsec_in_ns;
- ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
- ipsec_stack_t *ipss = ns->netstack_ipsec;
+ ipsec_crypto_t *ic, icstack;
uchar_t *iv_ptr;
-
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
-
- /*
- * In case kEF queues and calls back, keep netstackid_t for
- * verification that the IP instance is still around in
- * esp_kcf_callback().
- */
- ASSERT(ii->ipsec_in_stackid == ns->netstack_stackid);
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+ ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
do_auth = assoc->ipsa_auth_alg != SADB_AALG_NONE;
do_encr = assoc->ipsa_encr_alg != SADB_EALG_NULL;
+ force = (assoc->ipsa_flags & IPSA_F_ASYNC);
+
+#ifdef IPSEC_LATENCY_TEST
+ kef_rc = CRYPTO_SUCCESS;
+#else
+ kef_rc = CRYPTO_FAILED;
+#endif
/*
* An inbound packet is of the form:
- * IPSEC_IN -> [IP,options,ESP,IV,data,ICV,pad]
+ * [IP,options,ESP,IV,data,ICV,pad]
*/
- esp_mp = ipsec_mp->b_cont;
esph_ptr = (esph_t *)(esp_mp->b_rptr + esph_offset);
iv_ptr = (uchar_t *)(esph_ptr + 1);
/* Packet length starting at IP header ending after ESP ICV. */
@@ -2178,8 +2109,6 @@ esp_submit_req_inbound(mblk_t *ipsec_mp, ipsa_t *assoc, uint_t esph_offset)
encr_offset = esph_offset + sizeof (esph_t) + iv_len;
encr_len = msg_len - encr_offset;
- ESP_INIT_CALLREQ(&call_req);
-
/*
* Counter mode algs need a nonce. This is setup in sadb_common_add().
* If for some reason we are using a SA which does not have a nonce
@@ -2187,23 +2116,40 @@ esp_submit_req_inbound(mblk_t *ipsec_mp, ipsa_t *assoc, uint_t esph_offset)
*/
if ((assoc->ipsa_flags & IPSA_F_COUNTERMODE) &&
(assoc->ipsa_nonce == NULL)) {
- ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
+ ip_drop_packet(esp_mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_esp_nomem), &espstack->esp_dropper);
- return (IPSEC_STATUS_FAILED);
+ return (NULL);
}
- if (do_auth) {
- /* force asynchronous processing? */
- if (ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] ==
- IPSEC_ALGS_EXEC_ASYNC)
- call_req.cr_flag |= CRYPTO_ALWAYS_QUEUE;
+ if (force) {
+ /* We are doing asynch; allocate mblks to hold state */
+ if ((mp = ip_recv_attr_to_mblk(ira)) == NULL ||
+ (mp = ipsec_add_crypto_data(mp, &ic)) == NULL) {
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", esp_mp,
+ ira->ira_ill);
+ return (NULL);
+ }
+ linkb(mp, esp_mp);
+ callrp = &call_req;
+ ESP_INIT_CALLREQ(callrp, mp, esp_kcf_callback_inbound);
+ } else {
+ /*
+ * If we know we are going to do sync then ipsec_crypto_t
+ * should be on the stack.
+ */
+ ic = &icstack;
+ bzero(ic, sizeof (*ic));
+ callrp = NULL;
+ }
+ if (do_auth) {
/* authentication context template */
IPSEC_CTX_TMPL(assoc, ipsa_authtmpl, IPSEC_ALG_AUTH,
auth_ctx_tmpl);
/* ICV to be verified */
- ESP_INIT_CRYPTO_MAC(&ii->ipsec_in_crypto_mac,
+ ESP_INIT_CRYPTO_MAC(&ic->ic_crypto_mac,
icv_len, esp_mp->b_wptr - icv_len);
/* authentication starts at the ESP header */
@@ -2212,79 +2158,90 @@ esp_submit_req_inbound(mblk_t *ipsec_mp, ipsa_t *assoc, uint_t esph_offset)
if (!do_encr) {
/* authentication only */
/* initialize input data argument */
- ESP_INIT_CRYPTO_DATA(&ii->ipsec_in_crypto_data,
+ ESP_INIT_CRYPTO_DATA(&ic->ic_crypto_data,
esp_mp, auth_offset, auth_len);
/* call the crypto framework */
kef_rc = crypto_mac_verify(&assoc->ipsa_amech,
- &ii->ipsec_in_crypto_data,
+ &ic->ic_crypto_data,
&assoc->ipsa_kcfauthkey, auth_ctx_tmpl,
- &ii->ipsec_in_crypto_mac, &call_req);
+ &ic->ic_crypto_mac, callrp);
}
}
if (do_encr) {
- /* force asynchronous processing? */
- if (ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] ==
- IPSEC_ALGS_EXEC_ASYNC)
- call_req.cr_flag |= CRYPTO_ALWAYS_QUEUE;
-
/* encryption template */
IPSEC_CTX_TMPL(assoc, ipsa_encrtmpl, IPSEC_ALG_ENCR,
encr_ctx_tmpl);
/* Call the nonce update function. Also passes in IV */
(assoc->ipsa_noncefunc)(assoc, (uchar_t *)esph_ptr, encr_len,
- iv_ptr, &ii->ipsec_in_cmm, &ii->ipsec_in_crypto_data);
+ iv_ptr, &ic->ic_cmm, &ic->ic_crypto_data);
if (!do_auth) {
/* decryption only */
/* initialize input data argument */
- ESP_INIT_CRYPTO_DATA(&ii->ipsec_in_crypto_data,
+ ESP_INIT_CRYPTO_DATA(&ic->ic_crypto_data,
esp_mp, encr_offset, encr_len);
/* call the crypto framework */
kef_rc = crypto_decrypt((crypto_mechanism_t *)
- &ii->ipsec_in_cmm, &ii->ipsec_in_crypto_data,
+ &ic->ic_cmm, &ic->ic_crypto_data,
&assoc->ipsa_kcfencrkey, encr_ctx_tmpl,
- NULL, &call_req);
+ NULL, callrp);
}
}
if (do_auth && do_encr) {
/* dual operation */
/* initialize input data argument */
- ESP_INIT_CRYPTO_DUAL_DATA(&ii->ipsec_in_crypto_dual_data,
+ ESP_INIT_CRYPTO_DUAL_DATA(&ic->ic_crypto_dual_data,
esp_mp, auth_offset, auth_len,
encr_offset, encr_len - icv_len);
/* specify IV */
- ii->ipsec_in_crypto_dual_data.dd_miscdata = (char *)iv_ptr;
+ ic->ic_crypto_dual_data.dd_miscdata = (char *)iv_ptr;
/* call the framework */
kef_rc = crypto_mac_verify_decrypt(&assoc->ipsa_amech,
- &assoc->ipsa_emech, &ii->ipsec_in_crypto_dual_data,
+ &assoc->ipsa_emech, &ic->ic_crypto_dual_data,
&assoc->ipsa_kcfauthkey, &assoc->ipsa_kcfencrkey,
- auth_ctx_tmpl, encr_ctx_tmpl, &ii->ipsec_in_crypto_mac,
- NULL, &call_req);
+ auth_ctx_tmpl, encr_ctx_tmpl, &ic->ic_crypto_mac,
+ NULL, callrp);
}
switch (kef_rc) {
case CRYPTO_SUCCESS:
ESP_BUMP_STAT(espstack, crypto_sync);
- return (esp_in_done(ipsec_mp));
+ esp_mp = esp_in_done(esp_mp, ira, ic);
+ if (force) {
+ /* Free mp after we are done with ic */
+ mp = ipsec_free_crypto_data(mp);
+ (void) ip_recv_attr_free_mblk(mp);
+ }
+ return (esp_mp);
case CRYPTO_QUEUED:
- /* esp_kcf_callback() will be invoked on completion */
+ /* esp_kcf_callback_inbound() will be invoked on completion */
ESP_BUMP_STAT(espstack, crypto_async);
- return (IPSEC_STATUS_PENDING);
+ return (NULL);
case CRYPTO_INVALID_MAC:
+ if (force) {
+ mp = ipsec_free_crypto_data(mp);
+ esp_mp = ip_recv_attr_free_mblk(mp);
+ }
ESP_BUMP_STAT(espstack, crypto_sync);
- esp_log_bad_auth(ipsec_mp);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ esp_log_bad_auth(esp_mp, ira);
+ /* esp_mp was passed to ip_drop_packet */
+ return (NULL);
}
- esp_crypto_failed(ipsec_mp, B_TRUE, kef_rc, espstack);
- return (IPSEC_STATUS_FAILED);
+ mp = ipsec_free_crypto_data(mp);
+ esp_mp = ip_recv_attr_free_mblk(mp);
+ BUMP_MIB(ira->ira_ill->ill_ip_mib, ipIfStatsInDiscards);
+ esp_crypto_failed(esp_mp, B_TRUE, kef_rc, ira->ira_ill, espstack);
+ /* esp_mp was passed to ip_drop_packet */
+ return (NULL);
}
/*
@@ -2293,6 +2250,9 @@ esp_submit_req_inbound(mblk_t *ipsec_mp, ipsa_t *assoc, uint_t esph_offset)
* uses mblk-insertion to insert the UDP header.
* TODO - If there is an easy way to prep a packet for HW checksums, make
* it happen here.
+ * Note that this is used before both before calling ip_output_simple and
+ * in the esp datapath. The former could use IXAF_SET_ULP_CKSUM but not the
+ * latter.
*/
static void
esp_prepare_udp(netstack_t *ns, mblk_t *mp, ipha_t *ipha)
@@ -2313,7 +2273,7 @@ esp_prepare_udp(netstack_t *ns, mblk_t *mp, ipha_t *ipha)
/* arr points to the IP header. */
arr = (uint16_t *)ipha;
IP_STAT(ns->netstack_ip, ip_out_sw_cksum);
- IP_STAT_UPDATE(ns->netstack_ip, ip_udp_out_sw_cksum_bytes,
+ IP_STAT_UPDATE(ns->netstack_ip, ip_out_sw_cksum_bytes,
ntohs(htons(ipha->ipha_length) - hlen));
/* arr[6-9] are the IP addresses. */
cksum = IP_UDP_CSUM_COMP + arr[6] + arr[7] + arr[8] + arr[9] +
@@ -2336,41 +2296,45 @@ esp_prepare_udp(netstack_t *ns, mblk_t *mp, ipha_t *ipha)
static void
actually_send_keepalive(void *arg)
{
- mblk_t *ipsec_mp = (mblk_t *)arg;
- ipsec_out_t *io = (ipsec_out_t *)ipsec_mp->b_rptr;
- ipha_t *ipha;
- netstack_t *ns;
-
- ASSERT(DB_TYPE(ipsec_mp) == M_CTL);
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- ASSERT(ipsec_mp->b_cont != NULL);
- ASSERT(DB_TYPE(ipsec_mp->b_cont) == M_DATA);
-
- ns = netstack_find_by_stackid(io->ipsec_out_stackid);
- if (ns == NULL || ns != io->ipsec_out_ns) {
- /* Just freemsg(). */
- if (ns != NULL)
- netstack_rele(ns);
- freemsg(ipsec_mp);
+ mblk_t *mp = (mblk_t *)arg;
+ ip_xmit_attr_t ixas;
+ netstack_t *ns;
+ netstackid_t stackid;
+
+ stackid = (netstackid_t)(uintptr_t)mp->b_prev;
+ mp->b_prev = NULL;
+ ns = netstack_find_by_stackid(stackid);
+ if (ns == NULL) {
+ /* Disappeared */
+ ip_drop_output("ipIfStatsOutDiscards", mp, NULL);
+ freemsg(mp);
return;
}
- ipha = (ipha_t *)ipsec_mp->b_cont->b_rptr;
- ip_wput_ipsec_out(NULL, ipsec_mp, ipha, NULL, NULL);
+ bzero(&ixas, sizeof (ixas));
+ ixas.ixa_zoneid = ALL_ZONES;
+ ixas.ixa_cred = kcred;
+ ixas.ixa_cpid = NOPID;
+ ixas.ixa_tsl = NULL;
+ ixas.ixa_ipst = ns->netstack_ip;
+ /* No ULP checksum; done by esp_prepare_udp */
+ ixas.ixa_flags = IXAF_IS_IPV4 | IXAF_NO_IPSEC;
+
+ (void) ip_output_simple(mp, &ixas);
+ ixa_cleanup(&ixas);
netstack_rele(ns);
}
/*
- * Send a one-byte UDP NAT-T keepalive. Construct an IPSEC_OUT too that'll
- * get fed into esp_send_udp/ip_wput_ipsec_out.
+ * Send a one-byte UDP NAT-T keepalive.
*/
void
ipsecesp_send_keepalive(ipsa_t *assoc)
{
- mblk_t *mp = NULL, *ipsec_mp = NULL;
- ipha_t *ipha;
- udpha_t *udpha;
- ipsec_out_t *io;
+ mblk_t *mp;
+ ipha_t *ipha;
+ udpha_t *udpha;
+ netstack_t *ns = assoc->ipsa_netstack;
ASSERT(MUTEX_NOT_HELD(&assoc->ipsa_lock));
@@ -2399,85 +2363,78 @@ ipsecesp_send_keepalive(ipsa_t *assoc)
mp->b_wptr = (uint8_t *)(udpha + 1);
*(mp->b_wptr++) = 0xFF;
- ipsec_mp = ipsec_alloc_ipsec_out(assoc->ipsa_netstack);
- if (ipsec_mp == NULL) {
- freeb(mp);
- return;
- }
- ipsec_mp->b_cont = mp;
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
- io->ipsec_out_zoneid =
- netstackid_to_zoneid(assoc->ipsa_netstack->netstack_stackid);
- io->ipsec_out_stackid = assoc->ipsa_netstack->netstack_stackid;
+ esp_prepare_udp(ns, mp, ipha);
- esp_prepare_udp(assoc->ipsa_netstack, mp, ipha);
/*
* We're holding an isaf_t bucket lock, so pawn off the actual
* packet transmission to another thread. Just in case syncq
* processing causes a same-bucket packet to be processed.
*/
- if (taskq_dispatch(esp_taskq, actually_send_keepalive, ipsec_mp,
+ mp->b_prev = (mblk_t *)(uintptr_t)ns->netstack_stackid;
+
+ if (taskq_dispatch(esp_taskq, actually_send_keepalive, mp,
TQ_NOSLEEP) == 0) {
/* Assume no memory if taskq_dispatch() fails. */
- ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
- DROPPER(assoc->ipsa_netstack->netstack_ipsec,
- ipds_esp_nomem),
- &assoc->ipsa_netstack->netstack_ipsecesp->esp_dropper);
+ mp->b_prev = NULL;
+ ip_drop_packet(mp, B_FALSE, NULL,
+ DROPPER(ns->netstack_ipsec, ipds_esp_nomem),
+ &ns->netstack_ipsecesp->esp_dropper);
}
}
-static ipsec_status_t
-esp_submit_req_outbound(mblk_t *ipsec_mp, ipsa_t *assoc, uchar_t *icv_buf,
- uint_t payload_len)
+/*
+ * Returns mp if successfully completed the request. Returns
+ * NULL if it failed (and increments InDiscards) or if it is pending.
+ */
+static mblk_t *
+esp_submit_req_outbound(mblk_t *data_mp, ip_xmit_attr_t *ixa, ipsa_t *assoc,
+ uchar_t *icv_buf, uint_t payload_len)
{
- ipsec_out_t *io = (ipsec_out_t *)ipsec_mp->b_rptr;
uint_t auth_len;
- crypto_call_req_t call_req;
- mblk_t *esp_mp, *data_mp, *ip_mp;
+ crypto_call_req_t call_req, *callrp;
+ mblk_t *esp_mp;
esph_t *esph_ptr;
+ mblk_t *mp;
int kef_rc = CRYPTO_FAILED;
uint_t icv_len = assoc->ipsa_mac_len;
crypto_ctx_template_t auth_ctx_tmpl;
- boolean_t do_auth;
- boolean_t do_encr;
+ boolean_t do_auth, do_encr, force;
uint_t iv_len = assoc->ipsa_iv_len;
crypto_ctx_template_t encr_ctx_tmpl;
boolean_t is_natt = ((assoc->ipsa_flags & IPSA_F_NATT) != 0);
size_t esph_offset = (is_natt ? UDPH_SIZE : 0);
- netstack_t *ns = io->ipsec_out_ns;
+ netstack_t *ns = ixa->ixa_ipst->ips_netstack;
ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
+ ipsec_crypto_t *ic, icstack;
+ uchar_t *iv_ptr;
+ crypto_data_t *cd_ptr = NULL;
+ ill_t *ill = ixa->ixa_nce->nce_ill;
ipsec_stack_t *ipss = ns->netstack_ipsec;
- uchar_t *iv_ptr;
- crypto_data_t *cd_ptr = NULL;
esp3dbg(espstack, ("esp_submit_req_outbound:%s",
is_natt ? "natt" : "not natt"));
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
-
- /*
- * In case kEF queues and calls back, keep netstackid_t for
- * verification that the IP instance is still around in
- * esp_kcf_callback().
- */
- io->ipsec_out_stackid = ns->netstack_stackid;
-
do_encr = assoc->ipsa_encr_alg != SADB_EALG_NULL;
do_auth = assoc->ipsa_auth_alg != SADB_AALG_NONE;
+ force = (assoc->ipsa_flags & IPSA_F_ASYNC);
+
+#ifdef IPSEC_LATENCY_TEST
+ kef_rc = CRYPTO_SUCCESS;
+#else
+ kef_rc = CRYPTO_FAILED;
+#endif
/*
* Outbound IPsec packets are of the form:
- * IPSEC_OUT -> [IP,options] -> [ESP,IV] -> [data] -> [pad,ICV]
+ * [IP,options] -> [ESP,IV] -> [data] -> [pad,ICV]
* unless it's NATT, then it's
- * IPSEC_OUT -> [IP,options] -> [udp][ESP,IV] -> [data] -> [pad,ICV]
+ * [IP,options] -> [udp][ESP,IV] -> [data] -> [pad,ICV]
* Get a pointer to the mblk containing the ESP header.
*/
- ip_mp = ipsec_mp->b_cont;
- esp_mp = ipsec_mp->b_cont->b_cont;
- ASSERT(ip_mp != NULL && esp_mp != NULL);
+ ASSERT(data_mp->b_cont != NULL);
+ esp_mp = data_mp->b_cont;
esph_ptr = (esph_t *)(esp_mp->b_rptr + esph_offset);
iv_ptr = (uchar_t *)(esph_ptr + 1);
- data_mp = ipsec_mp->b_cont->b_cont->b_cont;
/*
* Combined mode algs need a nonce. This is setup in sadb_common_add().
@@ -2486,25 +2443,42 @@ esp_submit_req_outbound(mblk_t *ipsec_mp, ipsa_t *assoc, uchar_t *icv_buf,
*/
if ((assoc->ipsa_flags & IPSA_F_COUNTERMODE) &&
(assoc->ipsa_nonce == NULL)) {
- ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
+ ip_drop_packet(data_mp, B_FALSE, NULL,
DROPPER(ipss, ipds_esp_nomem), &espstack->esp_dropper);
- return (IPSEC_STATUS_FAILED);
+ return (NULL);
}
- ESP_INIT_CALLREQ(&call_req);
+ if (force) {
+ /* We are doing asynch; allocate mblks to hold state */
+ if ((mp = ip_xmit_attr_to_mblk(ixa)) == NULL ||
+ (mp = ipsec_add_crypto_data(mp, &ic)) == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("ipIfStatsOutDiscards", data_mp, ill);
+ freemsg(data_mp);
+ return (NULL);
+ }
+
+ linkb(mp, data_mp);
+ callrp = &call_req;
+ ESP_INIT_CALLREQ(callrp, mp, esp_kcf_callback_outbound);
+ } else {
+ /*
+ * If we know we are going to do sync then ipsec_crypto_t
+ * should be on the stack.
+ */
+ ic = &icstack;
+ bzero(ic, sizeof (*ic));
+ callrp = NULL;
+ }
- if (do_auth) {
- /* force asynchronous processing? */
- if (ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] ==
- IPSEC_ALGS_EXEC_ASYNC)
- call_req.cr_flag |= CRYPTO_ALWAYS_QUEUE;
+ if (do_auth) {
/* authentication context template */
IPSEC_CTX_TMPL(assoc, ipsa_authtmpl, IPSEC_ALG_AUTH,
auth_ctx_tmpl);
/* where to store the computed mac */
- ESP_INIT_CRYPTO_MAC(&io->ipsec_out_crypto_mac,
+ ESP_INIT_CRYPTO_MAC(&ic->ic_crypto_mac,
icv_len, icv_buf);
/* authentication starts at the ESP header */
@@ -2512,35 +2486,30 @@ esp_submit_req_outbound(mblk_t *ipsec_mp, ipsa_t *assoc, uchar_t *icv_buf,
if (!do_encr) {
/* authentication only */
/* initialize input data argument */
- ESP_INIT_CRYPTO_DATA(&io->ipsec_out_crypto_data,
+ ESP_INIT_CRYPTO_DATA(&ic->ic_crypto_data,
esp_mp, esph_offset, auth_len);
/* call the crypto framework */
kef_rc = crypto_mac(&assoc->ipsa_amech,
- &io->ipsec_out_crypto_data,
+ &ic->ic_crypto_data,
&assoc->ipsa_kcfauthkey, auth_ctx_tmpl,
- &io->ipsec_out_crypto_mac, &call_req);
+ &ic->ic_crypto_mac, callrp);
}
}
if (do_encr) {
- /* force asynchronous processing? */
- if (ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] ==
- IPSEC_ALGS_EXEC_ASYNC)
- call_req.cr_flag |= CRYPTO_ALWAYS_QUEUE;
-
/* encryption context template */
IPSEC_CTX_TMPL(assoc, ipsa_encrtmpl, IPSEC_ALG_ENCR,
encr_ctx_tmpl);
/* Call the nonce update function. */
(assoc->ipsa_noncefunc)(assoc, (uchar_t *)esph_ptr, payload_len,
- iv_ptr, &io->ipsec_out_cmm, &io->ipsec_out_crypto_data);
+ iv_ptr, &ic->ic_cmm, &ic->ic_crypto_data);
if (!do_auth) {
/* encryption only, skip mblk that contains ESP hdr */
/* initialize input data argument */
- ESP_INIT_CRYPTO_DATA(&io->ipsec_out_crypto_data,
- data_mp, 0, payload_len);
+ ESP_INIT_CRYPTO_DATA(&ic->ic_crypto_data,
+ esp_mp->b_cont, 0, payload_len);
/*
* For combined mode ciphers, the ciphertext is the same
@@ -2556,20 +2525,19 @@ esp_submit_req_outbound(mblk_t *ipsec_mp, ipsa_t *assoc, uchar_t *icv_buf,
* for the cipher to use.
*/
if (assoc->ipsa_flags & IPSA_F_COMBINED) {
- bcopy(&io->ipsec_out_crypto_data,
- &io->ipsec_out_crypto_mac,
+ bcopy(&ic->ic_crypto_data,
+ &ic->ic_crypto_mac,
sizeof (crypto_data_t));
- io->ipsec_out_crypto_mac.cd_length =
+ ic->ic_crypto_mac.cd_length =
payload_len + icv_len;
- cd_ptr = &io->ipsec_out_crypto_mac;
+ cd_ptr = &ic->ic_crypto_mac;
}
/* call the crypto framework */
kef_rc = crypto_encrypt((crypto_mechanism_t *)
- &io->ipsec_out_cmm,
- &io->ipsec_out_crypto_data,
+ &ic->ic_cmm, &ic->ic_crypto_data,
&assoc->ipsa_kcfencrkey, encr_ctx_tmpl,
- cd_ptr, &call_req);
+ cd_ptr, callrp);
}
}
@@ -2584,49 +2552,58 @@ esp_submit_req_outbound(mblk_t *ipsec_mp, ipsa_t *assoc, uchar_t *icv_buf,
* the authentication at the ESP header, i.e. use an
* authentication offset of zero.
*/
- ESP_INIT_CRYPTO_DUAL_DATA(&io->ipsec_out_crypto_dual_data,
+ ESP_INIT_CRYPTO_DUAL_DATA(&ic->ic_crypto_dual_data,
esp_mp, MBLKL(esp_mp), payload_len, esph_offset, auth_len);
/* specify IV */
- io->ipsec_out_crypto_dual_data.dd_miscdata = (char *)iv_ptr;
+ ic->ic_crypto_dual_data.dd_miscdata = (char *)iv_ptr;
/* call the framework */
kef_rc = crypto_encrypt_mac(&assoc->ipsa_emech,
&assoc->ipsa_amech, NULL,
&assoc->ipsa_kcfencrkey, &assoc->ipsa_kcfauthkey,
encr_ctx_tmpl, auth_ctx_tmpl,
- &io->ipsec_out_crypto_dual_data,
- &io->ipsec_out_crypto_mac, &call_req);
+ &ic->ic_crypto_dual_data,
+ &ic->ic_crypto_mac, callrp);
}
switch (kef_rc) {
case CRYPTO_SUCCESS:
ESP_BUMP_STAT(espstack, crypto_sync);
esp_set_usetime(assoc, B_FALSE);
+ if (force) {
+ mp = ipsec_free_crypto_data(mp);
+ data_mp = ip_xmit_attr_free_mblk(mp);
+ }
if (is_natt)
- esp_prepare_udp(ns, ipsec_mp->b_cont,
- (ipha_t *)ipsec_mp->b_cont->b_rptr);
- return (IPSEC_STATUS_SUCCESS);
+ esp_prepare_udp(ns, data_mp, (ipha_t *)data_mp->b_rptr);
+ return (data_mp);
case CRYPTO_QUEUED:
- /* esp_kcf_callback() will be invoked on completion */
+ /* esp_kcf_callback_outbound() will be invoked on completion */
ESP_BUMP_STAT(espstack, crypto_async);
- return (IPSEC_STATUS_PENDING);
+ return (NULL);
}
- esp_crypto_failed(ipsec_mp, B_FALSE, kef_rc, espstack);
- return (IPSEC_STATUS_FAILED);
+ if (force) {
+ mp = ipsec_free_crypto_data(mp);
+ data_mp = ip_xmit_attr_free_mblk(mp);
+ }
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ esp_crypto_failed(data_mp, B_FALSE, kef_rc, NULL, espstack);
+ /* data_mp was passed to ip_drop_packet */
+ return (NULL);
}
/*
* Handle outbound IPsec processing for IPv4 and IPv6
- * On success returns B_TRUE, on failure returns B_FALSE and frees the
- * mblk chain ipsec_in_mp.
+ *
+ * Returns data_mp if successfully completed the request. Returns
+ * NULL if it failed (and increments InDiscards) or if it is pending.
*/
-static ipsec_status_t
-esp_outbound(mblk_t *mp)
+static mblk_t *
+esp_outbound(mblk_t *data_mp, ip_xmit_attr_t *ixa)
{
- mblk_t *ipsec_out_mp, *data_mp, *espmp, *tailmp;
- ipsec_out_t *io;
+ mblk_t *espmp, *tailmp;
ipha_t *ipha;
ip6_t *ip6h;
esph_t *esph_ptr, *iv_ptr;
@@ -2640,17 +2617,11 @@ esp_outbound(mblk_t *mp)
uchar_t *icv_buf;
udpha_t *udpha;
boolean_t is_natt = B_FALSE;
- netstack_t *ns;
- ipsecesp_stack_t *espstack;
- ipsec_stack_t *ipss;
-
- ipsec_out_mp = mp;
- data_mp = ipsec_out_mp->b_cont;
-
- io = (ipsec_out_t *)ipsec_out_mp->b_rptr;
- ns = io->ipsec_out_ns;
- espstack = ns->netstack_ipsecesp;
- ipss = ns->netstack_ipsec;
+ netstack_t *ns = ixa->ixa_ipst->ips_netstack;
+ ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+ ill_t *ill = ixa->ixa_nce->nce_ill;
+ boolean_t need_refrele = B_FALSE;
ESP_BUMP_STAT(espstack, out_requests);
@@ -2662,65 +2633,73 @@ esp_outbound(mblk_t *mp)
* we might as well make use of msgpullup() and get the mblk into one
* contiguous piece!
*/
- ipsec_out_mp->b_cont = msgpullup(data_mp, -1);
- if (ipsec_out_mp->b_cont == NULL) {
+ tailmp = msgpullup(data_mp, -1);
+ if (tailmp == NULL) {
esp0dbg(("esp_outbound: msgpullup() failed, "
"dropping packet.\n"));
- ipsec_out_mp->b_cont = data_mp;
- /*
- * TODO: Find the outbound IRE for this packet and
- * pass it to ip_drop_packet().
- */
- ip_drop_packet(ipsec_out_mp, B_FALSE, NULL, NULL,
+ ip_drop_packet(data_mp, B_FALSE, ill,
DROPPER(ipss, ipds_esp_nomem),
&espstack->esp_dropper);
- return (IPSEC_STATUS_FAILED);
- } else {
- freemsg(data_mp);
- data_mp = ipsec_out_mp->b_cont;
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ return (NULL);
}
+ freemsg(data_mp);
+ data_mp = tailmp;
- assoc = io->ipsec_out_esp_sa;
+ assoc = ixa->ixa_ipsec_esp_sa;
ASSERT(assoc != NULL);
/*
* Get the outer IP header in shape to escape this system..
*/
- if (is_system_labeled() && (assoc->ipsa_ocred != NULL)) {
- int whack;
-
- mblk_setcred(data_mp, assoc->ipsa_ocred, NOPID);
- if (io->ipsec_out_v4)
- whack = sadb_whack_label(&data_mp, assoc);
- else
- whack = sadb_whack_label_v6(&data_mp, assoc);
- if (whack != 0) {
- ip_drop_packet(ipsec_out_mp, B_FALSE, NULL,
- NULL, DROPPER(ipss, ipds_esp_nomem),
+ if (is_system_labeled() && (assoc->ipsa_otsl != NULL)) {
+ /*
+ * Need to update packet with any CIPSO option and update
+ * ixa_tsl to capture the new label.
+ * We allocate a separate ixa for that purpose.
+ */
+ ixa = ip_xmit_attr_duplicate(ixa);
+ if (ixa == NULL) {
+ ip_drop_packet(data_mp, B_FALSE, ill,
+ DROPPER(ipss, ipds_esp_nomem),
&espstack->esp_dropper);
- return (IPSEC_STATUS_FAILED);
+ return (NULL);
}
- ipsec_out_mp->b_cont = data_mp;
- }
+ need_refrele = B_TRUE;
+ label_hold(assoc->ipsa_otsl);
+ ip_xmit_attr_replace_tsl(ixa, assoc->ipsa_otsl);
+
+ data_mp = sadb_whack_label(data_mp, assoc, ixa,
+ DROPPER(ipss, ipds_esp_nomem), &espstack->esp_dropper);
+ if (data_mp == NULL) {
+ /* Packet dropped by sadb_whack_label */
+ ixa_refrele(ixa);
+ return (NULL);
+ }
+ }
/*
* Reality check....
*/
ipha = (ipha_t *)data_mp->b_rptr; /* So we can call esp_acquire(). */
- if (io->ipsec_out_v4) {
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
+
af = AF_INET;
divpoint = IPH_HDR_LENGTH(ipha);
datalen = ntohs(ipha->ipha_length) - divpoint;
nhp = (uint8_t *)&ipha->ipha_protocol;
} else {
- ip6_pkt_t ipp;
+ ip_pkt_t ipp;
+
+ ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION);
af = AF_INET6;
ip6h = (ip6_t *)ipha;
bzero(&ipp, sizeof (ipp));
- divpoint = ip_find_hdr_v6(data_mp, ip6h, &ipp, NULL);
+ divpoint = ip_find_hdr_v6(data_mp, ip6h, B_FALSE, &ipp, NULL);
if (ipp.ipp_dstopts != NULL &&
ipp.ipp_dstopts->ip6d_nxt != IPPROTO_ROUTING) {
/*
@@ -2795,28 +2774,26 @@ esp_outbound(mblk_t *mp)
*/
if (!esp_age_bytes(assoc, datalen + padlen + iv_len + 2, B_FALSE)) {
- /*
- * TODO: Find the outbound IRE for this packet and
- * pass it to ip_drop_packet().
- */
- ip_drop_packet(mp, B_FALSE, NULL, NULL,
+ ip_drop_packet(data_mp, B_FALSE, ill,
DROPPER(ipss, ipds_esp_bytes_expire),
&espstack->esp_dropper);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ if (need_refrele)
+ ixa_refrele(ixa);
+ return (NULL);
}
espmp = allocb(esplen, BPRI_HI);
if (espmp == NULL) {
ESP_BUMP_STAT(espstack, out_discards);
esp1dbg(espstack, ("esp_outbound: can't allocate espmp.\n"));
- /*
- * TODO: Find the outbound IRE for this packet and
- * pass it to ip_drop_packet().
- */
- ip_drop_packet(mp, B_FALSE, NULL, NULL,
+ ip_drop_packet(data_mp, B_FALSE, ill,
DROPPER(ipss, ipds_esp_nomem),
&espstack->esp_dropper);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ if (need_refrele)
+ ixa_refrele(ixa);
+ return (NULL);
}
espmp->b_wptr += esplen;
esph_ptr = (esph_t *)espmp->b_rptr;
@@ -2853,14 +2830,13 @@ esp_outbound(mblk_t *mp)
ESP_BUMP_STAT(espstack, out_discards);
sadb_replay_delete(assoc);
- /*
- * TODO: Find the outbound IRE for this packet and
- * pass it to ip_drop_packet().
- */
- ip_drop_packet(mp, B_FALSE, NULL, NULL,
+ ip_drop_packet(data_mp, B_FALSE, ill,
DROPPER(ipss, ipds_esp_replay),
&espstack->esp_dropper);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ if (need_refrele)
+ ixa_refrele(ixa);
+ return (NULL);
}
iv_ptr = (esph_ptr + 1);
@@ -2887,9 +2863,11 @@ esp_outbound(mblk_t *mp)
*/
if (!update_iv((uint8_t *)iv_ptr, espstack->esp_pfkey_q, assoc,
espstack)) {
- ip_drop_packet(mp, B_FALSE, NULL, NULL,
+ ip_drop_packet(data_mp, B_FALSE, ill,
DROPPER(ipss, ipds_esp_iv_wrap), &espstack->esp_dropper);
- return (IPSEC_STATUS_FAILED);
+ if (need_refrele)
+ ixa_refrele(ixa);
+ return (NULL);
}
/* Fix the IP header. */
@@ -2898,7 +2876,7 @@ esp_outbound(mblk_t *mp)
protocol = *nhp;
- if (io->ipsec_out_v4) {
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
ipha->ipha_length = htons(ntohs(ipha->ipha_length) + adj);
if (is_natt) {
*nhp = IPPROTO_UDP;
@@ -2922,15 +2900,14 @@ esp_outbound(mblk_t *mp)
if (!esp_insert_esp(data_mp, espmp, divpoint, espstack)) {
ESP_BUMP_STAT(espstack, out_discards);
/* NOTE: esp_insert_esp() only fails if there's no memory. */
- /*
- * TODO: Find the outbound IRE for this packet and
- * pass it to ip_drop_packet().
- */
- ip_drop_packet(mp, B_FALSE, NULL, NULL,
+ ip_drop_packet(data_mp, B_FALSE, ill,
DROPPER(ipss, ipds_esp_nomem),
&espstack->esp_dropper);
freeb(espmp);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ if (need_refrele)
+ ixa_refrele(ixa);
+ return (NULL);
}
/* Append padding (and leave room for ICV). */
@@ -2941,14 +2918,13 @@ esp_outbound(mblk_t *mp)
if (tailmp->b_cont == NULL) {
ESP_BUMP_STAT(espstack, out_discards);
esp0dbg(("esp_outbound: Can't allocate tailmp.\n"));
- /*
- * TODO: Find the outbound IRE for this packet and
- * pass it to ip_drop_packet().
- */
- ip_drop_packet(mp, B_FALSE, NULL, NULL,
+ ip_drop_packet(data_mp, B_FALSE, ill,
DROPPER(ipss, ipds_esp_nomem),
&espstack->esp_dropper);
- return (IPSEC_STATUS_FAILED);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ if (need_refrele)
+ ixa_refrele(ixa);
+ return (NULL);
}
tailmp = tailmp->b_cont;
}
@@ -2968,29 +2944,6 @@ esp_outbound(mblk_t *mp)
esp2dbg(espstack, (dump_msg(data_mp)));
/*
- * The packet is eligible for hardware acceleration if the
- * following conditions are satisfied:
- *
- * 1. the packet will not be fragmented
- * 2. the provider supports the algorithms specified by SA
- * 3. there is no pending control message being exchanged
- * 4. snoop is not attached
- * 5. the destination address is not a multicast address
- *
- * All five of these conditions are checked by IP prior to
- * sending the packet to ESP.
- *
- * But We, and We Alone, can, nay MUST check if the packet
- * is over NATT, and then disqualify it from hardware
- * acceleration.
- */
-
- if (io->ipsec_out_is_capab_ill && !(assoc->ipsa_flags & IPSA_F_NATT)) {
- return (esp_outbound_accelerated(ipsec_out_mp, mac_len));
- }
- ESP_BUMP_STAT(espstack, noaccel);
-
- /*
* Okay. I've set up the pre-encryption ESP. Let's do it!
*/
@@ -3002,32 +2955,23 @@ esp_outbound(mblk_t *mp)
icv_buf = NULL;
}
- return (esp_submit_req_outbound(ipsec_out_mp, assoc, icv_buf,
- datalen + padlen + 2));
+ data_mp = esp_submit_req_outbound(data_mp, ixa, assoc, icv_buf,
+ datalen + padlen + 2);
+ if (need_refrele)
+ ixa_refrele(ixa);
+ return (data_mp);
}
/*
* IP calls this to validate the ICMP errors that
* we got from the network.
*/
-ipsec_status_t
-ipsecesp_icmp_error(mblk_t *ipsec_mp)
+mblk_t *
+ipsecesp_icmp_error(mblk_t *data_mp, ip_recv_attr_t *ira)
{
- ipsec_in_t *ii = (ipsec_in_t *)ipsec_mp->b_rptr;
- boolean_t is_inbound = (ii->ipsec_in_type == IPSEC_IN);
- netstack_t *ns;
- ipsecesp_stack_t *espstack;
- ipsec_stack_t *ipss;
-
- if (is_inbound) {
- ns = ii->ipsec_in_ns;
- } else {
- ipsec_out_t *io = (ipsec_out_t *)ipsec_mp->b_rptr;
-
- ns = io->ipsec_out_ns;
- }
- espstack = ns->netstack_ipsecesp;
- ipss = ns->netstack_ipsec;
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
+ ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
/*
* Unless we get an entire packet back, this function is useless.
@@ -3044,55 +2988,10 @@ ipsecesp_icmp_error(mblk_t *ipsec_mp)
* very small, we discard here.
*/
IP_ESP_BUMP_STAT(ipss, in_discards);
- ip_drop_packet(ipsec_mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(data_mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_esp_icmp),
&espstack->esp_dropper);
- return (IPSEC_STATUS_FAILED);
-}
-
-/*
- * ESP module read put routine.
- */
-/* ARGSUSED */
-static void
-ipsecesp_rput(queue_t *q, mblk_t *mp)
-{
- ipsecesp_stack_t *espstack = (ipsecesp_stack_t *)q->q_ptr;
-
- ASSERT(mp->b_datap->db_type != M_CTL); /* No more IRE_DB_REQ. */
-
- switch (mp->b_datap->db_type) {
- case M_PROTO:
- case M_PCPROTO:
- /* TPI message of some sort. */
- switch (*((t_scalar_t *)mp->b_rptr)) {
- case T_BIND_ACK:
- esp3dbg(espstack,
- ("Thank you IP from ESP for T_BIND_ACK\n"));
- break;
- case T_ERROR_ACK:
- cmn_err(CE_WARN,
- "ipsecesp: ESP received T_ERROR_ACK from IP.");
- /*
- * Make esp_sadb.s_ip_q NULL, and in the
- * future, perhaps try again.
- */
- espstack->esp_sadb.s_ip_q = NULL;
- break;
- case T_OK_ACK:
- /* Probably from a (rarely sent) T_UNBIND_REQ. */
- break;
- default:
- esp0dbg(("Unknown M_{,PC}PROTO message.\n"));
- }
- freemsg(mp);
- break;
- default:
- /* For now, passthru message. */
- esp2dbg(espstack, ("ESP got unknown mblk type %d.\n",
- mp->b_datap->db_type));
- putnext(q, mp);
- }
+ return (NULL);
}
/*
@@ -3102,7 +3001,7 @@ ipsecesp_rput(queue_t *q, mblk_t *mp)
*/
static boolean_t
esp_register_out(uint32_t sequence, uint32_t pid, uint_t serial,
- ipsecesp_stack_t *espstack, mblk_t *in_mp)
+ ipsecesp_stack_t *espstack, cred_t *cr)
{
mblk_t *pfkey_msg_mp, *keysock_out_mp;
sadb_msg_t *samsg;
@@ -3121,7 +3020,7 @@ esp_register_out(uint32_t sequence, uint32_t pid, uint_t serial,
sadb_sens_t *sens;
size_t sens_len = 0;
sadb_ext_t *nextext;
- cred_t *sens_cr = NULL;
+ ts_label_t *sens_tsl = NULL;
/* Allocate the KEYSOCK_OUT. */
keysock_out_mp = sadb_keysock_out(serial);
@@ -3130,11 +3029,10 @@ esp_register_out(uint32_t sequence, uint32_t pid, uint_t serial,
return (B_FALSE);
}
- if (is_system_labeled() && (in_mp != NULL)) {
- sens_cr = msg_getcred(in_mp, NULL);
-
- if (sens_cr != NULL) {
- sens_len = sadb_sens_len_from_cred(sens_cr);
+ if (is_system_labeled() && (cr != NULL)) {
+ sens_tsl = crgetlabel(cr);
+ if (sens_tsl != NULL) {
+ sens_len = sadb_sens_len_from_label(sens_tsl);
allocsize += sens_len;
}
}
@@ -3268,10 +3166,10 @@ esp_register_out(uint32_t sequence, uint32_t pid, uint_t serial,
mutex_exit(&ipss->ipsec_alg_lock);
- if (sens_cr != NULL) {
+ if (sens_tsl != NULL) {
sens = (sadb_sens_t *)nextext;
- sadb_sens_from_cred(sens, SADB_EXT_SENSITIVITY,
- sens_cr, sens_len);
+ sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY,
+ sens_tsl, sens_len);
nextext = (sadb_ext_t *)(((uint8_t *)sens) + sens_len);
}
@@ -3336,40 +3234,61 @@ ipsecesp_algs_changed(netstack_t *ns)
/*
* Stub function that taskq_dispatch() invokes to take the mblk (in arg)
- * and put() it into AH and STREAMS again.
+ * and send() it into ESP and IP again.
*/
static void
inbound_task(void *arg)
{
- esph_t *esph;
- mblk_t *mp = (mblk_t *)arg;
- ipsec_in_t *ii = (ipsec_in_t *)mp->b_rptr;
- netstack_t *ns;
- ipsecesp_stack_t *espstack;
- int ipsec_rc;
-
- ns = netstack_find_by_stackid(ii->ipsec_in_stackid);
- if (ns == NULL || ns != ii->ipsec_in_ns) {
- /* Just freemsg(). */
- if (ns != NULL)
- netstack_rele(ns);
+ mblk_t *mp = (mblk_t *)arg;
+ mblk_t *async_mp;
+ ip_recv_attr_t iras;
+
+ async_mp = mp;
+ mp = async_mp->b_cont;
+ async_mp->b_cont = NULL;
+ if (!ip_recv_attr_from_mblk(async_mp, &iras)) {
+ /* The ill or ip_stack_t disappeared on us */
+ ip_drop_input("ip_recv_attr_from_mblk", mp, NULL);
freemsg(mp);
- return;
+ goto done;
}
- espstack = ns->netstack_ipsecesp;
+ esp_inbound_restart(mp, &iras);
+done:
+ ira_cleanup(&iras, B_TRUE);
+}
+
+/*
+ * Restart ESP after the SA has been added.
+ */
+static void
+esp_inbound_restart(mblk_t *mp, ip_recv_attr_t *ira)
+{
+ esph_t *esph;
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
+ ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
esp2dbg(espstack, ("in ESP inbound_task"));
ASSERT(espstack != NULL);
- esph = ipsec_inbound_esp_sa(mp, ns);
- if (esph != NULL) {
- ASSERT(ii->ipsec_in_esp_sa != NULL);
- ipsec_rc = ii->ipsec_in_esp_sa->ipsa_input_func(mp, esph);
- if (ipsec_rc == IPSEC_STATUS_SUCCESS)
- ip_fanout_proto_again(mp, NULL, NULL, NULL);
+ mp = ipsec_inbound_esp_sa(mp, ira, &esph);
+ if (mp == NULL)
+ return;
+
+ ASSERT(esph != NULL);
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
+ ASSERT(ira->ira_ipsec_esp_sa != NULL);
+
+ mp = ira->ira_ipsec_esp_sa->ipsa_input_func(mp, esph, ira);
+ if (mp == NULL) {
+ /*
+ * Either it failed or is pending. In the former case
+ * ipIfStatsInDiscards was increased.
+ */
+ return;
}
- netstack_rele(ns);
+
+ ip_input_post_ipsec(mp, ira);
}
/*
@@ -3533,17 +3452,21 @@ esp_add_sa_finish(mblk_t *mp, sadb_msg_t *samsg, keysock_in_t *ksi,
if (larval != NULL)
lpkt = sadb_clear_lpkt(larval);
- rc = sadb_common_add(espstack->esp_sadb.s_ip_q, espstack->esp_pfkey_q,
+ rc = sadb_common_add(espstack->esp_pfkey_q,
mp, samsg, ksi, primary, secondary, larval, clone, is_inbound,
diagnostic, espstack->ipsecesp_netstack, &espstack->esp_sadb);
- if (rc == 0 && lpkt != NULL)
- rc = !taskq_dispatch(esp_taskq, inbound_task, lpkt, TQ_NOSLEEP);
-
- if (rc != 0) {
- ip_drop_packet(lpkt, B_TRUE, NULL, NULL,
- DROPPER(ipss, ipds_sadb_inlarval_timeout),
- &espstack->esp_dropper);
+ if (lpkt != NULL) {
+ if (rc == 0) {
+ rc = !taskq_dispatch(esp_taskq, inbound_task,
+ lpkt, TQ_NOSLEEP);
+ }
+ if (rc != 0) {
+ lpkt = ip_recv_attr_free_mblk(lpkt);
+ ip_drop_packet(lpkt, B_TRUE, NULL,
+ DROPPER(ipss, ipds_sadb_inlarval_timeout),
+ &espstack->esp_dropper);
+ }
}
/*
@@ -3551,45 +3474,78 @@ esp_add_sa_finish(mblk_t *mp, sadb_msg_t *samsg, keysock_in_t *ksi,
* esp_outbound() calls?
*/
+ /* Handle the packets queued waiting for the SA */
while (acq_msgs != NULL) {
- mblk_t *mp = acq_msgs;
+ mblk_t *asyncmp;
+ mblk_t *data_mp;
+ ip_xmit_attr_t ixas;
+ ill_t *ill;
+ asyncmp = acq_msgs;
acq_msgs = acq_msgs->b_next;
- mp->b_next = NULL;
- if (rc == 0) {
- if (ipsec_outbound_sa(mp, IPPROTO_ESP)) {
- ((ipsec_out_t *)(mp->b_rptr))->
- ipsec_out_esp_done = B_TRUE;
- if (esp_outbound(mp) == IPSEC_STATUS_SUCCESS) {
- ipha_t *ipha;
-
- /* do AH processing if needed */
- if (!esp_do_outbound_ah(mp))
- continue;
-
- ipha = (ipha_t *)mp->b_cont->b_rptr;
-
- /* finish IPsec processing */
- if (IPH_HDR_VERSION(ipha) ==
- IP_VERSION) {
- ip_wput_ipsec_out(NULL, mp,
- ipha, NULL, NULL);
- } else {
- ip6_t *ip6h = (ip6_t *)ipha;
- ip_wput_ipsec_out_v6(NULL,
- mp, ip6h, NULL, NULL);
- }
- }
- continue;
- }
+ asyncmp->b_next = NULL;
+
+ /*
+ * Extract the ip_xmit_attr_t from the first mblk.
+ * Verifies that the netstack and ill is still around; could
+ * have vanished while iked was doing its work.
+ * On succesful return we have a nce_t and the ill/ipst can't
+ * disappear until we do the nce_refrele in ixa_cleanup.
+ */
+ data_mp = asyncmp->b_cont;
+ asyncmp->b_cont = NULL;
+ if (!ip_xmit_attr_from_mblk(asyncmp, &ixas)) {
+ ESP_BUMP_STAT(espstack, out_discards);
+ ip_drop_packet(data_mp, B_FALSE, NULL,
+ DROPPER(ipss, ipds_sadb_acquire_timeout),
+ &espstack->esp_dropper);
+ } else if (rc != 0) {
+ ill = ixas.ixa_nce->nce_ill;
+ ESP_BUMP_STAT(espstack, out_discards);
+ ip_drop_packet(data_mp, B_FALSE, ill,
+ DROPPER(ipss, ipds_sadb_acquire_timeout),
+ &espstack->esp_dropper);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ } else {
+ esp_outbound_finish(data_mp, &ixas);
}
+ ixa_cleanup(&ixas);
+ }
+
+ return (rc);
+}
+
+/*
+ * Process one of the queued messages (from ipsacq_mp) once the SA
+ * has been added.
+ */
+static void
+esp_outbound_finish(mblk_t *data_mp, ip_xmit_attr_t *ixa)
+{
+ netstack_t *ns = ixa->ixa_ipst->ips_netstack;
+ ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+ ill_t *ill = ixa->ixa_nce->nce_ill;
+
+ if (!ipsec_outbound_sa(data_mp, ixa, IPPROTO_ESP)) {
ESP_BUMP_STAT(espstack, out_discards);
- ip_drop_packet(mp, B_FALSE, NULL, NULL,
+ ip_drop_packet(data_mp, B_FALSE, ill,
DROPPER(ipss, ipds_sadb_acquire_timeout),
&espstack->esp_dropper);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
+ return;
}
- return (rc);
+ data_mp = esp_outbound(data_mp, ixa);
+ if (data_mp == NULL)
+ return;
+
+ /* do AH processing if needed */
+ data_mp = esp_do_outbound_ah(data_mp, ixa);
+ if (data_mp == NULL)
+ return;
+
+ (void) ip_output_post_ipsec(data_mp, ixa);
}
/*
@@ -3674,11 +3630,13 @@ esp_add_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic, netstack_t *ns)
return (EINVAL);
}
+#ifndef IPSEC_LATENCY_TEST
if (assoc->sadb_sa_encrypt == SADB_EALG_NULL &&
assoc->sadb_sa_auth == SADB_AALG_NONE) {
*diagnostic = SADB_X_DIAGNOSTIC_BAD_AALG;
return (EINVAL);
}
+#endif
if (assoc->sadb_sa_flags & ~espstack->esp_sadb.s_addflags) {
*diagnostic = SADB_X_DIAGNOSTIC_BAD_SAFLAGS;
@@ -3734,7 +3692,11 @@ esp_add_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic, netstack_t *ns)
/*
* First locate the authentication algorithm.
*/
+#ifdef IPSEC_LATENCY_TEST
+ if (akey != NULL && assoc->sadb_sa_auth != SADB_AALG_NONE) {
+#else
if (akey != NULL) {
+#endif
ipsec_alginfo_t *aalg;
aalg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
@@ -3883,7 +3845,7 @@ esp_del_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic,
return (sadb_purge_sa(mp, ksi,
(sin->sin_family == AF_INET6) ? &espstack->esp_sadb.s_v6 :
&espstack->esp_sadb.s_v4, diagnostic,
- espstack->esp_pfkey_q, espstack->esp_sadb.s_ip_q));
+ espstack->esp_pfkey_q));
}
return (sadb_delget_sa(mp, ksi, &espstack->esp_sadb, diagnostic,
@@ -4024,7 +3986,7 @@ esp_parse_pfkey(mblk_t *mp, ipsecesp_stack_t *espstack)
* Keysock takes care of the PF_KEY bookkeeping for this.
*/
if (esp_register_out(samsg->sadb_msg_seq, samsg->sadb_msg_pid,
- ksi->ks_in_serial, espstack, mp)) {
+ ksi->ks_in_serial, espstack, msg_getcred(mp, NULL))) {
freemsg(mp);
} else {
/*
@@ -4109,8 +4071,7 @@ esp_keysock_no_socket(mblk_t *mp, ipsecesp_stack_t *espstack)
samsg->sadb_msg_errno = kse->ks_err_errno;
samsg->sadb_msg_len = SADB_8TO64(sizeof (*samsg));
/*
- * Use the write-side of the esp_pfkey_q, in case there is
- * no esp_sadb.s_ip_q.
+ * Use the write-side of the esp_pfkey_q
*/
sadb_in_acquire(samsg, &espstack->esp_sadb,
WR(espstack->esp_pfkey_q), espstack->ipsecesp_netstack);
@@ -4197,236 +4158,23 @@ ipsecesp_wput(queue_t *q, mblk_t *mp)
}
/*
- * Process an outbound ESP packet that can be accelerated by a IPsec
- * hardware acceleration capable Provider.
- * The caller already inserted and initialized the ESP header.
- * This function allocates a tagging M_CTL, and adds room at the end
- * of the packet to hold the ICV if authentication is needed.
- *
- * On success returns B_TRUE, on failure returns B_FALSE and frees the
- * mblk chain ipsec_out.
- */
-static ipsec_status_t
-esp_outbound_accelerated(mblk_t *ipsec_out, uint_t icv_len)
-{
- ipsec_out_t *io;
- mblk_t *lastmp;
- netstack_t *ns;
- ipsecesp_stack_t *espstack;
- ipsec_stack_t *ipss;
-
- io = (ipsec_out_t *)ipsec_out->b_rptr;
- ns = io->ipsec_out_ns;
- espstack = ns->netstack_ipsecesp;
- ipss = ns->netstack_ipsec;
-
- ESP_BUMP_STAT(espstack, out_accelerated);
-
- /* mark packet as being accelerated in IPSEC_OUT */
- ASSERT(io->ipsec_out_accelerated == B_FALSE);
- io->ipsec_out_accelerated = B_TRUE;
-
- /*
- * add room at the end of the packet for the ICV if needed
- */
- if (icv_len > 0) {
- /* go to last mblk */
- lastmp = ipsec_out; /* For following while loop. */
- do {
- lastmp = lastmp->b_cont;
- } while (lastmp->b_cont != NULL);
-
- /* if not enough available room, allocate new mblk */
- if ((lastmp->b_wptr + icv_len) > lastmp->b_datap->db_lim) {
- lastmp->b_cont = allocb(icv_len, BPRI_HI);
- if (lastmp->b_cont == NULL) {
- ESP_BUMP_STAT(espstack, out_discards);
- ip_drop_packet(ipsec_out, B_FALSE, NULL, NULL,
- DROPPER(ipss, ipds_esp_nomem),
- &espstack->esp_dropper);
- return (IPSEC_STATUS_FAILED);
- }
- lastmp = lastmp->b_cont;
- }
- lastmp->b_wptr += icv_len;
- }
-
- return (IPSEC_STATUS_SUCCESS);
-}
-
-/*
- * Process an inbound accelerated ESP packet.
- * On success returns B_TRUE, on failure returns B_FALSE and frees the
- * mblk chain ipsec_in.
- */
-static ipsec_status_t
-esp_inbound_accelerated(mblk_t *ipsec_in, mblk_t *data_mp, boolean_t isv4,
- ipsa_t *assoc)
-{
- ipsec_in_t *ii = (ipsec_in_t *)ipsec_in->b_rptr;
- mblk_t *hada_mp;
- uint32_t icv_len = 0;
- da_ipsec_t *hada;
- ipha_t *ipha;
- ip6_t *ip6h;
- kstat_named_t *counter;
- netstack_t *ns = ii->ipsec_in_ns;
- ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
- ipsec_stack_t *ipss = ns->netstack_ipsec;
-
- ESP_BUMP_STAT(espstack, in_accelerated);
-
- hada_mp = ii->ipsec_in_da;
- ASSERT(hada_mp != NULL);
- hada = (da_ipsec_t *)hada_mp->b_rptr;
-
- /*
- * We only support one level of decapsulation in hardware, so
- * nuke the pointer.
- */
- ii->ipsec_in_da = NULL;
- ii->ipsec_in_accelerated = B_FALSE;
-
- if (assoc->ipsa_auth_alg != IPSA_AALG_NONE) {
- /*
- * ESP with authentication. We expect the Provider to have
- * computed the ICV and placed it in the hardware acceleration
- * data attributes.
- *
- * Extract ICV length from attributes M_CTL and sanity check
- * its value. We allow the mblk to be smaller than da_ipsec_t
- * for a small ICV, as long as the entire ICV fits within the
- * mblk.
- *
- * Also ensures that the ICV length computed by Provider
- * corresponds to the ICV length of the agorithm specified by
- * the SA.
- */
- icv_len = hada->da_icv_len;
- if ((icv_len != assoc->ipsa_mac_len) ||
- (icv_len > DA_ICV_MAX_LEN) || (MBLKL(hada_mp) <
- (sizeof (da_ipsec_t) - DA_ICV_MAX_LEN + icv_len))) {
- esp0dbg(("esp_inbound_accelerated: "
- "ICV len (%u) incorrect or mblk too small (%u)\n",
- icv_len, (uint32_t)(MBLKL(hada_mp))));
- counter = DROPPER(ipss, ipds_esp_bad_auth);
- goto esp_in_discard;
- }
- }
-
- /* get pointers to IP header */
- if (isv4) {
- ipha = (ipha_t *)data_mp->b_rptr;
- } else {
- ip6h = (ip6_t *)data_mp->b_rptr;
- }
-
- /*
- * Compare ICV in ESP packet vs ICV computed by adapter.
- * We also remove the ICV from the end of the packet since
- * it will no longer be needed.
- *
- * Assume that esp_inbound() already ensured that the pkt
- * was in one mblk.
- */
- ASSERT(data_mp->b_cont == NULL);
- data_mp->b_wptr -= icv_len;
- /* adjust IP header */
- if (isv4)
- ipha->ipha_length = htons(ntohs(ipha->ipha_length) - icv_len);
- else
- ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) - icv_len);
- if (icv_len && bcmp(hada->da_icv, data_mp->b_wptr, icv_len)) {
- int af;
- void *addr;
-
- if (isv4) {
- addr = &ipha->ipha_dst;
- af = AF_INET;
- } else {
- addr = &ip6h->ip6_dst;
- af = AF_INET6;
- }
-
- /*
- * Log the event. Don't print to the console, block
- * potential denial-of-service attack.
- */
- ESP_BUMP_STAT(espstack, bad_auth);
- ipsec_assocfailure(info.mi_idnum, 0, 0, SL_ERROR | SL_WARN,
- "ESP Authentication failed spi %x, dst_addr %s",
- assoc->ipsa_spi, addr, af, espstack->ipsecesp_netstack);
- counter = DROPPER(ipss, ipds_esp_bad_auth);
- goto esp_in_discard;
- }
-
- esp3dbg(espstack, ("esp_inbound_accelerated: ESP authentication "
- "succeeded, checking replay\n"));
-
- ipsec_in->b_cont = data_mp;
-
- /*
- * Remove ESP header and padding from packet.
- */
- if (!esp_strip_header(data_mp, ii->ipsec_in_v4, assoc->ipsa_iv_len,
- &counter, espstack)) {
- esp1dbg(espstack, ("esp_inbound_accelerated: "
- "esp_strip_header() failed\n"));
- goto esp_in_discard;
- }
-
- freeb(hada_mp);
-
- if (is_system_labeled() && (assoc->ipsa_cred != NULL))
- mblk_setcred(data_mp, assoc->ipsa_cred, NOPID);
-
- /*
- * Account for usage..
- */
- if (!esp_age_bytes(assoc, msgdsize(data_mp), B_TRUE)) {
- /* The ipsa has hit hard expiration, LOG and AUDIT. */
- ESP_BUMP_STAT(espstack, bytes_expired);
- IP_ESP_BUMP_STAT(ipss, in_discards);
- ipsec_assocfailure(info.mi_idnum, 0, 0, SL_ERROR | SL_WARN,
- "ESP association 0x%x, dst %s had bytes expire.\n",
- assoc->ipsa_spi, assoc->ipsa_dstaddr, assoc->ipsa_addrfam,
- espstack->ipsecesp_netstack);
- ip_drop_packet(ipsec_in, B_TRUE, NULL, NULL,
- DROPPER(ipss, ipds_esp_bytes_expire),
- &espstack->esp_dropper);
- return (IPSEC_STATUS_FAILED);
- }
-
- /* done processing the packet */
- return (IPSEC_STATUS_SUCCESS);
-
-esp_in_discard:
- IP_ESP_BUMP_STAT(ipss, in_discards);
- freeb(hada_mp);
-
- ipsec_in->b_cont = data_mp; /* For ip_drop_packet()'s sake... */
- ip_drop_packet(ipsec_in, B_TRUE, NULL, NULL, counter,
- &espstack->esp_dropper);
-
- return (IPSEC_STATUS_FAILED);
-}
-
-/*
* Wrapper to allow IP to trigger an ESP association failure message
* during inbound SA selection.
*/
void
ipsecesp_in_assocfailure(mblk_t *mp, char level, ushort_t sl, char *fmt,
- uint32_t spi, void *addr, int af, ipsecesp_stack_t *espstack)
+ uint32_t spi, void *addr, int af, ip_recv_attr_t *ira)
{
- ipsec_stack_t *ipss = espstack->ipsecesp_netstack->netstack_ipsec;
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
+ ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
if (espstack->ipsecesp_log_unknown_spi) {
ipsec_assocfailure(info.mi_idnum, 0, level, sl, fmt, spi,
addr, af, espstack->ipsecesp_netstack);
}
- ip_drop_packet(mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(mp, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_esp_no_sa),
&espstack->esp_dropper);
}
diff --git a/usr/src/uts/common/inet/ip/keysock.c b/usr/src/uts/common/inet/ip/keysock.c
index ca82eeece0..855af28bb2 100644
--- a/usr/src/uts/common/inet/ip/keysock.c
+++ b/usr/src/uts/common/inet/ip/keysock.c
@@ -852,7 +852,7 @@ keysock_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
int
keysock_opt_set(queue_t *q, uint_t mgmt_flags, int level,
int name, uint_t inlen, uchar_t *invalp, uint_t *outlenp,
- uchar_t *outvalp, void *thisdg_attrs, cred_t *cr, mblk_t *mblk)
+ uchar_t *outvalp, void *thisdg_attrs, cred_t *cr)
{
int *i1 = (int *)invalp, errno = 0;
keysock_t *ks = (keysock_t *)q->q_ptr;
@@ -936,11 +936,9 @@ keysock_wput_other(queue_t *q, mblk_t *mp)
}
if (((union T_primitives *)mp->b_rptr)->type ==
T_SVR4_OPTMGMT_REQ) {
- (void) svr4_optcom_req(q, mp, cr,
- &keysock_opt_obj, B_FALSE);
+ svr4_optcom_req(q, mp, cr, &keysock_opt_obj);
} else {
- (void) tpi_optcom_req(q, mp, cr,
- &keysock_opt_obj, B_FALSE);
+ tpi_optcom_req(q, mp, cr, &keysock_opt_obj);
}
break;
case T_DATA_REQ:
diff --git a/usr/src/uts/common/inet/ip/keysock_opt_data.c b/usr/src/uts/common/inet/ip/keysock_opt_data.c
index d8d9f1d0ad..4dee663d42 100644
--- a/usr/src/uts/common/inet/ip/keysock_opt_data.c
+++ b/usr/src/uts/common/inet/ip/keysock_opt_data.c
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,12 +19,10 @@
* CDDL HEADER END
*/
/*
- * Copyright 1996-1998,2001-2003 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/types.h>
#include <sys/stream.h>
#define _SUN_TPI_VERSION 1
@@ -51,11 +48,11 @@
*/
opdes_t keysock_opt_arr[] = {
- { SO_USELOOPBACK, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+ { SO_USELOOPBACK, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0,
(t_uscalar_t)sizeof (int), 0 },
- { SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+ { SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0,
(t_uscalar_t)sizeof (int), 0 },
- { SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+ { SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0,
(t_uscalar_t)sizeof (int), 0 },
};
@@ -88,7 +85,6 @@ optdb_obj_t keysock_opt_obj = {
NULL, /* KEYSOCK default value function pointer */
keysock_opt_get, /* KEYSOCK get function pointer */
keysock_opt_set, /* KEYSOCK set function pointer */
- B_TRUE, /* KEYSOCK is tpi provider */
KEYSOCK_OPT_ARR_CNT, /* KEYSOCK option database count of entries */
keysock_opt_arr, /* KEYSOCK option database */
KEYSOCK_VALID_LEVELS_CNT, /* KEYSOCK valid level count of entries */
diff --git a/usr/src/uts/common/inet/ip/rts.c b/usr/src/uts/common/inet/ip/rts.c
index ce3ac6faca..d5a1d84395 100644
--- a/usr/src/uts/common/inet/ip/rts.c
+++ b/usr/src/uts/common/inet/ip/rts.c
@@ -72,7 +72,6 @@
* Addresses are assigned to interfaces.
* ICMP redirects are processed and a IRE_HOST/RTF_DYNAMIC is installed.
* No route is found while sending a packet.
- * When TCP requests IP to remove an IRE_CACHE of a troubled destination.
*
* Since all we do is reformat the messages between routing socket and
* ioctl forms, no synchronization is necessary in this module; all
@@ -113,7 +112,8 @@ static rtsparam_t lcl_param_arr[] = {
static void rts_err_ack(queue_t *q, mblk_t *mp, t_scalar_t t_error,
int sys_error);
-static void rts_input(void *, mblk_t *, void *);
+static void rts_input(void *, mblk_t *, void *, ip_recv_attr_t *);
+static void rts_icmp_input(void *, mblk_t *, void *, ip_recv_attr_t *);
static mblk_t *rts_ioctl_alloc(mblk_t *data);
static int rts_param_get(queue_t *q, mblk_t *mp, caddr_t cp, cred_t *cr);
static boolean_t rts_param_register(IDP *ndp, rtsparam_t *rtspa, int cnt);
@@ -211,28 +211,28 @@ rts_common_close(queue_t *q, conn_t *connp)
if (!IPCL_IS_NONSTR(connp)) {
qprocsoff(q);
+ }
- /*
- * Now we are truly single threaded on this stream, and can
- * delete the things hanging off the connp, and finally the
- * connp.
- * We removed this connp from the fanout list, it cannot be
- * accessed thru the fanouts, and we already waited for the
- * conn_ref to drop to 0. We are already in close, so
- * there cannot be any other thread from the top. qprocsoff
- * has completed, and service has completed or won't run in
- * future.
- */
+ /*
+ * Now we are truly single threaded on this stream, and can
+ * delete the things hanging off the connp, and finally the connp.
+ * We removed this connp from the fanout list, it cannot be
+ * accessed thru the fanouts, and we already waited for the
+ * conn_ref to drop to 0. We are already in close, so
+ * there cannot be any other thread from the top. qprocsoff
+ * has completed, and service has completed or won't run in
+ * future.
+ */
+ ASSERT(connp->conn_ref == 1);
+
+ if (!IPCL_IS_NONSTR(connp)) {
inet_minor_free(connp->conn_minor_arena, connp->conn_dev);
} else {
ip_free_helper_stream(connp);
}
- ASSERT(connp->conn_ref == 1);
-
connp->conn_ref--;
ipcl_conn_destroy(connp);
-
return (0);
}
@@ -256,7 +256,6 @@ rts_stream_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
{
conn_t *connp;
dev_t conn_dev;
- rts_stack_t *rtss;
rts_t *rts;
/* If the stream is already open, return immediately. */
@@ -266,7 +265,6 @@ rts_stream_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
if (sflag == MODOPEN)
return (EINVAL);
-
/*
* Since RTS is not used so heavily, allocating from the small
* arena should be sufficient.
@@ -278,44 +276,31 @@ rts_stream_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
connp = rts_open(flag, credp);
ASSERT(connp != NULL);
-
*devp = makedevice(getemajor(*devp), (minor_t)conn_dev);
rts = connp->conn_rts;
-
rw_enter(&rts->rts_rwlock, RW_WRITER);
connp->conn_dev = conn_dev;
connp->conn_minor_arena = ip_minor_arena_sa;
- /*
- * Initialize the rts_t structure for this stream.
- */
q->q_ptr = connp;
WR(q)->q_ptr = connp;
connp->conn_rq = q;
connp->conn_wq = WR(q);
- rtss = rts->rts_rtss;
- q->q_hiwat = rtss->rtss_recv_hiwat;
- WR(q)->q_hiwat = rtss->rtss_xmit_hiwat;
- WR(q)->q_lowat = rtss->rtss_xmit_lowat;
-
-
+ WR(q)->q_hiwat = connp->conn_sndbuf;
+ WR(q)->q_lowat = connp->conn_sndlowat;
mutex_enter(&connp->conn_lock);
connp->conn_state_flags &= ~CONN_INCIPIENT;
mutex_exit(&connp->conn_lock);
-
- qprocson(q);
rw_exit(&rts->rts_rwlock);
- /*
- * Indicate the down IP module that this is a routing socket
- * client by sending an RTS IOCTL without any user data. Although
- * this is just a notification message (without any real routing
- * request), we pass in any credential for correctness sake.
- */
+
+ /* Indicate to IP that this is a routing socket client */
ip_rts_register(connp);
+ qprocson(q);
+
return (0);
}
@@ -352,22 +337,38 @@ rts_open(int flag, cred_t *credp)
*/
netstack_rele(ns);
-
rw_enter(&rts->rts_rwlock, RW_WRITER);
ASSERT(connp->conn_rts == rts);
ASSERT(rts->rts_connp == connp);
+ connp->conn_ixa->ixa_flags |= IXAF_MULTICAST_LOOP | IXAF_SET_ULP_CKSUM;
+ /* conn_allzones can not be set this early, hence no IPCL_ZONEID */
+ connp->conn_ixa->ixa_zoneid = zoneid;
connp->conn_zoneid = zoneid;
connp->conn_flow_cntrld = B_FALSE;
- connp->conn_ulp_labeled = is_system_labeled();
-
rts->rts_rtss = rtss;
- rts->rts_xmit_hiwat = rtss->rtss_xmit_hiwat;
+
+ connp->conn_rcvbuf = rtss->rtss_recv_hiwat;
+ connp->conn_sndbuf = rtss->rtss_xmit_hiwat;
+ connp->conn_sndlowat = rtss->rtss_xmit_lowat;
+ connp->conn_rcvlowat = rts_mod_info.mi_lowat;
+
+ connp->conn_family = PF_ROUTE;
+ connp->conn_so_type = SOCK_RAW;
+ /* SO_PROTOTYPE is always sent down by sockfs setting conn_proto */
connp->conn_recv = rts_input;
+ connp->conn_recvicmp = rts_icmp_input;
+
crhold(credp);
connp->conn_cred = credp;
+ connp->conn_cpid = curproc->p_pid;
+ /* Cache things in ixa without an extra refhold */
+ connp->conn_ixa->ixa_cred = connp->conn_cred;
+ connp->conn_ixa->ixa_cpid = connp->conn_cpid;
+ if (is_system_labeled())
+ connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
/*
* rts sockets start out as bound and connected
@@ -429,7 +430,6 @@ rts_tpi_bind(queue_t *q, mblk_t *mp)
{
conn_t *connp = Q_TO_CONN(q);
rts_t *rts = connp->conn_rts;
- mblk_t *mp1;
struct T_bind_req *tbr;
if ((mp->b_wptr - mp->b_rptr) < sizeof (*tbr)) {
@@ -444,16 +444,6 @@ rts_tpi_bind(queue_t *q, mblk_t *mp)
rts_err_ack(q, mp, TOUTSTATE, 0);
return;
}
- /*
- * Reallocate the message to make sure we have enough room for an
- * address and the protocol type.
- */
- mp1 = reallocb(mp, sizeof (struct T_bind_ack) + sizeof (sin_t), 1);
- if (mp1 == NULL) {
- rts_err_ack(q, mp, TSYSERR, ENOMEM);
- return;
- }
- mp = mp1;
tbr = (struct T_bind_req *)mp->b_rptr;
if (tbr->ADDR_length != 0) {
(void) mi_strlog(q, 1, SL_ERROR|SL_TRACE,
@@ -465,6 +455,7 @@ rts_tpi_bind(queue_t *q, mblk_t *mp)
tbr->ADDR_offset = (t_scalar_t)sizeof (struct T_bind_req);
tbr->ADDR_length = 0;
tbr->PRIM_type = T_BIND_ACK;
+ mp->b_datap->db_type = M_PCPROTO;
rts->rts_state = TS_IDLE;
qreply(q, mp);
}
@@ -545,70 +536,30 @@ static int
rts_opt_get(conn_t *connp, int level, int name, uchar_t *ptr)
{
rts_t *rts = connp->conn_rts;
- int *i1 = (int *)ptr;
+ conn_opt_arg_t coas;
+ int retval;
ASSERT(RW_READ_HELD(&rts->rts_rwlock));
switch (level) {
- case SOL_SOCKET:
- switch (name) {
- case SO_DEBUG:
- *i1 = rts->rts_debug;
- break;
- case SO_REUSEADDR:
- *i1 = rts->rts_reuseaddr;
- break;
- case SO_TYPE:
- *i1 = SOCK_RAW;
- break;
- /*
- * The following three items are available here,
- * but are only meaningful to IP.
- */
- case SO_DONTROUTE:
- *i1 = rts->rts_dontroute;
- break;
- case SO_USELOOPBACK:
- *i1 = rts->rts_useloopback;
- break;
- case SO_BROADCAST:
- *i1 = rts->rts_broadcast;
- break;
- case SO_PROTOTYPE:
- *i1 = rts->rts_proto;
- break;
- /*
- * The following two items can be manipulated,
- * but changing them should do nothing.
- */
- case SO_SNDBUF:
- ASSERT(rts->rts_xmit_hiwat <= INT_MAX);
- *i1 = (int)(rts->rts_xmit_hiwat);
- break;
- case SO_RCVBUF:
- ASSERT(rts->rts_recv_hiwat <= INT_MAX);
- *i1 = (int)(rts->rts_recv_hiwat);
- break;
- case SO_DOMAIN:
- *i1 = PF_ROUTE;
- break;
- default:
- return (-1);
- }
- break;
+ /* do this in conn_opt_get? */
case SOL_ROUTE:
switch (name) {
case RT_AWARE:
mutex_enter(&connp->conn_lock);
- *i1 = connp->conn_rtaware;
+ *(int *)ptr = connp->conn_rtaware;
mutex_exit(&connp->conn_lock);
- break;
+ return (0);
}
break;
- default:
- return (-1);
}
- return ((int)sizeof (int));
+ coas.coa_connp = connp;
+ coas.coa_ixa = connp->conn_ixa;
+ coas.coa_ipp = &connp->conn_xmit_ipp;
+ mutex_enter(&connp->conn_lock);
+ retval = conn_opt_get(&coas, level, name, ptr);
+ mutex_exit(&connp->conn_lock);
+ return (retval);
}
/* ARGSUSED */
@@ -620,6 +571,12 @@ rts_do_opt_set(conn_t *connp, int level, int name, uint_t inlen,
int *i1 = (int *)invalp;
rts_t *rts = connp->conn_rts;
rts_stack_t *rtss = rts->rts_rtss;
+ int error;
+ conn_opt_arg_t coas;
+
+ coas.coa_connp = connp;
+ coas.coa_ixa = connp->conn_ixa;
+ coas.coa_ipp = &connp->conn_xmit_ipp;
ASSERT(RW_WRITE_HELD(&rts->rts_rwlock));
@@ -638,38 +595,6 @@ rts_do_opt_set(conn_t *connp, int level, int name, uint_t inlen,
switch (level) {
case SOL_SOCKET:
switch (name) {
- case SO_REUSEADDR:
- if (!checkonly) {
- rts->rts_reuseaddr = *i1 ? 1 : 0;
- connp->conn_reuseaddr = *i1 ? 1 : 0;
- }
- break; /* goto sizeof (int) option return */
- case SO_DEBUG:
- if (!checkonly)
- rts->rts_debug = *i1 ? 1 : 0;
- break; /* goto sizeof (int) option return */
- /*
- * The following three items are available here,
- * but are only meaningful to IP.
- */
- case SO_DONTROUTE:
- if (!checkonly) {
- rts->rts_dontroute = *i1 ? 1 : 0;
- connp->conn_dontroute = *i1 ? 1 : 0;
- }
- break; /* goto sizeof (int) option return */
- case SO_USELOOPBACK:
- if (!checkonly) {
- rts->rts_useloopback = *i1 ? 1 : 0;
- connp->conn_loopback = *i1 ? 1 : 0;
- }
- break; /* goto sizeof (int) option return */
- case SO_BROADCAST:
- if (!checkonly) {
- rts->rts_broadcast = *i1 ? 1 : 0;
- connp->conn_broadcast = *i1 ? 1 : 0;
- }
- break; /* goto sizeof (int) option return */
case SO_PROTOTYPE:
/*
* Routing socket applications that call socket() with
@@ -678,13 +603,15 @@ rts_do_opt_set(conn_t *connp, int level, int name, uint_t inlen,
* down the SO_PROTOTYPE and rts_queue_input()
* implements the filtering.
*/
- if (*i1 != AF_INET && *i1 != AF_INET6)
+ if (*i1 != AF_INET && *i1 != AF_INET6) {
+ *outlenp = 0;
return (EPROTONOSUPPORT);
- if (!checkonly) {
- rts->rts_proto = *i1;
- connp->conn_proto = *i1;
}
- break; /* goto sizeof (int) option return */
+ if (!checkonly)
+ connp->conn_proto = *i1;
+ *outlenp = inlen;
+ return (0);
+
/*
* The following two items can be manipulated,
* but changing them should do nothing.
@@ -694,36 +621,13 @@ rts_do_opt_set(conn_t *connp, int level, int name, uint_t inlen,
*outlenp = 0;
return (ENOBUFS);
}
- if (!checkonly) {
- rts->rts_xmit_hiwat = *i1;
- if (!IPCL_IS_NONSTR(connp))
- connp->conn_wq->q_hiwat = *i1;
- }
break; /* goto sizeof (int) option return */
case SO_RCVBUF:
if (*i1 > rtss->rtss_max_buf) {
*outlenp = 0;
return (ENOBUFS);
}
- if (!checkonly) {
- rts->rts_recv_hiwat = *i1;
- rw_exit(&rts->rts_rwlock);
- (void) proto_set_rx_hiwat(connp->conn_rq, connp,
- *i1);
- rw_enter(&rts->rts_rwlock, RW_WRITER);
- }
-
break; /* goto sizeof (int) option return */
- case SO_RCVTIMEO:
- case SO_SNDTIMEO:
- /*
- * Pass these two options in order for third part
- * protocol usage. Here just return directly.
- */
- return (0);
- default:
- *outlenp = 0;
- return (EINVAL);
}
break;
case SOL_ROUTE:
@@ -734,15 +638,17 @@ rts_do_opt_set(conn_t *connp, int level, int name, uint_t inlen,
connp->conn_rtaware = *i1;
mutex_exit(&connp->conn_lock);
}
- break; /* goto sizeof (int) option return */
- default:
- *outlenp = 0;
- return (EINVAL);
+ *outlenp = inlen;
+ return (0);
}
break;
- default:
+ }
+ /* Serialized setsockopt since we are D_MTQPAIR */
+ error = conn_opt_set(&coas, level, name, inlen, invalp,
+ checkonly, cr);
+ if (error != 0) {
*outlenp = 0;
- return (EINVAL);
+ return (error);
}
/*
* Common case of return from an option that is sizeof (int)
@@ -832,7 +738,7 @@ rts_tpi_opt_get(queue_t *q, t_scalar_t level, t_scalar_t name, uchar_t *ptr)
int
rts_tpi_opt_set(queue_t *q, uint_t optset_context, int level,
int name, uint_t inlen, uchar_t *invalp, uint_t *outlenp,
- uchar_t *outvalp, void *thisdg_attrs, cred_t *cr, mblk_t *mblk)
+ uchar_t *outvalp, void *thisdg_attrs, cred_t *cr)
{
conn_t *connp = Q_TO_CONN(q);
int error;
@@ -1009,10 +915,6 @@ err_ret:
* consumes the message or passes it downstream; it never queues a
* a message. The data messages that go down are wrapped in an IOCTL
* message.
- *
- * FIXME? Should we call IP rts_request directly? Could punt on returning
- * errno in the case when it defers processing due to
- * IPIF_CHANGING/ILL_CHANGING???
*/
static void
rts_wput(queue_t *q, mblk_t *mp)
@@ -1057,7 +959,7 @@ rts_wput(queue_t *q, mblk_t *mp)
}
return;
}
- ip_output(connp, mp1, q, IP_WPUT);
+ ip_wput_nondata(q, mp1);
}
@@ -1120,11 +1022,9 @@ rts_wput_other(queue_t *q, mblk_t *mp)
}
if (((union T_primitives *)rptr)->type ==
T_SVR4_OPTMGMT_REQ) {
- (void) svr4_optcom_req(q, mp, cr,
- &rts_opt_obj, B_TRUE);
+ svr4_optcom_req(q, mp, cr, &rts_opt_obj);
} else {
- (void) tpi_optcom_req(q, mp, cr,
- &rts_opt_obj, B_TRUE);
+ tpi_optcom_req(q, mp, cr, &rts_opt_obj);
}
return;
case O_T_CONN_RES:
@@ -1168,7 +1068,7 @@ rts_wput_other(queue_t *q, mblk_t *mp)
default:
break;
}
- ip_output(connp, mp, q, IP_WPUT);
+ ip_wput_nondata(q, mp);
}
/*
@@ -1177,7 +1077,6 @@ rts_wput_other(queue_t *q, mblk_t *mp)
static void
rts_wput_iocdata(queue_t *q, mblk_t *mp)
{
- conn_t *connp = Q_TO_CONN(q);
struct sockaddr *rtsaddr;
mblk_t *mp1;
STRUCT_HANDLE(strbuf, sb);
@@ -1188,7 +1087,7 @@ rts_wput_iocdata(queue_t *q, mblk_t *mp)
case TI_GETPEERNAME:
break;
default:
- ip_output(connp, mp, q, IP_WPUT);
+ ip_wput_nondata(q, mp);
return;
}
switch (mi_copy_state(q, mp, &mp1)) {
@@ -1233,9 +1132,12 @@ rts_wput_iocdata(queue_t *q, mblk_t *mp)
mi_copyout(q, mp);
}
+/*
+ * IP passes up a NULL ira.
+ */
/*ARGSUSED2*/
static void
-rts_input(void *arg1, mblk_t *mp, void *arg2)
+rts_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
{
conn_t *connp = (conn_t *)arg1;
rts_t *rts = connp->conn_rts;
@@ -1248,27 +1150,17 @@ rts_input(void *arg1, mblk_t *mp, void *arg2)
case M_IOCACK:
case M_IOCNAK:
iocp = (struct iocblk *)mp->b_rptr;
- if (IPCL_IS_NONSTR(connp)) {
- ASSERT(rts->rts_flag & (RTS_REQ_PENDING));
- mutex_enter(&rts->rts_send_mutex);
- rts->rts_flag &= ~RTS_REQ_INPROG;
+ ASSERT(!IPCL_IS_NONSTR(connp));
+ if (rts->rts_flag & (RTS_WPUT_PENDING)) {
+ rts->rts_flag &= ~RTS_WPUT_PENDING;
rts->rts_error = iocp->ioc_error;
- cv_signal(&rts->rts_io_cv);
- mutex_exit(&rts->rts_send_mutex);
+ /*
+ * Tell rts_wvw/qwait that we are done.
+ * Note: there is no qwait_wakeup() we can use.
+ */
+ qenable(connp->conn_rq);
freemsg(mp);
return;
- } else {
- if (rts->rts_flag & (RTS_WPUT_PENDING)) {
- rts->rts_flag &= ~RTS_WPUT_PENDING;
- rts->rts_error = iocp->ioc_error;
- /*
- * Tell rts_wvw/qwait that we are done.
- * Note: there is no qwait_wakeup() we can use.
- */
- qenable(connp->conn_rq);
- freemsg(mp);
- return;
- }
}
break;
case M_DATA:
@@ -1316,6 +1208,12 @@ rts_input(void *arg1, mblk_t *mp, void *arg2)
}
}
+/*ARGSUSED*/
+static void
+rts_icmp_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
+{
+ freemsg(mp);
+}
void
rts_ddi_g_init(void)
@@ -1427,11 +1325,6 @@ int
rts_getpeername(sock_lower_handle_t proto_handle, struct sockaddr *addr,
socklen_t *addrlen, cred_t *cr)
{
- conn_t *connp = (conn_t *)proto_handle;
- rts_t *rts = connp->conn_rts;
-
- ASSERT(rts != NULL);
-
bzero(addr, sizeof (struct sockaddr));
addr->sa_family = AF_ROUTE;
*addrlen = sizeof (struct sockaddr);
@@ -1444,7 +1337,11 @@ int
rts_getsockname(sock_lower_handle_t proto_handle, struct sockaddr *addr,
socklen_t *addrlen, cred_t *cr)
{
- return (EOPNOTSUPP);
+ bzero(addr, sizeof (struct sockaddr));
+ addr->sa_family = AF_ROUTE;
+ *addrlen = sizeof (struct sockaddr);
+
+ return (0);
}
static int
@@ -1461,7 +1358,6 @@ rts_getsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
error = proto_opt_check(level, option_name, *optlen, &max_optbuf_len,
rts_opt_obj.odb_opt_des_arr,
rts_opt_obj.odb_opt_arr_cnt,
- rts_opt_obj.odb_topmost_tpiprovider,
B_FALSE, B_TRUE, cr);
if (error != 0) {
if (error < 0)
@@ -1473,25 +1369,20 @@ rts_getsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
rw_enter(&rts->rts_rwlock, RW_READER);
len = rts_opt_get(connp, level, option_name, optvalp_buf);
rw_exit(&rts->rts_rwlock);
-
- if (len < 0) {
- /*
- * Pass on to IP
- */
- error = ip_get_options(connp, level, option_name,
- optvalp, optlen, cr);
- } else {
- /*
- * update optlen and copy option value
- */
- t_uscalar_t size = MIN(len, *optlen);
- bcopy(optvalp_buf, optvalp, size);
- bcopy(&size, optlen, sizeof (size));
- error = 0;
+ if (len == -1) {
+ kmem_free(optvalp_buf, max_optbuf_len);
+ return (EINVAL);
}
+ /*
+ * update optlen and copy option value
+ */
+ t_uscalar_t size = MIN(len, *optlen);
+
+ bcopy(optvalp_buf, optvalp, size);
+ bcopy(&size, optlen, sizeof (size));
kmem_free(optvalp_buf, max_optbuf_len);
- return (error);
+ return (0);
}
static int
@@ -1505,7 +1396,6 @@ rts_setsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
error = proto_opt_check(level, option_name, optlen, NULL,
rts_opt_obj.odb_opt_des_arr,
rts_opt_obj.odb_opt_arr_cnt,
- rts_opt_obj.odb_topmost_tpiprovider,
B_TRUE, B_FALSE, cr);
if (error != 0) {
@@ -1530,9 +1420,7 @@ static int
rts_send(sock_lower_handle_t proto_handle, mblk_t *mp,
struct nmsghdr *msg, cred_t *cr)
{
- mblk_t *mp1;
conn_t *connp = (conn_t *)proto_handle;
- rts_t *rts = connp->conn_rts;
rt_msghdr_t *rtm;
int error;
@@ -1546,65 +1434,19 @@ rts_send(sock_lower_handle_t proto_handle, mblk_t *mp,
*/
if ((mp->b_wptr - mp->b_rptr) < sizeof (rt_msghdr_t)) {
if (!pullupmsg(mp, sizeof (rt_msghdr_t))) {
- rts->rts_error = EINVAL;
freemsg(mp);
- return (rts->rts_error);
+ return (EINVAL);
}
}
rtm = (rt_msghdr_t *)mp->b_rptr;
rtm->rtm_pid = curproc->p_pid;
- mp1 = rts_ioctl_alloc(mp);
- if (mp1 == NULL) {
- ASSERT(rts != NULL);
- freemsg(mp);
- return (ENOMEM);
- }
-
/*
- * Allow only one outstanding request(ioctl) at any given time
+ * We are not constrained by the ioctl interface and
+ * ip_rts_request_common processing requests synchronously hence
+ * we can send them down concurrently.
*/
- mutex_enter(&rts->rts_send_mutex);
- while (rts->rts_flag & RTS_REQ_PENDING) {
- int ret;
-
- ret = cv_wait_sig(&rts->rts_send_cv, &rts->rts_send_mutex);
- if (ret <= 0) {
- mutex_exit(&rts->rts_send_mutex);
- freemsg(mp);
- return (EINTR);
- }
- }
-
- rts->rts_flag |= RTS_REQ_PENDING;
-
- rts->rts_flag |= RTS_REQ_INPROG;
-
- mutex_exit(&rts->rts_send_mutex);
-
- CONN_INC_REF(connp);
-
- error = ip_rts_request_common(rts->rts_connp->conn_wq, mp1, connp, cr);
-
- mutex_enter(&rts->rts_send_mutex);
- if (error == EINPROGRESS) {
- ASSERT(rts->rts_flag & RTS_REQ_INPROG);
- if (rts->rts_flag & RTS_REQ_INPROG) {
- /*
- * Once the request has been issued we wait for
- * completion
- */
- cv_wait(&rts->rts_io_cv, &rts->rts_send_mutex);
- error = rts->rts_error;
- }
- }
-
- ASSERT((error != 0) || !(rts->rts_flag & RTS_REQ_INPROG));
- ASSERT(MUTEX_HELD(&rts->rts_send_mutex));
-
- rts->rts_flag &= ~(RTS_REQ_PENDING | RTS_REQ_INPROG);
- cv_signal(&rts->rts_send_cv);
- mutex_exit(&rts->rts_send_mutex);
+ error = ip_rts_request_common(mp, connp, cr);
return (error);
}
@@ -1614,8 +1456,6 @@ rts_create(int family, int type, int proto, sock_downcalls_t **sock_downcalls,
uint_t *smodep, int *errorp, int flags, cred_t *credp)
{
conn_t *connp;
- rts_t *rts;
- rts_stack_t *rtss;
if (family != AF_ROUTE || type != SOCK_RAW ||
(proto != 0 && proto != AF_INET && proto != AF_INET6)) {
@@ -1627,25 +1467,7 @@ rts_create(int family, int type, int proto, sock_downcalls_t **sock_downcalls,
ASSERT(connp != NULL);
connp->conn_flags |= IPCL_NONSTR;
- rts = connp->conn_rts;
- rtss = rts->rts_rtss;
-
- rts->rts_xmit_hiwat = rtss->rtss_xmit_hiwat;
- rts->rts_xmit_lowat = rtss->rtss_xmit_lowat;
- rts->rts_recv_hiwat = rtss->rtss_recv_hiwat;
- rts->rts_recv_lowat = rts_mod_info.mi_lowat;
-
- ASSERT(rtss->rtss_ldi_ident != NULL);
-
- *errorp = ip_create_helper_stream(connp, rtss->rtss_ldi_ident);
- if (*errorp != 0) {
-#ifdef DEBUG
- cmn_err(CE_CONT, "rts_create: create of IP helper stream"
- " failed\n");
-#endif
- (void) rts_close((sock_lower_handle_t)connp, 0, credp);
- return (NULL);
- }
+ connp->conn_proto = proto;
mutex_enter(&connp->conn_lock);
connp->conn_state_flags &= ~CONN_INCIPIENT;
@@ -1663,8 +1485,6 @@ rts_activate(sock_lower_handle_t proto_handle, sock_upper_handle_t sock_handle,
sock_upcalls_t *sock_upcalls, int flags, cred_t *cr)
{
conn_t *connp = (conn_t *)proto_handle;
- rts_t *rts = connp->conn_rts;
- rts_stack_t *rtss = rts->rts_rtss;
struct sock_proto_props sopp;
connp->conn_upcalls = sock_upcalls;
@@ -1673,8 +1493,8 @@ rts_activate(sock_lower_handle_t proto_handle, sock_upper_handle_t sock_handle,
sopp.sopp_flags = SOCKOPT_WROFF | SOCKOPT_RCVHIWAT | SOCKOPT_RCVLOWAT |
SOCKOPT_MAXBLK | SOCKOPT_MAXPSZ | SOCKOPT_MINPSZ;
sopp.sopp_wroff = 0;
- sopp.sopp_rxhiwat = rtss->rtss_recv_hiwat;
- sopp.sopp_rxlowat = rts_mod_info.mi_lowat;
+ sopp.sopp_rxhiwat = connp->conn_rcvbuf;
+ sopp.sopp_rxlowat = connp->conn_rcvlowat;
sopp.sopp_maxblk = INFPSZ;
sopp.sopp_maxpsz = rts_mod_info.mi_maxpsz;
sopp.sopp_minpsz = (rts_mod_info.mi_minpsz == 1) ? 0 :
@@ -1689,12 +1509,7 @@ rts_activate(sock_lower_handle_t proto_handle, sock_upper_handle_t sock_handle,
(*connp->conn_upcalls->su_connected)
(connp->conn_upper_handle, 0, NULL, -1);
- /*
- * Indicate the down IP module that this is a routing socket
- * client by sending an RTS IOCTL without any user data. Although
- * this is just a notification message (without any real routing
- * request), we pass in any credential for correctness sake.
- */
+ /* Indicate to IP that this is a routing socket client */
ip_rts_register(connp);
}
@@ -1743,6 +1558,27 @@ rts_ioctl(sock_lower_handle_t proto_handle, int cmd, intptr_t arg,
conn_t *connp = (conn_t *)proto_handle;
int error;
+ /*
+ * If we don't have a helper stream then create one.
+ * ip_create_helper_stream takes care of locking the conn_t,
+ * so this check for NULL is just a performance optimization.
+ */
+ if (connp->conn_helper_info == NULL) {
+ rts_stack_t *rtss = connp->conn_rts->rts_rtss;
+
+ ASSERT(rtss->rtss_ldi_ident != NULL);
+
+ /*
+ * Create a helper stream for non-STREAMS socket.
+ */
+ error = ip_create_helper_stream(connp, rtss->rtss_ldi_ident);
+ if (error != 0) {
+ ip0dbg(("rts_ioctl: create of IP helper stream "
+ "failed %d\n", error));
+ return (error);
+ }
+ }
+
switch (cmd) {
case ND_SET:
case ND_GET:
diff --git a/usr/src/uts/common/inet/ip/rts_opt_data.c b/usr/src/uts/common/inet/ip/rts_opt_data.c
index 8a96edb668..1dd64a0317 100644
--- a/usr/src/uts/common/inet/ip/rts_opt_data.c
+++ b/usr/src/uts/common/inet/ip/rts_opt_data.c
@@ -40,6 +40,7 @@
#include <inet/optcom.h>
#include <inet/rts_impl.h>
+#include <inet/rts_impl.h>
/*
* Table of all known options handled on a RTS protocol stack.
*
@@ -49,21 +50,21 @@
*/
opdes_t rts_opt_arr[] = {
-{ SO_DEBUG, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_DONTROUTE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_USELOOPBACK, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int),
+{ SO_DEBUG, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_DONTROUTE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_USELOOPBACK, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
0 },
-{ SO_BROADCAST, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_REUSEADDR, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_TYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_SNDTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ SO_BROADCAST, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_REUSEADDR, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_TYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
+{ SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_SNDTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0,
sizeof (struct timeval), 0 },
-{ SO_RCVTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ SO_RCVTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0,
sizeof (struct timeval), 0 },
-{ SO_PROTOTYPE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_DOMAIN, SOL_SOCKET, OA_R, OA_R, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
+{ SO_PROTOTYPE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_DOMAIN, SOL_SOCKET, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
{ RT_AWARE, SOL_ROUTE, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
};
@@ -98,9 +99,8 @@ uint_t rts_max_optsize; /* initialized in _init() */
optdb_obj_t rts_opt_obj = {
rts_opt_default, /* RTS default value function pointer */
- rts_tpi_opt_get, /* RTS get function pointer */
- rts_tpi_opt_set, /* RTS set function pointer */
- B_TRUE, /* RTS is tpi provider */
+ rts_tpi_opt_get, /* RTS get function pointer */
+ rts_tpi_opt_set, /* RTS set function pointer */
RTS_OPT_ARR_CNT, /* RTS option database count of entries */
rts_opt_arr, /* RTS option database */
RTS_VALID_LEVELS_CNT, /* RTS valid level count of entries */
diff --git a/usr/src/uts/common/inet/ip/sadb.c b/usr/src/uts/common/inet/ip/sadb.c
index 784b3b08aa..5ae4f6da8e 100644
--- a/usr/src/uts/common/inet/ip/sadb.c
+++ b/usr/src/uts/common/inet/ip/sadb.c
@@ -59,7 +59,6 @@
#include <inet/ipsecesp.h>
#include <sys/random.h>
#include <sys/dlpi.h>
-#include <sys/iphada.h>
#include <sys/strsun.h>
#include <sys/strsubr.h>
#include <inet/ip_if.h>
@@ -77,15 +76,13 @@
static mblk_t *sadb_extended_acquire(ipsec_selector_t *, ipsec_policy_t *,
ipsec_action_t *, boolean_t, uint32_t, uint32_t, sadb_sens_t *,
netstack_t *);
-static void sadb_ill_df(ill_t *, mblk_t *, isaf_t *, int, boolean_t);
-static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *, boolean_t, mblk_t **);
-static void sadb_drain_torchq(queue_t *, mblk_t *);
+static ipsa_t *sadb_torch_assoc(isaf_t *, ipsa_t *);
static void sadb_destroy_acqlist(iacqf_t **, uint_t, boolean_t,
netstack_t *);
static void sadb_destroy(sadb_t *, netstack_t *);
static mblk_t *sadb_sa2msg(ipsa_t *, sadb_msg_t *);
-static cred_t *sadb_cred_from_sens(sadb_sens_t *, uint64_t *);
-static sadb_sens_t *sadb_make_sens_ext(cred_t *cr, int *len);
+static ts_label_t *sadb_label_from_sens(sadb_sens_t *, uint64_t *);
+static sadb_sens_t *sadb_make_sens_ext(ts_label_t *tsl, int *len);
static time_t sadb_add_time(time_t, uint64_t);
static void lifetime_fuzz(ipsa_t *);
@@ -96,12 +93,6 @@ static void destroy_ipsa_pair(ipsap_t *);
static int update_pairing(ipsap_t *, ipsa_query_t *, keysock_in_t *, int *);
static void ipsa_set_replay(ipsa_t *ipsa, uint32_t offset);
-extern void (*cl_inet_getspi)(netstackid_t stack_id, uint8_t protocol,
- uint8_t *ptr, size_t len, void *args);
-extern int (*cl_inet_checkspi)(netstackid_t stack_id, uint8_t protocol,
- uint32_t spi, void *args);
-extern void (*cl_inet_deletespi)(netstackid_t stack_id, uint8_t protocol,
- uint32_t spi, void *args);
/*
* ipsacq_maxpackets is defined here to make it tunable
* from /etc/system.
@@ -269,6 +260,7 @@ static void
sadb_freeassoc(ipsa_t *ipsa)
{
ipsec_stack_t *ipss = ipsa->ipsa_netstack->netstack_ipsec;
+ mblk_t *asyncmp, *mp;
ASSERT(ipss != NULL);
ASSERT(MUTEX_NOT_HELD(&ipsa->ipsa_lock));
@@ -276,20 +268,24 @@ sadb_freeassoc(ipsa_t *ipsa)
ASSERT(ipsa->ipsa_next == NULL);
ASSERT(ipsa->ipsa_ptpn == NULL);
+
+ asyncmp = sadb_clear_lpkt(ipsa);
+ if (asyncmp != NULL) {
+ mp = ip_recv_attr_free_mblk(asyncmp);
+ ip_drop_packet(mp, B_TRUE, NULL,
+ DROPPER(ipss, ipds_sadb_inlarval_timeout),
+ &ipss->ipsec_sadb_dropper);
+ }
mutex_enter(&ipsa->ipsa_lock);
- /* Don't call sadb_clear_lpkt() since we hold the ipsa_lock anyway. */
- ip_drop_packet(ipsa->ipsa_lpkt, B_TRUE, NULL, NULL,
- DROPPER(ipss, ipds_sadb_inlarval_timeout),
- &ipss->ipsec_sadb_dropper);
- if (ipsa->ipsa_cred != NULL) {
- crfree(ipsa->ipsa_cred);
- ipsa->ipsa_cred = NULL;
+ if (ipsa->ipsa_tsl != NULL) {
+ label_rele(ipsa->ipsa_tsl);
+ ipsa->ipsa_tsl = NULL;
}
- if (ipsa->ipsa_ocred != NULL) {
- crfree(ipsa->ipsa_ocred);
- ipsa->ipsa_ocred = NULL;
+ if (ipsa->ipsa_otsl != NULL) {
+ label_rele(ipsa->ipsa_otsl);
+ ipsa->ipsa_otsl = NULL;
}
ipsec_destroy_ctx_tmpl(ipsa, IPSEC_ALG_AUTH);
@@ -712,336 +708,6 @@ sadb_walker(isaf_t *table, uint_t numentries,
}
/*
- * From the given SA, construct a dl_ct_ipsec_key and
- * a dl_ct_ipsec structures to be sent to the adapter as part
- * of a DL_CONTROL_REQ.
- *
- * ct_sa must point to the storage allocated for the key
- * structure and must be followed by storage allocated
- * for the SA information that must be sent to the driver
- * as part of the DL_CONTROL_REQ request.
- *
- * The is_inbound boolean indicates whether the specified
- * SA is part of an inbound SA table.
- *
- * Returns B_TRUE if the corresponding SA must be passed to
- * a provider, B_FALSE otherwise; frees *mp if it returns B_FALSE.
- */
-static boolean_t
-sadb_req_from_sa(ipsa_t *sa, mblk_t *mp, boolean_t is_inbound)
-{
- dl_ct_ipsec_key_t *keyp;
- dl_ct_ipsec_t *sap;
- void *ct_sa = mp->b_wptr;
-
- ASSERT(MUTEX_HELD(&sa->ipsa_lock));
-
- keyp = (dl_ct_ipsec_key_t *)(ct_sa);
- sap = (dl_ct_ipsec_t *)(keyp + 1);
-
- IPSECHW_DEBUG(IPSECHW_CAPAB, ("sadb_req_from_sa: "
- "is_inbound = %d\n", is_inbound));
-
- /* initialize flag */
- sap->sadb_sa_flags = 0;
- if (is_inbound) {
- sap->sadb_sa_flags |= DL_CT_IPSEC_INBOUND;
- /*
- * If an inbound SA has a peer, then mark it has being
- * an outbound SA as well.
- */
- if (sa->ipsa_haspeer)
- sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND;
- } else {
- /*
- * If an outbound SA has a peer, then don't send it,
- * since we will send the copy from the inbound table.
- */
- if (sa->ipsa_haspeer) {
- freemsg(mp);
- return (B_FALSE);
- }
- sap->sadb_sa_flags |= DL_CT_IPSEC_OUTBOUND;
- }
-
- keyp->dl_key_spi = sa->ipsa_spi;
- bcopy(sa->ipsa_dstaddr, keyp->dl_key_dest_addr,
- DL_CTL_IPSEC_ADDR_LEN);
- keyp->dl_key_addr_family = sa->ipsa_addrfam;
-
- sap->sadb_sa_auth = sa->ipsa_auth_alg;
- sap->sadb_sa_encrypt = sa->ipsa_encr_alg;
-
- sap->sadb_key_len_a = sa->ipsa_authkeylen;
- sap->sadb_key_bits_a = sa->ipsa_authkeybits;
- bcopy(sa->ipsa_authkey,
- sap->sadb_key_data_a, sap->sadb_key_len_a);
-
- sap->sadb_key_len_e = sa->ipsa_encrkeylen;
- sap->sadb_key_bits_e = sa->ipsa_encrkeybits;
- bcopy(sa->ipsa_encrkey,
- sap->sadb_key_data_e, sap->sadb_key_len_e);
-
- mp->b_wptr += sizeof (dl_ct_ipsec_t) + sizeof (dl_ct_ipsec_key_t);
- return (B_TRUE);
-}
-
-/*
- * Called from AH or ESP to format a message which will be used to inform
- * IPsec-acceleration-capable ills of a SADB change.
- * (It is not possible to send the message to IP directly from this function
- * since the SA, if any, is locked during the call).
- *
- * dl_operation: DL_CONTROL_REQ operation (add, delete, update, etc)
- * sa_type: identifies whether the operation applies to AH or ESP
- * (must be one of SADB_SATYPE_AH or SADB_SATYPE_ESP)
- * sa: Pointer to an SA. Must be non-NULL and locked
- * for ADD, DELETE, GET, and UPDATE operations.
- * This function returns an mblk chain that must be passed to IP
- * for forwarding to the IPsec capable providers.
- */
-mblk_t *
-sadb_fmt_sa_req(uint_t dl_operation, uint_t sa_type, ipsa_t *sa,
- boolean_t is_inbound)
-{
- mblk_t *mp;
- dl_control_req_t *ctrl;
- boolean_t need_key = B_FALSE;
- mblk_t *ctl_mp = NULL;
- ipsec_ctl_t *ctl;
-
- /*
- * 1 allocate and initialize DL_CONTROL_REQ M_PROTO
- * 2 if a key is needed for the operation
- * 2.1 initialize key
- * 2.2 if a full SA is needed for the operation
- * 2.2.1 initialize full SA info
- * 3 return message; caller will call ill_ipsec_capab_send_all()
- * to send the resulting message to IPsec capable ills.
- */
-
- ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP);
-
- /*
- * Allocate DL_CONTROL_REQ M_PROTO
- * We allocate room for the SA even if it's not needed
- * by some of the operations (for example flush)
- */
- mp = allocb(sizeof (dl_control_req_t) +
- sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI);
- if (mp == NULL)
- return (NULL);
- mp->b_datap->db_type = M_PROTO;
-
- /* initialize dl_control_req_t */
- ctrl = (dl_control_req_t *)mp->b_wptr;
- ctrl->dl_primitive = DL_CONTROL_REQ;
- ctrl->dl_operation = dl_operation;
- ctrl->dl_type = sa_type == SADB_SATYPE_AH ? DL_CT_IPSEC_AH :
- DL_CT_IPSEC_ESP;
- ctrl->dl_key_offset = sizeof (dl_control_req_t);
- ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t);
- ctrl->dl_data_offset = sizeof (dl_control_req_t) +
- sizeof (dl_ct_ipsec_key_t);
- ctrl->dl_data_length = sizeof (dl_ct_ipsec_t);
- mp->b_wptr += sizeof (dl_control_req_t);
-
- if ((dl_operation == DL_CO_SET) || (dl_operation == DL_CO_DELETE)) {
- ASSERT(sa != NULL);
- ASSERT(MUTEX_HELD(&sa->ipsa_lock));
-
- need_key = B_TRUE;
-
- /*
- * Initialize key and SA data. Note that for some
- * operations the SA data is ignored by the provider
- * (delete, etc.)
- */
- if (!sadb_req_from_sa(sa, mp, is_inbound))
- return (NULL);
- }
-
- /* construct control message */
- ctl_mp = allocb(sizeof (ipsec_ctl_t), BPRI_HI);
- if (ctl_mp == NULL) {
- cmn_err(CE_WARN, "sadb_fmt_sa_req: allocb failed\n");
- freemsg(mp);
- return (NULL);
- }
-
- ctl_mp->b_datap->db_type = M_CTL;
- ctl_mp->b_wptr += sizeof (ipsec_ctl_t);
- ctl_mp->b_cont = mp;
-
- ctl = (ipsec_ctl_t *)ctl_mp->b_rptr;
- ctl->ipsec_ctl_type = IPSEC_CTL;
- ctl->ipsec_ctl_len = sizeof (ipsec_ctl_t);
- ctl->ipsec_ctl_sa_type = sa_type;
-
- if (need_key) {
- /*
- * Keep an additional reference on SA, since it will be
- * needed by IP to send control messages corresponding
- * to that SA from its perimeter. IP will do a
- * IPSA_REFRELE when done with the request.
- */
- ASSERT(MUTEX_HELD(&sa->ipsa_lock));
- IPSA_REFHOLD(sa);
- ctl->ipsec_ctl_sa = sa;
- } else
- ctl->ipsec_ctl_sa = NULL;
-
- return (ctl_mp);
-}
-
-
-/*
- * Called by sadb_ill_download() to dump the entries for a specific
- * fanout table. For each SA entry in the table passed as argument,
- * use mp as a template and constructs a full DL_CONTROL message, and
- * call ill_dlpi_send(), provided by IP, to send the resulting
- * messages to the ill.
- */
-static void
-sadb_ill_df(ill_t *ill, mblk_t *mp, isaf_t *fanout, int num_entries,
- boolean_t is_inbound)
-{
- ipsa_t *walker;
- mblk_t *nmp, *salist;
- int i, error = 0;
- ip_stack_t *ipst = ill->ill_ipst;
- netstack_t *ns = ipst->ips_netstack;
-
- IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_ill_df: fanout at 0x%p ne=%d\n",
- (void *)fanout, num_entries));
- /*
- * For each IPSA hash bucket do:
- * - Hold the mutex
- * - Walk each entry, sending a corresponding request to IP
- * for it.
- */
- ASSERT(mp->b_datap->db_type == M_PROTO);
-
- for (i = 0; i < num_entries; i++) {
- mutex_enter(&fanout[i].isaf_lock);
- salist = NULL;
-
- for (walker = fanout[i].isaf_ipsa; walker != NULL;
- walker = walker->ipsa_next) {
- IPSECHW_DEBUG(IPSECHW_SADB,
- ("sadb_ill_df: sending SA to ill via IP \n"));
- /*
- * Duplicate the template mp passed and
- * complete DL_CONTROL_REQ data.
- * To be more memory efficient, we could use
- * dupb() for the M_CTL and copyb() for the M_PROTO
- * as the M_CTL, since the M_CTL is the same for
- * every SA entry passed down to IP for the same ill.
- *
- * Note that copymsg/copyb ensure that the new mblk
- * is at least as large as the source mblk even if it's
- * not using all its storage -- therefore, nmp
- * has trailing space for sadb_req_from_sa to add
- * the SA-specific bits.
- */
- mutex_enter(&walker->ipsa_lock);
- if (ipsec_capab_match(ill,
- ill->ill_phyint->phyint_ifindex, ill->ill_isv6,
- walker, ns)) {
- nmp = copymsg(mp);
- if (nmp == NULL) {
- IPSECHW_DEBUG(IPSECHW_SADB,
- ("sadb_ill_df: alloc error\n"));
- error = ENOMEM;
- mutex_exit(&walker->ipsa_lock);
- break;
- }
- if (sadb_req_from_sa(walker, nmp, is_inbound)) {
- nmp->b_next = salist;
- salist = nmp;
- }
- }
- mutex_exit(&walker->ipsa_lock);
- }
- mutex_exit(&fanout[i].isaf_lock);
- while (salist != NULL) {
- nmp = salist;
- salist = nmp->b_next;
- nmp->b_next = NULL;
- ill_dlpi_send(ill, nmp);
- }
- if (error != 0)
- break; /* out of for loop. */
- }
-}
-
-/*
- * Called by ill_ipsec_capab_add(). Sends a copy of the SADB of
- * the type specified by sa_type to the specified ill.
- *
- * We call for each fanout table defined by the SADB (one per
- * protocol). sadb_ill_df() finally calls ill_dlpi_send() for
- * each SADB entry in order to send a corresponding DL_CONTROL_REQ
- * message to the ill.
- */
-void
-sadb_ill_download(ill_t *ill, uint_t sa_type)
-{
- mblk_t *protomp; /* prototype message */
- dl_control_req_t *ctrl;
- sadbp_t *spp;
- sadb_t *sp;
- int dlt;
- ip_stack_t *ipst = ill->ill_ipst;
- netstack_t *ns = ipst->ips_netstack;
-
- ASSERT(sa_type == SADB_SATYPE_AH || sa_type == SADB_SATYPE_ESP);
-
- /*
- * Allocate and initialize prototype answer. A duplicate for
- * each SA is sent down to the interface.
- */
-
- /* DL_CONTROL_REQ M_PROTO mblk_t */
- protomp = allocb(sizeof (dl_control_req_t) +
- sizeof (dl_ct_ipsec_key_t) + sizeof (dl_ct_ipsec_t), BPRI_HI);
- if (protomp == NULL)
- return;
- protomp->b_datap->db_type = M_PROTO;
-
- dlt = (sa_type == SADB_SATYPE_AH) ? DL_CT_IPSEC_AH : DL_CT_IPSEC_ESP;
- if (sa_type == SADB_SATYPE_ESP) {
- ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
-
- spp = &espstack->esp_sadb;
- } else {
- ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
-
- spp = &ahstack->ah_sadb;
- }
-
- ctrl = (dl_control_req_t *)protomp->b_wptr;
- ctrl->dl_primitive = DL_CONTROL_REQ;
- ctrl->dl_operation = DL_CO_SET;
- ctrl->dl_type = dlt;
- ctrl->dl_key_offset = sizeof (dl_control_req_t);
- ctrl->dl_key_length = sizeof (dl_ct_ipsec_key_t);
- ctrl->dl_data_offset = sizeof (dl_control_req_t) +
- sizeof (dl_ct_ipsec_key_t);
- ctrl->dl_data_length = sizeof (dl_ct_ipsec_t);
- protomp->b_wptr += sizeof (dl_control_req_t);
-
- /*
- * then for each SADB entry, we fill out the dl_ct_ipsec_key_t
- * and dl_ct_ipsec_t
- */
- sp = ill->ill_isv6 ? &(spp->s_v6) : &(spp->s_v4);
- sadb_ill_df(ill, protomp, sp->sdb_of, sp->sdb_hashsize, B_FALSE);
- sadb_ill_df(ill, protomp, sp->sdb_if, sp->sdb_hashsize, B_TRUE);
- freemsg(protomp);
-}
-
-/*
* Call me to free up a security association fanout. Use the forever
* variable to indicate freeing up the SAs (forever == B_FALSE, e.g.
* an SADB_FLUSH message), or destroying everything (forever == B_TRUE,
@@ -1119,30 +785,11 @@ sadb_destroy(sadb_t *sp, netstack_t *ns)
ASSERT(sp->sdb_acq == NULL);
}
-static void
-sadb_send_flush_req(sadbp_t *spp)
-{
- mblk_t *ctl_mp;
-
- /*
- * we've been unplumbed, or never were plumbed; don't go there.
- */
- if (spp->s_ip_q == NULL)
- return;
-
- /* have IP send a flush msg to the IPsec accelerators */
- ctl_mp = sadb_fmt_sa_req(DL_CO_FLUSH, spp->s_satype, NULL, B_TRUE);
- if (ctl_mp != NULL)
- putnext(spp->s_ip_q, ctl_mp);
-}
-
void
sadbp_flush(sadbp_t *spp, netstack_t *ns)
{
sadb_flush(&spp->s_v4, ns);
sadb_flush(&spp->s_v6, ns);
-
- sadb_send_flush_req(spp);
}
void
@@ -1151,7 +798,6 @@ sadbp_destroy(sadbp_t *spp, netstack_t *ns)
sadb_destroy(&spp->s_v4, ns);
sadb_destroy(&spp->s_v6, ns);
- sadb_send_flush_req(spp);
if (spp->s_satype == SADB_SATYPE_AH) {
ipsec_stack_t *ipss = ns->netstack_ipsec;
@@ -1259,11 +905,11 @@ sadb_cloneassoc(ipsa_t *ipsa)
/* bzero and initialize locks, in case *_init() allocates... */
mutex_init(&newbie->ipsa_lock, NULL, MUTEX_DEFAULT, NULL);
- if (newbie->ipsa_cred != NULL)
- crhold(newbie->ipsa_cred);
+ if (newbie->ipsa_tsl != NULL)
+ label_hold(newbie->ipsa_tsl);
- if (newbie->ipsa_ocred != NULL)
- crhold(newbie->ipsa_ocred);
+ if (newbie->ipsa_otsl != NULL)
+ label_hold(newbie->ipsa_otsl);
/*
* While somewhat dain-bramaged, the most graceful way to
@@ -1554,14 +1200,14 @@ sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg)
encr = B_FALSE;
}
- if (ipsa->ipsa_cred != NULL) {
- senslen = sadb_sens_len_from_cred(ipsa->ipsa_cred);
+ if (ipsa->ipsa_tsl != NULL) {
+ senslen = sadb_sens_len_from_label(ipsa->ipsa_tsl);
alloclen += senslen;
sensinteg = B_TRUE;
}
- if (ipsa->ipsa_ocred != NULL) {
- osenslen = sadb_sens_len_from_cred(ipsa->ipsa_ocred);
+ if (ipsa->ipsa_otsl != NULL) {
+ osenslen = sadb_sens_len_from_label(ipsa->ipsa_otsl);
alloclen += osenslen;
osensinteg = B_TRUE;
}
@@ -1792,8 +1438,8 @@ sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg)
if (sensinteg) {
sens = (sadb_sens_t *)walker;
- sadb_sens_from_cred(sens, SADB_EXT_SENSITIVITY,
- ipsa->ipsa_cred, senslen);
+ sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY,
+ ipsa->ipsa_tsl, senslen);
walker = (sadb_ext_t *)((uint64_t *)walker +
walker->sadb_ext_len);
@@ -1802,8 +1448,8 @@ sadb_sa2msg(ipsa_t *ipsa, sadb_msg_t *samsg)
if (osensinteg) {
sens = (sadb_sens_t *)walker;
- sadb_sens_from_cred(sens, SADB_X_EXT_OUTER_SENS,
- ipsa->ipsa_ocred, osenslen);
+ sadb_sens_from_label(sens, SADB_X_EXT_OUTER_SENS,
+ ipsa->ipsa_otsl, osenslen);
if (ipsa->ipsa_mac_exempt)
sens->sadb_x_sens_flags = SADB_X_SENS_IMPLICIT;
@@ -2123,7 +1769,6 @@ sadb_addrcheck(queue_t *pfkey_q, mblk_t *mp, sadb_ext_t *ext, uint_t serial,
sadb_address_t *addr = (sadb_address_t *)ext;
struct sockaddr_in *sin;
struct sockaddr_in6 *sin6;
- ire_t *ire;
int diagnostic, type;
boolean_t normalized = B_FALSE;
@@ -2249,18 +1894,12 @@ bail:
/*
* At this point, we're a unicast IPv6 address.
*
- * A ctable lookup for local is sufficient here. If we're
- * local, return KS_IN_ADDR_ME, otherwise KS_IN_ADDR_NOTME.
- *
* XXX Zones alert -> me/notme decision needs to be tempered
* by what zone we're in when we go to zone-aware IPsec.
*/
- ire = ire_ctable_lookup_v6(&sin6->sin6_addr, NULL,
- IRE_LOCAL, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE,
- ns->netstack_ip);
- if (ire != NULL) {
+ if (ip_type_v6(&sin6->sin6_addr, ns->netstack_ip) ==
+ IRE_LOCAL) {
/* Hey hey, it's local. */
- IRE_REFRELE(ire);
return (KS_IN_ADDR_ME);
}
} else {
@@ -2272,23 +1911,17 @@ bail:
/*
* At this point we're a unicast or broadcast IPv4 address.
*
- * Lookup on the ctable for IRE_BROADCAST or IRE_LOCAL.
- * A NULL return value is NOTME, otherwise, look at the
- * returned ire for broadcast or not and return accordingly.
+ * Check if the address is IRE_BROADCAST or IRE_LOCAL.
*
* XXX Zones alert -> me/notme decision needs to be tempered
* by what zone we're in when we go to zone-aware IPsec.
*/
- ire = ire_ctable_lookup(sin->sin_addr.s_addr, 0,
- IRE_LOCAL | IRE_BROADCAST, NULL, ALL_ZONES, NULL,
- MATCH_IRE_TYPE, ns->netstack_ip);
- if (ire != NULL) {
- /* Check for local or broadcast */
- type = ire->ire_type;
- IRE_REFRELE(ire);
- ASSERT(type == IRE_LOCAL || type == IRE_BROADCAST);
- return ((type == IRE_LOCAL) ? KS_IN_ADDR_ME :
- KS_IN_ADDR_MBCAST);
+ type = ip_type_v4(sin->sin_addr.s_addr, ns->netstack_ip);
+ switch (type) {
+ case IRE_LOCAL:
+ return (KS_IN_ADDR_ME);
+ case IRE_BROADCAST:
+ return (KS_IN_ADDR_MBCAST);
}
}
@@ -2763,7 +2396,6 @@ struct sadb_purge_state
ipsa_query_t sq;
boolean_t inbnd;
uint8_t sadb_sa_state;
- mblk_t *mq;
};
static void
@@ -2785,7 +2417,7 @@ sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie)
sadb_delete_cluster(entry);
}
entry->ipsa_state = IPSA_STATE_DEAD;
- (void) sadb_torch_assoc(head, entry, ps->inbnd, &ps->mq);
+ (void) sadb_torch_assoc(head, entry);
}
/*
@@ -2794,15 +2426,13 @@ sadb_purge_cb(isaf_t *head, ipsa_t *entry, void *cookie)
*/
int
sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp,
- int *diagnostic, queue_t *pfkey_q, queue_t *ip_q)
+ int *diagnostic, queue_t *pfkey_q)
{
struct sadb_purge_state ps;
int error = sadb_form_query(ksi, 0,
IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC,
&ps.sq, diagnostic);
- ps.mq = NULL;
-
if (error != 0)
return (error);
@@ -2819,9 +2449,6 @@ sadb_purge_sa(mblk_t *mp, keysock_in_t *ksi, sadb_t *sp,
ps.inbnd = B_FALSE;
sadb_walker(sp->sdb_of, sp->sdb_hashsize, sadb_purge_cb, &ps);
- if (ps.mq != NULL)
- sadb_drain_torchq(ip_q, ps.mq);
-
ASSERT(mp->b_cont != NULL);
sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi,
NULL);
@@ -2870,12 +2497,11 @@ sadb_delpair_state_one(isaf_t *head, ipsa_t *entry, void *cookie)
}
entry->ipsa_state = IPSA_STATE_DEAD;
- (void) sadb_torch_assoc(head, entry, B_FALSE, &ps->mq);
+ (void) sadb_torch_assoc(head, entry);
if (peer_assoc != NULL) {
mutex_enter(&peer_assoc->ipsa_lock);
peer_assoc->ipsa_state = IPSA_STATE_DEAD;
- (void) sadb_torch_assoc(inbound_bucket, peer_assoc,
- B_FALSE, &ps->mq);
+ (void) sadb_torch_assoc(inbound_bucket, peer_assoc);
}
mutex_exit(&inbound_bucket->isaf_lock);
}
@@ -2889,7 +2515,6 @@ sadb_delpair_state(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp,
int error;
ps.sq.spp = spp; /* XXX param */
- ps.mq = NULL;
error = sadb_form_query(ksi, IPSA_Q_DST|IPSA_Q_SRC,
IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SRCID|IPSA_Q_DSTID|IPSA_Q_KMC,
@@ -2902,9 +2527,6 @@ sadb_delpair_state(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp,
sadb_walker(ps.sq.sp->sdb_of, ps.sq.sp->sdb_hashsize,
sadb_delpair_state_one, &ps);
- if (ps.mq != NULL)
- sadb_drain_torchq(pfkey_q, ps.mq);
-
ASSERT(mp->b_cont != NULL);
sadb_pfkey_echo(pfkey_q, mp, (sadb_msg_t *)mp->b_cont->b_rptr,
ksi, NULL);
@@ -2921,7 +2543,6 @@ sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp,
ipsa_query_t sq;
ipsa_t *echo_target = NULL;
ipsap_t ipsapp;
- mblk_t *torchq = NULL;
uint_t error = 0;
if (sadb_msg_type == SADB_X_DELPAIR_STATE)
@@ -2965,7 +2586,7 @@ sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp,
}
ipsapp.ipsap_sa_ptr->ipsa_state = IPSA_STATE_DEAD;
(void) sadb_torch_assoc(ipsapp.ipsap_bucket,
- ipsapp.ipsap_sa_ptr, B_FALSE, &torchq);
+ ipsapp.ipsap_sa_ptr);
/*
* sadb_torch_assoc() releases the ipsa_lock
* and calls sadb_unlinkassoc() which does a
@@ -2984,7 +2605,7 @@ sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp,
ipsapp.ipsap_psa_ptr->ipsa_state =
IPSA_STATE_DEAD;
(void) sadb_torch_assoc(ipsapp.ipsap_pbucket,
- ipsapp.ipsap_psa_ptr, B_FALSE, &torchq);
+ ipsapp.ipsap_psa_ptr);
} else {
/*
* Only half of the "pair" has been deleted.
@@ -3004,9 +2625,6 @@ sadb_delget_sa(mblk_t *mp, keysock_in_t *ksi, sadbp_t *spp,
mutex_exit(&ipsapp.ipsap_pbucket->isaf_lock);
}
- if (torchq != NULL)
- sadb_drain_torchq(spp->s_ip_q, torchq);
-
ASSERT(mp->b_cont != NULL);
if (error == 0)
@@ -3269,7 +2887,7 @@ sadb_nat_calculations(ipsa_t *newbie, sadb_address_t *natt_loc_ext,
* case here.
*/
int
-sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
+sadb_common_add(queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
keysock_in_t *ksi, isaf_t *primary, isaf_t *secondary,
ipsa_t *newbie, boolean_t clone, boolean_t is_inbound, int *diagnostic,
netstack_t *ns, sadbp_t *spp)
@@ -3313,11 +2931,11 @@ sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
int error = 0;
boolean_t isupdate = (newbie != NULL);
uint32_t *src_addr_ptr, *dst_addr_ptr, *isrc_addr_ptr, *idst_addr_ptr;
- mblk_t *ctl_mp = NULL;
ipsec_stack_t *ipss = ns->netstack_ipsec;
ip_stack_t *ipst = ns->netstack_ip;
ipsec_alginfo_t *alg;
int rcode;
+ boolean_t async = B_FALSE;
init_ipsa_pair(&ipsapp);
@@ -3549,7 +3167,14 @@ sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
newbie->ipsa_authtmpl = NULL;
newbie->ipsa_encrtmpl = NULL;
+#ifdef IPSEC_LATENCY_TEST
+ if (akey != NULL && newbie->ipsa_auth_alg != SADB_AALG_NONE) {
+#else
if (akey != NULL) {
+#endif
+ async = (ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] ==
+ IPSEC_ALGS_EXEC_ASYNC);
+
newbie->ipsa_authkeybits = akey->sadb_key_bits;
newbie->ipsa_authkeylen = SADB_1TO8(akey->sadb_key_bits);
/* In case we have to round up to the next byte... */
@@ -3604,6 +3229,8 @@ sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
if (ekey != NULL) {
mutex_enter(&ipss->ipsec_alg_lock);
+ async = async || (ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] ==
+ IPSEC_ALGS_EXEC_ASYNC);
alg = ipss->ipsec_alglists[IPSEC_ALG_ENCR]
[newbie->ipsa_encr_alg];
@@ -3757,6 +3384,9 @@ sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
}
}
+ if (async)
+ newbie->ipsa_flags |= IPSA_F_ASYNC;
+
/*
* Ptrs to processing functions.
*/
@@ -3812,7 +3442,7 @@ sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
if (sens != NULL) {
uint64_t *bitmap = (uint64_t *)(sens + 1);
- newbie->ipsa_cred = sadb_cred_from_sens(sens, bitmap);
+ newbie->ipsa_tsl = sadb_label_from_sens(sens, bitmap);
}
/*
@@ -3820,41 +3450,55 @@ sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
*/
if (osens != NULL) {
uint64_t *bitmap = (uint64_t *)(osens + 1);
- cred_t *cred, *effective_cred;
+ ts_label_t *tsl, *effective_tsl;
uint32_t *peer_addr_ptr;
+ zoneid_t zoneid = GLOBAL_ZONEID;
+ zone_t *zone;
peer_addr_ptr = is_inbound ? src_addr_ptr : dst_addr_ptr;
- cred = sadb_cred_from_sens(osens, bitmap);
+ tsl = sadb_label_from_sens(osens, bitmap);
newbie->ipsa_mac_exempt = CONN_MAC_DEFAULT;
if (osens->sadb_x_sens_flags & SADB_X_SENS_IMPLICIT) {
newbie->ipsa_mac_exempt = CONN_MAC_IMPLICIT;
}
- error = tsol_check_dest(cred, peer_addr_ptr,
+ error = tsol_check_dest(tsl, peer_addr_ptr,
(af == AF_INET6)?IPV6_VERSION:IPV4_VERSION,
- newbie->ipsa_mac_exempt, &effective_cred);
+ newbie->ipsa_mac_exempt, B_TRUE, &effective_tsl);
if (error != 0) {
- crfree(cred);
+ label_rele(tsl);
mutex_exit(&newbie->ipsa_lock);
goto error;
}
- if (effective_cred != NULL) {
- crfree(cred);
- cred = effective_cred;
+ if (effective_tsl != NULL) {
+ label_rele(tsl);
+ tsl = effective_tsl;
}
- newbie->ipsa_ocred = cred;
+ newbie->ipsa_otsl = tsl;
+
+ zone = zone_find_by_label(tsl);
+ if (zone != NULL) {
+ zoneid = zone->zone_id;
+ zone_rele(zone);
+ }
+ /*
+ * For exclusive stacks we set the zoneid to zero to operate
+ * as if in the global zone for tsol_compute_label_v4/v6
+ */
+ if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID)
+ zoneid = GLOBAL_ZONEID;
if (af == AF_INET6) {
- error = tsol_compute_label_v6(cred,
+ error = tsol_compute_label_v6(tsl, zoneid,
(in6_addr_t *)peer_addr_ptr,
newbie->ipsa_opt_storage, ipst);
} else {
- error = tsol_compute_label(cred, *peer_addr_ptr,
- newbie->ipsa_opt_storage, ipst);
+ error = tsol_compute_label_v4(tsl, zoneid,
+ *peer_addr_ptr, newbie->ipsa_opt_storage, ipst);
}
if (error != 0) {
mutex_exit(&newbie->ipsa_lock);
@@ -3916,9 +3560,6 @@ sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
mutex_enter(&primary->isaf_lock);
}
- IPSECHW_DEBUG(IPSECHW_SADB, ("sadb_common_add: spi = 0x%x\n",
- newbie->ipsa_spi));
-
/*
* sadb_insertassoc() doesn't increment the reference
* count. We therefore have to increment the
@@ -3938,10 +3579,6 @@ sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
mutex_enter(&newbie->ipsa_lock);
error = sadb_insertassoc(newbie, primary);
- if (error == 0) {
- ctl_mp = sadb_fmt_sa_req(DL_CO_SET, newbie->ipsa_type, newbie,
- is_inbound);
- }
mutex_exit(&newbie->ipsa_lock);
if (error != 0) {
@@ -3982,13 +3619,6 @@ sadb_common_add(queue_t *ip_q, queue_t *pfkey_q, mblk_t *mp, sadb_msg_t *samsg,
ASSERT(MUTEX_NOT_HELD(&newbie->ipsa_lock));
ASSERT(newbie_clone == NULL ||
(MUTEX_NOT_HELD(&newbie_clone->ipsa_lock)));
- /*
- * If hardware acceleration could happen, send it.
- */
- if (ctl_mp != NULL) {
- putnext(ip_q, ctl_mp);
- ctl_mp = NULL;
- }
error_unlock:
@@ -4037,8 +3667,6 @@ error:
if (newbie_clone != NULL) {
IPSA_REFRELE(newbie_clone);
}
- if (ctl_mp != NULL)
- freemsg(ctl_mp);
if (error == 0) {
/*
@@ -4315,37 +3943,12 @@ sadb_age_bytes(queue_t *pfkey_q, ipsa_t *assoc, uint64_t bytes,
}
/*
- * Push one or more DL_CO_DELETE messages queued up by
- * sadb_torch_assoc down to the underlying driver now that it's a
- * convenient time for it (i.e., ipsa bucket locks not held).
- */
-static void
-sadb_drain_torchq(queue_t *q, mblk_t *mp)
-{
- while (mp != NULL) {
- mblk_t *next = mp->b_next;
- mp->b_next = NULL;
- if (q != NULL)
- putnext(q, mp);
- else
- freemsg(mp);
- mp = next;
- }
-}
-
-/*
* "Torch" an individual SA. Returns NULL, so it can be tail-called from
* sadb_age_assoc().
- *
- * If SA is hardware-accelerated, and we can't allocate the mblk
- * containing the DL_CO_DELETE, just return; it will remain in the
- * table and be swept up by sadb_ager() in a subsequent pass.
*/
static ipsa_t *
-sadb_torch_assoc(isaf_t *head, ipsa_t *sa, boolean_t inbnd, mblk_t **mq)
+sadb_torch_assoc(isaf_t *head, ipsa_t *sa)
{
- mblk_t *mp;
-
ASSERT(MUTEX_HELD(&head->isaf_lock));
ASSERT(MUTEX_HELD(&sa->ipsa_lock));
ASSERT(sa->ipsa_state == IPSA_STATE_DEAD);
@@ -4355,15 +3958,6 @@ sadb_torch_assoc(isaf_t *head, ipsa_t *sa, boolean_t inbnd, mblk_t **mq)
*/
head->isaf_gen++;
- if (sa->ipsa_flags & IPSA_F_HW) {
- mp = sadb_fmt_sa_req(DL_CO_DELETE, sa->ipsa_type, sa, inbnd);
- if (mp == NULL) {
- mutex_exit(&sa->ipsa_lock);
- return (NULL);
- }
- mp->b_next = *mq;
- *mq = mp;
- }
mutex_exit(&sa->ipsa_lock);
sadb_unlinkassoc(sa);
@@ -4404,7 +3998,7 @@ sadb_idle_activities(ipsa_t *assoc, time_t delta, boolean_t inbound)
*/
static ipsa_t *
sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc,
- time_t current, int reap_delay, boolean_t inbound, mblk_t **mq)
+ time_t current, int reap_delay, boolean_t inbound)
{
ipsa_t *retval = NULL;
boolean_t dropped_mutex = B_FALSE;
@@ -4419,7 +4013,7 @@ sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc,
(assoc->ipsa_hardexpiretime != 0))) &&
(assoc->ipsa_hardexpiretime <= current)) {
assoc->ipsa_state = IPSA_STATE_DEAD;
- return (sadb_torch_assoc(head, assoc, inbound, mq));
+ return (sadb_torch_assoc(head, assoc));
}
/*
@@ -4433,7 +4027,7 @@ sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc,
if (assoc->ipsa_hardexpiretime != 0 &&
assoc->ipsa_hardexpiretime <= current) {
if (assoc->ipsa_state == IPSA_STATE_DEAD)
- return (sadb_torch_assoc(head, assoc, inbound, mq));
+ return (sadb_torch_assoc(head, assoc));
if (inbound) {
sadb_delete_cluster(assoc);
@@ -4516,8 +4110,7 @@ sadb_age_assoc(isaf_t *head, queue_t *pfkey_q, ipsa_t *assoc,
* the second time sadb_ager() runs.
*/
void
-sadb_ager(sadb_t *sp, queue_t *pfkey_q, queue_t *ip_q, int reap_delay,
- netstack_t *ns)
+sadb_ager(sadb_t *sp, queue_t *pfkey_q, int reap_delay, netstack_t *ns)
{
int i;
isaf_t *bucket;
@@ -4527,7 +4120,6 @@ sadb_ager(sadb_t *sp, queue_t *pfkey_q, queue_t *ip_q, int reap_delay,
templist_t *haspeerlist, *newbie;
/* Snapshot current time now. */
time_t current = gethrestime_sec();
- mblk_t *mq = NULL;
haspeerlist = NULL;
/*
@@ -4559,7 +4151,7 @@ sadb_ager(sadb_t *sp, queue_t *pfkey_q, queue_t *ip_q, int reap_delay,
assoc = spare) {
spare = assoc->ipsa_next;
if (sadb_age_assoc(bucket, pfkey_q, assoc, current,
- reap_delay, B_TRUE, &mq) != NULL) {
+ reap_delay, B_TRUE) != NULL) {
/*
* Put SA's which have a peer or SA's which
* are paired on a list for processing after
@@ -4585,10 +4177,6 @@ sadb_ager(sadb_t *sp, queue_t *pfkey_q, queue_t *ip_q, int reap_delay,
mutex_exit(&bucket->isaf_lock);
}
- if (mq != NULL) {
- sadb_drain_torchq(ip_q, mq);
- mq = NULL;
- }
age_pair_peer_list(haspeerlist, sp, B_FALSE);
haspeerlist = NULL;
@@ -4600,7 +4188,7 @@ sadb_ager(sadb_t *sp, queue_t *pfkey_q, queue_t *ip_q, int reap_delay,
assoc = spare) {
spare = assoc->ipsa_next;
if (sadb_age_assoc(bucket, pfkey_q, assoc, current,
- reap_delay, B_FALSE, &mq) != NULL) {
+ reap_delay, B_FALSE) != NULL) {
/*
* sadb_age_assoc() increments the refcnt,
* effectively doing an IPSA_REFHOLD().
@@ -4621,10 +4209,6 @@ sadb_ager(sadb_t *sp, queue_t *pfkey_q, queue_t *ip_q, int reap_delay,
}
mutex_exit(&bucket->isaf_lock);
}
- if (mq != NULL) {
- sadb_drain_torchq(ip_q, mq);
- mq = NULL;
- }
age_pair_peer_list(haspeerlist, sp, B_TRUE);
@@ -5227,7 +4811,7 @@ update_pairing(ipsap_t *ipsapp, ipsa_query_t *sq, keysock_in_t *ksi,
static ipsacq_t *
sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp,
uint32_t *src, uint32_t *dst, uint32_t *isrc, uint32_t *idst,
- uint64_t unique_id, cred_t *cr)
+ uint64_t unique_id, ts_label_t *tsl)
{
ipsacq_t *walker;
sa_family_t fam;
@@ -5257,7 +4841,7 @@ sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp,
(pp == walker->ipsacq_policy) &&
/* XXX do deep compares of ap/pp? */
(unique_id == walker->ipsacq_unique_id) &&
- (ipsec_label_match(cr, walker->ipsacq_cred)))
+ (ipsec_label_match(tsl, walker->ipsacq_tsl)))
break; /* everything matched */
mutex_exit(&walker->ipsacq_lock);
}
@@ -5272,31 +4856,32 @@ sadb_checkacquire(iacqf_t *bucket, ipsec_action_t *ap, ipsec_policy_t *pp,
* send the acquire up..
*
* In cases where we need both AH and ESP, add the SA to the ESP ACQUIRE
- * list. The ah_add_sa_finish() routines can look at the packet's ipsec_out_t
- * and handle this case specially.
+ * list. The ah_add_sa_finish() routines can look at the packet's attached
+ * attributes and handle this case specially.
*/
void
-sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp)
+sadb_acquire(mblk_t *datamp, ip_xmit_attr_t *ixa, boolean_t need_ah,
+ boolean_t need_esp)
{
+ mblk_t *asyncmp;
sadbp_t *spp;
sadb_t *sp;
ipsacq_t *newbie;
iacqf_t *bucket;
- mblk_t *datamp = mp->b_cont;
mblk_t *extended;
ipha_t *ipha = (ipha_t *)datamp->b_rptr;
ip6_t *ip6h = (ip6_t *)datamp->b_rptr;
uint32_t *src, *dst, *isrc, *idst;
- ipsec_policy_t *pp = io->ipsec_out_policy;
- ipsec_action_t *ap = io->ipsec_out_act;
+ ipsec_policy_t *pp = ixa->ixa_ipsec_policy;
+ ipsec_action_t *ap = ixa->ixa_ipsec_action;
sa_family_t af;
int hashoffset;
uint32_t seq;
uint64_t unique_id = 0;
ipsec_selector_t sel;
- boolean_t tunnel_mode = io->ipsec_out_tunnel;
- cred_t *cr = NULL;
- netstack_t *ns = io->ipsec_out_ns;
+ boolean_t tunnel_mode = (ixa->ixa_flags & IXAF_IPSEC_TUNNEL) != 0;
+ ts_label_t *tsl = NULL;
+ netstack_t *ns = ixa->ixa_ipst->ips_netstack;
ipsec_stack_t *ipss = ns->netstack_ipsec;
sadb_sens_t *sens = NULL;
int sens_len;
@@ -5315,12 +4900,10 @@ sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp)
spp = &ahstack->ah_sadb;
}
- sp = io->ipsec_out_v4 ? &spp->s_v4 : &spp->s_v6;
-
- ASSERT(mp->b_cont != NULL);
+ sp = (ixa->ixa_flags & IXAF_IS_IPV4) ? &spp->s_v4 : &spp->s_v6;
if (is_system_labeled())
- cr = msg_getcred(mp->b_cont, NULL);
+ tsl = ixa->ixa_tsl;
if (ap == NULL)
ap = pp->ipsp_act;
@@ -5328,7 +4911,7 @@ sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp)
ASSERT(ap != NULL);
if (ap->ipa_act.ipa_apply.ipp_use_unique || tunnel_mode)
- unique_id = SA_FORM_UNIQUE_ID(io);
+ unique_id = SA_FORM_UNIQUE_ID(ixa);
/*
* Set up an ACQUIRE record.
@@ -5345,14 +4928,14 @@ sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp)
dst = (uint32_t *)&ipha->ipha_dst;
af = AF_INET;
hashoffset = OUTBOUND_HASH_V4(sp, ipha->ipha_dst);
- ASSERT(io->ipsec_out_v4 == B_TRUE);
+ ASSERT(ixa->ixa_flags & IXAF_IS_IPV4);
} else {
ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION);
src = (uint32_t *)&ip6h->ip6_src;
dst = (uint32_t *)&ip6h->ip6_dst;
af = AF_INET6;
hashoffset = OUTBOUND_HASH_V6(sp, ip6h->ip6_dst);
- ASSERT(io->ipsec_out_v4 == B_FALSE);
+ ASSERT(!(ixa->ixa_flags & IXAF_IS_IPV4));
}
if (tunnel_mode) {
@@ -5363,14 +4946,14 @@ sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp)
* with self-encapsulated protection. Until we better
* support this, drop the packet.
*/
- ip_drop_packet(mp, B_FALSE, NULL, NULL,
+ ip_drop_packet(datamp, B_FALSE, NULL,
DROPPER(ipss, ipds_spd_got_selfencap),
&ipss->ipsec_spd_dropper);
return;
}
/* Snag inner addresses. */
- isrc = io->ipsec_out_insrc;
- idst = io->ipsec_out_indst;
+ isrc = ixa->ixa_ipsec_insrc;
+ idst = ixa->ixa_ipsec_indst;
} else {
isrc = idst = NULL;
}
@@ -5382,7 +4965,7 @@ sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp)
bucket = &(sp->sdb_acq[hashoffset]);
mutex_enter(&bucket->iacqf_lock);
newbie = sadb_checkacquire(bucket, ap, pp, src, dst, isrc, idst,
- unique_id, cr);
+ unique_id, tsl);
if (newbie == NULL) {
/*
@@ -5391,7 +4974,7 @@ sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp)
newbie = kmem_zalloc(sizeof (*newbie), KM_NOSLEEP);
if (newbie == NULL) {
mutex_exit(&bucket->iacqf_lock);
- ip_drop_packet(mp, B_FALSE, NULL, NULL,
+ ip_drop_packet(datamp, B_FALSE, NULL,
DROPPER(ipss, ipds_sadb_acquire_nomem),
&ipss->ipsec_sadb_dropper);
return;
@@ -5433,11 +5016,30 @@ sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp)
*/
ASSERT(MUTEX_HELD(&newbie->ipsacq_lock));
- mp->b_next = NULL;
+ /*
+ * Make the ip_xmit_attr_t into something we can queue.
+ * If no memory it frees datamp.
+ */
+ asyncmp = ip_xmit_attr_to_mblk(ixa);
+ if (asyncmp != NULL)
+ linkb(asyncmp, datamp);
+
/* Queue up packet. Use b_next. */
- if (newbie->ipsacq_numpackets == 0) {
+
+ if (asyncmp == NULL) {
+ /* Statistics for allocation failure */
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ BUMP_MIB(&ixa->ixa_ipst->ips_ip_mib,
+ ipIfStatsOutDiscards);
+ } else {
+ BUMP_MIB(&ixa->ixa_ipst->ips_ip6_mib,
+ ipIfStatsOutDiscards);
+ }
+ ip_drop_output("No memory for asyncmp", datamp, NULL);
+ freemsg(datamp);
+ } else if (newbie->ipsacq_numpackets == 0) {
/* First one. */
- newbie->ipsacq_mp = mp;
+ newbie->ipsacq_mp = asyncmp;
newbie->ipsacq_numpackets = 1;
newbie->ipsacq_expire = gethrestime_sec();
/*
@@ -5448,28 +5050,28 @@ sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp)
newbie->ipsacq_seq = seq;
newbie->ipsacq_addrfam = af;
- newbie->ipsacq_srcport = io->ipsec_out_src_port;
- newbie->ipsacq_dstport = io->ipsec_out_dst_port;
- newbie->ipsacq_icmp_type = io->ipsec_out_icmp_type;
- newbie->ipsacq_icmp_code = io->ipsec_out_icmp_code;
+ newbie->ipsacq_srcport = ixa->ixa_ipsec_src_port;
+ newbie->ipsacq_dstport = ixa->ixa_ipsec_dst_port;
+ newbie->ipsacq_icmp_type = ixa->ixa_ipsec_icmp_type;
+ newbie->ipsacq_icmp_code = ixa->ixa_ipsec_icmp_code;
if (tunnel_mode) {
- newbie->ipsacq_inneraddrfam = io->ipsec_out_inaf;
- newbie->ipsacq_proto = io->ipsec_out_inaf == AF_INET6 ?
+ newbie->ipsacq_inneraddrfam = ixa->ixa_ipsec_inaf;
+ newbie->ipsacq_proto = ixa->ixa_ipsec_inaf == AF_INET6 ?
IPPROTO_IPV6 : IPPROTO_ENCAP;
- newbie->ipsacq_innersrcpfx = io->ipsec_out_insrcpfx;
- newbie->ipsacq_innerdstpfx = io->ipsec_out_indstpfx;
+ newbie->ipsacq_innersrcpfx = ixa->ixa_ipsec_insrcpfx;
+ newbie->ipsacq_innerdstpfx = ixa->ixa_ipsec_indstpfx;
IPSA_COPY_ADDR(newbie->ipsacq_innersrc,
- io->ipsec_out_insrc, io->ipsec_out_inaf);
+ ixa->ixa_ipsec_insrc, ixa->ixa_ipsec_inaf);
IPSA_COPY_ADDR(newbie->ipsacq_innerdst,
- io->ipsec_out_indst, io->ipsec_out_inaf);
+ ixa->ixa_ipsec_indst, ixa->ixa_ipsec_inaf);
} else {
- newbie->ipsacq_proto = io->ipsec_out_proto;
+ newbie->ipsacq_proto = ixa->ixa_ipsec_proto;
}
newbie->ipsacq_unique_id = unique_id;
- if (cr != NULL) {
- crhold(cr);
- newbie->ipsacq_cred = cr;
+ if (ixa->ixa_tsl != NULL) {
+ label_hold(ixa->ixa_tsl);
+ newbie->ipsacq_tsl = ixa->ixa_tsl;
}
} else {
/* Scan to the end of the list & insert. */
@@ -5477,13 +5079,16 @@ sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp)
while (lastone->b_next != NULL)
lastone = lastone->b_next;
- lastone->b_next = mp;
+ lastone->b_next = asyncmp;
if (newbie->ipsacq_numpackets++ == ipsacq_maxpackets) {
newbie->ipsacq_numpackets = ipsacq_maxpackets;
lastone = newbie->ipsacq_mp;
newbie->ipsacq_mp = lastone->b_next;
lastone->b_next = NULL;
- ip_drop_packet(lastone, B_FALSE, NULL, NULL,
+
+ /* Freeing the async message */
+ lastone = ip_xmit_attr_free_mblk(lastone);
+ ip_drop_packet(lastone, B_FALSE, NULL,
DROPPER(ipss, ipds_sadb_acquire_toofull),
&ipss->ipsec_sadb_dropper);
} else {
@@ -5518,17 +5123,17 @@ sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp)
* opportunities here in failure cases.
*/
(void) memset(&sel, 0, sizeof (sel));
- sel.ips_isv4 = io->ipsec_out_v4;
+ sel.ips_isv4 = (ixa->ixa_flags & IXAF_IS_IPV4) != 0;
if (tunnel_mode) {
- sel.ips_protocol = (io->ipsec_out_inaf == AF_INET) ?
+ sel.ips_protocol = (ixa->ixa_ipsec_inaf == AF_INET) ?
IPPROTO_ENCAP : IPPROTO_IPV6;
} else {
- sel.ips_protocol = io->ipsec_out_proto;
- sel.ips_local_port = io->ipsec_out_src_port;
- sel.ips_remote_port = io->ipsec_out_dst_port;
+ sel.ips_protocol = ixa->ixa_ipsec_proto;
+ sel.ips_local_port = ixa->ixa_ipsec_src_port;
+ sel.ips_remote_port = ixa->ixa_ipsec_dst_port;
}
- sel.ips_icmp_type = io->ipsec_out_icmp_type;
- sel.ips_icmp_code = io->ipsec_out_icmp_code;
+ sel.ips_icmp_type = ixa->ixa_ipsec_icmp_type;
+ sel.ips_icmp_code = ixa->ixa_ipsec_icmp_code;
sel.ips_is_icmp_inv_acq = 0;
if (af == AF_INET) {
sel.ips_local_addr_v4 = ipha->ipha_src;
@@ -5542,13 +5147,13 @@ sadb_acquire(mblk_t *mp, ipsec_out_t *io, boolean_t need_ah, boolean_t need_esp)
if (extended == NULL)
goto punt_extended;
- if (cr != NULL) {
+ if (ixa->ixa_tsl != NULL) {
/*
* XXX MLS correct condition here?
* XXX MLS other credential attributes in acquire?
* XXX malloc failure? don't fall back to original?
*/
- sens = sadb_make_sens_ext(cr, &sens_len);
+ sens = sadb_make_sens_ext(ixa->ixa_tsl, &sens_len);
if (sens == NULL) {
freeb(extended);
@@ -5585,13 +5190,13 @@ punt_extended:
void
sadb_destroy_acquire(ipsacq_t *acqrec, netstack_t *ns)
{
- mblk_t *mp;
+ mblk_t *mp;
ipsec_stack_t *ipss = ns->netstack_ipsec;
ASSERT(MUTEX_HELD(acqrec->ipsacq_linklock));
if (acqrec->ipsacq_policy != NULL) {
- IPPOL_REFRELE(acqrec->ipsacq_policy, ns);
+ IPPOL_REFRELE(acqrec->ipsacq_policy);
}
if (acqrec->ipsacq_act != NULL) {
IPACT_REFRELE(acqrec->ipsacq_act);
@@ -5602,9 +5207,9 @@ sadb_destroy_acquire(ipsacq_t *acqrec, netstack_t *ns)
if (acqrec->ipsacq_next != NULL)
acqrec->ipsacq_next->ipsacq_ptpn = acqrec->ipsacq_ptpn;
- if (acqrec->ipsacq_cred) {
- crfree(acqrec->ipsacq_cred);
- acqrec->ipsacq_cred = NULL;
+ if (acqrec->ipsacq_tsl != NULL) {
+ label_rele(acqrec->ipsacq_tsl);
+ acqrec->ipsacq_tsl = NULL;
}
/*
@@ -5618,7 +5223,9 @@ sadb_destroy_acquire(ipsacq_t *acqrec, netstack_t *ns)
mp = acqrec->ipsacq_mp;
acqrec->ipsacq_mp = mp->b_next;
mp->b_next = NULL;
- ip_drop_packet(mp, B_FALSE, NULL, NULL,
+ /* Freeing the async message */
+ mp = ip_xmit_attr_free_mblk(mp);
+ ip_drop_packet(mp, B_FALSE, NULL,
DROPPER(ipss, ipds_sadb_acquire_timeout),
&ipss->ipsec_sadb_dropper);
}
@@ -5795,24 +5402,23 @@ sadb_action_to_ecomb(uint8_t *start, uint8_t *limit, ipsec_action_t *act,
/* ARGSUSED */
int
-sadb_sens_len_from_cred(cred_t *cr)
+sadb_sens_len_from_label(ts_label_t *tsl)
{
int baselen = sizeof (sadb_sens_t) + _C_LEN * 4;
return (roundup(baselen, sizeof (uint64_t)));
}
void
-sadb_sens_from_cred(sadb_sens_t *sens, int exttype, cred_t *cr, int senslen)
+sadb_sens_from_label(sadb_sens_t *sens, int exttype, ts_label_t *tsl,
+ int senslen)
{
uint8_t *bitmap;
bslabel_t *sl;
- ts_label_t *tsl;
/* LINTED */
ASSERT((_C_LEN & 1) == 0);
ASSERT((senslen & 7) == 0);
- tsl = crgetlabel(cr);
sl = label2bslabel(tsl);
sens->sadb_sens_exttype = exttype;
@@ -5830,14 +5436,14 @@ sadb_sens_from_cred(sadb_sens_t *sens, int exttype, cred_t *cr, int senslen)
}
static sadb_sens_t *
-sadb_make_sens_ext(cred_t *cr, int *len)
+sadb_make_sens_ext(ts_label_t *tsl, int *len)
{
/* XXX allocation failure? */
- int sens_len = sadb_sens_len_from_cred(cr);
+ int sens_len = sadb_sens_len_from_label(tsl);
sadb_sens_t *sens = kmem_alloc(sens_len, KM_SLEEP);
- sadb_sens_from_cred(sens, SADB_EXT_SENSITIVITY, cr, sens_len);
+ sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY, tsl, sens_len);
*len = sens_len;
@@ -5849,12 +5455,12 @@ sadb_make_sens_ext(cred_t *cr, int *len)
* With a special designated "not a label" cred_t ?
*/
/* ARGSUSED */
-cred_t *
-sadb_cred_from_sens(sadb_sens_t *sens, uint64_t *bitmap)
+ts_label_t *
+sadb_label_from_sens(sadb_sens_t *sens, uint64_t *bitmap)
{
int bitmap_len = SADB_64TO8(sens->sadb_sens_sens_len);
bslabel_t sl;
- cred_t *cr;
+ ts_label_t *tsl;
if (sens->sadb_sens_integ_level != 0)
return (NULL);
@@ -5868,13 +5474,13 @@ sadb_cred_from_sens(sadb_sens_t *sens, uint64_t *bitmap)
bcopy(bitmap, &((_bslabel_impl_t *)&sl)->compartments,
bitmap_len);
- cr = newcred_from_bslabel(&sl, sens->sadb_sens_dpd, KM_NOSLEEP);
- if (cr == NULL)
- return (cr);
+ tsl = labelalloc(&sl, sens->sadb_sens_dpd, KM_NOSLEEP);
+ if (tsl == NULL)
+ return (NULL);
if (sens->sadb_x_sens_flags & SADB_X_SENS_UNLABELED)
- crgetlabel(cr)->tsl_flags |= TSLF_UNLABELED;
- return (cr);
+ tsl->tsl_flags |= TSLF_UNLABELED;
+ return (tsl);
}
/* End XXX label-library-leakage */
@@ -6359,12 +5965,13 @@ sadb_getspi(keysock_in_t *ksi, uint32_t master_spi, int *diagnostic,
*
* Caller frees the message, so we don't have to here.
*
- * NOTE: The ip_q parameter may be used in the future for ACQUIRE
+ * NOTE: The pfkey_q parameter may be used in the future for ACQUIRE
* failures.
*/
/* ARGSUSED */
void
-sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *ip_q, netstack_t *ns)
+sadb_in_acquire(sadb_msg_t *samsg, sadbp_t *sp, queue_t *pfkey_q,
+ netstack_t *ns)
{
int i;
ipsacq_t *acqrec;
@@ -6624,36 +6231,6 @@ sadb_replay_delete(ipsa_t *assoc)
}
/*
- * Given a queue that presumably points to IP, send a T_BIND_REQ for _proto_
- * down. The caller will handle the T_BIND_ACK locally.
- */
-boolean_t
-sadb_t_bind_req(queue_t *q, int proto)
-{
- struct T_bind_req *tbr;
- mblk_t *mp;
-
- mp = allocb_cred(sizeof (struct T_bind_req) + 1, kcred, NOPID);
- if (mp == NULL) {
- /* cmn_err(CE_WARN, */
- /* "sadb_t_bind_req(%d): couldn't allocate mblk\n", proto); */
- return (B_FALSE);
- }
- mp->b_datap->db_type = M_PCPROTO;
- tbr = (struct T_bind_req *)mp->b_rptr;
- mp->b_wptr += sizeof (struct T_bind_req);
- tbr->PRIM_type = T_BIND_REQ;
- tbr->ADDR_length = 0;
- tbr->ADDR_offset = 0;
- tbr->CONIND_number = 0;
- *mp->b_wptr = (uint8_t)proto;
- mp->b_wptr++;
-
- putnext(q, mp);
- return (B_TRUE);
-}
-
-/*
* Special front-end to ipsec_rl_strlog() dealing with SA failure.
* this is designed to take only a format string with "* %x * %s *", so
* that "spi" is printed first, then "addr" is converted using inet_pton().
@@ -6676,7 +6253,6 @@ ipsec_assocfailure(short mid, short sid, char level, ushort_t sl, char *fmt,
/*
* Fills in a reference to the policy, if any, from the conn, in *ppp
- * Releases a reference to the passed conn_t.
*/
static void
ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp)
@@ -6684,15 +6260,14 @@ ipsec_conn_pol(ipsec_selector_t *sel, conn_t *connp, ipsec_policy_t **ppp)
ipsec_policy_t *pp;
ipsec_latch_t *ipl = connp->conn_latch;
- if ((ipl != NULL) && (ipl->ipl_out_policy != NULL)) {
- pp = ipl->ipl_out_policy;
+ if ((ipl != NULL) && (connp->conn_ixa->ixa_ipsec_policy != NULL)) {
+ pp = connp->conn_ixa->ixa_ipsec_policy;
IPPOL_REFHOLD(pp);
} else {
- pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel,
+ pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, sel,
connp->conn_netstack);
}
*ppp = pp;
- CONN_DEC_REF(connp);
}
/*
@@ -6753,6 +6328,7 @@ ipsec_udp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst)
mutex_exit(&connfp->connf_lock);
ipsec_conn_pol(sel, connp, ppp);
+ CONN_DEC_REF(connp);
}
static conn_t *
@@ -6866,6 +6442,7 @@ ipsec_tcp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp, ip_stack_t *ipst)
}
ipsec_conn_pol(sel, connp, ppp);
+ CONN_DEC_REF(connp);
}
static void
@@ -6895,21 +6472,27 @@ ipsec_sctp_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
pptr[0] = sel->ips_remote_port;
pptr[1] = sel->ips_local_port;
+ /*
+ * For labeled systems, there's no need to check the
+ * label here. It's known to be good as we checked
+ * before allowing the connection to become bound.
+ */
if (sel->ips_isv4) {
in6_addr_t src, dst;
IN6_IPADDR_TO_V4MAPPED(sel->ips_remote_addr_v4, &dst);
IN6_IPADDR_TO_V4MAPPED(sel->ips_local_addr_v4, &src);
connp = sctp_find_conn(&dst, &src, ports, ALL_ZONES,
- ipst->ips_netstack->netstack_sctp);
+ 0, ipst->ips_netstack->netstack_sctp);
} else {
connp = sctp_find_conn(&sel->ips_remote_addr_v6,
&sel->ips_local_addr_v6, ports, ALL_ZONES,
- ipst->ips_netstack->netstack_sctp);
+ 0, ipst->ips_netstack->netstack_sctp);
}
if (connp == NULL)
return;
ipsec_conn_pol(sel, connp, ppp);
+ CONN_DEC_REF(connp);
}
/*
@@ -6985,7 +6568,7 @@ ipsec_get_inverse_acquire_sel(ipsec_selector_t *sel, sadb_address_t *srcext,
static int
ipsec_tun_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
sadb_address_t *innsrcext, sadb_address_t *inndstext, ipsec_tun_pol_t *itp,
- int *diagnostic, netstack_t *ns)
+ int *diagnostic)
{
int err;
ipsec_policy_head_t *polhead;
@@ -7045,8 +6628,7 @@ ipsec_tun_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
polhead = itp->itp_policy;
ASSERT(polhead != NULL);
rw_enter(&polhead->iph_lock, RW_READER);
- *ppp = ipsec_find_policy_head(NULL, polhead,
- IPSEC_TYPE_INBOUND, sel, ns);
+ *ppp = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_INBOUND, sel);
rw_exit(&polhead->iph_lock);
/*
@@ -7059,6 +6641,10 @@ ipsec_tun_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
return (0);
}
+/*
+ * For sctp conn_faddr is the primary address, hence this is of limited
+ * use for sctp.
+ */
static void
ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
ip_stack_t *ipst)
@@ -7068,7 +6654,7 @@ ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
conn_t *connp;
if (isv4) {
- connfp = &ipst->ips_ipcl_proto_fanout[sel->ips_protocol];
+ connfp = &ipst->ips_ipcl_proto_fanout_v4[sel->ips_protocol];
} else {
connfp = &ipst->ips_ipcl_proto_fanout_v6[sel->ips_protocol];
}
@@ -7076,17 +6662,20 @@ ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
mutex_enter(&connfp->connf_lock);
for (connp = connfp->connf_head; connp != NULL;
connp = connp->conn_next) {
- if (!((isv4 && !((connp->conn_src == 0 ||
- connp->conn_src == sel->ips_local_addr_v4) &&
- (connp->conn_rem == 0 ||
- connp->conn_rem == sel->ips_remote_addr_v4))) ||
- (!isv4 && !((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_srcv6) ||
- IN6_ARE_ADDR_EQUAL(&connp->conn_srcv6,
- &sel->ips_local_addr_v6)) &&
- (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_remv6) ||
- IN6_ARE_ADDR_EQUAL(&connp->conn_remv6,
- &sel->ips_remote_addr_v6)))))) {
- break;
+ if (isv4) {
+ if ((connp->conn_laddr_v4 == INADDR_ANY ||
+ connp->conn_laddr_v4 == sel->ips_local_addr_v4) &&
+ (connp->conn_faddr_v4 == INADDR_ANY ||
+ connp->conn_faddr_v4 == sel->ips_remote_addr_v4))
+ break;
+ } else {
+ if ((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6) ||
+ IN6_ARE_ADDR_EQUAL(&connp->conn_laddr_v6,
+ &sel->ips_local_addr_v6)) &&
+ (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) ||
+ IN6_ARE_ADDR_EQUAL(&connp->conn_faddr_v6,
+ &sel->ips_remote_addr_v6)))
+ break;
}
}
if (connp == NULL) {
@@ -7098,6 +6687,7 @@ ipsec_oth_pol(ipsec_selector_t *sel, ipsec_policy_t **ppp,
mutex_exit(&connfp->connf_lock);
ipsec_conn_pol(sel, connp, ppp);
+ CONN_DEC_REF(connp);
}
/*
@@ -7245,7 +6835,7 @@ ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[],
isel.ips_isv4 = (sel.ips_protocol == IPPROTO_ENCAP);
} /* Else isel is initialized by ipsec_tun_pol(). */
err = ipsec_tun_pol(&isel, &pp, innsrcext, inndstext, itp,
- &diagnostic, ns);
+ &diagnostic);
/*
* NOTE: isel isn't used for now, but in RFC 430x IPsec, it
* may be.
@@ -7263,8 +6853,7 @@ ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[],
* look in the global policy.
*/
if (pp == NULL) {
- pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, NULL, &sel,
- ns);
+ pp = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, NULL, &sel, ns);
if (pp == NULL) {
/* There's no global policy. */
err = ENOENT;
@@ -7282,7 +6871,7 @@ ipsec_construct_inverse_acquire(sadb_msg_t *samsg, sadb_ext_t *extv[],
(itp != NULL && (itp->itp_flags & ITPF_P_TUNNEL)),
samsg->sadb_msg_seq, samsg->sadb_msg_pid, sens, ns);
if (pp != NULL) {
- IPPOL_REFRELE(pp, ns);
+ IPPOL_REFRELE(pp);
}
ASSERT(err == 0 && diagnostic == 0);
if (retmp == NULL)
@@ -7306,37 +6895,49 @@ bail:
/*
* sadb_set_lpkt: Return TRUE if we can swap in a value to ipsa->ipsa_lpkt and
* freemsg the previous value. Return FALSE if we lost the race and the SA is
- * in a non-LARVAL state. free clue: ip_drop_packet(NULL) is safe.
+ * in a non-LARVAL state. We also return FALSE if we can't allocate the attrmp.
*/
boolean_t
-sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt, netstack_t *ns)
+sadb_set_lpkt(ipsa_t *ipsa, mblk_t *npkt, ip_recv_attr_t *ira)
{
- mblk_t *opkt;
+ mblk_t *opkt;
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
ipsec_stack_t *ipss = ns->netstack_ipsec;
boolean_t is_larval;
- /*
- * Check the packet's netstack id in case we go asynch with a
- * taskq_dispatch.
- */
- ASSERT(((ipsec_in_t *)npkt->b_rptr)->ipsec_in_type == IPSEC_IN);
- ASSERT(((ipsec_in_t *)npkt->b_rptr)->ipsec_in_stackid ==
- ns->netstack_stackid);
-
mutex_enter(&ipsa->ipsa_lock);
is_larval = (ipsa->ipsa_state == IPSA_STATE_LARVAL);
if (is_larval) {
- opkt = ipsa->ipsa_lpkt;
- ipsa->ipsa_lpkt = npkt;
+ mblk_t *attrmp;
+
+ attrmp = ip_recv_attr_to_mblk(ira);
+ if (attrmp == NULL) {
+ ill_t *ill = ira->ira_ill;
+
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", npkt, ill);
+ freemsg(npkt);
+ opkt = NULL;
+ is_larval = B_FALSE;
+ } else {
+ ASSERT(attrmp->b_cont == NULL);
+ attrmp->b_cont = npkt;
+ npkt = attrmp;
+ opkt = ipsa->ipsa_lpkt;
+ ipsa->ipsa_lpkt = npkt;
+ }
} else {
/* We lost the race. */
opkt = NULL;
}
mutex_exit(&ipsa->ipsa_lock);
- ip_drop_packet(opkt, B_TRUE, NULL, NULL,
- DROPPER(ipss, ipds_sadb_inlarval_replace),
- &ipss->ipsec_sadb_dropper);
+ if (opkt != NULL) {
+ opkt = ip_recv_attr_free_mblk(opkt);
+ ip_drop_packet(opkt, B_TRUE, ira->ira_ill,
+ DROPPER(ipss, ipds_sadb_inlarval_replace),
+ &ipss->ipsec_sadb_dropper);
+ }
return (is_larval);
}
@@ -7353,7 +6954,6 @@ sadb_clear_lpkt(ipsa_t *ipsa)
opkt = ipsa->ipsa_lpkt;
ipsa->ipsa_lpkt = NULL;
mutex_exit(&ipsa->ipsa_lock);
-
return (opkt);
}
@@ -7361,18 +6961,18 @@ sadb_clear_lpkt(ipsa_t *ipsa)
* Buffer a packet that's in IDLE state as set by Solaris Clustering.
*/
void
-sadb_buf_pkt(ipsa_t *ipsa, mblk_t *bpkt, netstack_t *ns)
+sadb_buf_pkt(ipsa_t *ipsa, mblk_t *bpkt, ip_recv_attr_t *ira)
{
+ netstack_t *ns = ira->ira_ill->ill_ipst->ips_netstack;
ipsec_stack_t *ipss = ns->netstack_ipsec;
- extern void (*cl_inet_idlesa)(netstackid_t, uint8_t, uint32_t,
- sa_family_t, in6_addr_t, in6_addr_t, void *);
in6_addr_t *srcaddr = (in6_addr_t *)(&ipsa->ipsa_srcaddr);
in6_addr_t *dstaddr = (in6_addr_t *)(&ipsa->ipsa_dstaddr);
+ mblk_t *mp;
ASSERT(ipsa->ipsa_state == IPSA_STATE_IDLE);
if (cl_inet_idlesa == NULL) {
- ip_drop_packet(bpkt, B_TRUE, NULL, NULL,
+ ip_drop_packet(bpkt, B_TRUE, ira->ira_ill,
DROPPER(ipss, ipds_sadb_inidle_overflow),
&ipss->ipsec_sadb_dropper);
return;
@@ -7382,13 +6982,14 @@ sadb_buf_pkt(ipsa_t *ipsa, mblk_t *bpkt, netstack_t *ns)
(ipsa->ipsa_type == SADB_SATYPE_AH) ? IPPROTO_AH : IPPROTO_ESP,
ipsa->ipsa_spi, ipsa->ipsa_addrfam, *srcaddr, *dstaddr, NULL);
- /*
- * Check the packet's netstack id in case we go asynch with a
- * taskq_dispatch.
- */
- ASSERT(((ipsec_in_t *)bpkt->b_rptr)->ipsec_in_type == IPSEC_IN);
- ASSERT(((ipsec_in_t *)bpkt->b_rptr)->ipsec_in_stackid ==
- ns->netstack_stackid);
+ mp = ip_recv_attr_to_mblk(ira);
+ if (mp == NULL) {
+ ip_drop_packet(bpkt, B_TRUE, ira->ira_ill,
+ DROPPER(ipss, ipds_sadb_inidle_overflow),
+ &ipss->ipsec_sadb_dropper);
+ return;
+ }
+ linkb(mp, bpkt);
mutex_enter(&ipsa->ipsa_lock);
ipsa->ipsa_mblkcnt++;
@@ -7399,16 +7000,17 @@ sadb_buf_pkt(ipsa_t *ipsa, mblk_t *bpkt, netstack_t *ns)
ipsa->ipsa_bpkt_tail = bpkt;
if (ipsa->ipsa_mblkcnt > SADB_MAX_IDLEPKTS) {
mblk_t *tmp;
+
tmp = ipsa->ipsa_bpkt_head;
ipsa->ipsa_bpkt_head = ipsa->ipsa_bpkt_head->b_next;
- ip_drop_packet(tmp, B_TRUE, NULL, NULL,
+ tmp = ip_recv_attr_free_mblk(tmp);
+ ip_drop_packet(tmp, B_TRUE, NULL,
DROPPER(ipss, ipds_sadb_inidle_overflow),
&ipss->ipsec_sadb_dropper);
ipsa->ipsa_mblkcnt --;
}
}
mutex_exit(&ipsa->ipsa_lock);
-
}
/*
@@ -7419,30 +7021,28 @@ void
sadb_clear_buf_pkt(void *ipkt)
{
mblk_t *tmp, *buf_pkt;
- netstack_t *ns;
- ipsec_in_t *ii;
+ ip_recv_attr_t iras;
buf_pkt = (mblk_t *)ipkt;
- ii = (ipsec_in_t *)buf_pkt->b_rptr;
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
- ns = netstack_find_by_stackid(ii->ipsec_in_stackid);
- if (ns != NULL && ns != ii->ipsec_in_ns) {
- netstack_rele(ns);
- ns = NULL; /* For while-loop below. */
- }
-
while (buf_pkt != NULL) {
+ mblk_t *data_mp;
+
tmp = buf_pkt->b_next;
buf_pkt->b_next = NULL;
- if (ns != NULL)
- ip_fanout_proto_again(buf_pkt, NULL, NULL, NULL);
- else
- freemsg(buf_pkt);
+
+ data_mp = buf_pkt->b_cont;
+ buf_pkt->b_cont = NULL;
+ if (!ip_recv_attr_from_mblk(buf_pkt, &iras)) {
+ /* The ill or ip_stack_t disappeared on us. */
+ ip_drop_input("ip_recv_attr_from_mblk", data_mp, NULL);
+ freemsg(data_mp);
+ } else {
+ ip_input_post_ipsec(data_mp, &iras);
+ }
+ ira_cleanup(&iras, B_TRUE);
buf_pkt = tmp;
}
- if (ns != NULL)
- netstack_rele(ns);
}
/*
* Walker callback used by sadb_alg_update() to free/create crypto
@@ -7454,6 +7054,8 @@ struct sadb_update_alg_state {
ipsec_algtype_t alg_type;
uint8_t alg_id;
boolean_t is_added;
+ boolean_t async_auth;
+ boolean_t async_encr;
};
static void
@@ -7470,6 +7072,15 @@ sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie)
mutex_enter(&entry->ipsa_lock);
+ if ((entry->ipsa_encr_alg != SADB_EALG_NONE && entry->ipsa_encr_alg !=
+ SADB_EALG_NULL && update_state->async_encr) ||
+ (entry->ipsa_auth_alg != SADB_AALG_NONE &&
+ update_state->async_auth)) {
+ entry->ipsa_flags |= IPSA_F_ASYNC;
+ } else {
+ entry->ipsa_flags &= ~IPSA_F_ASYNC;
+ }
+
switch (update_state->alg_type) {
case IPSEC_ALG_AUTH:
if (entry->ipsa_auth_alg == update_state->alg_id)
@@ -7511,8 +7122,11 @@ sadb_alg_update_cb(isaf_t *head, ipsa_t *entry, void *cookie)
}
/*
- * Invoked by IP when an software crypto provider has been updated.
- * The type and id of the corresponding algorithm is passed as argument.
+ * Invoked by IP when an software crypto provider has been updated, or if
+ * the crypto synchrony changes. The type and id of the corresponding
+ * algorithm is passed as argument. The type is set to ALL in the case of
+ * a synchrony change.
+ *
* is_added is B_TRUE if the provider was added, B_FALSE if it was
* removed. The function updates the SADB and free/creates the
* context templates associated with SAs if needed.
@@ -7529,12 +7143,17 @@ sadb_alg_update(ipsec_algtype_t alg_type, uint8_t alg_id, boolean_t is_added,
struct sadb_update_alg_state update_state;
ipsecah_stack_t *ahstack = ns->netstack_ipsecah;
ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
update_state.alg_type = alg_type;
update_state.alg_id = alg_id;
update_state.is_added = is_added;
+ update_state.async_auth = ipss->ipsec_algs_exec_mode[IPSEC_ALG_AUTH] ==
+ IPSEC_ALGS_EXEC_ASYNC;
+ update_state.async_encr = ipss->ipsec_algs_exec_mode[IPSEC_ALG_ENCR] ==
+ IPSEC_ALGS_EXEC_ASYNC;
- if (alg_type == IPSEC_ALG_AUTH) {
+ if (alg_type == IPSEC_ALG_AUTH || alg_type == IPSEC_ALG_ALL) {
/* walk the AH tables only for auth. algorithm changes */
SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_of);
SADB_ALG_UPDATE_WALK(ahstack->ah_sadb.s_v4, sdb_if);
@@ -7693,15 +7312,15 @@ ipsec_check_key(crypto_mech_type_t mech_type, sadb_key_t *sadb_key,
*
* This is inelegant and really could use refactoring.
*/
-int
-sadb_whack_label(mblk_t **mpp, ipsa_t *assoc)
+mblk_t *
+sadb_whack_label_v4(mblk_t *mp, ipsa_t *assoc, kstat_named_t *counter,
+ ipdropper_t *dropper)
{
int delta;
int plen;
dblk_t *db;
int hlen;
uint8_t *opt_storage = assoc->ipsa_opt_storage;
- mblk_t *mp = *mpp;
ipha_t *ipha = (ipha_t *)mp->b_rptr;
plen = ntohs(ipha->ipha_length);
@@ -7731,8 +7350,10 @@ sadb_whack_label(mblk_t **mpp, ipsa_t *assoc)
new_mp = allocb_tmpl(hlen + copylen +
(mp->b_rptr - mp->b_datap->db_base), mp);
- if (new_mp == NULL)
- return (ENOMEM);
+ if (new_mp == NULL) {
+ ip_drop_packet(mp, B_FALSE, NULL, counter, dropper);
+ return (NULL);
+ }
/* keep the bias */
new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base;
@@ -7743,7 +7364,7 @@ sadb_whack_label(mblk_t **mpp, ipsa_t *assoc)
new_mp->b_cont = mp->b_cont;
freeb(mp);
}
- *mpp = mp = new_mp;
+ mp = new_mp;
ipha = (ipha_t *)mp->b_rptr;
}
@@ -7768,11 +7389,12 @@ sadb_whack_label(mblk_t **mpp, ipsa_t *assoc)
ipha->ipha_length = htons(plen);
- return (0);
+ return (mp);
}
-int
-sadb_whack_label_v6(mblk_t **mpp, ipsa_t *assoc)
+mblk_t *
+sadb_whack_label_v6(mblk_t *mp, ipsa_t *assoc, kstat_named_t *counter,
+ ipdropper_t *dropper)
{
int delta;
int plen;
@@ -7780,7 +7402,6 @@ sadb_whack_label_v6(mblk_t **mpp, ipsa_t *assoc)
int hlen;
uint8_t *opt_storage = assoc->ipsa_opt_storage;
uint_t sec_opt_len; /* label option length not including type, len */
- mblk_t *mp = *mpp;
ip6_t *ip6h = (ip6_t *)mp->b_rptr;
plen = ntohs(ip6h->ip6_plen);
@@ -7818,8 +7439,10 @@ sadb_whack_label_v6(mblk_t **mpp, ipsa_t *assoc)
copylen = hdr_len;
new_mp = allocb_tmpl(hlen + copylen +
(mp->b_rptr - mp->b_datap->db_base), mp);
- if (new_mp == NULL)
- return (ENOMEM);
+ if (new_mp == NULL) {
+ ip_drop_packet(mp, B_FALSE, NULL, counter, dropper);
+ return (NULL);
+ }
/* keep the bias */
new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base;
@@ -7830,7 +7453,7 @@ sadb_whack_label_v6(mblk_t **mpp, ipsa_t *assoc)
new_mp->b_cont = mp->b_cont;
freeb(mp);
}
- *mpp = mp = new_mp;
+ mp = new_mp;
ip6h = (ip6_t *)mp->b_rptr;
}
@@ -7856,10 +7479,46 @@ sadb_whack_label_v6(mblk_t **mpp, ipsa_t *assoc)
ip6h->ip6_plen = htons(plen);
- return (0);
+ return (mp);
}
+/* Whack the labels and update ip_xmit_attr_t as needed */
+mblk_t *
+sadb_whack_label(mblk_t *mp, ipsa_t *assoc, ip_xmit_attr_t *ixa,
+ kstat_named_t *counter, ipdropper_t *dropper)
+{
+ int adjust;
+ int iplen;
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
+ iplen = ntohs(ipha->ipha_length);
+ mp = sadb_whack_label_v4(mp, assoc, counter, dropper);
+ if (mp == NULL)
+ return (NULL);
+
+ ipha = (ipha_t *)mp->b_rptr;
+ ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
+ adjust = (int)ntohs(ipha->ipha_length) - iplen;
+ } else {
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+
+ ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
+ iplen = ntohs(ip6h->ip6_plen);
+ mp = sadb_whack_label_v6(mp, assoc, counter, dropper);
+ if (mp == NULL)
+ return (NULL);
+
+ ip6h = (ip6_t *)mp->b_rptr;
+ ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
+ adjust = (int)ntohs(ip6h->ip6_plen) - iplen;
+ }
+ ixa->ixa_pktlen += adjust;
+ ixa->ixa_ip_hdr_length += adjust;
+ return (mp);
+}
/*
* If this is an outgoing SA then add some fuzz to the
@@ -7969,7 +7628,7 @@ age_pair_peer_list(templist_t *haspeerlist, sadb_t *sp, boolean_t outbound)
*((ipaddr_t *)&dying->
ipsa_srcaddr));
}
- bucket = &(sp->sdb_of[outhash]);
+ bucket = &(sp->sdb_of[outhash]);
}
mutex_enter(&bucket->isaf_lock);
diff --git a/usr/src/uts/common/inet/ip/spd.c b/usr/src/uts/common/inet/ip/spd.c
index 37a9f47432..e6903cefc2 100644
--- a/usr/src/uts/common/inet/ip/spd.c
+++ b/usr/src/uts/common/inet/ip/spd.c
@@ -37,6 +37,7 @@
#include <sys/strsubr.h>
#include <sys/strsun.h>
#include <sys/strlog.h>
+#include <sys/strsun.h>
#include <sys/cmn_err.h>
#include <sys/zone.h>
@@ -59,7 +60,6 @@
#include <net/pfkeyv2.h>
#include <net/pfpolicy.h>
-#include <inet/ipsec_info.h>
#include <inet/sadb.h>
#include <inet/ipsec_impl.h>
@@ -75,16 +75,8 @@
static void ipsec_update_present_flags(ipsec_stack_t *);
static ipsec_act_t *ipsec_act_wildcard_expand(ipsec_act_t *, uint_t *,
netstack_t *);
-static void ipsec_out_free(void *);
-static void ipsec_in_free(void *);
-static mblk_t *ipsec_attach_global_policy(mblk_t **, conn_t *,
- ipsec_selector_t *, netstack_t *);
-static mblk_t *ipsec_apply_global_policy(mblk_t *, conn_t *,
- ipsec_selector_t *, netstack_t *);
static mblk_t *ipsec_check_ipsecin_policy(mblk_t *, ipsec_policy_t *,
- ipha_t *, ip6_t *, uint64_t, netstack_t *);
-static void ipsec_in_release_refs(ipsec_in_t *);
-static void ipsec_out_release_refs(ipsec_out_t *);
+ ipha_t *, ip6_t *, uint64_t, ip_recv_attr_t *, netstack_t *);
static void ipsec_action_free_table(ipsec_action_t *);
static void ipsec_action_reclaim(void *);
static void ipsec_action_reclaim_stack(netstack_t *);
@@ -105,9 +97,9 @@ typedef enum { SELRET_NOMEM, SELRET_BADPKT, SELRET_SUCCESS, SELRET_TUNFRAG}
static selret_t ipsec_init_inbound_sel(ipsec_selector_t *, mblk_t *,
ipha_t *, ip6_t *, uint8_t);
-static boolean_t ipsec_check_ipsecin_action(struct ipsec_in_s *, mblk_t *,
+static boolean_t ipsec_check_ipsecin_action(ip_recv_attr_t *, mblk_t *,
struct ipsec_action_s *, ipha_t *ipha, ip6_t *ip6h, const char **,
- kstat_named_t **);
+ kstat_named_t **, netstack_t *);
static void ipsec_unregister_prov_update(void);
static void ipsec_prov_update_callback_stack(uint32_t, void *, netstack_t *);
static boolean_t ipsec_compare_action(ipsec_policy_t *, ipsec_policy_t *);
@@ -117,15 +109,13 @@ static void ipsec_kstat_destroy(ipsec_stack_t *);
static int ipsec_free_tables(ipsec_stack_t *);
static int tunnel_compare(const void *, const void *);
static void ipsec_freemsg_chain(mblk_t *);
-static void ip_drop_packet_chain(mblk_t *, boolean_t, ill_t *, ire_t *,
+static void ip_drop_packet_chain(mblk_t *, boolean_t, ill_t *,
struct kstat_named *, ipdropper_t *);
static boolean_t ipsec_kstat_init(ipsec_stack_t *);
static void ipsec_kstat_destroy(ipsec_stack_t *);
static int ipsec_free_tables(ipsec_stack_t *);
static int tunnel_compare(const void *, const void *);
static void ipsec_freemsg_chain(mblk_t *);
-static void ip_drop_packet_chain(mblk_t *, boolean_t, ill_t *, ire_t *,
- struct kstat_named *, ipdropper_t *);
/*
* Selector hash table is statically sized at module load time.
@@ -150,16 +140,15 @@ static crypto_notify_handle_t prov_update_handle = NULL;
static kmem_cache_t *ipsec_action_cache;
static kmem_cache_t *ipsec_sel_cache;
static kmem_cache_t *ipsec_pol_cache;
-static kmem_cache_t *ipsec_info_cache;
/* Frag cache prototypes */
-static void ipsec_fragcache_clean(ipsec_fragcache_t *);
+static void ipsec_fragcache_clean(ipsec_fragcache_t *, ipsec_stack_t *);
static ipsec_fragcache_entry_t *fragcache_delentry(int,
- ipsec_fragcache_entry_t *, ipsec_fragcache_t *);
+ ipsec_fragcache_entry_t *, ipsec_fragcache_t *, ipsec_stack_t *);
boolean_t ipsec_fragcache_init(ipsec_fragcache_t *);
-void ipsec_fragcache_uninit(ipsec_fragcache_t *);
-mblk_t *ipsec_fragcache_add(ipsec_fragcache_t *, mblk_t *, mblk_t *, int,
- ipsec_stack_t *);
+void ipsec_fragcache_uninit(ipsec_fragcache_t *, ipsec_stack_t *ipss);
+mblk_t *ipsec_fragcache_add(ipsec_fragcache_t *, mblk_t *, mblk_t *,
+ int, ipsec_stack_t *);
int ipsec_hdr_pullup_needed = 0;
int ipsec_weird_null_inbound_policy = 0;
@@ -240,23 +229,28 @@ ipsec_freemsg_chain(mblk_t *mp)
ASSERT(mp->b_prev == NULL);
mpnext = mp->b_next;
mp->b_next = NULL;
- freemsg(mp); /* Always works, even if NULL */
+ freemsg(mp);
mp = mpnext;
}
}
-/* ip_drop all messages in an mblk chain */
+/*
+ * ip_drop all messages in an mblk chain
+ * Can handle a b_next chain of ip_recv_attr_t mblks, or just a b_next chain
+ * of data.
+ */
static void
-ip_drop_packet_chain(mblk_t *mp, boolean_t inbound, ill_t *arriving,
- ire_t *outbound_ire, struct kstat_named *counter, ipdropper_t *who_called)
+ip_drop_packet_chain(mblk_t *mp, boolean_t inbound, ill_t *ill,
+ struct kstat_named *counter, ipdropper_t *who_called)
{
mblk_t *mpnext;
while (mp != NULL) {
ASSERT(mp->b_prev == NULL);
mpnext = mp->b_next;
mp->b_next = NULL;
- ip_drop_packet(mp, inbound, arriving, outbound_ire, counter,
- who_called);
+ if (ip_recv_attr_is_mblk(mp))
+ mp = ip_recv_attr_free_mblk(mp);
+ ip_drop_packet(mp, inbound, ill, counter, who_called);
mp = mpnext;
}
}
@@ -287,7 +281,7 @@ ipsec_policy_cmpbyid(const void *a, const void *b)
* ipsl_sel (selector set), so an entry with a NULL ipsp_sel is not
* actually in-tree but rather a template node being used in
* an avl_find query; see ipsec_policy_delete(). This gives us
- * a placeholder in the ordering just before the the first entry with
+ * a placeholder in the ordering just before the first entry with
* a key >= the one we're looking for, so we can walk forward from
* that point to get the remaining entries with the same id.
*/
@@ -443,7 +437,6 @@ ipsec_policy_g_destroy(void)
kmem_cache_destroy(ipsec_action_cache);
kmem_cache_destroy(ipsec_sel_cache);
kmem_cache_destroy(ipsec_pol_cache);
- kmem_cache_destroy(ipsec_info_cache);
ipsec_unregister_prov_update();
@@ -693,9 +686,6 @@ ipsec_policy_g_init(void)
ipsec_pol_cache = kmem_cache_create("ipsec_policy",
sizeof (ipsec_policy_t), _POINTER_ALIGNMENT, NULL, NULL,
NULL, NULL, NULL, 0);
- ipsec_info_cache = kmem_cache_create("ipsec_info",
- sizeof (ipsec_info_t), _POINTER_ALIGNMENT, NULL, NULL,
- NULL, NULL, NULL, 0);
/*
* We want to be informed each time a stack is created or
@@ -920,6 +910,7 @@ ipsec_copy_policy(const ipsec_policy_t *src)
src->ipsp_sel->ipsl_refs++;
HASH_NULL(dst, ipsp_hash);
+ dst->ipsp_netstack = src->ipsp_netstack;
dst->ipsp_refs = 1;
dst->ipsp_sel = src->ipsp_sel;
dst->ipsp_act = src->ipsp_act;
@@ -1469,7 +1460,7 @@ ipsec_req_from_conn(conn_t *connp, ipsec_req_t *req, int af)
bzero(req, sizeof (*req));
- mutex_enter(&connp->conn_lock);
+ ASSERT(MUTEX_HELD(&connp->conn_lock));
ipl = connp->conn_latch;
/*
@@ -1478,20 +1469,20 @@ ipsec_req_from_conn(conn_t *connp, ipsec_req_t *req, int af)
* look at configured policy.
*/
if (ipl != NULL) {
- if (ipl->ipl_in_action != NULL) {
- rv = ipsec_req_from_act(ipl->ipl_in_action, req);
+ if (connp->conn_latch_in_action != NULL) {
+ rv = ipsec_req_from_act(connp->conn_latch_in_action,
+ req);
goto done;
}
- if (ipl->ipl_in_policy != NULL) {
- rv = ipsec_req_from_act(ipl->ipl_in_policy->ipsp_act,
- req);
+ if (connp->conn_latch_in_policy != NULL) {
+ rv = ipsec_req_from_act(
+ connp->conn_latch_in_policy->ipsp_act, req);
goto done;
}
}
if (connp->conn_policy != NULL)
rv = ipsec_req_from_head(connp->conn_policy, req, af);
done:
- mutex_exit(&connp->conn_lock);
return (rv);
}
@@ -1502,66 +1493,18 @@ ipsec_actvec_free(ipsec_act_t *act, uint_t nact)
}
/*
- * When outbound policy is not cached, look it up the hard way and attach
- * an ipsec_out_t to the packet..
- */
-static mblk_t *
-ipsec_attach_global_policy(mblk_t **mp, conn_t *connp, ipsec_selector_t *sel,
- netstack_t *ns)
-{
- ipsec_policy_t *p;
-
- p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, sel, ns);
-
- if (p == NULL)
- return (NULL);
- return (ipsec_attach_ipsec_out(mp, connp, p, sel->ips_protocol, ns));
-}
-
-/*
- * We have an ipsec_out already, but don't have cached policy; fill it in
- * with the right actions.
- */
-static mblk_t *
-ipsec_apply_global_policy(mblk_t *ipsec_mp, conn_t *connp,
- ipsec_selector_t *sel, netstack_t *ns)
-{
- ipsec_out_t *io;
- ipsec_policy_t *p;
-
- ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
- ASSERT(ipsec_mp->b_cont->b_datap->db_type == M_DATA);
-
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
-
- if (io->ipsec_out_policy == NULL) {
- p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, io, sel, ns);
- io->ipsec_out_policy = p;
- }
- return (ipsec_mp);
-}
-
-
-/*
* Consumes a reference to ipsp.
*/
static mblk_t *
-ipsec_check_loopback_policy(mblk_t *first_mp, boolean_t mctl_present,
+ipsec_check_loopback_policy(mblk_t *data_mp, ip_recv_attr_t *ira,
ipsec_policy_t *ipsp)
{
- mblk_t *ipsec_mp;
- ipsec_in_t *ii;
- netstack_t *ns;
-
- if (!mctl_present)
- return (first_mp);
+ if (!(ira->ira_flags & IRAF_IPSEC_SECURE))
+ return (data_mp);
- ipsec_mp = first_mp;
+ ASSERT(ira->ira_flags & IRAF_LOOPBACK);
- ii = (ipsec_in_t *)ipsec_mp->b_rptr;
- ns = ii->ipsec_in_ns;
- ASSERT(ii->ipsec_in_loopback);
- IPPOL_REFRELE(ipsp, ns);
+ IPPOL_REFRELE(ipsp);
/*
* We should do an actual policy check here. Revisit this
@@ -1569,7 +1512,7 @@ ipsec_check_loopback_policy(mblk_t *first_mp, boolean_t mctl_present,
* get there.)
*/
- return (first_mp);
+ return (data_mp);
}
/*
@@ -1577,20 +1520,19 @@ ipsec_check_loopback_policy(mblk_t *first_mp, boolean_t mctl_present,
* expected by the SAs it traversed on the way in.
*/
static boolean_t
-ipsec_check_ipsecin_unique(ipsec_in_t *ii, const char **reason,
- kstat_named_t **counter, uint64_t pkt_unique)
+ipsec_check_ipsecin_unique(ip_recv_attr_t *ira, const char **reason,
+ kstat_named_t **counter, uint64_t pkt_unique, netstack_t *ns)
{
uint64_t ah_mask, esp_mask;
ipsa_t *ah_assoc;
ipsa_t *esp_assoc;
- netstack_t *ns = ii->ipsec_in_ns;
ipsec_stack_t *ipss = ns->netstack_ipsec;
- ASSERT(ii->ipsec_in_secure);
- ASSERT(!ii->ipsec_in_loopback);
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
+ ASSERT(!(ira->ira_flags & IRAF_LOOPBACK));
- ah_assoc = ii->ipsec_in_ah_sa;
- esp_assoc = ii->ipsec_in_esp_sa;
+ ah_assoc = ira->ira_ipsec_ah_sa;
+ esp_assoc = ira->ira_ipsec_esp_sa;
ASSERT((ah_assoc != NULL) || (esp_assoc != NULL));
ah_mask = (ah_assoc != NULL) ? ah_assoc->ipsa_unique_mask : 0;
@@ -1621,30 +1563,30 @@ ipsec_check_ipsecin_unique(ipsec_in_t *ii, const char **reason,
}
static boolean_t
-ipsec_check_ipsecin_action(ipsec_in_t *ii, mblk_t *mp, ipsec_action_t *ap,
- ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter)
+ipsec_check_ipsecin_action(ip_recv_attr_t *ira, mblk_t *mp, ipsec_action_t *ap,
+ ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter,
+ netstack_t *ns)
{
boolean_t ret = B_TRUE;
ipsec_prot_t *ipp;
ipsa_t *ah_assoc;
ipsa_t *esp_assoc;
boolean_t decaps;
- netstack_t *ns = ii->ipsec_in_ns;
ipsec_stack_t *ipss = ns->netstack_ipsec;
ASSERT((ipha == NULL && ip6h != NULL) ||
(ip6h == NULL && ipha != NULL));
- if (ii->ipsec_in_loopback) {
+ if (ira->ira_flags & IRAF_LOOPBACK) {
/*
* Besides accepting pointer-equivalent actions, we also
* accept any ICMP errors we generated for ourselves,
* regardless of policy. If we do not wish to make this
* assumption in the future, check here, and where
- * icmp_loopback is initialized in ip.c and ip6.c. (Look for
- * ipsec_out_icmp_loopback.)
+ * IXAF_TRUSTED_ICMP is initialized in ip.c and ip6.c.
*/
- if (ap == ii->ipsec_in_action || ii->ipsec_in_icmp_loopback)
+ if (ap == ira->ira_ipsec_action ||
+ (ira->ira_flags & IRAF_TRUSTED_ICMP))
return (B_TRUE);
/* Deep compare necessary here?? */
@@ -1652,12 +1594,13 @@ ipsec_check_ipsecin_action(ipsec_in_t *ii, mblk_t *mp, ipsec_action_t *ap,
*reason = "loopback policy mismatch";
return (B_FALSE);
}
- ASSERT(!ii->ipsec_in_icmp_loopback);
+ ASSERT(!(ira->ira_flags & IRAF_TRUSTED_ICMP));
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
- ah_assoc = ii->ipsec_in_ah_sa;
- esp_assoc = ii->ipsec_in_esp_sa;
+ ah_assoc = ira->ira_ipsec_ah_sa;
+ esp_assoc = ira->ira_ipsec_esp_sa;
- decaps = ii->ipsec_in_decaps;
+ decaps = (ira->ira_flags & IRAF_IPSEC_DECAPS);
switch (ap->ipa_act.ipa_type) {
case IPSEC_ACT_DISCARD:
@@ -1744,10 +1687,10 @@ ipsec_check_ipsecin_action(ipsec_in_t *ii, mblk_t *mp, ipsec_action_t *ap,
}
}
} else if (esp_assoc != NULL) {
- /*
- * Don't allow this. Check IPSEC NOTE above
- * ip_fanout_proto().
- */
+ /*
+ * Don't allow this. Check IPSEC NOTE above
+ * ip_fanout_proto().
+ */
*counter = DROPPER(ipss, ipds_spd_got_esp);
*reason = "unexpected ESP";
ret = B_FALSE;
@@ -1777,17 +1720,18 @@ ipsec_check_ipsecin_action(ipsec_in_t *ii, mblk_t *mp, ipsec_action_t *ap,
ret = B_FALSE;
break;
}
- if (ii->ipsec_in_action != NULL) {
+ if (ira->ira_ipsec_action != NULL) {
/*
* This can happen if we do a double policy-check on
* a packet
* XXX XXX should fix this case!
*/
- IPACT_REFRELE(ii->ipsec_in_action);
+ IPACT_REFRELE(ira->ira_ipsec_action);
}
- ASSERT(ii->ipsec_in_action == NULL);
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
+ ASSERT(ira->ira_ipsec_action == NULL);
IPACT_REFHOLD(ap);
- ii->ipsec_in_action = ap;
+ ira->ira_ipsec_action = ap;
break; /* from switch */
}
return (ret);
@@ -1818,9 +1762,9 @@ static uint64_t
conn_to_unique(conn_t *connp, mblk_t *data_mp, ipha_t *ipha, ip6_t *ip6h)
{
ipsec_selector_t sel;
- uint8_t ulp = connp->conn_ulp;
+ uint8_t ulp = connp->conn_proto;
- ASSERT(connp->conn_latch->ipl_in_policy != NULL);
+ ASSERT(connp->conn_latch_in_policy != NULL);
if ((ulp == IPPROTO_TCP || ulp == IPPROTO_UDP || ulp == IPPROTO_SCTP) &&
(connp->conn_fport == 0 || connp->conn_lport == 0)) {
@@ -1839,46 +1783,51 @@ conn_to_unique(conn_t *connp, mblk_t *data_mp, ipha_t *ipha, ip6_t *ip6h)
SELRET_SUCCESS) {
ASSERT(sel.ips_local_port == connp->conn_lport);
ASSERT(sel.ips_remote_port == connp->conn_fport);
- ASSERT(sel.ips_protocol == connp->conn_ulp);
+ ASSERT(sel.ips_protocol == connp->conn_proto);
}
- ASSERT(connp->conn_ulp != 0);
+ ASSERT(connp->conn_proto != 0);
#endif
return (SA_UNIQUE_ID(connp->conn_fport, connp->conn_lport, ulp, 0));
}
/*
- * Called to check policy on a latched connection, both from this file
- * and from tcp.c
+ * Called to check policy on a latched connection.
+ * Note that we don't dereference conn_latch or conn_ihere since the conn might
+ * be closing. The caller passes a held ipsec_latch_t instead.
*/
-boolean_t
-ipsec_check_ipsecin_latch(ipsec_in_t *ii, mblk_t *mp, ipsec_latch_t *ipl,
- ipha_t *ipha, ip6_t *ip6h, const char **reason, kstat_named_t **counter,
- conn_t *connp)
+static boolean_t
+ipsec_check_ipsecin_latch(ip_recv_attr_t *ira, mblk_t *mp, ipsec_latch_t *ipl,
+ ipsec_action_t *ap, ipha_t *ipha, ip6_t *ip6h, const char **reason,
+ kstat_named_t **counter, conn_t *connp, netstack_t *ns)
{
- netstack_t *ns = ii->ipsec_in_ns;
ipsec_stack_t *ipss = ns->netstack_ipsec;
ASSERT(ipl->ipl_ids_latched == B_TRUE);
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
- if (!ii->ipsec_in_loopback) {
+ if (!(ira->ira_flags & IRAF_LOOPBACK)) {
/*
* Over loopback, there aren't real security associations,
* so there are neither identities nor "unique" values
* for us to check the packet against.
*/
- if ((ii->ipsec_in_ah_sa != NULL) &&
- (!spd_match_inbound_ids(ipl, ii->ipsec_in_ah_sa))) {
- *counter = DROPPER(ipss, ipds_spd_ah_badid);
- *reason = "AH identity mismatch";
- return (B_FALSE);
+ if (ira->ira_ipsec_ah_sa != NULL) {
+ if (!spd_match_inbound_ids(ipl,
+ ira->ira_ipsec_ah_sa)) {
+ *counter = DROPPER(ipss, ipds_spd_ah_badid);
+ *reason = "AH identity mismatch";
+ return (B_FALSE);
+ }
}
- if ((ii->ipsec_in_esp_sa != NULL) &&
- (!spd_match_inbound_ids(ipl, ii->ipsec_in_esp_sa))) {
- *counter = DROPPER(ipss, ipds_spd_esp_badid);
- *reason = "ESP identity mismatch";
- return (B_FALSE);
+ if (ira->ira_ipsec_esp_sa != NULL) {
+ if (!spd_match_inbound_ids(ipl,
+ ira->ira_ipsec_esp_sa)) {
+ *counter = DROPPER(ipss, ipds_spd_esp_badid);
+ *reason = "ESP identity mismatch";
+ return (B_FALSE);
+ }
}
/*
@@ -1886,14 +1835,13 @@ ipsec_check_ipsecin_latch(ipsec_in_t *ii, mblk_t *mp, ipsec_latch_t *ipl,
* In DEBUG kernels (see conn_to_unique()'s implementation),
* verify this even if it REALLY slows things down.
*/
- if (!ipsec_check_ipsecin_unique(ii, reason, counter,
- conn_to_unique(connp, mp, ipha, ip6h))) {
+ if (!ipsec_check_ipsecin_unique(ira, reason, counter,
+ conn_to_unique(connp, mp, ipha, ip6h), ns)) {
return (B_FALSE);
}
}
-
- return (ipsec_check_ipsecin_action(ii, mp, ipl->ipl_in_action,
- ipha, ip6h, reason, counter));
+ return (ipsec_check_ipsecin_action(ira, mp, ap, ipha, ip6h, reason,
+ counter, ns));
}
/*
@@ -1903,52 +1851,48 @@ ipsec_check_ipsecin_latch(ipsec_in_t *ii, mblk_t *mp, ipsec_latch_t *ipl,
* Called from ipsec_check_global_policy, and ipsec_check_inbound_policy.
*
* Consumes a reference to ipsp.
+ * Returns the mblk if ok.
*/
static mblk_t *
-ipsec_check_ipsecin_policy(mblk_t *first_mp, ipsec_policy_t *ipsp,
- ipha_t *ipha, ip6_t *ip6h, uint64_t pkt_unique, netstack_t *ns)
+ipsec_check_ipsecin_policy(mblk_t *data_mp, ipsec_policy_t *ipsp,
+ ipha_t *ipha, ip6_t *ip6h, uint64_t pkt_unique, ip_recv_attr_t *ira,
+ netstack_t *ns)
{
- ipsec_in_t *ii;
ipsec_action_t *ap;
const char *reason = "no policy actions found";
- mblk_t *data_mp, *ipsec_mp;
- ipsec_stack_t *ipss = ns->netstack_ipsec;
ip_stack_t *ipst = ns->netstack_ip;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
kstat_named_t *counter;
counter = DROPPER(ipss, ipds_spd_got_secure);
- data_mp = first_mp->b_cont;
- ipsec_mp = first_mp;
-
ASSERT(ipsp != NULL);
ASSERT((ipha == NULL && ip6h != NULL) ||
(ip6h == NULL && ipha != NULL));
- ii = (ipsec_in_t *)ipsec_mp->b_rptr;
+ if (ira->ira_flags & IRAF_LOOPBACK)
+ return (ipsec_check_loopback_policy(data_mp, ira, ipsp));
- if (ii->ipsec_in_loopback)
- return (ipsec_check_loopback_policy(first_mp, B_TRUE, ipsp));
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
- ASSERT(ii->ipsec_in_secure);
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
- if (ii->ipsec_in_action != NULL) {
+ if (ira->ira_ipsec_action != NULL) {
/*
* this can happen if we do a double policy-check on a packet
* Would be nice to be able to delete this test..
*/
- IPACT_REFRELE(ii->ipsec_in_action);
+ IPACT_REFRELE(ira->ira_ipsec_action);
}
- ASSERT(ii->ipsec_in_action == NULL);
+ ASSERT(ira->ira_ipsec_action == NULL);
- if (!SA_IDS_MATCH(ii->ipsec_in_ah_sa, ii->ipsec_in_esp_sa)) {
+ if (!SA_IDS_MATCH(ira->ira_ipsec_ah_sa, ira->ira_ipsec_esp_sa)) {
reason = "inbound AH and ESP identities differ";
counter = DROPPER(ipss, ipds_spd_ahesp_diffid);
goto drop;
}
- if (!ipsec_check_ipsecin_unique(ii, &reason, &counter, pkt_unique))
+ if (!ipsec_check_ipsecin_unique(ira, &reason, &counter, pkt_unique,
+ ns))
goto drop;
/*
@@ -1957,21 +1901,21 @@ ipsec_check_ipsecin_policy(mblk_t *first_mp, ipsec_policy_t *ipsp,
*/
for (ap = ipsp->ipsp_act; ap != NULL; ap = ap->ipa_next) {
- if (ipsec_check_ipsecin_action(ii, data_mp, ap,
- ipha, ip6h, &reason, &counter)) {
+ if (ipsec_check_ipsecin_action(ira, data_mp, ap,
+ ipha, ip6h, &reason, &counter, ns)) {
BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
- IPPOL_REFRELE(ipsp, ns);
- return (first_mp);
+ IPPOL_REFRELE(ipsp);
+ return (data_mp);
}
}
drop:
ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
"ipsec inbound policy mismatch: %s, packet dropped\n",
reason);
- IPPOL_REFRELE(ipsp, ns);
- ASSERT(ii->ipsec_in_action == NULL);
+ IPPOL_REFRELE(ipsp);
+ ASSERT(ira->ira_ipsec_action == NULL);
BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
- ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter,
+ ip_drop_packet(data_mp, B_TRUE, NULL, counter,
&ipss->ipsec_spd_dropper);
return (NULL);
}
@@ -2075,7 +2019,7 @@ ipsec_find_policy_chain(ipsec_policy_t *best, ipsec_policy_t *chain,
*/
ipsec_policy_t *
ipsec_find_policy_head(ipsec_policy_t *best, ipsec_policy_head_t *head,
- int direction, ipsec_selector_t *sel, netstack_t *ns)
+ int direction, ipsec_selector_t *sel)
{
ipsec_policy_t *curbest;
ipsec_policy_root_t *root;
@@ -2121,7 +2065,7 @@ ipsec_find_policy_head(ipsec_policy_t *best, ipsec_policy_head_t *head,
IPPOL_REFHOLD(curbest);
if (best != NULL) {
- IPPOL_REFRELE(best, ns);
+ IPPOL_REFRELE(best);
}
}
@@ -2139,20 +2083,17 @@ ipsec_find_policy_head(ipsec_policy_t *best, ipsec_policy_head_t *head,
* reference when done.
*/
ipsec_policy_t *
-ipsec_find_policy(int direction, conn_t *connp, ipsec_out_t *io,
- ipsec_selector_t *sel, netstack_t *ns)
+ipsec_find_policy(int direction, const conn_t *connp, ipsec_selector_t *sel,
+ netstack_t *ns)
{
ipsec_policy_t *p;
ipsec_stack_t *ipss = ns->netstack_ipsec;
p = ipsec_find_policy_head(NULL, &ipss->ipsec_system_policy,
- direction, sel, ns);
+ direction, sel);
if ((connp != NULL) && (connp->conn_policy != NULL)) {
p = ipsec_find_policy_head(p, connp->conn_policy,
- direction, sel, ns);
- } else if ((io != NULL) && (io->ipsec_out_polhead != NULL)) {
- p = ipsec_find_policy_head(p, io->ipsec_out_polhead,
- direction, sel, ns);
+ direction, sel);
}
return (p);
@@ -2172,21 +2113,16 @@ ipsec_find_policy(int direction, conn_t *connp, ipsec_out_t *io,
* floor.
*/
mblk_t *
-ipsec_check_global_policy(mblk_t *first_mp, conn_t *connp,
- ipha_t *ipha, ip6_t *ip6h, boolean_t mctl_present, netstack_t *ns)
+ipsec_check_global_policy(mblk_t *data_mp, conn_t *connp,
+ ipha_t *ipha, ip6_t *ip6h, ip_recv_attr_t *ira, netstack_t *ns)
{
ipsec_policy_t *p;
ipsec_selector_t sel;
- mblk_t *data_mp, *ipsec_mp;
boolean_t policy_present;
kstat_named_t *counter;
- ipsec_in_t *ii = NULL;
uint64_t pkt_unique;
- ipsec_stack_t *ipss = ns->netstack_ipsec;
ip_stack_t *ipst = ns->netstack_ip;
-
- data_mp = mctl_present ? first_mp->b_cont : first_mp;
- ipsec_mp = mctl_present ? first_mp : NULL;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
sel.ips_is_icmp_inv_acq = 0;
@@ -2203,13 +2139,7 @@ ipsec_check_global_policy(mblk_t *first_mp, conn_t *connp,
* No global policy and no per-socket policy;
* just pass it back (but we shouldn't get here in that case)
*/
- return (first_mp);
- }
-
- if (ipsec_mp != NULL) {
- ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
- ii = (ipsec_in_t *)(ipsec_mp->b_rptr);
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
+ return (data_mp);
}
/*
@@ -2217,32 +2147,11 @@ ipsec_check_global_policy(mblk_t *first_mp, conn_t *connp,
* Otherwise consult system policy.
*/
if ((connp != NULL) && (connp->conn_latch != NULL)) {
- p = connp->conn_latch->ipl_in_policy;
+ p = connp->conn_latch_in_policy;
if (p != NULL) {
IPPOL_REFHOLD(p);
}
/*
- * The caller may have mistakenly assigned an ip6i_t as the
- * ip6h for this packet, so take that corner-case into
- * account.
- */
- if (ip6h != NULL && ip6h->ip6_nxt == IPPROTO_RAW) {
- ip6h++;
- /* First check for bizarro split-mblk headers. */
- if ((uintptr_t)ip6h > (uintptr_t)data_mp->b_wptr ||
- ((uintptr_t)ip6h) + sizeof (ip6_t) >
- (uintptr_t)data_mp->b_wptr) {
- ipsec_log_policy_failure(IPSEC_POLICY_MISMATCH,
- "ipsec_check_global_policy", ipha, ip6h,
- B_TRUE, ns);
- counter = DROPPER(ipss, ipds_spd_nomem);
- goto fail;
- }
- /* Next, see if ip6i is at the end of an mblk. */
- if (ip6h == (ip6_t *)data_mp->b_wptr)
- ip6h = (ip6_t *)data_mp->b_cont->b_rptr;
- }
- /*
* Fudge sel for UNIQUE_ID setting below.
*/
pkt_unique = conn_to_unique(connp, data_mp, ipha, ip6h);
@@ -2271,20 +2180,19 @@ ipsec_check_global_policy(mblk_t *first_mp, conn_t *connp,
* local policy alone.
*/
- p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, NULL, &sel,
- ns);
+ p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, &sel, ns);
pkt_unique = SA_UNIQUE_ID(sel.ips_remote_port,
sel.ips_local_port, sel.ips_protocol, 0);
}
if (p == NULL) {
- if (ipsec_mp == NULL) {
+ if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
/*
* We have no policy; default to succeeding.
* XXX paranoid system design doesn't do this.
*/
BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
- return (first_mp);
+ return (data_mp);
} else {
counter = DROPPER(ipss, ipds_spd_got_secure);
ipsec_log_policy_failure(IPSEC_POLICY_NOT_NEEDED,
@@ -2293,16 +2201,16 @@ ipsec_check_global_policy(mblk_t *first_mp, conn_t *connp,
goto fail;
}
}
- if ((ii != NULL) && (ii->ipsec_in_secure)) {
- return (ipsec_check_ipsecin_policy(ipsec_mp, p, ipha, ip6h,
- pkt_unique, ns));
+ if (ira->ira_flags & IRAF_IPSEC_SECURE) {
+ return (ipsec_check_ipsecin_policy(data_mp, p, ipha, ip6h,
+ pkt_unique, ira, ns));
}
if (p->ipsp_act->ipa_allow_clear) {
BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
- IPPOL_REFRELE(p, ns);
- return (first_mp);
+ IPPOL_REFRELE(p);
+ return (data_mp);
}
- IPPOL_REFRELE(p, ns);
+ IPPOL_REFRELE(p);
/*
* If we reach here, we will drop the packet because it failed the
* global policy check because the packet was cleartext, and it
@@ -2313,7 +2221,7 @@ ipsec_check_global_policy(mblk_t *first_mp, conn_t *connp,
counter = DROPPER(ipss, ipds_spd_got_clear);
fail:
- ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter,
+ ip_drop_packet(data_mp, B_TRUE, NULL, counter,
&ipss->ipsec_spd_dropper);
BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
return (NULL);
@@ -2435,7 +2343,7 @@ ipsec_inbound_accept_clear(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h)
case ICMP_FRAGMENTATION_NEEDED:
/*
* Be in sync with icmp_inbound, where we have
- * already set ire_max_frag.
+ * already set dce_pmtu
*/
#ifdef FRAGCACHE_DEBUG
cmn_err(CE_WARN, "ICMP frag needed\n");
@@ -2496,27 +2404,44 @@ ipsec_latch_ids(ipsec_latch_t *ipl, ipsid_t *local, ipsid_t *remote)
}
void
-ipsec_latch_inbound(ipsec_latch_t *ipl, ipsec_in_t *ii)
+ipsec_latch_inbound(conn_t *connp, ip_recv_attr_t *ira)
{
ipsa_t *sa;
+ ipsec_latch_t *ipl = connp->conn_latch;
if (!ipl->ipl_ids_latched) {
ipsid_t *local = NULL;
ipsid_t *remote = NULL;
- if (!ii->ipsec_in_loopback) {
- if (ii->ipsec_in_esp_sa != NULL)
- sa = ii->ipsec_in_esp_sa;
+ if (!(ira->ira_flags & IRAF_LOOPBACK)) {
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
+ if (ira->ira_ipsec_esp_sa != NULL)
+ sa = ira->ira_ipsec_esp_sa;
else
- sa = ii->ipsec_in_ah_sa;
+ sa = ira->ira_ipsec_ah_sa;
ASSERT(sa != NULL);
local = sa->ipsa_dst_cid;
remote = sa->ipsa_src_cid;
}
ipsec_latch_ids(ipl, local, remote);
}
- ipl->ipl_in_action = ii->ipsec_in_action;
- IPACT_REFHOLD(ipl->ipl_in_action);
+ if (ira->ira_flags & IRAF_IPSEC_SECURE) {
+ if (connp->conn_latch_in_action != NULL) {
+ /*
+ * Previously cached action. This is probably
+ * harmless, but in DEBUG kernels, check for
+ * action equality.
+ *
+ * Preserve the existing action to preserve latch
+ * invariance.
+ */
+ ASSERT(connp->conn_latch_in_action ==
+ ira->ira_ipsec_action);
+ return;
+ }
+ connp->conn_latch_in_action = ira->ira_ipsec_action;
+ IPACT_REFHOLD(connp->conn_latch_in_action);
+ }
}
/*
@@ -2527,27 +2452,25 @@ ipsec_latch_inbound(ipsec_latch_t *ipl, ipsec_in_t *ii)
* see also ipsec_check_ipsecin_latch() and ipsec_check_global_policy()
*/
mblk_t *
-ipsec_check_inbound_policy(mblk_t *first_mp, conn_t *connp,
- ipha_t *ipha, ip6_t *ip6h, boolean_t mctl_present)
+ipsec_check_inbound_policy(mblk_t *mp, conn_t *connp,
+ ipha_t *ipha, ip6_t *ip6h, ip_recv_attr_t *ira)
{
- ipsec_in_t *ii;
- boolean_t ret;
- mblk_t *mp = mctl_present ? first_mp->b_cont : first_mp;
- mblk_t *ipsec_mp = mctl_present ? first_mp : NULL;
- ipsec_latch_t *ipl;
- uint64_t unique_id;
+ boolean_t ret;
+ ipsec_latch_t *ipl;
+ ipsec_action_t *ap;
+ uint64_t unique_id;
ipsec_stack_t *ipss;
ip_stack_t *ipst;
netstack_t *ns;
ipsec_policy_head_t *policy_head;
+ ipsec_policy_t *p = NULL;
ASSERT(connp != NULL);
ns = connp->conn_netstack;
ipss = ns->netstack_ipsec;
ipst = ns->netstack_ip;
- if (ipsec_mp == NULL) {
-clear:
+ if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
/*
* This is the case where the incoming datagram is
* cleartext and we need to see whether this client
@@ -2559,49 +2482,49 @@ clear:
mutex_enter(&connp->conn_lock);
if (connp->conn_state_flags & CONN_CONDEMNED) {
mutex_exit(&connp->conn_lock);
- ip_drop_packet(first_mp, B_TRUE, NULL,
- NULL, DROPPER(ipss, ipds_spd_got_clear),
+ ip_drop_packet(mp, B_TRUE, NULL,
+ DROPPER(ipss, ipds_spd_got_clear),
&ipss->ipsec_spd_dropper);
BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
return (NULL);
}
- if ((ipl = connp->conn_latch) != NULL) {
+ if (connp->conn_latch != NULL) {
/* Hold a reference in case the conn is closing */
- IPLATCH_REFHOLD(ipl);
+ p = connp->conn_latch_in_policy;
+ if (p != NULL)
+ IPPOL_REFHOLD(p);
mutex_exit(&connp->conn_lock);
/*
* Policy is cached in the conn.
*/
- if ((ipl->ipl_in_policy != NULL) &&
- (!ipl->ipl_in_policy->ipsp_act->ipa_allow_clear)) {
+ if (p != NULL && !p->ipsp_act->ipa_allow_clear) {
ret = ipsec_inbound_accept_clear(mp,
ipha, ip6h);
if (ret) {
BUMP_MIB(&ipst->ips_ip_mib,
ipsecInSucceeded);
- IPLATCH_REFRELE(ipl, ns);
- return (first_mp);
+ IPPOL_REFRELE(p);
+ return (mp);
} else {
ipsec_log_policy_failure(
IPSEC_POLICY_MISMATCH,
"ipsec_check_inbound_policy", ipha,
ip6h, B_FALSE, ns);
- ip_drop_packet(first_mp, B_TRUE, NULL,
- NULL,
+ ip_drop_packet(mp, B_TRUE, NULL,
DROPPER(ipss, ipds_spd_got_clear),
&ipss->ipsec_spd_dropper);
BUMP_MIB(&ipst->ips_ip_mib,
ipsecInFailed);
- IPLATCH_REFRELE(ipl, ns);
+ IPPOL_REFRELE(p);
return (NULL);
}
} else {
BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
- IPLATCH_REFRELE(ipl, ns);
- return (first_mp);
+ if (p != NULL)
+ IPPOL_REFRELE(p);
+ return (mp);
}
} else {
- uchar_t db_type;
policy_head = connp->conn_policy;
/* Hold a reference in case the conn is closing */
@@ -2611,50 +2534,22 @@ clear:
/*
* As this is a non-hardbound connection we need
* to look at both per-socket policy and global
- * policy. As this is cleartext, mark the mp as
- * M_DATA in case if it is an ICMP error being
- * reported before calling ipsec_check_global_policy
- * so that it does not mistake it for IPSEC_IN.
+ * policy.
*/
- db_type = mp->b_datap->db_type;
- mp->b_datap->db_type = M_DATA;
- first_mp = ipsec_check_global_policy(first_mp, connp,
- ipha, ip6h, mctl_present, ns);
+ mp = ipsec_check_global_policy(mp, connp,
+ ipha, ip6h, ira, ns);
if (policy_head != NULL)
IPPH_REFRELE(policy_head, ns);
- if (first_mp != NULL)
- mp->b_datap->db_type = db_type;
- return (first_mp);
+ return (mp);
}
}
- /*
- * If it is inbound check whether the attached message
- * is secure or not. We have a special case for ICMP,
- * where we have a IPSEC_IN message and the attached
- * message is not secure. See icmp_inbound_error_fanout
- * for details.
- */
- ASSERT(ipsec_mp != NULL);
- ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
- ii = (ipsec_in_t *)ipsec_mp->b_rptr;
-
- if (!ii->ipsec_in_secure)
- goto clear;
-
- /*
- * mp->b_cont could be either a M_CTL message
- * for icmp errors being sent up or a M_DATA message.
- */
- ASSERT(mp->b_datap->db_type == M_CTL || mp->b_datap->db_type == M_DATA);
-
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
mutex_enter(&connp->conn_lock);
/* Connection is closing */
if (connp->conn_state_flags & CONN_CONDEMNED) {
mutex_exit(&connp->conn_lock);
- ip_drop_packet(first_mp, B_TRUE, NULL,
- NULL, DROPPER(ipss, ipds_spd_got_clear),
+ ip_drop_packet(mp, B_TRUE, NULL,
+ DROPPER(ipss, ipds_spd_got_clear),
&ipss->ipsec_spd_dropper);
BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
return (NULL);
@@ -2679,58 +2574,64 @@ clear:
* policy. It will check against conn or global
* depending on whichever is stronger.
*/
- retmp = ipsec_check_global_policy(first_mp, connp,
- ipha, ip6h, mctl_present, ns);
+ retmp = ipsec_check_global_policy(mp, connp,
+ ipha, ip6h, ira, ns);
if (policy_head != NULL)
IPPH_REFRELE(policy_head, ns);
return (retmp);
}
IPLATCH_REFHOLD(ipl);
+ /* Hold reference on conn_latch_in_action in case conn is closing */
+ ap = connp->conn_latch_in_action;
+ if (ap != NULL)
+ IPACT_REFHOLD(ap);
mutex_exit(&connp->conn_lock);
- if (ipl->ipl_in_action != NULL) {
+ if (ap != NULL) {
/* Policy is cached & latched; fast(er) path */
const char *reason;
kstat_named_t *counter;
- if (ipsec_check_ipsecin_latch(ii, mp, ipl,
- ipha, ip6h, &reason, &counter, connp)) {
+ if (ipsec_check_ipsecin_latch(ira, mp, ipl, ap,
+ ipha, ip6h, &reason, &counter, connp, ns)) {
BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
- IPLATCH_REFRELE(ipl, ns);
- return (first_mp);
+ IPLATCH_REFRELE(ipl);
+ IPACT_REFRELE(ap);
+ return (mp);
}
ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0,
SL_ERROR|SL_WARN|SL_CONSOLE,
"ipsec inbound policy mismatch: %s, packet dropped\n",
reason);
- ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter,
+ ip_drop_packet(mp, B_TRUE, NULL, counter,
&ipss->ipsec_spd_dropper);
BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
- IPLATCH_REFRELE(ipl, ns);
+ IPLATCH_REFRELE(ipl);
+ IPACT_REFRELE(ap);
return (NULL);
- } else if (ipl->ipl_in_policy == NULL) {
+ }
+ if ((p = connp->conn_latch_in_policy) == NULL) {
ipsec_weird_null_inbound_policy++;
- IPLATCH_REFRELE(ipl, ns);
- return (first_mp);
+ IPLATCH_REFRELE(ipl);
+ return (mp);
}
unique_id = conn_to_unique(connp, mp, ipha, ip6h);
- IPPOL_REFHOLD(ipl->ipl_in_policy);
- first_mp = ipsec_check_ipsecin_policy(first_mp, ipl->ipl_in_policy,
- ipha, ip6h, unique_id, ns);
+ IPPOL_REFHOLD(p);
+ mp = ipsec_check_ipsecin_policy(mp, p, ipha, ip6h, unique_id, ira, ns);
/*
* NOTE: ipsecIn{Failed,Succeeeded} bumped by
* ipsec_check_ipsecin_policy().
*/
- if (first_mp != NULL)
- ipsec_latch_inbound(ipl, ii);
- IPLATCH_REFRELE(ipl, ns);
- return (first_mp);
+ if (mp != NULL)
+ ipsec_latch_inbound(connp, ira);
+ IPLATCH_REFRELE(ipl);
+ return (mp);
}
/*
- * Handle all sorts of cases like tunnel-mode, ICMP, and ip6i prepending.
+ * Handle all sorts of cases like tunnel-mode and ICMP.
*/
static int
prepended_length(mblk_t *mp, uintptr_t hptr)
@@ -2779,19 +2680,24 @@ prepended_length(mblk_t *mp, uintptr_t hptr)
* should put this packet in a fragment-gathering queue.
* Only returned if SEL_TUNNEL_MODE and SEL_PORT_POLICY
* is set.
+ *
+ * Note that ipha/ip6h can be in a different mblk (mp->b_cont) in the case
+ * of tunneled packets.
+ * Also, mp->b_rptr can be an ICMP error where ipha/ip6h is the packet in
+ * error past the ICMP error.
*/
static selret_t
ipsec_init_inbound_sel(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
ip6_t *ip6h, uint8_t sel_flags)
{
uint16_t *ports;
- int outer_hdr_len = 0; /* For ICMP, tunnel-mode, or ip6i cases... */
+ int outer_hdr_len = 0; /* For ICMP or tunnel-mode cases... */
ushort_t hdr_len;
mblk_t *spare_mp = NULL;
uint8_t *nexthdrp, *transportp;
uint8_t nexthdr;
uint8_t icmp_proto;
- ip6_pkt_t ipp;
+ ip_pkt_t ipp;
boolean_t port_policy_present = (sel_flags & SEL_PORT_POLICY);
boolean_t is_icmp = (sel_flags & SEL_IS_ICMP);
boolean_t tunnel_mode = (sel_flags & SEL_TUNNEL_MODE);
@@ -2802,44 +2708,14 @@ ipsec_init_inbound_sel(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
if (ip6h != NULL) {
outer_hdr_len = prepended_length(mp, (uintptr_t)ip6h);
-
nexthdr = ip6h->ip6_nxt;
-
- /*
- * The caller may have mistakenly assigned an ip6i_t as the
- * ip6h for this packet, so take that corner-case into
- * account.
- */
- if (nexthdr == IPPROTO_RAW) {
- ip6h++;
- /* First check for bizarro split-mblk headers. */
- if ((uintptr_t)ip6h > (uintptr_t)mp->b_wptr ||
- ((uintptr_t)ip6h) + sizeof (ip6_t) >
- (uintptr_t)mp->b_wptr) {
- return (SELRET_BADPKT);
- }
- /* Next, see if ip6i is at the end of an mblk. */
- if (ip6h == (ip6_t *)mp->b_wptr)
- ip6h = (ip6_t *)mp->b_cont->b_rptr;
-
- nexthdr = ip6h->ip6_nxt;
-
- /*
- * Finally, if we haven't adjusted for ip6i, do so
- * now. ip6i_t structs are prepended, so an ICMP
- * or tunnel packet would just be overwritten.
- */
- if (outer_hdr_len == 0)
- outer_hdr_len = sizeof (ip6i_t);
- }
-
icmp_proto = IPPROTO_ICMPV6;
sel->ips_isv4 = B_FALSE;
sel->ips_local_addr_v6 = ip6h->ip6_dst;
sel->ips_remote_addr_v6 = ip6h->ip6_src;
bzero(&ipp, sizeof (ipp));
- (void) ip_find_hdr_v6(mp, ip6h, &ipp, NULL);
+ (void) ip_find_hdr_v6(mp, ip6h, B_FALSE, &ipp, NULL);
switch (nexthdr) {
case IPPROTO_HOPOPTS:
@@ -2852,7 +2728,6 @@ ipsec_init_inbound_sel(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
*/
if ((spare_mp = msgpullup(mp, -1)) == NULL)
return (SELRET_NOMEM);
-
if (!ip_hdr_length_nexthdr_v6(spare_mp,
(ip6_t *)(spare_mp->b_rptr + outer_hdr_len),
&hdr_len, &nexthdrp)) {
@@ -2930,6 +2805,10 @@ ipsec_init_inbound_sel(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
return (SELRET_SUCCESS);
}
+/*
+ * This is called with a b_next chain of messages from the fragcache code,
+ * hence it needs to discard a chain on error.
+ */
static boolean_t
ipsec_init_outbound_ports(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
ip6_t *ip6h, int outer_hdr_len, ipsec_stack_t *ipss)
@@ -2967,7 +2846,7 @@ ipsec_init_outbound_ports(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
&hdr_len, &nexthdrp)) {
/* Always works, even if NULL. */
ipsec_freemsg_chain(spare_mp);
- ip_drop_packet_chain(mp, B_FALSE, NULL, NULL,
+ ip_drop_packet_chain(mp, B_FALSE, NULL,
DROPPER(ipss, ipds_spd_nomem),
&ipss->ipsec_spd_dropper);
return (B_FALSE);
@@ -3005,7 +2884,7 @@ ipsec_init_outbound_ports(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
*/
if (spare_mp == NULL &&
(spare_mp = msgpullup(mp, -1)) == NULL) {
- ip_drop_packet_chain(mp, B_FALSE, NULL, NULL,
+ ip_drop_packet_chain(mp, B_FALSE, NULL,
DROPPER(ipss, ipds_spd_nomem),
&ipss->ipsec_spd_dropper);
return (B_FALSE);
@@ -3029,13 +2908,68 @@ ipsec_init_outbound_ports(ipsec_selector_t *sel, mblk_t *mp, ipha_t *ipha,
}
/*
+ * Prepend an mblk with a ipsec_crypto_t to the message chain.
+ * Frees the argument and returns NULL should the allocation fail.
+ * Returns the pointer to the crypto data part.
+ */
+mblk_t *
+ipsec_add_crypto_data(mblk_t *data_mp, ipsec_crypto_t **icp)
+{
+ mblk_t *mp;
+
+ mp = allocb(sizeof (ipsec_crypto_t), BPRI_MED);
+ if (mp == NULL) {
+ freemsg(data_mp);
+ return (NULL);
+ }
+ bzero(mp->b_rptr, sizeof (ipsec_crypto_t));
+ mp->b_wptr += sizeof (ipsec_crypto_t);
+ mp->b_cont = data_mp;
+ mp->b_datap->db_type = M_EVENT; /* For ASSERT */
+ *icp = (ipsec_crypto_t *)mp->b_rptr;
+ return (mp);
+}
+
+/*
+ * Remove what was prepended above. Return b_cont and a pointer to the
+ * crypto data.
+ * The caller must call ipsec_free_crypto_data for mblk once it is done
+ * with the crypto data.
+ */
+mblk_t *
+ipsec_remove_crypto_data(mblk_t *crypto_mp, ipsec_crypto_t **icp)
+{
+ ASSERT(crypto_mp->b_datap->db_type == M_EVENT);
+ ASSERT(MBLKL(crypto_mp) == sizeof (ipsec_crypto_t));
+
+ *icp = (ipsec_crypto_t *)crypto_mp->b_rptr;
+ return (crypto_mp->b_cont);
+}
+
+/*
+ * Free what was prepended above. Return b_cont.
+ */
+mblk_t *
+ipsec_free_crypto_data(mblk_t *crypto_mp)
+{
+ mblk_t *mp;
+
+ ASSERT(crypto_mp->b_datap->db_type == M_EVENT);
+ ASSERT(MBLKL(crypto_mp) == sizeof (ipsec_crypto_t));
+
+ mp = crypto_mp->b_cont;
+ freeb(crypto_mp);
+ return (mp);
+}
+
+/*
* Create an ipsec_action_t based on the way an inbound packet was protected.
* Used to reflect traffic back to a sender.
*
* We don't bother interning the action into the hash table.
*/
ipsec_action_t *
-ipsec_in_to_out_action(ipsec_in_t *ii)
+ipsec_in_to_out_action(ip_recv_attr_t *ira)
{
ipsa_t *ah_assoc, *esp_assoc;
uint_t auth_alg = 0, encr_alg = 0, espa_alg = 0;
@@ -3057,10 +2991,12 @@ ipsec_in_to_out_action(ipsec_in_t *ii)
*/
ap->ipa_act.ipa_type = IPSEC_ACT_APPLY;
ap->ipa_act.ipa_log = 0;
- ah_assoc = ii->ipsec_in_ah_sa;
+ ASSERT(ira->ira_flags & IRAF_IPSEC_SECURE);
+
+ ah_assoc = ira->ira_ipsec_ah_sa;
ap->ipa_act.ipa_apply.ipp_use_ah = (ah_assoc != NULL);
- esp_assoc = ii->ipsec_in_esp_sa;
+ esp_assoc = ira->ira_ipsec_esp_sa;
ap->ipa_act.ipa_apply.ipp_use_esp = (esp_assoc != NULL);
if (esp_assoc != NULL) {
@@ -3074,7 +3010,8 @@ ipsec_in_to_out_action(ipsec_in_t *ii)
ap->ipa_act.ipa_apply.ipp_encr_alg = (uint8_t)encr_alg;
ap->ipa_act.ipa_apply.ipp_auth_alg = (uint8_t)auth_alg;
ap->ipa_act.ipa_apply.ipp_esp_auth_alg = (uint8_t)espa_alg;
- ap->ipa_act.ipa_apply.ipp_use_se = ii->ipsec_in_decaps;
+ ap->ipa_act.ipa_apply.ipp_use_se =
+ !!(ira->ira_flags & IRAF_IPSEC_DECAPS);
unique = B_FALSE;
if (esp_assoc != NULL) {
@@ -3104,7 +3041,7 @@ ipsec_in_to_out_action(ipsec_in_t *ii)
ap->ipa_act.ipa_apply.ipp_use_unique = unique;
ap->ipa_want_unique = unique;
ap->ipa_allow_clear = B_FALSE;
- ap->ipa_want_se = ii->ipsec_in_decaps;
+ ap->ipa_want_se = !!(ira->ira_flags & IRAF_IPSEC_DECAPS);
ap->ipa_want_ah = (ah_assoc != NULL);
ap->ipa_want_esp = (esp_assoc != NULL);
@@ -3500,13 +3437,14 @@ ipsec_sel_rel(ipsec_sel_t **spp, netstack_t *ns)
* Free a policy rule which we know is no longer being referenced.
*/
void
-ipsec_policy_free(ipsec_policy_t *ipp, netstack_t *ns)
+ipsec_policy_free(ipsec_policy_t *ipp)
{
ASSERT(ipp->ipsp_refs == 0);
ASSERT(ipp->ipsp_sel != NULL);
ASSERT(ipp->ipsp_act != NULL);
+ ASSERT(ipp->ipsp_netstack != NULL);
- ipsec_sel_rel(&ipp->ipsp_sel, ns);
+ ipsec_sel_rel(&ipp->ipsp_sel, ipp->ipsp_netstack);
IPACT_REFRELE(ipp->ipsp_act);
kmem_cache_free(ipsec_pol_cache, ipp);
}
@@ -3544,6 +3482,7 @@ ipsec_policy_create(ipsec_selkey_t *keys, const ipsec_act_t *a,
HASH_NULL(ipp, ipsp_hash);
+ ipp->ipsp_netstack = ns; /* Needed for ipsec_policy_free */
ipp->ipsp_refs = 1; /* caller's reference */
ipp->ipsp_sel = sp;
ipp->ipsp_act = ap;
@@ -3613,7 +3552,7 @@ ipsec_policy_delete(ipsec_policy_head_t *php, ipsec_selkey_t *keys, int dir,
continue;
}
- IPPOL_UNCHAIN(php, ip, ns);
+ IPPOL_UNCHAIN(php, ip);
php->iph_gen++;
ipsec_update_present_flags(ns->netstack_ipsec);
@@ -3664,7 +3603,7 @@ ipsec_policy_delete_index(ipsec_policy_head_t *php, uint64_t policy_index,
break;
}
- IPPOL_UNCHAIN(php, ip, ns);
+ IPPOL_UNCHAIN(php, ip);
found = B_TRUE;
}
@@ -3897,8 +3836,7 @@ ipsec_enter_policy(ipsec_policy_head_t *php, ipsec_policy_t *ipp, int direction,
}
static void
-ipsec_ipr_flush(ipsec_policy_head_t *php, ipsec_policy_root_t *ipr,
- netstack_t *ns)
+ipsec_ipr_flush(ipsec_policy_head_t *php, ipsec_policy_root_t *ipr)
{
ipsec_policy_t *ip, *nip;
int af, chain, nchain;
@@ -3906,7 +3844,7 @@ ipsec_ipr_flush(ipsec_policy_head_t *php, ipsec_policy_root_t *ipr,
for (af = 0; af < IPSEC_NAF; af++) {
for (ip = ipr->ipr_nonhash[af]; ip != NULL; ip = nip) {
nip = ip->ipsp_hash.hash_next;
- IPPOL_UNCHAIN(php, ip, ns);
+ IPPOL_UNCHAIN(php, ip);
}
ipr->ipr_nonhash[af] = NULL;
}
@@ -3916,7 +3854,7 @@ ipsec_ipr_flush(ipsec_policy_head_t *php, ipsec_policy_root_t *ipr,
for (ip = ipr->ipr_hash[chain].hash_head; ip != NULL;
ip = nip) {
nip = ip->ipsp_hash.hash_next;
- IPPOL_UNCHAIN(php, ip, ns);
+ IPPOL_UNCHAIN(php, ip);
}
ipr->ipr_hash[chain].hash_head = NULL;
}
@@ -3954,8 +3892,9 @@ ipsec_polhead_flush(ipsec_policy_head_t *php, netstack_t *ns)
ASSERT(RW_WRITE_HELD(&php->iph_lock));
for (dir = 0; dir < IPSEC_NTYPES; dir++)
- ipsec_ipr_flush(php, &php->iph_root[dir], ns);
+ ipsec_ipr_flush(php, &php->iph_root[dir]);
+ php->iph_gen++;
ipsec_update_present_flags(ns->netstack_ipsec);
}
@@ -4066,727 +4005,219 @@ ipsec_polhead_split(ipsec_policy_head_t *php, netstack_t *ns)
*
* NOTE2: This function is called by cleartext cases, so it needs to be
* in IP proper.
+ *
+ * Note: the caller has moved other parts of ira into ixa already.
*/
boolean_t
-ipsec_in_to_out(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h, zoneid_t zoneid)
-{
- ipsec_in_t *ii;
- ipsec_out_t *io;
- boolean_t v4;
- mblk_t *mp;
- boolean_t secure;
- uint_t ifindex;
+ipsec_in_to_out(ip_recv_attr_t *ira, ip_xmit_attr_t *ixa, mblk_t *data_mp,
+ ipha_t *ipha, ip6_t *ip6h)
+{
ipsec_selector_t sel;
- ipsec_action_t *reflect_action = NULL;
- netstack_t *ns;
-
- ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
+ ipsec_action_t *reflect_action = NULL;
+ netstack_t *ns = ixa->ixa_ipst->ips_netstack;
bzero((void*)&sel, sizeof (sel));
- ii = (ipsec_in_t *)ipsec_mp->b_rptr;
-
- mp = ipsec_mp->b_cont;
- ASSERT(mp != NULL);
-
- if (ii->ipsec_in_action != NULL) {
+ if (ira->ira_ipsec_action != NULL) {
/* transfer reference.. */
- reflect_action = ii->ipsec_in_action;
- ii->ipsec_in_action = NULL;
- } else if (!ii->ipsec_in_loopback)
- reflect_action = ipsec_in_to_out_action(ii);
- secure = ii->ipsec_in_secure;
- ifindex = ii->ipsec_in_ill_index;
- ns = ii->ipsec_in_ns;
- v4 = ii->ipsec_in_v4;
-
- ipsec_in_release_refs(ii); /* No netstack_rele/hold needed */
-
- /*
- * Use the global zone's id if we don't have a specific zone
- * identified. This is likely to happen when the received packet's
- * destination is a Trusted Extensions all-zones address. We did
- * not copy the zoneid from ii->ipsec_in_zone id because that
- * information represents the zoneid we started input processing
- * with. The caller should have a better idea of which zone the
- * received packet was destined for.
- */
-
- if (zoneid == ALL_ZONES)
- zoneid = GLOBAL_ZONEID;
+ reflect_action = ira->ira_ipsec_action;
+ ira->ira_ipsec_action = NULL;
+ } else if (!(ira->ira_flags & IRAF_LOOPBACK))
+ reflect_action = ipsec_in_to_out_action(ira);
/*
* The caller is going to send the datagram out which might
- * go on the wire or delivered locally through ip_wput_local.
+ * go on the wire or delivered locally through ire_send_local.
*
* 1) If it goes out on the wire, new associations will be
* obtained.
- * 2) If it is delivered locally, ip_wput_local will convert
- * this IPSEC_OUT to a IPSEC_IN looking at the requests.
+ * 2) If it is delivered locally, ire_send_local will convert
+ * this ip_xmit_attr_t back to a ip_recv_attr_t looking at the
+ * requests.
*/
+ ixa->ixa_ipsec_action = reflect_action;
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
- bzero(io, sizeof (ipsec_out_t));
- io->ipsec_out_type = IPSEC_OUT;
- io->ipsec_out_len = sizeof (ipsec_out_t);
- io->ipsec_out_frtn.free_func = ipsec_out_free;
- io->ipsec_out_frtn.free_arg = (char *)io;
- io->ipsec_out_act = reflect_action;
-
- if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h, 0,
- ns->netstack_ipsec))
+ if (!ipsec_init_outbound_ports(&sel, data_mp, ipha, ip6h, 0,
+ ns->netstack_ipsec)) {
+ /* Note: data_mp already consumed and ip_drop_packet done */
return (B_FALSE);
-
- io->ipsec_out_src_port = sel.ips_local_port;
- io->ipsec_out_dst_port = sel.ips_remote_port;
- io->ipsec_out_proto = sel.ips_protocol;
- io->ipsec_out_icmp_type = sel.ips_icmp_type;
- io->ipsec_out_icmp_code = sel.ips_icmp_code;
+ }
+ ixa->ixa_ipsec_src_port = sel.ips_local_port;
+ ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
+ ixa->ixa_ipsec_proto = sel.ips_protocol;
+ ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
+ ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
/*
* Don't use global policy for this, as we want
* to use the same protection that was applied to the inbound packet.
+ * Thus we set IXAF_NO_IPSEC is it arrived in the clear to make
+ * it be sent in the clear.
*/
- io->ipsec_out_use_global_policy = B_FALSE;
- io->ipsec_out_proc_begin = B_FALSE;
- io->ipsec_out_secure = secure;
- io->ipsec_out_v4 = v4;
- io->ipsec_out_ill_index = ifindex;
- io->ipsec_out_zoneid = zoneid;
- io->ipsec_out_ns = ns; /* No netstack_hold */
+ if (ira->ira_flags & IRAF_IPSEC_SECURE)
+ ixa->ixa_flags |= IXAF_IPSEC_SECURE;
+ else
+ ixa->ixa_flags |= IXAF_NO_IPSEC;
return (B_TRUE);
}
-mblk_t *
-ipsec_in_tag(mblk_t *mp, mblk_t *cont, netstack_t *ns)
-{
- ipsec_in_t *ii = (ipsec_in_t *)mp->b_rptr;
- ipsec_in_t *nii;
- mblk_t *nmp;
- frtn_t nfrtn;
- ipsec_stack_t *ipss = ns->netstack_ipsec;
-
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
- ASSERT(ii->ipsec_in_len == sizeof (ipsec_in_t));
-
- nmp = ipsec_in_alloc(ii->ipsec_in_v4, ns);
- if (nmp == NULL) {
- ip_drop_packet_chain(cont, B_FALSE, NULL, NULL,
- DROPPER(ipss, ipds_spd_nomem),
- &ipss->ipsec_spd_dropper);
- return (NULL);
- }
-
- ASSERT(nmp->b_datap->db_type == M_CTL);
- ASSERT(nmp->b_wptr == (nmp->b_rptr + sizeof (ipsec_info_t)));
-
- /*
- * Bump refcounts.
- */
- if (ii->ipsec_in_ah_sa != NULL)
- IPSA_REFHOLD(ii->ipsec_in_ah_sa);
- if (ii->ipsec_in_esp_sa != NULL)
- IPSA_REFHOLD(ii->ipsec_in_esp_sa);
- if (ii->ipsec_in_policy != NULL)
- IPPH_REFHOLD(ii->ipsec_in_policy);
-
- /*
- * Copy everything, but preserve the free routine provided by
- * ipsec_in_alloc().
- */
- nii = (ipsec_in_t *)nmp->b_rptr;
- nfrtn = nii->ipsec_in_frtn;
- bcopy(ii, nii, sizeof (*ii));
- nii->ipsec_in_frtn = nfrtn;
-
- nmp->b_cont = cont;
-
- return (nmp);
-}
-
-mblk_t *
-ipsec_out_tag(mblk_t *mp, mblk_t *cont, netstack_t *ns)
-{
- ipsec_out_t *io = (ipsec_out_t *)mp->b_rptr;
- ipsec_out_t *nio;
- mblk_t *nmp;
- frtn_t nfrtn;
- ipsec_stack_t *ipss = ns->netstack_ipsec;
-
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
-
- nmp = ipsec_alloc_ipsec_out(ns);
- if (nmp == NULL) {
- ip_drop_packet_chain(cont, B_FALSE, NULL, NULL,
- DROPPER(ipss, ipds_spd_nomem),
- &ipss->ipsec_spd_dropper);
- return (NULL);
- }
- ASSERT(nmp->b_datap->db_type == M_CTL);
- ASSERT(nmp->b_wptr == (nmp->b_rptr + sizeof (ipsec_info_t)));
-
- /*
- * Bump refcounts.
- */
- if (io->ipsec_out_ah_sa != NULL)
- IPSA_REFHOLD(io->ipsec_out_ah_sa);
- if (io->ipsec_out_esp_sa != NULL)
- IPSA_REFHOLD(io->ipsec_out_esp_sa);
- if (io->ipsec_out_polhead != NULL)
- IPPH_REFHOLD(io->ipsec_out_polhead);
- if (io->ipsec_out_policy != NULL)
- IPPOL_REFHOLD(io->ipsec_out_policy);
- if (io->ipsec_out_act != NULL)
- IPACT_REFHOLD(io->ipsec_out_act);
- if (io->ipsec_out_latch != NULL)
- IPLATCH_REFHOLD(io->ipsec_out_latch);
- if (io->ipsec_out_cred != NULL)
- crhold(io->ipsec_out_cred);
-
- /*
- * Copy everything, but preserve the free routine provided by
- * ipsec_alloc_ipsec_out().
- */
- nio = (ipsec_out_t *)nmp->b_rptr;
- nfrtn = nio->ipsec_out_frtn;
- bcopy(io, nio, sizeof (*io));
- nio->ipsec_out_frtn = nfrtn;
-
- nmp->b_cont = cont;
-
- return (nmp);
-}
-
-static void
-ipsec_out_release_refs(ipsec_out_t *io)
+void
+ipsec_out_release_refs(ip_xmit_attr_t *ixa)
{
- netstack_t *ns = io->ipsec_out_ns;
-
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
- ASSERT(io->ipsec_out_ns != NULL);
+ if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE))
+ return;
- /* Note: IPSA_REFRELE is multi-line macro */
- if (io->ipsec_out_ah_sa != NULL)
- IPSA_REFRELE(io->ipsec_out_ah_sa);
- if (io->ipsec_out_esp_sa != NULL)
- IPSA_REFRELE(io->ipsec_out_esp_sa);
- if (io->ipsec_out_polhead != NULL)
- IPPH_REFRELE(io->ipsec_out_polhead, ns);
- if (io->ipsec_out_policy != NULL)
- IPPOL_REFRELE(io->ipsec_out_policy, ns);
- if (io->ipsec_out_act != NULL)
- IPACT_REFRELE(io->ipsec_out_act);
- if (io->ipsec_out_cred != NULL) {
- crfree(io->ipsec_out_cred);
- io->ipsec_out_cred = NULL;
+ if (ixa->ixa_ipsec_ah_sa != NULL) {
+ IPSA_REFRELE(ixa->ixa_ipsec_ah_sa);
+ ixa->ixa_ipsec_ah_sa = NULL;
}
- if (io->ipsec_out_latch) {
- IPLATCH_REFRELE(io->ipsec_out_latch, ns);
- io->ipsec_out_latch = NULL;
+ if (ixa->ixa_ipsec_esp_sa != NULL) {
+ IPSA_REFRELE(ixa->ixa_ipsec_esp_sa);
+ ixa->ixa_ipsec_esp_sa = NULL;
}
-}
-
-static void
-ipsec_out_free(void *arg)
-{
- ipsec_out_t *io = (ipsec_out_t *)arg;
- ipsec_out_release_refs(io);
- kmem_cache_free(ipsec_info_cache, arg);
-}
-
-static void
-ipsec_in_release_refs(ipsec_in_t *ii)
-{
- netstack_t *ns = ii->ipsec_in_ns;
-
- ASSERT(ii->ipsec_in_ns != NULL);
-
- /* Note: IPSA_REFRELE is multi-line macro */
- if (ii->ipsec_in_ah_sa != NULL)
- IPSA_REFRELE(ii->ipsec_in_ah_sa);
- if (ii->ipsec_in_esp_sa != NULL)
- IPSA_REFRELE(ii->ipsec_in_esp_sa);
- if (ii->ipsec_in_policy != NULL)
- IPPH_REFRELE(ii->ipsec_in_policy, ns);
- if (ii->ipsec_in_da != NULL) {
- freeb(ii->ipsec_in_da);
- ii->ipsec_in_da = NULL;
+ if (ixa->ixa_ipsec_policy != NULL) {
+ IPPOL_REFRELE(ixa->ixa_ipsec_policy);
+ ixa->ixa_ipsec_policy = NULL;
}
-}
-
-static void
-ipsec_in_free(void *arg)
-{
- ipsec_in_t *ii = (ipsec_in_t *)arg;
- ipsec_in_release_refs(ii);
- kmem_cache_free(ipsec_info_cache, arg);
-}
-
-/*
- * This is called only for outbound datagrams if the datagram needs to
- * go out secure. A NULL mp can be passed to get an ipsec_out. This
- * facility is used by ip_unbind.
- *
- * NOTE : o As the data part could be modified by ipsec_out_process etc.
- * we can't make it fast by calling a dup.
- */
-mblk_t *
-ipsec_alloc_ipsec_out(netstack_t *ns)
-{
- mblk_t *ipsec_mp;
- ipsec_out_t *io = kmem_cache_alloc(ipsec_info_cache, KM_NOSLEEP);
-
- if (io == NULL)
- return (NULL);
-
- bzero(io, sizeof (ipsec_out_t));
-
- io->ipsec_out_type = IPSEC_OUT;
- io->ipsec_out_len = sizeof (ipsec_out_t);
- io->ipsec_out_frtn.free_func = ipsec_out_free;
- io->ipsec_out_frtn.free_arg = (char *)io;
-
- /*
- * Set the zoneid to ALL_ZONES which is used as an invalid value. Code
- * using ipsec_out_zoneid should assert that the zoneid has been set to
- * a sane value.
- */
- io->ipsec_out_zoneid = ALL_ZONES;
- io->ipsec_out_ns = ns; /* No netstack_hold */
-
- ipsec_mp = desballoc((uint8_t *)io, sizeof (ipsec_info_t), BPRI_HI,
- &io->ipsec_out_frtn);
- if (ipsec_mp == NULL) {
- ipsec_out_free(io);
-
- return (NULL);
+ if (ixa->ixa_ipsec_action != NULL) {
+ IPACT_REFRELE(ixa->ixa_ipsec_action);
+ ixa->ixa_ipsec_action = NULL;
}
- ipsec_mp->b_datap->db_type = M_CTL;
- ipsec_mp->b_wptr = ipsec_mp->b_rptr + sizeof (ipsec_info_t);
-
- return (ipsec_mp);
-}
-
-/*
- * Attach an IPSEC_OUT; use pol for policy if it is non-null.
- * Otherwise initialize using conn.
- *
- * If pol is non-null, we consume a reference to it.
- */
-mblk_t *
-ipsec_attach_ipsec_out(mblk_t **mp, conn_t *connp, ipsec_policy_t *pol,
- uint8_t proto, netstack_t *ns)
-{
- mblk_t *ipsec_mp;
- ipsec_stack_t *ipss = ns->netstack_ipsec;
-
- ASSERT((pol != NULL) || (connp != NULL));
-
- ipsec_mp = ipsec_alloc_ipsec_out(ns);
- if (ipsec_mp == NULL) {
- ipsec_rl_strlog(ns, IP_MOD_ID, 0, 0, SL_ERROR|SL_NOTE,
- "ipsec_attach_ipsec_out: Allocation failure\n");
- ip_drop_packet(*mp, B_FALSE, NULL, NULL,
- DROPPER(ipss, ipds_spd_nomem),
- &ipss->ipsec_spd_dropper);
- *mp = NULL;
- return (NULL);
+ if (ixa->ixa_ipsec_latch) {
+ IPLATCH_REFRELE(ixa->ixa_ipsec_latch);
+ ixa->ixa_ipsec_latch = NULL;
}
- ipsec_mp->b_cont = *mp;
- /*
- * If *mp is NULL, ipsec_init_ipsec_out() won't/should not be using it.
- */
- return (ipsec_init_ipsec_out(ipsec_mp, mp, connp, pol, proto, ns));
+ /* Clear the soft references to the SAs */
+ ixa->ixa_ipsec_ref[0].ipsr_sa = NULL;
+ ixa->ixa_ipsec_ref[0].ipsr_bucket = NULL;
+ ixa->ixa_ipsec_ref[0].ipsr_gen = 0;
+ ixa->ixa_ipsec_ref[1].ipsr_sa = NULL;
+ ixa->ixa_ipsec_ref[1].ipsr_bucket = NULL;
+ ixa->ixa_ipsec_ref[1].ipsr_gen = 0;
+ ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
}
-/*
- * Initialize the IPSEC_OUT (ipsec_mp) using pol if it is non-null.
- * Otherwise initialize using conn.
- *
- * If pol is non-null, we consume a reference to it.
- */
-mblk_t *
-ipsec_init_ipsec_out(mblk_t *ipsec_mp, mblk_t **mp, conn_t *connp,
- ipsec_policy_t *pol, uint8_t proto, netstack_t *ns)
+void
+ipsec_in_release_refs(ip_recv_attr_t *ira)
{
- ipsec_out_t *io;
- ipsec_policy_t *p;
- ipha_t *ipha;
- ip6_t *ip6h;
- ipsec_stack_t *ipss = ns->netstack_ipsec;
-
- ASSERT(ipsec_mp->b_cont == *mp);
-
- ASSERT((pol != NULL) || (connp != NULL));
-
- ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
- ASSERT(ipsec_mp->b_wptr == (ipsec_mp->b_rptr + sizeof (ipsec_info_t)));
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
- ASSERT(io->ipsec_out_type == IPSEC_OUT);
- ASSERT(io->ipsec_out_len == sizeof (ipsec_out_t));
- io->ipsec_out_latch = NULL;
- /*
- * Set the zoneid when we have the connp.
- * Otherwise, we're called from ip_wput_attach_policy() who will take
- * care of setting the zoneid.
- */
- if (connp != NULL)
- io->ipsec_out_zoneid = connp->conn_zoneid;
-
- io->ipsec_out_ns = ns; /* No netstack_hold */
-
- if (*mp != NULL) {
- ipha = (ipha_t *)(*mp)->b_rptr;
- if (IPH_HDR_VERSION(ipha) == IP_VERSION) {
- io->ipsec_out_v4 = B_TRUE;
- ip6h = NULL;
- } else {
- io->ipsec_out_v4 = B_FALSE;
- ip6h = (ip6_t *)ipha;
- ipha = NULL;
- }
- } else {
- ASSERT(connp != NULL && connp->conn_policy_cached);
- ip6h = NULL;
- ipha = NULL;
- io->ipsec_out_v4 = !connp->conn_pkt_isv6;
- }
-
- p = NULL;
-
- /*
- * Take latched policies over global policy. Check here again for
- * this, in case we had conn_latch set while the packet was flying
- * around in IP.
- */
- if (connp != NULL && connp->conn_latch != NULL) {
- ASSERT(ns == connp->conn_netstack);
- p = connp->conn_latch->ipl_out_policy;
- io->ipsec_out_latch = connp->conn_latch;
- IPLATCH_REFHOLD(connp->conn_latch);
- if (p != NULL) {
- IPPOL_REFHOLD(p);
- }
- io->ipsec_out_src_port = connp->conn_lport;
- io->ipsec_out_dst_port = connp->conn_fport;
- io->ipsec_out_icmp_type = io->ipsec_out_icmp_code = 0;
- if (pol != NULL)
- IPPOL_REFRELE(pol, ns);
- } else if (pol != NULL) {
- ipsec_selector_t sel;
-
- bzero((void*)&sel, sizeof (sel));
-
- p = pol;
- /*
- * conn does not have the port information. Get
- * it from the packet.
- */
+ if (!(ira->ira_flags & IRAF_IPSEC_SECURE))
+ return;
- if (!ipsec_init_outbound_ports(&sel, *mp, ipha, ip6h, 0,
- ns->netstack_ipsec)) {
- /* Callee did ip_drop_packet() on *mp. */
- *mp = NULL;
- freeb(ipsec_mp);
- return (NULL);
- }
- io->ipsec_out_src_port = sel.ips_local_port;
- io->ipsec_out_dst_port = sel.ips_remote_port;
- io->ipsec_out_icmp_type = sel.ips_icmp_type;
- io->ipsec_out_icmp_code = sel.ips_icmp_code;
+ if (ira->ira_ipsec_ah_sa != NULL) {
+ IPSA_REFRELE(ira->ira_ipsec_ah_sa);
+ ira->ira_ipsec_ah_sa = NULL;
}
-
- io->ipsec_out_proto = proto;
- io->ipsec_out_use_global_policy = B_TRUE;
- io->ipsec_out_secure = (p != NULL);
- io->ipsec_out_policy = p;
-
- if (p == NULL) {
- if (connp->conn_policy != NULL) {
- io->ipsec_out_secure = B_TRUE;
- ASSERT(io->ipsec_out_latch == NULL);
- ASSERT(io->ipsec_out_use_global_policy == B_TRUE);
- io->ipsec_out_need_policy = B_TRUE;
- ASSERT(io->ipsec_out_polhead == NULL);
- IPPH_REFHOLD(connp->conn_policy);
- io->ipsec_out_polhead = connp->conn_policy;
- }
- } else {
- /* Handle explicit drop action. */
- if (p->ipsp_act->ipa_act.ipa_type == IPSEC_ACT_DISCARD ||
- p->ipsp_act->ipa_act.ipa_type == IPSEC_ACT_REJECT) {
- ip_drop_packet(ipsec_mp, B_FALSE, NULL, NULL,
- DROPPER(ipss, ipds_spd_explicit),
- &ipss->ipsec_spd_dropper);
- *mp = NULL;
- ipsec_mp = NULL;
- }
+ if (ira->ira_ipsec_esp_sa != NULL) {
+ IPSA_REFRELE(ira->ira_ipsec_esp_sa);
+ ira->ira_ipsec_esp_sa = NULL;
}
-
- return (ipsec_mp);
+ ira->ira_flags &= ~IRAF_IPSEC_SECURE;
}
/*
- * Allocate an IPSEC_IN mblk. This will be prepended to an inbound datagram
- * and keep track of what-if-any IPsec processing will be applied to the
- * datagram.
- */
-mblk_t *
-ipsec_in_alloc(boolean_t isv4, netstack_t *ns)
-{
- mblk_t *ipsec_in;
- ipsec_in_t *ii = kmem_cache_alloc(ipsec_info_cache, KM_NOSLEEP);
-
- if (ii == NULL)
- return (NULL);
-
- bzero(ii, sizeof (ipsec_info_t));
- ii->ipsec_in_type = IPSEC_IN;
- ii->ipsec_in_len = sizeof (ipsec_in_t);
-
- ii->ipsec_in_v4 = isv4;
- ii->ipsec_in_secure = B_TRUE;
- ii->ipsec_in_ns = ns; /* No netstack_hold */
- ii->ipsec_in_stackid = ns->netstack_stackid;
-
- ii->ipsec_in_frtn.free_func = ipsec_in_free;
- ii->ipsec_in_frtn.free_arg = (char *)ii;
-
- ii->ipsec_in_zoneid = ALL_ZONES; /* default for received packets */
-
- ipsec_in = desballoc((uint8_t *)ii, sizeof (ipsec_info_t), BPRI_HI,
- &ii->ipsec_in_frtn);
- if (ipsec_in == NULL) {
- ip1dbg(("ipsec_in_alloc: IPSEC_IN allocation failure.\n"));
- ipsec_in_free(ii);
- return (NULL);
- }
-
- ipsec_in->b_datap->db_type = M_CTL;
- ipsec_in->b_wptr += sizeof (ipsec_info_t);
-
- return (ipsec_in);
-}
-
-/*
- * This is called from ip_wput_local when a packet which needs
- * security is looped back, to convert the IPSEC_OUT to a IPSEC_IN
- * before fanout, where the policy check happens. In most of the
- * cases, IPSEC processing has *never* been done. There is one case
- * (ip_wput_ire_fragmentit -> ip_wput_frag -> icmp_frag_needed) where
- * the packet is destined for localhost, IPSEC processing has already
- * been done.
+ * This is called from ire_send_local when a packet
+ * is looped back. We setup the ip_recv_attr_t "borrowing" the references
+ * held by the callers.
+ * Note that we don't do any IPsec but we carry the actions and IPSEC flags
+ * across so that the fanout policy checks see that IPsec was applied.
*
- * Future: This could happen after SA selection has occurred for
- * outbound.. which will tell us who the src and dst identities are..
- * Then it's just a matter of splicing the ah/esp SA pointers from the
- * ipsec_out_t to the ipsec_in_t.
+ * The caller should do ipsec_in_release_refs() on the ira by calling
+ * ira_cleanup().
*/
void
-ipsec_out_to_in(mblk_t *ipsec_mp)
+ipsec_out_to_in(ip_xmit_attr_t *ixa, ill_t *ill, ip_recv_attr_t *ira)
{
- ipsec_in_t *ii;
- ipsec_out_t *io;
ipsec_policy_t *pol;
ipsec_action_t *act;
- boolean_t v4, icmp_loopback;
- zoneid_t zoneid;
- netstack_t *ns;
- ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
+ /* Non-IPsec operations */
+ ira->ira_free_flags = 0;
+ ira->ira_zoneid = ixa->ixa_zoneid;
+ ira->ira_cred = ixa->ixa_cred;
+ ira->ira_cpid = ixa->ixa_cpid;
+ ira->ira_tsl = ixa->ixa_tsl;
+ ira->ira_ill = ira->ira_rill = ill;
+ ira->ira_flags = ixa->ixa_flags & IAF_MASK;
+ ira->ira_no_loop_zoneid = ixa->ixa_no_loop_zoneid;
+ ira->ira_pktlen = ixa->ixa_pktlen;
+ ira->ira_ip_hdr_length = ixa->ixa_ip_hdr_length;
+ ira->ira_protocol = ixa->ixa_protocol;
+ ira->ira_mhip = NULL;
+
+ ira->ira_flags |= IRAF_LOOPBACK | IRAF_L2SRC_LOOPBACK;
+
+ ira->ira_sqp = ixa->ixa_sqp;
+ ira->ira_ring = NULL;
+
+ ira->ira_ruifindex = ill->ill_phyint->phyint_ifindex;
+ ira->ira_rifindex = ira->ira_ruifindex;
+
+ if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE))
+ return;
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
+ ira->ira_flags |= IRAF_IPSEC_SECURE;
- v4 = io->ipsec_out_v4;
- zoneid = io->ipsec_out_zoneid;
- icmp_loopback = io->ipsec_out_icmp_loopback;
- ns = io->ipsec_out_ns;
+ ira->ira_ipsec_ah_sa = NULL;
+ ira->ira_ipsec_esp_sa = NULL;
- act = io->ipsec_out_act;
+ act = ixa->ixa_ipsec_action;
if (act == NULL) {
- pol = io->ipsec_out_policy;
+ pol = ixa->ixa_ipsec_policy;
if (pol != NULL) {
act = pol->ipsp_act;
IPACT_REFHOLD(act);
}
}
- io->ipsec_out_act = NULL;
-
- ipsec_out_release_refs(io); /* No netstack_rele/hold needed */
-
- ii = (ipsec_in_t *)ipsec_mp->b_rptr;
- bzero(ii, sizeof (ipsec_in_t));
- ii->ipsec_in_type = IPSEC_IN;
- ii->ipsec_in_len = sizeof (ipsec_in_t);
- ii->ipsec_in_loopback = B_TRUE;
- ii->ipsec_in_ns = ns; /* No netstack_hold */
-
- ii->ipsec_in_frtn.free_func = ipsec_in_free;
- ii->ipsec_in_frtn.free_arg = (char *)ii;
- ii->ipsec_in_action = act;
- ii->ipsec_in_zoneid = zoneid;
-
- /*
- * In most of the cases, we can't look at the ipsec_out_XXX_sa
- * because this never went through IPSEC processing. So, look at
- * the requests and infer whether it would have gone through
- * IPSEC processing or not. Initialize the "done" fields with
- * the requests. The possible values for "done" fields are :
- *
- * 1) zero, indicates that a particular preference was never
- * requested.
- * 2) non-zero, indicates that it could be IPSEC_PREF_REQUIRED/
- * IPSEC_PREF_NEVER. If IPSEC_REQ_DONE is set, it means that
- * IPSEC processing has been completed.
- */
- ii->ipsec_in_secure = B_TRUE;
- ii->ipsec_in_v4 = v4;
- ii->ipsec_in_icmp_loopback = icmp_loopback;
+ ixa->ixa_ipsec_action = NULL;
+ ira->ira_ipsec_action = act;
}
/*
- * Consults global policy to see whether this datagram should
- * go out secure. If so it attaches a ipsec_mp in front and
- * returns.
+ * Consults global policy and per-socket policy to see whether this datagram
+ * should go out secure. If so it updates the ip_xmit_attr_t
+ * Should not be used when connecting, since then we want to latch the policy.
+ *
+ * If connp is NULL we just look at the global policy.
+ *
+ * Returns NULL if the packet was dropped, in which case the MIB has
+ * been incremented and ip_drop_packet done.
*/
mblk_t *
-ip_wput_attach_policy(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h, ire_t *ire,
- conn_t *connp, boolean_t unspec_src, zoneid_t zoneid)
+ip_output_attach_policy(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h,
+ const conn_t *connp, ip_xmit_attr_t *ixa)
{
- mblk_t *mp;
- ipsec_out_t *io = NULL;
ipsec_selector_t sel;
- uint_t ill_index;
- boolean_t conn_dontroutex;
- boolean_t conn_multicast_loopx;
- boolean_t policy_present;
- ip_stack_t *ipst = ire->ire_ipst;
+ boolean_t policy_present;
+ ip_stack_t *ipst = ixa->ixa_ipst;
netstack_t *ns = ipst->ips_netstack;
ipsec_stack_t *ipss = ns->netstack_ipsec;
+ ipsec_policy_t *p;
+ ixa->ixa_ipsec_policy_gen = ipss->ipsec_system_policy.iph_gen;
ASSERT((ipha != NULL && ip6h == NULL) ||
(ip6h != NULL && ipha == NULL));
- bzero((void*)&sel, sizeof (sel));
-
if (ipha != NULL)
policy_present = ipss->ipsec_outbound_v4_policy_present;
else
policy_present = ipss->ipsec_outbound_v6_policy_present;
- /*
- * Fast Path to see if there is any policy.
- */
- if (!policy_present) {
- if (ipsec_mp->b_datap->db_type == M_CTL) {
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
- if (!io->ipsec_out_secure) {
- /*
- * If there is no global policy and ip_wput
- * or ip_wput_multicast has attached this mp
- * for multicast case, free the ipsec_mp and
- * return the original mp.
- */
- mp = ipsec_mp->b_cont;
- freeb(ipsec_mp);
- ipsec_mp = mp;
- io = NULL;
- }
- ASSERT(io == NULL || !io->ipsec_out_tunnel);
- }
- if (((io == NULL) || (io->ipsec_out_polhead == NULL)) &&
- ((connp == NULL) || (connp->conn_policy == NULL)))
- return (ipsec_mp);
- }
- ill_index = 0;
- conn_multicast_loopx = conn_dontroutex = B_FALSE;
- mp = ipsec_mp;
- if (ipsec_mp->b_datap->db_type == M_CTL) {
- mp = ipsec_mp->b_cont;
- /*
- * This is a connection where we have some per-socket
- * policy or ip_wput has attached an ipsec_mp for
- * the multicast datagram.
- */
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
- if (!io->ipsec_out_secure) {
- /*
- * This ipsec_mp was allocated in ip_wput or
- * ip_wput_multicast so that we will know the
- * value of ill_index, conn_dontroute,
- * conn_multicast_loop in the multicast case if
- * we inherit global policy here.
- */
- ill_index = io->ipsec_out_ill_index;
- conn_dontroutex = io->ipsec_out_dontroute;
- conn_multicast_loopx = io->ipsec_out_multicast_loop;
- freeb(ipsec_mp);
- ipsec_mp = mp;
- io = NULL;
- }
- ASSERT(io == NULL || !io->ipsec_out_tunnel);
- }
+ if (!policy_present && (connp == NULL || connp->conn_policy == NULL))
+ return (mp);
+
+ bzero((void*)&sel, sizeof (sel));
if (ipha != NULL) {
- sel.ips_local_addr_v4 = (ipha->ipha_src != 0 ?
- ipha->ipha_src : ire->ire_src_addr);
+ sel.ips_local_addr_v4 = ipha->ipha_src;
sel.ips_remote_addr_v4 = ip_get_dst(ipha);
- sel.ips_protocol = (uint8_t)ipha->ipha_protocol;
sel.ips_isv4 = B_TRUE;
} else {
- ushort_t hdr_len;
- uint8_t *nexthdrp;
- boolean_t is_fragment;
-
sel.ips_isv4 = B_FALSE;
- if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) {
- if (!unspec_src)
- sel.ips_local_addr_v6 = ire->ire_src_addr_v6;
- } else {
- sel.ips_local_addr_v6 = ip6h->ip6_src;
- }
-
- sel.ips_remote_addr_v6 = ip_get_dst_v6(ip6h, mp, &is_fragment);
- if (is_fragment) {
- /*
- * It's a packet fragment for a packet that
- * we have already processed (since IPsec processing
- * is done before fragmentation), so we don't
- * have to do policy checks again. Fragments can
- * come back to us for processing if they have
- * been queued up due to flow control.
- */
- if (ipsec_mp->b_datap->db_type == M_CTL) {
- mp = ipsec_mp->b_cont;
- freeb(ipsec_mp);
- ipsec_mp = mp;
- }
- return (ipsec_mp);
- }
-
- /* IPv6 common-case. */
- sel.ips_protocol = ip6h->ip6_nxt;
- switch (ip6h->ip6_nxt) {
- case IPPROTO_TCP:
- case IPPROTO_UDP:
- case IPPROTO_SCTP:
- case IPPROTO_ICMPV6:
- break;
- default:
- if (!ip_hdr_length_nexthdr_v6(mp, ip6h,
- &hdr_len, &nexthdrp)) {
- BUMP_MIB(&ipst->ips_ip6_mib,
- ipIfStatsOutDiscards);
- freemsg(ipsec_mp); /* Not IPsec-related drop. */
- return (NULL);
- }
- sel.ips_protocol = *nexthdrp;
- break;
- }
+ sel.ips_local_addr_v6 = ip6h->ip6_src;
+ sel.ips_remote_addr_v6 = ip_get_dst_v6(ip6h, mp, NULL);
}
+ sel.ips_protocol = ixa->ixa_protocol;
if (!ipsec_init_outbound_ports(&sel, mp, ipha, ip6h, 0, ipss)) {
if (ipha != NULL) {
@@ -4794,65 +4225,36 @@ ip_wput_attach_policy(mblk_t *ipsec_mp, ipha_t *ipha, ip6_t *ip6h, ire_t *ire,
} else {
BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsOutDiscards);
}
-
- /* Callee dropped the packet. */
+ /* Note: mp already consumed and ip_drop_packet done */
return (NULL);
}
- if (io != NULL) {
- /*
- * We seem to have some local policy (we already have
- * an ipsec_out). Look at global policy and see
- * whether we have to inherit or not.
- */
- io->ipsec_out_need_policy = B_FALSE;
- ipsec_mp = ipsec_apply_global_policy(ipsec_mp, connp,
- &sel, ns);
- ASSERT((io->ipsec_out_policy != NULL) ||
- (io->ipsec_out_act != NULL));
- ASSERT(io->ipsec_out_need_policy == B_FALSE);
- return (ipsec_mp);
+ ASSERT(ixa->ixa_ipsec_policy == NULL);
+ p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
+ ixa->ixa_ipsec_policy = p;
+ if (p != NULL) {
+ ixa->ixa_flags |= IXAF_IPSEC_SECURE;
+ if (connp == NULL || connp->conn_policy == NULL)
+ ixa->ixa_flags |= IXAF_IPSEC_GLOBAL_POLICY;
+ } else {
+ ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
}
- /*
- * We pass in a pointer to a pointer because mp can become
- * NULL due to allocation failures or explicit drops. Callers
- * of this function should assume a NULL mp means the packet
- * was dropped.
- */
- ipsec_mp = ipsec_attach_global_policy(&mp, connp, &sel, ns);
- if (ipsec_mp == NULL)
- return (mp);
/*
* Copy the right port information.
*/
- ASSERT(ipsec_mp->b_datap->db_type == M_CTL);
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
-
- ASSERT(io->ipsec_out_need_policy == B_FALSE);
- ASSERT((io->ipsec_out_policy != NULL) ||
- (io->ipsec_out_act != NULL));
- io->ipsec_out_src_port = sel.ips_local_port;
- io->ipsec_out_dst_port = sel.ips_remote_port;
- io->ipsec_out_icmp_type = sel.ips_icmp_type;
- io->ipsec_out_icmp_code = sel.ips_icmp_code;
- /*
- * Set ill_index, conn_dontroute and conn_multicast_loop
- * for multicast datagrams.
- */
- io->ipsec_out_ill_index = ill_index;
- io->ipsec_out_dontroute = conn_dontroutex;
- io->ipsec_out_multicast_loop = conn_multicast_loopx;
-
- if (zoneid == ALL_ZONES)
- zoneid = GLOBAL_ZONEID;
- io->ipsec_out_zoneid = zoneid;
- return (ipsec_mp);
+ ixa->ixa_ipsec_src_port = sel.ips_local_port;
+ ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
+ ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
+ ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
+ ixa->ixa_ipsec_proto = sel.ips_protocol;
+ return (mp);
}
/*
* When appropriate, this function caches inbound and outbound policy
- * for this connection.
+ * for this connection. The outbound policy is stored in conn_ixa.
+ * Note that it can not be used for SCTP since conn_faddr isn't set for SCTP.
*
* XXX need to work out more details about per-interface policy and
* caching here!
@@ -4866,20 +4268,38 @@ ipsec_conn_cache_policy(conn_t *connp, boolean_t isv4)
netstack_t *ns = connp->conn_netstack;
ipsec_stack_t *ipss = ns->netstack_ipsec;
+ connp->conn_ixa->ixa_ipsec_policy_gen =
+ ipss->ipsec_system_policy.iph_gen;
/*
* There is no policy latching for ICMP sockets because we can't
* decide on which policy to use until we see the packet and get
* type/code selectors.
*/
- if (connp->conn_ulp == IPPROTO_ICMP ||
- connp->conn_ulp == IPPROTO_ICMPV6) {
+ if (connp->conn_proto == IPPROTO_ICMP ||
+ connp->conn_proto == IPPROTO_ICMPV6) {
connp->conn_in_enforce_policy =
connp->conn_out_enforce_policy = B_TRUE;
if (connp->conn_latch != NULL) {
- IPLATCH_REFRELE(connp->conn_latch, ns);
+ IPLATCH_REFRELE(connp->conn_latch);
connp->conn_latch = NULL;
}
- connp->conn_flags |= IPCL_CHECK_POLICY;
+ if (connp->conn_latch_in_policy != NULL) {
+ IPPOL_REFRELE(connp->conn_latch_in_policy);
+ connp->conn_latch_in_policy = NULL;
+ }
+ if (connp->conn_latch_in_action != NULL) {
+ IPACT_REFRELE(connp->conn_latch_in_action);
+ connp->conn_latch_in_action = NULL;
+ }
+ if (connp->conn_ixa->ixa_ipsec_policy != NULL) {
+ IPPOL_REFRELE(connp->conn_ixa->ixa_ipsec_policy);
+ connp->conn_ixa->ixa_ipsec_policy = NULL;
+ }
+ if (connp->conn_ixa->ixa_ipsec_action != NULL) {
+ IPACT_REFRELE(connp->conn_ixa->ixa_ipsec_action);
+ connp->conn_ixa->ixa_ipsec_action = NULL;
+ }
+ connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
return (0);
}
@@ -4898,38 +4318,57 @@ ipsec_conn_cache_policy(conn_t *connp, boolean_t isv4)
return (ENOMEM);
}
- sel.ips_protocol = connp->conn_ulp;
+ bzero((void*)&sel, sizeof (sel));
+
+ sel.ips_protocol = connp->conn_proto;
sel.ips_local_port = connp->conn_lport;
sel.ips_remote_port = connp->conn_fport;
sel.ips_is_icmp_inv_acq = 0;
sel.ips_isv4 = isv4;
if (isv4) {
- sel.ips_local_addr_v4 = connp->conn_src;
- sel.ips_remote_addr_v4 = connp->conn_rem;
+ sel.ips_local_addr_v4 = connp->conn_laddr_v4;
+ sel.ips_remote_addr_v4 = connp->conn_faddr_v4;
} else {
- sel.ips_local_addr_v6 = connp->conn_srcv6;
- sel.ips_remote_addr_v6 = connp->conn_remv6;
+ sel.ips_local_addr_v6 = connp->conn_laddr_v6;
+ sel.ips_remote_addr_v6 = connp->conn_faddr_v6;
}
- p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, NULL, &sel,
- ns);
- if (connp->conn_latch->ipl_in_policy != NULL)
- IPPOL_REFRELE(connp->conn_latch->ipl_in_policy, ns);
- connp->conn_latch->ipl_in_policy = p;
+ p = ipsec_find_policy(IPSEC_TYPE_INBOUND, connp, &sel, ns);
+ if (connp->conn_latch_in_policy != NULL)
+ IPPOL_REFRELE(connp->conn_latch_in_policy);
+ connp->conn_latch_in_policy = p;
connp->conn_in_enforce_policy = (p != NULL);
- p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, NULL, &sel,
- ns);
- if (connp->conn_latch->ipl_out_policy != NULL)
- IPPOL_REFRELE(connp->conn_latch->ipl_out_policy, ns);
- connp->conn_latch->ipl_out_policy = p;
+ p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
+ if (connp->conn_ixa->ixa_ipsec_policy != NULL)
+ IPPOL_REFRELE(connp->conn_ixa->ixa_ipsec_policy);
+ connp->conn_ixa->ixa_ipsec_policy = p;
connp->conn_out_enforce_policy = (p != NULL);
-
+ if (p != NULL) {
+ connp->conn_ixa->ixa_flags |= IXAF_IPSEC_SECURE;
+ if (connp->conn_policy == NULL) {
+ connp->conn_ixa->ixa_flags |=
+ IXAF_IPSEC_GLOBAL_POLICY;
+ }
+ } else {
+ connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
+ }
/* Clear the latched actions too, in case we're recaching. */
- if (connp->conn_latch->ipl_out_action != NULL)
- IPACT_REFRELE(connp->conn_latch->ipl_out_action);
- if (connp->conn_latch->ipl_in_action != NULL)
- IPACT_REFRELE(connp->conn_latch->ipl_in_action);
+ if (connp->conn_ixa->ixa_ipsec_action != NULL) {
+ IPACT_REFRELE(connp->conn_ixa->ixa_ipsec_action);
+ connp->conn_ixa->ixa_ipsec_action = NULL;
+ }
+ if (connp->conn_latch_in_action != NULL) {
+ IPACT_REFRELE(connp->conn_latch_in_action);
+ connp->conn_latch_in_action = NULL;
+ }
+ connp->conn_ixa->ixa_ipsec_src_port = sel.ips_local_port;
+ connp->conn_ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
+ connp->conn_ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
+ connp->conn_ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
+ connp->conn_ixa->ixa_ipsec_proto = sel.ips_protocol;
+ } else {
+ connp->conn_ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
}
/*
@@ -4945,28 +4384,125 @@ ipsec_conn_cache_policy(conn_t *connp, boolean_t isv4)
* global policy (because conn_policy_cached is already set).
*/
connp->conn_policy_cached = B_TRUE;
- if (connp->conn_in_enforce_policy)
- connp->conn_flags |= IPCL_CHECK_POLICY;
return (0);
}
+/*
+ * When appropriate, this function caches outbound policy for faddr/fport.
+ * It is used when we are not connected i.e., when we can not latch the
+ * policy.
+ */
void
-iplatch_free(ipsec_latch_t *ipl, netstack_t *ns)
-{
- if (ipl->ipl_out_policy != NULL)
- IPPOL_REFRELE(ipl->ipl_out_policy, ns);
- if (ipl->ipl_in_policy != NULL)
- IPPOL_REFRELE(ipl->ipl_in_policy, ns);
- if (ipl->ipl_in_action != NULL)
- IPACT_REFRELE(ipl->ipl_in_action);
- if (ipl->ipl_out_action != NULL)
- IPACT_REFRELE(ipl->ipl_out_action);
+ipsec_cache_outbound_policy(const conn_t *connp, const in6_addr_t *v6src,
+ const in6_addr_t *v6dst, in_port_t dstport, ip_xmit_attr_t *ixa)
+{
+ boolean_t isv4 = (ixa->ixa_flags & IXAF_IS_IPV4) != 0;
+ boolean_t global_policy_present;
+ netstack_t *ns = connp->conn_netstack;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+
+ ixa->ixa_ipsec_policy_gen = ipss->ipsec_system_policy.iph_gen;
+
+ /*
+ * There is no policy caching for ICMP sockets because we can't
+ * decide on which policy to use until we see the packet and get
+ * type/code selectors.
+ */
+ if (connp->conn_proto == IPPROTO_ICMP ||
+ connp->conn_proto == IPPROTO_ICMPV6) {
+ ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
+ if (ixa->ixa_ipsec_policy != NULL) {
+ IPPOL_REFRELE(ixa->ixa_ipsec_policy);
+ ixa->ixa_ipsec_policy = NULL;
+ }
+ if (ixa->ixa_ipsec_action != NULL) {
+ IPACT_REFRELE(ixa->ixa_ipsec_action);
+ ixa->ixa_ipsec_action = NULL;
+ }
+ return;
+ }
+
+ global_policy_present = isv4 ?
+ (ipss->ipsec_outbound_v4_policy_present ||
+ ipss->ipsec_inbound_v4_policy_present) :
+ (ipss->ipsec_outbound_v6_policy_present ||
+ ipss->ipsec_inbound_v6_policy_present);
+
+ if ((connp->conn_policy != NULL) || global_policy_present) {
+ ipsec_selector_t sel;
+ ipsec_policy_t *p;
+
+ bzero((void*)&sel, sizeof (sel));
+
+ sel.ips_protocol = connp->conn_proto;
+ sel.ips_local_port = connp->conn_lport;
+ sel.ips_remote_port = dstport;
+ sel.ips_is_icmp_inv_acq = 0;
+ sel.ips_isv4 = isv4;
+ if (isv4) {
+ IN6_V4MAPPED_TO_IPADDR(v6src, sel.ips_local_addr_v4);
+ IN6_V4MAPPED_TO_IPADDR(v6dst, sel.ips_remote_addr_v4);
+ } else {
+ sel.ips_local_addr_v6 = *v6src;
+ sel.ips_remote_addr_v6 = *v6dst;
+ }
+
+ p = ipsec_find_policy(IPSEC_TYPE_OUTBOUND, connp, &sel, ns);
+ if (ixa->ixa_ipsec_policy != NULL)
+ IPPOL_REFRELE(ixa->ixa_ipsec_policy);
+ ixa->ixa_ipsec_policy = p;
+ if (p != NULL) {
+ ixa->ixa_flags |= IXAF_IPSEC_SECURE;
+ if (connp->conn_policy == NULL)
+ ixa->ixa_flags |= IXAF_IPSEC_GLOBAL_POLICY;
+ } else {
+ ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
+ }
+ /* Clear the latched actions too, in case we're recaching. */
+ if (ixa->ixa_ipsec_action != NULL) {
+ IPACT_REFRELE(ixa->ixa_ipsec_action);
+ ixa->ixa_ipsec_action = NULL;
+ }
+
+ ixa->ixa_ipsec_src_port = sel.ips_local_port;
+ ixa->ixa_ipsec_dst_port = sel.ips_remote_port;
+ ixa->ixa_ipsec_icmp_type = sel.ips_icmp_type;
+ ixa->ixa_ipsec_icmp_code = sel.ips_icmp_code;
+ ixa->ixa_ipsec_proto = sel.ips_protocol;
+ } else {
+ ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
+ if (ixa->ixa_ipsec_policy != NULL) {
+ IPPOL_REFRELE(ixa->ixa_ipsec_policy);
+ ixa->ixa_ipsec_policy = NULL;
+ }
+ if (ixa->ixa_ipsec_action != NULL) {
+ IPACT_REFRELE(ixa->ixa_ipsec_action);
+ ixa->ixa_ipsec_action = NULL;
+ }
+ }
+}
+
+/*
+ * Returns B_FALSE if the policy has gone stale.
+ */
+boolean_t
+ipsec_outbound_policy_current(ip_xmit_attr_t *ixa)
+{
+ ipsec_stack_t *ipss = ixa->ixa_ipst->ips_netstack->netstack_ipsec;
+
+ if (!(ixa->ixa_flags & IXAF_IPSEC_GLOBAL_POLICY))
+ return (B_TRUE);
+
+ return (ixa->ixa_ipsec_policy_gen == ipss->ipsec_system_policy.iph_gen);
+}
+
+void
+iplatch_free(ipsec_latch_t *ipl)
+{
if (ipl->ipl_local_cid != NULL)
IPSID_REFRELE(ipl->ipl_local_cid);
if (ipl->ipl_remote_cid != NULL)
IPSID_REFRELE(ipl->ipl_remote_cid);
- if (ipl->ipl_local_id != NULL)
- crfree(ipl->ipl_local_id);
mutex_destroy(&ipl->ipl_lock);
kmem_free(ipl, sizeof (*ipl));
}
@@ -5622,18 +5158,19 @@ ipsec_unregister_prov_update(void)
* SAs are available. If there's no per-tunnel policy, or a match comes back
* with no match, then still return the packet and have global policy take
* a crack at it in IP.
+ * This updates the ip_xmit_attr with the IPsec policy.
*
* Remember -> we can be forwarding packets. Keep that in mind w.r.t.
* inner-packet contents.
*/
mblk_t *
ipsec_tun_outbound(mblk_t *mp, iptun_t *iptun, ipha_t *inner_ipv4,
- ip6_t *inner_ipv6, ipha_t *outer_ipv4, ip6_t *outer_ipv6, int outer_hdr_len)
+ ip6_t *inner_ipv6, ipha_t *outer_ipv4, ip6_t *outer_ipv6, int outer_hdr_len,
+ ip_xmit_attr_t *ixa)
{
ipsec_policy_head_t *polhead;
ipsec_selector_t sel;
- mblk_t *ipsec_mp, *ipsec_mp_head, *nmp;
- ipsec_out_t *io;
+ mblk_t *nmp;
boolean_t is_fragment;
ipsec_policy_t *pol;
ipsec_tun_pol_t *itp = iptun->iptun_itp;
@@ -5644,6 +5181,15 @@ ipsec_tun_outbound(mblk_t *mp, iptun_t *iptun, ipha_t *inner_ipv4,
outer_ipv4 != NULL && outer_ipv6 == NULL);
/* We take care of inners in a bit. */
+ /* Are the IPsec fields initialized at all? */
+ if (!(ixa->ixa_flags & IXAF_IPSEC_SECURE)) {
+ ASSERT(ixa->ixa_ipsec_policy == NULL);
+ ASSERT(ixa->ixa_ipsec_latch == NULL);
+ ASSERT(ixa->ixa_ipsec_action == NULL);
+ ASSERT(ixa->ixa_ipsec_ah_sa == NULL);
+ ASSERT(ixa->ixa_ipsec_esp_sa == NULL);
+ }
+
ASSERT(itp != NULL && (itp->itp_flags & ITPF_P_ACTIVE));
polhead = itp->itp_policy;
@@ -5675,7 +5221,7 @@ ipsec_tun_outbound(mblk_t *mp, iptun_t *iptun, ipha_t *inner_ipv4,
if (mp->b_cont != NULL) {
nmp = msgpullup(mp, -1);
if (nmp == NULL) {
- ip_drop_packet(mp, B_FALSE, NULL, NULL,
+ ip_drop_packet(mp, B_FALSE, NULL,
DROPPER(ipss, ipds_spd_nomem),
&ipss->ipsec_spd_dropper);
return (NULL);
@@ -5734,8 +5280,8 @@ ipsec_tun_outbound(mblk_t *mp, iptun_t *iptun, ipha_t *inner_ipv4,
ip6h = (ip6_t *)mp->b_rptr;
if (!ip_hdr_length_nexthdr_v6(mp, ip6h,
&ip6_hdr_length, &v6_proto_p)) {
- ip_drop_packet_chain(mp, B_FALSE,
- NULL, NULL, DROPPER(ipss,
+ ip_drop_packet_chain(mp, B_FALSE, NULL,
+ DROPPER(ipss,
ipds_spd_malformed_packet),
&ipss->ipsec_spd_dropper);
return (NULL);
@@ -5761,8 +5307,8 @@ ipsec_tun_outbound(mblk_t *mp, iptun_t *iptun, ipha_t *inner_ipv4,
sel.ips_remote_addr_v6 = inner_ipv6->ip6_dst;
if (!ip_hdr_length_nexthdr_v6(mp,
inner_ipv6, &ip6_hdr_length, &v6_proto_p)) {
- ip_drop_packet_chain(mp, B_FALSE,
- NULL, NULL, DROPPER(ipss,
+ ip_drop_packet_chain(mp, B_FALSE, NULL,
+ DROPPER(ipss,
ipds_spd_malformed_frag),
&ipss->ipsec_spd_dropper);
return (NULL);
@@ -5802,8 +5348,7 @@ ipsec_tun_outbound(mblk_t *mp, iptun_t *iptun, ipha_t *inner_ipv4,
/* Success so far! */
}
rw_enter(&polhead->iph_lock, RW_READER);
- pol = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_OUTBOUND,
- &sel, ns);
+ pol = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_OUTBOUND, &sel);
rw_exit(&polhead->iph_lock);
if (pol == NULL) {
/*
@@ -5825,7 +5370,7 @@ ipsec_tun_outbound(mblk_t *mp, iptun_t *iptun, ipha_t *inner_ipv4,
cmn_err(CE_WARN, "ipsec_tun_outbound(): No matching tunnel "
"per-port policy\n");
#endif
- ip_drop_packet_chain(mp, B_FALSE, NULL, NULL,
+ ip_drop_packet_chain(mp, B_FALSE, NULL,
DROPPER(ipss, ipds_spd_explicit),
&ipss->ipsec_spd_dropper);
return (NULL);
@@ -5835,101 +5380,65 @@ ipsec_tun_outbound(mblk_t *mp, iptun_t *iptun, ipha_t *inner_ipv4,
cmn_err(CE_WARN, "Having matching tunnel per-port policy\n");
#endif
- /* Construct an IPSEC_OUT message. */
- ipsec_mp = ipsec_mp_head = ipsec_alloc_ipsec_out(ns);
- if (ipsec_mp == NULL) {
- IPPOL_REFRELE(pol, ns);
- ip_drop_packet(mp, B_FALSE, NULL, NULL,
- DROPPER(ipss, ipds_spd_nomem),
- &ipss->ipsec_spd_dropper);
- return (NULL);
- }
- ipsec_mp->b_cont = mp;
- io = (ipsec_out_t *)ipsec_mp->b_rptr;
- IPPH_REFHOLD(polhead);
/*
- * NOTE: free() function of ipsec_out mblk will release polhead and
- * pol references.
+ * NOTE: ixa_cleanup() function will release pol references.
*/
- io->ipsec_out_polhead = polhead;
- io->ipsec_out_policy = pol;
+ ixa->ixa_ipsec_policy = pol;
/*
* NOTE: There is a subtle difference between iptun_zoneid and
* iptun_connp->conn_zoneid explained in iptun_conn_create(). When
* interacting with the ip module, we must use conn_zoneid.
*/
- io->ipsec_out_zoneid = iptun->iptun_connp->conn_zoneid;
- io->ipsec_out_v4 = (outer_ipv4 != NULL);
- io->ipsec_out_secure = B_TRUE;
+ ixa->ixa_zoneid = iptun->iptun_connp->conn_zoneid;
+
+ ASSERT((outer_ipv4 != NULL) ? (ixa->ixa_flags & IXAF_IS_IPV4) :
+ !(ixa->ixa_flags & IXAF_IS_IPV4));
+ ASSERT(ixa->ixa_ipsec_policy != NULL);
+ ixa->ixa_flags |= IXAF_IPSEC_SECURE;
if (!(itp->itp_flags & ITPF_P_TUNNEL)) {
/* Set up transport mode for tunnelled packets. */
- io->ipsec_out_proto = (inner_ipv4 != NULL) ? IPPROTO_ENCAP :
+ ixa->ixa_ipsec_proto = (inner_ipv4 != NULL) ? IPPROTO_ENCAP :
IPPROTO_IPV6;
- return (ipsec_mp);
+ return (mp);
}
/* Fill in tunnel-mode goodies here. */
- io->ipsec_out_tunnel = B_TRUE;
+ ixa->ixa_flags |= IXAF_IPSEC_TUNNEL;
/* XXX Do I need to fill in all of the goodies here? */
if (inner_ipv4) {
- io->ipsec_out_inaf = AF_INET;
- io->ipsec_out_insrc[0] =
+ ixa->ixa_ipsec_inaf = AF_INET;
+ ixa->ixa_ipsec_insrc[0] =
pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v4;
- io->ipsec_out_indst[0] =
+ ixa->ixa_ipsec_indst[0] =
pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v4;
} else {
- io->ipsec_out_inaf = AF_INET6;
- io->ipsec_out_insrc[0] =
+ ixa->ixa_ipsec_inaf = AF_INET6;
+ ixa->ixa_ipsec_insrc[0] =
pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[0];
- io->ipsec_out_insrc[1] =
+ ixa->ixa_ipsec_insrc[1] =
pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[1];
- io->ipsec_out_insrc[2] =
+ ixa->ixa_ipsec_insrc[2] =
pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[2];
- io->ipsec_out_insrc[3] =
+ ixa->ixa_ipsec_insrc[3] =
pol->ipsp_sel->ipsl_key.ipsl_local.ipsad_v6.s6_addr32[3];
- io->ipsec_out_indst[0] =
+ ixa->ixa_ipsec_indst[0] =
pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[0];
- io->ipsec_out_indst[1] =
+ ixa->ixa_ipsec_indst[1] =
pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[1];
- io->ipsec_out_indst[2] =
+ ixa->ixa_ipsec_indst[2] =
pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[2];
- io->ipsec_out_indst[3] =
+ ixa->ixa_ipsec_indst[3] =
pol->ipsp_sel->ipsl_key.ipsl_remote.ipsad_v6.s6_addr32[3];
}
- io->ipsec_out_insrcpfx = pol->ipsp_sel->ipsl_key.ipsl_local_pfxlen;
- io->ipsec_out_indstpfx = pol->ipsp_sel->ipsl_key.ipsl_remote_pfxlen;
+ ixa->ixa_ipsec_insrcpfx = pol->ipsp_sel->ipsl_key.ipsl_local_pfxlen;
+ ixa->ixa_ipsec_indstpfx = pol->ipsp_sel->ipsl_key.ipsl_remote_pfxlen;
/* NOTE: These are used for transport mode too. */
- io->ipsec_out_src_port = pol->ipsp_sel->ipsl_key.ipsl_lport;
- io->ipsec_out_dst_port = pol->ipsp_sel->ipsl_key.ipsl_rport;
- io->ipsec_out_proto = pol->ipsp_sel->ipsl_key.ipsl_proto;
+ ixa->ixa_ipsec_src_port = pol->ipsp_sel->ipsl_key.ipsl_lport;
+ ixa->ixa_ipsec_dst_port = pol->ipsp_sel->ipsl_key.ipsl_rport;
+ ixa->ixa_ipsec_proto = pol->ipsp_sel->ipsl_key.ipsl_proto;
- /*
- * The mp pointer still valid
- * Add ipsec_out to each fragment.
- * The fragment head already has one
- */
- nmp = mp->b_next;
- mp->b_next = NULL;
- mp = nmp;
- ASSERT(ipsec_mp != NULL);
- while (mp != NULL) {
- nmp = mp->b_next;
- ipsec_mp->b_next = ipsec_out_tag(ipsec_mp_head, mp, ns);
- if (ipsec_mp->b_next == NULL) {
- ip_drop_packet_chain(ipsec_mp_head, B_FALSE, NULL, NULL,
- DROPPER(ipss, ipds_spd_nomem),
- &ipss->ipsec_spd_dropper);
- ip_drop_packet_chain(mp, B_FALSE, NULL, NULL,
- DROPPER(ipss, ipds_spd_nomem),
- &ipss->ipsec_spd_dropper);
- return (NULL);
- }
- ipsec_mp = ipsec_mp->b_next;
- mp->b_next = NULL;
- mp = nmp;
- }
- return (ipsec_mp_head);
+ return (mp);
}
/*
@@ -5937,16 +5446,28 @@ ipsec_tun_outbound(mblk_t *mp, iptun_t *iptun, ipha_t *inner_ipv4,
* calls ip_drop_packet() for me on NULL returns.
*/
mblk_t *
-ipsec_check_ipsecin_policy_reasm(mblk_t *ipsec_mp, ipsec_policy_t *pol,
+ipsec_check_ipsecin_policy_reasm(mblk_t *attr_mp, ipsec_policy_t *pol,
ipha_t *inner_ipv4, ip6_t *inner_ipv6, uint64_t pkt_unique, netstack_t *ns)
{
- /* Assume ipsec_mp is a chain of b_next-linked IPSEC_IN M_CTLs. */
+ /* Assume attr_mp is a chain of b_next-linked ip_recv_attr mblk. */
mblk_t *data_chain = NULL, *data_tail = NULL;
- mblk_t *ii_next;
-
- while (ipsec_mp != NULL) {
- ii_next = ipsec_mp->b_next;
- ipsec_mp->b_next = NULL; /* No tripping asserts. */
+ mblk_t *next;
+ mblk_t *data_mp;
+ ip_recv_attr_t iras;
+
+ while (attr_mp != NULL) {
+ ASSERT(ip_recv_attr_is_mblk(attr_mp));
+ next = attr_mp->b_next;
+ attr_mp->b_next = NULL; /* No tripping asserts. */
+
+ data_mp = attr_mp->b_cont;
+ attr_mp->b_cont = NULL;
+ if (!ip_recv_attr_from_mblk(attr_mp, &iras)) {
+ /* The ill or ip_stack_t disappeared on us */
+ freemsg(data_mp); /* ip_drop_packet?? */
+ ira_cleanup(&iras, B_TRUE);
+ goto fail;
+ }
/*
* Need IPPOL_REFHOLD(pol) for extras because
@@ -5954,67 +5475,67 @@ ipsec_check_ipsecin_policy_reasm(mblk_t *ipsec_mp, ipsec_policy_t *pol,
*/
IPPOL_REFHOLD(pol);
- if (ipsec_check_ipsecin_policy(ipsec_mp, pol, inner_ipv4,
- inner_ipv6, pkt_unique, ns) != NULL) {
- if (data_tail == NULL) {
- /* First one */
- data_chain = data_tail = ipsec_mp->b_cont;
- } else {
- data_tail->b_next = ipsec_mp->b_cont;
- data_tail = data_tail->b_next;
- }
- freeb(ipsec_mp);
+ data_mp = ipsec_check_ipsecin_policy(data_mp, pol, inner_ipv4,
+ inner_ipv6, pkt_unique, &iras, ns);
+ ira_cleanup(&iras, B_TRUE);
+
+ if (data_mp == NULL)
+ goto fail;
+
+ if (data_tail == NULL) {
+ /* First one */
+ data_chain = data_tail = data_mp;
} else {
- /*
- * ipsec_check_ipsecin_policy() freed ipsec_mp
- * already. Need to get rid of any extra pol
- * references, and any remaining bits as well.
- */
- IPPOL_REFRELE(pol, ns);
- ipsec_freemsg_chain(data_chain);
- ipsec_freemsg_chain(ii_next); /* ipdrop stats? */
- return (NULL);
+ data_tail->b_next = data_mp;
+ data_tail = data_mp;
}
- ipsec_mp = ii_next;
+ attr_mp = next;
}
/*
* One last release because either the loop bumped it up, or we never
* called ipsec_check_ipsecin_policy().
*/
- IPPOL_REFRELE(pol, ns);
+ IPPOL_REFRELE(pol);
/* data_chain is ready for return to tun module. */
return (data_chain);
-}
+fail:
+ /*
+ * Need to get rid of any extra pol
+ * references, and any remaining bits as well.
+ */
+ IPPOL_REFRELE(pol);
+ ipsec_freemsg_chain(data_chain);
+ ipsec_freemsg_chain(next); /* ipdrop stats? */
+ return (NULL);
+}
/*
- * Returns B_TRUE if the inbound packet passed an IPsec policy check. Returns
- * B_FALSE if it failed or if it is a fragment needing its friends before a
+ * Return a message if the inbound packet passed an IPsec policy check. Returns
+ * NULL if it failed or if it is a fragment needing its friends before a
* policy check can be performed.
*
- * Expects a non-NULL *data_mp, an optional ipsec_mp, and a non-NULL polhead.
- * data_mp may be reassigned with a b_next chain of packets if fragments
+ * Expects a non-NULL data_mp, and a non-NULL polhead.
+ * The returned mblk may be a b_next chain of packets if fragments
* neeeded to be collected for a proper policy check.
*
- * Always frees ipsec_mp, but only frees data_mp if returns B_FALSE. This
- * function calls ip_drop_packet() on data_mp if need be.
+ * This function calls ip_drop_packet() on data_mp if need be.
*
* NOTE: outer_hdr_len is signed. If it's a negative value, the caller
* is inspecting an ICMP packet.
*/
-boolean_t
-ipsec_tun_inbound(mblk_t *ipsec_mp, mblk_t **data_mp, ipsec_tun_pol_t *itp,
+mblk_t *
+ipsec_tun_inbound(ip_recv_attr_t *ira, mblk_t *data_mp, ipsec_tun_pol_t *itp,
ipha_t *inner_ipv4, ip6_t *inner_ipv6, ipha_t *outer_ipv4,
ip6_t *outer_ipv6, int outer_hdr_len, netstack_t *ns)
{
ipsec_policy_head_t *polhead;
ipsec_selector_t sel;
- mblk_t *message = (ipsec_mp == NULL) ? *data_mp : ipsec_mp;
ipsec_policy_t *pol;
uint16_t tmpport;
selret_t rc;
- boolean_t retval, port_policy_present, is_icmp, global_present;
+ boolean_t port_policy_present, is_icmp, global_present;
in6_addr_t tmpaddr;
ipaddr_t tmp4;
uint8_t flags, *inner_hdr;
@@ -6032,7 +5553,6 @@ ipsec_tun_inbound(mblk_t *ipsec_mp, mblk_t **data_mp, ipsec_tun_pol_t *itp,
ASSERT(inner_ipv4 != NULL && inner_ipv6 == NULL ||
inner_ipv4 == NULL && inner_ipv6 != NULL);
- ASSERT(message == *data_mp || message->b_cont == *data_mp);
if (outer_hdr_len < 0) {
outer_hdr_len = (-outer_hdr_len);
@@ -6042,6 +5562,8 @@ ipsec_tun_inbound(mblk_t *ipsec_mp, mblk_t **data_mp, ipsec_tun_pol_t *itp,
}
if (itp != NULL && (itp->itp_flags & ITPF_P_ACTIVE)) {
+ mblk_t *mp = data_mp;
+
polhead = itp->itp_policy;
/*
* We need to perform full Tunnel-Mode enforcement,
@@ -6061,53 +5583,66 @@ ipsec_tun_inbound(mblk_t *ipsec_mp, mblk_t **data_mp, ipsec_tun_pol_t *itp,
flags = ((port_policy_present ? SEL_PORT_POLICY : SEL_NONE) |
(is_icmp ? SEL_IS_ICMP : SEL_NONE) | SEL_TUNNEL_MODE);
- rc = ipsec_init_inbound_sel(&sel, *data_mp, inner_ipv4,
+ rc = ipsec_init_inbound_sel(&sel, data_mp, inner_ipv4,
inner_ipv6, flags);
switch (rc) {
case SELRET_NOMEM:
- ip_drop_packet(message, B_TRUE, NULL, NULL,
+ ip_drop_packet(data_mp, B_TRUE, NULL,
DROPPER(ipss, ipds_spd_nomem),
&ipss->ipsec_spd_dropper);
- return (B_FALSE);
+ return (NULL);
case SELRET_TUNFRAG:
/*
* At this point, if we're cleartext, we don't want
* to go there.
*/
- if (ipsec_mp == NULL) {
- ip_drop_packet(*data_mp, B_TRUE, NULL, NULL,
+ if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
+ ip_drop_packet(data_mp, B_TRUE, NULL,
DROPPER(ipss, ipds_spd_got_clear),
&ipss->ipsec_spd_dropper);
- *data_mp = NULL;
- return (B_FALSE);
+ return (NULL);
+ }
+ /*
+ * If we need to queue the packet. First we
+ * get an mblk with the attributes. ipsec_fragcache_add
+ * will prepend that to the queued data and return
+ * a list of b_next messages each of which starts with
+ * the attribute mblk.
+ */
+ mp = ip_recv_attr_to_mblk(ira);
+ if (mp == NULL) {
+ ip_drop_packet(data_mp, B_TRUE, NULL,
+ DROPPER(ipss, ipds_spd_nomem),
+ &ipss->ipsec_spd_dropper);
+ return (NULL);
}
- ASSERT(((ipsec_in_t *)ipsec_mp->b_rptr)->
- ipsec_in_secure);
- message = ipsec_fragcache_add(&itp->itp_fragcache,
- ipsec_mp, *data_mp, outer_hdr_len, ipss);
+ mp = ipsec_fragcache_add(&itp->itp_fragcache,
+ mp, data_mp, outer_hdr_len, ipss);
- if (message == NULL) {
+ if (mp == NULL) {
/*
* Data is cached, fragment chain is not
- * complete. I consume ipsec_mp and data_mp
+ * complete.
*/
- return (B_FALSE);
+ return (NULL);
}
/*
* If we get here, we have a full fragment chain.
* Reacquire headers and selectors from first fragment.
*/
- inner_hdr = message->b_cont->b_rptr;
+ ASSERT(ip_recv_attr_is_mblk(mp));
+ data_mp = mp->b_cont;
+ inner_hdr = data_mp->b_rptr;
if (outer_ipv4 != NULL) {
inner_hdr += IPH_HDR_LENGTH(
- (ipha_t *)message->b_cont->b_rptr);
+ (ipha_t *)data_mp->b_rptr);
} else {
- inner_hdr += ip_hdr_length_v6(message->b_cont,
- (ip6_t *)message->b_cont->b_rptr);
+ inner_hdr += ip_hdr_length_v6(data_mp,
+ (ip6_t *)data_mp->b_rptr);
}
- ASSERT(inner_hdr <= message->b_cont->b_wptr);
+ ASSERT(inner_hdr <= data_mp->b_wptr);
if (inner_ipv4 != NULL) {
inner_ipv4 = (ipha_t *)inner_hdr;
@@ -6121,7 +5656,7 @@ ipsec_tun_inbound(mblk_t *ipsec_mp, mblk_t **data_mp, ipsec_tun_pol_t *itp,
* Use SEL_TUNNEL_MODE to take into account the outer
* header. Use SEL_POST_FRAG so we always get ports.
*/
- rc = ipsec_init_inbound_sel(&sel, message->b_cont,
+ rc = ipsec_init_inbound_sel(&sel, data_mp,
inner_ipv4, inner_ipv6,
SEL_TUNNEL_MODE | SEL_POST_FRAG);
switch (rc) {
@@ -6132,17 +5667,15 @@ ipsec_tun_inbound(mblk_t *ipsec_mp, mblk_t **data_mp, ipsec_tun_pol_t *itp,
*/
break;
case SELRET_NOMEM:
- ip_drop_packet_chain(message, B_TRUE,
- NULL, NULL,
+ ip_drop_packet_chain(mp, B_TRUE, NULL,
DROPPER(ipss, ipds_spd_nomem),
&ipss->ipsec_spd_dropper);
- return (B_FALSE);
+ return (NULL);
case SELRET_BADPKT:
- ip_drop_packet_chain(message, B_TRUE,
- NULL, NULL,
+ ip_drop_packet_chain(mp, B_TRUE, NULL,
DROPPER(ipss, ipds_spd_malformed_frag),
&ipss->ipsec_spd_dropper);
- return (B_FALSE);
+ return (NULL);
case SELRET_TUNFRAG:
cmn_err(CE_WARN, "(TUNFRAG on 2nd call...)");
/* FALLTHRU */
@@ -6151,7 +5684,7 @@ ipsec_tun_inbound(mblk_t *ipsec_mp, mblk_t **data_mp, ipsec_tun_pol_t *itp,
" returns bizarro 0x%x", rc);
/* Guaranteed panic! */
ASSERT(rc == SELRET_NOMEM);
- return (B_FALSE);
+ return (NULL);
}
/* FALLTHRU */
case SELRET_SUCCESS:
@@ -6174,7 +5707,7 @@ ipsec_tun_inbound(mblk_t *ipsec_mp, mblk_t **data_mp, ipsec_tun_pol_t *itp,
"ipsec_init_inbound_sel() returns bizarro 0x%x",
rc);
ASSERT(rc == SELRET_NOMEM); /* Guaranteed panic! */
- return (B_FALSE);
+ return (NULL);
}
if (is_icmp) {
@@ -6192,42 +5725,54 @@ ipsec_tun_inbound(mblk_t *ipsec_mp, mblk_t **data_mp, ipsec_tun_pol_t *itp,
/* find_policy_head() */
rw_enter(&polhead->iph_lock, RW_READER);
pol = ipsec_find_policy_head(NULL, polhead, IPSEC_TYPE_INBOUND,
- &sel, ns);
+ &sel);
rw_exit(&polhead->iph_lock);
if (pol != NULL) {
- if (ipsec_mp == NULL ||
- !((ipsec_in_t *)ipsec_mp->b_rptr)->
- ipsec_in_secure) {
- retval = pol->ipsp_act->ipa_allow_clear;
- if (!retval) {
+ uint64_t pkt_unique;
+
+ if (!(ira->ira_flags & IRAF_IPSEC_SECURE)) {
+ if (!pol->ipsp_act->ipa_allow_clear) {
/*
* XXX should never get here with
* tunnel reassembled fragments?
*/
- ASSERT(message->b_next == NULL);
- ip_drop_packet(message, B_TRUE, NULL,
- NULL,
+ ASSERT(mp == data_mp);
+ ip_drop_packet(data_mp, B_TRUE, NULL,
DROPPER(ipss, ipds_spd_got_clear),
&ipss->ipsec_spd_dropper);
- } else if (ipsec_mp != NULL) {
- freeb(ipsec_mp);
+ IPPOL_REFRELE(pol);
+ return (NULL);
+ } else {
+ IPPOL_REFRELE(pol);
+ return (mp);
}
-
- IPPOL_REFRELE(pol, ns);
- return (retval);
}
+ pkt_unique = SA_UNIQUE_ID(sel.ips_remote_port,
+ sel.ips_local_port,
+ (inner_ipv4 == NULL) ? IPPROTO_IPV6 :
+ IPPROTO_ENCAP, sel.ips_protocol);
+
/*
* NOTE: The following releases pol's reference and
* calls ip_drop_packet() for me on NULL returns.
*
* "sel" is still good here, so let's use it!
*/
- *data_mp = ipsec_check_ipsecin_policy_reasm(message,
- pol, inner_ipv4, inner_ipv6, SA_UNIQUE_ID(
- sel.ips_remote_port, sel.ips_local_port,
- (inner_ipv4 == NULL) ? IPPROTO_IPV6 :
- IPPROTO_ENCAP, sel.ips_protocol), ns);
- return (*data_mp != NULL);
+ if (data_mp == mp) {
+ /* A single packet without attributes */
+ data_mp = ipsec_check_ipsecin_policy(data_mp,
+ pol, inner_ipv4, inner_ipv6, pkt_unique,
+ ira, ns);
+ } else {
+ /*
+ * We pass in the b_next chain of attr_mp's
+ * and get back a b_next chain of data_mp's.
+ */
+ data_mp = ipsec_check_ipsecin_policy_reasm(mp,
+ pol, inner_ipv4, inner_ipv6, pkt_unique,
+ ns);
+ }
+ return (data_mp);
}
/*
@@ -6237,11 +5782,10 @@ ipsec_tun_inbound(mblk_t *ipsec_mp, mblk_t **data_mp, ipsec_tun_pol_t *itp,
* a new-style tunnel-mode tunnel.
*/
if ((itp->itp_flags & ITPF_P_TUNNEL) && !is_icmp) {
- ip_drop_packet_chain(message, B_TRUE, NULL,
- NULL,
+ ip_drop_packet_chain(data_mp, B_TRUE, NULL,
DROPPER(ipss, ipds_spd_explicit),
&ipss->ipsec_spd_dropper);
- return (B_FALSE);
+ return (NULL);
}
}
@@ -6251,24 +5795,22 @@ ipsec_tun_inbound(mblk_t *ipsec_mp, mblk_t **data_mp, ipsec_tun_pol_t *itp,
* tunnel-mode tunnel, which either returns with a pass, or gets
* hit by the ip_drop_packet_chain() call right above here.
*/
+ ASSERT(data_mp->b_next == NULL);
/* If no per-tunnel security, check global policy now. */
- if (ipsec_mp != NULL && !global_present) {
- if (((ipsec_in_t *)(ipsec_mp->b_rptr))->
- ipsec_in_icmp_loopback) {
+ if ((ira->ira_flags & IRAF_IPSEC_SECURE) && !global_present) {
+ if (ira->ira_flags & IRAF_TRUSTED_ICMP) {
/*
- * This is an ICMP message with an ipsec_mp
- * attached. We should accept it.
+ * This is an ICMP message that was geenrated locally.
+ * We should accept it.
*/
- if (ipsec_mp != NULL)
- freeb(ipsec_mp);
- return (B_TRUE);
+ return (data_mp);
}
- ip_drop_packet(ipsec_mp, B_TRUE, NULL, NULL,
+ ip_drop_packet(data_mp, B_TRUE, NULL,
DROPPER(ipss, ipds_spd_got_secure),
&ipss->ipsec_spd_dropper);
- return (B_FALSE);
+ return (NULL);
}
if (is_icmp) {
@@ -6294,11 +5836,10 @@ ipsec_tun_inbound(mblk_t *ipsec_mp, mblk_t **data_mp, ipsec_tun_pol_t *itp,
}
}
- /* NOTE: Frees message if it returns NULL. */
- if (ipsec_check_global_policy(message, NULL, outer_ipv4, outer_ipv6,
- (ipsec_mp != NULL), ns) == NULL) {
- return (B_FALSE);
- }
+ data_mp = ipsec_check_global_policy(data_mp, NULL, outer_ipv4,
+ outer_ipv6, ira, ns);
+ if (data_mp == NULL)
+ return (NULL);
if (is_icmp) {
/* Set things back to normal. */
@@ -6314,14 +5855,11 @@ ipsec_tun_inbound(mblk_t *ipsec_mp, mblk_t **data_mp, ipsec_tun_pol_t *itp,
}
}
- if (ipsec_mp != NULL)
- freeb(ipsec_mp);
-
/*
* At this point, we pretend it's a cleartext accepted
* packet.
*/
- return (B_TRUE);
+ return (data_mp);
}
/*
@@ -6365,7 +5903,7 @@ itp_unlink(ipsec_tun_pol_t *node, netstack_t *ns)
rw_enter(&ipss->ipsec_tunnel_policy_lock, RW_WRITER);
ipss->ipsec_tunnel_policy_gen++;
- ipsec_fragcache_uninit(&node->itp_fragcache);
+ ipsec_fragcache_uninit(&node->itp_fragcache, ipss);
avl_remove(&ipss->ipsec_tunnel_policies, node);
rw_exit(&ipss->ipsec_tunnel_policy_lock);
ITP_REFRELE(node, ns);
@@ -6615,7 +6153,7 @@ ipsec_fragcache_init(ipsec_fragcache_t *frag)
}
void
-ipsec_fragcache_uninit(ipsec_fragcache_t *frag)
+ipsec_fragcache_uninit(ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
{
ipsec_fragcache_entry_t *fep;
int i;
@@ -6627,7 +6165,7 @@ ipsec_fragcache_uninit(ipsec_fragcache_t *frag)
fep = (frag->itpf_ptr)[i];
while (fep != NULL) {
/* Returned fep is next in chain or NULL */
- fep = fragcache_delentry(i, fep, frag);
+ fep = fragcache_delentry(i, fep, frag, ipss);
}
}
/*
@@ -6658,10 +6196,12 @@ ipsec_fragcache_uninit(ipsec_fragcache_t *frag)
/*
* Add a fragment to the fragment cache. Consumes mp if NULL is returned.
* Returns mp if a whole fragment has been assembled, NULL otherwise
+ * The returned mp could be a b_next chain of fragments.
+ *
+ * The iramp argument is set on inbound; NULL if outbound.
*/
-
mblk_t *
-ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
+ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *iramp, mblk_t *mp,
int outer_hdr_len, ipsec_stack_t *ipss)
{
boolean_t is_v4;
@@ -6672,7 +6212,7 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
uint8_t v6_proto;
uint8_t *v6_proto_p;
uint16_t ip6_hdr_length;
- ip6_pkt_t ipp;
+ ip_pkt_t ipp;
ip6_frag_t *fraghdr;
ipsec_fragcache_entry_t *fep;
int i;
@@ -6680,10 +6220,7 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
int firstbyte, lastbyte;
int offset;
int last;
- boolean_t inbound = (ipsec_mp != NULL);
- mblk_t *first_mp = inbound ? ipsec_mp : mp;
-
- ASSERT(first_mp == mp || first_mp->b_cont == mp);
+ boolean_t inbound = (iramp != NULL);
/*
* You're on the slow path, so insure that every packet in the
@@ -6692,14 +6229,14 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
if (mp->b_cont != NULL) {
nmp = msgpullup(mp, -1);
if (nmp == NULL) {
- ip_drop_packet(first_mp, inbound, NULL, NULL,
+ ip_drop_packet(mp, inbound, NULL,
DROPPER(ipss, ipds_spd_nomem),
&ipss->ipsec_spd_dropper);
+ if (inbound)
+ (void) ip_recv_attr_free_mblk(iramp);
return (NULL);
}
freemsg(mp);
- if (ipsec_mp != NULL)
- ipsec_mp->b_cont = nmp;
mp = nmp;
}
@@ -6721,9 +6258,11 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
* If it fails we have a malformed packet
*/
mutex_exit(&frag->itpf_lock);
- ip_drop_packet(first_mp, inbound, NULL, NULL,
+ ip_drop_packet(mp, inbound, NULL,
DROPPER(ipss, ipds_spd_malformed_packet),
&ipss->ipsec_spd_dropper);
+ if (inbound)
+ (void) ip_recv_attr_free_mblk(iramp);
return (NULL);
} else {
v6_proto = *v6_proto_p;
@@ -6731,16 +6270,18 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
bzero(&ipp, sizeof (ipp));
- (void) ip_find_hdr_v6(mp, ip6h, &ipp, NULL);
+ (void) ip_find_hdr_v6(mp, ip6h, B_FALSE, &ipp, NULL);
if (!(ipp.ipp_fields & IPPF_FRAGHDR)) {
/*
* We think this is a fragment, but didn't find
* a fragment header. Something is wrong.
