| blob | c7c241f9441c4b212c0a902f7749fb05257cdd12 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
22 /*
23 * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved
24 *
25 * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
26 */
27 /* Copyright (c) 1990 Mentat Inc. */
29 #include <sys/types.h>
30 #include <sys/stream.h>
31 #include <sys/dlpi.h>
32 #include <sys/stropts.h>
33 #include <sys/sysmacros.h>
34 #include <sys/strsubr.h>
35 #include <sys/strlog.h>
36 #include <sys/strsun.h>
37 #include <sys/zone.h>
38 #define _SUN_TPI_VERSION 2
39 #include <sys/tihdr.h>
40 #include <sys/xti_inet.h>
41 #include <sys/ddi.h>
42 #include <sys/sunddi.h>
43 #include <sys/cmn_err.h>
44 #include <sys/debug.h>
45 #include <sys/kobj.h>
46 #include <sys/modctl.h>
47 #include <sys/atomic.h>
48 #include <sys/policy.h>
49 #include <sys/priv.h>
51 #include <sys/systm.h>
52 #include <sys/param.h>
53 #include <sys/kmem.h>
54 #include <sys/sdt.h>
55 #include <sys/socket.h>
56 #include <sys/vtrace.h>
57 #include <sys/isa_defs.h>
58 #include <sys/mac.h>
59 #include <net/if.h>
60 #include <net/if_arp.h>
61 #include <net/route.h>
62 #include <sys/sockio.h>
63 #include <netinet/in.h>
64 #include <net/if_dl.h>
66 #include <inet/common.h>
67 #include <inet/mi.h>
68 #include <inet/mib2.h>
69 #include <inet/nd.h>
70 #include <inet/arp.h>
71 #include <inet/snmpcom.h>
72 #include <inet/kstatcom.h>
74 #include <netinet/igmp_var.h>
75 #include <netinet/ip6.h>
76 #include <netinet/icmp6.h>
77 #include <netinet/sctp.h>
79 #include <inet/ip.h>
80 #include <inet/ip_impl.h>
81 #include <inet/ip6.h>
82 #include <inet/ip6_asp.h>
83 #include <inet/optcom.h>
84 #include <inet/tcp.h>
85 #include <inet/tcp_impl.h>
86 #include <inet/ip_multi.h>
87 #include <inet/ip_if.h>
88 #include <inet/ip_ire.h>
89 #include <inet/ip_ftable.h>
90 #include <inet/ip_rts.h>
91 #include <inet/ip_ndp.h>
92 #include <inet/ip_listutils.h>
93 #include <netinet/igmp.h>
94 #include <netinet/ip_mroute.h>
95 #include <inet/ipp_common.h>
97 #include <net/pfkeyv2.h>
98 #include <inet/sadb.h>
99 #include <inet/ipsec_impl.h>
100 #include <inet/ipdrop.h>
101 #include <inet/ip_netinfo.h>
102 #include <inet/ilb_ip.h>
103 #include <sys/squeue_impl.h>
104 #include <sys/squeue.h>
106 #include <sys/ethernet.h>
107 #include <net/if_types.h>
108 #include <sys/cpuvar.h>
110 #include <ipp/ipp.h>
111 #include <ipp/ipp_impl.h>
112 #include <ipp/ipgpc/ipgpc.h>
114 #include <sys/pattr.h>
115 #include <inet/ipclassifier.h>
116 #include <inet/sctp_ip.h>
117 #include <inet/sctp/sctp_impl.h>
118 #include <inet/udp_impl.h>
119 #include <sys/sunddi.h>
121 #include <sys/tsol/label.h>
122 #include <sys/tsol/tnet.h>
126 #ifdef DEBUG
128 #endif
133 ip_recv_attr_t *);
135 #pragma inline(ip_input_common_v6, ip_input_local_v6, ip_forward_xmit_v6)
137 /*
138 * Direct read side procedure capable of dealing with chains. GLDv3 based
139 * drivers call this function directly with mblk chains while STREAMS
140 * read side procedure ip_rput() calls this for single packet with ip_ring
141 * set to NULL to process one packet at a time.
142 *
143 * The ill will always be valid if this function is called directly from
144 * the driver.
145 *
146 * If ip_input_v6() is called from GLDv3:
147 *
148 * - This must be a non-VLAN IP stream.
149 * - 'mp' is either an untagged or a special priority-tagged packet.
150 * - Any VLAN tag that was in the MAC header has been stripped.
151 *
152 * If the IP header in packet is not 32-bit aligned, every message in the
153 * chain will be aligned before further operations. This is required on SPARC
154 * platform.
155 */
156 void
159 {
161 NULL);
162 }
164 /*
165 * ip_accept_tcp_v6() - This function is called by the squeue when it retrieves
166 * a chain of packets in the poll mode. The packets have gone through the
167 * data link processing but not IP processing. For performance and latency
168 * reasons, the squeue wants to process the chain in line instead of feeding
169 * it back via ip_input path.
