0      stevel /*
     0      stevel  * CDDL HEADER START
     0      stevel  *
     0      stevel  * The contents of this file are subject to the terms of the
  1503    ericheng  * Common Development and Distribution License (the "License").
  1503    ericheng  * You may not use this file except in compliance with the License.
     0      stevel  *
     0      stevel  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
     0      stevel  * or http://www.opensolaris.org/os/licensing.
     0      stevel  * See the License for the specific language governing permissions
     0      stevel  * and limitations under the License.
     0      stevel  *
     0      stevel  * When distributing Covered Code, include this CDDL HEADER in each
     0      stevel  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
     0      stevel  * If applicable, add the following below this CDDL HEADER, with the
     0      stevel  * fields enclosed by brackets "[]" replaced with your own identifying
     0      stevel  * information: Portions Copyright [yyyy] [name of copyright owner]
     0      stevel  *
     0      stevel  * CDDL HEADER END
     0      stevel  */
     0      stevel /*
  8485       Peter  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
     0      stevel  * Use is subject to license terms.
     0      stevel  */
     0      stevel 
     0      stevel /*
     0      stevel  * IP PACKET CLASSIFIER
     0      stevel  *
     0      stevel  * The IP packet classifier provides mapping between IP packets and persistent
     0      stevel  * connection state for connection-oriented protocols. It also provides
     0      stevel  * interface for managing connection states.
     0      stevel  *
     0      stevel  * The connection state is kept in conn_t data structure and contains, among
     0      stevel  * other things:
     0      stevel  *
     0      stevel  *	o local/remote address and ports
     0      stevel  *	o Transport protocol
     0      stevel  *	o squeue for the connection (for TCP only)
     0      stevel  *	o reference counter
     0      stevel  *	o Connection state
     0      stevel  *	o hash table linkage
     0      stevel  *	o interface/ire information
     0      stevel  *	o credentials
     0      stevel  *	o ipsec policy
     0      stevel  *	o send and receive functions.
     0      stevel  *	o mutex lock.
     0      stevel  *
     0      stevel  * Connections use a reference counting scheme. They are freed when the
     0      stevel  * reference counter drops to zero. A reference is incremented when connection
     0      stevel  * is placed in a list or table, when incoming packet for the connection arrives
     0      stevel  * and when connection is processed via squeue (squeue processing may be
     0      stevel  * asynchronous and the reference protects the connection from being destroyed
     0      stevel  * before its processing is finished).
     0      stevel  *
 11042        Erik  * conn_recv is used to pass up packets to the ULP.
 11042        Erik  * For TCP conn_recv changes. It is tcp_input_listener_unbound initially for
 11042        Erik  * a listener, and changes to tcp_input_listener as the listener has picked a
 11042        Erik  * good squeue. For other cases it is set to tcp_input_data.
 11042        Erik  *
 11042        Erik  * conn_recvicmp is used to pass up ICMP errors to the ULP.
     0      stevel  *
     0      stevel  * Classifier uses several hash tables:
     0      stevel  *
     0      stevel  * 	ipcl_conn_fanout:	contains all TCP connections in CONNECTED state
     0      stevel  *	ipcl_bind_fanout:	contains all connections in BOUND state
     0      stevel  *	ipcl_proto_fanout:	IPv4 protocol fanout
     0      stevel  *	ipcl_proto_fanout_v6:	IPv6 protocol fanout
     0      stevel  *	ipcl_udp_fanout:	contains all UDP connections
 10616   Sebastien  *	ipcl_iptun_fanout:	contains all IP tunnel connections
     0      stevel  *	ipcl_globalhash_fanout:	contains all connections
     0      stevel  *
     0      stevel  * The ipcl_globalhash_fanout is used for any walkers (like snmp and Clustering)
     0      stevel  * which need to view all existing connections.
     0      stevel  *
     0      stevel  * All tables are protected by per-bucket locks. When both per-bucket lock and
     0      stevel  * connection lock need to be held, the per-bucket lock should be acquired
     0      stevel  * first, followed by the connection lock.
     0      stevel  *
     0      stevel  * All functions doing search in one of these tables increment a reference
     0      stevel  * counter on the connection found (if any). This reference should be dropped
     0      stevel  * when the caller has finished processing the connection.
     0      stevel  *
     0      stevel  *
     0      stevel  * INTERFACES:
     0      stevel  * ===========
     0      stevel  *
     0      stevel  * Connection Lookup:
     0      stevel  * ------------------
     0      stevel  *
 11042        Erik  * conn_t *ipcl_classify_v4(mp, protocol, hdr_len, ira, ip_stack)
 11042        Erik  * conn_t *ipcl_classify_v6(mp, protocol, hdr_len, ira, ip_stack)
     0      stevel  *
     0      stevel  * Finds connection for an incoming IPv4 or IPv6 packet. Returns NULL if
     0      stevel  * it can't find any associated connection. If the connection is found, its
     0      stevel  * reference counter is incremented.
     0      stevel  *
     0      stevel  *	mp:	mblock, containing packet header. The full header should fit
     0      stevel  *		into a single mblock. It should also contain at least full IP
     0      stevel  *		and TCP or UDP header.
     0      stevel  *
     0      stevel  *	protocol: Either IPPROTO_TCP or IPPROTO_UDP.
     0      stevel  *
     0      stevel  *	hdr_len: The size of IP header. It is used to find TCP or UDP header in
     0      stevel  *		 the packet.
     0      stevel  *
 11042        Erik  * 	ira->ira_zoneid: The zone in which the returned connection must be; the
 11042        Erik  *		zoneid corresponding to the ire_zoneid on the IRE located for
 11042        Erik  *		the packet's destination address.
 11042        Erik  *
 11042        Erik  *	ira->ira_flags: Contains the IRAF_TX_MAC_EXEMPTABLE and
 11042        Erik  *		IRAF_TX_SHARED_ADDR flags
     0      stevel  *
     0      stevel  *	For TCP connections, the lookup order is as follows:
     0      stevel  *		5-tuple {src, dst, protocol, local port, remote port}
     0      stevel  *			lookup in ipcl_conn_fanout table.
     0      stevel  *		3-tuple {dst, remote port, protocol} lookup in
     0      stevel  *			ipcl_bind_fanout table.
     0      stevel  *
     0      stevel  *	For UDP connections, a 5-tuple {src, dst, protocol, local port,
     0      stevel  *	remote port} lookup is done on ipcl_udp_fanout. Note that,
     0      stevel  *	these interfaces do not handle cases where a packets belongs
     0      stevel  *	to multiple UDP clients, which is handled in IP itself.
