17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * CDDL HEADER START
37c478bd9Sstevel@tonic-gate  *
47c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
577c67f2fSkcpoon  * Common Development and Distribution License (the "License").
677c67f2fSkcpoon  * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate  *
87c478bd9Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate  * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate  * and limitations under the License.
127c478bd9Sstevel@tonic-gate  *
137c478bd9Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate  *
197c478bd9Sstevel@tonic-gate  * CDDL HEADER END
207c478bd9Sstevel@tonic-gate  */
2177c67f2fSkcpoon 
227c478bd9Sstevel@tonic-gate /*
23*bd670b35SErik Nordmark  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
247c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
257c478bd9Sstevel@tonic-gate  */
267c478bd9Sstevel@tonic-gate 
277c478bd9Sstevel@tonic-gate #include <sys/types.h>
287c478bd9Sstevel@tonic-gate #include <sys/systm.h>
297c478bd9Sstevel@tonic-gate #include <sys/stream.h>
307c478bd9Sstevel@tonic-gate #include <sys/ddi.h>
317c478bd9Sstevel@tonic-gate #include <sys/sunddi.h>
327c478bd9Sstevel@tonic-gate #include <sys/strsubr.h>
337c478bd9Sstevel@tonic-gate #include <sys/strsun.h>
347c478bd9Sstevel@tonic-gate 
357c478bd9Sstevel@tonic-gate #include <netinet/in.h>
367c478bd9Sstevel@tonic-gate #include <netinet/ip6.h>
377c478bd9Sstevel@tonic-gate 
38*bd670b35SErik Nordmark #include <inet/ipsec_impl.h>
397c478bd9Sstevel@tonic-gate #include <inet/common.h>
407c478bd9Sstevel@tonic-gate #include <inet/ip.h>
417c478bd9Sstevel@tonic-gate #include <inet/ip6.h>
427c478bd9Sstevel@tonic-gate #include <inet/mib2.h>
437c478bd9Sstevel@tonic-gate #include <inet/nd.h>
447c478bd9Sstevel@tonic-gate #include <inet/optcom.h>
457c478bd9Sstevel@tonic-gate #include <inet/sctp_ip.h>
46f4b3ec61Sdh #include <inet/ipclassifier.h>
477c478bd9Sstevel@tonic-gate #include "sctp_impl.h"
487c478bd9Sstevel@tonic-gate 
/*
 * Send, or resend, a SHUTDOWN chunk for this association.
 *
 * Nothing is done unless the association is ESTABLISHED, SHUTDOWN_PENDING
 * or SHUTDOWN_SENT.  An ESTABLISHED association is first moved to
 * SHUTDOWN_PENDING; while data is still queued for (re)transmission the
 * function returns at that point and no chunk is built.  Otherwise the
 * chunk goes to the current peer address or, when rexmit is non-zero, to
 * the address picked by sctp_rotate_faddr(), and the association ends up
 * in SHUTDOWN_SENT with the timer restarted.
 *
 * An allocation failure skips the transmit but still reaches the "done"
 * label, so the state change and the timer restart happen either way.
 * Only the sctp_make_mp() failure bumps sctp_send_shutdown_failed; the
 * allocb() failure on the SACK path is not counted.
 */
void
sctp_send_shutdown(sctp_t *sctp, int rexmit)
{
	sctp_stack_t	*sctps = sctp->sctp_sctps;
	sctp_chunk_hdr_t *sch;
	sctp_faddr_t	*fp;
	mblk_t		*sendmp = NULL;
	mblk_t		*smp;
	uint32_t	*ctsn;
	size_t		chunklen = sizeof (*sch) + sizeof (*ctsn);

	switch (sctp->sctp_state) {
	case SCTPS_ESTABLISHED:
		sctp->sctp_state = SCTPS_SHUTDOWN_PENDING;
		/*
		 * Bound how long we will wait for a shutdown-ack from
		 * the peer, so that the receiver cannot hold the
		 * association in a half-closed state indefinitely.
		 * See the IETF TSVWG mailing list archive for June 2001
		 * for more information.  No RTTs are calculated after
		 * the shutdown has been sent, so out_time is overloaded
		 * to record when the wait began.
		 */
		sctp->sctp_out_time = lbolt64;
		break;
	case SCTPS_SHUTDOWN_PENDING:
	case SCTPS_SHUTDOWN_SENT:
		break;
	default:
		/* Not in a state from which a SHUTDOWN may be sent. */
		return;
	}

	/* Unsent or unacked data must be ack'd before the SHUTDOWN goes. */
	if (sctp->sctp_xmit_head != NULL || sctp->sctp_xmit_unsent != NULL)
		return;

	/* A retransmission rotates to another peer address. */
	fp = rexmit ? sctp_rotate_faddr(sctp, sctp->sctp_shutdown_faddr) :
	    sctp->sctp_current;
	sctp->sctp_shutdown_faddr = fp;

	/* When resending the shutdown, try to lead with a SACK. */
	if (sctp->sctp_state > SCTPS_SHUTDOWN_PENDING)
		sendmp = sctp_make_sack(sctp, fp, NULL);

	if (sendmp != NULL) {
		/* The SHUTDOWN chunk lives in its own mblk after the SACK. */
		smp = allocb(chunklen, BPRI_MED);
		if (smp == NULL) {
			freemsg(sendmp);
			goto done;
		}
		sch = (sctp_chunk_hdr_t *)smp->b_rptr;
		smp->b_wptr = smp->b_rptr + chunklen;
		linkb(sendmp, smp);
	} else {
		/* No SACK: headers and chunk share one message. */
		sendmp = sctp_make_mp(sctp, fp, chunklen);
		if (sendmp == NULL) {
			SCTP_KSTAT(sctps, sctp_send_shutdown_failed);
			goto done;
		}
		sch = (sctp_chunk_hdr_t *)sendmp->b_wptr;
		sendmp->b_wptr += chunklen;

		/* shutdown w/o sack, update lastacked */
		sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
	}

	/* Chunk header, then the cumulative TSN ack in network order. */
	sch->sch_id = CHUNK_SHUTDOWN;
	sch->sch_flags = 0;
	sch->sch_len = htons(chunklen);

	ctsn = (uint32_t *)(sch + 1);
	*ctsn = htonl(sctp->sctp_lastacked);

	BUMP_LOCAL(sctp->sctp_obchunks);

	/* Hand the packet to IP; the send result is deliberately ignored. */
	sctp_set_iplen(sctp, sendmp, fp->ixa);
	(void) conn_ip_output(sendmp, fp->ixa);
	BUMP_LOCAL(sctp->sctp_opkts);

done:
	/* The timer is restarted on sctp_current, not on fp. */
	sctp->sctp_state = SCTPS_SHUTDOWN_SENT;
	SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
	    sctp->sctp_current->rto);
}
1457c478bd9Sstevel@tonic-gate 
/*
 * Handle a SHUTDOWN from the peer and answer it with a SHUTDOWN ACK.
 *
 * sch is the received SHUTDOWN chunk, or NULL when there is none to
 * process.  crwsd asks for a "cookie received while shutting down" error
 * to be bundled with the ack.  fp is the peer address to reply to; when
 * it is NULL the current address is used or, if rexmit is set, the one
 * chosen by sctp_rotate_faddr().
 *
 * Returns 1 without sending the ack while unsent or unacked data is still
 * queued; otherwise returns whatever sctp_cumack() returned for the
 * chunk's TSN (0 when sch is NULL).
 *
 * NOTE(review): the 32-bit TSN is read from directly behind the chunk
 * header and sch_len is not examined here, so this relies on the caller
 * having verified that the received chunk is long enough to hold it --
 * confirm against the input path.
 */
int
sctp_shutdown_received(sctp_t *sctp, sctp_chunk_hdr_t *sch, boolean_t crwsd,
    boolean_t rexmit, sctp_faddr_t *fp)
{
	sctp_stack_t	*sctps = sctp->sctp_sctps;
	sctp_chunk_hdr_t *sach;
	mblk_t		*samp;
	int		trysend = 0;

	/* A retransmitted ack must not move the state backwards. */
	if (sctp->sctp_state != SCTPS_SHUTDOWN_ACK_SENT)
		sctp->sctp_state = SCTPS_SHUTDOWN_RECEIVED;

	/* Process the cumulative TSN carried in the shutdown chunk. */
	if (sch != NULL) {
		uint32_t *tsnp = (uint32_t *)(sch + 1);

		trysend = sctp_cumack(sctp, ntohl(*tsnp), &samp);
	}

	/* Tell the upper layer, once, that no new data may be sent. */
	if (!SCTP_IS_DETACHED(sctp) && !sctp->sctp_ulp_discon_done) {
		sctp->sctp_ulp_opctl(sctp->sctp_ulpd, SOCK_OPCTL_SHUT_SEND, 0);
		sctp->sctp_ulp_discon_done = B_TRUE;
	}

	/*
	 * Unsent or unacked data has to be flushed and acknowledged by the
	 * other side first; report that to the caller and leave the rest
	 * of the shutdown sequence for later.
	 */
	if (sctp->sctp_xmit_head != NULL || sctp->sctp_xmit_unsent != NULL)
		return (1);

	/* Pick a destination if the caller gave none. */
	if (fp == NULL) {
		/* rotate faddrs if we are retransmitting */
		fp = rexmit ?
		    sctp_rotate_faddr(sctp, sctp->sctp_shutdown_faddr) :
		    sctp->sctp_current;
	}
	sctp->sctp_shutdown_faddr = fp;

	samp = sctp_make_mp(sctp, fp, sizeof (*sach));
	if (samp == NULL) {
		SCTP_KSTAT(sctps, sctp_send_shutdown_ack_failed);
		goto dotimer;
	}

	/* Append a header-only SHUTDOWN ACK chunk. */
	sach = (sctp_chunk_hdr_t *)samp->b_wptr;
	samp->b_wptr += sizeof (*sach);

	sach->sch_len = htons(sizeof (*sach));
	sach->sch_flags = 0;
	sach->sch_id = CHUNK_SHUTDOWN_ACK;

	/*
	 * Bundle the "cookie received while shutting down" error when the
	 * caller asked for it; if it cannot be built it is simply left out.
	 */
	if (crwsd) {
		mblk_t *errmp;

		errmp = sctp_make_err(sctp, SCTP_ERR_COOKIE_SHUT, NULL, 0);
		if (errmp != NULL) {
			linkb(samp, errmp);
			BUMP_LOCAL(sctp->sctp_obchunks);
		}
	}

	BUMP_LOCAL(sctp->sctp_obchunks);

	/* Hand the packet to IP; the send result is deliberately ignored. */
	sctp_set_iplen(sctp, samp, fp->ixa);
	(void) conn_ip_output(samp, fp->ixa);
	BUMP_LOCAL(sctp->sctp_opkts);

dotimer:
	/* Reached on allocation failure too; timer runs on sctp_current. */
	sctp->sctp_state = SCTPS_SHUTDOWN_ACK_SENT;
	SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
	    sctp->sctp_current->rto);

	return (trysend);
}
2287c478bd9Sstevel@tonic-gate 
/*
 * Send a SHUTDOWN COMPLETE chunk to the association's current peer
 * address.  If the message cannot be allocated, the failure is counted
 * in sctp_send_shutdown_comp_failed and nothing is sent; there is no
 * retry from here.
 */
void
sctp_shutdown_complete(sctp_t *sctp)
{
	sctp_stack_t	*sctps = sctp->sctp_sctps;
	sctp_chunk_hdr_t *scch;
	mblk_t		*scmp;

	scmp = sctp_make_mp(sctp, sctp->sctp_current, sizeof (*scch));
	if (scmp == NULL) {
		/* XXX use timer approach */
		SCTP_KSTAT(sctps, sctp_send_shutdown_comp_failed);
		return;
	}

	/* Claim room for a header-only chunk, then fill it in. */
	scch = (sctp_chunk_hdr_t *)scmp->b_wptr;
	scmp->b_wptr += sizeof (*scch);

	scch->sch_len = htons(sizeof (*scch));
	scch->sch_flags = 0;
	scch->sch_id = CHUNK_SHUTDOWN_COMPLETE;

	BUMP_LOCAL(sctp->sctp_obchunks);

	/* Hand the packet to IP; the send result is deliberately ignored. */
	sctp_set_iplen(sctp, scmp, sctp->sctp_current->ixa);
	(void) conn_ip_output(scmp, sctp->sctp_current->ixa);
	BUMP_LOCAL(sctp->sctp_opkts);
}
2567c478bd9Sstevel@tonic-gate 
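/*
 * Build and send a SHUTDOWN COMPLETE chunk, with the T-bit set, in reply
 * to an out-of-the-blue packet.
 *
 * Similar to sctp_shutdown_complete(), except that since this is
 * out-of-the-blue, we can't use an sctp's association information, and
 * instead must draw all necessary info from the incoming packet: the
 * reply goes back to the packet's source address and port, and the
 * verification tag of the incoming SCTP header is reused.
 *
 * mp is the incoming packet, starting at its IP header; ip_hdr_len is
 * the length of that header including IPv4 options or IPv6 extension
 * headers.  ira describes how the packet was received and ipst is the
 * IP stack instance to send on.  mp is reused or freed on every path
 * visible here; the caller must not touch it afterwards.
 */
void
sctp_ootb_shutdown_ack(mblk_t *mp, uint_t ip_hdr_len, ip_recv_attr_t *ira,
    ip_stack_t *ipst)
{
	boolean_t		isv4;
	ipha_t			*ipha = NULL;
	ip6_t			*ip6h = NULL;
	sctp_hdr_t		*insctph;
	sctp_chunk_hdr_t	*scch;
	int			i;
	uint16_t		port;
	mblk_t			*mp1;
	netstack_t		*ns = ipst->ips_netstack;
	sctp_stack_t		*sctps = ns->netstack_sctp;
	ip_xmit_attr_t		ixas;

	bzero(&ixas, sizeof (ixas));

	isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);

	/*
	 * NOTE(review): ASSERT() is only active in DEBUG kernels, and the
	 * bound uses the fixed base header size rather than ip_hdr_len.
	 * The writes below reach ip_hdr_len + sizeof (*insctph) +
	 * sizeof (*scch) bytes into the block, so the caller is presumably
	 * expected to have validated that much of this network-supplied
	 * packet -- confirm against the input path.
	 */
	ASSERT(MBLKL(mp) >= sizeof (*insctph) + sizeof (*scch) +
	    (isv4 ? sizeof (ipha_t) : sizeof (ip6_t)));

	/*
	 * Check to see if we can reuse the incoming mblk.  There should
	 * not be other reference. Since this packet comes from below,
	 * there should be enough header space to fill in what the lower
	 * layers want to add.
	 */
	if (DB_REF(mp) != 1) {
		/* Shared data block: work on a private copy instead. */
		mp1 = allocb(MBLKL(mp) + sctps->sctps_wroff_xtra, BPRI_MED);
		if (mp1 == NULL) {
			freeb(mp);
			return;
		}
		/* Leave sctps_wroff_xtra bytes of headroom in the copy. */
		mp1->b_rptr += sctps->sctps_wroff_xtra;
		mp1->b_wptr = mp1->b_rptr + MBLKL(mp);
		bcopy(mp->b_rptr, mp1->b_rptr, MBLKL(mp));
		freeb(mp);
		mp = mp1;
	} else {
		DB_CKSUMFLAGS(mp) = 0;
	}

	ixas.ixa_pktlen = ip_hdr_len + sizeof (*insctph) + sizeof (*scch);
	ixas.ixa_ip_hdr_length = ip_hdr_len;
	/*
	 * We follow the logic in tcp_xmit_early_reset() in that we skip
	 * reversing source route (i.e. replace all IP options with EOL).
	 */
	if (isv4) {
		ipaddr_t	v4addr;

		ipha = (ipha_t *)mp->b_rptr;
		for (i = IP_SIMPLE_HDR_LENGTH; i < (int)ip_hdr_len; i++)
			mp->b_rptr[i] = IPOPT_EOL;
		ipha->ipha_length = htons(ixas.ixa_pktlen);
		/* Swap addresses */
		v4addr = ipha->ipha_src;
		ipha->ipha_src = ipha->ipha_dst;
		ipha->ipha_dst = v4addr;
		ipha->ipha_ident = 0;
		ipha->ipha_ttl = (uchar_t)sctps->sctps_ipv4_ttl;

		ixas.ixa_flags = IXAF_BASIC_SIMPLE_V4;
	} else {
		in6_addr_t	v6addr;

		ip6h = (ip6_t *)mp->b_rptr;
		/* Remove any extension headers assuming partial overlay */
		if (ip_hdr_len > IPV6_HDR_LEN) {
			uint8_t	*to;

			/*
			 * Slide the fixed IPv6 header forward so that it
			 * sits directly in front of the SCTP header.
			 */
			to = mp->b_rptr + ip_hdr_len - IPV6_HDR_LEN;
			ovbcopy(ip6h, to, IPV6_HDR_LEN);
			mp->b_rptr += ip_hdr_len - IPV6_HDR_LEN;
			ip_hdr_len = IPV6_HDR_LEN;
			ip6h = (ip6_t *)mp->b_rptr;
			ip6h->ip6_nxt = IPPROTO_SCTP;

			/*
			 * The lengths computed above still counted the
			 * extension headers that were just dropped.
			 * Recompute them, otherwise ip6_plen and the
			 * transmit attributes describe a packet longer
			 * than the reply that was actually built.
			 */
			ixas.ixa_pktlen = ip_hdr_len + sizeof (*insctph) +
			    sizeof (*scch);
			ixas.ixa_ip_hdr_length = ip_hdr_len;
		}
		ip6h->ip6_plen = htons(ixas.ixa_pktlen - IPV6_HDR_LEN);
		/* Swap addresses */
		v6addr = ip6h->ip6_src;
		ip6h->ip6_src = ip6h->ip6_dst;
		ip6h->ip6_dst = v6addr;
		ip6h->ip6_hops = (uchar_t)sctps->sctps_ipv6_hoplimit;

		ixas.ixa_flags = IXAF_BASIC_SIMPLE_V6;
		/* A link-scoped destination needs the receiving interface. */
		if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_dst)) {
			ixas.ixa_flags |= IXAF_SCOPEID_SET;
			ixas.ixa_scopeid = ira->ira_ruifindex;
		}
	}

	insctph = (sctp_hdr_t *)(mp->b_rptr + ip_hdr_len);

	/* Swap ports.  Verification tag is reused. */
	port = insctph->sh_sport;
	insctph->sh_sport = insctph->sh_dport;
	insctph->sh_dport = port;

	/* Lay in the shutdown complete chunk */
	scch = (sctp_chunk_hdr_t *)(insctph + 1);
	scch->sch_id = CHUNK_SHUTDOWN_COMPLETE;
	scch->sch_len = htons(sizeof (*scch));
	scch->sch_flags = 0;

	/* Set the T-bit */
	SCTP_SET_TBIT(scch);

	/*
	 * NOTE(review): b_wptr is left where the incoming packet ended,
	 * while ixa_pktlen covers only the headers and this one chunk.
	 * Whether trailing bytes of the received packet can be sent along
	 * depends on ip_output_simple() -- confirm.
	 */
	ixas.ixa_protocol = IPPROTO_SCTP;
	ixas.ixa_zoneid = ira->ira_zoneid;
	ixas.ixa_ipst = ipst;
	ixas.ixa_ifindex = 0;

	if (ira->ira_flags & IRAF_IPSEC_SECURE) {
		/*
		 * Apply IPsec based on how IPsec was applied to
		 * the packet that was out of the blue.
		 */
		if (!ipsec_in_to_out(ira, &ixas, mp, ipha, ip6h)) {
			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsOutDiscards);
			/* Note: mp already consumed and ip_drop_packet done */
			return;
		}
	} else {
		/*
		 * This is in clear. The message we are building
		 * here should go out in clear, independent of our policy.
		 */
		ixas.ixa_flags |= IXAF_NO_IPSEC;
	}

	/* The send result is deliberately ignored. */
	(void) ip_output_simple(mp, &ixas);
	ixa_cleanup(&ixas);
}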
397