ip_output.c revision b36a561ed04ea980dae3aac233036f3500a97c76
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/* Copyright (c) 1990 Mentat Inc. */
#include <inet/kstatcom.h>
#include <netinet/igmp_var.h>
#include <inet/ip_multi.h>
#include <inet/ip_ftable.h>
#include <inet/ip_listutils.h>
#include <netinet/ip_mroute.h>
#include <inet/ipp_common.h>
#include <inet/ipsec_impl.h>
#include <inet/ip_netinfo.h>
#include <inet/ipclassifier.h>
#include <inet/udp_impl.h>
#ifdef DEBUG
extern boolean_t skip_sctp_cksum;
#endif
/*
* There are two types of output functions for IP used for different
* purposes:
* - ip_output_simple() is when sending ICMP errors, TCP resets, etc when there
* is no context in the form of a conn_t. However, there is a
* ip_xmit_attr_t that the callers use to influence interface selection
* (needed for ICMP echo as well as IPv6 link-locals) and IPsec.
*
* - conn_ip_output() is used when sending packets with a conn_t and
* ip_set_destination has been called to cache information. In that case
* various socket options are recorded in the ip_xmit_attr_t and should
* be taken into account.
*/
/*
* The caller *must* have called conn_connect() or ip_attr_connect()
* before calling conn_ip_output(). The caller needs to redo that each time
* the destination IP address or port changes, as well as each time there is
* a change to any socket option that would modify how packets are routed out
* of the box (e.g., SO_DONTROUTE, IP_NEXTHOP, IP_BOUND_IF).
*
* The ULP caller has to serialize the use of a single ip_xmit_attr_t.
* We assert for that here.
*/
int
{
int error;
/* We defer ipIfStatsHCOutRequests until an error or we have an ill */
/* Note there is no ixa_nce when reject and blackhole routes */
#ifdef DEBUG
#endif
/*
* Even on labeled systems we can have a NULL ixa_tsl e.g.,
*/
/*
* If the ULP says the (old) IRE resulted in reachability we
* record this before determine whether to use a new IRE.
* No locking for performance reasons.
*/
if (ixaflags & IXAF_REACH_CONF)
ire->ire_badcnt = 0;
/*
* Has routing changed since we cached the results of the lookup?
*
* This check captures all of:
* - the cached ire being deleted (by means of the special
* IRE_GENERATION_CONDEMNED)
* - A potentially better ire being added (ire_generation being
* increased)
* - A deletion of the nexthop ire that was used when we did the
* lookup.
* - An addition of a potentially better nexthop ire.
* The last two are handled by walking and increasing the generation
* number on all dependant IREs in ire_flush_cache().
*
* The check also handles all cases of RTF_REJECT and RTF_BLACKHOLE
* since we ensure that each time we set ixa_ire to such an IRE we
* make sure the ixa_ire_generation does not match (by using
* IRE_GENERATION_VERIFY).
*/
if (error != 0) {
ip_drop_output("ipIfStatsOutDiscards - verify ire",
goto drop;
}
#ifdef DEBUG
#endif
ire->ire_ob_pkt_count++;
/* ixa_dce might be condemned; use default one */
}
/*
* If the ncec changed then ip_verify_ire already set
* ixa->ixa_dce_generation = DCE_GENERATION_VERIFY;
* so we can recheck the interface mtu.
*/
/*
* Note that ire->ire_generation could already have changed.
* We catch that next time we send a packet.
*/
}
/*
* No need to lock access to ixa_nce since the ip_xmit_attr usage
* is single threaded.
*/
if (nce->nce_is_condemned) {
/*
* In case ZEROCOPY capability become not available, we
* copy the message and free the original one. We might
* be copying more data than needed but it doesn't hurt
* since such change rarely happens.
*/
switch (error) {
case 0:
break;
case ENOTSUP: { /* ZEROCOPY */
break;
}
/* FALLTHROUGH */
}
default:
ip_drop_output("ipIfStatsOutDiscards - verify nce",
goto drop;
}
#ifdef DEBUG
#endif
ire->ire_ob_pkt_count++;
/* ixa_dce might be condemned; use default one */
}
/*
* Note that some other event could already have made
* the new nce condemned. We catch that next time we
* try to send a packet.
*/
}
/*
* If there is no per-destination dce_t then we have a reference to
* the default dce_t (which merely contains the dce_ipid).
* The generation check captures both the introduction of a
* per-destination dce_t (e.g., due to ICMP packet too big) and
* any change to the per-destination dce (including it becoming
* condemned by use of the special DCE_GENERATION_CONDEMNED).
*/
/*
* To avoid a periodic timer to increase the path MTU we
* look at dce_last_change_time each time we send a packet.
*/
/*
* Older than 20 minutes. Drop the path MTU information.