*/
mutex_exit(&frag->itpf_lock);
- ip_drop_packet(first_mp, inbound, NULL, NULL,
+ ip_drop_packet(mp, inbound, NULL,
DROPPER(ipss, ipds_spd_malformed_frag),
&ipss->ipsec_spd_dropper);
+ if (inbound)
+ (void) ip_recv_attr_free_mblk(iramp);
return (NULL);
}
fraghdr = ipp.ipp_fraghdr;
@@ -6759,7 +6300,7 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
*/
itpf_time = gethrestime_sec();
if (itpf_time >= frag->itpf_expire_hint)
- ipsec_fragcache_clean(frag);
+ ipsec_fragcache_clean(frag, ipss);
/* Lookup to see if there is an existing entry */
@@ -6814,11 +6355,13 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
/* check for bogus fragments and delete the entry */
if (firstbyte > 0 && firstbyte <= 8) {
if (fep != NULL)
- (void) fragcache_delentry(i, fep, frag);
+ (void) fragcache_delentry(i, fep, frag, ipss);
mutex_exit(&frag->itpf_lock);
- ip_drop_packet(first_mp, inbound, NULL, NULL,
+ ip_drop_packet(mp, inbound, NULL,
DROPPER(ipss, ipds_spd_malformed_frag),
&ipss->ipsec_spd_dropper);
+ if (inbound)
+ (void) ip_recv_attr_free_mblk(iramp);
return (NULL);
}
@@ -6826,12 +6369,14 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
if (fep == NULL) {
if (frag->itpf_freelist == NULL) {
/* see if there is some space */
- ipsec_fragcache_clean(frag);
+ ipsec_fragcache_clean(frag, ipss);
if (frag->itpf_freelist == NULL) {
mutex_exit(&frag->itpf_lock);
- ip_drop_packet(first_mp, inbound, NULL, NULL,
+ ip_drop_packet(mp, inbound, NULL,
DROPPER(ipss, ipds_spd_nomem),
&ipss->ipsec_spd_dropper);
+ if (inbound)
+ (void) ip_recv_attr_free_mblk(iramp);
return (NULL);
}
}
@@ -6879,7 +6424,7 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
ipha_t *niph;
ipha_t *oniph;
ip6_t *nip6h;
- ip6_pkt_t nipp;
+ ip_pkt_t nipp;
ip6_frag_t *nfraghdr;
uint16_t nip6_hdr_length;
uint8_t *nv6_proto_p;
@@ -6929,14 +6474,17 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
if (!ip_hdr_length_nexthdr_v6(ndata_mp, nip6h,
&nip6_hdr_length, &nv6_proto_p)) {
mutex_exit(&frag->itpf_lock);
- ip_drop_packet_chain(nmp, inbound, NULL, NULL,
+ ip_drop_packet_chain(nmp, inbound, NULL,
DROPPER(ipss, ipds_spd_malformed_frag),
&ipss->ipsec_spd_dropper);
ipsec_freemsg_chain(ndata_mp);
+ if (inbound)
+ (void) ip_recv_attr_free_mblk(iramp);
return (NULL);
}
bzero(&nipp, sizeof (nipp));
- (void) ip_find_hdr_v6(ndata_mp, nip6h, &nipp, NULL);
+ (void) ip_find_hdr_v6(ndata_mp, nip6h, B_FALSE, &nipp,
+ NULL);
nfraghdr = nipp.ipp_fraghdr;
nfirstbyte = ntohs(nfraghdr->ip6f_offlg &
IP6F_OFF_MASK);
@@ -6968,11 +6516,13 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
if (bcmp(data, ndata, MIN(lastbyte, nlastbyte) -
firstbyte)) {
/* Overlapping data does not match */
- (void) fragcache_delentry(i, fep, frag);
+ (void) fragcache_delentry(i, fep, frag, ipss);
mutex_exit(&frag->itpf_lock);
- ip_drop_packet(first_mp, inbound, NULL, NULL,
+ ip_drop_packet(mp, inbound, NULL,
DROPPER(ipss, ipds_spd_overlap_frag),
&ipss->ipsec_spd_dropper);
+ if (inbound)
+ (void) ip_recv_attr_free_mblk(iramp);
return (NULL);
}
/* Part of defense for jolt2.c fragmentation attack */
@@ -6987,9 +6537,11 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
* ---------- ------
*/
mutex_exit(&frag->itpf_lock);
- ip_drop_packet(first_mp, inbound, NULL, NULL,
+ ip_drop_packet(mp, inbound, NULL,
DROPPER(ipss, ipds_spd_evil_frag),
&ipss->ipsec_spd_dropper);
+ if (inbound)
+ (void) ip_recv_attr_free_mblk(iramp);
return (NULL);
}
@@ -7027,12 +6579,17 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
if (bcmp(data, ndata, MIN(lastbyte, nlastbyte)
- nfirstbyte)) {
/* Overlap mismatch */
- (void) fragcache_delentry(i, fep, frag);
+ (void) fragcache_delentry(i, fep, frag,
+ ipss);
mutex_exit(&frag->itpf_lock);
- ip_drop_packet(first_mp, inbound, NULL,
- NULL, DROPPER(ipss,
+ ip_drop_packet(mp, inbound, NULL,
+ DROPPER(ipss,
ipds_spd_overlap_frag),
&ipss->ipsec_spd_dropper);
+ if (inbound) {
+ (void) ip_recv_attr_free_mblk(
+ iramp);
+ }
return (NULL);
}
}
@@ -7046,21 +6603,31 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
prevmp = nmp;
}
- first_mp->b_next = nmp;
+ /* Prepend the attributes before we link it in */
+ if (iramp != NULL) {
+ ASSERT(iramp->b_cont == NULL);
+ iramp->b_cont = mp;
+ mp = iramp;
+ iramp = NULL;
+ }
+ mp->b_next = nmp;
if (prevmp == NULL) {
- fep->itpfe_fraglist = first_mp;
+ fep->itpfe_fraglist = mp;
} else {
- prevmp->b_next = first_mp;
+ prevmp->b_next = mp;
}
if (last)
fep->itpfe_last = 1;
/* Part of defense for jolt2.c fragmentation attack */
if (++(fep->itpfe_depth) > IPSEC_MAX_FRAGS) {
- (void) fragcache_delentry(i, fep, frag);
+ (void) fragcache_delentry(i, fep, frag, ipss);
mutex_exit(&frag->itpf_lock);
- ip_drop_packet(first_mp, inbound, NULL, NULL,
+ if (inbound)
+ mp = ip_recv_attr_free_mblk(mp);
+
+ ip_drop_packet(mp, inbound, NULL,
DROPPER(ipss, ipds_spd_max_frags),
&ipss->ipsec_spd_dropper);
return (NULL);
@@ -7078,7 +6645,7 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
#ifdef FRAGCACHE_DEBUG
cmn_err(CE_WARN, "Last fragment cached.\n");
- cmn_err(CE_WARN, "mp = %p, first_mp = %p.\n", mp, first_mp);
+ cmn_err(CE_WARN, "mp = %p\n", mp);
#endif
offset = 0;
@@ -7118,14 +6685,15 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
if (!ip_hdr_length_nexthdr_v6(data_mp, ip6h,
&ip6_hdr_length, &v6_proto_p)) {
mutex_exit(&frag->itpf_lock);
- ip_drop_packet_chain(mp, inbound, NULL, NULL,
+ ip_drop_packet_chain(mp, inbound, NULL,
DROPPER(ipss, ipds_spd_malformed_frag),
&ipss->ipsec_spd_dropper);
return (NULL);
}
v6_proto = *v6_proto_p;
bzero(&ipp, sizeof (ipp));
- (void) ip_find_hdr_v6(data_mp, ip6h, &ipp, NULL);
+ (void) ip_find_hdr_v6(data_mp, ip6h, B_FALSE, &ipp,
+ NULL);
fraghdr = ipp.ipp_fraghdr;
firstbyte = ntohs(fraghdr->ip6f_offlg &
IP6F_OFF_MASK);
@@ -7163,7 +6731,7 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
(!is_v4 && !(fraghdr->ip6f_offlg & IP6F_MORE_FRAG))) {
mp = fep->itpfe_fraglist;
fep->itpfe_fraglist = NULL;
- (void) fragcache_delentry(i, fep, frag);
+ (void) fragcache_delentry(i, fep, frag, ipss);
mutex_exit(&frag->itpf_lock);
if ((is_v4 && (firstbyte + ntohs(iph->ipha_length) >
@@ -7171,7 +6739,7 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
ntohs(ip6h->ip6_plen) > 65535))) {
/* It is an invalid "ping-o-death" packet */
/* Discard it */
- ip_drop_packet_chain(mp, inbound, NULL, NULL,
+ ip_drop_packet_chain(mp, inbound, NULL,
DROPPER(ipss, ipds_spd_evil_frag),
&ipss->ipsec_spd_dropper);
return (NULL);
@@ -7181,7 +6749,7 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
"mp->b_next = %p", mp, mp->b_next);
#endif
/*
- * For inbound case, mp has ipsec_in b_next'd chain
+ * For inbound case, mp has attrmp b_next'd chain
* For outbound case, it is just data mp chain
*/
return (mp);
@@ -7202,7 +6770,7 @@ ipsec_fragcache_add(ipsec_fragcache_t *frag, mblk_t *ipsec_mp, mblk_t *mp,
}
static void
-ipsec_fragcache_clean(ipsec_fragcache_t *frag)
+ipsec_fragcache_clean(ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
{
ipsec_fragcache_entry_t *fep;
int i;
@@ -7221,7 +6789,7 @@ ipsec_fragcache_clean(ipsec_fragcache_t *frag)
while (fep) {
if (fep->itpfe_exp < itpf_time) {
/* found */
- fep = fragcache_delentry(i, fep, frag);
+ fep = fragcache_delentry(i, fep, frag, ipss);
} else {
if (fep->itpfe_exp < earlyexp) {
earlyfep = fep;
@@ -7237,12 +6805,12 @@ ipsec_fragcache_clean(ipsec_fragcache_t *frag)
/* if (!found) */
if (frag->itpf_freelist == NULL)
- (void) fragcache_delentry(earlyi, earlyfep, frag);
+ (void) fragcache_delentry(earlyi, earlyfep, frag, ipss);
}
static ipsec_fragcache_entry_t *
fragcache_delentry(int slot, ipsec_fragcache_entry_t *fep,
- ipsec_fragcache_t *frag)
+ ipsec_fragcache_t *frag, ipsec_stack_t *ipss)
{
ipsec_fragcache_entry_t *targp;
ipsec_fragcache_entry_t *nextp = fep->itpfe_next;
@@ -7250,7 +6818,12 @@ fragcache_delentry(int slot, ipsec_fragcache_entry_t *fep,
ASSERT(MUTEX_HELD(&frag->itpf_lock));
/* Free up any fragment list still in cache entry */
- ipsec_freemsg_chain(fep->itpfe_fraglist);
+ if (fep->itpfe_fraglist != NULL) {
+ ip_drop_packet_chain(fep->itpfe_fraglist,
+ ip_recv_attr_is_mblk(fep->itpfe_fraglist), NULL,
+ DROPPER(ipss, ipds_spd_nomem), &ipss->ipsec_spd_dropper);
+ }
+ fep->itpfe_fraglist = NULL;
targp = (frag->itpf_ptr)[slot];
ASSERT(targp != 0);
diff --git a/usr/src/uts/common/inet/ip/spdsock.c b/usr/src/uts/common/inet/ip/spdsock.c
index e15d23fdd8..1b25af4a97 100644
--- a/usr/src/uts/common/inet/ip/spdsock.c
+++ b/usr/src/uts/common/inet/ip/spdsock.c
@@ -58,7 +58,6 @@
#include <inet/nd.h>
#include <inet/ip_if.h>
#include <inet/optcom.h>
-#include <inet/ipsec_info.h>
#include <inet/ipsec_impl.h>
#include <inet/spdsock.h>
#include <inet/sadb.h>
@@ -1150,9 +1149,8 @@ spdsock_addrule(queue_t *q, ipsec_policy_head_t *iph, mblk_t *mp,
fail:
rw_exit(&iph->iph_lock);
- while ((--rulep) >= &rules[0]) {
- IPPOL_REFRELE(rulep->pol, spds->spds_netstack);
- }
+ while ((--rulep) >= &rules[0])
+ IPPOL_REFRELE(rulep->pol);
ipsec_actvec_free(actp, nact);
fail2:
if (itp != NULL) {
@@ -2519,8 +2517,8 @@ error:
* be invoked either once IPsec is loaded on a cached request, or
* when a request is received while IPsec is loaded.
*/
-static void
-spdsock_do_updatealg(spd_ext_t *extv[], int *diag, spd_stack_t *spds)
+static int
+spdsock_do_updatealg(spd_ext_t *extv[], spd_stack_t *spds)
{
struct spd_ext_actions *actp;
struct spd_attribute *attr, *endattr;
@@ -2529,17 +2527,15 @@ spdsock_do_updatealg(spd_ext_t *extv[], int *diag, spd_stack_t *spds)
ipsec_algtype_t alg_type = 0;
boolean_t skip_alg = B_TRUE, doing_proto = B_FALSE;
uint_t i, cur_key, cur_block, algid;
+ int diag = -1;
- *diag = -1;
ASSERT(MUTEX_HELD(&spds->spds_alg_lock));
/* parse the message, building the list of algorithms */
actp = (struct spd_ext_actions *)extv[SPD_EXT_ACTION];
- if (actp == NULL) {
- *diag = SPD_DIAGNOSTIC_NO_ACTION_EXT;
- return;
- }
+ if (actp == NULL)
+ return (SPD_DIAGNOSTIC_NO_ACTION_EXT);
start = (uint64_t *)actp;
end = (start + actp->spd_actions_len);
@@ -2583,7 +2579,7 @@ spdsock_do_updatealg(spd_ext_t *extv[], int *diag, spd_stack_t *spds)
ss1dbg(spds, ("spdsock_do_updatealg: "
"invalid alg id %d\n",
attr->spd_attr_value));
- *diag = SPD_DIAGNOSTIC_ALG_ID_RANGE;
+ diag = SPD_DIAGNOSTIC_ALG_ID_RANGE;
goto bail;
}
alg->alg_id = attr->spd_attr_value;
@@ -2623,7 +2619,7 @@ spdsock_do_updatealg(spd_ext_t *extv[], int *diag, spd_stack_t *spds)
cur_key >= alg->alg_nkey_sizes) {
ss1dbg(spds, ("spdsock_do_updatealg: "
"too many key sizes\n"));
- *diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES;
+ diag = SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES;
goto bail;
}
alg->alg_key_sizes[cur_key++] = attr->spd_attr_value;
@@ -2659,7 +2655,7 @@ spdsock_do_updatealg(spd_ext_t *extv[], int *diag, spd_stack_t *spds)
cur_block >= alg->alg_nblock_sizes) {
ss1dbg(spds, ("spdsock_do_updatealg: "
"too many block sizes\n"));
- *diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
+ diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
goto bail;
}
alg->alg_block_sizes[cur_block++] =
@@ -2686,7 +2682,7 @@ spdsock_do_updatealg(spd_ext_t *extv[], int *diag, spd_stack_t *spds)
cur_block >= alg->alg_nparams) {
ss1dbg(spds, ("spdsock_do_updatealg: "
"too many params\n"));
- *diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
+ diag = SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES;
goto bail;
}
/*
@@ -2703,7 +2699,7 @@ spdsock_do_updatealg(spd_ext_t *extv[], int *diag, spd_stack_t *spds)
if (attr->spd_attr_value > CRYPTO_MAX_MECH_NAME) {
ss1dbg(spds, ("spdsock_do_updatealg: "
"mech name too long\n"));
- *diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN;
+ diag = SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN;
goto bail;
}
mech_name = (char *)(attr + 1);
@@ -2751,6 +2747,7 @@ bail:
for (algid = 0; algid < IPSEC_MAX_ALGS; algid++)
if (spds->spds_algs[alg_type][algid] != NULL)
ipsec_alg_free(spds->spds_algs[alg_type][algid]);
+ return (diag);
}
/*
@@ -2803,9 +2800,12 @@ spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[])
int diag;
mutex_enter(&spds->spds_alg_lock);
- spdsock_do_updatealg(extv, &diag, spds);
- mutex_exit(&spds->spds_alg_lock);
+ diag = spdsock_do_updatealg(extv, spds);
if (diag == -1) {
+ /* Keep the lock held while we walk the SA tables. */
+ sadb_alg_update(IPSEC_ALG_ALL, 0, 0,
+ spds->spds_netstack);
+ mutex_exit(&spds->spds_alg_lock);
spd_echo(q, mp);
if (audit_active) {
cred_t *cr;
@@ -2817,6 +2817,7 @@ spdsock_updatealg(queue_t *q, mblk_t *mp, spd_ext_t *extv[])
cpid);
}
} else {
+ mutex_exit(&spds->spds_alg_lock);
spdsock_diag(q, mp, diag);
if (audit_active) {
cred_t *cr;
@@ -3117,10 +3118,7 @@ spdsock_update_pending_algs(netstack_t *ns)
mutex_enter(&spds->spds_alg_lock);
if (spds->spds_algs_pending) {
- int diag;
-
- spdsock_do_updatealg(spds->spds_extv_algs, &diag,
- spds);
+ (void) spdsock_do_updatealg(spds->spds_extv_algs, spds);
spds->spds_algs_pending = B_FALSE;
}
mutex_exit(&spds->spds_alg_lock);
@@ -3265,7 +3263,7 @@ spdsock_opt_get(queue_t *q, int level, int name, uchar_t *ptr)
int
spdsock_opt_set(queue_t *q, uint_t mgmt_flags, int level, int name,
uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
- void *thisdg_attrs, cred_t *cr, mblk_t *mblk)
+ void *thisdg_attrs, cred_t *cr)
{
int *i1 = (int *)invalp;
spdsock_t *ss = (spdsock_t *)q->q_ptr;
@@ -3337,11 +3335,9 @@ spdsock_wput_other(queue_t *q, mblk_t *mp)
}
if (((union T_primitives *)mp->b_rptr)->type ==
T_SVR4_OPTMGMT_REQ) {
- (void) svr4_optcom_req(q, mp, cr,
- &spdsock_opt_obj, B_FALSE);
+ svr4_optcom_req(q, mp, cr, &spdsock_opt_obj);
} else {
- (void) tpi_optcom_req(q, mp, cr,
- &spdsock_opt_obj, B_FALSE);
+ tpi_optcom_req(q, mp, cr, &spdsock_opt_obj);
}
break;
case T_DATA_REQ:
diff --git a/usr/src/uts/common/inet/ip/spdsock_opt_data.c b/usr/src/uts/common/inet/ip/spdsock_opt_data.c
index df797bb37a..c5438f29cc 100644
--- a/usr/src/uts/common/inet/ip/spdsock_opt_data.c
+++ b/usr/src/uts/common/inet/ip/spdsock_opt_data.c
@@ -20,12 +20,10 @@
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/types.h>
#include <sys/stream.h>
#define _SUN_TPI_VERSION 1
@@ -53,9 +51,9 @@
*/
opdes_t spdsock_opt_arr[] = {
- { SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, OP_PASSNEXT,
+ { SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, 0,
(t_uscalar_t)sizeof (int), 0 },
- { SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, OP_PASSNEXT,
+ { SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, 0,
(t_uscalar_t)sizeof (int), 0 },
};
@@ -88,7 +86,6 @@ optdb_obj_t spdsock_opt_obj = {
NULL, /* SPDSOCK default value function pointer */
spdsock_opt_get, /* SPDSOCK get function pointer */
spdsock_opt_set, /* SPDSOCK set function pointer */
- B_TRUE, /* SPDSOCK is tpi provider */
SPDSOCK_OPT_ARR_CNT, /* SPDSOCK option database count of entries */
spdsock_opt_arr, /* SPDSOCK option database */
SPDSOCK_VALID_LEVELS_CNT, /* SPDSOCK valid level count of entries */
diff --git a/usr/src/uts/common/inet/ip/tn_ipopt.c b/usr/src/uts/common/inet/ip/tn_ipopt.c
index 359b8d4623..1ce050ec69 100644
--- a/usr/src/uts/common/inet/ip/tn_ipopt.c
+++ b/usr/src/uts/common/inet/ip/tn_ipopt.c
@@ -271,38 +271,40 @@ tsol_get_option_v6(mblk_t *mp, tsol_ip_label_t *label_type, uchar_t **buffer)
* tsol_check_dest()
*
* This routine verifies if a destination is allowed to recieve messages
- * based on the message cred's security label. If any adjustments to
- * the cred are needed due to the connection's MAC mode or
- * the destination's ability to receive labels, an "effective cred"
- * will be returned.
+ * based on the security label. If any adjustments to the label are needed
+ * due to the connection's MAC mode or the destination's ability
+ * to receive labels, an "effective label" will be returned.
+ *
+ * zone_is_global is set if the actual zoneid is global. That is, it is
+ * not set for an exclusive-IP zone.
*
- * On successful return, effective_cred will point to the new creds needed
- * or will be NULL if new creds aren't needed. On error, effective_cred
- * is NULL.
+ * On successful return, effective_tsl will point to the new label needed
+ * or will be NULL if a new label isn't needed. On error, effective_tsl will
+ * point to NULL.
*
* Returns:
- * 0 Have or constructed appropriate credentials
- * EHOSTUNREACH The credentials failed the remote host accreditation
+ * 0 Label (was|is now) correct
+ * EHOSTUNREACH The label failed the remote host accreditation
* ENOMEM Memory allocation failure
*/
int
-tsol_check_dest(const cred_t *credp, const void *dst, uchar_t version,
- uint_t mac_mode, cred_t **effective_cred)
+tsol_check_dest(const ts_label_t *tsl, const void *dst,
+ uchar_t version, uint_t mac_mode, boolean_t zone_is_global,
+ ts_label_t **effective_tsl)
{
- ts_label_t *tsl, *newtsl = NULL;
+ ts_label_t *newtsl = NULL;
tsol_tpc_t *dst_rhtp;
- zoneid_t zoneid;
- if (effective_cred != NULL)
- *effective_cred = NULL;
+ if (effective_tsl != NULL)
+ *effective_tsl = NULL;
ASSERT(version == IPV4_VERSION ||
(version == IPV6_VERSION &&
!IN6_IS_ADDR_V4MAPPED((in6_addr_t *)dst)));
/* Always pass kernel level communication (NULL label) */
- if ((tsl = crgetlabel(credp)) == NULL) {
+ if (tsl == NULL) {
DTRACE_PROBE2(tx__tnopt__log__info__labeling__mac__allownull,
- char *, "destination ip(1) with null cred was passed",
+ char *, "destination ip(1) with null label was passed",
ipaddr_t, dst);
return (0);
}
@@ -358,9 +360,8 @@ tsol_check_dest(const cred_t *credp, const void *dst, uchar_t version,
}
if (!blequal(&dst_rhtp->tpc_tp.tp_def_label,
&tsl->tsl_label)) {
- zoneid = crgetzoneid(credp);
if (mac_mode != CONN_MAC_AWARE ||
- !(zoneid == GLOBAL_ZONEID ||
+ !(zone_is_global ||
bldominates(&tsl->tsl_label,
&dst_rhtp->tpc_tp.tp_def_label))) {
DTRACE_PROBE4(
@@ -438,51 +439,43 @@ tsol_check_dest(const cred_t *credp, const void *dst, uchar_t version,
}
/*
- * Generate a new cred if we modified the security label or
- * label flags.
+ * Return the new label.
*/
if (newtsl != NULL) {
- if (effective_cred != NULL) {
- *effective_cred = copycred_from_tslabel(credp,
- newtsl, KM_NOSLEEP);
- }
- label_rele(newtsl);
- if (effective_cred != NULL && *effective_cred == NULL) {
- TPC_RELE(dst_rhtp);
- return (ENOMEM);
- }
+ if (effective_tsl != NULL)
+ *effective_tsl = newtsl;
+ else
+ label_rele(newtsl);
}
TPC_RELE(dst_rhtp);
return (0);
}
/*
- * tsol_compute_label()
+ * tsol_compute_label_v4()
*
* This routine computes the IP label that should be on a packet based on the
* connection and destination information.
*
+ * The zoneid is the IP zoneid (i.e., GLOBAL_ZONEID for exlusive-IP zones).
+ *
* Returns:
* 0 Fetched label
* EHOSTUNREACH No route to destination
* EINVAL Label cannot be computed
*/
int
-tsol_compute_label(const cred_t *credp, ipaddr_t dst, uchar_t *opt_storage,
- ip_stack_t *ipst)
+tsol_compute_label_v4(const ts_label_t *tsl, zoneid_t zoneid, ipaddr_t dst,
+ uchar_t *opt_storage, ip_stack_t *ipst)
{
uint_t sec_opt_len;
- ts_label_t *tsl;
- ire_t *ire, *sire = NULL;
- tsol_ire_gw_secattr_t *attrp;
- zoneid_t zoneid, ip_zoneid;
-
- ASSERT(credp != NULL);
+ ire_t *ire;
+ tsol_ire_gw_secattr_t *attrp = NULL;
if (opt_storage != NULL)
opt_storage[IPOPT_OLEN] = 0;
- if ((tsl = crgetlabel(credp)) == NULL)
+ if (tsl == NULL)
return (0);
/* always pass multicast */
@@ -493,67 +486,44 @@ tsol_compute_label(const cred_t *credp, ipaddr_t dst, uchar_t *opt_storage,
return (0);
if (tsl->tsl_flags & TSLF_UNLABELED) {
-
/*
* The destination is unlabeled. Only add a label if the
* destination is not a broadcast/local/loopback address,
* the destination is not on the same subnet, and the
* next-hop gateway is labeled.
- *
- * For exclusive stacks we set the zoneid to zero
- * to operate as if we are in the global zone for
- * IRE lookups.
*/
- zoneid = crgetzoneid(credp);
- if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID)
- ip_zoneid = GLOBAL_ZONEID;
- else
- ip_zoneid = zoneid;
-
- ire = ire_cache_lookup(dst, ip_zoneid, tsl, ipst);
-
- if (ire != NULL && (ire->ire_type & (IRE_BROADCAST | IRE_LOCAL |
- IRE_LOOPBACK | IRE_INTERFACE)) != 0) {
- IRE_REFRELE(ire);
- return (0);
- } else if (ire == NULL) {
- ire = ire_ftable_lookup(dst, 0, 0, 0, NULL, &sire,
- ip_zoneid, 0, tsl, (MATCH_IRE_RECURSIVE |
- MATCH_IRE_DEFAULT | MATCH_IRE_SECATTR), ipst);
- }
-
- /* no route to destination */
- if (ire == NULL) {
+ ire = ire_route_recursive_v4(dst, 0, NULL, zoneid, tsl,
+ MATCH_IRE_SECATTR, B_TRUE, 0, ipst, NULL, &attrp, NULL);
+ ASSERT(ire != NULL);
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ /* no route to destination */
+ ire_refrele(ire);
DTRACE_PROBE3(
tx__tnopt__log__info__labeling__routedst__v4,
char *, "No route to unlabeled dest ip(1) with "
- "creds(2).", ipaddr_t, dst, cred_t *, credp);
+ "with label(2).", ipaddr_t, dst, ts_label_t *, tsl);
return (EHOSTUNREACH);
}
+ if (ire->ire_type & (IRE_BROADCAST | IRE_LOCAL | IRE_LOOPBACK |
+ IRE_INTERFACE)) {
+ ire_refrele(ire);
+ return (0);
+ }
/*
- * Prefix IRE from f-table lookup means that the destination
- * is not directly connected; check the next-hop attributes.
+ * ire_route_recursive gives us the first attrp it finds
+ * in the recursive lookup.
*/
- if (sire != NULL) {
- ASSERT(ire != NULL);
- IRE_REFRELE(ire);
- ire = sire;
- }
-
/*
* Return now if next hop gateway is unlabeled. There is
* no need to generate a CIPSO option for this message.
*/
- attrp = ire->ire_gw_secattr;
if (attrp == NULL || attrp->igsa_rhc == NULL ||
attrp->igsa_rhc->rhc_tpc->tpc_tp.host_type == UNLABELED) {
- IRE_REFRELE(ire);
+ ire_refrele(ire);
return (0);
}
-
- IRE_REFRELE(ire);
-
+ ire_refrele(ire);
}
/* compute the CIPSO option */
@@ -562,8 +532,8 @@ tsol_compute_label(const cred_t *credp, ipaddr_t dst, uchar_t *opt_storage,
if (sec_opt_len == 0) {
DTRACE_PROBE3(tx__tnopt__log__error__labeling__lostops__v4,
- char *, "options lack length for dest ip(1) with creds(2).",
- ipaddr_t, dst, cred_t *, credp);
+ char *, "options lack length for dest ip(1) with label(2).",
+ ipaddr_t, dst, ts_label_t *, tsl);
return (EINVAL);
}
@@ -575,6 +545,9 @@ tsol_compute_label(const cred_t *credp, ipaddr_t dst, uchar_t *opt_storage,
* header, move the 'buflen' bytes back to fill the gap, and return the number
* of bytes removed (as zero or negative number). Assumes that the headers are
* sane.
+ *
+ * Note that tsol_remove_secopt does not adjust ipha_length but
+ * tsol_remove_secopt_v6 does adjust ip6_plen.
*/
int
tsol_remove_secopt(ipha_t *ipha, int buflen)
@@ -659,6 +632,9 @@ tsol_remove_secopt(ipha_t *ipha, int buflen)
* option cannot be inserted. (Note that negative return values are possible
* when noops must be compressed, and that only -1 indicates error. Successful
* return value is always evenly divisible by 4, by definition.)
+ *
+ * Note that tsol_prepend_option does not adjust ipha_length but
+ * tsol_prepend_option_v6 does adjust ip6_plen.
*/
int
tsol_prepend_option(uchar_t *optbuf, ipha_t *ipha, int buflen)
@@ -810,28 +786,39 @@ tsol_prepend_option(uchar_t *optbuf, ipha_t *ipha, int buflen)
}
/*
- * tsol_check_label()
+ * tsol_check_label_v4()
*
* This routine computes the IP label that should be on the packet based on the
- * connection and destination information. If the label is there, it returns
- * zero, so the caller knows that the label is syncronized, and further calls
- * are not required. If the label isn't right, then the right one is inserted.
+ * connection and destination information. It's called by the IP forwarding
+ * logic and by ip_output_simple. The ULPs generate the labels before calling
+ * conn_ip_output. If any adjustments to
+ * the label are needed due to the connection's MAC-exempt status or
+ * the destination's ability to receive labels, an "effective label"
+ * will be returned.
*
* The packet's header is clear before entering IPsec's engine.
*
+ * The zoneid is the IP zoneid (i.e., GLOBAL_ZONEID for exlusive-IP zones).
+ * zone_is_global is set if the actual zoneid is global.
+ *
+ * On successful return, effective_tslp will point to the new label needed
+ * or will be NULL if a new label isn't needed. On error, effective_tsl will
+ * point to NULL.
+ *
* Returns:
- * 0 Label on packet (was|is now) correct
+ * 0 Label on (was|is now) correct
* EACCES The packet failed the remote host accreditation.
* ENOMEM Memory allocation failure.
* EINVAL Label cannot be computed
*/
int
-tsol_check_label(const cred_t *credp, mblk_t **mpp, uint_t mac_mode,
- ip_stack_t *ipst, pid_t pid)
+tsol_check_label_v4(const ts_label_t *tsl, zoneid_t zoneid, mblk_t **mpp,
+ uint_t mac_mode, boolean_t zone_is_global, ip_stack_t *ipst,
+ ts_label_t **effective_tslp)
{
mblk_t *mp = *mpp;
ipha_t *ipha;
- cred_t *effective_cred = NULL;
+ ts_label_t *effective_tsl = NULL;
uchar_t opt_storage[IP_MAX_OPT_LENGTH];
uint_t hlen;
uint_t sec_opt_len;
@@ -839,19 +826,18 @@ tsol_check_label(const cred_t *credp, mblk_t **mpp, uint_t mac_mode,
int delta_remove = 0, delta_add, adjust;
int retv;
+ *effective_tslp = NULL;
opt_storage[IPOPT_OPTVAL] = 0;
ipha = (ipha_t *)mp->b_rptr;
/*
* Verify the destination is allowed to receive packets at
- * the security label of the message data. check_dest()
- * may create a new effective cred with a modified label
- * or label flags. Apply any such cred to the message block
- * for use in future routing decisions.
+ * the security label of the message data. tsol_check_dest()
+ * may create a new effective label or label flags.
*/
- retv = tsol_check_dest(credp, &ipha->ipha_dst, IPV4_VERSION,
- mac_mode, &effective_cred);
+ retv = tsol_check_dest(tsl, &ipha->ipha_dst, IPV4_VERSION,
+ mac_mode, zone_is_global, &effective_tsl);
if (retv != 0)
return (retv);
@@ -859,16 +845,15 @@ tsol_check_label(const cred_t *credp, mblk_t **mpp, uint_t mac_mode,
* Calculate the security label to be placed in the text
* of the message (if any).
*/
- if (effective_cred != NULL) {
- if ((retv = tsol_compute_label(effective_cred,
+ if (effective_tsl != NULL) {
+ if ((retv = tsol_compute_label_v4(effective_tsl, zoneid,
ipha->ipha_dst, opt_storage, ipst)) != 0) {
- crfree(effective_cred);
+ label_rele(effective_tsl);
return (retv);
}
- mblk_setcred(mp, effective_cred, pid);
- crfree(effective_cred);
+ *effective_tslp = effective_tsl;
} else {
- if ((retv = tsol_compute_label(credp,
+ if ((retv = tsol_compute_label_v4(tsl, zoneid,
ipha->ipha_dst, opt_storage, ipst)) != 0) {
return (retv);
}
@@ -890,10 +875,6 @@ tsol_check_label(const cred_t *credp, mblk_t **mpp, uint_t mac_mode,
return (0);
}
- if (msg_getcred(mp, NULL) == NULL) {
- mblk_setcred(mp, (cred_t *)credp, NOPID);
- }
-
/*
* If there is an option there, then it must be the wrong one; delete.
*/
@@ -918,8 +899,13 @@ tsol_check_label(const cred_t *credp, mblk_t **mpp, uint_t mac_mode,
copylen = 256;
new_mp = allocb_tmpl(hlen + copylen +
(mp->b_rptr - mp->b_datap->db_base), mp);
- if (new_mp == NULL)
+ if (new_mp == NULL) {
+ if (effective_tsl != NULL) {
+ label_rele(effective_tsl);
+ *effective_tslp = NULL;
+ }
return (ENOMEM);
+ }
/* keep the bias */
new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base;
@@ -948,6 +934,10 @@ tsol_check_label(const cred_t *credp, mblk_t **mpp, uint_t mac_mode,
return (0);
param_prob:
+ if (effective_tsl != NULL) {
+ label_rele(effective_tsl);
+ *effective_tslp = NULL;
+ }
return (EINVAL);
}
@@ -972,19 +962,17 @@ param_prob:
* i.e starting from the IP6OPT_LS but not including the pad at the end.
* The user must prepend two octets (either padding or next header / length)
* and append padding out to the next 8 octet boundary.
+ *
+ * The zoneid is the IP zoneid (i.e., GLOBAL_ZONEID for exlusive-IP zones).
*/
int
-tsol_compute_label_v6(const cred_t *credp, const in6_addr_t *dst,
- uchar_t *opt_storage, ip_stack_t *ipst)
+tsol_compute_label_v6(const ts_label_t *tsl, zoneid_t zoneid,
+ const in6_addr_t *dst, uchar_t *opt_storage, ip_stack_t *ipst)
{
- ts_label_t *tsl;
uint_t sec_opt_len;
uint32_t doi;
- zoneid_t zoneid, ip_zoneid;
- ire_t *ire, *sire;
- tsol_ire_gw_secattr_t *attrp;
-
- ASSERT(credp != NULL);
+ ire_t *ire;
+ tsol_ire_gw_secattr_t *attrp = NULL;
if (ip6opt_ls == 0)
return (EINVAL);
@@ -992,15 +980,13 @@ tsol_compute_label_v6(const cred_t *credp, const in6_addr_t *dst,
if (opt_storage != NULL)
opt_storage[IPOPT_OLEN] = 0;
- if ((tsl = crgetlabel(credp)) == NULL)
+ if (tsl == NULL)
return (0);
/* Always pass multicast */
if (IN6_IS_ADDR_MULTICAST(dst))
return (0);
- zoneid = crgetzoneid(credp);
-
/*
* Fill in a V6 label. If a new format is added here, make certain
* that the maximum size of this label is reflected in sys/tsol/tnet.h
@@ -1012,62 +998,41 @@ tsol_compute_label_v6(const cred_t *credp, const in6_addr_t *dst,
if (tsl->tsl_flags & TSLF_UNLABELED) {
/*
* The destination is unlabeled. Only add a label if the
- * destination is not broadcast/local/loopback address,
+ * destination is not a broadcast/local/loopback address,
* the destination is not on the same subnet, and the
* next-hop gateway is labeled.
- *
- * For exclusive stacks we set the zoneid to zero to
- * operate as if we are in the global zone when
- * performing IRE lookups and conn_t comparisons.
*/
- if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID)
- ip_zoneid = GLOBAL_ZONEID;
- else
- ip_zoneid = zoneid;
-
- sire = NULL;
- ire = ire_cache_lookup_v6(dst, ip_zoneid, tsl, ipst);
-
- if (ire != NULL && (ire->ire_type & (IRE_LOCAL |
- IRE_LOOPBACK | IRE_INTERFACE)) != 0) {
- IRE_REFRELE(ire);
- return (0);
- } else if (ire == NULL) {
- ire = ire_ftable_lookup_v6(dst, NULL, NULL, 0, NULL,
- &sire, ip_zoneid, 0, tsl, (MATCH_IRE_RECURSIVE |
- MATCH_IRE_DEFAULT | MATCH_IRE_SECATTR), ipst);
- }
-
- /* no route to destination */
- if (ire == NULL) {
+ ire = ire_route_recursive_v6(dst, 0, NULL, zoneid, tsl,
+ MATCH_IRE_SECATTR, B_TRUE, 0, ipst, NULL, &attrp, NULL);
+ ASSERT(ire != NULL);
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ /* no route to destination */
+ ire_refrele(ire);
DTRACE_PROBE3(
tx__tnopt__log__info__labeling__routedst__v6,
char *, "No route to unlabeled dest ip6(1) with "
- "creds(2).", in6_addr_t *, dst, cred_t *, credp);
+ "label(2).", in6_addr_t *, dst, ts_label_t *, tsl);
return (EHOSTUNREACH);
}
-
+ if (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK |
+ IRE_INTERFACE)) {
+ ire_refrele(ire);
+ return (0);
+ }
/*
- * Prefix IRE from f-table lookup means that the destination
- * is not directly connected; check the next-hop attributes.
+ * ire_route_recursive gives us the first attrp it finds
+ * in the recursive lookup.
*/
- if (sire != NULL) {
- ASSERT(ire != NULL);
- IRE_REFRELE(ire);
- ire = sire;
- }
-
/*
* Return now if next hop gateway is unlabeled. There is
* no need to generate a CIPSO option for this message.
*/
- attrp = ire->ire_gw_secattr;
if (attrp == NULL || attrp->igsa_rhc == NULL ||
attrp->igsa_rhc->rhc_tpc->tpc_tp.host_type == UNLABELED) {
- IRE_REFRELE(ire);
+ ire_refrele(ire);
return (0);
}
- IRE_REFRELE(ire);
+ ire_refrele(ire);
}
/* compute the CIPSO option */
@@ -1079,7 +1044,7 @@ tsol_compute_label_v6(const cred_t *credp, const in6_addr_t *dst,
if (sec_opt_len == 0) {
DTRACE_PROBE3(tx__tnopt__log__error__labeling__lostops__v6,
char *, "options lack length for dest ip6(1) with "
- "creds(2).", in6_addr_t *, dst, cred_t *, credp);
+ "label(2).", in6_addr_t *, dst, ts_label_t *, tsl);
return (EINVAL);
}
@@ -1188,6 +1153,9 @@ tsol_find_secopt_v6(
* Header and data following the label option that is deleted are copied
* (i.e. slid backward) to the right position, and returns the number
* of bytes removed (as zero or negative number.)
+ *
+ * Note that tsol_remove_secopt does not adjust ipha_length but
+ * tsol_remove_secopt_v6 does adjust ip6_plen.
*/
int
tsol_remove_secopt_v6(ip6_t *ip6h, int buflen)
@@ -1286,6 +1254,9 @@ tsol_remove_secopt_v6(ip6_t *ip6h, int buflen)
* extra option being added. Header and data following the position where
* the label option is inserted are copied (i.e. slid forward) to the right
* position.
+ *
+ * Note that tsol_prepend_option does not adjust ipha_length but
+ * tsol_prepend_option_v6 does adjust ip6_plen.
*/
int
tsol_prepend_option_v6(uchar_t *optbuf, ip6_t *ip6h, int buflen)
@@ -1368,22 +1339,36 @@ tsol_prepend_option_v6(uchar_t *optbuf, ip6_t *ip6h, int buflen)
* tsol_check_label_v6()
*
* This routine computes the IP label that should be on the packet based on the
- * connection and destination information. It's called only by the IP
- * forwarding logic, because all internal modules atop IP know how to generate
- * their own labels.
+ * connection and destination information. It's called by the IP forwarding
+ * logic and by ip_output_simple. The ULPs generate the labels before calling
+ * conn_ip_output. If any adjustments to
+ * the label are needed due to the connection's MAC-exempt status or
+ * the destination's ability to receive labels, an "effective label"
+ * will be returned.
+ *
+ * The packet's header is clear before entering IPsec's engine.
+ *
+ * The zoneid is the IP zoneid (i.e., GLOBAL_ZONEID for exlusive-IP zones).
+ * zone_is_global is set if the actual zoneid is global.
+ *
+ * On successful return, effective_tslp will point to the new label needed
+ * or will be NULL if a new label isn't needed. On error, effective_tsl will
+ * point to NULL.
*
* Returns:
- * 0 Label on packet was already correct
+ * 0 Label on (was|is now) correct
* EACCES The packet failed the remote host accreditation.
* ENOMEM Memory allocation failure.
+ * EINVAL Label cannot be computed
*/
int
-tsol_check_label_v6(const cred_t *credp, mblk_t **mpp, uint_t mode,
- ip_stack_t *ipst, pid_t pid)
+tsol_check_label_v6(const ts_label_t *tsl, zoneid_t zoneid, mblk_t **mpp,
+ uint_t mac_mode, boolean_t zone_is_global, ip_stack_t *ipst,
+ ts_label_t **effective_tslp)
{
mblk_t *mp = *mpp;
ip6_t *ip6h;
- cred_t *effective_cred;
+ ts_label_t *effective_tsl = NULL;
/*
* Label option length is limited to IP_MAX_OPT_LENGTH for
* symmetry with IPv4. Can be relaxed if needed
@@ -1399,16 +1384,16 @@ tsol_check_label_v6(const cred_t *credp, mblk_t **mpp, uint_t mode,
uint_t hbhlen;
boolean_t hbh_needed;
+ *effective_tslp = NULL;
+
/*
* Verify the destination is allowed to receive packets at
- * the security label of the message data. check_dest()
- * may create a new effective cred with a modified label
- * or label flags. Apply any such cred to the message block
- * for use in future routing decisions.
+ * the security label of the message data. tsol_check_dest()
+ * may create a new effective label or label flags.
*/
ip6h = (ip6_t *)mp->b_rptr;
- retv = tsol_check_dest(credp, &ip6h->ip6_dst, IPV6_VERSION,
- mode, &effective_cred);
+ retv = tsol_check_dest(tsl, &ip6h->ip6_dst, IPV6_VERSION,
+ mac_mode, zone_is_global, &effective_tsl);
if (retv != 0)
return (retv);
@@ -1416,16 +1401,15 @@ tsol_check_label_v6(const cred_t *credp, mblk_t **mpp, uint_t mode,
* Calculate the security label to be placed in the text
* of the message (if any).
*/
- if (effective_cred != NULL) {
- if ((retv = tsol_compute_label_v6(effective_cred,
+ if (effective_tsl != NULL) {
+ if ((retv = tsol_compute_label_v6(effective_tsl, zoneid,
&ip6h->ip6_dst, opt_storage, ipst)) != 0) {
- crfree(effective_cred);
+ label_rele(effective_tsl);
return (retv);
}
- mblk_setcred(mp, effective_cred, pid);
- crfree(effective_cred);
+ *effective_tslp = effective_tsl;
} else {
- if ((retv = tsol_compute_label_v6(credp,
+ if ((retv = tsol_compute_label_v6(tsl, zoneid,
&ip6h->ip6_dst, opt_storage, ipst)) != 0)
return (retv);
}
@@ -1457,10 +1441,6 @@ tsol_check_label_v6(const cred_t *credp, mblk_t **mpp, uint_t mode,
return (0);
}
- if (msg_getcred(mp, NULL) == NULL) {
- mblk_setcred(mp, (cred_t *)credp, NOPID);
- }
-
if (secopt != NULL && sec_opt_len != 0 &&
(bcmp(opt_storage, secopt, sec_opt_len + 2) == 0)) {
/* The packet has the correct label already */
@@ -1499,8 +1479,13 @@ tsol_check_label_v6(const cred_t *credp, mblk_t **mpp, uint_t mode,
copylen = hdr_len;
new_mp = allocb_tmpl(hlen + copylen +
(mp->b_rptr - mp->b_datap->db_base), mp);
- if (new_mp == NULL)
+ if (new_mp == NULL) {
+ if (effective_tsl != NULL) {
+ label_rele(effective_tsl);
+ *effective_tslp = NULL;
+ }
return (ENOMEM);
+ }
/* keep the bias */
new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base;
@@ -1522,208 +1507,13 @@ tsol_check_label_v6(const cred_t *credp, mblk_t **mpp, uint_t mode,
ASSERT(mp->b_wptr + delta_add <= DB_LIM(mp));
mp->b_wptr += delta_add;
+ /* tsol_prepend_option_v6 has adjusted ip6_plen */
return (0);
param_prob:
- return (EINVAL);
-}
-
-/*
- * Update the given IPv6 "sticky options" structure to contain the provided
- * label, which is encoded as an IPv6 option. Existing label is removed if
- * necessary, and storage is allocated/freed/resized.
- *
- * Returns 0 on success, errno on failure.
- */
-int
-tsol_update_sticky(ip6_pkt_t *ipp, uint_t *labellen, const uchar_t *labelopt)
-{
- int rawlen, optlen, newlen;
- uchar_t *newopts;
-
- /*
- * rawlen is the size of the IPv6 label to be inserted from labelopt.
- * optlen is the total length of that option, including any necessary
- * headers and padding. newlen is the new size of the total hop-by-hop
- * options buffer, including user options.
- */
- ASSERT(*labellen <= ipp->ipp_hopoptslen);
- ASSERT((ipp->ipp_hopopts == NULL && ipp->ipp_hopoptslen == 0) ||
- (ipp->ipp_hopopts != NULL && ipp->ipp_hopoptslen != 0));
-
- if ((rawlen = labelopt[1]) != 0) {
- rawlen += 2; /* add in header size */
- optlen = (2 + rawlen + 7) & ~7;
- } else {
- optlen = 0;
- }
- newlen = ipp->ipp_hopoptslen + optlen - *labellen;
- if (newlen == 0 && ipp->ipp_hopopts != NULL) {
- /* Deleting all existing hop-by-hop options */
- kmem_free(ipp->ipp_hopopts, ipp->ipp_hopoptslen);
- ipp->ipp_hopopts = NULL;
- ipp->ipp_fields &= ~IPPF_HOPOPTS;
- } else if (optlen != *labellen) {
- /* If the label not same size as last time, then reallocate */
- if (newlen > IP6_MAX_OPT_LENGTH)
- return (EHOSTUNREACH);
- newopts = kmem_alloc(newlen, KM_NOSLEEP);
- if (newopts == NULL)
- return (ENOMEM);
- /*
- * If the user has hop-by-hop stickyoptions set, then copy his
- * options in after the security label.
- */
- if (ipp->ipp_hopoptslen > *labellen) {
- bcopy(ipp->ipp_hopopts + *labellen, newopts + optlen,
- ipp->ipp_hopoptslen - *labellen);
- /*
- * Stomp out any header gunk here - this was the
- * previous next-header and option length field.
- */
- newopts[optlen] = IP6OPT_PADN;
- newopts[optlen + 1] = 0;
- }
- if (ipp->ipp_hopopts != NULL)
- kmem_free(ipp->ipp_hopopts, ipp->ipp_hopoptslen);
- ipp->ipp_hopopts = (ip6_hbh_t *)newopts;
- }
- ipp->ipp_hopoptslen = newlen;
- *labellen = optlen;
-
- newopts = (uchar_t *)ipp->ipp_hopopts;
-
- /* If there are any options, then fix up reported length */
- if (newlen > 0) {
- newopts[1] = (newlen + 7) / 8 - 1;
- ipp->ipp_fields |= IPPF_HOPOPTS;
- }
-
- /* If there's a label, then insert it now */
- if (optlen > 0) {
- /* skip next-header and length fields */
- newopts += 2;
- bcopy(labelopt, newopts, rawlen);
- newopts += rawlen;
- /* make sure padding comes out right */
- optlen -= 2 + rawlen;
- if (optlen == 1) {
- newopts[0] = IP6OPT_PAD1;
- } else if (optlen > 1) {
- newopts[0] = IP6OPT_PADN;
- optlen -= 2;
- newopts[1] = optlen;
- if (optlen > 0)
- bzero(newopts + 2, optlen);
- }
- }
- return (0);
-}
-
-int
-tsol_update_options(uchar_t **opts, uint_t *totlen, uint_t *labellen,
- const uchar_t *labelopt)
-{
- int optlen, newlen;
- uchar_t *newopts;
-
- optlen = (labelopt[IPOPT_OLEN] + 3) & ~3;
- newlen = *totlen + optlen - *labellen;
- if (optlen > *labellen) {
- if (newlen > IP_MAX_OPT_LENGTH)
- return (EHOSTUNREACH);
- newopts = (uchar_t *)mi_alloc(newlen, BPRI_HI);
- if (newopts == NULL)
- return (ENOMEM);
- if (*totlen > *labellen) {
- bcopy(*opts + *labellen, newopts + optlen,
- *totlen - *labellen);
- }
- if (*opts != NULL)
- mi_free((char *)*opts);
- *opts = newopts;
- } else if (optlen < *labellen) {
- if (newlen == 0 && *opts != NULL) {
- mi_free((char *)*opts);
- *opts = NULL;
- }
- if (*totlen > *labellen) {
- ovbcopy(*opts + *labellen, *opts + optlen,
- *totlen - *labellen);
- }
- }
- *totlen = newlen;
- *labellen = optlen;
- if (optlen > 0) {
- newopts = *opts;
- bcopy(labelopt, newopts, optlen);
- /* check if there are user-supplied options that follow */
- if (optlen < newlen) {
- /* compute amount of embedded alignment needed */
- optlen -= newopts[IPOPT_OLEN];
- newopts += newopts[IPOPT_OLEN];
- while (--optlen >= 0)
- *newopts++ = IPOPT_NOP;
- } else if (optlen != newopts[IPOPT_OLEN]) {
- /*
- * The label option is the only option and it is
- * not a multiple of 4 bytes.
- */
- optlen -= newopts[IPOPT_OLEN];
- newopts += newopts[IPOPT_OLEN];
- while (--optlen >= 0)
- *newopts++ = IPOPT_EOL;
- }
+ if (effective_tsl != NULL) {
+ label_rele(effective_tsl);
+ *effective_tslp = NULL;
}
- return (0);
-}
-
-/*
- * This does the bulk of the processing for setting IPPROTO_IP {T_,}IP_OPTIONS.
- */
-boolean_t
-tsol_option_set(uchar_t **opts, uint_t *optlen, uint_t labellen,
- const uchar_t *useropts, uint_t userlen)
-{
- int newlen;
- uchar_t *newopts;
-
- newlen = userlen + labellen;
- if (newlen > *optlen) {
- /* need more room */
- newopts = (uchar_t *)mi_alloc(newlen, BPRI_HI);
- if (newopts == NULL)
- return (B_FALSE);
- /*
- * The supplied *opts can't be NULL in this case,
- * since there's an existing label.
- */
- if (labellen > 0)
- bcopy(*opts, newopts, labellen);
- if (*opts != NULL)
- mi_free((char *)*opts);
- *opts = newopts;
- }
-
- if (newlen == 0) {
- /* special case -- no remaining IP options at all */
- if (*opts != NULL) {
- mi_free((char *)*opts);
- *opts = NULL;
- }
- } else if (userlen > 0) {
- /* merge in the user's options */
- newopts = *opts;
- if (labellen > 0) {
- int extra = labellen - newopts[IPOPT_OLEN];
-
- newopts += newopts[IPOPT_OLEN];
- while (--extra >= 0)
- *newopts++ = IPOPT_NOP;
- }
- bcopy(useropts, newopts, userlen);
- }
-
- *optlen = newlen;
- return (B_TRUE);
+ return (EINVAL);
}
diff --git a/usr/src/uts/common/inet/ip/tnet.c b/usr/src/uts/common/inet/ip/tnet.c
index 1e5c0eb170..262d5bc339 100644
--- a/usr/src/uts/common/inet/ip/tnet.c
+++ b/usr/src/uts/common/inet/ip/tnet.c
@@ -133,16 +133,7 @@ int tsol_strict_error;
* - A set of route-related attributes that only get set for prefix
* IREs. If this is non-NULL, the prefix IRE has been associated
* with a set of gateway security attributes by way of route add/
- * change functionality. This field stays NULL for IRE_CACHEs.
- *
- * igsa_gcgrp
- *
- * - Group of gc's which only gets set for IRE_CACHEs. Each of the gc
- * points to a gcdb record that contains the security attributes
- * used to perform the credential checks of the packet which uses
- * the IRE. If the group is not empty, the list of gc's can be
- * traversed starting at gcgrp_head. This field stays NULL for
- * prefix IREs.
+ * change functionality.
*/
static kmem_cache_t *ire_gw_secattr_cache;
@@ -223,7 +214,6 @@ ire_gw_secattr_constructor(void *buf, void *cdrarg, int kmflags)
attrp->igsa_rhc = NULL;
attrp->igsa_gc = NULL;
- attrp->igsa_gcgrp = NULL;
return (0);
}
@@ -257,14 +247,9 @@ ire_gw_secattr_free(tsol_ire_gw_secattr_t *attrp)
GC_REFRELE(attrp->igsa_gc);
attrp->igsa_gc = NULL;
}
- if (attrp->igsa_gcgrp != NULL) {
- GCGRP_REFRELE(attrp->igsa_gcgrp);
- attrp->igsa_gcgrp = NULL;
- }
ASSERT(attrp->igsa_rhc == NULL);
ASSERT(attrp->igsa_gc == NULL);
- ASSERT(attrp->igsa_gcgrp == NULL);
kmem_cache_free(ire_gw_secattr_cache, attrp);
}
@@ -387,9 +372,6 @@ rtsa_validate(const struct rtsa_s *rp)
/*
* A brief explanation of the reference counting scheme:
*
- * Prefix IREs have a non-NULL igsa_gc and a NULL igsa_gcgrp;
- * IRE_CACHEs have it vice-versa.
- *
* Apart from dynamic references due to to reference holds done
* actively by threads, we have the following references:
*
@@ -402,8 +384,6 @@ rtsa_validate(const struct rtsa_s *rp)
* to the gc_refcnt.
*
* gcgrp_refcnt:
- * - An IRE_CACHE that points to an igsa_gcgrp contributes a reference
- * to the gcgrp_refcnt of the associated tsol_gcgrp_t.
* - Every tsol_gc_t in the chain headed by tsol_gcgrp_t contributes
* a reference to the gcgrp_refcnt.
*/
@@ -613,7 +593,6 @@ gcgrp_inactive(tsol_gcgrp_t *gcgrp)
mod_hash_t *hashp;
ASSERT(MUTEX_HELD(&gcgrp_lock));
- ASSERT(!RW_LOCK_HELD(&gcgrp->gcgrp_rwlock));
ASSERT(gcgrp != NULL && gcgrp->gcgrp_refcnt == 0);
ASSERT(gcgrp->gcgrp_head == NULL && gcgrp->gcgrp_count == 0);
@@ -686,21 +665,21 @@ cipso_to_sl(const uchar_t *option, bslabel_t *sl)
}
/*
- * If present, parse a CIPSO label in the incoming packet and
- * construct a ts_label_t that reflects the CIPSO label and attach it
- * to the dblk cred. Later as the mblk flows up through the stack any
+ * If present, parse the CIPSO label in the incoming packet and
+ * construct a ts_label_t that reflects the CIPSO label and put it in
+ * the ip_recv_attr_t. Later as the packet flows up through the stack any
* code that needs to examine the packet label can inspect the label
- * from the dblk cred. This function is called right in ip_rput for
- * all packets, i.e. locally destined and to be forwarded packets. The
- * forwarding path needs to examine the label to determine how to
- * forward the packet.
+ * from the ira_tsl. This function is
+ * called right in ip_input for all packets, i.e. locally destined and
+ * to be forwarded packets. The forwarding path needs to examine the label
+ * to determine how to forward the packet.
*
* This routine pulls all message text up into the first mblk.
* For IPv4, only the first 20 bytes of the IP header are guaranteed
* to exist. For IPv6, only the IPv6 header is guaranteed to exist.
*/
boolean_t
-tsol_get_pkt_label(mblk_t *mp, int version)
+tsol_get_pkt_label(mblk_t *mp, int version, ip_recv_attr_t *ira)
{
tsol_tpc_t *src_rhtp = NULL;
uchar_t *opt_ptr = NULL;
@@ -713,7 +692,6 @@ tsol_get_pkt_label(mblk_t *mp, int version)
const void *src;
const ip6_t *ip6h;
cred_t *credp;
- pid_t cpid;
int proto;
ASSERT(DB_TYPE(mp) == M_DATA);
@@ -846,28 +824,37 @@ tsol_get_pkt_label(mblk_t *mp, int version)
return (B_FALSE);
}
- /* Make sure no other thread is messing with this mblk */
- ASSERT(DB_REF(mp) == 1);
- /* Preserve db_cpid */
- credp = msg_extractcred(mp, &cpid);
- if (credp == NULL) {
+ if (ira->ira_cred == NULL) {
credp = newcred_from_bslabel(&sl, doi, KM_NOSLEEP);
+ if (credp == NULL)
+ return (B_FALSE);
} else {
cred_t *newcr;
- newcr = copycred_from_bslabel(credp, &sl, doi,
+ newcr = copycred_from_bslabel(ira->ira_cred, &sl, doi,
KM_NOSLEEP);
- crfree(credp);
+ if (newcr == NULL)
+ return (B_FALSE);
+ if (ira->ira_free_flags & IRA_FREE_CRED) {
+ crfree(ira->ira_cred);
+ ira->ira_free_flags &= ~IRA_FREE_CRED;
+ ira->ira_cred = NULL;
+ }
credp = newcr;
}
- if (credp == NULL)
- return (B_FALSE);
- crgetlabel(credp)->tsl_flags |= label_flags;
-
- mblk_setcred(mp, credp, cpid);
- crfree(credp); /* mblk has ref on cred */
+ /*
+ * Put the label in ira_tsl for convinience, while keeping
+ * the cred in ira_cred for getpeerucred which is used to get
+ * labels with TX.
+ * Note: no explicit refcnt/free_flag for ira_tsl. The free_flag
+ * for IRA_FREE_CRED is sufficient for both.
+ */
+ ira->ira_tsl = crgetlabel(credp);
+ ira->ira_cred = credp;
+ ira->ira_free_flags |= IRA_FREE_CRED;
+ ira->ira_tsl->tsl_flags |= label_flags;
return (B_TRUE);
}
@@ -878,25 +865,25 @@ tsol_get_pkt_label(mblk_t *mp, int version)
*/
boolean_t
tsol_receive_local(const mblk_t *mp, const void *addr, uchar_t version,
- boolean_t shared_addr, const conn_t *connp)
+ ip_recv_attr_t *ira, const conn_t *connp)
{
const cred_t *credp;
ts_label_t *plabel, *conn_plabel;
tsol_tpc_t *tp;
boolean_t retv;
const bslabel_t *label, *conn_label;
+ boolean_t shared_addr = (ira->ira_flags & IRAF_TX_SHARED_ADDR);
/*
- * The cases in which this can happen are:
- * - IPv6 Router Alert, where ip_rput_data_v6 deliberately skips
- * over the label attachment process.
- * - MLD output looped-back to ourselves.
- * - IPv4 Router Discovery, where tsol_get_pkt_label intentionally
- * avoids the labeling process.
- * We trust that all valid paths in the code set the cred pointer when
- * needed.
+ * tsol_get_pkt_label intentionally avoids the labeling process for:
+ * - IPv6 router and neighbor discovery as well as redirects.
+ * - MLD packets. (Anything between ICMPv6 code 130 and 138.)
+ * - IGMP packets.
+ * - IPv4 router discovery.
+ * In those cases ire_cred is NULL.
*/
- if ((credp = msg_getcred(mp, NULL)) == NULL)
+ credp = ira->ira_cred;
+ if (credp == NULL)
return (B_TRUE);
/*
@@ -904,17 +891,18 @@ tsol_receive_local(const mblk_t *mp, const void *addr, uchar_t version,
* same zoneid as the selected destination, then no checks are
* necessary. Membership in the zone is enough proof. This is
* intended to be a hot path through this function.
+ * Note: Using crgetzone here is ok since the peer is local.
*/
if (!crisremote(credp) &&
crgetzone(credp) == crgetzone(connp->conn_cred))
return (B_TRUE);
- plabel = crgetlabel(credp);
+ plabel = ira->ira_tsl;
conn_plabel = crgetlabel(connp->conn_cred);
ASSERT(plabel != NULL && conn_plabel != NULL);
label = label2bslabel(plabel);
- conn_label = label2bslabel(crgetlabel(connp->conn_cred));
+ conn_label = label2bslabel(conn_plabel);
/*
@@ -954,12 +942,8 @@ tsol_receive_local(const mblk_t *mp, const void *addr, uchar_t version,
blequal(label, conn_label))
return (B_TRUE);
- /*
- * conn_zoneid is global for an exclusive stack, thus we use
- * conn_cred to get the zoneid
- */
if ((connp->conn_mac_mode == CONN_MAC_DEFAULT) ||
- (crgetzoneid(connp->conn_cred) != GLOBAL_ZONEID &&
+ (!connp->conn_zone_is_global &&
(plabel->tsl_doi != conn_plabel->tsl_doi ||
!bldominates(conn_label, label)))) {
DTRACE_PROBE3(
@@ -1046,16 +1030,13 @@ tsol_receive_local(const mblk_t *mp, const void *addr, uchar_t version,
}
boolean_t
-tsol_can_accept_raw(mblk_t *mp, boolean_t check_host)
+tsol_can_accept_raw(mblk_t *mp, ip_recv_attr_t *ira, boolean_t check_host)
{
ts_label_t *plabel = NULL;
tsol_tpc_t *src_rhtp, *dst_rhtp;
boolean_t retv;
- cred_t *credp;
- credp = msg_getcred(mp, NULL);
- if (credp != NULL)
- plabel = crgetlabel(credp);
+ plabel = ira->ira_tsl;
/* We are bootstrapping or the internal template was never deleted */
if (plabel == NULL)
@@ -1144,7 +1125,7 @@ tsol_can_accept_raw(mblk_t *mp, boolean_t check_host)
* TSLF_UNLABELED flag is sufficient.
*/
boolean_t
-tsol_can_reply_error(const mblk_t *mp)
+tsol_can_reply_error(const mblk_t *mp, ip_recv_attr_t *ira)
{
ts_label_t *plabel = NULL;
tsol_tpc_t *rhtp;
@@ -1152,7 +1133,6 @@ tsol_can_reply_error(const mblk_t *mp)
const ip6_t *ip6h;
boolean_t retv;
bslabel_t *pktbs;
- cred_t *credp;
/* Caller must pull up at least the IP header */
ASSERT(MBLKL(mp) >= (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION ?
@@ -1161,9 +1141,7 @@ tsol_can_reply_error(const mblk_t *mp)
if (!tsol_strict_error)
return (B_TRUE);
- credp = msg_getcred(mp, NULL);
- if (credp != NULL)
- plabel = crgetlabel(credp);
+ plabel = ira->ira_tsl;
/* We are bootstrapping or the internal template was never deleted */
if (plabel == NULL)
@@ -1227,33 +1205,30 @@ tsol_can_reply_error(const mblk_t *mp)
}
/*
- * Finds the zone associated with the given packet. Returns GLOBAL_ZONEID if
- * the zone cannot be located.
+ * Finds the zone associated with the receive attributes. Returns GLOBAL_ZONEID
+ * if the zone cannot be located.
*
* This is used by the classifier when the packet matches an ALL_ZONES IRE, and
* there's no MLP defined.
*
* Note that we assume that this is only invoked in the ALL_ZONES case.
- * Handling other cases would require handle exclusive stack zones where either
+ * Handling other cases would require handling exclusive IP zones where either
* this routine or the callers would have to map from
* the zoneid (zone->zone_id) to what IP uses in conn_zoneid etc.
*/
zoneid_t
-tsol_packet_to_zoneid(const mblk_t *mp)
+tsol_attr_to_zoneid(const ip_recv_attr_t *ira)
{
- cred_t *cr = msg_getcred(mp, NULL);
zone_t *zone;
ts_label_t *label;
- if (cr != NULL) {
- if ((label = crgetlabel(cr)) != NULL) {
- zone = zone_find_by_label(label);
- if (zone != NULL) {
- zoneid_t zoneid = zone->zone_id;
+ if ((label = ira->ira_tsl) != NULL) {
+ zone = zone_find_by_label(label);
+ if (zone != NULL) {
+ zoneid_t zoneid = zone->zone_id;
- zone_rele(zone);
- return (zoneid);
- }
+ zone_rele(zone);
+ return (zoneid);
}
}
return (GLOBAL_ZONEID);
@@ -1273,7 +1248,7 @@ tsol_ire_match_gwattr(ire_t *ire, const ts_label_t *tsl)
/* Not in Trusted mode or IRE is local/loopback/broadcast/interface */
if (!is_system_labeled() ||
(ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK | IRE_BROADCAST |
- IRE_INTERFACE)))
+ IRE_IF_ALL | IRE_MULTICAST | IRE_NOROUTE)))
goto done;
/*
@@ -1304,29 +1279,16 @@ tsol_ire_match_gwattr(ire_t *ire, const ts_label_t *tsl)
mutex_enter(&attrp->igsa_lock);
/*
- * Depending on the IRE type (prefix vs. cache), we seek the group
+ * We seek the group
* structure which contains all security credentials of the gateway.
- * A prefix IRE is associated with at most one gateway credential,
- * while a cache IRE is associated with every credentials that the
- * gateway has.
+ * An offline IRE is associated with at most one gateway credential.
*/
- if ((gc = attrp->igsa_gc) != NULL) { /* prefix */
+ if ((gc = attrp->igsa_gc) != NULL) {
gcgrp = gc->gc_grp;
ASSERT(gcgrp != NULL);
rw_enter(&gcgrp->gcgrp_rwlock, RW_READER);
- } else if ((gcgrp = attrp->igsa_gcgrp) != NULL) { /* cache */
- rw_enter(&gcgrp->gcgrp_rwlock, RW_READER);
- gc = gcgrp->gcgrp_head;
- if (gc == NULL) {
- /* gc group is empty, so the drop lock now */
- ASSERT(gcgrp->gcgrp_count == 0);
- rw_exit(&gcgrp->gcgrp_rwlock);
- gcgrp = NULL;
- }
- }
-
- if (gcgrp != NULL)
GCGRP_REFHOLD(gcgrp);
+ }
if ((gw_rhc = attrp->igsa_rhc) != NULL) {
/*
@@ -1354,12 +1316,11 @@ tsol_ire_match_gwattr(ire_t *ire, const ts_label_t *tsl)
ASSERT(ga->ga_af == AF_INET6);
paddr = &ga->ga_addr;
}
- } else if (ire->ire_ipversion == IPV6_VERSION &&
- !IN6_IS_ADDR_UNSPECIFIED(&ire->ire_gateway_addr_v6)) {
- paddr = &ire->ire_gateway_addr_v6;
- } else if (ire->ire_ipversion == IPV4_VERSION &&
- ire->ire_gateway_addr != INADDR_ANY) {
- paddr = &ire->ire_gateway_addr;
+ } else if (ire->ire_type & IRE_OFFLINK) {
+ if (ire->ire_ipversion == IPV6_VERSION)
+ paddr = &ire->ire_gateway_addr_v6;
+ else if (ire->ire_ipversion == IPV4_VERSION)
+ paddr = &ire->ire_gateway_addr;
}
/* We've found a gateway address to do the template lookup */
@@ -1408,6 +1369,7 @@ tsol_ire_match_gwattr(ire_t *ire, const ts_label_t *tsl)
}
if (gc != NULL) {
+
tsol_gcdb_t *gcdb;
/*
* In the case of IRE_CACHE we've got one or more gateway
@@ -1418,18 +1380,9 @@ tsol_ire_match_gwattr(ire_t *ire, const ts_label_t *tsl)
* just the route itself, so the loop is executed only once.
*/
ASSERT(gcgrp != NULL);
- do {
- gcdb = gc->gc_db;
- if (tsl->tsl_doi == gcdb->gcdb_doi &&
- _blinrange(&tsl->tsl_label, &gcdb->gcdb_slrange))
- break;
- if (ire->ire_type == IRE_CACHE)
- gc = gc->gc_next;
- else
- gc = NULL;
- } while (gc != NULL);
-
- if (gc == NULL) {
+ gcdb = gc->gc_db;
+ if (tsl->tsl_doi != gcdb->gcdb_doi ||
+ !_blinrange(&tsl->tsl_label, &gcdb->gcdb_slrange)) {
DTRACE_PROBE3(
tx__ip__log__drop__irematch__nogcmatched,
char *, "ire(1), tsl(2): all gc failed match",
@@ -1493,12 +1446,13 @@ done:
/*
* Performs label accreditation checks for packet forwarding.
+ * Add or remove a CIPSO option as needed.
*
* Returns a pointer to the modified mblk if allowed for forwarding,
* or NULL if the packet must be dropped.
*/
mblk_t *
-tsol_ip_forward(ire_t *ire, mblk_t *mp)
+tsol_ip_forward(ire_t *ire, mblk_t *mp, const ip_recv_attr_t *ira)
{
tsol_ire_gw_secattr_t *attrp = NULL;
ipha_t *ipha;
@@ -1516,11 +1470,14 @@ tsol_ip_forward(ire_t *ire, mblk_t *mp)
boolean_t need_tpc_rele = B_FALSE;
ipaddr_t *gw;
ip_stack_t *ipst = ire->ire_ipst;
- cred_t *credp;
- pid_t pid;
+ int err;
+ ts_label_t *effective_tsl = NULL;
ASSERT(ire != NULL && mp != NULL);
- ASSERT(ire->ire_stq != NULL);
+ /*
+ * Note that the ire is the first one found, i.e., an IRE_OFFLINK if
+ * the destination is offlink.
+ */
af = (ire->ire_ipversion == IPV4_VERSION) ? AF_INET : AF_INET6;
@@ -1530,16 +1487,6 @@ tsol_ip_forward(ire_t *ire, mblk_t *mp)
psrc = &ipha->ipha_src;
pdst = &ipha->ipha_dst;
proto = ipha->ipha_protocol;
-
- /*
- * off_link is TRUE if destination not directly reachable.
- * Surya note: we avoid creation of per-dst IRE_CACHE entries
- * for forwarded packets, so we set off_link to be TRUE
- * if the packet dst is different from the ire_addr of
- * the ire for the nexthop.
- */
- off_link = ((ipha->ipha_dst != ire->ire_addr) ||
- (ire->ire_gateway_addr != INADDR_ANY));
if (!tsol_get_option_v4(mp, &label_type, &opt_ptr))
return (NULL);
} else {
@@ -1561,14 +1508,15 @@ tsol_ip_forward(ire_t *ire, mblk_t *mp)
}
proto = *nexthdrp;
}
-
- /* destination not directly reachable? */
- off_link = !IN6_IS_ADDR_UNSPECIFIED(&ire->ire_gateway_addr_v6);
if (!tsol_get_option_v6(mp, &label_type, &opt_ptr))
return (NULL);
}
+ /*
+ * off_link is TRUE if destination not directly reachable.
+ */
+ off_link = (ire->ire_type & IRE_OFFLINK);
- if ((tsl = msg_getlabel(mp)) == NULL)
+ if ((tsl = ira->ira_tsl) == NULL)
return (mp);
if (tsl->tsl_flags & TSLF_IMPLICIT_IN) {
@@ -1611,11 +1559,7 @@ tsol_ip_forward(ire_t *ire, mblk_t *mp)
attrp = ire->ire_gw_secattr;
gw_rhtp = attrp->igsa_rhc->rhc_tpc;
} else {
- /*
- * use the ire_addr if this is the IRE_CACHE of nexthop
- */
- gw = (ire->ire_gateway_addr == NULL? &ire->ire_addr :
- &ire->ire_gateway_addr);
+ gw = &ire->ire_gateway_addr;
gw_rhtp = find_tpc(gw, ire->ire_ipversion, B_FALSE);
need_tpc_rele = B_TRUE;
}
@@ -1702,7 +1646,13 @@ tsol_ip_forward(ire_t *ire, mblk_t *mp)
/* adjust is negative */
ASSERT((mp->b_wptr + adjust) >= mp->b_rptr);
mp->b_wptr += adjust;
-
+ /*
+ * Note that caller adjusts ira_pktlen and
+ * ira_ip_hdr_length
+ *
+ * For AF_INET6 note that tsol_remove_secopt_v6
+ * adjusted ip6_plen.
+ */
if (af == AF_INET) {
ipha = (ipha_t *)mp->b_rptr;
iplen = ntohs(ipha->ipha_length) + adjust;
@@ -1729,17 +1679,34 @@ tsol_ip_forward(ire_t *ire, mblk_t *mp)
(!off_link || gw_rhtp->tpc_tp.host_type == UNLABELED))
goto keep_label;
-
- credp = msg_getcred(mp, &pid);
- if ((af == AF_INET &&
- tsol_check_label(credp, &mp, CONN_MAC_DEFAULT, ipst, pid) != 0) ||
- (af == AF_INET6 &&
- tsol_check_label_v6(credp, &mp, CONN_MAC_DEFAULT, ipst,
- pid) != 0)) {
+ /*
+ * Since we are forwarding packets we use GLOBAL_ZONEID for
+ * the IRE lookup in tsol_check_label.
+ * Since mac_exempt is false the zoneid isn't used for anything
+ * but the IRE lookup, hence we set zone_is_global to false.
+ */
+ if (af == AF_INET) {
+ err = tsol_check_label_v4(tsl, GLOBAL_ZONEID, &mp,
+ CONN_MAC_DEFAULT, B_FALSE, ipst, &effective_tsl);
+ } else {
+ err = tsol_check_label_v6(tsl, GLOBAL_ZONEID, &mp,
+ CONN_MAC_DEFAULT, B_FALSE, ipst, &effective_tsl);
+ }
+ if (err != 0) {
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ ip_drop_output("tsol_check_label", mp, NULL);
+ freemsg(mp);
mp = NULL;
goto keep_label;
}
+ /*
+ * The effective_tsl must never affect the routing decision, hence
+ * we ignore it here.
+ */
+ if (effective_tsl != NULL)
+ label_rele(effective_tsl);
+
if (af == AF_INET) {
ipha = (ipha_t *)mp->b_rptr;
ipha->ipha_hdr_checksum = 0;
@@ -1885,13 +1852,13 @@ tsol_rtsa_init(rt_msghdr_t *rtm, tsol_rtsecattr_t *sp, caddr_t cp)
}
int
-tsol_ire_init_gwattr(ire_t *ire, uchar_t ipversion, tsol_gc_t *gc,
- tsol_gcgrp_t *gcgrp)
+tsol_ire_init_gwattr(ire_t *ire, uchar_t ipversion, tsol_gc_t *gc)
{
tsol_ire_gw_secattr_t *attrp;
boolean_t exists = B_FALSE;
in_addr_t ga_addr4;
void *paddr = NULL;
+ tsol_gcgrp_t *gcgrp = NULL;
ASSERT(ire != NULL);
@@ -1917,20 +1884,16 @@ tsol_ire_init_gwattr(ire_t *ire, uchar_t ipversion, tsol_gc_t *gc,
if (attrp->igsa_gc != NULL)
GC_REFRELE(attrp->igsa_gc);
- if (attrp->igsa_gcgrp != NULL)
- GCGRP_REFRELE(attrp->igsa_gcgrp);
}
ASSERT(!exists || MUTEX_HELD(&attrp->igsa_lock));
/*
* References already held by caller and we keep them;
- * note that both gc and gcgrp may be set to NULL to
- * clear out igsa_gc and igsa_gcgrp, respectively.
+ * note that gc may be set to NULL to clear out igsa_gc.
*/
attrp->igsa_gc = gc;
- attrp->igsa_gcgrp = gcgrp;
- if (gcgrp == NULL && gc != NULL) {
+ if (gc != NULL) {
gcgrp = gc->gc_grp;
ASSERT(gcgrp != NULL);
}
@@ -1955,12 +1918,11 @@ tsol_ire_init_gwattr(ire_t *ire, uchar_t ipversion, tsol_gc_t *gc,
ASSERT(ga->ga_af == AF_INET6);
paddr = &ga->ga_addr;
}
- } else if (ipversion == IPV6_VERSION &&
- !IN6_IS_ADDR_UNSPECIFIED(&ire->ire_gateway_addr_v6)) {
- paddr = &ire->ire_gateway_addr_v6;
- } else if (ipversion == IPV4_VERSION &&
- ire->ire_gateway_addr != INADDR_ANY) {
- paddr = &ire->ire_gateway_addr;
+ } else if (ire->ire_type & IRE_OFFLINK) {
+ if (ipversion == IPV6_VERSION)
+ paddr = &ire->ire_gateway_addr_v6;
+ else if (ipversion == IPV4_VERSION)
+ paddr = &ire->ire_gateway_addr;
}
/*
@@ -1990,7 +1952,7 @@ tsol_ire_init_gwattr(ire_t *ire, uchar_t ipversion, tsol_gc_t *gc,
* If we can't figure out what it is, then return mlptSingle. That's actually
* an error case.
*
- * The callers are assume to pass in zone->zone_id and not the zoneid that
+ * The callers are assumed to pass in zone->zone_id and not the zoneid that
* is stored in a conn_t (since the latter will be GLOBAL_ZONEID in an
* exclusive stack zone).
*/
@@ -2022,23 +1984,28 @@ tsol_mlp_addr_type(zoneid_t zoneid, uchar_t version, const void *addr,
version = IPV4_VERSION;
}
+ /* Check whether the IRE_LOCAL (or ipif) is ALL_ZONES */
if (version == IPV4_VERSION) {
in4 = *(const in_addr_t *)addr;
if ((in4 == INADDR_ANY) || CLASSD(in4)) {
return (mlptBoth);
}
- ire = ire_cache_lookup(in4, ip_zoneid, NULL, ipst);
+ ire = ire_ftable_lookup_v4(in4, 0, 0, IRE_LOCAL|IRE_LOOPBACK,
+ NULL, ip_zoneid, NULL, MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY,
+ 0, ipst, NULL);
} else {
if (IN6_IS_ADDR_UNSPECIFIED((const in6_addr_t *)addr) ||
IN6_IS_ADDR_MULTICAST((const in6_addr_t *)addr)) {
return (mlptBoth);
}
- ire = ire_cache_lookup_v6(addr, ip_zoneid, NULL, ipst);
+ ire = ire_ftable_lookup_v6(addr, 0, 0, IRE_LOCAL|IRE_LOOPBACK,
+ NULL, ip_zoneid, NULL, MATCH_IRE_TYPE | MATCH_IRE_ZONEONLY,
+ 0, ipst, NULL);
}
/*
* If we can't find the IRE, then we have to behave exactly like
- * ip_bind_laddr{,_v6}. That means looking up the IPIF so that users
- * can bind to addresses on "down" interfaces.
+ * ip_laddr_verify_{v4,v6}. That means looking up the IPIF so that
+ * users can bind to addresses on "down" interfaces.
*
* If we can't find that either, then the bind is going to fail, so
* just give up. Note that there's a miniscule chance that the address
@@ -2047,10 +2014,10 @@ tsol_mlp_addr_type(zoneid_t zoneid, uchar_t version, const void *addr,
if (ire == NULL) {
if (version == IPV4_VERSION)
ipif = ipif_lookup_addr(*(const in_addr_t *)addr, NULL,
- ip_zoneid, NULL, NULL, NULL, NULL, ipst);
+ ip_zoneid, ipst);
else
ipif = ipif_lookup_addr_v6((const in6_addr_t *)addr,
- NULL, ip_zoneid, NULL, NULL, NULL, NULL, ipst);
+ NULL, ip_zoneid, ipst);
if (ipif == NULL) {
return (mlptSingle);
}
diff --git a/usr/src/uts/common/inet/ip2mac_impl.h b/usr/src/uts/common/inet/ip2mac_impl.h
index 19d0931441..9a09e14487 100644
--- a/usr/src/uts/common/inet/ip2mac_impl.h
+++ b/usr/src/uts/common/inet/ip2mac_impl.h
@@ -37,10 +37,10 @@ extern "C" {
#ifdef _KERNEL
-extern void nce_cb_dispatch(nce_t *);
-extern void nce_ip2mac_response(ip2mac_t *, nce_t *);
-extern void nce_cb_refhold_locked(nce_t *);
-extern void nce_cb_refrele(nce_t *);
+extern void ncec_cb_dispatch(ncec_t *);
+extern void ncec_ip2mac_response(ip2mac_t *, ncec_t *);
+extern void ncec_cb_refhold_locked(ncec_t *);
+extern void ncec_cb_refrele(ncec_t *);
#endif /* _KERNEL */
diff --git a/usr/src/uts/common/inet/ip6.h b/usr/src/uts/common/inet/ip6.h
index 5408ab9e55..10c6c81ba2 100644
--- a/usr/src/uts/common/inet/ip6.h
+++ b/usr/src/uts/common/inet/ip6.h
@@ -57,105 +57,12 @@ typedef enum {
IP6_SCOPE_GLOBAL
} in6addr_scope_t;
-#ifdef _KERNEL
+/* From RFC 3542 - setting for IPV6_USE_MIN_MTU socket option */
+#define IPV6_USE_MIN_MTU_MULTICAST -1 /* Default */
+#define IPV6_USE_MIN_MTU_NEVER 0
+#define IPV6_USE_MIN_MTU_ALWAYS 1
-/*
- * Private header used between the transports and IP to carry the content
- * of the options IPV6_PKTINFO/IPV6_RECVPKTINFO (the interface index only)
- * and IPV6_NEXTHOP.
- * Also used to specify that raw sockets do not want the UDP/TCP transport
- * checksums calculated in IP (akin to IP_HDR_INCLUDED) and provide for
- * IPV6_CHECKSUM on the transmit side (using ip6i_checksum_off).
- *
- * When this header is used it must be the first header in the packet i.e.
- * before the real ip6 header. The use of a next header value of 255
- * (IPPROTO_RAW) in this header indicates its presence. Note that
- * ip6_nxt = IPPROTO_RAW indicates that "this" header is ip6_info - the
- * next header is always IPv6.
- *
- * Note that ip6i_nexthop is at the same offset as ip6_dst so that
- * this header can be kept in the packet while the it passes through
- * ip_newroute* and the ndp code. Those routines will use ip6_dst for
- * resolution.
- *
- * Implementation offset assumptions about ip6_info_t and ip6_t fields
- * and their alignments shown in figure below
- *
- * ip6_info (Private headers from transports to IP) header below
- * _______________________________________________________________ _ _ _ _ _
- * | .... | ip6i_nxt (255)| ......................|ip6i_nexthop| ...ip6_t.
- * --------------------------------------------------------------- - - - - -
- * ^ ^
- * <---- >| same offset for {ip6i_nxt,ip6_nxt} ^
- * ^ ^
- * <------^-------------------------------------->| same offset for
- * ^ ^ {ip6i_nxthop,ip6_dst}
- * _______________________________________________________________ _ _ _
- * | .... | ip6_nxt | ......................|ip6_dst | .other hdrs...
- * --------------------------------------------------------------- - - -
- * ip6_t (IPv6 protocol) header above
- */
-struct ip6_info {
- union {
- struct ip6_info_ctl {
- uint32_t ip6i_un1_flow;
- uint16_t ip6i_un1_plen; /* payload length */
- uint8_t ip6i_un1_nxt; /* next header */
- uint8_t ip6i_un1_hlim; /* hop limit */
- } ip6i_un1;
- } ip6i_ctlun;
- int ip6i_flags; /* See below */
- int ip6i_ifindex;
- int ip6i_checksum_off;
- int ip6i_pad;
- in6_addr_t ip6i_nexthop; /* Same offset as ip6_dst */
-};
-typedef struct ip6_info ip6i_t;
-
-#define ip6i_flow ip6i_ctlun.ip6i_un1.ip6i_un1_flow
-#define ip6i_vcf ip6i_flow /* Version, class, flow */
-#define ip6i_nxt ip6i_ctlun.ip6i_un1.ip6i_un1_nxt
-#define ip6i_hops ip6i_ctlun.ip6i_un1.ip6i_un1_hlim
-
-/* ip6_info flags */
-#define IP6I_IFINDEX 0x1 /* ip6i_ifindex is set (to nonzero value) */
-#define IP6I_NEXTHOP 0x2 /* ip6i_nexthop is different than ip6_dst */
-#define IP6I_NO_ULP_CKSUM 0x4
- /*
- * Do not generate TCP/UDP/SCTP transport checksum.
- * Used by raw sockets. Does not affect the
- * generation of transport checksums for ICMPv6
- * since such packets always arrive through
- * a raw socket.
- */
-#define IP6I_UNSPEC_SRC 0x8
- /* Used to carry conn_unspec_src through ip_newroute* */
-#define IP6I_RAW_CHECKSUM 0x10
- /* Compute checksum and stuff in ip6i_checksum_off */
-#define IP6I_VERIFY_SRC 0x20 /* Verify ip6_src. Used when IPV6_PKTINFO */
-#define IP6I_IPMP_PROBE 0x40 /* IPMP (in.mpathd) probe packet */
- /* 0x80 - 0x100 available */
-#define IP6I_DONTFRAG 0x200 /* Don't fragment this packet */
-#define IP6I_HOPLIMIT 0x400 /* hoplimit has been set by the sender */
-
-/*
- * These constants refer to the IPV6_USE_MIN_MTU API. The
- * actually values used in the API are these values shifted down
- * 10 bits minus 2 [-1, 1]. 0 (-2 after conversion) is considered
- * the same as the default (-1). IP6I_API_USE_MIN_MTU(f, x) returns
- * the flags field updated with min mtu. IP6I_USE_MIN_MTU_API takes the
- * field and returns the API value (+ the -2 value).
- */
-#define IP6I_USE_MIN_MTU_UNICAST 0x400
-#define IP6I_USE_MIN_MTU_ALWAYS 0x800
-#define IP6I_USE_MIN_MTU_NEVER 0xC00
-#define IP6I_USE_MIN_MTU_API(x) ((((x) & 0xC00) >> 10) - 2)
-#define IP6I_API_USE_MIN_MTU(f, x) (((f) & ~0xC00) &\
- ((((x) + 2) & 0x3) << 11))
-#define IPV6_USE_MIN_MTU_DEFAULT -2
-#define IPV6_USE_MIN_MTU_UNICAST -1
-#define IPV6_USE_MIN_MTU_ALWAYS 0
-#define IPV6_USE_MIN_MTU_NEVER 1
+#ifdef _KERNEL
/* Extract the scope from a multicast address */
#ifdef _BIG_ENDIAN
@@ -195,28 +102,18 @@ typedef struct ip6_info ip6i_t;
#define MIN_EHDR_LEN 8
#define MAX_EHDR_LEN 2048
-/*
- * The high-order bit of the version field is used by the transports to
- * indicate a reachability confirmation to IP.
- */
-#define IP_FORWARD_PROG_BIT 0x8
-
#ifdef _BIG_ENDIAN
#define IPV6_DEFAULT_VERS_AND_FLOW 0x60000000
#define IPV6_VERS_AND_FLOW_MASK 0xF0000000
-#define IP_FORWARD_PROG ((uint32_t)IP_FORWARD_PROG_BIT << 28)
#define V6_MCAST 0xFF000000
#define V6_LINKLOCAL 0xFE800000
#define IPV6_FLOW_TCLASS(x) (((x) & IPV6_FLOWINFO_TCLASS) >> 20)
#define IPV6_TCLASS_FLOW(f, c) (((f) & ~IPV6_FLOWINFO_TCLASS) |\
((c) << 20))
-
#else
#define IPV6_DEFAULT_VERS_AND_FLOW 0x00000060
#define IPV6_VERS_AND_FLOW_MASK 0x000000F0
-#define IP_FORWARD_PROG ((uint32_t)IP_FORWARD_PROG_BIT << 4)
-
#define V6_MCAST 0x000000FF
#define V6_LINKLOCAL 0x000080FE
@@ -328,71 +225,66 @@ extern const in6_addr_t ipv6_unspecified_group;
* FUNCTION PROTOTYPES
*/
-struct ipsec_out_s;
-
extern void convert2ascii(char *buf, const in6_addr_t *addr);
extern char *inet_ntop(int, const void *, char *, int);
extern int inet_pton(int, char *, void *);
-extern void icmp_time_exceeded_v6(queue_t *, mblk_t *, uint8_t,
- boolean_t, boolean_t, zoneid_t, ip_stack_t *);
-extern void icmp_unreachable_v6(queue_t *, mblk_t *, uint8_t,
- boolean_t, boolean_t, zoneid_t, ip_stack_t *);
-extern void icmp_inbound_error_fanout_v6(queue_t *, mblk_t *, ip6_t *,
- icmp6_t *, ill_t *, ill_t *, boolean_t, zoneid_t);
-extern boolean_t conn_wantpacket_v6(conn_t *, ill_t *, ip6_t *, int, zoneid_t);
-extern mblk_t *ip_add_info_v6(mblk_t *, ill_t *, const in6_addr_t *);
+extern void icmp_param_problem_nexthdr_v6(mblk_t *, boolean_t,
+ ip_recv_attr_t *);
+extern void icmp_pkt2big_v6(mblk_t *, uint32_t, boolean_t,
+ ip_recv_attr_t *);
+extern void icmp_time_exceeded_v6(mblk_t *, uint8_t, boolean_t,
+ ip_recv_attr_t *);
+extern void icmp_unreachable_v6(mblk_t *, uint8_t, boolean_t,
+ ip_recv_attr_t *);
+extern mblk_t *icmp_inbound_v6(mblk_t *, ip_recv_attr_t *);
+extern void icmp_inbound_error_fanout_v6(mblk_t *, icmp6_t *,
+ ip_recv_attr_t *);
+extern void icmp_update_out_mib_v6(ill_t *, icmp6_t *);
+
+extern boolean_t conn_wantpacket_v6(conn_t *, ip_recv_attr_t *, ip6_t *);
+
extern in6addr_scope_t ip_addr_scope_v6(const in6_addr_t *);
-extern mblk_t *ip_bind_v6(queue_t *, mblk_t *, conn_t *, ip6_pkt_t *);
-extern void ip_build_hdrs_v6(uchar_t *, uint_t, ip6_pkt_t *, uint8_t);
-extern int ip_fanout_send_icmp_v6(queue_t *, mblk_t *, uint_t,
- uint_t, uint8_t, uint_t, boolean_t, zoneid_t, ip_stack_t *);
-extern int ip_find_hdr_v6(mblk_t *, ip6_t *, ip6_pkt_t *, uint8_t *);
-extern in6_addr_t ip_get_dst_v6(ip6_t *, mblk_t *, boolean_t *);
+extern void ip_build_hdrs_v6(uchar_t *, uint_t, const ip_pkt_t *, uint8_t,
+ uint32_t);
+extern void ip_fanout_udp_multi_v6(mblk_t *, ip6_t *, uint16_t, uint16_t,
+ ip_recv_attr_t *);
+extern void ip_fanout_send_icmp_v6(mblk_t *, uint_t, uint8_t,
+ ip_recv_attr_t *);
+extern void ip_fanout_proto_v6(mblk_t *, ip6_t *, ip_recv_attr_t *);
+extern int ip_find_hdr_v6(mblk_t *, ip6_t *, boolean_t, ip_pkt_t *,
+ uint8_t *);
+extern in6_addr_t ip_get_dst_v6(ip6_t *, const mblk_t *, boolean_t *);
extern ip6_rthdr_t *ip_find_rthdr_v6(ip6_t *, uint8_t *);
-extern int ip_hdr_complete_v6(ip6_t *, zoneid_t, ip_stack_t *);
extern boolean_t ip_hdr_length_nexthdr_v6(mblk_t *, ip6_t *,
uint16_t *, uint8_t **);
extern int ip_hdr_length_v6(mblk_t *, ip6_t *);
-extern int ip_check_v6_mblk(mblk_t *, ill_t *);
extern uint32_t ip_massage_options_v6(ip6_t *, ip6_rthdr_t *, netstack_t *);
-extern void ip_wput_frag_v6(mblk_t *, ire_t *, uint_t, conn_t *, int, int);
-extern void ip_wput_ipsec_out_v6(queue_t *, mblk_t *, ip6_t *, ill_t *,
- ire_t *);
-extern int ip_total_hdrs_len_v6(ip6_pkt_t *);
+extern void ip_forward_xmit_v6(nce_t *, mblk_t *, ip6_t *, ip_recv_attr_t *,
+ uint32_t, uint32_t);
+extern mblk_t *ip_fraghdr_add_v6(mblk_t *, uint32_t, ip_xmit_attr_t *);
+extern int ip_fragment_v6(mblk_t *, nce_t *, iaflags_t, uint_t, uint32_t,
+ uint32_t, zoneid_t, zoneid_t, pfirepostfrag_t postfragfn,
+ uintptr_t *ixa_cookie);
+extern int ip_process_options_v6(mblk_t *, ip6_t *,
+ uint8_t *, uint_t, uint8_t, ip_recv_attr_t *);
+extern void ip_process_rthdr(mblk_t *, ip6_t *, ip6_rthdr_t *,
+ ip_recv_attr_t *);
+extern int ip_total_hdrs_len_v6(const ip_pkt_t *);
+extern mblk_t *ipsec_early_ah_v6(mblk_t *, ip_recv_attr_t *);
extern int ipsec_ah_get_hdr_size_v6(mblk_t *, boolean_t);
-extern void ip_wput_v6(queue_t *, mblk_t *);
-extern void ip_wput_local_v6(queue_t *, ill_t *, ip6_t *, mblk_t *,
- ire_t *, int, zoneid_t);
-extern void ip_output_v6(void *, mblk_t *, void *, int);
-extern void ip_xmit_v6(mblk_t *, ire_t *, uint_t, conn_t *, int,
- struct ipsec_out_s *);
+extern void ip_send_potential_redirect_v6(mblk_t *, ip6_t *, ire_t *,
+ ip_recv_attr_t *);
extern void ip_rput_v6(queue_t *, mblk_t *);
-extern void ip_rput_data_v6(queue_t *, ill_t *, mblk_t *, ip6_t *,
- uint_t, mblk_t *, mblk_t *);
-extern void mld_input(queue_t *, mblk_t *, ill_t *);
+extern mblk_t *mld_input(mblk_t *, ip_recv_attr_t *);
extern void mld_joingroup(ilm_t *);
extern void mld_leavegroup(ilm_t *);
extern void mld_timeout_handler(void *);
extern void pr_addr_dbg(char *, int, const void *);
-extern int ip_multirt_apply_membership_v6(int (*fn)(conn_t *, boolean_t,
- const in6_addr_t *, int, mcast_record_t, const in6_addr_t *, mblk_t *),
- ire_t *, conn_t *, boolean_t, const in6_addr_t *, mcast_record_t,
- const in6_addr_t *, mblk_t *);
-extern void ip_newroute_ipif_v6(queue_t *, mblk_t *, ipif_t *,
- const in6_addr_t *, const in6_addr_t *, int, zoneid_t);
-extern void ip_newroute_v6(queue_t *, mblk_t *, const in6_addr_t *,
- const in6_addr_t *, ill_t *, zoneid_t, ip_stack_t *);
extern void *ip6_kstat_init(netstackid_t, ip6_stat_t *);
extern void ip6_kstat_fini(netstackid_t, kstat_t *);
-extern size_t ip6_get_src_preferences(conn_t *, uint32_t *);
-extern int ip6_set_src_preferences(conn_t *, uint32_t);
-extern int ip6_set_pktinfo(cred_t *, conn_t *, struct in6_pktinfo *);
-extern int ip_proto_bind_laddr_v6(conn_t *, mblk_t **, uint8_t,
- const in6_addr_t *, uint16_t, boolean_t);
-extern int ip_proto_bind_connected_v6(conn_t *, mblk_t **,
- uint8_t, in6_addr_t *, uint16_t, const in6_addr_t *, ip6_pkt_t *,
- uint16_t, boolean_t, boolean_t, cred_t *);
+extern size_t ip6_get_src_preferences(ip_xmit_attr_t *, uint32_t *);
+extern int ip6_set_src_preferences(ip_xmit_attr_t *, uint32_t);
#endif /* _KERNEL */
diff --git a/usr/src/uts/common/inet/ip_arp.h b/usr/src/uts/common/inet/ip_arp.h
new file mode 100644
index 0000000000..2cb7e7a05a
--- /dev/null
+++ b/usr/src/uts/common/inet/ip_arp.h
@@ -0,0 +1,136 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#ifndef _IP_ARP_H
+#define _IP_ARP_H
+
+/*
+ * Data-structures and functions related to the IP STREAMS queue that handles
+ * packets with the SAP set to 0x806 (ETHERTYPE_ARP).
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <sys/types.h>
+#include <inet/ip.h>
+#include <inet/ip_ndp.h>
+#include <sys/stream.h>
+
+#ifdef _KERNEL
+extern struct streamtab dummymodinfo;
+
+struct arl_ill_common_s;
+/*
+ * The arl_s structure tracks the state of the associated ARP stream.
+ */
+typedef struct arl_s {
+ queue_t *arl_rq;
+ queue_t *arl_wq;
+ ip_stack_t *arl_ipst;
+ zoneid_t arl_zoneid;
+ cred_t *arl_credp;
+ ip_m_t arl_media;
+ struct arl_ill_common_s *arl_common;
+ int arl_muxid;
+ uint_t arl_ppa;
+ t_uscalar_t arl_sap;
+ t_uscalar_t arl_sap_length;
+ uint_t arl_phys_addr_length;
+ char *arl_name;
+ int arl_name_length;
+ t_uscalar_t arl_mactype;
+#define arl_first_mp_to_free arl_dlpi_deferred
+ mblk_t *arl_dlpi_deferred;
+ mblk_t *arl_unbind_mp;
+ mblk_t *arl_detach_mp;
+#define arl_last_mp_to_free arl_detach_mp
+ uint_t arl_state_flags;
+ uint_t
+ arl_needs_attach:1,
+ arl_dlpi_style_set:1,
+ arl_pad_to_bit_31:30;
+ uint_t arl_refcnt;
+ kcondvar_t arl_cv;
+ t_uscalar_t arl_dlpi_pending;
+ kmutex_t arl_lock;
+ int arl_error;
+} arl_t;
+
+/*
+ * The arl_ill_common_t structure is a super-structure that contains pointers
+ * to a pair of matching ill_t, arl_t structures. Given an arl_t (or
+ * ill_t) the corresponding ill_t (or arl_t) must be obtained by
+ * synchronizing on the ai_lock, and ensuring that the desired ill/arl
+ * pointer is non-null, not condemned. The arl_ill_common_t is allocated in
+ * arl_init() and freed only when both the ill_t and the arl_t structures
+ * become NULL.
+ * Lock hierarchy: the ai_lock must be take before the ill_lock or arl_lock.
+ */
+
+typedef struct arl_ill_common_s {
+ kmutex_t ai_lock;
+ ill_t *ai_ill;
+ arl_t *ai_arl;
+ kcondvar_t ai_ill_unplumb_done; /* sent from ip_modclose() */
+} arl_ill_common_t;
+
+extern boolean_t arp_no_defense;
+
+extern struct module_info arp_mod_info;
+extern int arp_ll_up(ill_t *);
+extern int arp_ll_down(ill_t *);
+extern boolean_t arp_announce(ncec_t *);
+extern boolean_t arp_probe(ncec_t *);
+extern int arp_request(ncec_t *, in_addr_t, ill_t *);
+extern void arp_failure(mblk_t *, ip_recv_attr_t *);
+extern int arl_wait_for_info_ack(arl_t *);
+extern int arl_init(queue_t *, arl_t *);
+extern void arl_set_muxid(ill_t *, int);
+extern int arl_get_muxid(ill_t *);
+extern void arp_send_replumb_conf(ill_t *);
+extern void arp_unbind_complete(ill_t *);
+extern ill_t *arl_to_ill(arl_t *);
+#endif
+
+#define ARP_RETRANS_TIMER 500 /* time in milliseconds */
+
+/* The following are arl_state_flags */
+#define ARL_LL_SUBNET_PENDING 0x01 /* Waiting for DL_INFO_ACK from drv */
+#define ARL_CONDEMNED 0x02 /* No more new ref's to the ILL */
+#define ARL_DL_UNBIND_IN_PROGRESS 0x04 /* UNBIND_REQ is sent */
+#define ARL_LL_BIND_PENDING 0x0020 /* BIND sent */
+#define ARL_LL_UP 0x0040 /* BIND acked */
+#define ARL_LL_DOWN 0x0080
+#define ARL_LL_UNBOUND 0x0100 /* UNBIND acked */
+#define ARL_LL_REPLUMBING 0x0200 /* replumb in progress */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _IP_ARP_H */
diff --git a/usr/src/uts/common/inet/ip_ftable.h b/usr/src/uts/common/inet/ip_ftable.h
index 6a3a05183b..d8fa9e566d 100644
--- a/usr/src/uts/common/inet/ip_ftable.h
+++ b/usr/src/uts/common/inet/ip_ftable.h
@@ -20,7 +20,7 @@
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -56,7 +56,7 @@ struct rt_entry {
*
* The comment below (and for other netstack_t references) refers
* to the fact that we only do netstack_hold in particular cases,
- * such as the references from open streams (ill_t and conn_t's
+ * such as the references from open endpoints (ill_t and conn_t's
* pointers). Internally within IP we rely on IP's ability to cleanup e.g.
* ire_t's when an ill goes away.
*/
@@ -74,26 +74,8 @@ int rtfunc(struct radix_node *, void *);
typedef struct rt_entry rt_t;
typedef struct rtfuncarg rtf_t;
-/* For ire_forward() */
-enum ire_forward_action {
- Forward_ok, /* OK to use this IRE to forward */
- Forward_check_multirt, /* CGTP multirt check required */
- Forward_ret_icmp_err, /* Callers to return an ICMP error */
- Forward_blackhole /* Packet is silently discarded */
-};
-
struct ts_label_s;
-extern ire_t *ire_ftable_lookup(ipaddr_t, ipaddr_t, ipaddr_t, int,
- const ipif_t *, ire_t **, zoneid_t, uint32_t,
- const struct ts_label_s *, int, ip_stack_t *);
-extern ire_t *ire_lookup_multi(ipaddr_t, zoneid_t, ip_stack_t *);
-extern ire_t *ipif_lookup_multi_ire(ipif_t *, ipaddr_t);
extern void ire_delete_host_redirects(ipaddr_t, ip_stack_t *);
-extern ire_t *ire_ihandle_lookup_onlink(ire_t *);
-extern ire_t *ire_forward(ipaddr_t, enum ire_forward_action *, ire_t *,
- ire_t *, const struct ts_label_s *, ip_stack_t *);
-extern ire_t *ire_forward_simple(ipaddr_t, enum ire_forward_action *,
- ip_stack_t *);
extern irb_t *ire_get_bucket(ire_t *);
extern uint_t ifindex_lookup(const struct sockaddr *, zoneid_t);
extern int ipfil_sendpkt(const struct sockaddr *, mblk_t *, uint_t, zoneid_t);
diff --git a/usr/src/uts/common/inet/ip_if.h b/usr/src/uts/common/inet/ip_if.h
index 80a9f74e88..d081d9256b 100644
--- a/usr/src/uts/common/inet/ip_if.h
+++ b/usr/src/uts/common/inet/ip_if.h
@@ -80,12 +80,12 @@ extern "C" {
#define IFF_PHYINTINST_FLAGS (IFF_DEBUG|IFF_NOTRAILERS|IFF_NOARP| \
IFF_MULTICAST|IFF_ROUTER|IFF_NONUD|IFF_NORTEXCH|IFF_IPV4|IFF_IPV6| \
- IFF_XRESOLV|IFF_COS_ENABLED)
+ IFF_COS_ENABLED|IFF_FIXEDMTU)
#define IFF_LOGINT_FLAGS (IFF_UP|IFF_BROADCAST|IFF_POINTOPOINT| \
IFF_UNNUMBERED|IFF_DHCPRUNNING|IFF_PRIVATE|IFF_NOXMIT|IFF_NOLOCAL| \
IFF_DEPRECATED|IFF_ADDRCONF|IFF_ANYCAST|IFF_NOFAILOVER| \
- IFF_PREFERRED|IFF_TEMPORARY|IFF_FIXEDMTU|IFF_DUPLICATE)
+ IFF_PREFERRED|IFF_TEMPORARY|IFF_DUPLICATE)
#define PHYI_LOOPBACK IFF_LOOPBACK /* is a loopback net */
#define PHYI_RUNNING IFF_RUNNING /* resources allocated */
@@ -109,8 +109,8 @@ extern "C" {
#define ILLF_NORTEXCH IFF_NORTEXCH /* No routing info exchange */
#define ILLF_IPV4 IFF_IPV4 /* IPv4 interface */
#define ILLF_IPV6 IFF_IPV6 /* IPv6 interface */
-#define ILLF_XRESOLV IFF_XRESOLV /* IPv6 external resolver */
#define ILLF_COS_ENABLED IFF_COS_ENABLED /* Is CoS marking supported */
+#define ILLF_FIXEDMTU IFF_FIXEDMTU /* set with SIOCSLIFMTU */
#define IPIF_UP IFF_UP /* interface is up */
#define IPIF_BROADCAST IFF_BROADCAST /* broadcast address valid */
@@ -126,7 +126,6 @@ extern "C" {
#define IPIF_NOFAILOVER IFF_NOFAILOVER /* No failover on NIC failure */
#define IPIF_PREFERRED IFF_PREFERRED /* Prefer as source address */
#define IPIF_TEMPORARY IFF_TEMPORARY /* RFC3041 */
-#define IPIF_FIXEDMTU IFF_FIXEDMTU /* set with SIOCSLIFMTU */
#define IPIF_DUPLICATE IFF_DUPLICATE /* address is in use */
#ifdef DEBUG
@@ -135,6 +134,12 @@ extern "C" {
#define ILL_MAC_PERIM_HELD(ill)
#endif
+/*
+ * match flags for ipif_lookup_addr_common* functions
+ */
+#define IPIF_MATCH_ILLGRP 0x00000001
+#define IPIF_MATCH_NONDUP 0x00000002
+
/* for ipif_resolver_up */
enum ip_resolver_action {
Res_act_initial, /* initial address establishment */
@@ -143,134 +148,144 @@ enum ip_resolver_action {
Res_act_none /* do nothing */
};
-extern mblk_t *ill_arp_alloc(ill_t *, const uchar_t *, caddr_t);
-extern mblk_t *ipif_area_alloc(ipif_t *, uint_t);
-extern mblk_t *ipif_ared_alloc(ipif_t *);
-extern mblk_t *ill_ared_alloc(ill_t *, ipaddr_t);
-extern mblk_t *ill_arie_alloc(ill_t *, const char *, const void *);
-extern boolean_t ill_dlpi_pending(ill_t *, t_uscalar_t);
+extern int ill_add_ires(ill_t *);
+extern void ill_delete_ires(ill_t *);
extern void ill_dlpi_done(ill_t *, t_uscalar_t);
+extern boolean_t ill_dlpi_pending(ill_t *, t_uscalar_t);
+extern void ill_dlpi_dispatch(ill_t *, mblk_t *);
extern void ill_dlpi_send(ill_t *, mblk_t *);
extern void ill_dlpi_send_deferred(ill_t *);
+extern void ill_dlpi_queue(ill_t *, mblk_t *);
+extern void ill_dlpi_send_queued(ill_t *);
+extern void ill_mcast_queue(ill_t *, mblk_t *);
+extern void ill_mcast_send_queued(ill_t *);
+extern void ill_mcast_timer_start(ip_stack_t *);
extern void ill_capability_done(ill_t *);
extern mblk_t *ill_dlur_gen(uchar_t *, uint_t, t_uscalar_t, t_scalar_t);
/* NOTE: Keep unmodified ill_lookup_on_ifindex for ipp for now */
-extern ill_t *ill_lookup_on_ifindex_global_instance(uint_t, boolean_t,
- queue_t *, mblk_t *, ipsq_func_t, int *);
-extern ill_t *ill_lookup_on_ifindex(uint_t, boolean_t, queue_t *, mblk_t *,
- ipsq_func_t, int *, ip_stack_t *);
-extern ill_t *ill_lookup_on_name(char *, boolean_t,
- boolean_t, queue_t *, mblk_t *, ipsq_func_t, int *, boolean_t *,
+extern ill_t *ill_lookup_on_ifindex_global_instance(uint_t, boolean_t);
+extern ill_t *ill_lookup_on_ifindex(uint_t, boolean_t, ip_stack_t *);
+extern ill_t *ill_lookup_on_ifindex_zoneid(uint_t, zoneid_t, boolean_t,
ip_stack_t *);
+extern ill_t *ill_lookup_on_name(char *, boolean_t,
+ boolean_t, boolean_t *, ip_stack_t *);
+extern boolean_t ip_ifindex_valid(uint_t, boolean_t, ip_stack_t *);
extern uint_t ill_get_next_ifindex(uint_t, boolean_t, ip_stack_t *);
extern uint_t ill_get_ifindex_by_name(char *, ip_stack_t *);
-extern void ill_grp_cache_delete(ire_t *, char *);
-extern void ill_ipif_cache_delete(ire_t *, char *);
-extern void ill_stq_cache_delete(ire_t *, char *);
+extern uint_t ill_get_upper_ifindex(const ill_t *);
extern void ill_delete(ill_t *);
extern void ill_delete_tail(ill_t *);
extern int ill_dl_phys(ill_t *, ipif_t *, mblk_t *, queue_t *);
-extern int ill_dls_info(struct sockaddr_dl *, const ipif_t *);
+extern int ill_dls_info(struct sockaddr_dl *, const ill_t *);
extern void ill_fastpath_ack(ill_t *, mblk_t *);
-extern void ill_fastpath_nack(ill_t *);
extern int ill_fastpath_probe(ill_t *, mblk_t *);
-extern void ill_fastpath_flush(ill_t *);
extern int ill_forward_set(ill_t *, boolean_t);
extern void ill_frag_prune(ill_t *, uint_t);
extern void ill_frag_free_pkts(ill_t *, ipfb_t *, ipf_t *, int);
extern time_t ill_frag_timeout(ill_t *, time_t);
extern int ill_init(queue_t *, ill_t *);
-extern void ill_refresh_bcast(ill_t *);
extern void ill_restart_dad(ill_t *, boolean_t);
extern void ill_setdefaulttoken(ill_t *);
extern void ill_setdesttoken(ill_t *);
+extern void ill_set_inputfn(ill_t *);
+extern void ill_set_inputfn_all(ip_stack_t *);
extern int ill_set_phys_addr(ill_t *, mblk_t *);
extern int ill_replumb(ill_t *, mblk_t *);
extern void ill_set_ndmp(ill_t *, mblk_t *, uint_t, uint_t);
-extern mblk_t *ill_pending_mp_get(ill_t *, conn_t **, uint_t);
-extern boolean_t ill_pending_mp_add(ill_t *, conn_t *, mblk_t *);
extern boolean_t ill_is_freeable(ill_t *ill);
extern void ill_refhold(ill_t *);
extern void ill_refhold_locked(ill_t *);
-extern int ill_check_and_refhold(ill_t *);
+extern boolean_t ill_check_and_refhold(ill_t *);
extern void ill_refrele(ill_t *);
extern boolean_t ill_waiter_inc(ill_t *);
extern void ill_waiter_dcr(ill_t *);
extern void ill_trace_ref(ill_t *);
extern void ill_untrace_ref(ill_t *);
+extern void ill_downi(ire_t *, char *);
+extern void ill_downi_if_clone(ire_t *, char *);
extern boolean_t ill_down_start(queue_t *, mblk_t *);
+extern ill_t *ill_lookup_group_v4(ipaddr_t, zoneid_t,
+ ip_stack_t *, boolean_t *, ipaddr_t *);
extern ill_t *ill_lookup_group_v6(const in6_addr_t *, zoneid_t,
- ip_stack_t *);
+ ip_stack_t *, boolean_t *, in6_addr_t *);
extern void ill_capability_ack(ill_t *, mblk_t *);
extern void ill_capability_probe(ill_t *);
extern void ill_capability_reset(ill_t *, boolean_t);
extern void ill_taskq_dispatch(ip_stack_t *);
-extern void ill_mtu_change(ire_t *, char *);
+extern void ill_get_name(const ill_t *, char *, int);
+extern void ill_group_cleanup(ill_t *);
extern int ill_up_ipifs(ill_t *, queue_t *, mblk_t *);
+extern void ip_update_source_selection(ip_stack_t *);
extern uint_t ill_appaddr_cnt(const ill_t *);
extern uint_t ill_ptpaddr_cnt(const ill_t *);
+extern uint_t ill_admupaddr_cnt(const ill_t *);
+
+extern ill_t *ill_lookup_multicast(ip_stack_t *, zoneid_t, boolean_t);
+extern void ill_save_ire(ill_t *, ire_t *);
+extern void ill_remove_saved_ire(ill_t *, ire_t *);
+extern int ill_recover_saved_ire(ill_t *);
extern void ip_interface_cleanup(ip_stack_t *);
extern void ipif_get_name(const ipif_t *, char *, int);
extern ipif_t *ipif_getby_indexes(uint_t, uint_t, boolean_t, ip_stack_t *);
extern void ipif_init(ip_stack_t *);
-extern ipif_t *ipif_lookup_addr(ipaddr_t, ill_t *, zoneid_t, queue_t *,
- mblk_t *, ipsq_func_t, int *, ip_stack_t *);
-extern boolean_t ip_addr_exists(ipaddr_t, zoneid_t, ip_stack_t *);
+extern ipif_t *ipif_lookup_addr(ipaddr_t, ill_t *, zoneid_t, ip_stack_t *);
+extern ipif_t *ipif_lookup_addr_exact(ipaddr_t, ill_t *, ip_stack_t *);
+extern ipif_t *ipif_lookup_addr_nondup(ipaddr_t, ill_t *, zoneid_t,
+ ip_stack_t *);
extern ipif_t *ipif_lookup_addr_v6(const in6_addr_t *, ill_t *, zoneid_t,
- queue_t *, mblk_t *, ipsq_func_t, int *, ip_stack_t *);
-extern boolean_t ip_addr_exists_v6(const in6_addr_t *, zoneid_t,
ip_stack_t *);
extern ipif_t *ipif_lookup_addr_exact_v6(const in6_addr_t *, ill_t *,
ip_stack_t *);
+extern ipif_t *ipif_lookup_addr_nondup_v6(const in6_addr_t *, ill_t *,
+ zoneid_t, ip_stack_t *);
extern zoneid_t ipif_lookup_addr_zoneid(ipaddr_t, ill_t *, ip_stack_t *);
extern zoneid_t ipif_lookup_addr_zoneid_v6(const in6_addr_t *, ill_t *,
ip_stack_t *);
-extern ipif_t *ipif_lookup_group(ipaddr_t, zoneid_t, ip_stack_t *);
-extern ipif_t *ipif_lookup_group_v6(const in6_addr_t *, zoneid_t,
- ip_stack_t *);
-extern ipif_t *ipif_lookup_interface(ipaddr_t, ipaddr_t,
- queue_t *, mblk_t *, ipsq_func_t, int *, ip_stack_t *);
-extern ipif_t *ipif_lookup_multicast(ip_stack_t *, zoneid_t, boolean_t);
+extern ipif_t *ipif_lookup_interface(ipaddr_t, ipaddr_t, ip_stack_t *);
extern ipif_t *ipif_lookup_remote(ill_t *, ipaddr_t, zoneid_t);
-extern ipif_t *ipif_lookup_onlink_addr(ipaddr_t, zoneid_t, ip_stack_t *);
-extern ipif_t *ipif_lookup_seqid(ill_t *, uint_t);
-extern boolean_t ipif_lookup_zoneid(ill_t *, zoneid_t, int, ipif_t **);
-extern ipif_t *ipif_select_source(ill_t *, ipaddr_t, zoneid_t);
-extern boolean_t ipif_usesrc_avail(ill_t *, zoneid_t);
+extern boolean_t ipif_lookup_testaddr_v6(ill_t *, const in6_addr_t *,
+ ipif_t **);
+extern boolean_t ipif_lookup_testaddr_v4(ill_t *, const in_addr_t *,
+ ipif_t **);
+extern ipif_t *ipif_select_source_v4(ill_t *, ipaddr_t, zoneid_t, boolean_t,
+ boolean_t *);
+extern boolean_t ipif_zone_avail(uint_t, boolean_t, zoneid_t, ip_stack_t *);
+extern ipif_t *ipif_good_addr(ill_t *, zoneid_t);
+extern int ip_select_source_v4(ill_t *, ipaddr_t, ipaddr_t, ipaddr_t,
+ zoneid_t, ip_stack_t *, ipaddr_t *, uint32_t *, uint64_t *);
extern void ipif_refhold(ipif_t *);
extern void ipif_refhold_locked(ipif_t *);
extern void ipif_refrele(ipif_t *);
extern void ipif_all_down_tail(ipsq_t *, queue_t *, mblk_t *, void *);
-extern void ipif_resolver_down(ipif_t *);
extern int ipif_resolver_up(ipif_t *, enum ip_resolver_action);
-extern int ipif_arp_setup_multicast(ipif_t *, mblk_t **);
extern int ipif_down(ipif_t *, queue_t *, mblk_t *);
-extern void ipif_down_tail(ipif_t *);
+extern int ipif_down_tail(ipif_t *);
extern void ipif_multicast_down(ipif_t *);
extern void ipif_multicast_up(ipif_t *);
extern void ipif_ndp_down(ipif_t *);
extern int ipif_ndp_up(ipif_t *, boolean_t);
-extern int ipif_ndp_setup_multicast(ipif_t *, struct nce_s **);
extern int ipif_up_done(ipif_t *);
extern int ipif_up_done_v6(ipif_t *);
extern void ipif_up_notify(ipif_t *);
-extern void ipif_update_other_ipifs_v6(ipif_t *);
-extern void ipif_recreate_interface_routes_v6(ipif_t *, ipif_t *);
-extern void ill_update_source_selection(ill_t *);
extern ipif_t *ipif_select_source_v6(ill_t *, const in6_addr_t *, boolean_t,
- uint32_t, zoneid_t);
+ uint32_t, zoneid_t, boolean_t, boolean_t *);
+extern int ip_select_source_v6(ill_t *, const in6_addr_t *,
+ const in6_addr_t *, zoneid_t, ip_stack_t *, uint_t, uint32_t, in6_addr_t *,
+ uint32_t *, uint64_t *);
extern boolean_t ipif_cant_setlinklocal(ipif_t *);
extern void ipif_setlinklocal(ipif_t *);
extern void ipif_setdestlinklocal(ipif_t *);
-extern ipif_t *ipif_lookup_on_ifindex(uint_t, boolean_t, zoneid_t, queue_t *,
- mblk_t *, ipsq_func_t, int *, ip_stack_t *);
+extern ipif_t *ipif_lookup_on_ifindex(uint_t, boolean_t, zoneid_t,
+ ip_stack_t *);
extern ipif_t *ipif_get_next_ipif(ipif_t *curr, ill_t *ill);
extern void ipif_ill_refrele_tail(ill_t *ill);
+extern void ipif_nce_down(ipif_t *ipif);
+extern int ipif_arp_down(ipif_t *ipif);
extern void ipif_mask_reply(ipif_t *);
extern int ipif_up(ipif_t *, queue_t *, mblk_t *);
@@ -290,7 +305,7 @@ extern void qwriter_ip(ill_t *, queue_t *, mblk_t *, ipsq_func_t, int,
boolean_t);
typedef int ip_extract_func_t(queue_t *, mblk_t *, const ip_ioctl_cmd_t *,
- cmd_info_t *, ipsq_func_t);
+ cmd_info_t *);
extern ip_extract_func_t ip_extract_arpreq, ip_extract_lifreq;
@@ -298,16 +313,14 @@ extern int ip_addr_availability_check(ipif_t *);
extern void ip_ll_subnet_defaults(ill_t *, mblk_t *);
extern int ip_rt_add(ipaddr_t, ipaddr_t, ipaddr_t, ipaddr_t, int,
- ipif_t *, ire_t **, boolean_t, queue_t *, mblk_t *, ipsq_func_t,
- struct rtsa_s *, ip_stack_t *);
+ ill_t *, ire_t **, boolean_t, struct rtsa_s *, ip_stack_t *, zoneid_t);
extern int ip_rt_add_v6(const in6_addr_t *, const in6_addr_t *,
- const in6_addr_t *, const in6_addr_t *, int, ipif_t *, ire_t **,
- queue_t *, mblk_t *, ipsq_func_t, struct rtsa_s *, ip_stack_t *ipst);
+ const in6_addr_t *, const in6_addr_t *, int, ill_t *, ire_t **,
+ struct rtsa_s *, ip_stack_t *, zoneid_t);
extern int ip_rt_delete(ipaddr_t, ipaddr_t, ipaddr_t, uint_t, int,
- ipif_t *, boolean_t, queue_t *, mblk_t *, ipsq_func_t, ip_stack_t *);
+ ill_t *, boolean_t, ip_stack_t *, zoneid_t);
extern int ip_rt_delete_v6(const in6_addr_t *, const in6_addr_t *,
- const in6_addr_t *, uint_t, int, ipif_t *, queue_t *, mblk_t *,
- ipsq_func_t, ip_stack_t *);
+ const in6_addr_t *, uint_t, int, ill_t *, ip_stack_t *, zoneid_t);
extern int ip_siocdelndp_v6(ipif_t *, sin_t *, queue_t *, mblk_t *,
ip_ioctl_cmd_t *, void *);
extern int ip_siocqueryndp_v6(ipif_t *, sin_t *, queue_t *, mblk_t *,
@@ -454,11 +467,12 @@ extern int ip_sioctl_get_lifsrcof(ipif_t *, sin_t *, queue_t *,
extern void ip_sioctl_copyin_resume(ipsq_t *, queue_t *, mblk_t *, void *);
extern void ip_sioctl_copyin_setup(queue_t *, mblk_t *);
-extern void ip_sioctl_iocack(ipsq_t *, queue_t *, mblk_t *, void *);
extern ip_ioctl_cmd_t *ip_sioctl_lookup(int);
-
-extern void conn_delete_ire(conn_t *, caddr_t);
-extern boolean_t phyint_exists(uint_t, ip_stack_t *);
+extern void ipif_delete_ires_v4(ipif_t *);
+extern void ipif_delete_ires_v6(ipif_t *);
+extern int ipif_arp_up(ipif_t *, enum ip_resolver_action, boolean_t);
+extern void ipif_dup_recovery(void *);
+extern void ipif_do_recovery(ipif_t *);
/*
* Notes on reference tracing on ill, ipif, ire, nce data structures:
diff --git a/usr/src/uts/common/inet/ip_impl.h b/usr/src/uts/common/inet/ip_impl.h
index 5f9d674e17..694f7a63b0 100644
--- a/usr/src/uts/common/inet/ip_impl.h
+++ b/usr/src/uts/common/inet/ip_impl.h
@@ -50,10 +50,12 @@ extern "C" {
#define IP_HDR_CSUM_TTL_ADJUST 256
#define IP_TCP_CSUM_COMP IPPROTO_TCP
#define IP_UDP_CSUM_COMP IPPROTO_UDP
+#define IP_ICMPV6_CSUM_COMP IPPROTO_ICMPV6
#else
#define IP_HDR_CSUM_TTL_ADJUST 1
#define IP_TCP_CSUM_COMP (IPPROTO_TCP << 8)
#define IP_UDP_CSUM_COMP (IPPROTO_UDP << 8)
+#define IP_ICMPV6_CSUM_COMP (IPPROTO_ICMPV6 << 8)
#endif
#define TCP_CHECKSUM_OFFSET 16
@@ -62,240 +64,20 @@ extern "C" {
#define UDP_CHECKSUM_OFFSET 6
#define UDP_CHECKSUM_SIZE 2
+#define ICMPV6_CHECKSUM_OFFSET 2
+#define ICMPV6_CHECKSUM_SIZE 2
+
#define IPH_TCPH_CHECKSUMP(ipha, hlen) \
((uint16_t *)(((uchar_t *)(ipha)) + ((hlen) + TCP_CHECKSUM_OFFSET)))
#define IPH_UDPH_CHECKSUMP(ipha, hlen) \
((uint16_t *)(((uchar_t *)(ipha)) + ((hlen) + UDP_CHECKSUM_OFFSET)))
+#define IPH_ICMPV6_CHECKSUMP(ipha, hlen) \
+ ((uint16_t *)(((uchar_t *)(ipha)) + ((hlen) + ICMPV6_CHECKSUM_OFFSET)))
+
#define ILL_HCKSUM_CAPABLE(ill) \
(((ill)->ill_capabilities & ILL_CAPAB_HCKSUM) != 0)
-/*
- * Macro that performs software checksum calculation on the IP header.
- */
-#define IP_HDR_CKSUM(ipha, sum, v_hlen_tos_len, ttl_protocol) { \
- (sum) += (ttl_protocol) + (ipha)->ipha_ident + \
- ((v_hlen_tos_len) >> 16) + \
- ((v_hlen_tos_len) & 0xFFFF) + \
- (ipha)->ipha_fragment_offset_and_flags; \
- (sum) = (((sum) & 0xFFFF) + ((sum) >> 16)); \
- (sum) = ~((sum) + ((sum) >> 16)); \
- (ipha)->ipha_hdr_checksum = (uint16_t)(sum); \
-}
-
-#define IS_IP_HDR_HWCKSUM(ipsec, mp, ill) \
- ((!ipsec) && (DB_CKSUMFLAGS(mp) & HCK_IPV4_HDRCKSUM) && \
- ILL_HCKSUM_CAPABLE(ill) && dohwcksum)
-
-/*
- * This macro acts as a wrapper around IP_CKSUM_XMIT_FAST, and it performs
- * several checks on the IRE and ILL (among other things) in order to see
- * whether or not hardware checksum offload is allowed for the outgoing
- * packet. It assumes that the caller has held a reference to the IRE.
- */
-#define IP_CKSUM_XMIT(ill, ire, mp, ihp, up, proto, start, end, \
- max_frag, ipsec_len, pseudo) { \
- uint32_t _hck_flags; \
- /* \
- * We offload checksum calculation to hardware when IPsec isn't \
- * present and if fragmentation isn't required. We also check \
- * if M_DATA fastpath is safe to be used on the corresponding \
- * IRE; this check is performed without grabbing ire_lock but \
- * instead by holding a reference to it. This is sufficient \
- * for IRE_CACHE; for IRE_BROADCAST on non-Ethernet links, the \
- * DL_NOTE_FASTPATH_FLUSH indication could come up from the \
- * driver and trigger the IRE (hence fp_mp) deletion. This is \
- * why only IRE_CACHE type is eligible for offload. \
- * \
- * The presense of IP options also forces the network stack to \
- * calculate the checksum in software. This is because: \
- * \
- * Wrap around: certain partial-checksum NICs (eri, ce) limit \
- * the size of "start offset" width to 6-bit. This effectively \
- * sets the largest value of the offset to 64-bytes, starting \
- * from the MAC header. When the cumulative MAC and IP headers \
- * exceed such limit, the offset will wrap around. This causes \
- * the checksum to be calculated at the wrong place. \
- * \
- * IPv4 source routing: none of the full-checksum capable NICs \
- * is capable of correctly handling the IPv4 source-routing \
- * option for purposes of calculating the pseudo-header; the \
- * actual destination is different from the destination in the \
- * header which is that of the next-hop. (This case may not be \
- * true for NICs which can parse IPv6 extension headers, but \
- * we choose to simplify the implementation by not offloading \
- * checksum when they are present.) \
- * \
- */ \
- if ((ill) != NULL && ILL_HCKSUM_CAPABLE(ill) && \
- !((ire)->ire_flags & RTF_MULTIRT) && \
- (!((ire)->ire_type & IRE_BROADCAST) || \
- (ill)->ill_type == IFT_ETHER) && \
- (ipsec_len) == 0 && \
- (((ire)->ire_ipversion == IPV4_VERSION && \
- (start) == IP_SIMPLE_HDR_LENGTH && \
- ((ire)->ire_nce != NULL && \
- (ire)->ire_nce->nce_fp_mp != NULL && \
- MBLKHEAD(mp) >= MBLKL((ire)->ire_nce->nce_fp_mp))) || \
- ((ire)->ire_ipversion == IPV6_VERSION && \
- (start) == IPV6_HDR_LEN && \
- (ire)->ire_nce->nce_fp_mp != NULL && \
- MBLKHEAD(mp) >= MBLKL((ire)->ire_nce->nce_fp_mp))) && \
- (max_frag) >= (uint_t)((end) + (ipsec_len)) && \
- dohwcksum) { \
- _hck_flags = (ill)->ill_hcksum_capab->ill_hcksum_txflags; \
- } else { \
- _hck_flags = 0; \
- } \
- IP_CKSUM_XMIT_FAST((ire)->ire_ipversion, _hck_flags, mp, ihp, \
- up, proto, start, end, pseudo); \
-}
-
-/*
- * Based on the device capabilities, this macro either marks an outgoing
- * packet with hardware checksum offload information or calculate the
- * checksum in software. If the latter is performed, the checksum field
- * of the dblk is cleared; otherwise it will be non-zero and contain the
- * necessary flag(s) for the driver.
- */
-#define IP_CKSUM_XMIT_FAST(ipver, hck_flags, mp, ihp, up, proto, start, \
- end, pseudo) { \
- uint32_t _sum; \
- /* \
- * Underlying interface supports hardware checksum offload for \
- * the payload; leave the payload checksum for the hardware to \
- * calculate. N.B: We only need to set up checksum info on the \
- * first mblk. \
- */ \
- DB_CKSUMFLAGS(mp) = 0; \
- if (((ipver) == IPV4_VERSION && \
- ((hck_flags) & HCKSUM_INET_FULL_V4)) || \
- ((ipver) == IPV6_VERSION && \
- ((hck_flags) & HCKSUM_INET_FULL_V6))) { \
- /* \
- * Hardware calculates pseudo-header, header and the \
- * payload checksums, so clear the checksum field in \
- * the protocol header. \
- */ \
- *(up) = 0; \
- DB_CKSUMFLAGS(mp) |= HCK_FULLCKSUM; \
- } else if ((hck_flags) & HCKSUM_INET_PARTIAL) { \
- /* \
- * Partial checksum offload has been enabled. Fill \
- * the checksum field in the protocl header with the \
- * pseudo-header checksum value. \
- */ \
- _sum = ((proto) == IPPROTO_UDP) ? \
- IP_UDP_CSUM_COMP : IP_TCP_CSUM_COMP; \
- _sum += *(up) + (pseudo); \
- _sum = (_sum & 0xFFFF) + (_sum >> 16); \
- *(up) = (_sum & 0xFFFF) + (_sum >> 16); \
- /* \
- * Offsets are relative to beginning of IP header. \
- */ \
- DB_CKSUMSTART(mp) = (start); \
- DB_CKSUMSTUFF(mp) = ((proto) == IPPROTO_UDP) ? \
- (start) + UDP_CHECKSUM_OFFSET : \
- (start) + TCP_CHECKSUM_OFFSET; \
- DB_CKSUMEND(mp) = (end); \
- DB_CKSUMFLAGS(mp) |= HCK_PARTIALCKSUM; \
- } else { \
- /* \
- * Software checksumming. \
- */ \
- _sum = ((proto) == IPPROTO_UDP) ? \
- IP_UDP_CSUM_COMP : IP_TCP_CSUM_COMP; \
- _sum += (pseudo); \
- _sum = IP_CSUM(mp, start, _sum); \
- *(up) = (uint16_t)(((proto) == IPPROTO_UDP) ? \
- (_sum ? _sum : ~_sum) : _sum); \
- } \
- /* \
- * Hardware supports IP header checksum offload; clear the \
- * contents of IP header checksum field as expected by NIC. \
- * Do this only if we offloaded either full or partial sum. \
- */ \
- if ((ipver) == IPV4_VERSION && DB_CKSUMFLAGS(mp) != 0 && \
- ((hck_flags) & HCKSUM_IPHDRCKSUM)) { \
- DB_CKSUMFLAGS(mp) |= HCK_IPV4_HDRCKSUM; \
- ((ipha_t *)(ihp))->ipha_hdr_checksum = 0; \
- } \
-}
-
-/*
- * Macro to inspect the checksum of a fully-reassembled incoming datagram.
- */
-#define IP_CKSUM_RECV_REASS(hck_flags, off, pseudo, sum, err) { \
- (err) = B_FALSE; \
- if ((hck_flags) & HCK_FULLCKSUM) { \
- /* \
- * The sum of all fragment checksums should \
- * result in -0 (0xFFFF) or otherwise invalid. \
- */ \
- if ((sum) != 0xFFFF) \
- (err) = B_TRUE; \
- } else if ((hck_flags) & HCK_PARTIALCKSUM) { \
- (sum) += (pseudo); \
- (sum) = ((sum) & 0xFFFF) + ((sum) >> 16); \
- (sum) = ((sum) & 0xFFFF) + ((sum) >> 16); \
- if (~(sum) & 0xFFFF) \
- (err) = B_TRUE; \
- } else if (((sum) = IP_CSUM(mp, off, pseudo)) != 0) { \
- (err) = B_TRUE; \
- } \
-}
-
-/*
- * This macro inspects an incoming packet to see if the checksum value
- * contained in it is valid; if the hardware has provided the information,
- * the value is verified, otherwise it performs software checksumming.
- * The checksum value is returned to caller.
- */
-#define IP_CKSUM_RECV(hck_flags, sum, cksum_start, ulph_off, mp, mp1, err) { \
- int32_t _len; \
- \
- (err) = B_FALSE; \
- if ((hck_flags) & HCK_FULLCKSUM) { \
- /* \
- * Full checksum has been computed by the hardware \
- * and has been attached. If the driver wants us to \
- * verify the correctness of the attached value, in \
- * order to protect against faulty hardware, compare \
- * it against -0 (0xFFFF) to see if it's valid. \
- */ \
- (sum) = DB_CKSUM16(mp); \
- if (!((hck_flags) & HCK_FULLCKSUM_OK) && (sum) != 0xFFFF) \
- (err) = B_TRUE; \
- } else if (((hck_flags) & HCK_PARTIALCKSUM) && \
- ((mp1) == NULL || (mp1)->b_cont == NULL) && \
- (ulph_off) >= DB_CKSUMSTART(mp) && \
- ((_len = (ulph_off) - DB_CKSUMSTART(mp)) & 1) == 0) { \
- uint32_t _adj; \
- /* \
- * Partial checksum has been calculated by hardware \
- * and attached to the packet; in addition, any \
- * prepended extraneous data is even byte aligned, \
- * and there are at most two mblks associated with \
- * the packet. If any such data exists, we adjust \
- * the checksum; also take care any postpended data. \
- */ \
- IP_ADJCKSUM_PARTIAL(cksum_start, mp, mp1, _len, _adj); \
- /* \
- * One's complement subtract extraneous checksum \
- */ \
- (sum) += DB_CKSUM16(mp); \
- if (_adj >= (sum)) \
- (sum) = ~(_adj - (sum)) & 0xFFFF; \
- else \
- (sum) -= _adj; \
- (sum) = ((sum) & 0xFFFF) + ((int)(sum) >> 16); \
- (sum) = ((sum) & 0xFFFF) + ((int)(sum) >> 16); \
- if (~(sum) & 0xFFFF) \
- (err) = B_TRUE; \
- } else if (((sum) = IP_CSUM(mp, ulph_off, sum)) != 0) { \
- (err) = B_TRUE; \
- } \
-}
/*
* Macro to adjust a given checksum value depending on any prepended
@@ -338,98 +120,37 @@ extern "C" {
} \
}
-#define ILL_MDT_CAPABLE(ill) \
- (((ill)->ill_capabilities & ILL_CAPAB_MDT) != 0)
-
-/*
- * ioctl identifier and structure for Multidata Transmit update
- * private M_CTL communication from IP to ULP.
- */
-#define MDT_IOC_INFO_UPDATE (('M' << 8) + 1020)
-
-typedef struct ip_mdt_info_s {
- uint_t mdt_info_id; /* MDT_IOC_INFO_UPDATE */
- ill_mdt_capab_t mdt_capab; /* ILL MDT capabilities */
-} ip_mdt_info_t;
+#define IS_SIMPLE_IPH(ipha) \
+ ((ipha)->ipha_version_and_hdr_length == IP_SIMPLE_HDR_VERSION)
/*
- * Macro that determines whether or not a given ILL is allowed for MDT.
+ * Currently supported flags for LSO.
*/
-#define ILL_MDT_USABLE(ill) \
- (ILL_MDT_CAPABLE(ill) && \
- ill->ill_mdt_capab != NULL && \
- ill->ill_mdt_capab->ill_mdt_version == MDT_VERSION_2 && \
- ill->ill_mdt_capab->ill_mdt_on != 0)
+#define LSO_BASIC_TCP_IPV4 DLD_LSO_BASIC_TCP_IPV4
+#define LSO_BASIC_TCP_IPV6 DLD_LSO_BASIC_TCP_IPV6
-#define ILL_LSO_CAPABLE(ill) \
- (((ill)->ill_capabilities & ILL_CAPAB_DLD_LSO) != 0)
+#define ILL_LSO_CAPABLE(ill) \
+ (((ill)->ill_capabilities & ILL_CAPAB_LSO) != 0)
-/*
- * ioctl identifier and structure for Large Segment Offload
- * private M_CTL communication from IP to ULP.
- */
-#define LSO_IOC_INFO_UPDATE (('L' << 24) + ('S' << 16) + ('O' << 8))
-
-typedef struct ip_lso_info_s {
- uint_t lso_info_id; /* LSO_IOC_INFO_UPDATE */
- ill_lso_capab_t lso_capab; /* ILL LSO capabilities */
-} ip_lso_info_t;
-
-/*
- * Macro that determines whether or not a given ILL is allowed for LSO.
- */
#define ILL_LSO_USABLE(ill) \
(ILL_LSO_CAPABLE(ill) && \
- ill->ill_lso_capab != NULL && \
- ill->ill_lso_capab->ill_lso_on != 0)
+ ill->ill_lso_capab != NULL)
-#define ILL_LSO_TCP_USABLE(ill) \
+#define ILL_LSO_TCP_IPV4_USABLE(ill) \
(ILL_LSO_USABLE(ill) && \
- ill->ill_lso_capab->ill_lso_flags & DLD_LSO_TX_BASIC_TCP_IPV4)
+ ill->ill_lso_capab->ill_lso_flags & LSO_BASIC_TCP_IPV4)
-/*
- * Macro that determines whether or not a given CONN may be considered
- * for fast path prior to proceeding further with LSO or Multidata.
- */
-#define CONN_IS_LSO_MD_FASTPATH(connp) \
- ((connp)->conn_dontroute == 0 && /* SO_DONTROUTE */ \
- !((connp)->conn_nexthop_set) && /* IP_NEXTHOP */ \
- (connp)->conn_outgoing_ill == NULL) /* IP{V6}_BOUND_IF */
-
-/* Definitions for fragmenting IP packets using MDT. */
-
-/*
- * Smaller and private version of pdescinfo_t used specifically for IP,
- * which allows for only a single payload span per packet.
- */
-typedef struct ip_pdescinfo_s PDESCINFO_STRUCT(2) ip_pdescinfo_t;
+#define ILL_LSO_TCP_IPV6_USABLE(ill) \
+ (ILL_LSO_USABLE(ill) && \
+ ill->ill_lso_capab->ill_lso_flags & LSO_BASIC_TCP_IPV6)
-/*
- * Macro version of ip_can_frag_mdt() which avoids the function call if we
- * only examine a single message block.
- */
-#define IP_CAN_FRAG_MDT(mp, hdr_len, len) \
- (((mp)->b_cont == NULL) ? \
- (MBLKL(mp) >= ((hdr_len) + ip_wput_frag_mdt_min)) : \
- ip_can_frag_mdt((mp), (hdr_len), (len)))
+#define ILL_ZCOPY_CAPABLE(ill) \
+ (((ill)->ill_capabilities & ILL_CAPAB_ZEROCOPY) != 0)
-/*
- * Macro that determines whether or not a given IPC requires
- * outbound IPSEC processing.
- */
-#define CONN_IPSEC_OUT_ENCAPSULATED(connp) \
- ((connp)->conn_out_enforce_policy || \
- ((connp)->conn_latch != NULL && \
- (connp)->conn_latch->ipl_out_policy != NULL))
+#define ILL_ZCOPY_USABLE(ill) \
+ (ILL_ZCOPY_CAPABLE(ill) && (ill->ill_zerocopy_capab != NULL) && \
+ (ill->ill_zerocopy_capab->ill_zerocopy_flags != 0))
-/*
- * Macro that checks whether or not a particular UDP conn is
- * flow-controlling on the read-side.
- *
- * Note that this check is done after the conn is found in
- * the UDP fanout table.
- */
-#define CONN_UDP_FLOWCTLD(connp) !canputnext((connp)->conn_rq)
/* Macro that follows definitions of flags for mac_tx() (see mac_client.h) */
#define IP_DROP_ON_NO_DESC 0x01 /* Equivalent to MAC_DROP_ON_NO_DESC */
@@ -437,74 +158,7 @@ typedef struct ip_pdescinfo_s PDESCINFO_STRUCT(2) ip_pdescinfo_t;
#define ILL_DIRECT_CAPABLE(ill) \
(((ill)->ill_capabilities & ILL_CAPAB_DLD_DIRECT) != 0)
-#define ILL_SEND_TX(ill, ire, hint, mp, flag, connp) { \
- if (ILL_DIRECT_CAPABLE(ill) && DB_TYPE(mp) == M_DATA) { \
- ill_dld_direct_t *idd; \
- uintptr_t cookie; \
- conn_t *udp_connp = (conn_t *)connp; \
- \
- idd = &(ill)->ill_dld_capab->idc_direct; \
- /* \
- * Send the packet directly to DLD, where it \
- * may be queued depending on the availability \
- * of transmit resources at the media layer. \
- * Ignore the returned value for the time being \
- * In future, we may want to take this into \
- * account and flow control the TCP. \
- */ \
- cookie = idd->idd_tx_df(idd->idd_tx_dh, mp, \
- (uintptr_t)(hint), flag); \
- \
- /* \
- * non-NULL cookie indicates flow control situation \
- * and the cookie itself identifies this specific \
- * Tx ring that is blocked. This cookie is used to \
- * block the UDP conn that is sending packets over \
- * this specific Tx ring. \
- */ \
- if ((cookie != NULL) && (udp_connp != NULL) && \
- (udp_connp->conn_ulp == IPPROTO_UDP)) { \
- idl_tx_list_t *idl_txl; \
- ip_stack_t *ipst; \
- \
- /* \
- * Flow controlled. \
- */ \
- DTRACE_PROBE2(ill__send__tx__cookie, \
- uintptr_t, cookie, conn_t *, udp_connp); \
- ipst = udp_connp->conn_netstack->netstack_ip; \
- idl_txl = \
- &ipst->ips_idl_tx_list[IDLHASHINDEX(cookie)];\
- mutex_enter(&idl_txl->txl_lock); \
- if (udp_connp->conn_direct_blocked || \
- (idd->idd_tx_fctl_df(idd->idd_tx_fctl_dh, \
- cookie) == 0)) { \
- DTRACE_PROBE1(ill__tx__not__blocked, \
- boolean, \
- udp_connp->conn_direct_blocked); \
- } else if (idl_txl->txl_cookie != NULL && \
- idl_txl->txl_cookie != cookie) { \
- udp_t *udp = udp_connp->conn_udp; \
- udp_stack_t *us = udp->udp_us; \
- \
- DTRACE_PROBE2(ill__send__tx__collision, \
- uintptr_t, cookie, \
- uintptr_t, idl_txl->txl_cookie); \
- UDP_STAT(us, udp_cookie_coll); \
- } else { \
- udp_connp->conn_direct_blocked = B_TRUE;\
- idl_txl->txl_cookie = cookie; \
- conn_drain_insert(udp_connp, idl_txl); \
- DTRACE_PROBE1(ill__send__tx__insert, \
- conn_t *, udp_connp); \
- } \
- mutex_exit(&idl_txl->txl_lock); \
- } \
- } else { \
- putnext((ire)->ire_stq, mp); \
- } \
-}
-
+/* This macro is used by the mac layer */
#define MBLK_RX_FANOUT_SLOWPATH(mp, ipha) \
(DB_TYPE(mp) != M_DATA || DB_REF(mp) != 1 || !OK_32PTR(ipha) || \
(((uchar_t *)ipha + IP_SIMPLE_HDR_LENGTH) >= (mp)->b_wptr))
@@ -520,13 +174,11 @@ typedef struct ip_pdescinfo_s PDESCINFO_STRUCT(2) ip_pdescinfo_t;
netstackid_to_zoneid((ipst)->ips_netstack->netstack_stackid) : \
(zoneid))
-extern int ip_wput_frag_mdt_min;
-extern boolean_t ip_can_frag_mdt(mblk_t *, ssize_t, ssize_t);
-extern mblk_t *ip_prepend_zoneid(mblk_t *, zoneid_t, ip_stack_t *);
extern void ill_flow_enable(void *, ip_mac_tx_cookie_t);
-extern zoneid_t ip_get_zoneid_v4(ipaddr_t, mblk_t *, ip_stack_t *, zoneid_t);
+extern zoneid_t ip_get_zoneid_v4(ipaddr_t, mblk_t *, ip_recv_attr_t *,
+ zoneid_t);
extern zoneid_t ip_get_zoneid_v6(in6_addr_t *, mblk_t *, const ill_t *,
- ip_stack_t *, zoneid_t);
+ ip_recv_attr_t *, zoneid_t);
/*
* flag passed in by IP based protocols to get a private ip stream with
@@ -542,8 +194,6 @@ extern zoneid_t ip_get_zoneid_v6(in6_addr_t *, mblk_t *, const ill_t *,
#define DEV_IP "/devices/pseudo/ip@0:ip"
#define DEV_IP6 "/devices/pseudo/ip6@0:ip6"
-extern struct kmem_cache *ip_helper_stream_cache;
-
#endif /* _KERNEL */
#ifdef __cplusplus
diff --git a/usr/src/uts/common/inet/ip_ire.h b/usr/src/uts/common/inet/ip_ire.h
index f4882f7640..d4dfd9c97e 100644
--- a/usr/src/uts/common/inet/ip_ire.h
+++ b/usr/src/uts/common/inet/ip_ire.h
@@ -68,106 +68,26 @@ extern "C" {
((addr).s6_addr8[14] & (mask).s6_addr8[14]) ^ \
((addr).s6_addr8[15] & (mask).s6_addr8[15])) & ((table_size) - 1))
+#define IRE_HIDDEN_TYPE(ire_type) ((ire_type) & \
+ (IRE_HOST | IRE_PREFIX | IRE_DEFAULT | IRE_IF_ALL | IRE_BROADCAST))
+
/*
* match parameter definitions for IRE lookup routines.
*/
#define MATCH_IRE_DSTONLY 0x0000 /* Match just the address */
#define MATCH_IRE_TYPE 0x0001 /* Match IRE type */
-#define MATCH_IRE_SRC 0x0002 /* Match IRE source address */
-#define MATCH_IRE_MASK 0x0004 /* Match IRE mask */
-#define MATCH_IRE_WQ 0x0008 /* Match IRE ire_stq to write queue */
-#define MATCH_IRE_GW 0x0010 /* Match IRE gateway */
-#define MATCH_IRE_IPIF 0x0020 /* Match IRE ipif */
-#define MATCH_IRE_RECURSIVE 0x0040 /* Do recursive lookup if necessary */
-#define MATCH_IRE_DEFAULT 0x0080 /* Return default route if no route */
- /* found. */
-#define MATCH_IRE_RJ_BHOLE 0x0100 /* During lookup if we hit an ire */
- /* with RTF_REJECT or RTF_BLACKHOLE, */
- /* return the ire. No recursive */
- /* lookup should be done. */
-#define MATCH_IRE_IHANDLE 0x0200 /* Match IRE on ihandle */
-#define MATCH_IRE_MARK_TESTHIDDEN 0x0400 /* Match IRE_MARK_TESTHIDDEN IREs */
-
-/*
- * MATCH_IRE_PARENT is used whenever we unconditionally want to get the
- * parent IRE (sire) while recursively searching IREs for an offsubnet
- * destination. With this flag, even if no IRE_CACHETABLE or IRE_INTERFACE
- * is found to help resolving IRE_OFFSUBNET in lookup routines, the
- * IRE_OFFSUBNET sire, if any, is returned to the caller.
- */
-/* UNUSED 0x0800 */
-#define MATCH_IRE_ILL 0x1000 /* Match IRE on the ill */
-
-#define MATCH_IRE_PARENT 0x2000 /* Match parent ire, if any, */
- /* even if ire is not matched. */
-#define MATCH_IRE_ZONEONLY 0x4000 /* Match IREs in specified zone, ie */
+#define MATCH_IRE_MASK 0x0002 /* Match IRE mask */
+#define MATCH_IRE_SHORTERMASK 0x0004 /* A mask shorter than the argument */
+#define MATCH_IRE_GW 0x0008 /* Match IRE gateway */
+#define MATCH_IRE_ILL 0x0010 /* Match IRE on the ill */
+#define MATCH_IRE_ZONEONLY 0x0020 /* Match IREs in specified zone, ie */
/* don't match IRE_LOCALs from other */
/* zones or shared IREs */
-#define MATCH_IRE_MARK_PRIVATE_ADDR 0x8000 /* Match IRE ire_marks with */
- /* IRE_MARK_PRIVATE_ADDR. */
-#define MATCH_IRE_SECATTR 0x10000 /* Match gateway security attributes */
-#define MATCH_IRE_COMPLETE 0x20000 /* ire_ftable_lookup() can return */
- /* IRE_CACHE entry only if it is */
- /* ND_REACHABLE */
+#define MATCH_IRE_SECATTR 0x0040 /* Match gateway security attributes */
+#define MATCH_IRE_TESTHIDDEN 0x0080 /* Match ire_testhidden IREs */
-/*
- * Any ire to nce association is long term, and
- * the refhold and refrele may be done by different
- * threads. So all cases of making or breaking ire to
- * nce association should all effectively use the NOTR variants.
- * To understand the *effectively* part read on.
- *
- * ndp_lookup() and ndp_add_v4()/ndp_add_v6() implicitly do
- * NCE_REFHOLD. So wherever we make ire to nce association after
- * calling these functions, we effectively want to end up with
- * NCE_REFHOLD_NOTR. We call this macro to achieve this effect. This
- * macro changes a NCE_REFHOLD to a NCE_REFHOLD_NOTR. The macro's
- * NCE_REFRELE cancels off ndp_lookup[ndp_add]'s implicit NCE_REFHOLD,
- * and what you are left with is a NCE_REFHOLD_NOTR
- */
-#define NCE_REFHOLD_TO_REFHOLD_NOTR(nce) { \
- NCE_REFHOLD_NOTR(nce); \
- NCE_REFRELE(nce); \
-}
-
-/*
- * find the next ire_t entry in the ire_next chain starting at ire
- * that is not CONDEMNED. ire is set to NULL if we reach the end of the list.
- * Caller must hold the ire_bucket lock.
- */
+#define MAX_IRE_RECURSION 4 /* Max IREs in ire_route_recursive */
-#define IRE_FIND_NEXT_ORIGIN(ire) { \
- while ((ire) != NULL && ((ire)->ire_marks & IRE_MARK_CONDEMNED))\
- (ire) = (ire)->ire_next; \
-}
-
-
-/* Structure for ire_cache_count() */
-typedef struct {
- int icc_total; /* Total number of IRE_CACHE */
- int icc_unused; /* # off/no PMTU unused since last reclaim */
- int icc_offlink; /* # offlink without PMTU information */
- int icc_pmtu; /* # offlink with PMTU information */
- int icc_onlink; /* # onlink */
-} ire_cache_count_t;
-
-/*
- * Structure for ire_cache_reclaim(). Each field is a fraction i.e. 1 meaning
- * reclaim all, N meaning reclaim 1/Nth of all entries, 0 meaning reclaim none.
- *
- * The comment below (and for other netstack_t references) refers
- * to the fact that we only do netstack_hold in particular cases,
- * such as the references from open streams (ill_t and conn_t's
- * pointers). Internally within IP we rely on IP's ability to cleanup e.g.
- * ire_t's when an ill goes away.
- */
-typedef struct {
- int icr_unused; /* Fraction for unused since last reclaim */
- int icr_offlink; /* Fraction for offlink without PMTU info */
- int icr_pmtu; /* Fraction for offlink with PMTU info */
- int icr_onlink; /* Fraction for onlink */
- ip_stack_t *icr_ipst; /* Does not have a netstack_hold */
-} ire_cache_reclaim_t;
/*
* We use atomics so that we get an accurate accounting on the ires.
@@ -176,180 +96,250 @@ typedef struct {
#define BUMP_IRE_STATS(ire_stats, x) atomic_add_64(&(ire_stats).x, 1)
#ifdef _KERNEL
-/*
- * Structure for passing args for the IRE cache lookup functions.
- */
-typedef struct ire_ctable_args_s {
- void *ict_addr;
- void *ict_gateway;
- int ict_type;
- const ipif_t *ict_ipif;
- zoneid_t ict_zoneid;
- const ts_label_t *ict_tsl;
- int ict_flags;
- ip_stack_t *ict_ipst;
- queue_t *ict_wq;
-} ire_ctable_args_t;
-
struct ts_label_s;
struct nce_s;
+/*
+ * structure for passing args between ire_ftable_lookup and ire_find_best_route
+ */
+typedef struct ire_ftable_args_s {
+ in6_addr_t ift_addr_v6;
+ in6_addr_t ift_mask_v6;
+ in6_addr_t ift_gateway_v6;
+#define ift_addr V4_PART_OF_V6(ift_addr_v6)
+#define ift_mask V4_PART_OF_V6(ift_mask_v6)
+#define ift_gateway V4_PART_OF_V6(ift_gateway_v6)
+ int ift_type;
+ const ill_t *ift_ill;
+ zoneid_t ift_zoneid;
+ const ts_label_t *ift_tsl;
+ int ift_flags;
+ ire_t *ift_best_ire;
+} ire_ftable_args_t;
extern ipaddr_t ip_plen_to_mask(uint_t);
extern in6_addr_t *ip_plen_to_mask_v6(uint_t, in6_addr_t *);
extern int ip_ire_advise(queue_t *, mblk_t *, cred_t *);
extern int ip_ire_delete(queue_t *, mblk_t *, cred_t *);
-extern boolean_t ip_ire_clookup_and_delete(ipaddr_t, ipif_t *, ip_stack_t *);
-extern void ip_ire_clookup_and_delete_v6(const in6_addr_t *,
- ip_stack_t *);
-
-extern void ip_ire_req(queue_t *, mblk_t *);
+extern void ip_ire_reclaim(void *);
extern int ip_mask_to_plen(ipaddr_t);
extern int ip_mask_to_plen_v6(const in6_addr_t *);
-extern ire_t *ipif_to_ire(const ipif_t *);
-extern ire_t *ipif_to_ire_v6(const ipif_t *);
-
-extern int ire_add(ire_t **, queue_t *, mblk_t *, ipsq_func_t, boolean_t);
-extern void ire_add_then_send(queue_t *, ire_t *, mblk_t *);
-extern int ire_add_v6(ire_t **, queue_t *, mblk_t *, ipsq_func_t);
-extern int ire_atomic_start(irb_t *irb_ptr, ire_t *ire, queue_t *q,
- mblk_t *mp, ipsq_func_t func);
+extern ire_t *ire_add(ire_t *);
+extern ire_t *ire_add_v6(ire_t *);
+extern int ire_atomic_start(irb_t *irb_ptr, ire_t *ire);
extern void ire_atomic_end(irb_t *irb_ptr, ire_t *ire);
-extern void ire_cache_count(ire_t *, char *);
-extern ire_t *ire_cache_lookup(ipaddr_t, zoneid_t,
- const struct ts_label_s *, ip_stack_t *);
-extern ire_t *ire_cache_lookup_simple(ipaddr_t, ip_stack_t *);
-extern ire_t *ire_cache_lookup_v6(const in6_addr_t *, zoneid_t,
- const struct ts_label_s *, ip_stack_t *);
-extern void ire_cache_reclaim(ire_t *, char *);
-
-extern ire_t *ire_create_mp(uchar_t *, uchar_t *, uchar_t *, uchar_t *,
- uint_t, struct nce_s *, queue_t *, queue_t *, ushort_t, ipif_t *, ipaddr_t,
- uint32_t, uint32_t, uint32_t, const iulp_t *, tsol_gc_t *, tsol_gcgrp_t *,
- ip_stack_t *);
-extern ire_t *ire_create(uchar_t *, uchar_t *, uchar_t *, uchar_t *,
- uint_t *, struct nce_s *, queue_t *, queue_t *, ushort_t, ipif_t *,
- ipaddr_t, uint32_t, uint32_t, uint32_t, const iulp_t *, tsol_gc_t *,
- tsol_gcgrp_t *, ip_stack_t *);
-
-extern ire_t **ire_check_and_create_bcast(ipif_t *, ipaddr_t,
- ire_t **, int);
-extern ire_t **ire_create_bcast(ipif_t *, ipaddr_t, ire_t **);
-extern ire_t *ire_init(ire_t *, uchar_t *, uchar_t *, uchar_t *, uchar_t *,
- uint_t *, struct nce_s *, queue_t *, queue_t *, ushort_t, ipif_t *,
- ipaddr_t, uint32_t, uint32_t, uint32_t, const iulp_t *, tsol_gc_t *,
- tsol_gcgrp_t *, ip_stack_t *);
-
-extern boolean_t ire_init_common(ire_t *, uint_t *, struct nce_s *, queue_t *,
- queue_t *, ushort_t, ipif_t *, uint32_t, uint32_t, uint32_t, uchar_t,
- const iulp_t *, tsol_gc_t *, tsol_gcgrp_t *, ip_stack_t *);
-
-extern ire_t *ire_create_v6(const in6_addr_t *, const in6_addr_t *,
- const in6_addr_t *, const in6_addr_t *, uint_t *, struct nce_s *, queue_t *,
- queue_t *, ushort_t, ipif_t *,
- const in6_addr_t *, uint32_t, uint32_t, uint_t, const iulp_t *,
- tsol_gc_t *, tsol_gcgrp_t *, ip_stack_t *);
-
-extern ire_t *ire_create_mp_v6(const in6_addr_t *, const in6_addr_t *,
- const in6_addr_t *, const in6_addr_t *, struct nce_s *, queue_t *,
- queue_t *, ushort_t, ipif_t *,
- const in6_addr_t *, uint32_t, uint32_t, uint_t, const iulp_t *,
- tsol_gc_t *, tsol_gcgrp_t *, ip_stack_t *);
-
+extern ire_t *ire_create(uchar_t *, uchar_t *, uchar_t *,
+ ushort_t, ill_t *, zoneid_t, uint_t, tsol_gc_t *, ip_stack_t *);
-extern void ire_clookup_delete_cache_gw(ipaddr_t, zoneid_t,
- ip_stack_t *);
-extern void ire_clookup_delete_cache_gw_v6(const in6_addr_t *, zoneid_t,
+extern ire_t **ire_create_bcast(ill_t *, ipaddr_t, zoneid_t, ire_t **);
+extern ire_t *ire_create_if_clone(ire_t *, const in6_addr_t *, uint_t *);
+extern ire_t *ire_lookup_bcast(ill_t *, ipaddr_t, zoneid_t);
+extern int ire_init_v4(ire_t *, uchar_t *, uchar_t *, uchar_t *,
+ ushort_t, ill_t *, zoneid_t, uint_t, tsol_gc_t *, ip_stack_t *);
+extern int ire_init_v6(ire_t *, const in6_addr_t *, const in6_addr_t *,
+ const in6_addr_t *, ushort_t, ill_t *, zoneid_t, uint_t, tsol_gc_t *,
ip_stack_t *);
-extern ire_t *ire_ctable_lookup(ipaddr_t, ipaddr_t, int, const ipif_t *,
- zoneid_t, const struct ts_label_s *, int, ip_stack_t *);
+extern int ire_init_common(ire_t *, ushort_t, ill_t *, zoneid_t, uint_t,
+ uchar_t, tsol_gc_t *, ip_stack_t *);
-extern ire_t *ire_ctable_lookup_v6(const in6_addr_t *, const in6_addr_t *,
- int, const ipif_t *, zoneid_t, const struct ts_label_s *, int,
- ip_stack_t *);
+extern ire_t *ire_create_v6(const in6_addr_t *, const in6_addr_t *,
+ const in6_addr_t *, ushort_t, ill_t *, zoneid_t, uint_t,
+ tsol_gc_t *, ip_stack_t *);
extern void ire_delete(ire_t *);
-extern void ire_delete_cache_gw(ire_t *, char *);
-extern void ire_delete_cache_gw_v6(ire_t *, char *);
-extern void ire_delete_cache_v6(ire_t *, char *);
extern void ire_delete_v6(ire_t *);
-extern void ire_expire(ire_t *, char *);
+/*
+ * ire_pref used to make sure we don't set up routing loops in the ire_dep
+ * chain.
+ */
+extern int ire_pref(ire_t *);
+extern boolean_t ire_dep_build(ire_t *[], uint_t [], uint_t);
+extern void ire_dep_delete_if_clone(ire_t *);
+extern void ire_dep_incr_generation(ire_t *);
+extern void ire_dep_remove(ire_t *);
+extern void ire_dep_unbuild(ire_t *[], uint_t);
+extern uint_t ire_dep_validate_generations(ire_t *);
+extern void ire_dep_invalidate_generations(ire_t *);
+extern boolean_t ire_determine_nce_capable(ire_t *);
extern void ire_flush_cache_v4(ire_t *, int);
extern void ire_flush_cache_v6(ire_t *, int);
+extern ire_t *ire_ftable_lookup_v4(ipaddr_t, ipaddr_t, ipaddr_t, int,
+ const ill_t *, zoneid_t, const struct ts_label_s *, int, uint32_t,
+ ip_stack_t *, uint_t *);
extern ire_t *ire_ftable_lookup_v6(const in6_addr_t *, const in6_addr_t *,
- const in6_addr_t *, int, const ipif_t *, ire_t **, zoneid_t,
- uint32_t, const struct ts_label_s *, int, ip_stack_t *);
-
-extern ire_t *ire_ihandle_lookup_onlink(ire_t *);
-extern ire_t *ire_ihandle_lookup_offlink(ire_t *, ire_t *);
-extern ire_t *ire_ihandle_lookup_offlink_v6(ire_t *, ire_t *);
-
-extern boolean_t ire_local_same_lan(ire_t *, ire_t *);
-extern boolean_t ire_local_ok_across_zones(ire_t *, zoneid_t, void *,
- const struct ts_label_s *, ip_stack_t *);
-
-extern ire_t *ire_lookup_local(zoneid_t, ip_stack_t *);
-extern ire_t *ire_lookup_local_v6(zoneid_t, ip_stack_t *);
-
-extern ire_t *ire_lookup_multi(ipaddr_t, zoneid_t, ip_stack_t *);
-extern ire_t *ire_lookup_multi_v6(const in6_addr_t *, zoneid_t,
- ip_stack_t *);
-
+ const in6_addr_t *, int, const ill_t *, zoneid_t,
+ const struct ts_label_s *, int, uint32_t, ip_stack_t *, uint_t *);
+
+extern ire_t *ire_ftable_lookup_simple_v4(ipaddr_t, uint32_t, ip_stack_t *,
+ uint_t *);
+extern ire_t *ire_ftable_lookup_simple_v6(const in6_addr_t *, uint32_t,
+ ip_stack_t *, uint_t *);
+
+extern boolean_t ire_gateway_ok_zone_v4(ipaddr_t, zoneid_t, ill_t *,
+ const ts_label_t *, ip_stack_t *, boolean_t);
+extern boolean_t ire_gateway_ok_zone_v6(const in6_addr_t *, zoneid_t, ill_t *,
+ const ts_label_t *, ip_stack_t *, boolean_t);
+
+extern ire_t *ire_alt_local(ire_t *, zoneid_t, const ts_label_t *,
+ const ill_t *, uint_t *);
+
+extern ill_t *ire_lookup_multi_ill_v4(ipaddr_t, zoneid_t, ip_stack_t *,
+ boolean_t *, ipaddr_t *);
+extern ill_t *ire_lookup_multi_ill_v6(const in6_addr_t *, zoneid_t,
+ ip_stack_t *, boolean_t *, in6_addr_t *);
+
+extern ire_t *ire_nexthop(ire_t *);
+extern ill_t *ire_nexthop_ill(ire_t *);
+extern ill_t *ire_nce_ill(ire_t *);
+
+extern ire_t *ire_reject(ip_stack_t *, boolean_t);
+extern ire_t *ire_blackhole(ip_stack_t *, boolean_t);
+extern ire_t *ire_multicast(ill_t *);
+
+/* The different ire_recvfn functions */
+extern void ire_recv_forward_v4(ire_t *, mblk_t *, void *,
+ ip_recv_attr_t *);
+extern void ire_recv_noroute_v4(ire_t *, mblk_t *, void *,
+ ip_recv_attr_t *);
+extern void ire_recv_broadcast_v4(ire_t *, mblk_t *, void *,
+ ip_recv_attr_t *);
+extern void ire_recv_multicast_v4(ire_t *, mblk_t *, void *,
+ ip_recv_attr_t *);
+extern void ire_recv_multirt_v4(ire_t *, mblk_t *, void *,
+ ip_recv_attr_t *);
+extern void ire_recv_loopback_v4(ire_t *, mblk_t *, void *,
+ ip_recv_attr_t *);
+extern void ire_recv_local_v4(ire_t *, mblk_t *, void *,
+ ip_recv_attr_t *);
+extern void ire_recv_noaccept_v4(ire_t *, mblk_t *, void *,
+ ip_recv_attr_t *);
+
+extern void ire_recv_forward_v6(ire_t *, mblk_t *, void *,
+ ip_recv_attr_t *);
+extern void ire_recv_noroute_v6(ire_t *, mblk_t *, void *,
+ ip_recv_attr_t *);
+extern void ire_recv_multicast_v6(ire_t *, mblk_t *, void *,
+ ip_recv_attr_t *);
+extern void ire_recv_multirt_v6(ire_t *, mblk_t *, void *,
+ ip_recv_attr_t *);
+extern void ire_recv_loopback_v6(ire_t *, mblk_t *, void *,
+ ip_recv_attr_t *);
+extern void ire_recv_local_v6(ire_t *, mblk_t *, void *, ip_recv_attr_t *);
+extern void ire_recv_noaccept_v6(ire_t *, mblk_t *, void *,
+ ip_recv_attr_t *);
+
+extern void irb_refhold(irb_t *);
+extern void irb_refhold_locked(irb_t *);
+extern void irb_refrele(irb_t *);
+extern void irb_increment_generation(irb_t *);
+
+extern void ire_refhold(ire_t *);
+extern void ire_refhold_notr(ire_t *);
+extern void ire_refhold_locked(ire_t *);
extern void ire_refrele(ire_t *);
extern void ire_refrele_notr(ire_t *);
-extern ire_t *ire_route_lookup(ipaddr_t, ipaddr_t, ipaddr_t, int,
- const ipif_t *, ire_t **, zoneid_t, const struct ts_label_s *, int,
- ip_stack_t *);
-
-extern ire_t *ire_route_lookup_v6(const in6_addr_t *, const in6_addr_t *,
- const in6_addr_t *, int, const ipif_t *, ire_t **, zoneid_t,
- const struct ts_label_s *, int, ip_stack_t *);
-
-extern ill_t *ire_to_ill(const ire_t *);
+extern void ire_make_condemned(ire_t *);
+extern boolean_t ire_no_good(ire_t *);
+extern nce_t *ire_handle_condemned_nce(nce_t *, ire_t *, ipha_t *, ip6_t *,
+ boolean_t);
+
+extern ire_t *ire_round_robin(irb_t *, ire_ftable_args_t *, uint_t,
+ ire_t *, ip_stack_t *);
+
+extern ire_t *ire_route_recursive_v4(ipaddr_t, uint_t, const ill_t *,
+ zoneid_t, const ts_label_t *, uint_t, boolean_t, uint32_t, ip_stack_t *,
+ ipaddr_t *, tsol_ire_gw_secattr_t **, uint_t *);
+extern ire_t *ire_route_recursive_v6(const in6_addr_t *, uint_t,
+ const ill_t *, zoneid_t, const ts_label_t *, uint_t, boolean_t, uint32_t,
+ ip_stack_t *, in6_addr_t *, tsol_ire_gw_secattr_t **, uint_t *);
+extern ire_t *ire_route_recursive_dstonly_v4(ipaddr_t, boolean_t,
+ uint32_t, ip_stack_t *);
+extern ire_t *ire_route_recursive_dstonly_v6(const in6_addr_t *, boolean_t,
+ uint32_t, ip_stack_t *);
+extern ire_t *ire_route_recursive_impl_v4(ire_t *ire, ipaddr_t, uint_t,
+ const ill_t *, zoneid_t, const ts_label_t *, uint_t, boolean_t, uint32_t,
+ ip_stack_t *, ipaddr_t *, tsol_ire_gw_secattr_t **, uint_t *);
+extern ire_t *ire_route_recursive_impl_v6(ire_t *ire, const in6_addr_t *,
+ uint_t, const ill_t *, zoneid_t, const ts_label_t *, uint_t, boolean_t,
+ uint32_t, ip_stack_t *, in6_addr_t *, tsol_ire_gw_secattr_t **, uint_t *);
+
+/* The different ire_sendfn functions */
+extern int ire_send_local_v4(ire_t *, mblk_t *, void *,
+ ip_xmit_attr_t *, uint32_t *);
+extern int ire_send_multirt_v4(ire_t *, mblk_t *, void *,
+ ip_xmit_attr_t *, uint32_t *);
+extern int ire_send_noroute_v4(ire_t *, mblk_t *, void *,
+ ip_xmit_attr_t *, uint32_t *);
+extern int ire_send_multicast_v4(ire_t *, mblk_t *, void *,
+ ip_xmit_attr_t *, uint32_t *);
+extern int ire_send_broadcast_v4(ire_t *, mblk_t *, void *,
+ ip_xmit_attr_t *, uint32_t *);
+extern int ire_send_wire_v4(ire_t *, mblk_t *, void *,
+ ip_xmit_attr_t *, uint32_t *);
+extern int ire_send_local_v6(ire_t *, mblk_t *, void *,
+ ip_xmit_attr_t *, uint32_t *);
+extern int ire_send_multirt_v6(ire_t *, mblk_t *, void *,
+ ip_xmit_attr_t *, uint32_t *);
+extern int ire_send_noroute_v6(ire_t *, mblk_t *, void *,
+ ip_xmit_attr_t *, uint32_t *);
+extern int ire_send_multicast_v6(ire_t *, mblk_t *, void *,
+ ip_xmit_attr_t *, uint32_t *);
+extern int ire_send_wire_v6(ire_t *, mblk_t *, void *,
+ ip_xmit_attr_t *, uint32_t *);
+
+extern nce_t *ire_to_nce_pkt(ire_t *, mblk_t *);
+extern nce_t *ire_to_nce(ire_t *, ipaddr_t, const in6_addr_t *);
+
+/* Different ire_postfragfn functions */
+extern int ip_xmit(mblk_t *, struct nce_s *,
+ iaflags_t, uint_t, uint32_t, zoneid_t, zoneid_t, uintptr_t *);
+extern int ip_postfrag_loopcheck(mblk_t *, struct nce_s *,
+ iaflags_t, uint_t, uint32_t, zoneid_t, zoneid_t, uintptr_t *);
+extern int ip_postfrag_multirt_v4(mblk_t *, struct nce_s *,
+ iaflags_t, uint_t, uint32_t, zoneid_t, zoneid_t, uintptr_t *);
+extern int ip_postfrag_multirt_v6(mblk_t *, struct nce_s *,
+ iaflags_t, uint_t, uint32_t, zoneid_t, zoneid_t, uintptr_t *);
+
+extern void ip_postfrag_loopback(mblk_t *, struct nce_s *,
+ iaflags_t, uint_t, zoneid_t);
+extern int ire_revalidate_nce(ire_t *);
+
+extern ire_t *ip_select_route_pkt(mblk_t *, ip_xmit_attr_t *,
+ uint_t *, int *, boolean_t *);
+extern ire_t *ip_select_route(const in6_addr_t *, ip_xmit_attr_t *,
+ uint_t *, in6_addr_t *, int *, boolean_t *);
+extern ire_t *ip_select_route_v4(ipaddr_t, ip_xmit_attr_t *,
+ uint_t *, ipaddr_t *, int *, boolean_t *);
+extern ire_t *ip_select_route_v6(const in6_addr_t *, ip_xmit_attr_t *,
+ uint_t *, in6_addr_t *, int *, boolean_t *);
extern void ire_walk(pfv_t, void *, ip_stack_t *);
extern void ire_walk_ill(uint_t, uint_t, pfv_t, void *, ill_t *);
-extern void ire_walk_ill_v4(uint_t, uint_t, pfv_t, void *, ill_t *);
-extern void ire_walk_ill_v6(uint_t, uint_t, pfv_t, void *, ill_t *);
extern void ire_walk_v4(pfv_t, void *, zoneid_t, ip_stack_t *);
extern void ire_walk_ill_tables(uint_t match_flags, uint_t ire_type,
pfv_t func, void *arg, size_t ftbl_sz, size_t htbl_sz,
- irb_t **ipftbl, size_t ctbl_sz, irb_t *ipctbl, ill_t *ill,
+ irb_t **ipftbl, ill_t *ill,
zoneid_t zoneid, ip_stack_t *);
extern void ire_walk_v6(pfv_t, void *, zoneid_t, ip_stack_t *);
-extern boolean_t ire_multirt_lookup(ire_t **, ire_t **, uint32_t, int *,
- const struct ts_label_s *, ip_stack_t *);
-extern boolean_t ire_multirt_need_resolve(ipaddr_t,
- const struct ts_label_s *, ip_stack_t *);
-extern boolean_t ire_multirt_lookup_v6(ire_t **, ire_t **, uint32_t,
- const struct ts_label_s *, ip_stack_t *);
-extern boolean_t ire_multirt_need_resolve_v6(const in6_addr_t *,
- const struct ts_label_s *, ip_stack_t *);
-
-extern ire_t *ipif_lookup_multi_ire(ipif_t *, ipaddr_t);
-extern ire_t *ipif_lookup_multi_ire_v6(ipif_t *, const in6_addr_t *);
-
-extern ire_t *ire_get_next_bcast_ire(ire_t *, ire_t *);
-extern ire_t *ire_get_next_default_ire(ire_t *, ire_t *);
-
-extern void ire_arpresolve(ire_t *);
-extern void ire_freemblk(ire_t *);
extern boolean_t ire_match_args(ire_t *, ipaddr_t, ipaddr_t, ipaddr_t,
- int, const ipif_t *, zoneid_t, uint32_t, const struct ts_label_s *, int,
- queue_t *);
-extern int ire_nce_init(ire_t *, struct nce_s *);
+ int, const ill_t *, zoneid_t, const struct ts_label_s *, int);
+extern boolean_t ire_match_args_v6(ire_t *, const in6_addr_t *,
+ const in6_addr_t *, const in6_addr_t *, int, const ill_t *, zoneid_t,
+ const ts_label_t *, int);
+
+extern struct nce_s *arp_nce_init(ill_t *, in_addr_t, int);
extern boolean_t ire_walk_ill_match(uint_t, uint_t, ire_t *, ill_t *,
zoneid_t, ip_stack_t *);
-extern ire_t *ire_arpresolve_lookup(ipaddr_t, ipaddr_t, ipif_t *, zoneid_t,
- ip_stack_t *, queue_t *);
+extern void ire_increment_generation(ire_t *);
+extern void ire_increment_multicast_generation(ip_stack_t *, boolean_t);
#endif /* _KERNEL */
diff --git a/usr/src/uts/common/inet/ip_multi.h b/usr/src/uts/common/inet/ip_multi.h
index 7dee133967..c41ef99e3e 100644
--- a/usr/src/uts/common/inet/ip_multi.h
+++ b/usr/src/uts/common/inet/ip_multi.h
@@ -49,18 +49,9 @@ typedef enum {
} ilg_stat_t;
/*
- * Flags shared via ips_mrt_flags, used by mcast_restart_timers_thread().
- */
-typedef enum {
- IP_MRT_STOP = 0x1, /* request to stop thread */
- IP_MRT_DONE = 0x2, /* indication that thread is stopped */
- IP_MRT_RUN = 0x4 /* request to restart timers */
-} ip_mrt_flags_t;
-
-/*
* Extern functions
*/
-extern mblk_t *igmp_input(queue_t *, mblk_t *, ill_t *);
+extern mblk_t *igmp_input(mblk_t *, ip_recv_attr_t *);
extern void igmp_joingroup(ilm_t *);
extern void igmp_leavegroup(ilm_t *);
extern void igmp_slowtimo(void *);
@@ -73,85 +64,64 @@ extern void mld_statechange(ilm_t *, mcast_record_t, slist_t *);
extern void mld_slowtimo(void *);
extern void ilg_delete_all(conn_t *connp);
-extern ilg_t *ilg_lookup_ill_v6(conn_t *, const in6_addr_t *,
- ill_t *);
-extern ilg_t *ilg_lookup_ill_withsrc(conn_t *, ipaddr_t, ipaddr_t,
- ill_t *);
-extern ilg_t *ilg_lookup_ill_withsrc_v6(conn_t *, const in6_addr_t *,
- const in6_addr_t *, ill_t *);
+extern boolean_t conn_hasmembers_ill_withsrc_v4(conn_t *, ipaddr_t,
+ ipaddr_t, ill_t *);
+extern boolean_t conn_hasmembers_ill_withsrc_v6(conn_t *,
+ const in6_addr_t *, const in6_addr_t *, ill_t *);
extern void ill_leave_multicast(ill_t *);
extern void ill_recover_multicast(ill_t *);
-extern int ip_get_dlpi_mbcast(ill_t *, mblk_t *);
-
-extern void ilm_free(ipif_t *);
-extern ilm_t *ilm_lookup_ill(ill_t *, ipaddr_t, zoneid_t);
-extern ilm_t *ilm_lookup_ill_v6(ill_t *, const in6_addr_t *,
- boolean_t, zoneid_t);
-extern ilm_t *ilm_lookup_ipif(ipif_t *, ipaddr_t);
-
-extern int ilm_numentries_v6(ill_t *, const in6_addr_t *);
-extern int ilm_walk_ipif(ipif_t *);
-extern int ilm_walk_ill(ill_t *);
-extern void ilm_walker_cleanup(ill_t *);
-extern int ip_ll_send_disabmulti_req(ill_t *, const in6_addr_t *);
-extern int ip_ll_send_enabmulti_req(ill_t *, const in6_addr_t *);
-
-extern int ip_addmulti(ipaddr_t, ipif_t *, ilg_stat_t,
- mcast_record_t, slist_t *);
-extern int ip_addmulti_v6(const in6_addr_t *, ill_t *,
- zoneid_t, ilg_stat_t, mcast_record_t, slist_t *);
-extern int ip_delmulti(ipaddr_t, ipif_t *, boolean_t, boolean_t);
-extern int ip_delmulti_v6(const in6_addr_t *, ill_t *,
- zoneid_t, boolean_t, boolean_t);
+extern void ip_dlur_to_mhi(ill_t *, mblk_t *,
+ struct mac_header_info_s *);
+
+/* These make up the data path interface used by ip_output and ip_input */
+extern boolean_t ill_hasmembers_v4(ill_t *, ipaddr_t);
+extern boolean_t ill_hasmembers_v6(ill_t *, const in6_addr_t *);
+extern boolean_t ill_hasmembers_otherzones_v4(ill_t *, ipaddr_t,
+ zoneid_t);
+extern boolean_t ill_hasmembers_otherzones_v6(ill_t *,
+ const in6_addr_t *, zoneid_t);
+extern zoneid_t ill_hasmembers_nextzone_v4(ill_t *, ipaddr_t, zoneid_t);
+extern zoneid_t ill_hasmembers_nextzone_v6(ill_t *, const in6_addr_t *,
+ zoneid_t);
+
+extern ilm_t *ip_addmulti(const in6_addr_t *, ill_t *, zoneid_t,
+ int *);
+extern int ip_delmulti(ilm_t *);
+extern int ip_mforward(mblk_t *, ip_recv_attr_t *);
+extern void ip_mroute_decap(mblk_t *, ip_recv_attr_t *);
extern int ill_join_allmulti(ill_t *);
extern void ill_leave_allmulti(ill_t *);
extern int ip_join_allmulti(uint_t, boolean_t, ip_stack_t *);
extern int ip_leave_allmulti(uint_t, boolean_t, ip_stack_t *);
extern void ip_purge_allmulti(ill_t *);
-extern void ip_multicast_loopback(queue_t *, ill_t *, mblk_t *,
- int, zoneid_t);
-extern int ip_mforward(ill_t *, ipha_t *, mblk_t *);
-extern void ip_mroute_decap(queue_t *, mblk_t *, ill_t *);
extern int ip_mroute_mrt(mblk_t *, ip_stack_t *);
extern int ip_mroute_stats(mblk_t *, ip_stack_t *);
extern int ip_mroute_vif(mblk_t *, ip_stack_t *);
-extern int ip_mrouter_done(mblk_t *, ip_stack_t *);
-extern int ip_mrouter_get(int, queue_t *, uchar_t *);
-extern int ip_mrouter_set(int, queue_t *, int, uchar_t *, int,
- mblk_t *);
+extern int ip_mrouter_done(ip_stack_t *);
+extern int ip_mrouter_get(int, conn_t *, uchar_t *);
+extern int ip_mrouter_set(int, conn_t *, int, uchar_t *, int);
extern void ip_mrouter_stack_init(ip_stack_t *);
extern void ip_mrouter_stack_destroy(ip_stack_t *);
-extern int ip_opt_add_group(conn_t *, boolean_t, ipaddr_t,
- ipaddr_t, uint_t *, mcast_record_t, ipaddr_t, mblk_t *);
-extern int ip_opt_delete_group(conn_t *, boolean_t, ipaddr_t,
- ipaddr_t, uint_t *, mcast_record_t, ipaddr_t, mblk_t *);
-extern int ip_opt_add_group_v6(conn_t *, boolean_t,
- const in6_addr_t *, int, mcast_record_t, const in6_addr_t *, mblk_t *);
-extern int ip_opt_delete_group_v6(conn_t *, boolean_t,
- const in6_addr_t *, int, mcast_record_t, const in6_addr_t *, mblk_t *);
+extern int ip_opt_add_group(conn_t *, boolean_t,
+ const in6_addr_t *, ipaddr_t, uint_t, mcast_record_t, const in6_addr_t *);
+extern int ip_opt_delete_group(conn_t *, boolean_t,
+ const in6_addr_t *, ipaddr_t, uint_t, mcast_record_t, const in6_addr_t *);
extern int mrt_ioctl(ipif_t *, sin_t *, queue_t *, mblk_t *,
ip_ioctl_cmd_t *, void *);
extern int ip_sioctl_msfilter(ipif_t *, sin_t *, queue_t *,
mblk_t *, ip_ioctl_cmd_t *, void *);
-extern int ip_extract_msfilter(queue_t *, mblk_t *,
- const ip_ioctl_cmd_t *, cmd_info_t *, ipsq_func_t);
extern int ip_copyin_msfilter(queue_t *, mblk_t *);
-extern void ip_wput_ctl(queue_t *, mblk_t *);
-
-extern int pim_input(queue_t *, mblk_t *, ill_t *);
-extern void reset_conn_ipif(ipif_t *);
-extern void reset_conn_ill(ill_t *);
+extern mblk_t *pim_input(mblk_t *, ip_recv_attr_t *);
+extern void update_conn_ill(ill_t *, ip_stack_t *);
extern void reset_mrt_ill(ill_t *);
extern void reset_mrt_vif_ipif(ipif_t *);
-extern void mcast_restart_timers_thread(ip_stack_t *);
+extern void igmp_start_timers(unsigned, ip_stack_t *);
+extern void mld_start_timers(unsigned, ip_stack_t *);
extern void ilm_inactive(ilm_t *);
-extern ilm_t *ilm_walker_start(ilm_walker_t *, ill_t *);
-extern ilm_t *ilm_walker_step(ilm_walker_t *, ilm_t *);
-extern void ilm_walker_finish(ilm_walker_t *);
#endif /* _KERNEL */
diff --git a/usr/src/uts/common/inet/ip_ndp.h b/usr/src/uts/common/inet/ip_ndp.h
index c1a48b1f1a..21c907f3f3 100644
--- a/usr/src/uts/common/inet/ip_ndp.h
+++ b/usr/src/uts/common/inet/ip_ndp.h
@@ -35,7 +35,7 @@
/*
* Internal definitions for the kernel implementation of the IPv6
- * Neighbor Discovery Protocol (NDP).
+ * Neighbor Discovery Protocol (NDP) and Address Resolution Protocol (ARP).
*/
#ifdef __cplusplus
@@ -48,131 +48,149 @@ extern "C" {
* callbacks set up with ip2mac interface, waiting for result
* of neighbor resolution.
*/
-typedef struct nce_cb_s {
- list_node_t nce_cb_node;
- void *nce_cb_id;
- uint32_t nce_cb_flags;
- ip2mac_callback_t *nce_cb_func;
- void *nce_cb_arg;
-} nce_cb_t;
+typedef struct ncec_cb_s {
+ list_node_t ncec_cb_node; /* next entry in list */
+ void *ncec_cb_id;
+ uint32_t ncec_cb_flags;
+ ip2mac_callback_t *ncec_cb_func;
+ void *ncec_cb_arg;
+} ncec_cb_t;
#define NCE_CB_DISPATCHED 0x00000001
/*
- * NDP Cache Entry
+ * Core information tracking Neighbor Reachability is tracked in the
+ * ncec_s/ncec_t. The information contained in the ncec_t does not contain
+ * any link-specific details other than the pointer to the ill_t itself.
+ * The link-specific information is tracked in the nce_t structure.
*/
-typedef struct nce_s {
- struct nce_s *nce_next; /* Hash chain next pointer */
- struct nce_s **nce_ptpn; /* Pointer to previous next */
- struct ill_s *nce_ill; /* Associated ill */
- uint16_t nce_flags; /* See below */
- uint16_t nce_state; /* See reachability states in if.h */
- int16_t nce_pcnt; /* Probe counter */
- uint16_t nce_rcnt; /* Retransmit counter */
- in6_addr_t nce_addr; /* address of the nighbor */
- in6_addr_t nce_mask; /* If not all ones, mask allows an */
- /* entry to respond to requests for a group of addresses, for */
- /* instantance multicast addresses */
- in6_addr_t nce_extract_mask; /* For mappings */
- uint32_t nce_ll_extract_start; /* For mappings */
-#define nce_first_mp_to_free nce_fp_mp
- mblk_t *nce_fp_mp; /* link layer fast path mp */
- mblk_t *nce_res_mp; /* DL_UNITDATA_REQ */
- mblk_t *nce_qd_mp; /* Head outgoing queued packets */
-#define nce_last_mp_to_free nce_qd_mp
- mblk_t *nce_timer_mp; /* NDP timer mblk */
- mblk_t *nce_mp; /* mblk we are in, last to be freed */
- uint64_t nce_last; /* Time last reachable in msec */
- uint32_t nce_refcnt; /* nce active usage count */
- kmutex_t nce_lock; /* See comments on top for what */
+struct ncec_s {
+ struct ncec_s *ncec_next; /* Hash chain next pointer */
+ struct ncec_s **ncec_ptpn; /* Pointer to previous next */
+ struct ill_s *ncec_ill; /* Associated ill */
+ uint16_t ncec_flags; /* See below */
+ uint16_t ncec_state; /* See reachability states in if.h */
+ int16_t ncec_pcnt; /* Probe counter */
+ uint16_t ncec_rcnt; /* Retransmit counter */
+ in6_addr_t ncec_addr; /* address of the nighbor */
+ uchar_t *ncec_lladdr;
+ mblk_t *ncec_qd_mp; /* Head outgoing queued packets */
+ uint64_t ncec_last; /* Time last reachable in msec */
+ uint32_t ncec_refcnt; /* ncec active usage count */
+ kmutex_t ncec_lock; /* See comments on top for what */
/* this field protects */
- int nce_unsolicit_count; /* Unsolicited Adv count */
- struct nce_s *nce_fastpath; /* for fastpath list */
- timeout_id_t nce_timeout_id;
- uchar_t nce_ipversion; /* IPv4(ARP)/IPv6(NDP) version */
- uint_t nce_defense_count; /* number of NDP conflicts */
- uint_t nce_defense_time; /* last time defended (secs) */
- uint64_t nce_init_time; /* time when it was set to ND_INITIAL */
- boolean_t nce_trace_disable; /* True when alloc fails */
- list_t nce_cb;
- uint_t nce_cb_walker_cnt;
+ int ncec_unsolicit_count; /* Unsolicited Adv count */
+ timeout_id_t ncec_timeout_id;
+ uchar_t ncec_ipversion; /* IPv4(ARP)/IPv6(NDP) version */
+ uint_t ncec_defense_count; /* number of NDP conflicts */
+ uint_t ncec_last_time_defended; /* last time defended (secs) */
+ uint64_t ncec_init_time; /* time when it was set to ND_INITIAL */
+ boolean_t ncec_trace_disable; /* True when alloc fails */
+ /*
+ * interval to keep track of DAD probes.
+ */
+ clock_t ncec_xmit_interval;
+ ip_stack_t *ncec_ipst; /* Does not have a netstack_hold */
+ list_t ncec_cb; /* callbacks waiting for resolution */
+ uint_t ncec_cb_walker_cnt;
+ uint_t ncec_nprobes;
+ uint_t ncec_lladdr_length;
+};
+
+/*
+ * The nce_t list hangs off the ill_s and tracks information that depends
+ * on the underlying physical link. Thus when the ill goes down,
+ * the nce_t list has to be flushed. This is done as part of ill_delete()
+ *
+ * When the fastpath ack comes back in ill_fastpath_ack we call
+ * nce_fastpath_update to update the nce_t. We never actually
+ * flush the fastpath list, which is kept as an index into the
+ * ncec_t structures.
+ *
+ * when we ndp_delete, we remove the nce entries pointing
+ * at the dying ncec from the ill_fastpath_list chain.
+ *
+ */
+struct nce_s {
+ list_node_t nce_node;
+ ill_t *nce_ill;
+ boolean_t nce_is_condemned;
+ in6_addr_t nce_addr;
+ /*
+ * link-layer specific fields below
+ */
+ mblk_t *nce_dlur_mp; /* DL_UNITDATA_REQ mp */
+ mblk_t *nce_fp_mp; /* fast path mp */
+ struct ncec_s *nce_common;
+ kmutex_t nce_lock;
+ uint32_t nce_refcnt;
uint_t nce_ipif_cnt; /* number of ipifs with the nce_addr */
/* as their local address */
-} nce_t;
+};
/*
* The ndp_g_t structure contains protocol specific information needed
* to synchronize and manage neighbor cache entries for IPv4 and IPv6.
* There are 2 such structures, ips_ndp4 and ips_ndp6.
* ips_ndp6 contains the data structures needed for IPv6 Neighbor Discovery.
- * ips_ndp4 has IPv4 link layer info in its nce_t structures
- * Note that the nce_t is not currently used as the arp cache itself;
- * it is used for the following purposes:
- * - queue packets in nce_qd_mp while waiting for arp resolution to complete
- * - nce_{res, fp}_mp are used to track DL_UNITDATA request/responses.
- * - track state of ARP resolution in the nce_state;
+ * ips_ndp4 contains the data structures for IPv4 ARP.
*
* Locking notes:
* ndp_g_lock protects neighbor cache tables access and
- * insertion/removal of cache entries into/from these tables.
- * nce_lock protects nce_pcnt, nce_rcnt, nce_qd_mp nce_state, nce_res_mp,
- * nce_refcnt, nce_last, and nce_cb_walker_cnt.
- * nce_refcnt is incremented for every ire pointing to this nce and
- * every time ndp_lookup() finds an nce.
- * Should there be a need to obtain nce_lock and ndp_g_lock, ndp_g_lock is
+ * insertion/removal of cache entries into/from these tables. The ncec_lock
+ * and nce_lock protect fields in the ncec_t and nce_t structures.
+ * Should there be a need to obtain nce[c]_lock and ndp_g_lock, ndp_g_lock is
* acquired first.
- * To avoid becoming exclusive when deleting NCEs, ndp_walk() routine holds
- * the ndp_g_lock (i.e global lock) and marks NCEs to be deleted with
- * NCE_F_CONDEMNED. When all active users of such NCEs are gone the walk
- * routine passes a list for deletion to nce_ire_delete_list().
- *
- * When the link-layer address of some onlink host changes, ARP will send
- * an AR_CN_ANNOUNCE message to ip so that stale neighbor-cache
- * information will not get used. This message is processed in ip_arp_news()
- * by walking the nce list, and updating as appropriate. The ndp_g_hw_change
- * flag is set by ip_arp_news() to notify nce_t users that ip_arp_news() is
- * in progress.
*/
typedef struct ndp_g_s {
kmutex_t ndp_g_lock; /* Lock protecting cache hash table */
- nce_t *nce_mask_entries; /* mask not all ones */
- nce_t *nce_hash_tbl[NCE_TABLE_SIZE];
+ ncec_t *nce_hash_tbl[NCE_TABLE_SIZE];
int ndp_g_walker; /* # of active thread walking hash list */
boolean_t ndp_g_walker_cleanup; /* true implies defer deletion. */
- int ndp_g_hw_change; /* non-zero if nce flush in progress */
} ndp_g_t;
-#define NDP_HW_CHANGE_INCR(ndp) { \
- mutex_enter(&(ndp)->ndp_g_lock); \
- (ndp)->ndp_g_hw_change++; \
- mutex_exit(&(ndp)->ndp_g_lock); \
-}
-
-#define NDP_HW_CHANGE_DECR(ndp) { \
- mutex_enter(&(ndp)->ndp_g_lock); \
- (ndp)->ndp_g_hw_change--; \
- mutex_exit(&(ndp)->ndp_g_lock); \
-}
-
-/* nce_flags */
-#define NCE_F_PERMANENT 0x1
-#define NCE_F_MAPPING 0x2
+/* ncec_flags */
+#define NCE_F_MYADDR 0x1 /* ipif exists for the ncec_addr */
+#define NCE_F_UNVERIFIED 0x2 /* DAD in progress. */
#define NCE_F_ISROUTER 0x4
-/* unused 0x8 */
+#define NCE_F_FAST 0x8
+
+/*
+ * NCE_F_NONUD is used to disable IPv6 Neighbor Unreachability Detection or
+ * IPv4 aging and maps to the ATF_PERM flag for arp(1m)
+ */
#define NCE_F_NONUD 0x10
+
#define NCE_F_ANYCAST 0x20
#define NCE_F_CONDEMNED 0x40
#define NCE_F_UNSOL_ADV 0x80
#define NCE_F_BCAST 0x100
+#define NCE_F_MCAST 0x200
+
+/*
+ * NCE_F_PUBLISH is set for all ARP/ND entries that we announce. This
+ * includes locally configured addresses as well as those that we proxy for.
+ */
+#define NCE_F_PUBLISH 0x400
+
+/*
+ * NCE_F_AUTHORITY is set for any address that we have authoritatitve
+ * information for. This includes locally configured addresses as well
+ * as statically configured arp entries that are set up using the "permanent"
+ * option described in arp(1m). The NCE_F_AUTHORITY asserts that we would
+ * reject any updates for that nce's (host, link-layer-address) information
+ */
+#define NCE_F_AUTHORITY 0x800
-#define NCE_EXTERNAL_FLAGS_MASK \
- (NCE_F_PERMANENT | NCE_F_MAPPING | NCE_F_ISROUTER | NCE_F_NONUD | \
- NCE_F_ANYCAST | NCE_F_UNSOL_ADV)
+#define NCE_F_DELAYED 0x1000 /* rescheduled on dad_defend_rate */
+#define NCE_F_STATIC 0x2000
/* State REACHABLE, STALE, DELAY or PROBE */
-#define NCE_ISREACHABLE(nce) \
- (((((nce)->nce_state) >= ND_REACHABLE) && \
- ((nce)->nce_state) <= ND_PROBE))
+#define NCE_ISREACHABLE(ncec) \
+ (((((ncec)->ncec_state) >= ND_REACHABLE) && \
+ ((ncec)->ncec_state) <= ND_PROBE))
+
+#define NCE_ISCONDEMNED(ncec) ((ncec)->ncec_flags & NCE_F_CONDEMNED)
/* NDP flags set in SOL/ADV requests */
#define NDP_UNICAST 0x1
@@ -184,95 +202,14 @@ typedef struct ndp_g_s {
/* Number of packets queued in NDP for a neighbor */
#define ND_MAX_Q 4
-
-#ifdef DEBUG
-#define NCE_TRACE_REF(nce) nce_trace_ref(nce)
-#define NCE_UNTRACE_REF(nce) nce_untrace_ref(nce)
-#else
-#define NCE_TRACE_REF(nce)
-#define NCE_UNTRACE_REF(nce)
-#endif
-
-#define NCE_REFHOLD(nce) { \
- mutex_enter(&(nce)->nce_lock); \
- (nce)->nce_refcnt++; \
- ASSERT((nce)->nce_refcnt != 0); \
- NCE_TRACE_REF(nce); \
- mutex_exit(&(nce)->nce_lock); \
-}
-
-#define NCE_REFHOLD_NOTR(nce) { \
- mutex_enter(&(nce)->nce_lock); \
- (nce)->nce_refcnt++; \
- ASSERT((nce)->nce_refcnt != 0); \
- mutex_exit(&(nce)->nce_lock); \
-}
-
-#define NCE_REFHOLD_LOCKED(nce) { \
- ASSERT(MUTEX_HELD(&(nce)->nce_lock)); \
- (nce)->nce_refcnt++; \
- NCE_TRACE_REF(nce); \
-}
-
-/* nce_inactive destroys the mutex thus no mutex_exit is needed */
-#define NCE_REFRELE(nce) { \
- mutex_enter(&(nce)->nce_lock); \
- NCE_UNTRACE_REF(nce); \
- ASSERT((nce)->nce_refcnt != 0); \
- if (--(nce)->nce_refcnt == 0) \
- ndp_inactive(nce); \
- else { \
- mutex_exit(&(nce)->nce_lock);\
- } \
-}
-
-#define NCE_REFRELE_NOTR(nce) { \
- mutex_enter(&(nce)->nce_lock); \
- ASSERT((nce)->nce_refcnt != 0); \
- if (--(nce)->nce_refcnt == 0) \
- ndp_inactive(nce); \
- else { \
- mutex_exit(&(nce)->nce_lock);\
- } \
-}
-
-#define NDP_RESTART_TIMER(nce, ms) { \
- ASSERT(!MUTEX_HELD(&(nce)->nce_lock)); \
- if ((nce)->nce_timeout_id != 0) { \
- /* Ok to untimeout bad id. we don't hold a lock. */ \
- (void) untimeout((nce)->nce_timeout_id); \
- } \
- mutex_enter(&(nce)->nce_lock); \
- /* Don't start the timer if the nce has been deleted */ \
- if (!((nce)->nce_flags & NCE_F_CONDEMNED)) \
- nce->nce_timeout_id = timeout(ndp_timer, nce, \
- MSEC_TO_TICK(ms) == 0 ? 1 : MSEC_TO_TICK(ms)); \
- mutex_exit(&(nce)->nce_lock); \
-}
-
-/* Structure for ndp_cache_count() */
-typedef struct {
- int ncc_total; /* Total number of NCEs */
- int ncc_host; /* NCE entries without R bit set */
-} ncc_cache_count_t;
-
-/*
- * Structure of ndp_cache_reclaim(). Each field is a fraction i.e. 1 means
- * reclaim all, N means reclaim 1/Nth of all entries, 0 means reclaim none.
- */
-typedef struct {
- int ncr_host; /* Fraction for host entries */
-} nce_cache_reclaim_t;
-
/*
- * Structure for nce_delete_hw_changed; specifies an IPv4 address to link-layer
- * address mapping. Any route that has a cached copy of a mapping for that
- * IPv4 address that doesn't match the given mapping must be purged.
+ * Structure for nce_update_hw_changed;
*/
typedef struct {
ipaddr_t hwm_addr; /* IPv4 address */
- uint_t hwm_hwlen; /* Length of hardware address (may be 0) */
+ uint_t hwm_hwlen; /* Length of hardware address (may be 0) */
uchar_t *hwm_hwaddr; /* Pointer to new hardware address, if any */
+ int hwm_flags;
} nce_hw_map_t;
/* When SAP is greater than zero address appears before SAP */
@@ -284,6 +221,15 @@ typedef struct {
((sizeof (dl_unitdata_req_t)) + ((ill)->ill_phys_addr_length)) : \
(sizeof (dl_unitdata_req_t)))
+#define NCE_MYADDR(ncec) (((ncec)->ncec_flags & NCE_F_MYADDR) != 0)
+
+/*
+ * NCE_PUBLISH() identifies the addresses that we are publishing. This
+ * includes locally configured address (NCE_MYADDR()) as well as those that
+ * we are proxying.
+ */
+#define NCE_PUBLISH(ncec) ((ncec->ncec_flags & NCE_F_PUBLISH) != 0)
+
#ifdef _BIG_ENDIAN
#define NCE_LL_SAP_COPY(ill, mp) \
{ \
@@ -327,55 +273,65 @@ typedef struct {
/* NDP Cache Entry Hash Table */
#define NCE_TABLE_SIZE 256
-extern void ndp_cache_count(nce_t *, char *);
-extern void ndp_cache_reclaim(nce_t *, char *);
-extern void ndp_delete(nce_t *);
-extern void ndp_delete_per_ill(nce_t *, uchar_t *);
-extern void ndp_fastpath_flush(nce_t *, char *);
-extern boolean_t ndp_fastpath_update(nce_t *, void *);
+extern void ip_nce_reclaim(void *);
+extern void ncec_delete(ncec_t *);
+extern void ncec_delete_per_ill(ncec_t *, uchar_t *);
+extern void nce_fastpath_update(ill_t *, mblk_t *);
extern nd_opt_hdr_t *ndp_get_option(nd_opt_hdr_t *, int, int);
-extern void ndp_inactive(nce_t *);
-extern void ndp_input(ill_t *, mblk_t *, mblk_t *);
-extern boolean_t ndp_lookup_ipaddr(in_addr_t, netstack_t *);
-extern nce_t *ndp_lookup_v6(ill_t *, boolean_t, const in6_addr_t *,
- boolean_t);
-extern nce_t *ndp_lookup_v4(ill_t *, const in_addr_t *, boolean_t);
-extern int ndp_mcastreq(ill_t *, const in6_addr_t *, uint32_t, uint32_t,
+extern void ncec_inactive(ncec_t *);
+extern void ndp_input(mblk_t *, ip_recv_attr_t *);
+extern ncec_t *ncec_lookup_illgrp_v6(ill_t *, const in6_addr_t *);
+extern ncec_t *ncec_lookup_illgrp_v4(ill_t *, const in_addr_t *);
+extern nce_t *nce_lookup_v4(ill_t *, const in_addr_t *);
+extern nce_t *nce_lookup_v6(ill_t *, const in6_addr_t *);
+extern void nce_make_unreachable(ncec_t *);
+extern mblk_t *ndp_mcastreq(ill_t *, const in6_addr_t *, uint32_t, uint32_t,
mblk_t *);
-extern int ndp_noresolver(ill_t *, const in6_addr_t *);
-extern void ndp_process(nce_t *, uchar_t *, uint32_t, boolean_t);
+extern nce_t *ndp_nce_init(ill_t *, const in6_addr_t *, int);
+extern void nce_process(ncec_t *, uchar_t *, uint32_t, boolean_t);
extern int ndp_query(ill_t *, lif_nd_req_t *);
-extern int ndp_resolver(ill_t *, const in6_addr_t *, mblk_t *, zoneid_t);
extern int ndp_sioc_update(ill_t *, lif_nd_req_t *);
extern boolean_t ndp_verify_optlen(nd_opt_hdr_t *, int);
-extern void ndp_timer(void *);
-extern void ndp_walk(ill_t *, pfi_t, void *, ip_stack_t *);
-extern void ndp_walk_common(ndp_g_t *, ill_t *, pfi_t,
+extern void nce_timer(void *);
+extern void ncec_walk(ill_t *, pfi_t, void *, ip_stack_t *);
+extern void ncec_walk_common(ndp_g_t *, ill_t *, pfi_t,
void *, boolean_t);
-extern boolean_t ndp_restart_dad(nce_t *);
-extern void ndp_do_recovery(ipif_t *);
-extern void nce_resolv_failed(nce_t *);
-extern void arp_resolv_failed(nce_t *);
-extern void nce_fastpath_list_add(nce_t *);
-extern void nce_fastpath_list_delete(nce_t *);
-extern void nce_fastpath_list_dispatch(ill_t *,
- boolean_t (*)(nce_t *, void *), void *);
-extern void nce_queue_mp_common(nce_t *, mblk_t *, boolean_t);
-extern void nce_delete_hw_changed(nce_t *, void *);
-extern void nce_fastpath(nce_t *);
-extern int ndp_add_v6(ill_t *, uchar_t *, const in6_addr_t *,
- const in6_addr_t *, const in6_addr_t *, uint32_t, uint16_t, uint16_t,
- nce_t **);
-extern int ndp_lookup_then_add_v6(ill_t *, boolean_t, uchar_t *,
- const in6_addr_t *, const in6_addr_t *, const in6_addr_t *, uint32_t,
- uint16_t, uint16_t, nce_t **);
-extern int ndp_lookup_then_add_v4(ill_t *,
- const in_addr_t *, uint16_t, nce_t **, nce_t *);
-extern void ip_ndp_resolve(nce_t *);
+extern boolean_t nce_restart_dad(ncec_t *);
+extern void ndp_resolv_failed(ncec_t *);
+extern void arp_resolv_failed(ncec_t *);
+extern void nce_fastpath_list_delete(ill_t *, ncec_t *, list_t *);
+extern void nce_queue_mp(ncec_t *, mblk_t *, boolean_t);
+extern void nce_update_hw_changed(ncec_t *, void *);
+extern int nce_lookup_then_add_v6(ill_t *, uchar_t *, uint_t,
+ const in6_addr_t *, uint16_t, uint16_t, nce_t **);
+extern int nce_lookup_then_add_v4(ill_t *, uchar_t *, uint_t,
+ const in_addr_t *, uint16_t, uint16_t, nce_t **);
+extern boolean_t nce_cmp_ll_addr(const ncec_t *, const uchar_t *, uint32_t);
+extern void nce_update(ncec_t *, uint16_t, uchar_t *);
+extern nce_t *nce_lookup_mapping(ill_t *, const in6_addr_t *);
+
+extern void nce_restart_timer(ncec_t *, uint_t);
+extern void ncec_refrele(ncec_t *);
+extern void ncec_refhold(ncec_t *);
+extern void ncec_refrele_notr(ncec_t *);
+extern void ncec_refhold_notr(ncec_t *);
+extern void nce_resolv_ok(ncec_t *);
+extern uint32_t ndp_solicit(ncec_t *, in6_addr_t, ill_t *);
+extern boolean_t ip_nce_conflict(mblk_t *, ip_recv_attr_t *, ncec_t *);
+extern boolean_t ndp_announce(ncec_t *);
+extern void ip_nce_lookup_and_update(ipaddr_t *, ipif_t *, ip_stack_t *,
+ uchar_t *, int, int);
+extern void nce_refrele(nce_t *);
+extern void nce_refhold(nce_t *);
+extern void nce_delete(nce_t *);
+extern void nce_flush(ill_t *, boolean_t);
+extern void nce_walk(ill_t *, pfi_t, void *);
+extern void ip_ndp_resolve(struct ncec_s *);
+extern void ip_addr_recover(ipsq_t *, queue_t *, mblk_t *, void *);
#ifdef DEBUG
-extern void nce_trace_ref(nce_t *);
-extern void nce_untrace_ref(nce_t *);
+extern void nce_trace_ref(ncec_t *);
+extern void nce_untrace_ref(ncec_t *);
#endif
#endif /* _KERNEL */
diff --git a/usr/src/uts/common/inet/ip_netinfo.h b/usr/src/uts/common/inet/ip_netinfo.h
index b34cf0751e..a496248e23 100644
--- a/usr/src/uts/common/inet/ip_netinfo.h
+++ b/usr/src/uts/common/inet/ip_netinfo.h
@@ -20,7 +20,7 @@
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -41,10 +41,13 @@ extern void ip_net_init(ip_stack_t *, netstack_t *);
extern void ip_net_destroy(ip_stack_t *);
extern void ipv4_hook_init(ip_stack_t *);
extern void ipv6_hook_init(ip_stack_t *);
+extern void arp_hook_init(ip_stack_t *);
extern void ipv4_hook_destroy(ip_stack_t *);
extern void ipv6_hook_destroy(ip_stack_t *);
+extern void arp_hook_destroy(ip_stack_t *);
extern void ipv4_hook_shutdown(ip_stack_t *);
extern void ipv6_hook_shutdown(ip_stack_t *);
+extern void arp_hook_shutdown(ip_stack_t *);
extern void ip_ne_queue_func(void *);
#endif /* _KERNEL */
diff --git a/usr/src/uts/common/inet/ip_rts.h b/usr/src/uts/common/inet/ip_rts.h
index 61bc451995..f5cbedd370 100644
--- a/usr/src/uts/common/inet/ip_rts.h
+++ b/usr/src/uts/common/inet/ip_rts.h
@@ -48,7 +48,8 @@ extern "C" {
#ifdef _KERNEL
extern void ip_rts_change(int, ipaddr_t, ipaddr_t,
- ipaddr_t, ipaddr_t, ipaddr_t, int, int, int, ip_stack_t *);
+ ipaddr_t, ipaddr_t, ipaddr_t, int, int,
+ int, ip_stack_t *);
extern void ip_rts_change_v6(int, const in6_addr_t *, const in6_addr_t *,
const in6_addr_t *, const in6_addr_t *, const in6_addr_t *, int, int, int,
@@ -74,15 +75,17 @@ extern size_t rts_data_msg_size(int, sa_family_t, uint_t);
extern void rts_fill_msg_v6(int, int, const in6_addr_t *,
const in6_addr_t *, const in6_addr_t *, const in6_addr_t *,
- const in6_addr_t *, const in6_addr_t *, const ipif_t *, mblk_t *,
- uint_t, const tsol_gc_t *);
+ const in6_addr_t *, const in6_addr_t *, const in6_addr_t *,
+ const ill_t *, mblk_t *, const tsol_gc_t *);
extern size_t rts_header_msg_size(int);
+extern void rts_merge_metrics(iulp_t *, const iulp_t *);
+
extern void rts_queue_input(mblk_t *, conn_t *, sa_family_t, uint_t,
ip_stack_t *);
-extern int ip_rts_request_common(queue_t *q, mblk_t *mp, conn_t *, cred_t *);
+extern int ip_rts_request_common(mblk_t *mp, conn_t *, cred_t *);
#endif /* _KERNEL */
diff --git a/usr/src/uts/common/inet/ip_stack.h b/usr/src/uts/common/inet/ip_stack.h
index b5d9715c65..d2f6c07234 100644
--- a/usr/src/uts/common/inet/ip_stack.h
+++ b/usr/src/uts/common/inet/ip_stack.h
@@ -38,6 +38,7 @@ extern "C" {
#ifdef _KERNEL
#include <sys/list.h>
+
/*
* IP statistics.
*/
@@ -46,52 +47,45 @@ extern "C" {
((ipst)->ips_ip_statistics.x.value.ui64 += (n))
typedef struct ip_stat {
- kstat_named_t ipsec_fanout_proto;
kstat_named_t ip_udp_fannorm;
kstat_named_t ip_udp_fanmb;
- kstat_named_t ip_udp_fanothers;
- kstat_named_t ip_udp_fast_path;
- kstat_named_t ip_udp_slow_path;
- kstat_named_t ip_udp_input_err;
- kstat_named_t ip_tcppullup;
- kstat_named_t ip_tcpoptions;
- kstat_named_t ip_multipkttcp;
- kstat_named_t ip_tcp_fast_path;
- kstat_named_t ip_tcp_slow_path;
- kstat_named_t ip_tcp_input_error;
+ kstat_named_t ip_recv_pullup;
kstat_named_t ip_db_ref;
- kstat_named_t ip_notaligned1;
- kstat_named_t ip_notaligned2;
- kstat_named_t ip_multimblk3;
- kstat_named_t ip_multimblk4;
- kstat_named_t ip_ipoptions;
- kstat_named_t ip_classify_fail;
+ kstat_named_t ip_notaligned;
+ kstat_named_t ip_multimblk;
kstat_named_t ip_opt;
- kstat_named_t ip_udp_rput_local;
kstat_named_t ipsec_proto_ahesp;
kstat_named_t ip_conn_flputbq;
kstat_named_t ip_conn_walk_drain;
kstat_named_t ip_out_sw_cksum;
+ kstat_named_t ip_out_sw_cksum_bytes;
kstat_named_t ip_in_sw_cksum;
- kstat_named_t ip_trash_ire_reclaim_calls;
- kstat_named_t ip_trash_ire_reclaim_success;
- kstat_named_t ip_ire_arp_timer_expired;
- kstat_named_t ip_ire_redirect_timer_expired;
- kstat_named_t ip_ire_pmtu_timer_expired;
- kstat_named_t ip_input_multi_squeue;
+ kstat_named_t ip_ire_reclaim_calls;
+ kstat_named_t ip_ire_reclaim_deleted;
+ kstat_named_t ip_nce_reclaim_calls;
+ kstat_named_t ip_nce_reclaim_deleted;
+ kstat_named_t ip_dce_reclaim_calls;
+ kstat_named_t ip_dce_reclaim_deleted;
kstat_named_t ip_tcp_in_full_hw_cksum_err;
kstat_named_t ip_tcp_in_part_hw_cksum_err;
kstat_named_t ip_tcp_in_sw_cksum_err;
- kstat_named_t ip_tcp_out_sw_cksum_bytes;
kstat_named_t ip_udp_in_full_hw_cksum_err;
kstat_named_t ip_udp_in_part_hw_cksum_err;
kstat_named_t ip_udp_in_sw_cksum_err;
- kstat_named_t ip_udp_out_sw_cksum_bytes;
- kstat_named_t ip_frag_mdt_pkt_out;
- kstat_named_t ip_frag_mdt_discarded;
- kstat_named_t ip_frag_mdt_allocfail;
- kstat_named_t ip_frag_mdt_addpdescfail;
- kstat_named_t ip_frag_mdt_allocd;
+ kstat_named_t conn_in_recvdstaddr;
+ kstat_named_t conn_in_recvopts;
+ kstat_named_t conn_in_recvif;
+ kstat_named_t conn_in_recvslla;
+ kstat_named_t conn_in_recvucred;
+ kstat_named_t conn_in_recvttl;
+ kstat_named_t conn_in_recvhopopts;
+ kstat_named_t conn_in_recvhoplimit;
+ kstat_named_t conn_in_recvdstopts;
+ kstat_named_t conn_in_recvrthdrdstopts;
+ kstat_named_t conn_in_recvrthdr;
+ kstat_named_t conn_in_recvpktinfo;
+ kstat_named_t conn_in_recvtclass;
+ kstat_named_t conn_in_timestamp;
} ip_stat_t;
@@ -103,20 +97,22 @@ typedef struct ip_stat {
((ipst)->ips_ip6_statistics.x.value.ui64 += (n))
typedef struct ip6_stat {
- kstat_named_t ip6_udp_fast_path;
- kstat_named_t ip6_udp_slow_path;
kstat_named_t ip6_udp_fannorm;
kstat_named_t ip6_udp_fanmb;
+ kstat_named_t ip6_recv_pullup;
+ kstat_named_t ip6_db_ref;
+ kstat_named_t ip6_notaligned;
+ kstat_named_t ip6_multimblk;
+ kstat_named_t ipsec_proto_ahesp;
kstat_named_t ip6_out_sw_cksum;
+ kstat_named_t ip6_out_sw_cksum_bytes;
kstat_named_t ip6_in_sw_cksum;
kstat_named_t ip6_tcp_in_full_hw_cksum_err;
kstat_named_t ip6_tcp_in_part_hw_cksum_err;
kstat_named_t ip6_tcp_in_sw_cksum_err;
- kstat_named_t ip6_tcp_out_sw_cksum_bytes;
kstat_named_t ip6_udp_in_full_hw_cksum_err;
kstat_named_t ip6_udp_in_part_hw_cksum_err;
kstat_named_t ip6_udp_in_sw_cksum_err;
- kstat_named_t ip6_udp_out_sw_cksum_bytes;
kstat_named_t ip6_frag_mdt_pkt_out;
kstat_named_t ip6_frag_mdt_discarded;
kstat_named_t ip6_frag_mdt_allocfail;
@@ -150,6 +146,8 @@ typedef struct srcid_map {
struct ip_stack {
netstack_t *ips_netstack; /* Common netstack */
+ uint_t ips_src_generation; /* Both IPv4 and IPv6 */
+
struct ipparam_s *ips_param_arr; /* ndd variable table */
struct ipndp_s *ips_ndp_arr;
@@ -178,10 +176,6 @@ struct ip_stack {
kmutex_t ips_ip_mi_lock;
kmutex_t ips_ip_addr_avail_lock;
krwlock_t ips_ill_g_lock;
- krwlock_t ips_ipsec_capab_ills_lock;
- /* protects the list of IPsec capable ills */
- struct ipsec_capab_ill_s *ips_ipsec_capab_ills_ah;
- struct ipsec_capab_ill_s *ips_ipsec_capab_ills_esp;
krwlock_t ips_ill_g_usesrc_lock;
@@ -198,10 +192,10 @@ struct ip_stack {
struct connf_s *ips_rts_clients;
struct connf_s *ips_ipcl_conn_fanout;
struct connf_s *ips_ipcl_bind_fanout;
- struct connf_s *ips_ipcl_proto_fanout;
+ struct connf_s *ips_ipcl_proto_fanout_v4;
struct connf_s *ips_ipcl_proto_fanout_v6;
struct connf_s *ips_ipcl_udp_fanout;
- struct connf_s *ips_ipcl_raw_fanout;
+ struct connf_s *ips_ipcl_raw_fanout; /* RAW SCTP sockets */
struct connf_s *ips_ipcl_iptun_fanout;
uint_t ips_ipcl_conn_fanout_size;
uint_t ips_ipcl_bind_fanout_size;
@@ -237,31 +231,47 @@ struct ip_stack {
/* IPv4 forwarding table */
struct radix_node_head *ips_ip_ftable;
- /* This is dynamically allocated in ip_ire_init */
- struct irb *ips_ip_cache_table;
-
#define IPV6_ABITS 128
#define IP6_MASK_TABLE_SIZE (IPV6_ABITS + 1) /* 129 ptrs */
-
struct irb *ips_ip_forwarding_table_v6[IP6_MASK_TABLE_SIZE];
- /* This is dynamically allocated in ip_ire_init */
- struct irb *ips_ip_cache_table_v6;
- uint32_t ips_ire_handle;
/*
* ire_ft_init_lock is used while initializing ip_forwarding_table
* dynamically in ire_add.
*/
kmutex_t ips_ire_ft_init_lock;
- kmutex_t ips_ire_handle_lock; /* Protects ire_handle */
- uint32_t ips_ip_cache_table_size;
- uint32_t ips_ip6_cache_table_size;
+ /*
+ * This is the IPv6 counterpart of RADIX_NODE_HEAD_LOCK. It is used
+ * to prevent adds and deletes while we are doing a ftable_lookup
+ * and extracting the ire_generation.
+ */
+ krwlock_t ips_ip6_ire_head_lock;
+
uint32_t ips_ip6_ftable_hash_size;
ire_stats_t ips_ire_stats_v4; /* IPv4 ire statistics */
ire_stats_t ips_ire_stats_v6; /* IPv6 ire statistics */
+ /* Count how many condemned objects for kmem_cache callbacks */
+ uint32_t ips_num_ire_condemned;
+ uint32_t ips_num_nce_condemned;
+ uint32_t ips_num_dce_condemned;
+
+ struct ire_s *ips_ire_reject_v4; /* For unreachable dests */
+ struct ire_s *ips_ire_reject_v6; /* For unreachable dests */
+ struct ire_s *ips_ire_blackhole_v4; /* For temporary failures */
+ struct ire_s *ips_ire_blackhole_v6; /* For temporary failures */
+
+ /* ips_ire_dep_lock protects ire_dep_* relationship between IREs */
+ krwlock_t ips_ire_dep_lock;
+
+ /* Destination Cache Entries */
+ struct dce_s *ips_dce_default;
+ uint_t ips_dce_hashsize;
+ struct dcb_s *ips_dce_hash_v4;
+ struct dcb_s *ips_dce_hash_v6;
+
/* pending binds */
mblk_t *ips_ip6_asp_pending_ops;
mblk_t *ips_ip6_asp_pending_ops_tail;
@@ -293,9 +303,10 @@ struct ip_stack {
uint_t ips_icmp_pkt_err_sent;
/* Protected by ip_mi_lock */
- void *ips_ip_g_head; /* Instance Data List Head */
+ void *ips_ip_g_head; /* IP Instance Data List Head */
+ void *ips_arp_g_head; /* ARP Instance Data List Head */
- caddr_t ips_ip_g_nd; /* Named Dispatch List Head */
+ caddr_t ips_ip_g_nd; /* Named Dispatch List Head */
/* Multirouting stuff */
/* Interval (in ms) between consecutive 'bad MTU' warnings */
@@ -306,27 +317,11 @@ struct ip_stack {
struct cgtp_filter_ops *ips_ip_cgtp_filter_ops; /* CGTP hooks */
boolean_t ips_ip_cgtp_filter; /* Enable/disable CGTP hooks */
- kmutex_t ips_ip_trash_timer_lock;
- timeout_id_t ips_ip_ire_expire_id; /* IRE expiration timer. */
struct ipsq_s *ips_ipsq_g_head;
uint_t ips_ill_index; /* Used to assign interface indicies */
/* When set search for unused index */
boolean_t ips_ill_index_wrap;
- clock_t ips_ip_ire_arp_time_elapsed;
- /* Time since IRE cache last flushed */
- clock_t ips_ip_ire_rd_time_elapsed;
- /* ... redirect IREs last flushed */
- clock_t ips_ip_ire_pmtu_time_elapsed;
- /* Time since path mtu increase */
-
- uint_t ips_ip_redirect_cnt;
- /* Num of redirect routes in ftable */
- uint_t ips_ipv6_ire_default_count;
- /* Number of IPv6 IRE_DEFAULT entries */
- uint_t ips_ipv6_ire_default_index;
- /* Walking IPv6 index used to mod in */
-
uint_t ips_loopback_packets;
/* NDP/NCE structures for IPv4 and IPv6 */
@@ -379,15 +374,17 @@ struct ip_stack {
struct srcid_map *ips_srcid_head;
krwlock_t ips_srcid_lock;
- uint64_t ips_ipif_g_seqid;
+ uint64_t ips_ipif_g_seqid; /* Used only for sctp_addr.c */
union phyint_list_u *ips_phyint_g_list; /* start of phyint list */
-/* ip_neti.c */
+/* ip_netinfo.c */
hook_family_t ips_ipv4root;
hook_family_t ips_ipv6root;
+ hook_family_t ips_arproot;
net_handle_t ips_ipv4_net_data;
net_handle_t ips_ipv6_net_data;
+ net_handle_t ips_arp_net_data;
/*
* Hooks for firewalling
@@ -397,17 +394,23 @@ struct ip_stack {
hook_event_t ips_ip4_forwarding_event;
hook_event_t ips_ip4_loopback_in_event;
hook_event_t ips_ip4_loopback_out_event;
+
hook_event_t ips_ip6_physical_in_event;
hook_event_t ips_ip6_physical_out_event;
hook_event_t ips_ip6_forwarding_event;
hook_event_t ips_ip6_loopback_in_event;
hook_event_t ips_ip6_loopback_out_event;
+ hook_event_t ips_arp_physical_in_event;
+ hook_event_t ips_arp_physical_out_event;
+ hook_event_t ips_arp_nic_events;
+
hook_event_token_t ips_ipv4firewall_physical_in;
hook_event_token_t ips_ipv4firewall_physical_out;
hook_event_token_t ips_ipv4firewall_forwarding;
hook_event_token_t ips_ipv4firewall_loopback_in;
hook_event_token_t ips_ipv4firewall_loopback_out;
+
hook_event_token_t ips_ipv6firewall_physical_in;
hook_event_token_t ips_ipv6firewall_physical_out;
hook_event_token_t ips_ipv6firewall_forwarding;
@@ -419,6 +422,10 @@ struct ip_stack {
hook_event_token_t ips_ipv4nicevents;
hook_event_token_t ips_ipv6nicevents;
+ hook_event_token_t ips_arp_physical_in;
+ hook_event_token_t ips_arp_physical_out;
+ hook_event_token_t ips_arpnicevents;
+
net_handle_t ips_ip4_observe_pr;
net_handle_t ips_ip6_observe_pr;
hook_event_t ips_ip4_observe;
@@ -432,13 +439,6 @@ struct ip_stack {
krwlock_t ips_ipmp_lock;
mod_hash_t *ips_ipmp_grp_hash;
-/* igmp.c */
- /* multicast restart timers thread logic */
- kmutex_t ips_mrt_lock;
- uint_t ips_mrt_flags;
- kcondvar_t ips_mrt_cv;
- kcondvar_t ips_mrt_done_cv;
- kthread_t *ips_mrt_thread;
};
typedef struct ip_stack ip_stack_t;
diff --git a/usr/src/uts/common/inet/ipclassifier.h b/usr/src/uts/common/inet/ipclassifier.h
index e24bcd9a73..15a7c32376 100644
--- a/usr/src/uts/common/inet/ipclassifier.h
+++ b/usr/src/uts/common/inet/ipclassifier.h
@@ -41,8 +41,11 @@ extern "C" {
#include <sys/sunddi.h>
#include <sys/sunldi.h>
-typedef void (*edesc_spf)(void *, mblk_t *, void *, int);
-typedef void (*edesc_rpf)(void *, mblk_t *, void *);
+typedef void (*edesc_rpf)(void *, mblk_t *, void *, ip_recv_attr_t *);
+struct icmph_s;
+struct icmp6_hdr;
+typedef boolean_t (*edesc_vpf)(conn_t *, void *, struct icmph_s *,
+ struct icmp6_hdr *, ip_recv_attr_t *);
/*
* ==============================
@@ -53,7 +56,7 @@ typedef void (*edesc_rpf)(void *, mblk_t *, void *);
/*
* The connection structure contains the common information/flags/ref needed.
* Implementation will keep the connection struct, the layers (with their
- * respective data for event i.e. tcp_t if event was tcp_input) all in one
+ * respective data for event i.e. tcp_t if event was tcp_input_data) all in one
* contiguous memory location.
*/
@@ -61,14 +64,14 @@ typedef void (*edesc_rpf)(void *, mblk_t *, void *);
/* Unused 0x00020000 */
/* Unused 0x00040000 */
#define IPCL_FULLY_BOUND 0x00080000 /* Bound to correct squeue */
-#define IPCL_CHECK_POLICY 0x00100000 /* Needs policy checking */
-#define IPCL_SOCKET 0x00200000 /* Sockfs connection */
-#define IPCL_ACCEPTOR 0x00400000 /* Sockfs priv acceptor */
+/* Unused 0x00100000 */
+/* Unused 0x00200000 */
+/* Unused 0x00400000 */
#define IPCL_CL_LISTENER 0x00800000 /* Cluster listener */
-#define IPCL_EAGER 0x01000000 /* Incoming connection */
+/* Unused 0x01000000 */
/* Unused 0x02000000 */
-#define IPCL_TCP6 0x04000000 /* AF_INET6 TCP */
-#define IPCL_TCP4 0x08000000 /* IPv4 packet format TCP */
+/* Unused 0x04000000 */
+/* Unused 0x08000000 */
/* Unused 0x10000000 */
/* Unused 0x20000000 */
#define IPCL_CONNECTED 0x40000000 /* Conn in connected table */
@@ -83,41 +86,21 @@ typedef void (*edesc_rpf)(void *, mblk_t *, void *);
#define IPCL_RTSCONN 0x00000020 /* From rts_conn_cache */
/* Unused 0x00000040 */
#define IPCL_IPTUN 0x00000080 /* iptun module above us */
+
#define IPCL_NONSTR 0x00001000 /* A non-STREAMS socket */
-#define IPCL_IN_SQUEUE 0x10000000 /* Waiting squeue to finish */
+/* Unused 0x10000000 */
-/* Conn Masks */
-#define IPCL_TCP (IPCL_TCP4|IPCL_TCP6)
#define IPCL_REMOVED 0x00000100
#define IPCL_REUSED 0x00000200
-/* The packet format is IPv4; could be an AF_INET or AF_INET6 socket */
-#define IPCL_IS_TCP4(connp) \
- (((connp)->conn_flags & IPCL_TCP4))
-
-/* Connected AF_INET with no IPsec policy */
-#define IPCL_IS_TCP4_CONNECTED_NO_POLICY(connp) \
- (((connp)->conn_flags & \
- (IPCL_TCP4|IPCL_CONNECTED|IPCL_CHECK_POLICY|IPCL_TCP6)) \
- == (IPCL_TCP4|IPCL_CONNECTED))
-
#define IPCL_IS_CONNECTED(connp) \
((connp)->conn_flags & IPCL_CONNECTED)
#define IPCL_IS_BOUND(connp) \
((connp)->conn_flags & IPCL_BOUND)
-/* AF_INET TCP that is bound */
-#define IPCL_IS_TCP4_BOUND(connp) \
- (((connp)->conn_flags & \
- (IPCL_TCP4|IPCL_BOUND|IPCL_TCP6)) == \
- (IPCL_TCP4|IPCL_BOUND))
-
-#define IPCL_IS_FULLY_BOUND(connp) \
- ((connp)->conn_flags & IPCL_FULLY_BOUND)
-
/*
- * Can't use conn_protocol since we need to tell difference
+ * Can't use conn_proto since we need to tell difference
* between a real TCP socket and a SOCK_RAW, IPPROTO_TCP.
*/
#define IPCL_IS_TCP(connp) \
@@ -180,22 +163,80 @@ typedef struct ip_helper_stream_info_s {
#define CONN_MAC_IMPLICIT 2
/*
+ * conn receive ancillary definition.
+ *
+ * These are the set of socket options that make the receive side
+ * potentially pass up ancillary data items.
+ * We have a union with an integer so that we can quickly check whether
+ * any ancillary data items need to be added.
+ */
+typedef struct crb_s {
+ union {
+ uint32_t crbu_all;
+ struct {
+ uint32_t
+ crbb_recvdstaddr : 1, /* IP_RECVDSTADDR option */
+ crbb_recvopts : 1, /* IP_RECVOPTS option */
+ crbb_recvif : 1, /* IP_RECVIF option */
+ crbb_recvslla : 1, /* IP_RECVSLLA option */
+
+ crbb_recvttl : 1, /* IP_RECVTTL option */
+ crbb_ip_recvpktinfo : 1, /* IP*_RECVPKTINFO option */
+ crbb_ipv6_recvhoplimit : 1, /* IPV6_RECVHOPLIMIT option */
+ crbb_ipv6_recvhopopts : 1, /* IPV6_RECVHOPOPTS option */
+
+ crbb_ipv6_recvdstopts : 1, /* IPV6_RECVDSTOPTS option */
+ crbb_ipv6_recvrthdr : 1, /* IPV6_RECVRTHDR option */
+ crbb_old_ipv6_recvdstopts : 1, /* old form of IPV6_DSTOPTS */
+ crbb_ipv6_recvrthdrdstopts : 1, /* IPV6_RECVRTHDRDSTOPTS */
+
+ crbb_ipv6_recvtclass : 1, /* IPV6_RECVTCLASS */
+ crbb_recvucred : 1, /* IP_RECVUCRED option */
+ crbb_timestamp : 1; /* SO_TIMESTAMP "socket" option */
+
+ } crbb;
+ } crbu;
+} crb_t;
+
+#define crb_all crbu.crbu_all
+#define crb_recvdstaddr crbu.crbb.crbb_recvdstaddr
+#define crb_recvopts crbu.crbb.crbb_recvopts
+#define crb_recvif crbu.crbb.crbb_recvif
+#define crb_recvslla crbu.crbb.crbb_recvslla
+#define crb_recvttl crbu.crbb.crbb_recvttl
+#define crb_ip_recvpktinfo crbu.crbb.crbb_ip_recvpktinfo
+#define crb_ipv6_recvhoplimit crbu.crbb.crbb_ipv6_recvhoplimit
+#define crb_ipv6_recvhopopts crbu.crbb.crbb_ipv6_recvhopopts
+#define crb_ipv6_recvdstopts crbu.crbb.crbb_ipv6_recvdstopts
+#define crb_ipv6_recvrthdr crbu.crbb.crbb_ipv6_recvrthdr
+#define crb_old_ipv6_recvdstopts crbu.crbb.crbb_old_ipv6_recvdstopts
+#define crb_ipv6_recvrthdrdstopts crbu.crbb.crbb_ipv6_recvrthdrdstopts
+#define crb_ipv6_recvtclass crbu.crbb.crbb_ipv6_recvtclass
+#define crb_recvucred crbu.crbb.crbb_recvucred
+#define crb_timestamp crbu.crbb.crbb_timestamp
+
+/*
* The initial fields in the conn_t are setup by the kmem_cache constructor,
* and are preserved when it is freed. Fields after that are bzero'ed when
* the conn_t is freed.
+ *
+ * Much of the conn_t is protected by conn_lock.
+ *
+ * conn_lock is also used by some ULPs (like UDP and RAWIP) to protect
+ * their state.
*/
struct conn_s {
kmutex_t conn_lock;
uint32_t conn_ref; /* Reference counter */
uint32_t conn_flags; /* Conn Flags */
-
union {
tcp_t *cp_tcp; /* Pointer to the tcp struct */
struct udp_s *cp_udp; /* Pointer to the udp struct */
struct icmp_s *cp_icmp; /* Pointer to rawip struct */
struct rts_s *cp_rts; /* Pointer to rts struct */
struct iptun_s *cp_iptun; /* Pointer to iptun_t */
+ struct sctp_s *cp_sctp; /* For IPCL_SCTPCONN */
void *cp_priv;
} conn_proto_priv;
#define conn_tcp conn_proto_priv.cp_tcp
@@ -203,71 +244,68 @@ struct conn_s {
#define conn_icmp conn_proto_priv.cp_icmp
#define conn_rts conn_proto_priv.cp_rts
#define conn_iptun conn_proto_priv.cp_iptun
+#define conn_sctp conn_proto_priv.cp_sctp
#define conn_priv conn_proto_priv.cp_priv
kcondvar_t conn_cv;
- uint8_t conn_ulp; /* protocol type */
+ uint8_t conn_proto; /* protocol type */
edesc_rpf conn_recv; /* Pointer to recv routine */
+ edesc_rpf conn_recvicmp; /* For ICMP error */
+ edesc_vpf conn_verifyicmp; /* Verify ICMP error */
+
+ ip_xmit_attr_t *conn_ixa; /* Options if no ancil data */
/* Fields after this are bzero'ed when the conn_t is freed. */
+#define conn_start_clr conn_recv_ancillary
+
+ /* Options for receive-side ancillary data */
+ crb_t conn_recv_ancillary;
squeue_t *conn_sqp; /* Squeue for processing */
uint_t conn_state_flags; /* IP state flags */
-#define conn_start_clr conn_state_flags
- ire_t *conn_ire_cache; /* outbound ire cache */
+ int conn_lingertime; /* linger time (in seconds) */
+
unsigned int
conn_on_sqp : 1, /* Conn is being processed */
- conn_dontroute : 1, /* SO_DONTROUTE state */
- conn_loopback : 1, /* SO_LOOPBACK state */
+ conn_linger : 1, /* SO_LINGER state */
+ conn_useloopback : 1, /* SO_USELOOPBACK state */
conn_broadcast : 1, /* SO_BROADCAST state */
conn_reuseaddr : 1, /* SO_REUSEADDR state */
- conn_multicast_loop : 1, /* IP_MULTICAST_LOOP */
+ conn_keepalive : 1, /* SO_KEEPALIVE state */
conn_multi_router : 1, /* Wants all multicast pkts */
- conn_draining : 1, /* ip_wsrv running */
-
conn_did_putbq : 1, /* ip_wput did a putbq */
+
conn_unspec_src : 1, /* IP_UNSPEC_SRC */
conn_policy_cached : 1, /* Is policy cached/latched ? */
conn_in_enforce_policy : 1, /* Enforce Policy on inbound */
-
conn_out_enforce_policy : 1, /* Enforce Policy on outbound */
- conn_af_isv6 : 1, /* ip address family ver 6 */
- conn_pkt_isv6 : 1, /* ip packet format ver 6 */
- conn_ip_recvpktinfo : 1, /* IPV*_RECVPKTINFO option */
-
- conn_ipv6_recvhoplimit : 1, /* IPV6_RECVHOPLIMIT option */
- conn_ipv6_recvhopopts : 1, /* IPV6_RECVHOPOPTS option */
- conn_ipv6_recvdstopts : 1, /* IPV6_RECVDSTOPTS option */
- conn_ipv6_recvrthdr : 1, /* IPV6_RECVRTHDR option */
- conn_ipv6_recvrtdstopts : 1, /* IPV6_RECVRTHDRDSTOPTS */
+ conn_debug : 1, /* SO_DEBUG */
conn_ipv6_v6only : 1, /* IPV6_V6ONLY */
- conn_ipv6_recvtclass : 1, /* IPV6_RECVTCLASS */
+ conn_oobinline : 1, /* SO_OOBINLINE state */
+ conn_dgram_errind : 1, /* SO_DGRAM_ERRIND state */
+
+ conn_exclbind : 1, /* SO_EXCLBIND state */
+ conn_mdt_ok : 1, /* MDT is permitted */
+ conn_allzones : 1, /* SO_ALLZONES */
conn_ipv6_recvpathmtu : 1, /* IPV6_RECVPATHMTU */
- conn_pathmtu_valid : 1, /* The cached mtu is valid. */
- conn_ipv6_dontfrag : 1, /* IPV6_DONTFRAG */
- conn_fully_bound : 1, /* Fully bound connection */
- conn_recvif : 1, /* IP_RECVIF option */
+ conn_mcbc_bind : 1, /* Bound to multi/broadcast */
- conn_recvslla : 1, /* IP_RECVSLLA option */
- conn_mdt_ok : 1, /* MDT is permitted */
- conn_nexthop_set : 1,
- conn_allzones : 1; /* SO_ALLZONES */
+ conn_pad_to_bit_31 : 11;
- unsigned int
- conn_lso_ok : 1; /* LSO is usable */
boolean_t conn_direct_blocked; /* conn is flow-controlled */
squeue_t *conn_initial_sqp; /* Squeue at open time */
squeue_t *conn_final_sqp; /* Squeue after connect */
ill_t *conn_dhcpinit_ill; /* IP_DHCPINIT_IF */
- ipsec_latch_t *conn_latch; /* latched state */
- ill_t *conn_outgoing_ill; /* IP{,V6}_BOUND_IF */
- edesc_spf conn_send; /* Pointer to send routine */
+ ipsec_latch_t *conn_latch; /* latched IDS */
+ struct ipsec_policy_s *conn_latch_in_policy; /* latched policy (in) */
+ struct ipsec_action_s *conn_latch_in_action; /* latched action (in) */
+ uint_t conn_bound_if; /* IP*_BOUND_IF */
queue_t *conn_rq; /* Read queue */
queue_t *conn_wq; /* Write queue */
dev_t conn_dev; /* Minor number */
@@ -275,80 +313,137 @@ struct conn_s {
ip_helper_stream_info_t *conn_helper_info;
cred_t *conn_cred; /* Credentials */
+ pid_t conn_cpid; /* pid from open/connect */
+ uint64_t conn_open_time; /* time when this was opened */
+
connf_t *conn_g_fanout; /* Global Hash bucket head */
struct conn_s *conn_g_next; /* Global Hash chain next */
struct conn_s *conn_g_prev; /* Global Hash chain prev */
struct ipsec_policy_head_s *conn_policy; /* Configured policy */
- in6_addr_t conn_bound_source_v6;
-#define conn_bound_source V4_PART_OF_V6(conn_bound_source_v6)
-
+ in6_addr_t conn_bound_addr_v6; /* Address in bind() */
+#define conn_bound_addr_v4 V4_PART_OF_V6(conn_bound_addr_v6)
connf_t *conn_fanout; /* Hash bucket we're part of */
struct conn_s *conn_next; /* Hash chain next */
struct conn_s *conn_prev; /* Hash chain prev */
+
struct {
- in6_addr_t connua_laddr; /* Local address */
+ in6_addr_t connua_laddr; /* Local address - match */
in6_addr_t connua_faddr; /* Remote address */
} connua_v6addr;
-#define conn_src V4_PART_OF_V6(connua_v6addr.connua_laddr)
-#define conn_rem V4_PART_OF_V6(connua_v6addr.connua_faddr)
-#define conn_srcv6 connua_v6addr.connua_laddr
-#define conn_remv6 connua_v6addr.connua_faddr
+#define conn_laddr_v4 V4_PART_OF_V6(connua_v6addr.connua_laddr)
+#define conn_faddr_v4 V4_PART_OF_V6(connua_v6addr.connua_faddr)
+#define conn_laddr_v6 connua_v6addr.connua_laddr
+#define conn_faddr_v6 connua_v6addr.connua_faddr
+ in6_addr_t conn_saddr_v6; /* Local address - source */
+#define conn_saddr_v4 V4_PART_OF_V6(conn_saddr_v6)
+
union {
/* Used for classifier match performance */
- uint32_t conn_ports2;
+ uint32_t connu_ports2;
struct {
- in_port_t tcpu_fport; /* Remote port */
- in_port_t tcpu_lport; /* Local port */
- } tcpu_ports;
+ in_port_t connu_fport; /* Remote port */
+ in_port_t connu_lport; /* Local port */
+ } connu_ports;
} u_port;
-#define conn_fport u_port.tcpu_ports.tcpu_fport
-#define conn_lport u_port.tcpu_ports.tcpu_lport
-#define conn_ports u_port.conn_ports2
-#define conn_upq conn_rq
- uint8_t conn_unused_byte;
-
- uint_t conn_proto; /* SO_PROTOTYPE state */
- ill_t *conn_incoming_ill; /* IP{,V6}_BOUND_IF */
+#define conn_fport u_port.connu_ports.connu_fport
+#define conn_lport u_port.connu_ports.connu_lport
+#define conn_ports u_port.connu_ports2
+
+ uint_t conn_incoming_ifindex; /* IP{,V6}_BOUND_IF, scopeid */
ill_t *conn_oper_pending_ill; /* pending shared ioctl */
- ilg_t *conn_ilg; /* Group memberships */
- int conn_ilg_allocated; /* Number allocated */
- int conn_ilg_inuse; /* Number currently used */
- int conn_ilg_walker_cnt; /* No of ilg walkers */
- /* XXXX get rid of this, once ilg_delete_all is fixed */
- kcondvar_t conn_refcv;
-
- struct ipif_s *conn_multicast_ipif; /* IP_MULTICAST_IF */
- ill_t *conn_multicast_ill; /* IPV6_MULTICAST_IF */
- struct conn_s *conn_drain_next; /* Next conn in drain list */
- struct conn_s *conn_drain_prev; /* Prev conn in drain list */
+ krwlock_t conn_ilg_lock; /* Protects conn_ilg_* */
+ ilg_t *conn_ilg; /* Group memberships */
+
+ kcondvar_t conn_refcv; /* For conn_oper_pending_ill */
+
+ struct conn_s *conn_drain_next; /* Next conn in drain list */
+ struct conn_s *conn_drain_prev; /* Prev conn in drain list */
idl_t *conn_idl; /* Ptr to the drain list head */
mblk_t *conn_ipsec_opt_mp; /* ipsec option mblk */
- uint32_t conn_src_preferences; /* prefs for src addr select */
- /* mtuinfo from IPV6_PACKET_TOO_BIG conditional on conn_pathmtu_valid */
- struct ip6_mtuinfo mtuinfo;
zoneid_t conn_zoneid; /* zone connection is in */
- in6_addr_t conn_nexthop_v6; /* nexthop IP address */
- uchar_t conn_broadcast_ttl; /* IP_BROADCAST_TTL */
-#define conn_nexthop_v4 V4_PART_OF_V6(conn_nexthop_v6)
- cred_t *conn_effective_cred; /* Effective TX credentials */
int conn_rtaware; /* RT_AWARE sockopt value */
kcondvar_t conn_sq_cv; /* For non-STREAMS socket IO */
- kthread_t *conn_sq_caller; /* Caller of squeue sync ops */
sock_upcalls_t *conn_upcalls; /* Upcalls to sockfs */
sock_upper_handle_t conn_upper_handle; /* Upper handle: sonode * */
unsigned int
- conn_ulp_labeled : 1, /* ULP label is synced */
conn_mlp_type : 2, /* mlp_type_t; tsol/tndb.h */
conn_anon_mlp : 1, /* user wants anon MLP */
-
conn_anon_port : 1, /* user bound anonymously */
+
conn_mac_mode : 2, /* normal/loose/implicit MAC */
- conn_spare : 26;
+ conn_anon_priv_bind : 1, /* *_ANON_PRIV_BIND state */
+ conn_zone_is_global : 1, /* GLOBAL_ZONEID */
+ conn_spare : 24;
boolean_t conn_flow_cntrld;
netstack_t *conn_netstack; /* Corresponds to a netstack_hold */
+
+ /*
+ * IP format that packets received for this struct should use.
+ * Value can be IP4_VERSION or IPV6_VERSION.
+ * The sending version is encoded using IXAF_IS_IPV4.
+ */
+ ushort_t conn_ipversion;
+
+ /* Written to only once at the time of opening the endpoint */
+ sa_family_t conn_family; /* Family from socket() call */
+ uint_t conn_so_type; /* Type from socket() call */
+
+ uint_t conn_sndbuf; /* SO_SNDBUF state */
+ uint_t conn_rcvbuf; /* SO_RCVBUF state */
+ uint_t conn_wroff; /* Current write offset */
+
+ uint_t conn_sndlowat; /* Send buffer low water mark */
+ uint_t conn_rcvlowat; /* Recv buffer low water mark */
+
+ uint8_t conn_default_ttl; /* Default TTL/hoplimit */
+
+ uint32_t conn_flowinfo; /* Connected flow id and tclass */
+
+ /*
+ * The most recent address for sendto. Initially set to zero
+ * which is always different than then the destination address
+ * since the send interprets zero as the loopback address.
+ */
+ in6_addr_t conn_v6lastdst;
+#define conn_v4lastdst V4_PART_OF_V6(conn_v6lastdst)
+ ushort_t conn_lastipversion;
+ in_port_t conn_lastdstport;
+ uint32_t conn_lastflowinfo; /* IPv6-only */
+ uint_t conn_lastscopeid; /* IPv6-only */
+ uint_t conn_lastsrcid; /* Only for AF_INET6 */
+ /*
+ * When we are not connected conn_saddr might be unspecified.
+ * We track the source that was used with conn_v6lastdst here.
+ */
+ in6_addr_t conn_v6lastsrc;
+#define conn_v4lastsrc V4_PART_OF_V6(conn_v6lastsrc)
+
+ /* Templates for transmitting packets */
+ ip_pkt_t conn_xmit_ipp; /* Options if no ancil data */
+
+ /*
+ * Header template - conn_ht_ulp is a pointer into conn_ht_iphc.
+ * Note that ixa_ip_hdr_length indicates the offset of ht_ulp in
+ * ht_iphc
+ *
+ * The header template is maintained for connected endpoints (and
+ * updated when sticky options are changed) and also for the lastdst.
+ * There is no conflict between those usages since SOCK_DGRAM and
+ * SOCK_RAW can not be used to specify a destination address (with
+ * sendto/sendmsg) if the socket has been connected.
+ */
+ uint8_t *conn_ht_iphc; /* Start of IP header */
+ uint_t conn_ht_iphc_allocated; /* Allocated buffer size */
+ uint_t conn_ht_iphc_len; /* IP+ULP size */
+ uint8_t *conn_ht_ulp; /* Upper-layer header */
+ uint_t conn_ht_ulp_len; /* ULP header len */
+
+ /* Checksum to compensate for source routed packets. Host byte order */
+ uint32_t conn_sum;
+
#ifdef CONN_DEBUG
#define CONN_TRACE_MAX 10
int conn_trace_last; /* ndx of last used tracebuf */
@@ -357,18 +452,6 @@ struct conn_s {
};
/*
- * These two macros are used by TX. First priority is SCM_UCRED having
- * set the label in the mblk. Second priority is the open credentials with
- * peer's label (aka conn_effective_cred). Last priority is the open
- * credentials. BEST_CRED takes all three into account in the above order.
- * CONN_CRED is for connection-oriented cases when we don't need to look
- * at the mblk.
- */
-#define CONN_CRED(connp) ((connp)->conn_effective_cred == NULL ? \
- (connp)->conn_cred : (connp)->conn_effective_cred)
-#define BEST_CRED(mp, connp, pidp) ip_best_cred(mp, connp, pidp)
-
-/*
* connf_t - connection fanout data.
*
* The hash tables and their linkage (conn_t.{hashnextp, hashprevp} are
@@ -461,29 +544,22 @@ struct connf_s {
/*
- * IPCL_PROTO_MATCH() only matches conns with the specified zoneid, while
- * IPCL_PROTO_MATCH_V6() can match other conns in the multicast case, see
- * ip_fanout_proto().
+ * IPCL_PROTO_MATCH() and IPCL_PROTO_MATCH_V6() only matches conns with
+ * the specified ira_zoneid or conn_allzones by calling conn_wantpacket.
*/
-#define IPCL_PROTO_MATCH(connp, protocol, ipha, ill, \
- fanout_flags, zoneid) \
- ((((connp)->conn_src == INADDR_ANY) || \
- (((connp)->conn_src == ((ipha)->ipha_dst)) && \
- (((connp)->conn_rem == INADDR_ANY) || \
- ((connp)->conn_rem == ((ipha)->ipha_src))))) && \
- IPCL_ZONE_MATCH(connp, zoneid) && \
- (conn_wantpacket((connp), (ill), (ipha), (fanout_flags), \
- (zoneid)) || ((protocol) == IPPROTO_PIM) || \
- ((protocol) == IPPROTO_RSVP)))
-
-#define IPCL_PROTO_MATCH_V6(connp, protocol, ip6h, ill, \
- fanout_flags, zoneid) \
- ((IN6_IS_ADDR_UNSPECIFIED(&(connp)->conn_srcv6) || \
- (IN6_ARE_ADDR_EQUAL(&(connp)->conn_srcv6, &((ip6h)->ip6_dst)) && \
- (IN6_IS_ADDR_UNSPECIFIED(&(connp)->conn_remv6) || \
- IN6_ARE_ADDR_EQUAL(&(connp)->conn_remv6, &((ip6h)->ip6_src))))) && \
- (conn_wantpacket_v6((connp), (ill), (ip6h), \
- (fanout_flags), (zoneid)) || ((protocol) == IPPROTO_RSVP)))
+#define IPCL_PROTO_MATCH(connp, ira, ipha) \
+ ((((connp)->conn_laddr_v4 == INADDR_ANY) || \
+ (((connp)->conn_laddr_v4 == ((ipha)->ipha_dst)) && \
+ (((connp)->conn_faddr_v4 == INADDR_ANY) || \
+ ((connp)->conn_faddr_v4 == ((ipha)->ipha_src))))) && \
+ conn_wantpacket((connp), (ira), (ipha)))
+
+#define IPCL_PROTO_MATCH_V6(connp, ira, ip6h) \
+ ((IN6_IS_ADDR_UNSPECIFIED(&(connp)->conn_laddr_v6) || \
+ (IN6_ARE_ADDR_EQUAL(&(connp)->conn_laddr_v6, &((ip6h)->ip6_dst)) && \
+ (IN6_IS_ADDR_UNSPECIFIED(&(connp)->conn_faddr_v6) || \
+ IN6_ARE_ADDR_EQUAL(&(connp)->conn_faddr_v6, &((ip6h)->ip6_src))))) && \
+ (conn_wantpacket_v6((connp), (ira), (ip6h))))
#define IPCL_CONN_HASH(src, ports, ipst) \
((unsigned)(ntohl((src)) ^ ((ports) >> 24) ^ ((ports) >> 16) ^ \
@@ -493,31 +569,17 @@ struct connf_s {
IPCL_CONN_HASH(V4_PART_OF_V6((src)), (ports), (ipst))
#define IPCL_CONN_MATCH(connp, proto, src, dst, ports) \
- ((connp)->conn_ulp == (proto) && \
+ ((connp)->conn_proto == (proto) && \
(connp)->conn_ports == (ports) && \
- _IPCL_V4_MATCH((connp)->conn_remv6, (src)) && \
- _IPCL_V4_MATCH((connp)->conn_srcv6, (dst)) && \
+ _IPCL_V4_MATCH((connp)->conn_faddr_v6, (src)) && \
+ _IPCL_V4_MATCH((connp)->conn_laddr_v6, (dst)) && \
!(connp)->conn_ipv6_v6only)
#define IPCL_CONN_MATCH_V6(connp, proto, src, dst, ports) \
- ((connp)->conn_ulp == (proto) && \
+ ((connp)->conn_proto == (proto) && \
(connp)->conn_ports == (ports) && \
- IN6_ARE_ADDR_EQUAL(&(connp)->conn_remv6, &(src)) && \
- IN6_ARE_ADDR_EQUAL(&(connp)->conn_srcv6, &(dst)))
-
-#define IPCL_CONN_INIT(connp, protocol, src, rem, ports) { \
- (connp)->conn_ulp = protocol; \
- IN6_IPADDR_TO_V4MAPPED(src, &(connp)->conn_srcv6); \
- IN6_IPADDR_TO_V4MAPPED(rem, &(connp)->conn_remv6); \
- (connp)->conn_ports = ports; \
-}
-
-#define IPCL_CONN_INIT_V6(connp, protocol, src, rem, ports) { \
- (connp)->conn_ulp = protocol; \
- (connp)->conn_srcv6 = src; \
- (connp)->conn_remv6 = rem; \
- (connp)->conn_ports = ports; \
-}
+ IN6_ARE_ADDR_EQUAL(&(connp)->conn_faddr_v6, &(src)) && \
+ IN6_ARE_ADDR_EQUAL(&(connp)->conn_laddr_v6, &(dst)))
#define IPCL_PORT_HASH(port, size) \
((((port) >> 8) ^ (port)) & ((size) - 1))
@@ -527,33 +589,45 @@ struct connf_s {
(ipst)->ips_ipcl_bind_fanout_size)
#define IPCL_BIND_MATCH(connp, proto, laddr, lport) \
- ((connp)->conn_ulp == (proto) && \
+ ((connp)->conn_proto == (proto) && \
(connp)->conn_lport == (lport) && \
- (_IPCL_V4_MATCH_ANY((connp)->conn_srcv6) || \
- _IPCL_V4_MATCH((connp)->conn_srcv6, (laddr))) && \
+ (_IPCL_V4_MATCH_ANY((connp)->conn_laddr_v6) || \
+ _IPCL_V4_MATCH((connp)->conn_laddr_v6, (laddr))) && \
!(connp)->conn_ipv6_v6only)
#define IPCL_BIND_MATCH_V6(connp, proto, laddr, lport) \
- ((connp)->conn_ulp == (proto) && \
+ ((connp)->conn_proto == (proto) && \
(connp)->conn_lport == (lport) && \
- (IN6_ARE_ADDR_EQUAL(&(connp)->conn_srcv6, &(laddr)) || \
- IN6_IS_ADDR_UNSPECIFIED(&(connp)->conn_srcv6)))
+ (IN6_ARE_ADDR_EQUAL(&(connp)->conn_laddr_v6, &(laddr)) || \
+ IN6_IS_ADDR_UNSPECIFIED(&(connp)->conn_laddr_v6)))
+/*
+ * We compare conn_laddr since it captures both connected and a bind to
+ * a multicast or broadcast address.
+ * The caller needs to match the zoneid and also call conn_wantpacket
+ * for multicast, broadcast, or when conn_incoming_ifindex is set.
+ */
#define IPCL_UDP_MATCH(connp, lport, laddr, fport, faddr) \
(((connp)->conn_lport == (lport)) && \
- ((_IPCL_V4_MATCH_ANY((connp)->conn_srcv6) || \
- (_IPCL_V4_MATCH((connp)->conn_srcv6, (laddr)) && \
- (_IPCL_V4_MATCH_ANY((connp)->conn_remv6) || \
- (_IPCL_V4_MATCH((connp)->conn_remv6, (faddr)) && \
+ ((_IPCL_V4_MATCH_ANY((connp)->conn_laddr_v6) || \
+ (_IPCL_V4_MATCH((connp)->conn_laddr_v6, (laddr)) && \
+ (_IPCL_V4_MATCH_ANY((connp)->conn_faddr_v6) || \
+ (_IPCL_V4_MATCH((connp)->conn_faddr_v6, (faddr)) && \
(connp)->conn_fport == (fport)))))) && \
!(connp)->conn_ipv6_v6only)
+/*
+ * We compare conn_laddr since it captures both connected and a bind to
+ * a multicast or broadcast address.
+ * The caller needs to match the zoneid and also call conn_wantpacket_v6
+ * for multicast or when conn_incoming_ifindex is set.
+ */
#define IPCL_UDP_MATCH_V6(connp, lport, laddr, fport, faddr) \
(((connp)->conn_lport == (lport)) && \
- (IN6_IS_ADDR_UNSPECIFIED(&(connp)->conn_srcv6) || \
- (IN6_ARE_ADDR_EQUAL(&(connp)->conn_srcv6, &(laddr)) && \
- (IN6_IS_ADDR_UNSPECIFIED(&(connp)->conn_remv6) || \
- (IN6_ARE_ADDR_EQUAL(&(connp)->conn_remv6, &(faddr)) && \
+ (IN6_IS_ADDR_UNSPECIFIED(&(connp)->conn_laddr_v6) || \
+ (IN6_ARE_ADDR_EQUAL(&(connp)->conn_laddr_v6, &(laddr)) && \
+ (IN6_IS_ADDR_UNSPECIFIED(&(connp)->conn_faddr_v6) || \
+ (IN6_ARE_ADDR_EQUAL(&(connp)->conn_faddr_v6, &(faddr)) && \
(connp)->conn_fport == (fport))))))
#define IPCL_IPTUN_HASH(laddr, faddr) \
@@ -567,32 +641,12 @@ struct connf_s {
(laddr)->s6_addr32[2] ^ (laddr)->s6_addr32[3])
#define IPCL_IPTUN_MATCH(connp, laddr, faddr) \
- (_IPCL_V4_MATCH((connp)->conn_srcv6, (laddr)) && \
- _IPCL_V4_MATCH((connp)->conn_remv6, (faddr)))
+ (_IPCL_V4_MATCH((connp)->conn_laddr_v6, (laddr)) && \
+ _IPCL_V4_MATCH((connp)->conn_faddr_v6, (faddr)))
#define IPCL_IPTUN_MATCH_V6(connp, laddr, faddr) \
- (IN6_ARE_ADDR_EQUAL(&(connp)->conn_srcv6, (laddr)) && \
- IN6_ARE_ADDR_EQUAL(&(connp)->conn_remv6, (faddr)))
-
-#define IPCL_TCP_EAGER_INIT(connp, protocol, src, rem, ports) { \
- (connp)->conn_flags |= (IPCL_TCP4|IPCL_EAGER); \
- IN6_IPADDR_TO_V4MAPPED(src, &(connp)->conn_srcv6); \
- IN6_IPADDR_TO_V4MAPPED(rem, &(connp)->conn_remv6); \
- (connp)->conn_ports = ports; \
- (connp)->conn_send = ip_output; \
- (connp)->conn_sqp = IP_SQUEUE_GET(lbolt); \
- (connp)->conn_initial_sqp = (connp)->conn_sqp; \
-}
-
-#define IPCL_TCP_EAGER_INIT_V6(connp, protocol, src, rem, ports) { \
- (connp)->conn_flags |= (IPCL_TCP6|IPCL_EAGER); \
- (connp)->conn_srcv6 = src; \
- (connp)->conn_remv6 = rem; \
- (connp)->conn_ports = ports; \
- (connp)->conn_send = ip_output_v6; \
- (connp)->conn_sqp = IP_SQUEUE_GET(lbolt); \
- (connp)->conn_initial_sqp = (connp)->conn_sqp; \
-}
+ (IN6_ARE_ADDR_EQUAL(&(connp)->conn_laddr_v6, (laddr)) && \
+ IN6_ARE_ADDR_EQUAL(&(connp)->conn_faddr_v6, (faddr)))
#define IPCL_UDP_HASH(lport, ipst) \
IPCL_PORT_HASH(lport, (ipst)->ips_ipcl_udp_fanout_size)
@@ -606,18 +660,20 @@ struct connf_s {
/*
* This is similar to IPCL_BIND_MATCH except that the local port check
* is changed to a wildcard port check.
+ * We compare conn_laddr since it captures both connected and a bind to
+ * a multicast or broadcast address.
*/
#define IPCL_RAW_MATCH(connp, proto, laddr) \
- ((connp)->conn_ulp == (proto) && \
+ ((connp)->conn_proto == (proto) && \
(connp)->conn_lport == 0 && \
- (_IPCL_V4_MATCH_ANY((connp)->conn_srcv6) || \
- _IPCL_V4_MATCH((connp)->conn_srcv6, (laddr))))
+ (_IPCL_V4_MATCH_ANY((connp)->conn_laddr_v6) || \
+ _IPCL_V4_MATCH((connp)->conn_laddr_v6, (laddr))))
#define IPCL_RAW_MATCH_V6(connp, proto, laddr) \
- ((connp)->conn_ulp == (proto) && \
+ ((connp)->conn_proto == (proto) && \
(connp)->conn_lport == 0 && \
- (IN6_IS_ADDR_UNSPECIFIED(&(connp)->conn_srcv6) || \
- IN6_ARE_ADDR_EQUAL(&(connp)->conn_srcv6, &(laddr))))
+ (IN6_IS_ADDR_UNSPECIFIED(&(connp)->conn_laddr_v6) || \
+ IN6_ARE_ADDR_EQUAL(&(connp)->conn_laddr_v6, &(laddr))))
/* Function prototypes */
extern void ipcl_g_init(void);
@@ -631,28 +687,27 @@ void ipcl_hash_insert_wildcard(connf_t *, conn_t *);
void ipcl_hash_remove(conn_t *);
void ipcl_hash_remove_locked(conn_t *connp, connf_t *connfp);
-extern int ipcl_bind_insert(conn_t *, uint8_t, ipaddr_t, uint16_t);
-extern int ipcl_bind_insert_v6(conn_t *, uint8_t, const in6_addr_t *,
- uint16_t);
-extern int ipcl_conn_insert(conn_t *, uint8_t, ipaddr_t, ipaddr_t,
- uint32_t);
-extern int ipcl_conn_insert_v6(conn_t *, uint8_t, const in6_addr_t *,
- const in6_addr_t *, uint32_t, uint_t);
+extern int ipcl_bind_insert(conn_t *);
+extern int ipcl_bind_insert_v4(conn_t *);
+extern int ipcl_bind_insert_v6(conn_t *);
+extern int ipcl_conn_insert(conn_t *);
+extern int ipcl_conn_insert_v4(conn_t *);
+extern int ipcl_conn_insert_v6(conn_t *);
extern conn_t *ipcl_get_next_conn(connf_t *, conn_t *, uint32_t);
-void ipcl_proto_insert(conn_t *, uint8_t);
-void ipcl_proto_insert_v6(conn_t *, uint8_t);
-conn_t *ipcl_classify_v4(mblk_t *, uint8_t, uint_t, zoneid_t, ip_stack_t *);
-conn_t *ipcl_classify_v6(mblk_t *, uint8_t, uint_t, zoneid_t, ip_stack_t *);
-conn_t *ipcl_classify(mblk_t *, zoneid_t, ip_stack_t *);
-conn_t *ipcl_classify_raw(mblk_t *, uint8_t, zoneid_t, uint32_t, ipha_t *,
+conn_t *ipcl_classify_v4(mblk_t *, uint8_t, uint_t, ip_recv_attr_t *,
+ ip_stack_t *);
+conn_t *ipcl_classify_v6(mblk_t *, uint8_t, uint_t, ip_recv_attr_t *,
ip_stack_t *);
+conn_t *ipcl_classify(mblk_t *, ip_recv_attr_t *, ip_stack_t *);
+conn_t *ipcl_classify_raw(mblk_t *, uint8_t, uint32_t, ipha_t *,
+ ip6_t *, ip_recv_attr_t *, ip_stack_t *);
conn_t *ipcl_iptun_classify_v4(ipaddr_t *, ipaddr_t *, ip_stack_t *);
conn_t *ipcl_iptun_classify_v6(in6_addr_t *, in6_addr_t *, ip_stack_t *);
void ipcl_globalhash_insert(conn_t *);
void ipcl_globalhash_remove(conn_t *);
void ipcl_walk(pfv_t, void *, ip_stack_t *);
-conn_t *ipcl_tcp_lookup_reversed_ipv4(ipha_t *, tcph_t *, int, ip_stack_t *);
+conn_t *ipcl_tcp_lookup_reversed_ipv4(ipha_t *, tcpha_t *, int, ip_stack_t *);
conn_t *ipcl_tcp_lookup_reversed_ipv6(ip6_t *, tcpha_t *, int, uint_t,
ip_stack_t *);
conn_t *ipcl_lookup_listener_v4(uint16_t, ipaddr_t, zoneid_t, ip_stack_t *);
@@ -661,17 +716,19 @@ conn_t *ipcl_lookup_listener_v6(uint16_t, in6_addr_t *, uint_t, zoneid_t,
int conn_trace_ref(conn_t *);
int conn_untrace_ref(conn_t *);
void ipcl_conn_cleanup(conn_t *);
-conn_t *ipcl_conn_tcp_lookup_reversed_ipv4(conn_t *, ipha_t *, tcph_t *,
+extern uint_t conn_recvancillary_size(conn_t *, crb_t, ip_recv_attr_t *,
+ mblk_t *, ip_pkt_t *);
+extern void conn_recvancillary_add(conn_t *, crb_t, ip_recv_attr_t *,
+ ip_pkt_t *, uchar_t *, uint_t);
+conn_t *ipcl_conn_tcp_lookup_reversed_ipv4(conn_t *, ipha_t *, tcpha_t *,
ip_stack_t *);
-conn_t *ipcl_conn_tcp_lookup_reversed_ipv6(conn_t *, ip6_t *, tcph_t *,
+conn_t *ipcl_conn_tcp_lookup_reversed_ipv6(conn_t *, ip6_t *, tcpha_t *,
ip_stack_t *);
-extern int ip_create_helper_stream(conn_t *connp, ldi_ident_t li);
-extern void ip_free_helper_stream(conn_t *connp);
-
-extern int ip_get_options(conn_t *, int, int, void *, t_uscalar_t *, cred_t *);
-extern int ip_set_options(conn_t *, int, int, const void *, t_uscalar_t,
- cred_t *);
+extern int ip_create_helper_stream(conn_t *, ldi_ident_t);
+extern void ip_free_helper_stream(conn_t *);
+extern int ip_helper_stream_setup(queue_t *, dev_t *, int, int,
+ cred_t *, boolean_t);
#ifdef __cplusplus
}
diff --git a/usr/src/uts/common/inet/ipdrop.h b/usr/src/uts/common/inet/ipdrop.h
index 153c9c1925..74fe8cfd94 100644
--- a/usr/src/uts/common/inet/ipdrop.h
+++ b/usr/src/uts/common/inet/ipdrop.h
@@ -41,8 +41,10 @@ typedef struct ipdropper_s {
void ip_drop_register(ipdropper_t *, char *);
void ip_drop_unregister(ipdropper_t *);
-void ip_drop_packet(mblk_t *, boolean_t, ill_t *, ire_t *, struct kstat_named *,
+void ip_drop_packet(mblk_t *, boolean_t, ill_t *, struct kstat_named *,
ipdropper_t *);
+void ip_drop_input(char *, mblk_t *, ill_t *);
+void ip_drop_output(char *, mblk_t *, ill_t *);
/*
* ip_dropstats - When a protocol developer comes up with a new reason to
diff --git a/usr/src/uts/common/inet/ipp_common.h b/usr/src/uts/common/inet/ipp_common.h
index 9ac9837f66..d7380896b6 100644
--- a/usr/src/uts/common/inet/ipp_common.h
+++ b/usr/src/uts/common/inet/ipp_common.h
@@ -19,15 +19,13 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _INET_IPP_COMMON_H
#define _INET_IPP_COMMON_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#ifdef __cplusplus
extern "C" {
#endif
@@ -49,14 +47,6 @@ extern uint32_t ipp_action_count;
#define IPP_ENABLED(proc, ipst) ((ipp_action_count != 0) && \
(~((ipst)->ips_ip_policy_mask) & (proc)))
-/* Apply IPQoS policies for inbound traffic? */
-#define IP6_IN_IPP(flags, ipst) (IPP_ENABLED(IPP_LOCAL_IN, ipst) && \
- (!((flags) & IP6_NO_IPPOLICY)))
-
-/* Apply IPQoS policies for oubound traffic? */
-#define IP6_OUT_IPP(flags, ipst) \
- (IPP_ENABLED(IPP_LOCAL_OUT, ipst) && (!((flags) & IP6_NO_IPPOLICY)))
-
/* Extracts 8 bit traffic class from IPV6 flow label field */
#ifdef _BIG_ENDIAN
#define __IPV6_TCLASS_FROM_FLOW(n) (((n)>>20) & 0xff)
@@ -78,7 +68,9 @@ typedef struct ip_priv {
} ip_priv_t;
/* The entry point for ip policy processing */
-extern void ip_process(ip_proc_t, mblk_t **, uint32_t);
+#ifdef ILL_CONDEMNED
+extern mblk_t *ip_process(ip_proc_t, mblk_t *, ill_t *, ill_t *);
+#endif
extern void ip_priv_free(void *);
#endif /* _KERNEL */
diff --git a/usr/src/uts/common/inet/ipsec_impl.h b/usr/src/uts/common/inet/ipsec_impl.h
index c5fa9367fe..228e01008d 100644
--- a/usr/src/uts/common/inet/ipsec_impl.h
+++ b/usr/src/uts/common/inet/ipsec_impl.h
@@ -410,24 +410,25 @@ struct ipsec_policy_s
uint32_t ipsp_refs;
ipsec_sel_t *ipsp_sel; /* selector set (shared) */
ipsec_action_t *ipsp_act; /* action (may be shared) */
+ netstack_t *ipsp_netstack; /* No netstack_hold */
};
#define IPPOL_REFHOLD(ipp) { \
atomic_add_32(&(ipp)->ipsp_refs, 1); \
ASSERT((ipp)->ipsp_refs != 0); \
}
-#define IPPOL_REFRELE(ipp, ns) { \
+#define IPPOL_REFRELE(ipp) { \
ASSERT((ipp)->ipsp_refs != 0); \
membar_exit(); \
if (atomic_add_32_nv(&(ipp)->ipsp_refs, -1) == 0) \
- ipsec_policy_free(ipp, ns); \
+ ipsec_policy_free(ipp); \
(ipp) = 0; \
}
-#define IPPOL_UNCHAIN(php, ip, ns) \
- HASHLIST_UNCHAIN((ip), ipsp_hash); \
- avl_remove(&(php)->iph_rulebyid, (ip)); \
- IPPOL_REFRELE(ip, ns);
+#define IPPOL_UNCHAIN(php, ip) \
+ HASHLIST_UNCHAIN((ip), ipsp_hash); \
+ avl_remove(&(php)->iph_rulebyid, (ip)); \
+ IPPOL_REFRELE(ip);
/*
* Policy ruleset. One per (protocol * direction) for system policy.
@@ -590,8 +591,6 @@ typedef struct ipsid_s
atomic_add_32(&(ipsid)->ipsid_refcnt, -1); \
}
-struct ipsec_out_s;
-
/*
* Following are the estimates of what the maximum AH and ESP header size
* would be. This is used to tell the upper layer the right value of MSS
@@ -708,6 +707,17 @@ typedef struct ipsif_s
kmutex_t ipsif_lock;
} ipsif_t;
+/*
+ * For call to the kernel crypto framework. State needed during
+ * the execution of a crypto request.
+ */
+typedef struct ipsec_crypto_s {
+ size_t ic_skip_len; /* len to skip for AH auth */
+ crypto_data_t ic_crypto_data; /* single op crypto data */
+ crypto_dual_data_t ic_crypto_dual_data; /* for dual ops */
+ crypto_data_t ic_crypto_mac; /* to store the MAC */
+ ipsa_cm_mech_t ic_cmm;
+} ipsec_crypto_t;
/*
* IPsec stack instances
@@ -826,45 +836,40 @@ extern boolean_t ipsec_loaded(ipsec_stack_t *);
extern boolean_t ipsec_failed(ipsec_stack_t *);
/*
- * callback from ipsec_loader to ip
- */
-extern void ip_ipsec_load_complete(ipsec_stack_t *);
-
-/*
* ipsec policy entrypoints (spd.c)
*/
extern void ipsec_policy_g_destroy(void);
extern void ipsec_policy_g_init(void);
+extern mblk_t *ipsec_add_crypto_data(mblk_t *, ipsec_crypto_t **);
+extern mblk_t *ipsec_remove_crypto_data(mblk_t *, ipsec_crypto_t **);
+extern mblk_t *ipsec_free_crypto_data(mblk_t *);
extern int ipsec_alloc_table(ipsec_policy_head_t *, int, int, boolean_t,
netstack_t *);
extern void ipsec_polhead_init(ipsec_policy_head_t *, int);
extern void ipsec_polhead_destroy(ipsec_policy_head_t *);
extern void ipsec_polhead_free_table(ipsec_policy_head_t *);
extern mblk_t *ipsec_check_global_policy(mblk_t *, conn_t *, ipha_t *,
- ip6_t *, boolean_t, netstack_t *);
+ ip6_t *, ip_recv_attr_t *, netstack_t *ns);
extern mblk_t *ipsec_check_inbound_policy(mblk_t *, conn_t *, ipha_t *, ip6_t *,
- boolean_t);
+ ip_recv_attr_t *);
-extern boolean_t ipsec_in_to_out(mblk_t *, ipha_t *, ip6_t *, zoneid_t);
+extern boolean_t ipsec_in_to_out(ip_recv_attr_t *, ip_xmit_attr_t *,
+ mblk_t *, ipha_t *, ip6_t *);
+extern void ipsec_in_release_refs(ip_recv_attr_t *);
+extern void ipsec_out_release_refs(ip_xmit_attr_t *);
extern void ipsec_log_policy_failure(int, char *, ipha_t *, ip6_t *, boolean_t,
- netstack_t *);
+ netstack_t *);
extern boolean_t ipsec_inbound_accept_clear(mblk_t *, ipha_t *, ip6_t *);
extern int ipsec_conn_cache_policy(conn_t *, boolean_t);
-extern mblk_t *ipsec_alloc_ipsec_out(netstack_t *);
-extern mblk_t *ipsec_attach_ipsec_out(mblk_t **, conn_t *, ipsec_policy_t *,
- uint8_t, netstack_t *);
-extern mblk_t *ipsec_init_ipsec_out(mblk_t *, mblk_t **, conn_t *,
- ipsec_policy_t *, uint8_t, netstack_t *);
-struct ipsec_in_s;
-extern ipsec_action_t *ipsec_in_to_out_action(struct ipsec_in_s *);
-extern boolean_t ipsec_check_ipsecin_latch(struct ipsec_in_s *, mblk_t *,
- struct ipsec_latch_s *, ipha_t *, ip6_t *, const char **, kstat_named_t **,
- conn_t *);
-extern void ipsec_latch_inbound(ipsec_latch_t *ipl, struct ipsec_in_s *ii);
-
-extern void ipsec_policy_free(ipsec_policy_t *, netstack_t *);
+extern void ipsec_cache_outbound_policy(const conn_t *, const in6_addr_t *,
+ const in6_addr_t *, in_port_t, ip_xmit_attr_t *);
+extern boolean_t ipsec_outbound_policy_current(ip_xmit_attr_t *);
+extern ipsec_action_t *ipsec_in_to_out_action(ip_recv_attr_t *);
+extern void ipsec_latch_inbound(conn_t *connp, ip_recv_attr_t *ira);
+
+extern void ipsec_policy_free(ipsec_policy_t *);
extern void ipsec_action_free(ipsec_action_t *);
extern void ipsec_polhead_free(ipsec_policy_head_t *, netstack_t *);
extern ipsec_policy_head_t *ipsec_polhead_split(ipsec_policy_head_t *,
@@ -894,12 +899,8 @@ extern void ipsec_actvec_free(ipsec_act_t *, uint_t);
extern int ipsec_req_from_head(ipsec_policy_head_t *, ipsec_req_t *, int);
extern mblk_t *ipsec_construct_inverse_acquire(sadb_msg_t *, sadb_ext_t **,
netstack_t *);
-extern mblk_t *ip_wput_attach_policy(mblk_t *, ipha_t *, ip6_t *, ire_t *,
- conn_t *, boolean_t, zoneid_t);
-extern mblk_t *ip_wput_ire_parse_ipsec_out(mblk_t *, ipha_t *, ip6_t *,
- ire_t *, conn_t *, boolean_t, zoneid_t);
-extern ipsec_policy_t *ipsec_find_policy(int, conn_t *,
- struct ipsec_out_s *, ipsec_selector_t *, netstack_t *);
+extern ipsec_policy_t *ipsec_find_policy(int, const conn_t *,
+ ipsec_selector_t *, netstack_t *);
extern ipsid_t *ipsid_lookup(int, char *, netstack_t *);
extern boolean_t ipsid_equal(ipsid_t *, ipsid_t *);
extern void ipsid_gc(netstack_t *);
@@ -912,29 +913,29 @@ extern void ipsec_enter_policy(ipsec_policy_head_t *, ipsec_policy_t *, int,
netstack_t *);
extern boolean_t ipsec_check_action(ipsec_act_t *, int *, netstack_t *);
-extern mblk_t *ipsec_out_tag(mblk_t *, mblk_t *, netstack_t *);
-extern mblk_t *ipsec_in_tag(mblk_t *, mblk_t *, netstack_t *);
-extern mblk_t *ip_copymsg(mblk_t *mp);
-
-extern void iplatch_free(ipsec_latch_t *, netstack_t *);
+extern void iplatch_free(ipsec_latch_t *);
extern ipsec_latch_t *iplatch_create(void);
extern int ipsec_set_req(cred_t *, conn_t *, ipsec_req_t *);
extern void ipsec_insert_always(avl_tree_t *tree, void *new_node);
extern int32_t ipsec_act_ovhd(const ipsec_act_t *act);
-extern int sadb_whack_label(mblk_t **, ipsa_t *);
-extern int sadb_whack_label_v6(mblk_t **, ipsa_t *);
+extern mblk_t *sadb_whack_label(mblk_t *, ipsa_t *, ip_xmit_attr_t *,
+ kstat_named_t *, ipdropper_t *);
+extern mblk_t *sadb_whack_label_v4(mblk_t *, ipsa_t *, kstat_named_t *,
+ ipdropper_t *);
+extern mblk_t *sadb_whack_label_v6(mblk_t *, ipsa_t *, kstat_named_t *,
+ ipdropper_t *);
extern boolean_t update_iv(uint8_t *, queue_t *, ipsa_t *, ipsecesp_stack_t *);
/*
* Tunnel-support SPD functions and variables.
*/
struct iptun_s; /* Defined in inet/iptun/iptun_impl.h. */
-extern boolean_t ipsec_tun_inbound(mblk_t *, mblk_t **, ipsec_tun_pol_t *,
+extern mblk_t *ipsec_tun_inbound(ip_recv_attr_t *, mblk_t *, ipsec_tun_pol_t *,
ipha_t *, ip6_t *, ipha_t *, ip6_t *, int, netstack_t *);
extern mblk_t *ipsec_tun_outbound(mblk_t *, struct iptun_s *, ipha_t *,
- ip6_t *, ipha_t *, ip6_t *, int);
+ ip6_t *, ipha_t *, ip6_t *, int, ip_xmit_attr_t *);
extern void itp_free(ipsec_tun_pol_t *, netstack_t *);
extern ipsec_tun_pol_t *create_tunnel_policy(char *, int *, uint64_t *,
netstack_t *);
@@ -951,9 +952,9 @@ extern ipsec_tun_pol_t *itp_get_byaddr(uint32_t *, uint32_t *, int,
*/
extern void ipsecah_in_assocfailure(mblk_t *, char, ushort_t, char *,
- uint32_t, void *, int, ipsecah_stack_t *);
+ uint32_t, void *, int, ip_recv_attr_t *ira);
extern void ipsecesp_in_assocfailure(mblk_t *, char, ushort_t, char *,
- uint32_t, void *, int, ipsecesp_stack_t *);
+ uint32_t, void *, int, ip_recv_attr_t *ira);
extern void ipsecesp_send_keepalive(ipsa_t *);
/*
@@ -987,13 +988,8 @@ extern void ipsecah_algs_changed(netstack_t *);
extern void ipsecesp_algs_changed(netstack_t *);
extern void ipsecesp_init_funcs(ipsa_t *);
extern void ipsecah_init_funcs(ipsa_t *);
-extern ipsec_status_t ipsecah_icmp_error(mblk_t *);
-extern ipsec_status_t ipsecesp_icmp_error(mblk_t *);
-
-/*
- * Wrapper for putnext() to ipsec accelerated interface.
- */
-extern void ipsec_hw_putnext(queue_t *, mblk_t *);
+extern mblk_t *ipsecah_icmp_error(mblk_t *, ip_recv_attr_t *);
+extern mblk_t *ipsecesp_icmp_error(mblk_t *, ip_recv_attr_t *);
/*
* spdsock functions that are called directly by IP.
@@ -1003,11 +999,11 @@ extern void spdsock_update_pending_algs(netstack_t *);
/*
* IP functions that are called from AH and ESP.
*/
-extern boolean_t ipsec_outbound_sa(mblk_t *, uint_t);
-extern esph_t *ipsec_inbound_esp_sa(mblk_t *, netstack_t *);
-extern ah_t *ipsec_inbound_ah_sa(mblk_t *, netstack_t *);
+extern boolean_t ipsec_outbound_sa(mblk_t *, ip_xmit_attr_t *, uint_t);
+extern mblk_t *ipsec_inbound_esp_sa(mblk_t *, ip_recv_attr_t *, esph_t **);
+extern mblk_t *ipsec_inbound_ah_sa(mblk_t *, ip_recv_attr_t *, ah_t **);
extern ipsec_policy_t *ipsec_find_policy_head(ipsec_policy_t *,
- ipsec_policy_head_t *, int, ipsec_selector_t *, netstack_t *);
+ ipsec_policy_head_t *, int, ipsec_selector_t *);
/*
* IP dropper init/destroy.
@@ -1019,7 +1015,7 @@ void ip_drop_destroy(ipsec_stack_t *);
* Common functions
*/
extern boolean_t ip_addr_match(uint8_t *, int, in6_addr_t *);
-extern boolean_t ipsec_label_match(cred_t *, cred_t *);
+extern boolean_t ipsec_label_match(ts_label_t *, ts_label_t *);
/*
* AH and ESP counters types.
diff --git a/usr/src/uts/common/inet/ipsec_info.h b/usr/src/uts/common/inet/ipsec_info.h
index 3c7ede8405..c1bde9fcb7 100644
--- a/usr/src/uts/common/inet/ipsec_info.h
+++ b/usr/src/uts/common/inet/ipsec_info.h
@@ -34,22 +34,12 @@ extern "C" {
/*
* IPsec informational messages. These are M_CTL STREAMS messages, which
- * convey IPsec information between various IP and related modules. The
- * messages come in a few flavors:
- *
- * * IPSEC_{IN,OUT} - These show what IPsec action have been taken (for
- * inbound datagrams), or need to be taken (for outbound datagrams).
- * They flow between AH/ESP and IP.
+ * convey IPsec information between various IP and related modules. Most
+ * have been deprecated by the de-STREAMS-ing of TCP/IP. What remains is:
*
* * Keysock consumer interface - These messages are wrappers for
* PF_KEY messages. They flow between AH/ESP and keysock.
*
- * Some of these messages include pointers such as a netstack_t pointer.
- * We do not explicitly reference count those with netstack_hold/rele,
- * since we depend on IP's ability to discard all of the IPSEC_{IN,OUT}
- * messages in order to handle the ipsa pointers.
- * We have special logic when doing asynch callouts to kEF for which we
- * verify netstack_t pointer using the netstackid_t.
*/
/*
@@ -69,223 +59,11 @@ extern "C" {
* M_CTL types for IPsec messages. Remember, the values 0x40 - 0x4f and 0x60
* - 0x6f are not to be used because of potential little-endian confusion.
*
- * Offsets 1-25 (decimal) are in use, spread through this file.
+ * Offsets 3-7 (decimal) are in use, spread through this file.
* Check for duplicates through the whole file before adding.
*/
/*
- * IPSEC_{IN,OUT} policy expressors.
- */
-#define IPSEC_IN (IPSEC_M_CTL + 1)
-#define IPSEC_OUT (IPSEC_M_CTL + 2)
-#define MAXSALTSIZE 8
-
-/*
- * For combined mode ciphers, store the crypto_mechanism_t in the
- * per-packet ipsec_in_t/ipsec_out_t structures. This is because the PARAMS
- * and nonce values change for each packet. For non-combined mode
- * ciphers, these values are constant for the life of the SA.
- */
-typedef struct ipsa_cm_mech_s {
- crypto_mechanism_t combined_mech;
- union {
- CK_AES_CCM_PARAMS paramu_ccm;
- CK_AES_GCM_PARAMS paramu_gcm;
- } paramu;
- uint8_t nonce[MAXSALTSIZE + sizeof (uint64_t)];
-#define param_ulMACSize paramu.paramu_ccm.ulMACSize
-#define param_ulNonceSize paramu.paramu_ccm.ipsa_ulNonceSize
-#define param_ulAuthDataSize paramu.paramu_ccm.ipsa_ulAuthDataSize
-#define param_ulDataSize paramu.paramu_ccm.ipsa_ulDataSize
-#define param_nonce paramu.paramu_ccm.nonce
-#define param_authData paramu.paramu_ccm.authData
-#define param_pIv paramu.paramu_gcm.ipsa_pIv
-#define param_ulIvLen paramu.paramu_gcm.ulIvLen
-#define param_ulIvBits paramu.paramu_gcm.ulIvBits
-#define param_pAAD paramu.paramu_gcm.pAAD
-#define param_ulAADLen paramu.paramu_gcm.ulAADLen
-#define param_ulTagBits paramu.paramu_gcm.ulTagBits
-} ipsa_cm_mech_t;
-
-/*
- * This is used for communication between IP and IPSEC (AH/ESP)
- * for Inbound datagrams. IPSEC_IN is allocated by IP before IPSEC
- * processing begins. On return spi fields are initialized so that
- * IP can locate the security associations later on for doing policy
- * checks. For loopback case, IPSEC processing is not done. But the
- * attributes of the security are reflected in <foo>_done fields below.
- * The code in policy check infers that it is a loopback case and
- * would not try to get the associations.
- *
- * The comment below (and for other netstack_t references) refers
- * to the fact that we only do netstack_hold in particular cases,
- * such as the references from open streams (ill_t and conn_t's
- * pointers). Internally within IP we rely on IP's ability to cleanup e.g.
- * ire_t's when an ill goes away.
- */
-typedef struct ipsec_in_s {
- uint32_t ipsec_in_type;
- uint32_t ipsec_in_len;
- frtn_t ipsec_in_frtn; /* for esballoc() callback */
- struct ipsa_s *ipsec_in_ah_sa; /* SA for AH */
- struct ipsa_s *ipsec_in_esp_sa; /* SA for ESP */
-
- struct ipsec_policy_head_s *ipsec_in_policy;
- struct ipsec_action_s *ipsec_in_action; /* how we made it in.. */
- unsigned int
- ipsec_in_secure : 1, /* Is the message attached secure ? */
- ipsec_in_v4 : 1, /* Is this an ipv4 packet ? */
- ipsec_in_loopback : 1, /* Is this a loopback request ? */
- ipsec_in_dont_check : 1, /* Used by TCP to avoid policy check */
-
- ipsec_in_decaps : 1, /* Was this packet decapsulated from */
- /* a matching inner packet? */
- ipsec_in_accelerated : 1, /* hardware accelerated packet */
-
- ipsec_in_icmp_loopback : 1, /* Looped-back ICMP packet, */
- /* all should trust this. */
- ipsec_in_pad_bits : 25;
-
- int ipsec_in_ill_index; /* interface on which ipha_dst was */
- /* configured when pkt was recv'd */
- int ipsec_in_rill_index; /* interface on which pkt was recv'd */
- uint32_t ipsec_in_esp_udp_ports; /* For an ESP-in-UDP packet. */
- mblk_t *ipsec_in_da; /* data attr. for accelerated pkts */
-
- /*
- * For call to the kernel crypto framework. State needed during
- * the execution of a crypto request. Storing these here
- * allow us to avoid a separate allocation before calling the
- * crypto framework.
- */
- size_t ipsec_in_skip_len; /* len to skip for AH auth */
- crypto_data_t ipsec_in_crypto_data; /* single op crypto data */
- crypto_dual_data_t ipsec_in_crypto_dual_data; /* for dual ops */
- crypto_data_t ipsec_in_crypto_mac; /* to store the MAC */
-
- zoneid_t ipsec_in_zoneid; /* target zone for the datagram */
- netstack_t *ipsec_in_ns; /* Does not have a netstack_hold */
- ipsa_cm_mech_t ipsec_in_cmm; /* PARAMS for Combined mode mechs */
- netstackid_t ipsec_in_stackid; /* Used while waing for kEF callback */
-} ipsec_in_t;
-
-#define IPSECOUT_MAX_ADDRLEN 4 /* Max addr len. (in 32-bit words) */
-/*
- * This is used for communication between IP and IPSEC (AH/ESP)
- * for Outbound datagrams. IPSEC_OUT is allocated by IP before IPSEC
- * processing begins. On return SA fields are initialized so that
- * IP can locate the security associations later on for doing policy
- * checks. The policy and the actions associated with this packet are
- * stored in the ipsec_out_policy and ipsec_out_act fields respectively.
- * IPSEC_OUT is also used to carry non-ipsec information when conn is
- * absent or the conn information is lost across the calls to ARP.
- * example: message from ARP or from ICMP error routines.
- */
-typedef struct ipsec_out_s {
- uint32_t ipsec_out_type;
- uint32_t ipsec_out_len;
- frtn_t ipsec_out_frtn; /* for esballoc() callback */
- struct ipsec_policy_head_s *ipsec_out_polhead;
- ipsec_latch_t *ipsec_out_latch;
- struct ipsec_policy_s *ipsec_out_policy; /* why are we here? */
- struct ipsec_action_s *ipsec_out_act; /* what do we want? */
- struct ipsa_s *ipsec_out_ah_sa; /* AH SA used for the packet */
- struct ipsa_s *ipsec_out_esp_sa; /* ESP SA used for the packet */
- /*
- * NOTE: "Source" and "Dest" are w.r.t. outbound datagrams. Ports can
- * be zero, and the protocol number is needed to make the ports
- * significant.
- */
- uint16_t ipsec_out_src_port; /* Source port number of d-gram. */
- uint16_t ipsec_out_dst_port; /* Destination port number of d-gram. */
- uint8_t ipsec_out_icmp_type; /* ICMP type of d-gram */
- uint8_t ipsec_out_icmp_code; /* ICMP code of d-gram */
-
- sa_family_t ipsec_out_inaf; /* Inner address family */
- uint32_t ipsec_out_insrc[IPSECOUT_MAX_ADDRLEN]; /* Inner src address */
- uint32_t ipsec_out_indst[IPSECOUT_MAX_ADDRLEN]; /* Inner dest address */
- uint8_t ipsec_out_insrcpfx; /* Inner source prefix */
- uint8_t ipsec_out_indstpfx; /* Inner destination prefix */
-
- uint_t ipsec_out_ill_index; /* ill index used for multicast etc. */
- uint8_t ipsec_out_proto; /* IP protocol number for d-gram. */
- unsigned int
- ipsec_out_tunnel : 1, /* Tunnel mode? */
- ipsec_out_use_global_policy : 1, /* Inherit global policy ? */
- ipsec_out_secure : 1, /* Is this secure ? */
- ipsec_out_proc_begin : 1, /* IPSEC processing begun */
- /*
- * Following five values reflects the values stored
- * in conn.
- */
- ipsec_out_multicast_loop : 1,
- ipsec_out_dontroute : 1,
- ipsec_out_reserved : 1,
- ipsec_out_v4 : 1,
-
- ipsec_out_unspec_src : 1, /* IPv6 ip6i_t info */
- ipsec_out_reachable : 1, /* NDP reachability info */
- ipsec_out_failed: 1,
- ipsec_out_se_done: 1,
-
- ipsec_out_esp_done: 1,
- ipsec_out_ah_done: 1,
- ipsec_out_need_policy: 1,
-
- /*
- * To indicate that packet must be accelerated, i.e.
- * ICV or encryption performed, by Provider.
- */
- ipsec_out_accelerated : 1,
- /*
- * Used by IP to tell IPsec that the outbound ill for this
- * packet supports acceleration of the AH or ESP prototocol.
- * If set, ipsec_out_capab_ill_index contains the
- * index of the ill.
- */
- ipsec_out_is_capab_ill : 1,
- /*
- * Indicates ICMP message destined for self. These
- * messages are to be trusted by all receivers.
- */
- ipsec_out_icmp_loopback: 1,
- ipsec_out_ip_nexthop : 1, /* IP_NEXTHOP option is set */
- ipsec_out_pad_bits : 13;
- cred_t *ipsec_out_cred;
- uint32_t ipsec_out_capab_ill_index;
-
- /*
- * For call to the kernel crypto framework. State needed during
- * the execution of a crypto request. Storing these here
- * allow us to avoid a separate allocation before calling the
- * crypto framework.
- */
- size_t ipsec_out_skip_len; /* len to skip for AH auth */
- crypto_data_t ipsec_out_crypto_data; /* single op crypto data */
- crypto_dual_data_t ipsec_out_crypto_dual_data; /* for dual ops */
- crypto_data_t ipsec_out_crypto_mac; /* to store the MAC */
-
- zoneid_t ipsec_out_zoneid; /* source zone for the datagram */
- in6_addr_t ipsec_out_nexthop_v6; /* nexthop IP address */
-#define ipsec_out_nexthop_addr V4_PART_OF_V6(ipsec_out_nexthop_v6)
- netstack_t *ipsec_out_ns; /* Does not have a netstack_hold */
- netstackid_t ipsec_out_stackid; /* Used while waing for kEF callback */
- ipsa_cm_mech_t ipsec_out_cmm; /* PARAMS for Combined mode mechs */
-} ipsec_out_t;
-
-/*
- * This is used to mark the ipsec_out_t *req* fields
- * when the operation is done without affecting the
- * requests.
- */
-#define IPSEC_REQ_DONE 0x80000000
-/*
- * Operation could not be performed by the AH/ESP
- * module.
- */
-#define IPSEC_REQ_FAILED 0x40000000
-
-/*
* Keysock consumer interface.
*
* The driver/module keysock (which is a driver to PF_KEY sockets, but is
@@ -368,32 +146,6 @@ typedef struct keysock_out_err_s {
} keysock_out_err_t;
/*
- * M_CTL message type for sending inbound pkt information between IP & ULP.
- * These are _not_ related to IPsec in any way, but are here so that there is
- * one place where all these values are defined which makes it easier to track.
- * The choice of this value has the same rationale as explained above.
- */
-#define IN_PKTINFO (IPSEC_M_CTL + 24)
-
-
-/*
- * IPSEC_CTL messages are used by IPsec to send control type requests
- * to IP. Such a control message is currently used by IPsec to request
- * that IP send the contents of an IPsec SA or the entire SADB to
- * every IPsec hardware acceleration capable provider.
- */
-
-#define IPSEC_CTL (IPSEC_M_CTL + 25)
-
-typedef struct ipsec_ctl_s {
- uint32_t ipsec_ctl_type;
- uint32_t ipsec_ctl_len;
- uint_t ipsec_ctl_sa_type;
- void *ipsec_ctl_sa;
-} ipsec_ctl_t;
-
-
-/*
* All IPsec informational messages are placed into the ipsec_info_t
* union, so that allocation can be done once, and IPsec informational
* messages can be recycled.
@@ -403,13 +155,10 @@ typedef union ipsec_info_u {
uint32_t ipsec_allu_type;
uint32_t ipsec_allu_len; /* In bytes */
} ipsec_allu;
- ipsec_in_t ipsec_in;
- ipsec_out_t ipsec_out;
keysock_hello_ack_t keysock_hello_ack;
keysock_in_t keysock_in;
keysock_out_t keysock_out;
keysock_out_err_t keysock_out_err;
- ipsec_ctl_t ipsec_ctl;
} ipsec_info_t;
#define ipsec_info_type ipsec_allu.ipsec_allu_type
#define ipsec_info_len ipsec_allu.ipsec_allu_len
diff --git a/usr/src/uts/common/inet/ipsecah.h b/usr/src/uts/common/inet/ipsecah.h
index c389664164..cde745da88 100644
--- a/usr/src/uts/common/inet/ipsecah.h
+++ b/usr/src/uts/common/inet/ipsecah.h
@@ -19,15 +19,13 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _INET_IPSECAH_H
#define _INET_IPSECAH_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <inet/ip.h>
#include <inet/ipdrop.h>
@@ -62,9 +60,6 @@ typedef struct ah_kstats_s
kstat_named_t ah_stat_acquire_requests;
kstat_named_t ah_stat_bytes_expired;
kstat_named_t ah_stat_out_discards;
- kstat_named_t ah_stat_in_accelerated;
- kstat_named_t ah_stat_out_accelerated;
- kstat_named_t ah_stat_noaccel;
kstat_named_t ah_stat_crypto_sync;
kstat_named_t ah_stat_crypto_async;
kstat_named_t ah_stat_crypto_failures;
@@ -116,8 +111,6 @@ struct ipsecah_stack {
*/
queue_t *ah_pfkey_q;
timeout_id_t ah_event;
-
- mblk_t *ah_ip_unbind;
};
typedef struct ipsecah_stack ipsecah_stack_t;
diff --git a/usr/src/uts/common/inet/ipsecesp.h b/usr/src/uts/common/inet/ipsecesp.h
index 2dfb73c667..7be35276aa 100644
--- a/usr/src/uts/common/inet/ipsecesp.h
+++ b/usr/src/uts/common/inet/ipsecesp.h
@@ -19,15 +19,13 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _INET_IPSECESP_H
#define _INET_IPSECESP_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <inet/ip.h>
#include <inet/ipdrop.h>
@@ -70,10 +68,7 @@ struct ipsecesp_stack {
queue_t *esp_pfkey_q;
timeout_id_t esp_event;
- mblk_t *esp_ip_unbind;
-
sadbp_t esp_sadb;
-
};
typedef struct ipsecesp_stack ipsecesp_stack_t;
diff --git a/usr/src/uts/common/inet/iptun/iptun.c b/usr/src/uts/common/inet/iptun/iptun.c
index bc2f1d64d5..505aaccb31 100644
--- a/usr/src/uts/common/inet/iptun/iptun.c
+++ b/usr/src/uts/common/inet/iptun/iptun.c
@@ -76,6 +76,8 @@
#include <inet/ip.h>
#include <inet/ip_ire.h>
#include <inet/ipsec_impl.h>
+#include <sys/tsol/label.h>
+#include <sys/tsol/tnet.h>
#include <inet/iptun.h>
#include "iptun_impl.h"
@@ -87,8 +89,6 @@
#define IPTUN_HASH_KEY(key) ((mod_hash_key_t)(uintptr_t)(key))
-#define IPTUNQ_DEV "/dev/iptunq"
-
#define IPTUN_MIN_IPV4_MTU 576 /* ip.h still uses 68 (!) */
#define IPTUN_MIN_IPV6_MTU IPV6_MIN_MTU
#define IPTUN_MAX_IPV4_MTU (IP_MAXPACKET - sizeof (ipha_t))
@@ -113,15 +113,18 @@ static iptun_encaplim_t iptun_encaplim_init = {
0
};
-/* Table containing per-iptun-type information. */
+/*
+ * Table containing per-iptun-type information.
+ * Since IPv6 can run over all of these we have the IPv6 min as the min MTU.
+ */
static iptun_typeinfo_t iptun_type_table[] = {
- { IPTUN_TYPE_IPV4, MAC_PLUGIN_IDENT_IPV4, IPV4_VERSION, ip_output,
- IPTUN_MIN_IPV4_MTU, IPTUN_MAX_IPV4_MTU, B_TRUE },
- { IPTUN_TYPE_IPV6, MAC_PLUGIN_IDENT_IPV6, IPV6_VERSION, ip_output_v6,
+ { IPTUN_TYPE_IPV4, MAC_PLUGIN_IDENT_IPV4, IPV4_VERSION,
+ IPTUN_MIN_IPV6_MTU, IPTUN_MAX_IPV4_MTU, B_TRUE },
+ { IPTUN_TYPE_IPV6, MAC_PLUGIN_IDENT_IPV6, IPV6_VERSION,
IPTUN_MIN_IPV6_MTU, IPTUN_MAX_IPV6_MTU, B_TRUE },
- { IPTUN_TYPE_6TO4, MAC_PLUGIN_IDENT_6TO4, IPV4_VERSION, ip_output,
- IPTUN_MIN_IPV4_MTU, IPTUN_MAX_IPV4_MTU, B_FALSE },
- { IPTUN_TYPE_UNKNOWN, NULL, 0, NULL, 0, 0, B_FALSE }
+ { IPTUN_TYPE_6TO4, MAC_PLUGIN_IDENT_6TO4, IPV4_VERSION,
+ IPTUN_MIN_IPV6_MTU, IPTUN_MAX_IPV4_MTU, B_FALSE },
+ { IPTUN_TYPE_UNKNOWN, NULL, 0, 0, 0, B_FALSE }
};
/*
@@ -140,7 +143,6 @@ kmem_cache_t *iptun_cache;
ddi_taskq_t *iptun_taskq;
typedef enum {
- IPTUN_TASK_PMTU_UPDATE, /* obtain new destination path-MTU */
IPTUN_TASK_MTU_UPDATE, /* tell mac about new tunnel link MTU */
IPTUN_TASK_LADDR_UPDATE, /* tell mac about new local address */
IPTUN_TASK_RADDR_UPDATE, /* tell mac about new remote address */
@@ -158,13 +160,23 @@ static int iptun_enter(iptun_t *);
static void iptun_exit(iptun_t *);
static void iptun_headergen(iptun_t *, boolean_t);
static void iptun_drop_pkt(mblk_t *, uint64_t *);
-static void iptun_input(void *, mblk_t *, void *);
+static void iptun_input(void *, mblk_t *, void *, ip_recv_attr_t *);
+static void iptun_input_icmp(void *, mblk_t *, void *, ip_recv_attr_t *);
static void iptun_output(iptun_t *, mblk_t *);
-static uint32_t iptun_get_maxmtu(iptun_t *, uint32_t);
-static uint32_t iptun_update_mtu(iptun_t *, uint32_t);
-static uint32_t iptun_get_dst_pmtu(iptun_t *);
+static uint32_t iptun_get_maxmtu(iptun_t *, ip_xmit_attr_t *, uint32_t);
+static uint32_t iptun_update_mtu(iptun_t *, ip_xmit_attr_t *, uint32_t);
+static uint32_t iptun_get_dst_pmtu(iptun_t *, ip_xmit_attr_t *);
+static void iptun_update_dst_pmtu(iptun_t *, ip_xmit_attr_t *);
static int iptun_setladdr(iptun_t *, const struct sockaddr_storage *);
+static void iptun_output_6to4(iptun_t *, mblk_t *);
+static void iptun_output_common(iptun_t *, ip_xmit_attr_t *, mblk_t *);
+static boolean_t iptun_verifyicmp(conn_t *, void *, icmph_t *, icmp6_t *,
+ ip_recv_attr_t *);
+
+static void iptun_notify(void *, ip_xmit_attr_t *, ixa_notify_type_t,
+ ixa_notify_arg_t);
+
static mac_callbacks_t iptun_m_callbacks;
static int
@@ -295,13 +307,6 @@ iptun_m_tx(void *arg, mblk_t *mpchain)
return (NULL);
}
- /*
- * Request the destination's path MTU information regularly in case
- * path MTU has increased.
- */
- if (IPTUN_PMTU_TOO_OLD(iptun))
- iptun_task_dispatch(iptun, IPTUN_TASK_PMTU_UPDATE);
-
for (mp = mpchain; mp != NULL; mp = nmp) {
nmp = mp->b_next;
mp->b_next = NULL;
@@ -350,7 +355,7 @@ iptun_m_setprop(void *barg, const char *pr_name, mac_prop_id_t pr_num,
}
break;
case MAC_PROP_MTU: {
- uint32_t maxmtu = iptun_get_maxmtu(iptun, 0);
+ uint32_t maxmtu = iptun_get_maxmtu(iptun, NULL, 0);
if (value < iptun->iptun_typeinfo->iti_minmtu ||
value > maxmtu) {
@@ -434,7 +439,7 @@ iptun_m_getprop(void *barg, const char *pr_name, mac_prop_id_t pr_num,
}
break;
case MAC_PROP_MTU: {
- uint32_t maxmtu = iptun_get_maxmtu(iptun, 0);
+ uint32_t maxmtu = iptun_get_maxmtu(iptun, NULL, 0);
if (is_possible) {
range.range_uint32[0].mpur_min =
@@ -516,20 +521,11 @@ iptun_enter_by_linkid(datalink_id_t linkid, iptun_t **iptun)
}
/*
- * Handle tasks that were deferred through the iptun_taskq. These fall into
- * two categories:
- *
- * 1. Tasks that were defered because we didn't want to spend time doing them
- * while in the data path. Only IPTUN_TASK_PMTU_UPDATE falls into this
- * category.
- *
- * 2. Tasks that were defered because they require calling up to the mac
- * module, and we can't call up to the mac module while holding locks.
+ * Handle tasks that were deferred through the iptun_taskq because they require
+ * calling up to the mac module, and we can't call up to the mac module while
+ * holding locks.
*
- * Handling 1 is easy; we just lookup the iptun_t, perform the task, exit the
- * tunnel, and we're done.
- *
- * Handling 2 is tricky to get right without introducing race conditions and
+ * This is tricky to get right without introducing race conditions and
* deadlocks with the mac module, as we cannot issue an upcall while in the
* iptun_t. The reason is that upcalls may try and enter the mac perimeter,
* while iptun callbacks (such as iptun_m_setprop()) called from the mac
@@ -573,12 +569,6 @@ iptun_task_cb(void *arg)
if (iptun_enter_by_linkid(linkid, &iptun) != 0)
return;
- if (task == IPTUN_TASK_PMTU_UPDATE) {
- (void) iptun_update_mtu(iptun, 0);
- iptun_exit(iptun);
- return;
- }
-
iptun->iptun_flags |= IPTUN_UPCALL_PENDING;
switch (task) {
@@ -742,53 +732,143 @@ iptun_canbind(iptun_t *iptun)
!(iptun->iptun_typeinfo->iti_hasraddr)));
}
+/*
+ * Verify that the local address is valid, and insert in the fanout
+ */
static int
iptun_bind(iptun_t *iptun)
{
- conn_t *connp = iptun->iptun_connp;
- int err;
+ conn_t *connp = iptun->iptun_connp;
+ int error = 0;
+ ip_xmit_attr_t *ixa;
+ iulp_t uinfo;
+ ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+
+ /* Get an exclusive ixa for this thread, and replace conn_ixa */
+ ixa = conn_get_ixa(connp, B_TRUE);
+ if (ixa == NULL)
+ return (ENOMEM);
+ ASSERT(ixa->ixa_refcnt >= 2);
+ ASSERT(ixa == connp->conn_ixa);
+
+ /* We create PMTU state including for 6to4 */
+ ixa->ixa_flags |= IXAF_PMTU_DISCOVERY;
ASSERT(iptun_canbind(iptun));
+ mutex_enter(&connp->conn_lock);
+ /*
+ * Note that conn_proto can't be set since the upper protocol
+ * can be both 41 and 4 when IPv6 and IPv4 are over the same tunnel.
+ * ipcl_iptun_classify doesn't use conn_proto.
+ */
+ connp->conn_ipversion = iptun->iptun_typeinfo->iti_ipvers;
+
switch (iptun->iptun_typeinfo->iti_type) {
case IPTUN_TYPE_IPV4:
- /*
- * When we set a tunnel's destination address, we do not care
- * if the destination is reachable. Transient routing issues
- * should not inhibit the creation of a tunnel interface, for
- * example. For that reason, we pass in B_FALSE for the
- * verify_dst argument of ip_proto_bind_connected_v4() (and
- * similarly for IPv6 tunnels below).
- */
- err = ip_proto_bind_connected_v4(connp, NULL, IPPROTO_ENCAP,
- &iptun->iptun_laddr4, 0, iptun->iptun_raddr4, 0, B_TRUE,
- B_FALSE, iptun->iptun_cred);
+ IN6_IPADDR_TO_V4MAPPED(iptun->iptun_laddr4,
+ &connp->conn_laddr_v6);
+ IN6_IPADDR_TO_V4MAPPED(iptun->iptun_raddr4,
+ &connp->conn_faddr_v6);
+ ixa->ixa_flags |= IXAF_IS_IPV4;
+ if (ip_laddr_verify_v4(iptun->iptun_laddr4, IPCL_ZONEID(connp),
+ ipst, B_FALSE) != IPVL_UNICAST_UP) {
+ mutex_exit(&connp->conn_lock);
+ error = EADDRNOTAVAIL;
+ goto done;
+ }
break;
case IPTUN_TYPE_IPV6:
- err = ip_proto_bind_connected_v6(connp, NULL, IPPROTO_IPV6,
- &iptun->iptun_laddr6, 0, &iptun->iptun_raddr6, NULL, 0,
- B_TRUE, B_FALSE, iptun->iptun_cred);
+ connp->conn_laddr_v6 = iptun->iptun_laddr6;
+ connp->conn_faddr_v6 = iptun->iptun_raddr6;
+ ixa->ixa_flags &= ~IXAF_IS_IPV4;
+ /* We use a zero scopeid for now */
+ if (ip_laddr_verify_v6(&iptun->iptun_laddr6, IPCL_ZONEID(connp),
+ ipst, B_FALSE, 0) != IPVL_UNICAST_UP) {
+ mutex_exit(&connp->conn_lock);
+ error = EADDRNOTAVAIL;
+ goto done;
+ }
break;
case IPTUN_TYPE_6TO4:
- err = ip_proto_bind_laddr_v4(connp, NULL, IPPROTO_IPV6,
- iptun->iptun_laddr4, 0, B_TRUE);
- break;
+ IN6_IPADDR_TO_V4MAPPED(iptun->iptun_laddr4,
+ &connp->conn_laddr_v6);
+ IN6_IPADDR_TO_V4MAPPED(INADDR_ANY, &connp->conn_faddr_v6);
+ ixa->ixa_flags |= IXAF_IS_IPV4;
+ mutex_exit(&connp->conn_lock);
+
+ switch (ip_laddr_verify_v4(iptun->iptun_laddr4,
+ IPCL_ZONEID(connp), ipst, B_FALSE)) {
+ case IPVL_UNICAST_UP:
+ case IPVL_UNICAST_DOWN:
+ break;
+ default:
+ error = EADDRNOTAVAIL;
+ goto done;
+ }
+ goto insert;
}
- if (err == 0) {
- iptun->iptun_flags |= IPTUN_BOUND;
+ /* In case previous destination was multirt */
+ ip_attr_newdst(ixa);
- /*
- * Now that we're bound with ip below us, this is a good time
- * to initialize the destination path MTU and to re-calculate
- * the tunnel's link MTU.
- */
- (void) iptun_update_mtu(iptun, 0);
+ /*
+ * When we set a tunnel's destination address, we do not
+ * care if the destination is reachable. Transient routing
+ * issues should not inhibit the creation of a tunnel
+ * interface, for example. Thus we pass B_FALSE here.
+ */
+ connp->conn_saddr_v6 = connp->conn_laddr_v6;
+ mutex_exit(&connp->conn_lock);
- if (IS_IPTUN_RUNNING(iptun))
- iptun_task_dispatch(iptun, IPTUN_TASK_LINK_UPDATE);
- }
- return (err);
+ /* As long as the MTU is large we avoid fragmentation */
+ ixa->ixa_flags |= IXAF_DONTFRAG | IXAF_PMTU_IPV4_DF;
+
+ /* We handle IPsec in iptun_output_common */
+ error = ip_attr_connect(connp, ixa, &connp->conn_saddr_v6,
+ &connp->conn_faddr_v6, &connp->conn_faddr_v6, 0,
+ &connp->conn_saddr_v6, &uinfo, 0);
+
+ if (error != 0)
+ goto done;
+
+ /* saddr shouldn't change since it was already set */
+ ASSERT(IN6_ARE_ADDR_EQUAL(&connp->conn_laddr_v6,
+ &connp->conn_saddr_v6));
+
+ /* We set IXAF_VERIFY_PMTU to catch PMTU increases */
+ ixa->ixa_flags |= IXAF_VERIFY_PMTU;
+ ASSERT(uinfo.iulp_mtu != 0);
+
+ /*
+ * Allow setting new policies.
+ * The addresses/ports are already set, thus the IPsec policy calls
+ * can handle their passed-in conn's.
+ */
+ connp->conn_policy_cached = B_FALSE;
+
+insert:
+ error = ipcl_conn_insert(connp);
+ if (error != 0)
+ goto done;
+
+ /* Record this as the "last" send even though we haven't sent any */
+ connp->conn_v6lastdst = connp->conn_faddr_v6;
+
+ iptun->iptun_flags |= IPTUN_BOUND;
+ /*
+ * Now that we're bound with ip below us, this is a good
+ * time to initialize the destination path MTU and to
+ * re-calculate the tunnel's link MTU.
+ */
+ (void) iptun_update_mtu(iptun, ixa, 0);
+
+ if (IS_IPTUN_RUNNING(iptun))
+ iptun_task_dispatch(iptun, IPTUN_TASK_LINK_UPDATE);
+
+done:
+ ixa_refrele(ixa);
+ return (error);
}
static void
@@ -986,7 +1066,7 @@ iptun_set_sec_simple(iptun_t *iptun, const ipsec_req_t *ipsr)
* Adjust MTU and make sure the DL side knows what's up.
*/
itp->itp_flags = ITPF_P_ACTIVE;
- (void) iptun_update_mtu(iptun, 0);
+ (void) iptun_update_mtu(iptun, NULL, 0);
old_policy = B_FALSE; /* Blank out inactive - we succeeded */
} else {
rw_exit(&itp->itp_policy->iph_lock);
@@ -1170,8 +1250,16 @@ iptun_conn_create(iptun_t *iptun, netstack_t *ns, cred_t *credp)
connp->conn_flags |= IPCL_IPTUN;
connp->conn_iptun = iptun;
connp->conn_recv = iptun_input;
- connp->conn_rq = ns->netstack_iptun->iptuns_g_q;
- connp->conn_wq = WR(connp->conn_rq);
+ connp->conn_recvicmp = iptun_input_icmp;
+ connp->conn_verifyicmp = iptun_verifyicmp;
+
+ /*
+ * Register iptun_notify to listen to capability changes detected by IP.
+ * This upcall is made in the context of the call to conn_ip_output.
+ */
+ connp->conn_ixa->ixa_notify = iptun_notify;
+ connp->conn_ixa->ixa_notify_cookie = iptun;
+
/*
* For exclusive stacks we set conn_zoneid to GLOBAL_ZONEID as is done
* for all other conn_t's.
@@ -1187,11 +1275,32 @@ iptun_conn_create(iptun_t *iptun, netstack_t *ns, cred_t *credp)
connp->conn_cred = credp;
/* crfree() is done in ipcl_conn_destroy(), called by CONN_DEC_REF() */
crhold(connp->conn_cred);
+ connp->conn_cpid = NOPID;
- connp->conn_send = iptun->iptun_typeinfo->iti_txfunc;
- connp->conn_af_isv6 = iptun->iptun_typeinfo->iti_ipvers == IPV6_VERSION;
+ /* conn_allzones can not be set this early, hence no IPCL_ZONEID */
+ connp->conn_ixa->ixa_zoneid = connp->conn_zoneid;
ASSERT(connp->conn_ref == 1);
+ /* Cache things in ixa without an extra refhold */
+ connp->conn_ixa->ixa_cred = connp->conn_cred;
+ connp->conn_ixa->ixa_cpid = connp->conn_cpid;
+ if (is_system_labeled())
+ connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
+
+ /*
+ * Have conn_ip_output drop packets should our outer source
+ * go invalid
+ */
+ connp->conn_ixa->ixa_flags |= IXAF_VERIFY_SOURCE;
+
+ switch (iptun->iptun_typeinfo->iti_ipvers) {
+ case IPV4_VERSION:
+ connp->conn_family = AF_INET6;
+ break;
+ case IPV6_VERSION:
+ connp->conn_family = AF_INET;
+ break;
+ }
mutex_enter(&connp->conn_lock);
connp->conn_state_flags &= ~CONN_INCIPIENT;
mutex_exit(&connp->conn_lock);
@@ -1207,26 +1316,6 @@ iptun_conn_destroy(conn_t *connp)
CONN_DEC_REF(connp);
}
-static int
-iptun_create_g_q(iptun_stack_t *iptuns, cred_t *credp)
-{
- int err;
- conn_t *connp;
-
- ASSERT(iptuns->iptuns_g_q == NULL);
- /*
- * The global queue for this stack is set when iptunq_open() calls
- * iptun_set_g_q().
- */
- err = ldi_open_by_name(IPTUNQ_DEV, FWRITE|FREAD, credp,
- &iptuns->iptuns_g_q_lh, iptun_ldi_ident);
- if (err == 0) {
- connp = iptuns->iptuns_g_q->q_ptr;
- connp->conn_recv = iptun_input;
- }
- return (err);
-}
-
static iptun_t *
iptun_alloc(void)
{
@@ -1289,11 +1378,6 @@ iptun_free(iptun_t *iptun)
iptun->iptun_connp = NULL;
}
- netstack_rele(iptun->iptun_ns);
- iptun->iptun_ns = NULL;
- crfree(iptun->iptun_cred);
- iptun->iptun_cred = NULL;
-
kmem_cache_free(iptun_cache, iptun);
atomic_dec_32(&iptun_tunnelcount);
}
@@ -1340,19 +1424,6 @@ iptun_create(iptun_kparams_t *ik, cred_t *credp)
ns = netstack_find_by_cred(credp);
iptuns = ns->netstack_iptun;
- /*
- * Before we create any tunnel, we need to ensure that the default
- * STREAMS queue (used to satisfy the ip module's requirement for one)
- * is created. We only do this once per stack. The stream is closed
- * when the stack is destroyed in iptun_stack_fni().
- */
- mutex_enter(&iptuns->iptuns_lock);
- if (iptuns->iptuns_g_q == NULL)
- err = iptun_create_g_q(iptuns, zone_kcred());
- mutex_exit(&iptuns->iptuns_lock);
- if (err != 0)
- goto done;
-
if ((iptun = iptun_alloc()) == NULL) {
err = ENOMEM;
goto done;
@@ -1360,8 +1431,6 @@ iptun_create(iptun_kparams_t *ik, cred_t *credp)
iptun->iptun_linkid = ik->iptun_kparam_linkid;
iptun->iptun_zoneid = zoneid;
- crhold(credp);
- iptun->iptun_cred = credp;
iptun->iptun_ns = ns;
iptun->iptun_typeinfo = iptun_gettypeinfo(ik->iptun_kparam_type);
@@ -1668,49 +1737,142 @@ iptun_set_policy(datalink_id_t linkid, ipsec_tun_pol_t *itp)
ITP_REFHOLD(itp);
iptun->iptun_itp = itp;
/* IPsec policy means IPsec overhead, which means lower MTU. */
- (void) iptun_update_mtu(iptun, 0);
+ (void) iptun_update_mtu(iptun, NULL, 0);
}
iptun_exit(iptun);
}
/*
* Obtain the path MTU to the tunnel destination.
+ * Can return zero in some cases.
*/
static uint32_t
-iptun_get_dst_pmtu(iptun_t *iptun)
+iptun_get_dst_pmtu(iptun_t *iptun, ip_xmit_attr_t *ixa)
{
- ire_t *ire = NULL;
- ip_stack_t *ipst = iptun->iptun_ns->netstack_ip;
uint32_t pmtu = 0;
+ conn_t *connp = iptun->iptun_connp;
+ boolean_t need_rele = B_FALSE;
/*
- * We only obtain the destination IRE for tunnels that have a remote
- * tunnel address.
+ * We only obtain the pmtu for tunnels that have a remote tunnel
+ * address.
*/
if (!(iptun->iptun_flags & IPTUN_RADDR))
return (0);
- switch (iptun->iptun_typeinfo->iti_ipvers) {
- case IPV4_VERSION:
- ire = ire_route_lookup(iptun->iptun_raddr4, INADDR_ANY,
- INADDR_ANY, 0, NULL, NULL, iptun->iptun_connp->conn_zoneid,
- NULL, (MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT), ipst);
- break;
- case IPV6_VERSION:
- ire = ire_route_lookup_v6(&iptun->iptun_raddr6, NULL, NULL, 0,
- NULL, NULL, iptun->iptun_connp->conn_zoneid, NULL,
- (MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT), ipst);
- break;
+ if (ixa == NULL) {
+ ixa = conn_get_ixa(connp, B_FALSE);
+ if (ixa == NULL)
+ return (0);
+ need_rele = B_TRUE;
}
+ /*
+ * Guard against ICMP errors before we have sent, as well as against
+ * and a thread which held conn_ixa.
+ */
+ if (ixa->ixa_ire != NULL) {
+ pmtu = ip_get_pmtu(ixa);
- if (ire != NULL) {
- pmtu = ire->ire_max_frag;
- ire_refrele(ire);
+ /*
+ * For both IPv4 and IPv6 we can have indication that the outer
+ * header needs fragmentation.
