1bd670b35SErik Nordmark /*
2bd670b35SErik Nordmark * CDDL HEADER START
3bd670b35SErik Nordmark *
4bd670b35SErik Nordmark * The contents of this file are subject to the terms of the
5bd670b35SErik Nordmark * Common Development and Distribution License (the "License").
6bd670b35SErik Nordmark * You may not use this file except in compliance with the License.
7bd670b35SErik Nordmark *
8bd670b35SErik Nordmark * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9bd670b35SErik Nordmark * or http://www.opensolaris.org/os/licensing.
10bd670b35SErik Nordmark * See the License for the specific language governing permissions
11bd670b35SErik Nordmark * and limitations under the License.
12bd670b35SErik Nordmark *
13bd670b35SErik Nordmark * When distributing Covered Code, include this CDDL HEADER in each
14bd670b35SErik Nordmark * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15bd670b35SErik Nordmark * If applicable, add the following below this CDDL HEADER, with the
16bd670b35SErik Nordmark * fields enclosed by brackets "[]" replaced with your own identifying
17bd670b35SErik Nordmark * information: Portions Copyright [yyyy] [name of copyright owner]
18bd670b35SErik Nordmark *
19bd670b35SErik Nordmark * CDDL HEADER END
20bd670b35SErik Nordmark */
21bd670b35SErik Nordmark
22bd670b35SErik Nordmark /*
239e3469d3SErik Nordmark * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
24bd670b35SErik Nordmark * Use is subject to license terms.
257199b8e7SDan McDonald * Copyright 2017 OmniTI Computer Consulting, Inc. All rights reserved.
26*b22a70abSPatrick Mooney * Copyright 2018 Joyent, Inc.
27bd670b35SErik Nordmark */
28bd670b35SErik Nordmark /* Copyright (c) 1990 Mentat Inc. */
29bd670b35SErik Nordmark
30bd670b35SErik Nordmark #include <sys/types.h>
31bd670b35SErik Nordmark #include <sys/stream.h>
32bd670b35SErik Nordmark #include <sys/strsubr.h>
33bd670b35SErik Nordmark #include <sys/dlpi.h>
34bd670b35SErik Nordmark #include <sys/strsun.h>
35bd670b35SErik Nordmark #include <sys/zone.h>
36bd670b35SErik Nordmark #include <sys/ddi.h>
37bd670b35SErik Nordmark #include <sys/sunddi.h>
38bd670b35SErik Nordmark #include <sys/cmn_err.h>
39bd670b35SErik Nordmark #include <sys/debug.h>
40bd670b35SErik Nordmark #include <sys/atomic.h>
41bd670b35SErik Nordmark
42bd670b35SErik Nordmark #include <sys/systm.h>
43bd670b35SErik Nordmark #include <sys/param.h>
44bd670b35SErik Nordmark #include <sys/kmem.h>
45bd670b35SErik Nordmark #include <sys/sdt.h>
46bd670b35SErik Nordmark #include <sys/socket.h>
47bd670b35SErik Nordmark #include <sys/mac.h>
48bd670b35SErik Nordmark #include <net/if.h>
49bd670b35SErik Nordmark #include <net/if_arp.h>
50bd670b35SErik Nordmark #include <net/route.h>
51bd670b35SErik Nordmark #include <sys/sockio.h>
52bd670b35SErik Nordmark #include <netinet/in.h>
53bd670b35SErik Nordmark #include <net/if_dl.h>
54bd670b35SErik Nordmark
55bd670b35SErik Nordmark #include <inet/common.h>
56bd670b35SErik Nordmark #include <inet/mi.h>
57bd670b35SErik Nordmark #include <inet/mib2.h>
58bd670b35SErik Nordmark #include <inet/nd.h>
59bd670b35SErik Nordmark #include <inet/arp.h>
60bd670b35SErik Nordmark #include <inet/snmpcom.h>
61bd670b35SErik Nordmark #include <inet/kstatcom.h>
62bd670b35SErik Nordmark
63bd670b35SErik Nordmark #include <netinet/igmp_var.h>
64bd670b35SErik Nordmark #include <netinet/ip6.h>
65bd670b35SErik Nordmark #include <netinet/icmp6.h>
66bd670b35SErik Nordmark #include <netinet/sctp.h>
67bd670b35SErik Nordmark
68bd670b35SErik Nordmark #include <inet/ip.h>
69bd670b35SErik Nordmark #include <inet/ip_impl.h>
70bd670b35SErik Nordmark #include <inet/ip6.h>
71bd670b35SErik Nordmark #include <inet/ip6_asp.h>
72bd670b35SErik Nordmark #include <inet/tcp.h>
73bd670b35SErik Nordmark #include <inet/ip_multi.h>
74bd670b35SErik Nordmark #include <inet/ip_if.h>
75bd670b35SErik Nordmark #include <inet/ip_ire.h>
76bd670b35SErik Nordmark #include <inet/ip_ftable.h>
77bd670b35SErik Nordmark #include <inet/ip_rts.h>
78bd670b35SErik Nordmark #include <inet/optcom.h>
79bd670b35SErik Nordmark #include <inet/ip_ndp.h>
80bd670b35SErik Nordmark #include <inet/ip_listutils.h>
81bd670b35SErik Nordmark #include <netinet/igmp.h>
82bd670b35SErik Nordmark #include <netinet/ip_mroute.h>
83bd670b35SErik Nordmark #include <inet/ipp_common.h>
84bd670b35SErik Nordmark
85bd670b35SErik Nordmark #include <net/pfkeyv2.h>
86bd670b35SErik Nordmark #include <inet/sadb.h>
87bd670b35SErik Nordmark #include <inet/ipsec_impl.h>
88bd670b35SErik Nordmark #include <inet/ipdrop.h>
89bd670b35SErik Nordmark #include <inet/ip_netinfo.h>
90bd670b35SErik Nordmark
91bd670b35SErik Nordmark #include <sys/pattr.h>
92bd670b35SErik Nordmark #include <inet/ipclassifier.h>
93bd670b35SErik Nordmark #include <inet/sctp_ip.h>
94bd670b35SErik Nordmark #include <inet/sctp/sctp_impl.h>
95bd670b35SErik Nordmark #include <inet/udp_impl.h>
96bd670b35SErik Nordmark #include <sys/sunddi.h>
97bd670b35SErik Nordmark
98bd670b35SErik Nordmark #include <sys/tsol/label.h>
99bd670b35SErik Nordmark #include <sys/tsol/tnet.h>
100bd670b35SErik Nordmark
101bd670b35SErik Nordmark #ifdef DEBUG
102bd670b35SErik Nordmark extern boolean_t skip_sctp_cksum;
103bd670b35SErik Nordmark #endif
104bd670b35SErik Nordmark
105bd670b35SErik Nordmark int
ip_output_simple_v6(mblk_t * mp,ip_xmit_attr_t * ixa)106bd670b35SErik Nordmark ip_output_simple_v6(mblk_t *mp, ip_xmit_attr_t *ixa)
107bd670b35SErik Nordmark {
108bd670b35SErik Nordmark ip6_t *ip6h;
109bd670b35SErik Nordmark in6_addr_t firsthop; /* In IP header */
110bd670b35SErik Nordmark in6_addr_t dst; /* End of source route, or ip6_dst if none */
111bd670b35SErik Nordmark ire_t *ire;
112bd670b35SErik Nordmark in6_addr_t setsrc;
113bd670b35SErik Nordmark int error;
114bd670b35SErik Nordmark ill_t *ill = NULL;
115bd670b35SErik Nordmark dce_t *dce = NULL;
116bd670b35SErik Nordmark nce_t *nce;
117bd670b35SErik Nordmark iaflags_t ixaflags = ixa->ixa_flags;
118bd670b35SErik Nordmark ip_stack_t *ipst = ixa->ixa_ipst;
119bd670b35SErik Nordmark uint8_t *nexthdrp;
120bd670b35SErik Nordmark boolean_t repeat = B_FALSE;
121bd670b35SErik Nordmark boolean_t multirt = B_FALSE;
122bd670b35SErik Nordmark uint_t ifindex;
123d3d50737SRafael Vanoni int64_t now;
124bd670b35SErik Nordmark
125bd670b35SErik Nordmark ip6h = (ip6_t *)mp->b_rptr;
126bd670b35SErik Nordmark ASSERT(IPH_HDR_VERSION(ip6h) == IPV6_VERSION);
127bd670b35SErik Nordmark
128bd670b35SErik Nordmark ASSERT(ixa->ixa_nce == NULL);
129bd670b35SErik Nordmark
130bd670b35SErik Nordmark ixa->ixa_pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
131bd670b35SErik Nordmark ASSERT(ixa->ixa_pktlen == msgdsize(mp));
132bd670b35SErik Nordmark if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &ixa->ixa_ip_hdr_length,
133bd670b35SErik Nordmark &nexthdrp)) {
134bd670b35SErik Nordmark /* Malformed packet */
135bd670b35SErik Nordmark BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
136bd670b35SErik Nordmark BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
137bd670b35SErik Nordmark ip_drop_output("ipIfStatsOutDiscards", mp, NULL);
138bd670b35SErik Nordmark freemsg(mp);
139bd670b35SErik Nordmark return (EINVAL);
140bd670b35SErik Nordmark }
141bd670b35SErik Nordmark ixa->ixa_protocol = *nexthdrp;
142bd670b35SErik Nordmark
143bd670b35SErik Nordmark /*
144bd670b35SErik Nordmark * Assumes that source routed packets have already been massaged by
145bd670b35SErik Nordmark * the ULP (ip_massage_options_v6) and as a result ip6_dst is the next
146bd670b35SErik Nordmark * hop in the source route. The final destination is used for IPsec
147bd670b35SErik Nordmark * policy and DCE lookup.
