inet/ipf/ip_fil_solaris.c

7c478bd9Sstevel@tonic-gate/*
ab25eeb5Syz * Copyright (C) 1993-2001, 2003 by Darren Reed.
7c478bd9Sstevel@tonic-gate *
7c478bd9Sstevel@tonic-gate * See the IPFILTER.LICENCE file for details on licencing.
7c478bd9Sstevel@tonic-gate *
d0dd088cSAlexandr Nedvedicky * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
94bdecd9SRob Gulewich *
*ec71f88eSPatrick Mooney * Copyright 2018 Joyent, Inc.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#if !defined(lint)
c793af95Ssangeetastatic const char sccsid[] = "@(#)ip_fil_solaris.c	1.7 07/22/06 (C) 1993-2000 Darren Reed";
ab25eeb5Syzstatic const char rcsid[] = "@(#)$Id: ip_fil_solaris.c,v 2.62.2.19 2005/07/13 21:40:46 darrenr Exp $";
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#include <sys/types.h>
7c478bd9Sstevel@tonic-gate#include <sys/errno.h>
7c478bd9Sstevel@tonic-gate#include <sys/param.h>
7c478bd9Sstevel@tonic-gate#include <sys/cpuvar.h>
7c478bd9Sstevel@tonic-gate#include <sys/open.h>
7c478bd9Sstevel@tonic-gate#include <sys/ioctl.h>
7c478bd9Sstevel@tonic-gate#include <sys/filio.h>
7c478bd9Sstevel@tonic-gate#include <sys/systm.h>
ab25eeb5Syz#include <sys/strsubr.h>
7c478bd9Sstevel@tonic-gate#include <sys/cred.h>
7c478bd9Sstevel@tonic-gate#include <sys/ddi.h>
7c478bd9Sstevel@tonic-gate#include <sys/sunddi.h>
7c478bd9Sstevel@tonic-gate#include <sys/ksynch.h>
7c478bd9Sstevel@tonic-gate#include <sys/kmem.h>
*ec71f88eSPatrick Mooney#include <sys/mac_provider.h>
7c478bd9Sstevel@tonic-gate#include <sys/mkdev.h>
7c478bd9Sstevel@tonic-gate#include <sys/protosw.h>
7c478bd9Sstevel@tonic-gate#include <sys/socket.h>
7c478bd9Sstevel@tonic-gate#include <sys/dditypes.h>
7c478bd9Sstevel@tonic-gate#include <sys/cmn_err.h>
f4b3ec61Sdh#include <sys/zone.h>
7c478bd9Sstevel@tonic-gate#include <net/if.h>
7c478bd9Sstevel@tonic-gate#include <net/af.h>
7c478bd9Sstevel@tonic-gate#include <net/route.h>
7c478bd9Sstevel@tonic-gate#include <netinet/in.h>
7c478bd9Sstevel@tonic-gate#include <netinet/in_systm.h>
7c478bd9Sstevel@tonic-gate#include <netinet/ip.h>
7c478bd9Sstevel@tonic-gate#include <netinet/ip_var.h>
7c478bd9Sstevel@tonic-gate#include <netinet/tcp.h>
7c478bd9Sstevel@tonic-gate#include <netinet/udp.h>
7c478bd9Sstevel@tonic-gate#include <netinet/tcpip.h>
7c478bd9Sstevel@tonic-gate#include <netinet/ip_icmp.h>
ab25eeb5Syz#include "netinet/ip_compat.h"
7c478bd9Sstevel@tonic-gate#ifdef	USE_INET6
7c478bd9Sstevel@tonic-gate# include <netinet/icmp6.h>
7c478bd9Sstevel@tonic-gate#endif
ab25eeb5Syz#include "netinet/ip_fil.h"
ab25eeb5Syz#include "netinet/ip_nat.h"
ab25eeb5Syz#include "netinet/ip_frag.h"
ab25eeb5Syz#include "netinet/ip_state.h"
ab25eeb5Syz#include "netinet/ip_auth.h"
ab25eeb5Syz#include "netinet/ip_proxy.h"
f4b3ec61Sdh#include "netinet/ipf_stack.h"
7c478bd9Sstevel@tonic-gate#ifdef	IPFILTER_LOOKUP
ab25eeb5Syz# include "netinet/ip_lookup.h"
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate#include <inet/ip_ire.h>
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#include <sys/md5.h>
381a2a9aSdr#include <sys/neti.h>
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdhstatic	int	frzerostats __P((caddr_t, ipf_stack_t *));
f4b3ec61Sdhstatic	int	fr_setipfloopback __P((int, ipf_stack_t *));
7ddc9b1aSDarren Reedstatic	int	fr_enableipf __P((ipf_stack_t *, int));
ab25eeb5Syzstatic	int	fr_send_ip __P((fr_info_t *fin, mblk_t *m, mblk_t **mp));
7ddc9b1aSDarren Reedstatic	int	ipf_nic_event_v4 __P((hook_event_token_t, hook_data_t, void *));
7ddc9b1aSDarren Reedstatic	int	ipf_nic_event_v6 __P((hook_event_token_t, hook_data_t, void *));
7ddc9b1aSDarren Reedstatic	int	ipf_hook __P((hook_data_t, int, int, void *));
7ddc9b1aSDarren Reedstatic	int	ipf_hook4_in __P((hook_event_token_t, hook_data_t, void *));
7ddc9b1aSDarren Reedstatic	int	ipf_hook4_out __P((hook_event_token_t, hook_data_t, void *));
cbded9aeSdrstatic	int	ipf_hook4_loop_out __P((hook_event_token_t, hook_data_t,
7ddc9b1aSDarren Reed    void *));
7ddc9b1aSDarren Reedstatic	int	ipf_hook4_loop_in __P((hook_event_token_t, hook_data_t, void *));
7ddc9b1aSDarren Reedstatic	int	ipf_hook4 __P((hook_data_t, int, int, void *));
7ddc9b1aSDarren Reedstatic	int	ipf_hook6_out __P((hook_event_token_t, hook_data_t, void *));
7ddc9b1aSDarren Reedstatic	int	ipf_hook6_in __P((hook_event_token_t, hook_data_t, void *));
cbded9aeSdrstatic	int	ipf_hook6_loop_out __P((hook_event_token_t, hook_data_t,
7ddc9b1aSDarren Reed    void *));
cbded9aeSdrstatic	int	ipf_hook6_loop_in __P((hook_event_token_t, hook_data_t,
7ddc9b1aSDarren Reed    void *));
7ddc9b1aSDarren Reedstatic	int     ipf_hook6 __P((hook_data_t, int, int, void *));
f4b3ec61Sdhextern	int	ipf_geniter __P((ipftoken_t *, ipfgeniter_t *, ipf_stack_t *));
f4b3ec61Sdhextern	int	ipf_frruleiter __P((void *, int, void *, ipf_stack_t *));
f4b3ec61Sdh
7c478bd9Sstevel@tonic-gate#if SOLARIS2 < 10
7c478bd9Sstevel@tonic-gate#if SOLARIS2 >= 7
ab25eeb5Syzu_int		*ip_ttl_ptr = NULL;
ab25eeb5Syzu_int		*ip_mtudisc = NULL;
7c478bd9Sstevel@tonic-gate# if SOLARIS2 >= 8
ab25eeb5Syzint		*ip_forwarding = NULL;
ab25eeb5Syzu_int		*ip6_forwarding = NULL;
7c478bd9Sstevel@tonic-gate# else
ab25eeb5Syzu_int		*ip_forwarding = NULL;
7c478bd9Sstevel@tonic-gate# endif
7c478bd9Sstevel@tonic-gate#else
ab25eeb5Syzu_long		*ip_ttl_ptr = NULL;
ab25eeb5Syzu_long		*ip_mtudisc = NULL;
ab25eeb5Syzu_long		*ip_forwarding = NULL;
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate
94bdecd9SRob Gulewichvmem_t	*ipf_minor;	/* minor number arena */
94bdecd9SRob Gulewichvoid 	*ipf_state;	/* DDI state */
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich/*
94bdecd9SRob Gulewich * GZ-controlled and per-zone stacks:
94bdecd9SRob Gulewich *
94bdecd9SRob Gulewich * For each non-global zone, we create two ipf stacks: the per-zone stack and
94bdecd9SRob Gulewich * the GZ-controlled stack.  The per-zone stack can be controlled and observed
94bdecd9SRob Gulewich * from inside the zone or from the global zone.  The GZ-controlled stack can
94bdecd9SRob Gulewich * only be controlled and observed from the global zone (though the rules
94bdecd9SRob Gulewich * still only affect that non-global zone).
94bdecd9SRob Gulewich *
94bdecd9SRob Gulewich * The two hooks are always arranged so that the GZ-controlled stack is always
94bdecd9SRob Gulewich * "outermost" with respect to the zone.  The traffic flow then looks like
94bdecd9SRob Gulewich * this:
94bdecd9SRob Gulewich *
94bdecd9SRob Gulewich * Inbound:
94bdecd9SRob Gulewich *
94bdecd9SRob Gulewich *     nic ---> [ GZ-controlled rules ] ---> [ per-zone rules ] ---> zone
94bdecd9SRob Gulewich *
94bdecd9SRob Gulewich * Outbound:
94bdecd9SRob Gulewich *
94bdecd9SRob Gulewich *     nic <--- [ GZ-controlled rules ] <--- [ per-zone rules ] <--- zone
94bdecd9SRob Gulewich */
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich/* IPv4 hook names */
94bdecd9SRob Gulewichchar *hook4_nicevents = 	"ipfilter_hook4_nicevents";
94bdecd9SRob Gulewichchar *hook4_nicevents_gz = 	"ipfilter_hook4_nicevents_gz";
94bdecd9SRob Gulewichchar *hook4_in = 		"ipfilter_hook4_in";
94bdecd9SRob Gulewichchar *hook4_in_gz = 		"ipfilter_hook4_in_gz";
94bdecd9SRob Gulewichchar *hook4_out = 		"ipfilter_hook4_out";
94bdecd9SRob Gulewichchar *hook4_out_gz = 		"ipfilter_hook4_out_gz";
94bdecd9SRob Gulewichchar *hook4_loop_in = 		"ipfilter_hook4_loop_in";
94bdecd9SRob Gulewichchar *hook4_loop_in_gz = 	"ipfilter_hook4_loop_in_gz";
94bdecd9SRob Gulewichchar *hook4_loop_out = 		"ipfilter_hook4_loop_out";
94bdecd9SRob Gulewichchar *hook4_loop_out_gz = 	"ipfilter_hook4_loop_out_gz";
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich/* IPv6 hook names */
94bdecd9SRob Gulewichchar *hook6_nicevents = 	"ipfilter_hook6_nicevents";
94bdecd9SRob Gulewichchar *hook6_nicevents_gz = 	"ipfilter_hook6_nicevents_gz";
94bdecd9SRob Gulewichchar *hook6_in = 		"ipfilter_hook6_in";
94bdecd9SRob Gulewichchar *hook6_in_gz = 		"ipfilter_hook6_in_gz";
94bdecd9SRob Gulewichchar *hook6_out = 		"ipfilter_hook6_out";
94bdecd9SRob Gulewichchar *hook6_out_gz = 		"ipfilter_hook6_out_gz";
94bdecd9SRob Gulewichchar *hook6_loop_in = 		"ipfilter_hook6_loop_in";
94bdecd9SRob Gulewichchar *hook6_loop_in_gz = 	"ipfilter_hook6_loop_in_gz";
94bdecd9SRob Gulewichchar *hook6_loop_out = 		"ipfilter_hook6_loop_out";
94bdecd9SRob Gulewichchar *hook6_loop_out_gz = 	"ipfilter_hook6_loop_out_gz";
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/* ------------------------------------------------------------------------ */
7c478bd9Sstevel@tonic-gate/* Function:    ipldetach                                                   */
7c478bd9Sstevel@tonic-gate/* Returns:     int - 0 == success, else error.                             */
7c478bd9Sstevel@tonic-gate/* Parameters:  Nil                                                         */
7c478bd9Sstevel@tonic-gate/*                                                                          */
7c478bd9Sstevel@tonic-gate/* This function is responsible for undoing anything that might have been   */
7c478bd9Sstevel@tonic-gate/* done in a call to iplattach().  It must be able to clean up from a call  */
7c478bd9Sstevel@tonic-gate/* to iplattach() that did not succeed.  Why might that happen?  Someone    */
7c478bd9Sstevel@tonic-gate/* configures a table to be so large that we cannot allocate enough memory  */
7c478bd9Sstevel@tonic-gate/* for it.                                                                  */
7c478bd9Sstevel@tonic-gate/* ------------------------------------------------------------------------ */
f4b3ec61Sdhint ipldetach(ifs)
f4b3ec61Sdhipf_stack_t *ifs;
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate
94bdecd9SRob Gulewich	ASSERT(RW_WRITE_HELD(&ifs->ifs_ipf_global.ipf_lk));
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#if SOLARIS2 < 10
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh	if (ifs->ifs_fr_control_forwarding & 2) {
ab25eeb5Syz		if (ip_forwarding != NULL)
ab25eeb5Syz			*ip_forwarding = 0;
7c478bd9Sstevel@tonic-gate#if SOLARIS2 >= 8
ab25eeb5Syz		if (ip6_forwarding != NULL)
ab25eeb5Syz			*ip6_forwarding = 0;
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate
381a2a9aSdr	/*
7ddc9b1aSDarren Reed	 * This lock needs to be dropped around the net_hook_unregister calls
381a2a9aSdr	 * because we can deadlock here with:
381a2a9aSdr	 * W(ipf_global)->R(hook_family)->W(hei_lock) (this code path) vs
381a2a9aSdr	 * R(hook_family)->R(hei_lock)->R(ipf_global) (active hook running)
381a2a9aSdr	 */
f4b3ec61Sdh	RWLOCK_EXIT(&ifs->ifs_ipf_global);
381a2a9aSdr
7ddc9b1aSDarren Reed#define	UNDO_HOOK(_f, _b, _e, _h)					\
7ddc9b1aSDarren Reed	do {								\
7ddc9b1aSDarren Reed		if (ifs->_f != NULL) {					\
7ddc9b1aSDarren Reed			if (ifs->_b) {					\
c6798761SJerry Jelinek				int tmp = net_hook_unregister(ifs->_f,	\
c6798761SJerry Jelinek					   _e, ifs->_h);		\
c6798761SJerry Jelinek				ifs->_b = (tmp != 0 && tmp != ENXIO);	\
c6798761SJerry Jelinek				if (!ifs->_b && ifs->_h != NULL) {	\
7ddc9b1aSDarren Reed					hook_free(ifs->_h);		\
7ddc9b1aSDarren Reed					ifs->_h = NULL;			\
7ddc9b1aSDarren Reed				}					\
7ddc9b1aSDarren Reed			} else if (ifs->_h != NULL) {			\
7ddc9b1aSDarren Reed				hook_free(ifs->_h);			\
7ddc9b1aSDarren Reed				ifs->_h = NULL;				\
7ddc9b1aSDarren Reed			}						\
7ddc9b1aSDarren Reed		}							\
7ddc9b1aSDarren Reed		_NOTE(CONSTCOND)					\
7ddc9b1aSDarren Reed	} while (0)
7ddc9b1aSDarren Reed
381a2a9aSdr	/*
381a2a9aSdr	 * Remove IPv6 Hooks
381a2a9aSdr	 */
f4b3ec61Sdh	if (ifs->ifs_ipf_ipv6 != NULL) {
7ddc9b1aSDarren Reed		UNDO_HOOK(ifs_ipf_ipv6, ifs_hook6_physical_in,
7ddc9b1aSDarren Reed			  NH_PHYSICAL_IN, ifs_ipfhook6_in);
7ddc9b1aSDarren Reed		UNDO_HOOK(ifs_ipf_ipv6, ifs_hook6_physical_out,
7ddc9b1aSDarren Reed			  NH_PHYSICAL_OUT, ifs_ipfhook6_out);
7ddc9b1aSDarren Reed		UNDO_HOOK(ifs_ipf_ipv6, ifs_hook6_nic_events,
7ddc9b1aSDarren Reed			  NH_NIC_EVENTS, ifs_ipfhook6_nicevents);
7ddc9b1aSDarren Reed		UNDO_HOOK(ifs_ipf_ipv6, ifs_hook6_loopback_in,
7ddc9b1aSDarren Reed			  NH_LOOPBACK_IN, ifs_ipfhook6_loop_in);
7ddc9b1aSDarren Reed		UNDO_HOOK(ifs_ipf_ipv6, ifs_hook6_loopback_out,
7ddc9b1aSDarren Reed			  NH_LOOPBACK_OUT, ifs_ipfhook6_loop_out);
7ddc9b1aSDarren Reed
7ddc9b1aSDarren Reed		if (net_protocol_release(ifs->ifs_ipf_ipv6) != 0)
381a2a9aSdr			goto detach_failed;
f4b3ec61Sdh		ifs->ifs_ipf_ipv6 = NULL;
381a2a9aSdr        }
381a2a9aSdr
381a2a9aSdr	/*
381a2a9aSdr	 * Remove IPv4 Hooks
381a2a9aSdr	 */
f4b3ec61Sdh	if (ifs->ifs_ipf_ipv4 != NULL) {
7ddc9b1aSDarren Reed		UNDO_HOOK(ifs_ipf_ipv4, ifs_hook4_physical_in,
7ddc9b1aSDarren Reed			  NH_PHYSICAL_IN, ifs_ipfhook4_in);
7ddc9b1aSDarren Reed		UNDO_HOOK(ifs_ipf_ipv4, ifs_hook4_physical_out,
7ddc9b1aSDarren Reed			  NH_PHYSICAL_OUT, ifs_ipfhook4_out);
7ddc9b1aSDarren Reed		UNDO_HOOK(ifs_ipf_ipv4, ifs_hook4_nic_events,
7ddc9b1aSDarren Reed			  NH_NIC_EVENTS, ifs_ipfhook4_nicevents);
7ddc9b1aSDarren Reed		UNDO_HOOK(ifs_ipf_ipv4, ifs_hook4_loopback_in,
7ddc9b1aSDarren Reed			  NH_LOOPBACK_IN, ifs_ipfhook4_loop_in);
7ddc9b1aSDarren Reed		UNDO_HOOK(ifs_ipf_ipv4, ifs_hook4_loopback_out,
7ddc9b1aSDarren Reed			  NH_LOOPBACK_OUT, ifs_ipfhook4_loop_out);
7ddc9b1aSDarren Reed
7ddc9b1aSDarren Reed		if (net_protocol_release(ifs->ifs_ipf_ipv4) != 0)
381a2a9aSdr			goto detach_failed;
f4b3ec61Sdh		ifs->ifs_ipf_ipv4 = NULL;
381a2a9aSdr	}
381a2a9aSdr
7ddc9b1aSDarren Reed#undef UNDO_HOOK
7ddc9b1aSDarren Reed
7c478bd9Sstevel@tonic-gate#ifdef	IPFDEBUG
7c478bd9Sstevel@tonic-gate	cmn_err(CE_CONT, "ipldetach()\n");
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh	WRITE_ENTER(&ifs->ifs_ipf_global);
f4b3ec61Sdh	fr_deinitialise(ifs);
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh	(void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE, ifs);
f4b3ec61Sdh	(void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE, ifs);
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh	if (ifs->ifs_ipf_locks_done == 1) {
f4b3ec61Sdh		MUTEX_DESTROY(&ifs->ifs_ipf_timeoutlock);
f4b3ec61Sdh		MUTEX_DESTROY(&ifs->ifs_ipf_rw);
f4b3ec61Sdh		RW_DESTROY(&ifs->ifs_ipf_tokens);
f4b3ec61Sdh		RW_DESTROY(&ifs->ifs_ipf_ipidfrag);
f4b3ec61Sdh		ifs->ifs_ipf_locks_done = 0;
7c478bd9Sstevel@tonic-gate	}
381a2a9aSdr
7ddc9b1aSDarren Reed	if (ifs->ifs_hook4_physical_in || ifs->ifs_hook4_physical_out ||
7ddc9b1aSDarren Reed	    ifs->ifs_hook4_nic_events || ifs->ifs_hook4_loopback_in ||
7ddc9b1aSDarren Reed	    ifs->ifs_hook4_loopback_out || ifs->ifs_hook6_nic_events ||
7ddc9b1aSDarren Reed	    ifs->ifs_hook6_physical_in || ifs->ifs_hook6_physical_out ||
7ddc9b1aSDarren Reed	    ifs->ifs_hook6_loopback_in || ifs->ifs_hook6_loopback_out)
381a2a9aSdr		return -1;
381a2a9aSdr
7c478bd9Sstevel@tonic-gate	return 0;
381a2a9aSdr
381a2a9aSdrdetach_failed:
f4b3ec61Sdh	WRITE_ENTER(&ifs->ifs_ipf_global);
381a2a9aSdr	return -1;
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7ddc9b1aSDarren Reedint iplattach(ifs)
f4b3ec61Sdhipf_stack_t *ifs;
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate#if SOLARIS2 < 10
7c478bd9Sstevel@tonic-gate	int i;
7c478bd9Sstevel@tonic-gate#endif
7ddc9b1aSDarren Reed	netid_t id = ifs->ifs_netid;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#ifdef	IPFDEBUG
7c478bd9Sstevel@tonic-gate	cmn_err(CE_CONT, "iplattach()\n");
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate
94bdecd9SRob Gulewich	ASSERT(RW_WRITE_HELD(&ifs->ifs_ipf_global.ipf_lk));
f4b3ec61Sdh	ifs->ifs_fr_flags = IPF_LOGGING;
f4b3ec61Sdh#ifdef _KERNEL
f4b3ec61Sdh	ifs->ifs_fr_update_ipid = 0;
f4b3ec61Sdh#else
f4b3ec61Sdh	ifs->ifs_fr_update_ipid = 1;
f4b3ec61Sdh#endif
f4b3ec61Sdh	ifs->ifs_fr_minttl = 4;
f4b3ec61Sdh	ifs->ifs_fr_icmpminfragmtu = 68;
f4b3ec61Sdh#if defined(IPFILTER_DEFAULT_BLOCK)
f4b3ec61Sdh	ifs->ifs_fr_pass = FR_BLOCK|FR_NOMATCH;
f4b3ec61Sdh#else
f4b3ec61Sdh	ifs->ifs_fr_pass = (IPF_DEFAULT_PASS)|FR_NOMATCH;
f4b3ec61Sdh#endif
7c478bd9Sstevel@tonic-gate
14d3298eSAlexandr Nedvedicky	bzero((char *)ifs->ifs_frcache, sizeof(ifs->ifs_frcache));
f4b3ec61Sdh	MUTEX_INIT(&ifs->ifs_ipf_rw, "ipf rw mutex");
f4b3ec61Sdh	MUTEX_INIT(&ifs->ifs_ipf_timeoutlock, "ipf timeout lock mutex");
f4b3ec61Sdh	RWLOCK_INIT(&ifs->ifs_ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
f4b3ec61Sdh	RWLOCK_INIT(&ifs->ifs_ipf_tokens, "ipf token rwlock");
f4b3ec61Sdh	ifs->ifs_ipf_locks_done = 1;
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh	if (fr_initialise(ifs) < 0)
7c478bd9Sstevel@tonic-gate		return -1;
7c478bd9Sstevel@tonic-gate
94bdecd9SRob Gulewich	/*
94bdecd9SRob Gulewich	 * For incoming packets, we want the GZ-controlled hooks to run before
94bdecd9SRob Gulewich	 * the per-zone hooks, regardless of what order they're are installed.
94bdecd9SRob Gulewich	 * See the "GZ-controlled and per-zone stacks" comment block at the top
94bdecd9SRob Gulewich	 * of this file.