+ */
+ if (ixa->ixa_flags & IXAF_PMTU_TOO_SMALL) {
+ /* Must allow fragmentation in ip_output */
+ ixa->ixa_flags &= ~IXAF_DONTFRAG;
+ } else if (iptun->iptun_typeinfo->iti_type != IPTUN_TYPE_6TO4) {
+ ixa->ixa_flags |= IXAF_DONTFRAG;
+ } else {
+ /* ip_get_pmtu might have set this - we don't want it */
+ ixa->ixa_flags &= ~IXAF_PMTU_IPV4_DF;
+ }
}
+
+ if (need_rele)
+ ixa_refrele(ixa);
return (pmtu);
}
/*
+ * Update the ip_xmit_attr_t to capture the current lower path mtu as known
+ * by ip.
+ */
+static void
+iptun_update_dst_pmtu(iptun_t *iptun, ip_xmit_attr_t *ixa)
+{
+ uint32_t pmtu;
+ conn_t *connp = iptun->iptun_connp;
+ boolean_t need_rele = B_FALSE;
+
+ /* IXAF_VERIFY_PMTU is not set if we don't have a fixed destination */
+ if (!(iptun->iptun_flags & IPTUN_RADDR))
+ return;
+
+ if (ixa == NULL) {
+ ixa = conn_get_ixa(connp, B_FALSE);
+ if (ixa == NULL)
+ return;
+ need_rele = B_TRUE;
+ }
+ /*
+ * Guard against ICMP errors before we have sent, as well as against
+ * and a thread which held conn_ixa.
+ */
+ if (ixa->ixa_ire != NULL) {
+ pmtu = ip_get_pmtu(ixa);
+ /*
+ * Update ixa_fragsize and ixa_pmtu.
+ */
+ ixa->ixa_fragsize = ixa->ixa_pmtu = pmtu;
+
+ /*
+ * For both IPv4 and IPv6 we can have indication that the outer
+ * header needs fragmentation.
+ */
+ if (ixa->ixa_flags & IXAF_PMTU_TOO_SMALL) {
+ /* Must allow fragmentation in ip_output */
+ ixa->ixa_flags &= ~IXAF_DONTFRAG;
+ } else if (iptun->iptun_typeinfo->iti_type != IPTUN_TYPE_6TO4) {
+ ixa->ixa_flags |= IXAF_DONTFRAG;
+ } else {
+ /* ip_get_pmtu might have set this - we don't want it */
+ ixa->ixa_flags &= ~IXAF_PMTU_IPV4_DF;
+ }
+ }
+
+ if (need_rele)
+ ixa_refrele(ixa);
+}
+
+/*
+ * There is nothing that iptun can verify in addition to IP having
+ * verified the IP addresses in the fanout.
+ */
+/* ARGSUSED */
+static boolean_t
+iptun_verifyicmp(conn_t *connp, void *arg2, icmph_t *icmph, icmp6_t *icmp6,
+ ip_recv_attr_t *ira)
+{
+ return (B_TRUE);
+}
+
+/*
+ * Notify function registered with ip_xmit_attr_t.
+ */
+static void
+iptun_notify(void *arg, ip_xmit_attr_t *ixa, ixa_notify_type_t ntype,
+ ixa_notify_arg_t narg)
+{
+ iptun_t *iptun = (iptun_t *)arg;
+
+ switch (ntype) {
+ case IXAN_PMTU:
+ (void) iptun_update_mtu(iptun, ixa, narg);
+ break;
+ }
+}
+
+/*
* Returns the max of old_ovhd and the overhead associated with pol.
*/
static uint32_t
@@ -1765,18 +1927,18 @@ iptun_get_ipsec_overhead(iptun_t *iptun)
/* Check for both IPv4 and IPv6. */
sel.ips_protocol = IPPROTO_ENCAP;
pol = ipsec_find_policy_head(NULL, iph, IPSEC_TYPE_OUTBOUND,
- &sel, ns);
+ &sel);
if (pol != NULL) {
ipsec_ovhd = ipsec_act_ovhd(&pol->ipsp_act->ipa_act);
- IPPOL_REFRELE(pol, ns);
+ IPPOL_REFRELE(pol);
}
sel.ips_protocol = IPPROTO_IPV6;
pol = ipsec_find_policy_head(NULL, iph, IPSEC_TYPE_OUTBOUND,
- &sel, ns);
+ &sel);
if (pol != NULL) {
ipsec_ovhd = max(ipsec_ovhd,
ipsec_act_ovhd(&pol->ipsp_act->ipa_act));
- IPPOL_REFRELE(pol, ns);
+ IPPOL_REFRELE(pol);
}
IPPH_REFRELE(iph, ns);
} else {
@@ -1802,10 +1964,14 @@ iptun_get_ipsec_overhead(iptun_t *iptun)
}
/*
- * Calculate and return the maximum possible MTU for the given tunnel.
+ * Calculate and return the maximum possible upper MTU for the given tunnel.
+ *
+ * If new_pmtu is set then we also need to update the lower path MTU information
+ * in the ip_xmit_attr_t. That is needed since we set IXAF_VERIFY_PMTU so that
+ * we are notified by conn_ip_output() when the path MTU increases.
*/
static uint32_t
-iptun_get_maxmtu(iptun_t *iptun, uint32_t new_pmtu)
+iptun_get_maxmtu(iptun_t *iptun, ip_xmit_attr_t *ixa, uint32_t new_pmtu)
{
size_t header_size, ipsec_overhead;
uint32_t maxmtu, pmtu;
@@ -1816,13 +1982,11 @@ iptun_get_maxmtu(iptun_t *iptun, uint32_t new_pmtu)
* iptun_get_dst_pmtu().
*/
if (new_pmtu != 0) {
- if (iptun->iptun_flags & IPTUN_RADDR) {
+ if (iptun->iptun_flags & IPTUN_RADDR)
iptun->iptun_dpmtu = new_pmtu;
- iptun->iptun_dpmtu_lastupdate = ddi_get_lbolt();
- }
pmtu = new_pmtu;
} else if (iptun->iptun_flags & IPTUN_RADDR) {
- if ((pmtu = iptun_get_dst_pmtu(iptun)) == 0) {
+ if ((pmtu = iptun_get_dst_pmtu(iptun, ixa)) == 0) {
/*
* We weren't able to obtain the path-MTU of the
* destination. Use the previous value.
@@ -1830,7 +1994,6 @@ iptun_get_maxmtu(iptun_t *iptun, uint32_t new_pmtu)
pmtu = iptun->iptun_dpmtu;
} else {
iptun->iptun_dpmtu = pmtu;
- iptun->iptun_dpmtu_lastupdate = ddi_get_lbolt();
}
} else {
/*
@@ -1866,19 +2029,23 @@ iptun_get_maxmtu(iptun_t *iptun, uint32_t new_pmtu)
}
/*
- * Re-calculate the tunnel's MTU and notify the MAC layer of any change in
- * MTU. The new_pmtu argument is the new path MTU to the tunnel destination
- * to be used in the tunnel MTU calculation. Passing in 0 for new_pmtu causes
- * the path MTU to be dynamically updated using iptun_update_pmtu().
+ * Re-calculate the tunnel's MTU as seen from above and notify the MAC layer
+ * of any change in MTU. The new_pmtu argument is the new lower path MTU to
+ * the tunnel destination to be used in the tunnel MTU calculation. Passing
+ * in 0 for new_pmtu causes the lower path MTU to be dynamically updated using
+ * ip_get_pmtu().
*
* If the calculated tunnel MTU is different than its previous value, then we
* notify the MAC layer above us of this change using mac_maxsdu_update().
*/
static uint32_t
-iptun_update_mtu(iptun_t *iptun, uint32_t new_pmtu)
+iptun_update_mtu(iptun_t *iptun, ip_xmit_attr_t *ixa, uint32_t new_pmtu)
{
uint32_t newmtu;
+ /* We always update the ixa since we might have set IXAF_VERIFY_PMTU */
+ iptun_update_dst_pmtu(iptun, ixa);
+
/*
* We return the current MTU without updating it if it was pegged to a
* static value using the MAC_PROP_MTU link property.
@@ -1887,8 +2054,7 @@ iptun_update_mtu(iptun_t *iptun, uint32_t new_pmtu)
return (iptun->iptun_mtu);
/* If the MTU isn't fixed, then use the maximum possible value. */
- newmtu = iptun_get_maxmtu(iptun, new_pmtu);
-
+ newmtu = iptun_get_maxmtu(iptun, ixa, new_pmtu);
/*
* We only dynamically adjust the tunnel MTU for tunnels with
* destinations because dynamic MTU calculations are based on the
@@ -1929,7 +2095,7 @@ iptun_build_icmperr(size_t hdrs_size, mblk_t *orig_pkt)
{
mblk_t *icmperr_mp;
- if ((icmperr_mp = allocb_tmpl(hdrs_size, orig_pkt)) != NULL) {
+ if ((icmperr_mp = allocb(hdrs_size, BPRI_MED)) != NULL) {
icmperr_mp->b_wptr += hdrs_size;
/* tack on the offending packet */
icmperr_mp->b_cont = orig_pkt;
@@ -1942,12 +2108,15 @@ iptun_build_icmperr(size_t hdrs_size, mblk_t *orig_pkt)
* the ICMP error.
*/
static void
-iptun_sendicmp_v4(iptun_t *iptun, icmph_t *icmp, ipha_t *orig_ipha, mblk_t *mp)
+iptun_sendicmp_v4(iptun_t *iptun, icmph_t *icmp, ipha_t *orig_ipha, mblk_t *mp,
+ ts_label_t *tsl)
{
size_t orig_pktsize, hdrs_size;
mblk_t *icmperr_mp;
ipha_t *new_ipha;
icmph_t *new_icmp;
+ ip_xmit_attr_t ixas;
+ conn_t *connp = iptun->iptun_connp;
orig_pktsize = msgdsize(mp);
hdrs_size = sizeof (ipha_t) + sizeof (icmph_t);
@@ -1974,17 +2143,35 @@ iptun_sendicmp_v4(iptun_t *iptun, icmph_t *icmp, ipha_t *orig_ipha, mblk_t *mp)
new_icmp->icmph_checksum = 0;
new_icmp->icmph_checksum = IP_CSUM(icmperr_mp, sizeof (ipha_t), 0);
- ip_output(iptun->iptun_connp, icmperr_mp, iptun->iptun_connp->conn_wq,
- IP_WPUT);
+ bzero(&ixas, sizeof (ixas));
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
+ if (new_ipha->ipha_src == INADDR_ANY)
+ ixas.ixa_flags |= IXAF_SET_SOURCE;
+
+ ixas.ixa_zoneid = IPCL_ZONEID(connp);
+ ixas.ixa_ipst = connp->conn_netstack->netstack_ip;
+ ixas.ixa_cred = connp->conn_cred;
+ ixas.ixa_cpid = NOPID;
+ if (is_system_labeled())
+ ixas.ixa_tsl = tsl;
+
+ ixas.ixa_ifindex = 0;
+ ixas.ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
+
+ (void) ip_output_simple(icmperr_mp, &ixas);
+ ixa_cleanup(&ixas);
}
static void
-iptun_sendicmp_v6(iptun_t *iptun, icmp6_t *icmp6, ip6_t *orig_ip6h, mblk_t *mp)
+iptun_sendicmp_v6(iptun_t *iptun, icmp6_t *icmp6, ip6_t *orig_ip6h, mblk_t *mp,
+ ts_label_t *tsl)
{
size_t orig_pktsize, hdrs_size;
mblk_t *icmp6err_mp;
ip6_t *new_ip6h;
icmp6_t *new_icmp6;
+ ip_xmit_attr_t ixas;
+ conn_t *connp = iptun->iptun_connp;
orig_pktsize = msgdsize(mp);
hdrs_size = sizeof (ip6_t) + sizeof (icmp6_t);
@@ -2004,16 +2191,31 @@ iptun_sendicmp_v6(iptun_t *iptun, icmp6_t *icmp6, ip6_t *orig_ip6h, mblk_t *mp)
new_ip6h->ip6_dst = orig_ip6h->ip6_src;
*new_icmp6 = *icmp6;
- /* The checksum is calculated in ip_wput_ire_v6(). */
+ /* The checksum is calculated in ip_output_simple and friends. */
new_icmp6->icmp6_cksum = new_ip6h->ip6_plen;
- ip_output_v6(iptun->iptun_connp, icmp6err_mp,
- iptun->iptun_connp->conn_wq, IP_WPUT);
+ bzero(&ixas, sizeof (ixas));
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V6;
+ if (IN6_IS_ADDR_UNSPECIFIED(&new_ip6h->ip6_src))
+ ixas.ixa_flags |= IXAF_SET_SOURCE;
+
+ ixas.ixa_zoneid = IPCL_ZONEID(connp);
+ ixas.ixa_ipst = connp->conn_netstack->netstack_ip;
+ ixas.ixa_cred = connp->conn_cred;
+ ixas.ixa_cpid = NOPID;
+ if (is_system_labeled())
+ ixas.ixa_tsl = tsl;
+
+ ixas.ixa_ifindex = 0;
+ ixas.ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
+
+ (void) ip_output_simple(icmp6err_mp, &ixas);
+ ixa_cleanup(&ixas);
}
static void
iptun_icmp_error_v4(iptun_t *iptun, ipha_t *orig_ipha, mblk_t *mp,
- uint8_t type, uint8_t code)
+ uint8_t type, uint8_t code, ts_label_t *tsl)
{
icmph_t icmp;
@@ -2021,12 +2223,12 @@ iptun_icmp_error_v4(iptun_t *iptun, ipha_t *orig_ipha, mblk_t *mp,
icmp.icmph_type = type;
icmp.icmph_code = code;
- iptun_sendicmp_v4(iptun, &icmp, orig_ipha, mp);
+ iptun_sendicmp_v4(iptun, &icmp, orig_ipha, mp, tsl);
}
static void
iptun_icmp_fragneeded_v4(iptun_t *iptun, uint32_t newmtu, ipha_t *orig_ipha,
- mblk_t *mp)
+ mblk_t *mp, ts_label_t *tsl)
{
icmph_t icmp;
@@ -2035,12 +2237,12 @@ iptun_icmp_fragneeded_v4(iptun_t *iptun, uint32_t newmtu, ipha_t *orig_ipha,
icmp.icmph_du_zero = 0;
icmp.icmph_du_mtu = htons(newmtu);
- iptun_sendicmp_v4(iptun, &icmp, orig_ipha, mp);
+ iptun_sendicmp_v4(iptun, &icmp, orig_ipha, mp, tsl);
}
static void
iptun_icmp_error_v6(iptun_t *iptun, ip6_t *orig_ip6h, mblk_t *mp,
- uint8_t type, uint8_t code, uint32_t offset)
+ uint8_t type, uint8_t code, uint32_t offset, ts_label_t *tsl)
{
icmp6_t icmp6;
@@ -2050,12 +2252,12 @@ iptun_icmp_error_v6(iptun_t *iptun, ip6_t *orig_ip6h, mblk_t *mp,
if (type == ICMP6_PARAM_PROB)
icmp6.icmp6_pptr = htonl(offset);
- iptun_sendicmp_v6(iptun, &icmp6, orig_ip6h, mp);
+ iptun_sendicmp_v6(iptun, &icmp6, orig_ip6h, mp, tsl);
}
static void
iptun_icmp_toobig_v6(iptun_t *iptun, uint32_t newmtu, ip6_t *orig_ip6h,
- mblk_t *mp)
+ mblk_t *mp, ts_label_t *tsl)
{
icmp6_t icmp6;
@@ -2063,7 +2265,7 @@ iptun_icmp_toobig_v6(iptun_t *iptun, uint32_t newmtu, ip6_t *orig_ip6h,
icmp6.icmp6_code = 0;
icmp6.icmp6_mtu = htonl(newmtu);
- iptun_sendicmp_v6(iptun, &icmp6, orig_ip6h, mp);
+ iptun_sendicmp_v6(iptun, &icmp6, orig_ip6h, mp, tsl);
}
/*
@@ -2105,13 +2307,15 @@ is_icmp_error(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h)
/*
* Find inner and outer IP headers from a tunneled packet as setup for calls
* into ipsec_tun_{in,out}bound().
+ * Note that we need to allow the outer header to be in a separate mblk from
+ * the inner header.
+ * If the caller knows the outer_hlen, the caller passes it in. Otherwise zero.
*/
static size_t
-iptun_find_headers(mblk_t *mp, ipha_t **outer4, ipha_t **inner4, ip6_t **outer6,
- ip6_t **inner6)
+iptun_find_headers(mblk_t *mp, size_t outer_hlen, ipha_t **outer4,
+ ipha_t **inner4, ip6_t **outer6, ip6_t **inner6)
{
ipha_t *ipha;
- size_t outer_hlen;
size_t first_mblkl = MBLKL(mp);
mblk_t *inner_mp;
@@ -2128,12 +2332,14 @@ iptun_find_headers(mblk_t *mp, ipha_t **outer4, ipha_t **inner4, ip6_t **outer6,
case IPV4_VERSION:
*outer4 = ipha;
*outer6 = NULL;
- outer_hlen = IPH_HDR_LENGTH(ipha);
+ if (outer_hlen == 0)
+ outer_hlen = IPH_HDR_LENGTH(ipha);
break;
case IPV6_VERSION:
*outer4 = NULL;
*outer6 = (ip6_t *)ipha;
- outer_hlen = ip_hdr_length_v6(mp, (ip6_t *)ipha);
+ if (outer_hlen == 0)
+ outer_hlen = ip_hdr_length_v6(mp, (ip6_t *)ipha);
break;
default:
return (0);
@@ -2192,8 +2398,8 @@ iptun_find_headers(mblk_t *mp, ipha_t **outer4, ipha_t **inner4, ip6_t **outer6,
* whatever the very-inner packet is (IPv4(2) or IPv6).
*/
static void
-iptun_input_icmp_v4(iptun_t *iptun, mblk_t *ipsec_mp, mblk_t *data_mp,
- icmph_t *icmph)
+iptun_input_icmp_v4(iptun_t *iptun, mblk_t *data_mp, icmph_t *icmph,
+ ip_recv_attr_t *ira)
{
uint8_t *orig;
ipha_t *outer4, *inner4;
@@ -2201,12 +2407,6 @@ iptun_input_icmp_v4(iptun_t *iptun, mblk_t *ipsec_mp, mblk_t *data_mp,
int outer_hlen;
uint8_t type, code;
- /*
- * Change the db_type to M_DATA because subsequent operations assume
- * the ICMP packet is M_DATA again (i.e. calls to msgdsize()).
- */
- data_mp->b_datap->db_type = M_DATA;
-
ASSERT(data_mp->b_cont == NULL);
/*
* Temporarily move b_rptr forward so that iptun_find_headers() can
@@ -2220,13 +2420,12 @@ iptun_input_icmp_v4(iptun_t *iptun, mblk_t *ipsec_mp, mblk_t *data_mp,
* here).
*/
ASSERT(MBLKL(data_mp) >= 0);
- outer_hlen = iptun_find_headers(data_mp, &outer4, &inner4, &outer6,
+ outer_hlen = iptun_find_headers(data_mp, 0, &outer4, &inner4, &outer6,
&inner6);
ASSERT(outer6 == NULL);
data_mp->b_rptr = orig;
if (outer_hlen == 0) {
- iptun_drop_pkt((ipsec_mp != NULL ? ipsec_mp : data_mp),
- &iptun->iptun_ierrors);
+ iptun_drop_pkt(data_mp, &iptun->iptun_ierrors);
return;
}
@@ -2234,10 +2433,9 @@ iptun_input_icmp_v4(iptun_t *iptun, mblk_t *ipsec_mp, mblk_t *data_mp,
ASSERT(outer4->ipha_protocol == IPPROTO_ENCAP ||
outer4->ipha_protocol == IPPROTO_IPV6);
- /* ipsec_tun_inbound() always frees ipsec_mp. */
- if (!ipsec_tun_inbound(ipsec_mp, &data_mp, iptun->iptun_itp,
- inner4, inner6, outer4, outer6, -outer_hlen,
- iptun->iptun_ns)) {
+ data_mp = ipsec_tun_inbound(ira, data_mp, iptun->iptun_itp,
+ inner4, inner6, outer4, outer6, -outer_hlen, iptun->iptun_ns);
+ if (data_mp == NULL) {
/* Callee did all of the freeing. */
atomic_inc_64(&iptun->iptun_ierrors);
return;
@@ -2269,15 +2467,15 @@ iptun_input_icmp_v4(iptun_t *iptun, mblk_t *ipsec_mp, mblk_t *data_mp,
* also have IPsec policy by letting iptun_update_mtu
* take care of it.
*/
- newmtu =
- iptun_update_mtu(iptun, ntohs(icmph->icmph_du_mtu));
+ newmtu = iptun_update_mtu(iptun, NULL,
+ ntohs(icmph->icmph_du_mtu));
if (inner4 != NULL) {
iptun_icmp_fragneeded_v4(iptun, newmtu, inner4,
- data_mp);
+ data_mp, ira->ira_tsl);
} else {
iptun_icmp_toobig_v6(iptun, newmtu, inner6,
- data_mp);
+ data_mp, ira->ira_tsl);
}
return;
}
@@ -2310,10 +2508,13 @@ iptun_input_icmp_v4(iptun_t *iptun, mblk_t *ipsec_mp, mblk_t *data_mp,
return;
}
- if (inner4 != NULL)
- iptun_icmp_error_v4(iptun, inner4, data_mp, type, code);
- else
- iptun_icmp_error_v6(iptun, inner6, data_mp, type, code, 0);
+ if (inner4 != NULL) {
+ iptun_icmp_error_v4(iptun, inner4, data_mp, type, code,
+ ira->ira_tsl);
+ } else {
+ iptun_icmp_error_v6(iptun, inner6, data_mp, type, code, 0,
+ ira->ira_tsl);
+ }
}
/*
@@ -2324,17 +2525,17 @@ iptun_input_icmp_v4(iptun_t *iptun, mblk_t *ipsec_mp, mblk_t *data_mp,
static boolean_t
iptun_find_encaplimit(mblk_t *mp, ip6_t *ip6h, uint8_t **encaplim_ptr)
{
- ip6_pkt_t pkt;
+ ip_pkt_t pkt;
uint8_t *endptr;
ip6_dest_t *destp;
struct ip6_opt *optp;
pkt.ipp_fields = 0; /* must be initialized */
- (void) ip_find_hdr_v6(mp, ip6h, &pkt, NULL);
+ (void) ip_find_hdr_v6(mp, ip6h, B_FALSE, &pkt, NULL);
if ((pkt.ipp_fields & IPPF_DSTOPTS) != 0) {
destp = pkt.ipp_dstopts;
- } else if ((pkt.ipp_fields & IPPF_RTDSTOPTS) != 0) {
- destp = pkt.ipp_rtdstopts;
+ } else if ((pkt.ipp_fields & IPPF_RTHDRDSTOPTS) != 0) {
+ destp = pkt.ipp_rthdrdstopts;
} else {
return (B_FALSE);
}
@@ -2370,8 +2571,8 @@ iptun_find_encaplimit(mblk_t *mp, ip6_t *ip6h, uint8_t **encaplim_ptr)
* whatever the very-inner packet is (IPv4 or IPv6(2)).
*/
static void
-iptun_input_icmp_v6(iptun_t *iptun, mblk_t *ipsec_mp, mblk_t *data_mp,
- icmp6_t *icmp6h)
+iptun_input_icmp_v6(iptun_t *iptun, mblk_t *data_mp, icmp6_t *icmp6h,
+ ip_recv_attr_t *ira)
{
uint8_t *orig;
ipha_t *outer4, *inner4;
@@ -2379,12 +2580,6 @@ iptun_input_icmp_v6(iptun_t *iptun, mblk_t *ipsec_mp, mblk_t *data_mp,
int outer_hlen;
uint8_t type, code;
- /*
- * Change the db_type to M_DATA because subsequent operations assume
- * the ICMP packet is M_DATA again (i.e. calls to msgdsize().)
- */
- data_mp->b_datap->db_type = M_DATA;
-
ASSERT(data_mp->b_cont == NULL);
/*
@@ -2399,19 +2594,18 @@ iptun_input_icmp_v6(iptun_t *iptun, mblk_t *ipsec_mp, mblk_t *data_mp,
* here).
*/
ASSERT(MBLKL(data_mp) >= 0);
- outer_hlen = iptun_find_headers(data_mp, &outer4, &inner4, &outer6,
+ outer_hlen = iptun_find_headers(data_mp, 0, &outer4, &inner4, &outer6,
&inner6);
ASSERT(outer4 == NULL);
data_mp->b_rptr = orig; /* Restore r_ptr */
if (outer_hlen == 0) {
- iptun_drop_pkt((ipsec_mp != NULL ? ipsec_mp : data_mp),
- &iptun->iptun_ierrors);
+ iptun_drop_pkt(data_mp, &iptun->iptun_ierrors);
return;
}
- if (!ipsec_tun_inbound(ipsec_mp, &data_mp, iptun->iptun_itp,
- inner4, inner6, outer4, outer6, -outer_hlen,
- iptun->iptun_ns)) {
+ data_mp = ipsec_tun_inbound(ira, data_mp, iptun->iptun_itp,
+ inner4, inner6, outer4, outer6, -outer_hlen, iptun->iptun_ns);
+ if (data_mp == NULL) {
/* Callee did all of the freeing. */
atomic_inc_64(&iptun->iptun_ierrors);
return;
@@ -2466,13 +2660,15 @@ iptun_input_icmp_v6(iptun_t *iptun, mblk_t *ipsec_mp, mblk_t *data_mp,
* have IPsec policy by letting iptun_update_mtu take care of
* it.
*/
- newmtu = iptun_update_mtu(iptun, ntohl(icmp6h->icmp6_mtu));
+ newmtu = iptun_update_mtu(iptun, NULL,
+ ntohl(icmp6h->icmp6_mtu));
if (inner4 != NULL) {
iptun_icmp_fragneeded_v4(iptun, newmtu, inner4,
- data_mp);
+ data_mp, ira->ira_tsl);
} else {
- iptun_icmp_toobig_v6(iptun, newmtu, inner6, data_mp);
+ iptun_icmp_toobig_v6(iptun, newmtu, inner6, data_mp,
+ ira->ira_tsl);
}
return;
}
@@ -2481,51 +2677,57 @@ iptun_input_icmp_v6(iptun_t *iptun, mblk_t *ipsec_mp, mblk_t *data_mp,
return;
}
- if (inner4 != NULL)
- iptun_icmp_error_v4(iptun, inner4, data_mp, type, code);
- else
- iptun_icmp_error_v6(iptun, inner6, data_mp, type, code, 0);
+ if (inner4 != NULL) {
+ iptun_icmp_error_v4(iptun, inner4, data_mp, type, code,
+ ira->ira_tsl);
+ } else {
+ iptun_icmp_error_v6(iptun, inner6, data_mp, type, code, 0,
+ ira->ira_tsl);
+ }
}
+/*
+ * Called as conn_recvicmp from IP for ICMP errors.
+ */
+/* ARGSUSED2 */
static void
-iptun_input_icmp(iptun_t *iptun, mblk_t *ipsec_mp, mblk_t *data_mp)
+iptun_input_icmp(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
{
- mblk_t *tmpmp;
- size_t hlen;
+ conn_t *connp = arg;
+ iptun_t *iptun = connp->conn_iptun;
+ mblk_t *tmpmp;
+ size_t hlen;
- if (data_mp->b_cont != NULL) {
+ ASSERT(IPCL_IS_IPTUN(connp));
+
+ if (mp->b_cont != NULL) {
/*
* Since ICMP error processing necessitates access to bits
* that are within the ICMP error payload (the original packet
* that caused the error), pull everything up into a single
* block for convenience.
*/
- data_mp->b_datap->db_type = M_DATA;
- if ((tmpmp = msgpullup(data_mp, -1)) == NULL) {
- iptun_drop_pkt((ipsec_mp != NULL ? ipsec_mp : data_mp),
- &iptun->iptun_norcvbuf);
+ if ((tmpmp = msgpullup(mp, -1)) == NULL) {
+ iptun_drop_pkt(mp, &iptun->iptun_norcvbuf);
return;
}
- freemsg(data_mp);
- data_mp = tmpmp;
- if (ipsec_mp != NULL)
- ipsec_mp->b_cont = data_mp;
+ freemsg(mp);
+ mp = tmpmp;
}
+ hlen = ira->ira_ip_hdr_length;
switch (iptun->iptun_typeinfo->iti_ipvers) {
case IPV4_VERSION:
/*
* The outer IP header coming up from IP is always ipha_t
* alligned (otherwise, we would have crashed in ip).
*/
- hlen = IPH_HDR_LENGTH((ipha_t *)data_mp->b_rptr);
- iptun_input_icmp_v4(iptun, ipsec_mp, data_mp,
- (icmph_t *)(data_mp->b_rptr + hlen));
+ iptun_input_icmp_v4(iptun, mp, (icmph_t *)(mp->b_rptr + hlen),
+ ira);
break;
case IPV6_VERSION:
- hlen = ip_hdr_length_v6(data_mp, (ip6_t *)data_mp->b_rptr);
- iptun_input_icmp_v6(iptun, ipsec_mp, data_mp,
- (icmp6_t *)(data_mp->b_rptr + hlen));
+ iptun_input_icmp_v6(iptun, mp, (icmp6_t *)(mp->b_rptr + hlen),
+ ira);
break;
}
}
@@ -2578,63 +2780,24 @@ iptun_in_6to4_ok(iptun_t *iptun, ipha_t *outer4, ip6_t *inner6)
* Input function for everything that comes up from the ip module below us.
* This is called directly from the ip module via connp->conn_recv().
*
- * There are two kinds of packets that can arrive here: (1) IP-in-IP tunneled
- * packets and (2) ICMP errors containing IP-in-IP packets transmitted by us.
- * They have the following structure:
- *
- * 1) M_DATA
- * 2) M_CTL[->M_DATA]
- *
- * (2) Is an M_CTL optionally followed by M_DATA, where the M_CTL block is the
- * start of the actual ICMP packet (it doesn't contain any special control
- * information).
- *
- * Either (1) or (2) can be IPsec-protected, in which case an M_CTL block
- * containing an ipsec_in_t will have been prepended to either (1) or (2),
- * making a total of four combinations of possible mblk chains:
- *
- * A) (1)
- * B) (2)
- * C) M_CTL(ipsec_in_t)->(1)
- * D) M_CTL(ipsec_in_t)->(2)
+ * We receive M_DATA messages with IP-in-IP tunneled packets.
*/
-/* ARGSUSED */
+/* ARGSUSED2 */
static void
-iptun_input(void *arg, mblk_t *mp, void *arg2)
+iptun_input(void *arg, mblk_t *data_mp, void *arg2, ip_recv_attr_t *ira)
{
conn_t *connp = arg;
iptun_t *iptun = connp->conn_iptun;
int outer_hlen;
ipha_t *outer4, *inner4;
ip6_t *outer6, *inner6;
- mblk_t *data_mp = mp;
ASSERT(IPCL_IS_IPTUN(connp));
- ASSERT(DB_TYPE(mp) == M_DATA || DB_TYPE(mp) == M_CTL);
-
- if (DB_TYPE(mp) == M_CTL) {
- if (((ipsec_in_t *)(mp->b_rptr))->ipsec_in_type != IPSEC_IN) {
- iptun_input_icmp(iptun, NULL, mp);
- return;
- }
-
- data_mp = mp->b_cont;
- if (DB_TYPE(data_mp) == M_CTL) {
- /* Protected ICMP packet. */
- iptun_input_icmp(iptun, mp, data_mp);
- return;
- }
- }
-
- /*
- * Request the destination's path MTU information regularly in case
- * path MTU has increased.
- */
- if (IPTUN_PMTU_TOO_OLD(iptun))
- iptun_task_dispatch(iptun, IPTUN_TASK_PMTU_UPDATE);
+ ASSERT(DB_TYPE(data_mp) == M_DATA);
- if ((outer_hlen = iptun_find_headers(data_mp, &outer4, &inner4, &outer6,
- &inner6)) == 0)
+ outer_hlen = iptun_find_headers(data_mp, ira->ira_ip_hdr_length,
+ &outer4, &inner4, &outer6, &inner6);
+ if (outer_hlen == 0)
goto drop;
/*
@@ -2644,25 +2807,22 @@ iptun_input(void *arg, mblk_t *mp, void *arg2)
* the more involved tsol_receive_local() since the tunnel link itself
* cannot be assigned to shared-stack non-global zones.
*/
- if (is_system_labeled()) {
- cred_t *msg_cred;
-
- if ((msg_cred = msg_getcred(data_mp, NULL)) == NULL)
+ if (ira->ira_flags & IRAF_SYSTEM_LABELED) {
+ if (ira->ira_tsl == NULL)
goto drop;
- if (tsol_check_dest(msg_cred, (outer4 != NULL ?
+ if (tsol_check_dest(ira->ira_tsl, (outer4 != NULL ?
(void *)&outer4->ipha_dst : (void *)&outer6->ip6_dst),
(outer4 != NULL ? IPV4_VERSION : IPV6_VERSION),
- CONN_MAC_DEFAULT, NULL) != 0)
+ CONN_MAC_DEFAULT, B_FALSE, NULL) != 0)
goto drop;
}
- if (!ipsec_tun_inbound((mp == data_mp ? NULL : mp), &data_mp,
- iptun->iptun_itp, inner4, inner6, outer4, outer6, outer_hlen,
- iptun->iptun_ns)) {
+ data_mp = ipsec_tun_inbound(ira, data_mp, iptun->iptun_itp,
+ inner4, inner6, outer4, outer6, outer_hlen, iptun->iptun_ns);
+ if (data_mp == NULL) {
/* Callee did all of the freeing. */
return;
}
- mp = data_mp;
if (iptun->iptun_typeinfo->iti_type == IPTUN_TYPE_6TO4 &&
!iptun_in_6to4_ok(iptun, outer4, inner6))
@@ -2673,6 +2833,8 @@ iptun_input(void *arg, mblk_t *mp, void *arg2)
* we might as well split up any b_next chains here.
*/
do {
+ mblk_t *mp;
+
mp = data_mp->b_next;
data_mp->b_next = NULL;
@@ -2684,7 +2846,7 @@ iptun_input(void *arg, mblk_t *mp, void *arg2)
} while (data_mp != NULL);
return;
drop:
- iptun_drop_pkt(mp, &iptun->iptun_ierrors);
+ iptun_drop_pkt(data_mp, &iptun->iptun_ierrors);
}
/*
@@ -2744,6 +2906,10 @@ iptun_out_process_6to4(iptun_t *iptun, ipha_t *outer4, ip6_t *inner6)
/* destination is a 6to4 router */
IN6_6TO4_TO_V4ADDR(&inner6->ip6_dst,
(struct in_addr *)&outer4->ipha_dst);
+
+ /* Reject attempts to send to INADDR_ANY */
+ if (outer4->ipha_dst == INADDR_ANY)
+ return (B_FALSE);
} else {
/*
* The destination is a native IPv6 address. If output to a
@@ -2770,12 +2936,11 @@ iptun_out_process_6to4(iptun_t *iptun, ipha_t *outer4, ip6_t *inner6)
*/
static mblk_t *
iptun_out_process_ipv4(iptun_t *iptun, mblk_t *mp, ipha_t *outer4,
- ipha_t *inner4, ip6_t *inner6)
+ ipha_t *inner4, ip6_t *inner6, ip_xmit_attr_t *ixa)
{
uint8_t *innerptr = (inner4 != NULL ?
(uint8_t *)inner4 : (uint8_t *)inner6);
- size_t minmtu = (inner4 != NULL ?
- IPTUN_MIN_IPV4_MTU : IPTUN_MIN_IPV6_MTU);
+ size_t minmtu = iptun->iptun_typeinfo->iti_minmtu;
if (inner4 != NULL) {
ASSERT(outer4->ipha_protocol == IPPROTO_ENCAP);
@@ -2791,13 +2956,11 @@ iptun_out_process_ipv4(iptun_t *iptun, mblk_t *mp, ipha_t *outer4,
} else {
ASSERT(outer4->ipha_protocol == IPPROTO_IPV6 &&
inner6 != NULL);
-
- if (iptun->iptun_typeinfo->iti_type == IPTUN_TYPE_6TO4 &&
- !iptun_out_process_6to4(iptun, outer4, inner6)) {
- iptun_drop_pkt(mp, &iptun->iptun_oerrors);
- return (NULL);
- }
}
+ if (ixa->ixa_flags & IXAF_PMTU_IPV4_DF)
+ outer4->ipha_fragment_offset_and_flags |= IPH_DF_HTONS;
+ else
+ outer4->ipha_fragment_offset_and_flags &= ~IPH_DF_HTONS;
/*
* As described in section 3.2.2 of RFC4213, if the packet payload is
@@ -2807,11 +2970,19 @@ iptun_out_process_ipv4(iptun_t *iptun, mblk_t *mp, ipha_t *outer4,
* won't be allowed to drop its MTU as a result, since the packet was
* already smaller than the smallest allowable MTU for that interface.
*/
- if (mp->b_wptr - innerptr <= minmtu)
+ if (mp->b_wptr - innerptr <= minmtu) {
outer4->ipha_fragment_offset_and_flags = 0;
+ ixa->ixa_flags &= ~IXAF_DONTFRAG;
+ } else if (!(ixa->ixa_flags & IXAF_PMTU_TOO_SMALL) &&
+ (iptun->iptun_typeinfo->iti_type != IPTUN_TYPE_6TO4)) {
+ ixa->ixa_flags |= IXAF_DONTFRAG;
+ }
- outer4->ipha_length = htons(msgdsize(mp));
+ ixa->ixa_ip_hdr_length = IPH_HDR_LENGTH(outer4);
+ ixa->ixa_pktlen = msgdsize(mp);
+ ixa->ixa_protocol = outer4->ipha_protocol;
+ outer4->ipha_length = htons(ixa->ixa_pktlen);
return (mp);
}
@@ -2830,7 +3001,7 @@ iptun_insert_encaplimit(iptun_t *iptun, mblk_t *mp, ip6_t *outer6,
ASSERT(mp->b_cont == NULL);
mp->b_rptr += sizeof (ip6_t);
- newmp = allocb_tmpl(sizeof (iptun_ipv6hdrs_t) + MBLKL(mp), mp);
+ newmp = allocb(sizeof (iptun_ipv6hdrs_t) + MBLKL(mp), BPRI_MED);
if (newmp == NULL) {
iptun_drop_pkt(mp, &iptun->iptun_noxmtbuf);
return (NULL);
@@ -2861,8 +3032,12 @@ iptun_insert_encaplimit(iptun_t *iptun, mblk_t *mp, ip6_t *outer6,
* on error.
*/
static mblk_t *
-iptun_out_process_ipv6(iptun_t *iptun, mblk_t *mp, ip6_t *outer6, ip6_t *inner6)
+iptun_out_process_ipv6(iptun_t *iptun, mblk_t *mp, ip6_t *outer6,
+ ipha_t *inner4, ip6_t *inner6, ip_xmit_attr_t *ixa)
{
+ uint8_t *innerptr = (inner4 != NULL ?
+ (uint8_t *)inner4 : (uint8_t *)inner6);
+ size_t minmtu = iptun->iptun_typeinfo->iti_minmtu;
uint8_t *limit, *configlimit;
uint32_t offset;
iptun_ipv6hdrs_t *v6hdrs;
@@ -2887,7 +3062,7 @@ iptun_out_process_ipv6(iptun_t *iptun, mblk_t *mp, ip6_t *outer6, ip6_t *inner6)
mp->b_rptr = (uint8_t *)inner6;
offset = limit - mp->b_rptr;
iptun_icmp_error_v6(iptun, inner6, mp, ICMP6_PARAM_PROB,
- 0, offset);
+ 0, offset, ixa->ixa_tsl);
atomic_inc_64(&iptun->iptun_noxmtbuf);
return (NULL);
}
@@ -2900,6 +3075,7 @@ iptun_out_process_ipv6(iptun_t *iptun, mblk_t *mp, ip6_t *outer6, ip6_t *inner6)
if ((mp = iptun_insert_encaplimit(iptun, mp, outer6,
(*limit - 1))) == NULL)
return (NULL);
+ v6hdrs = (iptun_ipv6hdrs_t *)mp->b_rptr;
} else {
/*
* There is an existing encapsulation limit option in
@@ -2914,9 +3090,23 @@ iptun_out_process_ipv6(iptun_t *iptun, mblk_t *mp, ip6_t *outer6, ip6_t *inner6)
if ((*limit - 1) < *configlimit)
*configlimit = (*limit - 1);
}
+ ixa->ixa_ip_hdr_length = sizeof (iptun_ipv6hdrs_t);
+ ixa->ixa_protocol = v6hdrs->it6h_encaplim.iel_destopt.ip6d_nxt;
+ } else {
+ ixa->ixa_ip_hdr_length = sizeof (ip6_t);
+ ixa->ixa_protocol = outer6->ip6_nxt;
}
+ /*
+ * See iptun_output_process_ipv4() why we allow fragmentation for
+ * small packets
+ */
+ if (mp->b_wptr - innerptr <= minmtu)
+ ixa->ixa_flags &= ~IXAF_DONTFRAG;
+ else if (!(ixa->ixa_flags & IXAF_PMTU_TOO_SMALL))
+ ixa->ixa_flags |= IXAF_DONTFRAG;
- outer6->ip6_plen = htons(msgdsize(mp) - sizeof (ip6_t));
+ ixa->ixa_pktlen = msgdsize(mp);
+ outer6->ip6_plen = htons(ixa->ixa_pktlen - sizeof (ip6_t));
return (mp);
}
@@ -2929,11 +3119,9 @@ static void
iptun_output(iptun_t *iptun, mblk_t *mp)
{
conn_t *connp = iptun->iptun_connp;
- int outer_hlen;
mblk_t *newmp;
- ipha_t *outer4, *inner4;
- ip6_t *outer6, *inner6;
- ipsec_tun_pol_t *itp = iptun->iptun_itp;
+ int error;
+ ip_xmit_attr_t *ixa;
ASSERT(mp->b_datap->db_type == M_DATA);
@@ -2946,17 +3134,262 @@ iptun_output(iptun_t *iptun, mblk_t *mp)
mp = newmp;
}
- outer_hlen = iptun_find_headers(mp, &outer4, &inner4, &outer6, &inner6);
+ if (iptun->iptun_typeinfo->iti_type == IPTUN_TYPE_6TO4) {
+ iptun_output_6to4(iptun, mp);
+ return;
+ }
+
+ if (is_system_labeled()) {
+ /*
+ * Since the label can be different meaning a potentially
+ * different IRE,we always use a unique ip_xmit_attr_t.
+ */
+ ixa = conn_get_ixa_exclusive(connp);
+ } else {
+ /*
+ * If no other thread is using conn_ixa this just gets a
+ * reference to conn_ixa. Otherwise we get a safe copy of
+ * conn_ixa.
+ */
+ ixa = conn_get_ixa(connp, B_FALSE);
+ }
+ if (ixa == NULL) {
+ iptun_drop_pkt(mp, &iptun->iptun_oerrors);
+ return;
+ }
+
+ /*
+ * In case we got a safe copy of conn_ixa, then we need
+ * to fill in any pointers in it.
+ */
+ if (ixa->ixa_ire == NULL) {
+ error = ip_attr_connect(connp, ixa, &connp->conn_saddr_v6,
+ &connp->conn_faddr_v6, &connp->conn_faddr_v6, 0,
+ NULL, NULL, 0);
+ if (error != 0) {
+ if (ixa->ixa_ire != NULL &&
+ (error == EHOSTUNREACH || error == ENETUNREACH)) {
+ /*
+ * Let conn_ip_output/ire_send_noroute return
+ * the error and send any local ICMP error.
+ */
+ error = 0;
+ } else {
+ ixa_refrele(ixa);
+ iptun_drop_pkt(mp, &iptun->iptun_oerrors);
+ return;
+ }
+ }
+ }
+
+ iptun_output_common(iptun, ixa, mp);
+ ixa_refrele(ixa);
+}
+
+/*
+ * We use an ixa based on the last destination.
+ */
+static void
+iptun_output_6to4(iptun_t *iptun, mblk_t *mp)
+{
+ conn_t *connp = iptun->iptun_connp;
+ ipha_t *outer4, *inner4;
+ ip6_t *outer6, *inner6;
+ ip_xmit_attr_t *ixa;
+ ip_xmit_attr_t *oldixa;
+ int error;
+ boolean_t need_connect;
+ in6_addr_t v6dst;
+
+ ASSERT(mp->b_cont == NULL); /* Verified by iptun_output */
+
+ /* Make sure we set ipha_dst before we look at ipha_dst */
+
+ (void) iptun_find_headers(mp, 0, &outer4, &inner4, &outer6, &inner6);
+ ASSERT(outer4 != NULL);
+ if (!iptun_out_process_6to4(iptun, outer4, inner6)) {
+ iptun_drop_pkt(mp, &iptun->iptun_oerrors);
+ return;
+ }
+
+ if (is_system_labeled()) {
+ /*
+ * Since the label can be different meaning a potentially
+ * different IRE,we always use a unique ip_xmit_attr_t.
+ */
+ ixa = conn_get_ixa_exclusive(connp);
+ } else {
+ /*
+ * If no other thread is using conn_ixa this just gets a
+ * reference to conn_ixa. Otherwise we get a safe copy of
+ * conn_ixa.
+ */
+ ixa = conn_get_ixa(connp, B_FALSE);
+ }
+ if (ixa == NULL) {
+ iptun_drop_pkt(mp, &iptun->iptun_oerrors);
+ return;
+ }
+
+ mutex_enter(&connp->conn_lock);
+ if (connp->conn_v4lastdst == outer4->ipha_dst) {
+ need_connect = (ixa->ixa_ire == NULL);
+ } else {
+ /* In case previous destination was multirt */
+ ip_attr_newdst(ixa);
+
+ /*
+ * We later update conn_ixa when we update conn_v4lastdst
+ * which enables subsequent packets to avoid redoing
+ * ip_attr_connect
+ */
+ need_connect = B_TRUE;
+ }
+ mutex_exit(&connp->conn_lock);
+
+ /*
+ * In case we got a safe copy of conn_ixa, or otherwise we don't
+ * have a current ixa_ire, then we need to fill in any pointers in
+ * the ixa.
+ */
+ if (need_connect) {
+ IN6_IPADDR_TO_V4MAPPED(outer4->ipha_dst, &v6dst);
+
+ /* We handle IPsec in iptun_output_common */
+ error = ip_attr_connect(connp, ixa, &connp->conn_saddr_v6,
+ &v6dst, &v6dst, 0, NULL, NULL, 0);
+ if (error != 0) {
+ if (ixa->ixa_ire != NULL &&
+ (error == EHOSTUNREACH || error == ENETUNREACH)) {
+ /*
+ * Let conn_ip_output/ire_send_noroute return
+ * the error and send any local ICMP error.
+ */
+ error = 0;
+ } else {
+ ixa_refrele(ixa);
+ iptun_drop_pkt(mp, &iptun->iptun_oerrors);
+ return;
+ }
+ }
+ }
+
+ iptun_output_common(iptun, ixa, mp);
+
+ /* Atomically replace conn_ixa and conn_v4lastdst */
+ mutex_enter(&connp->conn_lock);
+ if (connp->conn_v4lastdst != outer4->ipha_dst) {
+ /* Remember the dst which corresponds to conn_ixa */
+ connp->conn_v6lastdst = v6dst;
+ oldixa = conn_replace_ixa(connp, ixa);
+ } else {
+ oldixa = NULL;
+ }
+ mutex_exit(&connp->conn_lock);
+ ixa_refrele(ixa);
+ if (oldixa != NULL)
+ ixa_refrele(oldixa);
+}
+
+/*
+ * Check the destination/label. Modifies *mpp by adding/removing CIPSO.
+ *
+ * We get the label from the message in order to honor the
+ * ULPs/IPs choice of label. This will be NULL for forwarded
+ * packets, neighbor discovery packets and some others.
+ */
+static int
+iptun_output_check_label(mblk_t **mpp, ip_xmit_attr_t *ixa)
+{
+ cred_t *cr;
+ int adjust;
+ int iplen;
+ int err;
+ ts_label_t *effective_tsl = NULL;
+
+
+ ASSERT(is_system_labeled());
+
+ cr = msg_getcred(*mpp, NULL);
+ if (cr == NULL)
+ return (0);
+
+ /*
+ * We need to start with a label based on the IP/ULP above us
+ */
+ ip_xmit_attr_restore_tsl(ixa, cr);
+
+ /*
+ * Need to update packet with any CIPSO option since
+ * conn_ip_output doesn't do that.
+ */
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipha_t *ipha;
+
+ ipha = (ipha_t *)(*mpp)->b_rptr;
+ iplen = ntohs(ipha->ipha_length);
+ err = tsol_check_label_v4(ixa->ixa_tsl,
+ ixa->ixa_zoneid, mpp, CONN_MAC_DEFAULT, B_FALSE,
+ ixa->ixa_ipst, &effective_tsl);
+ if (err != 0)
+ return (err);
+
+ ipha = (ipha_t *)(*mpp)->b_rptr;
+ adjust = (int)ntohs(ipha->ipha_length) - iplen;
+ } else {
+ ip6_t *ip6h;
+
+ ip6h = (ip6_t *)(*mpp)->b_rptr;
+ iplen = ntohs(ip6h->ip6_plen);
+
+ err = tsol_check_label_v6(ixa->ixa_tsl,
+ ixa->ixa_zoneid, mpp, CONN_MAC_DEFAULT, B_FALSE,
+ ixa->ixa_ipst, &effective_tsl);
+ if (err != 0)
+ return (err);
+
+ ip6h = (ip6_t *)(*mpp)->b_rptr;
+ adjust = (int)ntohs(ip6h->ip6_plen) - iplen;
+ }
+
+ if (effective_tsl != NULL) {
+ /* Update the label */
+ ip_xmit_attr_replace_tsl(ixa, effective_tsl);
+ }
+ ixa->ixa_pktlen += adjust;
+ ixa->ixa_ip_hdr_length += adjust;
+ return (0);
+}
+
+
+static void
+iptun_output_common(iptun_t *iptun, ip_xmit_attr_t *ixa, mblk_t *mp)
+{
+ ipsec_tun_pol_t *itp = iptun->iptun_itp;
+ int outer_hlen;
+ mblk_t *newmp;
+ ipha_t *outer4, *inner4;
+ ip6_t *outer6, *inner6;
+ int error;
+ boolean_t update_pktlen;
+
+ ASSERT(ixa->ixa_ire != NULL);
+
+ outer_hlen = iptun_find_headers(mp, 0, &outer4, &inner4, &outer6,
+ &inner6);
if (outer_hlen == 0) {
iptun_drop_pkt(mp, &iptun->iptun_oerrors);
return;
}
/* Perform header processing. */
- if (outer4 != NULL)
- mp = iptun_out_process_ipv4(iptun, mp, outer4, inner4, inner6);
- else
- mp = iptun_out_process_ipv6(iptun, mp, outer6, inner6);
+ if (outer4 != NULL) {
+ mp = iptun_out_process_ipv4(iptun, mp, outer4, inner4, inner6,
+ ixa);
+ } else {
+ mp = iptun_out_process_ipv6(iptun, mp, outer6, inner4, inner6,
+ ixa);
+ }
if (mp == NULL)
return;
@@ -2964,27 +3397,57 @@ iptun_output(iptun_t *iptun, mblk_t *mp)
* Let's hope the compiler optimizes this with "branch taken".
*/
if (itp != NULL && (itp->itp_flags & ITPF_P_ACTIVE)) {
- if ((mp = ipsec_tun_outbound(mp, iptun, inner4, inner6, outer4,
- outer6, outer_hlen)) == NULL) {
- /* ipsec_tun_outbound() frees mp on error. */
+ /* This updates the ip_xmit_attr_t */
+ mp = ipsec_tun_outbound(mp, iptun, inner4, inner6, outer4,
+ outer6, outer_hlen, ixa);
+ if (mp == NULL) {
atomic_inc_64(&iptun->iptun_oerrors);
return;
}
+ if (is_system_labeled()) {
+ /*
+ * Might change the packet by adding/removing CIPSO.
+ * After this caller inner* and outer* and outer_hlen
+ * might be invalid.
+ */
+ error = iptun_output_check_label(&mp, ixa);
+ if (error != 0) {
+ ip2dbg(("label check failed (%d)\n", error));
+ iptun_drop_pkt(mp, &iptun->iptun_oerrors);
+ return;
+ }
+ }
+
/*
* ipsec_tun_outbound() returns a chain of tunneled IP
* fragments linked with b_next (or a single message if the
- * tunneled packet wasn't a fragment). Each message in the
- * chain is prepended by an IPSEC_OUT M_CTL block with
+ * tunneled packet wasn't a fragment).
+ * If fragcache returned a list then we need to update
+ * ixa_pktlen for all packets in the list.
+ */
+ update_pktlen = (mp->b_next != NULL);
+
+ /*
+ * Otherwise, we're good to go. The ixa has been updated with
* instructions for outbound IPsec processing.
*/
for (newmp = mp; newmp != NULL; newmp = mp) {
- ASSERT(newmp->b_datap->db_type == M_CTL);
atomic_inc_64(&iptun->iptun_opackets);
- atomic_add_64(&iptun->iptun_obytes,
- msgdsize(newmp->b_cont));
+ atomic_add_64(&iptun->iptun_obytes, ixa->ixa_pktlen);
mp = mp->b_next;
newmp->b_next = NULL;
- connp->conn_send(connp, newmp, connp->conn_wq, IP_WPUT);
+
+ if (update_pktlen)
+ ixa->ixa_pktlen = msgdsize(mp);
+
+ atomic_inc_64(&iptun->iptun_opackets);
+ atomic_add_64(&iptun->iptun_obytes, ixa->ixa_pktlen);
+
+ error = conn_ip_output(newmp, ixa);
+ if (error == EMSGSIZE) {
+ /* IPsec policy might have changed */
+ (void) iptun_update_mtu(iptun, ixa, 0);
+ }
}
} else {
/*
@@ -2992,30 +3455,37 @@ iptun_output(iptun_t *iptun, mblk_t *mp)
* packet in its output path if there's no active tunnel
* policy.
*/
- atomic_inc_64(&iptun->iptun_opackets);
- atomic_add_64(&iptun->iptun_obytes, msgdsize(mp));
- connp->conn_send(connp, mp, connp->conn_wq, IP_WPUT);
- }
-}
+ ASSERT(ixa->ixa_ipsec_policy == NULL);
+ mp = ip_output_attach_policy(mp, outer4, outer6, NULL, ixa);
+ if (mp == NULL) {
+ atomic_inc_64(&iptun->iptun_oerrors);
+ return;
+ }
+ if (is_system_labeled()) {
+ /*
+ * Might change the packet by adding/removing CIPSO.
+ * After this caller inner* and outer* and outer_hlen
+ * might be invalid.
+ */
+ error = iptun_output_check_label(&mp, ixa);
+ if (error != 0) {
+ ip2dbg(("label check failed (%d)\n", error));
+ iptun_drop_pkt(mp, &iptun->iptun_oerrors);
+ return;
+ }
+ }
-/*
- * Note that the setting or clearing iptun_{set,get}_g_q() is serialized via
- * iptuns_lock and iptunq_open(), so we must never be in a situation where
- * iptun_set_g_q() is called if the queue has already been set or vice versa
- * (hence the ASSERT()s.)
- */
-void
-iptun_set_g_q(netstack_t *ns, queue_t *q)
-{
- ASSERT(ns->netstack_iptun->iptuns_g_q == NULL);
- ns->netstack_iptun->iptuns_g_q = q;
-}
+ atomic_inc_64(&iptun->iptun_opackets);
+ atomic_add_64(&iptun->iptun_obytes, ixa->ixa_pktlen);
-void
-iptun_clear_g_q(netstack_t *ns)
-{
- ASSERT(ns->netstack_iptun->iptuns_g_q != NULL);
- ns->netstack_iptun->iptuns_g_q = NULL;
+ error = conn_ip_output(mp, ixa);
+ if (error == EMSGSIZE) {
+ /* IPsec policy might have changed */
+ (void) iptun_update_mtu(iptun, ixa, 0);
+ }
+ }
+ if (ixa->ixa_flags & IXAF_IPSEC_SECURE)
+ ipsec_out_release_refs(ixa);
}
static mac_callbacks_t iptun_m_callbacks = {
diff --git a/usr/src/uts/common/inet/iptun/iptun_dev.c b/usr/src/uts/common/inet/iptun/iptun_dev.c
index 52218bdc18..5043063690 100644
--- a/usr/src/uts/common/inet/iptun/iptun_dev.c
+++ b/usr/src/uts/common/inet/iptun/iptun_dev.c
@@ -91,11 +91,9 @@ iptun_stack_shutdown(netstackid_t stackid, void *arg)
/* note that iptun_delete() removes iptun from the list */
while ((iptun = list_head(&iptuns->iptuns_iptunlist)) != NULL) {
linkid = iptun->iptun_linkid;
- (void) iptun_delete(linkid, iptun->iptun_cred);
+ (void) iptun_delete(linkid, iptun->iptun_connp->conn_cred);
(void) dls_mgmt_destroy(linkid, B_FALSE);
}
- if (iptuns->iptuns_g_q != NULL)
- (void) ldi_close(iptuns->iptuns_g_q_lh, FWRITE|FREAD, CRED());
}
/*
diff --git a/usr/src/uts/common/inet/iptun/iptun_impl.h b/usr/src/uts/common/inet/iptun/iptun_impl.h
index 593adb7d9c..07e168a423 100644
--- a/usr/src/uts/common/inet/iptun/iptun_impl.h
+++ b/usr/src/uts/common/inet/iptun/iptun_impl.h
@@ -80,7 +80,6 @@ typedef struct iptun_typeinfo {
iptun_type_t iti_type;
const char *iti_ident; /* MAC-Type plugin identifier */
uint_t iti_ipvers; /* outer header IP version */
- edesc_spf iti_txfunc; /* function used to transmit to ip */
uint32_t iti_minmtu; /* minimum possible tunnel MTU */
uint32_t iti_maxmtu; /* maximum possible tunnel MTU */
boolean_t iti_hasraddr; /* has a remote adress */
@@ -95,13 +94,6 @@ typedef struct iptun_typeinfo {
*
* The datapath reads certain fields without locks for performance reasons.
*
- * - IPTUN_PMTU_TOO_OLD() is used without a lock to determine if the
- * destination path-MTU should be queried. This reads iptun_flags
- * IPTUN_RADDR, IPTUN_FIXED_MTU, and iptun_dpmtu_lastupdate. All of these
- * can change without adversely affecting the tunnel, as the worst case
- * scenario is that we launch a task that will ultimately either do nothing
- * or needlessly query the destination path-MTU.
- *
* - IPTUN_IS_RUNNING() is used (read access to iptun_flags IPTUN_BOUND and
* IPTUN_MAC_STARTED) to drop packets if they're sent while the tunnel is
* not running. This is harmless as the worst case scenario is that a
@@ -119,12 +111,10 @@ typedef struct iptun_s {
conn_t *iptun_connp;
zoneid_t iptun_zoneid;
netstack_t *iptun_ns;
- cred_t *iptun_cred;
struct ipsec_tun_pol_s *iptun_itp;
iptun_typeinfo_t *iptun_typeinfo;
uint32_t iptun_mtu;
uint32_t iptun_dpmtu; /* destination path MTU */
- clock_t iptun_dpmtu_lastupdate;
uint8_t iptun_hoplimit;
uint8_t iptun_encaplimit;
iptun_addr_t iptun_laddr; /* local address */
@@ -172,37 +162,12 @@ typedef struct iptun_s {
(IPTUN_BOUND | IPTUN_MAC_STARTED))
/*
- * We request ire information for the tunnel destination in order to obtain
- * its path MTU information. We use that to calculate the initial link MTU of
- * a tunnel.
- *
- * After that, if the path MTU of the tunnel destination becomes smaller
- * than the link MTU of the tunnel, then we will receive a packet too big
- * (aka fragmentation needed) ICMP error when we transmit a packet larger
- * than the path MTU, and we will adjust the tunne's MTU based on the ICMP
- * error's MTU information.
- *
- * In addition to that, we also need to request the ire information
- * periodically to make sure the link MTU of a tunnel doesn't become stale
- * if the path MTU of the tunnel destination becomes larger than the link
- * MTU of the tunnel. The period for the requests is ten minutes in
- * accordance with rfc1191.
- */
-#define IPTUN_PMTU_AGE SEC_TO_TICK(600)
-#define IPTUN_PMTU_TOO_OLD(ipt) \
- (((ipt)->iptun_flags & IPTUN_RADDR) && \
- !((ipt)->iptun_flags & IPTUN_FIXED_MTU) && \
- (ddi_get_lbolt() - (ipt)->iptun_dpmtu_lastupdate) > IPTUN_PMTU_AGE)
-
-/*
- * iptuns_lock protects iptuns_iptunlist and iptuns_g_q.
+ * iptuns_lock protects iptuns_iptunlist.
*/
typedef struct iptun_stack {
netstack_t *iptuns_netstack; /* Common netstack */
kmutex_t iptuns_lock;
list_t iptuns_iptunlist; /* list of tunnels in this stack. */
- queue_t *iptuns_g_q; /* read-side IP queue */
- ldi_handle_t iptuns_g_q_lh;
ipaddr_t iptuns_relay_rtr_addr;
} iptun_stack_t;
@@ -222,8 +187,6 @@ extern int iptun_info(iptun_kparams_t *, cred_t *);
extern int iptun_set_6to4relay(netstack_t *, ipaddr_t);
extern void iptun_get_6to4relay(netstack_t *, ipaddr_t *);
extern void iptun_set_policy(datalink_id_t, ipsec_tun_pol_t *);
-extern void iptun_set_g_q(netstack_t *, queue_t *);
-extern void iptun_clear_g_q(netstack_t *);
#endif /* _KERNEL */
diff --git a/usr/src/uts/common/inet/keysock.h b/usr/src/uts/common/inet/keysock.h
index 50189666c7..cb618cedaf 100644
--- a/usr/src/uts/common/inet/keysock.h
+++ b/usr/src/uts/common/inet/keysock.h
@@ -19,22 +19,20 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _INET_KEYSOCK_H
#define _INET_KEYSOCK_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#ifdef __cplusplus
extern "C" {
#endif
extern int keysock_opt_get(queue_t *, int, int, uchar_t *);
extern int keysock_opt_set(queue_t *, uint_t, int, int, uint_t,
- uchar_t *, uint_t *, uchar_t *, void *, cred_t *cr, mblk_t *mblk);
+ uchar_t *, uint_t *, uchar_t *, void *, cred_t *cr);
/*
* Object to represent database of options to search passed to
diff --git a/usr/src/uts/common/inet/kssl/ksslrec.c b/usr/src/uts/common/inet/kssl/ksslrec.c
index 14a285b4ab..6b7ce0ad42 100644
--- a/usr/src/uts/common/inet/kssl/ksslrec.c
+++ b/usr/src/uts/common/inet/kssl/ksslrec.c
@@ -239,7 +239,7 @@ kssl_compute_record_mac(
* context when called from strsock_kssl_input(). During the
* SSL handshake, we are called for client_finished message
* handling from a squeue worker thread that gets scheduled
- * by an squeue_fill() call. This thread is not in interrupt
+ * by an SQ_FILL call. This thread is not in interrupt
* context and so can block.
*/
rv = crypto_mac(&spec->hmac_mech, &dd, &spec->hmac_key,
diff --git a/usr/src/uts/common/inet/mi.c b/usr/src/uts/common/inet/mi.c
index f88fe3709b..9fe77e88c4 100644
--- a/usr/src/uts/common/inet/mi.c
+++ b/usr/src/uts/common/inet/mi.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/* Copyright (c) 1990 Mentat Inc. */
@@ -1359,7 +1359,7 @@ mi_tpi_addr_and_opt(MBLKP mp, char *addr, t_scalar_t addr_length,
* This code is used more than just for unitdata ind
* (also for T_CONN_IND and T_CONN_CON) and
* relies on correct functioning on the happy
- * coincidence that the the address and option buffers
+ * coincidence that the address and option buffers
* represented by length/offset in all these primitives
* are isomorphic in terms of offset from start of data
* structure
diff --git a/usr/src/uts/common/inet/mib2.h b/usr/src/uts/common/inet/mib2.h
index 16bed4ec2c..06db81ea74 100644
--- a/usr/src/uts/common/inet/mib2.h
+++ b/usr/src/uts/common/inet/mib2.h
@@ -66,8 +66,8 @@ extern "C" {
* "get all" is supported, so all modules get a copy of the request to
* return everything it knows. In general, we use MIB2_IP. There is
* one exception: in general, IP will not report information related to
- * IRE_MARK_TESTHIDDEN routes (e.g., in the MIB2_IP_ROUTE table).
- * However, using the special value EXPER_IP_AND_TESTHIDDEN will cause
+ * ire_testhidden and IRE_IF_CLONE routes (e.g., in the MIB2_IP_ROUTE
+ * table). However, using the special value EXPER_IP_AND_ALL_IRES will cause
* all information to be reported. This special value should only be
* used by IPMP-aware low-level utilities (e.g. in.mpathd).
*
@@ -109,7 +109,7 @@ extern "C" {
#define EXPER_IGMP (EXPER+1)
#define EXPER_DVMRP (EXPER+2)
#define EXPER_RAWIP (EXPER+3)
-#define EXPER_IP_AND_TESTHIDDEN (EXPER+4)
+#define EXPER_IP_AND_ALL_IRES (EXPER+4)
/*
* Define range of levels for experimental use
@@ -170,6 +170,7 @@ typedef uint32_t DeviceIndex; /* Interface index */
#define EXPER_IP_GROUP_SOURCES 102
#define EXPER_IP6_GROUP_SOURCES 103
#define EXPER_IP_RTATTR 104
+#define EXPER_IP_DCE 105
/*
* There can be one of each of these tables per transport (MIB2_* above).
@@ -267,15 +268,13 @@ typedef struct mib2_ip {
int ipMemberEntrySize; /* Size of ip_member_t */
int ipGroupSourceEntrySize; /* Size of ip_grpsrc_t */
- /* # of IPv6 packets received by IPv4 and dropped */
- Counter ipInIPv6;
- /* # of IPv6 packets transmitted by ip_wput */
- Counter ipOutIPv6;
- /* # of times ip_wput has switched to become ip_wput_v6 */
- Counter ipOutSwitchIPv6;
+ Counter ipInIPv6; /* # of IPv6 packets received by IPv4 and dropped */
+ Counter ipOutIPv6; /* No longer used */
+ Counter ipOutSwitchIPv6; /* No longer used */
int ipRouteAttributeSize; /* Size of mib2_ipAttributeEntry_t */
int transportMLPSize; /* Size of mib2_transportMLPEntry_t */
+ int ipDestEntrySize; /* Size of dest_cache_entry_t */
} mib2_ip_t;
/*
@@ -503,14 +502,11 @@ typedef struct mib2_ipIfStatsEntry {
*/
Counter ipIfStatsInWrongIPVersion;
/*
- * Depending on the value of ipIfStatsIPVersion, this counter tracks
- * v4: # of IPv6 packets transmitted by ip_wput or,
- * v6: # of IPv4 packets transmitted by ip_wput_v6.
+ * This counter is no longer used
*/
Counter ipIfStatsOutWrongIPVersion;
/*
- * Depending on the value of ipIfStatsIPVersion, this counter tracks
- * # of times ip_wput has switched to become ip_wput_v6, or vice versa.
+ * This counter is no longer used
*/
Counter ipIfStatsOutSwitchIPVersion;
@@ -981,6 +977,21 @@ typedef struct ipv6_grpsrc {
/*
+ * List of destination cache entries
+ */
+typedef struct dest_cache_entry {
+ /* IP Multicast address */
+ IpAddress DestIpv4Address;
+ Ip6Address DestIpv6Address;
+ uint_t DestFlags; /* DCEF_* */
+ uint32_t DestPmtu; /* Path MTU if DCEF_PMTU */
+ uint32_t DestIdent; /* Per destination IP ident. */
+ DeviceIndex DestIfindex; /* For IPv6 link-locals */
+ uint32_t DestAge; /* Age of MTU info in seconds */
+} dest_cache_entry_t;
+
+
+/*
* ICMP Group
*/
typedef struct mib2_icmp {
diff --git a/usr/src/uts/common/inet/optcom.c b/usr/src/uts/common/inet/optcom.c
index e35b7f6af5..e4d1abff4c 100644
--- a/usr/src/uts/common/inet/optcom.c
+++ b/usr/src/uts/common/inet/optcom.c
@@ -58,21 +58,21 @@
* Function prototypes
*/
static t_scalar_t process_topthdrs_first_pass(mblk_t *, cred_t *, optdb_obj_t *,
- boolean_t *, size_t *);
+ size_t *);
static t_scalar_t do_options_second_pass(queue_t *q, mblk_t *reqmp,
mblk_t *ack_mp, cred_t *, optdb_obj_t *dbobjp,
- mblk_t *first_mp, boolean_t is_restart, boolean_t *queued_statusp);
+ t_uscalar_t *worst_statusp);
static t_uscalar_t get_worst_status(t_uscalar_t, t_uscalar_t);
static int do_opt_default(queue_t *, struct T_opthdr *, uchar_t **,
t_uscalar_t *, cred_t *, optdb_obj_t *);
static void do_opt_current(queue_t *, struct T_opthdr *, uchar_t **,
t_uscalar_t *, cred_t *cr, optdb_obj_t *);
-static int do_opt_check_or_negotiate(queue_t *q, struct T_opthdr *reqopt,
+static void do_opt_check_or_negotiate(queue_t *q, struct T_opthdr *reqopt,
uint_t optset_context, uchar_t **resptrp, t_uscalar_t *worst_statusp,
- cred_t *, optdb_obj_t *dbobjp, mblk_t *first_mp);
+ cred_t *, optdb_obj_t *dbobjp);
static boolean_t opt_level_valid(t_uscalar_t, optlevel_t *, uint_t);
static size_t opt_level_allopts_lengths(t_uscalar_t, opdes_t *, uint_t);
-static boolean_t opt_length_ok(opdes_t *, struct T_opthdr *);
+static boolean_t opt_length_ok(opdes_t *, t_uscalar_t optlen);
static t_uscalar_t optcom_max_optbuf_len(opdes_t *, uint_t);
static boolean_t opt_bloated_maxsize(opdes_t *);
@@ -176,35 +176,15 @@ optcom_err_ack(queue_t *q, mblk_t *mp, t_scalar_t t_error, int sys_error)
* job requested.
* XXX Code below needs some restructuring after we have some more
* macros to support 'struct opthdr' in the headers.
- *
- * IP-MT notes: The option management framework functions svr4_optcom_req() and
- * tpi_optcom_req() allocate and prepend an M_CTL mblk to the actual
- * T_optmgmt_req mblk and pass the chain as an additional parameter to the
- * protocol set functions. If a protocol set function (such as ip_opt_set)
- * cannot process the option immediately it can return EINPROGRESS. ip_opt_set
- * enqueues the message in the appropriate sq and returns EINPROGRESS. Later
- * the sq framework arranges to restart this operation and passes control to
- * the restart function ip_restart_optmgmt() which in turn calls
- * svr4_optcom_req() or tpi_optcom_req() to restart the option processing.
- *
- * XXX Remove the asynchronous behavior of svr_optcom_req() and
- * tpi_optcom_req().
*/
-int
-svr4_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
- boolean_t pass_to_ip)
+void
+svr4_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp)
{
pfi_t deffn = dbobjp->odb_deffn;
pfi_t getfn = dbobjp->odb_getfn;
opt_set_fn setfn = dbobjp->odb_setfn;
opdes_t *opt_arr = dbobjp->odb_opt_des_arr;
uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt;
- boolean_t topmost_tpiprovider = dbobjp->odb_topmost_tpiprovider;
- opt_restart_t *or;
- struct opthdr *restart_opt;
- boolean_t is_restart = B_FALSE;
- mblk_t *first_mp;
-
t_uscalar_t max_optbuf_len;
int len;
mblk_t *mp1 = NULL;
@@ -214,33 +194,10 @@ svr4_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
struct opthdr *opt_end;
struct opthdr *opt_start;
opdes_t *optd;
- boolean_t pass_to_next = B_FALSE;
struct T_optmgmt_ack *toa;
struct T_optmgmt_req *tor;
int error;
- /*
- * Allocate M_CTL and prepend to the packet for restarting this
- * option if needed. IP may need to queue and restart the option
- * if it cannot obtain exclusive conditions immediately. Please see
- * IP-MT notes before the start of svr4_optcom_req
- */
- if (mp->b_datap->db_type == M_CTL) {
- is_restart = B_TRUE;
- first_mp = mp;
- mp = mp->b_cont;
- ASSERT(mp->b_wptr - mp->b_rptr >=
- sizeof (struct T_optmgmt_req));
- tor = (struct T_optmgmt_req *)mp->b_rptr;
- ASSERT(tor->MGMT_flags == T_NEGOTIATE);
-
- or = (opt_restart_t *)first_mp->b_rptr;
- opt_start = or->or_start;
- opt_end = or->or_end;
- restart_opt = or->or_ropt;
- goto restart;
- }
-
tor = (struct T_optmgmt_req *)mp->b_rptr;
/* Verify message integrity. */
if (mp->b_wptr - mp->b_rptr < sizeof (struct T_optmgmt_req))
@@ -255,7 +212,7 @@ svr4_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
break;
default:
optcom_err_ack(q, mp, TBADFLAG, 0);
- return (0);
+ return;
}
if (tor->MGMT_flags == T_DEFAULT) {
/* Is it a request for default option settings? */
@@ -278,7 +235,6 @@ svr4_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
* ----historical comment end -------
*/
/* T_DEFAULT not passed down */
- ASSERT(topmost_tpiprovider == B_TRUE);
freemsg(mp);
max_optbuf_len = optcom_max_optbuf_len(opt_arr,
opt_arr_cnt);
@@ -286,7 +242,7 @@ svr4_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
if (!mp) {
no_mem:;
optcom_err_ack(q, mp, TSYSERR, ENOMEM);
- return (0);
+ return;
}
/* Initialize the T_optmgmt_ack header. */
@@ -362,7 +318,7 @@ no_mem:;
mp->b_datap->db_type = M_PCPROTO;
/* Ship it back. */
qreply(q, mp);
- return (0);
+ return;
}
/* T_DEFAULT processing complete - no more T_DEFAULT */
@@ -414,15 +370,15 @@ no_mem:;
goto bad_opt;
error = proto_opt_check(opt->level, opt->name, opt->len, NULL,
- opt_arr, opt_arr_cnt, topmost_tpiprovider,
+ opt_arr, opt_arr_cnt,
tor->MGMT_flags == T_NEGOTIATE, tor->MGMT_flags == T_CHECK,
cr);
if (error < 0) {
optcom_err_ack(q, mp, -error, 0);
- return (0);
+ return;
} else if (error > 0) {
optcom_err_ack(q, mp, TSYSERR, error);
- return (0);
+ return;
}
} /* end for loop scanning option buffer */
@@ -491,24 +447,9 @@ no_mem:;
/* Ditch the input buffer. */
freemsg(mp);
mp = mp1;
- /* Always let the next module look at the option. */
- pass_to_next = B_TRUE;
break;
case T_NEGOTIATE:
- first_mp = allocb(sizeof (opt_restart_t), BPRI_LO);
- if (first_mp == NULL) {
- optcom_err_ack(q, mp, TSYSERR, ENOMEM);
- return (0);
- }
- first_mp->b_datap->db_type = M_CTL;
- or = (opt_restart_t *)first_mp->b_rptr;
- or->or_start = opt_start;
- or->or_end = opt_end;
- or->or_type = T_SVR4_OPTMGMT_REQ;
- or->or_private = 0;
- first_mp->b_cont = mp;
-restart:
/*
* Here we are expecting that the response buffer is exactly
* the same size as the input buffer. We pass each opthdr
@@ -523,22 +464,16 @@ restart:
*/
toa = (struct T_optmgmt_ack *)tor;
- for (opt = is_restart ? restart_opt: opt_start; opt < opt_end;
- opt = next_opt) {
+ for (opt = opt_start; opt < opt_end; opt = next_opt) {
int error;
- /*
- * Point to the current option in or, in case this
- * option has to be restarted later on
- */
- or->or_ropt = opt;
next_opt = (struct opthdr *)((uchar_t *)&opt[1] +
_TPI_ALIGN_OPT(opt->len));
error = (*setfn)(q, SETFN_OPTCOM_NEGOTIATE,
opt->level, opt->name,
opt->len, (uchar_t *)&opt[1],
- &opt->len, (uchar_t *)&opt[1], NULL, cr, first_mp);
+ &opt->len, (uchar_t *)&opt[1], NULL, cr);
/*
* Treat positive "errors" as real.
* Note: negative errors are to be treated as
@@ -549,99 +484,48 @@ restart:
* it is valid but was either handled upstream
* or will be handled downstream.
*/
- if (error == EINPROGRESS) {
- /*
- * The message is queued and will be
- * reprocessed later. Typically ip queued
- * the message to get some exclusive conditions
- * and later on calls this func again.
- */
- return (EINPROGRESS);
- } else if (error > 0) {
+ if (error > 0) {
optcom_err_ack(q, mp, TSYSERR, error);
- freeb(first_mp);
- return (0);
+ return;
}
/*
* error < 0 means option is not recognized.
- * But with OP_PASSNEXT the next module
- * might recognize it.
*/
}
- /* Done with the restart control mp. */
- freeb(first_mp);
- pass_to_next = B_TRUE;
break;
default:
optcom_err_ack(q, mp, TBADFLAG, 0);
- return (0);
+ return;
}
- if (pass_to_next && (q->q_next != NULL || pass_to_ip)) {
- /* Send it down to the next module and let it reply */
- toa->PRIM_type = T_SVR4_OPTMGMT_REQ; /* Changed by IP to ACK */
- if (q->q_next != NULL)
- putnext(q, mp);
- else
- ip_output(Q_TO_CONN(q), mp, q, IP_WPUT);
- } else {
- /* Set common fields in the header. */
- toa->MGMT_flags = T_SUCCESS;
- mp->b_datap->db_type = M_PCPROTO;
- toa->PRIM_type = T_OPTMGMT_ACK;
- qreply(q, mp);
- }
- return (0);
+ /* Set common fields in the header. */
+ toa->MGMT_flags = T_SUCCESS;
+ mp->b_datap->db_type = M_PCPROTO;
+ toa->PRIM_type = T_OPTMGMT_ACK;
+ qreply(q, mp);
+ return;
bad_opt:;
optcom_err_ack(q, mp, TBADOPT, 0);
- return (0);
}
/*
* New optcom_req inspired by TPI/XTI semantics
*/
-int
-tpi_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
- boolean_t pass_to_ip)
+void
+tpi_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp)
{
t_scalar_t t_error;
mblk_t *toa_mp;
- boolean_t pass_to_next;
size_t toa_len;
struct T_optmgmt_ack *toa;
struct T_optmgmt_req *tor =
(struct T_optmgmt_req *)mp->b_rptr;
-
- opt_restart_t *or;
- boolean_t is_restart = B_FALSE;
- mblk_t *first_mp = NULL;
t_uscalar_t worst_status;
- boolean_t queued_status;
-
- /*
- * Allocate M_CTL and prepend to the packet for restarting this
- * option if needed. IP may need to queue and restart the option
- * if it cannot obtain exclusive conditions immediately. Please see
- * IP-MT notes before the start of svr4_optcom_req
- */
- if (mp->b_datap->db_type == M_CTL) {
- is_restart = B_TRUE;
- first_mp = mp;
- toa_mp = mp->b_cont;
- mp = toa_mp->b_cont;
- ASSERT(mp->b_wptr - mp->b_rptr >=
- sizeof (struct T_optmgmt_req));
- tor = (struct T_optmgmt_req *)mp->b_rptr;
- ASSERT(tor->MGMT_flags == T_NEGOTIATE);
-
- or = (opt_restart_t *)first_mp->b_rptr;
- goto restart;
- }
/* Verify message integrity. */
if ((mp->b_wptr - mp->b_rptr) < sizeof (struct T_optmgmt_req)) {
optcom_err_ack(q, mp, TBADOPT, 0);
- return (0);
+ return;
}
/* Verify MGMT_flags legal */
@@ -654,7 +538,7 @@ tpi_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
break;
default:
optcom_err_ack(q, mp, TBADFLAG, 0);
- return (0);
+ return;
}
/*
@@ -669,7 +553,6 @@ tpi_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
* T_ALLOPT mean that length can be different for output buffer).
*/
- pass_to_next = B_FALSE; /* initial value */
toa_len = 0; /* initial value */
/*
@@ -677,13 +560,11 @@ tpi_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
* - estimate cumulative length needed for results
* - set "status" field based on permissions, option header check
* etc.
- * - determine "pass_to_next" whether we need to send request to
- * downstream module/driver.
*/
if ((t_error = process_topthdrs_first_pass(mp, cr, dbobjp,
- &pass_to_next, &toa_len)) != 0) {
+ &toa_len)) != 0) {
optcom_err_ack(q, mp, t_error, 0);
- return (0);
+ return;
}
/*
@@ -697,26 +578,14 @@ tpi_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
toa_mp = allocb_tmpl(toa_len, mp);
if (!toa_mp) {
optcom_err_ack(q, mp, TSYSERR, ENOMEM);
- return (0);
+ return;
}
- first_mp = allocb(sizeof (opt_restart_t), BPRI_LO);
- if (first_mp == NULL) {
- freeb(toa_mp);
- optcom_err_ack(q, mp, TSYSERR, ENOMEM);
- return (0);
- }
- first_mp->b_datap->db_type = M_CTL;
- or = (opt_restart_t *)first_mp->b_rptr;
/*
* Set initial values for generating output.
*/
- or->or_worst_status = T_SUCCESS;
- or->or_type = T_OPTMGMT_REQ;
- or->or_private = 0;
- /* remaining fields fileed in do_options_second_pass */
+ worst_status = T_SUCCESS; /* initial value */
-restart:
/*
* This routine makes another pass through the option buffer this
* time acting on the request based on "status" result in the
@@ -724,19 +593,11 @@ restart:
* all options of a certain level and acts on each for this request.
*/
if ((t_error = do_options_second_pass(q, mp, toa_mp, cr, dbobjp,
- first_mp, is_restart, &queued_status)) != 0) {
+ &worst_status)) != 0) {
freemsg(toa_mp);
optcom_err_ack(q, mp, t_error, 0);
- return (0);
- }
- if (queued_status) {
- /* Option will be restarted */
- return (EINPROGRESS);
+ return;
}
- worst_status = or->or_worst_status;
- /* Done with the first mp */
- freeb(first_mp);
- toa_mp->b_cont = NULL;
/*
* Following code relies on the coincidence that T_optmgmt_req
@@ -749,34 +610,12 @@ restart:
toa->MGMT_flags = tor->MGMT_flags;
-
freemsg(mp); /* free input mblk */
- /*
- * If there is atleast one option that requires a downstream
- * forwarding and if it is possible, we forward the message
- * downstream. Else we ack it.
- */
- if (pass_to_next && (q->q_next != NULL || pass_to_ip)) {
- /*
- * We pass it down as T_OPTMGMT_REQ. This code relies
- * on the happy coincidence that T_optmgmt_req and
- * T_optmgmt_ack are identical data structures
- * at the binary representation level.
- */
- toa_mp->b_datap->db_type = M_PROTO;
- toa->PRIM_type = T_OPTMGMT_REQ;
- if (q->q_next != NULL)
- putnext(q, toa_mp);
- else
- ip_output(Q_TO_CONN(q), toa_mp, q, IP_WPUT);
- } else {
- toa->PRIM_type = T_OPTMGMT_ACK;
- toa_mp->b_datap->db_type = M_PCPROTO;
- toa->MGMT_flags |= worst_status; /* XXX "worst" or "OR" TPI ? */
- qreply(q, toa_mp);
- }
- return (0);
+ toa->PRIM_type = T_OPTMGMT_ACK;
+ toa_mp->b_datap->db_type = M_PCPROTO;
+ toa->MGMT_flags |= worst_status; /* XXX "worst" or "OR" TPI ? */
+ qreply(q, toa_mp);
}
@@ -786,17 +625,14 @@ restart:
* - estimate cumulative length needed for results
* - set "status" field based on permissions, option header check
* etc.
- * - determine "pass_to_next" whether we need to send request to
- * downstream module/driver.
*/
static t_scalar_t
process_topthdrs_first_pass(mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
- boolean_t *pass_to_nextp, size_t *toa_lenp)
+ size_t *toa_lenp)
{
opdes_t *opt_arr = dbobjp->odb_opt_des_arr;
uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt;
- boolean_t topmost_tpiprovider = dbobjp->odb_topmost_tpiprovider;
optlevel_t *valid_level_arr = dbobjp->odb_valid_levels_arr;
uint_t valid_level_arr_cnt = dbobjp->odb_valid_levels_arr_cnt;
struct T_opthdr *opt;
@@ -843,18 +679,14 @@ process_topthdrs_first_pass(mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
* unchanged if they do not understand an
* option.
*/
- if (topmost_tpiprovider) {
- if (!opt_level_valid(opt->level,
- valid_level_arr,
- valid_level_arr_cnt))
- return (TBADOPT);
- /*
- * level is valid - initialize
- * option as not supported
- */
- opt->status = T_NOTSUPPORT;
- }
-
+ if (!opt_level_valid(opt->level,
+ valid_level_arr, valid_level_arr_cnt))
+ return (TBADOPT);
+ /*
+ * level is valid - initialize
+ * option as not supported
+ */
+ opt->status = T_NOTSUPPORT;
*toa_lenp += _TPI_ALIGN_TOPT(opt->len);
continue;
}
@@ -866,7 +698,6 @@ process_topthdrs_first_pass(mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
*/
allopt_len = 0;
if (tor->MGMT_flags == T_CHECK ||
- !topmost_tpiprovider ||
((allopt_len = opt_level_allopts_lengths(opt->level,
opt_arr, opt_arr_cnt)) == 0)) {
/*
@@ -874,11 +705,6 @@ process_topthdrs_first_pass(mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
* It is not valid to to use T_ALLOPT with
* T_CHECK flag.
*
- * T_ALLOPT is assumed "expanded" at the
- * topmost_tpiprovider level so it should not
- * be there as an "option name" if this is not
- * a topmost_tpiprovider call and we fail it.
- *
* opt_level_allopts_lengths() is used to verify
* that "level" associated with the T_ALLOPT is
* supported.
@@ -892,15 +718,8 @@ process_topthdrs_first_pass(mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
*toa_lenp += allopt_len;
opt->status = T_SUCCESS;
- /* XXX - always set T_ALLOPT 'pass_to_next' for now */
- *pass_to_nextp = B_TRUE;
continue;
}
- /*
- * Check if option wants to flow downstream
- */
- if (optd->opdes_props & OP_PASSNEXT)
- *pass_to_nextp = B_TRUE;
/* Additional checks dependent on operation. */
switch (tor->MGMT_flags) {
@@ -972,7 +791,9 @@ process_topthdrs_first_pass(mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
* Note: This can override anything about this
* option request done at a higher level.
*/
- if (!opt_length_ok(optd, opt)) {
+ if (opt->len < sizeof (struct T_opthdr) ||
+ !opt_length_ok(optd,
+ opt->len - sizeof (struct T_opthdr))) {
/* bad size */
*toa_lenp += _TPI_ALIGN_TOPT(opt->len);
opt->status = T_FAILURE;
@@ -1034,23 +855,14 @@ process_topthdrs_first_pass(mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
*/
static t_scalar_t
do_options_second_pass(queue_t *q, mblk_t *reqmp, mblk_t *ack_mp, cred_t *cr,
- optdb_obj_t *dbobjp, mblk_t *first_mp, boolean_t is_restart,
- boolean_t *queued_statusp)
+ optdb_obj_t *dbobjp, t_uscalar_t *worst_statusp)
{
- boolean_t topmost_tpiprovider = dbobjp->odb_topmost_tpiprovider;
int failed_option;
struct T_opthdr *opt;
- struct T_opthdr *opt_start, *opt_end, *restart_opt;
+ struct T_opthdr *opt_start, *opt_end;
uchar_t *optr;
uint_t optset_context;
struct T_optmgmt_req *tor = (struct T_optmgmt_req *)reqmp->b_rptr;
- opt_restart_t *or;
- t_uscalar_t *worst_statusp;
- int err;
-
- *queued_statusp = B_FALSE;
- or = (opt_restart_t *)first_mp->b_rptr;
- worst_statusp = &or->or_worst_status;
optr = (uchar_t *)ack_mp->b_rptr +
sizeof (struct T_optmgmt_ack); /* assumed int32_t aligned */
@@ -1058,32 +870,16 @@ do_options_second_pass(queue_t *q, mblk_t *reqmp, mblk_t *ack_mp, cred_t *cr,
/*
* Set initial values for scanning input
*/
- if (is_restart) {
- opt_start = (struct T_opthdr *)or->or_start;
- opt_end = (struct T_opthdr *)or->or_end;
- restart_opt = (struct T_opthdr *)or->or_ropt;
- } else {
- opt_start = (struct T_opthdr *)mi_offset_param(reqmp,
- tor->OPT_offset, tor->OPT_length);
- if (opt_start == NULL)
- return (TBADOPT);
- opt_end = (struct T_opthdr *)((uchar_t *)opt_start +
- tor->OPT_length);
- or->or_start = (struct opthdr *)opt_start;
- or->or_end = (struct opthdr *)opt_end;
- /*
- * construct the mp chain, in case the setfn needs to
- * queue this and restart option processing later on.
- */
- first_mp->b_cont = ack_mp;
- ack_mp->b_cont = reqmp;
- }
+ opt_start = (struct T_opthdr *)mi_offset_param(reqmp,
+ tor->OPT_offset, tor->OPT_length);
+ if (opt_start == NULL)
+ return (TBADOPT);
+ opt_end = (struct T_opthdr *)((uchar_t *)opt_start + tor->OPT_length);
ASSERT(__TPI_TOPT_ISALIGNED(opt_start)); /* verified in first pass */
- for (opt = is_restart ? restart_opt : opt_start;
- opt && (opt < opt_end);
+ for (opt = opt_start; opt && (opt < opt_end);
opt = _TPI_TOPT_NEXTHDR(opt_start, tor->OPT_length, opt)) {
- or->or_ropt = (struct opthdr *)opt;
+
/* verified in first pass */
ASSERT(_TPI_TOPT_VALID(opt, opt_start, opt_end));
@@ -1144,9 +940,7 @@ do_options_second_pass(queue_t *q, mblk_t *reqmp, mblk_t *ack_mp, cred_t *cr,
*/
if (do_opt_default(q, opt, &optr, worst_statusp,
cr, dbobjp) < 0) {
- /* fail or pass transparently */
- if (topmost_tpiprovider)
- opt->status = T_FAILURE;
+ opt->status = T_FAILURE;
bcopy(opt, optr, opt->len);
optr += _TPI_ALIGN_TOPT(opt->len);
*worst_statusp = get_worst_status(opt->status,
@@ -1166,12 +960,8 @@ do_options_second_pass(queue_t *q, mblk_t *reqmp, mblk_t *ack_mp, cred_t *cr,
optset_context = SETFN_OPTCOM_CHECKONLY;
else /* T_NEGOTIATE */
optset_context = SETFN_OPTCOM_NEGOTIATE;
- err = do_opt_check_or_negotiate(q, opt, optset_context,
- &optr, worst_statusp, cr, dbobjp, first_mp);
- if (err == EINPROGRESS) {
- *queued_statusp = B_TRUE;
- return (0);
- }
+ do_opt_check_or_negotiate(q, opt, optset_context,
+ &optr, worst_statusp, cr, dbobjp);
break;
default:
return (TBADFLAG);
@@ -1236,7 +1026,6 @@ do_opt_default(queue_t *q, struct T_opthdr *reqopt, uchar_t **resptrp,
pfi_t deffn = dbobjp->odb_deffn;
opdes_t *opt_arr = dbobjp->odb_opt_des_arr;
uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt;
- boolean_t topmost_tpiprovider = dbobjp->odb_topmost_tpiprovider;
struct T_opthdr *topth;
opdes_t *optd;
@@ -1248,15 +1037,8 @@ do_opt_default(queue_t *q, struct T_opthdr *reqopt, uchar_t **resptrp,
optd = proto_opt_lookup(reqopt->level, reqopt->name,
opt_arr, opt_arr_cnt);
- if (optd == NULL) {
- /*
- * not found - fail this one. Should not happen
- * for topmost_tpiprovider as calling routine
- * should have verified it.
- */
- ASSERT(!topmost_tpiprovider);
- return (-1);
- }
+ /* Calling routine should have verified it it exists */
+ ASSERT(optd != NULL);
topth = (struct T_opthdr *)(*resptrp);
topth->level = reqopt->level;
@@ -1333,10 +1115,7 @@ do_opt_default(queue_t *q, struct T_opthdr *reqopt, uchar_t **resptrp,
*
* lookup and stuff default values of all the options of the
* level specified
- * Note: This expansion of T_ALLOPT should happen in
- * a topmost_tpiprovider.
*/
- ASSERT(topmost_tpiprovider);
for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) {
if (reqopt->level != optd->opdes_level)
continue;
@@ -1453,8 +1232,6 @@ do_opt_current(queue_t *q, struct T_opthdr *reqopt, uchar_t **resptrp,
pfi_t getfn = dbobjp->odb_getfn;
opdes_t *opt_arr = dbobjp->odb_opt_des_arr;
uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt;
- boolean_t topmost_tpiprovider = dbobjp->odb_topmost_tpiprovider;
-
struct T_opthdr *topth;
opdes_t *optd;
int optlen;
@@ -1484,7 +1261,6 @@ do_opt_current(queue_t *q, struct T_opthdr *reqopt, uchar_t **resptrp,
*resptrp -= sizeof (struct T_opthdr);
}
} else { /* T_ALLOPT processing */
- ASSERT(topmost_tpiprovider == B_TRUE);
/* scan and get all options */
for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) {
/* skip other levels */
@@ -1530,14 +1306,9 @@ do_opt_current(queue_t *q, struct T_opthdr *reqopt, uchar_t **resptrp,
}
if (*resptrp == initptr) {
/*
- * getfn failed and does not want to handle this option. Maybe
- * something downstream will or something upstream did. (If
- * topmost_tpiprovider, initialize "status" to failure which
- * can possibly change downstream). Copy the input "as is" from
- * input option buffer if any to maintain transparency.
+ * getfn failed and does not want to handle this option.
*/
- if (topmost_tpiprovider)
- reqopt->status = T_FAILURE;
+ reqopt->status = T_FAILURE;
bcopy(reqopt, *resptrp, reqopt->len);
*resptrp += _TPI_ALIGN_TOPT(reqopt->len);
*worst_statusp = get_worst_status(reqopt->status,
@@ -1545,18 +1316,15 @@ do_opt_current(queue_t *q, struct T_opthdr *reqopt, uchar_t **resptrp,
}
}
-/* ARGSUSED */
-static int
+static void
do_opt_check_or_negotiate(queue_t *q, struct T_opthdr *reqopt,
uint_t optset_context, uchar_t **resptrp, t_uscalar_t *worst_statusp,
- cred_t *cr, optdb_obj_t *dbobjp, mblk_t *first_mp)
+ cred_t *cr, optdb_obj_t *dbobjp)
{
pfi_t deffn = dbobjp->odb_deffn;
opt_set_fn setfn = dbobjp->odb_setfn;
opdes_t *opt_arr = dbobjp->odb_opt_des_arr;
uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt;
- boolean_t topmost_tpiprovider = dbobjp->odb_topmost_tpiprovider;
-
struct T_opthdr *topth;
opdes_t *optd;
int error;
@@ -1572,12 +1340,10 @@ do_opt_check_or_negotiate(queue_t *q, struct T_opthdr *reqopt,
error = (*setfn)(q, optset_context, reqopt->level, reqopt->name,
reqopt->len - sizeof (struct T_opthdr),
_TPI_TOPT_DATA(reqopt), &optlen, _TPI_TOPT_DATA(topth),
- NULL, cr, first_mp);
+ NULL, cr);
if (error) {
/* failed - reset "*resptrp" */
*resptrp -= sizeof (struct T_opthdr);
- if (error == EINPROGRESS)
- return (error);
} else {
/*
* success - "value" already filled in setfn()
@@ -1594,7 +1360,6 @@ do_opt_check_or_negotiate(queue_t *q, struct T_opthdr *reqopt,
} else { /* T_ALLOPT processing */
/* only for T_NEGOTIATE case */
ASSERT(optset_context == SETFN_OPTCOM_NEGOTIATE);
- ASSERT(topmost_tpiprovider == B_TRUE);
/* scan and set all options to default value */
for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) {
@@ -1670,7 +1435,7 @@ do_opt_check_or_negotiate(queue_t *q, struct T_opthdr *reqopt,
error = (*setfn)(q, SETFN_OPTCOM_NEGOTIATE,
reqopt->level, optd->opdes_name, optsize,
(uchar_t *)optd->opdes_defbuf, &optlen,
- _TPI_TOPT_DATA(topth), NULL, cr, NULL);
+ _TPI_TOPT_DATA(topth), NULL, cr);
if (error) {
/*
* failed, return as T_FAILURE and null value
@@ -1693,20 +1458,14 @@ do_opt_check_or_negotiate(queue_t *q, struct T_opthdr *reqopt,
if (*resptrp == initptr) {
/*
- * setfn failed and does not want to handle this option. Maybe
- * something downstream will or something upstream
- * did. Copy the input as is from input option buffer if any to
- * maintain transparency (maybe something at a level above
- * did something.
+ * setfn failed and does not want to handle this option.
*/
- if (topmost_tpiprovider)
- reqopt->status = T_FAILURE;
+ reqopt->status = T_FAILURE;
bcopy(reqopt, *resptrp, reqopt->len);
*resptrp += _TPI_ALIGN_TOPT(reqopt->len);
*worst_statusp = get_worst_status(reqopt->status,
*worst_statusp);
}
- return (0);
}
/*
@@ -1886,7 +1645,8 @@ tpi_optcom_buf(queue_t *q, mblk_t *mp, t_scalar_t *opt_lenp,
*/
/* verify length */
- if (!opt_length_ok(optd, opt)) {
+ if (opt->len < (t_uscalar_t)sizeof (struct T_opthdr) ||
+ !opt_length_ok(optd, opt->len - sizeof (struct T_opthdr))) {
/* bad size */
if ((optd->opdes_props & OP_NOT_ABSREQ) == 0) {
/* option is absolute requirement */
@@ -1914,7 +1674,7 @@ tpi_optcom_buf(queue_t *q, mblk_t *mp, t_scalar_t *opt_lenp,
error = (*setfn)(q, optset_context, opt->level, opt->name,
opt->len - (t_uscalar_t)sizeof (struct T_opthdr),
_TPI_TOPT_DATA(opt), &olen, _TPI_TOPT_DATA(opt),
- thisdg_attrs, cr, NULL);
+ thisdg_attrs, cr);
if (olen > (int)(opt->len - sizeof (struct T_opthdr))) {
/*
@@ -2113,8 +1873,12 @@ opt_bloated_maxsize(opdes_t *optd)
return (B_FALSE);
}
+/*
+ * optlen is the length of the option content
+ * Caller should check the optlen is at least sizeof (struct T_opthdr)
+ */
static boolean_t
-opt_length_ok(opdes_t *optd, struct T_opthdr *opt)
+opt_length_ok(opdes_t *optd, t_uscalar_t optlen)
{
/*
* Verify length.
@@ -2122,95 +1886,60 @@ opt_length_ok(opdes_t *optd, struct T_opthdr *opt)
* less than maxlen of variable length option.
*/
if (optd->opdes_props & OP_VARLEN) {
- if (opt->len <= optd->opdes_size +
- (t_uscalar_t)sizeof (struct T_opthdr))
+ if (optlen <= optd->opdes_size)
return (B_TRUE);
} else {
/* fixed length option */
- if (opt->len == optd->opdes_size +
- (t_uscalar_t)sizeof (struct T_opthdr))
+ if (optlen == optd->opdes_size)
return (B_TRUE);
}
return (B_FALSE);
}
/*
- * This routine appends a pssed in hop-by-hop option to the existing
- * option (in this case a cipso label encoded in HOPOPT option). The
- * passed in option is always padded. The 'reservelen' is the
- * length of reserved data (label). New memory will be allocated if
- * the current buffer is not large enough. Return failure if memory
+ * This routine manages the allocation and free of the space for
+ * an extension header or option. Returns failure if memory
* can not be allocated.
*/
int
-optcom_pkt_set(uchar_t *invalp, uint_t inlen, boolean_t sticky,
- uchar_t **optbufp, uint_t *optlenp, uint_t reservelen)
+optcom_pkt_set(uchar_t *invalp, uint_t inlen,
+ uchar_t **optbufp, uint_t *optlenp)
{
uchar_t *optbuf;
uchar_t *optp;
- if (!sticky) {
- *optbufp = invalp;
- *optlenp = inlen;
- return (0);
- }
-
- if (inlen == *optlenp - reservelen) {
+ if (inlen == *optlenp) {
/* Unchanged length - no need to reallocate */
- optp = *optbufp + reservelen;
+ optp = *optbufp;
bcopy(invalp, optp, inlen);
- if (reservelen != 0) {
- /*
- * Convert the NextHeader and Length of the
- * passed in hop-by-hop header to pads
- */
- optp[0] = IP6OPT_PADN;
- optp[1] = 0;
- }
return (0);
}
- if (inlen + reservelen > 0) {
+ if (inlen > 0) {
/* Allocate new buffer before free */
- optbuf = kmem_alloc(inlen + reservelen, KM_NOSLEEP);
+ optbuf = kmem_alloc(inlen, KM_NOSLEEP);
if (optbuf == NULL)
return (ENOMEM);
} else {
optbuf = NULL;
}
- /* Copy out old reserved data (label) */
- if (reservelen > 0)
- bcopy(*optbufp, optbuf, reservelen);
-
/* Free old buffer */
if (*optlenp != 0)
kmem_free(*optbufp, *optlenp);
if (inlen > 0)
- bcopy(invalp, optbuf + reservelen, inlen);
+ bcopy(invalp, optbuf, inlen);
- if (reservelen != 0) {
- /*
- * Convert the NextHeader and Length of the
- * passed in hop-by-hop header to pads
- */
- optbuf[reservelen] = IP6OPT_PADN;
- optbuf[reservelen + 1] = 0;
- /*
- * Set the Length of the hop-by-hop header, number of 8
- * byte-words following the 1st 8 bytes
- */
- optbuf[1] = (reservelen + inlen - 1) >> 3;
- }
*optbufp = optbuf;
- *optlenp = inlen + reservelen;
+ *optlenp = inlen;
return (0);
}
int
process_auxiliary_options(conn_t *connp, void *control, t_uscalar_t controllen,
- void *optbuf, optdb_obj_t *dbobjp, int (*opt_set_fn)(conn_t *, uint_t, int,
- int, uint_t, uchar_t *, uint_t *, uchar_t *, void *, cred_t *), cred_t *cr)
+ void *optbuf, optdb_obj_t *dbobjp, int (*opt_set_fn)(conn_t *,
+ uint_t, int, int, uint_t, uchar_t *, uint_t *, uchar_t *, void *, cred_t *),
+ cred_t *cr)
{
struct cmsghdr *cmsg;
opdes_t *optd;
@@ -2254,7 +1983,7 @@ process_auxiliary_options(conn_t *connp, void *control, t_uscalar_t controllen,
}
error = opt_set_fn(connp, SETFN_UD_NEGOTIATE, optd->opdes_level,
optd->opdes_name, len, (uchar_t *)CMSG_CONTENT(cmsg),
- &outlen, (uchar_t *)CMSG_CONTENT(cmsg), (void *)optbuf, cr);
+ &outlen, (uchar_t *)CMSG_CONTENT(cmsg), optbuf, cr);
if (error > 0) {
return (error);
} else if (outlen > len) {
diff --git a/usr/src/uts/common/inet/optcom.h b/usr/src/uts/common/inet/optcom.h
index df4f227e95..01ca52a759 100644
--- a/usr/src/uts/common/inet/optcom.h
+++ b/usr/src/uts/common/inet/optcom.h
@@ -34,6 +34,7 @@ extern "C" {
#if defined(_KERNEL) && defined(__STDC__)
#include <inet/ipclassifier.h>
+
/* Options Description Structure */
typedef struct opdes_s {
t_uscalar_t opdes_name; /* option name */
@@ -138,20 +139,15 @@ typedef struct opdes_s {
#define OA_NO_PERMISSION(x, c) (OA_MATCHED_PRIV((x), (c)) ? \
((x)->opdes_access_priv == 0) : ((x)->opdes_access_nopriv == 0))
-#define PASS_OPT_TO_IP(connp) \
- if (IPCL_IS_NONSTR(connp)) \
- return (-EINVAL)
-
/*
* Other properties set in opdes_props field.
*/
-#define OP_PASSNEXT 0x1 /* to pass option to next module or not */
-#define OP_VARLEN 0x2 /* option is varible length */
-#define OP_NOT_ABSREQ 0x4 /* option is not a "absolute requirement" */
+#define OP_VARLEN 0x1 /* option is varible length */
+#define OP_NOT_ABSREQ 0x2 /* option is not a "absolute requirement" */
/* i.e. failure to negotiate does not */
/* abort primitive ("ignore" semantics ok) */
-#define OP_NODEFAULT 0x8 /* no concept of "default value" */
-#define OP_DEF_FN 0x10 /* call a "default function" to get default */
+#define OP_NODEFAULT 0x4 /* no concept of "default value" */
+#define OP_DEF_FN 0x8 /* call a "default function" to get default */
/* value, not from static table */
@@ -165,13 +161,12 @@ typedef t_uscalar_t optlevel_t;
typedef int (*opt_def_fn)(queue_t *, int, int, uchar_t *);
typedef int (*opt_get_fn)(queue_t *, int, int, uchar_t *);
typedef int (*opt_set_fn)(queue_t *, uint_t, int, int, uint_t, uchar_t *,
- uint_t *, uchar_t *, void *, cred_t *, mblk_t *);
+ uint_t *, uchar_t *, void *, cred_t *);
typedef struct optdb_obj {
opt_def_fn odb_deffn; /* default value function */
opt_get_fn odb_getfn; /* get function */
opt_set_fn odb_setfn; /* set function */
- boolean_t odb_topmost_tpiprovider; /* whether topmost tpi */
/* provider or downstream */
uint_t odb_opt_arr_cnt; /* count of number of options in db */
opdes_t *odb_opt_des_arr; /* option descriptors in db */
@@ -182,22 +177,6 @@ typedef struct optdb_obj {
} optdb_obj_t;
/*
- * This is used to restart option processing. This goes inside an M_CTL
- * which is prepended to the packet. IP may need to become exclusive on
- * an ill for setting some options. For dg. IP_ADD_MEMBERSHIP. Since
- * there can be more than 1 option packed in an option buffer, we need to
- * remember where to restart option processing after resuming from a wait
- * for exclusive condition in IP.
- */
-typedef struct opt_restart_s {
- struct opthdr *or_start; /* start of option buffer */
- struct opthdr *or_end; /* end of option buffer */
- struct opthdr *or_ropt; /* restart option here */
- t_uscalar_t or_worst_status; /* Used by tpi_optcom_req */
- t_uscalar_t or_type; /* svr4 or tpi optcom variant */
- int or_private; /* currently used by CGTP */
-} opt_restart_t;
-/*
* Values for "optset_context" parameter passed to
* transport specific "setfn()" routines
*/
@@ -210,16 +189,12 @@ typedef struct opt_restart_s {
* Function prototypes
*/
extern void optcom_err_ack(queue_t *, mblk_t *, t_scalar_t, int);
-extern int svr4_optcom_req(queue_t *, mblk_t *, cred_t *, optdb_obj_t *,
- boolean_t);
-extern int tpi_optcom_req(queue_t *, mblk_t *, cred_t *, optdb_obj_t *,
- boolean_t);
+extern void svr4_optcom_req(queue_t *, mblk_t *, cred_t *, optdb_obj_t *);
+extern void tpi_optcom_req(queue_t *, mblk_t *, cred_t *, optdb_obj_t *);
extern int tpi_optcom_buf(queue_t *, mblk_t *, t_scalar_t *, t_scalar_t,
cred_t *, optdb_obj_t *, void *, int *);
extern t_uscalar_t optcom_max_optsize(opdes_t *, uint_t);
-extern int optcom_pkt_set(uchar_t *, uint_t, boolean_t, uchar_t **, uint_t *,
- uint_t);
-
+extern int optcom_pkt_set(uchar_t *, uint_t, uchar_t **, uint_t *);
extern int process_auxiliary_options(conn_t *, void *, t_uscalar_t,
void *, optdb_obj_t *, int (*)(conn_t *, uint_t, int, int, uint_t,
uchar_t *, uint_t *, uchar_t *, void *, cred_t *), cred_t *);
diff --git a/usr/src/uts/common/inet/proto_set.c b/usr/src/uts/common/inet/proto_set.c
index 45f07d2ed3..499f046f6d 100644
--- a/usr/src/uts/common/inet/proto_set.c
+++ b/usr/src/uts/common/inet/proto_set.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -348,27 +348,21 @@ proto_opt_lookup(t_uscalar_t level, t_uscalar_t name, opdes_t *opt_arr,
/*
* Do a lookup of the options in the array and do permission and length checking
* Returns zero if there is no error (note: for non-tpi-providers not being able
- * to find the option is not an error). TPI errors are returned as -ve.
+ * to find the option is not an error). TPI errors are returned as negative
+ * numbers and errnos as positive numbers.
+ * If max_len is set we update it based on the max length of the option.
*/
int
proto_opt_check(int level, int name, int len, t_uscalar_t *max_len,
- opdes_t *opt_arr, uint_t opt_arr_cnt, boolean_t topmost_tpiprovider,
- boolean_t negotiate, boolean_t check, cred_t *cr)
+ opdes_t *opt_arr, uint_t opt_arr_cnt, boolean_t negotiate, boolean_t check,
+ cred_t *cr)
{
opdes_t *optd;
/* Find the option in the opt_arr. */
- if ((optd = proto_opt_lookup(level, name, opt_arr, opt_arr_cnt)) ==
- NULL) {
- /*
- * Not found, that is a bad thing if
- * the caller is a tpi provider
- */
- if (topmost_tpiprovider)
- return (-TBADOPT);
- else
- return (0); /* skip unmodified */
- }
+ optd = proto_opt_lookup(level, name, opt_arr, opt_arr_cnt);
+ if (optd == NULL)
+ return (-TBADOPT);
/* Additional checks dependent on operation. */
if (negotiate) {
@@ -409,15 +403,12 @@ proto_opt_check(int level, int name, int len, t_uscalar_t *max_len,
return (-TBADOPT);
}
/*
- * XXX Change the comments.
- *
* XXX Since T_CURRENT was not there in TLI and the
* official TLI inspired TPI standard, getsockopt()
* API uses T_CHECK (for T_CURRENT semantics)
- * The following fallthru makes sense because of its
- * historical use as semantic equivalent to T_CURRENT.
+ * Thus T_CHECK includes the T_CURRENT semantics due to that
+ * historical use.
*/
- /* FALLTHRU */
if (!OA_READ_PERMISSION(optd, cr)) {
/* can't read option value */
if (!(OA_MATCHED_PRIV(optd, cr)) &&
diff --git a/usr/src/uts/common/inet/proto_set.h b/usr/src/uts/common/inet/proto_set.h
index 8e714c7c05..488cf4d478 100644
--- a/usr/src/uts/common/inet/proto_set.h
+++ b/usr/src/uts/common/inet/proto_set.h
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -48,7 +48,7 @@ extern int proto_tlitosyserr(int);
extern int proto_verify_ip_addr(int, const struct sockaddr *, socklen_t);
extern int proto_opt_check(int, int, int, t_uscalar_t *, opdes_t *,
- uint_t, boolean_t, boolean_t, boolean_t, cred_t *);
+ uint_t, boolean_t, boolean_t, cred_t *);
extern opdes_t *proto_opt_lookup(t_uscalar_t, t_uscalar_t, opdes_t *, uint_t);
#ifdef __cplusplus
diff --git a/usr/src/uts/common/inet/rawip_impl.h b/usr/src/uts/common/inet/rawip_impl.h
index 5635bb0f01..348c4f5239 100644
--- a/usr/src/uts/common/inet/rawip_impl.h
+++ b/usr/src/uts/common/inet/rawip_impl.h
@@ -69,87 +69,25 @@ typedef struct icmp_stack icmp_stack_t;
/* Internal icmp control structure, one per open stream */
typedef struct icmp_s {
- krwlock_t icmp_rwlock; /* Protects most of icmp_t */
- t_scalar_t icmp_pending_op; /* The current TPI operation */
/*
- * Following fields up to icmp_ipversion protected by conn_lock.
+ * The addresses and ports in the conn_t and icmp_state are protected by
+ * conn_lock. conn_lock also protects the content of icmp_t.
*/
uint_t icmp_state; /* TPI state */
- in6_addr_t icmp_v6src; /* Source address of this stream */
- in6_addr_t icmp_bound_v6src; /* Explicitely bound to address */
- sin6_t icmp_v6dst; /* Connected destination */
- /*
- * IP format that packets transmitted from this struct should use.
- * Value can be IP4_VERSION or IPV6_VERSION.
- */
- uchar_t icmp_ipversion;
-
- /* Written to only once at the time of opening the endpoint */
- sa_family_t icmp_family; /* Family from socket() call */
-
- /* Following protected by icmp_rwlock */
- uint32_t icmp_max_hdr_len; /* For write offset in stream head */
- uint_t icmp_proto;
- uint_t icmp_ip_snd_options_len; /* Len of IPv4 options */
- uint8_t *icmp_ip_snd_options; /* Ptr to IPv4 options */
- uint8_t icmp_multicast_ttl; /* IP*_MULTICAST_TTL/HOPS */
- ipaddr_t icmp_multicast_if_addr; /* IP_MULTICAST_IF option */
- uint_t icmp_multicast_if_index; /* IPV6_MULTICAST_IF option */
- int icmp_bound_if; /* IP*_BOUND_IF option */
/* Written to only once at the time of opening the endpoint */
conn_t *icmp_connp;
- /* Following protected by icmp_rwlock */
uint_t
- icmp_debug : 1, /* SO_DEBUG "socket" option. */
- icmp_dontroute : 1, /* SO_DONTROUTE "socket" option. */
- icmp_broadcast : 1, /* SO_BROADCAST "socket" option. */
- icmp_reuseaddr : 1, /* SO_REUSEADDR "socket" option. */
-
- icmp_useloopback : 1, /* SO_USELOOPBACK "socket" option. */
icmp_hdrincl : 1, /* IP_HDRINCL option + RAW and IGMP */
- icmp_dgram_errind : 1, /* SO_DGRAM_ERRIND option */
- icmp_unspec_source : 1, /* IP*_UNSPEC_SRC option */
- icmp_raw_checksum : 1, /* raw checksum per IPV6_CHECKSUM */
- icmp_no_tp_cksum : 1, /* icmp_proto is UDP or TCP */
- icmp_ip_recvpktinfo : 1, /* IPV[4,6]_RECVPKTINFO option */
- icmp_ipv6_recvhoplimit : 1, /* IPV6_RECVHOPLIMIT option */
+ icmp_pad_to_bit_31: 31;
- icmp_ipv6_recvhopopts : 1, /* IPV6_RECVHOPOPTS option */
- icmp_ipv6_recvdstopts : 1, /* IPV6_RECVDSTOPTS option */
- icmp_ipv6_recvrthdr : 1, /* IPV6_RECVRTHDR option */
- icmp_ipv6_recvpathmtu : 1, /* IPV6_RECVPATHMTU option */
-
- icmp_recvif:1, /* IP_RECVIF for raw sockets option */
- icmp_ipv6_recvtclass : 1, /* IPV6_RECVTCLASS option */
- icmp_ipv6_recvrtdstopts : 1, /* Obsolete IPV6_RECVRTHDRDSTOPTS */
- icmp_old_ipv6_recvdstopts : 1, /* Old ver of IPV6_RECVDSTOPTS */
-
- icmp_timestamp : 1, /* SO_TIMESTAMP "socket" option */
-
- icmp_pad_to_bit_31: 11;
-
- uint8_t icmp_type_of_service;
- uint8_t icmp_ttl; /* TTL or hoplimit */
- uint32_t icmp_checksum_off; /* user supplied checksum offset */
icmp6_filter_t *icmp_filter; /* ICMP6_FILTER option */
- ip6_pkt_t icmp_sticky_ipp; /* Sticky options */
- uint8_t *icmp_sticky_hdrs; /* Prebuilt IPv6 hdrs */
- uint_t icmp_sticky_hdrs_len; /* Incl. ip6h and any ip6i */
- zoneid_t icmp_zoneid; /* ID of owning zone */
- uint_t icmp_label_len; /* length of security label */
- uint_t icmp_label_len_v6; /* sec. part of sticky opt */
- in6_addr_t icmp_v6lastdst; /* most recent destination */
- cred_t *icmp_last_cred; /* most recent credentials */
- cred_t *icmp_effective_cred; /* cred with effective label */
+ /* Set at open time and never changed */
icmp_stack_t *icmp_is; /* Stack instance */
- size_t icmp_xmit_hiwat;
- size_t icmp_xmit_lowat;
- size_t icmp_recv_hiwat;
- size_t icmp_recv_lowat;
+
int icmp_delayed_error;
kmutex_t icmp_recv_lock;
mblk_t *icmp_fallback_queue_head;
@@ -165,6 +103,10 @@ typedef struct icmp_s {
extern optdb_obj_t icmp_opt_obj;
extern uint_t icmp_max_optsize;
+extern int icmp_opt_default(queue_t *, t_scalar_t, t_scalar_t, uchar_t *);
+extern int icmp_tpi_opt_get(queue_t *, t_scalar_t, t_scalar_t, uchar_t *);
+extern int icmp_tpi_opt_set(queue_t *, uint_t, int, int, uint_t, uchar_t *,
+ uint_t *, uchar_t *, void *, cred_t *);
extern mblk_t *icmp_snmp_get(queue_t *q, mblk_t *mpctl);
extern void icmp_ddi_g_init(void);
diff --git a/usr/src/uts/common/inet/rts_impl.h b/usr/src/uts/common/inet/rts_impl.h
index de7cd8970b..b2b9080e9e 100644
--- a/usr/src/uts/common/inet/rts_impl.h
+++ b/usr/src/uts/common/inet/rts_impl.h
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/* Copyright (c) 1990 Mentat Inc. */
@@ -71,13 +71,7 @@ typedef struct rts_s {
uint_t rts_state; /* Provider interface state */
uint_t rts_error; /* Routing socket error code */
uint_t rts_flag; /* Pending I/O state */
- uint_t rts_proto; /* SO_PROTOTYPE "socket" option. */
- uint_t rts_debug : 1, /* SO_DEBUG "socket" option. */
- rts_dontroute : 1, /* SO_DONTROUTE "socket" option. */
- rts_broadcast : 1, /* SO_BROADCAST "socket" option. */
- rts_reuseaddr : 1, /* SO_REUSEADDR "socket" option. */
- rts_useloopback : 1, /* SO_USELOOPBACK "socket" option. */
- rts_multicast_loop : 1, /* IP_MULTICAST_LOOP option */
+ uint_t
rts_hdrincl : 1, /* IP_HDRINCL option + RAW and IGMP */
: 0;
@@ -86,30 +80,16 @@ typedef struct rts_s {
/* Written to only once at the time of opening the endpoint */
conn_t *rts_connp;
- /* Outbound flow control */
- size_t rts_xmit_hiwat;
- size_t rts_xmit_lowat;
-
- /* Inbound flow control */
- size_t rts_recv_hiwat;
- size_t rts_recv_lowat;
-
- kmutex_t rts_send_mutex;
- kmutex_t rts_recv_mutex;
- kcondvar_t rts_send_cv;
- kcondvar_t rts_io_cv;
+ kmutex_t rts_recv_mutex; /* For recv flow control */
} rts_t;
#define RTS_WPUT_PENDING 0x1 /* Waiting for write-side to complete */
-#define RTS_REQ_PENDING 0x1 /* For direct sockets */
#define RTS_WRW_PENDING 0x2 /* Routing socket write in progress */
-#define RTS_REQ_INPROG 0x2 /* For direct sockets */
/*
* Object to represent database of options to search passed to
* {sock,tpi}optcom_req() interface routine to take care of option
* management and associated methods.
- * XXX. These and other externs should really move to a rts header.
*/
extern optdb_obj_t rts_opt_obj;
extern uint_t rts_max_optsize;
@@ -119,7 +99,7 @@ extern void rts_ddi_g_destroy(void);
extern int rts_tpi_opt_get(queue_t *, t_scalar_t, t_scalar_t, uchar_t *);
extern int rts_tpi_opt_set(queue_t *, uint_t, int, int, uint_t, uchar_t *,
- uint_t *, uchar_t *, void *, cred_t *, mblk_t *);
+ uint_t *, uchar_t *, void *, cred_t *);
extern int rts_opt_default(queue_t *q, t_scalar_t level, t_scalar_t name,
uchar_t *ptr);
diff --git a/usr/src/uts/common/inet/sadb.h b/usr/src/uts/common/inet/sadb.h
index 6d3b9b5b27..7a45a41b85 100644
--- a/usr/src/uts/common/inet/sadb.h
+++ b/usr/src/uts/common/inet/sadb.h
@@ -37,14 +37,34 @@ extern "C" {
#define IPSA_MAX_ADDRLEN 4 /* Max address len. (in 32-bits) for an SA. */
-/*
- * Return codes of IPsec processing functions.
- */
-typedef enum {
- IPSEC_STATUS_SUCCESS = 1,
- IPSEC_STATUS_FAILED = 2,
- IPSEC_STATUS_PENDING = 3
-} ipsec_status_t;
+#define MAXSALTSIZE 8
+
+/*
+ * For combined mode ciphers, store the crypto_mechanism_t in the
+ * per-packet ipsec_in_t/ipsec_out_t structures. This is because the PARAMS
+ * and nonce values change for each packet. For non-combined mode
+ * ciphers, these values are constant for the life of the SA.
+ */
+typedef struct ipsa_cm_mech_s {
+ crypto_mechanism_t combined_mech;
+ union {
+ CK_AES_CCM_PARAMS paramu_ccm;
+ CK_AES_GCM_PARAMS paramu_gcm;
+ } paramu;
+ uint8_t nonce[MAXSALTSIZE + sizeof (uint64_t)];
+#define param_ulMACSize paramu.paramu_ccm.ulMACSize
+#define param_ulNonceSize paramu.paramu_ccm.ipsa_ulNonceSize
+#define param_ulAuthDataSize paramu.paramu_ccm.ipsa_ulAuthDataSize
+#define param_ulDataSize paramu.paramu_ccm.ipsa_ulDataSize
+#define param_nonce paramu.paramu_ccm.nonce
+#define param_authData paramu.paramu_ccm.authData
+#define param_pIv paramu.paramu_gcm.ipsa_pIv
+#define param_ulIvLen paramu.paramu_gcm.ulIvLen
+#define param_ulIvBits paramu.paramu_gcm.ulIvBits
+#define param_pAAD paramu.paramu_gcm.pAAD
+#define param_ulAADLen paramu.paramu_gcm.ulAADLen
+#define param_ulTagBits paramu.paramu_gcm.ulTagBits
+} ipsa_cm_mech_t;
/*
* The Initialization Vector (also known as IV or Nonce) used to
@@ -280,9 +300,13 @@ typedef struct ipsa_s {
/*
* Input and output processing functions called from IP.
+ * The mblk_t is the data; the IPsec information is in the attributes
+ * Returns NULL if the mblk is consumed which it is if there was
+ * a failure or if pending. If failure then
+ * the ipIfInDiscards/OutDiscards counters are increased.
*/
- ipsec_status_t (*ipsa_output_func)(mblk_t *);
- ipsec_status_t (*ipsa_input_func)(mblk_t *, void *);
+ mblk_t *(*ipsa_output_func)(mblk_t *, ip_xmit_attr_t *);
+ mblk_t *(*ipsa_input_func)(mblk_t *, void *, ip_recv_attr_t *);
/*
* Soft reference to paired SA
@@ -290,8 +314,8 @@ typedef struct ipsa_s {
uint32_t ipsa_otherspi;
netstack_t *ipsa_netstack; /* Does not have a netstack_hold */
- cred_t *ipsa_cred; /* MLS: cred_t attributes */
- cred_t *ipsa_ocred; /* MLS: outer label */
+ ts_label_t *ipsa_tsl; /* MLS: label attributes */
+ ts_label_t *ipsa_otsl; /* MLS: outer label */
uint8_t ipsa_mac_exempt; /* MLS: mac exempt flag */
uchar_t ipsa_opt_storage[IP_MAX_OPT_LENGTH];
} ipsa_t;
@@ -382,7 +406,7 @@ typedef struct ipsa_s {
#define IPSA_F_EALG1 SADB_X_SAFLAGS_EALG1 /* Encrypt alg flag 1 */
#define IPSA_F_EALG2 SADB_X_SAFLAGS_EALG2 /* Encrypt alg flag 2 */
-#define IPSA_F_HW 0x200000 /* hwaccel capable SA */
+#define IPSA_F_ASYNC 0x200000 /* Call KCF asynchronously? */
#define IPSA_F_NATT_LOC SADB_X_SAFLAGS_NATT_LOC
#define IPSA_F_NATT_REM SADB_X_SAFLAGS_NATT_REM
#define IPSA_F_BEHIND_NAT SADB_X_SAFLAGS_NATTED
@@ -503,8 +527,8 @@ typedef struct ipsacq_s {
uint8_t ipsacq_icmp_type;
uint8_t ipsacq_icmp_code;
- /* credentials associated with triggering packet */
- cred_t *ipsacq_cred;
+ /* label associated with triggering packet */
+ ts_label_t *ipsacq_tsl;
} ipsacq_t;
/*
@@ -529,7 +553,7 @@ typedef struct iacqf_s {
* A (network protocol, ipsec protocol) specific SADB.
* (i.e., one each for {ah, esp} and {v4, v6}.
*
- * Keep outbound assocs about the same as ire_cache entries for now.
+ * Keep outbound assocs in a simple hash table for now.
* One danger point, multiple SAs for a single dest will clog a bucket.
* For the future, consider two-level hashing (2nd hash on IPC?), then probe.
*/
@@ -550,7 +574,6 @@ typedef struct sadb_s
typedef struct sadbp_s
{
uint32_t s_satype;
- queue_t *s_ip_q;
uint32_t *s_acquire_timeout;
void (*s_acqfn)(ipsacq_t *, mblk_t *, netstack_t *);
sadb_t s_v4;
@@ -583,14 +606,16 @@ typedef struct templist_s
#define ALL_ZEROES_PTR ((uint32_t *)&ipv6_all_zeros)
/*
- * Form unique id from ipsec_out_t
+ * Form unique id from ip_xmit_attr_t.
*/
-
-#define SA_FORM_UNIQUE_ID(io) \
- SA_UNIQUE_ID((io)->ipsec_out_src_port, (io)->ipsec_out_dst_port, \
- ((io)->ipsec_out_tunnel ? ((io)->ipsec_out_inaf == AF_INET6 ? \
- IPPROTO_IPV6 : IPPROTO_ENCAP) : (io)->ipsec_out_proto), \
- ((io)->ipsec_out_tunnel ? (io)->ipsec_out_proto : 0))
+#define SA_FORM_UNIQUE_ID(ixa) \
+ SA_UNIQUE_ID((ixa)->ixa_ipsec_src_port, (ixa)->ixa_ipsec_dst_port, \
+ (((ixa)->ixa_flags & IXAF_IPSEC_TUNNEL) ? \
+ ((ixa)->ixa_ipsec_inaf == AF_INET6 ? \
+ IPPROTO_IPV6 : IPPROTO_ENCAP) : \
+ (ixa)->ixa_ipsec_proto), \
+ (((ixa)->ixa_flags & IXAF_IPSEC_TUNNEL) ? \
+ (ixa)->ixa_ipsec_proto : 0))
/*
* This macro is used to generate unique ids (along with the addresses, both
@@ -698,8 +723,8 @@ boolean_t sadb_match_query(ipsa_query_t *q, ipsa_t *sa);
/* SA retrieval (inbound and outbound) */
ipsa_t *ipsec_getassocbyspi(isaf_t *, uint32_t, uint32_t *, uint32_t *,
sa_family_t);
-ipsa_t *ipsec_getassocbyconn(isaf_t *, ipsec_out_t *, uint32_t *, uint32_t *,
- sa_family_t, uint8_t, cred_t *);
+ipsa_t *ipsec_getassocbyconn(isaf_t *, ip_xmit_attr_t *, uint32_t *, uint32_t *,
+ sa_family_t, uint8_t, ts_label_t *);
/* SA insertion. */
int sadb_insertassoc(ipsa_t *, isaf_t *);
@@ -727,9 +752,9 @@ boolean_t sadb_addrfix(keysock_in_t *, queue_t *, mblk_t *, netstack_t *);
int sadb_addrset(ire_t *);
int sadb_delget_sa(mblk_t *, keysock_in_t *, sadbp_t *, int *, queue_t *,
uint8_t);
-int sadb_purge_sa(mblk_t *, keysock_in_t *, sadb_t *, int *, queue_t *,
- queue_t *);
-int sadb_common_add(queue_t *, queue_t *, mblk_t *, sadb_msg_t *,
+
+int sadb_purge_sa(mblk_t *, keysock_in_t *, sadb_t *, int *, queue_t *);
+int sadb_common_add(queue_t *, mblk_t *, sadb_msg_t *,
keysock_in_t *, isaf_t *, isaf_t *, ipsa_t *, boolean_t, boolean_t, int *,
netstack_t *, sadbp_t *);
void sadb_set_usetime(ipsa_t *);
@@ -737,7 +762,7 @@ boolean_t sadb_age_bytes(queue_t *, ipsa_t *, uint64_t, boolean_t);
int sadb_update_sa(mblk_t *, keysock_in_t *, mblk_t **, sadbp_t *,
int *, queue_t *, int (*)(mblk_t *, keysock_in_t *, int *, netstack_t *),
netstack_t *, uint8_t);
-void sadb_acquire(mblk_t *, ipsec_out_t *, boolean_t, boolean_t);
+void sadb_acquire(mblk_t *, ip_xmit_attr_t *, boolean_t, boolean_t);
void gcm_params_init(ipsa_t *, uchar_t *, uint_t, uchar_t *, ipsa_cm_mech_t *,
crypto_data_t *);
void ccm_params_init(ipsa_t *, uchar_t *, uint_t, uchar_t *, ipsa_cm_mech_t *,
@@ -754,16 +779,17 @@ boolean_t sadb_replay_check(ipsa_t *, uint32_t);
boolean_t sadb_replay_peek(ipsa_t *, uint32_t);
int sadb_dump(queue_t *, mblk_t *, keysock_in_t *, sadb_t *);
void sadb_replay_delete(ipsa_t *);
-void sadb_ager(sadb_t *, queue_t *, queue_t *, int, netstack_t *);
+void sadb_ager(sadb_t *, queue_t *, int, netstack_t *);
timeout_id_t sadb_retimeout(hrtime_t, queue_t *, void (*)(void *), void *,
uint_t *, uint_t, short);
void sadb_sa_refrele(void *target);
-boolean_t sadb_set_lpkt(ipsa_t *, mblk_t *, netstack_t *);
+boolean_t sadb_set_lpkt(ipsa_t *, mblk_t *, ip_recv_attr_t *);
mblk_t *sadb_clear_lpkt(ipsa_t *);
-void sadb_buf_pkt(ipsa_t *, mblk_t *, netstack_t *);
+void sadb_buf_pkt(ipsa_t *, mblk_t *, ip_recv_attr_t *);
void sadb_clear_buf_pkt(void *ipkt);
+/* Note that buf_pkt is the product of ip_recv_attr_to_mblk() */
#define HANDLE_BUF_PKT(taskq, stack, dropper, buf_pkt) \
{ \
if (buf_pkt != NULL) { \
@@ -774,8 +800,9 @@ void sadb_clear_buf_pkt(void *ipkt);
while (buf_pkt != NULL) { \
tmp = buf_pkt->b_next; \
buf_pkt->b_next = NULL; \
+ buf_pkt = ip_recv_attr_free_mblk(buf_pkt); \
ip_drop_packet(buf_pkt, B_TRUE, NULL, \
- NULL, DROPPER(stack, \
+ DROPPER(stack, \
ipds_sadb_inidle_timeout), \
&dropper); \
buf_pkt = tmp; \
@@ -785,24 +812,8 @@ void sadb_clear_buf_pkt(void *ipkt);
} \
/*
- * Hw accel-related calls (downloading sadb to driver)
- */
-void sadb_ill_download(ill_t *, uint_t);
-mblk_t *sadb_fmt_sa_req(uint_t, uint_t, ipsa_t *, boolean_t);
-/*
- * Sub-set of the IPsec hardware acceleration capabilities functions
- * implemented by ip_if.c
- */
-extern boolean_t ipsec_capab_match(ill_t *, uint_t, boolean_t, ipsa_t *,
- netstack_t *);
-extern void ill_ipsec_capab_send_all(uint_t, mblk_t *, ipsa_t *,
- netstack_t *);
-
-
-/*
- * One IPsec -> IP linking routine, and two IPsec rate-limiting routines.
+ * Two IPsec rate-limiting routines.
*/
-extern boolean_t sadb_t_bind_req(queue_t *, int);
/*PRINTFLIKE6*/
extern void ipsec_rl_strlog(netstack_t *, short, short, char,
ushort_t, char *, ...)
@@ -818,7 +829,8 @@ extern void ipsec_assocfailure(short, short, char, ushort_t, char *, uint32_t,
typedef enum ipsec_algtype {
IPSEC_ALG_AUTH = 0,
- IPSEC_ALG_ENCR = 1
+ IPSEC_ALG_ENCR = 1,
+ IPSEC_ALG_ALL = 2
} ipsec_algtype_t;
/*
@@ -886,11 +898,10 @@ extern void ipsec_alg_fix_min_max(ipsec_alginfo_t *, ipsec_algtype_t,
extern void alg_flag_check(ipsec_alginfo_t *);
extern void ipsec_alg_free(ipsec_alginfo_t *);
extern void ipsec_register_prov_update(void);
-extern void sadb_alg_update(ipsec_algtype_t, uint8_t, boolean_t,
- netstack_t *);
+extern void sadb_alg_update(ipsec_algtype_t, uint8_t, boolean_t, netstack_t *);
-extern int sadb_sens_len_from_cred(cred_t *);
-extern void sadb_sens_from_cred(sadb_sens_t *, int, cred_t *, int);
+extern int sadb_sens_len_from_label(ts_label_t *);
+extern void sadb_sens_from_label(sadb_sens_t *, int, ts_label_t *, int);
/*
* Context templates management.
diff --git a/usr/src/uts/common/inet/sctp/sctp.c b/usr/src/uts/common/inet/sctp/sctp.c
index 00fc6cda42..d444e1f10e 100644
--- a/usr/src/uts/common/inet/sctp/sctp.c
+++ b/usr/src/uts/common/inet/sctp/sctp.c
@@ -56,6 +56,8 @@
#include <inet/common.h>
#include <inet/ip.h>
+#include <inet/ip_if.h>
+#include <inet/ip_ire.h>
#include <inet/ip6.h>
#include <inet/mi.h>
#include <inet/mib2.h>
@@ -74,12 +76,6 @@
int sctpdebug;
sin6_t sctp_sin6_null; /* Zero address for quick clears */
-/*
- * Have to ensure that sctp_g_q_close is not done by an
- * interrupt thread.
- */
-static taskq_t *sctp_taskq;
-
static void sctp_closei_local(sctp_t *sctp);
static int sctp_init_values(sctp_t *, sctp_t *, int);
static void sctp_icmp_error_ipv6(sctp_t *sctp, mblk_t *mp);
@@ -91,12 +87,10 @@ static void sctp_conn_cache_fini();
static int sctp_conn_cache_constructor();
static void sctp_conn_cache_destructor();
static void sctp_conn_clear(conn_t *);
-void sctp_g_q_setup(sctp_stack_t *);
-void sctp_g_q_create(sctp_stack_t *);
-void sctp_g_q_destroy(sctp_stack_t *);
+static void sctp_notify(void *, ip_xmit_attr_t *, ixa_notify_type_t,
+ ixa_notify_arg_t);
static void *sctp_stack_init(netstackid_t stackid, netstack_t *ns);
-static void sctp_stack_shutdown(netstackid_t stackid, void *arg);
static void sctp_stack_fini(netstackid_t stackid, void *arg);
/*
@@ -178,8 +172,8 @@ sctp_create_eager(sctp_t *psctp)
{
sctp_t *sctp;
mblk_t *ack_mp, *hb_mp;
- conn_t *connp, *pconnp;
- cred_t *credp;
+ conn_t *connp;
+ cred_t *credp;
sctp_stack_t *sctps = psctp->sctp_sctps;
if ((connp = ipcl_conn_create(IPCL_SCTPCONN, KM_NOSLEEP,
@@ -187,8 +181,6 @@ sctp_create_eager(sctp_t *psctp)
return (NULL);
}
- connp->conn_ulp_labeled = is_system_labeled();
-
sctp = CONN2SCTP(connp);
sctp->sctp_sctps = sctps;
@@ -200,7 +192,6 @@ sctp_create_eager(sctp_t *psctp)
freeb(ack_mp);
sctp_conn_clear(connp);
sctp->sctp_sctps = NULL;
- SCTP_G_Q_REFRELE(sctps);
kmem_cache_free(sctp_conn_cache, connp);
return (NULL);
}
@@ -208,43 +199,20 @@ sctp_create_eager(sctp_t *psctp)
sctp->sctp_ack_mp = ack_mp;
sctp->sctp_heartbeat_mp = hb_mp;
- /* Inherit information from the "parent" */
- sctp->sctp_ipversion = psctp->sctp_ipversion;
- sctp->sctp_family = psctp->sctp_family;
- pconnp = psctp->sctp_connp;
- connp->conn_af_isv6 = pconnp->conn_af_isv6;
- connp->conn_pkt_isv6 = pconnp->conn_pkt_isv6;
- connp->conn_ipv6_v6only = pconnp->conn_ipv6_v6only;
if (sctp_init_values(sctp, psctp, KM_NOSLEEP) != 0) {
freeb(ack_mp);
freeb(hb_mp);
sctp_conn_clear(connp);
sctp->sctp_sctps = NULL;
- SCTP_G_Q_REFRELE(sctps);
kmem_cache_free(sctp_conn_cache, connp);
return (NULL);
}
- /*
- * If the parent is multilevel, then we'll fix up the remote cred
- * when we do sctp_accept_comm.
- */
- if ((credp = pconnp->conn_cred) != NULL) {
+ if ((credp = psctp->sctp_connp->conn_cred) != NULL) {
connp->conn_cred = credp;
crhold(credp);
- /*
- * If the caller has the process-wide flag set, then default to
- * MAC exempt mode. This allows read-down to unlabeled hosts.
- */
- if (getpflags(NET_MAC_AWARE, credp) != 0)
- connp->conn_mac_mode = CONN_MAC_AWARE;
}
- connp->conn_allzones = pconnp->conn_allzones;
- connp->conn_zoneid = pconnp->conn_zoneid;
- sctp->sctp_cpid = psctp->sctp_cpid;
- sctp->sctp_open_time = lbolt64;
-
sctp->sctp_mss = psctp->sctp_mss;
sctp->sctp_detached = B_TRUE;
/*
@@ -263,11 +231,6 @@ void
sctp_clean_death(sctp_t *sctp, int err)
{
ASSERT(sctp != NULL);
- ASSERT((sctp->sctp_family == AF_INET &&
- sctp->sctp_ipversion == IPV4_VERSION) ||
- (sctp->sctp_family == AF_INET6 &&
- (sctp->sctp_ipversion == IPV4_VERSION ||
- sctp->sctp_ipversion == IPV6_VERSION)));
dprint(3, ("sctp_clean_death %p, state %d\n", (void *)sctp,
sctp->sctp_state));
@@ -328,7 +291,8 @@ sctp_clean_death(sctp_t *sctp, int err)
int
sctp_disconnect(sctp_t *sctp)
{
- int error = 0;
+ int error = 0;
+ conn_t *connp = sctp->sctp_connp;
dprint(3, ("sctp_disconnect %p, state %d\n", (void *)sctp,
sctp->sctp_state));
@@ -358,7 +322,7 @@ sctp_disconnect(sctp_t *sctp)
* If SO_LINGER has set a zero linger time, terminate the
* association and send an ABORT.
*/
- if (sctp->sctp_linger && sctp->sctp_lingertime == 0) {
+ if (connp->conn_linger && connp->conn_lingertime == 0) {
sctp_user_abort(sctp, NULL);
WAKE_SCTP(sctp);
return (error);
@@ -382,7 +346,7 @@ sctp_disconnect(sctp_t *sctp)
sctp_send_shutdown(sctp, 0);
/* Pass gathered wisdom to IP for keeping */
- sctp_update_ire(sctp);
+ sctp_update_dce(sctp);
/*
* If lingering on close then wait until the shutdown
@@ -391,21 +355,15 @@ sctp_disconnect(sctp_t *sctp)
* can be called more than once. Make sure that only
* one thread waits.
*/
- if (sctp->sctp_linger && sctp->sctp_lingertime > 0 &&
+ if (connp->conn_linger && connp->conn_lingertime > 0 &&
sctp->sctp_state >= SCTPS_ESTABLISHED &&
!sctp->sctp_lingering) {
clock_t stoptime; /* in ticks */
clock_t ret;
- /*
- * Process the sendq to send the SHUTDOWN out
- * before waiting.
- */
- sctp_process_sendq(sctp);
-
sctp->sctp_lingering = 1;
sctp->sctp_client_errno = 0;
- stoptime = lbolt + sctp->sctp_lingertime;
+ stoptime = lbolt + connp->conn_lingertime * hz;
mutex_enter(&sctp->sctp_lock);
sctp->sctp_running = B_FALSE;
@@ -429,7 +387,6 @@ sctp_disconnect(sctp_t *sctp)
}
WAKE_SCTP(sctp);
- sctp_process_sendq(sctp);
return (error);
}
@@ -493,7 +450,6 @@ static void
sctp_closei_local(sctp_t *sctp)
{
mblk_t *mp;
- ire_t *ire = NULL;
conn_t *connp = sctp->sctp_connp;
/* Sanity check, don't do the same thing twice. */
@@ -516,11 +472,7 @@ sctp_closei_local(sctp_t *sctp)
/* Set the CONN_CLOSING flag so that IP will not cache IRE again. */
mutex_enter(&connp->conn_lock);
connp->conn_state_flags |= CONN_CLOSING;
- ire = connp->conn_ire_cache;
- connp->conn_ire_cache = NULL;
mutex_exit(&connp->conn_lock);
- if (ire != NULL)
- IRE_REFRELE_NOTR(ire);
/* Remove from all hashes. */
sctp_bind_hash_remove(sctp);
@@ -534,14 +486,12 @@ sctp_closei_local(sctp_t *sctp)
*/
mutex_enter(&sctp->sctp_recvq_lock);
while ((mp = sctp->sctp_recvq) != NULL) {
- mblk_t *ipsec_mp;
-
sctp->sctp_recvq = mp->b_next;
mp->b_next = NULL;
- if ((ipsec_mp = mp->b_prev) != NULL) {
- freeb(ipsec_mp);
- mp->b_prev = NULL;
- }
+
+ if (ip_recv_attr_is_mblk(mp))
+ mp = ip_recv_attr_free_mblk(mp);
+
freemsg(mp);
}
mutex_exit(&sctp->sctp_recvq_lock);
@@ -668,7 +618,7 @@ sctp_free(conn_t *connp)
SCTP_UNLINK(sctp, sctps);
ASSERT(connp->conn_ref == 0);
- ASSERT(connp->conn_ulp == IPPROTO_SCTP);
+ ASSERT(connp->conn_proto == IPPROTO_SCTP);
ASSERT(!MUTEX_HELD(&sctp->sctp_reflock));
ASSERT(sctp->sctp_refcnt == 0);
@@ -723,8 +673,6 @@ sctp_free(conn_t *connp)
list_destroy(&sctp->sctp_saddrs[cnt].sctp_ipif_list);
}
- ip6_pkt_free(&sctp->sctp_sticky_ipp);
-
if (sctp->sctp_hopopts != NULL) {
mi_free(sctp->sctp_hopopts);
sctp->sctp_hopopts = NULL;
@@ -737,12 +685,12 @@ sctp_free(conn_t *connp)
sctp->sctp_dstoptslen = 0;
}
ASSERT(sctp->sctp_dstoptslen == 0);
- if (sctp->sctp_rtdstopts != NULL) {
- mi_free(sctp->sctp_rtdstopts);
- sctp->sctp_rtdstopts = NULL;
- sctp->sctp_rtdstoptslen = 0;
+ if (sctp->sctp_rthdrdstopts != NULL) {
+ mi_free(sctp->sctp_rthdrdstopts);
+ sctp->sctp_rthdrdstopts = NULL;
+ sctp->sctp_rthdrdstoptslen = 0;
}
- ASSERT(sctp->sctp_rtdstoptslen == 0);
+ ASSERT(sctp->sctp_rthdrdstoptslen == 0);
if (sctp->sctp_rthdr != NULL) {
mi_free(sctp->sctp_rthdr);
sctp->sctp_rthdr = NULL;
@@ -806,9 +754,7 @@ sctp_free(conn_t *connp)
sctp->sctp_v6label_len = 0;
sctp->sctp_v4label_len = 0;
- /* Every sctp_t holds one reference on the default queue */
sctp->sctp_sctps = NULL;
- SCTP_G_Q_REFRELE(sctps);
sctp_conn_clear(connp);
kmem_cache_free(sctp_conn_cache, connp);
@@ -822,10 +768,12 @@ sctp_display(sctp_t *sctp, char *sup_buf)
char buf1[30];
static char priv_buf[INET6_ADDRSTRLEN * 2 + 80];
char *cp;
+ conn_t *connp;
if (sctp == NULL)
return ("NULL_SCTP");
+ connp = sctp->sctp_connp;
buf = (sup_buf != NULL) ? sup_buf : priv_buf;
switch (sctp->sctp_state) {
@@ -865,7 +813,7 @@ sctp_display(sctp_t *sctp, char *sup_buf)
break;
}
(void) mi_sprintf(buf, "[%u, %u] %s",
- ntohs(sctp->sctp_lport), ntohs(sctp->sctp_fport), cp);
+ ntohs(connp->conn_lport), ntohs(connp->conn_fport), cp);
return (buf);
}
@@ -880,13 +828,9 @@ sctp_init_values(sctp_t *sctp, sctp_t *psctp, int sleep)
int err;
int cnt;
sctp_stack_t *sctps = sctp->sctp_sctps;
- conn_t *connp, *pconnp;
+ conn_t *connp;
- ASSERT((sctp->sctp_family == AF_INET &&
- sctp->sctp_ipversion == IPV4_VERSION) ||
- (sctp->sctp_family == AF_INET6 &&
- (sctp->sctp_ipversion == IPV4_VERSION ||
- sctp->sctp_ipversion == IPV6_VERSION)));
+ connp = sctp->sctp_connp;
sctp->sctp_nsaddrs = 0;
for (cnt = 0; cnt < SCTP_IPIF_HASH; cnt++) {
@@ -895,7 +839,7 @@ sctp_init_values(sctp_t *sctp, sctp_t *psctp, int sleep)
sizeof (sctp_saddr_ipif_t), offsetof(sctp_saddr_ipif_t,
saddr_ipif));
}
- sctp->sctp_ports = 0;
+ connp->conn_ports = 0;
sctp->sctp_running = B_FALSE;
sctp->sctp_state = SCTPS_IDLE;
@@ -925,51 +869,16 @@ sctp_init_values(sctp_t *sctp, sctp_t *psctp, int sleep)
if (psctp != NULL) {
/*
* Inherit from parent
+ *
+ * Start by inheriting from the conn_t, including conn_ixa and
+ * conn_xmit_ipp.
*/
- sctp->sctp_iphc = kmem_zalloc(psctp->sctp_iphc_len, sleep);
- if (sctp->sctp_iphc == NULL) {
- sctp->sctp_iphc_len = 0;
- err = ENOMEM;
- goto failure;
- }
- sctp->sctp_iphc_len = psctp->sctp_iphc_len;
- sctp->sctp_hdr_len = psctp->sctp_hdr_len;
-
- sctp->sctp_iphc6 = kmem_zalloc(psctp->sctp_iphc6_len, sleep);
- if (sctp->sctp_iphc6 == NULL) {
- sctp->sctp_iphc6_len = 0;
- err = ENOMEM;
+ err = conn_inherit_parent(psctp->sctp_connp, connp);
+ if (err != 0)
goto failure;
- }
- sctp->sctp_iphc6_len = psctp->sctp_iphc6_len;
- sctp->sctp_hdr6_len = psctp->sctp_hdr6_len;
-
- sctp->sctp_ip_hdr_len = psctp->sctp_ip_hdr_len;
- sctp->sctp_ip_hdr6_len = psctp->sctp_ip_hdr6_len;
-
- /*
- * Copy the IP+SCTP header templates from listener
- */
- bcopy(psctp->sctp_iphc, sctp->sctp_iphc,
- psctp->sctp_hdr_len);
- sctp->sctp_ipha = (ipha_t *)sctp->sctp_iphc;
- sctp->sctp_sctph = (sctp_hdr_t *)(sctp->sctp_iphc +
- sctp->sctp_ip_hdr_len);
-
- bcopy(psctp->sctp_iphc6, sctp->sctp_iphc6,
- psctp->sctp_hdr6_len);
- if (((ip6i_t *)(sctp->sctp_iphc6))->ip6i_nxt == IPPROTO_RAW) {
- sctp->sctp_ip6h = (ip6_t *)(sctp->sctp_iphc6 +
- sizeof (ip6i_t));
- } else {
- sctp->sctp_ip6h = (ip6_t *)sctp->sctp_iphc6;
- }
- sctp->sctp_sctph6 = (sctp_hdr_t *)(sctp->sctp_iphc6 +
- sctp->sctp_ip_hdr6_len);
sctp->sctp_cookie_lifetime = psctp->sctp_cookie_lifetime;
- sctp->sctp_xmit_lowater = psctp->sctp_xmit_lowater;
- sctp->sctp_xmit_hiwater = psctp->sctp_xmit_hiwater;
+
sctp->sctp_cwnd_max = psctp->sctp_cwnd_max;
sctp->sctp_rwnd = psctp->sctp_rwnd;
sctp->sctp_irwnd = psctp->sctp_rwnd;
@@ -996,43 +905,23 @@ sctp_init_values(sctp_t *sctp, sctp_t *psctp, int sleep)
sctp->sctp_tx_adaptation_code = psctp->sctp_tx_adaptation_code;
/* xxx should be a better way to copy these flags xxx */
- sctp->sctp_debug = psctp->sctp_debug;
sctp->sctp_bound_to_all = psctp->sctp_bound_to_all;
sctp->sctp_cansleep = psctp->sctp_cansleep;
sctp->sctp_send_adaptation = psctp->sctp_send_adaptation;
sctp->sctp_ndelay = psctp->sctp_ndelay;
sctp->sctp_events = psctp->sctp_events;
- sctp->sctp_ipv6_recvancillary = psctp->sctp_ipv6_recvancillary;
-
- /* Copy IP-layer options */
- connp = sctp->sctp_connp;
- pconnp = psctp->sctp_connp;
-
- connp->conn_broadcast = pconnp->conn_broadcast;
- connp->conn_loopback = pconnp->conn_loopback;
- connp->conn_dontroute = pconnp->conn_dontroute;
- connp->conn_reuseaddr = pconnp->conn_reuseaddr;
-
} else {
/*
- * Initialize the header template
- */
- if ((err = sctp_header_init_ipv4(sctp, sleep)) != 0) {
- goto failure;
- }
- if ((err = sctp_header_init_ipv6(sctp, sleep)) != 0) {
- goto failure;
- }
-
- /*
* Set to system defaults
*/
sctp->sctp_cookie_lifetime =
MSEC_TO_TICK(sctps->sctps_cookie_life);
- sctp->sctp_xmit_lowater = sctps->sctps_xmit_lowat;
- sctp->sctp_xmit_hiwater = sctps->sctps_xmit_hiwat;
+ connp->conn_sndlowat = sctps->sctps_xmit_lowat;
+ connp->conn_sndbuf = sctps->sctps_xmit_hiwat;
+ connp->conn_rcvbuf = sctps->sctps_recv_hiwat;
+
sctp->sctp_cwnd_max = sctps->sctps_cwnd_max_;
- sctp->sctp_rwnd = sctps->sctps_recv_hiwat;
+ sctp->sctp_rwnd = connp->conn_rcvbuf;
sctp->sctp_irwnd = sctp->sctp_rwnd;
sctp->sctp_pd_point = sctp->sctp_rwnd;
sctp->sctp_rto_max = MSEC_TO_TICK(sctps->sctps_rto_maxg);
@@ -1049,13 +938,28 @@ sctp_init_values(sctp_t *sctp, sctp_t *psctp, int sleep)
sctp->sctp_hb_interval =
MSEC_TO_TICK(sctps->sctps_heartbeat_interval);
+
+ if (connp->conn_family == AF_INET)
+ connp->conn_default_ttl = sctps->sctps_ipv4_ttl;
+ else
+ connp->conn_default_ttl = sctps->sctps_ipv6_hoplimit;
+
+ connp->conn_xmit_ipp.ipp_unicast_hops =
+ connp->conn_default_ttl;
+
+ /*
+ * Initialize the header template
+ */
+ if ((err = sctp_build_hdrs(sctp, sleep)) != 0) {
+ goto failure;
+ }
}
+
sctp->sctp_understands_asconf = B_TRUE;
sctp->sctp_understands_addip = B_TRUE;
sctp->sctp_prsctp_aware = B_FALSE;
sctp->sctp_connp->conn_ref = 1;
- sctp->sctp_connp->conn_fully_bound = B_FALSE;
sctp->sctp_prsctpdrop = 0;
sctp->sctp_msgcount = 0;
@@ -1063,14 +967,7 @@ sctp_init_values(sctp_t *sctp, sctp_t *psctp, int sleep)
return (0);
failure:
- if (sctp->sctp_iphc != NULL) {
- kmem_free(sctp->sctp_iphc, sctp->sctp_iphc_len);
- sctp->sctp_iphc = NULL;
- }
- if (sctp->sctp_iphc6 != NULL) {
- kmem_free(sctp->sctp_iphc6, sctp->sctp_iphc6_len);
- sctp->sctp_iphc6 = NULL;
- }
+ sctp_headers_free(sctp);
return (err);
}
@@ -1102,8 +999,122 @@ sctp_icmp_verf(sctp_t *sctp, sctp_hdr_t *sh, mblk_t *mp)
}
/*
+ * Update the SCTP state according to change of PMTU.
+ *
+ * Path MTU might have changed by either increase or decrease, so need to
+ * adjust the MSS based on the value of ixa_pmtu.
+ */
+static void
+sctp_update_pmtu(sctp_t *sctp, sctp_faddr_t *fp, boolean_t decrease_only)
+{
+ uint32_t pmtu;
+ int32_t mss;
+ ip_xmit_attr_t *ixa = fp->ixa;
+
+ if (sctp->sctp_state < SCTPS_ESTABLISHED)
+ return;
+
+ /*
+ * Always call ip_get_pmtu() to make sure that IP has updated
+ * ixa_flags properly.
+ */
+ pmtu = ip_get_pmtu(ixa);
+
+ /*
+ * Calculate the MSS by decreasing the PMTU by sctp_hdr_len and
+ * IPsec overhead if applied. Make sure to use the most recent
+ * IPsec information.
+ */
+ mss = pmtu - conn_ipsec_length(sctp->sctp_connp);
+ if (ixa->ixa_flags & IXAF_IS_IPV4)
+ mss -= sctp->sctp_hdr_len;
+ else
+ mss -= sctp->sctp_hdr6_len;
+
+ /*
+ * Nothing to change, so just return.
+ */
+ if (mss == fp->sfa_pmss)
+ return;
+
+ /*
+ * Currently, for ICMP errors, only PMTU decrease is handled.
+ */
+ if (mss > fp->sfa_pmss && decrease_only)
+ return;
+
+#ifdef DEBUG
+ (void) printf("sctp_update_pmtu mss from %d to %d\n",
+ fp->sfa_pmss, mss);
+#endif
+ DTRACE_PROBE2(sctp_update_pmtu, int32_t, fp->sfa_pmss, uint32_t, mss);
+
+ /*
+ * Update ixa_fragsize and ixa_pmtu.
+ */
+ ixa->ixa_fragsize = ixa->ixa_pmtu = pmtu;
+
+ /*
+ * Make sure that sfa_pmss is a multiple of
+ * SCTP_ALIGN.
+ */
+ fp->sfa_pmss = mss & ~(SCTP_ALIGN - 1);
+ fp->pmtu_discovered = 1;
+
+#ifdef notyet
+ if (mss < sctp->sctp_sctps->sctps_mss_min)
+ ixa->ixa_flags |= IXAF_PMTU_TOO_SMALL;
+#endif
+ if (ixa->ixa_flags & IXAF_PMTU_TOO_SMALL)
+ ixa->ixa_flags &= ~(IXAF_DONTFRAG | IXAF_PMTU_IPV4_DF);
+
+ /*
+ * If below the min size then ip_get_pmtu cleared IXAF_PMTU_IPV4_DF.
+ * Make sure to clear IXAF_DONTFRAG, which is used by IP to decide
+ * whether to fragment the packet.
+ */
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ if (!(ixa->ixa_flags & IXAF_PMTU_IPV4_DF)) {
+ fp->df = B_FALSE;
+ if (fp == sctp->sctp_current) {
+ sctp->sctp_ipha->
+ ipha_fragment_offset_and_flags = 0;
+ }
+ }
+ }
+}
+
+/*
+ * Notify function registered with ip_xmit_attr_t. It's called in the context
+ * of conn_ip_output so it's safe to update the SCTP state.
+ * Currently only used for pmtu changes.
+ */
+/* ARGSUSED1 */
+static void
+sctp_notify(void *arg, ip_xmit_attr_t *ixa, ixa_notify_type_t ntype,
+ ixa_notify_arg_t narg)
+{
+ sctp_t *sctp = (sctp_t *)arg;
+ sctp_faddr_t *fp;
+
+ switch (ntype) {
+ case IXAN_PMTU:
+ /* Find the faddr based on the ip_xmit_attr_t pointer */
+ for (fp = sctp->sctp_faddrs; fp != NULL; fp = fp->next) {
+ if (fp->ixa == ixa)
+ break;
+ }
+ if (fp != NULL)
+ sctp_update_pmtu(sctp, fp, B_FALSE);
+ break;
+ default:
+ break;
+ }
+}
+
+/*
* sctp_icmp_error is called by sctp_input() to process ICMP error messages
- * passed up by IP. The queue is the default queue. We need to find a sctp_t
+ * passed up by IP. We need to find a sctp_t
* that corresponds to the returned datagram. Passes the message back in on
* the correct queue once it has located the connection.
* Assumes that IP has pulled up everything up to and including
@@ -1116,8 +1127,6 @@ sctp_icmp_error(sctp_t *sctp, mblk_t *mp)
ipha_t *ipha;
int iph_hdr_length;
sctp_hdr_t *sctph;
- mblk_t *first_mp;
- uint32_t new_mtu;
in6_addr_t dst;
sctp_faddr_t *fp;
sctp_stack_t *sctps = sctp->sctp_sctps;
@@ -1125,12 +1134,10 @@ sctp_icmp_error(sctp_t *sctp, mblk_t *mp)
dprint(1, ("sctp_icmp_error: sctp=%p, mp=%p\n", (void *)sctp,
(void *)mp));
- first_mp = mp;
-
ipha = (ipha_t *)mp->b_rptr;
if (IPH_HDR_VERSION(ipha) != IPV4_VERSION) {
ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION);
- sctp_icmp_error_ipv6(sctp, first_mp);
+ sctp_icmp_error_ipv6(sctp, mp);
return;
}
@@ -1144,7 +1151,7 @@ sctp_icmp_error(sctp_t *sctp, mblk_t *mp)
/* first_mp must expose the full sctp header. */
if ((uchar_t *)(sctph + 1) >= mp->b_wptr) {
/* not enough data for SCTP header */
- freemsg(first_mp);
+ freemsg(mp);
return;
}
@@ -1175,19 +1182,7 @@ sctp_icmp_error(sctp_t *sctp, mblk_t *mp)
if (fp == NULL) {
break;
}
-
- new_mtu = ntohs(icmph->icmph_du_mtu);
-
- if (new_mtu - sctp->sctp_hdr_len >= fp->sfa_pmss)
- break;
-
- /*
- * Make sure that sfa_pmss is a multiple of
- * SCTP_ALIGN.
- */
- fp->sfa_pmss = (new_mtu - sctp->sctp_hdr_len) &
- ~(SCTP_ALIGN - 1);
- fp->pmtu_discovered = 1;
+ sctp_update_pmtu(sctp, fp, B_TRUE);
/*
* It is possible, even likely that a fast retransmit
* attempt has been dropped by ip as a result of this
@@ -1229,7 +1224,7 @@ sctp_icmp_error(sctp_t *sctp, mblk_t *mp)
break;
}
}
- freemsg(first_mp);
+ freemsg(mp);
}
/*
@@ -1246,7 +1241,6 @@ sctp_icmp_error_ipv6(sctp_t *sctp, mblk_t *mp)
uint16_t iph_hdr_length;
sctp_hdr_t *sctpha;
uint8_t *nexthdrp;
- uint32_t new_mtu;
sctp_faddr_t *fp;
sctp_stack_t *sctps = sctp->sctp_sctps;
@@ -1294,16 +1288,16 @@ sctp_icmp_error_ipv6(sctp_t *sctp, mblk_t *mp)
break;
}
- new_mtu = ntohs(icmp6->icmp6_mtu);
-
- if (new_mtu - sctp->sctp_hdr6_len >= fp->sfa_pmss)
- break;
-
- /* Make sure that sfa_pmss is a multiple of SCTP_ALIGN. */
- fp->sfa_pmss = (new_mtu - sctp->sctp_hdr6_len) &
- ~(SCTP_ALIGN - 1);
- fp->pmtu_discovered = 1;
-
+ sctp_update_pmtu(sctp, fp, B_TRUE);
+ /*
+ * It is possible, even likely that a fast retransmit
+ * attempt has been dropped by ip as a result of this
+ * error, retransmission bundles as much as possible.
+ * A retransmit here prevents significant delays waiting
+ * on the timer. Analogous to behaviour of TCP after
+ * ICMP too big.
+ */
+ sctp_rexmit(sctp, fp);
break;
case ICMP6_DST_UNREACH:
@@ -1366,12 +1360,12 @@ sctp_icmp_error_ipv6(sctp_t *sctp, mblk_t *mp)
* If parent pointer is passed in, inherit settings from it.
*/
sctp_t *
-sctp_create(void *ulpd, sctp_t *parent, int family, int flags,
+sctp_create(void *ulpd, sctp_t *parent, int family, int type, int flags,
sock_upcalls_t *upcalls, sctp_sockbuf_limits_t *sbl,
cred_t *credp)
{
sctp_t *sctp, *psctp;
- conn_t *sctp_connp;
+ conn_t *connp;
mblk_t *ack_mp, *hb_mp;
int sleep = flags & SCTP_CAN_BLOCK ? KM_SLEEP : KM_NOSLEEP;
zoneid_t zoneid;
@@ -1403,18 +1397,8 @@ sctp_create(void *ulpd, sctp_t *parent, int family, int flags,
zoneid = GLOBAL_ZONEID;
else
zoneid = crgetzoneid(credp);
-
- /*
- * For stackid zero this is done from strplumb.c, but
- * non-zero stackids are handled here.
- */
- if (sctps->sctps_g_q == NULL &&
- sctps->sctps_netstack->netstack_stackid !=
- GLOBAL_NETSTACKID) {
- sctp_g_q_setup(sctps);
- }
}
- if ((sctp_connp = ipcl_conn_create(IPCL_SCTPCONN, sleep,
+ if ((connp = ipcl_conn_create(IPCL_SCTPCONN, sleep,
sctps->sctps_netstack)) == NULL) {
netstack_rele(sctps->sctps_netstack);
SCTP_KSTAT(sctps, sctp_conn_create);
@@ -1425,49 +1409,38 @@ sctp_create(void *ulpd, sctp_t *parent, int family, int flags,
* done at top of sctp_create.
*/
netstack_rele(sctps->sctps_netstack);
- sctp = CONN2SCTP(sctp_connp);
+ sctp = CONN2SCTP(connp);
sctp->sctp_sctps = sctps;
- sctp_connp->conn_ulp_labeled = is_system_labeled();
if ((ack_mp = sctp_timer_alloc(sctp, sctp_ack_timer, sleep)) == NULL ||
(hb_mp = sctp_timer_alloc(sctp, sctp_heartbeat_timer,
sleep)) == NULL) {
if (ack_mp != NULL)
freeb(ack_mp);
- sctp_conn_clear(sctp_connp);
+ sctp_conn_clear(connp);
sctp->sctp_sctps = NULL;
- SCTP_G_Q_REFRELE(sctps);
- kmem_cache_free(sctp_conn_cache, sctp_connp);
+ kmem_cache_free(sctp_conn_cache, connp);
return (NULL);
}
sctp->sctp_ack_mp = ack_mp;
sctp->sctp_heartbeat_mp = hb_mp;
- switch (family) {
- case AF_INET6:
- sctp_connp->conn_af_isv6 = B_TRUE;
- sctp->sctp_ipversion = IPV6_VERSION;
- sctp->sctp_family = AF_INET6;
- break;
+ /*
+ * Have conn_ip_output drop packets should our outer source
+ * go invalid, and tell us about mtu changes.
+ */
+ connp->conn_ixa->ixa_flags |= IXAF_SET_ULP_CKSUM | IXAF_VERIFY_SOURCE |
+ IXAF_VERIFY_PMTU;
+ connp->conn_family = family;
+ connp->conn_so_type = type;
- case AF_INET:
- sctp_connp->conn_af_isv6 = B_FALSE;
- sctp_connp->conn_pkt_isv6 = B_FALSE;
- sctp->sctp_ipversion = IPV4_VERSION;
- sctp->sctp_family = AF_INET;
- break;
- default:
- ASSERT(0);
- break;
- }
if (sctp_init_values(sctp, psctp, sleep) != 0) {
freeb(ack_mp);
freeb(hb_mp);
- sctp_conn_clear(sctp_connp);
+ sctp_conn_clear(connp);
sctp->sctp_sctps = NULL;
- SCTP_G_Q_REFRELE(sctps);
- kmem_cache_free(sctp_conn_cache, sctp_connp);
+ kmem_cache_free(sctp_conn_cache, connp);
return (NULL);
}
sctp->sctp_cansleep = ((flags & SCTP_CAN_BLOCK) == SCTP_CAN_BLOCK);
@@ -1476,6 +1449,8 @@ sctp_create(void *ulpd, sctp_t *parent, int family, int flags,
sctp->sctp_hdr6_len : sctp->sctp_hdr_len);
if (psctp != NULL) {
+ conn_t *pconnp = psctp->sctp_connp;
+
RUN_SCTP(psctp);
/*
* Inherit local address list, local port. Parent is either
@@ -1488,10 +1463,9 @@ sctp_create(void *ulpd, sctp_t *parent, int family, int flags,
freeb(ack_mp);
freeb(hb_mp);
sctp_headers_free(sctp);
- sctp_conn_clear(sctp_connp);
+ sctp_conn_clear(connp);
sctp->sctp_sctps = NULL;
- SCTP_G_Q_REFRELE(sctps);
- kmem_cache_free(sctp_conn_cache, sctp_connp);
+ kmem_cache_free(sctp_conn_cache, connp);
return (NULL);
}
@@ -1500,28 +1474,32 @@ sctp_create(void *ulpd, sctp_t *parent, int family, int flags,
* followed by sctp_connect(). So don't add this guy to
* bind hash.
*/
- sctp->sctp_lport = psctp->sctp_lport;
+ connp->conn_lport = pconnp->conn_lport;
sctp->sctp_state = SCTPS_BOUND;
- sctp->sctp_allzones = psctp->sctp_allzones;
- sctp->sctp_zoneid = psctp->sctp_zoneid;
WAKE_SCTP(psctp);
} else {
- sctp->sctp_zoneid = zoneid;
- }
-
- sctp->sctp_cpid = curproc->p_pid;
- sctp->sctp_open_time = lbolt64;
+ ASSERT(connp->conn_cred == NULL);
+ connp->conn_zoneid = zoneid;
+ /*
+ * conn_allzones can not be set this early, hence
+ * no IPCL_ZONEID
+ */
+ connp->conn_ixa->ixa_zoneid = zoneid;
+ connp->conn_open_time = lbolt64;
+ connp->conn_cred = credp;
+ crhold(credp);
+ connp->conn_cpid = curproc->p_pid;
- ASSERT(sctp_connp->conn_cred == NULL);
- sctp_connp->conn_cred = credp;
- crhold(credp);
+ /*
+ * If the caller has the process-wide flag set, then default to
+ * MAC exempt mode. This allows read-down to unlabeled hosts.
+ */
+ if (getpflags(NET_MAC_AWARE, credp) != 0)
+ connp->conn_mac_mode = CONN_MAC_AWARE;
- /*
- * If the caller has the process-wide flag set, then default to MAC
- * exempt mode. This allows read-down to unlabeled hosts.
- */
- if (getpflags(NET_MAC_AWARE, credp) != 0)
- sctp_connp->conn_mac_mode = CONN_MAC_AWARE;
+ connp->conn_zone_is_global =
+ (crgetzoneid(credp) == GLOBAL_ZONEID);
+ }
/* Initialize SCTP instance values, our verf tag must never be 0 */
(void) random_get_pseudo_bytes((uint8_t *)&sctp->sctp_lvtag,
@@ -1536,20 +1514,17 @@ sctp_create(void *ulpd, sctp_t *parent, int family, int flags,
sctp->sctp_adv_pap = sctp->sctp_lastack_rxd;
/* Information required by upper layer */
- if (ulpd != NULL) {
- sctp->sctp_ulpd = ulpd;
-
- ASSERT(upcalls != NULL);
- sctp->sctp_upcalls = upcalls;
- ASSERT(sbl != NULL);
- /* Fill in the socket buffer limits for sctpsockfs */
- sbl->sbl_txlowat = sctp->sctp_xmit_lowater;
- sbl->sbl_txbuf = sctp->sctp_xmit_hiwater;
- sbl->sbl_rxbuf = sctp->sctp_rwnd;
- sbl->sbl_rxlowat = SCTP_RECV_LOWATER;
- }
- /* If no ulpd, must be creating the default sctp */
- ASSERT(ulpd != NULL || sctps->sctps_gsctp == NULL);
+ ASSERT(ulpd != NULL);
+ sctp->sctp_ulpd = ulpd;
+
+ ASSERT(upcalls != NULL);
+ sctp->sctp_upcalls = upcalls;
+ ASSERT(sbl != NULL);
+ /* Fill in the socket buffer limits for sctpsockfs */
+ sbl->sbl_txlowat = connp->conn_sndlowat;
+ sbl->sbl_txbuf = connp->conn_sndbuf;
+ sbl->sbl_rxbuf = sctp->sctp_rwnd;
+ sbl->sbl_rxlowat = SCTP_RECV_LOWATER;
/* Insert this in the global list. */
SCTP_LINK(sctp, sctps);
@@ -1557,232 +1532,6 @@ sctp_create(void *ulpd, sctp_t *parent, int family, int flags,
return (sctp);
}
-/*
- * Make sure we wait until the default queue is setup, yet allow
- * sctp_g_q_create() to open a SCTP stream.
- * We need to allow sctp_g_q_create() do do an open
- * of sctp, hence we compare curhread.
- * All others have to wait until the sctps_g_q has been
- * setup.
- */
-void
-sctp_g_q_setup(sctp_stack_t *sctps)
-{
- mutex_enter(&sctps->sctps_g_q_lock);
- if (sctps->sctps_g_q != NULL) {
- mutex_exit(&sctps->sctps_g_q_lock);
- return;
- }
- if (sctps->sctps_g_q_creator == NULL) {
- /* This thread will set it up */
- sctps->sctps_g_q_creator = curthread;
- mutex_exit(&sctps->sctps_g_q_lock);
- sctp_g_q_create(sctps);
- mutex_enter(&sctps->sctps_g_q_lock);
- ASSERT(sctps->sctps_g_q_creator == curthread);
- sctps->sctps_g_q_creator = NULL;
- cv_signal(&sctps->sctps_g_q_cv);
- ASSERT(sctps->sctps_g_q != NULL);
- mutex_exit(&sctps->sctps_g_q_lock);
- return;
- }
- /* Everybody but the creator has to wait */
- if (sctps->sctps_g_q_creator != curthread) {
- while (sctps->sctps_g_q == NULL)
- cv_wait(&sctps->sctps_g_q_cv, &sctps->sctps_g_q_lock);
- }
- mutex_exit(&sctps->sctps_g_q_lock);
-}
-
-#define IP "ip"
-
-#define SCTP6DEV "/devices/pseudo/sctp6@0:sctp6"
-
-/*
- * Create a default sctp queue here instead of in strplumb
- */
-void
-sctp_g_q_create(sctp_stack_t *sctps)
-{
- int error;
- ldi_handle_t lh = NULL;
- ldi_ident_t li = NULL;
- int rval;
- cred_t *cr;
- major_t IP_MAJ;
-
-#ifdef NS_DEBUG
- (void) printf("sctp_g_q_create()for stack %d\n",
- sctps->sctps_netstack->netstack_stackid);
-#endif
-
- IP_MAJ = ddi_name_to_major(IP);
-
- ASSERT(sctps->sctps_g_q_creator == curthread);
-
- error = ldi_ident_from_major(IP_MAJ, &li);
- if (error) {
-#ifdef DEBUG
- printf("sctp_g_q_create: lyr ident get failed error %d\n",
- error);
-#endif
- return;
- }
-
- cr = zone_get_kcred(netstackid_to_zoneid(
- sctps->sctps_netstack->netstack_stackid));
- ASSERT(cr != NULL);
- /*
- * We set the sctp default queue to IPv6 because IPv4 falls
- * back to IPv6 when it can't find a client, but
- * IPv6 does not fall back to IPv4.
- */
- error = ldi_open_by_name(SCTP6DEV, FREAD|FWRITE, cr, &lh, li);
- if (error) {
-#ifdef DEBUG
- printf("sctp_g_q_create: open of SCTP6DEV failed error %d\n",
- error);
-#endif
- goto out;
- }
-
- /*
- * This ioctl causes the sctp framework to cache a pointer to
- * this stream, so we don't want to close the stream after
- * this operation.
- * Use the kernel credentials that are for the zone we're in.
- */
- error = ldi_ioctl(lh, SCTP_IOC_DEFAULT_Q,
- (intptr_t)0, FKIOCTL, cr, &rval);
- if (error) {
-#ifdef DEBUG
- printf("sctp_g_q_create: ioctl SCTP_IOC_DEFAULT_Q failed "
- "error %d\n", error);
-#endif
- goto out;
- }
- sctps->sctps_g_q_lh = lh; /* For sctp_g_q_inactive */
- lh = NULL;
-out:
- /* Close layered handles */
- if (li)
- ldi_ident_release(li);
- /* Keep cred around until _inactive needs it */
- sctps->sctps_g_q_cr = cr;
-}
-
-/*
- * Remove the sctp_default queue so that new connections will not find it.
- * SCTP uses sctp_g_q for all transmission, so all sctp'ts implicitly
- * refer to it. Hence have each one have a reference on sctp_g_q_ref!
- *
- * We decrement the refcnt added in sctp_g_q_create. Once all the
- * sctp_t's which use the default go away, sctp_g_q_close will be called
- * and close the sctp_g_q. Once sctp_g_q is closed, sctp_close() will drop the
- * last reference count on the stack by calling netstack_rele().
- */
-void
-sctp_g_q_destroy(sctp_stack_t *sctps)
-{
- if (sctps->sctps_g_q == NULL) {
- return; /* Nothing to cleanup */
- }
- /*
- * Keep sctps_g_q and sctps_gsctp until the last reference has
- * dropped, since the output is always done using those.
- * Need to decrement twice to take sctp_g_q_create and
- * the gsctp reference into account so that sctp_g_q_inactive is called
- * when all but the default queue remains.
- */
-#ifdef NS_DEBUG
- (void) printf("sctp_g_q_destroy: ref %d\n",
- sctps->sctps_g_q_ref);
-#endif
- SCTP_G_Q_REFRELE(sctps);
-}
-
-/*
- * Called when last user (could be sctp_g_q_destroy) drops reference count
- * using SCTP_G_Q_REFRELE.
- * Run by sctp_q_q_inactive using a taskq.
- */
-static void
-sctp_g_q_close(void *arg)
-{
- sctp_stack_t *sctps = arg;
- int error;
- ldi_handle_t lh = NULL;
- ldi_ident_t li = NULL;
- cred_t *cr;
- major_t IP_MAJ;
-
- IP_MAJ = ddi_name_to_major(IP);
-
- lh = sctps->sctps_g_q_lh;
- if (lh == NULL)
- return; /* Nothing to cleanup */
-
- error = ldi_ident_from_major(IP_MAJ, &li);
- if (error) {
-#ifdef NS_DEBUG
- printf("sctp_g_q_inactive: lyr ident get failed error %d\n",
- error);
-#endif
- return;
- }
-
- cr = sctps->sctps_g_q_cr;
- sctps->sctps_g_q_cr = NULL;
- ASSERT(cr != NULL);
-
- /*
- * Make sure we can break the recursion when sctp_close decrements
- * the reference count causing g_q_inactive to be called again.
- */
- sctps->sctps_g_q_lh = NULL;
-
- /* close the default queue */
- (void) ldi_close(lh, FREAD|FWRITE, cr);
-
- /* Close layered handles */
- ldi_ident_release(li);
- crfree(cr);
-
- ASSERT(sctps->sctps_g_q != NULL);
- sctps->sctps_g_q = NULL;
- /*
- * Now free sctps_gsctp.
- */
- ASSERT(sctps->sctps_gsctp != NULL);
- sctp_closei_local(sctps->sctps_gsctp);
- SCTP_CONDEMNED(sctps->sctps_gsctp);
- SCTP_REFRELE(sctps->sctps_gsctp);
- sctps->sctps_gsctp = NULL;
-}
-
-/*
- * Called when last sctp_t drops reference count using SCTP_G_Q_REFRELE.
- *
- * Have to ensure that the ldi routines are not used by an
- * interrupt thread by using a taskq.
- */
-void
-sctp_g_q_inactive(sctp_stack_t *sctps)
-{
- if (sctps->sctps_g_q_lh == NULL)
- return; /* Nothing to cleanup */
-
- ASSERT(sctps->sctps_g_q_ref == 0);
- SCTP_G_Q_REFHOLD(sctps); /* Compensate for what g_q_destroy did */
-
- if (servicing_interrupt()) {
- (void) taskq_dispatch(sctp_taskq, sctp_g_q_close,
- (void *) sctps, TQ_SLEEP);
- } else {
- sctp_g_q_close(sctps);
- }
-}
-
/* Run at module load time */
void
sctp_ddi_g_init(void)
@@ -1802,16 +1551,12 @@ sctp_ddi_g_init(void)
/* Initialize tables used for CRC calculation */
sctp_crc32_init();
- sctp_taskq = taskq_create("sctp_taskq", 1, minclsyspri, 1, 1,
- TASKQ_PREPOPULATE);
-
/*
* We want to be informed each time a stack is created or
* destroyed in the kernel, so we can maintain the
* set of sctp_stack_t's.
*/
- netstack_register(NS_SCTP, sctp_stack_init, sctp_stack_shutdown,
- sctp_stack_fini);
+ netstack_register(NS_SCTP, sctp_stack_init, NULL, sctp_stack_fini);
}
static void *
@@ -1823,8 +1568,6 @@ sctp_stack_init(netstackid_t stackid, netstack_t *ns)
sctps->sctps_netstack = ns;
/* Initialize locks */
- mutex_init(&sctps->sctps_g_q_lock, NULL, MUTEX_DEFAULT, NULL);
- cv_init(&sctps->sctps_g_q_cv, NULL, CV_DEFAULT, NULL);
mutex_init(&sctps->sctps_g_lock, NULL, MUTEX_DEFAULT, NULL);
mutex_init(&sctps->sctps_epriv_port_lock, NULL, MUTEX_DEFAULT, NULL);
sctps->sctps_g_num_epriv_ports = SCTP_NUM_EPRIV_PORTS;
@@ -1875,19 +1618,6 @@ sctp_ddi_g_destroy(void)
sctp_ftsn_sets_fini();
netstack_unregister(NS_SCTP);
- taskq_destroy(sctp_taskq);
-}
-
-/*
- * Shut down the SCTP stack instance.
- */
-/* ARGSUSED */
-static void
-sctp_stack_shutdown(netstackid_t stackid, void *arg)
-{
- sctp_stack_t *sctps = (sctp_stack_t *)arg;
-
- sctp_g_q_destroy(sctps);
}
/*
@@ -1922,8 +1652,6 @@ sctp_stack_fini(netstackid_t stackid, void *arg)
mutex_destroy(&sctps->sctps_g_lock);
mutex_destroy(&sctps->sctps_epriv_port_lock);
- mutex_destroy(&sctps->sctps_g_q_lock);
- cv_destroy(&sctps->sctps_g_q_cv);
kmem_free(sctps, sizeof (*sctps));
}
@@ -1934,7 +1662,8 @@ sctp_display_all(sctp_stack_t *sctps)
sctp_t *sctp_walker;
mutex_enter(&sctps->sctps_g_lock);
- for (sctp_walker = sctps->sctps_gsctp; sctp_walker != NULL;
+ for (sctp_walker = list_head(&sctps->sctps_g_list);
+ sctp_walker != NULL;
sctp_walker = (sctp_t *)list_next(&sctps->sctps_g_list,
sctp_walker)) {
(void) sctp_display(sctp_walker, NULL);
@@ -2009,81 +1738,6 @@ sctp_inc_taskq(sctp_stack_t *sctps)
}
#ifdef DEBUG
-uint32_t sendq_loop_cnt = 0;
-uint32_t sendq_collision = 0;
-uint32_t sendq_empty = 0;
-#endif
-
-void
-sctp_add_sendq(sctp_t *sctp, mblk_t *mp)
-{
- mutex_enter(&sctp->sctp_sendq_lock);
- if (sctp->sctp_sendq == NULL) {
- sctp->sctp_sendq = mp;
- sctp->sctp_sendq_tail = mp;
- } else {
- sctp->sctp_sendq_tail->b_next = mp;
- sctp->sctp_sendq_tail = mp;
- }
- mutex_exit(&sctp->sctp_sendq_lock);
-}
-
-void
-sctp_process_sendq(sctp_t *sctp)
-{
- mblk_t *mp;
-#ifdef DEBUG
- uint32_t loop_cnt = 0;
-#endif
-
- mutex_enter(&sctp->sctp_sendq_lock);
- if (sctp->sctp_sendq == NULL || sctp->sctp_sendq_sending) {
-#ifdef DEBUG
- if (sctp->sctp_sendq == NULL)
- sendq_empty++;
- else
- sendq_collision++;
-#endif
- mutex_exit(&sctp->sctp_sendq_lock);
- return;
- }
- sctp->sctp_sendq_sending = B_TRUE;
-
- /*
- * Note that while we are in this loop, other thread can put
- * new packets in the receive queue. We may be looping for
- * quite a while. This is OK even for an interrupt thread.
- * The reason is that SCTP should only able to send a limited
- * number of packets out in a burst. So the number of times
- * we go through this loop should not be many.
- */
- while ((mp = sctp->sctp_sendq) != NULL) {
- sctp->sctp_sendq = mp->b_next;
- ASSERT(sctp->sctp_connp->conn_ref > 0);
- mutex_exit(&sctp->sctp_sendq_lock);
- mp->b_next = NULL;
- CONN_INC_REF(sctp->sctp_connp);
- mp->b_flag |= MSGHASREF;
- /* If we don't have sctp_current, default to IPv4 */
- IP_PUT(mp, sctp->sctp_connp, sctp->sctp_current == NULL ?
- B_TRUE : sctp->sctp_current->isv4);
- BUMP_LOCAL(sctp->sctp_opkts);
-#ifdef DEBUG
- loop_cnt++;
-#endif
- mutex_enter(&sctp->sctp_sendq_lock);
- }
-
- sctp->sctp_sendq_tail = NULL;
- sctp->sctp_sendq_sending = B_FALSE;
-#ifdef DEBUG
- if (loop_cnt > sendq_loop_cnt)
- sendq_loop_cnt = loop_cnt;
-#endif
- mutex_exit(&sctp->sctp_sendq_lock);
-}
-
-#ifdef DEBUG
uint32_t recvq_loop_cnt = 0;
uint32_t recvq_call = 0;
#endif
@@ -2144,10 +1798,19 @@ sctp_find_next_tq(sctp_t *sctp)
* If the try_harder argument is B_TRUE, this routine sctp_find_next_tq()
* will try very hard to dispatch the task. Refer to the comment
* for that routine on how it does that.
+ *
+ * On failure the message has been freed i.e., this routine always consumes the
+ * message. It bumps ipIfStatsInDiscards and and uses ip_drop_input to drop.
*/
-boolean_t
-sctp_add_recvq(sctp_t *sctp, mblk_t *mp, boolean_t caller_hold_lock)
+void
+sctp_add_recvq(sctp_t *sctp, mblk_t *mp, boolean_t caller_hold_lock,
+ ip_recv_attr_t *ira)
{
+ mblk_t *attrmp;
+ ip_stack_t *ipst = sctp->sctp_sctps->sctps_netstack->netstack_ip;
+
+ ASSERT(ira->ira_ill == NULL);
+
if (!caller_hold_lock)
mutex_enter(&sctp->sctp_recvq_lock);
@@ -2157,12 +1820,28 @@ sctp_add_recvq(sctp_t *sctp, mblk_t *mp, boolean_t caller_hold_lock)
if (!sctp_find_next_tq(sctp)) {
if (!caller_hold_lock)
mutex_exit(&sctp->sctp_recvq_lock);
- return (B_FALSE);
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, NULL);
+ freemsg(mp);
+ return;
}
/* Make sure the sctp_t will not go away. */
SCTP_REFHOLD(sctp);
}
+ attrmp = ip_recv_attr_to_mblk(ira);
+ if (attrmp == NULL) {
+ if (!caller_hold_lock)
+ mutex_exit(&sctp->sctp_recvq_lock);
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, NULL);
+ freemsg(mp);
+ return;
+ }
+ ASSERT(attrmp->b_cont == NULL);
+ attrmp->b_cont = mp;
+ mp = attrmp;
+
if (sctp->sctp_recvq == NULL) {
sctp->sctp_recvq = mp;
sctp->sctp_recvq_tail = mp;
@@ -2173,7 +1852,6 @@ sctp_add_recvq(sctp_t *sctp, mblk_t *mp, boolean_t caller_hold_lock)
if (!caller_hold_lock)
mutex_exit(&sctp->sctp_recvq_lock);
- return (B_TRUE);
}
static void
@@ -2181,10 +1859,10 @@ sctp_process_recvq(void *arg)
{
sctp_t *sctp = (sctp_t *)arg;
mblk_t *mp;
- mblk_t *ipsec_mp;
#ifdef DEBUG
uint32_t loop_cnt = 0;
#endif
+ ip_recv_attr_t iras;
#ifdef _BIG_ENDIAN
#define IPVER(ip6h) ((((uint32_t *)ip6h)[0] >> 28) & 0x7)
@@ -2204,16 +1882,31 @@ sctp_process_recvq(void *arg)
* quite a while.
*/
while ((mp = sctp->sctp_recvq) != NULL) {
+ mblk_t *data_mp;
+
sctp->sctp_recvq = mp->b_next;
mutex_exit(&sctp->sctp_recvq_lock);
mp->b_next = NULL;
#ifdef DEBUG
loop_cnt++;
#endif
- ipsec_mp = mp->b_prev;
mp->b_prev = NULL;
- sctp_input_data(sctp, mp, ipsec_mp);
+ data_mp = mp->b_cont;
+ mp->b_cont = NULL;
+ if (!ip_recv_attr_from_mblk(mp, &iras)) {
+ ip_drop_input("ip_recv_attr_from_mblk", mp, NULL);
+ freemsg(mp);
+ ira_cleanup(&iras, B_TRUE);
+ continue;
+ }
+
+ if (iras.ira_flags & IRAF_ICMP_ERROR)
+ sctp_icmp_error(sctp, data_mp);
+ else
+ sctp_input_data(sctp, data_mp, &iras);
+
+ ira_cleanup(&iras, B_TRUE);
mutex_enter(&sctp->sctp_recvq_lock);
}
@@ -2224,8 +1917,6 @@ sctp_process_recvq(void *arg)
WAKE_SCTP(sctp);
- /* We may have sent something when processing the receive queue. */
- sctp_process_sendq(sctp);
#ifdef DEBUG
if (loop_cnt > recvq_loop_cnt)
recvq_loop_cnt = loop_cnt;
@@ -2238,18 +1929,32 @@ sctp_process_recvq(void *arg)
static int
sctp_conn_cache_constructor(void *buf, void *cdrarg, int kmflags)
{
- conn_t *sctp_connp = (conn_t *)buf;
- sctp_t *sctp = (sctp_t *)&sctp_connp[1];
+ conn_t *connp = (conn_t *)buf;
+ sctp_t *sctp = (sctp_t *)&connp[1];
+ bzero(connp, sizeof (conn_t));
bzero(buf, (char *)&sctp[1] - (char *)buf);
- sctp->sctp_connp = sctp_connp;
mutex_init(&sctp->sctp_reflock, NULL, MUTEX_DEFAULT, NULL);
mutex_init(&sctp->sctp_lock, NULL, MUTEX_DEFAULT, NULL);
mutex_init(&sctp->sctp_recvq_lock, NULL, MUTEX_DEFAULT, NULL);
cv_init(&sctp->sctp_cv, NULL, CV_DEFAULT, NULL);
- mutex_init(&sctp->sctp_sendq_lock, NULL, MUTEX_DEFAULT, NULL);
+ mutex_init(&connp->conn_lock, NULL, MUTEX_DEFAULT, NULL);
+ cv_init(&connp->conn_cv, NULL, CV_DEFAULT, NULL);
+ connp->conn_flags = IPCL_SCTPCONN;
+ connp->conn_proto = IPPROTO_SCTP;
+ connp->conn_sctp = sctp;
+ sctp->sctp_connp = connp;
+ rw_init(&connp->conn_ilg_lock, NULL, RW_DEFAULT, NULL);
+
+ connp->conn_ixa = kmem_zalloc(sizeof (ip_xmit_attr_t), kmflags);
+ if (connp->conn_ixa == NULL) {
+ return (ENOMEM);
+ }
+ connp->conn_ixa->ixa_refcnt = 1;
+ connp->conn_ixa->ixa_protocol = connp->conn_proto;
+ connp->conn_ixa->ixa_xmit_hint = CONN_TO_XMIT_HINT(connp);
return (0);
}
@@ -2257,14 +1962,13 @@ sctp_conn_cache_constructor(void *buf, void *cdrarg, int kmflags)
static void
sctp_conn_cache_destructor(void *buf, void *cdrarg)
{
- conn_t *sctp_connp = (conn_t *)buf;
- sctp_t *sctp = (sctp_t *)&sctp_connp[1];
+ conn_t *connp = (conn_t *)buf;
+ sctp_t *sctp = (sctp_t *)&connp[1];
+ ASSERT(sctp->sctp_connp == connp);
ASSERT(!MUTEX_HELD(&sctp->sctp_lock));
ASSERT(!MUTEX_HELD(&sctp->sctp_reflock));
ASSERT(!MUTEX_HELD(&sctp->sctp_recvq_lock));
- ASSERT(!MUTEX_HELD(&sctp->sctp_sendq_lock));
- ASSERT(!MUTEX_HELD(&sctp->sctp_connp->conn_lock));
ASSERT(sctp->sctp_conn_hash_next == NULL);
ASSERT(sctp->sctp_conn_hash_prev == NULL);
@@ -2317,16 +2021,6 @@ sctp_conn_cache_destructor(void *buf, void *cdrarg)
ASSERT(sctp->sctp_recvq_tail == NULL);
ASSERT(sctp->sctp_recvq_tq == NULL);
- ASSERT(sctp->sctp_sendq == NULL);
- ASSERT(sctp->sctp_sendq_tail == NULL);
- ASSERT(sctp->sctp_sendq_sending == B_FALSE);
-
- ASSERT(sctp->sctp_ipp_hopopts == NULL);
- ASSERT(sctp->sctp_ipp_rtdstopts == NULL);
- ASSERT(sctp->sctp_ipp_rthdr == NULL);
- ASSERT(sctp->sctp_ipp_dstopts == NULL);
- ASSERT(sctp->sctp_ipp_pathmtu == NULL);
-
/*
* sctp_pad_mp can be NULL if the memory allocation fails
* in sctp_init_values() and the conn_t is freed.
@@ -2340,8 +2034,18 @@ sctp_conn_cache_destructor(void *buf, void *cdrarg)
mutex_destroy(&sctp->sctp_lock);
mutex_destroy(&sctp->sctp_recvq_lock);
cv_destroy(&sctp->sctp_cv);
- mutex_destroy(&sctp->sctp_sendq_lock);
+ mutex_destroy(&connp->conn_lock);
+ cv_destroy(&connp->conn_cv);
+ rw_destroy(&connp->conn_ilg_lock);
+
+ /* Can be NULL if constructor failed */
+ if (connp->conn_ixa != NULL) {
+ ASSERT(connp->conn_ixa->ixa_refcnt == 1);
+ ASSERT(connp->conn_ixa->ixa_ire == NULL);
+ ASSERT(connp->conn_ixa->ixa_nce == NULL);
+ ixa_refrele(connp->conn_ixa);
+ }
}
static void
@@ -2361,31 +2065,53 @@ sctp_conn_cache_fini()
void
sctp_conn_init(conn_t *connp)
{
- connp->conn_flags = IPCL_SCTPCONN;
+ ASSERT(connp->conn_flags == IPCL_SCTPCONN);
connp->conn_rq = connp->conn_wq = NULL;
- connp->conn_multicast_loop = IP_DEFAULT_MULTICAST_LOOP;
- connp->conn_ulp = IPPROTO_SCTP;
+ connp->conn_ixa->ixa_flags |= IXAF_SET_ULP_CKSUM | IXAF_VERIFY_SOURCE |
+ IXAF_VERIFY_PMTU;
+
+ ASSERT(connp->conn_proto == IPPROTO_SCTP);
+ ASSERT(connp->conn_ixa->ixa_protocol == connp->conn_proto);
connp->conn_state_flags |= CONN_INCIPIENT;
- mutex_init(&connp->conn_lock, NULL, MUTEX_DEFAULT, NULL);
- cv_init(&connp->conn_cv, NULL, CV_DEFAULT, NULL);
+
+ ASSERT(connp->conn_sctp != NULL);
+
+ /*
+ * Register sctp_notify to listen to capability changes detected by IP.
+ * This upcall is made in the context of the call to conn_ip_output
+ * thus it holds whatever locks sctp holds across conn_ip_output.
+ */
+ connp->conn_ixa->ixa_notify = sctp_notify;
+ connp->conn_ixa->ixa_notify_cookie = connp->conn_sctp;
}
static void
sctp_conn_clear(conn_t *connp)
{
/* Clean up conn_t stuff */
- if (connp->conn_latch != NULL)
- IPLATCH_REFRELE(connp->conn_latch, connp->conn_netstack);
- if (connp->conn_policy != NULL)
+ if (connp->conn_latch != NULL) {
+ IPLATCH_REFRELE(connp->conn_latch);
+ connp->conn_latch = NULL;
+ }
+ if (connp->conn_latch_in_policy != NULL) {
+ IPPOL_REFRELE(connp->conn_latch_in_policy);
+ connp->conn_latch_in_policy = NULL;
+ }
+ if (connp->conn_latch_in_action != NULL) {
+ IPACT_REFRELE(connp->conn_latch_in_action);
+ connp->conn_latch_in_action = NULL;
+ }
+ if (connp->conn_policy != NULL) {
IPPH_REFRELE(connp->conn_policy, connp->conn_netstack);
- if (connp->conn_ipsec_opt_mp != NULL)
+ connp->conn_policy = NULL;
+ }
+ if (connp->conn_ipsec_opt_mp != NULL) {
freemsg(connp->conn_ipsec_opt_mp);
- if (connp->conn_cred != NULL)
- crfree(connp->conn_cred);
- if (connp->conn_effective_cred != NULL)
- crfree(connp->conn_effective_cred);
- mutex_destroy(&connp->conn_lock);
- cv_destroy(&connp->conn_cv);
+ connp->conn_ipsec_opt_mp = NULL;
+ }
netstack_rele(connp->conn_netstack);
- bzero(connp, sizeof (struct conn_s));
+ connp->conn_netstack = NULL;
+
+ /* Leave conn_ixa and other constructed fields in place */
+ ipcl_conn_cleanup(connp);
}
diff --git a/usr/src/uts/common/inet/sctp/sctp_addr.c b/usr/src/uts/common/inet/sctp/sctp_addr.c
index b347d30dda..306362211d 100644
--- a/usr/src/uts/common/inet/sctp/sctp_addr.c
+++ b/usr/src/uts/common/inet/sctp/sctp_addr.c
@@ -41,6 +41,7 @@
#include <inet/common.h>
#include <inet/ip.h>
#include <inet/ip6.h>
+#include <inet/ip_ire.h>
#include <inet/ip_if.h>
#include <inet/ipclassifier.h>
#include <inet/sctp_ip.h>
@@ -236,6 +237,7 @@ sctp_get_all_ipifs(sctp_t *sctp, int sleep)
int error = 0;
sctp_stack_t *sctps = sctp->sctp_sctps;
boolean_t isv6;
+ conn_t *connp = sctp->sctp_connp;
rw_enter(&sctps->sctps_g_ipifs_lock, RW_READER);
for (i = 0; i < SCTP_IPIF_HASH; i++) {
@@ -250,8 +252,8 @@ sctp_get_all_ipifs(sctp_t *sctp, int sleep)
!SCTP_IPIF_ZONE_MATCH(sctp, sctp_ipif) ||
SCTP_IS_ADDR_UNSPEC(!isv6,
sctp_ipif->sctp_ipif_saddr) ||
- (sctp->sctp_ipversion == IPV4_VERSION && isv6) ||
- (sctp->sctp_connp->conn_ipv6_v6only && !isv6)) {
+ (connp->conn_family == AF_INET && isv6) ||
+ (connp->conn_ipv6_v6only && !isv6)) {
rw_exit(&sctp_ipif->sctp_ipif_lock);
sctp_ipif = list_next(
&sctps->sctps_g_ipifs[i].sctp_ipif_list,
@@ -303,6 +305,7 @@ sctp_valid_addr_list(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
boolean_t check_addrs = B_FALSE;
boolean_t check_lport = B_FALSE;
uchar_t *p = list;
+ conn_t *connp = sctp->sctp_connp;
/*
* Need to check for port and address depending on the state.
@@ -325,11 +328,11 @@ sctp_valid_addr_list(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
boolean_t lookup_saddr = B_TRUE;
uint_t ifindex = 0;
- switch (sctp->sctp_family) {
+ switch (connp->conn_family) {
case AF_INET:
sin4 = (struct sockaddr_in *)addrs + cnt;
if (sin4->sin_family != AF_INET || (check_lport &&
- sin4->sin_port != sctp->sctp_lport)) {
+ sin4->sin_port != connp->conn_lport)) {
err = EINVAL;
goto free_ret;
}
@@ -351,14 +354,14 @@ sctp_valid_addr_list(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
case AF_INET6:
sin6 = (struct sockaddr_in6 *)addrs + cnt;
if (sin6->sin6_family != AF_INET6 || (check_lport &&
- sin6->sin6_port != sctp->sctp_lport)) {
+ sin6->sin6_port != connp->conn_lport)) {
err = EINVAL;
goto free_ret;
}
addr = sin6->sin6_addr;
/* Contains the interface index */
ifindex = sin6->sin6_scope_id;
- if (sctp->sctp_connp->conn_ipv6_v6only &&
+ if (connp->conn_ipv6_v6only &&
IN6_IS_ADDR_V4MAPPED(&addr)) {
err = EAFNOSUPPORT;
goto free_ret;
@@ -382,7 +385,7 @@ sctp_valid_addr_list(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
}
if (lookup_saddr) {
ipif = sctp_lookup_ipif_addr(&addr, B_TRUE,
- sctp->sctp_zoneid, !sctp->sctp_connp->conn_allzones,
+ IPCL_ZONEID(connp), !connp->conn_allzones,
ifindex, 0, B_TRUE, sctp->sctp_sctps);
if (ipif == NULL) {
/* Address not in the list */
@@ -495,6 +498,8 @@ sctp_ipif_hash_insert(sctp_t *sctp, sctp_ipif_t *ipif, int sleep,
/*
* Given a source address, walk through the peer address list to see
* if the source address is being used. If it is, reset that.
+ * A cleared saddr will then make sctp_make_mp lookup the destination again
+ * and as part of that look for a new source.
*/
static void
sctp_fix_saddr(sctp_t *sctp, in6_addr_t *saddr)
@@ -504,10 +509,6 @@ sctp_fix_saddr(sctp_t *sctp, in6_addr_t *saddr)
for (fp = sctp->sctp_faddrs; fp != NULL; fp = fp->next) {
if (!IN6_ARE_ADDR_EQUAL(&fp->saddr, saddr))
continue;
- if (fp->ire != NULL) {
- IRE_REFRELE_NOTR(fp->ire);
- fp->ire = NULL;
- }
V6_SET_ZERO(fp->saddr);
}
}
@@ -874,8 +875,8 @@ sctp_update_saddrs(sctp_ipif_t *oipif, sctp_ipif_t *nipif, int idx,
sctp_saddr_ipif_t *sobj;
int count;
- sctp = sctps->sctps_gsctp;
mutex_enter(&sctps->sctps_g_lock);
+ sctp = list_head(&sctps->sctps_g_list);
while (sctp != NULL && oipif->sctp_ipif_refcnt > 0) {
mutex_enter(&sctp->sctp_reflock);
if (sctp->sctp_condemned ||
@@ -1202,7 +1203,6 @@ sctp_update_ipif(ipif_t *ipif, int op)
rw_downgrade(&sctps->sctps_g_ipifs_lock);
rw_enter(&sctp_ipif->sctp_ipif_lock, RW_WRITER);
sctp_ipif->sctp_ipif_state = SCTP_IPIFS_UP;
- sctp_ipif->sctp_ipif_mtu = ipif->ipif_mtu;
sctp_ipif->sctp_ipif_flags = ipif->ipif_flags;
rw_exit(&sctp_ipif->sctp_ipif_lock);
sctp_chk_and_updt_saddr(hindex, sctp_ipif,
@@ -1214,7 +1214,6 @@ sctp_update_ipif(ipif_t *ipif, int op)
rw_downgrade(&sctps->sctps_g_ipifs_lock);
rw_enter(&sctp_ipif->sctp_ipif_lock, RW_WRITER);
- sctp_ipif->sctp_ipif_mtu = ipif->ipif_mtu;
sctp_ipif->sctp_ipif_zoneid = ipif->ipif_zoneid;
sctp_ipif->sctp_ipif_flags = ipif->ipif_flags;
rw_exit(&sctp_ipif->sctp_ipif_lock);
@@ -1226,7 +1225,6 @@ sctp_update_ipif(ipif_t *ipif, int op)
rw_downgrade(&sctps->sctps_g_ipifs_lock);
rw_enter(&sctp_ipif->sctp_ipif_lock, RW_WRITER);
sctp_ipif->sctp_ipif_state = SCTP_IPIFS_DOWN;
- sctp_ipif->sctp_ipif_mtu = ipif->ipif_mtu;
sctp_ipif->sctp_ipif_flags = ipif->ipif_flags;
rw_exit(&sctp_ipif->sctp_ipif_lock);
@@ -1277,6 +1275,7 @@ sctp_del_saddr_list(sctp_t *sctp, const void *addrs, int addcnt,
in6_addr_t addr;
sctp_ipif_t *sctp_ipif;
int ifindex = 0;
+ conn_t *connp = sctp->sctp_connp;
ASSERT(sctp->sctp_nsaddrs >= addcnt);
@@ -1288,7 +1287,7 @@ sctp_del_saddr_list(sctp_t *sctp, const void *addrs, int addcnt,
}
for (cnt = 0; cnt < addcnt; cnt++) {
- switch (sctp->sctp_family) {
+ switch (connp->conn_family) {
case AF_INET:
sin4 = (struct sockaddr_in *)addrs + cnt;
IN6_INADDR_TO_V4MAPPED(&sin4->sin_addr, &addr);
@@ -1301,7 +1300,7 @@ sctp_del_saddr_list(sctp_t *sctp, const void *addrs, int addcnt,
break;
}
sctp_ipif = sctp_lookup_ipif_addr(&addr, B_FALSE,
- sctp->sctp_zoneid, !sctp->sctp_connp->conn_allzones,
+ IPCL_ZONEID(connp), !connp->conn_allzones,
ifindex, 0, B_TRUE, sctp->sctp_sctps);
ASSERT(sctp_ipif != NULL);
sctp_ipif_hash_remove(sctp, sctp_ipif);
@@ -1356,10 +1355,10 @@ int
sctp_saddr_add_addr(sctp_t *sctp, in6_addr_t *addr, uint_t ifindex)
{
sctp_ipif_t *sctp_ipif;
+ conn_t *connp = sctp->sctp_connp;
- sctp_ipif = sctp_lookup_ipif_addr(addr, B_TRUE, sctp->sctp_zoneid,
- !sctp->sctp_connp->conn_allzones, ifindex, 0, B_TRUE,
- sctp->sctp_sctps);
+ sctp_ipif = sctp_lookup_ipif_addr(addr, B_TRUE, IPCL_ZONEID(connp),
+ !connp->conn_allzones, ifindex, 0, B_TRUE, sctp->sctp_sctps);
if (sctp_ipif == NULL)
return (EINVAL);
@@ -1386,6 +1385,7 @@ sctp_check_saddr(sctp_t *sctp, int supp_af, boolean_t delete,
int scanned = 0;
int naddr;
int nsaddr;
+ conn_t *connp = sctp->sctp_connp;
ASSERT(!sctp->sctp_loopback && !sctp->sctp_linklocal && supp_af != 0);
@@ -1393,7 +1393,7 @@ sctp_check_saddr(sctp_t *sctp, int supp_af, boolean_t delete,
* Irregardless of the supported address in the INIT, v4
* must be supported.
*/
- if (sctp->sctp_family == AF_INET)
+ if (connp->conn_family == AF_INET)
supp_af = PARM_SUPP_V4;
nsaddr = sctp->sctp_nsaddrs;
@@ -1501,13 +1501,15 @@ sctp_getmyaddrs(void *conn, void *myaddrs, int *addrcnt)
int l;
sctp_saddr_ipif_t *obj;
sctp_t *sctp = (sctp_t *)conn;
- int family = sctp->sctp_family;
+ conn_t *connp = sctp->sctp_connp;
+ int family = connp->conn_family;
int max = *addrcnt;
size_t added = 0;
struct sockaddr_in6 *sin6;
struct sockaddr_in *sin4;
int scanned = 0;
boolean_t skip_lback = B_FALSE;
+ ip_xmit_attr_t *ixa = connp->conn_ixa;
if (sctp->sctp_nsaddrs == 0)
return (EINVAL);
@@ -1543,15 +1545,27 @@ sctp_getmyaddrs(void *conn, void *myaddrs, int *addrcnt)
case AF_INET:
sin4 = (struct sockaddr_in *)myaddrs + added;
sin4->sin_family = AF_INET;
- sin4->sin_port = sctp->sctp_lport;
+ sin4->sin_port = connp->conn_lport;
IN6_V4MAPPED_TO_INADDR(&addr, &sin4->sin_addr);
break;
case AF_INET6:
sin6 = (struct sockaddr_in6 *)myaddrs + added;
sin6->sin6_family = AF_INET6;
- sin6->sin6_port = sctp->sctp_lport;
+ sin6->sin6_port = connp->conn_lport;
sin6->sin6_addr = addr;
+ /*
+ * Note that flowinfo is only returned for
+ * getpeername just like for TCP and UDP.
+ */
+ sin6->sin6_flowinfo = 0;
+
+ if (IN6_IS_ADDR_LINKSCOPE(&sin6->sin6_addr) &&
+ (ixa->ixa_flags & IXAF_SCOPEID_SET))
+ sin6->sin6_scope_id = ixa->ixa_scopeid;
+ else
+ sin6->sin6_scope_id = 0;
+ sin6->__sin6_src_id = 0;
break;
}
added++;
@@ -1700,6 +1714,7 @@ sctp_get_addrlist(sctp_t *sctp, const void *addrs, uint32_t *addrcnt,
uchar_t *p;
int err = 0;
sctp_stack_t *sctps = sctp->sctp_sctps;
+ conn_t *connp = sctp->sctp_connp;
*addrlist = NULL;
*size = 0;
@@ -1707,7 +1722,7 @@ sctp_get_addrlist(sctp_t *sctp, const void *addrs, uint32_t *addrcnt,
/*
* Create a list of sockaddr_in[6] structs using the input list.
*/
- if (sctp->sctp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
*size = sizeof (struct sockaddr_in) * *addrcnt;
*addrlist = kmem_zalloc(*size, KM_SLEEP);
p = *addrlist;
@@ -1772,7 +1787,7 @@ get_all_addrs:
* We allocate upfront so that the clustering module need to bother
* re-sizing the list.
*/
- if (sctp->sctp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
*size = sizeof (struct sockaddr_in) *
sctps->sctps_g_ipifs_count;
} else {
@@ -1805,7 +1820,7 @@ get_all_addrs:
SCTP_IS_IPIF_LOOPBACK(sctp_ipif) ||
SCTP_IS_IPIF_LINKLOCAL(sctp_ipif) ||
!SCTP_IPIF_ZONE_MATCH(sctp, sctp_ipif) ||
- (sctp->sctp_ipversion == IPV4_VERSION &&
+ (connp->conn_family == AF_INET &&
sctp_ipif->sctp_ipif_isv6) ||
(sctp->sctp_connp->conn_ipv6_v6only &&
!sctp_ipif->sctp_ipif_isv6)) {
@@ -1816,7 +1831,7 @@ get_all_addrs:
continue;
}
rw_exit(&sctp_ipif->sctp_ipif_lock);
- if (sctp->sctp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
s4 = (struct sockaddr_in *)p;
IN6_V4MAPPED_TO_INADDR(&addr, &s4->sin_addr);
s4->sin_family = AF_INET;
diff --git a/usr/src/uts/common/inet/sctp/sctp_addr.h b/usr/src/uts/common/inet/sctp/sctp_addr.h
index 9408c452d4..35e8300958 100644
--- a/usr/src/uts/common/inet/sctp/sctp_addr.h
+++ b/usr/src/uts/common/inet/sctp/sctp_addr.h
@@ -19,15 +19,13 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _SCTP_ADDR_H
#define _SCTP_ADDR_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/list.h>
#include <sys/zone.h>
#include <inet/ip.h>
@@ -54,7 +52,6 @@ extern "C" {
typedef struct sctp_ipif_s {
list_node_t sctp_ipifs; /* Used by the global list */
struct sctp_ill_s *sctp_ipif_ill;
- uint_t sctp_ipif_mtu;
uint_t sctp_ipif_id;
in6_addr_t sctp_ipif_saddr;
int sctp_ipif_state;
diff --git a/usr/src/uts/common/inet/sctp/sctp_asconf.c b/usr/src/uts/common/inet/sctp/sctp_asconf.c
index 859faab0b8..fd7e34f7ba 100644
--- a/usr/src/uts/common/inet/sctp/sctp_asconf.c
+++ b/usr/src/uts/common/inet/sctp/sctp_asconf.c
@@ -571,7 +571,8 @@ sctp_input_asconf(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp)
* it is the clustering module's responsibility to free the lists.
*/
if (cl_sctp_assoc_change != NULL) {
- (*cl_sctp_assoc_change)(sctp->sctp_family, alist, asize,
+ (*cl_sctp_assoc_change)(sctp->sctp_connp->conn_family,
+ alist, asize,
acount, dlist, dsize, dcount, SCTP_CL_PADDR,
(cl_sctp_handle_t)sctp);
/* alist and dlist will be freed by the clustering module */
@@ -586,9 +587,10 @@ sctp_input_asconf(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp)
ach->sch_len = htons(msgdsize(hmp) - sctp->sctp_hdr_len);
else
ach->sch_len = htons(msgdsize(hmp) - sctp->sctp_hdr6_len);
- sctp_set_iplen(sctp, hmp);
- sctp_add_sendq(sctp, hmp);
+ sctp_set_iplen(sctp, hmp, fp->ixa);
+ (void) conn_ip_output(hmp, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
sctp_validate_peer(sctp);
}
@@ -809,7 +811,7 @@ sctp_input_asconf_ack(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp)
mp->b_prev = NULL;
ainfo->sctp_cl_alist = NULL;
ainfo->sctp_cl_dlist = NULL;
- (*cl_sctp_assoc_change)(sctp->sctp_family, alist,
+ (*cl_sctp_assoc_change)(sctp->sctp_connp->conn_family, alist,
ainfo->sctp_cl_asize, acount, dlist, ainfo->sctp_cl_dsize,
dcount, SCTP_CL_LADDR, (cl_sctp_handle_t)sctp);
/* alist and dlist will be freed by the clustering module */
@@ -1010,12 +1012,13 @@ sctp_wput_asconf(sctp_t *sctp, sctp_faddr_t *fp)
fp->suna += MBLKL(mp);
/* Attach the header and send the chunk */
ipmp->b_cont = mp;
- sctp_set_iplen(sctp, ipmp);
sctp->sctp_cchunk_pend = 1;
SCTP_SET_SENT_FLAG(sctp->sctp_cxmit_list);
SCTP_SET_CHUNK_DEST(sctp->sctp_cxmit_list, fp);
- sctp_add_sendq(sctp, ipmp);
+ sctp_set_iplen(sctp, ipmp, fp->ixa);
+ (void) conn_ip_output(ipmp, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
SCTP_FADDR_RC_TIMER_RESTART(sctp, fp, fp->rto);
#undef SCTP_SET_SENT_FLAG
}
@@ -1418,6 +1421,7 @@ sctp_add_ip(sctp_t *sctp, const void *addrs, uint32_t cnt)
uint16_t type = htons(PARM_ADD_IP);
boolean_t v4mapped = B_FALSE;
sctp_cl_ainfo_t *ainfo = NULL;
+ conn_t *connp = sctp->sctp_connp;
/* Does the peer understand ASCONF and Add-IP? */
if (!sctp->sctp_understands_asconf || !sctp->sctp_understands_addip)
@@ -1453,7 +1457,7 @@ sctp_add_ip(sctp_t *sctp, const void *addrs, uint32_t cnt)
* o Must be part of the association
*/
for (i = 0; i < cnt; i++) {
- switch (sctp->sctp_family) {
+ switch (connp->conn_family) {
case AF_INET:
sin4 = (struct sockaddr_in *)addrs + i;
v4mapped = B_TRUE;
@@ -1538,6 +1542,7 @@ sctp_del_ip(sctp_t *sctp, const void *addrs, uint32_t cnt, uchar_t *ulist,
uchar_t *p = ulist;
boolean_t check_lport = B_FALSE;
sctp_stack_t *sctps = sctp->sctp_sctps;
+ conn_t *connp = sctp->sctp_connp;
/* Does the peer understand ASCONF and Add-IP? */
if (sctp->sctp_state <= SCTPS_LISTEN || !sctps->sctps_addip_enabled ||
@@ -1577,10 +1582,11 @@ sctp_del_ip(sctp_t *sctp, const void *addrs, uint32_t cnt, uchar_t *ulist,
for (i = 0; i < cnt; i++) {
ifindex = 0;
- switch (sctp->sctp_family) {
+ switch (connp->conn_family) {
case AF_INET:
sin4 = (struct sockaddr_in *)addrs + i;
- if (check_lport && sin4->sin_port != sctp->sctp_lport) {
+ if (check_lport &&
+ sin4->sin_port != connp->conn_lport) {
error = EINVAL;
goto fail;
}
@@ -1591,7 +1597,7 @@ sctp_del_ip(sctp_t *sctp, const void *addrs, uint32_t cnt, uchar_t *ulist,
case AF_INET6:
sin6 = (struct sockaddr_in6 *)addrs + i;
if (check_lport &&
- sin6->sin6_port != sctp->sctp_lport) {
+ sin6->sin6_port != connp->conn_lport) {
error = EINVAL;
goto fail;
}
@@ -1675,7 +1681,7 @@ fail:
for (i = 0; i < addrcnt; i++) {
ifindex = 0;
- switch (sctp->sctp_family) {
+ switch (connp->conn_family) {
case AF_INET:
sin4 = (struct sockaddr_in *)addrs + i;
IN6_INADDR_TO_V4MAPPED(&(sin4->sin_addr), &addr);
@@ -1697,7 +1703,7 @@ fail:
}
int
-sctp_set_peerprim(sctp_t *sctp, const void *inp, uint_t inlen)
+sctp_set_peerprim(sctp_t *sctp, const void *inp)
{
const struct sctp_setprim *prim = inp;
const struct sockaddr_storage *ss;
@@ -1717,9 +1723,6 @@ sctp_set_peerprim(sctp_t *sctp, const void *inp, uint_t inlen)
return (EOPNOTSUPP);
}
- if (inlen < sizeof (*prim))
- return (EINVAL);
-
/* Don't do anything if we are not connected */
if (sctp->sctp_state != SCTPS_ESTABLISHED)
return (EINVAL);
diff --git a/usr/src/uts/common/inet/sctp/sctp_asconf.h b/usr/src/uts/common/inet/sctp/sctp_asconf.h
index 8940aa00bc..221172d7bb 100644
--- a/usr/src/uts/common/inet/sctp/sctp_asconf.h
+++ b/usr/src/uts/common/inet/sctp/sctp_asconf.h
@@ -19,15 +19,13 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _INET_SCTP_SCTP_ASCONF_H
#define _INET_SCTP_SCTP_ASCONF_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#ifdef __cplusplus
extern "C" {
#endif
@@ -57,7 +55,7 @@ extern int sctp_del_ip(sctp_t *, const void *, uint32_t, uchar_t *, size_t);
extern void sctp_asconf_free_cxmit(sctp_t *, sctp_chunk_hdr_t *);
extern void sctp_input_asconf(sctp_t *, sctp_chunk_hdr_t *, sctp_faddr_t *);
extern void sctp_input_asconf_ack(sctp_t *, sctp_chunk_hdr_t *, sctp_faddr_t *);
-extern int sctp_set_peerprim(sctp_t *, const void *, uint_t);
+extern int sctp_set_peerprim(sctp_t *, const void *);
extern void sctp_wput_asconf(sctp_t *, sctp_faddr_t *);
#ifdef __cplusplus
diff --git a/usr/src/uts/common/inet/sctp/sctp_bind.c b/usr/src/uts/common/inet/sctp/sctp_bind.c
index c0c1c7556e..9e0b0e7418 100644
--- a/usr/src/uts/common/inet/sctp/sctp_bind.c
+++ b/usr/src/uts/common/inet/sctp/sctp_bind.c
@@ -56,6 +56,7 @@ static int
sctp_select_port(sctp_t *sctp, in_port_t *requested_port, int *user_specified)
{
sctp_stack_t *sctps = sctp->sctp_sctps;
+ conn_t *connp = sctp->sctp_connp;
/*
* Get a valid port (within the anonymous range and should not
@@ -68,7 +69,7 @@ sctp_select_port(sctp_t *sctp, in_port_t *requested_port, int *user_specified)
if (*requested_port == 0) {
*requested_port = sctp_update_next_port(
sctps->sctps_next_port_to_try,
- crgetzone(sctp->sctp_credp), sctps);
+ crgetzone(connp->conn_cred), sctps);
if (*requested_port == 0)
return (EACCES);
*user_specified = 0;
@@ -101,7 +102,7 @@ sctp_select_port(sctp_t *sctp, in_port_t *requested_port, int *user_specified)
* sctp_bind() should take a cred_t argument so that
* we can use it here.
*/
- if (secpolicy_net_privaddr(sctp->sctp_credp,
+ if (secpolicy_net_privaddr(connp->conn_cred,
*requested_port, IPPROTO_SCTP) != 0) {
dprint(1,
("sctp_bind(x): no prive for port %d",
@@ -120,6 +121,7 @@ sctp_listen(sctp_t *sctp)
{
sctp_tf_t *tf;
sctp_stack_t *sctps = sctp->sctp_sctps;
+ conn_t *connp = sctp->sctp_connp;
RUN_SCTP(sctp);
/*
@@ -138,7 +140,7 @@ sctp_listen(sctp_t *sctp)
int ret;
bzero(&ss, sizeof (ss));
- ss.ss_family = sctp->sctp_family;
+ ss.ss_family = connp->conn_family;
WAKE_SCTP(sctp);
if ((ret = sctp_bind(sctp, (struct sockaddr *)&ss,
@@ -147,12 +149,18 @@ sctp_listen(sctp_t *sctp)
RUN_SCTP(sctp)
}
+ /* Cache things in the ixa without any refhold */
+ connp->conn_ixa->ixa_cred = connp->conn_cred;
+ connp->conn_ixa->ixa_cpid = connp->conn_cpid;
+ if (is_system_labeled())
+ connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
+
sctp->sctp_state = SCTPS_LISTEN;
(void) random_get_pseudo_bytes(sctp->sctp_secret, SCTP_SECRET_LEN);
sctp->sctp_last_secret_update = lbolt64;
bzero(sctp->sctp_old_secret, SCTP_SECRET_LEN);
tf = &sctps->sctps_listen_fanout[SCTP_LISTEN_HASH(
- ntohs(sctp->sctp_lport))];
+ ntohs(connp->conn_lport))];
sctp_listen_hash_insert(tf, sctp);
WAKE_SCTP(sctp);
return (0);
@@ -170,6 +178,10 @@ sctp_bind(sctp_t *sctp, struct sockaddr *sa, socklen_t len)
in_port_t requested_port;
in_port_t allocated_port;
int err = 0;
+ conn_t *connp = sctp->sctp_connp;
+ uint_t scope_id;
+ sin_t *sin;
+ sin6_t *sin6;
ASSERT(sctp != NULL);
@@ -188,25 +200,35 @@ sctp_bind(sctp_t *sctp, struct sockaddr *sa, socklen_t len)
switch (sa->sa_family) {
case AF_INET:
+ sin = (sin_t *)sa;
if (len < sizeof (struct sockaddr_in) ||
- sctp->sctp_family == AF_INET6) {
+ connp->conn_family == AF_INET6) {
err = EINVAL;
goto done;
}
- requested_port = ntohs(((struct sockaddr_in *)sa)->sin_port);
+ requested_port = ntohs(sin->sin_port);
break;
case AF_INET6:
+ sin6 = (sin6_t *)sa;
if (len < sizeof (struct sockaddr_in6) ||
- sctp->sctp_family == AF_INET) {
+ connp->conn_family == AF_INET) {
err = EINVAL;
goto done;
}
- requested_port = ntohs(((struct sockaddr_in6 *)sa)->sin6_port);
+ requested_port = ntohs(sin6->sin6_port);
/* Set the flowinfo. */
- sctp->sctp_ip6h->ip6_vcf =
- (IPV6_DEFAULT_VERS_AND_FLOW & IPV6_VERS_AND_FLOW_MASK) |
- (((struct sockaddr_in6 *)sa)->sin6_flowinfo &
- ~IPV6_VERS_AND_FLOW_MASK);
+ connp->conn_flowinfo =
+ sin6->sin6_flowinfo & ~IPV6_VERS_AND_FLOW_MASK;
+
+ scope_id = sin6->sin6_scope_id;
+ if (scope_id != 0 && IN6_IS_ADDR_LINKSCOPE(&sin6->sin6_addr)) {
+ connp->conn_ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ connp->conn_ixa->ixa_scopeid = scope_id;
+ connp->conn_incoming_ifindex = scope_id;
+ } else {
+ connp->conn_ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
+ connp->conn_incoming_ifindex = connp->conn_bound_if;
+ }
break;
default:
err = EAFNOSUPPORT;
@@ -247,7 +269,7 @@ sctp_bindx(sctp_t *sctp, const void *addrs, int addrcnt, int bindop)
switch (bindop) {
case SCTP_BINDX_ADD_ADDR:
return (sctp_bind_add(sctp, addrs, addrcnt, B_FALSE,
- sctp->sctp_lport));
+ sctp->sctp_connp->conn_lport));
case SCTP_BINDX_REM_ADDR:
return (sctp_bind_del(sctp, addrs, addrcnt, B_FALSE));
default:
@@ -265,6 +287,7 @@ sctp_bind_add(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
int err = 0;
boolean_t do_asconf = B_FALSE;
sctp_stack_t *sctps = sctp->sctp_sctps;
+ conn_t *connp = sctp->sctp_connp;
if (!caller_hold_lock)
RUN_SCTP(sctp);
@@ -329,7 +352,7 @@ sctp_bind_add(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
return (err);
}
ASSERT(addrlist != NULL);
- (*cl_sctp_check_addrs)(sctp->sctp_family, port, &addrlist,
+ (*cl_sctp_check_addrs)(connp->conn_family, port, &addrlist,
size, &addrcnt, unspec == 1);
if (addrcnt == 0) {
/* We free the list */
@@ -345,8 +368,8 @@ sctp_bind_add(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
err = sctp_valid_addr_list(sctp, addrlist, addrcnt, llist,
lsize);
if (err == 0 && do_listen) {
- (*cl_sctp_listen)(sctp->sctp_family, llist,
- addrcnt, sctp->sctp_lport);
+ (*cl_sctp_listen)(connp->conn_family, llist,
+ addrcnt, connp->conn_lport);
/* list will be freed by the clustering module */
} else if (err != 0 && llist != NULL) {
kmem_free(llist, lsize);
@@ -373,8 +396,6 @@ sctp_bind_add(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
}
if (!caller_hold_lock)
WAKE_SCTP(sctp);
- if (do_asconf)
- sctp_process_sendq(sctp);
return (0);
}
@@ -390,6 +411,7 @@ sctp_bind_del(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
uchar_t *ulist = NULL;
size_t usize = 0;
sctp_stack_t *sctps = sctp->sctp_sctps;
+ conn_t *connp = sctp->sctp_connp;
if (!caller_hold_lock)
RUN_SCTP(sctp);
@@ -439,14 +461,12 @@ sctp_bind_del(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
/* ulist will be non-NULL only if cl_sctp_unlisten is non-NULL */
if (ulist != NULL) {
ASSERT(cl_sctp_unlisten != NULL);
- (*cl_sctp_unlisten)(sctp->sctp_family, ulist, addrcnt,
- sctp->sctp_lport);
+ (*cl_sctp_unlisten)(connp->conn_family, ulist, addrcnt,
+ connp->conn_lport);
/* ulist will be freed by the clustering module */
}
if (!caller_hold_lock)
WAKE_SCTP(sctp);
- if (do_asconf)
- sctp_process_sendq(sctp);
return (error);
}
@@ -473,9 +493,10 @@ sctp_bindi(sctp_t *sctp, in_port_t port, boolean_t bind_to_req_port_only,
int count = 0;
/* maximum number of times to run around the loop */
int loopmax;
- zoneid_t zoneid = sctp->sctp_zoneid;
- zone_t *zone = crgetzone(sctp->sctp_credp);
sctp_stack_t *sctps = sctp->sctp_sctps;
+ conn_t *connp = sctp->sctp_connp;
+ zone_t *zone = crgetzone(connp->conn_cred);
+ zoneid_t zoneid = connp->conn_zoneid;
/*
* Lookup for free addresses is done in a loop and "loopmax"
@@ -523,8 +544,9 @@ sctp_bindi(sctp_t *sctp, in_port_t port, boolean_t bind_to_req_port_only,
mutex_enter(&tbf->tf_lock);
for (lsctp = tbf->tf_sctp; lsctp != NULL;
lsctp = lsctp->sctp_bind_hash) {
+ conn_t *lconnp = lsctp->sctp_connp;
- if (lport != lsctp->sctp_lport ||
+ if (lport != lconnp->conn_lport ||
lsctp->sctp_state < SCTPS_BOUND)
continue;
@@ -534,14 +556,14 @@ sctp_bindi(sctp_t *sctp, in_port_t port, boolean_t bind_to_req_port_only,
* privilege as being in all zones, as there's
* otherwise no way to identify the right receiver.
*/
- if (lsctp->sctp_zoneid != zoneid &&
- lsctp->sctp_mac_mode == CONN_MAC_DEFAULT &&
- sctp->sctp_mac_mode == CONN_MAC_DEFAULT)
+ if (lconnp->conn_zoneid != zoneid &&
+ lconnp->conn_mac_mode == CONN_MAC_DEFAULT &&
+ connp->conn_mac_mode == CONN_MAC_DEFAULT)
continue;
addrcmp = sctp_compare_saddrs(sctp, lsctp);
if (addrcmp != SCTP_ADDR_DISJOINT) {
- if (!sctp->sctp_reuseaddr) {
+ if (!connp->conn_reuseaddr) {
/* in use */
break;
} else if (lsctp->sctp_state == SCTPS_BOUND ||
@@ -563,10 +585,9 @@ sctp_bindi(sctp_t *sctp, in_port_t port, boolean_t bind_to_req_port_only,
/* The port number is busy */
mutex_exit(&tbf->tf_lock);
} else {
- conn_t *connp = sctp->sctp_connp;
-
if (is_system_labeled()) {
mlp_type_t addrtype, mlptype;
+ uint_t ipversion;
/*
* On a labeled system we must check the type
@@ -575,11 +596,16 @@ sctp_bindi(sctp_t *sctp, in_port_t port, boolean_t bind_to_req_port_only,
* and that the user's requested binding
* is permitted.
*/
+ if (connp->conn_family == AF_INET)
+ ipversion = IPV4_VERSION;
+ else
+ ipversion = IPV6_VERSION;
+
addrtype = tsol_mlp_addr_type(
connp->conn_allzones ? ALL_ZONES :
zone->zone_id,
- sctp->sctp_ipversion,
- sctp->sctp_ipversion == IPV4_VERSION ?
+ ipversion,
+ connp->conn_family == AF_INET ?
(void *)&sctp->sctp_ipha->ipha_src :
(void *)&sctp->sctp_ip6h->ip6_src,
sctps->sctps_netstack->netstack_ip);
@@ -631,8 +657,7 @@ sctp_bindi(sctp_t *sctp, in_port_t port, boolean_t bind_to_req_port_only,
* number.
*/
sctp->sctp_state = SCTPS_BOUND;
- sctp->sctp_lport = lport;
- sctp->sctp_sctph->sh_sport = lport;
+ connp->conn_lport = lport;
ASSERT(&sctps->sctps_bind_fanout[
SCTP_BIND_HASH(port)] == tbf);
diff --git a/usr/src/uts/common/inet/sctp/sctp_common.c b/usr/src/uts/common/inet/sctp/sctp_common.c
index 3486ba1150..b518eb3981 100644
--- a/usr/src/uts/common/inet/sctp/sctp_common.c
+++ b/usr/src/uts/common/inet/sctp/sctp_common.c
@@ -44,6 +44,8 @@
#include <inet/ip.h>
#include <inet/ip6.h>
#include <inet/ip_ire.h>
+#include <inet/ip_if.h>
+#include <inet/ip_ndp.h>
#include <inet/mib2.h>
#include <inet/nd.h>
#include <inet/optcom.h>
@@ -57,7 +59,7 @@
static struct kmem_cache *sctp_kmem_faddr_cache;
static void sctp_init_faddr(sctp_t *, sctp_faddr_t *, in6_addr_t *, mblk_t *);
-/* Set the source address. Refer to comments in sctp_get_ire(). */
+/* Set the source address. Refer to comments in sctp_get_dest(). */
void
sctp_set_saddr(sctp_t *sctp, sctp_faddr_t *fp)
{
@@ -68,7 +70,7 @@ sctp_set_saddr(sctp_t *sctp, sctp_faddr_t *fp)
/*
* If there is no source address avaialble, mark this peer address
* as unreachable for now. When the heartbeat timer fires, it will
- * call sctp_get_ire() to re-check if there is any source address
+ * call sctp_get_dest() to re-check if there is any source address
* available.
*/
if (!addr_set)
@@ -76,25 +78,31 @@ sctp_set_saddr(sctp_t *sctp, sctp_faddr_t *fp)
}
/*
- * Call this function to update the cached IRE of a peer addr fp.
+ * Call this function to get information about a peer addr fp.
+ *
+ * Uses ip_attr_connect to avoid explicit use of ire and source address
+ * selection.
*/
void
-sctp_get_ire(sctp_t *sctp, sctp_faddr_t *fp)
+sctp_get_dest(sctp_t *sctp, sctp_faddr_t *fp)
{
- ire_t *ire;
- ipaddr_t addr4;
in6_addr_t laddr;
+ in6_addr_t nexthop;
sctp_saddr_ipif_t *sp;
int hdrlen;
- ts_label_t *tsl;
sctp_stack_t *sctps = sctp->sctp_sctps;
- ip_stack_t *ipst = sctps->sctps_netstack->netstack_ip;
+ conn_t *connp = sctp->sctp_connp;
+ iulp_t uinfo;
+ uint_t pmtu;
+ int error;
+ uint32_t flags = IPDF_VERIFY_DST | IPDF_IPSEC |
+ IPDF_SELECT_SRC | IPDF_UNIQUE_DCE;
- /* Remove the previous cache IRE */
- if ((ire = fp->ire) != NULL) {
- IRE_REFRELE_NOTR(ire);
- fp->ire = NULL;
- }
+ /*
+ * Tell sctp_make_mp it needs to call us again should we not
+ * complete and set the saddr.
+ */
+ fp->saddr = ipv6_all_zeros;
/*
* If this addr is not reachable, mark it as unconfirmed for now, the
@@ -105,29 +113,28 @@ sctp_get_ire(sctp_t *sctp, sctp_faddr_t *fp)
fp->state = SCTP_FADDRS_UNCONFIRMED;
}
- tsl = crgetlabel(CONN_CRED(sctp->sctp_connp));
+ /*
+ * Socket is connected - enable PMTU discovery.
+ */
+ if (!sctps->sctps_ignore_path_mtu)
+ fp->ixa->ixa_flags |= IXAF_PMTU_DISCOVERY;
- if (fp->isv4) {
- IN6_V4MAPPED_TO_IPADDR(&fp->faddr, addr4);
- ire = ire_cache_lookup(addr4, sctp->sctp_zoneid, tsl, ipst);
- if (ire != NULL)
- IN6_IPADDR_TO_V4MAPPED(ire->ire_src_addr, &laddr);
- } else {
- ire = ire_cache_lookup_v6(&fp->faddr, sctp->sctp_zoneid, tsl,
- ipst);
- if (ire != NULL)
- laddr = ire->ire_src_addr_v6;
- }
+ ip_attr_nexthop(&connp->conn_xmit_ipp, fp->ixa, &fp->faddr,
+ &nexthop);
- if (ire == NULL) {
- dprint(3, ("ire2faddr: no ire for %x:%x:%x:%x\n",
+ laddr = fp->saddr;
+ error = ip_attr_connect(connp, fp->ixa, &laddr, &fp->faddr, &nexthop,
+ connp->conn_fport, &laddr, &uinfo, flags);
+
+ if (error != 0) {
+ dprint(3, ("sctp_get_dest: no ire for %x:%x:%x:%x\n",
SCTP_PRINTADDR(fp->faddr)));
/*
* It is tempting to just leave the src addr
* unspecified and let IP figure it out, but we
* *cannot* do this, since IP may choose a src addr
* that is not part of this association... unless
- * this sctp has bound to all addrs. So if the ire
+ * this sctp has bound to all addrs. So if the dest
* lookup fails, try to find one in our src addr
* list, unless the sctp has bound to all addrs, in
* which case we change the src addr to unspec.
@@ -144,56 +151,44 @@ sctp_get_ire(sctp_t *sctp, sctp_faddr_t *fp)
return;
goto check_current;
}
+ ASSERT(fp->ixa->ixa_ire != NULL);
+ ASSERT(!(fp->ixa->ixa_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)));
+
+ if (!sctp->sctp_loopback)
+ sctp->sctp_loopback = uinfo.iulp_loopback;
/* Make sure the laddr is part of this association */
- if ((sp = sctp_saddr_lookup(sctp, &ire->ire_ipif->ipif_v6lcl_addr,
- 0)) != NULL && !sp->saddr_ipif_dontsrc) {
+ if ((sp = sctp_saddr_lookup(sctp, &laddr, 0)) != NULL &&
+ !sp->saddr_ipif_dontsrc) {
if (sp->saddr_ipif_unconfirmed == 1)
sp->saddr_ipif_unconfirmed = 0;
+ /* We did IPsec policy lookup for laddr already */
fp->saddr = laddr;
} else {
- dprint(2, ("ire2faddr: src addr is not part of assc\n"));
+ dprint(2, ("sctp_get_dest: src addr is not part of assoc "
+ "%x:%x:%x:%x\n", SCTP_PRINTADDR(laddr)));
/*
* Set the src to the first saddr and hope for the best.
- * Note that we will still do the ire caching below.
- * Otherwise, whenever we send a packet, we need to do
- * the ire lookup again and still may not get the correct
- * source address. Note that this case should very seldomly
+ * Note that this case should very seldomly
* happen. One scenario this can happen is an app
* explicitly bind() to an address. But that address is
* not the preferred source address to send to the peer.
*/
sctp_set_saddr(sctp, fp);
if (fp->state == SCTP_FADDRS_UNREACH) {
- IRE_REFRELE(ire);
return;
}
}
/*
- * Note that ire_cache_lookup_*() returns an ire with the tracing
- * bits enabled. This requires the thread holding the ire also
- * do the IRE_REFRELE(). Thus we need to do IRE_REFHOLD_NOTR()
- * and then IRE_REFRELE() the ire here to make the tracing bits
- * work.
- */
- IRE_REFHOLD_NOTR(ire);
- IRE_REFRELE(ire);
-
- /* Cache the IRE */
- fp->ire = ire;
- if (fp->ire->ire_type == IRE_LOOPBACK && !sctp->sctp_loopback)
- sctp->sctp_loopback = 1;
-
- /*
* Pull out RTO information for this faddr and use it if we don't
* have any yet.
*/
- if (fp->srtt == -1 && ire->ire_uinfo.iulp_rtt != 0) {
+ if (fp->srtt == -1 && uinfo.iulp_rtt != 0) {
/* The cached value is in ms. */
- fp->srtt = MSEC_TO_TICK(ire->ire_uinfo.iulp_rtt);
- fp->rttvar = MSEC_TO_TICK(ire->ire_uinfo.iulp_rtt_sd);
+ fp->srtt = MSEC_TO_TICK(uinfo.iulp_rtt);
+ fp->rttvar = MSEC_TO_TICK(uinfo.iulp_rtt_sd);
fp->rto = 3 * fp->srtt;
/* Bound the RTO by configured min and max values */
@@ -205,6 +200,7 @@ sctp_get_ire(sctp_t *sctp, sctp_faddr_t *fp)
}
SCTP_MAX_RTO(sctp, fp);
}
+ pmtu = uinfo.iulp_mtu;
/*
* Record the MTU for this faddr. If the MTU for this faddr has
@@ -215,9 +211,9 @@ sctp_get_ire(sctp_t *sctp, sctp_faddr_t *fp)
} else {
hdrlen = sctp->sctp_hdr6_len;
}
- if ((fp->sfa_pmss + hdrlen) != ire->ire_max_frag) {
+ if ((fp->sfa_pmss + hdrlen) != pmtu) {
/* Make sure that sfa_pmss is a multiple of SCTP_ALIGN. */
- fp->sfa_pmss = (ire->ire_max_frag - hdrlen) & ~(SCTP_ALIGN - 1);
+ fp->sfa_pmss = (pmtu - hdrlen) & ~(SCTP_ALIGN - 1);
if (fp->cwnd < (fp->sfa_pmss * 2)) {
SET_CWND(fp, fp->sfa_pmss,
sctps->sctps_slow_start_initial);
@@ -230,28 +226,16 @@ check_current:
}
void
-sctp_update_ire(sctp_t *sctp)
+sctp_update_dce(sctp_t *sctp)
{
- ire_t *ire;
sctp_faddr_t *fp;
sctp_stack_t *sctps = sctp->sctp_sctps;
+ iulp_t uinfo;
+ ip_stack_t *ipst = sctps->sctps_netstack->netstack_ip;
+ uint_t ifindex;
for (fp = sctp->sctp_faddrs; fp != NULL; fp = fp->next) {
- if ((ire = fp->ire) == NULL)
- continue;
- mutex_enter(&ire->ire_lock);
-
- /*
- * If the cached IRE is going away, there is no point to
- * update it.
- */
- if (ire->ire_marks & IRE_MARK_CONDEMNED) {
- mutex_exit(&ire->ire_lock);
- IRE_REFRELE_NOTR(ire);
- fp->ire = NULL;
- continue;
- }
-
+ bzero(&uinfo, sizeof (uinfo));
/*
* Only record the PMTU for this faddr if we actually have
* done discovery. This prevents initialized default from
@@ -259,70 +243,60 @@ sctp_update_ire(sctp_t *sctp)
*/
if (fp->pmtu_discovered) {
if (fp->isv4) {
- ire->ire_max_frag = fp->sfa_pmss +
+ uinfo.iulp_mtu = fp->sfa_pmss +
sctp->sctp_hdr_len;
} else {
- ire->ire_max_frag = fp->sfa_pmss +
+ uinfo.iulp_mtu = fp->sfa_pmss +
sctp->sctp_hdr6_len;
}
}
-
if (sctps->sctps_rtt_updates != 0 &&
fp->rtt_updates >= sctps->sctps_rtt_updates) {
/*
- * If there is no old cached values, initialize them
- * conservatively. Set them to be (1.5 * new value).
- * This code copied from ip_ire_advise(). The cached
- * value is in ms.
+ * dce_update_uinfo() merges these values with the
+ * old values.
*/
- if (ire->ire_uinfo.iulp_rtt != 0) {
- ire->ire_uinfo.iulp_rtt =
- (ire->ire_uinfo.iulp_rtt +
- TICK_TO_MSEC(fp->srtt)) >> 1;
- } else {
- ire->ire_uinfo.iulp_rtt =
- TICK_TO_MSEC(fp->srtt + (fp->srtt >> 1));
- }
- if (ire->ire_uinfo.iulp_rtt_sd != 0) {
- ire->ire_uinfo.iulp_rtt_sd =
- (ire->ire_uinfo.iulp_rtt_sd +
- TICK_TO_MSEC(fp->rttvar)) >> 1;
+ uinfo.iulp_rtt = TICK_TO_MSEC(fp->srtt);
+ uinfo.iulp_rtt_sd = TICK_TO_MSEC(fp->rttvar);
+ fp->rtt_updates = 0;
+ }
+ ifindex = 0;
+ if (IN6_IS_ADDR_LINKSCOPE(&fp->faddr)) {
+ /*
+ * If we are going to create a DCE we'd better have
+ * an ifindex
+ */
+ if (fp->ixa->ixa_nce != NULL) {
+ ifindex = fp->ixa->ixa_nce->nce_common->
+ ncec_ill->ill_phyint->phyint_ifindex;
} else {
- ire->ire_uinfo.iulp_rtt_sd =
- TICK_TO_MSEC(fp->rttvar +
- (fp->rttvar >> 1));
+ continue;
}
- fp->rtt_updates = 0;
}
- mutex_exit(&ire->ire_lock);
+
+ (void) dce_update_uinfo(&fp->faddr, ifindex, &uinfo, ipst);
}
}
/*
- * The sender must set the total length in the IP header.
- * If sendto == NULL, the current will be used.
+ * The sender must later set the total length in the IP header.
*/
mblk_t *
-sctp_make_mp(sctp_t *sctp, sctp_faddr_t *sendto, int trailer)
+sctp_make_mp(sctp_t *sctp, sctp_faddr_t *fp, int trailer)
{
mblk_t *mp;
size_t ipsctplen;
int isv4;
- sctp_faddr_t *fp;
sctp_stack_t *sctps = sctp->sctp_sctps;
boolean_t src_changed = B_FALSE;
- ASSERT(sctp->sctp_current != NULL || sendto != NULL);
- if (sendto == NULL) {
- fp = sctp->sctp_current;
- } else {
- fp = sendto;
- }
+ ASSERT(fp != NULL);
isv4 = fp->isv4;
- /* Try to look for another IRE again. */
- if (fp->ire == NULL) {
- sctp_get_ire(sctp, fp);
+ if (SCTP_IS_ADDR_UNSPEC(isv4, fp->saddr) ||
+ (fp->ixa->ixa_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))) {
+ /* Need to pick a source */
+ sctp_get_dest(sctp, fp);
/*
* Although we still may not get an IRE, the source address
* may be changed in sctp_get_ire(). Set src_changed to
@@ -334,7 +308,9 @@ sctp_make_mp(sctp_t *sctp, sctp_faddr_t *sendto, int trailer)
/* There is no suitable source address to use, return. */
if (fp->state == SCTP_FADDRS_UNREACH)
return (NULL);
- ASSERT(!SCTP_IS_ADDR_UNSPEC(fp->isv4, fp->saddr));
+
+ ASSERT(fp->ixa->ixa_ire != NULL);
+ ASSERT(!SCTP_IS_ADDR_UNSPEC(isv4, fp->saddr));
if (isv4) {
ipsctplen = sctp->sctp_hdr_len;
@@ -342,8 +318,7 @@ sctp_make_mp(sctp_t *sctp, sctp_faddr_t *sendto, int trailer)
ipsctplen = sctp->sctp_hdr6_len;
}
- mp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra + trailer,
- CONN_CRED(sctp->sctp_connp), sctp->sctp_cpid);
+ mp = allocb(ipsctplen + sctps->sctps_wroff_xtra + trailer, BPRI_MED);
if (mp == NULL) {
ip1dbg(("sctp_make_mp: error making mp..\n"));
return (NULL);
@@ -377,18 +352,6 @@ sctp_make_mp(sctp_t *sctp, sctp_faddr_t *sendto, int trailer)
}
}
ASSERT(sctp->sctp_connp != NULL);
-
- /*
- * IP will not free this IRE if it is condemned. SCTP needs to
- * free it.
- */
- if ((fp->ire != NULL) && (fp->ire->ire_marks & IRE_MARK_CONDEMNED)) {
- IRE_REFRELE_NOTR(fp->ire);
- fp->ire = NULL;
- }
- /* Stash the conn and ire ptr info. for IP */
- SCTP_STASH_IPINFO(mp, fp->ire);
-
return (mp);
}
@@ -410,17 +373,22 @@ sctp_set_ulp_prop(sctp_t *sctp)
}
ASSERT(sctp->sctp_ulpd);
+ sctp->sctp_connp->conn_wroff = sctps->sctps_wroff_xtra + hdrlen +
+ sizeof (sctp_data_hdr_t);
+
ASSERT(sctp->sctp_current->sfa_pmss == sctp->sctp_mss);
bzero(&sopp, sizeof (sopp));
sopp.sopp_flags = SOCKOPT_MAXBLK|SOCKOPT_WROFF;
- sopp.sopp_wroff = sctps->sctps_wroff_xtra + hdrlen +
- sizeof (sctp_data_hdr_t);
+ sopp.sopp_wroff = sctp->sctp_connp->conn_wroff;
sopp.sopp_maxblk = sctp->sctp_mss - sizeof (sctp_data_hdr_t);
sctp->sctp_ulp_prop(sctp->sctp_ulpd, &sopp);
}
+/*
+ * Set the lengths in the packet and the transmit attributes.
+ */
void
-sctp_set_iplen(sctp_t *sctp, mblk_t *mp)
+sctp_set_iplen(sctp_t *sctp, mblk_t *mp, ip_xmit_attr_t *ixa)
{
uint16_t sum = 0;
ipha_t *iph;
@@ -432,19 +400,15 @@ sctp_set_iplen(sctp_t *sctp, mblk_t *mp)
for (; pmp; pmp = pmp->b_cont)
sum += pmp->b_wptr - pmp->b_rptr;
+ ixa->ixa_pktlen = sum;
if (isv4) {
iph = (ipha_t *)mp->b_rptr;
iph->ipha_length = htons(sum);
+ ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr_len;
} else {
ip6h = (ip6_t *)mp->b_rptr;
- /*
- * If an ip6i_t is present, the real IPv6 header
- * immediately follows.
- */
- if (ip6h->ip6_nxt == IPPROTO_RAW)
- ip6h = (ip6_t *)&ip6h[1];
- ip6h->ip6_plen = htons(sum - ((char *)&sctp->sctp_ip6h[1] -
- sctp->sctp_iphc6));
+ ip6h->ip6_plen = htons(sum - IPV6_HDR_LEN);
+ ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr6_len;
}
}
@@ -501,21 +465,21 @@ sctp_add_faddr(sctp_t *sctp, in6_addr_t *addr, int sleep, boolean_t first)
sctp_faddr_t *faddr;
mblk_t *timer_mp;
int err;
+ conn_t *connp = sctp->sctp_connp;
if (is_system_labeled()) {
- cred_t *effective_cred;
+ ip_xmit_attr_t *ixa = connp->conn_ixa;
+ ts_label_t *effective_tsl = NULL;
+
+ ASSERT(ixa->ixa_tsl != NULL);
/*
* Verify the destination is allowed to receive packets
* at the security label of the connection we are initiating.
*
- * tsol_check_dest() will create a new effective cred for
+ * tsol_check_dest() will create a new effective label for
* this connection with a modified label or label flags only
- * if there are changes from the original cred.
- *
- * conn_effective_cred may be non-NULL if a previous
- * faddr was already added or if this is a server
- * accepting a connection on a multi-label port.
+ * if there are changes from the original label.
*
* Accept whatever label we get if this is the first
* destination address for this connection. The security
@@ -525,27 +489,28 @@ sctp_add_faddr(sctp_t *sctp, in6_addr_t *addr, int sleep, boolean_t first)
if (IN6_IS_ADDR_V4MAPPED(addr)) {
uint32_t dst;
IN6_V4MAPPED_TO_IPADDR(addr, dst);
- err = tsol_check_dest(CONN_CRED(sctp->sctp_connp),
- &dst, IPV4_VERSION, sctp->sctp_mac_mode,
- &effective_cred);
+ err = tsol_check_dest(ixa->ixa_tsl,
+ &dst, IPV4_VERSION, connp->conn_mac_mode,
+ connp->conn_zone_is_global, &effective_tsl);
} else {
- err = tsol_check_dest(CONN_CRED(sctp->sctp_connp),
- addr, IPV6_VERSION, sctp->sctp_mac_mode,
- &effective_cred);
+ err = tsol_check_dest(ixa->ixa_tsl,
+ addr, IPV6_VERSION, connp->conn_mac_mode,
+ connp->conn_zone_is_global, &effective_tsl);
}
if (err != 0)
return (err);
- if (sctp->sctp_faddrs == NULL &&
- sctp->sctp_connp->conn_effective_cred == NULL) {
- sctp->sctp_connp->conn_effective_cred = effective_cred;
- } else if (effective_cred != NULL) {
- crfree(effective_cred);
+
+ if (sctp->sctp_faddrs == NULL && effective_tsl != NULL) {
+ ip_xmit_attr_replace_tsl(ixa, effective_tsl);
+ } else if (effective_tsl != NULL) {
+ label_rele(effective_tsl);
return (EHOSTUNREACH);
}
}
if ((faddr = kmem_cache_alloc(sctp_kmem_faddr_cache, sleep)) == NULL)
return (ENOMEM);
+ bzero(faddr, sizeof (*faddr));
timer_mp = sctp_timer_alloc((sctp), sctp_rexmit_timer, sleep);
if (timer_mp == NULL) {
kmem_cache_free(sctp_kmem_faddr_cache, faddr);
@@ -553,16 +518,19 @@ sctp_add_faddr(sctp_t *sctp, in6_addr_t *addr, int sleep, boolean_t first)
}
((sctpt_t *)(timer_mp->b_rptr))->sctpt_faddr = faddr;
- sctp_init_faddr(sctp, faddr, addr, timer_mp);
-
- /* Check for subnet broadcast. */
- if (faddr->ire != NULL && faddr->ire->ire_type & IRE_BROADCAST) {
- IRE_REFRELE_NOTR(faddr->ire);
- sctp_timer_free(timer_mp);
- faddr->timer_mp = NULL;
+ /* Start with any options set on the conn */
+ faddr->ixa = conn_get_ixa_exclusive(connp);
+ if (faddr->ixa == NULL) {
+ freemsg(timer_mp);
kmem_cache_free(sctp_kmem_faddr_cache, faddr);
- return (EADDRNOTAVAIL);
+ return (ENOMEM);
}
+ faddr->ixa->ixa_notify_cookie = connp->conn_sctp;
+
+ sctp_init_faddr(sctp, faddr, addr, timer_mp);
+ ASSERT(faddr->ixa->ixa_cred != NULL);
+
+ /* ip_attr_connect didn't allow broadcats/multicast dest */
ASSERT(faddr->next == NULL);
if (sctp->sctp_faddrs == NULL) {
@@ -644,7 +612,7 @@ sctp_redo_faddr_srcs(sctp_t *sctp)
sctp_faddr_t *fp;
for (fp = sctp->sctp_faddrs; fp != NULL; fp = fp->next) {
- sctp_get_ire(sctp, fp);
+ sctp_get_dest(sctp, fp);
}
}
@@ -662,15 +630,17 @@ sctp_faddr_alive(sctp_t *sctp, sctp_faddr_t *fp)
fp->state = SCTP_FADDRS_ALIVE;
sctp_intf_event(sctp, fp->faddr, SCTP_ADDR_AVAILABLE, 0);
/* Should have a full IRE now */
- sctp_get_ire(sctp, fp);
+ sctp_get_dest(sctp, fp);
/*
* If this is the primary, switch back to it now. And
* we probably want to reset the source addr used to reach
* it.
+ * Note that if we didn't find a source in sctp_get_dest
+ * then we'd be unreachable at this point in time.
*/
- if (fp == sctp->sctp_primary) {
- ASSERT(fp->state != SCTP_FADDRS_UNREACH);
+ if (fp == sctp->sctp_primary &&
+ fp->state != SCTP_FADDRS_UNREACH) {
sctp_set_faddr_current(sctp, fp);
return;
}
@@ -816,9 +786,9 @@ sctp_unlink_faddr(sctp_t *sctp, sctp_faddr_t *fp)
fp->rc_timer_mp = NULL;
fp->rc_timer_running = 0;
}
- if (fp->ire != NULL) {
- IRE_REFRELE_NOTR(fp->ire);
- fp->ire = NULL;
+ if (fp->ixa != NULL) {
+ ixa_refrele(fp->ixa);
+ fp->ixa = NULL;
}
if (fp == sctp->sctp_faddrs) {
@@ -837,7 +807,6 @@ gotit:
fpp->next = fp->next;
}
mutex_exit(&sctp->sctp_conn_tfp->tf_lock);
- /* XXX faddr2ire? */
kmem_cache_free(sctp_kmem_faddr_cache, fp);
sctp->sctp_nfaddrs--;
}
@@ -866,8 +835,10 @@ sctp_zap_faddrs(sctp_t *sctp, int caller_holds_lock)
for (fp = sctp->sctp_faddrs; fp; fp = fpn) {
fpn = fp->next;
- if (fp->ire != NULL)
- IRE_REFRELE_NOTR(fp->ire);
+ if (fp->ixa != NULL) {
+ ixa_refrele(fp->ixa);
+ fp->ixa = NULL;
+ }
kmem_cache_free(sctp_kmem_faddr_cache, fp);
sctp->sctp_nfaddrs--;
}
@@ -888,242 +859,177 @@ sctp_zap_addrs(sctp_t *sctp)
}
/*
- * Initialize the IPv4 header. Loses any record of any IP options.
+ * Build two SCTP header templates; one for IPv4 and one for IPv6.
+ * Store them in sctp_iphc and sctp_iphc6 respectively (and related fields).
+ * There are no IP addresses in the templates, but the port numbers and
+ * verifier are field in from the conn_t and sctp_t.
+ *
+ * Returns failure if can't allocate memory, or if there is a problem
+ * with a routing header/option.
+ *
+ * We allocate space for the minimum sctp header (sctp_hdr_t).
+ *
+ * We massage an routing option/header. There is no checksum implication
+ * for a routing header for sctp.
+ *
+ * Caller needs to update conn_wroff if desired.
+ *
+ * TSol notes: This assumes that a SCTP association has a single peer label
+ * since we only track a single pair of ipp_label_v4/v6 and not a separate one
+ * for each faddr.
*/
int
-sctp_header_init_ipv4(sctp_t *sctp, int sleep)
+sctp_build_hdrs(sctp_t *sctp, int sleep)
{
+ conn_t *connp = sctp->sctp_connp;
+ ip_pkt_t *ipp = &connp->conn_xmit_ipp;
+ uint_t ip_hdr_length;
+ uchar_t *hdrs;
+ uint_t hdrs_len;
+ uint_t ulp_hdr_length = sizeof (sctp_hdr_t);
+ ipha_t *ipha;
+ ip6_t *ip6h;
sctp_hdr_t *sctph;
- sctp_stack_t *sctps = sctp->sctp_sctps;
+ in6_addr_t v6src, v6dst;
+ ipaddr_t v4src, v4dst;
- /*
- * This is a simple initialization. If there's
- * already a template, it should never be too small,
- * so reuse it. Otherwise, allocate space for the new one.
- */
- if (sctp->sctp_iphc != NULL) {
- ASSERT(sctp->sctp_iphc_len >= SCTP_MAX_COMBINED_HEADER_LENGTH);
- bzero(sctp->sctp_iphc, sctp->sctp_iphc_len);
- } else {
- sctp->sctp_iphc_len = SCTP_MAX_COMBINED_HEADER_LENGTH;
- sctp->sctp_iphc = kmem_zalloc(sctp->sctp_iphc_len, sleep);
- if (sctp->sctp_iphc == NULL) {
- sctp->sctp_iphc_len = 0;
- return (ENOMEM);
- }
- }
+ v4src = connp->conn_saddr_v4;
+ v4dst = connp->conn_faddr_v4;
+ v6src = connp->conn_saddr_v6;
+ v6dst = connp->conn_faddr_v6;
- sctp->sctp_ipha = (ipha_t *)sctp->sctp_iphc;
+ /* First do IPv4 header */
+ ip_hdr_length = ip_total_hdrs_len_v4(ipp);
- sctp->sctp_hdr_len = sizeof (ipha_t) + sizeof (sctp_hdr_t);
- sctp->sctp_ip_hdr_len = sizeof (ipha_t);
- sctp->sctp_ipha->ipha_length = htons(sizeof (ipha_t) +
- sizeof (sctp_hdr_t));
- sctp->sctp_ipha->ipha_version_and_hdr_length =
- (IP_VERSION << 4) | IP_SIMPLE_HDR_LENGTH_IN_WORDS;
+ /* In case of TX label and IP options it can be too much */
+ if (ip_hdr_length > IP_MAX_HDR_LENGTH) {
+ /* Preserves existing TX errno for this */
+ return (EHOSTUNREACH);
+ }
+ hdrs_len = ip_hdr_length + ulp_hdr_length;
+ ASSERT(hdrs_len != 0);
- /*
- * These two fields should be zero, and are already set above.
- *
- * sctp->sctp_ipha->ipha_ident,
- * sctp->sctp_ipha->ipha_fragment_offset_and_flags.
- */
+ if (hdrs_len != sctp->sctp_iphc_len) {
+ /* Allocate new before we free any old */
+ hdrs = kmem_alloc(hdrs_len, sleep);
+ if (hdrs == NULL)
+ return (ENOMEM);
- sctp->sctp_ipha->ipha_ttl = sctps->sctps_ipv4_ttl;
- sctp->sctp_ipha->ipha_protocol = IPPROTO_SCTP;
+ if (sctp->sctp_iphc != NULL)
+ kmem_free(sctp->sctp_iphc, sctp->sctp_iphc_len);
+ sctp->sctp_iphc = hdrs;
+ sctp->sctp_iphc_len = hdrs_len;
+ } else {
+ hdrs = sctp->sctp_iphc;
+ }
+ sctp->sctp_hdr_len = sctp->sctp_iphc_len;
+ sctp->sctp_ip_hdr_len = ip_hdr_length;
- sctph = (sctp_hdr_t *)(sctp->sctp_iphc + sizeof (ipha_t));
+ sctph = (sctp_hdr_t *)(hdrs + ip_hdr_length);
sctp->sctp_sctph = sctph;
-
- return (0);
-}
-
-/*
- * Update sctp_sticky_hdrs based on sctp_sticky_ipp.
- * The headers include ip6i_t (if needed), ip6_t, any sticky extension
- * headers, and the maximum size sctp header (to avoid reallocation
- * on the fly for additional sctp options).
- * Returns failure if can't allocate memory.
- */
-int
-sctp_build_hdrs(sctp_t *sctp)
-{
- char *hdrs;
- uint_t hdrs_len;
- ip6i_t *ip6i;
- char buf[SCTP_MAX_HDR_LENGTH];
- ip6_pkt_t *ipp = &sctp->sctp_sticky_ipp;
- in6_addr_t src;
- in6_addr_t dst;
- sctp_stack_t *sctps = sctp->sctp_sctps;
-
- /*
- * save the existing sctp header and source/dest IP addresses
- */
- bcopy(sctp->sctp_sctph6, buf, sizeof (sctp_hdr_t));
- src = sctp->sctp_ip6h->ip6_src;
- dst = sctp->sctp_ip6h->ip6_dst;
- hdrs_len = ip_total_hdrs_len_v6(ipp) + SCTP_MAX_HDR_LENGTH;
+ sctph->sh_sport = connp->conn_lport;
+ sctph->sh_dport = connp->conn_fport;
+ sctph->sh_verf = sctp->sctp_fvtag;
+ sctph->sh_chksum = 0;
+
+ ipha = (ipha_t *)hdrs;
+ sctp->sctp_ipha = ipha;
+
+ ipha->ipha_src = v4src;
+ ipha->ipha_dst = v4dst;
+ ip_build_hdrs_v4(hdrs, ip_hdr_length, ipp, connp->conn_proto);
+ ipha->ipha_length = htons(hdrs_len);
+ ipha->ipha_fragment_offset_and_flags = 0;
+
+ if (ipp->ipp_fields & IPPF_IPV4_OPTIONS)
+ (void) ip_massage_options(ipha, connp->conn_netstack);
+
+ /* Now IPv6 */
+ ip_hdr_length = ip_total_hdrs_len_v6(ipp);
+ hdrs_len = ip_hdr_length + ulp_hdr_length;
ASSERT(hdrs_len != 0);
- if (hdrs_len > sctp->sctp_iphc6_len) {
- /* Need to reallocate */
- hdrs = kmem_zalloc(hdrs_len, KM_NOSLEEP);
+
+ if (hdrs_len != sctp->sctp_iphc6_len) {
+ /* Allocate new before we free any old */
+ hdrs = kmem_alloc(hdrs_len, sleep);
if (hdrs == NULL)
return (ENOMEM);
- if (sctp->sctp_iphc6_len != 0)
+ if (sctp->sctp_iphc6 != NULL)
kmem_free(sctp->sctp_iphc6, sctp->sctp_iphc6_len);
sctp->sctp_iphc6 = hdrs;
sctp->sctp_iphc6_len = hdrs_len;
- }
- ip_build_hdrs_v6((uchar_t *)sctp->sctp_iphc6,
- hdrs_len - SCTP_MAX_HDR_LENGTH, ipp, IPPROTO_SCTP);
-
- /* Set header fields not in ipp */
- if (ipp->ipp_fields & IPPF_HAS_IP6I) {
- ip6i = (ip6i_t *)sctp->sctp_iphc6;
- sctp->sctp_ip6h = (ip6_t *)&ip6i[1];
} else {
- sctp->sctp_ip6h = (ip6_t *)sctp->sctp_iphc6;
+ hdrs = sctp->sctp_iphc6;
}
- /*
- * sctp->sctp_ip_hdr_len will include ip6i_t if there is one.
- */
- sctp->sctp_ip_hdr6_len = hdrs_len - SCTP_MAX_HDR_LENGTH;
- sctp->sctp_sctph6 = (sctp_hdr_t *)(sctp->sctp_iphc6 +
- sctp->sctp_ip_hdr6_len);
- sctp->sctp_hdr6_len = sctp->sctp_ip_hdr6_len + sizeof (sctp_hdr_t);
-
- bcopy(buf, sctp->sctp_sctph6, sizeof (sctp_hdr_t));
+ sctp->sctp_hdr6_len = sctp->sctp_iphc6_len;
+ sctp->sctp_ip_hdr6_len = ip_hdr_length;
- sctp->sctp_ip6h->ip6_src = src;
- sctp->sctp_ip6h->ip6_dst = dst;
- /*
- * If the hoplimit was not set by ip_build_hdrs_v6(), we need to
- * set it to the default value for SCTP.
- */
- if (!(ipp->ipp_fields & IPPF_UNICAST_HOPS))
- sctp->sctp_ip6h->ip6_hops = sctps->sctps_ipv6_hoplimit;
- /*
- * If we're setting extension headers after a connection
- * has been established, and if we have a routing header
- * among the extension headers, call ip_massage_options_v6 to
- * manipulate the routing header/ip6_dst set the checksum
- * difference in the sctp header template.
- * (This happens in sctp_connect_ipv6 if the routing header
- * is set prior to the connect.)
- */
-
- if ((sctp->sctp_state >= SCTPS_COOKIE_WAIT) &&
- (sctp->sctp_sticky_ipp.ipp_fields & IPPF_RTHDR)) {
- ip6_rthdr_t *rth;
-
- rth = ip_find_rthdr_v6(sctp->sctp_ip6h,
- (uint8_t *)sctp->sctp_sctph6);
+ sctph = (sctp_hdr_t *)(hdrs + ip_hdr_length);
+ sctp->sctp_sctph6 = sctph;
+ sctph->sh_sport = connp->conn_lport;
+ sctph->sh_dport = connp->conn_fport;
+ sctph->sh_verf = sctp->sctp_fvtag;
+ sctph->sh_chksum = 0;
+
+ ip6h = (ip6_t *)hdrs;
+ sctp->sctp_ip6h = ip6h;
+
+ ip6h->ip6_src = v6src;
+ ip6h->ip6_dst = v6dst;
+ ip_build_hdrs_v6(hdrs, ip_hdr_length, ipp, connp->conn_proto,
+ connp->conn_flowinfo);
+ ip6h->ip6_plen = htons(hdrs_len - IPV6_HDR_LEN);
+
+ if (ipp->ipp_fields & IPPF_RTHDR) {
+ uint8_t *end;
+ ip6_rthdr_t *rth;
+
+ end = (uint8_t *)ip6h + ip_hdr_length;
+ rth = ip_find_rthdr_v6(ip6h, end);
if (rth != NULL) {
- (void) ip_massage_options_v6(sctp->sctp_ip6h, rth,
- sctps->sctps_netstack);
+ (void) ip_massage_options_v6(ip6h, rth,
+ connp->conn_netstack);
}
- }
- return (0);
-}
-/*
- * Initialize the IPv6 header. Loses any record of any IPv6 extension headers.
- */
-int
-sctp_header_init_ipv6(sctp_t *sctp, int sleep)
-{
- sctp_hdr_t *sctph;
- sctp_stack_t *sctps = sctp->sctp_sctps;
-
- /*
- * This is a simple initialization. If there's
- * already a template, it should never be too small,
- * so reuse it. Otherwise, allocate space for the new one.
- * Ensure that there is enough space to "downgrade" the sctp_t
- * to an IPv4 sctp_t. This requires having space for a full load
- * of IPv4 options
- */
- if (sctp->sctp_iphc6 != NULL) {
- ASSERT(sctp->sctp_iphc6_len >=
- SCTP_MAX_COMBINED_HEADER_LENGTH);
- bzero(sctp->sctp_iphc6, sctp->sctp_iphc6_len);
- } else {
- sctp->sctp_iphc6_len = SCTP_MAX_COMBINED_HEADER_LENGTH;
- sctp->sctp_iphc6 = kmem_zalloc(sctp->sctp_iphc_len, sleep);
- if (sctp->sctp_iphc6 == NULL) {
- sctp->sctp_iphc6_len = 0;
- return (ENOMEM);
- }
+ /*
+ * Verify that the first hop isn't a mapped address.
+ * Routers along the path need to do this verification
+ * for subsequent hops.
+ */
+ if (IN6_IS_ADDR_V4MAPPED(&ip6h->ip6_dst))
+ return (EADDRNOTAVAIL);
}
- sctp->sctp_hdr6_len = IPV6_HDR_LEN + sizeof (sctp_hdr_t);
- sctp->sctp_ip_hdr6_len = IPV6_HDR_LEN;
- sctp->sctp_ip6h = (ip6_t *)sctp->sctp_iphc6;
-
- /* Initialize the header template */
-
- sctp->sctp_ip6h->ip6_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
- sctp->sctp_ip6h->ip6_plen = ntohs(sizeof (sctp_hdr_t));
- sctp->sctp_ip6h->ip6_nxt = IPPROTO_SCTP;
- sctp->sctp_ip6h->ip6_hops = sctps->sctps_ipv6_hoplimit;
-
- sctph = (sctp_hdr_t *)(sctp->sctp_iphc6 + IPV6_HDR_LEN);
- sctp->sctp_sctph6 = sctph;
-
return (0);
}
static int
-sctp_v4_label(sctp_t *sctp)
+sctp_v4_label(sctp_t *sctp, sctp_faddr_t *fp)
{
- uchar_t optbuf[IP_MAX_OPT_LENGTH];
- const cred_t *cr = CONN_CRED(sctp->sctp_connp);
- int added;
+ conn_t *connp = sctp->sctp_connp;
- if (tsol_compute_label(cr, sctp->sctp_ipha->ipha_dst, optbuf,
- sctp->sctp_sctps->sctps_netstack->netstack_ip) != 0)
- return (EACCES);
-
- added = tsol_remove_secopt(sctp->sctp_ipha, sctp->sctp_hdr_len);
- if (added == -1)
- return (EACCES);
- sctp->sctp_hdr_len += added;
- sctp->sctp_sctph = (sctp_hdr_t *)((uchar_t *)sctp->sctp_sctph + added);
- sctp->sctp_ip_hdr_len += added;
- if ((sctp->sctp_v4label_len = optbuf[IPOPT_OLEN]) != 0) {
- sctp->sctp_v4label_len = (sctp->sctp_v4label_len + 3) & ~3;
- added = tsol_prepend_option(optbuf, sctp->sctp_ipha,
- sctp->sctp_hdr_len);
- if (added == -1)
- return (EACCES);
- sctp->sctp_hdr_len += added;
- sctp->sctp_sctph = (sctp_hdr_t *)((uchar_t *)sctp->sctp_sctph +
- added);
- sctp->sctp_ip_hdr_len += added;
- }
- return (0);
+ ASSERT(fp->ixa->ixa_flags & IXAF_IS_IPV4);
+ return (conn_update_label(connp, fp->ixa, &fp->faddr,
+ &connp->conn_xmit_ipp));
}
static int
-sctp_v6_label(sctp_t *sctp)
+sctp_v6_label(sctp_t *sctp, sctp_faddr_t *fp)
{
- uchar_t optbuf[TSOL_MAX_IPV6_OPTION];
- const cred_t *cr = CONN_CRED(sctp->sctp_connp);
+ conn_t *connp = sctp->sctp_connp;
- if (tsol_compute_label_v6(cr, &sctp->sctp_ip6h->ip6_dst, optbuf,
- sctp->sctp_sctps->sctps_netstack->netstack_ip) != 0)
- return (EACCES);
- if (tsol_update_sticky(&sctp->sctp_sticky_ipp, &sctp->sctp_v6label_len,
- optbuf) != 0)
- return (EACCES);
- if (sctp_build_hdrs(sctp) != 0)
- return (EACCES);
- return (0);
+ ASSERT(!(fp->ixa->ixa_flags & IXAF_IS_IPV4));
+ return (conn_update_label(connp, fp->ixa, &fp->faddr,
+ &connp->conn_xmit_ipp));
}
/*
* XXX implement more sophisticated logic
+ *
+ * Tsol note: We have already verified the addresses using tsol_check_dest
+ * in sctp_add_faddr, thus no need to redo that here.
+ * We do setup ipp_label_v4 and ipp_label_v6 based on which addresses
+ * we have.
*/
int
sctp_set_hdraddrs(sctp_t *sctp)
@@ -1131,50 +1037,43 @@ sctp_set_hdraddrs(sctp_t *sctp)
sctp_faddr_t *fp;
int gotv4 = 0;
int gotv6 = 0;
+ conn_t *connp = sctp->sctp_connp;
ASSERT(sctp->sctp_faddrs != NULL);
ASSERT(sctp->sctp_nsaddrs > 0);
/* Set up using the primary first */
+ connp->conn_faddr_v6 = sctp->sctp_primary->faddr;
+ /* saddr may be unspec; make_mp() will handle this */
+ connp->conn_saddr_v6 = sctp->sctp_primary->saddr;
+ connp->conn_laddr_v6 = connp->conn_saddr_v6;
if (IN6_IS_ADDR_V4MAPPED(&sctp->sctp_primary->faddr)) {
- IN6_V4MAPPED_TO_IPADDR(&sctp->sctp_primary->faddr,
- sctp->sctp_ipha->ipha_dst);
- /* saddr may be unspec; make_mp() will handle this */
- IN6_V4MAPPED_TO_IPADDR(&sctp->sctp_primary->saddr,
- sctp->sctp_ipha->ipha_src);
- if (!is_system_labeled() || sctp_v4_label(sctp) == 0) {
+ if (!is_system_labeled() ||
+ sctp_v4_label(sctp, sctp->sctp_primary) == 0) {
gotv4 = 1;
- if (sctp->sctp_ipversion == IPV4_VERSION) {
- goto copyports;
+ if (connp->conn_family == AF_INET) {
+ goto done;
}
}
} else {
- sctp->sctp_ip6h->ip6_dst = sctp->sctp_primary->faddr;
- /* saddr may be unspec; make_mp() will handle this */
- sctp->sctp_ip6h->ip6_src = sctp->sctp_primary->saddr;
- if (!is_system_labeled() || sctp_v6_label(sctp) == 0)
+ if (!is_system_labeled() ||
+ sctp_v6_label(sctp, sctp->sctp_primary) == 0) {
gotv6 = 1;
+ }
}
for (fp = sctp->sctp_faddrs; fp; fp = fp->next) {
if (!gotv4 && IN6_IS_ADDR_V4MAPPED(&fp->faddr)) {
- IN6_V4MAPPED_TO_IPADDR(&fp->faddr,
- sctp->sctp_ipha->ipha_dst);
- /* copy in the faddr_t's saddr */
- IN6_V4MAPPED_TO_IPADDR(&fp->saddr,
- sctp->sctp_ipha->ipha_src);
- if (!is_system_labeled() || sctp_v4_label(sctp) == 0) {
+ if (!is_system_labeled() ||
+ sctp_v4_label(sctp, fp) == 0) {
gotv4 = 1;
- if (sctp->sctp_ipversion == IPV4_VERSION ||
- gotv6) {
+ if (connp->conn_family == AF_INET || gotv6) {
break;
}
}
} else if (!gotv6 && !IN6_IS_ADDR_V4MAPPED(&fp->faddr)) {
- sctp->sctp_ip6h->ip6_dst = fp->faddr;
- /* copy in the faddr_t's saddr */
- sctp->sctp_ip6h->ip6_src = fp->saddr;
- if (!is_system_labeled() || sctp_v6_label(sctp) == 0) {
+ if (!is_system_labeled() ||
+ sctp_v6_label(sctp, fp) == 0) {
gotv6 = 1;
if (gotv4)
break;
@@ -1182,16 +1081,10 @@ sctp_set_hdraddrs(sctp_t *sctp)
}
}
-copyports:
+done:
if (!gotv4 && !gotv6)
return (EACCES);
- /* copy in the ports for good measure */
- sctp->sctp_sctph->sh_sport = sctp->sctp_lport;
- sctp->sctp_sctph->sh_dport = sctp->sctp_fport;
-
- sctp->sctp_sctph6->sh_sport = sctp->sctp_lport;
- sctp->sctp_sctph6->sh_dport = sctp->sctp_fport;
return (0);
}
@@ -1343,6 +1236,7 @@ sctp_get_addrparams(sctp_t *sctp, sctp_t *psctp, mblk_t *pkt,
boolean_t check_saddr = B_TRUE;
in6_addr_t curaddr;
sctp_stack_t *sctps = sctp->sctp_sctps;
+ conn_t *connp = sctp->sctp_connp;
if (sctp_options != NULL)
*sctp_options = 0;
@@ -1473,8 +1367,7 @@ sctp_get_addrparams(sctp_t *sctp, sctp_t *psctp, mblk_t *pkt,
if (ta == 0 ||
ta == INADDR_BROADCAST ||
ta == htonl(INADDR_LOOPBACK) ||
- CLASSD(ta) ||
- sctp->sctp_connp->conn_ipv6_v6only) {
+ CLASSD(ta) || connp->conn_ipv6_v6only) {
goto next;
}
IN6_INADDR_TO_V4MAPPED((struct in_addr *)
@@ -1492,7 +1385,7 @@ sctp_get_addrparams(sctp_t *sctp, sctp_t *psctp, mblk_t *pkt,
goto next;
}
} else if (ph->sph_type == htons(PARM_ADDR6) &&
- sctp->sctp_family == AF_INET6) {
+ connp->conn_family == AF_INET6) {
/* An v4 socket should not take v6 addresses. */
if (remaining >= PARM_ADDR6_LEN) {
in6_addr_t *addr6;
@@ -1567,7 +1460,7 @@ next:
}
bcopy(&curaddr, dlist, sizeof (curaddr));
sctp_get_faddr_list(sctp, alist, asize);
- (*cl_sctp_assoc_change)(sctp->sctp_family, alist, asize,
+ (*cl_sctp_assoc_change)(connp->conn_family, alist, asize,
sctp->sctp_nfaddrs, dlist, dsize, 1, SCTP_CL_PADDR,
(cl_sctp_handle_t)sctp);
/* alist and dlist will be freed by the clustering module */
@@ -1581,7 +1474,7 @@ next:
*/
int
sctp_secure_restart_check(mblk_t *pkt, sctp_chunk_hdr_t *ich, uint32_t ports,
- int sleep, sctp_stack_t *sctps)
+ int sleep, sctp_stack_t *sctps, ip_recv_attr_t *ira)
{
sctp_faddr_t *fp, *fphead = NULL;
sctp_parm_hdr_t *ph;
@@ -1696,7 +1589,7 @@ sctp_secure_restart_check(mblk_t *pkt, sctp_chunk_hdr_t *ich, uint32_t ports,
mutex_enter(&tf->tf_lock);
for (sctp = tf->tf_sctp; sctp; sctp = sctp->sctp_conn_hash_next) {
- if (ports != sctp->sctp_ports) {
+ if (ports != sctp->sctp_connp->conn_ports) {
continue;
}
compres = sctp_compare_faddrsets(fphead, sctp->sctp_faddrs);
@@ -1776,7 +1669,8 @@ done:
/* Send off the abort */
sctp_send_abort(sctp, sctp_init2vtag(ich),
- SCTP_ERR_RESTART_NEW_ADDRS, dtail, dlen, pkt, 0, B_TRUE);
+ SCTP_ERR_RESTART_NEW_ADDRS, dtail, dlen, pkt, 0, B_TRUE,
+ ira);
kmem_free(dtail, PARM_ADDR6_LEN * nadded);
}
@@ -1787,6 +1681,10 @@ cleanup:
sctp_faddr_t *fpn;
for (fp = fphead; fp; fp = fpn) {
fpn = fp->next;
+ if (fp->ixa != NULL) {
+ ixa_refrele(fp->ixa);
+ fp->ixa = NULL;
+ }
kmem_cache_free(sctp_kmem_faddr_cache, fp);
}
}
@@ -1850,6 +1748,8 @@ sctp_init_faddr(sctp_t *sctp, sctp_faddr_t *fp, in6_addr_t *addr,
{
sctp_stack_t *sctps = sctp->sctp_sctps;
+ ASSERT(fp->ixa != NULL);
+
bcopy(addr, &fp->faddr, sizeof (*addr));
if (IN6_IS_ADDR_V4MAPPED(addr)) {
fp->isv4 = 1;
@@ -1857,11 +1757,13 @@ sctp_init_faddr(sctp_t *sctp, sctp_faddr_t *fp, in6_addr_t *addr,
fp->sfa_pmss =
(sctps->sctps_initial_mtu - sctp->sctp_hdr_len) &
~(SCTP_ALIGN - 1);
+ fp->ixa->ixa_flags |= IXAF_IS_IPV4;
} else {
fp->isv4 = 0;
fp->sfa_pmss =
(sctps->sctps_initial_mtu - sctp->sctp_hdr6_len) &
~(SCTP_ALIGN - 1);
+ fp->ixa->ixa_flags &= ~IXAF_IS_IPV4;
}
fp->cwnd = sctps->sctps_slow_start_initial * fp->sfa_pmss;
fp->rto = MIN(sctp->sctp_rto_initial, sctp->sctp_init_rto_max);
@@ -1884,14 +1786,13 @@ sctp_init_faddr(sctp_t *sctp, sctp_faddr_t *fp, in6_addr_t *addr,
fp->df = 1;
fp->pmtu_discovered = 0;
fp->next = NULL;
- fp->ire = NULL;
fp->T3expire = 0;
(void) random_get_pseudo_bytes((uint8_t *)&fp->hb_secret,
sizeof (fp->hb_secret));
fp->hb_expiry = lbolt64;
fp->rxt_unacked = 0;
- sctp_get_ire(sctp, fp);
+ sctp_get_dest(sctp, fp);
}
/*ARGSUSED*/
diff --git a/usr/src/uts/common/inet/sctp/sctp_conn.c b/usr/src/uts/common/inet/sctp/sctp_conn.c
index 60c22a3673..7dc048f919 100644
--- a/usr/src/uts/common/inet/sctp/sctp_conn.c
+++ b/usr/src/uts/common/inet/sctp/sctp_conn.c
@@ -64,38 +64,19 @@ sctp_accept_comm(sctp_t *listener, sctp_t *acceptor, mblk_t *cr_pkt,
uint_t sctp_options;
conn_t *aconnp;
conn_t *lconnp;
- cred_t *credp;
- ts_label_t *tslp;
sctp_stack_t *sctps = listener->sctp_sctps;
sctph = (sctp_hdr_t *)(cr_pkt->b_rptr + ip_hdr_len);
ASSERT(OK_32PTR(sctph));
- acceptor->sctp_lport = listener->sctp_lport;
- acceptor->sctp_fport = sctph->sh_sport;
+ aconnp = acceptor->sctp_connp;
+ lconnp = listener->sctp_connp;
+ aconnp->conn_lport = lconnp->conn_lport;
+ aconnp->conn_fport = sctph->sh_sport;
ich = (sctp_chunk_hdr_t *)(iack + 1);
init = (sctp_init_chunk_t *)(ich + 1);
- /*
- * If this is an MLP connection, packets are to be
- * exchanged using the security label of the received
- * Cookie packet instead of the server application's label.
- * Create an effective cred for the connection by attaching
- * the received packet's security label to the server
- * application's cred.
- */
- aconnp = acceptor->sctp_connp;
- lconnp = listener->sctp_connp;
- ASSERT(aconnp->conn_effective_cred == NULL);
- if (lconnp->conn_mlp_type != mlptSingle &&
- (credp = msg_getcred(cr_pkt, NULL)) != NULL &&
- (tslp = crgetlabel(credp)) != NULL) {
- if ((aconnp->conn_effective_cred = copycred_from_tslabel(
- aconnp->conn_cred, tslp, KM_NOSLEEP)) == NULL)
- return (ENOMEM);
- }
-
/* acceptor isn't in any fanouts yet, so don't need to hold locks */
ASSERT(acceptor->sctp_faddrs == NULL);
err = sctp_get_addrparams(acceptor, listener, cr_pkt, ich,
@@ -106,14 +87,15 @@ sctp_accept_comm(sctp_t *listener, sctp_t *acceptor, mblk_t *cr_pkt,
if ((err = sctp_set_hdraddrs(acceptor)) != 0)
return (err);
+ if ((err = sctp_build_hdrs(acceptor, KM_NOSLEEP)) != 0)
+ return (err);
+
if ((sctp_options & SCTP_PRSCTP_OPTION) &&
listener->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) {
acceptor->sctp_prsctp_aware = B_TRUE;
} else {
acceptor->sctp_prsctp_aware = B_FALSE;
}
- /* The new sctp_t is fully bound now. */
- acceptor->sctp_connp->conn_fully_bound = B_TRUE;
/* Get initial TSNs */
acceptor->sctp_ltsn = ntohl(iack->sic_inittsn);
@@ -142,9 +124,9 @@ sctp_accept_comm(sctp_t *listener, sctp_t *acceptor, mblk_t *cr_pkt,
RUN_SCTP(acceptor);
sctp_conn_hash_insert(&sctps->sctps_conn_fanout[
- SCTP_CONN_HASH(sctps, acceptor->sctp_ports)], acceptor, 0);
+ SCTP_CONN_HASH(sctps, aconnp->conn_ports)], acceptor, 0);
sctp_bind_hash_insert(&sctps->sctps_bind_fanout[
- SCTP_BIND_HASH(ntohs(acceptor->sctp_lport))], acceptor, 0);
+ SCTP_BIND_HASH(ntohs(aconnp->conn_lport))], acceptor, 0);
/*
* No need to check for multicast destination since ip will only pass
@@ -170,10 +152,9 @@ sctp_accept_comm(sctp_t *listener, sctp_t *acceptor, mblk_t *cr_pkt,
/* Process the COOKIE packet, mp, directed at the listener 'sctp' */
sctp_t *
sctp_conn_request(sctp_t *sctp, mblk_t *mp, uint_t ifindex, uint_t ip_hdr_len,
- sctp_init_chunk_t *iack, mblk_t *ipsec_mp)
+ sctp_init_chunk_t *iack, ip_recv_attr_t *ira)
{
sctp_t *eager;
- uint_t ipvers;
ip6_t *ip6h;
int err;
conn_t *connp, *econnp;
@@ -181,6 +162,8 @@ sctp_conn_request(sctp_t *sctp, mblk_t *mp, uint_t ifindex, uint_t ip_hdr_len,
struct sock_proto_props sopp;
cred_t *cr;
pid_t cpid;
+ in6_addr_t faddr, laddr;
+ ip_xmit_attr_t *ixa;
/*
* No need to check for duplicate as this is the listener
@@ -189,89 +172,116 @@ sctp_conn_request(sctp_t *sctp, mblk_t *mp, uint_t ifindex, uint_t ip_hdr_len,
* fanout already done cannot find a match, it means that
* there is no duplicate.
*/
- ipvers = IPH_HDR_VERSION(mp->b_rptr);
- ASSERT(ipvers == IPV6_VERSION || ipvers == IPV4_VERSION);
ASSERT(OK_32PTR(mp->b_rptr));
if ((eager = sctp_create_eager(sctp)) == NULL) {
return (NULL);
}
- if (ipvers != IPV4_VERSION) {
- ip6h = (ip6_t *)mp->b_rptr;
- if (IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src))
- eager->sctp_linklocal = 1;
- /*
- * Record ifindex (might be zero) to tie this connection to
- * that interface if either the listener was bound or
- * if the connection is using link-local addresses.
- */
- if (sctp->sctp_bound_if == ifindex ||
- IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src))
- eager->sctp_bound_if = ifindex;
- /*
- * XXX broken. bound_if is always overwritten by statement
- * below. What is the right thing to do here?
- */
- eager->sctp_bound_if = sctp->sctp_bound_if;
- }
-
connp = sctp->sctp_connp;
sctps = sctp->sctp_sctps;
econnp = eager->sctp_connp;
if (connp->conn_policy != NULL) {
- ipsec_in_t *ii;
-
- ASSERT(ipsec_mp != NULL);
- ii = (ipsec_in_t *)(ipsec_mp->b_rptr);
- ASSERT(ii->ipsec_in_policy == NULL);
- IPPH_REFHOLD(connp->conn_policy);
- ii->ipsec_in_policy = connp->conn_policy;
-
- ipsec_mp->b_datap->db_type = IPSEC_POLICY_SET;
- if (!ip_bind_ipsec_policy_set(econnp, ipsec_mp)) {
+ /* Inherit the policy from the listener; use actions from ira */
+ if (!ip_ipsec_policy_inherit(econnp, connp, ira)) {
sctp_close_eager(eager);
BUMP_MIB(&sctps->sctps_mib, sctpListenDrop);
return (NULL);
}
}
- if (ipsec_mp != NULL) {
+ ip6h = (ip6_t *)mp->b_rptr;
+ if (ira->ira_flags & IXAF_IS_IPV4) {
+ ipha_t *ipha;
+
+ ipha = (ipha_t *)ip6h;
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &laddr);
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &faddr);
+ } else {
+ laddr = ip6h->ip6_dst;
+ faddr = ip6h->ip6_src;
+ }
+
+ if (ira->ira_flags & IRAF_IPSEC_SECURE) {
/*
* XXX need to fix the cached policy issue here.
- * We temporarily set the conn_src/conn_rem here so
+ * We temporarily set the conn_laddr/conn_faddr here so
* that IPsec can use it for the latched policy
* selector. This is obvioursly wrong as SCTP can
* use different addresses...
*/
- if (ipvers == IPV4_VERSION) {
- ipha_t *ipha;
-
- ipha = (ipha_t *)mp->b_rptr;
- econnp->conn_src = ipha->ipha_dst;
- econnp->conn_rem = ipha->ipha_src;
- } else {
- econnp->conn_srcv6 = ip6h->ip6_dst;
- econnp->conn_remv6 = ip6h->ip6_src;
- }
+ econnp->conn_laddr_v6 = laddr;
+ econnp->conn_faddr_v6 = faddr;
+ econnp->conn_saddr_v6 = laddr;
}
- if (ipsec_conn_cache_policy(econnp, ipvers == IPV4_VERSION) != 0) {
+ if (ipsec_conn_cache_policy(econnp,
+ (ira->ira_flags & IRAF_IS_IPV4) != 0) != 0) {
sctp_close_eager(eager);
BUMP_MIB(&sctps->sctps_mib, sctpListenDrop);
return (NULL);
}
/* Save for getpeerucred */
- cr = msg_getcred(mp, &cpid);
+ cr = ira->ira_cred;
+ cpid = ira->ira_cpid;
+
+ if (is_system_labeled()) {
+ ip_xmit_attr_t *ixa = econnp->conn_ixa;
+
+ ASSERT(ira->ira_tsl != NULL);
+
+ /* Discard any old label */
+ if (ixa->ixa_free_flags & IXA_FREE_TSL) {
+ ASSERT(ixa->ixa_tsl != NULL);
+ label_rele(ixa->ixa_tsl);
+ ixa->ixa_free_flags &= ~IXA_FREE_TSL;
+ ixa->ixa_tsl = NULL;
+ }
+
+ if ((connp->conn_mlp_type != mlptSingle ||
+ connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
+ ira->ira_tsl != NULL) {
+ /*
+ * If this is an MLP connection or a MAC-Exempt
+ * connection with an unlabeled node, packets are to be
+ * exchanged using the security label of the received
+ * Cookie packet instead of the server application's
+ * label.
+ * tsol_check_dest called from ip_set_destination
+ * might later update TSF_UNLABELED by replacing
+ * ixa_tsl with a new label.
+ */
+ label_hold(ira->ira_tsl);
+ ip_xmit_attr_replace_tsl(ixa, ira->ira_tsl);
+ } else {
+ ixa->ixa_tsl = crgetlabel(econnp->conn_cred);
+ }
+ }
err = sctp_accept_comm(sctp, eager, mp, ip_hdr_len, iack);
- if (err) {
+ if (err != 0) {
sctp_close_eager(eager);
BUMP_MIB(&sctps->sctps_mib, sctpListenDrop);
return (NULL);
}
+ ASSERT(eager->sctp_current->ixa != NULL);
+
+ ixa = eager->sctp_current->ixa;
+ if (!(ira->ira_flags & IXAF_IS_IPV4)) {
+ ASSERT(!(ixa->ixa_flags & IXAF_IS_IPV4));
+
+ if (IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_src) ||
+ IN6_IS_ADDR_LINKLOCAL(&ip6h->ip6_dst)) {
+ eager->sctp_linklocal = 1;
+
+ ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ ixa->ixa_scopeid = ifindex;
+ econnp->conn_incoming_ifindex = ifindex;
+ }
+ }
+
/*
* On a clustered note send this notification to the clustering
* subsystem.
@@ -299,9 +309,9 @@ sctp_conn_request(sctp_t *sctp, mblk_t *mp, uint_t ifindex, uint_t ip_hdr_len,
/* The clustering module frees these list */
sctp_get_saddr_list(eager, slist, ssize);
sctp_get_faddr_list(eager, flist, fsize);
- (*cl_sctp_connect)(eager->sctp_family, slist,
- eager->sctp_nsaddrs, eager->sctp_lport, flist,
- eager->sctp_nfaddrs, eager->sctp_fport, B_FALSE,
+ (*cl_sctp_connect)(econnp->conn_family, slist,
+ eager->sctp_nsaddrs, econnp->conn_lport, flist,
+ eager->sctp_nfaddrs, econnp->conn_fport, B_FALSE,
(cl_sctp_handle_t)eager);
}
@@ -318,7 +328,7 @@ sctp_conn_request(sctp_t *sctp, mblk_t *mp, uint_t ifindex, uint_t ip_hdr_len,
bzero(&sopp, sizeof (sopp));
sopp.sopp_flags = SOCKOPT_MAXBLK|SOCKOPT_WROFF;
sopp.sopp_maxblk = strmsgsz;
- if (eager->sctp_family == AF_INET) {
+ if (econnp->conn_family == AF_INET) {
sopp.sopp_wroff = sctps->sctps_wroff_xtra +
sizeof (sctp_data_hdr_t) + sctp->sctp_hdr_len;
} else {
@@ -335,7 +345,8 @@ sctp_conn_request(sctp_t *sctp, mblk_t *mp, uint_t ifindex, uint_t ip_hdr_len,
* with an OK ack.
*/
int
-sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
+sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen,
+ cred_t *cr, pid_t pid)
{
sin_t *sin;
sin6_t *sin6;
@@ -346,18 +357,18 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
sctp_t *lsctp;
char buf[INET6_ADDRSTRLEN];
int sleep = sctp->sctp_cansleep ? KM_SLEEP : KM_NOSLEEP;
- int hdrlen;
- ip6_rthdr_t *rth;
int err;
sctp_faddr_t *cur_fp;
sctp_stack_t *sctps = sctp->sctp_sctps;
- struct sock_proto_props sopp;
+ conn_t *connp = sctp->sctp_connp;
+ uint_t scope_id = 0;
+ ip_xmit_attr_t *ixa;
/*
* Determine packet type based on type of address passed in
* the request should contain an IPv4 or IPv6 address.
* Make sure that address family matches the type of
- * family of the the address passed down
+ * family of the address passed down.
*/
if (addrlen < sizeof (sin_t)) {
return (EINVAL);
@@ -372,7 +383,7 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
ip0dbg(("sctp_connect: non-unicast\n"));
return (EINVAL);
}
- if (sctp->sctp_connp->conn_ipv6_v6only)
+ if (connp->conn_ipv6_v6only)
return (EAFNOSUPPORT);
/* convert to v6 mapped */
@@ -397,11 +408,6 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
IN6_INADDR_TO_V4MAPPED(&sin->sin_addr, &dstaddr);
}
dstport = sin->sin_port;
- if (sin->sin_family == AF_INET) {
- hdrlen = sctp->sctp_hdr_len;
- } else {
- hdrlen = sctp->sctp_hdr6_len;
- }
break;
case AF_INET6:
sin6 = (sin6_t *)dst;
@@ -411,7 +417,7 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
ip0dbg(("sctp_connect: non-unicast\n"));
return (EINVAL);
}
- if (sctp->sctp_connp->conn_ipv6_v6only &&
+ if (connp->conn_ipv6_v6only &&
IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
return (EAFNOSUPPORT);
}
@@ -420,11 +426,13 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
dstaddr = ipv6_loopback;
} else {
dstaddr = sin6->sin6_addr;
- if (IN6_IS_ADDR_LINKLOCAL(&dstaddr))
+ if (IN6_IS_ADDR_LINKLOCAL(&dstaddr)) {
sctp->sctp_linklocal = 1;
+ scope_id = sin6->sin6_scope_id;
+ }
}
dstport = sin6->sin6_port;
- hdrlen = sctp->sctp_hdr6_len;
+ connp->conn_flowinfo = sin6->sin6_flowinfo;
break;
default:
dprint(1, ("sctp_connect: unknown family %d\n",
@@ -437,12 +445,29 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
RUN_SCTP(sctp);
- if (sctp->sctp_family != dst->sa_family ||
- (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
+ if (connp->conn_family != dst->sa_family ||
+ (connp->conn_state_flags & CONN_CLOSING)) {
WAKE_SCTP(sctp);
return (EINVAL);
}
+ /* We update our cred/cpid based on the caller of connect */
+ if (connp->conn_cred != cr) {
+ crhold(cr);
+ crfree(connp->conn_cred);
+ connp->conn_cred = cr;
+ }
+ connp->conn_cpid = pid;
+
+ /* Cache things in conn_ixa without any refhold */
+ ixa = connp->conn_ixa;
+ ixa->ixa_cred = cr;
+ ixa->ixa_cpid = pid;
+ if (is_system_labeled()) {
+ /* We need to restart with a label based on the cred */
+ ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
+ }
+
switch (sctp->sctp_state) {
case SCTPS_IDLE: {
struct sockaddr_storage ss;
@@ -459,7 +484,7 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
ASSERT(sctp->sctp_nsaddrs == 0);
bzero(&ss, sizeof (ss));
- ss.ss_family = sctp->sctp_family;
+ ss.ss_family = connp->conn_family;
WAKE_SCTP(sctp);
if ((err = sctp_bind(sctp, (struct sockaddr *)&ss,
sizeof (ss))) != 0) {
@@ -474,7 +499,7 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
/* do the connect */
/* XXX check for attempt to connect to self */
- sctp->sctp_fport = dstport;
+ connp->conn_fport = dstport;
ASSERT(sctp->sctp_iphc);
ASSERT(sctp->sctp_iphc6);
@@ -487,9 +512,9 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
*/
sctp_conn_hash_remove(sctp);
tbf = &sctps->sctps_conn_fanout[SCTP_CONN_HASH(sctps,
- sctp->sctp_ports)];
+ connp->conn_ports)];
mutex_enter(&tbf->tf_lock);
- lsctp = sctp_lookup(sctp, &dstaddr, tbf, &sctp->sctp_ports,
+ lsctp = sctp_lookup(sctp, &dstaddr, tbf, &connp->conn_ports,
SCTPS_COOKIE_WAIT);
if (lsctp != NULL) {
/* found a duplicate connection */
@@ -498,6 +523,7 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
WAKE_SCTP(sctp);
return (EADDRINUSE);
}
+
/*
* OK; set up the peer addr (this may grow after we get
* the INIT ACK from the peer with additional addresses).
@@ -509,6 +535,7 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
return (err);
}
cur_fp = sctp->sctp_faddrs;
+ ASSERT(cur_fp->ixa != NULL);
/* No valid src addr, return. */
if (cur_fp->state == SCTP_FADDRS_UNREACH) {
@@ -523,6 +550,16 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
sctp_conn_hash_insert(tbf, sctp, 1);
mutex_exit(&tbf->tf_lock);
+ ixa = cur_fp->ixa;
+ ASSERT(ixa->ixa_cred != NULL);
+
+ if (scope_id != 0) {
+ ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ ixa->ixa_scopeid = scope_id;
+ } else {
+ ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
+ }
+
/* initialize composite headers */
if ((err = sctp_set_hdraddrs(sctp)) != 0) {
sctp_conn_hash_remove(sctp);
@@ -530,15 +567,10 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
return (err);
}
- /*
- * Massage a routing header (if present) putting the first hop
- * in ip6_dst.
- */
- rth = ip_find_rthdr_v6(sctp->sctp_ip6h,
- (uint8_t *)sctp->sctp_sctph6);
- if (rth != NULL) {
- (void) ip_massage_options_v6(sctp->sctp_ip6h, rth,
- sctps->sctps_netstack);
+ if ((err = sctp_build_hdrs(sctp, KM_SLEEP)) != 0) {
+ sctp_conn_hash_remove(sctp);
+ WAKE_SCTP(sctp);
+ return (err);
}
/*
@@ -556,9 +588,6 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
/* Mark this address as alive */
cur_fp->state = SCTP_FADDRS_ALIVE;
- /* This sctp_t is fully bound now. */
- sctp->sctp_connp->conn_fully_bound = B_TRUE;
-
/* Send the INIT to the peer */
SCTP_FADDR_TIMER_RESTART(sctp, cur_fp, cur_fp->rto);
sctp->sctp_state = SCTPS_COOKIE_WAIT;
@@ -567,7 +596,7 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
* address list, so take the hash lock.
*/
mutex_enter(&tbf->tf_lock);
- initmp = sctp_init_mp(sctp);
+ initmp = sctp_init_mp(sctp, cur_fp);
if (initmp == NULL) {
mutex_exit(&tbf->tf_lock);
/*
@@ -605,24 +634,20 @@ sctp_connect(sctp_t *sctp, const struct sockaddr *dst, uint32_t addrlen)
/* The clustering module frees the lists */
sctp_get_saddr_list(sctp, slist, ssize);
sctp_get_faddr_list(sctp, flist, fsize);
- (*cl_sctp_connect)(sctp->sctp_family, slist,
- sctp->sctp_nsaddrs, sctp->sctp_lport,
- flist, sctp->sctp_nfaddrs, sctp->sctp_fport,
+ (*cl_sctp_connect)(connp->conn_family, slist,
+ sctp->sctp_nsaddrs, connp->conn_lport,
+ flist, sctp->sctp_nfaddrs, connp->conn_fport,
B_TRUE, (cl_sctp_handle_t)sctp);
}
- WAKE_SCTP(sctp);
- /* OK to call IP_PUT() here instead of sctp_add_sendq(). */
- CONN_INC_REF(sctp->sctp_connp);
- initmp->b_flag |= MSGHASREF;
- IP_PUT(initmp, sctp->sctp_connp, sctp->sctp_current->isv4);
+ ASSERT(ixa->ixa_cred != NULL);
+ ASSERT(ixa->ixa_ire != NULL);
+
+ (void) conn_ip_output(initmp, ixa);
BUMP_LOCAL(sctp->sctp_opkts);
+ WAKE_SCTP(sctp);
notify_ulp:
- bzero(&sopp, sizeof (sopp));
- sopp.sopp_flags = SOCKOPT_WROFF;
- sopp.sopp_wroff = sctps->sctps_wroff_xtra + hdrlen +
- sizeof (sctp_data_hdr_t);
- sctp->sctp_ulp_prop(sctp->sctp_ulpd, &sopp);
+ sctp_set_ulp_prop(sctp);
return (0);
default:
diff --git a/usr/src/uts/common/inet/sctp/sctp_cookie.c b/usr/src/uts/common/inet/sctp/sctp_cookie.c
index 601938c928..4baf0a7147 100644
--- a/usr/src/uts/common/inet/sctp/sctp_cookie.c
+++ b/usr/src/uts/common/inet/sctp/sctp_cookie.c
@@ -40,6 +40,7 @@
#include <inet/common.h>
#include <inet/ip.h>
#include <inet/ip6.h>
+#include <inet/ipsec_impl.h>
#include <inet/sctp_ip.h>
#include <inet/ipclassifier.h>
#include "sctp_impl.h"
@@ -156,7 +157,7 @@ hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len,
static int
validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch,
sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie,
- mblk_t **errmp, int *supp_af, uint_t *sctp_options)
+ mblk_t **errmp, int *supp_af, uint_t *sctp_options, ip_recv_attr_t *ira)
{
sctp_parm_hdr_t *cph;
sctp_init_chunk_t *ic;
@@ -168,6 +169,7 @@ validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch,
boolean_t got_errchunk = B_FALSE;
uint16_t ptype;
sctp_mpc_t mpc;
+ conn_t *connp = sctp->sctp_connp;
ASSERT(errmp != NULL);
@@ -336,8 +338,8 @@ done:
* is NULL.
*/
if (want_cookie == NULL &&
- ((sctp->sctp_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) ||
- (sctp->sctp_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) &&
+ ((connp->conn_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) ||
+ (connp->conn_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) &&
sctp->sctp_connp->conn_ipv6_v6only))) {
dprint(1, ("sctp:validate_init_params: supp addr\n"));
serror = SCTP_ERR_BAD_ADDR;
@@ -353,7 +355,7 @@ cookie_abort:
dprint(1, ("validate_init_params: cookie absent\n"));
sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM,
- (char *)&mpc, sizeof (sctp_mpc_t), inmp, 0, B_FALSE);
+ (char *)&mpc, sizeof (sctp_mpc_t), inmp, 0, B_FALSE, ira);
return (0);
}
@@ -365,7 +367,7 @@ abort:
return (0);
sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details,
- errlen, inmp, 0, B_FALSE);
+ errlen, inmp, 0, B_FALSE, ira);
return (0);
}
@@ -453,14 +455,17 @@ cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr)
sizeof (sctp_parm_hdr_t) + /* param header */ \
16 /* MD5 hash */
+/*
+ * Note that sctp is the listener, hence we shouldn't modify it.
+ */
void
sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
- mblk_t *initmp)
+ mblk_t *initmp, ip_recv_attr_t *ira)
{
ipha_t *initiph;
ip6_t *initip6h;
- ipha_t *iackiph;
- ip6_t *iackip6h;
+ ipha_t *iackiph = NULL;
+ ip6_t *iackip6h = NULL;
sctp_chunk_hdr_t *iack_ch;
sctp_init_chunk_t *iack;
sctp_init_chunk_t *init;
@@ -485,10 +490,10 @@ sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
mblk_t *errmp = NULL;
boolean_t initcollision = B_FALSE;
boolean_t linklocal = B_FALSE;
- cred_t *cr;
- pid_t pid;
- ts_label_t *initlabel;
sctp_stack_t *sctps = sctp->sctp_sctps;
+ conn_t *connp = sctp->sctp_connp;
+ int err;
+ ip_xmit_attr_t *ixa = NULL;
BUMP_LOCAL(sctp->sctp_ibchunks);
isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION);
@@ -501,21 +506,24 @@ sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
} else {
initip6h = (ip6_t *)initmp->b_rptr;
ipsctplen = sctp->sctp_ip_hdr6_len;
- if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src))
+ if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src) ||
+ IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_dst))
linklocal = B_TRUE;
supp_af |= PARM_SUPP_V6;
+ if (!sctp->sctp_connp->conn_ipv6_v6only)
+ supp_af |= PARM_SUPP_V4;
}
ASSERT(OK_32PTR(initsh));
init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch));
/* Make sure we like the peer's parameters */
if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp,
- &supp_af, &sctp_options) == 0) {
+ &supp_af, &sctp_options, ira) == 0) {
return;
}
if (errmp != NULL)
errlen = msgdsize(errmp);
- if (sctp->sctp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
/*
* Irregardless of the supported address in the INIT, v4
* must be supported.
@@ -580,43 +588,65 @@ sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
}
/*
- * If the listen socket is bound to a trusted extensions
- * multi-label port, attach a copy of the listener's cred
- * to the new INITACK mblk. Modify the cred to contain
+ * Base the transmission on any routing-related socket options
+ * that have been set on the listener.
+ */
+ ixa = conn_get_ixa_exclusive(connp);
+ if (ixa == NULL) {
+ sctp_send_abort(sctp, sctp_init2vtag(ch),
+ SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
+ return;
+ }
+ ixa->ixa_flags &= ~IXAF_VERIFY_PMTU;
+
+ if (isv4)
+ ixa->ixa_flags |= IXAF_IS_IPV4;
+ else
+ ixa->ixa_flags &= ~IXAF_IS_IPV4;
+
+ /*
+ * If the listen socket is bound to a trusted extensions multi-label
+ * port, a MAC-Exempt connection with an unlabeled node, we use the
* the security label of the received INIT packet.
* If not a multi-label port, attach the unmodified
- * listener's cred directly.
+ * listener's label directly.
*
* We expect Sun developed kernel modules to properly set
* cred labels for sctp connections. We can't be so sure this
* will be done correctly when 3rd party kernel modules
- * directly use sctp. The initlabel panic guard logic was
- * added to cover this possibility.
+ * directly use sctp. We check for a NULL ira_tsl to cover this
+ * possibility.
*/
- if (sctp->sctp_connp->conn_mlp_type != mlptSingle) {
- cr = msg_getcred(initmp, &pid);
- if (cr == NULL || (initlabel = crgetlabel(cr)) == NULL) {
- sctp_send_abort(sctp, sctp_init2vtag(ch),
- SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0, B_FALSE);
- return;
+ if (is_system_labeled()) {
+ /* Discard any old label */
+ if (ixa->ixa_free_flags & IXA_FREE_TSL) {
+ ASSERT(ixa->ixa_tsl != NULL);
+ label_rele(ixa->ixa_tsl);
+ ixa->ixa_free_flags &= ~IXA_FREE_TSL;
+ ixa->ixa_tsl = NULL;
}
- cr = copycred_from_bslabel(CONN_CRED(sctp->sctp_connp),
- &initlabel->tsl_label, initlabel->tsl_doi, KM_NOSLEEP);
- if (cr == NULL) {
- sctp_send_abort(sctp, sctp_init2vtag(ch),
- SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE);
- return;
+
+ if (connp->conn_mlp_type != mlptSingle ||
+ connp->conn_mac_mode != CONN_MAC_DEFAULT) {
+ if (ira->ira_tsl == NULL) {
+ sctp_send_abort(sctp, sctp_init2vtag(ch),
+ SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0,
+ B_FALSE, ira);
+ ixa_refrele(ixa);
+ return;
+ }
+ label_hold(ira->ira_tsl);
+ ip_xmit_attr_replace_tsl(ixa, ira->ira_tsl);
+ } else {
+ ixa->ixa_tsl = crgetlabel(connp->conn_cred);
}
- iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra,
- cr, pid);
- crfree(cr);
- } else {
- iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra,
- CONN_CRED(sctp->sctp_connp), sctp->sctp_cpid);
}
+
+ iackmp = allocb(ipsctplen + sctps->sctps_wroff_xtra, BPRI_MED);
if (iackmp == NULL) {
sctp_send_abort(sctp, sctp_init2vtag(ch),
- SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE);
+ SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE, ira);
+ ixa_refrele(ixa);
return;
}
@@ -632,6 +662,7 @@ sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
iackiph->ipha_src = initiph->ipha_dst;
iackiph->ipha_length = htons(ipsctplen + errlen);
iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len);
+ ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr_len;
} else {
bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len);
iackip6h = (ip6_t *)p;
@@ -639,10 +670,12 @@ sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
/* Copy the peer's IP addr */
iackip6h->ip6_dst = initip6h->ip6_src;
iackip6h->ip6_src = initip6h->ip6_dst;
- iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) +
- errlen);
+ iackip6h->ip6_plen = htons(ipsctplen + errlen - IPV6_HDR_LEN);
iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len);
+ ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr6_len;
}
+ ixa->ixa_pktlen = ipsctplen + errlen;
+
ASSERT(OK_32PTR(iacksh));
/* Fill in the holes in the SCTP common header */
@@ -776,41 +809,58 @@ sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch,
iackmp->b_cont = errmp; /* OK if NULL */
- if (is_system_labeled() && (cr = msg_getcred(iackmp, &pid)) != NULL &&
- crgetlabel(cr) != NULL) {
- conn_t *connp = sctp->sctp_connp;
- int err;
-
- if (isv4)
- err = tsol_check_label(cr, &iackmp,
- connp->conn_mac_mode,
- sctps->sctps_netstack->netstack_ip, pid);
- else
- err = tsol_check_label_v6(cr, &iackmp,
- connp->conn_mac_mode,
- sctps->sctps_netstack->netstack_ip, pid);
+ if (is_system_labeled()) {
+ ts_label_t *effective_tsl = NULL;
+
+ ASSERT(ira->ira_tsl != NULL);
+
+ /* Discard any old label */
+ if (ixa->ixa_free_flags & IXA_FREE_TSL) {
+ ASSERT(ixa->ixa_tsl != NULL);
+ label_rele(ixa->ixa_tsl);
+ ixa->ixa_free_flags &= ~IXA_FREE_TSL;
+ }
+ ixa->ixa_tsl = ira->ira_tsl; /* A multi-level responder */
+
+ /*
+ * We need to check for label-related failures which implies
+ * an extra call to tsol_check_dest (as ip_output_simple
+ * also does a tsol_check_dest as part of computing the
+ * label for the packet, but ip_output_simple doesn't return
+ * a specific errno for that case so we can't rely on its
+ * check.)
+ */
+ if (isv4) {
+ err = tsol_check_dest(ixa->ixa_tsl, &iackiph->ipha_dst,
+ IPV4_VERSION, connp->conn_mac_mode,
+ connp->conn_zone_is_global, &effective_tsl);
+ } else {
+ err = tsol_check_dest(ixa->ixa_tsl, &iackip6h->ip6_dst,
+ IPV6_VERSION, connp->conn_mac_mode,
+ connp->conn_zone_is_global, &effective_tsl);
+ }
if (err != 0) {
sctp_send_abort(sctp, sctp_init2vtag(ch),
- SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE);
+ SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE,
+ ira);
+ ixa_refrele(ixa);
freemsg(iackmp);
return;
}
+ if (effective_tsl != NULL) {
+ /*
+ * Since ip_output_simple will redo the
+ * tsol_check_dest, we just drop the ref.
+ */
+ label_rele(effective_tsl);
+ }
}
- /*
- * Stash the conn ptr info. for IP only as e don't have any
- * cached IRE.
- */
- SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL);
-
- /* XXX sctp == sctp_g_q, so using its obchunks is valid */
BUMP_LOCAL(sctp->sctp_opkts);
BUMP_LOCAL(sctp->sctp_obchunks);
- /* OK to call IP_PUT() here instead of sctp_add_sendq(). */
- CONN_INC_REF(sctp->sctp_connp);
- iackmp->b_flag |= MSGHASREF;
- IP_PUT(iackmp, sctp->sctp_connp, isv4);
+ (void) ip_output_simple(iackmp, ixa);
+ ixa_refrele(ixa);
}
void
@@ -820,7 +870,7 @@ sctp_send_cookie_ack(sctp_t *sctp)
mblk_t *camp;
sctp_stack_t *sctps = sctp->sctp_sctps;
- camp = sctp_make_mp(sctp, NULL, sizeof (*cach));
+ camp = sctp_make_mp(sctp, sctp->sctp_current, sizeof (*cach));
if (camp == NULL) {
/* XXX should abort, but don't have the inmp anymore */
SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed);
@@ -833,11 +883,11 @@ sctp_send_cookie_ack(sctp_t *sctp)
cach->sch_flags = 0;
cach->sch_len = htons(sizeof (*cach));
- sctp_set_iplen(sctp, camp);
-
BUMP_LOCAL(sctp->sctp_obchunks);
- sctp_add_sendq(sctp, camp);
+ sctp_set_iplen(sctp, camp, sctp->sctp_current->ixa);
+ (void) conn_ip_output(camp, sctp->sctp_current->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
}
static int
@@ -859,7 +909,8 @@ sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code)
}
void
-sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp)
+sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp,
+ ip_recv_attr_t *ira)
{
mblk_t *cemp;
mblk_t *mp = NULL;
@@ -886,7 +937,7 @@ sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp)
cph = NULL;
if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp,
- &pad, &sctp_options) == 0) { /* result in 'pad' ignored */
+ &pad, &sctp_options, ira) == 0) { /* result in 'pad' ignored */
BUMP_MIB(&sctps->sctps_mib, sctpAborted);
sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL);
sctp_clean_death(sctp, ECONNABORTED);
@@ -906,8 +957,8 @@ sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp)
else
hdrlen = sctp->sctp_hdr6_len;
- cemp = allocb_cred(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad,
- CONN_CRED(sctp->sctp_connp), sctp->sctp_cpid);
+ cemp = allocb(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad,
+ BPRI_MED);
if (cemp == NULL) {
SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
sctp->sctp_current->rto);
@@ -932,11 +983,13 @@ sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp)
* in sctp_connect().
*/
sctp->sctp_current->df = B_TRUE;
+ sctp->sctp_ipha->ipha_fragment_offset_and_flags |= IPH_DF_HTONS;
+
/*
* Since IP uses this info during the fanout process, we need to hold
* the lock for this hash line while performing this operation.
*/
- /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, sctp->sctp_ports); */
+ /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, connp->conn_ports); */
ASSERT(sctp->sctp_conn_tfp != NULL);
tf = sctp->sctp_conn_tfp;
/* sctp isn't a listener so only need to hold conn fanout lock */
@@ -1139,14 +1192,15 @@ sendcookie:
sctp->sctp_state = SCTPS_COOKIE_ECHOED;
SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
- sctp_set_iplen(sctp, head);
- sctp_add_sendq(sctp, head);
+ sctp_set_iplen(sctp, head, fp->ixa);
+ (void) conn_ip_output(head, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
}
int
sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaptation,
- in6_addr_t *peer_addr)
+ in6_addr_t *peer_addr, ip_recv_attr_t *ira)
{
int32_t clen;
size_t initplen;
@@ -1163,6 +1217,7 @@ sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
uint32_t *fttag;
uint32_t ports;
sctp_stack_t *sctps = sctp->sctp_sctps;
+ conn_t *connp = sctp->sctp_connp;
BUMP_LOCAL(sctp->sctp_ibchunks);
/* Verify the ICV */
@@ -1232,7 +1287,8 @@ sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
staleness = TICK_TO_USEC(diff);
staleness = htonl(staleness);
sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE,
- (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE);
+ (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE,
+ ira);
dprint(1, ("stale cookie %d\n", staleness));
@@ -1242,7 +1298,7 @@ sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
/* Check for attack by adding addresses to a restart */
bcopy(insctph, &ports, sizeof (ports));
if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP,
- sctps) != 1) {
+ sctps, ira) != 1) {
return (-1);
}
@@ -1263,7 +1319,7 @@ sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n",
SCTP_PRINTADDR(sctp->sctp_current->faddr),
- (int)(sctp->sctp_fport)));
+ (int)(connp->conn_fport)));
return (-1);
}
@@ -1292,7 +1348,7 @@ sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n",
SCTP_PRINTADDR(sctp->sctp_current->faddr),
- (int)(sctp->sctp_fport)));
+ (int)(connp->conn_fport)));
/* reset parameters */
sctp_congest_reset(sctp);
@@ -1320,7 +1376,7 @@ sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
dprint(1, ("init collision with %x:%x:%x:%x (%d)\n",
SCTP_PRINTADDR(sctp->sctp_current->faddr),
- (int)(sctp->sctp_fport)));
+ (int)(connp->conn_fport)));
return (0);
} else if (iack->sic_inittag != sctp->sctp_lvtag &&
@@ -1330,7 +1386,7 @@ sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
/* Section 5.2.4 case C: late COOKIE */
dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n",
SCTP_PRINTADDR(sctp->sctp_current->faddr),
- (int)(sctp->sctp_fport)));
+ (int)(connp->conn_fport)));
return (-1);
} else if (init->sic_inittag == sctp->sctp_fvtag &&
iack->sic_inittag == sctp->sctp_lvtag) {
@@ -1341,7 +1397,7 @@ sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp,
*/
dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n",
SCTP_PRINTADDR(sctp->sctp_current->faddr),
- (int)(sctp->sctp_fport)));
+ (int)(connp->conn_fport)));
if (sctp->sctp_state < SCTPS_ESTABLISHED) {
if (!sctp_initialize_params(sctp, init, iack))
return (-1); /* Drop? */
@@ -1412,13 +1468,17 @@ sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich,
/*
* params have been put in host byteorder by
* sctp_check_input()
+ *
+ * For labeled systems, there's no need to check the
+ * label here. It's known to be good as we checked
+ * before allowing the connection to become bound.