170 *
171 * We set up the ip_recv_attr_t with IRAF_TARGET_SQP to that ip_fanout_v6
172 * will pass back any TCP packets matching the target sqp to
173 * ip_input_common_v6 using ira_target_sqp_mp. Other packets are handled by
174 * ip_input_v6 and ip_fanout_v6 as normal.
175 * The TCP packets that match the target squeue are returned to the caller
176 * as a b_next chain after each packet has been prepend with an mblk
177 * from ip_recv_attr_to_mblk.
178 */
179 mblk_t *
182 {
185 }
187 /*
188 * Used by ip_input_v6 and ip_accept_tcp_v6
189 * The last three arguments are only used by ip_accept_tcp_v6, and mhip is
190 * only used by ip_input_v6.
191 */
192 mblk_t *
196 {
200 rtc_t rtc;
209 /* These ones do not change as we loop over packets */
215 /* For ECMP and outbound transmit ring selection */
223 /*
224 * We try to have a mhip pointer when possible, but
225 * it might be NULL in some cases. In those cases we
226 * have to assume unicast.
227 */
238 }
239 }
241 /*
242 * Initialize the one-element route cache.
243 *
244 * We do ire caching from one iteration to
245 * another. In the event the packet chain contains
246 * all packets from the same dst, this caching saves
247 * an ire_route_recursive for each of the succeeding
248 * packets in a packet chain.
249 */
253 /* Loop over b_next */
258 /*
259 * if db_ref > 1 then copymsg and free original. Packet
260 * may be changed and we do not want the other entity
261 * who has a reference to this message to trip over the
262 * changes. This is a blind change because trying to
263 * catch all places that might change the packet is too
264 * difficult.
265 *
266 * This corresponds to the fast path case, where we have
267 * a chain of M_DATA mblks. We check the db_ref count
268 * of only the 1st data block in the mblk chain. There
269 * doesn't seem to be a reason why a device driver would
270 * send up data with varying db_ref counts in the mblk
271 * chain. In any case the Fast path is a private
272 * interface, and our drivers don't do such a thing.
273 * Given the above assumption, there is no need to walk
274 * down the entire mblk chain (which could have a
275 * potential performance problem)
276 *
277 * The "(DB_REF(mp) > 1)" check was moved from ip_rput()
278 * to here because of exclusive ip stacks and vnics.
279 * Packets transmitted from exclusive stack over vnic
280 * can have db_ref > 1 and when it gets looped back to
281 * another vnic in a different zone, you have ip_input()
282 * getting dblks with db_ref > 1. So if someone
283 * complains of TCP performance under this scenario,
284 * take a serious look here on the impact of copymsg().
285 */
289 }
291 /*
292 * IP header ptr not aligned?
293 * OR IP header not complete in first mblk
294 */
301 }
303 /* Protect against a mix of Ethertypes and IP versions */
308 /* mhip might point into 1st packet in the chain. */
311 }
313 /*
314 * Check for Martian addrs; we have to explicitly
315 * test for for zero dst since this is also used as
316 * an indication that the rtc is not used.
317 */
322 /* mhip might point into 1st packet in the chain. */
325 }
326 /*
327 * Keep L2SRC from a previous packet in chain since mhip
328 * might point into an earlier packet in the chain.
329 */
339 /*
340 * We must count all incoming packets, even if they end
341 * up being dropped later on. Defer counting bytes until
342 * we have the whole IP header in first mblk.
343 */
350 /*
351 * Call one of:
352 * ill_input_full_v6
353 * ill_input_short_v6
354 * The former is used in the case of TX. See ill_set_inputfn().
355 */
358 /* Any references to clean up? No hold on ira_ill */
363 /* Better be called from ip_accept_tcp */
366 /* Found one packet to accept */
373 else
376 acnt++;
378 }
379 /* mhip might point into 1st packet in the chain. */
381 }
382 /* Any remaining references to the route cache? */
386 }
389 /* Better be called from ip_accept_tcp */
394 }
397 }
399 /*
400 * This input function is used when
401 * - is_system_labeled()
402 *
403 * Note that for IPv6 CGTP filtering is handled only when receiving fragment
404 * headers, and RSVP uses router alert options, thus we don't need anything
405 * extra for them.
406 */
407 void
410 {
417 /*
418 * Attach any necessary label information to
419 * this packet
420 */
424 /*
425 * This updates ira_cred, ira_tsl and ira_free_flags based
426 * on the label.
427 */
435 }
436 /* Note that ira_tsl can be NULL here. */
438 /* tsol_get_pkt_label sometimes does pullupmsg */
440 }
442 }
444 /*
445 * Check for IPv6 addresses that should not appear on the wire
446 * as either source or destination.
447 * If we ever implement Stateless IPv6 Translators (SIIT) we'd have
448 * to revisit the IPv4-mapped part.
