| blob | 298bec923c68b62719939f943244955ccaed791a |
1 /*
2 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
6 /*
7 * Copyright (c) 1987 Regents of the University of California.
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms are permitted
11 * provided that the above copyright notice and this paragraph are
12 * duplicated in all such forms and that any documentation,
13 * advertising materials, and other materials related to such
14 * distribution and use acknowledge that the software was developed
15 * by the University of California, Berkeley. The name of the
16 * University may not be used to endorse or promote products derived
17 * from this software without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
20 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
26 /*
27 * Probe types for probe()
28 */
35 /*
36 * Format of probe / probe response packets. This is an ICMP Echo request
37 * or ICMP Echo reply. Packet format is same for both IPv4 and IPv6
38 */
39 struct pr_icmp
40 {
48 };
62 boolean_t is_probe_uni);
86 /*
87 * CRTT - Conservative Round Trip Time Estimate
88 * Probe success - A matching probe reply received before CRTT ms has elapsed
89 * after sending the probe.
90 * Probe failure - No probe reply received and more than CRTT ms has elapsed
91 * after sending the probe.
92 *
93 * TLS - Time last success. Most recent probe ack received at this time.
94 * TFF - Time first fail. The time of the earliest probe failure in
95 * a consecutive series of probe failures.
96 * NUM_PROBE_REPAIRS - Number of consecutive successful probes required
97 * before declaring phyint repair.
98 * NUM_PROBE_FAILS - Number of consecutive probe failures required to
99 * declare a phyint failure.
100 *
101 * Phyint state diagram
102 *
103 * The state of a phyint that is capable of being probed, is completely
104 * specified by the 3-tuple <pi_state, pg_state, I>.
105 *
106 * A phyint starts in either PI_RUNNING or PI_OFFLINE, depending on whether
107 * IFF_OFFLINE is set. If the phyint is also configured with a test address
108 * (the common case) and probe targets, then a phyint must also successfully
109 * be able to send and receive probes in order to remain in the PI_RUNNING
110 * state (otherwise, it transitions to PI_FAILED).
111 *
112 * Further, if a PI_RUNNING phyint is configured with a test address but is
113 * unable to find any probe targets, it will transition to the PI_NOTARGETS
114 * state, which indicates that the link is apparently functional but that
115 * in.mpathd is unable to send probes to verify functionality (in this case,
116 * in.mpathd makes the optimistic assumption that the interface is working
117 * correctly and thus does not mark the interface FAILED, but reports it as
118 * IPMP_IF_UNKNOWN through the async events and query interfaces).
119 *
120 * At any point, a phyint may be administratively marked offline via if_mpadm.
121 * In this case, the interface always transitions to PI_OFFLINE, regardless
122 * of its previous state. When the interface is later brought back online,
123 * in.mpathd acts as if the interface is new (and thus it transitions to
124 * PI_RUNNING or PI_FAILED based on the status of the link and the result of
125 * its probes, if probes are sent).
126 *
127 * pi_state - PI_RUNNING or PI_FAILED
128 * PI_RUNNING: The failure detection logic says the phyint is good.
129 * PI_FAILED: The failure detection logic says the phyint has failed.
130 *
131 * pg_state - PG_OK, PG_DEGRADED, or PG_FAILED.
132 * PG_OK: All interfaces in the group are OK.
133 * PG_DEGRADED: Some interfaces in the group are unusable.
134 * PG_FAILED: All interfaces in the group are unusable.
135 *
136 * In the case of router targets, we assume that the current list of
137 * targets obtained from the routing table, is still valid, so the
138 * phyint stat is PI_FAILED. In the case of host targets, we delete the
139 * list of targets, and multicast to the all hosts, to reconstruct the
140 * target list. So the phyints are in the PI_NOTARGETS state.
141 *
142 * I - value of (pi_flags & IFF_INACTIVE)
143 * IFF_INACTIVE: This phyint will not send or receive packets.
144 * Usually, inactive is tied to standby interfaces that are not yet
145 * needed (e.g., no non-standby interfaces in the group have failed).
146 * When failback has been disabled (FAILBACK=no configured), phyint can
147 * also be a non-STANDBY. In this case IFF_INACTIVE is set when phyint
148 * subsequently recovers after a failure.
149 *
150 * Not all 9 possible combinations of the above 3-tuple are possible.
151 *
152 * I is tracked by IP. pi_state is tracked by mpathd.
153 *
154 * pi_state state machine
155 * ---------------------------------------------------------------------------
156 * Event State New State
157 * Action:
158 * ---------------------------------------------------------------------------
159 * IP interface failure (PI_RUNNING, I == 0) -> (PI_FAILED, I == 0)
160 * detection : set IFF_FAILED on this phyint
161 *
162 * IP interface failure (PI_RUNNING, I == 1) -> (PI_FAILED, I == 0)
163 * detection : set IFF_FAILED on this phyint
164 *
165 * IP interface repair (PI_FAILED, I == 0, FAILBACK=yes)
166 * detection -> (PI_RUNNING, I == 0)
167 * : clear IFF_FAILED on this phyint
168 *
169 * IP interface repair (PI_FAILED, I == 0, FAILBACK=no)
170 * detection -> (PI_RUNNING, I == 1)
171 * : clear IFF_FAILED on this phyint
172 * : if failback is disabled set I == 1
173 *
174 * Group failure (perform on all phyints in the group)
175 * detection PI_RUNNING PI_FAILED
176 * (Router targets) : set IFF_FAILED
177 *
178 * Group failure (perform on all phyints in the group)
179 * detection PI_RUNNING PI_NOTARGETS
180 * (Host targets) : set IFF_FAILED
181 * : delete the target list on all phyints
182 * ---------------------------------------------------------------------------
183 */
187 /*
188 * Compose and transmit an ICMP ECHO REQUEST packet. The IP header
189 * will be added on by the kernel. The id field identifies this phyint.
