1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  * Copyright 2017 OmniTI Computer Consulting, Inc. All rights reserved.
26  * Copyright 2018 Joyent, Inc.
27  */
28 /* Copyright (c) 1990 Mentat Inc. */
29 
30 #include <sys/types.h>
31 #include <sys/stream.h>
32 #include <sys/strsubr.h>
33 #include <sys/dlpi.h>
34 #include <sys/strsun.h>
35 #include <sys/zone.h>
36 #include <sys/ddi.h>
37 #include <sys/sunddi.h>
38 #include <sys/cmn_err.h>
39 #include <sys/debug.h>
40 #include <sys/atomic.h>
41 
42 #include <sys/systm.h>
43 #include <sys/param.h>
44 #include <sys/kmem.h>
45 #include <sys/sdt.h>
46 #include <sys/socket.h>
47 #include <sys/mac.h>
48 #include <net/if.h>
49 #include <net/if_arp.h>
50 #include <net/route.h>
51 #include <sys/sockio.h>
52 #include <netinet/in.h>
53 #include <net/if_dl.h>
54 
55 #include <inet/common.h>
56 #include <inet/mi.h>
57 #include <inet/mib2.h>
58 #include <inet/nd.h>
59 #include <inet/arp.h>
60 #include <inet/snmpcom.h>
61 #include <inet/kstatcom.h>
62 
63 #include <netinet/igmp_var.h>
64 #include <netinet/ip6.h>
65 #include <netinet/icmp6.h>
66 #include <netinet/sctp.h>
67 
68 #include <inet/ip.h>
69 #include <inet/ip_impl.h>
70 #include <inet/ip6.h>
71 #include <inet/ip6_asp.h>
72 #include <inet/tcp.h>
73 #include <inet/ip_multi.h>
74 #include <inet/ip_if.h>
75 #include <inet/ip_ire.h>
76 #include <inet/ip_ftable.h>
77 #include <inet/ip_rts.h>
78 #include <inet/optcom.h>
79 #include <inet/ip_ndp.h>
80 #include <inet/ip_listutils.h>
81 #include <netinet/igmp.h>
82 #include <netinet/ip_mroute.h>
83 #include <inet/ipp_common.h>
84 
85 #include <net/pfkeyv2.h>
86 #include <inet/sadb.h>
87 #include <inet/ipsec_impl.h>
88 #include <inet/ipdrop.h>
89 #include <inet/ip_netinfo.h>
90 
91 #include <sys/pattr.h>
92 #include <inet/ipclassifier.h>
93 #include <inet/sctp_ip.h>
94 #include <inet/sctp/sctp_impl.h>
95 #include <inet/udp_impl.h>
96 #include <sys/sunddi.h>
97 
98 #include <sys/tsol/label.h>
99 #include <sys/tsol/tnet.h>
100 
101 #ifdef	DEBUG
102 extern boolean_t skip_sctp_cksum;
103 #endif
104 
105 int
ip_output_simple_v6(mblk_t * mp,ip_xmit_attr_t * ixa)106 ip_output_simple_v6(mblk_t *mp, ip_xmit_attr_t *ixa)
107 {
108 	ip6_t		*ip6h;
109 	in6_addr_t	firsthop; /* In IP header */
110 	in6_addr_t	dst;	/* End of source route, or ip6_dst if none */
111 	ire_t		*ire;
112 	in6_addr_t	setsrc;
113 	int		error;
114 	ill_t		*ill = NULL;
115 	dce_t		*dce = NULL;
116 	nce_t		*nce;
117 	iaflags_t	ixaflags = ixa->ixa_flags;
118 	ip_stack_t	*ipst = ixa->ixa_ipst;
119 	uint8_t		*nexthdrp;
120 	boolean_t	repeat = B_FALSE;
121 	boolean_t	multirt = B_FALSE;
122 	uint_t		ifindex;
123 	int64_t		now;
124 
125 	ip6h = (ip6_t *)mp->b_rptr;
126 	ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
127 
128 	ASSERT(ixa->ixa_nce == NULL);
129 
130 	ixa->ixa_pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
131 	ASSERT(ixa->ixa_pktlen == msgdsize(mp));
132 	if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &ixa->ixa_ip_hdr_length,
133 	    &nexthdrp)) {
134 		/* Malformed packet */
135 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
136 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
137 		ip_drop_output("ipIfStatsOutDiscards", mp, NULL);
138 		freemsg(mp);
139 		return (EINVAL);
140 	}
141 	ixa->ixa_protocol = *nexthdrp;
142 
143 	/*
144 	 * Assumes that source routed packets have already been massaged by
145 	 * the ULP (ip_massage_options_v6) and as a result ip6_dst is the next
146 	 * hop in the source route. The final destination is used for IPsec
147 	 * policy and DCE lookup.
148 	 */
149 	firsthop = ip6h->ip6_dst;
150 	dst = ip_get_dst_v6(ip6h, mp, NULL);
151 
152 repeat_ire:
153 	error = 0;
154 	setsrc = ipv6_all_zeros;
155 	ire = ip_select_route_v6(&firsthop, ip6h->ip6_src, ixa, NULL, &setsrc,
156 	    &error, &multirt);
157 	ASSERT(ire != NULL);	/* IRE_NOROUTE if none found */
158 	if (error != 0) {
159 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
160 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
161 		ip_drop_output("ipIfStatsOutDiscards", mp, NULL);
162 		freemsg(mp);
163 		goto done;
164 	}
165 
166 	if (ire->ire_flags & (RTF_BLACKHOLE|RTF_REJECT)) {
167 		/* ire_ill might be NULL hence need to skip some code */
168 		if (ixaflags & IXAF_SET_SOURCE)
169 			ip6h->ip6_src = ipv6_loopback;
170 		ixa->ixa_fragsize = IP_MAXPACKET;
171 		ire->ire_ob_pkt_count++;
172 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
173 		/* No dce yet; use default one */
174 		error = (ire->ire_sendfn)(ire, mp, ip6h, ixa,
175 		    &ipst->ips_dce_default->dce_ident);
176 		goto done;
177 	}
178 
179 	/* Note that ip6_dst is only used for IRE_MULTICAST */
180 	nce = ire_to_nce(ire, INADDR_ANY, &ip6h->ip6_dst);
181 	if (nce == NULL) {
182 		/* Allocation failure? */
183 		ip_drop_output("ire_to_nce", mp, ill);
184 		freemsg(mp);
185 		error = ENOBUFS;
186 		goto done;
187 	}
188 	if (nce->nce_is_condemned) {
189 		nce_t *nce1;
190 
191 		nce1 = ire_handle_condemned_nce(nce, ire, NULL, ip6h, B_TRUE);
192 		nce_refrele(nce);
193 		if (nce1 == NULL) {
194 			if (!repeat) {
195 				/* Try finding a better IRE */
196 				repeat = B_TRUE;
197 				ire_refrele(ire);
198 				goto repeat_ire;
199 			}
200 			/* Tried twice - drop packet */
201 			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
202 			ip_drop_output("No nce", mp, ill);
203 			freemsg(mp);
204 			error = ENOBUFS;
205 			goto done;
206 		}
207 		nce = nce1;
208 	}
209 	/*
210 	 * For multicast with multirt we have a flag passed back from
211 	 * ire_lookup_multi_ill_v6 since we don't have an IRE for each
212 	 * possible multicast address.