  1676         jpk  *
  1676         jpk  * If the destination IRE is ALL_ZONES (indicated by zoneid), then we must
  1676         jpk  * determine which actual zone gets the segment.  This is used only in a
  1676         jpk  * labeled environment.  The matching rules are:
  1676         jpk  *
  1676         jpk  *	- If it's not a multilevel port, then the label on the packet selects
  1676         jpk  *	  the zone.  Unlabeled packets are delivered to the global zone.
  1676         jpk  *
  1676         jpk  *	- If it's a multilevel port, then only the zone registered to receive
  1676         jpk  *	  packets on that port matches.
  1676         jpk  *
  1676         jpk  * Also, in a labeled environment, packet labels need to be checked.  For fully
  1676         jpk  * bound TCP connections, we can assume that the packet label was checked
  1676         jpk  * during connection establishment, and doesn't need to be checked on each
  1676         jpk  * packet.  For others, though, we need to check for strict equality or, for
  1676         jpk  * multilevel ports, membership in the range or set.  This part currently does
  1676         jpk  * a tnrh lookup on each packet, but could be optimized to use cached results
  1676         jpk  * if that were necessary.  (SCTP doesn't come through here, but if it did,
  1676         jpk  * we would apply the same rules as TCP.)
  1676         jpk  *
  1676         jpk  * An implication of the above is that fully-bound TCP sockets must always use
  1676         jpk  * distinct 4-tuples; they can't be discriminated by label alone.
  1676         jpk  *
  1676         jpk  * Note that we cannot trust labels on packets sent to fully-bound UDP sockets,
  1676         jpk  * as there's no connection set-up handshake and no shared state.
  1676         jpk  *
  1676         jpk  * Labels on looped-back packets within a single zone do not need to be
  1676         jpk  * checked, as all processes in the same zone have the same label.
  1676         jpk  *
  1676         jpk  * Finally, for unlabeled packets received by a labeled system, special rules
  1676         jpk  * apply.  We consider only the MLP if there is one.  Otherwise, we prefer a
  1676         jpk  * socket in the zone whose label matches the default label of the sender, if
  1676         jpk  * any.  In any event, the receiving socket must have SO_MAC_EXEMPT set and the
  1676         jpk  * receiver's label must dominate the sender's default label.
     0      stevel  *
 11042        Erik  * conn_t *ipcl_tcp_lookup_reversed_ipv4(ipha_t *, tcpha_t *, int, ip_stack);
  3448    dh155122  * conn_t *ipcl_tcp_lookup_reversed_ipv6(ip6_t *, tcpha_t *, int, uint_t,
  3448    dh155122  *					 ip_stack);
     0      stevel  *
     0      stevel  *	Lookup routine to find a exact match for {src, dst, local port,
     0      stevel  *	remote port) for TCP connections in ipcl_conn_fanout. The address and
     0      stevel  *	ports are read from the IP and TCP header respectively.
     0      stevel  *
  3448    dh155122  * conn_t	*ipcl_lookup_listener_v4(lport, laddr, protocol,
  3448    dh155122  *					 zoneid, ip_stack);
  3448    dh155122  * conn_t	*ipcl_lookup_listener_v6(lport, laddr, protocol, ifindex,
  3448    dh155122  *					 zoneid, ip_stack);
     0      stevel  *
     0      stevel  * 	Lookup routine to find a listener with the tuple {lport, laddr,
     0      stevel  * 	protocol} in the ipcl_bind_fanout table. For IPv6, an additional
     0      stevel  * 	parameter interface index is also compared.
     0      stevel  *
  3448    dh155122  * void ipcl_walk(func, arg, ip_stack)
     0      stevel  *
     0      stevel  * 	Apply 'func' to every connection available. The 'func' is called as
     0      stevel  *	(*func)(connp, arg). The walk is non-atomic so connections may be
     0      stevel  *	created and destroyed during the walk. The CONN_CONDEMNED and
     0      stevel  *	CONN_INCIPIENT flags ensure that connections which are newly created
     0      stevel  *	or being destroyed are not selected by the walker.
     0      stevel  *
     0      stevel  * Table Updates
     0      stevel  * -------------
     0      stevel  *
 11042        Erik  * int ipcl_conn_insert(connp);
 11042        Erik  * int ipcl_conn_insert_v4(connp);
 11042        Erik  * int ipcl_conn_insert_v6(connp);
     0      stevel  *
     0      stevel  *	Insert 'connp' in the ipcl_conn_fanout.
     0      stevel  *	Arguements :
     0      stevel  *		connp		conn_t to be inserted
     0      stevel  *
     0      stevel  *	Return value :
     0      stevel  *		0		if connp was inserted
     0      stevel  *		EADDRINUSE	if the connection with the same tuple
     0      stevel  *				already exists.
     0      stevel  *
 11042        Erik  * int ipcl_bind_insert(connp);
 11042        Erik  * int ipcl_bind_insert_v4(connp);
 11042        Erik  * int ipcl_bind_insert_v6(connp);
     0      stevel  *
     0      stevel  * 	Insert 'connp' in ipcl_bind_fanout.
     0      stevel  * 	Arguements :
     0      stevel  * 		connp		conn_t to be inserted
     0      stevel  *
     0      stevel  *
     0      stevel  * void ipcl_hash_remove(connp);
     0      stevel  *
     0      stevel  * 	Removes the 'connp' from the connection fanout table.
     0      stevel  *
     0      stevel  * Connection Creation/Destruction
     0      stevel  * -------------------------------
     0      stevel  *
  3448    dh155122  * conn_t *ipcl_conn_create(type, sleep, netstack_t *)
     0      stevel  *
     0      stevel  * 	Creates a new conn based on the type flag, inserts it into
     0      stevel  * 	globalhash table.
     0      stevel  *
     0      stevel  *	type:	This flag determines the type of conn_t which needs to be
  5240    nordmark  *		created i.e., which kmem_cache it comes from.
     0      stevel  *		IPCL_TCPCONN	indicates a TCP connection
  5240    nordmark  *		IPCL_SCTPCONN	indicates a SCTP connection
  5240    nordmark  *		IPCL_UDPCONN	indicates a UDP conn_t.
  5240    nordmark  *		IPCL_RAWIPCONN	indicates a RAWIP/ICMP conn_t.
  5240    nordmark  *		IPCL_RTSCONN	indicates a RTS conn_t.
  5240    nordmark  *		IPCL_IPCCONN	indicates all other connections.
     0      stevel  *
     0      stevel  * void ipcl_conn_destroy(connp)
     0      stevel  *
     0      stevel  * 	Destroys the connection state, removes it from the global
     0      stevel  * 	connection hash table and frees its memory.