190 * and the sequence number is an increasing (modulo 2^^16) integer. The data
191 * portion holds the time value when the packet is sent. On echo this is
192 * extracted to compute the round-trip time. Three different types of
193 * probe packets are used.
194 *
195 * PROBE_UNI: This type is used to do failure detection / failure recovery
196 * and RTT calculation. PROBE_UNI probes are spaced apart in time,
197 * not less than the current CRTT. pii_probes[] stores data
198 * about these probes. These packets consume sequence number space.
199 *
200 * PROBE_RTT: This type is used to make only rtt measurements. Normally these
201 * are not used. Under heavy network load, the rtt may go up very high,
202 * due to a spike, or may appear to go high, due to extreme scheduling
203 * delays. Once the network stress is removed, mpathd takes long time to
204 * recover, because the probe_interval is already high, and it takes
205 * a long time to send out sufficient number of probes to bring down the
206 * rtt. To avoid this problem, PROBE_RTT probes are sent out every
207 * user_probe_interval ms. and will cause only rtt updates. These packets
208 * do not consume sequence number space nor is information about these
209 * packets stored in the pii_probes[]
210 *
211 * PROBE_MULTI: This type is only used to construct a list of targets, when
212 * no targets are known. The packet is multicast to the all hosts addr.
213 */
214 static void
216 {
217 hrtime_t sent_hrtime;
229 }
241 /*
242 * Since there is no need to do arithmetic on the icmpid,
243 * (only equality check is done) pii_icmpid is stored in
244 * network byte order at initialization itself.
245 */
250 /*
251 * If probe_type is PROBE_MULTI, this packet will be multicast to
252 * the all hosts address. Otherwise it is unicast to the next target.
253 */
271 }
285 }
287 /*
288 * Compute the IPv4 icmp checksum. Does not cover the IP header.
289 */
292 }
294 /*
295 * Use the current time as the time we sent. Not atomic, but the best
296 * we can do from here.
297 */
302 /*
303 * If the send would block, this may either be transient or a hang in a
304 * lower layer. We pretend the probe was actually sent, the daemon will
305 * not see a reply to the probe and will fail the interface if normal
306 * failure detection criteria are met.
307 */
313 }
315 /*
316 * If this is a PROBE_UNI probe packet being unicast to a target, then
317 * update our tables. We will need this info in processing the probe
318 * response. PROBE_MULTI and PROBE_RTT packets are not used for
319 * the purpose of failure or recovery detection. PROBE_MULTI packets
320 * are only used to construct a list of targets. PROBE_RTT packets are
321 * used only for updating the rtt and not for failure detection.
322 */
327 /* Collect statistics, before we reuse the last slot. */
344 /*
345 * If we have a single variable to denote the next target to
346 * probe for both rtt probes and failure detection probes, we
347 * could end up with a situation where the failure detection
348 * probe targets become disjoint from the rtt probe targets.
349 * Eg. if 2 targets and the actual fdt is double the user
350 * specified fdt. So we have 2 variables. In this scheme
351 * we also reset pii_rtt_target_next for every fdt probe,
352 * though that may not be necessary.
353 */
360 }
361 }
363 /*
364 * Incoming IPv4 data from wire, is received here. Called from main.
365 */
366 void
368 {
385 }
396 /*
397 * Poll has already told us that a message is waiting,
398 * on this socket. Read it now. We should not block.
399 */
403 }
405 /*
406 * If the datalink has indicated the link is down, don't go
407 * any further.
408 */
412 /* Get the printable address for error reporting */
415 /* Ignore packets > 64k or control buffers that don't fit */
420 }
422 }
424 /* Make sure packet contains at least minimum ICMP header */
431 }
433 }
435 /*
436 * Subtract the IP hdr length, 'len' will be length of the probe
437 * reply, starting from the icmp hdr.
438 */
440 /* LINTED */
443 /* Probe replies are icmp echo replies. Ignore anything else */
447 /*
448 * The icmp id should match what we sent, which is stored
449 * in pi_icmpid. The icmp code for reply must be 0.
450 * The reply content must be a struct pr_icmp
451 */
453 /* Not in response to our probe */
455 }
461 }
467 }
474 }
478 /* Unicast probe reply */
481 /* Multicast reply */
486 /* Probably not in response to our probe */
490 }
491 }
493 /*
494 * Incoming IPv6 data from wire is received here. Called from main.
495 */
496 void
498 {
513 }
527 }
529 /*
530 * If the datalink has indicated that the link is down, don't go
531 * any further.
532 */
536 /* Get the printable address for error reporting */
542 }
544 }
545 /* Ignore packets > 64k or control buffers that don't fit */
550 }
552 }
559 /* Not in response to our probe */
561 }
563 /*
564 * The kernel has already verified the the ICMP checksum.
565 */
570 }
573 /* Can't allow routing headers in probe replies */
577 }
583 }
588 }
595 }
604 /* Probably not in response to our probe */
607 }
608 }
610 /*
611 * Process the incoming rtt reply, in response to our rtt probe.
612 * Common for both IPv4 and IPv6. Unlike incoming_echo_reply() we don't
613 * have any stored information about the probe we sent. So we don't log
614 * any errors if we receive bad replies.