213 	 * We also need a flag for multicast since we can't check
214 	 * whether RTF_MULTIRT is set in ixa_ire for multicast.
215 	 */
216 	if (multirt) {
217 		ixa->ixa_postfragfn = ip_postfrag_multirt_v6;
218 		ixa->ixa_flags |= IXAF_MULTIRT_MULTICAST;
219 	} else {
220 		ixa->ixa_postfragfn = ire->ire_postfragfn;
221 		ixa->ixa_flags &= ~IXAF_MULTIRT_MULTICAST;
222 	}
223 	ASSERT(ixa->ixa_nce == NULL);
224 	ixa->ixa_nce = nce;
225 
226 	/*
227 	 * Check for a dce_t with a path mtu.
228 	 */
229 	ifindex = 0;
230 	if (IN6_IS_ADDR_LINKSCOPE(&dst))
231 		ifindex = nce->nce_common->ncec_ill->ill_phyint->phyint_ifindex;
232 
233 	dce = dce_lookup_v6(&dst, ifindex, ipst, NULL);
234 	ASSERT(dce != NULL);
235 
236 	if (!(ixaflags & IXAF_PMTU_DISCOVERY)) {
237 		ixa->ixa_fragsize = IPV6_MIN_MTU;
238 	} else if (dce->dce_flags & DCEF_PMTU) {
239 		/*
240 		 * To avoid a periodic timer to increase the path MTU we
241 		 * look at dce_last_change_time each time we send a packet.
242 		 */
243 		now = ddi_get_lbolt64();
244 		if (TICK_TO_SEC(now) - dce->dce_last_change_time >
245 		    ipst->ips_ip_pathmtu_interval) {
246 			/*
247 			 * Older than 20 minutes. Drop the path MTU information.
248 			 */
249 			mutex_enter(&dce->dce_lock);
250 			dce->dce_flags &= ~DCEF_PMTU;
251 			dce->dce_last_change_time = TICK_TO_SEC(now);
252 			mutex_exit(&dce->dce_lock);
253 			dce_increment_generation(dce);
254 			ixa->ixa_fragsize = ip_get_base_mtu(nce->nce_ill, ire);
255 		} else {
256 			uint_t fragsize;
257 
258 			fragsize = ip_get_base_mtu(nce->nce_ill, ire);
259 			if (fragsize > dce->dce_pmtu)
260 				fragsize = dce->dce_pmtu;
261 			ixa->ixa_fragsize = fragsize;
262 		}
263 	} else {
264 		ixa->ixa_fragsize = ip_get_base_mtu(nce->nce_ill, ire);
265 	}
266 
267 	/*
268 	 * We use use ire_nexthop_ill (and not ncec_ill) to avoid the under ipmp
269 	 * interface for source address selection.
270 	 */
271 	ill = ire_nexthop_ill(ire);
272 
273 	if (ixaflags & IXAF_SET_SOURCE) {
274 		in6_addr_t	src;
275 
276 		/*
277 		 * We use the final destination to get
278 		 * correct selection for source routed packets
279 		 */
280 
281 		/* If unreachable we have no ill but need some source */
282 		if (ill == NULL) {
283 			src = ipv6_loopback;
284 			error = 0;
285 		} else {
286 			error = ip_select_source_v6(ill, &setsrc, &dst,
287 			    ixa->ixa_zoneid, ipst, B_FALSE,
288 			    ixa->ixa_src_preferences, &src, NULL, NULL);
289 		}
290 		if (error != 0) {
291 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
292 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
293 			ip_drop_output("ipIfStatsOutDiscards - no source",
294 			    mp, ill);
295 			freemsg(mp);
296 			goto done;
297 		}
298 		ip6h->ip6_src = src;
299 	} else if (ixaflags & IXAF_VERIFY_SOURCE) {
300 		/* Check if the IP source is assigned to the host. */
301 		if (!ip_verify_src(mp, ixa, NULL)) {
302 			/* Don't send a packet with a source that isn't ours */
303 			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
304 			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
305 			ip_drop_output("ipIfStatsOutDiscards - invalid source",
306 			    mp, ill);
307 			freemsg(mp);
308 			error = EADDRNOTAVAIL;
309 			goto done;
310 		}
311 	}
312 
313 	/*
314 	 * Check against global IPsec policy to set the AH/ESP attributes.
315 	 * IPsec will set IXAF_IPSEC_* and ixa_ipsec_* as appropriate.
316 	 */
317 	if (!(ixaflags & (IXAF_NO_IPSEC|IXAF_IPSEC_SECURE))) {
318 		ASSERT(ixa->ixa_ipsec_policy == NULL);
319 		mp = ip_output_attach_policy(mp, NULL, ip6h, NULL, ixa);
320 		if (mp == NULL) {
321 			/* MIB and ip_drop_packet already done */
322 			return (EHOSTUNREACH);	/* IPsec policy failure */
323 		}
324 	}
325 
326 	if (ill != NULL) {
327 		BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
328 	} else {
329 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
330 	}
331 
332 	/*
333 	 * We update the statistics on the most specific IRE i.e., the first
334 	 * one we found.
335 	 * We don't have an IRE when we fragment, hence ire_ob_pkt_count
336 	 * can only count the use prior to fragmentation. However the MIB
337 	 * counters on the ill will be incremented in post fragmentation.
338 	 */
339 	ire->ire_ob_pkt_count++;
340 
341 	/*
342 	 * Based on ire_type and ire_flags call one of:
343 	 *	ire_send_local_v6 - for IRE_LOCAL and IRE_LOOPBACK
344 	 *	ire_send_multirt_v6 - if RTF_MULTIRT
345 	 *	ire_send_noroute_v6 - if RTF_REJECT or RTF_BLACHOLE
346 	 *	ire_send_multicast_v6 - for IRE_MULTICAST
347 	 *	ire_send_wire_v6 - for the rest.
348 	 */
349 	error = (ire->ire_sendfn)(ire, mp, ip6h, ixa, &dce->dce_ident);
350 done:
351 	ire_refrele(ire);
352 	if (dce != NULL)
353 		dce_refrele(dce);
354 	if (ill != NULL)
355 		ill_refrele(ill);
356 	if (ixa->ixa_nce != NULL)
357 		nce_refrele(ixa->ixa_nce);
358 	ixa->ixa_nce = NULL;
359 	return (error);
360 }
361 
362 /*
363  * ire_sendfn() functions.
364  * These functions use the following xmit_attr:
365  *  - ixa_fragsize - read to determine whether or not to fragment
366  *  - IXAF_IPSEC_SECURE - to determine whether or not to invoke IPsec
367  *  - ixa_ipsec_*  are used inside IPsec
368  *  - IXAF_LOOPBACK_COPY - for multicast
369  */
370 
371 
372 /*
373  * ire_sendfn for IRE_LOCAL and IRE_LOOPBACK
374  *
375  * The checks for restrict_interzone_loopback are done in ire_route_recursive.