148bd670b35SErik Nordmark */
149bd670b35SErik Nordmark firsthop = ip6h->ip6_dst;
150bd670b35SErik Nordmark dst = ip_get_dst_v6(ip6h, mp, NULL);
151bd670b35SErik Nordmark
152bd670b35SErik Nordmark repeat_ire:
153bd670b35SErik Nordmark error = 0;
154bd670b35SErik Nordmark setsrc = ipv6_all_zeros;
15544b099c4SSowmini Varadhan ire = ip_select_route_v6(&firsthop, ip6h->ip6_src, ixa, NULL, &setsrc,
15644b099c4SSowmini Varadhan &error, &multirt);
157bd670b35SErik Nordmark ASSERT(ire != NULL); /* IRE_NOROUTE if none found */
158bd670b35SErik Nordmark if (error != 0) {
159bd670b35SErik Nordmark BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
160bd670b35SErik Nordmark BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
161bd670b35SErik Nordmark ip_drop_output("ipIfStatsOutDiscards", mp, NULL);
162bd670b35SErik Nordmark freemsg(mp);
163bd670b35SErik Nordmark goto done;
164bd670b35SErik Nordmark }
165bd670b35SErik Nordmark
166bd670b35SErik Nordmark if (ire->ire_flags & (RTF_BLACKHOLE|RTF_REJECT)) {
167bd670b35SErik Nordmark /* ire_ill might be NULL hence need to skip some code */
168bd670b35SErik Nordmark if (ixaflags & IXAF_SET_SOURCE)
169bd670b35SErik Nordmark ip6h->ip6_src = ipv6_loopback;
170bd670b35SErik Nordmark ixa->ixa_fragsize = IP_MAXPACKET;
171bd670b35SErik Nordmark ire->ire_ob_pkt_count++;
172bd670b35SErik Nordmark BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
173bd670b35SErik Nordmark /* No dce yet; use default one */
174bd670b35SErik Nordmark error = (ire->ire_sendfn)(ire, mp, ip6h, ixa,
175bd670b35SErik Nordmark &ipst->ips_dce_default->dce_ident);
176bd670b35SErik Nordmark goto done;
177bd670b35SErik Nordmark }
178bd670b35SErik Nordmark
179bd670b35SErik Nordmark /* Note that ip6_dst is only used for IRE_MULTICAST */
180bd670b35SErik Nordmark nce = ire_to_nce(ire, INADDR_ANY, &ip6h->ip6_dst);
181bd670b35SErik Nordmark if (nce == NULL) {
182bd670b35SErik Nordmark /* Allocation failure? */
183bd670b35SErik Nordmark ip_drop_output("ire_to_nce", mp, ill);
184bd670b35SErik Nordmark freemsg(mp);
185bd670b35SErik Nordmark error = ENOBUFS;
186bd670b35SErik Nordmark goto done;
187bd670b35SErik Nordmark }
188bd670b35SErik Nordmark if (nce->nce_is_condemned) {
189bd670b35SErik Nordmark nce_t *nce1;
190bd670b35SErik Nordmark
191bd670b35SErik Nordmark nce1 = ire_handle_condemned_nce(nce, ire, NULL, ip6h, B_TRUE);
192bd670b35SErik Nordmark nce_refrele(nce);
193bd670b35SErik Nordmark if (nce1 == NULL) {
194bd670b35SErik Nordmark if (!repeat) {
195bd670b35SErik Nordmark /* Try finding a better IRE */
196bd670b35SErik Nordmark repeat = B_TRUE;
197bd670b35SErik Nordmark ire_refrele(ire);
198bd670b35SErik Nordmark goto repeat_ire;
199bd670b35SErik Nordmark }
200bd670b35SErik Nordmark /* Tried twice - drop packet */
201bd670b35SErik Nordmark BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
202bd670b35SErik Nordmark ip_drop_output("No nce", mp, ill);
203bd670b35SErik Nordmark freemsg(mp);
204bd670b35SErik Nordmark error = ENOBUFS;
205bd670b35SErik Nordmark goto done;
206bd670b35SErik Nordmark }
207bd670b35SErik Nordmark nce = nce1;
208bd670b35SErik Nordmark }
209bd670b35SErik Nordmark /*
210bd670b35SErik Nordmark * For multicast with multirt we have a flag passed back from
211bd670b35SErik Nordmark * ire_lookup_multi_ill_v6 since we don't have an IRE for each
212bd670b35SErik Nordmark * possible multicast address.
213bd670b35SErik Nordmark * We also need a flag for multicast since we can't check
214bd670b35SErik Nordmark * whether RTF_MULTIRT is set in ixa_ire for multicast.
215bd670b35SErik Nordmark */
216bd670b35SErik Nordmark if (multirt) {
217bd670b35SErik Nordmark ixa->ixa_postfragfn = ip_postfrag_multirt_v6;
218bd670b35SErik Nordmark ixa->ixa_flags |= IXAF_MULTIRT_MULTICAST;
219bd670b35SErik Nordmark } else {
220bd670b35SErik Nordmark ixa->ixa_postfragfn = ire->ire_postfragfn;
221bd670b35SErik Nordmark ixa->ixa_flags &= ~IXAF_MULTIRT_MULTICAST;
222bd670b35SErik Nordmark }
223bd670b35SErik Nordmark ASSERT(ixa->ixa_nce == NULL);
224bd670b35SErik Nordmark ixa->ixa_nce = nce;
225bd670b35SErik Nordmark
226bd670b35SErik Nordmark /*
227bd670b35SErik Nordmark * Check for a dce_t with a path mtu.
228bd670b35SErik Nordmark */
229bd670b35SErik Nordmark ifindex = 0;
230bd670b35SErik Nordmark if (IN6_IS_ADDR_LINKSCOPE(&dst))
231bd670b35SErik Nordmark ifindex = nce->nce_common->ncec_ill->ill_phyint->phyint_ifindex;
232bd670b35SErik Nordmark
233bd670b35SErik Nordmark dce = dce_lookup_v6(&dst, ifindex, ipst, NULL);
234bd670b35SErik Nordmark ASSERT(dce != NULL);
235bd670b35SErik Nordmark
236bd670b35SErik Nordmark if (!(ixaflags & IXAF_PMTU_DISCOVERY)) {
237bd670b35SErik Nordmark ixa->ixa_fragsize = IPV6_MIN_MTU;
238bd670b35SErik Nordmark } else if (dce->dce_flags & DCEF_PMTU) {
239bd670b35SErik Nordmark /*
240bd670b35SErik Nordmark * To avoid a periodic timer to increase the path MTU we
241bd670b35SErik Nordmark * look at dce_last_change_time each time we send a packet.
242bd670b35SErik Nordmark */
243d3d50737SRafael Vanoni now = ddi_get_lbolt64();
244d3d50737SRafael Vanoni if (TICK_TO_SEC(now) - dce->dce_last_change_time >
245bd670b35SErik Nordmark ipst->ips_ip_pathmtu_interval) {
246bd670b35SErik Nordmark /*
247bd670b35SErik Nordmark * Older than 20 minutes. Drop the path MTU information.
248bd670b35SErik Nordmark */
249bd670b35SErik Nordmark mutex_enter(&dce->dce_lock);
2507199b8e7SDan McDonald dce->dce_flags &= ~DCEF_PMTU;
251d3d50737SRafael Vanoni dce->dce_last_change_time = TICK_TO_SEC(now);
252bd670b35SErik Nordmark mutex_exit(&dce->dce_lock);
253bd670b35SErik Nordmark dce_increment_generation(dce);
254bd670b35SErik Nordmark ixa->ixa_fragsize = ip_get_base_mtu(nce->nce_ill, ire);
255bd670b35SErik Nordmark } else {
256bd670b35SErik Nordmark uint_t fragsize;
257bd670b35SErik Nordmark
258bd670b35SErik Nordmark fragsize = ip_get_base_mtu(nce->nce_ill, ire);
259bd670b35SErik Nordmark if (fragsize > dce->dce_pmtu)
260bd670b35SErik Nordmark fragsize = dce->dce_pmtu;
261bd670b35SErik Nordmark ixa->ixa_fragsize = fragsize;
262bd670b35SErik Nordmark }
263bd670b35SErik Nordmark } else {
264bd670b35SErik Nordmark ixa->ixa_fragsize = ip_get_base_mtu(nce->nce_ill, ire);
265bd670b35SErik Nordmark }
266bd670b35SErik Nordmark
267bd670b35SErik Nordmark /*
268bd670b35SErik Nordmark * We use use ire_nexthop_ill (and not ncec_ill) to avoid the under ipmp
269bd670b35SErik Nordmark * interface for source address selection.
270bd670b35SErik Nordmark */
271bd670b35SErik Nordmark ill = ire_nexthop_ill(ire);
272bd670b35SErik Nordmark
273bd670b35SErik Nordmark if (ixaflags & IXAF_SET_SOURCE) {
274bd670b35SErik Nordmark in6_addr_t src;
275bd670b35SErik Nordmark
276bd670b35SErik Nordmark /*
277bd670b35SErik Nordmark * We use the final destination to get
278bd670b35SErik Nordmark * correct selection for source routed packets
279bd670b35SErik Nordmark */
280bd670b35SErik Nordmark
281bd670b35SErik Nordmark /* If unreachable we have no ill but need some source */
282bd670b35SErik Nordmark if (ill == NULL) {
283bd670b35SErik Nordmark src = ipv6_loopback;
284bd670b35SErik Nordmark error = 0;
285bd670b35SErik Nordmark } else {
286bd670b35SErik Nordmark error = ip_select_source_v6(ill, &setsrc, &dst,
287bd670b35SErik Nordmark ixa->ixa_zoneid, ipst, B_FALSE,
288bd670b35SErik Nordmark ixa->ixa_src_preferences, &src, NULL, NULL);
289bd670b35SErik Nordmark }
290bd670b35SErik Nordmark if (error != 0) {
291bd670b35SErik Nordmark BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
292bd670b35SErik Nordmark BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
293bd670b35SErik Nordmark ip_drop_output("ipIfStatsOutDiscards - no source",
294bd670b35SErik Nordmark mp, ill);
295bd670b35SErik Nordmark freemsg(mp);
296bd670b35SErik Nordmark goto done;
297bd670b35SErik Nordmark }
298bd670b35SErik Nordmark ip6h->ip6_src = src;
299bd670b35SErik Nordmark } else if (ixaflags & IXAF_VERIFY_SOURCE) {
300bd670b35SErik Nordmark /* Check if the IP source is assigned to the host. */
301bd670b35SErik Nordmark if (!ip_verify_src(mp, ixa, NULL)) {
302bd670b35SErik Nordmark /* Don't send a packet with a source that isn't ours */
303bd670b35SErik Nordmark BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
304bd670b35SErik Nordmark BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
305bd670b35SErik Nordmark ip_drop_output("ipIfStatsOutDiscards - invalid source",
306bd670b35SErik Nordmark mp, ill);
307bd670b35SErik Nordmark freemsg(mp);
308bd670b35SErik Nordmark error = EADDRNOTAVAIL;
309bd670b35SErik Nordmark goto done;
310bd670b35SErik Nordmark }
311bd670b35SErik Nordmark }
312bd670b35SErik Nordmark
313bd670b35SErik Nordmark /*
314bd670b35SErik Nordmark * Check against global IPsec policy to set the AH/ESP attributes.
315bd670b35SErik Nordmark * IPsec will set IXAF_IPSEC_* and ixa_ipsec_* as appropriate.
316bd670b35SErik Nordmark */
317bd670b35SErik Nordmark if (!(ixaflags & (IXAF_NO_IPSEC|IXAF_IPSEC_SECURE))) {
318bd670b35SErik Nordmark ASSERT(ixa->ixa_ipsec_policy == NULL);
319bd670b35SErik Nordmark mp = ip_output_attach_policy(mp, NULL, ip6h, NULL, ixa);
320bd670b35SErik Nordmark if (mp == NULL) {
321bd670b35SErik Nordmark /* MIB and ip_drop_packet already done */
322bd670b35SErik Nordmark return (EHOSTUNREACH); /* IPsec policy failure */
323bd670b35SErik Nordmark }
324bd670b35SErik Nordmark }
325bd670b35SErik Nordmark
326bd670b35SErik Nordmark if (ill != NULL) {
327bd670b35SErik Nordmark BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCOutRequests);
328bd670b35SErik Nordmark } else {
329bd670b35SErik Nordmark BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsHCOutRequests);
330bd670b35SErik Nordmark }
331bd670b35SErik Nordmark
332bd670b35SErik Nordmark /*
333bd670b35SErik Nordmark * We update the statistics on the most specific IRE i.e., the first
334bd670b35SErik Nordmark * one we found.