449 */
450 static boolean_t
452 {
456 }
460 }
462 /*
463 * having :: in the src is ok: it's used for DAD.
464 */
467 }
469 }
471 /*
472 * Routing lookup for IPv6 link-locals.
473 * First we look on the inbound interface, then we check for IPMP and
474 * look on the upper interface.
475 * We update ira_ruifindex if we find the IRE on the upper interface.
476 */
480 {
491 /*
492 * When we are using IMP we need to look for an IRE on both the
493 * under and upper interfaces since there are different
494 * link-local addresses for the under and upper.
495 */
507 }
509 /*
510 * This is the tail-end of the full receive side packet handling.
511 * It can be used directly when the configuration is simple.
512 */
513 void
516 {
520 uint_t pkt_len;
521 ssize_t len;
525 uint_t irr_flags;
526 #define rptr ((uchar_t *)ip6h)
530 /*
531 * Check for source/dest being a bad address: loopback, any, or
532 * v4mapped. All of them start with a 64 bits of zero.
533 */
542 }
543 }
552 }
553 }
558 /* multiple mblk or too short */
565 }
570 /*
571 * The event for packets being received from a 'physical'
572 * interface is placed after validation of the source and/or
573 * destination address as being local so that packets can be
574 * redirected to loopback addresses using ipnat.
575 */
599 /* The length could have changed */
604 /*
605 * In case the destination changed we override any previous
606 * change to nexthop.
607 */
616 }
618 }
621 zoneid_t dzone;
623 /*
624 * On the inbound path the src zone will be unknown as
625 * this packet has come from the wire.
626 */
629 }
632 IPV6_DEFAULT_VERS_AND_FLOW) {
638 }
640 /*
641 * For IPv6 we update ira_ip_hdr_length and ira_protocol as
642 * we parse the headers, starting with the hop-by-hop options header.
643 */
647 uint_t ehdrlen;
655 }
664 }
665 }
674 }
683 }
685 }
687 /*
688 * Update ira_ip_hdr_length to skip the hop-by-hop header
689 * once we get to ip_fanout_v6
690 */
698 /*
699 * Packet has been consumed and any
700 * needed ICMP messages sent.
701 */
704 /* no action needed */
707 /*
708 * Known router alert. Make use handle it as local
709 * by setting the nexthop to be the all-host multicast
710 * address, and skip multicast membership filter by
711 * marking as a router alert.
712 */
716 }
717 }
719 /*
720 * Here we check to see if we machine is setup as
721 * L3 loadbalancer and if the incoming packet is for a VIP
722 *
723 * Check the following:
724 * - there is at least a rule
725 * - protocol of the packet is supported
726 *
727 * We don't load balance IPv6 link-locals.
728 */
731 in6_addr_t lb_dst;
734 /* For convenience, we just pull up the mblk. */
742 }
744 }
752 }
754 /* Set the dst to that of the chosen server */
757 }
758 }
762 else
765 /* Can not use route cache with TX since the labels can differ */
771 ipst);
773 /* Match destination and label */
777 NULL);
778 }
779 /* Update the route cache so we do the ire_refrele */
787 /* Use the route cache */
790 /* Update the route cache */
795 ipst);
799 }
805 }
809 /*
810 * Based on ire_type and ire_flags call one of:
811 * ire_recv_local_v6 - for IRE_LOCAL
812 * ire_recv_loopback_v6 - for IRE_LOOPBACK
813 * ire_recv_multirt_v6 - if RTF_MULTIRT
814 * ire_recv_noroute_v6 - if RTF_REJECT or RTF_BLACHOLE
815 * ire_recv_multicast_v6 - for IRE_MULTICAST
816 * ire_recv_noaccept_v6 - for ire_noaccept ones
817 * ire_recv_forward_v6 - for the rest.
818 */
821 }
822 #undef rptr
824 /*
825 * ire_recvfn for IREs that need forwarding
826 */
827 void
829 {
844 }
851 }
853 /*
854 * Either ire_nce_capable or ire_dep_parent would be set for the IRE
855 * when it is found by ire_route_recursive, but that some other thread
856 * could have changed the routes with the effect of clearing
857 * ire_dep_parent. In that case we'd end up dropping the packet, or
858 * finding a new nce below.
859 * Get, allocate, or update the nce.
860 * We get a refhold on ire_nce_cache as a result of this to avoid races
861 * where ire_nce_cache is deleted.
862 *
863 * This ensures that we don't forward if the interface is down since
864 * ipif_down removes all the nces.
865 */
869 /* Not yet set up - try to set one up */
876 /* The ire_dep_parent chain went bad, or no memory */
881 }
882 }
896 }
898 }
901 /*
902 * Unless we are forwarding, drop the packet.
903 * Unlike IPv4 we don't allow source routed packets out the same
904 * interface when we are not a router.
905 * Note that ill_forward_set() will set the ILLF_ROUTER on
906 * all the group members when it gets an ipmp-ill or under-ill.