     0      stevel  */
     0      stevel 
     0      stevel #include <sys/types.h>
     0      stevel #include <sys/stream.h>
     0      stevel #include <sys/stropts.h>
     0      stevel #include <sys/sysmacros.h>
     0      stevel #include <sys/strsubr.h>
     0      stevel #include <sys/strsun.h>
     0      stevel #define	_SUN_TPI_VERSION 2
     0      stevel #include <sys/ddi.h>
     0      stevel #include <sys/cmn_err.h>
     0      stevel #include <sys/debug.h>
     0      stevel 
     0      stevel #include <sys/systm.h>
     0      stevel #include <sys/param.h>
     0      stevel #include <sys/kmem.h>
     0      stevel #include <sys/isa_defs.h>
     0      stevel #include <inet/common.h>
     0      stevel #include <netinet/ip6.h>
     0      stevel #include <netinet/icmp6.h>
     0      stevel 
     0      stevel #include <inet/ip.h>
 11042        Erik #include <inet/ip_if.h>
 11042        Erik #include <inet/ip_ire.h>
     0      stevel #include <inet/ip6.h>
     0      stevel #include <inet/ip_ndp.h>
  8348        Eric #include <inet/ip_impl.h>
   741    masputra #include <inet/udp_impl.h>
     0      stevel #include <inet/sctp_ip.h>
  3448    dh155122 #include <inet/sctp/sctp_impl.h>
  5240    nordmark #include <inet/rawip_impl.h>
  5240    nordmark #include <inet/rts_impl.h>
 10616   Sebastien #include <inet/iptun/iptun_impl.h>
     0      stevel 
     0      stevel #include <sys/cpuvar.h>
     0      stevel 
     0      stevel #include <inet/ipclassifier.h>
  8348        Eric #include <inet/tcp.h>
     0      stevel #include <inet/ipsec_impl.h>
  1676         jpk 
  1676         jpk #include <sys/tsol/tnet.h>
  8348        Eric #include <sys/sockio.h>
     0      stevel 
  3448    dh155122 /* Old value for compatibility. Setable in /etc/system */
     0      stevel uint_t tcp_conn_hash_size = 0;
     0      stevel 
  3448    dh155122 /* New value. Zero means choose automatically.  Setable in /etc/system */
     0      stevel uint_t ipcl_conn_hash_size = 0;
     0      stevel uint_t ipcl_conn_hash_memfactor = 8192;
     0      stevel uint_t ipcl_conn_hash_maxsize = 82500;
     0      stevel 
     0      stevel /* bind/udp fanout table size */
     0      stevel uint_t ipcl_bind_fanout_size = 512;
  1503    ericheng uint_t ipcl_udp_fanout_size = 16384;
     0      stevel 
     0      stevel /* Raw socket fanout size.  Must be a power of 2. */
     0      stevel uint_t ipcl_raw_fanout_size = 256;
 10616   Sebastien 
 10616   Sebastien /*
 10616   Sebastien  * The IPCL_IPTUN_HASH() function works best with a prime table size.  We
 10616   Sebastien  * expect that most large deployments would have hundreds of tunnels, and
 10616   Sebastien  * thousands in the extreme case.
 10616   Sebastien  */
 10616   Sebastien uint_t ipcl_iptun_fanout_size = 6143;
     0      stevel 
     0      stevel /*
     0      stevel  * Power of 2^N Primes useful for hashing for N of 0-28,
     0      stevel  * these primes are the nearest prime <= 2^N - 2^(N-2).
     0      stevel  */
     0      stevel 
     0      stevel #define	P2Ps() {0, 0, 0, 5, 11, 23, 47, 89, 191, 383, 761, 1531, 3067,	\
     0      stevel 		6143, 12281, 24571, 49139, 98299, 196597, 393209,	\
     0      stevel 		786431, 1572853, 3145721, 6291449, 12582893, 25165813,	\
     0      stevel 		50331599, 100663291, 201326557, 0}
     0      stevel 
     0      stevel /*
  5240    nordmark  * wrapper structure to ensure that conn and what follows it (tcp_t, etc)
  5240    nordmark  * are aligned on cache lines.
     0      stevel  */
  5240    nordmark typedef union itc_s {
  5240    nordmark 	conn_t	itc_conn;
  5240    nordmark 	char	itcu_filler[CACHE_ALIGN(conn_s)];
     0      stevel } itc_t;
     0      stevel 
  5240    nordmark struct kmem_cache  *tcp_conn_cache;
  5240    nordmark struct kmem_cache  *ip_conn_cache;
     0      stevel extern struct kmem_cache  *sctp_conn_cache;
     0      stevel extern struct kmem_cache  *tcp_sack_info_cache;
  5240    nordmark struct kmem_cache  *udp_conn_cache;
  5240    nordmark struct kmem_cache  *rawip_conn_cache;
  5240    nordmark struct kmem_cache  *rts_conn_cache;
     0      stevel 
     0      stevel extern void	tcp_timermp_free(tcp_t *);
     0      stevel extern mblk_t	*tcp_timermp_alloc(int);
     0      stevel 
  5240    nordmark static int	ip_conn_constructor(void *, void *, int);
  5240    nordmark static void	ip_conn_destructor(void *, void *);
  5240    nordmark 
  5240    nordmark static int	tcp_conn_constructor(void *, void *, int);
  5240    nordmark static void	tcp_conn_destructor(void *, void *);
  5240    nordmark 
  5240    nordmark static int	udp_conn_constructor(void *, void *, int);
  5240    nordmark static void	udp_conn_destructor(void *, void *);
  5240    nordmark 
  5240    nordmark static int	rawip_conn_constructor(void *, void *, int);
  5240    nordmark static void	rawip_conn_destructor(void *, void *);
  5240    nordmark 
  5240    nordmark static int	rts_conn_constructor(void *, void *, int);
  5240    nordmark static void	rts_conn_destructor(void *, void *);
     0      stevel 
     0      stevel /*
  3448    dh155122  * Global (for all stack instances) init routine
     0      stevel  */
     0      stevel void
  3448    dh155122 ipcl_g_init(void)
     0      stevel {
  5240    nordmark 	ip_conn_cache = kmem_cache_create("ip_conn_cache",
     0      stevel 	    sizeof (conn_t), CACHE_ALIGN_SIZE,
  5240    nordmark 	    ip_conn_constructor, ip_conn_destructor,
  5240    nordmark 	    NULL, NULL, NULL, 0);
     0      stevel 
  5240    nordmark 	tcp_conn_cache = kmem_cache_create("tcp_conn_cache",
  5240    nordmark 	    sizeof (itc_t) + sizeof (tcp_t), CACHE_ALIGN_SIZE,
  5240    nordmark 	    tcp_conn_constructor, tcp_conn_destructor,
  5240    nordmark 	    NULL, NULL, NULL, 0);
  5240    nordmark 
  5240    nordmark 	udp_conn_cache = kmem_cache_create("udp_conn_cache",
  5240    nordmark 	    sizeof (itc_t) + sizeof (udp_t), CACHE_ALIGN_SIZE,
  5240    nordmark 	    udp_conn_constructor, udp_conn_destructor,
  5240    nordmark 	    NULL, NULL, NULL, 0);
  5240    nordmark 
  5240    nordmark 	rawip_conn_cache = kmem_cache_create("rawip_conn_cache",
  5240    nordmark 	    sizeof (itc_t) + sizeof (icmp_t), CACHE_ALIGN_SIZE,
  5240    nordmark 	    rawip_conn_constructor, rawip_conn_destructor,
  5240    nordmark 	    NULL, NULL, NULL, 0);
  5240    nordmark 
  5240    nordmark 	rts_conn_cache = kmem_cache_create("rts_conn_cache",
  5240    nordmark 	    sizeof (itc_t) + sizeof (rts_t), CACHE_ALIGN_SIZE,
  5240    nordmark 	    rts_conn_constructor, rts_conn_destructor,
     0      stevel 	    NULL, NULL, NULL, 0);
  3448    dh155122 }
  3448    dh155122 
  3448    dh155122 /*
  3448    dh155122  * ipclassifier intialization routine, sets up hash tables.