376  */
377 /* ARGSUSED4 */
378 int
ire_send_local_v6(ire_t * ire,mblk_t * mp,void * iph_arg,ip_xmit_attr_t * ixa,uint32_t * identp)379 ire_send_local_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
380     ip_xmit_attr_t *ixa, uint32_t *identp)
381 {
382 	ip6_t		*ip6h = (ip6_t *)iph_arg;
383 	ip_stack_t	*ipst = ixa->ixa_ipst;
384 	ill_t		*ill = ire->ire_ill;
385 	ip_recv_attr_t	iras;	/* NOTE: No bzero for performance */
386 	uint_t		pktlen = ixa->ixa_pktlen;
387 
388 	/*
389 	 * No fragmentation, no nce, and no application of IPsec.
390 	 *
391 	 *
392 	 * Note different order between IP provider and FW_HOOKS than in
393 	 * send_wire case.
394 	 */
395 
396 	/*
397 	 * DTrace this as ip:::send.  A packet blocked by FW_HOOKS will fire the
398 	 * send probe, but not the receive probe.
399 	 */
400 	DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
401 	    ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *, ip6h,
402 	    int, 1);
403 
404 	DTRACE_PROBE4(ip6__loopback__out__start,
405 	    ill_t *, NULL, ill_t *, ill,
406 	    ip6_t *, ip6h, mblk_t *, mp);
407 
408 	if (HOOKS6_INTERESTED_LOOPBACK_OUT(ipst)) {
409 		int	error;
410 
411 		FW_HOOKS(ipst->ips_ip6_loopback_out_event,
412 		    ipst->ips_ipv6firewall_loopback_out,
413 		    NULL, ill, ip6h, mp, mp, 0, ipst, error);
414 
415 		DTRACE_PROBE1(ip6__loopback__out__end, mblk_t *, mp);
416 		if (mp == NULL)
417 			return (error);
418 
419 		/*
420 		 * Even if the destination was changed by the filter we use the
421 		 * forwarding decision that was made based on the address
422 		 * in ip_output/ip_set_destination.
423 		 */
424 		/* Length could be different */
425 		ip6h = (ip6_t *)mp->b_rptr;
426 		pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
427 	}
428 
429 	/*
430 	 * If a callback is enabled then we need to know the
431 	 * source and destination zoneids for the packet. We already
432 	 * have those handy.
433 	 */
434 	if (ipst->ips_ip6_observe.he_interested) {
435 		zoneid_t szone, dzone;
436 		zoneid_t stackzoneid;
437 
438 		stackzoneid = netstackid_to_zoneid(
439 		    ipst->ips_netstack->netstack_stackid);
440 
441 		if (stackzoneid == GLOBAL_ZONEID) {
442 			/* Shared-IP zone */
443 			dzone = ire->ire_zoneid;
444 			szone = ixa->ixa_zoneid;
445 		} else {
446 			szone = dzone = stackzoneid;
447 		}
448 		ipobs_hook(mp, IPOBS_HOOK_LOCAL, szone, dzone, ill, ipst);
449 	}
450 
451 	/* Handle lo0 stats */
452 	ipst->ips_loopback_packets++;
453 
454 	/*
455 	 * Update output mib stats. Note that we can't move into the icmp
456 	 * sender (icmp_output etc) since they don't know the ill and the
457 	 * stats are per ill.
458 	 */
459 	if (ixa->ixa_protocol == IPPROTO_ICMPV6) {
460 		icmp6_t		*icmp6;
461 
462 		icmp6 = (icmp6_t *)((uchar_t *)ip6h + ixa->ixa_ip_hdr_length);
463 		icmp_update_out_mib_v6(ill, icmp6);
464 	}
465 
466 	DTRACE_PROBE4(ip6__loopback__in__start,
467 	    ill_t *, ill, ill_t *, NULL,
468 	    ip6_t *, ip6h, mblk_t *, mp);
469 
470 	if (HOOKS6_INTERESTED_LOOPBACK_IN(ipst)) {
471 		int	error;
472 
473 		FW_HOOKS(ipst->ips_ip6_loopback_in_event,
474 		    ipst->ips_ipv6firewall_loopback_in,
475 		    ill, NULL, ip6h, mp, mp, 0, ipst, error);
476 
477 		DTRACE_PROBE1(ip6__loopback__in__end, mblk_t *, mp);
478 		if (mp == NULL)
479 			return (error);
480 
481 		/*
482 		 * Even if the destination was changed by the filter we use the
483 		 * forwarding decision that was made based on the address
484 		 * in ip_output/ip_set_destination.
485 		 */
486 		/* Length could be different */
487 		ip6h = (ip6_t *)mp->b_rptr;
488 		pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
489 	}
490 
491 	DTRACE_IP7(receive, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
492 	    ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *, ip6h,
493 	    int, 1);
494 
495 	/* Map ixa to ira including IPsec policies */
496 	ipsec_out_to_in(ixa, ill, &iras);
497 	iras.ira_pktlen = pktlen;
498 
499 	ire->ire_ib_pkt_count++;
500 	BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInReceives);
501 	UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInOctets, pktlen);
502 
503 	/* Destined to ire_zoneid - use that for fanout */
504 	iras.ira_zoneid = ire->ire_zoneid;
505 
506 	if (is_system_labeled()) {
507 		iras.ira_flags |= IRAF_SYSTEM_LABELED;
508 
509 		/*
510 		 * This updates ira_cred, ira_tsl and ira_free_flags based
511 		 * on the label. We don't expect this to ever fail for
512 		 * loopback packets, so we silently drop the packet should it
513 		 * fail.
514 		 */
515 		if (!tsol_get_pkt_label(mp, IPV6_VERSION, &iras)) {
516 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
517 			ip_drop_input("tsol_get_pkt_label", mp, ill);
518 			freemsg(mp);
519 			return (0);
520 		}
521 		ASSERT(iras.ira_tsl != NULL);
522 
523 		/* tsol_get_pkt_label sometimes does pullupmsg */
524 		ip6h = (ip6_t *)mp->b_rptr;
525 	}
526 
527 	ip_fanout_v6(mp, ip6h, &iras);
528 
529 	/* We moved any IPsec refs from ixa to iras */
530 	ira_cleanup(&iras, B_FALSE);
531 	return (0);
532 }
533 
534 static void
multirt_check_v6(ire_t * ire,ip6_t * ip6h,ip_xmit_attr_t * ixa)535 multirt_check_v6(ire_t *ire, ip6_t *ip6h, ip_xmit_attr_t *ixa)
536 {
537 	ip_stack_t *ipst = ixa->ixa_ipst;
538 
539 	/* Limit the TTL on multirt packets. Do this even if IPV6_HOPLIMIT */
540 	if (ire->ire_type & IRE_MULTICAST) {
541 		if (ip6h->ip6_hops > 1) {
542 			ip2dbg(("ire_send_multirt_v6: forcing multicast "
543 			    "multirt TTL to 1 (was %d)\n", ip6h->ip6_hops));
544 			ip6h->ip6_hops = 1;
545 		}
546 		ixa->ixa_flags |= IXAF_NO_TTL_CHANGE;
547 	} else if ((ipst->ips_ip_multirt_ttl > 0) &&
548 	    (ip6h->ip6_hops > ipst->ips_ip_multirt_ttl)) {
549 		ip6h->ip6_hops = ipst->ips_ip_multirt_ttl;
550 		/*
551 		 * Need to ensure we don't increase the ttl should we go through
552 		 * ire_send_multicast.