335bd670b35SErik Nordmark * We don't have an IRE when we fragment, hence ire_ob_pkt_count
336bd670b35SErik Nordmark * can only count the use prior to fragmentation. However the MIB
337bd670b35SErik Nordmark * counters on the ill will be incremented in post fragmentation.
338bd670b35SErik Nordmark */
339bd670b35SErik Nordmark ire->ire_ob_pkt_count++;
340bd670b35SErik Nordmark
341bd670b35SErik Nordmark /*
342bd670b35SErik Nordmark * Based on ire_type and ire_flags call one of:
343bd670b35SErik Nordmark * ire_send_local_v6 - for IRE_LOCAL and IRE_LOOPBACK
344bd670b35SErik Nordmark * ire_send_multirt_v6 - if RTF_MULTIRT
345bd670b35SErik Nordmark * ire_send_noroute_v6 - if RTF_REJECT or RTF_BLACHOLE
346bd670b35SErik Nordmark * ire_send_multicast_v6 - for IRE_MULTICAST
347bd670b35SErik Nordmark * ire_send_wire_v6 - for the rest.
348bd670b35SErik Nordmark */
349bd670b35SErik Nordmark error = (ire->ire_sendfn)(ire, mp, ip6h, ixa, &dce->dce_ident);
350bd670b35SErik Nordmark done:
351bd670b35SErik Nordmark ire_refrele(ire);
352bd670b35SErik Nordmark if (dce != NULL)
353bd670b35SErik Nordmark dce_refrele(dce);
354bd670b35SErik Nordmark if (ill != NULL)
355bd670b35SErik Nordmark ill_refrele(ill);
356bd670b35SErik Nordmark if (ixa->ixa_nce != NULL)
357bd670b35SErik Nordmark nce_refrele(ixa->ixa_nce);
358bd670b35SErik Nordmark ixa->ixa_nce = NULL;
359bd670b35SErik Nordmark return (error);
360bd670b35SErik Nordmark }
361bd670b35SErik Nordmark
/*
 * ire_sendfn() functions.
 * These functions use the following xmit_attr:
 *  - ixa_fragsize - read to determine whether or not to fragment
 *  - IXAF_IPSEC_SECURE - to determine whether or not to invoke IPsec
 *  - ixa_ipsec_* are used inside IPsec
 *  - IXAF_LOOPBACK_COPY - for multicast
 */
370bd670b35SErik Nordmark
371bd670b35SErik Nordmark
372bd670b35SErik Nordmark /*
373bd670b35SErik Nordmark * ire_sendfn for IRE_LOCAL and IRE_LOOPBACK
374bd670b35SErik Nordmark *
375bd670b35SErik Nordmark * The checks for restrict_interzone_loopback are done in ire_route_recursive.
376bd670b35SErik Nordmark */
377bd670b35SErik Nordmark /* ARGSUSED4 */
378bd670b35SErik Nordmark int
ire_send_local_v6(ire_t * ire,mblk_t * mp,void * iph_arg,ip_xmit_attr_t * ixa,uint32_t * identp)379bd670b35SErik Nordmark ire_send_local_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
380bd670b35SErik Nordmark ip_xmit_attr_t *ixa, uint32_t *identp)
381bd670b35SErik Nordmark {
382bd670b35SErik Nordmark ip6_t *ip6h = (ip6_t *)iph_arg;
383bd670b35SErik Nordmark ip_stack_t *ipst = ixa->ixa_ipst;
384bd670b35SErik Nordmark ill_t *ill = ire->ire_ill;
385bd670b35SErik Nordmark ip_recv_attr_t iras; /* NOTE: No bzero for performance */
386bd670b35SErik Nordmark uint_t pktlen = ixa->ixa_pktlen;
387bd670b35SErik Nordmark
388bd670b35SErik Nordmark /*
389bd670b35SErik Nordmark * No fragmentation, no nce, and no application of IPsec.
390bd670b35SErik Nordmark *
391bd670b35SErik Nordmark *
392bd670b35SErik Nordmark * Note different order between IP provider and FW_HOOKS than in
393bd670b35SErik Nordmark * send_wire case.
394bd670b35SErik Nordmark */
395bd670b35SErik Nordmark
396bd670b35SErik Nordmark /*
397bd670b35SErik Nordmark * DTrace this as ip:::send. A packet blocked by FW_HOOKS will fire the
398bd670b35SErik Nordmark * send probe, but not the receive probe.
399bd670b35SErik Nordmark */
400bd670b35SErik Nordmark DTRACE_IP7(send, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
401bd670b35SErik Nordmark ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *, ip6h,
402bd670b35SErik Nordmark int, 1);
403bd670b35SErik Nordmark
404bd670b35SErik Nordmark DTRACE_PROBE4(ip6__loopback__out__start,
405bd670b35SErik Nordmark ill_t *, NULL, ill_t *, ill,
406bd670b35SErik Nordmark ip6_t *, ip6h, mblk_t *, mp);
407bd670b35SErik Nordmark
408bd670b35SErik Nordmark if (HOOKS6_INTERESTED_LOOPBACK_OUT(ipst)) {
409bd670b35SErik Nordmark int error;
410bd670b35SErik Nordmark
411bd670b35SErik Nordmark FW_HOOKS(ipst->ips_ip6_loopback_out_event,
412bd670b35SErik Nordmark ipst->ips_ipv6firewall_loopback_out,
413bd670b35SErik Nordmark NULL, ill, ip6h, mp, mp, 0, ipst, error);
414bd670b35SErik Nordmark
415bd670b35SErik Nordmark DTRACE_PROBE1(ip6__loopback__out__end, mblk_t *, mp);
416bd670b35SErik Nordmark if (mp == NULL)
417bd670b35SErik Nordmark return (error);
418bd670b35SErik Nordmark
419bd670b35SErik Nordmark /*
420bd670b35SErik Nordmark * Even if the destination was changed by the filter we use the
421bd670b35SErik Nordmark * forwarding decision that was made based on the address
422bd670b35SErik Nordmark * in ip_output/ip_set_destination.
423bd670b35SErik Nordmark */
424bd670b35SErik Nordmark /* Length could be different */
425bd670b35SErik Nordmark ip6h = (ip6_t *)mp->b_rptr;
426bd670b35SErik Nordmark pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
427bd670b35SErik Nordmark }
428bd670b35SErik Nordmark
429bd670b35SErik Nordmark /*
430bd670b35SErik Nordmark * If a callback is enabled then we need to know the
431bd670b35SErik Nordmark * source and destination zoneids for the packet. We already
432bd670b35SErik Nordmark * have those handy.
433bd670b35SErik Nordmark */
434bd670b35SErik Nordmark if (ipst->ips_ip6_observe.he_interested) {
435bd670b35SErik Nordmark zoneid_t szone, dzone;
436bd670b35SErik Nordmark zoneid_t stackzoneid;
437bd670b35SErik Nordmark
438bd670b35SErik Nordmark stackzoneid = netstackid_to_zoneid(
439bd670b35SErik Nordmark ipst->ips_netstack->netstack_stackid);
440bd670b35SErik Nordmark
441bd670b35SErik Nordmark if (stackzoneid == GLOBAL_ZONEID) {
442bd670b35SErik Nordmark /* Shared-IP zone */
443bd670b35SErik Nordmark dzone = ire->ire_zoneid;
444bd670b35SErik Nordmark szone = ixa->ixa_zoneid;
445bd670b35SErik Nordmark } else {
446bd670b35SErik Nordmark szone = dzone = stackzoneid;
447bd670b35SErik Nordmark }
448bd670b35SErik Nordmark ipobs_hook(mp, IPOBS_HOOK_LOCAL, szone, dzone, ill, ipst);
449bd670b35SErik Nordmark }
450bd670b35SErik Nordmark
451bd670b35SErik Nordmark /* Handle lo0 stats */
452bd670b35SErik Nordmark ipst->ips_loopback_packets++;
453bd670b35SErik Nordmark
454bd670b35SErik Nordmark /*
455bd670b35SErik Nordmark * Update output mib stats. Note that we can't move into the icmp
456bd670b35SErik Nordmark * sender (icmp_output etc) since they don't know the ill and the
457bd670b35SErik Nordmark * stats are per ill.
458bd670b35SErik Nordmark */
459bd670b35SErik Nordmark if (ixa->ixa_protocol == IPPROTO_ICMPV6) {
460bd670b35SErik Nordmark icmp6_t *icmp6;
461bd670b35SErik Nordmark
462bd670b35SErik Nordmark icmp6 = (icmp6_t *)((uchar_t *)ip6h + ixa->ixa_ip_hdr_length);
463bd670b35SErik Nordmark icmp_update_out_mib_v6(ill, icmp6);
464bd670b35SErik Nordmark }
465bd670b35SErik Nordmark
466bd670b35SErik Nordmark DTRACE_PROBE4(ip6__loopback__in__start,
467bd670b35SErik Nordmark ill_t *, ill, ill_t *, NULL,
468bd670b35SErik Nordmark ip6_t *, ip6h, mblk_t *, mp);
469bd670b35SErik Nordmark
470bd670b35SErik Nordmark if (HOOKS6_INTERESTED_LOOPBACK_IN(ipst)) {
471bd670b35SErik Nordmark int error;
472bd670b35SErik Nordmark
473bd670b35SErik Nordmark FW_HOOKS(ipst->ips_ip6_loopback_in_event,
474bd670b35SErik Nordmark ipst->ips_ipv6firewall_loopback_in,
475bd670b35SErik Nordmark ill, NULL, ip6h, mp, mp, 0, ipst, error);
476bd670b35SErik Nordmark
477bd670b35SErik Nordmark DTRACE_PROBE1(ip6__loopback__in__end, mblk_t *, mp);
478bd670b35SErik Nordmark if (mp == NULL)
479bd670b35SErik Nordmark return (error);
480bd670b35SErik Nordmark
481bd670b35SErik Nordmark /*
482bd670b35SErik Nordmark * Even if the destination was changed by the filter we use the
483bd670b35SErik Nordmark * forwarding decision that was made based on the address
484bd670b35SErik Nordmark * in ip_output/ip_set_destination.
485bd670b35SErik Nordmark */
486bd670b35SErik Nordmark /* Length could be different */
487bd670b35SErik Nordmark ip6h = (ip6_t *)mp->b_rptr;
488bd670b35SErik Nordmark pktlen = ntohs(ip6h->ip6_plen) + IPV6_HDR_LEN;
489bd670b35SErik Nordmark }
490bd670b35SErik Nordmark
491bd670b35SErik Nordmark DTRACE_IP7(receive, mblk_t *, mp, conn_t *, NULL, void_ip_t *,
492bd670b35SErik Nordmark ip6h, __dtrace_ipsr_ill_t *, ill, ipha_t *, NULL, ip6_t *, ip6h,
493bd670b35SErik Nordmark int, 1);
494bd670b35SErik Nordmark
495bd670b35SErik Nordmark /* Map ixa to ira including IPsec policies */
496bd670b35SErik Nordmark ipsec_out_to_in(ixa, ill, &iras);
497bd670b35SErik Nordmark iras.ira_pktlen = pktlen;
498bd670b35SErik Nordmark
499bd670b35SErik Nordmark ire->ire_ib_pkt_count++;
500bd670b35SErik Nordmark BUMP_MIB(ill->ill_ip_mib, ipIfStatsHCInReceives);
501bd670b35SErik Nordmark UPDATE_MIB(ill->ill_ip_mib, ipIfStatsHCInOctets, pktlen);
502bd670b35SErik Nordmark
503bd670b35SErik Nordmark /* Destined to ire_zoneid - use that for fanout */
504bd670b35SErik Nordmark iras.ira_zoneid = ire->ire_zoneid;
505bd670b35SErik Nordmark
506bd670b35SErik Nordmark if (is_system_labeled()) {
507bd670b35SErik Nordmark iras.ira_flags |= IRAF_SYSTEM_LABELED;
508bd670b35SErik Nordmark
509bd670b35SErik Nordmark /*
510bd670b35SErik Nordmark * This updates ira_cred, ira_tsl and ira_free_flags based
511bd670b35SErik Nordmark * on the label. We don't expect this to ever fail for
512bd670b35SErik Nordmark * loopback packets, so we silently drop the packet should it
513bd670b35SErik Nordmark * fail.