*/
if (ph->sph_type == PARM_ADDR4) {
IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1),
&src);
sctp = sctp_conn_match(&src, &dst, ports, zoneid,
- sctps);
+ 0, sctps);
dprint(1,
("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
@@ -1431,7 +1491,7 @@ sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich,
} else if (ph->sph_type == PARM_ADDR6) {
src = *(in6_addr_t *)(ph + 1);
sctp = sctp_conn_match(&src, &dst, ports, zoneid,
- sctps);
+ 0, sctps);
dprint(1,
("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n",
diff --git a/usr/src/uts/common/inet/sctp/sctp_error.c b/usr/src/uts/common/inet/sctp/sctp_error.c
index 02d18cf78c..293ff5bd6e 100644
--- a/usr/src/uts/common/inet/sctp/sctp_error.c
+++ b/usr/src/uts/common/inet/sctp/sctp_error.c
@@ -35,9 +35,11 @@
#include <netinet/in.h>
#include <netinet/ip6.h>
+#include <inet/ipsec_impl.h>
#include <inet/common.h>
#include <inet/ip.h>
#include <inet/ip6.h>
+#include <inet/ipsec_impl.h>
#include <inet/mib2.h>
#include <inet/sctp_ip.h>
#include <inet/ipclassifier.h>
@@ -99,6 +101,7 @@ sctp_user_abort(sctp_t *sctp, mblk_t *data)
int len, hdrlen;
char *cause;
sctp_faddr_t *fp = sctp->sctp_current;
+ ip_xmit_attr_t *ixa = fp->ixa;
sctp_stack_t *sctps = sctp->sctp_sctps;
/*
@@ -147,14 +150,15 @@ sctp_user_abort(sctp_t *sctp, mblk_t *data)
freemsg(mp);
return;
}
- sctp_set_iplen(sctp, mp);
BUMP_MIB(&sctps->sctps_mib, sctpAborted);
BUMP_LOCAL(sctp->sctp_opkts);
BUMP_LOCAL(sctp->sctp_obchunks);
- CONN_INC_REF(sctp->sctp_connp);
- mp->b_flag |= MSGHASREF;
- IP_PUT(mp, sctp->sctp_connp, fp->isv4);
+ sctp_set_iplen(sctp, mp, ixa);
+ ASSERT(ixa->ixa_ire != NULL);
+ ASSERT(ixa->ixa_cred != NULL);
+
+ (void) conn_ip_output(mp, ixa);
sctp_assoc_event(sctp, SCTP_COMM_LOST, 0, NULL);
sctp_clean_death(sctp, ECONNABORTED);
@@ -165,29 +169,24 @@ sctp_user_abort(sctp_t *sctp, mblk_t *data)
*/
void
sctp_send_abort(sctp_t *sctp, uint32_t vtag, uint16_t serror, char *details,
- size_t len, mblk_t *inmp, int iserror, boolean_t tbit)
+ size_t len, mblk_t *inmp, int iserror, boolean_t tbit, ip_recv_attr_t *ira)
{
mblk_t *hmp;
uint32_t ip_hdr_len;
ipha_t *iniph;
- ipha_t *ahiph;
+ ipha_t *ahiph = NULL;
ip6_t *inip6h;
- ip6_t *ahip6h;
+ ip6_t *ahip6h = NULL;
sctp_hdr_t *sh;
sctp_hdr_t *insh;
size_t ahlen;
uchar_t *p;
ssize_t alen;
int isv4;
- ire_t *ire;
- irb_t *irb;
- ts_label_t *tsl;
- conn_t *connp;
- cred_t *cr = NULL;
- pid_t pid;
+ conn_t *connp = sctp->sctp_connp;
sctp_stack_t *sctps = sctp->sctp_sctps;
- ip_stack_t *ipst;
+ ip_xmit_attr_t *ixa;
isv4 = (IPH_HDR_VERSION(inmp->b_rptr) == IPV4_VERSION);
if (isv4) {
@@ -200,11 +199,10 @@ sctp_send_abort(sctp_t *sctp, uint32_t vtag, uint16_t serror, char *details,
* If this is a labeled system, then check to see if we're allowed to
* send a response to this particular sender. If not, then just drop.
*/
- if (is_system_labeled() && !tsol_can_reply_error(inmp))
+ if (is_system_labeled() && !tsol_can_reply_error(inmp, ira))
return;
- hmp = allocb_cred(sctps->sctps_wroff_xtra + ahlen,
- CONN_CRED(sctp->sctp_connp), sctp->sctp_cpid);
+ hmp = allocb(sctps->sctps_wroff_xtra + ahlen, BPRI_MED);
if (hmp == NULL) {
/* XXX no resources */
return;
@@ -262,75 +260,209 @@ sctp_send_abort(sctp_t *sctp, uint32_t vtag, uint16_t serror, char *details,
return;
}
+ /*
+ * Base the transmission on any routing-related socket options
+ * that have been set on the listener/connection.
+ */
+ ixa = conn_get_ixa_exclusive(connp);
+ if (ixa == NULL) {
+ freemsg(hmp);
+ return;
+ }
+ ixa->ixa_flags &= ~IXAF_VERIFY_PMTU;
+
+ ixa->ixa_pktlen = ahlen + alen;
if (isv4) {
- ahiph->ipha_length = htons(ahlen + alen);
+ ixa->ixa_flags |= IXAF_IS_IPV4;
+ ahiph->ipha_length = htons(ixa->ixa_pktlen);
+ ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr_len;
} else {
- ahip6h->ip6_plen = htons(alen + sizeof (*sh));
+ ixa->ixa_flags &= ~IXAF_IS_IPV4;
+ ahip6h->ip6_plen = htons(ixa->ixa_pktlen - IPV6_HDR_LEN);
+ ixa->ixa_ip_hdr_length = sctp->sctp_ip_hdr6_len;
}
BUMP_MIB(&sctps->sctps_mib, sctpAborted);
BUMP_LOCAL(sctp->sctp_obchunks);
- ipst = sctps->sctps_netstack->netstack_ip;
- connp = sctp->sctp_connp;
- if (is_system_labeled() && (cr = msg_getcred(inmp, &pid)) != NULL &&
- crgetlabel(cr) != NULL) {
- int err;
- uint_t mode = connp->conn_mac_mode;
+ if (is_system_labeled() && ixa->ixa_tsl != NULL) {
+ ASSERT(ira->ira_tsl != NULL);
- if (isv4)
- err = tsol_check_label(cr, &hmp, mode, ipst, pid);
- else
- err = tsol_check_label_v6(cr, &hmp, mode, ipst, pid);
- if (err != 0) {
- freemsg(hmp);
- return;
- }
+ ixa->ixa_tsl = ira->ira_tsl; /* A multi-level responder */
}
- /* Stash the conn ptr info. for IP */
- SCTP_STASH_IPINFO(hmp, NULL);
+ if (ira->ira_flags & IRAF_IPSEC_SECURE) {
+ /*
+ * Apply IPsec based on how IPsec was applied to
+ * the packet that caused the abort.
+ */
+ if (!ipsec_in_to_out(ira, ixa, hmp, ahiph, ahip6h)) {
+ ip_stack_t *ipst = sctps->sctps_netstack->netstack_ip;
- CONN_INC_REF(connp);
- hmp->b_flag |= MSGHASREF;
- IP_PUT(hmp, connp, sctp->sctp_current == NULL ? B_TRUE :
- sctp->sctp_current->isv4);
- /*
- * Let's just mark the IRE for this destination as temporary
- * to prevent any DoS attack.
- */
- tsl = cr == NULL ? NULL : crgetlabel(cr);
- if (isv4) {
- ire = ire_cache_lookup(iniph->ipha_src, sctp->sctp_zoneid, tsl,
- ipst);
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ /* Note: mp already consumed and ip_drop_packet done */
+ ixa_refrele(ixa);
+ return;
+ }
} else {
- ire = ire_cache_lookup_v6(&inip6h->ip6_src, sctp->sctp_zoneid,
- tsl, ipst);
+ ixa->ixa_flags |= IXAF_NO_IPSEC;
}
+
+ BUMP_LOCAL(sctp->sctp_opkts);
+ BUMP_LOCAL(sctp->sctp_obchunks);
+
+ (void) ip_output_simple(hmp, ixa);
+ ixa_refrele(ixa);
+}
+
+/*
+ * OOTB version of the above.
+ * If iserror == 0, sends an abort. If iserror != 0, sends an error.
+ */
+void
+sctp_ootb_send_abort(uint32_t vtag, uint16_t serror, char *details,
+ size_t len, const mblk_t *inmp, int iserror, boolean_t tbit,
+ ip_recv_attr_t *ira, ip_stack_t *ipst)
+{
+ uint32_t ip_hdr_len;
+ size_t ahlen;
+ ipha_t *ipha = NULL;
+ ip6_t *ip6h = NULL;
+ sctp_hdr_t *insctph;
+ int i;
+ uint16_t port;
+ ssize_t alen;
+ int isv4;
+ mblk_t *mp;
+ netstack_t *ns = ipst->ips_netstack;
+ sctp_stack_t *sctps = ns->netstack_sctp;
+ ip_xmit_attr_t ixas;
+
+ bzero(&ixas, sizeof (ixas));
+
+ isv4 = (IPH_HDR_VERSION(inmp->b_rptr) == IPV4_VERSION);
+ ip_hdr_len = ira->ira_ip_hdr_length;
+ ahlen = ip_hdr_len + sizeof (sctp_hdr_t);
+
/*
- * In the normal case the ire would be non-null, however it could be
- * null, say, if IP needs to resolve the gateway for this address. We
- * only care about IRE_CACHE.
+ * If this is a labeled system, then check to see if we're allowed to
+ * send a response to this particular sender. If not, then just drop.
*/
- if (ire == NULL)
+ if (is_system_labeled() && !tsol_can_reply_error(inmp, ira))
return;
- if (ire->ire_type != IRE_CACHE) {
- ire_refrele(ire);
+
+ mp = allocb(ahlen + sctps->sctps_wroff_xtra, BPRI_MED);
+ if (mp == NULL) {
return;
}
- irb = ire->ire_bucket;
- /* ire_lock is not needed, as ire_marks is protected by irb_lock */
- rw_enter(&irb->irb_lock, RW_WRITER);
+ mp->b_rptr += sctps->sctps_wroff_xtra;
+ mp->b_wptr = mp->b_rptr + ahlen;
+ bcopy(inmp->b_rptr, mp->b_rptr, ahlen);
+
/*
- * Only increment the temporary IRE count if the original
- * IRE is not already marked temporary.
+ * We follow the logic in tcp_xmit_early_reset() in that we skip
+ * reversing source route (i.e. replace all IP options with EOL).
*/
- if (!(ire->ire_marks & IRE_MARK_TEMPORARY)) {
- irb->irb_tmp_ire_cnt++;
- ire->ire_marks |= IRE_MARK_TEMPORARY;
+ if (isv4) {
+ ipaddr_t v4addr;
+
+ ipha = (ipha_t *)mp->b_rptr;
+ for (i = IP_SIMPLE_HDR_LENGTH; i < (int)ip_hdr_len; i++)
+ mp->b_rptr[i] = IPOPT_EOL;
+ /* Swap addresses */
+ ipha->ipha_length = htons(ahlen);
+ v4addr = ipha->ipha_src;
+ ipha->ipha_src = ipha->ipha_dst;
+ ipha->ipha_dst = v4addr;
+ ipha->ipha_ident = 0;
+ ipha->ipha_ttl = (uchar_t)sctps->sctps_ipv4_ttl;
+
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
+ } else {
+ in6_addr_t v6addr;
+
+ ip6h = (ip6_t *)mp->b_rptr;
+ /* Remove any extension headers assuming partial overlay */
+ if (ip_hdr_len > IPV6_HDR_LEN) {
+ uint8_t *to;
+
+ to = mp->b_rptr + ip_hdr_len - IPV6_HDR_LEN;
+ ovbcopy(ip6h, to, IPV6_HDR_LEN);
+ mp->b_rptr += ip_hdr_len - IPV6_HDR_LEN;
+ ip_hdr_len = IPV6_HDR_LEN;
+ ip6h = (ip6_t *)mp->b_rptr;
+ ip6h->ip6_nxt = IPPROTO_SCTP;
+ ahlen = ip_hdr_len + sizeof (sctp_hdr_t);
+ }
+ ip6h->ip6_plen = htons(ahlen - IPV6_HDR_LEN);
+ v6addr = ip6h->ip6_src;
+ ip6h->ip6_src = ip6h->ip6_dst;
+ ip6h->ip6_dst = v6addr;
+ ip6h->ip6_hops = (uchar_t)sctps->sctps_ipv6_hoplimit;
+
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V6;
+ if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_dst)) {
+ ixas.ixa_flags |= IXAF_SCOPEID_SET;
+ ixas.ixa_scopeid = ira->ira_ruifindex;
+ }
+ }
+ insctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_len);
+
+ /* Swap ports. Verification tag is reused. */
+ port = insctph->sh_sport;
+ insctph->sh_sport = insctph->sh_dport;
+ insctph->sh_dport = port;
+ insctph->sh_verf = vtag;
+
+ /* Link in the abort chunk */
+ if ((alen = sctp_link_abort(mp, serror, details, len, iserror, tbit))
+ < 0) {
+ freemsg(mp);
+ return;
+ }
+
+ ixas.ixa_pktlen = ahlen + alen;
+ ixas.ixa_ip_hdr_length = ip_hdr_len;
+
+ if (isv4) {
+ ipha->ipha_length = htons(ixas.ixa_pktlen);
+ } else {
+ ip6h->ip6_plen = htons(ixas.ixa_pktlen - IPV6_HDR_LEN);
}
- rw_exit(&irb->irb_lock);
- ire_refrele(ire);
+
+ ixas.ixa_protocol = IPPROTO_SCTP;
+ ixas.ixa_zoneid = ira->ira_zoneid;
+ ixas.ixa_ipst = ipst;
+ ixas.ixa_ifindex = 0;
+
+ BUMP_MIB(&sctps->sctps_mib, sctpAborted);
+
+ if (is_system_labeled()) {
+ ASSERT(ira->ira_tsl != NULL);
+
+ ixas.ixa_tsl = ira->ira_tsl; /* A multi-level responder */
+ }
+
+ if (ira->ira_flags & IRAF_IPSEC_SECURE) {
+ /*
+ * Apply IPsec based on how IPsec was applied to
+ * the packet that was out of the blue.
+ */
+ if (!ipsec_in_to_out(ira, &ixas, mp, ipha, ip6h)) {
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ /* Note: mp already consumed and ip_drop_packet done */
+ return;
+ }
+ } else {
+ /*
+ * This is in clear. The abort message we are building
+ * here should go out in clear, independent of our policy.
+ */
+ ixas.ixa_flags |= IXAF_NO_IPSEC;
+ }
+
+ (void) ip_output_simple(mp, &ixas);
+ ixa_cleanup(&ixas);
}
/*ARGSUSED*/
@@ -418,8 +550,9 @@ sctp_add_err(sctp_t *sctp, uint16_t serror, void *details, size_t len,
return;
}
sendmp->b_cont = sctp->sctp_err_chunks;
- sctp_set_iplen(sctp, sendmp);
- sctp_add_sendq(sctp, sendmp);
+ sctp_set_iplen(sctp, sendmp, fp->ixa);
+ (void) conn_ip_output(sendmp, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
sctp->sctp_err_chunks = emp;
sctp->sctp_err_len = emp_len;
@@ -445,17 +578,20 @@ sctp_process_err(sctp_t *sctp)
sctp_stack_t *sctps = sctp->sctp_sctps;
mblk_t *errmp;
mblk_t *sendmp;
+ sctp_faddr_t *fp;
ASSERT(sctp->sctp_err_chunks != NULL);
errmp = sctp->sctp_err_chunks;
- if ((sendmp = sctp_make_mp(sctp, SCTP_CHUNK_DEST(errmp), 0)) == NULL) {
+ fp = SCTP_CHUNK_DEST(errmp);
+ if ((sendmp = sctp_make_mp(sctp, fp, 0)) == NULL) {
SCTP_KSTAT(sctps, sctp_send_err_failed);
freemsg(errmp);
goto done;
}
sendmp->b_cont = errmp;
- sctp_set_iplen(sctp, sendmp);
- sctp_add_sendq(sctp, sendmp);
+ sctp_set_iplen(sctp, sendmp, fp->ixa);
+ (void) conn_ip_output(sendmp, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
done:
sctp->sctp_err_chunks = NULL;
sctp->sctp_err_len = 0;
@@ -467,7 +603,7 @@ done:
*/
int
sctp_handle_error(sctp_t *sctp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ch,
- mblk_t *mp)
+ mblk_t *mp, ip_recv_attr_t *ira)
{
sctp_parm_hdr_t *errh;
sctp_chunk_hdr_t *uch;
@@ -487,11 +623,13 @@ sctp_handle_error(sctp_t *sctp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ch,
*/
case SCTP_ERR_BAD_SID:
cmn_err(CE_WARN, "BUG! send to invalid SID");
- sctp_send_abort(sctp, sctph->sh_verf, 0, NULL, 0, mp, 0, 0);
+ sctp_send_abort(sctp, sctph->sh_verf, 0, NULL, 0, mp, 0, 0,
+ ira);
return (ECONNABORTED);
case SCTP_ERR_NO_USR_DATA:
cmn_err(CE_WARN, "BUG! no usr data");
- sctp_send_abort(sctp, sctph->sh_verf, 0, NULL, 0, mp, 0, 0);
+ sctp_send_abort(sctp, sctph->sh_verf, 0, NULL, 0, mp, 0, 0,
+ ira);
return (ECONNABORTED);
case SCTP_ERR_UNREC_CHUNK:
/* Pull out the unrecognized chunk type */
diff --git a/usr/src/uts/common/inet/sctp/sctp_hash.c b/usr/src/uts/common/inet/sctp/sctp_hash.c
index 289dbc04e7..b5c838d297 100644
--- a/usr/src/uts/common/inet/sctp/sctp_hash.c
+++ b/usr/src/uts/common/inet/sctp/sctp_hash.c
@@ -20,7 +20,7 @@
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -82,7 +82,7 @@ sctp_hash_init(sctp_stack_t *sctps)
}
sctps->sctps_conn_fanout =
(sctp_tf_t *)kmem_zalloc(sctps->sctps_conn_hash_size *
- sizeof (sctp_tf_t), KM_SLEEP);
+ sizeof (sctp_tf_t), KM_SLEEP);
for (i = 0; i < sctps->sctps_conn_hash_size; i++) {
mutex_init(&sctps->sctps_conn_fanout[i].tf_lock, NULL,
MUTEX_DEFAULT, NULL);
@@ -129,87 +129,6 @@ sctp_hash_destroy(sctp_stack_t *sctps)
}
/*
- * Walk the SCTP global list and refrele the ire for this ipif
- * This is called when an address goes down, so that we release any reference
- * to the ire associated with this address. Additionally, for any SCTP if
- * this was the only/last address in its source list, we don't kill the
- * assoc., if there is no address added subsequently, or if this does not
- * come up, then the assoc. will die a natural death (i.e. timeout).
- */
-void
-sctp_ire_cache_flush(ipif_t *ipif)
-{
- sctp_t *sctp;
- sctp_t *sctp_prev = NULL;
- sctp_faddr_t *fp;
- conn_t *connp;
- ire_t *ire;
- sctp_stack_t *sctps = ipif->ipif_ill->ill_ipst->
- ips_netstack->netstack_sctp;
-
- sctp = sctps->sctps_gsctp;
- mutex_enter(&sctps->sctps_g_lock);
- while (sctp != NULL) {
- mutex_enter(&sctp->sctp_reflock);
- if (sctp->sctp_condemned) {
- mutex_exit(&sctp->sctp_reflock);
- sctp = list_next(&sctps->sctps_g_list, sctp);
- continue;
- }
- sctp->sctp_refcnt++;
- mutex_exit(&sctp->sctp_reflock);
- mutex_exit(&sctps->sctps_g_lock);
- if (sctp_prev != NULL)
- SCTP_REFRELE(sctp_prev);
-
- RUN_SCTP(sctp);
- connp = sctp->sctp_connp;
- mutex_enter(&connp->conn_lock);
- ire = connp->conn_ire_cache;
- if (ire != NULL && ire->ire_ipif == ipif) {
- connp->conn_ire_cache = NULL;
- mutex_exit(&connp->conn_lock);
- IRE_REFRELE_NOTR(ire);
- } else {
- mutex_exit(&connp->conn_lock);
- }
- /* check for ires cached in faddr */
- for (fp = sctp->sctp_faddrs; fp != NULL; fp = fp->next) {
- /*
- * If this ipif is being used as the source address
- * we need to update it as well, else we will end
- * up using the dead source address.
- */
- ire = fp->ire;
- if (ire != NULL && ire->ire_ipif == ipif) {
- fp->ire = NULL;
- IRE_REFRELE_NOTR(ire);
- }
- /*
- * This may result in setting the fp as unreachable,
- * i.e. if all the source addresses are down. In
- * that case the assoc. would timeout.
- */
- if (IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6lcl_addr,
- &fp->saddr)) {
- sctp_set_saddr(sctp, fp);
- if (fp == sctp->sctp_current &&
- fp->state != SCTP_FADDRS_UNREACH) {
- sctp_set_faddr_current(sctp, fp);
- }
- }
- }
- WAKE_SCTP(sctp);
- sctp_prev = sctp;
- mutex_enter(&sctps->sctps_g_lock);
- sctp = list_next(&sctps->sctps_g_list, sctp);
- }
- mutex_exit(&sctps->sctps_g_lock);
- if (sctp_prev != NULL)
- SCTP_REFRELE(sctp_prev);
-}
-
-/*
* Exported routine for extracting active SCTP associations.
* Like TCP, we terminate the walk if the callback returns non-zero.
*
@@ -244,9 +163,9 @@ cl_sctp_walk_list_stack(int (*cl_callback)(cl_sctp_info_t *, void *),
uchar_t *slist;
uchar_t *flist;
- sctp = sctps->sctps_gsctp;
sctp_prev = NULL;
mutex_enter(&sctps->sctps_g_lock);
+ sctp = list_head(&sctps->sctps_g_list);
while (sctp != NULL) {
size_t ssize;
size_t fsize;
@@ -282,11 +201,14 @@ cl_sctp_walk_list_stack(int (*cl_callback)(cl_sctp_info_t *, void *),
sctp_get_faddr_list(sctp, flist, fsize);
cl_sctpi.cl_sctpi_nladdr = sctp->sctp_nsaddrs;
cl_sctpi.cl_sctpi_nfaddr = sctp->sctp_nfaddrs;
- cl_sctpi.cl_sctpi_family = sctp->sctp_family;
- cl_sctpi.cl_sctpi_ipversion = sctp->sctp_ipversion;
+ cl_sctpi.cl_sctpi_family = sctp->sctp_connp->conn_family;
+ if (cl_sctpi.cl_sctpi_family == AF_INET)
+ cl_sctpi.cl_sctpi_ipversion = IPV4_VERSION;
+ else
+ cl_sctpi.cl_sctpi_ipversion = IPV6_VERSION;
cl_sctpi.cl_sctpi_state = sctp->sctp_state;
- cl_sctpi.cl_sctpi_lport = sctp->sctp_lport;
- cl_sctpi.cl_sctpi_fport = sctp->sctp_fport;
+ cl_sctpi.cl_sctpi_lport = sctp->sctp_connp->conn_lport;
+ cl_sctpi.cl_sctpi_fport = sctp->sctp_connp->conn_fport;
cl_sctpi.cl_sctpi_handle = (cl_sctp_handle_t)sctp;
WAKE_SCTP(sctp);
cl_sctpi.cl_sctpi_laddrp = slist;
@@ -310,20 +232,26 @@ cl_sctp_walk_list_stack(int (*cl_callback)(cl_sctp_info_t *, void *),
sctp_t *
sctp_conn_match(in6_addr_t *faddr, in6_addr_t *laddr, uint32_t ports,
- zoneid_t zoneid, sctp_stack_t *sctps)
+ zoneid_t zoneid, iaflags_t iraflags, sctp_stack_t *sctps)
{
sctp_tf_t *tf;
sctp_t *sctp;
sctp_faddr_t *fp;
+ conn_t *connp;
tf = &(sctps->sctps_conn_fanout[SCTP_CONN_HASH(sctps, ports)]);
mutex_enter(&tf->tf_lock);
for (sctp = tf->tf_sctp; sctp; sctp = sctp->sctp_conn_hash_next) {
- if (ports != sctp->sctp_ports ||
- !IPCL_ZONE_MATCH(sctp->sctp_connp, zoneid)) {
+ connp = sctp->sctp_connp;
+ if (ports != connp->conn_ports)
+ continue;
+ if (!(connp->conn_zoneid == zoneid ||
+ connp->conn_allzones ||
+ ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
+ (iraflags & IRAF_TX_MAC_EXEMPTABLE) &&
+ (iraflags & IRAF_TX_SHARED_ADDR))))
continue;
- }
/* check for faddr match */
for (fp = sctp->sctp_faddrs; fp; fp = fp->next) {
@@ -351,11 +279,12 @@ done:
static sctp_t *
listen_match(in6_addr_t *laddr, uint32_t ports, zoneid_t zoneid,
- sctp_stack_t *sctps)
+ iaflags_t iraflags, sctp_stack_t *sctps)
{
sctp_t *sctp;
sctp_tf_t *tf;
uint16_t lport;
+ conn_t *connp;
lport = ((uint16_t *)&ports)[1];
@@ -363,10 +292,16 @@ listen_match(in6_addr_t *laddr, uint32_t ports, zoneid_t zoneid,
mutex_enter(&tf->tf_lock);
for (sctp = tf->tf_sctp; sctp; sctp = sctp->sctp_listen_hash_next) {
- if (lport != sctp->sctp_lport ||
- !IPCL_ZONE_MATCH(sctp->sctp_connp, zoneid)) {
+ connp = sctp->sctp_connp;
+ if (lport != connp->conn_lport)
+ continue;
+
+ if (!(connp->conn_zoneid == zoneid ||
+ connp->conn_allzones ||
+ ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
+ (iraflags & IRAF_TX_MAC_EXEMPTABLE) &&
+ (iraflags & IRAF_TX_SHARED_ADDR))))
continue;
- }
if (sctp_saddr_lookup(sctp, laddr, 0) != NULL) {
SCTP_REFHOLD(sctp);
@@ -383,48 +318,36 @@ done:
/* called by ipsec_sctp_pol */
conn_t *
sctp_find_conn(in6_addr_t *src, in6_addr_t *dst, uint32_t ports,
- zoneid_t zoneid, sctp_stack_t *sctps)
+ zoneid_t zoneid, iaflags_t iraflags, sctp_stack_t *sctps)
{
sctp_t *sctp;
- if ((sctp = sctp_conn_match(src, dst, ports, zoneid, sctps)) == NULL) {
+ sctp = sctp_conn_match(src, dst, ports, zoneid, iraflags, sctps);
+ if (sctp == NULL) {
/* Not in conn fanout; check listen fanout */
- if ((sctp = listen_match(dst, ports, zoneid, sctps)) == NULL)
+ sctp = listen_match(dst, ports, zoneid, iraflags, sctps);
+ if (sctp == NULL)
return (NULL);
}
return (sctp->sctp_connp);
}
+/*
+ * Fanout to a sctp instance.
+ */
conn_t *
sctp_fanout(in6_addr_t *src, in6_addr_t *dst, uint32_t ports,
- zoneid_t zoneid, mblk_t *mp, sctp_stack_t *sctps)
-
+ ip_recv_attr_t *ira, mblk_t *mp, sctp_stack_t *sctps)
{
+ zoneid_t zoneid = ira->ira_zoneid;
+ iaflags_t iraflags = ira->ira_flags;
sctp_t *sctp;
- boolean_t shared_addr;
-
- if ((sctp = sctp_conn_match(src, dst, ports, zoneid, sctps)) == NULL) {
- shared_addr = (zoneid == ALL_ZONES);
- if (shared_addr) {
- /*
- * No need to handle exclusive-stack zones since
- * ALL_ZONES only applies to the shared stack.
- */
- zoneid = tsol_mlp_findzone(IPPROTO_SCTP,
- htons(ntohl(ports) & 0xFFFF));
- /*
- * If no shared MLP is found, tsol_mlp_findzone returns
- * ALL_ZONES. In that case, we assume it's SLP, and
- * search for the zone based on the packet label.
- * That will also return ALL_ZONES on failure.
- */
- if (zoneid == ALL_ZONES)
- zoneid = tsol_packet_to_zoneid(mp);
- if (zoneid == ALL_ZONES)
- return (NULL);
- }
+
+ sctp = sctp_conn_match(src, dst, ports, zoneid, iraflags, sctps);
+ if (sctp == NULL) {
/* Not in conn fanout; check listen fanout */
- if ((sctp = listen_match(dst, ports, zoneid, sctps)) == NULL)
+ sctp = listen_match(dst, ports, zoneid, iraflags, sctps);
+ if (sctp == NULL)
return (NULL);
/*
* On systems running trusted extensions, check if dst
@@ -432,9 +355,9 @@ sctp_fanout(in6_addr_t *src, in6_addr_t *dst, uint32_t ports,
* that dst is in 16 byte AF_INET6 format. IPv4-mapped
* IPv6 addresses are supported.
*/
- if (is_system_labeled() &&
- !tsol_receive_local(mp, dst, IPV6_VERSION,
- shared_addr, sctp->sctp_connp)) {
+ if ((iraflags & IRAF_SYSTEM_LABELED) &&
+ !tsol_receive_local(mp, dst, IPV6_VERSION, ira,
+ sctp->sctp_connp)) {
DTRACE_PROBE3(
tx__ip__log__info__classify__sctp,
char *,
@@ -444,145 +367,84 @@ sctp_fanout(in6_addr_t *src, in6_addr_t *dst, uint32_t ports,
return (NULL);
}
}
+ /*
+ * For labeled systems, there's no need to check the
+ * label here. It's known to be good as we checked
+ * before allowing the connection to become bound.
+ */
return (sctp->sctp_connp);
}
/*
- * Fanout for SCTP packets
+ * Fanout for ICMP errors for SCTP
* The caller puts <fport, lport> in the ports parameter.
*/
-/* ARGSUSED */
void
-ip_fanout_sctp(mblk_t *mp, ill_t *recv_ill, ipha_t *ipha,
- uint32_t ports, uint_t flags, boolean_t mctl_present, boolean_t ip_policy,
- zoneid_t zoneid)
+ip_fanout_sctp(mblk_t *mp, ipha_t *ipha, ip6_t *ip6h, uint32_t ports,
+ ip_recv_attr_t *ira)
{
- sctp_t *sctp;
- boolean_t isv4;
- conn_t *connp;
- mblk_t *first_mp;
- ip6_t *ip6h;
- in6_addr_t map_src, map_dst;
- in6_addr_t *src, *dst;
- ip_stack_t *ipst;
- ipsec_stack_t *ipss;
- sctp_stack_t *sctps;
-
- ASSERT(recv_ill != NULL);
- ipst = recv_ill->ill_ipst;
- sctps = ipst->ips_netstack->netstack_sctp;
- ipss = ipst->ips_netstack->netstack_ipsec;
-
- first_mp = mp;
- if (mctl_present) {
- mp = first_mp->b_cont;
- ASSERT(mp != NULL);
- }
+ sctp_t *sctp;
+ conn_t *connp;
+ in6_addr_t map_src, map_dst;
+ in6_addr_t *src, *dst;
+ boolean_t secure;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
+ netstack_t *ns = ipst->ips_netstack;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+ sctp_stack_t *sctps = ns->netstack_sctp;
+ iaflags_t iraflags = ira->ira_flags;
+ ill_t *rill = ira->ira_rill;
+
+ ASSERT(iraflags & IRAF_ICMP_ERROR);
+
+ secure = iraflags & IRAF_IPSEC_SECURE;
/* Assume IP provides aligned packets - otherwise toss */
if (!OK_32PTR(mp->b_rptr)) {
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
+ freemsg(mp);
return;
}
- if (IPH_HDR_VERSION(ipha) == IPV6_VERSION) {
- ip6h = (ip6_t *)ipha;
+ if (!(iraflags & IRAF_IS_IPV4)) {
src = &ip6h->ip6_src;
dst = &ip6h->ip6_dst;
- isv4 = B_FALSE;
} else {
- ip6h = NULL;
IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &map_src);
IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &map_dst);
src = &map_src;
dst = &map_dst;
- isv4 = B_TRUE;
}
- connp = sctp_fanout(src, dst, ports, zoneid, mp, sctps);
+ connp = sctp_fanout(src, dst, ports, ira, mp, sctps);
if (connp == NULL) {
- ip_fanout_sctp_raw(first_mp, recv_ill, ipha, isv4,
- ports, mctl_present, flags, ip_policy, zoneid);
+ ip_fanout_sctp_raw(mp, ipha, ip6h, ports, ira);
return;
}
sctp = CONN2SCTP(connp);
- /* Found a client; up it goes */
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsHCInDelivers);
-
/*
* We check some fields in conn_t without holding a lock.
* This should be fine.
*/
- if (CONN_INBOUND_POLICY_PRESENT(connp, ipss) || mctl_present) {
- first_mp = ipsec_check_inbound_policy(first_mp, connp,
- ipha, NULL, mctl_present);
- if (first_mp == NULL) {
- SCTP_REFRELE(sctp);
- return;
- }
- }
-
- /* Initiate IPPF processing for fastpath */
- if (IPP_ENABLED(IPP_LOCAL_IN, ipst)) {
- ip_process(IPP_LOCAL_IN, &mp,
- recv_ill->ill_phyint->phyint_ifindex);
+ if (((iraflags & IRAF_IS_IPV4) ?
+ CONN_INBOUND_POLICY_PRESENT(connp, ipss) :
+ CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss)) ||
+ secure) {
+ mp = ipsec_check_inbound_policy(mp, connp, ipha,
+ ip6h, ira);
if (mp == NULL) {
SCTP_REFRELE(sctp);
- if (mctl_present)
- freeb(first_mp);
return;
- } else if (mctl_present) {
- /*
- * ip_process might return a new mp.
- */
- ASSERT(first_mp != mp);
- first_mp->b_cont = mp;
- } else {
- first_mp = mp;
}
}
- if (connp->conn_recvif || connp->conn_recvslla ||
- connp->conn_ip_recvpktinfo) {
- int in_flags = 0;
-
- if (connp->conn_recvif || connp->conn_ip_recvpktinfo) {
- in_flags = IPF_RECVIF;
- }
- if (connp->conn_recvslla) {
- in_flags |= IPF_RECVSLLA;
- }
- if (isv4) {
- mp = ip_add_info(mp, recv_ill, in_flags,
- IPCL_ZONEID(connp), ipst);
- } else {
- mp = ip_add_info_v6(mp, recv_ill, &ip6h->ip6_dst);
- }
- if (mp == NULL) {
- SCTP_REFRELE(sctp);
- if (mctl_present)
- freeb(first_mp);
- return;
- } else if (mctl_present) {
- /*
- * ip_add_info might return a new mp.
- */
- ASSERT(first_mp != mp);
- first_mp->b_cont = mp;
- } else {
- first_mp = mp;
- }
- }
+ ira->ira_ill = ira->ira_rill = NULL;
mutex_enter(&sctp->sctp_lock);
if (sctp->sctp_running) {
- if (mctl_present)
- mp->b_prev = first_mp;
- if (!sctp_add_recvq(sctp, mp, B_FALSE)) {
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
- }
+ sctp_add_recvq(sctp, mp, B_FALSE, ira);
mutex_exit(&sctp->sctp_lock);
} else {
sctp->sctp_running = B_TRUE;
@@ -590,24 +452,22 @@ ip_fanout_sctp(mblk_t *mp, ill_t *recv_ill, ipha_t *ipha,
mutex_enter(&sctp->sctp_recvq_lock);
if (sctp->sctp_recvq != NULL) {
- if (mctl_present)
- mp->b_prev = first_mp;
- if (!sctp_add_recvq(sctp, mp, B_TRUE)) {
- BUMP_MIB(recv_ill->ill_ip_mib,
- ipIfStatsInDiscards);
- freemsg(first_mp);
- }
+ sctp_add_recvq(sctp, mp, B_TRUE, ira);
mutex_exit(&sctp->sctp_recvq_lock);
WAKE_SCTP(sctp);
} else {
mutex_exit(&sctp->sctp_recvq_lock);
- sctp_input_data(sctp, mp, (mctl_present ? first_mp :
- NULL));
+ if (ira->ira_flags & IRAF_ICMP_ERROR) {
+ sctp_icmp_error(sctp, mp);
+ } else {
+ sctp_input_data(sctp, mp, ira);
+ }
WAKE_SCTP(sctp);
- sctp_process_sendq(sctp);
}
}
SCTP_REFRELE(sctp);
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
}
void
@@ -623,7 +483,7 @@ sctp_conn_hash_remove(sctp_t *sctp)
* subsystem.
*/
if (cl_sctp_disconnect != NULL) {
- (*cl_sctp_disconnect)(sctp->sctp_family,
+ (*cl_sctp_disconnect)(sctp->sctp_connp->conn_family,
(cl_sctp_handle_t)sctp);
}
@@ -683,6 +543,7 @@ void
sctp_listen_hash_remove(sctp_t *sctp)
{
sctp_tf_t *tf = sctp->sctp_listen_tfp;
+ conn_t *connp = sctp->sctp_connp;
if (!tf) {
return;
@@ -698,8 +559,8 @@ sctp_listen_hash_remove(sctp_t *sctp)
ssize = sizeof (in6_addr_t) * sctp->sctp_nsaddrs;
slist = kmem_alloc(ssize, KM_SLEEP);
sctp_get_saddr_list(sctp, slist, ssize);
- (*cl_sctp_unlisten)(sctp->sctp_family, slist,
- sctp->sctp_nsaddrs, sctp->sctp_lport);
+ (*cl_sctp_unlisten)(connp->conn_family, slist,
+ sctp->sctp_nsaddrs, connp->conn_lport);
/* list will be freed by the clustering module */
}
@@ -722,7 +583,10 @@ sctp_listen_hash_remove(sctp_t *sctp)
sctp->sctp_listen_hash_next;
if (sctp->sctp_listen_hash_next != NULL) {
- sctp->sctp_listen_hash_next->sctp_listen_hash_prev =
+ sctp_t *next = sctp->sctp_listen_hash_next;
+
+ ASSERT(next->sctp_listen_hash_prev == sctp);
+ next->sctp_listen_hash_prev =
sctp->sctp_listen_hash_prev;
}
}
@@ -735,6 +599,8 @@ sctp_listen_hash_remove(sctp_t *sctp)
void
sctp_listen_hash_insert(sctp_tf_t *tf, sctp_t *sctp)
{
+ conn_t *connp = sctp->sctp_connp;
+
if (sctp->sctp_listen_tfp) {
sctp_listen_hash_remove(sctp);
}
@@ -759,8 +625,8 @@ sctp_listen_hash_insert(sctp_tf_t *tf, sctp_t *sctp)
ssize = sizeof (in6_addr_t) * sctp->sctp_nsaddrs;
slist = kmem_alloc(ssize, KM_SLEEP);
sctp_get_saddr_list(sctp, slist, ssize);
- (*cl_sctp_listen)(sctp->sctp_family, slist,
- sctp->sctp_nsaddrs, sctp->sctp_lport);
+ (*cl_sctp_listen)(connp->conn_family, slist,
+ sctp->sctp_nsaddrs, connp->conn_lport);
/* list will be freed by the clustering module */
}
}
@@ -850,8 +716,8 @@ sctp_lookup(sctp_t *sctp1, in6_addr_t *faddr, sctp_tf_t *tf, uint32_t *ports,
for (sctp = tf->tf_sctp; sctp != NULL;
sctp = sctp->sctp_conn_hash_next) {
- if (*ports != sctp->sctp_ports || sctp->sctp_state <
- min_state) {
+ if (*ports != sctp->sctp_connp->conn_ports ||
+ sctp->sctp_state < min_state) {
continue;
}
@@ -886,38 +752,3 @@ done:
}
return (sctp);
}
-
-boolean_t
-ip_fanout_sctp_raw_match(conn_t *connp, uint32_t ports, ipha_t *ipha)
-{
- uint16_t lport;
-
- if (connp->conn_fully_bound) {
- return (IPCL_CONN_MATCH(connp, IPPROTO_SCTP, ipha->ipha_src,
- ipha->ipha_dst, ports));
- } else {
- lport = htons(ntohl(ports) & 0xFFFF);
- return (IPCL_BIND_MATCH(connp, IPPROTO_SCTP, ipha->ipha_dst,
- lport));
- }
-}
-
-boolean_t
-ip_fanout_sctp_raw_match_v6(conn_t *connp, uint32_t ports, ip6_t *ip6h,
- boolean_t for_v4)
-{
- uint16_t lport;
- in6_addr_t v6dst;
-
- if (!for_v4 && connp->conn_fully_bound) {
- return (IPCL_CONN_MATCH_V6(connp, IPPROTO_SCTP, ip6h->ip6_src,
- ip6h->ip6_dst, ports));
- } else {
- lport = htons(ntohl(ports) & 0xFFFF);
- if (for_v4)
- v6dst = ipv6_all_zeros;
- else
- v6dst = ip6h->ip6_dst;
- return (IPCL_BIND_MATCH_V6(connp, IPPROTO_SCTP, v6dst, lport));
- }
-}
diff --git a/usr/src/uts/common/inet/sctp/sctp_heartbeat.c b/usr/src/uts/common/inet/sctp/sctp_heartbeat.c
index 914f1cac3f..2fbffee1c3 100644
--- a/usr/src/uts/common/inet/sctp/sctp_heartbeat.c
+++ b/usr/src/uts/common/inet/sctp/sctp_heartbeat.c
@@ -20,12 +20,10 @@
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/types.h>
#include <sys/systm.h>
#include <sys/stream.h>
@@ -66,8 +64,14 @@ sctp_return_heartbeat(sctp_t *sctp, sctp_chunk_hdr_t *hbcp, mblk_t *mp)
addr = inip6h->ip6_src;
}
fp = sctp_lookup_faddr(sctp, &addr);
- ASSERT(fp != NULL);
-
+ /* If the source address is bogus we silently drop the packet */
+ if (fp == NULL) {
+ dprint(1,
+ ("sctp_return_heartbeat: %p bogus hb from %x:%x:%x:%x\n",
+ (void *)sctp, SCTP_PRINTADDR(addr)));
+ SCTP_KSTAT(sctps, sctp_return_hb_failed);
+ return;
+ }
dprint(3, ("sctp_return_heartbeat: %p got hb from %x:%x:%x:%x\n",
(void *)sctp, SCTP_PRINTADDR(addr)));
@@ -98,10 +102,11 @@ sctp_return_heartbeat(sctp_t *sctp, sctp_chunk_hdr_t *hbcp, mblk_t *mp)
smp->b_wptr += len;
- sctp_set_iplen(sctp, smp);
-
BUMP_LOCAL(sctp->sctp_obchunks);
- sctp_add_sendq(sctp, smp);
+
+ sctp_set_iplen(sctp, smp, fp->ixa);
+ (void) conn_ip_output(smp, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
}
/*
@@ -126,10 +131,10 @@ sctp_send_heartbeat(sctp_t *sctp, sctp_faddr_t *fp)
SCTP_PRINTADDR(fp->faddr), SCTP_PRINTADDR(fp->saddr)));
hblen = sizeof (*cp) +
- sizeof (*hpp) +
- sizeof (*t) +
- sizeof (fp->hb_secret) +
- sizeof (fp->faddr);
+ sizeof (*hpp) +
+ sizeof (*t) +
+ sizeof (fp->hb_secret) +
+ sizeof (fp->faddr);
hbmp = sctp_make_mp(sctp, fp, hblen);
if (hbmp == NULL) {
SCTP_KSTAT(sctps, sctp_send_hb_failed);
@@ -180,8 +185,6 @@ sctp_send_heartbeat(sctp_t *sctp, sctp_faddr_t *fp)
hbmp->b_wptr += hblen;
- sctp_set_iplen(sctp, hbmp);
-
/* Update the faddr's info */
fp->lastactive = now;
fp->hb_pending = B_TRUE;
@@ -189,7 +192,9 @@ sctp_send_heartbeat(sctp_t *sctp, sctp_faddr_t *fp)
BUMP_LOCAL(sctp->sctp_obchunks);
BUMP_MIB(&sctps->sctps_mib, sctpTimHeartBeatProbe);
- sctp_add_sendq(sctp, hbmp);
+ sctp_set_iplen(sctp, hbmp, fp->ixa);
+ (void) conn_ip_output(hbmp, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
}
/*
diff --git a/usr/src/uts/common/inet/sctp/sctp_impl.h b/usr/src/uts/common/inet/sctp/sctp_impl.h
index 32268648f6..d84c3762f3 100644
--- a/usr/src/uts/common/inet/sctp/sctp_impl.h
+++ b/usr/src/uts/common/inet/sctp/sctp_impl.h
@@ -191,7 +191,6 @@ typedef struct sctpparam_s {
#define SCTP_MAX_COMBINED_HEADER_LENGTH (60 + 12) /* Maxed out ip + sctp */
#define SCTP_MAX_IP_OPTIONS_LENGTH (60 - IP_SIMPLE_HDR_LENGTH)
#define SCTP_MAX_HDR_LENGTH 60
-#define ICMP_MIN_SCTP_HDR_LEN (ICMP_MIN_TP_HDR_LEN + sizeof (sctp_hdr_t))
#define SCTP_SECRET_LEN 16
@@ -213,27 +212,6 @@ typedef struct sctpparam_s {
} \
}
-#define SCTP_G_Q_REFHOLD(sctps) { \
- atomic_add_32(&(sctps)->sctps_g_q_ref, 1); \
- ASSERT((sctps)->sctps_g_q_ref != 0); \
- DTRACE_PROBE1(sctp__g__q__refhold, sctp_stack_t, sctps); \
-}
-
-/*
- * Decrement the reference count on sctp_g_q
- * In architectures e.g sun4u, where atomic_add_32_nv is just
- * a cas, we need to maintain the right memory barrier semantics
- * as that of mutex_exit i.e all the loads and stores should complete
- * before the cas is executed. membar_exit() does that here.
- */
-#define SCTP_G_Q_REFRELE(sctps) { \
- ASSERT((sctps)->sctps_g_q_ref != 0); \
- membar_exit(); \
- DTRACE_PROBE1(sctp__g__q__refrele, sctp_stack_t, sctps); \
- if (atomic_add_32_nv(&(sctps)->sctps_g_q_ref, -1) == 0) \
- sctp_g_q_inactive(sctps); \
-}
-
#define SCTP_PRINTADDR(a) (a).s6_addr32[0], (a).s6_addr32[1],\
(a).s6_addr32[2], (a).s6_addr32[3]
@@ -399,15 +377,6 @@ extern sin6_t sctp_sin6_null; /* Zero address for quick clears */
#define SCTP_IS_DETACHED(sctp) ((sctp)->sctp_detached)
-/*
- * Object to represent database of options to search passed to
- * {sock,tpi}optcom_req() interface routine to take care of option
- * management and associated methods.
- * XXX These and other externs should ideally move to a SCTP header
- */
-extern optdb_obj_t sctp_opt_obj;
-extern uint_t sctp_max_optbuf_len;
-
/* Data structure used to track received TSNs */
typedef struct sctp_set_s {
struct sctp_set_s *next;
@@ -528,7 +497,7 @@ typedef struct sctp_faddr_s {
hb_enabled : 1;
mblk_t *rc_timer_mp; /* reliable control chunk timer */
- ire_t *ire; /* cached IRE */
+ ip_xmit_attr_t *ixa; /* Transmit attributes */
uint32_t T3expire; /* # of times T3 timer expired */
uint64_t hb_secret; /* per addr "secret" in heartbeat */
@@ -600,25 +569,6 @@ typedef struct sctp_s {
sctp_ipif_hash_t sctp_saddrs[SCTP_IPIF_HASH];
int sctp_nsaddrs;
- /*
- * These fields contain the same information as sctp_sctph->th_*port.
- * However, the lookup functions can not use the header fields
- * since during IP option manipulation the sctp_sctph pointer
- * changes.
- */
- union {
- struct {
- in_port_t sctpu_fport; /* Remote port */
- in_port_t sctpu_lport; /* Local port */
- } sctpu_ports1;
- uint32_t sctpu_ports2; /* Rem port, */
- /* local port */
- /* Used for SCTP_MATCH performance */
- } sctp_sctpu;
-#define sctp_fport sctp_sctpu.sctpu_ports1.sctpu_fport
-#define sctp_lport sctp_sctpu.sctpu_ports1.sctpu_lport
-#define sctp_ports sctp_sctpu.sctpu_ports2
-
kmutex_t sctp_lock;
kcondvar_t sctp_cv;
boolean_t sctp_running;
@@ -637,12 +587,6 @@ typedef struct sctp_s {
int32_t sctp_state;
conn_t *sctp_connp; /* conn_t stuff */
-#define sctp_zoneid sctp_connp->conn_zoneid
-#define sctp_allzones sctp_connp->conn_allzones
-#define sctp_mac_mode sctp_connp->conn_mac_mode
-#define sctp_credp sctp_connp->conn_cred
-#define sctp_reuseaddr sctp_connp->conn_reuseaddr
-
sctp_stack_t *sctp_sctps;
/* Peer address tracking */
@@ -711,9 +655,6 @@ typedef struct sctp_s {
uint32_t sctp_T3expire; /* # of times T3timer expired */
uint32_t sctp_assoc_start_time; /* time when assoc was est. */
- /* Outbound flow control */
- int32_t sctp_xmit_hiwater; /* Send high water mark */
- int32_t sctp_xmit_lowater; /* Send low water mark */
uint32_t sctp_frwnd; /* Peer RWND */
uint32_t sctp_cwnd_max;
@@ -723,8 +664,8 @@ typedef struct sctp_s {
int32_t sctp_rxqueued; /* No. of bytes in RX q's */
/* Pre-initialized composite headers */
- char *sctp_iphc; /* v4 sctp/ip hdr template buffer */
- char *sctp_iphc6; /* v6 sctp/ip hdr template buffer */
+ uchar_t *sctp_iphc; /* v4 sctp/ip hdr template buffer */
+ uchar_t *sctp_iphc6; /* v6 sctp/ip hdr template buffer */
int32_t sctp_iphc_len; /* actual allocated v4 buffer size */
int32_t sctp_iphc6_len; /* actual allocated v6 buffer size */
@@ -754,17 +695,12 @@ typedef struct sctp_s {
uint32_t
sctp_understands_asconf : 1, /* Peer handles ASCONF chunks */
- sctp_debug : 1, /* SO_DEBUG "socket" option. */
sctp_cchunk_pend : 1, /* Control chunk in flight. */
- sctp_dgram_errind : 1, /* SO_DGRAM_ERRIND option */
-
- sctp_linger : 1, /* SO_LINGER turned on */
sctp_lingering : 1, /* Lingering in close */
sctp_loopback: 1, /* src and dst are the same machine */
- sctp_force_sack : 1,
+ sctp_force_sack : 1,
sctp_ack_timer_running: 1, /* Delayed ACK timer running */
- sctp_recvdstaddr : 1, /* return T_EXTCONN_IND with dstaddr */
sctp_hwcksum : 1, /* The NIC is capable of hwcksum */
sctp_understands_addip : 1,
@@ -802,15 +738,11 @@ typedef struct sctp_s {
} sctp_events;
#define sctp_priv_stream sctp_bits.sctp_priv_stream
#define sctp_understands_asconf sctp_bits.sctp_understands_asconf
-#define sctp_debug sctp_bits.sctp_debug
#define sctp_cchunk_pend sctp_bits.sctp_cchunk_pend
-#define sctp_dgram_errind sctp_bits.sctp_dgram_errind
-#define sctp_linger sctp_bits.sctp_linger
#define sctp_lingering sctp_bits.sctp_lingering
#define sctp_loopback sctp_bits.sctp_loopback
#define sctp_force_sack sctp_bits.sctp_force_sack
#define sctp_ack_timer_running sctp_bits.sctp_ack_timer_running
-#define sctp_recvdstaddr sctp_bits.sctp_recvdstaddr
#define sctp_hwcksum sctp_bits.sctp_hwcksum
#define sctp_understands_addip sctp_bits.sctp_understands_addip
#define sctp_bound_to_all sctp_bits.sctp_bound_to_all
@@ -853,15 +785,6 @@ typedef struct sctp_s {
uint8_t sctp_old_secret[SCTP_SECRET_LEN];
uint32_t sctp_cookie_lifetime; /* cookie lifetime in tick */
- /*
- * Address family that app wishes returned addrsses to be in.
- * Currently taken from address family used in T_BIND_REQ, but
- * should really come from family used in original socket() call.
- * Value can be AF_INET or AF_INET6.
- */
- uint_t sctp_family;
- ushort_t sctp_ipversion;
-
/* Bind hash tables */
kmutex_t *sctp_bind_lockp; /* Ptr to tf_lock */
struct sctp_s *sctp_bind_hash;
@@ -870,14 +793,10 @@ typedef struct sctp_s {
/* Shutdown / cleanup */
sctp_faddr_t *sctp_shutdown_faddr; /* rotate faddr during shutd */
int32_t sctp_client_errno; /* How the client screwed up */
- int sctp_lingertime; /* Close linger time (in seconds) */
kmutex_t sctp_reflock; /* Protects sctp_refcnt & timer mp */
ushort_t sctp_refcnt; /* No. of pending upstream msg */
mblk_t *sctp_timer_mp; /* List of fired timers. */
- /* Misc */
- uint_t sctp_bound_if; /* IPV6_BOUND_IF */
-
mblk_t *sctp_heartbeat_mp; /* Timer block for heartbeats */
uint32_t sctp_hb_interval; /* Default hb_interval */
@@ -897,47 +816,19 @@ typedef struct sctp_s {
mblk_t *sctp_recvq_tail;
taskq_t *sctp_recvq_tq;
- /* Send queue to IP */
- kmutex_t sctp_sendq_lock;
- mblk_t *sctp_sendq;
- mblk_t *sctp_sendq_tail;
- boolean_t sctp_sendq_sending;
-
/* IPv6 ancillary data */
- uint_t sctp_ipv6_recvancillary; /* flags */
-#define SCTP_IPV6_RECVPKTINFO 0x01 /* IPV6_RECVPKTINFO opt */
-#define SCTP_IPV6_RECVHOPLIMIT 0x02 /* IPV6_RECVHOPLIMIT opt */
-#define SCTP_IPV6_RECVHOPOPTS 0x04 /* IPV6_RECVHOPOPTS opt */
-#define SCTP_IPV6_RECVDSTOPTS 0x08 /* IPV6_RECVDSTOPTS opt */
-#define SCTP_IPV6_RECVRTHDR 0x10 /* IPV6_RECVRTHDR opt */
-#define SCTP_IPV6_RECVRTDSTOPTS 0x20 /* IPV6_RECVRTHDRDSTOPTS opt */
-
uint_t sctp_recvifindex; /* last rcvd IPV6_RCVPKTINFO */
uint_t sctp_recvhops; /* " IPV6_RECVHOPLIMIT */
+ uint_t sctp_recvtclass; /* " IPV6_RECVTCLASS */
ip6_hbh_t *sctp_hopopts; /* " IPV6_RECVHOPOPTS */
ip6_dest_t *sctp_dstopts; /* " IPV6_RECVDSTOPTS */
- ip6_dest_t *sctp_rtdstopts; /* " IPV6_RECVRTHDRDSTOPTS */
+ ip6_dest_t *sctp_rthdrdstopts; /* " IPV6_RECVRTHDRDSTOPTS */
ip6_rthdr_t *sctp_rthdr; /* " IPV6_RECVRTHDR */
uint_t sctp_hopoptslen;
uint_t sctp_dstoptslen;
- uint_t sctp_rtdstoptslen;
+ uint_t sctp_rthdrdstoptslen;
uint_t sctp_rthdrlen;
- ip6_pkt_t sctp_sticky_ipp; /* Sticky options */
-#define sctp_ipp_fields sctp_sticky_ipp.ipp_fields
-#define sctp_ipp_ifindex sctp_sticky_ipp.ipp_ifindex
-#define sctp_ipp_addr sctp_sticky_ipp.ipp_addr
-#define sctp_ipp_hoplimit sctp_sticky_ipp.ipp_hoplimit
-#define sctp_ipp_hopoptslen sctp_sticky_ipp.ipp_hopoptslen
-#define sctp_ipp_rtdstoptslen sctp_sticky_ipp.ipp_rtdstoptslen
-#define sctp_ipp_rthdrlen sctp_sticky_ipp.ipp_rthdrlen
-#define sctp_ipp_dstoptslen sctp_sticky_ipp.ipp_dstoptslen
-#define sctp_ipp_hopopts sctp_sticky_ipp.ipp_hopopts
-#define sctp_ipp_rtdstopts sctp_sticky_ipp.ipp_rtdstopts
-#define sctp_ipp_rthdr sctp_sticky_ipp.ipp_rthdr
-#define sctp_ipp_dstopts sctp_sticky_ipp.ipp_dstopts
-#define sctp_ipp_pathmtu sctp_sticky_ipp.ipp_pathmtu
-#define sctp_ipp_nexthop sctp_sticky_ipp.ipp_nexthop
/* Stats */
uint64_t sctp_msgcount;
uint64_t sctp_prsctpdrop;
@@ -951,9 +842,6 @@ typedef struct sctp_s {
mblk_t *sctp_err_chunks; /* Error chunks */
uint32_t sctp_err_len; /* Total error chunks length */
- pid_t sctp_cpid; /* Process id when this was opened */
- uint64_t sctp_open_time; /* time when this was opened */
-
/* additional source data for per endpoint association statistics */
uint64_t sctp_outseqtsns; /* TSN rx > expected TSN */
uint64_t sctp_osacks; /* total sacks sent */
@@ -988,7 +876,7 @@ typedef struct sctp_s {
#define SCTP_TXQ_LEN(sctp) ((sctp)->sctp_unsent + (sctp)->sctp_unacked)
#define SCTP_TXQ_UPDATE(sctp) \
if ((sctp)->sctp_txq_full && SCTP_TXQ_LEN(sctp) <= \
- (sctp)->sctp_xmit_lowater) { \
+ (sctp)->sctp_connp->conn_sndlowat) { \
(sctp)->sctp_txq_full = 0; \
(sctp)->sctp_ulp_xmitted((sctp)->sctp_ulpd, \
B_FALSE); \
@@ -1004,8 +892,8 @@ extern void sctp_add_err(sctp_t *, uint16_t, void *, size_t,
extern int sctp_add_faddr(sctp_t *, in6_addr_t *, int, boolean_t);
extern boolean_t sctp_add_ftsn_set(sctp_ftsn_set_t **, sctp_faddr_t *, mblk_t *,
uint_t *, uint32_t *);
-extern boolean_t sctp_add_recvq(sctp_t *, mblk_t *, boolean_t);
-extern void sctp_add_sendq(sctp_t *, mblk_t *);
+extern void sctp_add_recvq(sctp_t *, mblk_t *, boolean_t,
+ ip_recv_attr_t *);
extern void sctp_add_unrec_parm(sctp_parm_hdr_t *, mblk_t **, boolean_t);
extern size_t sctp_addr_params(sctp_t *, int, uchar_t *, boolean_t);
extern mblk_t *sctp_add_proto_hdr(sctp_t *, sctp_faddr_t *, mblk_t *, int,
@@ -1013,7 +901,6 @@ extern mblk_t *sctp_add_proto_hdr(sctp_t *, sctp_faddr_t *, mblk_t *, int,
extern void sctp_addr_req(sctp_t *, mblk_t *);
extern sctp_t *sctp_addrlist2sctp(mblk_t *, sctp_hdr_t *, sctp_chunk_hdr_t *,
zoneid_t, sctp_stack_t *);
-extern void sctp_add_hdr(sctp_t *, uchar_t *, size_t);
extern void sctp_check_adv_ack_pt(sctp_t *, mblk_t *, mblk_t *);
extern void sctp_assoc_event(sctp_t *, uint16_t, uint16_t,
sctp_chunk_hdr_t *);
@@ -1024,7 +911,7 @@ extern int sctp_bindi(sctp_t *, in_port_t, boolean_t, int, in_port_t *);
extern int sctp_bind_add(sctp_t *, const void *, uint32_t, boolean_t,
in_port_t);
extern int sctp_bind_del(sctp_t *, const void *, uint32_t, boolean_t);
-extern int sctp_build_hdrs(sctp_t *);
+extern int sctp_build_hdrs(sctp_t *, int);
extern int sctp_check_abandoned_msg(sctp_t *, mblk_t *);
extern void sctp_clean_death(sctp_t *, int);
@@ -1035,11 +922,9 @@ extern void sctp_conn_hash_insert(sctp_tf_t *, sctp_t *, int);
extern void sctp_conn_hash_remove(sctp_t *);
extern void sctp_conn_init(conn_t *);
extern sctp_t *sctp_conn_match(in6_addr_t *, in6_addr_t *, uint32_t,
- zoneid_t, sctp_stack_t *);
+ zoneid_t, iaflags_t, sctp_stack_t *);
extern sctp_t *sctp_conn_request(sctp_t *, mblk_t *, uint_t, uint_t,
- sctp_init_chunk_t *, mblk_t *);
-extern int sctp_conprim_opt_process(queue_t *, mblk_t *, int *, int *,
- int *);
+ sctp_init_chunk_t *, ip_recv_attr_t *);
extern uint32_t sctp_cumack(sctp_t *, uint32_t, mblk_t **);
extern sctp_t *sctp_create_eager(sctp_t *);
@@ -1066,10 +951,9 @@ extern void sctp_ftsn_sets_init(void);
extern int sctp_get_addrlist(sctp_t *, const void *, uint32_t *,
uchar_t **, int *, size_t *);
-extern void sctp_g_q_inactive(sctp_stack_t *);
extern int sctp_get_addrparams(sctp_t *, sctp_t *, mblk_t *,
sctp_chunk_hdr_t *, uint_t *);
-extern void sctp_get_ire(sctp_t *, sctp_faddr_t *);
+extern void sctp_get_dest(sctp_t *, sctp_faddr_t *);
extern void sctp_get_faddr_list(sctp_t *, uchar_t *, size_t);
extern mblk_t *sctp_get_first_sent(sctp_t *);
extern mblk_t *sctp_get_msg_to_send(sctp_t *, mblk_t **, mblk_t *, int *,
@@ -1077,22 +961,20 @@ extern mblk_t *sctp_get_msg_to_send(sctp_t *, mblk_t **, mblk_t *, int *,
extern void sctp_get_saddr_list(sctp_t *, uchar_t *, size_t);
extern int sctp_handle_error(sctp_t *, sctp_hdr_t *, sctp_chunk_hdr_t *,
- mblk_t *);
+ mblk_t *, ip_recv_attr_t *);
extern void sctp_hash_destroy(sctp_stack_t *);
extern void sctp_hash_init(sctp_stack_t *);
-extern int sctp_header_init_ipv4(sctp_t *, int);
-extern int sctp_header_init_ipv6(sctp_t *, int);
extern void sctp_heartbeat_timer(sctp_t *);
extern void sctp_icmp_error(sctp_t *, mblk_t *);
extern void sctp_inc_taskq(sctp_stack_t *);
extern void sctp_info_req(sctp_t *, mblk_t *);
-extern mblk_t *sctp_init_mp(sctp_t *);
+extern mblk_t *sctp_init_mp(sctp_t *, sctp_faddr_t *);
extern boolean_t sctp_initialize_params(sctp_t *, sctp_init_chunk_t *,
sctp_init_chunk_t *);
extern uint32_t sctp_init2vtag(sctp_chunk_hdr_t *);
extern void sctp_intf_event(sctp_t *, in6_addr_t, int, int);
-extern void sctp_input_data(sctp_t *, mblk_t *, mblk_t *);
+extern void sctp_input_data(sctp_t *, mblk_t *, ip_recv_attr_t *);
extern void sctp_instream_cleanup(sctp_t *, boolean_t);
extern int sctp_is_a_faddr_clean(sctp_t *);
@@ -1124,7 +1006,8 @@ extern int sctp_nd_getset(queue_t *, MBLKP);
extern boolean_t sctp_nd_init(sctp_stack_t *);
extern sctp_parm_hdr_t *sctp_next_parm(sctp_parm_hdr_t *, ssize_t *);
-extern void sctp_ootb_shutdown_ack(sctp_t *, mblk_t *, uint_t);
+extern void sctp_ootb_shutdown_ack(mblk_t *, uint_t, ip_recv_attr_t *,
+ ip_stack_t *);
extern size_t sctp_options_param(const sctp_t *, void *, int);
extern size_t sctp_options_param_len(const sctp_t *, int);
extern void sctp_output(sctp_t *, uint_t);
@@ -1132,10 +1015,10 @@ extern void sctp_output(sctp_t *, uint_t);
extern boolean_t sctp_param_register(IDP *, sctpparam_t *, int, sctp_stack_t *);
extern void sctp_partial_delivery_event(sctp_t *);
extern int sctp_process_cookie(sctp_t *, sctp_chunk_hdr_t *, mblk_t *,
- sctp_init_chunk_t **, sctp_hdr_t *, int *, in6_addr_t *);
+ sctp_init_chunk_t **, sctp_hdr_t *, int *, in6_addr_t *,
+ ip_recv_attr_t *);
extern void sctp_process_err(sctp_t *);
extern void sctp_process_heartbeat(sctp_t *, sctp_chunk_hdr_t *);
-extern void sctp_process_sendq(sctp_t *);
extern void sctp_process_timer(sctp_t *);
extern void sctp_redo_faddr_srcs(sctp_t *);
@@ -1149,13 +1032,17 @@ extern sctp_faddr_t *sctp_rotate_faddr(sctp_t *, sctp_faddr_t *);
extern boolean_t sctp_sack(sctp_t *, mblk_t *);
extern int sctp_secure_restart_check(mblk_t *, sctp_chunk_hdr_t *,
- uint32_t, int, sctp_stack_t *);
+ uint32_t, int, sctp_stack_t *, ip_recv_attr_t *);
extern void sctp_send_abort(sctp_t *, uint32_t, uint16_t, char *, size_t,
- mblk_t *, int, boolean_t);
+ mblk_t *, int, boolean_t, ip_recv_attr_t *);
+extern void sctp_ootb_send_abort(uint32_t, uint16_t, char *, size_t,
+ const mblk_t *, int, boolean_t, ip_recv_attr_t *,
+ ip_stack_t *);
extern void sctp_send_cookie_ack(sctp_t *);
-extern void sctp_send_cookie_echo(sctp_t *, sctp_chunk_hdr_t *, mblk_t *);
+extern void sctp_send_cookie_echo(sctp_t *, sctp_chunk_hdr_t *, mblk_t *,
+ ip_recv_attr_t *);
extern void sctp_send_initack(sctp_t *, sctp_hdr_t *, sctp_chunk_hdr_t *,
- mblk_t *);
+ mblk_t *, ip_recv_attr_t *);
extern void sctp_send_shutdown(sctp_t *, int);
extern void sctp_send_heartbeat(sctp_t *, sctp_faddr_t *);
extern void sctp_sendfail_event(sctp_t *, mblk_t *, int, boolean_t);
@@ -1170,7 +1057,7 @@ extern int sctp_shutdown_received(sctp_t *, sctp_chunk_hdr_t *, boolean_t,
boolean_t, sctp_faddr_t *);
extern void sctp_shutdown_complete(sctp_t *);
extern void sctp_set_if_mtu(sctp_t *);
-extern void sctp_set_iplen(sctp_t *, mblk_t *);
+extern void sctp_set_iplen(sctp_t *, mblk_t *, ip_xmit_attr_t *);
extern void sctp_set_ulp_prop(sctp_t *);
extern void sctp_ss_rexmit(sctp_t *);
extern size_t sctp_supaddr_param_len(sctp_t *);
@@ -1183,7 +1070,7 @@ extern void sctp_timer_free(mblk_t *);
extern void sctp_timer_stop(mblk_t *);
extern void sctp_unlink_faddr(sctp_t *, sctp_faddr_t *);
-extern void sctp_update_ire(sctp_t *sctp);
+extern void sctp_update_dce(sctp_t *sctp);
extern in_port_t sctp_update_next_port(in_port_t, zone_t *zone, sctp_stack_t *);
extern void sctp_update_rtt(sctp_t *, sctp_faddr_t *, clock_t);
extern void sctp_user_abort(sctp_t *, mblk_t *);
@@ -1209,17 +1096,6 @@ extern void (*cl_sctp_assoc_change)(sa_family_t, uchar_t *, size_t, uint_t,
extern void (*cl_sctp_check_addrs)(sa_family_t, in_port_t, uchar_t **,
size_t, uint_t *, boolean_t);
-/* Send a mp to IP. */
-#define IP_PUT(mp, conn, isv4) \
-{ \
- sctp_stack_t *sctps = conn->conn_netstack->netstack_sctp; \
- \
- if ((isv4)) \
- ip_output((conn), (mp), WR(sctps->sctps_g_q), IP_WPUT); \
- else \
- ip_output_v6((conn), (mp), WR(sctps->sctps_g_q), IP_WPUT);\
-}
-
#define RUN_SCTP(sctp) \
{ \
mutex_enter(&(sctp)->sctp_lock); \
diff --git a/usr/src/uts/common/inet/sctp/sctp_init.c b/usr/src/uts/common/inet/sctp/sctp_init.c
index 5547609c98..ff34147a65 100644
--- a/usr/src/uts/common/inet/sctp/sctp_init.c
+++ b/usr/src/uts/common/inet/sctp/sctp_init.c
@@ -20,12 +20,10 @@
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/types.h>
#include <sys/stream.h>
#include <sys/ddi.h>
@@ -45,32 +43,6 @@
#include "sctp_impl.h"
#include "sctp_addr.h"
-/*
- * This will compute the checksum over the SCTP packet, so this
- * function should only be called after the whole packet has been
- * built.
- *
- * rptr should point to the IP / SCTP composite header.
- * len should be the length of the entire packet, including the IP
- * header.
- */
-void
-sctp_add_hdr(sctp_t *sctp, uchar_t *rptr, size_t len)
-{
- ipha_t *iphdr;
- short iplen;
-
- ASSERT(len >= sctp->sctp_hdr_len);
-
- /* Copy the common header from the template */
- bcopy(sctp->sctp_iphc, rptr, sctp->sctp_hdr_len);
-
- /* Set the total length in the IP hdr */
- iplen = (short)len;
- iphdr = (ipha_t *)rptr;
- U16_TO_ABE16(iplen, &iphdr->ipha_length);
-}
-
/*ARGSUSED*/
size_t
sctp_supaddr_param_len(sctp_t *sctp)
@@ -83,17 +55,18 @@ sctp_supaddr_param(sctp_t *sctp, uchar_t *p)
{
sctp_parm_hdr_t *sph;
uint16_t *addrtype;
+ conn_t *connp = sctp->sctp_connp;
sph = (sctp_parm_hdr_t *)p;
sph->sph_type = htons(PARM_SUPP_ADDRS);
addrtype = (uint16_t *)(sph + 1);
- switch (sctp->sctp_ipversion) {
- case IPV4_VERSION:
+ switch (connp->conn_family) {
+ case AF_INET:
*addrtype++ = htons(PARM_ADDR4);
*addrtype = 0;
sph->sph_len = htons(sizeof (*sph) + sizeof (*addrtype));
break;
- case IPV6_VERSION:
+ case AF_INET6:
*addrtype++ = htons(PARM_ADDR6);
if (!sctp->sctp_connp->conn_ipv6_v6only) {
*addrtype = htons(PARM_ADDR4);
@@ -167,7 +140,7 @@ sctp_adaptation_code_param(sctp_t *sctp, uchar_t *p)
}
mblk_t *
-sctp_init_mp(sctp_t *sctp)
+sctp_init_mp(sctp_t *sctp, sctp_faddr_t *fp)
{
mblk_t *mp;
uchar_t *p;
@@ -176,12 +149,12 @@ sctp_init_mp(sctp_t *sctp)
sctp_chunk_hdr_t *chp;
uint16_t schlen;
int supp_af;
- sctp_stack_t *sctps = sctp->sctp_sctps;
+ sctp_stack_t *sctps = sctp->sctp_sctps;
+ conn_t *connp = sctp->sctp_connp;
- if (sctp->sctp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
supp_af = PARM_SUPP_V4;
} else {
- /* Assume here that a v6 endpoint supports v4 address. */
if (sctp->sctp_connp->conn_ipv6_v6only)
supp_af = PARM_SUPP_V6;
else
@@ -203,11 +176,17 @@ sctp_init_mp(sctp_t *sctp)
sctp->sctp_sctph->sh_verf = 0;
sctp->sctp_sctph6->sh_verf = 0;
- mp = sctp_make_mp(sctp, NULL, initlen);
+ mp = sctp_make_mp(sctp, fp, initlen);
if (mp == NULL) {
SCTP_KSTAT(sctps, sctp_send_init_failed);
return (NULL);
}
+ /* sctp_make_mp could have discovered we have no usable sources */
+ if (sctp->sctp_nsaddrs == 0) {
+ freemsg(mp);
+ SCTP_KSTAT(sctps, sctp_send_init_failed);
+ return (NULL);
+ }
/* Lay in a new INIT chunk, starting with the chunk header */
chp = (sctp_chunk_hdr_t *)mp->b_wptr;
@@ -242,7 +221,7 @@ sctp_init_mp(sctp_t *sctp)
BUMP_LOCAL(sctp->sctp_obchunks);
- sctp_set_iplen(sctp, mp);
+ sctp_set_iplen(sctp, mp, fp->ixa);
return (mp);
}
diff --git a/usr/src/uts/common/inet/sctp/sctp_input.c b/usr/src/uts/common/inet/sctp/sctp_input.c
index e18bfeacdd..e4a5ef5c5b 100644
--- a/usr/src/uts/common/inet/sctp/sctp_input.c
+++ b/usr/src/uts/common/inet/sctp/sctp_input.c
@@ -42,6 +42,7 @@
#include <inet/common.h>
#include <inet/ip.h>
+#include <inet/ip_if.h>
#include <inet/ip6.h>
#include <inet/mib2.h>
#include <inet/ipclassifier.h>
@@ -318,7 +319,7 @@ sctp_next_chunk(sctp_chunk_hdr_t *ch, ssize_t *remaining)
*/
static int
sctp_input_add_ancillary(sctp_t *sctp, mblk_t **mp, sctp_data_hdr_t *dcp,
- sctp_faddr_t *fp, ip6_pkt_t *ipp)
+ sctp_faddr_t *fp, ip_pkt_t *ipp, ip_recv_attr_t *ira)
{
struct T_unitdata_ind *tudi;
int optlen;
@@ -329,57 +330,61 @@ sctp_input_add_ancillary(sctp_t *sctp, mblk_t **mp, sctp_data_hdr_t *dcp,
struct sockaddr_in6 sin_buf[1];
struct sockaddr_in6 *sin6;
struct sockaddr_in *sin4;
- uint_t addflag = 0;
+ crb_t addflag; /* Which pieces to add */
+ conn_t *connp = sctp->sctp_connp;
sin4 = NULL;
sin6 = NULL;
optlen = hdrlen = 0;
+ addflag.crb_all = 0;
/* Figure out address size */
- if (sctp->sctp_ipversion == IPV4_VERSION) {
+ if (connp->conn_family == AF_INET) {
sin4 = (struct sockaddr_in *)sin_buf;
sin4->sin_family = AF_INET;
- sin4->sin_port = sctp->sctp_fport;
+ sin4->sin_port = connp->conn_fport;
IN6_V4MAPPED_TO_IPADDR(&fp->faddr, sin4->sin_addr.s_addr);
hdrlen = sizeof (*tudi) + sizeof (*sin4);
} else {
sin6 = sin_buf;
sin6->sin6_family = AF_INET6;
- sin6->sin6_port = sctp->sctp_fport;
+ sin6->sin6_port = connp->conn_fport;
sin6->sin6_addr = fp->faddr;
hdrlen = sizeof (*tudi) + sizeof (*sin6);
}
-
/* If app asked to receive send / recv info */
- if (sctp->sctp_recvsndrcvinfo) {
+ if (sctp->sctp_recvsndrcvinfo)
optlen += sizeof (*cmsg) + sizeof (struct sctp_sndrcvinfo);
- if (hdrlen == 0)
- hdrlen = sizeof (struct T_optdata_ind);
- }
- if (sctp->sctp_ipv6_recvancillary == 0)
+ if (connp->conn_recv_ancillary.crb_all == 0)
goto noancillary;
- if ((ipp->ipp_fields & IPPF_IFINDEX) &&
- ipp->ipp_ifindex != sctp->sctp_recvifindex &&
- (sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVPKTINFO)) {
+ if (connp->conn_recv_ancillary.crb_ip_recvpktinfo &&
+ ira->ira_ruifindex != sctp->sctp_recvifindex) {
optlen += sizeof (*cmsg) + sizeof (struct in6_pktinfo);
if (hdrlen == 0)
hdrlen = sizeof (struct T_unitdata_ind);
- addflag |= SCTP_IPV6_RECVPKTINFO;
+ addflag.crb_ip_recvpktinfo = 1;
}
/* If app asked for hoplimit and it has changed ... */
- if ((ipp->ipp_fields & IPPF_HOPLIMIT) &&
- ipp->ipp_hoplimit != sctp->sctp_recvhops &&
- (sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVHOPLIMIT)) {
+ if (connp->conn_recv_ancillary.crb_ipv6_recvhoplimit &&
+ ipp->ipp_hoplimit != sctp->sctp_recvhops) {
optlen += sizeof (*cmsg) + sizeof (uint_t);
if (hdrlen == 0)
hdrlen = sizeof (struct T_unitdata_ind);
- addflag |= SCTP_IPV6_RECVHOPLIMIT;
+ addflag.crb_ipv6_recvhoplimit = 1;
+ }
+ /* If app asked for tclass and it has changed ... */
+ if (connp->conn_recv_ancillary.crb_ipv6_recvtclass &&
+ ipp->ipp_tclass != sctp->sctp_recvtclass) {
+ optlen += sizeof (struct T_opthdr) + sizeof (uint_t);
+ if (hdrlen == 0)
+ hdrlen = sizeof (struct T_unitdata_ind);
+ addflag.crb_ipv6_recvtclass = 1;
}
/* If app asked for hopbyhop headers and it has changed ... */
- if ((sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVHOPOPTS) &&
+ if (connp->conn_recv_ancillary.crb_ipv6_recvhopopts &&
ip_cmpbuf(sctp->sctp_hopopts, sctp->sctp_hopoptslen,
(ipp->ipp_fields & IPPF_HOPOPTS),
ipp->ipp_hopopts, ipp->ipp_hopoptslen)) {
@@ -387,7 +392,7 @@ sctp_input_add_ancillary(sctp_t *sctp, mblk_t **mp, sctp_data_hdr_t *dcp,
sctp->sctp_v6label_len;
if (hdrlen == 0)
hdrlen = sizeof (struct T_unitdata_ind);
- addflag |= SCTP_IPV6_RECVHOPOPTS;
+ addflag.crb_ipv6_recvhopopts = 1;
if (!ip_allocbuf((void **)&sctp->sctp_hopopts,
&sctp->sctp_hopoptslen,
(ipp->ipp_fields & IPPF_HOPOPTS),
@@ -395,45 +400,44 @@ sctp_input_add_ancillary(sctp_t *sctp, mblk_t **mp, sctp_data_hdr_t *dcp,
return (-1);
}
/* If app asked for dst headers before routing headers ... */
- if ((sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVRTDSTOPTS) &&
- ip_cmpbuf(sctp->sctp_rtdstopts, sctp->sctp_rtdstoptslen,
- (ipp->ipp_fields & IPPF_RTDSTOPTS),
- ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen)) {
- optlen += sizeof (*cmsg) + ipp->ipp_rtdstoptslen;
+ if (connp->conn_recv_ancillary.crb_ipv6_recvrthdrdstopts &&
+ ip_cmpbuf(sctp->sctp_rthdrdstopts, sctp->sctp_rthdrdstoptslen,
+ (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
+ ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen)) {
+ optlen += sizeof (*cmsg) + ipp->ipp_rthdrdstoptslen;
if (hdrlen == 0)
hdrlen = sizeof (struct T_unitdata_ind);
- addflag |= SCTP_IPV6_RECVRTDSTOPTS;
- if (!ip_allocbuf((void **)&sctp->sctp_rtdstopts,
- &sctp->sctp_rtdstoptslen,
- (ipp->ipp_fields & IPPF_RTDSTOPTS),
- ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen))
+ addflag.crb_ipv6_recvrthdrdstopts = 1;
+ if (!ip_allocbuf((void **)&sctp->sctp_rthdrdstopts,
+ &sctp->sctp_rthdrdstoptslen,
+ (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
+ ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen))
return (-1);
}
/* If app asked for routing headers and it has changed ... */
- if (sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVRTHDR) {
- if (ip_cmpbuf(sctp->sctp_rthdr, sctp->sctp_rthdrlen,
+ if (connp->conn_recv_ancillary.crb_ipv6_recvrthdr &&
+ ip_cmpbuf(sctp->sctp_rthdr, sctp->sctp_rthdrlen,
+ (ipp->ipp_fields & IPPF_RTHDR),
+ ipp->ipp_rthdr, ipp->ipp_rthdrlen)) {
+ optlen += sizeof (*cmsg) + ipp->ipp_rthdrlen;
+ if (hdrlen == 0)
+ hdrlen = sizeof (struct T_unitdata_ind);
+ addflag.crb_ipv6_recvrthdr = 1;
+ if (!ip_allocbuf((void **)&sctp->sctp_rthdr,
+ &sctp->sctp_rthdrlen,
(ipp->ipp_fields & IPPF_RTHDR),
- ipp->ipp_rthdr, ipp->ipp_rthdrlen)) {
- optlen += sizeof (*cmsg) + ipp->ipp_rthdrlen;
- if (hdrlen == 0)
- hdrlen = sizeof (struct T_unitdata_ind);
- addflag |= SCTP_IPV6_RECVRTHDR;
- if (!ip_allocbuf((void **)&sctp->sctp_rthdr,
- &sctp->sctp_rthdrlen,
- (ipp->ipp_fields & IPPF_RTHDR),
- ipp->ipp_rthdr, ipp->ipp_rthdrlen))
- return (-1);
- }
+ ipp->ipp_rthdr, ipp->ipp_rthdrlen))
+ return (-1);
}
/* If app asked for dest headers and it has changed ... */
- if ((sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVDSTOPTS) &&
+ if (connp->conn_recv_ancillary.crb_ipv6_recvdstopts &&
ip_cmpbuf(sctp->sctp_dstopts, sctp->sctp_dstoptslen,
(ipp->ipp_fields & IPPF_DSTOPTS),
ipp->ipp_dstopts, ipp->ipp_dstoptslen)) {
optlen += sizeof (*cmsg) + ipp->ipp_dstoptslen;
if (hdrlen == 0)
hdrlen = sizeof (struct T_unitdata_ind);
- addflag |= SCTP_IPV6_RECVDSTOPTS;
+ addflag.crb_ipv6_recvdstopts = 1;
if (!ip_allocbuf((void **)&sctp->sctp_dstopts,
&sctp->sctp_dstoptslen,
(ipp->ipp_fields & IPPF_DSTOPTS),
@@ -499,9 +503,11 @@ noancillary:
* If app asked for pktinfo and the index has changed ...
* Note that the local address never changes for the connection.
*/
- if (addflag & SCTP_IPV6_RECVPKTINFO) {
+ if (addflag.crb_ip_recvpktinfo) {
struct in6_pktinfo *pkti;
+ uint_t ifindex;
+ ifindex = ira->ira_ruifindex;
cmsg = (struct cmsghdr *)optptr;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_PKTINFO;
@@ -509,19 +515,20 @@ noancillary:
optptr += sizeof (*cmsg);
pkti = (struct in6_pktinfo *)optptr;
- if (sctp->sctp_ipversion == IPV6_VERSION)
+ if (connp->conn_family == AF_INET6)
pkti->ipi6_addr = sctp->sctp_ip6h->ip6_src;
else
IN6_IPADDR_TO_V4MAPPED(sctp->sctp_ipha->ipha_src,
&pkti->ipi6_addr);
- pkti->ipi6_ifindex = ipp->ipp_ifindex;
+
+ pkti->ipi6_ifindex = ifindex;
optptr += sizeof (*pkti);
ASSERT(OK_32PTR(optptr));
/* Save as "last" value */
- sctp->sctp_recvifindex = ipp->ipp_ifindex;
+ sctp->sctp_recvifindex = ifindex;
}
/* If app asked for hoplimit and it has changed ... */
- if (addflag & SCTP_IPV6_RECVHOPLIMIT) {
+ if (addflag.crb_ipv6_recvhoplimit) {
cmsg = (struct cmsghdr *)optptr;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_HOPLIMIT;
@@ -534,7 +541,21 @@ noancillary:
/* Save as "last" value */
sctp->sctp_recvhops = ipp->ipp_hoplimit;
}
- if (addflag & SCTP_IPV6_RECVHOPOPTS) {
+ /* If app asked for tclass and it has changed ... */
+ if (addflag.crb_ipv6_recvtclass) {
+ cmsg = (struct cmsghdr *)optptr;
+ cmsg->cmsg_level = IPPROTO_IPV6;
+ cmsg->cmsg_type = IPV6_TCLASS;
+ cmsg->cmsg_len = sizeof (*cmsg) + sizeof (uint_t);
+ optptr += sizeof (*cmsg);
+
+ *(uint_t *)optptr = ipp->ipp_tclass;
+ optptr += sizeof (uint_t);
+ ASSERT(OK_32PTR(optptr));
+ /* Save as "last" value */
+ sctp->sctp_recvtclass = ipp->ipp_tclass;
+ }
+ if (addflag.crb_ipv6_recvhopopts) {
cmsg = (struct cmsghdr *)optptr;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_HOPOPTS;
@@ -550,23 +571,23 @@ noancillary:
(ipp->ipp_fields & IPPF_HOPOPTS),
ipp->ipp_hopopts, ipp->ipp_hopoptslen);
}
- if (addflag & SCTP_IPV6_RECVRTDSTOPTS) {
+ if (addflag.crb_ipv6_recvrthdrdstopts) {
cmsg = (struct cmsghdr *)optptr;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_RTHDRDSTOPTS;
- cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_rtdstoptslen;
+ cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_rthdrdstoptslen;
optptr += sizeof (*cmsg);
- bcopy(ipp->ipp_rtdstopts, optptr, ipp->ipp_rtdstoptslen);
- optptr += ipp->ipp_rtdstoptslen;
+ bcopy(ipp->ipp_rthdrdstopts, optptr, ipp->ipp_rthdrdstoptslen);
+ optptr += ipp->ipp_rthdrdstoptslen;
ASSERT(OK_32PTR(optptr));
/* Save as last value */
- ip_savebuf((void **)&sctp->sctp_rtdstopts,
- &sctp->sctp_rtdstoptslen,
- (ipp->ipp_fields & IPPF_RTDSTOPTS),
- ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen);
+ ip_savebuf((void **)&sctp->sctp_rthdrdstopts,
+ &sctp->sctp_rthdrdstoptslen,
+ (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
+ ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen);
}
- if (addflag & SCTP_IPV6_RECVRTHDR) {
+ if (addflag.crb_ipv6_recvrthdr) {
cmsg = (struct cmsghdr *)optptr;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_RTHDR;
@@ -582,7 +603,7 @@ noancillary:
(ipp->ipp_fields & IPPF_RTHDR),
ipp->ipp_rthdr, ipp->ipp_rthdrlen);
}
- if (addflag & SCTP_IPV6_RECVDSTOPTS) {
+ if (addflag.crb_ipv6_recvdstopts) {
cmsg = (struct cmsghdr *)optptr;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_DSTOPTS;
@@ -778,7 +799,6 @@ static mblk_t *
sctp_try_partial_delivery(sctp_t *sctp, mblk_t *hmp, sctp_reass_t *srp,
sctp_data_hdr_t **dc)
{
- mblk_t *first_mp;
mblk_t *mp;
mblk_t *dmp;
mblk_t *qmp;
@@ -791,8 +811,7 @@ sctp_try_partial_delivery(sctp_t *sctp, mblk_t *hmp, sctp_reass_t *srp,
dprint(4, ("trypartial: got=%d, needed=%d\n",
(int)(srp->got), (int)(srp->needed)));
- first_mp = hmp->b_cont;
- mp = first_mp;
+ mp = hmp->b_cont;
qdc = (sctp_data_hdr_t *)mp->b_rptr;
ASSERT(SCTP_DATA_GET_BBIT(qdc) && srp->hasBchunk);
@@ -1175,7 +1194,7 @@ sctp_add_dup(uint32_t tsn, mblk_t **dups)
static void
sctp_data_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *mp, mblk_t **dups,
- sctp_faddr_t *fp, ip6_pkt_t *ipp)
+ sctp_faddr_t *fp, ip_pkt_t *ipp, ip_recv_attr_t *ira)
{
sctp_data_hdr_t *dc;
mblk_t *dmp, *pmp;
@@ -1419,7 +1438,8 @@ sctp_data_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *mp, mblk_t **dups,
if (can_deliver) {
dmp->b_rptr = (uchar_t *)(dc + 1);
- if (sctp_input_add_ancillary(sctp, &dmp, dc, fp, ipp) == 0) {
+ if (sctp_input_add_ancillary(sctp, &dmp, dc, fp,
+ ipp, ira) == 0) {
dprint(1, ("sctp_data_chunk: delivering %lu bytes\n",
msgdsize(dmp)));
sctp->sctp_rwnd -= dlen;
@@ -1507,7 +1527,7 @@ sctp_data_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *mp, mblk_t **dups,
if (can_deliver) {
dmp->b_rptr = (uchar_t *)(dc + 1);
if (sctp_input_add_ancillary(sctp, &dmp, dc, fp,
- ipp) == 0) {
+ ipp, ira) == 0) {
dprint(1, ("sctp_data_chunk: delivering %lu "
"bytes\n", msgdsize(dmp)));
sctp->sctp_rwnd -= dlen;
@@ -1646,6 +1666,8 @@ sctp_make_sack(sctp_t *sctp, sctp_faddr_t *sendto, mblk_t *dups)
uint32_t dups_len;
sctp_faddr_t *fp;
+ ASSERT(sendto != NULL);
+
if (sctp->sctp_force_sack) {
sctp->sctp_force_sack = 0;
goto checks_done;
@@ -1696,8 +1718,9 @@ checks_done:
return (NULL);
}
smp->b_cont = sctp->sctp_err_chunks;
- sctp_set_iplen(sctp, smp);
- sctp_add_sendq(sctp, smp);
+ sctp_set_iplen(sctp, smp, fp->ixa);
+ (void) conn_ip_output(smp, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
sctp->sctp_err_chunks = NULL;
sctp->sctp_err_len = 0;
}
@@ -1749,8 +1772,6 @@ sctp_sack(sctp_t *sctp, mblk_t *dups)
freeb(dups);
return (B_FALSE);
}
- sctp_set_iplen(sctp, smp);
-
dprint(2, ("sctp_sack: sending to %p %x:%x:%x:%x\n",
(void *)sctp->sctp_lastdata,
SCTP_PRINTADDR(sctp->sctp_lastdata->faddr)));
@@ -1758,7 +1779,10 @@ sctp_sack(sctp_t *sctp, mblk_t *dups)
sctp->sctp_active = lbolt64;
BUMP_MIB(&sctps->sctps_mib, sctpOutAck);
- sctp_add_sendq(sctp, smp);
+
+ sctp_set_iplen(sctp, smp, sctp->sctp_lastdata->ixa);
+ (void) conn_ip_output(smp, sctp->sctp_lastdata->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
return (B_TRUE);
}
@@ -1813,8 +1837,9 @@ sctp_check_abandoned_msg(sctp_t *sctp, mblk_t *meta)
return (ENOMEM);
}
SCTP_MSG_SET_ABANDONED(meta);
- sctp_set_iplen(sctp, head);
- sctp_add_sendq(sctp, head);
+ sctp_set_iplen(sctp, head, fp->ixa);
+ (void) conn_ip_output(head, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
if (!fp->timer_running)
SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
mp1 = mp1->b_next;
@@ -2080,13 +2105,13 @@ sctp_ftsn_check_frag(sctp_t *sctp, uint16_t ssn, sctp_instr_t *sip)
* messages, if any, from the instream queue (that were waiting for this
* sid-ssn message to show up). Once we are done try to update the SACK
* info. We could get a duplicate Forward TSN, in which case just send
- * a SACK. If any of the sid values in the the Forward TSN is invalid,
+ * a SACK. If any of the sid values in the Forward TSN is invalid,
* send back an "Invalid Stream Identifier" error and continue processing
* the rest.
*/
static void
sctp_process_forward_tsn(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp,
- ip6_pkt_t *ipp)
+ ip_pkt_t *ipp, ip_recv_attr_t *ira)
{
uint32_t *ftsn = (uint32_t *)(ch + 1);
ftsn_entry_t *ftsn_entry;
@@ -2171,7 +2196,7 @@ sctp_process_forward_tsn(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp,
dmp->b_next = NULL;
ASSERT(dmp->b_prev == NULL);
if (sctp_input_add_ancillary(sctp,
- &dmp, dc, fp, ipp) == 0) {
+ &dmp, dc, fp, ipp, ira) == 0) {
sctp->sctp_rxqueued -= dlen;
sctp->sctp_rwnd -= dlen;
/*
@@ -2280,8 +2305,9 @@ sctp_check_abandoned_data(sctp_t *sctp, sctp_faddr_t *fp)
SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
return;
}
- sctp_set_iplen(sctp, nmp);
- sctp_add_sendq(sctp, nmp);
+ sctp_set_iplen(sctp, nmp, fp->ixa);
+ (void) conn_ip_output(nmp, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
if (!fp->timer_running)
SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
}
@@ -2604,8 +2630,9 @@ sctp_got_sack(sctp_t *sctp, sctp_chunk_hdr_t *sch)
sctp->sctp_zero_win_probe = B_FALSE;
sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
- sctp_set_iplen(sctp, pkt);
- sctp_add_sendq(sctp, pkt);
+ sctp_set_iplen(sctp, pkt, fp->ixa);
+ (void) conn_ip_output(pkt, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
}
} else {
if (sctp->sctp_zero_win_probe) {
@@ -3160,97 +3187,15 @@ sctp_check_input(sctp_t *sctp, sctp_chunk_hdr_t *ch, ssize_t len, int first)
return (1);
}
-/* ARGSUSED */
-static sctp_hdr_t *
-find_sctp_hdrs(mblk_t *mp, in6_addr_t *src, in6_addr_t *dst,
- uint_t *ifindex, uint_t *ip_hdr_len, ip6_pkt_t *ipp, ip_pktinfo_t *pinfo)
-{
- uchar_t *rptr;
- ipha_t *ip4h;
- ip6_t *ip6h;
- mblk_t *mp1;
-
- rptr = mp->b_rptr;
- if (IPH_HDR_VERSION(rptr) == IPV4_VERSION) {
- *ip_hdr_len = IPH_HDR_LENGTH(rptr);
- ip4h = (ipha_t *)rptr;
- IN6_IPADDR_TO_V4MAPPED(ip4h->ipha_src, src);
- IN6_IPADDR_TO_V4MAPPED(ip4h->ipha_dst, dst);
-
- ipp->ipp_fields |= IPPF_HOPLIMIT;
- ipp->ipp_hoplimit = ((ipha_t *)rptr)->ipha_ttl;
- if (pinfo != NULL && (pinfo->ip_pkt_flags & IPF_RECVIF)) {
- ipp->ipp_fields |= IPPF_IFINDEX;
- ipp->ipp_ifindex = pinfo->ip_pkt_ifindex;
- }
- } else {
- ASSERT(IPH_HDR_VERSION(rptr) == IPV6_VERSION);
- ip6h = (ip6_t *)rptr;
- ipp->ipp_fields = IPPF_HOPLIMIT;
- ipp->ipp_hoplimit = ip6h->ip6_hops;
-
- if (ip6h->ip6_nxt != IPPROTO_SCTP) {
- /* Look for ifindex information */
- if (ip6h->ip6_nxt == IPPROTO_RAW) {
- ip6i_t *ip6i = (ip6i_t *)ip6h;
-
- if (ip6i->ip6i_flags & IP6I_IFINDEX) {
- ASSERT(ip6i->ip6i_ifindex != 0);
- ipp->ipp_fields |= IPPF_IFINDEX;
- ipp->ipp_ifindex = ip6i->ip6i_ifindex;
- }
- rptr = (uchar_t *)&ip6i[1];
- mp->b_rptr = rptr;
- if (rptr == mp->b_wptr) {
- mp1 = mp->b_cont;
- freeb(mp);
- mp = mp1;
- rptr = mp->b_rptr;
- }
- ASSERT(mp->b_wptr - rptr >=
- IPV6_HDR_LEN + sizeof (sctp_hdr_t));
- ip6h = (ip6_t *)rptr;
- }
- /*
- * Find any potentially interesting extension headers
- * as well as the length of the IPv6 + extension
- * headers.
- */
- *ip_hdr_len = ip_find_hdr_v6(mp, ip6h, ipp, NULL);
- } else {
- *ip_hdr_len = IPV6_HDR_LEN;
- }
- *src = ip6h->ip6_src;
- *dst = ip6h->ip6_dst;
- }
- ASSERT((uintptr_t)(mp->b_wptr - rptr) <= (uintptr_t)INT_MAX);
- return ((sctp_hdr_t *)&rptr[*ip_hdr_len]);
-#undef IPVER
-}
-
static mblk_t *
-sctp_check_in_policy(mblk_t *mp, mblk_t *ipsec_mp)
+sctp_check_in_policy(mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst)
{
- ipsec_in_t *ii;
- boolean_t check = B_TRUE;
boolean_t policy_present;
ipha_t *ipha;
ip6_t *ip6h;
- netstack_t *ns;
- ipsec_stack_t *ipss;
-
- ii = (ipsec_in_t *)ipsec_mp->b_rptr;
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
- ns = ii->ipsec_in_ns;
- ipss = ns->netstack_ipsec;
-
- if (ii->ipsec_in_dont_check) {
- check = B_FALSE;
- if (!ii->ipsec_in_secure) {
- freeb(ipsec_mp);
- ipsec_mp = NULL;
- }
- }
+ netstack_t *ns = ipst->ips_netstack;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+
if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
policy_present = ipss->ipsec_inbound_v4_policy_present;
ipha = (ipha_t *)mp->b_rptr;
@@ -3261,109 +3206,88 @@ sctp_check_in_policy(mblk_t *mp, mblk_t *ipsec_mp)
ip6h = (ip6_t *)mp->b_rptr;
}
- if (check && policy_present) {
+ if (policy_present) {
/*
* The conn_t parameter is NULL because we already know
* nobody's home.
*/
- ipsec_mp = ipsec_check_global_policy(ipsec_mp, (conn_t *)NULL,
- ipha, ip6h, B_TRUE, ns);
- if (ipsec_mp == NULL)
+ mp = ipsec_check_global_policy(mp, (conn_t *)NULL,
+ ipha, ip6h, ira, ns);
+ if (mp == NULL)
return (NULL);
}
- if (ipsec_mp != NULL)
- freeb(ipsec_mp);
return (mp);
}
/* Handle out-of-the-blue packets */
void
-sctp_ootb_input(mblk_t *mp, ill_t *recv_ill, zoneid_t zoneid,
- boolean_t mctl_present)
+sctp_ootb_input(mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst)
{
sctp_t *sctp;
sctp_chunk_hdr_t *ch;
sctp_hdr_t *sctph;
in6_addr_t src, dst;
- uint_t ip_hdr_len;
- uint_t ifindex;
- ip6_pkt_t ipp;
+ uint_t ip_hdr_len = ira->ira_ip_hdr_length;
ssize_t mlen;
- ip_pktinfo_t *pinfo = NULL;
- mblk_t *first_mp;
sctp_stack_t *sctps;
- ip_stack_t *ipst;
+ boolean_t secure;
+ zoneid_t zoneid = ira->ira_zoneid;
+ uchar_t *rptr;
+
+ ASSERT(ira->ira_ill == NULL);
+
+ secure = ira->ira_flags & IRAF_IPSEC_SECURE;
- ASSERT(recv_ill != NULL);
- ipst = recv_ill->ill_ipst;
sctps = ipst->ips_netstack->netstack_sctp;
BUMP_MIB(&sctps->sctps_mib, sctpOutOfBlue);
BUMP_MIB(&sctps->sctps_mib, sctpInSCTPPkts);
- if (sctps->sctps_gsctp == NULL) {
- /*
- * For non-zero stackids the default queue isn't created
- * until the first open, thus there can be a need to send
- * an error before then. But we can't do that, hence we just
- * drop the packet. Later during boot, when the default queue
- * has been setup, a retransmitted packet from the peer
- * will result in a error.
- */
- ASSERT(sctps->sctps_netstack->netstack_stackid !=
- GLOBAL_NETSTACKID);
- freemsg(mp);
- return;
- }
-
- first_mp = mp;
- if (mctl_present)
- mp = mp->b_cont;
-
- /* Initiate IPPf processing, if needed. */
- if (IPP_ENABLED(IPP_LOCAL_IN, ipst)) {
- ip_process(IPP_LOCAL_IN, &mp,
- recv_ill->ill_phyint->phyint_ifindex);
- if (mp == NULL) {
- if (mctl_present)
- freeb(first_mp);
- return;
- }
- }
-
if (mp->b_cont != NULL) {
/*
* All subsequent code is vastly simplified if it can
* assume a single contiguous chunk of data.
*/
if (pullupmsg(mp, -1) == 0) {
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, NULL);
+ freemsg(mp);
return;
}
}
- /*
- * We don't really need to call this function... Need to
- * optimize later.
- */
- sctph = find_sctp_hdrs(mp, &src, &dst, &ifindex, &ip_hdr_len,
- &ipp, pinfo);
+ rptr = mp->b_rptr;
+ sctph = ((sctp_hdr_t *)&rptr[ip_hdr_len]);
+ if (ira->ira_flags & IRAF_IS_IPV4) {
+ ipha_t *ipha;
+
+ ipha = (ipha_t *)rptr;
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &src);
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &dst);
+ } else {
+ ip6_t *ip6h;
+
+ ip6h = (ip6_t *)rptr;
+ src = ip6h->ip6_src;
+ dst = ip6h->ip6_dst;
+ }
+
mlen = mp->b_wptr - (uchar_t *)(sctph + 1);
if ((ch = sctp_first_chunk((uchar_t *)(sctph + 1), mlen)) == NULL) {
dprint(3, ("sctp_ootb_input: invalid packet\n"));
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, NULL);
+ freemsg(mp);
return;
}
switch (ch->sch_id) {
case CHUNK_INIT:
/* no listener; send abort */
- if (mctl_present && sctp_check_in_policy(mp, first_mp) == NULL)
+ if (secure && sctp_check_in_policy(mp, ira, ipst) == NULL)
return;
- sctp_send_abort(sctps->sctps_gsctp, sctp_init2vtag(ch), 0,
- NULL, 0, mp, 0, B_TRUE);
+ sctp_ootb_send_abort(sctp_init2vtag(ch), 0,
+ NULL, 0, mp, 0, B_TRUE, ira, ipst);
break;
case CHUNK_INIT_ACK:
/* check for changed src addr */
@@ -3372,11 +3296,7 @@ sctp_ootb_input(mblk_t *mp, ill_t *recv_ill, zoneid_t zoneid,
/* success; proceed to normal path */
mutex_enter(&sctp->sctp_lock);
if (sctp->sctp_running) {
- if (!sctp_add_recvq(sctp, mp, B_FALSE)) {
- BUMP_MIB(recv_ill->ill_ip_mib,
- ipIfStatsInDiscards);
- freemsg(mp);
- }
+ sctp_add_recvq(sctp, mp, B_FALSE, ira);
mutex_exit(&sctp->sctp_lock);
} else {
/*
@@ -3387,152 +3307,101 @@ sctp_ootb_input(mblk_t *mp, ill_t *recv_ill, zoneid_t zoneid,
*/
sctp->sctp_running = B_TRUE;
mutex_exit(&sctp->sctp_lock);
- sctp_input_data(sctp, mp, NULL);
+ sctp_input_data(sctp, mp, ira);
WAKE_SCTP(sctp);
- sctp_process_sendq(sctp);
}
SCTP_REFRELE(sctp);
return;
}
- if (mctl_present)
- freeb(first_mp);
/* else bogus init ack; drop it */
break;
case CHUNK_SHUTDOWN_ACK:
- if (mctl_present && sctp_check_in_policy(mp, first_mp) == NULL)
+ if (secure && sctp_check_in_policy(mp, ira, ipst) == NULL)
return;
- sctp_ootb_shutdown_ack(sctps->sctps_gsctp, mp, ip_hdr_len);
- sctp_process_sendq(sctps->sctps_gsctp);
+ sctp_ootb_shutdown_ack(mp, ip_hdr_len, ira, ipst);
return;
case CHUNK_ERROR:
case CHUNK_ABORT:
case CHUNK_COOKIE_ACK:
case CHUNK_SHUTDOWN_COMPLETE:
- if (mctl_present)
- freeb(first_mp);
break;
default:
- if (mctl_present && sctp_check_in_policy(mp, first_mp) == NULL)
+ if (secure && sctp_check_in_policy(mp, ira, ipst) == NULL)
return;
- sctp_send_abort(sctps->sctps_gsctp, sctph->sh_verf, 0,
- NULL, 0, mp, 0, B_TRUE);
+ sctp_ootb_send_abort(sctph->sh_verf, 0,
+ NULL, 0, mp, 0, B_TRUE, ira, ipst);
break;
}
- sctp_process_sendq(sctps->sctps_gsctp);
freemsg(mp);
}
+/*
+ * Handle sctp packets.
+ * Note that we rele the sctp_t (the caller got a reference on it).
+ */
void
-sctp_input(conn_t *connp, ipha_t *ipha, mblk_t *mp, mblk_t *first_mp,
- ill_t *recv_ill, boolean_t isv4, boolean_t mctl_present)
+sctp_input(conn_t *connp, ipha_t *ipha, ip6_t *ip6h, mblk_t *mp,
+ ip_recv_attr_t *ira)
{
- sctp_t *sctp = CONN2SCTP(connp);
- ip_stack_t *ipst = recv_ill->ill_ipst;
+ sctp_t *sctp = CONN2SCTP(connp);
+ boolean_t secure;
+ ill_t *ill = ira->ira_ill;
+ ip_stack_t *ipst = ill->ill_ipst;
ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
+ iaflags_t iraflags = ira->ira_flags;
+ ill_t *rill = ira->ira_rill;
+
+ secure = iraflags & IRAF_IPSEC_SECURE;
/*
* We check some fields in conn_t without holding a lock.
* This should be fine.
*/
- if (CONN_INBOUND_POLICY_PRESENT(connp, ipss) || mctl_present) {
- first_mp = ipsec_check_inbound_policy(first_mp, connp,
- ipha, NULL, mctl_present);
- if (first_mp == NULL) {
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
- SCTP_REFRELE(sctp);
- return;
- }
- }
-
- /* Initiate IPPF processing for fastpath */
- if (IPP_ENABLED(IPP_LOCAL_IN, ipst)) {
- ip_process(IPP_LOCAL_IN, &mp,
- recv_ill->ill_phyint->phyint_ifindex);
+ if (((iraflags & IRAF_IS_IPV4) ?
+ CONN_INBOUND_POLICY_PRESENT(connp, ipss) :
+ CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss)) ||
+ secure) {
+ mp = ipsec_check_inbound_policy(mp, connp, ipha,
+ ip6h, ira);
if (mp == NULL) {
+ BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
+ /* Note that mp is NULL */
+ ip_drop_input("ipIfStatsInDiscards", mp, ill);
SCTP_REFRELE(sctp);
- if (mctl_present)
- freeb(first_mp);
return;
- } else if (mctl_present) {
- /*
- * ip_process might return a new mp.
- */
- ASSERT(first_mp != mp);
- first_mp->b_cont = mp;
- } else {
- first_mp = mp;
}
}
- if (connp->conn_recvif || connp->conn_recvslla ||
- connp->conn_ip_recvpktinfo) {
- int in_flags = 0;
-
- if (connp->conn_recvif || connp->conn_ip_recvpktinfo) {
- in_flags = IPF_RECVIF;
- }
- if (connp->conn_recvslla) {
- in_flags |= IPF_RECVSLLA;
- }
- if (isv4) {
- mp = ip_add_info(mp, recv_ill, in_flags,
- IPCL_ZONEID(connp), ipst);
- } else {
- mp = ip_add_info_v6(mp, recv_ill,
- &(((ip6_t *)ipha)->ip6_dst));
- }
- if (mp == NULL) {
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
- SCTP_REFRELE(sctp);
- if (mctl_present)
- freeb(first_mp);
- return;
- } else if (mctl_present) {
- /*
- * ip_add_info might return a new mp.
- */
- ASSERT(first_mp != mp);
- first_mp->b_cont = mp;
- } else {
- first_mp = mp;
- }
- }
+ ira->ira_ill = ira->ira_rill = NULL;
mutex_enter(&sctp->sctp_lock);
if (sctp->sctp_running) {
- if (mctl_present)
- mp->b_prev = first_mp;
- if (!sctp_add_recvq(sctp, mp, B_FALSE)) {
- BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
- freemsg(first_mp);
- }
+ sctp_add_recvq(sctp, mp, B_FALSE, ira);
mutex_exit(&sctp->sctp_lock);
- SCTP_REFRELE(sctp);
- return;
+ goto done;
} else {
sctp->sctp_running = B_TRUE;
mutex_exit(&sctp->sctp_lock);
mutex_enter(&sctp->sctp_recvq_lock);
if (sctp->sctp_recvq != NULL) {
- if (mctl_present)
- mp->b_prev = first_mp;
- if (!sctp_add_recvq(sctp, mp, B_TRUE)) {
- BUMP_MIB(recv_ill->ill_ip_mib,
- ipIfStatsInDiscards);
- freemsg(first_mp);
- }
+ sctp_add_recvq(sctp, mp, B_TRUE, ira);
mutex_exit(&sctp->sctp_recvq_lock);
WAKE_SCTP(sctp);
- SCTP_REFRELE(sctp);
- return;
+ goto done;
}
}
mutex_exit(&sctp->sctp_recvq_lock);
- sctp_input_data(sctp, mp, (mctl_present ? first_mp : NULL));
+ if (ira->ira_flags & IRAF_ICMP_ERROR)
+ sctp_icmp_error(sctp, mp);
+ else
+ sctp_input_data(sctp, mp, ira);
WAKE_SCTP(sctp);
- sctp_process_sendq(sctp);
+
+done:
SCTP_REFRELE(sctp);
+ ira->ira_ill = ill;
+ ira->ira_rill = rill;
}
static void
@@ -3549,7 +3418,7 @@ sctp_process_abort(sctp_t *sctp, sctp_chunk_hdr_t *ch, int err)
}
void
-sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
+sctp_input_data(sctp_t *sctp, mblk_t *mp, ip_recv_attr_t *ira)
{
sctp_chunk_hdr_t *ch;
ssize_t mlen;
@@ -3559,17 +3428,15 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
sctp_init_chunk_t *iack;
uint32_t tsn;
sctp_data_hdr_t *sdc;
- ip6_pkt_t ipp;
+ ip_pkt_t ipp;
in6_addr_t src;
in6_addr_t dst;
uint_t ifindex;
sctp_hdr_t *sctph;
- uint_t ip_hdr_len;
+ uint_t ip_hdr_len = ira->ira_ip_hdr_length;
mblk_t *dups = NULL;
int recv_adaptation;
boolean_t wake_eager = B_FALSE;
- mblk_t *pinfo_mp;
- ip_pktinfo_t *pinfo = NULL;
in6_addr_t peer_src;
int64_t now;
sctp_stack_t *sctps = sctp->sctp_sctps;
@@ -3577,23 +3444,11 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
boolean_t hb_already = B_FALSE;
cred_t *cr;
pid_t cpid;
+ uchar_t *rptr;
+ conn_t *connp = sctp->sctp_connp;
- if (DB_TYPE(mp) != M_DATA) {
- ASSERT(DB_TYPE(mp) == M_CTL);
- if (MBLKL(mp) == sizeof (ip_pktinfo_t) &&
- ((ip_pktinfo_t *)mp->b_rptr)->ip_pkt_ulp_type ==
- IN_PKTINFO) {
- pinfo = (ip_pktinfo_t *)mp->b_rptr;
- pinfo_mp = mp;
- mp = mp->b_cont;
- } else {
- if (ipsec_mp != NULL)
- freeb(ipsec_mp);
- sctp_icmp_error(sctp, mp);
- return;
- }
- }
ASSERT(DB_TYPE(mp) == M_DATA);
+ ASSERT(ira->ira_ill == NULL);
if (mp->b_cont != NULL) {
/*
@@ -3602,32 +3457,72 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
*/
if (pullupmsg(mp, -1) == 0) {
BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
- if (ipsec_mp != NULL)
- freeb(ipsec_mp);
- if (pinfo != NULL)
- freeb(pinfo_mp);
+ ip_drop_input("ipIfStatsInDiscards", mp, NULL);
freemsg(mp);
return;
}
}
BUMP_LOCAL(sctp->sctp_ipkts);
- sctph = find_sctp_hdrs(mp, &src, &dst, &ifindex, &ip_hdr_len,
- &ipp, pinfo);
- if (pinfo != NULL)
- freeb(pinfo_mp);
+ ifindex = ira->ira_ruifindex;
+
+ rptr = mp->b_rptr;
+
+ ipp.ipp_fields = 0;
+ if (connp->conn_recv_ancillary.crb_all != 0) {
+ /*
+ * Record packet information in the ip_pkt_t
+ */
+ if (ira->ira_flags & IRAF_IS_IPV4) {
+ (void) ip_find_hdr_v4((ipha_t *)rptr, &ipp,
+ B_FALSE);
+ } else {
+ uint8_t nexthdrp;
+
+ /*
+ * IPv6 packets can only be received by applications
+ * that are prepared to receive IPv6 addresses.
+ * The IP fanout must ensure this.
+ */
+ ASSERT(connp->conn_family == AF_INET6);
+
+ (void) ip_find_hdr_v6(mp, (ip6_t *)rptr, B_TRUE, &ipp,
+ &nexthdrp);
+ ASSERT(nexthdrp == IPPROTO_SCTP);
+
+ /* Could have caused a pullup? */
+ rptr = mp->b_rptr;
+ }
+ }
+
+ sctph = ((sctp_hdr_t *)&rptr[ip_hdr_len]);
+
+ if (ira->ira_flags & IRAF_IS_IPV4) {
+ ipha_t *ipha;
+
+ ipha = (ipha_t *)rptr;
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &src);
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &dst);
+ } else {
+ ip6_t *ip6h;
+
+ ip6h = (ip6_t *)rptr;
+ src = ip6h->ip6_src;
+ dst = ip6h->ip6_dst;
+ }
+
mlen = mp->b_wptr - (uchar_t *)(sctph + 1);
ch = sctp_first_chunk((uchar_t *)(sctph + 1), mlen);
if (ch == NULL) {
BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
- if (ipsec_mp != NULL)
- freeb(ipsec_mp);
+ ip_drop_input("ipIfStatsInDiscards", mp, NULL);
freemsg(mp);
return;
}
if (!sctp_check_input(sctp, ch, mlen, 1)) {
BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
+ ip_drop_input("ipIfStatsInDiscards", mp, NULL);
goto done;
}
/*
@@ -3661,9 +3556,7 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
if (sctp->sctp_state > SCTPS_BOUND &&
sctp->sctp_state < SCTPS_ESTABLISHED) {
/* treat as OOTB */
- sctp_ootb_shutdown_ack(sctp, mp, ip_hdr_len);
- if (ipsec_mp != NULL)
- freeb(ipsec_mp);
+ sctp_ootb_shutdown_ack(mp, ip_hdr_len, ira, ipst);
return;
}
/* else fallthru */
@@ -3717,7 +3610,7 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
tsn = sdc->sdh_tsn;
sctp_send_abort(sctp, sctp->sctp_fvtag,
SCTP_ERR_NO_USR_DATA, (char *)&tsn,
- sizeof (tsn), mp, 0, B_FALSE);
+ sizeof (tsn), mp, 0, B_FALSE, ira);
sctp_assoc_event(sctp, SCTP_COMM_LOST,
0, NULL);
sctp_clean_death(sctp, ECONNABORTED);
@@ -3726,7 +3619,8 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
ASSERT(fp != NULL);
sctp->sctp_lastdata = fp;
- sctp_data_chunk(sctp, ch, mp, &dups, fp, &ipp);
+ sctp_data_chunk(sctp, ch, mp, &dups, fp,
+ &ipp, ira);
gotdata = 1;
/* Restart shutdown timer if shutting down */
if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
@@ -3743,7 +3637,7 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
sctps->sctps_shutack_wait_bound) {
sctp_send_abort(sctp,
sctp->sctp_fvtag, 0, NULL,
- 0, mp, 0, B_FALSE);
+ 0, mp, 0, B_FALSE, ira);
sctp_assoc_event(sctp,
SCTP_COMM_LOST, 0, NULL);
sctp_clean_death(sctp,
@@ -3764,7 +3658,7 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
trysend = sctp_got_sack(sctp, ch);
if (trysend < 0) {
sctp_send_abort(sctp, sctph->sh_verf,
- 0, NULL, 0, mp, 0, B_FALSE);
+ 0, NULL, 0, mp, 0, B_FALSE, ira);
sctp_assoc_event(sctp,
SCTP_COMM_LOST, 0, NULL);
sctp_clean_death(sctp,
@@ -3820,11 +3714,11 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
goto done;
}
case CHUNK_INIT:
- sctp_send_initack(sctp, sctph, ch, mp);
+ sctp_send_initack(sctp, sctph, ch, mp, ira);
break;
case CHUNK_COOKIE:
if (sctp_process_cookie(sctp, ch, mp, &iack,
- sctph, &recv_adaptation, NULL) != -1) {
+ sctph, &recv_adaptation, NULL, ira) != -1) {
sctp_send_cookie_ack(sctp);
sctp_assoc_event(sctp, SCTP_RESTART,
0, NULL);
@@ -3841,7 +3735,8 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
int error;
BUMP_LOCAL(sctp->sctp_ibchunks);
- error = sctp_handle_error(sctp, sctph, ch, mp);
+ error = sctp_handle_error(sctp, sctph, ch, mp,
+ ira);
if (error != 0) {
sctp_assoc_event(sctp, SCTP_COMM_LOST,
0, NULL);
@@ -3864,7 +3759,8 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
case CHUNK_FORWARD_TSN:
ASSERT(fp != NULL);
sctp->sctp_lastdata = fp;
- sctp_process_forward_tsn(sctp, ch, fp, &ipp);
+ sctp_process_forward_tsn(sctp, ch, fp,
+ &ipp, ira);
gotdata = 1;
BUMP_LOCAL(sctp->sctp_ibchunks);
break;
@@ -3879,13 +3775,14 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
case SCTPS_LISTEN:
switch (ch->sch_id) {
case CHUNK_INIT:
- sctp_send_initack(sctp, sctph, ch, mp);
+ sctp_send_initack(sctp, sctph, ch, mp, ira);
break;
case CHUNK_COOKIE: {
sctp_t *eager;
if (sctp_process_cookie(sctp, ch, mp, &iack,
- sctph, &recv_adaptation, &peer_src) == -1) {
+ sctph, &recv_adaptation, &peer_src,
+ ira) == -1) {
BUMP_MIB(&sctps->sctps_mib,
sctpInInvalidCookie);
goto done;
@@ -3900,11 +3797,11 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
goto done;
eager = sctp_conn_request(sctp, mp, ifindex,
- ip_hdr_len, iack, ipsec_mp);
+ ip_hdr_len, iack, ira);
if (eager == NULL) {
sctp_send_abort(sctp, sctph->sh_verf,
SCTP_ERR_NO_RESOURCES, NULL, 0, mp,
- 0, B_FALSE);
+ 0, B_FALSE, ira);
goto done;
}
@@ -3933,9 +3830,6 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
BUMP_MIB(&sctps->sctps_mib, sctpPassiveEstab);
if (mlen > ntohs(ch->sch_len)) {
eager->sctp_cookie_mp = dupb(mp);
- mblk_setcred(eager->sctp_cookie_mp,
- CONN_CRED(eager->sctp_connp),
- eager->sctp_cpid);
/*
* If no mem, just let
* the peer retransmit.
@@ -3986,7 +3880,7 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
default:
BUMP_LOCAL(sctp->sctp_ibchunks);
sctp_send_abort(sctp, sctph->sh_verf, 0, NULL,
- 0, mp, 0, B_TRUE);
+ 0, mp, 0, B_TRUE, ira);
goto done;
}
break;
@@ -3996,20 +3890,21 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
case CHUNK_INIT_ACK:
sctp_stop_faddr_timers(sctp);
sctp_faddr_alive(sctp, sctp->sctp_current);
- sctp_send_cookie_echo(sctp, ch, mp);
+ sctp_send_cookie_echo(sctp, ch, mp, ira);
BUMP_LOCAL(sctp->sctp_ibchunks);
break;
case CHUNK_ABORT:
sctp_process_abort(sctp, ch, ECONNREFUSED);
goto done;
case CHUNK_INIT:
- sctp_send_initack(sctp, sctph, ch, mp);
+ sctp_send_initack(sctp, sctph, ch, mp, ira);
break;
case CHUNK_COOKIE:
- cr = msg_getcred(mp, &cpid);
+ cr = ira->ira_cred;
+ cpid = ira->ira_cpid;
if (sctp_process_cookie(sctp, ch, mp, &iack,
- sctph, &recv_adaptation, NULL) == -1) {
+ sctph, &recv_adaptation, NULL, ira) == -1) {
BUMP_MIB(&sctps->sctps_mib,
sctpInInvalidCookie);
break;
@@ -4053,7 +3948,8 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
case SCTPS_COOKIE_ECHOED:
switch (ch->sch_id) {
case CHUNK_COOKIE_ACK:
- cr = msg_getcred(mp, &cpid);
+ cr = ira->ira_cred;
+ cpid = ira->ira_cpid;
if (!SCTP_IS_DETACHED(sctp)) {
sctp->sctp_ulp_connected(
@@ -4084,10 +3980,11 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
sctp_process_abort(sctp, ch, ECONNREFUSED);
goto done;
case CHUNK_COOKIE:
- cr = msg_getcred(mp, &cpid);
+ cr = ira->ira_cred;
+ cpid = ira->ira_cpid;
if (sctp_process_cookie(sctp, ch, mp, &iack,
- sctph, &recv_adaptation, NULL) == -1) {
+ sctph, &recv_adaptation, NULL, ira) == -1) {
BUMP_MIB(&sctps->sctps_mib,
sctpInInvalidCookie);
break;
@@ -4122,7 +4019,7 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
trysend = 1;
break;
case CHUNK_INIT:
- sctp_send_initack(sctp, sctph, ch, mp);
+ sctp_send_initack(sctp, sctph, ch, mp, ira);
break;
case CHUNK_ERROR: {
sctp_parm_hdr_t *p;
@@ -4165,7 +4062,7 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
switch (ch->sch_id) {
case CHUNK_ABORT:
/* Pass gathered wisdom to IP for keeping */
- sctp_update_ire(sctp);
+ sctp_update_dce(sctp);
sctp_process_abort(sctp, ch, 0);
goto done;
case CHUNK_SHUTDOWN_COMPLETE:
@@ -4175,7 +4072,7 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
NULL);
/* Pass gathered wisdom to IP for keeping */
- sctp_update_ire(sctp);
+ sctp_update_dce(sctp);
sctp_clean_death(sctp, 0);
goto done;
case CHUNK_SHUTDOWN_ACK:
@@ -4215,7 +4112,7 @@ sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
trysend = sctp_got_sack(sctp, ch);
if (trysend < 0) {
sctp_send_abort(sctp, sctph->sh_verf,
- 0, NULL, 0, mp, 0, B_FALSE);
+ 0, NULL, 0, mp, 0, B_FALSE, ira);
sctp_assoc_event(sctp,
SCTP_COMM_LOST, 0, NULL);
sctp_clean_death(sctp,
@@ -4287,8 +4184,6 @@ nomorechunks:
done:
if (dups != NULL)
freeb(dups);
- if (ipsec_mp != NULL)
- freeb(ipsec_mp);
freemsg(mp);
if (sctp->sctp_err_chunks != NULL)
@@ -4297,15 +4192,9 @@ done:
if (wake_eager) {
/*
* sctp points to newly created control block, need to
- * release it before exiting. Before releasing it and
- * processing the sendq, need to grab a hold on it.
- * Otherwise, another thread can close it while processing
- * the sendq.
+ * release it before exiting.
*/
- SCTP_REFHOLD(sctp);
WAKE_SCTP(sctp);
- sctp_process_sendq(sctp);
- SCTP_REFRELE(sctp);
}
}
@@ -4340,12 +4229,6 @@ sctp_recvd(sctp_t *sctp, int len)
sctp->sctp_force_sack = 1;
BUMP_MIB(&sctps->sctps_mib, sctpOutWinUpdate);
(void) sctp_sack(sctp, NULL);
- old = 1;
- } else {
- old = 0;
}
WAKE_SCTP(sctp);
- if (old > 0) {
- sctp_process_sendq(sctp);
- }
}
diff --git a/usr/src/uts/common/inet/sctp/sctp_ioc.c b/usr/src/uts/common/inet/sctp/sctp_ioc.c
index 7150c48c4b..5f5c2ee629 100644
--- a/usr/src/uts/common/inet/sctp/sctp_ioc.c
+++ b/usr/src/uts/common/inet/sctp/sctp_ioc.c
@@ -49,69 +49,7 @@
#include "sctp_impl.h"
/*
- * We need a stream q for sending packets to IP. This q should
- * be set in strplumb() time. Once it is set, it will never
- * be removed. Since it is done in strplumb() time, there is
- * no need to have a lock on the default q.
- */
-static void
-sctp_def_q_set(queue_t *q, mblk_t *mp)
-{
- conn_t *connp = (conn_t *)q->q_ptr;
- struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
- mblk_t *mp1;
- hrtime_t t;
- sctp_stack_t *sctps = connp->conn_netstack->
- netstack_sctp;
-
- if ((mp1 = mp->b_cont) == NULL) {
- iocp->ioc_error = EINVAL;
- ip0dbg(("sctp_def_q_set: no file descriptor\n"));
- goto done;
- }
-
- mutex_enter(&sctps->sctps_g_q_lock);
- if (sctps->sctps_g_q != NULL) {
- mutex_exit(&sctps->sctps_g_q_lock);
- ip0dbg(("sctp_def_q_set: already set\n"));
- iocp->ioc_error = EALREADY;
- goto done;
- }
-
- sctps->sctps_g_q = q;
- mutex_exit(&sctps->sctps_g_q_lock);
- sctps->sctps_gsctp = (sctp_t *)sctp_create(NULL, NULL, AF_INET6,
- SCTP_CAN_BLOCK, NULL, NULL, connp->conn_cred);
- mutex_enter(&sctps->sctps_g_q_lock);
- if (sctps->sctps_gsctp == NULL) {
- sctps->sctps_g_q = NULL;
- mutex_exit(&sctps->sctps_g_q_lock);
- iocp->ioc_error = ENOMEM;
- goto done;
- }
- mutex_exit(&sctps->sctps_g_q_lock);
- ASSERT(sctps->sctps_g_q_ref >= 1);
- ASSERT(list_head(&sctps->sctps_g_list) == sctps->sctps_gsctp);
-
- /*
- * As a good citizen of using /dev/urandom, add some entropy
- * to the random number pool.
- */
- t = gethrtime();
- (void) random_add_entropy((uint8_t *)&t, sizeof (t), 0);
-done:
- if (mp1 != NULL) {
- freemsg(mp1);
- mp->b_cont = NULL;
- }
- iocp->ioc_count = 0;
- mp->b_datap->db_type = M_IOCACK;
- qreply(q, mp);
-}
-
-
-/*
- * sctp_wput_ioctl is called by sctp_wput_slow to handle all
+ * sctp_wput_ioctl is called by sctp_wput to handle all
* M_IOCTL messages.
*/
void
@@ -119,7 +57,6 @@ sctp_wput_ioctl(queue_t *q, mblk_t *mp)
{
conn_t *connp = (conn_t *)q->q_ptr;
struct iocblk *iocp;
- cred_t *cr;
if (connp == NULL) {
ip0dbg(("sctp_wput_ioctl: null conn\n"));
@@ -127,24 +64,7 @@ sctp_wput_ioctl(queue_t *q, mblk_t *mp)
}
iocp = (struct iocblk *)mp->b_rptr;
- /*
- * prefer credential from mblk over ioctl;
- * see ip_sioctl_copyin_setup
- */
- cr = msg_getcred(mp, NULL);
- if (cr == NULL)
- cr = iocp->ioc_cr;
-
switch (iocp->ioc_cmd) {
- case SCTP_IOC_DEFAULT_Q:
- /* Wants to be the default wq. */
- if (cr != NULL && secpolicy_ip_config(cr, B_FALSE) != 0) {
- iocp->ioc_error = EPERM;
- goto err_ret;
- }
- sctp_def_q_set(q, mp);
- return;
-
case ND_SET:
/* sctp_nd_getset() -> nd_getset() does the checking. */
case ND_GET:
@@ -244,6 +164,9 @@ sctp_str_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
netstack_rele(ns);
connp->conn_zoneid = zoneid;
+ connp->conn_ixa->ixa_flags |= IXAF_SET_ULP_CKSUM;
+ /* conn_allzones can not be set this early, hence no IPCL_ZONEID */
+ connp->conn_ixa->ixa_zoneid = zoneid;
connp->conn_rq = q;
connp->conn_wq = WR(q);
@@ -276,6 +199,12 @@ sctp_str_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
ASSERT(connp->conn_cred == NULL);
connp->conn_cred = credp;
crhold(connp->conn_cred);
+ connp->conn_cpid = curproc->p_pid;
+ /* Cache things in ixa without an extra refhold */
+ connp->conn_ixa->ixa_cred = connp->conn_cred;
+ connp->conn_ixa->ixa_cpid = connp->conn_cpid;
+ if (is_system_labeled())
+ connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
/*
* Make the conn globally visible to walkers
diff --git a/usr/src/uts/common/inet/sctp/sctp_notify.c b/usr/src/uts/common/inet/sctp/sctp_notify.c
index 3ede878954..ea46e0bbd2 100644
--- a/usr/src/uts/common/inet/sctp/sctp_notify.c
+++ b/usr/src/uts/common/inet/sctp/sctp_notify.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -51,6 +51,7 @@ sctp_notify(sctp_t *sctp, mblk_t *emp, size_t len)
sctp_faddr_t *fp;
int32_t rwnd = 0;
int error;
+ conn_t *connp = sctp->sctp_connp;
if ((mp = allocb(sizeof (*tudi) + sizeof (void *) +
sizeof (struct sockaddr_in6), BPRI_HI)) == NULL) {
@@ -82,7 +83,7 @@ sctp_notify(sctp_t *sctp, mblk_t *emp, size_t len)
tudi->SRC_length = sizeof (*sin4);
sin4 = (struct sockaddr_in *)(tudi + 1);
sin4->sin_family = AF_INET;
- sin4->sin_port = sctp->sctp_fport;
+ sin4->sin_port = connp->conn_fport;
IN6_V4MAPPED_TO_IPADDR(&fp->faddr, sin4->sin_addr.s_addr);
mp->b_wptr = (uchar_t *)(sin4 + 1);
} else {
@@ -91,7 +92,7 @@ sctp_notify(sctp_t *sctp, mblk_t *emp, size_t len)
tudi->SRC_length = sizeof (*sin6);
sin6 = (struct sockaddr_in6 *)(tudi + 1);
sin6->sin6_family = AF_INET6;
- sin6->sin6_port = sctp->sctp_fport;
+ sin6->sin6_port = connp->conn_fport;
sin6->sin6_addr = fp->faddr;
mp->b_wptr = (uchar_t *)(sin6 + 1);
}
diff --git a/usr/src/uts/common/inet/sctp/sctp_opt_data.c b/usr/src/uts/common/inet/sctp/sctp_opt_data.c
index 322e4d461e..ee5eb445af 100644
--- a/usr/src/uts/common/inet/sctp/sctp_opt_data.c
+++ b/usr/src/uts/common/inet/sctp/sctp_opt_data.c
@@ -43,6 +43,7 @@
#include <inet/ip.h>
#include <inet/ip_ire.h>
#include <inet/ip_if.h>
+#include <inet/proto_set.h>
#include <inet/ipclassifier.h>
#include <inet/ipsec_impl.h>
@@ -60,68 +61,6 @@
static int sctp_getpeeraddrs(sctp_t *, void *, int *);
-/*
- * Copy the standard header into its new location,
- * lay in the new options and then update the relevant
- * fields in both sctp_t and the standard header.
- * Returns 0 on success, errno otherwise.
- */
-static int
-sctp_opt_set_header(sctp_t *sctp, const void *ptr, uint_t len)
-{
- uint8_t *ip_optp;
- sctp_hdr_t *new_sctph;
-
- if ((len > SCTP_MAX_IP_OPTIONS_LENGTH) || (len & 0x3))
- return (EINVAL);
-
- if (len > IP_MAX_OPT_LENGTH - sctp->sctp_v4label_len)
- return (EINVAL);
-
- ip_optp = (uint8_t *)sctp->sctp_ipha + IP_SIMPLE_HDR_LENGTH;
-
- if (sctp->sctp_v4label_len > 0) {
- int padlen;
- uint8_t opt;
-
- /* convert list termination to no-ops as needed */
- padlen = sctp->sctp_v4label_len - ip_optp[IPOPT_OLEN];
- ip_optp += ip_optp[IPOPT_OLEN];
- opt = len > 0 ? IPOPT_NOP : IPOPT_EOL;
- while (--padlen >= 0)
- *ip_optp++ = opt;
- ASSERT(ip_optp == (uint8_t *)sctp->sctp_ipha +
- IP_SIMPLE_HDR_LENGTH + sctp->sctp_v4label_len);
- }
-
- /*
- * Move the existing SCTP header out where it belongs.
- */
- new_sctph = (sctp_hdr_t *)(ip_optp + len);
- ovbcopy(sctp->sctp_sctph, new_sctph, sizeof (sctp_hdr_t));
- sctp->sctp_sctph = new_sctph;
-
- /*
- * Insert the new user-supplied IP options.
- */
- if (len > 0)
- bcopy(ptr, ip_optp, len);
-
- len += sctp->sctp_v4label_len;
- sctp->sctp_ip_hdr_len = len;
- sctp->sctp_ipha->ipha_version_and_hdr_length =
- (IP_VERSION << 4) | (len >> 2);
- sctp->sctp_hdr_len = len + sizeof (sctp_hdr_t);
-
- if (sctp->sctp_current) {
- /*
- * Could be setting options before setting up connection.
- */
- sctp_set_ulp_prop(sctp);
- }
- return (0);
-}
-
static int
sctp_get_status(sctp_t *sctp, void *ptr)
{
@@ -132,6 +71,7 @@ sctp_get_status(sctp_t *sctp, void *ptr)
struct sctp_paddrinfo *sp;
mblk_t *meta, *mp;
int i;
+ conn_t *connp = sctp->sctp_connp;
sstat->sstat_state = sctp->sctp_state;
sstat->sstat_rwnd = sctp->sctp_frwnd;
@@ -146,13 +86,13 @@ sctp_get_status(sctp_t *sctp, void *ptr)
if (fp->isv4) {
sin = (struct sockaddr_in *)&sp->spinfo_address;
sin->sin_family = AF_INET;
- sin->sin_port = sctp->sctp_fport;
+ sin->sin_port = connp->conn_fport;
IN6_V4MAPPED_TO_INADDR(&fp->faddr, &sin->sin_addr);
sp->spinfo_mtu = sctp->sctp_hdr_len;
} else {
sin6 = (struct sockaddr_in6 *)&sp->spinfo_address;
sin6->sin6_family = AF_INET6;
- sin6->sin6_port = sctp->sctp_fport;
+ sin6->sin6_port = connp->conn_fport;
sin6->sin6_addr = fp->faddr;
sp->spinfo_mtu = sctp->sctp_hdr6_len;
}
@@ -261,18 +201,16 @@ sctp_get_rtoinfo(sctp_t *sctp, void *ptr)
}
static int
-sctp_set_rtoinfo(sctp_t *sctp, const void *invalp, uint_t inlen)
+sctp_set_rtoinfo(sctp_t *sctp, const void *invalp)
{
const struct sctp_rtoinfo *srto;
boolean_t ispriv;
sctp_stack_t *sctps = sctp->sctp_sctps;
+ conn_t *connp = sctp->sctp_connp;
- if (inlen < sizeof (*srto)) {
- return (EINVAL);
- }
srto = invalp;
- ispriv = secpolicy_ip_config(sctp->sctp_credp, B_TRUE) == 0;
+ ispriv = secpolicy_ip_config(connp->conn_cred, B_TRUE) == 0;
/*
* Bounds checking. Priviledged user can set the RTO initial
@@ -334,17 +272,13 @@ sctp_get_assocparams(sctp_t *sctp, void *ptr)
}
static int
-sctp_set_assocparams(sctp_t *sctp, const void *invalp, uint_t inlen)
+sctp_set_assocparams(sctp_t *sctp, const void *invalp)
{
const struct sctp_assocparams *sap = invalp;
uint32_t sum = 0;
sctp_faddr_t *fp;
sctp_stack_t *sctps = sctp->sctp_sctps;
- if (inlen < sizeof (*sap)) {
- return (EINVAL);
- }
-
if (sap->sasoc_asocmaxrxt) {
if (sctp->sctp_faddrs) {
/*
@@ -403,6 +337,7 @@ sctp_set_initmsg(sctp_t *sctp, const void *invalp, uint_t inlen)
{
const struct sctp_initmsg *si = invalp;
sctp_stack_t *sctps = sctp->sctp_sctps;
+ conn_t *connp = sctp->sctp_connp;
if (sctp->sctp_state > SCTPS_LISTEN) {
return (EINVAL);
@@ -430,7 +365,7 @@ sctp_set_initmsg(sctp_t *sctp, const void *invalp, uint_t inlen)
return (EINVAL);
}
if (si->sinit_max_init_timeo != 0 &&
- (secpolicy_ip_config(sctp->sctp_credp, B_TRUE) != 0 &&
+ (secpolicy_ip_config(connp->conn_cred, B_TRUE) != 0 &&
(si->sinit_max_init_timeo < sctps->sctps_rto_maxg_low ||
si->sinit_max_init_timeo > sctps->sctps_rto_maxg_high))) {
return (EINVAL);
@@ -506,7 +441,7 @@ sctp_get_peer_addr_params(sctp_t *sctp, void *ptr)
}
static int
-sctp_set_peer_addr_params(sctp_t *sctp, const void *invalp, uint_t inlen)
+sctp_set_peer_addr_params(sctp_t *sctp, const void *invalp)
{
const struct sctp_paddrparams *spp = invalp;
sctp_faddr_t *fp, *fp2;
@@ -515,10 +450,6 @@ sctp_set_peer_addr_params(sctp_t *sctp, const void *invalp, uint_t inlen)
int64_t now;
sctp_stack_t *sctps = sctp->sctp_sctps;
- if (inlen < sizeof (*spp)) {
- return (EINVAL);
- }
-
retval = sctp_find_peer_fp(sctp, &spp->spp_address, &fp);
if (retval != 0) {
return (retval);
@@ -620,13 +551,10 @@ sctp_get_def_send_params(sctp_t *sctp, void *ptr)
}
static int
-sctp_set_def_send_params(sctp_t *sctp, const void *invalp, uint_t inlen)
+sctp_set_def_send_params(sctp_t *sctp, const void *invalp)
{
const struct sctp_sndrcvinfo *sinfo = invalp;
- if (inlen < sizeof (*sinfo)) {
- return (EINVAL);
- }
if (sinfo->sinfo_stream >= sctp->sctp_num_ostr) {
return (EINVAL);
}
@@ -641,16 +569,12 @@ sctp_set_def_send_params(sctp_t *sctp, const void *invalp, uint_t inlen)
}
static int
-sctp_set_prim(sctp_t *sctp, const void *invalp, uint_t inlen)
+sctp_set_prim(sctp_t *sctp, const void *invalp)
{
const struct sctp_setpeerprim *pp = invalp;
int retval;
sctp_faddr_t *fp;
- if (inlen < sizeof (*pp)) {
- return (EINVAL);
- }
-
retval = sctp_find_peer_fp(sctp, &pp->sspp_addr, &fp);
if (retval)
return (retval);
@@ -670,6 +594,183 @@ sctp_set_prim(sctp_t *sctp, const void *invalp, uint_t inlen)
return (0);
}
+/*
+ * Table of all known options handled on a SCTP protocol stack.
+ *
+ * Note: This table contains options processed by both SCTP and IP levels
+ * and is the superset of options that can be performed on a SCTP and IP
+ * stack.
+ */
+opdes_t sctp_opt_arr[] = {
+
+{ SO_LINGER, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (struct linger), 0 },
+
+{ SO_DEBUG, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_KEEPALIVE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_DONTROUTE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_USELOOPBACK, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
+ },
+{ SO_BROADCAST, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_REUSEADDR, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_OOBINLINE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_TYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
+{ SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_DGRAM_ERRIND, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
+ },
+{ SO_SND_COPYAVOID, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_ANON_MLP, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
+ 0 },
+{ SO_MAC_EXEMPT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
+ 0 },
+{ SO_ALLZONES, SOL_SOCKET, OA_R, OA_RW, OP_CONFIG, 0, sizeof (int),
+ 0 },
+{ SO_EXCLBIND, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+
+{ SO_DOMAIN, SOL_SOCKET, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
+
+{ SO_PROTOTYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
+
+{ SCTP_ADAPTATION_LAYER, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (struct sctp_setadaptation), 0 },
+{ SCTP_ADD_ADDR, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, OP_VARLEN,
+ sizeof (int), 0 },
+{ SCTP_ASSOCINFO, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (struct sctp_assocparams), 0 },
+{ SCTP_AUTOCLOSE, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SCTP_DEFAULT_SEND_PARAM, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (struct sctp_sndrcvinfo), 0 },
+{ SCTP_DISABLE_FRAGMENTS, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+{ SCTP_EVENTS, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (struct sctp_event_subscribe), 0 },
+{ SCTP_GET_LADDRS, IPPROTO_SCTP, OA_R, OA_R, OP_NP, OP_VARLEN,
+ sizeof (int), 0 },
+{ SCTP_GET_NLADDRS, IPPROTO_SCTP, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
+{ SCTP_GET_NPADDRS, IPPROTO_SCTP, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
+{ SCTP_GET_PADDRS, IPPROTO_SCTP, OA_R, OA_R, OP_NP, OP_VARLEN,
+ sizeof (int), 0 },
+{ SCTP_GET_PEER_ADDR_INFO, IPPROTO_SCTP, OA_R, OA_R, OP_NP, 0,
+ sizeof (struct sctp_paddrinfo), 0 },
+{ SCTP_INITMSG, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (struct sctp_initmsg), 0 },
+{ SCTP_I_WANT_MAPPED_V4_ADDR, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+{ SCTP_MAXSEG, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SCTP_NODELAY, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SCTP_PEER_ADDR_PARAMS, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (struct sctp_paddrparams), 0 },
+{ SCTP_PRIMARY_ADDR, IPPROTO_SCTP, OA_W, OA_W, OP_NP, 0,
+ sizeof (struct sctp_setpeerprim), 0 },
+{ SCTP_PRSCTP, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SCTP_GET_ASSOC_STATS, IPPROTO_SCTP, OA_R, OA_R, OP_NP, 0,
+ sizeof (sctp_assoc_stats_t), 0 },
+{ SCTP_REM_ADDR, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, OP_VARLEN,
+ sizeof (int), 0 },
+{ SCTP_RTOINFO, IPPROTO_SCTP, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (struct sctp_rtoinfo), 0 },
+{ SCTP_SET_PEER_PRIMARY_ADDR, IPPROTO_SCTP, OA_W, OA_W, OP_NP, 0,
+ sizeof (struct sctp_setprim), 0 },
+{ SCTP_STATUS, IPPROTO_SCTP, OA_R, OA_R, OP_NP, 0,
+ sizeof (struct sctp_status), 0 },
+{ SCTP_UC_SWAP, IPPROTO_SCTP, OA_W, OA_W, OP_NP, 0,
+ sizeof (struct sctp_uc_swap), 0 },
+
+{ IP_OPTIONS, IPPROTO_IP, OA_RW, OA_RW, OP_NP,
+ (OP_VARLEN|OP_NODEFAULT),
+ 40, -1 /* not initialized */ },
+{ T_IP_OPTIONS, IPPROTO_IP, OA_RW, OA_RW, OP_NP,
+ (OP_VARLEN|OP_NODEFAULT),
+ 40, -1 /* not initialized */ },
+
+{ IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ T_IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ IP_TTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_DEF_FN,
+ sizeof (int), -1 /* not initialized */ },
+
+{ IP_SEC_OPT, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_NODEFAULT,
+ sizeof (ipsec_req_t), -1 /* not initialized */ },
+
+{ IP_BOUND_IF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 /* no ifindex */ },
+
+{ IP_UNSPEC_SRC, IPPROTO_IP, OA_R, OA_RW, OP_RAW, 0,
+ sizeof (int), 0 },
+
+{ IPV6_UNICAST_HOPS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_DEF_FN,
+ sizeof (int), -1 /* not initialized */ },
+
+{ IPV6_BOUND_IF, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 /* no ifindex */ },
+
+{ IP_DONTFRAG, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+
+{ IP_NEXTHOP, IPPROTO_IP, OA_R, OA_RW, OP_CONFIG, 0,
+ sizeof (in_addr_t), -1 /* not initialized */ },
+
+{ IPV6_UNSPEC_SRC, IPPROTO_IPV6, OA_R, OA_RW, OP_RAW, 0,
+ sizeof (int), 0 },
+
+{ IPV6_PKTINFO, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
+ (OP_NODEFAULT|OP_VARLEN),
+ sizeof (struct in6_pktinfo), -1 /* not initialized */ },
+{ IPV6_NEXTHOP, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
+ OP_NODEFAULT,
+ sizeof (sin6_t), -1 /* not initialized */ },
+{ IPV6_HOPOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
+ (OP_VARLEN|OP_NODEFAULT), 255*8,
+ -1 /* not initialized */ },
+{ IPV6_DSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
+ (OP_VARLEN|OP_NODEFAULT), 255*8,
+ -1 /* not initialized */ },
+{ IPV6_RTHDRDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
+ (OP_VARLEN|OP_NODEFAULT), 255*8,
+ -1 /* not initialized */ },
+{ IPV6_RTHDR, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
+ (OP_VARLEN|OP_NODEFAULT), 255*8,
+ -1 /* not initialized */ },
+{ IPV6_TCLASS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
+ OP_NODEFAULT,
+ sizeof (int), -1 /* not initialized */ },
+{ IPV6_PATHMTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
+ OP_NODEFAULT,
+ sizeof (struct ip6_mtuinfo), -1 /* not initialized */ },
+{ IPV6_DONTFRAG, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+{ IPV6_USE_MIN_MTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+{ IPV6_V6ONLY, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+
+/* Enable receipt of ancillary data */
+{ IPV6_RECVPKTINFO, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+{ IPV6_RECVHOPLIMIT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+{ IPV6_RECVTCLASS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+{ IPV6_RECVHOPOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+{ _OLD_IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+{ IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+{ IPV6_RECVRTHDR, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+{ IPV6_RECVRTHDRDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+{ IPV6_RECVTCLASS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+
+{ IPV6_SEC_OPT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_NODEFAULT,
+ sizeof (ipsec_req_t), -1 /* not initialized */ },
+{ IPV6_SRC_PREFERENCES, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (uint32_t), IPV6_PREFER_SRC_DEFAULT },
+};
+
+uint_t sctp_opt_arr_size = A_CNT(sctp_opt_arr);
+
/* Handy on off switch for socket option processing. */
#define ONOFF(x) ((x) == 0 ? 0 : 1)
@@ -682,8 +783,12 @@ sctp_get_opt(sctp_t *sctp, int level, int name, void *ptr, socklen_t *optlen)
int *i1 = (int *)ptr;
int retval = 0;
int buflen = *optlen;
- conn_t *connp = sctp->sctp_connp;
- ip6_pkt_t *ipp = &sctp->sctp_sticky_ipp;
+ conn_t *connp = sctp->sctp_connp;
+ conn_opt_arg_t coas;
+
+ coas.coa_connp = connp;
+ coas.coa_ixa = connp->conn_ixa;
+ coas.coa_ipp = &connp->conn_xmit_ipp;
/* In most cases, the return buffer is just an int */
*optlen = sizeof (int32_t);
@@ -695,83 +800,30 @@ sctp_get_opt(sctp_t *sctp, int level, int name, void *ptr, socklen_t *optlen)
return (EINVAL);
}
- switch (level) {
- case SOL_SOCKET:
- switch (name) {
- case SO_LINGER: {
- struct linger *lgr = (struct linger *)ptr;
-
- lgr->l_onoff = sctp->sctp_linger ? SO_LINGER : 0;
- lgr->l_linger = TICK_TO_MSEC(sctp->sctp_lingertime);
- *optlen = sizeof (struct linger);
- break;
- }
- case SO_DEBUG:
- *i1 = sctp->sctp_debug ? SO_DEBUG : 0;
- break;
- case SO_DONTROUTE:
- *i1 = connp->conn_dontroute ? SO_DONTROUTE : 0;
- break;
- case SO_USELOOPBACK:
- *i1 = connp->conn_loopback ? SO_USELOOPBACK : 0;
- break;
- case SO_BROADCAST:
- *i1 = connp->conn_broadcast ? SO_BROADCAST : 0;
- break;
- case SO_REUSEADDR:
- *i1 = connp->conn_reuseaddr ? SO_REUSEADDR : 0;
- break;
- case SO_DGRAM_ERRIND:
- *i1 = sctp->sctp_dgram_errind ? SO_DGRAM_ERRIND : 0;
- break;
- case SO_SNDBUF:
- *i1 = sctp->sctp_xmit_hiwater;
- break;
- case SO_RCVBUF:
- *i1 = sctp->sctp_rwnd;
- break;
- case SO_ALLZONES:
- *i1 = connp->conn_allzones;
- break;
- case SO_MAC_EXEMPT:
- *i1 = (connp->conn_mac_mode == CONN_MAC_AWARE);
- break;
- case SO_MAC_IMPLICIT:
- *i1 = (connp->conn_mac_mode == CONN_MAC_IMPLICIT);
- break;
- case SO_PROTOTYPE:
- *i1 = IPPROTO_SCTP;
- break;
- case SO_DOMAIN:
- *i1 = sctp->sctp_family;
- break;
- default:
- retval = ENOPROTOOPT;
- break;
+ /*
+ * Check that the level and name are supported by SCTP, and that
+ * the length and credentials are ok.
+ */
+ retval = proto_opt_check(level, name, buflen, NULL, sctp_opt_arr,
+ sctp_opt_arr_size, B_FALSE, B_TRUE, connp->conn_cred);
+ if (retval != 0) {
+ WAKE_SCTP(sctp);
+ if (retval < 0) {
+ retval = proto_tlitosyserr(-retval);
}
- break;
+ return (retval);
+ }
+ switch (level) {
case IPPROTO_SCTP:
switch (name) {
case SCTP_RTOINFO:
- if (buflen < sizeof (struct sctp_rtoinfo)) {
- retval = EINVAL;
- break;
- }
*optlen = sctp_get_rtoinfo(sctp, ptr);
break;
case SCTP_ASSOCINFO:
- if (buflen < sizeof (struct sctp_assocparams)) {
- retval = EINVAL;
- break;
- }
*optlen = sctp_get_assocparams(sctp, ptr);
break;
case SCTP_INITMSG:
- if (buflen < sizeof (struct sctp_initmsg)) {
- retval = EINVAL;
- break;
- }
*optlen = sctp_get_initmsg(sctp, ptr);
break;
case SCTP_NODELAY:
@@ -781,34 +833,18 @@ sctp_get_opt(sctp_t *sctp, int level, int name, void *ptr, socklen_t *optlen)
*i1 = TICK_TO_SEC(sctp->sctp_autoclose);
break;
case SCTP_ADAPTATION_LAYER:
- if (buflen < sizeof (struct sctp_setadaptation)) {
- retval = EINVAL;
- break;
- }
((struct sctp_setadaptation *)ptr)->ssb_adaptation_ind =
sctp->sctp_tx_adaptation_code;
break;
case SCTP_PEER_ADDR_PARAMS:
- if (buflen < sizeof (struct sctp_paddrparams)) {
- retval = EINVAL;
- break;
- }
*optlen = sctp_get_peer_addr_params(sctp, ptr);
break;
case SCTP_DEFAULT_SEND_PARAM:
- if (buflen < sizeof (struct sctp_sndrcvinfo)) {
- retval = EINVAL;
- break;
- }
*optlen = sctp_get_def_send_params(sctp, ptr);
break;
case SCTP_EVENTS: {
struct sctp_event_subscribe *ev;
- if (buflen < sizeof (struct sctp_event_subscribe)) {
- retval = EINVAL;
- break;
- }
ev = (struct sctp_event_subscribe *)ptr;
ev->sctp_data_io_event =
ONOFF(sctp->sctp_recvsndrcvinfo);
@@ -830,17 +866,9 @@ sctp_get_opt(sctp_t *sctp, int level, int name, void *ptr, socklen_t *optlen)
break;
}
case SCTP_STATUS:
- if (buflen < sizeof (struct sctp_status)) {
- retval = EINVAL;
- break;
- }
*optlen = sctp_get_status(sctp, ptr);
break;
case SCTP_GET_PEER_ADDR_INFO:
- if (buflen < sizeof (struct sctp_paddrinfo)) {
- retval = EINVAL;
- break;
- }
retval = sctp_get_paddrinfo(sctp, ptr, optlen);
break;
case SCTP_GET_NLADDRS:
@@ -850,7 +878,7 @@ sctp_get_opt(sctp_t *sctp, int level, int name, void *ptr, socklen_t *optlen)
int addr_cnt;
int addr_size;
- if (sctp->sctp_family == AF_INET)
+ if (connp->conn_family == AF_INET)
addr_size = sizeof (struct sockaddr_in);
else
addr_size = sizeof (struct sockaddr_in6);
@@ -874,7 +902,7 @@ sctp_get_opt(sctp_t *sctp, int level, int name, void *ptr, socklen_t *optlen)
int addr_cnt;
int addr_size;
- if (sctp->sctp_family == AF_INET)
+ if (connp->conn_family == AF_INET)
addr_size = sizeof (struct sockaddr_in);
else
addr_size = sizeof (struct sockaddr_in6);
@@ -891,11 +919,6 @@ sctp_get_opt(sctp_t *sctp, int level, int name, void *ptr, socklen_t *optlen)
case SCTP_GET_ASSOC_STATS: {
sctp_assoc_stats_t *sas;
- if (buflen < sizeof (sctp_assoc_stats_t)) {
- retval = EINVAL;
- break;
- }
-
sas = (sctp_assoc_stats_t *)ptr;
/*
@@ -947,15 +970,15 @@ sctp_get_opt(sctp_t *sctp, int level, int name, void *ptr, socklen_t *optlen)
case SCTP_I_WANT_MAPPED_V4_ADDR:
case SCTP_MAXSEG:
case SCTP_DISABLE_FRAGMENTS:
- /* Not yet supported. */
default:
+ /* Not yet supported. */
retval = ENOPROTOOPT;
break;
}
- break;
-
+ WAKE_SCTP(sctp);
+ return (retval);
case IPPROTO_IP:
- if (sctp->sctp_family != AF_INET) {
+ if (connp->conn_family != AF_INET) {
retval = EINVAL;
break;
}
@@ -972,231 +995,52 @@ sctp_get_opt(sctp_t *sctp, int level, int name, void *ptr, socklen_t *optlen)
* ip_opt_get_user() adds the final destination
* at the start.
*/
- char *opt_ptr;
int opt_len;
uchar_t obuf[SCTP_MAX_IP_OPTIONS_LENGTH + IP_ADDR_LEN];
- opt_ptr = (char *)sctp->sctp_ipha +
- IP_SIMPLE_HDR_LENGTH;
- opt_len = (char *)sctp->sctp_sctph - opt_ptr;
- /* Caller ensures enough space */
- if (opt_len > 0) {
- /*
- * TODO: Do we have to handle getsockopt on an
- * initiator as well?
- */
- opt_len = ip_opt_get_user(sctp->sctp_ipha,
- obuf);
- ASSERT(opt_len <= sizeof (obuf));
- } else {
- opt_len = 0;
- }
+ opt_len = ip_opt_get_user(connp, obuf);
+ ASSERT(opt_len <= sizeof (obuf));
+
if (buflen < opt_len) {
/* Silently truncate */
opt_len = buflen;
}
*optlen = opt_len;
bcopy(obuf, ptr, opt_len);
- break;
- }
- case IP_TOS:
- case T_IP_TOS:
- *i1 = (int)sctp->sctp_ipha->ipha_type_of_service;
- break;
- case IP_TTL:
- *i1 = (int)sctp->sctp_ipha->ipha_ttl;
- break;
- case IP_NEXTHOP:
- if (connp->conn_nexthop_set) {
- *(ipaddr_t *)ptr = connp->conn_nexthop_v4;
- *optlen = sizeof (ipaddr_t);
- } else {
- *optlen = 0;
- }
- break;
- default:
- retval = ENOPROTOOPT;
- break;
- }
- break;
- case IPPROTO_IPV6:
- if (sctp->sctp_family != AF_INET6) {
- retval = EINVAL;
- break;
- }
- switch (name) {
- case IPV6_UNICAST_HOPS:
- *i1 = (unsigned int) sctp->sctp_ip6h->ip6_hops;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVPKTINFO:
- if (sctp->sctp_ipv6_recvancillary &
- SCTP_IPV6_RECVPKTINFO) {
- *i1 = 1;
- } else {
- *i1 = 0;
- }
- break; /* goto sizeof (int) option return */
- case IPV6_RECVHOPLIMIT:
- if (sctp->sctp_ipv6_recvancillary &
- SCTP_IPV6_RECVHOPLIMIT) {
- *i1 = 1;
- } else {
- *i1 = 0;
- }
- break; /* goto sizeof (int) option return */
- case IPV6_RECVHOPOPTS:
- if (sctp->sctp_ipv6_recvancillary &
- SCTP_IPV6_RECVHOPOPTS) {
- *i1 = 1;
- } else {
- *i1 = 0;
- }
- break; /* goto sizeof (int) option return */
- case IPV6_RECVDSTOPTS:
- if (sctp->sctp_ipv6_recvancillary &
- SCTP_IPV6_RECVDSTOPTS) {
- *i1 = 1;
- } else {
- *i1 = 0;
- }
- break; /* goto sizeof (int) option return */
- case IPV6_RECVRTHDR:
- if (sctp->sctp_ipv6_recvancillary &
- SCTP_IPV6_RECVRTHDR) {
- *i1 = 1;
- } else {
- *i1 = 0;
- }
- break; /* goto sizeof (int) option return */
- case IPV6_RECVRTHDRDSTOPTS:
- if (sctp->sctp_ipv6_recvancillary &
- SCTP_IPV6_RECVRTDSTOPTS) {
- *i1 = 1;
- } else {
- *i1 = 0;
- }
- break; /* goto sizeof (int) option return */
- case IPV6_PKTINFO: {
- struct in6_pktinfo *pkti;
-
- if (buflen < sizeof (struct in6_pktinfo)) {
- retval = EINVAL;
- break;
- }
- pkti = (struct in6_pktinfo *)ptr;
- if (ipp->ipp_fields & IPPF_IFINDEX)
- pkti->ipi6_ifindex = ipp->ipp_ifindex;
- else
- pkti->ipi6_ifindex = 0;
- if (ipp->ipp_fields & IPPF_ADDR)
- pkti->ipi6_addr = ipp->ipp_addr;
- else
- pkti->ipi6_addr = ipv6_all_zeros;
- *optlen = sizeof (struct in6_pktinfo);
- break;
- }
- case IPV6_NEXTHOP: {
- sin6_t *sin6;
-
- if (buflen < sizeof (sin6_t)) {
- retval = EINVAL;
- break;
- }
- sin6 = (sin6_t *)ptr;
- if (!(ipp->ipp_fields & IPPF_NEXTHOP))
- break;
- *sin6 = sctp_sin6_null;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_addr = ipp->ipp_nexthop;
- *optlen = sizeof (sin6_t);
- break;
+ WAKE_SCTP(sctp);
+ return (0);
}
- case IPV6_HOPOPTS: {
- int len;
-
- if (!(ipp->ipp_fields & IPPF_HOPOPTS))
- break;
- len = ipp->ipp_hopoptslen - sctp->sctp_v6label_len;
- if (len <= 0)
- break;
- if (buflen < len) {
- retval = EINVAL;
- break;
- }
- bcopy((char *)ipp->ipp_hopopts +
- sctp->sctp_v6label_len, ptr, len);
- if (sctp->sctp_v6label_len > 0) {
- char *cptr = ptr;
-
- /*
- * If the label length is greater than zero,
- * then we need to hide the label from user.
- * Make it look as though a normal Hop-By-Hop
- * Options Header is present here.
- */
- cptr[0] = ((char *)ipp->ipp_hopopts)[0];
- cptr[1] = (len + 7) / 8 - 1;
- }
- *optlen = len;
- break;
- }
- case IPV6_RTHDRDSTOPTS:
- if (!(ipp->ipp_fields & IPPF_RTDSTOPTS))
- break;
- if (buflen < ipp->ipp_rtdstoptslen) {
- retval = EINVAL;
- break;
- }
- bcopy(ipp->ipp_rtdstopts, ptr, ipp->ipp_rtdstoptslen);
- *optlen = ipp->ipp_rtdstoptslen;
- break;
- case IPV6_RTHDR:
- if (!(ipp->ipp_fields & IPPF_RTHDR))
- break;
- if (buflen < ipp->ipp_rthdrlen) {
- retval = EINVAL;
- break;
- }
- bcopy(ipp->ipp_rthdr, ptr, ipp->ipp_rthdrlen);
- *optlen = ipp->ipp_rthdrlen;
- break;
- case IPV6_DSTOPTS:
- if (!(ipp->ipp_fields & IPPF_DSTOPTS))
- break;
- if (buflen < ipp->ipp_dstoptslen) {
- retval = EINVAL;
- break;
- }
- bcopy(ipp->ipp_dstopts, ptr, ipp->ipp_dstoptslen);
- *optlen = ipp->ipp_dstoptslen;
- break;
- case IPV6_V6ONLY:
- *i1 = sctp->sctp_connp->conn_ipv6_v6only;
- break;
default:
- retval = ENOPROTOOPT;
break;
}
break;
-
- default:
- retval = ENOPROTOOPT;
- break;
}
+ mutex_enter(&connp->conn_lock);
+ retval = conn_opt_get(&coas, level, name, ptr);
+ mutex_exit(&connp->conn_lock);
WAKE_SCTP(sctp);
- return (retval);
+ if (retval == -1)
+ return (EINVAL);
+ *optlen = retval;
+ return (0);
}
int
sctp_set_opt(sctp_t *sctp, int level, int name, const void *invalp,
socklen_t inlen)
{
- ip6_pkt_t *ipp = &sctp->sctp_sticky_ipp;
int *i1 = (int *)invalp;
boolean_t onoff;
int retval = 0, addrcnt;
conn_t *connp = sctp->sctp_connp;
sctp_stack_t *sctps = sctp->sctp_sctps;
+ conn_opt_arg_t coas;
+
+ coas.coa_connp = connp;
+ coas.coa_ixa = connp->conn_ixa;
+ coas.coa_ipp = &connp->conn_xmit_ipp;
+ coas.coa_ancillary = B_FALSE;
+ coas.coa_changed = 0;
/* In all cases, the size of the option must be bigger than int */
if (inlen >= sizeof (int32_t)) {
@@ -1211,74 +1055,42 @@ sctp_set_opt(sctp_t *sctp, int level, int name, const void *invalp,
return (EINVAL);
}
+ /*
+ * Check that the level and name are supported by SCTP, and that
+ * the length an credentials are ok.
+ */
+ retval = proto_opt_check(level, name, inlen, NULL, sctp_opt_arr,
+ sctp_opt_arr_size, B_TRUE, B_FALSE, connp->conn_cred);
+ if (retval != 0) {
+ if (retval < 0) {
+ retval = proto_tlitosyserr(-retval);
+ }
+ goto done;
+ }
+
+ /* Note: both SCTP and TCP interpret l_linger as being in seconds */
switch (level) {
case SOL_SOCKET:
- if (inlen < sizeof (int32_t)) {
- retval = EINVAL;
- break;
- }
switch (name) {
- case SO_LINGER: {
- struct linger *lgr;
-
- if (inlen != sizeof (struct linger)) {
- retval = EINVAL;
- break;
- }
- lgr = (struct linger *)invalp;
- if (lgr->l_onoff != 0) {
- sctp->sctp_linger = 1;
- sctp->sctp_lingertime = MSEC_TO_TICK(
- lgr->l_linger);
- } else {
- sctp->sctp_linger = 0;
- sctp->sctp_lingertime = 0;
- }
- break;
- }
- case SO_DEBUG:
- sctp->sctp_debug = onoff;
- break;
- case SO_KEEPALIVE:
- break;
- case SO_DONTROUTE:
- /*
- * SO_DONTROUTE, SO_USELOOPBACK and SO_BROADCAST are
- * only of interest to IP.
- */
- connp->conn_dontroute = onoff;
- break;
- case SO_USELOOPBACK:
- connp->conn_loopback = onoff;
- break;
- case SO_BROADCAST:
- connp->conn_broadcast = onoff;
- break;
- case SO_REUSEADDR:
- connp->conn_reuseaddr = onoff;
- break;
- case SO_DGRAM_ERRIND:
- sctp->sctp_dgram_errind = onoff;
- break;
case SO_SNDBUF:
if (*i1 > sctps->sctps_max_buf) {
retval = ENOBUFS;
- break;
+ goto done;
}
if (*i1 < 0) {
retval = EINVAL;
- break;
+ goto done;
}
- sctp->sctp_xmit_hiwater = *i1;
- if (sctps->sctps_snd_lowat_fraction != 0)
- sctp->sctp_xmit_lowater =
- sctp->sctp_xmit_hiwater /
+ connp->conn_sndbuf = *i1;
+ if (sctps->sctps_snd_lowat_fraction != 0) {
+ connp->conn_sndlowat = connp->conn_sndbuf /
sctps->sctps_snd_lowat_fraction;
- break;
+ }
+ goto done;
case SO_RCVBUF:
if (*i1 > sctps->sctps_max_buf) {
retval = ENOBUFS;
- break;
+ goto done;
}
/* Silently ignore zero */
if (*i1 != 0) {
@@ -1294,12 +1106,16 @@ sctp_set_opt(sctp_t *sctp, int level, int name, const void *invalp,
*i1 = MAX(*i1,
sctps->sctps_recv_hiwat_minmss *
sctp->sctp_mss);
- sctp->sctp_rwnd = *i1;
+ /*
+ * Note that sctp_rwnd is modified by the
+ * protocol and here we just whack it.
+ */
+ connp->conn_rcvbuf = sctp->sctp_rwnd = *i1;
sctp->sctp_irwnd = sctp->sctp_rwnd;
sctp->sctp_pd_point = sctp->sctp_rwnd;
sopp.sopp_flags = SOCKOPT_RCVHIWAT;
- sopp.sopp_rxhiwat = *i1;
+ sopp.sopp_rxhiwat = connp->conn_rcvbuf;
sctp->sctp_ulp_prop(sctp->sctp_ulpd, &sopp);
}
@@ -1307,60 +1123,29 @@ sctp_set_opt(sctp_t *sctp, int level, int name, const void *invalp,
* XXX should we return the rwnd here
* and sctp_opt_get ?
*/
- break;
+ goto done;
case SO_ALLZONES:
- if (secpolicy_ip(sctp->sctp_credp, OP_CONFIG,
- B_TRUE)) {
- retval = EACCES;
- break;
- }
if (sctp->sctp_state >= SCTPS_BOUND) {
retval = EINVAL;
- break;
+ goto done;
}
- sctp->sctp_allzones = onoff;
break;
case SO_MAC_EXEMPT:
- if (secpolicy_net_mac_aware(sctp->sctp_credp) != 0) {
- retval = EACCES;
- break;
- }
- if (sctp->sctp_state >= SCTPS_BOUND) {
- retval = EINVAL;
- break;
- }
- connp->conn_mac_mode = onoff ?
- CONN_MAC_AWARE : CONN_MAC_DEFAULT;
- break;
- case SO_MAC_IMPLICIT:
- if (secpolicy_net_mac_implicit(sctp->sctp_credp) != 0) {
- retval = EACCES;
- break;
- }
if (sctp->sctp_state >= SCTPS_BOUND) {
retval = EINVAL;
- break;
+ goto done;
}
- connp->conn_mac_mode = onoff ?
- CONN_MAC_AWARE : CONN_MAC_IMPLICIT;
- break;
- default:
- retval = ENOPROTOOPT;
break;
}
break;
case IPPROTO_SCTP:
- if (inlen < sizeof (int32_t)) {
- retval = EINVAL;
- break;
- }
switch (name) {
case SCTP_RTOINFO:
- retval = sctp_set_rtoinfo(sctp, invalp, inlen);
+ retval = sctp_set_rtoinfo(sctp, invalp);
break;
case SCTP_ASSOCINFO:
- retval = sctp_set_assocparams(sctp, invalp, inlen);
+ retval = sctp_set_assocparams(sctp, invalp);
break;
case SCTP_INITMSG:
retval = sctp_set_initmsg(sctp, invalp, inlen);
@@ -1378,37 +1163,28 @@ sctp_set_opt(sctp_t *sctp, int level, int name, const void *invalp,
sctp_heartbeat_timer(sctp);
break;
case SCTP_SET_PEER_PRIMARY_ADDR:
- retval = sctp_set_peerprim(sctp, invalp, inlen);
+ retval = sctp_set_peerprim(sctp, invalp);
break;
case SCTP_PRIMARY_ADDR:
- retval = sctp_set_prim(sctp, invalp, inlen);
+ retval = sctp_set_prim(sctp, invalp);
break;
case SCTP_ADAPTATION_LAYER: {
struct sctp_setadaptation *ssb;
- if (inlen < sizeof (struct sctp_setadaptation)) {
- retval = EINVAL;
- break;
- }
ssb = (struct sctp_setadaptation *)invalp;
sctp->sctp_send_adaptation = 1;
sctp->sctp_tx_adaptation_code = ssb->ssb_adaptation_ind;
break;
}
case SCTP_PEER_ADDR_PARAMS:
- retval = sctp_set_peer_addr_params(sctp, invalp,
- inlen);
+ retval = sctp_set_peer_addr_params(sctp, invalp);
break;
case SCTP_DEFAULT_SEND_PARAM:
- retval = sctp_set_def_send_params(sctp, invalp, inlen);
+ retval = sctp_set_def_send_params(sctp, invalp);
break;
case SCTP_EVENTS: {
struct sctp_event_subscribe *ev;
- if (inlen < sizeof (struct sctp_event_subscribe)) {
- retval = EINVAL;
- break;
- }
ev = (struct sctp_event_subscribe *)invalp;
sctp->sctp_recvsndrcvinfo =
ONOFF(ev->sctp_data_io_event);
@@ -1438,15 +1214,15 @@ sctp_set_opt(sctp_t *sctp, int level, int name, const void *invalp,
retval = EINVAL;
break;
}
- if (sctp->sctp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
addrcnt = inlen / sizeof (struct sockaddr_in);
} else {
- ASSERT(sctp->sctp_family == AF_INET6);
+ ASSERT(connp->conn_family == AF_INET6);
addrcnt = inlen / sizeof (struct sockaddr_in6);
}
if (name == SCTP_ADD_ADDR) {
retval = sctp_bind_add(sctp, invalp, addrcnt,
- B_TRUE, sctp->sctp_lport);
+ B_TRUE, connp->conn_lport);
} else {
retval = sctp_bind_del(sctp, invalp, addrcnt,
B_TRUE);
@@ -1458,10 +1234,6 @@ sctp_set_opt(sctp_t *sctp, int level, int name, const void *invalp,
/*
* Change handle & upcalls.
*/
- if (inlen < sizeof (*us)) {
- retval = EINVAL;
- break;
- }
us = (struct sctp_uc_swap *)invalp;
sctp->sctp_ulpd = us->sus_handle;
sctp->sctp_upcalls = us->sus_upcalls;
@@ -1474,33 +1246,17 @@ sctp_set_opt(sctp_t *sctp, int level, int name, const void *invalp,
case SCTP_MAXSEG:
case SCTP_DISABLE_FRAGMENTS:
/* Not yet supported. */
- default:
retval = ENOPROTOOPT;
break;
}
- break;
+ goto done;
case IPPROTO_IP:
- if (sctp->sctp_family != AF_INET) {
+ if (connp->conn_family != AF_INET) {
retval = ENOPROTOOPT;
- break;
- }
- if ((name != IP_OPTIONS) && (inlen < sizeof (int32_t))) {
- retval = EINVAL;
- break;
+ goto done;
}
switch (name) {
- case IP_OPTIONS:
- case T_IP_OPTIONS:
- retval = sctp_opt_set_header(sctp, invalp, inlen);
- break;
- case IP_TOS:
- case T_IP_TOS:
- sctp->sctp_ipha->ipha_type_of_service = (uchar_t)*i1;
- break;
- case IP_TTL:
- sctp->sctp_ipha->ipha_ttl = (uchar_t)*i1;
- break;
case IP_SEC_OPT:
/*
* We should not allow policy setting after
@@ -1508,319 +1264,30 @@ sctp_set_opt(sctp_t *sctp, int level, int name, const void *invalp,
*/
if (sctp->sctp_state >= SCTPS_LISTEN) {
retval = EINVAL;
- } else {
- retval = ipsec_set_req(sctp->sctp_credp,
- sctp->sctp_connp, (ipsec_req_t *)invalp);
- }
- break;
- /* IP level options */
- case IP_UNSPEC_SRC:
- connp->conn_unspec_src = onoff;
- break;
- case IP_NEXTHOP: {
- ipaddr_t addr = *i1;
- ipif_t *ipif = NULL;
- ill_t *ill;
- ip_stack_t *ipst = sctps->sctps_netstack->netstack_ip;
-
- if (secpolicy_ip(sctp->sctp_credp, OP_CONFIG,
- B_TRUE) == 0) {
- ipif = ipif_lookup_onlink_addr(addr,
- connp->conn_zoneid, ipst);
- if (ipif == NULL) {
- retval = EHOSTUNREACH;
- break;
- }
- ill = ipif->ipif_ill;
- mutex_enter(&ill->ill_lock);
- if ((ill->ill_state_flags & ILL_CONDEMNED) ||
- (ipif->ipif_state_flags & IPIF_CONDEMNED)) {
- mutex_exit(&ill->ill_lock);
- ipif_refrele(ipif);
- retval = EHOSTUNREACH;
- break;
- }
- mutex_exit(&ill->ill_lock);
- ipif_refrele(ipif);
- mutex_enter(&connp->conn_lock);
- connp->conn_nexthop_v4 = addr;
- connp->conn_nexthop_set = B_TRUE;
- mutex_exit(&connp->conn_lock);
+ goto done;
}
break;
}
- default:
- retval = ENOPROTOOPT;
- break;
- }
break;
- case IPPROTO_IPV6: {
- if (sctp->sctp_family != AF_INET6) {
- retval = ENOPROTOOPT;
- break;
+ case IPPROTO_IPV6:
+ if (connp->conn_family != AF_INET6) {
+ retval = EINVAL;
+ goto done;
}
switch (name) {
- case IPV6_UNICAST_HOPS:
- if (inlen < sizeof (int32_t)) {
- retval = EINVAL;
- break;
- }
- if (*i1 < -1 || *i1 > IPV6_MAX_HOPS) {
- retval = EINVAL;
- break;
- }
- if (*i1 == -1) {
- ipp->ipp_unicast_hops =
- sctps->sctps_ipv6_hoplimit;
- ipp->ipp_fields &= ~IPPF_UNICAST_HOPS;
- } else {
- ipp->ipp_unicast_hops = (uint8_t)*i1;
- ipp->ipp_fields |= IPPF_UNICAST_HOPS;
- }
- retval = sctp_build_hdrs(sctp);
- break;
- case IPV6_UNSPEC_SRC:
- if (inlen < sizeof (int32_t)) {
- retval = EINVAL;
- break;
- }
- connp->conn_unspec_src = onoff;
- break;
case IPV6_RECVPKTINFO:
- if (inlen < sizeof (int32_t)) {
- retval = EINVAL;
- break;
- }
- if (onoff)
- sctp->sctp_ipv6_recvancillary |=
- SCTP_IPV6_RECVPKTINFO;
- else
- sctp->sctp_ipv6_recvancillary &=
- ~SCTP_IPV6_RECVPKTINFO;
/* Send it with the next msg */
sctp->sctp_recvifindex = 0;
- connp->conn_ip_recvpktinfo = onoff;
+ break;
+ case IPV6_RECVTCLASS:
+ /* Force it to be sent up with the next msg */
+ sctp->sctp_recvtclass = 0xffffffffU;
break;
case IPV6_RECVHOPLIMIT:
- if (inlen < sizeof (int32_t)) {
- retval = EINVAL;
- break;
- }
- if (onoff)
- sctp->sctp_ipv6_recvancillary |=
- SCTP_IPV6_RECVHOPLIMIT;
- else
- sctp->sctp_ipv6_recvancillary &=
- ~SCTP_IPV6_RECVHOPLIMIT;
+ /* Force it to be sent up with the next msg */
sctp->sctp_recvhops = 0xffffffffU;
- connp->conn_ipv6_recvhoplimit = onoff;
- break;
- case IPV6_RECVHOPOPTS:
- if (inlen < sizeof (int32_t)) {
- retval = EINVAL;
- break;
- }
- if (onoff)
- sctp->sctp_ipv6_recvancillary |=
- SCTP_IPV6_RECVHOPOPTS;
- else
- sctp->sctp_ipv6_recvancillary &=
- ~SCTP_IPV6_RECVHOPOPTS;
- connp->conn_ipv6_recvhopopts = onoff;
- break;
- case IPV6_RECVDSTOPTS:
- if (inlen < sizeof (int32_t)) {
- retval = EINVAL;
- break;
- }
- if (onoff)
- sctp->sctp_ipv6_recvancillary |=
- SCTP_IPV6_RECVDSTOPTS;
- else
- sctp->sctp_ipv6_recvancillary &=
- ~SCTP_IPV6_RECVDSTOPTS;
- connp->conn_ipv6_recvdstopts = onoff;
- break;
- case IPV6_RECVRTHDR:
- if (inlen < sizeof (int32_t)) {
- retval = EINVAL;
- break;
- }
- if (onoff)
- sctp->sctp_ipv6_recvancillary |=
- SCTP_IPV6_RECVRTHDR;
- else
- sctp->sctp_ipv6_recvancillary &=
- ~SCTP_IPV6_RECVRTHDR;
- connp->conn_ipv6_recvrthdr = onoff;
- break;
- case IPV6_RECVRTHDRDSTOPTS:
- if (inlen < sizeof (int32_t)) {
- retval = EINVAL;
- break;
- }
- if (onoff)
- sctp->sctp_ipv6_recvancillary |=
- SCTP_IPV6_RECVRTDSTOPTS;
- else
- sctp->sctp_ipv6_recvancillary &=
- ~SCTP_IPV6_RECVRTDSTOPTS;
- connp->conn_ipv6_recvrtdstopts = onoff;
- break;
- case IPV6_PKTINFO:
- if (inlen != 0 &&
- inlen != sizeof (struct in6_pktinfo)) {
- retval = EINVAL;
- break;
- }
-
- if (inlen == 0) {
- ipp->ipp_fields &= ~(IPPF_IFINDEX |IPPF_ADDR);
- } else {
- struct in6_pktinfo *pkti;
-
- pkti = (struct in6_pktinfo *)invalp;
- /* XXX Need to check if the index exists */
- ipp->ipp_ifindex = pkti->ipi6_ifindex;
- ipp->ipp_addr = pkti->ipi6_addr;
- if (ipp->ipp_ifindex != 0)
- ipp->ipp_fields |= IPPF_IFINDEX;
- else
- ipp->ipp_fields &= ~IPPF_IFINDEX;
- if (!IN6_IS_ADDR_UNSPECIFIED(&ipp->ipp_addr))
- ipp->ipp_fields |= IPPF_ADDR;
- else
- ipp->ipp_fields &= ~IPPF_ADDR;
- }
- retval = sctp_build_hdrs(sctp);
- break;
- case IPV6_NEXTHOP: {
- struct sockaddr_in6 *sin6;
- ip_stack_t *ipst = sctps->sctps_netstack->netstack_ip;
-
- if (inlen != 0 && inlen != sizeof (sin6_t)) {
- retval = EINVAL;
- break;
- }
-
- if (inlen == 0) {
- ipp->ipp_fields &= ~IPPF_NEXTHOP;
- } else {
- sin6 = (struct sockaddr_in6 *)invalp;
- if (sin6->sin6_family != AF_INET6) {
- retval = EAFNOSUPPORT;
- break;
- }
- if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
- retval = EADDRNOTAVAIL;
- break;
- }
- ipp->ipp_nexthop = sin6->sin6_addr;
- if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
- ipp->ipp_fields &= ~IPPF_NEXTHOP;
- } else {
- ire_t *ire;
-
- ire = ire_route_lookup_v6(
- &sin6->sin6_addr, NULL, NULL, 0,
- NULL, NULL, ALL_ZONES, NULL,
- MATCH_IRE_DEFAULT, ipst);
- if (ire == NULL) {
- retval = EHOSTUNREACH;
- break;
- }
- ire_refrele(ire);
- ipp->ipp_fields |= IPPF_NEXTHOP;
- }
- }
- retval = sctp_build_hdrs(sctp);
- break;
- }
- case IPV6_HOPOPTS: {
- ip6_hbh_t *hopts = (ip6_hbh_t *)invalp;
-
- if (inlen != 0 &&
- inlen != (8 * (hopts->ip6h_len + 1))) {
- retval = EINVAL;
- break;
- }
-
- retval = optcom_pkt_set((uchar_t *)invalp, inlen,
- B_TRUE, (uchar_t **)&ipp->ipp_hopopts,
- &ipp->ipp_hopoptslen, sctp->sctp_v6label_len);
- if (retval != 0)
- break;
- if (ipp->ipp_hopoptslen == 0)
- ipp->ipp_fields &= ~IPPF_HOPOPTS;
- else
- ipp->ipp_fields |= IPPF_HOPOPTS;
- retval = sctp_build_hdrs(sctp);
- break;
- }
- case IPV6_RTHDRDSTOPTS: {
- ip6_dest_t *dopts = (ip6_dest_t *)invalp;
-
- if (inlen != 0 &&
- inlen != (8 * (dopts->ip6d_len + 1))) {
- retval = EINVAL;
- break;
- }
-
- retval = optcom_pkt_set((uchar_t *)invalp, inlen,
- B_TRUE, (uchar_t **)&ipp->ipp_rtdstopts,
- &ipp->ipp_rtdstoptslen, 0);
- if (retval != 0)
- break;
- if (ipp->ipp_rtdstoptslen == 0)
- ipp->ipp_fields &= ~IPPF_RTDSTOPTS;
- else
- ipp->ipp_fields |= IPPF_RTDSTOPTS;
- retval = sctp_build_hdrs(sctp);
- break;
- }
- case IPV6_DSTOPTS: {
- ip6_dest_t *dopts = (ip6_dest_t *)invalp;
-
- if (inlen != 0 &&
- inlen != (8 * (dopts->ip6d_len + 1))) {
- retval = EINVAL;
- break;
- }
-
- retval = optcom_pkt_set((uchar_t *)invalp, inlen,
- B_TRUE, (uchar_t **)&ipp->ipp_dstopts,
- &ipp->ipp_dstoptslen, 0);
- if (retval != 0)
- break;
- if (ipp->ipp_dstoptslen == 0)
- ipp->ipp_fields &= ~IPPF_DSTOPTS;
- else
- ipp->ipp_fields |= IPPF_DSTOPTS;
- retval = sctp_build_hdrs(sctp);
break;
- }
- case IPV6_RTHDR: {
- ip6_rthdr_t *rt = (ip6_rthdr_t *)invalp;
-
- if (inlen != 0 &&
- inlen != (8 * (rt->ip6r_len + 1))) {
- retval = EINVAL;
- break;
- }
-
- retval = optcom_pkt_set((uchar_t *)invalp, inlen,
- B_TRUE, (uchar_t **)&ipp->ipp_rthdr,
- &ipp->ipp_rthdrlen, 0);
- if (retval != 0)
- break;
- if (ipp->ipp_rthdrlen == 0)
- ipp->ipp_fields &= ~IPPF_RTHDR;
- else
- ipp->ipp_fields |= IPPF_RTHDR;
- retval = sctp_build_hdrs(sctp);
- break;
- }
case IPV6_SEC_OPT:
/*
* We should not allow policy setting after
@@ -1828,9 +1295,7 @@ sctp_set_opt(sctp_t *sctp, int level, int name, const void *invalp,
*/
if (sctp->sctp_state >= SCTPS_LISTEN) {
retval = EINVAL;
- } else {
- retval = ipsec_set_req(sctp->sctp_credp,
- sctp->sctp_connp, (ipsec_req_t *)invalp);
+ goto done;
}
break;
case IPV6_V6ONLY:
@@ -1840,21 +1305,44 @@ sctp_set_opt(sctp_t *sctp, int level, int name, const void *invalp,
*/
if (sctp->sctp_state >= SCTPS_BOUND) {
retval = EINVAL;
- } else {
- sctp->sctp_connp->conn_ipv6_v6only = onoff;
+ goto done;
}
break;
- default:
- retval = ENOPROTOOPT;
- break;
}
break;
}
- default:
- retval = ENOPROTOOPT;
- break;
- }
+ retval = conn_opt_set(&coas, level, name, inlen, (uchar_t *)invalp,
+ B_FALSE, connp->conn_cred);
+ if (retval != 0)
+ goto done;
+
+ if (coas.coa_changed & COA_ROUTE_CHANGED) {
+ sctp_faddr_t *fp;
+ /*
+ * We recache the information which might pick a different
+ * source and redo IPsec as a result.
+ */
+ for (fp = sctp->sctp_faddrs; fp != NULL; fp = fp->next)
+ sctp_get_dest(sctp, fp);
+ }
+ if (coas.coa_changed & COA_HEADER_CHANGED) {
+ retval = sctp_build_hdrs(sctp, KM_NOSLEEP);
+ if (retval != 0)
+ goto done;
+ }
+ if (coas.coa_changed & COA_WROFF_CHANGED) {
+ connp->conn_wroff = connp->conn_ht_iphc_allocated +
+ sctps->sctps_wroff_xtra;
+ if (sctp->sctp_current != NULL) {
+ /*
+ * Could be setting options before setting up
+ * connection.
+ */
+ sctp_set_ulp_prop(sctp);
+ }
+ }
+done:
WAKE_SCTP(sctp);
return (retval);
}
@@ -1871,18 +1359,19 @@ sctp_getsockname(sctp_t *sctp, struct sockaddr *addr, socklen_t *addrlen)
int addrcnt = 1;
sin_t *sin4;
sin6_t *sin6;
+ conn_t *connp = sctp->sctp_connp;
ASSERT(sctp != NULL);
RUN_SCTP(sctp);
- addr->sa_family = sctp->sctp_family;
- switch (sctp->sctp_family) {
+ addr->sa_family = connp->conn_family;
+ switch (connp->conn_family) {
case AF_INET:
sin4 = (sin_t *)addr;
if ((sctp->sctp_state <= SCTPS_LISTEN) &&
sctp->sctp_bound_to_all) {
sin4->sin_addr.s_addr = INADDR_ANY;
- sin4->sin_port = sctp->sctp_lport;
+ sin4->sin_port = connp->conn_lport;
} else {
err = sctp_getmyaddrs(sctp, sin4, &addrcnt);
if (err != 0) {
@@ -1897,7 +1386,7 @@ sctp_getsockname(sctp_t *sctp, struct sockaddr *addr, socklen_t *addrlen)
if ((sctp->sctp_state <= SCTPS_LISTEN) &&
sctp->sctp_bound_to_all) {
bzero(&sin6->sin6_addr, sizeof (sin6->sin6_addr));
- sin6->sin6_port = sctp->sctp_lport;
+ sin6->sin6_port = connp->conn_lport;
} else {
err = sctp_getmyaddrs(sctp, sin6, &addrcnt);
if (err != 0) {
@@ -1906,10 +1395,7 @@ sctp_getsockname(sctp_t *sctp, struct sockaddr *addr, socklen_t *addrlen)
}
}
*addrlen = sizeof (struct sockaddr_in6);
- sin6->sin6_flowinfo = sctp->sctp_ip6h->ip6_vcf &
- ~IPV6_VERS_AND_FLOW_MASK;
- sin6->sin6_scope_id = 0;
- sin6->__sin6_src_id = 0;
+ /* Note that flowinfo is only returned for getpeername */
break;
}
WAKE_SCTP(sctp);
@@ -1927,12 +1413,13 @@ sctp_getpeername(sctp_t *sctp, struct sockaddr *addr, socklen_t *addrlen)
int err = 0;
int addrcnt = 1;
sin6_t *sin6;
+ conn_t *connp = sctp->sctp_connp;
ASSERT(sctp != NULL);
RUN_SCTP(sctp);
- addr->sa_family = sctp->sctp_family;
- switch (sctp->sctp_family) {
+ addr->sa_family = connp->conn_family;
+ switch (connp->conn_family) {
case AF_INET:
err = sctp_getpeeraddrs(sctp, addr, &addrcnt);
if (err != 0) {
@@ -1949,9 +1436,6 @@ sctp_getpeername(sctp_t *sctp, struct sockaddr *addr, socklen_t *addrlen)
break;
}
*addrlen = sizeof (struct sockaddr_in6);
- sin6->sin6_flowinfo = 0;
- sin6->sin6_scope_id = 0;
- sin6->__sin6_src_id = 0;
break;
}
WAKE_SCTP(sctp);
@@ -1973,13 +1457,14 @@ sctp_getpeeraddrs(sctp_t *sctp, void *paddrs, int *addrcnt)
int cnt;
sctp_faddr_t *fp = sctp->sctp_faddrs;
in6_addr_t addr;
+ conn_t *connp = sctp->sctp_connp;
ASSERT(sctp != NULL);
if (sctp->sctp_faddrs == NULL)
return (ENOTCONN);
- family = sctp->sctp_family;
+ family = connp->conn_family;
max = *addrcnt;
/* If we want only one, give the primary */
@@ -1989,15 +1474,26 @@ sctp_getpeeraddrs(sctp_t *sctp, void *paddrs, int *addrcnt)
case AF_INET:
sin4 = paddrs;
IN6_V4MAPPED_TO_INADDR(&addr, &sin4->sin_addr);
- sin4->sin_port = sctp->sctp_fport;
+ sin4->sin_port = connp->conn_fport;
sin4->sin_family = AF_INET;
break;
case AF_INET6:
sin6 = paddrs;
sin6->sin6_addr = addr;
- sin6->sin6_port = sctp->sctp_fport;
+ sin6->sin6_port = connp->conn_fport;
sin6->sin6_family = AF_INET6;
+ sin6->sin6_flowinfo = connp->conn_flowinfo;
+ if (IN6_IS_ADDR_LINKSCOPE(&addr) &&
+ sctp->sctp_primary != NULL &&
+ (sctp->sctp_primary->ixa->ixa_flags &
+ IXAF_SCOPEID_SET)) {
+ sin6->sin6_scope_id =
+ sctp->sctp_primary->ixa->ixa_scopeid;
+ } else {
+ sin6->sin6_scope_id = 0;
+ }
+ sin6->__sin6_src_id = 0;
break;
}
return (0);
@@ -2010,14 +1506,21 @@ sctp_getpeeraddrs(sctp_t *sctp, void *paddrs, int *addrcnt)
ASSERT(IN6_IS_ADDR_V4MAPPED(&addr));
sin4 = (struct sockaddr_in *)paddrs + cnt;
IN6_V4MAPPED_TO_INADDR(&addr, &sin4->sin_addr);
- sin4->sin_port = sctp->sctp_fport;
+ sin4->sin_port = connp->conn_fport;
sin4->sin_family = AF_INET;
break;
case AF_INET6:
sin6 = (struct sockaddr_in6 *)paddrs + cnt;
sin6->sin6_addr = addr;
- sin6->sin6_port = sctp->sctp_fport;
+ sin6->sin6_port = connp->conn_fport;
sin6->sin6_family = AF_INET6;
+ sin6->sin6_flowinfo = connp->conn_flowinfo;
+ if (IN6_IS_ADDR_LINKSCOPE(&addr) &&
+ (fp->ixa->ixa_flags & IXAF_SCOPEID_SET))
+ sin6->sin6_scope_id = fp->ixa->ixa_scopeid;
+ else
+ sin6->sin6_scope_id = 0;
+ sin6->__sin6_src_id = 0;
break;
}
}
diff --git a/usr/src/uts/common/inet/sctp/sctp_output.c b/usr/src/uts/common/inet/sctp/sctp_output.c
index c16a1166fa..1a50097260 100644
--- a/usr/src/uts/common/inet/sctp/sctp_output.c
+++ b/usr/src/uts/common/inet/sctp/sctp_output.c
@@ -38,6 +38,7 @@
#include <inet/common.h>
#include <inet/mi.h>
#include <inet/ip.h>
+#include <inet/ip_ire.h>
#include <inet/ip6.h>
#include <inet/sctp_ip.h>
#include <inet/ipclassifier.h>
@@ -140,6 +141,7 @@ sctp_sendmsg(sctp_t *sctp, mblk_t *mp, int flags)
sctp_msg_hdr_t *sctp_msg_hdr;
uint32_t msg_len = 0;
uint32_t timetolive = sctp->sctp_def_timetolive;
+ conn_t *connp = sctp->sctp_connp;
ASSERT(DB_TYPE(mproto) == M_PROTO);
@@ -228,7 +230,7 @@ sctp_sendmsg(sctp_t *sctp, mblk_t *mp, int flags)
RUN_SCTP(sctp);
sctp_user_abort(sctp, mp);
freemsg(mproto);
- goto process_sendq;
+ goto done2;
}
if (mp == NULL)
goto done;
@@ -292,15 +294,14 @@ sctp_sendmsg(sctp_t *sctp, mblk_t *mp, int flags)
/*
* Notify sockfs if the tx queue is full.
*/
- if (SCTP_TXQ_LEN(sctp) >= sctp->sctp_xmit_hiwater) {
+ if (SCTP_TXQ_LEN(sctp) >= connp->conn_sndbuf) {
sctp->sctp_txq_full = 1;
sctp->sctp_ulp_xmitted(sctp->sctp_ulpd, B_TRUE);
}
if (sctp->sctp_state == SCTPS_ESTABLISHED)
sctp_output(sctp, UINT_MAX);
-process_sendq:
+done2:
WAKE_SCTP(sctp);
- sctp_process_sendq(sctp);
return (0);
unlock_done:
WAKE_SCTP(sctp);
@@ -569,7 +570,7 @@ sctp_add_proto_hdr(sctp_t *sctp, sctp_faddr_t *fp, mblk_t *mp, int sacklen,
int *error)
{
int hdrlen;
- char *hdr;
+ uchar_t *hdr;
int isv4 = fp->isv4;
sctp_stack_t *sctps = sctp->sctp_sctps;
@@ -584,17 +585,19 @@ sctp_add_proto_hdr(sctp_t *sctp, sctp_faddr_t *fp, mblk_t *mp, int sacklen,
hdr = sctp->sctp_iphc6;
}
/*
- * A null fp->ire could mean that the address is 'down'. Similarly,
+ * A reject|blackhole could mean that the address is 'down'. Similarly,
* it is possible that the address went down, we tried to send an
* heartbeat and ended up setting fp->saddr as unspec because we
* didn't have any usable source address. In either case
- * sctp_get_ire() will try find an IRE, if available, and set
+ * sctp_get_dest() will try find an IRE, if available, and set
* the source address, if needed. If we still don't have any
* usable source address, fp->state will be SCTP_FADDRS_UNREACH and
* we return EHOSTUNREACH.
*/
- if (fp->ire == NULL || SCTP_IS_ADDR_UNSPEC(fp->isv4, fp->saddr)) {
- sctp_get_ire(sctp, fp);
+ ASSERT(fp->ixa->ixa_ire != NULL);
+ if ((fp->ixa->ixa_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
+ SCTP_IS_ADDR_UNSPEC(fp->isv4, fp->saddr)) {
+ sctp_get_dest(sctp, fp);
if (fp->state == SCTP_FADDRS_UNREACH) {
if (error != NULL)
*error = EHOSTUNREACH;
@@ -603,8 +606,7 @@ sctp_add_proto_hdr(sctp_t *sctp, sctp_faddr_t *fp, mblk_t *mp, int sacklen,
}
/* Copy in IP header. */
if ((mp->b_rptr - mp->b_datap->db_base) <
- (sctps->sctps_wroff_xtra + hdrlen + sacklen) || DB_REF(mp) > 2 ||
- !IS_P2ALIGNED(DB_BASE(mp), sizeof (ire_t *))) {
+ (sctps->sctps_wroff_xtra + hdrlen + sacklen) || DB_REF(mp) > 2) {
mblk_t *nmp;
/*
@@ -612,8 +614,8 @@ sctp_add_proto_hdr(sctp_t *sctp, sctp_faddr_t *fp, mblk_t *mp, int sacklen,
* data was moved into chunks, or during retransmission,
* or things like snoop is running.
*/
- nmp = allocb_cred(sctps->sctps_wroff_xtra + hdrlen + sacklen,
- CONN_CRED(sctp->sctp_connp), sctp->sctp_cpid);
+ nmp = allocb(sctps->sctps_wroff_xtra + hdrlen + sacklen,
+ BPRI_MED);
if (nmp == NULL) {
if (error != NULL)
*error = ENOMEM;
@@ -625,7 +627,6 @@ sctp_add_proto_hdr(sctp_t *sctp, sctp_faddr_t *fp, mblk_t *mp, int sacklen,
mp = nmp;
} else {
mp->b_rptr -= (hdrlen + sacklen);
- mblk_setcred(mp, CONN_CRED(sctp->sctp_connp), sctp->sctp_cpid);
}
bcopy(hdr, mp->b_rptr, hdrlen);
if (sacklen) {
@@ -644,26 +645,16 @@ sctp_add_proto_hdr(sctp_t *sctp, sctp_faddr_t *fp, mblk_t *mp, int sacklen,
iph->ipha_src = INADDR_ANY;
}
} else {
- ((ip6_t *)(mp->b_rptr))->ip6_dst = fp->faddr;
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+
+ ip6h->ip6_dst = fp->faddr;
if (!IN6_IS_ADDR_UNSPECIFIED(&fp->saddr)) {
- ((ip6_t *)(mp->b_rptr))->ip6_src = fp->saddr;
+ ip6h->ip6_src = fp->saddr;
} else if (sctp->sctp_bound_to_all) {
- V6_SET_ZERO(((ip6_t *)(mp->b_rptr))->ip6_src);
+ ip6h->ip6_src = ipv6_all_zeros;
}
}
}
- /*
- * IP will not free this IRE if it is condemned. SCTP needs to
- * free it.
- */
- if ((fp->ire != NULL) && (fp->ire->ire_marks & IRE_MARK_CONDEMNED)) {
- IRE_REFRELE_NOTR(fp->ire);
- fp->ire = NULL;
- }
-
- /* Stash the conn and ire ptr info for IP */
- SCTP_STASH_IPINFO(mp, fp->ire);
-
return (mp);
}
@@ -985,8 +976,9 @@ sctp_fast_rexmit(sctp_t *sctp)
iph->ipha_fragment_offset_and_flags = 0;
}
- sctp_set_iplen(sctp, head);
- sctp_add_sendq(sctp, head);
+ sctp_set_iplen(sctp, head, fp->ixa);
+ (void) conn_ip_output(head, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
sctp->sctp_active = fp->lastactive = lbolt64;
}
@@ -1280,8 +1272,9 @@ sctp_output(sctp_t *sctp, uint_t num_pkt)
seglen - xtralen, ntohl(sdc->sdh_tsn),
ntohs(sdc->sdh_ssn), (void *)fp, sctp->sctp_frwnd,
cansend, sctp->sctp_lastack_rxd));
- sctp_set_iplen(sctp, head);
- sctp_add_sendq(sctp, head);
+ sctp_set_iplen(sctp, head, fp->ixa);
+ (void) conn_ip_output(head, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
/* arm rto timer (if not set) */
if (!fp->timer_running)
SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
@@ -1415,8 +1408,7 @@ sctp_make_ftsn_chunk(sctp_t *sctp, sctp_faddr_t *fp, sctp_ftsn_set_t *sets,
xtralen = sctp->sctp_hdr_len + sctps->sctps_wroff_xtra;
else
xtralen = sctp->sctp_hdr6_len + sctps->sctps_wroff_xtra;
- ftsn_mp = allocb_cred(xtralen + seglen, CONN_CRED(sctp->sctp_connp),
- sctp->sctp_cpid);
+ ftsn_mp = allocb(xtralen + seglen, BPRI_MED);
if (ftsn_mp == NULL)
return (NULL);
ftsn_mp->b_rptr += xtralen;
@@ -1804,8 +1796,9 @@ out:
pkt = sctp_rexmit_packet(sctp, &meta, &mp, fp, &pkt_len);
if (pkt != NULL) {
ASSERT(pkt_len <= fp->sfa_pmss);
- sctp_set_iplen(sctp, pkt);
- sctp_add_sendq(sctp, pkt);
+ sctp_set_iplen(sctp, pkt, fp->ixa);
+ (void) conn_ip_output(pkt, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
} else {
SCTP_KSTAT(sctps, sctp_ss_rexmit_failed);
}
@@ -2022,8 +2015,9 @@ done_bundle:
sctp->sctp_rexmitting = B_TRUE;
sctp->sctp_rxt_nxttsn = first_ua_tsn;
sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn - 1;
- sctp_set_iplen(sctp, head);
- sctp_add_sendq(sctp, head);
+ sctp_set_iplen(sctp, head, fp->ixa);
+ (void) conn_ip_output(head, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
/*
* Restart the oldfp timer with exponential backoff and
@@ -2305,8 +2299,9 @@ found_msg:
*/
iph->ipha_fragment_offset_and_flags = 0;
}
- sctp_set_iplen(sctp, pkt);
- sctp_add_sendq(sctp, pkt);
+ sctp_set_iplen(sctp, pkt, fp->ixa);
+ (void) conn_ip_output(pkt, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
/* Check and see if there is more chunk to be retransmitted. */
if (tot_wnd <= pkt_len || tot_wnd - pkt_len < fp->sfa_pmss ||
diff --git a/usr/src/uts/common/inet/sctp/sctp_param.c b/usr/src/uts/common/inet/sctp/sctp_param.c
index 5d5ed19676..26365c5a06 100644
--- a/usr/src/uts/common/inet/sctp/sctp_param.c
+++ b/usr/src/uts/common/inet/sctp/sctp_param.c
@@ -20,12 +20,10 @@
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/stream.h>
#include <sys/socket.h>
#include <sys/ddi.h>
@@ -72,11 +70,8 @@
/*
* sctp_wroff_xtra is the extra space in front of SCTP/IP header for link
* layer header. It has to be a multiple of 4.
- * Also there has to be enough space to stash in information passed between
- * IP and SCTP.
*/
-sctpparam_t lcl_sctp_wroff_xtra_param = { sizeof (conn_t *) + sizeof (ire_t *),
- 256, 32, "sctp_wroff_xtra" };
+sctpparam_t lcl_sctp_wroff_xtra_param = { 0, 256, 32, "sctp_wroff_xtra" };
/*
* All of these are alterable, within the min/max values given, at run time.
@@ -343,7 +338,7 @@ sctp_nd_init(sctp_stack_t *sctps)
bcopy(lcl_sctp_param_arr, pa, sizeof (lcl_sctp_param_arr));
sctps->sctps_params = pa;
return (sctp_param_register(&sctps->sctps_g_nd, pa,
- A_CNT(lcl_sctp_param_arr), sctps));
+ A_CNT(lcl_sctp_param_arr), sctps));
}
int
diff --git a/usr/src/uts/common/inet/sctp/sctp_shutdown.c b/usr/src/uts/common/inet/sctp/sctp_shutdown.c
index b58016eb15..ff835a60c0 100644
--- a/usr/src/uts/common/inet/sctp/sctp_shutdown.c
+++ b/usr/src/uts/common/inet/sctp/sctp_shutdown.c
@@ -20,7 +20,7 @@
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -35,6 +35,7 @@
#include <netinet/in.h>
#include <netinet/ip6.h>
+#include <inet/ipsec_impl.h>
#include <inet/common.h>
#include <inet/ip.h>
#include <inet/ip6.h>
@@ -129,12 +130,12 @@ sctp_send_shutdown(sctp_t *sctp, int rexmit)
/* Link the shutdown chunk in after the IP/SCTP header */
- sctp_set_iplen(sctp, sendmp);
-
BUMP_LOCAL(sctp->sctp_obchunks);
/* Send the shutdown and restart the timer */
- sctp_add_sendq(sctp, sendmp);
+ sctp_set_iplen(sctp, sendmp, fp->ixa);
+ (void) conn_ip_output(sendmp, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
done:
sctp->sctp_state = SCTPS_SHUTDOWN_SENT;
@@ -211,11 +212,11 @@ sctp_shutdown_received(sctp_t *sctp, sctp_chunk_hdr_t *sch, boolean_t crwsd,
}
}
- sctp_set_iplen(sctp, samp);
-
BUMP_LOCAL(sctp->sctp_obchunks);
- sctp_add_sendq(sctp, samp);
+ sctp_set_iplen(sctp, samp, fp->ixa);
+ (void) conn_ip_output(samp, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
dotimer:
sctp->sctp_state = SCTPS_SHUTDOWN_ACK_SENT;
@@ -232,7 +233,7 @@ sctp_shutdown_complete(sctp_t *sctp)
sctp_chunk_hdr_t *scch;
sctp_stack_t *sctps = sctp->sctp_sctps;
- scmp = sctp_make_mp(sctp, NULL, sizeof (*scch));
+ scmp = sctp_make_mp(sctp, sctp->sctp_current, sizeof (*scch));
if (scmp == NULL) {
/* XXX use timer approach */
SCTP_KSTAT(sctps, sctp_send_shutdown_comp_failed);
@@ -246,11 +247,11 @@ sctp_shutdown_complete(sctp_t *sctp)
scmp->b_wptr += sizeof (*scch);
- sctp_set_iplen(sctp, scmp);
-
BUMP_LOCAL(sctp->sctp_obchunks);
- sctp_add_sendq(sctp, scmp);
+ sctp_set_iplen(sctp, scmp, sctp->sctp_current->ixa);
+ (void) conn_ip_output(scmp, sctp->sctp_current->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
}
/*
@@ -259,91 +260,99 @@ sctp_shutdown_complete(sctp_t *sctp)
* and instead must draw all necessary info from the incoming packet.
*/
void
-sctp_ootb_shutdown_ack(sctp_t *gsctp, mblk_t *inmp, uint_t ip_hdr_len)
+sctp_ootb_shutdown_ack(mblk_t *mp, uint_t ip_hdr_len, ip_recv_attr_t *ira,
+ ip_stack_t *ipst)
{
boolean_t isv4;
- ipha_t *inip4h;
- ip6_t *inip6h;
+ ipha_t *ipha = NULL;
+ ip6_t *ip6h = NULL;
sctp_hdr_t *insctph;
sctp_chunk_hdr_t *scch;
int i;
uint16_t port;
mblk_t *mp1;
- sctp_stack_t *sctps = gsctp->sctp_sctps;
+ netstack_t *ns = ipst->ips_netstack;
+ sctp_stack_t *sctps = ns->netstack_sctp;
+ ip_xmit_attr_t ixas;
- isv4 = (IPH_HDR_VERSION(inmp->b_rptr) == IPV4_VERSION);
+ bzero(&ixas, sizeof (ixas));
- /*
- * The gsctp should contain the minimal IP header. So the
- * incoming mblk should be able to hold the new SCTP packet.
- */
- ASSERT(MBLKL(inmp) >= sizeof (*insctph) + sizeof (*scch) +
- (isv4 ? gsctp->sctp_ip_hdr_len : gsctp->sctp_ip_hdr6_len));
+ isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
+
+ ASSERT(MBLKL(mp) >= sizeof (*insctph) + sizeof (*scch) +
+ (isv4 ? sizeof (ipha_t) : sizeof (ip6_t)));
/*
* Check to see if we can reuse the incoming mblk. There should
- * not be other reference and the db_base of the mblk should be
- * properly aligned. Since this packet comes from below,
+ * not be other reference. Since this packet comes from below,
* there should be enough header space to fill in what the lower
- * layers want to add. And we will not stash anything there.
+ * layers want to add.
*/
- if (!IS_P2ALIGNED(DB_BASE(inmp), sizeof (ire_t *)) ||
- DB_REF(inmp) != 1) {
- mp1 = allocb(MBLKL(inmp) + sctps->sctps_wroff_xtra, BPRI_MED);
+ if (DB_REF(mp) != 1) {
+ mp1 = allocb(MBLKL(mp) + sctps->sctps_wroff_xtra, BPRI_MED);
if (mp1 == NULL) {
- freeb(inmp);
+ freeb(mp);
return;
}
mp1->b_rptr += sctps->sctps_wroff_xtra;
- mp1->b_wptr = mp1->b_rptr + MBLKL(inmp);
- bcopy(inmp->b_rptr, mp1->b_rptr, MBLKL(inmp));
- freeb(inmp);
- inmp = mp1;
+ mp1->b_wptr = mp1->b_rptr + MBLKL(mp);
+ bcopy(mp->b_rptr, mp1->b_rptr, MBLKL(mp));
+ freeb(mp);
+ mp = mp1;
} else {
- ASSERT(DB_CKSUMFLAGS(inmp) == 0);
+ DB_CKSUMFLAGS(mp) = 0;
}
+ ixas.ixa_pktlen = ip_hdr_len + sizeof (*insctph) + sizeof (*scch);
+ ixas.ixa_ip_hdr_length = ip_hdr_len;
/*
* We follow the logic in tcp_xmit_early_reset() in that we skip
- * reversing source route (i.e. relpace all IP options with EOL).
+ * reversing source route (i.e. replace all IP options with EOL).
*/
if (isv4) {
ipaddr_t v4addr;
- inip4h = (ipha_t *)inmp->b_rptr;
+ ipha = (ipha_t *)mp->b_rptr;
for (i = IP_SIMPLE_HDR_LENGTH; i < (int)ip_hdr_len; i++)
- inmp->b_rptr[i] = IPOPT_EOL;
+ mp->b_rptr[i] = IPOPT_EOL;
/* Swap addresses */
- inip4h->ipha_length = htons(ip_hdr_len + sizeof (*insctph) +
- sizeof (*scch));
- v4addr = inip4h->ipha_src;
- inip4h->ipha_src = inip4h->ipha_dst;
- inip4h->ipha_dst = v4addr;
- inip4h->ipha_ident = 0;
- inip4h->ipha_ttl = (uchar_t)sctps->sctps_ipv4_ttl;
+ ipha->ipha_length = htons(ixas.ixa_pktlen);
+ v4addr = ipha->ipha_src;
+ ipha->ipha_src = ipha->ipha_dst;
+ ipha->ipha_dst = v4addr;
+ ipha->ipha_ident = 0;
+ ipha->ipha_ttl = (uchar_t)sctps->sctps_ipv4_ttl;
+
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
} else {
in6_addr_t v6addr;
- inip6h = (ip6_t *)inmp->b_rptr;
+ ip6h = (ip6_t *)mp->b_rptr;
/* Remove any extension headers assuming partial overlay */
if (ip_hdr_len > IPV6_HDR_LEN) {
uint8_t *to;
- to = inmp->b_rptr + ip_hdr_len - IPV6_HDR_LEN;
- ovbcopy(inip6h, to, IPV6_HDR_LEN);
- inmp->b_rptr += ip_hdr_len - IPV6_HDR_LEN;
+ to = mp->b_rptr + ip_hdr_len - IPV6_HDR_LEN;
+ ovbcopy(ip6h, to, IPV6_HDR_LEN);
+ mp->b_rptr += ip_hdr_len - IPV6_HDR_LEN;
ip_hdr_len = IPV6_HDR_LEN;
- inip6h = (ip6_t *)inmp->b_rptr;
- inip6h->ip6_nxt = IPPROTO_SCTP;
+ ip6h = (ip6_t *)mp->b_rptr;
+ ip6h->ip6_nxt = IPPROTO_SCTP;
+ }
+ ip6h->ip6_plen = htons(ixas.ixa_pktlen - IPV6_HDR_LEN);
+ v6addr = ip6h->ip6_src;
+ ip6h->ip6_src = ip6h->ip6_dst;
+ ip6h->ip6_dst = v6addr;
+ ip6h->ip6_hops = (uchar_t)sctps->sctps_ipv6_hoplimit;
+
+ ixas.ixa_flags = IXAF_BASIC_SIMPLE_V6;
+ if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_dst)) {
+ ixas.ixa_flags |= IXAF_SCOPEID_SET;
+ ixas.ixa_scopeid = ira->ira_ruifindex;
}
- inip6h->ip6_plen = htons(ip_hdr_len + sizeof (*insctph) +
- sizeof (*scch) - IPV6_HDR_LEN);
- v6addr = inip6h->ip6_src;
- inip6h->ip6_src = inip6h->ip6_dst;
- inip6h->ip6_dst = v6addr;
- inip6h->ip6_hops = (uchar_t)sctps->sctps_ipv6_hoplimit;
}
- insctph = (sctp_hdr_t *)(inmp->b_rptr + ip_hdr_len);
+
+ insctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_len);
/* Swap ports. Verification tag is reused. */
port = insctph->sh_sport;
@@ -359,9 +368,29 @@ sctp_ootb_shutdown_ack(sctp_t *gsctp, mblk_t *inmp, uint_t ip_hdr_len)
/* Set the T-bit */
SCTP_SET_TBIT(scch);
- BUMP_LOCAL(gsctp->sctp_obchunks);
- /* Nothing to stash... */
- SCTP_STASH_IPINFO(inmp, (ire_t *)NULL);
+ ixas.ixa_protocol = IPPROTO_SCTP;
+ ixas.ixa_zoneid = ira->ira_zoneid;
+ ixas.ixa_ipst = ipst;
+ ixas.ixa_ifindex = 0;
+
+ if (ira->ira_flags & IRAF_IPSEC_SECURE) {
+ /*
+ * Apply IPsec based on how IPsec was applied to
+ * the packet that was out of the blue.
+ */
+ if (!ipsec_in_to_out(ira, &ixas, mp, ipha, ip6h)) {
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ /* Note: mp already consumed and ip_drop_packet done */
+ return;
+ }
+ } else {
+ /*
+ * This is in clear. The message we are building
+ * here should go out in clear, independent of our policy.
+ */
+ ixas.ixa_flags |= IXAF_NO_IPSEC;
+ }
- sctp_add_sendq(gsctp, inmp);
+ (void) ip_output_simple(mp, &ixas);
+ ixa_cleanup(&ixas);
}
diff --git a/usr/src/uts/common/inet/sctp/sctp_snmp.c b/usr/src/uts/common/inet/sctp/sctp_snmp.c
index f859cd6ba5..f1e7deceae 100644
--- a/usr/src/uts/common/inet/sctp/sctp_snmp.c
+++ b/usr/src/uts/common/inet/sctp/sctp_snmp.c
@@ -78,9 +78,9 @@ sctp_kstat_update(kstat_t *kp, int rw)
* individual set of statistics.
*/
SET_MIB(sctps->sctps_mib.sctpCurrEstab, 0);
- sctp = sctps->sctps_gsctp;
sctp_prev = NULL;
mutex_enter(&sctps->sctps_g_lock);
+ sctp = list_head(&sctps->sctps_g_list);
while (sctp != NULL) {
mutex_enter(&sctp->sctp_reflock);
if (sctp->sctp_condemned) {
@@ -471,8 +471,8 @@ sctp_snmp_get_mib2(queue_t *q, mblk_t *mpctl, sctp_stack_t *sctps)
SET_MIB(sctps->sctps_mib.sctpCurrEstab, 0);
idx = 0;
- sctp = sctps->sctps_gsctp;
mutex_enter(&sctps->sctps_g_lock);
+ sctp = list_head(&sctps->sctps_g_list);
while (sctp != NULL) {
mutex_enter(&sctp->sctp_reflock);
if (sctp->sctp_condemned) {
@@ -541,8 +541,8 @@ sctp_snmp_get_mib2(queue_t *q, mblk_t *mpctl, sctp_stack_t *sctps)
sctp->sctp_reassmsgs = 0;
sce.sctpAssocId = ntohl(sctp->sctp_lvtag);
- sce.sctpAssocLocalPort = ntohs(sctp->sctp_lport);
- sce.sctpAssocRemPort = ntohs(sctp->sctp_fport);
+ sce.sctpAssocLocalPort = ntohs(sctp->sctp_connp->conn_lport);
+ sce.sctpAssocRemPort = ntohs(sctp->sctp_connp->conn_fport);
RUN_SCTP(sctp);
if (sctp->sctp_primary != NULL) {
@@ -659,11 +659,10 @@ done:
needattr = B_TRUE;
break;
}
- if (connp->conn_fully_bound &&
- connp->conn_effective_cred != NULL) {
+ if (sctp->sctp_connp->conn_ixa->ixa_tsl != NULL) {
ts_label_t *tsl;
- tsl = crgetlabel(connp->conn_effective_cred);
+ tsl = sctp->sctp_connp->conn_ixa->ixa_tsl;
mlp.tme_flags |= MIB2_TMEF_IS_LABELED;
mlp.tme_doi = label2doi(tsl);
mlp.tme_label = *label2bslabel(tsl);
diff --git a/usr/src/uts/common/inet/sctp/sctp_stack.h b/usr/src/uts/common/inet/sctp/sctp_stack.h
index d467b38a17..e9ad5cf9c7 100644
--- a/usr/src/uts/common/inet/sctp/sctp_stack.h
+++ b/usr/src/uts/common/inet/sctp/sctp_stack.h
@@ -20,15 +20,13 @@
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _INET_SCTP_SCTP_STACK_H
#define _INET_SCTP_SCTP_STACK_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/netstack.h>
#include <sys/taskq.h>
@@ -76,17 +74,6 @@ struct sctp_stack {
mib2_sctp_t sctps_mib;
- /* Protected by sctps_g_q_lock */
- queue_t *sctps_g_q;
- uint_t sctps_g_q_ref; /* Number of sctp_t's that use it */
- kmutex_t sctps_g_q_lock;
- kcondvar_t sctps_g_q_cv;
- kthread_t *sctps_g_q_creator;
- struct __ldi_handle *sctps_g_q_lh;
- cred_t *sctps_g_q_cr; /* For _inactive close call */
- /* The default sctp_t for responding out of the blue packets. */
- struct sctp_s *sctps_gsctp;
-
/* Protected by sctps_g_lock */
struct list sctps_g_list; /* SCTP instance data chain */
kmutex_t sctps_g_lock;
diff --git a/usr/src/uts/common/inet/sctp/sctp_timer.c b/usr/src/uts/common/inet/sctp/sctp_timer.c
index c6fd4a5c71..24b46ad6f0 100644
--- a/usr/src/uts/common/inet/sctp/sctp_timer.c
+++ b/usr/src/uts/common/inet/sctp/sctp_timer.c
@@ -220,7 +220,6 @@ sctp_timer_fire(sctp_tb_t *sctp_tb)
sctp_timer_call(sctp, mp);
WAKE_SCTP(sctp);
- sctp_process_sendq(sctp);
}
SCTP_REFRELE(sctp);
}
@@ -429,7 +428,7 @@ sctp_heartbeat_timer(sctp_t *sctp)
for (fp = sctp->sctp_faddrs; fp != NULL; fp = fp->next) {
/*
* If the peer is unreachable because there is no available
- * source address, call sctp_get_ire() to see if it is
+ * source address, call sctp_get_dest() to see if it is
* reachable now. If it is OK, the state will become
* unconfirmed. And the following code to handle unconfirmed
* address will be executed. If it is still not OK,
@@ -438,7 +437,7 @@ sctp_heartbeat_timer(sctp_t *sctp)
* is disable, this retry may go on forever.
*/
if (fp->state == SCTP_FADDRS_UNREACH) {
- sctp_get_ire(sctp, fp);
+ sctp_get_dest(sctp, fp);
if (fp->state == SCTP_FADDRS_UNREACH) {
if (fp->hb_enabled &&
++fp->strikes > fp->max_retr &&
@@ -642,15 +641,14 @@ rxmit_init:
* address list won't be modified (it would have been done
* the first time around).
*/
- mp = sctp_init_mp(sctp);
+ mp = sctp_init_mp(sctp, fp);
if (mp != NULL) {
BUMP_MIB(&sctps->sctps_mib, sctpTimRetrans);
- sctp_add_sendq(sctp, mp);
+ (void) conn_ip_output(mp, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
}
break;
- case SCTPS_COOKIE_ECHOED: {
- ipha_t *iph;
-
+ case SCTPS_COOKIE_ECHOED:
BUMP_LOCAL(sctp->sctp_T1expire);
if (sctp->sctp_cookie_mp == NULL) {
sctp->sctp_state = SCTPS_COOKIE_WAIT;
@@ -659,14 +657,10 @@ rxmit_init:
mp = dupmsg(sctp->sctp_cookie_mp);
if (mp == NULL)
break;
- iph = (ipha_t *)mp->b_rptr;
- /* Reset the IP ident. */
- if (IPH_HDR_VERSION(iph) == IPV4_VERSION)
- iph->ipha_ident = 0;
- sctp_add_sendq(sctp, mp);
+ (void) conn_ip_output(mp, fp->ixa);
+ BUMP_LOCAL(sctp->sctp_opkts);
BUMP_MIB(&sctps->sctps_mib, sctpTimRetrans);
break;
- }
case SCTPS_SHUTDOWN_SENT:
BUMP_LOCAL(sctp->sctp_T2expire);
sctp_send_shutdown(sctp, 1);
diff --git a/usr/src/uts/common/inet/sctp_ip.h b/usr/src/uts/common/inet/sctp_ip.h
index 7b20d3fd2b..9e4c2ef7ec 100644
--- a/usr/src/uts/common/inet/sctp_ip.h
+++ b/usr/src/uts/common/inet/sctp_ip.h
@@ -35,40 +35,24 @@ extern "C" {
#define SCTP_COMMON_HDR_LENGTH 12 /* SCTP common header length */
/* SCTP routines for IP to call. */
-extern void ip_fanout_sctp(mblk_t *, ill_t *, ipha_t *, uint32_t,
- uint_t, boolean_t, boolean_t, zoneid_t);
+extern void ip_fanout_sctp(mblk_t *, ipha_t *, ip6_t *, uint32_t,
+ ip_recv_attr_t *);
extern void sctp_ddi_g_init(void);
extern void sctp_ddi_g_destroy(void);
extern conn_t *sctp_find_conn(in6_addr_t *, in6_addr_t *, uint32_t,
- zoneid_t, sctp_stack_t *);
+ zoneid_t, iaflags_t, sctp_stack_t *);
extern conn_t *sctp_fanout(in6_addr_t *, in6_addr_t *, uint32_t,
- zoneid_t, mblk_t *, sctp_stack_t *);
+ ip_recv_attr_t *, mblk_t *, sctp_stack_t *);
-extern void sctp_input(conn_t *, ipha_t *, mblk_t *, mblk_t *, ill_t *,
- boolean_t, boolean_t);
+extern void sctp_input(conn_t *, ipha_t *, ip6_t *, mblk_t *, ip_recv_attr_t *);
extern void sctp_wput(queue_t *, mblk_t *);
-extern void sctp_ootb_input(mblk_t *, ill_t *, zoneid_t, boolean_t);
+extern void sctp_ootb_input(mblk_t *, ip_recv_attr_t *, ip_stack_t *);
extern void sctp_hash_init(sctp_stack_t *);
extern void sctp_hash_destroy(sctp_stack_t *);
extern uint32_t sctp_cksum(mblk_t *, int);
extern mblk_t *sctp_snmp_get_mib2(queue_t *, mblk_t *, sctp_stack_t *);
extern void sctp_free(conn_t *);
-#define SCTP_STASH_IPINFO(mp, ire) \
-{ \
- unsigned char *stp; \
- stp = DB_BASE((mp)); \
- ASSERT(stp + sizeof (ire_t *) < (mp)->b_rptr); \
- *(ire_t **)stp = (ire); \
-}
-
-#define SCTP_EXTRACT_IPINFO(mp, ire) \
-{ \
- unsigned char *stp; \
- stp = (mp)->b_datap->db_base; \
- (ire) = *(ire_t **)stp; \
-}
-
/*
* SCTP maintains a list of ILLs/IPIFs, these functions are provided by
* SCTP to keep its interface list up to date.
@@ -87,16 +71,8 @@ extern void sctp_ill_reindex(ill_t *, uint_t);
#define SCTP_IPIF_UPDATE 6
/* IP routines for SCTP to call. */
-extern void ip_fanout_sctp_raw(mblk_t *, ill_t *, ipha_t *, boolean_t,
- uint32_t, boolean_t, uint_t, boolean_t, zoneid_t);
-extern void sctp_ire_cache_flush(ipif_t *);
-
-/*
- * Private (and possibly temporary) ioctls. It is a large number
- * to avoid conflict with other ioctls, which are normally smaller
- * than 2^16.
- */
-#define SCTP_IOC_DEFAULT_Q (('S' << 16) | 1024)
+extern void ip_fanout_sctp_raw(mblk_t *, ipha_t *, ip6_t *, uint32_t,
+ ip_recv_attr_t *);
#ifdef __cplusplus
}
diff --git a/usr/src/uts/common/inet/sctp_itf.h b/usr/src/uts/common/inet/sctp_itf.h
index 9ce69fdaf0..2ae6d3669f 100644
--- a/usr/src/uts/common/inet/sctp_itf.h
+++ b/usr/src/uts/common/inet/sctp_itf.h
@@ -83,9 +83,9 @@ extern int sctp_bindx(struct sctp_s *conn, const void *addrs, int addrcnt,
int flags);
extern void sctp_close(struct sctp_s *conn);
extern int sctp_connect(struct sctp_s *conn, const struct sockaddr *dst,
- socklen_t addrlen);
+ socklen_t addrlen, cred_t *cr, pid_t pid);
extern struct sctp_s *sctp_create(void *newhandle, struct sctp_s *parent,
- int family, int flags, struct sock_upcalls_s *su,
+ int family, int type, int flags, struct sock_upcalls_s *su,
sctp_sockbuf_limits_t *sbl, cred_t *cr);
extern int sctp_disconnect(struct sctp_s *conn);
extern int sctp_get_opt(struct sctp_s *conn, int level, int opt, void *opts,
diff --git a/usr/src/uts/common/inet/sockmods/socksctp.c b/usr/src/uts/common/inet/sockmods/socksctp.c
index 7da9f92dde..4df7e33501 100644
--- a/usr/src/uts/common/inet/sockmods/socksctp.c
+++ b/usr/src/uts/common/inet/sockmods/socksctp.c
@@ -207,7 +207,7 @@ sosctp_init(struct sonode *so, struct sonode *pso, struct cred *cr, int flags)
upcalls = &sosctp_assoc_upcalls;
}
so->so_proto_handle = (sock_lower_handle_t)sctp_create(so, NULL,
- so->so_family, SCTP_CAN_BLOCK, upcalls, &sbl, cr);
+ so->so_family, so->so_type, SCTP_CAN_BLOCK, upcalls, &sbl, cr);
if (so->so_proto_handle == NULL)
return (ENOMEM);
@@ -350,6 +350,7 @@ sosctp_connect(struct sonode *so, const struct sockaddr *name,
socklen_t namelen, int fflag, int flags, struct cred *cr)
{
int error = 0;
+ pid_t pid = curproc->p_pid;
ASSERT(so->so_type == SOCK_STREAM);
@@ -404,7 +405,7 @@ sosctp_connect(struct sonode *so, const struct sockaddr *name,
mutex_exit(&so->so_lock);
error = sctp_connect((struct sctp_s *)so->so_proto_handle,
- name, namelen);
+ name, namelen, cr, pid);
mutex_enter(&so->so_lock);
if (error == 0) {
@@ -662,7 +663,7 @@ done:
int
sosctp_uiomove(mblk_t *hdr_mp, ssize_t count, ssize_t blk_size, int wroff,
- struct uio *uiop, int flags, cred_t *cr)
+ struct uio *uiop, int flags)
{
ssize_t size;
int error;
@@ -683,8 +684,7 @@ sosctp_uiomove(mblk_t *hdr_mp, ssize_t count, ssize_t blk_size, int wroff,
* packets, each mblk will have the extra space before
* data to accommodate what SCTP wants to put in there.
*/
- while ((mp = allocb_cred(size + wroff, cr,
- curproc->p_pid)) == NULL) {
+ while ((mp = allocb(size + wroff, BPRI_MED)) == NULL) {
if ((uiop->uio_fmode & (FNDELAY|FNONBLOCK)) ||
(flags & MSG_DONTWAIT)) {
return (EAGAIN);
@@ -887,7 +887,7 @@ sosctp_sendmsg(struct sonode *so, struct nmsghdr *msg, struct uio *uiop,
/* Copy in the message. */
if ((error = sosctp_uiomove(mctl, count, ss->ss_wrsize, ss->ss_wroff,
- uiop, flags, cr)) != 0) {
+ uiop, flags)) != 0) {
goto error_ret;
}
error = sctp_sendmsg((struct sctp_s *)so->so_proto_handle, mctl, 0);
@@ -1091,7 +1091,7 @@ sosctp_seq_sendmsg(struct sonode *so, struct nmsghdr *msg, struct uio *uiop,
/* Copy in the message. */
if ((error = sosctp_uiomove(mctl, count, ssa->ssa_wrsize,
- ssa->ssa_wroff, uiop, flags, cr)) != 0) {
+ ssa->ssa_wroff, uiop, flags)) != 0) {
goto lock_rele;
}
error = sctp_sendmsg((struct sctp_s *)ssa->ssa_conn, mctl, 0);
diff --git a/usr/src/uts/common/inet/sockmods/socksctp.h b/usr/src/uts/common/inet/sockmods/socksctp.h
index b02622c994..2ac7058821 100644
--- a/usr/src/uts/common/inet/sockmods/socksctp.h
+++ b/usr/src/uts/common/inet/sockmods/socksctp.h
@@ -116,7 +116,7 @@ extern void sosctp_assoc_isdisconnected(struct sctp_soassoc *ssa, int error);
extern int sosctp_waitconnected(struct sonode *so, int fmode);
extern int sosctp_uiomove(mblk_t *hdr_mp, ssize_t count, ssize_t blk_size,
- int wroff, struct uio *uiop, int flags, cred_t *cr);
+ int wroff, struct uio *uiop, int flags);
/*
* Data structure types.
diff --git a/usr/src/uts/common/inet/sockmods/socksctpsubr.c b/usr/src/uts/common/inet/sockmods/socksctpsubr.c
index 4a4cb08007..a647cbe4f2 100644
--- a/usr/src/uts/common/inet/sockmods/socksctpsubr.c
+++ b/usr/src/uts/common/inet/sockmods/socksctpsubr.c
@@ -367,6 +367,7 @@ sosctp_assoc_createconn(struct sctp_sonode *ss, const struct sockaddr *name,
sctp_assoc_t id;
int error;
struct cmsghdr *cmsg;
+ pid_t pid = curproc->p_pid;
ASSERT(MUTEX_HELD(&so->so_lock));
@@ -407,7 +408,8 @@ sosctp_assoc_createconn(struct sctp_sonode *ss, const struct sockaddr *name,
ssa->ssa_wroff = ss->ss_wroff;
ssa->ssa_wrsize = ss->ss_wrsize;
ssa->ssa_conn = sctp_create(ssa, (struct sctp_s *)so->so_proto_handle,
- so->so_family, SCTP_CAN_BLOCK, &sosctp_assoc_upcalls, &sbl, cr);
+ so->so_family, so->so_type, SCTP_CAN_BLOCK, &sosctp_assoc_upcalls,
+ &sbl, cr);
mutex_enter(&so->so_lock);
ss->ss_assocs[id].ssi_assoc = ssa;
@@ -435,7 +437,7 @@ sosctp_assoc_createconn(struct sctp_sonode *ss, const struct sockaddr *name,
goto ret_err;
}
- if ((error = sctp_connect(ssa->ssa_conn, name, namelen)) != 0)
+ if ((error = sctp_connect(ssa->ssa_conn, name, namelen, cr, pid)) != 0)
goto ret_err;
mutex_enter(&so->so_lock);
diff --git a/usr/src/uts/common/inet/spdsock.h b/usr/src/uts/common/inet/spdsock.h
index 7622e56a45..64c63cdd71 100644
--- a/usr/src/uts/common/inet/spdsock.h
+++ b/usr/src/uts/common/inet/spdsock.h
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -110,7 +110,7 @@ extern uint_t spdsock_max_optsize;
extern int spdsock_opt_get(queue_t *, int, int, uchar_t *);
extern int spdsock_opt_set(queue_t *, uint_t, int, int, uint_t, uchar_t *,
- uint_t *, uchar_t *, void *, cred_t *, mblk_t *);
+ uint_t *, uchar_t *, void *, cred_t *);
#ifdef __cplusplus
}
diff --git a/usr/src/uts/common/inet/squeue.c b/usr/src/uts/common/inet/squeue.c
index e46293d820..db11ef79ae 100644
--- a/usr/src/uts/common/inet/squeue.c
+++ b/usr/src/uts/common/inet/squeue.c
@@ -39,8 +39,8 @@
* parallelization (on a per H/W execution pipeline basis) with at
* most one queuing.
*
- * The modules needing protection typically calls squeue_enter() or
- * squeue_enter_chain() routine as soon as a thread enter the module
+ * The modules needing protection typically calls SQUEUE_ENTER_ONE() or
+ * SQUEUE_ENTER() macro as soon as a thread enter the module
* from either direction. For each packet, the processing function
* and argument is stored in the mblk itself. When the packet is ready
* to be processed, the squeue retrieves the stored function and calls
@@ -406,11 +406,15 @@ squeue_worker_wakeup(squeue_t *sqp)
* and drain in the entering thread context. If process_flag is
* SQ_FILL, then we just queue the mblk and return (after signaling
* the worker thread if no one else is processing the squeue).
+ *
+ * The ira argument can be used when the count is one.
+ * For a chain the caller needs to prepend any needed mblks from
+ * ip_recv_attr_to_mblk().
*/
/* ARGSUSED */
void
squeue_enter(squeue_t *sqp, mblk_t *mp, mblk_t *tail, uint32_t cnt,
- int process_flag, uint8_t tag)
+ ip_recv_attr_t *ira, int process_flag, uint8_t tag)
{
conn_t *connp;
sqproc_t proc;
@@ -421,6 +425,7 @@ squeue_enter(squeue_t *sqp, mblk_t *mp, mblk_t *tail, uint32_t cnt,
ASSERT(tail != NULL);
ASSERT(cnt > 0);
ASSERT(MUTEX_NOT_HELD(&sqp->sq_lock));
+ ASSERT(ira == NULL || cnt == 1);
mutex_enter(&sqp->sq_lock);
@@ -467,7 +472,7 @@ squeue_enter(squeue_t *sqp, mblk_t *mp, mblk_t *tail, uint32_t cnt,
connp->conn_on_sqp = B_TRUE;
DTRACE_PROBE3(squeue__proc__start, squeue_t *,
sqp, mblk_t *, mp, conn_t *, connp);
- (*proc)(connp, mp, sqp);
+ (*proc)(connp, mp, sqp, ira);
DTRACE_PROBE2(squeue__proc__end, squeue_t *,
sqp, conn_t *, connp);
connp->conn_on_sqp = B_FALSE;
@@ -475,7 +480,7 @@ squeue_enter(squeue_t *sqp, mblk_t *mp, mblk_t *tail, uint32_t cnt,
CONN_DEC_REF(connp);
} else {
SQUEUE_ENTER_ONE(connp->conn_sqp, mp, proc,
- connp, SQ_FILL, SQTAG_SQUEUE_CHANGE);
+ connp, ira, SQ_FILL, SQTAG_SQUEUE_CHANGE);
}
ASSERT(MUTEX_NOT_HELD(&sqp->sq_lock));
mutex_enter(&sqp->sq_lock);
@@ -499,6 +504,33 @@ squeue_enter(squeue_t *sqp, mblk_t *mp, mblk_t *tail, uint32_t cnt,
return;
}
} else {
+ if (ira != NULL) {
+ mblk_t *attrmp;
+
+ ASSERT(cnt == 1);
+ attrmp = ip_recv_attr_to_mblk(ira);
+ if (attrmp == NULL) {
+ mutex_exit(&sqp->sq_lock);
+ ip_drop_input("squeue: "
+ "ip_recv_attr_to_mblk",
+ mp, NULL);
+ /* Caller already set b_prev/b_next */
+ mp->b_prev = mp->b_next = NULL;
+ freemsg(mp);
+ return;
+ }
+ ASSERT(attrmp->b_cont == NULL);
+ attrmp->b_cont = mp;
+ /* Move connp and func to new */
+ attrmp->b_queue = mp->b_queue;
+ mp->b_queue = NULL;
+ attrmp->b_prev = mp->b_prev;
+ mp->b_prev = NULL;
+
+ ASSERT(mp == tail);
+ tail = mp = attrmp;
+ }
+
ENQUEUE_CHAIN(sqp, mp, tail, cnt);
#ifdef DEBUG
mp->b_tag = tag;
@@ -564,14 +596,14 @@ squeue_enter(squeue_t *sqp, mblk_t *mp, mblk_t *tail, uint32_t cnt,
connp->conn_on_sqp = B_TRUE;
DTRACE_PROBE3(squeue__proc__start, squeue_t *,
sqp, mblk_t *, mp, conn_t *, connp);
- (*proc)(connp, mp, sqp);
+ (*proc)(connp, mp, sqp, ira);
DTRACE_PROBE2(squeue__proc__end, squeue_t *,
sqp, conn_t *, connp);
connp->conn_on_sqp = B_FALSE;
CONN_DEC_REF(connp);
} else {
SQUEUE_ENTER_ONE(connp->conn_sqp, mp, proc,
- connp, SQ_FILL, SQTAG_SQUEUE_CHANGE);
+ connp, ira, SQ_FILL, SQTAG_SQUEUE_CHANGE);
}
mutex_enter(&sqp->sq_lock);
@@ -589,7 +621,31 @@ squeue_enter(squeue_t *sqp, mblk_t *mp, mblk_t *tail, uint32_t cnt,
#ifdef DEBUG
mp->b_tag = tag;
#endif
+ if (ira != NULL) {
+ mblk_t *attrmp;
+ ASSERT(cnt == 1);
+ attrmp = ip_recv_attr_to_mblk(ira);
+ if (attrmp == NULL) {
+ mutex_exit(&sqp->sq_lock);
+ ip_drop_input("squeue: ip_recv_attr_to_mblk",
+ mp, NULL);
+ /* Caller already set b_prev/b_next */
+ mp->b_prev = mp->b_next = NULL;
+ freemsg(mp);
+ return;
+ }
+ ASSERT(attrmp->b_cont == NULL);
+ attrmp->b_cont = mp;
+ /* Move connp and func to new */
+ attrmp->b_queue = mp->b_queue;
+ mp->b_queue = NULL;
+ attrmp->b_prev = mp->b_prev;
+ mp->b_prev = NULL;
+
+ ASSERT(mp == tail);
+ tail = mp = attrmp;
+ }
ENQUEUE_CHAIN(sqp, mp, tail, cnt);
if (!(sqp->sq_state & SQS_PROC)) {
squeue_worker_wakeup(sqp);
@@ -653,6 +709,7 @@ squeue_drain(squeue_t *sqp, uint_t proc_type, hrtime_t expire)
hrtime_t now;
boolean_t did_wakeup = B_FALSE;
boolean_t sq_poll_capable;
+ ip_recv_attr_t *ira, iras;
sq_poll_capable = (sqp->sq_state & SQS_POLL_CAPAB) != 0;
again:
@@ -697,6 +754,31 @@ again:
connp = (conn_t *)mp->b_prev;
mp->b_prev = NULL;
+ /* Is there an ip_recv_attr_t to handle? */
+ if (ip_recv_attr_is_mblk(mp)) {
+ mblk_t *attrmp = mp;
+
+ ASSERT(attrmp->b_cont != NULL);
+
+ mp = attrmp->b_cont;
+ attrmp->b_cont = NULL;
+ ASSERT(mp->b_queue == NULL);
+ ASSERT(mp->b_prev == NULL);
+
+ if (!ip_recv_attr_from_mblk(attrmp, &iras)) {
+ /* The ill or ip_stack_t disappeared on us */
+ ip_drop_input("ip_recv_attr_from_mblk",
+ mp, NULL);
+ ira_cleanup(&iras, B_TRUE);
+ CONN_DEC_REF(connp);
+ continue;
+ }
+ ira = &iras;
+ } else {
+ ira = NULL;
+ }
+
+
/*
* Handle squeue switching. More details in the
* block comment at the top of the file
@@ -707,15 +789,17 @@ again:
connp->conn_on_sqp = B_TRUE;
DTRACE_PROBE3(squeue__proc__start, squeue_t *,
sqp, mblk_t *, mp, conn_t *, connp);
- (*proc)(connp, mp, sqp);
+ (*proc)(connp, mp, sqp, ira);
DTRACE_PROBE2(squeue__proc__end, squeue_t *,
sqp, conn_t *, connp);
connp->conn_on_sqp = B_FALSE;
CONN_DEC_REF(connp);
} else {
- SQUEUE_ENTER_ONE(connp->conn_sqp, mp, proc, connp,
+ SQUEUE_ENTER_ONE(connp->conn_sqp, mp, proc, connp, ira,
SQ_FILL, SQTAG_SQUEUE_CHANGE);
}
+ if (ira != NULL)
+ ira_cleanup(ira, B_TRUE);
}
SQUEUE_DBG_CLEAR(sqp);
@@ -991,9 +1075,13 @@ poll_again:
&tail, &cnt);
}
mutex_enter(lock);
- if (mp != NULL)
+ if (mp != NULL) {
+ /*
+ * The ip_accept function has already added an
+ * ip_recv_attr_t mblk if that is needed.
+ */
ENQUEUE_CHAIN(sqp, mp, tail, cnt);
-
+ }
ASSERT((sqp->sq_state &
(SQS_PROC|SQS_POLLING|SQS_GET_PKTS)) ==
(SQS_PROC|SQS_POLLING|SQS_GET_PKTS));
@@ -1263,7 +1351,7 @@ squeue_getprivate(squeue_t *sqp, sqprivate_t p)
/* ARGSUSED */
void
-squeue_wakeup_conn(void *arg, mblk_t *mp, void *arg2)
+squeue_wakeup_conn(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
conn_t *connp = (conn_t *)arg;
squeue_t *sqp = connp->conn_sqp;
diff --git a/usr/src/uts/common/inet/tcp.h b/usr/src/uts/common/inet/tcp.h
index 8442c4f384..321d0756fc 100644
--- a/usr/src/uts/common/inet/tcp.h
+++ b/usr/src/uts/common/inet/tcp.h
@@ -36,7 +36,6 @@ extern "C" {
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <sys/socket_proto.h>
-#include <sys/multidata.h>
#include <sys/md5.h>
#include <inet/common.h>
#include <inet/ip.h>
@@ -47,12 +46,6 @@ extern "C" {
#include <inet/tcp_sack.h>
#include <inet/kssl/ksslapi.h>
-/*
- * Private (and possibly temporary) ioctl used by configuration code
- * to lock in the "default" stream for detached closes.
- */
-#define TCP_IOC_DEFAULT_Q (('T' << 8) + 51)
-
/* TCP states */
#define TCPS_CLOSED -6
#define TCPS_IDLE -5 /* idle (opened, but not bound) */
@@ -73,7 +66,7 @@ extern "C" {
/*
* Internal flags used in conjunction with the packet header flags.
- * Used in tcp_rput_data to keep track of what needs to be done.
+ * Used in tcp_input_data to keep track of what needs to be done.
*/
#define TH_LIMIT_XMIT 0x0400 /* Limited xmit is needed */
#define TH_XMIT_NEEDED 0x0800 /* Window opened - send queued data */
@@ -108,11 +101,12 @@ typedef struct tcphdr_s {
uint8_t th_urp[2]; /* Urgent pointer */
} tcph_t;
-#define TCP_HDR_LENGTH(tcph) (((tcph)->th_offset_and_rsrvd[0] >>2) &(0xF << 2))
+#define TCP_HDR_LENGTH(tcph) \
+ ((((tcph_t *)tcph)->th_offset_and_rsrvd[0] >>2) &(0xF << 2))
#define TCP_MAX_COMBINED_HEADER_LENGTH (60 + 60) /* Maxed out ip + tcp */
#define TCP_MAX_IP_OPTIONS_LENGTH (60 - IP_SIMPLE_HDR_LENGTH)
#define TCP_MAX_HDR_LENGTH 60
-#define TCP_MAX_TCP_OPTIONS_LENGTH (60 - sizeof (tcph_t))
+#define TCP_MAX_TCP_OPTIONS_LENGTH (60 - sizeof (tcpha_t))
#define TCP_MIN_HEADER_LENGTH 20
#define TCP_MAXWIN 65535
#define TCP_PORT_LEN sizeof (in_port_t)
@@ -122,7 +116,7 @@ typedef struct tcphdr_s {
#define TCPIP_HDR_LENGTH(mp, n) \
(n) = IPH_HDR_LENGTH((mp)->b_rptr), \
- (n) += TCP_HDR_LENGTH((tcph_t *)&(mp)->b_rptr[(n)])
+ (n) += TCP_HDR_LENGTH((tcpha_t *)&(mp)->b_rptr[(n)])
/* TCP Protocol header (used if the header is known to be 32-bit aligned) */
typedef struct tcphdra_s {
@@ -173,9 +167,6 @@ typedef struct tcp_s {
uint32_t tcp_rnxt; /* Seq we expect to recv next */
uint32_t tcp_rwnd;
- queue_t *tcp_rq; /* Our upstream neighbor (client) */
- queue_t *tcp_wq; /* Our downstream neighbor */
-
/* Fields arranged in approximate access order along main paths */
mblk_t *tcp_xmit_head; /* Head of rexmit list */
mblk_t *tcp_xmit_last; /* last valid data seen by tcp_wput */
@@ -207,46 +198,16 @@ typedef struct tcp_s {
int64_t tcp_last_recv_time; /* Last time we receive a segment. */
uint32_t tcp_init_cwnd; /* Initial cwnd (start/restart) */
- /*
- * Following socket options are set by sockfs outside the squeue
- * and we want to separate these bit fields from the other bit fields
- * set by TCP to avoid grabbing locks. sockfs ensures that only one
- * thread in sockfs can set a socket option at a time on a conn_t.
- * However TCP may read these options concurrently. The linger option
- * needs atomicity since tcp_lingertime also needs to be in sync.
- * However TCP uses it only during close, and by then no socket option
- * can come down. So we don't need any locks, instead just separating
- * the sockfs settable bit fields from the other bit fields is
- * sufficient.
- */
- uint32_t
- tcp_debug : 1, /* SO_DEBUG "socket" option. */
- tcp_dontroute : 1, /* SO_DONTROUTE "socket" option. */
- tcp_broadcast : 1, /* SO_BROADCAST "socket" option. */
- tcp_useloopback : 1, /* SO_USELOOPBACK "socket" option. */
-
- tcp_oobinline : 1, /* SO_OOBINLINE "socket" option. */
- tcp_dgram_errind : 1, /* SO_DGRAM_ERRIND option */
- tcp_linger : 1, /* SO_LINGER turned on */
- tcp_reuseaddr : 1, /* SO_REUSEADDR "socket" option. */
-
- tcp_junk_to_bit_31 : 24;
-
/* Following manipulated by TCP under squeue protection */
uint32_t
tcp_urp_last_valid : 1, /* Is tcp_urp_last valid? */
- tcp_hard_binding : 1, /* If we've started a full bind */
- tcp_hard_bound : 1, /* If we've done a full bind with IP */
+ tcp_hard_binding : 1, /* TCP_DETACHED_NONEAGER */
tcp_fin_acked : 1, /* Has our FIN been acked? */
-
tcp_fin_rcvd : 1, /* Have we seen a FIN? */
+
tcp_fin_sent : 1, /* Have we sent our FIN yet? */
tcp_ordrel_done : 1, /* Have we sent the ord_rel upstream? */
tcp_detached : 1, /* If we're detached from a stream */
-
- tcp_bind_pending : 1, /* Client is waiting for bind ack */
- tcp_unbind_pending : 1, /* Client sent T_UNBIND_REQ */
- tcp_ka_enabled: 1, /* Connection KeepAlive Timer needed */
tcp_zero_win_probe: 1, /* Zero win probing is in progress */
tcp_loopback: 1, /* src and dst are the same machine */
@@ -258,44 +219,40 @@ typedef struct tcp_s {
tcp_active_open: 1, /* This is a active open */
tcp_rexmit : 1, /* TCP is retransmitting */
tcp_snd_sack_ok : 1, /* Can use SACK for this connection */
- tcp_empty_flag : 1, /* Empty flag for future use */
-
- tcp_recvdstaddr : 1, /* return T_EXTCONN_IND with dst addr */
tcp_hwcksum : 1, /* The NIC is capable of hwcksum */
- tcp_ip_forward_progress : 1,
- tcp_anon_priv_bind : 1,
+ tcp_ip_forward_progress : 1,
tcp_ecn_ok : 1, /* Can use ECN for this connection */
tcp_ecn_echo_on : 1, /* Need to do ECN echo */
tcp_ecn_cwr_sent : 1, /* ECN_CWR has been sent */
+
tcp_cwr : 1, /* Cwnd has reduced recently */
- tcp_pad_to_bit31 : 4;
+ tcp_pad_to_bit31 : 11;
+
/* Following manipulated by TCP under squeue protection */
uint32_t
- tcp_mdt : 1, /* Lower layer is capable of MDT */
tcp_snd_ts_ok : 1,
tcp_snd_ws_ok : 1,
- tcp_exclbind : 1, /* ``exclusive'' binding */
-
- tcp_hdr_grown : 1,
+ tcp_reserved_port : 1,
tcp_in_free_list : 1,
- tcp_snd_zcopy_on : 1, /* xmit zero-copy enabled */
+ tcp_snd_zcopy_on : 1, /* xmit zero-copy enabled */
tcp_snd_zcopy_aware : 1, /* client is zero-copy aware */
tcp_xmit_zc_clean : 1, /* the xmit list is free of zc-mblk */
tcp_wait_for_eagers : 1, /* Wait for eagers to disappear */
- tcp_accept_error : 1, /* Error during TLI accept */
+ tcp_accept_error : 1, /* Error during TLI accept */
tcp_send_discon_ind : 1, /* TLI accept err, send discon ind */
tcp_cork : 1, /* tcp_cork option */
tcp_tconnind_started : 1, /* conn_ind message is being sent */
+
tcp_lso :1, /* Lower layer is capable of LSO */
- tcp_refuse :1, /* Connection needs refusing */
tcp_is_wnd_shrnk : 1, /* Window has shrunk */
- tcp_pad_to_bit_31 : 15;
- uint32_t tcp_if_mtu; /* Outgoing interface MTU. */
+ tcp_pad_to_bit_31 : 18;
+
+ uint32_t tcp_initial_pmtu; /* Initial outgoing Path MTU. */
mblk_t *tcp_reass_head; /* Out of order reassembly list head */
mblk_t *tcp_reass_tail; /* Out of order reassembly list tail */
@@ -340,11 +297,6 @@ typedef struct tcp_s {
struct tcp_s *tcp_listener; /* Our listener */
- size_t tcp_xmit_hiwater; /* Send buffer high water mark. */
- size_t tcp_xmit_lowater; /* Send buffer low water mark. */
- size_t tcp_recv_hiwater; /* Recv high water mark */
- size_t tcp_recv_lowater; /* Recv low water mark */
-
uint32_t tcp_irs; /* Initial recv seq num */
uint32_t tcp_fss; /* Final/fin send seq num */
uint32_t tcp_urg; /* Urgent data seq num */
@@ -354,8 +306,6 @@ typedef struct tcp_s {
clock_t tcp_first_ctimer_threshold; /* 1st threshold while connecting */
clock_t tcp_second_ctimer_threshold; /* 2nd ... while connecting */
- int tcp_lingertime; /* Close linger time (in seconds) */
-
uint32_t tcp_urp_last; /* Last urp for which signal sent */
mblk_t *tcp_urp_mp; /* T_EXDATA_IND for urgent byte */
mblk_t *tcp_urp_mark_mp; /* zero-length marked/unmarked msg */
@@ -389,21 +339,14 @@ typedef struct tcp_s {
int32_t tcp_client_errno; /* How the client screwed up */
- char *tcp_iphc; /* Buffer holding tcp/ip hdr template */
- int tcp_iphc_len; /* actual allocated buffer size */
- int32_t tcp_hdr_len; /* Byte len of combined TCP/IP hdr */
- ipha_t *tcp_ipha; /* IPv4 header in the buffer */
- ip6_t *tcp_ip6h; /* IPv6 header in the buffer */
- int tcp_ip_hdr_len; /* Byte len of our current IPvx hdr */
- tcph_t *tcp_tcph; /* tcp header within combined hdr */
- int32_t tcp_tcp_hdr_len; /* tcp header len within combined */
- /* Saved peer headers in the case of re-fusion */
- ipha_t tcp_saved_ipha;
- ip6_t tcp_saved_ip6h;
- tcph_t tcp_saved_tcph;
-
- uint32_t tcp_sum; /* checksum to compensate for source */
- /* routed packets. Host byte order */
+ /*
+ * The header template lives in conn_ht_iphc allocated by tcp_build_hdrs
+ * We maintain three pointers into conn_ht_iphc.
+ */
+ ipha_t *tcp_ipha; /* IPv4 header in conn_ht_iphc */
+ ip6_t *tcp_ip6h; /* IPv6 header in conn_ht_iphc */
+ tcpha_t *tcp_tcpha; /* TCP header in conn_ht_iphc */
+
uint16_t tcp_last_sent_len; /* Record length for nagle */
uint16_t tcp_dupack_cnt; /* # of consequtive duplicate acks */
@@ -413,75 +356,20 @@ typedef struct tcp_s {
t_uscalar_t tcp_acceptor_id; /* ACCEPTOR_id */
int tcp_ipsec_overhead;
- /*
- * Address family that app wishes returned addrsses to be in.
- * Currently taken from address family used in T_BIND_REQ, but
- * should really come from family used in original socket() call.
- * Value can be AF_INET or AF_INET6.
- */
- uint_t tcp_family;
- /*
- * used for a quick test to determine if any ancillary bits are
- * set
- */
- uint_t tcp_ipv6_recvancillary; /* Flags */
-#define TCP_IPV6_RECVPKTINFO 0x01 /* IPV6_RECVPKTINFO option */
-#define TCP_IPV6_RECVHOPLIMIT 0x02 /* IPV6_RECVHOPLIMIT option */
-#define TCP_IPV6_RECVHOPOPTS 0x04 /* IPV6_RECVHOPOPTS option */
-#define TCP_IPV6_RECVDSTOPTS 0x08 /* IPV6_RECVDSTOPTS option */
-#define TCP_IPV6_RECVRTHDR 0x10 /* IPV6_RECVRTHDR option */
-#define TCP_IPV6_RECVRTDSTOPTS 0x20 /* IPV6_RECVRTHDRDSTOPTS option */
-#define TCP_IPV6_RECVTCLASS 0x40 /* IPV6_RECVTCLASS option */
-#define TCP_OLD_IPV6_RECVDSTOPTS 0x80 /* old IPV6_RECVDSTOPTS option */
uint_t tcp_recvifindex; /* Last received IPV6_RCVPKTINFO */
uint_t tcp_recvhops; /* Last received IPV6_RECVHOPLIMIT */
uint_t tcp_recvtclass; /* Last received IPV6_RECVTCLASS */
ip6_hbh_t *tcp_hopopts; /* Last received IPV6_RECVHOPOPTS */
ip6_dest_t *tcp_dstopts; /* Last received IPV6_RECVDSTOPTS */
- ip6_dest_t *tcp_rtdstopts; /* Last recvd IPV6_RECVRTHDRDSTOPTS */
+ ip6_dest_t *tcp_rthdrdstopts; /* Last recv IPV6_RECVRTHDRDSTOPTS */
ip6_rthdr_t *tcp_rthdr; /* Last received IPV6_RECVRTHDR */
uint_t tcp_hopoptslen;
uint_t tcp_dstoptslen;
- uint_t tcp_rtdstoptslen;
+ uint_t tcp_rthdrdstoptslen;
uint_t tcp_rthdrlen;
mblk_t *tcp_timercache;
- cred_t *tcp_cred; /* Credentials when this was opened */
- pid_t tcp_cpid; /* Process id when this was opened */
- uint64_t tcp_open_time; /* time when this was opened */
-
-
- union {
- struct {
- uchar_t v4_ttl;
- /* Dup of tcp_ipha.iph_type_of_service */
- uchar_t v4_tos; /* Dup of tcp_ipha.iph_ttl */
- } v4_hdr_info;
- struct {
- uint_t v6_vcf; /* Dup of tcp_ip6h.ip6h_vcf */
- uchar_t v6_hops; /* Dup of tcp_ip6h.ip6h_hops */
- } v6_hdr_info;
- } tcp_hdr_info;
-#define tcp_ttl tcp_hdr_info.v4_hdr_info.v4_ttl
-#define tcp_tos tcp_hdr_info.v4_hdr_info.v4_tos
-#define tcp_ip6_vcf tcp_hdr_info.v6_hdr_info.v6_vcf
-#define tcp_ip6_hops tcp_hdr_info.v6_hdr_info.v6_hops
-
- ushort_t tcp_ipversion;
- uint_t tcp_bound_if; /* IPV6_BOUND_IF */
-
-#define tcp_lport tcp_connp->conn_lport
-#define tcp_fport tcp_connp->conn_fport
-#define tcp_ports tcp_connp->conn_ports
-
-#define tcp_remote tcp_connp->conn_rem
-#define tcp_ip_src tcp_connp->conn_src
-
-#define tcp_remote_v6 tcp_connp->conn_remv6
-#define tcp_ip_src_v6 tcp_connp->conn_srcv6
-#define tcp_bound_source_v6 tcp_connp->conn_bound_source_v6
-#define tcp_bound_source tcp_connp->conn_bound_source
kmutex_t tcp_closelock;
kcondvar_t tcp_closecv;
@@ -497,36 +385,13 @@ typedef struct tcp_s {
struct tcp_s *tcp_bind_hash_port; /* tcp_t's bound to the same lport */
struct tcp_s **tcp_ptpbhn;
- boolean_t tcp_ire_ill_check_done;
- uint_t tcp_maxpsz;
-
- /*
- * used for Multidata Transmit
- */
- uint_t tcp_mdt_hdr_head; /* leading header fragment extra space */
- uint_t tcp_mdt_hdr_tail; /* trailing header fragment extra space */
- int tcp_mdt_max_pld; /* maximum payload buffers per Multidata */
+ uint_t tcp_maxpsz_multiplier;
uint32_t tcp_lso_max; /* maximum LSO payload */
uint32_t tcp_ofo_fin_seq; /* Recv out of order FIN seq num */
uint32_t tcp_cwr_snd_max;
- uint_t tcp_drop_opt_ack_cnt; /* # tcp generated optmgmt */
- ip6_pkt_t tcp_sticky_ipp; /* Sticky options */
-#define tcp_ipp_fields tcp_sticky_ipp.ipp_fields /* valid fields */
-#define tcp_ipp_ifindex tcp_sticky_ipp.ipp_ifindex /* pktinfo ifindex */
-#define tcp_ipp_addr tcp_sticky_ipp.ipp_addr /* pktinfo src/dst addr */
-#define tcp_ipp_hoplimit tcp_sticky_ipp.ipp_hoplimit
-#define tcp_ipp_hopoptslen tcp_sticky_ipp.ipp_hopoptslen
-#define tcp_ipp_rtdstoptslen tcp_sticky_ipp.ipp_rtdstoptslen
-#define tcp_ipp_rthdrlen tcp_sticky_ipp.ipp_rthdrlen
-#define tcp_ipp_dstoptslen tcp_sticky_ipp.ipp_dstoptslen
-#define tcp_ipp_hopopts tcp_sticky_ipp.ipp_hopopts
-#define tcp_ipp_rtdstopts tcp_sticky_ipp.ipp_rtdstopts
-#define tcp_ipp_rthdr tcp_sticky_ipp.ipp_rthdr
-#define tcp_ipp_dstopts tcp_sticky_ipp.ipp_dstopts
-#define tcp_ipp_nexthop tcp_sticky_ipp.ipp_nexthop
-#define tcp_ipp_use_min_mtu tcp_sticky_ipp.ipp_use_min_mtu
+
struct tcp_s *tcp_saved_listener; /* saved value of listener */
uint32_t tcp_in_ack_unsent; /* ACK for unsent data cnt. */
@@ -562,7 +427,6 @@ typedef struct tcp_s {
boolean_t tcp_kssl_inhandshake; /* during SSL handshake */
kssl_ent_t tcp_kssl_ent; /* SSL table entry */
kssl_ctx_t tcp_kssl_ctx; /* SSL session */
- uint_t tcp_label_len; /* length of cached label */
/*
* tcp_closemp_used is protected by listener's tcp_eager_lock
@@ -620,47 +484,17 @@ typedef struct tcp_s {
#define TCP_DEBUG_GETPCSTACK(buffer, depth)
#endif
-/*
- * Track a reference count on the tcps in order to know when
- * the tcps_g_q can be removed. As long as there is any
- * tcp_t, other that the tcps_g_q itself, in the tcp_stack_t we
- * need to keep tcps_g_q around so that a closing connection can
- * switch to using tcps_g_q as part of it closing.
- */
-#define TCPS_REFHOLD(tcps) { \
- atomic_add_32(&(tcps)->tcps_refcnt, 1); \
- ASSERT((tcps)->tcps_refcnt != 0); \
- DTRACE_PROBE1(tcps__refhold, tcp_stack_t, tcps); \
-}
-
-/*
- * Decrement the reference count on the tcp_stack_t.
- * In architectures e.g sun4u, where atomic_add_32_nv is just
- * a cas, we need to maintain the right memory barrier semantics
- * as that of mutex_exit i.e all the loads and stores should complete
- * before the cas is executed. membar_exit() does that here.
- */
-#define TCPS_REFRELE(tcps) { \
- ASSERT((tcps)->tcps_refcnt != 0); \
- membar_exit(); \
- DTRACE_PROBE1(tcps__refrele, tcp_stack_t, tcps); \
- if (atomic_add_32_nv(&(tcps)->tcps_refcnt, -1) == 0 && \
- (tcps)->tcps_g_q != NULL) { \
- /* Only tcps_g_q left */ \
- tcp_g_q_inactive(tcps); \
- } \
-}
-
extern void tcp_free(tcp_t *tcp);
extern void tcp_ddi_g_init(void);
extern void tcp_ddi_g_destroy(void);
-extern void tcp_g_q_inactive(tcp_stack_t *);
-extern void tcp_xmit_listeners_reset(mblk_t *mp, uint_t ip_hdr_len,
- zoneid_t zoneid, tcp_stack_t *, conn_t *connp);
-extern void tcp_conn_request(void *arg, mblk_t *mp, void *arg2);
-extern void tcp_conn_request_unbound(void *arg, mblk_t *mp, void *arg2);
-extern void tcp_input(void *arg, mblk_t *mp, void *arg2);
-extern void tcp_rput_data(void *arg, mblk_t *mp, void *arg2);
+extern void tcp_xmit_listeners_reset(mblk_t *, ip_recv_attr_t *,
+ ip_stack_t *, conn_t *);
+extern void tcp_input_listener(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *);
+extern void tcp_input_listener_unbound(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *);
+extern void tcp_input_data(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *);
extern void *tcp_get_conn(void *arg, tcp_stack_t *);
extern void tcp_time_wait_collector(void *arg);
extern mblk_t *tcp_snmp_get(queue_t *, mblk_t *);
@@ -668,7 +502,6 @@ extern int tcp_snmp_set(queue_t *, int, int, uchar_t *, int len);
extern mblk_t *tcp_xmit_mp(tcp_t *tcp, mblk_t *mp, int32_t max_to_send,
int32_t *offset, mblk_t **end_mp, uint32_t seq,
boolean_t sendall, uint32_t *seg_len, boolean_t rexmit);
-extern void tcp_xmit_reset(void *arg, mblk_t *mp, void *arg2);
/*
* The TCP Fanout structure.
@@ -706,6 +539,15 @@ typedef struct cl_tcp_info_s {
} cl_tcp_info_t;
/*
+ * Hook functions to enable cluster networking
+ * On non-clustered systems these vectors must always be NULL.
+ */
+extern void (*cl_inet_listen)(netstackid_t, uint8_t, sa_family_t,
+ uint8_t *, in_port_t, void *);
+extern void (*cl_inet_unlisten)(netstackid_t, uint8_t, sa_family_t,
+ uint8_t *, in_port_t, void *);
+
+/*
* Contracted Consolidation Private ioctl for aborting TCP connections.
* In order to keep the offsets and size of the structure the same between
* a 32-bit application and a 64-bit amd64 kernel, we use a #pragma
@@ -729,25 +571,6 @@ typedef struct tcp_ioc_abort_conn_s {
#pragma pack()
#endif
-#if (defined(_KERNEL) || defined(_KMEMUSER))
-extern void tcp_rput_other(tcp_t *tcp, mblk_t *mp);
-#endif
-
-#if (defined(_KERNEL))
-#define TCP_XRE_EVENT_IP_FANOUT_TCP 1
-
-/*
- * This is a private structure used to pass data to an squeue function during
- * tcp's listener reset sending path.
- */
-typedef struct tcp_xmit_reset_event {
- int tcp_xre_event;
- int tcp_xre_iphdrlen;
- zoneid_t tcp_xre_zoneid;
- tcp_stack_t *tcp_xre_tcps;
-} tcp_xmit_reset_event_t;
-#endif
-
#ifdef __cplusplus
}
#endif
diff --git a/usr/src/uts/common/inet/tcp/tcp.c b/usr/src/uts/common/inet/tcp/tcp.c
index c9a941eab2..0e1ef43cfb 100644
--- a/usr/src/uts/common/inet/tcp/tcp.c
+++ b/usr/src/uts/common/inet/tcp/tcp.c
@@ -46,8 +46,6 @@
#include <sys/ethernet.h>
#include <sys/cpuvar.h>
#include <sys/dlpi.h>
-#include <sys/multidata.h>
-#include <sys/multidata_impl.h>
#include <sys/pattr.h>
#include <sys/policy.h>
#include <sys/priv.h>
@@ -87,7 +85,6 @@
#include <inet/tcp_impl.h>
#include <inet/udp_impl.h>
#include <net/pfkeyv2.h>
-#include <inet/ipsec_info.h>
#include <inet/ipdrop.h>
#include <inet/ipclassifier.h>
@@ -95,6 +92,7 @@
#include <inet/ip_ftable.h>
#include <inet/ip_if.h>
#include <inet/ipp_common.h>
+#include <inet/ip_rts.h>
#include <inet/ip_netinfo.h>
#include <sys/squeue_impl.h>
#include <sys/squeue.h>
@@ -111,7 +109,7 @@
*
* The entire tcp state is contained in tcp_t and conn_t structure
* which are allocated in tandem using ipcl_conn_create() and passing
- * IPCL_CONNTCP as a flag. We use 'conn_ref' and 'conn_lock' to protect
+ * IPCL_TCPCONN as a flag. We use 'conn_ref' and 'conn_lock' to protect
* the references on the tcp_t. The tcp_t structure is never compressed
* and packets always land on the correct TCP perimeter from the time
* eager is created till the time tcp_t dies (as such the old mentat
@@ -172,8 +170,8 @@
*
* This is a more interesting case because of various races involved in
* establishing a eager in its own perimeter. Read the meta comment on
- * top of tcp_conn_request(). But briefly, the squeue is picked by
- * ip_tcp_input()/ip_fanout_tcp_v6() based on the interrupted CPU.
+ * top of tcp_input_listener(). But briefly, the squeue is picked by
+ * ip_fanout based on the ring or the sender (if loopback).
*
* Closing a connection:
*
@@ -198,20 +196,13 @@
*
* Special provisions and fast paths:
*
- * We make special provision for (AF_INET, SOCK_STREAM) sockets which
- * can't have 'ipv6_recvpktinfo' set and for these type of sockets, IP
- * will never send a M_CTL to TCP. As such, ip_tcp_input() which handles
- * all TCP packets from the wire makes a IPCL_IS_TCP4_CONNECTED_NO_POLICY
- * check to send packets directly to tcp_rput_data via squeue. Everyone
- * else comes through tcp_input() on the read side.
- *
- * We also make special provisions for sockfs by marking tcp_issocket
+ * We make special provisions for sockfs by marking tcp_issocket
* whenever we have only sockfs on top of TCP. This allows us to skip
* putting the tcp in acceptor hash since a sockfs listener can never
* become acceptor and also avoid allocating a tcp_t for acceptor STREAM
* since eager has already been allocated and the accept now happens
* on acceptor STREAM. There is a big blob of comment on top of
- * tcp_conn_request explaining the new accept. When socket is POP'd,
+ * tcp_input_listener explaining the new accept. When socket is POP'd,
* sockfs sends us an ioctl to mark the fact and we go back to old
* behaviour. Once tcp_issocket is unset, its never set for the
* life of that connection.
@@ -224,13 +215,6 @@
* only exception is tcp_xmit_listeners_reset() which is called
* directly from IP and needs to policy check to see if TH_RST
* can be sent out.
- *
- * PFHooks notes :
- *
- * For mdt case, one meta buffer contains multiple packets. Mblks for every
- * packet are assembled and passed to the hooks. When packets are blocked,
- * or boundary of any packet is changed, the mdt processing is stopped, and
- * packets of the meta buffer are send to the IP path one by one.
*/
/*
@@ -244,7 +228,7 @@ int tcp_squeue_flag;
/*
* This controls how tiny a write must be before we try to copy it
- * into the the mblk on the tail of the transmit queue. Not much
+ * into the mblk on the tail of the transmit queue. Not much
* speedup is observed for values larger than sixteen. Zero will
* disable the optimisation.
*/
@@ -333,16 +317,6 @@ static uint_t tcp_clean_death_stat[TCP_MAX_CLEAN_DEATH_TAG];
tcp_g_stat_t tcp_g_statistics;
kstat_t *tcp_g_kstat;
-/*
- * Call either ip_output or ip_output_v6. This replaces putnext() calls on the
- * tcp write side.
- */
-#define CALL_IP_WPUT(connp, q, mp) { \
- ASSERT(((q)->q_flag & QREADR) == 0); \
- TCP_DBGSTAT(connp->conn_netstack->netstack_tcp, tcp_ip_output); \
- connp->conn_send(connp, (mp), (q), IP_WPUT); \
-}
-
/* Macros for timestamp comparisons */
#define TSTMP_GEQ(a, b) ((int32_t)((a)-(b)) >= 0)
#define TSTMP_LT(a, b) ((int32_t)((a)-(b)) < 0)
@@ -354,7 +328,7 @@ kstat_t *tcp_g_kstat;
* nanoseconds (versus every 4 microseconds suggested by RFC 793, page 27);
* a per-connection component which grows by 125000 for every new connection;
* and an "extra" component that grows by a random amount centered
- * approximately on 64000. This causes the the ISS generator to cycle every
+ * approximately on 64000. This causes the ISS generator to cycle every
* 4.89 hours if no TCP connections are made, and faster if connections are
* made.
*
@@ -381,8 +355,13 @@ static sin6_t sin6_null; /* Zero address for quick clears */
*/
#define TCP_OLD_URP_INTERPRETATION 1
+/*
+ * Since tcp_listener is not cleared atomically with tcp_detached
+ * being cleared we need this extra bit to tell a detached connection
+ * apart from one that is in the process of being accepted.
+ */
#define TCP_IS_DETACHED_NONEAGER(tcp) \
- (TCP_IS_DETACHED(tcp) && \
+ (TCP_IS_DETACHED(tcp) && \
(!(tcp)->tcp_hard_binding))
/*
@@ -495,7 +474,6 @@ typedef struct tcp_timer_s {
static kmem_cache_t *tcp_timercache;
kmem_cache_t *tcp_sack_info_cache;
-kmem_cache_t *tcp_iphc_cache;
/*
* For scalability, we must not run a timer for every TCP connection
@@ -592,17 +570,6 @@ typedef struct tcp_opt_s {
} tcp_opt_t;
/*
- * TCP option struct passing information b/w lisenter and eager.
- */
-struct tcp_options {
- uint_t to_flags;
- ssize_t to_boundif; /* IPV6_BOUND_IF */
-};
-
-#define TCPOPT_BOUNDIF 0x00000001 /* set IPV6_BOUND_IF */
-#define TCPOPT_RECVPKTINFO 0x00000002 /* set IPV6_RECVPKTINFO */
-
-/*
* RFC1323-recommended phrasing of TSTAMP option, for easier parsing
*/
@@ -673,43 +640,53 @@ typedef struct tcpt_s {
/*
* Functions called directly via squeue having a prototype of edesc_t.
*/
-void tcp_conn_request(void *arg, mblk_t *mp, void *arg2);
-static void tcp_wput_nondata(void *arg, mblk_t *mp, void *arg2);
-void tcp_accept_finish(void *arg, mblk_t *mp, void *arg2);
-static void tcp_wput_ioctl(void *arg, mblk_t *mp, void *arg2);
-static void tcp_wput_proto(void *arg, mblk_t *mp, void *arg2);
-void tcp_input(void *arg, mblk_t *mp, void *arg2);
-void tcp_rput_data(void *arg, mblk_t *mp, void *arg2);
-static void tcp_close_output(void *arg, mblk_t *mp, void *arg2);
-void tcp_output(void *arg, mblk_t *mp, void *arg2);
-void tcp_output_urgent(void *arg, mblk_t *mp, void *arg2);
-static void tcp_rsrv_input(void *arg, mblk_t *mp, void *arg2);
-static void tcp_timer_handler(void *arg, mblk_t *mp, void *arg2);
-static void tcp_linger_interrupted(void *arg, mblk_t *mp, void *arg2);
+void tcp_input_listener(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *ira);
+static void tcp_wput_nondata(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy);
+void tcp_accept_finish(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy);
+static void tcp_wput_ioctl(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy);
+static void tcp_wput_proto(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy);
+void tcp_input_data(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *ira);
+static void tcp_close_output(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy);
+void tcp_output(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy);
+void tcp_output_urgent(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy);
+static void tcp_rsrv_input(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy);
+static void tcp_timer_handler(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy);
+static void tcp_linger_interrupted(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy);
/* Prototype for TCP functions */
static void tcp_random_init(void);
int tcp_random(void);
static void tcp_tli_accept(tcp_t *tcp, mblk_t *mp);
-static int tcp_accept_swap(tcp_t *listener, tcp_t *acceptor,
+static void tcp_accept_swap(tcp_t *listener, tcp_t *acceptor,
tcp_t *eager);
-static int tcp_adapt_ire(tcp_t *tcp, mblk_t *ire_mp);
+static int tcp_set_destination(tcp_t *tcp);
static in_port_t tcp_bindi(tcp_t *tcp, in_port_t port, const in6_addr_t *laddr,
int reuseaddr, boolean_t quick_connect, boolean_t bind_to_req_port_only,
boolean_t user_specified);
static void tcp_closei_local(tcp_t *tcp);
static void tcp_close_detached(tcp_t *tcp);
-static boolean_t tcp_conn_con(tcp_t *tcp, uchar_t *iphdr, tcph_t *tcph,
- mblk_t *idmp, mblk_t **defermp);
+static boolean_t tcp_conn_con(tcp_t *tcp, uchar_t *iphdr,
+ mblk_t *idmp, mblk_t **defermp, ip_recv_attr_t *ira);
static void tcp_tpi_connect(tcp_t *tcp, mblk_t *mp);
static int tcp_connect_ipv4(tcp_t *tcp, ipaddr_t *dstaddrp,
- in_port_t dstport, uint_t srcid, cred_t *cr, pid_t pid);
-static int tcp_connect_ipv6(tcp_t *tcp, in6_addr_t *dstaddrp,
- in_port_t dstport, uint32_t flowinfo, uint_t srcid,
- uint32_t scope_id, cred_t *cr, pid_t pid);
+ in_port_t dstport, uint_t srcid);
+static int tcp_connect_ipv6(tcp_t *tcp, in6_addr_t *dstaddrp,
+ in_port_t dstport, uint32_t flowinfo,
+ uint_t srcid, uint32_t scope_id);
static int tcp_clean_death(tcp_t *tcp, int err, uint8_t tag);
-static void tcp_def_q_set(tcp_t *tcp, mblk_t *mp);
static void tcp_disconnect(tcp_t *tcp, mblk_t *mp);
static char *tcp_display(tcp_t *tcp, char *, char);
static boolean_t tcp_eager_blowoff(tcp_t *listener, t_scalar_t seqnum);
@@ -735,34 +712,16 @@ static void tcp_acceptor_hash_remove(tcp_t *tcp);
static void tcp_capability_req(tcp_t *tcp, mblk_t *mp);
static void tcp_info_req(tcp_t *tcp, mblk_t *mp);
static void tcp_addr_req(tcp_t *tcp, mblk_t *mp);
-static void tcp_addr_req_ipv6(tcp_t *tcp, mblk_t *mp);
-void tcp_g_q_setup(tcp_stack_t *);
-void tcp_g_q_create(tcp_stack_t *);
-void tcp_g_q_destroy(tcp_stack_t *);
-static int tcp_header_init_ipv4(tcp_t *tcp);
-static int tcp_header_init_ipv6(tcp_t *tcp);
-int tcp_init(tcp_t *tcp, queue_t *q);
-static int tcp_init_values(tcp_t *tcp);
-static mblk_t *tcp_ip_advise_mblk(void *addr, int addr_len, ipic_t **ipic);
-static void tcp_ip_ire_mark_advice(tcp_t *tcp);
+static void tcp_init_values(tcp_t *tcp);
static void tcp_ip_notify(tcp_t *tcp);
-static mblk_t *tcp_ire_mp(mblk_t **mpp);
static void tcp_iss_init(tcp_t *tcp);
static void tcp_keepalive_killer(void *arg);
-static int tcp_parse_options(tcph_t *tcph, tcp_opt_t *tcpopt);
-static void tcp_mss_set(tcp_t *tcp, uint32_t size, boolean_t do_ss);
+static int tcp_parse_options(tcpha_t *tcpha, tcp_opt_t *tcpopt);
+static void tcp_mss_set(tcp_t *tcp, uint32_t size);
static int tcp_conprim_opt_process(tcp_t *tcp, mblk_t *mp,
int *do_disconnectp, int *t_errorp, int *sys_errorp);
static boolean_t tcp_allow_connopt_set(int level, int name);
int tcp_opt_default(queue_t *q, int level, int name, uchar_t *ptr);
-int tcp_tpi_opt_get(queue_t *q, int level, int name, uchar_t *ptr);
-int tcp_tpi_opt_set(queue_t *q, uint_t optset_context, int level,
- int name, uint_t inlen, uchar_t *invalp, uint_t *outlenp,
- uchar_t *outvalp, void *thisdg_attrs, cred_t *cr,
- mblk_t *mblk);
-static void tcp_opt_reverse(tcp_t *tcp, ipha_t *ipha);
-static int tcp_opt_set_header(tcp_t *tcp, boolean_t checkonly,
- uchar_t *ptr, uint_t len);
static int tcp_param_get(queue_t *q, mblk_t *mp, caddr_t cp, cred_t *cr);
static boolean_t tcp_param_register(IDP *ndp, tcpparam_t *tcppa, int cnt,
tcp_stack_t *);
@@ -785,9 +744,9 @@ static uint_t tcp_rcv_drain(tcp_t *tcp);
static void tcp_sack_rxmit(tcp_t *tcp, uint_t *flags);
static boolean_t tcp_send_rst_chk(tcp_stack_t *);
static void tcp_ss_rexmit(tcp_t *tcp);
-static mblk_t *tcp_rput_add_ancillary(tcp_t *tcp, mblk_t *mp, ip6_pkt_t *ipp);
-static void tcp_process_options(tcp_t *, tcph_t *);
-static void tcp_rput_common(tcp_t *tcp, mblk_t *mp);
+static mblk_t *tcp_input_add_ancillary(tcp_t *tcp, mblk_t *mp, ip_pkt_t *ipp,
+ ip_recv_attr_t *);
+static void tcp_process_options(tcp_t *, tcpha_t *);
static void tcp_rsrv(queue_t *q);
static int tcp_snmp_state(tcp_t *tcp);
static void tcp_timer(void *arg);
@@ -801,16 +760,10 @@ void tcp_tpi_accept(queue_t *q, mblk_t *mp);
static void tcp_wput_data(tcp_t *tcp, mblk_t *mp, boolean_t urgent);
static void tcp_wput_flush(tcp_t *tcp, mblk_t *mp);
static void tcp_wput_iocdata(tcp_t *tcp, mblk_t *mp);
-static int tcp_send(queue_t *q, tcp_t *tcp, const int mss,
- const int tcp_hdr_len, const int tcp_tcp_hdr_len,
+static int tcp_send(tcp_t *tcp, const int mss,
+ const int total_hdr_len, const int tcp_hdr_len,
const int num_sack_blk, int *usable, uint_t *snxt,
- int *tail_unsent, mblk_t **xmit_tail, mblk_t *local_time,
- const int mdt_thres);
-static int tcp_multisend(queue_t *q, tcp_t *tcp, const int mss,
- const int tcp_hdr_len, const int tcp_tcp_hdr_len,
- const int num_sack_blk, int *usable, uint_t *snxt,
- int *tail_unsent, mblk_t **xmit_tail, mblk_t *local_time,
- const int mdt_thres);
+ int *tail_unsent, mblk_t **xmit_tail, mblk_t *local_time);
static void tcp_fill_header(tcp_t *tcp, uchar_t *rptr, clock_t now,
int num_sack_blk);
static void tcp_wsrv(queue_t *q);
@@ -818,38 +771,36 @@ static int tcp_xmit_end(tcp_t *tcp);
static void tcp_ack_timer(void *arg);
static mblk_t *tcp_ack_mp(tcp_t *tcp);
static void tcp_xmit_early_reset(char *str, mblk_t *mp,
- uint32_t seq, uint32_t ack, int ctl, uint_t ip_hdr_len,
- zoneid_t zoneid, tcp_stack_t *, conn_t *connp);
+ uint32_t seq, uint32_t ack, int ctl, ip_recv_attr_t *,
+ ip_stack_t *, conn_t *);
static void tcp_xmit_ctl(char *str, tcp_t *tcp, uint32_t seq,
uint32_t ack, int ctl);
-static int setmaxps(queue_t *q, int maxpsz);
static void tcp_set_rto(tcp_t *, time_t);
-static boolean_t tcp_check_policy(tcp_t *, mblk_t *, ipha_t *, ip6_t *,
- boolean_t, boolean_t);
-static void tcp_icmp_error_ipv6(tcp_t *tcp, mblk_t *mp,
- boolean_t ipsec_mctl);
+static void tcp_icmp_input(void *, mblk_t *, void *, ip_recv_attr_t *);
+static void tcp_icmp_error_ipv6(tcp_t *, mblk_t *, ip_recv_attr_t *);
+static boolean_t tcp_verifyicmp(conn_t *, void *, icmph_t *, icmp6_t *,
+ ip_recv_attr_t *);
static int tcp_build_hdrs(tcp_t *);
static void tcp_time_wait_processing(tcp_t *tcp, mblk_t *mp,
- uint32_t seg_seq, uint32_t seg_ack, int seg_len,
- tcph_t *tcph);
-boolean_t tcp_paws_check(tcp_t *tcp, tcph_t *tcph, tcp_opt_t *tcpoptp);
-static mblk_t *tcp_mdt_info_mp(mblk_t *);
-static void tcp_mdt_update(tcp_t *, ill_mdt_capab_t *, boolean_t);
-static int tcp_mdt_add_attrs(multidata_t *, const mblk_t *,
- const boolean_t, const uint32_t, const uint32_t,
- const uint32_t, const uint32_t, tcp_stack_t *);
-static void tcp_multisend_data(tcp_t *, ire_t *, const ill_t *, mblk_t *,
- const uint_t, const uint_t, boolean_t *);
-static mblk_t *tcp_lso_info_mp(mblk_t *);
-static void tcp_lso_update(tcp_t *, ill_lso_capab_t *);
-static void tcp_send_data(tcp_t *, queue_t *, mblk_t *);
+ uint32_t seg_seq, uint32_t seg_ack, int seg_len, tcpha_t *tcpha,
+ ip_recv_attr_t *ira);
+boolean_t tcp_paws_check(tcp_t *tcp, tcpha_t *tcpha, tcp_opt_t *tcpoptp);
+static boolean_t tcp_zcopy_check(tcp_t *);
+static void tcp_zcopy_notify(tcp_t *);
+static mblk_t *tcp_zcopy_backoff(tcp_t *, mblk_t *, boolean_t);
+static void tcp_update_lso(tcp_t *tcp, ip_xmit_attr_t *ixa);
+static void tcp_update_pmtu(tcp_t *tcp, boolean_t decrease_only);
+static void tcp_update_zcopy(tcp_t *tcp);
+static void tcp_notify(void *, ip_xmit_attr_t *, ixa_notify_type_t,
+ ixa_notify_arg_t);
+static void tcp_rexmit_after_error(tcp_t *tcp);
+static void tcp_send_data(tcp_t *, mblk_t *);
extern mblk_t *tcp_timermp_alloc(int);
extern void tcp_timermp_free(tcp_t *);
static void tcp_timer_free(tcp_t *tcp, mblk_t *mp);
static void tcp_stop_lingering(tcp_t *tcp);
static void tcp_close_linger_timeout(void *arg);
static void *tcp_stack_init(netstackid_t stackid, netstack_t *ns);
-static void tcp_stack_shutdown(netstackid_t stackid, void *arg);
static void tcp_stack_fini(netstackid_t stackid, void *arg);
static void *tcp_g_kstat_init(tcp_g_stat_t *);
static void tcp_g_kstat_fini(kstat_t *);
@@ -858,11 +809,10 @@ static void tcp_kstat_fini(netstackid_t, kstat_t *);
static void *tcp_kstat2_init(netstackid_t, tcp_stat_t *);
static void tcp_kstat2_fini(netstackid_t, kstat_t *);
static int tcp_kstat_update(kstat_t *kp, int rw);
-void tcp_reinput(conn_t *connp, mblk_t *mp, squeue_t *sqp);
-static int tcp_conn_create_v6(conn_t *lconnp, conn_t *connp, mblk_t *mp,
- tcph_t *tcph, uint_t ipvers, mblk_t *idmp);
-static int tcp_conn_create_v4(conn_t *lconnp, conn_t *connp, ipha_t *ipha,
- tcph_t *tcph, mblk_t *idmp);
+static mblk_t *tcp_conn_create_v6(conn_t *lconnp, conn_t *connp, mblk_t *mp,
+ ip_recv_attr_t *ira);
+static mblk_t *tcp_conn_create_v4(conn_t *lconnp, conn_t *connp, mblk_t *mp,
+ ip_recv_attr_t *ira);
static int tcp_squeue_switch(int);
static int tcp_open(queue_t *, dev_t *, int, int, cred_t *, boolean_t);
@@ -872,21 +822,17 @@ static int tcp_tpi_close(queue_t *, int);
static int tcp_tpi_close_accept(queue_t *);
static void tcp_squeue_add(squeue_t *);
-static boolean_t tcp_zcopy_check(tcp_t *);
-static void tcp_zcopy_notify(tcp_t *);
-static mblk_t *tcp_zcopy_disable(tcp_t *, mblk_t *);
-static mblk_t *tcp_zcopy_backoff(tcp_t *, mblk_t *, int);
-static void tcp_ire_ill_check(tcp_t *, ire_t *, ill_t *, boolean_t);
+static void tcp_setcred_data(mblk_t *, ip_recv_attr_t *);
-extern void tcp_kssl_input(tcp_t *, mblk_t *);
+extern void tcp_kssl_input(tcp_t *, mblk_t *, cred_t *);
-void tcp_eager_kill(void *arg, mblk_t *mp, void *arg2);
-void tcp_clean_death_wrapper(void *arg, mblk_t *mp, void *arg2);
+void tcp_eager_kill(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy);
+void tcp_clean_death_wrapper(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy);
static int tcp_accept(sock_lower_handle_t, sock_lower_handle_t,
sock_upper_handle_t, cred_t *);
static int tcp_listen(sock_lower_handle_t, int, cred_t *);
-static int tcp_post_ip_bind(tcp_t *, mblk_t *, int, cred_t *, pid_t);
static int tcp_do_listen(conn_t *, struct sockaddr *, socklen_t, int, cred_t *,
boolean_t);
static int tcp_do_connect(conn_t *, const struct sockaddr *, socklen_t,
@@ -922,7 +868,8 @@ static void tcp_ulp_newconn(conn_t *, conn_t *, mblk_t *);
*/
static mblk_t *tcp_ioctl_abort_build_msg(tcp_ioc_abort_conn_t *, tcp_t *);
static void tcp_ioctl_abort_dump(tcp_ioc_abort_conn_t *);
-static void tcp_ioctl_abort_handler(tcp_t *, mblk_t *);
+static void tcp_ioctl_abort_handler(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy);
static int tcp_ioctl_abort(tcp_ioc_abort_conn_t *, tcp_stack_t *tcps);
static void tcp_ioctl_abort_conn(queue_t *, mblk_t *);
static int tcp_ioctl_abort_bucket(tcp_ioc_abort_conn_t *, int, int *,
@@ -988,12 +935,6 @@ struct streamtab tcpinfov6 = {
sock_downcalls_t sock_tcp_downcalls;
-/*
- * Have to ensure that tcp_g_q_close is not done by an
- * interrupt thread.
- */
-static taskq_t *tcp_taskq;
-
/* Setable only in /etc/system. Move to ndd? */
boolean_t tcp_icmp_source_quench = B_FALSE;
@@ -1042,8 +983,8 @@ static struct T_info_ack tcp_g_t_info_ack_v6 = {
#define PARAM_MAX (~(uint32_t)0)
/* Max size IP datagram is 64k - 1 */
-#define TCP_MSS_MAX_IPV4 (IP_MAXPACKET - (sizeof (ipha_t) + sizeof (tcph_t)))
-#define TCP_MSS_MAX_IPV6 (IP_MAXPACKET - (sizeof (ip6_t) + sizeof (tcph_t)))
+#define TCP_MSS_MAX_IPV4 (IP_MAXPACKET - (sizeof (ipha_t) + sizeof (tcpha_t)))
+#define TCP_MSS_MAX_IPV6 (IP_MAXPACKET - (sizeof (ip6_t) + sizeof (tcpha_t)))
/* Max of the above */
#define TCP_MSS_MAX TCP_MSS_MAX_IPV4
@@ -1128,29 +1069,10 @@ static tcpparam_t lcl_tcp_param_arr[] = {
{ 0, 100*MS, 50*MS, "tcp_push_timer_interval"},
{ 0, 1, 0, "tcp_use_smss_as_mss_opt"},
{ 0, PARAM_MAX, 8*MINUTES, "tcp_keepalive_abort_interval"},
+ { 0, 1, 0, "tcp_dev_flow_ctl"},
};
/* END CSTYLED */
-/*
- * tcp_mdt_hdr_{head,tail}_min are the leading and trailing spaces of
- * each header fragment in the header buffer. Each parameter value has
- * to be a multiple of 4 (32-bit aligned).
- */
-static tcpparam_t lcl_tcp_mdt_head_param =
- { 32, 256, 32, "tcp_mdt_hdr_head_min" };
-static tcpparam_t lcl_tcp_mdt_tail_param =
- { 0, 256, 32, "tcp_mdt_hdr_tail_min" };
-#define tcps_mdt_hdr_head_min tcps_mdt_head_param->tcp_param_val
-#define tcps_mdt_hdr_tail_min tcps_mdt_tail_param->tcp_param_val
-
-/*
- * tcp_mdt_max_pbufs is the upper limit value that tcp uses to figure out
- * the maximum number of payload buffers associated per Multidata.
- */
-static tcpparam_t lcl_tcp_mdt_max_pbufs_param =
- { 1, MULTIDATA_MAX_PBUFS, MULTIDATA_MAX_PBUFS, "tcp_mdt_max_pbufs" };
-#define tcps_mdt_max_pbufs tcps_mdt_max_pbufs_param->tcp_param_val
-
/* Round up the value to the nearest mss. */
#define MSS_ROUNDUP(value, mss) ((((value) - 1) / (mss) + 1) * (mss))
@@ -1162,7 +1084,7 @@ static tcpparam_t lcl_tcp_mdt_max_pbufs_param =
* point ECT(0) for TCP as described in RFC 2481.
*/
#define SET_ECT(tcp, iph) \
- if ((tcp)->tcp_ipversion == IPV4_VERSION) { \
+ if ((tcp)->tcp_connp->conn_ipversion == IPV4_VERSION) { \
/* We need to clear the code point first. */ \
((ipha_t *)(iph))->ipha_type_of_service &= 0xFC; \
((ipha_t *)(iph))->ipha_type_of_service |= IPH_ECN_ECT0; \
@@ -1183,23 +1105,12 @@ static tcpparam_t lcl_tcp_mdt_max_pbufs_param =
#define IS_VMLOANED_MBLK(mp) \
(((mp)->b_datap->db_struioflag & STRUIO_ZC) != 0)
-
-/* Enable or disable b_cont M_MULTIDATA chaining for MDT. */
-boolean_t tcp_mdt_chain = B_TRUE;
-
-/*
- * MDT threshold in the form of effective send MSS multiplier; we take
- * the MDT path if the amount of unsent data exceeds the threshold value
- * (default threshold is 1*SMSS).
- */
-uint_t tcp_mdt_smss_threshold = 1;
-
uint32_t do_tcpzcopy = 1; /* 0: disable, 1: enable, 2: force */
/*
* Forces all connections to obey the value of the tcps_maxpsz_multiplier
* tunable settable via NDD. Otherwise, the per-connection behavior is
- * determined dynamically during tcp_adapt_ire(), which is the default.
+ * determined dynamically during tcp_set_destination(), which is the default.
*/
boolean_t tcp_static_maxpsz = B_FALSE;
@@ -1273,84 +1184,73 @@ int (*cl_inet_connect2)(netstackid_t stack_id, uint8_t protocol,
uint8_t *laddrp, in_port_t lport,
uint8_t *faddrp, in_port_t fport,
void *args) = NULL;
-
void (*cl_inet_disconnect)(netstackid_t stack_id, uint8_t protocol,
sa_family_t addr_family, uint8_t *laddrp,
in_port_t lport, uint8_t *faddrp,
in_port_t fport, void *args) = NULL;
-/*
- * The following are defined in ip.c
- */
-extern int (*cl_inet_isclusterwide)(netstackid_t stack_id, uint8_t protocol,
- sa_family_t addr_family, uint8_t *laddrp,
- void *args);
-extern uint32_t (*cl_inet_ipident)(netstackid_t stack_id, uint8_t protocol,
- sa_family_t addr_family, uint8_t *laddrp,
- uint8_t *faddrp, void *args);
-
/*
* int CL_INET_CONNECT(conn_t *cp, tcp_t *tcp, boolean_t is_outgoing, int err)
*/
-#define CL_INET_CONNECT(connp, tcp, is_outgoing, err) { \
+#define CL_INET_CONNECT(connp, is_outgoing, err) { \
(err) = 0; \
if (cl_inet_connect2 != NULL) { \
/* \
* Running in cluster mode - register active connection \
* information \
*/ \
- if ((tcp)->tcp_ipversion == IPV4_VERSION) { \
- if ((tcp)->tcp_ipha->ipha_src != 0) { \
+ if ((connp)->conn_ipversion == IPV4_VERSION) { \
+ if ((connp)->conn_laddr_v4 != 0) { \
(err) = (*cl_inet_connect2)( \
(connp)->conn_netstack->netstack_stackid,\
IPPROTO_TCP, is_outgoing, AF_INET, \
- (uint8_t *)(&((tcp)->tcp_ipha->ipha_src)),\
- (in_port_t)(tcp)->tcp_lport, \
- (uint8_t *)(&((tcp)->tcp_ipha->ipha_dst)),\
- (in_port_t)(tcp)->tcp_fport, NULL); \
+ (uint8_t *)(&((connp)->conn_laddr_v4)),\
+ (in_port_t)(connp)->conn_lport, \
+ (uint8_t *)(&((connp)->conn_faddr_v4)),\
+ (in_port_t)(connp)->conn_fport, NULL); \
} \
} else { \
if (!IN6_IS_ADDR_UNSPECIFIED( \
- &(tcp)->tcp_ip6h->ip6_src)) { \
+ &(connp)->conn_laddr_v6)) { \
(err) = (*cl_inet_connect2)( \
(connp)->conn_netstack->netstack_stackid,\
IPPROTO_TCP, is_outgoing, AF_INET6, \
- (uint8_t *)(&((tcp)->tcp_ip6h->ip6_src)),\
- (in_port_t)(tcp)->tcp_lport, \
- (uint8_t *)(&((tcp)->tcp_ip6h->ip6_dst)),\
- (in_port_t)(tcp)->tcp_fport, NULL); \
+ (uint8_t *)(&((connp)->conn_laddr_v6)),\
+ (in_port_t)(connp)->conn_lport, \
+ (uint8_t *)(&((connp)->conn_faddr_v6)), \
+ (in_port_t)(connp)->conn_fport, NULL); \
} \
} \
} \
}
-#define CL_INET_DISCONNECT(connp, tcp) { \
+#define CL_INET_DISCONNECT(connp) { \
if (cl_inet_disconnect != NULL) { \
/* \
* Running in cluster mode - deregister active \
* connection information \
*/ \
- if ((tcp)->tcp_ipversion == IPV4_VERSION) { \
- if ((tcp)->tcp_ip_src != 0) { \
+ if ((connp)->conn_ipversion == IPV4_VERSION) { \
+ if ((connp)->conn_laddr_v4 != 0) { \
(*cl_inet_disconnect)( \
(connp)->conn_netstack->netstack_stackid,\
IPPROTO_TCP, AF_INET, \
- (uint8_t *)(&((tcp)->tcp_ip_src)), \
- (in_port_t)(tcp)->tcp_lport, \
- (uint8_t *)(&((tcp)->tcp_ipha->ipha_dst)),\
- (in_port_t)(tcp)->tcp_fport, NULL); \
+ (uint8_t *)(&((connp)->conn_laddr_v4)),\
+ (in_port_t)(connp)->conn_lport, \
+ (uint8_t *)(&((connp)->conn_faddr_v4)),\
+ (in_port_t)(connp)->conn_fport, NULL); \
} \
} else { \
if (!IN6_IS_ADDR_UNSPECIFIED( \
- &(tcp)->tcp_ip_src_v6)) { \
+ &(connp)->conn_laddr_v6)) { \
(*cl_inet_disconnect)( \
(connp)->conn_netstack->netstack_stackid,\
IPPROTO_TCP, AF_INET6, \
- (uint8_t *)(&((tcp)->tcp_ip_src_v6)),\
- (in_port_t)(tcp)->tcp_lport, \
- (uint8_t *)(&((tcp)->tcp_ip6h->ip6_dst)),\
- (in_port_t)(tcp)->tcp_fport, NULL); \
+ (uint8_t *)(&((connp)->conn_laddr_v6)),\
+ (in_port_t)(connp)->conn_lport, \
+ (uint8_t *)(&((connp)->conn_faddr_v6)), \
+ (in_port_t)(connp)->conn_fport, NULL); \
} \
} \
} \
@@ -1367,11 +1267,6 @@ int cl_tcp_walk_list(netstackid_t stack_id,
static int cl_tcp_walk_list_stack(int (*callback)(cl_tcp_info_t *, void *),
void *arg, tcp_stack_t *tcps);
-#define DTRACE_IP_FASTPATH(mp, iph, ill, ipha, ip6h) \
- DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL, void_ip_t *, \
- iph, __dtrace_ipsr_ill_t *, ill, ipha_t *, ipha, \
- ip6_t *, ip6h, int, 0);
-
static void
tcp_set_recv_threshold(tcp_t *tcp, uint32_t new_rcvthresh)
{
@@ -1540,7 +1435,7 @@ tcp_time_wait_append(tcp_t *tcp)
/* ARGSUSED */
void
-tcp_timewait_output(void *arg, mblk_t *mp, void *arg2)
+tcp_timewait_output(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
conn_t *connp = (conn_t *)arg;
tcp_t *tcp = connp->conn_tcp;
@@ -1551,11 +1446,11 @@ tcp_timewait_output(void *arg, mblk_t *mp, void *arg2)
return;
}
- ASSERT((tcp->tcp_family == AF_INET &&
- tcp->tcp_ipversion == IPV4_VERSION) ||
- (tcp->tcp_family == AF_INET6 &&
- (tcp->tcp_ipversion == IPV4_VERSION ||
- tcp->tcp_ipversion == IPV6_VERSION)));
+ ASSERT((connp->conn_family == AF_INET &&
+ connp->conn_ipversion == IPV4_VERSION) ||
+ (connp->conn_family == AF_INET6 &&
+ (connp->conn_ipversion == IPV4_VERSION ||
+ connp->conn_ipversion == IPV6_VERSION)));
ASSERT(!tcp->tcp_listener);
TCP_STAT(tcps, tcp_time_wait_reap);
@@ -1579,10 +1474,17 @@ tcp_ipsec_cleanup(tcp_t *tcp)
ASSERT(connp->conn_flags & IPCL_TCPCONN);
if (connp->conn_latch != NULL) {
- IPLATCH_REFRELE(connp->conn_latch,
- connp->conn_netstack);
+ IPLATCH_REFRELE(connp->conn_latch);
connp->conn_latch = NULL;
}
+ if (connp->conn_latch_in_policy != NULL) {
+ IPPOL_REFRELE(connp->conn_latch_in_policy);
+ connp->conn_latch_in_policy = NULL;
+ }
+ if (connp->conn_latch_in_action != NULL) {
+ IPACT_REFRELE(connp->conn_latch_in_action);
+ connp->conn_latch_in_action = NULL;
+ }
if (connp->conn_policy != NULL) {
IPPH_REFRELE(connp->conn_policy, connp->conn_netstack);
connp->conn_policy = NULL;
@@ -1598,9 +1500,6 @@ void
tcp_cleanup(tcp_t *tcp)
{
mblk_t *mp;
- char *tcp_iphc;
- int tcp_iphc_len;
- int tcp_hdr_grown;
tcp_sack_info_t *tcp_sack_info;
conn_t *connp = tcp->tcp_connp;
tcp_stack_t *tcps = tcp->tcp_tcps;
@@ -1611,6 +1510,22 @@ tcp_cleanup(tcp_t *tcp)
/* Cleanup that which needs the netstack first */
tcp_ipsec_cleanup(tcp);
+ ixa_cleanup(connp->conn_ixa);
+
+ if (connp->conn_ht_iphc != NULL) {
+ kmem_free(connp->conn_ht_iphc, connp->conn_ht_iphc_allocated);
+ connp->conn_ht_iphc = NULL;
+ connp->conn_ht_iphc_allocated = 0;
+ connp->conn_ht_iphc_len = 0;
+ connp->conn_ht_ulp = NULL;
+ connp->conn_ht_ulp_len = 0;
+ tcp->tcp_ipha = NULL;
+ tcp->tcp_ip6h = NULL;
+ tcp->tcp_tcpha = NULL;
+ }
+
+ /* We clear any IP_OPTIONS and extension headers */
+ ip_pkt_free(&connp->conn_xmit_ipp);
tcp_free(tcp);
@@ -1626,8 +1541,6 @@ tcp_cleanup(tcp_t *tcp)
}
tcp->tcp_kssl_pending = B_FALSE;
- conn_delete_ire(connp, NULL);
-
/*
* Since we will bzero the entire structure, we need to
* remove it and reinsert it in global hash list. We
@@ -1639,46 +1552,36 @@ tcp_cleanup(tcp_t *tcp)
*/
ipcl_globalhash_remove(connp);
- /*
- * Now it is safe to decrement the reference counts.
- * This might be the last reference on the netstack and TCPS
- * in which case it will cause the tcp_g_q_close and
- * the freeing of the IP Instance.
- */
- connp->conn_netstack = NULL;
- netstack_rele(ns);
- ASSERT(tcps != NULL);
- tcp->tcp_tcps = NULL;
- TCPS_REFRELE(tcps);
-
/* Save some state */
mp = tcp->tcp_timercache;
tcp_sack_info = tcp->tcp_sack_info;
- tcp_iphc = tcp->tcp_iphc;
- tcp_iphc_len = tcp->tcp_iphc_len;
- tcp_hdr_grown = tcp->tcp_hdr_grown;
tcp_rsrv_mp = tcp->tcp_rsrv_mp;
if (connp->conn_cred != NULL) {
crfree(connp->conn_cred);
connp->conn_cred = NULL;
}
- if (connp->conn_effective_cred != NULL) {
- crfree(connp->conn_effective_cred);
- connp->conn_effective_cred = NULL;
- }
ipcl_conn_cleanup(connp);
connp->conn_flags = IPCL_TCPCONN;
+
+ /*
+ * Now it is safe to decrement the reference counts.
+ * This might be the last reference on the netstack
+ * in which case it will cause the freeing of the IP Instance.
+ */
+ connp->conn_netstack = NULL;
+ connp->conn_ixa->ixa_ipst = NULL;
+ netstack_rele(ns);
+ ASSERT(tcps != NULL);
+ tcp->tcp_tcps = NULL;
+
bzero(tcp, sizeof (tcp_t));
/* restore the state */
tcp->tcp_timercache = mp;
tcp->tcp_sack_info = tcp_sack_info;
- tcp->tcp_iphc = tcp_iphc;
- tcp->tcp_iphc_len = tcp_iphc_len;
- tcp->tcp_hdr_grown = tcp_hdr_grown;
tcp->tcp_rsrv_mp = tcp_rsrv_mp;
tcp->tcp_connp = connp;
@@ -1686,7 +1589,7 @@ tcp_cleanup(tcp_t *tcp)
ASSERT(connp->conn_tcp == tcp);
ASSERT(connp->conn_flags & IPCL_TCPCONN);
connp->conn_state_flags = CONN_INCIPIENT;
- ASSERT(connp->conn_ulp == IPPROTO_TCP);
+ ASSERT(connp->conn_proto == IPPROTO_TCP);
ASSERT(connp->conn_ref == 1);
}
@@ -1777,11 +1680,7 @@ tcp_time_wait_collector(void *arg)
/*
* Set the CONDEMNED flag now itself so that
* the refcnt cannot increase due to any
- * walker. But we have still not cleaned up
- * conn_ire_cache. This is still ok since
- * we are going to clean it up in tcp_cleanup
- * immediately and any interface unplumb
- * thread will wait till the ire is blown away
+ * walker.
*/
connp->conn_state_flags |= CONN_CONDEMNED;
mutex_exit(lock);
@@ -1809,7 +1708,7 @@ tcp_time_wait_collector(void *arg)
mutex_exit(
&tcp_time_wait->tcp_time_wait_lock);
tcp_bind_hash_remove(tcp);
- conn_delete_ire(tcp->tcp_connp, NULL);
+ ixa_cleanup(tcp->tcp_connp->conn_ixa);
tcp_ipsec_cleanup(tcp);
CONN_DEC_REF(tcp->tcp_connp);
}
@@ -1839,7 +1738,7 @@ tcp_time_wait_collector(void *arg)
TCP_DEBUG_GETPCSTACK(tcp->tcmp_stk, 15);
mp = &tcp->tcp_closemp;
SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
- tcp_timewait_output, connp,
+ tcp_timewait_output, connp, NULL,
SQ_FILL, SQTAG_TCP_TIMEWAIT);
}
} else {
@@ -1867,7 +1766,7 @@ tcp_time_wait_collector(void *arg)
TCP_DEBUG_GETPCSTACK(tcp->tcmp_stk, 15);
mp = &tcp->tcp_closemp;
SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
- tcp_timewait_output, connp,
+ tcp_timewait_output, connp, NULL,
SQ_FILL, SQTAG_TCP_TIMEWAIT);
}
mutex_enter(&tcp_time_wait->tcp_time_wait_lock);
@@ -1886,24 +1785,23 @@ tcp_time_wait_collector(void *arg)
/*
* Reply to a clients T_CONN_RES TPI message. This function
* is used only for TLI/XTI listener. Sockfs sends T_CONN_RES
- * on the acceptor STREAM and processed in tcp_wput_accept().
- * Read the block comment on top of tcp_conn_request().
+ * on the acceptor STREAM and processed in tcp_accept_common().
+ * Read the block comment on top of tcp_input_listener().
*/
static void
tcp_tli_accept(tcp_t *listener, mblk_t *mp)
{
- tcp_t *acceptor;
- tcp_t *eager;
- tcp_t *tcp;
+ tcp_t *acceptor;
+ tcp_t *eager;
+ tcp_t *tcp;
struct T_conn_res *tcr;
t_uscalar_t acceptor_id;
t_scalar_t seqnum;
- mblk_t *opt_mp = NULL; /* T_OPTMGMT_REQ messages */
- struct tcp_options *tcpopt;
- mblk_t *ok_mp;
- mblk_t *mp1;
+ mblk_t *discon_mp = NULL;
+ mblk_t *ok_mp;
+ mblk_t *mp1;
tcp_stack_t *tcps = listener->tcp_tcps;
- int error;
+ conn_t *econnp;
if ((mp->b_wptr - mp->b_rptr) < sizeof (*tcr)) {
tcp_err_ack(listener, mp, TPROTO, 0);
@@ -1922,8 +1820,8 @@ tcp_tli_accept(tcp_t *listener, mblk_t *mp)
* fanout hash lock is held.
* This prevents any thread from entering the acceptor queue from
* below (since it has not been hard bound yet i.e. any inbound
- * packets will arrive on the listener or default tcp queue and
- * go through tcp_lookup).
+ * packets will arrive on the listener conn_t and
+ * go through the classifier).
* The CONN_INC_REF will prevent the acceptor from closing.
*
* XXX It is still possible for a tli application to send down data
@@ -1974,7 +1872,7 @@ tcp_tli_accept(tcp_t *listener, mblk_t *mp)
} else {
acceptor = tcp_acceptor_hash_lookup(acceptor_id, tcps);
if (acceptor == NULL) {
- if (listener->tcp_debug) {
+ if (listener->tcp_connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"tcp_accept: did not find acceptor 0x%x\n",
@@ -2013,7 +1911,7 @@ tcp_tli_accept(tcp_t *listener, mblk_t *mp)
* Rendezvous with an eager connection request packet hanging off
* 'tcp' that has the 'seqnum' tag. We tagged the detached open
* tcp structure when the connection packet arrived in
- * tcp_conn_request().
+ * tcp_input_listener().
*/
seqnum = tcr->SEQ_number;
eager = listener;
@@ -2047,37 +1945,26 @@ tcp_tli_accept(tcp_t *listener, mblk_t *mp)
*/
ASSERT(eager->tcp_connp->conn_ref >= 1);
- /* Pre allocate the stroptions mblk also */
- opt_mp = allocb(MAX(sizeof (struct tcp_options),
- sizeof (struct T_conn_res)), BPRI_HI);
- if (opt_mp == NULL) {
+ /*
+ * Pre allocate the discon_ind mblk also. tcp_accept_finish will
+ * use it if something failed.
+ */
+ discon_mp = allocb(MAX(sizeof (struct T_discon_ind),
+ sizeof (struct stroptions)), BPRI_HI);
+ if (discon_mp == NULL) {
CONN_DEC_REF(acceptor->tcp_connp);
CONN_DEC_REF(eager->tcp_connp);
tcp_err_ack(listener, mp, TSYSERR, ENOMEM);
return;
}
- DB_TYPE(opt_mp) = M_SETOPTS;
- opt_mp->b_wptr += sizeof (struct tcp_options);
- tcpopt = (struct tcp_options *)opt_mp->b_rptr;
- tcpopt->to_flags = 0;
- /*
- * Prepare for inheriting IPV6_BOUND_IF and IPV6_RECVPKTINFO
- * from listener to acceptor.
- */
- if (listener->tcp_bound_if != 0) {
- tcpopt->to_flags |= TCPOPT_BOUNDIF;
- tcpopt->to_boundif = listener->tcp_bound_if;
- }
- if (listener->tcp_ipv6_recvancillary & TCP_IPV6_RECVPKTINFO) {
- tcpopt->to_flags |= TCPOPT_RECVPKTINFO;
- }
+ econnp = eager->tcp_connp;
- /* Re-use mp1 to hold a copy of mp, in case reallocb fails */
+ /* Hold a copy of mp, in case reallocb fails */
if ((mp1 = copymsg(mp)) == NULL) {
CONN_DEC_REF(acceptor->tcp_connp);
CONN_DEC_REF(eager->tcp_connp);
- freemsg(opt_mp);
+ freemsg(discon_mp);
tcp_err_ack(listener, mp, TSYSERR, ENOMEM);
return;
}
@@ -2093,7 +1980,7 @@ tcp_tli_accept(tcp_t *listener, mblk_t *mp)
{
int extra;
- extra = (eager->tcp_family == AF_INET) ?
+ extra = (econnp->conn_family == AF_INET) ?
sizeof (sin_t) : sizeof (sin6_t);
/*
@@ -2104,7 +1991,7 @@ tcp_tli_accept(tcp_t *listener, mblk_t *mp)
if ((ok_mp = mi_tpi_ok_ack_alloc_extra(mp, extra)) == NULL) {
CONN_DEC_REF(acceptor->tcp_connp);
CONN_DEC_REF(eager->tcp_connp);
- freemsg(opt_mp);
+ freemsg(discon_mp);
/* Original mp has been freed by now, so use mp1 */
tcp_err_ack(listener, mp1, TSYSERR, ENOMEM);
return;
@@ -2114,38 +2001,32 @@ tcp_tli_accept(tcp_t *listener, mblk_t *mp)
switch (extra) {
case sizeof (sin_t): {
- sin_t *sin = (sin_t *)ok_mp->b_wptr;
+ sin_t *sin = (sin_t *)ok_mp->b_wptr;
- ok_mp->b_wptr += extra;
- sin->sin_family = AF_INET;
- sin->sin_port = eager->tcp_lport;
- sin->sin_addr.s_addr =
- eager->tcp_ipha->ipha_src;
- break;
- }
+ ok_mp->b_wptr += extra;
+ sin->sin_family = AF_INET;
+ sin->sin_port = econnp->conn_lport;
+ sin->sin_addr.s_addr = econnp->conn_laddr_v4;
+ break;
+ }
case sizeof (sin6_t): {
- sin6_t *sin6 = (sin6_t *)ok_mp->b_wptr;
+ sin6_t *sin6 = (sin6_t *)ok_mp->b_wptr;
- ok_mp->b_wptr += extra;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_port = eager->tcp_lport;
- if (eager->tcp_ipversion == IPV4_VERSION) {
- sin6->sin6_flowinfo = 0;
- IN6_IPADDR_TO_V4MAPPED(
- eager->tcp_ipha->ipha_src,
- &sin6->sin6_addr);
- } else {
- ASSERT(eager->tcp_ip6h != NULL);
- sin6->sin6_flowinfo =
- eager->tcp_ip6h->ip6_vcf &
- ~IPV6_VERS_AND_FLOW_MASK;
- sin6->sin6_addr =
- eager->tcp_ip6h->ip6_src;
- }
+ ok_mp->b_wptr += extra;
+ sin6->sin6_family = AF_INET6;
+ sin6->sin6_port = econnp->conn_lport;
+ sin6->sin6_addr = econnp->conn_laddr_v6;
+ sin6->sin6_flowinfo = econnp->conn_flowinfo;
+ if (IN6_IS_ADDR_LINKSCOPE(&econnp->conn_laddr_v6) &&
+ (econnp->conn_ixa->ixa_flags & IXAF_SCOPEID_SET)) {
+ sin6->sin6_scope_id =
+ econnp->conn_ixa->ixa_scopeid;
+ } else {
sin6->sin6_scope_id = 0;
- sin6->__sin6_src_id = 0;
- break;
}
+ sin6->__sin6_src_id = 0;
+ break;
+ }
default:
break;
}
@@ -2158,15 +2039,7 @@ tcp_tli_accept(tcp_t *listener, mblk_t *mp)
* the tcp_accept_swap is done since it would be dangerous to
* let the application start using the new fd prior to the swap.
*/
- error = tcp_accept_swap(listener, acceptor, eager);
- if (error != 0) {
- CONN_DEC_REF(acceptor->tcp_connp);
- CONN_DEC_REF(eager->tcp_connp);
- freemsg(ok_mp);
- /* Original mp has been freed by now, so use mp1 */
- tcp_err_ack(listener, mp1, TSYSERR, error);
- return;
- }
+ tcp_accept_swap(listener, acceptor, eager);
/*
* tcp_accept_swap unlinks eager from listener but does not drop
@@ -2244,7 +2117,7 @@ tcp_tli_accept(tcp_t *listener, mblk_t *mp)
/* We no longer need mp1, since all options processing has passed */
freemsg(mp1);
- putnext(listener->tcp_rq, ok_mp);
+ putnext(listener->tcp_connp->conn_rq, ok_mp);
mutex_enter(&listener->tcp_eager_lock);
if (listener->tcp_eager_prev_q0->tcp_conn_def_q0) {
@@ -2305,7 +2178,7 @@ tcp_tli_accept(tcp_t *listener, mblk_t *mp)
listener->tcp_eager_last_q = tcp;
tcp->tcp_eager_next_q = NULL;
mutex_exit(&listener->tcp_eager_lock);
- putnext(tcp->tcp_rq, conn_ind);
+ putnext(tcp->tcp_connp->conn_rq, conn_ind);
} else {
mutex_exit(&listener->tcp_eager_lock);
}
@@ -2318,26 +2191,20 @@ tcp_tli_accept(tcp_t *listener, mblk_t *mp)
*/
finish:
ASSERT(acceptor->tcp_detached);
- ASSERT(tcps->tcps_g_q != NULL);
+ acceptor->tcp_connp->conn_rq = NULL;
ASSERT(!IPCL_IS_NONSTR(acceptor->tcp_connp));
- acceptor->tcp_rq = tcps->tcps_g_q;
- acceptor->tcp_wq = WR(tcps->tcps_g_q);
+ acceptor->tcp_connp->conn_wq = NULL;
(void) tcp_clean_death(acceptor, 0, 2);
CONN_DEC_REF(acceptor->tcp_connp);
/*
- * In case we already received a FIN we have to make tcp_rput send
- * the ordrel_ind. This will also send up a window update if the window
- * has opened up.
- *
- * In the normal case of a successful connection acceptance
- * we give the O_T_BIND_REQ to the read side put procedure as an
- * indication that this was just accepted. This tells tcp_rput to
- * pass up any data queued in tcp_rcv_list.
+ * We pass discon_mp to tcp_accept_finish to get on the right squeue.
*
- * In the fringe case where options sent with T_CONN_RES failed and
- * we required, we would be indicating a T_DISCON_IND to blow
- * away this connection.
+ * It will update the setting for sockfs/stream head and also take
+ * care of any data that arrived before accept() wad called.
+ * In case we already received a FIN then tcp_accept_finish will send up
+ * the ordrel. It will also send up a window update if the window
+ * has opened up.
*/
/*
@@ -2346,7 +2213,7 @@ finish:
* and is well know but nothing can be done short of major rewrite
* to fix it. Now it is possible to take care of it by assigning TLI/XTI
* eager same squeue as listener (we can distinguish non socket
- * listeners at the time of handling a SYN in tcp_conn_request)
+ * listeners at the time of handling a SYN in tcp_input_listener)
* and do most of the work that tcp_accept_finish does here itself
* and then get behind the acceptor squeue to access the acceptor
* queue.
@@ -2354,52 +2221,38 @@ finish:
/*
* We already have a ref on tcp so no need to do one before squeue_enter
*/
- SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, opt_mp, tcp_accept_finish,
- eager->tcp_connp, SQ_FILL, SQTAG_TCP_ACCEPT_FINISH);
+ SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, discon_mp,
+ tcp_accept_finish, eager->tcp_connp, NULL, SQ_FILL,
+ SQTAG_TCP_ACCEPT_FINISH);
}
/*
* Swap information between the eager and acceptor for a TLI/XTI client.
* The sockfs accept is done on the acceptor stream and control goes
- * through tcp_wput_accept() and tcp_accept()/tcp_accept_swap() is not
+ * through tcp_tli_accept() and tcp_accept()/tcp_accept_swap() is not
* called. In either case, both the eager and listener are in their own
* perimeter (squeue) and the code has to deal with potential race.
*
- * See the block comment on top of tcp_accept() and tcp_wput_accept().
+ * See the block comment on top of tcp_accept() and tcp_tli_accept().
*/
-static int
+static void
tcp_accept_swap(tcp_t *listener, tcp_t *acceptor, tcp_t *eager)
{
conn_t *econnp, *aconnp;
- cred_t *effective_cred = NULL;
- ASSERT(eager->tcp_rq == listener->tcp_rq);
+ ASSERT(eager->tcp_connp->conn_rq == listener->tcp_connp->conn_rq);
ASSERT(eager->tcp_detached && !acceptor->tcp_detached);
- ASSERT(!eager->tcp_hard_bound);
ASSERT(!TCP_IS_SOCKET(acceptor));
ASSERT(!TCP_IS_SOCKET(eager));
ASSERT(!TCP_IS_SOCKET(listener));
- econnp = eager->tcp_connp;
- aconnp = acceptor->tcp_connp;
-
/*
* Trusted Extensions may need to use a security label that is
* different from the acceptor's label on MLP and MAC-Exempt
* sockets. If this is the case, the required security label
- * already exists in econnp->conn_effective_cred. Use this label
- * to generate a new effective cred for the acceptor.
- *
- * We allow for potential application level retry attempts by
- * checking for transient errors before modifying eager.
+ * already exists in econnp->conn_ixa->ixa_tsl. Since we make the
+ * acceptor stream refer to econnp we atomatically get that label.
*/
- if (is_system_labeled() &&
- aconnp->conn_cred != NULL && econnp->conn_effective_cred != NULL) {
- effective_cred = copycred_from_tslabel(aconnp->conn_cred,
- crgetlabel(econnp->conn_effective_cred), KM_NOSLEEP);
- if (effective_cred == NULL)
- return (ENOMEM);
- }
acceptor->tcp_detached = B_TRUE;
/*
@@ -2416,18 +2269,20 @@ tcp_accept_swap(tcp_t *listener, tcp_t *acceptor, tcp_t *eager)
ASSERT(eager->tcp_eager_next_q0 == NULL &&
eager->tcp_eager_prev_q0 == NULL);
mutex_exit(&listener->tcp_eager_lock);
- eager->tcp_rq = acceptor->tcp_rq;
- eager->tcp_wq = acceptor->tcp_wq;
- eager->tcp_rq->q_ptr = econnp;
- eager->tcp_wq->q_ptr = econnp;
+ econnp = eager->tcp_connp;
+ aconnp = acceptor->tcp_connp;
+ econnp->conn_rq = aconnp->conn_rq;
+ econnp->conn_wq = aconnp->conn_wq;
+ econnp->conn_rq->q_ptr = econnp;
+ econnp->conn_wq->q_ptr = econnp;
/*
* In the TLI/XTI loopback case, we are inside the listener's squeue,
* which might be a different squeue from our peer TCP instance.
