17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * CDDL HEADER START
37c478bd9Sstevel@tonic-gate  *
47c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
577c67f2fSkcpoon  * Common Development and Distribution License (the "License").
677c67f2fSkcpoon  * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate  *
87c478bd9Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate  * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate  * and limitations under the License.
127c478bd9Sstevel@tonic-gate  *
137c478bd9Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate  *
197c478bd9Sstevel@tonic-gate  * CDDL HEADER END
207c478bd9Sstevel@tonic-gate  */
2177c67f2fSkcpoon 
227c478bd9Sstevel@tonic-gate /*
23*481845d8SGeorge Shepherd  * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
247c478bd9Sstevel@tonic-gate  */
257c478bd9Sstevel@tonic-gate 
267c478bd9Sstevel@tonic-gate #include <sys/types.h>
277c478bd9Sstevel@tonic-gate #include <sys/systm.h>
287c478bd9Sstevel@tonic-gate #include <sys/stream.h>
297c478bd9Sstevel@tonic-gate #include <sys/ddi.h>
307c478bd9Sstevel@tonic-gate #include <sys/sunddi.h>
317c478bd9Sstevel@tonic-gate #include <sys/strsubr.h>
327c478bd9Sstevel@tonic-gate #include <sys/strsun.h>
337c478bd9Sstevel@tonic-gate 
347c478bd9Sstevel@tonic-gate #include <netinet/in.h>
357c478bd9Sstevel@tonic-gate #include <netinet/ip6.h>
367c478bd9Sstevel@tonic-gate 
37bd670b35SErik Nordmark #include <inet/ipsec_impl.h>
387c478bd9Sstevel@tonic-gate #include <inet/common.h>
397c478bd9Sstevel@tonic-gate #include <inet/ip.h>
407c478bd9Sstevel@tonic-gate #include <inet/ip6.h>
417c478bd9Sstevel@tonic-gate #include <inet/mib2.h>
427c478bd9Sstevel@tonic-gate #include <inet/nd.h>
437c478bd9Sstevel@tonic-gate #include <inet/optcom.h>
447c478bd9Sstevel@tonic-gate #include <inet/sctp_ip.h>
45f4b3ec61Sdh #include <inet/ipclassifier.h>
467c478bd9Sstevel@tonic-gate #include "sctp_impl.h"
477c478bd9Sstevel@tonic-gate 
487c478bd9Sstevel@tonic-gate void
497c478bd9Sstevel@tonic-gate sctp_send_shutdown(sctp_t *sctp, int rexmit)
507c478bd9Sstevel@tonic-gate {
517c478bd9Sstevel@tonic-gate 	mblk_t *smp;
527c478bd9Sstevel@tonic-gate 	mblk_t *sendmp;
537c478bd9Sstevel@tonic-gate 	sctp_chunk_hdr_t *sch;
547c478bd9Sstevel@tonic-gate 	uint32_t *ctsn;
557c478bd9Sstevel@tonic-gate 	sctp_faddr_t *fp;
56f4b3ec61Sdh 	sctp_stack_t	*sctps = sctp->sctp_sctps;
577c478bd9Sstevel@tonic-gate 
587c478bd9Sstevel@tonic-gate 	if (sctp->sctp_state != SCTPS_ESTABLISHED &&
597c478bd9Sstevel@tonic-gate 	    sctp->sctp_state != SCTPS_SHUTDOWN_PENDING &&
607c478bd9Sstevel@tonic-gate 	    sctp->sctp_state != SCTPS_SHUTDOWN_SENT) {
617c478bd9Sstevel@tonic-gate 		return;
627c478bd9Sstevel@tonic-gate 	}
637c478bd9Sstevel@tonic-gate 
647c478bd9Sstevel@tonic-gate 	if (sctp->sctp_state == SCTPS_ESTABLISHED) {
657c478bd9Sstevel@tonic-gate 		sctp->sctp_state = SCTPS_SHUTDOWN_PENDING;
667c478bd9Sstevel@tonic-gate 		/*
677c478bd9Sstevel@tonic-gate 		 * We set an upper bound on how long we will
687c478bd9Sstevel@tonic-gate 		 * wait for a shutdown-ack from the peer. This
697c478bd9Sstevel@tonic-gate 		 * is to prevent the receiver from attempting
707c478bd9Sstevel@tonic-gate 		 * to create a half-closed state indefinately.