553 		 */
554 		ixa->ixa_flags |= IXAF_NO_TTL_CHANGE;
555 	}
556 
557 	/* For IPv6 this also needs to insert a fragment header */
558 	ixa->ixa_flags |= IXAF_IPV6_ADD_FRAGHDR;
559 }
560 
561 /*
562  * ire_sendfn for IRE_MULTICAST
563  *
564  * Note that we do path MTU discovery by default for IPv6 multicast. But
565  * since unconnected UDP and RAW sockets don't set IXAF_PMTU_DISCOVERY
566  * only connected sockets get this by default.
567  */
568 int
ire_send_multicast_v6(ire_t * ire,mblk_t * mp,void * iph_arg,ip_xmit_attr_t * ixa,uint32_t * identp)569 ire_send_multicast_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
570     ip_xmit_attr_t *ixa, uint32_t *identp)
571 {
572 	ip6_t		*ip6h = (ip6_t *)iph_arg;
573 	ip_stack_t	*ipst = ixa->ixa_ipst;
574 	ill_t		*ill = ire->ire_ill;
575 	iaflags_t	ixaflags = ixa->ixa_flags;
576 
577 	/*
578 	 * The IRE_MULTICAST is the same whether or not multirt is in use.
579 	 * Hence we need special-case code.
580 	 */
581 	if (ixaflags & IXAF_MULTIRT_MULTICAST)
582 		multirt_check_v6(ire, ip6h, ixa);
583 
584 	/*
585 	 * Check if anything in ip_input_v6 wants a copy of the transmitted
586 	 * packet (after IPsec and fragmentation)
587 	 *
588 	 * 1. Multicast routers always need a copy unless SO_DONTROUTE is set
589 	 *    RSVP and the rsvp daemon is an example of a
590 	 *    protocol and user level process that
591 	 *    handles it's own routing. Hence, it uses the
592 	 *    SO_DONTROUTE option to accomplish this.
593 	 * 2. If the sender has set IP_MULTICAST_LOOP, then we just
594 	 *    check whether there are any receivers for the group on the ill
595 	 *    (ignoring the zoneid).
596 	 * 3. If IP_MULTICAST_LOOP is not set, then we check if there are
597 	 *    any members in other shared-IP zones.
598 	 *    If such members exist, then we indicate that the sending zone
599 	 *    shouldn't get a loopback copy to preserve the IP_MULTICAST_LOOP
600 	 *    behavior.
601 	 *
602 	 * When we loopback we skip hardware checksum to make sure loopback
603 	 * copy is checksumed.
604 	 *
605 	 * Note that ire_ill is the upper in the case of IPMP.
606 	 */
607 	ixa->ixa_flags &= ~(IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM);
608 	if (ipst->ips_ip_g_mrouter && ill->ill_mrouter_cnt > 0 &&
609 	    !(ixaflags & IXAF_DONTROUTE)) {
610 		ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
611 	} else if (ixaflags & IXAF_MULTICAST_LOOP) {
612 		/*
613 		 * If this zone or any other zone has members then loopback
614 		 * a copy.
615 		 */
616 		if (ill_hasmembers_v6(ill, &ip6h->ip6_dst))
617 			ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
618 	} else if (ipst->ips_netstack->netstack_numzones > 1) {
619 		/*
620 		 * This zone should not have a copy. But there are some other
621 		 * zones which might have members.
622 		 */
623 		if (ill_hasmembers_otherzones_v6(ill, &ip6h->ip6_dst,
624 		    ixa->ixa_zoneid)) {
625 			ixa->ixa_flags |= IXAF_NO_LOOP_ZONEID_SET;
626 			ixa->ixa_no_loop_zoneid = ixa->ixa_zoneid;
627 			ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
628 		}
629 	}
630 
631 	/*
632 	 * Unless IPV6_HOPLIMIT or ire_send_multirt_v6 already set a ttl,
633 	 * force the ttl to the IP_MULTICAST_TTL value
634 	 */
635 	if (!(ixaflags & IXAF_NO_TTL_CHANGE)) {
636 		ip6h->ip6_hops = ixa->ixa_multicast_ttl;
637 	}
638 
639 	return (ire_send_wire_v6(ire, mp, ip6h, ixa, identp));
640 }
641 
642 /*
643  * ire_sendfn for IREs with RTF_MULTIRT
644  */
645 int
ire_send_multirt_v6(ire_t * ire,mblk_t * mp,void * iph_arg,ip_xmit_attr_t * ixa,uint32_t * identp)646 ire_send_multirt_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
647     ip_xmit_attr_t *ixa, uint32_t *identp)
648 {
649 	ip6_t		*ip6h = (ip6_t *)iph_arg;
650 
651 	multirt_check_v6(ire, ip6h, ixa);
652 
653 	if (ire->ire_type & IRE_MULTICAST)
654 		return (ire_send_multicast_v6(ire, mp, ip6h, ixa, identp));
655 	else
656 		return (ire_send_wire_v6(ire, mp, ip6h, ixa, identp));
657 }
658 
659 /*
660  * ire_sendfn for IREs with RTF_REJECT/RTF_BLACKHOLE, including IRE_NOROUTE
661  */
662 /* ARGSUSED4 */
663 int
ire_send_noroute_v6(ire_t * ire,mblk_t * mp,void * iph_arg,ip_xmit_attr_t * ixa,uint32_t * identp)664 ire_send_noroute_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
665     ip_xmit_attr_t *ixa, uint32_t *identp)
666 {
667 	ip6_t		*ip6h = (ip6_t *)iph_arg;
668 	ip_stack_t	*ipst = ixa->ixa_ipst;
669 	ill_t		*ill;
670 	ip_recv_attr_t	iras;
671 	boolean_t	dummy;
672 
673 	BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutNoRoutes);
674 
675 	if (ire->ire_type & IRE_NOROUTE) {
676 		/* A lack of a route as opposed to RTF_REJECT|BLACKHOLE */
677 		ip_rts_change_v6(RTM_MISS, &ip6h->ip6_dst, 0, 0, 0, 0, 0, 0,
678 		    RTA_DST, ipst);
679 	}
680 
681 	if (ire->ire_flags & RTF_BLACKHOLE) {
682 		ip_drop_output("ipIfStatsOutNoRoutes RTF_BLACKHOLE", mp, NULL);
683 		freemsg(mp);
684 		/* No error even for local senders - silent blackhole */
685 		return (0);
686 	}
687 	ip_drop_output("ipIfStatsOutNoRoutes RTF_REJECT", mp, NULL);
688 
689 	/*
690 	 * We need an ill_t for the ip_recv_attr_t even though this packet
691 	 * was never received and icmp_unreachable doesn't currently use
692 	 * ira_ill.
693 	 */
694 	ill = ill_lookup_on_name("lo0", B_FALSE,
695 	    !(ixa->ixa_flags & IRAF_IS_IPV4), &dummy, ipst);
696 	if (ill == NULL) {
697 		freemsg(mp);
698 		return (EHOSTUNREACH);
699 	}
700 
701 	bzero(&iras, sizeof (iras));
702 	/* Map ixa to ira including IPsec policies */
703 	ipsec_out_to_in(ixa, ill, &iras);
704 
705 	icmp_unreachable_v6(mp, ICMP6_DST_UNREACH_NOROUTE, B_FALSE, &iras);
706 	/* We moved any IPsec refs from ixa to iras */
707 	ira_cleanup(&iras, B_FALSE);
708 
709 	ill_refrele(ill);
710 	return (EHOSTUNREACH);
711 }
712 
713 /*
714  * Calculate a checksum ignoring any hardware capabilities
715  *
716  * Returns B_FALSE if the packet was too short for the checksum. Caller
717  * should free and do stats.