514bd670b35SErik Nordmark */
515bd670b35SErik Nordmark if (!tsol_get_pkt_label(mp, IPV6_VERSION, &iras)) {
516bd670b35SErik Nordmark BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
517bd670b35SErik Nordmark ip_drop_input("tsol_get_pkt_label", mp, ill);
518bd670b35SErik Nordmark freemsg(mp);
519bd670b35SErik Nordmark return (0);
520bd670b35SErik Nordmark }
521bd670b35SErik Nordmark ASSERT(iras.ira_tsl != NULL);
522bd670b35SErik Nordmark
523bd670b35SErik Nordmark /* tsol_get_pkt_label sometimes does pullupmsg */
524bd670b35SErik Nordmark ip6h = (ip6_t *)mp->b_rptr;
525bd670b35SErik Nordmark }
526bd670b35SErik Nordmark
527bd670b35SErik Nordmark ip_fanout_v6(mp, ip6h, &iras);
528bd670b35SErik Nordmark
529bd670b35SErik Nordmark /* We moved any IPsec refs from ixa to iras */
530bd670b35SErik Nordmark ira_cleanup(&iras, B_FALSE);
531bd670b35SErik Nordmark return (0);
532bd670b35SErik Nordmark }
533bd670b35SErik Nordmark
534bd670b35SErik Nordmark static void
multirt_check_v6(ire_t * ire,ip6_t * ip6h,ip_xmit_attr_t * ixa)535bd670b35SErik Nordmark multirt_check_v6(ire_t *ire, ip6_t *ip6h, ip_xmit_attr_t *ixa)
536bd670b35SErik Nordmark {
537bd670b35SErik Nordmark ip_stack_t *ipst = ixa->ixa_ipst;
538bd670b35SErik Nordmark
539bd670b35SErik Nordmark /* Limit the TTL on multirt packets. Do this even if IPV6_HOPLIMIT */
540bd670b35SErik Nordmark if (ire->ire_type & IRE_MULTICAST) {
541bd670b35SErik Nordmark if (ip6h->ip6_hops > 1) {
542bd670b35SErik Nordmark ip2dbg(("ire_send_multirt_v6: forcing multicast "
543bd670b35SErik Nordmark "multirt TTL to 1 (was %d)\n", ip6h->ip6_hops));
544bd670b35SErik Nordmark ip6h->ip6_hops = 1;
545bd670b35SErik Nordmark }
546bd670b35SErik Nordmark ixa->ixa_flags |= IXAF_NO_TTL_CHANGE;
547bd670b35SErik Nordmark } else if ((ipst->ips_ip_multirt_ttl > 0) &&
548bd670b35SErik Nordmark (ip6h->ip6_hops > ipst->ips_ip_multirt_ttl)) {
549bd670b35SErik Nordmark ip6h->ip6_hops = ipst->ips_ip_multirt_ttl;
550bd670b35SErik Nordmark /*
551bd670b35SErik Nordmark * Need to ensure we don't increase the ttl should we go through
552bd670b35SErik Nordmark * ire_send_multicast.
553bd670b35SErik Nordmark */
554bd670b35SErik Nordmark ixa->ixa_flags |= IXAF_NO_TTL_CHANGE;
555bd670b35SErik Nordmark }
556bd670b35SErik Nordmark
557bd670b35SErik Nordmark /* For IPv6 this also needs to insert a fragment header */
558bd670b35SErik Nordmark ixa->ixa_flags |= IXAF_IPV6_ADD_FRAGHDR;
559bd670b35SErik Nordmark }
560bd670b35SErik Nordmark
/*
 * ire_sendfn for IRE_MULTICAST
 *
 * Note that we do path MTU discovery by default for IPv6 multicast. But
 * since unconnected UDP and RAW sockets don't set IXAF_PMTU_DISCOVERY
 * only connected sockets get this by default.
 */
568bd670b35SErik Nordmark int
ire_send_multicast_v6(ire_t * ire,mblk_t * mp,void * iph_arg,ip_xmit_attr_t * ixa,uint32_t * identp)569bd670b35SErik Nordmark ire_send_multicast_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
570bd670b35SErik Nordmark ip_xmit_attr_t *ixa, uint32_t *identp)
571bd670b35SErik Nordmark {
572bd670b35SErik Nordmark ip6_t *ip6h = (ip6_t *)iph_arg;
573bd670b35SErik Nordmark ip_stack_t *ipst = ixa->ixa_ipst;
574bd670b35SErik Nordmark ill_t *ill = ire->ire_ill;
575bd670b35SErik Nordmark iaflags_t ixaflags = ixa->ixa_flags;
576bd670b35SErik Nordmark
577bd670b35SErik Nordmark /*
578bd670b35SErik Nordmark * The IRE_MULTICAST is the same whether or not multirt is in use.
579bd670b35SErik Nordmark * Hence we need special-case code.
580bd670b35SErik Nordmark */
581bd670b35SErik Nordmark if (ixaflags & IXAF_MULTIRT_MULTICAST)
582bd670b35SErik Nordmark multirt_check_v6(ire, ip6h, ixa);
583bd670b35SErik Nordmark
584bd670b35SErik Nordmark /*
585bd670b35SErik Nordmark * Check if anything in ip_input_v6 wants a copy of the transmitted
586bd670b35SErik Nordmark * packet (after IPsec and fragmentation)
587bd670b35SErik Nordmark *
588bd670b35SErik Nordmark * 1. Multicast routers always need a copy unless SO_DONTROUTE is set
589bd670b35SErik Nordmark * RSVP and the rsvp daemon is an example of a
590bd670b35SErik Nordmark * protocol and user level process that
591bd670b35SErik Nordmark * handles it's own routing. Hence, it uses the
592bd670b35SErik Nordmark * SO_DONTROUTE option to accomplish this.
593bd670b35SErik Nordmark * 2. If the sender has set IP_MULTICAST_LOOP, then we just
594bd670b35SErik Nordmark * check whether there are any receivers for the group on the ill
595bd670b35SErik Nordmark * (ignoring the zoneid).
596bd670b35SErik Nordmark * 3. If IP_MULTICAST_LOOP is not set, then we check if there are
597bd670b35SErik Nordmark * any members in other shared-IP zones.
598bd670b35SErik Nordmark * If such members exist, then we indicate that the sending zone
599bd670b35SErik Nordmark * shouldn't get a loopback copy to preserve the IP_MULTICAST_LOOP
600bd670b35SErik Nordmark * behavior.
601bd670b35SErik Nordmark *
602bd670b35SErik Nordmark * When we loopback we skip hardware checksum to make sure loopback
603bd670b35SErik Nordmark * copy is checksumed.
604bd670b35SErik Nordmark *
605bd670b35SErik Nordmark * Note that ire_ill is the upper in the case of IPMP.
606bd670b35SErik Nordmark */
607bd670b35SErik Nordmark ixa->ixa_flags &= ~(IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM);
608bd670b35SErik Nordmark if (ipst->ips_ip_g_mrouter && ill->ill_mrouter_cnt > 0 &&
609bd670b35SErik Nordmark !(ixaflags & IXAF_DONTROUTE)) {
610bd670b35SErik Nordmark ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
611bd670b35SErik Nordmark } else if (ixaflags & IXAF_MULTICAST_LOOP) {
612bd670b35SErik Nordmark /*
613bd670b35SErik Nordmark * If this zone or any other zone has members then loopback
614bd670b35SErik Nordmark * a copy.
615bd670b35SErik Nordmark */
616bd670b35SErik Nordmark if (ill_hasmembers_v6(ill, &ip6h->ip6_dst))
617bd670b35SErik Nordmark ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
618bd670b35SErik Nordmark } else if (ipst->ips_netstack->netstack_numzones > 1) {
619bd670b35SErik Nordmark /*
620bd670b35SErik Nordmark * This zone should not have a copy. But there are some other
621bd670b35SErik Nordmark * zones which might have members.