* For TCP Fusion, the peer expects that whenever tcp_detached is
* clear, our TCP queues point to the acceptor's queues. Thus, use
- * membar_producer() to ensure that the assignments of tcp_rq/tcp_wq
+ * membar_producer() to ensure that the assignments of conn_rq/conn_wq
* above reach global visibility prior to the clearing of tcp_detached.
*/
membar_producer();
@@ -2439,419 +2294,187 @@ tcp_accept_swap(tcp_t *listener, tcp_t *acceptor, tcp_t *eager)
econnp->conn_minor_arena = aconnp->conn_minor_arena;
ASSERT(econnp->conn_minor_arena != NULL);
- if (eager->tcp_cred != NULL)
- crfree(eager->tcp_cred);
- eager->tcp_cred = econnp->conn_cred = aconnp->conn_cred;
- if (econnp->conn_effective_cred != NULL)
- crfree(econnp->conn_effective_cred);
- econnp->conn_effective_cred = effective_cred;
+ if (econnp->conn_cred != NULL)
+ crfree(econnp->conn_cred);
+ econnp->conn_cred = aconnp->conn_cred;
aconnp->conn_cred = NULL;
- ASSERT(aconnp->conn_effective_cred == NULL);
-
+ econnp->conn_cpid = aconnp->conn_cpid;
ASSERT(econnp->conn_netstack == aconnp->conn_netstack);
ASSERT(eager->tcp_tcps == acceptor->tcp_tcps);
econnp->conn_zoneid = aconnp->conn_zoneid;
econnp->conn_allzones = aconnp->conn_allzones;
+ econnp->conn_ixa->ixa_zoneid = aconnp->conn_ixa->ixa_zoneid;
+ econnp->conn_mac_mode = aconnp->conn_mac_mode;
+ econnp->conn_zone_is_global = aconnp->conn_zone_is_global;
aconnp->conn_mac_mode = CONN_MAC_DEFAULT;
/* Do the IPC initialization */
CONN_INC_REF(econnp);
- econnp->conn_multicast_loop = aconnp->conn_multicast_loop;
- econnp->conn_af_isv6 = aconnp->conn_af_isv6;
- econnp->conn_pkt_isv6 = aconnp->conn_pkt_isv6;
+ econnp->conn_family = aconnp->conn_family;
+ econnp->conn_ipversion = aconnp->conn_ipversion;
/* Done with old IPC. Drop its ref on its connp */
CONN_DEC_REF(aconnp);
- return (0);
}
/*
* Adapt to the information, such as rtt and rtt_sd, provided from the
- * ire cached in conn_cache_ire. If no ire cached, do a ire lookup.
+ * DCE and IRE maintained by IP.
*
* Checks for multicast and broadcast destination address.
- * Returns zero on failure; non-zero if ok.
+ * Returns zero if ok; an errno on failure.
*
* Note that the MSS calculation here is based on the info given in
- * the IRE. We do not do any calculation based on TCP options. They
- * will be handled in tcp_rput_other() and tcp_rput_data() when TCP
- * knows which options to use.
+ * the DCE and IRE. We do not do any calculation based on TCP options. They
+ * will be handled in tcp_input_data() when TCP knows which options to use.
*
* Note on how TCP gets its parameters for a connection.
*
* When a tcp_t structure is allocated, it gets all the default parameters.
- * In tcp_adapt_ire(), it gets those metric parameters, like rtt, rtt_sd,
+ * In tcp_set_destination(), it gets those metric parameters, like rtt, rtt_sd,
* spipe, rpipe, ... from the route metrics. Route metric overrides the
* default.
*
- * An incoming SYN with a multicast or broadcast destination address, is dropped
- * in 1 of 2 places.
- *
- * 1. If the packet was received over the wire it is dropped in
- * ip_rput_process_broadcast()
- *
- * 2. If the packet was received through internal IP loopback, i.e. the packet
- * was generated and received on the same machine, it is dropped in
- * ip_wput_local()
+ * An incoming SYN with a multicast or broadcast destination address is dropped
+ * in ip_fanout_v4/v6.
*
* An incoming SYN with a multicast or broadcast source address is always
- * dropped in tcp_adapt_ire. The same logic in tcp_adapt_ire also serves to
+ * dropped in tcp_set_destination, since IPDF_ALLOW_MCBC is not set in
+ * conn_connect.
+ * The same logic in tcp_set_destination also serves to
* reject an attempt to connect to a broadcast or multicast (destination)
* address.
*/
static int
-tcp_adapt_ire(tcp_t *tcp, mblk_t *ire_mp)
+tcp_set_destination(tcp_t *tcp)
{
- ire_t *ire;
- ire_t *sire = NULL;
- iulp_t *ire_uinfo = NULL;
uint32_t mss_max;
uint32_t mss;
boolean_t tcp_detached = TCP_IS_DETACHED(tcp);
conn_t *connp = tcp->tcp_connp;
- boolean_t ire_cacheable = B_FALSE;
- zoneid_t zoneid = connp->conn_zoneid;
- int match_flags = MATCH_IRE_RECURSIVE | MATCH_IRE_DEFAULT |
- MATCH_IRE_SECATTR;
- ts_label_t *tsl = crgetlabel(CONN_CRED(connp));
- ill_t *ill = NULL;
- boolean_t incoming = (ire_mp == NULL);
tcp_stack_t *tcps = tcp->tcp_tcps;
- ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
-
- ASSERT(connp->conn_ire_cache == NULL);
-
- if (tcp->tcp_ipversion == IPV4_VERSION) {
+ iulp_t uinfo;
+ int error;
+ uint32_t flags;
- if (CLASSD(tcp->tcp_connp->conn_rem)) {
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
- return (0);
- }
- /*
- * If IP_NEXTHOP is set, then look for an IRE_CACHE
- * for the destination with the nexthop as gateway.
- * ire_ctable_lookup() is used because this particular
- * ire, if it exists, will be marked private.
- * If that is not available, use the interface ire
- * for the nexthop.
- *
- * TSol: tcp_update_label will detect label mismatches based
- * only on the destination's label, but that would not
- * detect label mismatches based on the security attributes
- * of routes or next hop gateway. Hence we need to pass the
- * label to ire_ftable_lookup below in order to locate the
- * right prefix (and/or) ire cache. Similarly we also need
- * pass the label to the ire_cache_lookup below to locate
- * the right ire that also matches on the label.
- */
- if (tcp->tcp_connp->conn_nexthop_set) {
- ire = ire_ctable_lookup(tcp->tcp_connp->conn_rem,
- tcp->tcp_connp->conn_nexthop_v4, 0, NULL, zoneid,
- tsl, MATCH_IRE_MARK_PRIVATE_ADDR | MATCH_IRE_GW,
- ipst);
- if (ire == NULL) {
- ire = ire_ftable_lookup(
- tcp->tcp_connp->conn_nexthop_v4,
- 0, 0, IRE_INTERFACE, NULL, NULL, zoneid, 0,
- tsl, match_flags, ipst);
- if (ire == NULL)
- return (0);
- } else {
- ire_uinfo = &ire->ire_uinfo;
- }
- } else {
- ire = ire_cache_lookup(tcp->tcp_connp->conn_rem,
- zoneid, tsl, ipst);
- if (ire != NULL) {
- ire_cacheable = B_TRUE;
- ire_uinfo = (ire_mp != NULL) ?
- &((ire_t *)ire_mp->b_rptr)->ire_uinfo:
- &ire->ire_uinfo;
+ flags = IPDF_LSO | IPDF_ZCOPY;
+ /*
+ * Make sure we have a dce for the destination to avoid dce_ident
+ * contention for connected sockets.
+ */
+ flags |= IPDF_UNIQUE_DCE;
- } else {
- if (ire_mp == NULL) {
- ire = ire_ftable_lookup(
- tcp->tcp_connp->conn_rem,
- 0, 0, 0, NULL, &sire, zoneid, 0,
- tsl, (MATCH_IRE_RECURSIVE |
- MATCH_IRE_DEFAULT), ipst);
- if (ire == NULL)
- return (0);
- ire_uinfo = (sire != NULL) ?
- &sire->ire_uinfo :
- &ire->ire_uinfo;
- } else {
- ire = (ire_t *)ire_mp->b_rptr;
- ire_uinfo =
- &((ire_t *)
- ire_mp->b_rptr)->ire_uinfo;
- }
- }
- }
- ASSERT(ire != NULL);
+ if (!tcps->tcps_ignore_path_mtu)
+ connp->conn_ixa->ixa_flags |= IXAF_PMTU_DISCOVERY;
- if ((ire->ire_src_addr == INADDR_ANY) ||
- (ire->ire_type & IRE_BROADCAST)) {
- /*
- * ire->ire_mp is non null when ire_mp passed in is used
- * ire->ire_mp is set in ip_bind_insert_ire[_v6]().
- */
- if (ire->ire_mp == NULL)
- ire_refrele(ire);
- if (sire != NULL)
- ire_refrele(sire);
- return (0);
- }
-
- if (tcp->tcp_ipha->ipha_src == INADDR_ANY) {
- ipaddr_t src_addr;
+ /* Use conn_lock to satify ASSERT; tcp is already serialized */
+ mutex_enter(&connp->conn_lock);
+ error = conn_connect(connp, &uinfo, flags);
+ mutex_exit(&connp->conn_lock);
+ if (error != 0)
+ return (error);
- /*
- * ip_bind_connected() has stored the correct source
- * address in conn_src.
- */
- src_addr = tcp->tcp_connp->conn_src;
- tcp->tcp_ipha->ipha_src = src_addr;
- /*
- * Copy of the src addr. in tcp_t is needed
- * for the lookup funcs.
- */
- IN6_IPADDR_TO_V4MAPPED(src_addr, &tcp->tcp_ip_src_v6);
- }
- /*
- * Set the fragment bit so that IP will tell us if the MTU
- * should change. IP tells us the latest setting of
- * ip_path_mtu_discovery through ire_frag_flag.
- */
- if (ipst->ips_ip_path_mtu_discovery) {
- tcp->tcp_ipha->ipha_fragment_offset_and_flags =
- htons(IPH_DF);
- }
- /*
- * If ire_uinfo is NULL, this is the IRE_INTERFACE case
- * for IP_NEXTHOP. No cache ire has been found for the
- * destination and we are working with the nexthop's
- * interface ire. Since we need to forward all packets
- * to the nexthop first, we "blindly" set tcp_localnet
- * to false, eventhough the destination may also be
- * onlink.
- */
- if (ire_uinfo == NULL)
- tcp->tcp_localnet = 0;
- else
- tcp->tcp_localnet = (ire->ire_gateway_addr == 0);
- } else {
- /*
- * For incoming connection ire_mp = NULL
- * For outgoing connection ire_mp != NULL
- * Technically we should check conn_incoming_ill
- * when ire_mp is NULL and conn_outgoing_ill when
- * ire_mp is non-NULL. But this is performance
- * critical path and for IPV*_BOUND_IF, outgoing
- * and incoming ill are always set to the same value.
- */
- ill_t *dst_ill = NULL;
- ipif_t *dst_ipif = NULL;
+ error = tcp_build_hdrs(tcp);
+ if (error != 0)
+ return (error);
- ASSERT(connp->conn_outgoing_ill == connp->conn_incoming_ill);
+ tcp->tcp_localnet = uinfo.iulp_localnet;
- if (connp->conn_outgoing_ill != NULL) {
- /* Outgoing or incoming path */
- int err;
+ if (uinfo.iulp_rtt != 0) {
+ clock_t rto;
- dst_ill = conn_get_held_ill(connp,
- &connp->conn_outgoing_ill, &err);
- if (err == ILL_LOOKUP_FAILED || dst_ill == NULL) {
- ip1dbg(("tcp_adapt_ire: ill_lookup failed\n"));
- return (0);
- }
- match_flags |= MATCH_IRE_ILL;
- dst_ipif = dst_ill->ill_ipif;
- }
- ire = ire_ctable_lookup_v6(&tcp->tcp_connp->conn_remv6,
- 0, 0, dst_ipif, zoneid, tsl, match_flags, ipst);
+ tcp->tcp_rtt_sa = uinfo.iulp_rtt;
+ tcp->tcp_rtt_sd = uinfo.iulp_rtt_sd;
+ rto = (tcp->tcp_rtt_sa >> 3) + tcp->tcp_rtt_sd +
+ tcps->tcps_rexmit_interval_extra +
+ (tcp->tcp_rtt_sa >> 5);
- if (ire != NULL) {
- ire_cacheable = B_TRUE;
- ire_uinfo = (ire_mp != NULL) ?
- &((ire_t *)ire_mp->b_rptr)->ire_uinfo:
- &ire->ire_uinfo;
+ if (rto > tcps->tcps_rexmit_interval_max) {
+ tcp->tcp_rto = tcps->tcps_rexmit_interval_max;
+ } else if (rto < tcps->tcps_rexmit_interval_min) {
+ tcp->tcp_rto = tcps->tcps_rexmit_interval_min;
} else {
- if (ire_mp == NULL) {
- ire = ire_ftable_lookup_v6(
- &tcp->tcp_connp->conn_remv6,
- 0, 0, 0, dst_ipif, &sire, zoneid,
- 0, tsl, match_flags, ipst);
- if (ire == NULL) {
- if (dst_ill != NULL)
- ill_refrele(dst_ill);
- return (0);
- }
- ire_uinfo = (sire != NULL) ? &sire->ire_uinfo :
- &ire->ire_uinfo;
- } else {
- ire = (ire_t *)ire_mp->b_rptr;
- ire_uinfo =
- &((ire_t *)ire_mp->b_rptr)->ire_uinfo;
- }
- }
- if (dst_ill != NULL)
- ill_refrele(dst_ill);
-
- ASSERT(ire != NULL);
- ASSERT(ire_uinfo != NULL);
-
- if (IN6_IS_ADDR_UNSPECIFIED(&ire->ire_src_addr_v6) ||
- IN6_IS_ADDR_MULTICAST(&ire->ire_addr_v6)) {
- /*
- * ire->ire_mp is non null when ire_mp passed in is used
- * ire->ire_mp is set in ip_bind_insert_ire[_v6]().
- */
- if (ire->ire_mp == NULL)
- ire_refrele(ire);
- if (sire != NULL)
- ire_refrele(sire);
- return (0);
+ tcp->tcp_rto = rto;
}
-
- if (IN6_IS_ADDR_UNSPECIFIED(&tcp->tcp_ip6h->ip6_src)) {
- in6_addr_t src_addr;
-
- /*
- * ip_bind_connected_v6() has stored the correct source
- * address per IPv6 addr. selection policy in
- * conn_src_v6.
- */
- src_addr = tcp->tcp_connp->conn_srcv6;
-
- tcp->tcp_ip6h->ip6_src = src_addr;
- /*
- * Copy of the src addr. in tcp_t is needed
- * for the lookup funcs.
- */
- tcp->tcp_ip_src_v6 = src_addr;
- ASSERT(IN6_ARE_ADDR_EQUAL(&tcp->tcp_ip6h->ip6_src,
- &connp->conn_srcv6));
+ }
+ if (uinfo.iulp_ssthresh != 0)
+ tcp->tcp_cwnd_ssthresh = uinfo.iulp_ssthresh;
+ else
+ tcp->tcp_cwnd_ssthresh = TCP_MAX_LARGEWIN;
+ if (uinfo.iulp_spipe > 0) {
+ connp->conn_sndbuf = MIN(uinfo.iulp_spipe,
+ tcps->tcps_max_buf);
+ if (tcps->tcps_snd_lowat_fraction != 0) {
+ connp->conn_sndlowat = connp->conn_sndbuf /
+ tcps->tcps_snd_lowat_fraction;
}
- tcp->tcp_localnet =
- IN6_IS_ADDR_UNSPECIFIED(&ire->ire_gateway_addr_v6);
+ (void) tcp_maxpsz_set(tcp, B_TRUE);
}
-
/*
- * This allows applications to fail quickly when connections are made
- * to dead hosts. Hosts can be labeled dead by adding a reject route
- * with both the RTF_REJECT and RTF_PRIVATE flags set.
+ * Note that up till now, acceptor always inherits receive
+ * window from the listener. But if there is a metrics
+ * associated with a host, we should use that instead of
+ * inheriting it from listener. Thus we need to pass this
+ * info back to the caller.
*/
- if ((ire->ire_flags & RTF_REJECT) &&
- (ire->ire_flags & RTF_PRIVATE))
- goto error;
+ if (uinfo.iulp_rpipe > 0) {
+ tcp->tcp_rwnd = MIN(uinfo.iulp_rpipe,
+ tcps->tcps_max_buf);
+ }
+
+ if (uinfo.iulp_rtomax > 0) {
+ tcp->tcp_second_timer_threshold =
+ uinfo.iulp_rtomax;
+ }
/*
- * Make use of the cached rtt and rtt_sd values to calculate the
- * initial RTO. Note that they are already initialized in
- * tcp_init_values().
- * If ire_uinfo is NULL, i.e., we do not have a cache ire for
- * IP_NEXTHOP, but instead are using the interface ire for the
- * nexthop, then we do not use the ire_uinfo from that ire to
- * do any initializations.
+ * Use the metric option settings, iulp_tstamp_ok and
+ * iulp_wscale_ok, only for active open. What this means
+ * is that if the other side uses timestamp or window
+ * scale option, TCP will also use those options. That
+ * is for passive open. If the application sets a
+ * large window, window scale is enabled regardless of
+ * the value in iulp_wscale_ok. This is the behavior
+ * since 2.6. So we keep it.
+ * The only case left in passive open processing is the
+ * check for SACK.
+ * For ECN, it should probably be like SACK. But the
+ * current value is binary, so we treat it like the other
+ * cases. The metric only controls active open.For passive
+ * open, the ndd param, tcp_ecn_permitted, controls the
+ * behavior.
*/
- if (ire_uinfo != NULL) {
- if (ire_uinfo->iulp_rtt != 0) {
- clock_t rto;
-
- tcp->tcp_rtt_sa = ire_uinfo->iulp_rtt;
- tcp->tcp_rtt_sd = ire_uinfo->iulp_rtt_sd;
- rto = (tcp->tcp_rtt_sa >> 3) + tcp->tcp_rtt_sd +
- tcps->tcps_rexmit_interval_extra +
- (tcp->tcp_rtt_sa >> 5);
-
- if (rto > tcps->tcps_rexmit_interval_max) {
- tcp->tcp_rto = tcps->tcps_rexmit_interval_max;
- } else if (rto < tcps->tcps_rexmit_interval_min) {
- tcp->tcp_rto = tcps->tcps_rexmit_interval_min;
- } else {
- tcp->tcp_rto = rto;
- }
- }
- if (ire_uinfo->iulp_ssthresh != 0)
- tcp->tcp_cwnd_ssthresh = ire_uinfo->iulp_ssthresh;
- else
- tcp->tcp_cwnd_ssthresh = TCP_MAX_LARGEWIN;
- if (ire_uinfo->iulp_spipe > 0) {
- tcp->tcp_xmit_hiwater = MIN(ire_uinfo->iulp_spipe,
- tcps->tcps_max_buf);
- if (tcps->tcps_snd_lowat_fraction != 0)
- tcp->tcp_xmit_lowater = tcp->tcp_xmit_hiwater /
- tcps->tcps_snd_lowat_fraction;
- (void) tcp_maxpsz_set(tcp, B_TRUE);
- }
+ if (!tcp_detached) {
/*
- * Note that up till now, acceptor always inherits receive
- * window from the listener. But if there is a metrics
- * associated with a host, we should use that instead of
- * inheriting it from listener. Thus we need to pass this
- * info back to the caller.
+ * The if check means that the following can only
+ * be turned on by the metrics only IRE, but not off.
*/
- if (ire_uinfo->iulp_rpipe > 0) {
- tcp->tcp_rwnd = MIN(ire_uinfo->iulp_rpipe,
- tcps->tcps_max_buf);
- }
-
- if (ire_uinfo->iulp_rtomax > 0) {
- tcp->tcp_second_timer_threshold =
- ire_uinfo->iulp_rtomax;
- }
-
+ if (uinfo.iulp_tstamp_ok)
+ tcp->tcp_snd_ts_ok = B_TRUE;
+ if (uinfo.iulp_wscale_ok)
+ tcp->tcp_snd_ws_ok = B_TRUE;
+ if (uinfo.iulp_sack == 2)
+ tcp->tcp_snd_sack_ok = B_TRUE;
+ if (uinfo.iulp_ecn_ok)
+ tcp->tcp_ecn_ok = B_TRUE;
+ } else {
/*
- * Use the metric option settings, iulp_tstamp_ok and
- * iulp_wscale_ok, only for active open. What this means
- * is that if the other side uses timestamp or window
- * scale option, TCP will also use those options. That
- * is for passive open. If the application sets a
- * large window, window scale is enabled regardless of
- * the value in iulp_wscale_ok. This is the behavior
- * since 2.6. So we keep it.
- * The only case left in passive open processing is the
- * check for SACK.
- * For ECN, it should probably be like SACK. But the
- * current value is binary, so we treat it like the other
- * cases. The metric only controls active open.For passive
- * open, the ndd param, tcp_ecn_permitted, controls the
- * behavior.
+ * Passive open.
+ *
+ * As above, the if check means that SACK can only be
+ * turned on by the metric only IRE.
*/
- if (!tcp_detached) {
- /*
- * The if check means that the following can only
- * be turned on by the metrics only IRE, but not off.
- */
- if (ire_uinfo->iulp_tstamp_ok)
- tcp->tcp_snd_ts_ok = B_TRUE;
- if (ire_uinfo->iulp_wscale_ok)
- tcp->tcp_snd_ws_ok = B_TRUE;
- if (ire_uinfo->iulp_sack == 2)
- tcp->tcp_snd_sack_ok = B_TRUE;
- if (ire_uinfo->iulp_ecn_ok)
- tcp->tcp_ecn_ok = B_TRUE;
- } else {
- /*
- * Passive open.
- *
- * As above, the if check means that SACK can only be
- * turned on by the metric only IRE.
- */
- if (ire_uinfo->iulp_sack > 0) {
- tcp->tcp_snd_sack_ok = B_TRUE;
- }
+ if (uinfo.iulp_sack > 0) {
+ tcp->tcp_snd_sack_ok = B_TRUE;
}
}
-
/*
- * XXX: Note that currently, ire_max_frag can be as small as 68
+ * XXX Note that currently, iulp_mtu can be as small as 68
* because of PMTUd. So tcp_mss may go to negative if combined
* length of all those options exceeds 28 bytes. But because
* of the tcp_mss_min check below, we may not have a problem if
@@ -2864,31 +2487,15 @@ tcp_adapt_ire(tcp_t *tcp, mblk_t *ire_mp)
* We do not deal with that now. All those problems related to
* PMTUd will be fixed later.
*/
- ASSERT(ire->ire_max_frag != 0);
- mss = tcp->tcp_if_mtu = ire->ire_max_frag;
- if (tcp->tcp_ipp_fields & IPPF_USE_MIN_MTU) {
- if (tcp->tcp_ipp_use_min_mtu == IPV6_USE_MIN_MTU_NEVER) {
- mss = MIN(mss, IPV6_MIN_MTU);
- }
- }
+ ASSERT(uinfo.iulp_mtu != 0);
+ mss = tcp->tcp_initial_pmtu = uinfo.iulp_mtu;
/* Sanity check for MSS value. */
- if (tcp->tcp_ipversion == IPV4_VERSION)
+ if (connp->conn_ipversion == IPV4_VERSION)
mss_max = tcps->tcps_mss_max_ipv4;
else
mss_max = tcps->tcps_mss_max_ipv6;
- if (tcp->tcp_ipversion == IPV6_VERSION &&
- (ire->ire_frag_flag & IPH_FRAG_HDR)) {
- /*
- * After receiving an ICMPv6 "packet too big" message with a
- * MTU < 1280, and for multirouted IPv6 packets, the IP layer
- * will insert a 8-byte fragment header in every packet; we
- * reduce the MSS by that amount here.
- */
- mss -= sizeof (ip6_frag_t);
- }
-
if (tcp->tcp_ipsec_overhead == 0)
tcp->tcp_ipsec_overhead = conn_ipsec_length(connp);
@@ -2903,71 +2510,28 @@ tcp_adapt_ire(tcp_t *tcp, mblk_t *ire_mp)
tcp->tcp_mss = mss;
/*
+ * Update the tcp connection with LSO capability.
+ */
+ tcp_update_lso(tcp, connp->conn_ixa);
+
+ /*
* Initialize the ISS here now that we have the full connection ID.
* The RFC 1948 method of initial sequence number generation requires
* knowledge of the full connection ID before setting the ISS.
*/
-
tcp_iss_init(tcp);
- if (ire->ire_type & (IRE_LOOPBACK | IRE_LOCAL))
- tcp->tcp_loopback = B_TRUE;
-
- if (sire != NULL)
- IRE_REFRELE(sire);
-
- /*
- * If we got an IRE_CACHE and an ILL, go through their properties;
- * otherwise, this is deferred until later when we have an IRE_CACHE.
- */
- if (tcp->tcp_loopback ||
- (ire_cacheable && (ill = ire_to_ill(ire)) != NULL)) {
- /*
- * For incoming, see if this tcp may be MDT-capable. For
- * outgoing, this process has been taken care of through
- * tcp_rput_other.
- */
- tcp_ire_ill_check(tcp, ire, ill, incoming);
- tcp->tcp_ire_ill_check_done = B_TRUE;
- }
+ tcp->tcp_loopback = (uinfo.iulp_loopback | uinfo.iulp_local);
- mutex_enter(&connp->conn_lock);
/*
* Make sure that conn is not marked incipient
* for incoming connections. A blind
* removal of incipient flag is cheaper than
* check and removal.
*/
+ mutex_enter(&connp->conn_lock);
connp->conn_state_flags &= ~CONN_INCIPIENT;
-
- /*
- * Must not cache forwarding table routes
- * or recache an IRE after the conn_t has
- * had conn_ire_cache cleared and is flagged
- * unusable, (see the CONN_CACHE_IRE() macro).
- */
- if (ire_cacheable && CONN_CACHE_IRE(connp)) {
- rw_enter(&ire->ire_bucket->irb_lock, RW_READER);
- if (!(ire->ire_marks & IRE_MARK_CONDEMNED)) {
- connp->conn_ire_cache = ire;
- IRE_UNTRACE_REF(ire);
- rw_exit(&ire->ire_bucket->irb_lock);
- mutex_exit(&connp->conn_lock);
- return (1);
- }
- rw_exit(&ire->ire_bucket->irb_lock);
- }
mutex_exit(&connp->conn_lock);
-
- if (ire->ire_mp == NULL)
- ire_refrele(ire);
- return (1);
-
-error:
- if (ire->ire_mp == NULL)
- ire_refrele(ire);
- if (sire != NULL)
- ire_refrele(sire);
return (0);
}
@@ -3001,7 +2565,7 @@ tcp_tpi_bind(tcp_t *tcp, mblk_t *mp)
ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <= (uintptr_t)INT_MAX);
if ((mp->b_wptr - mp->b_rptr) < sizeof (*tbr)) {
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_ERROR|SL_TRACE,
"tcp_tpi_bind: bad req, len %u",
(uint_t)(mp->b_wptr - mp->b_rptr));
@@ -3010,7 +2574,7 @@ tcp_tpi_bind(tcp_t *tcp, mblk_t *mp)
return;
}
/* Make sure the largest address fits */
- mp1 = reallocb(mp, sizeof (struct T_bind_ack) + sizeof (sin6_t) + 1, 1);
+ mp1 = reallocb(mp, sizeof (struct T_bind_ack) + sizeof (sin6_t), 1);
if (mp1 == NULL) {
tcp_err_ack(tcp, mp, TSYSERR, ENOMEM);
return;
@@ -3024,7 +2588,7 @@ tcp_tpi_bind(tcp_t *tcp, mblk_t *mp)
switch (len) {
case 0: /* request for a generic port */
tbr->ADDR_offset = sizeof (struct T_bind_req);
- if (tcp->tcp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
tbr->ADDR_length = sizeof (sin_t);
sin = (sin_t *)&tbr[1];
*sin = sin_null;
@@ -3033,7 +2597,7 @@ tcp_tpi_bind(tcp_t *tcp, mblk_t *mp)
len = sizeof (sin_t);
mp->b_wptr = (uchar_t *)&sin[1];
} else {
- ASSERT(tcp->tcp_family == AF_INET6);
+ ASSERT(connp->conn_family == AF_INET6);
tbr->ADDR_length = sizeof (sin6_t);
sin6 = (sin6_t *)&tbr[1];
*sin6 = sin6_null;
@@ -3055,7 +2619,7 @@ tcp_tpi_bind(tcp_t *tcp, mblk_t *mp)
break;
default:
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_ERROR|SL_TRACE,
"tcp_tpi_bind: bad address length, %d",
tbr->ADDR_length);
@@ -3080,16 +2644,16 @@ done:
/*
* Update port information as sockfs/tpi needs it for checking
*/
- if (tcp->tcp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
sin = (sin_t *)sa;
- sin->sin_port = tcp->tcp_lport;
+ sin->sin_port = connp->conn_lport;
} else {
sin6 = (sin6_t *)sa;
- sin6->sin6_port = tcp->tcp_lport;
+ sin6->sin6_port = connp->conn_lport;
}
mp->b_datap->db_type = M_PCPROTO;
tbr->PRIM_type = T_BIND_ACK;
- putnext(tcp->tcp_rq, mp);
+ putnext(connp->conn_rq, mp);
}
}
@@ -3139,7 +2703,7 @@ tcp_bindi(tcp_t *tcp, in_port_t port, const in6_addr_t *laddr,
* Set loopmax appropriately so that one does not look
* forever in the case all of the anonymous ports are in use.
*/
- if (tcp->tcp_anon_priv_bind) {
+ if (connp->conn_anon_priv_bind) {
/*
* loopmax =
* (IPPORT_RESERVED-1) - tcp_min_anonpriv_port + 1
@@ -3175,7 +2739,7 @@ tcp_bindi(tcp_t *tcp, in_port_t port, const in6_addr_t *laddr,
mutex_enter(&tbf->tf_lock);
for (ltcp = tbf->tf_tcp; ltcp != NULL;
ltcp = ltcp->tcp_bind_hash) {
- if (lport == ltcp->tcp_lport)
+ if (lport == ltcp->tcp_connp->conn_lport)
break;
}
@@ -3191,7 +2755,7 @@ tcp_bindi(tcp_t *tcp, in_port_t port, const in6_addr_t *laddr,
* privilege as being in all zones, as there's
* otherwise no way to identify the right receiver.
*/
- if (!IPCL_BIND_ZONE_MATCH(ltcp->tcp_connp, connp))
+ if (!IPCL_BIND_ZONE_MATCH(lconnp, connp))
continue;
/*
@@ -3227,7 +2791,7 @@ tcp_bindi(tcp_t *tcp, in_port_t port, const in6_addr_t *laddr,
* added.
*
* if (ltcp->tcp_state == TCPS_LISTEN ||
- * !reuseaddr || !ltcp->tcp_reuseaddr) {
+ * !reuseaddr || !lconnp->conn_reuseaddr) {
* ...
* }
*
@@ -3243,17 +2807,18 @@ tcp_bindi(tcp_t *tcp, in_port_t port, const in6_addr_t *laddr,
*/
not_socket = !(TCP_IS_SOCKET(ltcp) &&
TCP_IS_SOCKET(tcp));
- exclbind = ltcp->tcp_exclbind || tcp->tcp_exclbind;
+ exclbind = lconnp->conn_exclbind ||
+ connp->conn_exclbind;
if ((lconnp->conn_mac_mode != CONN_MAC_DEFAULT) ||
(connp->conn_mac_mode != CONN_MAC_DEFAULT) ||
(exclbind && (not_socket ||
ltcp->tcp_state <= TCPS_ESTABLISHED))) {
if (V6_OR_V4_INADDR_ANY(
- ltcp->tcp_bound_source_v6) ||
+ lconnp->conn_bound_addr_v6) ||
V6_OR_V4_INADDR_ANY(*laddr) ||
IN6_ARE_ADDR_EQUAL(laddr,
- &ltcp->tcp_bound_source_v6)) {
+ &lconnp->conn_bound_addr_v6)) {
break;
}
continue;
@@ -3266,7 +2831,7 @@ tcp_bindi(tcp_t *tcp, in_port_t port, const in6_addr_t *laddr,
* specific port. We use the same autoassigned port
* number space for IPv4 and IPv6 sockets.
*/
- if (tcp->tcp_ipversion != ltcp->tcp_ipversion &&
+ if (connp->conn_ipversion != lconnp->conn_ipversion &&
bind_to_req_port_only)
continue;
@@ -3281,9 +2846,9 @@ tcp_bindi(tcp_t *tcp, in_port_t port, const in6_addr_t *laddr,
*/
if (quick_connect &&
(ltcp->tcp_state > TCPS_LISTEN) &&
- ((tcp->tcp_fport != ltcp->tcp_fport) ||
- !IN6_ARE_ADDR_EQUAL(&tcp->tcp_remote_v6,
- &ltcp->tcp_remote_v6)))
+ ((connp->conn_fport != lconnp->conn_fport) ||
+ !IN6_ARE_ADDR_EQUAL(&connp->conn_faddr_v6,
+ &lconnp->conn_faddr_v6)))
continue;
if (!reuseaddr) {
@@ -3299,9 +2864,9 @@ tcp_bindi(tcp_t *tcp, in_port_t port, const in6_addr_t *laddr,
*/
if (!V6_OR_V4_INADDR_ANY(*laddr) &&
!V6_OR_V4_INADDR_ANY(
- ltcp->tcp_bound_source_v6) &&
+ lconnp->conn_bound_addr_v6) &&
!IN6_ARE_ADDR_EQUAL(laddr,
- &ltcp->tcp_bound_source_v6))
+ &lconnp->conn_bound_addr_v6))
continue;
if (ltcp->tcp_state >= TCPS_BOUND) {
/*
@@ -3327,7 +2892,7 @@ tcp_bindi(tcp_t *tcp, in_port_t port, const in6_addr_t *laddr,
* SO_REUSEADDR setting, so we break.
*/
if (IN6_ARE_ADDR_EQUAL(laddr,
- &ltcp->tcp_bound_source_v6) &&
+ &lconnp->conn_bound_addr_v6) &&
(ltcp->tcp_state == TCPS_LISTEN ||
ltcp->tcp_state == TCPS_BOUND))
break;
@@ -3343,11 +2908,10 @@ tcp_bindi(tcp_t *tcp, in_port_t port, const in6_addr_t *laddr,
* number.
*/
tcp->tcp_state = TCPS_BOUND;
- tcp->tcp_lport = htons(port);
- *(uint16_t *)tcp->tcp_tcph->th_lport = tcp->tcp_lport;
+ connp->conn_lport = htons(port);
ASSERT(&tcps->tcps_bind_fanout[TCP_BIND_HASH(
- tcp->tcp_lport)] == tbf);
+ connp->conn_lport)] == tbf);
tcp_bind_hash_insert(tbf, tcp, 1);
mutex_exit(&tbf->tf_lock);
@@ -3364,12 +2928,12 @@ tcp_bindi(tcp_t *tcp, in_port_t port, const in6_addr_t *laddr,
* is updated. After the update, it may or may not
* be in the valid range.
*/
- if (!tcp->tcp_anon_priv_bind)
+ if (!connp->conn_anon_priv_bind)
tcps->tcps_next_port_to_try = port + 1;
return (port);
}
- if (tcp->tcp_anon_priv_bind) {
+ if (connp->conn_anon_priv_bind) {
port = tcp_get_next_priv_port(tcp);
} else {
if (count == 0 && user_specified) {
@@ -3402,12 +2966,13 @@ tcp_bindi(tcp_t *tcp, in_port_t port, const in6_addr_t *laddr,
* tcp_clean_death / tcp_close_detached must not be called more than once
* on a tcp. Thus every function that potentially calls tcp_clean_death
* must check for the tcp state before calling tcp_clean_death.
- * Eg. tcp_input, tcp_rput_data, tcp_eager_kill, tcp_clean_death_wrapper,
+ * Eg. tcp_input_data, tcp_eager_kill, tcp_clean_death_wrapper,
* tcp_timer_handler, all check for the tcp state.
*/
/* ARGSUSED */
void
-tcp_clean_death_wrapper(void *arg, mblk_t *mp, void *arg2)
+tcp_clean_death_wrapper(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy)
{
tcp_t *tcp = ((conn_t *)arg)->conn_tcp;
@@ -3449,11 +3014,11 @@ tcp_clean_death(tcp_t *tcp, int err, uint8_t tag)
}
ASSERT(tcp != NULL);
- ASSERT((tcp->tcp_family == AF_INET &&
- tcp->tcp_ipversion == IPV4_VERSION) ||
- (tcp->tcp_family == AF_INET6 &&
- (tcp->tcp_ipversion == IPV4_VERSION ||
- tcp->tcp_ipversion == IPV6_VERSION)));
+ ASSERT((connp->conn_family == AF_INET &&
+ connp->conn_ipversion == IPV4_VERSION) ||
+ (connp->conn_family == AF_INET6 &&
+ (connp->conn_ipversion == IPV4_VERSION ||
+ connp->conn_ipversion == IPV6_VERSION)));
if (TCP_IS_DETACHED(tcp)) {
if (tcp->tcp_hard_binding) {
@@ -3483,7 +3048,7 @@ tcp_clean_death(tcp_t *tcp, int err, uint8_t tag)
TCP_STAT(tcps, tcp_clean_death_nondetached);
- q = tcp->tcp_rq;
+ q = connp->conn_rq;
/* Trash all inbound data */
if (!IPCL_IS_NONSTR(connp)) {
@@ -3506,7 +3071,7 @@ tcp_clean_death(tcp_t *tcp, int err, uint8_t tag)
*/
(void) putnextctl1(q, M_FLUSH, FLUSHR);
}
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE|SL_ERROR,
"tcp_clean_death: discon err %d", err);
}
@@ -3519,7 +3084,7 @@ tcp_clean_death(tcp_t *tcp, int err, uint8_t tag)
if (mp != NULL) {
putnext(q, mp);
} else {
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"tcp_clean_death, sending M_ERROR");
@@ -3552,6 +3117,7 @@ tcp_stop_lingering(tcp_t *tcp)
{
clock_t delta = 0;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
tcp->tcp_linger_tid = 0;
if (tcp->tcp_state > TCPS_LISTEN) {
@@ -3568,15 +3134,14 @@ tcp_stop_lingering(tcp_t *tcp)
}
/*
* Need to cancel those timers which will not be used when
- * TCP is detached. This has to be done before the tcp_wq
- * is set to the global queue.
+ * TCP is detached. This has to be done before the conn_wq
+ * is cleared.
*/
tcp_timers_stop(tcp);
tcp->tcp_detached = B_TRUE;
- ASSERT(tcps->tcps_g_q != NULL);
- tcp->tcp_rq = tcps->tcps_g_q;
- tcp->tcp_wq = WR(tcps->tcps_g_q);
+ connp->conn_rq = NULL;
+ connp->conn_wq = NULL;
if (tcp->tcp_state == TCPS_TIME_WAIT) {
tcp_time_wait_append(tcp);
@@ -3595,16 +3160,14 @@ tcp_stop_lingering(tcp_t *tcp)
}
} else {
tcp_closei_local(tcp);
- CONN_DEC_REF(tcp->tcp_connp);
+ CONN_DEC_REF(connp);
}
finish:
/* Signal closing thread that it can complete close */
mutex_enter(&tcp->tcp_closelock);
tcp->tcp_detached = B_TRUE;
- ASSERT(tcps->tcps_g_q != NULL);
-
- tcp->tcp_rq = tcps->tcps_g_q;
- tcp->tcp_wq = WR(tcps->tcps_g_q);
+ connp->conn_rq = NULL;
+ connp->conn_wq = NULL;
tcp->tcp_closed = 1;
cv_signal(&tcp->tcp_closecv);
@@ -3636,9 +3199,9 @@ tcp_close_common(conn_t *connp, int flags)
ASSERT(connp->conn_ref >= 2);
/*
- * Mark the conn as closing. ill_pending_mp_add will not
+ * Mark the conn as closing. ipsq_pending_mp_add will not
* add any mp to the pending mp list, after this conn has
- * started closing. Same for sq_pending_mp_add
+ * started closing.
*/
mutex_enter(&connp->conn_lock);
connp->conn_state_flags |= CONN_CLOSING;
@@ -3664,7 +3227,7 @@ tcp_close_common(conn_t *connp, int flags)
TCP_DEBUG_GETPCSTACK(tcp->tcmp_stk, 15);
SQUEUE_ENTER_ONE(connp->conn_sqp, mp, tcp_close_output, connp,
- tcp_squeue_flag, SQTAG_IP_TCP_CLOSE);
+ NULL, tcp_squeue_flag, SQTAG_IP_TCP_CLOSE);
mutex_enter(&tcp->tcp_closelock);
while (!tcp->tcp_closed) {
@@ -3684,13 +3247,13 @@ tcp_close_common(conn_t *connp, int flags)
* thread is higher priority than the squeue worker
* thread and is bound to the same cpu.
*/
- if (tcp->tcp_linger && tcp->tcp_lingertime > 0) {
+ if (connp->conn_linger && connp->conn_lingertime > 0) {
mutex_exit(&tcp->tcp_closelock);
/* Entering squeue, bump ref count. */
CONN_INC_REF(connp);
bp = allocb_wait(0, BPRI_HI, STR_NOSIG, NULL);
SQUEUE_ENTER_ONE(connp->conn_sqp, bp,
- tcp_linger_interrupted, connp,
+ tcp_linger_interrupted, connp, NULL,
tcp_squeue_flag, SQTAG_IP_TCP_CLOSE);
mutex_enter(&tcp->tcp_closelock);
}
@@ -3703,8 +3266,8 @@ tcp_close_common(conn_t *connp, int flags)
/*
* In the case of listener streams that have eagers in the q or q0
- * we wait for the eagers to drop their reference to us. tcp_rq and
- * tcp_wq of the eagers point to our queues. By waiting for the
+ * we wait for the eagers to drop their reference to us. conn_rq and
+ * conn_wq of the eagers point to our queues. By waiting for the
* refcnt to drop to 1, we are sure that the eagers have cleaned
* up their queue pointers and also dropped their references to us.
*/
@@ -3716,13 +3279,12 @@ tcp_close_common(conn_t *connp, int flags)
mutex_exit(&connp->conn_lock);
}
/*
- * ioctl cleanup. The mp is queued in the
- * ill_pending_mp or in the sq_pending_mp.
+ * ioctl cleanup. The mp is queued in the ipx_pending_mp.
*/
if (conn_ioctl_cleanup_reqd)
conn_ioctl_cleanup(connp);
- tcp->tcp_cpid = -1;
+ connp->conn_cpid = NOPID;
}
static int
@@ -3799,7 +3361,7 @@ tcp_tpi_close_accept(queue_t *q)
/* ARGSUSED */
static void
-tcp_linger_interrupted(void *arg, mblk_t *mp, void *arg2)
+tcp_linger_interrupted(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
conn_t *connp = (conn_t *)arg;
tcp_t *tcp = connp->conn_tcp;
@@ -3828,7 +3390,7 @@ tcp_linger_interrupted(void *arg, mblk_t *mp, void *arg2)
/* ARGSUSED */
static void
-tcp_close_output(void *arg, mblk_t *mp, void *arg2)
+tcp_close_output(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
char *msg;
conn_t *connp = (conn_t *)arg;
@@ -3847,10 +3409,6 @@ tcp_close_output(void *arg, mblk_t *mp, void *arg2)
}
mutex_exit(&tcp->tcp_eager_lock);
- connp->conn_mdt_ok = B_FALSE;
- tcp->tcp_mdt = B_FALSE;
-
- connp->conn_lso_ok = B_FALSE;
tcp->tcp_lso = B_FALSE;
msg = NULL;
@@ -3879,12 +3437,11 @@ tcp_close_output(void *arg, mblk_t *mp, void *arg2)
* If SO_LINGER has set a zero linger time, abort the
* connection with a reset.
*/
- if (tcp->tcp_linger && tcp->tcp_lingertime == 0) {
+ if (connp->conn_linger && connp->conn_lingertime == 0) {
msg = "tcp_close, zero lingertime";
break;
}
- ASSERT(tcp->tcp_hard_bound || tcp->tcp_hard_binding);
/*
* Abort connection if there is unread data queued.
*/
@@ -3893,9 +3450,6 @@ tcp_close_output(void *arg, mblk_t *mp, void *arg2)
break;
}
/*
- * tcp_hard_bound is now cleared thus all packets go through
- * tcp_lookup. This fact is used by tcp_detach below.
- *
* We have done a qwait() above which could have possibly
* drained more messages in turn causing transition to a
* different state. Check whether we have to do the rest
@@ -3915,7 +3469,7 @@ tcp_close_output(void *arg, mblk_t *mp, void *arg2)
* If lingering on close then wait until the fin is acked,
* the SO_LINGER time passes, or a reset is sent/received.
*/
- if (tcp->tcp_linger && tcp->tcp_lingertime > 0 &&
+ if (connp->conn_linger && connp->conn_lingertime > 0 &&
!(tcp->tcp_fin_acked) &&
tcp->tcp_state >= TCPS_ESTABLISHED) {
if (tcp->tcp_closeflags & (FNDELAY|FNONBLOCK)) {
@@ -3926,7 +3480,7 @@ tcp_close_output(void *arg, mblk_t *mp, void *arg2)
tcp->tcp_linger_tid = TCP_TIMER(tcp,
tcp_close_linger_timeout,
- tcp->tcp_lingertime * hz);
+ connp->conn_lingertime * hz);
/* tcp_close_linger_timeout will finish close */
if (tcp->tcp_linger_tid == 0)
@@ -3944,8 +3498,8 @@ tcp_close_output(void *arg, mblk_t *mp, void *arg2)
}
/*
- * Make sure that no other thread will access the tcp_rq of
- * this instance (through lookups etc.) as tcp_rq will go
+ * Make sure that no other thread will access the conn_rq of
+ * this instance (through lookups etc.) as conn_rq will go
* away shortly.
*/
tcp_acceptor_hash_remove(tcp);
@@ -3962,8 +3516,8 @@ tcp_close_output(void *arg, mblk_t *mp, void *arg2)
}
/*
* Need to cancel those timers which will not be used when
- * TCP is detached. This has to be done before the tcp_wq
- * is set to the global queue.
+ * TCP is detached. This has to be done before the conn_wq
+ * is set to NULL.
*/
tcp_timers_stop(tcp);
@@ -4004,18 +3558,6 @@ tcp_close_output(void *arg, mblk_t *mp, void *arg2)
ASSERT(connp->conn_ref >= 2);
finish:
- /*
- * Although packets are always processed on the correct
- * tcp's perimeter and access is serialized via squeue's,
- * IP still needs a queue when sending packets in time_wait
- * state so use WR(tcps_g_q) till ip_output() can be
- * changed to deal with just connp. For read side, we
- * could have set tcp_rq to NULL but there are some cases
- * in tcp_rput_data() from early days of this code which
- * do a putnext without checking if tcp is closed. Those
- * need to be identified before both tcp_rq and tcp_wq
- * can be set to NULL and tcps_g_q can disappear forever.
- */
mutex_enter(&tcp->tcp_closelock);
/*
* Don't change the queues in the case of a listener that has
@@ -4024,13 +3566,8 @@ finish:
*/
if (!tcp->tcp_wait_for_eagers) {
tcp->tcp_detached = B_TRUE;
- /*
- * When default queue is closing we set tcps_g_q to NULL
- * after the close is done.
- */
- ASSERT(tcps->tcps_g_q != NULL);
- tcp->tcp_rq = tcps->tcps_g_q;
- tcp->tcp_wq = WR(tcps->tcps_g_q);
+ connp->conn_rq = NULL;
+ connp->conn_wq = NULL;
}
/* Signal tcp_close() to finish closing. */
@@ -4112,8 +3649,7 @@ tcp_timers_stop(tcp_t *tcp)
static void
tcp_closei_local(tcp_t *tcp)
{
- ire_t *ire;
- conn_t *connp = tcp->tcp_connp;
+ conn_t *connp = tcp->tcp_connp;
tcp_stack_t *tcps = tcp->tcp_tcps;
if (!TCP_IS_SOCKET(tcp))
@@ -4138,7 +3674,7 @@ tcp_closei_local(tcp_t *tcp)
* this point, eager will be closed but we
* leave it in listeners eager list so that
* if listener decides to close without doing
- * accept, we can clean this up. In tcp_wput_accept
+ * accept, we can clean this up. In tcp_tli_accept
* we take care of the case of accept on closed
* eager.
*/
@@ -4150,9 +3686,9 @@ tcp_closei_local(tcp_t *tcp)
* listener queue, after we have released our
* reference on the listener
*/
- ASSERT(tcps->tcps_g_q != NULL);
- tcp->tcp_rq = tcps->tcps_g_q;
- tcp->tcp_wq = WR(tcps->tcps_g_q);
+ ASSERT(tcp->tcp_detached);
+ connp->conn_rq = NULL;
+ connp->conn_wq = NULL;
CONN_DEC_REF(listener->tcp_connp);
} else {
mutex_exit(&listener->tcp_eager_lock);
@@ -4185,20 +3721,16 @@ tcp_closei_local(tcp_t *tcp)
*/
if (tcp->tcp_state == TCPS_TIME_WAIT)
(void) tcp_time_wait_remove(tcp, NULL);
- CL_INET_DISCONNECT(connp, tcp);
+ CL_INET_DISCONNECT(connp);
ipcl_hash_remove(connp);
+ ixa_cleanup(connp->conn_ixa);
/*
- * Delete the cached ire in conn_ire_cache and also mark
- * the conn as CONDEMNED
+ * Mark the conn as CONDEMNED
*/
mutex_enter(&connp->conn_lock);
connp->conn_state_flags |= CONN_CONDEMNED;
- ire = connp->conn_ire_cache;
- connp->conn_ire_cache = NULL;
mutex_exit(&connp->conn_lock);
- if (ire != NULL)
- IRE_REFRELE_NOTR(ire);
/* Need to cleanup any pending ioctls */
ASSERT(tcp->tcp_time_wait_next == NULL);
@@ -4227,14 +3759,14 @@ tcp_closei_local(tcp_t *tcp)
void
tcp_free(tcp_t *tcp)
{
- mblk_t *mp;
- ip6_pkt_t *ipp;
+ mblk_t *mp;
+ conn_t *connp = tcp->tcp_connp;
ASSERT(tcp != NULL);
ASSERT(tcp->tcp_ptpahn == NULL && tcp->tcp_acceptor_hash == NULL);
- tcp->tcp_rq = NULL;
- tcp->tcp_wq = NULL;
+ connp->conn_rq = NULL;
+ connp->conn_wq = NULL;
tcp_close_mpp(&tcp->tcp_xmit_head);
tcp_close_mpp(&tcp->tcp_reass_head);
@@ -4281,12 +3813,12 @@ tcp_free(tcp_t *tcp)
tcp->tcp_dstoptslen = 0;
}
ASSERT(tcp->tcp_dstoptslen == 0);
- if (tcp->tcp_rtdstopts != NULL) {
- mi_free(tcp->tcp_rtdstopts);
- tcp->tcp_rtdstopts = NULL;
- tcp->tcp_rtdstoptslen = 0;
+ if (tcp->tcp_rthdrdstopts != NULL) {
+ mi_free(tcp->tcp_rthdrdstopts);
+ tcp->tcp_rthdrdstopts = NULL;
+ tcp->tcp_rthdrdstoptslen = 0;
}
- ASSERT(tcp->tcp_rtdstoptslen == 0);
+ ASSERT(tcp->tcp_rthdrdstoptslen == 0);
if (tcp->tcp_rthdr != NULL) {
mi_free(tcp->tcp_rthdr);
tcp->tcp_rthdr = NULL;
@@ -4294,18 +3826,6 @@ tcp_free(tcp_t *tcp)
}
ASSERT(tcp->tcp_rthdrlen == 0);
- ipp = &tcp->tcp_sticky_ipp;
- if (ipp->ipp_fields & (IPPF_HOPOPTS | IPPF_RTDSTOPTS | IPPF_DSTOPTS |
- IPPF_RTHDR))
- ip6_pkt_free(ipp);
-
- /*
- * Free memory associated with the tcp/ip header template.
- */
-
- if (tcp->tcp_iphc != NULL)
- bzero(tcp->tcp_iphc, tcp->tcp_iphc_len);
-
/*
* Following is really a blowing away a union.
* It happens to have exactly two members of identical size
@@ -4317,17 +3837,19 @@ tcp_free(tcp_t *tcp)
/*
* Put a connection confirmation message upstream built from the
- * address information within 'iph' and 'tcph'. Report our success or failure.
+ * address/flowid information with the conn and iph. Report our success or
+ * failure.
*/
static boolean_t
-tcp_conn_con(tcp_t *tcp, uchar_t *iphdr, tcph_t *tcph, mblk_t *idmp,
- mblk_t **defermp)
+tcp_conn_con(tcp_t *tcp, uchar_t *iphdr, mblk_t *idmp,
+ mblk_t **defermp, ip_recv_attr_t *ira)
{
sin_t sin;
sin6_t sin6;
mblk_t *mp;
char *optp = NULL;
int optlen = 0;
+ conn_t *connp = tcp->tcp_connp;
if (defermp != NULL)
*defermp = NULL;
@@ -4352,20 +3874,19 @@ tcp_conn_con(tcp_t *tcp, uchar_t *iphdr, tcph_t *tcph, mblk_t *idmp,
}
if (IPH_HDR_VERSION(iphdr) == IPV4_VERSION) {
- ipha_t *ipha = (ipha_t *)iphdr;
/* packet is IPv4 */
- if (tcp->tcp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
sin = sin_null;
- sin.sin_addr.s_addr = ipha->ipha_src;
- sin.sin_port = *(uint16_t *)tcph->th_lport;
+ sin.sin_addr.s_addr = connp->conn_faddr_v4;
+ sin.sin_port = connp->conn_fport;
sin.sin_family = AF_INET;
mp = mi_tpi_conn_con(NULL, (char *)&sin,
(int)sizeof (sin_t), optp, optlen);
} else {
sin6 = sin6_null;
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &sin6.sin6_addr);
- sin6.sin6_port = *(uint16_t *)tcph->th_lport;
+ sin6.sin6_addr = connp->conn_faddr_v6;
+ sin6.sin6_port = connp->conn_fport;
sin6.sin6_family = AF_INET6;
mp = mi_tpi_conn_con(NULL, (char *)&sin6,
(int)sizeof (sin6_t), optp, optlen);
@@ -4375,10 +3896,10 @@ tcp_conn_con(tcp_t *tcp, uchar_t *iphdr, tcph_t *tcph, mblk_t *idmp,
ip6_t *ip6h = (ip6_t *)iphdr;
ASSERT(IPH_HDR_VERSION(iphdr) == IPV6_VERSION);
- ASSERT(tcp->tcp_family == AF_INET6);
+ ASSERT(connp->conn_family == AF_INET6);
sin6 = sin6_null;
- sin6.sin6_addr = ip6h->ip6_src;
- sin6.sin6_port = *(uint16_t *)tcph->th_lport;
+ sin6.sin6_addr = connp->conn_faddr_v6;
+ sin6.sin6_port = connp->conn_fport;
sin6.sin6_family = AF_INET6;
sin6.sin6_flowinfo = ip6h->ip6_vcf & ~IPV6_VERS_AND_FLOW_MASK;
mp = mi_tpi_conn_con(NULL, (char *)&sin6,
@@ -4393,16 +3914,16 @@ tcp_conn_con(tcp_t *tcp, uchar_t *iphdr, tcph_t *tcph, mblk_t *idmp,
if (defermp == NULL) {
conn_t *connp = tcp->tcp_connp;
if (IPCL_IS_NONSTR(connp)) {
- cred_t *cr;
- pid_t cpid;
-
- cr = msg_getcred(mp, &cpid);
(*connp->conn_upcalls->su_connected)
- (connp->conn_upper_handle, tcp->tcp_connid, cr,
- cpid);
+ (connp->conn_upper_handle, tcp->tcp_connid,
+ ira->ira_cred, ira->ira_cpid);
freemsg(mp);
} else {
- putnext(tcp->tcp_rq, mp);
+ if (ira->ira_cred != NULL) {
+ /* So that getpeerucred works for TPI sockfs */
+ mblk_setcred(mp, ira->ira_cred, ira->ira_cpid);
+ }
+ putnext(connp->conn_rq, mp);
}
} else {
*defermp = mp;
@@ -4456,7 +3977,7 @@ tcp_drop_q0(tcp_t *tcp)
*/
MAKE_UNDROPPABLE(eager);
- if (tcp->tcp_debug) {
+ if (tcp->tcp_connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 3, SL_TRACE,
"tcp_drop_q0: listen half-open queue (max=%d) overflow"
" (%d pending) on %s, drop one", tcps->tcps_conn_req_max_q0,
@@ -4469,18 +3990,19 @@ tcp_drop_q0(tcp_t *tcp)
/* Put a reference on the conn as we are enqueueing it in the sqeue */
CONN_INC_REF(eager->tcp_connp);
- /* Mark the IRE created for this SYN request temporary */
- tcp_ip_ire_mark_advice(eager);
SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp,
- tcp_clean_death_wrapper, eager->tcp_connp,
+ tcp_clean_death_wrapper, eager->tcp_connp, NULL,
SQ_FILL, SQTAG_TCP_DROP_Q0);
return (B_TRUE);
}
-int
+/*
+ * Handle a SYN on an AF_INET6 socket; can be either IPv4 or IPv6
+ */
+static mblk_t *
tcp_conn_create_v6(conn_t *lconnp, conn_t *connp, mblk_t *mp,
- tcph_t *tcph, uint_t ipvers, mblk_t *idmp)
+ ip_recv_attr_t *ira)
{
tcp_t *ltcp = lconnp->conn_tcp;
tcp_t *tcp = connp->conn_tcp;
@@ -4488,36 +4010,30 @@ tcp_conn_create_v6(conn_t *lconnp, conn_t *connp, mblk_t *mp,
ipha_t *ipha;
ip6_t *ip6h;
sin6_t sin6;
- in6_addr_t v6dst;
- int err;
- int ifindex = 0;
+ uint_t ifindex = ira->ira_ruifindex;
tcp_stack_t *tcps = tcp->tcp_tcps;
- if (ipvers == IPV4_VERSION) {
+ if (ira->ira_flags & IRAF_IS_IPV4) {
ipha = (ipha_t *)mp->b_rptr;
- connp->conn_send = ip_output;
- connp->conn_recv = tcp_input;
-
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst,
- &connp->conn_bound_source_v6);
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &connp->conn_srcv6);
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &connp->conn_remv6);
+ connp->conn_ipversion = IPV4_VERSION;
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &connp->conn_laddr_v6);
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &connp->conn_faddr_v6);
+ connp->conn_saddr_v6 = connp->conn_laddr_v6;
sin6 = sin6_null;
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &sin6.sin6_addr);
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &v6dst);
- sin6.sin6_port = *(uint16_t *)tcph->th_lport;
+ sin6.sin6_addr = connp->conn_faddr_v6;
+ sin6.sin6_port = connp->conn_fport;
sin6.sin6_family = AF_INET6;
- sin6.__sin6_src_id = ip_srcid_find_addr(&v6dst,
- lconnp->conn_zoneid, tcps->tcps_netstack);
- if (tcp->tcp_recvdstaddr) {
+ sin6.__sin6_src_id = ip_srcid_find_addr(&connp->conn_laddr_v6,
+ IPCL_ZONEID(lconnp), tcps->tcps_netstack);
+
+ if (connp->conn_recv_ancillary.crb_recvdstaddr) {
sin6_t sin6d;
sin6d = sin6_null;
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst,
- &sin6d.sin6_addr);
- sin6d.sin6_port = *(uint16_t *)tcph->th_fport;
+ sin6d.sin6_addr = connp->conn_laddr_v6;
+ sin6d.sin6_port = connp->conn_lport;
sin6d.sin6_family = AF_INET;
tpi_mp = mi_tpi_extconn_ind(NULL,
(char *)&sin6d, sizeof (sin6_t),
@@ -4534,24 +4050,18 @@ tcp_conn_create_v6(conn_t *lconnp, conn_t *connp, mblk_t *mp,
} else {
ip6h = (ip6_t *)mp->b_rptr;
- connp->conn_send = ip_output_v6;
- connp->conn_recv = tcp_input;
-
- connp->conn_bound_source_v6 = ip6h->ip6_dst;
- connp->conn_srcv6 = ip6h->ip6_dst;
- connp->conn_remv6 = ip6h->ip6_src;
-
- /* db_cksumstuff is set at ip_fanout_tcp_v6 */
- ifindex = (int)DB_CKSUMSTUFF(mp);
- DB_CKSUMSTUFF(mp) = 0;
+ connp->conn_ipversion = IPV6_VERSION;
+ connp->conn_laddr_v6 = ip6h->ip6_dst;
+ connp->conn_faddr_v6 = ip6h->ip6_src;
+ connp->conn_saddr_v6 = connp->conn_laddr_v6;
sin6 = sin6_null;
- sin6.sin6_addr = ip6h->ip6_src;
- sin6.sin6_port = *(uint16_t *)tcph->th_lport;
+ sin6.sin6_addr = connp->conn_faddr_v6;
+ sin6.sin6_port = connp->conn_fport;
sin6.sin6_family = AF_INET6;
sin6.sin6_flowinfo = ip6h->ip6_vcf & ~IPV6_VERS_AND_FLOW_MASK;
- sin6.__sin6_src_id = ip_srcid_find_addr(&ip6h->ip6_dst,
- lconnp->conn_zoneid, tcps->tcps_netstack);
+ sin6.__sin6_src_id = ip_srcid_find_addr(&connp->conn_laddr_v6,
+ IPCL_ZONEID(lconnp), tcps->tcps_netstack);
if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_src)) {
/* Pass up the scope_id of remote addr */
@@ -4559,13 +4069,16 @@ tcp_conn_create_v6(conn_t *lconnp, conn_t *connp, mblk_t *mp,
} else {
sin6.sin6_scope_id = 0;
}
- if (tcp->tcp_recvdstaddr) {
+ if (connp->conn_recv_ancillary.crb_recvdstaddr) {
sin6_t sin6d;
sin6d = sin6_null;
- sin6.sin6_addr = ip6h->ip6_dst;
- sin6d.sin6_port = *(uint16_t *)tcph->th_fport;
- sin6d.sin6_family = AF_INET;
+ sin6.sin6_addr = connp->conn_laddr_v6;
+ sin6d.sin6_port = connp->conn_lport;
+ sin6d.sin6_family = AF_INET6;
+ if (IN6_IS_ADDR_LINKSCOPE(&connp->conn_laddr_v6))
+ sin6d.sin6_scope_id = ifindex;
+
tpi_mp = mi_tpi_extconn_ind(NULL,
(char *)&sin6d, sizeof (sin6_t),
(char *)&tcp, (t_scalar_t)sizeof (intptr_t),
@@ -4579,194 +4092,40 @@ tcp_conn_create_v6(conn_t *lconnp, conn_t *connp, mblk_t *mp,
}
}
- if (tpi_mp == NULL)
- return (ENOMEM);
-
- connp->conn_fport = *(uint16_t *)tcph->th_lport;
- connp->conn_lport = *(uint16_t *)tcph->th_fport;
- connp->conn_flags |= (IPCL_TCP6|IPCL_EAGER);
- connp->conn_fully_bound = B_FALSE;
-
- /* Inherit information from the "parent" */
- tcp->tcp_ipversion = ltcp->tcp_ipversion;
- tcp->tcp_family = ltcp->tcp_family;
-
- tcp->tcp_wq = ltcp->tcp_wq;
- tcp->tcp_rq = ltcp->tcp_rq;
-
tcp->tcp_mss = tcps->tcps_mss_def_ipv6;
- tcp->tcp_detached = B_TRUE;
- SOCK_CONNID_INIT(tcp->tcp_connid);
- if ((err = tcp_init_values(tcp)) != 0) {
- freemsg(tpi_mp);
- return (err);
- }
-
- if (ipvers == IPV4_VERSION) {
- if ((err = tcp_header_init_ipv4(tcp)) != 0) {
- freemsg(tpi_mp);
- return (err);
- }
- ASSERT(tcp->tcp_ipha != NULL);
- } else {
- /* ifindex must be already set */
- ASSERT(ifindex != 0);
-
- if (ltcp->tcp_bound_if != 0)
- tcp->tcp_bound_if = ltcp->tcp_bound_if;
- else if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_src))
- tcp->tcp_bound_if = ifindex;
-
- tcp->tcp_ipv6_recvancillary = ltcp->tcp_ipv6_recvancillary;
- tcp->tcp_recvifindex = 0;
- tcp->tcp_recvhops = 0xffffffffU;
- ASSERT(tcp->tcp_ip6h != NULL);
- }
-
- tcp->tcp_lport = ltcp->tcp_lport;
-
- if (ltcp->tcp_ipversion == tcp->tcp_ipversion) {
- if (tcp->tcp_iphc_len != ltcp->tcp_iphc_len) {
- /*
- * Listener had options of some sort; eager inherits.
- * Free up the eager template and allocate one
- * of the right size.
- */
- if (tcp->tcp_hdr_grown) {
- kmem_free(tcp->tcp_iphc, tcp->tcp_iphc_len);
- } else {
- bzero(tcp->tcp_iphc, tcp->tcp_iphc_len);
- kmem_cache_free(tcp_iphc_cache, tcp->tcp_iphc);
- }
- tcp->tcp_iphc = kmem_zalloc(ltcp->tcp_iphc_len,
- KM_NOSLEEP);
- if (tcp->tcp_iphc == NULL) {
- tcp->tcp_iphc_len = 0;
- freemsg(tpi_mp);
- return (ENOMEM);
- }
- tcp->tcp_iphc_len = ltcp->tcp_iphc_len;
- tcp->tcp_hdr_grown = B_TRUE;
- }
- tcp->tcp_hdr_len = ltcp->tcp_hdr_len;
- tcp->tcp_ip_hdr_len = ltcp->tcp_ip_hdr_len;
- tcp->tcp_tcp_hdr_len = ltcp->tcp_tcp_hdr_len;
- tcp->tcp_ip6_hops = ltcp->tcp_ip6_hops;
- tcp->tcp_ip6_vcf = ltcp->tcp_ip6_vcf;
-
- /*
- * Copy the IP+TCP header template from listener to eager
- */
- bcopy(ltcp->tcp_iphc, tcp->tcp_iphc, ltcp->tcp_hdr_len);
- if (tcp->tcp_ipversion == IPV6_VERSION) {
- if (((ip6i_t *)(tcp->tcp_iphc))->ip6i_nxt ==
- IPPROTO_RAW) {
- tcp->tcp_ip6h =
- (ip6_t *)(tcp->tcp_iphc +
- sizeof (ip6i_t));
- } else {
- tcp->tcp_ip6h =
- (ip6_t *)(tcp->tcp_iphc);
- }
- tcp->tcp_ipha = NULL;
- } else {
- tcp->tcp_ipha = (ipha_t *)tcp->tcp_iphc;
- tcp->tcp_ip6h = NULL;
- }
- tcp->tcp_tcph = (tcph_t *)(tcp->tcp_iphc +
- tcp->tcp_ip_hdr_len);
- } else {
- /*
- * only valid case when ipversion of listener and
- * eager differ is when listener is IPv6 and
- * eager is IPv4.
- * Eager header template has been initialized to the
- * maximum v4 header sizes, which includes space for
- * TCP and IP options.
- */
- ASSERT((ltcp->tcp_ipversion == IPV6_VERSION) &&
- (tcp->tcp_ipversion == IPV4_VERSION));
- ASSERT(tcp->tcp_iphc_len >=
- TCP_MAX_COMBINED_HEADER_LENGTH);
- tcp->tcp_tcp_hdr_len = ltcp->tcp_tcp_hdr_len;
- /* copy IP header fields individually */
- tcp->tcp_ipha->ipha_ttl =
- ltcp->tcp_ip6h->ip6_hops;
- bcopy(ltcp->tcp_tcph->th_lport,
- tcp->tcp_tcph->th_lport, sizeof (ushort_t));
- }
-
- bcopy(tcph->th_lport, tcp->tcp_tcph->th_fport, sizeof (in_port_t));
- bcopy(tcp->tcp_tcph->th_fport, &tcp->tcp_fport,
- sizeof (in_port_t));
-
- if (ltcp->tcp_lport == 0) {
- tcp->tcp_lport = *(in_port_t *)tcph->th_fport;
- bcopy(tcph->th_fport, tcp->tcp_tcph->th_lport,
- sizeof (in_port_t));
- }
-
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- ASSERT(ipha != NULL);
- tcp->tcp_ipha->ipha_dst = ipha->ipha_src;
- tcp->tcp_ipha->ipha_src = ipha->ipha_dst;
-
- /* Source routing option copyover (reverse it) */
- if (tcps->tcps_rev_src_routes)
- tcp_opt_reverse(tcp, ipha);
- } else {
- ASSERT(ip6h != NULL);
- tcp->tcp_ip6h->ip6_dst = ip6h->ip6_src;
- tcp->tcp_ip6h->ip6_src = ip6h->ip6_dst;
- }
-
- ASSERT(tcp->tcp_conn.tcp_eager_conn_ind == NULL);
- ASSERT(!tcp->tcp_tconnind_started);
- /*
- * If the SYN contains a credential, it's a loopback packet; attach
- * the credential to the TPI message.
- */
- mblk_copycred(tpi_mp, idmp);
-
- tcp->tcp_conn.tcp_eager_conn_ind = tpi_mp;
-
- /* Inherit the listener's SSL protection state */
-
- if ((tcp->tcp_kssl_ent = ltcp->tcp_kssl_ent) != NULL) {
- kssl_hold_ent(tcp->tcp_kssl_ent);
- tcp->tcp_kssl_pending = B_TRUE;
- }
-
- /* Inherit the listener's non-STREAMS flag */
- if (IPCL_IS_NONSTR(lconnp)) {
- connp->conn_flags |= IPCL_NONSTR;
- }
-
- return (0);
+ return (tpi_mp);
}
-
-int
-tcp_conn_create_v4(conn_t *lconnp, conn_t *connp, ipha_t *ipha,
- tcph_t *tcph, mblk_t *idmp)
+/* Handle a SYN on an AF_INET socket */
+mblk_t *
+tcp_conn_create_v4(conn_t *lconnp, conn_t *connp, mblk_t *mp,
+ ip_recv_attr_t *ira)
{
tcp_t *ltcp = lconnp->conn_tcp;
tcp_t *tcp = connp->conn_tcp;
sin_t sin;
mblk_t *tpi_mp = NULL;
- int err;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ ipha_t *ipha;
+
+ ASSERT(ira->ira_flags & IRAF_IS_IPV4);
+ ipha = (ipha_t *)mp->b_rptr;
+
+ connp->conn_ipversion = IPV4_VERSION;
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &connp->conn_laddr_v6);
+ IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &connp->conn_faddr_v6);
+ connp->conn_saddr_v6 = connp->conn_laddr_v6;
sin = sin_null;
- sin.sin_addr.s_addr = ipha->ipha_src;
- sin.sin_port = *(uint16_t *)tcph->th_lport;
+ sin.sin_addr.s_addr = connp->conn_faddr_v4;
+ sin.sin_port = connp->conn_fport;
sin.sin_family = AF_INET;
- if (ltcp->tcp_recvdstaddr) {
+ if (lconnp->conn_recv_ancillary.crb_recvdstaddr) {
sin_t sind;
sind = sin_null;
- sind.sin_addr.s_addr = ipha->ipha_dst;
- sind.sin_port = *(uint16_t *)tcph->th_fport;
+ sind.sin_addr.s_addr = connp->conn_laddr_v4;
+ sind.sin_port = connp->conn_lport;
sind.sin_family = AF_INET;
tpi_mp = mi_tpi_extconn_ind(NULL,
(char *)&sind, sizeof (sin_t), (char *)&tcp,
@@ -4779,214 +4138,8 @@ tcp_conn_create_v4(conn_t *lconnp, conn_t *connp, ipha_t *ipha,
(t_scalar_t)ltcp->tcp_conn_req_seqnum);
}
- if (tpi_mp == NULL) {
- return (ENOMEM);
- }
-
- connp->conn_flags |= (IPCL_TCP4|IPCL_EAGER);
- connp->conn_send = ip_output;
- connp->conn_recv = tcp_input;
- connp->conn_fully_bound = B_FALSE;
-
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &connp->conn_bound_source_v6);
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &connp->conn_srcv6);
- IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &connp->conn_remv6);
- connp->conn_fport = *(uint16_t *)tcph->th_lport;
- connp->conn_lport = *(uint16_t *)tcph->th_fport;
-
- /* Inherit information from the "parent" */
- tcp->tcp_ipversion = ltcp->tcp_ipversion;
- tcp->tcp_family = ltcp->tcp_family;
- tcp->tcp_wq = ltcp->tcp_wq;
- tcp->tcp_rq = ltcp->tcp_rq;
tcp->tcp_mss = tcps->tcps_mss_def_ipv4;
- tcp->tcp_detached = B_TRUE;
- SOCK_CONNID_INIT(tcp->tcp_connid);
- if ((err = tcp_init_values(tcp)) != 0) {
- freemsg(tpi_mp);
- return (err);
- }
-
- /*
- * Let's make sure that eager tcp template has enough space to
- * copy IPv4 listener's tcp template. Since the conn_t structure is
- * preserved and tcp_iphc_len is also preserved, an eager conn_t may
- * have a tcp_template of total len TCP_MAX_COMBINED_HEADER_LENGTH or
- * more (in case of re-allocation of conn_t with tcp-IPv6 template with
- * extension headers or with ip6i_t struct). Note that bcopy() below
- * copies listener tcp's hdr_len which cannot be greater than TCP_MAX_
- * COMBINED_HEADER_LENGTH as this listener must be a IPv4 listener.
- */
- ASSERT(tcp->tcp_iphc_len >= TCP_MAX_COMBINED_HEADER_LENGTH);
- ASSERT(ltcp->tcp_hdr_len <= TCP_MAX_COMBINED_HEADER_LENGTH);
-
- tcp->tcp_hdr_len = ltcp->tcp_hdr_len;
- tcp->tcp_ip_hdr_len = ltcp->tcp_ip_hdr_len;
- tcp->tcp_tcp_hdr_len = ltcp->tcp_tcp_hdr_len;
- tcp->tcp_ttl = ltcp->tcp_ttl;
- tcp->tcp_tos = ltcp->tcp_tos;
-
- /* Copy the IP+TCP header template from listener to eager */
- bcopy(ltcp->tcp_iphc, tcp->tcp_iphc, ltcp->tcp_hdr_len);
- tcp->tcp_ipha = (ipha_t *)tcp->tcp_iphc;
- tcp->tcp_ip6h = NULL;
- tcp->tcp_tcph = (tcph_t *)(tcp->tcp_iphc +
- tcp->tcp_ip_hdr_len);
-
- /* Initialize the IP addresses and Ports */
- tcp->tcp_ipha->ipha_dst = ipha->ipha_src;
- tcp->tcp_ipha->ipha_src = ipha->ipha_dst;
- bcopy(tcph->th_lport, tcp->tcp_tcph->th_fport, sizeof (in_port_t));
- bcopy(tcph->th_fport, tcp->tcp_tcph->th_lport, sizeof (in_port_t));
-
- /* Source routing option copyover (reverse it) */
- if (tcps->tcps_rev_src_routes)
- tcp_opt_reverse(tcp, ipha);
-
- ASSERT(tcp->tcp_conn.tcp_eager_conn_ind == NULL);
- ASSERT(!tcp->tcp_tconnind_started);
-
- /*
- * If the SYN contains a credential, it's a loopback packet; attach
- * the credential to the TPI message.
- */
- mblk_copycred(tpi_mp, idmp);
-
- tcp->tcp_conn.tcp_eager_conn_ind = tpi_mp;
-
- /* Inherit the listener's SSL protection state */
- if ((tcp->tcp_kssl_ent = ltcp->tcp_kssl_ent) != NULL) {
- kssl_hold_ent(tcp->tcp_kssl_ent);
- tcp->tcp_kssl_pending = B_TRUE;
- }
-
- /* Inherit the listener's non-STREAMS flag */
- if (IPCL_IS_NONSTR(lconnp)) {
- connp->conn_flags |= IPCL_NONSTR;
- }
-
- return (0);
-}
-
-/*
- * sets up conn for ipsec.
- * if the first mblk is M_CTL it is consumed and mpp is updated.
- * in case of error mpp is freed.
- */
-conn_t *
-tcp_get_ipsec_conn(tcp_t *tcp, squeue_t *sqp, mblk_t **mpp)
-{
- conn_t *connp = tcp->tcp_connp;
- conn_t *econnp;
- squeue_t *new_sqp;
- mblk_t *first_mp = *mpp;
- mblk_t *mp = *mpp;
- boolean_t mctl_present = B_FALSE;
- uint_t ipvers;
-
- econnp = tcp_get_conn(sqp, tcp->tcp_tcps);
- if (econnp == NULL) {
- freemsg(first_mp);
- return (NULL);
- }
- if (DB_TYPE(mp) == M_CTL) {
- if (mp->b_cont == NULL ||
- mp->b_cont->b_datap->db_type != M_DATA) {
- freemsg(first_mp);
- return (NULL);
- }
- mp = mp->b_cont;
- if ((mp->b_datap->db_struioflag & STRUIO_EAGER) == 0) {
- freemsg(first_mp);
- return (NULL);
- }
-
- mp->b_datap->db_struioflag &= ~STRUIO_EAGER;
- first_mp->b_datap->db_struioflag &= ~STRUIO_POLICY;
- mctl_present = B_TRUE;
- } else {
- ASSERT(mp->b_datap->db_struioflag & STRUIO_POLICY);
- mp->b_datap->db_struioflag &= ~STRUIO_POLICY;
- }
-
- new_sqp = (squeue_t *)DB_CKSUMSTART(mp);
- DB_CKSUMSTART(mp) = 0;
-
- ASSERT(OK_32PTR(mp->b_rptr));
- ipvers = IPH_HDR_VERSION(mp->b_rptr);
- if (ipvers == IPV4_VERSION) {
- uint16_t *up;
- uint32_t ports;
- ipha_t *ipha;
-
- ipha = (ipha_t *)mp->b_rptr;
- up = (uint16_t *)((uchar_t *)ipha +
- IPH_HDR_LENGTH(ipha) + TCP_PORTS_OFFSET);
- ports = *(uint32_t *)up;
- IPCL_TCP_EAGER_INIT(econnp, IPPROTO_TCP,
- ipha->ipha_dst, ipha->ipha_src, ports);
- } else {
- uint16_t *up;
- uint32_t ports;
- uint16_t ip_hdr_len;
- uint8_t *nexthdrp;
- ip6_t *ip6h;
- tcph_t *tcph;
-
- ip6h = (ip6_t *)mp->b_rptr;
- if (ip6h->ip6_nxt == IPPROTO_TCP) {
- ip_hdr_len = IPV6_HDR_LEN;
- } else if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &ip_hdr_len,
- &nexthdrp) || *nexthdrp != IPPROTO_TCP) {
- CONN_DEC_REF(econnp);
- freemsg(first_mp);
- return (NULL);
- }
- tcph = (tcph_t *)&mp->b_rptr[ip_hdr_len];
- up = (uint16_t *)tcph->th_lport;
- ports = *(uint32_t *)up;
- IPCL_TCP_EAGER_INIT_V6(econnp, IPPROTO_TCP,
- ip6h->ip6_dst, ip6h->ip6_src, ports);
- }
-
- /*
- * The caller already ensured that there is a sqp present.
- */
- econnp->conn_sqp = new_sqp;
- econnp->conn_initial_sqp = new_sqp;
-
- if (connp->conn_policy != NULL) {
- ipsec_in_t *ii;
- ii = (ipsec_in_t *)(first_mp->b_rptr);
- ASSERT(ii->ipsec_in_policy == NULL);
- IPPH_REFHOLD(connp->conn_policy);
- ii->ipsec_in_policy = connp->conn_policy;
-
- first_mp->b_datap->db_type = IPSEC_POLICY_SET;
- if (!ip_bind_ipsec_policy_set(econnp, first_mp)) {
- CONN_DEC_REF(econnp);
- freemsg(first_mp);
- return (NULL);
- }
- }
-
- if (ipsec_conn_cache_policy(econnp, ipvers == IPV4_VERSION) != 0) {
- CONN_DEC_REF(econnp);
- freemsg(first_mp);
- return (NULL);
- }
-
- /*
- * If we know we have some policy, pass the "IPSEC"
- * options size TCP uses this adjust the MSS.
- */
- econnp->conn_tcp->tcp_ipsec_overhead = conn_ipsec_length(econnp);
- if (mctl_present) {
- freeb(first_mp);
- *mpp = mp;
- }
-
- return (econnp);
+ return (tpi_mp);
}
/*
@@ -5002,10 +4155,8 @@ tcp_get_ipsec_conn(tcp_t *tcp, squeue_t *sqp, mblk_t **mpp)
* connection sitting in the freelist. Obviously, this buys us
* performance.
*
- * 2) Defence against DOS attack. Allocating a tcp/conn in tcp_conn_request
- * has multiple disadvantages - tying up the squeue during alloc, and the
- * fact that IPSec policy initialization has to happen here which
- * requires us sending a M_CTL and checking for it i.e. real ugliness.
+ * 2) Defence against DOS attack. Allocating a tcp/conn in tcp_input_listener
+ * has multiple disadvantages - tying up the squeue during alloc.
* But allocating the conn/tcp in IP land is also not the best since
* we can't check the 'q' and 'q0' which are protected by squeue and
* blindly allocate memory which might have to be freed here if we are
@@ -5050,9 +4201,15 @@ tcp_get_conn(void *arg, tcp_stack_t *tcps)
ns = tcps->tcps_netstack;
netstack_hold(ns);
connp->conn_netstack = ns;
+ connp->conn_ixa->ixa_ipst = ns->netstack_ip;
tcp->tcp_tcps = tcps;
- TCPS_REFHOLD(tcps);
ipcl_globalhash_insert(connp);
+
+ connp->conn_ixa->ixa_notify_cookie = tcp;
+ ASSERT(connp->conn_ixa->ixa_notify == tcp_notify);
+ connp->conn_recv = tcp_input_data;
+ ASSERT(connp->conn_recvicmp == tcp_icmp_input);
+ ASSERT(connp->conn_verifyicmp == tcp_verifyicmp);
return ((void *)connp);
}
mutex_exit(&tcp_time_wait->tcp_time_wait_lock);
@@ -5075,62 +4232,20 @@ tcp_get_conn(void *arg, tcp_stack_t *tcps)
mutex_init(&tcp->tcp_rsrv_mp_lock, NULL, MUTEX_DEFAULT, NULL);
tcp->tcp_tcps = tcps;
- TCPS_REFHOLD(tcps);
- return ((void *)connp);
-}
+ connp->conn_recv = tcp_input_data;
+ connp->conn_recvicmp = tcp_icmp_input;
+ connp->conn_verifyicmp = tcp_verifyicmp;
-/*
- * Update the cached label for the given tcp_t. This should be called once per
- * connection, and before any packets are sent or tcp_process_options is
- * invoked. Returns B_FALSE if the correct label could not be constructed.
- */
-static boolean_t
-tcp_update_label(tcp_t *tcp, const cred_t *cr)
-{
- conn_t *connp = tcp->tcp_connp;
-
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- uchar_t optbuf[IP_MAX_OPT_LENGTH];
- int added;
-
- if (tsol_compute_label(cr, tcp->tcp_remote, optbuf,
- tcp->tcp_tcps->tcps_netstack->netstack_ip) != 0)
- return (B_FALSE);
-
- added = tsol_remove_secopt(tcp->tcp_ipha, tcp->tcp_hdr_len);
- if (added == -1)
- return (B_FALSE);
- tcp->tcp_hdr_len += added;
- tcp->tcp_tcph = (tcph_t *)((uchar_t *)tcp->tcp_tcph + added);
- tcp->tcp_ip_hdr_len += added;
- if ((tcp->tcp_label_len = optbuf[IPOPT_OLEN]) != 0) {
- tcp->tcp_label_len = (tcp->tcp_label_len + 3) & ~3;
- added = tsol_prepend_option(optbuf, tcp->tcp_ipha,
- tcp->tcp_hdr_len);
- if (added == -1)
- return (B_FALSE);
- tcp->tcp_hdr_len += added;
- tcp->tcp_tcph = (tcph_t *)
- ((uchar_t *)tcp->tcp_tcph + added);
- tcp->tcp_ip_hdr_len += added;
- }
- } else {
- uchar_t optbuf[TSOL_MAX_IPV6_OPTION];
-
- if (tsol_compute_label_v6(cr, &tcp->tcp_remote_v6, optbuf,
- tcp->tcp_tcps->tcps_netstack->netstack_ip) != 0)
- return (B_FALSE);
- if (tsol_update_sticky(&tcp->tcp_sticky_ipp,
- &tcp->tcp_label_len, optbuf) != 0)
- return (B_FALSE);
- if (tcp_build_hdrs(tcp) != 0)
- return (B_FALSE);
- }
-
- connp->conn_ulp_labeled = 1;
+ /*
+ * Register tcp_notify to listen to capability changes detected by IP.
+ * This upcall is made in the context of the call to conn_ip_output
+ * thus it is inside the squeue.
+ */
+ connp->conn_ixa->ixa_notify = tcp_notify;
+ connp->conn_ixa->ixa_notify_cookie = tcp;
- return (B_TRUE);
+ return ((void *)connp);
}
/* BEGIN CSTYLED */
@@ -5140,7 +4255,7 @@ tcp_update_label(tcp_t *tcp, const cred_t *cr)
* =======================
*
* The eager is now established in its own perimeter as soon as SYN is
- * received in tcp_conn_request(). When sockfs receives conn_ind, it
+ * received in tcp_input_listener(). When sockfs receives conn_ind, it
* completes the accept processing on the acceptor STREAM. The sending
* of conn_ind part is common for both sockfs listener and a TLI/XTI
* listener but a TLI/XTI listener completes the accept processing
@@ -5149,29 +4264,28 @@ tcp_update_label(tcp_t *tcp, const cred_t *cr)
* Common control flow for 3 way handshake:
* ----------------------------------------
*
- * incoming SYN (listener perimeter) -> tcp_rput_data()
- * -> tcp_conn_request()
+ * incoming SYN (listener perimeter) -> tcp_input_listener()
*
- * incoming SYN-ACK-ACK (eager perim) -> tcp_rput_data()
+ * incoming SYN-ACK-ACK (eager perim) -> tcp_input_data()
* send T_CONN_IND (listener perim) -> tcp_send_conn_ind()
*
* Sockfs ACCEPT Path:
* -------------------
*
- * open acceptor stream (tcp_open allocates tcp_wput_accept()
+ * open acceptor stream (tcp_open allocates tcp_tli_accept()
* as STREAM entry point)
*
- * soaccept() sends T_CONN_RES on the acceptor STREAM to tcp_wput_accept()
+ * soaccept() sends T_CONN_RES on the acceptor STREAM to tcp_tli_accept()
*
- * tcp_wput_accept() extracts the eager and makes the q->q_ptr <-> eager
+ * tcp_tli_accept() extracts the eager and makes the q->q_ptr <-> eager
* association (we are not behind eager's squeue but sockfs is protecting us
* and no one knows about this stream yet. The STREAMS entry point q->q_info
* is changed to point at tcp_wput().
*
- * tcp_wput_accept() sends any deferred eagers via tcp_send_pending() to
+ * tcp_accept_common() sends any deferred eagers via tcp_send_pending() to
* listener (done on listener's perimeter).
*
- * tcp_wput_accept() calls tcp_accept_finish() on eagers perimeter to finish
+ * tcp_tli_accept() calls tcp_accept_finish() on eagers perimeter to finish
* accept.
*
* TLI/XTI client ACCEPT path:
@@ -5179,8 +4293,8 @@ tcp_update_label(tcp_t *tcp, const cred_t *cr)
*
* soaccept() sends T_CONN_RES on the listener STREAM.
*
- * tcp_accept() -> tcp_accept_swap() complete the processing and send
- * the bind_mp to eager perimeter to finish accept (tcp_rput_other()).
+ * tcp_tli_accept() -> tcp_accept_swap() complete the processing and send
+ * a M_SETOPS mblk to eager perimeter to finish accept (tcp_accept_finish()).
*
* Locks:
* ======
@@ -5191,7 +4305,7 @@ tcp_update_label(tcp_t *tcp, const cred_t *cr)
* Referencing:
* ============
*
- * 1) We start out in tcp_conn_request by eager placing a ref on
+ * 1) We start out in tcp_input_listener by eager placing a ref on
* listener and listener adding eager to listeners->tcp_eager_next_q0.
*
* 2) When a SYN-ACK-ACK arrives, we send the conn_ind to listener. Before
@@ -5249,51 +4363,71 @@ tcp_update_label(tcp_t *tcp, const cred_t *cr)
/*
* THIS FUNCTION IS DIRECTLY CALLED BY IP VIA SQUEUE FOR SYN.
- * tcp_rput_data will not see any SYN packets.
+ * tcp_input_data will not see any packets for listeners since the listener
+ * has conn_recv set to tcp_input_listener.
*/
/* ARGSUSED */
void
-tcp_conn_request(void *arg, mblk_t *mp, void *arg2)
+tcp_input_listener(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
{
- tcph_t *tcph;
+ tcpha_t *tcpha;
uint32_t seg_seq;
tcp_t *eager;
- uint_t ipvers;
- ipha_t *ipha;
- ip6_t *ip6h;
int err;
conn_t *econnp = NULL;
squeue_t *new_sqp;
mblk_t *mp1;
uint_t ip_hdr_len;
- conn_t *connp = (conn_t *)arg;
- tcp_t *tcp = connp->conn_tcp;
- cred_t *credp;
- tcp_stack_t *tcps = tcp->tcp_tcps;
- ip_stack_t *ipst;
+ conn_t *lconnp = (conn_t *)arg;
+ tcp_t *listener = lconnp->conn_tcp;
+ tcp_stack_t *tcps = listener->tcp_tcps;
+ ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
+ uint_t flags;
+ mblk_t *tpi_mp;
+ uint_t ifindex = ira->ira_ruifindex;
- if (tcp->tcp_state != TCPS_LISTEN)
+ ip_hdr_len = ira->ira_ip_hdr_length;
+ tcpha = (tcpha_t *)&mp->b_rptr[ip_hdr_len];
+ flags = (unsigned int)tcpha->tha_flags & 0xFF;
+
+ if (!(flags & TH_SYN)) {
+ if ((flags & TH_RST) || (flags & TH_URG)) {
+ freemsg(mp);
+ return;
+ }
+ if (flags & TH_ACK) {
+ /* Note this executes in listener's squeue */
+ tcp_xmit_listeners_reset(mp, ira, ipst, lconnp);
+ return;
+ }
+
+ freemsg(mp);
+ return;
+ }
+
+ if (listener->tcp_state != TCPS_LISTEN)
goto error2;
- ASSERT((tcp->tcp_connp->conn_flags & IPCL_BOUND) != 0);
+ ASSERT(IPCL_IS_BOUND(lconnp));
- mutex_enter(&tcp->tcp_eager_lock);
- if (tcp->tcp_conn_req_cnt_q >= tcp->tcp_conn_req_max) {
- mutex_exit(&tcp->tcp_eager_lock);
+ mutex_enter(&listener->tcp_eager_lock);
+ if (listener->tcp_conn_req_cnt_q >= listener->tcp_conn_req_max) {
+ mutex_exit(&listener->tcp_eager_lock);
TCP_STAT(tcps, tcp_listendrop);
BUMP_MIB(&tcps->tcps_mib, tcpListenDrop);
- if (tcp->tcp_debug) {
+ if (lconnp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE|SL_ERROR,
- "tcp_conn_request: listen backlog (max=%d) "
+ "tcp_input_listener: listen backlog (max=%d) "
"overflow (%d pending) on %s",
- tcp->tcp_conn_req_max, tcp->tcp_conn_req_cnt_q,
- tcp_display(tcp, NULL, DISP_PORT_ONLY));
+ listener->tcp_conn_req_max,
+ listener->tcp_conn_req_cnt_q,
+ tcp_display(listener, NULL, DISP_PORT_ONLY));
}
goto error2;
}
- if (tcp->tcp_conn_req_cnt_q0 >=
- tcp->tcp_conn_req_max + tcps->tcps_conn_req_max_q0) {
+ if (listener->tcp_conn_req_cnt_q0 >=
+ listener->tcp_conn_req_max + tcps->tcps_conn_req_max_q0) {
/*
* Q0 is full. Drop a pending half-open req from the queue
* to make room for the new SYN req. Also mark the time we
@@ -5303,83 +4437,127 @@ tcp_conn_request(void *arg, mblk_t *mp, void *arg2)
* be to set the "tcp_syn_defense" flag now.
*/
TCP_STAT(tcps, tcp_listendropq0);
- tcp->tcp_last_rcv_lbolt = lbolt64;
- if (!tcp_drop_q0(tcp)) {
- mutex_exit(&tcp->tcp_eager_lock);
+ listener->tcp_last_rcv_lbolt = lbolt64;
+ if (!tcp_drop_q0(listener)) {
+ mutex_exit(&listener->tcp_eager_lock);
BUMP_MIB(&tcps->tcps_mib, tcpListenDropQ0);
- if (tcp->tcp_debug) {
+ if (lconnp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 3, SL_TRACE,
- "tcp_conn_request: listen half-open queue "
- "(max=%d) full (%d pending) on %s",
+ "tcp_input_listener: listen half-open "
+ "queue (max=%d) full (%d pending) on %s",
tcps->tcps_conn_req_max_q0,
- tcp->tcp_conn_req_cnt_q0,
- tcp_display(tcp, NULL,
+ listener->tcp_conn_req_cnt_q0,
+ tcp_display(listener, NULL,
DISP_PORT_ONLY));
}
goto error2;
}
}
- mutex_exit(&tcp->tcp_eager_lock);
+ mutex_exit(&listener->tcp_eager_lock);
/*
- * IP adds STRUIO_EAGER and ensures that the received packet is
- * M_DATA even if conn_ipv6_recvpktinfo is enabled or for ip6
- * link local address. If IPSec is enabled, db_struioflag has
- * STRUIO_POLICY set (mutually exclusive from STRUIO_EAGER);
- * otherwise an error case if neither of them is set.
+ * IP sets ira_sqp to either the senders conn_sqp (for loopback)
+ * or based on the ring (for packets from GLD). Otherwise it is
+ * set based on lbolt i.e., a somewhat random number.
*/
- if ((mp->b_datap->db_struioflag & STRUIO_EAGER) != 0) {
- new_sqp = (squeue_t *)DB_CKSUMSTART(mp);
- DB_CKSUMSTART(mp) = 0;
- mp->b_datap->db_struioflag &= ~STRUIO_EAGER;
- econnp = (conn_t *)tcp_get_conn(arg2, tcps);
- if (econnp == NULL)
- goto error2;
- ASSERT(econnp->conn_netstack == connp->conn_netstack);
- econnp->conn_sqp = new_sqp;
- econnp->conn_initial_sqp = new_sqp;
- } else if ((mp->b_datap->db_struioflag & STRUIO_POLICY) != 0) {
- /*
- * mp is updated in tcp_get_ipsec_conn().
- */
- econnp = tcp_get_ipsec_conn(tcp, arg2, &mp);
- if (econnp == NULL) {
- /*
- * mp freed by tcp_get_ipsec_conn.
- */
- return;
- }
- ASSERT(econnp->conn_netstack == connp->conn_netstack);
- } else {
+ ASSERT(ira->ira_sqp != NULL);
+ new_sqp = ira->ira_sqp;
+
+ econnp = (conn_t *)tcp_get_conn(arg2, tcps);
+ if (econnp == NULL)
goto error2;
- }
- ASSERT(DB_TYPE(mp) == M_DATA);
+ ASSERT(econnp->conn_netstack == lconnp->conn_netstack);
+ econnp->conn_sqp = new_sqp;
+ econnp->conn_initial_sqp = new_sqp;
+ econnp->conn_ixa->ixa_sqp = new_sqp;
+
+ econnp->conn_fport = tcpha->tha_lport;
+ econnp->conn_lport = tcpha->tha_fport;
+
+ err = conn_inherit_parent(lconnp, econnp);
+ if (err != 0)
+ goto error3;
- ipvers = IPH_HDR_VERSION(mp->b_rptr);
- ASSERT(ipvers == IPV6_VERSION || ipvers == IPV4_VERSION);
ASSERT(OK_32PTR(mp->b_rptr));
- if (ipvers == IPV4_VERSION) {
- ipha = (ipha_t *)mp->b_rptr;
- ip_hdr_len = IPH_HDR_LENGTH(ipha);
- tcph = (tcph_t *)&mp->b_rptr[ip_hdr_len];
- } else {
- ip6h = (ip6_t *)mp->b_rptr;
- ip_hdr_len = ip_hdr_length_v6(mp, ip6h);
- tcph = (tcph_t *)&mp->b_rptr[ip_hdr_len];
- }
+ ASSERT(IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION ||
+ IPH_HDR_VERSION(mp->b_rptr) == IPV6_VERSION);
- if (tcp->tcp_family == AF_INET) {
- ASSERT(ipvers == IPV4_VERSION);
- err = tcp_conn_create_v4(connp, econnp, ipha, tcph, mp);
+ if (lconnp->conn_family == AF_INET) {
+ ASSERT(IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
+ tpi_mp = tcp_conn_create_v4(lconnp, econnp, mp, ira);
} else {
- err = tcp_conn_create_v6(connp, econnp, mp, tcph, ipvers, mp);
+ tpi_mp = tcp_conn_create_v6(lconnp, econnp, mp, ira);
}
- if (err)
+ if (tpi_mp == NULL)
goto error3;
eager = econnp->conn_tcp;
+ eager->tcp_detached = B_TRUE;
+ SOCK_CONNID_INIT(eager->tcp_connid);
+
+ tcp_init_values(eager);
+
+ ASSERT((econnp->conn_ixa->ixa_flags &
+ (IXAF_SET_ULP_CKSUM | IXAF_VERIFY_SOURCE |
+ IXAF_VERIFY_PMTU | IXAF_VERIFY_LSO)) ==
+ (IXAF_SET_ULP_CKSUM | IXAF_VERIFY_SOURCE |
+ IXAF_VERIFY_PMTU | IXAF_VERIFY_LSO));
+
+ if (!tcps->tcps_dev_flow_ctl)
+ econnp->conn_ixa->ixa_flags |= IXAF_NO_DEV_FLOW_CTL;
+
+ /* Prepare for diffing against previous packets */
+ eager->tcp_recvifindex = 0;
+ eager->tcp_recvhops = 0xffffffffU;
+
+ if (!(ira->ira_flags & IRAF_IS_IPV4) && econnp->conn_bound_if == 0) {
+ if (IN6_IS_ADDR_LINKSCOPE(&econnp->conn_faddr_v6) ||
+ IN6_IS_ADDR_LINKSCOPE(&econnp->conn_laddr_v6)) {
+ econnp->conn_incoming_ifindex = ifindex;
+ econnp->conn_ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ econnp->conn_ixa->ixa_scopeid = ifindex;
+ }
+ }
+
+ if ((ira->ira_flags & (IRAF_IS_IPV4|IRAF_IPV4_OPTIONS)) ==
+ (IRAF_IS_IPV4|IRAF_IPV4_OPTIONS) &&
+ tcps->tcps_rev_src_routes) {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+ ip_pkt_t *ipp = &econnp->conn_xmit_ipp;
+
+ /* Source routing option copyover (reverse it) */
+ err = ip_find_hdr_v4(ipha, ipp, B_TRUE);
+ if (err != 0) {
+ freemsg(tpi_mp);
+ goto error3;
+ }
+ ip_pkt_source_route_reverse_v4(ipp);
+ }
+
+ ASSERT(eager->tcp_conn.tcp_eager_conn_ind == NULL);
+ ASSERT(!eager->tcp_tconnind_started);
+ /*
+ * If the SYN came with a credential, it's a loopback packet or a
+ * labeled packet; attach the credential to the TPI message.
+ */
+ if (ira->ira_cred != NULL)
+ mblk_setcred(tpi_mp, ira->ira_cred, ira->ira_cpid);
+
+ eager->tcp_conn.tcp_eager_conn_ind = tpi_mp;
+
+ /* Inherit the listener's SSL protection state */
+ if ((eager->tcp_kssl_ent = listener->tcp_kssl_ent) != NULL) {
+ kssl_hold_ent(eager->tcp_kssl_ent);
+ eager->tcp_kssl_pending = B_TRUE;
+ }
+
+ /* Inherit the listener's non-STREAMS flag */
+ if (IPCL_IS_NONSTR(lconnp)) {
+ econnp->conn_flags |= IPCL_NONSTR;
+ }
+
ASSERT(eager->tcp_ordrel_mp == NULL);
if (!IPCL_IS_NONSTR(econnp)) {
@@ -5392,127 +4570,103 @@ tcp_conn_request(void *arg, mblk_t *mp, void *arg2)
if ((eager->tcp_ordrel_mp = mi_tpi_ordrel_ind()) == NULL)
goto error3;
}
- /* Inherit various TCP parameters from the listener */
- eager->tcp_naglim = tcp->tcp_naglim;
- eager->tcp_first_timer_threshold = tcp->tcp_first_timer_threshold;
- eager->tcp_second_timer_threshold = tcp->tcp_second_timer_threshold;
-
- eager->tcp_first_ctimer_threshold = tcp->tcp_first_ctimer_threshold;
- eager->tcp_second_ctimer_threshold = tcp->tcp_second_ctimer_threshold;
-
/*
- * tcp_adapt_ire() may change tcp_rwnd according to the ire metrics.
- * If it does not, the eager's receive window will be set to the
- * listener's receive window later in this function.
+ * Now that the IP addresses and ports are setup in econnp we
+ * can do the IPsec policy work.
*/
- eager->tcp_rwnd = 0;
+ if (ira->ira_flags & IRAF_IPSEC_SECURE) {
+ if (lconnp->conn_policy != NULL) {
+ /*
+ * Inherit the policy from the listener; use
+ * actions from ira
+ */
+ if (!ip_ipsec_policy_inherit(econnp, lconnp, ira)) {
+ CONN_DEC_REF(econnp);
+ freemsg(mp);
+ goto error3;
+ }
+ }
+ }
- /*
- * Inherit listener's tcp_init_cwnd. Need to do this before
- * calling tcp_process_options() where tcp_mss_set() is called
- * to set the initial cwnd.
- */
- eager->tcp_init_cwnd = tcp->tcp_init_cwnd;
+ /* Inherit various TCP parameters from the listener */
+ eager->tcp_naglim = listener->tcp_naglim;
+ eager->tcp_first_timer_threshold = listener->tcp_first_timer_threshold;
+ eager->tcp_second_timer_threshold =
+ listener->tcp_second_timer_threshold;
+ eager->tcp_first_ctimer_threshold =
+ listener->tcp_first_ctimer_threshold;
+ eager->tcp_second_ctimer_threshold =
+ listener->tcp_second_ctimer_threshold;
/*
- * Zones: tcp_adapt_ire() and tcp_send_data() both need the
- * zone id before the accept is completed in tcp_wput_accept().
+ * tcp_set_destination() may set tcp_rwnd according to the route
+ * metrics. If it does not, the eager's receive window will be set
+ * to the listener's receive window later in this function.
*/
- econnp->conn_zoneid = connp->conn_zoneid;
- econnp->conn_allzones = connp->conn_allzones;
-
- /* Copy nexthop information from listener to eager */
- if (connp->conn_nexthop_set) {
- econnp->conn_nexthop_set = connp->conn_nexthop_set;
- econnp->conn_nexthop_v4 = connp->conn_nexthop_v4;
- }
+ eager->tcp_rwnd = 0;
/*
- * TSOL: tsol_input_proc() needs the eager's cred before the
- * eager is accepted
+ * Inherit listener's tcp_init_cwnd. Need to do this before
+ * calling tcp_process_options() which set the initial cwnd.
*/
- econnp->conn_cred = eager->tcp_cred = credp = connp->conn_cred;
- crhold(credp);
+ eager->tcp_init_cwnd = listener->tcp_init_cwnd;
- ASSERT(econnp->conn_effective_cred == NULL);
if (is_system_labeled()) {
- cred_t *cr;
- ts_label_t *tsl;
-
- /*
- * If this is an MLP connection or a MAC-Exempt connection
- * with an unlabeled node, packets are to be
- * exchanged using the security label of the received
- * SYN packet instead of the server application's label.
- */
- if ((cr = msg_getcred(mp, NULL)) != NULL &&
- (tsl = crgetlabel(cr)) != NULL &&
- (connp->conn_mlp_type != mlptSingle ||
- (connp->conn_mac_mode != CONN_MAC_AWARE &&
- (tsl->tsl_flags & TSLF_UNLABELED)))) {
- if ((econnp->conn_effective_cred =
- copycred_from_tslabel(econnp->conn_cred,
- tsl, KM_NOSLEEP)) != NULL) {
- DTRACE_PROBE2(
- syn_accept_peerlabel,
- conn_t *, econnp, cred_t *,
- econnp->conn_effective_cred);
- } else {
- DTRACE_PROBE3(
- tx__ip__log__error__set__eagercred__tcp,
- char *,
- "SYN mp(1) label on eager connp(2) failed",
- mblk_t *, mp, conn_t *, econnp);
- goto error3;
- }
+ ip_xmit_attr_t *ixa = econnp->conn_ixa;
+
+ ASSERT(ira->ira_tsl != NULL);
+ /* Discard any old label */
+ if (ixa->ixa_free_flags & IXA_FREE_TSL) {
+ ASSERT(ixa->ixa_tsl != NULL);
+ label_rele(ixa->ixa_tsl);
+ ixa->ixa_free_flags &= ~IXA_FREE_TSL;
+ ixa->ixa_tsl = NULL;
+ }
+ if ((lconnp->conn_mlp_type != mlptSingle ||
+ lconnp->conn_mac_mode != CONN_MAC_DEFAULT) &&
+ ira->ira_tsl != NULL) {
+ /*
+ * If this is an MLP connection or a MAC-Exempt
+ * connection with an unlabeled node, packets are to be
+ * exchanged using the security label of the received
+ * SYN packet instead of the server application's label.
+ * tsol_check_dest called from ip_set_destination
+ * might later update TSF_UNLABELED by replacing
+ * ixa_tsl with a new label.
+ */
+ label_hold(ira->ira_tsl);
+ ip_xmit_attr_replace_tsl(ixa, ira->ira_tsl);
+ DTRACE_PROBE2(mlp_syn_accept, conn_t *,
+ econnp, ts_label_t *, ixa->ixa_tsl)
} else {
+ ixa->ixa_tsl = crgetlabel(econnp->conn_cred);
DTRACE_PROBE2(syn_accept, conn_t *,
- econnp, cred_t *, econnp->conn_cred)
+ econnp, ts_label_t *, ixa->ixa_tsl)
}
-
/*
- * Verify the destination is allowed to receive packets
- * at the security label of the SYN-ACK we are generating.
- * tsol_check_dest() may create a new effective cred for
- * this connection with a modified label or label flags.
+ * conn_connect() called from tcp_set_destination will verify
+ * the destination is allowed to receive packets at the
+ * security label of the SYN-ACK we are generating. As part of
+ * that, tsol_check_dest() may create a new effective label for
+ * this connection.
+ * Finally conn_connect() will call conn_update_label.
+ * All that remains for TCP to do is to call
+ * conn_build_hdr_template which is done as part of
+ * tcp_set_destination.
*/
- if (IN6_IS_ADDR_V4MAPPED(&econnp->conn_remv6)) {
- uint32_t dst;
- IN6_V4MAPPED_TO_IPADDR(&econnp->conn_remv6, dst);
- err = tsol_check_dest(CONN_CRED(econnp), &dst,
- IPV4_VERSION, B_FALSE, &cr);
- } else {
- err = tsol_check_dest(CONN_CRED(econnp),
- &econnp->conn_remv6, IPV6_VERSION,
- B_FALSE, &cr);
- }
- if (err != 0)
- goto error3;
- if (cr != NULL) {
- if (econnp->conn_effective_cred != NULL)
- crfree(econnp->conn_effective_cred);
- econnp->conn_effective_cred = cr;
- }
-
- /*
- * Generate the security label to be used in the text of
- * this connection's outgoing packets.
- */
- if (!tcp_update_label(eager, CONN_CRED(econnp))) {
- DTRACE_PROBE3(
- tx__ip__log__error__connrequest__tcp,
- char *, "eager connp(1) label on SYN mp(2) failed",
- conn_t *, econnp, mblk_t *, mp);
- goto error3;
- }
}
+ /*
+ * Since we will clear tcp_listener before we clear tcp_detached
+ * in the accept code we need tcp_hard_binding aka tcp_accept_inprogress
+ * so we can tell a TCP_DETACHED_NONEAGER apart.
+ */
eager->tcp_hard_binding = B_TRUE;
tcp_bind_hash_insert(&tcps->tcps_bind_fanout[
- TCP_BIND_HASH(eager->tcp_lport)], eager, 0);
+ TCP_BIND_HASH(econnp->conn_lport)], eager, 0);
- CL_INET_CONNECT(connp, eager, B_FALSE, err);
+ CL_INET_CONNECT(econnp, B_FALSE, err);
if (err != 0) {
tcp_bind_hash_remove(eager);
goto error3;
@@ -5528,32 +4682,27 @@ tcp_conn_request(void *arg, mblk_t *mp, void *arg2)
SOCK_CONNID_BUMP(eager->tcp_connid);
/*
- * There should be no ire in the mp as we are being called after
- * receiving the SYN.
- */
- ASSERT(tcp_ire_mp(&mp) == NULL);
-
- /*
- * Adapt our mss, ttl, ... according to information provided in IRE.
+ * Adapt our mss, ttl, ... based on the remote address.
*/
- if (tcp_adapt_ire(eager, NULL) == 0) {
+ if (tcp_set_destination(eager) != 0) {
+ BUMP_MIB(&tcps->tcps_mib, tcpAttemptFails);
/* Undo the bind_hash_insert */
tcp_bind_hash_remove(eager);
goto error3;
}
/* Process all TCP options. */
- tcp_process_options(eager, tcph);
+ tcp_process_options(eager, tcpha);
/* Is the other end ECN capable? */
if (tcps->tcps_ecn_permitted >= 1 &&
- (tcph->th_flags[0] & (TH_ECE|TH_CWR)) == (TH_ECE|TH_CWR)) {
+ (tcpha->tha_flags & (TH_ECE|TH_CWR)) == (TH_ECE|TH_CWR)) {
eager->tcp_ecn_ok = B_TRUE;
}
/*
- * listeners tcp_recv_hiwater should be the default window size or a
+ * The listener's conn_rcvbuf should be the default window size or a
* window size changed via SO_RCVBUF option. First round up the
* eager's tcp_rwnd to the nearest MSS. Then find out the window
* scale option value if needed. Call tcp_rwnd_set() to finish the
@@ -5563,7 +4712,7 @@ tcp_conn_request(void *arg, mblk_t *mp, void *arg2)
* we should not inherit receive window size from listener.
*/
eager->tcp_rwnd = MSS_ROUNDUP(
- (eager->tcp_rwnd == 0 ? tcp->tcp_recv_hiwater:
+ (eager->tcp_rwnd == 0 ? econnp->conn_rcvbuf :
eager->tcp_rwnd), eager->tcp_mss);
if (eager->tcp_snd_ws_ok)
tcp_set_ws_value(eager);
@@ -5575,77 +4724,46 @@ tcp_conn_request(void *arg, mblk_t *mp, void *arg2)
*/
(void) tcp_rwnd_set(eager, eager->tcp_rwnd);
- /*
- * We eliminate the need for sockfs to send down a T_SVR4_OPTMGMT_REQ
- * via soaccept()->soinheritoptions() which essentially applies
- * all the listener options to the new STREAM. The options that we
- * need to take care of are:
- * SO_DEBUG, SO_REUSEADDR, SO_KEEPALIVE, SO_DONTROUTE, SO_BROADCAST,
- * SO_USELOOPBACK, SO_OOBINLINE, SO_DGRAM_ERRIND, SO_LINGER,
- * SO_SNDBUF, SO_RCVBUF.
- *
- * SO_RCVBUF: tcp_rwnd_set() above takes care of it.
- * SO_SNDBUF: Set the tcp_xmit_hiwater for the eager. When
- * tcp_maxpsz_set() gets called later from
- * tcp_accept_finish(), the option takes effect.
- *
- */
- /* Set the TCP options */
- eager->tcp_recv_lowater = tcp->tcp_recv_lowater;
- eager->tcp_xmit_hiwater = tcp->tcp_xmit_hiwater;
- eager->tcp_dgram_errind = tcp->tcp_dgram_errind;
- eager->tcp_oobinline = tcp->tcp_oobinline;
- eager->tcp_reuseaddr = tcp->tcp_reuseaddr;
- eager->tcp_broadcast = tcp->tcp_broadcast;
- eager->tcp_useloopback = tcp->tcp_useloopback;
- eager->tcp_dontroute = tcp->tcp_dontroute;
- eager->tcp_debug = tcp->tcp_debug;
- eager->tcp_linger = tcp->tcp_linger;
- eager->tcp_lingertime = tcp->tcp_lingertime;
- if (tcp->tcp_ka_enabled)
- eager->tcp_ka_enabled = 1;
-
- ASSERT(eager->tcp_recv_hiwater != 0 &&
- eager->tcp_recv_hiwater == eager->tcp_rwnd);
-
- /* Set the IP options */
- econnp->conn_broadcast = connp->conn_broadcast;
- econnp->conn_loopback = connp->conn_loopback;
- econnp->conn_dontroute = connp->conn_dontroute;
- econnp->conn_reuseaddr = connp->conn_reuseaddr;
+ ASSERT(eager->tcp_connp->conn_rcvbuf != 0 &&
+ eager->tcp_connp->conn_rcvbuf == eager->tcp_rwnd);
+
+ ASSERT(econnp->conn_rcvbuf != 0 &&
+ econnp->conn_rcvbuf == eager->tcp_rwnd);
/* Put a ref on the listener for the eager. */
- CONN_INC_REF(connp);
- mutex_enter(&tcp->tcp_eager_lock);
- tcp->tcp_eager_next_q0->tcp_eager_prev_q0 = eager;
- eager->tcp_eager_next_q0 = tcp->tcp_eager_next_q0;
- tcp->tcp_eager_next_q0 = eager;
- eager->tcp_eager_prev_q0 = tcp;
+ CONN_INC_REF(lconnp);
+ mutex_enter(&listener->tcp_eager_lock);
+ listener->tcp_eager_next_q0->tcp_eager_prev_q0 = eager;
+ eager->tcp_eager_next_q0 = listener->tcp_eager_next_q0;
+ listener->tcp_eager_next_q0 = eager;
+ eager->tcp_eager_prev_q0 = listener;
/* Set tcp_listener before adding it to tcp_conn_fanout */
- eager->tcp_listener = tcp;
- eager->tcp_saved_listener = tcp;
+ eager->tcp_listener = listener;
+ eager->tcp_saved_listener = listener;
/*
* Tag this detached tcp vector for later retrieval
* by our listener client in tcp_accept().
*/
- eager->tcp_conn_req_seqnum = tcp->tcp_conn_req_seqnum;
- tcp->tcp_conn_req_cnt_q0++;
- if (++tcp->tcp_conn_req_seqnum == -1) {
+ eager->tcp_conn_req_seqnum = listener->tcp_conn_req_seqnum;
+ listener->tcp_conn_req_cnt_q0++;
+ if (++listener->tcp_conn_req_seqnum == -1) {
/*
* -1 is "special" and defined in TPI as something
* that should never be used in T_CONN_IND
*/
- ++tcp->tcp_conn_req_seqnum;
+ ++listener->tcp_conn_req_seqnum;
}
- mutex_exit(&tcp->tcp_eager_lock);
+ mutex_exit(&listener->tcp_eager_lock);
- if (tcp->tcp_syn_defense) {
+ if (listener->tcp_syn_defense) {
/* Don't drop the SYN that comes from a good IP source */
- ipaddr_t *addr_cache = (ipaddr_t *)(tcp->tcp_ip_addr_cache);
- if (addr_cache != NULL && eager->tcp_remote ==
- addr_cache[IP_ADDR_CACHE_HASH(eager->tcp_remote)]) {
+ ipaddr_t *addr_cache;
+
+ addr_cache = (ipaddr_t *)(listener->tcp_ip_addr_cache);
+ if (addr_cache != NULL && econnp->conn_faddr_v4 ==
+ addr_cache[IP_ADDR_CACHE_HASH(econnp->conn_faddr_v4)]) {
eager->tcp_dontdrop = B_TRUE;
}
}
@@ -5655,14 +4773,14 @@ tcp_conn_request(void *arg, mblk_t *mp, void *arg2)
* as we do that, we expose the eager to the classifier and
* should not touch any field outside the eager's perimeter.
* So do all the work necessary before inserting the eager
- * in its own perimeter. Be optimistic that ipcl_conn_insert()
+ * in its own perimeter. Be optimistic that conn_connect()
* will succeed but undo everything if it fails.
*/
- seg_seq = ABE32_TO_U32(tcph->th_seq);
+ seg_seq = ntohl(tcpha->tha_seq);
eager->tcp_irs = seg_seq;
eager->tcp_rack = seg_seq;
eager->tcp_rnxt = seg_seq + 1;
- U32_TO_ABE32(eager->tcp_rnxt, eager->tcp_tcph->th_ack);
+ eager->tcp_tcpha->tha_ack = htonl(eager->tcp_rnxt);
BUMP_MIB(&tcps->tcps_mib, tcpPassiveOpens);
eager->tcp_state = TCPS_SYN_RCVD;
mp1 = tcp_xmit_mp(eager, eager->tcp_xmit_head, eager->tcp_mss,
@@ -5677,24 +4795,10 @@ tcp_conn_request(void *arg, mblk_t *mp, void *arg2)
}
/*
- * Note that in theory this should use the current pid
- * so that getpeerucred on the client returns the actual listener
- * that does accept. But accept() hasn't been called yet. We could use
- * the pid of the process that did bind/listen on the server.
- * However, with common usage like inetd() the bind/listen can be done
- * by a different process than the accept().
- * Hence we do the simple thing of using the open pid here.
- * Note that db_credp is set later in tcp_send_data().
- */
- mblk_setcred(mp1, credp, tcp->tcp_cpid);
- eager->tcp_cpid = tcp->tcp_cpid;
- eager->tcp_open_time = lbolt64;
-
- /*
* We need to start the rto timer. In normal case, we start
* the timer after sending the packet on the wire (or at
* least believing that packet was sent by waiting for
- * CALL_IP_WPUT() to return). Since this is the first packet
+ * conn_ip_output() to return). Since this is the first packet
* being sent on the wire for the eager, our initial tcp_rto
* is at least tcp_rexmit_interval_min which is a fairly
* large value to allow the algorithm to adjust slowly to large
@@ -5716,7 +4820,7 @@ tcp_conn_request(void *arg, mblk_t *mp, void *arg2)
* ensure against an eager close race.
*/
- CONN_INC_REF(eager->tcp_connp);
+ CONN_INC_REF(econnp);
TCP_TIMER_RESTART(eager, eager->tcp_rto);
@@ -5724,22 +4828,16 @@ tcp_conn_request(void *arg, mblk_t *mp, void *arg2)
* Insert the eager in its own perimeter now. We are ready to deal
* with any packets on eager.
*/
- if (eager->tcp_ipversion == IPV4_VERSION) {
- if (ipcl_conn_insert(econnp, IPPROTO_TCP, 0, 0, 0) != 0) {
- goto error;
- }
- } else {
- if (ipcl_conn_insert_v6(econnp, IPPROTO_TCP, 0, 0, 0, 0) != 0) {
- goto error;
- }
- }
-
- /* mark conn as fully-bound */
- econnp->conn_fully_bound = B_TRUE;
+ if (ipcl_conn_insert(econnp) != 0)
+ goto error;
- /* Send the SYN-ACK */
- tcp_send_data(eager, eager->tcp_wq, mp1);
- CONN_DEC_REF(eager->tcp_connp);
+ /*
+ * Send the SYN-ACK. Can't use tcp_send_data since we can't update
+ * pmtu etc; we are not on the eager's squeue
+ */
+ ASSERT(econnp->conn_ixa->ixa_notify_cookie == econnp->conn_tcp);
+ (void) conn_ip_output(mp1, econnp->conn_ixa);
+ CONN_DEC_REF(econnp);
freemsg(mp);
return;
@@ -5749,7 +4847,7 @@ error:
TCP_DEBUG_GETPCSTACK(eager->tcmp_stk, 15);
mp1 = &eager->tcp_closemp;
SQUEUE_ENTER_ONE(econnp->conn_sqp, mp1, tcp_eager_kill,
- econnp, SQ_FILL, SQTAG_TCP_CONN_REQ_2);
+ econnp, NULL, SQ_FILL, SQTAG_TCP_CONN_REQ_2);
/*
* If a connection already exists, send the mp to that connections so
@@ -5757,7 +4855,7 @@ error:
*/
ipst = tcps->tcps_netstack->netstack_ip;
- if ((econnp = ipcl_classify(mp, connp->conn_zoneid, ipst)) != NULL) {
+ if ((econnp = ipcl_classify(mp, ira, ipst)) != NULL) {
if (!IPCL_IS_CONNECTED(econnp)) {
/*
* Something bad happened. ipcl_conn_insert()
@@ -5772,8 +4870,8 @@ error:
CONN_DEC_REF(econnp);
freemsg(mp);
} else {
- SQUEUE_ENTER_ONE(econnp->conn_sqp, mp,
- tcp_input, econnp, SQ_FILL, SQTAG_TCP_CONN_REQ_1);
+ SQUEUE_ENTER_ONE(econnp->conn_sqp, mp, tcp_input_data,
+ econnp, ira, SQ_FILL, SQTAG_TCP_CONN_REQ_1);
}
} else {
/* Nobody wants this packet */
@@ -5803,18 +4901,21 @@ error2:
* very first time and there is no attempt to rebind them.
*/
void
-tcp_conn_request_unbound(void *arg, mblk_t *mp, void *arg2)
+tcp_input_listener_unbound(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *ira)
{
conn_t *connp = (conn_t *)arg;
squeue_t *sqp = (squeue_t *)arg2;
squeue_t *new_sqp;
uint32_t conn_flags;
- if ((mp->b_datap->db_struioflag & STRUIO_EAGER) != 0) {
- new_sqp = (squeue_t *)DB_CKSUMSTART(mp);
- } else {
- goto done;
- }
+ /*
+ * IP sets ira_sqp to either the senders conn_sqp (for loopback)
+ * or based on the ring (for packets from GLD). Otherwise it is
+ * set based on lbolt i.e., a somewhat random number.
+ */
+ ASSERT(ira->ira_sqp != NULL);
+ new_sqp = ira->ira_sqp;
if (connp->conn_fanout == NULL)
goto done;
@@ -5849,6 +4950,8 @@ tcp_conn_request_unbound(void *arg, mblk_t *mp, void *arg2)
if (connp->conn_sqp != new_sqp) {
while (connp->conn_sqp != new_sqp)
(void) casptr(&connp->conn_sqp, sqp, new_sqp);
+ /* No special MT issues for outbound ixa_sqp hint */
+ connp->conn_ixa->ixa_sqp = new_sqp;
}
do {
@@ -5860,49 +4963,47 @@ tcp_conn_request_unbound(void *arg, mblk_t *mp, void *arg2)
mutex_exit(&connp->conn_fanout->connf_lock);
mutex_exit(&connp->conn_lock);
+
+ /*
+ * Assume we have picked a good squeue for the listener. Make
+ * subsequent SYNs not try to change the squeue.
+ */
+ connp->conn_recv = tcp_input_listener;
}
done:
if (connp->conn_sqp != sqp) {
CONN_INC_REF(connp);
SQUEUE_ENTER_ONE(connp->conn_sqp, mp, connp->conn_recv, connp,
- SQ_FILL, SQTAG_TCP_CONN_REQ_UNBOUND);
+ ira, SQ_FILL, SQTAG_TCP_CONN_REQ_UNBOUND);
} else {
- tcp_conn_request(connp, mp, sqp);
+ tcp_input_listener(connp, mp, sqp, ira);
}
}
/*
* Successful connect request processing begins when our client passes
- * a T_CONN_REQ message into tcp_wput() and ends when tcp_rput() passes
- * our T_OK_ACK reply message upstream. The control flow looks like this:
- * upstream -> tcp_wput() -> tcp_wput_proto() -> tcp_tpi_connect() -> IP
- * upstream <- tcp_rput() <- IP
+ * a T_CONN_REQ message into tcp_wput(), which performs function calls into
+ * IP and the passes a T_OK_ACK (or T_ERROR_ACK upstream).
+ *
* After various error checks are completed, tcp_tpi_connect() lays
- * the target address and port into the composite header template,
- * preallocates the T_OK_ACK reply message, construct a full 12 byte bind
- * request followed by an IRE request, and passes the three mblk message
- * down to IP looking like this:
- * O_T_BIND_REQ for IP --> IRE req --> T_OK_ACK for our client
- * Processing continues in tcp_rput() when we receive the following message:
- * T_BIND_ACK from IP --> IRE ack --> T_OK_ACK for our client
- * After consuming the first two mblks, tcp_rput() calls tcp_timer(),
- * to fire off the connection request, and then passes the T_OK_ACK mblk
- * upstream that we filled in below. There are, of course, numerous
- * error conditions along the way which truncate the processing described
- * above.
+ * the target address and port into the composite header template.
+ * Then we ask IP for information, including a source address if we didn't
+ * already have one. Finally we prepare to send the SYN packet, and then
+ * send up the T_OK_ACK reply message.
*/
static void
tcp_tpi_connect(tcp_t *tcp, mblk_t *mp)
{
sin_t *sin;
- queue_t *q = tcp->tcp_wq;
struct T_conn_req *tcr;
struct sockaddr *sa;
socklen_t len;
int error;
cred_t *cr;
pid_t cpid;
+ conn_t *connp = tcp->tcp_connp;
+ queue_t *q = connp->conn_wq;
/*
* All Solaris components should pass a db_credp
@@ -5944,7 +5045,7 @@ tcp_tpi_connect(tcp_t *tcp, mblk_t *mp)
* Determine packet type based on type of address passed in
* the request should contain an IPv4 or IPv6 address.
* Make sure that address family matches the type of
- * family of the the address passed down
+ * family of the address passed down.
*/
switch (tcr->DEST_length) {
default:
@@ -6022,7 +5123,7 @@ tcp_tpi_connect(tcp_t *tcp, mblk_t *mp)
break;
}
- error = proto_verify_ip_addr(tcp->tcp_family, sa, len);
+ error = proto_verify_ip_addr(connp->conn_family, sa, len);
if (error != 0) {
tcp_err_ack(tcp, mp, TSYSERR, error);
return;
@@ -6111,7 +5212,7 @@ tcp_tpi_connect(tcp_t *tcp, mblk_t *mp)
/* return error ack and blow away saved option results if any */
connect_failed:
if (mp != NULL)
- putnext(tcp->tcp_rq, mp);
+ putnext(connp->conn_rq, mp);
else {
tcp_err_ack_prim(tcp, NULL, T_CONN_REQ,
TSYSERR, ENOMEM);
@@ -6121,20 +5222,19 @@ connect_failed:
/*
* Handle connect to IPv4 destinations, including connections for AF_INET6
* sockets connecting to IPv4 mapped IPv6 destinations.
+ * Returns zero if OK, a positive errno, or a negative TLI error.
*/
static int
tcp_connect_ipv4(tcp_t *tcp, ipaddr_t *dstaddrp, in_port_t dstport,
- uint_t srcid, cred_t *cr, pid_t pid)
+ uint_t srcid)
{
- tcph_t *tcph;
- mblk_t *mp;
- ipaddr_t dstaddr = *dstaddrp;
- int32_t oldstate;
- uint16_t lport;
- int error = 0;
+ ipaddr_t dstaddr = *dstaddrp;
+ uint16_t lport;
+ conn_t *connp = tcp->tcp_connp;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ int error;
- ASSERT(tcp->tcp_ipversion == IPV4_VERSION);
+ ASSERT(connp->conn_ipversion == IPV4_VERSION);
/* Check for attempt to connect to INADDR_ANY */
if (dstaddr == INADDR_ANY) {
@@ -6157,74 +5257,21 @@ tcp_connect_ipv4(tcp_t *tcp, ipaddr_t *dstaddrp, in_port_t dstport,
}
/* Handle __sin6_src_id if socket not bound to an IP address */
- if (srcid != 0 && tcp->tcp_ipha->ipha_src == INADDR_ANY) {
- ip_srcid_find_id(srcid, &tcp->tcp_ip_src_v6,
- tcp->tcp_connp->conn_zoneid, tcps->tcps_netstack);
- IN6_V4MAPPED_TO_IPADDR(&tcp->tcp_ip_src_v6,
- tcp->tcp_ipha->ipha_src);
+ if (srcid != 0 && connp->conn_laddr_v4 == INADDR_ANY) {
+ ip_srcid_find_id(srcid, &connp->conn_laddr_v6,
+ IPCL_ZONEID(connp), tcps->tcps_netstack);
+ connp->conn_saddr_v6 = connp->conn_laddr_v6;
}
- /*
- * Don't let an endpoint connect to itself. Note that
- * the test here does not catch the case where the
- * source IP addr was left unspecified by the user. In
- * this case, the source addr is set in tcp_adapt_ire()
- * using the reply to the T_BIND message that we send
- * down to IP here and the check is repeated in tcp_rput_other.
- */
- if (dstaddr == tcp->tcp_ipha->ipha_src &&
- dstport == tcp->tcp_lport) {
- error = -TBADADDR;
- goto failed;
- }
+ IN6_IPADDR_TO_V4MAPPED(dstaddr, &connp->conn_faddr_v6);
+ connp->conn_fport = dstport;
/*
- * Verify the destination is allowed to receive packets
- * at the security label of the connection we are initiating.
- * tsol_check_dest() may create a new effective cred for this
- * connection with a modified label or label flags.
- */
- if (is_system_labeled()) {
- ASSERT(tcp->tcp_connp->conn_effective_cred == NULL);
- if ((error = tsol_check_dest(CONN_CRED(tcp->tcp_connp),
- &dstaddr, IPV4_VERSION, tcp->tcp_connp->conn_mac_mode,
- &tcp->tcp_connp->conn_effective_cred)) != 0) {
- if (error != EHOSTUNREACH)
- error = -TSYSERR;
- goto failed;
- }
- }
-
- tcp->tcp_ipha->ipha_dst = dstaddr;
- IN6_IPADDR_TO_V4MAPPED(dstaddr, &tcp->tcp_remote_v6);
-
- /*
- * Massage a source route if any putting the first hop
- * in iph_dst. Compute a starting value for the checksum which
- * takes into account that the original iph_dst should be
- * included in the checksum but that ip will include the
- * first hop in the source route in the tcp checksum.
- */
- tcp->tcp_sum = ip_massage_options(tcp->tcp_ipha, tcps->tcps_netstack);
- tcp->tcp_sum = (tcp->tcp_sum & 0xFFFF) + (tcp->tcp_sum >> 16);
- tcp->tcp_sum -= ((tcp->tcp_ipha->ipha_dst >> 16) +
- (tcp->tcp_ipha->ipha_dst & 0xffff));
- if ((int)tcp->tcp_sum < 0)
- tcp->tcp_sum--;
- tcp->tcp_sum = (tcp->tcp_sum & 0xFFFF) + (tcp->tcp_sum >> 16);
- tcp->tcp_sum = ntohs((tcp->tcp_sum & 0xFFFF) +
- (tcp->tcp_sum >> 16));
- tcph = tcp->tcp_tcph;
- *(uint16_t *)tcph->th_fport = dstport;
- tcp->tcp_fport = dstport;
-
- oldstate = tcp->tcp_state;
- /*
* At this point the remote destination address and remote port fields
* in the tcp-four-tuple have been filled in the tcp structure. Now we
- * have to see which state tcp was in so we can take apropriate action.
+ * have to see which state tcp was in so we can take appropriate action.
*/
- if (oldstate == TCPS_IDLE) {
+ if (tcp->tcp_state == TCPS_IDLE) {
/*
* We support a quick connect capability here, allowing
* clients to transition directly from IDLE to SYN_SENT
@@ -6233,203 +5280,93 @@ tcp_connect_ipv4(tcp_t *tcp, ipaddr_t *dstaddrp, in_port_t dstport,
*/
lport = tcp_update_next_port(tcps->tcps_next_port_to_try,
tcp, B_TRUE);
- lport = tcp_bindi(tcp, lport, &tcp->tcp_ip_src_v6, 0, B_TRUE,
+ lport = tcp_bindi(tcp, lport, &connp->conn_laddr_v6, 0, B_TRUE,
B_FALSE, B_FALSE);
- if (lport == 0) {
- error = -TNOADDR;
- goto failed;
- }
- }
- tcp->tcp_state = TCPS_SYN_SENT;
-
- mp = allocb(sizeof (ire_t), BPRI_HI);
- if (mp == NULL) {
- tcp->tcp_state = oldstate;
- error = ENOMEM;
- goto failed;
+ if (lport == 0)
+ return (-TNOADDR);
}
- mp->b_wptr += sizeof (ire_t);
- mp->b_datap->db_type = IRE_DB_REQ_TYPE;
- tcp->tcp_hard_binding = 1;
-
/*
- * We need to make sure that the conn_recv is set to a non-null
- * value before we insert the conn_t into the classifier table.
- * This is to avoid a race with an incoming packet which does
- * an ipcl_classify().
+ * Lookup the route to determine a source address and the uinfo.
+ * If there was a source route we have tcp_ipha->ipha_dst as the first
+ * hop.
+ * Setup TCP parameters based on the metrics/DCE.
*/
- tcp->tcp_connp->conn_recv = tcp_input;
+ error = tcp_set_destination(tcp);
+ if (error != 0)
+ return (error);
- if (tcp->tcp_family == AF_INET) {
- error = ip_proto_bind_connected_v4(tcp->tcp_connp, &mp,
- IPPROTO_TCP, &tcp->tcp_ipha->ipha_src, tcp->tcp_lport,
- tcp->tcp_remote, tcp->tcp_fport, B_TRUE, B_TRUE, cr);
- } else {
- in6_addr_t v6src;
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- IN6_IPADDR_TO_V4MAPPED(tcp->tcp_ipha->ipha_src, &v6src);
- } else {
- v6src = tcp->tcp_ip6h->ip6_src;
- }
- error = ip_proto_bind_connected_v6(tcp->tcp_connp, &mp,
- IPPROTO_TCP, &v6src, tcp->tcp_lport, &tcp->tcp_remote_v6,
- &tcp->tcp_sticky_ipp, tcp->tcp_fport, B_TRUE, B_TRUE, cr);
- }
- BUMP_MIB(&tcps->tcps_mib, tcpActiveOpens);
- tcp->tcp_active_open = 1;
+ /*
+ * Don't let an endpoint connect to itself.
+ */
+ if (connp->conn_faddr_v4 == connp->conn_laddr_v4 &&
+ connp->conn_fport == connp->conn_lport)
+ return (-TBADADDR);
+ tcp->tcp_state = TCPS_SYN_SENT;
- return (tcp_post_ip_bind(tcp, mp, error, cr, pid));
-failed:
- /* return error ack and blow away saved option results if any */
- if (tcp->tcp_conn.tcp_opts_conn_req != NULL)
- tcp_close_mpp(&tcp->tcp_conn.tcp_opts_conn_req);
- return (error);
+ return (ipcl_conn_insert_v4(connp));
}
/*
* Handle connect to IPv6 destinations.
+ * Returns zero if OK, a positive errno, or a negative TLI error.
*/
static int
tcp_connect_ipv6(tcp_t *tcp, in6_addr_t *dstaddrp, in_port_t dstport,
- uint32_t flowinfo, uint_t srcid, uint32_t scope_id, cred_t *cr, pid_t pid)
+ uint32_t flowinfo, uint_t srcid, uint32_t scope_id)
{
- tcph_t *tcph;
- mblk_t *mp;
- ip6_rthdr_t *rth;
- int32_t oldstate;
- uint16_t lport;
+ uint16_t lport;
+ conn_t *connp = tcp->tcp_connp;
tcp_stack_t *tcps = tcp->tcp_tcps;
- int error = 0;
- conn_t *connp = tcp->tcp_connp;
+ int error;
- ASSERT(tcp->tcp_family == AF_INET6);
+ ASSERT(connp->conn_family == AF_INET6);
/*
* If we're here, it means that the destination address is a native
- * IPv6 address. Return an error if tcp_ipversion is not IPv6. A
+ * IPv6 address. Return an error if conn_ipversion is not IPv6. A
* reason why it might not be IPv6 is if the socket was bound to an
* IPv4-mapped IPv6 address.
*/
- if (tcp->tcp_ipversion != IPV6_VERSION) {
+ if (connp->conn_ipversion != IPV6_VERSION)
return (-TBADADDR);
- }
/*
* Interpret a zero destination to mean loopback.
* Update the T_CONN_REQ (sin/sin6) since it is used to
* generate the T_CONN_CON.
*/
- if (IN6_IS_ADDR_UNSPECIFIED(dstaddrp)) {
+ if (IN6_IS_ADDR_UNSPECIFIED(dstaddrp))
*dstaddrp = ipv6_loopback;
- }
/* Handle __sin6_src_id if socket not bound to an IP address */
- if (srcid != 0 && IN6_IS_ADDR_UNSPECIFIED(&tcp->tcp_ip6h->ip6_src)) {
- ip_srcid_find_id(srcid, &tcp->tcp_ip6h->ip6_src,
- connp->conn_zoneid, tcps->tcps_netstack);
- tcp->tcp_ip_src_v6 = tcp->tcp_ip6h->ip6_src;
- }
-
- /*
- * Take care of the scope_id now and add ip6i_t
- * if ip6i_t is not already allocated through TCP
- * sticky options. At this point tcp_ip6h does not
- * have dst info, thus use dstaddrp.
- */
- if (scope_id != 0 &&
- IN6_IS_ADDR_LINKSCOPE(dstaddrp)) {
- ip6_pkt_t *ipp = &tcp->tcp_sticky_ipp;
- ip6i_t *ip6i;
-
- ipp->ipp_ifindex = scope_id;
- ip6i = (ip6i_t *)tcp->tcp_iphc;
-
- if ((ipp->ipp_fields & IPPF_HAS_IP6I) &&
- ip6i != NULL && (ip6i->ip6i_nxt == IPPROTO_RAW)) {
- /* Already allocated */
- ip6i->ip6i_flags |= IP6I_IFINDEX;
- ip6i->ip6i_ifindex = ipp->ipp_ifindex;
- ipp->ipp_fields |= IPPF_SCOPE_ID;
- } else {
- int reterr;
-
- ipp->ipp_fields |= IPPF_SCOPE_ID;
- if (ipp->ipp_fields & IPPF_HAS_IP6I)
- ip2dbg(("tcp_connect_v6: SCOPE_ID set\n"));
- reterr = tcp_build_hdrs(tcp);
- if (reterr != 0)
- goto failed;
- ip1dbg(("tcp_connect_ipv6: tcp_bld_hdrs returned\n"));
- }
- }
-
- /*
- * Don't let an endpoint connect to itself. Note that
- * the test here does not catch the case where the
- * source IP addr was left unspecified by the user. In
- * this case, the source addr is set in tcp_adapt_ire()
- * using the reply to the T_BIND message that we send
- * down to IP here and the check is repeated in tcp_rput_other.
- */
- if (IN6_ARE_ADDR_EQUAL(dstaddrp, &tcp->tcp_ip6h->ip6_src) &&
- (dstport == tcp->tcp_lport)) {
- error = -TBADADDR;
- goto failed;
+ if (srcid != 0 && IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6)) {
+ ip_srcid_find_id(srcid, &connp->conn_laddr_v6,
+ IPCL_ZONEID(connp), tcps->tcps_netstack);
+ connp->conn_saddr_v6 = connp->conn_laddr_v6;
}
/*
- * Verify the destination is allowed to receive packets
- * at the security label of the connection we are initiating.
- * check_dest may create a new effective cred for this
- * connection with a modified label or label flags.
+ * Take care of the scope_id now.
*/
- if (is_system_labeled()) {
- ASSERT(tcp->tcp_connp->conn_effective_cred == NULL);
- if ((error = tsol_check_dest(CONN_CRED(tcp->tcp_connp),
- dstaddrp, IPV6_VERSION, tcp->tcp_connp->conn_mac_mode,
- &tcp->tcp_connp->conn_effective_cred)) != 0) {
- if (error != EHOSTUNREACH)
- error = -TSYSERR;
- goto failed;
- }
- }
-
- tcp->tcp_ip6h->ip6_dst = *dstaddrp;
- tcp->tcp_remote_v6 = *dstaddrp;
- tcp->tcp_ip6h->ip6_vcf =
- (IPV6_DEFAULT_VERS_AND_FLOW & IPV6_VERS_AND_FLOW_MASK) |
- (flowinfo & ~IPV6_VERS_AND_FLOW_MASK);
-
- /*
- * Massage a routing header (if present) putting the first hop
- * in ip6_dst. Compute a starting value for the checksum which
- * takes into account that the original ip6_dst should be
- * included in the checksum but that ip will include the
- * first hop in the source route in the tcp checksum.
- */
- rth = ip_find_rthdr_v6(tcp->tcp_ip6h, (uint8_t *)tcp->tcp_tcph);
- if (rth != NULL) {
- tcp->tcp_sum = ip_massage_options_v6(tcp->tcp_ip6h, rth,
- tcps->tcps_netstack);
- tcp->tcp_sum = ntohs((tcp->tcp_sum & 0xFFFF) +
- (tcp->tcp_sum >> 16));
+ if (scope_id != 0 && IN6_IS_ADDR_LINKSCOPE(dstaddrp)) {
+ connp->conn_ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ connp->conn_ixa->ixa_scopeid = scope_id;
} else {
- tcp->tcp_sum = 0;
+ connp->conn_ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
}
- tcph = tcp->tcp_tcph;
- *(uint16_t *)tcph->th_fport = dstport;
- tcp->tcp_fport = dstport;
+ connp->conn_flowinfo = flowinfo;
+ connp->conn_faddr_v6 = *dstaddrp;
+ connp->conn_fport = dstport;
- oldstate = tcp->tcp_state;
/*
* At this point the remote destination address and remote port fields
* in the tcp-four-tuple have been filled in the tcp structure. Now we
- * have to see which state tcp was in so we can take apropriate action.
+ * have to see which state tcp was in so we can take appropriate action.
*/
- if (oldstate == TCPS_IDLE) {
+ if (tcp->tcp_state == TCPS_IDLE) {
/*
* We support a quick connect capability here, allowing
* clients to transition directly from IDLE to SYN_SENT
@@ -6438,128 +5375,55 @@ tcp_connect_ipv6(tcp_t *tcp, in6_addr_t *dstaddrp, in_port_t dstport,
*/
lport = tcp_update_next_port(tcps->tcps_next_port_to_try,
tcp, B_TRUE);
- lport = tcp_bindi(tcp, lport, &tcp->tcp_ip_src_v6, 0, B_TRUE,
+ lport = tcp_bindi(tcp, lport, &connp->conn_laddr_v6, 0, B_TRUE,
B_FALSE, B_FALSE);
- if (lport == 0) {
- error = -TNOADDR;
- goto failed;
- }
+ if (lport == 0)
+ return (-TNOADDR);
}
- tcp->tcp_state = TCPS_SYN_SENT;
-
- mp = allocb(sizeof (ire_t), BPRI_HI);
- if (mp != NULL) {
- in6_addr_t v6src;
-
- mp->b_wptr += sizeof (ire_t);
- mp->b_datap->db_type = IRE_DB_REQ_TYPE;
- tcp->tcp_hard_binding = 1;
-
- /*
- * We need to make sure that the conn_recv is set to a non-null
- * value before we insert the conn_t into the classifier table.
- * This is to avoid a race with an incoming packet which does
- * an ipcl_classify().
- */
- tcp->tcp_connp->conn_recv = tcp_input;
+ /*
+ * Lookup the route to determine a source address and the uinfo.
+ * If there was a source route we have tcp_ip6h->ip6_dst as the first
+ * hop.
+ * Setup TCP parameters based on the metrics/DCE.
+ */
+ error = tcp_set_destination(tcp);
+ if (error != 0)
+ return (error);
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- IN6_IPADDR_TO_V4MAPPED(tcp->tcp_ipha->ipha_src, &v6src);
- } else {
- v6src = tcp->tcp_ip6h->ip6_src;
- }
- error = ip_proto_bind_connected_v6(connp, &mp, IPPROTO_TCP,
- &v6src, tcp->tcp_lport, &tcp->tcp_remote_v6,
- &tcp->tcp_sticky_ipp, tcp->tcp_fport, B_TRUE, B_TRUE, cr);
- BUMP_MIB(&tcps->tcps_mib, tcpActiveOpens);
- tcp->tcp_active_open = 1;
+ /*
+ * Don't let an endpoint connect to itself.
+ */
+ if (IN6_ARE_ADDR_EQUAL(&connp->conn_faddr_v6, &connp->conn_laddr_v6) &&
+ connp->conn_fport == connp->conn_lport)
+ return (-TBADADDR);
- return (tcp_post_ip_bind(tcp, mp, error, cr, pid));
- }
- /* Error case */
- tcp->tcp_state = oldstate;
- error = ENOMEM;
+ tcp->tcp_state = TCPS_SYN_SENT;
-failed:
- /* return error ack and blow away saved option results if any */
- if (tcp->tcp_conn.tcp_opts_conn_req != NULL)
- tcp_close_mpp(&tcp->tcp_conn.tcp_opts_conn_req);
- return (error);
+ return (ipcl_conn_insert_v6(connp));
}
/*
- * We need a stream q for detached closing tcp connections
- * to use. Our client hereby indicates that this q is the
- * one to use.
+ * Disconnect
+ * Note that unlike other functions this returns a positive tli error
+ * when it fails; it never returns an errno.
*/
-static void
-tcp_def_q_set(tcp_t *tcp, mblk_t *mp)
-{
- struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
- queue_t *q = tcp->tcp_wq;
- tcp_stack_t *tcps = tcp->tcp_tcps;
-
-#ifdef NS_DEBUG
- (void) printf("TCP_IOC_DEFAULT_Q for stack %d\n",
- tcps->tcps_netstack->netstack_stackid);
-#endif
- mp->b_datap->db_type = M_IOCACK;
- iocp->ioc_count = 0;
- mutex_enter(&tcps->tcps_g_q_lock);
- if (tcps->tcps_g_q != NULL) {
- mutex_exit(&tcps->tcps_g_q_lock);
- iocp->ioc_error = EALREADY;
- } else {
- int error = 0;
- conn_t *connp = tcp->tcp_connp;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- tcps->tcps_g_q = tcp->tcp_rq;
- mutex_exit(&tcps->tcps_g_q_lock);
- iocp->ioc_error = 0;
- iocp->ioc_rval = 0;
- /*
- * We are passing tcp_sticky_ipp as NULL
- * as it is not useful for tcp_default queue
- *
- * Set conn_recv just in case.
- */
- tcp->tcp_connp->conn_recv = tcp_conn_request;
-
- ASSERT(connp->conn_af_isv6);
- connp->conn_ulp = IPPROTO_TCP;
-
- if (ipst->ips_ipcl_proto_fanout_v6[IPPROTO_TCP].connf_head !=
- NULL || (connp->conn_mac_mode != CONN_MAC_DEFAULT)) {
- error = -TBADADDR;
- } else {
- connp->conn_srcv6 = ipv6_all_zeros;
- ipcl_proto_insert_v6(connp, IPPROTO_TCP);
- }
-
- (void) tcp_post_ip_bind(tcp, NULL, error, NULL, 0);
- }
- qreply(q, mp);
-}
-
static int
tcp_disconnect_common(tcp_t *tcp, t_scalar_t seqnum)
{
tcp_t *ltcp = NULL;
- conn_t *connp;
+ conn_t *lconnp;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
/*
* Right now, upper modules pass down a T_DISCON_REQ to TCP,
* when the stream is in BOUND state. Do not send a reset,
* since the destination IP address is not valid, and it can
* be the initialized value of all zeros (broadcast address).
- *
- * XXX There won't be any pending bind request to IP.
*/
- if (tcp->tcp_state <= TCPS_BOUND) {
- if (tcp->tcp_debug) {
+ if (tcp->tcp_state <= TCPS_BOUND || tcp->tcp_hard_binding) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_ERROR|SL_TRACE,
"tcp_disconnect: bad state, %d", tcp->tcp_state);
}
@@ -6595,19 +5459,23 @@ tcp_disconnect_common(tcp_t *tcp, t_scalar_t seqnum)
* If it used to be a listener, check to make sure no one else
* has taken the port before switching back to LISTEN state.
*/
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- connp = ipcl_lookup_listener_v4(tcp->tcp_lport,
- tcp->tcp_ipha->ipha_src,
- tcp->tcp_connp->conn_zoneid, ipst);
- if (connp != NULL)
- ltcp = connp->conn_tcp;
+ if (connp->conn_ipversion == IPV4_VERSION) {
+ lconnp = ipcl_lookup_listener_v4(connp->conn_lport,
+ connp->conn_laddr_v4, IPCL_ZONEID(connp), ipst);
+ if (lconnp != NULL)
+ ltcp = lconnp->conn_tcp;
} else {
- /* Allow tcp_bound_if listeners? */
- connp = ipcl_lookup_listener_v6(tcp->tcp_lport,
- &tcp->tcp_ip6h->ip6_src, 0,
- tcp->tcp_connp->conn_zoneid, ipst);
- if (connp != NULL)
- ltcp = connp->conn_tcp;
+ uint_t ifindex = 0;
+
+ if (connp->conn_ixa->ixa_flags & IXAF_SCOPEID_SET)
+ ifindex = connp->conn_ixa->ixa_scopeid;
+
+ /* Allow conn_bound_if listeners? */
+ lconnp = ipcl_lookup_listener_v6(connp->conn_lport,
+ &connp->conn_laddr_v6, ifindex, IPCL_ZONEID(connp),
+ ipst);
+ if (lconnp != NULL)
+ ltcp = lconnp->conn_tcp;
}
if (tcp->tcp_conn_req_max && ltcp == NULL) {
tcp->tcp_state = TCPS_LISTEN;
@@ -6616,7 +5484,7 @@ tcp_disconnect_common(tcp_t *tcp, t_scalar_t seqnum)
tcp->tcp_state = TCPS_BOUND;
}
if (ltcp != NULL)
- CONN_DEC_REF(ltcp->tcp_connp);
+ CONN_DEC_REF(lconnp);
if (old_state == TCPS_SYN_SENT || old_state == TCPS_SYN_RCVD) {
BUMP_MIB(&tcps->tcps_mib, tcpAttemptFails);
} else if (old_state == TCPS_ESTABLISHED ||
@@ -6648,7 +5516,7 @@ tcp_disconnect_common(tcp_t *tcp, t_scalar_t seqnum)
/*
* Our client hereby directs us to reject the connection request
- * that tcp_conn_request() marked with 'seqnum'. Rejection consists
+ * that tcp_input_listener() marked with 'seqnum'. Rejection consists
* of sending the appropriate RST, not an ICMP error.
*/
static void
@@ -6656,6 +5524,7 @@ tcp_disconnect(tcp_t *tcp, mblk_t *mp)
{
t_scalar_t seqnum;
int error;
+ conn_t *connp = tcp->tcp_connp;
ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <= (uintptr_t)INT_MAX);
if ((mp->b_wptr - mp->b_rptr) < sizeof (struct T_discon_req)) {
@@ -6669,11 +5538,11 @@ tcp_disconnect(tcp_t *tcp, mblk_t *mp)
else {
if (tcp->tcp_state >= TCPS_ESTABLISHED) {
/* Send M_FLUSH according to TPI */
- (void) putnextctl1(tcp->tcp_rq, M_FLUSH, FLUSHRW);
+ (void) putnextctl1(connp->conn_rq, M_FLUSH, FLUSHRW);
}
mp = mi_tpi_ok_ack_alloc(mp);
- if (mp)
- putnext(tcp->tcp_rq, mp);
+ if (mp != NULL)
+ putnext(connp->conn_rq, mp);
}
}
@@ -6695,6 +5564,7 @@ tcp_display(tcp_t *tcp, char *sup_buf, char format)
in6_addr_t local, remote;
char local_addrbuf[INET6_ADDRSTRLEN];
char remote_addrbuf[INET6_ADDRSTRLEN];
+ conn_t *connp;
if (sup_buf != NULL)
buf = sup_buf;
@@ -6703,6 +5573,8 @@ tcp_display(tcp_t *tcp, char *sup_buf, char format)
if (tcp == NULL)
return ("NULL_TCP");
+
+ connp = tcp->tcp_connp;
switch (tcp->tcp_state) {
case TCPS_CLOSED:
cp = "TCP_CLOSED";
@@ -6750,32 +5622,32 @@ tcp_display(tcp_t *tcp, char *sup_buf, char format)
}
switch (format) {
case DISP_ADDR_AND_PORT:
- if (tcp->tcp_ipversion == IPV4_VERSION) {
+ if (connp->conn_ipversion == IPV4_VERSION) {
/*
* Note that we use the remote address in the tcp_b
* structure. This means that it will print out
* the real destination address, not the next hop's
* address if source routing is used.
*/
- IN6_IPADDR_TO_V4MAPPED(tcp->tcp_ip_src, &local);
- IN6_IPADDR_TO_V4MAPPED(tcp->tcp_remote, &remote);
+ IN6_IPADDR_TO_V4MAPPED(connp->conn_laddr_v4, &local);
+ IN6_IPADDR_TO_V4MAPPED(connp->conn_faddr_v4, &remote);
} else {
- local = tcp->tcp_ip_src_v6;
- remote = tcp->tcp_remote_v6;
+ local = connp->conn_laddr_v6;
+ remote = connp->conn_faddr_v6;
}
(void) inet_ntop(AF_INET6, &local, local_addrbuf,
sizeof (local_addrbuf));
(void) inet_ntop(AF_INET6, &remote, remote_addrbuf,
sizeof (remote_addrbuf));
(void) mi_sprintf(buf, "[%s.%u, %s.%u] %s",
- local_addrbuf, ntohs(tcp->tcp_lport), remote_addrbuf,
- ntohs(tcp->tcp_fport), cp);
+ local_addrbuf, ntohs(connp->conn_lport), remote_addrbuf,
+ ntohs(connp->conn_fport), cp);
break;
case DISP_PORT_ONLY:
default:
(void) mi_sprintf(buf, "[%u, %u] %s",
- ntohs(tcp->tcp_lport), ntohs(tcp->tcp_fport), cp);
+ ntohs(connp->conn_lport), ntohs(connp->conn_fport), cp);
break;
}
@@ -6788,26 +5660,24 @@ tcp_display(tcp_t *tcp, char *sup_buf, char format)
* eager to disappear either by means of tcp_eager_blowoff() or
* tcp_eager_cleanup() being called. tcp_eager_kill() can also be
* called (via squeue) if the eager cannot be inserted in the
- * fanout table in tcp_conn_request().
+ * fanout table in tcp_input_listener().
*/
/* ARGSUSED */
void
-tcp_eager_kill(void *arg, mblk_t *mp, void *arg2)
+tcp_eager_kill(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
conn_t *econnp = (conn_t *)arg;
tcp_t *eager = econnp->conn_tcp;
tcp_t *listener = eager->tcp_listener;
- tcp_stack_t *tcps = eager->tcp_tcps;
/*
* We could be called because listener is closing. Since
- * the eager is using listener's queue's, its not safe.
- * Better use the default queue just to send the TH_RST
- * out.
+ * the eager was using listener's queue's, we avoid
+ * using the listeners queues from now on.
*/
- ASSERT(tcps->tcps_g_q != NULL);
- eager->tcp_rq = tcps->tcps_g_q;
- eager->tcp_wq = WR(tcps->tcps_g_q);
+ ASSERT(eager->tcp_detached);
+ econnp->conn_rq = NULL;
+ econnp->conn_wq = NULL;
/*
* An eager's conn_fanout will be NULL if it's a duplicate
@@ -6828,7 +5698,7 @@ tcp_eager_kill(void *arg, mblk_t *mp, void *arg2)
* The eager has sent a conn_ind up to the
* listener but listener decides to close
* instead. We need to drop the extra ref
- * placed on eager in tcp_rput_data() before
+ * placed on eager in tcp_input_data() before
* sending the conn_ind to listener.
*/
CONN_DEC_REF(econnp);
@@ -6873,7 +5743,7 @@ tcp_eager_blowoff(tcp_t *listener, t_scalar_t seqnum)
mutex_exit(&listener->tcp_eager_lock);
mp = &eager->tcp_closemp;
SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp, tcp_eager_kill,
- eager->tcp_connp, SQ_FILL, SQTAG_TCP_EAGER_BLOWOFF);
+ eager->tcp_connp, NULL, SQ_FILL, SQTAG_TCP_EAGER_BLOWOFF);
return (B_TRUE);
}
@@ -6901,7 +5771,7 @@ tcp_eager_cleanup(tcp_t *listener, boolean_t q0_only)
CONN_INC_REF(eager->tcp_connp);
mp = &eager->tcp_closemp;
SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp,
- tcp_eager_kill, eager->tcp_connp,
+ tcp_eager_kill, eager->tcp_connp, NULL,
SQ_FILL, SQTAG_TCP_EAGER_CLEANUP);
}
eager = eager->tcp_eager_next_q;
@@ -6917,7 +5787,7 @@ tcp_eager_cleanup(tcp_t *listener, boolean_t q0_only)
CONN_INC_REF(eager->tcp_connp);
mp = &eager->tcp_closemp;
SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp,
- tcp_eager_kill, eager->tcp_connp, SQ_FILL,
+ tcp_eager_kill, eager->tcp_connp, NULL, SQ_FILL,
SQTAG_TCP_EAGER_CLEANUP_Q0);
}
eager = eager->tcp_eager_next_q0;
@@ -7008,7 +5878,7 @@ static void
tcp_err_ack(tcp_t *tcp, mblk_t *mp, int t_error, int sys_error)
{
if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL)
- putnext(tcp->tcp_rq, mp);
+ putnext(tcp->tcp_connp->conn_rq, mp);
}
/* Shorthand to generate and send TPI error acks to our client */
@@ -7024,7 +5894,7 @@ tcp_err_ack_prim(tcp_t *tcp, mblk_t *mp, int primitive,
teackp->ERROR_prim = primitive;
teackp->TLI_error = t_error;
teackp->UNIX_error = sys_error;
- putnext(tcp->tcp_rq, mp);
+ putnext(tcp->tcp_connp->conn_rq, mp);
}
}
@@ -7194,8 +6064,9 @@ static void
tcp_copy_info(struct T_info_ack *tia, tcp_t *tcp)
{
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
- if (tcp->tcp_family == AF_INET6)
+ if (connp->conn_family == AF_INET6)
*tia = tcp_g_t_info_ack_v6;
else
*tia = tcp_g_t_info_ack;
@@ -7203,7 +6074,7 @@ tcp_copy_info(struct T_info_ack *tia, tcp_t *tcp)
tia->OPT_size = tcp_max_optsize;
if (tcp->tcp_mss == 0) {
/* Not yet set - tcp_open does not set mss */
- if (tcp->tcp_ipversion == IPV4_VERSION)
+ if (connp->conn_ipversion == IPV4_VERSION)
tia->TIDU_size = tcps->tcps_mss_def_ipv4;
else
tia->TIDU_size = tcps->tcps_mss_def_ipv6;
@@ -7258,7 +6129,7 @@ tcp_capability_req(tcp_t *tcp, mblk_t *mp)
tcap = (struct T_capability_ack *)mp->b_rptr;
tcp_do_capability_ack(tcp, tcap, cap_bits1);
- putnext(tcp->tcp_rq, mp);
+ putnext(tcp->tcp_connp->conn_rq, mp);
}
/*
@@ -7276,16 +6147,18 @@ tcp_info_req(tcp_t *tcp, mblk_t *mp)
return;
}
tcp_copy_info((struct T_info_ack *)mp->b_rptr, tcp);
- putnext(tcp->tcp_rq, mp);
+ putnext(tcp->tcp_connp->conn_rq, mp);
}
/* Respond to the TPI addr request */
static void
tcp_addr_req(tcp_t *tcp, mblk_t *mp)
{
- sin_t *sin;
+ struct sockaddr *sa;
mblk_t *ackmp;
struct T_addr_ack *taa;
+ conn_t *connp = tcp->tcp_connp;
+ uint_t addrlen;
/* Make it large enough for worst case */
ackmp = reallocb(mp, sizeof (struct T_addr_ack) +
@@ -7295,10 +6168,6 @@ tcp_addr_req(tcp_t *tcp, mblk_t *mp)
return;
}
- if (tcp->tcp_ipversion == IPV6_VERSION) {
- tcp_addr_req_ipv6(tcp, ackmp);
- return;
- }
taa = (struct T_addr_ack *)ackmp->b_rptr;
bzero(taa, sizeof (struct T_addr_ack));
@@ -7307,110 +6176,38 @@ tcp_addr_req(tcp_t *tcp, mblk_t *mp)
taa->PRIM_type = T_ADDR_ACK;
ackmp->b_datap->db_type = M_PCPROTO;
+ if (connp->conn_family == AF_INET)
+ addrlen = sizeof (sin_t);
+ else
+ addrlen = sizeof (sin6_t);
+
/*
* Note: Following code assumes 32 bit alignment of basic
* data structures like sin_t and struct T_addr_ack.
*/
if (tcp->tcp_state >= TCPS_BOUND) {
/*
- * Fill in local address
+ * Fill in local address first
*/
- taa->LOCADDR_length = sizeof (sin_t);
taa->LOCADDR_offset = sizeof (*taa);
-
- sin = (sin_t *)&taa[1];
-
- /* Fill zeroes and then intialize non-zero fields */
- *sin = sin_null;
-
- sin->sin_family = AF_INET;
-
- sin->sin_addr.s_addr = tcp->tcp_ipha->ipha_src;
- sin->sin_port = *(uint16_t *)tcp->tcp_tcph->th_lport;
-
- ackmp->b_wptr = (uchar_t *)&sin[1];
-
- if (tcp->tcp_state >= TCPS_SYN_RCVD) {
- /*
- * Fill in Remote address
- */
- taa->REMADDR_length = sizeof (sin_t);
- taa->REMADDR_offset = ROUNDUP32(taa->LOCADDR_offset +
- taa->LOCADDR_length);
-
- sin = (sin_t *)(ackmp->b_rptr + taa->REMADDR_offset);
- *sin = sin_null;
- sin->sin_family = AF_INET;
- sin->sin_addr.s_addr = tcp->tcp_remote;
- sin->sin_port = tcp->tcp_fport;
-
- ackmp->b_wptr = (uchar_t *)&sin[1];
- }
+ taa->LOCADDR_length = addrlen;
+ sa = (struct sockaddr *)&taa[1];
+ (void) conn_getsockname(connp, sa, &addrlen);
+ ackmp->b_wptr += addrlen;
}
- putnext(tcp->tcp_rq, ackmp);
-}
-
-/* Assumes that tcp_addr_req gets enough space and alignment */
-static void
-tcp_addr_req_ipv6(tcp_t *tcp, mblk_t *ackmp)
-{
- sin6_t *sin6;
- struct T_addr_ack *taa;
-
- ASSERT(tcp->tcp_ipversion == IPV6_VERSION);
- ASSERT(OK_32PTR(ackmp->b_rptr));
- ASSERT(ackmp->b_wptr - ackmp->b_rptr >= sizeof (struct T_addr_ack) +
- 2 * sizeof (sin6_t));
-
- taa = (struct T_addr_ack *)ackmp->b_rptr;
-
- bzero(taa, sizeof (struct T_addr_ack));
- ackmp->b_wptr = (uchar_t *)&taa[1];
-
- taa->PRIM_type = T_ADDR_ACK;
- ackmp->b_datap->db_type = M_PCPROTO;
-
- /*
- * Note: Following code assumes 32 bit alignment of basic
- * data structures like sin6_t and struct T_addr_ack.
- */
- if (tcp->tcp_state >= TCPS_BOUND) {
+ if (tcp->tcp_state >= TCPS_SYN_RCVD) {
/*
- * Fill in local address
+ * Fill in Remote address
*/
- taa->LOCADDR_length = sizeof (sin6_t);
- taa->LOCADDR_offset = sizeof (*taa);
-
- sin6 = (sin6_t *)&taa[1];
- *sin6 = sin6_null;
-
- sin6->sin6_family = AF_INET6;
- sin6->sin6_addr = tcp->tcp_ip6h->ip6_src;
- sin6->sin6_port = tcp->tcp_lport;
-
- ackmp->b_wptr = (uchar_t *)&sin6[1];
-
- if (tcp->tcp_state >= TCPS_SYN_RCVD) {
- /*
- * Fill in Remote address
- */
- taa->REMADDR_length = sizeof (sin6_t);
- taa->REMADDR_offset = ROUNDUP32(taa->LOCADDR_offset +
- taa->LOCADDR_length);
-
- sin6 = (sin6_t *)(ackmp->b_rptr + taa->REMADDR_offset);
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_flowinfo =
- tcp->tcp_ip6h->ip6_vcf &
- ~IPV6_VERS_AND_FLOW_MASK;
- sin6->sin6_addr = tcp->tcp_remote_v6;
- sin6->sin6_port = tcp->tcp_fport;
-
- ackmp->b_wptr = (uchar_t *)&sin6[1];
- }
+ taa->REMADDR_length = addrlen;
+ /* assumed 32-bit alignment */
+ taa->REMADDR_offset = taa->LOCADDR_offset + taa->LOCADDR_length;
+ sa = (struct sockaddr *)(ackmp->b_rptr + taa->REMADDR_offset);
+ (void) conn_getpeername(connp, sa, &addrlen);
+ ackmp->b_wptr += addrlen;
}
- putnext(tcp->tcp_rq, ackmp);
+ ASSERT(ackmp->b_wptr <= ackmp->b_datap->db_lim);
+ putnext(tcp->tcp_connp->conn_rq, ackmp);
}
/*
@@ -7420,19 +6217,19 @@ tcp_addr_req_ipv6(tcp_t *tcp, mblk_t *ackmp)
static void
tcp_reinit(tcp_t *tcp)
{
- mblk_t *mp;
- int err;
+ mblk_t *mp;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
TCP_STAT(tcps, tcp_reinit_calls);
/* tcp_reinit should never be called for detached tcp_t's */
ASSERT(tcp->tcp_listener == NULL);
- ASSERT((tcp->tcp_family == AF_INET &&
- tcp->tcp_ipversion == IPV4_VERSION) ||
- (tcp->tcp_family == AF_INET6 &&
- (tcp->tcp_ipversion == IPV4_VERSION ||
- tcp->tcp_ipversion == IPV6_VERSION)));
+ ASSERT((connp->conn_family == AF_INET &&
+ connp->conn_ipversion == IPV4_VERSION) ||
+ (connp->conn_family == AF_INET6 &&
+ (connp->conn_ipversion == IPV4_VERSION ||
+ connp->conn_ipversion == IPV6_VERSION)));
/* Cancel outstanding timers */
tcp_timers_stop(tcp);
@@ -7453,7 +6250,7 @@ tcp_reinit(tcp_t *tcp)
tcp->tcp_unsent = tcp->tcp_xmit_tail_unsent = 0;
mutex_enter(&tcp->tcp_non_sq_lock);
if (tcp->tcp_flow_stopped &&
- TCP_UNSENT_BYTES(tcp) <= tcp->tcp_xmit_lowater) {
+ TCP_UNSENT_BYTES(tcp) <= connp->conn_sndlowat) {
tcp_clrqfull(tcp);
}
mutex_exit(&tcp->tcp_non_sq_lock);
@@ -7494,7 +6291,7 @@ tcp_reinit(tcp_t *tcp)
*/
tcp_close_mpp(&tcp->tcp_conn.tcp_eager_conn_ind);
- CL_INET_DISCONNECT(tcp->tcp_connp, tcp);
+ CL_INET_DISCONNECT(connp);
/*
* The connection can't be on the tcp_time_wait_head list
@@ -7522,14 +6319,12 @@ tcp_reinit(tcp_t *tcp)
* Reset/preserve other values
*/
tcp_reinit_values(tcp);
- ipcl_hash_remove(tcp->tcp_connp);
- conn_delete_ire(tcp->tcp_connp, NULL);
+ ipcl_hash_remove(connp);
+ ixa_cleanup(connp->conn_ixa);
tcp_ipsec_cleanup(tcp);
- if (tcp->tcp_connp->conn_effective_cred != NULL) {
- crfree(tcp->tcp_connp->conn_effective_cred);
- tcp->tcp_connp->conn_effective_cred = NULL;
- }
+ connp->conn_laddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
if (tcp->tcp_conn_req_max != 0) {
/*
@@ -7553,44 +6348,31 @@ tcp_reinit(tcp_t *tcp)
tcp->tcp_eager_next_q0 = tcp->tcp_eager_prev_q0 = tcp;
tcp->tcp_eager_next_drop_q0 = tcp;
tcp->tcp_eager_prev_drop_q0 = tcp;
- tcp->tcp_connp->conn_recv = tcp_conn_request;
- if (tcp->tcp_family == AF_INET6) {
- ASSERT(tcp->tcp_connp->conn_af_isv6);
- (void) ipcl_bind_insert_v6(tcp->tcp_connp, IPPROTO_TCP,
- &tcp->tcp_ip6h->ip6_src, tcp->tcp_lport);
- } else {
- ASSERT(!tcp->tcp_connp->conn_af_isv6);
- (void) ipcl_bind_insert(tcp->tcp_connp, IPPROTO_TCP,
- tcp->tcp_ipha->ipha_src, tcp->tcp_lport);
- }
+ /*
+ * Initially set conn_recv to tcp_input_listener_unbound to try
+ * to pick a good squeue for the listener when the first SYN
+ * arrives. tcp_input_listener_unbound sets it to
+ * tcp_input_listener on that first SYN.
+ */
+ connp->conn_recv = tcp_input_listener_unbound;
+
+ connp->conn_proto = IPPROTO_TCP;
+ connp->conn_faddr_v6 = ipv6_all_zeros;
+ connp->conn_fport = 0;
+
+ (void) ipcl_bind_insert(connp);
} else {
tcp->tcp_state = TCPS_BOUND;
}
/*
* Initialize to default values
- * Can't fail since enough header template space already allocated
- * at open().
- */
- err = tcp_init_values(tcp);
- ASSERT(err == 0);
- /* Restore state in tcp_tcph */
- bcopy(&tcp->tcp_lport, tcp->tcp_tcph->th_lport, TCP_PORT_LEN);
- if (tcp->tcp_ipversion == IPV4_VERSION)
- tcp->tcp_ipha->ipha_src = tcp->tcp_bound_source;
- else
- tcp->tcp_ip6h->ip6_src = tcp->tcp_bound_source_v6;
- /*
- * Copy of the src addr. in tcp_t is needed in tcp_t
- * since the lookup funcs can only lookup on tcp_t
*/
- tcp->tcp_ip_src_v6 = tcp->tcp_bound_source_v6;
+ tcp_init_values(tcp);
ASSERT(tcp->tcp_ptpbhn != NULL);
- tcp->tcp_recv_hiwater = tcps->tcps_recv_hiwat;
- tcp->tcp_recv_lowater = tcp_rinfo.mi_lowat;
- tcp->tcp_rwnd = tcps->tcps_recv_hiwat;
- tcp->tcp_mss = tcp->tcp_ipversion != IPV4_VERSION ?
+ tcp->tcp_rwnd = connp->conn_rcvbuf;
+ tcp->tcp_mss = connp->conn_ipversion != IPV4_VERSION ?
tcps->tcps_mss_def_ipv6 : tcps->tcps_mss_def_ipv4;
}
@@ -7606,6 +6388,7 @@ tcp_reinit_values(tcp)
tcp_t *tcp;
{
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
#ifndef lint
#define DONTCARE(x)
@@ -7626,8 +6409,8 @@ tcp_reinit_values(tcp)
ASSERT(tcp->tcp_time_wait_prev == NULL);
ASSERT(tcp->tcp_time_wait_expire == 0);
PRESERVE(tcp->tcp_state);
- PRESERVE(tcp->tcp_rq);
- PRESERVE(tcp->tcp_wq);
+ PRESERVE(connp->conn_rq);
+ PRESERVE(connp->conn_wq);
ASSERT(tcp->tcp_xmit_head == NULL);
ASSERT(tcp->tcp_xmit_last == NULL);
@@ -7638,26 +6421,32 @@ tcp_reinit_values(tcp)
tcp->tcp_snxt = 0; /* Displayed in mib */
tcp->tcp_suna = 0; /* Displayed in mib */
tcp->tcp_swnd = 0;
- DONTCARE(tcp->tcp_cwnd); /* Init in tcp_mss_set */
+ DONTCARE(tcp->tcp_cwnd); /* Init in tcp_process_options */
ASSERT(tcp->tcp_ibsegs == 0);
ASSERT(tcp->tcp_obsegs == 0);
- if (tcp->tcp_iphc != NULL) {
- ASSERT(tcp->tcp_iphc_len >= TCP_MAX_COMBINED_HEADER_LENGTH);
- bzero(tcp->tcp_iphc, tcp->tcp_iphc_len);
+ if (connp->conn_ht_iphc != NULL) {
+ kmem_free(connp->conn_ht_iphc, connp->conn_ht_iphc_allocated);
+ connp->conn_ht_iphc = NULL;
+ connp->conn_ht_iphc_allocated = 0;
+ connp->conn_ht_iphc_len = 0;
+ connp->conn_ht_ulp = NULL;
+ connp->conn_ht_ulp_len = 0;
+ tcp->tcp_ipha = NULL;
+ tcp->tcp_ip6h = NULL;
+ tcp->tcp_tcpha = NULL;
}
+ /* We clear any IP_OPTIONS and extension headers */
+ ip_pkt_free(&connp->conn_xmit_ipp);
+
DONTCARE(tcp->tcp_naglim); /* Init in tcp_init_values */
- DONTCARE(tcp->tcp_hdr_len); /* Init in tcp_init_values */
DONTCARE(tcp->tcp_ipha);
DONTCARE(tcp->tcp_ip6h);
- DONTCARE(tcp->tcp_ip_hdr_len);
- DONTCARE(tcp->tcp_tcph);
- DONTCARE(tcp->tcp_tcp_hdr_len); /* Init in tcp_init_values */
+ DONTCARE(tcp->tcp_tcpha);
tcp->tcp_valid_bits = 0;
- DONTCARE(tcp->tcp_xmit_hiwater); /* Init in tcp_init_values */
DONTCARE(tcp->tcp_timer_backoff); /* Init in tcp_init_values */
DONTCARE(tcp->tcp_last_recv_time); /* Init in tcp_init_values */
tcp->tcp_last_rcv_lbolt = 0;
@@ -7666,38 +6455,19 @@ tcp_reinit_values(tcp)
tcp->tcp_urp_last_valid = 0;
tcp->tcp_hard_binding = 0;
- tcp->tcp_hard_bound = 0;
- PRESERVE(tcp->tcp_cred);
- PRESERVE(tcp->tcp_cpid);
- PRESERVE(tcp->tcp_open_time);
- PRESERVE(tcp->tcp_exclbind);
tcp->tcp_fin_acked = 0;
tcp->tcp_fin_rcvd = 0;
tcp->tcp_fin_sent = 0;
tcp->tcp_ordrel_done = 0;
- tcp->tcp_debug = 0;
- tcp->tcp_dontroute = 0;
- tcp->tcp_broadcast = 0;
-
- tcp->tcp_useloopback = 0;
- tcp->tcp_reuseaddr = 0;
- tcp->tcp_oobinline = 0;
- tcp->tcp_dgram_errind = 0;
-
tcp->tcp_detached = 0;
- tcp->tcp_bind_pending = 0;
- tcp->tcp_unbind_pending = 0;
tcp->tcp_snd_ws_ok = B_FALSE;
tcp->tcp_snd_ts_ok = B_FALSE;
- tcp->tcp_linger = 0;
- tcp->tcp_ka_enabled = 0;
tcp->tcp_zero_win_probe = 0;
tcp->tcp_loopback = 0;
- tcp->tcp_refuse = 0;
tcp->tcp_localnet = 0;
tcp->tcp_syn_defense = 0;
tcp->tcp_set_timer = 0;
@@ -7707,19 +6477,12 @@ tcp_reinit_values(tcp)
tcp->tcp_xmit_zc_clean = B_FALSE;
tcp->tcp_snd_sack_ok = B_FALSE;
- PRESERVE(tcp->tcp_recvdstaddr);
tcp->tcp_hwcksum = B_FALSE;
- tcp->tcp_ire_ill_check_done = B_FALSE;
- DONTCARE(tcp->tcp_maxpsz); /* Init in tcp_init_values */
-
- tcp->tcp_mdt = B_FALSE;
- tcp->tcp_mdt_hdr_head = 0;
- tcp->tcp_mdt_hdr_tail = 0;
+ DONTCARE(tcp->tcp_maxpsz_multiplier); /* Init in tcp_init_values */
tcp->tcp_conn_def_q0 = 0;
tcp->tcp_ip_forward_progress = B_FALSE;
- tcp->tcp_anon_priv_bind = 0;
tcp->tcp_ecn_ok = B_FALSE;
tcp->tcp_cwr = B_FALSE;
@@ -7740,7 +6503,7 @@ tcp_reinit_values(tcp)
tcp->tcp_ts_recent = 0;
tcp->tcp_rnxt = 0; /* Displayed in mib */
DONTCARE(tcp->tcp_rwnd); /* Set in tcp_reinit() */
- tcp->tcp_if_mtu = 0;
+ tcp->tcp_initial_pmtu = 0;
ASSERT(tcp->tcp_reass_head == NULL);
ASSERT(tcp->tcp_reass_tail == NULL);
@@ -7752,7 +6515,7 @@ tcp_reinit_values(tcp)
ASSERT(tcp->tcp_rcv_last_tail == NULL);
ASSERT(tcp->tcp_rcv_cnt == 0);
- DONTCARE(tcp->tcp_cwnd_ssthresh); /* Init in tcp_adapt_ire */
+ DONTCARE(tcp->tcp_cwnd_ssthresh); /* Init in tcp_set_destination */
DONTCARE(tcp->tcp_cwnd_max); /* Init in tcp_init_values */
tcp->tcp_csuna = 0;
@@ -7773,8 +6536,6 @@ tcp_reinit_values(tcp)
ASSERT(tcp->tcp_listener == NULL);
- DONTCARE(tcp->tcp_xmit_lowater); /* Init in tcp_init_values */
-
DONTCARE(tcp->tcp_irs); /* tcp_valid_bits cleared */
DONTCARE(tcp->tcp_iss); /* tcp_valid_bits cleared */
DONTCARE(tcp->tcp_fss); /* tcp_valid_bits cleared */
@@ -7785,14 +6546,11 @@ tcp_reinit_values(tcp)
PRESERVE(tcp->tcp_conn_req_max);
PRESERVE(tcp->tcp_conn_req_seqnum);
- DONTCARE(tcp->tcp_ip_hdr_len); /* Init in tcp_init_values */
DONTCARE(tcp->tcp_first_timer_threshold); /* Init in tcp_init_values */
DONTCARE(tcp->tcp_second_timer_threshold); /* Init in tcp_init_values */
DONTCARE(tcp->tcp_first_ctimer_threshold); /* Init in tcp_init_values */
DONTCARE(tcp->tcp_second_ctimer_threshold); /* in tcp_init_values */
- tcp->tcp_lingertime = 0;
-
DONTCARE(tcp->tcp_urp_last); /* tcp_urp_last_valid is cleared */
ASSERT(tcp->tcp_urp_mp == NULL);
ASSERT(tcp->tcp_urp_mark_mp == NULL);
@@ -7811,16 +6569,16 @@ tcp_reinit_values(tcp)
tcp->tcp_client_errno = 0;
- DONTCARE(tcp->tcp_sum); /* Init in tcp_init_values */
+ DONTCARE(connp->conn_sum); /* Init in tcp_init_values */
- tcp->tcp_remote_v6 = ipv6_all_zeros; /* Displayed in MIB */
+ connp->conn_faddr_v6 = ipv6_all_zeros; /* Displayed in MIB */
- PRESERVE(tcp->tcp_bound_source_v6);
+ PRESERVE(connp->conn_bound_addr_v6);
tcp->tcp_last_sent_len = 0;
tcp->tcp_dupack_cnt = 0;
- tcp->tcp_fport = 0; /* Displayed in MIB */
- PRESERVE(tcp->tcp_lport);
+ connp->conn_fport = 0; /* Displayed in MIB */
+ PRESERVE(connp->conn_lport);
PRESERVE(tcp->tcp_acceptor_lockp);
@@ -7828,16 +6586,18 @@ tcp_reinit_values(tcp)
PRESERVE(tcp->tcp_acceptor_id);
DONTCARE(tcp->tcp_ipsec_overhead);
- PRESERVE(tcp->tcp_family);
- if (tcp->tcp_family == AF_INET6) {
+ PRESERVE(connp->conn_family);
+ /* Remove any remnants of mapped address binding */
+ if (connp->conn_family == AF_INET6) {
+ connp->conn_ipversion = IPV6_VERSION;
tcp->tcp_mss = tcps->tcps_mss_def_ipv6;
} else {
+ connp->conn_ipversion = IPV4_VERSION;
tcp->tcp_mss = tcps->tcps_mss_def_ipv4;
}
- PRESERVE(tcp->tcp_ipversion); /* Init in tcp_init_values */
- tcp->tcp_bound_if = 0;
- tcp->tcp_ipv6_recvancillary = 0;
+ connp->conn_bound_if = 0;
+ connp->conn_recv_ancillary.crb_all = 0;
tcp->tcp_recvifindex = 0;
tcp->tcp_recvhops = 0;
tcp->tcp_closed = 0;
@@ -7854,19 +6614,18 @@ tcp_reinit_values(tcp)
tcp->tcp_dstoptslen = 0;
}
ASSERT(tcp->tcp_dstoptslen == 0);
- if (tcp->tcp_rtdstopts != NULL) {
- mi_free(tcp->tcp_rtdstopts);
- tcp->tcp_rtdstopts = NULL;
- tcp->tcp_rtdstoptslen = 0;
+ if (tcp->tcp_rthdrdstopts != NULL) {
+ mi_free(tcp->tcp_rthdrdstopts);
+ tcp->tcp_rthdrdstopts = NULL;
+ tcp->tcp_rthdrdstoptslen = 0;
}
- ASSERT(tcp->tcp_rtdstoptslen == 0);
+ ASSERT(tcp->tcp_rthdrdstoptslen == 0);
if (tcp->tcp_rthdr != NULL) {
mi_free(tcp->tcp_rthdr);
tcp->tcp_rthdr = NULL;
tcp->tcp_rthdrlen = 0;
}
ASSERT(tcp->tcp_rthdrlen == 0);
- PRESERVE(tcp->tcp_drop_opt_ack_cnt);
/* Reset fusion-related fields */
tcp->tcp_fused = B_FALSE;
@@ -7902,35 +6661,17 @@ tcp_reinit_values(tcp)
#undef PRESERVE
}
-/*
- * Allocate necessary resources and initialize state vector.
- * Guaranteed not to fail so that when an error is returned,
- * the caller doesn't need to do any additional cleanup.
- */
-int
-tcp_init(tcp_t *tcp, queue_t *q)
-{
- int err;
-
- tcp->tcp_rq = q;
- tcp->tcp_wq = WR(q);
- tcp->tcp_state = TCPS_IDLE;
- if ((err = tcp_init_values(tcp)) != 0)
- tcp_timers_stop(tcp);
- return (err);
-}
-
-static int
+static void
tcp_init_values(tcp_t *tcp)
{
- int err;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
- ASSERT((tcp->tcp_family == AF_INET &&
- tcp->tcp_ipversion == IPV4_VERSION) ||
- (tcp->tcp_family == AF_INET6 &&
- (tcp->tcp_ipversion == IPV4_VERSION ||
- tcp->tcp_ipversion == IPV6_VERSION)));
+ ASSERT((connp->conn_family == AF_INET &&
+ connp->conn_ipversion == IPV4_VERSION) ||
+ (connp->conn_family == AF_INET6 &&
+ (connp->conn_ipversion == IPV4_VERSION ||
+ connp->conn_ipversion == IPV6_VERSION)));
/*
* Initialize tcp_rtt_sa and tcp_rtt_sd so that the calculated RTO
@@ -7953,7 +6694,7 @@ tcp_init_values(tcp_t *tcp)
tcp->tcp_cwnd_ssthresh = TCP_MAX_LARGEWIN;
tcp->tcp_snd_burst = TCP_CWND_INFINITE;
- tcp->tcp_maxpsz = tcps->tcps_maxpsz_multiplier;
+ tcp->tcp_maxpsz_multiplier = tcps->tcps_maxpsz_multiplier;
tcp->tcp_first_timer_threshold = tcps->tcps_ip_notify_interval;
tcp->tcp_first_ctimer_threshold = tcps->tcps_ip_notify_cinterval;
@@ -7966,10 +6707,7 @@ tcp_init_values(tcp_t *tcp)
tcp->tcp_naglim = tcps->tcps_naglim_def;
- /* NOTE: ISS is now set in tcp_adapt_ire(). */
-
- tcp->tcp_mdt_hdr_head = 0;
- tcp->tcp_mdt_hdr_tail = 0;
+ /* NOTE: ISS is now set in tcp_set_destination(). */
/* Reset fusion-related fields */
tcp->tcp_fused = B_FALSE;
@@ -7977,280 +6715,84 @@ tcp_init_values(tcp_t *tcp)
tcp->tcp_fused_sigurg = B_FALSE;
tcp->tcp_loopback_peer = NULL;
- /* Initialize the header template */
- if (tcp->tcp_family == AF_INET) {
- err = tcp_header_init_ipv4(tcp);
- } else {
- err = tcp_header_init_ipv6(tcp);
- }
- if (err)
- return (err);
+ /* We rebuild the header template on the next connect/conn_request */
+
+ connp->conn_mlp_type = mlptSingle;
/*
* Init the window scale to the max so tcp_rwnd_set() won't pare
- * down tcp_rwnd. tcp_adapt_ire() will set the right value later.
+ * down tcp_rwnd. tcp_set_destination() will set the right value later.
*/
tcp->tcp_rcv_ws = TCP_MAX_WINSHIFT;
- tcp->tcp_xmit_lowater = tcps->tcps_xmit_lowat;
- tcp->tcp_xmit_hiwater = tcps->tcps_xmit_hiwat;
- tcp->tcp_recv_hiwater = tcps->tcps_recv_hiwat;
- tcp->tcp_rwnd = tcps->tcps_recv_hiwat;
- tcp->tcp_recv_lowater = tcp_rinfo.mi_lowat;
+ tcp->tcp_rwnd = connp->conn_rcvbuf;
tcp->tcp_cork = B_FALSE;
/*
- * Init the tcp_debug option. This value determines whether TCP
+ * Init the tcp_debug option if it wasn't already set. This value
+ * determines whether TCP
* calls strlog() to print out debug messages. Doing this
* initialization here means that this value is not inherited thru
* tcp_reinit().
*/
- tcp->tcp_debug = tcps->tcps_dbg;
+ if (!connp->conn_debug)
+ connp->conn_debug = tcps->tcps_dbg;
tcp->tcp_ka_interval = tcps->tcps_keepalive_interval;
tcp->tcp_ka_abort_thres = tcps->tcps_keepalive_abort_interval;
-
- return (0);
-}
-
-/*
- * Initialize the IPv4 header. Loses any record of any IP options.
- */
-static int
-tcp_header_init_ipv4(tcp_t *tcp)
-{
- tcph_t *tcph;
- uint32_t sum;
- conn_t *connp;
- tcp_stack_t *tcps = tcp->tcp_tcps;
-
- /*
- * This is a simple initialization. If there's
- * already a template, it should never be too small,
- * so reuse it. Otherwise, allocate space for the new one.
- */
- if (tcp->tcp_iphc == NULL) {
- ASSERT(tcp->tcp_iphc_len == 0);
- tcp->tcp_iphc_len = TCP_MAX_COMBINED_HEADER_LENGTH;
- tcp->tcp_iphc = kmem_cache_alloc(tcp_iphc_cache, KM_NOSLEEP);
- if (tcp->tcp_iphc == NULL) {
- tcp->tcp_iphc_len = 0;
- return (ENOMEM);
- }
- }
-
- /* options are gone; may need a new label */
- connp = tcp->tcp_connp;
- connp->conn_mlp_type = mlptSingle;
- connp->conn_ulp_labeled = !is_system_labeled();
- ASSERT(tcp->tcp_iphc_len >= TCP_MAX_COMBINED_HEADER_LENGTH);
-
- /*
- * tcp_do_get{sock,peer}name constructs the sockaddr from the
- * ip header, and decides which header to use based on ip version.
- * That operation happens outside the squeue, so we hold the lock
- * here to ensure that the ip version and header remain consistent.
- */
- mutex_enter(&connp->conn_lock);
- tcp->tcp_ipversion = IPV4_VERSION;
- tcp->tcp_ipha = (ipha_t *)tcp->tcp_iphc;
- tcp->tcp_ip6h = NULL;
- mutex_exit(&connp->conn_lock);
-
- tcp->tcp_hdr_len = sizeof (ipha_t) + sizeof (tcph_t);
- tcp->tcp_tcp_hdr_len = sizeof (tcph_t);
- tcp->tcp_ip_hdr_len = sizeof (ipha_t);
- tcp->tcp_ipha->ipha_length = htons(sizeof (ipha_t) + sizeof (tcph_t));
- tcp->tcp_ipha->ipha_version_and_hdr_length
- = (IP_VERSION << 4) | IP_SIMPLE_HDR_LENGTH_IN_WORDS;
- tcp->tcp_ipha->ipha_ident = 0;
-
- tcp->tcp_ttl = (uchar_t)tcps->tcps_ipv4_ttl;
- tcp->tcp_tos = 0;
- tcp->tcp_ipha->ipha_fragment_offset_and_flags = 0;
- tcp->tcp_ipha->ipha_ttl = (uchar_t)tcps->tcps_ipv4_ttl;
- tcp->tcp_ipha->ipha_protocol = IPPROTO_TCP;
-
- tcph = (tcph_t *)(tcp->tcp_iphc + sizeof (ipha_t));
- tcp->tcp_tcph = tcph;
- tcph->th_offset_and_rsrvd[0] = (5 << 4);
- /*
- * IP wants our header length in the checksum field to
- * allow it to perform a single pseudo-header+checksum
- * calculation on behalf of TCP.
- * Include the adjustment for a source route once IP_OPTIONS is set.
- */
- sum = sizeof (tcph_t) + tcp->tcp_sum;
- sum = (sum >> 16) + (sum & 0xFFFF);
- U16_TO_ABE16(sum, tcph->th_sum);
- return (0);
-}
-
-/*
- * Initialize the IPv6 header. Loses any record of any IPv6 extension headers.
- */
-static int
-tcp_header_init_ipv6(tcp_t *tcp)
-{
- tcph_t *tcph;
- uint32_t sum;
- conn_t *connp;
- tcp_stack_t *tcps = tcp->tcp_tcps;
-
- /*
- * This is a simple initialization. If there's
- * already a template, it should never be too small,
- * so reuse it. Otherwise, allocate space for the new one.
- * Ensure that there is enough space to "downgrade" the tcp_t
- * to an IPv4 tcp_t. This requires having space for a full load
- * of IPv4 options, as well as a full load of TCP options
- * (TCP_MAX_COMBINED_HEADER_LENGTH, 120 bytes); this is more space
- * than a v6 header and a TCP header with a full load of TCP options
- * (IPV6_HDR_LEN is 40 bytes; TCP_MAX_HDR_LENGTH is 60 bytes).
- * We want to avoid reallocation in the "downgraded" case when
- * processing outbound IPv4 options.
- */
- if (tcp->tcp_iphc == NULL) {
- ASSERT(tcp->tcp_iphc_len == 0);
- tcp->tcp_iphc_len = TCP_MAX_COMBINED_HEADER_LENGTH;
- tcp->tcp_iphc = kmem_cache_alloc(tcp_iphc_cache, KM_NOSLEEP);
- if (tcp->tcp_iphc == NULL) {
- tcp->tcp_iphc_len = 0;
- return (ENOMEM);
- }
- }
-
- /* options are gone; may need a new label */
- connp = tcp->tcp_connp;
- connp->conn_mlp_type = mlptSingle;
- connp->conn_ulp_labeled = !is_system_labeled();
-
- ASSERT(tcp->tcp_iphc_len >= TCP_MAX_COMBINED_HEADER_LENGTH);
- tcp->tcp_hdr_len = IPV6_HDR_LEN + sizeof (tcph_t);
- tcp->tcp_tcp_hdr_len = sizeof (tcph_t);
- tcp->tcp_ip_hdr_len = IPV6_HDR_LEN;
-
- /*
- * tcp_do_get{sock,peer}name constructs the sockaddr from the
- * ip header, and decides which header to use based on ip version.
- * That operation happens outside the squeue, so we hold the lock
- * here to ensure that the ip version and header remain consistent.
- */
- mutex_enter(&connp->conn_lock);
- tcp->tcp_ipversion = IPV6_VERSION;
- tcp->tcp_ip6h = (ip6_t *)tcp->tcp_iphc;
- tcp->tcp_ipha = NULL;
- mutex_exit(&connp->conn_lock);
-
- /* Initialize the header template */
-
- tcp->tcp_ip6h->ip6_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
- tcp->tcp_ip6h->ip6_plen = ntohs(sizeof (tcph_t));
- tcp->tcp_ip6h->ip6_nxt = IPPROTO_TCP;
- tcp->tcp_ip6h->ip6_hops = (uint8_t)tcps->tcps_ipv6_hoplimit;
-
- tcph = (tcph_t *)(tcp->tcp_iphc + IPV6_HDR_LEN);
- tcp->tcp_tcph = tcph;
- tcph->th_offset_and_rsrvd[0] = (5 << 4);
- /*
- * IP wants our header length in the checksum field to
- * allow it to perform a single psuedo-header+checksum
- * calculation on behalf of TCP.
- * Include the adjustment for a source route when IPV6_RTHDR is set.
- */
- sum = sizeof (tcph_t) + tcp->tcp_sum;
- sum = (sum >> 16) + (sum & 0xFFFF);
- U16_TO_ABE16(sum, tcph->th_sum);
- return (0);
}
/* At minimum we need 8 bytes in the TCP header for the lookup */
#define ICMP_MIN_TCP_HDR 8
/*
- * tcp_icmp_error is called by tcp_rput_other to process ICMP error messages
+ * tcp_icmp_input is called as conn_recvicmp to process ICMP error messages
* passed up by IP. The message is always received on the correct tcp_t.
* Assumes that IP has pulled up everything up to and including the ICMP header.
*/
-void
-tcp_icmp_error(tcp_t *tcp, mblk_t *mp)
+/* ARGSUSED2 */
+static void
+tcp_icmp_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
{
- icmph_t *icmph;
- ipha_t *ipha;
- int iph_hdr_length;
- tcph_t *tcph;
- boolean_t ipsec_mctl = B_FALSE;
- boolean_t secure;
- mblk_t *first_mp = mp;
- int32_t new_mss;
- uint32_t ratio;
- size_t mp_size = MBLKL(mp);
- uint32_t seg_seq;
- tcp_stack_t *tcps = tcp->tcp_tcps;
- ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
-
- /* Assume IP provides aligned packets - otherwise toss */
- if (!OK_32PTR(mp->b_rptr)) {
- freemsg(mp);
- return;
- }
-
- /*
- * Since ICMP errors are normal data marked with M_CTL when sent
- * to TCP or UDP, we have to look for a IPSEC_IN value to identify
- * packets starting with an ipsec_info_t, see ipsec_info.h.
- */
- if ((mp_size == sizeof (ipsec_info_t)) &&
- (((ipsec_info_t *)mp->b_rptr)->ipsec_info_type == IPSEC_IN)) {
- ASSERT(mp->b_cont != NULL);
- mp = mp->b_cont;
- /* IP should have done this */
- ASSERT(OK_32PTR(mp->b_rptr));
- mp_size = MBLKL(mp);
- ipsec_mctl = B_TRUE;
- }
+ conn_t *connp = (conn_t *)arg1;
+ icmph_t *icmph;
+ ipha_t *ipha;
+ int iph_hdr_length;
+ tcpha_t *tcpha;
+ uint32_t seg_seq;
+ tcp_t *tcp = connp->conn_tcp;
- /*
- * Verify that we have a complete outer IP header. If not, drop it.
- */
- if (mp_size < sizeof (ipha_t)) {
-noticmpv4:
- freemsg(first_mp);
- return;
- }
+ /* Assume IP provides aligned packets */
+ ASSERT(OK_32PTR(mp->b_rptr));
+ ASSERT((MBLKL(mp) >= sizeof (ipha_t)));
- ipha = (ipha_t *)mp->b_rptr;
/*
* Verify IP version. Anything other than IPv4 or IPv6 packet is sent
* upstream. ICMPv6 is handled in tcp_icmp_error_ipv6.
*/
- switch (IPH_HDR_VERSION(ipha)) {
- case IPV6_VERSION:
- tcp_icmp_error_ipv6(tcp, first_mp, ipsec_mctl);
+ if (!(ira->ira_flags & IRAF_IS_IPV4)) {
+ tcp_icmp_error_ipv6(tcp, mp, ira);
return;
- case IPV4_VERSION:
- break;
- default:
- goto noticmpv4;
}
/* Skip past the outer IP and ICMP headers */
- iph_hdr_length = IPH_HDR_LENGTH(ipha);
+ iph_hdr_length = ira->ira_ip_hdr_length;
icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
/*
- * If we don't have the correct outer IP header length or if the ULP
- * is not IPPROTO_ICMP or if we don't have a complete inner IP header
- * send it upstream.
+ * If we don't have the correct outer IP header length
+ * or if we don't have a complete inner IP header
+ * drop it.
*/
if (iph_hdr_length < sizeof (ipha_t) ||
- ipha->ipha_protocol != IPPROTO_ICMP ||
(ipha_t *)&icmph[1] + 1 > (ipha_t *)mp->b_wptr) {
- goto noticmpv4;
+noticmpv4:
+ freemsg(mp);
+ return;
}
ipha = (ipha_t *)&icmph[1];
/* Skip past the inner IP and find the ULP header */
iph_hdr_length = IPH_HDR_LENGTH(ipha);
- tcph = (tcph_t *)((char *)ipha + iph_hdr_length);
+ tcpha = (tcpha_t *)((char *)ipha + iph_hdr_length);
/*
* If we don't have the correct inner IP header length or if the ULP
* is not IPPROTO_TCP or if we don't have at least ICMP_MIN_TCP_HDR
@@ -8258,166 +6800,20 @@ noticmpv4:
*/
if (iph_hdr_length < sizeof (ipha_t) ||
ipha->ipha_protocol != IPPROTO_TCP ||
- (uchar_t *)tcph + ICMP_MIN_TCP_HDR > mp->b_wptr) {
- goto noticmpv4;
- }
-
- if (TCP_IS_DETACHED_NONEAGER(tcp)) {
- if (ipsec_mctl) {
- secure = ipsec_in_is_secure(first_mp);
- } else {
- secure = B_FALSE;
- }
- if (secure) {
- /*
- * If we are willing to accept this in clear
- * we don't have to verify policy.
- */
- if (!ipsec_inbound_accept_clear(mp, ipha, NULL)) {
- if (!tcp_check_policy(tcp, first_mp,
- ipha, NULL, secure, ipsec_mctl)) {
- /*
- * tcp_check_policy called
- * ip_drop_packet() on failure.
- */
- return;
- }
- }
- }
- } else if (ipsec_mctl) {
- /*
- * This is a hard_bound connection. IP has already
- * verified policy. We don't have to do it again.
- */
- freeb(first_mp);
- first_mp = mp;
- ipsec_mctl = B_FALSE;
- }
-
- seg_seq = ABE32_TO_U32(tcph->th_seq);
- /*
- * TCP SHOULD check that the TCP sequence number contained in
- * payload of the ICMP error message is within the range
- * SND.UNA <= SEG.SEQ < SND.NXT.
- */
- if (SEQ_LT(seg_seq, tcp->tcp_suna) || SEQ_GEQ(seg_seq, tcp->tcp_snxt)) {
- /*
- * The ICMP message is bogus, just drop it. But if this is
- * an ICMP too big message, IP has already changed
- * the ire_max_frag to the bogus value. We need to change
- * it back.
- */
- if (icmph->icmph_type == ICMP_DEST_UNREACHABLE &&
- icmph->icmph_code == ICMP_FRAGMENTATION_NEEDED) {
- conn_t *connp = tcp->tcp_connp;
- ire_t *ire;
- int flag;
-
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- flag = tcp->tcp_ipha->
- ipha_fragment_offset_and_flags;
- } else {
- flag = 0;
- }
- mutex_enter(&connp->conn_lock);
- if ((ire = connp->conn_ire_cache) != NULL) {
- mutex_enter(&ire->ire_lock);
- mutex_exit(&connp->conn_lock);
- ire->ire_max_frag = tcp->tcp_if_mtu;
- ire->ire_frag_flag |= flag;
- mutex_exit(&ire->ire_lock);
- } else {
- mutex_exit(&connp->conn_lock);
- }
- }
+ (uchar_t *)tcpha + ICMP_MIN_TCP_HDR > mp->b_wptr) {
goto noticmpv4;
}
+ seg_seq = ntohl(tcpha->tha_seq);
switch (icmph->icmph_type) {
case ICMP_DEST_UNREACHABLE:
switch (icmph->icmph_code) {
case ICMP_FRAGMENTATION_NEEDED:
/*
- * Reduce the MSS based on the new MTU. This will
- * eliminate any fragmentation locally.
- * N.B. There may well be some funny side-effects on
- * the local send policy and the remote receive policy.
- * Pending further research, we provide
- * tcp_ignore_path_mtu just in case this proves
- * disastrous somewhere.
- *
- * After updating the MSS, retransmit part of the
- * dropped segment using the new mss by calling
- * tcp_wput_data(). Need to adjust all those
- * params to make sure tcp_wput_data() work properly.
- */
- if (tcps->tcps_ignore_path_mtu ||
- tcp->tcp_ipha->ipha_fragment_offset_and_flags == 0)
- break;
-
- /*
- * Decrease the MSS by time stamp options
- * IP options and IPSEC options. tcp_hdr_len
- * includes time stamp option and IP option
- * length. Note that new_mss may be negative
- * if tcp_ipsec_overhead is large and the
- * icmph_du_mtu is the minimum value, which is 68.
- */
- new_mss = ntohs(icmph->icmph_du_mtu) -
- tcp->tcp_hdr_len - tcp->tcp_ipsec_overhead;
-
- DTRACE_PROBE2(tcp__pmtu__change, tcp_t *, tcp, int,
- new_mss);
-
- /*
- * Only update the MSS if the new one is
- * smaller than the previous one. This is
- * to avoid problems when getting multiple
- * ICMP errors for the same MTU.
- */
- if (new_mss >= tcp->tcp_mss)
- break;
-
- /*
- * Note that we are using the template header's DF
- * bit in the fast path sending. So we need to compare
- * the new mss with both tcps_mss_min and ip_pmtu_min.
- * And stop doing IPv4 PMTUd if new_mss is less than
- * MAX(tcps_mss_min, ip_pmtu_min).
- */
- if (new_mss < tcps->tcps_mss_min ||
- new_mss < ipst->ips_ip_pmtu_min) {
- tcp->tcp_ipha->ipha_fragment_offset_and_flags =
- 0;
- }
-
- ratio = tcp->tcp_cwnd / tcp->tcp_mss;
- ASSERT(ratio >= 1);
- tcp_mss_set(tcp, new_mss, B_TRUE);
-
- /*
- * Make sure we have something to
- * send.
+ * Update Path MTU, then try to send something out.
*/
- if (SEQ_LT(tcp->tcp_suna, tcp->tcp_snxt) &&
- (tcp->tcp_xmit_head != NULL)) {
- /*
- * Shrink tcp_cwnd in
- * proportion to the old MSS/new MSS.
- */
- tcp->tcp_cwnd = ratio * tcp->tcp_mss;
- if ((tcp->tcp_valid_bits & TCP_FSS_VALID) &&
- (tcp->tcp_unsent == 0)) {
- tcp->tcp_rexmit_max = tcp->tcp_fss;
- } else {
- tcp->tcp_rexmit_max = tcp->tcp_snxt;
- }
- tcp->tcp_rexmit_nxt = tcp->tcp_suna;
- tcp->tcp_rexmit = B_TRUE;
- tcp->tcp_dupack_cnt = 0;
- tcp->tcp_snd_burst = TCP_CWND_SS;
- tcp_ss_rexmit(tcp);
- }
+ tcp_update_pmtu(tcp, B_TRUE);
+ tcp_rexmit_after_error(tcp);
break;
case ICMP_PORT_UNREACHABLE:
case ICMP_PROTOCOL_UNREACHABLE:
@@ -8451,7 +6847,6 @@ noticmpv4:
* Ditch the half-open connection if we
* suspect a SYN attack is under way.
*/
- tcp_ip_ire_mark_advice(tcp);
(void) tcp_clean_death(tcp,
tcp->tcp_client_errno, 7);
}
@@ -8483,67 +6878,191 @@ noticmpv4:
break;
}
}
- freemsg(first_mp);
+ freemsg(mp);
}
/*
- * tcp_icmp_error_ipv6 is called by tcp_rput_other to process ICMPv6
- * error messages passed up by IP.
- * Assumes that IP has pulled up all the extension headers as well
- * as the ICMPv6 header.
+ * CALLED OUTSIDE OF SQUEUE! It can not follow any pointers that tcp might
+ * change. But it can refer to fields like tcp_suna and tcp_snxt.
+ *
+ * Function tcp_verifyicmp is called as conn_verifyicmp to verify the ICMP
+ * error messages received by IP. The message is always received on the correct
+ * tcp_t.
+ */
+/* ARGSUSED */
+static boolean_t
+tcp_verifyicmp(conn_t *connp, void *arg2, icmph_t *icmph, icmp6_t *icmp6,
+ ip_recv_attr_t *ira)
+{
+ tcpha_t *tcpha = (tcpha_t *)arg2;
+ uint32_t seq = ntohl(tcpha->tha_seq);
+ tcp_t *tcp = connp->conn_tcp;
+
+ /*
+ * TCP sequence number contained in payload of the ICMP error message
+ * should be within the range SND.UNA <= SEG.SEQ < SND.NXT. Otherwise,
+ * the message is either a stale ICMP error, or an attack from the
+ * network. Fail the verification.
+ */
+ if (SEQ_LT(seq, tcp->tcp_suna) || SEQ_GEQ(seq, tcp->tcp_snxt))
+ return (B_FALSE);
+
+ /* For "too big" we also check the ignore flag */
+ if (ira->ira_flags & IRAF_IS_IPV4) {
+ ASSERT(icmph != NULL);
+ if (icmph->icmph_type == ICMP_DEST_UNREACHABLE &&
+ icmph->icmph_code == ICMP_FRAGMENTATION_NEEDED &&
+ tcp->tcp_tcps->tcps_ignore_path_mtu)
+ return (B_FALSE);
+ } else {
+ ASSERT(icmp6 != NULL);
+ if (icmp6->icmp6_type == ICMP6_PACKET_TOO_BIG &&
+ tcp->tcp_tcps->tcps_ignore_path_mtu)
+ return (B_FALSE);
+ }
+ return (B_TRUE);
+}
+
+/*
+ * Update the TCP connection according to change of PMTU.
+ *
+ * Path MTU might have changed by either increase or decrease, so need to
+ * adjust the MSS based on the value of ixa_pmtu. No need to handle tiny
+ * or negative MSS, since tcp_mss_set() will do it.
*/
static void
-tcp_icmp_error_ipv6(tcp_t *tcp, mblk_t *mp, boolean_t ipsec_mctl)
+tcp_update_pmtu(tcp_t *tcp, boolean_t decrease_only)
{
- icmp6_t *icmp6;
- ip6_t *ip6h;
- uint16_t iph_hdr_length;
- tcpha_t *tcpha;
- uint8_t *nexthdrp;
- uint32_t new_mss;
- uint32_t ratio;
- boolean_t secure;
- mblk_t *first_mp = mp;
- size_t mp_size;
- uint32_t seg_seq;
- tcp_stack_t *tcps = tcp->tcp_tcps;
+ uint32_t pmtu;
+ int32_t mss;
+ conn_t *connp = tcp->tcp_connp;
+ ip_xmit_attr_t *ixa = connp->conn_ixa;
+ iaflags_t ixaflags;
+
+ if (tcp->tcp_tcps->tcps_ignore_path_mtu)
+ return;
+
+ if (tcp->tcp_state < TCPS_ESTABLISHED)
+ return;
/*
- * The caller has determined if this is an IPSEC_IN packet and
- * set ipsec_mctl appropriately (see tcp_icmp_error).
+ * Always call ip_get_pmtu() to make sure that IP has updated
+ * ixa_flags properly.
*/
- if (ipsec_mctl)
- mp = mp->b_cont;
+ pmtu = ip_get_pmtu(ixa);
+ ixaflags = ixa->ixa_flags;
- mp_size = MBLKL(mp);
+ /*
+ * Calculate the MSS by decreasing the PMTU by conn_ht_iphc_len and
+ * IPsec overhead if applied. Make sure to use the most recent
+ * IPsec information.
+ */
+ mss = pmtu - connp->conn_ht_iphc_len - conn_ipsec_length(connp);
/*
- * Verify that we have a complete IP header. If not, send it upstream.
+ * Nothing to change, so just return.
*/
- if (mp_size < sizeof (ip6_t)) {
-noticmpv6:
- freemsg(first_mp);
+ if (mss == tcp->tcp_mss)
return;
- }
/*
- * Verify this is an ICMPV6 packet, else send it upstream.
+ * Currently, for ICMP errors, only PMTU decrease is handled.
*/
- ip6h = (ip6_t *)mp->b_rptr;
- if (ip6h->ip6_nxt == IPPROTO_ICMPV6) {
- iph_hdr_length = IPV6_HDR_LEN;
- } else if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length,
- &nexthdrp) ||
- *nexthdrp != IPPROTO_ICMPV6) {
- goto noticmpv6;
+ if (mss > tcp->tcp_mss && decrease_only)
+ return;
+
+ DTRACE_PROBE2(tcp_update_pmtu, int32_t, tcp->tcp_mss, uint32_t, mss);
+
+ /*
+ * Update ixa_fragsize and ixa_pmtu.
+ */
+ ixa->ixa_fragsize = ixa->ixa_pmtu = pmtu;
+
+ /*
+ * Adjust MSS and all relevant variables.
+ */
+ tcp_mss_set(tcp, mss);
+
+ /*
+ * If the PMTU is below the min size maintained by IP, then ip_get_pmtu
+ * has set IXAF_PMTU_TOO_SMALL and cleared IXAF_PMTU_IPV4_DF. Since TCP
+ * has a (potentially different) min size we do the same. Make sure to
+ * clear IXAF_DONTFRAG, which is used by IP to decide whether to
+ * fragment the packet.
+ *
+ * LSO over IPv6 can not be fragmented. So need to disable LSO
+ * when IPv6 fragmentation is needed.
+ */
+ if (mss < tcp->tcp_tcps->tcps_mss_min)
+ ixaflags |= IXAF_PMTU_TOO_SMALL;
+
+ if (ixaflags & IXAF_PMTU_TOO_SMALL)
+ ixaflags &= ~(IXAF_DONTFRAG | IXAF_PMTU_IPV4_DF);
+
+ if ((connp->conn_ipversion == IPV4_VERSION) &&
+ !(ixaflags & IXAF_PMTU_IPV4_DF)) {
+ tcp->tcp_ipha->ipha_fragment_offset_and_flags = 0;
}
+ ixa->ixa_flags = ixaflags;
+}
+
+/*
+ * Do slow start retransmission after ICMP errors of PMTU changes.
+ */
+static void
+tcp_rexmit_after_error(tcp_t *tcp)
+{
+ /*
+ * All sent data has been acknowledged or no data left to send, just
+ * to return.
+ */
+ if (!SEQ_LT(tcp->tcp_suna, tcp->tcp_snxt) ||
+ (tcp->tcp_xmit_head == NULL))
+ return;
+
+ if ((tcp->tcp_valid_bits & TCP_FSS_VALID) && (tcp->tcp_unsent == 0))
+ tcp->tcp_rexmit_max = tcp->tcp_fss;
+ else
+ tcp->tcp_rexmit_max = tcp->tcp_snxt;
+
+ tcp->tcp_rexmit_nxt = tcp->tcp_suna;
+ tcp->tcp_rexmit = B_TRUE;
+ tcp->tcp_dupack_cnt = 0;
+ tcp->tcp_snd_burst = TCP_CWND_SS;
+ tcp_ss_rexmit(tcp);
+}
+
+/*
+ * tcp_icmp_error_ipv6 is called from tcp_icmp_input to process ICMPv6
+ * error messages passed up by IP.
+ * Assumes that IP has pulled up all the extension headers as well
+ * as the ICMPv6 header.
+ */
+static void
+tcp_icmp_error_ipv6(tcp_t *tcp, mblk_t *mp, ip_recv_attr_t *ira)
+{
+ icmp6_t *icmp6;
+ ip6_t *ip6h;
+ uint16_t iph_hdr_length = ira->ira_ip_hdr_length;
+ tcpha_t *tcpha;
+ uint8_t *nexthdrp;
+ uint32_t seg_seq;
+
+ /*
+ * Verify that we have a complete IP header.
+ */
+ ASSERT((MBLKL(mp) >= sizeof (ip6_t)));
+
icmp6 = (icmp6_t *)&mp->b_rptr[iph_hdr_length];
ip6h = (ip6_t *)&icmp6[1];
/*
* Verify if we have a complete ICMP and inner IP header.
*/
- if ((uchar_t *)&ip6h[1] > mp->b_wptr)
- goto noticmpv6;
+ if ((uchar_t *)&ip6h[1] > mp->b_wptr) {
+noticmpv6:
+ freemsg(mp);
+ return;
+ }
if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length, &nexthdrp))
goto noticmpv6;
@@ -8558,130 +7077,15 @@ noticmpv6:
goto noticmpv6;
}
- /*
- * ICMP errors come on the right queue or come on
- * listener/global queue for detached connections and
- * get switched to the right queue. If it comes on the
- * right queue, policy check has already been done by IP
- * and thus free the first_mp without verifying the policy.
- * If it has come for a non-hard bound connection, we need
- * to verify policy as IP may not have done it.
- */
- if (!tcp->tcp_hard_bound) {
- if (ipsec_mctl) {
- secure = ipsec_in_is_secure(first_mp);
- } else {
- secure = B_FALSE;
- }
- if (secure) {
- /*
- * If we are willing to accept this in clear
- * we don't have to verify policy.
- */
- if (!ipsec_inbound_accept_clear(mp, NULL, ip6h)) {
- if (!tcp_check_policy(tcp, first_mp,
- NULL, ip6h, secure, ipsec_mctl)) {
- /*
- * tcp_check_policy called
- * ip_drop_packet() on failure.
- */
- return;
- }
- }
- }
- } else if (ipsec_mctl) {
- /*
- * This is a hard_bound connection. IP has already
- * verified policy. We don't have to do it again.
- */
- freeb(first_mp);
- first_mp = mp;
- ipsec_mctl = B_FALSE;
- }
-
seg_seq = ntohl(tcpha->tha_seq);
- /*
- * TCP SHOULD check that the TCP sequence number contained in
- * payload of the ICMP error message is within the range
- * SND.UNA <= SEG.SEQ < SND.NXT.
- */
- if (SEQ_LT(seg_seq, tcp->tcp_suna) || SEQ_GEQ(seg_seq, tcp->tcp_snxt)) {
- /*
- * If the ICMP message is bogus, should we kill the
- * connection, or should we just drop the bogus ICMP
- * message? It would probably make more sense to just
- * drop the message so that if this one managed to get
- * in, the real connection should not suffer.
- */
- goto noticmpv6;
- }
-
switch (icmp6->icmp6_type) {
case ICMP6_PACKET_TOO_BIG:
/*
- * Reduce the MSS based on the new MTU. This will
- * eliminate any fragmentation locally.
- * N.B. There may well be some funny side-effects on
- * the local send policy and the remote receive policy.
- * Pending further research, we provide
- * tcp_ignore_path_mtu just in case this proves
- * disastrous somewhere.
- *
- * After updating the MSS, retransmit part of the
- * dropped segment using the new mss by calling
- * tcp_wput_data(). Need to adjust all those
- * params to make sure tcp_wput_data() work properly.
- */
- if (tcps->tcps_ignore_path_mtu)
- break;
-
- /*
- * Decrease the MSS by time stamp options
- * IP options and IPSEC options. tcp_hdr_len
- * includes time stamp option and IP option
- * length.
- */
- new_mss = ntohs(icmp6->icmp6_mtu) - tcp->tcp_hdr_len -
- tcp->tcp_ipsec_overhead;
-
- /*
- * Only update the MSS if the new one is
- * smaller than the previous one. This is
- * to avoid problems when getting multiple
- * ICMP errors for the same MTU.
- */
- if (new_mss >= tcp->tcp_mss)
- break;
-
- ratio = tcp->tcp_cwnd / tcp->tcp_mss;
- ASSERT(ratio >= 1);
- tcp_mss_set(tcp, new_mss, B_TRUE);
-
- /*
- * Make sure we have something to
- * send.
+ * Update Path MTU, then try to send something out.
*/
- if (SEQ_LT(tcp->tcp_suna, tcp->tcp_snxt) &&
- (tcp->tcp_xmit_head != NULL)) {
- /*
- * Shrink tcp_cwnd in
- * proportion to the old MSS/new MSS.
- */
- tcp->tcp_cwnd = ratio * tcp->tcp_mss;
- if ((tcp->tcp_valid_bits & TCP_FSS_VALID) &&
- (tcp->tcp_unsent == 0)) {
- tcp->tcp_rexmit_max = tcp->tcp_fss;
- } else {
- tcp->tcp_rexmit_max = tcp->tcp_snxt;
- }
- tcp->tcp_rexmit_nxt = tcp->tcp_suna;
- tcp->tcp_rexmit = B_TRUE;
- tcp->tcp_dupack_cnt = 0;
- tcp->tcp_snd_burst = TCP_CWND_SS;
- tcp_ss_rexmit(tcp);
- }
+ tcp_update_pmtu(tcp, B_TRUE);
+ tcp_rexmit_after_error(tcp);
break;
-
case ICMP6_DST_UNREACH:
switch (icmp6->icmp6_code) {
case ICMP6_DST_UNREACH_NOPORT:
@@ -8692,7 +7096,6 @@ noticmpv6:
ECONNREFUSED, 8);
}
break;
-
case ICMP6_DST_UNREACH_ADMIN:
case ICMP6_DST_UNREACH_NOROUTE:
case ICMP6_DST_UNREACH_BEYONDSCOPE:
@@ -8708,7 +7111,6 @@ noticmpv6:
* Ditch the half-open connection if we
* suspect a SYN attack is under way.
*/
- tcp_ip_ire_mark_advice(tcp);
(void) tcp_clean_death(tcp,
tcp->tcp_client_errno, 9);
}
@@ -8720,7 +7122,6 @@ noticmpv6:
break;
}
break;
-
case ICMP6_PARAM_PROB:
/* If this corresponds to an ICMP_PROTOCOL_UNREACHABLE */
if (icmp6->icmp6_code == ICMP6_PARAMPROB_NEXTHEADER &&
@@ -8739,83 +7140,42 @@ noticmpv6:
default:
break;
}
- freemsg(first_mp);
+ freemsg(mp);
}
/*
* Notify IP that we are having trouble with this connection. IP should
- * blow the IRE away and start over.
+ * make note so it can potentially use a different IRE.
*/
static void
tcp_ip_notify(tcp_t *tcp)
{
- struct iocblk *iocp;
- ipid_t *ipid;
- mblk_t *mp;
-
- /* IPv6 has NUD thus notification to delete the IRE is not needed */
- if (tcp->tcp_ipversion == IPV6_VERSION)
- return;
-
- mp = mkiocb(IP_IOCTL);
- if (mp == NULL)
- return;
-
- iocp = (struct iocblk *)mp->b_rptr;
- iocp->ioc_count = sizeof (ipid_t) + sizeof (tcp->tcp_ipha->ipha_dst);
-
- mp->b_cont = allocb(iocp->ioc_count, BPRI_HI);
- if (!mp->b_cont) {
- freeb(mp);
- return;
- }
+ conn_t *connp = tcp->tcp_connp;
+ ire_t *ire;
- ipid = (ipid_t *)mp->b_cont->b_rptr;
- mp->b_cont->b_wptr += iocp->ioc_count;
- bzero(ipid, sizeof (*ipid));
- ipid->ipid_cmd = IP_IOC_IRE_DELETE_NO_REPLY;
- ipid->ipid_ire_type = IRE_CACHE;
- ipid->ipid_addr_offset = sizeof (ipid_t);
- ipid->ipid_addr_length = sizeof (tcp->tcp_ipha->ipha_dst);
/*
* Note: in the case of source routing we want to blow away the
* route to the first source route hop.
*/
- bcopy(&tcp->tcp_ipha->ipha_dst, &ipid[1],
- sizeof (tcp->tcp_ipha->ipha_dst));
-
- CALL_IP_WPUT(tcp->tcp_connp, tcp->tcp_wq, mp);
-}
-
-/* Unlink and return any mblk that looks like it contains an ire */
-static mblk_t *
-tcp_ire_mp(mblk_t **mpp)
-{
- mblk_t *mp = *mpp;
- mblk_t *prev_mp = NULL;
-
- for (;;) {
- switch (DB_TYPE(mp)) {
- case IRE_DB_TYPE:
- case IRE_DB_REQ_TYPE:
- if (mp == *mpp) {
- *mpp = mp->b_cont;
- } else {
- prev_mp->b_cont = mp->b_cont;
- }
- mp->b_cont = NULL;
- return (mp);
- default:
- break;
+ ire = connp->conn_ixa->ixa_ire;
+ if (ire != NULL && !(ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE))) {
+ if (ire->ire_ipversion == IPV4_VERSION) {
+ /*
+ * As per RFC 1122, we send an RTM_LOSING to inform
+ * routing protocols.
+ */
+ ip_rts_change(RTM_LOSING, ire->ire_addr,
+ ire->ire_gateway_addr, ire->ire_mask,
+ connp->conn_laddr_v4, 0, 0, 0,
+ (RTA_DST | RTA_GATEWAY | RTA_NETMASK | RTA_IFA),
+ ire->ire_ipst);
}
- prev_mp = mp;
- mp = mp->b_cont;
- if (mp == NULL)
- break;
+ (void) ire_no_good(ire);
}
- return (mp);
}
+#pragma inline(tcp_send_data)
+
/*
* Timer callback routine for keepalive probe. We do a fake resend of
* last ACKed byte. Then set a timer using RTO. When the timer expires,
@@ -8890,7 +7250,7 @@ tcp_keepalive_killer(void *arg)
* timer back.
*/
if (mp != NULL) {
- tcp_send_data(tcp, tcp->tcp_wq, mp);
+ tcp_send_data(tcp, mp);
BUMP_MIB(&tcps->tcps_mib,
tcpTimKeepaliveProbe);
if (tcp->tcp_ka_last_intrvl != 0) {
@@ -8930,17 +7290,17 @@ tcp_keepalive_killer(void *arg)
int
tcp_maxpsz_set(tcp_t *tcp, boolean_t set_maxblk)
{
- queue_t *q = tcp->tcp_rq;
+ conn_t *connp = tcp->tcp_connp;
+ queue_t *q = connp->conn_rq;
int32_t mss = tcp->tcp_mss;
int maxpsz;
- conn_t *connp = tcp->tcp_connp;
if (TCP_IS_DETACHED(tcp))
return (mss);
if (tcp->tcp_fused) {
maxpsz = tcp_fuse_maxpsz(tcp);
mss = INFPSZ;
- } else if (tcp->tcp_mdt || tcp->tcp_lso || tcp->tcp_maxpsz == 0) {
+ } else if (tcp->tcp_maxpsz_multiplier == 0) {
/*
* Set the sd_qn_maxpsz according to the socket send buffer
* size, and sd_maxblk to INFPSZ (-1). This will essentially
@@ -8948,7 +7308,7 @@ tcp_maxpsz_set(tcp_t *tcp, boolean_t set_maxblk)
* kernel-allocated buffers without breaking it up into smaller
* chunks. We round up the buffer size to the nearest SMSS.
*/
- maxpsz = MSS_ROUNDUP(tcp->tcp_xmit_hiwater, mss);
+ maxpsz = MSS_ROUNDUP(connp->conn_sndbuf, mss);
if (tcp->tcp_kssl_ctx == NULL)
mss = INFPSZ;
else
@@ -8960,21 +7320,17 @@ tcp_maxpsz_set(tcp_t *tcp, boolean_t set_maxblk)
* head to break down larger than SMSS writes into SMSS-
* size mblks, up to tcp_maxpsz_multiplier mblks at a time.
*/
- /* XXX tune this with ndd tcp_maxpsz_multiplier */
- maxpsz = tcp->tcp_maxpsz * mss;
- if (maxpsz > tcp->tcp_xmit_hiwater/2) {
- maxpsz = tcp->tcp_xmit_hiwater/2;
+ maxpsz = tcp->tcp_maxpsz_multiplier * mss;
+ if (maxpsz > connp->conn_sndbuf / 2) {
+ maxpsz = connp->conn_sndbuf / 2;
/* Round up to nearest mss */
maxpsz = MSS_ROUNDUP(maxpsz, mss);
}
}
(void) proto_set_maxpsz(q, connp, maxpsz);
- if (!(IPCL_IS_NONSTR(connp))) {
- /* XXX do it in set_maxpsz()? */
- tcp->tcp_wq->q_maxpsz = maxpsz;
- }
-
+ if (!(IPCL_IS_NONSTR(connp)))
+ connp->conn_wq->q_maxpsz = maxpsz;
if (set_maxblk)
(void) proto_set_tx_maxblk(q, connp, mss);
return (mss);
@@ -8985,18 +7341,18 @@ tcp_maxpsz_set(tcp_t *tcp, boolean_t set_maxblk)
* tcpopt struct and return a bitmask saying which options were found.
*/
static int
-tcp_parse_options(tcph_t *tcph, tcp_opt_t *tcpopt)
+tcp_parse_options(tcpha_t *tcpha, tcp_opt_t *tcpopt)
{
uchar_t *endp;
int len;
uint32_t mss;
- uchar_t *up = (uchar_t *)tcph;
+ uchar_t *up = (uchar_t *)tcpha;
int found = 0;
int32_t sack_len;
tcp_seq sack_begin, sack_end;
tcp_t *tcp;
- endp = up + TCP_HDR_LENGTH(tcph);
+ endp = up + TCP_HDR_LENGTH(tcpha);
up += TCP_MIN_HEADER_LENGTH;
while (up < endp) {
len = endp - up;
@@ -9135,28 +7491,20 @@ tcp_parse_options(tcph_t *tcph, tcp_opt_t *tcpopt)
}
/*
- * Set the mss associated with a particular tcp based on its current value,
- * and a new one passed in. Observe minimums and maximums, and reset
- * other state variables that we want to view as multiples of mss.
- *
- * This function is called mainly because values like tcp_mss, tcp_cwnd,
- * highwater marks etc. need to be initialized or adjusted.
- * 1) From tcp_process_options() when the other side's SYN/SYN-ACK
- * packet arrives.
- * 2) We need to set a new MSS when ICMP_FRAGMENTATION_NEEDED or
- * ICMP6_PACKET_TOO_BIG arrives.
- * 3) From tcp_paws_check() if the other side stops sending the timestamp,
- * to increase the MSS to use the extra bytes available.
+ * Set the MSS associated with a particular tcp based on its current value,
+ * and a new one passed in. Observe minimums and maximums, and reset other
+ * state variables that we want to view as multiples of MSS.
*
- * Callers except tcp_paws_check() ensure that they only reduce mss.
+ * The value of MSS could be either increased or descreased.
*/
static void
-tcp_mss_set(tcp_t *tcp, uint32_t mss, boolean_t do_ss)
+tcp_mss_set(tcp_t *tcp, uint32_t mss)
{
uint32_t mss_max;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
- if (tcp->tcp_ipversion == IPV4_VERSION)
+ if (connp->conn_ipversion == IPV4_VERSION)
mss_max = tcps->tcps_mss_max_ipv4;
else
mss_max = tcps->tcps_mss_max_ipv6;
@@ -9176,34 +7524,22 @@ tcp_mss_set(tcp_t *tcp, uint32_t mss, boolean_t do_ss)
* TCP should be able to buffer at least 4 MSS data for obvious
* performance reason.
*/
- if ((mss << 2) > tcp->tcp_xmit_hiwater)
- tcp->tcp_xmit_hiwater = mss << 2;
+ if ((mss << 2) > connp->conn_sndbuf)
+ connp->conn_sndbuf = mss << 2;
/*
- * Set the xmit_lowater to at least twice of MSS.
+ * Set the send lowater to at least twice of MSS.
*/
- if ((mss << 1) > tcp->tcp_xmit_lowater)
- tcp->tcp_xmit_lowater = mss << 1;
+ if ((mss << 1) > connp->conn_sndlowat)
+ connp->conn_sndlowat = mss << 1;
+
+ /*
+ * Update tcp_cwnd according to the new value of MSS. Keep the
+ * previous ratio to preserve the transmit rate.
+ */
+ tcp->tcp_cwnd = (tcp->tcp_cwnd / tcp->tcp_mss) * mss;
+ tcp->tcp_cwnd_cnt = 0;
- if (do_ss) {
- /*
- * Either the tcp_cwnd is as yet uninitialized, or mss is
- * changing due to a reduction in MTU, presumably as a
- * result of a new path component, reset cwnd to its
- * "initial" value, as a multiple of the new mss.
- */
- SET_TCP_INIT_CWND(tcp, mss, tcps->tcps_slow_start_initial);
- } else {
- /*
- * Called by tcp_paws_check(), the mss increased
- * marginally to allow use of space previously taken
- * by the timestamp option. It would be inappropriate
- * to apply slow start or tcp_init_cwnd values to
- * tcp_cwnd, simply adjust to a multiple of the new mss.
- */
- tcp->tcp_cwnd = (tcp->tcp_cwnd / tcp->tcp_mss) * mss;
- tcp->tcp_cwnd_cnt = 0;
- }
tcp->tcp_mss = mss;
(void) tcp_maxpsz_set(tcp, B_TRUE);
}
@@ -9223,12 +7559,11 @@ tcp_openv6(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
}
static conn_t *
-tcp_create_common(queue_t *q, cred_t *credp, boolean_t isv6,
- boolean_t issocket, int *errorp)
+tcp_create_common(cred_t *credp, boolean_t isv6, boolean_t issocket,
+ int *errorp)
{
tcp_t *tcp = NULL;
conn_t *connp;
- int err;
zoneid_t zoneid;
tcp_stack_t *tcps;
squeue_t *sqp;
@@ -9265,15 +7600,6 @@ tcp_create_common(queue_t *q, cred_t *credp, boolean_t isv6,
else
zoneid = crgetzoneid(credp);
}
- /*
- * For stackid zero this is done from strplumb.c, but
- * non-zero stackids are handled here.
- */
- if (tcps->tcps_g_q == NULL &&
- tcps->tcps_netstack->netstack_stackid !=
- GLOBAL_NETSTACKID) {
- tcp_g_q_setup(tcps);
- }
sqp = IP_SQUEUE_GET((uint_t)gethrtime());
connp = (conn_t *)tcp_get_conn(sqp, tcps);
@@ -9286,41 +7612,50 @@ tcp_create_common(queue_t *q, cred_t *credp, boolean_t isv6,
*errorp = ENOSR;
return (NULL);
}
+ ASSERT(connp->conn_ixa->ixa_protocol == connp->conn_proto);
+
connp->conn_sqp = sqp;
connp->conn_initial_sqp = connp->conn_sqp;
+ connp->conn_ixa->ixa_sqp = connp->conn_sqp;
tcp = connp->conn_tcp;
+ /*
+ * Besides asking IP to set the checksum for us, have conn_ip_output
+ * to do the following checks when necessary:
+ *
+ * IXAF_VERIFY_SOURCE: drop packets when our outer source goes invalid
+ * IXAF_VERIFY_PMTU: verify PMTU changes
+ * IXAF_VERIFY_LSO: verify LSO capability changes
+ */
+ connp->conn_ixa->ixa_flags |= IXAF_SET_ULP_CKSUM | IXAF_VERIFY_SOURCE |
+ IXAF_VERIFY_PMTU | IXAF_VERIFY_LSO;
+
+ if (!tcps->tcps_dev_flow_ctl)
+ connp->conn_ixa->ixa_flags |= IXAF_NO_DEV_FLOW_CTL;
+
if (isv6) {
- connp->conn_flags |= IPCL_TCP6;
- connp->conn_send = ip_output_v6;
- connp->conn_af_isv6 = B_TRUE;
- connp->conn_pkt_isv6 = B_TRUE;
- connp->conn_src_preferences = IPV6_PREFER_SRC_DEFAULT;
- tcp->tcp_ipversion = IPV6_VERSION;
- tcp->tcp_family = AF_INET6;
+ connp->conn_ixa->ixa_src_preferences = IPV6_PREFER_SRC_DEFAULT;
+ connp->conn_ipversion = IPV6_VERSION;
+ connp->conn_family = AF_INET6;
tcp->tcp_mss = tcps->tcps_mss_def_ipv6;
+ connp->conn_default_ttl = tcps->tcps_ipv6_hoplimit;
} else {
- connp->conn_flags |= IPCL_TCP4;
- connp->conn_send = ip_output;
- connp->conn_af_isv6 = B_FALSE;
- connp->conn_pkt_isv6 = B_FALSE;
- tcp->tcp_ipversion = IPV4_VERSION;
- tcp->tcp_family = AF_INET;
+ connp->conn_ipversion = IPV4_VERSION;
+ connp->conn_family = AF_INET;
tcp->tcp_mss = tcps->tcps_mss_def_ipv4;
+ connp->conn_default_ttl = tcps->tcps_ipv4_ttl;
}
+ connp->conn_xmit_ipp.ipp_unicast_hops = connp->conn_default_ttl;
+
+ crhold(credp);
+ connp->conn_cred = credp;
+ connp->conn_cpid = curproc->p_pid;
+ connp->conn_open_time = lbolt64;
- /*
- * TCP keeps a copy of cred for cache locality reasons but
- * we put a reference only once. If connp->conn_cred
- * becomes invalid, tcp_cred should also be set to NULL.
- */
- tcp->tcp_cred = connp->conn_cred = credp;
- crhold(connp->conn_cred);
- tcp->tcp_cpid = curproc->p_pid;
- tcp->tcp_open_time = lbolt64;
connp->conn_zoneid = zoneid;
+ /* conn_allzones can not be set this early, hence no IPCL_ZONEID */
+ connp->conn_ixa->ixa_zoneid = zoneid;
connp->conn_mlp_type = mlptSingle;
- connp->conn_ulp_labeled = !is_system_labeled();
ASSERT(connp->conn_netstack == tcps->tcps_netstack);
ASSERT(tcp->tcp_tcps == tcps);
@@ -9331,38 +7666,22 @@ tcp_create_common(queue_t *q, cred_t *credp, boolean_t isv6,
if (getpflags(NET_MAC_AWARE, credp) != 0)
connp->conn_mac_mode = CONN_MAC_AWARE;
- connp->conn_dev = NULL;
+ connp->conn_zone_is_global = (crgetzoneid(credp) == GLOBAL_ZONEID);
+
if (issocket) {
- connp->conn_flags |= IPCL_SOCKET;
tcp->tcp_issocket = 1;
}
- /* Non-zero default values */
- connp->conn_multicast_loop = IP_DEFAULT_MULTICAST_LOOP;
-
- if (q == NULL) {
- /*
- * Create a helper stream for non-STREAMS socket.
- */
- err = ip_create_helper_stream(connp, tcps->tcps_ldi_ident);
- if (err != 0) {
- ip1dbg(("tcp_create_common: create of IP helper stream "
- "failed\n"));
- CONN_DEC_REF(connp);
- *errorp = err;
- return (NULL);
- }
- q = connp->conn_rq;
- }
+ connp->conn_rcvbuf = tcps->tcps_recv_hiwat;
+ connp->conn_sndbuf = tcps->tcps_xmit_hiwat;
+ connp->conn_sndlowat = tcps->tcps_xmit_lowat;
+ connp->conn_so_type = SOCK_STREAM;
+ connp->conn_wroff = connp->conn_ht_iphc_allocated +
+ tcps->tcps_wroff_xtra;
SOCK_CONNID_INIT(tcp->tcp_connid);
- err = tcp_init(tcp, q);
- if (err != 0) {
- CONN_DEC_REF(connp);
- *errorp = err;
- return (NULL);
- }
-
+ tcp->tcp_state = TCPS_IDLE;
+ tcp_init_values(tcp);
return (connp);
}
@@ -9415,7 +7734,7 @@ tcp_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
q->q_qinfo = &tcp_acceptor_rinit;
/*
* the conn_dev and minor_arena will be subsequently used by
- * tcp_wput_accept() and tcp_tpi_close_accept() to figure out
+ * tcp_tli_accept() and tcp_tpi_close_accept() to figure out
* the minor device number for this connection from the q_ptr.
*/
RD(q)->q_ptr = (void *)conn_dev;
@@ -9426,7 +7745,7 @@ tcp_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
}
issocket = flag & SO_SOCKSTR;
- connp = tcp_create_common(q, credp, isv6, issocket, &err);
+ connp = tcp_create_common(credp, isv6, issocket, &err);
if (connp == NULL) {
inet_minor_free(minor_arena, conn_dev);
@@ -9434,6 +7753,8 @@ tcp_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
return (err);
}
+ connp->conn_rq = q;
+ connp->conn_wq = WR(q);
q->q_ptr = WR(q)->q_ptr = connp;
connp->conn_dev = conn_dev;
@@ -9500,7 +7821,7 @@ tcp_allow_connopt_set(int level, int name)
}
/*
- * this routine gets default values of certain options whose default
+ * This routine gets default values of certain options whose default
* values are maintained by protocol specific code
*/
/* ARGSUSED */
@@ -9553,321 +7874,102 @@ tcp_opt_default(queue_t *q, int level, int name, uchar_t *ptr)
return (sizeof (int));
}
+/*
+ * TCP routine to get the values of options.
+ */
static int
tcp_opt_get(conn_t *connp, int level, int name, uchar_t *ptr)
{
int *i1 = (int *)ptr;
tcp_t *tcp = connp->conn_tcp;
- ip6_pkt_t *ipp = &tcp->tcp_sticky_ipp;
+ conn_opt_arg_t coas;
+ int retval;
+
+ coas.coa_connp = connp;
+ coas.coa_ixa = connp->conn_ixa;
+ coas.coa_ipp = &connp->conn_xmit_ipp;
+ coas.coa_ancillary = B_FALSE;
+ coas.coa_changed = 0;
switch (level) {
case SOL_SOCKET:
switch (name) {
- case SO_LINGER: {
- struct linger *lgr = (struct linger *)ptr;
-
- lgr->l_onoff = tcp->tcp_linger ? SO_LINGER : 0;
- lgr->l_linger = tcp->tcp_lingertime;
- }
- return (sizeof (struct linger));
- case SO_DEBUG:
- *i1 = tcp->tcp_debug ? SO_DEBUG : 0;
- break;
- case SO_KEEPALIVE:
- *i1 = tcp->tcp_ka_enabled ? SO_KEEPALIVE : 0;
- break;
- case SO_DONTROUTE:
- *i1 = tcp->tcp_dontroute ? SO_DONTROUTE : 0;
- break;
- case SO_USELOOPBACK:
- *i1 = tcp->tcp_useloopback ? SO_USELOOPBACK : 0;
- break;
- case SO_BROADCAST:
- *i1 = tcp->tcp_broadcast ? SO_BROADCAST : 0;
- break;
- case SO_REUSEADDR:
- *i1 = tcp->tcp_reuseaddr ? SO_REUSEADDR : 0;
- break;
- case SO_OOBINLINE:
- *i1 = tcp->tcp_oobinline ? SO_OOBINLINE : 0;
- break;
- case SO_DGRAM_ERRIND:
- *i1 = tcp->tcp_dgram_errind ? SO_DGRAM_ERRIND : 0;
- break;
- case SO_TYPE:
- *i1 = SOCK_STREAM;
- break;
- case SO_SNDBUF:
- *i1 = tcp->tcp_xmit_hiwater;
- break;
- case SO_RCVBUF:
- *i1 = tcp->tcp_recv_hiwater;
- break;
case SO_SND_COPYAVOID:
*i1 = tcp->tcp_snd_zcopy_on ?
SO_SND_COPYAVOID : 0;
- break;
- case SO_ALLZONES:
- *i1 = connp->conn_allzones ? 1 : 0;
- break;
- case SO_ANON_MLP:
- *i1 = connp->conn_anon_mlp;
- break;
- case SO_MAC_EXEMPT:
- *i1 = (connp->conn_mac_mode == CONN_MAC_AWARE);
- break;
- case SO_MAC_IMPLICIT:
- *i1 = (connp->conn_mac_mode == CONN_MAC_IMPLICIT);
- break;
- case SO_EXCLBIND:
- *i1 = tcp->tcp_exclbind ? SO_EXCLBIND : 0;
- break;
- case SO_PROTOTYPE:
- *i1 = IPPROTO_TCP;
- break;
- case SO_DOMAIN:
- *i1 = tcp->tcp_family;
- break;
+ return (sizeof (int));
case SO_ACCEPTCONN:
*i1 = (tcp->tcp_state == TCPS_LISTEN);
- default:
- return (-1);
+ return (sizeof (int));
}
break;
case IPPROTO_TCP:
switch (name) {
case TCP_NODELAY:
*i1 = (tcp->tcp_naglim == 1) ? TCP_NODELAY : 0;
- break;
+ return (sizeof (int));
case TCP_MAXSEG:
*i1 = tcp->tcp_mss;
- break;
+ return (sizeof (int));
case TCP_NOTIFY_THRESHOLD:
*i1 = (int)tcp->tcp_first_timer_threshold;
- break;
+ return (sizeof (int));
case TCP_ABORT_THRESHOLD:
*i1 = tcp->tcp_second_timer_threshold;
- break;
+ return (sizeof (int));
case TCP_CONN_NOTIFY_THRESHOLD:
*i1 = tcp->tcp_first_ctimer_threshold;
- break;
+ return (sizeof (int));
case TCP_CONN_ABORT_THRESHOLD:
*i1 = tcp->tcp_second_ctimer_threshold;
- break;
- case TCP_RECVDSTADDR:
- *i1 = tcp->tcp_recvdstaddr;
- break;
- case TCP_ANONPRIVBIND:
- *i1 = tcp->tcp_anon_priv_bind;
- break;
- case TCP_EXCLBIND:
- *i1 = tcp->tcp_exclbind ? TCP_EXCLBIND : 0;
- break;
+ return (sizeof (int));
case TCP_INIT_CWND:
*i1 = tcp->tcp_init_cwnd;
- break;
+ return (sizeof (int));
case TCP_KEEPALIVE_THRESHOLD:
*i1 = tcp->tcp_ka_interval;
- break;
+ return (sizeof (int));
case TCP_KEEPALIVE_ABORT_THRESHOLD:
*i1 = tcp->tcp_ka_abort_thres;
- break;
+ return (sizeof (int));
case TCP_CORK:
*i1 = tcp->tcp_cork;
- break;
- default:
- return (-1);
+ return (sizeof (int));
}
break;
case IPPROTO_IP:
- if (tcp->tcp_family != AF_INET)
+ if (connp->conn_family != AF_INET)
return (-1);
switch (name) {
case IP_OPTIONS:
- case T_IP_OPTIONS: {
- /*
- * This is compatible with BSD in that in only return
- * the reverse source route with the final destination
- * as the last entry. The first 4 bytes of the option
- * will contain the final destination.
- */
- int opt_len;
-
- opt_len = (char *)tcp->tcp_tcph - (char *)tcp->tcp_ipha;
- opt_len -= tcp->tcp_label_len + IP_SIMPLE_HDR_LENGTH;
- ASSERT(opt_len >= 0);
+ case T_IP_OPTIONS:
/* Caller ensures enough space */
- if (opt_len > 0) {
- /*
- * TODO: Do we have to handle getsockopt on an
- * initiator as well?
- */
- return (ip_opt_get_user(tcp->tcp_ipha, ptr));
- }
- return (0);
- }
- case IP_TOS:
- case T_IP_TOS:
- *i1 = (int)tcp->tcp_ipha->ipha_type_of_service;
- break;
- case IP_TTL:
- *i1 = (int)tcp->tcp_ipha->ipha_ttl;
- break;
- case IP_NEXTHOP:
- /* Handled at IP level */
- return (-EINVAL);
+ return (ip_opt_get_user(connp, ptr));
default:
- return (-1);
+ break;
}
break;
+
case IPPROTO_IPV6:
/*
* IPPROTO_IPV6 options are only supported for sockets
* that are using IPv6 on the wire.
*/
- if (tcp->tcp_ipversion != IPV6_VERSION) {
+ if (connp->conn_ipversion != IPV6_VERSION) {
return (-1);
}
switch (name) {
- case IPV6_UNICAST_HOPS:
- *i1 = (unsigned int) tcp->tcp_ip6h->ip6_hops;
- break; /* goto sizeof (int) option return */
- case IPV6_BOUND_IF:
- /* Zero if not set */
- *i1 = tcp->tcp_bound_if;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVPKTINFO:
- if (tcp->tcp_ipv6_recvancillary & TCP_IPV6_RECVPKTINFO)
- *i1 = 1;
- else
- *i1 = 0;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVTCLASS:
- if (tcp->tcp_ipv6_recvancillary & TCP_IPV6_RECVTCLASS)
- *i1 = 1;
- else
- *i1 = 0;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVHOPLIMIT:
- if (tcp->tcp_ipv6_recvancillary &
- TCP_IPV6_RECVHOPLIMIT)
- *i1 = 1;
- else
- *i1 = 0;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVHOPOPTS:
- if (tcp->tcp_ipv6_recvancillary & TCP_IPV6_RECVHOPOPTS)
- *i1 = 1;
- else
- *i1 = 0;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVDSTOPTS:
- if (tcp->tcp_ipv6_recvancillary & TCP_IPV6_RECVDSTOPTS)
- *i1 = 1;
- else
- *i1 = 0;
- break; /* goto sizeof (int) option return */
- case _OLD_IPV6_RECVDSTOPTS:
- if (tcp->tcp_ipv6_recvancillary &
- TCP_OLD_IPV6_RECVDSTOPTS)
- *i1 = 1;
- else
- *i1 = 0;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVRTHDR:
- if (tcp->tcp_ipv6_recvancillary & TCP_IPV6_RECVRTHDR)
- *i1 = 1;
- else
- *i1 = 0;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVRTHDRDSTOPTS:
- if (tcp->tcp_ipv6_recvancillary &
- TCP_IPV6_RECVRTDSTOPTS)
- *i1 = 1;
- else
- *i1 = 0;
- break; /* goto sizeof (int) option return */
- case IPV6_PKTINFO: {
- /* XXX assumes that caller has room for max size! */
- struct in6_pktinfo *pkti;
-
- pkti = (struct in6_pktinfo *)ptr;
- if (ipp->ipp_fields & IPPF_IFINDEX)
- pkti->ipi6_ifindex = ipp->ipp_ifindex;
- else
- pkti->ipi6_ifindex = 0;
- if (ipp->ipp_fields & IPPF_ADDR)
- pkti->ipi6_addr = ipp->ipp_addr;
- else
- pkti->ipi6_addr = ipv6_all_zeros;
- return (sizeof (struct in6_pktinfo));
- }
- case IPV6_TCLASS:
- if (ipp->ipp_fields & IPPF_TCLASS)
- *i1 = ipp->ipp_tclass;
- else
- *i1 = IPV6_FLOW_TCLASS(
- IPV6_DEFAULT_VERS_AND_FLOW);
- break; /* goto sizeof (int) option return */
- case IPV6_NEXTHOP: {
- sin6_t *sin6 = (sin6_t *)ptr;
-
- if (!(ipp->ipp_fields & IPPF_NEXTHOP))
- return (0);
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_addr = ipp->ipp_nexthop;
- return (sizeof (sin6_t));
- }
- case IPV6_HOPOPTS:
- if (!(ipp->ipp_fields & IPPF_HOPOPTS))
- return (0);
- if (ipp->ipp_hopoptslen <= tcp->tcp_label_len)
- return (0);
- bcopy((char *)ipp->ipp_hopopts + tcp->tcp_label_len,
- ptr, ipp->ipp_hopoptslen - tcp->tcp_label_len);
- if (tcp->tcp_label_len > 0) {
- ptr[0] = ((char *)ipp->ipp_hopopts)[0];
- ptr[1] = (ipp->ipp_hopoptslen -
- tcp->tcp_label_len + 7) / 8 - 1;
- }
- return (ipp->ipp_hopoptslen - tcp->tcp_label_len);
- case IPV6_RTHDRDSTOPTS:
- if (!(ipp->ipp_fields & IPPF_RTDSTOPTS))
- return (0);
- bcopy(ipp->ipp_rtdstopts, ptr, ipp->ipp_rtdstoptslen);
- return (ipp->ipp_rtdstoptslen);
- case IPV6_RTHDR:
- if (!(ipp->ipp_fields & IPPF_RTHDR))
- return (0);
- bcopy(ipp->ipp_rthdr, ptr, ipp->ipp_rthdrlen);
- return (ipp->ipp_rthdrlen);
- case IPV6_DSTOPTS:
- if (!(ipp->ipp_fields & IPPF_DSTOPTS))
- return (0);
- bcopy(ipp->ipp_dstopts, ptr, ipp->ipp_dstoptslen);
- return (ipp->ipp_dstoptslen);
- case IPV6_SRC_PREFERENCES:
- return (ip6_get_src_preferences(connp,
- (uint32_t *)ptr));
- case IPV6_PATHMTU: {
- struct ip6_mtuinfo *mtuinfo = (struct ip6_mtuinfo *)ptr;
-
+ case IPV6_PATHMTU:
if (tcp->tcp_state < TCPS_ESTABLISHED)
return (-1);
-
- return (ip_fill_mtuinfo(&connp->conn_remv6,
- connp->conn_fport, mtuinfo,
- connp->conn_netstack));
- }
- default:
- return (-1);
+ break;
}
break;
- default:
- return (-1);
}
- return (sizeof (int));
+ mutex_enter(&connp->conn_lock);
+ retval = conn_opt_get(&coas, level, name, ptr);
+ mutex_exit(&connp->conn_lock);
+ return (retval);
}
/*
@@ -9896,7 +7998,6 @@ tcp_getsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
error = proto_opt_check(level, option_name, *optlen, &max_optbuf_len,
tcp_opt_obj.odb_opt_des_arr,
tcp_opt_obj.odb_opt_arr_cnt,
- tcp_opt_obj.odb_topmost_tpiprovider,
B_FALSE, B_TRUE, cr);
if (error != 0) {
if (error < 0) {
@@ -9909,30 +8010,28 @@ tcp_getsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
error = squeue_synch_enter(sqp, connp, NULL);
if (error == ENOMEM) {
+ kmem_free(optvalp_buf, max_optbuf_len);
return (ENOMEM);
}
len = tcp_opt_get(connp, level, option_name, optvalp_buf);
squeue_synch_exit(sqp, connp);
- if (len < 0) {
- /*
- * Pass on to IP
- */
+ if (len == -1) {
kmem_free(optvalp_buf, max_optbuf_len);
- return (ip_get_options(connp, level, option_name,
- optvalp, optlen, cr));
- } else {
- /*
- * update optlen and copy option value
- */
- t_uscalar_t size = MIN(len, *optlen);
- bcopy(optvalp_buf, optvalp, size);
- bcopy(&size, optlen, sizeof (size));
-
- kmem_free(optvalp_buf, max_optbuf_len);
- return (0);
+ return (EINVAL);
}
+
+ /*
+ * update optlen and copy option value
+ */
+ t_uscalar_t size = MIN(len, *optlen);
+
+ bcopy(optvalp_buf, optvalp, size);
+ bcopy(&size, optlen, sizeof (size));
+
+ kmem_free(optvalp_buf, max_optbuf_len);
+ return (0);
}
/*
@@ -9943,7 +8042,7 @@ tcp_getsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
int
tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
- void *thisdg_attrs, cred_t *cr, mblk_t *mblk)
+ void *thisdg_attrs, cred_t *cr)
{
tcp_t *tcp = connp->conn_tcp;
int *i1 = (int *)invalp;
@@ -9951,6 +8050,13 @@ tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
boolean_t checkonly;
int reterr;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_opt_arg_t coas;
+
+ coas.coa_connp = connp;
+ coas.coa_ixa = connp->conn_ixa;
+ coas.coa_ipp = &connp->conn_xmit_ipp;
+ coas.coa_ancillary = B_FALSE;
+ coas.coa_changed = 0;
switch (optset_context) {
case SETFN_OPTCOM_CHECKONLY:
@@ -10016,37 +8122,6 @@ tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
switch (level) {
case SOL_SOCKET:
switch (name) {
- case SO_LINGER: {
- struct linger *lgr = (struct linger *)invalp;
-
- if (!checkonly) {
- if (lgr->l_onoff) {
- tcp->tcp_linger = 1;
- tcp->tcp_lingertime = lgr->l_linger;
- } else {
- tcp->tcp_linger = 0;
- tcp->tcp_lingertime = 0;
- }
- /* struct copy */
- *(struct linger *)outvalp = *lgr;
- } else {
- if (!lgr->l_onoff) {
- ((struct linger *)
- outvalp)->l_onoff = 0;
- ((struct linger *)
- outvalp)->l_linger = 0;
- } else {
- /* struct copy */
- *(struct linger *)outvalp = *lgr;
- }
- }
- *outlenp = sizeof (struct linger);
- return (0);
- }
- case SO_DEBUG:
- if (!checkonly)
- tcp->tcp_debug = onoff;
- break;
case SO_KEEPALIVE:
if (checkonly) {
/* check only case */
@@ -10054,65 +8129,25 @@ tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
}
if (!onoff) {
- if (tcp->tcp_ka_enabled) {
+ if (connp->conn_keepalive) {
if (tcp->tcp_ka_tid != 0) {
(void) TCP_TIMER_CANCEL(tcp,
tcp->tcp_ka_tid);
tcp->tcp_ka_tid = 0;
}
- tcp->tcp_ka_enabled = 0;
+ connp->conn_keepalive = 0;
}
break;
}
- if (!tcp->tcp_ka_enabled) {
+ if (!connp->conn_keepalive) {
/* Crank up the keepalive timer */
tcp->tcp_ka_last_intrvl = 0;
tcp->tcp_ka_tid = TCP_TIMER(tcp,
tcp_keepalive_killer,
MSEC_TO_TICK(tcp->tcp_ka_interval));
- tcp->tcp_ka_enabled = 1;
- }
- break;
- case SO_DONTROUTE:
- /*
- * SO_DONTROUTE, SO_USELOOPBACK, and SO_BROADCAST are
- * only of interest to IP. We track them here only so
- * that we can report their current value.
- */
- if (!checkonly) {
- tcp->tcp_dontroute = onoff;
- tcp->tcp_connp->conn_dontroute = onoff;
+ connp->conn_keepalive = 1;
}
break;
- case SO_USELOOPBACK:
- if (!checkonly) {
- tcp->tcp_useloopback = onoff;
- tcp->tcp_connp->conn_loopback = onoff;
- }
- break;
- case SO_BROADCAST:
- if (!checkonly) {
- tcp->tcp_broadcast = onoff;
- tcp->tcp_connp->conn_broadcast = onoff;
- }
- break;
- case SO_REUSEADDR:
- if (!checkonly) {
- tcp->tcp_reuseaddr = onoff;
- tcp->tcp_connp->conn_reuseaddr = onoff;
- }
- break;
- case SO_OOBINLINE:
- if (!checkonly) {
- tcp->tcp_oobinline = onoff;
- if (IPCL_IS_NONSTR(tcp->tcp_connp))
- proto_set_rx_oob_opt(connp, onoff);
- }
- break;
- case SO_DGRAM_ERRIND:
- if (!checkonly)
- tcp->tcp_dgram_errind = onoff;
- break;
case SO_SNDBUF: {
if (*i1 > tcps->tcps_max_buf) {
*outlenp = 0;
@@ -10121,11 +8156,11 @@ tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
if (checkonly)
break;
- tcp->tcp_xmit_hiwater = *i1;
- if (tcps->tcps_snd_lowat_fraction != 0)
- tcp->tcp_xmit_lowater =
- tcp->tcp_xmit_hiwater /
+ connp->conn_sndbuf = *i1;
+ if (tcps->tcps_snd_lowat_fraction != 0) {
+ connp->conn_sndlowat = connp->conn_sndbuf /
tcps->tcps_snd_lowat_fraction;
+ }
(void) tcp_maxpsz_set(tcp, B_TRUE);
/*
* If we are flow-controlled, recheck the condition.
@@ -10135,11 +8170,12 @@ tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
*/
mutex_enter(&tcp->tcp_non_sq_lock);
if (tcp->tcp_flow_stopped &&
- TCP_UNSENT_BYTES(tcp) < tcp->tcp_xmit_hiwater) {
+ TCP_UNSENT_BYTES(tcp) < connp->conn_sndbuf) {
tcp_clrqfull(tcp);
}
mutex_exit(&tcp->tcp_non_sq_lock);
- break;
+ *outlenp = inlen;
+ return (0);
}
case SO_RCVBUF:
if (*i1 > tcps->tcps_max_buf) {
@@ -10155,43 +8191,20 @@ tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
* XXX should we return the rwnd here
* and tcp_opt_get ?
*/
- break;
+ *outlenp = inlen;
+ return (0);
case SO_SND_COPYAVOID:
if (!checkonly) {
- /* we only allow enable at most once for now */
if (tcp->tcp_loopback ||
(tcp->tcp_kssl_ctx != NULL) ||
- (!tcp->tcp_snd_zcopy_aware &&
- (onoff != 1 || !tcp_zcopy_check(tcp)))) {
+ (onoff != 1) || !tcp_zcopy_check(tcp)) {
*outlenp = 0;
return (EOPNOTSUPP);
}
tcp->tcp_snd_zcopy_aware = 1;
}
- break;
- case SO_RCVTIMEO:
- case SO_SNDTIMEO:
- /*
- * Pass these two options in order for third part
- * protocol usage. Here just return directly.
- */
+ *outlenp = inlen;
return (0);
- case SO_ALLZONES:
- /* Pass option along to IP level for handling */
- return (-EINVAL);
- case SO_ANON_MLP:
- /* Pass option along to IP level for handling */
- return (-EINVAL);
- case SO_MAC_EXEMPT:
- /* Pass option along to IP level for handling */
- return (-EINVAL);
- case SO_EXCLBIND:
- if (!checkonly)
- tcp->tcp_exclbind = onoff;
- break;
- default:
- *outlenp = 0;
- return (EINVAL);
}
break;
case IPPROTO_TCP:
@@ -10217,25 +8230,12 @@ tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
tcp->tcp_second_ctimer_threshold = *i1;
break;
case TCP_RECVDSTADDR:
- if (tcp->tcp_state > TCPS_LISTEN)
- return (EOPNOTSUPP);
- if (!checkonly)
- tcp->tcp_recvdstaddr = onoff;
- break;
- case TCP_ANONPRIVBIND:
- if ((reterr = secpolicy_net_privaddr(cr, 0,
- IPPROTO_TCP)) != 0) {
+ if (tcp->tcp_state > TCPS_LISTEN) {
*outlenp = 0;
- return (reterr);
- }
- if (!checkonly) {
- tcp->tcp_anon_priv_bind = onoff;
+ return (EOPNOTSUPP);
}
+ /* Setting done in conn_opt_set */
break;
- case TCP_EXCLBIND:
- if (!checkonly)
- tcp->tcp_exclbind = onoff;
- break; /* goto sizeof (int) option return */
case TCP_INIT_CWND: {
uint32_t init_cwnd = *((uint32_t *)invalp);
@@ -10278,7 +8278,7 @@ tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
* keepalive timer.
*/
if (tcp->tcp_ka_tid != 0) {
- ASSERT(tcp->tcp_ka_enabled);
+ ASSERT(connp->conn_keepalive);
(void) TCP_TIMER_CANCEL(tcp,
tcp->tcp_ka_tid);
tcp->tcp_ka_last_intrvl = 0;
@@ -10318,49 +8318,15 @@ tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
}
break;
default:
- *outlenp = 0;
- return (EINVAL);
+ break;
}
break;
case IPPROTO_IP:
- if (tcp->tcp_family != AF_INET) {
+ if (connp->conn_family != AF_INET) {
*outlenp = 0;
- return (ENOPROTOOPT);
+ return (EINVAL);
}
switch (name) {
- case IP_OPTIONS:
- case T_IP_OPTIONS:
- reterr = tcp_opt_set_header(tcp, checkonly,
- invalp, inlen);
- if (reterr) {
- *outlenp = 0;
- return (reterr);
- }
- /* OK return - copy input buffer into output buffer */
- if (invalp != outvalp) {
- /* don't trust bcopy for identical src/dst */
- bcopy(invalp, outvalp, inlen);
- }
- *outlenp = inlen;
- return (0);
- case IP_TOS:
- case T_IP_TOS:
- if (!checkonly) {
- tcp->tcp_ipha->ipha_type_of_service =
- (uchar_t)*i1;
- tcp->tcp_tos = (uchar_t)*i1;
- }
- break;
- case IP_TTL:
- if (!checkonly) {
- tcp->tcp_ipha->ipha_ttl = (uchar_t)*i1;
- tcp->tcp_ttl = (uchar_t)*i1;
- }
- break;
- case IP_BOUND_IF:
- case IP_NEXTHOP:
- /* Handled at the IP level */
- return (-EINVAL);
case IP_SEC_OPT:
/*
* We should not allow policy setting after
@@ -10368,166 +8334,42 @@ tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
*/
if (tcp->tcp_state == TCPS_LISTEN) {
return (EINVAL);
- } else {
- /* Handled at the IP level */
- return (-EINVAL);
}
- default:
- *outlenp = 0;
- return (EINVAL);
+ break;
}
break;
- case IPPROTO_IPV6: {
- ip6_pkt_t *ipp;
-
+ case IPPROTO_IPV6:
/*
* IPPROTO_IPV6 options are only supported for sockets
* that are using IPv6 on the wire.
*/
- if (tcp->tcp_ipversion != IPV6_VERSION) {
+ if (connp->conn_ipversion != IPV6_VERSION) {
*outlenp = 0;
- return (ENOPROTOOPT);
+ return (EINVAL);
}
- /*
- * Only sticky options; no ancillary data
- */
- ipp = &tcp->tcp_sticky_ipp;
switch (name) {
- case IPV6_UNICAST_HOPS:
- /* -1 means use default */
- if (*i1 < -1 || *i1 > IPV6_MAX_HOPS) {
- *outlenp = 0;
- return (EINVAL);
- }
- if (!checkonly) {
- if (*i1 == -1) {
- tcp->tcp_ip6h->ip6_hops =
- ipp->ipp_unicast_hops =
- (uint8_t)tcps->tcps_ipv6_hoplimit;
- ipp->ipp_fields &= ~IPPF_UNICAST_HOPS;
- /* Pass modified value to IP. */
- *i1 = tcp->tcp_ip6h->ip6_hops;
- } else {
- tcp->tcp_ip6h->ip6_hops =
- ipp->ipp_unicast_hops =
- (uint8_t)*i1;
- ipp->ipp_fields |= IPPF_UNICAST_HOPS;
- }
- reterr = tcp_build_hdrs(tcp);
- if (reterr != 0)
- return (reterr);
- }
- break;
- case IPV6_BOUND_IF:
- if (!checkonly) {
- tcp->tcp_bound_if = *i1;
- PASS_OPT_TO_IP(connp);
- }
- break;
- /*
- * Set boolean switches for ancillary data delivery
- */
case IPV6_RECVPKTINFO:
if (!checkonly) {
- if (onoff)
- tcp->tcp_ipv6_recvancillary |=
- TCP_IPV6_RECVPKTINFO;
- else
- tcp->tcp_ipv6_recvancillary &=
- ~TCP_IPV6_RECVPKTINFO;
/* Force it to be sent up with the next msg */
tcp->tcp_recvifindex = 0;
- PASS_OPT_TO_IP(connp);
}
break;
case IPV6_RECVTCLASS:
if (!checkonly) {
- if (onoff)
- tcp->tcp_ipv6_recvancillary |=
- TCP_IPV6_RECVTCLASS;
- else
- tcp->tcp_ipv6_recvancillary &=
- ~TCP_IPV6_RECVTCLASS;
- PASS_OPT_TO_IP(connp);
+ /* Force it to be sent up with the next msg */
+ tcp->tcp_recvtclass = 0xffffffffU;
}
break;
case IPV6_RECVHOPLIMIT:
if (!checkonly) {
- if (onoff)
- tcp->tcp_ipv6_recvancillary |=
- TCP_IPV6_RECVHOPLIMIT;
- else
- tcp->tcp_ipv6_recvancillary &=
- ~TCP_IPV6_RECVHOPLIMIT;
/* Force it to be sent up with the next msg */
tcp->tcp_recvhops = 0xffffffffU;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVHOPOPTS:
- if (!checkonly) {
- if (onoff)
- tcp->tcp_ipv6_recvancillary |=
- TCP_IPV6_RECVHOPOPTS;
- else
- tcp->tcp_ipv6_recvancillary &=
- ~TCP_IPV6_RECVHOPOPTS;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVDSTOPTS:
- if (!checkonly) {
- if (onoff)
- tcp->tcp_ipv6_recvancillary |=
- TCP_IPV6_RECVDSTOPTS;
- else
- tcp->tcp_ipv6_recvancillary &=
- ~TCP_IPV6_RECVDSTOPTS;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case _OLD_IPV6_RECVDSTOPTS:
- if (!checkonly) {
- if (onoff)
- tcp->tcp_ipv6_recvancillary |=
- TCP_OLD_IPV6_RECVDSTOPTS;
- else
- tcp->tcp_ipv6_recvancillary &=
- ~TCP_OLD_IPV6_RECVDSTOPTS;
- }
- break;
- case IPV6_RECVRTHDR:
- if (!checkonly) {
- if (onoff)
- tcp->tcp_ipv6_recvancillary |=
- TCP_IPV6_RECVRTHDR;
- else
- tcp->tcp_ipv6_recvancillary &=
- ~TCP_IPV6_RECVRTHDR;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVRTHDRDSTOPTS:
- if (!checkonly) {
- if (onoff)
- tcp->tcp_ipv6_recvancillary |=
- TCP_IPV6_RECVRTDSTOPTS;
- else
- tcp->tcp_ipv6_recvancillary &=
- ~TCP_IPV6_RECVRTDSTOPTS;
- PASS_OPT_TO_IP(connp);
}
break;
case IPV6_PKTINFO:
- if (inlen != 0 && inlen != sizeof (struct in6_pktinfo))
- return (EINVAL);
- if (checkonly)
- break;
-
- if (inlen == 0) {
- ipp->ipp_fields &= ~(IPPF_IFINDEX|IPPF_ADDR);
- } else {
+ /* This is an extra check for TCP */
+ if (inlen == sizeof (struct in6_pktinfo)) {
struct in6_pktinfo *pkti;
pkti = (struct in6_pktinfo *)invalp;
@@ -10539,219 +8381,8 @@ tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
*/
if (!IN6_IS_ADDR_UNSPECIFIED(&pkti->ipi6_addr))
return (EINVAL);
- /*
- * IP will validate the source address and
- * interface index.
- */
- if (IPCL_IS_NONSTR(tcp->tcp_connp)) {
- reterr = ip_set_options(tcp->tcp_connp,
- level, name, invalp, inlen, cr);
- } else {
- reterr = ip6_set_pktinfo(cr,
- tcp->tcp_connp, pkti);
- }
- if (reterr != 0)
- return (reterr);
- ipp->ipp_ifindex = pkti->ipi6_ifindex;
- ipp->ipp_addr = pkti->ipi6_addr;
- if (ipp->ipp_ifindex != 0)
- ipp->ipp_fields |= IPPF_IFINDEX;
- else
- ipp->ipp_fields &= ~IPPF_IFINDEX;
- if (!IN6_IS_ADDR_UNSPECIFIED(&ipp->ipp_addr))
- ipp->ipp_fields |= IPPF_ADDR;
- else
- ipp->ipp_fields &= ~IPPF_ADDR;
- }
- reterr = tcp_build_hdrs(tcp);
- if (reterr != 0)
- return (reterr);
- break;
- case IPV6_TCLASS:
- if (inlen != 0 && inlen != sizeof (int))
- return (EINVAL);
- if (checkonly)
- break;
-
- if (inlen == 0) {
- ipp->ipp_fields &= ~IPPF_TCLASS;
- } else {
- if (*i1 > 255 || *i1 < -1)
- return (EINVAL);
- if (*i1 == -1) {
- ipp->ipp_tclass = 0;
- *i1 = 0;
- } else {
- ipp->ipp_tclass = *i1;
- }
- ipp->ipp_fields |= IPPF_TCLASS;
- }
- reterr = tcp_build_hdrs(tcp);
- if (reterr != 0)
- return (reterr);
- break;
- case IPV6_NEXTHOP:
- /*
- * IP will verify that the nexthop is reachable
- * and fail for sticky options.
- */
- if (inlen != 0 && inlen != sizeof (sin6_t))
- return (EINVAL);
- if (checkonly)
- break;
-
- if (inlen == 0) {
- ipp->ipp_fields &= ~IPPF_NEXTHOP;
- } else {
- sin6_t *sin6 = (sin6_t *)invalp;
-
- if (sin6->sin6_family != AF_INET6)
- return (EAFNOSUPPORT);
- if (IN6_IS_ADDR_V4MAPPED(
- &sin6->sin6_addr))
- return (EADDRNOTAVAIL);
- ipp->ipp_nexthop = sin6->sin6_addr;
- if (!IN6_IS_ADDR_UNSPECIFIED(
- &ipp->ipp_nexthop))
- ipp->ipp_fields |= IPPF_NEXTHOP;
- else
- ipp->ipp_fields &= ~IPPF_NEXTHOP;
- }
- reterr = tcp_build_hdrs(tcp);
- if (reterr != 0)
- return (reterr);
- PASS_OPT_TO_IP(connp);
- break;
- case IPV6_HOPOPTS: {
- ip6_hbh_t *hopts = (ip6_hbh_t *)invalp;
-
- /*
- * Sanity checks - minimum size, size a multiple of
- * eight bytes, and matching size passed in.
- */
- if (inlen != 0 &&
- inlen != (8 * (hopts->ip6h_len + 1)))
- return (EINVAL);
-
- if (checkonly)
- break;
-
- reterr = optcom_pkt_set(invalp, inlen, B_TRUE,
- (uchar_t **)&ipp->ipp_hopopts,
- &ipp->ipp_hopoptslen, tcp->tcp_label_len);
- if (reterr != 0)
- return (reterr);
- if (ipp->ipp_hopoptslen == 0)
- ipp->ipp_fields &= ~IPPF_HOPOPTS;
- else
- ipp->ipp_fields |= IPPF_HOPOPTS;
- reterr = tcp_build_hdrs(tcp);
- if (reterr != 0)
- return (reterr);
- break;
- }
- case IPV6_RTHDRDSTOPTS: {
- ip6_dest_t *dopts = (ip6_dest_t *)invalp;
-
- /*
- * Sanity checks - minimum size, size a multiple of
- * eight bytes, and matching size passed in.
- */
- if (inlen != 0 &&
- inlen != (8 * (dopts->ip6d_len + 1)))
- return (EINVAL);
-
- if (checkonly)
- break;
-
- reterr = optcom_pkt_set(invalp, inlen, B_TRUE,
- (uchar_t **)&ipp->ipp_rtdstopts,
- &ipp->ipp_rtdstoptslen, 0);
- if (reterr != 0)
- return (reterr);
- if (ipp->ipp_rtdstoptslen == 0)
- ipp->ipp_fields &= ~IPPF_RTDSTOPTS;
- else
- ipp->ipp_fields |= IPPF_RTDSTOPTS;
- reterr = tcp_build_hdrs(tcp);
- if (reterr != 0)
- return (reterr);
- break;
- }
- case IPV6_DSTOPTS: {
- ip6_dest_t *dopts = (ip6_dest_t *)invalp;
-
- /*
- * Sanity checks - minimum size, size a multiple of
- * eight bytes, and matching size passed in.
- */
- if (inlen != 0 &&
- inlen != (8 * (dopts->ip6d_len + 1)))
- return (EINVAL);
-
- if (checkonly)
- break;
-
- reterr = optcom_pkt_set(invalp, inlen, B_TRUE,
- (uchar_t **)&ipp->ipp_dstopts,
- &ipp->ipp_dstoptslen, 0);
- if (reterr != 0)
- return (reterr);
- if (ipp->ipp_dstoptslen == 0)
- ipp->ipp_fields &= ~IPPF_DSTOPTS;
- else
- ipp->ipp_fields |= IPPF_DSTOPTS;
- reterr = tcp_build_hdrs(tcp);
- if (reterr != 0)
- return (reterr);
- break;
- }
- case IPV6_RTHDR: {
- ip6_rthdr_t *rt = (ip6_rthdr_t *)invalp;
-
- /*
- * Sanity checks - minimum size, size a multiple of
- * eight bytes, and matching size passed in.
- */
- if (inlen != 0 &&
- inlen != (8 * (rt->ip6r_len + 1)))
- return (EINVAL);
-
- if (checkonly)
- break;
-
- reterr = optcom_pkt_set(invalp, inlen, B_TRUE,
- (uchar_t **)&ipp->ipp_rthdr,
- &ipp->ipp_rthdrlen, 0);
- if (reterr != 0)
- return (reterr);
- if (ipp->ipp_rthdrlen == 0)
- ipp->ipp_fields &= ~IPPF_RTHDR;
- else
- ipp->ipp_fields |= IPPF_RTHDR;
- reterr = tcp_build_hdrs(tcp);
- if (reterr != 0)
- return (reterr);
- break;
- }
- case IPV6_V6ONLY:
- if (!checkonly) {
- tcp->tcp_connp->conn_ipv6_v6only = onoff;
}
break;
- case IPV6_USE_MIN_MTU:
- if (inlen != sizeof (int))
- return (EINVAL);
-
- if (*i1 < -1 || *i1 > 1)
- return (EINVAL);
-
- if (checkonly)
- break;
-
- ipp->ipp_fields |= IPPF_USE_MIN_MTU;
- ipp->ipp_use_min_mtu = *i1;
- break;
case IPV6_SEC_OPT:
/*
* We should not allow policy setting after
@@ -10759,30 +8390,18 @@ tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
*/
if (tcp->tcp_state == TCPS_LISTEN) {
return (EINVAL);
- } else {
- /* Handled at the IP level */
- return (-EINVAL);
- }
- case IPV6_SRC_PREFERENCES:
- if (inlen != sizeof (uint32_t))
- return (EINVAL);
- reterr = ip6_set_src_preferences(tcp->tcp_connp,
- *(uint32_t *)invalp);
- if (reterr != 0) {
- *outlenp = 0;
- return (reterr);
}
break;
- default:
- *outlenp = 0;
- return (EINVAL);
}
break;
- } /* end IPPROTO_IPV6 */
- default:
+ }
+ reterr = conn_opt_set(&coas, level, name, inlen, invalp,
+ checkonly, cr);
+ if (reterr != 0) {
*outlenp = 0;
- return (EINVAL);
+ return (reterr);
}
+
/*
* Common case of OK return with outval same as inval
*/
@@ -10791,6 +8410,45 @@ tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
(void) bcopy(invalp, outvalp, inlen);
}
*outlenp = inlen;
+
+ if (coas.coa_changed & COA_HEADER_CHANGED) {
+ reterr = tcp_build_hdrs(tcp);
+ if (reterr != 0)
+ return (reterr);
+ }
+ if (coas.coa_changed & COA_ROUTE_CHANGED) {
+ in6_addr_t nexthop;
+
+ /*
+ * If we are connected we re-cache the information.
+ * We ignore errors to preserve BSD behavior.
+ * Note that we don't redo IPsec policy lookup here
+ * since the final destination (or source) didn't change.
+ */
+ ip_attr_nexthop(&connp->conn_xmit_ipp, connp->conn_ixa,
+ &connp->conn_faddr_v6, &nexthop);
+
+ if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) &&
+ !IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_faddr_v6)) {
+ (void) ip_attr_connect(connp, connp->conn_ixa,
+ &connp->conn_laddr_v6, &connp->conn_faddr_v6,
+ &nexthop, connp->conn_fport, NULL, NULL,
+ IPDF_VERIFY_DST);
+ }
+ }
+ if ((coas.coa_changed & COA_SNDBUF_CHANGED) && !IPCL_IS_NONSTR(connp)) {
+ connp->conn_wq->q_hiwat = connp->conn_sndbuf;
+ }
+ if (coas.coa_changed & COA_WROFF_CHANGED) {
+ connp->conn_wroff = connp->conn_ht_iphc_allocated +
+ tcps->tcps_wroff_xtra;
+ (void) proto_set_tx_wroff(connp->conn_rq, connp,
+ connp->conn_wroff);
+ }
+ if (coas.coa_changed & COA_OOBINLINE_CHANGED) {
+ if (IPCL_IS_NONSTR(connp))
+ proto_set_rx_oob_opt(connp, onoff);
+ }
return (0);
}
@@ -10798,12 +8456,12 @@ tcp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
int
tcp_tpi_opt_set(queue_t *q, uint_t optset_context, int level, int name,
uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
- void *thisdg_attrs, cred_t *cr, mblk_t *mblk)
+ void *thisdg_attrs, cred_t *cr)
{
conn_t *connp = Q_TO_CONN(q);
return (tcp_opt_set(connp, optset_context, level, name, inlen, invalp,
- outlenp, outvalp, thisdg_attrs, cr, mblk));
+ outlenp, outvalp, thisdg_attrs, cr));
}
int
@@ -10843,7 +8501,6 @@ tcp_setsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
error = proto_opt_check(level, option_name, optlen, NULL,
tcp_opt_obj.odb_opt_des_arr,
tcp_opt_obj.odb_opt_arr_cnt,
- tcp_opt_obj.odb_topmost_tpiprovider,
B_TRUE, B_FALSE, cr);
if (error != 0) {
@@ -10856,292 +8513,75 @@ tcp_setsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
error = tcp_opt_set(connp, SETFN_OPTCOM_NEGOTIATE, level, option_name,
optlen, (uchar_t *)optvalp, (uint_t *)&optlen, (uchar_t *)optvalp,
- NULL, cr, NULL);
+ NULL, cr);
squeue_synch_exit(sqp, connp);
- if (error < 0) {
- /*
- * Pass on to ip
- */
- error = ip_set_options(connp, level, option_name, optvalp,
- optlen, cr);
- }
+ ASSERT(error >= 0);
+
return (error);
}
/*
- * Update tcp_sticky_hdrs based on tcp_sticky_ipp.
- * The headers include ip6i_t (if needed), ip6_t, any sticky extension
+ * Build/update the tcp header template (in conn_ht_iphc) based on
+ * conn_xmit_ipp. The headers include ip6_t, any extension
* headers, and the maximum size tcp header (to avoid reallocation
* on the fly for additional tcp options).
+ *
+ * Assumes the caller has already set conn_{faddr,laddr,fport,lport,flowinfo}.
* Returns failure if can't allocate memory.
*/
static int
tcp_build_hdrs(tcp_t *tcp)
{
- char *hdrs;
- uint_t hdrs_len;
- ip6i_t *ip6i;
- char buf[TCP_MAX_HDR_LENGTH];
- ip6_pkt_t *ipp = &tcp->tcp_sticky_ipp;
- in6_addr_t src, dst;
tcp_stack_t *tcps = tcp->tcp_tcps;
- conn_t *connp = tcp->tcp_connp;
+ conn_t *connp = tcp->tcp_connp;
+ tcpha_t *tcpha;
+ uint32_t cksum;
+ int error;
- /*
- * save the existing tcp header and source/dest IP addresses
- */
- bcopy(tcp->tcp_tcph, buf, tcp->tcp_tcp_hdr_len);
- src = tcp->tcp_ip6h->ip6_src;
- dst = tcp->tcp_ip6h->ip6_dst;
- hdrs_len = ip_total_hdrs_len_v6(ipp) + TCP_MAX_HDR_LENGTH;
- ASSERT(hdrs_len != 0);
- if (hdrs_len > tcp->tcp_iphc_len) {
- /* Need to reallocate */
- hdrs = kmem_zalloc(hdrs_len, KM_NOSLEEP);
- if (hdrs == NULL)
- return (ENOMEM);
- if (tcp->tcp_iphc != NULL) {
- if (tcp->tcp_hdr_grown) {
- kmem_free(tcp->tcp_iphc, tcp->tcp_iphc_len);
- } else {
- bzero(tcp->tcp_iphc, tcp->tcp_iphc_len);
- kmem_cache_free(tcp_iphc_cache, tcp->tcp_iphc);
- }
- tcp->tcp_iphc_len = 0;
- }
- ASSERT(tcp->tcp_iphc_len == 0);
- tcp->tcp_iphc = hdrs;
- tcp->tcp_iphc_len = hdrs_len;
- tcp->tcp_hdr_grown = B_TRUE;
- }
- ip_build_hdrs_v6((uchar_t *)tcp->tcp_iphc,
- hdrs_len - TCP_MAX_HDR_LENGTH, ipp, IPPROTO_TCP);
+ /* Grab lock to satisfy ASSERT; TCP is serialized using squeue */
+ mutex_enter(&connp->conn_lock);
+ error = conn_build_hdr_template(connp, TCP_MIN_HEADER_LENGTH,
+ TCP_MAX_TCP_OPTIONS_LENGTH, &connp->conn_laddr_v6,
+ &connp->conn_faddr_v6, connp->conn_flowinfo);
+ mutex_exit(&connp->conn_lock);
+ if (error != 0)
+ return (error);
- /* Set header fields not in ipp */
- if (ipp->ipp_fields & IPPF_HAS_IP6I) {
- ip6i = (ip6i_t *)tcp->tcp_iphc;
- tcp->tcp_ip6h = (ip6_t *)&ip6i[1];
- } else {
- tcp->tcp_ip6h = (ip6_t *)tcp->tcp_iphc;
- }
/*
- * tcp->tcp_ip_hdr_len will include ip6i_t if there is one.
- *
- * tcp->tcp_tcp_hdr_len doesn't change here.
+ * Any routing header/option has been massaged. The checksum difference
+ * is stored in conn_sum for later use.
*/
- tcp->tcp_ip_hdr_len = hdrs_len - TCP_MAX_HDR_LENGTH;
- tcp->tcp_tcph = (tcph_t *)(tcp->tcp_iphc + tcp->tcp_ip_hdr_len);
- tcp->tcp_hdr_len = tcp->tcp_ip_hdr_len + tcp->tcp_tcp_hdr_len;
+ tcpha = (tcpha_t *)connp->conn_ht_ulp;
+ tcp->tcp_tcpha = tcpha;
- bcopy(buf, tcp->tcp_tcph, tcp->tcp_tcp_hdr_len);
-
- tcp->tcp_ip6h->ip6_src = src;
- tcp->tcp_ip6h->ip6_dst = dst;
+ tcpha->tha_lport = connp->conn_lport;
+ tcpha->tha_fport = connp->conn_fport;
+ tcpha->tha_sum = 0;
+ tcpha->tha_offset_and_reserved = (5 << 4);
/*
- * If the hop limit was not set by ip_build_hdrs_v6(), set it to
- * the default value for TCP.
- */
- if (!(ipp->ipp_fields & IPPF_UNICAST_HOPS))
- tcp->tcp_ip6h->ip6_hops = tcps->tcps_ipv6_hoplimit;
-
- /*
- * If we're setting extension headers after a connection
- * has been established, and if we have a routing header
- * among the extension headers, call ip_massage_options_v6 to
- * manipulate the routing header/ip6_dst set the checksum
- * difference in the tcp header template.
- * (This happens in tcp_connect_ipv6 if the routing header
- * is set prior to the connect.)
- * Set the tcp_sum to zero first in case we've cleared a
- * routing header or don't have one at all.
+ * IP wants our header length in the checksum field to
+ * allow it to perform a single pseudo-header+checksum
+ * calculation on behalf of TCP.
+ * Include the adjustment for a source route once IP_OPTIONS is set.
*/
- tcp->tcp_sum = 0;
- if ((tcp->tcp_state >= TCPS_SYN_SENT) &&
- (tcp->tcp_ipp_fields & IPPF_RTHDR)) {
- ip6_rthdr_t *rth = ip_find_rthdr_v6(tcp->tcp_ip6h,
- (uint8_t *)tcp->tcp_tcph);
- if (rth != NULL) {
- tcp->tcp_sum = ip_massage_options_v6(tcp->tcp_ip6h,
- rth, tcps->tcps_netstack);
- tcp->tcp_sum = ntohs((tcp->tcp_sum & 0xFFFF) +
- (tcp->tcp_sum >> 16));
- }
- }
-
- /* Try to get everything in a single mblk */
- (void) proto_set_tx_wroff(tcp->tcp_rq, connp,
- hdrs_len + tcps->tcps_wroff_xtra);
- return (0);
-}
-
-/*
- * Transfer any source route option from ipha to buf/dst in reversed form.
- */
-static int
-tcp_opt_rev_src_route(ipha_t *ipha, char *buf, uchar_t *dst)
-{
- ipoptp_t opts;
- uchar_t *opt;
- uint8_t optval;
- uint8_t optlen;
- uint32_t len = 0;
-
- for (optval = ipoptp_first(&opts, ipha);
- optval != IPOPT_EOL;
- optval = ipoptp_next(&opts)) {
- opt = opts.ipoptp_cur;
- optlen = opts.ipoptp_len;
- switch (optval) {
- int off1, off2;
- case IPOPT_SSRR:
- case IPOPT_LSRR:
-
- /* Reverse source route */
- /*
- * First entry should be the next to last one in the
- * current source route (the last entry is our
- * address.)
- * The last entry should be the final destination.
- */
- buf[IPOPT_OPTVAL] = (uint8_t)optval;
- buf[IPOPT_OLEN] = (uint8_t)optlen;
- off1 = IPOPT_MINOFF_SR - 1;
- off2 = opt[IPOPT_OFFSET] - IP_ADDR_LEN - 1;
- if (off2 < 0) {
- /* No entries in source route */
- break;
- }
- bcopy(opt + off2, dst, IP_ADDR_LEN);
- /*
- * Note: use src since ipha has not had its src
- * and dst reversed (it is in the state it was
- * received.
- */
- bcopy(&ipha->ipha_src, buf + off2,
- IP_ADDR_LEN);
- off2 -= IP_ADDR_LEN;
-
- while (off2 > 0) {
- bcopy(opt + off2, buf + off1,
- IP_ADDR_LEN);
- off1 += IP_ADDR_LEN;
- off2 -= IP_ADDR_LEN;
- }
- buf[IPOPT_OFFSET] = IPOPT_MINOFF_SR;
- buf += optlen;
- len += optlen;
- break;
- }
- }
-done:
- /* Pad the resulting options */
- while (len & 0x3) {
- *buf++ = IPOPT_EOL;
- len++;
- }
- return (len);
-}
-
-
-/*
- * Extract and revert a source route from ipha (if any)
- * and then update the relevant fields in both tcp_t and the standard header.
- */
-static void
-tcp_opt_reverse(tcp_t *tcp, ipha_t *ipha)
-{
- char buf[TCP_MAX_HDR_LENGTH];
- uint_t tcph_len;
- int len;
-
- ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
- len = IPH_HDR_LENGTH(ipha);
- if (len == IP_SIMPLE_HDR_LENGTH)
- /* Nothing to do */
- return;
- if (len > IP_SIMPLE_HDR_LENGTH + TCP_MAX_IP_OPTIONS_LENGTH ||
- (len & 0x3))
- return;
-
- tcph_len = tcp->tcp_tcp_hdr_len;
- bcopy(tcp->tcp_tcph, buf, tcph_len);
- tcp->tcp_sum = (tcp->tcp_ipha->ipha_dst >> 16) +
- (tcp->tcp_ipha->ipha_dst & 0xffff);
- len = tcp_opt_rev_src_route(ipha, (char *)tcp->tcp_ipha +
- IP_SIMPLE_HDR_LENGTH, (uchar_t *)&tcp->tcp_ipha->ipha_dst);
- len += IP_SIMPLE_HDR_LENGTH;
- tcp->tcp_sum -= ((tcp->tcp_ipha->ipha_dst >> 16) +
- (tcp->tcp_ipha->ipha_dst & 0xffff));
- if ((int)tcp->tcp_sum < 0)
- tcp->tcp_sum--;
- tcp->tcp_sum = (tcp->tcp_sum & 0xFFFF) + (tcp->tcp_sum >> 16);
- tcp->tcp_sum = ntohs((tcp->tcp_sum & 0xFFFF) + (tcp->tcp_sum >> 16));
- tcp->tcp_tcph = (tcph_t *)((char *)tcp->tcp_ipha + len);
- bcopy(buf, tcp->tcp_tcph, tcph_len);
- tcp->tcp_ip_hdr_len = len;
- tcp->tcp_ipha->ipha_version_and_hdr_length =
- (IP_VERSION << 4) | (len >> 2);
- len += tcph_len;
- tcp->tcp_hdr_len = len;
-}
-
-/*
- * Copy the standard header into its new location,
- * lay in the new options and then update the relevant
- * fields in both tcp_t and the standard header.
- */
-static int
-tcp_opt_set_header(tcp_t *tcp, boolean_t checkonly, uchar_t *ptr, uint_t len)
-{
- uint_t tcph_len;
- uint8_t *ip_optp;
- tcph_t *new_tcph;
- tcp_stack_t *tcps = tcp->tcp_tcps;
- conn_t *connp = tcp->tcp_connp;
-
- if ((len > TCP_MAX_IP_OPTIONS_LENGTH) || (len & 0x3))
- return (EINVAL);
-
- if (len > IP_MAX_OPT_LENGTH - tcp->tcp_label_len)
- return (EINVAL);
-
- if (checkonly) {
- /*
- * do not really set, just pretend to - T_CHECK
- */
- return (0);
- }
+ cksum = sizeof (tcpha_t) + connp->conn_sum;
+ cksum = (cksum >> 16) + (cksum & 0xFFFF);
+ ASSERT(cksum < 0x10000);
+ tcpha->tha_sum = htons(cksum);
- ip_optp = (uint8_t *)tcp->tcp_ipha + IP_SIMPLE_HDR_LENGTH;
- if (tcp->tcp_label_len > 0) {
- int padlen;
- uint8_t opt;
+ if (connp->conn_ipversion == IPV4_VERSION)
+ tcp->tcp_ipha = (ipha_t *)connp->conn_ht_iphc;
+ else
+ tcp->tcp_ip6h = (ip6_t *)connp->conn_ht_iphc;
- /* convert list termination to no-ops */
- padlen = tcp->tcp_label_len - ip_optp[IPOPT_OLEN];
- ip_optp += ip_optp[IPOPT_OLEN];
- opt = len > 0 ? IPOPT_NOP : IPOPT_EOL;
- while (--padlen >= 0)
- *ip_optp++ = opt;
- }
- tcph_len = tcp->tcp_tcp_hdr_len;
- new_tcph = (tcph_t *)(ip_optp + len);
- ovbcopy(tcp->tcp_tcph, new_tcph, tcph_len);
- tcp->tcp_tcph = new_tcph;
- bcopy(ptr, ip_optp, len);
-
- len += IP_SIMPLE_HDR_LENGTH + tcp->tcp_label_len;
-
- tcp->tcp_ip_hdr_len = len;
- tcp->tcp_ipha->ipha_version_and_hdr_length =
- (IP_VERSION << 4) | (len >> 2);
- tcp->tcp_hdr_len = len + tcph_len;
- if (!TCP_IS_DETACHED(tcp)) {
- /* Always allocate room for all options. */
- (void) proto_set_tx_wroff(tcp->tcp_rq, connp,
- TCP_MAX_COMBINED_HEADER_LENGTH + tcps->tcps_wroff_xtra);
+ if (connp->conn_ht_iphc_allocated + tcps->tcps_wroff_xtra >
+ connp->conn_wroff) {
+ connp->conn_wroff = connp->conn_ht_iphc_allocated +
+ tcps->tcps_wroff_xtra;
+ (void) proto_set_tx_wroff(connp->conn_rq, connp,
+ connp->conn_wroff);
}
return (0);
}
@@ -11184,36 +8624,6 @@ tcp_param_register(IDP *ndp, tcpparam_t *tcppa, int cnt, tcp_stack_t *tcps)
nd_free(ndp);
return (B_FALSE);
}
- tcps->tcps_mdt_head_param = kmem_zalloc(sizeof (tcpparam_t),
- KM_SLEEP);
- bcopy(&lcl_tcp_mdt_head_param, tcps->tcps_mdt_head_param,
- sizeof (tcpparam_t));
- if (!nd_load(ndp, tcps->tcps_mdt_head_param->tcp_param_name,
- tcp_param_get, tcp_param_set_aligned,
- (caddr_t)tcps->tcps_mdt_head_param)) {
- nd_free(ndp);
- return (B_FALSE);
- }
- tcps->tcps_mdt_tail_param = kmem_zalloc(sizeof (tcpparam_t),
- KM_SLEEP);
- bcopy(&lcl_tcp_mdt_tail_param, tcps->tcps_mdt_tail_param,
- sizeof (tcpparam_t));
- if (!nd_load(ndp, tcps->tcps_mdt_tail_param->tcp_param_name,
- tcp_param_get, tcp_param_set_aligned,
- (caddr_t)tcps->tcps_mdt_tail_param)) {
- nd_free(ndp);
- return (B_FALSE);
- }
- tcps->tcps_mdt_max_pbufs_param = kmem_zalloc(sizeof (tcpparam_t),
- KM_SLEEP);
- bcopy(&lcl_tcp_mdt_max_pbufs_param, tcps->tcps_mdt_max_pbufs_param,
- sizeof (tcpparam_t));
- if (!nd_load(ndp, tcps->tcps_mdt_max_pbufs_param->tcp_param_name,
- tcp_param_get, tcp_param_set_aligned,
- (caddr_t)tcps->tcps_mdt_max_pbufs_param)) {
- nd_free(ndp);
- return (B_FALSE);
- }
if (!nd_load(ndp, "tcp_extra_priv_ports",
tcp_extra_priv_ports_get, NULL, NULL)) {
nd_free(ndp);
@@ -11248,7 +8658,7 @@ tcp_param_register(IDP *ndp, tcpparam_t *tcppa, int cnt, tcp_stack_t *tcps)
return (B_TRUE);
}
-/* ndd set routine for tcp_wroff_xtra, tcp_mdt_hdr_{head,tail}_min. */
+/* ndd set routine for tcp_wroff_xtra. */
/* ARGSUSED */
static int
tcp_param_set_aligned(queue_t *q, mblk_t *mp, char *value, caddr_t cp,
@@ -11307,6 +8717,7 @@ tcp_reass(tcp_t *tcp, mblk_t *mp, uint32_t start)
uint32_t u1;
tcp_stack_t *tcps = tcp->tcp_tcps;
+
/* Walk through all the new pieces. */
do {
ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
@@ -11433,9 +8844,10 @@ tcp_rwnd_reopen(tcp_t *tcp)
{
uint_t ret = 0;
uint_t thwin;
+ conn_t *connp = tcp->tcp_connp;
/* Learn the latest rwnd information that we sent to the other side. */
- thwin = ((uint_t)BE16_TO_U16(tcp->tcp_tcph->th_win))
+ thwin = ((uint_t)ntohs(tcp->tcp_tcpha->tha_win))
<< tcp->tcp_rcv_ws;
/* This is peer's calculated send window (our receive window). */
thwin -= tcp->tcp_rnxt - tcp->tcp_rack;
@@ -11444,7 +8856,7 @@ tcp_rwnd_reopen(tcp_t *tcp)
* SWS avoidance. This means that we need to check the increase of
* of receive window is at least 1 MSS.
*/
- if (tcp->tcp_recv_hiwater - thwin >= tcp->tcp_mss) {
+ if (connp->conn_rcvbuf - thwin >= tcp->tcp_mss) {
/*
* If the window that the other side knows is less than max
* deferred acks segments, send an update immediately.
@@ -11453,7 +8865,7 @@ tcp_rwnd_reopen(tcp_t *tcp)
BUMP_MIB(&tcp->tcp_tcps->tcps_mib, tcpOutWinUpdate);
ret = TH_ACK_NEEDED;
}
- tcp->tcp_rwnd = tcp->tcp_recv_hiwater;
+ tcp->tcp_rwnd = connp->conn_rcvbuf;
}
return (ret);
}
@@ -11469,7 +8881,7 @@ tcp_rcv_drain(tcp_t *tcp)
#ifdef DEBUG
uint_t cnt = 0;
#endif
- queue_t *q = tcp->tcp_rq;
+ queue_t *q = tcp->tcp_connp->conn_rq;
/* Can't drain on an eager connection */
if (tcp->tcp_listener != NULL)
@@ -11511,7 +8923,7 @@ tcp_rcv_drain(tcp_t *tcp)
if ((tcp->tcp_kssl_ctx != NULL) && (DB_TYPE(mp) == M_DATA)) {
DTRACE_PROBE1(kssl_mblk__ksslinput_rcvdrain,
mblk_t *, mp);
- tcp_kssl_input(tcp, mp);
+ tcp_kssl_input(tcp, mp, NULL);
continue;
}
putnext(q, mp);
@@ -11538,11 +8950,22 @@ tcp_rcv_drain(tcp_t *tcp)
* Other messages are added as new (b_next) elements.
*/
void
-tcp_rcv_enqueue(tcp_t *tcp, mblk_t *mp, uint_t seg_len)
+tcp_rcv_enqueue(tcp_t *tcp, mblk_t *mp, uint_t seg_len, cred_t *cr)
{
ASSERT(seg_len == msgdsize(mp));
ASSERT(tcp->tcp_rcv_list == NULL || tcp->tcp_rcv_last_head != NULL);
+ if (is_system_labeled()) {
+ ASSERT(cr != NULL || msg_getcred(mp, NULL) != NULL);
+ /*
+ * Provide for protocols above TCP such as RPC. NOPID leaves
+ * db_cpid unchanged.
+ * The cred could have already been set.
+ */
+ if (cr != NULL)
+ mblk_setcred(mp, cr, NOPID);
+ }
+
if (tcp->tcp_rcv_list == NULL) {
ASSERT(tcp->tcp_rcv_last_head == NULL);
tcp->tcp_rcv_list = mp;
@@ -11562,176 +8985,6 @@ tcp_rcv_enqueue(tcp_t *tcp, mblk_t *mp, uint_t seg_len)
tcp->tcp_rwnd -= seg_len;
}
-/*
- * DEFAULT TCP ENTRY POINT via squeue on READ side.
- *
- * This is the default entry function into TCP on the read side. TCP is
- * always entered via squeue i.e. using squeue's for mutual exclusion.
- * When classifier does a lookup to find the tcp, it also puts a reference
- * on the conn structure associated so the tcp is guaranteed to exist
- * when we come here. We still need to check the state because it might
- * as well has been closed. The squeue processing function i.e. squeue_enter,
- * is responsible for doing the CONN_DEC_REF.
- *
- * Apart from the default entry point, IP also sends packets directly to
- * tcp_rput_data for AF_INET fast path and tcp_conn_request for incoming
- * connections.
- */
-boolean_t tcp_outbound_squeue_switch = B_FALSE;
-void
-tcp_input(void *arg, mblk_t *mp, void *arg2)
-{
- conn_t *connp = (conn_t *)arg;
- tcp_t *tcp = (tcp_t *)connp->conn_tcp;
-
- /* arg2 is the sqp */
- ASSERT(arg2 != NULL);
- ASSERT(mp != NULL);
-
- /*
- * Don't accept any input on a closed tcp as this TCP logically does
- * not exist on the system. Don't proceed further with this TCP.
- * For eg. this packet could trigger another close of this tcp
- * which would be disastrous for tcp_refcnt. tcp_close_detached /
- * tcp_clean_death / tcp_closei_local must be called at most once
- * on a TCP. In this case we need to refeed the packet into the
- * classifier and figure out where the packet should go. Need to
- * preserve the recv_ill somehow. Until we figure that out, for
- * now just drop the packet if we can't classify the packet.
- */
- if (tcp->tcp_state == TCPS_CLOSED ||
- tcp->tcp_state == TCPS_BOUND) {
- conn_t *new_connp;
- ip_stack_t *ipst = tcp->tcp_tcps->tcps_netstack->netstack_ip;
-
- new_connp = ipcl_classify(mp, connp->conn_zoneid, ipst);
- if (new_connp != NULL) {
- tcp_reinput(new_connp, mp, arg2);
- return;
- }
- /* We failed to classify. For now just drop the packet */
- freemsg(mp);
- return;
- }
-
- if (DB_TYPE(mp) != M_DATA) {
- tcp_rput_common(tcp, mp);
- return;
- }
-
- if (mp->b_datap->db_struioflag & STRUIO_CONNECT) {
- squeue_t *final_sqp;
-
- mp->b_datap->db_struioflag &= ~STRUIO_CONNECT;
- final_sqp = (squeue_t *)DB_CKSUMSTART(mp);
- DB_CKSUMSTART(mp) = 0;
- if (tcp->tcp_state == TCPS_SYN_SENT &&
- connp->conn_final_sqp == NULL &&
- tcp_outbound_squeue_switch) {
- ASSERT(connp->conn_initial_sqp == connp->conn_sqp);
- connp->conn_final_sqp = final_sqp;
- if (connp->conn_final_sqp != connp->conn_sqp) {
- CONN_INC_REF(connp);
- SQUEUE_SWITCH(connp, connp->conn_final_sqp);
- SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
- tcp_rput_data, connp, ip_squeue_flag,
- SQTAG_CONNECT_FINISH);
- return;
- }
- }
- }
- tcp_rput_data(connp, mp, arg2);
-}
-
-/*
- * The read side put procedure.
- * The packets passed up by ip are assume to be aligned according to
- * OK_32PTR and the IP+TCP headers fitting in the first mblk.
- */
-static void
-tcp_rput_common(tcp_t *tcp, mblk_t *mp)
-{
- /*
- * tcp_rput_data() does not expect M_CTL except for the case
- * where tcp_ipv6_recvancillary is set and we get a IN_PKTINFO
- * type. Need to make sure that any other M_CTLs don't make
- * it to tcp_rput_data since it is not expecting any and doesn't
- * check for it.
- */
- if (DB_TYPE(mp) == M_CTL) {
- switch (*(uint32_t *)(mp->b_rptr)) {
- case TCP_IOC_ABORT_CONN:
- /*
- * Handle connection abort request.
- */
- tcp_ioctl_abort_handler(tcp, mp);
- return;
- case IPSEC_IN:
- /*
- * Only secure icmp arrive in TCP and they
- * don't go through data path.
- */
- tcp_icmp_error(tcp, mp);
- return;
- case IN_PKTINFO:
- /*
- * Handle IPV6_RECVPKTINFO socket option on AF_INET6
- * sockets that are receiving IPv4 traffic. tcp
- */
- ASSERT(tcp->tcp_family == AF_INET6);
- ASSERT(tcp->tcp_ipv6_recvancillary &
- TCP_IPV6_RECVPKTINFO);
- tcp_rput_data(tcp->tcp_connp, mp,
- tcp->tcp_connp->conn_sqp);
- return;
- case MDT_IOC_INFO_UPDATE:
- /*
- * Handle Multidata information update; the
- * following routine will free the message.
- */
- if (tcp->tcp_connp->conn_mdt_ok) {
- tcp_mdt_update(tcp,
- &((ip_mdt_info_t *)mp->b_rptr)->mdt_capab,
- B_FALSE);
- }
- freemsg(mp);
- return;
- case LSO_IOC_INFO_UPDATE:
- /*
- * Handle LSO information update; the following
- * routine will free the message.
- */
- if (tcp->tcp_connp->conn_lso_ok) {
- tcp_lso_update(tcp,
- &((ip_lso_info_t *)mp->b_rptr)->lso_capab);
- }
- freemsg(mp);
- return;
- default:
- /*
- * tcp_icmp_err() will process the M_CTL packets.
- * Non-ICMP packets, if any, will be discarded in
- * tcp_icmp_err(). We will process the ICMP packet
- * even if we are TCP_IS_DETACHED_NONEAGER as the
- * incoming ICMP packet may result in changing
- * the tcp_mss, which we would need if we have
- * packets to retransmit.
- */
- tcp_icmp_error(tcp, mp);
- return;
- }
- }
-
- /* No point processing the message if tcp is already closed */
- if (TCP_IS_DETACHED_NONEAGER(tcp)) {
- freemsg(mp);
- return;
- }
-
- tcp_rput_other(tcp, mp);
-}
-
-
/* The minimum of smoothed mean deviation in RTO calculation. */
#define TCP_SD_MIN 400
@@ -11885,12 +9138,12 @@ tcp_get_seg_mp(tcp_t *tcp, uint32_t seq, int32_t *off)
* segments. A segment is eligible if sack_cnt for that segment is greater
* than or equal tcp_dupack_fast_retransmit. After it has retransmitted
* all eligible segments, it checks to see if TCP can send some new segments
- * (fast recovery). If it can, set the appropriate flag for tcp_rput_data().
+ * (fast recovery). If it can, set the appropriate flag for tcp_input_data().
*
* Parameters:
* tcp_t *tcp: the tcp structure of the connection.
* uint_t *flags: in return, appropriate value will be set for
- * tcp_rput_data().
+ * tcp_input_data().
*/
static void
tcp_sack_rxmit(tcp_t *tcp, uint_t *flags)
@@ -11988,7 +9241,7 @@ tcp_sack_rxmit(tcp_t *tcp, uint_t *flags)
tcp->tcp_pipe += seg_len;
tcp->tcp_sack_snxt = begin + seg_len;
- tcp_send_data(tcp, tcp->tcp_wq, xmit_mp);
+ tcp_send_data(tcp, xmit_mp);
/*
* Update the send timestamp to avoid false retransmission.
@@ -12012,96 +9265,8 @@ tcp_sack_rxmit(tcp_t *tcp, uint_t *flags)
}
/*
- * This function handles policy checking at TCP level for non-hard_bound/
- * detached connections.
- */
-static boolean_t
-tcp_check_policy(tcp_t *tcp, mblk_t *first_mp, ipha_t *ipha, ip6_t *ip6h,
- boolean_t secure, boolean_t mctl_present)
-{
- ipsec_latch_t *ipl = NULL;
- ipsec_action_t *act = NULL;
- mblk_t *data_mp;
- ipsec_in_t *ii;
- const char *reason;
- kstat_named_t *counter;
- tcp_stack_t *tcps = tcp->tcp_tcps;
- ipsec_stack_t *ipss;
- ip_stack_t *ipst;
-
- ASSERT(mctl_present || !secure);
-
- ASSERT((ipha == NULL && ip6h != NULL) ||
- (ip6h == NULL && ipha != NULL));
-
- /*
- * We don't necessarily have an ipsec_in_act action to verify
- * policy because of assymetrical policy where we have only
- * outbound policy and no inbound policy (possible with global
- * policy).
- */
- if (!secure) {
- if (act == NULL || act->ipa_act.ipa_type == IPSEC_ACT_BYPASS ||
- act->ipa_act.ipa_type == IPSEC_ACT_CLEAR)
- return (B_TRUE);
- ipsec_log_policy_failure(IPSEC_POLICY_MISMATCH,
- "tcp_check_policy", ipha, ip6h, secure,
- tcps->tcps_netstack);
- ipss = tcps->tcps_netstack->netstack_ipsec;
-
- ip_drop_packet(first_mp, B_TRUE, NULL, NULL,
- DROPPER(ipss, ipds_tcp_clear),
- &tcps->tcps_dropper);
- return (B_FALSE);
- }
-
- /*
- * We have a secure packet.
- */
- if (act == NULL) {
- ipsec_log_policy_failure(IPSEC_POLICY_NOT_NEEDED,
- "tcp_check_policy", ipha, ip6h, secure,
- tcps->tcps_netstack);
- ipss = tcps->tcps_netstack->netstack_ipsec;
-
- ip_drop_packet(first_mp, B_TRUE, NULL, NULL,
- DROPPER(ipss, ipds_tcp_secure),
- &tcps->tcps_dropper);
- return (B_FALSE);
- }
-
- /*
- * XXX This whole routine is currently incorrect. ipl should
- * be set to the latch pointer, but is currently not set, so
- * we initialize it to NULL to avoid picking up random garbage.
- */
- if (ipl == NULL)
- return (B_TRUE);
-
- data_mp = first_mp->b_cont;
-
- ii = (ipsec_in_t *)first_mp->b_rptr;
-
- ipst = tcps->tcps_netstack->netstack_ip;
-
- if (ipsec_check_ipsecin_latch(ii, data_mp, ipl, ipha, ip6h, &reason,
- &counter, tcp->tcp_connp)) {
- BUMP_MIB(&ipst->ips_ip_mib, ipsecInSucceeded);
- return (B_TRUE);
- }
- (void) strlog(TCP_MOD_ID, 0, 0, SL_ERROR|SL_WARN|SL_CONSOLE,
- "tcp inbound policy mismatch: %s, packet dropped\n",
- reason);
- BUMP_MIB(&ipst->ips_ip_mib, ipsecInFailed);
-
- ip_drop_packet(first_mp, B_TRUE, NULL, NULL, counter,
- &tcps->tcps_dropper);
- return (B_FALSE);
-}
-
-/*
- * tcp_ss_rexmit() is called in tcp_rput_data() to do slow start
- * retransmission after a timeout.
+ * tcp_ss_rexmit() is called to do slow start retransmission after a timeout
+ * or ICMP errors.
*
* To limit the number of duplicate segments, we limit the number of segment
* to be sent in one time to tcp_snd_burst, the burst variable.
@@ -12150,7 +9315,7 @@ tcp_ss_rexmit(tcp_t *tcp)
if (xmit_mp == NULL)
return;
- tcp_send_data(tcp, tcp->tcp_wq, xmit_mp);
+ tcp_send_data(tcp, xmit_mp);
snxt += cnt;
win -= cnt;
@@ -12184,7 +9349,7 @@ tcp_ss_rexmit(tcp_t *tcp)
/*
* Process all TCP option in SYN segment. Note that this function should
- * be called after tcp_adapt_ire() is called so that the necessary info
+ * be called after tcp_set_destination() is called so that the necessary info
* from IRE is already set in the tcp structure.
*
* This function sets up the correct tcp_mss value according to the
@@ -12194,16 +9359,17 @@ tcp_ss_rexmit(tcp_t *tcp)
* should do the appropriate change.
*/
void
-tcp_process_options(tcp_t *tcp, tcph_t *tcph)
+tcp_process_options(tcp_t *tcp, tcpha_t *tcpha)
{
int options;
tcp_opt_t tcpopt;
uint32_t mss_max;
char *tmp_tcph;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
tcpopt.tcp = NULL;
- options = tcp_parse_options(tcph, &tcpopt);
+ options = tcp_parse_options(tcpha, &tcpopt);
/*
* Process MSS option. Note that MSS option value does not account
@@ -12212,12 +9378,12 @@ tcp_process_options(tcp_t *tcp, tcph_t *tcph)
* IPv6.
*/
if (!(options & TCP_OPT_MSS_PRESENT)) {
- if (tcp->tcp_ipversion == IPV4_VERSION)
+ if (connp->conn_ipversion == IPV4_VERSION)
tcpopt.tcp_opt_mss = tcps->tcps_mss_def_ipv4;
else
tcpopt.tcp_opt_mss = tcps->tcps_mss_def_ipv6;
} else {
- if (tcp->tcp_ipversion == IPV4_VERSION)
+ if (connp->conn_ipversion == IPV4_VERSION)
mss_max = tcps->tcps_mss_max_ipv4;
else
mss_max = tcps->tcps_mss_max_ipv6;
@@ -12240,23 +9406,23 @@ tcp_process_options(tcp_t *tcp, tcph_t *tcph)
/* Process Timestamp option. */
if ((options & TCP_OPT_TSTAMP_PRESENT) &&
(tcp->tcp_snd_ts_ok || TCP_IS_DETACHED(tcp))) {
- tmp_tcph = (char *)tcp->tcp_tcph;
+ tmp_tcph = (char *)tcp->tcp_tcpha;
tcp->tcp_snd_ts_ok = B_TRUE;
tcp->tcp_ts_recent = tcpopt.tcp_opt_ts_val;
tcp->tcp_last_rcv_lbolt = lbolt64;
ASSERT(OK_32PTR(tmp_tcph));
- ASSERT(tcp->tcp_tcp_hdr_len == TCP_MIN_HEADER_LENGTH);
+ ASSERT(connp->conn_ht_ulp_len == TCP_MIN_HEADER_LENGTH);
/* Fill in our template header with basic timestamp option. */
- tmp_tcph += tcp->tcp_tcp_hdr_len;
+ tmp_tcph += connp->conn_ht_ulp_len;
tmp_tcph[0] = TCPOPT_NOP;
tmp_tcph[1] = TCPOPT_NOP;
tmp_tcph[2] = TCPOPT_TSTAMP;
tmp_tcph[3] = TCPOPT_TSTAMP_LEN;
- tcp->tcp_hdr_len += TCPOPT_REAL_TS_LEN;
- tcp->tcp_tcp_hdr_len += TCPOPT_REAL_TS_LEN;
- tcp->tcp_tcph->th_offset_and_rsrvd[0] += (3 << 4);
+ connp->conn_ht_iphc_len += TCPOPT_REAL_TS_LEN;
+ connp->conn_ht_ulp_len += TCPOPT_REAL_TS_LEN;
+ tcp->tcp_tcpha->tha_offset_and_reserved += (3 << 4);
} else {
tcp->tcp_snd_ts_ok = B_FALSE;
}
@@ -12266,12 +9432,11 @@ tcp_process_options(tcp_t *tcp, tcph_t *tcph)
* then allocate the SACK info structure. Note the following ways
* when tcp_snd_sack_ok is set to true.
*
- * For active connection: in tcp_adapt_ire() called in
- * tcp_rput_other(), or in tcp_rput_other() when tcp_sack_permitted
- * is checked.
+ * For active connection: in tcp_set_destination() called in
+ * tcp_connect().
*
- * For passive connection: in tcp_adapt_ire() called in
- * tcp_accept_comm().
+ * For passive connection: in tcp_set_destination() called in
+ * tcp_input_listener().
*
* That's the reason why the extra TCP_IS_DETACHED() check is there.
* That check makes sure that if we did not send a SACK OK option,
@@ -12320,7 +9485,8 @@ tcp_process_options(tcp_t *tcp, tcph_t *tcph)
* Now we know the exact TCP/IP header length, subtract
* that from tcp_mss to get our side's MSS.
*/
- tcp->tcp_mss -= tcp->tcp_hdr_len;
+ tcp->tcp_mss -= connp->conn_ht_iphc_len;
+
/*
* Here we assume that the other side's header size will be equal to
* our header size. We calculate the real MSS accordingly. Need to
@@ -12328,22 +9494,29 @@ tcp_process_options(tcp_t *tcp, tcph_t *tcph)
*
* Real MSS = Opt.MSS - (our TCP/IP header - min TCP/IP header)
*/
- tcpopt.tcp_opt_mss -= tcp->tcp_hdr_len + tcp->tcp_ipsec_overhead -
- ((tcp->tcp_ipversion == IPV4_VERSION ?
+ tcpopt.tcp_opt_mss -= connp->conn_ht_iphc_len +
+ tcp->tcp_ipsec_overhead -
+ ((connp->conn_ipversion == IPV4_VERSION ?
IP_SIMPLE_HDR_LENGTH : IPV6_HDR_LEN) + TCP_MIN_HEADER_LENGTH);
/*
* Set MSS to the smaller one of both ends of the connection.
* We should not have called tcp_mss_set() before, but our
* side of the MSS should have been set to a proper value
- * by tcp_adapt_ire(). tcp_mss_set() will also set up the
+ * by tcp_set_destination(). tcp_mss_set() will also set up the
* STREAM head parameters properly.
*
* If we have a larger-than-16-bit window but the other side
* didn't want to do window scale, tcp_rwnd_set() will take
* care of that.
*/
- tcp_mss_set(tcp, MIN(tcpopt.tcp_opt_mss, tcp->tcp_mss), B_TRUE);
+ tcp_mss_set(tcp, MIN(tcpopt.tcp_opt_mss, tcp->tcp_mss));
+
+ /*
+ * Initialize tcp_cwnd value. After tcp_mss_set(), tcp_mss has been
+ * updated properly.
+ */
+ SET_TCP_INIT_CWND(tcp, tcp->tcp_mss, tcps->tcps_slow_start_initial);
}
/*
@@ -12410,7 +9583,7 @@ tcp_send_conn_ind(void *arg, mblk_t *mp, void *arg2)
tcp_t *tail;
/*
- * The eager already has an extra ref put in tcp_rput_data
+ * The eager already has an extra ref put in tcp_input_data
* so that it stays till accept comes back even though it
* might get into TCPS_CLOSED as a result of a TH_RST etc.
*/
@@ -12496,8 +9669,8 @@ tcp_send_conn_ind(void *arg, mblk_t *mp, void *arg2)
* remote host. This proves the IP addr is good.
* Cache it!
*/
- addr_cache[IP_ADDR_CACHE_HASH(
- tcp->tcp_remote)] = tcp->tcp_remote;
+ addr_cache[IP_ADDR_CACHE_HASH(tcp->tcp_connp->conn_faddr_v4)] =
+ tcp->tcp_connp->conn_faddr_v4;
}
mutex_exit(&listener->tcp_eager_lock);
if (need_send_conn_ind)
@@ -12513,17 +9686,16 @@ tcp_ulp_newconn(conn_t *lconnp, conn_t *econnp, mblk_t *mp)
{
if (IPCL_IS_NONSTR(lconnp)) {
cred_t *cr;
- pid_t cpid;
-
- cr = msg_getcred(mp, &cpid);
+ pid_t cpid = NOPID;
ASSERT(econnp->conn_tcp->tcp_listener == lconnp->conn_tcp);
ASSERT(econnp->conn_tcp->tcp_saved_listener ==
lconnp->conn_tcp);
+ cr = msg_getcred(mp, &cpid);
+
/* Keep the message around in case of a fallback to TPI */
econnp->conn_tcp->tcp_conn.tcp_eager_conn_ind = mp;
-
/*
* Notify the ULP about the newconn. It is guaranteed that no
* tcp_accept() call will be made for the eager if the
@@ -12545,177 +9717,83 @@ tcp_ulp_newconn(conn_t *lconnp, conn_t *econnp, mblk_t *mp)
econnp->conn_tcp->tcp_conn_req_seqnum);
}
} else {
- putnext(lconnp->conn_tcp->tcp_rq, mp);
+ putnext(lconnp->conn_rq, mp);
}
}
-mblk_t *
-tcp_find_pktinfo(tcp_t *tcp, mblk_t *mp, uint_t *ipversp, uint_t *ip_hdr_lenp,
- uint_t *ifindexp, ip6_pkt_t *ippp)
+/*
+ * Handle a packet that has been reclassified by TCP.
+ * This function drops the ref on connp that the caller had.
+ */
+static void
+tcp_reinput(conn_t *connp, mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst)
{
- ip_pktinfo_t *pinfo;
- ip6_t *ip6h;
- uchar_t *rptr;
- mblk_t *first_mp = mp;
- boolean_t mctl_present = B_FALSE;
- uint_t ifindex = 0;
- ip6_pkt_t ipp;
- uint_t ipvers;
- uint_t ip_hdr_len;
- tcp_stack_t *tcps = tcp->tcp_tcps;
+ ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
- rptr = mp->b_rptr;
- ASSERT(OK_32PTR(rptr));
- ASSERT(tcp != NULL);
- ipp.ipp_fields = 0;
+ if (connp->conn_incoming_ifindex != 0 &&
+ connp->conn_incoming_ifindex != ira->ira_ruifindex) {
+ freemsg(mp);
+ CONN_DEC_REF(connp);
+ return;
+ }
- switch DB_TYPE(mp) {
- case M_CTL:
- mp = mp->b_cont;
- if (mp == NULL) {
- freemsg(first_mp);
- return (NULL);
+ if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) ||
+ (ira->ira_flags & IRAF_IPSEC_SECURE)) {
+ ip6_t *ip6h;
+ ipha_t *ipha;
+
+ if (ira->ira_flags & IRAF_IS_IPV4) {
+ ipha = (ipha_t *)mp->b_rptr;
+ ip6h = NULL;
+ } else {
+ ipha = NULL;
+ ip6h = (ip6_t *)mp->b_rptr;
}
- if (DB_TYPE(mp) != M_DATA) {
- freemsg(first_mp);
- return (NULL);
+ mp = ipsec_check_inbound_policy(mp, connp, ipha, ip6h, ira);
+ if (mp == NULL) {
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
+ /* Note that mp is NULL */
+ ip_drop_input("ipIfStatsInDiscards", mp, NULL);
+ CONN_DEC_REF(connp);
+ return;
}
- mctl_present = B_TRUE;
- break;
- case M_DATA:
- break;
- default:
- cmn_err(CE_NOTE, "tcp_find_pktinfo: unknown db_type");
- freemsg(mp);
- return (NULL);
}
- ipvers = IPH_HDR_VERSION(rptr);
- if (ipvers == IPV4_VERSION) {
- if (tcp == NULL) {
- ip_hdr_len = IPH_HDR_LENGTH(rptr);
- goto done;
- }
-
- ipp.ipp_fields |= IPPF_HOPLIMIT;
- ipp.ipp_hoplimit = ((ipha_t *)rptr)->ipha_ttl;
+ if (IPCL_IS_TCP(connp)) {
/*
- * If we have IN_PKTINFO in an M_CTL and tcp_ipv6_recvancillary
- * has TCP_IPV6_RECVPKTINFO set, pass I/F index along in ipp.