718  */
719 static boolean_t
ip_output_sw_cksum_v6(mblk_t * mp,ip6_t * ip6h,ip_xmit_attr_t * ixa)720 ip_output_sw_cksum_v6(mblk_t *mp, ip6_t *ip6h, ip_xmit_attr_t *ixa)
721 {
722 	ip_stack_t	*ipst = ixa->ixa_ipst;
723 	uint_t		pktlen = ixa->ixa_pktlen;
724 	uint16_t	*cksump;
725 	uint32_t	cksum;
726 	uint8_t		protocol = ixa->ixa_protocol;
727 	uint16_t	ip_hdr_length = ixa->ixa_ip_hdr_length;
728 
729 #define	iphs    ((uint16_t *)ip6h)
730 
731 	/* Just in case it contained garbage */
732 	DB_CKSUMFLAGS(mp) &= ~HCK_FLAGS;
733 
734 	/*
735 	 * Calculate ULP checksum
736 	 */
737 	if (protocol == IPPROTO_TCP) {
738 		cksump = IPH_TCPH_CHECKSUMP(ip6h, ip_hdr_length);
739 		cksum = IP_TCP_CSUM_COMP;
740 	} else if (protocol == IPPROTO_UDP) {
741 		cksump = IPH_UDPH_CHECKSUMP(ip6h, ip_hdr_length);
742 		cksum = IP_UDP_CSUM_COMP;
743 	} else if (protocol == IPPROTO_SCTP) {
744 		sctp_hdr_t	*sctph;
745 
746 		ASSERT(MBLKL(mp) >= (ip_hdr_length + sizeof (*sctph)));
747 		sctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_length);
748 		/*
749 		 * Zero out the checksum field to ensure proper
750 		 * checksum calculation.
751 		 */
752 		sctph->sh_chksum = 0;
753 #ifdef	DEBUG
754 		if (!skip_sctp_cksum)
755 #endif
756 			sctph->sh_chksum = sctp_cksum(mp, ip_hdr_length);
757 		return (B_TRUE);
758 	} else if (ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
759 		/*
760 		 * icmp has placed length and routing
761 		 * header adjustment in the checksum field.
762 		 */
763 		cksump = (uint16_t *)(((uint8_t *)ip6h) + ip_hdr_length +
764 		    ixa->ixa_raw_cksum_offset);
765 		cksum = htons(protocol);
766 	} else if (protocol == IPPROTO_ICMPV6) {
767 		cksump = IPH_ICMPV6_CHECKSUMP(ip6h, ip_hdr_length);
768 		cksum = IP_ICMPV6_CSUM_COMP;	/* Pseudo-header cksum */
769 	} else {
770 		return (B_TRUE);
771 	}
772 
773 	/* ULP puts the checksum field is in the first mblk */
774 	ASSERT(((uchar_t *)cksump) + sizeof (uint16_t) <= mp->b_wptr);
775 
776 	/*
777 	 * We accumulate the pseudo header checksum in cksum.
778 	 * This is pretty hairy code, so watch close.  One
779 	 * thing to keep in mind is that UDP and TCP have
780 	 * stored their respective datagram lengths in their
781 	 * checksum fields.  This lines things up real nice.
782 	 */
783 	cksum += iphs[4] + iphs[5] + iphs[6] + iphs[7] +
784 	    iphs[8] + iphs[9] + iphs[10] + iphs[11] +
785 	    iphs[12] + iphs[13] + iphs[14] + iphs[15] +
786 	    iphs[16] + iphs[17] + iphs[18] + iphs[19];
787 	cksum = IP_CSUM(mp, ip_hdr_length, cksum);
788 
789 	/*
790 	 * For UDP/IPv6 a zero UDP checksum is not allowed.
791 	 * Change to 0xffff
792 	 */
793 	if (protocol == IPPROTO_UDP && cksum == 0)
794 		*cksump = ~cksum;
795 	else
796 		*cksump = cksum;
797 
798 	IP6_STAT(ipst, ip6_out_sw_cksum);
799 	IP6_STAT_UPDATE(ipst, ip6_out_sw_cksum_bytes, pktlen);
800 
801 	/* No IP header checksum for IPv6 */
802 
803 	return (B_TRUE);
804 #undef	iphs
805 }
806 
807 /* There are drivers that can't do partial checksum for ICMPv6 */
808 int nxge_cksum_workaround = 1;
809 
810 /*
811  * Calculate the ULP checksum - try to use hardware.
812  * In the case of MULTIRT or multicast the
813  * IXAF_NO_HW_CKSUM is set in which case we use software.
814  *
815  * Returns B_FALSE if the packet was too short for the checksum. Caller
816  * should free and do stats.
817  */
818 static boolean_t
ip_output_cksum_v6(iaflags_t ixaflags,mblk_t * mp,ip6_t * ip6h,ip_xmit_attr_t * ixa,ill_t * ill)819 ip_output_cksum_v6(iaflags_t ixaflags, mblk_t *mp, ip6_t *ip6h,
820     ip_xmit_attr_t *ixa, ill_t *ill)
821 {
822 	uint_t		pktlen = ixa->ixa_pktlen;
823 	uint16_t	*cksump;
824 	uint16_t	hck_flags;
825 	uint32_t	cksum;
826 	uint8_t		protocol = ixa->ixa_protocol;
827 	uint16_t	ip_hdr_length = ixa->ixa_ip_hdr_length;
828 
829 #define	iphs    ((uint16_t *)ip6h)
830 
831 	if ((ixaflags & IXAF_NO_HW_CKSUM) || !ILL_HCKSUM_CAPABLE(ill) ||
832 	    !dohwcksum) {
833 		return (ip_output_sw_cksum_v6(mp, ip6h, ixa));
834 	}
835 
836 	/*
837 	 * Calculate ULP checksum. Note that we don't use cksump and cksum
838 	 * if the ill has FULL support.
839 	 */
840 	if (protocol == IPPROTO_TCP) {
841 		cksump = IPH_TCPH_CHECKSUMP(ip6h, ip_hdr_length);
842 		cksum = IP_TCP_CSUM_COMP;	/* Pseudo-header cksum */
843 	} else if (protocol == IPPROTO_UDP) {
844 		cksump = IPH_UDPH_CHECKSUMP(ip6h, ip_hdr_length);
845 		cksum = IP_UDP_CSUM_COMP;	/* Pseudo-header cksum */
846 	} else if (protocol == IPPROTO_SCTP) {
847 		sctp_hdr_t	*sctph;
848 
849 		ASSERT(MBLKL(mp) >= (ip_hdr_length + sizeof (*sctph)));
850 		sctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_length);
851 		/*
852 		 * Zero out the checksum field to ensure proper
853 		 * checksum calculation.
854 		 */
855 		sctph->sh_chksum = 0;
856 #ifdef	DEBUG
857 		if (!skip_sctp_cksum)
858 #endif
859 			sctph->sh_chksum = sctp_cksum(mp, ip_hdr_length);
860 		goto ip_hdr_cksum;
861 	} else if (ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
862 		/*
863 		 * icmp has placed length and routing
864 		 * header adjustment in the checksum field.