717c478bd9Sstevel@tonic-gate 		 * See archive from IETF TSVWG mailing list
727c478bd9Sstevel@tonic-gate 		 * for June 2001 for more information.
737c478bd9Sstevel@tonic-gate 		 * Since we will not be calculating RTTs after
747c478bd9Sstevel@tonic-gate 		 * sending the shutdown, we can overload out_time
757c478bd9Sstevel@tonic-gate 		 * to track how long we have waited.
767c478bd9Sstevel@tonic-gate 		 */
77d3d50737SRafael Vanoni 		sctp->sctp_out_time = ddi_get_lbolt64();
787c478bd9Sstevel@tonic-gate 	}
797c478bd9Sstevel@tonic-gate 
807c478bd9Sstevel@tonic-gate 	/*
817c478bd9Sstevel@tonic-gate 	 * If there is unsent (or unacked) data, wait for it to get ack'd
827c478bd9Sstevel@tonic-gate 	 */
837c478bd9Sstevel@tonic-gate 	if (sctp->sctp_xmit_head != NULL || sctp->sctp_xmit_unsent != NULL) {
847c478bd9Sstevel@tonic-gate 		return;
857c478bd9Sstevel@tonic-gate 	}
867c478bd9Sstevel@tonic-gate 
877c478bd9Sstevel@tonic-gate 	/* rotate faddrs if we are retransmitting */
887c478bd9Sstevel@tonic-gate 	if (!rexmit) {
897c478bd9Sstevel@tonic-gate 		fp = sctp->sctp_current;
907c478bd9Sstevel@tonic-gate 	} else {
917c478bd9Sstevel@tonic-gate 		fp = sctp_rotate_faddr(sctp, sctp->sctp_shutdown_faddr);
927c478bd9Sstevel@tonic-gate 	}
937c478bd9Sstevel@tonic-gate 
947c478bd9Sstevel@tonic-gate 	sctp->sctp_shutdown_faddr = fp;
957c478bd9Sstevel@tonic-gate 
967c478bd9Sstevel@tonic-gate 	/* Link in a SACK if resending the shutdown */
977c478bd9Sstevel@tonic-gate 	if (sctp->sctp_state > SCTPS_SHUTDOWN_PENDING &&
987c478bd9Sstevel@tonic-gate 	    (sendmp = sctp_make_sack(sctp, fp, NULL)) != NULL) {
997c478bd9Sstevel@tonic-gate 
1007c478bd9Sstevel@tonic-gate 		smp = allocb(sizeof (*sch) + sizeof (*ctsn), BPRI_MED);
1017c478bd9Sstevel@tonic-gate 		if (smp == NULL) {
1027c478bd9Sstevel@tonic-gate 			freemsg(sendmp);
1037c478bd9Sstevel@tonic-gate 			goto done;
1047c478bd9Sstevel@tonic-gate 		}
1057c478bd9Sstevel@tonic-gate 		linkb(sendmp, smp);
1067c478bd9Sstevel@tonic-gate 
1077c478bd9Sstevel@tonic-gate 		sch = (sctp_chunk_hdr_t *)smp->b_rptr;
1087c478bd9Sstevel@tonic-gate 		smp->b_wptr = smp->b_rptr + sizeof (*sch) + sizeof (*ctsn);
1097c478bd9Sstevel@tonic-gate 	} else {
1107c478bd9Sstevel@tonic-gate 		sendmp = sctp_make_mp(sctp, fp,
1117c478bd9Sstevel@tonic-gate 		    sizeof (*sch) + sizeof (*ctsn));
1127c478bd9Sstevel@tonic-gate 		if (sendmp == NULL) {
113f4b3ec61Sdh 			SCTP_KSTAT(sctps, sctp_send_shutdown_failed);
1147c478bd9Sstevel@tonic-gate 			goto done;
1157c478bd9Sstevel@tonic-gate 		}