+ * do not drain, certain use cases can blow
+ * the stack
*/
- if ((tcp->tcp_ipv6_recvancillary & TCP_IPV6_RECVPKTINFO) &&
- mctl_present) {
- pinfo = (ip_pktinfo_t *)first_mp->b_rptr;
- if ((MBLKL(first_mp) == sizeof (ip_pktinfo_t)) &&
- (pinfo->ip_pkt_ulp_type == IN_PKTINFO) &&
- (pinfo->ip_pkt_flags & IPF_RECVIF)) {
- ipp.ipp_fields |= IPPF_IFINDEX;
- ipp.ipp_ifindex = pinfo->ip_pkt_ifindex;
- ifindex = pinfo->ip_pkt_ifindex;
- }
- freeb(first_mp);
- mctl_present = B_FALSE;
- }
- ip_hdr_len = IPH_HDR_LENGTH(rptr);
+ SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
+ connp->conn_recv, connp, ira,
+ SQ_NODRAIN, SQTAG_IP_TCP_INPUT);
} else {
- ip6h = (ip6_t *)rptr;
-
- ASSERT(ipvers == IPV6_VERSION);
- ipp.ipp_fields = IPPF_HOPLIMIT | IPPF_TCLASS;
- ipp.ipp_tclass = (ip6h->ip6_flow & 0x0FF00000) >> 20;
- ipp.ipp_hoplimit = ip6h->ip6_hops;
-
- if (ip6h->ip6_nxt != IPPROTO_TCP) {
- uint8_t nexthdrp;
- ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
-
- /* Look for ifindex information */
- if (ip6h->ip6_nxt == IPPROTO_RAW) {
- ip6i_t *ip6i = (ip6i_t *)ip6h;
- if ((uchar_t *)&ip6i[1] > mp->b_wptr) {
- BUMP_MIB(&ipst->ips_ip_mib, tcpInErrs);
- freemsg(first_mp);
- return (NULL);
- }
-
- if (ip6i->ip6i_flags & IP6I_IFINDEX) {
- ASSERT(ip6i->ip6i_ifindex != 0);
- ipp.ipp_fields |= IPPF_IFINDEX;
- ipp.ipp_ifindex = ip6i->ip6i_ifindex;
- ifindex = ip6i->ip6i_ifindex;
- }
- rptr = (uchar_t *)&ip6i[1];
- mp->b_rptr = rptr;
- if (rptr == mp->b_wptr) {
- mblk_t *mp1;
- mp1 = mp->b_cont;
- freeb(mp);
- mp = mp1;
- rptr = mp->b_rptr;
- }
- if (MBLKL(mp) < IPV6_HDR_LEN +
- sizeof (tcph_t)) {
- BUMP_MIB(&ipst->ips_ip_mib, tcpInErrs);
- freemsg(first_mp);
- return (NULL);
- }
- ip6h = (ip6_t *)rptr;
- }
-
- /*
- * Find any potentially interesting extension headers
- * as well as the length of the IPv6 + extension
- * headers.
- */
- ip_hdr_len = ip_find_hdr_v6(mp, ip6h, &ipp, &nexthdrp);
- /* Verify if this is a TCP packet */
- if (nexthdrp != IPPROTO_TCP) {
- BUMP_MIB(&ipst->ips_ip_mib, tcpInErrs);
- freemsg(first_mp);
- return (NULL);
- }
- } else {
- ip_hdr_len = IPV6_HDR_LEN;
- }
+ /* Not TCP; must be SOCK_RAW, IPPROTO_TCP */
+ (connp->conn_recv)(connp, mp, NULL,
+ ira);
+ CONN_DEC_REF(connp);
}
-done:
- if (ipversp != NULL)
- *ipversp = ipvers;
- if (ip_hdr_lenp != NULL)
- *ip_hdr_lenp = ip_hdr_len;
- if (ippp != NULL)
- *ippp = ipp;
- if (ifindexp != NULL)
- *ifindexp = ifindex;
- if (mctl_present) {
- freeb(first_mp);
- }
- return (mp);
}
+boolean_t tcp_outbound_squeue_switch = B_FALSE;
+
/*
* Handle M_DATA messages from IP. Its called directly from IP via
- * squeue for AF_INET type sockets fast path. No M_CTL are expected
- * in this path.
- *
- * For everything else (including AF_INET6 sockets with 'tcp_ipversion'
- * v4 and v6), we are called through tcp_input() and a M_CTL can
- * be present for options but tcp_find_pktinfo() deals with it. We
- * only expect M_DATA packets after tcp_find_pktinfo() is done.
+ * squeue for received IP packets.
*
* The first argument is always the connp/tcp to which the mp belongs.
* There are no exceptions to this rule. The caller has already put
- * a reference on this connp/tcp and once tcp_rput_data() returns,
+ * a reference on this connp/tcp and once tcp_input_data() returns,
* the squeue will do the refrele.
*
- * The TH_SYN for the listener directly go to tcp_conn_request via
- * squeue.
+ * The TH_SYN for the listener directly go to tcp_input_listener via
+ * squeue. ICMP errors go directly to tcp_icmp_input().
*
* sqp: NULL = recursive, sqp != NULL means called from squeue
*/
void
-tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
+tcp_input_data(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
{
int32_t bytes_acked;
int32_t gap;
@@ -12729,11 +9807,10 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
int seg_len;
uint_t ip_hdr_len;
uint32_t seg_seq;
- tcph_t *tcph;
+ tcpha_t *tcpha;
int urp;
tcp_opt_t tcpopt;
- uint_t ipvers;
- ip6_pkt_t ipp;
+ ip_pkt_t ipp;
boolean_t ofo_seg = B_FALSE; /* Out of order segment */
uint32_t cwnd;
uint32_t add;
@@ -12756,33 +9833,43 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
rptr = mp->b_rptr;
ASSERT(OK_32PTR(rptr));
- /*
- * An AF_INET socket is not capable of receiving any pktinfo. Do inline
- * processing here. For rest call tcp_find_pktinfo to fill up the
- * necessary information.
- */
- if (IPCL_IS_TCP4(connp)) {
- ipvers = IPV4_VERSION;
- ip_hdr_len = IPH_HDR_LENGTH(rptr);
- } else {
- mp = tcp_find_pktinfo(tcp, mp, &ipvers, &ip_hdr_len,
- NULL, &ipp);
- if (mp == NULL) {
- TCP_STAT(tcps, tcp_rput_v6_error);
- return;
+ ip_hdr_len = ira->ira_ip_hdr_length;
+ if (connp->conn_recv_ancillary.crb_all != 0) {
+ /*
+ * Record packet information in the ip_pkt_t
+ */
+ ipp.ipp_fields = 0;
+ if (ira->ira_flags & IRAF_IS_IPV4) {
+ (void) ip_find_hdr_v4((ipha_t *)rptr, &ipp,
+ B_FALSE);
+ } else {
+ uint8_t nexthdrp;
+
+ /*
+ * IPv6 packets can only be received by applications
+ * that are prepared to receive IPv6 addresses.
+ * The IP fanout must ensure this.
+ */
+ ASSERT(connp->conn_family == AF_INET6);
+
+ (void) ip_find_hdr_v6(mp, (ip6_t *)rptr, B_TRUE, &ipp,
+ &nexthdrp);
+ ASSERT(nexthdrp == IPPROTO_TCP);
+
+ /* Could have caused a pullup? */
+ iphdr = mp->b_rptr;
+ rptr = mp->b_rptr;
}
- iphdr = mp->b_rptr;
- rptr = mp->b_rptr;
}
ASSERT(DB_TYPE(mp) == M_DATA);
ASSERT(mp->b_next == NULL);
- tcph = (tcph_t *)&rptr[ip_hdr_len];
- seg_seq = ABE32_TO_U32(tcph->th_seq);
- seg_ack = ABE32_TO_U32(tcph->th_ack);
+ tcpha = (tcpha_t *)&rptr[ip_hdr_len];
+ seg_seq = ntohl(tcpha->tha_seq);
+ seg_ack = ntohl(tcpha->tha_ack);
ASSERT((uintptr_t)(mp->b_wptr - rptr) <= (uintptr_t)INT_MAX);
seg_len = (int)(mp->b_wptr - rptr) -
- (ip_hdr_len + TCP_HDR_LENGTH(tcph));
+ (ip_hdr_len + TCP_HDR_LENGTH(tcpha));
if ((mp1 = mp->b_cont) != NULL && mp1->b_datap->db_type == M_DATA) {
do {
ASSERT((uintptr_t)(mp1->b_wptr - mp1->b_rptr) <=
@@ -12794,7 +9881,7 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
if (tcp->tcp_state == TCPS_TIME_WAIT) {
tcp_time_wait_processing(tcp, mp, seg_seq, seg_ack,
- seg_len, tcph);
+ seg_len, tcpha, ira);
return;
}
@@ -12809,7 +9896,7 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
tcp->tcp_last_recv_time = lbolt;
}
- flags = (unsigned int)tcph->th_flags[0] & 0xFF;
+ flags = (unsigned int)tcpha->tha_flags & 0xFF;
BUMP_LOCAL(tcp->tcp_ibsegs);
DTRACE_PROBE2(tcp__trace__recv, mblk_t *, mp, tcp_t *, tcp);
@@ -12840,7 +9927,7 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
}
/* Update pointers into message */
iphdr = rptr = mp->b_rptr;
- tcph = (tcph_t *)&rptr[ip_hdr_len];
+ tcpha = (tcpha_t *)&rptr[ip_hdr_len];
if (SEQ_GT(seg_seq, tcp->tcp_rnxt)) {
/*
* Since we can't handle any data with this urgent
@@ -12849,13 +9936,29 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
* the urgent mark and generate the M_PCSIG,
* which we can do.
*/
- mp->b_wptr = (uchar_t *)tcph + TCP_HDR_LENGTH(tcph);
+ mp->b_wptr = (uchar_t *)tcpha + TCP_HDR_LENGTH(tcpha);
seg_len = 0;
}
}
switch (tcp->tcp_state) {
case TCPS_SYN_SENT:
+ if (connp->conn_final_sqp == NULL &&
+ tcp_outbound_squeue_switch && sqp != NULL) {
+ ASSERT(connp->conn_initial_sqp == connp->conn_sqp);
+ connp->conn_final_sqp = sqp;
+ if (connp->conn_final_sqp != connp->conn_sqp) {
+ DTRACE_PROBE1(conn__final__sqp__switch,
+ conn_t *, connp);
+ CONN_INC_REF(connp);
+ SQUEUE_SWITCH(connp, connp->conn_final_sqp);
+ SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
+ tcp_input_data, connp, ira, ip_squeue_flag,
+ SQTAG_CONNECT_FINISH);
+ return;
+ }
+ DTRACE_PROBE1(conn__final__sqp__same, conn_t *, connp);
+ }
if (flags & TH_ACK) {
/*
* Note that our stack cannot send data before a
@@ -12887,13 +9990,13 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
}
/* Process all TCP options. */
- tcp_process_options(tcp, tcph);
+ tcp_process_options(tcp, tcpha);
/*
* The following changes our rwnd to be a multiple of the
* MIN(peer MSS, our MSS) for performance reason.
*/
- (void) tcp_rwnd_set(tcp,
- MSS_ROUNDUP(tcp->tcp_recv_hiwater, tcp->tcp_mss));
+ (void) tcp_rwnd_set(tcp, MSS_ROUNDUP(connp->conn_rcvbuf,
+ tcp->tcp_mss));
/* Is the other end ECN capable? */
if (tcp->tcp_ecn_ok) {
@@ -12910,21 +10013,17 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
tcp->tcp_irs = seg_seq;
tcp->tcp_rack = seg_seq;
tcp->tcp_rnxt = seg_seq + 1;
- U32_TO_ABE32(tcp->tcp_rnxt, tcp->tcp_tcph->th_ack);
+ tcp->tcp_tcpha->tha_ack = htonl(tcp->tcp_rnxt);
if (!TCP_IS_DETACHED(tcp)) {
/* Allocate room for SACK options if needed. */
- if (tcp->tcp_snd_sack_ok) {
- (void) proto_set_tx_wroff(tcp->tcp_rq, connp,
- tcp->tcp_hdr_len +
- TCPOPT_MAX_SACK_LEN +
- (tcp->tcp_loopback ? 0 :
- tcps->tcps_wroff_xtra));
- } else {
- (void) proto_set_tx_wroff(tcp->tcp_rq, connp,
- tcp->tcp_hdr_len +
- (tcp->tcp_loopback ? 0 :
- tcps->tcps_wroff_xtra));
- }
+ connp->conn_wroff = connp->conn_ht_iphc_len;
+ if (tcp->tcp_snd_sack_ok)
+ connp->conn_wroff += TCPOPT_MAX_SACK_LEN;
+ if (!tcp->tcp_loopback)
+ connp->conn_wroff += tcps->tcps_wroff_xtra;
+
+ (void) proto_set_tx_wroff(connp->conn_rq, connp,
+ connp->conn_wroff);
}
if (flags & TH_ACK) {
/*
@@ -12944,15 +10043,14 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
* sending up connection confirmation
*/
tcp->tcp_state = TCPS_ESTABLISHED;
- if (!tcp_conn_con(tcp, iphdr, tcph, mp,
- tcp->tcp_loopback ? &mp1 : NULL)) {
+ if (!tcp_conn_con(tcp, iphdr, mp,
+ tcp->tcp_loopback ? &mp1 : NULL, ira)) {
tcp->tcp_state = TCPS_SYN_SENT;
freemsg(mp);
return;
}
/* SYN was acked - making progress */
- if (tcp->tcp_ipversion == IPV6_VERSION)
- tcp->tcp_ip_forward_progress = B_TRUE;
+ tcp->tcp_ip_forward_progress = B_TRUE;
/* One for the SYN */
tcp->tcp_suna = tcp->tcp_iss + 1;
@@ -12983,7 +10081,7 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
tcp->tcp_swl1 = seg_seq;
tcp->tcp_swl2 = seg_ack;
- new_swnd = BE16_TO_U16(tcph->th_win);
+ new_swnd = ntohs(tcpha->tha_win);
tcp->tcp_swnd = new_swnd;
if (new_swnd > tcp->tcp_max_swnd)
tcp->tcp_max_swnd = new_swnd;
@@ -13022,22 +10120,25 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
tcp->tcp_ack_tid);
tcp->tcp_ack_tid = 0;
}
- tcp_send_data(tcp, tcp->tcp_wq, ack_mp);
+ tcp_send_data(tcp, ack_mp);
BUMP_LOCAL(tcp->tcp_obsegs);
BUMP_MIB(&tcps->tcps_mib, tcpOutAck);
if (!IPCL_IS_NONSTR(connp)) {
/* Send up T_CONN_CON */
- putnext(tcp->tcp_rq, mp1);
+ if (ira->ira_cred != NULL) {
+ mblk_setcred(mp1,
+ ira->ira_cred,
+ ira->ira_cpid);
+ }
+ putnext(connp->conn_rq, mp1);
} else {
- cred_t *cr;
- pid_t cpid;
-
- cr = msg_getcred(mp1, &cpid);
(*connp->conn_upcalls->
su_connected)
(connp->conn_upper_handle,
- tcp->tcp_connid, cr, cpid);
+ tcp->tcp_connid,
+ ira->ira_cred,
+ ira->ira_cpid);
freemsg(mp1);
}
@@ -13054,15 +10155,16 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
TCP_STAT(tcps, tcp_fusion_unfusable);
tcp->tcp_unfusable = B_TRUE;
if (!IPCL_IS_NONSTR(connp)) {
- putnext(tcp->tcp_rq, mp1);
+ if (ira->ira_cred != NULL) {
+ mblk_setcred(mp1, ira->ira_cred,
+ ira->ira_cpid);
+ }
+ putnext(connp->conn_rq, mp1);
} else {
- cred_t *cr;
- pid_t cpid;
-
- cr = msg_getcred(mp1, &cpid);
(*connp->conn_upcalls->su_connected)
(connp->conn_upper_handle,
- tcp->tcp_connid, cr, cpid);
+ tcp->tcp_connid, ira->ira_cred,
+ ira->ira_cpid);
freemsg(mp1);
}
}
@@ -13089,13 +10191,8 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
tcp->tcp_state = TCPS_SYN_RCVD;
mp1 = tcp_xmit_mp(tcp, tcp->tcp_xmit_head, tcp->tcp_mss,
NULL, NULL, tcp->tcp_iss, B_FALSE, NULL, B_FALSE);
- if (mp1) {
- /*
- * See comment in tcp_conn_request() for why we use
- * the open() time pid here.
- */
- DB_CPID(mp1) = tcp->tcp_cpid;
- tcp_send_data(tcp, tcp->tcp_wq, mp1);
+ if (mp1 != NULL) {
+ tcp_send_data(tcp, mp1);
TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
}
freemsg(mp);
@@ -13146,9 +10243,20 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
conn_t *new_connp;
ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
- new_connp = ipcl_classify(mp, connp->conn_zoneid, ipst);
+ /*
+ * Don't accept any input on a closed tcp as this TCP logically
+ * does not exist on the system. Don't proceed further with
+ * this TCP. For instance, this packet could trigger another
+ * close of this tcp which would be disastrous for tcp_refcnt.
+ * tcp_close_detached / tcp_clean_death / tcp_closei_local must
+ * be called at most once on a TCP. In this case we need to
+ * refeed the packet into the classifier and figure out where
+ * the packet should go.
+ */
+ new_connp = ipcl_classify(mp, ira, ipst);
if (new_connp != NULL) {
- tcp_reinput(new_connp, mp, connp->conn_sqp);
+ /* Drops ref on new_connp */
+ tcp_reinput(new_connp, mp, ira, ipst);
return;
}
/* We failed to classify. For now just drop the packet */
@@ -13194,7 +10302,7 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
tcp->tcp_kssl_ctx = NULL;
tcp->tcp_rnxt += seg_len;
- U32_TO_ABE32(tcp->tcp_rnxt, tcp->tcp_tcph->th_ack);
+ tcp->tcp_tcpha->tha_ack = htonl(tcp->tcp_rnxt);
flags |= TH_ACK_NEEDED;
goto ack_check;
}
@@ -13205,13 +10313,13 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
return;
}
- mp->b_rptr = (uchar_t *)tcph + TCP_HDR_LENGTH(tcph);
- urp = BE16_TO_U16(tcph->th_urp) - TCP_OLD_URP_INTERPRETATION;
- new_swnd = BE16_TO_U16(tcph->th_win) <<
- ((tcph->th_flags[0] & TH_SYN) ? 0 : tcp->tcp_snd_ws);
+ mp->b_rptr = (uchar_t *)tcpha + TCP_HDR_LENGTH(tcpha);
+ urp = ntohs(tcpha->tha_urp) - TCP_OLD_URP_INTERPRETATION;
+ new_swnd = ntohs(tcpha->tha_win) <<
+ ((tcpha->tha_flags & TH_SYN) ? 0 : tcp->tcp_snd_ws);
if (tcp->tcp_snd_ts_ok) {
- if (!tcp_paws_check(tcp, tcph, &tcpopt)) {
+ if (!tcp_paws_check(tcp, tcpha, &tcpopt)) {
/*
* This segment is not acceptable.
* Drop it and send back an ACK.
@@ -13227,7 +10335,7 @@ tcp_rput_data(void *arg, mblk_t *mp, void *arg2)
* SACK info in already updated in tcp_parse_options. Ignore
* all other TCP options...
*/
- (void) tcp_parse_options(tcph, &tcpopt);
+ (void) tcp_parse_options(tcpha, &tcpopt);
}
try_again:;
mss = tcp->tcp_mss;
@@ -13289,7 +10397,7 @@ try_again:;
* Adjust seg_len to the original value for tracing.
*/
seg_len -= gap;
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
"tcp_rput: unacceptable, gap %d, rgap %d, "
"flags 0x%x, seg_seq %u, seg_ack %u, "
@@ -13436,7 +10544,7 @@ try_again:;
return;
}
if (!TCP_IS_DETACHED(tcp) &&
- !putnextctl1(tcp->tcp_rq,
+ !putnextctl1(connp->conn_rq,
M_PCSIG, SIGURG)) {
/* Try again on the rexmit. */
freemsg(mp1);
@@ -13505,7 +10613,7 @@ ok:;
* same segment. In this case, we once again turn
* on ECN_ECHO.
*/
- if (tcp->tcp_ipversion == IPV4_VERSION) {
+ if (connp->conn_ipversion == IPV4_VERSION) {
uchar_t tos = ((ipha_t *)rptr)->ipha_type_of_service;
if ((tos & IPH_ECN_CE) == IPH_ECN_CE) {
@@ -13705,7 +10813,7 @@ ok:;
return;
}
if (!TCP_IS_DETACHED(tcp) &&
- !putnextctl1(tcp->tcp_rq, M_PCSIG,
+ !putnextctl1(connp->conn_rq, M_PCSIG,
SIGURG)) {
/* Try again on the rexmit. */
freemsg(mp1);
@@ -13739,7 +10847,7 @@ ok:;
} else if (tcp->tcp_urp_mark_mp != NULL) {
/*
* An allocation failure prevented the previous
- * tcp_rput_data from sending up the allocated
+ * tcp_input_data from sending up the allocated
* MSG*MARKNEXT message - send it up this time
* around.
*/
@@ -13775,14 +10883,14 @@ ok:;
*/
(void) adjmsg(mp,
urp - seg_len);
- tcp_rput_data(connp,
- mp, NULL);
+ tcp_input_data(connp,
+ mp, NULL, ira);
return;
}
(void) adjmsg(mp1, urp - seg_len);
/* Feed this piece back in. */
tmp_rnxt = tcp->tcp_rnxt;
- tcp_rput_data(connp, mp1, NULL);
+ tcp_input_data(connp, mp1, NULL, ira);
/*
* If the data passed back in was not
* processed (ie: bad ACK) sending
@@ -13811,13 +10919,13 @@ ok:;
*/
(void) adjmsg(mp,
urp + 1 - seg_len);
- tcp_rput_data(connp,
- mp, NULL);
+ tcp_input_data(connp,
+ mp, NULL, ira);
return;
}
(void) adjmsg(mp1, urp + 1 - seg_len);
tmp_rnxt = tcp->tcp_rnxt;
- tcp_rput_data(connp, mp1, NULL);
+ tcp_input_data(connp, mp1, NULL, ira);
/*
* If the data passed back in was not
* processed (ie: bad ACK) sending
@@ -13831,7 +10939,7 @@ ok:;
return;
}
}
- tcp_rput_data(connp, mp, NULL);
+ tcp_input_data(connp, mp, NULL, ira);
return;
}
/*
@@ -13960,7 +11068,7 @@ process_ack:
}
bytes_acked = (int)(seg_ack - tcp->tcp_suna);
- if (tcp->tcp_ipversion == IPV6_VERSION && bytes_acked > 0)
+ if (bytes_acked > 0)
tcp->tcp_ip_forward_progress = B_TRUE;
if (tcp->tcp_state == TCPS_SYN_RCVD) {
if ((tcp->tcp_conn.tcp_eager_conn_ind != NULL) &&
@@ -13983,7 +11091,7 @@ process_ack:
/*
* The listener also exists because of the refhold
- * done in tcp_conn_request. Its possible that it
+ * done in tcp_input_listener. Its possible that it
* might have closed. We will check that once we
* get inside listeners context.
*/
@@ -14005,12 +11113,12 @@ process_ack:
} else if (!tcp->tcp_loopback) {
SQUEUE_ENTER_ONE(listener->tcp_connp->conn_sqp,
mp, tcp_send_conn_ind,
- listener->tcp_connp, SQ_FILL,
+ listener->tcp_connp, NULL, SQ_FILL,
SQTAG_TCP_CONN_IND);
} else {
SQUEUE_ENTER_ONE(listener->tcp_connp->conn_sqp,
mp, tcp_send_conn_ind,
- listener->tcp_connp, SQ_PROCESS,
+ listener->tcp_connp, NULL, SQ_PROCESS,
SQTAG_TCP_CONN_IND);
}
}
@@ -14026,7 +11134,7 @@ process_ack:
*/
tcp->tcp_state = TCPS_ESTABLISHED;
if (tcp->tcp_active_open) {
- if (!tcp_conn_con(tcp, iphdr, tcph, mp, NULL)) {
+ if (!tcp_conn_con(tcp, iphdr, mp, NULL, ira)) {
freemsg(mp);
tcp->tcp_state = TCPS_SYN_RCVD;
return;
@@ -14044,8 +11152,7 @@ process_ack:
tcp->tcp_suna = tcp->tcp_iss + 1; /* One for the SYN */
bytes_acked--;
/* SYN was acked - making progress */
- if (tcp->tcp_ipversion == IPV6_VERSION)
- tcp->tcp_ip_forward_progress = B_TRUE;
+ tcp->tcp_ip_forward_progress = B_TRUE;
/*
* If SYN was retransmitted, need to reset all
@@ -14083,7 +11190,7 @@ process_ack:
/* Fuse when both sides are in ESTABLISHED state */
if (tcp->tcp_loopback && do_tcp_fusion)
- tcp_fuse(tcp, iphdr, tcph);
+ tcp_fuse(tcp, iphdr, tcpha);
}
/* This code follows 4.4BSD-Lite2 mostly. */
@@ -14388,7 +11495,7 @@ process_ack:
if (mp != NULL) {
BUMP_LOCAL(tcp->tcp_obsegs);
BUMP_MIB(&tcps->tcps_mib, tcpOutAck);
- tcp_send_data(tcp, tcp->tcp_wq, mp);
+ tcp_send_data(tcp, mp);
}
return;
}
@@ -14487,7 +11594,6 @@ process_ack:
}
} else {
tcp->tcp_rexmit = B_FALSE;
- tcp->tcp_xmit_zc_clean = B_FALSE;
tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
tcp->tcp_snd_burst = tcp->tcp_localnet ?
TCP_CWND_INFINITE : TCP_CWND_NORMAL;
@@ -14662,8 +11768,7 @@ fin_acked:
tcp->tcp_xmit_tail = NULL;
if (tcp->tcp_fin_sent) {
/* FIN was acked - making progress */
- if (tcp->tcp_ipversion == IPV6_VERSION &&
- !tcp->tcp_fin_acked)
+ if (!tcp->tcp_fin_acked)
tcp->tcp_ip_forward_progress = B_TRUE;
tcp->tcp_fin_acked = B_TRUE;
if (tcp->tcp_linger_tid != 0 &&
@@ -14781,7 +11886,7 @@ est:
* bit so this TIME-WAIT connection won't
* interfere with new ones.
*/
- tcp->tcp_exclbind = 0;
+ connp->conn_exclbind = 0;
if (!TCP_IS_DETACHED(tcp)) {
TCP_TIMER_RESTART(tcp,
tcps->tcps_time_wait_interval);
@@ -14805,8 +11910,8 @@ est:
if (!tcp->tcp_fin_rcvd) {
tcp->tcp_fin_rcvd = B_TRUE;
tcp->tcp_rnxt++;
- tcph = tcp->tcp_tcph;
- U32_TO_ABE32(tcp->tcp_rnxt, tcph->th_ack);
+ tcpha = tcp->tcp_tcpha;
+ tcpha->tha_ack = htonl(tcp->tcp_rnxt);
/*
* Generate the ordrel_ind at the end unless we
@@ -14815,7 +11920,7 @@ est:
* after tcp_accept is done.
*/
if (tcp->tcp_listener == NULL &&
- !TCP_IS_DETACHED(tcp) && (!tcp->tcp_hard_binding))
+ !TCP_IS_DETACHED(tcp) && !tcp->tcp_hard_binding)
flags |= TH_ORDREL_NEEDED;
switch (tcp->tcp_state) {
case TCPS_SYN_RCVD:
@@ -14836,7 +11941,7 @@ est:
* bit so this TIME-WAIT connection won't
* interfere with new ones.
*/
- tcp->tcp_exclbind = 0;
+ connp->conn_exclbind = 0;
if (!TCP_IS_DETACHED(tcp)) {
TCP_TIMER_RESTART(tcp,
tcps->tcps_time_wait_interval);
@@ -14872,7 +11977,7 @@ est:
freeb(mp1);
}
update_ack:
- tcph = tcp->tcp_tcph;
+ tcpha = tcp->tcp_tcpha;
tcp->tcp_rack_cnt++;
{
uint32_t cur_max;
@@ -14915,7 +12020,7 @@ update_ack:
}
}
tcp->tcp_rnxt += seg_len;
- U32_TO_ABE32(tcp->tcp_rnxt, tcph->th_ack);
+ tcpha->tha_ack = htonl(tcp->tcp_rnxt);
if (mp == NULL)
goto xmit_check;
@@ -14942,12 +12047,13 @@ update_ack:
/*
* Check for ancillary data changes compared to last segment.
*/
- if (tcp->tcp_ipv6_recvancillary != 0) {
- mp = tcp_rput_add_ancillary(tcp, mp, &ipp);
- ASSERT(mp != NULL);
+ if (connp->conn_recv_ancillary.crb_all != 0) {
+ mp = tcp_input_add_ancillary(tcp, mp, &ipp, ira);
+ if (mp == NULL)
+ return;
}
- if (tcp->tcp_listener || tcp->tcp_hard_binding) {
+ if (tcp->tcp_listener != NULL || tcp->tcp_hard_binding) {
/*
* Side queue inbound data until the accept happens.
* tcp_accept/tcp_rput drains this when the accept happens.
@@ -14961,9 +12067,9 @@ update_ack:
if (tcp->tcp_kssl_pending) {
DTRACE_PROBE1(kssl_mblk__ksslinput_pending,
mblk_t *, mp);
- tcp_kssl_input(tcp, mp);
+ tcp_kssl_input(tcp, mp, ira->ira_cred);
} else {
- tcp_rcv_enqueue(tcp, mp, seg_len);
+ tcp_rcv_enqueue(tcp, mp, seg_len, ira->ira_cred);
}
} else if (IPCL_IS_NONSTR(connp)) {
/*
@@ -15015,19 +12121,22 @@ update_ack:
(DB_TYPE(mp) == M_DATA)) {
DTRACE_PROBE1(kssl_mblk__ksslinput_data1,
mblk_t *, mp);
- tcp_kssl_input(tcp, mp);
+ tcp_kssl_input(tcp, mp, ira->ira_cred);
} else {
- putnext(tcp->tcp_rq, mp);
- if (!canputnext(tcp->tcp_rq))
+ if (is_system_labeled())
+ tcp_setcred_data(mp, ira);
+
+ putnext(connp->conn_rq, mp);
+ if (!canputnext(connp->conn_rq))
tcp->tcp_rwnd -= seg_len;
}
} else if ((tcp->tcp_kssl_ctx != NULL) &&
(DB_TYPE(mp) == M_DATA)) {
/* Does this need SSL processing first? */
DTRACE_PROBE1(kssl_mblk__ksslinput_data2, mblk_t *, mp);
- tcp_kssl_input(tcp, mp);
+ tcp_kssl_input(tcp, mp, ira->ira_cred);
} else if ((flags & (TH_PUSH|TH_FIN)) ||
- tcp->tcp_rcv_cnt + seg_len >= tcp->tcp_recv_hiwater >> 3) {
+ tcp->tcp_rcv_cnt + seg_len >= connp->conn_rcvbuf >> 3) {
if (tcp->tcp_rcv_list != NULL) {
/*
* Enqueue the new segment first and then
@@ -15042,11 +12151,15 @@ update_ack:
* canputnext() as tcp_rcv_drain() needs to
* call canputnext().
*/
- tcp_rcv_enqueue(tcp, mp, seg_len);
+ tcp_rcv_enqueue(tcp, mp, seg_len,
+ ira->ira_cred);
flags |= tcp_rcv_drain(tcp);
} else {
- putnext(tcp->tcp_rq, mp);
- if (!canputnext(tcp->tcp_rq))
+ if (is_system_labeled())
+ tcp_setcred_data(mp, ira);
+
+ putnext(connp->conn_rq, mp);
+ if (!canputnext(connp->conn_rq))
tcp->tcp_rwnd -= seg_len;
}
} else {
@@ -15054,7 +12167,7 @@ update_ack:
* Enqueue all packets when processing an mblk
* from the co queue and also enqueue normal packets.
*/
- tcp_rcv_enqueue(tcp, mp, seg_len);
+ tcp_rcv_enqueue(tcp, mp, seg_len, ira->ira_cred);
}
/*
* Make sure the timer is running if we have data waiting
@@ -15103,7 +12216,7 @@ xmit_check:
BUMP_MIB(&tcps->tcps_mib, tcpRetransSegs);
UPDATE_MIB(&tcps->tcps_mib,
tcpRetransBytes, snd_size);
- tcp_send_data(tcp, tcp->tcp_wq, mp1);
+ tcp_send_data(tcp, mp1);
}
}
if (flags & TH_NEED_SACK_REXMIT) {
@@ -15155,7 +12268,10 @@ ack_check:
ASSERT(tcp->tcp_rcv_list == NULL || tcp->tcp_fused_sigurg);
mp1 = tcp->tcp_urp_mark_mp;
tcp->tcp_urp_mark_mp = NULL;
- putnext(tcp->tcp_rq, mp1);
+ if (is_system_labeled())
+ tcp_setcred_data(mp1, ira);
+
+ putnext(connp->conn_rq, mp1);
#ifdef DEBUG
(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
"tcp_rput: sending zero-length %s %s",
@@ -15172,7 +12288,7 @@ ack_check:
mp1 = tcp_ack_mp(tcp);
if (mp1 != NULL) {
- tcp_send_data(tcp, tcp->tcp_wq, mp1);
+ tcp_send_data(tcp, mp1);
BUMP_LOCAL(tcp->tcp_obsegs);
BUMP_MIB(&tcps->tcps_mib, tcpOutAck);
}
@@ -15200,6 +12316,7 @@ ack_check:
* after tcp_accept is done.
*/
ASSERT(tcp->tcp_listener == NULL);
+ ASSERT(!tcp->tcp_detached);
if (IPCL_IS_NONSTR(connp)) {
ASSERT(tcp->tcp_ordrel_mp == NULL);
@@ -15220,7 +12337,7 @@ ack_check:
mp1 = tcp->tcp_ordrel_mp;
tcp->tcp_ordrel_mp = NULL;
tcp->tcp_ordrel_done = B_TRUE;
- putnext(tcp->tcp_rq, mp1);
+ putnext(connp->conn_rq, mp1);
}
done:
ASSERT(!(flags & TH_MARKNEXT_NEEDED));
@@ -15251,21 +12368,22 @@ tcp_update_xmit_tail(tcp_t *tcp, uint32_t snxt)
* segment passes the PAWS test, else returns B_FALSE.
*/
boolean_t
-tcp_paws_check(tcp_t *tcp, tcph_t *tcph, tcp_opt_t *tcpoptp)
+tcp_paws_check(tcp_t *tcp, tcpha_t *tcpha, tcp_opt_t *tcpoptp)
{
uint8_t flags;
int options;
uint8_t *up;
+ conn_t *connp = tcp->tcp_connp;
- flags = (unsigned int)tcph->th_flags[0] & 0xFF;
+ flags = (unsigned int)tcpha->tha_flags & 0xFF;
/*
* If timestamp option is aligned nicely, get values inline,
* otherwise call general routine to parse. Only do that
* if timestamp is the only option.
*/
- if (TCP_HDR_LENGTH(tcph) == (uint32_t)TCP_MIN_HEADER_LENGTH +
+ if (TCP_HDR_LENGTH(tcpha) == (uint32_t)TCP_MIN_HEADER_LENGTH +
TCPOPT_REAL_TS_LEN &&
- OK_32PTR((up = ((uint8_t *)tcph) +
+ OK_32PTR((up = ((uint8_t *)tcpha) +
TCP_MIN_HEADER_LENGTH)) &&
*(uint32_t *)up == TCPOPT_NOP_NOP_TSTAMP) {
tcpoptp->tcp_opt_ts_val = ABE32_TO_U32((up+4));
@@ -15278,7 +12396,7 @@ tcp_paws_check(tcp_t *tcp, tcph_t *tcph, tcp_opt_t *tcpoptp)
} else {
tcpoptp->tcp = NULL;
}
- options = tcp_parse_options(tcph, tcpoptp);
+ options = tcp_parse_options(tcpha, tcpoptp);
}
if (options & TCP_OPT_TSTAMP_PRESENT) {
@@ -15311,16 +12429,15 @@ tcp_paws_check(tcp_t *tcp, tcph_t *tcph, tcp_opt_t *tcpoptp)
*/
tcp->tcp_snd_ts_ok = B_FALSE;
- tcp->tcp_hdr_len -= TCPOPT_REAL_TS_LEN;
- tcp->tcp_tcp_hdr_len -= TCPOPT_REAL_TS_LEN;
- tcp->tcp_tcph->th_offset_and_rsrvd[0] -= (3 << 4);
+ connp->conn_ht_iphc_len -= TCPOPT_REAL_TS_LEN;
+ connp->conn_ht_ulp_len -= TCPOPT_REAL_TS_LEN;
+ tcp->tcp_tcpha->tha_offset_and_reserved -= (3 << 4);
/*
- * Adjust the tcp_mss accordingly. We also need to
- * adjust tcp_cwnd here in accordance with the new mss.
- * But we avoid doing a slow start here so as to not
- * to lose on the transfer rate built up so far.
+ * Adjust the tcp_mss and tcp_cwnd accordingly. We avoid
+ * doing a slow start here so as to not to lose on the
+ * transfer rate built up so far.
*/
- tcp_mss_set(tcp, tcp->tcp_mss + TCPOPT_REAL_TS_LEN, B_FALSE);
+ tcp_mss_set(tcp, tcp->tcp_mss + TCPOPT_REAL_TS_LEN);
if (tcp->tcp_snd_sack_ok) {
ASSERT(tcp->tcp_sack_info != NULL);
tcp->tcp_max_sack_blk = 4;
@@ -15338,38 +12455,37 @@ tcp_paws_check(tcp_t *tcp, tcph_t *tcph, tcp_opt_t *tcpoptp)
* when memory allocation fails we can just wait for the next data segment.
*/
static mblk_t *
-tcp_rput_add_ancillary(tcp_t *tcp, mblk_t *mp, ip6_pkt_t *ipp)
+tcp_input_add_ancillary(tcp_t *tcp, mblk_t *mp, ip_pkt_t *ipp,
+ ip_recv_attr_t *ira)
{
struct T_optdata_ind *todi;
int optlen;
uchar_t *optptr;
struct T_opthdr *toh;
- uint_t addflag; /* Which pieces to add */
+ crb_t addflag; /* Which pieces to add */
mblk_t *mp1;
+ conn_t *connp = tcp->tcp_connp;
optlen = 0;
- addflag = 0;
+ addflag.crb_all = 0;
/* If app asked for pktinfo and the index has changed ... */
- if ((ipp->ipp_fields & IPPF_IFINDEX) &&
- ipp->ipp_ifindex != tcp->tcp_recvifindex &&
- (tcp->tcp_ipv6_recvancillary & TCP_IPV6_RECVPKTINFO)) {
+ if (connp->conn_recv_ancillary.crb_ip_recvpktinfo &&
+ ira->ira_ruifindex != tcp->tcp_recvifindex) {
optlen += sizeof (struct T_opthdr) +
sizeof (struct in6_pktinfo);
- addflag |= TCP_IPV6_RECVPKTINFO;
+ addflag.crb_ip_recvpktinfo = 1;
}
/* If app asked for hoplimit and it has changed ... */
- if ((ipp->ipp_fields & IPPF_HOPLIMIT) &&
- ipp->ipp_hoplimit != tcp->tcp_recvhops &&
- (tcp->tcp_ipv6_recvancillary & TCP_IPV6_RECVHOPLIMIT)) {
+ if (connp->conn_recv_ancillary.crb_ipv6_recvhoplimit &&
+ ipp->ipp_hoplimit != tcp->tcp_recvhops) {
optlen += sizeof (struct T_opthdr) + sizeof (uint_t);
- addflag |= TCP_IPV6_RECVHOPLIMIT;
+ addflag.crb_ipv6_recvhoplimit = 1;
}
/* If app asked for tclass and it has changed ... */
- if ((ipp->ipp_fields & IPPF_TCLASS) &&
- ipp->ipp_tclass != tcp->tcp_recvtclass &&
- (tcp->tcp_ipv6_recvancillary & TCP_IPV6_RECVTCLASS)) {
+ if (connp->conn_recv_ancillary.crb_ipv6_recvtclass &&
+ ipp->ipp_tclass != tcp->tcp_recvtclass) {
optlen += sizeof (struct T_opthdr) + sizeof (uint_t);
- addflag |= TCP_IPV6_RECVTCLASS;
+ addflag.crb_ipv6_recvtclass = 1;
}
/*
* If app asked for hopbyhop headers and it has changed ...
@@ -15377,51 +12493,51 @@ tcp_rput_add_ancillary(tcp_t *tcp, mblk_t *mp, ip6_pkt_t *ipp)
* a connected socket at all, (2) we're connected to at most one peer,
* (3) if anything changes, then it must be some other extra option.
*/
- if ((tcp->tcp_ipv6_recvancillary & TCP_IPV6_RECVHOPOPTS) &&
+ if (connp->conn_recv_ancillary.crb_ipv6_recvhopopts &&
ip_cmpbuf(tcp->tcp_hopopts, tcp->tcp_hopoptslen,
(ipp->ipp_fields & IPPF_HOPOPTS),
ipp->ipp_hopopts, ipp->ipp_hopoptslen)) {
- optlen += sizeof (struct T_opthdr) + ipp->ipp_hopoptslen -
- tcp->tcp_label_len;
- addflag |= TCP_IPV6_RECVHOPOPTS;
+ optlen += sizeof (struct T_opthdr) + ipp->ipp_hopoptslen;
+ addflag.crb_ipv6_recvhopopts = 1;
if (!ip_allocbuf((void **)&tcp->tcp_hopopts,
&tcp->tcp_hopoptslen, (ipp->ipp_fields & IPPF_HOPOPTS),
ipp->ipp_hopopts, ipp->ipp_hopoptslen))
return (mp);
}
/* If app asked for dst headers before routing headers ... */
- if ((tcp->tcp_ipv6_recvancillary & TCP_IPV6_RECVRTDSTOPTS) &&
- ip_cmpbuf(tcp->tcp_rtdstopts, tcp->tcp_rtdstoptslen,
- (ipp->ipp_fields & IPPF_RTDSTOPTS),
- ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen)) {
+ if (connp->conn_recv_ancillary.crb_ipv6_recvrthdrdstopts &&
+ ip_cmpbuf(tcp->tcp_rthdrdstopts, tcp->tcp_rthdrdstoptslen,
+ (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
+ ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen)) {
optlen += sizeof (struct T_opthdr) +
- ipp->ipp_rtdstoptslen;
- addflag |= TCP_IPV6_RECVRTDSTOPTS;
- if (!ip_allocbuf((void **)&tcp->tcp_rtdstopts,
- &tcp->tcp_rtdstoptslen, (ipp->ipp_fields & IPPF_RTDSTOPTS),
- ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen))
+ ipp->ipp_rthdrdstoptslen;
+ addflag.crb_ipv6_recvrthdrdstopts = 1;
+ if (!ip_allocbuf((void **)&tcp->tcp_rthdrdstopts,
+ &tcp->tcp_rthdrdstoptslen,
+ (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
+ ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen))
return (mp);
}
/* If app asked for routing headers and it has changed ... */
- if ((tcp->tcp_ipv6_recvancillary & TCP_IPV6_RECVRTHDR) &&
+ if (connp->conn_recv_ancillary.crb_ipv6_recvrthdr &&
ip_cmpbuf(tcp->tcp_rthdr, tcp->tcp_rthdrlen,
(ipp->ipp_fields & IPPF_RTHDR),
ipp->ipp_rthdr, ipp->ipp_rthdrlen)) {
optlen += sizeof (struct T_opthdr) + ipp->ipp_rthdrlen;
- addflag |= TCP_IPV6_RECVRTHDR;
+ addflag.crb_ipv6_recvrthdr = 1;
if (!ip_allocbuf((void **)&tcp->tcp_rthdr,
&tcp->tcp_rthdrlen, (ipp->ipp_fields & IPPF_RTHDR),
ipp->ipp_rthdr, ipp->ipp_rthdrlen))
return (mp);
}
/* If app asked for dest headers and it has changed ... */
- if ((tcp->tcp_ipv6_recvancillary &
- (TCP_IPV6_RECVDSTOPTS | TCP_OLD_IPV6_RECVDSTOPTS)) &&
+ if ((connp->conn_recv_ancillary.crb_ipv6_recvdstopts ||
+ connp->conn_recv_ancillary.crb_old_ipv6_recvdstopts) &&
ip_cmpbuf(tcp->tcp_dstopts, tcp->tcp_dstoptslen,
(ipp->ipp_fields & IPPF_DSTOPTS),
ipp->ipp_dstopts, ipp->ipp_dstoptslen)) {
optlen += sizeof (struct T_opthdr) + ipp->ipp_dstoptslen;
- addflag |= TCP_IPV6_RECVDSTOPTS;
+ addflag.crb_ipv6_recvdstopts = 1;
if (!ip_allocbuf((void **)&tcp->tcp_dstopts,
&tcp->tcp_dstoptslen, (ipp->ipp_fields & IPPF_DSTOPTS),
ipp->ipp_dstopts, ipp->ipp_dstoptslen))
@@ -15454,9 +12570,11 @@ tcp_rput_add_ancillary(tcp_t *tcp, mblk_t *mp, ip6_pkt_t *ipp)
* If app asked for pktinfo and the index has changed ...
* Note that the local address never changes for the connection.
*/
- if (addflag & TCP_IPV6_RECVPKTINFO) {
+ if (addflag.crb_ip_recvpktinfo) {
struct in6_pktinfo *pkti;
+ uint_t ifindex;
+ ifindex = ira->ira_ruifindex;
toh = (struct T_opthdr *)optptr;
toh->level = IPPROTO_IPV6;
toh->name = IPV6_PKTINFO;
@@ -15464,19 +12582,15 @@ tcp_rput_add_ancillary(tcp_t *tcp, mblk_t *mp, ip6_pkt_t *ipp)
toh->status = 0;
optptr += sizeof (*toh);
pkti = (struct in6_pktinfo *)optptr;
- if (tcp->tcp_ipversion == IPV6_VERSION)
- pkti->ipi6_addr = tcp->tcp_ip6h->ip6_src;
- else
- IN6_IPADDR_TO_V4MAPPED(tcp->tcp_ipha->ipha_src,
- &pkti->ipi6_addr);
- pkti->ipi6_ifindex = ipp->ipp_ifindex;
+ pkti->ipi6_addr = connp->conn_laddr_v6;
+ pkti->ipi6_ifindex = ifindex;
optptr += sizeof (*pkti);
ASSERT(OK_32PTR(optptr));
/* Save as "last" value */
- tcp->tcp_recvifindex = ipp->ipp_ifindex;
+ tcp->tcp_recvifindex = ifindex;
}
/* If app asked for hoplimit and it has changed ... */
- if (addflag & TCP_IPV6_RECVHOPLIMIT) {
+ if (addflag.crb_ipv6_recvhoplimit) {
toh = (struct T_opthdr *)optptr;
toh->level = IPPROTO_IPV6;
toh->name = IPV6_HOPLIMIT;
@@ -15490,7 +12604,7 @@ tcp_rput_add_ancillary(tcp_t *tcp, mblk_t *mp, ip6_pkt_t *ipp)
tcp->tcp_recvhops = ipp->ipp_hoplimit;
}
/* If app asked for tclass and it has changed ... */
- if (addflag & TCP_IPV6_RECVTCLASS) {
+ if (addflag.crb_ipv6_recvtclass) {
toh = (struct T_opthdr *)optptr;
toh->level = IPPROTO_IPV6;
toh->name = IPV6_TCLASS;
@@ -15503,40 +12617,38 @@ tcp_rput_add_ancillary(tcp_t *tcp, mblk_t *mp, ip6_pkt_t *ipp)
/* Save as "last" value */
tcp->tcp_recvtclass = ipp->ipp_tclass;
}
- if (addflag & TCP_IPV6_RECVHOPOPTS) {
+ if (addflag.crb_ipv6_recvhopopts) {
toh = (struct T_opthdr *)optptr;
toh->level = IPPROTO_IPV6;
toh->name = IPV6_HOPOPTS;
- toh->len = sizeof (*toh) + ipp->ipp_hopoptslen -
- tcp->tcp_label_len;
+ toh->len = sizeof (*toh) + ipp->ipp_hopoptslen;
toh->status = 0;
optptr += sizeof (*toh);
- bcopy((uchar_t *)ipp->ipp_hopopts + tcp->tcp_label_len, optptr,
- ipp->ipp_hopoptslen - tcp->tcp_label_len);
- optptr += ipp->ipp_hopoptslen - tcp->tcp_label_len;
+ bcopy((uchar_t *)ipp->ipp_hopopts, optptr, ipp->ipp_hopoptslen);
+ optptr += ipp->ipp_hopoptslen;
ASSERT(OK_32PTR(optptr));
/* Save as last value */
ip_savebuf((void **)&tcp->tcp_hopopts, &tcp->tcp_hopoptslen,
(ipp->ipp_fields & IPPF_HOPOPTS),
ipp->ipp_hopopts, ipp->ipp_hopoptslen);
}
- if (addflag & TCP_IPV6_RECVRTDSTOPTS) {
+ if (addflag.crb_ipv6_recvrthdrdstopts) {
toh = (struct T_opthdr *)optptr;
toh->level = IPPROTO_IPV6;
toh->name = IPV6_RTHDRDSTOPTS;
- toh->len = sizeof (*toh) + ipp->ipp_rtdstoptslen;
+ toh->len = sizeof (*toh) + ipp->ipp_rthdrdstoptslen;
toh->status = 0;
optptr += sizeof (*toh);
- bcopy(ipp->ipp_rtdstopts, optptr, ipp->ipp_rtdstoptslen);
- optptr += ipp->ipp_rtdstoptslen;
+ bcopy(ipp->ipp_rthdrdstopts, optptr, ipp->ipp_rthdrdstoptslen);
+ optptr += ipp->ipp_rthdrdstoptslen;
ASSERT(OK_32PTR(optptr));
/* Save as last value */
- ip_savebuf((void **)&tcp->tcp_rtdstopts,
- &tcp->tcp_rtdstoptslen,
- (ipp->ipp_fields & IPPF_RTDSTOPTS),
- ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen);
+ ip_savebuf((void **)&tcp->tcp_rthdrdstopts,
+ &tcp->tcp_rthdrdstoptslen,
+ (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
+ ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen);
}
- if (addflag & TCP_IPV6_RECVRTHDR) {
+ if (addflag.crb_ipv6_recvrthdr) {
toh = (struct T_opthdr *)optptr;
toh->level = IPPROTO_IPV6;
toh->name = IPV6_RTHDR;
@@ -15551,7 +12663,7 @@ tcp_rput_add_ancillary(tcp_t *tcp, mblk_t *mp, ip6_pkt_t *ipp)
(ipp->ipp_fields & IPPF_RTHDR),
ipp->ipp_rthdr, ipp->ipp_rthdrlen);
}
- if (addflag & (TCP_IPV6_RECVDSTOPTS | TCP_OLD_IPV6_RECVDSTOPTS)) {
+ if (addflag.crb_ipv6_recvdstopts) {
toh = (struct T_opthdr *)optptr;
toh->level = IPPROTO_IPV6;
toh->name = IPV6_DSTOPTS;
@@ -15570,99 +12682,13 @@ tcp_rput_add_ancillary(tcp_t *tcp, mblk_t *mp, ip6_pkt_t *ipp)
return (mp);
}
-/*
- * tcp_rput_other is called by tcp_rput to handle everything other than M_DATA
- * messages.
- */
-void
-tcp_rput_other(tcp_t *tcp, mblk_t *mp)
-{
- uchar_t *rptr = mp->b_rptr;
- queue_t *q = tcp->tcp_rq;
- struct T_error_ack *tea;
-
- switch (mp->b_datap->db_type) {
- case M_PROTO:
- case M_PCPROTO:
- ASSERT((uintptr_t)(mp->b_wptr - rptr) <= (uintptr_t)INT_MAX);
- if ((mp->b_wptr - rptr) < sizeof (t_scalar_t))
- break;
- tea = (struct T_error_ack *)rptr;
- ASSERT(tea->PRIM_type != T_BIND_ACK);
- ASSERT(tea->ERROR_prim != O_T_BIND_REQ &&
- tea->ERROR_prim != T_BIND_REQ);
- switch (tea->PRIM_type) {
- case T_ERROR_ACK:
- if (tcp->tcp_debug) {
- (void) strlog(TCP_MOD_ID, 0, 1,
- SL_TRACE|SL_ERROR,
- "tcp_rput_other: case T_ERROR_ACK, "
- "ERROR_prim == %d",
- tea->ERROR_prim);
- }
- switch (tea->ERROR_prim) {
- case T_SVR4_OPTMGMT_REQ:
- if (tcp->tcp_drop_opt_ack_cnt > 0) {
- /* T_OPTMGMT_REQ generated by TCP */
- printf("T_SVR4_OPTMGMT_REQ failed "
- "%d/%d - dropped (cnt %d)\n",
- tea->TLI_error, tea->UNIX_error,
- tcp->tcp_drop_opt_ack_cnt);
- freemsg(mp);
- tcp->tcp_drop_opt_ack_cnt--;
- return;
- }
- break;
- }
- if (tea->ERROR_prim == T_SVR4_OPTMGMT_REQ &&
- tcp->tcp_drop_opt_ack_cnt > 0) {
- printf("T_SVR4_OPTMGMT_REQ failed %d/%d "
- "- dropped (cnt %d)\n",
- tea->TLI_error, tea->UNIX_error,
- tcp->tcp_drop_opt_ack_cnt);
- freemsg(mp);
- tcp->tcp_drop_opt_ack_cnt--;
- return;
- }
- break;
- case T_OPTMGMT_ACK:
- if (tcp->tcp_drop_opt_ack_cnt > 0) {
- /* T_OPTMGMT_REQ generated by TCP */
- freemsg(mp);
- tcp->tcp_drop_opt_ack_cnt--;
- return;
- }
- break;
- default:
- ASSERT(tea->ERROR_prim != T_UNBIND_REQ);
- break;
- }
- break;
- case M_FLUSH:
- if (*rptr & FLUSHR)
- flushq(q, FLUSHDATA);
- break;
- default:
- /* M_CTL will be directly sent to tcp_icmp_error() */
- ASSERT(DB_TYPE(mp) != M_CTL);
- break;
- }
- /*
- * Make sure we set this bit before sending the ACK for
- * bind. Otherwise accept could possibly run and free
- * this tcp struct.
- */
- ASSERT(q != NULL);
- putnext(q, mp);
-}
-
/* ARGSUSED */
static void
-tcp_rsrv_input(void *arg, mblk_t *mp, void *arg2)
+tcp_rsrv_input(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
conn_t *connp = (conn_t *)arg;
tcp_t *tcp = connp->conn_tcp;
- queue_t *q = tcp->tcp_rq;
+ queue_t *q = connp->conn_rq;
tcp_stack_t *tcps = tcp->tcp_tcps;
ASSERT(!IPCL_IS_NONSTR(connp));
@@ -15683,7 +12709,7 @@ tcp_rsrv_input(void *arg, mblk_t *mp, void *arg2)
if (canputnext(q)) {
/* Not flow-controlled, open rwnd */
- tcp->tcp_rwnd = tcp->tcp_recv_hiwater;
+ tcp->tcp_rwnd = connp->conn_rcvbuf;
/*
* Send back a window update immediately if TCP is above
@@ -15712,16 +12738,10 @@ tcp_rsrv(queue_t *q)
conn_t *connp = Q_TO_CONN(q);
tcp_t *tcp = connp->conn_tcp;
mblk_t *mp;
- tcp_stack_t *tcps = tcp->tcp_tcps;
/* No code does a putq on the read side */
ASSERT(q->q_first == NULL);
- /* Nothing to do for the default queue */
- if (q == tcps->tcps_g_q) {
- return;
- }
-
/*
* If tcp->tcp_rsrv_mp == NULL, it means that tcp_rsrv() has already
* been run. So just return.
@@ -15736,7 +12756,7 @@ tcp_rsrv(queue_t *q)
CONN_INC_REF(connp);
SQUEUE_ENTER_ONE(connp->conn_sqp, mp, tcp_rsrv_input, connp,
- SQ_PROCESS, SQTAG_TCP_RSRV);
+ NULL, SQ_PROCESS, SQTAG_TCP_RSRV);
}
/*
@@ -15746,8 +12766,8 @@ tcp_rsrv(queue_t *q)
*
* This function is called in 2 cases:
*
- * 1) Before data transfer begins, in tcp_accept_comm() for accepting a
- * connection (passive open) and in tcp_rput_data() for active connect.
+ * 1) Before data transfer begins, in tcp_input_listener() for accepting a
+ * connection (passive open) and in tcp_input_data() for active connect.
* This is called after tcp_mss_set() when the desired MSS value is known.
* This makes sure that our window size is a mutiple of the other side's
* MSS.
@@ -15766,6 +12786,7 @@ tcp_rwnd_set(tcp_t *tcp, uint32_t rwnd)
uint32_t max_transmittable_rwnd;
boolean_t tcp_detached = TCP_IS_DETACHED(tcp);
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
/*
* Insist on a receive window that is at least
@@ -15782,7 +12803,7 @@ tcp_rwnd_set(tcp_t *tcp, uint32_t rwnd)
ASSERT(peer_tcp != NULL);
sth_hiwat = tcp_fuse_set_rcv_hiwat(tcp, rwnd);
if (!tcp_detached) {
- (void) proto_set_rx_hiwat(tcp->tcp_rq, tcp->tcp_connp,
+ (void) proto_set_rx_hiwat(connp->conn_rq, connp,
sth_hiwat);
tcp_set_recv_threshold(tcp, sth_hiwat >> 3);
}
@@ -15797,11 +12818,10 @@ tcp_rwnd_set(tcp_t *tcp, uint32_t rwnd)
return (sth_hiwat);
}
- if (tcp_detached) {
+ if (tcp_detached)
old_max_rwnd = tcp->tcp_rwnd;
- } else {
- old_max_rwnd = tcp->tcp_recv_hiwater;
- }
+ else
+ old_max_rwnd = connp->conn_rcvbuf;
/*
@@ -15854,9 +12874,14 @@ tcp_rwnd_set(tcp_t *tcp, uint32_t rwnd)
* connection.)
*/
tcp->tcp_rwnd += rwnd - old_max_rwnd;
- tcp->tcp_recv_hiwater = rwnd;
+ connp->conn_rcvbuf = rwnd;
+
+ /* Are we already connected? */
+ if (tcp->tcp_tcpha != NULL) {
+ tcp->tcp_tcpha->tha_win =
+ htons(tcp->tcp_rwnd >> tcp->tcp_rcv_ws);
+ }
- U32_TO_ABE16(tcp->tcp_rwnd >> tcp->tcp_rcv_ws, tcp->tcp_tcph->th_win);
if ((tcp->tcp_rcv_ws > 0) && rwnd > tcp->tcp_cwnd_max)
tcp->tcp_cwnd_max = rwnd;
@@ -15865,7 +12890,7 @@ tcp_rwnd_set(tcp_t *tcp, uint32_t rwnd)
tcp_set_recv_threshold(tcp, rwnd >> 3);
- (void) proto_set_rx_hiwat(tcp->tcp_rq, tcp->tcp_connp, rwnd);
+ (void) proto_set_rx_hiwat(connp->conn_rq, connp, rwnd);
return (rwnd);
}
@@ -15944,7 +12969,7 @@ tcp_snmp_get(queue_t *q, mblk_t *mpctl)
connp = NULL;
while ((connp =
- ipcl_get_next_conn(connfp, connp, IPCL_TCP)) != NULL) {
+ ipcl_get_next_conn(connfp, connp, IPCL_TCPCONN)) != NULL) {
tcp_t *tcp;
boolean_t needattr;
@@ -15992,11 +13017,10 @@ tcp_snmp_get(queue_t *q, mblk_t *mpctl)
needattr = B_TRUE;
break;
}
- if (connp->conn_fully_bound &&
- connp->conn_effective_cred != NULL) {
+ if (connp->conn_ixa->ixa_tsl != NULL) {
ts_label_t *tsl;
- tsl = crgetlabel(connp->conn_effective_cred);
+ tsl = connp->conn_ixa->ixa_tsl;
mlp.tme_flags |= MIB2_TMEF_IS_LABELED;
mlp.tme_doi = label2doi(tsl);
mlp.tme_label = *label2bslabel(tsl);
@@ -16004,12 +13028,17 @@ tcp_snmp_get(queue_t *q, mblk_t *mpctl)
}
/* Create a message to report on IPv6 entries */
- if (tcp->tcp_ipversion == IPV6_VERSION) {
- tce6.tcp6ConnLocalAddress = tcp->tcp_ip_src_v6;
- tce6.tcp6ConnRemAddress = tcp->tcp_remote_v6;
- tce6.tcp6ConnLocalPort = ntohs(tcp->tcp_lport);
- tce6.tcp6ConnRemPort = ntohs(tcp->tcp_fport);
- tce6.tcp6ConnIfIndex = tcp->tcp_bound_if;
+ if (connp->conn_ipversion == IPV6_VERSION) {
+ tce6.tcp6ConnLocalAddress = connp->conn_laddr_v6;
+ tce6.tcp6ConnRemAddress = connp->conn_faddr_v6;
+ tce6.tcp6ConnLocalPort = ntohs(connp->conn_lport);
+ tce6.tcp6ConnRemPort = ntohs(connp->conn_fport);
+ if (connp->conn_ixa->ixa_flags & IXAF_SCOPEID_SET) {
+ tce6.tcp6ConnIfIndex =
+ connp->conn_ixa->ixa_scopeid;
+ } else {
+ tce6.tcp6ConnIfIndex = connp->conn_bound_if;
+ }
/* Don't want just anybody seeing these... */
if (ispriv) {
tce6.tcp6ConnEntryInfo.ce_snxt =
@@ -16041,9 +13070,9 @@ tcp_snmp_get(queue_t *q, mblk_t *mpctl)
tce6.tcp6ConnEntryInfo.ce_state = tcp->tcp_state;
tce6.tcp6ConnCreationProcess =
- (tcp->tcp_cpid < 0) ? MIB2_UNKNOWN_PROCESS :
- tcp->tcp_cpid;
- tce6.tcp6ConnCreationTime = tcp->tcp_open_time;
+ (connp->conn_cpid < 0) ? MIB2_UNKNOWN_PROCESS :
+ connp->conn_cpid;
+ tce6.tcp6ConnCreationTime = connp->conn_open_time;
(void) snmp_append_data2(mp6_conn_ctl->b_cont,
&mp6_conn_tail, (char *)&tce6, sizeof (tce6));
@@ -16059,21 +13088,21 @@ tcp_snmp_get(queue_t *q, mblk_t *mpctl)
* but don't have IPV6_V6ONLY set.
* (i.e. anything an IPv4 peer could connect to)
*/
- if (tcp->tcp_ipversion == IPV4_VERSION ||
+ if (connp->conn_ipversion == IPV4_VERSION ||
(tcp->tcp_state <= TCPS_LISTEN &&
- !tcp->tcp_connp->conn_ipv6_v6only &&
- IN6_IS_ADDR_UNSPECIFIED(&tcp->tcp_ip_src_v6))) {
- if (tcp->tcp_ipversion == IPV6_VERSION) {
+ !connp->conn_ipv6_v6only &&
+ IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6))) {
+ if (connp->conn_ipversion == IPV6_VERSION) {
tce.tcpConnRemAddress = INADDR_ANY;
tce.tcpConnLocalAddress = INADDR_ANY;
} else {
tce.tcpConnRemAddress =
- tcp->tcp_remote;
+ connp->conn_faddr_v4;
tce.tcpConnLocalAddress =
- tcp->tcp_ip_src;
+ connp->conn_laddr_v4;
}
- tce.tcpConnLocalPort = ntohs(tcp->tcp_lport);
- tce.tcpConnRemPort = ntohs(tcp->tcp_fport);
+ tce.tcpConnLocalPort = ntohs(connp->conn_lport);
+ tce.tcpConnRemPort = ntohs(connp->conn_fport);
/* Don't want just anybody seeing these... */
if (ispriv) {
tce.tcpConnEntryInfo.ce_snxt =
@@ -16107,9 +13136,10 @@ tcp_snmp_get(queue_t *q, mblk_t *mpctl)
tcp->tcp_state;
tce.tcpConnCreationProcess =
- (tcp->tcp_cpid < 0) ? MIB2_UNKNOWN_PROCESS :
- tcp->tcp_cpid;
- tce.tcpConnCreationTime = tcp->tcp_open_time;
+ (connp->conn_cpid < 0) ?
+ MIB2_UNKNOWN_PROCESS :
+ connp->conn_cpid;
+ tce.tcpConnCreationTime = connp->conn_open_time;
(void) snmp_append_data2(mp_conn_ctl->b_cont,
&mp_conn_tail, (char *)&tce, sizeof (tce));
@@ -16273,7 +13303,6 @@ tcp_timer(void *arg)
tcp_t *listener = tcp->tcp_listener;
if (tcp->tcp_syn_rcvd_timeout == 0 && (listener != NULL)) {
- ASSERT(tcp->tcp_rq == listener->tcp_rq);
/* it's our first timeout */
tcp->tcp_syn_rcvd_timeout = 1;
mutex_enter(&listener->tcp_eager_lock);
@@ -16295,7 +13324,7 @@ tcp_timer(void *arg)
cmn_err(CE_WARN, "High TCP connect timeout "
"rate! System (port %d) may be under a "
"SYN flood attack!",
- BE16_TO_U16(listener->tcp_tcph->th_lport));
+ ntohs(listener->tcp_connp->conn_lport));
listener->tcp_ip_addr_cache = kmem_zalloc(
IP_ADDR_CACHE_SIZE * sizeof (ipaddr_t),
@@ -16363,7 +13392,7 @@ tcp_timer(void *arg)
* backoff.
*/
if (tcp->tcp_swnd == 0 || tcp->tcp_zero_win_probe) {
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1,
SL_TRACE, "tcp_timer: zero win");
}
@@ -16415,6 +13444,13 @@ tcp_timer(void *arg)
* 3. But 1 and 3 are exclusive.
*/
if (tcp->tcp_unsent != 0) {
+ /*
+ * Should not hold the zero-copy messages for too long.
+ */
+ if (tcp->tcp_snd_zcopy_aware && !tcp->tcp_xmit_zc_clean)
+ tcp->tcp_xmit_head = tcp_zcopy_backoff(tcp,
+ tcp->tcp_xmit_head, B_TRUE);
+
if (tcp->tcp_cwnd == 0) {
/*
* Set tcp_cwnd to 1 MSS so that a
@@ -16477,7 +13513,7 @@ tcp_timer(void *arg)
(void) tcp_clean_death(tcp, 0, 24);
return;
default:
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE|SL_ERROR,
"tcp_timer: strange state (%d) %s",
tcp->tcp_state, tcp_display(tcp, NULL,
@@ -16485,8 +13521,16 @@ tcp_timer(void *arg)
}
return;
}
+
if ((ms = tcp->tcp_ms_we_have_waited) > second_threshold) {
/*
+ * Should not hold the zero-copy messages for too long.
+ */
+ if (tcp->tcp_snd_zcopy_aware && !tcp->tcp_xmit_zc_clean)
+ tcp->tcp_xmit_head = tcp_zcopy_backoff(tcp,
+ tcp->tcp_xmit_head, B_TRUE);
+
+ /*
* For zero window probe, we need to send indefinitely,
* unless we have not heard from the other side for some
* time...
@@ -16529,11 +13573,13 @@ tcp_timer(void *arg)
tcp->tcp_ms_we_have_waited = second_threshold;
}
} else if (ms > first_threshold) {
- if (tcp->tcp_snd_zcopy_aware && (!tcp->tcp_xmit_zc_clean) &&
- tcp->tcp_xmit_head != NULL) {
- tcp->tcp_xmit_head =
- tcp_zcopy_backoff(tcp, tcp->tcp_xmit_head, 1);
- }
+ /*
+ * Should not hold the zero-copy messages for too long.
+ */
+ if (tcp->tcp_snd_zcopy_aware && !tcp->tcp_xmit_zc_clean)
+ tcp->tcp_xmit_head = tcp_zcopy_backoff(tcp,
+ tcp->tcp_xmit_head, B_TRUE);
+
/*
* We have been retransmitting for too long... The RTT
* we calculated is probably incorrect. Reinitialize it.
@@ -16618,20 +13664,11 @@ tcp_timer(void *arg)
if (mp == NULL) {
return;
}
- /*
- * Attach credentials to retransmitted initial SYNs.
- * In theory we should use the credentials from the connect()
- * call to ensure that getpeerucred() on the peer will be correct.
- * But we assume that SYN's are not dropped for loopback connections.
- */
- if (tcp->tcp_state == TCPS_SYN_SENT) {
- mblk_setcred(mp, CONN_CRED(tcp->tcp_connp), tcp->tcp_cpid);
- }
tcp->tcp_csuna = tcp->tcp_snxt;
BUMP_MIB(&tcps->tcps_mib, tcpRetransSegs);
UPDATE_MIB(&tcps->tcps_mib, tcpRetransBytes, mss);
- tcp_send_data(tcp, tcp->tcp_wq, mp);
+ tcp_send_data(tcp, mp);
}
@@ -16639,7 +13676,6 @@ static int
tcp_do_unbind(conn_t *connp)
{
tcp_t *tcp = connp->conn_tcp;
- int error = 0;
switch (tcp->tcp_state) {
case TCPS_BOUND:
@@ -16659,41 +13695,36 @@ tcp_do_unbind(conn_t *connp)
}
mutex_exit(&tcp->tcp_eager_lock);
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- tcp->tcp_ipha->ipha_src = 0;
- } else {
- V6_SET_ZERO(tcp->tcp_ip6h->ip6_src);
- }
- V6_SET_ZERO(tcp->tcp_ip_src_v6);
- bzero(tcp->tcp_tcph->th_lport, sizeof (tcp->tcp_tcph->th_lport));
+ connp->conn_laddr_v6 = ipv6_all_zeros;
+ connp->conn_saddr_v6 = ipv6_all_zeros;
tcp_bind_hash_remove(tcp);
tcp->tcp_state = TCPS_IDLE;
- tcp->tcp_mdt = B_FALSE;
- connp = tcp->tcp_connp;
- connp->conn_mdt_ok = B_FALSE;
- ipcl_hash_remove(connp);
+ ip_unbind(connp);
bzero(&connp->conn_ports, sizeof (connp->conn_ports));
- return (error);
+ return (0);
}
/* tcp_unbind is called by tcp_wput_proto to handle T_UNBIND_REQ messages. */
static void
tcp_tpi_unbind(tcp_t *tcp, mblk_t *mp)
{
- int error = tcp_do_unbind(tcp->tcp_connp);
+ conn_t *connp = tcp->tcp_connp;
+ int error;
+ error = tcp_do_unbind(connp);
if (error > 0) {
tcp_err_ack(tcp, mp, TSYSERR, error);
} else if (error < 0) {
tcp_err_ack(tcp, mp, -error, 0);
} else {
/* Send M_FLUSH according to TPI */
- (void) putnextctl1(tcp->tcp_rq, M_FLUSH, FLUSHRW);
+ (void) putnextctl1(connp->conn_rq, M_FLUSH, FLUSHRW);
mp = mi_tpi_ok_ack_alloc(mp);
- putnext(tcp->tcp_rq, mp);
+ if (mp != NULL)
+ putnext(connp->conn_rq, mp);
}
}
@@ -16764,7 +13795,7 @@ retry:
}
}
if (is_system_labeled() &&
- (i = tsol_next_port(crgetzone(tcp->tcp_cred), port,
+ (i = tsol_next_port(crgetzone(tcp->tcp_connp->conn_cred), port,
IPPROTO_TCP, B_TRUE)) != 0) {
port = i;
goto retry;
@@ -16796,7 +13827,7 @@ retry:
restart = B_TRUE;
}
if (is_system_labeled() &&
- (nextport = tsol_next_port(crgetzone(tcp->tcp_cred),
+ (nextport = tsol_next_port(crgetzone(tcp->tcp_connp->conn_cred),
next_priv_port, IPPROTO_TCP, B_FALSE)) != 0) {
next_priv_port = nextport;
goto retry;
@@ -16820,11 +13851,10 @@ struct {
*/
/* ARGSUSED */
static void
-tcp_wput_nondata(void *arg, mblk_t *mp, void *arg2)
+tcp_wput_nondata(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
conn_t *connp = (conn_t *)arg;
tcp_t *tcp = connp->conn_tcp;
- queue_t *q = tcp->tcp_wq;
ASSERT(DB_TYPE(mp) != M_IOCTL);
/*
@@ -16851,7 +13881,7 @@ tcp_wput_nondata(void *arg, mblk_t *mp, void *arg2)
tcp_wput_flush(tcp, mp);
break;
default:
- CALL_IP_WPUT(connp, q, mp);
+ ip_wput_nondata(connp->conn_wq, mp);
break;
}
}
@@ -16862,7 +13892,7 @@ tcp_wput_nondata(void *arg, mblk_t *mp, void *arg2)
*/
/* ARGSUSED */
void
-tcp_output(void *arg, mblk_t *mp, void *arg2)
+tcp_output(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
int len;
int hdrlen;
@@ -16870,7 +13900,7 @@ tcp_output(void *arg, mblk_t *mp, void *arg2)
mblk_t *mp1;
uchar_t *rptr;
uint32_t snxt;
- tcph_t *tcph;
+ tcpha_t *tcpha;
struct datab *db;
uint32_t suna;
uint32_t mss;
@@ -16882,7 +13912,7 @@ tcp_output(void *arg, mblk_t *mp, void *arg2)
tcp_t *tcp = connp->conn_tcp;
uint32_t msize;
tcp_stack_t *tcps = tcp->tcp_tcps;
- ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
+ ip_xmit_attr_t *ixa;
/*
* Try and ASSERT the minimum possible references on the
@@ -16903,25 +13933,18 @@ tcp_output(void *arg, mblk_t *mp, void *arg2)
tcp->tcp_squeue_bytes -= msize;
mutex_exit(&tcp->tcp_non_sq_lock);
- /* Check to see if this connection wants to be re-fused. */
- if (tcp->tcp_refuse) {
- if (tcp->tcp_ipversion == IPV4_VERSION &&
- !ipst->ips_ip4_observe.he_interested) {
- tcp_fuse(tcp, (uchar_t *)&tcp->tcp_saved_ipha,
- &tcp->tcp_saved_tcph);
- } else if (tcp->tcp_ipversion == IPV6_VERSION &&
- !ipst->ips_ip6_observe.he_interested) {
- tcp_fuse(tcp, (uchar_t *)&tcp->tcp_saved_ip6h,
- &tcp->tcp_saved_tcph);
- }
- }
/* Bypass tcp protocol for fused tcp loopback */
if (tcp->tcp_fused && tcp_fuse_output(tcp, mp, msize))
return;
mss = tcp->tcp_mss;
- if (tcp->tcp_xmit_zc_clean)
- mp = tcp_zcopy_backoff(tcp, mp, 0);
+ /*
+ * If ZEROCOPY has turned off, try not to send any zero-copy message
+ * down. Do backoff, now.
+ */
+ if (tcp->tcp_snd_zcopy_aware && !tcp->tcp_snd_zcopy_on)
+ mp = tcp_zcopy_backoff(tcp, mp, B_FALSE);
+
ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <= (uintptr_t)INT_MAX);
len = (int)(mp->b_wptr - mp->b_rptr);
@@ -16977,8 +14000,7 @@ tcp_output(void *arg, mblk_t *mp, void *arg2)
* start again to get back the connection's "self-clock" as
* described in VJ's paper.
*
- * Refer to the comment in tcp_mss_set() for the calculation
- * of tcp_cwnd after idle.
+ * Reinitialize tcp_cwnd after idle.
*/
if ((tcp->tcp_suna == snxt) && !tcp->tcp_localnet &&
(TICK_TO_MSEC(lbolt - tcp->tcp_last_recv_time) >= tcp->tcp_rto)) {
@@ -16999,7 +14021,7 @@ tcp_output(void *arg, mblk_t *mp, void *arg2)
mutex_enter(&tcp->tcp_non_sq_lock);
if (tcp->tcp_flow_stopped &&
- TCP_UNSENT_BYTES(tcp) <= tcp->tcp_xmit_lowater) {
+ TCP_UNSENT_BYTES(tcp) <= connp->conn_sndlowat) {
tcp_clrqfull(tcp);
}
mutex_exit(&tcp->tcp_non_sq_lock);
@@ -17046,43 +14068,43 @@ tcp_output(void *arg, mblk_t *mp, void *arg2)
mp->b_next = (mblk_t *)(uintptr_t)snxt;
/* adjust tcp header information */
- tcph = tcp->tcp_tcph;
- tcph->th_flags[0] = (TH_ACK|TH_PUSH);
+ tcpha = tcp->tcp_tcpha;
+ tcpha->tha_flags = (TH_ACK|TH_PUSH);
- sum = len + tcp->tcp_tcp_hdr_len + tcp->tcp_sum;
+ sum = len + connp->conn_ht_ulp_len + connp->conn_sum;
sum = (sum >> 16) + (sum & 0xFFFF);
- U16_TO_ABE16(sum, tcph->th_sum);
+ tcpha->tha_sum = htons(sum);
- U32_TO_ABE32(snxt, tcph->th_seq);
+ tcpha->tha_seq = htonl(snxt);
BUMP_MIB(&tcps->tcps_mib, tcpOutDataSegs);
UPDATE_MIB(&tcps->tcps_mib, tcpOutDataBytes, len);
BUMP_LOCAL(tcp->tcp_obsegs);
/* Update the latest receive window size in TCP header. */
- U32_TO_ABE16(tcp->tcp_rwnd >> tcp->tcp_rcv_ws,
- tcph->th_win);
+ tcpha->tha_win = htons(tcp->tcp_rwnd >> tcp->tcp_rcv_ws);
tcp->tcp_last_sent_len = (ushort_t)len;
- plen = len + tcp->tcp_hdr_len;
+ plen = len + connp->conn_ht_iphc_len;
- if (tcp->tcp_ipversion == IPV4_VERSION) {
+ ixa = connp->conn_ixa;
+ ixa->ixa_pktlen = plen;
+
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
tcp->tcp_ipha->ipha_length = htons(plen);
} else {
- tcp->tcp_ip6h->ip6_plen = htons(plen -
- ((char *)&tcp->tcp_ip6h[1] - tcp->tcp_iphc));
+ tcp->tcp_ip6h->ip6_plen = htons(plen - IPV6_HDR_LEN);
}
/* see if we need to allocate a mblk for the headers */
- hdrlen = tcp->tcp_hdr_len;
+ hdrlen = connp->conn_ht_iphc_len;
rptr = mp1->b_rptr - hdrlen;
db = mp1->b_datap;
if ((db->db_ref != 2) || rptr < db->db_base ||
(!OK_32PTR(rptr))) {
/* NOTE: we assume allocb returns an OK_32PTR */
- mp = allocb(tcp->tcp_ip_hdr_len + TCP_MAX_HDR_LENGTH +
- tcps->tcps_wroff_xtra, BPRI_MED);
+ mp = allocb(hdrlen + tcps->tcps_wroff_xtra, BPRI_MED);
if (!mp) {
freemsg(mp1);
goto no_memory;
@@ -17090,7 +14112,6 @@ tcp_output(void *arg, mblk_t *mp, void *arg2)
mp->b_cont = mp1;
mp1 = mp;
/* Leave room for Link Level header */
- /* hdrlen = tcp->tcp_hdr_len; */
rptr = &mp1->b_rptr[tcps->tcps_wroff_xtra];
mp1->b_wptr = &rptr[hdrlen];
}
@@ -17099,16 +14120,16 @@ tcp_output(void *arg, mblk_t *mp, void *arg2)
/* Fill in the timestamp option. */
if (tcp->tcp_snd_ts_ok) {
U32_TO_BE32((uint32_t)lbolt,
- (char *)tcph+TCP_MIN_HEADER_LENGTH+4);
+ (char *)tcpha + TCP_MIN_HEADER_LENGTH+4);
U32_TO_BE32(tcp->tcp_ts_recent,
- (char *)tcph+TCP_MIN_HEADER_LENGTH+8);
+ (char *)tcpha + TCP_MIN_HEADER_LENGTH+8);
} else {
- ASSERT(tcp->tcp_tcp_hdr_len == TCP_MIN_HEADER_LENGTH);
+ ASSERT(connp->conn_ht_ulp_len == TCP_MIN_HEADER_LENGTH);
}
/* copy header into outgoing packet */
dst = (ipaddr_t *)rptr;
- src = (ipaddr_t *)tcp->tcp_iphc;
+ src = (ipaddr_t *)connp->conn_ht_iphc;
dst[0] = src[0];
dst[1] = src[1];
dst[2] = src[2];
@@ -17135,21 +14156,22 @@ tcp_output(void *arg, mblk_t *mp, void *arg2)
if (tcp->tcp_ecn_ok) {
SET_ECT(tcp, rptr);
- tcph = (tcph_t *)(rptr + tcp->tcp_ip_hdr_len);
+ tcpha = (tcpha_t *)(rptr + ixa->ixa_ip_hdr_length);
if (tcp->tcp_ecn_echo_on)
- tcph->th_flags[0] |= TH_ECE;
+ tcpha->tha_flags |= TH_ECE;
if (tcp->tcp_cwr && !tcp->tcp_ecn_cwr_sent) {
- tcph->th_flags[0] |= TH_CWR;
+ tcpha->tha_flags |= TH_CWR;
tcp->tcp_ecn_cwr_sent = B_TRUE;
}
}
if (tcp->tcp_ip_forward_progress) {
- ASSERT(tcp->tcp_ipversion == IPV6_VERSION);
- *(uint32_t *)mp1->b_rptr |= IP_FORWARD_PROG;
tcp->tcp_ip_forward_progress = B_FALSE;
+ connp->conn_ixa->ixa_flags |= IXAF_REACH_CONF;
+ } else {
+ connp->conn_ixa->ixa_flags &= ~IXAF_REACH_CONF;
}
- tcp_send_data(tcp, tcp->tcp_wq, mp1);
+ tcp_send_data(tcp, mp1);
return;
/*
@@ -17166,29 +14188,27 @@ slow:
tcp_wput_data(tcp, NULL, B_FALSE);
}
+/*
+ * This runs at the tail end of accept processing on the squeue of the
+ * new connection.
+ */
/* ARGSUSED */
void
-tcp_accept_finish(void *arg, mblk_t *mp, void *arg2)
+tcp_accept_finish(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
conn_t *connp = (conn_t *)arg;
tcp_t *tcp = connp->conn_tcp;
- queue_t *q = tcp->tcp_rq;
- struct tcp_options *tcpopt;
+ queue_t *q = connp->conn_rq;
tcp_stack_t *tcps = tcp->tcp_tcps;
-
/* socket options */
- uint_t sopp_flags;
- ssize_t sopp_rxhiwat;
- ssize_t sopp_maxblk;
- ushort_t sopp_wroff;
- ushort_t sopp_tail;
- ushort_t sopp_copyopt;
+ struct sock_proto_props sopp;
- tcpopt = (struct tcp_options *)mp->b_rptr;
+ /* We should just receive a single mblk that fits a T_discon_ind */
+ ASSERT(mp->b_cont == NULL);
/*
* Drop the eager's ref on the listener, that was placed when
- * this eager began life in tcp_conn_request.
+ * this eager began life in tcp_input_listener.
*/
CONN_DEC_REF(tcp->tcp_saved_listener->tcp_connp);
if (IPCL_IS_NONSTR(connp)) {
@@ -17227,15 +14247,12 @@ tcp_accept_finish(void *arg, mblk_t *mp, void *arg2)
* memory allocation failure problems. We know
* that the size of the incoming mblk i.e.
* stroptions is greater than sizeof
- * T_discon_ind. So the reallocb below can't
- * fail.
+ * T_discon_ind.
*/
- freemsg(mp->b_cont);
- mp->b_cont = NULL;
ASSERT(DB_REF(mp) == 1);
- mp = reallocb(mp, sizeof (struct T_discon_ind),
- B_FALSE);
- ASSERT(mp != NULL);
+ ASSERT(MBLKSIZE(mp) >=
+ sizeof (struct T_discon_ind));
+
DB_TYPE(mp) = M_PROTO;
((union T_primitives *)mp->b_rptr)->type =
T_DISCON_IND;
@@ -17251,41 +14268,21 @@ tcp_accept_finish(void *arg, mblk_t *mp, void *arg2)
mp->b_wptr = mp->b_rptr +
sizeof (struct T_discon_ind);
putnext(q, mp);
- return;
}
}
- if (tcp->tcp_hard_binding) {
- tcp->tcp_hard_binding = B_FALSE;
- tcp->tcp_hard_bound = B_TRUE;
- }
+ tcp->tcp_hard_binding = B_FALSE;
return;
}
- if (tcpopt->to_flags & TCPOPT_BOUNDIF) {
- int boundif = tcpopt->to_boundif;
- uint_t len = sizeof (int);
-
- (void) tcp_opt_set(connp, SETFN_OPTCOM_NEGOTIATE, IPPROTO_IPV6,
- IPV6_BOUND_IF, len, (uchar_t *)&boundif, &len,
- (uchar_t *)&boundif, NULL, tcp->tcp_cred, NULL);
- }
- if (tcpopt->to_flags & TCPOPT_RECVPKTINFO) {
- uint_t on = 1;
- uint_t len = sizeof (uint_t);
- (void) tcp_opt_set(connp, SETFN_OPTCOM_NEGOTIATE, IPPROTO_IPV6,
- IPV6_RECVPKTINFO, len, (uchar_t *)&on, &len,
- (uchar_t *)&on, NULL, tcp->tcp_cred, NULL);
- }
-
/*
- * Set max window size (tcp_recv_hiwater) of the acceptor.
+ * Set max window size (conn_rcvbuf) of the acceptor.
*/
if (tcp->tcp_rcv_list == NULL) {
/*
* Recv queue is empty, tcp_rwnd should not have changed.
* That means it should be equal to the listener's tcp_rwnd.
*/
- tcp->tcp_recv_hiwater = tcp->tcp_rwnd;
+ connp->conn_rcvbuf = tcp->tcp_rwnd;
} else {
#ifdef DEBUG
mblk_t *tmp;
@@ -17300,19 +14297,19 @@ tcp_accept_finish(void *arg, mblk_t *mp, void *arg2)
ASSERT(cnt != 0 && tcp->tcp_rcv_cnt == cnt);
#endif
/* There is some data, add them back to get the max. */
- tcp->tcp_recv_hiwater = tcp->tcp_rwnd + tcp->tcp_rcv_cnt;
+ connp->conn_rcvbuf = tcp->tcp_rwnd + tcp->tcp_rcv_cnt;
}
/*
* This is the first time we run on the correct
* queue after tcp_accept. So fix all the q parameters
* here.
*/
- sopp_flags = SOCKOPT_RCVHIWAT | SOCKOPT_MAXBLK | SOCKOPT_WROFF;
- sopp_maxblk = tcp_maxpsz_set(tcp, B_FALSE);
+ sopp.sopp_flags = SOCKOPT_RCVHIWAT | SOCKOPT_MAXBLK | SOCKOPT_WROFF;
+ sopp.sopp_maxblk = tcp_maxpsz_set(tcp, B_FALSE);
- sopp_rxhiwat = tcp->tcp_fused ?
- tcp_fuse_set_rcv_hiwat(tcp, tcp->tcp_recv_hiwater) :
- tcp->tcp_recv_hiwater;
+ sopp.sopp_rxhiwat = tcp->tcp_fused ?
+ tcp_fuse_set_rcv_hiwat(tcp, connp->conn_rcvbuf) :
+ connp->conn_rcvbuf;
/*
* Determine what write offset value to use depending on SACK and
@@ -17328,18 +14325,18 @@ tcp_accept_finish(void *arg, mblk_t *mp, void *arg2)
* since it would reduce the amount of work done by kmem.
* Non-fused tcp loopback case is handled separately below.
*/
- sopp_wroff = 0;
+ sopp.sopp_wroff = 0;
/*
* Update the peer's transmit parameters according to
* our recently calculated high water mark value.
*/
(void) tcp_maxpsz_set(tcp->tcp_loopback_peer, B_TRUE);
} else if (tcp->tcp_snd_sack_ok) {
- sopp_wroff = tcp->tcp_hdr_len + TCPOPT_MAX_SACK_LEN +
+ sopp.sopp_wroff = connp->conn_ht_iphc_allocated +
(tcp->tcp_loopback ? 0 : tcps->tcps_wroff_xtra);
} else {
- sopp_wroff = tcp->tcp_hdr_len + (tcp->tcp_loopback ? 0 :
- tcps->tcps_wroff_xtra);
+ sopp.sopp_wroff = connp->conn_ht_iphc_len +
+ (tcp->tcp_loopback ? 0 : tcps->tcps_wroff_xtra);
}
/*
@@ -17354,30 +14351,22 @@ tcp_accept_finish(void *arg, mblk_t *mp, void *arg2)
* costs.
*/
if (tcp->tcp_kssl_ctx != NULL) {
- sopp_wroff += SSL3_WROFFSET;
+ sopp.sopp_wroff += SSL3_WROFFSET;
- sopp_flags |= SOCKOPT_TAIL;
- sopp_tail = SSL3_MAX_TAIL_LEN;
+ sopp.sopp_flags |= SOCKOPT_TAIL;
+ sopp.sopp_tail = SSL3_MAX_TAIL_LEN;
- sopp_flags |= SOCKOPT_ZCOPY;
- sopp_copyopt = ZCVMUNSAFE;
+ sopp.sopp_flags |= SOCKOPT_ZCOPY;
+ sopp.sopp_zcopyflag = ZCVMUNSAFE;
- sopp_maxblk = SSL3_MAX_RECORD_LEN;
+ sopp.sopp_maxblk = SSL3_MAX_RECORD_LEN;
}
/* Send the options up */
if (IPCL_IS_NONSTR(connp)) {
- struct sock_proto_props sopp;
-
- sopp.sopp_flags = sopp_flags;
- sopp.sopp_wroff = sopp_wroff;
- sopp.sopp_maxblk = sopp_maxblk;
- sopp.sopp_rxhiwat = sopp_rxhiwat;
- if (sopp_flags & SOCKOPT_TAIL) {
+ if (sopp.sopp_flags & SOCKOPT_TAIL) {
ASSERT(tcp->tcp_kssl_ctx != NULL);
- ASSERT(sopp_flags & SOCKOPT_ZCOPY);
- sopp.sopp_tail = sopp_tail;
- sopp.sopp_zcopyflag = sopp_copyopt;
+ ASSERT(sopp.sopp_flags & SOCKOPT_ZCOPY);
}
if (tcp->tcp_loopback) {
sopp.sopp_flags |= SOCKOPT_LOOPBACK;
@@ -17385,34 +14374,40 @@ tcp_accept_finish(void *arg, mblk_t *mp, void *arg2)
}
(*connp->conn_upcalls->su_set_proto_props)
(connp->conn_upper_handle, &sopp);
+ freemsg(mp);
} else {
+ /*
+ * Let us reuse the incoming mblk to avoid
+ * memory allocation failure problems. We know
+ * that the size of the incoming mblk is at least
+ * stroptions
+ */
struct stroptions *stropt;
- mblk_t *stropt_mp = allocb(sizeof (struct stroptions), BPRI_HI);
- if (stropt_mp == NULL) {
- tcp_err_ack(tcp, mp, TSYSERR, ENOMEM);
- return;
- }
- DB_TYPE(stropt_mp) = M_SETOPTS;
- stropt = (struct stroptions *)stropt_mp->b_rptr;
- stropt_mp->b_wptr += sizeof (struct stroptions);
+
+ ASSERT(DB_REF(mp) == 1);
+ ASSERT(MBLKSIZE(mp) >= sizeof (struct stroptions));
+
+ DB_TYPE(mp) = M_SETOPTS;
+ stropt = (struct stroptions *)mp->b_rptr;
+ mp->b_wptr = mp->b_rptr + sizeof (struct stroptions);
+ stropt = (struct stroptions *)mp->b_rptr;
stropt->so_flags = SO_HIWAT | SO_WROFF | SO_MAXBLK;
- stropt->so_hiwat = sopp_rxhiwat;
- stropt->so_wroff = sopp_wroff;
- stropt->so_maxblk = sopp_maxblk;
+ stropt->so_hiwat = sopp.sopp_rxhiwat;
+ stropt->so_wroff = sopp.sopp_wroff;
+ stropt->so_maxblk = sopp.sopp_maxblk;
- if (sopp_flags & SOCKOPT_TAIL) {
+ if (sopp.sopp_flags & SOCKOPT_TAIL) {
ASSERT(tcp->tcp_kssl_ctx != NULL);
stropt->so_flags |= SO_TAIL | SO_COPYOPT;
- stropt->so_tail = sopp_tail;
- stropt->so_copyopt = sopp_copyopt;
+ stropt->so_tail = sopp.sopp_tail;
+ stropt->so_copyopt = sopp.sopp_zcopyflag;
}
/* Send the options up */
- putnext(q, stropt_mp);
+ putnext(q, mp);
}
- freemsg(mp);
/*
* Pass up any data and/or a fin that has been received.
*
@@ -17432,7 +14427,7 @@ tcp_accept_finish(void *arg, mblk_t *mp, void *arg2)
if (!tcp->tcp_fused && (*connp->conn_upcalls->su_recv)
(connp->conn_upper_handle, NULL, 0, 0, &error,
&push) >= 0) {
- tcp->tcp_rwnd = tcp->tcp_recv_hiwater;
+ tcp->tcp_rwnd = connp->conn_rcvbuf;
if (tcp->tcp_state >= TCPS_ESTABLISHED &&
tcp_rwnd_reopen(tcp) == TH_ACK_NEEDED) {
tcp_xmit_ctl(NULL,
@@ -17463,7 +14458,7 @@ tcp_accept_finish(void *arg, mblk_t *mp, void *arg2)
/* We drain directly in case of fused tcp loopback */
if (!tcp->tcp_fused && canputnext(q)) {
- tcp->tcp_rwnd = tcp->tcp_recv_hiwater;
+ tcp->tcp_rwnd = connp->conn_rcvbuf;
if (tcp->tcp_state >= TCPS_ESTABLISHED &&
tcp_rwnd_reopen(tcp) == TH_ACK_NEEDED) {
tcp_xmit_ctl(NULL,
@@ -17508,12 +14503,9 @@ tcp_accept_finish(void *arg, mblk_t *mp, void *arg2)
putnext(q, mp);
}
}
- if (tcp->tcp_hard_binding) {
- tcp->tcp_hard_binding = B_FALSE;
- tcp->tcp_hard_bound = B_TRUE;
- }
+ tcp->tcp_hard_binding = B_FALSE;
- if (tcp->tcp_ka_enabled) {
+ if (connp->conn_keepalive) {
tcp->tcp_ka_last_intrvl = 0;
tcp->tcp_ka_tid = TCP_TIMER(tcp, tcp_keepalive_killer,
MSEC_TO_TICK(tcp->tcp_ka_interval));
@@ -17535,14 +14527,14 @@ tcp_accept_finish(void *arg, mblk_t *mp, void *arg2)
/*
* The function called through squeue to get behind listener's perimeter to
- * send a deffered conn_ind.
+ * send a deferred conn_ind.
*/
/* ARGSUSED */
void
-tcp_send_pending(void *arg, mblk_t *mp, void *arg2)
+tcp_send_pending(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
- conn_t *connp = (conn_t *)arg;
- tcp_t *listener = connp->conn_tcp;
+ conn_t *lconnp = (conn_t *)arg;
+ tcp_t *listener = lconnp->conn_tcp;
struct T_conn_ind *conn_ind;
tcp_t *tcp;
@@ -17560,29 +14552,34 @@ tcp_send_pending(void *arg, mblk_t *mp, void *arg2)
return;
}
- tcp_ulp_newconn(connp, tcp->tcp_connp, mp);
+ tcp_ulp_newconn(lconnp, tcp->tcp_connp, mp);
}
-/* ARGSUSED */
+/*
+ * Common to TPI and sockfs accept code.
+ */
+/* ARGSUSED2 */
static int
tcp_accept_common(conn_t *lconnp, conn_t *econnp, cred_t *cr)
{
tcp_t *listener, *eager;
- mblk_t *opt_mp;
- struct tcp_options *tcpopt;
+ mblk_t *discon_mp;
listener = lconnp->conn_tcp;
ASSERT(listener->tcp_state == TCPS_LISTEN);
eager = econnp->conn_tcp;
ASSERT(eager->tcp_listener != NULL);
- ASSERT(eager->tcp_rq != NULL);
+ /*
+ * Pre allocate the discon_ind mblk also. tcp_accept_finish will
+ * use it if something failed.
+ */
+ discon_mp = allocb(MAX(sizeof (struct T_discon_ind),
+ sizeof (struct stroptions)), BPRI_HI);
- opt_mp = allocb(sizeof (struct tcp_options), BPRI_HI);
- if (opt_mp == NULL) {
+ if (discon_mp == NULL) {
return (-TPROTO);
}
- bzero((char *)opt_mp->b_rptr, sizeof (struct tcp_options));
eager->tcp_issocket = B_TRUE;
econnp->conn_zoneid = listener->tcp_connp->conn_zoneid;
@@ -17607,24 +14604,6 @@ tcp_accept_common(conn_t *lconnp, conn_t *econnp, cred_t *cr)
*/
ASSERT(econnp->conn_ref >= 3);
- opt_mp->b_datap->db_type = M_SETOPTS;
- opt_mp->b_wptr += sizeof (struct tcp_options);
-
- /*
- * Prepare for inheriting IPV6_BOUND_IF and IPV6_RECVPKTINFO
- * from listener to acceptor.
- */
- tcpopt = (struct tcp_options *)opt_mp->b_rptr;
- tcpopt->to_flags = 0;
-
- if (listener->tcp_bound_if != 0) {
- tcpopt->to_flags |= TCPOPT_BOUNDIF;
- tcpopt->to_boundif = listener->tcp_bound_if;
- }
- if (listener->tcp_ipv6_recvancillary & TCP_IPV6_RECVPKTINFO) {
- tcpopt->to_flags |= TCPOPT_RECVPKTINFO;
- }
-
mutex_enter(&listener->tcp_eager_lock);
if (listener->tcp_eager_prev_q0->tcp_conn_def_q0) {
@@ -17686,7 +14665,7 @@ tcp_accept_common(conn_t *lconnp, conn_t *econnp, cred_t *cr)
/* Need to get inside the listener perimeter */
CONN_INC_REF(listener->tcp_connp);
SQUEUE_ENTER_ONE(listener->tcp_connp->conn_sqp, mp1,
- tcp_send_pending, listener->tcp_connp, SQ_FILL,
+ tcp_send_pending, listener->tcp_connp, NULL, SQ_FILL,
SQTAG_TCP_SEND_PENDING);
}
no_more_eagers:
@@ -17700,8 +14679,8 @@ no_more_eagers:
* before sending the conn_ind in tcp_send_conn_ind.
* The ref will be dropped in tcp_accept_finish().
*/
- SQUEUE_ENTER_ONE(econnp->conn_sqp, opt_mp, tcp_accept_finish,
- econnp, SQ_NODRAIN, SQTAG_TCP_ACCEPT_FINISH_Q0);
+ SQUEUE_ENTER_ONE(econnp->conn_sqp, discon_mp, tcp_accept_finish,
+ econnp, NULL, SQ_NODRAIN, SQTAG_TCP_ACCEPT_FINISH_Q0);
return (0);
}
@@ -17712,7 +14691,6 @@ tcp_accept(sock_lower_handle_t lproto_handle,
{
conn_t *lconnp, *econnp;
tcp_t *listener, *eager;
- tcp_stack_t *tcps;
lconnp = (conn_t *)lproto_handle;
listener = lconnp->conn_tcp;
@@ -17720,7 +14698,6 @@ tcp_accept(sock_lower_handle_t lproto_handle,
econnp = (conn_t *)eproto_handle;
eager = econnp->conn_tcp;
ASSERT(eager->tcp_listener != NULL);
- tcps = eager->tcp_tcps;
/*
* It is OK to manipulate these fields outside the eager's squeue
@@ -17732,19 +14709,6 @@ tcp_accept(sock_lower_handle_t lproto_handle,
econnp->conn_upper_handle = sock_handle;
econnp->conn_upcalls = lconnp->conn_upcalls;
ASSERT(IPCL_IS_NONSTR(econnp));
- /*
- * Create helper stream if it is a non-TPI TCP connection.
- */
- if (ip_create_helper_stream(econnp, tcps->tcps_ldi_ident)) {
- ip1dbg(("tcp_accept: create of IP helper stream"
- " failed\n"));
- return (EPROTO);
- }
- eager->tcp_rq = econnp->conn_rq;
- eager->tcp_wq = econnp->conn_wq;
-
- ASSERT(eager->tcp_rq != NULL);
-
return (tcp_accept_common(lconnp, econnp, cr));
}
@@ -17752,7 +14716,7 @@ tcp_accept(sock_lower_handle_t lproto_handle,
/*
* This is the STREAMS entry point for T_CONN_RES coming down on
* Acceptor STREAM when sockfs listener does accept processing.
- * Read the block comment on top of tcp_conn_request().
+ * Read the block comment on top of tcp_input_listener().
*/
void
tcp_tpi_accept(queue_t *q, mblk_t *mp)
@@ -17815,8 +14779,8 @@ tcp_tpi_accept(queue_t *q, mblk_t *mp)
econnp = eager->tcp_connp;
econnp->conn_dev = (dev_t)RD(q)->q_ptr;
econnp->conn_minor_arena = (vmem_t *)(WR(q)->q_ptr);
- eager->tcp_rq = rq;
- eager->tcp_wq = q;
+ econnp->conn_rq = rq;
+ econnp->conn_wq = q;
rq->q_ptr = econnp;
rq->q_qinfo = &tcp_rinitv4; /* No open - same as rinitv6 */
q->q_ptr = econnp;
@@ -17836,7 +14800,7 @@ tcp_tpi_accept(queue_t *q, mblk_t *mp)
* should already be enough space in the mp that came
* down from soaccept().
*/
- if (eager->tcp_family == AF_INET) {
+ if (econnp->conn_family == AF_INET) {
sin_t *sin;
ASSERT((mp->b_datap->db_lim - mp->b_datap->db_base) >=
@@ -17844,8 +14808,8 @@ tcp_tpi_accept(queue_t *q, mblk_t *mp)
sin = (sin_t *)mp->b_wptr;
mp->b_wptr += sizeof (sin_t);
sin->sin_family = AF_INET;
- sin->sin_port = eager->tcp_lport;
- sin->sin_addr.s_addr = eager->tcp_ipha->ipha_src;
+ sin->sin_port = econnp->conn_lport;
+ sin->sin_addr.s_addr = econnp->conn_laddr_v4;
} else {
sin6_t *sin6;
@@ -17854,20 +14818,23 @@ tcp_tpi_accept(queue_t *q, mblk_t *mp)
sin6 = (sin6_t *)mp->b_wptr;
mp->b_wptr += sizeof (sin6_t);
sin6->sin6_family = AF_INET6;
- sin6->sin6_port = eager->tcp_lport;
- if (eager->tcp_ipversion == IPV4_VERSION) {
+ sin6->sin6_port = econnp->conn_lport;
+ sin6->sin6_addr = econnp->conn_laddr_v6;
+ if (econnp->conn_ipversion == IPV4_VERSION) {
sin6->sin6_flowinfo = 0;
- IN6_IPADDR_TO_V4MAPPED(
- eager->tcp_ipha->ipha_src,
- &sin6->sin6_addr);
} else {
ASSERT(eager->tcp_ip6h != NULL);
sin6->sin6_flowinfo =
eager->tcp_ip6h->ip6_vcf &
~IPV6_VERS_AND_FLOW_MASK;
- sin6->sin6_addr = eager->tcp_ip6h->ip6_src;
}
- sin6->sin6_scope_id = 0;
+ if (IN6_IS_ADDR_LINKSCOPE(&econnp->conn_laddr_v6) &&
+ (econnp->conn_ixa->ixa_flags & IXAF_SCOPEID_SET)) {
+ sin6->sin6_scope_id =
+ econnp->conn_ixa->ixa_scopeid;
+ } else {
+ sin6->sin6_scope_id = 0;
+ }
sin6->__sin6_src_id = 0;
}
@@ -17881,97 +14848,6 @@ tcp_tpi_accept(queue_t *q, mblk_t *mp)
}
}
-static int
-tcp_do_getsockname(tcp_t *tcp, struct sockaddr *sa, uint_t *salenp)
-{
- sin_t *sin = (sin_t *)sa;
- sin6_t *sin6 = (sin6_t *)sa;
-
- switch (tcp->tcp_family) {
- case AF_INET:
- ASSERT(tcp->tcp_ipversion == IPV4_VERSION);
-
- if (*salenp < sizeof (sin_t))
- return (EINVAL);
-
- *sin = sin_null;
- sin->sin_family = AF_INET;
- if (tcp->tcp_state >= TCPS_BOUND) {
- sin->sin_port = tcp->tcp_lport;
- sin->sin_addr.s_addr = tcp->tcp_ipha->ipha_src;
- }
- *salenp = sizeof (sin_t);
- break;
-
- case AF_INET6:
- if (*salenp < sizeof (sin6_t))
- return (EINVAL);
-
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- if (tcp->tcp_state >= TCPS_BOUND) {
- sin6->sin6_port = tcp->tcp_lport;
- mutex_enter(&tcp->tcp_connp->conn_lock);
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- IN6_IPADDR_TO_V4MAPPED(tcp->tcp_ipha->ipha_src,
- &sin6->sin6_addr);
- } else {
- sin6->sin6_addr = tcp->tcp_ip6h->ip6_src;
- }
- mutex_exit(&tcp->tcp_connp->conn_lock);
- }
- *salenp = sizeof (sin6_t);
- break;
- }
-
- return (0);
-}
-
-static int
-tcp_do_getpeername(tcp_t *tcp, struct sockaddr *sa, uint_t *salenp)
-{
- sin_t *sin = (sin_t *)sa;
- sin6_t *sin6 = (sin6_t *)sa;
-
- if (tcp->tcp_state < TCPS_SYN_RCVD)
- return (ENOTCONN);
-
- switch (tcp->tcp_family) {
- case AF_INET:
- ASSERT(tcp->tcp_ipversion == IPV4_VERSION);
-
- if (*salenp < sizeof (sin_t))
- return (EINVAL);
-
- *sin = sin_null;
- sin->sin_family = AF_INET;
- sin->sin_port = tcp->tcp_fport;
- IN6_V4MAPPED_TO_IPADDR(&tcp->tcp_remote_v6,
- sin->sin_addr.s_addr);
- *salenp = sizeof (sin_t);
- break;
-
- case AF_INET6:
- if (*salenp < sizeof (sin6_t))
- return (EINVAL);
-
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_port = tcp->tcp_fport;
- sin6->sin6_addr = tcp->tcp_remote_v6;
- mutex_enter(&tcp->tcp_connp->conn_lock);
- if (tcp->tcp_ipversion == IPV6_VERSION) {
- sin6->sin6_flowinfo = tcp->tcp_ip6h->ip6_vcf &
- ~IPV6_VERS_AND_FLOW_MASK;
- }
- mutex_exit(&tcp->tcp_connp->conn_lock);
- *salenp = sizeof (sin6_t);
- break;
- }
-
- return (0);
-}
-
/*
* Handle special out-of-band ioctl requests (see PSARC/2008/265).
*/
@@ -17980,7 +14856,8 @@ tcp_wput_cmdblk(queue_t *q, mblk_t *mp)
{
void *data;
mblk_t *datamp = mp->b_cont;
- tcp_t *tcp = Q_TO_TCP(q);
+ conn_t *connp = Q_TO_CONN(q);
+ tcp_t *tcp = connp->conn_tcp;
cmdblk_t *cmdp = (cmdblk_t *)mp->b_rptr;
if (datamp == NULL || MBLKL(datamp) < cmdp->cb_len) {
@@ -17993,10 +14870,14 @@ tcp_wput_cmdblk(queue_t *q, mblk_t *mp)
switch (cmdp->cb_cmd) {
case TI_GETPEERNAME:
- cmdp->cb_error = tcp_do_getpeername(tcp, data, &cmdp->cb_len);
+ if (tcp->tcp_state < TCPS_SYN_RCVD)
+ cmdp->cb_error = ENOTCONN;
+ else
+ cmdp->cb_error = conn_getpeername(connp, data,
+ &cmdp->cb_len);
break;
case TI_GETMYNAME:
- cmdp->cb_error = tcp_do_getsockname(tcp, data, &cmdp->cb_len);
+ cmdp->cb_error = conn_getsockname(connp, data, &cmdp->cb_len);
break;
default:
cmdp->cb_error = EINVAL;
@@ -18029,14 +14910,14 @@ tcp_wput(queue_t *q, mblk_t *mp)
mutex_enter(&tcp->tcp_non_sq_lock);
tcp->tcp_squeue_bytes += size;
- if (TCP_UNSENT_BYTES(tcp) > tcp->tcp_xmit_hiwater) {
+ if (TCP_UNSENT_BYTES(tcp) > connp->conn_sndbuf) {
tcp_setqfull(tcp);
}
mutex_exit(&tcp->tcp_non_sq_lock);
CONN_INC_REF(connp);
SQUEUE_ENTER_ONE(connp->conn_sqp, mp, tcp_output, connp,
- tcp_squeue_flag, SQTAG_TCP_OUTPUT);
+ NULL, tcp_squeue_flag, SQTAG_TCP_OUTPUT);
return;
case M_CMD:
@@ -18053,7 +14934,7 @@ tcp_wput(queue_t *q, mblk_t *mp)
if ((mp->b_wptr - rptr) >= sizeof (t_scalar_t)) {
type = ((union T_primitives *)rptr)->type;
} else {
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"tcp_wput_proto, dropping one...");
@@ -18093,7 +14974,7 @@ tcp_wput(queue_t *q, mblk_t *mp)
/*
* Most ioctls can be processed right away without going via
* squeues - process them right here. Those that do require
- * squeue (currently TCP_IOC_DEFAULT_Q and _SIOCSOCKFALLBACK)
+ * squeue (currently _SIOCSOCKFALLBACK)
* are processed by tcp_wput_ioctl().
*/
iocp = (struct iocblk *)mp->b_rptr;
@@ -18111,26 +14992,13 @@ tcp_wput(queue_t *q, mblk_t *mp)
case ND_SET:
/* nd_getset does the necessary checks */
case ND_GET:
- if (!nd_getset(q, tcps->tcps_g_nd, mp)) {
- CALL_IP_WPUT(connp, q, mp);
- return;
- }
- qreply(q, mp);
- return;
- case TCP_IOC_DEFAULT_Q:
- /*
- * Wants to be the default wq. Check the credentials
- * first, the rest is executed via squeue.
- */
- if (secpolicy_ip_config(iocp->ioc_cr, B_FALSE) != 0) {
- iocp->ioc_error = EPERM;
- iocp->ioc_count = 0;
- mp->b_datap->db_type = M_IOCACK;
+ if (nd_getset(q, tcps->tcps_g_nd, mp)) {
qreply(q, mp);
return;
}
- output_proc = tcp_wput_ioctl;
- break;
+ ip_wput_nondata(q, mp);
+ return;
+
default:
output_proc = tcp_wput_ioctl;
break;
@@ -18143,7 +15011,7 @@ tcp_wput(queue_t *q, mblk_t *mp)
CONN_INC_REF(connp);
SQUEUE_ENTER_ONE(connp->conn_sqp, mp, output_proc, connp,
- tcp_squeue_flag, SQTAG_TCP_WPUT_OTHER);
+ NULL, tcp_squeue_flag, SQTAG_TCP_WPUT_OTHER);
}
/*
@@ -18188,52 +15056,32 @@ tcp_wput_fallback(queue_t *wq, mblk_t *mp)
freemsg(mp);
}
+/*
+ * Check the usability of ZEROCOPY. It's instead checking the flag set by IP.
+ */
static boolean_t
tcp_zcopy_check(tcp_t *tcp)
{
- conn_t *connp = tcp->tcp_connp;
- ire_t *ire;
+ conn_t *connp = tcp->tcp_connp;
+ ip_xmit_attr_t *ixa = connp->conn_ixa;
boolean_t zc_enabled = B_FALSE;
tcp_stack_t *tcps = tcp->tcp_tcps;
if (do_tcpzcopy == 2)
zc_enabled = B_TRUE;
- else if (tcp->tcp_ipversion == IPV4_VERSION &&
- IPCL_IS_CONNECTED(connp) &&
- (connp->conn_flags & IPCL_CHECK_POLICY) == 0 &&
- connp->conn_dontroute == 0 &&
- !connp->conn_nexthop_set &&
- connp->conn_outgoing_ill == NULL &&
- do_tcpzcopy == 1) {
- /*
- * the checks above closely resemble the fast path checks
- * in tcp_send_data().
- */
- mutex_enter(&connp->conn_lock);
- ire = connp->conn_ire_cache;
- ASSERT(!(connp->conn_state_flags & CONN_INCIPIENT));
- if (ire != NULL && !(ire->ire_marks & IRE_MARK_CONDEMNED)) {
- IRE_REFHOLD(ire);
- if (ire->ire_stq != NULL) {
- ill_t *ill = (ill_t *)ire->ire_stq->q_ptr;
-
- zc_enabled = ill && (ill->ill_capabilities &
- ILL_CAPAB_ZEROCOPY) &&
- (ill->ill_zerocopy_capab->
- ill_zerocopy_flags != 0);
- }
- IRE_REFRELE(ire);
- }
- mutex_exit(&connp->conn_lock);
- }
+ else if ((do_tcpzcopy == 1) && (ixa->ixa_flags & IXAF_ZCOPY_CAPAB))
+ zc_enabled = B_TRUE;
+
tcp->tcp_snd_zcopy_on = zc_enabled;
if (!TCP_IS_DETACHED(tcp)) {
if (zc_enabled) {
- (void) proto_set_tx_copyopt(tcp->tcp_rq, connp,
+ ixa->ixa_flags |= IXAF_VERIFY_ZCOPY;
+ (void) proto_set_tx_copyopt(connp->conn_rq, connp,
ZCVMSAFE);
TCP_STAT(tcps, tcp_zcopy_on);
} else {
- (void) proto_set_tx_copyopt(tcp->tcp_rq, connp,
+ ixa->ixa_flags &= ~IXAF_VERIFY_ZCOPY;
+ (void) proto_set_tx_copyopt(connp->conn_rq, connp,
ZCVMUNSAFE);
TCP_STAT(tcps, tcp_zcopy_off);
}
@@ -18241,99 +15089,84 @@ tcp_zcopy_check(tcp_t *tcp)
return (zc_enabled);
}
-static mblk_t *
-tcp_zcopy_disable(tcp_t *tcp, mblk_t *bp)
-{
- tcp_stack_t *tcps = tcp->tcp_tcps;
-
- if (do_tcpzcopy == 2)
- return (bp);
- else if (tcp->tcp_snd_zcopy_on) {
- tcp->tcp_snd_zcopy_on = B_FALSE;
- if (!TCP_IS_DETACHED(tcp)) {
- (void) proto_set_tx_copyopt(tcp->tcp_rq, tcp->tcp_connp,
- ZCVMUNSAFE);
- TCP_STAT(tcps, tcp_zcopy_disable);
- }
- }
- return (tcp_zcopy_backoff(tcp, bp, 0));
-}
-
/*
- * Backoff from a zero-copy mblk by copying data to a new mblk and freeing
- * the original desballoca'ed segmapped mblk.
+ * Backoff from a zero-copy message by copying data to a new allocated
+ * message and freeing the original desballoca'ed segmapped message.
+ *
+ * This function is called by following two callers:
+ * 1. tcp_timer: fix_xmitlist is set to B_TRUE, because it's safe to free
+ * the origial desballoca'ed message and notify sockfs. This is in re-
+ * transmit state.
+ * 2. tcp_output: fix_xmitlist is set to B_FALSE. Flag STRUIO_ZCNOTIFY need
+ * to be copied to new message.
*/
static mblk_t *
-tcp_zcopy_backoff(tcp_t *tcp, mblk_t *bp, int fix_xmitlist)
+tcp_zcopy_backoff(tcp_t *tcp, mblk_t *bp, boolean_t fix_xmitlist)
{
- mblk_t *head, *tail, *nbp;
+ mblk_t *nbp;
+ mblk_t *head = NULL;
+ mblk_t *tail = NULL;
tcp_stack_t *tcps = tcp->tcp_tcps;
- if (IS_VMLOANED_MBLK(bp)) {
- TCP_STAT(tcps, tcp_zcopy_backoff);
- if ((head = copyb(bp)) == NULL) {
- /* fail to backoff; leave it for the next backoff */
- tcp->tcp_xmit_zc_clean = B_FALSE;
- return (bp);
- }
- if (bp->b_datap->db_struioflag & STRUIO_ZCNOTIFY) {
- if (fix_xmitlist)
- tcp_zcopy_notify(tcp);
- else
- head->b_datap->db_struioflag |= STRUIO_ZCNOTIFY;
- }
- nbp = bp->b_cont;
- if (fix_xmitlist) {
- head->b_prev = bp->b_prev;
- head->b_next = bp->b_next;
- if (tcp->tcp_xmit_tail == bp)
- tcp->tcp_xmit_tail = head;
- }
- bp->b_next = NULL;
- bp->b_prev = NULL;
- freeb(bp);
- } else {
- head = bp;
- nbp = bp->b_cont;
- }
- tail = head;
- while (nbp) {
- if (IS_VMLOANED_MBLK(nbp)) {
+ ASSERT(bp != NULL);
+ while (bp != NULL) {
+ if (IS_VMLOANED_MBLK(bp)) {
TCP_STAT(tcps, tcp_zcopy_backoff);
- if ((tail->b_cont = copyb(nbp)) == NULL) {
+ if ((nbp = copyb(bp)) == NULL) {
tcp->tcp_xmit_zc_clean = B_FALSE;
- tail->b_cont = nbp;
- return (head);
+ if (tail != NULL)
+ tail->b_cont = bp;
+ return ((head == NULL) ? bp : head);
}
- tail = tail->b_cont;
- if (nbp->b_datap->db_struioflag & STRUIO_ZCNOTIFY) {
+
+ if (bp->b_datap->db_struioflag & STRUIO_ZCNOTIFY) {
if (fix_xmitlist)
tcp_zcopy_notify(tcp);
else
- tail->b_datap->db_struioflag |=
+ nbp->b_datap->db_struioflag |=
STRUIO_ZCNOTIFY;
}
- bp = nbp;
- nbp = nbp->b_cont;
+ nbp->b_cont = bp->b_cont;
+
+ /*
+ * Copy saved information and adjust tcp_xmit_tail
+ * if needed.
+ */
if (fix_xmitlist) {
- tail->b_prev = bp->b_prev;
- tail->b_next = bp->b_next;
+ nbp->b_prev = bp->b_prev;
+ nbp->b_next = bp->b_next;
+
if (tcp->tcp_xmit_tail == bp)
- tcp->tcp_xmit_tail = tail;
+ tcp->tcp_xmit_tail = nbp;
}
- bp->b_next = NULL;
+
+ /* Free the original message. */
bp->b_prev = NULL;
+ bp->b_next = NULL;
freeb(bp);
+
+ bp = nbp;
+ }
+
+ if (head == NULL) {
+ head = bp;
+ }
+ if (tail == NULL) {
+ tail = bp;
} else {
- tail->b_cont = nbp;
- tail = nbp;
- nbp = nbp->b_cont;
+ tail->b_cont = bp;
+ tail = bp;
}
+
+ /* Move forward. */
+ bp = bp->b_cont;
}
+
if (fix_xmitlist) {
tcp->tcp_xmit_last = tail;
tcp->tcp_xmit_zc_clean = B_TRUE;
}
+
return (head);
}
@@ -18341,7 +15174,7 @@ static void
tcp_zcopy_notify(tcp_t *tcp)
{
struct stdata *stp;
- conn_t *connp;
+ conn_t *connp;
if (tcp->tcp_detached)
return;
@@ -18351,323 +15184,149 @@ tcp_zcopy_notify(tcp_t *tcp)
(connp->conn_upper_handle);
return;
}
- stp = STREAM(tcp->tcp_rq);
+ stp = STREAM(connp->conn_rq);
mutex_enter(&stp->sd_lock);
stp->sd_flag |= STZCNOTIFY;
cv_broadcast(&stp->sd_zcopy_wait);
mutex_exit(&stp->sd_lock);
}
-static boolean_t
-tcp_send_find_ire(tcp_t *tcp, ipaddr_t *dst, ire_t **irep)
+/*
+ * Update the TCP connection according to change of LSO capability.
+ */
+static void
+tcp_update_lso(tcp_t *tcp, ip_xmit_attr_t *ixa)
{
- ire_t *ire;
- conn_t *connp = tcp->tcp_connp;
- tcp_stack_t *tcps = tcp->tcp_tcps;
- ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
-
- mutex_enter(&connp->conn_lock);
- ire = connp->conn_ire_cache;
- ASSERT(!(connp->conn_state_flags & CONN_INCIPIENT));
-
- if ((ire != NULL) &&
- (((dst != NULL) && (ire->ire_addr == *dst)) || ((dst == NULL) &&
- IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, &tcp->tcp_ip6h->ip6_dst))) &&
- !(ire->ire_marks & IRE_MARK_CONDEMNED)) {
- IRE_REFHOLD(ire);
- mutex_exit(&connp->conn_lock);
- } else {
- boolean_t cached = B_FALSE;
- ts_label_t *tsl;
-
- /* force a recheck later on */
- tcp->tcp_ire_ill_check_done = B_FALSE;
-
- TCP_DBGSTAT(tcps, tcp_ire_null1);
- connp->conn_ire_cache = NULL;
- mutex_exit(&connp->conn_lock);
-
- if (ire != NULL)
- IRE_REFRELE_NOTR(ire);
-
- tsl = crgetlabel(CONN_CRED(connp));
- ire = (dst ?
- ire_cache_lookup(*dst, connp->conn_zoneid, tsl, ipst) :
- ire_cache_lookup_v6(&tcp->tcp_ip6h->ip6_dst,
- connp->conn_zoneid, tsl, ipst));
+ /*
+ * We check against IPv4 header length to preserve the old behavior
+ * of only enabling LSO when there are no IP options.
+ * But this restriction might not be necessary at all. Before removing
+ * it, need to verify how LSO is handled for source routing case, with
+ * which IP does software checksum.
+ *
+ * For IPv6, whenever any extension header is needed, LSO is supressed.
+ */
+ if (ixa->ixa_ip_hdr_length != ((ixa->ixa_flags & IXAF_IS_IPV4) ?
+ IP_SIMPLE_HDR_LENGTH : IPV6_HDR_LEN))
+ return;
- if (ire == NULL) {
- TCP_STAT(tcps, tcp_ire_null);
- return (B_FALSE);
- }
+ /*
+ * Either the LSO capability newly became usable, or it has changed.
+ */
+ if (ixa->ixa_flags & IXAF_LSO_CAPAB) {
+ ill_lso_capab_t *lsoc = &ixa->ixa_lso_capab;
- IRE_REFHOLD_NOTR(ire);
+ ASSERT(lsoc->ill_lso_max > 0);
+ tcp->tcp_lso_max = MIN(TCP_MAX_LSO_LENGTH, lsoc->ill_lso_max);
- mutex_enter(&connp->conn_lock);
- if (CONN_CACHE_IRE(connp)) {
- rw_enter(&ire->ire_bucket->irb_lock, RW_READER);
- if (!(ire->ire_marks & IRE_MARK_CONDEMNED)) {
- TCP_CHECK_IREINFO(tcp, ire);
- connp->conn_ire_cache = ire;
- cached = B_TRUE;
- }
- rw_exit(&ire->ire_bucket->irb_lock);
- }
- mutex_exit(&connp->conn_lock);
+ DTRACE_PROBE3(tcp_update_lso, boolean_t, tcp->tcp_lso,
+ boolean_t, B_TRUE, uint32_t, tcp->tcp_lso_max);
/*
- * We can continue to use the ire but since it was
- * not cached, we should drop the extra reference.
+ * If LSO to be enabled, notify the STREAM header with larger
+ * data block.
*/
- if (!cached)
- IRE_REFRELE_NOTR(ire);
+ if (!tcp->tcp_lso)
+ tcp->tcp_maxpsz_multiplier = 0;
+
+ tcp->tcp_lso = B_TRUE;
+ TCP_STAT(tcp->tcp_tcps, tcp_lso_enabled);
+ } else { /* LSO capability is not usable any more. */
+ DTRACE_PROBE3(tcp_update_lso, boolean_t, tcp->tcp_lso,
+ boolean_t, B_FALSE, uint32_t, tcp->tcp_lso_max);
/*
- * Rampart note: no need to select a new label here, since
- * labels are not allowed to change during the life of a TCP
- * connection.
+ * If LSO to be disabled, notify the STREAM header with smaller
+ * data block. And need to restore fragsize to PMTU.
*/
+ if (tcp->tcp_lso) {
+ tcp->tcp_maxpsz_multiplier =
+ tcp->tcp_tcps->tcps_maxpsz_multiplier;
+ ixa->ixa_fragsize = ixa->ixa_pmtu;
+ tcp->tcp_lso = B_FALSE;
+ TCP_STAT(tcp->tcp_tcps, tcp_lso_disabled);
+ }
}
- *irep = ire;
-
- return (B_TRUE);
+ (void) tcp_maxpsz_set(tcp, B_TRUE);
}
/*
- * Called from tcp_send() or tcp_send_data() to find workable IRE.
- *
- * 0 = success;
- * 1 = failed to find ire and ill.
+ * Update the TCP connection according to change of ZEROCOPY capability.
*/
-static boolean_t
-tcp_send_find_ire_ill(tcp_t *tcp, mblk_t *mp, ire_t **irep, ill_t **illp)
+static void
+tcp_update_zcopy(tcp_t *tcp)
{
- ipha_t *ipha;
- ipaddr_t dst;
- ire_t *ire;
- ill_t *ill;
- mblk_t *ire_fp_mp;
+ conn_t *connp = tcp->tcp_connp;
tcp_stack_t *tcps = tcp->tcp_tcps;
- if (mp != NULL)
- ipha = (ipha_t *)mp->b_rptr;
- else
- ipha = tcp->tcp_ipha;
- dst = ipha->ipha_dst;
-
- if (!tcp_send_find_ire(tcp, &dst, &ire))
- return (B_FALSE);
-
- if ((ire->ire_flags & RTF_MULTIRT) ||
- (ire->ire_stq == NULL) ||
- (ire->ire_nce == NULL) ||
- ((ire_fp_mp = ire->ire_nce->nce_fp_mp) == NULL) ||
- ((mp != NULL) && (ire->ire_max_frag < ntohs(ipha->ipha_length) ||
- MBLKL(ire_fp_mp) > MBLKHEAD(mp)))) {
- TCP_STAT(tcps, tcp_ip_ire_send);
- IRE_REFRELE(ire);
- return (B_FALSE);
+ if (tcp->tcp_snd_zcopy_on) {
+ tcp->tcp_snd_zcopy_on = B_FALSE;
+ if (!TCP_IS_DETACHED(tcp)) {
+ (void) proto_set_tx_copyopt(connp->conn_rq, connp,
+ ZCVMUNSAFE);
+ TCP_STAT(tcps, tcp_zcopy_off);
+ }
+ } else {
+ tcp->tcp_snd_zcopy_on = B_TRUE;
+ if (!TCP_IS_DETACHED(tcp)) {
+ (void) proto_set_tx_copyopt(connp->conn_rq, connp,
+ ZCVMSAFE);
+ TCP_STAT(tcps, tcp_zcopy_on);
+ }
}
+}
- ill = ire_to_ill(ire);
- ASSERT(ill != NULL);
+/*
+ * Notify function registered with ip_xmit_attr_t. It's called in the squeue
+ * so it's safe to update the TCP connection.
+ */
+/* ARGSUSED1 */
+static void
+tcp_notify(void *arg, ip_xmit_attr_t *ixa, ixa_notify_type_t ntype,
+ ixa_notify_arg_t narg)
+{
+ tcp_t *tcp = (tcp_t *)arg;
+ conn_t *connp = tcp->tcp_connp;
- if (!tcp->tcp_ire_ill_check_done) {
- tcp_ire_ill_check(tcp, ire, ill, B_TRUE);
- tcp->tcp_ire_ill_check_done = B_TRUE;
+ switch (ntype) {
+ case IXAN_LSO:
+ tcp_update_lso(tcp, connp->conn_ixa);
+ break;
+ case IXAN_PMTU:
+ tcp_update_pmtu(tcp, B_FALSE);
+ break;
+ case IXAN_ZCOPY:
+ tcp_update_zcopy(tcp);
+ break;
+ default:
+ break;
}
-
- *irep = ire;
- *illp = ill;
-
- return (B_TRUE);
}
static void
-tcp_send_data(tcp_t *tcp, queue_t *q, mblk_t *mp)
+tcp_send_data(tcp_t *tcp, mblk_t *mp)
{
- ipha_t *ipha;
- ipaddr_t src;
- ipaddr_t dst;
- uint32_t cksum;
- ire_t *ire;
- uint16_t *up;
- ill_t *ill;
conn_t *connp = tcp->tcp_connp;
- uint32_t hcksum_txflags = 0;
- mblk_t *ire_fp_mp;
- uint_t ire_fp_mp_len;
- tcp_stack_t *tcps = tcp->tcp_tcps;
- ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
- cred_t *cr;
- pid_t cpid;
-
- ASSERT(DB_TYPE(mp) == M_DATA);
/*
- * Here we need to handle the overloading of the cred_t for
- * both getpeerucred and TX.
- * If this is a SYN then the caller already set db_credp so
- * that getpeerucred will work. But if TX is in use we might have
- * a conn_effective_cred which is different, and we need to use that
- * cred to make TX use the correct label and label dependent route.
+ * Check here to avoid sending zero-copy message down to IP when
+ * ZEROCOPY capability has turned off. We only need to deal with
+ * the race condition between sockfs and the notification here.
+ * Since we have tried to backoff the tcp_xmit_head when turning
+ * zero-copy off and new messages in tcp_output(), we simply drop
+ * the dup'ed packet here and let tcp retransmit, if tcp_xmit_zc_clean
+ * is not true.
*/
- if (is_system_labeled()) {
- cr = msg_getcred(mp, &cpid);
- if (cr == NULL || connp->conn_effective_cred != NULL)
- mblk_setcred(mp, CONN_CRED(connp), cpid);
- }
-
- ipha = (ipha_t *)mp->b_rptr;
- src = ipha->ipha_src;
- dst = ipha->ipha_dst;
-
- ASSERT(q != NULL);
- DTRACE_PROBE2(tcp__trace__send, mblk_t *, mp, tcp_t *, tcp);
-
- /*
- * Drop off fast path for IPv6 and also if options are present or
- * we need to resolve a TS label.
- */
- if (tcp->tcp_ipversion != IPV4_VERSION ||
- !IPCL_IS_CONNECTED(connp) ||
- !CONN_IS_LSO_MD_FASTPATH(connp) ||
- (connp->conn_flags & IPCL_CHECK_POLICY) != 0 ||
- !connp->conn_ulp_labeled ||
- ipha->ipha_ident == IP_HDR_INCLUDED ||
- ipha->ipha_version_and_hdr_length != IP_SIMPLE_HDR_VERSION ||
- IPP_ENABLED(IPP_LOCAL_OUT, ipst)) {
- if (tcp->tcp_snd_zcopy_aware)
- mp = tcp_zcopy_disable(tcp, mp);
- TCP_STAT(tcps, tcp_ip_send);
- CALL_IP_WPUT(connp, q, mp);
- return;
- }
-
- if (!tcp_send_find_ire_ill(tcp, mp, &ire, &ill)) {
- if (tcp->tcp_snd_zcopy_aware)
- mp = tcp_zcopy_backoff(tcp, mp, 0);
- CALL_IP_WPUT(connp, q, mp);
+ if (tcp->tcp_snd_zcopy_aware && !tcp->tcp_snd_zcopy_on &&
+ !tcp->tcp_xmit_zc_clean) {
+ ip_drop_output("TCP ZC was disabled but not clean", mp, NULL);
+ freemsg(mp);
return;
}
- ire_fp_mp = ire->ire_nce->nce_fp_mp;
- ire_fp_mp_len = MBLKL(ire_fp_mp);
-
- ASSERT(ipha->ipha_ident == 0 || ipha->ipha_ident == IP_HDR_INCLUDED);
- ipha->ipha_ident = (uint16_t)atomic_add_32_nv(&ire->ire_ident, 1);
-#ifndef _BIG_ENDIAN
- ipha->ipha_ident = (ipha->ipha_ident << 8) | (ipha->ipha_ident >> 8);
-#endif
-
- /*
- * Check to see if we need to re-enable LSO/MDT for this connection
- * because it was previously disabled due to changes in the ill;
- * note that by doing it here, this re-enabling only applies when
- * the packet is not dispatched through CALL_IP_WPUT().
- *
- * That means for IPv4, it is worth re-enabling LSO/MDT for the fastpath
- * case, since that's how we ended up here. For IPv6, we do the
- * re-enabling work in ip_xmit_v6(), albeit indirectly via squeue.
- */
- if (connp->conn_lso_ok && !tcp->tcp_lso && ILL_LSO_TCP_USABLE(ill)) {
- /*
- * Restore LSO for this connection, so that next time around
- * it is eligible to go through tcp_lsosend() path again.
- */
- TCP_STAT(tcps, tcp_lso_enabled);
- tcp->tcp_lso = B_TRUE;
- ip1dbg(("tcp_send_data: reenabling LSO for connp %p on "
- "interface %s\n", (void *)connp, ill->ill_name));
- } else if (connp->conn_mdt_ok && !tcp->tcp_mdt && ILL_MDT_USABLE(ill)) {
- /*
- * Restore MDT for this connection, so that next time around
- * it is eligible to go through tcp_multisend() path again.
- */
- TCP_STAT(tcps, tcp_mdt_conn_resumed1);
- tcp->tcp_mdt = B_TRUE;
- ip1dbg(("tcp_send_data: reenabling MDT for connp %p on "
- "interface %s\n", (void *)connp, ill->ill_name));
- }
-
- if (tcp->tcp_snd_zcopy_aware) {
- if ((ill->ill_capabilities & ILL_CAPAB_ZEROCOPY) == 0 ||
- (ill->ill_zerocopy_capab->ill_zerocopy_flags == 0))
- mp = tcp_zcopy_disable(tcp, mp);
- /*
- * we shouldn't need to reset ipha as the mp containing
- * ipha should never be a zero-copy mp.
- */
- }
-
- if (ILL_HCKSUM_CAPABLE(ill) && dohwcksum) {
- ASSERT(ill->ill_hcksum_capab != NULL);
- hcksum_txflags = ill->ill_hcksum_capab->ill_hcksum_txflags;
- }
-
- /* pseudo-header checksum (do it in parts for IP header checksum) */
- cksum = (dst >> 16) + (dst & 0xFFFF) + (src >> 16) + (src & 0xFFFF);
-
- ASSERT(ipha->ipha_version_and_hdr_length == IP_SIMPLE_HDR_VERSION);
- up = IPH_TCPH_CHECKSUMP(ipha, IP_SIMPLE_HDR_LENGTH);
-
- IP_CKSUM_XMIT_FAST(ire->ire_ipversion, hcksum_txflags, mp, ipha, up,
- IPPROTO_TCP, IP_SIMPLE_HDR_LENGTH, ntohs(ipha->ipha_length), cksum);
-
- /* Software checksum? */
- if (DB_CKSUMFLAGS(mp) == 0) {
- TCP_STAT(tcps, tcp_out_sw_cksum);
- TCP_STAT_UPDATE(tcps, tcp_out_sw_cksum_bytes,
- ntohs(ipha->ipha_length) - IP_SIMPLE_HDR_LENGTH);
- }
-
- /* Calculate IP header checksum if hardware isn't capable */
- if (!(DB_CKSUMFLAGS(mp) & HCK_IPV4_HDRCKSUM)) {
- IP_HDR_CKSUM(ipha, cksum, ((uint32_t *)ipha)[0],
- ((uint16_t *)ipha)[4]);
- }
- ASSERT(DB_TYPE(ire_fp_mp) == M_DATA);
- mp->b_rptr = (uchar_t *)ipha - ire_fp_mp_len;
- bcopy(ire_fp_mp->b_rptr, mp->b_rptr, ire_fp_mp_len);
-
- UPDATE_OB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
-
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutTransmits);
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutOctets,
- ntohs(ipha->ipha_length));
-
- DTRACE_PROBE4(ip4__physical__out__start,
- ill_t *, NULL, ill_t *, ill, ipha_t *, ipha, mblk_t *, mp);
- FW_HOOKS(ipst->ips_ip4_physical_out_event,
- ipst->ips_ipv4firewall_physical_out,
- NULL, ill, ipha, mp, mp, 0, ipst);
- DTRACE_PROBE1(ip4__physical__out__end, mblk_t *, mp);
- DTRACE_IP_FASTPATH(mp, ipha, ill, ipha, NULL);
-
- if (mp != NULL) {
- if (ipst->ips_ip4_observe.he_interested) {
- zoneid_t szone;
-
- /*
- * Both of these functions expect b_rptr to be
- * where the IP header starts, so advance past the
- * link layer header if present.
- */
- mp->b_rptr += ire_fp_mp_len;
- szone = ip_get_zoneid_v4(ipha->ipha_src, mp,
- ipst, ALL_ZONES);
- ipobs_hook(mp, IPOBS_HOOK_OUTBOUND, szone,
- ALL_ZONES, ill, ipst);
- mp->b_rptr -= ire_fp_mp_len;
- }
-
- ILL_SEND_TX(ill, ire, connp, mp, 0, NULL);
- }
-
- IRE_REFRELE(ire);
+ ASSERT(connp->conn_ixa->ixa_notify_cookie == connp->conn_tcp);
+ (void) conn_ip_output(mp, connp->conn_ixa);
}
/*
@@ -18731,15 +15390,13 @@ tcp_wput_data(tcp_t *tcp, mblk_t *mp, boolean_t urgent)
int tcpstate;
int usable = 0;
mblk_t *xmit_tail;
- queue_t *q = tcp->tcp_wq;
int32_t mss;
int32_t num_sack_blk = 0;
+ int32_t total_hdr_len;
int32_t tcp_hdr_len;
- int32_t tcp_tcp_hdr_len;
- int mdt_thres;
int rc;
tcp_stack_t *tcps = tcp->tcp_tcps;
- ip_stack_t *ipst;
+ conn_t *connp = tcp->tcp_connp;
tcpstate = tcp->tcp_state;
if (mp == NULL) {
@@ -18771,7 +15428,7 @@ tcp_wput_data(tcp_t *tcp, mblk_t *mp, boolean_t urgent)
tcp_display(tcp, NULL,
DISP_ADDR_AND_PORT));
#else
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1,
SL_TRACE|SL_ERROR,
"tcp_wput_data: data after ordrel, %s\n",
@@ -18781,12 +15438,12 @@ tcp_wput_data(tcp_t *tcp, mblk_t *mp, boolean_t urgent)
#endif /* DEBUG */
}
if (tcp->tcp_snd_zcopy_aware &&
- (mp->b_datap->db_struioflag & STRUIO_ZCNOTIFY) != 0)
+ (mp->b_datap->db_struioflag & STRUIO_ZCNOTIFY))
tcp_zcopy_notify(tcp);
freemsg(mp);
mutex_enter(&tcp->tcp_non_sq_lock);
if (tcp->tcp_flow_stopped &&
- TCP_UNSENT_BYTES(tcp) <= tcp->tcp_xmit_lowater) {
+ TCP_UNSENT_BYTES(tcp) <= connp->conn_sndlowat) {
tcp_clrqfull(tcp);
}
mutex_exit(&tcp->tcp_non_sq_lock);
@@ -18886,12 +15543,12 @@ data_null:
opt_len = num_sack_blk * sizeof (sack_blk_t) + TCPOPT_NOP_LEN *
2 + TCPOPT_HEADER_LEN;
mss = tcp->tcp_mss - opt_len;
- tcp_hdr_len = tcp->tcp_hdr_len + opt_len;
- tcp_tcp_hdr_len = tcp->tcp_tcp_hdr_len + opt_len;
+ total_hdr_len = connp->conn_ht_iphc_len + opt_len;
+ tcp_hdr_len = connp->conn_ht_ulp_len + opt_len;
} else {
mss = tcp->tcp_mss;
- tcp_hdr_len = tcp->tcp_hdr_len;
- tcp_tcp_hdr_len = tcp->tcp_tcp_hdr_len;
+ total_hdr_len = connp->conn_ht_iphc_len;
+ tcp_hdr_len = connp->conn_ht_ulp_len;
}
if ((tcp->tcp_suna == snxt) && !tcp->tcp_localnet &&
@@ -18913,7 +15570,7 @@ data_null:
* In the special case when cwnd is zero, which can only
* happen if the connection is ECN capable, return now.
* New segments is sent using tcp_timer(). The timer
- * is set in tcp_rput_data().
+ * is set in tcp_input_data().
*/
if (tcp->tcp_cwnd == 0) {
/*
@@ -19023,66 +15680,12 @@ data_null:
}
/* Update the latest receive window size in TCP header. */
- U32_TO_ABE16(tcp->tcp_rwnd >> tcp->tcp_rcv_ws,
- tcp->tcp_tcph->th_win);
+ tcp->tcp_tcpha->tha_win = htons(tcp->tcp_rwnd >> tcp->tcp_rcv_ws);
- /*
- * Determine if it's worthwhile to attempt LSO or MDT, based on:
- *
- * 1. Simple TCP/IP{v4,v6} (no options).
- * 2. IPSEC/IPQoS processing is not needed for the TCP connection.
- * 3. If the TCP connection is in ESTABLISHED state.
- * 4. The TCP is not detached.
- *
- * If any of the above conditions have changed during the
- * connection, stop using LSO/MDT and restore the stream head
- * parameters accordingly.
- */
- ipst = tcps->tcps_netstack->netstack_ip;
-
- if ((tcp->tcp_lso || tcp->tcp_mdt) &&
- ((tcp->tcp_ipversion == IPV4_VERSION &&
- tcp->tcp_ip_hdr_len != IP_SIMPLE_HDR_LENGTH) ||
- (tcp->tcp_ipversion == IPV6_VERSION &&
- tcp->tcp_ip_hdr_len != IPV6_HDR_LEN) ||
- tcp->tcp_state != TCPS_ESTABLISHED ||
- TCP_IS_DETACHED(tcp) || !CONN_IS_LSO_MD_FASTPATH(tcp->tcp_connp) ||
- CONN_IPSEC_OUT_ENCAPSULATED(tcp->tcp_connp) ||
- IPP_ENABLED(IPP_LOCAL_OUT, ipst))) {
- if (tcp->tcp_lso) {
- tcp->tcp_connp->conn_lso_ok = B_FALSE;
- tcp->tcp_lso = B_FALSE;
- } else {
- tcp->tcp_connp->conn_mdt_ok = B_FALSE;
- tcp->tcp_mdt = B_FALSE;
- }
-
- /* Anything other than detached is considered pathological */
- if (!TCP_IS_DETACHED(tcp)) {
- if (tcp->tcp_lso)
- TCP_STAT(tcps, tcp_lso_disabled);
- else
- TCP_STAT(tcps, tcp_mdt_conn_halted1);
- (void) tcp_maxpsz_set(tcp, B_TRUE);
- }
- }
-
- /* Use MDT if sendable amount is greater than the threshold */
- if (tcp->tcp_mdt &&
- (mdt_thres = mss << tcp_mdt_smss_threshold, usable > mdt_thres) &&
- (tail_unsent > mdt_thres || (xmit_tail->b_cont != NULL &&
- MBLKL(xmit_tail->b_cont) > mdt_thres)) &&
- (tcp->tcp_valid_bits == 0 ||
- tcp->tcp_valid_bits == TCP_FSS_VALID)) {
- ASSERT(tcp->tcp_connp->conn_mdt_ok);
- rc = tcp_multisend(q, tcp, mss, tcp_hdr_len, tcp_tcp_hdr_len,
- num_sack_blk, &usable, &snxt, &tail_unsent, &xmit_tail,
- local_time, mdt_thres);
- } else {
- rc = tcp_send(q, tcp, mss, tcp_hdr_len, tcp_tcp_hdr_len,
- num_sack_blk, &usable, &snxt, &tail_unsent, &xmit_tail,
- local_time, INT_MAX);
- }
+ /* Send the packet. */
+ rc = tcp_send(tcp, mss, total_hdr_len, tcp_hdr_len,
+ num_sack_blk, &usable, &snxt, &tail_unsent, &xmit_tail,
+ local_time);
/* Pretend that all we were trying to send really got sent */
if (rc < 0 && tail_unsent < 0) {
@@ -19131,39 +15734,41 @@ done:;
tcp->tcp_unsent += len;
mutex_enter(&tcp->tcp_non_sq_lock);
if (tcp->tcp_flow_stopped) {
- if (TCP_UNSENT_BYTES(tcp) <= tcp->tcp_xmit_lowater) {
+ if (TCP_UNSENT_BYTES(tcp) <= connp->conn_sndlowat) {
tcp_clrqfull(tcp);
}
- } else if (TCP_UNSENT_BYTES(tcp) >= tcp->tcp_xmit_hiwater) {
- tcp_setqfull(tcp);
+ } else if (TCP_UNSENT_BYTES(tcp) >= connp->conn_sndbuf) {
+ if (!(tcp->tcp_detached))
+ tcp_setqfull(tcp);
}
mutex_exit(&tcp->tcp_non_sq_lock);
}
/*
- * tcp_fill_header is called by tcp_send() and tcp_multisend() to fill the
- * outgoing TCP header with the template header, as well as other
- * options such as time-stamp, ECN and/or SACK.
+ * tcp_fill_header is called by tcp_send() to fill the outgoing TCP header
+ * with the template header, as well as other options such as time-stamp,
+ * ECN and/or SACK.
*/
static void
tcp_fill_header(tcp_t *tcp, uchar_t *rptr, clock_t now, int num_sack_blk)
{
- tcph_t *tcp_tmpl, *tcp_h;
+ tcpha_t *tcp_tmpl, *tcpha;
uint32_t *dst, *src;
int hdrlen;
+ conn_t *connp = tcp->tcp_connp;
ASSERT(OK_32PTR(rptr));
/* Template header */
- tcp_tmpl = tcp->tcp_tcph;
+ tcp_tmpl = tcp->tcp_tcpha;
/* Header of outgoing packet */
- tcp_h = (tcph_t *)(rptr + tcp->tcp_ip_hdr_len);
+ tcpha = (tcpha_t *)(rptr + connp->conn_ixa->ixa_ip_hdr_length);
/* dst and src are opaque 32-bit fields, used for copying */
dst = (uint32_t *)rptr;
- src = (uint32_t *)tcp->tcp_iphc;
- hdrlen = tcp->tcp_hdr_len;
+ src = (uint32_t *)connp->conn_ht_iphc;
+ hdrlen = connp->conn_ht_iphc_len;
/* Fill time-stamp option if needed */
if (tcp->tcp_snd_ts_ok) {
@@ -19172,7 +15777,7 @@ tcp_fill_header(tcp_t *tcp, uchar_t *rptr, clock_t now, int num_sack_blk)
U32_TO_BE32(tcp->tcp_ts_recent,
(char *)tcp_tmpl + TCP_MIN_HEADER_LENGTH + 8);
} else {
- ASSERT(tcp->tcp_tcp_hdr_len == TCP_MIN_HEADER_LENGTH);
+ ASSERT(connp->conn_ht_ulp_len == TCP_MIN_HEADER_LENGTH);
}
/*
@@ -19208,16 +15813,16 @@ tcp_fill_header(tcp_t *tcp, uchar_t *rptr, clock_t now, int num_sack_blk)
SET_ECT(tcp, rptr);
if (tcp->tcp_ecn_echo_on)
- tcp_h->th_flags[0] |= TH_ECE;
+ tcpha->tha_flags |= TH_ECE;
if (tcp->tcp_cwr && !tcp->tcp_ecn_cwr_sent) {
- tcp_h->th_flags[0] |= TH_CWR;
+ tcpha->tha_flags |= TH_CWR;
tcp->tcp_ecn_cwr_sent = B_TRUE;
}
}
/* Fill in SACK options */
if (num_sack_blk > 0) {
- uchar_t *wptr = rptr + tcp->tcp_hdr_len;
+ uchar_t *wptr = rptr + connp->conn_ht_iphc_len;
sack_blk_t *tmp;
int32_t i;
@@ -19235,1536 +15840,62 @@ tcp_fill_header(tcp_t *tcp, uchar_t *rptr, clock_t now, int num_sack_blk)
U32_TO_BE32(tmp[i].end, wptr);
wptr += sizeof (tcp_seq);
}
- tcp_h->th_offset_and_rsrvd[0] +=
+ tcpha->tha_offset_and_reserved +=
((num_sack_blk * 2 + 1) << 4);
}
}
/*
- * tcp_mdt_add_attrs() is called by tcp_multisend() in order to attach
- * the destination address and SAP attribute, and if necessary, the
- * hardware checksum offload attribute to a Multidata message.
- */
-static int
-tcp_mdt_add_attrs(multidata_t *mmd, const mblk_t *dlmp, const boolean_t hwcksum,
- const uint32_t start, const uint32_t stuff, const uint32_t end,
- const uint32_t flags, tcp_stack_t *tcps)
-{
- /* Add global destination address & SAP attribute */
- if (dlmp == NULL || !ip_md_addr_attr(mmd, NULL, dlmp)) {
- ip1dbg(("tcp_mdt_add_attrs: can't add global physical "
- "destination address+SAP\n"));
-
- if (dlmp != NULL)
- TCP_STAT(tcps, tcp_mdt_allocfail);
- return (-1);
- }
-
- /* Add global hwcksum attribute */
- if (hwcksum &&
- !ip_md_hcksum_attr(mmd, NULL, start, stuff, end, flags)) {
- ip1dbg(("tcp_mdt_add_attrs: can't add global hardware "
- "checksum attribute\n"));
-
- TCP_STAT(tcps, tcp_mdt_allocfail);
- return (-1);
- }
-
- return (0);
-}
-
-/*
- * Smaller and private version of pdescinfo_t used specifically for TCP,
- * which allows for only two payload spans per packet.
- */
-typedef struct tcp_pdescinfo_s PDESCINFO_STRUCT(2) tcp_pdescinfo_t;
-
-/*
- * tcp_multisend() is called by tcp_wput_data() for Multidata Transmit
- * scheme, and returns one the following:
+ * tcp_send() is called by tcp_wput_data() and returns one of the following:
*
* -1 = failed allocation.
* 0 = success; burst count reached, or usable send window is too small,
* and that we'd rather wait until later before sending again.
*/
static int
-tcp_multisend(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
- const int tcp_tcp_hdr_len, const int num_sack_blk, int *usable,
- uint_t *snxt, int *tail_unsent, mblk_t **xmit_tail, mblk_t *local_time,
- const int mdt_thres)
-{
- mblk_t *md_mp_head, *md_mp, *md_pbuf, *md_pbuf_nxt, *md_hbuf;
- multidata_t *mmd;
- uint_t obsegs, obbytes, hdr_frag_sz;
- uint_t cur_hdr_off, cur_pld_off, base_pld_off, first_snxt;
- int num_burst_seg, max_pld;
- pdesc_t *pkt;
- tcp_pdescinfo_t tcp_pkt_info;
- pdescinfo_t *pkt_info;
- int pbuf_idx, pbuf_idx_nxt;
- int seg_len, len, spill, af;
- boolean_t add_buffer, zcopy, clusterwide;
- boolean_t rconfirm = B_FALSE;
- boolean_t done = B_FALSE;
- uint32_t cksum;
- uint32_t hwcksum_flags;
- ire_t *ire = NULL;
- ill_t *ill;
- ipha_t *ipha;
- ip6_t *ip6h;
- ipaddr_t src, dst;
- ill_zerocopy_capab_t *zc_cap = NULL;
- uint16_t *up;
- int err;
- conn_t *connp;
- tcp_stack_t *tcps = tcp->tcp_tcps;
- ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
- int usable_mmd, tail_unsent_mmd;
- uint_t snxt_mmd, obsegs_mmd, obbytes_mmd;
- mblk_t *xmit_tail_mmd;
- netstackid_t stack_id;
-
-#ifdef _BIG_ENDIAN
-#define IPVER(ip6h) ((((uint32_t *)ip6h)[0] >> 28) & 0x7)
-#else
-#define IPVER(ip6h) ((((uint32_t *)ip6h)[0] >> 4) & 0x7)
-#endif
-
-#define PREP_NEW_MULTIDATA() { \
- mmd = NULL; \
- md_mp = md_hbuf = NULL; \
- cur_hdr_off = 0; \
- max_pld = tcp->tcp_mdt_max_pld; \
- pbuf_idx = pbuf_idx_nxt = -1; \
- add_buffer = B_TRUE; \
- zcopy = B_FALSE; \
-}
-
-#define PREP_NEW_PBUF() { \
- md_pbuf = md_pbuf_nxt = NULL; \
- pbuf_idx = pbuf_idx_nxt = -1; \
- cur_pld_off = 0; \
- first_snxt = *snxt; \
- ASSERT(*tail_unsent > 0); \
- base_pld_off = MBLKL(*xmit_tail) - *tail_unsent; \
-}
-
- ASSERT(mdt_thres >= mss);
- ASSERT(*usable > 0 && *usable > mdt_thres);
- ASSERT(tcp->tcp_state == TCPS_ESTABLISHED);
- ASSERT(!TCP_IS_DETACHED(tcp));
- ASSERT(tcp->tcp_valid_bits == 0 ||
- tcp->tcp_valid_bits == TCP_FSS_VALID);
- ASSERT((tcp->tcp_ipversion == IPV4_VERSION &&
- tcp->tcp_ip_hdr_len == IP_SIMPLE_HDR_LENGTH) ||
- (tcp->tcp_ipversion == IPV6_VERSION &&
- tcp->tcp_ip_hdr_len == IPV6_HDR_LEN));
-
- connp = tcp->tcp_connp;
- ASSERT(connp != NULL);
- ASSERT(CONN_IS_LSO_MD_FASTPATH(connp));
- ASSERT(!CONN_IPSEC_OUT_ENCAPSULATED(connp));
-
- stack_id = connp->conn_netstack->netstack_stackid;
-
- usable_mmd = tail_unsent_mmd = 0;
- snxt_mmd = obsegs_mmd = obbytes_mmd = 0;
- xmit_tail_mmd = NULL;
- /*
- * Note that tcp will only declare at most 2 payload spans per
- * packet, which is much lower than the maximum allowable number
- * of packet spans per Multidata. For this reason, we use the
- * privately declared and smaller descriptor info structure, in
- * order to save some stack space.
- */
- pkt_info = (pdescinfo_t *)&tcp_pkt_info;
-
- af = (tcp->tcp_ipversion == IPV4_VERSION) ? AF_INET : AF_INET6;
- if (af == AF_INET) {
- dst = tcp->tcp_ipha->ipha_dst;
- src = tcp->tcp_ipha->ipha_src;
- ASSERT(!CLASSD(dst));
- }
- ASSERT(af == AF_INET ||
- !IN6_IS_ADDR_MULTICAST(&tcp->tcp_ip6h->ip6_dst));
-
- obsegs = obbytes = 0;
- num_burst_seg = tcp->tcp_snd_burst;
- md_mp_head = NULL;
- PREP_NEW_MULTIDATA();
-
- /*
- * Before we go on further, make sure there is an IRE that we can
- * use, and that the ILL supports MDT. Otherwise, there's no point
- * in proceeding any further, and we should just hand everything
- * off to the legacy path.
- */
- if (!tcp_send_find_ire(tcp, (af == AF_INET) ? &dst : NULL, &ire))
- goto legacy_send_no_md;
-
- ASSERT(ire != NULL);
- ASSERT(af != AF_INET || ire->ire_ipversion == IPV4_VERSION);
- ASSERT(af == AF_INET || !IN6_IS_ADDR_V4MAPPED(&(ire->ire_addr_v6)));
- ASSERT(af == AF_INET || ire->ire_nce != NULL);
- ASSERT(!(ire->ire_type & IRE_BROADCAST));
- /*
- * If we do support loopback for MDT (which requires modifications
- * to the receiving paths), the following assertions should go away,
- * and we would be sending the Multidata to loopback conn later on.
- */
- ASSERT(!IRE_IS_LOCAL(ire));
- ASSERT(ire->ire_stq != NULL);
-
- ill = ire_to_ill(ire);
- ASSERT(ill != NULL);
- ASSERT(!ILL_MDT_CAPABLE(ill) || ill->ill_mdt_capab != NULL);
-
- if (!tcp->tcp_ire_ill_check_done) {
- tcp_ire_ill_check(tcp, ire, ill, B_TRUE);
- tcp->tcp_ire_ill_check_done = B_TRUE;
- }
-
- /*
- * If the underlying interface conditions have changed, or if the
- * new interface does not support MDT, go back to legacy path.
- */
- if (!ILL_MDT_USABLE(ill) || (ire->ire_flags & RTF_MULTIRT) != 0) {
- /* don't go through this path anymore for this connection */
- TCP_STAT(tcps, tcp_mdt_conn_halted2);
- tcp->tcp_mdt = B_FALSE;
- ip1dbg(("tcp_multisend: disabling MDT for connp %p on "
- "interface %s\n", (void *)connp, ill->ill_name));
- /* IRE will be released prior to returning */
- goto legacy_send_no_md;
- }
-
- if (ill->ill_capabilities & ILL_CAPAB_ZEROCOPY)
- zc_cap = ill->ill_zerocopy_capab;
-
- /*
- * Check if we can take tcp fast-path. Note that "incomplete"
- * ire's (where the link-layer for next hop is not resolved
- * or where the fast-path header in nce_fp_mp is not available
- * yet) are sent down the legacy (slow) path.
- * NOTE: We should fix ip_xmit_v4 to handle M_MULTIDATA
- */
- if (ire->ire_nce && ire->ire_nce->nce_state != ND_REACHABLE) {
- /* IRE will be released prior to returning */
- goto legacy_send_no_md;
- }
-
- /* go to legacy path if interface doesn't support zerocopy */
- if (tcp->tcp_snd_zcopy_aware && do_tcpzcopy != 2 &&
- (zc_cap == NULL || zc_cap->ill_zerocopy_flags == 0)) {
- /* IRE will be released prior to returning */
- goto legacy_send_no_md;
- }
-
- /* does the interface support hardware checksum offload? */
- hwcksum_flags = 0;
- if (ILL_HCKSUM_CAPABLE(ill) &&
- (ill->ill_hcksum_capab->ill_hcksum_txflags &
- (HCKSUM_INET_FULL_V4 | HCKSUM_INET_FULL_V6 | HCKSUM_INET_PARTIAL |
- HCKSUM_IPHDRCKSUM)) && dohwcksum) {
- if (ill->ill_hcksum_capab->ill_hcksum_txflags &
- HCKSUM_IPHDRCKSUM)
- hwcksum_flags = HCK_IPV4_HDRCKSUM;
-
- if (ill->ill_hcksum_capab->ill_hcksum_txflags &
- (HCKSUM_INET_FULL_V4 | HCKSUM_INET_FULL_V6))
- hwcksum_flags |= HCK_FULLCKSUM;
- else if (ill->ill_hcksum_capab->ill_hcksum_txflags &
- HCKSUM_INET_PARTIAL)
- hwcksum_flags |= HCK_PARTIALCKSUM;
- }
-
- /*
- * Each header fragment consists of the leading extra space,
- * followed by the TCP/IP header, and the trailing extra space.
- * We make sure that each header fragment begins on a 32-bit
- * aligned memory address (tcp_mdt_hdr_head is already 32-bit
- * aligned in tcp_mdt_update).
- */
- hdr_frag_sz = roundup((tcp->tcp_mdt_hdr_head + tcp_hdr_len +
- tcp->tcp_mdt_hdr_tail), 4);
-
- /* are we starting from the beginning of data block? */
- if (*tail_unsent == 0) {
- *xmit_tail = (*xmit_tail)->b_cont;
- ASSERT((uintptr_t)MBLKL(*xmit_tail) <= (uintptr_t)INT_MAX);
- *tail_unsent = (int)MBLKL(*xmit_tail);
- }
-
- /*
- * Here we create one or more Multidata messages, each made up of
- * one header buffer and up to N payload buffers. This entire
- * operation is done within two loops:
- *
- * The outer loop mostly deals with creating the Multidata message,
- * as well as the header buffer that gets added to it. It also
- * links the Multidata messages together such that all of them can
- * be sent down to the lower layer in a single putnext call; this
- * linking behavior depends on the tcp_mdt_chain tunable.
- *
- * The inner loop takes an existing Multidata message, and adds
- * one or more (up to tcp_mdt_max_pld) payload buffers to it. It
- * packetizes those buffers by filling up the corresponding header
- * buffer fragments with the proper IP and TCP headers, and by
- * describing the layout of each packet in the packet descriptors
- * that get added to the Multidata.
- */
- do {
- /*
- * If usable send window is too small, or data blocks in
- * transmit list are smaller than our threshold (i.e. app
- * performs large writes followed by small ones), we hand
- * off the control over to the legacy path. Note that we'll
- * get back the control once it encounters a large block.
- */
- if (*usable < mss || (*tail_unsent <= mdt_thres &&
- (*xmit_tail)->b_cont != NULL &&
- MBLKL((*xmit_tail)->b_cont) <= mdt_thres)) {
- /* send down what we've got so far */
- if (md_mp_head != NULL) {
- tcp_multisend_data(tcp, ire, ill, md_mp_head,
- obsegs, obbytes, &rconfirm);
- }
- /*
- * Pass control over to tcp_send(), but tell it to
- * return to us once a large-size transmission is
- * possible.
- */
- TCP_STAT(tcps, tcp_mdt_legacy_small);
- if ((err = tcp_send(q, tcp, mss, tcp_hdr_len,
- tcp_tcp_hdr_len, num_sack_blk, usable, snxt,
- tail_unsent, xmit_tail, local_time,
- mdt_thres)) <= 0) {
- /* burst count reached, or alloc failed */
- IRE_REFRELE(ire);
- return (err);
- }
-
- /* tcp_send() may have sent everything, so check */
- if (*usable <= 0) {
- IRE_REFRELE(ire);
- return (0);
- }
-
- TCP_STAT(tcps, tcp_mdt_legacy_ret);
- /*
- * We may have delivered the Multidata, so make sure
- * to re-initialize before the next round.
- */
- md_mp_head = NULL;
- obsegs = obbytes = 0;
- num_burst_seg = tcp->tcp_snd_burst;
- PREP_NEW_MULTIDATA();
-
- /* are we starting from the beginning of data block? */
- if (*tail_unsent == 0) {
- *xmit_tail = (*xmit_tail)->b_cont;
- ASSERT((uintptr_t)MBLKL(*xmit_tail) <=
- (uintptr_t)INT_MAX);
- *tail_unsent = (int)MBLKL(*xmit_tail);
- }
- }
- /*
- * Record current values for parameters we may need to pass
- * to tcp_send() or tcp_multisend_data(). We checkpoint at
- * each iteration of the outer loop (each multidata message
- * creation). If we have a failure in the inner loop, we send
- * any complete multidata messages we have before reverting
- * to using the traditional non-md path.
- */
- snxt_mmd = *snxt;
- usable_mmd = *usable;
- xmit_tail_mmd = *xmit_tail;
- tail_unsent_mmd = *tail_unsent;
- obsegs_mmd = obsegs;
- obbytes_mmd = obbytes;
-
- /*
- * max_pld limits the number of mblks in tcp's transmit
- * queue that can be added to a Multidata message. Once
- * this counter reaches zero, no more additional mblks
- * can be added to it. What happens afterwards depends
- * on whether or not we are set to chain the Multidata
- * messages. If we are to link them together, reset
- * max_pld to its original value (tcp_mdt_max_pld) and
- * prepare to create a new Multidata message which will
- * get linked to md_mp_head. Else, leave it alone and
- * let the inner loop break on its own.
- */
- if (tcp_mdt_chain && max_pld == 0)
- PREP_NEW_MULTIDATA();
-
- /* adding a payload buffer; re-initialize values */
- if (add_buffer)
- PREP_NEW_PBUF();
-
- /*
- * If we don't have a Multidata, either because we just
- * (re)entered this outer loop, or after we branched off
- * to tcp_send above, setup the Multidata and header
- * buffer to be used.
- */
- if (md_mp == NULL) {
- int md_hbuflen;
- uint32_t start, stuff;
-
- /*
- * Calculate Multidata header buffer size large enough
- * to hold all of the headers that can possibly be
- * sent at this moment. We'd rather over-estimate
- * the size than running out of space; this is okay
- * since this buffer is small anyway.
- */
- md_hbuflen = (howmany(*usable, mss) + 1) * hdr_frag_sz;
-
- /*
- * Start and stuff offset for partial hardware
- * checksum offload; these are currently for IPv4.
- * For full checksum offload, they are set to zero.
- */
- if ((hwcksum_flags & HCK_PARTIALCKSUM)) {
- if (af == AF_INET) {
- start = IP_SIMPLE_HDR_LENGTH;
- stuff = IP_SIMPLE_HDR_LENGTH +
- TCP_CHECKSUM_OFFSET;
- } else {
- start = IPV6_HDR_LEN;
- stuff = IPV6_HDR_LEN +
- TCP_CHECKSUM_OFFSET;
- }
- } else {
- start = stuff = 0;
- }
-
- /*
- * Create the header buffer, Multidata, as well as
- * any necessary attributes (destination address,
- * SAP and hardware checksum offload) that should
- * be associated with the Multidata message.
- */
- ASSERT(cur_hdr_off == 0);
- if ((md_hbuf = allocb(md_hbuflen, BPRI_HI)) == NULL ||
- ((md_hbuf->b_wptr += md_hbuflen),
- (mmd = mmd_alloc(md_hbuf, &md_mp,
- KM_NOSLEEP)) == NULL) || (tcp_mdt_add_attrs(mmd,
- /* fastpath mblk */
- ire->ire_nce->nce_res_mp,
- /* hardware checksum enabled */
- (hwcksum_flags & (HCK_FULLCKSUM|HCK_PARTIALCKSUM)),
- /* hardware checksum offsets */
- start, stuff, 0,
- /* hardware checksum flag */
- hwcksum_flags, tcps) != 0)) {
-legacy_send:
- /*
- * We arrive here from a failure within the
- * inner (packetizer) loop or we fail one of
- * the conditionals above. We restore the
- * previously checkpointed values for:
- * xmit_tail
- * usable
- * tail_unsent
- * snxt
- * obbytes
- * obsegs
- * We should then be able to dispatch any
- * complete multidata before reverting to the
- * traditional path with consistent parameters
- * (the inner loop updates these as it
- * iterates).
- */
- *xmit_tail = xmit_tail_mmd;
- *usable = usable_mmd;
- *tail_unsent = tail_unsent_mmd;
- *snxt = snxt_mmd;
- obbytes = obbytes_mmd;
- obsegs = obsegs_mmd;
- if (md_mp != NULL) {
- /* Unlink message from the chain */
- if (md_mp_head != NULL) {
- err = (intptr_t)rmvb(md_mp_head,
- md_mp);
- /*
- * We can't assert that rmvb
- * did not return -1, since we
- * may get here before linkb
- * happens. We do, however,
- * check if we just removed the
- * only element in the list.
- */
- if (err == 0)
- md_mp_head = NULL;
- }
- /* md_hbuf gets freed automatically */
- TCP_STAT(tcps, tcp_mdt_discarded);
- freeb(md_mp);
- } else {
- /* Either allocb or mmd_alloc failed */
- TCP_STAT(tcps, tcp_mdt_allocfail);
- if (md_hbuf != NULL)
- freeb(md_hbuf);
- }
-
- /* send down what we've got so far */
- if (md_mp_head != NULL) {
- tcp_multisend_data(tcp, ire, ill,
- md_mp_head, obsegs, obbytes,
- &rconfirm);
- }
-legacy_send_no_md:
- if (ire != NULL)
- IRE_REFRELE(ire);
- /*
- * Too bad; let the legacy path handle this.
- * We specify INT_MAX for the threshold, since
- * we gave up with the Multidata processings
- * and let the old path have it all.
- */
- TCP_STAT(tcps, tcp_mdt_legacy_all);
- return (tcp_send(q, tcp, mss, tcp_hdr_len,
- tcp_tcp_hdr_len, num_sack_blk, usable,
- snxt, tail_unsent, xmit_tail, local_time,
- INT_MAX));
- }
-
- /* link to any existing ones, if applicable */
- TCP_STAT(tcps, tcp_mdt_allocd);
- if (md_mp_head == NULL) {
- md_mp_head = md_mp;
- } else if (tcp_mdt_chain) {
- TCP_STAT(tcps, tcp_mdt_linked);
- linkb(md_mp_head, md_mp);
- }
- }
-
- ASSERT(md_mp_head != NULL);
- ASSERT(tcp_mdt_chain || md_mp_head->b_cont == NULL);
- ASSERT(md_mp != NULL && mmd != NULL);
- ASSERT(md_hbuf != NULL);
-
- /*
- * Packetize the transmittable portion of the data block;
- * each data block is essentially added to the Multidata
- * as a payload buffer. We also deal with adding more
- * than one payload buffers, which happens when the remaining
- * packetized portion of the current payload buffer is less
- * than MSS, while the next data block in transmit queue
- * has enough data to make up for one. This "spillover"
- * case essentially creates a split-packet, where portions
- * of the packet's payload fragments may span across two
- * virtually discontiguous address blocks.
- */
- seg_len = mss;
- do {
- len = seg_len;
-
- /* one must remain NULL for DTRACE_IP_FASTPATH */
- ipha = NULL;
- ip6h = NULL;
-
- ASSERT(len > 0);
- ASSERT(max_pld >= 0);
- ASSERT(!add_buffer || cur_pld_off == 0);
-
- /*
- * First time around for this payload buffer; note
- * in the case of a spillover, the following has
- * been done prior to adding the split-packet
- * descriptor to Multidata, and we don't want to
- * repeat the process.
- */
- if (add_buffer) {
- ASSERT(mmd != NULL);
- ASSERT(md_pbuf == NULL);
- ASSERT(md_pbuf_nxt == NULL);
- ASSERT(pbuf_idx == -1 && pbuf_idx_nxt == -1);
-
- /*
- * Have we reached the limit? We'd get to
- * this case when we're not chaining the
- * Multidata messages together, and since
- * we're done, terminate this loop.
- */
- if (max_pld == 0)
- break; /* done */
-
- if ((md_pbuf = dupb(*xmit_tail)) == NULL) {
- TCP_STAT(tcps, tcp_mdt_allocfail);
- goto legacy_send; /* out_of_mem */
- }
-
- if (IS_VMLOANED_MBLK(md_pbuf) && !zcopy &&
- zc_cap != NULL) {
- if (!ip_md_zcopy_attr(mmd, NULL,
- zc_cap->ill_zerocopy_flags)) {
- freeb(md_pbuf);
- TCP_STAT(tcps,
- tcp_mdt_allocfail);
- /* out_of_mem */
- goto legacy_send;
- }
- zcopy = B_TRUE;
- }
-
- md_pbuf->b_rptr += base_pld_off;
-
- /*
- * Add a payload buffer to the Multidata; this
- * operation must not fail, or otherwise our
- * logic in this routine is broken. There
- * is no memory allocation done by the
- * routine, so any returned failure simply
- * tells us that we've done something wrong.
- *
- * A failure tells us that either we're adding
- * the same payload buffer more than once, or
- * we're trying to add more buffers than
- * allowed (max_pld calculation is wrong).
- * None of the above cases should happen, and
- * we panic because either there's horrible
- * heap corruption, and/or programming mistake.
- */
- pbuf_idx = mmd_addpldbuf(mmd, md_pbuf);
- if (pbuf_idx < 0) {
- cmn_err(CE_PANIC, "tcp_multisend: "
- "payload buffer logic error "
- "detected for tcp %p mmd %p "
- "pbuf %p (%d)\n",
- (void *)tcp, (void *)mmd,
- (void *)md_pbuf, pbuf_idx);
- }
-
- ASSERT(max_pld > 0);
- --max_pld;
- add_buffer = B_FALSE;
- }
-
- ASSERT(md_mp_head != NULL);
- ASSERT(md_pbuf != NULL);
- ASSERT(md_pbuf_nxt == NULL);
- ASSERT(pbuf_idx != -1);
- ASSERT(pbuf_idx_nxt == -1);
- ASSERT(*usable > 0);
-
- /*
- * We spillover to the next payload buffer only
- * if all of the following is true:
- *
- * 1. There is not enough data on the current
- * payload buffer to make up `len',
- * 2. We are allowed to send `len',
- * 3. The next payload buffer length is large
- * enough to accomodate `spill'.
- */
- if ((spill = len - *tail_unsent) > 0 &&
- *usable >= len &&
- MBLKL((*xmit_tail)->b_cont) >= spill &&
- max_pld > 0) {
- md_pbuf_nxt = dupb((*xmit_tail)->b_cont);
- if (md_pbuf_nxt == NULL) {
- TCP_STAT(tcps, tcp_mdt_allocfail);
- goto legacy_send; /* out_of_mem */
- }
-
- if (IS_VMLOANED_MBLK(md_pbuf_nxt) && !zcopy &&
- zc_cap != NULL) {
- if (!ip_md_zcopy_attr(mmd, NULL,
- zc_cap->ill_zerocopy_flags)) {
- freeb(md_pbuf_nxt);
- TCP_STAT(tcps,
- tcp_mdt_allocfail);
- /* out_of_mem */
- goto legacy_send;
- }
- zcopy = B_TRUE;
- }
-
- /*
- * See comments above on the first call to
- * mmd_addpldbuf for explanation on the panic.
- */
- pbuf_idx_nxt = mmd_addpldbuf(mmd, md_pbuf_nxt);
- if (pbuf_idx_nxt < 0) {
- panic("tcp_multisend: "
- "next payload buffer logic error "
- "detected for tcp %p mmd %p "
- "pbuf %p (%d)\n",
- (void *)tcp, (void *)mmd,
- (void *)md_pbuf_nxt, pbuf_idx_nxt);
- }
-
- ASSERT(max_pld > 0);
- --max_pld;
- } else if (spill > 0) {
- /*
- * If there's a spillover, but the following
- * xmit_tail couldn't give us enough octets
- * to reach "len", then stop the current
- * Multidata creation and let the legacy
- * tcp_send() path take over. We don't want
- * to send the tiny segment as part of this
- * Multidata for performance reasons; instead,
- * we let the legacy path deal with grouping
- * it with the subsequent small mblks.
- */
- if (*usable >= len &&
- MBLKL((*xmit_tail)->b_cont) < spill) {
- max_pld = 0;
- break; /* done */
- }
-
- /*
- * We can't spillover, and we are near
- * the end of the current payload buffer,
- * so send what's left.
- */
- ASSERT(*tail_unsent > 0);
- len = *tail_unsent;
- }
-
- /* tail_unsent is negated if there is a spillover */
- *tail_unsent -= len;
- *usable -= len;
- ASSERT(*usable >= 0);
-
- if (*usable < mss)
- seg_len = *usable;
- /*
- * Sender SWS avoidance; see comments in tcp_send();
- * everything else is the same, except that we only
- * do this here if there is no more data to be sent
- * following the current xmit_tail. We don't check
- * for 1-byte urgent data because we shouldn't get
- * here if TCP_URG_VALID is set.
- */
- if (*usable > 0 && *usable < mss &&
- ((md_pbuf_nxt == NULL &&
- (*xmit_tail)->b_cont == NULL) ||
- (md_pbuf_nxt != NULL &&
- (*xmit_tail)->b_cont->b_cont == NULL)) &&
- seg_len < (tcp->tcp_max_swnd >> 1) &&
- (tcp->tcp_unsent -
- ((*snxt + len) - tcp->tcp_snxt)) > seg_len &&
- !tcp->tcp_zero_win_probe) {
- if ((*snxt + len) == tcp->tcp_snxt &&
- (*snxt + len) == tcp->tcp_suna) {
- TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
- }
- done = B_TRUE;
- }
-
- /*
- * Prime pump for IP's checksumming on our behalf;
- * include the adjustment for a source route if any.
- * Do this only for software/partial hardware checksum
- * offload, as this field gets zeroed out later for
- * the full hardware checksum offload case.
- */
- if (!(hwcksum_flags & HCK_FULLCKSUM)) {
- cksum = len + tcp_tcp_hdr_len + tcp->tcp_sum;
- cksum = (cksum >> 16) + (cksum & 0xFFFF);
- U16_TO_ABE16(cksum, tcp->tcp_tcph->th_sum);
- }
-
- U32_TO_ABE32(*snxt, tcp->tcp_tcph->th_seq);
- *snxt += len;
-
- tcp->tcp_tcph->th_flags[0] = TH_ACK;
- /*
- * We set the PUSH bit only if TCP has no more buffered
- * data to be transmitted (or if sender SWS avoidance
- * takes place), as opposed to setting it for every
- * last packet in the burst.
- */
- if (done ||
- (tcp->tcp_unsent - (*snxt - tcp->tcp_snxt)) == 0)
- tcp->tcp_tcph->th_flags[0] |= TH_PUSH;
-
- /*
- * Set FIN bit if this is our last segment; snxt
- * already includes its length, and it will not
- * be adjusted after this point.
- */
- if (tcp->tcp_valid_bits == TCP_FSS_VALID &&
- *snxt == tcp->tcp_fss) {
- if (!tcp->tcp_fin_acked) {
- tcp->tcp_tcph->th_flags[0] |= TH_FIN;
- BUMP_MIB(&tcps->tcps_mib,
- tcpOutControl);
- }
- if (!tcp->tcp_fin_sent) {
- tcp->tcp_fin_sent = B_TRUE;
- /*
- * tcp state must be ESTABLISHED
- * in order for us to get here in
- * the first place.
- */
- tcp->tcp_state = TCPS_FIN_WAIT_1;
-
- /*
- * Upon returning from this routine,
- * tcp_wput_data() will set tcp_snxt
- * to be equal to snxt + tcp_fin_sent.
- * This is essentially the same as
- * setting it to tcp_fss + 1.
- */
- }
- }
-
- tcp->tcp_last_sent_len = (ushort_t)len;
-
- len += tcp_hdr_len;
- if (tcp->tcp_ipversion == IPV4_VERSION)
- tcp->tcp_ipha->ipha_length = htons(len);
- else
- tcp->tcp_ip6h->ip6_plen = htons(len -
- ((char *)&tcp->tcp_ip6h[1] -
- tcp->tcp_iphc));
-
- pkt_info->flags = (PDESC_HBUF_REF | PDESC_PBUF_REF);
-
- /* setup header fragment */
- PDESC_HDR_ADD(pkt_info,
- md_hbuf->b_rptr + cur_hdr_off, /* base */
- tcp->tcp_mdt_hdr_head, /* head room */
- tcp_hdr_len, /* len */
- tcp->tcp_mdt_hdr_tail); /* tail room */
-
- ASSERT(pkt_info->hdr_lim - pkt_info->hdr_base ==
- hdr_frag_sz);
- ASSERT(MBLKIN(md_hbuf,
- (pkt_info->hdr_base - md_hbuf->b_rptr),
- PDESC_HDRSIZE(pkt_info)));
-
- /* setup first payload fragment */
- PDESC_PLD_INIT(pkt_info);
- PDESC_PLD_SPAN_ADD(pkt_info,
- pbuf_idx, /* index */
- md_pbuf->b_rptr + cur_pld_off, /* start */
- tcp->tcp_last_sent_len); /* len */
-
- /* create a split-packet in case of a spillover */
- if (md_pbuf_nxt != NULL) {
- ASSERT(spill > 0);
- ASSERT(pbuf_idx_nxt > pbuf_idx);
- ASSERT(!add_buffer);
-
- md_pbuf = md_pbuf_nxt;
- md_pbuf_nxt = NULL;
- pbuf_idx = pbuf_idx_nxt;
- pbuf_idx_nxt = -1;
- cur_pld_off = spill;
-
- /* trim out first payload fragment */
- PDESC_PLD_SPAN_TRIM(pkt_info, 0, spill);
-
- /* setup second payload fragment */
- PDESC_PLD_SPAN_ADD(pkt_info,
- pbuf_idx, /* index */
- md_pbuf->b_rptr, /* start */
- spill); /* len */
-
- if ((*xmit_tail)->b_next == NULL) {
- /*
- * Store the lbolt used for RTT
- * estimation. We can only record one
- * timestamp per mblk so we do it when
- * we reach the end of the payload
- * buffer. Also we only take a new
- * timestamp sample when the previous
- * timed data from the same mblk has
- * been ack'ed.
- */
- (*xmit_tail)->b_prev = local_time;
- (*xmit_tail)->b_next =
- (mblk_t *)(uintptr_t)first_snxt;
- }
-
- first_snxt = *snxt - spill;
-
- /*
- * Advance xmit_tail; usable could be 0 by
- * the time we got here, but we made sure
- * above that we would only spillover to
- * the next data block if usable includes
- * the spilled-over amount prior to the
- * subtraction. Therefore, we are sure
- * that xmit_tail->b_cont can't be NULL.
- */
- ASSERT((*xmit_tail)->b_cont != NULL);
- *xmit_tail = (*xmit_tail)->b_cont;
- ASSERT((uintptr_t)MBLKL(*xmit_tail) <=
- (uintptr_t)INT_MAX);
- *tail_unsent = (int)MBLKL(*xmit_tail) - spill;
- } else {
- cur_pld_off += tcp->tcp_last_sent_len;
- }
-
- /*
- * Fill in the header using the template header, and
- * add options such as time-stamp, ECN and/or SACK,
- * as needed.
- */
- tcp_fill_header(tcp, pkt_info->hdr_rptr,
- (clock_t)local_time, num_sack_blk);
-
- /* take care of some IP header businesses */
- if (af == AF_INET) {
- ipha = (ipha_t *)pkt_info->hdr_rptr;
-
- ASSERT(OK_32PTR((uchar_t *)ipha));
- ASSERT(PDESC_HDRL(pkt_info) >=
- IP_SIMPLE_HDR_LENGTH);
- ASSERT(ipha->ipha_version_and_hdr_length ==
- IP_SIMPLE_HDR_VERSION);
-
- /*
- * Assign ident value for current packet; see
- * related comments in ip_wput_ire() about the
- * contract private interface with clustering
- * group.
- */
- clusterwide = B_FALSE;
- if (cl_inet_ipident != NULL) {
- ASSERT(cl_inet_isclusterwide != NULL);
- if ((*cl_inet_isclusterwide)(stack_id,
- IPPROTO_IP, AF_INET,
- (uint8_t *)(uintptr_t)src, NULL)) {
- ipha->ipha_ident =
- (*cl_inet_ipident)(stack_id,
- IPPROTO_IP, AF_INET,
- (uint8_t *)(uintptr_t)src,
- (uint8_t *)(uintptr_t)dst,
- NULL);
- clusterwide = B_TRUE;
- }
- }
-
- if (!clusterwide) {
- ipha->ipha_ident = (uint16_t)
- atomic_add_32_nv(
- &ire->ire_ident, 1);
- }
-#ifndef _BIG_ENDIAN
- ipha->ipha_ident = (ipha->ipha_ident << 8) |
- (ipha->ipha_ident >> 8);
-#endif
- } else {
- ip6h = (ip6_t *)pkt_info->hdr_rptr;
-
- ASSERT(OK_32PTR((uchar_t *)ip6h));
- ASSERT(IPVER(ip6h) == IPV6_VERSION);
- ASSERT(ip6h->ip6_nxt == IPPROTO_TCP);
- ASSERT(PDESC_HDRL(pkt_info) >=
- (IPV6_HDR_LEN + TCP_CHECKSUM_OFFSET +
- TCP_CHECKSUM_SIZE));
- ASSERT(tcp->tcp_ipversion == IPV6_VERSION);
-
- if (tcp->tcp_ip_forward_progress) {
- rconfirm = B_TRUE;
- tcp->tcp_ip_forward_progress = B_FALSE;
- }
- }
-
- /* at least one payload span, and at most two */
- ASSERT(pkt_info->pld_cnt > 0 && pkt_info->pld_cnt < 3);
-
- /* add the packet descriptor to Multidata */
- if ((pkt = mmd_addpdesc(mmd, pkt_info, &err,
- KM_NOSLEEP)) == NULL) {
- /*
- * Any failure other than ENOMEM indicates
- * that we have passed in invalid pkt_info
- * or parameters to mmd_addpdesc, which must
- * not happen.
- *
- * EINVAL is a result of failure on boundary
- * checks against the pkt_info contents. It
- * should not happen, and we panic because
- * either there's horrible heap corruption,
- * and/or programming mistake.
- */
- if (err != ENOMEM) {
- cmn_err(CE_PANIC, "tcp_multisend: "
- "pdesc logic error detected for "
- "tcp %p mmd %p pinfo %p (%d)\n",
- (void *)tcp, (void *)mmd,
- (void *)pkt_info, err);
- }
- TCP_STAT(tcps, tcp_mdt_addpdescfail);
- goto legacy_send; /* out_of_mem */
- }
- ASSERT(pkt != NULL);
-
- /* calculate IP header and TCP checksums */
- if (af == AF_INET) {
- /* calculate pseudo-header checksum */
- cksum = (dst >> 16) + (dst & 0xFFFF) +
- (src >> 16) + (src & 0xFFFF);
-
- /* offset for TCP header checksum */
- up = IPH_TCPH_CHECKSUMP(ipha,
- IP_SIMPLE_HDR_LENGTH);
- } else {
- up = (uint16_t *)&ip6h->ip6_src;
-
- /* calculate pseudo-header checksum */
- cksum = up[0] + up[1] + up[2] + up[3] +
- up[4] + up[5] + up[6] + up[7] +
- up[8] + up[9] + up[10] + up[11] +
- up[12] + up[13] + up[14] + up[15];
-
- /* Fold the initial sum */
- cksum = (cksum & 0xffff) + (cksum >> 16);
-
- up = (uint16_t *)(((uchar_t *)ip6h) +
- IPV6_HDR_LEN + TCP_CHECKSUM_OFFSET);
- }
-
- if (hwcksum_flags & HCK_FULLCKSUM) {
- /* clear checksum field for hardware */
- *up = 0;
- } else if (hwcksum_flags & HCK_PARTIALCKSUM) {
- uint32_t sum;
-
- /* pseudo-header checksumming */
- sum = *up + cksum + IP_TCP_CSUM_COMP;
- sum = (sum & 0xFFFF) + (sum >> 16);
- *up = (sum & 0xFFFF) + (sum >> 16);
- } else {
- /* software checksumming */
- TCP_STAT(tcps, tcp_out_sw_cksum);
- TCP_STAT_UPDATE(tcps, tcp_out_sw_cksum_bytes,
- tcp->tcp_hdr_len + tcp->tcp_last_sent_len);
- *up = IP_MD_CSUM(pkt, tcp->tcp_ip_hdr_len,
- cksum + IP_TCP_CSUM_COMP);
- if (*up == 0)
- *up = 0xFFFF;
- }
-
- /* IPv4 header checksum */
- if (af == AF_INET) {
- if (hwcksum_flags & HCK_IPV4_HDRCKSUM) {
- ipha->ipha_hdr_checksum = 0;
- } else {
- IP_HDR_CKSUM(ipha, cksum,
- ((uint32_t *)ipha)[0],
- ((uint16_t *)ipha)[4]);
- }
- }
-
- if (af == AF_INET &&
- HOOKS4_INTERESTED_PHYSICAL_OUT(ipst) ||
- af == AF_INET6 &&
- HOOKS6_INTERESTED_PHYSICAL_OUT(ipst)) {
- mblk_t *mp, *mp1;
- uchar_t *hdr_rptr, *hdr_wptr;
- uchar_t *pld_rptr, *pld_wptr;
-
- /*
- * We reconstruct a pseudo packet for the hooks
- * framework using mmd_transform_link().
- * If it is a split packet we pullup the
- * payload. FW_HOOKS expects a pkt comprising
- * of two mblks: a header and the payload.
- */
- if ((mp = mmd_transform_link(pkt)) == NULL) {
- TCP_STAT(tcps, tcp_mdt_allocfail);
- goto legacy_send;
- }
-
- if (pkt_info->pld_cnt > 1) {
- /* split payload, more than one pld */
- if ((mp1 = msgpullup(mp->b_cont, -1)) ==
- NULL) {
- freemsg(mp);
- TCP_STAT(tcps,
- tcp_mdt_allocfail);
- goto legacy_send;
- }
- freemsg(mp->b_cont);
- mp->b_cont = mp1;
- } else {
- mp1 = mp->b_cont;
- }
- ASSERT(mp1 != NULL && mp1->b_cont == NULL);
-
- /*
- * Remember the message offsets. This is so we
- * can detect changes when we return from the
- * FW_HOOKS callbacks.
- */
- hdr_rptr = mp->b_rptr;
- hdr_wptr = mp->b_wptr;
- pld_rptr = mp->b_cont->b_rptr;
- pld_wptr = mp->b_cont->b_wptr;
-
- if (af == AF_INET) {
- DTRACE_PROBE4(
- ip4__physical__out__start,
- ill_t *, NULL,
- ill_t *, ill,
- ipha_t *, ipha,
- mblk_t *, mp);
- FW_HOOKS(
- ipst->ips_ip4_physical_out_event,
- ipst->ips_ipv4firewall_physical_out,
- NULL, ill, ipha, mp, mp, 0, ipst);
- DTRACE_PROBE1(
- ip4__physical__out__end,
- mblk_t *, mp);
- } else {
- DTRACE_PROBE4(
- ip6__physical__out_start,
- ill_t *, NULL,
- ill_t *, ill,
- ip6_t *, ip6h,
- mblk_t *, mp);
- FW_HOOKS6(
- ipst->ips_ip6_physical_out_event,
- ipst->ips_ipv6firewall_physical_out,
- NULL, ill, ip6h, mp, mp, 0, ipst);
- DTRACE_PROBE1(
- ip6__physical__out__end,
- mblk_t *, mp);
- }
-
- if (mp == NULL ||
- (mp1 = mp->b_cont) == NULL ||
- mp->b_rptr != hdr_rptr ||
- mp->b_wptr != hdr_wptr ||
- mp1->b_rptr != pld_rptr ||
- mp1->b_wptr != pld_wptr ||
- mp1->b_cont != NULL) {
- /*
- * We abandon multidata processing and
- * return to the normal path, either
- * when a packet is blocked, or when
- * the boundaries of header buffer or
- * payload buffer have been changed by
- * FW_HOOKS[6].
- */
- if (mp != NULL)
- freemsg(mp);
- goto legacy_send;
- }
- /* Finished with the pseudo packet */
- freemsg(mp);
- }
- DTRACE_IP_FASTPATH(md_hbuf, pkt_info->hdr_rptr,
- ill, ipha, ip6h);
- /* advance header offset */
- cur_hdr_off += hdr_frag_sz;
-
- obbytes += tcp->tcp_last_sent_len;
- ++obsegs;
- } while (!done && *usable > 0 && --num_burst_seg > 0 &&
- *tail_unsent > 0);
-
- if ((*xmit_tail)->b_next == NULL) {
- /*
- * Store the lbolt used for RTT estimation. We can only
- * record one timestamp per mblk so we do it when we
- * reach the end of the payload buffer. Also we only
- * take a new timestamp sample when the previous timed
- * data from the same mblk has been ack'ed.
- */
- (*xmit_tail)->b_prev = local_time;
- (*xmit_tail)->b_next = (mblk_t *)(uintptr_t)first_snxt;
- }
-
- ASSERT(*tail_unsent >= 0);
- if (*tail_unsent > 0) {
- /*
- * We got here because we broke out of the above
- * loop due to of one of the following cases:
- *
- * 1. len < adjusted MSS (i.e. small),
- * 2. Sender SWS avoidance,
- * 3. max_pld is zero.
- *
- * We are done for this Multidata, so trim our
- * last payload buffer (if any) accordingly.
- */
- if (md_pbuf != NULL)
- md_pbuf->b_wptr -= *tail_unsent;
- } else if (*usable > 0) {
- *xmit_tail = (*xmit_tail)->b_cont;
- ASSERT((uintptr_t)MBLKL(*xmit_tail) <=
- (uintptr_t)INT_MAX);
- *tail_unsent = (int)MBLKL(*xmit_tail);
- add_buffer = B_TRUE;
- }
- } while (!done && *usable > 0 && num_burst_seg > 0 &&
- (tcp_mdt_chain || max_pld > 0));
-
- if (md_mp_head != NULL) {
- /* send everything down */
- tcp_multisend_data(tcp, ire, ill, md_mp_head, obsegs, obbytes,
- &rconfirm);
- }
-
-#undef PREP_NEW_MULTIDATA
-#undef PREP_NEW_PBUF
-#undef IPVER
-
- IRE_REFRELE(ire);
- return (0);
-}
-
-/*
- * A wrapper function for sending one or more Multidata messages down to
- * the module below ip; this routine does not release the reference of the
- * IRE (caller does that). This routine is analogous to tcp_send_data().
- */
-static void
-tcp_multisend_data(tcp_t *tcp, ire_t *ire, const ill_t *ill, mblk_t *md_mp_head,
- const uint_t obsegs, const uint_t obbytes, boolean_t *rconfirm)
+tcp_send(tcp_t *tcp, const int mss, const int total_hdr_len,
+ const int tcp_hdr_len, const int num_sack_blk, int *usable,
+ uint_t *snxt, int *tail_unsent, mblk_t **xmit_tail, mblk_t *local_time)
{
- uint64_t delta;
- nce_t *nce;
- tcp_stack_t *tcps = tcp->tcp_tcps;
- ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
-
- ASSERT(ire != NULL && ill != NULL);
- ASSERT(ire->ire_stq != NULL);
- ASSERT(md_mp_head != NULL);
- ASSERT(rconfirm != NULL);
-
- /* adjust MIBs and IRE timestamp */
- DTRACE_PROBE2(tcp__trace__send, mblk_t *, md_mp_head, tcp_t *, tcp);
- tcp->tcp_obsegs += obsegs;
- UPDATE_MIB(&tcps->tcps_mib, tcpOutDataSegs, obsegs);
- UPDATE_MIB(&tcps->tcps_mib, tcpOutDataBytes, obbytes);
- TCP_STAT_UPDATE(tcps, tcp_mdt_pkt_out, obsegs);
-
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- TCP_STAT_UPDATE(tcps, tcp_mdt_pkt_out_v4, obsegs);
- } else {
- TCP_STAT_UPDATE(tcps, tcp_mdt_pkt_out_v6, obsegs);
- }
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests, obsegs);
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutTransmits, obsegs);
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutOctets, obbytes);
-
- ire->ire_ob_pkt_count += obsegs;
- if (ire->ire_ipif != NULL)
- atomic_add_32(&ire->ire_ipif->ipif_ob_pkt_count, obsegs);
- ire->ire_last_used_time = lbolt;
-
- if ((tcp->tcp_ipversion == IPV4_VERSION &&
- ipst->ips_ip4_observe.he_interested) ||
- (tcp->tcp_ipversion == IPV6_VERSION &&
- ipst->ips_ip6_observe.he_interested)) {
- multidata_t *dlmdp = mmd_getmultidata(md_mp_head);
- pdesc_t *dl_pkt;
- pdescinfo_t pinfo;
- mblk_t *nmp;
- zoneid_t szone = tcp->tcp_connp->conn_zoneid;
-
- for (dl_pkt = mmd_getfirstpdesc(dlmdp, &pinfo);
- (dl_pkt != NULL);
- dl_pkt = mmd_getnextpdesc(dl_pkt, &pinfo)) {
- if ((nmp = mmd_transform_link(dl_pkt)) == NULL)
- continue;
- ipobs_hook(nmp, IPOBS_HOOK_OUTBOUND, szone,
- ALL_ZONES, ill, ipst);
- freemsg(nmp);
- }
- }
-
- /* send it down */
- putnext(ire->ire_stq, md_mp_head);
-
- /* we're done for TCP/IPv4 */
- if (tcp->tcp_ipversion == IPV4_VERSION)
- return;
-
- nce = ire->ire_nce;
-
- ASSERT(nce != NULL);
- ASSERT(!(nce->nce_flags & (NCE_F_NONUD|NCE_F_PERMANENT)));
- ASSERT(nce->nce_state != ND_INCOMPLETE);
-
- /* reachability confirmation? */
- if (*rconfirm) {
- nce->nce_last = TICK_TO_MSEC(lbolt64);
- if (nce->nce_state != ND_REACHABLE) {
- mutex_enter(&nce->nce_lock);
- nce->nce_state = ND_REACHABLE;
- nce->nce_pcnt = ND_MAX_UNICAST_SOLICIT;
- mutex_exit(&nce->nce_lock);
- (void) untimeout(nce->nce_timeout_id);
- if (ip_debug > 2) {
- /* ip1dbg */
- pr_addr_dbg("tcp_multisend_data: state "
- "for %s changed to REACHABLE\n",
- AF_INET6, &ire->ire_addr_v6);
- }
- }
- /* reset transport reachability confirmation */
- *rconfirm = B_FALSE;
- }
-
- delta = TICK_TO_MSEC(lbolt64) - nce->nce_last;
- ip1dbg(("tcp_multisend_data: delta = %" PRId64
- " ill_reachable_time = %d \n", delta, ill->ill_reachable_time));
-
- if (delta > (uint64_t)ill->ill_reachable_time) {
- mutex_enter(&nce->nce_lock);
- switch (nce->nce_state) {
- case ND_REACHABLE:
- case ND_STALE:
- /*
- * ND_REACHABLE is identical to ND_STALE in this
- * specific case. If reachable time has expired for
- * this neighbor (delta is greater than reachable
- * time), conceptually, the neighbor cache is no
- * longer in REACHABLE state, but already in STALE
- * state. So the correct transition here is to
- * ND_DELAY.
- */
- nce->nce_state = ND_DELAY;
- mutex_exit(&nce->nce_lock);
- NDP_RESTART_TIMER(nce,
- ipst->ips_delay_first_probe_time);
- if (ip_debug > 3) {
- /* ip2dbg */
- pr_addr_dbg("tcp_multisend_data: state "
- "for %s changed to DELAY\n",
- AF_INET6, &ire->ire_addr_v6);
- }
- break;
- case ND_DELAY:
- case ND_PROBE:
- mutex_exit(&nce->nce_lock);
- /* Timers have already started */
- break;
- case ND_UNREACHABLE:
- /*
- * ndp timer has detected that this nce is
- * unreachable and initiated deleting this nce
- * and all its associated IREs. This is a race
- * where we found the ire before it was deleted
- * and have just sent out a packet using this
- * unreachable nce.
- */
- mutex_exit(&nce->nce_lock);
- break;
- default:
- ASSERT(0);
- }
- }
-}
-
-/*
- * Derived from tcp_send_data().
- */
-static void
-tcp_lsosend_data(tcp_t *tcp, mblk_t *mp, ire_t *ire, ill_t *ill, const int mss,
- int num_lso_seg)
-{
- ipha_t *ipha;
- mblk_t *ire_fp_mp;
- uint_t ire_fp_mp_len;
- uint32_t hcksum_txflags = 0;
- ipaddr_t src;
- ipaddr_t dst;
- uint32_t cksum;
- uint16_t *up;
- tcp_stack_t *tcps = tcp->tcp_tcps;
- ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
-
- ASSERT(DB_TYPE(mp) == M_DATA);
- ASSERT(tcp->tcp_state == TCPS_ESTABLISHED);
- ASSERT(tcp->tcp_ipversion == IPV4_VERSION);
- ASSERT(tcp->tcp_connp != NULL);
- ASSERT(CONN_IS_LSO_MD_FASTPATH(tcp->tcp_connp));
-
- ipha = (ipha_t *)mp->b_rptr;
- src = ipha->ipha_src;
- dst = ipha->ipha_dst;
-
- DTRACE_PROBE2(tcp__trace__send, mblk_t *, mp, tcp_t *, tcp);
-
- ASSERT(ipha->ipha_ident == 0 || ipha->ipha_ident == IP_HDR_INCLUDED);
- ipha->ipha_ident = (uint16_t)atomic_add_32_nv(&ire->ire_ident,
- num_lso_seg);
-#ifndef _BIG_ENDIAN
- ipha->ipha_ident = (ipha->ipha_ident << 8) | (ipha->ipha_ident >> 8);
-#endif
- if (tcp->tcp_snd_zcopy_aware) {
- if ((ill->ill_capabilities & ILL_CAPAB_ZEROCOPY) == 0 ||
- (ill->ill_zerocopy_capab->ill_zerocopy_flags == 0))
- mp = tcp_zcopy_disable(tcp, mp);
- }
-
- if (ILL_HCKSUM_CAPABLE(ill) && dohwcksum) {
- ASSERT(ill->ill_hcksum_capab != NULL);
- hcksum_txflags = ill->ill_hcksum_capab->ill_hcksum_txflags;
- }
-
- /*
- * Since the TCP checksum should be recalculated by h/w, we can just
- * zero the checksum field for HCK_FULLCKSUM, or calculate partial
- * pseudo-header checksum for HCK_PARTIALCKSUM.
- * The partial pseudo-header excludes TCP length, that was calculated
- * in tcp_send(), so to zero *up before further processing.
- */
- cksum = (dst >> 16) + (dst & 0xFFFF) + (src >> 16) + (src & 0xFFFF);
-
- up = IPH_TCPH_CHECKSUMP(ipha, IP_SIMPLE_HDR_LENGTH);
- *up = 0;
-
- IP_CKSUM_XMIT_FAST(ire->ire_ipversion, hcksum_txflags, mp, ipha, up,
- IPPROTO_TCP, IP_SIMPLE_HDR_LENGTH, ntohs(ipha->ipha_length), cksum);
-
- /*
- * Append LSO flags and mss to the mp.
- */
- lso_info_set(mp, mss, HW_LSO);
-
- ipha->ipha_fragment_offset_and_flags |=
- (uint32_t)htons(ire->ire_frag_flag);
-
- ire_fp_mp = ire->ire_nce->nce_fp_mp;
- ire_fp_mp_len = MBLKL(ire_fp_mp);
- ASSERT(DB_TYPE(ire_fp_mp) == M_DATA);
- mp->b_rptr = (uchar_t *)ipha - ire_fp_mp_len;
- bcopy(ire_fp_mp->b_rptr, mp->b_rptr, ire_fp_mp_len);
-
- UPDATE_OB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutTransmits);
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutOctets,
- ntohs(ipha->ipha_length));
-
- DTRACE_PROBE4(ip4__physical__out__start,
- ill_t *, NULL, ill_t *, ill, ipha_t *, ipha, mblk_t *, mp);
- FW_HOOKS(ipst->ips_ip4_physical_out_event,
- ipst->ips_ipv4firewall_physical_out, NULL,
- ill, ipha, mp, mp, 0, ipst);
- DTRACE_PROBE1(ip4__physical__out__end, mblk_t *, mp);
- DTRACE_IP_FASTPATH(mp, ipha, ill, ipha, NULL);
-
- if (mp != NULL) {
- if (ipst->ips_ip4_observe.he_interested) {
- zoneid_t szone;
-
- if (ire_fp_mp_len != 0)
- mp->b_rptr += ire_fp_mp_len;
- szone = ip_get_zoneid_v4(ipha->ipha_src, mp,
- ipst, ALL_ZONES);
- ipobs_hook(mp, IPOBS_HOOK_OUTBOUND, szone,
- ALL_ZONES, ill, ipst);
- if (ire_fp_mp_len != 0)
- mp->b_rptr -= ire_fp_mp_len;
- }
-
- ILL_SEND_TX(ill, ire, tcp->tcp_connp, mp, 0, NULL);
- }
-}
-
-/*
- * tcp_send() is called by tcp_wput_data() for non-Multidata transmission
- * scheme, and returns one of the following:
- *
- * -1 = failed allocation.
- * 0 = success; burst count reached, or usable send window is too small,
- * and that we'd rather wait until later before sending again.
- * 1 = success; we are called from tcp_multisend(), and both usable send
- * window and tail_unsent are greater than the MDT threshold, and thus
- * Multidata Transmit should be used instead.
- */
-static int
-tcp_send(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
- const int tcp_tcp_hdr_len, const int num_sack_blk, int *usable,
- uint_t *snxt, int *tail_unsent, mblk_t **xmit_tail, mblk_t *local_time,
- const int mdt_thres)
-{
- int num_burst_seg = tcp->tcp_snd_burst;
- ire_t *ire = NULL;
- ill_t *ill = NULL;
- mblk_t *ire_fp_mp = NULL;
- uint_t ire_fp_mp_len = 0;
+ int num_burst_seg = tcp->tcp_snd_burst;
int num_lso_seg = 1;
uint_t lso_usable;
boolean_t do_lso_send = B_FALSE;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
+ ip_xmit_attr_t *ixa = connp->conn_ixa;
/*
- * Check LSO capability before any further work. And the similar check
- * need to be done in for(;;) loop.
- * LSO will be deployed when therer is more than one mss of available
- * data and a burst transmission is allowed.
+ * Check LSO possibility. The value of tcp->tcp_lso indicates whether
+ * the underlying connection is LSO capable. Will check whether having
+ * enough available data to initiate LSO transmission in the for(){}
+ * loops.
*/
- if (tcp->tcp_lso &&
- (tcp->tcp_valid_bits == 0 ||
- tcp->tcp_valid_bits == TCP_FSS_VALID) &&
- num_burst_seg >= 2 && (*usable - 1) / mss >= 1) {
- /*
- * Try to find usable IRE/ILL and do basic check to the ILL.
- * Double check LSO usability before going further, since the
- * underlying interface could have been changed. In case of any
- * change of LSO capability, set tcp_ire_ill_check_done to
- * B_FALSE to force to check the ILL with the next send.
- */
- if (tcp_send_find_ire_ill(tcp, NULL, &ire, &ill) &&
- tcp->tcp_lso && ILL_LSO_TCP_USABLE(ill)) {
- /*
- * Enable LSO with this transmission.
- * Since IRE has been hold in tcp_send_find_ire_ill(),
- * IRE_REFRELE(ire) should be called before return.
- */
+ if (tcp->tcp_lso && (tcp->tcp_valid_bits & ~TCP_FSS_VALID) == 0)
do_lso_send = B_TRUE;
- ire_fp_mp = ire->ire_nce->nce_fp_mp;
- ire_fp_mp_len = MBLKL(ire_fp_mp);
- /* Round up to multiple of 4 */
- ire_fp_mp_len = ((ire_fp_mp_len + 3) / 4) * 4;
- } else {
- tcp->tcp_lso = B_FALSE;
- tcp->tcp_ire_ill_check_done = B_FALSE;
- do_lso_send = B_FALSE;
- ill = NULL;
- }
- }
for (;;) {
struct datab *db;
- tcph_t *tcph;
+ tcpha_t *tcpha;
uint32_t sum;
mblk_t *mp, *mp1;
uchar_t *rptr;
int len;
/*
- * If we're called by tcp_multisend(), and the amount of
- * sendable data as well as the size of current xmit_tail
- * is beyond the MDT threshold, return to the caller and
- * let the large data transmit be done using MDT.
+ * Burst count reached, return successfully.
*/
- if (*usable > 0 && *usable > mdt_thres &&
- (*tail_unsent > mdt_thres || (*tail_unsent == 0 &&
- MBLKL((*xmit_tail)->b_cont) > mdt_thres))) {
- ASSERT(tcp->tcp_mdt);
- return (1); /* success; do large send */
- }
-
if (num_burst_seg == 0)
- break; /* success; burst count reached */
+ break;
/*
- * Calculate the maximum payload length we can send in *one*
+ * Calculate the maximum payload length we can send at one
* time.
*/
if (do_lso_send) {
/*
- * Check whether need to do LSO any more.
+ * Check whether be able to to do LSO for the current
+ * available data.
*/
if (num_burst_seg >= 2 && (*usable - 1) / mss >= 1) {
lso_usable = MIN(tcp->tcp_lso_max, *usable);
@@ -20787,7 +15918,10 @@ tcp_send(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
}
ASSERT(num_lso_seg <= IP_MAXPACKET / mss + 1);
-
+#ifdef DEBUG
+ DTRACE_PROBE2(tcp_send_lso, int, num_lso_seg, boolean_t,
+ do_lso_send);
+#endif
/*
* Adjust num_burst_seg here.
*/
@@ -20817,7 +15951,7 @@ tcp_send(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
/*
* If the retransmit timer is not running
* we start it so that we will retransmit
- * in the case when the the receiver has
+ * in the case when the receiver has
* decremented the window.
*/
if (*snxt == tcp->tcp_snxt &&
@@ -20838,7 +15972,7 @@ tcp_send(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
}
}
- tcph = tcp->tcp_tcph;
+ tcpha = tcp->tcp_tcpha;
/*
* The reason to adjust len here is that we need to set flags
@@ -20849,19 +15983,25 @@ tcp_send(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
*usable -= len; /* Approximate - can be adjusted later */
if (*usable > 0)
- tcph->th_flags[0] = TH_ACK;
+ tcpha->tha_flags = TH_ACK;
else
- tcph->th_flags[0] = (TH_ACK | TH_PUSH);
+ tcpha->tha_flags = (TH_ACK | TH_PUSH);
/*
- * Prime pump for IP's checksumming on our behalf
+ * Prime pump for IP's checksumming on our behalf.
* Include the adjustment for a source route if any.
+ * In case of LSO, the partial pseudo-header checksum should
+ * exclusive TCP length, so zero tha_sum before IP calculate
+ * pseudo-header checksum for partial checksum offload.
*/
- sum = len + tcp_tcp_hdr_len + tcp->tcp_sum;
- sum = (sum >> 16) + (sum & 0xFFFF);
- U16_TO_ABE16(sum, tcph->th_sum);
-
- U32_TO_ABE32(*snxt, tcph->th_seq);
+ if (do_lso_send) {
+ sum = 0;
+ } else {
+ sum = len + tcp_hdr_len + connp->conn_sum;
+ sum = (sum >> 16) + (sum & 0xFFFF);
+ }
+ tcpha->tha_sum = htons(sum);
+ tcpha->tha_seq = htonl(*snxt);
/*
* Branch off to tcp_xmit_mp() if any of the VALID bits is
@@ -20907,8 +16047,6 @@ tcp_send(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
(*xmit_tail)->b_rptr = prev_rptr;
if (mp == NULL) {
- if (ire != NULL)
- IRE_REFRELE(ire);
return (-1);
}
mp1 = mp->b_cont;
@@ -20927,7 +16065,7 @@ tcp_send(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
BUMP_LOCAL(tcp->tcp_obsegs);
BUMP_MIB(&tcps->tcps_mib, tcpOutDataSegs);
UPDATE_MIB(&tcps->tcps_mib, tcpOutDataBytes, len);
- tcp_send_data(tcp, q, mp);
+ tcp_send_data(tcp, mp);
continue;
}
@@ -20942,18 +16080,18 @@ tcp_send(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
*tail_unsent -= len;
if (len <= mss) /* LSO is unusable */
tcp->tcp_last_sent_len = (ushort_t)len;
- len += tcp_hdr_len;
- if (tcp->tcp_ipversion == IPV4_VERSION)
+ len += total_hdr_len;
+ ixa->ixa_pktlen = len;
+
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
tcp->tcp_ipha->ipha_length = htons(len);
- else
+ } else {
tcp->tcp_ip6h->ip6_plen =
- htons(len -
- ((char *)&tcp->tcp_ip6h[1] -
- tcp->tcp_iphc));
+ htons(len - IPV6_HDR_LEN);
+ }
+
mp = dupb(*xmit_tail);
if (mp == NULL) {
- if (ire != NULL)
- IRE_REFRELE(ire);
return (-1); /* out_of_mem */
}
mp->b_rptr = rptr;
@@ -20983,21 +16121,21 @@ tcp_send(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
if (len <= mss) /* LSO is unusable (!do_lso_send) */
tcp->tcp_last_sent_len = (ushort_t)len;
- len += tcp_hdr_len;
- if (tcp->tcp_ipversion == IPV4_VERSION)
+ len += total_hdr_len;
+ ixa->ixa_pktlen = len;
+
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
tcp->tcp_ipha->ipha_length = htons(len);
- else
- tcp->tcp_ip6h->ip6_plen = htons(len -
- ((char *)&tcp->tcp_ip6h[1] - tcp->tcp_iphc));
+ } else {
+ tcp->tcp_ip6h->ip6_plen = htons(len - IPV6_HDR_LEN);
+ }
mp = dupb(*xmit_tail);
if (mp == NULL) {
- if (ire != NULL)
- IRE_REFRELE(ire);
return (-1); /* out_of_mem */
}
- len = tcp_hdr_len;
+ len = total_hdr_len;
/*
* There are four reasons to allocate a new hdr mblk:
* 1) The bytes above us are in use by another packet
@@ -21008,24 +16146,21 @@ tcp_send(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
rptr = mp->b_rptr - len;
if (!OK_32PTR(rptr) ||
((db = mp->b_datap), db->db_ref != 2) ||
- rptr < db->db_base + ire_fp_mp_len) {
+ rptr < db->db_base) {
/* NOTE: we assume allocb returns an OK_32PTR */
must_alloc:;
- mp1 = allocb(tcp->tcp_ip_hdr_len + TCP_MAX_HDR_LENGTH +
- tcps->tcps_wroff_xtra + ire_fp_mp_len, BPRI_MED);
+ mp1 = allocb(connp->conn_ht_iphc_allocated +
+ tcps->tcps_wroff_xtra, BPRI_MED);
if (mp1 == NULL) {
freemsg(mp);
- if (ire != NULL)
- IRE_REFRELE(ire);
return (-1); /* out_of_mem */
}
mp1->b_cont = mp;
mp = mp1;
/* Leave room for Link Level header */
- len = tcp_hdr_len;
- rptr =
- &mp->b_rptr[tcps->tcps_wroff_xtra + ire_fp_mp_len];
+ len = total_hdr_len;
+ rptr = &mp->b_rptr[tcps->tcps_wroff_xtra];
mp->b_wptr = &rptr[len];
}
@@ -21057,18 +16192,17 @@ tcp_send(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
/*
* Excess data in mblk; can we split it?
- * If MDT is enabled for the connection,
+ * If LSO is enabled for the connection,
* keep on splitting as this is a transient
* send path.
*/
- if (!do_lso_send && !tcp->tcp_mdt &&
- (spill + nmpsz > 0)) {
+ if (!do_lso_send && (spill + nmpsz > 0)) {
/*
* Don't split if stream head was
* told to break up larger writes
* into smaller ones.
*/
- if (tcp->tcp_maxpsz > 0)
+ if (tcp->tcp_maxpsz_multiplier > 0)
break;
/*
@@ -21096,8 +16230,6 @@ tcp_send(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
if (mp1 == NULL) {
*tail_unsent = spill;
freemsg(mp);
- if (ire != NULL)
- IRE_REFRELE(ire);
return (-1); /* out_of_mem */
}
}
@@ -21119,11 +16251,12 @@ tcp_send(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
/*
* Adjust the checksum
*/
- tcph = (tcph_t *)(rptr + tcp->tcp_ip_hdr_len);
+ tcpha = (tcpha_t *)(rptr +
+ ixa->ixa_ip_hdr_length);
sum += spill;
sum = (sum >> 16) + (sum & 0xFFFF);
- U16_TO_ABE16(sum, tcph->th_sum);
- if (tcp->tcp_ipversion == IPV4_VERSION) {
+ tcpha->tha_sum = htons(sum);
+ if (connp->conn_ipversion == IPV4_VERSION) {
sum = ntohs(
((ipha_t *)rptr)->ipha_length) +
spill;
@@ -21136,311 +16269,55 @@ tcp_send(queue_t *q, tcp_t *tcp, const int mss, const int tcp_hdr_len,
((ip6_t *)rptr)->ip6_plen =
htons(sum);
}
+ ixa->ixa_pktlen += spill;
*tail_unsent = 0;
}
}
if (tcp->tcp_ip_forward_progress) {
- ASSERT(tcp->tcp_ipversion == IPV6_VERSION);
- *(uint32_t *)mp->b_rptr |= IP_FORWARD_PROG;
tcp->tcp_ip_forward_progress = B_FALSE;
+ ixa->ixa_flags |= IXAF_REACH_CONF;
+ } else {
+ ixa->ixa_flags &= ~IXAF_REACH_CONF;
}
+ /*
+ * Append LSO information, both flags and mss, to the mp.
+ */
if (do_lso_send) {
- tcp_lsosend_data(tcp, mp, ire, ill, mss,
- num_lso_seg);
- tcp->tcp_obsegs += num_lso_seg;
+ lso_info_set(mp, mss, HW_LSO);
+ ixa->ixa_fragsize = IP_MAXPACKET;
+ ixa->ixa_extra_ident = num_lso_seg - 1;
+ DTRACE_PROBE2(tcp_send_lso, int, num_lso_seg,
+ boolean_t, B_TRUE);
+
+ tcp_send_data(tcp, mp);
+
+ /*
+ * Restore values of ixa_fragsize and ixa_extra_ident.
+ */
+ ixa->ixa_fragsize = ixa->ixa_pmtu;
+ ixa->ixa_extra_ident = 0;
+ tcp->tcp_obsegs += num_lso_seg;
TCP_STAT(tcps, tcp_lso_times);
TCP_STAT_UPDATE(tcps, tcp_lso_pkt_out, num_lso_seg);
} else {
- tcp_send_data(tcp, q, mp);
+ tcp_send_data(tcp, mp);
BUMP_LOCAL(tcp->tcp_obsegs);
}
}
- if (ire != NULL)
- IRE_REFRELE(ire);
return (0);
}
-/* Unlink and return any mblk that looks like it contains a MDT info */
-static mblk_t *
-tcp_mdt_info_mp(mblk_t *mp)
-{
- mblk_t *prev_mp;
-
- for (;;) {
- prev_mp = mp;
- /* no more to process? */
- if ((mp = mp->b_cont) == NULL)
- break;
-
- switch (DB_TYPE(mp)) {
- case M_CTL:
- if (*(uint32_t *)mp->b_rptr != MDT_IOC_INFO_UPDATE)
- continue;
- ASSERT(prev_mp != NULL);
- prev_mp->b_cont = mp->b_cont;
- mp->b_cont = NULL;
- return (mp);
- default:
- break;
- }
- }
- return (mp);
-}
-
-/* MDT info update routine, called when IP notifies us about MDT */
-static void
-tcp_mdt_update(tcp_t *tcp, ill_mdt_capab_t *mdt_capab, boolean_t first)
-{
- boolean_t prev_state;
- tcp_stack_t *tcps = tcp->tcp_tcps;
-
- /*
- * IP is telling us to abort MDT on this connection? We know
- * this because the capability is only turned off when IP
- * encounters some pathological cases, e.g. link-layer change
- * where the new driver doesn't support MDT, or in situation
- * where MDT usage on the link-layer has been switched off.
- * IP would not have sent us the initial MDT_IOC_INFO_UPDATE
- * if the link-layer doesn't support MDT, and if it does, it
- * will indicate that the feature is to be turned on.
- */
- prev_state = tcp->tcp_mdt;
- tcp->tcp_mdt = (mdt_capab->ill_mdt_on != 0);
- if (!tcp->tcp_mdt && !first) {
- TCP_STAT(tcps, tcp_mdt_conn_halted3);
- ip1dbg(("tcp_mdt_update: disabling MDT for connp %p\n",
- (void *)tcp->tcp_connp));
- }
-
- /*
- * We currently only support MDT on simple TCP/{IPv4,IPv6},
- * so disable MDT otherwise. The checks are done here
- * and in tcp_wput_data().
- */
- if (tcp->tcp_mdt &&
- (tcp->tcp_ipversion == IPV4_VERSION &&
- tcp->tcp_ip_hdr_len != IP_SIMPLE_HDR_LENGTH) ||
- (tcp->tcp_ipversion == IPV6_VERSION &&
- tcp->tcp_ip_hdr_len != IPV6_HDR_LEN))
- tcp->tcp_mdt = B_FALSE;
-
- if (tcp->tcp_mdt) {
- if (mdt_capab->ill_mdt_version != MDT_VERSION_2) {
- cmn_err(CE_NOTE, "tcp_mdt_update: unknown MDT "
- "version (%d), expected version is %d",
- mdt_capab->ill_mdt_version, MDT_VERSION_2);
- tcp->tcp_mdt = B_FALSE;
- return;
- }
-
- /*
- * We need the driver to be able to handle at least three
- * spans per packet in order for tcp MDT to be utilized.
- * The first is for the header portion, while the rest are
- * needed to handle a packet that straddles across two
- * virtually non-contiguous buffers; a typical tcp packet
- * therefore consists of only two spans. Note that we take
- * a zero as "don't care".
- */
- if (mdt_capab->ill_mdt_span_limit > 0 &&
- mdt_capab->ill_mdt_span_limit < 3) {
- tcp->tcp_mdt = B_FALSE;
- return;
- }
-
- /* a zero means driver wants default value */
- tcp->tcp_mdt_max_pld = MIN(mdt_capab->ill_mdt_max_pld,
- tcps->tcps_mdt_max_pbufs);
- if (tcp->tcp_mdt_max_pld == 0)
- tcp->tcp_mdt_max_pld = tcps->tcps_mdt_max_pbufs;
-
- /* ensure 32-bit alignment */
- tcp->tcp_mdt_hdr_head = roundup(MAX(tcps->tcps_mdt_hdr_head_min,
- mdt_capab->ill_mdt_hdr_head), 4);
- tcp->tcp_mdt_hdr_tail = roundup(MAX(tcps->tcps_mdt_hdr_tail_min,
- mdt_capab->ill_mdt_hdr_tail), 4);
-
- if (!first && !prev_state) {
- TCP_STAT(tcps, tcp_mdt_conn_resumed2);
- ip1dbg(("tcp_mdt_update: reenabling MDT for connp %p\n",
- (void *)tcp->tcp_connp));
- }
- }
-}
-
-/* Unlink and return any mblk that looks like it contains a LSO info */
-static mblk_t *
-tcp_lso_info_mp(mblk_t *mp)
-{
- mblk_t *prev_mp;
-
- for (;;) {
- prev_mp = mp;
- /* no more to process? */
- if ((mp = mp->b_cont) == NULL)
- break;
-
- switch (DB_TYPE(mp)) {
- case M_CTL:
- if (*(uint32_t *)mp->b_rptr != LSO_IOC_INFO_UPDATE)
- continue;
- ASSERT(prev_mp != NULL);
- prev_mp->b_cont = mp->b_cont;
- mp->b_cont = NULL;
- return (mp);
- default:
- break;
- }
- }
-
- return (mp);
-}
-
-/* LSO info update routine, called when IP notifies us about LSO */
-static void
-tcp_lso_update(tcp_t *tcp, ill_lso_capab_t *lso_capab)
-{
- tcp_stack_t *tcps = tcp->tcp_tcps;
-
- /*
- * IP is telling us to abort LSO on this connection? We know
- * this because the capability is only turned off when IP
- * encounters some pathological cases, e.g. link-layer change
- * where the new NIC/driver doesn't support LSO, or in situation
- * where LSO usage on the link-layer has been switched off.
- * IP would not have sent us the initial LSO_IOC_INFO_UPDATE
- * if the link-layer doesn't support LSO, and if it does, it
- * will indicate that the feature is to be turned on.
- */
- tcp->tcp_lso = (lso_capab->ill_lso_on != 0);
- TCP_STAT(tcps, tcp_lso_enabled);
-
- /*
- * We currently only support LSO on simple TCP/IPv4,
- * so disable LSO otherwise. The checks are done here
- * and in tcp_wput_data().
- */
- if (tcp->tcp_lso &&
- (tcp->tcp_ipversion == IPV4_VERSION &&
- tcp->tcp_ip_hdr_len != IP_SIMPLE_HDR_LENGTH) ||
- (tcp->tcp_ipversion == IPV6_VERSION)) {
- tcp->tcp_lso = B_FALSE;
- TCP_STAT(tcps, tcp_lso_disabled);
- } else {
- tcp->tcp_lso_max = MIN(TCP_MAX_LSO_LENGTH,
- lso_capab->ill_lso_max);
- }
-}
-
-static void
-tcp_ire_ill_check(tcp_t *tcp, ire_t *ire, ill_t *ill, boolean_t check_lso_mdt)
-{
- conn_t *connp = tcp->tcp_connp;
- tcp_stack_t *tcps = tcp->tcp_tcps;
- ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
-
- ASSERT(ire != NULL);
-
- /*
- * We may be in the fastpath here, and although we essentially do
- * similar checks as in ip_bind_connected{_v6}/ip_xxinfo_return,
- * we try to keep things as brief as possible. After all, these
- * are only best-effort checks, and we do more thorough ones prior
- * to calling tcp_send()/tcp_multisend().
- */
- if ((ipst->ips_ip_lso_outbound || ipst->ips_ip_multidata_outbound) &&
- check_lso_mdt && !(ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK)) &&
- ill != NULL && !CONN_IPSEC_OUT_ENCAPSULATED(connp) &&
- !(ire->ire_flags & RTF_MULTIRT) &&
- !IPP_ENABLED(IPP_LOCAL_OUT, ipst) &&
- CONN_IS_LSO_MD_FASTPATH(connp)) {
- if (ipst->ips_ip_lso_outbound && ILL_LSO_CAPABLE(ill)) {
- /* Cache the result */
- connp->conn_lso_ok = B_TRUE;
-
- ASSERT(ill->ill_lso_capab != NULL);
- if (!ill->ill_lso_capab->ill_lso_on) {
- ill->ill_lso_capab->ill_lso_on = 1;
- ip1dbg(("tcp_ire_ill_check: connp %p enables "
- "LSO for interface %s\n", (void *)connp,
- ill->ill_name));
- }
- tcp_lso_update(tcp, ill->ill_lso_capab);
- } else if (ipst->ips_ip_multidata_outbound &&
- ILL_MDT_CAPABLE(ill)) {
- /* Cache the result */
- connp->conn_mdt_ok = B_TRUE;
-
- ASSERT(ill->ill_mdt_capab != NULL);
- if (!ill->ill_mdt_capab->ill_mdt_on) {
- ill->ill_mdt_capab->ill_mdt_on = 1;
- ip1dbg(("tcp_ire_ill_check: connp %p enables "
- "MDT for interface %s\n", (void *)connp,
- ill->ill_name));
- }
- tcp_mdt_update(tcp, ill->ill_mdt_capab, B_TRUE);
- }
- }
-
- /*
- * The goal is to reduce the number of generated tcp segments by
- * setting the maxpsz multiplier to 0; this will have an affect on
- * tcp_maxpsz_set(). With this behavior, tcp will pack more data
- * into each packet, up to SMSS bytes. Doing this reduces the number
- * of outbound segments and incoming ACKs, thus allowing for better
- * network and system performance. In contrast the legacy behavior
- * may result in sending less than SMSS size, because the last mblk
- * for some packets may have more data than needed to make up SMSS,
- * and the legacy code refused to "split" it.
- *
- * We apply the new behavior on following situations:
- *
- * 1) Loopback connections,
- * 2) Connections in which the remote peer is not on local subnet,
- * 3) Local subnet connections over the bge interface (see below).
- *
- * Ideally, we would like this behavior to apply for interfaces other
- * than bge. However, doing so would negatively impact drivers which
- * perform dynamic mapping and unmapping of DMA resources, which are
- * increased by setting the maxpsz multiplier to 0 (more mblks per
- * packet will be generated by tcp). The bge driver does not suffer
- * from this, as it copies the mblks into pre-mapped buffers, and
- * therefore does not require more I/O resources than before.
- *
- * Otherwise, this behavior is present on all network interfaces when
- * the destination endpoint is non-local, since reducing the number
- * of packets in general is good for the network.
- *
- * TODO We need to remove this hard-coded conditional for bge once
- * a better "self-tuning" mechanism, or a way to comprehend
- * the driver transmit strategy is devised. Until the solution
- * is found and well understood, we live with this hack.
- */
- if (!tcp_static_maxpsz &&
- (tcp->tcp_loopback || !tcp->tcp_localnet ||
- (ill->ill_name_length > 3 && bcmp(ill->ill_name, "bge", 3) == 0))) {
- /* override the default value */
- tcp->tcp_maxpsz = 0;
-
- ip3dbg(("tcp_ire_ill_check: connp %p tcp_maxpsz %d on "
- "interface %s\n", (void *)connp, tcp->tcp_maxpsz,
- ill != NULL ? ill->ill_name : ipif_loopback_name));
- }
-
- /* set the stream head parameters accordingly */
- (void) tcp_maxpsz_set(tcp, B_TRUE);
-}
-
/* tcp_wput_flush is called by tcp_wput_nondata to handle M_FLUSH messages. */
static void
tcp_wput_flush(tcp_t *tcp, mblk_t *mp)
{
uchar_t fval = *mp->b_rptr;
mblk_t *tail;
- queue_t *q = tcp->tcp_wq;
+ conn_t *connp = tcp->tcp_connp;
+ queue_t *q = connp->conn_wq;
/* TODO: How should flush interact with urgent data? */
if ((fval & FLUSHW) && tcp->tcp_xmit_head &&
@@ -21473,7 +16350,7 @@ tcp_wput_flush(tcp_t *tcp, mblk_t *mp)
}
/*
* We have no unsent data, so unsent must be less than
- * tcp_xmit_lowater, so re-enable flow.
+ * conn_sndlowat, so re-enable flow.
*/
mutex_enter(&tcp->tcp_non_sq_lock);
if (tcp->tcp_flow_stopped) {
@@ -21501,12 +16378,12 @@ tcp_wput_flush(tcp_t *tcp, mblk_t *mp)
static void
tcp_wput_iocdata(tcp_t *tcp, mblk_t *mp)
{
- mblk_t *mp1;
- struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
+ mblk_t *mp1;
+ struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
STRUCT_HANDLE(strbuf, sb);
- queue_t *q = tcp->tcp_wq;
- int error;
- uint_t addrlen;
+ uint_t addrlen;
+ conn_t *connp = tcp->tcp_connp;
+ queue_t *q = connp->conn_wq;
/* Make sure it is one of ours. */
switch (iocp->ioc_cmd) {
@@ -21514,7 +16391,7 @@ tcp_wput_iocdata(tcp_t *tcp, mblk_t *mp)
case TI_GETPEERNAME:
break;
default:
- CALL_IP_WPUT(tcp->tcp_connp, q, mp);
+ ip_wput_nondata(q, mp);
return;
}
switch (mi_copy_state(q, mp, &mp1)) {
@@ -21541,43 +16418,56 @@ tcp_wput_iocdata(tcp_t *tcp, mblk_t *mp)
}
STRUCT_SET_HANDLE(sb, iocp->ioc_flag, (void *)mp1->b_rptr);
- addrlen = tcp->tcp_family == AF_INET ? sizeof (sin_t) : sizeof (sin6_t);
+
+ if (connp->conn_family == AF_INET)
+ addrlen = sizeof (sin_t);
+ else
+ addrlen = sizeof (sin6_t);
+
if (STRUCT_FGET(sb, maxlen) < addrlen) {
mi_copy_done(q, mp, EINVAL);
return;
}
- mp1 = mi_copyout_alloc(q, mp, STRUCT_FGETP(sb, buf), addrlen, B_TRUE);
- if (mp1 == NULL)
- return;
-
switch (iocp->ioc_cmd) {
case TI_GETMYNAME:
- error = tcp_do_getsockname(tcp, (void *)mp1->b_rptr, &addrlen);
break;
case TI_GETPEERNAME:
- error = tcp_do_getpeername(tcp, (void *)mp1->b_rptr, &addrlen);
+ if (tcp->tcp_state < TCPS_SYN_RCVD) {
+ mi_copy_done(q, mp, ENOTCONN);
+ return;
+ }
break;
}
+ mp1 = mi_copyout_alloc(q, mp, STRUCT_FGETP(sb, buf), addrlen, B_TRUE);
+ if (!mp1)
+ return;
- if (error != 0) {
- mi_copy_done(q, mp, error);
- } else {
- mp1->b_wptr += addrlen;
- STRUCT_FSET(sb, len, addrlen);
-
- /* Copy out the address */
- mi_copyout(q, mp);
+ STRUCT_FSET(sb, len, addrlen);
+ switch (((struct iocblk *)mp->b_rptr)->ioc_cmd) {
+ case TI_GETMYNAME:
+ (void) conn_getsockname(connp, (struct sockaddr *)mp1->b_wptr,
+ &addrlen);
+ break;
+ case TI_GETPEERNAME:
+ (void) conn_getpeername(connp, (struct sockaddr *)mp1->b_wptr,
+ &addrlen);
+ break;
}
+ mp1->b_wptr += addrlen;
+ /* Copy out the address */
+ mi_copyout(q, mp);
}
static void
tcp_use_pure_tpi(tcp_t *tcp)
{
+ conn_t *connp = tcp->tcp_connp;
+
#ifdef _ILP32
- tcp->tcp_acceptor_id = (t_uscalar_t)tcp->tcp_rq;
+ tcp->tcp_acceptor_id = (t_uscalar_t)connp->conn_rq;
#else
- tcp->tcp_acceptor_id = tcp->tcp_connp->conn_dev;
+ tcp->tcp_acceptor_id = connp->conn_dev;
#endif
/*
* Insert this socket into the acceptor hash.
@@ -21595,11 +16485,11 @@ tcp_use_pure_tpi(tcp_t *tcp)
*/
/* ARGSUSED */
static void
-tcp_wput_ioctl(void *arg, mblk_t *mp, void *arg2)
+tcp_wput_ioctl(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
- conn_t *connp = (conn_t *)arg;
- tcp_t *tcp = connp->conn_tcp;
- queue_t *q = tcp->tcp_wq;
+ conn_t *connp = (conn_t *)arg;
+ tcp_t *tcp = connp->conn_tcp;
+ queue_t *q = connp->conn_wq;
struct iocblk *iocp;
ASSERT(DB_TYPE(mp) == M_IOCTL);
@@ -21617,17 +16507,6 @@ tcp_wput_ioctl(void *arg, mblk_t *mp, void *arg2)
iocp = (struct iocblk *)mp->b_rptr;
switch (iocp->ioc_cmd) {
- case TCP_IOC_DEFAULT_Q:
- /* Wants to be the default wq. */
- if (secpolicy_ip_config(iocp->ioc_cr, B_FALSE) != 0) {
- iocp->ioc_error = EPERM;
- iocp->ioc_count = 0;
- mp->b_datap->db_type = M_IOCACK;
- qreply(q, mp);
- return;
- }
- tcp_def_q_set(tcp, mp);
- return;
case _SIOCSOCKFALLBACK:
/*
* Either sockmod is about to be popped and the socket
@@ -21650,7 +16529,7 @@ tcp_wput_ioctl(void *arg, mblk_t *mp, void *arg2)
qreply(q, mp);
return;
}
- CALL_IP_WPUT(connp, q, mp);
+ ip_wput_nondata(q, mp);
}
/*
@@ -21658,14 +16537,14 @@ tcp_wput_ioctl(void *arg, mblk_t *mp, void *arg2)
*/
/* ARGSUSED */
static void
-tcp_wput_proto(void *arg, mblk_t *mp, void *arg2)
+tcp_wput_proto(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
- conn_t *connp = (conn_t *)arg;
- tcp_t *tcp = connp->conn_tcp;
+ conn_t *connp = (conn_t *)arg;
+ tcp_t *tcp = connp->conn_tcp;
union T_primitives *tprim = (union T_primitives *)mp->b_rptr;
- uchar_t *rptr;
- t_scalar_t type;
- cred_t *cr;
+ uchar_t *rptr;
+ t_scalar_t type;
+ cred_t *cr;
/*
* Try and ASSERT the minimum possible references on the
@@ -21684,7 +16563,7 @@ tcp_wput_proto(void *arg, mblk_t *mp, void *arg2)
if ((mp->b_wptr - rptr) >= sizeof (t_scalar_t)) {
type = ((union T_primitives *)rptr)->type;
if (type == T_EXDATA_REQ) {
- tcp_output_urgent(connp, mp, arg2);
+ tcp_output_urgent(connp, mp, arg2, NULL);
} else if (type != T_DATA_REQ) {
goto non_urgent_data;
} else {
@@ -21695,7 +16574,7 @@ tcp_wput_proto(void *arg, mblk_t *mp, void *arg2)
}
return;
} else {
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_ERROR|SL_TRACE,
"tcp_wput_proto, dropping one...");
}
@@ -21776,17 +16655,10 @@ non_urgent_data:
* for subsequent processing by ip_restart_optmgmt(), which
* will do the CONN_DEC_REF().
*/
- CONN_INC_REF(connp);
if ((int)tprim->type == T_SVR4_OPTMGMT_REQ) {
- if (svr4_optcom_req(tcp->tcp_wq, mp, cr, &tcp_opt_obj,
- B_TRUE) != EINPROGRESS) {
- CONN_DEC_REF(connp);
- }
+ svr4_optcom_req(connp->conn_wq, mp, cr, &tcp_opt_obj);
} else {
- if (tpi_optcom_req(tcp->tcp_wq, mp, cr, &tcp_opt_obj,
- B_TRUE) != EINPROGRESS) {
- CONN_DEC_REF(connp);
- }
+ tpi_optcom_req(connp->conn_wq, mp, cr, &tcp_opt_obj);
}
break;
@@ -21804,7 +16676,7 @@ non_urgent_data:
* We were crossing FINs and got a reset from
* the other side. Just ignore it.
*/
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"tcp_wput_proto, T_ORDREL_REQ out of "
@@ -21818,7 +16690,7 @@ non_urgent_data:
tcp_addr_req(tcp, mp);
break;
default:
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_ERROR|SL_TRACE,
"tcp_wput_proto, bogus TPI msg, type %d",
tprim->type);
@@ -21844,19 +16716,6 @@ tcp_wsrv(queue_t *q)
TCP_STAT(tcps, tcp_wsrv_called);
}
-/* Non overlapping byte exchanger */
-static void
-tcp_xchg(uchar_t *a, uchar_t *b, int len)
-{
- uchar_t uch;
-
- while (len-- > 0) {
- uch = a[len];
- a[len] = b[len];
- b[len] = uch;
- }
-}
-
/*
* Send out a control packet on the tcp connection specified. This routine
* is typically called where we need a simple ACK or RST generated.
@@ -21865,50 +16724,51 @@ static void
tcp_xmit_ctl(char *str, tcp_t *tcp, uint32_t seq, uint32_t ack, int ctl)
{
uchar_t *rptr;
- tcph_t *tcph;
+ tcpha_t *tcpha;
ipha_t *ipha = NULL;
ip6_t *ip6h = NULL;
uint32_t sum;
- int tcp_hdr_len;
- int tcp_ip_hdr_len;
+ int total_hdr_len;
+ int ip_hdr_len;
mblk_t *mp;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
+ ip_xmit_attr_t *ixa = connp->conn_ixa;
/*
* Save sum for use in source route later.
*/
- ASSERT(tcp != NULL);
- sum = tcp->tcp_tcp_hdr_len + tcp->tcp_sum;
- tcp_hdr_len = tcp->tcp_hdr_len;
- tcp_ip_hdr_len = tcp->tcp_ip_hdr_len;
+ sum = connp->conn_ht_ulp_len + connp->conn_sum;
+ total_hdr_len = connp->conn_ht_iphc_len;
+ ip_hdr_len = ixa->ixa_ip_hdr_length;
/* If a text string is passed in with the request, pass it to strlog. */
- if (str != NULL && tcp->tcp_debug) {
+ if (str != NULL && connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
"tcp_xmit_ctl: '%s', seq 0x%x, ack 0x%x, ctl 0x%x",
str, seq, ack, ctl);
}
- mp = allocb(tcp_ip_hdr_len + TCP_MAX_HDR_LENGTH + tcps->tcps_wroff_xtra,
+ mp = allocb(connp->conn_ht_iphc_allocated + tcps->tcps_wroff_xtra,
BPRI_MED);
if (mp == NULL) {
return;
}
rptr = &mp->b_rptr[tcps->tcps_wroff_xtra];
mp->b_rptr = rptr;
- mp->b_wptr = &rptr[tcp_hdr_len];
- bcopy(tcp->tcp_iphc, rptr, tcp_hdr_len);
+ mp->b_wptr = &rptr[total_hdr_len];
+ bcopy(connp->conn_ht_iphc, rptr, total_hdr_len);
+
+ ixa->ixa_pktlen = total_hdr_len;
- if (tcp->tcp_ipversion == IPV4_VERSION) {
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
ipha = (ipha_t *)rptr;
- ipha->ipha_length = htons(tcp_hdr_len);
+ ipha->ipha_length = htons(total_hdr_len);
} else {
ip6h = (ip6_t *)rptr;
- ASSERT(tcp != NULL);
- ip6h->ip6_plen = htons(tcp->tcp_hdr_len -
- ((char *)&tcp->tcp_ip6h[1] - tcp->tcp_iphc));
+ ip6h->ip6_plen = htons(total_hdr_len - IPV6_HDR_LEN);
}
- tcph = (tcph_t *)&rptr[tcp_ip_hdr_len];
- tcph->th_flags[0] = (uint8_t)ctl;
+ tcpha = (tcpha_t *)&rptr[ip_hdr_len];
+ tcpha->tha_flags = (uint8_t)ctl;
if (ctl & TH_RST) {
BUMP_MIB(&tcps->tcps_mib, tcpOutRsts);
BUMP_MIB(&tcps->tcps_mib, tcpOutControl);
@@ -21917,43 +16777,45 @@ tcp_xmit_ctl(char *str, tcp_t *tcp, uint32_t seq, uint32_t ack, int ctl)
*/
if (tcp->tcp_snd_ts_ok &&
tcp->tcp_state > TCPS_SYN_SENT) {
- mp->b_wptr = &rptr[tcp_hdr_len - TCPOPT_REAL_TS_LEN];
+ mp->b_wptr = &rptr[total_hdr_len - TCPOPT_REAL_TS_LEN];
*(mp->b_wptr) = TCPOPT_EOL;
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- ipha->ipha_length = htons(tcp_hdr_len -
+
+ ixa->ixa_pktlen = total_hdr_len - TCPOPT_REAL_TS_LEN;
+
+ if (connp->conn_ipversion == IPV4_VERSION) {
+ ipha->ipha_length = htons(total_hdr_len -
TCPOPT_REAL_TS_LEN);
} else {
- ip6h->ip6_plen = htons(ntohs(ip6h->ip6_plen) -
- TCPOPT_REAL_TS_LEN);
+ ip6h->ip6_plen = htons(total_hdr_len -
+ IPV6_HDR_LEN - TCPOPT_REAL_TS_LEN);
}
- tcph->th_offset_and_rsrvd[0] -= (3 << 4);
+ tcpha->tha_offset_and_reserved -= (3 << 4);
sum -= TCPOPT_REAL_TS_LEN;
}
}
if (ctl & TH_ACK) {
if (tcp->tcp_snd_ts_ok) {
U32_TO_BE32(lbolt,
- (char *)tcph+TCP_MIN_HEADER_LENGTH+4);
+ (char *)tcpha + TCP_MIN_HEADER_LENGTH+4);
U32_TO_BE32(tcp->tcp_ts_recent,
- (char *)tcph+TCP_MIN_HEADER_LENGTH+8);
+ (char *)tcpha + TCP_MIN_HEADER_LENGTH+8);
}
/* Update the latest receive window size in TCP header. */
- U32_TO_ABE16(tcp->tcp_rwnd >> tcp->tcp_rcv_ws,
- tcph->th_win);
+ tcpha->tha_win = htons(tcp->tcp_rwnd >> tcp->tcp_rcv_ws);
tcp->tcp_rack = ack;
tcp->tcp_rack_cnt = 0;
BUMP_MIB(&tcps->tcps_mib, tcpOutAck);
}
BUMP_LOCAL(tcp->tcp_obsegs);
- U32_TO_BE32(seq, tcph->th_seq);
- U32_TO_BE32(ack, tcph->th_ack);
+ tcpha->tha_seq = htonl(seq);
+ tcpha->tha_ack = htonl(ack);
/*
* Include the adjustment for a source route if any.
*/
sum = (sum >> 16) + (sum & 0xFFFF);
- U16_TO_BE16(sum, tcph->th_sum);
- tcp_send_data(tcp, tcp->tcp_wq, mp);
+ tcpha->tha_sum = htons(sum);
+ tcp_send_data(tcp, mp);
}
/*
@@ -21991,115 +16853,32 @@ tcp_send_rst_chk(tcp_stack_t *tcps)
}
/*
- * Send down the advice IP ioctl to tell IP to mark an IRE temporary.
- */
-static void
-tcp_ip_ire_mark_advice(tcp_t *tcp)
-{
- mblk_t *mp;
- ipic_t *ipic;
-
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- mp = tcp_ip_advise_mblk(&tcp->tcp_ipha->ipha_dst, IP_ADDR_LEN,
- &ipic);
- } else {
- mp = tcp_ip_advise_mblk(&tcp->tcp_ip6h->ip6_dst, IPV6_ADDR_LEN,
- &ipic);
- }
- if (mp == NULL)
- return;
- ipic->ipic_ire_marks |= IRE_MARK_TEMPORARY;
- CALL_IP_WPUT(tcp->tcp_connp, tcp->tcp_wq, mp);
-}
-
-/*
- * Return an IP advice ioctl mblk and set ipic to be the pointer
- * to the advice structure.
- */
-static mblk_t *
-tcp_ip_advise_mblk(void *addr, int addr_len, ipic_t **ipic)
-{
- struct iocblk *ioc;
- mblk_t *mp, *mp1;
-
- mp = allocb(sizeof (ipic_t) + addr_len, BPRI_HI);
- if (mp == NULL)
- return (NULL);
- bzero(mp->b_rptr, sizeof (ipic_t) + addr_len);
- *ipic = (ipic_t *)mp->b_rptr;
- (*ipic)->ipic_cmd = IP_IOC_IRE_ADVISE_NO_REPLY;
- (*ipic)->ipic_addr_offset = sizeof (ipic_t);
-
- bcopy(addr, *ipic + 1, addr_len);
-
- (*ipic)->ipic_addr_length = addr_len;
- mp->b_wptr = &mp->b_rptr[sizeof (ipic_t) + addr_len];
-
- mp1 = mkiocb(IP_IOCTL);
- if (mp1 == NULL) {
- freemsg(mp);
- return (NULL);
- }
- mp1->b_cont = mp;
- ioc = (struct iocblk *)mp1->b_rptr;
- ioc->ioc_count = sizeof (ipic_t) + addr_len;
-
- return (mp1);
-}
-
-/*
* Generate a reset based on an inbound packet, connp is set by caller
* when RST is in response to an unexpected inbound packet for which
* there is active tcp state in the system.
*
* IPSEC NOTE : Try to send the reply with the same protection as it came
- * in. We still have the ipsec_mp that the packet was attached to. Thus
- * the packet will go out at the same level of protection as it came in by
- * converting the IPSEC_IN to IPSEC_OUT.
+ * in. We have the ip_recv_attr_t which is reversed to form the ip_xmit_attr_t.
+ * That way the packet will go out at the same level of protection as it
+ * came in with.
*/
static void
-tcp_xmit_early_reset(char *str, mblk_t *mp, uint32_t seq,
- uint32_t ack, int ctl, uint_t ip_hdr_len, zoneid_t zoneid,
- tcp_stack_t *tcps, conn_t *connp)
+tcp_xmit_early_reset(char *str, mblk_t *mp, uint32_t seq, uint32_t ack, int ctl,
+ ip_recv_attr_t *ira, ip_stack_t *ipst, conn_t *connp)
{
ipha_t *ipha = NULL;
ip6_t *ip6h = NULL;
ushort_t len;
- tcph_t *tcph;
+ tcpha_t *tcpha;
int i;
- mblk_t *ipsec_mp;
- boolean_t mctl_present;
- ipic_t *ipic;
ipaddr_t v4addr;
in6_addr_t v6addr;
- int addr_len;
- void *addr;
- queue_t *q = tcps->tcps_g_q;
- tcp_t *tcp;
- cred_t *cr;
- pid_t pid;
- mblk_t *nmp;
- ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
-
- if (tcps->tcps_g_q == NULL) {
- /*
- * For non-zero stackids the default queue isn't created
- * until the first open, thus there can be a need to send
- * a reset before then. But we can't do that, hence we just
- * drop the packet. Later during boot, when the default queue
- * has been setup, a retransmitted packet from the peer
- * will result in a reset.
- */
- ASSERT(tcps->tcps_netstack->netstack_stackid !=
- GLOBAL_NETSTACKID);
- freemsg(mp);
- return;
- }
-
- if (connp != NULL)
- tcp = connp->conn_tcp;
- else
- tcp = Q_TO_TCP(q);
+ netstack_t *ns = ipst->ips_netstack;
+ tcp_stack_t *tcps = ns->netstack_tcp;
+ ip_xmit_attr_t ixas, *ixa;
+ uint_t ip_hdr_len = ira->ira_ip_hdr_length;
+ boolean_t need_refrele = B_FALSE; /* ixa_refrele(ixa) */
+ ushort_t port;
if (!tcp_send_rst_chk(tcps)) {
tcps->tcps_rst_unsent++;
@@ -22107,16 +16886,41 @@ tcp_xmit_early_reset(char *str, mblk_t *mp, uint32_t seq,
return;
}
- if (mp->b_datap->db_type == M_CTL) {
- ipsec_mp = mp;
- mp = mp->b_cont;
- mctl_present = B_TRUE;
+ /*
+ * If connp != NULL we use conn_ixa to keep IP_NEXTHOP and other
+ * options from the listener. In that case the caller must ensure that
+ * we are running on the listener = connp squeue.
+ *
+ * We get a safe copy of conn_ixa so we don't need to restore anything
+ * we or ip_output_simple might change in the ixa.
+ */
+ if (connp != NULL) {
+ ASSERT(connp->conn_on_sqp);
+
+ ixa = conn_get_ixa_exclusive(connp);
+ if (ixa == NULL) {
+ tcps->tcps_rst_unsent++;
+ freemsg(mp);
+ return;
+ }
+ need_refrele = B_TRUE;
} else {
- ipsec_mp = mp;
- mctl_present = B_FALSE;
+ bzero(&ixas, sizeof (ixas));
+ ixa = &ixas;
+ /*
+ * IXAF_VERIFY_SOURCE is overkill since we know the
+ * packet was for us.
+ */
+ ixa->ixa_flags |= IXAF_SET_ULP_CKSUM | IXAF_VERIFY_SOURCE;
+ ixa->ixa_protocol = IPPROTO_TCP;
+ ixa->ixa_zoneid = ira->ira_zoneid;
+ ixa->ixa_ifindex = 0;
+ ixa->ixa_ipst = ipst;
+ ixa->ixa_cred = kcred;
+ ixa->ixa_cpid = NOPID;
}
- if (str && q && tcps->tcps_dbg) {
+ if (str && tcps->tcps_dbg) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
"tcp_xmit_early_reset: '%s', seq 0x%x, ack 0x%x, "
"flags 0x%x",
@@ -22126,20 +16930,12 @@ tcp_xmit_early_reset(char *str, mblk_t *mp, uint32_t seq,
mblk_t *mp1 = copyb(mp);
freemsg(mp);
mp = mp1;
- if (!mp) {
- if (mctl_present)
- freeb(ipsec_mp);
- return;
- } else {
- if (mctl_present) {
- ipsec_mp->b_cont = mp;
- } else {
- ipsec_mp = mp;
- }
- }
+ if (mp == NULL)
+ goto done;
} else if (mp->b_cont) {
freemsg(mp->b_cont);
mp->b_cont = NULL;
+ DB_CKSUMFLAGS(mp) = 0;
}
/*
* We skip reversing source route here.
@@ -22159,18 +16955,20 @@ tcp_xmit_early_reset(char *str, mblk_t *mp, uint32_t seq,
*/
if (ipha->ipha_src == 0 || ipha->ipha_src == INADDR_BROADCAST ||
CLASSD(ipha->ipha_src)) {
- freemsg(ipsec_mp);
BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
- return;
+ ip_drop_input("ipIfStatsInDiscards", mp, NULL);
+ freemsg(mp);
+ goto done;
}
} else {
ip6h = (ip6_t *)mp->b_rptr;
if (IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src) ||
IN6_IS_ADDR_MULTICAST(&ip6h->ip6_src)) {
- freemsg(ipsec_mp);
BUMP_MIB(&ipst->ips_ip6_mib, ipIfStatsInDiscards);
- return;
+ ip_drop_input("ipIfStatsInDiscards", mp, NULL);
+ freemsg(mp);
+ goto done;
}
/* Remove any extension headers assuming partial overlay */
@@ -22185,13 +16983,13 @@ tcp_xmit_early_reset(char *str, mblk_t *mp, uint32_t seq,
ip6h->ip6_nxt = IPPROTO_TCP;
}
}
- tcph = (tcph_t *)&mp->b_rptr[ip_hdr_len];
- if (tcph->th_flags[0] & TH_RST) {
- freemsg(ipsec_mp);
- return;
+ tcpha = (tcpha_t *)&mp->b_rptr[ip_hdr_len];
+ if (tcpha->tha_flags & TH_RST) {
+ freemsg(mp);
+ goto done;
}
- tcph->th_offset_and_rsrvd[0] = (5 << 4);
- len = ip_hdr_len + sizeof (tcph_t);
+ tcpha->tha_offset_and_reserved = (5 << 4);
+ len = ip_hdr_len + sizeof (tcpha_t);
mp->b_wptr = &mp->b_rptr[len];
if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
ipha->ipha_length = htons(len);
@@ -22201,108 +16999,79 @@ tcp_xmit_early_reset(char *str, mblk_t *mp, uint32_t seq,
ipha->ipha_dst = v4addr;
ipha->ipha_ident = 0;
ipha->ipha_ttl = (uchar_t)tcps->tcps_ipv4_ttl;
- addr_len = IP_ADDR_LEN;
- addr = &v4addr;
+ ixa->ixa_flags |= IXAF_IS_IPV4;
+ ixa->ixa_ip_hdr_length = ip_hdr_len;
} else {
- /* No ip6i_t in this case */
ip6h->ip6_plen = htons(len - IPV6_HDR_LEN);
/* Swap addresses */
v6addr = ip6h->ip6_src;
ip6h->ip6_src = ip6h->ip6_dst;
ip6h->ip6_dst = v6addr;
ip6h->ip6_hops = (uchar_t)tcps->tcps_ipv6_hoplimit;
- addr_len = IPV6_ADDR_LEN;
- addr = &v6addr;
- }
- tcp_xchg(tcph->th_fport, tcph->th_lport, 2);
- U32_TO_BE32(ack, tcph->th_ack);
- U32_TO_BE32(seq, tcph->th_seq);
- U16_TO_BE16(0, tcph->th_win);
- U16_TO_BE16(sizeof (tcph_t), tcph->th_sum);
- tcph->th_flags[0] = (uint8_t)ctl;
+ ixa->ixa_flags &= ~IXAF_IS_IPV4;
+
+ if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_dst)) {
+ ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ ixa->ixa_scopeid = ira->ira_ruifindex;
+ }
+ ixa->ixa_ip_hdr_length = IPV6_HDR_LEN;
+ }
+ ixa->ixa_pktlen = len;
+
+ /* Swap the ports */
+ port = tcpha->tha_fport;
+ tcpha->tha_fport = tcpha->tha_lport;
+ tcpha->tha_lport = port;
+
+ tcpha->tha_ack = htonl(ack);
+ tcpha->tha_seq = htonl(seq);
+ tcpha->tha_win = 0;
+ tcpha->tha_sum = htons(sizeof (tcpha_t));
+ tcpha->tha_flags = (uint8_t)ctl;
if (ctl & TH_RST) {
BUMP_MIB(&tcps->tcps_mib, tcpOutRsts);
BUMP_MIB(&tcps->tcps_mib, tcpOutControl);
}
- /* IP trusts us to set up labels when required. */
- if (is_system_labeled() && (cr = msg_getcred(mp, &pid)) != NULL &&
- crgetlabel(cr) != NULL) {
- int err;
-
- if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION)
- err = tsol_check_label(cr, &mp,
- tcp->tcp_connp->conn_mac_mode,
- tcps->tcps_netstack->netstack_ip, pid);
- else
- err = tsol_check_label_v6(cr, &mp,
- tcp->tcp_connp->conn_mac_mode,
- tcps->tcps_netstack->netstack_ip, pid);
- if (mctl_present)
- ipsec_mp->b_cont = mp;
- else
- ipsec_mp = mp;
- if (err != 0) {
- freemsg(ipsec_mp);
- return;
- }
- if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
- ipha = (ipha_t *)mp->b_rptr;
- } else {
- ip6h = (ip6_t *)mp->b_rptr;
- }
+ /* Discard any old label */
+ if (ixa->ixa_free_flags & IXA_FREE_TSL) {
+ ASSERT(ixa->ixa_tsl != NULL);
+ label_rele(ixa->ixa_tsl);
+ ixa->ixa_free_flags &= ~IXA_FREE_TSL;
}
+ ixa->ixa_tsl = ira->ira_tsl; /* Behave as a multi-level responder */
- if (mctl_present) {
- ipsec_in_t *ii = (ipsec_in_t *)ipsec_mp->b_rptr;
-
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
- if (!ipsec_in_to_out(ipsec_mp, ipha, ip6h, zoneid)) {
- return;
+ if (ira->ira_flags & IRAF_IPSEC_SECURE) {
+ /*
+ * Apply IPsec based on how IPsec was applied to
+ * the packet that caused the RST.
+ */
+ if (!ipsec_in_to_out(ira, ixa, mp, ipha, ip6h)) {
+ BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
+ /* Note: mp already consumed and ip_drop_packet done */
+ goto done;
}
+ } else {
+ /*
+ * This is in clear. The RST message we are building
+ * here should go out in clear, independent of our policy.
+ */
+ ixa->ixa_flags |= IXAF_NO_IPSEC;
}
- if (zoneid == ALL_ZONES)
- zoneid = GLOBAL_ZONEID;
-
- /* Add the zoneid so ip_output routes it properly */
- if ((nmp = ip_prepend_zoneid(ipsec_mp, zoneid, ipst)) == NULL) {
- freemsg(ipsec_mp);
- return;
- }
- ipsec_mp = nmp;
/*
* NOTE: one might consider tracing a TCP packet here, but
* this function has no active TCP state and no tcp structure
* that has a trace buffer. If we traced here, we would have
* to keep a local trace buffer in tcp_record_trace().
- *
- * TSol note: The mblk that contains the incoming packet was
- * reused by tcp_xmit_listener_reset, so it already contains
- * the right credentials and we don't need to call mblk_setcred.
- * Also the conn's cred is not right since it is associated
- * with tcps_g_q.
*/
- CALL_IP_WPUT(tcp->tcp_connp, tcp->tcp_wq, ipsec_mp);
- /*
- * Tell IP to mark the IRE used for this destination temporary.
- * This way, we can limit our exposure to DoS attack because IP
- * creates an IRE for each destination. If there are too many,
- * the time to do any routing lookup will be extremely long. And
- * the lookup can be in interrupt context.
- *
- * Note that in normal circumstances, this marking should not
- * affect anything. It would be nice if only 1 message is
- * needed to inform IP that the IRE created for this RST should
- * not be added to the cache table. But there is currently
- * not such communication mechanism between TCP and IP. So
- * the best we can do now is to send the advice ioctl to IP
- * to mark the IRE temporary.
- */
- if ((mp = tcp_ip_advise_mblk(addr, addr_len, &ipic)) != NULL) {
- ipic->ipic_ire_marks |= IRE_MARK_TEMPORARY;
- CALL_IP_WPUT(tcp->tcp_connp, tcp->tcp_wq, mp);
+ (void) ip_output_simple(mp, ixa);
+done:
+ ixa_cleanup(ixa);
+ if (need_refrele) {
+ ASSERT(ixa != &ixas);
+ ixa_refrele(ixa);
}
}
@@ -22313,9 +17082,11 @@ tcp_xmit_early_reset(char *str, mblk_t *mp, uint32_t seq,
static int
tcp_xmit_end(tcp_t *tcp)
{
- ipic_t *ipic;
- mblk_t *mp;
+ mblk_t *mp;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ iulp_t uinfo;
+ ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
+ conn_t *connp = tcp->tcp_connp;
if (tcp->tcp_state < TCPS_SYN_RCVD ||
tcp->tcp_state > TCPS_CLOSE_WAIT) {
@@ -22337,7 +17108,7 @@ tcp_xmit_end(tcp_t *tcp)
tcp->tcp_fss, B_FALSE, NULL, B_FALSE);
if (mp) {
- tcp_send_data(tcp, tcp->tcp_wq, mp);
+ tcp_send_data(tcp, mp);
} else {
/*
* Couldn't allocate msg. Pretend we got it out.
@@ -22373,66 +17144,49 @@ tcp_xmit_end(tcp_t *tcp)
return (0);
/*
- * NOTE: should not update if source routes i.e. if tcp_remote if
- * different from the destination.
+ * We do not have a good algorithm to update ssthresh at this time.
+ * So don't do any update.
+ */
+ bzero(&uinfo, sizeof (uinfo));
+ uinfo.iulp_rtt = tcp->tcp_rtt_sa;
+ uinfo.iulp_rtt_sd = tcp->tcp_rtt_sd;
+
+ /*
+ * Note that uinfo is kept for conn_faddr in the DCE. Could update even
+ * if source routed but we don't.
*/
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- if (tcp->tcp_remote != tcp->tcp_ipha->ipha_dst) {
+ if (connp->conn_ipversion == IPV4_VERSION) {
+ if (connp->conn_faddr_v4 != tcp->tcp_ipha->ipha_dst) {
return (0);
}
- mp = tcp_ip_advise_mblk(&tcp->tcp_ipha->ipha_dst, IP_ADDR_LEN,
- &ipic);
+ (void) dce_update_uinfo_v4(connp->conn_faddr_v4, &uinfo, ipst);
} else {
- if (!(IN6_ARE_ADDR_EQUAL(&tcp->tcp_remote_v6,
+ uint_t ifindex;
+
+ if (!(IN6_ARE_ADDR_EQUAL(&connp->conn_faddr_v6,
&tcp->tcp_ip6h->ip6_dst))) {
return (0);
}
- mp = tcp_ip_advise_mblk(&tcp->tcp_ip6h->ip6_dst, IPV6_ADDR_LEN,
- &ipic);
- }
-
- /* Record route attributes in the IRE for use by future connections. */
- if (mp == NULL)
- return (0);
-
- /*
- * We do not have a good algorithm to update ssthresh at this time.
- * So don't do any update.
- */
- ipic->ipic_rtt = tcp->tcp_rtt_sa;
- ipic->ipic_rtt_sd = tcp->tcp_rtt_sd;
-
- CALL_IP_WPUT(tcp->tcp_connp, tcp->tcp_wq, mp);
-
- return (0);
-}
+ ifindex = 0;
+ if (IN6_IS_ADDR_LINKSCOPE(&connp->conn_faddr_v6)) {
+ ip_xmit_attr_t *ixa = connp->conn_ixa;
-/* ARGSUSED */
-void
-tcp_xmit_reset(void *arg, mblk_t *mp, void *arg2)
-{
- conn_t *connp = (conn_t *)arg;
- mblk_t *mp1;
- tcp_t *tcp = connp->conn_tcp;
- tcp_xmit_reset_event_t *eventp;
-
- ASSERT(mp->b_datap->db_type == M_PROTO &&
- MBLKL(mp) == sizeof (tcp_xmit_reset_event_t));
+ /*
+ * If we are going to create a DCE we'd better have
+ * an ifindex
+ */
+ if (ixa->ixa_nce != NULL) {
+ ifindex = ixa->ixa_nce->nce_common->ncec_ill->
+ ill_phyint->phyint_ifindex;
+ } else {
+ return (0);
+ }
+ }
- if (tcp->tcp_state != TCPS_LISTEN) {
- freemsg(mp);
- return;
+ (void) dce_update_uinfo(&connp->conn_faddr_v6, ifindex, &uinfo,
+ ipst);
}
-
- mp1 = mp->b_cont;
- mp->b_cont = NULL;
- eventp = (tcp_xmit_reset_event_t *)mp->b_rptr;
- ASSERT(eventp->tcp_xre_tcps->tcps_netstack ==
- connp->conn_netstack);
-
- tcp_xmit_listeners_reset(mp1, eventp->tcp_xre_iphdrlen,
- eventp->tcp_xre_zoneid, eventp->tcp_xre_tcps, connp);
- freemsg(mp);
+ return (0);
}
/*
@@ -22442,45 +17196,25 @@ tcp_xmit_reset(void *arg, mblk_t *mp, void *arg2)
* Note that we are reusing the incoming mp to construct the outgoing RST.
*/
void
-tcp_xmit_listeners_reset(mblk_t *mp, uint_t ip_hdr_len, zoneid_t zoneid,
- tcp_stack_t *tcps, conn_t *connp)
+tcp_xmit_listeners_reset(mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst,
+ conn_t *connp)
{
uchar_t *rptr;
uint32_t seg_len;
- tcph_t *tcph;
+ tcpha_t *tcpha;
uint32_t seg_seq;
uint32_t seg_ack;
uint_t flags;
- mblk_t *ipsec_mp;
ipha_t *ipha;
ip6_t *ip6h;
- boolean_t mctl_present = B_FALSE;
- boolean_t check = B_TRUE;
boolean_t policy_present;
+ netstack_t *ns = ipst->ips_netstack;
+ tcp_stack_t *tcps = ns->netstack_tcp;
ipsec_stack_t *ipss = tcps->tcps_netstack->netstack_ipsec;
+ uint_t ip_hdr_len = ira->ira_ip_hdr_length;
TCP_STAT(tcps, tcp_no_listener);
- ipsec_mp = mp;
-
- if (mp->b_datap->db_type == M_CTL) {
- ipsec_in_t *ii;
-
- mctl_present = B_TRUE;
- mp = mp->b_cont;
-
- ii = (ipsec_in_t *)ipsec_mp->b_rptr;
- ASSERT(ii->ipsec_in_type == IPSEC_IN);
- if (ii->ipsec_in_dont_check) {
- check = B_FALSE;
- if (!ii->ipsec_in_secure) {
- freeb(ipsec_mp);
- mctl_present = B_FALSE;
- ipsec_mp = mp;
- }
- }
- }
-
if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
policy_present = ipss->ipsec_inbound_v4_policy_present;
ipha = (ipha_t *)mp->b_rptr;
@@ -22491,41 +17225,39 @@ tcp_xmit_listeners_reset(mblk_t *mp, uint_t ip_hdr_len, zoneid_t zoneid,
ip6h = (ip6_t *)mp->b_rptr;
}
- if (check && policy_present) {
+ if (policy_present) {
/*
* The conn_t parameter is NULL because we already know
* nobody's home.
*/
- ipsec_mp = ipsec_check_global_policy(
- ipsec_mp, (conn_t *)NULL, ipha, ip6h, mctl_present,
- tcps->tcps_netstack);
- if (ipsec_mp == NULL)
+ mp = ipsec_check_global_policy(mp, (conn_t *)NULL, ipha, ip6h,
+ ira, ns);
+ if (mp == NULL)
return;
}
- if (is_system_labeled() && !tsol_can_reply_error(mp)) {
+ if (is_system_labeled() && !tsol_can_reply_error(mp, ira)) {
DTRACE_PROBE2(
tx__ip__log__error__nolistener__tcp,
char *, "Could not reply with RST to mp(1)",
mblk_t *, mp);
ip2dbg(("tcp_xmit_listeners_reset: not permitted to reply\n"));
- freemsg(ipsec_mp);
+ freemsg(mp);
return;
}
rptr = mp->b_rptr;
- tcph = (tcph_t *)&rptr[ip_hdr_len];
- seg_seq = BE32_TO_U32(tcph->th_seq);
- seg_ack = BE32_TO_U32(tcph->th_ack);
- flags = tcph->th_flags[0];
+ tcpha = (tcpha_t *)&rptr[ip_hdr_len];
+ seg_seq = ntohl(tcpha->tha_seq);
+ seg_ack = ntohl(tcpha->tha_ack);
+ flags = tcpha->tha_flags;
- seg_len = msgdsize(mp) - (TCP_HDR_LENGTH(tcph) + ip_hdr_len);
+ seg_len = msgdsize(mp) - (TCP_HDR_LENGTH(tcpha) + ip_hdr_len);
if (flags & TH_RST) {
- freemsg(ipsec_mp);
+ freemsg(mp);
} else if (flags & TH_ACK) {
- tcp_xmit_early_reset("no tcp, reset",
- ipsec_mp, seg_ack, 0, TH_RST, ip_hdr_len, zoneid, tcps,
- connp);
+ tcp_xmit_early_reset("no tcp, reset", mp, seg_ack, 0, TH_RST,
+ ira, ipst, connp);
} else {
if (flags & TH_SYN) {
seg_len++;
@@ -22537,14 +17269,13 @@ tcp_xmit_listeners_reset(mblk_t *mp, uint_t ip_hdr_len, zoneid_t zoneid,
* segment is neither. Just drop it on the
* floor.
*/
- freemsg(ipsec_mp);
+ freemsg(mp);
tcps->tcps_rst_unsent++;
return;
}
- tcp_xmit_early_reset("no tcp, reset/ack",
- ipsec_mp, 0, seg_seq + seg_len,
- TH_RST | TH_ACK, ip_hdr_len, zoneid, tcps, connp);
+ tcp_xmit_early_reset("no tcp, reset/ack", mp, 0,
+ seg_seq + seg_len, TH_RST | TH_ACK, ira, ipst, connp);
}
}
@@ -22573,14 +17304,16 @@ tcp_xmit_mp(tcp_t *tcp, mblk_t *mp, int32_t max_to_send, int32_t *offset,
mblk_t *mp1;
mblk_t *mp2;
uchar_t *rptr;
- tcph_t *tcph;
+ tcpha_t *tcpha;
int32_t num_sack_blk = 0;
int32_t sack_opt_len = 0;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
+ ip_xmit_attr_t *ixa = connp->conn_ixa;
/* Allocate for our maximum TCP header + link-level */
- mp1 = allocb(tcp->tcp_ip_hdr_len + TCP_MAX_HDR_LENGTH +
- tcps->tcps_wroff_xtra, BPRI_MED);
+ mp1 = allocb(connp->conn_ht_iphc_allocated + tcps->tcps_wroff_xtra,
+ BPRI_MED);
if (!mp1)
return (NULL);
data_length = 0;
@@ -22646,15 +17379,14 @@ tcp_xmit_mp(tcp_t *tcp, mblk_t *mp, int32_t max_to_send, int32_t *offset,
}
/* Update the latest receive window size in TCP header. */
- U32_TO_ABE16(tcp->tcp_rwnd >> tcp->tcp_rcv_ws,
- tcp->tcp_tcph->th_win);
+ tcp->tcp_tcpha->tha_win = htons(tcp->tcp_rwnd >> tcp->tcp_rcv_ws);
rptr = mp1->b_rptr + tcps->tcps_wroff_xtra;
mp1->b_rptr = rptr;
- mp1->b_wptr = rptr + tcp->tcp_hdr_len + sack_opt_len;
- bcopy(tcp->tcp_iphc, rptr, tcp->tcp_hdr_len);
- tcph = (tcph_t *)&rptr[tcp->tcp_ip_hdr_len];
- U32_TO_ABE32(seq, tcph->th_seq);
+ mp1->b_wptr = rptr + connp->conn_ht_iphc_len + sack_opt_len;
+ bcopy(connp->conn_ht_iphc, rptr, connp->conn_ht_iphc_len);
+ tcpha = (tcpha_t *)&rptr[ixa->ixa_ip_hdr_length];
+ tcpha->tha_seq = htonl(seq);
/*
* Use tcp_unsent to determine if the PUSH bit should be used assumes
@@ -22729,14 +17461,14 @@ tcp_xmit_mp(tcp_t *tcp, mblk_t *mp, int32_t max_to_send, int32_t *offset,
wptr[0] = TCPOPT_MAXSEG;
wptr[1] = TCPOPT_MAXSEG_LEN;
wptr += 2;
- u1 = tcp->tcp_if_mtu -
- (tcp->tcp_ipversion == IPV4_VERSION ?
+ u1 = tcp->tcp_initial_pmtu -
+ (connp->conn_ipversion == IPV4_VERSION ?
IP_SIMPLE_HDR_LENGTH : IPV6_HDR_LEN) -
TCP_MIN_HEADER_LENGTH;
U16_TO_BE16(u1, wptr);
mp1->b_wptr = wptr + 2;
/* Update the offset to cover the additional word */
- tcph->th_offset_and_rsrvd[0] += (1 << 4);
+ tcpha->tha_offset_and_reserved += (1 << 4);
/*
* Note that the following way of filling in
@@ -22763,7 +17495,7 @@ tcp_xmit_mp(tcp_t *tcp, mblk_t *mp, int32_t max_to_send, int32_t *offset,
ASSERT(tcp->tcp_ts_recent == 0);
U32_TO_BE32(0L, wptr);
mp1->b_wptr += TCPOPT_REAL_TS_LEN;
- tcph->th_offset_and_rsrvd[0] +=
+ tcpha->tha_offset_and_reserved +=
(3 << 4);
}
@@ -22819,7 +17551,7 @@ tcp_xmit_mp(tcp_t *tcp, mblk_t *mp, int32_t max_to_send, int32_t *offset,
wptr[2] = TCPOPT_WS_LEN;
wptr[3] = (uchar_t)tcp->tcp_rcv_ws;
mp1->b_wptr += TCPOPT_REAL_WS_LEN;
- tcph->th_offset_and_rsrvd[0] += (1 << 4);
+ tcpha->tha_offset_and_reserved += (1 << 4);
}
if (tcp->tcp_snd_sack_ok) {
@@ -22829,7 +17561,7 @@ tcp_xmit_mp(tcp_t *tcp, mblk_t *mp, int32_t max_to_send, int32_t *offset,
wptr[2] = TCPOPT_SACK_PERMITTED;
wptr[3] = TCPOPT_SACK_OK_LEN;
mp1->b_wptr += TCPOPT_REAL_SACK_OK_LEN;
- tcph->th_offset_and_rsrvd[0] += (1 << 4);
+ tcpha->tha_offset_and_reserved += (1 << 4);
}
/* allocb() of adequate mblk assures space */
@@ -22840,9 +17572,9 @@ tcp_xmit_mp(tcp_t *tcp, mblk_t *mp, int32_t max_to_send, int32_t *offset,
* Get IP set to checksum on our behalf
* Include the adjustment for a source route if any.
*/
- u1 += tcp->tcp_sum;
+ u1 += connp->conn_sum;
u1 = (u1 >> 16) + (u1 & 0xFFFF);
- U16_TO_BE16(u1, tcph->th_sum);
+ tcpha->tha_sum = htons(u1);
BUMP_MIB(&tcps->tcps_mib, tcpOutControl);
}
if ((tcp->tcp_valid_bits & TCP_FSS_VALID) &&
@@ -22878,10 +17610,10 @@ tcp_xmit_mp(tcp_t *tcp, mblk_t *mp, int32_t max_to_send, int32_t *offset,
u1 < (uint32_t)(64 * 1024)) {
flags |= TH_URG;
BUMP_MIB(&tcps->tcps_mib, tcpOutUrg);
- U32_TO_ABE16(u1, tcph->th_urp);
+ tcpha->tha_urp = htons(u1);
}
}
- tcph->th_flags[0] = (uchar_t)flags;
+ tcpha->tha_flags = (uchar_t)flags;
tcp->tcp_rack = tcp->tcp_rnxt;
tcp->tcp_rack_cnt = 0;
@@ -22890,14 +17622,14 @@ tcp_xmit_mp(tcp_t *tcp, mblk_t *mp, int32_t max_to_send, int32_t *offset,
uint32_t llbolt = (uint32_t)lbolt;
U32_TO_BE32(llbolt,
- (char *)tcph+TCP_MIN_HEADER_LENGTH+4);
+ (char *)tcpha + TCP_MIN_HEADER_LENGTH+4);
U32_TO_BE32(tcp->tcp_ts_recent,
- (char *)tcph+TCP_MIN_HEADER_LENGTH+8);
+ (char *)tcpha + TCP_MIN_HEADER_LENGTH+8);
}
}
if (num_sack_blk > 0) {
- uchar_t *wptr = (uchar_t *)tcph + tcp->tcp_tcp_hdr_len;
+ uchar_t *wptr = (uchar_t *)tcpha + connp->conn_ht_ulp_len;
sack_blk_t *tmp;
int32_t i;
@@ -22915,33 +17647,34 @@ tcp_xmit_mp(tcp_t *tcp, mblk_t *mp, int32_t max_to_send, int32_t *offset,
U32_TO_BE32(tmp[i].end, wptr);
wptr += sizeof (tcp_seq);
}
- tcph->th_offset_and_rsrvd[0] += ((num_sack_blk * 2 + 1) << 4);
+ tcpha->tha_offset_and_reserved += ((num_sack_blk * 2 + 1) << 4);
}
ASSERT((uintptr_t)(mp1->b_wptr - rptr) <= (uintptr_t)INT_MAX);
data_length += (int)(mp1->b_wptr - rptr);
- if (tcp->tcp_ipversion == IPV4_VERSION) {
+
+ ixa->ixa_pktlen = data_length;
+
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
((ipha_t *)rptr)->ipha_length = htons(data_length);
} else {
- ip6_t *ip6 = (ip6_t *)(rptr +
- (((ip6_t *)rptr)->ip6_nxt == IPPROTO_RAW ?
- sizeof (ip6i_t) : 0));
+ ip6_t *ip6 = (ip6_t *)rptr;
- ip6->ip6_plen = htons(data_length -
- ((char *)&tcp->tcp_ip6h[1] - tcp->tcp_iphc));
+ ip6->ip6_plen = htons(data_length - IPV6_HDR_LEN);
}
/*
* Prime pump for IP
* Include the adjustment for a source route if any.
*/
- data_length -= tcp->tcp_ip_hdr_len;
- data_length += tcp->tcp_sum;
+ data_length -= ixa->ixa_ip_hdr_length;
+ data_length += connp->conn_sum;
data_length = (data_length >> 16) + (data_length & 0xFFFF);
- U16_TO_ABE16(data_length, tcph->th_sum);
+ tcpha->tha_sum = htons(data_length);
if (tcp->tcp_ip_forward_progress) {
- ASSERT(tcp->tcp_ipversion == IPV6_VERSION);
- *(uint32_t *)mp1->b_rptr |= IP_FORWARD_PROG;
tcp->tcp_ip_forward_progress = B_FALSE;
+ connp->conn_ixa->ixa_flags |= IXAF_REACH_CONF;
+ } else {
+ connp->conn_ixa->ixa_flags &= ~IXAF_REACH_CONF;
}
return (mp1);
}
@@ -23012,7 +17745,7 @@ tcp_ack_timer(void *arg)
BUMP_LOCAL(tcp->tcp_obsegs);
BUMP_MIB(&tcps->tcps_mib, tcpOutAck);
BUMP_MIB(&tcps->tcps_mib, tcpOutAckDelayed);
- tcp_send_data(tcp, tcp->tcp_wq, mp);
+ tcp_send_data(tcp, mp);
}
}
@@ -23023,6 +17756,7 @@ tcp_ack_mp(tcp_t *tcp)
{
uint32_t seq_no;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
/*
* There are a few cases to be considered while setting the sequence no.
@@ -23058,12 +17792,13 @@ tcp_ack_mp(tcp_t *tcp)
/* Generate a simple ACK */
int data_length;
uchar_t *rptr;
- tcph_t *tcph;
+ tcpha_t *tcpha;
mblk_t *mp1;
+ int32_t total_hdr_len;
int32_t tcp_hdr_len;
- int32_t tcp_tcp_hdr_len;
int32_t num_sack_blk = 0;
int32_t sack_opt_len;
+ ip_xmit_attr_t *ixa = connp->conn_ixa;
/*
* Allocate space for TCP + IP headers
@@ -23074,34 +17809,34 @@ tcp_ack_mp(tcp_t *tcp)
tcp->tcp_num_sack_blk);
sack_opt_len = num_sack_blk * sizeof (sack_blk_t) +
TCPOPT_NOP_LEN * 2 + TCPOPT_HEADER_LEN;
- tcp_hdr_len = tcp->tcp_hdr_len + sack_opt_len;
- tcp_tcp_hdr_len = tcp->tcp_tcp_hdr_len + sack_opt_len;
+ total_hdr_len = connp->conn_ht_iphc_len + sack_opt_len;
+ tcp_hdr_len = connp->conn_ht_ulp_len + sack_opt_len;
} else {
- tcp_hdr_len = tcp->tcp_hdr_len;
- tcp_tcp_hdr_len = tcp->tcp_tcp_hdr_len;
+ total_hdr_len = connp->conn_ht_iphc_len;
+ tcp_hdr_len = connp->conn_ht_ulp_len;
}
- mp1 = allocb(tcp_hdr_len + tcps->tcps_wroff_xtra, BPRI_MED);
+ mp1 = allocb(total_hdr_len + tcps->tcps_wroff_xtra, BPRI_MED);
if (!mp1)
return (NULL);
/* Update the latest receive window size in TCP header. */
- U32_TO_ABE16(tcp->tcp_rwnd >> tcp->tcp_rcv_ws,
- tcp->tcp_tcph->th_win);
+ tcp->tcp_tcpha->tha_win =
+ htons(tcp->tcp_rwnd >> tcp->tcp_rcv_ws);
/* copy in prototype TCP + IP header */
rptr = mp1->b_rptr + tcps->tcps_wroff_xtra;
mp1->b_rptr = rptr;
- mp1->b_wptr = rptr + tcp_hdr_len;
- bcopy(tcp->tcp_iphc, rptr, tcp->tcp_hdr_len);
+ mp1->b_wptr = rptr + total_hdr_len;
+ bcopy(connp->conn_ht_iphc, rptr, connp->conn_ht_iphc_len);
- tcph = (tcph_t *)&rptr[tcp->tcp_ip_hdr_len];
+ tcpha = (tcpha_t *)&rptr[ixa->ixa_ip_hdr_length];
/* Set the TCP sequence number. */
- U32_TO_ABE32(seq_no, tcph->th_seq);
+ tcpha->tha_seq = htonl(seq_no);
/* Set up the TCP flag field. */
- tcph->th_flags[0] = (uchar_t)TH_ACK;
+ tcpha->tha_flags = (uchar_t)TH_ACK;
if (tcp->tcp_ecn_echo_on)
- tcph->th_flags[0] |= TH_ECE;
+ tcpha->tha_flags |= TH_ECE;
tcp->tcp_rack = tcp->tcp_rnxt;
tcp->tcp_rack_cnt = 0;
@@ -23111,14 +17846,15 @@ tcp_ack_mp(tcp_t *tcp)
uint32_t llbolt = (uint32_t)lbolt;
U32_TO_BE32(llbolt,
- (char *)tcph+TCP_MIN_HEADER_LENGTH+4);
+ (char *)tcpha + TCP_MIN_HEADER_LENGTH+4);
U32_TO_BE32(tcp->tcp_ts_recent,
- (char *)tcph+TCP_MIN_HEADER_LENGTH+8);
+ (char *)tcpha + TCP_MIN_HEADER_LENGTH+8);
}
/* Fill in SACK options */
if (num_sack_blk > 0) {
- uchar_t *wptr = (uchar_t *)tcph + tcp->tcp_tcp_hdr_len;
+ uchar_t *wptr = (uchar_t *)tcpha +
+ connp->conn_ht_ulp_len;
sack_blk_t *tmp;
int32_t i;
@@ -23136,34 +17872,33 @@ tcp_ack_mp(tcp_t *tcp)
U32_TO_BE32(tmp[i].end, wptr);
wptr += sizeof (tcp_seq);
}
- tcph->th_offset_and_rsrvd[0] += ((num_sack_blk * 2 + 1)
- << 4);
+ tcpha->tha_offset_and_reserved +=
+ ((num_sack_blk * 2 + 1) << 4);
}
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- ((ipha_t *)rptr)->ipha_length = htons(tcp_hdr_len);
+ ixa->ixa_pktlen = total_hdr_len;
+
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ((ipha_t *)rptr)->ipha_length = htons(total_hdr_len);
} else {
- /* Check for ip6i_t header in sticky hdrs */
- ip6_t *ip6 = (ip6_t *)(rptr +
- (((ip6_t *)rptr)->ip6_nxt == IPPROTO_RAW ?
- sizeof (ip6i_t) : 0));
+ ip6_t *ip6 = (ip6_t *)rptr;
- ip6->ip6_plen = htons(tcp_hdr_len -
- ((char *)&tcp->tcp_ip6h[1] - tcp->tcp_iphc));
+ ip6->ip6_plen = htons(total_hdr_len - IPV6_HDR_LEN);
}
/*
* Prime pump for checksum calculation in IP. Include the
* adjustment for a source route if any.
*/
- data_length = tcp_tcp_hdr_len + tcp->tcp_sum;
+ data_length = tcp_hdr_len + connp->conn_sum;
data_length = (data_length >> 16) + (data_length & 0xFFFF);
- U16_TO_ABE16(data_length, tcph->th_sum);
+ tcpha->tha_sum = htons(data_length);
if (tcp->tcp_ip_forward_progress) {
- ASSERT(tcp->tcp_ipversion == IPV6_VERSION);
- *(uint32_t *)mp1->b_rptr |= IP_FORWARD_PROG;
tcp->tcp_ip_forward_progress = B_FALSE;
+ connp->conn_ixa->ixa_flags |= IXAF_REACH_CONF;
+ } else {
+ connp->conn_ixa->ixa_flags &= ~IXAF_REACH_CONF;
}
return (mp1);
}
@@ -23183,6 +17918,8 @@ tcp_bind_hash_insert(tf_t *tbf, tcp_t *tcp, int caller_holds_lock)
tcp_t **tcpp;
tcp_t *tcpnext;
tcp_t *tcphash;
+ conn_t *connp = tcp->tcp_connp;
+ conn_t *connext;
if (tcp->tcp_ptpbhn != NULL) {
ASSERT(!caller_holds_lock);
@@ -23199,7 +17936,7 @@ tcp_bind_hash_insert(tf_t *tbf, tcp_t *tcp, int caller_holds_lock)
if (tcphash != NULL) {
/* Look for an entry using the same port */
while ((tcphash = tcpp[0]) != NULL &&
- tcp->tcp_lport != tcphash->tcp_lport)
+ connp->conn_lport != tcphash->tcp_connp->conn_lport)
tcpp = &(tcphash->tcp_bind_hash);
/* The port was not found, just add to the end */
@@ -23219,14 +17956,19 @@ tcp_bind_hash_insert(tf_t *tbf, tcp_t *tcp, int caller_holds_lock)
* INADDR_ANY.
*/
tcpnext = tcphash;
+ connext = tcpnext->tcp_connp;
tcphash = NULL;
- if (V6_OR_V4_INADDR_ANY(tcp->tcp_bound_source_v6) &&
- !V6_OR_V4_INADDR_ANY(tcpnext->tcp_bound_source_v6)) {
- while ((tcpnext = tcpp[0]) != NULL &&
- !V6_OR_V4_INADDR_ANY(tcpnext->tcp_bound_source_v6))
- tcpp = &(tcpnext->tcp_bind_hash_port);
-
- if (tcpnext) {
+ if (V6_OR_V4_INADDR_ANY(connp->conn_bound_addr_v6) &&
+ !V6_OR_V4_INADDR_ANY(connext->conn_bound_addr_v6)) {
+ while ((tcpnext = tcpp[0]) != NULL) {
+ connext = tcpnext->tcp_connp;
+ if (!V6_OR_V4_INADDR_ANY(
+ connext->conn_bound_addr_v6))
+ tcpp = &(tcpnext->tcp_bind_hash_port);
+ else
+ break;
+ }
+ if (tcpnext != NULL) {
tcpnext->tcp_ptpbhn = &tcp->tcp_bind_hash_port;
tcphash = tcpnext->tcp_bind_hash;
if (tcphash != NULL) {
@@ -23263,6 +18005,7 @@ tcp_bind_hash_remove(tcp_t *tcp)
tcp_t *tcpnext;
kmutex_t *lockp;
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
if (tcp->tcp_ptpbhn == NULL)
return;
@@ -23271,8 +18014,9 @@ tcp_bind_hash_remove(tcp_t *tcp)
* Extract the lock pointer in case there are concurrent
* hash_remove's for this instance.
*/
- ASSERT(tcp->tcp_lport != 0);
- lockp = &tcps->tcps_bind_fanout[TCP_BIND_HASH(tcp->tcp_lport)].tf_lock;
+ ASSERT(connp->conn_lport != 0);
+ lockp = &tcps->tcps_bind_fanout[TCP_BIND_HASH(
+ connp->conn_lport)].tf_lock;
ASSERT(lockp != NULL);
mutex_enter(lockp);
@@ -23548,7 +18292,7 @@ tcp_conprim_opt_process(tcp_t *tcp, mblk_t *mp, int *do_disconnectp,
*sys_errorp = 0;
*do_disconnectp = 0;
- error = tpi_optcom_buf(tcp->tcp_wq, mp, opt_lenp,
+ error = tpi_optcom_buf(tcp->tcp_connp->conn_wq, mp, opt_lenp,
opt_offset, cr, &tcp_opt_obj,
NULL, &is_absreq_failure);
@@ -23663,238 +18407,6 @@ tcp_sack_info_constructor(void *buf, void *cdrarg, int kmflags)
return (0);
}
-/* ARGSUSED */
-static int
-tcp_iphc_constructor(void *buf, void *cdrarg, int kmflags)
-{
- bzero(buf, TCP_MAX_COMBINED_HEADER_LENGTH);
- return (0);
-}
-
-/*
- * Make sure we wait until the default queue is setup, yet allow
- * tcp_g_q_create() to open a TCP stream.
- * We need to allow tcp_g_q_create() do do an open
- * of tcp, hence we compare curhread.
- * All others have to wait until the tcps_g_q has been
- * setup.
- */
-void
-tcp_g_q_setup(tcp_stack_t *tcps)
-{
- mutex_enter(&tcps->tcps_g_q_lock);
- if (tcps->tcps_g_q != NULL) {
- mutex_exit(&tcps->tcps_g_q_lock);
- return;
- }
- if (tcps->tcps_g_q_creator == NULL) {
- /* This thread will set it up */
- tcps->tcps_g_q_creator = curthread;
- mutex_exit(&tcps->tcps_g_q_lock);
- tcp_g_q_create(tcps);
- mutex_enter(&tcps->tcps_g_q_lock);
- ASSERT(tcps->tcps_g_q_creator == curthread);
- tcps->tcps_g_q_creator = NULL;
- cv_signal(&tcps->tcps_g_q_cv);
- ASSERT(tcps->tcps_g_q != NULL);
- mutex_exit(&tcps->tcps_g_q_lock);
- return;
- }
- /* Everybody but the creator has to wait */
- if (tcps->tcps_g_q_creator != curthread) {
- while (tcps->tcps_g_q == NULL)
- cv_wait(&tcps->tcps_g_q_cv, &tcps->tcps_g_q_lock);
- }
- mutex_exit(&tcps->tcps_g_q_lock);
-}
-
-#define IP "ip"
-
-#define TCP6DEV "/devices/pseudo/tcp6@0:tcp6"
-
-/*
- * Create a default tcp queue here instead of in strplumb
- */
-void
-tcp_g_q_create(tcp_stack_t *tcps)
-{
- int error;
- ldi_handle_t lh = NULL;
- ldi_ident_t li = NULL;
- int rval;
- cred_t *cr;
- major_t IP_MAJ;
-
-#ifdef NS_DEBUG
- (void) printf("tcp_g_q_create()\n");
-#endif
-
- IP_MAJ = ddi_name_to_major(IP);
-
- ASSERT(tcps->tcps_g_q_creator == curthread);
-
- error = ldi_ident_from_major(IP_MAJ, &li);
- if (error) {
-#ifdef DEBUG
- printf("tcp_g_q_create: lyr ident get failed error %d\n",
- error);
-#endif
- return;
- }
-
- cr = zone_get_kcred(netstackid_to_zoneid(
- tcps->tcps_netstack->netstack_stackid));
- ASSERT(cr != NULL);
- /*
- * We set the tcp default queue to IPv6 because IPv4 falls
- * back to IPv6 when it can't find a client, but
- * IPv6 does not fall back to IPv4.
- */
- error = ldi_open_by_name(TCP6DEV, FREAD|FWRITE, cr, &lh, li);
- if (error) {
-#ifdef DEBUG
- printf("tcp_g_q_create: open of TCP6DEV failed error %d\n",
- error);
-#endif
- goto out;
- }
-
- /*
- * This ioctl causes the tcp framework to cache a pointer to
- * this stream, so we don't want to close the stream after
- * this operation.
- * Use the kernel credentials that are for the zone we're in.
- */
- error = ldi_ioctl(lh, TCP_IOC_DEFAULT_Q,
- (intptr_t)0, FKIOCTL, cr, &rval);
- if (error) {
-#ifdef DEBUG
- printf("tcp_g_q_create: ioctl TCP_IOC_DEFAULT_Q failed "
- "error %d\n", error);
-#endif
- goto out;
- }
- tcps->tcps_g_q_lh = lh; /* For tcp_g_q_close */
- lh = NULL;
-out:
- /* Close layered handles */
- if (li)
- ldi_ident_release(li);
- /* Keep cred around until _inactive needs it */
- tcps->tcps_g_q_cr = cr;
-}
-
-/*
- * We keep tcp_g_q set until all other tcp_t's in the zone
- * has gone away, and then when tcp_g_q_inactive() is called
- * we clear it.
- */
-void
-tcp_g_q_destroy(tcp_stack_t *tcps)
-{
-#ifdef NS_DEBUG
- (void) printf("tcp_g_q_destroy()for stack %d\n",
- tcps->tcps_netstack->netstack_stackid);
-#endif
-
- if (tcps->tcps_g_q == NULL) {
- return; /* Nothing to cleanup */
- }
- /*
- * Drop reference corresponding to the default queue.
- * This reference was added from tcp_open when the default queue
- * was created, hence we compensate for this extra drop in
- * tcp_g_q_close. If the refcnt drops to zero here it means
- * the default queue was the last one to be open, in which
- * case, then tcp_g_q_inactive will be
- * called as a result of the refrele.
- */
- TCPS_REFRELE(tcps);
-}
-
-/*
- * Called when last tcp_t drops reference count using TCPS_REFRELE.
- * Run by tcp_q_q_inactive using a taskq.
- */
-static void
-tcp_g_q_close(void *arg)
-{
- tcp_stack_t *tcps = arg;
- int error;
- ldi_handle_t lh = NULL;
- ldi_ident_t li = NULL;
- cred_t *cr;
- major_t IP_MAJ;
-
- IP_MAJ = ddi_name_to_major(IP);
-
-#ifdef NS_DEBUG
- (void) printf("tcp_g_q_inactive() for stack %d refcnt %d\n",
- tcps->tcps_netstack->netstack_stackid,
- tcps->tcps_netstack->netstack_refcnt);
-#endif
- lh = tcps->tcps_g_q_lh;
- if (lh == NULL)
- return; /* Nothing to cleanup */
-
- ASSERT(tcps->tcps_refcnt == 1);
- ASSERT(tcps->tcps_g_q != NULL);
-
- error = ldi_ident_from_major(IP_MAJ, &li);
- if (error) {
-#ifdef DEBUG
- printf("tcp_g_q_inactive: lyr ident get failed error %d\n",
- error);
-#endif
- return;
- }
-
- cr = tcps->tcps_g_q_cr;
- tcps->tcps_g_q_cr = NULL;
- ASSERT(cr != NULL);
-
- /*
- * Make sure we can break the recursion when tcp_close decrements
- * the reference count causing g_q_inactive to be called again.
- */
- tcps->tcps_g_q_lh = NULL;
-
- /* close the default queue */
- (void) ldi_close(lh, FREAD|FWRITE, cr);
- /*
- * At this point in time tcps and the rest of netstack_t might
- * have been deleted.
- */
- tcps = NULL;
-
- /* Close layered handles */
- ldi_ident_release(li);
- crfree(cr);
-}
-
-/*
- * Called when last tcp_t drops reference count using TCPS_REFRELE.
- *
- * Have to ensure that the ldi routines are not used by an
- * interrupt thread by using a taskq.
- */
-void
-tcp_g_q_inactive(tcp_stack_t *tcps)
-{
- if (tcps->tcps_g_q_lh == NULL)
- return; /* Nothing to cleanup */
-
- ASSERT(tcps->tcps_refcnt == 0);
- TCPS_REFHOLD(tcps); /* Compensate for what g_q_destroy did */
-
- if (servicing_interrupt()) {
- (void) taskq_dispatch(tcp_taskq, tcp_g_q_close,
- (void *) tcps, TQ_SLEEP);
- } else {
- tcp_g_q_close(tcps);
- }
-}
-
/*
* Called by IP when IP is loaded into the kernel
*/
@@ -23909,10 +18421,6 @@ tcp_ddi_g_init(void)
sizeof (tcp_sack_info_t), 0,
tcp_sack_info_constructor, NULL, NULL, NULL, NULL, 0);
- tcp_iphc_cache = kmem_cache_create("tcp_iphc_cache",
- TCP_MAX_COMBINED_HEADER_LENGTH, 0,
- tcp_iphc_constructor, NULL, NULL, NULL, NULL, 0);
-
mutex_init(&tcp_random_lock, NULL, MUTEX_DEFAULT, NULL);
/* Initialize the random number generator */
@@ -23923,9 +18431,6 @@ tcp_ddi_g_init(void)
tcp_g_kstat = tcp_g_kstat_init(&tcp_g_statistics);
- tcp_taskq = taskq_create("tcp_taskq", 1, minclsyspri, 1, 1,
- TASKQ_PREPOPULATE);
-
tcp_squeue_flag = tcp_squeue_switch(tcp_squeue_wput);
/*
@@ -23933,8 +18438,7 @@ tcp_ddi_g_init(void)
* destroyed in the kernel, so we can maintain the
* set of tcp_stack_t's.
*/
- netstack_register(NS_TCP, tcp_stack_init, tcp_stack_shutdown,
- tcp_stack_fini);
+ netstack_register(NS_TCP, tcp_stack_init, NULL, tcp_stack_fini);
}
@@ -23956,8 +18460,6 @@ tcp_stack_init(netstackid_t stackid, netstack_t *ns)
tcps->tcps_netstack = ns;
/* Initialize locks */
- mutex_init(&tcps->tcps_g_q_lock, NULL, MUTEX_DEFAULT, NULL);
- cv_init(&tcps->tcps_g_q_cv, NULL, CV_DEFAULT, NULL);
mutex_init(&tcps->tcps_iss_key_lock, NULL, MUTEX_DEFAULT, NULL);
mutex_init(&tcps->tcps_epriv_port_lock, NULL, MUTEX_DEFAULT, NULL);
@@ -24018,6 +18520,11 @@ tcp_stack_init(netstackid_t stackid, netstack_t *ns)
major = mod_name_to_major(INET_NAME);
error = ldi_ident_from_major(major, &tcps->tcps_ldi_ident);
ASSERT(error == 0);
+ tcps->tcps_ixa_cleanup_mp = allocb_wait(0, BPRI_MED, STR_NOSIG, NULL);
+ ASSERT(tcps->tcps_ixa_cleanup_mp != NULL);
+ cv_init(&tcps->tcps_ixa_cleanup_cv, NULL, CV_DEFAULT, NULL);
+ mutex_init(&tcps->tcps_ixa_cleanup_lock, NULL, MUTEX_DEFAULT, NULL);
+
return (tcps);
}
@@ -24035,22 +18542,8 @@ tcp_ddi_g_destroy(void)
kmem_cache_destroy(tcp_timercache);
kmem_cache_destroy(tcp_sack_info_cache);
- kmem_cache_destroy(tcp_iphc_cache);
netstack_unregister(NS_TCP);
- taskq_destroy(tcp_taskq);
-}
-
-/*
- * Shut down the TCP stack instance.
- */
-/* ARGSUSED */
-static void
-tcp_stack_shutdown(netstackid_t stackid, void *arg)
-{
- tcp_stack_t *tcps = (tcp_stack_t *)arg;
-
- tcp_g_q_destroy(tcps);
}
/*
@@ -24062,17 +18555,16 @@ tcp_stack_fini(netstackid_t stackid, void *arg)
tcp_stack_t *tcps = (tcp_stack_t *)arg;
int i;
+ freeb(tcps->tcps_ixa_cleanup_mp);
+ tcps->tcps_ixa_cleanup_mp = NULL;
+ cv_destroy(&tcps->tcps_ixa_cleanup_cv);
+ mutex_destroy(&tcps->tcps_ixa_cleanup_lock);
+
nd_free(&tcps->tcps_g_nd);
kmem_free(tcps->tcps_params, sizeof (lcl_tcp_param_arr));
tcps->tcps_params = NULL;
kmem_free(tcps->tcps_wroff_xtra_param, sizeof (tcpparam_t));
tcps->tcps_wroff_xtra_param = NULL;
- kmem_free(tcps->tcps_mdt_head_param, sizeof (tcpparam_t));
- tcps->tcps_mdt_head_param = NULL;
- kmem_free(tcps->tcps_mdt_tail_param, sizeof (tcpparam_t));
- tcps->tcps_mdt_tail_param = NULL;
- kmem_free(tcps->tcps_mdt_max_pbufs_param, sizeof (tcpparam_t));
- tcps->tcps_mdt_max_pbufs_param = NULL;
for (i = 0; i < TCP_BIND_FANOUT_SIZE; i++) {
ASSERT(tcps->tcps_bind_fanout[i].tf_tcp == NULL);
@@ -24091,8 +18583,6 @@ tcp_stack_fini(netstackid_t stackid, void *arg)
tcps->tcps_acceptor_fanout = NULL;
mutex_destroy(&tcps->tcps_iss_key_lock);
- mutex_destroy(&tcps->tcps_g_q_lock);
- cv_destroy(&tcps->tcps_g_q_cv);
mutex_destroy(&tcps->tcps_epriv_port_lock);
ip_drop_unregister(&tcps->tcps_dropper);
@@ -24120,6 +18610,7 @@ tcp_iss_init(tcp_t *tcp)
struct { uint32_t ports; in6_addr_t src; in6_addr_t dst; } arg;
uint32_t answer[4];
tcp_stack_t *tcps = tcp->tcp_tcps;
+ conn_t *connp = tcp->tcp_connp;
tcps->tcps_iss_incr_extra += (ISS_INCR >> 1);
tcp->tcp_iss = tcps->tcps_iss_incr_extra;
@@ -24128,16 +18619,9 @@ tcp_iss_init(tcp_t *tcp)
mutex_enter(&tcps->tcps_iss_key_lock);
context = tcps->tcps_iss_key;
mutex_exit(&tcps->tcps_iss_key_lock);
- arg.ports = tcp->tcp_ports;
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- IN6_IPADDR_TO_V4MAPPED(tcp->tcp_ipha->ipha_src,
- &arg.src);
- IN6_IPADDR_TO_V4MAPPED(tcp->tcp_ipha->ipha_dst,
- &arg.dst);
- } else {
- arg.src = tcp->tcp_ip6h->ip6_src;
- arg.dst = tcp->tcp_ip6h->ip6_dst;
- }
+ arg.ports = connp->conn_ports;
+ arg.src = connp->conn_laddr_v6;
+ arg.dst = connp->conn_faddr_v6;
MD5Update(&context, (uchar_t *)&arg, sizeof (arg));
MD5Final((uchar_t *)answer, &context);
tcp->tcp_iss += answer[0] ^ answer[1] ^ answer[2] ^ answer[3];
@@ -24220,27 +18704,16 @@ cl_tcp_walk_list_stack(int (*callback)(cl_tcp_info_t *, void *), void *arg,
connp = NULL;
while ((connp =
- ipcl_get_next_conn(connfp, connp, IPCL_TCP)) != NULL) {
+ ipcl_get_next_conn(connfp, connp, IPCL_TCPCONN)) != NULL) {
tcp = connp->conn_tcp;
cl_tcpi.cl_tcpi_version = CL_TCPI_V1;
- cl_tcpi.cl_tcpi_ipversion = tcp->tcp_ipversion;
+ cl_tcpi.cl_tcpi_ipversion = connp->conn_ipversion;
cl_tcpi.cl_tcpi_state = tcp->tcp_state;
- cl_tcpi.cl_tcpi_lport = tcp->tcp_lport;
- cl_tcpi.cl_tcpi_fport = tcp->tcp_fport;
- /*
- * The macros tcp_laddr and tcp_faddr give the IPv4
- * addresses. They are copied implicitly below as
- * mapped addresses.
- */
- cl_tcpi.cl_tcpi_laddr_v6 = tcp->tcp_ip_src_v6;
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- cl_tcpi.cl_tcpi_faddr =
- tcp->tcp_ipha->ipha_dst;
- } else {
- cl_tcpi.cl_tcpi_faddr_v6 =
- tcp->tcp_ip6h->ip6_dst;
- }
+ cl_tcpi.cl_tcpi_lport = connp->conn_lport;
+ cl_tcpi.cl_tcpi_fport = connp->conn_fport;
+ cl_tcpi.cl_tcpi_laddr_v6 = connp->conn_laddr_v6;
+ cl_tcpi.cl_tcpi_faddr_v6 = connp->conn_faddr_v6;
/*
* If the callback returns non-zero
@@ -24302,35 +18775,35 @@ cl_tcp_walk_list_stack(int (*callback)(cl_tcp_info_t *, void *), void *arg,
/*
* Check if a tcp structure matches the info in acp.
*/
-#define TCP_AC_ADDR_MATCH(acp, tcp) \
+#define TCP_AC_ADDR_MATCH(acp, connp, tcp) \
(((acp)->ac_local.ss_family == AF_INET) ? \
((TCP_AC_V4LOCAL((acp)) == INADDR_ANY || \
- TCP_AC_V4LOCAL((acp)) == (tcp)->tcp_ip_src) && \
+ TCP_AC_V4LOCAL((acp)) == (connp)->conn_laddr_v4) && \
(TCP_AC_V4REMOTE((acp)) == INADDR_ANY || \
- TCP_AC_V4REMOTE((acp)) == (tcp)->tcp_remote) && \
+ TCP_AC_V4REMOTE((acp)) == (connp)->conn_faddr_v4) && \
(TCP_AC_V4LPORT((acp)) == 0 || \
- TCP_AC_V4LPORT((acp)) == (tcp)->tcp_lport) && \
+ TCP_AC_V4LPORT((acp)) == (connp)->conn_lport) && \
(TCP_AC_V4RPORT((acp)) == 0 || \
- TCP_AC_V4RPORT((acp)) == (tcp)->tcp_fport) && \
- (acp)->ac_start <= (tcp)->tcp_state && \
- (acp)->ac_end >= (tcp)->tcp_state) : \
+ TCP_AC_V4RPORT((acp)) == (connp)->conn_fport) && \
+ (acp)->ac_start <= (tcp)->tcp_state && \
+ (acp)->ac_end >= (tcp)->tcp_state) : \
((IN6_IS_ADDR_UNSPECIFIED(&TCP_AC_V6LOCAL((acp))) || \
IN6_ARE_ADDR_EQUAL(&TCP_AC_V6LOCAL((acp)), \
- &(tcp)->tcp_ip_src_v6)) && \
+ &(connp)->conn_laddr_v6)) && \
(IN6_IS_ADDR_UNSPECIFIED(&TCP_AC_V6REMOTE((acp))) || \
IN6_ARE_ADDR_EQUAL(&TCP_AC_V6REMOTE((acp)), \
- &(tcp)->tcp_remote_v6)) && \
+ &(connp)->conn_faddr_v6)) && \
(TCP_AC_V6LPORT((acp)) == 0 || \
- TCP_AC_V6LPORT((acp)) == (tcp)->tcp_lport) && \
+ TCP_AC_V6LPORT((acp)) == (connp)->conn_lport) && \
(TCP_AC_V6RPORT((acp)) == 0 || \
- TCP_AC_V6RPORT((acp)) == (tcp)->tcp_fport) && \
- (acp)->ac_start <= (tcp)->tcp_state && \
+ TCP_AC_V6RPORT((acp)) == (connp)->conn_fport) && \
+ (acp)->ac_start <= (tcp)->tcp_state && \
(acp)->ac_end >= (tcp)->tcp_state))
-#define TCP_AC_MATCH(acp, tcp) \
+#define TCP_AC_MATCH(acp, connp, tcp) \
(((acp)->ac_zoneid == ALL_ZONES || \
- (acp)->ac_zoneid == tcp->tcp_connp->conn_zoneid) ? \
- TCP_AC_ADDR_MATCH(acp, tcp) : 0)
+ (acp)->ac_zoneid == (connp)->conn_zoneid) ? \
+ TCP_AC_ADDR_MATCH(acp, connp, tcp) : 0)
/*
* Build a message containing a tcp_ioc_abort_conn_t structure
@@ -24346,8 +18819,6 @@ tcp_ioctl_abort_build_msg(tcp_ioc_abort_conn_t *acp, tcp_t *tp)
if (mp == NULL)
return (NULL);
- mp->b_datap->db_type = M_CTL;
-
*((uint32_t *)mp->b_rptr) = TCP_IOC_ABORT_CONN;
tacp = (tcp_ioc_abort_conn_t *)((uchar_t *)mp->b_rptr +
sizeof (uint32_t));
@@ -24359,17 +18830,17 @@ tcp_ioctl_abort_build_msg(tcp_ioc_abort_conn_t *acp, tcp_t *tp)
if (acp->ac_local.ss_family == AF_INET) {
tacp->ac_local.ss_family = AF_INET;
tacp->ac_remote.ss_family = AF_INET;
- TCP_AC_V4LOCAL(tacp) = tp->tcp_ip_src;
- TCP_AC_V4REMOTE(tacp) = tp->tcp_remote;
- TCP_AC_V4LPORT(tacp) = tp->tcp_lport;
- TCP_AC_V4RPORT(tacp) = tp->tcp_fport;
+ TCP_AC_V4LOCAL(tacp) = tp->tcp_connp->conn_laddr_v4;
+ TCP_AC_V4REMOTE(tacp) = tp->tcp_connp->conn_faddr_v4;
+ TCP_AC_V4LPORT(tacp) = tp->tcp_connp->conn_lport;
+ TCP_AC_V4RPORT(tacp) = tp->tcp_connp->conn_fport;
} else {
tacp->ac_local.ss_family = AF_INET6;
tacp->ac_remote.ss_family = AF_INET6;
- TCP_AC_V6LOCAL(tacp) = tp->tcp_ip_src_v6;
- TCP_AC_V6REMOTE(tacp) = tp->tcp_remote_v6;
- TCP_AC_V6LPORT(tacp) = tp->tcp_lport;
- TCP_AC_V6RPORT(tacp) = tp->tcp_fport;
+ TCP_AC_V6LOCAL(tacp) = tp->tcp_connp->conn_laddr_v6;
+ TCP_AC_V6REMOTE(tacp) = tp->tcp_connp->conn_faddr_v6;
+ TCP_AC_V6LPORT(tacp) = tp->tcp_connp->conn_lport;
+ TCP_AC_V6RPORT(tacp) = tp->tcp_connp->conn_fport;
}
mp->b_wptr = (uchar_t *)mp->b_rptr + sizeof (uint32_t) + sizeof (*acp);
return (mp);
@@ -24419,14 +18890,32 @@ tcp_ioctl_abort_dump(tcp_ioc_abort_conn_t *acp)
}
/*
- * Called inside tcp_rput when a message built using
+ * Called using SQ_FILL when a message built using
* tcp_ioctl_abort_build_msg is put into a queue.
* Note that when we get here there is no wildcard in acp any more.
*/
+/* ARGSUSED2 */
static void
-tcp_ioctl_abort_handler(tcp_t *tcp, mblk_t *mp)
+tcp_ioctl_abort_handler(void *arg, mblk_t *mp, void *arg2,
+ ip_recv_attr_t *dummy)
{
- tcp_ioc_abort_conn_t *acp;
+ conn_t *connp = (conn_t *)arg;
+ tcp_t *tcp = connp->conn_tcp;
+ tcp_ioc_abort_conn_t *acp;
+
+ /*
+ * Don't accept any input on a closed tcp as this TCP logically does
+ * not exist on the system. Don't proceed further with this TCP.
+ * For eg. this packet could trigger another close of this tcp
+ * which would be disastrous for tcp_refcnt. tcp_close_detached /
+ * tcp_clean_death / tcp_closei_local must be called at most once
+ * on a TCP.
+ */
+ if (tcp->tcp_state == TCPS_CLOSED ||
+ tcp->tcp_state == TCPS_BOUND) {
+ freemsg(mp);
+ return;
+ }
acp = (tcp_ioc_abort_conn_t *)(mp->b_rptr + sizeof (uint32_t));
if (tcp->tcp_state <= acp->ac_end) {
@@ -24468,12 +18957,17 @@ startover:
for (tconnp = connfp->connf_head; tconnp != NULL;
tconnp = tconnp->conn_next) {
tcp = tconnp->conn_tcp;
- if (TCP_AC_MATCH(acp, tcp)) {
- CONN_INC_REF(tcp->tcp_connp);
+ /*
+ * We are missing a check on sin6_scope_id for linklocals here,
+ * but current usage is just for aborting based on zoneid
+ * for shared-IP zones.
+ */
+ if (TCP_AC_MATCH(acp, tconnp, tcp)) {
+ CONN_INC_REF(tconnp);
mp = tcp_ioctl_abort_build_msg(acp, tcp);
if (mp == NULL) {
err = ENOMEM;
- CONN_DEC_REF(tcp->tcp_connp);
+ CONN_DEC_REF(tconnp);
break;
}
mp->b_prev = (mblk_t *)tcp;
@@ -24501,8 +18995,9 @@ startover:
listhead = listhead->b_next;
tcp = (tcp_t *)mp->b_prev;
mp->b_next = mp->b_prev = NULL;
- SQUEUE_ENTER_ONE(tcp->tcp_connp->conn_sqp, mp, tcp_input,
- tcp->tcp_connp, SQ_FILL, SQTAG_TCP_ABORT_BUCKET);
+ SQUEUE_ENTER_ONE(tcp->tcp_connp->conn_sqp, mp,
+ tcp_ioctl_abort_handler, tcp->tcp_connp, NULL,
+ SQ_FILL, SQTAG_TCP_ABORT_BUCKET);
}
*count += nmatch;
@@ -24669,7 +19164,7 @@ out:
*/
void
tcp_time_wait_processing(tcp_t *tcp, mblk_t *mp, uint32_t seg_seq,
- uint32_t seg_ack, int seg_len, tcph_t *tcph)
+ uint32_t seg_ack, int seg_len, tcpha_t *tcpha, ip_recv_attr_t *ira)
{
int32_t bytes_acked;
int32_t gap;
@@ -24677,17 +19172,18 @@ tcp_time_wait_processing(tcp_t *tcp, mblk_t *mp, uint32_t seg_seq,
tcp_opt_t tcpopt;
uint_t flags;
uint32_t new_swnd = 0;
- conn_t *connp;
+ conn_t *nconnp;
+ conn_t *connp = tcp->tcp_connp;
tcp_stack_t *tcps = tcp->tcp_tcps;
BUMP_LOCAL(tcp->tcp_ibsegs);
DTRACE_PROBE2(tcp__trace__recv, mblk_t *, mp, tcp_t *, tcp);
- flags = (unsigned int)tcph->th_flags[0] & 0xFF;
- new_swnd = BE16_TO_U16(tcph->th_win) <<
- ((tcph->th_flags[0] & TH_SYN) ? 0 : tcp->tcp_snd_ws);
+ flags = (unsigned int)tcpha->tha_flags & 0xFF;
+ new_swnd = ntohs(tcpha->tha_win) <<
+ ((tcpha->tha_flags & TH_SYN) ? 0 : tcp->tcp_snd_ws);
if (tcp->tcp_snd_ts_ok) {
- if (!tcp_paws_check(tcp, tcph, &tcpopt)) {
+ if (!tcp_paws_check(tcp, tcpha, &tcpopt)) {
tcp_xmit_ctl(NULL, tcp, tcp->tcp_snxt,
tcp->tcp_rnxt, TH_ACK);
goto done;
@@ -24770,17 +19266,10 @@ tcp_time_wait_processing(tcp_t *tcp, mblk_t *mp, uint32_t seg_seq,
mutex_enter(&tcps->tcps_iss_key_lock);
context = tcps->tcps_iss_key;
mutex_exit(&tcps->tcps_iss_key_lock);
- arg.ports = tcp->tcp_ports;
+ arg.ports = connp->conn_ports;
/* We use MAPPED addresses in tcp_iss_init */
- arg.src = tcp->tcp_ip_src_v6;
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- IN6_IPADDR_TO_V4MAPPED(
- tcp->tcp_ipha->ipha_dst,
- &arg.dst);
- } else {
- arg.dst =
- tcp->tcp_ip6h->ip6_dst;
- }
+ arg.src = connp->conn_laddr_v6;
+ arg.dst = connp->conn_faddr_v6;
MD5Update(&context, (uchar_t *)&arg,
sizeof (arg));
MD5Final((uchar_t *)answer, &context);
@@ -24813,21 +19302,11 @@ tcp_time_wait_processing(tcp_t *tcp, mblk_t *mp, uint32_t seg_seq,
*/
if (tcp_clean_death(tcp, 0, 27) == -1)
goto done;
- /*
- * We will come back to tcp_rput_data
- * on the global queue. Packets destined
- * for the global queue will be checked
- * with global policy. But the policy for
- * this packet has already been checked as
- * this was destined for the detached
- * connection. We need to bypass policy
- * check this time by attaching a dummy
- * ipsec_in with ipsec_in_dont_check set.
- */
- connp = ipcl_classify(mp, tcp->tcp_connp->conn_zoneid, ipst);
- if (connp != NULL) {
+ nconnp = ipcl_classify(mp, ira, ipst);
+ if (nconnp != NULL) {
TCP_STAT(tcps, tcp_time_wait_syn_success);
- tcp_reinput(connp, mp, tcp->tcp_connp->conn_sqp);
+ /* Drops ref on nconnp */
+ tcp_reinput(nconnp, mp, ira, ipst);
return;
}
goto done;
@@ -24905,11 +19384,6 @@ process_ack:
tcp->tcp_rnxt, TH_ACK);
}
done:
- if ((mp->b_datap->db_struioflag & STRUIO_EAGER) != 0) {
- DB_CKSUMSTART(mp) = 0;
- mp->b_datap->db_struioflag &= ~STRUIO_EAGER;
- TCP_STAT(tcps, tcp_time_wait_syn_fail);
- }
freemsg(mp);
}
@@ -24965,11 +19439,12 @@ tcp_timer_callback(void *arg)
tcpt = (tcp_timer_t *)mp->b_rptr;
connp = tcpt->connp;
SQUEUE_ENTER_ONE(connp->conn_sqp, mp, tcp_timer_handler, connp,
- SQ_FILL, SQTAG_TCP_TIMER);
+ NULL, SQ_FILL, SQTAG_TCP_TIMER);
}
+/* ARGSUSED */
static void
-tcp_timer_handler(void *arg, mblk_t *mp, void *arg2)
+tcp_timer_handler(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
tcp_timer_t *tcpt;
conn_t *connp = (conn_t *)arg;
@@ -24983,7 +19458,7 @@ tcp_timer_handler(void *arg, mblk_t *mp, void *arg2)
* If the TCP has reached the closed state, don't proceed any
* further. This TCP logically does not exist on the system.
* tcpt_proc could for example access queues, that have already
- * been qprocoff'ed off. Also see comments at the start of tcp_input
+ * been qprocoff'ed off.