94bdecd9SRob Gulewich	 */
94bdecd9SRob Gulewich#define HOOK_INIT_GZ_BEFORE(x, fn, n, gzn, a)				\
94bdecd9SRob Gulewich	HOOK_INIT(x, fn, ifs->ifs_gz_controlled ? gzn : n, ifs);	\
94bdecd9SRob Gulewich	(x)->h_hint = ifs->ifs_gz_controlled ? HH_BEFORE : HH_AFTER;	\
94bdecd9SRob Gulewich	(x)->h_hintvalue = (uintptr_t) (ifs->ifs_gz_controlled ? n : gzn);
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich	HOOK_INIT_GZ_BEFORE(ifs->ifs_ipfhook4_nicevents, ipf_nic_event_v4,
94bdecd9SRob Gulewich		  hook4_nicevents, hook4_nicevents_gz, ifs);
94bdecd9SRob Gulewich	HOOK_INIT_GZ_BEFORE(ifs->ifs_ipfhook4_in, ipf_hook4_in,
94bdecd9SRob Gulewich		  hook4_in, hook4_in_gz, ifs);
94bdecd9SRob Gulewich	HOOK_INIT_GZ_BEFORE(ifs->ifs_ipfhook4_loop_in, ipf_hook4_loop_in,
94bdecd9SRob Gulewich		  hook4_loop_in, hook4_loop_in_gz, ifs);
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich	/*
94bdecd9SRob Gulewich	 * For outgoing packets, we want the GZ-controlled hooks to run after
94bdecd9SRob Gulewich	 * the per-zone hooks, regardless of what order they're are installed.
94bdecd9SRob Gulewich	 * See the "GZ-controlled and per-zone stacks" comment block at the top
94bdecd9SRob Gulewich	 * of this file.
94bdecd9SRob Gulewich	 */
94bdecd9SRob Gulewich#define HOOK_INIT_GZ_AFTER(x, fn, n, gzn, a)				\
94bdecd9SRob Gulewich	HOOK_INIT(x, fn, ifs->ifs_gz_controlled ? gzn : n, ifs);	\
94bdecd9SRob Gulewich	(x)->h_hint = ifs->ifs_gz_controlled ? HH_AFTER : HH_BEFORE;	\
94bdecd9SRob Gulewich	(x)->h_hintvalue = (uintptr_t) (ifs->ifs_gz_controlled ? n : gzn);
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich	HOOK_INIT_GZ_AFTER(ifs->ifs_ipfhook4_out, ipf_hook4_out,
94bdecd9SRob Gulewich		  hook4_out, hook4_out_gz, ifs);
94bdecd9SRob Gulewich	HOOK_INIT_GZ_AFTER(ifs->ifs_ipfhook4_loop_out, ipf_hook4_loop_out,
94bdecd9SRob Gulewich		  hook4_loop_out, hook4_loop_out_gz, ifs);
381a2a9aSdr
381a2a9aSdr	/*
7ddc9b1aSDarren Reed	 * If we hold this lock over all of the net_hook_register calls, we
381a2a9aSdr	 * can cause a deadlock to occur with the following lock ordering:
381a2a9aSdr	 * W(ipf_global)->R(hook_family)->W(hei_lock) (this code path) vs
381a2a9aSdr	 * R(hook_family)->R(hei_lock)->R(ipf_global) (packet path)
381a2a9aSdr	 */
f4b3ec61Sdh	RWLOCK_EXIT(&ifs->ifs_ipf_global);
381a2a9aSdr
381a2a9aSdr	/*
381a2a9aSdr	 * Add IPv4 hooks
381a2a9aSdr	 */
7ddc9b1aSDarren Reed	ifs->ifs_ipf_ipv4 = net_protocol_lookup(id, NHF_INET);
f4b3ec61Sdh	if (ifs->ifs_ipf_ipv4 == NULL)
381a2a9aSdr		goto hookup_failed;
381a2a9aSdr
7ddc9b1aSDarren Reed	ifs->ifs_hook4_nic_events = (net_hook_register(ifs->ifs_ipf_ipv4,
7ddc9b1aSDarren Reed	    NH_NIC_EVENTS, ifs->ifs_ipfhook4_nicevents) == 0);
f4b3ec61Sdh	if (!ifs->ifs_hook4_nic_events)
381a2a9aSdr		goto hookup_failed;
381a2a9aSdr
7ddc9b1aSDarren Reed	ifs->ifs_hook4_physical_in = (net_hook_register(ifs->ifs_ipf_ipv4,
7ddc9b1aSDarren Reed	    NH_PHYSICAL_IN, ifs->ifs_ipfhook4_in) == 0);
f4b3ec61Sdh	if (!ifs->ifs_hook4_physical_in)
381a2a9aSdr		goto hookup_failed;
381a2a9aSdr
7ddc9b1aSDarren Reed	ifs->ifs_hook4_physical_out = (net_hook_register(ifs->ifs_ipf_ipv4,
7ddc9b1aSDarren Reed	    NH_PHYSICAL_OUT, ifs->ifs_ipfhook4_out) == 0);
f4b3ec61Sdh	if (!ifs->ifs_hook4_physical_out)
381a2a9aSdr		goto hookup_failed;
381a2a9aSdr
f4b3ec61Sdh	if (ifs->ifs_ipf_loopback) {
7ddc9b1aSDarren Reed		ifs->ifs_hook4_loopback_in = (net_hook_register(
7ddc9b1aSDarren Reed		    ifs->ifs_ipf_ipv4, NH_LOOPBACK_IN,
7ddc9b1aSDarren Reed		    ifs->ifs_ipfhook4_loop_in) == 0);
f4b3ec61Sdh		if (!ifs->ifs_hook4_loopback_in)
381a2a9aSdr			goto hookup_failed;
381a2a9aSdr
7ddc9b1aSDarren Reed		ifs->ifs_hook4_loopback_out = (net_hook_register(
7ddc9b1aSDarren Reed		    ifs->ifs_ipf_ipv4, NH_LOOPBACK_OUT,
7ddc9b1aSDarren Reed		    ifs->ifs_ipfhook4_loop_out) == 0);
f4b3ec61Sdh		if (!ifs->ifs_hook4_loopback_out)
381a2a9aSdr			goto hookup_failed;
381a2a9aSdr	}
94bdecd9SRob Gulewich
381a2a9aSdr	/*
381a2a9aSdr	 * Add IPv6 hooks
381a2a9aSdr	 */
7ddc9b1aSDarren Reed	ifs->ifs_ipf_ipv6 = net_protocol_lookup(id, NHF_INET6);
f4b3ec61Sdh	if (ifs->ifs_ipf_ipv6 == NULL)
381a2a9aSdr		goto hookup_failed;
381a2a9aSdr
94bdecd9SRob Gulewich	HOOK_INIT_GZ_BEFORE(ifs->ifs_ipfhook6_nicevents, ipf_nic_event_v6,
94bdecd9SRob Gulewich		  hook6_nicevents, hook6_nicevents_gz, ifs);
94bdecd9SRob Gulewich	HOOK_INIT_GZ_BEFORE(ifs->ifs_ipfhook6_in, ipf_hook6_in,
94bdecd9SRob Gulewich		  hook6_in, hook6_in_gz, ifs);
94bdecd9SRob Gulewich	HOOK_INIT_GZ_BEFORE(ifs->ifs_ipfhook6_loop_in, ipf_hook6_loop_in,
94bdecd9SRob Gulewich		  hook6_loop_in, hook6_loop_in_gz, ifs);
94bdecd9SRob Gulewich	HOOK_INIT_GZ_AFTER(ifs->ifs_ipfhook6_out, ipf_hook6_out,
94bdecd9SRob Gulewich		  hook6_out, hook6_out_gz, ifs);
94bdecd9SRob Gulewich	HOOK_INIT_GZ_AFTER(ifs->ifs_ipfhook6_loop_out, ipf_hook6_loop_out,
94bdecd9SRob Gulewich		  hook6_loop_out, hook6_loop_out_gz, ifs);
7ddc9b1aSDarren Reed
7ddc9b1aSDarren Reed	ifs->ifs_hook6_nic_events = (net_hook_register(ifs->ifs_ipf_ipv6,
7ddc9b1aSDarren Reed	    NH_NIC_EVENTS, ifs->ifs_ipfhook6_nicevents) == 0);
f4b3ec61Sdh	if (!ifs->ifs_hook6_nic_events)
381a2a9aSdr		goto hookup_failed;
381a2a9aSdr
7ddc9b1aSDarren Reed	ifs->ifs_hook6_physical_in = (net_hook_register(ifs->ifs_ipf_ipv6,
7ddc9b1aSDarren Reed	    NH_PHYSICAL_IN, ifs->ifs_ipfhook6_in) == 0);
f4b3ec61Sdh	if (!ifs->ifs_hook6_physical_in)
381a2a9aSdr		goto hookup_failed;
381a2a9aSdr
7ddc9b1aSDarren Reed	ifs->ifs_hook6_physical_out = (net_hook_register(ifs->ifs_ipf_ipv6,
7ddc9b1aSDarren Reed	    NH_PHYSICAL_OUT, ifs->ifs_ipfhook6_out) == 0);
f4b3ec61Sdh	if (!ifs->ifs_hook6_physical_out)
381a2a9aSdr		goto hookup_failed;
381a2a9aSdr
f4b3ec61Sdh	if (ifs->ifs_ipf_loopback) {
7ddc9b1aSDarren Reed		ifs->ifs_hook6_loopback_in = (net_hook_register(
7ddc9b1aSDarren Reed		    ifs->ifs_ipf_ipv6, NH_LOOPBACK_IN,
7ddc9b1aSDarren Reed		    ifs->ifs_ipfhook6_loop_in) == 0);
f4b3ec61Sdh		if (!ifs->ifs_hook6_loopback_in)
381a2a9aSdr			goto hookup_failed;
381a2a9aSdr
7ddc9b1aSDarren Reed		ifs->ifs_hook6_loopback_out = (net_hook_register(
7ddc9b1aSDarren Reed		    ifs->ifs_ipf_ipv6, NH_LOOPBACK_OUT,
7ddc9b1aSDarren Reed		    ifs->ifs_ipfhook6_loop_out) == 0);
f4b3ec61Sdh		if (!ifs->ifs_hook6_loopback_out)
381a2a9aSdr			goto hookup_failed;
381a2a9aSdr	}
381a2a9aSdr
381a2a9aSdr	/*
381a2a9aSdr	 * Reacquire ipf_global, now it is safe.
381a2a9aSdr	 */
f4b3ec61Sdh	WRITE_ENTER(&ifs->ifs_ipf_global);
381a2a9aSdr
7c478bd9Sstevel@tonic-gate/* Do not use private interface ip_params_arr[] in Solaris 10 */
7c478bd9Sstevel@tonic-gate#if SOLARIS2 < 10
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#if SOLARIS2 >= 8
7c478bd9Sstevel@tonic-gate	ip_forwarding = &ip_g_forward;
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * XXX - There is no terminator for this array, so it is not possible
7c478bd9Sstevel@tonic-gate	 * to tell if what we are looking for is missing and go off the end
7c478bd9Sstevel@tonic-gate	 * of the array.
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate
ab25eeb5Syz#if SOLARIS2 <= 8
7c478bd9Sstevel@tonic-gate	for (i = 0; ; i++) {
7c478bd9Sstevel@tonic-gate		if (!strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl")) {
7c478bd9Sstevel@tonic-gate			ip_ttl_ptr = &ip_param_arr[i].ip_param_value;
7c478bd9Sstevel@tonic-gate		} else if (!strcmp(ip_param_arr[i].ip_param_name,
7c478bd9Sstevel@tonic-gate			    "ip_path_mtu_discovery")) {
7c478bd9Sstevel@tonic-gate			ip_mtudisc = &ip_param_arr[i].ip_param_value;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate#if SOLARIS2 < 8
7c478bd9Sstevel@tonic-gate		else if (!strcmp(ip_param_arr[i].ip_param_name,
7c478bd9Sstevel@tonic-gate			    "ip_forwarding")) {
7c478bd9Sstevel@tonic-gate			ip_forwarding = &ip_param_arr[i].ip_param_value;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate#else
7c478bd9Sstevel@tonic-gate		else if (!strcmp(ip_param_arr[i].ip_param_name,
7c478bd9Sstevel@tonic-gate			    "ip6_forwarding")) {
7c478bd9Sstevel@tonic-gate			ip6_forwarding = &ip_param_arr[i].ip_param_value;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		if (ip_mtudisc != NULL && ip_ttl_ptr != NULL &&
7c478bd9Sstevel@tonic-gate#if SOLARIS2 >= 8
7c478bd9Sstevel@tonic-gate		    ip6_forwarding != NULL &&
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate		    ip_forwarding != NULL)
7c478bd9Sstevel@tonic-gate			break;
7c478bd9Sstevel@tonic-gate	}
ab25eeb5Syz#endif
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh	if (ifs->ifs_fr_control_forwarding & 1) {
ab25eeb5Syz		if (ip_forwarding != NULL)
ab25eeb5Syz			*ip_forwarding = 1;
7c478bd9Sstevel@tonic-gate#if SOLARIS2 >= 8
ab25eeb5Syz		if (ip6_forwarding != NULL)
ab25eeb5Syz			*ip6_forwarding = 1;
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate
381a2a9aSdr	return 0;
381a2a9aSdrhookup_failed:
f4b3ec61Sdh	WRITE_ENTER(&ifs->ifs_ipf_global);
381a2a9aSdr	return -1;
381a2a9aSdr}
381a2a9aSdr
f4b3ec61Sdhstatic	int	fr_setipfloopback(set, ifs)
381a2a9aSdrint set;
f4b3ec61Sdhipf_stack_t *ifs;
381a2a9aSdr{
f4b3ec61Sdh	if (ifs->ifs_ipf_ipv4 == NULL || ifs->ifs_ipf_ipv6 == NULL)
381a2a9aSdr		return EFAULT;
381a2a9aSdr
f4b3ec61Sdh	if (set && !ifs->ifs_ipf_loopback) {
f4b3ec61Sdh		ifs->ifs_ipf_loopback = 1;
381a2a9aSdr
7ddc9b1aSDarren Reed		ifs->ifs_hook4_loopback_in = (net_hook_register(
7ddc9b1aSDarren Reed		    ifs->ifs_ipf_ipv4, NH_LOOPBACK_IN,
7ddc9b1aSDarren Reed		    ifs->ifs_ipfhook4_loop_in) == 0);
f4b3ec61Sdh		if (!ifs->ifs_hook4_loopback_in)
381a2a9aSdr			return EINVAL;
381a2a9aSdr
7ddc9b1aSDarren Reed		ifs->ifs_hook4_loopback_out = (net_hook_register(
7ddc9b1aSDarren Reed		    ifs->ifs_ipf_ipv4, NH_LOOPBACK_OUT,
7ddc9b1aSDarren Reed		    ifs->ifs_ipfhook4_loop_out) == 0);
f4b3ec61Sdh		if (!ifs->ifs_hook4_loopback_out)
381a2a9aSdr			return EINVAL;
381a2a9aSdr
7ddc9b1aSDarren Reed		ifs->ifs_hook6_loopback_in = (net_hook_register(
7ddc9b1aSDarren Reed		    ifs->ifs_ipf_ipv6, NH_LOOPBACK_IN,
7ddc9b1aSDarren Reed		    ifs->ifs_ipfhook6_loop_in) == 0);
f4b3ec61Sdh		if (!ifs->ifs_hook6_loopback_in)
381a2a9aSdr			return EINVAL;
381a2a9aSdr
7ddc9b1aSDarren Reed		ifs->ifs_hook6_loopback_out = (net_hook_register(
7ddc9b1aSDarren Reed		    ifs->ifs_ipf_ipv6, NH_LOOPBACK_OUT,
7ddc9b1aSDarren Reed		    ifs->ifs_ipfhook6_loop_out) == 0);
f4b3ec61Sdh		if (!ifs->ifs_hook6_loopback_out)
381a2a9aSdr			return EINVAL;
381a2a9aSdr
f4b3ec61Sdh	} else if (!set && ifs->ifs_ipf_loopback) {
f4b3ec61Sdh		ifs->ifs_ipf_loopback = 0;
381a2a9aSdr
f4b3ec61Sdh		ifs->ifs_hook4_loopback_in =
7ddc9b1aSDarren Reed		    (net_hook_unregister(ifs->ifs_ipf_ipv4,
7ddc9b1aSDarren Reed		    NH_LOOPBACK_IN, ifs->ifs_ipfhook4_loop_in) != 0);
f4b3ec61Sdh		if (ifs->ifs_hook4_loopback_in)
381a2a9aSdr			return EBUSY;
381a2a9aSdr
f4b3ec61Sdh		ifs->ifs_hook4_loopback_out =
7ddc9b1aSDarren Reed		    (net_hook_unregister(ifs->ifs_ipf_ipv4,
7ddc9b1aSDarren Reed		    NH_LOOPBACK_OUT, ifs->ifs_ipfhook4_loop_out) != 0);
f4b3ec61Sdh		if (ifs->ifs_hook4_loopback_out)
381a2a9aSdr			return EBUSY;
381a2a9aSdr
f4b3ec61Sdh		ifs->ifs_hook6_loopback_in =
7ddc9b1aSDarren Reed		    (net_hook_unregister(ifs->ifs_ipf_ipv6,
7ddc9b1aSDarren Reed		    NH_LOOPBACK_IN, ifs->ifs_ipfhook4_loop_in) != 0);
f4b3ec61Sdh		if (ifs->ifs_hook6_loopback_in)
381a2a9aSdr			return EBUSY;
381a2a9aSdr
f4b3ec61Sdh		ifs->ifs_hook6_loopback_out =
7ddc9b1aSDarren Reed		    (net_hook_unregister(ifs->ifs_ipf_ipv6,
7ddc9b1aSDarren Reed		    NH_LOOPBACK_OUT, ifs->ifs_ipfhook6_loop_out) != 0);
f4b3ec61Sdh		if (ifs->ifs_hook6_loopback_out)
381a2a9aSdr			return EBUSY;
381a2a9aSdr	}
7c478bd9Sstevel@tonic-gate	return 0;
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * Filter ioctl interface.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gate/*ARGSUSED*/
7c478bd9Sstevel@tonic-gateint iplioctl(dev, cmd, data, mode, cp, rp)
7c478bd9Sstevel@tonic-gatedev_t dev;
7c478bd9Sstevel@tonic-gateint cmd;
7c478bd9Sstevel@tonic-gate#if SOLARIS2 >= 7
7c478bd9Sstevel@tonic-gateintptr_t data;
7c478bd9Sstevel@tonic-gate#else
7c478bd9Sstevel@tonic-gateint *data;
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gateint mode;
7c478bd9Sstevel@tonic-gatecred_t *cp;
7c478bd9Sstevel@tonic-gateint *rp;
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	int error = 0, tmp;
7c478bd9Sstevel@tonic-gate	friostat_t fio;
7c478bd9Sstevel@tonic-gate	minor_t unit;
7c478bd9Sstevel@tonic-gate	u_int enable;
f4b3ec61Sdh	ipf_stack_t *ifs;
94bdecd9SRob Gulewich	zoneid_t zid;
94bdecd9SRob Gulewich	ipf_devstate_t *isp;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#ifdef	IPFDEBUG
7c478bd9Sstevel@tonic-gate	cmn_err(CE_CONT, "iplioctl(%x,%x,%x,%d,%x,%d)\n",
7c478bd9Sstevel@tonic-gate		dev, cmd, data, mode, cp, rp);
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate	unit = getminor(dev);
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich	isp = ddi_get_soft_state(ipf_state, unit);
94bdecd9SRob Gulewich	if (isp == NULL)
7c478bd9Sstevel@tonic-gate		return ENXIO;
94bdecd9SRob Gulewich	unit = isp->ipfs_minor;
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich	zid = crgetzoneid(cp);
94bdecd9SRob Gulewich	if (cmd == SIOCIPFZONESET) {
94bdecd9SRob Gulewich		if (zid == GLOBAL_ZONEID)
94bdecd9SRob Gulewich			return fr_setzoneid(isp, (caddr_t) data);
94bdecd9SRob Gulewich		return EACCES;
94bdecd9SRob Gulewich	}
7c478bd9Sstevel@tonic-gate
7ddc9b1aSDarren Reed        /*
94bdecd9SRob Gulewich	 * ipf_find_stack returns with a read lock on ifs_ipf_global
7ddc9b1aSDarren Reed	 */
94bdecd9SRob Gulewich	ifs = ipf_find_stack(zid, isp);
94bdecd9SRob Gulewich	if (ifs == NULL)
94bdecd9SRob Gulewich		return ENXIO;
f4b3ec61Sdh
f4b3ec61Sdh	if (ifs->ifs_fr_running <= 0) {
f4b3ec61Sdh		if (unit != IPL_LOGIPF) {
94bdecd9SRob Gulewich			RWLOCK_EXIT(&ifs->ifs_ipf_global);
7c478bd9Sstevel@tonic-gate			return EIO;
f4b3ec61Sdh		}
7c478bd9Sstevel@tonic-gate		if (cmd != SIOCIPFGETNEXT && cmd != SIOCIPFGET &&
ab25eeb5Syz		    cmd != SIOCIPFSET && cmd != SIOCFRENB &&
f4b3ec61Sdh		    cmd != SIOCGETFS && cmd != SIOCGETFF) {
94bdecd9SRob Gulewich			RWLOCK_EXIT(&ifs->ifs_ipf_global);
7c478bd9Sstevel@tonic-gate			return EIO;
f4b3ec61Sdh		}
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
72680cf5SDarren Reed	if (ifs->ifs_fr_enable_active != 0) {
72680cf5SDarren Reed		RWLOCK_EXIT(&ifs->ifs_ipf_global);
72680cf5SDarren Reed		return EBUSY;
72680cf5SDarren Reed	}
7c478bd9Sstevel@tonic-gate
67dbe2beSCasper H.S. Dik	error = fr_ioctlswitch(unit, (caddr_t)data, cmd, mode, crgetuid(cp),
7ddc9b1aSDarren Reed			       curproc, ifs);
7c478bd9Sstevel@tonic-gate	if (error != -1) {
f4b3ec61Sdh		RWLOCK_EXIT(&ifs->ifs_ipf_global);
7c478bd9Sstevel@tonic-gate		return error;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate	error = 0;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	switch (cmd)
7c478bd9Sstevel@tonic-gate	{
7c478bd9Sstevel@tonic-gate	case SIOCFRENB :
7c478bd9Sstevel@tonic-gate		if (!(mode & FWRITE))
7c478bd9Sstevel@tonic-gate			error = EPERM;
7c478bd9Sstevel@tonic-gate		else {
7c478bd9Sstevel@tonic-gate			error = COPYIN((caddr_t)data, (caddr_t)&enable,
7c478bd9Sstevel@tonic-gate				       sizeof(enable));
7c478bd9Sstevel@tonic-gate			if (error != 0) {
7c478bd9Sstevel@tonic-gate				error = EFAULT;
7c478bd9Sstevel@tonic-gate				break;
7c478bd9Sstevel@tonic-gate			}
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh			RWLOCK_EXIT(&ifs->ifs_ipf_global);
f4b3ec61Sdh			WRITE_ENTER(&ifs->ifs_ipf_global);
e8d569f4SAlexandr Nedvedicky
e8d569f4SAlexandr Nedvedicky			/*
e8d569f4SAlexandr Nedvedicky			 * We must recheck fr_enable_active here, since we've
e8d569f4SAlexandr Nedvedicky			 * dropped ifs_ipf_global from R in order to get it
e8d569f4SAlexandr Nedvedicky			 * exclusively.