622bd670b35SErik Nordmark */
623bd670b35SErik Nordmark if (ill_hasmembers_otherzones_v6(ill, &ip6h->ip6_dst,
624bd670b35SErik Nordmark ixa->ixa_zoneid)) {
625bd670b35SErik Nordmark ixa->ixa_flags |= IXAF_NO_LOOP_ZONEID_SET;
626bd670b35SErik Nordmark ixa->ixa_no_loop_zoneid = ixa->ixa_zoneid;
627bd670b35SErik Nordmark ixa->ixa_flags |= IXAF_LOOPBACK_COPY | IXAF_NO_HW_CKSUM;
628bd670b35SErik Nordmark }
629bd670b35SErik Nordmark }
630bd670b35SErik Nordmark
631bd670b35SErik Nordmark /*
632bd670b35SErik Nordmark * Unless IPV6_HOPLIMIT or ire_send_multirt_v6 already set a ttl,
633bd670b35SErik Nordmark * force the ttl to the IP_MULTICAST_TTL value
634bd670b35SErik Nordmark */
635bd670b35SErik Nordmark if (!(ixaflags & IXAF_NO_TTL_CHANGE)) {
636bd670b35SErik Nordmark ip6h->ip6_hops = ixa->ixa_multicast_ttl;
637bd670b35SErik Nordmark }
638bd670b35SErik Nordmark
639bd670b35SErik Nordmark return (ire_send_wire_v6(ire, mp, ip6h, ixa, identp));
640bd670b35SErik Nordmark }
641bd670b35SErik Nordmark
642bd670b35SErik Nordmark /*
643bd670b35SErik Nordmark * ire_sendfn for IREs with RTF_MULTIRT
644bd670b35SErik Nordmark */
645bd670b35SErik Nordmark int
ire_send_multirt_v6(ire_t * ire,mblk_t * mp,void * iph_arg,ip_xmit_attr_t * ixa,uint32_t * identp)646bd670b35SErik Nordmark ire_send_multirt_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
647bd670b35SErik Nordmark ip_xmit_attr_t *ixa, uint32_t *identp)
648bd670b35SErik Nordmark {
649bd670b35SErik Nordmark ip6_t *ip6h = (ip6_t *)iph_arg;
650bd670b35SErik Nordmark
651bd670b35SErik Nordmark multirt_check_v6(ire, ip6h, ixa);
652bd670b35SErik Nordmark
653bd670b35SErik Nordmark if (ire->ire_type & IRE_MULTICAST)
654bd670b35SErik Nordmark return (ire_send_multicast_v6(ire, mp, ip6h, ixa, identp));
655bd670b35SErik Nordmark else
656bd670b35SErik Nordmark return (ire_send_wire_v6(ire, mp, ip6h, ixa, identp));
657bd670b35SErik Nordmark }
658bd670b35SErik Nordmark
659bd670b35SErik Nordmark /*
660bd670b35SErik Nordmark * ire_sendfn for IREs with RTF_REJECT/RTF_BLACKHOLE, including IRE_NOROUTE
661bd670b35SErik Nordmark */
662bd670b35SErik Nordmark /* ARGSUSED4 */
663bd670b35SErik Nordmark int
ire_send_noroute_v6(ire_t * ire,mblk_t * mp,void * iph_arg,ip_xmit_attr_t * ixa,uint32_t * identp)664bd670b35SErik Nordmark ire_send_noroute_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
665bd670b35SErik Nordmark ip_xmit_attr_t *ixa, uint32_t *identp)
666bd670b35SErik Nordmark {
667bd670b35SErik Nordmark ip6_t *ip6h = (ip6_t *)iph_arg;
668bd670b35SErik Nordmark ip_stack_t *ipst = ixa->ixa_ipst;
669bd670b35SErik Nordmark ill_t *ill;
670bd670b35SErik Nordmark ip_recv_attr_t iras;
671bd670b35SErik Nordmark boolean_t dummy;
672bd670b35SErik Nordmark
673bd670b35SErik Nordmark BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutNoRoutes);
674bd670b35SErik Nordmark
675bd670b35SErik Nordmark if (ire->ire_type & IRE_NOROUTE) {
676bd670b35SErik Nordmark /* A lack of a route as opposed to RTF_REJECT|BLACKHOLE */
677bd670b35SErik Nordmark ip_rts_change_v6(RTM_MISS, &ip6h->ip6_dst, 0, 0, 0, 0, 0, 0,
678bd670b35SErik Nordmark RTA_DST, ipst);
679bd670b35SErik Nordmark }
680bd670b35SErik Nordmark
681bd670b35SErik Nordmark if (ire->ire_flags & RTF_BLACKHOLE) {
682bd670b35SErik Nordmark ip_drop_output("ipIfStatsOutNoRoutes RTF_BLACKHOLE", mp, NULL);
683bd670b35SErik Nordmark freemsg(mp);
684bd670b35SErik Nordmark /* No error even for local senders - silent blackhole */
685bd670b35SErik Nordmark return (0);
686bd670b35SErik Nordmark }
687bd670b35SErik Nordmark ip_drop_output("ipIfStatsOutNoRoutes RTF_REJECT", mp, NULL);
688bd670b35SErik Nordmark
689bd670b35SErik Nordmark /*
690bd670b35SErik Nordmark * We need an ill_t for the ip_recv_attr_t even though this packet
691bd670b35SErik Nordmark * was never received and icmp_unreachable doesn't currently use
692bd670b35SErik Nordmark * ira_ill.
693bd670b35SErik Nordmark */
694bd670b35SErik Nordmark ill = ill_lookup_on_name("lo0", B_FALSE,
695bd670b35SErik Nordmark !(ixa->ixa_flags & IRAF_IS_IPV4), &dummy, ipst);
696bd670b35SErik Nordmark if (ill == NULL) {
697bd670b35SErik Nordmark freemsg(mp);
698bd670b35SErik Nordmark return (EHOSTUNREACH);
699bd670b35SErik Nordmark }
700bd670b35SErik Nordmark
701bd670b35SErik Nordmark bzero(&iras, sizeof (iras));
702bd670b35SErik Nordmark /* Map ixa to ira including IPsec policies */
703bd670b35SErik Nordmark ipsec_out_to_in(ixa, ill, &iras);
704bd670b35SErik Nordmark
705bd670b35SErik Nordmark icmp_unreachable_v6(mp, ICMP6_DST_UNREACH_NOROUTE, B_FALSE, &iras);
706bd670b35SErik Nordmark /* We moved any IPsec refs from ixa to iras */
707bd670b35SErik Nordmark ira_cleanup(&iras, B_FALSE);
708bd670b35SErik Nordmark
709bd670b35SErik Nordmark ill_refrele(ill);
710bd670b35SErik Nordmark return (EHOSTUNREACH);
711bd670b35SErik Nordmark }
712bd670b35SErik Nordmark
713bd670b35SErik Nordmark /*
714bd670b35SErik Nordmark * Calculate a checksum ignoring any hardware capabilities
715bd670b35SErik Nordmark *
716bd670b35SErik Nordmark * Returns B_FALSE if the packet was too short for the checksum. Caller
717bd670b35SErik Nordmark * should free and do stats.
718bd670b35SErik Nordmark */
719bd670b35SErik Nordmark static boolean_t
ip_output_sw_cksum_v6(mblk_t * mp,ip6_t * ip6h,ip_xmit_attr_t * ixa)720bd670b35SErik Nordmark ip_output_sw_cksum_v6(mblk_t *mp, ip6_t *ip6h, ip_xmit_attr_t *ixa)
721bd670b35SErik Nordmark {
722bd670b35SErik Nordmark ip_stack_t *ipst = ixa->ixa_ipst;
723bd670b35SErik Nordmark uint_t pktlen = ixa->ixa_pktlen;
724bd670b35SErik Nordmark uint16_t *cksump;
725bd670b35SErik Nordmark uint32_t cksum;
726bd670b35SErik Nordmark uint8_t protocol = ixa->ixa_protocol;
727bd670b35SErik Nordmark uint16_t ip_hdr_length = ixa->ixa_ip_hdr_length;
728bd670b35SErik Nordmark
729bd670b35SErik Nordmark #define iphs ((uint16_t *)ip6h)
730bd670b35SErik Nordmark
731bd670b35SErik Nordmark /* Just in case it contained garbage */
732bd670b35SErik Nordmark DB_CKSUMFLAGS(mp) &= ~HCK_FLAGS;
733bd670b35SErik Nordmark
734bd670b35SErik Nordmark /*
735bd670b35SErik Nordmark * Calculate ULP checksum
736bd670b35SErik Nordmark */
737bd670b35SErik Nordmark if (protocol == IPPROTO_TCP) {
738bd670b35SErik Nordmark cksump = IPH_TCPH_CHECKSUMP(ip6h, ip_hdr_length);
739bd670b35SErik Nordmark cksum = IP_TCP_CSUM_COMP;
740bd670b35SErik Nordmark } else if (protocol == IPPROTO_UDP) {
741bd670b35SErik Nordmark cksump = IPH_UDPH_CHECKSUMP(ip6h, ip_hdr_length);
742bd670b35SErik Nordmark cksum = IP_UDP_CSUM_COMP;
743bd670b35SErik Nordmark } else if (protocol == IPPROTO_SCTP) {
744bd670b35SErik Nordmark sctp_hdr_t *sctph;
745bd670b35SErik Nordmark
746bd670b35SErik Nordmark ASSERT(MBLKL(mp) >= (ip_hdr_length + sizeof (*sctph)));
747bd670b35SErik Nordmark sctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_length);
748bd670b35SErik Nordmark /*
749bd670b35SErik Nordmark * Zero out the checksum field to ensure proper
750bd670b35SErik Nordmark * checksum calculation.
751bd670b35SErik Nordmark */
752bd670b35SErik Nordmark sctph->sh_chksum = 0;
753bd670b35SErik Nordmark #ifdef DEBUG
754bd670b35SErik Nordmark if (!skip_sctp_cksum)
755bd670b35SErik Nordmark #endif
756bd670b35SErik Nordmark sctph->sh_chksum = sctp_cksum(mp, ip_hdr_length);
757bd670b35SErik Nordmark return (B_TRUE);
758bd670b35SErik Nordmark } else if (ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
759bd670b35SErik Nordmark /*
760bd670b35SErik Nordmark * icmp has placed length and routing
761bd670b35SErik Nordmark * header adjustment in the checksum field.
762bd670b35SErik Nordmark */
763bd670b35SErik Nordmark cksump = (uint16_t *)(((uint8_t *)ip6h) + ip_hdr_length +
764bd670b35SErik Nordmark ixa->ixa_raw_cksum_offset);
765bd670b35SErik Nordmark cksum = htons(protocol);
766bd670b35SErik Nordmark } else if (protocol == IPPROTO_ICMPV6) {
767bd670b35SErik Nordmark cksump = IPH_ICMPV6_CHECKSUMP(ip6h, ip_hdr_length);
768bd670b35SErik Nordmark cksum = IP_ICMPV6_CSUM_COMP; /* Pseudo-header cksum */
769bd670b35SErik Nordmark } else {
770bd670b35SErik Nordmark return (B_TRUE);
771bd670b35SErik Nordmark }
772bd670b35SErik Nordmark
773bd670b35SErik Nordmark /* ULP puts the checksum field is in the first mblk */
774bd670b35SErik Nordmark ASSERT(((uchar_t *)cksump) + sizeof (uint16_t) <= mp->b_wptr);
775bd670b35SErik Nordmark
776bd670b35SErik Nordmark /*
777bd670b35SErik Nordmark * We accumulate the pseudo header checksum in cksum.
778bd670b35SErik Nordmark * This is pretty hairy code, so watch close. One
779bd670b35SErik Nordmark * thing to keep in mind is that UDP and TCP have
780bd670b35SErik Nordmark * stored their respective datagram lengths in their
781bd670b35SErik Nordmark * checksum fields. This lines things up real nice.
782bd670b35SErik Nordmark */
783bd670b35SErik Nordmark cksum += iphs[4] + iphs[5] + iphs[6] + iphs[7] +
784bd670b35SErik Nordmark iphs[8] + iphs[9] + iphs[10] + iphs[11] +
785bd670b35SErik Nordmark iphs[12] + iphs[13] + iphs[14] + iphs[15] +
786bd670b35SErik Nordmark iphs[16] + iphs[17] + iphs[18] + iphs[19];
787bd670b35SErik Nordmark cksum = IP_CSUM(mp, ip_hdr_length, cksum);
788bd670b35SErik Nordmark
789bd670b35SErik Nordmark /*
790bd670b35SErik Nordmark * For UDP/IPv6 a zero UDP checksum is not allowed.
791bd670b35SErik Nordmark * Change to 0xffff
792bd670b35SErik Nordmark */
793bd670b35SErik Nordmark if (protocol == IPPROTO_UDP && cksum == 0)
794bd670b35SErik Nordmark *cksump = ~cksum;
795bd670b35SErik Nordmark else
796bd670b35SErik Nordmark *cksump = cksum;
797bd670b35SErik Nordmark
798bd670b35SErik Nordmark IP6_STAT(ipst, ip6_out_sw_cksum);
799bd670b35SErik Nordmark IP6_STAT_UPDATE(ipst, ip6_out_sw_cksum_bytes, pktlen);
800bd670b35SErik Nordmark
801bd670b35SErik Nordmark /* No IP header checksum for IPv6 */
802bd670b35SErik Nordmark
803bd670b35SErik Nordmark return (B_TRUE);
804bd670b35SErik Nordmark #undef iphs
805bd670b35SErik Nordmark }
806bd670b35SErik Nordmark
807bd670b35SErik Nordmark /* There are drivers that can't do partial checksum for ICMPv6 */
808bd670b35SErik Nordmark int nxge_cksum_workaround = 1;
809bd670b35SErik Nordmark
810bd670b35SErik Nordmark /*
811bd670b35SErik Nordmark * Calculate the ULP checksum - try to use hardware.