907 */
914 }
918 /*
919 * Should only use IREs that are visible from the
920 * global zone for forwarding.
921 * For IPv6 any source route would have already been
922 * advanced in ip_fanout_v6
923 */
933 }
934 /*
935 * ipIfStatsHCInForwDatagrams should only be increment if there
936 * will be an attempt to forward the packet, which is why we
937 * increment after the above condition has been checked.
938 */
941 /* Initiate Read side IPPF processing */
943 /* ip_process translates an IS_UNDER_IPMP */
946 /* ip_drop_packet and MIB done */
951 }
952 }
969 }
970 /*
971 * Even if the destination was changed by the filter we use the
972 * forwarding decision that was made based on the address
973 * in ip_input.
974 */
976 /* Might have changed */
979 }
981 /* Packet is being forwarded. Turning off hwcksum flag. */
984 /*
985 * Per RFC 3513 section 2.5.2, we must not forward packets with
986 * an unspecified source address.
987 * The loopback address check for both src and dst has already
988 * been checked in ip_input_v6
989 * In the future one can envision adding RPF checks using number 3.
990 */
1004 }
1006 }
1008 /*
1009 * Check to see if we're forwarding the packet to a
1010 * different link from which it came. If so, check the
1011 * source and destination addresses since routers must not
1012 * forward any packets with link-local source or
1013 * destination addresses to other links. Otherwise (if
1014 * we're forwarding onto the same link), conditionally send
1015 * a redirect message.
1016 */
1025 }
1026 /* TBD add site-local check at site boundary? */
1029 }
1036 /*
1037 * Check if it can be forwarded and add/remove
1038 * CIPSO options as needed.
1039 */
1046 }
1047 /*
1048 * Size may have changed. Remember amount added in case
1049 * ip_fragment needs to send an ICMP too big.
1050 */
1057 }
1066 }
1068 /*
1069 * Used for sending out unicast and multicast packets that are
1070 * forwarded.
1071 */
1072 void
1075 {
1085 ira);
1087 }
1089 /* Initiate Write side IPPF processing before any fragmentation */
1091 /* ip_process translates an IS_UNDER_IPMP */
1094 /* ip_drop_packet and MIB done */
1098 }
1099 }
1109 /*
1110 * Remove any CIPSO option added by
1111 * tsol_ip_forward, and make sure we report
1112 * a path MTU so that there
1113 * is room to add such a CIPSO option for future
1114 * packets.
1115 */
1117 }
1120 }
1126 /*
1127 * IXAF_NO_LOOP_ZONEID is not set hence 6th arg
1128 * is don't care
1129 */
1136 }
1137 }
1139 /*
1140 * ire_recvfn for RTF_REJECT and RTF_BLACKHOLE routes, including IRE_NOROUTE,
1141 * which is what ire_route_recursive returns when there is no matching ire.
1142 * Send ICMP unreachable unless blackhole.
1143 */
1144 void
1146 {
1151 /* Would we have forwarded this packet if we had a route? */
1157 }
1164 }
1165 /*
1166 * If we had a route this could have been forwarded. Count as such.
1167 *
1168 * ipIfStatsHCInForwDatagrams should only be increment if there
1169 * will be an attempt to forward the packet, which is why we
1170 * increment after the above condition has been checked.
1171 */
1177 ipst);
1186 ira);
1187 }
1188 }
1190 /*
1191 * ire_recvfn for IRE_LOCALs marked with ire_noaccept. Such IREs are used for
1192 * VRRP when in noaccept mode.
1193 * We silently drop packets except for Neighbor Solicitations and
1194 * Neighbor Advertisements.
1195 */
1196 void
1199 {
1210 }
1218 }
1224 }
1225 }
1234 }
1236 }
1238 /*
1239 * ire_recvfn for IRE_MULTICAST.
1240 */
1241 void
1244 {
1253 /* Tag for higher-level protocols */
1256 /*
1257 * So that we don't end up with dups, only one ill an IPMP group is
1258 * nominated to receive multicast traffic.
1259 * If we have no cast_ill we are liberal and accept everything.
1260 */
1264 /* For an under ill_grp can change under lock */
1272 }
1274 /*
1275 * We switch to the upper ill so that mrouter and hasmembers
1276 * can operate on upper here and in ip_input_multicast.
1277 */
1286 }
1287 }
1289 #ifdef notdef
1290 /*
1291 * Check if we are a multicast router - send ip_mforward a copy of
1292 * the packet.
1293 * Due to mroute_decap tunnels we consider forwarding packets even if
1294 * mrouted has not joined the allmulti group on this interface.
1295 */
1299 /*
1300 * Clear the indication that this may have hardware
1301 * checksum as we are not using it for forwarding.
1302 */
1305 /*
1306 * ip_mforward helps us make these distinctions: If received
1307 * on tunnel and not IGMP, then drop.