e8d569f4SAlexandr Nedvedicky			 */
e8d569f4SAlexandr Nedvedicky			if (ifs->ifs_fr_enable_active == 0) {
e8d569f4SAlexandr Nedvedicky				ifs->ifs_fr_enable_active = 1;
e8d569f4SAlexandr Nedvedicky				error = fr_enableipf(ifs, enable);
e8d569f4SAlexandr Nedvedicky				ifs->ifs_fr_enable_active = 0;
e8d569f4SAlexandr Nedvedicky			}
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SIOCIPFSET :
7c478bd9Sstevel@tonic-gate		if (!(mode & FWRITE)) {
7c478bd9Sstevel@tonic-gate			error = EPERM;
7c478bd9Sstevel@tonic-gate			break;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		/* FALLTHRU */
7c478bd9Sstevel@tonic-gate	case SIOCIPFGETNEXT :
7c478bd9Sstevel@tonic-gate	case SIOCIPFGET :
f4b3ec61Sdh		error = fr_ipftune(cmd, (void *)data, ifs);
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SIOCSETFF :
7c478bd9Sstevel@tonic-gate		if (!(mode & FWRITE))
7c478bd9Sstevel@tonic-gate			error = EPERM;
7c478bd9Sstevel@tonic-gate		else {
7ddc9b1aSDarren Reed			error = COPYIN((caddr_t)data,
7ddc9b1aSDarren Reed				       (caddr_t)&ifs->ifs_fr_flags,
7ddc9b1aSDarren Reed				       sizeof(ifs->ifs_fr_flags));
7c478bd9Sstevel@tonic-gate			if (error != 0)
7c478bd9Sstevel@tonic-gate				error = EFAULT;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		break;
381a2a9aSdr	case SIOCIPFLP :
381a2a9aSdr		error = COPYIN((caddr_t)data, (caddr_t)&tmp,
381a2a9aSdr			       sizeof(tmp));
381a2a9aSdr		if (error != 0)
381a2a9aSdr			error = EFAULT;
381a2a9aSdr		else
f4b3ec61Sdh			error = fr_setipfloopback(tmp, ifs);
381a2a9aSdr		break;
7c478bd9Sstevel@tonic-gate	case SIOCGETFF :
f4b3ec61Sdh		error = COPYOUT((caddr_t)&ifs->ifs_fr_flags, (caddr_t)data,
7ddc9b1aSDarren Reed				sizeof(ifs->ifs_fr_flags));
7c478bd9Sstevel@tonic-gate		if (error != 0)
7c478bd9Sstevel@tonic-gate			error = EFAULT;
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SIOCFUNCL :
7c478bd9Sstevel@tonic-gate		error = fr_resolvefunc((void *)data);
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SIOCINAFR :
7c478bd9Sstevel@tonic-gate	case SIOCRMAFR :
7c478bd9Sstevel@tonic-gate	case SIOCADAFR :
7c478bd9Sstevel@tonic-gate	case SIOCZRLST :
7c478bd9Sstevel@tonic-gate		if (!(mode & FWRITE))
7c478bd9Sstevel@tonic-gate			error = EPERM;
7c478bd9Sstevel@tonic-gate		else
7c478bd9Sstevel@tonic-gate			error = frrequest(unit, cmd, (caddr_t)data,
f4b3ec61Sdh					  ifs->ifs_fr_active, 1, ifs);
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SIOCINIFR :
7c478bd9Sstevel@tonic-gate	case SIOCRMIFR :
7c478bd9Sstevel@tonic-gate	case SIOCADIFR :
7c478bd9Sstevel@tonic-gate		if (!(mode & FWRITE))
7c478bd9Sstevel@tonic-gate			error = EPERM;
7c478bd9Sstevel@tonic-gate		else
7c478bd9Sstevel@tonic-gate			error = frrequest(unit, cmd, (caddr_t)data,
f4b3ec61Sdh					  1 - ifs->ifs_fr_active, 1, ifs);
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SIOCSWAPA :
7c478bd9Sstevel@tonic-gate		if (!(mode & FWRITE))
7c478bd9Sstevel@tonic-gate			error = EPERM;
7c478bd9Sstevel@tonic-gate		else {
f4b3ec61Sdh			WRITE_ENTER(&ifs->ifs_ipf_mutex);
14d3298eSAlexandr Nedvedicky			bzero((char *)ifs->ifs_frcache,
14d3298eSAlexandr Nedvedicky			    sizeof (ifs->ifs_frcache));
f4b3ec61Sdh			error = COPYOUT((caddr_t)&ifs->ifs_fr_active,
f4b3ec61Sdh					(caddr_t)data,
f4b3ec61Sdh					sizeof(ifs->ifs_fr_active));
7c478bd9Sstevel@tonic-gate			if (error != 0)
7c478bd9Sstevel@tonic-gate				error = EFAULT;
7c478bd9Sstevel@tonic-gate			else
f4b3ec61Sdh				ifs->ifs_fr_active = 1 - ifs->ifs_fr_active;
f4b3ec61Sdh			RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SIOCGETFS :
f4b3ec61Sdh		fr_getstat(&fio, ifs);
7c478bd9Sstevel@tonic-gate		error = fr_outobj((void *)data, &fio, IPFOBJ_IPFSTAT);
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SIOCFRZST :
7c478bd9Sstevel@tonic-gate		if (!(mode & FWRITE))
7c478bd9Sstevel@tonic-gate			error = EPERM;
7c478bd9Sstevel@tonic-gate		else
f4b3ec61Sdh			error = fr_zerostats((caddr_t)data, ifs);
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case	SIOCIPFFL :
7c478bd9Sstevel@tonic-gate		if (!(mode & FWRITE))
7c478bd9Sstevel@tonic-gate			error = EPERM;
7c478bd9Sstevel@tonic-gate		else {
7c478bd9Sstevel@tonic-gate			error = COPYIN((caddr_t)data, (caddr_t)&tmp,
7c478bd9Sstevel@tonic-gate				       sizeof(tmp));
7c478bd9Sstevel@tonic-gate			if (!error) {
f4b3ec61Sdh				tmp = frflush(unit, 4, tmp, ifs);
7c478bd9Sstevel@tonic-gate				error = COPYOUT((caddr_t)&tmp, (caddr_t)data,
7ddc9b1aSDarren Reed						sizeof(tmp));
7c478bd9Sstevel@tonic-gate				if (error != 0)
7c478bd9Sstevel@tonic-gate					error = EFAULT;
7c478bd9Sstevel@tonic-gate			} else
7c478bd9Sstevel@tonic-gate				error = EFAULT;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		break;
7663b816Sml#ifdef USE_INET6
7663b816Sml	case	SIOCIPFL6 :
7663b816Sml		if (!(mode & FWRITE))
7663b816Sml			error = EPERM;
7663b816Sml		else {
7663b816Sml			error = COPYIN((caddr_t)data, (caddr_t)&tmp,
7663b816Sml				       sizeof(tmp));
7663b816Sml			if (!error) {
f4b3ec61Sdh				tmp = frflush(unit, 6, tmp, ifs);
7663b816Sml				error = COPYOUT((caddr_t)&tmp, (caddr_t)data,
7ddc9b1aSDarren Reed						sizeof(tmp));
7663b816Sml				if (error != 0)
7663b816Sml					error = EFAULT;
7663b816Sml			} else
7663b816Sml				error = EFAULT;
7663b816Sml		}
7663b816Sml		break;
7663b816Sml#endif
7c478bd9Sstevel@tonic-gate	case SIOCSTLCK :
7c478bd9Sstevel@tonic-gate		error = COPYIN((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));
7c478bd9Sstevel@tonic-gate		if (error == 0) {
f4b3ec61Sdh			ifs->ifs_fr_state_lock = tmp;
f4b3ec61Sdh			ifs->ifs_fr_nat_lock = tmp;
f4b3ec61Sdh			ifs->ifs_fr_frag_lock = tmp;
f4b3ec61Sdh			ifs->ifs_fr_auth_lock = tmp;
7c478bd9Sstevel@tonic-gate		} else
7c478bd9Sstevel@tonic-gate			error = EFAULT;
7c478bd9Sstevel@tonic-gate	break;
7c478bd9Sstevel@tonic-gate#ifdef	IPFILTER_LOG
7c478bd9Sstevel@tonic-gate	case	SIOCIPFFB :
7c478bd9Sstevel@tonic-gate		if (!(mode & FWRITE))
7c478bd9Sstevel@tonic-gate			error = EPERM;
7c478bd9Sstevel@tonic-gate		else {
f4b3ec61Sdh			tmp = ipflog_clear(unit, ifs);
7c478bd9Sstevel@tonic-gate			error = COPYOUT((caddr_t)&tmp, (caddr_t)data,
7c478bd9Sstevel@tonic-gate				       sizeof(tmp));
7c478bd9Sstevel@tonic-gate			if (error)
7c478bd9Sstevel@tonic-gate				error = EFAULT;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate#endif /* IPFILTER_LOG */
7c478bd9Sstevel@tonic-gate	case SIOCFRSYN :
7c478bd9Sstevel@tonic-gate		if (!(mode & FWRITE))
7c478bd9Sstevel@tonic-gate			error = EPERM;
7c478bd9Sstevel@tonic-gate		else {
f4b3ec61Sdh			RWLOCK_EXIT(&ifs->ifs_ipf_global);
f4b3ec61Sdh			WRITE_ENTER(&ifs->ifs_ipf_global);
381a2a9aSdr
f4b3ec61Sdh			frsync(IPFSYNC_RESYNC, 0, NULL, NULL, ifs);
d6c23f6fSyx			fr_natifpsync(IPFSYNC_RESYNC, 0, NULL, NULL, ifs);
d6c23f6fSyx			fr_nataddrsync(0, NULL, NULL, ifs);
f4b3ec61Sdh			fr_statesync(IPFSYNC_RESYNC, 0, NULL, NULL, ifs);
381a2a9aSdr			error = 0;
7c478bd9Sstevel@tonic-gate		}
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case SIOCGFRST :
f4b3ec61Sdh		error = fr_outobj((void *)data, fr_fragstats(ifs),
7c478bd9Sstevel@tonic-gate				  IPFOBJ_FRAGSTAT);
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	case FIONREAD :
7c478bd9Sstevel@tonic-gate#ifdef	IPFILTER_LOG
f4b3ec61Sdh		tmp = (int)ifs->ifs_iplused[IPL_LOGIPF];
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		error = COPYOUT((caddr_t)&tmp, (caddr_t)data, sizeof(tmp));
7c478bd9Sstevel@tonic-gate		if (error != 0)
7c478bd9Sstevel@tonic-gate			error = EFAULT;
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate		break;
f4b3ec61Sdh	case SIOCIPFITER :
67dbe2beSCasper H.S. Dik		error = ipf_frruleiter((caddr_t)data, crgetuid(cp),
7ddc9b1aSDarren Reed				       curproc, ifs);
f4b3ec61Sdh		break;
f4b3ec61Sdh
f4b3ec61Sdh	case SIOCGENITER :
67dbe2beSCasper H.S. Dik		error = ipf_genericiter((caddr_t)data, crgetuid(cp),
7ddc9b1aSDarren Reed					curproc, ifs);
f4b3ec61Sdh		break;
f4b3ec61Sdh
f4b3ec61Sdh	case SIOCIPFDELTOK :
bb1d9de5SJohn Ojemann		error = BCOPYIN((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));
bb1d9de5SJohn Ojemann		if (error != 0) {
bb1d9de5SJohn Ojemann			error = EFAULT;
bb1d9de5SJohn Ojemann		} else {
67dbe2beSCasper H.S. Dik			error = ipf_deltoken(tmp, crgetuid(cp), curproc, ifs);
bb1d9de5SJohn Ojemann		}
f4b3ec61Sdh		break;
f4b3ec61Sdh
7c478bd9Sstevel@tonic-gate	default :
33f2fefdSDarren Reed#ifdef	IPFDEBUG
7ddc9b1aSDarren Reed		cmn_err(CE_NOTE, "Unknown: cmd 0x%x data %p",
7ddc9b1aSDarren Reed			cmd, (void *)data);
33f2fefdSDarren Reed#endif
7c478bd9Sstevel@tonic-gate		error = EINVAL;
7c478bd9Sstevel@tonic-gate		break;
7c478bd9Sstevel@tonic-gate	}
f4b3ec61Sdh	RWLOCK_EXIT(&ifs->ifs_ipf_global);
7c478bd9Sstevel@tonic-gate	return error;
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7ddc9b1aSDarren Reedstatic int fr_enableipf(ifs, enable)
882bd30bSdripf_stack_t *ifs;
882bd30bSdrint enable;
882bd30bSdr{
882bd30bSdr	int error;
882bd30bSdr
44aaa2b6Sjojemann	if (!enable) {
882bd30bSdr		error = ipldetach(ifs);
882bd30bSdr		if (error == 0)
882bd30bSdr			ifs->ifs_fr_running = -1;
7ddc9b1aSDarren Reed		return error;
882bd30bSdr	}
882bd30bSdr
44aaa2b6Sjojemann	if (ifs->ifs_fr_running > 0)
7ddc9b1aSDarren Reed		return 0;
44aaa2b6Sjojemann
7ddc9b1aSDarren Reed	error = iplattach(ifs);
44aaa2b6Sjojemann	if (error == 0) {
44aaa2b6Sjojemann		if (ifs->ifs_fr_timer_id == NULL) {
44aaa2b6Sjojemann			int hz = drv_usectohz(500000);
44aaa2b6Sjojemann
44aaa2b6Sjojemann			ifs->ifs_fr_timer_id = timeout(fr_slowtimer,
7ddc9b1aSDarren Reed						       (void *)ifs,
7ddc9b1aSDarren Reed						       hz);
44aaa2b6Sjojemann		}
44aaa2b6Sjojemann		ifs->ifs_fr_running = 1;
44aaa2b6Sjojemann	} else {
44aaa2b6Sjojemann		(void) ipldetach(ifs);
44aaa2b6Sjojemann	}
7ddc9b1aSDarren Reed	return error;
882bd30bSdr}
882bd30bSdr
882bd30bSdr
f4b3ec61Sdhphy_if_t get_unit(name, v, ifs)
f4b3ec61Sdhchar *name;
f4b3ec61Sdhint v;
f4b3ec61Sdhipf_stack_t *ifs;
7c478bd9Sstevel@tonic-gate{
7ddc9b1aSDarren Reed	net_handle_t nif;
381a2a9aSdr
381a2a9aSdr  	if (v == 4)
f4b3ec61Sdh 		nif = ifs->ifs_ipf_ipv4;
381a2a9aSdr  	else if (v == 6)
f4b3ec61Sdh 		nif = ifs->ifs_ipf_ipv6;
381a2a9aSdr  	else
381a2a9aSdr 		return 0;
381a2a9aSdr
f4b3ec61Sdh 	return (net_phylookup(nif, name));
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * routines below for saving IP headers to buffer
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gate/*ARGSUSED*/
7c478bd9Sstevel@tonic-gateint iplopen(devp, flags, otype, cred)
7c478bd9Sstevel@tonic-gatedev_t *devp;
7c478bd9Sstevel@tonic-gateint flags, otype;
7c478bd9Sstevel@tonic-gatecred_t *cred;
7c478bd9Sstevel@tonic-gate{
94bdecd9SRob Gulewich	ipf_devstate_t *isp;
7c478bd9Sstevel@tonic-gate	minor_t min = getminor(*devp);
94bdecd9SRob Gulewich	minor_t minor;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#ifdef	IPFDEBUG
7c478bd9Sstevel@tonic-gate	cmn_err(CE_CONT, "iplopen(%x,%x,%x,%x)\n", devp, flags, otype, cred);
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate	if (!(otype & OTYP_CHR))
7c478bd9Sstevel@tonic-gate		return ENXIO;
7c478bd9Sstevel@tonic-gate
94bdecd9SRob Gulewich	if (IPL_LOGMAX < min)
94bdecd9SRob Gulewich		return ENXIO;
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich	minor = (minor_t)(uintptr_t)vmem_alloc(ipf_minor, 1,
94bdecd9SRob Gulewich	    VM_BESTFIT | VM_SLEEP);
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich	if (ddi_soft_state_zalloc(ipf_state, minor) != 0) {
94bdecd9SRob Gulewich		vmem_free(ipf_minor, (void *)(uintptr_t)minor, 1);
94bdecd9SRob Gulewich		return ENXIO;
94bdecd9SRob Gulewich	}
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich	*devp = makedevice(getmajor(*devp), minor);
94bdecd9SRob Gulewich	isp = ddi_get_soft_state(ipf_state, minor);
94bdecd9SRob Gulewich	VERIFY(isp != NULL);
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich	isp->ipfs_minor = min;
94bdecd9SRob Gulewich	isp->ipfs_zoneid = IPFS_ZONE_UNSET;
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich	return 0;
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*ARGSUSED*/
7c478bd9Sstevel@tonic-gateint iplclose(dev, flags, otype, cred)
7c478bd9Sstevel@tonic-gatedev_t dev;
7c478bd9Sstevel@tonic-gateint flags, otype;
7c478bd9Sstevel@tonic-gatecred_t *cred;
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	minor_t	min = getminor(dev);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#ifdef	IPFDEBUG
7c478bd9Sstevel@tonic-gate	cmn_err(CE_CONT, "iplclose(%x,%x,%x,%x)\n", dev, flags, otype, cred);
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate
94bdecd9SRob Gulewich	if (IPL_LOGMAX < min)
94bdecd9SRob Gulewich		return ENXIO;
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich	ddi_soft_state_free(ipf_state, min);
94bdecd9SRob Gulewich	vmem_free(ipf_minor, (void *)(uintptr_t)min, 1);
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich	return 0;
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#ifdef	IPFILTER_LOG
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * iplread/ipllog
7c478bd9Sstevel@tonic-gate * both of these must operate with at least splnet() lest they be
7c478bd9Sstevel@tonic-gate * called during packet processing and cause an inconsistancy to appear in
7c478bd9Sstevel@tonic-gate * the filter lists.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gate/*ARGSUSED*/
7c478bd9Sstevel@tonic-gateint iplread(dev, uio, cp)
7c478bd9Sstevel@tonic-gatedev_t dev;
7c478bd9Sstevel@tonic-gateregister struct uio *uio;
7c478bd9Sstevel@tonic-gatecred_t *cp;
7c478bd9Sstevel@tonic-gate{
f4b3ec61Sdh	ipf_stack_t *ifs;
f4b3ec61Sdh	int ret;
94bdecd9SRob Gulewich	minor_t unit;
94bdecd9SRob Gulewich	ipf_devstate_t *isp;
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich	unit = getminor(dev);
94bdecd9SRob Gulewich	isp = ddi_get_soft_state(ipf_state, unit);
94bdecd9SRob Gulewich	if (isp == NULL)
94bdecd9SRob Gulewich		return ENXIO;
94bdecd9SRob Gulewich	unit = isp->ipfs_minor;
94bdecd9SRob Gulewich
f4b3ec61Sdh
7ddc9b1aSDarren Reed        /*
94bdecd9SRob Gulewich	 * ipf_find_stack returns with a read lock on ifs_ipf_global
7ddc9b1aSDarren Reed	 */
94bdecd9SRob Gulewich	ifs = ipf_find_stack(crgetzoneid(cp), isp);
94bdecd9SRob Gulewich	if (ifs == NULL)
94bdecd9SRob Gulewich		return ENXIO;
f4b3ec61Sdh
7c478bd9Sstevel@tonic-gate# ifdef	IPFDEBUG
7c478bd9Sstevel@tonic-gate	cmn_err(CE_CONT, "iplread(%x,%x,%x)\n", dev, uio, cp);
7c478bd9Sstevel@tonic-gate# endif
08ee25aeSdr
f4b3ec61Sdh	if (ifs->ifs_fr_running < 1) {
94bdecd9SRob Gulewich		RWLOCK_EXIT(&ifs->ifs_ipf_global);
08ee25aeSdr		return EIO;
f4b3ec61Sdh	}
08ee25aeSdr
7c478bd9Sstevel@tonic-gate# ifdef	IPFILTER_SYNC
94bdecd9SRob Gulewich	if (unit == IPL_LOGSYNC) {
94bdecd9SRob Gulewich		RWLOCK_EXIT(&ifs->ifs_ipf_global);
7c478bd9Sstevel@tonic-gate		return ipfsync_read(uio);
f4b3ec61Sdh	}
7c478bd9Sstevel@tonic-gate# endif
7c478bd9Sstevel@tonic-gate
94bdecd9SRob Gulewich	ret = ipflog_read(unit, uio, ifs);
94bdecd9SRob Gulewich	RWLOCK_EXIT(&ifs->ifs_ipf_global);
f4b3ec61Sdh	return ret;
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate#endif /* IPFILTER_LOG */
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * iplread/ipllog
7c478bd9Sstevel@tonic-gate * both of these must operate with at least splnet() lest they be
7c478bd9Sstevel@tonic-gate * called during packet processing and cause an inconsistancy to appear in
7c478bd9Sstevel@tonic-gate * the filter lists.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gateint iplwrite(dev, uio, cp)
7c478bd9Sstevel@tonic-gatedev_t dev;
7c478bd9Sstevel@tonic-gateregister struct uio *uio;
7c478bd9Sstevel@tonic-gatecred_t *cp;
7c478bd9Sstevel@tonic-gate{
f4b3ec61Sdh	ipf_stack_t *ifs;
94bdecd9SRob Gulewich	minor_t unit;
94bdecd9SRob Gulewich	ipf_devstate_t *isp;
94bdecd9SRob Gulewich
94bdecd9SRob Gulewich	unit = getminor(dev);
94bdecd9SRob Gulewich	isp = ddi_get_soft_state(ipf_state, unit);
94bdecd9SRob Gulewich	if (isp == NULL)
94bdecd9SRob Gulewich		return ENXIO;
94bdecd9SRob Gulewich	unit = isp->ipfs_minor;
f4b3ec61Sdh
7ddc9b1aSDarren Reed        /*
94bdecd9SRob Gulewich	 * ipf_find_stack returns with a read lock on ifs_ipf_global
7ddc9b1aSDarren Reed	 */
94bdecd9SRob Gulewich	ifs = ipf_find_stack(crgetzoneid(cp), isp);
94bdecd9SRob Gulewich	if (ifs == NULL)
94bdecd9SRob Gulewich		return ENXIO;
f4b3ec61Sdh
7c478bd9Sstevel@tonic-gate#ifdef	IPFDEBUG
7c478bd9Sstevel@tonic-gate	cmn_err(CE_CONT, "iplwrite(%x,%x,%x)\n", dev, uio, cp);
7c478bd9Sstevel@tonic-gate#endif
08ee25aeSdr
f4b3ec61Sdh	if (ifs->ifs_fr_running < 1) {
94bdecd9SRob Gulewich		RWLOCK_EXIT(&ifs->ifs_ipf_global);
08ee25aeSdr		return EIO;
f4b3ec61Sdh	}
08ee25aeSdr
ab25eeb5Syz#ifdef	IPFILTER_SYNC
94bdecd9SRob Gulewich	if (getminor(dev) == IPL_LOGSYNC) {
94bdecd9SRob Gulewich		RWLOCK_EXIT(&ifs->ifs_ipf_global);
ab25eeb5Syz		return ipfsync_write(uio);
94bdecd9SRob Gulewich	}
7c478bd9Sstevel@tonic-gate#endif /* IPFILTER_SYNC */
ab25eeb5Syz	dev = dev;	/* LINT */
ab25eeb5Syz	uio = uio;	/* LINT */
ab25eeb5Syz	cp = cp;	/* LINT */
94bdecd9SRob Gulewich	RWLOCK_EXIT(&ifs->ifs_ipf_global);
ab25eeb5Syz	return ENXIO;
ab25eeb5Syz}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
7c478bd9Sstevel@tonic-gate * fr_send_reset - this could conceivably be a call to tcp_respond(), but that
7c478bd9Sstevel@tonic-gate * requires a large amount of setting up and isn't any more efficient.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gateint fr_send_reset(fin)
7c478bd9Sstevel@tonic-gatefr_info_t *fin;
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	tcphdr_t *tcp, *tcp2;
7c478bd9Sstevel@tonic-gate	int tlen, hlen;
7c478bd9Sstevel@tonic-gate	mblk_t *m;
7c478bd9Sstevel@tonic-gate#ifdef	USE_INET6
7c478bd9Sstevel@tonic-gate	ip6_t *ip6;
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate	ip_t *ip;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	tcp = fin->fin_dp;
7c478bd9Sstevel@tonic-gate	if (tcp->th_flags & TH_RST)
7c478bd9Sstevel@tonic-gate		return -1;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#ifndef	IPFILTER_CKSUM
7c478bd9Sstevel@tonic-gate	if (fr_checkl4sum(fin) == -1)
7c478bd9Sstevel@tonic-gate		return -1;
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	tlen = (tcp->th_flags & (TH_SYN|TH_FIN)) ? 1 : 0;
7c478bd9Sstevel@tonic-gate#ifdef	USE_INET6
7c478bd9Sstevel@tonic-gate	if (fin->fin_v == 6)
7c478bd9Sstevel@tonic-gate		hlen = sizeof(ip6_t);
7c478bd9Sstevel@tonic-gate	else
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate		hlen = sizeof(ip_t);
7c478bd9Sstevel@tonic-gate	hlen += sizeof(*tcp2);
7c478bd9Sstevel@tonic-gate	if ((m = (mblk_t *)allocb(hlen + 64, BPRI_HI)) == NULL)
7c478bd9Sstevel@tonic-gate		return -1;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	m->b_rptr += 64;
7c478bd9Sstevel@tonic-gate	MTYPE(m) = M_DATA;
7c478bd9Sstevel@tonic-gate	m->b_wptr = m->b_rptr + hlen;
ab25eeb5Syz	ip = (ip_t *)m->b_rptr;
ab25eeb5Syz	bzero((char *)ip, hlen);
7c478bd9Sstevel@tonic-gate	tcp2 = (struct tcphdr *)(m->b_rptr + hlen - sizeof(*tcp2));
7c478bd9Sstevel@tonic-gate	tcp2->th_dport = tcp->th_sport;
7c478bd9Sstevel@tonic-gate	tcp2->th_sport = tcp->th_dport;
7c478bd9Sstevel@tonic-gate	if (tcp->th_flags & TH_ACK) {
7c478bd9Sstevel@tonic-gate		tcp2->th_seq = tcp->th_ack;
7c478bd9Sstevel@tonic-gate		tcp2->th_flags = TH_RST;
7c478bd9Sstevel@tonic-gate	} else {
7c478bd9Sstevel@tonic-gate		tcp2->th_ack = ntohl(tcp->th_seq);
7c478bd9Sstevel@tonic-gate		tcp2->th_ack += tlen;
7c478bd9Sstevel@tonic-gate		tcp2->th_ack = htonl(tcp2->th_ack);
7c478bd9Sstevel@tonic-gate		tcp2->th_flags = TH_RST|TH_ACK;
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate	tcp2->th_off = sizeof(struct tcphdr) >> 2;
7c478bd9Sstevel@tonic-gate
ab25eeb5Syz	ip->ip_v = fin->fin_v;
7c478bd9Sstevel@tonic-gate#ifdef	USE_INET6
7c478bd9Sstevel@tonic-gate	if (fin->fin_v == 6) {
7c478bd9Sstevel@tonic-gate		ip6 = (ip6_t *)m->b_rptr;
7663b816Sml		ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
d6c23f6fSyx		ip6->ip6_src = fin->fin_dst6.in6;
d6c23f6fSyx		ip6->ip6_dst = fin->fin_src6.in6;
7c478bd9Sstevel@tonic-gate		ip6->ip6_plen = htons(sizeof(*tcp));
7c478bd9Sstevel@tonic-gate		ip6->ip6_nxt = IPPROTO_TCP;
7663b816Sml		tcp2->th_sum = fr_cksum(m, (ip_t *)ip6, IPPROTO_TCP, tcp2);
7c478bd9Sstevel@tonic-gate	} else
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate	{
7c478bd9Sstevel@tonic-gate		ip->ip_src.s_addr = fin->fin_daddr;
7c478bd9Sstevel@tonic-gate		ip->ip_dst.s_addr = fin->fin_saddr;
7c478bd9Sstevel@tonic-gate		ip->ip_id = fr_nextipid(fin);
7c478bd9Sstevel@tonic-gate		ip->ip_hl = sizeof(*ip) >> 2;
7c478bd9Sstevel@tonic-gate		ip->ip_p = IPPROTO_TCP;
37b40788Sekozlow		ip->ip_len = sizeof(*ip) + sizeof(*tcp);
7c478bd9Sstevel@tonic-gate		ip->ip_tos = fin->fin_ip->ip_tos;
7c478bd9Sstevel@tonic-gate		tcp2->th_sum = fr_cksum(m, ip, IPPROTO_TCP, tcp2);
7c478bd9Sstevel@tonic-gate	}
ab25eeb5Syz	return fr_send_ip(fin, m, &m);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
37b40788Sekozlow/*
37b40788Sekozlow * Function:	fr_send_ip
37b40788Sekozlow * Returns:	 0: success
37b40788Sekozlow *		-1: failed
37b40788Sekozlow * Parameters:
37b40788Sekozlow *	fin: packet information
37b40788Sekozlow *	m: the message block where ip head starts
37b40788Sekozlow *
37b40788Sekozlow * Send a new packet through the IP stack.