812bd670b35SErik Nordmark * In the case of MULTIRT or multicast the
813bd670b35SErik Nordmark * IXAF_NO_HW_CKSUM is set in which case we use software.
814bd670b35SErik Nordmark *
815bd670b35SErik Nordmark * Returns B_FALSE if the packet was too short for the checksum. Caller
816bd670b35SErik Nordmark * should free and do stats.
817bd670b35SErik Nordmark */
818bd670b35SErik Nordmark static boolean_t
ip_output_cksum_v6(iaflags_t ixaflags,mblk_t * mp,ip6_t * ip6h,ip_xmit_attr_t * ixa,ill_t * ill)819bd670b35SErik Nordmark ip_output_cksum_v6(iaflags_t ixaflags, mblk_t *mp, ip6_t *ip6h,
820bd670b35SErik Nordmark ip_xmit_attr_t *ixa, ill_t *ill)
821bd670b35SErik Nordmark {
822bd670b35SErik Nordmark uint_t pktlen = ixa->ixa_pktlen;
823bd670b35SErik Nordmark uint16_t *cksump;
824bd670b35SErik Nordmark uint16_t hck_flags;
825bd670b35SErik Nordmark uint32_t cksum;
826bd670b35SErik Nordmark uint8_t protocol = ixa->ixa_protocol;
827bd670b35SErik Nordmark uint16_t ip_hdr_length = ixa->ixa_ip_hdr_length;
828bd670b35SErik Nordmark
829bd670b35SErik Nordmark #define iphs ((uint16_t *)ip6h)
830bd670b35SErik Nordmark
831bd670b35SErik Nordmark if ((ixaflags & IXAF_NO_HW_CKSUM) || !ILL_HCKSUM_CAPABLE(ill) ||
832bd670b35SErik Nordmark !dohwcksum) {
833bd670b35SErik Nordmark return (ip_output_sw_cksum_v6(mp, ip6h, ixa));
834bd670b35SErik Nordmark }
835bd670b35SErik Nordmark
836bd670b35SErik Nordmark /*
837bd670b35SErik Nordmark * Calculate ULP checksum. Note that we don't use cksump and cksum
838bd670b35SErik Nordmark * if the ill has FULL support.
839bd670b35SErik Nordmark */
840bd670b35SErik Nordmark if (protocol == IPPROTO_TCP) {
841bd670b35SErik Nordmark cksump = IPH_TCPH_CHECKSUMP(ip6h, ip_hdr_length);
842bd670b35SErik Nordmark cksum = IP_TCP_CSUM_COMP; /* Pseudo-header cksum */
843bd670b35SErik Nordmark } else if (protocol == IPPROTO_UDP) {
844bd670b35SErik Nordmark cksump = IPH_UDPH_CHECKSUMP(ip6h, ip_hdr_length);
845bd670b35SErik Nordmark cksum = IP_UDP_CSUM_COMP; /* Pseudo-header cksum */
846bd670b35SErik Nordmark } else if (protocol == IPPROTO_SCTP) {
847bd670b35SErik Nordmark sctp_hdr_t *sctph;
848bd670b35SErik Nordmark
849bd670b35SErik Nordmark ASSERT(MBLKL(mp) >= (ip_hdr_length + sizeof (*sctph)));
850bd670b35SErik Nordmark sctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_length);
851bd670b35SErik Nordmark /*
852bd670b35SErik Nordmark * Zero out the checksum field to ensure proper
853bd670b35SErik Nordmark * checksum calculation.
854bd670b35SErik Nordmark */
855bd670b35SErik Nordmark sctph->sh_chksum = 0;
856bd670b35SErik Nordmark #ifdef DEBUG
857bd670b35SErik Nordmark if (!skip_sctp_cksum)
858bd670b35SErik Nordmark #endif
859bd670b35SErik Nordmark sctph->sh_chksum = sctp_cksum(mp, ip_hdr_length);
860bd670b35SErik Nordmark goto ip_hdr_cksum;
861bd670b35SErik Nordmark } else if (ixa->ixa_flags & IXAF_SET_RAW_CKSUM) {
862bd670b35SErik Nordmark /*
863bd670b35SErik Nordmark * icmp has placed length and routing
864bd670b35SErik Nordmark * header adjustment in the checksum field.
865bd670b35SErik Nordmark */
866bd670b35SErik Nordmark cksump = (uint16_t *)(((uint8_t *)ip6h) + ip_hdr_length +
867bd670b35SErik Nordmark ixa->ixa_raw_cksum_offset);
868bd670b35SErik Nordmark cksum = htons(protocol);
869bd670b35SErik Nordmark } else if (protocol == IPPROTO_ICMPV6) {
870*b22a70abSPatrick Mooney /*
871*b22a70abSPatrick Mooney * Currently we assume no HW support for ICMP checksum calc.
872*b22a70abSPatrick Mooney *
873*b22a70abSPatrick Mooney * When HW support is advertised for ICMP, we'll want the
874*b22a70abSPatrick Mooney * following to be set:
875*b22a70abSPatrick Mooney * cksump = IPH_ICMPV6_CHECKSUMP(ip6h, ip_hdr_length);
876*b22a70abSPatrick Mooney * cksum = IP_ICMPV6_CSUM_COMP; Pseudo-header cksum
877*b22a70abSPatrick Mooney */
878*b22a70abSPatrick Mooney
879*b22a70abSPatrick Mooney return (ip_output_sw_cksum_v6(mp, ip6h, ixa));
880bd670b35SErik Nordmark } else {
881bd670b35SErik Nordmark ip_hdr_cksum:
882bd670b35SErik Nordmark /* No IP header checksum for IPv6 */
883bd670b35SErik Nordmark return (B_TRUE);
884bd670b35SErik Nordmark }
885bd670b35SErik Nordmark
886bd670b35SErik Nordmark /* ULP puts the checksum field is in the first mblk */
887bd670b35SErik Nordmark ASSERT(((uchar_t *)cksump) + sizeof (uint16_t) <= mp->b_wptr);
888bd670b35SErik Nordmark
889bd670b35SErik Nordmark /*
890bd670b35SErik Nordmark * Underlying interface supports hardware checksum offload for
891bd670b35SErik Nordmark * the payload; leave the payload checksum for the hardware to
892bd670b35SErik Nordmark * calculate. N.B: We only need to set up checksum info on the
893bd670b35SErik Nordmark * first mblk.
894bd670b35SErik Nordmark */
895bd670b35SErik Nordmark hck_flags = ill->ill_hcksum_capab->ill_hcksum_txflags;
896bd670b35SErik Nordmark
897bd670b35SErik Nordmark DB_CKSUMFLAGS(mp) &= ~HCK_FLAGS;
898bd670b35SErik Nordmark if (hck_flags & HCKSUM_INET_FULL_V6) {
899bd670b35SErik Nordmark /*
900bd670b35SErik Nordmark * Hardware calculates pseudo-header, header and the
901bd670b35SErik Nordmark * payload checksums, so clear the checksum field in
902bd670b35SErik Nordmark * the protocol header.
903bd670b35SErik Nordmark */
904bd670b35SErik Nordmark *cksump = 0;
905bd670b35SErik Nordmark DB_CKSUMFLAGS(mp) |= HCK_FULLCKSUM;
906bd670b35SErik Nordmark return (B_TRUE);
907bd670b35SErik Nordmark }
908bd670b35SErik Nordmark if (((hck_flags) & HCKSUM_INET_PARTIAL) &&
909bd670b35SErik Nordmark (protocol != IPPROTO_ICMPV6 || !nxge_cksum_workaround)) {
910bd670b35SErik Nordmark /*
911bd670b35SErik Nordmark * Partial checksum offload has been enabled. Fill
912bd670b35SErik Nordmark * the checksum field in the protocol header with the
913bd670b35SErik Nordmark * pseudo-header checksum value.
914bd670b35SErik Nordmark *
915bd670b35SErik Nordmark * We accumulate the pseudo header checksum in cksum.
916bd670b35SErik Nordmark * This is pretty hairy code, so watch close. One
917bd670b35SErik Nordmark * thing to keep in mind is that UDP and TCP have
918bd670b35SErik Nordmark * stored their respective datagram lengths in their
919bd670b35SErik Nordmark * checksum fields. This lines things up real nice.
920bd670b35SErik Nordmark */
921bd670b35SErik Nordmark cksum += iphs[4] + iphs[5] + iphs[6] + iphs[7] +
922bd670b35SErik Nordmark iphs[8] + iphs[9] + iphs[10] + iphs[11] +
923bd670b35SErik Nordmark iphs[12] + iphs[13] + iphs[14] + iphs[15] +
924bd670b35SErik Nordmark iphs[16] + iphs[17] + iphs[18] + iphs[19];
925bd670b35SErik Nordmark cksum += *(cksump);
926bd670b35SErik Nordmark cksum = (cksum & 0xFFFF) + (cksum >> 16);
927bd670b35SErik Nordmark *(cksump) = (cksum & 0xFFFF) + (cksum >> 16);
928bd670b35SErik Nordmark
929bd670b35SErik Nordmark /*
930bd670b35SErik Nordmark * Offsets are relative to beginning of IP header.
931bd670b35SErik Nordmark */
932bd670b35SErik Nordmark DB_CKSUMSTART(mp) = ip_hdr_length;
933bd670b35SErik Nordmark DB_CKSUMSTUFF(mp) = (uint8_t *)cksump - (uint8_t *)ip6h;
934bd670b35SErik Nordmark DB_CKSUMEND(mp) = pktlen;
935bd670b35SErik Nordmark DB_CKSUMFLAGS(mp) |= HCK_PARTIALCKSUM;
936bd670b35SErik Nordmark return (B_TRUE);
937bd670b35SErik Nordmark }
938bd670b35SErik Nordmark /* Hardware capabilities include neither full nor partial IPv6 */
939bd670b35SErik Nordmark return (ip_output_sw_cksum_v6(mp, ip6h, ixa));
940bd670b35SErik Nordmark #undef iphs
941bd670b35SErik Nordmark }
942bd670b35SErik Nordmark
943bd670b35SErik Nordmark /*
944bd670b35SErik Nordmark * ire_sendfn for offlink and onlink destinations.
945bd670b35SErik Nordmark * Also called from the multicast, and multirt send functions.
946bd670b35SErik Nordmark *
947bd670b35SErik Nordmark * Assumes that the caller has a hold on the ire.
948bd670b35SErik Nordmark *
949bd670b35SErik Nordmark * This function doesn't care if the IRE just became condemned since that
950bd670b35SErik Nordmark * can happen at any time.