615 */
616 static void
619 {
625 /* Get the printable address for error reporting */
631 }
633 /* Do we know this target ? */
639 /* Invalid rtt. It has wrapped around */
643 /*
644 * Don't update rtt until we see NUM_PROBE_REPAIRS probe responses
645 * The initial few responses after the interface is repaired may
646 * contain high rtt's because they could have been queued up waiting
647 * for ARP/NDP resolution on a failed interface.
648 */
653 /*
654 * Update rtt only if the new rtt is lower than the current rtt.
655 * (specified by the 3rd parameter to pi_set_crtt).
656 * If a spike has caused the current probe_interval to be >
657 * user_probe_interval, then this mechanism is used to bring down
658 * the rtt rapidly once the network stress is removed.
659 * If the new rtt is higher than the current rtt, we don't want to
660 * update the rtt. We are having more than 1 outstanding probe and
661 * the increase in rtt we are seeing is being unnecessarily weighted
662 * many times. The regular rtt update will be handled by
663 * incoming_echo_reply() and will take care of any rtt increase.
664 */
669 /*
670 * If the crtt has now dropped by a factor of LOWER_FT_TRIGGER,
671 * investigate if we can improve the failure detection time to
672 * meet whatever the user specified.
673 */
676 user_failure_detection_time);
684 }
686 /* Avoid any truncation or rounding errors */
688 /*
689 * No more rtt probes will be sent. The actual
690 * fdt has dropped to the user specified value.
691 * pii_fd_snxt_basetime and pii_snxt_basetime
692 * will be in sync henceforth.
693 */
695 }
696 }
697 }
698 }
700 /*
701 * Process the incoming echo reply, in response to our unicast probe.
702 * Common for both IPv4 and IPv6
703 */
704 static void
707 {
713 boolean_t exception;
719 /* Get the printable address for error reporting */
726 }
731 /* Reject out of window probe replies */
738 }
743 /*
744 * This is a ridiculously high value of rtt. rtt has wrapped
745 * around. Log a message, and ignore the rtt.
746 */
749 }
751 /*
752 * Get the probe index pr_ndx corresponding to the received icmp seq.
753 * number in our pii->pii_probes[] array. The icmp sequence number
754 * pii_snxt corresponds to the probe index pii->pii_probe_next
755 */
763 /*
764 * Perform sanity checks, whether this probe reply that we
765 * have received is genuine
766 */
768 /*
769 * Compare the src. addr of the received ICMP or ICMPv6
770 * probe reply with the target address in our tables.
771 */
773 /*
774 * We don't have any record of having sent a probe to
775 * this target. This is a fake probe reply. Log an error
776 */
784 /*
785 * The address matches, but our tables indicate that
786 * this probe reply has been acked already. So this
787 * is a duplicate probe reply. Log an error
788 */
795 }
797 /*
798 * Target must not be NULL in the PR_UNACKED state
799 */
802 /*
803 * The probe stats slot is unused. So we didn't
804 * send out any probe to this target. This is a fake.
805 * Log an error.
806 */
811 }
814 }
816 /*
817 * If the rtt does not appear to be right, don't update the
818 * rtt stats. This can happen if the system dropped into the
819 * debugger, or the system was hung or too busy for a
820 * substantial time that we didn't get a chance to run.
821 */
823 /*
824 * If the probe corresponding to this received response
825 * was truly sent 'm' ns. ago, then this response must
826 * have been rejected by the sequence number checks. The
827 * fact that it has passed the sequence number checks
828 * means that the measured rtt is wrong. We were probably
829 * scheduled long after the packet was received.
830 */
832 }
834 /*
835 * Don't update rtt until we see NUM_PROBE_REPAIRS probe responses
836 * The initial few responses after the interface is repaired may
837 * contain high rtt's because they could have been queued up waiting
838 * for ARP/NDP resolution on a failed interface.
839 */
843 /*
844 * Don't update the Conservative Round Trip Time estimate for this
845 * (phint, target) pair if this is the not the highest ack seq seen
846 * thus far on this target.
847 */
851 /*
852 * Always update the rtt. This is a failure detection probe
853 * and we want to measure both increase / decrease in rtt.
854 */
857 /*
858 * If the crtt exceeds the average time between probes,
859 * investigate if this slow target is an exception. If so we
860 * can avoid this target and still meet the failure detection
861 * time. Otherwise we can't meet the failure detection time.
862 */
866 /*
867 * This target is exceptionally slow. Don't use it
868 * for future probes. check_exception_target() has
869 * made sure that we have at least MIN_PROBE_TARGETS
870 * other active targets
871 */
873 /*
874 * This is a slow router, mark it as slow
875 * and don't use it for further probes. We
876 * don't delete it, since it will be populated
877 * again when we do a router scan. Hence we
878 * need to maintain extra state (unlike the
879 * host case below). Mark it as TG_SLOW.
880 */
891 }
893 /*
894 * the slow target is not a router, we can
895 * just delete it. Send an icmp multicast and
896 * pick the fastest responder that is not
897 * already an active target. target_delete()
898 * adjusts pii->pii_target_next
899 */
902 }
904 /*
905 * We can't meet the failure detection time.
906 * Log a message, and update the detection time to
907 * whatever we can achieve.
908 */
914 " detection time of %d ms on (%s %s) new"
919 }
920 }
924 /*
925 * If the crtt has now dropped by a factor of LOWER_FDT_TRIGGER
926 * investigate if we can improve the failure detection time to
927 * meet whatever the user specified.