37b40788Sekozlow *
37b40788Sekozlow * For IPv4 packets, ip_len must be in host byte order, and ip_v,
37b40788Sekozlow * ip_ttl, ip_off, and ip_sum are ignored (filled in by this
37b40788Sekozlow * function).
37b40788Sekozlow *
37b40788Sekozlow * For IPv6 packets, ip6_flow, ip6_vfc, and ip6_hlim are filled
37b40788Sekozlow * in by this function.
37b40788Sekozlow *
37b40788Sekozlow * All other portions of the packet must be in on-the-wire format.
37b40788Sekozlow */
ab25eeb5Syz/*ARGSUSED*/
ab25eeb5Syzstatic int fr_send_ip(fin, m, mpp)
7c478bd9Sstevel@tonic-gatefr_info_t *fin;
ab25eeb5Syzmblk_t *m, **mpp;
7c478bd9Sstevel@tonic-gate{
ab25eeb5Syz	qpktinfo_t qpi, *qpip;
ab25eeb5Syz	fr_info_t fnew;
ab25eeb5Syz	ip_t *ip;
ab25eeb5Syz	int i, hlen;
f4b3ec61Sdh	ipf_stack_t *ifs = fin->fin_ifs;
ab25eeb5Syz
ab25eeb5Syz	ip = (ip_t *)m->b_rptr;
ab25eeb5Syz	bzero((char *)&fnew, sizeof(fnew));
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#ifdef	USE_INET6
7c478bd9Sstevel@tonic-gate	if (fin->fin_v == 6) {
7c478bd9Sstevel@tonic-gate		ip6_t *ip6;
7c478bd9Sstevel@tonic-gate
ab25eeb5Syz		ip6 = (ip6_t *)ip;
7c478bd9Sstevel@tonic-gate		ip6->ip6_vfc = 0x60;
7c478bd9Sstevel@tonic-gate		ip6->ip6_hlim = 127;
ab25eeb5Syz		fnew.fin_v = 6;
ab25eeb5Syz		hlen = sizeof(*ip6);
923d6102Szf		fnew.fin_plen = ntohs(ip6->ip6_plen) + hlen;
7c478bd9Sstevel@tonic-gate	} else
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate	{
ab25eeb5Syz		fnew.fin_v = 4;
7c478bd9Sstevel@tonic-gate#if SOLARIS2 >= 10
7c478bd9Sstevel@tonic-gate		ip->ip_ttl = 255;
f4b3ec61Sdh		if (net_getpmtuenabled(ifs->ifs_ipf_ipv4) == 1)
381a2a9aSdr			ip->ip_off = htons(IP_DF);
7c478bd9Sstevel@tonic-gate#else
ab25eeb5Syz		if (ip_ttl_ptr != NULL)
ab25eeb5Syz			ip->ip_ttl = (u_char)(*ip_ttl_ptr);
ab25eeb5Syz		else
ab25eeb5Syz			ip->ip_ttl = 63;
ab25eeb5Syz		if (ip_mtudisc != NULL)
ab25eeb5Syz			ip->ip_off = htons(*ip_mtudisc ? IP_DF : 0);
ab25eeb5Syz		else
ab25eeb5Syz			ip->ip_off = htons(IP_DF);
7c478bd9Sstevel@tonic-gate#endif
ab25eeb5Syz		/*
ab25eeb5Syz		 * The dance with byte order and ip_len/ip_off is because in
ab25eeb5Syz		 * fr_fastroute, it expects them to be in host byte order but
ab25eeb5Syz		 * ipf_cksum expects them to be in network byte order.
ab25eeb5Syz		 */
ab25eeb5Syz		ip->ip_len = htons(ip->ip_len);
7c478bd9Sstevel@tonic-gate		ip->ip_sum = ipf_cksum((u_short *)ip, sizeof(*ip));
ab25eeb5Syz		ip->ip_len = ntohs(ip->ip_len);
ab25eeb5Syz		ip->ip_off = ntohs(ip->ip_off);
ab25eeb5Syz		hlen = sizeof(*ip);
923d6102Szf		fnew.fin_plen = ip->ip_len;
7c478bd9Sstevel@tonic-gate	}
ab25eeb5Syz
ab25eeb5Syz	qpip = fin->fin_qpi;
ab25eeb5Syz	qpi.qpi_off = 0;
381a2a9aSdr	qpi.qpi_ill = qpip->qpi_ill;
ab25eeb5Syz	qpi.qpi_m = m;
ab25eeb5Syz	qpi.qpi_data = ip;
ab25eeb5Syz	fnew.fin_qpi = &qpi;
ab25eeb5Syz	fnew.fin_ifp = fin->fin_ifp;
ab25eeb5Syz	fnew.fin_flx = FI_NOCKSUM;
ab25eeb5Syz	fnew.fin_m = m;
90907f62SJohn Ojemann	fnew.fin_qfm = m;
ab25eeb5Syz	fnew.fin_ip = ip;
ab25eeb5Syz	fnew.fin_mp = mpp;
ab25eeb5Syz	fnew.fin_hlen = hlen;
ab25eeb5Syz	fnew.fin_dp = (char *)ip + hlen;
f4b3ec61Sdh	fnew.fin_ifs = fin->fin_ifs;
ab25eeb5Syz	(void) fr_makefrip(hlen, ip, &fnew);
ab25eeb5Syz
ab25eeb5Syz	i = fr_fastroute(m, mpp, &fnew, NULL);
7c478bd9Sstevel@tonic-gate	return i;
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gateint fr_send_icmp_err(type, fin, dst)
7c478bd9Sstevel@tonic-gateint type;
7c478bd9Sstevel@tonic-gatefr_info_t *fin;
7c478bd9Sstevel@tonic-gateint dst;
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	struct in_addr dst4;
7c478bd9Sstevel@tonic-gate	struct icmp *icmp;
ab25eeb5Syz	qpktinfo_t *qpi;
7c478bd9Sstevel@tonic-gate	int hlen, code;
381a2a9aSdr	phy_if_t phy;
7c478bd9Sstevel@tonic-gate	u_short sz;
7c478bd9Sstevel@tonic-gate#ifdef	USE_INET6
7c478bd9Sstevel@tonic-gate	mblk_t *mb;
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate	mblk_t *m;
7c478bd9Sstevel@tonic-gate#ifdef	USE_INET6
7c478bd9Sstevel@tonic-gate	ip6_t *ip6;
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate	ip_t *ip;
f4b3ec61Sdh	ipf_stack_t *ifs = fin->fin_ifs;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if ((type < 0) || (type > ICMP_MAXTYPE))
7c478bd9Sstevel@tonic-gate		return -1;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	code = fin->fin_icode;
7c478bd9Sstevel@tonic-gate#ifdef USE_INET6
33f2fefdSDarren Reed	if ((code < 0) || (code >= ICMP_MAX_UNREACH))
7c478bd9Sstevel@tonic-gate		return -1;
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#ifndef	IPFILTER_CKSUM
7c478bd9Sstevel@tonic-gate	if (fr_checkl4sum(fin) == -1)
7c478bd9Sstevel@tonic-gate		return -1;
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate
ab25eeb5Syz	qpi = fin->fin_qpi;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#ifdef	USE_INET6
7c478bd9Sstevel@tonic-gate	mb = fin->fin_qfm;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	if (fin->fin_v == 6) {
7c478bd9Sstevel@tonic-gate		sz = sizeof(ip6_t);
7c478bd9Sstevel@tonic-gate		sz += MIN(mb->b_wptr - mb->b_rptr, 512);
7c478bd9Sstevel@tonic-gate		hlen = sizeof(ip6_t);
7c478bd9Sstevel@tonic-gate		type = icmptoicmp6types[type];
7c478bd9Sstevel@tonic-gate		if (type == ICMP6_DST_UNREACH)
7c478bd9Sstevel@tonic-gate			code = icmptoicmp6unreach[code];
7c478bd9Sstevel@tonic-gate	} else
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate	{
7c478bd9Sstevel@tonic-gate		if ((fin->fin_p == IPPROTO_ICMP) &&
7c478bd9Sstevel@tonic-gate		    !(fin->fin_flx & FI_SHORT))
7c478bd9Sstevel@tonic-gate			switch (ntohs(fin->fin_data[0]) >> 8)
7c478bd9Sstevel@tonic-gate			{
7c478bd9Sstevel@tonic-gate			case ICMP_ECHO :
7c478bd9Sstevel@tonic-gate			case ICMP_TSTAMP :
7c478bd9Sstevel@tonic-gate			case ICMP_IREQ :
7c478bd9Sstevel@tonic-gate			case ICMP_MASKREQ :
7c478bd9Sstevel@tonic-gate				break;
7c478bd9Sstevel@tonic-gate			default :
7c478bd9Sstevel@tonic-gate				return 0;
7c478bd9Sstevel@tonic-gate			}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		sz = sizeof(ip_t) * 2;
7c478bd9Sstevel@tonic-gate		sz += 8;		/* 64 bits of data */
7c478bd9Sstevel@tonic-gate		hlen = sizeof(ip_t);
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	sz += offsetof(struct icmp, icmp_ip);
7c478bd9Sstevel@tonic-gate	if ((m = (mblk_t *)allocb((size_t)sz + 64, BPRI_HI)) == NULL)
7c478bd9Sstevel@tonic-gate		return -1;
7c478bd9Sstevel@tonic-gate	MTYPE(m) = M_DATA;
7c478bd9Sstevel@tonic-gate	m->b_rptr += 64;
7c478bd9Sstevel@tonic-gate	m->b_wptr = m->b_rptr + sz;
7c478bd9Sstevel@tonic-gate	bzero((char *)m->b_rptr, (size_t)sz);
ab25eeb5Syz	ip = (ip_t *)m->b_rptr;
ab25eeb5Syz	ip->ip_v = fin->fin_v;
7c478bd9Sstevel@tonic-gate	icmp = (struct icmp *)(m->b_rptr + hlen);
7c478bd9Sstevel@tonic-gate	icmp->icmp_type = type & 0xff;
7c478bd9Sstevel@tonic-gate	icmp->icmp_code = code & 0xff;
381a2a9aSdr	phy = (phy_if_t)qpi->qpi_ill;
381a2a9aSdr	if (type == ICMP_UNREACH && (phy != 0) &&
7c478bd9Sstevel@tonic-gate	    fin->fin_icode == ICMP_UNREACH_NEEDFRAG)
f4b3ec61Sdh		icmp->icmp_nextmtu = net_getmtu(ifs->ifs_ipf_ipv4, phy,0 );
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#ifdef	USE_INET6
7c478bd9Sstevel@tonic-gate	if (fin->fin_v == 6) {
7c478bd9Sstevel@tonic-gate		struct in6_addr dst6;
7c478bd9Sstevel@tonic-gate		int csz;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		if (dst == 0) {
f4b3ec61Sdh			ipf_stack_t *ifs = fin->fin_ifs;
f4b3ec61Sdh
381a2a9aSdr			if (fr_ifpaddr(6, FRI_NORMAL, (void *)phy,
f4b3ec61Sdh				       (void *)&dst6, NULL, ifs) == -1) {
7c478bd9Sstevel@tonic-gate				FREE_MB_T(m);
7c478bd9Sstevel@tonic-gate				return -1;
7c478bd9Sstevel@tonic-gate			}
7c478bd9Sstevel@tonic-gate		} else
d6c23f6fSyx			dst6 = fin->fin_dst6.in6;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate		csz = sz;
7c478bd9Sstevel@tonic-gate		sz -= sizeof(ip6_t);
7c478bd9Sstevel@tonic-gate		ip6 = (ip6_t *)m->b_rptr;
7663b816Sml		ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
7c478bd9Sstevel@tonic-gate		ip6->ip6_plen = htons((u_short)sz);
7c478bd9Sstevel@tonic-gate		ip6->ip6_nxt = IPPROTO_ICMPV6;
7c478bd9Sstevel@tonic-gate		ip6->ip6_src = dst6;
d6c23f6fSyx		ip6->ip6_dst = fin->fin_src6.in6;
7c478bd9Sstevel@tonic-gate		sz -= offsetof(struct icmp, icmp_ip);
7c478bd9Sstevel@tonic-gate		bcopy((char *)mb->b_rptr, (char *)&icmp->icmp_ip, sz);
7c478bd9Sstevel@tonic-gate		icmp->icmp_cksum = csz - sizeof(ip6_t);
7c478bd9Sstevel@tonic-gate	} else
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate	{
7c478bd9Sstevel@tonic-gate		ip->ip_hl = sizeof(*ip) >> 2;
7c478bd9Sstevel@tonic-gate		ip->ip_p = IPPROTO_ICMP;
7c478bd9Sstevel@tonic-gate		ip->ip_id = fin->fin_ip->ip_id;
7c478bd9Sstevel@tonic-gate		ip->ip_tos = fin->fin_ip->ip_tos;
37b40788Sekozlow		ip->ip_len = (u_short)sz;
7c478bd9Sstevel@tonic-gate		if (dst == 0) {
f4b3ec61Sdh			ipf_stack_t *ifs = fin->fin_ifs;
f4b3ec61Sdh
381a2a9aSdr			if (fr_ifpaddr(4, FRI_NORMAL, (void *)phy,
f4b3ec61Sdh				       (void *)&dst4, NULL, ifs) == -1) {
7c478bd9Sstevel@tonic-gate				FREE_MB_T(m);
7c478bd9Sstevel@tonic-gate				return -1;
7c478bd9Sstevel@tonic-gate			}
381a2a9aSdr		} else {
7c478bd9Sstevel@tonic-gate			dst4 = fin->fin_dst;
381a2a9aSdr		}
7c478bd9Sstevel@tonic-gate		ip->ip_src = dst4;
7c478bd9Sstevel@tonic-gate		ip->ip_dst = fin->fin_src;
7c478bd9Sstevel@tonic-gate		bcopy((char *)fin->fin_ip, (char *)&icmp->icmp_ip,
7c478bd9Sstevel@tonic-gate		      sizeof(*fin->fin_ip));
7c478bd9Sstevel@tonic-gate		bcopy((char *)fin->fin_ip + fin->fin_hlen,
7c478bd9Sstevel@tonic-gate		      (char *)&icmp->icmp_ip + sizeof(*fin->fin_ip), 8);
7663b816Sml		icmp->icmp_ip.ip_len = htons(icmp->icmp_ip.ip_len);
ab25eeb5Syz		icmp->icmp_ip.ip_off = htons(icmp->icmp_ip.ip_off);
7c478bd9Sstevel@tonic-gate		icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
7c478bd9Sstevel@tonic-gate					     sz - sizeof(ip_t));
7c478bd9Sstevel@tonic-gate	}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Need to exit out of these so we don't recursively call rw_enter
7c478bd9Sstevel@tonic-gate	 * from fr_qout.
7c478bd9Sstevel@tonic-gate	 */
ab25eeb5Syz	return fr_send_ip(fin, m, &m);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#include <sys/time.h>
7c478bd9Sstevel@tonic-gate#include <sys/varargs.h>
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#ifndef _KERNEL
7c478bd9Sstevel@tonic-gate#include <stdio.h>
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/*
72680cf5SDarren Reed * Return the first IP Address associated with an interface
72680cf5SDarren Reed * For IPv6, we walk through the list of logical interfaces and return
72680cf5SDarren Reed * the address of the first one that isn't a link-local interface.
72680cf5SDarren Reed * We can't assume that it is :1 because another link-local address
72680cf5SDarren Reed * may have been assigned there.
7c478bd9Sstevel@tonic-gate */
7c478bd9Sstevel@tonic-gate/*ARGSUSED*/
f4b3ec61Sdhint fr_ifpaddr(v, atype, ifptr, inp, inpmask, ifs)
7c478bd9Sstevel@tonic-gateint v, atype;
381a2a9aSdrvoid *ifptr;
381a2a9aSdrstruct in_addr  *inp, *inpmask;
f4b3ec61Sdhipf_stack_t *ifs;
7c478bd9Sstevel@tonic-gate{
381a2a9aSdr	struct sockaddr_in6 v6addr[2];
381a2a9aSdr	struct sockaddr_in v4addr[2];
381a2a9aSdr	net_ifaddr_t type[2];
7ddc9b1aSDarren Reed	net_handle_t net_data;
381a2a9aSdr	phy_if_t phyif;
381a2a9aSdr	void *array;
381a2a9aSdr
381a2a9aSdr	switch (v)
381a2a9aSdr	{
381a2a9aSdr	case 4:
f4b3ec61Sdh		net_data = ifs->ifs_ipf_ipv4;
381a2a9aSdr		array = v4addr;
381a2a9aSdr		break;
381a2a9aSdr	case 6:
f4b3ec61Sdh		net_data = ifs->ifs_ipf_ipv6;
381a2a9aSdr		array = v6addr;
381a2a9aSdr		break;
381a2a9aSdr	default:
381a2a9aSdr		net_data = NULL;
381a2a9aSdr		break;
381a2a9aSdr	}
7c478bd9Sstevel@tonic-gate
381a2a9aSdr	if (net_data == NULL)
7c478bd9Sstevel@tonic-gate		return -1;
7c478bd9Sstevel@tonic-gate
381a2a9aSdr	phyif = (phy_if_t)ifptr;
ab25eeb5Syz
ab25eeb5Syz	switch (atype)
ab25eeb5Syz	{
ab25eeb5Syz	case FRI_PEERADDR :
381a2a9aSdr		type[0] = NA_PEER;
ab25eeb5Syz		break;
381a2a9aSdr
381a2a9aSdr	case FRI_BROADCAST :
381a2a9aSdr		type[0] = NA_BROADCAST;
381a2a9aSdr		break;
381a2a9aSdr
ab25eeb5Syz	default :
381a2a9aSdr		type[0] = NA_ADDRESS;
ab25eeb5Syz		break;
ab25eeb5Syz	}
7c478bd9Sstevel@tonic-gate
381a2a9aSdr	type[1] = NA_NETMASK;
381a2a9aSdr
381a2a9aSdr	if (v == 6) {
72680cf5SDarren Reed		lif_if_t idx = 0;
72680cf5SDarren Reed
72680cf5SDarren Reed		do {
72680cf5SDarren Reed			idx = net_lifgetnext(net_data, phyif, idx);
72680cf5SDarren Reed			if (net_getlifaddr(net_data, phyif, idx, 2, type,
72680cf5SDarren Reed					   array) < 0)
72680cf5SDarren Reed				return -1;
72680cf5SDarren Reed			if (!IN6_IS_ADDR_LINKLOCAL(&v6addr[0].sin6_addr) &&
72680cf5SDarren Reed			    !IN6_IS_ADDR_MULTICAST(&v6addr[0].sin6_addr))
72680cf5SDarren Reed				break;
72680cf5SDarren Reed		} while (idx != 0);
72680cf5SDarren Reed
72680cf5SDarren Reed		if (idx == 0)
72680cf5SDarren Reed			return -1;
72680cf5SDarren Reed
381a2a9aSdr		return fr_ifpfillv6addr(atype, &v6addr[0], &v6addr[1],
381a2a9aSdr					inp, inpmask);
7c478bd9Sstevel@tonic-gate	}
72680cf5SDarren Reed
72680cf5SDarren Reed	if (net_getlifaddr(net_data, phyif, 0, 2, type, array) < 0)
72680cf5SDarren Reed		return -1;
72680cf5SDarren Reed
381a2a9aSdr	return fr_ifpfillv4addr(atype, &v4addr[0], &v4addr[1], inp, inpmask);
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gateu_32_t fr_newisn(fin)
7c478bd9Sstevel@tonic-gatefr_info_t *fin;
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	static int iss_seq_off = 0;
7c478bd9Sstevel@tonic-gate	u_char hash[16];
7c478bd9Sstevel@tonic-gate	u_32_t newiss;
7c478bd9Sstevel@tonic-gate	MD5_CTX ctx;
f4b3ec61Sdh	ipf_stack_t *ifs = fin->fin_ifs;
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Compute the base value of the ISS.  It is a hash
7c478bd9Sstevel@tonic-gate	 * of (saddr, sport, daddr, dport, secret).