* Since the path MTU changes as a result of this,
* twiddle ixa_dce_generation to make us go through the
* dce verification code in conn_ip_output.
*/
}
}
if (error != 0) {
ip_drop_output("ipIfStatsOutDiscards - verify dce",
goto drop;
}
/*
* Note that some other event could already have made the
* new dce's generation number change.
* We catch that next time we try to send a packet.
*/
}
/*
* An initial ixa_fragsize was set in ip_set_destination
* and we update it if any routing changes above.
* A change to ill_mtu with ifconfig will increase all dce_generation
* so that we will detect that with the generation check.
*/
/*
* Caller needs to make sure IXAF_VERIFY_SRC is not set if
* conn_unspec_src.
*/
if ((ixaflags & IXAF_VERIFY_SOURCE) &&
/* Check if the IP source is still assigned to the host. */
/* Don't send a packet with a source that isn't ours */
ip_drop_output("ipIfStatsOutDiscards - invalid src",
goto drop;
}
/* The source is still valid - update the generation number */
}
/*
* We don't have an IRE when we fragment, hence ire_ob_pkt_count
* can only count the use prior to fragmentation. However the MIB
* counters on the ill will be incremented in post fragmentation.
*/
ire->ire_ob_pkt_count++;
/*
* Based on ire_type and ire_flags call one of:
* ire_send_local_v* - for IRE_LOCAL and IRE_LOOPBACK
* ire_send_multirt_v* - if RTF_MULTIRT
* ire_send_noroute_v* - if RTF_REJECT or RTF_BLACHOLE
* ire_send_multicast_v* - for IRE_MULTICAST
* ire_send_broadcast_v4 - for IRE_BROADCAST
* ire_send_wire_v* - for the rest.
*/
#ifdef DEBUG
#endif
drop:
if (ixaflags & IXAF_IS_IPV4) {
} else {
}
#ifdef DEBUG
#endif
return (error);
}
/*
* Handle both IPv4 and IPv6. Sets the generation number
* to allow the caller to know when to call us again.
* Returns true if the source address in the packet is a valid source.
* We handle callers which try to send with a zero address (since we only
* get here if UNSPEC_SRC is not set).
*/
{
/*
* Need to grab the generation number before we check to
* avoid a race with a change to the set of local addresses.
* No lock needed since the thread which updates the set of local
* barrier) before doing the atomic increase of ips_src_generation.
*/
if (generationp != NULL)
return (B_FALSE);
} else {
return (B_FALSE);
else
scopeid = 0;
}
}
/*
* Handle both IPv4 and IPv6. Reverify/recalculate the IRE to use.
*/
int
{
int error;
/*
* Redo ip_select_route.
* Need to grab generation number as part of the lookup to
* avoid race.
*/
error = 0;
if (error != 0) {
return (error);
}
#ifdef DEBUG
#endif
if (multirt) {
else
} else {
}
/*
* Don't look for an nce for reject or blackhole.
* They have ire_generation set to IRE_GENERATION_VERIFY which
* makes conn_ip_output avoid references to ixa_nce.
*/
return (0);
}
/* The NCE could now be different */
/*
* next time we send.
*/
return (ENOBUFS);
}
/* No change */
return (0);
}
/*
* Since the path MTU might change as a result of this
* route change, we twiddle ixa_dce_generation to
* make conn_ip_output go through the ip_verify_dce code.
*/
return (0);
}
/*
* Handle both IPv4 and IPv6. Reverify/recalculate the NCE to use.
*/
static int
{
int error = 0;
else
/* Try to find a better ire */
}
/*
* The hardware offloading capabilities, for example LSO, of the
* interface might have changed, so do sanity verification here.
*/
IXAN_LSO, 0);
}
}
/*
* Verify ZEROCOPY capability of underlying ill. Notify the ULP with
* any ZEROCOPY changes. In case ZEROCOPY capability is not available
* any more, return error so that conn_ip_output() can take care of
* the ZEROCOPY message properly. It's safe to continue send the
* message when ZEROCOPY newly become available.
*/
IXAN_ZCOPY, 0);
}
}
/*
* Since the path MTU might change as a result of this
* change, we twiddle ixa_dce_generation to
* make conn_ip_output go through the ip_verify_dce code.
*/
return (error);
}
/*
* Handle both IPv4 and IPv6. Reverify/recalculate the DCE to use.
*/
static int
{
#ifdef DEBUG
#endif
/* Extract the (path) mtu from the dce, ncec_ill etc */
/*
* Tell ULP about PMTU changes - increase or decrease - by returning
* an error if IXAF_VERIFY_PMTU is set. In such case, ULP should update
* both ixa_pmtu and ixa_fragsize appropriately.