865 		 */
866 		cksump = (uint16_t *)(((uint8_t *)ip6h) + ip_hdr_length +
867 		    ixa->ixa_raw_cksum_offset);
868 		cksum = htons(protocol);
869 	} else if (protocol == IPPROTO_ICMPV6) {
870 		/*
871 		 * Currently we assume no HW support for ICMP checksum calc.
872 		 *
873 		 * When HW support is advertised for ICMP, we'll want the
874 		 * following to be set:
875 		 * cksump = IPH_ICMPV6_CHECKSUMP(ip6h, ip_hdr_length);
876 		 * cksum = IP_ICMPV6_CSUM_COMP;		Pseudo-header cksum
877 		 */
878 
879 		return (ip_output_sw_cksum_v6(mp, ip6h, ixa));
880 	} else {
881 	ip_hdr_cksum:
882 		/* No IP header checksum for IPv6 */
883 		return (B_TRUE);
884 	}
885 
886 	/* ULP puts the checksum field is in the first mblk */
887 	ASSERT(((uchar_t *)cksump) + sizeof (uint16_t) <= mp->b_wptr);
888 
889 	/*
890 	 * Underlying interface supports hardware checksum offload for
891 	 * the payload; leave the payload checksum for the hardware to
892 	 * calculate.  N.B: We only need to set up checksum info on the
893 	 * first mblk.
894 	 */
895 	hck_flags = ill->ill_hcksum_capab->ill_hcksum_txflags;
896 
897 	DB_CKSUMFLAGS(mp) &= ~HCK_FLAGS;
898 	if (hck_flags & HCKSUM_INET_FULL_V6) {
899 		/*
900 		 * Hardware calculates pseudo-header, header and the
901 		 * payload checksums, so clear the checksum field in
902 		 * the protocol header.
903 		 */
904 		*cksump = 0;
905 		DB_CKSUMFLAGS(mp) |= HCK_FULLCKSUM;
906 		return (B_TRUE);
907 	}
908 	if (((hck_flags) & HCKSUM_INET_PARTIAL) &&
909 	    (protocol != IPPROTO_ICMPV6 || !nxge_cksum_workaround)) {
910 		/*
911 		 * Partial checksum offload has been enabled.  Fill
912 		 * the checksum field in the protocol header with the
913 		 * pseudo-header checksum value.
914 		 *
915 		 * We accumulate the pseudo header checksum in cksum.
916 		 * This is pretty hairy code, so watch close.  One
917 		 * thing to keep in mind is that UDP and TCP have
918 		 * stored their respective datagram lengths in their
919 		 * checksum fields.  This lines things up real nice.
920 		 */
921 		cksum += iphs[4] + iphs[5] + iphs[6] + iphs[7] +
922 		    iphs[8] + iphs[9] + iphs[10] + iphs[11] +
923 		    iphs[12] + iphs[13] + iphs[14] + iphs[15] +
924 		    iphs[16] + iphs[17] + iphs[18] + iphs[19];
925 		cksum += *(cksump);
926 		cksum = (cksum & 0xFFFF) + (cksum >> 16);
927 		*(cksump) = (cksum & 0xFFFF) + (cksum >> 16);
928 
929 		/*
930 		 * Offsets are relative to beginning of IP header.
931 		 */
932 		DB_CKSUMSTART(mp) = ip_hdr_length;
933 		DB_CKSUMSTUFF(mp) = (uint8_t *)cksump - (uint8_t *)ip6h;
934 		DB_CKSUMEND(mp) = pktlen;
935 		DB_CKSUMFLAGS(mp) |= HCK_PARTIALCKSUM;
936 		return (B_TRUE);
937 	}
938 	/* Hardware capabilities include neither full nor partial IPv6 */
939 	return (ip_output_sw_cksum_v6(mp, ip6h, ixa));
940 #undef	iphs
941 }
942 
943 /*
944  * ire_sendfn for offlink and onlink destinations.
945  * Also called from the multicast, and multirt send functions.
946  *
947  * Assumes that the caller has a hold on the ire.
948  *
949  * This function doesn't care if the IRE just became condemned since that
950  * can happen at any time.
951  */
952 /* ARGSUSED */
953 int
ire_send_wire_v6(ire_t * ire,mblk_t * mp,void * iph_arg,ip_xmit_attr_t * ixa,uint32_t * identp)954 ire_send_wire_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
955     ip_xmit_attr_t *ixa, uint32_t *identp)
956 {
957 	ip_stack_t	*ipst = ixa->ixa_ipst;
958 	ip6_t		*ip6h = (ip6_t *)iph_arg;
959 	iaflags_t	ixaflags = ixa->ixa_flags;
960 	ill_t		*ill;
961 	uint32_t	pktlen = ixa->ixa_pktlen;
962 
963 	ASSERT(ixa->ixa_nce != NULL);
964 	ill = ixa->ixa_nce->nce_ill;
965 
966 	/*
967 	 * Update output mib stats. Note that we can't move into the icmp
968 	 * sender (icmp_output etc) since they don't know the ill and the
969 	 * stats are per ill.
970 	 *
971 	 * With IPMP we record the stats on the upper ill.
972 	 */
973 	if (ixa->ixa_protocol == IPPROTO_ICMPV6) {
974 		icmp6_t		*icmp6;
975 
976 		icmp6 = (icmp6_t *)((uchar_t *)ip6h + ixa->ixa_ip_hdr_length);
977 		icmp_update_out_mib_v6(ixa->ixa_nce->nce_common->ncec_ill,
978 		    icmp6);
979 	}
980 
981 	if (ixaflags & IXAF_DONTROUTE)
982 		ip6h->ip6_hops = 1;
983 
984 	/*
985 	 * This might set b_band, thus the IPsec and fragmentation
986 	 * code in IP ensures that b_band is updated in the first mblk.
987 	 */
988 	if (IPP_ENABLED(IPP_LOCAL_OUT, ipst)) {
989 		/* ip_process translates an IS_UNDER_IPMP */
990 		mp = ip_process(IPP_LOCAL_OUT, mp, ill, ill);
991 		if (mp == NULL) {
992 			/* ip_drop_packet and MIB done */
993 			return (0);	/* Might just be delayed */
994 		}
995 	}
996 
997 	/*
998 	 * To handle IPsec/iptun's labeling needs we need to tag packets
999 	 * while we still have ixa_tsl
1000 	 */
1001 	if (is_system_labeled() && ixa->ixa_tsl != NULL &&
1002 	    (ill->ill_mactype == DL_6TO4 || ill->ill_mactype == DL_IPV4 ||
1003 	    ill->ill_mactype == DL_IPV6)) {
1004 		cred_t *newcr;
1005 
1006 		newcr = copycred_from_tslabel(ixa->ixa_cred, ixa->ixa_tsl,
1007 		    KM_NOSLEEP);
1008 		if (newcr == NULL) {
1009 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
1010 			ip_drop_output("ipIfStatsOutDiscards - newcr",
1011 			    mp, ill);
1012 			freemsg(mp);
1013 			return (ENOBUFS);
1014 		}
1015 		mblk_setcred(mp, newcr, NOPID);
1016 		crfree(newcr);	/* mblk_setcred did its own crhold */
1017 	}
1018 
1019 	/*
1020 	 * IXAF_IPV6_ADD_FRAGHDR is set for CGTP so that we will add a
1021 	 * fragment header without fragmenting. CGTP on the receiver will
1022 	 * filter duplicates on the ident field.