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	MD5Init(&ctx);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_src,
7c478bd9Sstevel@tonic-gate		  sizeof(fin->fin_fi.fi_src));
7c478bd9Sstevel@tonic-gate	MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_dst,
7c478bd9Sstevel@tonic-gate		  sizeof(fin->fin_fi.fi_dst));
7c478bd9Sstevel@tonic-gate	MD5Update(&ctx, (u_char *) &fin->fin_dat, sizeof(fin->fin_dat));
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh	MD5Update(&ctx, ifs->ifs_ipf_iss_secret, sizeof(ifs->ifs_ipf_iss_secret));
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	MD5Final(hash, &ctx);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	bcopy(hash, &newiss, sizeof(newiss));
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	/*
7c478bd9Sstevel@tonic-gate	 * Now increment our "timer", and add it in to
7c478bd9Sstevel@tonic-gate	 * the computed value.
7c478bd9Sstevel@tonic-gate	 *
7c478bd9Sstevel@tonic-gate	 * XXX Use `addin'?
7c478bd9Sstevel@tonic-gate	 * XXX TCP_ISSINCR too large to use?
7c478bd9Sstevel@tonic-gate	 */
7c478bd9Sstevel@tonic-gate	iss_seq_off += 0x00010000;
7c478bd9Sstevel@tonic-gate	newiss += iss_seq_off;
7c478bd9Sstevel@tonic-gate	return newiss;
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate/* ------------------------------------------------------------------------ */
7c478bd9Sstevel@tonic-gate/* Function:    fr_nextipid                                                 */
7c478bd9Sstevel@tonic-gate/* Returns:     int - 0 == success, -1 == error (packet should be droppped) */
7c478bd9Sstevel@tonic-gate/* Parameters:  fin(I) - pointer to packet information                      */
7c478bd9Sstevel@tonic-gate/*                                                                          */
7c478bd9Sstevel@tonic-gate/* Returns the next IPv4 ID to use for this packet.                         */
7c478bd9Sstevel@tonic-gate/* ------------------------------------------------------------------------ */
ab25eeb5Syzu_short fr_nextipid(fin)
7c478bd9Sstevel@tonic-gatefr_info_t *fin;
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate	static u_short ipid = 0;
7c478bd9Sstevel@tonic-gate	u_short id;
f4b3ec61Sdh	ipf_stack_t *ifs = fin->fin_ifs;
7c478bd9Sstevel@tonic-gate
f4b3ec61Sdh	MUTEX_ENTER(&ifs->ifs_ipf_rw);
33f2fefdSDarren Reed	if (fin->fin_pktnum != 0) {
33f2fefdSDarren Reed		id = fin->fin_pktnum & 0xffff;
33f2fefdSDarren Reed	} else {
7c478bd9Sstevel@tonic-gate		id = ipid++;
33f2fefdSDarren Reed	}
f4b3ec61Sdh	MUTEX_EXIT(&ifs->ifs_ipf_rw);
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate	return id;
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#ifndef IPFILTER_CKSUM
7c478bd9Sstevel@tonic-gate/* ARGSUSED */
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gateINLINE void fr_checkv4sum(fin)
7c478bd9Sstevel@tonic-gatefr_info_t *fin;
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate#ifdef IPFILTER_CKSUM
7c478bd9Sstevel@tonic-gate	if (fr_checkl4sum(fin) == -1)
7c478bd9Sstevel@tonic-gate		fin->fin_flx |= FI_BAD;
7c478bd9Sstevel@tonic-gate#endif
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate
7c478bd9Sstevel@tonic-gate#ifdef USE_INET6
ab25eeb5Syz# ifndef IPFILTER_CKSUM
7663b816Sml/* ARGSUSED */
ab25eeb5Syz# endif
7c478bd9Sstevel@tonic-gateINLINE void fr_checkv6sum(fin)
7c478bd9Sstevel@tonic-gatefr_info_t *fin;
7c478bd9Sstevel@tonic-gate{
7c478bd9Sstevel@tonic-gate# ifdef IPFILTER_CKSUM
7c478bd9Sstevel@tonic-gate	if (fr_checkl4sum(fin) == -1)
7c478bd9Sstevel@tonic-gate		fin->fin_flx |= FI_BAD;
7c478bd9Sstevel@tonic-gate# endif
7c478bd9Sstevel@tonic-gate}
7c478bd9Sstevel@tonic-gate#endif /* USE_INET6 */
ab25eeb5Syz
ab25eeb5Syz
ab25eeb5Syz#if (SOLARIS2 < 7)
ab25eeb5Syzvoid fr_slowtimer()
ab25eeb5Syz#else
ab25eeb5Syz/*ARGSUSED*/
f4b3ec61Sdhvoid fr_slowtimer __P((void *arg))
ab25eeb5Syz#endif
ab25eeb5Syz{
f4b3ec61Sdh	ipf_stack_t *ifs = arg;
ab25eeb5Syz
44aaa2b6Sjojemann	READ_ENTER(&ifs->ifs_ipf_global);
44aaa2b6Sjojemann	if (ifs->ifs_fr_running != 1) {
44aaa2b6Sjojemann		ifs->ifs_fr_timer_id = NULL;
f4b3ec61Sdh		RWLOCK_EXIT(&ifs->ifs_ipf_global);
ab25eeb5Syz		return;
ab25eeb5Syz	}
fd636508Szf	ipf_expiretokens(ifs);
f4b3ec61Sdh	fr_fragexpire(ifs);
f4b3ec61Sdh	fr_timeoutstate(ifs);
f4b3ec61Sdh	fr_natexpire(ifs);
f4b3ec61Sdh	fr_authexpire(ifs);
f4b3ec61Sdh	ifs->ifs_fr_ticks++;
44aaa2b6Sjojemann	if (ifs->ifs_fr_running == 1)
f4b3ec61Sdh		ifs->ifs_fr_timer_id = timeout(fr_slowtimer, arg,
f4b3ec61Sdh		    drv_usectohz(500000));
ab25eeb5Syz	else
f4b3ec61Sdh		ifs->ifs_fr_timer_id = NULL;
f4b3ec61Sdh	RWLOCK_EXIT(&ifs->ifs_ipf_global);
ab25eeb5Syz}
ab25eeb5Syz
ab25eeb5Syz
381a2a9aSdr/* ------------------------------------------------------------------------ */
381a2a9aSdr/* Function:    fr_pullup                                                   */
381a2a9aSdr/* Returns:     NULL == pullup failed, else pointer to protocol header      */
381a2a9aSdr/* Parameters:  m(I)   - pointer to buffer where data packet starts         */
381a2a9aSdr/*              fin(I) - pointer to packet information                      */
381a2a9aSdr/*              len(I) - number of bytes to pullup                          */
381a2a9aSdr/*                                                                          */
381a2a9aSdr/* Attempt to move at least len bytes (from the start of the buffer) into a */
381a2a9aSdr/* single buffer for ease of access.  Operating system native functions are */
381a2a9aSdr/* used to manage buffers - if necessary.  If the entire packet ends up in  */
381a2a9aSdr/* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has  */
381a2a9aSdr/* not been called.  Both fin_ip and fin_dp are updated before exiting _IF_ */
381a2a9aSdr/* and ONLY if the pullup succeeds.                                         */
381a2a9aSdr/*                                                                          */
381a2a9aSdr/* We assume that 'min' is a pointer to a buffer that is part of the chain  */
381a2a9aSdr/* of buffers that starts at *fin->fin_mp.                                  */
381a2a9aSdr/* ------------------------------------------------------------------------ */
381a2a9aSdrvoid *fr_pullup(min, fin, len)
381a2a9aSdrmb_t *min;
381a2a9aSdrfr_info_t *fin;
381a2a9aSdrint len;
381a2a9aSdr{
381a2a9aSdr	qpktinfo_t *qpi = fin->fin_qpi;
381a2a9aSdr	int out = fin->fin_out, dpoff, ipoff;
381a2a9aSdr	mb_t *m = min, *m1, *m2;
381a2a9aSdr	char *ip;
08ee25aeSdr	uint32_t start, stuff, end, value, flags;
f4b3ec61Sdh	ipf_stack_t *ifs = fin->fin_ifs;
381a2a9aSdr
381a2a9aSdr	if (m == NULL)
381a2a9aSdr		return NULL;
381a2a9aSdr
381a2a9aSdr	ip = (char *)fin->fin_ip;
381a2a9aSdr	if ((fin->fin_flx & FI_COALESCE) != 0)
381a2a9aSdr		return ip;
381a2a9aSdr
381a2a9aSdr	ipoff = fin->fin_ipoff;
381a2a9aSdr	if (fin->fin_dp != NULL)
381a2a9aSdr		dpoff = (char *)fin->fin_dp - (char *)ip;
381a2a9aSdr	else
381a2a9aSdr		dpoff = 0;
381a2a9aSdr
40cdc2e8SAlexandr Nedvedicky	if (M_LEN(m) < len + ipoff) {
381a2a9aSdr
381a2a9aSdr		/*
381a2a9aSdr		 * pfil_precheck ensures the IP header is on a 32bit
381a2a9aSdr		 * aligned address so simply fail if that isn't currently
381a2a9aSdr		 * the case (should never happen).
381a2a9aSdr		 */
381a2a9aSdr		int inc = 0;
381a2a9aSdr
381a2a9aSdr		if (ipoff > 0) {
381a2a9aSdr			if ((ipoff & 3) != 0) {
381a2a9aSdr				inc = 4 - (ipoff & 3);
381a2a9aSdr				if (m->b_rptr - inc >= m->b_datap->db_base)
381a2a9aSdr					m->b_rptr -= inc;
381a2a9aSdr				else
381a2a9aSdr					inc = 0;
381a2a9aSdr			}
381a2a9aSdr		}
381a2a9aSdr
381a2a9aSdr		/*
381a2a9aSdr		 * XXX This is here as a work around for a bug with DEBUG
381a2a9aSdr		 * XXX Solaris kernels.  The problem is b_prev is used by IP
381a2a9aSdr		 * XXX code as a way to stash the phyint_index for a packet,
381a2a9aSdr		 * XXX this doesn't get reset by IP but freeb does an ASSERT()
381a2a9aSdr		 * XXX for both of these to be NULL.  See 6442390.
381a2a9aSdr		 */
381a2a9aSdr		m1 = m;
381a2a9aSdr		m2 = m->b_prev;
381a2a9aSdr
381a2a9aSdr		do {
381a2a9aSdr			m1->b_next = NULL;
381a2a9aSdr			m1->b_prev = NULL;
381a2a9aSdr			m1 = m1->b_cont;
381a2a9aSdr		} while (m1);
08ee25aeSdr
08ee25aeSdr		/*
08ee25aeSdr		 * Need to preserve checksum information by copying them
08ee25aeSdr		 * to newmp which heads the pulluped message.
08ee25aeSdr		 */
*ec71f88eSPatrick Mooney		mac_hcksum_get(m, &start, &stuff, &end, &value, &flags);
08ee25aeSdr
381a2a9aSdr		if (pullupmsg(m, len + ipoff + inc) == 0) {
f4b3ec61Sdh			ATOMIC_INCL(ifs->ifs_frstats[out].fr_pull[1]);
381a2a9aSdr			FREE_MB_T(*fin->fin_mp);
381a2a9aSdr			*fin->fin_mp = NULL;
381a2a9aSdr			fin->fin_m = NULL;
381a2a9aSdr			fin->fin_ip = NULL;
381a2a9aSdr			fin->fin_dp = NULL;
381a2a9aSdr			qpi->qpi_data = NULL;
381a2a9aSdr			return NULL;
381a2a9aSdr		}
08ee25aeSdr
*ec71f88eSPatrick Mooney		mac_hcksum_set(m, start, stuff, end, value, flags);
08ee25aeSdr
381a2a9aSdr		m->b_prev = m2;
381a2a9aSdr		m->b_rptr += inc;
381a2a9aSdr		fin->fin_m = m;
381a2a9aSdr		ip = MTOD(m, char *) + ipoff;
381a2a9aSdr		qpi->qpi_data = ip;
381a2a9aSdr	}
381a2a9aSdr
f4b3ec61Sdh	ATOMIC_INCL(ifs->ifs_frstats[out].fr_pull[0]);
381a2a9aSdr	fin->fin_ip = (ip_t *)ip;
381a2a9aSdr	if (fin->fin_dp != NULL)
381a2a9aSdr		fin->fin_dp = (char *)fin->fin_ip + dpoff;
381a2a9aSdr
381a2a9aSdr	if (len == fin->fin_plen)
381a2a9aSdr		fin->fin_flx |= FI_COALESCE;
381a2a9aSdr	return ip;
381a2a9aSdr}
381a2a9aSdr
381a2a9aSdr
ab25eeb5Syz/*
381a2a9aSdr * Function:	fr_verifysrc
381a2a9aSdr * Returns:	int (really boolean)
381a2a9aSdr * Parameters:	fin - packet information
381a2a9aSdr *
381a2a9aSdr * Check whether the packet has a valid source address for the interface on
381a2a9aSdr * which the packet arrived, implementing the "fr_chksrc" feature.
381a2a9aSdr * Returns true iff the packet's source address is valid.
381a2a9aSdr */
381a2a9aSdrint fr_verifysrc(fin)
381a2a9aSdrfr_info_t *fin;
381a2a9aSdr{
7ddc9b1aSDarren Reed	net_handle_t net_data_p;
381a2a9aSdr	phy_if_t phy_ifdata_routeto;
381a2a9aSdr	struct sockaddr	sin;
f4b3ec61Sdh	ipf_stack_t *ifs = fin->fin_ifs;
381a2a9aSdr
381a2a9aSdr	if (fin->fin_v == 4) {
f4b3ec61Sdh		net_data_p = ifs->ifs_ipf_ipv4;
381a2a9aSdr	} else if (fin->fin_v == 6) {
f4b3ec61Sdh		net_data_p = ifs->ifs_ipf_ipv6;
381a2a9aSdr	} else {
381a2a9aSdr		return (0);
381a2a9aSdr	}
381a2a9aSdr
381a2a9aSdr	/* Get the index corresponding to the if name */
381a2a9aSdr	sin.sa_family = (fin->fin_v == 4) ? AF_INET : AF_INET6;
381a2a9aSdr	bcopy(&fin->fin_saddr, &sin.sa_data, sizeof (struct in_addr));
7ddc9b1aSDarren Reed	phy_ifdata_routeto = net_routeto(net_data_p, &sin, NULL);
381a2a9aSdr
381a2a9aSdr	return (((phy_if_t)fin->fin_ifp == phy_ifdata_routeto) ? 1 : 0);
381a2a9aSdr}
381a2a9aSdr
546c3aa8SJerry Jelinek/*
546c3aa8SJerry Jelinek * Return true only if forwarding is enabled on the interface.
546c3aa8SJerry Jelinek */
546c3aa8SJerry Jelinekstatic int
546c3aa8SJerry Jelinekfr_forwarding_enabled(phy_if_t phyif, net_handle_t ndp)
546c3aa8SJerry Jelinek{
546c3aa8SJerry Jelinek	lif_if_t lif;
546c3aa8SJerry Jelinek
546c3aa8SJerry Jelinek	for (lif = net_lifgetnext(ndp, phyif, 0); lif > 0;
546c3aa8SJerry Jelinek	    lif = net_lifgetnext(ndp, phyif, lif)) {
546c3aa8SJerry Jelinek		int res;
546c3aa8SJerry Jelinek		uint64_t flags;
546c3aa8SJerry Jelinek
546c3aa8SJerry Jelinek		res = net_getlifflags(ndp, phyif, lif, &flags);
546c3aa8SJerry Jelinek		if (res != 0)
546c3aa8SJerry Jelinek			return (0);
546c3aa8SJerry Jelinek		if (flags & IFF_ROUTER)
546c3aa8SJerry Jelinek			return (1);
546c3aa8SJerry Jelinek	}
546c3aa8SJerry Jelinek
546c3aa8SJerry Jelinek	return (0);
546c3aa8SJerry Jelinek}
381a2a9aSdr
381a2a9aSdr/*
381a2a9aSdr * Function:	fr_fastroute
381a2a9aSdr * Returns:	 0: success;
381a2a9aSdr *		-1: failed
ab25eeb5Syz * Parameters:
381a2a9aSdr *	mb: the message block where ip head starts
381a2a9aSdr *	mpp: the pointer to the pointer of the orignal
381a2a9aSdr *		packet message
381a2a9aSdr *	fin: packet information
381a2a9aSdr *	fdp: destination interface information
381a2a9aSdr *	if it is NULL, no interface information provided.
ab25eeb5Syz *
ab25eeb5Syz * This function is for fastroute/to/dup-to rules. It calls
ab25eeb5Syz * pfil_make_lay2_packet to search route, make lay-2 header
ab25eeb5Syz * ,and identify output queue for the IP packet.
ab25eeb5Syz * The destination address depends on the following conditions:
ab25eeb5Syz * 1: for fastroute rule, fdp is passed in as NULL, so the
381a2a9aSdr *	destination address is the IP Packet's destination address
ab25eeb5Syz * 2: for to/dup-to rule, if an ip address is specified after
381a2a9aSdr *	the interface name, this address is the as destination
381a2a9aSdr *	address. Otherwise IP Packet's destination address is used
ab25eeb5Syz */
ab25eeb5Syzint fr_fastroute(mb, mpp, fin, fdp)
ab25eeb5Syzmblk_t *mb, **mpp;
ab25eeb5Syzfr_info_t *fin;
ab25eeb5Syzfrdest_t *fdp;
ab25eeb5Syz{
7ddc9b1aSDarren Reed        net_handle_t net_data_p;
7ddc9b1aSDarren Reed	net_inject_t *inj;
ab25eeb5Syz	mblk_t *mp = NULL;
381a2a9aSdr	frentry_t *fr = fin->fin_fr;
ab25eeb5Syz	qpktinfo_t *qpi;
ab25eeb5Syz	ip_t *ip;
381a2a9aSdr
381a2a9aSdr	struct sockaddr_in *sin;
381a2a9aSdr	struct sockaddr_in6 *sin6;
381a2a9aSdr	struct sockaddr *sinp;
f4b3ec61Sdh	ipf_stack_t *ifs = fin->fin_ifs;
ab25eeb5Syz#ifndef	sparc
ab25eeb5Syz	u_short __iplen, __ipoff;
ab25eeb5Syz#endif
381a2a9aSdr
381a2a9aSdr	if (fin->fin_v == 4) {
f4b3ec61Sdh		net_data_p = ifs->ifs_ipf_ipv4;
381a2a9aSdr	} else if (fin->fin_v == 6) {
f4b3ec61Sdh		net_data_p = ifs->ifs_ipf_ipv6;
381a2a9aSdr	} else {
381a2a9aSdr		return (-1);
381a2a9aSdr	}
381a2a9aSdr
546c3aa8SJerry Jelinek	/* Check the src here, fin_ifp is the src interface. */
546c3aa8SJerry Jelinek	if (!fr_forwarding_enabled((phy_if_t)fin->fin_ifp, net_data_p))
546c3aa8SJerry Jelinek		return (-1);
546c3aa8SJerry Jelinek
7ddc9b1aSDarren Reed	inj = net_inject_alloc(NETINFO_VERSION);
7ddc9b1aSDarren Reed	if (inj == NULL)
7ddc9b1aSDarren Reed		return -1;
7ddc9b1aSDarren Reed
ab25eeb5Syz	ip = fin->fin_ip;
ab25eeb5Syz	qpi = fin->fin_qpi;
ab25eeb5Syz
ab25eeb5Syz	/*
ab25eeb5Syz	 * If this is a duplicate mblk then we want ip to point at that
ab25eeb5Syz	 * data, not the original, if and only if it is already pointing at
ab25eeb5Syz	 * the current mblk data.