1167c478bd9Sstevel@tonic-gate 		sch = (sctp_chunk_hdr_t *)sendmp->b_wptr;
1177c478bd9Sstevel@tonic-gate 		sendmp->b_wptr += sizeof (*sch) + sizeof (*ctsn);
1187c478bd9Sstevel@tonic-gate 
1197c478bd9Sstevel@tonic-gate 		/* shutdown w/o sack, update lastacked */
1207c478bd9Sstevel@tonic-gate 		sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
1217c478bd9Sstevel@tonic-gate 	}
1227c478bd9Sstevel@tonic-gate 
1237c478bd9Sstevel@tonic-gate 	sch->sch_id = CHUNK_SHUTDOWN;
1247c478bd9Sstevel@tonic-gate 	sch->sch_flags = 0;
1257c478bd9Sstevel@tonic-gate 	sch->sch_len = htons(sizeof (*sch) + sizeof (*ctsn));
1267c478bd9Sstevel@tonic-gate 
1277c478bd9Sstevel@tonic-gate 	ctsn = (uint32_t *)(sch + 1);
1287c478bd9Sstevel@tonic-gate 	*ctsn = htonl(sctp->sctp_lastacked);
1297c478bd9Sstevel@tonic-gate 
1307c478bd9Sstevel@tonic-gate 	/* Link the shutdown chunk in after the IP/SCTP header */
1317c478bd9Sstevel@tonic-gate 
1327c478bd9Sstevel@tonic-gate 	BUMP_LOCAL(sctp->sctp_obchunks);
1337c478bd9Sstevel@tonic-gate 
1347c478bd9Sstevel@tonic-gate 	/* Send the shutdown and restart the timer */
135bd670b35SErik Nordmark 	sctp_set_iplen(sctp, sendmp, fp->ixa);
136bd670b35SErik Nordmark 	(void) conn_ip_output(sendmp, fp->ixa);
137bd670b35SErik Nordmark 	BUMP_LOCAL(sctp->sctp_opkts);
1387c478bd9Sstevel@tonic-gate 
1397c478bd9Sstevel@tonic-gate done:
1407c478bd9Sstevel@tonic-gate 	sctp->sctp_state = SCTPS_SHUTDOWN_SENT;
1417c478bd9Sstevel@tonic-gate 	SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
1427c478bd9Sstevel@tonic-gate 	    sctp->sctp_current->rto);
1437c478bd9Sstevel@tonic-gate }
1447c478bd9Sstevel@tonic-gate 
1457c478bd9Sstevel@tonic-gate int
14677c67f2fSkcpoon sctp_shutdown_received(sctp_t *sctp, sctp_chunk_hdr_t *sch, boolean_t crwsd,
14777c67f2fSkcpoon     boolean_t rexmit, sctp_faddr_t *fp)
1487c478bd9Sstevel@tonic-gate {
1497c478bd9Sstevel@tonic-gate 	mblk_t *samp;
1507c478bd9Sstevel@tonic-gate 	sctp_chunk_hdr_t *sach;
1517c478bd9Sstevel@tonic-gate 	uint32_t *tsn;
1527c478bd9Sstevel@tonic-gate 	int trysend = 0;
153f4b3ec61Sdh 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1547c478bd9Sstevel@tonic-gate 
1557c478bd9Sstevel@tonic-gate 	if (sctp->sctp_state != SCTPS_SHUTDOWN_ACK_SENT)
1567c478bd9Sstevel@tonic-gate 		sctp->sctp_state = SCTPS_SHUTDOWN_RECEIVED;
1577c478bd9Sstevel@tonic-gate 
1587c478bd9Sstevel@tonic-gate 	/* Extract and process the TSN in the shutdown chunk */
1597c478bd9Sstevel@tonic-gate 	if (sch != NULL) {
1607c478bd9Sstevel@tonic-gate 		tsn = (uint32_t *)(sch + 1);
