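/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <sys/types.h>
#include <sys/systm.h>
#include <sys/stream.h>
#include <sys/ddi.h>
#include <sys/sunddi.h>
#include <sys/strsubr.h>
#include <sys/strsun.h>

#include <netinet/in.h>
#include <netinet/ip6.h>

#include <inet/ipsec_impl.h>
#include <inet/common.h>
#include <inet/ip.h>
#include <inet/ip6.h>
#include <inet/mib2.h>
#include <inet/nd.h>
#include <inet/optcom.h>
#include <inet/sctp_ip.h>
#include <inet/ipclassifier.h>
#include "sctp_impl.h"

/*
 * Build and send a SHUTDOWN chunk carrying sctp_lastacked as the
 * cumulative TSN ack.
 *
 * Nothing is done unless the association is in ESTABLISHED,
 * SHUTDOWN_PENDING or SHUTDOWN_SENT. An ESTABLISHED association is moved
 * to SHUTDOWN_PENDING first; if the transmit queues are not empty the
 * function then returns without sending anything.
 *
 * rexmit: non-zero when this is a retransmission, in which case the
 * destination is picked with sctp_rotate_faddr() instead of using
 * sctp_current.
 *
 * If the message cannot be allocated, the association is still moved to
 * SHUTDOWN_SENT and the timer is still restarted (the "done" label).
 */
void
sctp_send_shutdown(sctp_t *sctp, int rexmit)
{
	mblk_t *smp;
	mblk_t *sendmp;
	sctp_chunk_hdr_t *sch;
	uint32_t *ctsn;
	sctp_faddr_t *fp;
	sctp_stack_t *sctps = sctp->sctp_sctps;

	if (sctp->sctp_state != SCTPS_ESTABLISHED &&
	    sctp->sctp_state != SCTPS_SHUTDOWN_PENDING &&
	    sctp->sctp_state != SCTPS_SHUTDOWN_SENT) {
		return;
	}

	if (sctp->sctp_state == SCTPS_ESTABLISHED) {
		sctp->sctp_state = SCTPS_SHUTDOWN_PENDING;
		/*
		 * We set an upper bound on how long we will
		 * wait for a shutdown-ack from the peer. This
		 * is to prevent the receiver from attempting
		 * to create a half-closed state indefinitely.
		 * See archive from IETF TSVWG mailing list
		 * for June 2001 for more information.
		 * Since we will not be calculating RTTs after
		 * sending the shutdown, we can overload out_time
		 * to track how long we have waited.
		 */
		sctp->sctp_out_time = ddi_get_lbolt64();
	}

	/*
	 * If there is unsent (or unacked) data, wait for it to get ack'd
	 */
	if (sctp->sctp_xmit_head != NULL || sctp->sctp_xmit_unsent != NULL) {
		return;
	}

	/* rotate faddrs if we are retransmitting */
	if (!rexmit) {
		fp = sctp->sctp_current;
	} else {
		fp = sctp_rotate_faddr(sctp, sctp->sctp_shutdown_faddr);
	}

	sctp->sctp_shutdown_faddr = fp;

	/* Link in a SACK if resending the shutdown */
	if (sctp->sctp_state > SCTPS_SHUTDOWN_PENDING &&
	    (sendmp = sctp_make_sack(sctp, fp, NULL)) != NULL) {

		/* The SHUTDOWN chunk goes in its own mblk behind the SACK. */
		smp = allocb(sizeof (*sch) + sizeof (*ctsn), BPRI_MED);
		if (smp == NULL) {
			freemsg(sendmp);
			goto done;
		}
		linkb(sendmp, smp);

		sch = (sctp_chunk_hdr_t *)smp->b_rptr;
		smp->b_wptr = smp->b_rptr + sizeof (*sch) + sizeof (*ctsn);
	} else {
		/* No SACK: the chunk is appended to the header mblk. */
		sendmp = sctp_make_mp(sctp, fp,
		    sizeof (*sch) + sizeof (*ctsn));
		if (sendmp == NULL) {
			SCTP_KSTAT(sctps, sctp_send_shutdown_failed);
			goto done;
		}
		sch = (sctp_chunk_hdr_t *)sendmp->b_wptr;
		sendmp->b_wptr += sizeof (*sch) + sizeof (*ctsn);

		/* shutdown w/o sack, update lastacked */
		sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
	}

	sch->sch_id = CHUNK_SHUTDOWN;
	sch->sch_flags = 0;
	sch->sch_len = htons(sizeof (*sch) + sizeof (*ctsn));

	/* The cumulative TSN ack follows the chunk header directly. */
	ctsn = (uint32_t *)(sch + 1);
	*ctsn = htonl(sctp->sctp_lastacked);

	/* Link the shutdown chunk in after the IP/SCTP header */

	BUMP_LOCAL(sctp->sctp_obchunks);

	/* Send the shutdown and restart the timer */
	sctp_set_iplen(sctp, sendmp, fp->ixa);
	(void) conn_ip_output(sendmp, fp->ixa);
	BUMP_LOCAL(sctp->sctp_opkts);

done:
	sctp->sctp_state = SCTPS_SHUTDOWN_SENT;
	SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
	    sctp->sctp_current->rto);
}

/*
 * Handle a SHUTDOWN from the peer and answer it with a SHUTDOWN ACK.
 *
 * sch:    the received SHUTDOWN chunk, or NULL when there is no chunk to
 *         take a cumulative TSN from.
 * crwsd:  when true, a "cookie received while shutting down" error is
 *         bundled with the SHUTDOWN ACK.
 * rexmit: when true and fp is NULL, the destination is picked with
 *         sctp_rotate_faddr() instead of using sctp_current.
 * fp:     destination to use, or NULL to have one chosen here.
 *
 * Returns 1 without sending a SHUTDOWN ACK if unsent or unacked data is
 * still queued. Otherwise returns the value sctp_cumack() produced for
 * the TSN in the chunk, or 0 if sctp_cumack() was not called.
 */
int
sctp_shutdown_received(sctp_t *sctp, sctp_chunk_hdr_t *sch, boolean_t crwsd,
    boolean_t rexmit, sctp_faddr_t *fp)
{
	mblk_t *samp;
	sctp_chunk_hdr_t *sach;
	uint32_t *tsn;
	int trysend = 0;
	sctp_stack_t *sctps = sctp->sctp_sctps;

	if (sctp->sctp_state != SCTPS_SHUTDOWN_ACK_SENT)
		sctp->sctp_state = SCTPS_SHUTDOWN_RECEIVED;

	/* Extract and process the TSN in the shutdown chunk */
	if (sch != NULL) {
		/*
		 * NOTE(review): the four bytes after the chunk header are
		 * read without sch_len being checked in this function.
		 * Presumably the caller has already verified the chunk is
		 * at least sizeof (*sch) + sizeof (*tsn) long; confirm.
		 */
		tsn = (uint32_t *)(sch + 1);
		/* not already acked */
		if (!SEQ_LT(ntohl(*tsn), sctp->sctp_lastack_rxd))
			trysend = sctp_cumack(sctp, ntohl(*tsn), &samp);
	}

	/* Don't allow sending new data */
	if (!SCTP_IS_DETACHED(sctp) && !sctp->sctp_ulp_discon_done) {
		sctp->sctp_ulp_opctl(sctp->sctp_ulpd, SOCK_OPCTL_SHUT_SEND, 0);
		/* Remember the notification so it is issued only once. */
		sctp->sctp_ulp_discon_done = B_TRUE;
	}

	/*
	 * If there is unsent or unacked data, try sending them out now.
	 * The other side should acknowledge them. After we have flushed
	 * the transmit queue, we can complete the shutdown sequence.
	 */
	if (sctp->sctp_xmit_head != NULL || sctp->sctp_xmit_unsent != NULL)
		return (1);

	if (fp == NULL) {
		/* rotate faddrs if we are retransmitting */
		if (!rexmit)
			fp = sctp->sctp_current;
		else
			fp = sctp_rotate_faddr(sctp, sctp->sctp_shutdown_faddr);
	}
	sctp->sctp_shutdown_faddr = fp;

	samp = sctp_make_mp(sctp, fp, sizeof (*sach));
	if (samp == NULL) {
		SCTP_KSTAT(sctps, sctp_send_shutdown_ack_failed);
		goto dotimer;
	}

	sach = (sctp_chunk_hdr_t *)samp->b_wptr;
	sach->sch_id = CHUNK_SHUTDOWN_ACK;
	sach->sch_flags = 0;
	sach->sch_len = htons(sizeof (*sach));

	samp->b_wptr += sizeof (*sach);

	/*
	 * bundle a "cookie received while shutting down" error if
	 * the caller asks for it.
	 */
	if (crwsd) {
		mblk_t *errmp;

		/* Best effort: the ack is sent even if this fails. */
		errmp = sctp_make_err(sctp, SCTP_ERR_COOKIE_SHUT, NULL, 0);
		if (errmp != NULL) {
			linkb(samp, errmp);
			BUMP_LOCAL(sctp->sctp_obchunks);
		}
	}

	BUMP_LOCAL(sctp->sctp_obchunks);

	sctp_set_iplen(sctp, samp, fp->ixa);
	(void) conn_ip_output(samp, fp->ixa);
	BUMP_LOCAL(sctp->sctp_opkts);

dotimer:
	/* Reached on allocation failure too: state and timer still move. */
	sctp->sctp_state = SCTPS_SHUTDOWN_ACK_SENT;
	SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
	    sctp->sctp_current->rto);

	return (trysend);
}

/*
 * Send a SHUTDOWN COMPLETE chunk to the association's current peer
 * address. If the message cannot be allocated, the failure is counted
 * and nothing is sent.
 */
void
sctp_shutdown_complete(sctp_t *sctp)
{
	mblk_t *scmp;
	sctp_chunk_hdr_t *scch;
	sctp_stack_t *sctps = sctp->sctp_sctps;

	scmp = sctp_make_mp(sctp, sctp->sctp_current, sizeof (*scch));
	if (scmp == NULL) {
		/* XXX use timer approach */
		SCTP_KSTAT(sctps, sctp_send_shutdown_comp_failed);
		return;
	}

	scch = (sctp_chunk_hdr_t *)scmp->b_wptr;
	scch->sch_id = CHUNK_SHUTDOWN_COMPLETE;
	scch->sch_flags = 0;
	scch->sch_len = htons(sizeof (*scch));

	scmp->b_wptr += sizeof (*scch);

	BUMP_LOCAL(sctp->sctp_obchunks);

	sctp_set_iplen(sctp, scmp, sctp->sctp_current->ixa);
	(void) conn_ip_output(scmp, sctp->sctp_current->ixa);
	BUMP_LOCAL(sctp->sctp_opkts);
}

/*
 * Similar to sctp_shutdown_complete(), except that since this
 * is out-of-the-blue, we can't use an sctp's association information,
 * and instead must draw all necessary info from the incoming packet.
 *
 * mp:         the received packet, starting at the IP header. It is
 *             consumed on every path.
 * ip_hdr_len: length of the IP header, including IPv4 options or IPv6
 *             extension headers.
 * ira:        receive attributes of the packet; supplies the zone, the
 *             IPsec state and the scope id for link-scope IPv6 replies.
 * ipst:       IP stack instance the packet arrived on.
 *
 * The reply is built by rewriting the received headers in place, so the
 * packet contents are attacker-controlled input: the first mblk must
 * hold at least ip_hdr_len plus the SCTP common header plus one chunk
 * header, or the packet is dropped.
 */
void
sctp_ootb_shutdown_ack(mblk_t *mp, uint_t ip_hdr_len, ip_recv_attr_t *ira,
    ip_stack_t *ipst)
{
	boolean_t isv4;
	ipha_t *ipha = NULL;
	ip6_t *ip6h = NULL;
	sctp_hdr_t *insctph;
	sctp_chunk_hdr_t *scch;
	int i;
	uint16_t port;
	mblk_t *mp1;
	netstack_t *ns = ipst->ips_netstack;
	sctp_stack_t *sctps = ns->netstack_sctp;
	ip_xmit_attr_t ixas;

	bzero(&ixas, sizeof (ixas));

	isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);

	ASSERT(MBLKL(mp) >= sizeof (*insctph) + sizeof (*scch) +
	    (isv4 ? sizeof (ipha_t) : sizeof (ip6_t)));

	/*
	 * ASSERT() is only active in DEBUG kernels, and the code below
	 * sets b_wptr to b_rptr + ip_hdr_len + SCTP header + chunk header
	 * and then writes up to that point. Enforce the bound at run time
	 * as well, using the real header length, so a short first mblk is
	 * dropped instead of being written past. freemsg() is used so a
	 * chained message is released in full.
	 */
	if (MBLKL(mp) < ip_hdr_len + sizeof (*insctph) + sizeof (*scch)) {
		freemsg(mp);
		return;
	}

	/*
	 * Check to see if we can reuse the incoming mblk.  There should
	 * not be other reference.  Since this packet comes from below,
	 * there should be enough header space to fill in what the lower
	 * layers want to add.
	 */
	if (DB_REF(mp) != 1) {
		mp1 = allocb(MBLKL(mp) + sctps->sctps_wroff_xtra, BPRI_MED);
		if (mp1 == NULL) {
			freeb(mp);
			return;
		}
		/* Leave sctps_wroff_xtra bytes of headroom in the copy. */
		mp1->b_rptr += sctps->sctps_wroff_xtra;
		bcopy(mp->b_rptr, mp1->b_rptr, MBLKL(mp));
		freeb(mp);
		mp = mp1;
	} else {
		DB_CKSUMFLAGS(mp) = 0;
	}

	ixas.ixa_pktlen = ip_hdr_len + sizeof (*insctph) + sizeof (*scch);
	ixas.ixa_ip_hdr_length = ip_hdr_len;
	/* Trim (or, for the copy, set) the end of data to the reply size. */
	mp->b_wptr = (mp->b_rptr + ixas.ixa_pktlen);

	/*
	 * We follow the logic in tcp_xmit_early_reset() in that we skip
	 * reversing source route (i.e. replace all IP options with EOL).
	 */
	if (isv4) {
		ipaddr_t v4addr;

		ipha = (ipha_t *)mp->b_rptr;
		for (i = IP_SIMPLE_HDR_LENGTH; i < (int)ip_hdr_len; i++)
			mp->b_rptr[i] = IPOPT_EOL;
		/* Swap addresses */
		ipha->ipha_length = htons(ixas.ixa_pktlen);
		v4addr = ipha->ipha_src;
		ipha->ipha_src = ipha->ipha_dst;
		ipha->ipha_dst = v4addr;
		ipha->ipha_ident = 0;
		ipha->ipha_ttl = (uchar_t)sctps->sctps_ipv4_ttl;

		ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
	} else {
		in6_addr_t v6addr;

		ip6h = (ip6_t *)mp->b_rptr;
		/* Remove any extension headers assuming partial overlay */
		if (ip_hdr_len > IPV6_HDR_LEN) {
			uint8_t *to;

			/*
			 * NOTE(review): ixas.ixa_pktlen and
			 * ixas.ixa_ip_hdr_length were computed from the
			 * original ip_hdr_len and are not recomputed after
			 * the extension headers are stripped here, so
			 * ip6_plen below is derived from the pre-strip
			 * length. Confirm this is intended.
			 */
			to = mp->b_rptr + ip_hdr_len - IPV6_HDR_LEN;
			ovbcopy(ip6h, to, IPV6_HDR_LEN);
			mp->b_rptr += ip_hdr_len - IPV6_HDR_LEN;
			ip_hdr_len = IPV6_HDR_LEN;
			ip6h = (ip6_t *)mp->b_rptr;
			ip6h->ip6_nxt = IPPROTO_SCTP;
		}
		ip6h->ip6_plen = htons(ixas.ixa_pktlen - IPV6_HDR_LEN);
		v6addr = ip6h->ip6_src;
		ip6h->ip6_src = ip6h->ip6_dst;
		ip6h->ip6_dst = v6addr;
		ip6h->ip6_hops = (uchar_t)sctps->sctps_ipv6_hoplimit;

		ixas.ixa_flags = IXAF_BASIC_SIMPLE_V6;
		if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_dst)) {
			/* Link-scope reply: pin it to the receive ifindex. */
			ixas.ixa_flags |= IXAF_SCOPEID_SET;
			ixas.ixa_scopeid = ira->ira_ruifindex;
		}
	}

	insctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_len);

	/* Swap ports.  Verification tag is reused. */
	port = insctph->sh_sport;
	insctph->sh_sport = insctph->sh_dport;
	insctph->sh_dport = port;

	/* Lay in the shutdown complete chunk */
	scch = (sctp_chunk_hdr_t *)(insctph + 1);
	scch->sch_id = CHUNK_SHUTDOWN_COMPLETE;
	scch->sch_len = htons(sizeof (*scch));
	scch->sch_flags = 0;

	/* Set the T-bit */
	SCTP_SET_TBIT(scch);

	ixas.ixa_protocol = IPPROTO_SCTP;
	ixas.ixa_zoneid = ira->ira_zoneid;
	ixas.ixa_ipst = ipst;
	ixas.ixa_ifindex = 0;

	if (ira->ira_flags & IRAF_IPSEC_SECURE) {
		/*
		 * Apply IPsec based on how IPsec was applied to
		 * the packet that was out of the blue.
		 */
		if (!ipsec_in_to_out(ira, &ixas, mp, ipha, ip6h)) {
			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
			/* Note: mp already consumed and ip_drop_packet done */
			return;
		}
	} else {
		/*
		 * This is in clear. The message we are building
		 * here should go out in clear, independent of our policy.
		 */
		ixas.ixa_flags |= IXAF_NO_IPSEC;
	}

	(void) ip_output_simple(mp, &ixas);
	ixa_cleanup(&ixas);
}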