381a2a9aSdr	 *
381a2a9aSdr	 * Otherwise, if it's not a duplicate, and we're not already pointing
e6c6c1faSyz	 * at the current mblk data, then we want to ensure that the data
e6c6c1faSyz	 * points at ip.
ab25eeb5Syz	 */
381a2a9aSdr
381a2a9aSdr	if ((ip == (ip_t *)qpi->qpi_m->b_rptr) && (qpi->qpi_m != mb)) {
ab25eeb5Syz		ip = (ip_t *)mb->b_rptr;
381a2a9aSdr	} else if ((qpi->qpi_m == mb) && (ip != (ip_t *)qpi->qpi_m->b_rptr)) {
381a2a9aSdr		qpi->qpi_m->b_rptr = (uchar_t *)ip;
e6c6c1faSyz		qpi->qpi_off = 0;
e6c6c1faSyz	}
ab25eeb5Syz
ab25eeb5Syz	/*
ab25eeb5Syz	 * If there is another M_PROTO, we don't want it
ab25eeb5Syz	 */
ab25eeb5Syz	if (*mpp != mb) {
ab25eeb5Syz		mp = unlinkb(*mpp);
ab25eeb5Syz		freeb(*mpp);
ab25eeb5Syz		*mpp = mp;
ab25eeb5Syz	}
ab25eeb5Syz
7ddc9b1aSDarren Reed	sinp = (struct sockaddr *)&inj->ni_addr;
381a2a9aSdr	sin = (struct sockaddr_in *)sinp;
381a2a9aSdr	sin6 = (struct sockaddr_in6 *)sinp;
7ddc9b1aSDarren Reed	bzero((char *)&inj->ni_addr, sizeof (inj->ni_addr));
7ddc9b1aSDarren Reed	inj->ni_addr.ss_family = (fin->fin_v == 4) ? AF_INET : AF_INET6;
7ddc9b1aSDarren Reed	inj->ni_packet = mb;
ab25eeb5Syz
ab25eeb5Syz	/*
ab25eeb5Syz	 * In case we're here due to "to <if>" being used with
ab25eeb5Syz	 * "keep state", check that we're going in the correct
ab25eeb5Syz	 * direction.
ab25eeb5Syz	 */
381a2a9aSdr	if (fdp != NULL) {
381a2a9aSdr		if ((fr != NULL) && (fdp->fd_ifp != NULL) &&
381a2a9aSdr			(fin->fin_rev != 0) && (fdp == &fr->fr_tif))
381a2a9aSdr			goto bad_fastroute;
7ddc9b1aSDarren Reed		inj->ni_physical = (phy_if_t)fdp->fd_ifp;
ab25eeb5Syz		if (fin->fin_v == 4) {
381a2a9aSdr			sin->sin_addr = fdp->fd_ip;
381a2a9aSdr		} else {
381a2a9aSdr			sin6->sin6_addr = fdp->fd_ip6.in6;
ab25eeb5Syz		}
381a2a9aSdr	} else {
381a2a9aSdr		if (fin->fin_v == 4) {
381a2a9aSdr			sin->sin_addr = ip->ip_dst;
381a2a9aSdr		} else {
381a2a9aSdr			sin6->sin6_addr = ((ip6_t *)ip)->ip6_dst;
ab25eeb5Syz		}
7ddc9b1aSDarren Reed		inj->ni_physical = net_routeto(net_data_p, sinp, NULL);
ab25eeb5Syz	}
ab25eeb5Syz
546c3aa8SJerry Jelinek	/* we're checking the destinatation here */
546c3aa8SJerry Jelinek	if (!fr_forwarding_enabled(inj->ni_physical, net_data_p))
546c3aa8SJerry Jelinek		goto bad_fastroute;
546c3aa8SJerry Jelinek
edd26dc5Sdr	/*
edd26dc5Sdr	 * Clear the hardware checksum flags from packets that we are doing
edd26dc5Sdr	 * input processing on as leaving them set will cause the outgoing
edd26dc5Sdr	 * NIC (if it supports hardware checksum) to calculate them anew,
edd26dc5Sdr	 * using the old (correct) checksums as the pseudo value to start
edd26dc5Sdr	 * from.
edd26dc5Sdr	 */
edd26dc5Sdr	if (fin->fin_out == 0) {
edd26dc5Sdr		DB_CKSUMFLAGS(mb) = 0;
edd26dc5Sdr	}
c793af95Ssangeeta
381a2a9aSdr	*mpp = mb;
ab25eeb5Syz
381a2a9aSdr	if (fin->fin_out == 0) {
381a2a9aSdr		void *saveifp;
381a2a9aSdr		u_32_t pass;
ab25eeb5Syz
381a2a9aSdr		saveifp = fin->fin_ifp;
7ddc9b1aSDarren Reed		fin->fin_ifp = (void *)inj->ni_physical;
d3675867Sjojemann		fin->fin_flx &= ~FI_STATE;
381a2a9aSdr		fin->fin_out = 1;
381a2a9aSdr		(void) fr_acctpkt(fin, &pass);
381a2a9aSdr		fin->fin_fr = NULL;
381a2a9aSdr		if (!fr || !(fr->fr_flags & FR_RETMASK))
381a2a9aSdr			(void) fr_checkstate(fin, &pass);
d3675867Sjojemann		if (fr_checknatout(fin, NULL) == -1)
381a2a9aSdr			goto bad_fastroute;
381a2a9aSdr		fin->fin_out = 0;
381a2a9aSdr		fin->fin_ifp = saveifp;
381a2a9aSdr	}
381a2a9aSdr#ifndef	sparc
381a2a9aSdr	if (fin->fin_v == 4) {
381a2a9aSdr		__iplen = (u_short)ip->ip_len,
381a2a9aSdr		__ipoff = (u_short)ip->ip_off;
ab25eeb5Syz
381a2a9aSdr		ip->ip_len = htons(__iplen);
381a2a9aSdr		ip->ip_off = htons(__ipoff);
381a2a9aSdr	}
ab25eeb5Syz#endif
381a2a9aSdr
381a2a9aSdr	if (net_data_p) {
7ddc9b1aSDarren Reed		if (net_inject(net_data_p, NI_DIRECT_OUT, inj) < 0) {
7ddc9b1aSDarren Reed			net_inject_free(inj);
381a2a9aSdr			return (-1);
ab25eeb5Syz		}
ab25eeb5Syz	}
381a2a9aSdr
f4b3ec61Sdh	ifs->ifs_fr_frouteok[0]++;
7ddc9b1aSDarren Reed	net_inject_free(inj);
381a2a9aSdr	return 0;
ab25eeb5Syzbad_fastroute:
7ddc9b1aSDarren Reed	net_inject_free(inj);
ab25eeb5Syz	freemsg(mb);
f4b3ec61Sdh	ifs->ifs_fr_frouteok[1]++;
ab25eeb5Syz	return -1;
ab25eeb5Syz}
ab25eeb5Syz
ab25eeb5Syz
ab25eeb5Syz/* ------------------------------------------------------------------------ */
7ddc9b1aSDarren Reed/* Function:    ipf_hook4_out                                               */
381a2a9aSdr/* Returns:     int - 0 == packet ok, else problem, free packet if not done */
381a2a9aSdr/* Parameters:  event(I)     - pointer to event                             */
381a2a9aSdr/*              info(I)      - pointer to hook information for firewalling  */
ab25eeb5Syz/*                                                                          */
381a2a9aSdr/* Calling ipf_hook.                                                        */
381a2a9aSdr/* ------------------------------------------------------------------------ */
381a2a9aSdr/*ARGSUSED*/
7ddc9b1aSDarren Reedint ipf_hook4_out(hook_event_token_t token, hook_data_t info, void *arg)
381a2a9aSdr{
7ddc9b1aSDarren Reed	return ipf_hook(info, 1, 0, arg);
cbded9aeSdr}
cbded9aeSdr/*ARGSUSED*/
7ddc9b1aSDarren Reedint ipf_hook6_out(hook_event_token_t token, hook_data_t info, void *arg)
cbded9aeSdr{
7ddc9b1aSDarren Reed	return ipf_hook6(info, 1, 0, arg);
381a2a9aSdr}
381a2a9aSdr
381a2a9aSdr/* ------------------------------------------------------------------------ */
7ddc9b1aSDarren Reed/* Function:    ipf_hook4_in                                                */
381a2a9aSdr/* Returns:     int - 0 == packet ok, else problem, free packet if not done */
381a2a9aSdr/* Parameters:  event(I)     - pointer to event                             */
381a2a9aSdr/*              info(I)      - pointer to hook information for firewalling  */
ab25eeb5Syz/*                                                                          */
381a2a9aSdr/* Calling ipf_hook.                                                        */
ab25eeb5Syz/* ------------------------------------------------------------------------ */
381a2a9aSdr/*ARGSUSED*/
7ddc9b1aSDarren Reedint ipf_hook4_in(hook_event_token_t token, hook_data_t info, void *arg)
ab25eeb5Syz{
7ddc9b1aSDarren Reed	return ipf_hook(info, 0, 0, arg);
cbded9aeSdr}
cbded9aeSdr/*ARGSUSED*/
7ddc9b1aSDarren Reedint ipf_hook6_in(hook_event_token_t token, hook_data_t info, void *arg)
cbded9aeSdr{
7ddc9b1aSDarren Reed	return ipf_hook6(info, 0, 0, arg);
381a2a9aSdr}
ab25eeb5Syz
ab25eeb5Syz
381a2a9aSdr/* ------------------------------------------------------------------------ */
7ddc9b1aSDarren Reed/* Function:    ipf_hook4_loop_out                                          */
381a2a9aSdr/* Returns:     int - 0 == packet ok, else problem, free packet if not done */
381a2a9aSdr/* Parameters:  event(I)     - pointer to event                             */
381a2a9aSdr/*              info(I)      - pointer to hook information for firewalling  */
381a2a9aSdr/*                                                                          */
381a2a9aSdr/* Calling ipf_hook.                                                        */
381a2a9aSdr/* ------------------------------------------------------------------------ */
381a2a9aSdr/*ARGSUSED*/
7ddc9b1aSDarren Reedint ipf_hook4_loop_out(hook_event_token_t token, hook_data_t info, void *arg)
cbded9aeSdr{
7ddc9b1aSDarren Reed	return ipf_hook(info, 1, FI_NOCKSUM, arg);
cbded9aeSdr}
cbded9aeSdr/*ARGSUSED*/
7ddc9b1aSDarren Reedint ipf_hook6_loop_out(hook_event_token_t token, hook_data_t info, void *arg)
381a2a9aSdr{
7ddc9b1aSDarren Reed	return ipf_hook6(info, 1, FI_NOCKSUM, arg);
381a2a9aSdr}
ab25eeb5Syz
381a2a9aSdr/* ------------------------------------------------------------------------ */
40cdc2e8SAlexandr Nedvedicky/* Function:    ipf_hook4_loop_in                                           */
381a2a9aSdr/* Returns:     int - 0 == packet ok, else problem, free packet if not done */
381a2a9aSdr/* Parameters:  event(I)     - pointer to event                             */
381a2a9aSdr/*              info(I)      - pointer to hook information for firewalling  */
381a2a9aSdr/*                                                                          */
381a2a9aSdr/* Calling ipf_hook.                                                        */
381a2a9aSdr/* ------------------------------------------------------------------------ */
381a2a9aSdr/*ARGSUSED*/
40cdc2e8SAlexandr Nedvedickyint ipf_hook4_loop_in(hook_event_token_t token, hook_data_t info, void *arg)
cbded9aeSdr{
7ddc9b1aSDarren Reed	return ipf_hook(info, 0, FI_NOCKSUM, arg);
cbded9aeSdr}
cbded9aeSdr/*ARGSUSED*/
7ddc9b1aSDarren Reedint ipf_hook6_loop_in(hook_event_token_t token, hook_data_t info, void *arg)
381a2a9aSdr{
7ddc9b1aSDarren Reed	return ipf_hook6(info, 0, FI_NOCKSUM, arg);
381a2a9aSdr}
381a2a9aSdr
381a2a9aSdr/* ------------------------------------------------------------------------ */
381a2a9aSdr/* Function:    ipf_hook                                                    */
381a2a9aSdr/* Returns:     int - 0 == packet ok, else problem, free packet if not done */
381a2a9aSdr/* Parameters:  info(I)      - pointer to hook information for firewalling  */
381a2a9aSdr/*              out(I)       - whether packet is going in or out            */
381a2a9aSdr/*              loopback(I)  - whether packet is a loopback packet or not   */
381a2a9aSdr/*                                                                          */
381a2a9aSdr/* Stepping stone function between the IP mainline and IPFilter.  Extracts  */
381a2a9aSdr/* parameters out of the info structure and forms them up to be useful for  */
381a2a9aSdr/* calling ipfilter.                                                        */
381a2a9aSdr/* ------------------------------------------------------------------------ */
7ddc9b1aSDarren Reedint ipf_hook(hook_data_t info, int out, int loopback, void *arg)
381a2a9aSdr{
381a2a9aSdr	hook_pkt_event_t *fw;
7ddc9b1aSDarren Reed	ipf_stack_t *ifs;
381a2a9aSdr	qpktinfo_t qpi;
7ddc9b1aSDarren Reed	int rval, hlen;
381a2a9aSdr	u_short swap;
381a2a9aSdr	phy_if_t phy;
381a2a9aSdr	ip_t *ip;
381a2a9aSdr
7ddc9b1aSDarren Reed	ifs = arg;
381a2a9aSdr	fw = (hook_pkt_event_t *)info;
381a2a9aSdr
381a2a9aSdr	ASSERT(fw != NULL);
381a2a9aSdr	phy = (out == 0) ? fw->hpe_ifp : fw->hpe_ofp;
381a2a9aSdr
381a2a9aSdr	ip = fw->hpe_hdr;
cbded9aeSdr	swap = ntohs(ip->ip_len);
cbded9aeSdr	ip->ip_len = swap;
cbded9aeSdr	swap = ntohs(ip->ip_off);
cbded9aeSdr	ip->ip_off = swap;
cbded9aeSdr	hlen = IPH_HDR_LENGTH(ip);
381a2a9aSdr
381a2a9aSdr	qpi.qpi_m = fw->hpe_mb;
381a2a9aSdr	qpi.qpi_data = fw->hpe_hdr;
381a2a9aSdr	qpi.qpi_off = (char *)qpi.qpi_data - (char *)fw->hpe_mb->b_rptr;
381a2a9aSdr	qpi.qpi_ill = (void *)phy;
cbded9aeSdr	qpi.qpi_flags = fw->hpe_flags & (HPE_MULTICAST|HPE_BROADCAST);
cbded9aeSdr	if (qpi.qpi_flags)
cbded9aeSdr		qpi.qpi_flags |= FI_MBCAST;
cbded9aeSdr	qpi.qpi_flags |= loopback;
381a2a9aSdr
f4b3ec61Sdh	rval = fr_check(fw->hpe_hdr, hlen, qpi.qpi_ill, out,
7ddc9b1aSDarren Reed	    &qpi, fw->hpe_mp, ifs);
381a2a9aSdr
381a2a9aSdr	/* For fastroute cases, fr_check returns 0 with mp set to NULL */
381a2a9aSdr	if (rval == 0 && *(fw->hpe_mp) == NULL)
381a2a9aSdr		rval = 1;
381a2a9aSdr
cbded9aeSdr	/* Notify IP the packet mblk_t and IP header pointers. */
381a2a9aSdr	fw->hpe_mb = qpi.qpi_m;
381a2a9aSdr	fw->hpe_hdr = qpi.qpi_data;
cbded9aeSdr	if (rval == 0) {
381a2a9aSdr		ip = qpi.qpi_data;
381a2a9aSdr		swap = ntohs(ip->ip_len);
381a2a9aSdr		ip->ip_len = swap;
381a2a9aSdr		swap = ntohs(ip->ip_off);
381a2a9aSdr		ip->ip_off = swap;
381a2a9aSdr	}
381a2a9aSdr	return rval;
ab25eeb5Syz
381a2a9aSdr}
7ddc9b1aSDarren Reedint ipf_hook6(hook_data_t info, int out, int loopback, void *arg)
cbded9aeSdr{
cbded9aeSdr	hook_pkt_event_t *fw;
cbded9aeSdr	int rval, hlen;
cbded9aeSdr	qpktinfo_t qpi;
cbded9aeSdr	phy_if_t phy;
cbded9aeSdr
cbded9aeSdr	fw = (hook_pkt_event_t *)info;
cbded9aeSdr
cbded9aeSdr	ASSERT(fw != NULL);
cbded9aeSdr	phy = (out == 0) ? fw->hpe_ifp : fw->hpe_ofp;
cbded9aeSdr
cbded9aeSdr	hlen = sizeof (ip6_t);
cbded9aeSdr
cbded9aeSdr	qpi.qpi_m = fw->hpe_mb;
cbded9aeSdr	qpi.qpi_data = fw->hpe_hdr;
cbded9aeSdr	qpi.qpi_off = (char *)qpi.qpi_data - (char *)fw->hpe_mb->b_rptr;
cbded9aeSdr	qpi.qpi_ill = (void *)phy;
cbded9aeSdr	qpi.qpi_flags = fw->hpe_flags & (HPE_MULTICAST|HPE_BROADCAST);
cbded9aeSdr	if (qpi.qpi_flags)
cbded9aeSdr		qpi.qpi_flags |= FI_MBCAST;
cbded9aeSdr	qpi.qpi_flags |= loopback;
cbded9aeSdr
cbded9aeSdr	rval = fr_check(fw->hpe_hdr, hlen, qpi.qpi_ill, out,
7ddc9b1aSDarren Reed	    &qpi, fw->hpe_mp, arg);
cbded9aeSdr
cbded9aeSdr	/* For fastroute cases, fr_check returns 0 with mp set to NULL */
cbded9aeSdr	if (rval == 0 && *(fw->hpe_mp) == NULL)
cbded9aeSdr		rval = 1;
cbded9aeSdr
cbded9aeSdr	/* Notify IP the packet mblk_t and IP header pointers. */
cbded9aeSdr	fw->hpe_mb = qpi.qpi_m;
cbded9aeSdr	fw->hpe_hdr = qpi.qpi_data;
cbded9aeSdr	return rval;
cbded9aeSdr}
ab25eeb5Syz
ab25eeb5Syz
381a2a9aSdr/* ------------------------------------------------------------------------ */
381a2a9aSdr/* Function:    ipf_nic_event_v4                                            */
381a2a9aSdr/* Returns:     int - 0 == no problems encountered                          */
381a2a9aSdr/* Parameters:  event(I)     - pointer to event                             */
381a2a9aSdr/*              info(I)      - pointer to information about a NIC event     */
381a2a9aSdr/*                                                                          */
381a2a9aSdr/* Function to receive asynchronous NIC events from IP                      */
381a2a9aSdr/* ------------------------------------------------------------------------ */
381a2a9aSdr/*ARGSUSED*/
7ddc9b1aSDarren Reedint ipf_nic_event_v4(hook_event_token_t event, hook_data_t info, void *arg)
381a2a9aSdr{
381a2a9aSdr	struct sockaddr_in *sin;
381a2a9aSdr	hook_nic_event_t *hn;
7ddc9b1aSDarren Reed	ipf_stack_t *ifs = arg;
e8d569f4SAlexandr Nedvedicky	void *new_ifp = NULL;
e8d569f4SAlexandr Nedvedicky
e8d569f4SAlexandr Nedvedicky	if (ifs->ifs_fr_running <= 0)
e8d569f4SAlexandr Nedvedicky		return (0);
381a2a9aSdr
381a2a9aSdr	hn = (hook_nic_event_t *)info;
381a2a9aSdr
381a2a9aSdr	switch (hn->hne_event)
381a2a9aSdr	{
381a2a9aSdr	case NE_PLUMB :
a4cf92b0Sdr		frsync(IPFSYNC_NEWIFP, 4, (void *)hn->hne_nic, hn->hne_data,
d6c23f6fSyx		       ifs);
d6c23f6fSyx		fr_natifpsync(IPFSYNC_NEWIFP, 4, (void *)hn->hne_nic,
f4b3ec61Sdh			      hn->hne_data, ifs);
381a2a9aSdr		fr_statesync(IPFSYNC_NEWIFP, 4, (void *)hn->hne_nic,
f4b3ec61Sdh			     hn->hne_data, ifs);
381a2a9aSdr		break;
381a2a9aSdr
381a2a9aSdr	case NE_UNPLUMB :
f4b3ec61Sdh		frsync(IPFSYNC_OLDIFP, 4, (void *)hn->hne_nic, NULL, ifs);
d6c23f6fSyx		fr_natifpsync(IPFSYNC_OLDIFP, 4, (void *)hn->hne_nic, NULL,
d6c23f6fSyx			      ifs);
f4b3ec61Sdh		fr_statesync(IPFSYNC_OLDIFP, 4, (void *)hn->hne_nic, NULL, ifs);
381a2a9aSdr		break;
381a2a9aSdr
381a2a9aSdr	case NE_ADDRESS_CHANGE :
a4cf92b0Sdr		/*
a4cf92b0Sdr		 * We only respond to events for logical interface 0 because
a4cf92b0Sdr		 * IPFilter only uses the first address given to a network
a4cf92b0Sdr		 * interface.  We check for hne_lif==1 because the netinfo
a4cf92b0Sdr		 * code maps adds 1 to the lif number so that it can return
a4cf92b0Sdr		 * 0 to indicate "no more lifs" when walking them.
a4cf92b0Sdr		 */
a4cf92b0Sdr		if (hn->hne_lif == 1) {
a4cf92b0Sdr			frsync(IPFSYNC_RESYNC, 4, (void *)hn->hne_nic, NULL,
a4cf92b0Sdr			    ifs);
a4cf92b0Sdr			sin = hn->hne_data;
d6c23f6fSyx			fr_nataddrsync(4, (void *)hn->hne_nic, &sin->sin_addr,
a4cf92b0Sdr			    ifs);
a4cf92b0Sdr		}
381a2a9aSdr		break;
381a2a9aSdr
e8d569f4SAlexandr Nedvedicky#if SOLARIS2 >= 10
e8d569f4SAlexandr Nedvedicky	case NE_IFINDEX_CHANGE :
e8d569f4SAlexandr Nedvedicky		WRITE_ENTER(&ifs->ifs_ipf_mutex);
e8d569f4SAlexandr Nedvedicky
e8d569f4SAlexandr Nedvedicky		if (hn->hne_data != NULL) {
e8d569f4SAlexandr Nedvedicky			/*
e8d569f4SAlexandr Nedvedicky			 * The netinfo passes interface index as int (hne_data should be
e8d569f4SAlexandr Nedvedicky			 * handled as a pointer to int), which is always 32bit. We need to
e8d569f4SAlexandr Nedvedicky			 * convert it to void pointer here, since interfaces are
e8d569f4SAlexandr Nedvedicky			 * represented as pointers to void in IPF. The pointers are 64 bits
e8d569f4SAlexandr Nedvedicky			 * long on 64bit platforms. Doing something like
e8d569f4SAlexandr Nedvedicky			 *	(void *)((int) x)
e8d569f4SAlexandr Nedvedicky			 * will throw warning:
e8d569f4SAlexandr Nedvedicky			 *   "cast to pointer from integer of different size"
e8d569f4SAlexandr Nedvedicky			 * during 64bit compilation.
e8d569f4SAlexandr Nedvedicky			 *
e8d569f4SAlexandr Nedvedicky			 * The line below uses (size_t) to typecast int to
e8d569f4SAlexandr Nedvedicky			 * size_t, which might be 64bit/32bit (depending
e8d569f4SAlexandr Nedvedicky			 * on architecture). Once we have proper 64bit/32bit
e8d569f4SAlexandr Nedvedicky			 * type (size_t), we can safely convert it to void pointer.
e8d569f4SAlexandr Nedvedicky			 */
e8d569f4SAlexandr Nedvedicky			new_ifp = (void *)(size_t)*((int *)hn->hne_data);
e8d569f4SAlexandr Nedvedicky			fr_ifindexsync((void *)hn->hne_nic, new_ifp, ifs);
e8d569f4SAlexandr Nedvedicky			fr_natifindexsync((void *)hn->hne_nic, new_ifp, ifs);
e8d569f4SAlexandr Nedvedicky			fr_stateifindexsync((void *)hn->hne_nic, new_ifp, ifs);
e8d569f4SAlexandr Nedvedicky		}
e8d569f4SAlexandr Nedvedicky		RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
e8d569f4SAlexandr Nedvedicky		break;
e8d569f4SAlexandr Nedvedicky#endif
e8d569f4SAlexandr Nedvedicky
381a2a9aSdr	default :
381a2a9aSdr		break;
ab25eeb5Syz	}
ab25eeb5Syz
381a2a9aSdr	return 0;
381a2a9aSdr}
ab25eeb5Syz
381a2a9aSdr
381a2a9aSdr/* ------------------------------------------------------------------------ */
381a2a9aSdr/* Function:    ipf_nic_event_v6                                            */
381a2a9aSdr/* Returns:     int - 0 == no problems encountered                          */
381a2a9aSdr/* Parameters:  event(I)     - pointer to event                             */
381a2a9aSdr/*              info(I)      - pointer to information about a NIC event     */
381a2a9aSdr/*                                                                          */
381a2a9aSdr/* Function to receive asynchronous NIC events from IP                      */
381a2a9aSdr/* ------------------------------------------------------------------------ */
381a2a9aSdr/*ARGSUSED*/
7ddc9b1aSDarren Reedint ipf_nic_event_v6(hook_event_token_t event, hook_data_t info, void *arg)
381a2a9aSdr{
d6c23f6fSyx	struct sockaddr_in6 *sin6;
381a2a9aSdr	hook_nic_event_t *hn;
7ddc9b1aSDarren Reed	ipf_stack_t *ifs = arg;
e8d569f4SAlexandr Nedvedicky	void *new_ifp = NULL;
e8d569f4SAlexandr Nedvedicky
e8d569f4SAlexandr Nedvedicky	if (ifs->ifs_fr_running <= 0)
e8d569f4SAlexandr Nedvedicky		return (0);
381a2a9aSdr
381a2a9aSdr	hn = (hook_nic_event_t *)info;
381a2a9aSdr
381a2a9aSdr	switch (hn->hne_event)
381a2a9aSdr	{
381a2a9aSdr	case NE_PLUMB :
d6c23f6fSyx		frsync(IPFSYNC_NEWIFP, 6, (void *)hn->hne_nic,
d6c23f6fSyx		       hn->hne_data, ifs);
d6c23f6fSyx		fr_natifpsync(IPFSYNC_NEWIFP, 6, (void *)hn->hne_nic,
d6c23f6fSyx			      hn->hne_data, ifs);
381a2a9aSdr		fr_statesync(IPFSYNC_NEWIFP, 6, (void *)hn->hne_nic,
f4b3ec61Sdh			     hn->hne_data, ifs);
381a2a9aSdr		break;
381a2a9aSdr
381a2a9aSdr	case NE_UNPLUMB :
f4b3ec61Sdh		frsync(IPFSYNC_OLDIFP, 6, (void *)hn->hne_nic, NULL, ifs);
d6c23f6fSyx		fr_natifpsync(IPFSYNC_OLDIFP, 6, (void *)hn->hne_nic, NULL,
d6c23f6fSyx			      ifs);
f4b3ec61Sdh		fr_statesync(IPFSYNC_OLDIFP, 6, (void *)hn->hne_nic, NULL, ifs);
381a2a9aSdr		break;
381a2a9aSdr
381a2a9aSdr	case NE_ADDRESS_CHANGE :
d6c23f6fSyx		if (hn->hne_lif == 1) {
d6c23f6fSyx			sin6 = hn->hne_data;
d6c23f6fSyx			fr_nataddrsync(6, (void *)hn->hne_nic, &sin6->sin6_addr,
d6c23f6fSyx				       ifs);
d6c23f6fSyx		}
381a2a9aSdr		break;
e8d569f4SAlexandr Nedvedicky
e8d569f4SAlexandr Nedvedicky#if SOLARIS2 >= 10
e8d569f4SAlexandr Nedvedicky	case NE_IFINDEX_CHANGE :
e8d569f4SAlexandr Nedvedicky		WRITE_ENTER(&ifs->ifs_ipf_mutex);
e8d569f4SAlexandr Nedvedicky		if (hn->hne_data != NULL) {
e8d569f4SAlexandr Nedvedicky			/*
e8d569f4SAlexandr Nedvedicky			 * The netinfo passes interface index as int (hne_data should be
e8d569f4SAlexandr Nedvedicky			 * handled as a pointer to int), which is always 32bit. We need to
e8d569f4SAlexandr Nedvedicky			 * convert it to void pointer here, since interfaces are
e8d569f4SAlexandr Nedvedicky			 * represented as pointers to void in IPF. The pointers are 64 bits
e8d569f4SAlexandr Nedvedicky			 * long on 64bit platforms. Doing something like
e8d569f4SAlexandr Nedvedicky			 *	(void *)((int) x)
e8d569f4SAlexandr Nedvedicky			 * will throw warning:
e8d569f4SAlexandr Nedvedicky			 *   "cast to pointer from integer of different size"
e8d569f4SAlexandr Nedvedicky			 * during 64bit compilation.