951bd670b35SErik Nordmark */
952bd670b35SErik Nordmark /* ARGSUSED */
953bd670b35SErik Nordmark int
ire_send_wire_v6(ire_t * ire,mblk_t * mp,void * iph_arg,ip_xmit_attr_t * ixa,uint32_t * identp)954bd670b35SErik Nordmark ire_send_wire_v6(ire_t *ire, mblk_t *mp, void *iph_arg,
955bd670b35SErik Nordmark ip_xmit_attr_t *ixa, uint32_t *identp)
956bd670b35SErik Nordmark {
957bd670b35SErik Nordmark ip_stack_t *ipst = ixa->ixa_ipst;
958bd670b35SErik Nordmark ip6_t *ip6h = (ip6_t *)iph_arg;
959bd670b35SErik Nordmark iaflags_t ixaflags = ixa->ixa_flags;
960bd670b35SErik Nordmark ill_t *ill;
961bd670b35SErik Nordmark uint32_t pktlen = ixa->ixa_pktlen;
962bd670b35SErik Nordmark
963bd670b35SErik Nordmark ASSERT(ixa->ixa_nce != NULL);
964bd670b35SErik Nordmark ill = ixa->ixa_nce->nce_ill;
965bd670b35SErik Nordmark
966bd670b35SErik Nordmark /*
967bd670b35SErik Nordmark * Update output mib stats. Note that we can't move into the icmp
968bd670b35SErik Nordmark * sender (icmp_output etc) since they don't know the ill and the
969bd670b35SErik Nordmark * stats are per ill.
970bd670b35SErik Nordmark *
971bd670b35SErik Nordmark * With IPMP we record the stats on the upper ill.
972bd670b35SErik Nordmark */
973bd670b35SErik Nordmark if (ixa->ixa_protocol == IPPROTO_ICMPV6) {
974bd670b35SErik Nordmark icmp6_t *icmp6;
975bd670b35SErik Nordmark
976bd670b35SErik Nordmark icmp6 = (icmp6_t *)((uchar_t *)ip6h + ixa->ixa_ip_hdr_length);
977bd670b35SErik Nordmark icmp_update_out_mib_v6(ixa->ixa_nce->nce_common->ncec_ill,
978bd670b35SErik Nordmark icmp6);
979bd670b35SErik Nordmark }
980bd670b35SErik Nordmark
981bd670b35SErik Nordmark if (ixaflags & IXAF_DONTROUTE)
982bd670b35SErik Nordmark ip6h->ip6_hops = 1;
983bd670b35SErik Nordmark
984bd670b35SErik Nordmark /*
985bd670b35SErik Nordmark * This might set b_band, thus the IPsec and fragmentation
986bd670b35SErik Nordmark * code in IP ensures that b_band is updated in the first mblk.
987bd670b35SErik Nordmark */
988bd670b35SErik Nordmark if (IPP_ENABLED(IPP_LOCAL_OUT, ipst)) {
989bd670b35SErik Nordmark /* ip_process translates an IS_UNDER_IPMP */
990bd670b35SErik Nordmark mp = ip_process(IPP_LOCAL_OUT, mp, ill, ill);
991bd670b35SErik Nordmark if (mp == NULL) {
992bd670b35SErik Nordmark /* ip_drop_packet and MIB done */
993bd670b35SErik Nordmark return (0); /* Might just be delayed */
994bd670b35SErik Nordmark }
995bd670b35SErik Nordmark }
996bd670b35SErik Nordmark
997bd670b35SErik Nordmark /*
998bd670b35SErik Nordmark * To handle IPsec/iptun's labeling needs we need to tag packets
999bd670b35SErik Nordmark * while we still have ixa_tsl
1000bd670b35SErik Nordmark */
1001bd670b35SErik Nordmark if (is_system_labeled() && ixa->ixa_tsl != NULL &&
1002bd670b35SErik Nordmark (ill->ill_mactype == DL_6TO4 || ill->ill_mactype == DL_IPV4 ||
1003bd670b35SErik Nordmark ill->ill_mactype == DL_IPV6)) {
1004bd670b35SErik Nordmark cred_t *newcr;
1005bd670b35SErik Nordmark
1006bd670b35SErik Nordmark newcr = copycred_from_tslabel(ixa->ixa_cred, ixa->ixa_tsl,
1007bd670b35SErik Nordmark KM_NOSLEEP);
1008bd670b35SErik Nordmark if (newcr == NULL) {
1009bd670b35SErik Nordmark BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
1010bd670b35SErik Nordmark ip_drop_output("ipIfStatsOutDiscards - newcr",
1011bd670b35SErik Nordmark mp, ill);
1012bd670b35SErik Nordmark freemsg(mp);
1013bd670b35SErik Nordmark return (ENOBUFS);
1014bd670b35SErik Nordmark }
1015bd670b35SErik Nordmark mblk_setcred(mp, newcr, NOPID);
1016bd670b35SErik Nordmark crfree(newcr); /* mblk_setcred did its own crhold */
1017bd670b35SErik Nordmark }
1018bd670b35SErik Nordmark
1019bd670b35SErik Nordmark /*
1020bd670b35SErik Nordmark * IXAF_IPV6_ADD_FRAGHDR is set for CGTP so that we will add a
1021bd670b35SErik Nordmark * fragment header without fragmenting. CGTP on the receiver will
1022bd670b35SErik Nordmark * filter duplicates on the ident field.
1023bd670b35SErik Nordmark */
1024bd670b35SErik Nordmark if (pktlen > ixa->ixa_fragsize ||
1025bd670b35SErik Nordmark (ixaflags & (IXAF_IPSEC_SECURE|IXAF_IPV6_ADD_FRAGHDR))) {
1026ab82c29bSToomas Soome uint32_t ident = 0;
1027bd670b35SErik Nordmark
1028bd670b35SErik Nordmark if (ixaflags & IXAF_IPSEC_SECURE)
1029bd670b35SErik Nordmark pktlen += ipsec_out_extra_length(ixa);
1030bd670b35SErik Nordmark
1031bd670b35SErik Nordmark if (pktlen > IP_MAXPACKET)
1032bd670b35SErik Nordmark return (EMSGSIZE);
1033bd670b35SErik Nordmark
1034bd670b35SErik Nordmark if (ixaflags & IXAF_SET_ULP_CKSUM) {
1035bd670b35SErik Nordmark /*
1036bd670b35SErik Nordmark * Compute ULP checksum using software
1037bd670b35SErik Nordmark */
1038bd670b35SErik Nordmark if (!ip_output_sw_cksum_v6(mp, ip6h, ixa)) {
1039bd670b35SErik Nordmark BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
1040bd670b35SErik Nordmark ip_drop_output("ipIfStatsOutDiscards", mp, ill);
1041bd670b35SErik Nordmark freemsg(mp);
1042bd670b35SErik Nordmark return (EINVAL);
1043bd670b35SErik Nordmark }
1044bd670b35SErik Nordmark /* Avoid checksum again below if we only add fraghdr */
1045bd670b35SErik Nordmark ixaflags &= ~IXAF_SET_ULP_CKSUM;
1046bd670b35SErik Nordmark }
1047bd670b35SErik Nordmark
1048bd670b35SErik Nordmark /*
1049bd670b35SErik Nordmark * If we need a fragment header, pick the ident and insert
1050bd670b35SErik Nordmark * the header before IPsec to we have a place to store
1051bd670b35SErik Nordmark * the ident value.
1052bd670b35SErik Nordmark */
1053bd670b35SErik Nordmark if ((ixaflags & IXAF_IPV6_ADD_FRAGHDR) ||
1054bd670b35SErik Nordmark pktlen > ixa->ixa_fragsize) {
1055bd670b35SErik Nordmark /*
1056bd670b35SErik Nordmark * If this packet would generate a icmp_frag_needed
1057bd670b35SErik Nordmark * message, we need to handle it before we do the IPsec
1058bd670b35SErik Nordmark * processing. Otherwise, we need to strip the IPsec
1059bd670b35SErik Nordmark * headers before we send up the message to the ULPs
1060bd670b35SErik Nordmark * which becomes messy and difficult.
1061bd670b35SErik Nordmark */
1062bd670b35SErik Nordmark if ((pktlen > ixa->ixa_fragsize) &&
1063bd670b35SErik Nordmark (ixaflags & IXAF_DONTFRAG)) {
1064bd670b35SErik Nordmark /* Generate ICMP and return error */
1065bd670b35SErik Nordmark ip_recv_attr_t iras;
1066bd670b35SErik Nordmark
1067bd670b35SErik Nordmark DTRACE_PROBE4(ip6__fragsize__fail,
1068bd670b35SErik Nordmark uint_t, pktlen, uint_t, ixa->ixa_fragsize,
1069bd670b35SErik Nordmark uint_t, ixa->ixa_pktlen,
1070bd670b35SErik Nordmark uint_t, ixa->ixa_pmtu);
1071bd670b35SErik Nordmark
1072bd670b35SErik Nordmark bzero(&iras, sizeof (iras));
1073bd670b35SErik Nordmark /* Map ixa to ira including IPsec policies */
1074bd670b35SErik Nordmark ipsec_out_to_in(ixa, ill, &iras);
1075bd670b35SErik Nordmark
1076bd670b35SErik Nordmark ip_drop_output("ICMP6_PKT_TOO_BIG", mp, ill);
1077bd670b35SErik Nordmark icmp_pkt2big_v6(mp, ixa->ixa_fragsize, B_TRUE,
1078bd670b35SErik Nordmark &iras);
1079bd670b35SErik Nordmark /* We moved any IPsec refs from ixa to iras */
1080bd670b35SErik Nordmark ira_cleanup(&iras, B_FALSE);
1081bd670b35SErik Nordmark return (EMSGSIZE);
1082bd670b35SErik Nordmark }
1083bd670b35SErik Nordmark DTRACE_PROBE4(ip6__fragsize__ok, uint_t, pktlen,
1084bd670b35SErik Nordmark uint_t, ixa->ixa_fragsize, uint_t, ixa->ixa_pktlen,
1085bd670b35SErik Nordmark uint_t, ixa->ixa_pmtu);
1086bd670b35SErik Nordmark /*
1087bd670b35SErik Nordmark * Assign an ident value for this packet. There could
1088bd670b35SErik Nordmark * be other threads targeting the same destination, so
1089bd670b35SErik Nordmark * we have to arrange for a atomic increment.
1090bd670b35SErik Nordmark * Normally ixa_extra_ident is 0, but in the case of
1091bd670b35SErik Nordmark * LSO it will be the number of TCP segments that the
1092bd670b35SErik Nordmark * driver/hardware will extraly construct.
1093bd670b35SErik Nordmark *
1094bd670b35SErik Nordmark * Note that cl_inet_ipident has only been used for
1095bd670b35SErik Nordmark * IPv4. We don't use it here.
1096bd670b35SErik Nordmark */
1097bd670b35SErik Nordmark ident = atomic_add_32_nv(identp, ixa->ixa_extra_ident +
1098bd670b35SErik Nordmark 1);
1099bd670b35SErik Nordmark ixa->ixa_ident = ident; /* In case we do IPsec */
1100bd670b35SErik Nordmark }
1101bd670b35SErik Nordmark if (ixaflags & IXAF_IPSEC_SECURE) {
1102bd670b35SErik Nordmark /*
1103bd670b35SErik Nordmark * Pass in sufficient information so that
1104bd670b35SErik Nordmark * IPsec can determine whether to fragment, and
1105bd670b35SErik Nordmark * which function to call after fragmentation.