  3448    dh155122  */
  3448    dh155122 void
  3448    dh155122 ipcl_init(ip_stack_t *ipst)
  3448    dh155122 {
  3448    dh155122 	int i;
  3448    dh155122 	int sizes[] = P2Ps();
     0      stevel 
     0      stevel 	/*
  3448    dh155122 	 * Calculate size of conn fanout table from /etc/system settings
     0      stevel 	 */
     0      stevel 	if (ipcl_conn_hash_size != 0) {
  3448    dh155122 		ipst->ips_ipcl_conn_fanout_size = ipcl_conn_hash_size;
     0      stevel 	} else if (tcp_conn_hash_size != 0) {
  3448    dh155122 		ipst->ips_ipcl_conn_fanout_size = tcp_conn_hash_size;
     0      stevel 	} else {
     0      stevel 		extern pgcnt_t freemem;
     0      stevel 
  3448    dh155122 		ipst->ips_ipcl_conn_fanout_size =
     0      stevel 		    (freemem * PAGESIZE) / ipcl_conn_hash_memfactor;
     0      stevel 
  3448    dh155122 		if (ipst->ips_ipcl_conn_fanout_size > ipcl_conn_hash_maxsize) {
  3448    dh155122 			ipst->ips_ipcl_conn_fanout_size =
  3448    dh155122 			    ipcl_conn_hash_maxsize;
  3448    dh155122 		}
     0      stevel 	}
     0      stevel 
     0      stevel 	for (i = 9; i < sizeof (sizes) / sizeof (*sizes) - 1; i++) {
  3448    dh155122 		if (sizes[i] >= ipst->ips_ipcl_conn_fanout_size) {
     0      stevel 			break;
     0      stevel 		}
     0      stevel 	}
  3448    dh155122 	if ((ipst->ips_ipcl_conn_fanout_size = sizes[i]) == 0) {
     0      stevel 		/* Out of range, use the 2^16 value */
  3448    dh155122 		ipst->ips_ipcl_conn_fanout_size = sizes[16];
     0      stevel 	}
     0      stevel 
  3448    dh155122 	/* Take values from /etc/system */
  3448    dh155122 	ipst->ips_ipcl_bind_fanout_size = ipcl_bind_fanout_size;
  3448    dh155122 	ipst->ips_ipcl_udp_fanout_size = ipcl_udp_fanout_size;
  3448    dh155122 	ipst->ips_ipcl_raw_fanout_size = ipcl_raw_fanout_size;
 10616   Sebastien 	ipst->ips_ipcl_iptun_fanout_size = ipcl_iptun_fanout_size;
  3448    dh155122 
  3448    dh155122 	ASSERT(ipst->ips_ipcl_conn_fanout == NULL);
  3448    dh155122 
  3448    dh155122 	ipst->ips_ipcl_conn_fanout = kmem_zalloc(
  3448    dh155122 	    ipst->ips_ipcl_conn_fanout_size * sizeof (connf_t), KM_SLEEP);
  3448    dh155122 
  3448    dh155122 	for (i = 0; i < ipst->ips_ipcl_conn_fanout_size; i++) {
  3448    dh155122 		mutex_init(&ipst->ips_ipcl_conn_fanout[i].connf_lock, NULL,
     0      stevel 		    MUTEX_DEFAULT, NULL);
     0      stevel 	}
     0      stevel 
  3448    dh155122 	ipst->ips_ipcl_bind_fanout = kmem_zalloc(
  3448    dh155122 	    ipst->ips_ipcl_bind_fanout_size * sizeof (connf_t), KM_SLEEP);
     0      stevel 
  3448    dh155122 	for (i = 0; i < ipst->ips_ipcl_bind_fanout_size; i++) {
  3448    dh155122 		mutex_init(&ipst->ips_ipcl_bind_fanout[i].connf_lock, NULL,
     0      stevel 		    MUTEX_DEFAULT, NULL);
     0      stevel 	}
     0      stevel 
 11042        Erik 	ipst->ips_ipcl_proto_fanout_v4 = kmem_zalloc(IPPROTO_MAX *
  3448    dh155122 	    sizeof (connf_t), KM_SLEEP);
  3448    dh155122 	for (i = 0; i < IPPROTO_MAX; i++) {
 11042        Erik 		mutex_init(&ipst->ips_ipcl_proto_fanout_v4[i].connf_lock, NULL,
     0      stevel 		    MUTEX_DEFAULT, NULL);
     0      stevel 	}
     0      stevel 
  3448    dh155122 	ipst->ips_ipcl_proto_fanout_v6 = kmem_zalloc(IPPROTO_MAX *
  3448    dh155122 	    sizeof (connf_t), KM_SLEEP);
  3448    dh155122 	for (i = 0; i < IPPROTO_MAX; i++) {
  3448    dh155122 		mutex_init(&ipst->ips_ipcl_proto_fanout_v6[i].connf_lock, NULL,
     0      stevel 		    MUTEX_DEFAULT, NULL);
     0      stevel 	}
     0      stevel 
  3448    dh155122 	ipst->ips_rts_clients = kmem_zalloc(sizeof (connf_t), KM_SLEEP);
  3448    dh155122 	mutex_init(&ipst->ips_rts_clients->connf_lock,
  3448    dh155122 	    NULL, MUTEX_DEFAULT, NULL);
     0      stevel 
  3448    dh155122 	ipst->ips_ipcl_udp_fanout = kmem_zalloc(
  3448    dh155122 	    ipst->ips_ipcl_udp_fanout_size * sizeof (connf_t), KM_SLEEP);
  3448    dh155122 	for (i = 0; i < ipst->ips_ipcl_udp_fanout_size; i++) {
  3448    dh155122 		mutex_init(&ipst->ips_ipcl_udp_fanout[i].connf_lock, NULL,
 10616   Sebastien 		    MUTEX_DEFAULT, NULL);
 10616   Sebastien 	}
 10616   Sebastien 
 10616   Sebastien 	ipst->ips_ipcl_iptun_fanout = kmem_zalloc(
 10616   Sebastien 	    ipst->ips_ipcl_iptun_fanout_size * sizeof (connf_t), KM_SLEEP);
 10616   Sebastien 	for (i = 0; i < ipst->ips_ipcl_iptun_fanout_size; i++) {
 10616   Sebastien 		mutex_init(&ipst->ips_ipcl_iptun_fanout[i].connf_lock, NULL,
     0      stevel 		    MUTEX_DEFAULT, NULL);
     0      stevel 	}
     0      stevel 
  3448    dh155122 	ipst->ips_ipcl_raw_fanout = kmem_zalloc(
  3448    dh155122 	    ipst->ips_ipcl_raw_fanout_size * sizeof (connf_t), KM_SLEEP);