1308 * If IGMP packet, then don't check membership
1309 * If received on a phyint and IGMP or PIM, then
1310 * don't check membership
1311 */
1313 /* ip_mforward updates mib variables if needed */
1317 /*
1318 * pkt is okay and arrived on phyint.
1319 */
1322 /* pkt is mal-formed, toss it */
1326 /*
1327 * pkt is okay and arrived on a tunnel
1328 *
1329 * If we are running a multicast router
1330 * we need to see all mld packets, which
1331 * are marked with router alerts.
1332 */
1338 }
1339 }
1342 /*
1343 * If this was a router alert we skip the group membership check.
1344 */
1348 /*
1349 * Check if we have members on this ill. This is not necessary for
1350 * correctness because even if the NIC/GLD had a leaky filter, we
1351 * filter before passing to each conn_t.
1352 */
1354 /*
1355 * Nobody interested
1356 *
1357 * This might just be caused by the fact that
1358 * multiple IP Multicast addresses map to the same
1359 * link layer multicast - no need to increment counter!
1360 */
1364 }
1365 forus:
1368 /*
1369 * After reassembly and IPsec we will need to duplicate the
1370 * multicast packet for all matching zones on the ill.
1371 */
1374 /* Reassemble on the ill on which the packet arrived */
1376 done:
1381 }
1382 }
1384 /*
1385 * ire_recvfn for IRE_OFFLINK with RTF_MULTIRT.
1386 * Drop packets since we don't forward out multirt routes.
1387 */
1388 /* ARGSUSED */
1389 void
1391 {
1397 }
1399 /*
1400 * ire_recvfn for IRE_LOOPBACK. This is only used when a FW_HOOK
1401 * has rewritten the packet to have a loopback destination address (We
1402 * filter out packet with a loopback destination from arriving over the wire).
1403 * We don't know what zone to use, thus we always use the GLOBAL_ZONEID.
1404 */
1405 void
1407 {
1414 /* Switch to the lo0 ill for further processing */
1416 /*
1417 * Update ira_ill to be the ILL on which the IP address
1418 * is hosted.
1419 * No need to hold the ill since we have a hold on the ire
1420 */
1426 /* Restore */
1431 }
1433 }
1435 /*
1436 * ire_recvfn for IRE_LOCAL.
1437 */
1438 void
1440 {
1445 /* Make a note for DAD that this address is in use */
1448 /* Only target the IRE_LOCAL with the right zoneid. */
1451 /*
1452 * If the packet arrived on the wrong ill, we check that
1453 * this is ok.
1454 * If it is, then we ensure that we do the reassembly on
1455 * the ill on which the address is hosted. We keep ira_rill as
1456 * the one on which the packet arrived, so that IP_PKTINFO and
1457 * friends can report this.
1458 */
1464 /* Drop packet */
1469 }
1470 /*
1471 * Update ira_ill to be the ILL on which the IP address
1472 * is hosted. No need to hold the ill since we have a
1473 * hold on the ire. Note that we do the switch even if
1474 * new_ire == ire (for IPMP, ire would be the one corresponding
1475 * to the IPMP ill).
1476 */
1480 /* ira_ruifindex tracks the upper for ira_rill */
1486 /* Restore */
1494 }
1497 }
1499 /*
1500 * Common function for packets arriving for the host. Handles
1501 * checksum verification, reassembly checks, etc.
1502 */
1503 static void
1505 {
1508 /*
1509 * For multicast we need some extra work before
1510 * we call ip_fanout_v6(), since in the case of shared-IP zones
1511 * we need to pretend that a packet arrived for each zoneid.
1512 */
1516 }
1518 }
1520 /*
1521 * Handle multiple zones which want to receive the same multicast packets
1522 * on this ill by delivering a packet to each of them.
1523 *
1524 * Note that for packets delivered to transports we could instead do this
1525 * as part of the fanout code, but since we need to handle icmp_inbound
1526 * it is simpler to have multicast work the same as IPv4 broadcast.
1527 *
1528 * The ip_fanout matching for multicast matches based on ilm independent of
1529 * zoneid since the zoneid restriction is applied when joining a multicast
1530 * group.
1531 */
1532 /* ARGSUSED */
1533 static void
1535 {
1540 zoneid_t zoneid;
1546 /* ire_recv_multicast has switched to the upper ill for IPMP */
1549 /*
1550 * If we don't have more than one shared-IP zone, or if
1551 * there are no members in anything but the global zone,
1552 * then just set the zoneid and proceed.
1553 */
1556 GLOBAL_ZONEID)) {
1559 /* If sender didn't want this zone to receive it, drop */
1565 }
1568 }
1570 /*
1571 * Here we loop over all zoneids that have members in the group
1572 * and deliver a packet to ip_fanout for each zoneid.
1573 *
1574 * First find any members in the lowest numeric zoneid by looking for
1575 * first zoneid larger than -1 (ALL_ZONES).
1576 * We terminate the loop when we receive -1 (ALL_ZONES).