928 */
931 user_failure_detection_time);
938 }
940 /* Avoid any truncation or rounding errors */
942 /*
943 * No more rtt probes will be sent. The actual
944 * fdt has dropped to the user specified value.
945 * pii_fd_snxt_basetime and pii_snxt_basetime
946 * will be in sync henceforth.
947 */
949 }
950 }
951 }
952 out:
960 /*
961 * Update pii->pii_rack, i.e. the sequence number of the last received
962 * probe response, based on the echo reply we have received now, if
963 * either of the following conditions are satisfied.
964 * a. pii_rack is outside the current receive window of
965 * [pii->pii_snxt - PROBE_STATS_COUNT, pii->pii_snxt).
966 * This means we have not received probe responses for a
967 * long time, and the sequence number has wrapped around.
968 * b. pii_rack is within the current receive window and this echo
969 * reply corresponds to the highest sequence number we have seen
970 * so far.
971 */
976 }
977 }
979 /*
980 * Returns true if seq is the highest unacknowledged seq for target tg
981 * else returns false
982 */
983 static boolean_t
985 {
992 /*
993 * Get the seq number of the most recent probe sent so far,
994 * and also get the corresponding probe index in the probe stats
995 * array.
996 */
999 pr_seq--;
1001 /*
1002 * Start from the most recent probe and walk back, trying to find
1003 * an acked probe corresponding to target tg.
1004 */
1011 }
1012 }
1014 }
1016 /*
1017 * Check whether the crtt for the group has improved by a factor of
1018 * LOWER_FDT_TRIGGER. Small crtt improvements are ignored to avoid failure
1019 * detection time flapping in the face of small crtt changes.
1020 */
1021 static boolean_t
1023 {
1029 /*
1030 * The crtt for the group is only improved if each phyint_instance
1031 * for both ipv4 and ipv6 is improved.
1032 */
1037 }
1040 }
1042 /*
1043 * Check whether the crtt has improved substantially on this phyint_instance.
1044 * Returns _B_TRUE if there's no crtt information available, because pii
1045 * is NULL or the phyint_instance is not capable of probing.
1046 */
1047 boolean_t
1062 LOWER_FDT_TRIGGER)) {
1064 }
1065 }
1068 }
1070 /*
1071 * This target responds very slowly to probes. The target's crtt exceeds
1072 * the probe interval of its group. Compare against other targets
1073 * and determine if this target is an exception, if so return true, else false
1074 */
1075 static boolean_t
1077 {
1086 }
1088 /*
1089 * We should have at least MIN_PROBE_TARGETS + 1 good targets now,
1090 * to make a good judgement. Otherwise don't drop this target.
1091 */
1095 /*
1096 * Determine whether only this particular target is slow.
1097 * We know that this target's crtt exceeds the group's probe interval.
1098 * If all other active targets have a
1099 * crtt < (this group's probe interval) / EXCEPTION_FACTOR,
1100 * then this target is considered slow.
1101 */
1106 EXCEPTION_FACTOR) {
1108 }
1109 }
1110 }
1113 }
1115 /*
1116 * Update the target list. The icmp all hosts multicast has given us
1117 * some host to which we can send probes. If we already have sufficient
1118 * targets, discard it.
1119 */
1120 static void
1123 /* ARGSUSED */
1124 {
1133 }
1135 /*
1136 * Using host targets is a fallback mechanism. If we have
1137 * found a router, don't add this host target. If we already
1138 * know MAX_PROBE_TARGETS, don't add another target.
1139 */
1145 }
1146 }
1150 /*
1151 * Guard against response from 0.0.0.0
1152 * and ::. Log a trace message
1153 */
1158 }
1160 /*
1161 * This address is one of our own, so reject this address as a
1162 * valid probe target.
1163 */
1168 /*
1169 * If the phyint is part a named group, then add the address to all
1170 * members of the group. Otherwise, add the address only to the
1171 * phyint itself, since other phyints in the anongroup may not be on
1172 * the same subnet.
1173 */
1181 }
1182 }
1184 /*
1185 * Compute CRTT given an existing scaled average, scaled deviation estimate
1186 * and a new rtt time. The formula is from Jacobson and Karels'
1187 * "Congestion Avoidance and Control" in SIGCOMM '88. The variable names
1188 * are the same as those in Appendix A.2 of that paper.
1189 *
1190 * m = new measurement
1191 * sa = scaled RTT average (8 * average estimates)
1192 * sv = scaled mean deviation (mdev) of RTT (4 * deviation estimates).
1193 * crtt = Conservative round trip time. Used to determine whether probe
1194 * has timed out.
1195 *
1196 * New scaled average and deviation are passed back via sap and svp
1197 */
1198 static int64_t
1200 {
1210 /*
1211 * Update average estimator:
1212 * new rtt = old rtt + 1/8 Error
1213 * where Error = m - old rtt
1214 * i.e. 8 * new rtt = 8 * old rtt + Error
1215 * i.e. new sa = old sa + Error
1216 */
1219 /* Don't allow the smoothed average to be negative. */
1221 }
1223 /*
1224 * Update deviation estimator:
1225 * new mdev = old mdev + 1/4 (abs(Error) - old mdev)
1226 * i.e. 4 * new mdev = 4 * old mdev +
1227 * (abs(Error) - old mdev)
1228 * i.e. new sv = old sv + (abs(Error) - old mdev)
1229 */
1235 /* Initialization. This is the first response received. */
1238 }
1245 }
1250 /*
1251 * CRTT = average estimates + 4 * deviation estimates
1252 * = sa / 8 + sv
1253 */
1255 }
1257 static void
1259 {
1270 /* store the round trip time, in case we need to defer computation */
1275 /*
1276 * If this probe's round trip time would singlehandedly cause an
1277 * increase in the group's probe interval consider it suspect.