1023 	 */
1024 	if (pktlen > ixa->ixa_fragsize ||
1025 	    (ixaflags & (IXAF_IPSEC_SECURE|IXAF_IPV6_ADD_FRAGHDR))) {
1026 		uint32_t ident = 0;
1027 
1028 		if (ixaflags & IXAF_IPSEC_SECURE)
1029 			pktlen += ipsec_out_extra_length(ixa);
1030 
1031 		if (pktlen > IP_MAXPACKET)
1032 			return (EMSGSIZE);
1033 
1034 		if (ixaflags & IXAF_SET_ULP_CKSUM) {
1035 			/*
1036 			 * Compute ULP checksum using software
1037 			 */
1038 			if (!ip_output_sw_cksum_v6(mp, ip6h, ixa)) {
1039 				BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
1040 				ip_drop_output("ipIfStatsOutDiscards", mp, ill);
1041 				freemsg(mp);
1042 				return (EINVAL);
1043 			}
1044 			/* Avoid checksum again below if we only add fraghdr */
1045 			ixaflags &= ~IXAF_SET_ULP_CKSUM;
1046 		}
1047 
1048 		/*
1049 		 * If we need a fragment header, pick the ident and insert
1050 		 * the header before IPsec to we have a place to store
1051 		 * the ident value.
1052 		 */
1053 		if ((ixaflags & IXAF_IPV6_ADD_FRAGHDR) ||
1054 		    pktlen > ixa->ixa_fragsize) {
1055 			/*
1056 			 * If this packet would generate a icmp_frag_needed
1057 			 * message, we need to handle it before we do the IPsec
1058 			 * processing. Otherwise, we need to strip the IPsec
1059 			 * headers before we send up the message to the ULPs
1060 			 * which becomes messy and difficult.
1061 			 */
1062 			if ((pktlen > ixa->ixa_fragsize) &&
1063 			    (ixaflags & IXAF_DONTFRAG)) {
1064 				/* Generate ICMP and return error */
1065 				ip_recv_attr_t	iras;
1066 
1067 				DTRACE_PROBE4(ip6__fragsize__fail,
1068 				    uint_t, pktlen, uint_t, ixa->ixa_fragsize,
1069 				    uint_t, ixa->ixa_pktlen,
1070 				    uint_t, ixa->ixa_pmtu);
1071 
1072 				bzero(&iras, sizeof (iras));
1073 				/* Map ixa to ira including IPsec policies */
1074 				ipsec_out_to_in(ixa, ill, &iras);
1075 
1076 				ip_drop_output("ICMP6_PKT_TOO_BIG", mp, ill);
1077 				icmp_pkt2big_v6(mp, ixa->ixa_fragsize, B_TRUE,
1078 				    &iras);
1079 				/* We moved any IPsec refs from ixa to iras */
1080 				ira_cleanup(&iras, B_FALSE);
1081 				return (EMSGSIZE);
1082 			}
1083 			DTRACE_PROBE4(ip6__fragsize__ok, uint_t, pktlen,
1084 			    uint_t, ixa->ixa_fragsize, uint_t, ixa->ixa_pktlen,
1085 			    uint_t, ixa->ixa_pmtu);
1086 			/*
1087 			 * Assign an ident value for this packet. There could
1088 			 * be other threads targeting the same destination, so
1089 			 * we have to arrange for a atomic increment.
1090 			 * Normally ixa_extra_ident is 0, but in the case of
1091 			 * LSO it will be the number of TCP segments  that the
1092 			 * driver/hardware will extraly construct.
1093 			 *
1094 			 * Note that cl_inet_ipident has only been used for
1095 			 * IPv4. We don't use it here.
1096 			 */
1097 			ident = atomic_add_32_nv(identp, ixa->ixa_extra_ident +
1098 			    1);
1099 			ixa->ixa_ident = ident;	/* In case we do IPsec */
1100 		}
1101 		if (ixaflags & IXAF_IPSEC_SECURE) {
1102 			/*
1103 			 * Pass in sufficient information so that
1104 			 * IPsec can determine whether to fragment, and
1105 			 * which function to call after fragmentation.
1106 			 */
1107 			return (ipsec_out_process(mp, ixa));
1108 		}
1109 
1110 		mp = ip_fraghdr_add_v6(mp, ident, ixa);
1111 		if (mp == NULL) {
1112 			/* MIB and ip_drop_output already done */
1113 			return (ENOMEM);
1114 		}
1115 		ASSERT(pktlen == ixa->ixa_pktlen);
1116 		pktlen += sizeof (ip6_frag_t);
1117 
1118 		if (pktlen > ixa->ixa_fragsize) {
1119 			return (ip_fragment_v6(mp, ixa->ixa_nce, ixaflags,
1120 			    pktlen, ixa->ixa_fragsize,
1121 			    ixa->ixa_xmit_hint, ixa->ixa_zoneid,
1122 			    ixa->ixa_no_loop_zoneid, ixa->ixa_postfragfn,
1123 			    &ixa->ixa_cookie));
1124 		}
1125 	}
1126 	if (ixaflags & IXAF_SET_ULP_CKSUM) {
1127 		/* Compute ULP checksum and IP header checksum */
1128 		/* An IS_UNDER_IPMP ill is ok here */
1129 		if (!ip_output_cksum_v6(ixaflags, mp, ip6h, ixa, ill)) {
1130 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
1131 			ip_drop_output("ipIfStatsOutDiscards", mp, ill);
1132 			freemsg(mp);
1133 			return (EINVAL);
1134 		}
1135 	}
1136 	return ((ixa->ixa_postfragfn)(mp, ixa->ixa_nce, ixaflags,
1137 	    pktlen, ixa->ixa_xmit_hint, ixa->ixa_zoneid,
1138 	    ixa->ixa_no_loop_zoneid, &ixa->ixa_cookie));
1139 }
1140 
1141 /*
1142  * Post fragmentation function for RTF_MULTIRT routes.
1143  * Since IRE_MULTICASTs might have RTF_MULTIRT, this function
1144  * checks IXAF_LOOPBACK_COPY.
1145  *
1146  * If no packet is sent due to failures then we return an errno, but if at
1147  * least one succeeded we return zero.