1577 */
1581 /*
1582 * Avoid an extra copymsg/freemsg by skipping global zone here
1583 * and doing that at the end.
1584 */
1590 /* If sender didn't want this zone to receive it, skip */
1597 /* Failed to deliver to one zone */
1601 }
1604 /*
1605 * IPsec might have modified ira_pktlen and ira_ip_hdr_length
1606 * so we restore them for a potential next iteration
1607 */
1610 }
1612 /* Do the main ire */
1614 /* If sender didn't want this zone to receive it, drop */
1621 }
1622 }
1625 /*
1626 * Determine the zoneid and IRAF_TX_MAC_EXEMPTABLE if trusted extensions
1627 * is in use. Updates ira_zoneid and ira_flags as a result.
1628 */
1629 static void
1632 {
1635 zoneid_t zoneid;
1639 /*
1640 * If the packet is unlabeled we might allow read-down
1641 * for MAC_EXEMPT. Below we clear this if it is a multi-level
1642 * port (MLP).
1643 * Note that ira_tsl can be NULL here.
1644 */
1658 /* Caller ensures this */
1661 /*
1662 * Only these transports support MLP.
1663 * We know their destination port numbers is in
1664 * the same place in the header.
1665 */
1668 /*
1669 * No need to handle exclusive-stack zones
1670 * since ALL_ZONES only applies to the shared IP instance.
1671 */
1673 /*
1674 * If no shared MLP is found, tsol_mlp_findzone returns
1675 * ALL_ZONES. In that case, we assume it's SLP, and
1676 * search for the zone based on the packet label.
1677 *
1678 * If there is such a zone, we prefer to find a
1679 * connection in it. Otherwise, we look for a
1680 * MAC-exempt connection in any zone whose label
1681 * dominates the default label on the packet.
1682 */
1685 else
1689 /* Handle shared address for other protocols */
1692 }
1694 }
1696 /*
1697 * Increment checksum failure statistics
1698 */
1699 static void
1701 {
1712 else
1721 else
1731 }
1732 }
1734 /* Calculate the IPv6 pseudo-header checksum for TCP, UDP, and ICMPV6 */
1735 uint32_t
1737 {
1738 uint_t ulp_len;
1743 #define iphs ((uint16_t *)ip6h)
1749 /* Protocol and length */
1751 /* IP addresses */
1763 /* Protocol and length */
1765 /* IP addresses */
1771 }
1775 /* Protocol and length */
1777 /* IP addresses */
1786 }
1787 #undef iphs
1789 }
1792 /*
1793 * Software verification of the ULP checksums.
1794 * Returns B_TRUE if ok.
1795 * Increments statistics of failed.
1796 */
1797 static boolean_t
1799 {
1817 }
1819 /*
1820 * Verify the ULP checksums.
1821 * Returns B_TRUE if ok, or if the ULP doesn't have a well-defined checksum
1822 * algorithm.
1823 * Increments statistics if failed.
1824 */
1825 static boolean_t
1828 {
1833 uint_t len;
1847 /*
1848 * Before going through the regular checksum
1849 * calculation, make sure the received checksum
1850 * is non-zero. RFC 2460 says, a 0x0000 checksum
1851 * in a UDP packet (within IPv6 packet) is invalid
1852 * and should be replaced by 0xffff. This makes
1853 * sense as regular checksum calculation will
1854 * pass for both the cases i.e. 0x0000 and 0xffff.
1855 * Removing one of the case makes error detection
1856 * stronger.
1857 */
1859 /* 0x0000 checksum is invalid */
1862 }
1864 }
1870 #ifdef DEBUG
1873 #endif
1881 /*
1882 * Defer until later whether a bad checksum is ok
1883 * in order to allow RAW sockets to use Adler checksum
1884 * with SCTP.
1885 */
1888 }
1891 /* No ULP checksum to verify. */
1893 }
1895 /*
1896 * Revert to software checksum calculation if the interface
1897 * isn't capable of checksum offload.
1898 * We clear DB_CKSUMFLAGS when going through IPsec in ip_fanout.
1899 * Note: IRAF_NO_HW_CKSUM is not currently used.
1900 */
1905 }
1907 /*
1908 * We apply this for all ULP protocols. Does the HW know to
1909 * not set the flags for SCTP and other protocols.
1910 */
1915 /*
1916 * Hardware has already verified the checksum.
1917 */
1919 }
1922 /*
1923 * Full checksum has been computed by the hardware
1924 * and has been attached. If the driver wants us to
1925 * verify the correctness of the attached value, in
1926 * order to protect against faulty hardware, compare
1927 * it against -0 (0xFFFF) to see if it's valid.
1928 */
1934 }
1948 /*
1949 * Partial checksum has been calculated by hardware
1950 * and attached to the packet; in addition, any
1951 * prepended extraneous data is even byte aligned,
1952 * and there are at most two mblks associated with
1953 * the packet. If any such data exists, we adjust
1954 * the checksum; also take care any postpended data.