*/
if (tcp->tcp_state != TCPS_CLOSED) {
(*tcpt->tcpt_proc)(connp);
@@ -25148,26 +19623,9 @@ tcp_setqfull(tcp_t *tcp)
if (tcp->tcp_closed)
return;
- if (IPCL_IS_NONSTR(connp)) {
- (*connp->conn_upcalls->su_txq_full)
- (tcp->tcp_connp->conn_upper_handle, B_TRUE);
- tcp->tcp_flow_stopped = B_TRUE;
- } else {
- queue_t *q = tcp->tcp_wq;
-
- if (!(q->q_flag & QFULL)) {
- mutex_enter(QLOCK(q));
- if (!(q->q_flag & QFULL)) {
- /* still need to set QFULL */
- q->q_flag |= QFULL;
- tcp->tcp_flow_stopped = B_TRUE;
- mutex_exit(QLOCK(q));
- TCP_STAT(tcps, tcp_flwctl_on);
- } else {
- mutex_exit(QLOCK(q));
- }
- }
- }
+ conn_setqfull(connp, &tcp->tcp_flow_stopped);
+ if (tcp->tcp_flow_stopped)
+ TCP_STAT(tcps, tcp_flwctl_on);
}
void
@@ -25177,27 +19635,7 @@ tcp_clrqfull(tcp_t *tcp)
if (tcp->tcp_closed)
return;
-
- if (IPCL_IS_NONSTR(connp)) {
- (*connp->conn_upcalls->su_txq_full)
- (tcp->tcp_connp->conn_upper_handle, B_FALSE);
- tcp->tcp_flow_stopped = B_FALSE;
- } else {
- queue_t *q = tcp->tcp_wq;
-
- if (q->q_flag & QFULL) {
- mutex_enter(QLOCK(q));
- if (q->q_flag & QFULL) {
- q->q_flag &= ~QFULL;
- tcp->tcp_flow_stopped = B_FALSE;
- mutex_exit(QLOCK(q));
- if (q->q_flag & QWANTW)
- qbackenable(q, 0);
- } else {
- mutex_exit(QLOCK(q));
- }
- }
- }
+ conn_clrqfull(connp, &tcp->tcp_flow_stopped);
}
/*
@@ -25246,10 +19684,7 @@ tcp_kstat2_init(netstackid_t stackid, tcp_stat_t *tcps_statisticsp)
tcp_stat_t template = {
{ "tcp_time_wait", KSTAT_DATA_UINT64 },
{ "tcp_time_wait_syn", KSTAT_DATA_UINT64 },
- { "tcp_time_wait_success", KSTAT_DATA_UINT64 },
- { "tcp_time_wait_fail", KSTAT_DATA_UINT64 },
- { "tcp_reinput_syn", KSTAT_DATA_UINT64 },
- { "tcp_ip_output", KSTAT_DATA_UINT64 },
+ { "tcp_time_wait_syn_success", KSTAT_DATA_UINT64 },
{ "tcp_detach_non_time_wait", KSTAT_DATA_UINT64 },
{ "tcp_detach_time_wait", KSTAT_DATA_UINT64 },
{ "tcp_time_wait_reap", KSTAT_DATA_UINT64 },
@@ -25287,37 +19722,14 @@ tcp_kstat2_init(netstackid_t stackid, tcp_stat_t *tcps_statisticsp)
{ "tcp_timermp_freed", KSTAT_DATA_UINT64 },
{ "tcp_push_timer_cnt", KSTAT_DATA_UINT64 },
{ "tcp_ack_timer_cnt", KSTAT_DATA_UINT64 },
- { "tcp_ire_null1", KSTAT_DATA_UINT64 },
- { "tcp_ire_null", KSTAT_DATA_UINT64 },
- { "tcp_ip_send", KSTAT_DATA_UINT64 },
- { "tcp_ip_ire_send", KSTAT_DATA_UINT64 },
{ "tcp_wsrv_called", KSTAT_DATA_UINT64 },
{ "tcp_flwctl_on", KSTAT_DATA_UINT64 },
{ "tcp_timer_fire_early", KSTAT_DATA_UINT64 },
{ "tcp_timer_fire_miss", KSTAT_DATA_UINT64 },
{ "tcp_rput_v6_error", KSTAT_DATA_UINT64 },
- { "tcp_out_sw_cksum", KSTAT_DATA_UINT64 },
- { "tcp_out_sw_cksum_bytes", KSTAT_DATA_UINT64 },
{ "tcp_zcopy_on", KSTAT_DATA_UINT64 },
{ "tcp_zcopy_off", KSTAT_DATA_UINT64 },
{ "tcp_zcopy_backoff", KSTAT_DATA_UINT64 },
- { "tcp_zcopy_disable", KSTAT_DATA_UINT64 },
- { "tcp_mdt_pkt_out", KSTAT_DATA_UINT64 },
- { "tcp_mdt_pkt_out_v4", KSTAT_DATA_UINT64 },
- { "tcp_mdt_pkt_out_v6", KSTAT_DATA_UINT64 },
- { "tcp_mdt_discarded", KSTAT_DATA_UINT64 },
- { "tcp_mdt_conn_halted1", KSTAT_DATA_UINT64 },
- { "tcp_mdt_conn_halted2", KSTAT_DATA_UINT64 },
- { "tcp_mdt_conn_halted3", KSTAT_DATA_UINT64 },
- { "tcp_mdt_conn_resumed1", KSTAT_DATA_UINT64 },
- { "tcp_mdt_conn_resumed2", KSTAT_DATA_UINT64 },
- { "tcp_mdt_legacy_small", KSTAT_DATA_UINT64 },
- { "tcp_mdt_legacy_all", KSTAT_DATA_UINT64 },
- { "tcp_mdt_legacy_ret", KSTAT_DATA_UINT64 },
- { "tcp_mdt_allocfail", KSTAT_DATA_UINT64 },
- { "tcp_mdt_addpdescfail", KSTAT_DATA_UINT64 },
- { "tcp_mdt_allocd", KSTAT_DATA_UINT64 },
- { "tcp_mdt_linked", KSTAT_DATA_UINT64 },
{ "tcp_fusion_flowctl", KSTAT_DATA_UINT64 },
{ "tcp_fusion_backenabled", KSTAT_DATA_UINT64 },
{ "tcp_fusion_urg", KSTAT_DATA_UINT64 },
@@ -25490,7 +19902,7 @@ tcp_kstat_update(kstat_t *kp, int rw)
connfp = &ipst->ips_ipcl_globalhash_fanout[i];
connp = NULL;
while ((connp =
- ipcl_get_next_conn(connfp, connp, IPCL_TCP)) != NULL) {
+ ipcl_get_next_conn(connfp, connp, IPCL_TCPCONN)) != NULL) {
tcp = connp->conn_tcp;
switch (tcp_snmp_state(tcp)) {
case MIB2_TCP_established:
@@ -25565,48 +19977,6 @@ tcp_kstat_update(kstat_t *kp, int rw)
return (0);
}
-void
-tcp_reinput(conn_t *connp, mblk_t *mp, squeue_t *sqp)
-{
- uint16_t hdr_len;
- ipha_t *ipha;
- uint8_t *nexthdrp;
- tcph_t *tcph;
- tcp_stack_t *tcps = connp->conn_tcp->tcp_tcps;
-
- /* Already has an eager */
- if ((mp->b_datap->db_struioflag & STRUIO_EAGER) != 0) {
- TCP_STAT(tcps, tcp_reinput_syn);
- SQUEUE_ENTER_ONE(connp->conn_sqp, mp, connp->conn_recv, connp,
- SQ_PROCESS, SQTAG_TCP_REINPUT_EAGER);
- return;
- }
-
- switch (IPH_HDR_VERSION(mp->b_rptr)) {
- case IPV4_VERSION:
- ipha = (ipha_t *)mp->b_rptr;
- hdr_len = IPH_HDR_LENGTH(ipha);
- break;
- case IPV6_VERSION:
- if (!ip_hdr_length_nexthdr_v6(mp, (ip6_t *)mp->b_rptr,
- &hdr_len, &nexthdrp)) {
- CONN_DEC_REF(connp);
- freemsg(mp);
- return;
- }
- break;
- }
-
- tcph = (tcph_t *)&mp->b_rptr[hdr_len];
- if ((tcph->th_flags[0] & (TH_SYN|TH_ACK|TH_RST|TH_URG)) == TH_SYN) {
- mp->b_datap->db_struioflag |= STRUIO_EAGER;
- DB_CKSUMSTART(mp) = (intptr_t)sqp;
- }
-
- SQUEUE_ENTER_ONE(connp->conn_sqp, mp, connp->conn_recv, connp,
- SQ_FILL, SQTAG_TCP_REINPUT);
-}
-
static int
tcp_squeue_switch(int val)
{
@@ -25653,278 +20023,20 @@ tcp_squeue_add(squeue_t *sqp)
tcp_time_wait->tcp_free_list_cnt = 0;
}
-static int
-tcp_post_ip_bind(tcp_t *tcp, mblk_t *mp, int error, cred_t *cr, pid_t pid)
+/*
+ * On a labeled system we have some protocols above TCP, such as RPC, which
+ * appear to assume that every mblk in a chain has a db_credp.
+ */
+static void
+tcp_setcred_data(mblk_t *mp, ip_recv_attr_t *ira)
{
- mblk_t *ire_mp = NULL;
- mblk_t *syn_mp;
- mblk_t *mdti;
- mblk_t *lsoi;
- int retval;
- tcph_t *tcph;
- cred_t *ecr;
- ts_label_t *tsl;
- uint32_t mss;
- conn_t *connp = tcp->tcp_connp;
- tcp_stack_t *tcps = tcp->tcp_tcps;
-
- if (error == 0) {
- /*
- * Adapt Multidata information, if any. The
- * following tcp_mdt_update routine will free
- * the message.
- */
- if (mp != NULL && ((mdti = tcp_mdt_info_mp(mp)) != NULL)) {
- tcp_mdt_update(tcp, &((ip_mdt_info_t *)mdti->
- b_rptr)->mdt_capab, B_TRUE);
- freemsg(mdti);
- }
-
- /*
- * Check to update LSO information with tcp, and
- * tcp_lso_update routine will free the message.
- */
- if (mp != NULL && ((lsoi = tcp_lso_info_mp(mp)) != NULL)) {
- tcp_lso_update(tcp, &((ip_lso_info_t *)lsoi->
- b_rptr)->lso_capab);
- freemsg(lsoi);
- }
-
- /* Get the IRE, if we had requested for it */
- if (mp != NULL)
- ire_mp = tcp_ire_mp(&mp);
-
- if (tcp->tcp_hard_binding) {
- tcp->tcp_hard_binding = B_FALSE;
- tcp->tcp_hard_bound = B_TRUE;
- CL_INET_CONNECT(tcp->tcp_connp, tcp, B_TRUE, retval);
- if (retval != 0) {
- error = EADDRINUSE;
- goto bind_failed;
- }
- } else {
- if (ire_mp != NULL)
- freeb(ire_mp);
- goto after_syn_sent;
- }
-
- retval = tcp_adapt_ire(tcp, ire_mp);
- if (ire_mp != NULL)
- freeb(ire_mp);
- if (retval == 0) {
- error = (int)((tcp->tcp_state >= TCPS_SYN_SENT) ?
- ENETUNREACH : EADDRNOTAVAIL);
- goto ipcl_rm;
- }
- /*
- * Don't let an endpoint connect to itself.
- * Also checked in tcp_connect() but that
- * check can't handle the case when the
- * local IP address is INADDR_ANY.
- */
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- if ((tcp->tcp_ipha->ipha_dst ==
- tcp->tcp_ipha->ipha_src) &&
- (BE16_EQL(tcp->tcp_tcph->th_lport,
- tcp->tcp_tcph->th_fport))) {
- error = EADDRNOTAVAIL;
- goto ipcl_rm;
- }
- } else {
- if (IN6_ARE_ADDR_EQUAL(
- &tcp->tcp_ip6h->ip6_dst,
- &tcp->tcp_ip6h->ip6_src) &&
- (BE16_EQL(tcp->tcp_tcph->th_lport,
- tcp->tcp_tcph->th_fport))) {
- error = EADDRNOTAVAIL;
- goto ipcl_rm;
- }
- }
- ASSERT(tcp->tcp_state == TCPS_SYN_SENT);
- /*
- * This should not be possible! Just for
- * defensive coding...
- */
- if (tcp->tcp_state != TCPS_SYN_SENT)
- goto after_syn_sent;
-
- if (is_system_labeled() &&
- !tcp_update_label(tcp, CONN_CRED(tcp->tcp_connp))) {
- error = EHOSTUNREACH;
- goto ipcl_rm;
- }
-
- /*
- * tcp_adapt_ire() does not adjust
- * for TCP/IP header length.
- */
- mss = tcp->tcp_mss - tcp->tcp_hdr_len;
-
- /*
- * Just make sure our rwnd is at
- * least tcp_recv_hiwat_mss * MSS
- * large, and round up to the nearest
- * MSS.
- *
- * We do the round up here because
- * we need to get the interface
- * MTU first before we can do the
- * round up.
- */
- tcp->tcp_rwnd = MAX(MSS_ROUNDUP(tcp->tcp_rwnd, mss),
- tcps->tcps_recv_hiwat_minmss * mss);
- tcp->tcp_recv_hiwater = tcp->tcp_rwnd;
- tcp_set_ws_value(tcp);
- U32_TO_ABE16((tcp->tcp_rwnd >> tcp->tcp_rcv_ws),
- tcp->tcp_tcph->th_win);
- if (tcp->tcp_rcv_ws > 0 || tcps->tcps_wscale_always)
- tcp->tcp_snd_ws_ok = B_TRUE;
-
- /*
- * Set tcp_snd_ts_ok to true
- * so that tcp_xmit_mp will
- * include the timestamp
- * option in the SYN segment.
- */
- if (tcps->tcps_tstamp_always ||
- (tcp->tcp_rcv_ws && tcps->tcps_tstamp_if_wscale)) {
- tcp->tcp_snd_ts_ok = B_TRUE;
- }
-
- /*
- * tcp_snd_sack_ok can be set in
- * tcp_adapt_ire() if the sack metric
- * is set. So check it here also.
- */
- if (tcps->tcps_sack_permitted == 2 ||
- tcp->tcp_snd_sack_ok) {
- if (tcp->tcp_sack_info == NULL) {
- tcp->tcp_sack_info =
- kmem_cache_alloc(tcp_sack_info_cache,
- KM_SLEEP);
- }
- tcp->tcp_snd_sack_ok = B_TRUE;
- }
+ ASSERT(is_system_labeled());
+ ASSERT(ira->ira_cred != NULL);
- /*
- * Should we use ECN? Note that the current
- * default value (SunOS 5.9) of tcp_ecn_permitted
- * is 1. The reason for doing this is that there
- * are equipments out there that will drop ECN
- * enabled IP packets. Setting it to 1 avoids
- * compatibility problems.
- */
- if (tcps->tcps_ecn_permitted == 2)
- tcp->tcp_ecn_ok = B_TRUE;
-
- TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
- syn_mp = tcp_xmit_mp(tcp, NULL, 0, NULL, NULL,
- tcp->tcp_iss, B_FALSE, NULL, B_FALSE);
- if (syn_mp) {
- /*
- * cr contains the cred from the thread calling
- * connect().
- *
- * If no thread cred is available, use the
- * socket creator's cred instead. If still no
- * cred, drop the request rather than risk a
- * panic on production systems.
- */
- if (cr == NULL) {
- cr = CONN_CRED(connp);
- pid = tcp->tcp_cpid;
- ASSERT(cr != NULL);
- if (cr != NULL) {
- mblk_setcred(syn_mp, cr, pid);
- } else {
- error = ECONNABORTED;
- goto ipcl_rm;
- }
-
- /*
- * If an effective security label exists for
- * the connection, create a copy of the thread's
- * cred but with the effective label attached.
- */
- } else if (is_system_labeled() &&
- connp->conn_effective_cred != NULL &&
- (tsl = crgetlabel(connp->
- conn_effective_cred)) != NULL) {
- if ((ecr = copycred_from_tslabel(cr,
- tsl, KM_NOSLEEP)) == NULL) {
- error = ENOMEM;
- goto ipcl_rm;
- }
- mblk_setcred(syn_mp, ecr, pid);
- crfree(ecr);
-
- /*
- * Default to using the thread's cred unchanged.
- */
- } else {
- mblk_setcred(syn_mp, cr, pid);
- }
-
- /*
- * We must bump the generation before sending the syn
- * to ensure that we use the right generation in case
- * this thread issues a "connected" up call.
- */
- SOCK_CONNID_BUMP(tcp->tcp_connid);
-
- tcp_send_data(tcp, tcp->tcp_wq, syn_mp);
- }
- after_syn_sent:
- if (mp != NULL) {
- ASSERT(mp->b_cont == NULL);
- freeb(mp);
- }
- return (error);
- } else {
- /* error */
- if (tcp->tcp_debug) {
- (void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE|SL_ERROR,
- "tcp_post_ip_bind: error == %d", error);
- }
- if (mp != NULL) {
- freeb(mp);
- }
+ while (mp != NULL) {
+ mblk_setcred(mp, ira->ira_cred, NOPID);
+ mp = mp->b_cont;
}
-
-ipcl_rm:
- /*
- * Need to unbind with classifier since we were just
- * told that our bind succeeded. a.k.a error == 0 at the entry.
- */
- tcp->tcp_hard_bound = B_FALSE;
- tcp->tcp_hard_binding = B_FALSE;
-
- ipcl_hash_remove(connp);
-
-bind_failed:
- tcp->tcp_state = TCPS_IDLE;
- if (tcp->tcp_ipversion == IPV4_VERSION)
- tcp->tcp_ipha->ipha_src = 0;
- else
- V6_SET_ZERO(tcp->tcp_ip6h->ip6_src);
- /*
- * Copy of the src addr. in tcp_t is needed since
- * the lookup funcs. can only look at tcp_t
- */
- V6_SET_ZERO(tcp->tcp_ip_src_v6);
-
- tcph = tcp->tcp_tcph;
- tcph->th_lport[0] = 0;
- tcph->th_lport[1] = 0;
- tcp_bind_hash_remove(tcp);
- bzero(&connp->u_port, sizeof (connp->u_port));
- /* blow away saved option results if any */
- if (tcp->tcp_conn.tcp_opts_conn_req != NULL)
- tcp_close_mpp(&tcp->tcp_conn.tcp_opts_conn_req);
-
- conn_delete_ire(tcp->tcp_connp, NULL);
-
- return (error);
}
static int
@@ -25936,16 +20048,16 @@ tcp_bind_select_lport(tcp_t *tcp, in_port_t *requested_port_ptr,
boolean_t user_specified;
in_port_t allocated_port;
in_port_t requested_port = *requested_port_ptr;
- conn_t *connp;
+ conn_t *connp = tcp->tcp_connp;
zone_t *zone;
tcp_stack_t *tcps = tcp->tcp_tcps;
- in6_addr_t v6addr = tcp->tcp_ip_src_v6;
+ in6_addr_t v6addr = connp->conn_laddr_v6;
/*
* XXX It's up to the caller to specify bind_to_req_port_only or not.
*/
- if (cr == NULL)
- cr = tcp->tcp_cred;
+ ASSERT(cr != NULL);
+
/*
* Get a valid port (within the anonymous range and should not
* be a privileged one) to use if the user has not given a port.
@@ -25961,7 +20073,7 @@ tcp_bind_select_lport(tcp_t *tcp, in_port_t *requested_port_ptr,
mlptype = mlptSingle;
mlp_port = requested_port;
if (requested_port == 0) {
- requested_port = tcp->tcp_anon_priv_bind ?
+ requested_port = connp->conn_anon_priv_bind ?
tcp_get_next_priv_port(tcp) :
tcp_update_next_port(tcps->tcps_next_port_to_try,
tcp, B_TRUE);
@@ -25975,7 +20087,6 @@ tcp_bind_select_lport(tcp_t *tcp, in_port_t *requested_port_ptr,
* this socket and RPC is MLP in this zone, then give him an
* anonymous MLP.
*/
- connp = tcp->tcp_connp;
if (connp->conn_anon_mlp && is_system_labeled()) {
zone = crgetzone(cr);
addrtype = tsol_mlp_addr_type(
@@ -26016,7 +20127,7 @@ tcp_bind_select_lport(tcp_t *tcp, in_port_t *requested_port_ptr,
if (priv) {
if (secpolicy_net_privaddr(cr, requested_port,
IPPROTO_TCP) != 0) {
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"tcp_bind: no priv for port %d",
@@ -26044,7 +20155,7 @@ tcp_bind_select_lport(tcp_t *tcp, in_port_t *requested_port_ptr,
if (mlptype != mlptSingle) {
if (secpolicy_net_bindmlp(cr) != 0) {
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"tcp_bind: no priv for multilevel port %d",
@@ -26068,7 +20179,7 @@ tcp_bind_select_lport(tcp_t *tcp, in_port_t *requested_port_ptr,
mlpzone = tsol_mlp_findzone(IPPROTO_TCP,
htons(mlp_port));
if (connp->conn_zoneid != mlpzone) {
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"tcp_bind: attempt to bind port "
@@ -26083,10 +20194,10 @@ tcp_bind_select_lport(tcp_t *tcp, in_port_t *requested_port_ptr,
if (!user_specified) {
int err;
- err = tsol_mlp_anon(zone, mlptype, connp->conn_ulp,
+ err = tsol_mlp_anon(zone, mlptype, connp->conn_proto,
requested_port, B_TRUE);
if (err != 0) {
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"tcp_bind: cannot establish anon "
@@ -26101,17 +20212,18 @@ tcp_bind_select_lport(tcp_t *tcp, in_port_t *requested_port_ptr,
}
allocated_port = tcp_bindi(tcp, requested_port, &v6addr,
- tcp->tcp_reuseaddr, B_FALSE, bind_to_req_port_only, user_specified);
+ connp->conn_reuseaddr, B_FALSE, bind_to_req_port_only,
+ user_specified);
if (allocated_port == 0) {
connp->conn_mlp_type = mlptSingle;
if (connp->conn_anon_port) {
connp->conn_anon_port = B_FALSE;
- (void) tsol_mlp_anon(zone, mlptype, connp->conn_ulp,
+ (void) tsol_mlp_anon(zone, mlptype, connp->conn_proto,
requested_port, B_FALSE);
}
if (bind_to_req_port_only) {
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"tcp_bind: requested addr busy");
@@ -26119,7 +20231,7 @@ tcp_bind_select_lport(tcp_t *tcp, in_port_t *requested_port_ptr,
return (-TADDRBUSY);
} else {
/* If we are out of ports, fail the bind. */
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"tcp_bind: out of ports?");
@@ -26133,6 +20245,9 @@ tcp_bind_select_lport(tcp_t *tcp, in_port_t *requested_port_ptr,
return (0);
}
+/*
+ * Check the address and check/pick a local port number.
+ */
static int
tcp_bind_check(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
boolean_t bind_to_req_port_only)
@@ -26140,18 +20255,22 @@ tcp_bind_check(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
tcp_t *tcp = connp->conn_tcp;
sin_t *sin;
sin6_t *sin6;
- in_port_t requested_port;
+ in_port_t requested_port;
ipaddr_t v4addr;
in6_addr_t v6addr;
- uint_t ipversion;
- int error = 0;
+ ip_laddr_t laddr_type = IPVL_UNICAST_UP; /* INADDR_ANY */
+ zoneid_t zoneid = IPCL_ZONEID(connp);
+ ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
+ uint_t scopeid = 0;
+ int error = 0;
+ ip_xmit_attr_t *ixa = connp->conn_ixa;
ASSERT((uintptr_t)len <= (uintptr_t)INT_MAX);
if (tcp->tcp_state == TCPS_BOUND) {
return (0);
} else if (tcp->tcp_state > TCPS_BOUND) {
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_ERROR|SL_TRACE,
"tcp_bind: bad state, %d", tcp->tcp_state);
}
@@ -26161,7 +20280,7 @@ tcp_bind_check(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
ASSERT(sa != NULL && len != 0);
if (!OK_32PTR((char *)sa)) {
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"tcp_bind: bad address parameter, "
@@ -26171,38 +20290,48 @@ tcp_bind_check(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
return (-TPROTO);
}
+ error = proto_verify_ip_addr(connp->conn_family, sa, len);
+ if (error != 0) {
+ return (error);
+ }
+
switch (len) {
case sizeof (sin_t): /* Complete IPv4 address */
sin = (sin_t *)sa;
- /*
- * With sockets sockfs will accept bogus sin_family in
- * bind() and replace it with the family used in the socket
- * call.
- */
- if (sin->sin_family != AF_INET ||
- tcp->tcp_family != AF_INET) {
- return (EAFNOSUPPORT);
- }
requested_port = ntohs(sin->sin_port);
- ipversion = IPV4_VERSION;
v4addr = sin->sin_addr.s_addr;
IN6_IPADDR_TO_V4MAPPED(v4addr, &v6addr);
+ if (v4addr != INADDR_ANY) {
+ laddr_type = ip_laddr_verify_v4(v4addr, zoneid, ipst,
+ B_FALSE);
+ }
break;
case sizeof (sin6_t): /* Complete IPv6 address */
sin6 = (sin6_t *)sa;
- if (sin6->sin6_family != AF_INET6 ||
- tcp->tcp_family != AF_INET6) {
- return (EAFNOSUPPORT);
- }
- requested_port = ntohs(sin6->sin6_port);
- ipversion = IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr) ?
- IPV4_VERSION : IPV6_VERSION;
v6addr = sin6->sin6_addr;
+ requested_port = ntohs(sin6->sin6_port);
+ if (IN6_IS_ADDR_V4MAPPED(&v6addr)) {
+ if (connp->conn_ipv6_v6only)
+ return (EADDRNOTAVAIL);
+
+ IN6_V4MAPPED_TO_IPADDR(&v6addr, v4addr);
+ if (v4addr != INADDR_ANY) {
+ laddr_type = ip_laddr_verify_v4(v4addr,
+ zoneid, ipst, B_FALSE);
+ }
+ } else {
+ if (!IN6_IS_ADDR_UNSPECIFIED(&v6addr)) {
+ if (IN6_IS_ADDR_LINKSCOPE(&v6addr))
+ scopeid = sin6->sin6_scope_id;
+ laddr_type = ip_laddr_verify_v6(&v6addr,
+ zoneid, ipst, B_FALSE, scopeid);
+ }
+ }
break;
default:
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_ERROR|SL_TRACE,
"tcp_bind: bad address length, %d", len);
}
@@ -26210,34 +20339,32 @@ tcp_bind_check(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
/* return (-TBADADDR); */
}
- tcp->tcp_bound_source_v6 = v6addr;
+ /* Is the local address a valid unicast address? */
+ if (laddr_type == IPVL_BAD)
+ return (EADDRNOTAVAIL);
- /* Check for change in ipversion */
- if (tcp->tcp_ipversion != ipversion) {
- ASSERT(tcp->tcp_family == AF_INET6);
- error = (ipversion == IPV6_VERSION) ?
- tcp_header_init_ipv6(tcp) : tcp_header_init_ipv4(tcp);
- if (error) {
- return (ENOMEM);
- }
- }
-
- /*
- * Initialize family specific fields. Copy of the src addr.
- * in tcp_t is needed for the lookup funcs.
- */
- if (tcp->tcp_ipversion == IPV6_VERSION) {
- tcp->tcp_ip6h->ip6_src = v6addr;
+ connp->conn_bound_addr_v6 = v6addr;
+ if (scopeid != 0) {
+ ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ ixa->ixa_scopeid = scopeid;
+ connp->conn_incoming_ifindex = scopeid;
} else {
- IN6_V4MAPPED_TO_IPADDR(&v6addr, tcp->tcp_ipha->ipha_src);
+ ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
+ connp->conn_incoming_ifindex = connp->conn_bound_if;
}
- tcp->tcp_ip_src_v6 = v6addr;
+
+ connp->conn_laddr_v6 = v6addr;
+ connp->conn_saddr_v6 = v6addr;
bind_to_req_port_only = requested_port != 0 && bind_to_req_port_only;
error = tcp_bind_select_lport(tcp, &requested_port,
bind_to_req_port_only, cr);
-
+ if (error != 0) {
+ connp->conn_laddr_v6 = ipv6_all_zeros;
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ connp->conn_bound_addr_v6 = ipv6_all_zeros;
+ }
return (error);
}
@@ -26253,7 +20380,7 @@ tcp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
tcp_t *tcp = connp->conn_tcp;
if (tcp->tcp_state >= TCPS_BOUND) {
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_ERROR|SL_TRACE,
"tcp_bind: bad state, %d", tcp->tcp_state);
}
@@ -26265,19 +20392,8 @@ tcp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
return (error);
ASSERT(tcp->tcp_state == TCPS_BOUND);
-
tcp->tcp_conn_req_max = 0;
-
- if (tcp->tcp_family == AF_INET6) {
- ASSERT(tcp->tcp_connp->conn_af_isv6);
- error = ip_proto_bind_laddr_v6(connp, NULL, IPPROTO_TCP,
- &tcp->tcp_bound_source_v6, 0, B_FALSE);
- } else {
- ASSERT(!tcp->tcp_connp->conn_af_isv6);
- error = ip_proto_bind_laddr_v4(connp, NULL, IPPROTO_TCP,
- tcp->tcp_ipha->ipha_src, 0, B_FALSE);
- }
- return (tcp_post_ip_bind(tcp, NULL, error, NULL, 0));
+ return (0);
}
int
@@ -26337,7 +20453,14 @@ tcp_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
ipaddr_t *dstaddrp;
in_port_t dstport;
uint_t srcid;
- int error = 0;
+ int error;
+ uint32_t mss;
+ mblk_t *syn_mp;
+ tcp_stack_t *tcps = tcp->tcp_tcps;
+ int32_t oldstate;
+ ip_xmit_attr_t *ixa = connp->conn_ixa;
+
+ oldstate = tcp->tcp_state;
switch (len) {
default:
@@ -26351,7 +20474,7 @@ tcp_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
if (sin->sin_port == 0) {
return (-TBADADDR);
}
- if (tcp->tcp_connp && tcp->tcp_connp->conn_ipv6_v6only) {
+ if (connp->conn_ipv6_v6only) {
return (EAFNOSUPPORT);
}
break;
@@ -26365,23 +20488,18 @@ tcp_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
}
/*
* If we're connecting to an IPv4-mapped IPv6 address, we need to
- * make sure that the template IP header in the tcp structure is an
- * IPv4 header, and that the tcp_ipversion is IPV4_VERSION. We
+ * make sure that the conn_ipversion is IPV4_VERSION. We
* need to this before we call tcp_bindi() so that the port lookup
* code will look for ports in the correct port space (IPv4 and
* IPv6 have separate port spaces).
*/
- if (tcp->tcp_family == AF_INET6 && tcp->tcp_ipversion == IPV6_VERSION &&
+ if (connp->conn_family == AF_INET6 &&
+ connp->conn_ipversion == IPV6_VERSION &&
IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
- int err = 0;
+ if (connp->conn_ipv6_v6only)
+ return (EADDRNOTAVAIL);
- err = tcp_header_init_ipv4(tcp);
- if (err != 0) {
- error = ENOMEM;
- goto connect_failed;
- }
- if (tcp->tcp_lport != 0)
- *(uint16_t *)tcp->tcp_tcph->th_lport = tcp->tcp_lport;
+ connp->conn_ipversion = IPV4_VERSION;
}
switch (tcp->tcp_state) {
@@ -26399,43 +20517,147 @@ tcp_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
*/
/* FALLTHRU */
case TCPS_BOUND:
- if (tcp->tcp_family == AF_INET6) {
- if (!IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
- return (tcp_connect_ipv6(tcp,
- &sin6->sin6_addr,
- sin6->sin6_port, sin6->sin6_flowinfo,
- sin6->__sin6_src_id, sin6->sin6_scope_id,
- cr, pid));
- }
+ break;
+ default:
+ return (-TOUTSTATE);
+ }
+
+ /*
+ * We update our cred/cpid based on the caller of connect
+ */
+ if (connp->conn_cred != cr) {
+ crhold(cr);
+ crfree(connp->conn_cred);
+ connp->conn_cred = cr;
+ }
+ connp->conn_cpid = pid;
+
+ /* Cache things in the ixa without any refhold */
+ ixa->ixa_cred = cr;
+ ixa->ixa_cpid = pid;
+ if (is_system_labeled()) {
+ /* We need to restart with a label based on the cred */
+ ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
+ }
+
+ if (connp->conn_family == AF_INET6) {
+ if (!IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
+ error = tcp_connect_ipv6(tcp, &sin6->sin6_addr,
+ sin6->sin6_port, sin6->sin6_flowinfo,
+ sin6->__sin6_src_id, sin6->sin6_scope_id);
+ } else {
/*
* Destination adress is mapped IPv6 address.
* Source bound address should be unspecified or
* IPv6 mapped address as well.
*/
if (!IN6_IS_ADDR_UNSPECIFIED(
- &tcp->tcp_bound_source_v6) &&
- !IN6_IS_ADDR_V4MAPPED(&tcp->tcp_bound_source_v6)) {
+ &connp->conn_bound_addr_v6) &&
+ !IN6_IS_ADDR_V4MAPPED(&connp->conn_bound_addr_v6)) {
return (EADDRNOTAVAIL);
}
dstaddrp = &V4_PART_OF_V6((sin6->sin6_addr));
dstport = sin6->sin6_port;
srcid = sin6->__sin6_src_id;
- } else {
- dstaddrp = &sin->sin_addr.s_addr;
- dstport = sin->sin_port;
- srcid = 0;
+ error = tcp_connect_ipv4(tcp, dstaddrp, dstport,
+ srcid);
}
+ } else {
+ dstaddrp = &sin->sin_addr.s_addr;
+ dstport = sin->sin_port;
+ srcid = 0;
+ error = tcp_connect_ipv4(tcp, dstaddrp, dstport, srcid);
+ }
- error = tcp_connect_ipv4(tcp, dstaddrp, dstport, srcid, cr,
- pid);
- break;
- default:
- return (-TOUTSTATE);
+ if (error != 0)
+ goto connect_failed;
+
+ CL_INET_CONNECT(connp, B_TRUE, error);
+ if (error != 0)
+ goto connect_failed;
+
+ /* connect succeeded */
+ BUMP_MIB(&tcps->tcps_mib, tcpActiveOpens);
+ tcp->tcp_active_open = 1;
+
+ /*
+ * tcp_set_destination() does not adjust for TCP/IP header length.
+ */
+ mss = tcp->tcp_mss - connp->conn_ht_iphc_len;
+
+ /*
+ * Just make sure our rwnd is at least rcvbuf * MSS large, and round up
+ * to the nearest MSS.
+ *
+ * We do the round up here because we need to get the interface MTU
+ * first before we can do the round up.
+ */
+ tcp->tcp_rwnd = connp->conn_rcvbuf;
+ tcp->tcp_rwnd = MAX(MSS_ROUNDUP(tcp->tcp_rwnd, mss),
+ tcps->tcps_recv_hiwat_minmss * mss);
+ connp->conn_rcvbuf = tcp->tcp_rwnd;
+ tcp_set_ws_value(tcp);
+ tcp->tcp_tcpha->tha_win = htons(tcp->tcp_rwnd >> tcp->tcp_rcv_ws);
+ if (tcp->tcp_rcv_ws > 0 || tcps->tcps_wscale_always)
+ tcp->tcp_snd_ws_ok = B_TRUE;
+
+ /*
+ * Set tcp_snd_ts_ok to true
+ * so that tcp_xmit_mp will
+ * include the timestamp
+ * option in the SYN segment.
+ */
+ if (tcps->tcps_tstamp_always ||
+ (tcp->tcp_rcv_ws && tcps->tcps_tstamp_if_wscale)) {
+ tcp->tcp_snd_ts_ok = B_TRUE;
}
+
/*
- * Note: Code below is the "failure" case
+ * tcp_snd_sack_ok can be set in
+ * tcp_set_destination() if the sack metric
+ * is set. So check it here also.
+ */
+ if (tcps->tcps_sack_permitted == 2 ||
+ tcp->tcp_snd_sack_ok) {
+ if (tcp->tcp_sack_info == NULL) {
+ tcp->tcp_sack_info = kmem_cache_alloc(
+ tcp_sack_info_cache, KM_SLEEP);
+ }
+ tcp->tcp_snd_sack_ok = B_TRUE;
+ }
+
+ /*
+ * Should we use ECN? Note that the current
+ * default value (SunOS 5.9) of tcp_ecn_permitted
+ * is 1. The reason for doing this is that there
+ * are equipments out there that will drop ECN
+ * enabled IP packets. Setting it to 1 avoids
+ * compatibility problems.
*/
+ if (tcps->tcps_ecn_permitted == 2)
+ tcp->tcp_ecn_ok = B_TRUE;
+
+ TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
+ syn_mp = tcp_xmit_mp(tcp, NULL, 0, NULL, NULL,
+ tcp->tcp_iss, B_FALSE, NULL, B_FALSE);
+ if (syn_mp != NULL) {
+ /*
+ * We must bump the generation before sending the syn
+ * to ensure that we use the right generation in case
+ * this thread issues a "connected" up call.
+ */
+ SOCK_CONNID_BUMP(tcp->tcp_connid);
+ tcp_send_data(tcp, syn_mp);
+ }
+
+ if (tcp->tcp_conn.tcp_opts_conn_req != NULL)
+ tcp_close_mpp(&tcp->tcp_conn.tcp_opts_conn_req);
+ return (0);
+
connect_failed:
+ connp->conn_faddr_v6 = ipv6_all_zeros;
+ connp->conn_fport = 0;
+ tcp->tcp_state = oldstate;
if (tcp->tcp_conn.tcp_opts_conn_req != NULL)
tcp_close_mpp(&tcp->tcp_conn.tcp_opts_conn_req);
return (error);
@@ -26446,7 +20668,6 @@ tcp_connect(sock_lower_handle_t proto_handle, const struct sockaddr *sa,
socklen_t len, sock_connid_t *id, cred_t *cr)
{
conn_t *connp = (conn_t *)proto_handle;
- tcp_t *tcp = connp->conn_tcp;
squeue_t *sqp = connp->conn_sqp;
int error;
@@ -26455,7 +20676,7 @@ tcp_connect(sock_lower_handle_t proto_handle, const struct sockaddr *sa,
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
- error = proto_verify_ip_addr(tcp->tcp_family, sa, len);
+ error = proto_verify_ip_addr(connp->conn_family, sa, len);
if (error != 0) {
return (error);
}
@@ -26493,7 +20714,7 @@ tcp_connect(sock_lower_handle_t proto_handle, const struct sockaddr *sa,
}
}
- if (tcp->tcp_loopback) {
+ if (connp->conn_tcp->tcp_loopback) {
struct sock_proto_props sopp;
sopp.sopp_flags = SOCKOPT_LOOPBACK;
@@ -26521,7 +20742,7 @@ tcp_create(int family, int type, int proto, sock_downcalls_t **sock_downcalls,
return (NULL);
}
- connp = tcp_create_common(NULL, credp, isv6, B_TRUE, errorp);
+ connp = tcp_create_common(credp, isv6, B_TRUE, errorp);
if (connp == NULL) {
return (NULL);
}
@@ -26578,8 +20799,8 @@ tcp_activate(sock_lower_handle_t proto_handle, sock_upper_handle_t sock_handle,
connp->conn_upcalls = sock_upcalls;
connp->conn_upper_handle = sock_handle;
- ASSERT(connp->conn_tcp->tcp_recv_hiwater != 0 &&
- connp->conn_tcp->tcp_recv_hiwater == connp->conn_tcp->tcp_rwnd);
+ ASSERT(connp->conn_rcvbuf != 0 &&
+ connp->conn_rcvbuf == connp->conn_tcp->tcp_rwnd);
(*sock_upcalls->su_set_proto_props)(sock_handle, &sopp);
}
@@ -26663,7 +20884,7 @@ tcp_sendmsg(sock_lower_handle_t proto_handle, mblk_t *mp, struct nmsghdr *msg,
/*
* Squeue Flow Control
*/
- if (TCP_UNSENT_BYTES(tcp) > tcp->tcp_xmit_hiwater) {
+ if (TCP_UNSENT_BYTES(tcp) > connp->conn_sndbuf) {
tcp_setqfull(tcp);
}
mutex_exit(&tcp->tcp_non_sq_lock);
@@ -26680,12 +20901,11 @@ tcp_sendmsg(sock_lower_handle_t proto_handle, mblk_t *mp, struct nmsghdr *msg,
CONN_INC_REF(connp);
if (msg->msg_flags & MSG_OOB) {
- SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
- tcp_output_urgent, connp, tcp_squeue_flag,
- SQTAG_TCP_OUTPUT);
+ SQUEUE_ENTER_ONE(connp->conn_sqp, mp, tcp_output_urgent,
+ connp, NULL, tcp_squeue_flag, SQTAG_TCP_OUTPUT);
} else {
SQUEUE_ENTER_ONE(connp->conn_sqp, mp, tcp_output,
- connp, tcp_squeue_flag, SQTAG_TCP_OUTPUT);
+ connp, NULL, tcp_squeue_flag, SQTAG_TCP_OUTPUT);
}
return (0);
@@ -26698,9 +20918,9 @@ tcp_sendmsg(sock_lower_handle_t proto_handle, mblk_t *mp, struct nmsghdr *msg,
return (0);
}
-/* ARGSUSED */
+/* ARGSUSED2 */
void
-tcp_output_urgent(void *arg, mblk_t *mp, void *arg2)
+tcp_output_urgent(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
int len;
uint32_t msize;
@@ -26739,7 +20959,7 @@ tcp_output_urgent(void *arg, mblk_t *mp, void *arg2)
tcp_wput_data(tcp, mp, B_TRUE);
}
-/* ARGSUSED */
+/* ARGSUSED3 */
int
tcp_getpeername(sock_lower_handle_t proto_handle, struct sockaddr *addr,
socklen_t *addrlenp, cred_t *cr)
@@ -26752,24 +20972,24 @@ tcp_getpeername(sock_lower_handle_t proto_handle, struct sockaddr *addr,
ASSERT(cr != NULL);
ASSERT(tcp != NULL);
+ if (tcp->tcp_state < TCPS_SYN_RCVD)
+ return (ENOTCONN);
- return (tcp_do_getpeername(tcp, addr, addrlenp));
+ return (conn_getpeername(connp, addr, addrlenp));
}
-/* ARGSUSED */
+/* ARGSUSED3 */
int
tcp_getsockname(sock_lower_handle_t proto_handle, struct sockaddr *addr,
socklen_t *addrlenp, cred_t *cr)
{
conn_t *connp = (conn_t *)proto_handle;
- tcp_t *tcp = connp->conn_tcp;
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
ASSERT(connp->conn_upper_handle != NULL);
-
- return (tcp_do_getsockname(tcp, addr, addrlenp));
+ return (conn_getsockname(connp, addr, addrlenp));
}
/*
@@ -26809,8 +21029,8 @@ tcp_fallback_noneager(tcp_t *tcp, mblk_t *stropt_mp, queue_t *q,
RD(q)->q_ptr = WR(q)->q_ptr = connp;
- connp->conn_tcp->tcp_rq = connp->conn_rq = RD(q);
- connp->conn_tcp->tcp_wq = connp->conn_wq = WR(q);
+ connp->conn_rq = RD(q);
+ connp->conn_wq = WR(q);
WR(q)->q_qinfo = &tcp_sock_winit;
@@ -26830,11 +21050,11 @@ tcp_fallback_noneager(tcp_t *tcp, mblk_t *stropt_mp, queue_t *q,
stropt_mp->b_wptr += sizeof (struct stroptions);
stropt->so_flags = SO_HIWAT | SO_WROFF | SO_MAXBLK;
- stropt->so_wroff = tcp->tcp_hdr_len + (tcp->tcp_loopback ? 0 :
+ stropt->so_wroff = connp->conn_ht_iphc_len + (tcp->tcp_loopback ? 0 :
tcp->tcp_tcps->tcps_wroff_xtra);
if (tcp->tcp_snd_sack_ok)
stropt->so_wroff += TCPOPT_MAX_SACK_LEN;
- stropt->so_hiwat = tcp->tcp_recv_hiwater;
+ stropt->so_hiwat = connp->conn_rcvbuf;
stropt->so_maxblk = tcp_maxpsz_set(tcp, B_FALSE);
putnext(RD(q), stropt_mp);
@@ -26845,15 +21065,17 @@ tcp_fallback_noneager(tcp_t *tcp, mblk_t *stropt_mp, queue_t *q,
tcp_do_capability_ack(tcp, &tca, TC1_INFO|TC1_ACCEPTOR_ID);
laddrlen = faddrlen = sizeof (sin6_t);
- (void) tcp_do_getsockname(tcp, (struct sockaddr *)&laddr, &laddrlen);
- error = tcp_do_getpeername(tcp, (struct sockaddr *)&faddr, &faddrlen);
+ (void) tcp_getsockname((sock_lower_handle_t)connp,
+ (struct sockaddr *)&laddr, &laddrlen, CRED());
+ error = tcp_getpeername((sock_lower_handle_t)connp,
+ (struct sockaddr *)&faddr, &faddrlen, CRED());
if (error != 0)
faddrlen = 0;
opts = 0;
- if (tcp->tcp_oobinline)
+ if (connp->conn_oobinline)
opts |= SO_OOBINLINE;
- if (tcp->tcp_dontroute)
+ if (connp->conn_ixa->ixa_flags & IXAF_DONTROUTE)
opts |= SO_DONTROUTE;
/*
@@ -26868,6 +21090,7 @@ tcp_fallback_noneager(tcp_t *tcp, mblk_t *stropt_mp, queue_t *q,
while ((mp = tcp->tcp_rcv_list) != NULL) {
tcp->tcp_rcv_list = mp->b_next;
mp->b_next = NULL;
+ /* We never do fallback for kernel RPC */
putnext(q, mp);
}
tcp->tcp_rcv_last_head = NULL;
@@ -26908,7 +21131,7 @@ tcp_fallback_eager(tcp_t *eager, boolean_t direct_sockfs)
* Sockfs guarantees that the listener will not be closed
* during fallback. So we can safely use the listener's queue.
*/
- putnext(listener->tcp_rq, mp);
+ putnext(listener->tcp_connp->conn_rq, mp);
}
int
@@ -26987,7 +21210,7 @@ tcp_fallback(sock_lower_handle_t proto_handle, queue_t *q,
/* ARGSUSED */
static void
-tcp_shutdown_output(void *arg, mblk_t *mp, void *arg2)
+tcp_shutdown_output(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
conn_t *connp = (conn_t *)arg;
tcp_t *tcp = connp->conn_tcp;
@@ -27002,7 +21225,7 @@ tcp_shutdown_output(void *arg, mblk_t *mp, void *arg2)
* We were crossing FINs and got a reset from
* the other side. Just ignore it.
*/
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"tcp_shutdown_output() out of state %s",
@@ -27036,7 +21259,7 @@ tcp_shutdown(sock_lower_handle_t proto_handle, int how, cred_t *cr)
bp = allocb_wait(0, BPRI_HI, STR_NOSIG, NULL);
CONN_INC_REF(connp);
SQUEUE_ENTER_ONE(connp->conn_sqp, bp, tcp_shutdown_output,
- connp, SQ_NODRAIN, SQTAG_TCP_SHUTDOWN_OUTPUT);
+ connp, NULL, SQ_NODRAIN, SQTAG_TCP_SHUTDOWN_OUTPUT);
(*connp->conn_upcalls->su_opctl)(connp->conn_upper_handle,
SOCK_OPCTL_SHUT_SEND, 0);
@@ -27109,7 +21332,7 @@ tcp_do_listen(conn_t *connp, struct sockaddr *sa, socklen_t len,
*/
goto do_listen;
}
- if (tcp->tcp_debug) {
+ if (connp->conn_debug) {
(void) strlog(TCP_MOD_ID, 0, 1, SL_ERROR|SL_TRACE,
"tcp_listen: bad state, %d", tcp->tcp_state);
}
@@ -27121,15 +21344,14 @@ tcp_do_listen(conn_t *connp, struct sockaddr *sa, socklen_t len,
sin6_t *sin6;
ASSERT(IPCL_IS_NONSTR(connp));
-
/* Do an implicit bind: Request for a generic port. */
- if (tcp->tcp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
len = sizeof (sin_t);
sin = (sin_t *)&addr;
*sin = sin_null;
sin->sin_family = AF_INET;
} else {
- ASSERT(tcp->tcp_family == AF_INET6);
+ ASSERT(connp->conn_family == AF_INET6);
len = sizeof (sin6_t);
sin6 = (sin6_t *)&addr;
*sin6 = sin6_null;
@@ -27171,23 +21393,42 @@ do_listen:
}
/*
- * We can call ip_bind directly, the processing continues
- * in tcp_post_ip_bind().
- *
* We need to make sure that the conn_recv is set to a non-null
* value before we insert the conn into the classifier table.
* This is to avoid a race with an incoming packet which does an
* ipcl_classify().
+ * We initially set it to tcp_input_listener_unbound to try to
+ * pick a good squeue for the listener when the first SYN arrives.
+ * tcp_input_listener_unbound sets it to tcp_input_listener on that
+ * first SYN.
*/
- connp->conn_recv = tcp_conn_request;
- if (tcp->tcp_family == AF_INET) {
- error = ip_proto_bind_laddr_v4(connp, NULL,
- IPPROTO_TCP, tcp->tcp_bound_source, tcp->tcp_lport, B_TRUE);
- } else {
- error = ip_proto_bind_laddr_v6(connp, NULL, IPPROTO_TCP,
- &tcp->tcp_bound_source_v6, tcp->tcp_lport, B_TRUE);
+ connp->conn_recv = tcp_input_listener_unbound;
+
+ /* Insert the listener in the classifier table */
+ error = ip_laddr_fanout_insert(connp);
+ if (error != 0) {
+ /* Undo the bind - release the port number */
+ tcp->tcp_state = TCPS_IDLE;
+ connp->conn_bound_addr_v6 = ipv6_all_zeros;
+
+ connp->conn_laddr_v6 = ipv6_all_zeros;
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ connp->conn_ports = 0;
+
+ if (connp->conn_anon_port) {
+ zone_t *zone;
+
+ zone = crgetzone(cr);
+ connp->conn_anon_port = B_FALSE;
+ (void) tsol_mlp_anon(zone, connp->conn_mlp_type,
+ connp->conn_proto, connp->conn_lport, B_FALSE);
+ }
+ connp->conn_mlp_type = mlptSingle;
+
+ tcp_bind_hash_remove(tcp);
+ return (error);
}
- return (tcp_post_ip_bind(tcp, NULL, error, NULL, 0));
+ return (error);
}
void
@@ -27222,7 +21463,7 @@ tcp_clr_flowctrl(sock_lower_handle_t proto_handle)
if (tcp->tcp_fused) {
tcp_fuse_backenable(tcp);
} else {
- tcp->tcp_rwnd = tcp->tcp_recv_hiwater;
+ tcp->tcp_rwnd = connp->conn_rcvbuf;
/*
* Send back a window update immediately if TCP is above
* ESTABLISHED state and the increase of the rcv window
@@ -27253,10 +21494,28 @@ tcp_ioctl(sock_lower_handle_t proto_handle, int cmd, intptr_t arg,
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
+ /*
+ * If we don't have a helper stream then create one.
+ * ip_create_helper_stream takes care of locking the conn_t,
+ * so this check for NULL is just a performance optimization.
+ */
+ if (connp->conn_helper_info == NULL) {
+ tcp_stack_t *tcps = connp->conn_tcp->tcp_tcps;
+
+ /*
+ * Create a helper stream for non-STREAMS socket.
+ */
+ error = ip_create_helper_stream(connp, tcps->tcps_ldi_ident);
+ if (error != 0) {
+ ip0dbg(("tcp_ioctl: create of IP helper stream "
+ "failed %d\n", error));
+ return (error);
+ }
+ }
+
switch (cmd) {
case ND_SET:
case ND_GET:
- case TCP_IOC_DEFAULT_Q:
case _SIOCSOCKFALLBACK:
case TCP_IOC_ABORT_CONN:
case TI_GETPEERNAME:
diff --git a/usr/src/uts/common/inet/tcp/tcp_fusion.c b/usr/src/uts/common/inet/tcp/tcp_fusion.c
index 3ee909cc4d..313b024943 100644
--- a/usr/src/uts/common/inet/tcp/tcp_fusion.c
+++ b/usr/src/uts/common/inet/tcp/tcp_fusion.c
@@ -69,50 +69,6 @@
boolean_t do_tcp_fusion = B_TRUE;
/*
- * Return true if this connection needs some IP functionality
- */
-static boolean_t
-tcp_loopback_needs_ip(tcp_t *tcp, netstack_t *ns)
-{
- ipsec_stack_t *ipss = ns->netstack_ipsec;
-
- /*
- * If ire is not cached, do not use fusion
- */
- if (tcp->tcp_connp->conn_ire_cache == NULL) {
- /*
- * There is no need to hold conn_lock here because when called
- * from tcp_fuse() there can be no window where conn_ire_cache
- * can change. This is not true when called from
- * tcp_fuse_output() as conn_ire_cache can become null just
- * after the check. It will be necessary to recheck for a NULL
- * conn_ire_cache in tcp_fuse_output() to avoid passing a
- * stale ill pointer to FW_HOOKS.
- */
- return (B_TRUE);
- }
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- if (tcp->tcp_ip_hdr_len != IP_SIMPLE_HDR_LENGTH)
- return (B_TRUE);
- if (CONN_OUTBOUND_POLICY_PRESENT(tcp->tcp_connp, ipss))
- return (B_TRUE);
- if (CONN_INBOUND_POLICY_PRESENT(tcp->tcp_connp, ipss))
- return (B_TRUE);
- } else {
- if (tcp->tcp_ip_hdr_len != IPV6_HDR_LEN)
- return (B_TRUE);
- if (CONN_OUTBOUND_POLICY_PRESENT_V6(tcp->tcp_connp, ipss))
- return (B_TRUE);
- if (CONN_INBOUND_POLICY_PRESENT_V6(tcp->tcp_connp, ipss))
- return (B_TRUE);
- }
- if (!CONN_IS_LSO_MD_FASTPATH(tcp->tcp_connp))
- return (B_TRUE);
- return (B_FALSE);
-}
-
-
-/*
* This routine gets called by the eager tcp upon changing state from
* SYN_RCVD to ESTABLISHED. It fuses a direct path between itself
* and the active connect tcp such that the regular tcp processings
@@ -124,10 +80,10 @@ tcp_loopback_needs_ip(tcp_t *tcp, netstack_t *ns)
* same squeue as the one given to the active connect tcp during open.
*/
void
-tcp_fuse(tcp_t *tcp, uchar_t *iphdr, tcph_t *tcph)
+tcp_fuse(tcp_t *tcp, uchar_t *iphdr, tcpha_t *tcpha)
{
- conn_t *peer_connp, *connp = tcp->tcp_connp;
- tcp_t *peer_tcp;
+ conn_t *peer_connp, *connp = tcp->tcp_connp;
+ tcp_t *peer_tcp;
tcp_stack_t *tcps = tcp->tcp_tcps;
netstack_t *ns;
ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
@@ -136,20 +92,16 @@ tcp_fuse(tcp_t *tcp, uchar_t *iphdr, tcph_t *tcph)
ASSERT(tcp->tcp_loopback);
ASSERT(tcp->tcp_loopback_peer == NULL);
/*
- * We need to inherit tcp_recv_hiwater of the listener tcp,
+ * We need to inherit conn_rcvbuf of the listener tcp,
* but we can't really use tcp_listener since we get here after
- * sending up T_CONN_IND and tcp_wput_accept() may be called
+ * sending up T_CONN_IND and tcp_tli_accept() may be called
* independently, at which point tcp_listener is cleared;
* this is why we use tcp_saved_listener. The listener itself
* is guaranteed to be around until tcp_accept_finish() is called
* on this eager -- this won't happen until we're done since we're
* inside the eager's perimeter now.
- *
- * We can also get called in the case were a connection needs
- * to be re-fused. In this case tcp_saved_listener will be
- * NULL but tcp_refuse will be true.
*/
- ASSERT(tcp->tcp_saved_listener != NULL || tcp->tcp_refuse);
+ ASSERT(tcp->tcp_saved_listener != NULL);
/*
* Lookup peer endpoint; search for the remote endpoint having
* the reversed address-port quadruplet in ESTABLISHED state,
@@ -157,12 +109,12 @@ tcp_fuse(tcp_t *tcp, uchar_t *iphdr, tcph_t *tcph)
* is applied accordingly for loopback address, but not for
* local address since we want fusion to happen across Zones.
*/
- if (tcp->tcp_ipversion == IPV4_VERSION) {
+ if (connp->conn_ipversion == IPV4_VERSION) {
peer_connp = ipcl_conn_tcp_lookup_reversed_ipv4(connp,
- (ipha_t *)iphdr, tcph, ipst);
+ (ipha_t *)iphdr, tcpha, ipst);
} else {
peer_connp = ipcl_conn_tcp_lookup_reversed_ipv6(connp,
- (ip6_t *)iphdr, tcph, ipst);
+ (ip6_t *)iphdr, tcpha, ipst);
}
/*
@@ -202,28 +154,20 @@ tcp_fuse(tcp_t *tcp, uchar_t *iphdr, tcph_t *tcph)
/*
* Fuse the endpoints; we perform further checks against both
* tcp endpoints to ensure that a fusion is allowed to happen.
- * In particular we bail out for non-simple TCP/IP or if IPsec/
- * IPQoS policy/kernel SSL exists. We also need to check if
- * the connection is quiescent to cover the case when we are
- * trying to re-enable fusion after IPobservability is turned off.
+ * In particular we bail out if kernel SSL exists.
*/
ns = tcps->tcps_netstack;
ipst = ns->netstack_ip;
if (!tcp->tcp_unfusable && !peer_tcp->tcp_unfusable &&
- !tcp_loopback_needs_ip(tcp, ns) &&
- !tcp_loopback_needs_ip(peer_tcp, ns) &&
- tcp->tcp_kssl_ent == NULL &&
- tcp->tcp_xmit_head == NULL && peer_tcp->tcp_xmit_head == NULL &&
- !IPP_ENABLED(IPP_LOCAL_OUT|IPP_LOCAL_IN, ipst)) {
+ (tcp->tcp_kssl_ent == NULL) && (tcp->tcp_xmit_head == NULL) &&
+ (peer_tcp->tcp_xmit_head == NULL)) {
mblk_t *mp;
- queue_t *peer_rq = peer_tcp->tcp_rq;
+ queue_t *peer_rq = peer_connp->conn_rq;
ASSERT(!TCP_IS_DETACHED(peer_tcp));
- ASSERT(tcp->tcp_fused_sigurg_mp == NULL ||
- (!IPCL_IS_NONSTR(connp) && tcp->tcp_refuse));
- ASSERT(peer_tcp->tcp_fused_sigurg_mp == NULL ||
- (!IPCL_IS_NONSTR(peer_connp) && peer_tcp->tcp_refuse));
+ ASSERT(tcp->tcp_fused_sigurg_mp == NULL);
+ ASSERT(peer_tcp->tcp_fused_sigurg_mp == NULL);
ASSERT(tcp->tcp_kssl_ctx == NULL);
/*
@@ -272,54 +216,40 @@ tcp_fuse(tcp_t *tcp, uchar_t *iphdr, tcph_t *tcph)
tcp_timers_stop(tcp);
tcp_timers_stop(peer_tcp);
- if (!tcp->tcp_refuse) {
- /*
- * Set receive buffer and max packet size for the
- * active open tcp.
- * eager's values will be set in tcp_accept_finish.
- */
-
- (void) tcp_rwnd_set(peer_tcp,
- peer_tcp->tcp_recv_hiwater);
+ /*
+ * Set receive buffer and max packet size for the
+ * active open tcp.
+ * eager's values will be set in tcp_accept_finish.
+ */
+ (void) tcp_rwnd_set(peer_tcp, peer_tcp->tcp_connp->conn_rcvbuf);
- /*
- * Set the write offset value to zero since we won't
- * be needing any room for TCP/IP headers.
- */
- if (!IPCL_IS_NONSTR(peer_tcp->tcp_connp)) {
- struct stroptions *stropt;
+ /*
+ * Set the write offset value to zero since we won't
+ * be needing any room for TCP/IP headers.
+ */
+ if (!IPCL_IS_NONSTR(peer_tcp->tcp_connp)) {
+ struct stroptions *stropt;
- DB_TYPE(mp) = M_SETOPTS;
- mp->b_wptr += sizeof (*stropt);
+ DB_TYPE(mp) = M_SETOPTS;
+ mp->b_wptr += sizeof (*stropt);
- stropt = (struct stroptions *)mp->b_rptr;
- stropt->so_flags = SO_WROFF;
- stropt->so_wroff = 0;
+ stropt = (struct stroptions *)mp->b_rptr;
+ stropt->so_flags = SO_WROFF;
+ stropt->so_wroff = 0;
- /* Send the options up */
- putnext(peer_rq, mp);
- } else {
- struct sock_proto_props sopp;
+ /* Send the options up */
+ putnext(peer_rq, mp);
+ } else {
+ struct sock_proto_props sopp;
- /* The peer is a non-STREAMS end point */
- ASSERT(IPCL_IS_TCP(peer_connp));
+ /* The peer is a non-STREAMS end point */
+ ASSERT(IPCL_IS_TCP(peer_connp));
- sopp.sopp_flags = SOCKOPT_WROFF;
- sopp.sopp_wroff = 0;
- (*peer_connp->conn_upcalls->su_set_proto_props)
- (peer_connp->conn_upper_handle, &sopp);
- }
- } else {
- /*
- * Endpoints are being re-fused, so options will not
- * be sent up. In case of STREAMS, free the stroptions
- * mblk.
- */
- if (!IPCL_IS_NONSTR(connp))
- freemsg(mp);
+ sopp.sopp_flags = SOCKOPT_WROFF;
+ sopp.sopp_wroff = 0;
+ (*peer_connp->conn_upcalls->su_set_proto_props)
+ (peer_connp->conn_upper_handle, &sopp);
}
- tcp->tcp_refuse = B_FALSE;
- peer_tcp->tcp_refuse = B_FALSE;
} else {
TCP_STAT(tcps, tcp_fusion_unqualified);
}
@@ -374,12 +304,12 @@ tcp_unfuse(tcp_t *tcp)
* when called from tcp_rcv_drain().
*/
if (!TCP_IS_DETACHED(tcp)) {
- (void) tcp_fuse_rcv_drain(tcp->tcp_rq, tcp,
+ (void) tcp_fuse_rcv_drain(tcp->tcp_connp->conn_rq, tcp,
&tcp->tcp_fused_sigurg_mp);
}
if (!TCP_IS_DETACHED(peer_tcp)) {
- (void) tcp_fuse_rcv_drain(peer_tcp->tcp_rq, peer_tcp,
- &peer_tcp->tcp_fused_sigurg_mp);
+ (void) tcp_fuse_rcv_drain(peer_tcp->tcp_connp->conn_rq,
+ peer_tcp, &peer_tcp->tcp_fused_sigurg_mp);
}
/* Lift up any flow-control conditions */
@@ -398,12 +328,12 @@ tcp_unfuse(tcp_t *tcp)
mutex_exit(&peer_tcp->tcp_non_sq_lock);
/*
- * Update th_seq and th_ack in the header template
+ * Update tha_seq and tha_ack in the header template
*/
- U32_TO_ABE32(tcp->tcp_snxt, tcp->tcp_tcph->th_seq);
- U32_TO_ABE32(tcp->tcp_rnxt, tcp->tcp_tcph->th_ack);
- U32_TO_ABE32(peer_tcp->tcp_snxt, peer_tcp->tcp_tcph->th_seq);
- U32_TO_ABE32(peer_tcp->tcp_rnxt, peer_tcp->tcp_tcph->th_ack);
+ tcp->tcp_tcpha->tha_seq = htonl(tcp->tcp_snxt);
+ tcp->tcp_tcpha->tha_ack = htonl(tcp->tcp_rnxt);
+ peer_tcp->tcp_tcpha->tha_seq = htonl(peer_tcp->tcp_snxt);
+ peer_tcp->tcp_tcpha->tha_ack = htonl(peer_tcp->tcp_rnxt);
/* Unfuse the endpoints */
peer_tcp->tcp_fused = tcp->tcp_fused = B_FALSE;
@@ -509,59 +439,28 @@ tcp_fuse_output_urg(tcp_t *tcp, mblk_t *mp)
boolean_t
tcp_fuse_output(tcp_t *tcp, mblk_t *mp, uint32_t send_size)
{
- tcp_t *peer_tcp = tcp->tcp_loopback_peer;
- boolean_t flow_stopped, peer_data_queued = B_FALSE;
- boolean_t urgent = (DB_TYPE(mp) != M_DATA);
- boolean_t push = B_TRUE;
- mblk_t *mp1 = mp;
- ill_t *ilp, *olp;
- ipif_t *iifp, *oifp;
- ipha_t *ipha;
- ip6_t *ip6h;
- tcph_t *tcph;
- uint_t ip_hdr_len;
- uint32_t seq;
- uint32_t recv_size = send_size;
+ conn_t *connp = tcp->tcp_connp;
+ tcp_t *peer_tcp = tcp->tcp_loopback_peer;
+ conn_t *peer_connp = peer_tcp->tcp_connp;
+ boolean_t flow_stopped, peer_data_queued = B_FALSE;
+ boolean_t urgent = (DB_TYPE(mp) != M_DATA);
+ boolean_t push = B_TRUE;
+ mblk_t *mp1 = mp;
+ uint_t ip_hdr_len;
+ uint32_t recv_size = send_size;
tcp_stack_t *tcps = tcp->tcp_tcps;
netstack_t *ns = tcps->tcps_netstack;
ip_stack_t *ipst = ns->netstack_ip;
+ ipsec_stack_t *ipss = ns->netstack_ipsec;
+ iaflags_t ixaflags = connp->conn_ixa->ixa_flags;
+ boolean_t do_ipsec, hooks_out, hooks_in, ipobs_enabled;
ASSERT(tcp->tcp_fused);
ASSERT(peer_tcp != NULL && peer_tcp->tcp_loopback_peer == tcp);
- ASSERT(tcp->tcp_connp->conn_sqp == peer_tcp->tcp_connp->conn_sqp);
+ ASSERT(connp->conn_sqp == peer_connp->conn_sqp);
ASSERT(DB_TYPE(mp) == M_DATA || DB_TYPE(mp) == M_PROTO ||
DB_TYPE(mp) == M_PCPROTO);
- /* If this connection requires IP, unfuse and use regular path */
- if (tcp_loopback_needs_ip(tcp, ns) ||
- tcp_loopback_needs_ip(peer_tcp, ns) ||
- IPP_ENABLED(IPP_LOCAL_OUT|IPP_LOCAL_IN, ipst) ||
- (tcp->tcp_ipversion == IPV4_VERSION &&
- ipst->ips_ip4_observe.he_interested) ||
- (tcp->tcp_ipversion == IPV6_VERSION &&
- ipst->ips_ip6_observe.he_interested)) {
- TCP_STAT(tcps, tcp_fusion_aborted);
- tcp->tcp_refuse = B_TRUE;
- peer_tcp->tcp_refuse = B_TRUE;
-
- bcopy(peer_tcp->tcp_tcph, &tcp->tcp_saved_tcph,
- sizeof (tcph_t));
- bcopy(tcp->tcp_tcph, &peer_tcp->tcp_saved_tcph,
- sizeof (tcph_t));
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- bcopy(peer_tcp->tcp_ipha, &tcp->tcp_saved_ipha,
- sizeof (ipha_t));
- bcopy(tcp->tcp_ipha, &peer_tcp->tcp_saved_ipha,
- sizeof (ipha_t));
- } else {
- bcopy(peer_tcp->tcp_ip6h, &tcp->tcp_saved_ip6h,
- sizeof (ip6_t));
- bcopy(tcp->tcp_ip6h, &peer_tcp->tcp_saved_ip6h,
- sizeof (ip6_t));
- }
- goto unfuse;
- }
-
if (send_size == 0) {
freemsg(mp);
return (B_TRUE);
@@ -578,123 +477,74 @@ tcp_fuse_output(tcp_t *tcp, mblk_t *mp, uint32_t send_size)
mp1 = mp->b_cont;
}
- if (tcp->tcp_ipversion == IPV4_VERSION &&
- (HOOKS4_INTERESTED_LOOPBACK_IN(ipst) ||
- HOOKS4_INTERESTED_LOOPBACK_OUT(ipst)) ||
- tcp->tcp_ipversion == IPV6_VERSION &&
- (HOOKS6_INTERESTED_LOOPBACK_IN(ipst) ||
- HOOKS6_INTERESTED_LOOPBACK_OUT(ipst))) {
- /*
- * Build ip and tcp header to satisfy FW_HOOKS.
- * We only build it when any hook is present.
- */
+ /*
+ * Check that we are still using an IRE_LOCAL or IRE_LOOPBACK before
+ * further processes.
+ */
+ if (!ip_output_verify_local(connp->conn_ixa))
+ goto unfuse;
+
+ /*
+ * Build IP and TCP header in case we have something that needs the
+ * headers. Those cases are:
+ * 1. IPsec
+ * 2. IPobs
+ * 3. FW_HOOKS
+ *
+ * If tcp_xmit_mp() fails to dupb() the message, unfuse the connection
+ * and back to regular path.
+ */
+ if (ixaflags & IXAF_IS_IPV4) {
+ do_ipsec = (ixaflags & IXAF_IPSEC_SECURE) ||
+ CONN_INBOUND_POLICY_PRESENT(peer_connp, ipss);
+
+ hooks_out = HOOKS4_INTERESTED_LOOPBACK_OUT(ipst);
+ hooks_in = HOOKS4_INTERESTED_LOOPBACK_IN(ipst);
+ ipobs_enabled = (ipst->ips_ip4_observe.he_interested != 0);
+ } else {
+ do_ipsec = (ixaflags & IXAF_IPSEC_SECURE) ||
+ CONN_INBOUND_POLICY_PRESENT_V6(peer_connp, ipss);
+
+ hooks_out = HOOKS6_INTERESTED_LOOPBACK_OUT(ipst);
+ hooks_in = HOOKS6_INTERESTED_LOOPBACK_IN(ipst);
+ ipobs_enabled = (ipst->ips_ip6_observe.he_interested != 0);
+ }
+
+ /* We do logical 'or' for efficiency */
+ if (ipobs_enabled | do_ipsec | hooks_in | hooks_out) {
if ((mp1 = tcp_xmit_mp(tcp, mp1, tcp->tcp_mss, NULL, NULL,
tcp->tcp_snxt, B_TRUE, NULL, B_FALSE)) == NULL)
/* If tcp_xmit_mp fails, use regular path */
goto unfuse;
/*
- * The ipif and ill can be safely referenced under the
- * protection of conn_lock - see head of function comment for
- * conn_get_held_ipif(). It is necessary to check that both
- * the ipif and ill can be looked up (i.e. not condemned). If
- * not, bail out and unfuse this connection.
+ * Leave all IP relevant processes to ip_output_process_local(),
+ * which handles IPsec, IPobs, and FW_HOOKS.
*/
- mutex_enter(&peer_tcp->tcp_connp->conn_lock);
- if ((peer_tcp->tcp_connp->conn_ire_cache == NULL) ||
- (peer_tcp->tcp_connp->conn_ire_cache->ire_marks &
- IRE_MARK_CONDEMNED) ||
- ((oifp = peer_tcp->tcp_connp->conn_ire_cache->ire_ipif)
- == NULL) ||
- (!IPIF_CAN_LOOKUP(oifp)) ||
- ((olp = oifp->ipif_ill) == NULL) ||
- (ill_check_and_refhold(olp) != 0)) {
- mutex_exit(&peer_tcp->tcp_connp->conn_lock);
- goto unfuse;
- }
- mutex_exit(&peer_tcp->tcp_connp->conn_lock);
-
- /* PFHooks: LOOPBACK_OUT */
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- ipha = (ipha_t *)mp1->b_rptr;
-
- DTRACE_PROBE4(ip4__loopback__out__start,
- ill_t *, NULL, ill_t *, olp,
- ipha_t *, ipha, mblk_t *, mp1);
- FW_HOOKS(ipst->ips_ip4_loopback_out_event,
- ipst->ips_ipv4firewall_loopback_out,
- NULL, olp, ipha, mp1, mp1, 0, ipst);
- DTRACE_PROBE1(ip4__loopback__out__end, mblk_t *, mp1);
- } else {
- ip6h = (ip6_t *)mp1->b_rptr;
-
- DTRACE_PROBE4(ip6__loopback__out__start,
- ill_t *, NULL, ill_t *, olp,
- ip6_t *, ip6h, mblk_t *, mp1);
- FW_HOOKS6(ipst->ips_ip6_loopback_out_event,
- ipst->ips_ipv6firewall_loopback_out,
- NULL, olp, ip6h, mp1, mp1, 0, ipst);
- DTRACE_PROBE1(ip6__loopback__out__end, mblk_t *, mp1);
- }
- ill_refrele(olp);
+ mp1 = ip_output_process_local(mp1, connp->conn_ixa, hooks_out,
+ hooks_in, do_ipsec ? peer_connp : NULL);
+ /* If the message is dropped for any reason. */
if (mp1 == NULL)
goto unfuse;
/*
- * The ipif and ill can be safely referenced under the
- * protection of conn_lock - see head of function comment for
- * conn_get_held_ipif(). It is necessary to check that both
- * the ipif and ill can be looked up (i.e. not condemned). If
- * not, bail out and unfuse this connection.
+ * Data length might have been changed by FW_HOOKS.
+ * We assume that the first mblk contains the TCP/IP headers.
*/
- mutex_enter(&tcp->tcp_connp->conn_lock);
- if ((tcp->tcp_connp->conn_ire_cache == NULL) ||
- (tcp->tcp_connp->conn_ire_cache->ire_marks &
- IRE_MARK_CONDEMNED) ||
- ((iifp = tcp->tcp_connp->conn_ire_cache->ire_ipif)
- == NULL) ||
- (!IPIF_CAN_LOOKUP(iifp)) ||
- ((ilp = iifp->ipif_ill) == NULL) ||
- (ill_check_and_refhold(ilp) != 0)) {
- mutex_exit(&tcp->tcp_connp->conn_lock);
- goto unfuse;
- }
- mutex_exit(&tcp->tcp_connp->conn_lock);
-
- /* PFHooks: LOOPBACK_IN */
- if (tcp->tcp_ipversion == IPV4_VERSION) {
- DTRACE_PROBE4(ip4__loopback__in__start,
- ill_t *, ilp, ill_t *, NULL,
- ipha_t *, ipha, mblk_t *, mp1);
- FW_HOOKS(ipst->ips_ip4_loopback_in_event,
- ipst->ips_ipv4firewall_loopback_in,
- ilp, NULL, ipha, mp1, mp1, 0, ipst);
- DTRACE_PROBE1(ip4__loopback__in__end, mblk_t *, mp1);
- ill_refrele(ilp);
- if (mp1 == NULL)
- goto unfuse;
-
- ip_hdr_len = IPH_HDR_LENGTH(ipha);
- } else {
- DTRACE_PROBE4(ip6__loopback__in__start,
- ill_t *, ilp, ill_t *, NULL,
- ip6_t *, ip6h, mblk_t *, mp1);
- FW_HOOKS6(ipst->ips_ip6_loopback_in_event,
- ipst->ips_ipv6firewall_loopback_in,
- ilp, NULL, ip6h, mp1, mp1, 0, ipst);
- DTRACE_PROBE1(ip6__loopback__in__end, mblk_t *, mp1);
- ill_refrele(ilp);
- if (mp1 == NULL)
- goto unfuse;
-
- ip_hdr_len = ip_hdr_length_v6(mp1, ip6h);
- }
+ if (hooks_in || hooks_out) {
+ tcpha_t *tcpha;
+
+ ip_hdr_len = (ixaflags & IXAF_IS_IPV4) ?
+ IPH_HDR_LENGTH((ipha_t *)mp1->b_rptr) :
+ ip_hdr_length_v6(mp1, (ip6_t *)mp1->b_rptr);
- /* Data length might be changed by FW_HOOKS */
- tcph = (tcph_t *)&mp1->b_rptr[ip_hdr_len];
- seq = ABE32_TO_U32(tcph->th_seq);
- recv_size += seq - tcp->tcp_snxt;
+ tcpha = (tcpha_t *)&mp1->b_rptr[ip_hdr_len];
+ ASSERT((uchar_t *)tcpha + sizeof (tcpha_t) <=
+ mp1->b_wptr);
+ recv_size += htonl(tcpha->tha_seq) - tcp->tcp_snxt;
+
+ }
/*
* The message duplicated by tcp_xmit_mp is freed.
@@ -712,7 +562,7 @@ tcp_fuse_output(tcp_t *tcp, mblk_t *mp, uint32_t send_size)
* detached we use tcp_rcv_enqueue() instead. Queued data will be
* drained when the accept completes (in tcp_accept_finish()).
*/
- if (IPCL_IS_NONSTR(peer_tcp->tcp_connp) &&
+ if (IPCL_IS_NONSTR(peer_connp) &&
!TCP_IS_DETACHED(peer_tcp)) {
int error;
int flags = 0;
@@ -720,18 +570,18 @@ tcp_fuse_output(tcp_t *tcp, mblk_t *mp, uint32_t send_size)
if ((tcp->tcp_valid_bits & TCP_URG_VALID) &&
(tcp->tcp_urg == tcp->tcp_snxt)) {
flags = MSG_OOB;
- (*peer_tcp->tcp_connp->conn_upcalls->su_signal_oob)
- (peer_tcp->tcp_connp->conn_upper_handle, 0);
+ (*peer_connp->conn_upcalls->su_signal_oob)
+ (peer_connp->conn_upper_handle, 0);
tcp->tcp_valid_bits &= ~TCP_URG_VALID;
}
- if ((*peer_tcp->tcp_connp->conn_upcalls->su_recv)(
- peer_tcp->tcp_connp->conn_upper_handle, mp, recv_size,
+ if ((*peer_connp->conn_upcalls->su_recv)(
+ peer_connp->conn_upper_handle, mp, recv_size,
flags, &error, &push) < 0) {
ASSERT(error != EOPNOTSUPP);
peer_data_queued = B_TRUE;
}
} else {
- if (IPCL_IS_NONSTR(peer_tcp->tcp_connp) &&
+ if (IPCL_IS_NONSTR(peer_connp) &&
(tcp->tcp_valid_bits & TCP_URG_VALID) &&
(tcp->tcp_urg == tcp->tcp_snxt)) {
/*
@@ -744,7 +594,8 @@ tcp_fuse_output(tcp_t *tcp, mblk_t *mp, uint32_t send_size)
return (B_TRUE);
}
- tcp_rcv_enqueue(peer_tcp, mp, recv_size);
+ tcp_rcv_enqueue(peer_tcp, mp, recv_size,
+ tcp->tcp_connp->conn_cred);
/* In case it wrapped around and also to keep it constant */
peer_tcp->tcp_rwnd += recv_size;
@@ -764,22 +615,21 @@ tcp_fuse_output(tcp_t *tcp, mblk_t *mp, uint32_t send_size)
mutex_enter(&tcp->tcp_non_sq_lock);
flow_stopped = tcp->tcp_flow_stopped;
if ((TCP_IS_DETACHED(peer_tcp) &&
- (peer_tcp->tcp_rcv_cnt >= peer_tcp->tcp_recv_hiwater)) ||
+ (peer_tcp->tcp_rcv_cnt >= peer_connp->conn_rcvbuf)) ||
(!TCP_IS_DETACHED(peer_tcp) &&
- !IPCL_IS_NONSTR(peer_tcp->tcp_connp) &&
- !canputnext(peer_tcp->tcp_rq))) {
+ !IPCL_IS_NONSTR(peer_connp) && !canputnext(peer_connp->conn_rq))) {
peer_data_queued = B_TRUE;
}
if (!flow_stopped && (peer_data_queued ||
- (TCP_UNSENT_BYTES(tcp) >= tcp->tcp_xmit_hiwater))) {
+ (TCP_UNSENT_BYTES(tcp) >= connp->conn_sndbuf))) {
tcp_setqfull(tcp);
flow_stopped = B_TRUE;
TCP_STAT(tcps, tcp_fusion_flowctl);
DTRACE_PROBE3(tcp__fuse__output__flowctl, tcp_t *, tcp,
uint_t, send_size, uint_t, peer_tcp->tcp_rcv_cnt);
} else if (flow_stopped && !peer_data_queued &&
- (TCP_UNSENT_BYTES(tcp) <= tcp->tcp_xmit_lowater)) {
+ (TCP_UNSENT_BYTES(tcp) <= connp->conn_sndlowat)) {
tcp_clrqfull(tcp);
TCP_STAT(tcps, tcp_fusion_backenabled);
flow_stopped = B_FALSE;
@@ -818,13 +668,14 @@ tcp_fuse_output(tcp_t *tcp, mblk_t *mp, uint32_t send_size)
/*
* For TLI-based streams, a thread in tcp_accept_swap()
* can race with us. That thread will ensure that the
- * correct peer_tcp->tcp_rq is globally visible before
- * peer_tcp->tcp_detached is visible as clear, but we
- * must also ensure that the load of tcp_rq cannot be
- * reordered to be before the tcp_detached check.
+ * correct peer_connp->conn_rq is globally visible
+ * before peer_tcp->tcp_detached is visible as clear,
+ * but we must also ensure that the load of conn_rq
+ * cannot be reordered to be before the tcp_detached
+ * check.
*/
membar_consumer();
- (void) tcp_fuse_rcv_drain(peer_tcp->tcp_rq, peer_tcp,
+ (void) tcp_fuse_rcv_drain(peer_connp->conn_rq, peer_tcp,
NULL);
}
}
@@ -928,11 +779,11 @@ tcp_fuse_rcv_drain(queue_t *q, tcp_t *tcp, mblk_t **sigurg_mpp)
tcp->tcp_rcv_last_head = NULL;
tcp->tcp_rcv_last_tail = NULL;
tcp->tcp_rcv_cnt = 0;
- tcp->tcp_rwnd = tcp->tcp_recv_hiwater;
+ tcp->tcp_rwnd = tcp->tcp_connp->conn_rcvbuf;
mutex_enter(&peer_tcp->tcp_non_sq_lock);
if (peer_tcp->tcp_flow_stopped && (TCP_UNSENT_BYTES(peer_tcp) <=
- peer_tcp->tcp_xmit_lowater)) {
+ peer_tcp->tcp_connp->conn_sndlowat)) {
tcp_clrqfull(peer_tcp);
TCP_STAT(tcps, tcp_fusion_backenabled);
}
@@ -964,8 +815,8 @@ tcp_fuse_set_rcv_hiwat(tcp_t *tcp, size_t rwnd)
* Record high water mark, this is used for flow-control
* purposes in tcp_fuse_output().
*/
- tcp->tcp_recv_hiwater = rwnd;
- tcp->tcp_rwnd = tcp->tcp_recv_hiwater;
+ tcp->tcp_connp->conn_rcvbuf = rwnd;
+ tcp->tcp_rwnd = rwnd;
return (rwnd);
}
@@ -976,12 +827,13 @@ int
tcp_fuse_maxpsz(tcp_t *tcp)
{
tcp_t *peer_tcp = tcp->tcp_loopback_peer;
- uint_t sndbuf = tcp->tcp_xmit_hiwater;
+ conn_t *connp = tcp->tcp_connp;
+ uint_t sndbuf = connp->conn_sndbuf;
uint_t maxpsz = sndbuf;
ASSERT(tcp->tcp_fused);
ASSERT(peer_tcp != NULL);
- ASSERT(peer_tcp->tcp_recv_hiwater != 0);
+ ASSERT(peer_tcp->tcp_connp->conn_rcvbuf != 0);
/*
* In the fused loopback case, we want the stream head to split
* up larger writes into smaller chunks for a more accurate flow-
@@ -990,8 +842,8 @@ tcp_fuse_maxpsz(tcp_t *tcp)
* We round up the buffer to system page size due to the lack of
* TCP MSS concept in Fusion.
*/
- if (maxpsz > peer_tcp->tcp_recv_hiwater)
- maxpsz = peer_tcp->tcp_recv_hiwater;
+ if (maxpsz > peer_tcp->tcp_connp->conn_rcvbuf)
+ maxpsz = peer_tcp->tcp_connp->conn_rcvbuf;
maxpsz = P2ROUNDUP_TYPED(maxpsz, PAGESIZE, uint_t) >> 1;
return (maxpsz);
@@ -1013,12 +865,12 @@ tcp_fuse_backenable(tcp_t *tcp)
peer_tcp->tcp_connp->conn_sqp);
if (tcp->tcp_rcv_list != NULL)
- (void) tcp_fuse_rcv_drain(tcp->tcp_rq, tcp, NULL);
+ (void) tcp_fuse_rcv_drain(tcp->tcp_connp->conn_rq, tcp, NULL);
mutex_enter(&peer_tcp->tcp_non_sq_lock);
if (peer_tcp->tcp_flow_stopped &&
(TCP_UNSENT_BYTES(peer_tcp) <=
- peer_tcp->tcp_xmit_lowater)) {
+ peer_tcp->tcp_connp->conn_sndlowat)) {
tcp_clrqfull(peer_tcp);
}
mutex_exit(&peer_tcp->tcp_non_sq_lock);
diff --git a/usr/src/uts/common/inet/tcp/tcp_kssl.c b/usr/src/uts/common/inet/tcp/tcp_kssl.c
index 75fa36196a..5d9051aed1 100644
--- a/usr/src/uts/common/inet/tcp/tcp_kssl.c
+++ b/usr/src/uts/common/inet/tcp/tcp_kssl.c
@@ -56,20 +56,21 @@
* For the Kernel SSL proxy
*
* Routines in this file are called on tcp's incoming path,
- * tcp_rput_data() mainly, and right before the message is
+ * tcp_input_data() mainly, and right before the message is
* to be putnext()'ed upstreams.
*/
static void tcp_kssl_input_callback(void *, mblk_t *, kssl_cmd_t);
-static void tcp_kssl_input_asynch(void *, mblk_t *, void *);
+static void tcp_kssl_input_asynch(void *, mblk_t *, void *,
+ ip_recv_attr_t *);
-extern void tcp_output(void *, mblk_t *, void *);
+extern void tcp_output(void *, mblk_t *, void *, ip_recv_attr_t *);
extern void tcp_send_conn_ind(void *, mblk_t *, void *);
extern int tcp_squeue_flag;
/*
- * tcp_rput_data() calls this routine for all packet destined to a
+ * tcp_input_data() calls this routine for all packet destined to a
* connection to the SSL port, when the SSL kernel proxy is configured
* to intercept and process those packets.
* A packet may carry multiple SSL records, so the function
@@ -84,7 +85,7 @@ extern int tcp_squeue_flag;
* which could decrement the conn/tcp reference before we get to increment it.
*/
void
-tcp_kssl_input(tcp_t *tcp, mblk_t *mp)
+tcp_kssl_input(tcp_t *tcp, mblk_t *mp, cred_t *cr)
{
struct conn_s *connp = tcp->tcp_connp;
tcp_t *listener;
@@ -97,15 +98,26 @@ tcp_kssl_input(tcp_t *tcp, mblk_t *mp)
boolean_t is_v4;
void *addr;
+ if (is_system_labeled() && mp != NULL) {
+ ASSERT(cr != NULL || msg_getcred(mp, NULL) != NULL);
+ /*
+ * Provide for protocols above TCP such as RPC. NOPID leaves
+ * db_cpid unchanged.
+ * The cred could have already been set.
+ */
+ if (cr != NULL)
+ mblk_setcred(mp, cr, NOPID);
+ }
+
/* First time here, allocate the SSL context */
if (tcp->tcp_kssl_ctx == NULL) {
ASSERT(tcp->tcp_kssl_pending);
- is_v4 = (tcp->tcp_ipversion == IPV4_VERSION);
+ is_v4 = (connp->conn_ipversion == IPV4_VERSION);
if (is_v4) {
- addr = &tcp->tcp_ipha->ipha_dst;
+ addr = &connp->conn_faddr_v4;
} else {
- addr = &tcp->tcp_ip6h->ip6_dst;
+ addr = &connp->conn_faddr_v6;
}
if (kssl_init_context(tcp->tcp_kssl_ent,
@@ -146,7 +158,7 @@ tcp_kssl_input(tcp_t *tcp, mblk_t *mp)
mutex_enter(&tcp->tcp_non_sq_lock);
tcp->tcp_squeue_bytes += msgdsize(outmp);
mutex_exit(&tcp->tcp_non_sq_lock);
- tcp_output(connp, outmp, NULL);
+ tcp_output(connp, outmp, NULL, NULL);
/* FALLTHROUGH */
case KSSL_CMD_NONE:
@@ -194,7 +206,7 @@ tcp_kssl_input(tcp_t *tcp, mblk_t *mp)
tci->PRIM_type = T_SSL_PROXY_CONN_IND;
/*
- * The code below is copied from tcp_rput_data()
+ * The code below is copied from tcp_input_data
* delivering the T_CONN_IND on a TCPS_SYN_RCVD,
* and all conn ref cnt comments apply.
*/
@@ -214,7 +226,7 @@ tcp_kssl_input(tcp_t *tcp, mblk_t *mp)
SQUEUE_ENTER_ONE(
listener->tcp_connp->conn_sqp,
ind_mp, tcp_send_conn_ind,
- listener->tcp_connp, SQ_FILL,
+ listener->tcp_connp, NULL, SQ_FILL,
SQTAG_TCP_CONN_IND);
}
}
@@ -240,11 +252,12 @@ tcp_kssl_input(tcp_t *tcp, mblk_t *mp)
if (tcp->tcp_listener != NULL) {
DTRACE_PROBE1(kssl_mblk__input_rcv_enqueue,
mblk_t *, outmp);
- tcp_rcv_enqueue(tcp, outmp, msgdsize(outmp));
+ tcp_rcv_enqueue(tcp, outmp, msgdsize(outmp),
+ NULL);
} else {
DTRACE_PROBE1(kssl_mblk__input_putnext,
mblk_t *, outmp);
- putnext(tcp->tcp_rq, outmp);
+ putnext(connp->conn_rq, outmp);
}
/*
* We're at a phase where records are sent upstreams,
@@ -283,7 +296,7 @@ no_can_do:
tci->PRIM_type = T_SSL_PROXY_CONN_IND;
/*
- * The code below is copied from tcp_rput_data()
+ * The code below is copied from tcp_input_data
* delivering the T_CONN_IND on a TCPS_SYN_RCVD,
* and all conn ref cnt comments apply.
*/
@@ -303,12 +316,12 @@ no_can_do:
SQUEUE_ENTER_ONE(
listener->tcp_connp->conn_sqp,
ind_mp, tcp_send_conn_ind,
- listener->tcp_connp,
+ listener->tcp_connp, NULL,
SQ_FILL, SQTAG_TCP_CONN_IND);
}
}
if (mp != NULL)
- tcp_rcv_enqueue(tcp, mp, msgdsize(mp));
+ tcp_rcv_enqueue(tcp, mp, msgdsize(mp), NULL);
break;
}
mp = NULL;
@@ -351,7 +364,7 @@ tcp_kssl_input_callback(void *arg, mblk_t *mp, kssl_cmd_t kssl_cmd)
}
CONN_INC_REF(connp);
SQUEUE_ENTER_ONE(connp->conn_sqp, mp, tcp_output, connp,
- tcp_squeue_flag, SQTAG_TCP_OUTPUT);
+ NULL, tcp_squeue_flag, SQTAG_TCP_OUTPUT);
/* FALLTHROUGH */
case KSSL_CMD_NONE:
@@ -363,9 +376,9 @@ tcp_kssl_input_callback(void *arg, mblk_t *mp, kssl_cmd_t kssl_cmd)
* Keep accumulating if not yet accepted.
*/
if (tcp->tcp_listener != NULL) {
- tcp_rcv_enqueue(tcp, mp, msgdsize(mp));
+ tcp_rcv_enqueue(tcp, mp, msgdsize(mp), NULL);
} else {
- putnext(tcp->tcp_rq, mp);
+ putnext(connp->conn_rq, mp);
}
break;
@@ -383,7 +396,7 @@ tcp_kssl_input_callback(void *arg, mblk_t *mp, kssl_cmd_t kssl_cmd)
if ((sqmp = allocb(1, BPRI_MED)) != NULL) {
CONN_INC_REF(connp);
SQUEUE_ENTER_ONE(connp->conn_sqp, sqmp, tcp_kssl_input_asynch,
- connp, SQ_FILL, SQTAG_TCP_KSSL_INPUT);
+ connp, NULL, SQ_FILL, SQTAG_TCP_KSSL_INPUT);
} else {
DTRACE_PROBE(kssl_err__allocb_failed);
}
@@ -396,7 +409,7 @@ tcp_kssl_input_callback(void *arg, mblk_t *mp, kssl_cmd_t kssl_cmd)
*/
/* ARGSUSED */
void
-tcp_kssl_input_asynch(void *arg, mblk_t *mp, void *arg2)
+tcp_kssl_input_asynch(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
{
conn_t *connp = (conn_t *)arg;
tcp_t *tcp = connp->conn_tcp;
@@ -409,6 +422,6 @@ tcp_kssl_input_asynch(void *arg, mblk_t *mp, void *arg2)
* while we're away
*/
if (tcp->tcp_kssl_ctx != NULL) {
- tcp_kssl_input(tcp, NULL);
+ tcp_kssl_input(tcp, NULL, NULL);
}
}
diff --git a/usr/src/uts/common/inet/tcp/tcp_opt_data.c b/usr/src/uts/common/inet/tcp/tcp_opt_data.c
index fa2529a5ac..d15ff4ffcd 100644
--- a/usr/src/uts/common/inet/tcp/tcp_opt_data.c
+++ b/usr/src/uts/common/inet/tcp/tcp_opt_data.c
@@ -39,12 +39,7 @@
#include <netinet/tcp.h>
#include <inet/optcom.h>
-
-extern int tcp_opt_default(queue_t *q, int level, int name, uchar_t *ptr);
-extern int tcp_tpi_opt_get(queue_t *q, int level, int name, uchar_t *ptr);
-extern int tcp_tpi_opt_set(queue_t *q, uint_t optset_context, int level,
- int name, uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
- void *thisdg_attrs, cred_t *cr, mblk_t *mblk);
+#include <inet/tcp_impl.h>
/*
* Table of all known options handled on a TCP protocol stack.
@@ -55,161 +50,165 @@ extern int tcp_tpi_opt_set(queue_t *q, uint_t optset_context, int level,
*/
opdes_t tcp_opt_arr[] = {
-{ SO_LINGER, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ SO_LINGER, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0,
sizeof (struct linger), 0 },
-{ SO_DEBUG, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_KEEPALIVE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_DONTROUTE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_USELOOPBACK, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0
+{ SO_DEBUG, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_KEEPALIVE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_DONTROUTE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_USELOOPBACK, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
},
-{ SO_BROADCAST, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_REUSEADDR, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_OOBINLINE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_TYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_SNDTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ SO_BROADCAST, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_REUSEADDR, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_OOBINLINE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_TYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
+{ SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_SNDTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0,
sizeof (struct timeval), 0 },
-{ SO_RCVTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ SO_RCVTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0,
sizeof (struct timeval), 0 },
-{ SO_DGRAM_ERRIND, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0
+{ SO_DGRAM_ERRIND, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
},
{ SO_SND_COPYAVOID, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-{ SO_ANON_MLP, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int),
+{ SO_ANON_MLP, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
0 },
-{ SO_MAC_EXEMPT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int),
+{ SO_MAC_EXEMPT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
0 },
-{ SO_MAC_IMPLICIT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int),
+{ SO_MAC_IMPLICIT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
0 },
-{ SO_ALLZONES, SOL_SOCKET, OA_R, OA_RW, OP_CONFIG, OP_PASSNEXT, sizeof (int),
+{ SO_ALLZONES, SOL_SOCKET, OA_R, OA_RW, OP_CONFIG, 0, sizeof (int),
0 },
-{ SO_EXCLBIND, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
+{ SO_EXCLBIND, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
-{ SO_DOMAIN, SOL_SOCKET, OA_R, OA_R, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
+{ SO_DOMAIN, SOL_SOCKET, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
-{ SO_PROTOTYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
+{ SO_PROTOTYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
-{ TCP_NODELAY, IPPROTO_TCP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0
+{ TCP_NODELAY, IPPROTO_TCP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
},
-{ TCP_MAXSEG, IPPROTO_TCP, OA_R, OA_R, OP_NP, OP_PASSNEXT, sizeof (uint_t),
+{ TCP_MAXSEG, IPPROTO_TCP, OA_R, OA_R, OP_NP, 0, sizeof (uint_t),
536 },
{ TCP_NOTIFY_THRESHOLD, IPPROTO_TCP, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_DEF_FN), sizeof (int), -1 /* not initialized */ },
+ OP_DEF_FN, sizeof (int), -1 /* not initialized */ },
{ TCP_ABORT_THRESHOLD, IPPROTO_TCP, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_DEF_FN), sizeof (int), -1 /* not initialized */ },
+ OP_DEF_FN, sizeof (int), -1 /* not initialized */ },
{ TCP_CONN_NOTIFY_THRESHOLD, IPPROTO_TCP, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_DEF_FN), sizeof (int), -1 /* not initialized */ },
+ OP_DEF_FN, sizeof (int), -1 /* not initialized */ },
{ TCP_CONN_ABORT_THRESHOLD, IPPROTO_TCP, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_DEF_FN), sizeof (int), -1 /* not initialized */ },
+ OP_DEF_FN, sizeof (int), -1 /* not initialized */ },
-{ TCP_RECVDSTADDR, IPPROTO_TCP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int),
+{ TCP_RECVDSTADDR, IPPROTO_TCP, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
0 },
-{ TCP_ANONPRIVBIND, IPPROTO_TCP, OA_R, OA_RW, OP_PRIVPORT, OP_PASSNEXT,
+{ TCP_ANONPRIVBIND, IPPROTO_TCP, OA_R, OA_RW, OP_PRIVPORT, 0,
sizeof (int), 0 },
-{ TCP_EXCLBIND, IPPROTO_TCP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0
+{ TCP_EXCLBIND, IPPROTO_TCP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
},
-{ TCP_INIT_CWND, IPPROTO_TCP, OA_RW, OA_RW, OP_CONFIG, OP_PASSNEXT,
+{ TCP_INIT_CWND, IPPROTO_TCP, OA_RW, OA_RW, OP_CONFIG, 0,
sizeof (int), 0 },
-{ TCP_KEEPALIVE_THRESHOLD, IPPROTO_TCP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ TCP_KEEPALIVE_THRESHOLD, IPPROTO_TCP, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ TCP_KEEPALIVE_ABORT_THRESHOLD, IPPROTO_TCP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ TCP_KEEPALIVE_ABORT_THRESHOLD, IPPROTO_TCP, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ TCP_CORK, IPPROTO_TCP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
+{ TCP_CORK, IPPROTO_TCP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
{ IP_OPTIONS, IPPROTO_IP, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT),
+ (OP_VARLEN|OP_NODEFAULT),
IP_MAX_OPT_LENGTH + IP_ADDR_LEN, -1 /* not initialized */ },
{ T_IP_OPTIONS, IPPROTO_IP, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT),
+ (OP_VARLEN|OP_NODEFAULT),
IP_MAX_OPT_LENGTH + IP_ADDR_LEN, -1 /* not initialized */ },
-{ IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ T_IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ IP_TTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, (OP_PASSNEXT|OP_DEF_FN),
+{ IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ T_IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ IP_TTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_DEF_FN,
sizeof (int), -1 /* not initialized */ },
-{ IP_SEC_OPT, IPPROTO_IP, OA_RW, OA_RW, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IP_SEC_OPT, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_NODEFAULT,
sizeof (ipsec_req_t), -1 /* not initialized */ },
-{ IP_BOUND_IF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IP_BOUND_IF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 /* no ifindex */ },
-{ IP_UNSPEC_SRC, IPPROTO_IP, OA_R, OA_RW, OP_RAW, OP_PASSNEXT,
+{ IP_UNSPEC_SRC, IPPROTO_IP, OA_R, OA_RW, OP_RAW, 0,
sizeof (int), 0 },
-{ IPV6_UNICAST_HOPS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, (OP_PASSNEXT|OP_DEF_FN),
+{ IPV6_UNICAST_HOPS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_DEF_FN,
sizeof (int), -1 /* not initialized */ },
-{ IPV6_BOUND_IF, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_BOUND_IF, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 /* no ifindex */ },
-{ IP_NEXTHOP, IPPROTO_IP, OA_R, OA_RW, OP_CONFIG, OP_PASSNEXT,
+{ IP_DONTFRAG, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+
+{ IP_NEXTHOP, IPPROTO_IP, OA_R, OA_RW, OP_CONFIG, 0,
sizeof (in_addr_t), -1 /* not initialized */ },
-{ IPV6_UNSPEC_SRC, IPPROTO_IPV6, OA_R, OA_RW, OP_RAW, OP_PASSNEXT,
+{ IPV6_UNSPEC_SRC, IPPROTO_IPV6, OA_R, OA_RW, OP_RAW, 0,
sizeof (int), 0 },
{ IPV6_PKTINFO, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT|OP_VARLEN),
+ (OP_NODEFAULT|OP_VARLEN),
sizeof (struct in6_pktinfo), -1 /* not initialized */ },
{ IPV6_NEXTHOP, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT),
+ OP_NODEFAULT,
sizeof (sin6_t), -1 /* not initialized */ },
{ IPV6_HOPOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT), 255*8,
+ (OP_VARLEN|OP_NODEFAULT), 255*8,
-1 /* not initialized */ },
{ IPV6_DSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT), 255*8,
+ (OP_VARLEN|OP_NODEFAULT), 255*8,
-1 /* not initialized */ },
{ IPV6_RTHDRDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT), 255*8,
+ (OP_VARLEN|OP_NODEFAULT), 255*8,
-1 /* not initialized */ },
{ IPV6_RTHDR, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT), 255*8,
+ (OP_VARLEN|OP_NODEFAULT), 255*8,
-1 /* not initialized */ },
{ IPV6_TCLASS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT),
+ OP_NODEFAULT,
sizeof (int), -1 /* not initialized */ },
{ IPV6_PATHMTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT),
+ OP_NODEFAULT,
sizeof (struct ip6_mtuinfo), -1 /* not initialized */ },
-{ IPV6_USE_MIN_MTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_DONTFRAG, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
+ sizeof (int), 0 },
+{ IPV6_USE_MIN_MTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_V6ONLY, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_V6ONLY, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
/* Enable receipt of ancillary data */
-{ IPV6_RECVPKTINFO, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVPKTINFO, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVHOPLIMIT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVHOPLIMIT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVHOPOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVHOPOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ _OLD_IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ _OLD_IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVRTHDR, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVRTHDR, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVRTHDRDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVRTHDRDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVTCLASS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVTCLASS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_SEC_OPT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IPV6_SEC_OPT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_NODEFAULT,
sizeof (ipsec_req_t), -1 /* not initialized */ },
-{ IPV6_SRC_PREFERENCES, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_SRC_PREFERENCES, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (uint32_t), IPV6_PREFER_SRC_DEFAULT },
};
@@ -247,7 +246,6 @@ optdb_obj_t tcp_opt_obj = {
tcp_opt_default, /* TCP default value function pointer */
tcp_tpi_opt_get, /* TCP get function pointer */
tcp_tpi_opt_set, /* TCP set function pointer */
- B_TRUE, /* TCP is tpi provider */
TCP_OPT_ARR_CNT, /* TCP option database count of entries */
tcp_opt_arr, /* TCP option database */
TCP_VALID_LEVELS_CNT, /* TCP valid level count of entries */
diff --git a/usr/src/uts/common/inet/tcp_impl.h b/usr/src/uts/common/inet/tcp_impl.h
index bec2b3256f..1b7c87736a 100644
--- a/usr/src/uts/common/inet/tcp_impl.h
+++ b/usr/src/uts/common/inet/tcp_impl.h
@@ -70,41 +70,6 @@ extern "C" {
}
/*
- * Before caching the conn IRE, we need to make sure certain TCP
- * states are in sync with the ire. The mismatch could occur if the
- * TCP state has been set in tcp_adapt_ire() using a different IRE,
- * e.g if an address was not present during an initial connect(),
- * tcp_adapt_ire() will set the state using the interface route.
- * Subsequently, if the address is added to the local machine, the
- * retransmitted SYN will get the correct (loopback) IRE, but the TCP
- * state (tcp_loopback and tcp_localnet) will remain out of sync.
- * This is especially an issue with TCP fusion which relies on the
- * TCP state to be accurate.
- *
- * This check/change should be made only if the TCP is not yet in
- * the established state, else it would lead to inconsistencies.
- */
-#define TCP_CHECK_IREINFO(tcp, ire) { \
- if ((tcp)->tcp_state < TCPS_ESTABLISHED) { \
- if (((ire)->ire_type & (IRE_LOOPBACK | \
- IRE_LOCAL)) && !(tcp)->tcp_loopback) { \
- (tcp)->tcp_loopback = B_TRUE; \
- } else if ((tcp)->tcp_loopback && \
- !((ire)->ire_type & (IRE_LOOPBACK | IRE_LOCAL))) { \
- (tcp)->tcp_loopback = B_FALSE; \
- } \
- if ((tcp)->tcp_ipversion == IPV4_VERSION) { \
- (tcp)->tcp_localnet = \
- ((ire)->ire_gateway_addr == 0); \
- } else { \
- (tcp)->tcp_localnet = \
- IN6_IS_ADDR_UNSPECIFIED( \
- &(ire)->ire_gateway_addr_v6); \
- } \
- } \
-}
-
-/*
* Write-side flow-control is implemented via the per instance STREAMS
* write-side Q by explicitly setting QFULL to stop the flow of mblk_t(s)
* and clearing QFULL and calling qbackenable() to restart the flow based
@@ -205,18 +170,19 @@ typedef struct tcpparam_s {
#define tcps_keepalive_abort_interval_high tcps_params[59].tcp_param_max
#define tcps_keepalive_abort_interval tcps_params[59].tcp_param_val
#define tcps_keepalive_abort_interval_low tcps_params[59].tcp_param_min
+#define tcps_dev_flow_ctl tcps_params[60].tcp_param_val
extern struct qinit tcp_rinitv4, tcp_rinitv6;
extern boolean_t do_tcp_fusion;
extern int tcp_maxpsz_set(tcp_t *, boolean_t);
extern void tcp_timers_stop(tcp_t *);
-extern void tcp_rcv_enqueue(tcp_t *, mblk_t *, uint_t);
+extern void tcp_rcv_enqueue(tcp_t *, mblk_t *, uint_t, cred_t *);
extern void tcp_push_timer(void *);
extern timeout_id_t tcp_timeout(conn_t *, void (*)(void *), clock_t);
extern clock_t tcp_timeout_cancel(conn_t *, timeout_id_t);
-extern void tcp_fuse(tcp_t *, uchar_t *, tcph_t *);
+extern void tcp_fuse(tcp_t *, uchar_t *, tcpha_t *);
extern void tcp_unfuse(tcp_t *);
extern boolean_t tcp_fuse_output(tcp_t *, mblk_t *, uint32_t);
extern void tcp_fuse_output_urg(tcp_t *, mblk_t *);
@@ -242,6 +208,11 @@ extern int tcp_fallback(sock_lower_handle_t, queue_t *, boolean_t,
extern sock_downcalls_t sock_tcp_downcalls;
+extern int tcp_opt_default(queue_t *, t_scalar_t, t_scalar_t, uchar_t *);
+extern int tcp_tpi_opt_get(queue_t *, t_scalar_t, t_scalar_t, uchar_t *);
+extern int tcp_tpi_opt_set(queue_t *, uint_t, int, int, uint_t, uchar_t *,
+ uint_t *, uchar_t *, void *, cred_t *);
+
#endif /* _KERNEL */
#ifdef __cplusplus
diff --git a/usr/src/uts/common/inet/tcp_stack.h b/usr/src/uts/common/inet/tcp_stack.h
index 2c151894eb..a254da4b43 100644
--- a/usr/src/uts/common/inet/tcp_stack.h
+++ b/usr/src/uts/common/inet/tcp_stack.h
@@ -42,9 +42,6 @@ typedef struct tcp_stat {
kstat_named_t tcp_time_wait;
kstat_named_t tcp_time_wait_syn;
kstat_named_t tcp_time_wait_syn_success;
- kstat_named_t tcp_time_wait_syn_fail;
- kstat_named_t tcp_reinput_syn;
- kstat_named_t tcp_ip_output;
kstat_named_t tcp_detach_non_time_wait;
kstat_named_t tcp_detach_time_wait;
kstat_named_t tcp_time_wait_reap;
@@ -82,37 +79,14 @@ typedef struct tcp_stat {
kstat_named_t tcp_timermp_freed;
kstat_named_t tcp_push_timer_cnt;
kstat_named_t tcp_ack_timer_cnt;
- kstat_named_t tcp_ire_null1;
- kstat_named_t tcp_ire_null;
- kstat_named_t tcp_ip_send;
- kstat_named_t tcp_ip_ire_send;
kstat_named_t tcp_wsrv_called;
kstat_named_t tcp_flwctl_on;
kstat_named_t tcp_timer_fire_early;
kstat_named_t tcp_timer_fire_miss;
kstat_named_t tcp_rput_v6_error;
- kstat_named_t tcp_out_sw_cksum;
- kstat_named_t tcp_out_sw_cksum_bytes;
kstat_named_t tcp_zcopy_on;
kstat_named_t tcp_zcopy_off;
kstat_named_t tcp_zcopy_backoff;
- kstat_named_t tcp_zcopy_disable;
- kstat_named_t tcp_mdt_pkt_out;
- kstat_named_t tcp_mdt_pkt_out_v4;
- kstat_named_t tcp_mdt_pkt_out_v6;
- kstat_named_t tcp_mdt_discarded;
- kstat_named_t tcp_mdt_conn_halted1;
- kstat_named_t tcp_mdt_conn_halted2;
- kstat_named_t tcp_mdt_conn_halted3;
- kstat_named_t tcp_mdt_conn_resumed1;
- kstat_named_t tcp_mdt_conn_resumed2;
- kstat_named_t tcp_mdt_legacy_small;
- kstat_named_t tcp_mdt_legacy_all;
- kstat_named_t tcp_mdt_legacy_ret;
- kstat_named_t tcp_mdt_allocfail;
- kstat_named_t tcp_mdt_addpdescfail;
- kstat_named_t tcp_mdt_allocd;
- kstat_named_t tcp_mdt_linked;
kstat_named_t tcp_fusion_flowctl;
kstat_named_t tcp_fusion_backenabled;
kstat_named_t tcp_fusion_urg;
@@ -154,15 +128,6 @@ struct tcp_stack {
mib2_tcp_t tcps_mib;
- /* Protected by tcps_g_q_lock */
- queue_t *tcps_g_q; /* Default queue */
- uint_t tcps_refcnt; /* Total number of tcp_t's */
- kmutex_t tcps_g_q_lock;
- kcondvar_t tcps_g_q_cv;
- kthread_t *tcps_g_q_creator;
- struct __ldi_handle *tcps_g_q_lh;
- cred_t *tcps_g_q_cr; /* For _inactive close call */
-
/*
* Extra privileged ports. In host byte order.
* Protected by tcp_epriv_port_lock.
@@ -182,9 +147,6 @@ struct tcp_stack {
caddr_t tcps_g_nd;
struct tcpparam_s *tcps_params; /* ndd parameters */
struct tcpparam_s *tcps_wroff_xtra_param;
- struct tcpparam_s *tcps_mdt_head_param;
- struct tcpparam_s *tcps_mdt_tail_param;
- struct tcpparam_s *tcps_mdt_max_pbufs_param;
/* Hint not protected by any lock */
uint_t tcps_next_port_to_try;
@@ -222,6 +184,11 @@ struct tcp_stack {
/* The number of RST not sent because of the rate limit. */
uint32_t tcps_rst_unsent;
ldi_ident_t tcps_ldi_ident;
+
+ /* Used to synchronize access when reclaiming memory */
+ mblk_t *tcps_ixa_cleanup_mp;
+ kmutex_t tcps_ixa_cleanup_lock;
+ kcondvar_t tcps_ixa_cleanup_cv;
};
typedef struct tcp_stack tcp_stack_t;
diff --git a/usr/src/uts/common/inet/udp/udp.c b/usr/src/uts/common/inet/udp/udp.c
index d0bab511b0..e18fc57f40 100644
--- a/usr/src/uts/common/inet/udp/udp.c
+++ b/usr/src/uts/common/inet/udp/udp.c
@@ -26,12 +26,9 @@
#include <sys/types.h>
#include <sys/stream.h>
-#include <sys/dlpi.h>
-#include <sys/pattr.h>
#include <sys/stropts.h>
#include <sys/strlog.h>
#include <sys/strsun.h>
-#include <sys/time.h>
#define _SUN_TPI_VERSION 2
#include <sys/tihdr.h>
#include <sys/timod.h>
@@ -41,7 +38,9 @@
#include <sys/suntpi.h>
#include <sys/xti_inet.h>
#include <sys/kmem.h>
+#include <sys/cred_impl.h>
#include <sys/policy.h>
+#include <sys/priv.h>
#include <sys/ucred.h>
#include <sys/zone.h>
@@ -57,12 +56,11 @@
#include <netinet/ip6.h>
#include <netinet/icmp6.h>
#include <netinet/udp.h>
-#include <net/if.h>
-#include <net/route.h>
#include <inet/common.h>
#include <inet/ip.h>
#include <inet/ip_impl.h>
+#include <inet/ipsec_impl.h>
#include <inet/ip6.h>
#include <inet/ip_ire.h>
#include <inet/ip_if.h>
@@ -74,34 +72,25 @@
#include <inet/optcom.h>
#include <inet/snmpcom.h>
#include <inet/kstatcom.h>
-#include <inet/udp_impl.h>
#include <inet/ipclassifier.h>
-#include <inet/ipsec_impl.h>
-#include <inet/ipp_common.h>
#include <sys/squeue_impl.h>
#include <inet/ipnet.h>
#include <sys/ethernet.h>
-/*
- * The ipsec_info.h header file is here since it has the definition for the
- * M_CTL message types used by IP to convey information to the ULP. The
- * ipsec_info.h needs the pfkeyv2.h, hence the latter's presence.
- */
-#include <net/pfkeyv2.h>
-#include <inet/ipsec_info.h>
-
#include <sys/tsol/label.h>
#include <sys/tsol/tnet.h>
#include <rpc/pmap_prot.h>
+#include <inet/udp_impl.h>
+
/*
* Synchronization notes:
*
* UDP is MT and uses the usual kernel synchronization primitives. There are 2
- * locks, the fanout lock (uf_lock) and the udp endpoint lock udp_rwlock.
- * We also use conn_lock when updating things that affect the IP classifier
- * lookup.
- * The lock order is udp_rwlock -> uf_lock and is udp_rwlock -> conn_lock.
+ * locks, the fanout lock (uf_lock) and conn_lock. conn_lock
+ * protects the contents of the udp_t. uf_lock protects the address and the
+ * fanout information.
+ * The lock order is conn_lock -> uf_lock.
*
* The fanout lock uf_lock:
* When a UDP endpoint is bound to a local port, it is inserted into
@@ -114,11 +103,6 @@
* from the bind hash list only when it is being unbound or being closed.
* The per bucket lock also protects a UDP endpoint's state changes.
*
- * The udp_rwlock:
- * This protects most of the other fields in the udp_t. The exact list of
- * fields which are protected by each of the above locks is documented in
- * the udp_t structure definition.
- *
* Plumbing notes:
* UDP is always a device driver. For compatibility with mibopen() code
* it is possible to I_PUSH "udp", but that results in pushing a passthrough
@@ -133,41 +117,32 @@
/* For /etc/system control */
uint_t udp_bind_fanout_size = UDP_BIND_FANOUT_SIZE;
-/* Option processing attrs */
-typedef struct udpattrs_s {
- union {
- ip6_pkt_t *udpattr_ipp6; /* For V6 */
- ip4_pkt_t *udpattr_ipp4; /* For V4 */
- } udpattr_ippu;
-#define udpattr_ipp6 udpattr_ippu.udpattr_ipp6
-#define udpattr_ipp4 udpattr_ippu.udpattr_ipp4
- mblk_t *udpattr_mb;
- boolean_t udpattr_credset;
-} udpattrs_t;
-
static void udp_addr_req(queue_t *q, mblk_t *mp);
static void udp_tpi_bind(queue_t *q, mblk_t *mp);
static void udp_bind_hash_insert(udp_fanout_t *uf, udp_t *udp);
static void udp_bind_hash_remove(udp_t *udp, boolean_t caller_holds_lock);
-static int udp_build_hdrs(udp_t *udp);
+static int udp_build_hdr_template(conn_t *, const in6_addr_t *,
+ const in6_addr_t *, in_port_t, uint32_t);
static void udp_capability_req(queue_t *q, mblk_t *mp);
static int udp_tpi_close(queue_t *q, int flags);
+static void udp_close_free(conn_t *);
static void udp_tpi_connect(queue_t *q, mblk_t *mp);
static void udp_tpi_disconnect(queue_t *q, mblk_t *mp);
static void udp_err_ack(queue_t *q, mblk_t *mp, t_scalar_t t_error,
- int sys_error);
-static void udp_err_ack_prim(queue_t *q, mblk_t *mp, int primitive,
- t_scalar_t tlierr, int unixerr);
+ int sys_error);
+static void udp_err_ack_prim(queue_t *q, mblk_t *mp, t_scalar_t primitive,
+ t_scalar_t tlierr, int sys_error);
static int udp_extra_priv_ports_get(queue_t *q, mblk_t *mp, caddr_t cp,
cred_t *cr);
static int udp_extra_priv_ports_add(queue_t *q, mblk_t *mp,
char *value, caddr_t cp, cred_t *cr);
static int udp_extra_priv_ports_del(queue_t *q, mblk_t *mp,
char *value, caddr_t cp, cred_t *cr);
-static void udp_icmp_error(conn_t *, mblk_t *);
-static void udp_icmp_error_ipv6(conn_t *, mblk_t *);
+static void udp_icmp_input(void *, mblk_t *, void *, ip_recv_attr_t *);
+static void udp_icmp_error_ipv6(conn_t *connp, mblk_t *mp,
+ ip_recv_attr_t *ira);
static void udp_info_req(queue_t *q, mblk_t *mp);
-static void udp_input(void *, mblk_t *, void *);
+static void udp_input(void *, mblk_t *, void *, ip_recv_attr_t *);
static void udp_lrput(queue_t *, mblk_t *);
static void udp_lwput(queue_t *, mblk_t *);
static int udp_open(queue_t *q, dev_t *devp, int flag, int sflag,
@@ -176,24 +151,34 @@ static int udp_openv4(queue_t *q, dev_t *devp, int flag, int sflag,
cred_t *credp);
static int udp_openv6(queue_t *q, dev_t *devp, int flag, int sflag,
cred_t *credp);
-static int udp_unitdata_opt_process(queue_t *q, mblk_t *mp,
- int *errorp, udpattrs_t *udpattrs);
static boolean_t udp_opt_allow_udr_set(t_scalar_t level, t_scalar_t name);
+int udp_opt_set(conn_t *connp, uint_t optset_context,
+ int level, int name, uint_t inlen,
+ uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
+ void *thisdg_attrs, cred_t *cr);
+int udp_opt_get(conn_t *connp, int level, int name,
+ uchar_t *ptr);
+static int udp_output_connected(conn_t *connp, mblk_t *mp, cred_t *cr,
+ pid_t pid);
+static int udp_output_lastdst(conn_t *connp, mblk_t *mp, cred_t *cr,
+ pid_t pid, ip_xmit_attr_t *ixa);
+static int udp_output_newdst(conn_t *connp, mblk_t *data_mp, sin_t *sin,
+ sin6_t *sin6, ushort_t ipversion, cred_t *cr, pid_t,
+ ip_xmit_attr_t *ixa);
static int udp_param_get(queue_t *q, mblk_t *mp, caddr_t cp, cred_t *cr);
static boolean_t udp_param_register(IDP *ndp, udpparam_t *udppa, int cnt);
static int udp_param_set(queue_t *q, mblk_t *mp, char *value, caddr_t cp,
cred_t *cr);
-static void udp_send_data(udp_t *udp, queue_t *q, mblk_t *mp,
- ipha_t *ipha);
-static void udp_ud_err(queue_t *q, mblk_t *mp, uchar_t *destaddr,
- t_scalar_t destlen, t_scalar_t err);
+static mblk_t *udp_prepend_hdr(conn_t *, ip_xmit_attr_t *, const ip_pkt_t *,
+ const in6_addr_t *, const in6_addr_t *, in_port_t, uint32_t, mblk_t *,
+ int *);
+static mblk_t *udp_prepend_header_template(conn_t *, ip_xmit_attr_t *,
+ mblk_t *, const in6_addr_t *, in_port_t, uint32_t, int *);
+static void udp_ud_err(queue_t *q, mblk_t *mp, t_scalar_t err);
+static void udp_ud_err_connected(conn_t *, t_scalar_t);
static void udp_tpi_unbind(queue_t *q, mblk_t *mp);
static in_port_t udp_update_next_port(udp_t *udp, in_port_t port,
boolean_t random);
-static mblk_t *udp_output_v4(conn_t *, mblk_t *, ipaddr_t, uint16_t, uint_t,
- int *, boolean_t, struct nmsghdr *, cred_t *, pid_t);
-static mblk_t *udp_output_v6(conn_t *connp, mblk_t *mp, sin6_t *sin6,
- int *error, struct nmsghdr *msg, cred_t *cr, pid_t pid);
static void udp_wput_other(queue_t *q, mblk_t *mp);
static void udp_wput_iocdata(queue_t *q, mblk_t *mp);
static void udp_wput_fallback(queue_t *q, mblk_t *mp);
@@ -208,11 +193,9 @@ static void *udp_kstat2_init(netstackid_t, udp_stat_t *);
static void udp_kstat2_fini(netstackid_t, kstat_t *);
static int udp_kstat_update(kstat_t *kp, int rw);
-static void udp_xmit(queue_t *, mblk_t *, ire_t *ire, conn_t *, zoneid_t);
-static int udp_send_connected(conn_t *, mblk_t *, struct nmsghdr *,
- cred_t *, pid_t);
-static void udp_ulp_recv(conn_t *, mblk_t *);
+/* Common routines for TPI and socket module */
+static void udp_ulp_recv(conn_t *, mblk_t *, uint_t, ip_recv_attr_t *);
/* Common routine for TPI and socket module */
static conn_t *udp_do_open(cred_t *, boolean_t, int);
@@ -220,30 +203,20 @@ static void udp_do_close(conn_t *);
static int udp_do_bind(conn_t *, struct sockaddr *, socklen_t, cred_t *,
boolean_t);
static int udp_do_unbind(conn_t *);
-static int udp_do_getsockname(udp_t *, struct sockaddr *, uint_t *);
-static int udp_do_getpeername(udp_t *, struct sockaddr *, uint_t *);
int udp_getsockname(sock_lower_handle_t,
struct sockaddr *, socklen_t *, cred_t *);
int udp_getpeername(sock_lower_handle_t,
struct sockaddr *, socklen_t *, cred_t *);
static int udp_do_connect(conn_t *, const struct sockaddr *, socklen_t,
- cred_t *cr);
-static int udp_post_ip_bind_connect(udp_t *, mblk_t *, int);
+ cred_t *, pid_t);
#define UDP_RECV_HIWATER (56 * 1024)
#define UDP_RECV_LOWATER 128
#define UDP_XMIT_HIWATER (56 * 1024)
#define UDP_XMIT_LOWATER 1024
-/*
- * The following is defined in tcp.c
- */
-extern int (*cl_inet_connect2)(netstackid_t stack_id,
- uint8_t protocol, boolean_t is_outgoing,
- sa_family_t addr_family,
- uint8_t *laddrp, in_port_t lport,
- uint8_t *faddrp, in_port_t fport, void *args);
+#pragma inline(udp_output_connected, udp_output_newdst, udp_output_lastdst)
/*
* Checks if the given destination addr/port is allowed out.
@@ -251,7 +224,7 @@ extern int (*cl_inet_connect2)(netstackid_t stack_id,
* Called for each connect() and for sendto()/sendmsg() to a different
* destination.
* For connect(), called in udp_connect().
- * For sendto()/sendmsg(), called in udp_output_v{4,6}().
+ * For sendto()/sendmsg(), called in udp_output_newdst().
*
* This macro assumes that the cl_inet_connect2 hook is not NULL.
* Please check this before calling this macro.
@@ -260,25 +233,26 @@ extern int (*cl_inet_connect2)(netstackid_t stack_id,
* CL_INET_UDP_CONNECT(conn_t cp, udp_t *udp, boolean_t is_outgoing,
* in6_addr_t *faddrp, in_port_t (or uint16_t) fport, int err);
*/
-#define CL_INET_UDP_CONNECT(cp, udp, is_outgoing, faddrp, fport, err) { \
+#define CL_INET_UDP_CONNECT(cp, is_outgoing, faddrp, fport, err) { \
(err) = 0; \
/* \
* Running in cluster mode - check and register active \
* "connection" information \
*/ \
- if ((udp)->udp_ipversion == IPV4_VERSION) \
+ if ((cp)->conn_ipversion == IPV4_VERSION) \
(err) = (*cl_inet_connect2)( \
(cp)->conn_netstack->netstack_stackid, \
IPPROTO_UDP, is_outgoing, AF_INET, \
- (uint8_t *)&((udp)->udp_v6src._S6_un._S6_u32[3]), \
- (udp)->udp_port, \
- (uint8_t *)&((faddrp)->_S6_un._S6_u32[3]), \
+ (uint8_t *)&((cp)->conn_laddr_v4), \
+ (cp)->conn_lport, \
+ (uint8_t *)&(V4_PART_OF_V6(*faddrp)), \
(in_port_t)(fport), NULL); \
else \
(err) = (*cl_inet_connect2)( \
(cp)->conn_netstack->netstack_stackid, \
IPPROTO_UDP, is_outgoing, AF_INET6, \
- (uint8_t *)&((udp)->udp_v6src), (udp)->udp_port, \
+ (uint8_t *)&((cp)->conn_laddr_v6), \
+ (cp)->conn_lport, \
(uint8_t *)(faddrp), (in_port_t)(fport), NULL); \
}
@@ -387,6 +361,8 @@ udpparam_t udp_param_arr[] = {
{ 0, (1<<30), UDP_XMIT_LOWATER, "udp_xmit_lowat"},
{ UDP_RECV_LOWATER, (1<<30), UDP_RECV_HIWATER, "udp_recv_hiwat"},
{ 65536, (1<<30), 2*1024*1024, "udp_max_buf"},
+ { 0, 1, 0, "udp_pmtu_discovery" },
+ { 0, 1, 0, "udp_sendto_ignerr" },
};
/* END CSTYLED */
@@ -451,9 +427,10 @@ retry:
static void
udp_bind_hash_remove(udp_t *udp, boolean_t caller_holds_lock)
{
- udp_t *udpnext;
- kmutex_t *lockp;
- udp_stack_t *us = udp->udp_us;
+ udp_t *udpnext;
+ kmutex_t *lockp;
+ udp_stack_t *us = udp->udp_us;
+ conn_t *connp = udp->udp_connp;
if (udp->udp_ptpbhn == NULL)
return;
@@ -462,9 +439,9 @@ udp_bind_hash_remove(udp_t *udp, boolean_t caller_holds_lock)
* Extract the lock pointer in case there are concurrent
* hash_remove's for this instance.
*/
- ASSERT(udp->udp_port != 0);
+ ASSERT(connp->conn_lport != 0);
if (!caller_holds_lock) {
- lockp = &us->us_bind_fanout[UDP_BIND_HASH(udp->udp_port,
+ lockp = &us->us_bind_fanout[UDP_BIND_HASH(connp->conn_lport,
us->us_bind_fanout_size)].uf_lock;
ASSERT(lockp != NULL);
mutex_enter(lockp);
@@ -486,8 +463,10 @@ udp_bind_hash_remove(udp_t *udp, boolean_t caller_holds_lock)
static void
udp_bind_hash_insert(udp_fanout_t *uf, udp_t *udp)
{
+ conn_t *connp = udp->udp_connp;
udp_t **udpp;
udp_t *udpnext;
+ conn_t *connext;
ASSERT(MUTEX_HELD(&uf->uf_lock));
ASSERT(udp->udp_ptpbhn == NULL);
@@ -503,11 +482,11 @@ udp_bind_hash_insert(udp_fanout_t *uf, udp_t *udp)
* specific address get preference over those binding to
* INADDR_ANY.
*/
- if (V6_OR_V4_INADDR_ANY(udp->udp_bound_v6src) &&
- !V6_OR_V4_INADDR_ANY(udpnext->udp_bound_v6src)) {
+ connext = udpnext->udp_connp;
+ if (V6_OR_V4_INADDR_ANY(connp->conn_bound_addr_v6) &&
+ !V6_OR_V4_INADDR_ANY(connext->conn_bound_addr_v6)) {
while ((udpnext = udpp[0]) != NULL &&
- !V6_OR_V4_INADDR_ANY(
- udpnext->udp_bound_v6src)) {
+ !V6_OR_V4_INADDR_ANY(connext->conn_bound_addr_v6)) {
udpp = &(udpnext->udp_bind_hash);
}
if (udpnext != NULL)
@@ -525,10 +504,9 @@ udp_bind_hash_insert(udp_fanout_t *uf, udp_t *udp)
* This routine is called to handle each O_T_BIND_REQ/T_BIND_REQ message
* passed to udp_wput.
* It associates a port number and local address with the stream.
- * The O_T_BIND_REQ/T_BIND_REQ is passed downstream to ip with the UDP
- * protocol type (IPPROTO_UDP) placed in the message following the address.
- * A T_BIND_ACK message is passed upstream when ip acknowledges the request.
- * (Called as writer.)
+ * It calls IP to verify the local IP address, and calls IP to insert
+ * the conn_t in the fanout table.
+ * If everything is ok it then sends the T_BIND_ACK back up.
*
* Note that UDP over IPv4 and IPv6 sockets can use the same port number
* without setting SO_REUSEADDR. This is needed so that they
@@ -580,10 +558,10 @@ udp_tpi_bind(queue_t *q, mblk_t *mp)
}
/*
* Reallocate the message to make sure we have enough room for an
- * address and the protocol type.
+ * address.
*/
- mp1 = reallocb(mp, sizeof (struct T_bind_ack) + sizeof (sin6_t) + 1, 1);
- if (!mp1) {
+ mp1 = reallocb(mp, sizeof (struct T_bind_ack) + sizeof (sin6_t), 1);
+ if (mp1 == NULL) {
udp_err_ack(q, mp, TSYSERR, ENOMEM);
return;
}
@@ -597,7 +575,7 @@ udp_tpi_bind(queue_t *q, mblk_t *mp)
switch (tbr->ADDR_length) {
case 0: /* Request for a generic port */
tbr->ADDR_offset = sizeof (struct T_bind_req);
- if (udp->udp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
tbr->ADDR_length = sizeof (sin_t);
sin = (sin_t *)&tbr[1];
*sin = sin_null;
@@ -605,7 +583,7 @@ udp_tpi_bind(queue_t *q, mblk_t *mp)
mp->b_wptr = (uchar_t *)&sin[1];
sa = (struct sockaddr *)sin;
} else {
- ASSERT(udp->udp_family == AF_INET6);
+ ASSERT(connp->conn_family == AF_INET6);
tbr->ADDR_length = sizeof (sin6_t);
sin6 = (sin6_t *)&tbr[1];
*sin6 = sin6_null;
@@ -622,7 +600,7 @@ udp_tpi_bind(queue_t *q, mblk_t *mp)
udp_err_ack(q, mp, TSYSERR, EINVAL);
return;
}
- if (udp->udp_family != AF_INET ||
+ if (connp->conn_family != AF_INET ||
sa->sa_family != AF_INET) {
udp_err_ack(q, mp, TSYSERR, EAFNOSUPPORT);
return;
@@ -636,7 +614,7 @@ udp_tpi_bind(queue_t *q, mblk_t *mp)
udp_err_ack(q, mp, TSYSERR, EINVAL);
return;
}
- if (udp->udp_family != AF_INET6 ||
+ if (connp->conn_family != AF_INET6 ||
sa->sa_family != AF_INET6) {
udp_err_ack(q, mp, TSYSERR, EAFNOSUPPORT);
return;
@@ -669,29 +647,21 @@ udp_tpi_bind(queue_t *q, mblk_t *mp)
* This routine handles each T_CONN_REQ message passed to udp. It
* associates a default destination address with the stream.
*
- * This routine sends down a T_BIND_REQ to IP with the following mblks:
- * T_BIND_REQ - specifying local and remote address/port
- * IRE_DB_REQ_TYPE - to get an IRE back containing ire_type and src
- * T_OK_ACK - for the T_CONN_REQ
- * T_CONN_CON - to keep the TPI user happy
- *
- * The connect completes in udp_do_connect.
- * When a T_BIND_ACK is received information is extracted from the IRE
- * and the two appended messages are sent to the TPI user.
- * Should udp_bind_result receive T_ERROR_ACK for the T_BIND_REQ it will
- * convert it to an error ack for the appropriate primitive.
+ * After various error checks are completed, udp_connect() lays
+ * the target address and port into the composite header template.
+ * Then we ask IP for information, including a source address if we didn't
+ * already have one. Finally we send up the T_OK_ACK reply message.
*/
static void
udp_tpi_connect(queue_t *q, mblk_t *mp)
{
- udp_t *udp;
conn_t *connp = Q_TO_CONN(q);
int error;
socklen_t len;
struct sockaddr *sa;
struct T_conn_req *tcr;
cred_t *cr;
-
+ pid_t pid;
/*
* All Solaris components should pass a db_credp
* for this TPI message, hence we ASSERT.
@@ -699,14 +669,13 @@ udp_tpi_connect(queue_t *q, mblk_t *mp)
* like a TPI message sent by some other kernel
* component, we check and return an error.
*/
- cr = msg_getcred(mp, NULL);
+ cr = msg_getcred(mp, &pid);
ASSERT(cr != NULL);
if (cr == NULL) {
udp_err_ack(q, mp, TSYSERR, EINVAL);
return;
}
- udp = connp->conn_udp;
tcr = (struct T_conn_req *)mp->b_rptr;
/* A bit of sanity checking */
@@ -724,7 +693,7 @@ udp_tpi_connect(queue_t *q, mblk_t *mp)
* Determine packet type based on type of address passed in
* the request should contain an IPv4 or IPv6 address.
* Make sure that address family matches the type of
- * family of the the address passed down
+ * family of the address passed down.
*/
len = tcr->DEST_length;
switch (tcr->DEST_length) {
@@ -743,13 +712,13 @@ udp_tpi_connect(queue_t *q, mblk_t *mp)
break;
}
- error = proto_verify_ip_addr(udp->udp_family, sa, len);
+ error = proto_verify_ip_addr(connp->conn_family, sa, len);
if (error != 0) {
udp_err_ack(q, mp, TSYSERR, error);
return;
}
- error = udp_do_connect(connp, sa, len, cr);
+ error = udp_do_connect(connp, sa, len, cr, pid);
if (error != 0) {
if (error < 0)
udp_err_ack(q, mp, -error, 0);
@@ -761,7 +730,7 @@ udp_tpi_connect(queue_t *q, mblk_t *mp)
* We have to send a connection confirmation to
* keep TLI happy.
*/
- if (udp->udp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
mp1 = mi_tpi_conn_con(NULL, (char *)sa,
sizeof (sin_t), NULL, 0);
} else {
@@ -810,72 +779,14 @@ done:
return (0);
}
-/*
- * Called in the close path to quiesce the conn
- */
-void
-udp_quiesce_conn(conn_t *connp)
-{
- udp_t *udp = connp->conn_udp;
-
- if (cl_inet_unbind != NULL && udp->udp_state == TS_IDLE) {
- /*
- * Running in cluster mode - register unbind information
- */
- if (udp->udp_ipversion == IPV4_VERSION) {
- (*cl_inet_unbind)(
- connp->conn_netstack->netstack_stackid,
- IPPROTO_UDP, AF_INET,
- (uint8_t *)(&(V4_PART_OF_V6(udp->udp_v6src))),
- (in_port_t)udp->udp_port, NULL);
- } else {
- (*cl_inet_unbind)(
- connp->conn_netstack->netstack_stackid,
- IPPROTO_UDP, AF_INET6,
- (uint8_t *)(&(udp->udp_v6src)),
- (in_port_t)udp->udp_port, NULL);
- }
- }
-
- udp_bind_hash_remove(udp, B_FALSE);
-
-}
-
-void
+static void
udp_close_free(conn_t *connp)
{
udp_t *udp = connp->conn_udp;
/* If there are any options associated with the stream, free them. */
- if (udp->udp_ip_snd_options != NULL) {
- mi_free((char *)udp->udp_ip_snd_options);
- udp->udp_ip_snd_options = NULL;
- udp->udp_ip_snd_options_len = 0;
- }
-
- if (udp->udp_ip_rcv_options != NULL) {
- mi_free((char *)udp->udp_ip_rcv_options);
- udp->udp_ip_rcv_options = NULL;
- udp->udp_ip_rcv_options_len = 0;
- }
-
- /* Free memory associated with sticky options */
- if (udp->udp_sticky_hdrs_len != 0) {
- kmem_free(udp->udp_sticky_hdrs,
- udp->udp_sticky_hdrs_len);
- udp->udp_sticky_hdrs = NULL;
- udp->udp_sticky_hdrs_len = 0;
- }
- if (udp->udp_last_cred != NULL) {
- crfree(udp->udp_last_cred);
- udp->udp_last_cred = NULL;
- }
- if (udp->udp_effective_cred != NULL) {
- crfree(udp->udp_effective_cred);
- udp->udp_effective_cred = NULL;
- }
-
- ip6_pkt_free(&udp->udp_sticky_ipp);
+ if (udp->udp_recv_ipp.ipp_fields != 0)
+ ip_pkt_free(&udp->udp_recv_ipp);
/*
* Clear any fields which the kmem_cache constructor clears.
@@ -892,59 +803,48 @@ static int
udp_do_disconnect(conn_t *connp)
{
udp_t *udp;
- mblk_t *ire_mp;
udp_fanout_t *udpf;
udp_stack_t *us;
int error;
udp = connp->conn_udp;
us = udp->udp_us;
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- if (udp->udp_state != TS_DATA_XFER || udp->udp_pending_op != -1) {
- rw_exit(&udp->udp_rwlock);
+ mutex_enter(&connp->conn_lock);
+ if (udp->udp_state != TS_DATA_XFER) {
+ mutex_exit(&connp->conn_lock);
return (-TOUTSTATE);
}
- udp->udp_pending_op = T_DISCON_REQ;
- udpf = &us->us_bind_fanout[UDP_BIND_HASH(udp->udp_port,
+ udpf = &us->us_bind_fanout[UDP_BIND_HASH(connp->conn_lport,
us->us_bind_fanout_size)];
mutex_enter(&udpf->uf_lock);
- udp->udp_v6src = udp->udp_bound_v6src;
+ if (connp->conn_mcbc_bind)
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ else
+ connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_laddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_faddr_v6 = ipv6_all_zeros;
+ connp->conn_fport = 0;
udp->udp_state = TS_IDLE;
mutex_exit(&udpf->uf_lock);
- if (udp->udp_family == AF_INET6) {
- /* Rebuild the header template */
- error = udp_build_hdrs(udp);
- if (error != 0) {
- udp->udp_pending_op = -1;
- rw_exit(&udp->udp_rwlock);
- return (error);
- }
- }
+ /* Remove any remnants of mapped address binding */
+ if (connp->conn_family == AF_INET6)
+ connp->conn_ipversion = IPV6_VERSION;
- ire_mp = allocb(sizeof (ire_t), BPRI_HI);
- if (ire_mp == NULL) {
- mutex_enter(&udpf->uf_lock);
- udp->udp_pending_op = -1;
- mutex_exit(&udpf->uf_lock);
- rw_exit(&udp->udp_rwlock);
- return (ENOMEM);
- }
-
- rw_exit(&udp->udp_rwlock);
-
- if (udp->udp_family == AF_INET6) {
- error = ip_proto_bind_laddr_v6(connp, &ire_mp, IPPROTO_UDP,
- &udp->udp_bound_v6src, udp->udp_port, B_TRUE);
- } else {
- error = ip_proto_bind_laddr_v4(connp, &ire_mp, IPPROTO_UDP,
- V4_PART_OF_V6(udp->udp_bound_v6src), udp->udp_port, B_TRUE);
- }
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ error = udp_build_hdr_template(connp, &connp->conn_saddr_v6,
+ &connp->conn_faddr_v6, connp->conn_fport, connp->conn_flowinfo);
+ mutex_exit(&connp->conn_lock);
+ if (error != 0)
+ return (error);
- return (udp_post_ip_bind_connect(udp, ire_mp, error));
+ /*
+ * Tell IP to remove the full binding and revert
+ * to the local address binding.
+ */
+ return (ip_laddr_fanout_insert(connp));
}
-
static void
udp_tpi_disconnect(queue_t *q, mblk_t *mp)
{
@@ -981,12 +881,9 @@ int
udp_disconnect(conn_t *connp)
{
int error;
- udp_t *udp = connp->conn_udp;
-
- udp->udp_dgram_errind = B_FALSE;
+ connp->conn_dgram_errind = B_FALSE;
error = udp_do_disconnect(connp);
-
if (error < 0)
error = proto_tlitosyserr(-error);
@@ -1003,8 +900,8 @@ udp_err_ack(queue_t *q, mblk_t *mp, t_scalar_t t_error, int sys_error)
/* Shorthand to generate and send TPI error acks to our client */
static void
-udp_err_ack_prim(queue_t *q, mblk_t *mp, int primitive, t_scalar_t t_error,
- int sys_error)
+udp_err_ack_prim(queue_t *q, mblk_t *mp, t_scalar_t primitive,
+ t_scalar_t t_error, int sys_error)
{
struct T_error_ack *teackp;
@@ -1018,7 +915,7 @@ udp_err_ack_prim(queue_t *q, mblk_t *mp, int primitive, t_scalar_t t_error,
}
}
-/*ARGSUSED*/
+/*ARGSUSED2*/
static int
udp_extra_priv_ports_get(queue_t *q, mblk_t *mp, caddr_t cp, cred_t *cr)
{
@@ -1033,7 +930,7 @@ udp_extra_priv_ports_get(queue_t *q, mblk_t *mp, caddr_t cp, cred_t *cr)
return (0);
}
-/* ARGSUSED */
+/* ARGSUSED1 */
static int
udp_extra_priv_ports_add(queue_t *q, mblk_t *mp, char *value, caddr_t cp,
cred_t *cr)
@@ -1072,7 +969,7 @@ udp_extra_priv_ports_add(queue_t *q, mblk_t *mp, char *value, caddr_t cp,
return (0);
}
-/* ARGSUSED */
+/* ARGSUSED1 */
static int
udp_extra_priv_ports_del(queue_t *q, mblk_t *mp, char *value, caddr_t cp,
cred_t *cr)
@@ -1109,39 +1006,41 @@ udp_extra_priv_ports_del(queue_t *q, mblk_t *mp, char *value, caddr_t cp,
#define ICMP_MIN_UDP_HDR 4
/*
- * udp_icmp_error is called by udp_input to process ICMP msgs. passed up by IP.
+ * udp_icmp_input is called as conn_recvicmp to process ICMP messages.
* Generates the appropriate T_UDERROR_IND for permanent (non-transient) errors.
* Assumes that IP has pulled up everything up to and including the ICMP header.
*/
+/* ARGSUSED2 */
static void
-udp_icmp_error(conn_t *connp, mblk_t *mp)
+udp_icmp_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
{
- icmph_t *icmph;
- ipha_t *ipha;
- int iph_hdr_length;
- udpha_t *udpha;
- sin_t sin;
- sin6_t sin6;
- mblk_t *mp1;
- int error = 0;
- udp_t *udp = connp->conn_udp;
+ conn_t *connp = (conn_t *)arg1;
+ icmph_t *icmph;
+ ipha_t *ipha;
+ int iph_hdr_length;
+ udpha_t *udpha;
+ sin_t sin;
+ sin6_t sin6;
+ mblk_t *mp1;
+ int error = 0;
+ udp_t *udp = connp->conn_udp;
- mp1 = NULL;
ipha = (ipha_t *)mp->b_rptr;
ASSERT(OK_32PTR(mp->b_rptr));
if (IPH_HDR_VERSION(ipha) != IPV4_VERSION) {
ASSERT(IPH_HDR_VERSION(ipha) == IPV6_VERSION);
- udp_icmp_error_ipv6(connp, mp);
+ udp_icmp_error_ipv6(connp, mp, ira);
return;
}
ASSERT(IPH_HDR_VERSION(ipha) == IPV4_VERSION);
/* Skip past the outer IP and ICMP headers */
- iph_hdr_length = IPH_HDR_LENGTH(ipha);
+ ASSERT(IPH_HDR_LENGTH(ipha) == ira->ira_ip_hdr_length);
+ iph_hdr_length = ira->ira_ip_hdr_length;
icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
- ipha = (ipha_t *)&icmph[1];
+ ipha = (ipha_t *)&icmph[1]; /* Inner IP header */
/* Skip past the inner IP and find the ULP header */
iph_hdr_length = IPH_HDR_LENGTH(ipha);
@@ -1150,11 +1049,41 @@ udp_icmp_error(conn_t *connp, mblk_t *mp)
switch (icmph->icmph_type) {
case ICMP_DEST_UNREACHABLE:
switch (icmph->icmph_code) {
- case ICMP_FRAGMENTATION_NEEDED:
+ case ICMP_FRAGMENTATION_NEEDED: {
+ ipha_t *ipha;
+ ip_xmit_attr_t *ixa;
/*
* IP has already adjusted the path MTU.
+ * But we need to adjust DF for IPv4.
*/
+ if (connp->conn_ipversion != IPV4_VERSION)
+ break;
+
+ ixa = conn_get_ixa(connp, B_FALSE);
+ if (ixa == NULL || ixa->ixa_ire == NULL) {
+ /*
+ * Some other thread holds conn_ixa. We will
+ * redo this on the next ICMP too big.
+ */
+ if (ixa != NULL)
+ ixa_refrele(ixa);
+ break;
+ }
+ (void) ip_get_pmtu(ixa);
+
+ mutex_enter(&connp->conn_lock);
+ ipha = (ipha_t *)connp->conn_ht_iphc;
+ if (ixa->ixa_flags & IXAF_PMTU_IPV4_DF) {
+ ipha->ipha_fragment_offset_and_flags |=
+ IPH_DF_HTONS;
+ } else {
+ ipha->ipha_fragment_offset_and_flags &=
+ ~IPH_DF_HTONS;
+ }
+ mutex_exit(&connp->conn_lock);
+ ixa_refrele(ixa);
break;
+ }
case ICMP_PORT_UNREACHABLE:
case ICMP_PROTOCOL_UNREACHABLE:
error = ECONNREFUSED;
@@ -1177,25 +1106,24 @@ udp_icmp_error(conn_t *connp, mblk_t *mp)
* Deliver T_UDERROR_IND when the application has asked for it.
* The socket layer enables this automatically when connected.
*/
- if (!udp->udp_dgram_errind) {
+ if (!connp->conn_dgram_errind) {
freemsg(mp);
return;
}
-
- switch (udp->udp_family) {
+ switch (connp->conn_family) {
case AF_INET:
sin = sin_null;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = ipha->ipha_dst;
sin.sin_port = udpha->uha_dst_port;
if (IPCL_IS_NONSTR(connp)) {
- rw_enter(&udp->udp_rwlock, RW_WRITER);
+ mutex_enter(&connp->conn_lock);
if (udp->udp_state == TS_DATA_XFER) {
- if (sin.sin_port == udp->udp_dstport &&
+ if (sin.sin_port == connp->conn_fport &&
sin.sin_addr.s_addr ==
- V4_PART_OF_V6(udp->udp_v6dst)) {
- rw_exit(&udp->udp_rwlock);
+ connp->conn_faddr_v4) {
+ mutex_exit(&connp->conn_lock);
(*connp->conn_upcalls->su_set_error)
(connp->conn_upper_handle, error);
goto done;
@@ -1204,10 +1132,12 @@ udp_icmp_error(conn_t *connp, mblk_t *mp)
udp->udp_delayed_error = error;
*((sin_t *)&udp->udp_delayed_addr) = sin;
}
- rw_exit(&udp->udp_rwlock);
+ mutex_exit(&connp->conn_lock);
} else {
mp1 = mi_tpi_uderror_ind((char *)&sin, sizeof (sin_t),
NULL, 0, error);
+ if (mp1 != NULL)
+ putnext(connp->conn_rq, mp1);
}
break;
case AF_INET6:
@@ -1216,12 +1146,12 @@ udp_icmp_error(conn_t *connp, mblk_t *mp)
IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &sin6.sin6_addr);
sin6.sin6_port = udpha->uha_dst_port;
if (IPCL_IS_NONSTR(connp)) {
- rw_enter(&udp->udp_rwlock, RW_WRITER);
+ mutex_enter(&connp->conn_lock);
if (udp->udp_state == TS_DATA_XFER) {
- if (sin6.sin6_port == udp->udp_dstport &&
+ if (sin6.sin6_port == connp->conn_fport &&
IN6_ARE_ADDR_EQUAL(&sin6.sin6_addr,
- &udp->udp_v6dst)) {
- rw_exit(&udp->udp_rwlock);
+ &connp->conn_faddr_v6)) {
+ mutex_exit(&connp->conn_lock);
(*connp->conn_upcalls->su_set_error)
(connp->conn_upper_handle, error);
goto done;
@@ -1230,17 +1160,16 @@ udp_icmp_error(conn_t *connp, mblk_t *mp)
udp->udp_delayed_error = error;
*((sin6_t *)&udp->udp_delayed_addr) = sin6;
}
- rw_exit(&udp->udp_rwlock);
+ mutex_exit(&connp->conn_lock);
} else {
mp1 = mi_tpi_uderror_ind((char *)&sin6, sizeof (sin6_t),
NULL, 0, error);
+ if (mp1 != NULL)
+ putnext(connp->conn_rq, mp1);
}
break;
}
- if (mp1 != NULL)
- putnext(connp->conn_rq, mp1);
done:
- ASSERT(!RW_ISWRITER(&udp->udp_rwlock));
freemsg(mp);
}
@@ -1251,7 +1180,7 @@ done:
* ICMPv6 header.
*/
static void
-udp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
+udp_icmp_error_ipv6(conn_t *connp, mblk_t *mp, ip_recv_attr_t *ira)
{
icmp6_t *icmp6;
ip6_t *ip6h, *outer_ip6h;
@@ -1265,12 +1194,19 @@ udp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
udp_stack_t *us = udp->udp_us;
outer_ip6h = (ip6_t *)mp->b_rptr;
+#ifdef DEBUG
if (outer_ip6h->ip6_nxt != IPPROTO_ICMPV6)
iph_hdr_length = ip_hdr_length_v6(mp, outer_ip6h);
else
iph_hdr_length = IPV6_HDR_LEN;
+ ASSERT(iph_hdr_length == ira->ira_ip_hdr_length);
+#endif
+ /* Skip past the outer IP and ICMP headers */
+ iph_hdr_length = ira->ira_ip_hdr_length;
icmp6 = (icmp6_t *)&mp->b_rptr[iph_hdr_length];
- ip6h = (ip6_t *)&icmp6[1];
+
+ /* Skip past the inner IP and find the ULP header */
+ ip6h = (ip6_t *)&icmp6[1]; /* Inner IP header */
if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length, &nexthdrp)) {
freemsg(mp);
return;
@@ -1308,7 +1244,7 @@ udp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
* information, send up an empty message containing an
* IPV6_PATHMTU ancillary data item.
*/
- if (!udp->udp_ipv6_recvpathmtu)
+ if (!connp->conn_ipv6_recvpathmtu)
break;
udi_size = sizeof (struct T_unitdata_ind) + sizeof (sin6_t) +
@@ -1334,7 +1270,7 @@ udp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
sin6 = (sin6_t *)&tudi[1];
bzero(sin6, sizeof (sin6_t));
sin6->sin6_family = AF_INET6;
- sin6->sin6_addr = udp->udp_v6dst;
+ sin6->sin6_addr = connp->conn_faddr_v6;
toh = (struct T_opthdr *)&sin6[1];
toh->level = IPPROTO_IPV6;
@@ -1352,8 +1288,7 @@ udp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
* message. Free it, then send our empty message.
*/
freemsg(mp);
- udp_ulp_recv(connp, newmp);
-
+ udp_ulp_recv(connp, newmp, msgdsize(newmp), ira);
return;
}
case ICMP6_TIME_EXCEEDED:
@@ -1378,7 +1313,7 @@ udp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
* Deliver T_UDERROR_IND when the application has asked for it.
* The socket layer enables this automatically when connected.
*/
- if (!udp->udp_dgram_errind) {
+ if (!connp->conn_dgram_errind) {
freemsg(mp);
return;
}
@@ -1390,12 +1325,12 @@ udp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
sin6.sin6_flowinfo = ip6h->ip6_vcf & ~IPV6_VERS_AND_FLOW_MASK;
if (IPCL_IS_NONSTR(connp)) {
- rw_enter(&udp->udp_rwlock, RW_WRITER);
+ mutex_enter(&connp->conn_lock);
if (udp->udp_state == TS_DATA_XFER) {
- if (sin6.sin6_port == udp->udp_dstport &&
+ if (sin6.sin6_port == connp->conn_fport &&
IN6_ARE_ADDR_EQUAL(&sin6.sin6_addr,
- &udp->udp_v6dst)) {
- rw_exit(&udp->udp_rwlock);
+ &connp->conn_faddr_v6)) {
+ mutex_exit(&connp->conn_lock);
(*connp->conn_upcalls->su_set_error)
(connp->conn_upper_handle, error);
goto done;
@@ -1404,7 +1339,7 @@ udp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
udp->udp_delayed_error = error;
*((sin6_t *)&udp->udp_delayed_addr) = sin6;
}
- rw_exit(&udp->udp_rwlock);
+ mutex_exit(&connp->conn_lock);
} else {
mp1 = mi_tpi_uderror_ind((char *)&sin6, sizeof (sin6_t),
NULL, 0, error);
@@ -1412,7 +1347,6 @@ udp_icmp_error_ipv6(conn_t *connp, mblk_t *mp)
putnext(connp->conn_rq, mp1);
}
done:
- ASSERT(!RW_ISWRITER(&udp->udp_rwlock));
freemsg(mp);
}
@@ -1426,11 +1360,12 @@ done:
static void
udp_addr_req(queue_t *q, mblk_t *mp)
{
- sin_t *sin;
- sin6_t *sin6;
+ struct sockaddr *sa;
mblk_t *ackmp;
struct T_addr_ack *taa;
udp_t *udp = Q_TO_UDP(q);
+ conn_t *connp = udp->udp_connp;
+ uint_t addrlen;
/* Make it large enough for worst case */
ackmp = reallocb(mp, sizeof (struct T_addr_ack) +
@@ -1446,7 +1381,13 @@ udp_addr_req(queue_t *q, mblk_t *mp)
taa->PRIM_type = T_ADDR_ACK;
ackmp->b_datap->db_type = M_PCPROTO;
- rw_enter(&udp->udp_rwlock, RW_READER);
+
+ if (connp->conn_family == AF_INET)
+ addrlen = sizeof (sin_t);
+ else
+ addrlen = sizeof (sin6_t);
+
+ mutex_enter(&connp->conn_lock);
/*
* Note: Following code assumes 32 bit alignment of basic
* data structures like sin_t and struct T_addr_ack.
@@ -1456,91 +1397,23 @@ udp_addr_req(queue_t *q, mblk_t *mp)
* Fill in local address first
*/
taa->LOCADDR_offset = sizeof (*taa);
- if (udp->udp_family == AF_INET) {
- taa->LOCADDR_length = sizeof (sin_t);
- sin = (sin_t *)&taa[1];
- /* Fill zeroes and then initialize non-zero fields */
- *sin = sin_null;
- sin->sin_family = AF_INET;
- if (!IN6_IS_ADDR_V4MAPPED_ANY(&udp->udp_v6src) &&
- !IN6_IS_ADDR_UNSPECIFIED(&udp->udp_v6src)) {
- IN6_V4MAPPED_TO_IPADDR(&udp->udp_v6src,
- sin->sin_addr.s_addr);
- } else {
- /*
- * INADDR_ANY
- * udp_v6src is not set, we might be bound to
- * broadcast/multicast. Use udp_bound_v6src as
- * local address instead (that could
- * also still be INADDR_ANY)
- */
- IN6_V4MAPPED_TO_IPADDR(&udp->udp_bound_v6src,
- sin->sin_addr.s_addr);
- }
- sin->sin_port = udp->udp_port;
- ackmp->b_wptr = (uchar_t *)&sin[1];
- if (udp->udp_state == TS_DATA_XFER) {
- /*
- * connected, fill remote address too
- */
- taa->REMADDR_length = sizeof (sin_t);
- /* assumed 32-bit alignment */
- taa->REMADDR_offset = taa->LOCADDR_offset +
- taa->LOCADDR_length;
-
- sin = (sin_t *)(ackmp->b_rptr +
- taa->REMADDR_offset);
- /* initialize */
- *sin = sin_null;
- sin->sin_family = AF_INET;
- sin->sin_addr.s_addr =
- V4_PART_OF_V6(udp->udp_v6dst);
- sin->sin_port = udp->udp_dstport;
- ackmp->b_wptr = (uchar_t *)&sin[1];
- }
- } else {
- taa->LOCADDR_length = sizeof (sin6_t);
- sin6 = (sin6_t *)&taa[1];
- /* Fill zeroes and then initialize non-zero fields */
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- if (!IN6_IS_ADDR_UNSPECIFIED(&udp->udp_v6src)) {
- sin6->sin6_addr = udp->udp_v6src;
- } else {
- /*
- * UNSPECIFIED
- * udp_v6src is not set, we might be bound to
- * broadcast/multicast. Use udp_bound_v6src as
- * local address instead (that could
- * also still be UNSPECIFIED)
- */
- sin6->sin6_addr =
- udp->udp_bound_v6src;
- }
- sin6->sin6_port = udp->udp_port;
- ackmp->b_wptr = (uchar_t *)&sin6[1];
- if (udp->udp_state == TS_DATA_XFER) {
- /*
- * connected, fill remote address too
- */
- taa->REMADDR_length = sizeof (sin6_t);
- /* assumed 32-bit alignment */
- taa->REMADDR_offset = taa->LOCADDR_offset +
- taa->LOCADDR_length;
-
- sin6 = (sin6_t *)(ackmp->b_rptr +
- taa->REMADDR_offset);
- /* initialize */
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_addr = udp->udp_v6dst;
- sin6->sin6_port = udp->udp_dstport;
- ackmp->b_wptr = (uchar_t *)&sin6[1];
- }
- ackmp->b_wptr = (uchar_t *)&sin6[1];
- }
+ taa->LOCADDR_length = addrlen;
+ sa = (struct sockaddr *)&taa[1];
+ (void) conn_getsockname(connp, sa, &addrlen);
+ ackmp->b_wptr += addrlen;
}
- rw_exit(&udp->udp_rwlock);
+ if (udp->udp_state == TS_DATA_XFER) {
+ /*
+ * connected, fill remote address too
+ */
+ taa->REMADDR_length = addrlen;
+ /* assumed 32-bit alignment */
+ taa->REMADDR_offset = taa->LOCADDR_offset + taa->LOCADDR_length;
+ sa = (struct sockaddr *)(ackmp->b_rptr + taa->REMADDR_offset);
+ (void) conn_getpeername(connp, sa, &addrlen);
+ ackmp->b_wptr += addrlen;
+ }
+ mutex_exit(&connp->conn_lock);
ASSERT(ackmp->b_wptr <= ackmp->b_datap->db_lim);
qreply(q, ackmp);
}
@@ -1548,7 +1421,9 @@ udp_addr_req(queue_t *q, mblk_t *mp)
static void
udp_copy_info(struct T_info_ack *tap, udp_t *udp)
{
- if (udp->udp_family == AF_INET) {
+ conn_t *connp = udp->udp_connp;
+
+ if (connp->conn_family == AF_INET) {
*tap = udp_g_t_info_ack_ipv4;
} else {
*tap = udp_g_t_info_ack_ipv6;
@@ -1632,20 +1507,15 @@ udp_openv6(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
* This is the open routine for udp. It allocates a udp_t structure for
* the stream and, on the first open of the module, creates an ND table.
*/
-/*ARGSUSED2*/
static int
udp_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
boolean_t isv6)
{
- int error;
udp_t *udp;
conn_t *connp;
dev_t conn_dev;
- udp_stack_t *us;
vmem_t *minor_arena;
- TRACE_1(TR_FAC_UDP, TR_UDP_OPEN, "udp_open: q %p", q);
-
/* If the stream is already open, return immediately. */
if (q->q_ptr != NULL)
return (0);
@@ -1685,7 +1555,6 @@ udp_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
return (ENOMEM);
}
udp = connp->conn_udp;
- us = udp->udp_us;
*devp = makedevice(getemajor(*devp), (minor_t)conn_dev);
connp->conn_dev = conn_dev;
@@ -1699,39 +1568,27 @@ udp_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp,
connp->conn_rq = q;
connp->conn_wq = WR(q);
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- ASSERT(connp->conn_ulp == IPPROTO_UDP);
+ /*
+ * Since this conn_t/udp_t is not yet visible to anybody else we don't
+ * need to lock anything.
+ */
+ ASSERT(connp->conn_proto == IPPROTO_UDP);
ASSERT(connp->conn_udp == udp);
ASSERT(udp->udp_connp == connp);
if (flag & SO_SOCKSTR) {
- connp->conn_flags |= IPCL_SOCKET;
udp->udp_issocket = B_TRUE;
}
- q->q_hiwat = us->us_recv_hiwat;
- WR(q)->q_hiwat = us->us_xmit_hiwat;
- WR(q)->q_lowat = us->us_xmit_lowat;
+ WR(q)->q_hiwat = connp->conn_sndbuf;
+ WR(q)->q_lowat = connp->conn_sndlowat;
qprocson(q);
- if (udp->udp_family == AF_INET6) {
- /* Build initial header template for transmit */
- if ((error = udp_build_hdrs(udp)) != 0) {
- rw_exit(&udp->udp_rwlock);
- qprocsoff(q);
- inet_minor_free(minor_arena, conn_dev);
- ipcl_conn_destroy(connp);
- return (error);
- }
- }
- rw_exit(&udp->udp_rwlock);
-
/* Set the Stream head write offset and high watermark. */
- (void) proto_set_tx_wroff(q, connp,
- udp->udp_max_hdr_len + us->us_wroff_extra);
- /* XXX udp_set_rcv_hiwat() doesn't hold the lock, is it a bug??? */
- (void) proto_set_rx_hiwat(q, connp, udp_set_rcv_hiwat(udp, q->q_hiwat));
+ (void) proto_set_tx_wroff(q, connp, connp->conn_wroff);
+ (void) proto_set_rx_hiwat(q, connp,
+ udp_set_rcv_hiwat(udp, connp->conn_rcvbuf));
mutex_enter(&connp->conn_lock);
connp->conn_state_flags &= ~CONN_INCIPIENT;
@@ -1753,7 +1610,6 @@ udp_opt_allow_udr_set(t_scalar_t level, t_scalar_t name)
* This routine gets default values of certain options whose default
* values are maintained by protcol specific code
*/
-/* ARGSUSED */
int
udp_opt_default(queue_t *q, t_scalar_t level, t_scalar_t name, uchar_t *ptr)
{
@@ -1791,456 +1647,127 @@ udp_opt_default(queue_t *q, t_scalar_t level, t_scalar_t name, uchar_t *ptr)
/*
* This routine retrieves the current status of socket options.
- * It returns the size of the option retrieved.
+ * It returns the size of the option retrieved, or -1.
*/
-static int
-udp_opt_get(conn_t *connp, int level, int name, uchar_t *ptr)
+int
+udp_opt_get(conn_t *connp, t_scalar_t level, t_scalar_t name,
+ uchar_t *ptr)
{
- udp_t *udp = connp->conn_udp;
- udp_stack_t *us = udp->udp_us;
int *i1 = (int *)ptr;
- ip6_pkt_t *ipp = &udp->udp_sticky_ipp;
+ udp_t *udp = connp->conn_udp;
int len;
+ conn_opt_arg_t coas;
+ int retval;
- ASSERT(RW_READ_HELD(&udp->udp_rwlock));
- switch (level) {
- case SOL_SOCKET:
- switch (name) {
- case SO_DEBUG:
- *i1 = udp->udp_debug;
- break; /* goto sizeof (int) option return */
- case SO_REUSEADDR:
- *i1 = udp->udp_reuseaddr;
- break; /* goto sizeof (int) option return */
- case SO_TYPE:
- *i1 = SOCK_DGRAM;
- break; /* goto sizeof (int) option return */
+ coas.coa_connp = connp;
+ coas.coa_ixa = connp->conn_ixa;
+ coas.coa_ipp = &connp->conn_xmit_ipp;
+ coas.coa_ancillary = B_FALSE;
+ coas.coa_changed = 0;
+ /*
+ * We assume that the optcom framework has checked for the set
+ * of levels and names that are supported, hence we don't worry
+ * about rejecting based on that.
+ * First check for UDP specific handling, then pass to common routine.
+ */
+ switch (level) {
+ case IPPROTO_IP:
/*
- * The following three items are available here,
- * but are only meaningful to IP.
+ * Only allow IPv4 option processing on IPv4 sockets.
*/
- case SO_DONTROUTE:
- *i1 = udp->udp_dontroute;
- break; /* goto sizeof (int) option return */
- case SO_USELOOPBACK:
- *i1 = udp->udp_useloopback;
- break; /* goto sizeof (int) option return */
- case SO_BROADCAST:
- *i1 = udp->udp_broadcast;
- break; /* goto sizeof (int) option return */
-
- case SO_SNDBUF:
- *i1 = udp->udp_xmit_hiwat;
- break; /* goto sizeof (int) option return */
- case SO_RCVBUF:
- *i1 = udp->udp_rcv_disply_hiwat;
- break; /* goto sizeof (int) option return */
- case SO_DGRAM_ERRIND:
- *i1 = udp->udp_dgram_errind;
- break; /* goto sizeof (int) option return */
- case SO_RECVUCRED:
- *i1 = udp->udp_recvucred;
- break; /* goto sizeof (int) option return */
- case SO_TIMESTAMP:
- *i1 = udp->udp_timestamp;
- break; /* goto sizeof (int) option return */
- case SO_ANON_MLP:
- *i1 = connp->conn_anon_mlp;
- break; /* goto sizeof (int) option return */
- case SO_MAC_EXEMPT:
- *i1 = (connp->conn_mac_mode == CONN_MAC_AWARE);
- break;
- case SO_MAC_IMPLICIT:
- *i1 = (connp->conn_mac_mode == CONN_MAC_IMPLICIT);
- break;
- case SO_ALLZONES:
- *i1 = connp->conn_allzones;
- break; /* goto sizeof (int) option return */
- case SO_EXCLBIND:
- *i1 = udp->udp_exclbind ? SO_EXCLBIND : 0;
- break;
- case SO_PROTOTYPE:
- *i1 = IPPROTO_UDP;
- break;
- case SO_DOMAIN:
- *i1 = udp->udp_family;
- break;
- default:
- return (-1);
- }
- break;
- case IPPROTO_IP:
- if (udp->udp_family != AF_INET)
+ if (connp->conn_family != AF_INET)
return (-1);
+
switch (name) {
case IP_OPTIONS:
case T_IP_OPTIONS:
- len = udp->udp_ip_rcv_options_len - udp->udp_label_len;
- if (len > 0) {
- bcopy(udp->udp_ip_rcv_options +
- udp->udp_label_len, ptr, len);
- }
- return (len);
- case IP_TOS:
- case T_IP_TOS:
- *i1 = (int)udp->udp_type_of_service;
- break; /* goto sizeof (int) option return */
- case IP_TTL:
- *i1 = (int)udp->udp_ttl;
- break; /* goto sizeof (int) option return */
- case IP_DHCPINIT_IF:
- return (-EINVAL);
- case IP_NEXTHOP:
- case IP_RECVPKTINFO:
- /*
- * This also handles IP_PKTINFO.
- * IP_PKTINFO and IP_RECVPKTINFO have the same value.
- * Differentiation is based on the size of the argument
- * passed in.
- * This option is handled in IP which will return an
- * error for IP_PKTINFO as it's not supported as a
- * sticky option.
- */
- return (-EINVAL);
- case IP_MULTICAST_IF:
- /* 0 address if not set */
- *(ipaddr_t *)ptr = udp->udp_multicast_if_addr;
- return (sizeof (ipaddr_t));
- case IP_MULTICAST_TTL:
- *(uchar_t *)ptr = udp->udp_multicast_ttl;
- return (sizeof (uchar_t));
- case IP_MULTICAST_LOOP:
- *ptr = connp->conn_multicast_loop;
- return (sizeof (uint8_t));
- case IP_RECVOPTS:
- *i1 = udp->udp_recvopts;
- break; /* goto sizeof (int) option return */
- case IP_RECVDSTADDR:
- *i1 = udp->udp_recvdstaddr;
- break; /* goto sizeof (int) option return */
- case IP_RECVIF:
- *i1 = udp->udp_recvif;
- break; /* goto sizeof (int) option return */
- case IP_RECVSLLA:
- *i1 = udp->udp_recvslla;
- break; /* goto sizeof (int) option return */
- case IP_RECVTTL:
- *i1 = udp->udp_recvttl;
- break; /* goto sizeof (int) option return */
- case IP_ADD_MEMBERSHIP:
- case IP_DROP_MEMBERSHIP:
- case IP_BLOCK_SOURCE:
- case IP_UNBLOCK_SOURCE:
- case IP_ADD_SOURCE_MEMBERSHIP:
- case IP_DROP_SOURCE_MEMBERSHIP:
- case MCAST_JOIN_GROUP:
- case MCAST_LEAVE_GROUP:
- case MCAST_BLOCK_SOURCE:
- case MCAST_UNBLOCK_SOURCE:
- case MCAST_JOIN_SOURCE_GROUP:
- case MCAST_LEAVE_SOURCE_GROUP:
- /* cannot "get" the value for these */
- return (-1);
- case IP_BOUND_IF:
- /* Zero if not set */
- *i1 = udp->udp_bound_if;
- break; /* goto sizeof (int) option return */
- case IP_UNSPEC_SRC:
- *i1 = udp->udp_unspec_source;
- break; /* goto sizeof (int) option return */
- case IP_BROADCAST_TTL:
- *(uchar_t *)ptr = connp->conn_broadcast_ttl;
- return (sizeof (uchar_t));
- default:
- return (-1);
- }
- break;
- case IPPROTO_IPV6:
- if (udp->udp_family != AF_INET6)
- return (-1);
- switch (name) {
- case IPV6_UNICAST_HOPS:
- *i1 = (unsigned int)udp->udp_ttl;
- break; /* goto sizeof (int) option return */
- case IPV6_MULTICAST_IF:
- /* 0 index if not set */
- *i1 = udp->udp_multicast_if_index;
- break; /* goto sizeof (int) option return */
- case IPV6_MULTICAST_HOPS:
- *i1 = udp->udp_multicast_ttl;
- break; /* goto sizeof (int) option return */
- case IPV6_MULTICAST_LOOP:
- *i1 = connp->conn_multicast_loop;
- break; /* goto sizeof (int) option return */
- case IPV6_JOIN_GROUP:
- case IPV6_LEAVE_GROUP:
- case MCAST_JOIN_GROUP:
- case MCAST_LEAVE_GROUP:
- case MCAST_BLOCK_SOURCE:
- case MCAST_UNBLOCK_SOURCE:
- case MCAST_JOIN_SOURCE_GROUP:
- case MCAST_LEAVE_SOURCE_GROUP:
- /* cannot "get" the value for these */
- return (-1);
- case IPV6_BOUND_IF:
- /* Zero if not set */
- *i1 = udp->udp_bound_if;
- break; /* goto sizeof (int) option return */
- case IPV6_UNSPEC_SRC:
- *i1 = udp->udp_unspec_source;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVPKTINFO:
- *i1 = udp->udp_ip_recvpktinfo;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVTCLASS:
- *i1 = udp->udp_ipv6_recvtclass;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVPATHMTU:
- *i1 = udp->udp_ipv6_recvpathmtu;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVHOPLIMIT:
- *i1 = udp->udp_ipv6_recvhoplimit;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVHOPOPTS:
- *i1 = udp->udp_ipv6_recvhopopts;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVDSTOPTS:
- *i1 = udp->udp_ipv6_recvdstopts;
- break; /* goto sizeof (int) option return */
- case _OLD_IPV6_RECVDSTOPTS:
- *i1 = udp->udp_old_ipv6_recvdstopts;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVRTHDRDSTOPTS:
- *i1 = udp->udp_ipv6_recvrthdrdstopts;
- break; /* goto sizeof (int) option return */
- case IPV6_RECVRTHDR:
- *i1 = udp->udp_ipv6_recvrthdr;
- break; /* goto sizeof (int) option return */
- case IPV6_PKTINFO: {
- /* XXX assumes that caller has room for max size! */
- struct in6_pktinfo *pkti;
-
- pkti = (struct in6_pktinfo *)ptr;
- if (ipp->ipp_fields & IPPF_IFINDEX)
- pkti->ipi6_ifindex = ipp->ipp_ifindex;
- else
- pkti->ipi6_ifindex = 0;
- if (ipp->ipp_fields & IPPF_ADDR)
- pkti->ipi6_addr = ipp->ipp_addr;
- else
- pkti->ipi6_addr = ipv6_all_zeros;
- return (sizeof (struct in6_pktinfo));
- }
- case IPV6_TCLASS:
- if (ipp->ipp_fields & IPPF_TCLASS)
- *i1 = ipp->ipp_tclass;
- else
- *i1 = IPV6_FLOW_TCLASS(
- IPV6_DEFAULT_VERS_AND_FLOW);
- break; /* goto sizeof (int) option return */
- case IPV6_NEXTHOP: {
- sin6_t *sin6 = (sin6_t *)ptr;
-
- if (!(ipp->ipp_fields & IPPF_NEXTHOP))
- return (0);
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_addr = ipp->ipp_nexthop;
- return (sizeof (sin6_t));
- }
- case IPV6_HOPOPTS:
- if (!(ipp->ipp_fields & IPPF_HOPOPTS))
- return (0);
- if (ipp->ipp_hopoptslen <= udp->udp_label_len_v6)
+ mutex_enter(&connp->conn_lock);
+ if (!(udp->udp_recv_ipp.ipp_fields &
+ IPPF_IPV4_OPTIONS)) {
+ mutex_exit(&connp->conn_lock);
return (0);
- /*
- * The cipso/label option is added by kernel.
- * User is not usually aware of this option.
- * We copy out the hbh opt after the label option.
- */
- bcopy((char *)ipp->ipp_hopopts + udp->udp_label_len_v6,
- ptr, ipp->ipp_hopoptslen - udp->udp_label_len_v6);
- if (udp->udp_label_len_v6 > 0) {
- ptr[0] = ((char *)ipp->ipp_hopopts)[0];
- ptr[1] = (ipp->ipp_hopoptslen -
- udp->udp_label_len_v6 + 7) / 8 - 1;
}
- return (ipp->ipp_hopoptslen - udp->udp_label_len_v6);
- case IPV6_RTHDRDSTOPTS:
- if (!(ipp->ipp_fields & IPPF_RTDSTOPTS))
- return (0);
- bcopy(ipp->ipp_rtdstopts, ptr, ipp->ipp_rtdstoptslen);
- return (ipp->ipp_rtdstoptslen);
- case IPV6_RTHDR:
- if (!(ipp->ipp_fields & IPPF_RTHDR))
- return (0);
- bcopy(ipp->ipp_rthdr, ptr, ipp->ipp_rthdrlen);
- return (ipp->ipp_rthdrlen);
- case IPV6_DSTOPTS:
- if (!(ipp->ipp_fields & IPPF_DSTOPTS))
- return (0);
- bcopy(ipp->ipp_dstopts, ptr, ipp->ipp_dstoptslen);
- return (ipp->ipp_dstoptslen);
- case IPV6_PATHMTU:
- return (ip_fill_mtuinfo(&udp->udp_v6dst,
- udp->udp_dstport, (struct ip6_mtuinfo *)ptr,
- us->us_netstack));
- default:
- return (-1);
+
+ len = udp->udp_recv_ipp.ipp_ipv4_options_len;
+ ASSERT(len != 0);
+ bcopy(udp->udp_recv_ipp.ipp_ipv4_options, ptr, len);
+ mutex_exit(&connp->conn_lock);
+ return (len);
}
break;
case IPPROTO_UDP:
switch (name) {
- case UDP_ANONPRIVBIND:
- *i1 = udp->udp_anon_priv_bind;
- break;
- case UDP_EXCLBIND:
- *i1 = udp->udp_exclbind ? UDP_EXCLBIND : 0;
- break;
- case UDP_RCVHDR:
- *i1 = udp->udp_rcvhdr ? 1 : 0;
- break;
case UDP_NAT_T_ENDPOINT:
+ mutex_enter(&connp->conn_lock);
*i1 = udp->udp_nat_t_endpoint;
- break;
- default:
- return (-1);
+ mutex_exit(&connp->conn_lock);
+ return (sizeof (int));
+ case UDP_RCVHDR:
+ mutex_enter(&connp->conn_lock);
+ *i1 = udp->udp_rcvhdr ? 1 : 0;
+ mutex_exit(&connp->conn_lock);
+ return (sizeof (int));
}
- break;
- default:
- return (-1);
}
- return (sizeof (int));
+ mutex_enter(&connp->conn_lock);
+ retval = conn_opt_get(&coas, level, name, ptr);
+ mutex_exit(&connp->conn_lock);
+ return (retval);
}
+/*
+ * This routine retrieves the current status of socket options.
+ * It returns the size of the option retrieved, or -1.
+ */
int
udp_tpi_opt_get(queue_t *q, t_scalar_t level, t_scalar_t name, uchar_t *ptr)
{
- udp_t *udp;
- int err;
-
- udp = Q_TO_UDP(q);
+ conn_t *connp = Q_TO_CONN(q);
+ int err;
- rw_enter(&udp->udp_rwlock, RW_READER);
- err = udp_opt_get(Q_TO_CONN(q), level, name, ptr);
- rw_exit(&udp->udp_rwlock);
+ err = udp_opt_get(connp, level, name, ptr);
return (err);
}
/*
* This routine sets socket options.
*/
-/* ARGSUSED */
-static int
-udp_do_opt_set(conn_t *connp, int level, int name, uint_t inlen,
- uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp, cred_t *cr,
- void *thisdg_attrs, boolean_t checkonly)
+int
+udp_do_opt_set(conn_opt_arg_t *coa, int level, int name,
+ uint_t inlen, uchar_t *invalp, cred_t *cr, boolean_t checkonly)
{
- udpattrs_t *attrs = thisdg_attrs;
- int *i1 = (int *)invalp;
- boolean_t onoff = (*i1 == 0) ? 0 : 1;
- udp_t *udp = connp->conn_udp;
+ conn_t *connp = coa->coa_connp;
+ ip_xmit_attr_t *ixa = coa->coa_ixa;
+ udp_t *udp = connp->conn_udp;
udp_stack_t *us = udp->udp_us;
- int error;
- uint_t newlen;
- size_t sth_wroff;
+ int *i1 = (int *)invalp;
+ boolean_t onoff = (*i1 == 0) ? 0 : 1;
+ int error;
- ASSERT(RW_WRITE_HELD(&udp->udp_rwlock));
+ ASSERT(MUTEX_NOT_HELD(&coa->coa_connp->conn_lock));
/*
- * For fixed length options, no sanity check
- * of passed in length is done. It is assumed *_optcom_req()
- * routines do the right thing.
+ * First do UDP specific sanity checks and handle UDP specific
+ * options. Note that some IPPROTO_UDP options are handled
+ * by conn_opt_set.
*/
switch (level) {
case SOL_SOCKET:
switch (name) {
- case SO_REUSEADDR:
- if (!checkonly) {
- udp->udp_reuseaddr = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case SO_DEBUG:
- if (!checkonly)
- udp->udp_debug = onoff;
- break;
- /*
- * The following three items are available here,
- * but are only meaningful to IP.
- */
- case SO_DONTROUTE:
- if (!checkonly) {
- udp->udp_dontroute = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case SO_USELOOPBACK:
- if (!checkonly) {
- udp->udp_useloopback = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case SO_BROADCAST:
- if (!checkonly) {
- udp->udp_broadcast = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
-
case SO_SNDBUF:
if (*i1 > us->us_max_buf) {
- *outlenp = 0;
return (ENOBUFS);
}
- if (!checkonly) {
- udp->udp_xmit_hiwat = *i1;
- connp->conn_wq->q_hiwat = *i1;
- }
break;
case SO_RCVBUF:
if (*i1 > us->us_max_buf) {
- *outlenp = 0;
return (ENOBUFS);
}
- if (!checkonly) {
- int size;
-
- udp->udp_rcv_disply_hiwat = *i1;
- size = udp_set_rcv_hiwat(udp, *i1);
- rw_exit(&udp->udp_rwlock);
- (void) proto_set_rx_hiwat(connp->conn_rq, connp,
- size);
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- }
- break;
- case SO_DGRAM_ERRIND:
- if (!checkonly)
- udp->udp_dgram_errind = onoff;
- break;
- case SO_RECVUCRED:
- if (!checkonly)
- udp->udp_recvucred = onoff;
- break;
- case SO_ALLZONES:
- /*
- * "soft" error (negative)
- * option not handled at this level
- * Do not modify *outlenp.
- */
- return (-EINVAL);
- case SO_TIMESTAMP:
- if (!checkonly)
- udp->udp_timestamp = onoff;
- break;
- case SO_ANON_MLP:
- case SO_MAC_EXEMPT:
- case SO_MAC_IMPLICIT:
- PASS_OPT_TO_IP(connp);
break;
+
case SCM_UCRED: {
struct ucred_s *ucr;
- cred_t *cr, *newcr;
+ cred_t *newcr;
ts_label_t *tsl;
/*
@@ -2250,20 +1777,18 @@ udp_do_opt_set(conn_t *connp, int level, int name, uint_t inlen,
*/
if (connp->conn_mlp_type == mlptSingle)
break;
+
ucr = (struct ucred_s *)invalp;
if (inlen != ucredsize ||
ucr->uc_labeloff < sizeof (*ucr) ||
ucr->uc_labeloff + sizeof (bslabel_t) > inlen)
return (EINVAL);
if (!checkonly) {
- mblk_t *mb;
- pid_t cpid;
-
- if (attrs == NULL ||
- (mb = attrs->udpattr_mb) == NULL)
- return (EINVAL);
- if ((cr = msg_getcred(mb, &cpid)) == NULL)
- cr = udp->udp_connp->conn_cred;
+ /*
+ * Set ixa_tsl to the new label.
+ * We assume that crgetzoneid doesn't change
+ * as part of the SCM_UCRED.
+ */
ASSERT(cr != NULL);
if ((tsl = crgetlabel(cr)) == NULL)
return (EINVAL);
@@ -2271,778 +1796,75 @@ udp_do_opt_set(conn_t *connp, int level, int name, uint_t inlen,
tsl->tsl_doi, KM_NOSLEEP);
if (newcr == NULL)
return (ENOSR);
- mblk_setcred(mb, newcr, cpid);
- attrs->udpattr_credset = B_TRUE;
- crfree(newcr);
- }
- break;
- }
- case SO_EXCLBIND:
- if (!checkonly)
- udp->udp_exclbind = onoff;
- break;
- case SO_RCVTIMEO:
- case SO_SNDTIMEO:
- /*
- * Pass these two options in order for third part
- * protocol usage. Here just return directly.
- */
- return (0);
- default:
- *outlenp = 0;
- return (EINVAL);
- }
- break;
- case IPPROTO_IP:
- if (udp->udp_family != AF_INET) {
- *outlenp = 0;
- return (ENOPROTOOPT);
- }
- switch (name) {
- case IP_OPTIONS:
- case T_IP_OPTIONS:
- /* Save options for use by IP. */
- newlen = inlen + udp->udp_label_len;
- if ((inlen & 0x3) || newlen > IP_MAX_OPT_LENGTH) {
- *outlenp = 0;
- return (EINVAL);
- }
- if (checkonly)
- break;
-
- /*
- * Update the stored options taking into account
- * any CIPSO option which we should not overwrite.
- */
- if (!tsol_option_set(&udp->udp_ip_snd_options,
- &udp->udp_ip_snd_options_len,
- udp->udp_label_len, invalp, inlen)) {
- *outlenp = 0;
- return (ENOMEM);
- }
-
- udp->udp_max_hdr_len = IP_SIMPLE_HDR_LENGTH +
- UDPH_SIZE + udp->udp_ip_snd_options_len;
- sth_wroff = udp->udp_max_hdr_len + us->us_wroff_extra;
- rw_exit(&udp->udp_rwlock);
- (void) proto_set_tx_wroff(connp->conn_rq, connp,
- sth_wroff);
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- break;
-
- case IP_TTL:
- if (!checkonly) {
- udp->udp_ttl = (uchar_t)*i1;
- }
- break;
- case IP_TOS:
- case T_IP_TOS:
- if (!checkonly) {
- udp->udp_type_of_service = (uchar_t)*i1;
- }
- break;
- case IP_MULTICAST_IF: {
- /*
- * TODO should check OPTMGMT reply and undo this if
- * there is an error.
- */
- struct in_addr *inap = (struct in_addr *)invalp;
- if (!checkonly) {
- udp->udp_multicast_if_addr =
- inap->s_addr;
- PASS_OPT_TO_IP(connp);
- }
- break;
- }
- case IP_MULTICAST_TTL:
- if (!checkonly)
- udp->udp_multicast_ttl = *invalp;
- break;
- case IP_MULTICAST_LOOP:
- if (!checkonly) {
- connp->conn_multicast_loop = *invalp;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IP_RECVOPTS:
- if (!checkonly)
- udp->udp_recvopts = onoff;
- break;
- case IP_RECVDSTADDR:
- if (!checkonly)
- udp->udp_recvdstaddr = onoff;
- break;
- case IP_RECVIF:
- if (!checkonly) {
- udp->udp_recvif = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IP_RECVSLLA:
- if (!checkonly) {
- udp->udp_recvslla = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IP_RECVTTL:
- if (!checkonly)
- udp->udp_recvttl = onoff;
- break;
- case IP_PKTINFO: {
- /*
- * This also handles IP_RECVPKTINFO.
- * IP_PKTINFO and IP_RECVPKTINFO have same value.
- * Differentiation is based on the size of the
- * argument passed in.
- */
- struct in_pktinfo *pktinfop;
- ip4_pkt_t *attr_pktinfop;
-
- if (checkonly)
- break;
-
- if (inlen == sizeof (int)) {
- /*
- * This is IP_RECVPKTINFO option.
- * Keep a local copy of whether this option is
- * set or not and pass it down to IP for
- * processing.
- */
-
- udp->udp_ip_recvpktinfo = onoff;
- return (-EINVAL);
- }
-
- if (attrs == NULL ||
- (attr_pktinfop = attrs->udpattr_ipp4) == NULL) {
+ ASSERT(newcr->cr_label != NULL);
/*
- * sticky option or no buffer to return
- * the results.
+ * Move the hold on the cr_label to ixa_tsl by
+ * setting cr_label to NULL. Then release newcr.
*/
- return (EINVAL);
- }
-
- if (inlen != sizeof (struct in_pktinfo))
- return (EINVAL);
-
- pktinfop = (struct in_pktinfo *)invalp;
-
- /*
- * At least one of the values should be specified
- */
- if (pktinfop->ipi_ifindex == 0 &&
- pktinfop->ipi_spec_dst.s_addr == INADDR_ANY) {
- return (EINVAL);
- }
-
- attr_pktinfop->ip4_addr = pktinfop->ipi_spec_dst.s_addr;
- attr_pktinfop->ip4_ill_index = pktinfop->ipi_ifindex;
-
- break;
- }
- case IP_ADD_MEMBERSHIP:
- case IP_DROP_MEMBERSHIP:
- case IP_BLOCK_SOURCE:
- case IP_UNBLOCK_SOURCE:
- case IP_ADD_SOURCE_MEMBERSHIP:
- case IP_DROP_SOURCE_MEMBERSHIP:
- case MCAST_JOIN_GROUP:
- case MCAST_LEAVE_GROUP:
- case MCAST_BLOCK_SOURCE:
- case MCAST_UNBLOCK_SOURCE:
- case MCAST_JOIN_SOURCE_GROUP:
- case MCAST_LEAVE_SOURCE_GROUP:
- case IP_SEC_OPT:
- case IP_NEXTHOP:
- case IP_DHCPINIT_IF:
- /*
- * "soft" error (negative)
- * option not handled at this level
- * Do not modify *outlenp.
- */
- return (-EINVAL);
- case IP_BOUND_IF:
- if (!checkonly) {
- udp->udp_bound_if = *i1;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IP_UNSPEC_SRC:
- if (!checkonly) {
- udp->udp_unspec_source = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IP_BROADCAST_TTL:
- if (!checkonly)
- connp->conn_broadcast_ttl = *invalp;
- break;
- default:
- *outlenp = 0;
- return (EINVAL);
- }
- break;
- case IPPROTO_IPV6: {
- ip6_pkt_t *ipp;
- boolean_t sticky;
-
- if (udp->udp_family != AF_INET6) {
- *outlenp = 0;
- return (ENOPROTOOPT);
- }
- /*
- * Deal with both sticky options and ancillary data
- */
- sticky = B_FALSE;
- if (attrs == NULL || (ipp = attrs->udpattr_ipp6) ==
- NULL) {
- /* sticky options, or none */
- ipp = &udp->udp_sticky_ipp;
- sticky = B_TRUE;
- }
-
- switch (name) {
- case IPV6_MULTICAST_IF:
- if (!checkonly) {
- udp->udp_multicast_if_index = *i1;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_UNICAST_HOPS:
- /* -1 means use default */
- if (*i1 < -1 || *i1 > IPV6_MAX_HOPS) {
- *outlenp = 0;
- return (EINVAL);
- }
- if (!checkonly) {
- if (*i1 == -1) {
- udp->udp_ttl = ipp->ipp_unicast_hops =
- us->us_ipv6_hoplimit;
- ipp->ipp_fields &= ~IPPF_UNICAST_HOPS;
- /* Pass modified value to IP. */
- *i1 = udp->udp_ttl;
- } else {
- udp->udp_ttl = ipp->ipp_unicast_hops =
- (uint8_t)*i1;
- ipp->ipp_fields |= IPPF_UNICAST_HOPS;
- }
- /* Rebuild the header template */
- error = udp_build_hdrs(udp);
- if (error != 0) {
- *outlenp = 0;
- return (error);
- }
- }
- break;
- case IPV6_MULTICAST_HOPS:
- /* -1 means use default */
- if (*i1 < -1 || *i1 > IPV6_MAX_HOPS) {
- *outlenp = 0;
- return (EINVAL);
- }
- if (!checkonly) {
- if (*i1 == -1) {
- udp->udp_multicast_ttl =
- ipp->ipp_multicast_hops =
- IP_DEFAULT_MULTICAST_TTL;
- ipp->ipp_fields &= ~IPPF_MULTICAST_HOPS;
- /* Pass modified value to IP. */
- *i1 = udp->udp_multicast_ttl;
- } else {
- udp->udp_multicast_ttl =
- ipp->ipp_multicast_hops =
- (uint8_t)*i1;
- ipp->ipp_fields |= IPPF_MULTICAST_HOPS;
- }
- }
- break;
- case IPV6_MULTICAST_LOOP:
- if (*i1 != 0 && *i1 != 1) {
- *outlenp = 0;
- return (EINVAL);
- }
- if (!checkonly) {
- connp->conn_multicast_loop = *i1;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_JOIN_GROUP:
- case IPV6_LEAVE_GROUP:
- case MCAST_JOIN_GROUP:
- case MCAST_LEAVE_GROUP:
- case MCAST_BLOCK_SOURCE:
- case MCAST_UNBLOCK_SOURCE:
- case MCAST_JOIN_SOURCE_GROUP:
- case MCAST_LEAVE_SOURCE_GROUP:
- /*
- * "soft" error (negative)
- * option not handled at this level
- * Note: Do not modify *outlenp
- */
- return (-EINVAL);
- case IPV6_BOUND_IF:
- if (!checkonly) {
- udp->udp_bound_if = *i1;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_UNSPEC_SRC:
- if (!checkonly) {
- udp->udp_unspec_source = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- /*
- * Set boolean switches for ancillary data delivery
- */
- case IPV6_RECVPKTINFO:
- if (!checkonly) {
- udp->udp_ip_recvpktinfo = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVTCLASS:
- if (!checkonly) {
- udp->udp_ipv6_recvtclass = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVPATHMTU:
- if (!checkonly) {
- udp->udp_ipv6_recvpathmtu = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVHOPLIMIT:
- if (!checkonly) {
- udp->udp_ipv6_recvhoplimit = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVHOPOPTS:
- if (!checkonly) {
- udp->udp_ipv6_recvhopopts = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVDSTOPTS:
- if (!checkonly) {
- udp->udp_ipv6_recvdstopts = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case _OLD_IPV6_RECVDSTOPTS:
- if (!checkonly)
- udp->udp_old_ipv6_recvdstopts = onoff;
- break;
- case IPV6_RECVRTHDRDSTOPTS:
- if (!checkonly) {
- udp->udp_ipv6_recvrthdrdstopts = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_RECVRTHDR:
- if (!checkonly) {
- udp->udp_ipv6_recvrthdr = onoff;
- PASS_OPT_TO_IP(connp);
- }
- break;
- /*
- * Set sticky options or ancillary data.
- * If sticky options, (re)build any extension headers
- * that might be needed as a result.
- */
- case IPV6_PKTINFO:
- /*
- * The source address and ifindex are verified
- * in ip_opt_set(). For ancillary data the
- * source address is checked in ip_wput_v6.
- */
- if (inlen != 0 && inlen != sizeof (struct in6_pktinfo))
- return (EINVAL);
- if (checkonly)
- break;
-
- if (inlen == 0) {
- ipp->ipp_fields &= ~(IPPF_IFINDEX|IPPF_ADDR);
- ipp->ipp_sticky_ignored |=
- (IPPF_IFINDEX|IPPF_ADDR);
- } else {
- struct in6_pktinfo *pkti;
-
- pkti = (struct in6_pktinfo *)invalp;
- ipp->ipp_ifindex = pkti->ipi6_ifindex;
- ipp->ipp_addr = pkti->ipi6_addr;
- if (ipp->ipp_ifindex != 0)
- ipp->ipp_fields |= IPPF_IFINDEX;
- else
- ipp->ipp_fields &= ~IPPF_IFINDEX;
- if (!IN6_IS_ADDR_UNSPECIFIED(
- &ipp->ipp_addr))
- ipp->ipp_fields |= IPPF_ADDR;
- else
- ipp->ipp_fields &= ~IPPF_ADDR;
- }
- if (sticky) {
- error = udp_build_hdrs(udp);
- if (error != 0)
- return (error);
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_HOPLIMIT:
- if (sticky)
- return (EINVAL);
- if (inlen != 0 && inlen != sizeof (int))
- return (EINVAL);
- if (checkonly)
- break;
-
- if (inlen == 0) {
- ipp->ipp_fields &= ~IPPF_HOPLIMIT;
- ipp->ipp_sticky_ignored |= IPPF_HOPLIMIT;
- } else {
- if (*i1 > 255 || *i1 < -1)
- return (EINVAL);
- if (*i1 == -1)
- ipp->ipp_hoplimit =
- us->us_ipv6_hoplimit;
- else
- ipp->ipp_hoplimit = *i1;
- ipp->ipp_fields |= IPPF_HOPLIMIT;
- }
- break;
- case IPV6_TCLASS:
- if (inlen != 0 && inlen != sizeof (int))
- return (EINVAL);
- if (checkonly)
- break;
-
- if (inlen == 0) {
- ipp->ipp_fields &= ~IPPF_TCLASS;
- ipp->ipp_sticky_ignored |= IPPF_TCLASS;
- } else {
- if (*i1 > 255 || *i1 < -1)
- return (EINVAL);
- if (*i1 == -1)
- ipp->ipp_tclass = 0;
- else
- ipp->ipp_tclass = *i1;
- ipp->ipp_fields |= IPPF_TCLASS;
- }
- if (sticky) {
- error = udp_build_hdrs(udp);
- if (error != 0)
- return (error);
- }
- break;
- case IPV6_NEXTHOP:
- /*
- * IP will verify that the nexthop is reachable
- * and fail for sticky options.
- */
- if (inlen != 0 && inlen != sizeof (sin6_t))
- return (EINVAL);
- if (checkonly)
- break;
-
- if (inlen == 0) {
- ipp->ipp_fields &= ~IPPF_NEXTHOP;
- ipp->ipp_sticky_ignored |= IPPF_NEXTHOP;
- } else {
- sin6_t *sin6 = (sin6_t *)invalp;
-
- if (sin6->sin6_family != AF_INET6) {
- return (EAFNOSUPPORT);
- }
- if (IN6_IS_ADDR_V4MAPPED(
- &sin6->sin6_addr))
- return (EADDRNOTAVAIL);
- ipp->ipp_nexthop = sin6->sin6_addr;
- if (!IN6_IS_ADDR_UNSPECIFIED(
- &ipp->ipp_nexthop))
- ipp->ipp_fields |= IPPF_NEXTHOP;
- else
- ipp->ipp_fields &= ~IPPF_NEXTHOP;
- }
- if (sticky) {
- error = udp_build_hdrs(udp);
- if (error != 0)
- return (error);
- PASS_OPT_TO_IP(connp);
- }
- break;
- case IPV6_HOPOPTS: {
- ip6_hbh_t *hopts = (ip6_hbh_t *)invalp;
- /*
- * Sanity checks - minimum size, size a multiple of
- * eight bytes, and matching size passed in.
- */
- if (inlen != 0 &&
- inlen != (8 * (hopts->ip6h_len + 1)))
- return (EINVAL);
-
- if (checkonly)
- break;
-
- error = optcom_pkt_set(invalp, inlen, sticky,
- (uchar_t **)&ipp->ipp_hopopts,
- &ipp->ipp_hopoptslen,
- sticky ? udp->udp_label_len_v6 : 0);
- if (error != 0)
- return (error);
- if (ipp->ipp_hopoptslen == 0) {
- ipp->ipp_fields &= ~IPPF_HOPOPTS;
- ipp->ipp_sticky_ignored |= IPPF_HOPOPTS;
- } else {
- ipp->ipp_fields |= IPPF_HOPOPTS;
- }
- if (sticky) {
- error = udp_build_hdrs(udp);
- if (error != 0)
- return (error);
- }
- break;
- }
- case IPV6_RTHDRDSTOPTS: {
- ip6_dest_t *dopts = (ip6_dest_t *)invalp;
-
- /*
- * Sanity checks - minimum size, size a multiple of
- * eight bytes, and matching size passed in.
- */
- if (inlen != 0 &&
- inlen != (8 * (dopts->ip6d_len + 1)))
- return (EINVAL);
-
- if (checkonly)
- break;
-
- if (inlen == 0) {
- if (sticky &&
- (ipp->ipp_fields & IPPF_RTDSTOPTS) != 0) {
- kmem_free(ipp->ipp_rtdstopts,
- ipp->ipp_rtdstoptslen);
- ipp->ipp_rtdstopts = NULL;
- ipp->ipp_rtdstoptslen = 0;
- }
-
- ipp->ipp_fields &= ~IPPF_RTDSTOPTS;
- ipp->ipp_sticky_ignored |= IPPF_RTDSTOPTS;
- } else {
- error = optcom_pkt_set(invalp, inlen, sticky,
- (uchar_t **)&ipp->ipp_rtdstopts,
- &ipp->ipp_rtdstoptslen, 0);
- if (error != 0)
- return (error);
- ipp->ipp_fields |= IPPF_RTDSTOPTS;
- }
- if (sticky) {
- error = udp_build_hdrs(udp);
- if (error != 0)
- return (error);
- }
- break;
- }
- case IPV6_DSTOPTS: {
- ip6_dest_t *dopts = (ip6_dest_t *)invalp;
-
- /*
- * Sanity checks - minimum size, size a multiple of
- * eight bytes, and matching size passed in.
- */
- if (inlen != 0 &&
- inlen != (8 * (dopts->ip6d_len + 1)))
- return (EINVAL);
-
- if (checkonly)
- break;
-
- if (inlen == 0) {
- if (sticky &&
- (ipp->ipp_fields & IPPF_DSTOPTS) != 0) {
- kmem_free(ipp->ipp_dstopts,
- ipp->ipp_dstoptslen);
- ipp->ipp_dstopts = NULL;
- ipp->ipp_dstoptslen = 0;
- }
- ipp->ipp_fields &= ~IPPF_DSTOPTS;
- ipp->ipp_sticky_ignored |= IPPF_DSTOPTS;
- } else {
- error = optcom_pkt_set(invalp, inlen, sticky,
- (uchar_t **)&ipp->ipp_dstopts,
- &ipp->ipp_dstoptslen, 0);
- if (error != 0)
- return (error);
- ipp->ipp_fields |= IPPF_DSTOPTS;
- }
- if (sticky) {
- error = udp_build_hdrs(udp);
- if (error != 0)
- return (error);
- }
- break;
- }
- case IPV6_RTHDR: {
- ip6_rthdr_t *rt = (ip6_rthdr_t *)invalp;
-
- /*
- * Sanity checks - minimum size, size a multiple of
- * eight bytes, and matching size passed in.
- */
- if (inlen != 0 &&
- inlen != (8 * (rt->ip6r_len + 1)))
- return (EINVAL);
-
- if (checkonly)
- break;
-
- if (inlen == 0) {
- if (sticky &&
- (ipp->ipp_fields & IPPF_RTHDR) != 0) {
- kmem_free(ipp->ipp_rthdr,
- ipp->ipp_rthdrlen);
- ipp->ipp_rthdr = NULL;
- ipp->ipp_rthdrlen = 0;
- }
- ipp->ipp_fields &= ~IPPF_RTHDR;
- ipp->ipp_sticky_ignored |= IPPF_RTHDR;
- } else {
- error = optcom_pkt_set(invalp, inlen, sticky,
- (uchar_t **)&ipp->ipp_rthdr,
- &ipp->ipp_rthdrlen, 0);
- if (error != 0)
- return (error);
- ipp->ipp_fields |= IPPF_RTHDR;
- }
- if (sticky) {
- error = udp_build_hdrs(udp);
- if (error != 0)
- return (error);
+ ip_xmit_attr_replace_tsl(ixa, newcr->cr_label);
+ ixa->ixa_flags |= IXAF_UCRED_TSL;
+ newcr->cr_label = NULL;
+ crfree(newcr);
+ coa->coa_changed |= COA_HEADER_CHANGED;
+ coa->coa_changed |= COA_WROFF_CHANGED;
}
- break;
+ /* Fully handled this option. */
+ return (0);
}
-
- case IPV6_DONTFRAG:
- if (checkonly)
- break;
-
- if (onoff) {
- ipp->ipp_fields |= IPPF_DONTFRAG;
- } else {
- ipp->ipp_fields &= ~IPPF_DONTFRAG;
- }
- break;
-
- case IPV6_USE_MIN_MTU:
- if (inlen != sizeof (int))
- return (EINVAL);
-
- if (*i1 < -1 || *i1 > 1)
- return (EINVAL);
-
- if (checkonly)
- break;
-
- ipp->ipp_fields |= IPPF_USE_MIN_MTU;
- ipp->ipp_use_min_mtu = *i1;
- break;
-
- case IPV6_SEC_OPT:
- case IPV6_SRC_PREFERENCES:
- case IPV6_V6ONLY:
- /* Handled at the IP level */
- return (-EINVAL);
- default:
- *outlenp = 0;
- return (EINVAL);
}
break;
- } /* end IPPROTO_IPV6 */
case IPPROTO_UDP:
switch (name) {
- case UDP_ANONPRIVBIND:
- if ((error = secpolicy_net_privaddr(cr, 0,
- IPPROTO_UDP)) != 0) {
- *outlenp = 0;
- return (error);
- }
- if (!checkonly) {
- udp->udp_anon_priv_bind = onoff;
- }
- break;
- case UDP_EXCLBIND:
- if (!checkonly)
- udp->udp_exclbind = onoff;
- break;
- case UDP_RCVHDR:
- if (!checkonly)
- udp->udp_rcvhdr = onoff;
- break;
case UDP_NAT_T_ENDPOINT:
if ((error = secpolicy_ip_config(cr, B_FALSE)) != 0) {
- *outlenp = 0;
return (error);
}
/*
- * Use udp_family instead so we can avoid ambiguitites
+ * Use conn_family instead so we can avoid ambiguitites
* with AF_INET6 sockets that may switch from IPv4
* to IPv6.
*/
- if (udp->udp_family != AF_INET) {
- *outlenp = 0;
+ if (connp->conn_family != AF_INET) {
return (EAFNOSUPPORT);
}
if (!checkonly) {
- int size;
-
+ mutex_enter(&connp->conn_lock);
udp->udp_nat_t_endpoint = onoff;
-
- udp->udp_max_hdr_len = IP_SIMPLE_HDR_LENGTH +
- UDPH_SIZE + udp->udp_ip_snd_options_len;
-
- /* Also, adjust wroff */
- if (onoff) {
- udp->udp_max_hdr_len +=
- sizeof (uint32_t);
- }
- size = udp->udp_max_hdr_len +
- us->us_wroff_extra;
- (void) proto_set_tx_wroff(connp->conn_rq, connp,
- size);
+ mutex_exit(&connp->conn_lock);
+ coa->coa_changed |= COA_HEADER_CHANGED;
+ coa->coa_changed |= COA_WROFF_CHANGED;
}
- break;
- default:
- *outlenp = 0;
- return (EINVAL);
+ /* Fully handled this option. */
+ return (0);
+ case UDP_RCVHDR:
+ mutex_enter(&connp->conn_lock);
+ udp->udp_rcvhdr = onoff;
+ mutex_exit(&connp->conn_lock);
+ return (0);
}
break;
- default:
- *outlenp = 0;
- return (EINVAL);
- }
- /*
- * Common case of OK return with outval same as inval.
- */
- if (invalp != outvalp) {
- /* don't trust bcopy for identical src/dst */
- (void) bcopy(invalp, outvalp, inlen);
}
- *outlenp = inlen;
- return (0);
+ error = conn_opt_set(coa, level, name, inlen, invalp,
+ checkonly, cr);
+ return (error);
}
+/*
+ * This routine sets socket options.
+ */
int
-udp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
- uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
- void *thisdg_attrs, cred_t *cr)
+udp_opt_set(conn_t *connp, uint_t optset_context, int level,
+ int name, uint_t inlen, uchar_t *invalp, uint_t *outlenp,
+ uchar_t *outvalp, void *thisdg_attrs, cred_t *cr)
{
- int error;
+ udp_t *udp = connp->conn_udp;
+ int err;
+ conn_opt_arg_t coas, *coa;
boolean_t checkonly;
+ udp_stack_t *us = udp->udp_us;
- error = 0;
switch (optset_context) {
case SETFN_OPTCOM_CHECKONLY:
checkonly = B_TRUE;
@@ -3056,7 +1878,7 @@ udp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
*/
if (inlen == 0) {
*outlenp = 0;
- goto done;
+ return (0);
}
break;
case SETFN_OPTCOM_NEGOTIATE:
@@ -3074,8 +1896,7 @@ udp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
*/
if (!udp_opt_allow_udr_set(level, name)) {
*outlenp = 0;
- error = EINVAL;
- goto done;
+ return (EINVAL);
}
break;
default:
@@ -3083,99 +1904,326 @@ udp_opt_set(conn_t *connp, uint_t optset_context, int level, int name,
* We should never get here
*/
*outlenp = 0;
- error = EINVAL;
- goto done;
+ return (EINVAL);
}
ASSERT((optset_context != SETFN_OPTCOM_CHECKONLY) ||
(optset_context == SETFN_OPTCOM_CHECKONLY && inlen != 0));
- error = udp_do_opt_set(connp, level, name, inlen, invalp, outlenp,
- outvalp, cr, thisdg_attrs, checkonly);
-done:
- return (error);
+ if (thisdg_attrs != NULL) {
+ /* Options from T_UNITDATA_REQ */
+ coa = (conn_opt_arg_t *)thisdg_attrs;
+ ASSERT(coa->coa_connp == connp);
+ ASSERT(coa->coa_ixa != NULL);
+ ASSERT(coa->coa_ipp != NULL);
+ ASSERT(coa->coa_ancillary);
+ } else {
+ coa = &coas;
+ coas.coa_connp = connp;
+ /* Get a reference on conn_ixa to prevent concurrent mods */
+ coas.coa_ixa = conn_get_ixa(connp, B_TRUE);
+ if (coas.coa_ixa == NULL) {
+ *outlenp = 0;
+ return (ENOMEM);
+ }
+ coas.coa_ipp = &connp->conn_xmit_ipp;
+ coas.coa_ancillary = B_FALSE;
+ coas.coa_changed = 0;
+ }
+
+ err = udp_do_opt_set(coa, level, name, inlen, invalp,
+ cr, checkonly);
+ if (err != 0) {
+errout:
+ if (!coa->coa_ancillary)
+ ixa_refrele(coa->coa_ixa);
+ *outlenp = 0;
+ return (err);
+ }
+ /* Handle DHCPINIT here outside of lock */
+ if (level == IPPROTO_IP && name == IP_DHCPINIT_IF) {
+ uint_t ifindex;
+ ill_t *ill;
+
+ ifindex = *(uint_t *)invalp;
+ if (ifindex == 0) {
+ ill = NULL;
+ } else {
+ ill = ill_lookup_on_ifindex(ifindex, B_FALSE,
+ coa->coa_ixa->ixa_ipst);
+ if (ill == NULL) {
+ err = ENXIO;
+ goto errout;
+ }
+
+ mutex_enter(&ill->ill_lock);
+ if (ill->ill_state_flags & ILL_CONDEMNED) {
+ mutex_exit(&ill->ill_lock);
+ ill_refrele(ill);
+ err = ENXIO;
+ goto errout;
+ }
+ if (IS_VNI(ill)) {
+ mutex_exit(&ill->ill_lock);
+ ill_refrele(ill);
+ err = EINVAL;
+ goto errout;
+ }
+ }
+ mutex_enter(&connp->conn_lock);
+
+ if (connp->conn_dhcpinit_ill != NULL) {
+ /*
+ * We've locked the conn so conn_cleanup_ill()
+ * cannot clear conn_dhcpinit_ill -- so it's
+ * safe to access the ill.
+ */
+ ill_t *oill = connp->conn_dhcpinit_ill;
+
+ ASSERT(oill->ill_dhcpinit != 0);
+ atomic_dec_32(&oill->ill_dhcpinit);
+ ill_set_inputfn(connp->conn_dhcpinit_ill);
+ connp->conn_dhcpinit_ill = NULL;
+ }
+
+ if (ill != NULL) {
+ connp->conn_dhcpinit_ill = ill;
+ atomic_inc_32(&ill->ill_dhcpinit);
+ ill_set_inputfn(ill);
+ mutex_exit(&connp->conn_lock);
+ mutex_exit(&ill->ill_lock);
+ ill_refrele(ill);
+ } else {
+ mutex_exit(&connp->conn_lock);
+ }
+ }
+
+ /*
+ * Common case of OK return with outval same as inval.
+ */
+ if (invalp != outvalp) {
+ /* don't trust bcopy for identical src/dst */
+ (void) bcopy(invalp, outvalp, inlen);
+ }
+ *outlenp = inlen;
+
+ /*
+ * If this was not ancillary data, then we rebuild the headers,
+ * update the IRE/NCE, and IPsec as needed.
+ * Since the label depends on the destination we go through
+ * ip_set_destination first.
+ */
+ if (coa->coa_ancillary) {
+ return (0);
+ }
+
+ if (coa->coa_changed & COA_ROUTE_CHANGED) {
+ in6_addr_t saddr, faddr, nexthop;
+ in_port_t fport;
+
+ /*
+ * We clear lastdst to make sure we pick up the change
+ * next time sending.
+ * If we are connected we re-cache the information.
+ * We ignore errors to preserve BSD behavior.
+ * Note that we don't redo IPsec policy lookup here
+ * since the final destination (or source) didn't change.
+ */
+ mutex_enter(&connp->conn_lock);
+ connp->conn_v6lastdst = ipv6_all_zeros;
+
+ ip_attr_nexthop(coa->coa_ipp, coa->coa_ixa,
+ &connp->conn_faddr_v6, &nexthop);
+ saddr = connp->conn_saddr_v6;
+ faddr = connp->conn_faddr_v6;
+ fport = connp->conn_fport;
+ mutex_exit(&connp->conn_lock);
+
+ if (!IN6_IS_ADDR_UNSPECIFIED(&faddr) &&
+ !IN6_IS_ADDR_V4MAPPED_ANY(&faddr)) {
+ (void) ip_attr_connect(connp, coa->coa_ixa,
+ &saddr, &faddr, &nexthop, fport, NULL, NULL,
+ IPDF_ALLOW_MCBC | IPDF_VERIFY_DST);
+ }
+ }
+
+ ixa_refrele(coa->coa_ixa);
+
+ if (coa->coa_changed & COA_HEADER_CHANGED) {
+ /*
+ * Rebuild the header template if we are connected.
+ * Otherwise clear conn_v6lastdst so we rebuild the header
+ * in the data path.
+ */
+ mutex_enter(&connp->conn_lock);
+ if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) &&
+ !IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_faddr_v6)) {
+ err = udp_build_hdr_template(connp,
+ &connp->conn_saddr_v6, &connp->conn_faddr_v6,
+ connp->conn_fport, connp->conn_flowinfo);
+ if (err != 0) {
+ mutex_exit(&connp->conn_lock);
+ return (err);
+ }
+ } else {
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ }
+ mutex_exit(&connp->conn_lock);
+ }
+ if (coa->coa_changed & COA_RCVBUF_CHANGED) {
+ (void) proto_set_rx_hiwat(connp->conn_rq, connp,
+ connp->conn_rcvbuf);
+ }
+ if ((coa->coa_changed & COA_SNDBUF_CHANGED) && !IPCL_IS_NONSTR(connp)) {
+ connp->conn_wq->q_hiwat = connp->conn_sndbuf;
+ }
+ if (coa->coa_changed & COA_WROFF_CHANGED) {
+ /* Increase wroff if needed */
+ uint_t wroff;
+
+ mutex_enter(&connp->conn_lock);
+ wroff = connp->conn_ht_iphc_allocated + us->us_wroff_extra;
+ if (udp->udp_nat_t_endpoint)
+ wroff += sizeof (uint32_t);
+ if (wroff > connp->conn_wroff) {
+ connp->conn_wroff = wroff;
+ mutex_exit(&connp->conn_lock);
+ (void) proto_set_tx_wroff(connp->conn_rq, connp, wroff);
+ } else {
+ mutex_exit(&connp->conn_lock);
+ }
+ }
+ return (err);
}
-/* ARGSUSED */
+/* This routine sets socket options. */
int
udp_tpi_opt_set(queue_t *q, uint_t optset_context, int level, int name,
uint_t inlen, uchar_t *invalp, uint_t *outlenp, uchar_t *outvalp,
- void *thisdg_attrs, cred_t *cr, mblk_t *mblk)
+ void *thisdg_attrs, cred_t *cr)
{
- conn_t *connp = Q_TO_CONN(q);
+ conn_t *connp = Q_TO_CONN(q);
int error;
- udp_t *udp = connp->conn_udp;
- rw_enter(&udp->udp_rwlock, RW_WRITER);
error = udp_opt_set(connp, optset_context, level, name, inlen, invalp,
outlenp, outvalp, thisdg_attrs, cr);
- rw_exit(&udp->udp_rwlock);
return (error);
}
/*
- * Update udp_sticky_hdrs based on udp_sticky_ipp, udp_v6src, and udp_ttl.
- * The headers include ip6i_t (if needed), ip6_t, any sticky extension
- * headers, and the udp header.
- * Returns failure if can't allocate memory.
+ * Setup IP and UDP headers.
+ * Returns NULL on allocation failure, in which case data_mp is freed.
*/
-static int
-udp_build_hdrs(udp_t *udp)
+mblk_t *
+udp_prepend_hdr(conn_t *connp, ip_xmit_attr_t *ixa, const ip_pkt_t *ipp,
+ const in6_addr_t *v6src, const in6_addr_t *v6dst, in_port_t dstport,
+ uint32_t flowinfo, mblk_t *data_mp, int *errorp)
{
- udp_stack_t *us = udp->udp_us;
- uchar_t *hdrs;
- uint_t hdrs_len;
- ip6_t *ip6h;
- ip6i_t *ip6i;
- udpha_t *udpha;
- ip6_pkt_t *ipp = &udp->udp_sticky_ipp;
- size_t sth_wroff;
- conn_t *connp = udp->udp_connp;
-
- ASSERT(RW_WRITE_HELD(&udp->udp_rwlock));
- ASSERT(connp != NULL);
+ mblk_t *mp;
+ udpha_t *udpha;
+ udp_stack_t *us = connp->conn_netstack->netstack_udp;
+ uint_t data_len;
+ uint32_t cksum;
+ udp_t *udp = connp->conn_udp;
+ boolean_t insert_spi = udp->udp_nat_t_endpoint;
+ uint_t ulp_hdr_len;
- hdrs_len = ip_total_hdrs_len_v6(ipp) + UDPH_SIZE;
- ASSERT(hdrs_len != 0);
- if (hdrs_len != udp->udp_sticky_hdrs_len) {
- /* Need to reallocate */
- hdrs = kmem_alloc(hdrs_len, KM_NOSLEEP);
- if (hdrs == NULL)
- return (ENOMEM);
+ data_len = msgdsize(data_mp);
+ ulp_hdr_len = UDPH_SIZE;
+ if (insert_spi)
+ ulp_hdr_len += sizeof (uint32_t);
- if (udp->udp_sticky_hdrs_len != 0) {
- kmem_free(udp->udp_sticky_hdrs,
- udp->udp_sticky_hdrs_len);
- }
- udp->udp_sticky_hdrs = hdrs;
- udp->udp_sticky_hdrs_len = hdrs_len;
+ mp = conn_prepend_hdr(ixa, ipp, v6src, v6dst, IPPROTO_UDP, flowinfo,
+ ulp_hdr_len, data_mp, data_len, us->us_wroff_extra, &cksum, errorp);
+ if (mp == NULL) {
+ ASSERT(*errorp != 0);
+ return (NULL);
}
- ip_build_hdrs_v6(udp->udp_sticky_hdrs,
- udp->udp_sticky_hdrs_len - UDPH_SIZE, ipp, IPPROTO_UDP);
- /* Set header fields not in ipp */
- if (ipp->ipp_fields & IPPF_HAS_IP6I) {
- ip6i = (ip6i_t *)udp->udp_sticky_hdrs;
- ip6h = (ip6_t *)&ip6i[1];
+ data_len += ulp_hdr_len;
+ ixa->ixa_pktlen = data_len + ixa->ixa_ip_hdr_length;
+
+ udpha = (udpha_t *)(mp->b_rptr + ixa->ixa_ip_hdr_length);
+ udpha->uha_src_port = connp->conn_lport;
+ udpha->uha_dst_port = dstport;
+ udpha->uha_checksum = 0;
+ udpha->uha_length = htons(data_len);
+
+ /*
+ * If there was a routing option/header then conn_prepend_hdr
+ * has massaged it and placed the pseudo-header checksum difference
+ * in the cksum argument.
+ *
+ * Setup header length and prepare for ULP checksum done in IP.
+ *
+ * We make it easy for IP to include our pseudo header
+ * by putting our length in uha_checksum.
+ * The IP source, destination, and length have already been set by
+ * conn_prepend_hdr.
+ */
+ cksum += data_len;
+ cksum = (cksum >> 16) + (cksum & 0xFFFF);
+ ASSERT(cksum < 0x10000);
+
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)mp->b_rptr;
+
+ ASSERT(ntohs(ipha->ipha_length) == ixa->ixa_pktlen);
+
+ /* IP does the checksum if uha_checksum is non-zero */
+ if (us->us_do_checksum) {
+ if (cksum == 0)
+ udpha->uha_checksum = 0xffff;
+ else
+ udpha->uha_checksum = htons(cksum);
+ } else {
+ udpha->uha_checksum = 0;
+ }
} else {
- ip6h = (ip6_t *)udp->udp_sticky_hdrs;
+ ip6_t *ip6h = (ip6_t *)mp->b_rptr;
+
+ ASSERT(ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN == ixa->ixa_pktlen);
+ if (cksum == 0)
+ udpha->uha_checksum = 0xffff;
+ else
+ udpha->uha_checksum = htons(cksum);
}
- if (!(ipp->ipp_fields & IPPF_ADDR))
- ip6h->ip6_src = udp->udp_v6src;
+ /* Insert all-0s SPI now. */
+ if (insert_spi)
+ *((uint32_t *)(udpha + 1)) = 0;
- udpha = (udpha_t *)(udp->udp_sticky_hdrs + hdrs_len - UDPH_SIZE);
- udpha->uha_src_port = udp->udp_port;
+ return (mp);
+}
- /* Try to get everything in a single mblk */
- if (hdrs_len > udp->udp_max_hdr_len) {
- udp->udp_max_hdr_len = hdrs_len;
- sth_wroff = udp->udp_max_hdr_len + us->us_wroff_extra;
- rw_exit(&udp->udp_rwlock);
- (void) proto_set_tx_wroff(udp->udp_connp->conn_rq,
- udp->udp_connp, sth_wroff);
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- }
+static int
+udp_build_hdr_template(conn_t *connp, const in6_addr_t *v6src,
+ const in6_addr_t *v6dst, in_port_t dstport, uint32_t flowinfo)
+{
+ udpha_t *udpha;
+ int error;
+
+ ASSERT(MUTEX_HELD(&connp->conn_lock));
+ /*
+ * We clear lastdst to make sure we don't use the lastdst path
+ * next time sending since we might not have set v6dst yet.
+ */
+ connp->conn_v6lastdst = ipv6_all_zeros;
+
+ error = conn_build_hdr_template(connp, UDPH_SIZE, 0, v6src, v6dst,
+ flowinfo);
+ if (error != 0)
+ return (error);
+
+ /*
+ * Any routing header/option has been massaged. The checksum difference
+ * is stored in conn_sum.
+ */
+ udpha = (udpha_t *)connp->conn_ht_ulp;
+ udpha->uha_src_port = connp->conn_lport;
+ udpha->uha_dst_port = dstport;
+ udpha->uha_checksum = 0;
+ udpha->uha_length = htons(UDPH_SIZE); /* Filled in later */
return (0);
}
@@ -3252,189 +2300,6 @@ udp_param_set(queue_t *q, mblk_t *mp, char *value, caddr_t cp, cred_t *cr)
return (0);
}
-/*
- * Copy hop-by-hop option from ipp->ipp_hopopts to the buffer provided (with
- * T_opthdr) and return the number of bytes copied. 'dbuf' may be NULL to
- * just count the length needed for allocation. If 'dbuf' is non-NULL,
- * then it's assumed to be allocated to be large enough.
- *
- * Returns zero if trimming of the security option causes all options to go
- * away.
- */
-static size_t
-copy_hop_opts(const ip6_pkt_t *ipp, uchar_t *dbuf)
-{
- struct T_opthdr *toh;
- size_t hol = ipp->ipp_hopoptslen;
- ip6_hbh_t *dstopt = NULL;
- const ip6_hbh_t *srcopt = ipp->ipp_hopopts;
- size_t tlen, olen, plen;
- boolean_t deleting;
- const struct ip6_opt *sopt, *lastpad;
- struct ip6_opt *dopt;
-
- if ((toh = (struct T_opthdr *)dbuf) != NULL) {
- toh->level = IPPROTO_IPV6;
- toh->name = IPV6_HOPOPTS;
- toh->status = 0;
- dstopt = (ip6_hbh_t *)(toh + 1);
- }
-
- /*
- * If labeling is enabled, then skip the label option
- * but get other options if there are any.
- */
- if (is_system_labeled()) {
- dopt = NULL;
- if (dstopt != NULL) {
- /* will fill in ip6h_len later */
- dstopt->ip6h_nxt = srcopt->ip6h_nxt;
- dopt = (struct ip6_opt *)(dstopt + 1);
- }
- sopt = (const struct ip6_opt *)(srcopt + 1);
- hol -= sizeof (*srcopt);
- tlen = sizeof (*dstopt);
- lastpad = NULL;
- deleting = B_FALSE;
- /*
- * This loop finds the first (lastpad pointer) of any number of
- * pads that preceeds the security option, then treats the
- * security option as though it were a pad, and then finds the
- * next non-pad option (or end of list).
- *
- * It then treats the entire block as one big pad. To preserve
- * alignment of any options that follow, or just the end of the
- * list, it computes a minimal new padding size that keeps the
- * same alignment for the next option.
- *
- * If it encounters just a sequence of pads with no security
- * option, those are copied as-is rather than collapsed.
- *
- * Note that to handle the end of list case, the code makes one
- * loop with 'hol' set to zero.
- */
- for (;;) {
- if (hol > 0) {
- if (sopt->ip6o_type == IP6OPT_PAD1) {
- if (lastpad == NULL)
- lastpad = sopt;
- sopt = (const struct ip6_opt *)
- &sopt->ip6o_len;
- hol--;
- continue;
- }
- olen = sopt->ip6o_len + sizeof (*sopt);
- if (olen > hol)
- olen = hol;
- if (sopt->ip6o_type == IP6OPT_PADN ||
- sopt->ip6o_type == ip6opt_ls) {
- if (sopt->ip6o_type == ip6opt_ls)
- deleting = B_TRUE;
- if (lastpad == NULL)
- lastpad = sopt;
- sopt = (const struct ip6_opt *)
- ((const char *)sopt + olen);
- hol -= olen;
- continue;
- }
- } else {
- /* if nothing was copied at all, then delete */
- if (tlen == sizeof (*dstopt))
- return (0);
- /* last pass; pick up any trailing padding */
- olen = 0;
- }
- if (deleting) {
- /*
- * compute aligning effect of deleted material
- * to reproduce with pad.
- */
- plen = ((const char *)sopt -
- (const char *)lastpad) & 7;
- tlen += plen;
- if (dopt != NULL) {
- if (plen == 1) {
- dopt->ip6o_type = IP6OPT_PAD1;
- } else if (plen > 1) {
- plen -= sizeof (*dopt);
- dopt->ip6o_type = IP6OPT_PADN;
- dopt->ip6o_len = plen;
- if (plen > 0)
- bzero(dopt + 1, plen);
- }
- dopt = (struct ip6_opt *)
- ((char *)dopt + plen);
- }
- deleting = B_FALSE;
- lastpad = NULL;
- }
- /* if there's uncopied padding, then copy that now */
- if (lastpad != NULL) {
- olen += (const char *)sopt -
- (const char *)lastpad;
- sopt = lastpad;
- lastpad = NULL;
- }
- if (dopt != NULL && olen > 0) {
- bcopy(sopt, dopt, olen);
- dopt = (struct ip6_opt *)((char *)dopt + olen);
- }
- if (hol == 0)
- break;
- tlen += olen;
- sopt = (const struct ip6_opt *)
- ((const char *)sopt + olen);
- hol -= olen;
- }
- /* go back and patch up the length value, rounded upward */
- if (dstopt != NULL)
- dstopt->ip6h_len = (tlen - 1) >> 3;
- } else {
- tlen = hol;
- if (dstopt != NULL)
- bcopy(srcopt, dstopt, hol);
- }
-
- tlen += sizeof (*toh);
- if (toh != NULL)
- toh->len = tlen;
-
- return (tlen);
-}
-
-/*
- * Update udp_rcv_opt_len from the packet.
- * Called when options received, and when no options received but
- * udp_ip_recv_opt_len has previously recorded options.
- */
-static void
-udp_save_ip_rcv_opt(udp_t *udp, void *opt, int opt_len)
-{
- /* Save the options if any */
- if (opt_len > 0) {
- if (opt_len > udp->udp_ip_rcv_options_len) {
- /* Need to allocate larger buffer */
- if (udp->udp_ip_rcv_options_len != 0)
- mi_free((char *)udp->udp_ip_rcv_options);
- udp->udp_ip_rcv_options_len = 0;
- udp->udp_ip_rcv_options =
- (uchar_t *)mi_alloc(opt_len, BPRI_HI);
- if (udp->udp_ip_rcv_options != NULL)
- udp->udp_ip_rcv_options_len = opt_len;
- }
- if (udp->udp_ip_rcv_options_len != 0) {
- bcopy(opt, udp->udp_ip_rcv_options, opt_len);
- /* Adjust length if we are resusing the space */
- udp->udp_ip_rcv_options_len = opt_len;
- }
- } else if (udp->udp_ip_rcv_options_len != 0) {
- /* Clear out previously recorded options */
- mi_free((char *)udp->udp_ip_rcv_options);
- udp->udp_ip_rcv_options = NULL;
- udp->udp_ip_rcv_options_len = 0;
- }
-}
-
static mblk_t *
udp_queue_fallback(udp_t *udp, mblk_t *mp)
{
@@ -3466,15 +2331,15 @@ udp_queue_fallback(udp_t *udp, mblk_t *mp)
* TPI, then we'll queue the mp for later processing.
*/
static void
-udp_ulp_recv(conn_t *connp, mblk_t *mp)
+udp_ulp_recv(conn_t *connp, mblk_t *mp, uint_t len, ip_recv_attr_t *ira)
{
if (IPCL_IS_NONSTR(connp)) {
udp_t *udp = connp->conn_udp;
int error;
+ ASSERT(len == msgdsize(mp));
if ((*connp->conn_upcalls->su_recv)
- (connp->conn_upper_handle, mp, msgdsize(mp), 0, &error,
- NULL) < 0) {
+ (connp->conn_upper_handle, mp, len, 0, &error, NULL) < 0) {
mutex_enter(&udp->udp_recv_lock);
if (error == ENOSPC) {
/*
@@ -3500,282 +2365,170 @@ udp_ulp_recv(conn_t *connp, mblk_t *mp)
}
ASSERT(MUTEX_NOT_HELD(&udp->udp_recv_lock));
} else {
+ if (is_system_labeled()) {
+ ASSERT(ira->ira_cred != NULL);
+ /*
+ * Provide for protocols above UDP such as RPC
+ * NOPID leaves db_cpid unchanged.
+ */
+ mblk_setcred(mp, ira->ira_cred, NOPID);
+ }
+
putnext(connp->conn_rq, mp);
}
}
+/*
+ * This is the inbound data path.
+ * IP has already pulled up the IP plus UDP headers and verified alignment
+ * etc.
+ */
/* ARGSUSED2 */
static void
-udp_input(void *arg1, mblk_t *mp, void *arg2)
+udp_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
{
- conn_t *connp = (conn_t *)arg1;
+ conn_t *connp = (conn_t *)arg1;
struct T_unitdata_ind *tudi;
uchar_t *rptr; /* Pointer to IP header */
int hdr_length; /* Length of IP+UDP headers */
- int opt_len;
int udi_size; /* Size of T_unitdata_ind */
- int mp_len;
+ int pkt_len;
udp_t *udp;
udpha_t *udpha;
- int ipversion;
- ip6_pkt_t ipp;
+ ip_pkt_t ipps;
ip6_t *ip6h;
- ip6i_t *ip6i;
mblk_t *mp1;
- mblk_t *options_mp = NULL;
- ip_pktinfo_t *pinfo = NULL;
- cred_t *cr = NULL;
- pid_t cpid;
- uint32_t udp_ip_rcv_options_len;
- udp_bits_t udp_bits;
- cred_t *rcr = connp->conn_cred;
- udp_stack_t *us;
+ uint32_t udp_ipv4_options_len;
+ crb_t recv_ancillary;
+ udp_stack_t *us;
ASSERT(connp->conn_flags & IPCL_UDPCONN);
udp = connp->conn_udp;
us = udp->udp_us;
rptr = mp->b_rptr;
- ASSERT(DB_TYPE(mp) == M_DATA || DB_TYPE(mp) == M_CTL);
+
+ ASSERT(DB_TYPE(mp) == M_DATA);
ASSERT(OK_32PTR(rptr));
+ ASSERT(ira->ira_pktlen == msgdsize(mp));
+ pkt_len = ira->ira_pktlen;
/*
- * IP should have prepended the options data in an M_CTL
- * Check M_CTL "type" to make sure are not here bcos of
- * a valid ICMP message
+ * Get a snapshot of these and allow other threads to change
+ * them after that. We need the same recv_ancillary when determining
+ * the size as when adding the ancillary data items.
*/
- if (DB_TYPE(mp) == M_CTL) {
- if (MBLKL(mp) == sizeof (ip_pktinfo_t) &&
- ((ip_pktinfo_t *)mp->b_rptr)->ip_pkt_ulp_type ==
- IN_PKTINFO) {
- /*
- * IP_RECVIF or IP_RECVSLLA or IPF_RECVADDR information
- * has been prepended to the packet by IP. We need to
- * extract the mblk and adjust the rptr
- */
- pinfo = (ip_pktinfo_t *)mp->b_rptr;
- options_mp = mp;
- mp = mp->b_cont;
- rptr = mp->b_rptr;
- UDP_STAT(us, udp_in_pktinfo);
- } else {
- /*
- * ICMP messages.
- */
- udp_icmp_error(connp, mp);
- return;
- }
- }
+ mutex_enter(&connp->conn_lock);
+ udp_ipv4_options_len = udp->udp_recv_ipp.ipp_ipv4_options_len;
+ recv_ancillary = connp->conn_recv_ancillary;
+ mutex_exit(&connp->conn_lock);
+
+ hdr_length = ira->ira_ip_hdr_length;
- mp_len = msgdsize(mp);
/*
- * This is the inbound data path.
- * First, we check to make sure the IP version number is correct,
- * and then pull the IP and UDP headers into the first mblk.
+ * IP inspected the UDP header thus all of it must be in the mblk.
+ * UDP length check is performed for IPv6 packets and IPv4 packets
+ * to check if the size of the packet as specified
+ * by the UDP header is the same as the length derived from the IP
+ * header.
*/
+ udpha = (udpha_t *)(rptr + hdr_length);
+ if (pkt_len != ntohs(udpha->uha_length) + hdr_length)
+ goto tossit;
- /* Initialize regardless if ipversion is IPv4 or IPv6 */
- ipp.ipp_fields = 0;
+ hdr_length += UDPH_SIZE;
+ ASSERT(MBLKL(mp) >= hdr_length); /* IP did a pullup */
- ipversion = IPH_HDR_VERSION(rptr);
+ /* Initialize regardless of IP version */
+ ipps.ipp_fields = 0;
- rw_enter(&udp->udp_rwlock, RW_READER);
- udp_ip_rcv_options_len = udp->udp_ip_rcv_options_len;
- udp_bits = udp->udp_bits;
- rw_exit(&udp->udp_rwlock);
+ if (((ira->ira_flags & IRAF_IPV4_OPTIONS) ||
+ udp_ipv4_options_len > 0) &&
+ connp->conn_family == AF_INET) {
+ int err;
- switch (ipversion) {
- case IPV4_VERSION:
- ASSERT(MBLKL(mp) >= sizeof (ipha_t));
- ASSERT(((ipha_t *)rptr)->ipha_protocol == IPPROTO_UDP);
- hdr_length = IPH_HDR_LENGTH(rptr) + UDPH_SIZE;
- opt_len = hdr_length - (IP_SIMPLE_HDR_LENGTH + UDPH_SIZE);
- if ((opt_len > 0 || udp_ip_rcv_options_len > 0) &&
- udp->udp_family == AF_INET) {
- /*
- * Record/update udp_ip_rcv_options with the lock
- * held. Not needed for AF_INET6 sockets
- * since they don't support a getsockopt of IP_OPTIONS.
- */
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- udp_save_ip_rcv_opt(udp, rptr + IP_SIMPLE_HDR_LENGTH,
- opt_len);
- rw_exit(&udp->udp_rwlock);
- }
- /* Handle IPV6_RECVPKTINFO even for IPv4 packet. */
- if ((udp->udp_family == AF_INET6) && (pinfo != NULL) &&
- udp->udp_ip_recvpktinfo) {
- if (pinfo->ip_pkt_flags & IPF_RECVIF) {
- ipp.ipp_fields |= IPPF_IFINDEX;
- ipp.ipp_ifindex = pinfo->ip_pkt_ifindex;
- }
- }
- break;
- case IPV6_VERSION:
/*
- * IPv6 packets can only be received by applications
- * that are prepared to receive IPv6 addresses.
- * The IP fanout must ensure this.
+ * Record/update udp_recv_ipp with the lock
+ * held. Not needed for AF_INET6 sockets
+ * since they don't support a getsockopt of IP_OPTIONS.
*/
- ASSERT(udp->udp_family == AF_INET6);
+ mutex_enter(&connp->conn_lock);
+ err = ip_find_hdr_v4((ipha_t *)rptr, &udp->udp_recv_ipp,
+ B_TRUE);
+ if (err != 0) {
+ /* Allocation failed. Drop packet */
+ mutex_exit(&connp->conn_lock);
+ freemsg(mp);
+ BUMP_MIB(&us->us_udp_mib, udpInErrors);
+ return;
+ }
+ mutex_exit(&connp->conn_lock);
+ }
- ip6h = (ip6_t *)rptr;
- ASSERT((uchar_t *)&ip6h[1] <= mp->b_wptr);
+ if (recv_ancillary.crb_all != 0) {
+ /*
+ * Record packet information in the ip_pkt_t
+ */
+ if (ira->ira_flags & IRAF_IS_IPV4) {
+ ASSERT(IPH_HDR_VERSION(rptr) == IPV4_VERSION);
+ ASSERT(MBLKL(mp) >= sizeof (ipha_t));
+ ASSERT(((ipha_t *)rptr)->ipha_protocol == IPPROTO_UDP);
+ ASSERT(ira->ira_ip_hdr_length == IPH_HDR_LENGTH(rptr));
- if (ip6h->ip6_nxt != IPPROTO_UDP) {
+ (void) ip_find_hdr_v4((ipha_t *)rptr, &ipps, B_FALSE);
+ } else {
uint8_t nexthdrp;
- /* Look for ifindex information */
- if (ip6h->ip6_nxt == IPPROTO_RAW) {
- ip6i = (ip6i_t *)ip6h;
- if ((uchar_t *)&ip6i[1] > mp->b_wptr)
- goto tossit;
-
- if (ip6i->ip6i_flags & IP6I_IFINDEX) {
- ASSERT(ip6i->ip6i_ifindex != 0);
- ipp.ipp_fields |= IPPF_IFINDEX;
- ipp.ipp_ifindex = ip6i->ip6i_ifindex;
- }
- rptr = (uchar_t *)&ip6i[1];
- mp->b_rptr = rptr;
- if (rptr == mp->b_wptr) {
- mp1 = mp->b_cont;
- freeb(mp);
- mp = mp1;
- rptr = mp->b_rptr;
- }
- if (MBLKL(mp) < (IPV6_HDR_LEN + UDPH_SIZE))
- goto tossit;
- ip6h = (ip6_t *)rptr;
- mp_len = msgdsize(mp);
- }
+
+ ASSERT(IPH_HDR_VERSION(rptr) == IPV6_VERSION);
/*
- * Find any potentially interesting extension headers
- * as well as the length of the IPv6 + extension
- * headers.
+ * IPv6 packets can only be received by applications
+ * that are prepared to receive IPv6 addresses.
+ * The IP fanout must ensure this.
*/
- hdr_length = ip_find_hdr_v6(mp, ip6h, &ipp, &nexthdrp) +
- UDPH_SIZE;
- ASSERT(nexthdrp == IPPROTO_UDP);
- } else {
- hdr_length = IPV6_HDR_LEN + UDPH_SIZE;
- ip6i = NULL;
- }
- break;
- default:
- ASSERT(0);
- }
+ ASSERT(connp->conn_family == AF_INET6);
- /*
- * IP inspected the UDP header thus all of it must be in the mblk.
- * UDP length check is performed for IPv6 packets and IPv4 packets
- * to check if the size of the packet as specified
- * by the header is the same as the physical size of the packet.
- * FIXME? Didn't IP already check this?
- */
- udpha = (udpha_t *)(rptr + (hdr_length - UDPH_SIZE));
- if ((MBLKL(mp) < hdr_length) ||
- (mp_len != (ntohs(udpha->uha_length) + hdr_length - UDPH_SIZE))) {
- goto tossit;
- }
+ ip6h = (ip6_t *)rptr;
-
- /* Walk past the headers unless UDP_RCVHDR was set. */
- if (!udp_bits.udpb_rcvhdr) {
- mp->b_rptr = rptr + hdr_length;
- mp_len -= hdr_length;
+ /* We don't care about the length, but need the ipp */
+ hdr_length = ip_find_hdr_v6(mp, ip6h, B_TRUE, &ipps,
+ &nexthdrp);
+ ASSERT(hdr_length == ira->ira_ip_hdr_length);
+ /* Restore */
+ hdr_length = ira->ira_ip_hdr_length + UDPH_SIZE;
+ ASSERT(nexthdrp == IPPROTO_UDP);
+ }
}
/*
* This is the inbound data path. Packets are passed upstream as
- * T_UNITDATA_IND messages with full IP headers still attached.
+ * T_UNITDATA_IND messages.
*/
- if (udp->udp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
sin_t *sin;
ASSERT(IPH_HDR_VERSION((ipha_t *)rptr) == IPV4_VERSION);
/*
* Normally only send up the source address.
- * If IP_RECVDSTADDR is set we include the destination IP
- * address as an option. With IP_RECVOPTS we include all
- * the IP options.
+ * If any ancillary data items are wanted we add those.
*/
udi_size = sizeof (struct T_unitdata_ind) + sizeof (sin_t);
- if (udp_bits.udpb_recvdstaddr) {
- udi_size += sizeof (struct T_opthdr) +
- sizeof (struct in_addr);
- UDP_STAT(us, udp_in_recvdstaddr);
- }
-
- if (udp_bits.udpb_ip_recvpktinfo && (pinfo != NULL) &&
- (pinfo->ip_pkt_flags & IPF_RECVADDR)) {
- udi_size += sizeof (struct T_opthdr) +
- sizeof (struct in_pktinfo);
- UDP_STAT(us, udp_ip_rcvpktinfo);
- }
-
- if ((udp_bits.udpb_recvopts) && opt_len > 0) {
- udi_size += sizeof (struct T_opthdr) + opt_len;
- UDP_STAT(us, udp_in_recvopts);
- }
-
- /*
- * If the IP_RECVSLLA or the IP_RECVIF is set then allocate
- * space accordingly
- */
- if ((udp_bits.udpb_recvif) && (pinfo != NULL) &&
- (pinfo->ip_pkt_flags & IPF_RECVIF)) {
- udi_size += sizeof (struct T_opthdr) + sizeof (uint_t);
- UDP_STAT(us, udp_in_recvif);
- }
-
- if ((udp_bits.udpb_recvslla) && (pinfo != NULL) &&
- (pinfo->ip_pkt_flags & IPF_RECVSLLA)) {
- udi_size += sizeof (struct T_opthdr) +
- sizeof (struct sockaddr_dl);
- UDP_STAT(us, udp_in_recvslla);
- }
-
- if ((udp_bits.udpb_recvucred) &&
- (cr = msg_getcred(mp, &cpid)) != NULL) {
- udi_size += sizeof (struct T_opthdr) + ucredsize;
- UDP_STAT(us, udp_in_recvucred);
- }
-
- /*
- * If SO_TIMESTAMP is set allocate the appropriate sized
- * buffer. Since gethrestime() expects a pointer aligned
- * argument, we allocate space necessary for extra
- * alignment (even though it might not be used).
- */
- if (udp_bits.udpb_timestamp) {
- udi_size += sizeof (struct T_opthdr) +
- sizeof (timestruc_t) + _POINTER_ALIGNMENT;
- UDP_STAT(us, udp_in_timestamp);
- }
-
- /*
- * If IP_RECVTTL is set allocate the appropriate sized buffer
- */
- if (udp_bits.udpb_recvttl) {
- udi_size += sizeof (struct T_opthdr) + sizeof (uint8_t);
- UDP_STAT(us, udp_in_recvttl);
+ if (recv_ancillary.crb_all != 0) {
+ udi_size += conn_recvancillary_size(connp,
+ recv_ancillary, ira, mp, &ipps);
}
/* Allocate a message block for the T_UNITDATA_IND structure. */
mp1 = allocb(udi_size, BPRI_MED);
if (mp1 == NULL) {
freemsg(mp);
- if (options_mp != NULL)
- freeb(options_mp);
BUMP_MIB(&us->us_udp_mib, udpInErrors);
return;
}
mp1->b_cont = mp;
- mp = mp1;
- mp->b_datap->db_type = M_PROTO;
- tudi = (struct T_unitdata_ind *)mp->b_rptr;
- mp->b_wptr = (uchar_t *)tudi + udi_size;
+ mp1->b_datap->db_type = M_PROTO;
+ tudi = (struct T_unitdata_ind *)mp1->b_rptr;
+ mp1->b_wptr = (uchar_t *)tudi + udi_size;
tudi->PRIM_type = T_UNITDATA_IND;
tudi->SRC_length = sizeof (sin_t);
tudi->SRC_offset = sizeof (struct T_unitdata_ind);
@@ -3786,7 +2539,7 @@ udp_input(void *arg1, mblk_t *mp, void *arg2)
sin = (sin_t *)&tudi[1];
sin->sin_addr.s_addr = ((ipha_t *)rptr)->ipha_src;
sin->sin_port = udpha->uha_src_port;
- sin->sin_family = udp->udp_family;
+ sin->sin_family = connp->conn_family;
*(uint32_t *)&sin->sin_zero[0] = 0;
*(uint32_t *)&sin->sin_zero[4] = 0;
@@ -3795,166 +2548,8 @@ udp_input(void *arg1, mblk_t *mp, void *arg2)
* IP_RECVTTL has been set.
*/
if (udi_size != 0) {
- /*
- * Copy in destination address before options to avoid
- * any padding issues.
- */
- char *dstopt;
-
- dstopt = (char *)&sin[1];
- if (udp_bits.udpb_recvdstaddr) {
- struct T_opthdr *toh;
- ipaddr_t *dstptr;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IP;
- toh->name = IP_RECVDSTADDR;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (ipaddr_t);
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- dstptr = (ipaddr_t *)dstopt;
- *dstptr = ((ipha_t *)rptr)->ipha_dst;
- dstopt += sizeof (ipaddr_t);
- udi_size -= toh->len;
- }
-
- if (udp_bits.udpb_recvopts && opt_len > 0) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IP;
- toh->name = IP_RECVOPTS;
- toh->len = sizeof (struct T_opthdr) + opt_len;
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- bcopy(rptr + IP_SIMPLE_HDR_LENGTH, dstopt,
- opt_len);
- dstopt += opt_len;
- udi_size -= toh->len;
- }
-
- if ((udp_bits.udpb_ip_recvpktinfo) && (pinfo != NULL) &&
- (pinfo->ip_pkt_flags & IPF_RECVADDR)) {
- struct T_opthdr *toh;
- struct in_pktinfo *pktinfop;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IP;
- toh->name = IP_PKTINFO;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (*pktinfop);
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- pktinfop = (struct in_pktinfo *)dstopt;
- pktinfop->ipi_ifindex = pinfo->ip_pkt_ifindex;
- pktinfop->ipi_spec_dst =
- pinfo->ip_pkt_match_addr;
- pktinfop->ipi_addr.s_addr =
- ((ipha_t *)rptr)->ipha_dst;
-
- dstopt += sizeof (struct in_pktinfo);
- udi_size -= toh->len;
- }
-
- if ((udp_bits.udpb_recvslla) && (pinfo != NULL) &&
- (pinfo->ip_pkt_flags & IPF_RECVSLLA)) {
-
- struct T_opthdr *toh;
- struct sockaddr_dl *dstptr;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IP;
- toh->name = IP_RECVSLLA;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (struct sockaddr_dl);
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- dstptr = (struct sockaddr_dl *)dstopt;
- bcopy(&pinfo->ip_pkt_slla, dstptr,
- sizeof (struct sockaddr_dl));
- dstopt += sizeof (struct sockaddr_dl);
- udi_size -= toh->len;
- }
-
- if ((udp_bits.udpb_recvif) && (pinfo != NULL) &&
- (pinfo->ip_pkt_flags & IPF_RECVIF)) {
-
- struct T_opthdr *toh;
- uint_t *dstptr;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IP;
- toh->name = IP_RECVIF;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (uint_t);
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- dstptr = (uint_t *)dstopt;
- *dstptr = pinfo->ip_pkt_ifindex;
- dstopt += sizeof (uint_t);
- udi_size -= toh->len;
- }
-
- if (cr != NULL) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = SOL_SOCKET;
- toh->name = SCM_UCRED;
- toh->len = sizeof (struct T_opthdr) + ucredsize;
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- (void) cred2ucred(cr, cpid, dstopt, rcr);
- dstopt += ucredsize;
- udi_size -= toh->len;
- }
-
- if (udp_bits.udpb_timestamp) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = SOL_SOCKET;
- toh->name = SCM_TIMESTAMP;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (timestruc_t) + _POINTER_ALIGNMENT;
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- /* Align for gethrestime() */
- dstopt = (char *)P2ROUNDUP((intptr_t)dstopt,
- sizeof (intptr_t));
- gethrestime((timestruc_t *)dstopt);
- dstopt = (char *)toh + toh->len;
- udi_size -= toh->len;
- }
-
- /*
- * CAUTION:
- * Due to aligment issues
- * Processing of IP_RECVTTL option
- * should always be the last. Adding
- * any option processing after this will
- * cause alignment panic.
- */
- if (udp_bits.udpb_recvttl) {
- struct T_opthdr *toh;
- uint8_t *dstptr;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IP;
- toh->name = IP_RECVTTL;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (uint8_t);
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- dstptr = (uint8_t *)dstopt;
- *dstptr = ((ipha_t *)rptr)->ipha_ttl;
- dstopt += sizeof (uint8_t);
- udi_size -= toh->len;
- }
-
- /* Consumed all of allocated space */
- ASSERT(udi_size == 0);
+ conn_recvancillary_add(connp, recv_ancillary, ira,
+ &ipps, (uchar_t *)&sin[1], udi_size);
}
} else {
sin6_t *sin6;
@@ -3968,89 +2563,21 @@ udp_input(void *arg1, mblk_t *mp, void *arg2)
*/
udi_size = sizeof (struct T_unitdata_ind) + sizeof (sin6_t);
- if (ipp.ipp_fields & (IPPF_HOPOPTS|IPPF_DSTOPTS|IPPF_RTDSTOPTS|
- IPPF_RTHDR|IPPF_IFINDEX)) {
- if ((udp_bits.udpb_ipv6_recvhopopts) &&
- (ipp.ipp_fields & IPPF_HOPOPTS)) {
- size_t hlen;
-
- UDP_STAT(us, udp_in_recvhopopts);
- hlen = copy_hop_opts(&ipp, NULL);
- if (hlen == 0)
- ipp.ipp_fields &= ~IPPF_HOPOPTS;
- udi_size += hlen;
- }
- if (((udp_bits.udpb_ipv6_recvdstopts) ||
- udp_bits.udpb_old_ipv6_recvdstopts) &&
- (ipp.ipp_fields & IPPF_DSTOPTS)) {
- udi_size += sizeof (struct T_opthdr) +
- ipp.ipp_dstoptslen;
- UDP_STAT(us, udp_in_recvdstopts);
- }
- if ((((udp_bits.udpb_ipv6_recvdstopts) &&
- udp_bits.udpb_ipv6_recvrthdr &&
- (ipp.ipp_fields & IPPF_RTHDR)) ||
- (udp_bits.udpb_ipv6_recvrthdrdstopts)) &&
- (ipp.ipp_fields & IPPF_RTDSTOPTS)) {
- udi_size += sizeof (struct T_opthdr) +
- ipp.ipp_rtdstoptslen;
- UDP_STAT(us, udp_in_recvrtdstopts);
- }
- if ((udp_bits.udpb_ipv6_recvrthdr) &&
- (ipp.ipp_fields & IPPF_RTHDR)) {
- udi_size += sizeof (struct T_opthdr) +
- ipp.ipp_rthdrlen;
- UDP_STAT(us, udp_in_recvrthdr);
- }
- if ((udp_bits.udpb_ip_recvpktinfo) &&
- (ipp.ipp_fields & IPPF_IFINDEX)) {
- udi_size += sizeof (struct T_opthdr) +
- sizeof (struct in6_pktinfo);
- UDP_STAT(us, udp_in_recvpktinfo);
- }
-
- }
- if ((udp_bits.udpb_recvucred) &&
- (cr = msg_getcred(mp, &cpid)) != NULL) {
- udi_size += sizeof (struct T_opthdr) + ucredsize;
- UDP_STAT(us, udp_in_recvucred);
- }
-
- /*
- * If SO_TIMESTAMP is set allocate the appropriate sized
- * buffer. Since gethrestime() expects a pointer aligned
- * argument, we allocate space necessary for extra
- * alignment (even though it might not be used).
- */
- if (udp_bits.udpb_timestamp) {
- udi_size += sizeof (struct T_opthdr) +
- sizeof (timestruc_t) + _POINTER_ALIGNMENT;
- UDP_STAT(us, udp_in_timestamp);
- }
-
- if (udp_bits.udpb_ipv6_recvhoplimit) {
- udi_size += sizeof (struct T_opthdr) + sizeof (int);
- UDP_STAT(us, udp_in_recvhoplimit);
- }
-
- if (udp_bits.udpb_ipv6_recvtclass) {
- udi_size += sizeof (struct T_opthdr) + sizeof (int);
- UDP_STAT(us, udp_in_recvtclass);
+ if (recv_ancillary.crb_all != 0) {
+ udi_size += conn_recvancillary_size(connp,
+ recv_ancillary, ira, mp, &ipps);
}
mp1 = allocb(udi_size, BPRI_MED);
if (mp1 == NULL) {
freemsg(mp);
- if (options_mp != NULL)
- freeb(options_mp);
BUMP_MIB(&us->us_udp_mib, udpInErrors);
return;
}
mp1->b_cont = mp;
- mp = mp1;
- mp->b_datap->db_type = M_PROTO;
- tudi = (struct T_unitdata_ind *)mp->b_rptr;
- mp->b_wptr = (uchar_t *)tudi + udi_size;
+ mp1->b_datap->db_type = M_PROTO;
+ tudi = (struct T_unitdata_ind *)mp1->b_rptr;
+ mp1->b_wptr = (uchar_t *)tudi + udi_size;
tudi->PRIM_type = T_UNITDATA_IND;
tudi->SRC_length = sizeof (sin6_t);
tudi->SRC_offset = sizeof (struct T_unitdata_ind);
@@ -4059,7 +2586,7 @@ udp_input(void *arg1, mblk_t *mp, void *arg2)
udi_size -= (sizeof (struct T_unitdata_ind) + sizeof (sin6_t));
tudi->OPT_length = udi_size;
sin6 = (sin6_t *)&tudi[1];
- if (ipversion == IPV4_VERSION) {
+ if (ira->ira_flags & IRAF_IS_IPV4) {
in6_addr_t v6dst;
IN6_IPADDR_TO_V4MAPPED(((ipha_t *)rptr)->ipha_src,
@@ -4069,196 +2596,43 @@ udp_input(void *arg1, mblk_t *mp, void *arg2)
sin6->sin6_flowinfo = 0;
sin6->sin6_scope_id = 0;
sin6->__sin6_src_id = ip_srcid_find_addr(&v6dst,
- connp->conn_zoneid, us->us_netstack);
+ IPCL_ZONEID(connp), us->us_netstack);
} else {
+ ip6h = (ip6_t *)rptr;
+
sin6->sin6_addr = ip6h->ip6_src;
/* No sin6_flowinfo per API */
sin6->sin6_flowinfo = 0;
- /* For link-scope source pass up scope id */
- if ((ipp.ipp_fields & IPPF_IFINDEX) &&
- IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_src))
- sin6->sin6_scope_id = ipp.ipp_ifindex;
+ /* For link-scope pass up scope id */
+ if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_src))
+ sin6->sin6_scope_id = ira->ira_ruifindex;
else
sin6->sin6_scope_id = 0;
sin6->__sin6_src_id = ip_srcid_find_addr(
- &ip6h->ip6_dst, connp->conn_zoneid,
+ &ip6h->ip6_dst, IPCL_ZONEID(connp),
us->us_netstack);
}
sin6->sin6_port = udpha->uha_src_port;
- sin6->sin6_family = udp->udp_family;
+ sin6->sin6_family = connp->conn_family;
if (udi_size != 0) {
- uchar_t *dstopt;
-
- dstopt = (uchar_t *)&sin6[1];
- if ((udp_bits.udpb_ip_recvpktinfo) &&
- (ipp.ipp_fields & IPPF_IFINDEX)) {
- struct T_opthdr *toh;
- struct in6_pktinfo *pkti;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IPV6;
- toh->name = IPV6_PKTINFO;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (*pkti);
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- pkti = (struct in6_pktinfo *)dstopt;
- if (ipversion == IPV6_VERSION)
- pkti->ipi6_addr = ip6h->ip6_dst;
- else
- IN6_IPADDR_TO_V4MAPPED(
- ((ipha_t *)rptr)->ipha_dst,
- &pkti->ipi6_addr);
- pkti->ipi6_ifindex = ipp.ipp_ifindex;
- dstopt += sizeof (*pkti);
- udi_size -= toh->len;
- }
- if (udp_bits.udpb_ipv6_recvhoplimit) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IPV6;
- toh->name = IPV6_HOPLIMIT;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (uint_t);
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- if (ipversion == IPV6_VERSION)
- *(uint_t *)dstopt = ip6h->ip6_hops;
- else
- *(uint_t *)dstopt =
- ((ipha_t *)rptr)->ipha_ttl;
- dstopt += sizeof (uint_t);
- udi_size -= toh->len;
- }
- if (udp_bits.udpb_ipv6_recvtclass) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IPV6;
- toh->name = IPV6_TCLASS;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (uint_t);
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- if (ipversion == IPV6_VERSION) {
- *(uint_t *)dstopt =
- IPV6_FLOW_TCLASS(ip6h->ip6_flow);
- } else {
- ipha_t *ipha = (ipha_t *)rptr;
- *(uint_t *)dstopt =
- ipha->ipha_type_of_service;
- }
- dstopt += sizeof (uint_t);
- udi_size -= toh->len;
- }
- if ((udp_bits.udpb_ipv6_recvhopopts) &&
- (ipp.ipp_fields & IPPF_HOPOPTS)) {
- size_t hlen;
-
- hlen = copy_hop_opts(&ipp, dstopt);
- dstopt += hlen;
- udi_size -= hlen;
- }
- if ((udp_bits.udpb_ipv6_recvdstopts) &&
- (udp_bits.udpb_ipv6_recvrthdr) &&
- (ipp.ipp_fields & IPPF_RTHDR) &&
- (ipp.ipp_fields & IPPF_RTDSTOPTS)) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IPV6;
- toh->name = IPV6_DSTOPTS;
- toh->len = sizeof (struct T_opthdr) +
- ipp.ipp_rtdstoptslen;
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- bcopy(ipp.ipp_rtdstopts, dstopt,
- ipp.ipp_rtdstoptslen);
- dstopt += ipp.ipp_rtdstoptslen;
- udi_size -= toh->len;
- }
- if ((udp_bits.udpb_ipv6_recvrthdr) &&
- (ipp.ipp_fields & IPPF_RTHDR)) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IPV6;
- toh->name = IPV6_RTHDR;
- toh->len = sizeof (struct T_opthdr) +
- ipp.ipp_rthdrlen;
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- bcopy(ipp.ipp_rthdr, dstopt, ipp.ipp_rthdrlen);
- dstopt += ipp.ipp_rthdrlen;
- udi_size -= toh->len;
- }
- if ((udp_bits.udpb_ipv6_recvdstopts) &&
- (ipp.ipp_fields & IPPF_DSTOPTS)) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = IPPROTO_IPV6;
- toh->name = IPV6_DSTOPTS;
- toh->len = sizeof (struct T_opthdr) +
- ipp.ipp_dstoptslen;
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- bcopy(ipp.ipp_dstopts, dstopt,
- ipp.ipp_dstoptslen);
- dstopt += ipp.ipp_dstoptslen;
- udi_size -= toh->len;
- }
- if (cr != NULL) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = SOL_SOCKET;
- toh->name = SCM_UCRED;
- toh->len = sizeof (struct T_opthdr) + ucredsize;
- toh->status = 0;
- (void) cred2ucred(cr, cpid, &toh[1], rcr);
- dstopt += toh->len;
- udi_size -= toh->len;
- }
- if (udp_bits.udpb_timestamp) {
- struct T_opthdr *toh;
-
- toh = (struct T_opthdr *)dstopt;
- toh->level = SOL_SOCKET;
- toh->name = SCM_TIMESTAMP;
- toh->len = sizeof (struct T_opthdr) +
- sizeof (timestruc_t) + _POINTER_ALIGNMENT;
- toh->status = 0;
- dstopt += sizeof (struct T_opthdr);
- /* Align for gethrestime() */
- dstopt = (uchar_t *)P2ROUNDUP((intptr_t)dstopt,
- sizeof (intptr_t));
- gethrestime((timestruc_t *)dstopt);
- dstopt = (uchar_t *)toh + toh->len;
- udi_size -= toh->len;
- }
-
- /* Consumed all of allocated space */
- ASSERT(udi_size == 0);
+ conn_recvancillary_add(connp, recv_ancillary, ira,
+ &ipps, (uchar_t *)&sin6[1], udi_size);
}
-#undef sin6
- /* No IP_RECVDSTADDR for IPv6. */
}
- BUMP_MIB(&us->us_udp_mib, udpHCInDatagrams);
- if (options_mp != NULL)
- freeb(options_mp);
-
- udp_ulp_recv(connp, mp);
+ /* Walk past the headers unless IP_RECVHDR was set. */
+ if (!udp->udp_rcvhdr) {
+ mp->b_rptr = rptr + hdr_length;
+ pkt_len -= hdr_length;
+ }
+ BUMP_MIB(&us->us_udp_mib, udpHCInDatagrams);
+ udp_ulp_recv(connp, mp1, pkt_len, ira);
return;
tossit:
freemsg(mp);
- if (options_mp != NULL)
- freeb(options_mp);
BUMP_MIB(&us->us_udp_mib, udpInErrors);
}
@@ -4386,23 +2760,34 @@ udp_snmp_get(queue_t *q, mblk_t *mpctl)
needattr = B_TRUE;
break;
}
+ mutex_enter(&connp->conn_lock);
+ if (udp->udp_state == TS_DATA_XFER &&
+ connp->conn_ixa->ixa_tsl != NULL) {
+ ts_label_t *tsl;
+
+ tsl = connp->conn_ixa->ixa_tsl;
+ mlp.tme_flags |= MIB2_TMEF_IS_LABELED;
+ mlp.tme_doi = label2doi(tsl);
+ mlp.tme_label = *label2bslabel(tsl);
+ needattr = B_TRUE;
+ }
+ mutex_exit(&connp->conn_lock);
/*
* Create an IPv4 table entry for IPv4 entries and also
* any IPv6 entries which are bound to in6addr_any
* (i.e. anything a IPv4 peer could connect/send to).
*/
- if (udp->udp_ipversion == IPV4_VERSION ||
+ if (connp->conn_ipversion == IPV4_VERSION ||
(udp->udp_state <= TS_IDLE &&
- IN6_IS_ADDR_UNSPECIFIED(&udp->udp_v6src))) {
+ IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6))) {
ude.udpEntryInfo.ue_state = state;
/*
* If in6addr_any this will set it to
* INADDR_ANY
*/
- ude.udpLocalAddress =
- V4_PART_OF_V6(udp->udp_v6src);
- ude.udpLocalPort = ntohs(udp->udp_port);
+ ude.udpLocalAddress = connp->conn_laddr_v4;
+ ude.udpLocalPort = ntohs(connp->conn_lport);
if (udp->udp_state == TS_DATA_XFER) {
/*
* Can potentially get here for
@@ -4414,9 +2799,9 @@ udp_snmp_get(queue_t *q, mblk_t *mpctl)
* this part of the code.
*/
ude.udpEntryInfo.ue_RemoteAddress =
- V4_PART_OF_V6(udp->udp_v6dst);
+ connp->conn_faddr_v4;
ude.udpEntryInfo.ue_RemotePort =
- ntohs(udp->udp_dstport);
+ ntohs(connp->conn_fport);
} else {
ude.udpEntryInfo.ue_RemoteAddress = 0;
ude.udpEntryInfo.ue_RemotePort = 0;
@@ -4429,10 +2814,10 @@ udp_snmp_get(queue_t *q, mblk_t *mpctl)
*/
ude.udpInstance = (uint32_t)(uintptr_t)udp;
ude.udpCreationProcess =
- (udp->udp_open_pid < 0) ?
+ (connp->conn_cpid < 0) ?
MIB2_UNKNOWN_PROCESS :
- udp->udp_open_pid;
- ude.udpCreationTime = udp->udp_open_time;
+ connp->conn_cpid;
+ ude.udpCreationTime = connp->conn_open_time;
(void) snmp_append_data2(mp_conn_ctl->b_cont,
&mp_conn_tail, (char *)&ude, sizeof (ude));
@@ -4442,16 +2827,24 @@ udp_snmp_get(queue_t *q, mblk_t *mpctl)
mp_attr_ctl->b_cont, &mp_attr_tail,
(char *)&mlp, sizeof (mlp));
}
- if (udp->udp_ipversion == IPV6_VERSION) {
+ if (connp->conn_ipversion == IPV6_VERSION) {
ude6.udp6EntryInfo.ue_state = state;
- ude6.udp6LocalAddress = udp->udp_v6src;
- ude6.udp6LocalPort = ntohs(udp->udp_port);
- ude6.udp6IfIndex = udp->udp_bound_if;
+ ude6.udp6LocalAddress = connp->conn_laddr_v6;
+ ude6.udp6LocalPort = ntohs(connp->conn_lport);
+ mutex_enter(&connp->conn_lock);
+ if (connp->conn_ixa->ixa_flags &
+ IXAF_SCOPEID_SET) {
+ ude6.udp6IfIndex =
+ connp->conn_ixa->ixa_scopeid;
+ } else {
+ ude6.udp6IfIndex = connp->conn_bound_if;
+ }
+ mutex_exit(&connp->conn_lock);
if (udp->udp_state == TS_DATA_XFER) {
ude6.udp6EntryInfo.ue_RemoteAddress =
- udp->udp_v6dst;
+ connp->conn_faddr_v6;
ude6.udp6EntryInfo.ue_RemotePort =
- ntohs(udp->udp_dstport);
+ ntohs(connp->conn_fport);
} else {
ude6.udp6EntryInfo.ue_RemoteAddress =
sin6_null.sin6_addr;
@@ -4464,10 +2857,10 @@ udp_snmp_get(queue_t *q, mblk_t *mpctl)
*/
ude6.udp6Instance = (uint32_t)(uintptr_t)udp;
ude6.udp6CreationProcess =
- (udp->udp_open_pid < 0) ?
+ (connp->conn_cpid < 0) ?
MIB2_UNKNOWN_PROCESS :
- udp->udp_open_pid;
- ude6.udp6CreationTime = udp->udp_open_time;
+ connp->conn_cpid;
+ ude6.udp6CreationTime = connp->conn_open_time;
(void) snmp_append_data2(mp6_conn_ctl->b_cont,
&mp6_conn_tail, (char *)&ude6,
@@ -4548,39 +2941,34 @@ udp_snmp_set(queue_t *q, t_scalar_t level, t_scalar_t name,
* passed in mp. This message is freed.
*/
static void
-udp_ud_err(queue_t *q, mblk_t *mp, uchar_t *destaddr, t_scalar_t destlen,
- t_scalar_t err)
+udp_ud_err(queue_t *q, mblk_t *mp, t_scalar_t err)
{
struct T_unitdata_req *tudr;
mblk_t *mp1;
+ uchar_t *destaddr;
+ t_scalar_t destlen;
uchar_t *optaddr;
t_scalar_t optlen;
- if (DB_TYPE(mp) == M_DATA) {
- ASSERT(destaddr != NULL && destlen != 0);
- optaddr = NULL;
- optlen = 0;
- } else {
- if ((mp->b_wptr < mp->b_rptr) ||
- (MBLKL(mp)) < sizeof (struct T_unitdata_req)) {
- goto done;
- }
- tudr = (struct T_unitdata_req *)mp->b_rptr;
- destaddr = mp->b_rptr + tudr->DEST_offset;
- if (destaddr < mp->b_rptr || destaddr >= mp->b_wptr ||
- destaddr + tudr->DEST_length < mp->b_rptr ||
- destaddr + tudr->DEST_length > mp->b_wptr) {
- goto done;
- }
- optaddr = mp->b_rptr + tudr->OPT_offset;
- if (optaddr < mp->b_rptr || optaddr >= mp->b_wptr ||
- optaddr + tudr->OPT_length < mp->b_rptr ||
- optaddr + tudr->OPT_length > mp->b_wptr) {
- goto done;
- }
- destlen = tudr->DEST_length;
- optlen = tudr->OPT_length;
+ if ((mp->b_wptr < mp->b_rptr) ||
+ (MBLKL(mp)) < sizeof (struct T_unitdata_req)) {
+ goto done;
}
+ tudr = (struct T_unitdata_req *)mp->b_rptr;
+ destaddr = mp->b_rptr + tudr->DEST_offset;
+ if (destaddr < mp->b_rptr || destaddr >= mp->b_wptr ||
+ destaddr + tudr->DEST_length < mp->b_rptr ||
+ destaddr + tudr->DEST_length > mp->b_wptr) {
+ goto done;
+ }
+ optaddr = mp->b_rptr + tudr->OPT_offset;
+ if (optaddr < mp->b_rptr || optaddr >= mp->b_wptr ||
+ optaddr + tudr->OPT_length < mp->b_rptr ||
+ optaddr + tudr->OPT_length > mp->b_wptr) {
+ goto done;
+ }
+ destlen = tudr->DEST_length;
+ optlen = tudr->OPT_length;
mp1 = mi_tpi_uderror_ind((char *)destaddr, destlen,
(char *)optaddr, optlen, err);
@@ -4685,1093 +3073,721 @@ retry:
return (port);
}
+/*
+ * Handle T_UNITDATA_REQ with options. Both IPv4 and IPv6
+ * Either tudr_mp or msg is set. If tudr_mp we take ancillary data from
+ * the TPI options, otherwise we take them from msg_control.
+ * If both sin and sin6 is set it is a connected socket and we use conn_faddr.
+ * Always consumes mp; never consumes tudr_mp.
+ */
static int
-udp_update_label(queue_t *wq, mblk_t *mp, ipaddr_t dst)
+udp_output_ancillary(conn_t *connp, sin_t *sin, sin6_t *sin6, mblk_t *mp,
+ mblk_t *tudr_mp, struct nmsghdr *msg, cred_t *cr, pid_t pid)
{
- int err;
- cred_t *cred;
- cred_t *orig_cred = NULL;
- cred_t *effective_cred = NULL;
- uchar_t opt_storage[IP_MAX_OPT_LENGTH];
- udp_t *udp = Q_TO_UDP(wq);
+ udp_t *udp = connp->conn_udp;
udp_stack_t *us = udp->udp_us;
+ int error;
+ ip_xmit_attr_t *ixa;
+ ip_pkt_t *ipp;
+ in6_addr_t v6src;
+ in6_addr_t v6dst;
+ in6_addr_t v6nexthop;
+ in_port_t dstport;
+ uint32_t flowinfo;
+ uint_t srcid;
+ int is_absreq_failure = 0;
+ conn_opt_arg_t coas, *coa;
- /*
- * All Solaris components should pass a db_credp
- * for this message, hence we ASSERT.
- * On production kernels we return an error to be robust against
- * random streams modules sitting on top of us.
- */
- cred = orig_cred = msg_getcred(mp, NULL);
- ASSERT(cred != NULL);
- if (cred == NULL)
- return (EINVAL);
+ ASSERT(tudr_mp != NULL || msg != NULL);
/*
- * Verify the destination is allowed to receive packets at
- * the security label of the message data. tsol_check_dest()
- * may create a new effective cred for this message with a
- * modified label or label flags. Note that we use the cred/label
- * from the message to handle MLP
+ * Get ixa before checking state to handle a disconnect race.
+ *
+ * We need an exclusive copy of conn_ixa since the ancillary data
+ * options might modify it. That copy has no pointers hence we
+ * need to set them up once we've parsed the ancillary data.
*/
- if ((err = tsol_check_dest(cred, &dst, IPV4_VERSION,
- udp->udp_connp->conn_mac_mode, &effective_cred)) != 0)
- goto done;
- if (effective_cred != NULL)
- cred = effective_cred;
+ ixa = conn_get_ixa_exclusive(connp);
+ if (ixa == NULL) {
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ freemsg(mp);
+ return (ENOMEM);
+ }
+ ASSERT(cr != NULL);
+ ixa->ixa_cred = cr;
+ ixa->ixa_cpid = pid;
+ if (is_system_labeled()) {
+ /* We need to restart with a label based on the cred */
+ ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
+ }
- /*
- * Calculate the security label to be placed in the text
- * of the message (if any).
- */
- if ((err = tsol_compute_label(cred, dst, opt_storage,
- us->us_netstack->netstack_ip)) != 0)
- goto done;
+ /* In case previous destination was multicast or multirt */
+ ip_attr_newdst(ixa);
- /*
- * Insert the security label in the cached ip options,
- * removing any old label that may exist.
- */
- if ((err = tsol_update_options(&udp->udp_ip_snd_options,
- &udp->udp_ip_snd_options_len, &udp->udp_label_len,
- opt_storage)) != 0)
+ /* Get a copy of conn_xmit_ipp since the options might change it */
+ ipp = kmem_zalloc(sizeof (*ipp), KM_NOSLEEP);
+ if (ipp == NULL) {
+ ixa_refrele(ixa);
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ freemsg(mp);
+ return (ENOMEM);
+ }
+ mutex_enter(&connp->conn_lock);
+ error = ip_pkt_copy(&connp->conn_xmit_ipp, ipp, KM_NOSLEEP);
+ mutex_exit(&connp->conn_lock);
+ if (error != 0) {
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ freemsg(mp);
goto done;
+ }
/*
- * Save the destination address and creds we used to
- * generate the security label text.
+ * Parse the options and update ixa and ipp as a result.
+ * Note that ixa_tsl can be updated if SCM_UCRED.
+ * ixa_refrele/ixa_inactivate will release any reference on ixa_tsl.
*/
- if (cred != udp->udp_effective_cred) {
- if (udp->udp_effective_cred != NULL)
- crfree(udp->udp_effective_cred);
- crhold(cred);
- udp->udp_effective_cred = cred;
- }
- if (orig_cred != udp->udp_last_cred) {
- if (udp->udp_last_cred != NULL)
- crfree(udp->udp_last_cred);
- crhold(orig_cred);
- udp->udp_last_cred = orig_cred;
- }
-done:
- if (effective_cred != NULL)
- crfree(effective_cred);
- if (err != 0) {
- DTRACE_PROBE4(
- tx__ip__log__info__updatelabel__udp,
- char *, "queue(1) failed to update options(2) on mp(3)",
- queue_t *, wq, char *, opt_storage, mblk_t *, mp);
- }
- return (err);
-}
+ coa = &coas;
+ coa->coa_connp = connp;
+ coa->coa_ixa = ixa;
+ coa->coa_ipp = ipp;
+ coa->coa_ancillary = B_TRUE;
+ coa->coa_changed = 0;
-static mblk_t *
-udp_output_v4(conn_t *connp, mblk_t *mp, ipaddr_t v4dst, uint16_t port,
- uint_t srcid, int *error, boolean_t insert_spi, struct nmsghdr *msg,
- cred_t *cr, pid_t pid)
-{
- udp_t *udp = connp->conn_udp;
- mblk_t *mp1 = mp;
- mblk_t *mp2;
- ipha_t *ipha;
- int ip_hdr_length;
- uint32_t ip_len;
- udpha_t *udpha;
- boolean_t lock_held = B_FALSE;
- in_port_t uha_src_port;
- udpattrs_t attrs;
- uchar_t ip_snd_opt[IP_MAX_OPT_LENGTH];
- uint32_t ip_snd_opt_len = 0;
- ip4_pkt_t pktinfo;
- ip4_pkt_t *pktinfop = &pktinfo;
- ip_opt_info_t optinfo;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
- udp_stack_t *us = udp->udp_us;
- ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
- queue_t *q = connp->conn_wq;
- ire_t *ire;
- in6_addr_t v6dst;
- boolean_t update_lastdst = B_FALSE;
-
- *error = 0;
- pktinfop->ip4_ill_index = 0;
- pktinfop->ip4_addr = INADDR_ANY;
- optinfo.ip_opt_flags = 0;
- optinfo.ip_opt_ill_index = 0;
+ if (msg != NULL) {
+ error = process_auxiliary_options(connp, msg->msg_control,
+ msg->msg_controllen, coa, &udp_opt_obj, udp_opt_set, cr);
+ } else {
+ struct T_unitdata_req *tudr;
- if (v4dst == INADDR_ANY)
- v4dst = htonl(INADDR_LOOPBACK);
+ tudr = (struct T_unitdata_req *)tudr_mp->b_rptr;
+ ASSERT(tudr->PRIM_type == T_UNITDATA_REQ);
+ error = tpi_optcom_buf(connp->conn_wq, tudr_mp,
+ &tudr->OPT_length, tudr->OPT_offset, cr, &udp_opt_obj,
+ coa, &is_absreq_failure);
+ }
+ if (error != 0) {
+ /*
+ * Note: No special action needed in this
+ * module for "is_absreq_failure"
+ */
+ freemsg(mp);
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ goto done;
+ }
+ ASSERT(is_absreq_failure == 0);
+ mutex_enter(&connp->conn_lock);
/*
- * If options passed in, feed it for verification and handling
+ * If laddr is unspecified then we look at sin6_src_id.
+ * We will give precedence to a source address set with IPV6_PKTINFO
+ * (aka IPPF_ADDR) but that is handled in build_hdrs. However, we don't
+ * want ip_attr_connect to select a source (since it can fail) when
+ * IPV6_PKTINFO is specified.
+ * If this doesn't result in a source address then we get a source
+ * from ip_attr_connect() below.
*/
- attrs.udpattr_credset = B_FALSE;
- if (IPCL_IS_NONSTR(connp)) {
- if (msg->msg_controllen != 0) {
- attrs.udpattr_ipp4 = pktinfop;
- attrs.udpattr_mb = mp;
-
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- *error = process_auxiliary_options(connp,
- msg->msg_control, msg->msg_controllen,
- &attrs, &udp_opt_obj, udp_opt_set, cr);
- rw_exit(&udp->udp_rwlock);
- if (*error)
- goto done;
+ v6src = connp->conn_saddr_v6;
+ if (sin != NULL) {
+ IN6_IPADDR_TO_V4MAPPED(sin->sin_addr.s_addr, &v6dst);
+ dstport = sin->sin_port;
+ flowinfo = 0;
+ ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
+ ixa->ixa_flags |= IXAF_IS_IPV4;
+ } else if (sin6 != NULL) {
+ v6dst = sin6->sin6_addr;
+ dstport = sin6->sin6_port;
+ flowinfo = sin6->sin6_flowinfo;
+ srcid = sin6->__sin6_src_id;
+ if (IN6_IS_ADDR_LINKSCOPE(&v6dst) && sin6->sin6_scope_id != 0) {
+ ixa->ixa_scopeid = sin6->sin6_scope_id;
+ ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ } else {
+ ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
}
- } else {
- if (DB_TYPE(mp) != M_DATA) {
- mp1 = mp->b_cont;
- if (((struct T_unitdata_req *)
- mp->b_rptr)->OPT_length != 0) {
- attrs.udpattr_ipp4 = pktinfop;
- attrs.udpattr_mb = mp;
- if (udp_unitdata_opt_process(q, mp, error,
- &attrs) < 0)
- goto done;
- /*
- * Note: success in processing options.
- * mp option buffer represented by
- * OPT_length/offset now potentially modified
- * and contain option setting results
- */
- ASSERT(*error == 0);
- }
+ if (srcid != 0 && IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
+ ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
+ connp->conn_netstack);
}
+ if (IN6_IS_ADDR_V4MAPPED(&v6dst))
+ ixa->ixa_flags |= IXAF_IS_IPV4;
+ else
+ ixa->ixa_flags &= ~IXAF_IS_IPV4;
+ } else {
+ /* Connected case */
+ v6dst = connp->conn_faddr_v6;
+ dstport = connp->conn_fport;
+ flowinfo = connp->conn_flowinfo;
}
+ mutex_exit(&connp->conn_lock);
- /* mp1 points to the M_DATA mblk carrying the packet */
- ASSERT(mp1 != NULL && DB_TYPE(mp1) == M_DATA);
-
- /*
- * Determine whether we need to mark the mblk with the user's
- * credentials.
- * If labeled then sockfs would have already done this.
- */
- ASSERT(!is_system_labeled() || msg_getcred(mp, NULL) != NULL);
-
- ire = connp->conn_ire_cache;
- if (CLASSD(v4dst) || (ire == NULL) || (ire->ire_addr != v4dst) ||
- (ire->ire_type & (IRE_BROADCAST | IRE_LOCAL | IRE_LOOPBACK))) {
- if (cr != NULL && msg_getcred(mp, NULL) == NULL)
- mblk_setcred(mp, cr, pid);
+ /* Handle IPV6_PKTINFO setting source address. */
+ if (IN6_IS_ADDR_UNSPECIFIED(&v6src) &&
+ (ipp->ipp_fields & IPPF_ADDR)) {
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ if (IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
+ v6src = ipp->ipp_addr;
+ } else {
+ if (!IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
+ v6src = ipp->ipp_addr;
+ }
}
- rw_enter(&udp->udp_rwlock, RW_READER);
- lock_held = B_TRUE;
+ ip_attr_nexthop(ipp, ixa, &v6dst, &v6nexthop);
+ error = ip_attr_connect(connp, ixa, &v6src, &v6dst, &v6nexthop, dstport,
+ &v6src, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST | IPDF_IPSEC);
- /*
- * Cluster and TSOL note:
- * udp.udp_v6lastdst is shared by Cluster and TSOL
- * udp.udp_lastdstport is used by Cluster
- *
- * Both Cluster and TSOL need to update the dest addr and/or port.
- * Updating is done after both Cluster and TSOL checks, protected
- * by conn_lock.
- */
- mutex_enter(&connp->conn_lock);
-
- if (cl_inet_connect2 != NULL &&
- (!IN6_IS_ADDR_V4MAPPED(&udp->udp_v6lastdst) ||
- V4_PART_OF_V6(udp->udp_v6lastdst) != v4dst ||
- udp->udp_lastdstport != port)) {
- mutex_exit(&connp->conn_lock);
- *error = 0;
- IN6_IPADDR_TO_V4MAPPED(v4dst, &v6dst);
- CL_INET_UDP_CONNECT(connp, udp, B_TRUE, &v6dst, port, *error);
- if (*error != 0) {
- *error = EHOSTUNREACH;
- goto done;
+ switch (error) {
+ case 0:
+ break;
+ case EADDRNOTAVAIL:
+ /*
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
+ */
+ error = ENETUNREACH;
+ goto failed;
+ case ENETDOWN:
+ /*
+ * Have !ipif_addr_ready address; drop packet silently
+ * until we can get applications to not send until we
+ * are ready.
+ */
+ error = 0;
+ goto failed;
+ case EHOSTUNREACH:
+ case ENETUNREACH:
+ if (ixa->ixa_ire != NULL) {
+ /*
+ * Let conn_ip_output/ire_send_noroute return
+ * the error and send any local ICMP error.
+ */
+ error = 0;
+ break;
}
- update_lastdst = B_TRUE;
- mutex_enter(&connp->conn_lock);
+ /* FALLTHRU */
+ default:
+ failed:
+ freemsg(mp);
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ goto done;
}
/*
- * Check if our saved options are valid; update if not.
- * TSOL Note: Since we are not in WRITER mode, UDP packets
- * to different destination may require different labels,
- * or worse, UDP packets to same IP address may require
- * different labels due to use of shared all-zones address.
- * We use conn_lock to ensure that lastdst, ip_snd_options,
- * and ip_snd_options_len are consistent for the current
- * destination and are updated atomically.
+ * We might be going to a different destination than last time,
+ * thus check that TX allows the communication and compute any
+ * needed label.
+ *
+ * TSOL Note: We have an exclusive ipp and ixa for this thread so we
+ * don't have to worry about concurrent threads.
*/
if (is_system_labeled()) {
- cred_t *credp;
- pid_t cpid;
-
/* Using UDP MLP requires SCM_UCRED from user */
if (connp->conn_mlp_type != mlptSingle &&
- !attrs.udpattr_credset) {
- mutex_exit(&connp->conn_lock);
- DTRACE_PROBE4(
- tx__ip__log__info__output__udp,
- char *, "MLP mp(1) lacks SCM_UCRED attr(2) on q(3)",
- mblk_t *, mp, udpattrs_t *, &attrs, queue_t *, q);
- *error = EINVAL;
+ !((ixa->ixa_flags & IXAF_UCRED_TSL))) {
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ error = ECONNREFUSED;
+ freemsg(mp);
goto done;
}
/*
- * Update label option for this UDP socket if
- * - the destination has changed,
- * - the UDP socket is MLP, or
- * - the cred attached to the mblk changed.
+ * Check whether Trusted Solaris policy allows communication
+ * with this host, and pretend that the destination is
+ * unreachable if not.
+ * Compute any needed label and place it in ipp_label_v4/v6.
+ *
+ * Later conn_build_hdr_template/conn_prepend_hdr takes
+ * ipp_label_v4/v6 to form the packet.
+ *
+ * Tsol note: We have ipp structure local to this thread so
+ * no locking is needed.
*/
- credp = msg_getcred(mp, &cpid);
- if (!IN6_IS_ADDR_V4MAPPED(&udp->udp_v6lastdst) ||
- V4_PART_OF_V6(udp->udp_v6lastdst) != v4dst ||
- connp->conn_mlp_type != mlptSingle ||
- credp != udp->udp_last_cred) {
- if ((*error = udp_update_label(q, mp, v4dst)) != 0) {
- mutex_exit(&connp->conn_lock);
- goto done;
- }
- update_lastdst = B_TRUE;
+ error = conn_update_label(connp, ixa, &v6dst, ipp);
+ if (error != 0) {
+ freemsg(mp);
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ goto done;
}
-
- /*
- * Attach the effective cred to the mblk to ensure future
- * routing decisions will be based on it's label.
- */
- mblk_setcred(mp, udp->udp_effective_cred, cpid);
}
- if (update_lastdst) {
- IN6_IPADDR_TO_V4MAPPED(v4dst, &udp->udp_v6lastdst);
- udp->udp_lastdstport = port;
+ mp = udp_prepend_hdr(connp, ixa, ipp, &v6src, &v6dst, dstport,
+ flowinfo, mp, &error);
+ if (mp == NULL) {
+ ASSERT(error != 0);
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ goto done;
}
- if (udp->udp_ip_snd_options_len > 0) {
- ip_snd_opt_len = udp->udp_ip_snd_options_len;
- bcopy(udp->udp_ip_snd_options, ip_snd_opt, ip_snd_opt_len);
+ if (ixa->ixa_pktlen > IP_MAXPACKET) {
+ error = EMSGSIZE;
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ freemsg(mp);
+ goto done;
}
- mutex_exit(&connp->conn_lock);
+ /* We're done. Pass the packet to ip. */
+ BUMP_MIB(&us->us_udp_mib, udpHCOutDatagrams);
- /* Add an IP header */
- ip_hdr_length = IP_SIMPLE_HDR_LENGTH + UDPH_SIZE + ip_snd_opt_len +
- (insert_spi ? sizeof (uint32_t) : 0);
- ipha = (ipha_t *)&mp1->b_rptr[-ip_hdr_length];
- if (DB_REF(mp1) != 1 || (uchar_t *)ipha < DB_BASE(mp1) ||
- !OK_32PTR(ipha)) {
- mp2 = allocb(ip_hdr_length + us->us_wroff_extra, BPRI_LO);
- if (mp2 == NULL) {
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_END,
- "udp_wput_end: q %p (%S)", q, "allocbfail2");
- *error = ENOMEM;
- goto done;
- }
- mp2->b_wptr = DB_LIM(mp2);
- mp2->b_cont = mp1;
- mp1 = mp2;
- if (DB_TYPE(mp) != M_DATA)
- mp->b_cont = mp1;
- else
- mp = mp1;
- ipha = (ipha_t *)(mp1->b_wptr - ip_hdr_length);
- }
- ip_hdr_length -= (UDPH_SIZE + (insert_spi ? sizeof (uint32_t) : 0));
-#ifdef _BIG_ENDIAN
- /* Set version, header length, and tos */
- *(uint16_t *)&ipha->ipha_version_and_hdr_length =
- ((((IP_VERSION << 4) | (ip_hdr_length>>2)) << 8) |
- udp->udp_type_of_service);
- /* Set ttl and protocol */
- *(uint16_t *)&ipha->ipha_ttl = (udp->udp_ttl << 8) | IPPROTO_UDP;
-#else
- /* Set version, header length, and tos */
- *(uint16_t *)&ipha->ipha_version_and_hdr_length =
- ((udp->udp_type_of_service << 8) |
- ((IP_VERSION << 4) | (ip_hdr_length>>2)));
- /* Set ttl and protocol */
- *(uint16_t *)&ipha->ipha_ttl = (IPPROTO_UDP << 8) | udp->udp_ttl;
-#endif
- if (pktinfop->ip4_addr != INADDR_ANY) {
- ipha->ipha_src = pktinfop->ip4_addr;
- optinfo.ip_opt_flags = IP_VERIFY_SRC;
- } else {
+ error = conn_ip_output(mp, ixa);
+ /* No udpOutErrors if an error since IP increases its error counter */
+ switch (error) {
+ case 0:
+ break;
+ case EWOULDBLOCK:
+ (void) ixa_check_drain_insert(connp, ixa);
+ error = 0;
+ break;
+ case EADDRNOTAVAIL:
/*
- * Copy our address into the packet. If this is zero,
- * first look at __sin6_src_id for a hint. If we leave the
- * source as INADDR_ANY then ip will fill in the real source
- * address.
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
*/
- IN6_V4MAPPED_TO_IPADDR(&udp->udp_v6src, ipha->ipha_src);
- if (srcid != 0 && ipha->ipha_src == INADDR_ANY) {
- in6_addr_t v6src;
-
- ip_srcid_find_id(srcid, &v6src, connp->conn_zoneid,
- us->us_netstack);
- IN6_V4MAPPED_TO_IPADDR(&v6src, ipha->ipha_src);
- }
- }
- uha_src_port = udp->udp_port;
- if (ip_hdr_length == IP_SIMPLE_HDR_LENGTH) {
- rw_exit(&udp->udp_rwlock);
- lock_held = B_FALSE;
- }
-
- if (pktinfop->ip4_ill_index != 0) {
- optinfo.ip_opt_ill_index = pktinfop->ip4_ill_index;
+ error = ENETUNREACH;
+ /* FALLTHRU */
+ default:
+ mutex_enter(&connp->conn_lock);
+ /*
+ * Clear the source and v6lastdst so we call ip_attr_connect
+ * for the next packet and try to pick a better source.
+ */
+ if (connp->conn_mcbc_bind)
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ else
+ connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ mutex_exit(&connp->conn_lock);
+ break;
}
+done:
+ ixa_refrele(ixa);
+ ip_pkt_free(ipp);
+ kmem_free(ipp, sizeof (*ipp));
+ return (error);
+}
- ipha->ipha_fragment_offset_and_flags = 0;
- ipha->ipha_ident = 0;
-
- mp1->b_rptr = (uchar_t *)ipha;
-
- ASSERT((uintptr_t)(mp1->b_wptr - (uchar_t *)ipha) <=
- (uintptr_t)UINT_MAX);
+/*
+ * Handle sending an M_DATA for a connected socket.
+ * Handles both IPv4 and IPv6.
+ */
+static int
+udp_output_connected(conn_t *connp, mblk_t *mp, cred_t *cr, pid_t pid)
+{
+ udp_t *udp = connp->conn_udp;
+ udp_stack_t *us = udp->udp_us;
+ int error;
+ ip_xmit_attr_t *ixa;
- /* Determine length of packet */
- ip_len = (uint32_t)(mp1->b_wptr - (uchar_t *)ipha);
- if ((mp2 = mp1->b_cont) != NULL) {
- do {
- ASSERT((uintptr_t)MBLKL(mp2) <= (uintptr_t)UINT_MAX);
- ip_len += (uint32_t)MBLKL(mp2);
- } while ((mp2 = mp2->b_cont) != NULL);
- }
/*
- * If the size of the packet is greater than the maximum allowed by
- * ip, return an error. Passing this down could cause panics because
- * the size will have wrapped and be inconsistent with the msg size.
+ * If no other thread is using conn_ixa this just gets a reference to
+ * conn_ixa. Otherwise we get a safe copy of conn_ixa.
*/
- if (ip_len > IP_MAXPACKET) {
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_END,
- "udp_wput_end: q %p (%S)", q, "IP length exceeded");
- *error = EMSGSIZE;
- goto done;
+ ixa = conn_get_ixa(connp, B_FALSE);
+ if (ixa == NULL) {
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ freemsg(mp);
+ return (ENOMEM);
}
- ipha->ipha_length = htons((uint16_t)ip_len);
- ip_len -= ip_hdr_length;
- ip_len = htons((uint16_t)ip_len);
- udpha = (udpha_t *)(((uchar_t *)ipha) + ip_hdr_length);
-
- /* Insert all-0s SPI now. */
- if (insert_spi)
- *((uint32_t *)(udpha + 1)) = 0;
- /*
- * Copy in the destination address
- */
- ipha->ipha_dst = v4dst;
-
- /*
- * Set ttl based on IP_MULTICAST_TTL to match IPv6 logic.
- */
- if (CLASSD(v4dst))
- ipha->ipha_ttl = udp->udp_multicast_ttl;
-
- udpha->uha_dst_port = port;
- udpha->uha_src_port = uha_src_port;
+ ASSERT(cr != NULL);
+ ixa->ixa_cred = cr;
+ ixa->ixa_cpid = pid;
- if (ip_snd_opt_len > 0) {
- uint32_t cksum;
+ mutex_enter(&connp->conn_lock);
+ mp = udp_prepend_header_template(connp, ixa, mp, &connp->conn_saddr_v6,
+ connp->conn_fport, connp->conn_flowinfo, &error);
- bcopy(ip_snd_opt, &ipha[1], ip_snd_opt_len);
- lock_held = B_FALSE;
- rw_exit(&udp->udp_rwlock);
- /*
- * Massage source route putting first source route in ipha_dst.
- * Ignore the destination in T_unitdata_req.
- * Create a checksum adjustment for a source route, if any.
- */
- cksum = ip_massage_options(ipha, us->us_netstack);
- cksum = (cksum & 0xFFFF) + (cksum >> 16);
- cksum -= ((ipha->ipha_dst >> 16) & 0xFFFF) +
- (ipha->ipha_dst & 0xFFFF);
- if ((int)cksum < 0)
- cksum--;
- cksum = (cksum & 0xFFFF) + (cksum >> 16);
- /*
- * IP does the checksum if uha_checksum is non-zero,
- * We make it easy for IP to include our pseudo header
- * by putting our length in uha_checksum.
- */
- cksum += ip_len;
- cksum = (cksum & 0xFFFF) + (cksum >> 16);
- /* There might be a carry. */
- cksum = (cksum & 0xFFFF) + (cksum >> 16);
-#ifdef _LITTLE_ENDIAN
- if (us->us_do_checksum)
- ip_len = (cksum << 16) | ip_len;
-#else
- if (us->us_do_checksum)
- ip_len = (ip_len << 16) | cksum;
- else
- ip_len <<= 16;
-#endif
- } else {
- /*
- * IP does the checksum if uha_checksum is non-zero,
- * We make it easy for IP to include our pseudo header
- * by putting our length in uha_checksum.
- */
- if (us->us_do_checksum)
- ip_len |= (ip_len << 16);
-#ifndef _LITTLE_ENDIAN
- else
- ip_len <<= 16;
-#endif
+ if (mp == NULL) {
+ ASSERT(error != 0);
+ mutex_exit(&connp->conn_lock);
+ ixa_refrele(ixa);
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ freemsg(mp);
+ return (error);
}
- ASSERT(!lock_held);
- /* Set UDP length and checksum */
- *((uint32_t *)&udpha->uha_length) = ip_len;
- if (DB_TYPE(mp) != M_DATA) {
- cred_t *cr;
- pid_t cpid;
+ /*
+ * In case we got a safe copy of conn_ixa, or if opt_set made us a new
+ * safe copy, then we need to fill in any pointers in it.
+ */
+ if (ixa->ixa_ire == NULL) {
+ in6_addr_t faddr, saddr;
+ in6_addr_t nexthop;
+ in_port_t fport;
+
+ saddr = connp->conn_saddr_v6;
+ faddr = connp->conn_faddr_v6;
+ fport = connp->conn_fport;
+ ip_attr_nexthop(&connp->conn_xmit_ipp, ixa, &faddr, &nexthop);
+ mutex_exit(&connp->conn_lock);
- /* Move any cred from the T_UNITDATA_REQ to the packet */
- cr = msg_extractcred(mp, &cpid);
- if (cr != NULL) {
- if (mp1->b_datap->db_credp != NULL)
- crfree(mp1->b_datap->db_credp);
- mp1->b_datap->db_credp = cr;
- mp1->b_datap->db_cpid = cpid;
+ error = ip_attr_connect(connp, ixa, &saddr, &faddr, &nexthop,
+ fport, NULL, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST |
+ IPDF_IPSEC);
+ switch (error) {
+ case 0:
+ break;
+ case EADDRNOTAVAIL:
+ /*
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
+ */
+ error = ENETUNREACH;
+ goto failed;
+ case ENETDOWN:
+ /*
+ * Have !ipif_addr_ready address; drop packet silently
+ * until we can get applications to not send until we
+ * are ready.
+ */
+ error = 0;
+ goto failed;
+ case EHOSTUNREACH:
+ case ENETUNREACH:
+ if (ixa->ixa_ire != NULL) {
+ /*
+ * Let conn_ip_output/ire_send_noroute return
+ * the error and send any local ICMP error.
+ */
+ error = 0;
+ break;
+ }
+ /* FALLTHRU */
+ default:
+ failed:
+ ixa_refrele(ixa);
+ freemsg(mp);
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ return (error);
}
- ASSERT(mp != mp1);
- freeb(mp);
+ } else {
+ /* Done with conn_t */
+ mutex_exit(&connp->conn_lock);
}
-
- /* mp has been consumed and we'll return success */
- ASSERT(*error == 0);
- mp = NULL;
+ ASSERT(ixa->ixa_ire != NULL);
/* We're done. Pass the packet to ip. */
BUMP_MIB(&us->us_udp_mib, udpHCOutDatagrams);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_END,
- "udp_wput_end: q %p (%S)", q, "end");
-
- if ((connp->conn_flags & IPCL_CHECK_POLICY) != 0 ||
- CONN_OUTBOUND_POLICY_PRESENT(connp, ipss) ||
- connp->conn_dontroute ||
- connp->conn_outgoing_ill != NULL || optinfo.ip_opt_flags != 0 ||
- optinfo.ip_opt_ill_index != 0 ||
- ipha->ipha_version_and_hdr_length != IP_SIMPLE_HDR_VERSION ||
- IPP_ENABLED(IPP_LOCAL_OUT, ipst) ||
- ipst->ips_ip_g_mrouter != NULL) {
- UDP_STAT(us, udp_ip_send);
- ip_output_options(connp, mp1, connp->conn_wq, IP_WPUT,
- &optinfo);
- } else {
- udp_send_data(udp, connp->conn_wq, mp1, ipha);
- }
-done:
- if (lock_held)
- rw_exit(&udp->udp_rwlock);
- if (*error != 0) {
- ASSERT(mp != NULL);
- BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ error = conn_ip_output(mp, ixa);
+ /* No udpOutErrors if an error since IP increases its error counter */
+ switch (error) {
+ case 0:
+ break;
+ case EWOULDBLOCK:
+ (void) ixa_check_drain_insert(connp, ixa);
+ error = 0;
+ break;
+ case EADDRNOTAVAIL:
+ /*
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
+ */
+ error = ENETUNREACH;
+ break;
}
- return (mp);
+ ixa_refrele(ixa);
+ return (error);
}
-static void
-udp_send_data(udp_t *udp, queue_t *q, mblk_t *mp, ipha_t *ipha)
+/*
+ * Handle sending an M_DATA to the last destination.
+ * Handles both IPv4 and IPv6.
+ *
+ * NOTE: The caller must hold conn_lock and we drop it here.
+ */
+static int
+udp_output_lastdst(conn_t *connp, mblk_t *mp, cred_t *cr, pid_t pid,
+ ip_xmit_attr_t *ixa)
{
- conn_t *connp = udp->udp_connp;
- ipaddr_t src, dst;
- ire_t *ire;
- ipif_t *ipif = NULL;
- mblk_t *ire_fp_mp;
- boolean_t retry_caching;
- udp_stack_t *us = udp->udp_us;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
-
- dst = ipha->ipha_dst;
- src = ipha->ipha_src;
- ASSERT(ipha->ipha_ident == 0);
-
- if (CLASSD(dst)) {
- int err;
-
- ipif = conn_get_held_ipif(connp,
- &connp->conn_multicast_ipif, &err);
-
- if (ipif == NULL || ipif->ipif_isv6 ||
- (ipif->ipif_ill->ill_phyint->phyint_flags &
- PHYI_LOOPBACK)) {
- if (ipif != NULL)
- ipif_refrele(ipif);
- UDP_STAT(us, udp_ip_send);
- ip_output(connp, mp, q, IP_WPUT);
- return;
- }
- }
+ udp_t *udp = connp->conn_udp;
+ udp_stack_t *us = udp->udp_us;
+ int error;
- retry_caching = B_FALSE;
- mutex_enter(&connp->conn_lock);
- ire = connp->conn_ire_cache;
- ASSERT(!(connp->conn_state_flags & CONN_INCIPIENT));
+ ASSERT(MUTEX_HELD(&connp->conn_lock));
+ ASSERT(ixa != NULL);
- if (ire == NULL || ire->ire_addr != dst ||
- (ire->ire_marks & IRE_MARK_CONDEMNED)) {
- retry_caching = B_TRUE;
- } else if (CLASSD(dst) && (ire->ire_type & IRE_CACHE)) {
- ill_t *stq_ill = (ill_t *)ire->ire_stq->q_ptr;
+ ASSERT(cr != NULL);
+ ixa->ixa_cred = cr;
+ ixa->ixa_cpid = pid;
- ASSERT(ipif != NULL);
- if (!IS_ON_SAME_LAN(stq_ill, ipif->ipif_ill))
- retry_caching = B_TRUE;
- }
+ mp = udp_prepend_header_template(connp, ixa, mp, &connp->conn_v6lastsrc,
+ connp->conn_lastdstport, connp->conn_lastflowinfo, &error);
- if (!retry_caching) {
- ASSERT(ire != NULL);
- IRE_REFHOLD(ire);
+ if (mp == NULL) {
+ ASSERT(error != 0);
mutex_exit(&connp->conn_lock);
- } else {
- boolean_t cached = B_FALSE;
+ ixa_refrele(ixa);
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ freemsg(mp);
+ return (error);
+ }
- connp->conn_ire_cache = NULL;
+ /*
+ * In case we got a safe copy of conn_ixa, or if opt_set made us a new
+ * safe copy, then we need to fill in any pointers in it.
+ */
+ if (ixa->ixa_ire == NULL) {
+ in6_addr_t lastdst, lastsrc;
+ in6_addr_t nexthop;
+ in_port_t lastport;
+
+ lastsrc = connp->conn_v6lastsrc;
+ lastdst = connp->conn_v6lastdst;
+ lastport = connp->conn_lastdstport;
+ ip_attr_nexthop(&connp->conn_xmit_ipp, ixa, &lastdst, &nexthop);
mutex_exit(&connp->conn_lock);
- /* Release the old ire */
- if (ire != NULL) {
- IRE_REFRELE_NOTR(ire);
- ire = NULL;
- }
-
- if (CLASSD(dst)) {
- ASSERT(ipif != NULL);
- ire = ire_ctable_lookup(dst, 0, 0, ipif,
- connp->conn_zoneid, msg_getlabel(mp),
- MATCH_IRE_ILL, ipst);
- } else {
- ASSERT(ipif == NULL);
- ire = ire_cache_lookup(dst, connp->conn_zoneid,
- msg_getlabel(mp), ipst);
- }
-
- if (ire == NULL) {
- if (ipif != NULL)
- ipif_refrele(ipif);
- UDP_STAT(us, udp_ire_null);
- ip_output(connp, mp, q, IP_WPUT);
- return;
- }
- IRE_REFHOLD_NOTR(ire);
-
- mutex_enter(&connp->conn_lock);
- if (CONN_CACHE_IRE(connp) && connp->conn_ire_cache == NULL &&
- !(ire->ire_marks & IRE_MARK_CONDEMNED)) {
- irb_t *irb = ire->ire_bucket;
-
+ error = ip_attr_connect(connp, ixa, &lastsrc, &lastdst,
+ &nexthop, lastport, NULL, NULL, IPDF_ALLOW_MCBC |
+ IPDF_VERIFY_DST | IPDF_IPSEC);
+ switch (error) {
+ case 0:
+ break;
+ case EADDRNOTAVAIL:
/*
- * IRE's created for non-connection oriented transports
- * are normally initialized with IRE_MARK_TEMPORARY set
- * in the ire_marks. These IRE's are preferentially
- * reaped when the hash chain length in the cache
- * bucket exceeds the maximum value specified in
- * ip[6]_ire_max_bucket_cnt. This can severely affect
- * UDP performance if IRE cache entries that we need
- * to reuse are continually removed. To remedy this,
- * when we cache the IRE in the conn_t, we remove the
- * IRE_MARK_TEMPORARY bit from the ire_marks if it was
- * set.
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
*/
- if (ire->ire_marks & IRE_MARK_TEMPORARY) {
- rw_enter(&irb->irb_lock, RW_WRITER);
- if (ire->ire_marks & IRE_MARK_TEMPORARY) {
- ire->ire_marks &= ~IRE_MARK_TEMPORARY;
- irb->irb_tmp_ire_cnt--;
- }
- rw_exit(&irb->irb_lock);
+ error = ENETUNREACH;
+ goto failed;
+ case ENETDOWN:
+ /*
+ * Have !ipif_addr_ready address; drop packet silently
+ * until we can get applications to not send until we
+ * are ready.
+ */
+ error = 0;
+ goto failed;
+ case EHOSTUNREACH:
+ case ENETUNREACH:
+ if (ixa->ixa_ire != NULL) {
+ /*
+ * Let conn_ip_output/ire_send_noroute return
+ * the error and send any local ICMP error.
+ */
+ error = 0;
+ break;
}
- connp->conn_ire_cache = ire;
- cached = B_TRUE;
+ /* FALLTHRU */
+ default:
+ failed:
+ ixa_refrele(ixa);
+ freemsg(mp);
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ return (error);
}
+ } else {
+ /* Done with conn_t */
mutex_exit(&connp->conn_lock);
-
- /*
- * We can continue to use the ire but since it was not
- * cached, we should drop the extra reference.
- */
- if (!cached)
- IRE_REFRELE_NOTR(ire);
}
- ASSERT(ire != NULL && ire->ire_ipversion == IPV4_VERSION);
- ASSERT(!CLASSD(dst) || ipif != NULL);
- /*
- * Check if we can take the fast-path.
- * Note that "incomplete" ire's (where the link-layer for next hop
- * is not resolved, or where the fast-path header in nce_fp_mp is not
- * available yet) are sent down the legacy (slow) path
- */
- if ((ire->ire_type & (IRE_BROADCAST|IRE_LOCAL|IRE_LOOPBACK)) ||
- (ire->ire_flags & RTF_MULTIRT) || (ire->ire_stq == NULL) ||
- (ire->ire_max_frag < ntohs(ipha->ipha_length)) ||
- ((ire->ire_nce == NULL) ||
- ((ire_fp_mp = ire->ire_nce->nce_fp_mp) == NULL)) ||
- connp->conn_nexthop_set || (MBLKL(ire_fp_mp) > MBLKHEAD(mp))) {
- if (ipif != NULL)
- ipif_refrele(ipif);
- UDP_STAT(us, udp_ip_ire_send);
- IRE_REFRELE(ire);
- ip_output(connp, mp, q, IP_WPUT);
- return;
- }
+ /* We're done. Pass the packet to ip. */
+ BUMP_MIB(&us->us_udp_mib, udpHCOutDatagrams);
- if (src == INADDR_ANY && !connp->conn_unspec_src) {
- if (CLASSD(dst) && !(ire->ire_flags & RTF_SETSRC))
- ipha->ipha_src = ipif->ipif_src_addr;
+ error = conn_ip_output(mp, ixa);
+ /* No udpOutErrors if an error since IP increases its error counter */
+ switch (error) {
+ case 0:
+ break;
+ case EWOULDBLOCK:
+ (void) ixa_check_drain_insert(connp, ixa);
+ error = 0;
+ break;
+ case EADDRNOTAVAIL:
+ /*
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
+ */
+ error = ENETUNREACH;
+ /* FALLTHRU */
+ default:
+ mutex_enter(&connp->conn_lock);
+ /*
+ * Clear the source and v6lastdst so we call ip_attr_connect
+ * for the next packet and try to pick a better source.
+ */
+ if (connp->conn_mcbc_bind)
+ connp->conn_saddr_v6 = ipv6_all_zeros;
else
- ipha->ipha_src = ire->ire_src_addr;
+ connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ mutex_exit(&connp->conn_lock);
+ break;
}
-
- if (ipif != NULL)
- ipif_refrele(ipif);
-
- udp_xmit(connp->conn_wq, mp, ire, connp, connp->conn_zoneid);
+ ixa_refrele(ixa);
+ return (error);
}
-static void
-udp_xmit(queue_t *q, mblk_t *mp, ire_t *ire, conn_t *connp, zoneid_t zoneid)
+
+/*
+ * Prepend the header template and then fill in the source and
+ * flowinfo. The caller needs to handle the destination address since
+ * it's setting is different if rthdr or source route.
+ *
+ * Returns NULL is allocation failed or if the packet would exceed IP_MAXPACKET.
+ * When it returns NULL it sets errorp.
+ */
+static mblk_t *
+udp_prepend_header_template(conn_t *connp, ip_xmit_attr_t *ixa, mblk_t *mp,
+ const in6_addr_t *v6src, in_port_t dstport, uint32_t flowinfo, int *errorp)
{
- ipaddr_t src, dst;
- ill_t *ill;
- mblk_t *ire_fp_mp;
- uint_t ire_fp_mp_len;
- uint16_t *up;
- uint32_t cksum, hcksum_txflags;
- queue_t *dev_q;
- udp_t *udp = connp->conn_udp;
- ipha_t *ipha = (ipha_t *)mp->b_rptr;
+ udp_t *udp = connp->conn_udp;
udp_stack_t *us = udp->udp_us;
- ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
- boolean_t ll_multicast = B_FALSE;
- boolean_t direct_send;
-
- dev_q = ire->ire_stq->q_next;
- ASSERT(dev_q != NULL);
+ boolean_t insert_spi = udp->udp_nat_t_endpoint;
+ uint_t pktlen;
+ uint_t alloclen;
+ uint_t copylen;
+ uint8_t *iph;
+ uint_t ip_hdr_length;
+ udpha_t *udpha;
+ uint32_t cksum;
+ ip_pkt_t *ipp;
- ill = ire_to_ill(ire);
- ASSERT(ill != NULL);
+ ASSERT(MUTEX_HELD(&connp->conn_lock));
/*
- * For the direct send case, if resetting of conn_direct_blocked
- * was missed, it is still ok because the putq() would enable
- * the queue and write service will drain it out.
+ * Copy the header template and leave space for an SPI
*/
- direct_send = ILL_DIRECT_CAPABLE(ill);
-
- /* is queue flow controlled? */
- if ((!direct_send) && (q->q_first != NULL || connp->conn_draining ||
- DEV_Q_FLOW_BLOCKED(dev_q))) {
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
- BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
- if (ipst->ips_ip_output_queue) {
- DTRACE_PROBE1(udp__xmit__putq, conn_t *, connp);
- (void) putq(connp->conn_wq, mp);
- } else {
- freemsg(mp);
- }
- ire_refrele(ire);
- return;
- }
-
- ire_fp_mp = ire->ire_nce->nce_fp_mp;
- ire_fp_mp_len = MBLKL(ire_fp_mp);
- ASSERT(MBLKHEAD(mp) >= ire_fp_mp_len);
-
- dst = ipha->ipha_dst;
- src = ipha->ipha_src;
-
-
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
-
- ipha->ipha_ident = (uint16_t)atomic_add_32_nv(&ire->ire_ident, 1);
-#ifndef _BIG_ENDIAN
- ipha->ipha_ident = (ipha->ipha_ident << 8) | (ipha->ipha_ident >> 8);
-#endif
-
- if (ILL_HCKSUM_CAPABLE(ill) && dohwcksum) {
- ASSERT(ill->ill_hcksum_capab != NULL);
- hcksum_txflags = ill->ill_hcksum_capab->ill_hcksum_txflags;
- } else {
- hcksum_txflags = 0;
- }
-
- /* pseudo-header checksum (do it in parts for IP header checksum) */
- cksum = (dst >> 16) + (dst & 0xFFFF) + (src >> 16) + (src & 0xFFFF);
-
- ASSERT(ipha->ipha_version_and_hdr_length == IP_SIMPLE_HDR_VERSION);
- up = IPH_UDPH_CHECKSUMP(ipha, IP_SIMPLE_HDR_LENGTH);
- if (*up != 0) {
- IP_CKSUM_XMIT_FAST(ire->ire_ipversion, hcksum_txflags,
- mp, ipha, up, IPPROTO_UDP, IP_SIMPLE_HDR_LENGTH,
- ntohs(ipha->ipha_length), cksum);
-
- /* Software checksum? */
- if (DB_CKSUMFLAGS(mp) == 0) {
- UDP_STAT(us, udp_out_sw_cksum);
- UDP_STAT_UPDATE(us, udp_out_sw_cksum_bytes,
- ntohs(ipha->ipha_length) - IP_SIMPLE_HDR_LENGTH);
- }
- }
-
- if (!CLASSD(dst)) {
- ipha->ipha_fragment_offset_and_flags |=
- (uint32_t)htons(ire->ire_frag_flag);
- }
-
- /* Calculate IP header checksum if hardware isn't capable */
- if (!(DB_CKSUMFLAGS(mp) & HCK_IPV4_HDRCKSUM)) {
- IP_HDR_CKSUM(ipha, cksum, ((uint32_t *)ipha)[0],
- ((uint16_t *)ipha)[4]);
+ copylen = connp->conn_ht_iphc_len;
+ alloclen = copylen + (insert_spi ? sizeof (uint32_t) : 0);
+ pktlen = alloclen + msgdsize(mp);
+ if (pktlen > IP_MAXPACKET) {
+ freemsg(mp);
+ *errorp = EMSGSIZE;
+ return (NULL);
}
+ ixa->ixa_pktlen = pktlen;
- if (CLASSD(dst)) {
- if (ilm_lookup_ill(ill, dst, ALL_ZONES) != NULL) {
- ip_multicast_loopback(q, ill, mp,
- connp->conn_multicast_loop ? 0 :
- IP_FF_NO_MCAST_LOOP, zoneid);
- }
+ /* check/fix buffer config, setup pointers into it */
+ iph = mp->b_rptr - alloclen;
+ if (DB_REF(mp) != 1 || iph < DB_BASE(mp) || !OK_32PTR(iph)) {
+ mblk_t *mp1;
- /* If multicast TTL is 0 then we are done */
- if (ipha->ipha_ttl == 0) {
+ mp1 = allocb(alloclen + us->us_wroff_extra, BPRI_MED);
+ if (mp1 == NULL) {
freemsg(mp);
- ire_refrele(ire);
- return;
+ *errorp = ENOMEM;
+ return (NULL);
}
- ll_multicast = B_TRUE;
+ mp1->b_wptr = DB_LIM(mp1);
+ mp1->b_cont = mp;
+ mp = mp1;
+ iph = (mp->b_wptr - alloclen);
}
+ mp->b_rptr = iph;
+ bcopy(connp->conn_ht_iphc, iph, copylen);
+ ip_hdr_length = (uint_t)(connp->conn_ht_ulp - connp->conn_ht_iphc);
- ASSERT(DB_TYPE(ire_fp_mp) == M_DATA);
- mp->b_rptr = (uchar_t *)ipha - ire_fp_mp_len;
- bcopy(ire_fp_mp->b_rptr, mp->b_rptr, ire_fp_mp_len);
-
- UPDATE_OB_PKT_COUNT(ire);
- ire->ire_last_used_time = lbolt;
-
- BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutTransmits);
- UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCOutOctets,
- ntohs(ipha->ipha_length));
+ ixa->ixa_ip_hdr_length = ip_hdr_length;
+ udpha = (udpha_t *)(iph + ip_hdr_length);
- DTRACE_PROBE4(ip4__physical__out__start,
- ill_t *, NULL, ill_t *, ill, ipha_t *, ipha, mblk_t *, mp);
- FW_HOOKS(ipst->ips_ip4_physical_out_event,
- ipst->ips_ipv4firewall_physical_out, NULL, ill, ipha, mp, mp,
- ll_multicast, ipst);
- DTRACE_PROBE1(ip4__physical__out__end, mblk_t *, mp);
- if (ipst->ips_ip4_observe.he_interested && mp != NULL) {
- zoneid_t szone;
-
- /*
- * Both of these functions expect b_rptr to be
- * where the IP header starts, so advance past the
- * link layer header if present.
- */
- mp->b_rptr += ire_fp_mp_len;
- szone = ip_get_zoneid_v4(ipha->ipha_src, mp,
- ipst, ALL_ZONES);
- ipobs_hook(mp, IPOBS_HOOK_OUTBOUND, szone,
- ALL_ZONES, ill, ipst);
- mp->b_rptr -= ire_fp_mp_len;
- }
+ /*
+ * Setup header length and prepare for ULP checksum done in IP.
+ * udp_build_hdr_template has already massaged any routing header
+ * and placed the result in conn_sum.
+ *
+ * We make it easy for IP to include our pseudo header
+ * by putting our length in uha_checksum.
+ */
+ cksum = pktlen - ip_hdr_length;
+ udpha->uha_length = htons(cksum);
- if (mp == NULL)
- goto bail;
+ cksum += connp->conn_sum;
+ cksum = (cksum >> 16) + (cksum & 0xFFFF);
+ ASSERT(cksum < 0x10000);
- DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL,
- void_ip_t *, ipha, __dtrace_ipsr_ill_t *, ill,
- ipha_t *, ipha, ip6_t *, NULL, int, 0);
+ ipp = &connp->conn_xmit_ipp;
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)iph;
- if (direct_send) {
- uintptr_t cookie;
- ill_dld_direct_t *idd = &ill->ill_dld_capab->idc_direct;
+ ipha->ipha_length = htons((uint16_t)pktlen);
- cookie = idd->idd_tx_df(idd->idd_tx_dh, mp,
- (uintptr_t)connp, 0);
- if (cookie != NULL) {
- idl_tx_list_t *idl_txl;
+ /* IP does the checksum if uha_checksum is non-zero */
+ if (us->us_do_checksum)
+ udpha->uha_checksum = htons(cksum);
- /*
- * Flow controlled.
- */
- DTRACE_PROBE2(non__null__cookie, uintptr_t,
- cookie, conn_t *, connp);
- idl_txl = &ipst->ips_idl_tx_list[IDLHASHINDEX(cookie)];
- mutex_enter(&idl_txl->txl_lock);
- /*
- * Check again after holding txl_lock to see if Tx
- * ring is still blocked and only then insert the
- * connp into the drain list.
- */
- if (connp->conn_direct_blocked ||
- (idd->idd_tx_fctl_df(idd->idd_tx_fctl_dh,
- cookie) == 0)) {
- mutex_exit(&idl_txl->txl_lock);
- goto bail;
- }
- if (idl_txl->txl_cookie != NULL &&
- idl_txl->txl_cookie != cookie) {
- DTRACE_PROBE2(udp__xmit__collision,
- uintptr_t, cookie,
- uintptr_t, idl_txl->txl_cookie);
- UDP_STAT(us, udp_cookie_coll);
- } else {
- connp->conn_direct_blocked = B_TRUE;
- idl_txl->txl_cookie = cookie;
- conn_drain_insert(connp, idl_txl);
- DTRACE_PROBE1(udp__xmit__insert,
- conn_t *, connp);
- }
- mutex_exit(&idl_txl->txl_lock);
+ /* if IP_PKTINFO specified an addres it wins over bind() */
+ if ((ipp->ipp_fields & IPPF_ADDR) &&
+ IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr)) {
+ ASSERT(ipp->ipp_addr_v4 != INADDR_ANY);
+ ipha->ipha_src = ipp->ipp_addr_v4;
+ } else {
+ IN6_V4MAPPED_TO_IPADDR(v6src, ipha->ipha_src);
}
} else {
- DTRACE_PROBE1(udp__xmit__putnext, mblk_t *, mp);
- putnext(ire->ire_stq, mp);
- }
-bail:
- IRE_REFRELE(ire);
-}
+ ip6_t *ip6h = (ip6_t *)iph;
-static boolean_t
-udp_update_label_v6(queue_t *wq, mblk_t *mp, in6_addr_t *dst)
-{
- udp_t *udp = Q_TO_UDP(wq);
- int err;
- cred_t *cred;
- cred_t *orig_cred;
- cred_t *effective_cred = NULL;
- uchar_t opt_storage[TSOL_MAX_IPV6_OPTION];
- udp_stack_t *us = udp->udp_us;
-
- /*
- * All Solaris components should pass a db_credp
- * for this message, hence we ASSERT.
- * On production kernels we return an error to be robust against
- * random streams modules sitting on top of us.
- */
- cred = orig_cred = msg_getcred(mp, NULL);
- ASSERT(cred != NULL);
- if (cred == NULL)
- return (EINVAL);
-
- /*
- * Verify the destination is allowed to receive packets at
- * the security label of the message data. tsol_check_dest()
- * may create a new effective cred for this message with a
- * modified label or label flags. Note that we use the
- * cred/label from the message to handle MLP.
- */
- if ((err = tsol_check_dest(cred, dst, IPV6_VERSION,
- udp->udp_connp->conn_mac_mode, &effective_cred)) != 0)
- goto done;
- if (effective_cred != NULL)
- cred = effective_cred;
-
- /*
- * Calculate the security label to be placed in the text
- * of the message (if any).
- */
- if ((err = tsol_compute_label_v6(cred, dst, opt_storage,
- us->us_netstack->netstack_ip)) != 0)
- goto done;
-
- /*
- * Insert the security label in the cached ip options,
- * removing any old label that may exist.
- */
- if ((err = tsol_update_sticky(&udp->udp_sticky_ipp,
- &udp->udp_label_len_v6, opt_storage)) != 0)
- goto done;
+ ip6h->ip6_plen = htons((uint16_t)(pktlen - IPV6_HDR_LEN));
+ udpha->uha_checksum = htons(cksum);
- /*
- * Save the destination address and cred we used to
- * generate the security label text.