1278 */
1285 }
1287 /*
1288 * If we've deferred as many rtts as we plan on deferring, then
1289 * assume the link really did slow down and process all queued
1290 * rtts
1291 */
1295 "would cause an increased probe_interval. "
1297 }
1302 }
1307 }
1309 }
1311 /*
1312 * If this is a normal probe, or an RTT probe that would lead to a
1313 * reduced CRTT, then update our CRTT data. Further, if this was
1314 * a normal probe, pitch any deferred probes since our probes are
1315 * again being answered within our CRTT estimates.
1316 */
1323 }
1324 }
1326 /*
1327 * Return a pointer to the specified option buffer.
1328 * If not found return NULL.
1329 */
1332 {
1340 }
1341 }
1343 }
1345 /*
1346 * Try to activate another INACTIVE interface in the same group as `pi'.
1347 * Prefer STANDBY INACTIVE to just INACTIVE.
1348 */
1349 void
1351 {
1366 }
1370 }
1372 /*
1373 * Transition a phyint to PI_RUNNING. The caller must ensure that the
1374 * transition is appropriate. Clears IFF_OFFLINE or IFF_FAILED if
1375 * appropriate. Also sets IFF_INACTIVE on this or other interfaces as
1376 * appropriate (see comment below). Finally, also updates the phyint's group
1377 * state to account for the change.
1378 */
1379 void
1381 {
1389 /*
1390 * The interface is running again, but should it or another interface
1391 * in the group end up INACTIVE? There are three cases:
1392 *
1393 * 1. If it's a STANDBY interface, it should be end up INACTIVE if
1394 * the group is operating at capacity (i.e., there are at least as
1395 * many active interfaces as non-STANDBY interfaces in the group).
1396 * No other interfaces should be changed.
1397 *
1398 * 2. If it's a non-STANDBY interface and we're onlining it or
1399 * FAILBACK is enabled, then it should *not* end up INACTIVE.
1400 * Further, if the group is above capacity as a result of this
1401 * interface, then an active STANDBY interface in the group should
1402 * end up INACTIVE.
1403 *
1404 * 3. If it's a non-STANDBY interface, we're repairing it, and
1405 * FAILBACK is disabled, then it should end up INACTIVE *unless*
1406 * the group was failed (in which case we have no choice but to
1407 * use it). No other interfaces should be changed.
1408 */
1413 nnonstandby++;
1417 nactive++;
1420 }
1421 }
1422 }
1430 else
1437 }
1442 /*
1443 * Update the group state to account for the change.
1444 */
1446 }
1448 /*
1449 * Adjust IFF_INACTIVE on the provided `pi' to trend the group configuration
1450 * to have at least one active interface and as many active interfaces as
1451 * non-standby interfaces.
1452 */
1453 void
1455 {
1459 /*
1460 * All phyints in the anonymous group are effectively in their own
1461 * group and thus active regardless of whether they're marked standby.
1462 */
1466 }
1468 /*
1469 * If the phyint isn't functioning we can't consider it.
1470 */
1476 nnonstandby++;
1480 nactive++;
1481 }
1487 }
1489 /*
1490 * See if a previously failed interface has started working again.
1491 */
1492 void
1494 {
1503 }
1505 /*
1506 * If the interface is PI_OFFLINE, it can't be made PI_RUNNING yet.
1507 * So just clear IFF_OFFLINE and defer phyint_transition_to_running()
1508 * until it is brought back online.
1509 */
1513 }
1516 }
1518 /*
1519 * See if an interface has failed, or if the whole group of interfaces has
1520 * failed.
1521 */
1522 static void
1524 {
1527 boolean_t was_active;
1540 }
1542 /*
1543 * If the failed interface was active, activate another
1544 * INACTIVE interface in the group if possible.
1545 */
1549 /*
1550 * If the interface is offline, the state change will be
1551 * noted when it comes back online.
1552 */
1556 }
1567 /*
1568 * In the case of host targets, we would have flushed
1569 * the targets, and gone to PI_NOTARGETS state.
1570 */
1573 }
1578 }
1579 }
1581 /*
1582 * Determines if any timeout event has occurred and returns the number of
1583 * milliseconds until the next timeout event for the phyint. Returns
1584 * TIMER_INFINITY for "never".
1585 */
1586 uint_t
1588 {
1590 uint_t timeout;
1598 uint_t check_time;
1599 uint_t cur_time;
1600 hrtime_t cur_hrtime;
1609 }
1613 /*
1614 * Check to see if we're here due to link up/down flapping; If
1615 * enough time has passed, then try to bring the interface
1616 * back up; otherwise, schedule a timer to bring it back up
1617 * when enough time *has* elapsed.
1618 */
1626 }
1627 }
1629 /*
1630 * If probing is not enabled on this phyint instance, don't proceed.
1631 */
1635 /*
1636 * If the timer has fired too soon, probably triggered
1637 * by some other phyint instance, return the remaining
1638 * time
1639 */
1643 /*
1644 * If the link is down, don't send any probes for now.
1645 */
1649 /*
1650 * Randomize the next probe time, between MIN_RANDOM_FACTOR
1651 * and MAX_RANDOM_FACTOR with respect to the base probe time.
1652 * Base probe time is strictly periodic.