1955 */
1957 /*
1958 * One's complement subtract extraneous checksum
1959 */
1963 else
1972 }
1974 }
1977 /*
1978 * Handle fanout of received packets.
1979 * Unicast packets that are looped back (from ire_send_local_v6) and packets
1980 * from the wire are differentiated by checking IRAF_VERIFY_ULP_CKSUM.
1981 *
1982 * IPQoS Notes
1983 * Before sending it to the client, invoke IPPF processing. Policy processing
1984 * takes place only if the callout_position, IPP_LOCAL_IN, is enabled.
1985 */
1986 void
1988 {
1994 #define rptr ((uchar_t *)ip6h)
1995 uint_t ip_hdr_length;
1996 uint_t min_ulp_header_length;
1998 ssize_t len;
2005 /*
2006 * We repeat this as we parse over destination options header and
2007 * fragment headers (earlier we've handled any hop-by-hop options
2008 * header.)
2009 * We update ira_protocol and ira_ip_hdr_length as we skip past
2010 * the intermediate headers; they already point past any
2011 * hop-by-hop header.
2012 */
2013 repeat:
2017 /*
2018 * Time for IPP once we've done reassembly and IPsec.
2019 * We skip this for loopback packets since we don't do IPQoS
2020 * on loopback.
2021 */
2027 /*
2028 * Use the interface on which the packet arrived - not where
2029 * the IP address is hosted.
2030 */
2031 /* ip_process translates an IS_UNDER_IPMP */
2034 /* ip_drop_packet and MIB done */
2036 }
2037 }
2039 /* Determine the minimum required size of the upper-layer header */
2040 /* Need to do this for at least the set of ULPs that TX handles. */
2063 }
2064 /* Make sure we have the min ULP header length */
2072 ira);
2076 }
2078 /*
2079 * If trusted extensions then determine the zoneid and TX specific
2080 * ira_flags.
2081 */
2083 /* This can update ira->ira_flags and ira->ira_zoneid */
2086 }
2089 /* Verify ULP checksum. Handles TCP, UDP, and SCTP */
2092 /* Bad checksum. Stats are already incremented */
2096 }
2097 /* IRAF_SCTP_CSUM_ERR could have been set */
2099 }
2102 /* For TCP, discard multicast packets. */
2106 /* First mblk contains IP+TCP headers per above check */
2109 /* TCP options present? */
2115 /*
2116 * There must be TCP options.
2117 * Make sure we can grab them.
2118 */
2130 }
2131 }
2133 /*
2134 * Pass up a squeue hint to tcp.
2135 * If ira_sqp is already set (this is loopback) we leave it
2136 * alone.
2137 */
2140 }
2142 /* Look for AF_INET or AF_INET6 that matches */
2146 /* Send the TH_RST */
2150 }
2155 /* Send the TH_RST */
2159 }
2166 /* Note that mp is NULL */
2170 }
2171 }
2172 /* Found a client; up it goes */
2176 /* Not TCP; must be SOCK_RAW, IPPROTO_TCP */
2182 }
2184 /*
2185 * We do different processing whether called from
2186 * ip_accept_tcp and we match the target, don't match
2187 * the target, and when we are called by ip_input.
2188 */
2196 ipIfStatsInDiscards);
2203 connp);
2207 /*
2208 * Conn ref release when drained from
2209 * the squeue.
2210 */
2211 }
2215 SQTAG_IP6_TCP_INPUT);
2216 }
2220 }
2230 /* For SCTP, discard multicast packets. */
2234 /*
2235 * Since there is no SCTP h/w cksum support yet, just
2236 * clear the flag.
2237 */
2240 /* Length ensured above */
2244 /* get the ports */
2248 /*
2249 * No potential sctp checksum errors go to the Sun
2250 * sctp stack however they might be Adler-32 summed
2251 * packets a userland stack bound to a raw IP socket
2252 * could reasonably use. Note though that Adler-32 is
2253 * a long deprecated algorithm and customer sctp
2254 * networks should eventually migrate to CRC-32 at
2255 * which time this facility should be removed.
2256 */
2259 }
2263 /* Check for raw socket or OOTB handling */
2266 }
2271 /* Check for raw socket or OOTB handling */
2274 }
2276 /* Found a client; up it goes */
2279 /* sctp_input does a rele of the sctp_t */
2281 }
2284 /* First mblk contains IP+UDP headers as checked above */
2294 }
2296 /* Look for AF_INET or AF_INET6 that matches */
2300 no_udp_match:
2308 }
2311 }
2316 }
2324 }
2331 /* Note that mp is NULL */
2335 }
2336 }
2338 /* Found a client; up it goes */
2349 }
2351 /*
2352 * Clear hardware checksumming flag as it is currently only
2353 * used by TCP and UDP.