1106bd670b35SErik Nordmark */
1107bd670b35SErik Nordmark return (ipsec_out_process(mp, ixa));
1108bd670b35SErik Nordmark }
1109bd670b35SErik Nordmark
1110bd670b35SErik Nordmark mp = ip_fraghdr_add_v6(mp, ident, ixa);
1111bd670b35SErik Nordmark if (mp == NULL) {
1112bd670b35SErik Nordmark /* MIB and ip_drop_output already done */
1113bd670b35SErik Nordmark return (ENOMEM);
1114bd670b35SErik Nordmark }
1115bd670b35SErik Nordmark ASSERT(pktlen == ixa->ixa_pktlen);
1116bd670b35SErik Nordmark pktlen += sizeof (ip6_frag_t);
1117bd670b35SErik Nordmark
1118bd670b35SErik Nordmark if (pktlen > ixa->ixa_fragsize) {
1119bd670b35SErik Nordmark return (ip_fragment_v6(mp, ixa->ixa_nce, ixaflags,
1120bd670b35SErik Nordmark pktlen, ixa->ixa_fragsize,
1121bd670b35SErik Nordmark ixa->ixa_xmit_hint, ixa->ixa_zoneid,
1122bd670b35SErik Nordmark ixa->ixa_no_loop_zoneid, ixa->ixa_postfragfn,
1123bd670b35SErik Nordmark &ixa->ixa_cookie));
1124bd670b35SErik Nordmark }
1125bd670b35SErik Nordmark }
1126bd670b35SErik Nordmark if (ixaflags & IXAF_SET_ULP_CKSUM) {
1127bd670b35SErik Nordmark /* Compute ULP checksum and IP header checksum */
1128bd670b35SErik Nordmark /* An IS_UNDER_IPMP ill is ok here */
1129bd670b35SErik Nordmark if (!ip_output_cksum_v6(ixaflags, mp, ip6h, ixa, ill)) {
1130bd670b35SErik Nordmark BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
1131bd670b35SErik Nordmark ip_drop_output("ipIfStatsOutDiscards", mp, ill);
1132bd670b35SErik Nordmark freemsg(mp);
1133bd670b35SErik Nordmark return (EINVAL);
1134bd670b35SErik Nordmark }
1135bd670b35SErik Nordmark }
1136bd670b35SErik Nordmark return ((ixa->ixa_postfragfn)(mp, ixa->ixa_nce, ixaflags,
1137bd670b35SErik Nordmark pktlen, ixa->ixa_xmit_hint, ixa->ixa_zoneid,
1138bd670b35SErik Nordmark ixa->ixa_no_loop_zoneid, &ixa->ixa_cookie));
1139bd670b35SErik Nordmark }
1140bd670b35SErik Nordmark
1141bd670b35SErik Nordmark /*
1142bd670b35SErik Nordmark * Post fragmentation function for RTF_MULTIRT routes.
1143bd670b35SErik Nordmark * Since IRE_MULTICASTs might have RTF_MULTIRT, this function
1144bd670b35SErik Nordmark * checks IXAF_LOOPBACK_COPY.
1145bd670b35SErik Nordmark *
1146bd670b35SErik Nordmark * If no packet is sent due to failures then we return an errno, but if at
1147bd670b35SErik Nordmark * least one succeeded we return zero.
1148bd670b35SErik Nordmark */
1149bd670b35SErik Nordmark int
ip_postfrag_multirt_v6(mblk_t *mp, nce_t *nce, iaflags_t ixaflags,
    uint_t pkt_len, uint32_t xmit_hint, zoneid_t szone, zoneid_t nolzid,
    uintptr_t *ixacookie)
{
	/*
	 * Post-fragmentation transmit for IPv6 RTF_MULTIRT routes.
	 *
	 * A copy of mp is transmitted with ip_xmit() for every other
	 * non-condemned RTF_MULTIRT ire that sits in the same bucket and has
	 * the same address as the ire matching the packet; mp itself is then
	 * transmitted on the nce passed in.  When IXAF_LOOPBACK_COPY is set
	 * an additional copy is first handed to ip_postfrag_loopback().
	 *
	 *	mp		packet; its b_rptr is read as the ip6_t header
	 *	nce		nexthop entry used for the final ip_xmit()
	 *	ixaflags	transmit flags; must not include IXAF_IS_IPV4
	 *	pkt_len, xmit_hint, szone, ixacookie
	 *			passed through unchanged to every ip_xmit()
	 *	nolzid		passed only to ip_postfrag_loopback()
	 *
	 * Returns 0 when at least one ip_xmit() succeeded, otherwise the most
	 * recently recorded error.  Returns ENETUNREACH, after freeing mp,
	 * when no usable RTF_MULTIRT route is found.
	 */
	irb_t		*irb;
	ip6_t		*ip6h = (ip6_t *)mp->b_rptr;
	ire_t		*ire;
	ire_t		*ire1;
	mblk_t		*mp1;
	nce_t		*nce1;
	ill_t		*ill = nce->nce_ill;
	ill_t		*ill1;
	ip_stack_t	*ipst = ill->ill_ipst;
	int		error = 0;
	int		num_sent = 0;
	int		err;
	uint_t		ire_type;
	in6_addr_t	nexthop;

	ASSERT(!(ixaflags & IXAF_IS_IPV4));

	/* Check for IXAF_LOOPBACK_COPY */
	if (ixaflags & IXAF_LOOPBACK_COPY) {
		mp1 = copymsg(mp);
		if (mp1 == NULL) {
			/*
			 * Failed to deliver the loopback copy.  Only the copy
			 * is lost; mp is still sent on the wire below.
			 */
			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
			ip_drop_output("ipIfStatsOutDiscards", mp, ill);
			error = ENOBUFS;
		} else {
			ip_postfrag_loopback(mp1, nce, ixaflags, pkt_len,
			    nolzid);
		}
	}

	/*
	 * Loop over RTF_MULTIRT for ip6_dst in the same bucket. Send
	 * a copy to each one.
	 * Use the nce (nexthop) and ip6_dst to find the ire.
	 *
	 * MULTIRT is not designed to work with shared-IP zones thus we don't
	 * need to pass a zoneid or a label to the IRE lookup.
	 */
	if (IN6_ARE_ADDR_EQUAL(&nce->nce_addr, &ip6h->ip6_dst)) {
		/* Broadcast and multicast case */
		ire = ire_ftable_lookup_v6(&ip6h->ip6_dst, 0, 0, 0, NULL,
		    ALL_ZONES, NULL, MATCH_IRE_DSTONLY, 0, ipst, NULL);
	} else {
		/* Unicast case */
		ire = ire_ftable_lookup_v6(&ip6h->ip6_dst, 0, &nce->nce_addr,
		    0, NULL, ALL_ZONES, NULL, MATCH_IRE_GW, 0, ipst, NULL);
	}

	if (ire == NULL ||
	    (ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
	    !(ire->ire_flags & RTF_MULTIRT)) {
		/* Drop */
		ip_drop_output("ip_postfrag_multirt didn't find route",
		    mp, nce->nce_ill);
		if (ire != NULL)
			ire_refrele(ire);
		/*
		 * Every other return path passes mp to ip_xmit() and never
		 * touches it again, so a caller cannot tell from the error
		 * code whether mp is still live.  Dispose of it here so this
		 * path does not leak the message.
		 */
		freemsg(mp);
		return (ENETUNREACH);
	}

	/* Hold the bucket while its ire list is walked. */
	irb = ire->ire_bucket;
	irb_refhold(irb);
	for (ire1 = irb->irb_ire; ire1 != NULL; ire1 = ire1->ire_next) {
		if (IRE_IS_CONDEMNED(ire1) ||
		    !(ire1->ire_flags & RTF_MULTIRT))
			continue;

		/* Note: When IPv6 uses radix tree we don't need this check */
		if (!IN6_ARE_ADDR_EQUAL(&ire->ire_addr_v6, &ire1->ire_addr_v6))
			continue;

		/* Do the ire argument one after the loop */
		if (ire1 == ire)
			continue;

		ill1 = ire_nexthop_ill(ire1);
		if (ill1 == NULL) {
			/*
			 * This ire might not have been picked by
			 * ire_route_recursive, in which case ire_dep might
			 * not have been setup yet.
			 * We kick ire_route_recursive to try to resolve
			 * starting at ire1.
			 */
			ire_t *ire2;
			uint_t match_flags = MATCH_IRE_DSTONLY;

			if (ire1->ire_ill != NULL)
				match_flags |= MATCH_IRE_ILL;
			ire2 = ire_route_recursive_impl_v6(ire1,
			    &ire1->ire_addr_v6, ire1->ire_type, ire1->ire_ill,
			    ire1->ire_zoneid, NULL, match_flags,
			    IRR_ALLOCATE, 0, ipst, NULL, NULL, NULL);
			/* Only the side effect is wanted; drop the result. */
			if (ire2 != NULL)
				ire_refrele(ire2);
			ill1 = ire_nexthop_ill(ire1);
		}
		if (ill1 == NULL) {
			BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
			ip_drop_output("ipIfStatsOutDiscards - no ill",
			    mp, ill);
			error = ENETUNREACH;
			continue;
		}
		/* Pick the addr and type to use for ndp_nce_init */
		if (nce->nce_common->ncec_flags & NCE_F_MCAST) {
			ire_type = IRE_MULTICAST;
			nexthop = ip6h->ip6_dst;
		} else {
			ire_type = ire1->ire_type;	/* Doesn't matter */
			nexthop = ire1->ire_gateway_addr_v6;
		}

		/* If IPMP meta or under, then we just drop */
		if (ill1->ill_grp != NULL) {
			BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
			ip_drop_output("ipIfStatsOutDiscards - IPMP",
			    mp, ill1);
			ill_refrele(ill1);
			error = ENETUNREACH;
			continue;
		}

		nce1 = ndp_nce_init(ill1, &nexthop, ire_type);
		if (nce1 == NULL) {
			BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
			ip_drop_output("ipIfStatsOutDiscards - no nce",
			    mp, ill1);
			ill_refrele(ill1);
			error = ENOBUFS;
			continue;
		}
		mp1 = copymsg(mp);
		if (mp1 == NULL) {
			BUMP_MIB(ill1->ill_ip_mib, ipIfStatsOutDiscards);
			ip_drop_output("ipIfStatsOutDiscards", mp, ill1);
			nce_refrele(nce1);
			ill_refrele(ill1);
			error = ENOBUFS;
			continue;
		}
		/* Preserve HW checksum for this copy */
		DB_CKSUMSTART(mp1) = DB_CKSUMSTART(mp);
		DB_CKSUMSTUFF(mp1) = DB_CKSUMSTUFF(mp);
		DB_CKSUMEND(mp1) = DB_CKSUMEND(mp);
		DB_CKSUMFLAGS(mp1) = DB_CKSUMFLAGS(mp);
		DB_LSOMSS(mp1) = DB_LSOMSS(mp);

		ire1->ire_ob_pkt_count++;
		err = ip_xmit(mp1, nce1, ixaflags, pkt_len, xmit_hint, szone,
		    0, ixacookie);
		if (err == 0)
			num_sent++;
		else
			error = err;
		nce_refrele(nce1);
		ill_refrele(ill1);
	}
	irb_refrele(irb);
	ire_refrele(ire);
	/* Finally, the main one */
	err = ip_xmit(mp, nce, ixaflags, pkt_len, xmit_hint, szone, 0,
	    ixacookie);
	if (err == 0)
		num_sent++;
	else
		error = err;
	/* One successful transmission is enough to report success. */
	if (num_sent > 0)
		return (0);
	else
		return (error);
}
1328