1653 */
1659 /*
1660 * Check if the current time > next time to probe. If so, we missed
1661 * sending 1 or more probes, probably due to heavy system load. At least
1662 * 'MIN_RANDOM_FACTOR * user_probe_interval' ms has elapsed since we
1663 * were scheduled. Make adjustments to the times, in multiples of
1664 * user_probe_interval.
1665 */
1676 /* Collect statistics about missed probes */
1679 }
1686 }
1688 /*
1689 * If no targets are known, we need to send an ICMP multicast. The
1690 * probe type is PROBE_MULTI. We'll check back in 'interval' msec
1691 * to see if we found a target.
1692 */
1698 }
1702 /*
1703 * the failure detection (fd) probe timer has not yet fired.
1704 * Need to send only an rtt probe. The probe type is PROBE_RTT.
1705 */
1708 }
1709 /*
1710 * the fd probe timer has fired. Need to do all failure
1711 * detection / recovery calculations, and then send an fd probe
1712 * of type PROBE_UNI.
1713 */
1715 /*
1716 * We could have missed some probes, and then adjusted
1717 * pii_snxt_basetime above. Otherwise we could have
1718 * blindly added probe_interval to pii_fd_snxt_basetime.
1719 */
1727 probe_interval;
1729 }
1730 }
1732 /*
1733 * We can have at most, the latest 2 probes that we sent, in
1734 * the PR_UNACKED state. All previous probes sent, are either
1735 * PR_LOST or PR_ACKED. An unacknowledged probe is considered
1736 * timed out if the probe's time_start + the CRTT < currenttime.
1737 * For each of the last 2 probes, examine whether it has timed
1738 * out. If so, mark it PR_LOST. The probe stats is a circular array.
1739 */
1748 /*
1749 * We received back an ACK, so the switch clearly
1750 * is not dropping our traffic, and thus we can
1751 * enable failure detection immediately.
1752 */
1758 }
1760 }
1765 /*
1766 * The crtt could be zero for some reason,
1767 * Eg. the phyint could be failed. If the crtt is
1768 * not available use group's probe interval,
1769 * which is a worst case estimate.
1770 */
1776 }
1781 /*
1782 * We are forced to consider this probe
1783 * lost, as we can have at most 2 unack.
1784 * probes any time, and we will be sending a
1785 * probe at the end of this function.
1786 * Normally, we should not be here, but
1787 * this can happen if an incoming response
1788 * that was considered lost has increased
1789 * the crtt for this target, and also bumped
1790 * up the FDT. Note that we never cancel or
1791 * increase the current pii_time_left, so
1792 * when the timer fires, we find 2 valid
1793 * unacked probes, and they are yet to timeout
1794 */
1798 /*
1799 * Only the most recent probe can enter
1800 * this 'else' arm. The second most recent
1801 * probe must take either of the above arms,
1802 * if it is unacked.
1803 */
1804 valid_unack_count++;
1805 }
1807 }
1809 }
1811 /*
1812 * We send out 1 probe randomly in the interval between one half
1813 * and one probe interval for the group. Given that the CRTT is always
1814 * less than the group's probe interval, we can have at most 1
1815 * unacknowledged probe now. All previous probes are either lost or
1816 * acked.
1817 */
1820 /*
1821 * The timer has fired. Take appropriate action depending
1822 * on the current state of the phyint.
1823 *
1824 * PI_RUNNING state - Failure detection
1825 * PI_FAILED state - Repair detection
1826 */
1829 /*
1830 * If the most recent probe (excluding unacked probes that
1831 * are yet to time out) has been acked, check whether the
1832 * phyint is now repaired.
1833 */
1836 }
1840 /*
1841 * It's possible our probes have been lost because of a
1842 * spanning-tree mandated quiet period on the switch. If so,
1843 * ignore the lost probes.
1844 */
1849 /*
1850 * We have 1 or more failed probes (excluding unacked
1851 * probes that are yet to time out). Determine if the
1852 * phyint has failed.
1853 */
1855 }
1862 }
1864 /*
1865 * Start the next probe. probe() will also set pii->pii_probe_time_left
1866 * to the group's probe interval. If phyint_failed -> target_flush_hosts
1867 * was called, the target list may be empty.
1868 */
1871 /*
1872 * If we have just the one probe target, and we're not using
1873 * router targets, try to find another as we presently have
1874 * no resilience.
1875 */
1880 }
1882 }
1884 /*
1885 * Start the probe timer for an interface instance.
1886 */
1887 void
1889 {
1892 /*
1893 * Spread the base probe times (pi_snxt_basetime) across phyints
1894 * uniformly over the (curtime..curtime + the group's probe_interval).
1895 * pi_snxt_basetime is strictly periodic with a frequency of
1896 * the group's probe interval. The actual probe time pi_snxt_time
1897 * adds some randomness to pi_snxt_basetime and happens in probe().
1898 * For the 1st probe on each phyint after the timer is started,
1899 * pi_snxt_time and pi_snxt_basetime are the same.
1900 */
1908 }
1910 /*
1911 * Restart the probe timer on an interface instance.
1912 */
1913 static void
1915 {
1916 /*
1917 * We don't need to restart the timer if it was never started in
1918 * the first place (pii->pii_basetime_inited not set), as the timer
1919 * won't have gone off yet.
1920 */
1929 }
1930 }
1932 static void
1934 {
1937 /*
1938 * Clear the probe statistics arrays, we don't want the repair
1939 * detection logic relying on probes that were successful prior
1940 * to the link going down.
1941 */
1946 /*
1947 * Check for interface failure. Although we know the interface
1948 * has failed, we don't know if all the other interfaces in the
1949 * group have failed as well.