161e18a8f3aSchandrasekar marimuthu - Sun Microsystems - Bangalore India 		/* not already acked */
162e18a8f3aSchandrasekar marimuthu - Sun Microsystems - Bangalore India 		if (!SEQ_LT(ntohl(*tsn), sctp->sctp_lastack_rxd))
163e18a8f3aSchandrasekar marimuthu - Sun Microsystems - Bangalore India 			trysend = sctp_cumack(sctp, ntohl(*tsn), &samp);
1647c478bd9Sstevel@tonic-gate 	}
1657c478bd9Sstevel@tonic-gate 
1667c478bd9Sstevel@tonic-gate 	/* Don't allow sending new data */
167c31292eeSkcpoon 	if (!SCTP_IS_DETACHED(sctp) && !sctp->sctp_ulp_discon_done) {
1680f1702c5SYu Xiangning 		sctp->sctp_ulp_opctl(sctp->sctp_ulpd, SOCK_OPCTL_SHUT_SEND, 0);
169c31292eeSkcpoon 		sctp->sctp_ulp_discon_done = B_TRUE;
170c31292eeSkcpoon 	}
1717c478bd9Sstevel@tonic-gate 
1727c478bd9Sstevel@tonic-gate 	/*
1737c478bd9Sstevel@tonic-gate 	 * If there is unsent or unacked data, try sending them out now.
1747c478bd9Sstevel@tonic-gate 	 * The other side should acknowledge them.  After we have flushed
1757c478bd9Sstevel@tonic-gate 	 * the transmit queue, we can complete the shutdown sequence.
1767c478bd9Sstevel@tonic-gate 	 */
1777c478bd9Sstevel@tonic-gate 	if (sctp->sctp_xmit_head != NULL || sctp->sctp_xmit_unsent != NULL)
1787c478bd9Sstevel@tonic-gate 		return (1);
1797c478bd9Sstevel@tonic-gate 
18077c67f2fSkcpoon 	if (fp == NULL) {
18177c67f2fSkcpoon 		/* rotate faddrs if we are retransmitting */
18277c67f2fSkcpoon 		if (!rexmit)
18377c67f2fSkcpoon 			fp = sctp->sctp_current;
18477c67f2fSkcpoon 		else
18577c67f2fSkcpoon 			fp = sctp_rotate_faddr(sctp, sctp->sctp_shutdown_faddr);
18677c67f2fSkcpoon 	}
18777c67f2fSkcpoon 	sctp->sctp_shutdown_faddr = fp;
1887c478bd9Sstevel@tonic-gate 
1897c478bd9Sstevel@tonic-gate 	samp = sctp_make_mp(sctp, fp, sizeof (*sach));
19077c67f2fSkcpoon 	if (samp == NULL) {
191f4b3ec61Sdh 		SCTP_KSTAT(sctps, sctp_send_shutdown_ack_failed);
1927c478bd9Sstevel@tonic-gate 		goto dotimer;
19377c67f2fSkcpoon 	}
1947c478bd9Sstevel@tonic-gate 
1957c478bd9Sstevel@tonic-gate 	sach = (sctp_chunk_hdr_t *)samp->b_wptr;
1967c478bd9Sstevel@tonic-gate 	sach->sch_id = CHUNK_SHUTDOWN_ACK;
1977c478bd9Sstevel@tonic-gate 	sach->sch_flags = 0;
1987c478bd9Sstevel@tonic-gate 	sach->sch_len = htons(sizeof (*sach));
1997c478bd9Sstevel@tonic-gate 
2007c478bd9Sstevel@tonic-gate 	samp->b_wptr += sizeof (*sach);
2017c478bd9Sstevel@tonic-gate 
2027c478bd9Sstevel@tonic-gate 	/*
2037c478bd9Sstevel@tonic-gate 	 * bundle a "cookie received while shutting down" error if
2047c478bd9Sstevel@tonic-gate 	 * the caller asks for it.