  3448    dh155122 	for (i = 0; i < ipst->ips_ipcl_raw_fanout_size; i++) {
  3448    dh155122 		mutex_init(&ipst->ips_ipcl_raw_fanout[i].connf_lock, NULL,
  3448    dh155122 		    MUTEX_DEFAULT, NULL);
  3448    dh155122 	}
     0      stevel 
  3448    dh155122 	ipst->ips_ipcl_globalhash_fanout = kmem_zalloc(
  3448    dh155122 	    sizeof (connf_t) * CONN_G_HASH_SIZE, KM_SLEEP);
     0      stevel 	for (i = 0; i < CONN_G_HASH_SIZE; i++) {
  3448    dh155122 		mutex_init(&ipst->ips_ipcl_globalhash_fanout[i].connf_lock,
  3448    dh155122 		    NULL, MUTEX_DEFAULT, NULL);
     0      stevel 	}
     0      stevel }
     0      stevel 
     0      stevel void
  3448    dh155122 ipcl_g_destroy(void)
  3448    dh155122 {
  5240    nordmark 	kmem_cache_destroy(ip_conn_cache);
  5240    nordmark 	kmem_cache_destroy(tcp_conn_cache);
  5240    nordmark 	kmem_cache_destroy(udp_conn_cache);
  5240    nordmark 	kmem_cache_destroy(rawip_conn_cache);
  5240    nordmark 	kmem_cache_destroy(rts_conn_cache);
  3448    dh155122 }
  3448    dh155122 
  3448    dh155122 /*
  3448    dh155122  * All user-level and kernel use of the stack must be gone
  3448    dh155122  * by now.
  3448    dh155122  */
  3448    dh155122 void
  3448    dh155122 ipcl_destroy(ip_stack_t *ipst)
     0      stevel {
     0      stevel 	int i;
     0      stevel 
  3448    dh155122 	for (i = 0; i < ipst->ips_ipcl_conn_fanout_size; i++) {
  3448    dh155122 		ASSERT(ipst->ips_ipcl_conn_fanout[i].connf_head == NULL);
  3448    dh155122 		mutex_destroy(&ipst->ips_ipcl_conn_fanout[i].connf_lock);
  3448    dh155122 	}
  3448    dh155122 	kmem_free(ipst->ips_ipcl_conn_fanout, ipst->ips_ipcl_conn_fanout_size *
  3448    dh155122 	    sizeof (connf_t));
  3448    dh155122 	ipst->ips_ipcl_conn_fanout = NULL;
     0      stevel 
  3448    dh155122 	for (i = 0; i < ipst->ips_ipcl_bind_fanout_size; i++) {
  3448    dh155122 		ASSERT(ipst->ips_ipcl_bind_fanout[i].connf_head == NULL);
  3448    dh155122 		mutex_destroy(&ipst->ips_ipcl_bind_fanout[i].connf_lock);
  3448    dh155122 	}
  3448    dh155122 	kmem_free(ipst->ips_ipcl_bind_fanout, ipst->ips_ipcl_bind_fanout_size *
  3448    dh155122 	    sizeof (connf_t));
  3448    dh155122 	ipst->ips_ipcl_bind_fanout = NULL;
     0      stevel 
  3448    dh155122 	for (i = 0; i < IPPROTO_MAX; i++) {
 11042        Erik 		ASSERT(ipst->ips_ipcl_proto_fanout_v4[i].connf_head == NULL);
 11042        Erik 		mutex_destroy(&ipst->ips_ipcl_proto_fanout_v4[i].connf_lock);
  3448    dh155122 	}
 11042        Erik 	kmem_free(ipst->ips_ipcl_proto_fanout_v4,
 11042        Erik 	    IPPROTO_MAX * sizeof (connf_t));
 11042        Erik 	ipst->ips_ipcl_proto_fanout_v4 = NULL;
     0      stevel 
  3448    dh155122 	for (i = 0; i < IPPROTO_MAX; i++) {
  3448    dh155122 		ASSERT(ipst->ips_ipcl_proto_fanout_v6[i].connf_head == NULL);
  3448    dh155122 		mutex_destroy(&ipst->ips_ipcl_proto_fanout_v6[i].connf_lock);
  3448    dh155122 	}
  3448    dh155122 	kmem_free(ipst->ips_ipcl_proto_fanout_v6,
  3448    dh155122 	    IPPROTO_MAX * sizeof (connf_t));
  3448    dh155122 	ipst->ips_ipcl_proto_fanout_v6 = NULL;
  3448    dh155122 
  3448    dh155122 	for (i = 0; i < ipst->ips_ipcl_udp_fanout_size; i++) {
  3448    dh155122 		ASSERT(ipst->ips_ipcl_udp_fanout[i].connf_head == NULL);
  3448    dh155122 		mutex_destroy(&ipst->ips_ipcl_udp_fanout[i].connf_lock);
  3448    dh155122 	}
  3448    dh155122 	kmem_free(ipst->ips_ipcl_udp_fanout, ipst->ips_ipcl_udp_fanout_size *
  3448    dh155122 	    sizeof (connf_t));
  3448    dh155122 	ipst->ips_ipcl_udp_fanout = NULL;
 10616   Sebastien 
 10616   Sebastien 	for (i = 0; i < ipst->ips_ipcl_iptun_fanout_size; i++) {
 10616   Sebastien 		ASSERT(ipst->ips_ipcl_iptun_fanout[i].connf_head == NULL);
 10616   Sebastien 		mutex_destroy(&ipst->ips_ipcl_iptun_fanout[i].connf_lock);
 10616   Sebastien 	}
 10616   Sebastien 	kmem_free(ipst->ips_ipcl_iptun_fanout,
 10616   Sebastien 	    ipst->ips_ipcl_iptun_fanout_size * sizeof (connf_t));
 10616   Sebastien 	ipst->ips_ipcl_iptun_fanout = NULL;
  3448    dh155122 
  3448    dh155122 	for (i = 0; i < ipst->ips_ipcl_raw_fanout_size; i++) {
  3448    dh155122 		ASSERT(ipst->ips_ipcl_raw_fanout[i].connf_head == NULL);
  3448    dh155122 		mutex_destroy(&ipst->ips_ipcl_raw_fanout[i].connf_lock);
  3448    dh155122 	}
  3448    dh155122 	kmem_free(ipst->ips_ipcl_raw_fanout, ipst->ips_ipcl_raw_fanout_size *
  3448    dh155122 	    sizeof (connf_t));
  3448    dh155122 	ipst->ips_ipcl_raw_fanout = NULL;
  3448    dh155122 
  3448    dh155122 	for (i = 0; i < CONN_G_HASH_SIZE; i++) {
  3448    dh155122 		ASSERT(ipst->ips_ipcl_globalhash_fanout[i].connf_head == NULL);
  3448    dh155122 		mutex_destroy(&ipst->ips_ipcl_globalhash_fanout[i].connf_lock);
  3448    dh155122 	}