e8d569f4SAlexandr Nedvedicky			 *
e8d569f4SAlexandr Nedvedicky			 * The line below uses (size_t) to typecast int to
e8d569f4SAlexandr Nedvedicky			 * size_t, which might be 64bit/32bit (depending
e8d569f4SAlexandr Nedvedicky			 * on architecture). Once we have proper 64bit/32bit
e8d569f4SAlexandr Nedvedicky			 * type (size_t), we can safely convert it to void pointer.
e8d569f4SAlexandr Nedvedicky			 */
e8d569f4SAlexandr Nedvedicky			new_ifp = (void *)(size_t)*((int *)hn->hne_data);
e8d569f4SAlexandr Nedvedicky			fr_ifindexsync((void *)hn->hne_nic, new_ifp, ifs);
e8d569f4SAlexandr Nedvedicky			fr_natifindexsync((void *)hn->hne_nic, new_ifp, ifs);
e8d569f4SAlexandr Nedvedicky			fr_stateifindexsync((void *)hn->hne_nic, new_ifp, ifs);
e8d569f4SAlexandr Nedvedicky		}
e8d569f4SAlexandr Nedvedicky		RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
e8d569f4SAlexandr Nedvedicky		break;
e8d569f4SAlexandr Nedvedicky#endif
e8d569f4SAlexandr Nedvedicky
381a2a9aSdr	default :
381a2a9aSdr		break;
381a2a9aSdr	}
381a2a9aSdr
381a2a9aSdr	return 0;
ab25eeb5Syz}
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky/*
a1173273SAlexandr Nedvedicky * Functions fr_make_rst(), fr_make_icmp_v4(), fr_make_icmp_v6()
a1173273SAlexandr Nedvedicky * are needed in Solaris kernel only. We don't need them in
a1173273SAlexandr Nedvedicky * ipftest to pretend the ICMP/RST packet was sent as a response.
a1173273SAlexandr Nedvedicky */
a1173273SAlexandr Nedvedicky#if defined(_KERNEL) && (SOLARIS2 >= 10)
a1173273SAlexandr Nedvedicky/* ------------------------------------------------------------------------ */
a1173273SAlexandr Nedvedicky/* Function:    fr_make_rst                                                 */
a1173273SAlexandr Nedvedicky/* Returns:     int - 0 on success, -1 on failure			    */
a1173273SAlexandr Nedvedicky/* Parameters:  fin(I) - pointer to packet information                      */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/* We must alter the original mblks passed to IPF from IP stack via	    */
a1173273SAlexandr Nedvedicky/* FW_HOOKS. FW_HOOKS interface is powerfull, but it has some limitations.  */
a1173273SAlexandr Nedvedicky/* IPF can basicaly do only these things with mblk representing the packet: */
a1173273SAlexandr Nedvedicky/*	leave it as it is (pass the packet)				    */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/*	discard it (block the packet)					    */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/*	alter it (i.e. NAT)						    */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/* As you can see IPF can not simply discard the mblk and supply a new one  */
a1173273SAlexandr Nedvedicky/* instead to IP stack via FW_HOOKS.					    */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/* The return-rst action for packets coming via NIC is handled as follows:  */
a1173273SAlexandr Nedvedicky/*	mblk with packet is discarded					    */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/*	new mblk with RST response is constructed and injected to network   */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/* IPF can't inject packets to loopback interface, this is just another	    */
a1173273SAlexandr Nedvedicky/* limitation we have to deal with here. The only option to send RST	    */
a1173273SAlexandr Nedvedicky/* response to offending TCP packet coming via loopback is to alter it.	    */
a1173273SAlexandr Nedvedicky/*									    */
a1173273SAlexandr Nedvedicky/* The fr_make_rst() function alters TCP SYN/FIN packet intercepted on	    */
a1173273SAlexandr Nedvedicky/* loopback interface into TCP RST packet. fin->fin_mp is pointer to	    */
a1173273SAlexandr Nedvedicky/* mblk L3 (IP) and L4 (TCP/UDP) packet headers.			    */
a1173273SAlexandr Nedvedicky/* ------------------------------------------------------------------------ */
a1173273SAlexandr Nedvedickyint fr_make_rst(fin)
a1173273SAlexandr Nedvedickyfr_info_t *fin;
a1173273SAlexandr Nedvedicky{
a1173273SAlexandr Nedvedicky	uint16_t tmp_port;
a1173273SAlexandr Nedvedicky	int rv = -1;
a1173273SAlexandr Nedvedicky	uint32_t old_ack;
a1173273SAlexandr Nedvedicky	tcphdr_t *tcp = NULL;
a1173273SAlexandr Nedvedicky	struct in_addr tmp_src;
a1173273SAlexandr Nedvedicky#ifdef USE_INET6
a1173273SAlexandr Nedvedicky	struct in6_addr	tmp_src6;
a1173273SAlexandr Nedvedicky#endif
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	ASSERT(fin->fin_p == IPPROTO_TCP);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * We do not need to adjust chksum, since it is not being checked by
a1173273SAlexandr Nedvedicky	 * Solaris IP stack for loopback clients.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	if ((fin->fin_v == 4) && (fin->fin_p == IPPROTO_TCP) &&
a1173273SAlexandr Nedvedicky	    ((tcp = (tcphdr_t *) fin->fin_dp) != NULL)) {
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky		if (tcp->th_flags & (TH_SYN | TH_FIN)) {
a1173273SAlexandr Nedvedicky			/* Swap IPv4 addresses. */
a1173273SAlexandr Nedvedicky			tmp_src = fin->fin_ip->ip_src;
a1173273SAlexandr Nedvedicky			fin->fin_ip->ip_src = fin->fin_ip->ip_dst;
a1173273SAlexandr Nedvedicky			fin->fin_ip->ip_dst = tmp_src;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky			rv = 0;
a1173273SAlexandr Nedvedicky		}
a1173273SAlexandr Nedvedicky		else
a1173273SAlexandr Nedvedicky			tcp = NULL;
a1173273SAlexandr Nedvedicky	}
a1173273SAlexandr Nedvedicky#ifdef USE_INET6
a1173273SAlexandr Nedvedicky	else if ((fin->fin_v == 6) && (fin->fin_p == IPPROTO_TCP) &&
a1173273SAlexandr Nedvedicky	    ((tcp = (tcphdr_t *) fin->fin_dp) != NULL)) {
a1173273SAlexandr Nedvedicky		/*
a1173273SAlexandr Nedvedicky		 * We are relying on fact the next header is TCP, which is true
a1173273SAlexandr Nedvedicky		 * for regular TCP packets coming in over loopback.
a1173273SAlexandr Nedvedicky		 */
a1173273SAlexandr Nedvedicky		if (tcp->th_flags & (TH_SYN | TH_FIN)) {
a1173273SAlexandr Nedvedicky			/* Swap IPv6 addresses. */
a1173273SAlexandr Nedvedicky			tmp_src6 = fin->fin_ip6->ip6_src;
a1173273SAlexandr Nedvedicky			fin->fin_ip6->ip6_src = fin->fin_ip6->ip6_dst;
a1173273SAlexandr Nedvedicky			fin->fin_ip6->ip6_dst = tmp_src6;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky			rv = 0;
a1173273SAlexandr Nedvedicky		}
a1173273SAlexandr Nedvedicky		else
a1173273SAlexandr Nedvedicky			tcp = NULL;
a1173273SAlexandr Nedvedicky	}
a1173273SAlexandr Nedvedicky#endif
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	if (tcp != NULL) {
a1173273SAlexandr Nedvedicky		/*
a1173273SAlexandr Nedvedicky		 * Adjust TCP header:
a1173273SAlexandr Nedvedicky		 *	swap ports,
a1173273SAlexandr Nedvedicky		 *	set flags,
a1173273SAlexandr Nedvedicky		 *	set correct ACK number
a1173273SAlexandr Nedvedicky		 */
a1173273SAlexandr Nedvedicky		tmp_port = tcp->th_sport;
a1173273SAlexandr Nedvedicky		tcp->th_sport = tcp->th_dport;
a1173273SAlexandr Nedvedicky		tcp->th_dport = tmp_port;
a1173273SAlexandr Nedvedicky		old_ack = tcp->th_ack;
a1173273SAlexandr Nedvedicky		tcp->th_ack = htonl(ntohl(tcp->th_seq) + 1);
a1173273SAlexandr Nedvedicky		tcp->th_seq = old_ack;
a1173273SAlexandr Nedvedicky		tcp->th_flags = TH_RST | TH_ACK;
a1173273SAlexandr Nedvedicky	}
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	return (rv);
a1173273SAlexandr Nedvedicky}
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky/* ------------------------------------------------------------------------ */
a1173273SAlexandr Nedvedicky/* Function:    fr_make_icmp_v4                                             */
a1173273SAlexandr Nedvedicky/* Returns:     int - 0 on success, -1 on failure			    */
a1173273SAlexandr Nedvedicky/* Parameters:  fin(I) - pointer to packet information                      */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/* Please read comment at fr_make_icmp() wrapper function to get an idea    */
a1173273SAlexandr Nedvedicky/* what is going to happen here and why. Once you read the comment there,   */
a1173273SAlexandr Nedvedicky/* continue here with next paragraph.					    */
a1173273SAlexandr Nedvedicky/*									    */
a1173273SAlexandr Nedvedicky/* To turn IPv4 packet into ICMPv4 response packet, these things must	    */
a1173273SAlexandr Nedvedicky/* happen here:								    */
a1173273SAlexandr Nedvedicky/*	(1) Original mblk is copied (duplicated).			    */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/*	(2) ICMP header is created.					    */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/*	(3) Link ICMP header with copy of original mblk, we have ICMPv4	    */
a1173273SAlexandr Nedvedicky/*	    data ready then.						    */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/*      (4) Swap IP addresses in original mblk and adjust IP header data.   */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/*	(5) The mblk containing original packet is trimmed to contain IP    */
a1173273SAlexandr Nedvedicky/*	    header only and ICMP chksum is computed.			    */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/*	(6) The ICMP header we have from (3) is linked to original mblk,    */
a1173273SAlexandr Nedvedicky/*	    which now contains new IP header. If original packet was spread */
a1173273SAlexandr Nedvedicky/*	    over several mblks, only the first mblk is kept.		    */
a1173273SAlexandr Nedvedicky/* ------------------------------------------------------------------------ */
a1173273SAlexandr Nedvedickystatic int fr_make_icmp_v4(fin)
a1173273SAlexandr Nedvedickyfr_info_t *fin;
a1173273SAlexandr Nedvedicky{
a1173273SAlexandr Nedvedicky	struct in_addr tmp_src;
6ccacea7SAlexandr Nedvedicky	tcphdr_t *tcp;
a1173273SAlexandr Nedvedicky	struct icmp *icmp;
a1173273SAlexandr Nedvedicky	mblk_t *mblk_icmp;
a1173273SAlexandr Nedvedicky	mblk_t *mblk_ip;
a1173273SAlexandr Nedvedicky	size_t icmp_pld_len;	/* octets to append to ICMP header */
a1173273SAlexandr Nedvedicky	size_t orig_iphdr_len;	/* length of IP header only */
a1173273SAlexandr Nedvedicky	uint32_t sum;
a1173273SAlexandr Nedvedicky	uint16_t *buf;
a1173273SAlexandr Nedvedicky	int len;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	if (fin->fin_v != 4)
a1173273SAlexandr Nedvedicky		return (-1);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * If we are dealing with TCP, then packet must be SYN/FIN to be routed
a1173273SAlexandr Nedvedicky	 * by IP stack. If it is not SYN/FIN, then we must drop it silently.
a1173273SAlexandr Nedvedicky	 */
6ccacea7SAlexandr Nedvedicky	tcp = (tcphdr_t *) fin->fin_dp;
6ccacea7SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	if ((fin->fin_p == IPPROTO_TCP) &&
6ccacea7SAlexandr Nedvedicky	    ((tcp == NULL) || ((tcp->th_flags & (TH_SYN | TH_FIN)) == 0)))
a1173273SAlexandr Nedvedicky		return (-1);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Step (1)
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * Make copy of original mblk.
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * We want to copy as much data as necessary, not less, not more.  The
a1173273SAlexandr Nedvedicky	 * ICMPv4 payload length for unreachable messages is:
a1173273SAlexandr Nedvedicky	 *	original IP header + 8 bytes of L4 (if there are any).
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * We determine if there are at least 8 bytes of L4 data following IP
a1173273SAlexandr Nedvedicky	 * header first.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	icmp_pld_len = (fin->fin_dlen > ICMPERR_ICMPHLEN) ?
a1173273SAlexandr Nedvedicky		ICMPERR_ICMPHLEN : fin->fin_dlen;
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Since we don't want to copy more data than necessary, we must trim
a1173273SAlexandr Nedvedicky	 * the original mblk here.  The right way (STREAMish) would be to use
a1173273SAlexandr Nedvedicky	 * adjmsg() to trim it.  However we would have to calculate the length
a1173273SAlexandr Nedvedicky	 * argument for adjmsg() from pointers we already have here.
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * Since we have pointers and offsets, it's faster and easier for
a1173273SAlexandr Nedvedicky	 * us to just adjust pointers by hand instead of using adjmsg().
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	fin->fin_m->b_wptr = (unsigned char *) fin->fin_dp;
a1173273SAlexandr Nedvedicky	fin->fin_m->b_wptr += icmp_pld_len;
a1173273SAlexandr Nedvedicky	icmp_pld_len = fin->fin_m->b_wptr - (unsigned char *) fin->fin_ip;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Also we don't want to copy any L2 stuff, which might precede IP
a1173273SAlexandr Nedvedicky	 * header, so we have have to set b_rptr to point to the start of IP
a1173273SAlexandr Nedvedicky	 * header.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	fin->fin_m->b_rptr += fin->fin_ipoff;
a1173273SAlexandr Nedvedicky	if ((mblk_ip = copyb(fin->fin_m)) == NULL)
a1173273SAlexandr Nedvedicky		return (-1);
a1173273SAlexandr Nedvedicky	fin->fin_m->b_rptr -= fin->fin_ipoff;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Step (2)
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * Create an ICMP header, which will be appened to original mblk later.
a1173273SAlexandr Nedvedicky	 * ICMP header is just another mblk.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	mblk_icmp = (mblk_t *) allocb(ICMPERR_ICMPHLEN, BPRI_HI);
a1173273SAlexandr Nedvedicky	if (mblk_icmp == NULL) {
a1173273SAlexandr Nedvedicky		FREE_MB_T(mblk_ip);
a1173273SAlexandr Nedvedicky		return (-1);
a1173273SAlexandr Nedvedicky	}
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	MTYPE(mblk_icmp) = M_DATA;
a1173273SAlexandr Nedvedicky	icmp = (struct icmp *) mblk_icmp->b_wptr;
a1173273SAlexandr Nedvedicky	icmp->icmp_type = ICMP_UNREACH;
a1173273SAlexandr Nedvedicky	icmp->icmp_code = fin->fin_icode & 0xFF;
a1173273SAlexandr Nedvedicky	icmp->icmp_void = 0;
a1173273SAlexandr Nedvedicky	icmp->icmp_cksum = 0;
a1173273SAlexandr Nedvedicky	mblk_icmp->b_wptr += ICMPERR_ICMPHLEN;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Step (3)
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * Complete ICMP packet - link ICMP header with L4 data from original
a1173273SAlexandr Nedvedicky	 * IP packet.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	linkb(mblk_icmp, mblk_ip);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Step (4)
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * Swap IP addresses and change IP header fields accordingly in
a1173273SAlexandr Nedvedicky	 * original IP packet.
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * There is a rule option return-icmp as a dest for physical
a1173273SAlexandr Nedvedicky	 * interfaces. This option becomes useless for loopback, since IPF box
a1173273SAlexandr Nedvedicky	 * uses same address as a loopback destination. We ignore the option
a1173273SAlexandr Nedvedicky	 * here, the ICMP packet will always look like as it would have been
a1173273SAlexandr Nedvedicky	 * sent from the original destination host.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	tmp_src = fin->fin_ip->ip_src;
a1173273SAlexandr Nedvedicky	fin->fin_ip->ip_src = fin->fin_ip->ip_dst;
a1173273SAlexandr Nedvedicky	fin->fin_ip->ip_dst = tmp_src;
a1173273SAlexandr Nedvedicky	fin->fin_ip->ip_p = IPPROTO_ICMP;
a1173273SAlexandr Nedvedicky	fin->fin_ip->ip_sum = 0;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Step (5)
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * We trim the orignal mblk to hold IP header only.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	fin->fin_m->b_wptr = fin->fin_dp;
a1173273SAlexandr Nedvedicky	orig_iphdr_len = fin->fin_m->b_wptr -
a1173273SAlexandr Nedvedicky			    (fin->fin_m->b_rptr + fin->fin_ipoff);
a1173273SAlexandr Nedvedicky	fin->fin_ip->ip_len = htons(icmp_pld_len + ICMPERR_ICMPHLEN +
a1173273SAlexandr Nedvedicky			    orig_iphdr_len);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * ICMP chksum calculation. The data we are calculating chksum for are
a1173273SAlexandr Nedvedicky	 * spread over two mblks, therefore we have to use two for loops.
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * First for loop computes chksum part for ICMP header.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	buf = (uint16_t *) icmp;
a1173273SAlexandr Nedvedicky	len = ICMPERR_ICMPHLEN;
a1173273SAlexandr Nedvedicky	for (sum = 0; len > 1; len -= 2)
a1173273SAlexandr Nedvedicky		sum += *buf++;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Here we add chksum part for ICMP payload.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	len = icmp_pld_len;
a1173273SAlexandr Nedvedicky	buf = (uint16_t *) mblk_ip->b_rptr;
a1173273SAlexandr Nedvedicky	for (; len > 1; len -= 2)
a1173273SAlexandr Nedvedicky		sum += *buf++;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Chksum is done.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	sum = (sum >> 16) + (sum & 0xffff);
a1173273SAlexandr Nedvedicky	sum += (sum >> 16);
a1173273SAlexandr Nedvedicky	icmp->icmp_cksum = ~sum;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Step (6)
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * Release all packet mblks, except the first one.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	if (fin->fin_m->b_cont != NULL) {
a1173273SAlexandr Nedvedicky		FREE_MB_T(fin->fin_m->b_cont);
a1173273SAlexandr Nedvedicky	}
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Append ICMP payload to first mblk, which already contains new IP
a1173273SAlexandr Nedvedicky	 * header.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	linkb(fin->fin_m, mblk_icmp);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	return (0);
a1173273SAlexandr Nedvedicky}
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky#ifdef USE_INET6
a1173273SAlexandr Nedvedicky/* ------------------------------------------------------------------------ */
a1173273SAlexandr Nedvedicky/* Function:    fr_make_icmp_v6                                             */
a1173273SAlexandr Nedvedicky/* Returns:     int - 0 on success, -1 on failure			    */
a1173273SAlexandr Nedvedicky/* Parameters:  fin(I) - pointer to packet information                      */
a1173273SAlexandr Nedvedicky/*									    */
a1173273SAlexandr Nedvedicky/* Please read comment at fr_make_icmp() wrapper function to get an idea    */
a1173273SAlexandr Nedvedicky/* what and why is going to happen here. Once you read the comment there,   */
a1173273SAlexandr Nedvedicky/* continue here with next paragraph.					    */
a1173273SAlexandr Nedvedicky/*									    */
a1173273SAlexandr Nedvedicky/* This function turns IPv6 packet (UDP, TCP, ...) into ICMPv6 response.    */
a1173273SAlexandr Nedvedicky/* The algorithm is fairly simple:					    */
a1173273SAlexandr Nedvedicky/*	1) We need to get copy of complete mblk.			    */
a1173273SAlexandr Nedvedicky/*									    */
a1173273SAlexandr Nedvedicky/*	2) New ICMPv6 header is created.				    */
a1173273SAlexandr Nedvedicky/*									    */
a1173273SAlexandr Nedvedicky/*	3) The copy of original mblk with packet is linked to ICMPv6	    */
a1173273SAlexandr Nedvedicky/*	   header.							    */
a1173273SAlexandr Nedvedicky/*									    */
a1173273SAlexandr Nedvedicky/*	4) The checksum must be adjusted.				    */
a1173273SAlexandr Nedvedicky/*									    */
a1173273SAlexandr Nedvedicky/*	5) IP addresses in original mblk are swapped and IP header data	    */
a1173273SAlexandr Nedvedicky/*	   are adjusted (protocol number).				    */
a1173273SAlexandr Nedvedicky/*									    */
a1173273SAlexandr Nedvedicky/*	6) Original mblk is trimmed to hold IPv6 header only, then it is    */
a1173273SAlexandr Nedvedicky/*	   linked with the ICMPv6 data we got from (3).			    */
a1173273SAlexandr Nedvedicky/* ------------------------------------------------------------------------ */
a1173273SAlexandr Nedvedickystatic int fr_make_icmp_v6(fin)
a1173273SAlexandr Nedvedickyfr_info_t *fin;
a1173273SAlexandr Nedvedicky{
a1173273SAlexandr Nedvedicky	struct icmp6_hdr *icmp6;
6ccacea7SAlexandr Nedvedicky	tcphdr_t *tcp;
a1173273SAlexandr Nedvedicky	struct in6_addr	tmp_src6;
a1173273SAlexandr Nedvedicky	size_t icmp_pld_len;
a1173273SAlexandr Nedvedicky	mblk_t *mblk_ip, *mblk_icmp;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	if (fin->fin_v != 6)
a1173273SAlexandr Nedvedicky		return (-1);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * If we are dealing with TCP, then packet must SYN/FIN to be routed by
a1173273SAlexandr Nedvedicky	 * IP stack. If it is not SYN/FIN, then we must drop it silently.
a1173273SAlexandr Nedvedicky	 */
6ccacea7SAlexandr Nedvedicky	tcp = (tcphdr_t *) fin->fin_dp;
6ccacea7SAlexandr Nedvedicky
6ccacea7SAlexandr Nedvedicky	if ((fin->fin_p == IPPROTO_TCP) &&
6ccacea7SAlexandr Nedvedicky	    ((tcp == NULL) || ((tcp->th_flags & (TH_SYN | TH_FIN)) == 0)))
a1173273SAlexandr Nedvedicky		return (-1);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Step (1)
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * We need to copy complete packet in case of IPv6, no trimming is
a1173273SAlexandr Nedvedicky	 * needed (except the L2 headers).