2057c478bd9Sstevel@tonic-gate 	 */
2067c478bd9Sstevel@tonic-gate 	if (crwsd) {
2077c478bd9Sstevel@tonic-gate 		mblk_t *errmp;
2087c478bd9Sstevel@tonic-gate 
2097c478bd9Sstevel@tonic-gate 		errmp = sctp_make_err(sctp, SCTP_ERR_COOKIE_SHUT, NULL, 0);
2107c478bd9Sstevel@tonic-gate 		if (errmp != NULL) {
2117c478bd9Sstevel@tonic-gate 			linkb(samp, errmp);
2127c478bd9Sstevel@tonic-gate 			BUMP_LOCAL(sctp->sctp_obchunks);
2137c478bd9Sstevel@tonic-gate 		}
2147c478bd9Sstevel@tonic-gate 	}
2157c478bd9Sstevel@tonic-gate 
2167c478bd9Sstevel@tonic-gate 	BUMP_LOCAL(sctp->sctp_obchunks);
2177c478bd9Sstevel@tonic-gate 
218bd670b35SErik Nordmark 	sctp_set_iplen(sctp, samp, fp->ixa);
219bd670b35SErik Nordmark 	(void) conn_ip_output(samp, fp->ixa);
220bd670b35SErik Nordmark 	BUMP_LOCAL(sctp->sctp_opkts);
2217c478bd9Sstevel@tonic-gate 
2227c478bd9Sstevel@tonic-gate dotimer:
2237c478bd9Sstevel@tonic-gate 	sctp->sctp_state = SCTPS_SHUTDOWN_ACK_SENT;
2247c478bd9Sstevel@tonic-gate 	SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
2257c478bd9Sstevel@tonic-gate 	    sctp->sctp_current->rto);
2267c478bd9Sstevel@tonic-gate 
2277c478bd9Sstevel@tonic-gate 	return (trysend);
2287c478bd9Sstevel@tonic-gate }
2297c478bd9Sstevel@tonic-gate 
2307c478bd9Sstevel@tonic-gate void
2317c478bd9Sstevel@tonic-gate sctp_shutdown_complete(sctp_t *sctp)
2327c478bd9Sstevel@tonic-gate {
2337c478bd9Sstevel@tonic-gate 	mblk_t *scmp;
2347c478bd9Sstevel@tonic-gate 	sctp_chunk_hdr_t *scch;
235f4b3ec61Sdh 	sctp_stack_t	*sctps = sctp->sctp_sctps;
2367c478bd9Sstevel@tonic-gate 
237bd670b35SErik Nordmark 	scmp = sctp_make_mp(sctp, sctp->sctp_current, sizeof (*scch));
2387c478bd9Sstevel@tonic-gate 	if (scmp == NULL) {
2397c478bd9Sstevel@tonic-gate 		/* XXX use timer approach */
240f4b3ec61Sdh 		SCTP_KSTAT(sctps, sctp_send_shutdown_comp_failed);
2417c478bd9Sstevel@tonic-gate 		return;
2427c478bd9Sstevel@tonic-gate 	}
2437c478bd9Sstevel@tonic-gate 
2447c478bd9Sstevel@tonic-gate 	scch = (sctp_chunk_hdr_t *)scmp->b_wptr;
2457c478bd9Sstevel@tonic-gate 	scch->sch_id = CHUNK_SHUTDOWN_COMPLETE;
2467c478bd9Sstevel@tonic-gate 	scch->sch_flags = 0;
2477c478bd9Sstevel@tonic-gate 	scch->sch_len = htons(sizeof (*scch));
2487c478bd9Sstevel@tonic-gate 
2497c478bd9Sstevel@tonic-gate 	scmp->b_wptr += sizeof (*scch);
2507c478bd9Sstevel@tonic-gate 
2517c478bd9Sstevel@tonic-gate 	BUMP_LOCAL(sctp->sctp_obchunks);
2527c478bd9Sstevel@tonic-gate 
253bd670b35SErik Nordmark 	sctp_set_iplen(sctp, scmp, sctp->sctp_current->ixa);
254bd670b35SErik Nordmark 	(void) conn_ip_output(scmp, sctp->sctp_current->ixa);
255bd670b35SErik Nordmark 	BUMP_LOCAL(sctp->sctp_opkts);
2567c478bd9Sstevel@tonic-gate }
2577c478bd9Sstevel@tonic-gate 
2587c478bd9Sstevel@tonic-gate /*
2597c478bd9Sstevel@tonic-gate  * Similar to sctp_shutdown_complete(), except that since this
2607c478bd9Sstevel@tonic-gate  * is out-of-the-blue, we can't use an sctp's association information,
2617c478bd9Sstevel@tonic-gate  * and instead must draw all necessary info from the incoming packet.