*
* If ULP doesn't set that flag then we need to update ixa_fragsize
* since routing could have changed the ill after after ixa_fragsize
* was set previously in the conn_ip_output path or in
* ip_set_destination.
*
* In case of LSO, ixa_fragsize might be greater than ixa_pmtu.
*
* In the case of a path MTU increase we send the packet after the
* notify to the ULP.
*/
return (EMSGSIZE);
}
} else {
}
return (0);
}
/*
* Verify LSO usability. Keep the return value simple to indicate whether
* the LSO capability has changed. Handle both IPv4 and IPv6.
*/
static boolean_t
{
/*
* Not unsable any more.
*/
!ILL_LSO_TCP_IPV6_USABLE(ill))) {
return (B_FALSE);
}
/*
* Capability has changed, refresh the copy in ixa.
*/
return (B_FALSE);
}
} else { /* Was not usable */
return (B_FALSE);
}
}
return (B_TRUE);
}
/*
* Verify ZEROCOPY usability. Keep the return value simple to indicate whether
* the ZEROCOPY capability has changed. Handle both IPv4 and IPv6.
*/
static boolean_t
{
/*
* Not unsable any more.
*/
!ILL_ZCOPY_USABLE(ill)) {
return (B_FALSE);
}
} else { /* Was not usable */
ILL_ZCOPY_USABLE(ill)) {
return (B_FALSE);
}
}
return (B_TRUE);
}
/*
* When there is no conn_t context, this will send a packet.
* The caller must *not* have called conn_connect() or ip_attr_connect()
* before calling ip_output_simple().
* Handles IPv4 and IPv6. Returns zero or an errno such as ENETUNREACH.
* Honors IXAF_SET_SOURCE.
*
* We acquire the ire and after calling ire_sendfn we release
* the hold on the ire. Ditto for the nce and dce.
*
* This assumes that the caller has set the following in ip_xmit_attr_t:
* ixa_tsl, ixa_zoneid, and ixa_ipst must always be set.
* If ixa_ifindex is non-zero it means send out that ill. (If it is
* an upper IPMP ill we load balance across the group; if a lower we send
* on that lower ill without load balancing.)
* IXAF_IS_IPV4 must be set correctly.
* If IXAF_IPSEC_SECURE is set then the ixa_ipsec_* fields must be set.
* If IXAF_NO_IPSEC is set we'd skip IPsec policy lookup.
* If neither of those two are set we do an IPsec policy lookup.
*
* We handle setting things like
* ixa_pktlen
* ixa_ip_hdr_length
* ixa->ixa_protocol
*
* The caller may set ixa_xmit_hint, which is used for ECMP selection and
* transmit ring selecting in GLD.
*
* The caller must do an ixa_cleanup() to release any IPsec references
* after we return.
*/
int
{
int err;
if (is_system_labeled()) {
} else {
}
if (err != 0) {
return (err);
}
if (effective_tsl != NULL) {
/* Update the label */
}
}
else
}
int
{
int error;
/*
* Even on labeled systems we can have a NULL ixa_tsl e.g.,
*/
/* Caller already set flags */
/*
* Assumes that source routed packets have already been massaged by
* the ULP (ip_massage_options) and as a result ipha_dst is the next
* hop in the source route. The final destination is used for IPsec
* policy and DCE lookup.
*/
error = 0;
setsrc = INADDR_ANY;
&multirt);
if (error != 0) {
goto done;
}
/* ire_ill might be NULL hence need to skip some code */
if (ixaflags & IXAF_SET_SOURCE)
ire->ire_ob_pkt_count++;
/* No dce yet; use default one */
goto done;
}
/* Note that ipha_dst is only used for IRE_MULTICAST */
/* Allocation failure? */
goto done;
}
if (nce->nce_is_condemned) {
if (!repeat) {
/* Try finding a better IRE */
goto repeat_ire;
}
/* Tried twice - drop packet */
goto done;
}
}
/*
* For multicast with multirt we have a flag passed back from
* ire_lookup_multi_ill_v4 since we don't have an IRE for each
* possible multicast address.
* We also need a flag for multicast since we can't check
* whether RTF_MULTIRT is set in ixa_ire for multicast.
*/
if (multirt) {
} else {
}
/*
* Check for a dce_t with a path mtu.
*/
if (!(ixaflags & IXAF_PMTU_DISCOVERY)) {
/*
* To avoid a periodic timer to increase the path MTU we
* look at dce_last_change_time each time we send a packet.
*/
now = ddi_get_lbolt64();
/*
* Older than 20 minutes. Drop the path MTU information.
*/
} else {
}
} else {
}
/*
* We use use ire_nexthop_ill (and not ncec_ill) to avoid the under ipmp
* interface for source address selection.