  3448    dh155122 	kmem_free(ipst->ips_ipcl_globalhash_fanout,
  3448    dh155122 	    sizeof (connf_t) * CONN_G_HASH_SIZE);
  3448    dh155122 	ipst->ips_ipcl_globalhash_fanout = NULL;
  3448    dh155122 
  3448    dh155122 	ASSERT(ipst->ips_rts_clients->connf_head == NULL);
  3448    dh155122 	mutex_destroy(&ipst->ips_rts_clients->connf_lock);
  3448    dh155122 	kmem_free(ipst->ips_rts_clients, sizeof (connf_t));
  3448    dh155122 	ipst->ips_rts_clients = NULL;
     0      stevel }
     0      stevel 
     0      stevel /*
     0      stevel  * conn creation routine. initialize the conn, sets the reference
     0      stevel  * and inserts it in the global hash table.
     0      stevel  */
     0      stevel conn_t *
  3448    dh155122 ipcl_conn_create(uint32_t type, int sleep, netstack_t *ns)
     0      stevel {
     0      stevel 	conn_t	*connp;
  5240    nordmark 	struct kmem_cache *conn_cache;
     0      stevel 
     0      stevel 	switch (type) {
     0      stevel 	case IPCL_SCTPCONN:
     0      stevel 		if ((connp = kmem_cache_alloc(sctp_conn_cache, sleep)) == NULL)
     0      stevel 			return (NULL);
  4691      kcpoon 		sctp_conn_init(connp);
  3448    dh155122 		netstack_hold(ns);
  3448    dh155122 		connp->conn_netstack = ns;
 11042        Erik 		connp->conn_ixa->ixa_ipst = ns->netstack_ip;
 11042        Erik 		ipcl_globalhash_insert(connp);
  5240    nordmark 		return (connp);
  5240    nordmark 
  5240    nordmark 	case IPCL_TCPCONN:
  5240    nordmark 		conn_cache = tcp_conn_cache;
     0      stevel 		break;
  5240    nordmark 
  5240    nordmark 	case IPCL_UDPCONN:
  5240    nordmark 		conn_cache = udp_conn_cache;
  5240    nordmark 		break;
  5240    nordmark 
  5240    nordmark 	case IPCL_RAWIPCONN:
  5240    nordmark 		conn_cache = rawip_conn_cache;
  5240    nordmark 		break;
  5240    nordmark 
  5240    nordmark 	case IPCL_RTSCONN:
  5240    nordmark 		conn_cache = rts_conn_cache;
  5240    nordmark 		break;
  5240    nordmark 
     0      stevel 	case IPCL_IPCCONN:
  5240    nordmark 		conn_cache = ip_conn_cache;
     0      stevel 		break;
  5240    nordmark 
   741    masputra 	default:
   741    masputra 		connp = NULL;
   741    masputra 		ASSERT(0);
     0      stevel 	}
     0      stevel 
  5240    nordmark 	if ((connp = kmem_cache_alloc(conn_cache, sleep)) == NULL)
  5240    nordmark 		return (NULL);
  5240    nordmark 
  5240    nordmark 	connp->conn_ref = 1;
  5240    nordmark 	netstack_hold(ns);
  5240    nordmark 	connp->conn_netstack = ns;
 11042        Erik 	connp->conn_ixa->ixa_ipst = ns->netstack_ip;
  5240    nordmark 	ipcl_globalhash_insert(connp);
     0      stevel 	return (connp);
     0      stevel }
     0      stevel 
     0      stevel void
     0      stevel ipcl_conn_destroy(conn_t *connp)
     0      stevel {
     0      stevel 	mblk_t	*mp;
  3448    dh155122 	netstack_t	*ns = connp->conn_netstack;
     0      stevel 
     0      stevel 	ASSERT(!MUTEX_HELD(&connp->conn_lock));
     0      stevel 	ASSERT(connp->conn_ref == 0);
  7502       aruna 
  7502       aruna 	DTRACE_PROBE1(conn__destroy, conn_t *, connp);
  1676         jpk 
  1676         jpk 	if (connp->conn_cred != NULL) {
  1676         jpk 		crfree(connp->conn_cred);
  1676         jpk 		connp->conn_cred = NULL;
  1676         jpk 	}
  1676         jpk 
 11042        Erik 	if (connp->conn_ht_iphc != NULL) {
 11042        Erik 		kmem_free(connp->conn_ht_iphc, connp->conn_ht_iphc_allocated);
 11042        Erik 		connp->conn_ht_iphc = NULL;
 11042        Erik 		connp->conn_ht_iphc_allocated = 0;
 11042        Erik 		connp->conn_ht_iphc_len = 0;
 11042        Erik 		connp->conn_ht_ulp = NULL;
 11042        Erik 		connp->conn_ht_ulp_len = 0;
 11042        Erik 	}
 11042        Erik 	ip_pkt_free(&connp->conn_xmit_ipp);
 11042        Erik 
     0      stevel 	ipcl_globalhash_remove(connp);
     0      stevel 
 11042        Erik 	if (connp->conn_latch != NULL) {
 11042        Erik 		IPLATCH_REFRELE(connp->conn_latch);
 11042        Erik 		connp->conn_latch = NULL;
 11042        Erik 	}
 11042        Erik 	if (connp->conn_latch_in_policy != NULL) {
 11042        Erik 		IPPOL_REFRELE(connp->conn_latch_in_policy);
 11042        Erik 		connp->conn_latch_in_policy = NULL;
 11042        Erik 	}
 11042        Erik 	if (connp->conn_latch_in_action != NULL) {
 11042        Erik 		IPACT_REFRELE(connp->conn_latch_in_action);
 11042        Erik 		connp->conn_latch_in_action = NULL;
 11042        Erik 	}
 11042        Erik 	if (connp->conn_policy != NULL) {
 11042        Erik 		IPPH_REFRELE(connp->conn_policy, ns);
 11042        Erik 		connp->conn_policy = NULL;
 11042        Erik 	}
 11042        Erik 
 11042        Erik 	if (connp->conn_ipsec_opt_mp != NULL) {
 11042        Erik 		freemsg(connp->conn_ipsec_opt_mp);