2627c478bd9Sstevel@tonic-gate  */
2637c478bd9Sstevel@tonic-gate void
264bd670b35SErik Nordmark sctp_ootb_shutdown_ack(mblk_t *mp, uint_t ip_hdr_len, ip_recv_attr_t *ira,
265bd670b35SErik Nordmark     ip_stack_t *ipst)
2667c478bd9Sstevel@tonic-gate {
2677c478bd9Sstevel@tonic-gate 	boolean_t		isv4;
268bd670b35SErik Nordmark 	ipha_t			*ipha = NULL;
269bd670b35SErik Nordmark 	ip6_t			*ip6h = NULL;
2707c478bd9Sstevel@tonic-gate 	sctp_hdr_t		*insctph;
2717c478bd9Sstevel@tonic-gate 	sctp_chunk_hdr_t	*scch;
2727c478bd9Sstevel@tonic-gate 	int			i;
2737c478bd9Sstevel@tonic-gate 	uint16_t		port;
2747c478bd9Sstevel@tonic-gate 	mblk_t			*mp1;
275bd670b35SErik Nordmark 	netstack_t		*ns = ipst->ips_netstack;
276bd670b35SErik Nordmark 	sctp_stack_t		*sctps = ns->netstack_sctp;
277bd670b35SErik Nordmark 	ip_xmit_attr_t		ixas;
2787c478bd9Sstevel@tonic-gate 
279bd670b35SErik Nordmark 	bzero(&ixas, sizeof (ixas));
2807c478bd9Sstevel@tonic-gate 
281bd670b35SErik Nordmark 	isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
282bd670b35SErik Nordmark 
283bd670b35SErik Nordmark 	ASSERT(MBLKL(mp) >= sizeof (*insctph) + sizeof (*scch) +
284bd670b35SErik Nordmark 	    (isv4 ? sizeof (ipha_t) : sizeof (ip6_t)));
2857c478bd9Sstevel@tonic-gate 
2867c478bd9Sstevel@tonic-gate 	/*
2877c478bd9Sstevel@tonic-gate 	 * Check to see if we can reuse the incoming mblk.  There should
288bd670b35SErik Nordmark 	 * not be other reference. Since this packet comes from below,
2897c478bd9Sstevel@tonic-gate 	 * there should be enough header space to fill in what the lower
290bd670b35SErik Nordmark 	 * layers want to add.
2917c478bd9Sstevel@tonic-gate 	 */
292bd670b35SErik Nordmark 	if (DB_REF(mp) != 1) {
293bd670b35SErik Nordmark 		mp1 = allocb(MBLKL(mp) + sctps->sctps_wroff_xtra, BPRI_MED);
2947c478bd9Sstevel@tonic-gate 		if (mp1 == NULL) {
295bd670b35SErik Nordmark 			freeb(mp);
2967c478bd9Sstevel@tonic-gate 			return;
2977c478bd9Sstevel@tonic-gate 		}
298f4b3ec61Sdh 		mp1->b_rptr += sctps->sctps_wroff_xtra;
299bd670b35SErik Nordmark 		bcopy(mp->b_rptr, mp1->b_rptr, MBLKL(mp));
300bd670b35SErik Nordmark 		freeb(mp);
301bd670b35SErik Nordmark 		mp = mp1;
302769b977dSvi 	} else {
303bd670b35SErik Nordmark 		DB_CKSUMFLAGS(mp) = 0;
3047c478bd9Sstevel@tonic-gate 	}
3057c478bd9Sstevel@tonic-gate 
306bd670b35SErik Nordmark 	ixas.ixa_pktlen = ip_hdr_len + sizeof (*insctph) + sizeof (*scch);
307bd670b35SErik Nordmark 	ixas.ixa_ip_hdr_length = ip_hdr_len;
308*481845d8SGeorge Shepherd 	mp->b_wptr = (mp->b_rptr + ixas.ixa_pktlen);
309*481845d8SGeorge Shepherd 
3107c478bd9Sstevel@tonic-gate 	/*
3117c478bd9Sstevel@tonic-gate 	 * We follow the logic in tcp_xmit_early_reset() in that we skip
312bd670b35SErik Nordmark 	 * reversing source route (i.e. replace all IP options with EOL).