*/
if (ixaflags & IXAF_SET_SOURCE) {
/*
* We use the final destination to get
* correct selection for source routed packets
*/
/* If unreachable we have no ill but need some source */
error = 0;
} else {
}
if (error != 0) {
ip_drop_output("ipIfStatsOutDiscards - no source",
goto done;
}
} else if (ixaflags & IXAF_VERIFY_SOURCE) {
/* Check if the IP source is assigned to the host. */
/* Don't send a packet with a source that isn't ours */
ip_drop_output("ipIfStatsOutDiscards - invalid source",
goto done;
}
}
/*
* IPsec will set IXAF_IPSEC_* and ixa_ipsec_* as appropriate.
*/
/* MIB and ip_drop_packet already done */
return (EHOSTUNREACH); /* IPsec policy failure */
}
}
} else {
}
/*
* We update the statistics on the most specific IRE i.e., the first
* one we found.
* We don't have an IRE when we fragment, hence ire_ob_pkt_count
* can only count the use prior to fragmentation. However the MIB
* counters on the ill will be incremented in post fragmentation.
*/
ire->ire_ob_pkt_count++;
/*
* Based on ire_type and ire_flags call one of:
* ire_send_local_v4 - for IRE_LOCAL and IRE_LOOPBACK
* ire_send_multirt_v4 - if RTF_MULTIRT
* ire_send_noroute_v4 - if RTF_REJECT or RTF_BLACHOLE
* ire_send_multicast_v4 - for IRE_MULTICAST
* ire_send_broadcast_v4 - for IRE_BROADCAST
* ire_send_wire_v4 - for the rest.
*/
done:
return (error);
}
/*
* ire_sendfn() functions.
* These functions use the following xmit_attr:
* - ixa_fragsize - read to determine whether or not to fragment
* - IXAF_IPSEC_SECURE - to determine whether or not to invoke IPsec
* - ixa_ipsec_* are used inside IPsec
* - IXAF_SET_SOURCE - replace IP source in broadcast case.
* - IXAF_LOOPBACK_COPY - for multicast and broadcast
*/
/*
* ire_sendfn for IRE_LOCAL and IRE_LOOPBACK
*
* The checks for restrict_interzone_loopback are done in ire_route_recursive.
*/
/* ARGSUSED4 */
int
{
/*
* No fragmentation, no nce, no application of IPsec,
* and no ipha_ident assignment.
*
* Note different order between IP provider and FW_HOOKS than in
* send_wire case.
*/
/*
* DTrace this as ip:::send. A packet blocked by FW_HOOKS will fire the
* send probe, but not the receive probe.
*/
int, 1);
if (HOOKS4_INTERESTED_LOOPBACK_OUT(ipst)) {
int error;
return (error);
/*
* Even if the destination was changed by the filter we use the
* forwarding decision that was made based on the address
* in ip_output/ip_set_destination.
*/
/* Length could be different */
}
/*
* If a callback is enabled then we need to know the
* source and destination zoneids for the packet. We already
* have those handy.
*/
if (stackzoneid == GLOBAL_ZONEID) {
/* Shared-IP zone */
} else {
}
}
/* Handle lo0 stats */
/* Map ixa to ira including IPsec policies */
if (!IS_SIMPLE_IPH(ipha)) {
}
if (HOOKS4_INTERESTED_LOOPBACK_IN(ipst)) {
int error;
return (error);
}
/*
* Even if the destination was changed by the filter we use the
* forwarding decision that was made based on the address
* in ip_output/ip_set_destination.
*/
/* Length could be different */
}
int, 1);
ire->ire_ib_pkt_count++;
/* Destined to ire_zoneid - use that for fanout */
if (is_system_labeled()) {
/*
* This updates ira_cred, ira_tsl and ira_free_flags based
* on the label. We don't expect this to ever fail for
* loopback packets, so we silently drop the packet should it
* fail.
*/
return (0);
}
/* tsol_get_pkt_label sometimes does pullupmsg */
}
/* We moved any IPsec refs from ixa to iras */
return (0);
}
/*
* ire_sendfn for IRE_BROADCAST
* If the broadcast address is present on multiple ills and ixa_ifindex
* isn't set, then we generate
* a separate datagram (potentially with different source address) for
* those ills. In any case, only one copy is looped back to ip_input_v4.
*/
int
{
/*
* Unless ire_send_multirt_v4 already set a ttl, force the
* ttl to a smallish value.
*/
/*
* To avoid broadcast storms, we usually set the TTL to 1 for
* broadcasts. This can
* be overridden stack-wide through the ip_broadcast_ttl
* ndd tunable, or on a per-connection basis through the
* IP_BROADCAST_TTL socket option.
*
* If SO_DONTROUTE/IXAF_DONTROUTE is set, then ire_send_wire_v4
* will force ttl to one after we've set this.