- */
- if (cred != udp->udp_effective_cred) {
- if (udp->udp_effective_cred != NULL)
- crfree(udp->udp_effective_cred);
- crhold(cred);
- udp->udp_effective_cred = cred;
- }
- if (orig_cred != udp->udp_last_cred) {
- if (udp->udp_last_cred != NULL)
- crfree(udp->udp_last_cred);
- crhold(orig_cred);
- udp->udp_last_cred = orig_cred;
+ /* if IP_PKTINFO specified an addres it wins over bind() */
+ if ((ipp->ipp_fields & IPPF_ADDR) &&
+ !IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr)) {
+ ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&ipp->ipp_addr));
+ ip6h->ip6_src = ipp->ipp_addr;
+ } else {
+ ip6h->ip6_src = *v6src;
+ }
+ ip6h->ip6_vcf =
+ (IPV6_DEFAULT_VERS_AND_FLOW & IPV6_VERS_AND_FLOW_MASK) |
+ (flowinfo & ~IPV6_VERS_AND_FLOW_MASK);
+ if (ipp->ipp_fields & IPPF_TCLASS) {
+ /* Overrides the class part of flowinfo */
+ ip6h->ip6_vcf = IPV6_TCLASS_FLOW(ip6h->ip6_vcf,
+ ipp->ipp_tclass);
+ }
}
-done:
- if (effective_cred != NULL)
- crfree(effective_cred);
+ /* Insert all-0s SPI now. */
+ if (insert_spi)
+ *((uint32_t *)(udpha + 1)) = 0;
- if (err != 0) {
- DTRACE_PROBE4(
- tx__ip__log__drop__updatelabel__udp6,
- char *, "queue(1) failed to update options(2) on mp(3)",
- queue_t *, wq, char *, opt_storage, mblk_t *, mp);
- }
- return (err);
+ udpha->uha_dst_port = dstport;
+ return (mp);
}
-static int
-udp_send_connected(conn_t *connp, mblk_t *mp, struct nmsghdr *msg, cred_t *cr,
- pid_t pid)
+/*
+ * Send a T_UDERR_IND in response to an M_DATA
+ */
+static void
+udp_ud_err_connected(conn_t *connp, t_scalar_t error)
{
- udp_t *udp = connp->conn_udp;
- udp_stack_t *us = udp->udp_us;
- ipaddr_t v4dst;
- in_port_t dstport;
- boolean_t mapped_addr;
struct sockaddr_storage ss;
sin_t *sin;
sin6_t *sin6;
struct sockaddr *addr;
socklen_t addrlen;
- int error;
- boolean_t insert_spi = udp->udp_nat_t_endpoint;
-
- /* M_DATA for connected socket */
-
- ASSERT(udp->udp_issocket);
- UDP_DBGSTAT(us, udp_data_conn);
+ mblk_t *mp1;
mutex_enter(&connp->conn_lock);
- if (udp->udp_state != TS_DATA_XFER) {
- mutex_exit(&connp->conn_lock);
- BUMP_MIB(&us->us_udp_mib, udpOutErrors);
- UDP_STAT(us, udp_out_err_notconn);
- freemsg(mp);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_END,
- "udp_wput_end: connp %p (%S)", connp,
- "not-connected; address required");
- return (EDESTADDRREQ);
- }
-
- mapped_addr = IN6_IS_ADDR_V4MAPPED(&udp->udp_v6dst);
- if (mapped_addr)
- IN6_V4MAPPED_TO_IPADDR(&udp->udp_v6dst, v4dst);
-
/* Initialize addr and addrlen as if they're passed in */
- if (udp->udp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
sin = (sin_t *)&ss;
+ *sin = sin_null;
sin->sin_family = AF_INET;
- dstport = sin->sin_port = udp->udp_dstport;
- ASSERT(mapped_addr);
- sin->sin_addr.s_addr = v4dst;
+ sin->sin_port = connp->conn_fport;
+ sin->sin_addr.s_addr = connp->conn_faddr_v4;
addr = (struct sockaddr *)sin;
addrlen = sizeof (*sin);
} else {
sin6 = (sin6_t *)&ss;
+ *sin6 = sin6_null;
sin6->sin6_family = AF_INET6;
- dstport = sin6->sin6_port = udp->udp_dstport;
- sin6->sin6_flowinfo = udp->udp_flowinfo;
- sin6->sin6_addr = udp->udp_v6dst;
- sin6->sin6_scope_id = 0;
+ sin6->sin6_port = connp->conn_fport;
+ sin6->sin6_flowinfo = connp->conn_flowinfo;
+ sin6->sin6_addr = connp->conn_faddr_v6;
+ if (IN6_IS_ADDR_LINKSCOPE(&connp->conn_faddr_v6) &&
+ (connp->conn_ixa->ixa_flags & IXAF_SCOPEID_SET)) {
+ sin6->sin6_scope_id = connp->conn_ixa->ixa_scopeid;
+ } else {
+ sin6->sin6_scope_id = 0;
+ }
sin6->__sin6_src_id = 0;
addr = (struct sockaddr *)sin6;
addrlen = sizeof (*sin6);
}
mutex_exit(&connp->conn_lock);
- if (mapped_addr) {
- /*
- * Handle both AF_INET and AF_INET6; the latter
- * for IPV4 mapped destination addresses. Note
- * here that both addr and addrlen point to the
- * corresponding struct depending on the address
- * family of the socket.
- */
- mp = udp_output_v4(connp, mp, v4dst, dstport, 0, &error,
- insert_spi, msg, cr, pid);
- } else {
- mp = udp_output_v6(connp, mp, sin6, &error, msg, cr, pid);
- }
- if (error == 0) {
- ASSERT(mp == NULL);
- return (0);
- }
-
- UDP_STAT(us, udp_out_err_output);
- ASSERT(mp != NULL);
- if (IPCL_IS_NONSTR(connp)) {
- freemsg(mp);
- return (error);
- } else {
- /* mp is freed by the following routine */
- udp_ud_err(connp->conn_wq, mp, (uchar_t *)addr,
- (t_scalar_t)addrlen, (t_scalar_t)error);
- return (0);
- }
-}
-
-/* ARGSUSED */
-static int
-udp_send_not_connected(conn_t *connp, mblk_t *mp, struct sockaddr *addr,
- socklen_t addrlen, struct nmsghdr *msg, cred_t *cr, pid_t pid)
-{
-
- udp_t *udp = connp->conn_udp;
- boolean_t insert_spi = udp->udp_nat_t_endpoint;
- int error = 0;
- sin6_t *sin6;
- sin_t *sin;
- uint_t srcid;
- uint16_t port;
- ipaddr_t v4dst;
-
-
- ASSERT(addr != NULL);
-
- switch (udp->udp_family) {
- case AF_INET6:
- sin6 = (sin6_t *)addr;
- if (!IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
- /*
- * Destination is a non-IPv4-compatible IPv6 address.
- * Send out an IPv6 format packet.
- */
- mp = udp_output_v6(connp, mp, sin6, &error, msg, cr,
- pid);
- if (error != 0)
- goto ud_error;
-
- return (0);
- }
- /*
- * If the local address is not zero or a mapped address
- * return an error. It would be possible to send an IPv4
- * packet but the response would never make it back to the
- * application since it is bound to a non-mapped address.
- */
- if (!IN6_IS_ADDR_V4MAPPED(&udp->udp_v6src) &&
- !IN6_IS_ADDR_UNSPECIFIED(&udp->udp_v6src)) {
- error = EADDRNOTAVAIL;
- goto ud_error;
- }
- /* Send IPv4 packet without modifying udp_ipversion */
- /* Extract port and ipaddr */
- port = sin6->sin6_port;
- IN6_V4MAPPED_TO_IPADDR(&sin6->sin6_addr, v4dst);
- srcid = sin6->__sin6_src_id;
- break;
-
- case AF_INET:
- sin = (sin_t *)addr;
- /* Extract port and ipaddr */
- port = sin->sin_port;
- v4dst = sin->sin_addr.s_addr;
- srcid = 0;
- break;
- }
-
- mp = udp_output_v4(connp, mp, v4dst, port, srcid, &error, insert_spi,
- msg, cr, pid);
-
- if (error == 0) {
- ASSERT(mp == NULL);
- return (0);
- }
-
-ud_error:
- ASSERT(mp != NULL);
-
- return (error);
+ mp1 = mi_tpi_uderror_ind((char *)addr, addrlen, NULL, 0, error);
+ if (mp1 != NULL)
+ putnext(connp->conn_rq, mp1);
}
/*
@@ -5788,15 +3804,20 @@ ud_error:
void
udp_wput(queue_t *q, mblk_t *mp)
{
+ sin6_t *sin6;
+ sin_t *sin = NULL;
+ uint_t srcid;
conn_t *connp = Q_TO_CONN(q);
udp_t *udp = connp->conn_udp;
int error = 0;
- struct sockaddr *addr;
+ struct sockaddr *addr = NULL;
socklen_t addrlen;
udp_stack_t *us = udp->udp_us;
-
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_START,
- "udp_wput_start: queue %p mp %p", q, mp);
+ struct T_unitdata_req *tudr;
+ mblk_t *data_mp;
+ ushort_t ipversion;
+ cred_t *cr;
+ pid_t pid;
/*
* We directly handle several cases here: T_UNITDATA_REQ message
@@ -5805,910 +3826,612 @@ udp_wput(queue_t *q, mblk_t *mp)
*/
switch (DB_TYPE(mp)) {
case M_DATA:
- /*
- * Quick check for error cases. Checks will be done again
- * under the lock later on
- */
if (!udp->udp_issocket || udp->udp_state != TS_DATA_XFER) {
/* Not connected; address is required */
BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ UDP_DBGSTAT(us, udp_data_notconn);
UDP_STAT(us, udp_out_err_notconn);
freemsg(mp);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_END,
- "udp_wput_end: connp %p (%S)", connp,
- "not-connected; address required");
return;
}
- (void) udp_send_connected(connp, mp, NULL, NULL, -1);
+ /*
+ * All Solaris components should pass a db_credp
+ * for this message, hence we ASSERT.
+ * On production kernels we return an error to be robust against
+ * random streams modules sitting on top of us.
+ */
+ cr = msg_getcred(mp, &pid);
+ ASSERT(cr != NULL);
+ if (cr == NULL) {
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ freemsg(mp);
+ return;
+ }
+ ASSERT(udp->udp_issocket);
+ UDP_DBGSTAT(us, udp_data_conn);
+ error = udp_output_connected(connp, mp, cr, pid);
+ if (error != 0) {
+ UDP_STAT(us, udp_out_err_output);
+ if (connp->conn_rq != NULL)
+ udp_ud_err_connected(connp, (t_scalar_t)error);
+#ifdef DEBUG
+ printf("udp_output_connected returned %d\n", error);
+#endif
+ }
return;
case M_PROTO:
- case M_PCPROTO: {
- struct T_unitdata_req *tudr;
-
- ASSERT((uintptr_t)MBLKL(mp) <= (uintptr_t)INT_MAX);
+ case M_PCPROTO:
tudr = (struct T_unitdata_req *)mp->b_rptr;
-
- /* Handle valid T_UNITDATA_REQ here */
- if (MBLKL(mp) >= sizeof (*tudr) &&
- ((t_primp_t)mp->b_rptr)->type == T_UNITDATA_REQ) {
- if (mp->b_cont == NULL) {
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_END,
- "udp_wput_end: q %p (%S)", q, "badaddr");
- error = EPROTO;
- goto ud_error;
- }
-
- if (!MBLKIN(mp, 0, tudr->DEST_offset +
- tudr->DEST_length)) {
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_END,
- "udp_wput_end: q %p (%S)", q, "badaddr");
- error = EADDRNOTAVAIL;
- goto ud_error;
- }
- /*
- * If a port has not been bound to the stream, fail.
- * This is not a problem when sockfs is directly
- * above us, because it will ensure that the socket
- * is first bound before allowing data to be sent.
- */
- if (udp->udp_state == TS_UNBND) {
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_END,
- "udp_wput_end: q %p (%S)", q, "outstate");
- error = EPROTO;
- goto ud_error;
- }
- addr = (struct sockaddr *)
- &mp->b_rptr[tudr->DEST_offset];
- addrlen = tudr->DEST_length;
- if (tudr->OPT_length != 0)
- UDP_STAT(us, udp_out_opt);
- break;
+ if (MBLKL(mp) < sizeof (*tudr) ||
+ ((t_primp_t)mp->b_rptr)->type != T_UNITDATA_REQ) {
+ udp_wput_other(q, mp);
+ return;
}
- /* FALLTHRU */
- }
+ break;
+
default:
udp_wput_other(q, mp);
return;
}
- ASSERT(addr != NULL);
- error = udp_send_not_connected(connp, mp, addr, addrlen, NULL, NULL,
- -1);
- if (error != 0) {
-ud_error:
- UDP_STAT(us, udp_out_err_output);
- ASSERT(mp != NULL);
- /* mp is freed by the following routine */
- udp_ud_err(q, mp, (uchar_t *)addr, (t_scalar_t)addrlen,
- (t_scalar_t)error);
+ /* Handle valid T_UNITDATA_REQ here */
+ data_mp = mp->b_cont;
+ if (data_mp == NULL) {
+ error = EPROTO;
+ goto ud_error2;
}
-}
+ mp->b_cont = NULL;
-/* ARGSUSED */
-static void
-udp_wput_fallback(queue_t *wq, mblk_t *mp)
-{
-#ifdef DEBUG
- cmn_err(CE_CONT, "udp_wput_fallback: Message in fallback \n");
-#endif
- freemsg(mp);
-}
-
-
-/*
- * udp_output_v6():
- * Assumes that udp_wput did some sanity checking on the destination
- * address.
- */
-static mblk_t *
-udp_output_v6(conn_t *connp, mblk_t *mp, sin6_t *sin6, int *error,
- struct nmsghdr *msg, cred_t *cr, pid_t pid)
-{
- ip6_t *ip6h;
- ip6i_t *ip6i; /* mp1->b_rptr even if no ip6i_t */
- mblk_t *mp1 = mp;
- mblk_t *mp2;
- int udp_ip_hdr_len = IPV6_HDR_LEN + UDPH_SIZE;
- size_t ip_len;
- udpha_t *udph;
- udp_t *udp = connp->conn_udp;
- udp_stack_t *us = udp->udp_us;
- queue_t *q = connp->conn_wq;
- ip6_pkt_t ipp_s; /* For ancillary data options */
- ip6_pkt_t *ipp = &ipp_s;
- ip6_pkt_t *tipp; /* temporary ipp */
- uint32_t csum = 0;
- uint_t ignore = 0;
- uint_t option_exists = 0, is_sticky = 0;
- uint8_t *cp;
- uint8_t *nxthdr_ptr;
- in6_addr_t ip6_dst;
- in_port_t port;
- udpattrs_t attrs;
- boolean_t opt_present;
- ip6_hbh_t *hopoptsptr = NULL;
- uint_t hopoptslen = 0;
- boolean_t is_ancillary = B_FALSE;
- size_t sth_wroff = 0;
- ire_t *ire;
- boolean_t update_lastdst = B_FALSE;
-
- *error = 0;
-
- /*
- * If the local address is a mapped address return
- * an error.
- * It would be possible to send an IPv6 packet but the
- * response would never make it back to the application
- * since it is bound to a mapped address.
- */
- if (IN6_IS_ADDR_V4MAPPED(&udp->udp_v6src)) {
- *error = EADDRNOTAVAIL;
- goto done;
+ if (!MBLKIN(mp, 0, tudr->DEST_offset + tudr->DEST_length)) {
+ error = EADDRNOTAVAIL;
+ goto ud_error2;
}
- ipp->ipp_fields = 0;
- ipp->ipp_sticky_ignored = 0;
-
/*
- * If TPI options passed in, feed it for verification and handling
+ * All Solaris components should pass a db_credp
+ * for this TPI message, hence we should ASSERT.
+ * However, RPC (svc_clts_ksend) does this odd thing where it
+ * passes the options from a T_UNITDATA_IND unchanged in a
+ * T_UNITDATA_REQ. While that is the right thing to do for
+ * some options, SCM_UCRED being the key one, this also makes it
+ * pass down IP_RECVDSTADDR. Hence we can't ASSERT here.
*/
- attrs.udpattr_credset = B_FALSE;
- opt_present = B_FALSE;
- if (IPCL_IS_NONSTR(connp)) {
- if (msg->msg_controllen != 0) {
- attrs.udpattr_ipp6 = ipp;
- attrs.udpattr_mb = mp;
-
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- *error = process_auxiliary_options(connp,
- msg->msg_control, msg->msg_controllen,
- &attrs, &udp_opt_obj, udp_opt_set, cr);
- rw_exit(&udp->udp_rwlock);
- if (*error)
- goto done;
- ASSERT(*error == 0);
- opt_present = B_TRUE;
- }
- } else {
- if (DB_TYPE(mp) != M_DATA) {
- mp1 = mp->b_cont;
- if (((struct T_unitdata_req *)
- mp->b_rptr)->OPT_length != 0) {
- attrs.udpattr_ipp6 = ipp;
- attrs.udpattr_mb = mp;
- if (udp_unitdata_opt_process(q, mp, error,
- &attrs) < 0) {
- goto done;
- }
- ASSERT(*error == 0);
- opt_present = B_TRUE;
- }
- }
+ cr = msg_getcred(mp, &pid);
+ if (cr == NULL) {
+ cr = connp->conn_cred;
+ pid = connp->conn_cpid;
}
/*
- * Determine whether we need to mark the mblk with the user's
- * credentials.
- * If labeled then sockfs would have already done this.
+ * If a port has not been bound to the stream, fail.
+ * This is not a problem when sockfs is directly
+ * above us, because it will ensure that the socket
+ * is first bound before allowing data to be sent.
*/
- ASSERT(!is_system_labeled() || msg_getcred(mp, NULL) != NULL);
- ire = connp->conn_ire_cache;
- if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr) || (ire == NULL) ||
- (!IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, &sin6->sin6_addr)) ||
- (ire->ire_type & (IRE_LOCAL | IRE_LOOPBACK))) {
- if (cr != NULL && msg_getcred(mp, NULL) == NULL)
- mblk_setcred(mp, cr, pid);
- }
-
- rw_enter(&udp->udp_rwlock, RW_READER);
- ignore = ipp->ipp_sticky_ignored;
-
- /* mp1 points to the M_DATA mblk carrying the packet */
- ASSERT(mp1 != NULL && DB_TYPE(mp1) == M_DATA);
-
- if (sin6->sin6_scope_id != 0 &&
- IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) {
- /*
- * IPPF_SCOPE_ID is special. It's neither a sticky
- * option nor ancillary data. It needs to be
- * explicitly set in options_exists.
- */
- option_exists |= IPPF_SCOPE_ID;
+ if (udp->udp_state == TS_UNBND) {
+ error = EPROTO;
+ goto ud_error2;
}
+ addr = (struct sockaddr *)&mp->b_rptr[tudr->DEST_offset];
+ addrlen = tudr->DEST_length;
- /*
- * Compute the destination address
- */
- ip6_dst = sin6->sin6_addr;
- if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
- ip6_dst = ipv6_loopback;
-
- port = sin6->sin6_port;
-
- /*
- * Cluster and TSOL notes, Cluster check:
- * see comments in udp_output_v4().
- */
- mutex_enter(&connp->conn_lock);
-
- if (cl_inet_connect2 != NULL &&
- (!IN6_ARE_ADDR_EQUAL(&ip6_dst, &udp->udp_v6lastdst) ||
- port != udp->udp_lastdstport)) {
- mutex_exit(&connp->conn_lock);
- *error = 0;
- CL_INET_UDP_CONNECT(connp, udp, B_TRUE, &ip6_dst, port, *error);
- if (*error != 0) {
- *error = EHOSTUNREACH;
- rw_exit(&udp->udp_rwlock);
- goto done;
+ switch (connp->conn_family) {
+ case AF_INET6:
+ sin6 = (sin6_t *)addr;
+ if (!OK_32PTR((char *)sin6) || (addrlen != sizeof (sin6_t)) ||
+ (sin6->sin6_family != AF_INET6)) {
+ error = EADDRNOTAVAIL;
+ goto ud_error2;
}
- update_lastdst = B_TRUE;
- mutex_enter(&connp->conn_lock);
- }
- /*
- * If we're not going to the same destination as last time, then
- * recompute the label required. This is done in a separate routine to
- * avoid blowing up our stack here.
- *
- * TSOL Note: Since we are not in WRITER mode, UDP packets
- * to different destination may require different labels,
- * or worse, UDP packets to same IP address may require
- * different labels due to use of shared all-zones address.
- * We use conn_lock to ensure that lastdst, sticky ipp_hopopts,
- * and sticky ipp_hopoptslen are consistent for the current
- * destination and are updated atomically.
- */
- if (is_system_labeled()) {
- cred_t *credp;
- pid_t cpid;
+ srcid = sin6->__sin6_src_id;
+ if (!IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
+ /*
+ * Destination is a non-IPv4-compatible IPv6 address.
+ * Send out an IPv6 format packet.
+ */
- /* Using UDP MLP requires SCM_UCRED from user */
- if (connp->conn_mlp_type != mlptSingle &&
- !attrs.udpattr_credset) {
- DTRACE_PROBE4(
- tx__ip__log__info__output__udp6,
- char *, "MLP mp(1) lacks SCM_UCRED attr(2) on q(3)",
- mblk_t *, mp1, udpattrs_t *, &attrs, queue_t *, q);
- *error = EINVAL;
- rw_exit(&udp->udp_rwlock);
- mutex_exit(&connp->conn_lock);
- goto done;
- }
- /*
- * update label option for this UDP socket if
- * - the destination has changed,
- * - the UDP socket is MLP, or
- * - the cred attached to the mblk changed.
- */
- credp = msg_getcred(mp, &cpid);
- if (opt_present ||
- !IN6_ARE_ADDR_EQUAL(&udp->udp_v6lastdst, &ip6_dst) ||
- connp->conn_mlp_type != mlptSingle ||
- credp != udp->udp_last_cred) {
- if ((*error = udp_update_label_v6(q, mp, &ip6_dst))
- != 0) {
- rw_exit(&udp->udp_rwlock);
- mutex_exit(&connp->conn_lock);
- goto done;
+ /*
+ * If the local address is a mapped address return
+ * an error.
+ * It would be possible to send an IPv6 packet but the
+ * response would never make it back to the application
+ * since it is bound to a mapped address.
+ */
+ if (IN6_IS_ADDR_V4MAPPED(&connp->conn_saddr_v6)) {
+ error = EADDRNOTAVAIL;
+ goto ud_error2;
}
- update_lastdst = B_TRUE;
- }
- /*
- * Attach the effective cred to the mblk to ensure future
- * routing decisions will be based on it's label.
- */
- mblk_setcred(mp, udp->udp_effective_cred, cpid);
- }
- if (update_lastdst) {
- udp->udp_v6lastdst = ip6_dst;
- udp->udp_lastdstport = port;
- }
+ UDP_DBGSTAT(us, udp_out_ipv6);
- /*
- * If there's a security label here, then we ignore any options the
- * user may try to set. We keep the peer's label as a hidden sticky
- * option. We make a private copy of this label before releasing the
- * lock so that label is kept consistent with the destination addr.
- */
- if (udp->udp_label_len_v6 > 0) {
- ignore &= ~IPPF_HOPOPTS;
- ipp->ipp_fields &= ~IPPF_HOPOPTS;
- }
+ if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
+ sin6->sin6_addr = ipv6_loopback;
+ ipversion = IPV6_VERSION;
+ } else {
+ if (connp->conn_ipv6_v6only) {
+ error = EADDRNOTAVAIL;
+ goto ud_error2;
+ }
- if ((udp->udp_sticky_ipp.ipp_fields == 0) && (ipp->ipp_fields == 0)) {
- /* No sticky options nor ancillary data. */
- mutex_exit(&connp->conn_lock);
- goto no_options;
- }
+ /*
+ * If the local address is not zero or a mapped address
+ * return an error. It would be possible to send an
+ * IPv4 packet but the response would never make it
+ * back to the application since it is bound to a
+ * non-mapped address.
+ */
+ if (!IN6_IS_ADDR_V4MAPPED(&connp->conn_saddr_v6) &&
+ !IN6_IS_ADDR_UNSPECIFIED(&connp->conn_saddr_v6)) {
+ error = EADDRNOTAVAIL;
+ goto ud_error2;
+ }
+ UDP_DBGSTAT(us, udp_out_mapped);
- /*
- * Go through the options figuring out where each is going to
- * come from and build two masks. The first mask indicates if
- * the option exists at all. The second mask indicates if the
- * option is sticky or ancillary.
- */
- if (!(ignore & IPPF_HOPOPTS)) {
- if (ipp->ipp_fields & IPPF_HOPOPTS) {
- option_exists |= IPPF_HOPOPTS;
- udp_ip_hdr_len += ipp->ipp_hopoptslen;
- } else if (udp->udp_sticky_ipp.ipp_fields & IPPF_HOPOPTS) {
- option_exists |= IPPF_HOPOPTS;
- is_sticky |= IPPF_HOPOPTS;
- ASSERT(udp->udp_sticky_ipp.ipp_hopoptslen != 0);
- hopoptsptr = kmem_alloc(
- udp->udp_sticky_ipp.ipp_hopoptslen, KM_NOSLEEP);
- if (hopoptsptr == NULL) {
- *error = ENOMEM;
- mutex_exit(&connp->conn_lock);
- goto done;
+ if (V4_PART_OF_V6(sin6->sin6_addr) == INADDR_ANY) {
+ V4_PART_OF_V6(sin6->sin6_addr) =
+ htonl(INADDR_LOOPBACK);
}
- hopoptslen = udp->udp_sticky_ipp.ipp_hopoptslen;
- bcopy(udp->udp_sticky_ipp.ipp_hopopts, hopoptsptr,
- hopoptslen);
- udp_ip_hdr_len += hopoptslen;
+ ipversion = IPV4_VERSION;
}
- }
- mutex_exit(&connp->conn_lock);
- if (!(ignore & IPPF_RTHDR)) {
- if (ipp->ipp_fields & IPPF_RTHDR) {
- option_exists |= IPPF_RTHDR;
- udp_ip_hdr_len += ipp->ipp_rthdrlen;
- } else if (udp->udp_sticky_ipp.ipp_fields & IPPF_RTHDR) {
- option_exists |= IPPF_RTHDR;
- is_sticky |= IPPF_RTHDR;
- udp_ip_hdr_len += udp->udp_sticky_ipp.ipp_rthdrlen;
- }
- }
+ if (tudr->OPT_length != 0) {
+ /*
+ * If we are connected then the destination needs to be
+ * the same as the connected one.
+ */
+ if (udp->udp_state == TS_DATA_XFER &&
+ !conn_same_as_last_v6(connp, sin6)) {
+ error = EISCONN;
+ goto ud_error2;
+ }
+ UDP_STAT(us, udp_out_opt);
+ error = udp_output_ancillary(connp, NULL, sin6,
+ data_mp, mp, NULL, cr, pid);
+ } else {
+ ip_xmit_attr_t *ixa;
- if (!(ignore & IPPF_RTDSTOPTS) && (option_exists & IPPF_RTHDR)) {
- if (ipp->ipp_fields & IPPF_RTDSTOPTS) {
- option_exists |= IPPF_RTDSTOPTS;
- udp_ip_hdr_len += ipp->ipp_rtdstoptslen;
- } else if (udp->udp_sticky_ipp.ipp_fields & IPPF_RTDSTOPTS) {
- option_exists |= IPPF_RTDSTOPTS;
- is_sticky |= IPPF_RTDSTOPTS;
- udp_ip_hdr_len += udp->udp_sticky_ipp.ipp_rtdstoptslen;
+ /*
+ * We have to allocate an ip_xmit_attr_t before we grab
+ * conn_lock and we need to hold conn_lock once we've
+ * checked conn_same_as_last_v6 to handle concurrent
+ * send* calls on a socket.
+ */
+ ixa = conn_get_ixa(connp, B_FALSE);
+ if (ixa == NULL) {
+ error = ENOMEM;
+ goto ud_error2;
+ }
+ mutex_enter(&connp->conn_lock);
+
+ if (conn_same_as_last_v6(connp, sin6) &&
+ connp->conn_lastsrcid == srcid &&
+ ipsec_outbound_policy_current(ixa)) {
+ UDP_DBGSTAT(us, udp_out_lastdst);
+ /* udp_output_lastdst drops conn_lock */
+ error = udp_output_lastdst(connp, data_mp, cr,
+ pid, ixa);
+ } else {
+ UDP_DBGSTAT(us, udp_out_diffdst);
+ /* udp_output_newdst drops conn_lock */
+ error = udp_output_newdst(connp, data_mp, NULL,
+ sin6, ipversion, cr, pid, ixa);
+ }
+ ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
}
- }
-
- if (!(ignore & IPPF_DSTOPTS)) {
- if (ipp->ipp_fields & IPPF_DSTOPTS) {
- option_exists |= IPPF_DSTOPTS;
- udp_ip_hdr_len += ipp->ipp_dstoptslen;
- } else if (udp->udp_sticky_ipp.ipp_fields & IPPF_DSTOPTS) {
- option_exists |= IPPF_DSTOPTS;
- is_sticky |= IPPF_DSTOPTS;
- udp_ip_hdr_len += udp->udp_sticky_ipp.ipp_dstoptslen;
+ if (error == 0) {
+ freeb(mp);
+ return;
}
- }
+ break;
- if (!(ignore & IPPF_IFINDEX)) {
- if (ipp->ipp_fields & IPPF_IFINDEX) {
- option_exists |= IPPF_IFINDEX;
- } else if (udp->udp_sticky_ipp.ipp_fields & IPPF_IFINDEX) {
- option_exists |= IPPF_IFINDEX;
- is_sticky |= IPPF_IFINDEX;
+ case AF_INET:
+ sin = (sin_t *)addr;
+ if ((!OK_32PTR((char *)sin) || addrlen != sizeof (sin_t)) ||
+ (sin->sin_family != AF_INET)) {
+ error = EADDRNOTAVAIL;
+ goto ud_error2;
}
- }
+ UDP_DBGSTAT(us, udp_out_ipv4);
+ if (sin->sin_addr.s_addr == INADDR_ANY)
+ sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ ipversion = IPV4_VERSION;
- if (!(ignore & IPPF_ADDR)) {
- if (ipp->ipp_fields & IPPF_ADDR) {
- option_exists |= IPPF_ADDR;
- } else if (udp->udp_sticky_ipp.ipp_fields & IPPF_ADDR) {
- option_exists |= IPPF_ADDR;
- is_sticky |= IPPF_ADDR;
- }
- }
+ srcid = 0;
+ if (tudr->OPT_length != 0) {
+ /*
+ * If we are connected then the destination needs to be
+ * the same as the connected one.
+ */
+ if (udp->udp_state == TS_DATA_XFER &&
+ !conn_same_as_last_v4(connp, sin)) {
+ error = EISCONN;
+ goto ud_error2;
+ }
+ UDP_STAT(us, udp_out_opt);
+ error = udp_output_ancillary(connp, sin, NULL,
+ data_mp, mp, NULL, cr, pid);
+ } else {
+ ip_xmit_attr_t *ixa;
- if (!(ignore & IPPF_DONTFRAG)) {
- if (ipp->ipp_fields & IPPF_DONTFRAG) {
- option_exists |= IPPF_DONTFRAG;
- } else if (udp->udp_sticky_ipp.ipp_fields & IPPF_DONTFRAG) {
- option_exists |= IPPF_DONTFRAG;
- is_sticky |= IPPF_DONTFRAG;
+ /*
+ * We have to allocate an ip_xmit_attr_t before we grab
+ * conn_lock and we need to hold conn_lock once we've
+ * checked conn_same_as_last_v4 to handle concurrent
+ * send* calls on a socket.
+ */
+ ixa = conn_get_ixa(connp, B_FALSE);
+ if (ixa == NULL) {
+ error = ENOMEM;
+ goto ud_error2;
+ }
+ mutex_enter(&connp->conn_lock);
+
+ if (conn_same_as_last_v4(connp, sin) &&
+ ipsec_outbound_policy_current(ixa)) {
+ UDP_DBGSTAT(us, udp_out_lastdst);
+ /* udp_output_lastdst drops conn_lock */
+ error = udp_output_lastdst(connp, data_mp, cr,
+ pid, ixa);
+ } else {
+ UDP_DBGSTAT(us, udp_out_diffdst);
+ /* udp_output_newdst drops conn_lock */
+ error = udp_output_newdst(connp, data_mp, sin,
+ NULL, ipversion, cr, pid, ixa);
+ }
+ ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
}
- }
-
- if (!(ignore & IPPF_USE_MIN_MTU)) {
- if (ipp->ipp_fields & IPPF_USE_MIN_MTU) {
- option_exists |= IPPF_USE_MIN_MTU;
- } else if (udp->udp_sticky_ipp.ipp_fields &
- IPPF_USE_MIN_MTU) {
- option_exists |= IPPF_USE_MIN_MTU;
- is_sticky |= IPPF_USE_MIN_MTU;
+ if (error == 0) {
+ freeb(mp);
+ return;
}
+ break;
}
+ UDP_STAT(us, udp_out_err_output);
+ ASSERT(mp != NULL);
+ /* mp is freed by the following routine */
+ udp_ud_err(q, mp, (t_scalar_t)error);
+ return;
- if (!(ignore & IPPF_HOPLIMIT) && (ipp->ipp_fields & IPPF_HOPLIMIT))
- option_exists |= IPPF_HOPLIMIT;
- /* IPV6_HOPLIMIT can never be sticky */
- ASSERT(!(udp->udp_sticky_ipp.ipp_fields & IPPF_HOPLIMIT));
+ud_error2:
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ freemsg(data_mp);
+ UDP_STAT(us, udp_out_err_output);
+ ASSERT(mp != NULL);
+ /* mp is freed by the following routine */
+ udp_ud_err(q, mp, (t_scalar_t)error);
+}
- if (!(ignore & IPPF_UNICAST_HOPS) &&
- (udp->udp_sticky_ipp.ipp_fields & IPPF_UNICAST_HOPS)) {
- option_exists |= IPPF_UNICAST_HOPS;
- is_sticky |= IPPF_UNICAST_HOPS;
- }
+/*
+ * Handle the case of the IP address, port, flow label being different
+ * for both IPv4 and IPv6.
+ *
+ * NOTE: The caller must hold conn_lock and we drop it here.
+ */
+static int
+udp_output_newdst(conn_t *connp, mblk_t *data_mp, sin_t *sin, sin6_t *sin6,
+ ushort_t ipversion, cred_t *cr, pid_t pid, ip_xmit_attr_t *ixa)
+{
+ uint_t srcid;
+ uint32_t flowinfo;
+ udp_t *udp = connp->conn_udp;
+ int error = 0;
+ ip_xmit_attr_t *oldixa;
+ udp_stack_t *us = udp->udp_us;
+ in6_addr_t v6src;
+ in6_addr_t v6dst;
+ in6_addr_t v6nexthop;
+ in_port_t dstport;
- if (!(ignore & IPPF_MULTICAST_HOPS) &&
- (udp->udp_sticky_ipp.ipp_fields & IPPF_MULTICAST_HOPS)) {
- option_exists |= IPPF_MULTICAST_HOPS;
- is_sticky |= IPPF_MULTICAST_HOPS;
- }
+ ASSERT(MUTEX_HELD(&connp->conn_lock));
+ ASSERT(ixa != NULL);
+ /*
+ * We hold conn_lock across all the use and modifications of
+ * the conn_lastdst, conn_ixa, and conn_xmit_ipp to ensure that they
+ * stay consistent.
+ */
- if (!(ignore & IPPF_TCLASS)) {
- if (ipp->ipp_fields & IPPF_TCLASS) {
- option_exists |= IPPF_TCLASS;
- } else if (udp->udp_sticky_ipp.ipp_fields & IPPF_TCLASS) {
- option_exists |= IPPF_TCLASS;
- is_sticky |= IPPF_TCLASS;
- }
+ ASSERT(cr != NULL);
+ ixa->ixa_cred = cr;
+ ixa->ixa_cpid = pid;
+ if (is_system_labeled()) {
+ /* We need to restart with a label based on the cred */
+ ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
}
- if (!(ignore & IPPF_NEXTHOP) &&
- (udp->udp_sticky_ipp.ipp_fields & IPPF_NEXTHOP)) {
- option_exists |= IPPF_NEXTHOP;
- is_sticky |= IPPF_NEXTHOP;
+ /*
+ * If we are connected then the destination needs to be the
+ * same as the connected one, which is not the case here since we
+ * checked for that above.
+ */
+ if (udp->udp_state == TS_DATA_XFER) {
+ mutex_exit(&connp->conn_lock);
+ error = EISCONN;
+ goto ud_error;
}
-no_options:
+ /* In case previous destination was multicast or multirt */
+ ip_attr_newdst(ixa);
/*
- * If any options carried in the ip6i_t were specified, we
- * need to account for the ip6i_t in the data we'll be sending
- * down.
+ * If laddr is unspecified then we look at sin6_src_id.
+ * We will give precedence to a source address set with IPV6_PKTINFO
+ * (aka IPPF_ADDR) but that is handled in build_hdrs. However, we don't
+ * want ip_attr_connect to select a source (since it can fail) when
+ * IPV6_PKTINFO is specified.
+ * If this doesn't result in a source address then we get a source
+ * from ip_attr_connect() below.
*/
- if (option_exists & IPPF_HAS_IP6I)
- udp_ip_hdr_len += sizeof (ip6i_t);
-
- /* check/fix buffer config, setup pointers into it */
- ip6h = (ip6_t *)&mp1->b_rptr[-udp_ip_hdr_len];
- if (DB_REF(mp1) != 1 || ((unsigned char *)ip6h < DB_BASE(mp1)) ||
- !OK_32PTR(ip6h)) {
-
- /* Try to get everything in a single mblk next time */
- if (udp_ip_hdr_len > udp->udp_max_hdr_len) {
- udp->udp_max_hdr_len = udp_ip_hdr_len;
- sth_wroff = udp->udp_max_hdr_len + us->us_wroff_extra;
+ v6src = connp->conn_saddr_v6;
+ if (sin != NULL) {
+ IN6_IPADDR_TO_V4MAPPED(sin->sin_addr.s_addr, &v6dst);
+ dstport = sin->sin_port;
+ flowinfo = 0;
+ srcid = 0;
+ ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
+ if (srcid != 0 && V4_PART_OF_V6(&v6src) == INADDR_ANY) {
+ ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
+ connp->conn_netstack);
}
-
- mp2 = allocb(udp_ip_hdr_len + us->us_wroff_extra, BPRI_LO);
- if (mp2 == NULL) {
- *error = ENOMEM;
- rw_exit(&udp->udp_rwlock);
- goto done;
+ ixa->ixa_flags |= IXAF_IS_IPV4;
+ } else {
+ v6dst = sin6->sin6_addr;
+ dstport = sin6->sin6_port;
+ flowinfo = sin6->sin6_flowinfo;
+ srcid = sin6->__sin6_src_id;
+ if (IN6_IS_ADDR_LINKSCOPE(&v6dst) && sin6->sin6_scope_id != 0) {
+ ixa->ixa_scopeid = sin6->sin6_scope_id;
+ ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ } else {
+ ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
}
- mp2->b_wptr = DB_LIM(mp2);
- mp2->b_cont = mp1;
- mp1 = mp2;
- if (DB_TYPE(mp) != M_DATA)
- mp->b_cont = mp1;
+ if (srcid != 0 && IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
+ ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
+ connp->conn_netstack);
+ }
+ if (IN6_IS_ADDR_V4MAPPED(&v6dst))
+ ixa->ixa_flags |= IXAF_IS_IPV4;
else
- mp = mp1;
-
- ip6h = (ip6_t *)(mp1->b_wptr - udp_ip_hdr_len);
+ ixa->ixa_flags &= ~IXAF_IS_IPV4;
}
- mp1->b_rptr = (unsigned char *)ip6h;
- ip6i = (ip6i_t *)ip6h;
-
-#define ANCIL_OR_STICKY_PTR(f) ((is_sticky & f) ? &udp->udp_sticky_ipp : ipp)
- if (option_exists & IPPF_HAS_IP6I) {
- ip6h = (ip6_t *)&ip6i[1];
- ip6i->ip6i_flags = 0;
- ip6i->ip6i_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
-
- /* sin6_scope_id takes precendence over IPPF_IFINDEX */
- if (option_exists & IPPF_SCOPE_ID) {
- ip6i->ip6i_flags |= IP6I_IFINDEX;
- ip6i->ip6i_ifindex = sin6->sin6_scope_id;
- } else if (option_exists & IPPF_IFINDEX) {
- tipp = ANCIL_OR_STICKY_PTR(IPPF_IFINDEX);
- ASSERT(tipp->ipp_ifindex != 0);
- ip6i->ip6i_flags |= IP6I_IFINDEX;
- ip6i->ip6i_ifindex = tipp->ipp_ifindex;
- }
-
- if (option_exists & IPPF_ADDR) {
- /*
- * Enable per-packet source address verification if
- * IPV6_PKTINFO specified the source address.
- * ip6_src is set in the transport's _wput function.
- */
- ip6i->ip6i_flags |= IP6I_VERIFY_SRC;
- }
-
- if (option_exists & IPPF_DONTFRAG) {
- ip6i->ip6i_flags |= IP6I_DONTFRAG;
- }
+ /* Handle IPV6_PKTINFO setting source address. */
+ if (IN6_IS_ADDR_UNSPECIFIED(&v6src) &&
+ (connp->conn_xmit_ipp.ipp_fields & IPPF_ADDR)) {
+ ip_pkt_t *ipp = &connp->conn_xmit_ipp;
- if (option_exists & IPPF_USE_MIN_MTU) {
- ip6i->ip6i_flags = IP6I_API_USE_MIN_MTU(
- ip6i->ip6i_flags, ipp->ipp_use_min_mtu);
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ if (IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
+ v6src = ipp->ipp_addr;
+ } else {
+ if (!IN6_IS_ADDR_V4MAPPED(&ipp->ipp_addr))
+ v6src = ipp->ipp_addr;
}
+ }
- if (option_exists & IPPF_NEXTHOP) {
- tipp = ANCIL_OR_STICKY_PTR(IPPF_NEXTHOP);
- ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&tipp->ipp_nexthop));
- ip6i->ip6i_flags |= IP6I_NEXTHOP;
- ip6i->ip6i_nexthop = tipp->ipp_nexthop;
- }
+ ip_attr_nexthop(&connp->conn_xmit_ipp, ixa, &v6dst, &v6nexthop);
+ mutex_exit(&connp->conn_lock);
+ error = ip_attr_connect(connp, ixa, &v6src, &v6dst, &v6nexthop, dstport,
+ &v6src, NULL, IPDF_ALLOW_MCBC | IPDF_VERIFY_DST | IPDF_IPSEC);
+ switch (error) {
+ case 0:
+ break;
+ case EADDRNOTAVAIL:
/*
- * tell IP this is an ip6i_t private header
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
*/
- ip6i->ip6i_nxt = IPPROTO_RAW;
- }
-
- /* Initialize IPv6 header */
- ip6h->ip6_vcf = IPV6_DEFAULT_VERS_AND_FLOW;
- bzero(&ip6h->ip6_src, sizeof (ip6h->ip6_src));
-
- /* Set the hoplimit of the outgoing packet. */
- if (option_exists & IPPF_HOPLIMIT) {
- /* IPV6_HOPLIMIT ancillary data overrides all other settings. */
- ip6h->ip6_hops = ipp->ipp_hoplimit;
- ip6i->ip6i_flags |= IP6I_HOPLIMIT;
- } else if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) {
- ip6h->ip6_hops = udp->udp_multicast_ttl;
- if (option_exists & IPPF_MULTICAST_HOPS)
- ip6i->ip6i_flags |= IP6I_HOPLIMIT;
- } else {
- ip6h->ip6_hops = udp->udp_ttl;
- if (option_exists & IPPF_UNICAST_HOPS)
- ip6i->ip6i_flags |= IP6I_HOPLIMIT;
- }
-
- if (option_exists & IPPF_ADDR) {
- tipp = ANCIL_OR_STICKY_PTR(IPPF_ADDR);
- ASSERT(!IN6_IS_ADDR_UNSPECIFIED(&tipp->ipp_addr));
- ip6h->ip6_src = tipp->ipp_addr;
- } else {
+ error = ENETUNREACH;
+ goto failed;
+ case ENETDOWN:
/*
- * The source address was not set using IPV6_PKTINFO.
- * First look at the bound source.
- * If unspecified fallback to __sin6_src_id.
+ * Have !ipif_addr_ready address; drop packet silently
+ * until we can get applications to not send until we
+ * are ready.
*/
- ip6h->ip6_src = udp->udp_v6src;
- if (sin6->__sin6_src_id != 0 &&
- IN6_IS_ADDR_UNSPECIFIED(&ip6h->ip6_src)) {
- ip_srcid_find_id(sin6->__sin6_src_id,
- &ip6h->ip6_src, connp->conn_zoneid,
- us->us_netstack);
+ error = 0;
+ goto failed;
+ case EHOSTUNREACH:
+ case ENETUNREACH:
+ if (ixa->ixa_ire != NULL) {
+ /*
+ * Let conn_ip_output/ire_send_noroute return
+ * the error and send any local ICMP error.
+ */
+ error = 0;
+ break;
}
+ /* FALLTHRU */
+ failed:
+ default:
+ goto ud_error;
}
- nxthdr_ptr = (uint8_t *)&ip6h->ip6_nxt;
- cp = (uint8_t *)&ip6h[1];
/*
- * Here's where we have to start stringing together
- * any extension headers in the right order:
- * Hop-by-hop, destination, routing, and final destination opts.
+ * Cluster note: we let the cluster hook know that we are sending to a
+ * new address and/or port.
*/
- if (option_exists & IPPF_HOPOPTS) {
- /* Hop-by-hop options */
- ip6_hbh_t *hbh = (ip6_hbh_t *)cp;
- tipp = ANCIL_OR_STICKY_PTR(IPPF_HOPOPTS);
- if (hopoptslen == 0) {
- hopoptsptr = tipp->ipp_hopopts;
- hopoptslen = tipp->ipp_hopoptslen;
- is_ancillary = B_TRUE;
- }
-
- *nxthdr_ptr = IPPROTO_HOPOPTS;
- nxthdr_ptr = &hbh->ip6h_nxt;
-
- bcopy(hopoptsptr, cp, hopoptslen);
- cp += hopoptslen;
-
- if (hopoptsptr != NULL && !is_ancillary) {
- kmem_free(hopoptsptr, hopoptslen);
- hopoptsptr = NULL;
- hopoptslen = 0;
+ if (cl_inet_connect2 != NULL) {
+ CL_INET_UDP_CONNECT(connp, B_TRUE, &v6dst, dstport, error);
+ if (error != 0) {
+ error = EHOSTUNREACH;
+ goto ud_error;
}
}
- /*
- * En-route destination options
- * Only do them if there's a routing header as well
- */
- if (option_exists & IPPF_RTDSTOPTS) {
- ip6_dest_t *dst = (ip6_dest_t *)cp;
- tipp = ANCIL_OR_STICKY_PTR(IPPF_RTDSTOPTS);
-
- *nxthdr_ptr = IPPROTO_DSTOPTS;
- nxthdr_ptr = &dst->ip6d_nxt;
- bcopy(tipp->ipp_rtdstopts, cp, tipp->ipp_rtdstoptslen);
- cp += tipp->ipp_rtdstoptslen;
- }
- /*
- * Routing header next
- */
- if (option_exists & IPPF_RTHDR) {
- ip6_rthdr_t *rt = (ip6_rthdr_t *)cp;
- tipp = ANCIL_OR_STICKY_PTR(IPPF_RTHDR);
-
- *nxthdr_ptr = IPPROTO_ROUTING;
- nxthdr_ptr = &rt->ip6r_nxt;
-
- bcopy(tipp->ipp_rthdr, cp, tipp->ipp_rthdrlen);
- cp += tipp->ipp_rthdrlen;
- }
+ mutex_enter(&connp->conn_lock);
/*
- * Do ultimate destination options
+ * While we dropped the lock some other thread might have connected
+ * this socket. If so we bail out with EISCONN to ensure that the
+ * connecting thread is the one that updates conn_ixa, conn_ht_*
+ * and conn_*last*.
*/
- if (option_exists & IPPF_DSTOPTS) {
- ip6_dest_t *dest = (ip6_dest_t *)cp;
- tipp = ANCIL_OR_STICKY_PTR(IPPF_DSTOPTS);
-
- *nxthdr_ptr = IPPROTO_DSTOPTS;
- nxthdr_ptr = &dest->ip6d_nxt;
-
- bcopy(tipp->ipp_dstopts, cp, tipp->ipp_dstoptslen);
- cp += tipp->ipp_dstoptslen;
+ if (udp->udp_state == TS_DATA_XFER) {
+ mutex_exit(&connp->conn_lock);
+ error = EISCONN;
+ goto ud_error;
}
- /*
- * Now set the last header pointer to the proto passed in
- */
- ASSERT((int)(cp - (uint8_t *)ip6i) == (udp_ip_hdr_len - UDPH_SIZE));
- *nxthdr_ptr = IPPROTO_UDP;
-
- /* Update UDP header */
- udph = (udpha_t *)((uchar_t *)ip6i + udp_ip_hdr_len - UDPH_SIZE);
- udph->uha_dst_port = sin6->sin6_port;
- udph->uha_src_port = udp->udp_port;
/*
- * Copy in the destination address
+ * We need to rebuild the headers if
+ * - we are labeling packets (could be different for different
+ * destinations)
+ * - we have a source route (or routing header) since we need to
+ * massage that to get the pseudo-header checksum
+ * - the IP version is different than the last time
+ * - a socket option with COA_HEADER_CHANGED has been set which
+ * set conn_v6lastdst to zero.
+ *
+ * Otherwise the prepend function will just update the src, dst,
+ * dstport, and flow label.
*/
- ip6h->ip6_dst = ip6_dst;
-
- ip6h->ip6_vcf =
- (IPV6_DEFAULT_VERS_AND_FLOW & IPV6_VERS_AND_FLOW_MASK) |
- (sin6->sin6_flowinfo & ~IPV6_VERS_AND_FLOW_MASK);
-
- if (option_exists & IPPF_TCLASS) {
- tipp = ANCIL_OR_STICKY_PTR(IPPF_TCLASS);
- ip6h->ip6_vcf = IPV6_TCLASS_FLOW(ip6h->ip6_vcf,
- tipp->ipp_tclass);
- }
- rw_exit(&udp->udp_rwlock);
-
- if (option_exists & IPPF_RTHDR) {
- ip6_rthdr_t *rth;
-
+ if (is_system_labeled()) {
+ /* TX MLP requires SCM_UCRED and don't have that here */
+ if (connp->conn_mlp_type != mlptSingle) {
+ mutex_exit(&connp->conn_lock);
+ error = ECONNREFUSED;
+ goto ud_error;
+ }
/*
- * Perform any processing needed for source routing.
- * We know that all extension headers will be in the same mblk
- * as the IPv6 header.
+ * Check whether Trusted Solaris policy allows communication
+ * with this host, and pretend that the destination is
+ * unreachable if not.
+ * Compute any needed label and place it in ipp_label_v4/v6.
+ *
+ * Later conn_build_hdr_template/conn_prepend_hdr takes
+ * ipp_label_v4/v6 to form the packet.
+ *
+ * Tsol note: Since we hold conn_lock we know no other
+ * thread manipulates conn_xmit_ipp.
*/
- rth = ip_find_rthdr_v6(ip6h, mp1->b_wptr);
- if (rth != NULL && rth->ip6r_segleft != 0) {
- if (rth->ip6r_type != IPV6_RTHDR_TYPE_0) {
- /*
- * Drop packet - only support Type 0 routing.
- * Notify the application as well.
- */
- *error = EPROTO;
- goto done;
- }
-
- /*
- * rth->ip6r_len is twice the number of
- * addresses in the header. Thus it must be even.
- */
- if (rth->ip6r_len & 0x1) {
- *error = EPROTO;
- goto done;
- }
- /*
- * Shuffle the routing header and ip6_dst
- * addresses, and get the checksum difference
- * between the first hop (in ip6_dst) and
- * the destination (in the last routing hdr entry).
- */
- csum = ip_massage_options_v6(ip6h, rth,
- us->us_netstack);
- /*
- * Verify that the first hop isn't a mapped address.
- * Routers along the path need to do this verification
- * for subsequent hops.
- */
- if (IN6_IS_ADDR_V4MAPPED(&ip6h->ip6_dst)) {
- *error = EADDRNOTAVAIL;
- goto done;
+ error = conn_update_label(connp, ixa, &v6dst,
+ &connp->conn_xmit_ipp);
+ if (error != 0) {
+ mutex_exit(&connp->conn_lock);
+ goto ud_error;
+ }
+ /* Rebuild the header template */
+ error = udp_build_hdr_template(connp, &v6src, &v6dst, dstport,
+ flowinfo);
+ if (error != 0) {
+ mutex_exit(&connp->conn_lock);
+ goto ud_error;
+ }
+ } else if ((connp->conn_xmit_ipp.ipp_fields &
+ (IPPF_IPV4_OPTIONS|IPPF_RTHDR)) ||
+ ipversion != connp->conn_lastipversion ||
+ IN6_IS_ADDR_UNSPECIFIED(&connp->conn_v6lastdst)) {
+ /* Rebuild the header template */
+ error = udp_build_hdr_template(connp, &v6src, &v6dst, dstport,
+ flowinfo);
+ if (error != 0) {
+ mutex_exit(&connp->conn_lock);
+ goto ud_error;
+ }
+ } else {
+ /* Simply update the destination address if no source route */
+ if (ixa->ixa_flags & IXAF_IS_IPV4) {
+ ipha_t *ipha = (ipha_t *)connp->conn_ht_iphc;
+
+ IN6_V4MAPPED_TO_IPADDR(&v6dst, ipha->ipha_dst);
+ if (ixa->ixa_flags & IXAF_PMTU_IPV4_DF) {
+ ipha->ipha_fragment_offset_and_flags |=
+ IPH_DF_HTONS;
+ } else {
+ ipha->ipha_fragment_offset_and_flags &=
+ ~IPH_DF_HTONS;
}
-
- cp += (rth->ip6r_len + 1)*8;
+ } else {
+ ip6_t *ip6h = (ip6_t *)connp->conn_ht_iphc;
+ ip6h->ip6_dst = v6dst;
}
}
- /* count up length of UDP packet */
- ip_len = (mp1->b_wptr - (unsigned char *)ip6h) - IPV6_HDR_LEN;
- if ((mp2 = mp1->b_cont) != NULL) {
- do {
- ASSERT((uintptr_t)MBLKL(mp2) <= (uintptr_t)UINT_MAX);
- ip_len += (uint32_t)MBLKL(mp2);
- } while ((mp2 = mp2->b_cont) != NULL);
- }
-
/*
- * If the size of the packet is greater than the maximum allowed by
- * ip, return an error. Passing this down could cause panics because
- * the size will have wrapped and be inconsistent with the msg size.
- */
- if (ip_len > IP_MAXPACKET) {
- *error = EMSGSIZE;
- goto done;
- }
-
- /* Store the UDP length. Subtract length of extension hdrs */
- udph->uha_length = htons(ip_len + IPV6_HDR_LEN -
- (int)((uchar_t *)udph - (uchar_t *)ip6h));
-
- /*
- * We make it easy for IP to include our pseudo header
- * by putting our length in uh_checksum, modified (if
- * we have a routing header) by the checksum difference
- * between the ultimate destination and first hop addresses.
- * Note: UDP over IPv6 must always checksum the packet.
+ * Remember the dst/dstport etc which corresponds to the built header
+ * template and conn_ixa.
*/
- csum += udph->uha_length;
- csum = (csum & 0xFFFF) + (csum >> 16);
- udph->uha_checksum = (uint16_t)csum;
-
-#ifdef _LITTLE_ENDIAN
- ip_len = htons(ip_len);
-#endif
- ip6h->ip6_plen = ip_len;
-
- if (DB_TYPE(mp) != M_DATA) {
- cred_t *cr;
- pid_t cpid;
-
- /* Move any cred from the T_UNITDATA_REQ to the packet */
- cr = msg_extractcred(mp, &cpid);
- if (cr != NULL) {
- if (mp1->b_datap->db_credp != NULL)
- crfree(mp1->b_datap->db_credp);
- mp1->b_datap->db_credp = cr;
- mp1->b_datap->db_cpid = cpid;
- }
+ oldixa = conn_replace_ixa(connp, ixa);
+ connp->conn_v6lastdst = v6dst;
+ connp->conn_lastipversion = ipversion;
+ connp->conn_lastdstport = dstport;
+ connp->conn_lastflowinfo = flowinfo;
+ connp->conn_lastscopeid = ixa->ixa_scopeid;
+ connp->conn_lastsrcid = srcid;
+ /* Also remember a source to use together with lastdst */
+ connp->conn_v6lastsrc = v6src;
+
+ data_mp = udp_prepend_header_template(connp, ixa, data_mp, &v6src,
+ dstport, flowinfo, &error);
+
+ /* Done with conn_t */
+ mutex_exit(&connp->conn_lock);
+ ixa_refrele(oldixa);
- ASSERT(mp != mp1);
- freeb(mp);
+ if (data_mp == NULL) {
+ ASSERT(error != 0);
+ goto ud_error;
}
- /* mp has been consumed and we'll return success */
- ASSERT(*error == 0);
- mp = NULL;
-
- /* We're done. Pass the packet to IP */
+ /* We're done. Pass the packet to ip. */
BUMP_MIB(&us->us_udp_mib, udpHCOutDatagrams);
- ip_output_v6(connp, mp1, q, IP_WPUT);
-done:
- if (sth_wroff != 0) {
- (void) proto_set_tx_wroff(RD(q), connp,
- udp->udp_max_hdr_len + us->us_wroff_extra);
- }
- if (hopoptsptr != NULL && !is_ancillary) {
- kmem_free(hopoptsptr, hopoptslen);
- hopoptsptr = NULL;
- }
- if (*error != 0) {
- ASSERT(mp != NULL);
- BUMP_MIB(&us->us_udp_mib, udpOutErrors);
- }
- return (mp);
-}
-
-
-static int
-i_udp_getpeername(udp_t *udp, struct sockaddr *sa, uint_t *salenp)
-{
- sin_t *sin = (sin_t *)sa;
- sin6_t *sin6 = (sin6_t *)sa;
-
- ASSERT(RW_LOCK_HELD(&udp->udp_rwlock));
-
- if (udp->udp_state != TS_DATA_XFER)
- return (ENOTCONN);
-
- switch (udp->udp_family) {
- case AF_INET:
- ASSERT(udp->udp_ipversion == IPV4_VERSION);
-
- if (*salenp < sizeof (sin_t))
- return (EINVAL);
-
- *salenp = sizeof (sin_t);
- *sin = sin_null;
- sin->sin_family = AF_INET;
- sin->sin_port = udp->udp_dstport;
- sin->sin_addr.s_addr = V4_PART_OF_V6(udp->udp_v6dst);
+ error = conn_ip_output(data_mp, ixa);
+ /* No udpOutErrors if an error since IP increases its error counter */
+ switch (error) {
+ case 0:
break;
-
- case AF_INET6:
- if (*salenp < sizeof (sin6_t))
- return (EINVAL);
-
- *salenp = sizeof (sin6_t);
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_port = udp->udp_dstport;
- sin6->sin6_addr = udp->udp_v6dst;
- sin6->sin6_flowinfo = udp->udp_flowinfo;
+ case EWOULDBLOCK:
+ (void) ixa_check_drain_insert(connp, ixa);
+ error = 0;
break;
- }
-
- return (0);
-}
-
-static int
-udp_getmyname(udp_t *udp, struct sockaddr *sa, uint_t *salenp)
-{
- sin_t *sin = (sin_t *)sa;
- sin6_t *sin6 = (sin6_t *)sa;
-
- ASSERT(RW_LOCK_HELD(&udp->udp_rwlock));
-
- switch (udp->udp_family) {
- case AF_INET:
- ASSERT(udp->udp_ipversion == IPV4_VERSION);
-
- if (*salenp < sizeof (sin_t))
- return (EINVAL);
-
- *salenp = sizeof (sin_t);
- *sin = sin_null;
- sin->sin_family = AF_INET;
- sin->sin_port = udp->udp_port;
-
+ case EADDRNOTAVAIL:
/*
- * If udp_v6src is unspecified, we might be bound to broadcast
- * / multicast. Use udp_bound_v6src as local address instead
- * (that could also still be unspecified).
+ * IXAF_VERIFY_SOURCE tells us to pick a better source.
+ * Don't have the application see that errno
*/
- if (!IN6_IS_ADDR_V4MAPPED_ANY(&udp->udp_v6src) &&
- !IN6_IS_ADDR_UNSPECIFIED(&udp->udp_v6src)) {
- sin->sin_addr.s_addr = V4_PART_OF_V6(udp->udp_v6src);
- } else {
- sin->sin_addr.s_addr =
- V4_PART_OF_V6(udp->udp_bound_v6src);
- }
- break;
-
- case AF_INET6:
- if (*salenp < sizeof (sin6_t))
- return (EINVAL);
-
- *salenp = sizeof (sin6_t);
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_port = udp->udp_port;
- sin6->sin6_flowinfo = udp->udp_flowinfo;
-
+ error = ENETUNREACH;
+ /* FALLTHRU */
+ default:
+ mutex_enter(&connp->conn_lock);
/*
- * If udp_v6src is unspecified, we might be bound to broadcast
- * / multicast. Use udp_bound_v6src as local address instead
- * (that could also still be unspecified).
+ * Clear the source and v6lastdst so we call ip_attr_connect
+ * for the next packet and try to pick a better source.
*/
- if (!IN6_IS_ADDR_UNSPECIFIED(&udp->udp_v6src))
- sin6->sin6_addr = udp->udp_v6src;
+ if (connp->conn_mcbc_bind)
+ connp->conn_saddr_v6 = ipv6_all_zeros;
else
- sin6->sin6_addr = udp->udp_bound_v6src;
+ connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ mutex_exit(&connp->conn_lock);
break;
}
+ ixa_refrele(ixa);
+ return (error);
- return (0);
+ud_error:
+ if (ixa != NULL)
+ ixa_refrele(ixa);
+
+ freemsg(data_mp);
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ UDP_STAT(us, udp_out_err_output);
+ return (error);
+}
+
+/* ARGSUSED */
+static void
+udp_wput_fallback(queue_t *wq, mblk_t *mp)
+{
+#ifdef DEBUG
+ cmn_err(CE_CONT, "udp_wput_fallback: Message in fallback \n");
+#endif
+ freemsg(mp);
}
+
/*
* Handle special out-of-band ioctl requests (see PSARC/2008/265).
*/
@@ -6717,7 +4440,8 @@ udp_wput_cmdblk(queue_t *q, mblk_t *mp)
{
void *data;
mblk_t *datamp = mp->b_cont;
- udp_t *udp = Q_TO_UDP(q);
+ conn_t *connp = Q_TO_CONN(q);
+ udp_t *udp = connp->conn_udp;
cmdblk_t *cmdp = (cmdblk_t *)mp->b_rptr;
if (datamp == NULL || MBLKL(datamp) < cmdp->cb_len) {
@@ -6727,19 +4451,23 @@ udp_wput_cmdblk(queue_t *q, mblk_t *mp)
}
data = datamp->b_rptr;
- rw_enter(&udp->udp_rwlock, RW_READER);
+ mutex_enter(&connp->conn_lock);
switch (cmdp->cb_cmd) {
case TI_GETPEERNAME:
- cmdp->cb_error = i_udp_getpeername(udp, data, &cmdp->cb_len);
+ if (udp->udp_state != TS_DATA_XFER)
+ cmdp->cb_error = ENOTCONN;
+ else
+ cmdp->cb_error = conn_getpeername(connp, data,
+ &cmdp->cb_len);
break;
case TI_GETMYNAME:
- cmdp->cb_error = udp_getmyname(udp, data, &cmdp->cb_len);
+ cmdp->cb_error = conn_getsockname(connp, data, &cmdp->cb_len);
break;
default:
cmdp->cb_error = EINVAL;
break;
}
- rw_exit(&udp->udp_rwlock);
+ mutex_exit(&connp->conn_lock);
qreply(q, mp);
}
@@ -6747,10 +4475,11 @@ udp_wput_cmdblk(queue_t *q, mblk_t *mp)
static void
udp_use_pure_tpi(udp_t *udp)
{
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- udp->udp_issocket = B_FALSE;
- rw_exit(&udp->udp_rwlock);
+ conn_t *connp = udp->udp_connp;
+ mutex_enter(&connp->conn_lock);
+ udp->udp_issocket = B_FALSE;
+ mutex_exit(&connp->conn_lock);
UDP_STAT(udp->udp_us, udp_sock_fallback);
}
@@ -6758,20 +4487,13 @@ static void
udp_wput_other(queue_t *q, mblk_t *mp)
{
uchar_t *rptr = mp->b_rptr;
- struct datab *db;
struct iocblk *iocp;
- cred_t *cr;
conn_t *connp = Q_TO_CONN(q);
udp_t *udp = connp->conn_udp;
- udp_stack_t *us;
-
- TRACE_1(TR_FAC_UDP, TR_UDP_WPUT_OTHER_START,
- "udp_wput_other_start: q %p", q);
-
- us = udp->udp_us;
- db = mp->b_datap;
+ udp_stack_t *us = udp->udp_us;
+ cred_t *cr;
- switch (db->db_type) {
+ switch (mp->b_datap->db_type) {
case M_CMD:
udp_wput_cmdblk(q, mp);
return;
@@ -6779,37 +4501,29 @@ udp_wput_other(queue_t *q, mblk_t *mp)
case M_PROTO:
case M_PCPROTO:
if (mp->b_wptr - rptr < sizeof (t_scalar_t)) {
+ /*
+ * If the message does not contain a PRIM_type,
+ * throw it away.
+ */
freemsg(mp);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "protoshort");
return;
}
switch (((t_primp_t)rptr)->type) {
case T_ADDR_REQ:
udp_addr_req(q, mp);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "addrreq");
return;
case O_T_BIND_REQ:
case T_BIND_REQ:
udp_tpi_bind(q, mp);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "bindreq");
return;
case T_CONN_REQ:
udp_tpi_connect(q, mp);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "connreq");
return;
case T_CAPABILITY_REQ:
udp_capability_req(q, mp);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "capabreq");
return;
case T_INFO_REQ:
udp_info_req(q, mp);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "inforeq");
return;
case T_UNITDATA_REQ:
/*
@@ -6817,14 +4531,10 @@ udp_wput_other(queue_t *q, mblk_t *mp)
* be bad. Valid T_UNITDATA_REQs are handled
* in udp_wput.
*/
- udp_ud_err(q, mp, NULL, 0, EADDRNOTAVAIL);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "unitdatareq");
+ udp_ud_err(q, mp, EADDRNOTAVAIL);
return;
case T_UNBIND_REQ:
udp_tpi_unbind(q, mp);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "unbindreq");
return;
case T_SVR4_OPTMGMT_REQ:
/*
@@ -6842,11 +4552,8 @@ udp_wput_other(queue_t *q, mblk_t *mp)
}
if (!snmpcom_req(q, mp, udp_snmp_set, ip_snmp_get,
cr)) {
- (void) svr4_optcom_req(q,
- mp, cr, &udp_opt_obj, B_TRUE);
+ svr4_optcom_req(q, mp, cr, &udp_opt_obj);
}
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "optmgmtreq");
return;
case T_OPTMGMT_REQ:
@@ -6863,34 +4570,24 @@ udp_wput_other(queue_t *q, mblk_t *mp)
udp_err_ack(q, mp, TSYSERR, EINVAL);
return;
}
- (void) tpi_optcom_req(q, mp, cr, &udp_opt_obj, B_TRUE);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "optmgmtreq");
+ tpi_optcom_req(q, mp, cr, &udp_opt_obj);
return;
case T_DISCON_REQ:
udp_tpi_disconnect(q, mp);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "disconreq");
return;
/* The following TPI message is not supported by udp. */
case O_T_CONN_RES:
case T_CONN_RES:
udp_err_ack(q, mp, TNOTSUPPORT, 0);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q,
- "connres/disconreq");
return;
- /* The following 3 TPI messages are illegal for udp. */
+ /* The following 3 TPI requests are illegal for udp. */
case T_DATA_REQ:
case T_EXDATA_REQ:
case T_ORDREL_REQ:
udp_err_ack(q, mp, TNOTSUPPORT, 0);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q,
- "data/exdata/ordrel");
return;
default:
break;
@@ -6914,13 +4611,10 @@ udp_wput_other(queue_t *q, mblk_t *mp)
iocp->ioc_count = 0;
mp->b_datap->db_type = M_IOCACK;
qreply(q, mp);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q,
- "getpeername");
return;
}
/* FALLTHRU */
- case TI_GETMYNAME: {
+ case TI_GETMYNAME:
/*
* For TI_GETPEERNAME and TI_GETMYNAME, we first
* need to copyin the user's strbuf structure.
@@ -6929,17 +4623,12 @@ udp_wput_other(queue_t *q, mblk_t *mp)
*/
mi_copyin(q, mp, NULL,
SIZEOF_STRUCT(strbuf, iocp->ioc_flag));
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "getmyname");
return;
- }
case ND_SET:
/* nd_getset performs the necessary checking */
case ND_GET:
if (nd_getset(q, us->us_nd, mp)) {
qreply(q, mp);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "get");
return;
}
break;
@@ -6969,16 +4658,12 @@ udp_wput_other(queue_t *q, mblk_t *mp)
break;
case M_IOCDATA:
udp_wput_iocdata(q, mp);
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "iocdata");
return;
default:
/* Unrecognized messages are passed through without change. */
break;
}
- TRACE_2(TR_FAC_UDP, TR_UDP_WPUT_OTHER_END,
- "udp_wput_other_end: q %p (%S)", q, "end");
- ip_output(connp, mp, q, IP_WPUT);
+ ip_wput_nondata(q, mp);
}
/*
@@ -6991,9 +4676,9 @@ udp_wput_iocdata(queue_t *q, mblk_t *mp)
mblk_t *mp1;
struct iocblk *iocp = (struct iocblk *)mp->b_rptr;
STRUCT_HANDLE(strbuf, sb);
- udp_t *udp = Q_TO_UDP(q);
- int error;
uint_t addrlen;
+ conn_t *connp = Q_TO_CONN(q);
+ udp_t *udp = connp->conn_udp;
/* Make sure it is one of ours. */
switch (iocp->ioc_cmd) {
@@ -7001,7 +4686,7 @@ udp_wput_iocdata(queue_t *q, mblk_t *mp)
case TI_GETPEERNAME:
break;
default:
- ip_output(udp->udp_connp, mp, q, IP_WPUT);
+ ip_wput_nondata(q, mp);
return;
}
@@ -7040,77 +4725,45 @@ udp_wput_iocdata(queue_t *q, mblk_t *mp)
* address and then we'll copyout the strbuf.
*/
STRUCT_SET_HANDLE(sb, iocp->ioc_flag, (void *)mp1->b_rptr);
- addrlen = udp->udp_family == AF_INET ? sizeof (sin_t) : sizeof (sin6_t);
+
+ if (connp->conn_family == AF_INET)
+ addrlen = sizeof (sin_t);
+ else
+ addrlen = sizeof (sin6_t);
+
if (STRUCT_FGET(sb, maxlen) < addrlen) {
mi_copy_done(q, mp, EINVAL);
return;
}
- mp1 = mi_copyout_alloc(q, mp, STRUCT_FGETP(sb, buf), addrlen, B_TRUE);
-
- if (mp1 == NULL)
- return;
-
- rw_enter(&udp->udp_rwlock, RW_READER);
switch (iocp->ioc_cmd) {
case TI_GETMYNAME:
- error = udp_do_getsockname(udp, (void *)mp1->b_rptr, &addrlen);
break;
case TI_GETPEERNAME:
- error = udp_do_getpeername(udp, (void *)mp1->b_rptr, &addrlen);
+ if (udp->udp_state != TS_DATA_XFER) {
+ mi_copy_done(q, mp, ENOTCONN);
+ return;
+ }
break;
}
- rw_exit(&udp->udp_rwlock);
-
- if (error != 0) {
- mi_copy_done(q, mp, error);
- } else {
- mp1->b_wptr += addrlen;
- STRUCT_FSET(sb, len, addrlen);
-
- /* Copy out the address */
- mi_copyout(q, mp);
- }
-}
-
-static int
-udp_unitdata_opt_process(queue_t *q, mblk_t *mp, int *errorp,
- udpattrs_t *udpattrs)
-{
- struct T_unitdata_req *udreqp;
- int is_absreq_failure;
- cred_t *cr;
-
- ASSERT(((t_primp_t)mp->b_rptr)->type);
-
- /*
- * All Solaris components should pass a db_credp
- * for this TPI message, hence we should ASSERT.
- * However, RPC (svc_clts_ksend) does this odd thing where it
- * passes the options from a T_UNITDATA_IND unchanged in a
- * T_UNITDATA_REQ. While that is the right thing to do for
- * some options, SCM_UCRED being the key one, this also makes it
- * pass down IP_RECVDSTADDR. Hence we can't ASSERT here.
- */
- cr = msg_getcred(mp, NULL);
- if (cr == NULL) {
- cr = Q_TO_CONN(q)->conn_cred;
- }
- udreqp = (struct T_unitdata_req *)mp->b_rptr;
-
- *errorp = tpi_optcom_buf(q, mp, &udreqp->OPT_length,
- udreqp->OPT_offset, cr, &udp_opt_obj,
- udpattrs, &is_absreq_failure);
+ mp1 = mi_copyout_alloc(q, mp, STRUCT_FGETP(sb, buf), addrlen, B_TRUE);
+ if (!mp1)
+ return;
- if (*errorp != 0) {
- /*
- * Note: No special action needed in this
- * module for "is_absreq_failure"
- */
- return (-1); /* failure */
+ STRUCT_FSET(sb, len, addrlen);
+ switch (((struct iocblk *)mp->b_rptr)->ioc_cmd) {
+ case TI_GETMYNAME:
+ (void) conn_getsockname(connp, (struct sockaddr *)mp1->b_wptr,
+ &addrlen);
+ break;
+ case TI_GETPEERNAME:
+ (void) conn_getpeername(connp, (struct sockaddr *)mp1->b_wptr,
+ &addrlen);
+ break;
}
- ASSERT(is_absreq_failure == 0);
- return (0); /* success */
+ mp1->b_wptr += addrlen;
+ /* Copy out the address */
+ mi_copyout(q, mp);
}
void
@@ -7234,34 +4887,19 @@ udp_kstat2_init(netstackid_t stackid, udp_stat_t *us_statisticsp)
kstat_t *ksp;
udp_stat_t template = {
- { "udp_ip_send", KSTAT_DATA_UINT64 },
- { "udp_ip_ire_send", KSTAT_DATA_UINT64 },
- { "udp_ire_null", KSTAT_DATA_UINT64 },
{ "udp_sock_fallback", KSTAT_DATA_UINT64 },
- { "udp_out_sw_cksum", KSTAT_DATA_UINT64 },
- { "udp_out_sw_cksum_bytes", KSTAT_DATA_UINT64 },
{ "udp_out_opt", KSTAT_DATA_UINT64 },
{ "udp_out_err_notconn", KSTAT_DATA_UINT64 },
{ "udp_out_err_output", KSTAT_DATA_UINT64 },
{ "udp_out_err_tudr", KSTAT_DATA_UINT64 },
- { "udp_in_pktinfo", KSTAT_DATA_UINT64 },
- { "udp_in_recvdstaddr", KSTAT_DATA_UINT64 },
- { "udp_in_recvopts", KSTAT_DATA_UINT64 },
- { "udp_in_recvif", KSTAT_DATA_UINT64 },
- { "udp_in_recvslla", KSTAT_DATA_UINT64 },
- { "udp_in_recvucred", KSTAT_DATA_UINT64 },
- { "udp_in_recvttl", KSTAT_DATA_UINT64 },
- { "udp_in_recvhopopts", KSTAT_DATA_UINT64 },
- { "udp_in_recvhoplimit", KSTAT_DATA_UINT64 },
- { "udp_in_recvdstopts", KSTAT_DATA_UINT64 },
- { "udp_in_recvrtdstopts", KSTAT_DATA_UINT64 },
- { "udp_in_recvrthdr", KSTAT_DATA_UINT64 },
- { "udp_in_recvpktinfo", KSTAT_DATA_UINT64 },
- { "udp_in_recvtclass", KSTAT_DATA_UINT64 },
- { "udp_in_timestamp", KSTAT_DATA_UINT64 },
#ifdef DEBUG
{ "udp_data_conn", KSTAT_DATA_UINT64 },
{ "udp_data_notconn", KSTAT_DATA_UINT64 },
+ { "udp_out_lastdst", KSTAT_DATA_UINT64 },
+ { "udp_out_diffdst", KSTAT_DATA_UINT64 },
+ { "udp_out_ipv6", KSTAT_DATA_UINT64 },
+ { "udp_out_mapped", KSTAT_DATA_UINT64 },
+ { "udp_out_ipv4", KSTAT_DATA_UINT64 },
#endif
};
@@ -7384,8 +5022,6 @@ udp_set_rcv_hiwat(udp_t *udp, size_t size)
static void
udp_lrput(queue_t *q, mblk_t *mp)
{
- mblk_t *mp1;
-
switch (mp->b_datap->db_type) {
case M_FLUSH:
/* Turn around */
@@ -7396,9 +5032,6 @@ udp_lrput(queue_t *q, mblk_t *mp)
}
break;
}
- /* Could receive messages that passed through ar_rput */
- for (mp1 = mp; mp1; mp1 = mp1->b_cont)
- mp1->b_prev = mp1->b_next = NULL;
freemsg(mp);
}
@@ -7425,6 +5058,7 @@ udp_do_open(cred_t *credp, boolean_t isv6, int flags)
zoneid_t zoneid;
netstack_t *ns;
udp_stack_t *us;
+ int len;
ns = netstack_find_by_cred(credp);
ASSERT(ns != NULL);
@@ -7455,34 +5089,40 @@ udp_do_open(cred_t *credp, boolean_t isv6, int flags)
*/
netstack_rele(ns);
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- ASSERT(connp->conn_ulp == IPPROTO_UDP);
+ /*
+ * Since this conn_t/udp_t is not yet visible to anybody else we don't
+ * need to lock anything.
+ */
+ ASSERT(connp->conn_proto == IPPROTO_UDP);
ASSERT(connp->conn_udp == udp);
ASSERT(udp->udp_connp == connp);
/* Set the initial state of the stream and the privilege status. */
udp->udp_state = TS_UNBND;
+ connp->conn_ixa->ixa_flags |= IXAF_VERIFY_SOURCE;
if (isv6) {
- udp->udp_family = AF_INET6;
- udp->udp_ipversion = IPV6_VERSION;
- udp->udp_max_hdr_len = IPV6_HDR_LEN + UDPH_SIZE;
- udp->udp_ttl = us->us_ipv6_hoplimit;
- connp->conn_af_isv6 = B_TRUE;
+ connp->conn_family = AF_INET6;
+ connp->conn_ipversion = IPV6_VERSION;
+ connp->conn_ixa->ixa_flags &= ~IXAF_IS_IPV4;
+ connp->conn_default_ttl = us->us_ipv6_hoplimit;
+ len = sizeof (ip6_t) + UDPH_SIZE;
} else {
- udp->udp_family = AF_INET;
- udp->udp_ipversion = IPV4_VERSION;
- udp->udp_max_hdr_len = IP_SIMPLE_HDR_LENGTH + UDPH_SIZE;
- udp->udp_ttl = us->us_ipv4_ttl;
- connp->conn_af_isv6 = B_FALSE;
+ connp->conn_family = AF_INET;
+ connp->conn_ipversion = IPV4_VERSION;
+ connp->conn_ixa->ixa_flags |= IXAF_IS_IPV4;
+ connp->conn_default_ttl = us->us_ipv4_ttl;
+ len = sizeof (ipha_t) + UDPH_SIZE;
}
- udp->udp_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
- udp->udp_pending_op = -1;
- connp->conn_multicast_loop = IP_DEFAULT_MULTICAST_LOOP;
- connp->conn_zoneid = zoneid;
+ ASSERT(connp->conn_ixa->ixa_protocol == connp->conn_proto);
+ connp->conn_xmit_ipp.ipp_unicast_hops = connp->conn_default_ttl;
+
+ connp->conn_ixa->ixa_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
+ connp->conn_ixa->ixa_flags |= IXAF_MULTICAST_LOOP | IXAF_SET_ULP_CKSUM;
+ /* conn_allzones can not be set this early, hence no IPCL_ZONEID */
+ connp->conn_ixa->ixa_zoneid = zoneid;
- udp->udp_open_time = lbolt64;
- udp->udp_open_pid = curproc->p_pid;
+ connp->conn_zoneid = zoneid;
/*
* If the caller has the process-wide flag set, then default to MAC
@@ -7491,22 +5131,38 @@ udp_do_open(cred_t *credp, boolean_t isv6, int flags)
if (getpflags(NET_MAC_AWARE, credp) != 0)
connp->conn_mac_mode = CONN_MAC_AWARE;
- connp->conn_ulp_labeled = is_system_labeled();
+ connp->conn_zone_is_global = (crgetzoneid(credp) == GLOBAL_ZONEID);
udp->udp_us = us;
+ connp->conn_rcvbuf = us->us_recv_hiwat;
+ connp->conn_sndbuf = us->us_xmit_hiwat;
+ connp->conn_sndlowat = us->us_xmit_lowat;
+ connp->conn_rcvlowat = udp_mod_info.mi_lowat;
+
+ connp->conn_wroff = len + us->us_wroff_extra;
+ connp->conn_so_type = SOCK_DGRAM;
+
connp->conn_recv = udp_input;
+ connp->conn_recvicmp = udp_icmp_input;
crhold(credp);
connp->conn_cred = credp;
+ connp->conn_cpid = curproc->p_pid;
+ connp->conn_open_time = lbolt64;
+ /* Cache things in ixa without an extra refhold */
+ connp->conn_ixa->ixa_cred = connp->conn_cred;
+ connp->conn_ixa->ixa_cpid = connp->conn_cpid;
+ if (is_system_labeled())
+ connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
*((sin6_t *)&udp->udp_delayed_addr) = sin6_null;
- rw_exit(&udp->udp_rwlock);
+ if (us->us_pmtu_discovery)
+ connp->conn_ixa->ixa_flags |= IXAF_PMTU_DISCOVERY;
return (connp);
}
-/* ARGSUSED */
sock_lower_handle_t
udp_create(int family, int type, int proto, sock_downcalls_t **sock_downcalls,
uint_t *smodep, int *errorp, int flags, cred_t *credp)
@@ -7539,39 +5195,17 @@ udp_create(int family, int type, int proto, sock_downcalls_t **sock_downcalls,
ASSERT(us != NULL);
udp->udp_issocket = B_TRUE;
- connp->conn_flags |= IPCL_NONSTR | IPCL_SOCKET;
-
- /* Set flow control */
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- (void) udp_set_rcv_hiwat(udp, us->us_recv_hiwat);
- udp->udp_rcv_disply_hiwat = us->us_recv_hiwat;
- udp->udp_rcv_lowat = udp_mod_info.mi_lowat;
- udp->udp_xmit_hiwat = us->us_xmit_hiwat;
- udp->udp_xmit_lowat = us->us_xmit_lowat;
-
- if (udp->udp_family == AF_INET6) {
- /* Build initial header template for transmit */
- if ((*errorp = udp_build_hdrs(udp)) != 0) {
- rw_exit(&udp->udp_rwlock);
- ipcl_conn_destroy(connp);
- return (NULL);
- }
- }
- rw_exit(&udp->udp_rwlock);
+ connp->conn_flags |= IPCL_NONSTR;
- connp->conn_flow_cntrld = B_FALSE;
-
- ASSERT(us->us_ldi_ident != NULL);
-
- if ((*errorp = ip_create_helper_stream(connp, us->us_ldi_ident)) != 0) {
- ip1dbg(("udp_create: create of IP helper stream failed\n"));
- udp_do_close(connp);
- return (NULL);
- }
+ /*
+ * Set flow control
+ * Since this conn_t/udp_t is not yet visible to anybody else we don't
+ * need to lock anything.
+ */
+ (void) udp_set_rcv_hiwat(udp, connp->conn_rcvbuf);
+ udp->udp_rcv_disply_hiwat = connp->conn_rcvbuf;
- /* Set the send flow control */
- connp->conn_wq->q_hiwat = us->us_xmit_hiwat;
- connp->conn_wq->q_lowat = us->us_xmit_lowat;
+ connp->conn_flow_cntrld = B_FALSE;
mutex_enter(&connp->conn_lock);
connp->conn_state_flags &= ~CONN_INCIPIENT;
@@ -7583,14 +5217,12 @@ udp_create(int family, int type, int proto, sock_downcalls_t **sock_downcalls,
return ((sock_lower_handle_t)connp);
}
-/* ARGSUSED */
+/* ARGSUSED3 */
void
udp_activate(sock_lower_handle_t proto_handle, sock_upper_handle_t sock_handle,
sock_upcalls_t *sock_upcalls, int flags, cred_t *cr)
{
conn_t *connp = (conn_t *)proto_handle;
- udp_t *udp = connp->conn_udp;
- udp_stack_t *us = udp->udp_us;
struct sock_proto_props sopp;
/* All Solaris components should pass a cred for this operation. */
@@ -7599,14 +5231,15 @@ udp_activate(sock_lower_handle_t proto_handle, sock_upper_handle_t sock_handle,
connp->conn_upcalls = sock_upcalls;
connp->conn_upper_handle = sock_handle;
- sopp.sopp_flags = SOCKOPT_WROFF | SOCKOPT_RCVHIWAT |
+ sopp.sopp_flags = SOCKOPT_WROFF | SOCKOPT_RCVHIWAT | SOCKOPT_RCVLOWAT |
SOCKOPT_MAXBLK | SOCKOPT_MAXPSZ | SOCKOPT_MINPSZ;
- sopp.sopp_wroff = udp->udp_max_hdr_len + us->us_wroff_extra;
+ sopp.sopp_wroff = connp->conn_wroff;
sopp.sopp_maxblk = INFPSZ;
- sopp.sopp_rxhiwat = udp->udp_rcv_hiwat;
+ sopp.sopp_rxhiwat = connp->conn_rcvbuf;
+ sopp.sopp_rxlowat = connp->conn_rcvlowat;
sopp.sopp_maxaddrlen = sizeof (sin6_t);
sopp.sopp_maxpsz =
- (udp->udp_family == AF_INET) ? UDP_MAXPACKET_IPV4 :
+ (connp->conn_family == AF_INET) ? UDP_MAXPACKET_IPV4 :
UDP_MAXPACKET_IPV6;
sopp.sopp_minpsz = (udp_mod_info.mi_minpsz == 1) ? 0 :
udp_mod_info.mi_minpsz;
@@ -7618,9 +5251,32 @@ udp_activate(sock_lower_handle_t proto_handle, sock_upper_handle_t sock_handle,
static void
udp_do_close(conn_t *connp)
{
+ udp_t *udp;
+
ASSERT(connp != NULL && IPCL_IS_UDP(connp));
+ udp = connp->conn_udp;
+
+ if (cl_inet_unbind != NULL && udp->udp_state == TS_IDLE) {
+ /*
+ * Running in cluster mode - register unbind information
+ */
+ if (connp->conn_ipversion == IPV4_VERSION) {
+ (*cl_inet_unbind)(
+ connp->conn_netstack->netstack_stackid,
+ IPPROTO_UDP, AF_INET,
+ (uint8_t *)(&V4_PART_OF_V6(connp->conn_laddr_v6)),
+ (in_port_t)connp->conn_lport, NULL);
+ } else {
+ (*cl_inet_unbind)(
+ connp->conn_netstack->netstack_stackid,
+ IPPROTO_UDP, AF_INET6,
+ (uint8_t *)&(connp->conn_laddr_v6),
+ (in_port_t)connp->conn_lport, NULL);
+ }
+ }
+
+ udp_bind_hash_remove(udp, B_FALSE);
- udp_quiesce_conn(connp);
ip_quiesce_conn(connp);
if (!IPCL_IS_NONSTR(connp)) {
@@ -7642,6 +5298,7 @@ udp_do_close(conn_t *connp)
* future.
*/
ASSERT(connp->conn_ref == 1);
+
if (!IPCL_IS_NONSTR(connp)) {
inet_minor_free(connp->conn_minor_arena, connp->conn_dev);
} else {
@@ -7652,7 +5309,7 @@ udp_do_close(conn_t *connp)
ipcl_conn_destroy(connp);
}
-/* ARGSUSED */
+/* ARGSUSED1 */
int
udp_close(sock_lower_handle_t proto_handle, int flags, cred_t *cr)
{
@@ -7671,59 +5328,41 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
{
sin_t *sin;
sin6_t *sin6;
- sin6_t sin6addr;
+ udp_t *udp = connp->conn_udp;
+ int error = 0;
+ ip_laddr_t laddr_type = IPVL_UNICAST_UP; /* INADDR_ANY */
in_port_t port; /* Host byte order */
in_port_t requested_port; /* Host byte order */
int count;
+ ipaddr_t v4src; /* Set if AF_INET */
in6_addr_t v6src;
int loopmax;
udp_fanout_t *udpf;
in_port_t lport; /* Network byte order */
- udp_t *udp;
+ uint_t scopeid = 0;
+ zoneid_t zoneid = IPCL_ZONEID(connp);
+ ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
boolean_t is_inaddr_any;
mlp_type_t addrtype, mlptype;
- udp_stack_t *us;
- int error = 0;
- mblk_t *mp = NULL;
-
- udp = connp->conn_udp;
- us = udp->udp_us;
-
- if (udp->udp_state != TS_UNBND) {
- (void) strlog(UDP_MOD_ID, 0, 1, SL_ERROR|SL_TRACE,
- "udp_bind: bad state, %u", udp->udp_state);
- return (-TOUTSTATE);
- }
+ udp_stack_t *us = udp->udp_us;
switch (len) {
- case 0:
- if (udp->udp_family == AF_INET) {
- sin = (sin_t *)&sin6addr;
- *sin = sin_null;
- sin->sin_family = AF_INET;
- sin->sin_addr.s_addr = INADDR_ANY;
- udp->udp_ipversion = IPV4_VERSION;
- } else {
- ASSERT(udp->udp_family == AF_INET6);
- sin6 = (sin6_t *)&sin6addr;
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- V6_SET_ZERO(sin6->sin6_addr);
- udp->udp_ipversion = IPV6_VERSION;
- }
- port = 0;
- break;
-
case sizeof (sin_t): /* Complete IPv4 address */
sin = (sin_t *)sa;
if (sin == NULL || !OK_32PTR((char *)sin))
return (EINVAL);
- if (udp->udp_family != AF_INET ||
+ if (connp->conn_family != AF_INET ||
sin->sin_family != AF_INET) {
return (EAFNOSUPPORT);
}
+ v4src = sin->sin_addr.s_addr;
+ IN6_IPADDR_TO_V4MAPPED(v4src, &v6src);
+ if (v4src != INADDR_ANY) {
+ laddr_type = ip_laddr_verify_v4(v4src, zoneid, ipst,
+ B_TRUE);
+ }
port = ntohs(sin->sin_port);
break;
@@ -7733,10 +5372,28 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
if (sin6 == NULL || !OK_32PTR((char *)sin6))
return (EINVAL);
- if (udp->udp_family != AF_INET6 ||
+ if (connp->conn_family != AF_INET6 ||
sin6->sin6_family != AF_INET6) {
return (EAFNOSUPPORT);
}
+ v6src = sin6->sin6_addr;
+ if (IN6_IS_ADDR_V4MAPPED(&v6src)) {
+ if (connp->conn_ipv6_v6only)
+ return (EADDRNOTAVAIL);
+
+ IN6_V4MAPPED_TO_IPADDR(&v6src, v4src);
+ if (v4src != INADDR_ANY) {
+ laddr_type = ip_laddr_verify_v4(v4src,
+ zoneid, ipst, B_FALSE);
+ }
+ } else {
+ if (!IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
+ if (IN6_IS_ADDR_LINKSCOPE(&v6src))
+ scopeid = sin6->sin6_scope_id;
+ laddr_type = ip_laddr_verify_v6(&v6src,
+ zoneid, ipst, B_TRUE, scopeid);
+ }
+ }
port = ntohs(sin6->sin6_port);
break;
@@ -7746,6 +5403,10 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
return (-TBADADDR);
}
+ /* Is the local address a valid unicast, multicast, or broadcast? */
+ if (laddr_type == IPVL_BAD)
+ return (EADDRNOTAVAIL);
+
requested_port = port;
if (requested_port == 0 || !bind_to_req_port_only)
@@ -7759,7 +5420,7 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
* doesn't care which port number we bind to. Get one in the
* valid range.
*/
- if (udp->udp_anon_priv_bind) {
+ if (connp->conn_anon_priv_bind) {
port = udp_get_next_priv_port(udp);
} else {
port = udp_update_next_port(udp,
@@ -7798,53 +5459,45 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
* TPI primitives only 1 at a time and wait for the response before
* sending the next primitive.
*/
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- if (udp->udp_state != TS_UNBND || udp->udp_pending_op != -1) {
- rw_exit(&udp->udp_rwlock);
+ mutex_enter(&connp->conn_lock);
+ if (udp->udp_state != TS_UNBND) {
+ mutex_exit(&connp->conn_lock);
(void) strlog(UDP_MOD_ID, 0, 1, SL_ERROR|SL_TRACE,
"udp_bind: bad state, %u", udp->udp_state);
return (-TOUTSTATE);
}
- /* XXX how to remove the T_BIND_REQ? Should set it before calling */
- udp->udp_pending_op = T_BIND_REQ;
/*
* Copy the source address into our udp structure. This address
* may still be zero; if so, IP will fill in the correct address
* each time an outbound packet is passed to it. Since the udp is
* not yet in the bind hash list, we don't grab the uf_lock to
- * change udp_ipversion
+ * change conn_ipversion
*/
- if (udp->udp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
ASSERT(sin != NULL);
- ASSERT(udp->udp_ipversion == IPV4_VERSION);
- udp->udp_max_hdr_len = IP_SIMPLE_HDR_LENGTH + UDPH_SIZE +
- udp->udp_ip_snd_options_len;
- IN6_IPADDR_TO_V4MAPPED(sin->sin_addr.s_addr, &v6src);
+ ASSERT(connp->conn_ixa->ixa_flags & IXAF_IS_IPV4);
} else {
- ASSERT(sin6 != NULL);
- v6src = sin6->sin6_addr;
if (IN6_IS_ADDR_V4MAPPED(&v6src)) {
/*
- * no need to hold the uf_lock to set the udp_ipversion
+ * no need to hold the uf_lock to set the conn_ipversion
* since we are not yet in the fanout list
*/
- udp->udp_ipversion = IPV4_VERSION;
- udp->udp_max_hdr_len = IP_SIMPLE_HDR_LENGTH +
- UDPH_SIZE + udp->udp_ip_snd_options_len;
+ connp->conn_ipversion = IPV4_VERSION;
+ connp->conn_ixa->ixa_flags |= IXAF_IS_IPV4;
} else {
- udp->udp_ipversion = IPV6_VERSION;
- udp->udp_max_hdr_len = udp->udp_sticky_hdrs_len;
+ connp->conn_ipversion = IPV6_VERSION;
+ connp->conn_ixa->ixa_flags &= ~IXAF_IS_IPV4;
}
}
/*
- * If udp_reuseaddr is not set, then we have to make sure that
+ * If conn_reuseaddr is not set, then we have to make sure that
* the IP address and port number the application requested
* (or we selected for the application) is not being used by
* another stream. If another stream is already using the
* requested IP address and port, the behavior depends on
* "bind_to_req_port_only". If set the bind fails; otherwise we
- * search for any an unused port to bind to the the stream.
+ * search for any an unused port to bind to the stream.
*
* As per the BSD semantics, as modified by the Deering multicast
* changes, if udp_reuseaddr is set, then we allow multiple binds
@@ -7860,7 +5513,7 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
*/
count = 0;
- if (udp->udp_anon_priv_bind) {
+ if (connp->conn_anon_priv_bind) {
/*
* loopmax = (IPPORT_RESERVED-1) -
* us->us_min_anonpriv_port + 1
@@ -7876,6 +5529,7 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
for (;;) {
udp_t *udp1;
boolean_t found_exclbind = B_FALSE;
+ conn_t *connp1;
/*
* Walk through the list of udp streams bound to
@@ -7887,7 +5541,9 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
mutex_enter(&udpf->uf_lock);
for (udp1 = udpf->uf_udp; udp1 != NULL;
udp1 = udp1->udp_bind_hash) {
- if (lport != udp1->udp_port)
+ connp1 = udp1->udp_connp;
+
+ if (lport != connp1->conn_lport)
continue;
/*
@@ -7896,7 +5552,7 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
* privilege as being in all zones, as there's
* otherwise no way to identify the right receiver.
*/
- if (!IPCL_BIND_ZONE_MATCH(udp1->udp_connp, connp))
+ if (!IPCL_BIND_ZONE_MATCH(connp1, connp))
continue;
/*
@@ -7918,12 +5574,13 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
* For labeled systems, SO_MAC_EXEMPT behaves the same
* as UDP_EXCLBIND, except that zoneid is ignored.
*/
- if (udp1->udp_exclbind || udp->udp_exclbind ||
+ if (connp1->conn_exclbind || connp->conn_exclbind ||
IPCL_CONNS_MAC(udp1->udp_connp, connp)) {
if (V6_OR_V4_INADDR_ANY(
- udp1->udp_bound_v6src) ||
+ connp1->conn_bound_addr_v6) ||
is_inaddr_any ||
- IN6_ARE_ADDR_EQUAL(&udp1->udp_bound_v6src,
+ IN6_ARE_ADDR_EQUAL(
+ &connp1->conn_bound_addr_v6,
&v6src)) {
found_exclbind = B_TRUE;
break;
@@ -7935,7 +5592,7 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
* Check ipversion to allow IPv4 and IPv6 sockets to
* have disjoint port number spaces.
*/
- if (udp->udp_ipversion != udp1->udp_ipversion) {
+ if (connp->conn_ipversion != connp1->conn_ipversion) {
/*
* On the first time through the loop, if the
@@ -7963,8 +5620,8 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
* (non-wildcard, also), keep going.
*/
if (!is_inaddr_any &&
- !V6_OR_V4_INADDR_ANY(udp1->udp_bound_v6src) &&
- !IN6_ARE_ADDR_EQUAL(&udp1->udp_bound_v6src,
+ !V6_OR_V4_INADDR_ANY(connp1->conn_bound_addr_v6) &&
+ !IN6_ARE_ADDR_EQUAL(&connp1->conn_laddr_v6,
&v6src)) {
continue;
}
@@ -7972,7 +5629,7 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
}
if (!found_exclbind &&
- (udp->udp_reuseaddr && requested_port != 0)) {
+ (connp->conn_reuseaddr && requested_port != 0)) {
break;
}
@@ -7995,12 +5652,11 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
* the routine (and exit the loop).
*
*/
- udp->udp_pending_op = -1;
- rw_exit(&udp->udp_rwlock);
+ mutex_exit(&connp->conn_lock);
return (-TADDRBUSY);
}
- if (udp->udp_anon_priv_bind) {
+ if (connp->conn_anon_priv_bind) {
port = udp_get_next_priv_port(udp);
} else {
if ((count == 0) && (requested_port != 0)) {
@@ -8025,66 +5681,82 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
* there are none available, so send an error
* to the user.
*/
- udp->udp_pending_op = -1;
- rw_exit(&udp->udp_rwlock);
+ mutex_exit(&connp->conn_lock);
return (-TNOADDR);
}
}
/*
* Copy the source address into our udp structure. This address
- * may still be zero; if so, ip will fill in the correct address
- * each time an outbound packet is passed to it.
+ * may still be zero; if so, ip_attr_connect will fill in the correct
+ * address when a packet is about to be sent.
* If we are binding to a broadcast or multicast address then
- * udp_post_ip_bind_connect will clear the source address
- * when udp_do_bind success.
+ * we just set the conn_bound_addr since we don't want to use
+ * that as the source address when sending.
*/
- udp->udp_v6src = udp->udp_bound_v6src = v6src;
- udp->udp_port = lport;
+ connp->conn_bound_addr_v6 = v6src;
+ connp->conn_laddr_v6 = v6src;
+ if (scopeid != 0) {
+ connp->conn_ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ connp->conn_ixa->ixa_scopeid = scopeid;
+ connp->conn_incoming_ifindex = scopeid;
+ } else {
+ connp->conn_ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
+ connp->conn_incoming_ifindex = connp->conn_bound_if;
+ }
+
+ switch (laddr_type) {
+ case IPVL_UNICAST_UP:
+ case IPVL_UNICAST_DOWN:
+ connp->conn_saddr_v6 = v6src;
+ connp->conn_mcbc_bind = B_FALSE;
+ break;
+ case IPVL_MCAST:
+ case IPVL_BCAST:
+ /* ip_set_destination will pick a source address later */
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ connp->conn_mcbc_bind = B_TRUE;
+ break;
+ }
+
+ /* Any errors after this point should use late_error */
+ connp->conn_lport = lport;
+
/*
- * Now reset the the next anonymous port if the application requested
+ * Now reset the next anonymous port if the application requested
* an anonymous port, or we handed out the next anonymous port.
*/
- if ((requested_port == 0) && (!udp->udp_anon_priv_bind)) {
+ if ((requested_port == 0) && (!connp->conn_anon_priv_bind)) {
us->us_next_port_to_try = port + 1;
}
- /* Initialize the O_T_BIND_REQ/T_BIND_REQ for ip. */
- if (udp->udp_family == AF_INET) {
- sin->sin_port = udp->udp_port;
+ /* Initialize the T_BIND_ACK. */
+ if (connp->conn_family == AF_INET) {
+ sin->sin_port = connp->conn_lport;
} else {
- sin6->sin6_port = udp->udp_port;
- /* Rebuild the header template */
- error = udp_build_hdrs(udp);
- if (error != 0) {
- udp->udp_pending_op = -1;
- rw_exit(&udp->udp_rwlock);
- mutex_exit(&udpf->uf_lock);
- return (error);
- }
+ sin6->sin6_port = connp->conn_lport;
}
udp->udp_state = TS_IDLE;
udp_bind_hash_insert(udpf, udp);
mutex_exit(&udpf->uf_lock);
- rw_exit(&udp->udp_rwlock);
+ mutex_exit(&connp->conn_lock);
if (cl_inet_bind) {
/*
* Running in cluster mode - register bind information
*/
- if (udp->udp_ipversion == IPV4_VERSION) {
+ if (connp->conn_ipversion == IPV4_VERSION) {
(*cl_inet_bind)(connp->conn_netstack->netstack_stackid,
- IPPROTO_UDP, AF_INET,
- (uint8_t *)(&V4_PART_OF_V6(udp->udp_v6src)),
- (in_port_t)udp->udp_port, NULL);
+ IPPROTO_UDP, AF_INET, (uint8_t *)&v4src,
+ (in_port_t)connp->conn_lport, NULL);
} else {
(*cl_inet_bind)(connp->conn_netstack->netstack_stackid,
- IPPROTO_UDP, AF_INET6,
- (uint8_t *)&(udp->udp_v6src),
- (in_port_t)udp->udp_port, NULL);
+ IPPROTO_UDP, AF_INET6, (uint8_t *)&v6src,
+ (in_port_t)connp->conn_lport, NULL);
}
}
+ mutex_enter(&connp->conn_lock);
connp->conn_anon_port = (is_system_labeled() && requested_port == 0);
if (is_system_labeled() && (!connp->conn_anon_port ||
connp->conn_anon_mlp)) {
@@ -8092,18 +5764,16 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
zone_t *zone;
zone = crgetzone(cr);
- connp->conn_mlp_type = udp->udp_recvucred ? mlptBoth :
+ connp->conn_mlp_type =
+ connp->conn_recv_ancillary.crb_recvucred ? mlptBoth :
mlptSingle;
addrtype = tsol_mlp_addr_type(
connp->conn_allzones ? ALL_ZONES : zone->zone_id,
IPV6_VERSION, &v6src, us->us_netstack->netstack_ip);
if (addrtype == mlptSingle) {
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- udp->udp_pending_op = -1;
- rw_exit(&udp->udp_rwlock);
- connp->conn_anon_port = B_FALSE;
- connp->conn_mlp_type = mlptSingle;
- return (-TNOADDR);
+ error = -TNOADDR;
+ mutex_exit(&connp->conn_lock);
+ goto late_error;
}
mlpport = connp->conn_anon_port ? PMAPPORT : port;
mlptype = tsol_mlp_port_type(zone, IPPROTO_UDP, mlpport,
@@ -8115,12 +5785,9 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
*/
if (mlptype != mlptSingle &&
connp->conn_mlp_type == mlptSingle) {
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- udp->udp_pending_op = -1;
- rw_exit(&udp->udp_rwlock);
- connp->conn_anon_port = B_FALSE;
- connp->conn_mlp_type = mlptSingle;
- return (EINVAL);
+ error = EINVAL;
+ mutex_exit(&connp->conn_lock);
+ goto late_error;
}
/*
@@ -8129,18 +5796,15 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
*/
if (mlptype != mlptSingle &&
secpolicy_net_bindmlp(cr) != 0) {
- if (udp->udp_debug) {
+ if (connp->conn_debug) {
(void) strlog(UDP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"udp_bind: no priv for multilevel port %d",
mlpport);
}
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- udp->udp_pending_op = -1;
- rw_exit(&udp->udp_rwlock);
- connp->conn_anon_port = B_FALSE;
- connp->conn_mlp_type = mlptSingle;
- return (-TACCES);
+ error = -TACCES;
+ mutex_exit(&connp->conn_lock);
+ goto late_error;
}
/*
@@ -8158,7 +5822,7 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
mlpzone = tsol_mlp_findzone(IPPROTO_UDP,
htons(mlpport));
if (connp->conn_zoneid != mlpzone) {
- if (udp->udp_debug) {
+ if (connp->conn_debug) {
(void) strlog(UDP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"udp_bind: attempt to bind port "
@@ -8167,62 +5831,82 @@ udp_do_bind(conn_t *connp, struct sockaddr *sa, socklen_t len, cred_t *cr,
mlpport, connp->conn_zoneid,
mlpzone);
}
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- udp->udp_pending_op = -1;
- rw_exit(&udp->udp_rwlock);
- connp->conn_anon_port = B_FALSE;
- connp->conn_mlp_type = mlptSingle;
- return (-TACCES);
+ error = -TACCES;
+ mutex_exit(&connp->conn_lock);
+ goto late_error;
}
}
if (connp->conn_anon_port) {
- error = tsol_mlp_anon(zone, mlptype, connp->conn_ulp,
+ error = tsol_mlp_anon(zone, mlptype, connp->conn_proto,
port, B_TRUE);
if (error != 0) {
- if (udp->udp_debug) {
+ if (connp->conn_debug) {
(void) strlog(UDP_MOD_ID, 0, 1,
SL_ERROR|SL_TRACE,
"udp_bind: cannot establish anon "
"MLP for port %d", port);
}
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- udp->udp_pending_op = -1;
- rw_exit(&udp->udp_rwlock);
- connp->conn_anon_port = B_FALSE;
- connp->conn_mlp_type = mlptSingle;
- return (-TACCES);
+ error = -TACCES;
+ mutex_exit(&connp->conn_lock);
+ goto late_error;
}
}
connp->conn_mlp_type = mlptype;
}
- if (!V6_OR_V4_INADDR_ANY(udp->udp_v6src)) {
- /*
- * Append a request for an IRE if udp_v6src not
- * zero (IPv4 - INADDR_ANY, or IPv6 - all-zeroes address).
- */
- mp = allocb(sizeof (ire_t), BPRI_HI);
- if (!mp) {
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- udp->udp_pending_op = -1;
- rw_exit(&udp->udp_rwlock);
- return (ENOMEM);
- }
- mp->b_wptr += sizeof (ire_t);
- mp->b_datap->db_type = IRE_DB_REQ_TYPE;
+ /*
+ * We create an initial header template here to make a subsequent
+ * sendto have a starting point. Since conn_last_dst is zero the
+ * first sendto will always follow the 'dst changed' code path.
+ * Note that we defer massaging options and the related checksum
+ * adjustment until we have a destination address.
+ */
+ error = udp_build_hdr_template(connp, &connp->conn_saddr_v6,
+ &connp->conn_faddr_v6, connp->conn_fport, connp->conn_flowinfo);
+ if (error != 0) {
+ mutex_exit(&connp->conn_lock);
+ goto late_error;
}
- if (udp->udp_family == AF_INET6) {
- ASSERT(udp->udp_connp->conn_af_isv6);
- error = ip_proto_bind_laddr_v6(connp, &mp, IPPROTO_UDP,
- &udp->udp_bound_v6src, udp->udp_port, B_TRUE);
- } else {
- ASSERT(!udp->udp_connp->conn_af_isv6);
- error = ip_proto_bind_laddr_v4(connp, &mp, IPPROTO_UDP,
- V4_PART_OF_V6(udp->udp_bound_v6src), udp->udp_port,
- B_TRUE);
+ /* Just in case */
+ connp->conn_faddr_v6 = ipv6_all_zeros;
+ connp->conn_fport = 0;
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ mutex_exit(&connp->conn_lock);
+
+ error = ip_laddr_fanout_insert(connp);
+ if (error != 0)
+ goto late_error;
+
+ /* Bind succeeded */
+ return (0);
+
+late_error:
+ /* We had already picked the port number, and then the bind failed */
+ mutex_enter(&connp->conn_lock);
+ udpf = &us->us_bind_fanout[
+ UDP_BIND_HASH(connp->conn_lport,
+ us->us_bind_fanout_size)];
+ mutex_enter(&udpf->uf_lock);
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ connp->conn_bound_addr_v6 = ipv6_all_zeros;
+ connp->conn_laddr_v6 = ipv6_all_zeros;
+ if (scopeid != 0) {
+ connp->conn_ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
+ connp->conn_incoming_ifindex = connp->conn_bound_if;
}
+ udp->udp_state = TS_UNBND;
+ udp_bind_hash_remove(udp, B_TRUE);
+ connp->conn_lport = 0;
+ mutex_exit(&udpf->uf_lock);
+ connp->conn_anon_port = B_FALSE;
+ connp->conn_mlp_type = mlptSingle;
- (void) udp_post_ip_bind_connect(udp, mp, error);
+ connp->conn_v6lastdst = ipv6_all_zeros;
+
+ /* Restore the header that was built above - different source address */
+ (void) udp_build_hdr_template(connp, &connp->conn_saddr_v6,
+ &connp->conn_faddr_v6, connp->conn_fport, connp->conn_flowinfo);
+ mutex_exit(&connp->conn_lock);
return (error);
}
@@ -8256,12 +5940,32 @@ udp_bind(sock_lower_handle_t proto_handle, struct sockaddr *sa,
static int
udp_implicit_bind(conn_t *connp, cred_t *cr)
{
+ sin6_t sin6addr;
+ sin_t *sin;
+ sin6_t *sin6;
+ socklen_t len;
int error;
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
- error = udp_do_bind(connp, NULL, 0, cr, B_FALSE);
+ if (connp->conn_family == AF_INET) {
+ len = sizeof (struct sockaddr_in);
+ sin = (sin_t *)&sin6addr;
+ *sin = sin_null;
+ sin->sin_family = AF_INET;
+ sin->sin_addr.s_addr = INADDR_ANY;
+ } else {
+ ASSERT(connp->conn_family == AF_INET6);
+ len = sizeof (sin6_t);
+ sin6 = (sin6_t *)&sin6addr;
+ *sin6 = sin6_null;
+ sin6->sin6_family = AF_INET6;
+ V6_SET_ZERO(sin6->sin6_addr);
+ }
+
+ error = udp_do_bind(connp, (struct sockaddr *)&sin6addr, len,
+ cr, B_FALSE);
return ((error < 0) ? proto_tlitosyserr(-error) : error);
}
@@ -8280,137 +5984,51 @@ udp_do_unbind(conn_t *connp)
/*
* Running in cluster mode - register unbind information
*/
- if (udp->udp_ipversion == IPV4_VERSION) {
+ if (connp->conn_ipversion == IPV4_VERSION) {
(*cl_inet_unbind)(
connp->conn_netstack->netstack_stackid,
IPPROTO_UDP, AF_INET,
- (uint8_t *)(&V4_PART_OF_V6(udp->udp_v6src)),
- (in_port_t)udp->udp_port, NULL);
+ (uint8_t *)(&V4_PART_OF_V6(connp->conn_laddr_v6)),
+ (in_port_t)connp->conn_lport, NULL);
} else {
(*cl_inet_unbind)(
connp->conn_netstack->netstack_stackid,
IPPROTO_UDP, AF_INET6,
- (uint8_t *)&(udp->udp_v6src),
- (in_port_t)udp->udp_port, NULL);
+ (uint8_t *)&(connp->conn_laddr_v6),
+ (in_port_t)connp->conn_lport, NULL);
}
}
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- if (udp->udp_state == TS_UNBND || udp->udp_pending_op != -1) {
- rw_exit(&udp->udp_rwlock);
+ mutex_enter(&connp->conn_lock);
+ /* If a bind has not been done, we can't unbind. */
+ if (udp->udp_state == TS_UNBND) {
+ mutex_exit(&connp->conn_lock);
return (-TOUTSTATE);
}
- udp->udp_pending_op = T_UNBIND_REQ;
- rw_exit(&udp->udp_rwlock);
-
- /*
- * Pass the unbind to IP; T_UNBIND_REQ is larger than T_OK_ACK
- * and therefore ip_unbind must never return NULL.
- */
- ip_unbind(connp);
-
- /*
- * Once we're unbound from IP, the pending operation may be cleared
- * here.
- */
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- udpf = &us->us_bind_fanout[UDP_BIND_HASH(udp->udp_port,
+ udpf = &us->us_bind_fanout[UDP_BIND_HASH(connp->conn_lport,
us->us_bind_fanout_size)];
-
mutex_enter(&udpf->uf_lock);
udp_bind_hash_remove(udp, B_TRUE);
- V6_SET_ZERO(udp->udp_v6src);
- V6_SET_ZERO(udp->udp_bound_v6src);
- udp->udp_port = 0;
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ connp->conn_bound_addr_v6 = ipv6_all_zeros;
+ connp->conn_laddr_v6 = ipv6_all_zeros;
+ connp->conn_mcbc_bind = B_FALSE;
+ connp->conn_lport = 0;
+ /* In case we were also connected */
+ connp->conn_faddr_v6 = ipv6_all_zeros;
+ connp->conn_fport = 0;
mutex_exit(&udpf->uf_lock);
- udp->udp_pending_op = -1;
+ connp->conn_v6lastdst = ipv6_all_zeros;
udp->udp_state = TS_UNBND;
- if (udp->udp_family == AF_INET6)
- (void) udp_build_hdrs(udp);
- rw_exit(&udp->udp_rwlock);
- return (0);
-}
-
-static int
-udp_post_ip_bind_connect(udp_t *udp, mblk_t *ire_mp, int error)
-{
- ire_t *ire;
- udp_fanout_t *udpf;
- udp_stack_t *us = udp->udp_us;
-
- ASSERT(udp->udp_pending_op != -1);
- rw_enter(&udp->udp_rwlock, RW_WRITER);
- if (error == 0) {
- /* For udp_do_connect() success */
- /* udp_do_bind() success will do nothing in here */
- /*
- * If a broadcast/multicast address was bound, set
- * the source address to 0.
- * This ensures no datagrams with broadcast address
- * as source address are emitted (which would violate
- * RFC1122 - Hosts requirements)
- *
- * Note that when connecting the returned IRE is
- * for the destination address and we only perform
- * the broadcast check for the source address (it
- * is OK to connect to a broadcast/multicast address.)
- */
- if (ire_mp != NULL && ire_mp->b_datap->db_type == IRE_DB_TYPE) {
- ire = (ire_t *)ire_mp->b_rptr;
+ (void) udp_build_hdr_template(connp, &connp->conn_saddr_v6,
+ &connp->conn_faddr_v6, connp->conn_fport, connp->conn_flowinfo);
+ mutex_exit(&connp->conn_lock);
- /*
- * Note: we get IRE_BROADCAST for IPv6 to "mark" a
- * multicast local address.
- */
- udpf = &us->us_bind_fanout[UDP_BIND_HASH(udp->udp_port,
- us->us_bind_fanout_size)];
- if (ire->ire_type == IRE_BROADCAST &&
- udp->udp_state != TS_DATA_XFER) {
- ASSERT(udp->udp_pending_op == T_BIND_REQ ||
- udp->udp_pending_op == O_T_BIND_REQ);
- /*
- * This was just a local bind to a broadcast
- * addr.
- */
- mutex_enter(&udpf->uf_lock);
- V6_SET_ZERO(udp->udp_v6src);
- mutex_exit(&udpf->uf_lock);
- if (udp->udp_family == AF_INET6)
- (void) udp_build_hdrs(udp);
- } else if (V6_OR_V4_INADDR_ANY(udp->udp_v6src)) {
- if (udp->udp_family == AF_INET6)
- (void) udp_build_hdrs(udp);
- }
- }
- } else {
- udpf = &us->us_bind_fanout[UDP_BIND_HASH(udp->udp_port,
- us->us_bind_fanout_size)];
- mutex_enter(&udpf->uf_lock);
+ ip_unbind(connp);
- if (udp->udp_state == TS_DATA_XFER) {
- /* Connect failed */
- /* Revert back to the bound source */
- udp->udp_v6src = udp->udp_bound_v6src;
- udp->udp_state = TS_IDLE;
- } else {
- /* For udp_do_bind() failed */
- V6_SET_ZERO(udp->udp_v6src);
- V6_SET_ZERO(udp->udp_bound_v6src);
- udp->udp_state = TS_UNBND;
- udp_bind_hash_remove(udp, B_TRUE);
- udp->udp_port = 0;
- }
- mutex_exit(&udpf->uf_lock);
- if (udp->udp_family == AF_INET6)
- (void) udp_build_hdrs(udp);
- }
- udp->udp_pending_op = -1;
- rw_exit(&udp->udp_rwlock);
- if (ire_mp != NULL)
- freeb(ire_mp);
- return (error);
+ return (0);
}
/*
@@ -8418,7 +6036,7 @@ udp_post_ip_bind_connect(udp_t *udp, mblk_t *ire_mp, int error)
*/
static int
udp_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
- cred_t *cr)
+ cred_t *cr, pid_t pid)
{
sin6_t *sin6;
sin_t *sin;
@@ -8426,12 +6044,16 @@ udp_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
ipaddr_t v4dst;
uint16_t dstport;
uint32_t flowinfo;
- mblk_t *ire_mp;
udp_fanout_t *udpf;
udp_t *udp, *udp1;
ushort_t ipversion;
udp_stack_t *us;
int error;
+ conn_t *connp1;
+ ip_xmit_attr_t *ixa;
+ uint_t scopeid = 0;
+ uint_t srcid = 0;
+ in6_addr_t v6src = connp->conn_saddr_v6;
udp = connp->conn_udp;
us = udp->udp_us;
@@ -8451,7 +6073,7 @@ udp_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
v4dst = sin->sin_addr.s_addr;
dstport = sin->sin_port;
IN6_IPADDR_TO_V4MAPPED(v4dst, &v6dst);
- ASSERT(udp->udp_ipversion == IPV4_VERSION);
+ ASSERT(connp->conn_ipversion == IPV4_VERSION);
ipversion = IPV4_VERSION;
break;
@@ -8459,13 +6081,33 @@ udp_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
sin6 = (sin6_t *)sa;
v6dst = sin6->sin6_addr;
dstport = sin6->sin6_port;
+ srcid = sin6->__sin6_src_id;
+ if (srcid != 0 && IN6_IS_ADDR_UNSPECIFIED(&v6src)) {
+ ip_srcid_find_id(srcid, &v6src, IPCL_ZONEID(connp),
+ connp->conn_netstack);
+ }
if (IN6_IS_ADDR_V4MAPPED(&v6dst)) {
+ if (connp->conn_ipv6_v6only)
+ return (EADDRNOTAVAIL);
+
+ /*
+ * Destination adress is mapped IPv6 address.
+ * Source bound address should be unspecified or
+ * IPv6 mapped address as well.
+ */
+ if (!IN6_IS_ADDR_UNSPECIFIED(
+ &connp->conn_bound_addr_v6) &&
+ !IN6_IS_ADDR_V4MAPPED(&connp->conn_bound_addr_v6)) {
+ return (EADDRNOTAVAIL);
+ }
IN6_V4MAPPED_TO_IPADDR(&v6dst, v4dst);
ipversion = IPV4_VERSION;
flowinfo = 0;
} else {
ipversion = IPV6_VERSION;
flowinfo = sin6->sin6_flowinfo;
+ if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
+ scopeid = sin6->sin6_scope_id;
}
break;
}
@@ -8473,44 +6115,53 @@ udp_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
if (dstport == 0)
return (-TBADADDR);
- rw_enter(&udp->udp_rwlock, RW_WRITER);
+ /*
+ * If there is a different thread using conn_ixa then we get a new
+ * copy and cut the old one loose from conn_ixa. Otherwise we use
+ * conn_ixa and prevent any other thread from using/changing it.
+ * Once connect() is done other threads can use conn_ixa since the
+ * refcnt will be back at one.
+ */
+ ixa = conn_get_ixa(connp, B_TRUE);
+ if (ixa == NULL)
+ return (ENOMEM);
+ ASSERT(ixa->ixa_refcnt >= 2);
+ ASSERT(ixa == connp->conn_ixa);
+
+ mutex_enter(&connp->conn_lock);
/*
- * This UDP must have bound to a port already before doing a connect.
- * TPI mandates that users must send TPI primitives only 1 at a time
- * and wait for the response before sending the next primitive.
+ * This udp_t must have bound to a port already before doing a connect.
+ * Reject if a connect is in progress (we drop conn_lock during
+ * udp_do_connect).
*/
- if (udp->udp_state == TS_UNBND || udp->udp_pending_op != -1) {
- rw_exit(&udp->udp_rwlock);
+ if (udp->udp_state == TS_UNBND || udp->udp_state == TS_WCON_CREQ) {
+ mutex_exit(&connp->conn_lock);
(void) strlog(UDP_MOD_ID, 0, 1, SL_ERROR|SL_TRACE,
"udp_connect: bad state, %u", udp->udp_state);
+ ixa_refrele(ixa);
return (-TOUTSTATE);
}
- udp->udp_pending_op = T_CONN_REQ;
- ASSERT(udp->udp_port != 0 && udp->udp_ptpbhn != NULL);
-
- if (ipversion == IPV4_VERSION) {
- udp->udp_max_hdr_len = IP_SIMPLE_HDR_LENGTH + UDPH_SIZE +
- udp->udp_ip_snd_options_len;
- } else {
- udp->udp_max_hdr_len = udp->udp_sticky_hdrs_len;
- }
+ ASSERT(connp->conn_lport != 0 && udp->udp_ptpbhn != NULL);
- udpf = &us->us_bind_fanout[UDP_BIND_HASH(udp->udp_port,
+ udpf = &us->us_bind_fanout[UDP_BIND_HASH(connp->conn_lport,
us->us_bind_fanout_size)];
mutex_enter(&udpf->uf_lock);
if (udp->udp_state == TS_DATA_XFER) {
/* Already connected - clear out state */
- udp->udp_v6src = udp->udp_bound_v6src;
+ if (connp->conn_mcbc_bind)
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ else
+ connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_laddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_faddr_v6 = ipv6_all_zeros;
+ connp->conn_fport = 0;
udp->udp_state = TS_IDLE;
}
- /*
- * Create a default IP header with no IP options.
- */
- udp->udp_dstport = dstport;
- udp->udp_ipversion = ipversion;
+ connp->conn_fport = dstport;
+ connp->conn_ipversion = ipversion;
if (ipversion == IPV4_VERSION) {
/*
* Interpret a zero destination to mean loopback.
@@ -8520,29 +6171,16 @@ udp_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
if (v4dst == INADDR_ANY) {
v4dst = htonl(INADDR_LOOPBACK);
IN6_IPADDR_TO_V4MAPPED(v4dst, &v6dst);
- if (udp->udp_family == AF_INET) {
+ if (connp->conn_family == AF_INET) {
sin->sin_addr.s_addr = v4dst;
} else {
sin6->sin6_addr = v6dst;
}
}
- udp->udp_v6dst = v6dst;
- udp->udp_flowinfo = 0;
-
- /*
- * If the destination address is multicast and
- * an outgoing multicast interface has been set,
- * use the address of that interface as our
- * source address if no source address has been set.
- */
- if (V4_PART_OF_V6(udp->udp_v6src) == INADDR_ANY &&
- CLASSD(v4dst) &&
- udp->udp_multicast_if_addr != INADDR_ANY) {
- IN6_IPADDR_TO_V4MAPPED(udp->udp_multicast_if_addr,
- &udp->udp_v6src);
- }
+ connp->conn_faddr_v6 = v6dst;
+ connp->conn_flowinfo = 0;
} else {
- ASSERT(udp->udp_ipversion == IPV6_VERSION);
+ ASSERT(connp->conn_ipversion == IPV6_VERSION);
/*
* Interpret a zero destination to mean loopback.
* Update the T_CONN_REQ (sin/sin6) since it is used to
@@ -8552,82 +6190,133 @@ udp_do_connect(conn_t *connp, const struct sockaddr *sa, socklen_t len,
v6dst = ipv6_loopback;
sin6->sin6_addr = v6dst;
}
- udp->udp_v6dst = v6dst;
- udp->udp_flowinfo = flowinfo;
- /*
- * If the destination address is multicast and
- * an outgoing multicast interface has been set,
- * then the ip bind logic will pick the correct source
- * address (i.e. matching the outgoing multicast interface).
- */
+ connp->conn_faddr_v6 = v6dst;
+ connp->conn_flowinfo = flowinfo;
+ }
+ mutex_exit(&udpf->uf_lock);
+
+ ixa->ixa_cred = cr;
+ ixa->ixa_cpid = pid;
+ if (is_system_labeled()) {
+ /* We need to restart with a label based on the cred */
+ ip_xmit_attr_restore_tsl(ixa, ixa->ixa_cred);
+ }
+
+ if (scopeid != 0) {
+ ixa->ixa_flags |= IXAF_SCOPEID_SET;
+ ixa->ixa_scopeid = scopeid;
+ connp->conn_incoming_ifindex = scopeid;
+ } else {
+ ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
+ connp->conn_incoming_ifindex = connp->conn_bound_if;
+ }
+ /*
+ * conn_connect will drop conn_lock and reacquire it.
+ * To prevent a send* from messing with this udp_t while the lock
+ * is dropped we set udp_state and clear conn_v6lastdst.
+ * That will make all send* fail with EISCONN.
+ */
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ udp->udp_state = TS_WCON_CREQ;
+
+ error = conn_connect(connp, NULL, IPDF_ALLOW_MCBC);
+ mutex_exit(&connp->conn_lock);
+ if (error != 0)
+ goto connect_failed;
+
+ /*
+ * The addresses have been verified. Time to insert in
+ * the correct fanout list.
+ */
+ error = ipcl_conn_insert(connp);
+ if (error != 0)
+ goto connect_failed;
+
+ mutex_enter(&connp->conn_lock);
+ error = udp_build_hdr_template(connp, &connp->conn_saddr_v6,
+ &connp->conn_faddr_v6, connp->conn_fport, connp->conn_flowinfo);
+ if (error != 0) {
+ mutex_exit(&connp->conn_lock);
+ goto connect_failed;
}
+ udp->udp_state = TS_DATA_XFER;
+ /* Record this as the "last" send even though we haven't sent any */
+ connp->conn_v6lastdst = connp->conn_faddr_v6;
+ connp->conn_lastipversion = connp->conn_ipversion;
+ connp->conn_lastdstport = connp->conn_fport;
+ connp->conn_lastflowinfo = connp->conn_flowinfo;
+ connp->conn_lastscopeid = scopeid;
+ connp->conn_lastsrcid = srcid;
+ /* Also remember a source to use together with lastdst */
+ connp->conn_v6lastsrc = v6src;
+ mutex_exit(&connp->conn_lock);
+
/*
- * Verify that the src/port/dst/port is unique for all
- * connections in TS_DATA_XFER
+ * We've picked a source address above. Now we can
+ * verify that the src/port/dst/port is unique for all
+ * connections in TS_DATA_XFER, skipping ourselves.
*/
+ mutex_enter(&udpf->uf_lock);
for (udp1 = udpf->uf_udp; udp1 != NULL; udp1 = udp1->udp_bind_hash) {
if (udp1->udp_state != TS_DATA_XFER)
continue;
- if (udp->udp_port != udp1->udp_port ||
- udp->udp_ipversion != udp1->udp_ipversion ||
- dstport != udp1->udp_dstport ||
- !IN6_ARE_ADDR_EQUAL(&udp->udp_v6src, &udp1->udp_v6src) ||
- !IN6_ARE_ADDR_EQUAL(&v6dst, &udp1->udp_v6dst) ||
- !(IPCL_ZONE_MATCH(udp->udp_connp,
- udp1->udp_connp->conn_zoneid) ||
- IPCL_ZONE_MATCH(udp1->udp_connp,
- udp->udp_connp->conn_zoneid)))
+
+ if (udp1 == udp)
+ continue;
+
+ connp1 = udp1->udp_connp;
+ if (connp->conn_lport != connp1->conn_lport ||
+ connp->conn_ipversion != connp1->conn_ipversion ||
+ dstport != connp1->conn_fport ||
+ !IN6_ARE_ADDR_EQUAL(&connp->conn_laddr_v6,
+ &connp1->conn_laddr_v6) ||
+ !IN6_ARE_ADDR_EQUAL(&v6dst, &connp1->conn_faddr_v6) ||
+ !(IPCL_ZONE_MATCH(connp, connp1->conn_zoneid) ||
+ IPCL_ZONE_MATCH(connp1, connp->conn_zoneid)))
continue;
mutex_exit(&udpf->uf_lock);
- udp->udp_pending_op = -1;
- rw_exit(&udp->udp_rwlock);
- return (-TBADADDR);
+ error = -TBADADDR;
+ goto connect_failed;
}
-
if (cl_inet_connect2 != NULL) {
- CL_INET_UDP_CONNECT(connp, udp, B_TRUE, &v6dst, dstport, error);
+ CL_INET_UDP_CONNECT(connp, B_TRUE, &v6dst, dstport, error);
if (error != 0) {
mutex_exit(&udpf->uf_lock);
- udp->udp_pending_op = -1;
- rw_exit(&udp->udp_rwlock);
- return (-TBADADDR);
+ error = -TBADADDR;
+ goto connect_failed;
}
}
-
- udp->udp_state = TS_DATA_XFER;
mutex_exit(&udpf->uf_lock);
- ire_mp = allocb(sizeof (ire_t), BPRI_HI);
- if (ire_mp == NULL) {
- mutex_enter(&udpf->uf_lock);
- udp->udp_state = TS_IDLE;
- udp->udp_pending_op = -1;
- mutex_exit(&udpf->uf_lock);
- rw_exit(&udp->udp_rwlock);
- return (ENOMEM);
- }
-
- rw_exit(&udp->udp_rwlock);
+ ixa_refrele(ixa);
+ return (0);
- ire_mp->b_wptr += sizeof (ire_t);
- ire_mp->b_datap->db_type = IRE_DB_REQ_TYPE;
+connect_failed:
+ if (ixa != NULL)
+ ixa_refrele(ixa);
+ mutex_enter(&connp->conn_lock);
+ mutex_enter(&udpf->uf_lock);
+ udp->udp_state = TS_IDLE;
+ connp->conn_faddr_v6 = ipv6_all_zeros;
+ connp->conn_fport = 0;
+ /* In case the source address was set above */
+ if (connp->conn_mcbc_bind)
+ connp->conn_saddr_v6 = ipv6_all_zeros;
+ else
+ connp->conn_saddr_v6 = connp->conn_bound_addr_v6;
+ connp->conn_laddr_v6 = connp->conn_bound_addr_v6;
+ mutex_exit(&udpf->uf_lock);
- if (udp->udp_family == AF_INET) {
- error = ip_proto_bind_connected_v4(connp, &ire_mp, IPPROTO_UDP,
- &V4_PART_OF_V6(udp->udp_v6src), udp->udp_port,
- V4_PART_OF_V6(udp->udp_v6dst), udp->udp_dstport,
- B_TRUE, B_TRUE, cr);
- } else {
- error = ip_proto_bind_connected_v6(connp, &ire_mp, IPPROTO_UDP,
- &udp->udp_v6src, udp->udp_port, &udp->udp_v6dst,
- &udp->udp_sticky_ipp, udp->udp_dstport, B_TRUE, B_TRUE, cr);
- }
+ connp->conn_v6lastdst = ipv6_all_zeros;
+ connp->conn_flowinfo = 0;
- return (udp_post_ip_bind_connect(udp, ire_mp, error));
+ (void) udp_build_hdr_template(connp, &connp->conn_saddr_v6,
+ &connp->conn_faddr_v6, connp->conn_fport, connp->conn_flowinfo);
+ mutex_exit(&connp->conn_lock);
+ return (error);
}
-/* ARGSUSED */
static int
udp_connect(sock_lower_handle_t proto_handle, const struct sockaddr *sa,
socklen_t len, sock_connid_t *id, cred_t *cr)
@@ -8636,6 +6325,7 @@ udp_connect(sock_lower_handle_t proto_handle, const struct sockaddr *sa,
udp_t *udp = connp->conn_udp;
int error;
boolean_t did_bind = B_FALSE;
+ pid_t pid = curproc->p_pid;
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
@@ -8652,7 +6342,7 @@ udp_connect(sock_lower_handle_t proto_handle, const struct sockaddr *sa,
return (error);
}
- error = proto_verify_ip_addr(udp->udp_family, sa, len);
+ error = proto_verify_ip_addr(connp->conn_family, sa, len);
if (error != 0)
goto done;
@@ -8671,9 +6361,9 @@ udp_connect(sock_lower_handle_t proto_handle, const struct sockaddr *sa,
/*
* set SO_DGRAM_ERRIND
*/
- udp->udp_dgram_errind = B_TRUE;
+ connp->conn_dgram_errind = B_TRUE;
- error = udp_do_connect(connp, sa, len, cr);
+ error = udp_do_connect(connp, sa, len, cr, pid);
if (error != 0 && did_bind) {
int unbind_err;
@@ -8702,44 +6392,33 @@ done:
return (error);
}
-/* ARGSUSED */
int
udp_send(sock_lower_handle_t proto_handle, mblk_t *mp, struct nmsghdr *msg,
cred_t *cr)
{
+ sin6_t *sin6;
+ sin_t *sin = NULL;
+ uint_t srcid;
conn_t *connp = (conn_t *)proto_handle;
udp_t *udp = connp->conn_udp;
- udp_stack_t *us = udp->udp_us;
int error = 0;
+ udp_stack_t *us = udp->udp_us;
+ ushort_t ipversion;
+ pid_t pid = curproc->p_pid;
+ ip_xmit_attr_t *ixa;
ASSERT(DB_TYPE(mp) == M_DATA);
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
- /* If labeled then sockfs should have already set db_credp */
- ASSERT(!is_system_labeled() || msg_getcred(mp, NULL) != NULL);
-
- /*
- * If the socket is connected and no change in destination
- */
- if (msg->msg_namelen == 0) {
- error = udp_send_connected(connp, mp, msg, cr, curproc->p_pid);
- if (error == EDESTADDRREQ)
- return (error);
- else
- return (udp->udp_dgram_errind ? error : 0);
- }
-
- /*
- * Do an implicit bind if necessary.
- */
+ /* do an implicit bind if necessary */
if (udp->udp_state == TS_UNBND) {
error = udp_implicit_bind(connp, cr);
/*
* We could be racing with an actual bind, in which case
* we would see EPROTO. We cross our fingers and try
- * to send.
+ * to connect.
*/
if (!(error == 0 || error == EPROTO)) {
freemsg(mp);
@@ -8747,75 +6426,203 @@ udp_send(sock_lower_handle_t proto_handle, mblk_t *mp, struct nmsghdr *msg,
}
}
- rw_enter(&udp->udp_rwlock, RW_WRITER);
-
- if (msg->msg_name != NULL && udp->udp_state == TS_DATA_XFER) {
- rw_exit(&udp->udp_rwlock);
- freemsg(mp);
+ /* Connected? */
+ if (msg->msg_name == NULL) {
+ if (udp->udp_state != TS_DATA_XFER) {
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ return (EDESTADDRREQ);
+ }
+ if (msg->msg_controllen != 0) {
+ error = udp_output_ancillary(connp, NULL, NULL, mp,
+ NULL, msg, cr, pid);
+ } else {
+ error = udp_output_connected(connp, mp, cr, pid);
+ }
+ if (us->us_sendto_ignerr)
+ return (0);
+ else
+ return (error);
+ }
+ if (udp->udp_state == TS_DATA_XFER) {
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
return (EISCONN);
}
+ error = proto_verify_ip_addr(connp->conn_family,
+ (struct sockaddr *)msg->msg_name, msg->msg_namelen);
+ if (error != 0) {
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ return (error);
+ }
+ switch (connp->conn_family) {
+ case AF_INET6:
+ sin6 = (sin6_t *)msg->msg_name;
+ srcid = sin6->__sin6_src_id;
- if (udp->udp_delayed_error != 0) {
- boolean_t match;
+ if (!IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
+ /*
+ * Destination is a non-IPv4-compatible IPv6 address.
+ * Send out an IPv6 format packet.
+ */
- error = udp->udp_delayed_error;
- match = B_FALSE;
- udp->udp_delayed_error = 0;
- switch (udp->udp_family) {
- case AF_INET: {
- /* Compare just IP address and port */
- sin_t *sin1 = (sin_t *)msg->msg_name;
- sin_t *sin2 = (sin_t *)&udp->udp_delayed_addr;
+ /*
+ * If the local address is a mapped address return
+ * an error.
+ * It would be possible to send an IPv6 packet but the
+ * response would never make it back to the application
+ * since it is bound to a mapped address.
+ */
+ if (IN6_IS_ADDR_V4MAPPED(&connp->conn_saddr_v6)) {
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ return (EADDRNOTAVAIL);
+ }
+ if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
+ sin6->sin6_addr = ipv6_loopback;
+ ipversion = IPV6_VERSION;
+ } else {
+ if (connp->conn_ipv6_v6only) {
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ return (EADDRNOTAVAIL);
+ }
- if (msg->msg_namelen == sizeof (sin_t) &&
- sin1->sin_port == sin2->sin_port &&
- sin1->sin_addr.s_addr == sin2->sin_addr.s_addr)
- match = B_TRUE;
+ /*
+ * If the local address is not zero or a mapped address
+ * return an error. It would be possible to send an
+ * IPv4 packet but the response would never make it
+ * back to the application since it is bound to a
+ * non-mapped address.
+ */
+ if (!IN6_IS_ADDR_V4MAPPED(&connp->conn_saddr_v6) &&
+ !IN6_IS_ADDR_UNSPECIFIED(&connp->conn_saddr_v6)) {
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ return (EADDRNOTAVAIL);
+ }
- break;
+ if (V4_PART_OF_V6(sin6->sin6_addr) == INADDR_ANY) {
+ V4_PART_OF_V6(sin6->sin6_addr) =
+ htonl(INADDR_LOOPBACK);
+ }
+ ipversion = IPV4_VERSION;
}
- case AF_INET6: {
- sin6_t *sin1 = (sin6_t *)msg->msg_name;
- sin6_t *sin2 = (sin6_t *)&udp->udp_delayed_addr;
- if (msg->msg_namelen == sizeof (sin6_t) &&
- sin1->sin6_port == sin2->sin6_port &&
- IN6_ARE_ADDR_EQUAL(&sin1->sin6_addr,
- &sin2->sin6_addr))
- match = B_TRUE;
- break;
- }
- default:
- ASSERT(0);
+ /*
+ * We have to allocate an ip_xmit_attr_t before we grab
+ * conn_lock and we need to hold conn_lock once we've check
+ * conn_same_as_last_v6 to handle concurrent send* calls on a
+ * socket.
+ */
+ if (msg->msg_controllen == 0) {
+ ixa = conn_get_ixa(connp, B_FALSE);
+ if (ixa == NULL) {
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ return (ENOMEM);
+ }
+ } else {
+ ixa = NULL;
}
+ mutex_enter(&connp->conn_lock);
+ if (udp->udp_delayed_error != 0) {
+ sin6_t *sin2 = (sin6_t *)&udp->udp_delayed_addr;
- *((sin6_t *)&udp->udp_delayed_addr) = sin6_null;
+ error = udp->udp_delayed_error;
+ udp->udp_delayed_error = 0;
- if (match) {
- rw_exit(&udp->udp_rwlock);
- freemsg(mp);
+ /* Compare IP address, port, and family */
+
+ if (sin6->sin6_port == sin2->sin6_port &&
+ IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr,
+ &sin2->sin6_addr) &&
+ sin6->sin6_family == sin2->sin6_family) {
+ mutex_exit(&connp->conn_lock);
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ if (ixa != NULL)
+ ixa_refrele(ixa);
+ return (error);
+ }
+ }
+
+ if (msg->msg_controllen != 0) {
+ mutex_exit(&connp->conn_lock);
+ ASSERT(ixa == NULL);
+ error = udp_output_ancillary(connp, NULL, sin6, mp,
+ NULL, msg, cr, pid);
+ } else if (conn_same_as_last_v6(connp, sin6) &&
+ connp->conn_lastsrcid == srcid &&
+ ipsec_outbound_policy_current(ixa)) {
+ /* udp_output_lastdst drops conn_lock */
+ error = udp_output_lastdst(connp, mp, cr, pid, ixa);
+ } else {
+ /* udp_output_newdst drops conn_lock */
+ error = udp_output_newdst(connp, mp, NULL, sin6,
+ ipversion, cr, pid, ixa);
+ }
+ ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
+ if (us->us_sendto_ignerr)
+ return (0);
+ else
return (error);
+ case AF_INET:
+ sin = (sin_t *)msg->msg_name;
+
+ ipversion = IPV4_VERSION;
+
+ if (sin->sin_addr.s_addr == INADDR_ANY)
+ sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+ /*
+ * We have to allocate an ip_xmit_attr_t before we grab
+ * conn_lock and we need to hold conn_lock once we've check
+ * conn_same_as_last_v6 to handle concurrent send* on a socket.
+ */
+ if (msg->msg_controllen == 0) {
+ ixa = conn_get_ixa(connp, B_FALSE);
+ if (ixa == NULL) {
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ return (ENOMEM);
+ }
+ } else {
+ ixa = NULL;
}
- }
+ mutex_enter(&connp->conn_lock);
+ if (udp->udp_delayed_error != 0) {
+ sin_t *sin2 = (sin_t *)&udp->udp_delayed_addr;
- error = proto_verify_ip_addr(udp->udp_family,
- (struct sockaddr *)msg->msg_name, msg->msg_namelen);
- rw_exit(&udp->udp_rwlock);
+ error = udp->udp_delayed_error;
+ udp->udp_delayed_error = 0;
- if (error != 0) {
- freemsg(mp);
- return (error);
- }
+ /* Compare IP address and port */
- error = udp_send_not_connected(connp, mp,
- (struct sockaddr *)msg->msg_name, msg->msg_namelen, msg, cr,
- curproc->p_pid);
- if (error != 0) {
- UDP_STAT(us, udp_out_err_output);
- freemsg(mp);
+ if (sin->sin_port == sin2->sin_port &&
+ sin->sin_addr.s_addr == sin2->sin_addr.s_addr) {
+ mutex_exit(&connp->conn_lock);
+ BUMP_MIB(&us->us_udp_mib, udpOutErrors);
+ if (ixa != NULL)
+ ixa_refrele(ixa);
+ return (error);
+ }
+ }
+ if (msg->msg_controllen != 0) {
+ mutex_exit(&connp->conn_lock);
+ ASSERT(ixa == NULL);
+ error = udp_output_ancillary(connp, sin, NULL, mp,
+ NULL, msg, cr, pid);
+ } else if (conn_same_as_last_v4(connp, sin) &&
+ ipsec_outbound_policy_current(ixa)) {
+ /* udp_output_lastdst drops conn_lock */
+ error = udp_output_lastdst(connp, mp, cr, pid, ixa);
+ } else {
+ /* udp_output_newdst drops conn_lock */
+ error = udp_output_newdst(connp, mp, sin, NULL,
+ ipversion, cr, pid, ixa);
+ }
+ ASSERT(MUTEX_NOT_HELD(&connp->conn_lock));
+ if (us->us_sendto_ignerr)
+ return (0);
+ else
+ return (error);
+ default:
+ return (EINVAL);
}
- return (udp->udp_dgram_errind ? error : 0);
}
int
@@ -8854,8 +6661,7 @@ udp_fallback(sock_lower_handle_t proto_handle, queue_t *q,
stropt_mp->b_wptr += sizeof (*stropt);
stropt = (struct stroptions *)stropt_mp->b_rptr;
stropt->so_flags = SO_WROFF | SO_HIWAT;
- stropt->so_wroff =
- (ushort_t)(udp->udp_max_hdr_len + udp->udp_us->us_wroff_extra);
+ stropt->so_wroff = connp->conn_wroff;
stropt->so_hiwat = udp->udp_rcv_disply_hiwat;
putnext(RD(q), stropt_mp);
@@ -8881,9 +6687,9 @@ udp_fallback(sock_lower_handle_t proto_handle, queue_t *q,
faddrlen = 0;
opts = 0;
- if (udp->udp_dgram_errind)
+ if (connp->conn_dgram_errind)
opts |= SO_DGRAM_ERRIND;
- if (udp->udp_dontroute)
+ if (connp->conn_ixa->ixa_flags & IXAF_DONTROUTE)
opts |= SO_DONTROUTE;
(*quiesced_cb)(connp->conn_upper_handle, q, &tca,
@@ -8908,9 +6714,9 @@ udp_fallback(sock_lower_handle_t proto_handle, queue_t *q,
/*
* No longer a streams less socket
*/
- rw_enter(&udp->udp_rwlock, RW_WRITER);
+ mutex_enter(&connp->conn_lock);
connp->conn_flags &= ~IPCL_NONSTR;
- rw_exit(&udp->udp_rwlock);
+ mutex_exit(&connp->conn_lock);
mutex_exit(&udp->udp_recv_lock);
@@ -8919,48 +6725,7 @@ udp_fallback(sock_lower_handle_t proto_handle, queue_t *q,
return (0);
}
-static int
-udp_do_getpeername(udp_t *udp, struct sockaddr *sa, uint_t *salenp)
-{
- sin_t *sin = (sin_t *)sa;
- sin6_t *sin6 = (sin6_t *)sa;
-
- ASSERT(RW_LOCK_HELD(&udp->udp_rwlock));
- ASSERT(udp != NULL);
-
- if (udp->udp_state != TS_DATA_XFER)
- return (ENOTCONN);
-
- switch (udp->udp_family) {
- case AF_INET:
- ASSERT(udp->udp_ipversion == IPV4_VERSION);
-
- if (*salenp < sizeof (sin_t))
- return (EINVAL);
-
- *salenp = sizeof (sin_t);
- *sin = sin_null;
- sin->sin_family = AF_INET;
- sin->sin_port = udp->udp_dstport;
- sin->sin_addr.s_addr = V4_PART_OF_V6(udp->udp_v6dst);
- break;
- case AF_INET6:
- if (*salenp < sizeof (sin6_t))
- return (EINVAL);
-
- *salenp = sizeof (sin6_t);
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_port = udp->udp_dstport;
- sin6->sin6_addr = udp->udp_v6dst;
- sin6->sin6_flowinfo = udp->udp_flowinfo;
- break;
- }
-
- return (0);
-}
-
-/* ARGSUSED */
+/* ARGSUSED3 */
int
udp_getpeername(sock_lower_handle_t proto_handle, struct sockaddr *sa,
socklen_t *salenp, cred_t *cr)
@@ -8972,104 +6737,29 @@ udp_getpeername(sock_lower_handle_t proto_handle, struct sockaddr *sa,
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
- ASSERT(udp != NULL);
-
- rw_enter(&udp->udp_rwlock, RW_READER);
-
- error = udp_do_getpeername(udp, sa, salenp);
-
- rw_exit(&udp->udp_rwlock);
-
+ mutex_enter(&connp->conn_lock);
+ if (udp->udp_state != TS_DATA_XFER)
+ error = ENOTCONN;
+ else
+ error = conn_getpeername(connp, sa, salenp);
+ mutex_exit(&connp->conn_lock);
return (error);
}
-static int
-udp_do_getsockname(udp_t *udp, struct sockaddr *sa, uint_t *salenp)
-{
- sin_t *sin = (sin_t *)sa;
- sin6_t *sin6 = (sin6_t *)sa;
-
- ASSERT(udp != NULL);
- ASSERT(RW_LOCK_HELD(&udp->udp_rwlock));
-
- switch (udp->udp_family) {
- case AF_INET:
- ASSERT(udp->udp_ipversion == IPV4_VERSION);
-
- if (*salenp < sizeof (sin_t))
- return (EINVAL);
-
- *salenp = sizeof (sin_t);
- *sin = sin_null;
- sin->sin_family = AF_INET;
- if (udp->udp_state == TS_UNBND) {
- break;
- }
- sin->sin_port = udp->udp_port;
-
- if (!IN6_IS_ADDR_V4MAPPED_ANY(&udp->udp_v6src) &&
- !IN6_IS_ADDR_UNSPECIFIED(&udp->udp_v6src)) {
- sin->sin_addr.s_addr = V4_PART_OF_V6(udp->udp_v6src);
- } else {
- /*
- * INADDR_ANY
- * udp_v6src is not set, we might be bound to
- * broadcast/multicast. Use udp_bound_v6src as
- * local address instead (that could
- * also still be INADDR_ANY)
- */
- sin->sin_addr.s_addr =
- V4_PART_OF_V6(udp->udp_bound_v6src);
- }
- break;
-
- case AF_INET6:
- if (*salenp < sizeof (sin6_t))
- return (EINVAL);
-
- *salenp = sizeof (sin6_t);
- *sin6 = sin6_null;
- sin6->sin6_family = AF_INET6;
- if (udp->udp_state == TS_UNBND) {
- break;
- }
- sin6->sin6_port = udp->udp_port;
-
- if (!IN6_IS_ADDR_UNSPECIFIED(&udp->udp_v6src)) {
- sin6->sin6_addr = udp->udp_v6src;
- } else {
- /*
- * UNSPECIFIED
- * udp_v6src is not set, we might be bound to
- * broadcast/multicast. Use udp_bound_v6src as
- * local address instead (that could
- * also still be UNSPECIFIED)
- */
- sin6->sin6_addr = udp->udp_bound_v6src;
- }
- }
- return (0);
-}
-
-/* ARGSUSED */
+/* ARGSUSED3 */
int
udp_getsockname(sock_lower_handle_t proto_handle, struct sockaddr *sa,
socklen_t *salenp, cred_t *cr)
{
conn_t *connp = (conn_t *)proto_handle;
- udp_t *udp = connp->conn_udp;
int error;
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
- ASSERT(udp != NULL);
- rw_enter(&udp->udp_rwlock, RW_READER);
-
- error = udp_do_getsockname(udp, sa, salenp);
-
- rw_exit(&udp->udp_rwlock);
-
+ mutex_enter(&connp->conn_lock);
+ error = conn_getsockname(connp, sa, salenp);
+ mutex_exit(&connp->conn_lock);
return (error);
}
@@ -9078,7 +6768,6 @@ udp_getsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
void *optvalp, socklen_t *optlen, cred_t *cr)
{
conn_t *connp = (conn_t *)proto_handle;
- udp_t *udp = connp->conn_udp;
int error;
t_uscalar_t max_optbuf_len;
void *optvalp_buf;
@@ -9090,7 +6779,6 @@ udp_getsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
error = proto_opt_check(level, option_name, *optlen, &max_optbuf_len,
udp_opt_obj.odb_opt_des_arr,
udp_opt_obj.odb_opt_arr_cnt,
- udp_opt_obj.odb_topmost_tpiprovider,
B_FALSE, B_TRUE, cr);
if (error != 0) {
if (error < 0)
@@ -9099,28 +6787,22 @@ udp_getsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
}
optvalp_buf = kmem_alloc(max_optbuf_len, KM_SLEEP);
- rw_enter(&udp->udp_rwlock, RW_READER);
len = udp_opt_get(connp, level, option_name, optvalp_buf);
- rw_exit(&udp->udp_rwlock);
-
- if (len < 0) {
- /*
- * Pass on to IP
- */
+ if (len == -1) {
kmem_free(optvalp_buf, max_optbuf_len);
- return (ip_get_options(connp, level, option_name,
- optvalp, optlen, cr));
- } else {
- /*
- * update optlen and copy option value
- */
- t_uscalar_t size = MIN(len, *optlen);
- bcopy(optvalp_buf, optvalp, size);
- bcopy(&size, optlen, sizeof (size));
-
- kmem_free(optvalp_buf, max_optbuf_len);
- return (0);
+ return (EINVAL);
}
+
+ /*
+ * update optlen and copy option value
+ */
+ t_uscalar_t size = MIN(len, *optlen);
+
+ bcopy(optvalp_buf, optvalp, size);
+ bcopy(&size, optlen, sizeof (size));
+
+ kmem_free(optvalp_buf, max_optbuf_len);
+ return (0);
}
int
@@ -9128,7 +6810,6 @@ udp_setsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
const void *optvalp, socklen_t optlen, cred_t *cr)
{
conn_t *connp = (conn_t *)proto_handle;
- udp_t *udp = connp->conn_udp;
int error;
/* All Solaris components should pass a cred for this operation. */
@@ -9137,7 +6818,6 @@ udp_setsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
error = proto_opt_check(level, option_name, optlen, NULL,
udp_opt_obj.odb_opt_des_arr,
udp_opt_obj.odb_opt_arr_cnt,
- udp_opt_obj.odb_topmost_tpiprovider,
B_TRUE, B_FALSE, cr);
if (error != 0) {
@@ -9146,19 +6826,11 @@ udp_setsockopt(sock_lower_handle_t proto_handle, int level, int option_name,
return (error);
}
- rw_enter(&udp->udp_rwlock, RW_WRITER);
error = udp_opt_set(connp, SETFN_OPTCOM_NEGOTIATE, level, option_name,
optlen, (uchar_t *)optvalp, (uint_t *)&optlen, (uchar_t *)optvalp,
NULL, cr);
- rw_exit(&udp->udp_rwlock);
- if (error < 0) {
- /*
- * Pass on to ip
- */
- error = ip_set_options(connp, level, option_name, optvalp,
- optlen, cr);
- }
+ ASSERT(error >= 0);
return (error);
}
@@ -9174,7 +6846,7 @@ udp_clr_flowctrl(sock_lower_handle_t proto_handle)
mutex_exit(&udp->udp_recv_lock);
}
-/* ARGSUSED */
+/* ARGSUSED2 */
int
udp_shutdown(sock_lower_handle_t proto_handle, int how, cred_t *cr)
{
@@ -9204,6 +6876,27 @@ udp_ioctl(sock_lower_handle_t proto_handle, int cmd, intptr_t arg,
/* All Solaris components should pass a cred for this operation. */
ASSERT(cr != NULL);
+ /*
+ * If we don't have a helper stream then create one.
+ * ip_create_helper_stream takes care of locking the conn_t,
+ * so this check for NULL is just a performance optimization.
+ */
+ if (connp->conn_helper_info == NULL) {
+ udp_stack_t *us = connp->conn_udp->udp_us;
+
+ ASSERT(us->us_ldi_ident != NULL);
+
+ /*
+ * Create a helper stream for non-STREAMS socket.
+ */
+ error = ip_create_helper_stream(connp, us->us_ldi_ident);
+ if (error != 0) {
+ ip0dbg(("tcp_ioctl: create of IP helper stream "
+ "failed %d\n", error));
+ return (error);
+ }
+ }
+
switch (cmd) {
case ND_SET:
case ND_GET:
diff --git a/usr/src/uts/common/inet/udp/udp_opt_data.c b/usr/src/uts/common/inet/udp/udp_opt_data.c
index 425d258697..02d9d3f8f8 100644
--- a/usr/src/uts/common/inet/udp/udp_opt_data.c
+++ b/usr/src/uts/common/inet/udp/udp_opt_data.c
@@ -56,227 +56,229 @@
*/
opdes_t udp_opt_arr[] = {
-{ SO_DEBUG, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_DONTROUTE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_USELOOPBACK, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0
+{ SO_DEBUG, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_DONTROUTE, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_USELOOPBACK, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
},
-{ SO_BROADCAST, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_REUSEADDR, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_TYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_SNDTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ SO_BROADCAST, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_REUSEADDR, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_TYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
+{ SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_SNDTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0,
sizeof (struct timeval), 0 },
-{ SO_RCVTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ SO_RCVTIMEO, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0,
sizeof (struct timeval), 0 },
-{ SO_DGRAM_ERRIND, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int),
+{ SO_DGRAM_ERRIND, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
0 },
-{ SO_RECVUCRED, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0
+{ SO_RECVUCRED, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
},
-{ SO_ALLZONES, SOL_SOCKET, OA_R, OA_RW, OP_CONFIG, OP_PASSNEXT, sizeof (int),
+{ SO_ALLZONES, SOL_SOCKET, OA_R, OA_RW, OP_CONFIG, 0, sizeof (int),
0 },
-{ SO_TIMESTAMP, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0
+{ SO_TIMESTAMP, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
},
-{ SO_ANON_MLP, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int),
+{ SO_ANON_MLP, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
0 },
-{ SO_MAC_EXEMPT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int),
+{ SO_MAC_EXEMPT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
0 },
-{ SO_MAC_IMPLICIT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int),
+{ SO_MAC_IMPLICIT, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
0 },
{ SCM_UCRED, SOL_SOCKET, OA_W, OA_W, OP_NP, OP_VARLEN|OP_NODEFAULT, 512, 0 },
-{ SO_EXCLBIND, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_DOMAIN, SOL_SOCKET, OA_R, OA_R, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_PROTOTYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
+{ SO_EXCLBIND, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_DOMAIN, SOL_SOCKET, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
+{ SO_PROTOTYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
{ IP_OPTIONS, IPPROTO_IP, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT),
+ (OP_VARLEN|OP_NODEFAULT),
IP_MAX_OPT_LENGTH + IP_ADDR_LEN, -1 /* not initialized */ },
{ T_IP_OPTIONS, IPPROTO_IP, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT),
+ (OP_VARLEN|OP_NODEFAULT),
IP_MAX_OPT_LENGTH + IP_ADDR_LEN, -1 /* not initialized */ },
-{ IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ T_IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ IP_TTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ IP_RECVOPTS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ IP_RECVDSTADDR, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0
+{ IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ T_IP_TOS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ IP_TTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ IP_RECVOPTS, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ IP_RECVDSTADDR, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
},
-{ IP_RECVIF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ IP_RECVSLLA, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ IP_RECVTTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int),
+{ IP_RECVIF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ IP_RECVSLLA, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ IP_RECVTTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int),
0 },
-{ IP_MULTICAST_IF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IP_MULTICAST_IF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0,
sizeof (struct in_addr), 0 /* INADDR_ANY */ },
-{ IP_MULTICAST_LOOP, IPPROTO_IP, OA_RW, OA_RW, OP_NP, (OP_PASSNEXT|OP_DEF_FN),
+{ IP_MULTICAST_LOOP, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_DEF_FN,
sizeof (uchar_t), -1 /* not initialized */},
-{ IP_MULTICAST_TTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, (OP_PASSNEXT|OP_DEF_FN),
+{ IP_MULTICAST_TTL, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_DEF_FN,
sizeof (uchar_t), -1 /* not initialized */ },
-{ IP_ADD_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IP_ADD_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP, OP_NODEFAULT,
sizeof (struct ip_mreq), -1 /* not initialized */ },
-{ IP_DROP_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IP_DROP_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP, OP_NODEFAULT,
sizeof (struct ip_mreq), -1 /* not initialized */ },
-{ IP_BLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IP_BLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP, OP_NODEFAULT,
sizeof (struct ip_mreq_source), -1 /* not initialized */ },
-{ IP_UNBLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IP_UNBLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP, OP_NODEFAULT,
sizeof (struct ip_mreq_source), -1 /* not initialized */ },
{ IP_ADD_SOURCE_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct ip_mreq_source), -1 },
+ OP_NODEFAULT, sizeof (struct ip_mreq_source), -1 },
{ IP_DROP_SOURCE_MEMBERSHIP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct ip_mreq_source), -1 },
+ OP_NODEFAULT, sizeof (struct ip_mreq_source), -1 },
-{ IP_SEC_OPT, IPPROTO_IP, OA_RW, OA_RW, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IP_SEC_OPT, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_NODEFAULT,
sizeof (ipsec_req_t), -1 /* not initialized */ },
-{ IP_BOUND_IF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IP_BOUND_IF, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 /* no ifindex */ },
-{ IP_DHCPINIT_IF, IPPROTO_IP, OA_R, OA_RW, OP_CONFIG, OP_PASSNEXT,
+{ IP_DHCPINIT_IF, IPPROTO_IP, OA_R, OA_RW, OP_CONFIG, 0,
sizeof (int), 0 },
-{ IP_UNSPEC_SRC, IPPROTO_IP, OA_R, OA_RW, OP_RAW, OP_PASSNEXT,
+{ IP_UNSPEC_SRC, IPPROTO_IP, OA_R, OA_RW, OP_RAW, 0,
sizeof (int), 0 },
{ IP_BROADCAST_TTL, IPPROTO_IP, OA_R, OA_RW, OP_RAW, 0, sizeof (uchar_t),
0 /* disabled */ },
{ IP_PKTINFO, IPPROTO_IP, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT|OP_VARLEN),
+ (OP_NODEFAULT|OP_VARLEN),
sizeof (struct in_pktinfo), -1 /* not initialized */ },
-{ IP_NEXTHOP, IPPROTO_IP, OA_R, OA_RW, OP_CONFIG, OP_PASSNEXT,
+{ IP_NEXTHOP, IPPROTO_IP, OA_R, OA_RW, OP_CONFIG, 0,
sizeof (in_addr_t), -1 /* not initialized */ },
+{ IP_DONTFRAG, IPPROTO_IP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+
{ MCAST_JOIN_GROUP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_req),
+ OP_NODEFAULT, sizeof (struct group_req),
-1 /* not initialized */ },
{ MCAST_LEAVE_GROUP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_req),
+ OP_NODEFAULT, sizeof (struct group_req),
-1 /* not initialized */ },
{ MCAST_BLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
{ MCAST_UNBLOCK_SOURCE, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
{ MCAST_JOIN_SOURCE_GROUP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
{ MCAST_LEAVE_SOURCE_GROUP, IPPROTO_IP, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
-{ IPV6_MULTICAST_IF, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_MULTICAST_IF, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
{ IPV6_MULTICAST_HOPS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_DEF_FN), sizeof (int), -1 /* not initialized */ },
+ OP_DEF_FN, sizeof (int), -1 /* not initialized */ },
{ IPV6_MULTICAST_LOOP, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_DEF_FN), sizeof (int), -1 /* not initialized */},
+ OP_DEF_FN, sizeof (int), -1 /* not initialized */},
-{ IPV6_JOIN_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IPV6_JOIN_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP, OP_NODEFAULT,
sizeof (struct ipv6_mreq), -1 /* not initialized */ },
{ IPV6_LEAVE_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT),
+ OP_NODEFAULT,
sizeof (struct ipv6_mreq), -1 /* not initialized */ },
-{ IPV6_UNICAST_HOPS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, (OP_PASSNEXT|OP_DEF_FN),
+{ IPV6_UNICAST_HOPS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_DEF_FN,
sizeof (int), -1 /* not initialized */ },
-{ IPV6_BOUND_IF, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_BOUND_IF, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 /* no ifindex */ },
-{ IPV6_UNSPEC_SRC, IPPROTO_IPV6, OA_R, OA_RW, OP_RAW, OP_PASSNEXT,
+{ IPV6_UNSPEC_SRC, IPPROTO_IPV6, OA_R, OA_RW, OP_RAW, 0,
sizeof (int), 0 },
{ IPV6_PKTINFO, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT|OP_VARLEN),
+ (OP_NODEFAULT|OP_VARLEN),
sizeof (struct in6_pktinfo), -1 /* not initialized */ },
{ IPV6_HOPLIMIT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT),
+ OP_NODEFAULT,
sizeof (int), -1 /* not initialized */ },
{ IPV6_NEXTHOP, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT|OP_VARLEN),
+ (OP_NODEFAULT|OP_VARLEN),
sizeof (sin6_t), -1 /* not initialized */ },
{ IPV6_HOPOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT),
+ (OP_VARLEN|OP_NODEFAULT),
MAX_EHDR_LEN, -1 /* not initialized */ },
{ IPV6_DSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT),
+ (OP_VARLEN|OP_NODEFAULT),
MAX_EHDR_LEN, -1 /* not initialized */ },
{ IPV6_RTHDRDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT),
+ (OP_VARLEN|OP_NODEFAULT),
MAX_EHDR_LEN, -1 /* not initialized */ },
{ IPV6_RTHDR, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_VARLEN|OP_NODEFAULT),
+ (OP_VARLEN|OP_NODEFAULT),
MAX_EHDR_LEN, -1 /* not initialized */ },
{ IPV6_TCLASS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT),
+ OP_NODEFAULT,
sizeof (int), -1 /* not initialized */ },
{ IPV6_PATHMTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT),
- sizeof (int), -1 /* not initialized */ },
-{ IPV6_DONTFRAG, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+ OP_NODEFAULT,
+ sizeof (struct ip6_mtuinfo), -1 },
+{ IPV6_DONTFRAG, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_USE_MIN_MTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_USE_MIN_MTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_V6ONLY, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_V6ONLY, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVPKTINFO, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVPKTINFO, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVHOPLIMIT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVHOPLIMIT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVHOPOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVHOPOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ _OLD_IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ _OLD_IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVRTHDR, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVRTHDR, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_RECVRTHDRDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_RECVRTHDRDSTOPTS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
{ IPV6_RECVPATHMTU, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP,
- OP_PASSNEXT, sizeof (int), 0 },
-{ IPV6_RECVTCLASS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+ 0, sizeof (int), 0 },
+{ IPV6_RECVTCLASS, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (int), 0 },
-{ IPV6_SEC_OPT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, (OP_PASSNEXT|OP_NODEFAULT),
+{ IPV6_SEC_OPT, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_NODEFAULT,
sizeof (ipsec_req_t), -1 /* not initialized */ },
-{ IPV6_SRC_PREFERENCES, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, OP_PASSNEXT,
+{ IPV6_SRC_PREFERENCES, IPPROTO_IPV6, OA_RW, OA_RW, OP_NP, 0,
sizeof (uint32_t), IPV6_PREFER_SRC_DEFAULT },
{ MCAST_JOIN_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_req),
+ OP_NODEFAULT, sizeof (struct group_req),
-1 /* not initialized */ },
{ MCAST_LEAVE_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_req),
+ OP_NODEFAULT, sizeof (struct group_req),
-1 /* not initialized */ },
{ MCAST_BLOCK_SOURCE, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
{ MCAST_UNBLOCK_SOURCE, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
{ MCAST_JOIN_SOURCE_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
{ MCAST_LEAVE_SOURCE_GROUP, IPPROTO_IPV6, OA_X, OA_X, OP_NP,
- (OP_PASSNEXT|OP_NODEFAULT), sizeof (struct group_source_req),
+ OP_NODEFAULT, sizeof (struct group_source_req),
-1 /* not initialized */ },
-{ UDP_ANONPRIVBIND, IPPROTO_UDP, OA_R, OA_RW, OP_PRIVPORT, OP_PASSNEXT,
+{ UDP_ANONPRIVBIND, IPPROTO_UDP, OA_R, OA_RW, OP_PRIVPORT, 0,
sizeof (int), 0 },
-{ UDP_EXCLBIND, IPPROTO_UDP, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0
+{ UDP_EXCLBIND, IPPROTO_UDP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
},
{ UDP_RCVHDR, IPPROTO_UDP, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0
},
@@ -317,7 +319,6 @@ optdb_obj_t udp_opt_obj = {
udp_opt_default, /* UDP default value function pointer */
udp_tpi_opt_get, /* UDP get function pointer */
udp_tpi_opt_set, /* UDP set function pointer */
- B_TRUE, /* UDP is tpi provider */
UDP_OPT_ARR_CNT, /* UDP option database count of entries */
udp_opt_arr, /* UDP option database */
UDP_VALID_LEVELS_CNT, /* UDP valid level count of entries */
diff --git a/usr/src/uts/common/inet/udp_impl.h b/usr/src/uts/common/inet/udp_impl.h
index 1b4935f456..4da82a0377 100644
--- a/usr/src/uts/common/inet/udp_impl.h
+++ b/usr/src/uts/common/inet/udp_impl.h
@@ -51,84 +51,6 @@ extern "C" {
#define UDP_MOD_ID 5607
-typedef struct udp_bits_s {
-
- uint32_t
-
- udpb_debug : 1, /* SO_DEBUG "socket" option. */
- udpb_dontroute : 1, /* SO_DONTROUTE "socket" option. */
- udpb_broadcast : 1, /* SO_BROADCAST "socket" option. */
- udpb_useloopback : 1, /* SO_USELOOPBACK "socket" option */
-
- udpb_reuseaddr : 1, /* SO_REUSEADDR "socket" option. */
- udpb_dgram_errind : 1, /* SO_DGRAM_ERRIND option */
- udpb_recvdstaddr : 1, /* IP_RECVDSTADDR option */
- udpb_recvopts : 1, /* IP_RECVOPTS option */
-
- udpb_unspec_source : 1, /* IP*_UNSPEC_SRC option */
- udpb_ip_recvpktinfo : 1, /* IPV6_RECVPKTINFO option */
- udpb_ipv6_recvhoplimit : 1, /* IPV6_RECVHOPLIMIT option */
- udpb_ipv6_recvhopopts : 1, /* IPV6_RECVHOPOPTS option */
-
- udpb_ipv6_recvdstopts : 1, /* IPV6_RECVDSTOPTS option */
- udpb_ipv6_recvrthdr : 1, /* IPV6_RECVRTHDR option */
- udpb_ipv6_recvtclass : 1, /* IPV6_RECVTCLASS */
- udpb_ipv6_recvpathmtu : 1, /* IPV6_RECVPATHMTU */
-
- udpb_anon_priv_bind : 1,
- udpb_exclbind : 1, /* ``exclusive'' binding */
- udpb_recvif : 1, /* IP_RECVIF option */
- udpb_recvslla : 1, /* IP_RECVSLLA option */
-
- udpb_recvttl : 1, /* IP_RECVTTL option */
- udpb_recvucred : 1, /* IP_RECVUCRED option */
- udpb_old_ipv6_recvdstopts : 1, /* old form of IPV6_DSTOPTS */
- udpb_ipv6_recvrthdrdstopts : 1, /* IPV6_RECVRTHDRDSTOPTS */
-
- udpb_rcvhdr : 1, /* UDP_RCVHDR option */
- udpb_issocket : 1, /* socket mode; sockfs is on top */
- udpb_timestamp : 1, /* SO_TIMESTAMP "socket" option */
-
- udpb_nat_t_endpoint : 1, /* UDP_NAT_T_ENDPOINT option */
- udpb_pad_to_bit_31 : 4;
-} udp_bits_t;
-
-#define udp_debug udp_bits.udpb_debug
-#define udp_dontroute udp_bits.udpb_dontroute
-#define udp_broadcast udp_bits.udpb_broadcast
-#define udp_useloopback udp_bits.udpb_useloopback
-
-#define udp_reuseaddr udp_bits.udpb_reuseaddr
-#define udp_dgram_errind udp_bits.udpb_dgram_errind
-#define udp_recvdstaddr udp_bits.udpb_recvdstaddr
-#define udp_recvopts udp_bits.udpb_recvopts
-
-#define udp_unspec_source udp_bits.udpb_unspec_source
-#define udp_ip_recvpktinfo udp_bits.udpb_ip_recvpktinfo
-#define udp_ipv6_recvhoplimit udp_bits.udpb_ipv6_recvhoplimit
-#define udp_ipv6_recvhopopts udp_bits.udpb_ipv6_recvhopopts
-
-#define udp_ipv6_recvdstopts udp_bits.udpb_ipv6_recvdstopts
-#define udp_ipv6_recvrthdr udp_bits.udpb_ipv6_recvrthdr
-#define udp_ipv6_recvtclass udp_bits.udpb_ipv6_recvtclass
-#define udp_ipv6_recvpathmtu udp_bits.udpb_ipv6_recvpathmtu
-
-#define udp_anon_priv_bind udp_bits.udpb_anon_priv_bind
-#define udp_exclbind udp_bits.udpb_exclbind
-#define udp_recvif udp_bits.udpb_recvif
-#define udp_recvslla udp_bits.udpb_recvslla
-
-#define udp_recvttl udp_bits.udpb_recvttl
-#define udp_recvucred udp_bits.udpb_recvucred
-#define udp_old_ipv6_recvdstopts udp_bits.udpb_old_ipv6_recvdstopts
-#define udp_ipv6_recvrthdrdstopts udp_bits.udpb_ipv6_recvrthdrdstopts
-
-#define udp_rcvhdr udp_bits.udpb_rcvhdr
-#define udp_issocket udp_bits.udpb_issocket
-#define udp_timestamp udp_bits.udpb_timestamp
-
-#define udp_nat_t_endpoint udp_bits.udpb_nat_t_endpoint
-
/*
* Bind hash list size and hash function. It has to be a power of 2 for
* hashing.
@@ -148,49 +70,21 @@ typedef struct udp_fanout_s {
#endif
} udp_fanout_t;
-/*
- * dev_q is the write side queue of the entity below IP.
- * If there is a module below IP, we can't optimize by looking
- * at q_first of the queue below IP. If the driver is directly
- * below IP and if the q_first is NULL, we optimize by not doing
- * the canput check
- */
-#define DEV_Q_FLOW_BLOCKED(dev_q) \
- (((dev_q)->q_next != NULL || (dev_q)->q_first != NULL) && \
- !canput(dev_q))
-
/* Kstats */
typedef struct udp_stat { /* Class "net" kstats */
- kstat_named_t udp_ip_send;
- kstat_named_t udp_ip_ire_send;
- kstat_named_t udp_ire_null;
kstat_named_t udp_sock_fallback;
- kstat_named_t udp_out_sw_cksum;
- kstat_named_t udp_out_sw_cksum_bytes;
kstat_named_t udp_out_opt;
kstat_named_t udp_out_err_notconn;
kstat_named_t udp_out_err_output;
kstat_named_t udp_out_err_tudr;
- kstat_named_t udp_in_pktinfo;
- kstat_named_t udp_in_recvdstaddr;
- kstat_named_t udp_in_recvopts;
- kstat_named_t udp_in_recvif;
- kstat_named_t udp_in_recvslla;
- kstat_named_t udp_in_recvucred;
- kstat_named_t udp_in_recvttl;
- kstat_named_t udp_in_recvhopopts;
- kstat_named_t udp_in_recvhoplimit;
- kstat_named_t udp_in_recvdstopts;
- kstat_named_t udp_in_recvrtdstopts;
- kstat_named_t udp_in_recvrthdr;
- kstat_named_t udp_in_recvpktinfo;
- kstat_named_t udp_in_recvtclass;
- kstat_named_t udp_in_timestamp;
- kstat_named_t udp_ip_rcvpktinfo;
- kstat_named_t udp_cookie_coll;
#ifdef DEBUG
kstat_named_t udp_data_conn;
kstat_named_t udp_data_notconn;
+ kstat_named_t udp_out_lastdst;
+ kstat_named_t udp_out_diffdst;
+ kstat_named_t udp_out_ipv6;
+ kstat_named_t udp_out_mapped;
+ kstat_named_t udp_out_ipv4;
#endif
} udp_stat_t;
@@ -242,79 +136,43 @@ typedef struct udp_stack udp_stack_t;
/* Internal udp control structure, one per open stream */
typedef struct udp_s {
- krwlock_t udp_rwlock; /* Protects most of udp_t */
- t_scalar_t udp_pending_op; /* The current TPI operation */
/*
- * Following fields up to udp_ipversion protected by conn_lock,
- * and the fanout lock i.e.uf_lock. Need both locks to change the
- * field, either lock is sufficient for reading the field.
+ * The addresses and ports in the conn_t and udp_state are protected by
+ * conn_lock and the fanout lock i.e. uf_lock. Need both locks to change
+ * the fields, either lock is sufficient for reading the field.
+ * conn_lock also protects the content of udp_t.
*/
uint32_t udp_state; /* TPI state */
- in_port_t udp_port; /* Port bound to this stream */
- in_port_t udp_dstport; /* Connected port */
- in6_addr_t udp_v6src; /* Source address of this stream */
- in6_addr_t udp_bound_v6src; /* Explicitly bound address */
- in6_addr_t udp_v6dst; /* Connected destination */
- /*
- * IP format that packets transmitted from this struct should use.
- * Value can be IP4_VERSION or IPV6_VERSION.
- */
- ushort_t udp_ipversion;
- /* Written to only once at the time of opening the endpoint */
- sa_family_t udp_family; /* Family from socket() call */
-
- /* Following protected by udp_rwlock */
- uint32_t udp_flowinfo; /* Connected flow id and tclass */
- uint32_t udp_max_hdr_len; /* For write offset in stream head */
- uint32_t udp_ip_snd_options_len; /* Len of IPv4 options */
- uchar_t *udp_ip_snd_options; /* Ptr to IPv4 options */
- uint32_t udp_ip_rcv_options_len; /* Len of IPv4 options recvd */
- uchar_t *udp_ip_rcv_options; /* Ptr to IPv4 options recvd */
- uchar_t udp_multicast_ttl; /* IP*_MULTICAST_TTL/HOPS */
- ipaddr_t udp_multicast_if_addr; /* IP_MULTICAST_IF option */
- uint_t udp_multicast_if_index; /* IPV6_MULTICAST_IF option */
- int udp_bound_if; /* IP*_BOUND_IF option */
+ ip_pkt_t udp_recv_ipp; /* Used for IPv4 options received */
/* Written to only once at the time of opening the endpoint */
conn_t *udp_connp;
- /* Following protected by udp_rwlock */
- udp_bits_t udp_bits; /* Bit fields defined above */
- uint8_t udp_type_of_service; /* IP_TOS option */
- uint8_t udp_ttl; /* TTL or hoplimit */
- ip6_pkt_t udp_sticky_ipp; /* Sticky options */
- uint8_t *udp_sticky_hdrs; /* Prebuilt IPv6 hdrs */
- uint_t udp_sticky_hdrs_len; /* Incl. ip6h and any ip6i */
+ uint32_t
+ udp_issocket : 1, /* socket mode; sockfs is on top */
+ udp_nat_t_endpoint : 1, /* UDP_NAT_T_ENDPOINT option */
+ udp_rcvhdr : 1, /* UDP_RCVHDR option */
+
+ udp_pad_to_bit_31 : 29;
/* Following 2 fields protected by the uf_lock */
struct udp_s *udp_bind_hash; /* Bind hash chain */
struct udp_s **udp_ptpbhn; /* Pointer to previous bind hash next. */
- /* Following protected by udp_rwlock */
kmutex_t udp_recv_lock; /* recv lock */
size_t udp_rcv_disply_hiwat; /* user's view of rcvbuf */
size_t udp_rcv_hiwat; /* receive high watermark */
- size_t udp_rcv_lowat; /* receive low watermark */
- size_t udp_xmit_hiwat; /* Send buffer high watermark */
- size_t udp_xmit_lowat; /* Send buffer low watermark */
- uint_t udp_label_len; /* length of security label */
- uint_t udp_label_len_v6; /* len of v6 security label */
- in6_addr_t udp_v6lastdst; /* most recent destination */
- in_port_t udp_lastdstport; /* most recent dest port */
- cred_t *udp_last_cred; /* most recent credentials */
- cred_t *udp_effective_cred; /* cred with effective label */
-
- uint64_t udp_open_time; /* time when this was opened */
- pid_t udp_open_pid; /* process id when this was opened */
+
+ /* Set at open time and never changed */
udp_stack_t *udp_us; /* Stack instance for zone */
+
int udp_delayed_error;
mblk_t *udp_fallback_queue_head;
mblk_t *udp_fallback_queue_tail;
struct sockaddr_storage udp_delayed_addr;
} udp_t;
-/* UDP Protocol header */
/* UDP Protocol header aligned */
typedef struct udpahdr_s {
in_port_t uha_src_port; /* Source port */
@@ -334,6 +192,8 @@ typedef struct udpahdr_s {
#define us_xmit_lowat us_param_arr[8].udp_param_value
#define us_recv_hiwat us_param_arr[9].udp_param_value
#define us_max_buf us_param_arr[10].udp_param_value
+#define us_pmtu_discovery us_param_arr[11].udp_param_value
+#define us_sendto_ignerr us_param_arr[12].udp_param_value
#define UDP_STAT(us, x) ((us)->us_statistics.x.value.ui64++)
@@ -348,14 +208,11 @@ typedef struct udpahdr_s {
extern int udp_opt_default(queue_t *, t_scalar_t, t_scalar_t, uchar_t *);
extern int udp_tpi_opt_get(queue_t *, t_scalar_t, t_scalar_t, uchar_t *);
extern int udp_tpi_opt_set(queue_t *, uint_t, int, int, uint_t, uchar_t *,
- uint_t *, uchar_t *, void *, cred_t *, mblk_t *);
+ uint_t *, uchar_t *, void *, cred_t *);
extern mblk_t *udp_snmp_get(queue_t *, mblk_t *);
extern int udp_snmp_set(queue_t *, t_scalar_t, t_scalar_t, uchar_t *, int);
-extern void udp_close_free(conn_t *);
-extern void udp_quiesce_conn(conn_t *);
extern void udp_ddi_g_init(void);
extern void udp_ddi_g_destroy(void);
-extern void udp_g_q_inactive(udp_stack_t *);
extern void udp_output(conn_t *connp, mblk_t *mp, struct sockaddr *addr,
socklen_t addrlen);
extern void udp_wput(queue_t *, mblk_t *);
diff --git a/usr/src/uts/common/io/dld/dld_proto.c b/usr/src/uts/common/io/dld/dld_proto.c
index 338a1c96d0..79b88ca659 100644
--- a/usr/src/uts/common/io/dld/dld_proto.c
+++ b/usr/src/uts/common/io/dld/dld_proto.c
@@ -1478,7 +1478,7 @@ dld_capab_lso(dld_str_t *dsp, void *data, uint_t flags)
lso->lso_flags = 0;
/* translate the flag for mac clients */
if ((mac_lso.lso_flags & LSO_TX_BASIC_TCP_IPV4) != 0)
- lso->lso_flags |= DLD_LSO_TX_BASIC_TCP_IPV4;
+ lso->lso_flags |= DLD_LSO_BASIC_TCP_IPV4;
dsp->ds_lso = B_TRUE;
dsp->ds_lso_max = lso->lso_max;
} else {
diff --git a/usr/src/uts/common/io/ib/clients/rds/rds_opt.c b/usr/src/uts/common/io/ib/clients/rds/rds_opt.c
index 902d838ff4..639bb28bcc 100644
--- a/usr/src/uts/common/io/ib/clients/rds/rds_opt.c
+++ b/usr/src/uts/common/io/ib/clients/rds/rds_opt.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -29,9 +29,9 @@
#define rds_max_buf 2097152
opdes_t rds_opt_arr[] = {
-{ SO_TYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
-{ SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, OP_PASSNEXT, sizeof (int), 0 },
+{ SO_TYPE, SOL_SOCKET, OA_R, OA_R, OP_NP, 0, sizeof (int), 0 },
+{ SO_SNDBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
+{ SO_RCVBUF, SOL_SOCKET, OA_RW, OA_RW, OP_NP, 0, sizeof (int), 0 },
};
/* ARGSUSED */
@@ -79,7 +79,7 @@ rds_opt_get(queue_t *q, t_scalar_t level, t_scalar_t name, uchar_t *ptr)
int
rds_opt_set(queue_t *q, uint_t optset_context, int level,
int name, uint_t inlen, uchar_t *invalp, uint_t *outlenp,
- uchar_t *outvalp, void *thisdg_attrs, cred_t *cr, mblk_t *mblk)
+ uchar_t *outvalp, void *thisdg_attrs, cred_t *cr)
{
int *i1 = (int *)(uintptr_t)invalp;
boolean_t checkonly;
@@ -187,7 +187,6 @@ optdb_obj_t rds_opt_obj = {
rds_opt_default, /* RDS default value function pointer */
rds_opt_get, /* RDS get function pointer */
rds_opt_set, /* RDS set function pointer */
- B_TRUE, /* RDS is tpi provider */
RDS_OPT_ARR_CNT, /* RDS option database count of entries */
rds_opt_arr, /* RDS option database */
RDS_VALID_LEVELS_CNT, /* RDS valid level count of entries */
diff --git a/usr/src/uts/common/io/ib/clients/rds/rdsddi.c b/usr/src/uts/common/io/ib/clients/rds/rdsddi.c
index a4a9c6c8e0..13a1d4bf75 100644
--- a/usr/src/uts/common/io/ib/clients/rds/rdsddi.c
+++ b/usr/src/uts/common/io/ib/clients/rds/rdsddi.c
@@ -654,11 +654,9 @@ rds_wput_other(queue_t *q, mblk_t *mp)
}
if (((union T_primitives *)(uintptr_t)rptr)->type ==
T_SVR4_OPTMGMT_REQ) {
- (void) svr4_optcom_req(q, mp, cr, &rds_opt_obj,
- B_FALSE);
+ svr4_optcom_req(q, mp, cr, &rds_opt_obj);
} else {
- (void) tpi_optcom_req(q, mp, cr, &rds_opt_obj,
- B_FALSE);
+ tpi_optcom_req(q, mp, cr, &rds_opt_obj);
}
return;
case T_CONN_REQ:
diff --git a/usr/src/uts/common/io/ib/clients/rds/rdssubr.c b/usr/src/uts/common/io/ib/clients/rds/rdssubr.c
index 8e57cb783d..f9bbcd092f 100644
--- a/usr/src/uts/common/io/ib/clients/rds/rdssubr.c
+++ b/usr/src/uts/common/io/ib/clients/rds/rdssubr.c
@@ -19,12 +19,10 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/ib/clients/rds/rds.h>
#include <sys/ib/clients/rds/rds_kstat.h>
@@ -135,9 +133,9 @@ rds_init()
* kstats
*/
rds_kstatsp = kstat_create("rds", 0,
- "rds_kstat", "misc", KSTAT_TYPE_NAMED,
- sizeof (rds_kstat) / sizeof (kstat_named_t),
- KSTAT_FLAG_VIRTUAL | KSTAT_FLAG_WRITABLE);
+ "rds_kstat", "misc", KSTAT_TYPE_NAMED,
+ sizeof (rds_kstat) / sizeof (kstat_named_t),
+ KSTAT_FLAG_VIRTUAL | KSTAT_FLAG_WRITABLE);
if (rds_kstatsp != NULL) {
rds_kstatsp->ks_lock = &rds_kstat_mutex;
rds_kstatsp->ks_data = (void *)&rds_kstat;
@@ -298,17 +296,14 @@ rds_fanout(ipaddr_t local_addr, ipaddr_t rem_addr,
boolean_t
rds_islocal(ipaddr_t addr)
{
- ire_t *ire;
ip_stack_t *ipst;
ipst = netstack_find_by_zoneid(GLOBAL_ZONEID)->netstack_ip;
ASSERT(ipst != NULL);
-
- ire = ire_ctable_lookup(addr, NULL, IRE_LOCAL | IRE_LOOPBACK |
- IRE_BROADCAST, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- netstack_rele(ipst->ips_netstack);
- if (ire == NULL)
+ if (ip_laddr_verify_v4(addr, ALL_ZONES, ipst, B_FALSE) == IPVL_BAD) {
+ netstack_rele(ipst->ips_netstack);
return (B_FALSE);
- ire_refrele(ire);
+ }
+ netstack_rele(ipst->ips_netstack);
return (B_TRUE);
}
diff --git a/usr/src/uts/common/io/ib/mgt/ibcm/ibcm_arp.c b/usr/src/uts/common/io/ib/mgt/ibcm/ibcm_arp.c
index 944e61a067..3bb7d3a98c 100644
--- a/usr/src/uts/common/io/ib/mgt/ibcm/ibcm_arp.c
+++ b/usr/src/uts/common/io/ib/mgt/ibcm/ibcm_arp.c
@@ -26,41 +26,28 @@
#include <sys/types.h>
#include <sys/ddi.h>
#include <sys/sunddi.h>
-#include <sys/stropts.h>
-#include <sys/stream.h>
-#include <sys/strsun.h>
#include <sys/strsubr.h>
#include <sys/socket.h>
-#include <sys/stat.h>
#include <net/if_arp.h>
#include <net/if_types.h>
-#include <sys/file.h>
#include <sys/sockio.h>
#include <sys/pathname.h>
-#include <inet/arp.h>
-#include <sys/modctl.h>
#include <sys/ib/mgt/ibcm/ibcm_arp.h>
#include <sys/kstr.h>
-#include <sys/tiuser.h>
#include <sys/t_kuser.h>
extern char cmlog[];
-extern int ibcm_arp_pr_lookup(ibcm_arp_streams_t *ib_s, ibt_ip_addr_t *dst_addr,
- ibt_ip_addr_t *src_addr, ibcm_arp_pr_comp_func_t func);
-extern void ibcm_arp_pr_arp_ack(mblk_t *mp);
-extern void ibcm_arp_prwqn_delete(ibcm_arp_prwqn_t *wqnp);
+extern int ibcm_resolver_pr_lookup(ibcm_arp_streams_t *ib_s,
+ ibt_ip_addr_t *dst_addr, ibt_ip_addr_t *src_addr);
+extern void ibcm_arp_delete_prwqn(ibcm_arp_prwqn_t *wqnp);
-_NOTE(SCHEME_PROTECTS_DATA("Unshared data", datab))
_NOTE(SCHEME_PROTECTS_DATA("Unshared data", ibt_ip_addr_s))
_NOTE(SCHEME_PROTECTS_DATA("Unshared data", ibcm_arp_ip_t))
_NOTE(SCHEME_PROTECTS_DATA("Unshared data", ibcm_arp_ibd_insts_t))
_NOTE(SCHEME_PROTECTS_DATA("Unshared data", ibcm_arp_prwqn_t))
-_NOTE(SCHEME_PROTECTS_DATA("Unshared data", iocblk))
-_NOTE(SCHEME_PROTECTS_DATA("Unshared data", msgb))
-_NOTE(SCHEME_PROTECTS_DATA("Unshared data", queue))
_NOTE(SCHEME_PROTECTS_DATA("Unshared data", sockaddr_in))
_NOTE(SCHEME_PROTECTS_DATA("Unshared data", sockaddr_in6))
@@ -89,269 +76,6 @@ ibcm_ip_print(char *label, ibt_ip_addr_t *ipaddr)
}
}
-/*
- * ibcm_arp_get_ibaddr_cb
- */
-static int
-ibcm_arp_get_ibaddr_cb(void *arg, int status)
-{
- ibcm_arp_prwqn_t *wqnp = (ibcm_arp_prwqn_t *)arg;
- ibcm_arp_streams_t *ib_s = (ibcm_arp_streams_t *)wqnp->arg;
-
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_get_ibaddr_cb(ib_s: %p wqnp: %p)",
- ib_s, wqnp);
-
- mutex_enter(&ib_s->lock);
- ib_s->status = status;
- ib_s->done = B_TRUE;
-
- IBTF_DPRINTF_L3(cmlog, "ibcm_arp_get_ibaddr_cb: SGID %llX:%llX "
- "DGID: %llX:%llX", wqnp->sgid.gid_prefix, wqnp->sgid.gid_guid,
- wqnp->dgid.gid_prefix, wqnp->dgid.gid_guid);
-
- /* lock is held by the caller. */
- cv_signal(&ib_s->cv);
- mutex_exit(&ib_s->lock);
- return (0);
-}
-
-/*
- * Lower read service procedure (messages coming back from arp/ip).
- * Process messages based on queue type.
- */
-static int
-ibcm_arp_lrsrv(queue_t *q)
-{
- mblk_t *mp;
- ibcm_arp_streams_t *ib_s = q->q_ptr;
-
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_lrsrv(%p, ibd_s: 0x%p)", q, ib_s);
-
- if (WR(q) == ib_s->arpqueue) {
- while (mp = getq(q)) {
- ibcm_arp_pr_arp_ack(mp);
- }
- }
-
- return (0);
-}
-
-/*
- * Lower write service procedure.
- * Used when lower streams are flow controlled.
- */
-static int
-ibcm_arp_lwsrv(queue_t *q)
-{
- mblk_t *mp;
-
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_lwsrv(%p)", q);
-
- while (mp = getq(q)) {
- if (canputnext(q)) {
- putnext(q, mp);
- } else {
- (void) putbq(q, mp);
- qenable(q);
- break;
- }
- }
-
- return (0);
-}
-
-/*
- * Lower read put procedure. Arp/ip messages come here.
- */
-static int
-ibcm_arp_lrput(queue_t *q, mblk_t *mp)
-{
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_lrput(0x%p, db_type: %d)",
- q, DB_TYPE(mp));
-
- switch (DB_TYPE(mp)) {
- case M_FLUSH:
- /*
- * Turn around
- */
- if (*mp->b_rptr & FLUSHW) {
- *mp->b_rptr &= ~FLUSHR;
- qreply(q, mp);
- return (0);
- }
- freemsg(mp);
- break;
- case M_IOCACK:
- case M_IOCNAK:
- case M_DATA:
- /*
- * This could be in interrupt context.
- * Some of the ibt calls cannot be called in
- * interrupt context, so
- * put it in the queue and the message will be
- * processed by service proccedure
- */
- (void) putq(q, mp);
- qenable(q);
- break;
- default:
- IBTF_DPRINTF_L2(cmlog, "ibcm_arp_lrput: "
- "got unknown msg <0x%x>\n", mp->b_datap->db_type);
- ASSERT(0);
- break;
- }
-
- return (0);
-}
-
-/*
- * Streams write queue module info
- */
-static struct module_info ibcm_arp_winfo = {
- 0, /* module ID number */
- "ibcm", /* module name */
- 0, /* min packet size */
- INFPSZ,
- 49152, /* STREAM queue high water mark -- 49152 */
- 12 /* STREAM queue low water mark -- 12 */
-};
-
-/*
- * Streams lower write queue, for ibcm/ip requests.
- */
-static struct qinit ibcm_arp_lwinit = {
- NULL, /* qi_putp */
- ibcm_arp_lwsrv, /* qi_srvp */
- NULL, /* qi_qopen */
- NULL, /* qi_qclose */
- NULL, /* qi_qadmin */
- &ibcm_arp_winfo, /* module info */
- NULL, /* module statistics struct */
- NULL,
- NULL,
- STRUIOT_NONE /* stream uio type is standard uiomove() */
-};
-
-/*
- * Streams lower read queue: read reply messages from ibcm/ip.
- */
-static struct qinit ibcm_arp_lrinit = {
- ibcm_arp_lrput, /* qi_putp */
- ibcm_arp_lrsrv, /* qi_srvp */
- NULL, /* qi_qopen */
- NULL, /* qi_qclose */
- NULL, /* qi_qadmin */
- &ibcm_arp_winfo, /* module info */
- NULL, /* module statistics struct */
- NULL,
- NULL,
- STRUIOT_NONE /* stream uio type is standard uiomove() */
-};
-
-
-static int
-ibcm_arp_link_driver(ibcm_arp_streams_t *ib_s, char *path, queue_t **q,
- vnode_t **dev_vp)
-{
- struct stdata *dev_stp;
- vnode_t *vp;
- int error;
- queue_t *rq;
-
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_link_driver: Enter: %s", path);
-
- /* open the driver from inside the kernel */
- error = vn_open(path, UIO_SYSSPACE, FREAD|FWRITE, 0, &vp,
- 0, NULL);
- if (error) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_arp_link_driver: "
- "vn_open('%s') failed\n", path);
- return (error);
- }
- *dev_vp = vp;
-
- dev_stp = vp->v_stream;
- *q = dev_stp->sd_wrq;
-
- VN_HOLD(vp);
-
- rq = RD(dev_stp->sd_wrq);
- RD(rq)->q_ptr = WR(rq)->q_ptr = ib_s;
- setq(rq, &ibcm_arp_lrinit, &ibcm_arp_lwinit, NULL, QMTSAFE,
- SQ_CI|SQ_CO, B_FALSE);
-
- return (0);
-}
-
-extern struct qinit strdata;
-extern struct qinit stwdata;
-
-/*
- * Unlink ip, ibcm, icmp6 drivers
- */
-/* ARGSUSED */
-static int
-ibcm_arp_unlink_driver(queue_t **q, vnode_t **dev_vp)
-{
- vnode_t *vp = *dev_vp;
- struct stdata *dev_stp = vp->v_stream;
- queue_t *wrq, *rq;
- int rc;
-
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_unlink_driver: Enter: 0x%p", q);
-
- wrq = dev_stp->sd_wrq;
- rq = RD(wrq);
-
- disable_svc(rq);
- wait_svc(rq);
- flushq(rq, FLUSHALL);
- flushq(WR(rq), FLUSHALL);
-
- rq->q_ptr = wrq->q_ptr = dev_stp;
-
- setq(rq, &strdata, &stwdata, NULL, QMTSAFE, SQ_CI|SQ_CO, B_TRUE);
-
- if ((rc = VOP_CLOSE(vp, FREAD, 1, (offset_t)0, CRED(), NULL)) != 0) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_arp_unlink_driver: VOP_CLOSE "
- "failed %d\n", rc);
- }
- VN_RELE(vp);
-
- return (0);
-}
-
-static int
-ibcm_arp_unlink_drivers(ibcm_arp_streams_t *ib_s)
-{
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_unlink_drivers(%p)", ib_s);
-
- if (ib_s->arpqueue) {
- (void) ibcm_arp_unlink_driver(&ib_s->arpqueue, &ib_s->arp_vp);
- }
-
- return (0);
-}
-
-/*
- * Link ip, ibtl drivers below ibtl
- */
-static int
-ibcm_arp_link_drivers(ibcm_arp_streams_t *ib_s)
-{
- int rc;
-
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_link_drivers(%p)", ib_s);
-
- if ((rc = ibcm_arp_link_driver(ib_s, "/dev/arp", &ib_s->arpqueue,
- &ib_s->arp_vp)) != 0) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_arp_link_drivers: "
- "ibcm_arp_link_driver failed: %d\n", rc);
- return (rc);
- }
-
- return (0);
-}
ibt_status_t
ibcm_arp_get_ibaddr(ibt_ip_addr_t srcaddr, ibt_ip_addr_t destaddr,
@@ -370,21 +94,13 @@ ibcm_arp_get_ibaddr(ibt_ip_addr_t srcaddr, ibt_ip_addr_t destaddr,
mutex_init(&ib_s->lock, NULL, MUTEX_DEFAULT, NULL);
cv_init(&ib_s->cv, NULL, CV_DRIVER, NULL);
- ret = ibcm_arp_link_drivers(ib_s);
- if (ret != 0) {
- IBTF_DPRINTF_L3(cmlog, "ibcm_arp_get_ibaddr: "
- "ibcm_arp_link_drivers failed %d", ret);
- goto arp_ibaddr_error;
- }
-
mutex_enter(&ib_s->lock);
ib_s->done = B_FALSE;
mutex_exit(&ib_s->lock);
- ret = ibcm_arp_pr_lookup(ib_s, &destaddr, &srcaddr,
- ibcm_arp_get_ibaddr_cb);
+ ret = ibcm_resolver_pr_lookup(ib_s, &destaddr, &srcaddr);
- IBTF_DPRINTF_L3(cmlog, "ibcm_arp_get_ibaddr: ibcm_arp_pr_lookup "
+ IBTF_DPRINTF_L3(cmlog, "ibcm_arp_get_ibaddr: ibcm_resolver_pr_lookup "
"returned: %d", ret);
if (ret == 0) {
mutex_enter(&ib_s->lock);
@@ -393,7 +109,6 @@ ibcm_arp_get_ibaddr(ibt_ip_addr_t srcaddr, ibt_ip_addr_t destaddr,
mutex_exit(&ib_s->lock);
}
- (void) ibcm_arp_unlink_drivers(ib_s);
mutex_enter(&ib_s->lock);
wqnp = ib_s->wqnp;
if (ib_s->status == 0) {
@@ -407,11 +122,11 @@ ibcm_arp_get_ibaddr(ibt_ip_addr_t srcaddr, ibt_ip_addr_t destaddr,
ib_s->wqnp->sgid.gid_prefix, ib_s->wqnp->sgid.gid_guid,
ib_s->wqnp->dgid.gid_prefix, ib_s->wqnp->dgid.gid_guid);
- ibcm_arp_prwqn_delete(wqnp);
+ ibcm_arp_delete_prwqn(wqnp);
} else if (ret == 0) {
/*
* We come here only when lookup has returned empty (failed)
- * via callback routine - ibcm_arp_get_ibaddr_cb
+ * via callback routine.
* i.e. ib_s->status is non-zero, while ret is zero.
*/
if (wqnp)
@@ -884,20 +599,3 @@ srcip_plist_end:
return (ret);
}
-/* Routines for warlock */
-
-/* ARGSUSED */
-static int
-ibcm_arp_dummy_ibaddr_hdl(void *arg, int status)
-{
- ibcm_arp_prwqn_t dummy_wqn1;
- ibcm_arp_prwqn_t dummy_wqn2;
-
- dummy_wqn1.func = ibcm_arp_get_ibaddr_cb;
- dummy_wqn2.func = ibcm_arp_dummy_ibaddr_hdl;
-
- IBTF_DPRINTF_L5(cmlog, "ibcm_arp_dummy_ibaddr_hdl: "
- "dummy_wqn1.func %p %p", dummy_wqn1.func, dummy_wqn2.func);
-
- return (0);
-}
diff --git a/usr/src/uts/common/io/ib/mgt/ibcm/ibcm_arp_link.c b/usr/src/uts/common/io/ib/mgt/ibcm/ibcm_arp_link.c
index 79d420d467..45fbfd7932 100644
--- a/usr/src/uts/common/io/ib/mgt/ibcm/ibcm_arp_link.c
+++ b/usr/src/uts/common/io/ib/mgt/ibcm/ibcm_arp_link.c
@@ -24,309 +24,32 @@
*/
#include <sys/types.h>
-#include <sys/stream.h>
-#include <sys/dlpi.h>
-#include <sys/stropts.h>
-#include <sys/strsun.h>
-#include <sys/sysmacros.h>
-#include <sys/strlog.h>
-#include <sys/ddi.h>
-#include <sys/cmn_err.h>
-#include <sys/socket.h>
#include <net/if.h>
#include <net/if_types.h>
-#include <netinet/in.h>
-#include <sys/ethernet.h>
-#include <inet/arp.h>
#include <inet/ip.h>
#include <inet/ip_ire.h>
#include <inet/ip_if.h>
#include <sys/ib/mgt/ibcm/ibcm_arp.h>
-#include <inet/ip_ftable.h>
-
-static areq_t ibcm_arp_areq_template = {
- AR_ENTRY_QUERY, /* cmd */
- sizeof (areq_t) + (2 * IP_ADDR_LEN), /* name offset */
- sizeof (areq_t), /* name len */
- IP_ARP_PROTO_TYPE, /* protocol, from arps perspective */
- sizeof (areq_t), /* target addr offset */
- IP_ADDR_LEN, /* target ADDR_length */
- 0, /* flags */
- sizeof (areq_t) + IP_ADDR_LEN, /* sender addr offset */
- IP_ADDR_LEN, /* sender addr length */
- IBCM_ARP_XMIT_COUNT, /* xmit_count */
- IBCM_ARP_XMIT_INTERVAL, /* (re)xmit_interval in milliseconds */
- 4 /* max # of requests to buffer */
- /*
- * anything else filled in by the code
- */
-};
-
-static area_t ibcm_arp_area_template = {
- AR_ENTRY_ADD, /* cmd */
- sizeof (area_t) + IPOIB_ADDRL + (2 * IP_ADDR_LEN), /* name offset */
- sizeof (area_t), /* name len */
- IP_ARP_PROTO_TYPE, /* protocol, from arps perspective */
- sizeof (area_t), /* proto addr offset */
- IP_ADDR_LEN, /* proto ADDR_length */
- sizeof (area_t) + (IP_ADDR_LEN), /* proto mask offset */
- 0, /* flags */
- sizeof (area_t) + (2 * IP_ADDR_LEN), /* hw addr offset */
- IPOIB_ADDRL /* hw addr length */
-};
extern char cmlog[];
-_NOTE(SCHEME_PROTECTS_DATA("Unshared data", msgb))
-_NOTE(SCHEME_PROTECTS_DATA("Unshared data", area_t))
_NOTE(SCHEME_PROTECTS_DATA("Unshared data", ibcm_arp_streams_t))
-static void ibcm_arp_timeout(void *arg);
-static void ibcm_arp_pr_callback(ibcm_arp_prwqn_t *wqnp, int status);
-static void ibcm_ipv6_resolver_ack(ip2mac_t *, void *);
-static int ibcm_ipv6_lookup(ibcm_arp_prwqn_t *wqnp, ill_t *ill, zoneid_t zid);
-
-/*
- * issue a AR_ENTRY_QUERY to arp driver and schedule a timeout.
- */
-static int
-ibcm_arp_query_arp(ibcm_arp_prwqn_t *wqnp)
-{
- int len;
- int name_len;
- int name_offset;
- char *cp;
- mblk_t *mp;
- mblk_t *mp1;
- areq_t *areqp;
- ibcm_arp_streams_t *ib_s = (ibcm_arp_streams_t *)wqnp->arg;
-
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_query_arp(ib_s: %p wqnp: %p)",
- ib_s, wqnp);
-
- name_offset = ibcm_arp_areq_template.areq_name_offset;
-
- /*
- * allocate mblk for AR_ENTRY_QUERY
- */
- name_len = strlen(wqnp->ifname) + 1;
- len = name_len + name_offset;
- if ((mp = allocb(len, BPRI_HI)) == NULL) {
- return (ENOMEM);
- }
- bzero(mp->b_rptr, len);
- mp->b_wptr += len;
-
- /*
- * allocate a mblk and set wqnp in the data
- */
- if ((mp1 = allocb(sizeof (void *), BPRI_HI)) == NULL) {
- freeb(mp);
- return (ENOMEM);
- }
-
- mp1->b_wptr += sizeof (void *);
- *(uintptr_t *)(void *)mp1->b_rptr = (uintptr_t)wqnp; /* store wqnp */
-
- cp = (char *)mp->b_rptr;
- bcopy(&ibcm_arp_areq_template, cp, sizeof (areq_t));
- areqp = (void *)cp;
- areqp->areq_name_length = name_len;
-
- cp = (char *)areqp + areqp->areq_name_offset;
- bcopy(wqnp->ifname, cp, name_len);
-
- areqp->areq_proto = wqnp->ifproto;
- bcopy(&wqnp->ifproto, areqp->areq_sap, 2);
- cp = (char *)areqp + areqp->areq_target_addr_offset;
- bcopy(&wqnp->dst_addr.un.ip4addr, cp, IP_ADDR_LEN);
- cp = (char *)areqp + areqp->areq_sender_addr_offset;
- bcopy(&wqnp->src_addr.un.ip4addr, cp, IP_ADDR_LEN);
-
- mp->b_cont = mp1;
-
- DB_TYPE(mp) = M_PROTO;
-
- /*
- * issue the request to arp
- */
- wqnp->flags |= IBCM_ARP_PR_RESOLVE_PENDING;
- wqnp->timeout_id = timeout(ibcm_arp_timeout, wqnp,
- drv_usectohz(IBCM_ARP_TIMEOUT * 1000));
- if (canputnext(ib_s->arpqueue)) {
- putnext(ib_s->arpqueue, mp);
- } else {
- (void) putq(ib_s->arpqueue, mp);
- qenable(ib_s->arpqueue);
- }
-
- return (0);
-}
-
-/*
- * issue AR_ENTRY_SQUERY to arp driver
- */
-static int
-ibcm_arp_squery_arp(ibcm_arp_prwqn_t *wqnp)
-{
- int len;
- int name_len;
- char *cp;
- mblk_t *mp;
- mblk_t *mp1;
- area_t *areap;
- uint32_t proto_mask = 0xffffffff;
- struct iocblk *ioc;
- ibcm_arp_streams_t *ib_s = (ibcm_arp_streams_t *)wqnp->arg;
-
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_squery_arp(ib_s: %p wqnp: %p)",
- ib_s, wqnp);
-
- /*
- * allocate mblk for AR_ENTRY_SQUERY
- */
- name_len = strlen(wqnp->ifname) + 1;
- len = ibcm_arp_area_template.area_name_offset + name_len +
- sizeof (uintptr_t);
- if ((mp = allocb(len, BPRI_HI)) == NULL) {
- return (ENOMEM);
- }
- bzero(mp->b_rptr, len);
- mp->b_wptr += len + sizeof (uintptr_t);
-
- *(uintptr_t *)(void *)mp->b_rptr = (uintptr_t)wqnp; /* store wqnp */
- mp->b_rptr += sizeof (uintptr_t);
-
-
- cp = (char *)mp->b_rptr;
- bcopy(&ibcm_arp_area_template, cp, sizeof (area_t));
-
- areap = (void *)cp;
- areap->area_cmd = AR_ENTRY_SQUERY;
- areap->area_name_length = name_len;
- cp = (char *)areap + areap->area_name_offset;
- bcopy(wqnp->ifname, cp, name_len);
-
- cp = (char *)areap + areap->area_proto_addr_offset;
- bcopy(&wqnp->dst_addr.un.ip4addr, cp, IP_ADDR_LEN);
-
- cp = (char *)areap + areap->area_proto_mask_offset;
- bcopy(&proto_mask, cp, IP_ADDR_LEN);
-
- mp1 = allocb(sizeof (struct iocblk), BPRI_HI);
- if (mp1 == NULL) {
- freeb(mp);
- return (ENOMEM);
- }
- ioc = (void *)mp1->b_rptr;
- ioc->ioc_cmd = AR_ENTRY_SQUERY;
- ioc->ioc_error = 0;
- ioc->ioc_cr = NULL;
- ioc->ioc_count = msgdsize(mp);
- mp1->b_wptr += sizeof (struct iocblk);
- mp1->b_cont = mp;
-
- DB_TYPE(mp1) = M_IOCTL;
-
- if (canputnext(ib_s->arpqueue)) {
- putnext(ib_s->arpqueue, mp1);
- } else {
- (void) putq(ib_s->arpqueue, mp1);
- qenable(ib_s->arpqueue);
- }
- return (0);
-}
-
-/*
- * issue a AR_ENTRY_ADD to arp driver
- * This is required as arp driver does not maintain a cache.
- */
-static int
-ibcm_arp_add(ibcm_arp_prwqn_t *wqnp)
-{
- int len;
- int name_len;
- char *cp;
- mblk_t *mp;
- area_t *areap;
- uint32_t proto_mask = 0xffffffff;
- ibcm_arp_streams_t *ib_s = (ibcm_arp_streams_t *)wqnp->arg;
-
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_add(ib_s: %p wqnp: %p)", ib_s, wqnp);
-
- /*
- * allocate mblk for AR_ENTRY_ADD
- */
-
- name_len = strlen(wqnp->ifname) + 1;
- len = ibcm_arp_area_template.area_name_offset + name_len;
- if ((mp = allocb(len, BPRI_HI)) == NULL) {
- return (ENOMEM);
- }
- bzero(mp->b_rptr, len);
- mp->b_wptr += len;
-
- cp = (char *)mp->b_rptr;
- bcopy(&ibcm_arp_area_template, cp, sizeof (area_t));
-
- areap = (void *)mp->b_rptr;
- areap->area_name_length = name_len;
- cp = (char *)areap + areap->area_name_offset;
- bcopy(wqnp->ifname, cp, name_len);
-
- cp = (char *)areap + areap->area_proto_addr_offset;
- bcopy(&wqnp->dst_addr.un.ip4addr, cp, IP_ADDR_LEN);
-
- cp = (char *)areap + areap->area_proto_mask_offset;
- bcopy(&proto_mask, cp, IP_ADDR_LEN);
-
- cp = (char *)areap + areap->area_hw_addr_offset;
- bcopy(&wqnp->dst_mac, cp, IPOIB_ADDRL);
-
- DB_TYPE(mp) = M_PROTO;
-
- if (canputnext(ib_s->arpqueue)) {
- putnext(ib_s->arpqueue, mp);
- } else {
- (void) putq(ib_s->arpqueue, mp);
- qenable(ib_s->arpqueue);
- }
- return (0);
-}
-
-
-/*
- * timeout routine when there is no response to AR_ENTRY_QUERY
- */
-static void
-ibcm_arp_timeout(void *arg)
-{
- ibcm_arp_prwqn_t *wqnp = (ibcm_arp_prwqn_t *)arg;
- ibcm_arp_streams_t *ib_s = (ibcm_arp_streams_t *)wqnp->arg;
-
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_timeout(ib_s: %p wqnp: %p)",
- ib_s, wqnp);
- wqnp->flags &= ~IBCM_ARP_PR_RESOLVE_PENDING;
- cv_broadcast(&ib_s->cv);
-
- /*
- * indicate to user
- */
- ibcm_arp_pr_callback(wqnp, EHOSTUNREACH);
-}
+static void ibcm_resolver_ack(ip2mac_t *, void *);
+static int ibcm_nce_lookup(ibcm_arp_prwqn_t *wqnp, ill_t *ill, zoneid_t zid);
/*
* delete a wait queue node from the list.
* assumes mutex is acquired
*/
void
-ibcm_arp_prwqn_delete(ibcm_arp_prwqn_t *wqnp)
+ibcm_arp_delete_prwqn(ibcm_arp_prwqn_t *wqnp)
{
ibcm_arp_streams_t *ib_s;
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_prwqn_delete(%p)", wqnp);
+ IBTF_DPRINTF_L4(cmlog, "ibcm_arp_delete_prwqn(%p)", wqnp);
- ib_s = (ibcm_arp_streams_t *)wqnp->arg;
+ ib_s = wqnp->ib_str;
ib_s->wqnp = NULL;
kmem_free(wqnp, sizeof (ibcm_arp_prwqn_t));
}
@@ -336,7 +59,7 @@ ibcm_arp_prwqn_delete(ibcm_arp_prwqn_t *wqnp)
*/
static ibcm_arp_prwqn_t *
ibcm_arp_create_prwqn(ibcm_arp_streams_t *ib_s, ibt_ip_addr_t *dst_addr,
- ibt_ip_addr_t *src_addr, ibcm_arp_pr_comp_func_t func)
+ ibt_ip_addr_t *src_addr)
{
ibcm_arp_prwqn_t *wqnp;
@@ -354,8 +77,7 @@ ibcm_arp_create_prwqn(ibcm_arp_streams_t *ib_s, ibt_ip_addr_t *dst_addr,
if (src_addr) {
wqnp->usrc_addr = *src_addr;
}
- wqnp->func = func;
- wqnp->arg = ib_s;
+ wqnp->ib_str = ib_s;
wqnp->ifproto = (dst_addr->family == AF_INET) ?
ETHERTYPE_IP : ETHERTYPE_IPV6;
@@ -366,17 +88,6 @@ ibcm_arp_create_prwqn(ibcm_arp_streams_t *ib_s, ibt_ip_addr_t *dst_addr,
return (wqnp);
}
-/*
- * call the user function
- * called with lock held
- */
-static void
-ibcm_arp_pr_callback(ibcm_arp_prwqn_t *wqnp, int status)
-{
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_pr_callback(%p, %d)", wqnp, status);
-
- wqnp->func((void *)wqnp, status);
-}
/*
* Check if the interface is loopback or IB.
@@ -391,23 +102,24 @@ ibcm_arp_check_interface(ill_t *ill)
}
int
-ibcm_arp_pr_lookup(ibcm_arp_streams_t *ib_s, ibt_ip_addr_t *dst_addr,
- ibt_ip_addr_t *src_addr, ibcm_arp_pr_comp_func_t func)
+ibcm_resolver_pr_lookup(ibcm_arp_streams_t *ib_s, ibt_ip_addr_t *dst_addr,
+ ibt_ip_addr_t *src_addr)
{
ibcm_arp_prwqn_t *wqnp;
ire_t *ire = NULL;
- ire_t *src_ire = NULL;
- ipif_t *ipif;
- ill_t *ill, *hwaddr_ill = NULL;
+ ipif_t *ipif = NULL;
+ ill_t *ill = NULL;
+ ill_t *hwaddr_ill = NULL;
ip_stack_t *ipst;
int len;
+ ipaddr_t setsrcv4;
+ in6_addr_t setsrcv6;
IBCM_PRINT_IP("ibcm_arp_pr_lookup: SRC", src_addr);
IBCM_PRINT_IP("ibcm_arp_pr_lookup: DST", dst_addr);
- if ((wqnp = ibcm_arp_create_prwqn(ib_s, dst_addr,
- src_addr, func)) == NULL) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_arp_pr_lookup: "
+ if ((wqnp = ibcm_arp_create_prwqn(ib_s, dst_addr, src_addr)) == NULL) {
+ IBTF_DPRINTF_L2(cmlog, "ibcm_resolver_pr_lookup: "
"ibcm_arp_create_prwqn failed");
ib_s->status = ENOMEM;
return (1);
@@ -416,86 +128,111 @@ ibcm_arp_pr_lookup(ibcm_arp_streams_t *ib_s, ibt_ip_addr_t *dst_addr,
ipst = netstack_find_by_zoneid(GLOBAL_ZONEID)->netstack_ip;
if (dst_addr->family == AF_INET) {
/*
- * Get the ire for the local address
+ * A local address is always specified, and it is used
+ * to find the zoneid.
*/
- IBTF_DPRINTF_L5(cmlog, "ibcm_arp_pr_lookup: ire_ctable_lookup");
- src_ire = ire_ctable_lookup(src_addr->un.ip4addr, NULL,
- IRE_LOCAL, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- if (src_ire == NULL) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_arp_pr_lookup: "
- "ire_ctable_lookup failed");
+ ipif = ipif_lookup_addr(src_addr->un.ip4addr, NULL, ALL_ZONES,
+ ipst);
+ if (ipif == NULL) {
+ IBTF_DPRINTF_L2(cmlog, "ibcm_resolver_pr_lookup: "
+ "ipif_lookup_addr failed");
ib_s->status = EFAULT;
goto fail;
}
- IBTF_DPRINTF_L5(cmlog, "ibcm_arp_pr_lookup: ire_ctable_lookup");
/*
- * get an ire for the destination address with the matching
- * source address
+ * get an ire for the destination adress.
+ * Note that we can't use MATCH_IRE_ILL since that would
+ * require that the first ill we find have ire_ill set. Thus
+ * we compare ire_ill against ipif_ill after the lookup.
*/
- ire = ire_ftable_lookup(dst_addr->un.ip4addr, 0, 0, 0,
- src_ire->ire_ipif, 0, src_ire->ire_zoneid, 0, NULL,
- MATCH_IRE_SRC, ipst);
- if (ire == NULL) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_arp_pr_lookup: "
- "ire_ftable_lookup failed");
+ setsrcv4 = INADDR_ANY;
+ ire = ire_route_recursive_v4(dst_addr->un.ip4addr, 0, NULL,
+ ipif->ipif_zoneid, NULL, MATCH_IRE_DSTONLY, B_TRUE, 0, ipst,
+ &setsrcv4, NULL, NULL);
+
+ ASSERT(ire != NULL);
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ IBTF_DPRINTF_L2(cmlog, "ibcm_resolver_pr_lookup: "
+ "ire_route_recursive_v4 failed");
+ ib_s->status = EFAULT;
+ goto fail;
+ }
+ ill = ire_nexthop_ill(ire);
+ if (ill == NULL) {
+ IBTF_DPRINTF_L2(cmlog, "ibcm_resolver_pr_lookup: "
+ "ire_nexthop_ill failed");
+ ib_s->status = EFAULT;
+ goto fail;
+ }
+ if (ill != ipif->ipif_ill) {
+ IBTF_DPRINTF_L2(cmlog, "ibcm_resolver_pr_lookup: "
+ "wrong ill");
ib_s->status = EFAULT;
goto fail;
}
- IBTF_DPRINTF_L5(cmlog, "ibcm_arp_pr_lookup: ire_ftable_lookup:"
- "done");
-
- wqnp->gateway.un.ip4addr =
- ((ire->ire_gateway_addr == INADDR_ANY) ?
- ire->ire_addr : ire->ire_gateway_addr);
+ wqnp->gateway.un.ip4addr = ire->ire_gateway_addr;
wqnp->netmask.un.ip4addr = ire->ire_mask;
- wqnp->src_addr.un.ip4addr = ire->ire_src_addr;
+ wqnp->src_addr.un.ip4addr = src_addr->un.ip4addr;
wqnp->src_addr.family = wqnp->gateway.family =
wqnp->netmask.family = AF_INET;
} else if (dst_addr->family == AF_INET6) {
/*
- * Get the ire for the local address
+ * A local address is always specified, and it is used
+ * to find the zoneid.
+ * We should really match on scopeid for link locals here.
*/
- src_ire = ire_ctable_lookup_v6(&src_addr->un.ip6addr, NULL,
- IRE_LOCAL, NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, ipst);
- if (src_ire == NULL) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_arp_pr_lookup: "
- "ire_ctable_lookup_v6 failed");
+ ipif = ipif_lookup_addr_v6(&src_addr->un.ip6addr, NULL,
+ ALL_ZONES, ipst);
+ if (ipif == NULL) {
+ IBTF_DPRINTF_L2(cmlog, "ibcm_resolver_pr_lookup: "
+ "ipif_lookup_addr_v6 failed");
ib_s->status = EFAULT;
goto fail;
}
- IBTF_DPRINTF_L5(cmlog, "ibcm_arp_pr_lookup: "
- "ire_ctable_lookup_v6: done");
/*
- * get an ire for the destination address with the matching
- * source address
+ * get an ire for the destination adress.
+ * Note that we can't use MATCH_IRE_ILL since that would
+ * require that the first ill we find have ire_ill set. Thus
+ * we compare ire_ill against ipif_ill after the lookup.
*/
- ire = ire_ftable_lookup_v6(&dst_addr->un.ip6addr, 0, 0, 0,
- src_ire->ire_ipif, 0, src_ire->ire_zoneid, 0, NULL,
- MATCH_IRE_SRC, ipst);
- if (ire == NULL) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_arp_pr_lookup: "
- "ire_ftable_lookup_v6 failed");
+ setsrcv6 = ipv6_all_zeros;
+ ire = ire_route_recursive_v6(&dst_addr->un.ip6addr, 0, NULL,
+ ipif->ipif_zoneid, NULL, MATCH_IRE_DSTONLY, B_TRUE, 0, ipst,
+ &setsrcv6, NULL, NULL);
+
+ ASSERT(ire != NULL);
+ if (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) {
+ IBTF_DPRINTF_L2(cmlog, "ibcm_resolver_pr_lookup: "
+ "ire_route_recursive_v6 failed");
+ ib_s->status = EFAULT;
+ goto fail;
+ }
+ ill = ire_nexthop_ill(ire);
+ if (ill == NULL) {
+ IBTF_DPRINTF_L2(cmlog, "ibcm_resolver_pr_lookup: "
+ "ire_nexthop_ill failed");
+ ib_s->status = EFAULT;
+ goto fail;
+ }
+
+ if (ill != ipif->ipif_ill) {
+ IBTF_DPRINTF_L2(cmlog, "ibcm_resolver_pr_lookup: "
+ "wrong ill");
ib_s->status = EFAULT;
goto fail;
}
- IBTF_DPRINTF_L5(cmlog, "ibcm_arp_pr_lookup: "
- "ire_ftable_lookup_v6: done");
- wqnp->gateway.un.ip6addr =
- (IN6_IS_ADDR_UNSPECIFIED(&ire->ire_gateway_addr_v6) ?
- ire->ire_addr_v6 : ire->ire_gateway_addr_v6);
+ wqnp->gateway.un.ip6addr = ire->ire_gateway_addr_v6;
wqnp->netmask.un.ip6addr = ire->ire_mask_v6;
- wqnp->src_addr.un.ip6addr = ire->ire_src_addr_v6;
+ wqnp->src_addr.un.ip6addr = src_addr->un.ip6addr;
wqnp->src_addr.family = wqnp->gateway.family =
wqnp->netmask.family = AF_INET6;
}
- ipif = src_ire->ire_ipif;
- ill = ipif->ipif_ill;
(void) strlcpy(wqnp->ifname, ill->ill_name, sizeof (wqnp->ifname));
/*
@@ -504,18 +241,19 @@ ibcm_arp_pr_lookup(ibcm_arp_streams_t *ib_s, ibt_ip_addr_t *dst_addr,
*/
if (IS_IPMP(ill)) {
if ((hwaddr_ill = ipmp_ipif_hold_bound_ill(ipif)) == NULL) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_arp_pr_lookup: no bound "
- "ill for IPMP interface %s", ill->ill_name);
+ IBTF_DPRINTF_L2(cmlog, "ibcm_resolver_pr_lookup: "
+ "no bound ill for IPMP interface %s",
+ ill->ill_name);
ib_s->status = EFAULT;
goto fail;
}
} else {
hwaddr_ill = ill;
- ill_refhold(hwaddr_ill); /* for symmetry */
+ ill_refhold(hwaddr_ill); /* for symmetry */
}
if ((ib_s->status = ibcm_arp_check_interface(hwaddr_ill)) != 0) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_arp_pr_lookup: "
+ IBTF_DPRINTF_L2(cmlog, "ibcm_resolver_pr_lookup: "
"ibcm_arp_check_interface failed");
goto fail;
}
@@ -523,7 +261,7 @@ ibcm_arp_pr_lookup(ibcm_arp_streams_t *ib_s, ibt_ip_addr_t *dst_addr,
bcopy(hwaddr_ill->ill_phys_addr, &wqnp->src_mac,
hwaddr_ill->ill_phys_addr_length);
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_pr_lookup: outgoing if:%s",
+ IBTF_DPRINTF_L4(cmlog, "ibcm_resolver_pr_lookup: outgoing if:%s",
wqnp->ifname);
/*
@@ -534,8 +272,8 @@ ibcm_arp_pr_lookup(ibcm_arp_streams_t *ib_s, ibt_ip_addr_t *dst_addr,
len = (wqnp->usrc_addr.family == AF_INET) ?
IP_ADDR_LEN : sizeof (in6_addr_t);
if (bcmp(&wqnp->usrc_addr.un, &wqnp->src_addr.un, len)) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_arp_pr_lookup: srcaddr "
- "mismatch:%d", ENETUNREACH);
+ IBTF_DPRINTF_L2(cmlog, "ibcm_resolver_pr_lookup: "
+ "srcaddr mismatch:%d", ENETUNREACH);
goto fail;
}
}
@@ -545,253 +283,77 @@ ibcm_arp_pr_lookup(ibcm_arp_streams_t *ib_s, ibt_ip_addr_t *dst_addr,
* interface, now get the destination mac address from
* arp or ipv6 drivers
*/
- if (wqnp->dst_addr.family == AF_INET) {
- if ((ib_s->status = ibcm_arp_squery_arp(wqnp)) != 0) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_arp_pr_lookup: "
- "ibcm_arp_squery_arp failed: %d", ib_s->status);
- goto fail;
- }
- } else {
- if ((ib_s->status = ibcm_ipv6_lookup(wqnp, ill, getzoneid())) !=
- 0) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_arp_pr_lookup: "
- "ibcm_ipv6_lookup failed: %d", ib_s->status);
- goto fail;
- }
+ ib_s->status = ibcm_nce_lookup(wqnp, ill, getzoneid());
+ if (ib_s->status != 0) {
+ IBTF_DPRINTF_L2(cmlog, "ibcm_resolver_pr_lookup: "
+ "ibcm_nce_lookup failed: %d", ib_s->status);
+ goto fail;
}
ill_refrele(hwaddr_ill);
- IRE_REFRELE(ire);
- IRE_REFRELE(src_ire);
+ ill_refrele(ill);
+ ire_refrele(ire);
+ ipif_refrele(ipif);
netstack_rele(ipst->ips_netstack);
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_pr_lookup: Return: 0x%p", wqnp);
+ IBTF_DPRINTF_L4(cmlog, "ibcm_resolver_pr_lookup: Return: 0x%p", wqnp);
return (0);
fail:
if (hwaddr_ill != NULL)
ill_refrele(hwaddr_ill);
+ if (ill != NULL)
+ ill_refrele(ill);
if (ire != NULL)
- IRE_REFRELE(ire);
- if (src_ire != NULL)
- IRE_REFRELE(src_ire);
- ibcm_arp_prwqn_delete(wqnp);
+ ire_refrele(ire);
+ if (ipif != NULL)
+ ipif_refrele(ipif);
+ ibcm_arp_delete_prwqn(wqnp);
netstack_rele(ipst->ips_netstack);
return (1);
}
/*
- * called from lrsrv.
- * process a AR_ENTRY_QUERY reply from arp
- * the message should be M_DATA -->> dl_unitdata_req
- */
-static void
-ibcm_arp_pr_arp_query_ack(mblk_t *mp)
-{
- ibcm_arp_prwqn_t *wqnp;
- dl_unitdata_req_t *dlreq;
- ibcm_arp_streams_t *ib_s;
- char *cp;
- int rc;
-
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_pr_arp_query_ack(%p)", mp);
-
- /*
- * the first mblk contains the wqnp pointer for the request
- */
- if (MBLKL(mp) != sizeof (void *)) {
- freemsg(mp);
- return;
- }
-
- wqnp = *(ibcm_arp_prwqn_t **)(void *)mp->b_rptr; /* retrieve wqnp */
- ib_s = (ibcm_arp_streams_t *)wqnp->arg;
-
- mutex_enter(&ib_s->lock);
-
- /*
- * cancel the timeout for this request
- */
- (void) untimeout(wqnp->timeout_id);
-
- /*
- * sanity checks on the dl_unitdata_req block
- */
- if (!mp->b_cont) {
- IBTF_DPRINTF_L2(cmlog, "areq_ack: b_cont = NULL\n");
- rc = EPROTO;
- goto user_callback;
- }
- if (MBLKL(mp->b_cont) < (sizeof (dl_unitdata_req_t) + IPOIB_ADDRL)) {
- IBTF_DPRINTF_L2(cmlog, "areq_ack: invalid len in "
- "dl_unitdatareq_t block\n");
- rc = EPROTO;
- goto user_callback;
- }
- dlreq = (void *)mp->b_cont->b_rptr;
- if (dlreq->dl_primitive != DL_UNITDATA_REQ) {
- IBTF_DPRINTF_L2(cmlog, "areq_ack: invalid dl_primitive "
- "in dl_unitdatareq_t block\n");
- rc = EPROTO;
- goto user_callback;
- }
- if (dlreq->dl_dest_addr_length != (IPOIB_ADDRL + 2)) {
- IBTF_DPRINTF_L2(cmlog, "areq_ack: invalid hw len in "
- "dl_unitdatareq_t block %d\n", dlreq->dl_dest_addr_length);
- rc = EPROTO;
- goto user_callback;
- }
- cp = (char *)mp->b_cont->b_rptr + dlreq->dl_dest_addr_offset;
- bcopy(cp, &wqnp->dst_mac, IPOIB_ADDRL);
-
- /*
- * at this point we have src/dst gid's derived from the mac addresses
- * now get the hca, port
- */
- bcopy(&wqnp->src_mac.ipoib_gidpref, &wqnp->sgid, sizeof (ib_gid_t));
- bcopy(&wqnp->dst_mac.ipoib_gidpref, &wqnp->dgid, sizeof (ib_gid_t));
- freemsg(mp);
-
- IBCM_H2N_GID(wqnp->sgid);
- IBCM_H2N_GID(wqnp->dgid);
-
- (void) ibcm_arp_add(wqnp);
-
- mutex_exit(&ib_s->lock);
- ibcm_arp_pr_callback(wqnp, 0);
-
- return;
-user_callback:
- freemsg(mp);
- mutex_exit(&ib_s->lock);
-
- /*
- * indicate to user
- */
- ibcm_arp_pr_callback(wqnp, rc);
-}
-
-/*
- * process a AR_ENTRY_SQUERY reply from arp
- * the message should be M_IOCACK -->> area_t
+ * Query the neighbor cache for IPv4/IPv6 to mac address mapping.
*/
-static void
-ibcm_arp_pr_arp_squery_ack(mblk_t *mp)
+static int
+ibcm_nce_lookup(ibcm_arp_prwqn_t *wqnp, ill_t *ill, zoneid_t zoneid)
{
- struct iocblk *ioc;
- mblk_t *mp1;
- ibcm_arp_prwqn_t *wqnp;
- ibcm_arp_streams_t *ib_s;
- area_t *areap;
- char *cp;
-
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_pr_arp_squery_ack(%p)", mp);
-
- if (MBLKL(mp) < sizeof (struct iocblk)) {
- freemsg(mp);
- return;
- }
-
- ioc = (void *)mp->b_rptr;
- if ((ioc->ioc_cmd != AR_ENTRY_SQUERY) || (mp->b_cont == NULL)) {
- freemsg(mp);
- return;
- }
-
- mp1 = mp->b_cont;
-
- wqnp = *(ibcm_arp_prwqn_t **)((uintptr_t)mp1->b_rptr -
- sizeof (uintptr_t));
- ib_s = (ibcm_arp_streams_t *)wqnp->arg;
-
- mutex_enter(&ib_s->lock);
-
- /*
- * cancel the timeout for this request
- */
- (void) untimeout(wqnp->timeout_id);
-
- /* If the entry was not in arp cache, ioc_error is set */
- if (ioc->ioc_error) {
-
- /*
- * send out AR_ENTRY_QUERY which would send
- * arp-request on wire
- */
- IBTF_DPRINTF_L3(cmlog, "Sending a Query_ARP");
-
- (void) ibcm_arp_query_arp(wqnp);
- freemsg(mp);
- mutex_exit(&ib_s->lock);
- return;
+ ip2mac_t ip2m;
+ sin_t *sin;
+ sin6_t *sin6;
+ ip2mac_id_t ip2mid;
+ int err;
+
+ if (wqnp->src_addr.family != wqnp->dst_addr.family) {
+ IBTF_DPRINTF_L2(cmlog, "ibcm_nce_lookup: Mis-match SRC_ADDR "
+ "Family: %d, DST_ADDR Family %d", wqnp->src_addr.family,
+ wqnp->dst_addr.family);
+ return (1);
}
+ bzero(&ip2m, sizeof (ip2m));
- areap = (void *)mp1->b_rptr;
- cp = (char *)areap + areap->area_hw_addr_offset;
- bcopy(cp, &wqnp->dst_mac, IPOIB_ADDRL);
-
- /*
- * at this point we have src/dst gid's derived from the mac addresses
- * now get the hca, port
- */
- bcopy(&wqnp->src_mac.ipoib_gidpref, &wqnp->sgid, sizeof (ib_gid_t));
- bcopy(&wqnp->dst_mac.ipoib_gidpref, &wqnp->dgid, sizeof (ib_gid_t));
- freemsg(mp);
-
- IBCM_H2N_GID(wqnp->sgid);
- IBCM_H2N_GID(wqnp->dgid);
-
- mutex_exit(&ib_s->lock);
- ibcm_arp_pr_callback(wqnp, 0);
-}
-
-/*
- * Process arp ack's.
- */
-void
-ibcm_arp_pr_arp_ack(mblk_t *mp)
-{
- IBTF_DPRINTF_L4(cmlog, "ibcm_arp_pr_arp_ack(0x%p, DB_TYPE %lX)",
- mp, DB_TYPE(mp));
-
- if (DB_TYPE(mp) == M_DATA) {
- ibcm_arp_pr_arp_query_ack(mp);
- } else if ((DB_TYPE(mp) == M_IOCACK) ||
- (DB_TYPE(mp) == M_IOCNAK)) {
- ibcm_arp_pr_arp_squery_ack(mp);
+ if (wqnp->dst_addr.family == AF_INET) {
+ sin = (sin_t *)&ip2m.ip2mac_pa;
+ sin->sin_family = AF_INET;
+ sin->sin_addr.s_addr = wqnp->dst_addr.un.ip4addr;
+ } else if (wqnp->dst_addr.family == AF_INET6) {
+ sin6 = (sin6_t *)&ip2m.ip2mac_pa;
+ sin6->sin6_family = AF_INET6;
+ sin6->sin6_addr = wqnp->dst_addr.un.ip6addr;
} else {
- freemsg(mp);
- }
-}
-
-/*
- * query the ipv6 driver cache for ipv6 to mac address mapping.
- */
-static int
-ibcm_ipv6_lookup(ibcm_arp_prwqn_t *wqnp, ill_t *ill, zoneid_t zoneid)
-{
- ip2mac_t ip2m;
- sin6_t *sin6;
- ip2mac_id_t ip2mid;
- int err;
-
- if (wqnp->src_addr.family != AF_INET6) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_ipv6_lookup: SRC_ADDR NOT INET6: "
- "%d", wqnp->src_addr.family);
+ IBTF_DPRINTF_L2(cmlog, "ibcm_nce_lookup: Invalid DST_ADDR "
+ "Family: %d", wqnp->dst_addr.family);
return (1);
}
- bzero(&ip2m, sizeof (ip2m));
- sin6 = (sin6_t *)&ip2m.ip2mac_pa;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_addr = wqnp->dst_addr.un.ip6addr;
ip2m.ip2mac_ifindex = ill->ill_phyint->phyint_ifindex;
wqnp->flags |= IBCM_ARP_PR_RESOLVE_PENDING;
+
/*
- * XXX XTBD set the scopeid?
* issue the request to IP for Neighbor Discovery
*/
- ip2mid = ip2mac(IP2MAC_RESOLVE, &ip2m, ibcm_ipv6_resolver_ack, wqnp,
+ ip2mid = ip2mac(IP2MAC_RESOLVE, &ip2m, ibcm_resolver_ack, wqnp,
zoneid);
err = ip2m.ip2mac_err;
if (err == EINPROGRESS) {
@@ -799,7 +361,7 @@ ibcm_ipv6_lookup(ibcm_arp_prwqn_t *wqnp, ill_t *ill, zoneid_t zoneid)
wqnp->flags |= IBCM_ARP_PR_RESOLVE_PENDING;
err = 0;
} else if (err == 0) {
- ibcm_ipv6_resolver_ack(&ip2m, wqnp);
+ ibcm_resolver_ack(&ip2m, wqnp);
}
return (err);
}
@@ -822,16 +384,16 @@ ibcm_check_sockdl(struct sockaddr_dl *sdl)
* If Address resolution was succesful: return GID info.
*/
static void
-ibcm_ipv6_resolver_ack(ip2mac_t *ip2macp, void *arg)
+ibcm_resolver_ack(ip2mac_t *ip2macp, void *arg)
{
ibcm_arp_prwqn_t *wqnp = (ibcm_arp_prwqn_t *)arg;
ibcm_arp_streams_t *ib_s;
uchar_t *cp;
int err = 0;
- IBTF_DPRINTF_L4(cmlog, "ibcm_ipv6_resolver_ack(%p, %p)", ip2macp, wqnp);
+ IBTF_DPRINTF_L4(cmlog, "ibcm_resolver_ack(%p, %p)", ip2macp, wqnp);
- ib_s = (ibcm_arp_streams_t *)wqnp->arg;
+ ib_s = wqnp->ib_str;
mutex_enter(&ib_s->lock);
if (ip2macp->ip2mac_err != 0) {
@@ -842,7 +404,7 @@ ibcm_ipv6_resolver_ack(ip2mac_t *ip2macp, void *arg)
}
if (!ibcm_check_sockdl(&ip2macp->ip2mac_ha)) {
- IBTF_DPRINTF_L2(cmlog, "ibcm_ipv6_resolver_ack: Error: "
+ IBTF_DPRINTF_L2(cmlog, "ibcm_resolver_ack: Error: "
"interface %s is not IB\n", wqnp->ifname);
err = EHOSTUNREACH;
goto user_callback;
@@ -862,6 +424,11 @@ ibcm_ipv6_resolver_ack(ip2mac_t *ip2macp, void *arg)
IBCM_H2N_GID(wqnp->dgid);
user_callback:
+
+ ib_s->status = err;
+ ib_s->done = B_TRUE;
+
+ /* lock is held by the caller. */
+ cv_signal(&ib_s->cv);
mutex_exit(&ib_s->lock);
- ibcm_arp_pr_callback(wqnp, err);
}
diff --git a/usr/src/uts/common/io/mac/mac_util.c b/usr/src/uts/common/io/mac/mac_util.c
index 0d342fdd93..88468b353e 100644
--- a/usr/src/uts/common/io/mac/mac_util.c
+++ b/usr/src/uts/common/io/mac/mac_util.c
@@ -476,7 +476,7 @@ mac_ip_hdr_length_v6(mblk_t *mp, ip6_t *ip6h, uint16_t *hdr_length,
endptr = mp->b_wptr;
if (((uchar_t *)ip6h + IPV6_HDR_LEN) > endptr)
return (B_FALSE);
- ASSERT((IPH_HDR_VERSION(ip6h) & ~IP_FORWARD_PROG_BIT) == IPV6_VERSION);
+ ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
length = IPV6_HDR_LEN;
whereptr = ((uint8_t *)&ip6h[1]); /* point to next hdr */
diff --git a/usr/src/uts/common/io/softmac/softmac_dev.c b/usr/src/uts/common/io/softmac/softmac_dev.c
index 23f43ced0b..eeb09fcb0b 100644
--- a/usr/src/uts/common/io/softmac/softmac_dev.c
+++ b/usr/src/uts/common/io/softmac/softmac_dev.c
@@ -146,6 +146,9 @@ static struct modlinkage softmac_modlinkage = {
NULL
};
+static void softmac_dedicated_rx(void *, mac_resource_handle_t, mblk_t *,
+ mac_header_info_t *);
+
/*ARGSUSED*/
static int
softmac_upper_constructor(void *buf, void *arg, int kmflag)
@@ -367,7 +370,8 @@ softmac_mod_rput(queue_t *rq, mblk_t *mp)
if (dlp->dl_primitive == DL_UNITDATA_IND) {
if ((rxinfo = slp->sl_rxinfo) != NULL) {
- rxinfo->slr_rx(rxinfo->slr_arg, NULL, mp, NULL);
+ softmac_dedicated_rx(slp->sl_sup, NULL, mp,
+ NULL);
break;
}
diff --git a/usr/src/uts/common/io/softmac/softmac_fp.c b/usr/src/uts/common/io/softmac/softmac_fp.c
index 7a10aa68b7..2fc66e9bd3 100644
--- a/usr/src/uts/common/io/softmac/softmac_fp.c
+++ b/usr/src/uts/common/io/softmac/softmac_fp.c
@@ -674,9 +674,12 @@ softmac_wput_single_nondata(softmac_upper_t *sup, mblk_t *mp)
t_uscalar_t prim;
dbtype = DB_TYPE(mp);
+ sup->su_is_arp = 0;
switch (dbtype) {
- case M_IOCTL:
- case M_CTL: {
+ case M_CTL:
+ sup->su_is_arp = 1;
+ /* FALLTHROUGH */
+ case M_IOCTL: {
uint32_t expected_mode;
if (((struct iocblk *)(mp->b_rptr))->ioc_cmd != SIOCSLIFNAME)
@@ -1132,7 +1135,10 @@ softmac_datapath_switch(softmac_t *softmac, boolean_t disable, boolean_t admin)
break;
req->ssq_expected_mode = expected_mode;
-
+ if (sup->su_is_arp) {
+ list_insert_tail(&reqlist, req);
+ continue;
+ }
/*
* Allocate the DL_NOTE_REPLUMB message.
*/
@@ -1174,18 +1180,19 @@ softmac_datapath_switch(softmac_t *softmac, boolean_t disable, boolean_t admin)
*/
for (sup = list_head(&softmac->smac_sup_list); sup != NULL;
sup = list_next(&softmac->smac_sup_list, sup)) {
- mp = head->b_next;
- head->b_next = NULL;
-
+ if (!sup->su_is_arp) {
+ mp = head->b_next;
+ head->b_next = NULL;
+ softmac_wput_nondata(sup, head);
+ head = mp;
+ }
/*
- * Add the swtich request to the requests list of the stream.
+ * Add the switch request to the requests list of the stream.
*/
req = list_head(&reqlist);
ASSERT(req != NULL);
list_remove(&reqlist, req);
list_insert_tail(&sup->su_req_list, req);
- softmac_wput_nondata(sup, head);
- head = mp;
}
mutex_exit(&softmac->smac_fp_mutex);
diff --git a/usr/src/uts/common/io/stream.c b/usr/src/uts/common/io/stream.c
index b23036e9c5..658735b784 100644
--- a/usr/src/uts/common/io/stream.c
+++ b/usr/src/uts/common/io/stream.c
@@ -1605,7 +1605,9 @@ pullupmsg(mblk_t *mp, ssize_t len)
ASSERT(bp->b_datap->db_ref > 0);
ASSERT(bp->b_wptr >= bp->b_rptr);
n = MIN(bp->b_wptr - bp->b_rptr, len);
- bcopy(bp->b_rptr, mp->b_wptr, (size_t)n);
+ ASSERT(n >= 0); /* allow zero-length mblk_t's */
+ if (n > 0)
+ bcopy(bp->b_rptr, mp->b_wptr, (size_t)n);
mp->b_wptr += n;
bp->b_rptr += n;
len -= n;
diff --git a/usr/src/uts/common/io/strplumb.c b/usr/src/uts/common/io/strplumb.c
index f43648fd7f..473f7bc72e 100644
--- a/usr/src/uts/common/io/strplumb.c
+++ b/usr/src/uts/common/io/strplumb.c
@@ -53,17 +53,6 @@
#include <sys/esunddi.h>
#include <sys/promif.h>
-#include <netinet/in.h>
-#include <netinet/ip6.h>
-#include <netinet/icmp6.h>
-#include <netinet/sctp.h>
-#include <inet/common.h>
-#include <inet/ip.h>
-#include <inet/ip6.h>
-#include <inet/tcp.h>
-#include <inet/sctp_ip.h>
-#include <inet/udp_impl.h>
-
#include <sys/strlog.h>
#include <sys/log.h>
#include <sys/ethernet.h>
@@ -222,104 +211,6 @@ strplumb_init(void)
return (0);
}
-static int
-strplumb_autopush(void)
-{
- major_t maj;
- minor_t min;
- char *mods[5];
- uint_t anchor = 1;
- int err;
-
- min = (minor_t)-1;
- mods[1] = NULL;
-
- /*
- * ARP
- */
- DBG0("setting up arp autopush\n");
-
- mods[0] = ARP;
-
- maj = ddi_name_to_major(ARP);
- if ((err = kstr_autopush(SET_AUTOPUSH, &maj, &min, NULL, &anchor,
- mods)) != 0) {
- printf("strplumb: kstr_autopush(SET/ARP) failed: %d\n", err);
- return (err);
- }
-
- return (0);
-}
-
-static int
-strplumb_sctpq(ldi_ident_t li)
-{
- ldi_handle_t lh = NULL;
- int err;
- int rval;
-
- DBG0("configuring SCTP default queue\n");
-
- if ((err = ldi_open_by_name(SCTP6DEV, FREAD|FWRITE, CRED(), &lh,
- li)) != 0) {
- printf("strplumb: open of SCTP6DEV failed: %d\n", err);
- return (err);
- }
-
- if ((err = ldi_ioctl(lh, SCTP_IOC_DEFAULT_Q, (intptr_t)0, FKIOCTL,
- CRED(), &rval)) != 0) {
- printf("strplumb: failed to set SCTP default queue: %d\n",
- err);
- (void) ldi_close(lh, FREAD|FWRITE, CRED());
- return (err);
- }
-
- return (0);
-}
-
-static int
-strplumb_tcpq(ldi_ident_t li)
-{
- ldi_handle_t lh = NULL;
- ldi_handle_t ip_lh = NULL;
- int err;
- int rval;
-
- DBG0("configuring TCP default queue\n");
-
- /*
- * We open IP6DEV here because we need to have it open to in
- * order to open TCP6DEV successfully.
- */
- if ((err = ldi_open_by_name(IP6DEV, FREAD|FWRITE, CRED(), &ip_lh,
- li)) != 0) {
- printf("strplumb: open of IP6DEV failed: %d\n", err);
- return (err);
- }
-
- /*
- * We set the tcp default queue to IPv6 because IPv4 falls back to
- * IPv6 when it can't find a client, but IPv6 does not fall back to
- * IPv4.
- */
- if ((err = ldi_open_by_name(TCP6DEV, FREAD|FWRITE, CRED(), &lh,
- li)) != 0) {
- printf("strplumb: open of TCP6DEV failed: %d\n", err);
- goto done;
- }
-
- if ((err = ldi_ioctl(lh, TCP_IOC_DEFAULT_Q, (intptr_t)0, FKIOCTL,
- CRED(), &rval)) != 0) {
- printf("strplumb: failed to set TCP default queue: %d\n",
- err);
- goto done;
- }
-
-done:
- (void) ldi_close(ip_lh, FREAD|FWRITE, CRED());
- return (err);
-}
-
/*
* Can be set in /etc/system in the case of local booting. See comment below.
*/
@@ -447,11 +338,8 @@ strplumb_dev(ldi_ident_t li)
/*
* Now set up the links. Ultimately, we should have two streams
- * permanently linked underneath UDP (which is actually IP with UDP
- * autopushed). One stream consists of the ARP-[ifname] combination,
- * while the other consists of ARP-IP-[ifname]. The second combination
- * seems a little weird, but is linked underneath UDP just to keep it
- * around.
+ * permanently linked under UDP. One stream consists of the
+ * ARP-[ifname] combination, while the other consists of IP-[ifname].
*
* We pin underneath UDP here to match what is done in ifconfig(1m);
* otherwise, ifconfig will be unable to unplumb the stream (the major
@@ -462,7 +350,7 @@ strplumb_dev(ldi_ident_t li)
*/
/*
- * Plumb UDP-ARP-IP-<dev>
+ * Plumb UDP-IP-<dev>
*/
if ((err = ldi_open_by_name(rootfs.bo_devname, FREAD|FWRITE, CRED(),
@@ -494,12 +382,6 @@ strplumb_dev(ldi_ident_t li)
lifr.lifr_flags &= ~IFF_IPV4;
name = UDP6DEV;
}
- if ((err = ldi_ioctl(lh, I_PUSH, (intptr_t)ARP, FKIOCTL, CRED(),
- &rval)) != 0) {
- printf("strplumb: push ARP failed: %d\n", err);
- goto done;
- }
-
(void) strlcpy(lifr.lifr_name, rootfs.bo_ifname,
sizeof (lifr.lifr_name));
lifr.lifr_ppa = rootfs.bo_ppa;
@@ -507,29 +389,17 @@ strplumb_dev(ldi_ident_t li)
if ((err = setifname(lh, &lifr)) != 0)
goto done;
- /* Get the flags and check if ARP is needed */
+ /* get the flags and check if ARP is needed */
if ((err = getifflags(lh, &lifr)) != 0) {
printf("strplumb: getifflags %s IP failed, error %d\n",
lifr.lifr_name, err);
goto done;
}
-
- /* Pop out ARP if not needed */
- if (lifr.lifr_flags & (IFF_NOARP | IFF_IPV6)) {
- err = ldi_ioctl(lh, I_POP, (intptr_t)0, FKIOCTL, CRED(),
- &rval);
- if (err != 0) {
- printf("strplumb: pop ARP failed, error %d\n", err);
- goto done;
- }
- }
-
if ((err = ldi_open_by_name(name, FREAD|FWRITE, CRED(), &mux_lh,
li)) != 0) {
printf("strplumb: open of %s failed: %d\n", name, err);
goto done;
}
-
if ((err = ldi_ioctl(mux_lh, I_PLINK, (intptr_t)lh,
FREAD|FWRITE|FNOCTTY|FKIOCTL, CRED(),
&(ifr.ifr_ip_muxid))) != 0) {
@@ -538,9 +408,9 @@ strplumb_dev(ldi_ident_t li)
goto done;
}
- if (af == AF_INET6) {
+ /* if ARP is not needed, we are done */
+ if (lifr.lifr_flags & (IFF_NOARP | IFF_IPV6))
goto done;
- }
DBG2("UDP-ARP-IP-%s muxid: %d\n", rootfs.bo_ifname, ifr.ifr_ip_muxid);
@@ -610,22 +480,9 @@ strplumb(void)
if ((err = strplumb_init()) != 0)
return (err);
- if ((err = strplumb_autopush()) != 0)
- return (err);
-
if ((err = ldi_ident_from_mod(&modlinkage, &li)) != 0)
return (err);
- /*
- * Setup the TCP and SCTP default queues for the global stack.
- * tcp/sctp_stack_init will do this for additional stack instances.
- */
- if ((err = strplumb_sctpq(li)) != 0)
- goto done;
-
- if ((err = strplumb_tcpq(li)) != 0)
- goto done;
-
if ((err = resolve_boot_path()) != 0)
goto done;
diff --git a/usr/src/uts/common/io/tl.c b/usr/src/uts/common/io/tl.c
index 7ddb24cddb..83f8cf6944 100644
--- a/usr/src/uts/common/io/tl.c
+++ b/usr/src/uts/common/io/tl.c
@@ -452,7 +452,7 @@ opdes_t tl_opt_arr[] = {
OA_R,
OA_R,
OP_NP,
- OP_PASSNEXT,
+ 0,
sizeof (t_scalar_t),
0
},
@@ -462,7 +462,7 @@ opdes_t tl_opt_arr[] = {
OA_RW,
OA_RW,
OP_NP,
- OP_PASSNEXT,
+ 0,
sizeof (int),
0
}
@@ -867,7 +867,7 @@ static void tl_fill_option(uchar_t *, cred_t *, pid_t, int, cred_t *);
static int tl_default_opt(queue_t *, int, int, uchar_t *);
static int tl_get_opt(queue_t *, int, int, uchar_t *);
static int tl_set_opt(queue_t *, uint_t, int, int, uint_t, uchar_t *, uint_t *,
- uchar_t *, void *, cred_t *, mblk_t *);
+ uchar_t *, void *, cred_t *);
static void tl_memrecover(queue_t *, mblk_t *, size_t);
static void tl_freetip(tl_endpt_t *, tl_icon_t *);
static void tl_free(tl_endpt_t *);
@@ -904,7 +904,6 @@ optdb_obj_t tl_opt_obj = {
tl_default_opt, /* TL default value function pointer */
tl_get_opt, /* TL get function pointer */
tl_set_opt, /* TL set function pointer */
- B_TRUE, /* TL is tpi provider */
TL_OPT_ARR_CNT, /* TL option database count of entries */
tl_opt_arr, /* TL option database */
TL_VALID_LEVELS_CNT, /* TL valid level count of entries */
@@ -2789,12 +2788,10 @@ tl_optmgmt(queue_t *wq, mblk_t *mp)
* call common option management routine from drv/ip
*/
if (prim->type == T_SVR4_OPTMGMT_REQ) {
- (void) svr4_optcom_req(wq, mp, cr, &tl_opt_obj,
- B_FALSE);
+ svr4_optcom_req(wq, mp, cr, &tl_opt_obj);
} else {
ASSERT(prim->type == T_OPTMGMT_REQ);
- (void) tpi_optcom_req(wq, mp, cr, &tl_opt_obj,
- B_FALSE);
+ tpi_optcom_req(wq, mp, cr, &tl_opt_obj);
}
}
@@ -6066,8 +6063,7 @@ tl_set_opt(
uint_t *outlenp,
uchar_t *outvalp,
void *thisdg_attrs,
- cred_t *cr,
- mblk_t *mblk)
+ cred_t *cr)
{
int error;
tl_endpt_t *tep;
diff --git a/usr/src/uts/common/io/warlock/ibcm.wlcmd b/usr/src/uts/common/io/warlock/ibcm.wlcmd
index b4ae04a925..e66149c4fd 100644
--- a/usr/src/uts/common/io/warlock/ibcm.wlcmd
+++ b/usr/src/uts/common/io/warlock/ibcm.wlcmd
@@ -66,11 +66,7 @@ root ibt_get_src_ip
root ibt_ofuvcm_get_req_data
root ibt_ofuvcm_proceed
-root ibcm_arp_timeout
root ibcm_arp_get_srcip_plist
-root ibcm_arp_lrput
-root ibcm_arp_lwsrv
-root ibcm_arp_lrsrv
root ibcm_arp_get_ibd_insts_cb
# callback entry points from ibmf
diff --git a/usr/src/uts/common/ipp/dlcosmk/dlcosmk.c b/usr/src/uts/common/ipp/dlcosmk/dlcosmk.c
index 27eaaba86f..c827fb9e82 100644
--- a/usr/src/uts/common/ipp/dlcosmk/dlcosmk.c
+++ b/usr/src/uts/common/ipp/dlcosmk/dlcosmk.c
@@ -19,12 +19,10 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/types.h>
#include <sys/stream.h>
#include <sys/dlpi.h>
@@ -88,8 +86,8 @@ dlcosmk_process(mblk_t **mpp, dlcosmk_data_t *dlcosmk_data, uint32_t ill_index,
}
if ((ill_index == 0) ||
- ((ill = ill_lookup_on_ifindex_global_instance(ill_index, B_FALSE,
- NULL, NULL, NULL, NULL)) == NULL)) {
+ ((ill = ill_lookup_on_ifindex_global_instance(ill_index,
+ B_FALSE)) == NULL)) {
dlcosmk2dbg(("dlcosmk_process:invalid ill index %u\n",
ill_index));
atomic_add_64(&dlcosmk_data->ipackets, 1);
diff --git a/usr/src/uts/common/ipp/ipgpc/classifierddi.c b/usr/src/uts/common/ipp/ipgpc/classifierddi.c
index 4d31da6396..e76c181d92 100644
--- a/usr/src/uts/common/ipp/ipgpc/classifierddi.c
+++ b/usr/src/uts/common/ipp/ipgpc/classifierddi.c
@@ -445,10 +445,9 @@ ipgpc_invoke_action(ipp_action_id_t aid, ipp_packet_t *packet)
pkt.direction = callout_pos; /* set packet direction */
/* The ill_index could be 0 when called from forwarding (read) path */
- if (ill_idx > 0) {
- ill = ill_lookup_on_ifindex_global_instance(ill_idx, B_FALSE,
- NULL, NULL, NULL, NULL);
- }
+ if (ill_idx > 0)
+ ill = ill_lookup_on_ifindex_global_instance(ill_idx, B_FALSE);
+
if (ill != NULL) {
/*
* Since all IPP actions in an IPMP group are performed
diff --git a/usr/src/uts/common/ktli/t_kutil.c b/usr/src/uts/common/ktli/t_kutil.c
index cfd153d873..ab762403fd 100644
--- a/usr/src/uts/common/ktli/t_kutil.c
+++ b/usr/src/uts/common/ktli/t_kutil.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -36,8 +36,6 @@
* contributors.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
/*
* Contains the following utility functions:
* tli_send:
@@ -230,7 +228,7 @@ t_kadvise(TIUSER *tiptr, uchar_t *addr, int addr_len)
bzero(ipid, sizeof (*ipid));
ipid->ipid_cmd = IP_IOC_IRE_DELETE_NO_REPLY;
- ipid->ipid_ire_type = IRE_CACHE;
+ ipid->ipid_ire_type = 0;
ipid->ipid_addr_offset = sizeof (ipid_t);
ipid->ipid_addr_length = addr_len;
diff --git a/usr/src/uts/common/net/route.h b/usr/src/uts/common/net/route.h
index 3e4307f25e..9c004b74b1 100644
--- a/usr/src/uts/common/net/route.h
+++ b/usr/src/uts/common/net/route.h
@@ -130,7 +130,8 @@ struct rtentry {
#define RTF_PROTO1 0x8000 /* protocol specific routing flag */
#define RTF_MULTIRT 0x10000 /* multiroute */
#define RTF_SETSRC 0x20000 /* set default outgoing src address */
-
+#define RTF_INDIRECT 0x40000 /* gateway not directly reachable */
+#define RTF_KERNEL 0x80000 /* created by kernel; can't delete */
/*
* OLD statistics not used by the kernel. The kernel uses <inet/mib2.h>.
diff --git a/usr/src/uts/common/netinet/in.h b/usr/src/uts/common/netinet/in.h
index fc2c750ba7..c1166fc34f 100644
--- a/usr/src/uts/common/netinet/in.h
+++ b/usr/src/uts/common/netinet/in.h
@@ -888,6 +888,7 @@ struct sockaddr_in6 {
*/
#define IP_PKTINFO 0x1a /* specify src address and/or index */
#define IP_RECVPKTINFO 0x1a /* recv dest/matched addr and index */
+#define IP_DONTFRAG 0x1b /* don't fragment packets */
#if !defined(_XPG4_2) || defined(__EXTENSIONS__)
/*
diff --git a/usr/src/uts/common/netinet/ip_mroute.h b/usr/src/uts/common/netinet/ip_mroute.h
index 8a658a0fca..b1dde41b1f 100644
--- a/usr/src/uts/common/netinet/ip_mroute.h
+++ b/usr/src/uts/common/netinet/ip_mroute.h
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -19,17 +18,16 @@
*
* CDDL HEADER END
*/
+
/*
- * Copyright 1991, 1997-1999, 2001, 2003 Sun Microsystems, Inc.
- * All rights reserved. Use is subject to license terms.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
*/
/* Copyright (c) 1990 Mentat Inc. */
#ifndef _NETINET_IP_MROUTE_H
#define _NETINET_IP_MROUTE_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#ifdef __cplusplus
extern "C" {
#endif
@@ -188,6 +186,7 @@ struct vif {
uint_t v_refcnt;
uchar_t v_marks;
kmutex_t v_lock;
+ ilm_t *v_ilm; /* allmulti join */
};
/*
diff --git a/usr/src/uts/common/os/ip_cksum.c b/usr/src/uts/common/os/ip_cksum.c
index 722c793b79..1fa1c9425b 100644
--- a/usr/src/uts/common/os/ip_cksum.c
+++ b/usr/src/uts/common/os/ip_cksum.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/* Copyright (c) 1990 Mentat Inc. */
@@ -93,9 +93,6 @@ ip_cksum(mblk_t *mp, int offset, uint_t sum)
#endif
ASSERT(dp);
- TRACE_2(TR_FAC_IP, TR_IP_CKSUM_START,
- "ip_cksum_start:%p (%X)", mp, sum);
-
if (mp->b_cont == NULL) {
/*
* May be fast-path, only one mblk.
@@ -277,9 +274,6 @@ slow1:
mlen = mp->b_wptr - (uchar_t *)w;
}
- TRACE_2(TR_FAC_IP, TR_IP_CKSUM_START,
- "ip_cksum_start:%p (%X)", mp, sum)
-
mp = mp->b_cont;
if (mlen > 0 && pmlen == -1) {
/*
diff --git a/usr/src/uts/common/os/strsubr.c b/usr/src/uts/common/os/strsubr.c
index 76ce1af025..22bdc86e03 100644
--- a/usr/src/uts/common/os/strsubr.c
+++ b/usr/src/uts/common/os/strsubr.c
@@ -8474,9 +8474,7 @@ hcksum_retrieve(mblk_t *mp, multidata_t *mmd, pdesc_t *pd,
ASSERT(DB_TYPE(mp) == M_DATA || DB_TYPE(mp) == M_MULTIDATA);
if (mp->b_datap->db_type == M_DATA) {
if (flags != NULL) {
- *flags = DB_CKSUMFLAGS(mp) & (HCK_IPV4_HDRCKSUM |
- HCK_PARTIALCKSUM | HCK_FULLCKSUM |
- HCK_FULLCKSUM_OK);
+ *flags = DB_CKSUMFLAGS(mp) & HCK_FLAGS;
if ((*flags & (HCK_PARTIALCKSUM |
HCK_FULLCKSUM)) != 0) {
if (value != NULL)
diff --git a/usr/src/uts/common/sys/dld.h b/usr/src/uts/common/sys/dld.h
index 9542a15a8e..ed80269fbc 100644
--- a/usr/src/uts/common/sys/dld.h
+++ b/usr/src/uts/common/sys/dld.h
@@ -395,7 +395,8 @@ typedef struct dld_capab_poll_s {
/*
* Currently supported flags for LSO.
*/
-#define DLD_LSO_TX_BASIC_TCP_IPV4 0x01 /* TCP LSO capability */
+#define DLD_LSO_BASIC_TCP_IPV4 0x01 /* TCP LSO over IPv4 capability */
+#define DLD_LSO_BASIC_TCP_IPV6 0x02 /* TCP LSO over IPv6 capability */
typedef struct dld_capab_lso_s {
uint_t lso_flags; /* capability flags */
diff --git a/usr/src/uts/common/sys/dlpi.h b/usr/src/uts/common/sys/dlpi.h
index 8b0681e2d8..6b3a5801d7 100644
--- a/usr/src/uts/common/sys/dlpi.h
+++ b/usr/src/uts/common/sys/dlpi.h
@@ -593,10 +593,6 @@ union DL_qos_types {
/* dl_data is dl_capab_id_t */
#define DL_CAPAB_HCKSUM 0x01 /* Checksum offload */
/* dl_data is dl_capab_hcksum_t */
-#define DL_CAPAB_IPSEC_AH 0x02 /* IPsec AH acceleration */
- /* dl_data is dl_capab_ipsec_t */
-#define DL_CAPAB_IPSEC_ESP 0x03 /* IPsec ESP acceleration */
- /* dl_data is dl_capab_ipsec_t */
#define DL_CAPAB_MDT 0x04 /* Multidata Transmit capability */
/* dl_data is dl_capab_mdt_t */
#define DL_CAPAB_ZEROCOPY 0x05 /* Zero-copy capability */
@@ -611,45 +607,8 @@ typedef struct {
} dl_capability_sub_t;
/*
- * Definitions and structures needed for DL_CONTROL_REQ and DL_CONTROL_ACK
- * primitives.
- * Extensible message to send down control information to the DLS provider.
- * The response is a DL_CONTROL_ACK or DL_ERROR_ACK.
- *
- * Different types of control operations will define different format for the
- * key and data fields. ADD requires key and data fields; if the <type, key>
- * matches an already existing entry a DL_ERROR_ACK will be returned. DELETE
- * requires a key field; if the <type, key> does not exist, a DL_ERROR_ACK
- * will be returned. FLUSH requires neither a key nor data; it
- * unconditionally removes all entries for the specified type. GET requires a
- * key field; the get operation returns the data for the <type, key>. If
- * <type, key> doesn't exist a DL_ERROR_ACK is returned. UPDATE requires key
- * and data fields; if <type, key> doesn't exist a DL_ERROR_ACK is returned.
- */
-
-/*
- * Control operations
- */
-#define DL_CO_ADD 0x01 /* Add new entry matching for <type,key> */
-#define DL_CO_DELETE 0x02 /* Delete the entry matching <type,key> */
-#define DL_CO_FLUSH 0x03 /* Purge all entries of <type> */
-#define DL_CO_GET 0x04 /* Get the data for the <type,key> */
-#define DL_CO_UPDATE 0x05 /* Update the data for <type,key> */
-#define DL_CO_SET 0x06 /* Add or update as appropriate */
-
-/*
- * Control types (dl_type field of dl_control_req_t and dl_control_ack_t)
- */
-#define DL_CT_IPSEC_AH 0x01 /* AH; key=spi,dest_addr; */
- /* data=keying material */
-#define DL_CT_IPSEC_ESP 0x02 /* ESP; key=spi,des_taddr; */
- /* data=keying material */
-
-/*
* Module ID token to be included in new sub-capability structures.
- * Existing sub-capabilities lacking an identification token, e.g. IPSEC
- * hardware acceleration, need to be encapsulated within the ID sub-
- * capability. Access to this structure must be done through
+ * Access to this structure must be done through
* dlcapab{set,check}qid().
*/
typedef struct {
diff --git a/usr/src/uts/common/sys/ib/mgt/ibcm/ibcm_arp.h b/usr/src/uts/common/sys/ib/mgt/ibcm/ibcm_arp.h
index c307ed7575..e0b7e1e1e7 100644
--- a/usr/src/uts/common/sys/ib/mgt/ibcm/ibcm_arp.h
+++ b/usr/src/uts/common/sys/ib/mgt/ibcm/ibcm_arp.h
@@ -31,24 +31,11 @@ extern "C" {
#endif
#include <sys/ib/mgt/ibcm/ibcm_impl.h>
-#include <sys/modhash.h>
#include <sys/ib/clients/ibd/ibd.h>
-#include <sys/strsun.h>
-#include <sys/socket.h>
-#include <sys/stat.h> /* for S_IFCHR */
#include <inet/ip2mac.h>
#include <inet/ip6.h>
-/*
- * IPoIB addr lookup completion function
- */
-typedef int (*ibcm_arp_pr_comp_func_t) (void *usr_arg, int status);
-
#define IBCM_ARP_MAX_IFNAME_LEN 24
-#define IBCM_ARP_XMIT_COUNT 6
-#define IBCM_ARP_XMIT_INTERVAL 1000 /* timeout in milliseconds */
-#define IBCM_ARP_TIMEOUT \
- ((IBCM_ARP_XMIT_COUNT + 1) * IBCM_ARP_XMIT_INTERVAL)
#define IBCM_H2N_GID(gid) \
{ \
@@ -68,9 +55,7 @@ typedef int (*ibcm_arp_pr_comp_func_t) (void *usr_arg, int status);
* Path record wait queue node definition
*/
typedef struct ibcm_arp_prwqn {
- ibcm_arp_pr_comp_func_t func; /* user callback function */
- void *arg; /* callback function arg */
- timeout_id_t timeout_id;
+ struct ibcm_arp_streams_s *ib_str;
uint8_t flags;
ibt_ip_addr_t usrc_addr; /* user supplied src address */
ibt_ip_addr_t dst_addr; /* user supplied dest address */
@@ -89,15 +74,11 @@ typedef struct ibcm_arp_prwqn {
typedef struct ibcm_arp_streams_s {
kmutex_t lock;
kcondvar_t cv;
- queue_t *arpqueue;
- vnode_t *arp_vp;
int status;
boolean_t done;
ibcm_arp_prwqn_t *wqnp;
} ibcm_arp_streams_t;
-/* GID to IP-Addr and Ip-Addr to GID look-up functions. */
-
#define IBCM_ARP_IBD_INSTANCES 4
typedef struct ibcm_arp_ip_s {
diff --git a/usr/src/uts/common/sys/iphada.h b/usr/src/uts/common/sys/iphada.h
deleted file mode 100644
index 9d1a6e28e8..0000000000
--- a/usr/src/uts/common/sys/iphada.h
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-/*
- * Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
- */
-
-#ifndef _SYS_IPHADA_H
-#define _SYS_IPHADA_H
-
-#pragma ident "%Z%%M% %I% %E% SMI"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#define DA_ICV_MAX_LEN 128 /* max ICV length [bytes] */
-
-/*
- * iphada.h header for IP Hardware Acceleration Data Attributes
- *
- * This is a contract private interface for use by the Sun
- * Hardware Accelerated Ethernet driver ONLY.
- */
-typedef struct da_ipsec {
- int da_type; /* M_CTL message ident */
- int da_flag;
- uint32_t da_icv_len; /* da_icv length in bytes */
- uchar_t da_icv[DA_ICV_MAX_LEN]; /* ICV for AH or ESP+auth */
-} da_ipsec_t;
-
-#define IPHADA_M_CTL 0xA1D53DE5u
-
-/*
- * IPSec algorithms capabilities (cip_data in dl_capab_ipsec_t)
- */
-typedef struct {
- t_uscalar_t alg_type;
- t_uscalar_t alg_prim; /* algorithm primitive */
- t_uscalar_t alg_thruput; /* approx throughput metric in Mb/s */
- t_uscalar_t alg_flag; /* flags */
- t_uscalar_t alg_minbits; /* minimum key len in bits */
- t_uscalar_t alg_maxbits; /* maximum key len in bits */
- t_uscalar_t alg_incrbits; /* key len increment in bits */
-} dl_capab_ipsec_alg_t;
-
-/*
- * IPSec sub-capability (follows dl_capability_sub_t)
- */
-typedef struct {
- t_uscalar_t cip_version; /* interface version */
- t_uscalar_t cip_nciphers; /* number ciphers supported */
- dl_capab_ipsec_alg_t cip_data[1]; /* data */
-} dl_capab_ipsec_t;
-
-/*
- * Algorithm types (alg_type field of dl_capab_ipsec_alg_t)
- */
-#define DL_CAPAB_IPSEC_ALG_AUTH 0x01 /* authentication alg. */
-#define DL_CAPAB_IPSEC_ALG_ENCR 0x02 /* encryption alg. */
-
-/* alg_prim ciphers */
-#define DL_CAPAB_IPSEC_ENCR_DES 0x02
-#define DL_CAPAB_IPSEC_ENCR_3DES 0x03
-#define DL_CAPAB_IPSEC_ENCR_BLOWFISH 0x07
-#define DL_CAPAB_IPSEC_ENCR_NULL 0x0b /* no encryption */
-#define DL_CAPAB_IPSEC_ENCR_AES 0x0c
-
-/* alg_prim authentications */
-#define DL_CAPAB_IPSEC_AUTH_NONE 0x00 /* no authentication */
-#define DL_CAPAB_IPSEC_AUTH_MD5HMAC 0x02
-#define DL_CAPAB_IPSEC_AUTH_SHA1HMAC 0x03
-
-/* alg_flag values */
-#define DL_CAPAB_ALG_ENABLE 0x01 /* enable this algorithm */
-
-/*
- * For DL_CT_IPSEC_AH and DL_CT_IPSEC_ESP, the optional dl_key data
- * that follows the dl_control_req_t or dl_control_ack_t will be the IPsec
- * SPI (Security Parameters Index) value and the destination address.
- * This is defined as being unique per protocol.
- */
-
-#define DL_CTL_IPSEC_ADDR_LEN 16 /* IP addr length in bytes */
-
-typedef struct dl_ct_ipsec_key {
- uint32_t dl_key_spi; /* Security Parameters Index value */
- uchar_t dl_key_dest_addr[DL_CTL_IPSEC_ADDR_LEN]; /* dest IP address */
- uint32_t dl_key_addr_family; /* family of dest IP address */
- /* (AF_INET or AF_INET6) */
-} dl_ct_ipsec_key_t;
-
-#define DL_CT_IPSEC_MAX_KEY_LEN 512 /* max key length in bytes */
-
-/*
- * Possible flags for sadb_sa_flags.
- */
-#define DL_CT_IPSEC_INBOUND 0x01 /* SA can be used for inbound pkts */
-#define DL_CT_IPSEC_OUTBOUND 0x02 /* SA can be used for outbound pkts */
-
-/*
- * minimal SADB entry content
- * fields are defined as per RFC 2367 and <net/pfkeyv2.h>
- * This defines the content and format of the dl_data portion of
- * the dl_control_req_t or dl_control_ack_t.
- */
-typedef struct dl_ct_ipsec {
- uint8_t sadb_sa_auth; /* Authentication algorithm */
- uint8_t sadb_sa_encrypt; /* Encryption algorithm */
- uint32_t sadb_sa_flags; /* SA flags. */
- uint16_t sadb_key_len_a; /* auth key length in bytes */
- uint16_t sadb_key_bits_a; /* auth key length in bits */
- uint16_t sadb_key_data_a[DL_CT_IPSEC_MAX_KEY_LEN]; /* key data */
- uint16_t sadb_key_len_e; /* encr key length in bytes */
- uint16_t sadb_key_bits_e; /* encr key length in bits */
- uint16_t sadb_key_data_e[DL_CT_IPSEC_MAX_KEY_LEN]; /* key data */
-} dl_ct_ipsec_t;
-
-
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _SYS_IPHADA_H */
diff --git a/usr/src/uts/common/sys/pattr.h b/usr/src/uts/common/sys/pattr.h
index cac046d675..f3b8397681 100644
--- a/usr/src/uts/common/sys/pattr.h
+++ b/usr/src/uts/common/sys/pattr.h
@@ -19,15 +19,13 @@
* CDDL HEADER END
*/
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _SYS_PATTR_H
#define _SYS_PATTR_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#ifdef __cplusplus
extern "C" {
#endif
@@ -92,6 +90,9 @@ typedef struct pattr_hcksum_s {
/* check the attached h/w computed */
/* checksum value to determine if */
/* checksum was bad */
+
+#define HCK_FLAGS (HCK_IPV4_HDRCKSUM | HCK_PARTIALCKSUM | \
+ HCK_FULLCKSUM | HCK_FULLCKSUM_OK)
/*
* Extended hardware offloading flags that also use hcksum_flags
*/
diff --git a/usr/src/uts/common/sys/softmac_impl.h b/usr/src/uts/common/sys/softmac_impl.h
index eb71063bc7..bd94d4982e 100644
--- a/usr/src/uts/common/sys/softmac_impl.h
+++ b/usr/src/uts/common/sys/softmac_impl.h
@@ -301,7 +301,9 @@ typedef struct softmac_upper_s {
uint32_t su_bound : 1, /* SL */
su_active : 1, /* SL */
- su_direct : 1; /* SL */
+ su_direct : 1, /* SL */
+ su_is_arp : 1,
+ su_pad_to_32:28;
/*
* Used for fastpath data path.
diff --git a/usr/src/uts/common/sys/squeue.h b/usr/src/uts/common/sys/squeue.h
index a2d808f647..de0f18bd4d 100644
--- a/usr/src/uts/common/sys/squeue.h
+++ b/usr/src/uts/common/sys/squeue.h
@@ -44,21 +44,19 @@ typedef struct squeue_s squeue_t;
(mp)->b_prev = (mblk_t *)(arg); \
}
-#define GET_SQUEUE(mp) ((conn_t *)((mp)->b_prev))->conn_sqp
-
#define SQ_FILL 0x0001
#define SQ_NODRAIN 0x0002
#define SQ_PROCESS 0x0004
-#define SQUEUE_ENTER(sqp, head, tail, cnt, flag, tag) { \
- sqp->sq_enter(sqp, head, tail, cnt, flag, tag); \
+#define SQUEUE_ENTER(sqp, head, tail, cnt, ira, flag, tag) { \
+ sqp->sq_enter(sqp, head, tail, cnt, ira, flag, tag); \
}
-#define SQUEUE_ENTER_ONE(sqp, mp, proc, arg, flag, tag) { \
+#define SQUEUE_ENTER_ONE(sqp, mp, proc, arg, ira, flag, tag) { \
ASSERT(mp->b_next == NULL); \
ASSERT(mp->b_prev == NULL); \
SET_SQUEUE(mp, proc, arg); \
- SQUEUE_ENTER(sqp, mp, mp, 1, flag, tag); \
+ SQUEUE_ENTER(sqp, mp, mp, 1, ira, flag, tag); \
}
/*
@@ -77,12 +75,13 @@ typedef enum {
SQPRIVATE_MAX
} sqprivate_t;
+struct ip_recv_attr_s;
extern void squeue_init(void);
extern squeue_t *squeue_create(clock_t, pri_t);
extern void squeue_bind(squeue_t *, processorid_t);
extern void squeue_unbind(squeue_t *);
extern void squeue_enter(squeue_t *, mblk_t *, mblk_t *,
- uint32_t, int, uint8_t);
+ uint32_t, struct ip_recv_attr_s *, int, uint8_t);
extern uintptr_t *squeue_getprivate(squeue_t *, sqprivate_t);
struct conn_s;
diff --git a/usr/src/uts/common/sys/squeue_impl.h b/usr/src/uts/common/sys/squeue_impl.h
index bd934cc0b3..22550886eb 100644
--- a/usr/src/uts/common/sys/squeue_impl.h
+++ b/usr/src/uts/common/sys/squeue_impl.h
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -79,9 +79,9 @@ typedef struct squeue_set_s {
processorid_t sqs_cpuid;
} squeue_set_t;
-typedef void (*sqproc_t)(void *, mblk_t *, void *);
+typedef void (*sqproc_t)(void *, mblk_t *, void *, struct ip_recv_attr_s *);
typedef void (*sq_enter_proc_t)(squeue_t *, mblk_t *, mblk_t *, uint32_t,
- int, uint8_t);
+ struct ip_recv_attr_s *, int, uint8_t);
typedef void (*sq_drain_proc_t)(squeue_t *, uint_t, hrtime_t);
extern void squeue_worker_wakeup(squeue_t *);
diff --git a/usr/src/uts/common/sys/stream.h b/usr/src/uts/common/sys/stream.h
index b9c96a8345..7a3b4e3448 100644
--- a/usr/src/uts/common/sys/stream.h
+++ b/usr/src/uts/common/sys/stream.h
@@ -404,9 +404,6 @@ typedef struct bcache {
#define STRUIO_IP 0x04 /* IP checksum stored in db_struioun */
#define STRUIO_ZC 0x08 /* mblk eligible for zero-copy */
#define STRUIO_ZCNOTIFY 0x10 /* notify stream head when mblk acked */
-#define STRUIO_EAGER 0x20 /* new eager; db_cksumstart has squeue to use */
-#define STRUIO_POLICY 0x40 /* new eager when IPsec is enabled */
-#define STRUIO_CONNECT 0x80 /* conn did a connect */
/*
* Message flags. These are interpreted by the stream head.
@@ -418,8 +415,7 @@ typedef struct bcache {
/* UNUSED 0x08 was MSGNOGET (can be recycled) */
#define MSGMARKNEXT 0x10 /* Private: first byte of next msg marked */
#define MSGNOTMARKNEXT 0x20 /* Private: ... not marked */
-#define MSGHASREF 0x40 /* Private: message has reference to owner */
-#define MSGWAITSYNC 0x80 /* Private: waiting for sync squeue enter */
+#define MSGWAITSYNC 0x40 /* Private: waiting for sync squeue enter */
/*
* Streams message types.
diff --git a/usr/src/uts/common/sys/tsol/tnet.h b/usr/src/uts/common/sys/tsol/tnet.h
index 221f4c775a..0da65ae5ca 100644
--- a/usr/src/uts/common/sys/tsol/tnet.h
+++ b/usr/src/uts/common/sys/tsol/tnet.h
@@ -46,35 +46,30 @@ extern "C" {
extern int tsol_tnrh_chk(tsol_tpent_t *, bslabel_t *, int);
extern tsol_tnrhc_t *find_rhc(const void *, uchar_t, boolean_t);
-extern int tsol_check_dest(const cred_t *, const void *, uchar_t, uint_t,
- cred_t **);
-extern int tsol_compute_label(const cred_t *, ipaddr_t, uchar_t *,
- ip_stack_t *);
-extern int tsol_compute_label_v6(const cred_t *, const in6_addr_t *, uchar_t *,
- ip_stack_t *);
-extern int tsol_check_label(const cred_t *, mblk_t **, uint_t,
- ip_stack_t *, pid_t);
-extern int tsol_check_label_v6(const cred_t *, mblk_t **, uint_t,
- ip_stack_t *, pid_t);
+extern int tsol_check_dest(const ts_label_t *, const void *, uchar_t,
+ uint_t, boolean_t, ts_label_t **);
+extern int tsol_compute_label_v4(const ts_label_t *, zoneid_t, ipaddr_t,
+ uchar_t *, ip_stack_t *);
+extern int tsol_compute_label_v6(const ts_label_t *, zoneid_t,
+ const in6_addr_t *, uchar_t *, ip_stack_t *);
+extern int tsol_check_label_v4(const ts_label_t *, zoneid_t, mblk_t **,
+ uint_t, boolean_t, ip_stack_t *, ts_label_t **);
+extern int tsol_check_label_v6(const ts_label_t *, zoneid_t, mblk_t **,
+ uint_t, boolean_t, ip_stack_t *, ts_label_t **);
extern int tsol_prepend_option(uchar_t *, ipha_t *, int);
extern int tsol_prepend_option_v6(uchar_t *, ip6_t *, int);
extern int tsol_remove_secopt(ipha_t *, int);
extern int tsol_remove_secopt_v6(ip6_t *, int);
-extern int tsol_update_sticky(ip6_pkt_t *, uint_t *, const uchar_t *);
-extern int tsol_update_options(uchar_t **, uint_t *, uint_t *,
- const uchar_t *);
-extern boolean_t tsol_option_set(uchar_t **, uint_t *, uint_t, const uchar_t *,
- uint_t);
extern tsol_ire_gw_secattr_t *ire_gw_secattr_alloc(int);
extern void ire_gw_secattr_free(tsol_ire_gw_secattr_t *);
-extern boolean_t tsol_can_reply_error(const mblk_t *);
+extern boolean_t tsol_can_reply_error(const mblk_t *, ip_recv_attr_t *);
extern boolean_t tsol_receive_local(const mblk_t *, const void *, uchar_t,
- boolean_t, const conn_t *);
-extern boolean_t tsol_can_accept_raw(mblk_t *, boolean_t);
-extern boolean_t tsol_get_pkt_label(mblk_t *, int);
-extern zoneid_t tsol_packet_to_zoneid(const mblk_t *);
+ ip_recv_attr_t *, const conn_t *);
+extern boolean_t tsol_can_accept_raw(mblk_t *, ip_recv_attr_t *, boolean_t);
+extern boolean_t tsol_get_pkt_label(mblk_t *, int, ip_recv_attr_t *);
+extern zoneid_t tsol_attr_to_zoneid(const ip_recv_attr_t *);
extern boolean_t tsol_get_option_v4(mblk_t *, tsol_ip_label_t *, uint8_t **);
extern boolean_t tsol_get_option_v6(mblk_t *, tsol_ip_label_t *, uint8_t **);
@@ -83,8 +78,8 @@ extern boolean_t tsol_find_secopt_v6(const uchar_t *, uint_t, uchar_t **,
extern int tsol_ire_match_gwattr(ire_t *, const ts_label_t *);
extern int tsol_rtsa_init(rt_msghdr_t *, tsol_rtsecattr_t *, caddr_t);
-extern int tsol_ire_init_gwattr(ire_t *, uchar_t, tsol_gc_t *, tsol_gcgrp_t *);
-extern mblk_t *tsol_ip_forward(ire_t *, mblk_t *);
+extern int tsol_ire_init_gwattr(ire_t *, uchar_t, tsol_gc_t *);
+extern mblk_t *tsol_ip_forward(ire_t *, mblk_t *, const ip_recv_attr_t *);
extern uint32_t tsol_pmtu_adjust(mblk_t *, uint32_t, int, int);
extern mlp_type_t tsol_mlp_addr_type(zoneid_t, uchar_t, const void *,
diff --git a/usr/src/uts/intel/Makefile.intel.shared b/usr/src/uts/intel/Makefile.intel.shared
index f1ceb0257e..6b20559ef4 100644
--- a/usr/src/uts/intel/Makefile.intel.shared
+++ b/usr/src/uts/intel/Makefile.intel.shared
@@ -371,7 +371,6 @@ DRV_KMODS += pppt
DRV_KMODS += ncall nsctl sdbc nskern sv
DRV_KMODS += ii rdc rdcsrv rdcstub
DRV_KMODS += iptun
-DRV_KMODS += iptunq
#
# Don't build some of these for OpenSolaris, since they will be
diff --git a/usr/src/uts/intel/arp/Makefile b/usr/src/uts/intel/arp/Makefile
index aff11806da..9b91950434 100644
--- a/usr/src/uts/intel/arp/Makefile
+++ b/usr/src/uts/intel/arp/Makefile
@@ -21,11 +21,9 @@
#
# uts/intel/arp/Makefile
#
-# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
-#
# This makefile drives the production of the arp driver kernel module.
#
# intel implementation architecture dependent
@@ -68,7 +66,7 @@ INSTALL_TARGET = $(BINARY) $(ROOTMODULE) $(ROOTLINK) $(ROOT_CONFFILE)
#
# depends on ip
#
-LDFLAGS += -dy -Ndrv/ip -Ndrv/hook -Nmisc/neti
+LDFLAGS += -dy -Ndrv/ip
#
# For now, disable these lint checks; maintainers should endeavor
diff --git a/usr/src/uts/intel/arp/arp.global-objs.debug64 b/usr/src/uts/intel/arp/arp.global-objs.debug64
index 7f826ea213..f936276753 100644
--- a/usr/src/uts/intel/arp/arp.global-objs.debug64
+++ b/usr/src/uts/intel/arp/arp.global-objs.debug64
@@ -23,15 +23,6 @@
# Use is subject to license terms.
#
-ar_cmd_tbl
-ar_m_tbl
-arp_mod_info
-arp_no_defense
-arpinfo
-arprinit
-arpwinit
-arp_param_arr
-arp_netinfo
cb_inet_devops
fsw
inet_dev_info
diff --git a/usr/src/uts/intel/ia32/ml/modstubs.s b/usr/src/uts/intel/ia32/ml/modstubs.s
index 6cd415a78f..3837728d4c 100644
--- a/usr/src/uts/intel/ia32/ml/modstubs.s
+++ b/usr/src/uts/intel/ia32/ml/modstubs.s
@@ -509,7 +509,6 @@ fcnname/**/_info: \
MODULE(ipsecah,drv);
WSTUB(ipsecah, ipsec_construct_inverse_acquire, nomod_zero);
WSTUB(ipsecah, sadb_acquire, nomod_zero);
- WSTUB(ipsecah, sadb_ill_download, nomod_zero);
WSTUB(ipsecah, ipsecah_algs_changed, nomod_zero);
WSTUB(ipsecah, sadb_alg_update, nomod_zero);
WSTUB(ipsecah, sadb_unlinkassoc, nomod_zero);
@@ -1294,8 +1293,6 @@ fcnname/**/_info: \
STUB(iptun, iptun_create, nomod_einval);
STUB(iptun, iptun_delete, nomod_einval);
STUB(iptun, iptun_set_policy, nomod_void) ;
- STUB(iptun, iptun_set_g_q, nomod_einval);
- STUB(iptun, iptun_clear_g_q, nomod_void);
END_MODULE(iptun);
#endif
diff --git a/usr/src/uts/intel/ip/ip.global-objs.debug64 b/usr/src/uts/intel/ip/ip.global-objs.debug64
index 6009f5b006..07e9aaedde 100644
--- a/usr/src/uts/intel/ip/ip.global-objs.debug64
+++ b/usr/src/uts/intel/ip/ip.global-objs.debug64
@@ -23,19 +23,24 @@
# Use is subject to license terms.
#
+arp_m_tbl
+arp_mod_info
+arp_netinfo
+arp_no_defense
+arpinfo
cb_inet_devops
cl_inet_bind
+cl_inet_checkspi
cl_inet_connect2
+cl_inet_deletespi
cl_inet_disconnect
+cl_inet_getspi
+cl_inet_idlesa
cl_inet_ipident
cl_inet_isclusterwide
cl_inet_listen
cl_inet_unbind
cl_inet_unlisten
-cl_inet_getspi
-cl_inet_checkspi
-cl_inet_deletespi
-cl_inet_idlesa
cl_sctp_assoc_change
cl_sctp_check_addrs
cl_sctp_connect
@@ -43,6 +48,7 @@ cl_sctp_disconnect
cl_sctp_listen
cl_sctp_unlisten
conn_drain_nthreads
+dce_cache
default_ip6_asp_table
do_tcp_fusion
do_tcpzcopy
@@ -97,74 +103,45 @@ ill_no_arena
ill_null
inet_dev_info
inet_devops
-ip6_area_template
-ip6_ared_template
-ip6_cache_table_size
ip6_ftable_hash_size
-ip6_ire_max_bucket_cnt
-ip6_ire_min_bucket_cnt
-ip6_max_cache_table_size
ip6opt_ls
-ip_ard_template
-ip_area_template
-ip_ared_template
-ip_areq_template
-ip_arma_multi_template
-ip_aroff_template
-ip_aron_template
-ip_aru_template
-ip_cache_table_size
ip_cgtp_filter_rev
ip_conn_cache
ip_debug
ip_g_all_ones
-ip_helper_stream_cache
ip_helper_stream_info
ip_helper_stream_rinit
ip_helper_stream_winit
ip_ioctl_ftbl
-ip_ire_cleanup_cnt
-ip_ire_cpu_ratio
-ip_ire_max_bucket_cnt
-ip_ire_mem_ratio
-ip_ire_min_bucket_cnt
-ip_loopback_mtu
ip_loopback_mtu_v6plus
ip_loopback_mtuplus
ip_m_tbl
-ip_max_cache_table_size
ip_max_frag_dups
ip_min_frag_prune_time
-ip_minor_arena_sa
ip_minor_arena_la
+ip_minor_arena_sa
ip_misc_ioctl_count
ip_misc_ioctl_table
ip_mod_info
ip_modclose_ackwait_ms
ip_ndx_ioctl_count
ip_ndx_ioctl_table
-ip_opt_arr
-ip_opt_obj
ip_poll_normal_ms
ip_poll_normal_ticks
ip_rput_pullups
ip_six_byte_all_ones
ip_squeue_create_callback
ip_squeue_enter
-ip_squeue_enter_unbound
ip_squeue_fanout
ip_squeue_flag
ip_squeue_worker_wait
ip_thread_data
ip_thread_list
ip_thread_rwlock
-ip_use_helper_cache
-ip_wput_frag_mdt_min
ipcl_bind_fanout_size
ipcl_conn_hash_maxsize
ipcl_conn_hash_memfactor
ipcl_conn_hash_size
-ipcl_debug_level
ipcl_iptun_fanout_size
ipcl_raw_fanout_size
ipcl_udp_fanout_size
@@ -174,24 +151,16 @@ ipinfov4
ipinfov6
iplrinit
iplwinit
-ipmp_aract_template
-ipmp_ardeact_template
ipmp_kstats
iprinitv4
iprinitv6
ipsec_action_cache
ipsec_hdr_pullup_needed
-ipsec_info_cache
ipsec_pol_cache
ipsec_policy_failure_msgs
ipsec_sel_cache
ipsec_spd_hashsize
ipsec_weird_null_inbound_policy
-ipsechw_debug
-iptunq_info
-iptunq_modinfo
-iptunq_rinit
-iptunq_winit
ipv4_forward_suffix
ipv4info
ipv6_all_hosts_mcast
@@ -199,29 +168,22 @@ ipv6_all_ones
ipv6_all_rtrs_mcast
ipv6_all_v2rtrs_mcast
ipv6_all_zeros
-ipv6_areq_template
ipv6_forward_suffix
ipv6_ll_template
ipv6_loopback
ipv6_solicited_node_mcast
ipv6_unspecified_group
ipv6info
-ipwinitv4
-ipwinitv6
+ipwinit
ire_cache
ire_gw_secattr_cache
-ire_idle_cutoff_interval
ire_null
ire_nv_arr
ire_nv_tbl
-ire_uinfo_null
lcl_ndp_arr
lcl_param_arr
lcl_sctp_param_arr
lcl_sctp_wroff_xtra_param
-lcl_tcp_mdt_head_param
-lcl_tcp_mdt_max_pbufs_param
-lcl_tcp_mdt_tail_param
lcl_tcp_param_arr
lcl_tcp_wroff_xtra_param
mask_rnhead
@@ -230,6 +192,8 @@ modldrv
modlinkage
modlstrmod
multicast_encap_iphdr
+nce_cache
+ncec_cache
netdev_privs
prov_update_handle
radix_mask_cache
@@ -238,6 +202,7 @@ rawip_conn_cache
recvq_call
recvq_loop_cnt
req_arr
+rinit_arp
rn_mkfreelist
rn_ones
rn_zeros
@@ -260,25 +225,23 @@ sctp_kmem_faddr_cache
sctp_kmem_ftsn_set_cache
sctp_kmem_set_cache
sctp_mod_info
+sctp_opt_arr
+sctp_opt_arr_size
sctp_recvq_tq_task_max
sctp_recvq_tq_task_min
sctp_recvq_tq_thr_max
sctp_recvq_tq_thr_min
sctp_sin6_null
-sctp_taskq
sctpdebug
sctpinfo
sctprinit
sctpwinit
-sendq_collision
-sendq_empty
-sendq_loop_cnt
sin6_null
sin_null
skip_sctp_cksum
-sock_tcp_downcalls
-sock_rts_downcalls
sock_rawip_downcalls
+sock_rts_downcalls
+sock_tcp_downcalls
sock_udp_downcalls
sqset_global_list
sqset_global_size
@@ -300,12 +263,10 @@ tcp_g_statistics
tcp_g_t_info_ack
tcp_g_t_info_ack_v6
tcp_icmp_source_quench
-tcp_iphc_cache
tcp_max_optsize
-tcp_mdt_chain
-tcp_mdt_smss_threshold
tcp_opt_arr
tcp_opt_obj
+tcp_outbound_squeue_switch
tcp_random_anon_port
tcp_random_end_ptr
tcp_random_fptr
@@ -321,13 +282,11 @@ tcp_sock_winit
tcp_squeue_flag
tcp_squeue_wput
tcp_static_maxpsz
-tcp_taskq
tcp_timercache
tcp_tx_pull_len
tcp_valid_levels_arr
tcp_winfo
tcp_winit
-tcp_outbound_squeue_switch
tcpinfov4
tcpinfov6
tli_errs
@@ -352,4 +311,6 @@ udp_valid_levels_arr
udp_winit
udpinfov4
udpinfov6
-zero_info
+winit_arp
+eri_cksum_workaround
+nxge_cksum_workaround
diff --git a/usr/src/uts/intel/ip/ip.global-objs.obj64 b/usr/src/uts/intel/ip/ip.global-objs.obj64
index 1706a82aa7..526e907ab5 100644
--- a/usr/src/uts/intel/ip/ip.global-objs.obj64
+++ b/usr/src/uts/intel/ip/ip.global-objs.obj64
@@ -23,19 +23,24 @@
# Use is subject to license terms.
#
+arp_m_tbl
+arp_mod_info
+arp_netinfo
+arp_no_defense
+arpinfo
cb_inet_devops
cl_inet_bind
+cl_inet_checkspi
cl_inet_connect2
+cl_inet_deletespi
cl_inet_disconnect
+cl_inet_getspi
+cl_inet_idlesa
cl_inet_ipident
cl_inet_isclusterwide
cl_inet_listen
cl_inet_unbind
cl_inet_unlisten
-cl_inet_getspi
-cl_inet_checkspi
-cl_inet_deletespi
-cl_inet_idlesa
cl_sctp_assoc_change
cl_sctp_check_addrs
cl_sctp_connect
@@ -43,6 +48,7 @@ cl_sctp_disconnect
cl_sctp_listen
cl_sctp_unlisten
conn_drain_nthreads
+dce_cache
default_ip6_asp_table
do_tcp_fusion
do_tcpzcopy
@@ -97,69 +103,41 @@ ill_no_arena
ill_null
inet_dev_info
inet_devops
-ip6_area_template
-ip6_ared_template
-ip6_cache_table_size
ip6_ftable_hash_size
-ip6_ire_max_bucket_cnt
-ip6_ire_min_bucket_cnt
-ip6_max_cache_table_size
ip6opt_ls
-ip_ard_template
-ip_area_template
-ip_ared_template
-ip_areq_template
-ip_arma_multi_template
-ip_aroff_template
-ip_aron_template
-ip_aru_template
-ip_cache_table_size
ip_cgtp_filter_rev
ip_conn_cache
ip_debug
ip_g_all_ones
-ip_helper_stream_cache
ip_helper_stream_info
ip_helper_stream_rinit
ip_helper_stream_winit
ip_ioctl_ftbl
-ip_ire_cleanup_cnt
-ip_ire_cpu_ratio
-ip_ire_max_bucket_cnt
-ip_ire_mem_ratio
-ip_ire_min_bucket_cnt
-ip_loopback_mtu
ip_loopback_mtu_v6plus
ip_loopback_mtuplus
ip_m_tbl
-ip_max_cache_table_size
ip_max_frag_dups
ip_min_frag_prune_time
-ip_minor_arena_sa
ip_minor_arena_la
+ip_minor_arena_sa
ip_misc_ioctl_count
ip_misc_ioctl_table
ip_mod_info
ip_modclose_ackwait_ms
ip_ndx_ioctl_count
ip_ndx_ioctl_table
-ip_opt_arr
-ip_opt_obj
ip_poll_normal_ms
ip_poll_normal_ticks
ip_rput_pullups
ip_six_byte_all_ones
ip_squeue_create_callback
ip_squeue_enter
-ip_squeue_enter_unbound
ip_squeue_fanout
ip_squeue_flag
ip_squeue_worker_wait
ip_thread_data
ip_thread_list
ip_thread_rwlock
-ip_use_helper_cache
-ip_wput_frag_mdt_min
ipcl_bind_fanout_size
ipcl_conn_hash_maxsize
ipcl_conn_hash_memfactor
@@ -173,23 +151,16 @@ ipinfov4
ipinfov6
iplrinit
iplwinit
-ipmp_aract_template
-ipmp_ardeact_template
ipmp_kstats
iprinitv4
iprinitv6
ipsec_action_cache
ipsec_hdr_pullup_needed
-ipsec_info_cache
ipsec_pol_cache
ipsec_policy_failure_msgs
ipsec_sel_cache
ipsec_spd_hashsize
ipsec_weird_null_inbound_policy
-iptunq_info
-iptunq_modinfo
-iptunq_rinit
-iptunq_winit
ipv4_forward_suffix
ipv4info
ipv6_all_hosts_mcast
@@ -197,29 +168,22 @@ ipv6_all_ones
ipv6_all_rtrs_mcast
ipv6_all_v2rtrs_mcast
ipv6_all_zeros
-ipv6_areq_template
ipv6_forward_suffix
ipv6_ll_template
ipv6_loopback
ipv6_solicited_node_mcast
ipv6_unspecified_group
ipv6info
-ipwinitv4
-ipwinitv6
+ipwinit
ire_cache
ire_gw_secattr_cache
-ire_idle_cutoff_interval
ire_null
ire_nv_arr
ire_nv_tbl
-ire_uinfo_null
lcl_ndp_arr
lcl_param_arr
lcl_sctp_param_arr
lcl_sctp_wroff_xtra_param
-lcl_tcp_mdt_head_param
-lcl_tcp_mdt_max_pbufs_param
-lcl_tcp_mdt_tail_param
lcl_tcp_param_arr
lcl_tcp_wroff_xtra_param
mask_rnhead
@@ -228,12 +192,15 @@ modldrv
modlinkage
modlstrmod
multicast_encap_iphdr
+nce_cache
+ncec_cache
netdev_privs
prov_update_handle
radix_mask_cache
radix_node_cache
rawip_conn_cache
req_arr
+rinit_arp
rn_mkfreelist
rn_ones
rn_zeros
@@ -256,21 +223,22 @@ sctp_kmem_faddr_cache
sctp_kmem_ftsn_set_cache
sctp_kmem_set_cache
sctp_mod_info
+sctp_opt_arr
+sctp_opt_arr_size
sctp_recvq_tq_task_max
sctp_recvq_tq_task_min
sctp_recvq_tq_thr_max
sctp_recvq_tq_thr_min
sctp_sin6_null
-sctp_taskq
sctpdebug
sctpinfo
sctprinit
sctpwinit
sin6_null
sin_null
-sock_tcp_downcalls
-sock_rts_downcalls
sock_rawip_downcalls
+sock_rts_downcalls
+sock_tcp_downcalls
sock_udp_downcalls
sqset_global_list
sqset_global_size
@@ -292,12 +260,10 @@ tcp_g_statistics
tcp_g_t_info_ack
tcp_g_t_info_ack_v6
tcp_icmp_source_quench
-tcp_iphc_cache
tcp_max_optsize
-tcp_mdt_chain
-tcp_mdt_smss_threshold
tcp_opt_arr
tcp_opt_obj
+tcp_outbound_squeue_switch
tcp_random_anon_port
tcp_random_end_ptr
tcp_random_fptr
@@ -313,13 +279,11 @@ tcp_sock_winit
tcp_squeue_flag
tcp_squeue_wput
tcp_static_maxpsz
-tcp_taskq
tcp_timercache
tcp_tx_pull_len
tcp_valid_levels_arr
tcp_winfo
tcp_winit
-tcp_outbound_squeue_switch
tcpinfov4
tcpinfov6
tli_errs
@@ -344,4 +308,6 @@ udp_valid_levels_arr
udp_winit
udpinfov4
udpinfov6
-zero_info
+winit_arp
+eri_cksum_workaround
+nxge_cksum_workaround
diff --git a/usr/src/uts/sparc/Makefile.sparc.shared b/usr/src/uts/sparc/Makefile.sparc.shared
index 7aa463978d..873557cbd6 100644
--- a/usr/src/uts/sparc/Makefile.sparc.shared
+++ b/usr/src/uts/sparc/Makefile.sparc.shared
@@ -205,7 +205,7 @@ DRV_KMODS += aggr arp audio bl bofi clone cn conskbd consms cpuid
DRV_KMODS += crypto cryptoadm devinfo dump
DRV_KMODS += dtrace fasttrap fbt lockstat profile sdt systrace dcpc
DRV_KMODS += fssnap icmp icmp6 ip ip6 ipnet ipsecah
-DRV_KMODS += ipsecesp iptun iptunq iwscn keysock kmdb kstat ksyms llc1
+DRV_KMODS += ipsecesp iptun iwscn keysock kmdb kstat ksyms llc1
DRV_KMODS += lofi
DRV_KMODS += log logindmux kssl mm nca physmem pm poll pool
DRV_KMODS += pseudo ptc ptm pts ptsl ramdisk random rsm rts sad
diff --git a/usr/src/uts/sparc/arp/Makefile b/usr/src/uts/sparc/arp/Makefile
index 21c26c762e..6d1610da66 100644
--- a/usr/src/uts/sparc/arp/Makefile
+++ b/usr/src/uts/sparc/arp/Makefile
@@ -20,11 +20,9 @@
#
#
# uts/sparc/arp/Makefile
-# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-#ident "%Z%%M% %I% %E% SMI"
-#
# This makefile drives the production of the arp driver kernel module.
#
# sparc architecture dependent
@@ -72,7 +70,7 @@ CFLAGS += $(CCVERBOSE)
#
# depends on ip
#
-LDFLAGS += -dy -Ndrv/ip -Ndrv/hook -Nmisc/neti
+LDFLAGS += -dy -Ndrv/ip
#
# For now, disable these lint checks; maintainers should endeavor
diff --git a/usr/src/uts/sparc/arp/arp.global-objs.debug64 b/usr/src/uts/sparc/arp/arp.global-objs.debug64
index 7f826ea213..f936276753 100644
--- a/usr/src/uts/sparc/arp/arp.global-objs.debug64
+++ b/usr/src/uts/sparc/arp/arp.global-objs.debug64
@@ -23,15 +23,6 @@
# Use is subject to license terms.
#
-ar_cmd_tbl
-ar_m_tbl
-arp_mod_info
-arp_no_defense
-arpinfo
-arprinit
-arpwinit
-arp_param_arr
-arp_netinfo
cb_inet_devops
fsw
inet_dev_info
diff --git a/usr/src/uts/sparc/ip/ip.global-objs.debug64 b/usr/src/uts/sparc/ip/ip.global-objs.debug64
index 8df87d813d..07e9aaedde 100644
--- a/usr/src/uts/sparc/ip/ip.global-objs.debug64
+++ b/usr/src/uts/sparc/ip/ip.global-objs.debug64
@@ -23,19 +23,24 @@
# Use is subject to license terms.
#
+arp_m_tbl
+arp_mod_info
+arp_netinfo
+arp_no_defense
+arpinfo
cb_inet_devops
cl_inet_bind
+cl_inet_checkspi
cl_inet_connect2
+cl_inet_deletespi
cl_inet_disconnect
+cl_inet_getspi
+cl_inet_idlesa
cl_inet_ipident
cl_inet_isclusterwide
cl_inet_listen
cl_inet_unbind
cl_inet_unlisten
-cl_inet_getspi
-cl_inet_checkspi
-cl_inet_deletespi
-cl_inet_idlesa
cl_sctp_assoc_change
cl_sctp_check_addrs
cl_sctp_connect
@@ -43,6 +48,7 @@ cl_sctp_disconnect
cl_sctp_listen
cl_sctp_unlisten
conn_drain_nthreads
+dce_cache
default_ip6_asp_table
do_tcp_fusion
do_tcpzcopy
@@ -97,74 +103,45 @@ ill_no_arena
ill_null
inet_dev_info
inet_devops
-ip6_area_template
-ip6_ared_template
-ip6_cache_table_size
ip6_ftable_hash_size
-ip6_ire_max_bucket_cnt
-ip6_ire_min_bucket_cnt
-ip6_max_cache_table_size
ip6opt_ls
-ip_ard_template
-ip_area_template
-ip_ared_template
-ip_areq_template
-ip_arma_multi_template
-ip_aroff_template
-ip_aron_template
-ip_aru_template
-ip_cache_table_size
ip_cgtp_filter_rev
ip_conn_cache
ip_debug
ip_g_all_ones
-ip_helper_stream_cache
ip_helper_stream_info
ip_helper_stream_rinit
ip_helper_stream_winit
ip_ioctl_ftbl
-ip_ire_cleanup_cnt
-ip_ire_cpu_ratio
-ip_ire_max_bucket_cnt
-ip_ire_mem_ratio
-ip_ire_min_bucket_cnt
-ip_loopback_mtu
ip_loopback_mtu_v6plus
ip_loopback_mtuplus
ip_m_tbl
-ip_max_cache_table_size
ip_max_frag_dups
ip_min_frag_prune_time
-ip_minor_arena_sa
ip_minor_arena_la
+ip_minor_arena_sa
ip_misc_ioctl_count
ip_misc_ioctl_table
ip_mod_info
ip_modclose_ackwait_ms
ip_ndx_ioctl_count
ip_ndx_ioctl_table
-ip_opt_arr
-ip_opt_obj
ip_poll_normal_ms
ip_poll_normal_ticks
ip_rput_pullups
ip_six_byte_all_ones
ip_squeue_create_callback
ip_squeue_enter
-ip_squeue_enter_unbound
ip_squeue_fanout
ip_squeue_flag
ip_squeue_worker_wait
ip_thread_data
ip_thread_list
ip_thread_rwlock
-ip_use_helper_cache
-ip_wput_frag_mdt_min
ipcl_bind_fanout_size
ipcl_conn_hash_maxsize
ipcl_conn_hash_memfactor
ipcl_conn_hash_size
-ipcl_debug_level
ipcl_iptun_fanout_size
ipcl_raw_fanout_size
ipcl_udp_fanout_size
@@ -174,24 +151,16 @@ ipinfov4
ipinfov6
iplrinit
iplwinit
-ipmp_aract_template
-ipmp_ardeact_template
ipmp_kstats
iprinitv4
iprinitv6
ipsec_action_cache
ipsec_hdr_pullup_needed
-ipsec_info_cache
ipsec_pol_cache
ipsec_policy_failure_msgs
ipsec_sel_cache
ipsec_spd_hashsize
ipsec_weird_null_inbound_policy
-ipsechw_debug
-iptunq_info
-iptunq_modinfo
-iptunq_rinit
-iptunq_winit
ipv4_forward_suffix
ipv4info
ipv6_all_hosts_mcast
@@ -199,29 +168,22 @@ ipv6_all_ones
ipv6_all_rtrs_mcast
ipv6_all_v2rtrs_mcast
ipv6_all_zeros
-ipv6_areq_template
ipv6_forward_suffix
ipv6_ll_template
ipv6_loopback
ipv6_solicited_node_mcast
ipv6_unspecified_group
ipv6info
-ipwinitv4
-ipwinitv6
+ipwinit
ire_cache
ire_gw_secattr_cache
-ire_idle_cutoff_interval
ire_null
ire_nv_arr
ire_nv_tbl
-ire_uinfo_null
lcl_ndp_arr
lcl_param_arr
lcl_sctp_param_arr
lcl_sctp_wroff_xtra_param
-lcl_tcp_mdt_head_param
-lcl_tcp_mdt_max_pbufs_param
-lcl_tcp_mdt_tail_param
lcl_tcp_param_arr
lcl_tcp_wroff_xtra_param
mask_rnhead
@@ -230,6 +192,8 @@ modldrv
modlinkage
modlstrmod
multicast_encap_iphdr
+nce_cache
+ncec_cache
netdev_privs
prov_update_handle
radix_mask_cache
@@ -238,6 +202,7 @@ rawip_conn_cache
recvq_call
recvq_loop_cnt
req_arr
+rinit_arp
rn_mkfreelist
rn_ones
rn_zeros
@@ -260,19 +225,17 @@ sctp_kmem_faddr_cache
sctp_kmem_ftsn_set_cache
sctp_kmem_set_cache
sctp_mod_info
+sctp_opt_arr
+sctp_opt_arr_size
sctp_recvq_tq_task_max
sctp_recvq_tq_task_min
sctp_recvq_tq_thr_max
sctp_recvq_tq_thr_min
sctp_sin6_null
-sctp_taskq
sctpdebug
sctpinfo
sctprinit
sctpwinit
-sendq_collision
-sendq_empty
-sendq_loop_cnt
sin6_null
sin_null
skip_sctp_cksum
@@ -300,12 +263,10 @@ tcp_g_statistics
tcp_g_t_info_ack
tcp_g_t_info_ack_v6
tcp_icmp_source_quench
-tcp_iphc_cache
tcp_max_optsize
-tcp_mdt_chain
-tcp_mdt_smss_threshold
tcp_opt_arr
tcp_opt_obj
+tcp_outbound_squeue_switch
tcp_random_anon_port
tcp_random_end_ptr
tcp_random_fptr
@@ -321,13 +282,11 @@ tcp_sock_winit
tcp_squeue_flag
tcp_squeue_wput
tcp_static_maxpsz
-tcp_taskq
tcp_timercache
tcp_tx_pull_len
tcp_valid_levels_arr
tcp_winfo
tcp_winit
-tcp_outbound_squeue_switch
tcpinfov4
tcpinfov6
tli_errs
@@ -352,4 +311,6 @@ udp_valid_levels_arr
udp_winit
udpinfov4
udpinfov6
-zero_info
+winit_arp
+eri_cksum_workaround
+nxge_cksum_workaround
diff --git a/usr/src/uts/sparc/ip/ip.global-objs.obj64 b/usr/src/uts/sparc/ip/ip.global-objs.obj64
index 3df973b8f9..526e907ab5 100644
--- a/usr/src/uts/sparc/ip/ip.global-objs.obj64
+++ b/usr/src/uts/sparc/ip/ip.global-objs.obj64
@@ -23,19 +23,24 @@
# Use is subject to license terms.
#
+arp_m_tbl
+arp_mod_info
+arp_netinfo
+arp_no_defense
+arpinfo
cb_inet_devops
cl_inet_bind
+cl_inet_checkspi
cl_inet_connect2
+cl_inet_deletespi
cl_inet_disconnect
+cl_inet_getspi
+cl_inet_idlesa
cl_inet_ipident
cl_inet_isclusterwide
cl_inet_listen
cl_inet_unbind
cl_inet_unlisten
-cl_inet_getspi
-cl_inet_checkspi
-cl_inet_deletespi
-cl_inet_idlesa
cl_sctp_assoc_change
cl_sctp_check_addrs
cl_sctp_connect
@@ -43,6 +48,7 @@ cl_sctp_disconnect
cl_sctp_listen
cl_sctp_unlisten
conn_drain_nthreads
+dce_cache
default_ip6_asp_table
do_tcp_fusion
do_tcpzcopy
@@ -97,69 +103,41 @@ ill_no_arena
ill_null
inet_dev_info
inet_devops
-ip6_area_template
-ip6_ared_template
-ip6_cache_table_size
ip6_ftable_hash_size
-ip6_ire_max_bucket_cnt
-ip6_ire_min_bucket_cnt
-ip6_max_cache_table_size
ip6opt_ls
-ip_ard_template
-ip_area_template
-ip_ared_template
-ip_areq_template
-ip_arma_multi_template
-ip_aroff_template
-ip_aron_template
-ip_aru_template
-ip_cache_table_size
ip_cgtp_filter_rev
ip_conn_cache
ip_debug
ip_g_all_ones
-ip_helper_stream_cache
ip_helper_stream_info
ip_helper_stream_rinit
ip_helper_stream_winit
ip_ioctl_ftbl
-ip_ire_cleanup_cnt
-ip_ire_cpu_ratio
-ip_ire_max_bucket_cnt
-ip_ire_mem_ratio
-ip_ire_min_bucket_cnt
-ip_loopback_mtu
ip_loopback_mtu_v6plus
ip_loopback_mtuplus
ip_m_tbl
-ip_max_cache_table_size
ip_max_frag_dups
ip_min_frag_prune_time
-ip_minor_arena_sa
ip_minor_arena_la
+ip_minor_arena_sa
ip_misc_ioctl_count
ip_misc_ioctl_table
ip_mod_info
ip_modclose_ackwait_ms
ip_ndx_ioctl_count
ip_ndx_ioctl_table
-ip_opt_arr
-ip_opt_obj
ip_poll_normal_ms
ip_poll_normal_ticks
ip_rput_pullups
ip_six_byte_all_ones
ip_squeue_create_callback
ip_squeue_enter
-ip_squeue_enter_unbound
ip_squeue_fanout
ip_squeue_flag
ip_squeue_worker_wait
ip_thread_data
ip_thread_list
ip_thread_rwlock
-ip_use_helper_cache
-ip_wput_frag_mdt_min
ipcl_bind_fanout_size
ipcl_conn_hash_maxsize
ipcl_conn_hash_memfactor
@@ -173,23 +151,16 @@ ipinfov4
ipinfov6
iplrinit
iplwinit
-ipmp_aract_template
-ipmp_ardeact_template
ipmp_kstats
iprinitv4
iprinitv6
ipsec_action_cache
ipsec_hdr_pullup_needed
-ipsec_info_cache
ipsec_pol_cache
ipsec_policy_failure_msgs
ipsec_sel_cache
ipsec_spd_hashsize
ipsec_weird_null_inbound_policy
-iptunq_info
-iptunq_modinfo
-iptunq_rinit
-iptunq_winit
ipv4_forward_suffix
ipv4info
ipv6_all_hosts_mcast
@@ -197,29 +168,22 @@ ipv6_all_ones
ipv6_all_rtrs_mcast
ipv6_all_v2rtrs_mcast
ipv6_all_zeros
-ipv6_areq_template
ipv6_forward_suffix
ipv6_ll_template
ipv6_loopback
ipv6_solicited_node_mcast
ipv6_unspecified_group
ipv6info
-ipwinitv4
-ipwinitv6
+ipwinit
ire_cache
ire_gw_secattr_cache
-ire_idle_cutoff_interval
ire_null
ire_nv_arr
ire_nv_tbl
-ire_uinfo_null
lcl_ndp_arr
lcl_param_arr
lcl_sctp_param_arr
lcl_sctp_wroff_xtra_param
-lcl_tcp_mdt_head_param
-lcl_tcp_mdt_max_pbufs_param
-lcl_tcp_mdt_tail_param
lcl_tcp_param_arr
lcl_tcp_wroff_xtra_param
mask_rnhead
@@ -228,12 +192,15 @@ modldrv
modlinkage
modlstrmod
multicast_encap_iphdr
+nce_cache
+ncec_cache
netdev_privs
prov_update_handle
radix_mask_cache
radix_node_cache
rawip_conn_cache
req_arr
+rinit_arp
rn_mkfreelist
rn_ones
rn_zeros
@@ -256,12 +223,13 @@ sctp_kmem_faddr_cache
sctp_kmem_ftsn_set_cache
sctp_kmem_set_cache
sctp_mod_info
+sctp_opt_arr
+sctp_opt_arr_size
sctp_recvq_tq_task_max
sctp_recvq_tq_task_min
sctp_recvq_tq_thr_max
sctp_recvq_tq_thr_min
sctp_sin6_null
-sctp_taskq
sctpdebug
sctpinfo
sctprinit
@@ -292,12 +260,10 @@ tcp_g_statistics
tcp_g_t_info_ack
tcp_g_t_info_ack_v6
tcp_icmp_source_quench
-tcp_iphc_cache
tcp_max_optsize
-tcp_mdt_chain
-tcp_mdt_smss_threshold
tcp_opt_arr
tcp_opt_obj
+tcp_outbound_squeue_switch
tcp_random_anon_port
tcp_random_end_ptr
tcp_random_fptr
@@ -313,13 +279,11 @@ tcp_sock_winit
tcp_squeue_flag
tcp_squeue_wput
tcp_static_maxpsz
-tcp_taskq
tcp_timercache
tcp_tx_pull_len
tcp_valid_levels_arr
tcp_winfo
tcp_winit
-tcp_outbound_squeue_switch
tcpinfov4
tcpinfov6
tli_errs
@@ -344,4 +308,6 @@ udp_valid_levels_arr
udp_winit
udpinfov4
udpinfov6
-zero_info
+winit_arp
+eri_cksum_workaround
+nxge_cksum_workaround
diff --git a/usr/src/uts/sparc/ml/modstubs.s b/usr/src/uts/sparc/ml/modstubs.s
index 18eba0bdfa..24058b72e4 100644
--- a/usr/src/uts/sparc/ml/modstubs.s
+++ b/usr/src/uts/sparc/ml/modstubs.s
@@ -397,7 +397,6 @@ stubs_base:
MODULE(ipsecah,drv);
WSTUB(ipsecah, ipsec_construct_inverse_acquire, nomod_zero);
WSTUB(ipsecah, sadb_acquire, nomod_zero);
- WSTUB(ipsecah, sadb_ill_download, nomod_zero);
WSTUB(ipsecah, ipsecah_algs_changed, nomod_zero);
WSTUB(ipsecah, sadb_alg_update, nomod_zero);
WSTUB(ipsecah, sadb_unlinkassoc, nomod_zero);
@@ -1218,8 +1217,6 @@ stubs_base:
STUB(iptun, iptun_create, nomod_einval);
STUB(iptun, iptun_delete, nomod_einval);
STUB(iptun, iptun_set_policy, nomod_einval);
- STUB(iptun, iptun_set_g_q, nomod_einval);
- STUB(iptun, iptun_clear_g_q, nomod_void);
END_MODULE(iptun);
#endif
generated by cgit v1.2.3 (git 2.39.1) at 2025-06-17 05:44:11 +0000