3137c478bd9Sstevel@tonic-gate 	 */
3147c478bd9Sstevel@tonic-gate 	if (isv4) {
3157c478bd9Sstevel@tonic-gate 		ipaddr_t	v4addr;
3167c478bd9Sstevel@tonic-gate 
317bd670b35SErik Nordmark 		ipha = (ipha_t *)mp->b_rptr;
3187c478bd9Sstevel@tonic-gate 		for (i = IP_SIMPLE_HDR_LENGTH; i < (int)ip_hdr_len; i++)
319bd670b35SErik Nordmark 			mp->b_rptr[i] = IPOPT_EOL;
3207c478bd9Sstevel@tonic-gate 		/* Swap addresses */
321bd670b35SErik Nordmark 		ipha->ipha_length = htons(ixas.ixa_pktlen);
322bd670b35SErik Nordmark 		v4addr = ipha->ipha_src;
323bd670b35SErik Nordmark 		ipha->ipha_src = ipha->ipha_dst;
324bd670b35SErik Nordmark 		ipha->ipha_dst = v4addr;
325bd670b35SErik Nordmark 		ipha->ipha_ident = 0;
326bd670b35SErik Nordmark 		ipha->ipha_ttl = (uchar_t)sctps->sctps_ipv4_ttl;
327bd670b35SErik Nordmark 
328bd670b35SErik Nordmark 		ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
3297c478bd9Sstevel@tonic-gate 	} else {
3307c478bd9Sstevel@tonic-gate 		in6_addr_t	v6addr;
3317c478bd9Sstevel@tonic-gate 
332bd670b35SErik Nordmark 		ip6h = (ip6_t *)mp->b_rptr;
3337c478bd9Sstevel@tonic-gate 		/* Remove any extension headers assuming partial overlay */
3347c478bd9Sstevel@tonic-gate 		if (ip_hdr_len > IPV6_HDR_LEN) {
3357c478bd9Sstevel@tonic-gate 			uint8_t	*to;
3367c478bd9Sstevel@tonic-gate 
337bd670b35SErik Nordmark 			to = mp->b_rptr + ip_hdr_len - IPV6_HDR_LEN;
338bd670b35SErik Nordmark 			ovbcopy(ip6h, to, IPV6_HDR_LEN);
339bd670b35SErik Nordmark 			mp->b_rptr += ip_hdr_len - IPV6_HDR_LEN;
3407c478bd9Sstevel@tonic-gate 			ip_hdr_len = IPV6_HDR_LEN;
341bd670b35SErik Nordmark 			ip6h = (ip6_t *)mp->b_rptr;
342bd670b35SErik Nordmark 			ip6h->ip6_nxt = IPPROTO_SCTP;
343bd670b35SErik Nordmark 		}
344bd670b35SErik Nordmark 		ip6h->ip6_plen = htons(ixas.ixa_pktlen - IPV6_HDR_LEN);
345bd670b35SErik Nordmark 		v6addr = ip6h->ip6_src;
346bd670b35SErik Nordmark 		ip6h->ip6_src = ip6h->ip6_dst;
347bd670b35SErik Nordmark 		ip6h->ip6_dst = v6addr;
348bd670b35SErik Nordmark 		ip6h->ip6_hops = (uchar_t)sctps->sctps_ipv6_hoplimit;
349bd670b35SErik Nordmark 
350bd670b35SErik Nordmark 		ixas.ixa_flags = IXAF_BASIC_SIMPLE_V6;
351bd670b35SErik Nordmark 		if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_dst)) {
352bd670b35SErik Nordmark 			ixas.ixa_flags |= IXAF_SCOPEID_SET;
353bd670b35SErik Nordmark 			ixas.ixa_scopeid = ira->ira_ruifindex;