*/
if (ixaflags & IXAF_BROADCAST_TTL_SET)
else
}
/*
* Make sure we get a loopback copy (after IPsec and frag)
* Skip hardware checksum so that loopback copy is checksumed.
*/
/* Do we need to potentially generate multiple copies? */
/*
* Loop over all IRE_BROADCAST in the bucket (might only be one).
* Note that everything in the bucket has the same destination address.
*/
/* We do the main IRE after the end of the loop */
continue;
/*
* Only IREs for the same IP address should be in the same
* bucket.
* But could have IRE_HOSTs in the case of CGTP.
* If we find any multirt routes we bail out of the loop
* and just do the single packet at the end; ip_postfrag_multirt
* will duplicate the packet.
*/
continue;
if (IRE_IS_CONDEMNED(ire1))
continue;
continue;
break;
/*
* For IPMP we only send for the ipmp_ill. arp_nce_init() will
* ensure that this goes out on the cast_ill.
*/
continue;
ip_drop_output("ipIfStatsOutDiscards",
continue;
}
/*
* Need to pick a different source address for each
* interface. If we have a global IPsec policy and
* no per-socket policy then we punt to
* ip_output_simple_v4 using a separate ip_xmit_attr_t.
*/
if (ixaflags & IXAF_IPSEC_GLOBAL_POLICY) {
continue;
}
/* Pick a new source address for each interface */
ip_drop_output("ipIfStatsOutDiscards - select "
continue;
}
/*
* attributes. IPsec will set IXAF_IPSEC_* and
* ixa_ipsec_* as appropriate.
*/
/*
* MIB and ip_drop_packet already
* done
*/
continue;
}
}
}
/* Make sure we have an NCE on this ill */
ip_drop_output("ipIfStatsOutDiscards - broadcast nce",
continue;
}
/*
* Ignore any errors here. We just collect the errno for
* the main ire below
*/
}
/* Finally, the main one */
/*
* For IPMP we only send broadcasts on the ipmp_ill.
*/
return (0);
}
}
/*
* Send a packet using a different source address and different
* IPsec policy.
*/
static void
{
ixas.ixa_ifindex = 0;
ixa_cleanup(&ixas);
}
static void
{
/* Limit the TTL on multirt packets */
ip2dbg(("ire_send_multirt_v4: forcing multicast "
"multirt TTL to 1 (was %d), dst 0x%08x\n",
}
} else if ((ipst->ips_ip_multirt_ttl > 0) &&
/*
* Need to ensure we don't increase the ttl should we go through
* ire_send_broadcast or multicast.
*/
}
}
/*
* ire_sendfn for IRE_MULTICAST
*/
int
{
/*
* The IRE_MULTICAST is the same whether or not multirt is in use.
* Hence we need special-case code.
*/
if (ixaflags & IXAF_MULTIRT_MULTICAST)
/*
* Check if anything in ip_input_v4 wants a copy of the transmitted
* packet (after IPsec and fragmentation)
*
* 1. Multicast routers always need a copy unless SO_DONTROUTE is set
* RSVP and the rsvp daemon is an example of a
* protocol and user level process that
* handles it's own routing. Hence, it uses the
* SO_DONTROUTE option to accomplish this.
* 2. If the sender has set IP_MULTICAST_LOOP, then we just
* check whether there are any receivers for the group on the ill
* (ignoring the zoneid).
* 3. If IP_MULTICAST_LOOP is not set, then we check if there are
* any members in other shared-IP zones.
* If such members exist, then we indicate that the sending zone
* shouldn't get a loopback copy to preserve the IP_MULTICAST_LOOP
* behavior.
*
* When we loopback we skip hardware checksum to make sure loopback
* copy is checksumed.
*
* Note that ire_ill is the upper in the case of IPMP.
*/
!(ixaflags & IXAF_DONTROUTE)) {
} else if (ixaflags & IXAF_MULTICAST_LOOP) {
/*
* If this zone or any other zone has members then loopback
* a copy.
*/
/*
* This zone should not have a copy. But there are some other
* zones which might have members.
*/
ixa->ixa_zoneid)) {
}
}
/*
* Unless ire_send_multirt_v4 or icmp_output_hdrincl already set a ttl,
* force the ttl to the IP_MULTICAST_TTL value
*/
if (!(ixaflags & IXAF_NO_TTL_CHANGE)) {
}
}
/*
* ire_sendfn for IREs with RTF_MULTIRT
*/
int
{
else
}
/*
* ire_sendfn for IREs with RTF_REJECT/RTF_BLACKHOLE, including IRE_NOROUTE
*/
int
{
/* We assign an IP ident for nice errors */
/* A lack of a route as opposed to RTF_REJECT|BLACKHOLE */
}
/* No error even for local senders - silent blackhole */
return (0);
}
/*
* We need an ill_t for the ip_recv_attr_t even though this packet
* was never received and icmp_unreachable doesn't currently use
* ira_ill.