 11042        Erik 		connp->conn_ipsec_opt_mp = NULL;
 11042        Erik 	}
 11042        Erik 
     0      stevel 	if (connp->conn_flags & IPCL_TCPCONN) {
 11042        Erik 		tcp_t *tcp = connp->conn_tcp;
   741    masputra 
     0      stevel 		tcp_free(tcp);
     0      stevel 		mp = tcp->tcp_timercache;
 11042        Erik 
 11042        Erik 		tcp->tcp_tcps = NULL;
     0      stevel 
     0      stevel 		if (tcp->tcp_sack_info != NULL) {
     0      stevel 			bzero(tcp->tcp_sack_info, sizeof (tcp_sack_info_t));
     0      stevel 			kmem_cache_free(tcp_sack_info_cache,
     0      stevel 			    tcp->tcp_sack_info);
     0      stevel 		}
  8014    Kacheong 
  8014    Kacheong 		/*
  8014    Kacheong 		 * tcp_rsrv_mp can be NULL if tcp_get_conn() fails to allocate
  8014    Kacheong 		 * the mblk.
  8014    Kacheong 		 */
  8014    Kacheong 		if (tcp->tcp_rsrv_mp != NULL) {
  8014    Kacheong 			freeb(tcp->tcp_rsrv_mp);
  8014    Kacheong 			tcp->tcp_rsrv_mp = NULL;
  8014    Kacheong 			mutex_destroy(&tcp->tcp_rsrv_mp_lock);
  8014    Kacheong 		}
     0      stevel 
 11042        Erik 		ipcl_conn_cleanup(connp);
 11042        Erik 		connp->conn_flags = IPCL_TCPCONN;
  3448    dh155122 		if (ns != NULL) {
  3448    dh155122 			ASSERT(tcp->tcp_tcps == NULL);
  3448    dh155122 			connp->conn_netstack = NULL;
 11042        Erik 			connp->conn_ixa->ixa_ipst = NULL;
  3448    dh155122 			netstack_rele(ns);
  3448    dh155122 		}
  5240    nordmark 
  5240    nordmark 		bzero(tcp, sizeof (tcp_t));
  5240    nordmark 
  5240    nordmark 		tcp->tcp_timercache = mp;
  5240    nordmark 		tcp->tcp_connp = connp;
  5240    nordmark 		kmem_cache_free(tcp_conn_cache, connp);
  5240    nordmark 		return;
  5240    nordmark 	}
  5240    nordmark 
  5240    nordmark 	if (connp->conn_flags & IPCL_SCTPCONN) {
  3448    dh155122 		ASSERT(ns != NULL);
     0      stevel 		sctp_free(connp);
  5240    nordmark 		return;
  5240    nordmark 	}
  5240    nordmark 
 11042        Erik 	ipcl_conn_cleanup(connp);
  5240    nordmark 	if (ns != NULL) {
  5240    nordmark 		connp->conn_netstack = NULL;
 11042        Erik 		connp->conn_ixa->ixa_ipst = NULL;
  5240    nordmark 		netstack_rele(ns);
  5240    nordmark 	}
  5240    nordmark 
  5240    nordmark 	/* leave conn_priv aka conn_udp, conn_icmp, etc in place. */
  5240    nordmark 	if (connp->conn_flags & IPCL_UDPCONN) {
  5240    nordmark 		connp->conn_flags = IPCL_UDPCONN;
  5240    nordmark 		kmem_cache_free(udp_conn_cache, connp);
  5240    nordmark 	} else if (connp->conn_flags & IPCL_RAWIPCONN) {
  5240    nordmark 		connp->conn_flags = IPCL_RAWIPCONN;
 11042        Erik 		connp->conn_proto = IPPROTO_ICMP;
 11042        Erik 		connp->conn_ixa->ixa_protocol = connp->conn_proto;
  5240    nordmark 		kmem_cache_free(rawip_conn_cache, connp);
  5240    nordmark 	} else if (connp->conn_flags & IPCL_RTSCONN) {
  5240    nordmark 		connp->conn_flags = IPCL_RTSCONN;
  5240    nordmark 		kmem_cache_free(rts_conn_cache, connp);
     0      stevel 	} else {
  5240    nordmark 		connp->conn_flags = IPCL_IPCCONN;
  5240    nordmark 		ASSERT(connp->conn_flags & IPCL_IPCCONN);
  5240    nordmark 		ASSERT(connp->conn_priv == NULL);
  5240    nordmark 		kmem_cache_free(ip_conn_cache, connp);
     0      stevel 	}
     0      stevel }
     0      stevel 
     0      stevel /*
     0      stevel  * Running in cluster mode - deregister listener information
     0      stevel  */
     0      stevel static void
     0      stevel ipcl_conn_unlisten(conn_t *connp)
     0      stevel {
     0      stevel 	ASSERT((connp->conn_flags & IPCL_CL_LISTENER) != 0);
     0      stevel 	ASSERT(connp->conn_lport != 0);
     0      stevel 
     0      stevel 	if (cl_inet_unlisten != NULL) {
     0      stevel 		sa_family_t	addr_family;
     0      stevel 		uint8_t		*laddrp;
     0      stevel 
 11042        Erik 		if (connp->conn_ipversion == IPV6_VERSION) {
     0      stevel 			addr_family = AF_INET6;
 11042        Erik 			laddrp = (uint8_t *)&connp->conn_bound_addr_v6;
     0      stevel 		} else {
     0      stevel 			addr_family = AF_INET;
 11042        Erik 			laddrp = (uint8_t *)&connp->conn_bound_addr_v4;
     0      stevel 		}
  8392     Huafeng 		(*cl_inet_unlisten)(connp->conn_netstack->netstack_stackid,
  8392     Huafeng 		    IPPROTO_TCP, addr_family, laddrp, connp->conn_lport, NULL);
     0      stevel 	}
     0      stevel 	connp->conn_flags &= ~IPCL_CL_LISTENER;
     0      stevel }
     0      stevel 
     0      stevel /*
     0      stevel  * We set the IPCL_REMOVED flag (instead of clearing the flag indicating
     0      stevel  * which table the conn belonged to). So for debugging we can see which hash
     0      stevel  * table this connection was in.