1950 */
1956 }
1962 }
1963 }
1965 static void
1967 {
1970 /*
1971 * We stopped any running timers on each instance when the link
1972 * went down, so restart them.
1973 */
1984 }
1986 /*
1987 * Process any changes in link state passed up from the interfaces.
1988 */
1989 void
1991 {
1994 /* Look for interfaces where the link state has just changed */
1999 /*
2000 * Except when the "phyint" structure is created, this is
2001 * the only place the link state is updated. This allows
2002 * this routine to detect changes in link state, rather
2003 * than just the current state.
2004 */
2008 /*
2009 * Has link just gone down?
2010 */
2014 /*
2015 * Has link just gone back up?
2016 */
2019 }
2020 }
2021 }
2023 void
2025 {
2035 }
2036 }
2044 }
2045 }
2046 }
2048 /*
2049 * Check if the phyint has failed the last NUM_PROBE_FAILS consecutive
2050 * probes on both instances IPv4 and IPv6.
2051 * If the interface has failed, return the time of the first probe failure
2052 * in "tff".
2053 */
2054 static int
2056 {
2057 uint_t pi_tff;
2063 /*
2064 * Get the number of consecutive failed probes on
2065 * this phyint across all targets. Also get the number
2066 * of consecutive failed probes on this target only
2067 */
2072 /* Get the time of first failure, for later use */
2075 /*
2076 * If the current target has not responded to the
2077 * last NUM_PROBE_FAILS probes, and other targets are
2078 * responding delete this target. Dead gateway detection
2079 * will eventually remove this target (if router) from the
2080 * routing tables. If that does not occur, we may end
2081 * up adding this to our list again.
2082 */
2097 }
2099 }
2101 /*
2102 * If the phyint has lost NUM_PROBE_FAILS or more
2103 * consecutive probes, on both IPv4 and IPv6 protocol
2104 * instances of the phyint, then trigger failure
2105 * detection, else return false
2106 */
2114 /*
2115 * We have NUM_PROBE_FAILS or more failures
2116 * on both IPv4 and IPv6. Get the earliest
2117 * time when failure was detected on this
2118 * phyint across IPv4 and IPv6.
2119 */
2123 /*
2124 * This instance has < NUM_PROBE_FAILS failure.
2125 * So return false
2126 */
2128 }
2129 }
2132 }
2134 /*
2135 * Check if the link has gone down on this phyint, or it has failed the
2136 * last NUM_PROBE_FAILS consecutive probes on both instances IPv4 and IPv6.
2137 * Also look at other phyints of this group, for group failures.
2138 */
2139 int
2141 {
2158 PHYINT_OK)
2161 /*
2162 * At this point, the link is down, or the phyint is suspect, as it
2163 * has lost NUM_PROBE_FAILS or more probes. If the phyint does not
2164 * belong to any group, this is a PHYINT_FAILURE. Otherwise, continue
2165 * on to determine whether this should be considered a PHYINT_FAILURE
2166 * or GROUP_FAILURE.
2167 */
2171 /*
2172 * Need to compare against other phyints of the same group
2173 * to exclude group failures. If the failure was detected via
2174 * probing, then if the time of last success (tls) of any
2175 * phyint is more recent than the time of first fail (tff) of the
2176 * phyint in question, and the link is up on the phyint,
2177 * then it is a phyint failure. Otherwise it is a group failure.
2178 * If failure was detected via a link down notification sent from
2179 * the driver to IP, we see if any phyints in the group are still
2180 * running and haven't received a link down notification. We
2181 * will usually be processing the link down notification shortly
2182 * after it was received, so there is no point looking at the tls
2183 * of other phyints.
2184 */
2187 /* Exclude ourself from comparison */
2192 /*
2193 * We use FLAGS_TO_LINK_STATE() to test the flags
2194 * directly, rather then LINK_UP() or LINK_DOWN(), as
2195 * we may not have got round to processing the link
2196 * state for the other phyints in the group yet.
2197 *
2198 * The check for PI_RUNNING and group failure handles
2199 * the case when the group begins to recover.
2200 * PI_RUNNING will be set, and group failure cleared
2201 * only after receipt of NUM_PROBE_REPAIRS, by which
2202 * time the other phyints should have received at
2203 * least 1 packet, and so will not have NUM_PROBE_FAILS.
2204 */
2209 }
2211 }
2216 /*
2217 * If there's no probe-based failure detection on this
2218 * interface, and its link is still up, then it's still
2219 * working and thus the group has not failed.
2220 */
2224 }
2226 /*
2227 * Need to compare against both IPv4 and IPv6 instances.
2228 */
2234 /*
2235 * See comment above regarding check
2236 * for PI_RUNNING and group failure.
2237 */
2244 }
2245 }
2246 }
2253 /*
2254 * See comment above regarding check
2255 * for PI_RUNNING and group failure.
2256 */
2263 }
2264 }
2265 }
2266 }
2268 /*
2269 * Update the group state to account for the changes.
2270 */
2273 }
2275 /*
2276 * Return the information associated with consecutive probe successes
2277 * starting with the most recent probe. At most the last 2 probes can be
2278 * in the unacknowledged state. All previous probes have either failed
2279 * or succeeded.
2280 */
2281 static void
2284 {
2285 uint_t i;
2287 uint_t most_recent;
2288 uint_t second_most_recent;
2291 uint_t now;
2292 uint_t timeout;
2301 /*
2302 * Start with the most recent probe, and count the number
2303 * of consecutive probe successes. Latch the number of successes
2304 * on hitting a failure.