*/
return (EHOSTUNREACH);
}
/* Map ixa to ira including IPsec policies */
} else {
}
/* We moved any IPsec refs from ixa to iras */
return (EHOSTUNREACH);
}
/*
* Calculate a checksum ignoring any hardware capabilities
*
* Returns B_FALSE if the packet was too short for the checksum. Caller
* should free and do stats.
*/
static boolean_t
{
/* Just in case it contained garbage */
/*
* Calculate ULP checksum
*/
if (protocol == IPPROTO_TCP) {
} else if (protocol == IPPROTO_UDP) {
} else if (protocol == IPPROTO_SCTP) {
/*
* Zero out the checksum field to ensure proper
* checksum calculation.
*/
#ifdef DEBUG
if (!skip_sctp_cksum)
#endif
goto ip_hdr_cksum;
} else {
goto ip_hdr_cksum;
}
/* ULP puts the checksum field is in the first mblk */
/*
* We accumulate the pseudo header checksum in cksum.
* This is pretty hairy code, so watch close. One
* thing to keep in mind is that UDP and TCP have
* stored their respective datagram lengths in their
* checksum fields. This lines things up real nice.
*/
/*
* Change to 0xffff
*/
else
/* Calculate IPv4 header checksum */
ipha->ipha_hdr_checksum = 0;
return (B_TRUE);
}
/*
* Calculate the ULP checksum - try to use hardware.
* In the case of MULTIRT, broadcast or multicast the
* IXAF_NO_HW_CKSUM is set in which case we use software.
*
* If the hardware supports IP header checksum offload; then clear the
* contents of IP header checksum field as expected by NIC.
* Do this only if we offloaded either full or partial sum.
*
* Returns B_FALSE if the packet was too short for the checksum. Caller
* should free and do stats.
*/
static boolean_t
{
!dohwcksum) {
}
/*
* Calculate ULP checksum. Note that we don't use cksump and cksum
* if the ill has FULL support.
*/
if (protocol == IPPROTO_TCP) {
} else if (protocol == IPPROTO_UDP) {
} else if (protocol == IPPROTO_SCTP) {
/*
* Zero out the checksum field to ensure proper
* checksum calculation.
*/
#ifdef DEBUG
if (!skip_sctp_cksum)
#endif
goto ip_hdr_cksum;
} else {
/* Calculate IPv4 header checksum */
ipha->ipha_hdr_checksum = 0;
return (B_TRUE);
}
/* ULP puts the checksum field is in the first mblk */
/*
* Underlying interface supports hardware checksum offload for
* the payload; leave the payload checksum for the hardware to
* calculate. N.B: We only need to set up checksum info on the
* first mblk.
*/
if (hck_flags & HCKSUM_INET_FULL_V4) {
/*
* Hardware calculates pseudo-header, header and the
* payload checksums, so clear the checksum field in
* the protocol header.
*/
*cksump = 0;
ipha->ipha_hdr_checksum = 0;
if (hck_flags & HCKSUM_IPHDRCKSUM) {
} else {
}
return (B_TRUE);
}
if ((hck_flags) & HCKSUM_INET_PARTIAL) {
/*
* Partial checksum offload has been enabled. Fill
* the checksum field in the protocol header with the
* pseudo-header checksum value.
*
* We accumulate the pseudo header checksum in cksum.
* This is pretty hairy code, so watch close. One
* thing to keep in mind is that UDP and TCP have
* stored their respective datagram lengths in their
* checksum fields. This lines things up real nice.
*/
/*
* Offsets are relative to beginning of IP header.
*/
ipha->ipha_hdr_checksum = 0;
if (hck_flags & HCKSUM_IPHDRCKSUM) {
} else {
}
return (B_TRUE);
}
/* Hardware capabilities include neither full nor partial IPv4 */
}
/*
* ire_sendfn for offlink and onlink destinations.
* Also called from the multicast, broadcast, multirt send functions.
*
* Assumes that the caller has a hold on the ire.
*
* This function doesn't care if the IRE just became condemned since that
* can happen at any time.
*/
/* ARGSUSED */
int
{
if (ixaflags & IXAF_DONTROUTE)
/*
* Assign an ident value for this packet. There could be other
* threads targeting the same destination, so we have to arrange
* for a atomic increment. Note that we use a 32-bit atomic add
* because it has better performance than its 16-bit sibling.
*
* Normally ixa_extra_ident is 0, but in the case of LSO it will
* extraly construct.