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	icmp_pld_len = M_LEN(fin->fin_m);
a1173273SAlexandr Nedvedicky	fin->fin_m->b_rptr += fin->fin_ipoff;
a1173273SAlexandr Nedvedicky	if ((mblk_ip = copyb(fin->fin_m)) == NULL)
a1173273SAlexandr Nedvedicky		return (-1);
a1173273SAlexandr Nedvedicky	fin->fin_m->b_rptr -= fin->fin_ipoff;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Step (2)
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * Allocate and create ICMP header.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	mblk_icmp = (mblk_t *) allocb(sizeof (struct icmp6_hdr),
a1173273SAlexandr Nedvedicky			BPRI_HI);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	if (mblk_icmp == NULL)
a1173273SAlexandr Nedvedicky		return (-1);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	MTYPE(mblk_icmp) = M_DATA;
a1173273SAlexandr Nedvedicky	icmp6 =  (struct icmp6_hdr *) mblk_icmp->b_wptr;
a1173273SAlexandr Nedvedicky	icmp6->icmp6_type = ICMP6_DST_UNREACH;
a1173273SAlexandr Nedvedicky	icmp6->icmp6_code = fin->fin_icode & 0xFF;
a1173273SAlexandr Nedvedicky	icmp6->icmp6_data32[0] = 0;
a1173273SAlexandr Nedvedicky	mblk_icmp->b_wptr += sizeof (struct icmp6_hdr);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Step (3)
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * Link the copy of IP packet to ICMP header.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	linkb(mblk_icmp, mblk_ip);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Step (4)
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * Calculate chksum - this is much more easier task than in case of
a1173273SAlexandr Nedvedicky	 * IPv4  - ICMPv6 chksum only covers IP addresses, and payload length.
a1173273SAlexandr Nedvedicky	 * We are making compensation just for change of packet length.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	icmp6->icmp6_cksum = icmp_pld_len + sizeof (struct icmp6_hdr);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Step (5)
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * Swap IP addresses.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	tmp_src6 = fin->fin_ip6->ip6_src;
a1173273SAlexandr Nedvedicky	fin->fin_ip6->ip6_src = fin->fin_ip6->ip6_dst;
a1173273SAlexandr Nedvedicky	fin->fin_ip6->ip6_dst = tmp_src6;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * and adjust IP header data.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	fin->fin_ip6->ip6_nxt = IPPROTO_ICMPV6;
a1173273SAlexandr Nedvedicky	fin->fin_ip6->ip6_plen = htons(icmp_pld_len + sizeof (struct icmp6_hdr));
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Step (6)
a1173273SAlexandr Nedvedicky	 *
a1173273SAlexandr Nedvedicky	 * We must release all linked mblks from original packet and keep only
a1173273SAlexandr Nedvedicky	 * the first mblk with IP header to link ICMP data.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	fin->fin_m->b_wptr = (unsigned char *) fin->fin_ip6 + sizeof (ip6_t);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	if (fin->fin_m->b_cont != NULL) {
a1173273SAlexandr Nedvedicky		FREE_MB_T(fin->fin_m->b_cont);
a1173273SAlexandr Nedvedicky	}
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	/*
a1173273SAlexandr Nedvedicky	 * Append ICMP payload to IP header.
a1173273SAlexandr Nedvedicky	 */
a1173273SAlexandr Nedvedicky	linkb(fin->fin_m, mblk_icmp);
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	return (0);
a1173273SAlexandr Nedvedicky}
a1173273SAlexandr Nedvedicky#endif	/* USE_INET6 */
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky/* ------------------------------------------------------------------------ */
a1173273SAlexandr Nedvedicky/* Function:    fr_make_icmp                                                */
a1173273SAlexandr Nedvedicky/* Returns:     int - 0 on success, -1 on failure			    */
a1173273SAlexandr Nedvedicky/* Parameters:  fin(I) - pointer to packet information                      */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/* We must alter the original mblks passed to IPF from IP stack via	    */
a1173273SAlexandr Nedvedicky/* FW_HOOKS. The reasons why we must alter packet are discussed within	    */
a1173273SAlexandr Nedvedicky/* comment at fr_make_rst() function.					    */
a1173273SAlexandr Nedvedicky/*									    */
a1173273SAlexandr Nedvedicky/* The fr_make_icmp() function acts as a wrapper, which passes the code	    */
a1173273SAlexandr Nedvedicky/* execution to	fr_make_icmp_v4() or fr_make_icmp_v6() depending on	    */
a1173273SAlexandr Nedvedicky/* protocol version. However there are some details, which are common to    */
a1173273SAlexandr Nedvedicky/* both IP versions. The details are going to be explained here.	    */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/* The packet looks as follows:						    */
a1173273SAlexandr Nedvedicky/*    xxx | IP hdr | IP payload    ...	| 				    */
a1173273SAlexandr Nedvedicky/*    ^   ^        ^            	^				    */
a1173273SAlexandr Nedvedicky/*    |   |        |            	|				    */
a1173273SAlexandr Nedvedicky/*    |   |        |		fin_m->b_wptr = fin->fin_dp + fin->fin_dlen */
a1173273SAlexandr Nedvedicky/*    |   |        |							    */
a1173273SAlexandr Nedvedicky/*    |   |        `- fin_m->fin_dp (in case of IPv4 points to L4 header)   */
a1173273SAlexandr Nedvedicky/*    |   |								    */
a1173273SAlexandr Nedvedicky/*    |   `- fin_m->b_rptr + fin_ipoff (fin_ipoff is most likely 0 in case  */
a1173273SAlexandr Nedvedicky/*    |      of loopback)						    */
a1173273SAlexandr Nedvedicky/*    |   								    */
a1173273SAlexandr Nedvedicky/*    `- fin_m->b_rptr -  points to L2 header in case of physical NIC	    */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/* All relevant IP headers are pulled up into the first mblk. It happened   */
a1173273SAlexandr Nedvedicky/* well in advance before the matching rule was found (the rule, which took */
a1173273SAlexandr Nedvedicky/* us here, to fr_make_icmp() function).				    */
a1173273SAlexandr Nedvedicky/*                                                                          */
a1173273SAlexandr Nedvedicky/* Both functions will turn packet passed in fin->fin_m mblk into a new	    */
a1173273SAlexandr Nedvedicky/* packet. New packet will be represented as chain of mblks.		    */
a1173273SAlexandr Nedvedicky/* orig mblk |- b_cont ---.						    */
a1173273SAlexandr Nedvedicky/*    ^                    `-> ICMP hdr |- b_cont--.			    */
a1173273SAlexandr Nedvedicky/*    |	                          ^	            `-> duped orig mblk	    */
a1173273SAlexandr Nedvedicky/*    |                           |				^	    */
a1173273SAlexandr Nedvedicky/*    `- The original mblk        |				|	    */
a1173273SAlexandr Nedvedicky/*       will be trimmed to       |				|	    */
a1173273SAlexandr Nedvedicky/*       to contain IP header     |				|	    */
a1173273SAlexandr Nedvedicky/*       only                     |				|	    */
a1173273SAlexandr Nedvedicky/*                                |				|	    */
a1173273SAlexandr Nedvedicky/*                                `- This is newly		|           */
a1173273SAlexandr Nedvedicky/*                                   allocated mblk to		|	    */
a1173273SAlexandr Nedvedicky/*                                   hold ICMPv6 data.		|	    */
a1173273SAlexandr Nedvedicky/*								|	    */
a1173273SAlexandr Nedvedicky/*								|	    */
a1173273SAlexandr Nedvedicky/*								|	    */
a1173273SAlexandr Nedvedicky/*	    This is the copy of original mblk, it will contain -'	    */
a1173273SAlexandr Nedvedicky/*	    orignal IP  packet in case of ICMPv6. In case of		    */
a1173273SAlexandr Nedvedicky/*	    ICMPv4 it will contain up to 8 bytes of IP payload		    */
a1173273SAlexandr Nedvedicky/*	    (TCP/UDP/L4) data from original packet.			    */
a1173273SAlexandr Nedvedicky/* ------------------------------------------------------------------------ */
a1173273SAlexandr Nedvedickyint fr_make_icmp(fin)
a1173273SAlexandr Nedvedickyfr_info_t *fin;
a1173273SAlexandr Nedvedicky{
a1173273SAlexandr Nedvedicky	int rv;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	if (fin->fin_v == 4)
a1173273SAlexandr Nedvedicky		rv = fr_make_icmp_v4(fin);
a1173273SAlexandr Nedvedicky#ifdef USE_INET6
a1173273SAlexandr Nedvedicky	else if (fin->fin_v == 6)
a1173273SAlexandr Nedvedicky		rv = fr_make_icmp_v6(fin);
a1173273SAlexandr Nedvedicky#endif
a1173273SAlexandr Nedvedicky	else
a1173273SAlexandr Nedvedicky		rv = -1;
a1173273SAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky	return (rv);
a1173273SAlexandr Nedvedicky}
d0dd088cSAlexandr Nedvedicky
d0dd088cSAlexandr Nedvedicky/* ------------------------------------------------------------------------ */
d0dd088cSAlexandr Nedvedicky/* Function:    fr_buf_sum						    */
d0dd088cSAlexandr Nedvedicky/* Returns:     unsigned int - sum of buffer buf			    */
d0dd088cSAlexandr Nedvedicky/* Parameters:  buf - pointer to buf we want to sum up			    */
d0dd088cSAlexandr Nedvedicky/*              len - length of buffer buf				    */
d0dd088cSAlexandr Nedvedicky/*                                                                          */
d0dd088cSAlexandr Nedvedicky/* Sums buffer buf. The result is used for chksum calculation. The buf	    */
d0dd088cSAlexandr Nedvedicky/* argument must be aligned.						    */
d0dd088cSAlexandr Nedvedicky/* ------------------------------------------------------------------------ */
d0dd088cSAlexandr Nedvedickystatic uint32_t fr_buf_sum(buf, len)
d0dd088cSAlexandr Nedvedickyconst void *buf;
d0dd088cSAlexandr Nedvedickyunsigned int len;
d0dd088cSAlexandr Nedvedicky{
d0dd088cSAlexandr Nedvedicky	uint32_t	sum = 0;
d0dd088cSAlexandr Nedvedicky	uint16_t	*b = (uint16_t *)buf;
d0dd088cSAlexandr Nedvedicky
d0dd088cSAlexandr Nedvedicky	while (len > 1) {
d0dd088cSAlexandr Nedvedicky		sum += *b++;
d0dd088cSAlexandr Nedvedicky		len -= 2;
d0dd088cSAlexandr Nedvedicky	}
d0dd088cSAlexandr Nedvedicky
d0dd088cSAlexandr Nedvedicky	if (len == 1)
d0dd088cSAlexandr Nedvedicky		sum += htons((*(unsigned char *)b) << 8);
d0dd088cSAlexandr Nedvedicky
d0dd088cSAlexandr Nedvedicky	return (sum);
d0dd088cSAlexandr Nedvedicky}
d0dd088cSAlexandr Nedvedicky
d0dd088cSAlexandr Nedvedicky/* ------------------------------------------------------------------------ */
d0dd088cSAlexandr Nedvedicky/* Function:    fr_calc_chksum						    */
d0dd088cSAlexandr Nedvedicky/* Returns:     void							    */
d0dd088cSAlexandr Nedvedicky/* Parameters:  fin - pointer to fr_info_t instance with packet data	    */
d0dd088cSAlexandr Nedvedicky/*              pkt - pointer to duplicated packet			    */
d0dd088cSAlexandr Nedvedicky/*                                                                          */
d0dd088cSAlexandr Nedvedicky/* Calculates all chksums (L3, L4) for packet pkt. Works for both IP	    */
d0dd088cSAlexandr Nedvedicky/* versions.								    */
d0dd088cSAlexandr Nedvedicky/* ------------------------------------------------------------------------ */
d0dd088cSAlexandr Nedvedickyvoid fr_calc_chksum(fin, pkt)
d0dd088cSAlexandr Nedvedickyfr_info_t *fin;
d0dd088cSAlexandr Nedvedickymb_t *pkt;
d0dd088cSAlexandr Nedvedicky{
d0dd088cSAlexandr Nedvedicky	struct pseudo_hdr {
d0dd088cSAlexandr Nedvedicky		union {
d0dd088cSAlexandr Nedvedicky			struct in_addr	in4;
d0dd088cSAlexandr Nedvedicky#ifdef USE_INET6
d0dd088cSAlexandr Nedvedicky			struct in6_addr	in6;
d0dd088cSAlexandr Nedvedicky#endif
d0dd088cSAlexandr Nedvedicky		} src_addr;
d0dd088cSAlexandr Nedvedicky		union {
d0dd088cSAlexandr Nedvedicky			struct in_addr	in4;
d0dd088cSAlexandr Nedvedicky#ifdef USE_INET6
d0dd088cSAlexandr Nedvedicky			struct in6_addr	in6;
d0dd088cSAlexandr Nedvedicky#endif
d0dd088cSAlexandr Nedvedicky		} dst_addr;
d0dd088cSAlexandr Nedvedicky		char		zero;
d0dd088cSAlexandr Nedvedicky		char		proto;
d0dd088cSAlexandr Nedvedicky		uint16_t	len;
d0dd088cSAlexandr Nedvedicky	}	phdr;
d0dd088cSAlexandr Nedvedicky	uint32_t	sum, ip_sum;
d0dd088cSAlexandr Nedvedicky	void	*buf;
d0dd088cSAlexandr Nedvedicky	uint16_t	*l4_csum_p;
d0dd088cSAlexandr Nedvedicky	tcphdr_t	*tcp;
d0dd088cSAlexandr Nedvedicky	udphdr_t	*udp;
d0dd088cSAlexandr Nedvedicky	icmphdr_t	*icmp;
d0dd088cSAlexandr Nedvedicky#ifdef USE_INET6
d0dd088cSAlexandr Nedvedicky	struct icmp6_hdr	*icmp6;
d0dd088cSAlexandr Nedvedicky#endif
d0dd088cSAlexandr Nedvedicky	ip_t		*ip;
d0dd088cSAlexandr Nedvedicky	unsigned int	len;
d0dd088cSAlexandr Nedvedicky	int		pld_len;
d0dd088cSAlexandr Nedvedicky
d0dd088cSAlexandr Nedvedicky	/*
d0dd088cSAlexandr Nedvedicky	 * We need to pullup the packet to the single continuous buffer to avoid
d0dd088cSAlexandr Nedvedicky	 * potential misaligment of b_rptr member in mblk chain.
d0dd088cSAlexandr Nedvedicky	 */
d0dd088cSAlexandr Nedvedicky	if (pullupmsg(pkt, -1) == 0) {
d0dd088cSAlexandr Nedvedicky		cmn_err(CE_WARN, "Failed to pullup loopback pkt -> chksum"
d0dd088cSAlexandr Nedvedicky		    " will not be computed by IPF");
d0dd088cSAlexandr Nedvedicky		return;
d0dd088cSAlexandr Nedvedicky	}
d0dd088cSAlexandr Nedvedicky
d0dd088cSAlexandr Nedvedicky	/*
d0dd088cSAlexandr Nedvedicky	 * It is guaranteed IP header starts right at b_rptr, because we are
d0dd088cSAlexandr Nedvedicky	 * working with a copy of the original packet.
d0dd088cSAlexandr Nedvedicky	 *
d0dd088cSAlexandr Nedvedicky	 * Compute pseudo header chksum for TCP and UDP.
d0dd088cSAlexandr Nedvedicky	 */
d0dd088cSAlexandr Nedvedicky	if ((fin->fin_p == IPPROTO_UDP) ||
d0dd088cSAlexandr Nedvedicky	    (fin->fin_p == IPPROTO_TCP)) {
d0dd088cSAlexandr Nedvedicky		bzero(&phdr, sizeof (phdr));
d0dd088cSAlexandr Nedvedicky#ifdef USE_INET6
d0dd088cSAlexandr Nedvedicky		if (fin->fin_v == 6) {
d0dd088cSAlexandr Nedvedicky			phdr.src_addr.in6 = fin->fin_srcip6;
d0dd088cSAlexandr Nedvedicky			phdr.dst_addr.in6 = fin->fin_dstip6;
d0dd088cSAlexandr Nedvedicky		} else {
d0dd088cSAlexandr Nedvedicky			phdr.src_addr.in4 = fin->fin_src;
d0dd088cSAlexandr Nedvedicky			phdr.dst_addr.in4 = fin->fin_dst;
d0dd088cSAlexandr Nedvedicky		}
d0dd088cSAlexandr Nedvedicky#else
d0dd088cSAlexandr Nedvedicky		phdr.src_addr.in4 = fin->fin_src;
d0dd088cSAlexandr Nedvedicky		phdr.dst_addr.in4 = fin->fin_dst;
d0dd088cSAlexandr Nedvedicky#endif
d0dd088cSAlexandr Nedvedicky		phdr.zero = (char) 0;
d0dd088cSAlexandr Nedvedicky		phdr.proto = fin->fin_p;
d0dd088cSAlexandr Nedvedicky		phdr.len = htons((uint16_t)fin->fin_dlen);
d0dd088cSAlexandr Nedvedicky		sum = fr_buf_sum(&phdr, (unsigned int)sizeof (phdr));
d0dd088cSAlexandr Nedvedicky	} else {
d0dd088cSAlexandr Nedvedicky		sum = 0;
d0dd088cSAlexandr Nedvedicky	}
d0dd088cSAlexandr Nedvedicky
d0dd088cSAlexandr Nedvedicky	/*
d0dd088cSAlexandr Nedvedicky	 * Set pointer to the L4 chksum field in the packet, set buf pointer to
d0dd088cSAlexandr Nedvedicky	 * the L4 header start.
d0dd088cSAlexandr Nedvedicky	 */
d0dd088cSAlexandr Nedvedicky	switch (fin->fin_p) {
d0dd088cSAlexandr Nedvedicky		case IPPROTO_UDP:
d0dd088cSAlexandr Nedvedicky			udp = (udphdr_t *)(pkt->b_rptr + fin->fin_hlen);
d0dd088cSAlexandr Nedvedicky			l4_csum_p = &udp->uh_sum;
d0dd088cSAlexandr Nedvedicky			buf = udp;
d0dd088cSAlexandr Nedvedicky			break;
d0dd088cSAlexandr Nedvedicky		case IPPROTO_TCP:
d0dd088cSAlexandr Nedvedicky			tcp = (tcphdr_t *)(pkt->b_rptr + fin->fin_hlen);
d0dd088cSAlexandr Nedvedicky			l4_csum_p = &tcp->th_sum;
d0dd088cSAlexandr Nedvedicky			buf = tcp;
d0dd088cSAlexandr Nedvedicky			break;
d0dd088cSAlexandr Nedvedicky		case IPPROTO_ICMP:
d0dd088cSAlexandr Nedvedicky			icmp = (icmphdr_t *)(pkt->b_rptr + fin->fin_hlen);
d0dd088cSAlexandr Nedvedicky			l4_csum_p = &icmp->icmp_cksum;
d0dd088cSAlexandr Nedvedicky			buf = icmp;
d0dd088cSAlexandr Nedvedicky			break;
d0dd088cSAlexandr Nedvedicky#ifdef USE_INET6
d0dd088cSAlexandr Nedvedicky		case IPPROTO_ICMPV6:
d0dd088cSAlexandr Nedvedicky			icmp6 = (struct icmp6_hdr *)(pkt->b_rptr + fin->fin_hlen);
d0dd088cSAlexandr Nedvedicky			l4_csum_p = &icmp6->icmp6_cksum;
d0dd088cSAlexandr Nedvedicky			buf = icmp6;
d0dd088cSAlexandr Nedvedicky			break;
d0dd088cSAlexandr Nedvedicky#endif
d0dd088cSAlexandr Nedvedicky		default:
d0dd088cSAlexandr Nedvedicky			l4_csum_p = NULL;
d0dd088cSAlexandr Nedvedicky	}
d0dd088cSAlexandr Nedvedicky
d0dd088cSAlexandr Nedvedicky	/*
d0dd088cSAlexandr Nedvedicky	 * Compute L4 chksum if needed.
d0dd088cSAlexandr Nedvedicky	 */
d0dd088cSAlexandr Nedvedicky	if (l4_csum_p != NULL) {
d0dd088cSAlexandr Nedvedicky		*l4_csum_p = (uint16_t)0;
d0dd088cSAlexandr Nedvedicky		pld_len = fin->fin_dlen;
d0dd088cSAlexandr Nedvedicky		len = pkt->b_wptr - (unsigned char *)buf;
d0dd088cSAlexandr Nedvedicky		ASSERT(len == pld_len);
d0dd088cSAlexandr Nedvedicky		/*
d0dd088cSAlexandr Nedvedicky		 * Add payload sum to pseudoheader sum.
d0dd088cSAlexandr Nedvedicky		 */
d0dd088cSAlexandr Nedvedicky		sum += fr_buf_sum(buf, len);
d0dd088cSAlexandr Nedvedicky		while (sum >> 16)
d0dd088cSAlexandr Nedvedicky			sum = (sum & 0xFFFF) + (sum >> 16);
d0dd088cSAlexandr Nedvedicky
d0dd088cSAlexandr Nedvedicky		*l4_csum_p = ~((uint16_t)sum);
d0dd088cSAlexandr Nedvedicky		DTRACE_PROBE1(l4_sum, uint16_t, *l4_csum_p);
d0dd088cSAlexandr Nedvedicky	}
d0dd088cSAlexandr Nedvedicky
d0dd088cSAlexandr Nedvedicky	/*
d0dd088cSAlexandr Nedvedicky	 * The IP header chksum is needed just for IPv4.
d0dd088cSAlexandr Nedvedicky	 */
d0dd088cSAlexandr Nedvedicky	if (fin->fin_v == 4) {
d0dd088cSAlexandr Nedvedicky		/*
d0dd088cSAlexandr Nedvedicky		 * Compute IPv4 header chksum.
d0dd088cSAlexandr Nedvedicky		 */
d0dd088cSAlexandr Nedvedicky		ip = (ip_t *)pkt->b_rptr;
d0dd088cSAlexandr Nedvedicky		ip->ip_sum = (uint16_t)0;
d0dd088cSAlexandr Nedvedicky		ip_sum = fr_buf_sum(ip, (unsigned int)fin->fin_hlen);
d0dd088cSAlexandr Nedvedicky		while (ip_sum >> 16)
d0dd088cSAlexandr Nedvedicky			ip_sum = (ip_sum & 0xFFFF) + (ip_sum >> 16);
d0dd088cSAlexandr Nedvedicky
d0dd088cSAlexandr Nedvedicky		ip->ip_sum = ~((uint16_t)ip_sum);
d0dd088cSAlexandr Nedvedicky		DTRACE_PROBE1(l3_sum, uint16_t, ip->ip_sum);
d0dd088cSAlexandr Nedvedicky	}
d0dd088cSAlexandr Nedvedicky
d0dd088cSAlexandr Nedvedicky	return;
d0dd088cSAlexandr Nedvedicky}
d0dd088cSAlexandr Nedvedicky
a1173273SAlexandr Nedvedicky#endif	/* _KERNEL && SOLARIS2 >= 10 */