1148  */
1149 int
ip_postfrag_multirt_v6(mblk_t * mp,nce_t * nce,iaflags_t ixaflags,uint_t pkt_len,uint32_t xmit_hint,zoneid_t szone,zoneid_t nolzid,uintptr_t * ixacookie)1150 ip_postfrag_multirt_v6(mblk_t *mp, nce_t *nce, iaflags_t ixaflags,
1151     uint_t pkt_len, uint32_t xmit_hint, zoneid_t szone, zoneid_t nolzid,
1152     uintptr_t *ixacookie)
1153 {
1154 	irb_t		*irb;
1155 	ip6_t		*ip6h = (ip6_t *)mp->b_rptr;
1156 	ire_t		*ire;
1157 	ire_t		*ire1;
1158 	mblk_t		*mp1;
1159 	nce_t		*nce1;
1160 	ill_t		*ill = nce->nce_ill;
1161 	ill_t		*ill1;
1162 	ip_stack_t	*ipst = ill->ill_ipst;
1163 	int		error = 0;
1164 	int		num_sent = 0;
1165 	int		err;
1166 	uint_t		ire_type;
1167 	in6_addr_t	nexthop;
1168 
1169 	ASSERT(!(ixaflags & IXAF_IS_IPV4));
1170 
1171 	/* Check for IXAF_LOOPBACK_COPY */
1172 	if (ixaflags & IXAF_LOOPBACK_COPY) {
1173 		mblk_t *mp1;
1174 
1175 		mp1 = copymsg(mp);
1176 		if (mp1 == NULL) {
1177 			/* Failed to deliver the loopback copy. */
1178 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
1179 			ip_drop_output("ipIfStatsOutDiscards", mp, ill);
1180 			error = ENOBUFS;
1181 		} else {
1182 			ip_postfrag_loopback(mp1, nce, ixaflags, pkt_len,
1183 			    nolzid);
1184 		}
1185 	}
1186 
1187 	/*
1188 	 * Loop over RTF_MULTIRT for ip6_dst in the same bucket. Send
1189 	 * a copy to each one.
1190 	 * Use the nce (nexthop) and ip6_dst to find the ire.
1191 	 *
1192 	 * MULTIRT is not designed to work with shared-IP zones thus we don't
1193 	 * need to pass a zoneid or a label to the IRE lookup.
1194 	 */
1195 	if (IN6_ARE_ADDR_EQUAL(&nce->nce_addr, &ip6h->ip6_dst)) {
1196 		/* Broadcast and multicast case */
1197 		ire = ire_ftable_lookup_v6(&ip6h->ip6_dst, 0, 0, 0, NULL,
1198 		    ALL_ZONES, NULL, MATCH_IRE_DSTONLY, 0, ipst, NULL);
1199 	} else {
1200 		/* Unicast case */
1201 		ire = ire_ftable_lookup_v6(&ip6h->ip6_dst, 0, &nce->nce_addr,
1202 		    0, NULL, ALL_ZONES, NULL, MATCH_IRE_GW, 0, ipst, NULL);
1203 	}
1204 
1205 	if (ire == NULL ||
1206 	    (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
1207 	    !(ire->ire_flags & RTF_MULTIRT)) {
1208 		/* Drop */
1209 		ip_drop_output("ip_postfrag_multirt didn't find route",
1210 		    mp, nce->nce_ill);
1211 		if (ire != NULL)
1212 			ire_refrele(ire);
1213 		return (ENETUNREACH);
1214 	}
1215 
1216 	irb = ire->ire_bucket;
1217 	irb_refhold(irb);
1218 	for (ire1 = irb->irb_ire; ire1 != NULL; ire1 = ire1->ire_next) {
1219 		if (IRE_IS_CONDEMNED(ire1) ||
1220 		    !(ire1->ire_flags & RTF_MULTIRT))
1221 			continue;
1222 
1223 		/* Note: When IPv6 uses radix tree we don't need this check */
1224 		if (!IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, &ire1->ire_addr_v6))
1225 			continue;
1226 
1227 		/* Do the ire argument one after the loop */
1228 		if (ire1 == ire)
1229 			continue;
1230 
1231 		ill1 = ire_nexthop_ill(ire1);
1232 		if (ill1 == NULL) {
1233 			/*
1234 			 * This ire might not have been picked by
1235 			 * ire_route_recursive, in which case ire_dep might
1236 			 * not have been setup yet.
1237 			 * We kick ire_route_recursive to try to resolve
1238 			 * starting at ire1.
1239 			 */
1240 			ire_t *ire2;
1241 			uint_t match_flags = MATCH_IRE_DSTONLY;
1242 
1243 			if (ire1->ire_ill != NULL)
1244 				match_flags |= MATCH_IRE_ILL;
1245 			ire2 = ire_route_recursive_impl_v6(ire1,
1246 			    &ire1->ire_addr_v6, ire1->ire_type, ire1->ire_ill,
1247 			    ire1->ire_zoneid, NULL, match_flags,
1248 			    IRR_ALLOCATE, 0, ipst, NULL, NULL, NULL);
1249 			if (ire2 != NULL)
1250 				ire_refrele(ire2);
1251 			ill1 = ire_nexthop_ill(ire1);
1252 		}
1253 		if (ill1 == NULL) {
1254 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
1255 			ip_drop_output("ipIfStatsOutDiscards - no ill",
1256 			    mp, ill);
1257 			error = ENETUNREACH;
1258 			continue;
1259 		}
1260 		/* Pick the addr and type to use for ndp_nce_init */
1261 		if (nce->nce_common->ncec_flags & NCE_F_MCAST) {
1262 			ire_type = IRE_MULTICAST;
1263 			nexthop = ip6h->ip6_dst;
1264 		} else {
1265 			ire_type = ire1->ire_type;	/* Doesn't matter */
1266 			nexthop = ire1->ire_gateway_addr_v6;
1267 		}
1268 
1269 		/* If IPMP meta or under, then we just drop */
1270 		if (ill1->ill_grp != NULL) {
1271 			BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
1272 			ip_drop_output("ipIfStatsOutDiscards - IPMP",
1273 			    mp, ill1);
1274 			ill_refrele(ill1);
1275 			error = ENETUNREACH;
1276 			continue;
1277 		}
1278 
1279 		nce1 = ndp_nce_init(ill1, &nexthop, ire_type);
1280 		if (nce1 == NULL) {
1281 			BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
1282 			ip_drop_output("ipIfStatsOutDiscards - no nce",
1283 			    mp, ill1);
1284 			ill_refrele(ill1);
1285 			error = ENOBUFS;
1286 			continue;
1287 		}
1288 		mp1 = copymsg(mp);
1289 		if (mp1 == NULL) {
1290 			BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
1291 			ip_drop_output("ipIfStatsOutDiscards", mp, ill1);
1292 			nce_refrele(nce1);
1293 			ill_refrele(ill1);
1294 			error = ENOBUFS;
1295 			continue;
1296 		}
1297 		/* Preserve HW checksum for this copy */
1298 		DB_CKSUMSTART(mp1) = DB_CKSUMSTART(mp);
1299 		DB_CKSUMSTUFF(mp1) = DB_CKSUMSTUFF(mp);
1300 		DB_CKSUMEND(mp1) = DB_CKSUMEND(mp);
1301 		DB_CKSUMFLAGS(mp1) = DB_CKSUMFLAGS(mp);
1302 		DB_LSOMSS(mp1) = DB_LSOMSS(mp);
1303 
1304 		ire1->ire_ob_pkt_count++;
1305 		err = ip_xmit(mp1, nce1, ixaflags, pkt_len, xmit_hint, szone,
1306 		    0, ixacookie);
1307 		if (err == 0)
1308 			num_sent++;
1309 		else
1310 			error = err;
1311 		nce_refrele(nce1);
1312 		ill_refrele(ill1);
1313 	}
1314 	irb_refrele(irb);
1315 	ire_refrele(ire);
1316 	/* Finally, the main one */
1317 	err = ip_xmit(mp, nce, ixaflags, pkt_len, xmit_hint, szone, 0,
1318 	    ixacookie);
1319 	if (err == 0)
1320 		num_sent++;
1321 	else
1322 		error = err;
1323 	if (num_sent > 0)
1324 		return (0);
1325 	else
1326 		return (error);
1327 }
1328