2305 */
2315 /*
2316 * Only the most recent 2 probes can be unacknowledged
2317 */
2322 /*
2323 * The crtt could be zero for some reason,
2324 * Eg. the phyint could be failed. If the crtt is
2325 * not available use the value of the group's probe
2326 * interval which is a worst case estimate.
2327 */
2332 timeout +=
2334 }
2337 /*
2338 * We hit a failure. Latch the total number of
2339 * recent consecutive successes.
2340 */
2345 /*
2346 * We hit a failure for the desired
2347 * target. Latch the number of recent
2348 * consecutive successes for this target
2349 */
2351 }
2352 }
2356 /*
2357 * Bump up the count of probe successes, if we
2358 * have not seen any failure so far.
2359 */
2366 }
2368 /*
2369 * Record the time of last success, if this is
2370 * the most recent probe success.
2371 */
2376 }
2380 /*
2381 * We hit a failure. Latch the total number of
2382 * recent consecutive successes.
2383 */
2386 /*
2387 * We hit a failure for the desired target.
2388 * Latch the number of recent consecutive
2389 * successes for this target
2390 */
2392 }
2398 }
2399 }
2400 }
2402 /*
2403 * Return the information associated with consecutive probe failures
2404 * starting with the most recent probe. Only the last 2 probes can be in the
2405 * unacknowledged state. All previous probes have either failed or succeeded.
2406 */
2407 static void
2410 {
2417 uint_t now;
2418 uint_t timeout;
2427 /*
2428 * Start with the most recent probe, and count the number
2429 * of consecutive probe failures. Latch the number of failures
2430 * on hitting a probe success.
2431 */
2443 /*
2444 * Only the most recent 2 probes can be unacknowledged
2445 */
2449 /*
2450 * Target is guaranteed to exist in the unack. state
2451 */
2453 /*
2454 * The crtt could be zero for some reason,
2455 * Eg. the phyint could be failed. If the crtt is
2456 * not available use the group's probe interval,
2457 * which is a worst case estimate.
2458 */
2463 timeout +=
2465 }
2472 /* FALLTHRU */
2478 }
2482 }
2486 /*
2487 * We hit a success or unused slot. Latch the
2488 * total number of recent consecutive failures.
2489 */
2492 /*
2493 * We hit a success for the desired target.
2494 * Latch the number of recent consecutive
2495 * failures for this target
2496 */
2498 }
2499 }
2500 }
2501 }
2503 /*
2504 * Change the state of probe `pr' on phyint_instance `pii' to state `state'.
2505 */
2506 void
2508 {
2514 }
2516 /*
2517 * Check if the phyint has been repaired. If no test address has been
2518 * configured, then consider the interface repaired if the link is up (unless
2519 * the link is flapping; see below). Otherwise, look for proof of probes
2520 * being sent and received. If last NUM_PROBE_REPAIRS probes are fine on
2521 * either IPv4 or IPv6 instance, the phyint can be considered repaired.
2522 */
2523 static boolean_t
2525 {
2530 uint_t cur_time;
2538 /*
2539 * If we don't have any test addresses and the link is up, then
2540 * consider the interface repaired, unless we've received more than
2541 * LINK_UP_PERMIN link up notifications in the last minute, in
2542 * which case we keep the link down until we drop back below
2543 * the threshold.
2544 */
2551 }
2554 "in the last minute; disabling repair until it "
2557 }
2560 }
2570 }
2580 }
2583 }
2585 /*
2586 * Used to set/clear phyint flags, by making a SIOCSLIFFLAGS call.
2587 */
2588 boolean_t
2590 {
2598 }
2602 else
2605 /*
2606 * Get the current flags from the kernel, and set/clear the
2607 * desired phyint flags. Since we set only phyint flags, we can
2608 * do it on either IPv4 or IPv6 instance.
2609 */
2616 }
2623 /* No change in the flags. No need to send ioctl */
2625 }
2631 }
2633 /*
2634 * Keep pi_flags in synch. with actual flags. Assumes flags are
2635 * phyint flags.
2636 */
2647 }
2649 /*
2650 * icmp cksum computation for IPv4.
2651 */
2652 static int
2654 {
2661 /*
2662 * Our algorithm is simple, using a 32 bit accumulator (sum),
2663 * we add sequential 16 bit words to it, and at the end, fold
2664 * back all the carry bits from the top 16 bits into the lower
2665 * 16 bits.
2666 */
2670 }
2672 /* mop up an odd byte, if necessary */
2676 }
2678 /*
2679 * add back carry outs from top 16 bits to low 16 bits
2680 */
2685 }
2687 static void
2689 {
2694 }
2695 }
2697 /*
2698 * Is the address one of our own addresses? Unfortunately,
2699 * we cannot check our phyint tables to determine if the address
2700 * is our own. This is because, we don't track interfaces that
2701 * are not part of any group. We have to either use a 'bind' or
2702 * get the complete list of all interfaces using SIOCGLIFCONF,
2703 * to do this check. We could also use SIOCTMYADDR.
2704 * Bind fails for the local zone address, so we might include local zone
2705 * address as target address. If local zone address is a target address
2706 * and it is up, it is not possible to detect the interface failure.
2707 * SIOCTMYADDR also doesn't consider local zone address as own address.
2708 * So, we choose to use SIOCGLIFCONF to collect the local addresses, and they
2709 * are stored in `localaddrs'
2710 */
2711 boolean_t
2713 {
2722 }
2724 }
2726 static int
2728 {
2730 }
2732 static int64_t
2734 {
2736 }