2354 */
2361 /* Check variable for testing applications */
2366 }
2367 /*
2368 * We need to accomodate icmp messages coming in clear
2369 * until we get everything secure from the wire. If
2370 * icmp_accept_clear_messages is zero we check with
2371 * the global policy and act accordingly. If it is
2372 * non-zero, we accept the message without any checks.
2373 * But *this does not mean* that this will be delivered
2374 * to RAW socket clients. By accepting we might send
2375 * replies back, change our MTU value etc.,
2376 * but delivery to the ULP/clients depends on their
2377 * policy dispositions.
2378 */
2384 }
2386 /*
2387 * On a labeled system, we have to check whether the zone
2388 * itself is permitted to receive raw traffic.
2389 */
2393 ipv6IfIcmpInErrors);
2397 }
2398 }
2403 /* No need to pass to RAW sockets */
2405 }
2410 uint_t ehdrlen;
2413 /* We already check for MIN_EHDR_LEN above */
2415 /* Check if AH is present and needs to be processed. */
2420 /*
2421 * Reinitialize pointers, as ipsec_early_ah_v6() does
2422 * complete pullups. We don't have to do more pullups
2423 * as a result.
2424 */
2435 }
2447 }
2450 /*
2451 * Update ira_ip_hdr_length to skip the destination header
2452 * when we repeat.
2453 */
2458 /*
2459 * Note: XXX This code does not seem to make
2460 * distinction between Destination Options Header
2461 * being before/after Routing Header which can
2462 * happen if we are at the end of source route.
2463 * This may become significant in future.
2464 * (No real significant Destination Options are
2465 * defined/implemented yet ).
2466 */
2470 /*
2471 * Packet has been consumed and any needed
2472 * ICMP errors sent.
2473 */
2476 /* No action needed continue */
2479 /*
2480 * Unnexpected return value
2481 * (Router alert is a Hop-by-Hop option)
2482 */
2483 #ifdef DEBUG
2486 /*NOTREACHED*/
2487 #else
2492 #endif
2493 }
2495 }
2508 }
2513 /*
2514 * Invoke the CGTP (multirouting) filtering module to
2515 * process the incoming packet. Packets identified as
2516 * duplicates must be discarded. Filtering is active
2517 * only if the ip_cgtp_filter ndd variable is
2518 * non-zero.
2519 */
2523 netstackid_t stackid;
2527 /*
2528 * CGTP and IPMP are mutually exclusive so
2529 * phyint_ifindex is fine here.
2530 */
2531 cgtp_flt_pkt =
2539 }
2540 }
2542 /*
2543 * Update ip_hdr_length to skip the frag header
2544 * ip_input_fragment_v6 will determine the extension header
2545 * prior to the fragment header and update its nexthdr value,
2546 * and also set ira_protocol to the nexthdr that follows the
2547 * completed fragment.
2548 */
2551 /*
2552 * Make sure we have ira_l2src before we loose the original
2553 * mblk
2554 */
2561 /* Reassembly is still pending */
2563 }
2566 /*
2567 * The mblk chain has the frag header removed and
2568 * ira_protocol, ira_pktlen, ira_ip_hdr_length as well as the
2569 * IP header has been updated to refleact the result.
2570 */
2574 }
2576 /*
2577 * Illegal header sequence.
2578 * (Hop-by-hop headers are processed above
2579 * and required to immediately follow IPv6 header)
2580 */
2586 uint_t ehdrlen;
2589 /* Check if AH is present and needs to be processed. */
2594 /*
2595 * Reinitialize pointers, as ipsec_early_ah_v6() does
2596 * complete pullups. We don't have to do more pullups
2597 * as a result.
2598 */
2609 }
2621 }
2623 /* Not end of source route */
2627 ipIfStatsForwProhibits);
2632 }
2635 }
2638 }
2642 /*
2643 * Fast path for AH/ESP.
2644 */
2653 }
2656 /* select inbound SA and have IPsec process the pkt */
2670 ira);
2683 ira);
2684 }
2687 /*
2688 * Either it failed or is pending. In the former case
2689 * ipIfStatsInDiscards was increased.
2690 */
2692 }
2693 /* we're done with IPsec processing, send it up */
2696 }
2698 /* All processing is done. Count as "delivered". */
2705 /* iptun will verify trusted label */
2716 }
2717 /* FALLTHRU */
2719 /*
2720 * On a labeled system, we have to check whether the zone
2721 * itself is permitted to receive raw traffic.
2722 */
2729 }
2730 }
2732 }
2734 /*
2735 * The above input functions may have returned the pulled up message.
2736 * So ip6h need to be reinitialized.
2737 */
2741 /* No user-level listener for these packets packets */
2744 }
2746 /*
2747 * Handle fanout to raw sockets. There
2748 * can be more than one stream bound to a particular
2749 * protocol. When this is the case, each one gets a copy
2750 * of any incoming packets.
2751 */
2756 pkt_too_short:
2762 discard:
2766 #undef rptr
2767 }