*
* If running in cluster mode and if the source address
* belongs to a replicated service then vector through
* cl_inet_ipident vector to allocate ip identifier
* NOTE: This is a contract private interface with the
* clustering group.
*/
if (cl_inet_ipident != NULL) {
/*
* Note: not correct with LSO since we can't allocate
* ixa_extra_ident+1 consecutive values.
*/
} else {
}
} else {
}
#ifndef _BIG_ENDIAN
#endif
/*
* This might set b_band, thus the IPsec and fragmentation
* code in IP ensures that b_band is updated in the first mblk.
*/
/* ip_process translates an IS_UNDER_IPMP */
/* ip_drop_packet and MIB done */
return (0); /* Might just be delayed */
}
}
/*
* Verify any IPv4 options.
*
* The presense of IP options also forces the network stack to
* calculate the checksum in software. This is because:
*
* Wrap around: certain partial-checksum NICs (eri, ce) limit
* the size of "start offset" width to 6-bit. This effectively
* sets the largest value of the offset to 64-bytes, starting
* from the MAC header. When the cumulative MAC and IP headers
* exceed such limit, the offset will wrap around. This causes
* the checksum to be calculated at the wrong place.
*
* IPv4 source routing: none of the full-checksum capable NICs
* is capable of correctly handling the IPv4 source-routing
* option for purposes of calculating the pseudo-header; the
* actual destination is different from the destination in the
* header which is that of the next-hop. (This case may not be
* true for NICs which can parse IPv6 extension headers, but
* we choose to simplify the implementation by not offloading
* checksum when they are present.)
*/
if (!IS_SIMPLE_IPH(ipha)) {
/* An IS_UNDER_IPMP ill is ok here */
/* Packet has been consumed and ICMP error sent */
return (EINVAL);
}
}
/*
* while we still have ixa_tsl
*/
ip_drop_output("ipIfStatsOutDiscards - newcr",
return (ENOBUFS);
}
}
(ixaflags & IXAF_IPSEC_SECURE)) {
if (ixaflags & IXAF_IPSEC_SECURE)
if (pktlen > IP_MAXPACKET)
return (EMSGSIZE);
if (ixaflags & IXAF_SET_ULP_CKSUM) {
/*
* Compute ULP checksum and IP header checksum
* using software
*/
return (EINVAL);
}
} else {
/* Calculate IPv4 header checksum */
ipha->ipha_hdr_checksum = 0;
}
/*
* If this packet would generate a icmp_frag_needed
* message, we need to handle it before we do the IPsec
* processing. Otherwise, we need to strip the IPsec
* headers before we send up the message to the ULPs
* which becomes messy and difficult.
*
* We check using IXAF_DONTFRAG. The DF bit in the header
* is not inspected - it will be copied to any generated
* fragments.
*/
(ixaflags & IXAF_DONTFRAG)) {
/* Generate ICMP and return error */
/* Map ixa to ira including IPsec policies */
/* We moved any IPsec refs from ixa to iras */
return (EMSGSIZE);
}
if (ixaflags & IXAF_IPSEC_SECURE) {
/*
* Pass in sufficient information so that
* IPsec can determine whether to fragment, and
* which function to call after fragmentation.
*/
}
}
if (ixaflags & IXAF_SET_ULP_CKSUM) {
/* Compute ULP checksum and IP header checksum */
/* An IS_UNDER_IPMP ill is ok here */
return (EINVAL);
}
} else {
/* Calculate IPv4 header checksum */
ipha->ipha_hdr_checksum = 0;
}
}
/*
* Send mp into ip_input
* Common for IPv4 and IPv6
*/
void
{
iras.ira_free_flags = 0;
if (ixaflags & IXAF_IS_IPV4)
/* Broadcast and multicast doesn't care about the squeue */
if (ixaflags & IXAF_IS_IPV4) {
}
} else {
}
}
/* Any references to clean up? No hold on ira */
}
/*
* Post fragmentation function for IRE_MULTICAST and IRE_BROADCAST which
* looks at the IXAF_LOOPBACK_COPY flag.
* Common for IPv4 and IPv6.
*
* If the loopback copy fails (due to no memory) but we send the packet out
* on the wire we return no failure. Only in the case we supress the wire
* sending do we take the loopback failure into account.
*
* Note that we do not perform DTRACE_IP7 and FW_HOOKS for the looped back copy.
* Those operations are performed on this packet in ip_xmit() and it would
* be odd to do it twice for the same packet.
*/
int
{
int error = 0;
/*
* Check for IXAF_LOOPBACK_COPY - send a copy to ip as if the driver
* had looped it back
*/
if (ixaflags & IXAF_LOOPBACK_COPY) {
/* Failed to deliver the loopback copy. */
} else {
nolzid);
}
}
/*
* If TTL = 0 then only do the loopback to this host i.e. we are
* done. We are also done if this was the
* loopback interface since it is sufficient
* to loopback one copy of a multicast packet.