3547c478bd9Sstevel@tonic-gate 		}
3557c478bd9Sstevel@tonic-gate 	}
356bd670b35SErik Nordmark 
357bd670b35SErik Nordmark 	insctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_len);
3587c478bd9Sstevel@tonic-gate 
3597c478bd9Sstevel@tonic-gate 	/* Swap ports.  Verification tag is reused. */
3607c478bd9Sstevel@tonic-gate 	port = insctph->sh_sport;
3617c478bd9Sstevel@tonic-gate 	insctph->sh_sport = insctph->sh_dport;
3627c478bd9Sstevel@tonic-gate 	insctph->sh_dport = port;
3637c478bd9Sstevel@tonic-gate 
3647c478bd9Sstevel@tonic-gate 	/* Lay in the shutdown complete chunk */
3657c478bd9Sstevel@tonic-gate 	scch = (sctp_chunk_hdr_t *)(insctph + 1);
3667c478bd9Sstevel@tonic-gate 	scch->sch_id = CHUNK_SHUTDOWN_COMPLETE;
3677c478bd9Sstevel@tonic-gate 	scch->sch_len = htons(sizeof (*scch));
3687c478bd9Sstevel@tonic-gate 	scch->sch_flags = 0;
3697c478bd9Sstevel@tonic-gate 
3707c478bd9Sstevel@tonic-gate 	/* Set the T-bit */
3717c478bd9Sstevel@tonic-gate 	SCTP_SET_TBIT(scch);
3727c478bd9Sstevel@tonic-gate 
373bd670b35SErik Nordmark 	ixas.ixa_protocol = IPPROTO_SCTP;
374bd670b35SErik Nordmark 	ixas.ixa_zoneid = ira->ira_zoneid;
375bd670b35SErik Nordmark 	ixas.ixa_ipst = ipst;
376bd670b35SErik Nordmark 	ixas.ixa_ifindex = 0;
377bd670b35SErik Nordmark 
378bd670b35SErik Nordmark 	if (ira->ira_flags & IRAF_IPSEC_SECURE) {
379bd670b35SErik Nordmark 		/*
380bd670b35SErik Nordmark 		 * Apply IPsec based on how IPsec was applied to
381bd670b35SErik Nordmark 		 * the packet that was out of the blue.
382bd670b35SErik Nordmark 		 */
383bd670b35SErik Nordmark 		if (!ipsec_in_to_out(ira, &ixas, mp, ipha, ip6h)) {
384bd670b35SErik Nordmark 			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
385bd670b35SErik Nordmark 			/* Note: mp already consumed and ip_drop_packet done */
386bd670b35SErik Nordmark 			return;
387bd670b35SErik Nordmark 		}
388bd670b35SErik Nordmark 	} else {
389bd670b35SErik Nordmark 		/*
390bd670b35SErik Nordmark 		 * This is in clear. The message we are building
391bd670b35SErik Nordmark 		 * here should go out in clear, independent of our policy.
392bd670b35SErik Nordmark 		 */
393bd670b35SErik Nordmark 		ixas.ixa_flags |= IXAF_NO_IPSEC;
394bd670b35SErik Nordmark 	}
3957c478bd9Sstevel@tonic-gate 
396bd670b35SErik Nordmark 	(void) ip_output_simple(mp, &ixas);
397bd670b35SErik Nordmark 	ixa_cleanup(&ixas);
3987c478bd9Sstevel@tonic-gate }
399