*/
if (ixaflags & IXAF_IS_IPV4) {
ip_drop_output("multicast ipha_ttl not sent to wire",
return (error);
}
} else {
ip_drop_output("multicast ipha_ttl not sent to wire",
return (error);
}
}
/* Loopback interface */
return (error);
}
ixacookie));
}
/*
* Post fragmentation function for RTF_MULTIRT routes.
* Since IRE_BROADCASTs can have RTF_MULTIRT, this function
* checks IXAF_LOOPBACK_COPY.
*
* If no packet is sent due to failures then we return an errno, but if at
* least one succeeded we return zero.
*/
int
{
int error = 0;
int num_sent = 0;
int err;
/* Check for IXAF_LOOPBACK_COPY */
if (ixaflags & IXAF_LOOPBACK_COPY) {
/* Failed to deliver the loopback copy. */
} else {
nolzid);
}
}
/*
* Loop over RTF_MULTIRT for ipha_dst in the same bucket. Send
* a copy to each one.
* Use the nce (nexthop) and ipha_dst to find the ire.
*
* MULTIRT is not designed to work with shared-IP zones thus we don't
* need to pass a zoneid or a label to the IRE lookup.
*/
/* Broadcast and multicast case */
} else {
/* Unicast case */
}
/* Drop */
ip_drop_output("ip_postfrag_multirt didn't find route",
return (ENETUNREACH);
}
/*
* For broadcast we can have a mixture of IRE_BROADCAST and
* IRE_HOST due to the manually added IRE_HOSTs that are used
* to trigger the creation of the special CGTP broadcast routes.
* Thus we have to skip if ire_type doesn't match the original.
*/
if (IRE_IS_CONDEMNED(ire1) ||
continue;
/* Do the ire argument one after the loop */
continue;
/*
* This ire might not have been picked by
* ire_route_recursive, in which case ire_dep might
* not have been setup yet.
* We kick ire_route_recursive to try to resolve
* starting at ire1.
*/
}
ip_drop_output("ipIfStatsOutDiscards - no ill",
error = ENETUNREACH;
continue;
}
/* Pick the addr and type to use for arp_nce_init */
} else {
}
/* If IPMP meta or under, then we just drop */
ip_drop_output("ipIfStatsOutDiscards - IPMP",
error = ENETUNREACH;
continue;
}
ip_drop_output("ipIfStatsOutDiscards - no nce",
error = ENETUNREACH;
continue;
}
continue;
}
/* Preserve HW checksum for this copy */
ire1->ire_ob_pkt_count++;
0, ixacookie);
if (err == 0)
num_sent++;
else
}
/* Finally, the main one */
if (err == 0)
num_sent++;
else
if (num_sent > 0)
return (0);
else
return (error);
}
/*
* Verify local connectivity. This check is called by ULP fusion code.
* The generation number on an IRE_LOCAL or IRE_LOOPBACK only changes if
* the interface is brought down and back up. So we simply fail the local
* process. The caller, TCP Fusion, should unfuse the connection.
*/
{
return (B_FALSE);
}
/*
* Local process for ULP loopback, TCP Fusion. Handle both IPv4 and IPv6.
*
* The caller must call ip_output_verify_local() first. This function handles
*/
mblk_t *
{
int error;
if (ixaflags & IXAF_IS_IPV4) {
/*
* If a callback is enabled then we need to know the
* source and destination zoneids for the packet. We already
* have those handy.
*/
if (stackzoneid == GLOBAL_ZONEID) {
/* Shared-IP zone */
} else {
}
ipst);
}
NULL, int, 1);
/* FW_HOOKS: LOOPBACK_OUT */
if (hooks_out) {
}
return (NULL);
/* FW_HOOKS: LOOPBACK_IN */
if (hooks_in) {
}
return (NULL);
NULL, int, 1);
/* Inbound IPsec polocies */
if (peer_connp != NULL) {
/* Map ixa to ira including IPsec policies. */
}
} else {
/*
* If a callback is enabled then we need to know the
* source and destination zoneids for the packet. We already
* have those handy.
*/
if (stackzoneid == GLOBAL_ZONEID) {
/* Shared-IP zone */
} else {
}
ipst);
}
ip6h, int, 1);
/* FW_HOOKS: LOOPBACK_OUT */
if (hooks_out) {
}
return (NULL);
/* FW_HOOKS: LOOPBACK_IN */
if (hooks_in) {
}
return (NULL);
ip6h, int, 1);
/* Inbound IPsec polocies */
if (peer_connp != NULL) {
/* Map ixa to ira including IPsec policies. */
}
}
}
return (mp);
}