     0      stevel  */
     0      stevel #define	IPCL_HASH_REMOVE(connp)	{					\
     0      stevel 	connf_t	*connfp = (connp)->conn_fanout;				\
     0      stevel 	ASSERT(!MUTEX_HELD(&((connp)->conn_lock)));			\
     0      stevel 	if (connfp != NULL) {						\
     0      stevel 		mutex_enter(&connfp->connf_lock);			\
     0      stevel 		if ((connp)->conn_next != NULL)				\
     0      stevel 			(connp)->conn_next->conn_prev =			\
     0      stevel 			    (connp)->conn_prev;				\
     0      stevel 		if ((connp)->conn_prev != NULL)				\
     0      stevel 			(connp)->conn_prev->conn_next =			\
     0      stevel 			    (connp)->conn_next;				\
     0      stevel 		else							\
     0      stevel 			connfp->connf_head = (connp)->conn_next;	\
     0      stevel 		(connp)->conn_fanout = NULL;				\
     0      stevel 		(connp)->conn_next = NULL;				\
     0      stevel 		(connp)->conn_prev = NULL;				\
     0      stevel 		(connp)->conn_flags |= IPCL_REMOVED;			\
     0      stevel 		if (((connp)->conn_flags & IPCL_CL_LISTENER) != 0)	\
     0      stevel 			ipcl_conn_unlisten((connp));			\
     0      stevel 		CONN_DEC_REF((connp));					\
     0      stevel 		mutex_exit(&connfp->connf_lock);			\
     0      stevel 	}								\
     0      stevel }
     0      stevel 
     0      stevel void
     0      stevel ipcl_hash_remove(conn_t *connp)
     0      stevel {
 11042        Erik 	uint8_t		protocol = connp->conn_proto;
 11042        Erik 
     0      stevel 	IPCL_HASH_REMOVE(connp);
 11042        Erik 	if (protocol == IPPROTO_RSVP)
 11042        Erik 		ill_set_inputfn_all(connp->conn_netstack->netstack_ip);
     0      stevel }
     0      stevel 
     0      stevel /*
     0      stevel  * The whole purpose of this function is allow removal of
     0      stevel  * a conn_t from the connected hash for timewait reclaim.
     0      stevel  * This is essentially a TW reclaim fastpath where timewait
     0      stevel  * collector checks under fanout lock (so no one else can
     0      stevel  * get access to the conn_t) that refcnt is 2 i.e. one for
     0      stevel  * TCP and one for the classifier hash list. If ref count
     0      stevel  * is indeed 2, we can just remove the conn under lock and
     0      stevel  * avoid cleaning up the conn under squeue. This gives us
     0      stevel  * improved performance.
     0      stevel  */
     0      stevel void
     0      stevel ipcl_hash_remove_locked(conn_t *connp, connf_t	*connfp)
     0      stevel {
     0      stevel 	ASSERT(MUTEX_HELD(&connfp->connf_lock));
     0      stevel 	ASSERT(MUTEX_HELD(&connp->conn_lock));
     0      stevel 	ASSERT((connp->conn_flags & IPCL_CL_LISTENER) == 0);
     0      stevel 
     0      stevel 	if ((connp)->conn_next != NULL) {
  4691      kcpoon 		(connp)->conn_next->conn_prev = (connp)->conn_prev;
     0      stevel 	}
     0      stevel 	if ((connp)->conn_prev != NULL) {
  4691      kcpoon 		(connp)->conn_prev->conn_next = (connp)->conn_next;
     0      stevel 	} else {
     0      stevel 		connfp->connf_head = (connp)->conn_next;
     0      stevel 	}
     0      stevel 	(connp)->conn_fanout = NULL;
     0      stevel 	(connp)->conn_next = NULL;
     0      stevel 	(connp)->conn_prev = NULL;
     0      stevel 	(connp)->conn_flags |= IPCL_REMOVED;
     0      stevel 	ASSERT((connp)->conn_ref == 2);
     0      stevel 	(connp)->conn_ref--;
     0      stevel }
     0      stevel 
     0      stevel #define	IPCL_HASH_INSERT_CONNECTED_LOCKED(connfp, connp) {		\
     0      stevel 	ASSERT((connp)->conn_fanout == NULL);				\
     0      stevel 	ASSERT((connp)->conn_next == NULL);				\
     0      stevel 	ASSERT((connp)->conn_prev == NULL);				\
     0      stevel 	if ((connfp)->connf_head != NULL) {				\
     0      stevel 		(connfp)->connf_head->conn_prev = (connp);		\
     0      stevel 		(connp)->conn_next = (connfp)->connf_head;		\
     0      stevel 	}								\
     0      stevel 	(connp)->conn_fanout = (connfp);				\
     0      stevel 	(connfp)->connf_head = (connp);					\
     0      stevel 	(connp)->conn_flags = ((connp)->conn_flags & ~IPCL_REMOVED) |	\
     0      stevel 	    IPCL_CONNECTED;						\
     0      stevel 	CONN_INC_REF(connp);						\
     0      stevel }
     0      stevel 
     0      stevel #define	IPCL_HASH_INSERT_CONNECTED(connfp, connp) {			\
     0      stevel 	IPCL_HASH_REMOVE((connp));					\
     0      stevel 	mutex_enter(&(connfp)->connf_lock);				\
     0      stevel 	IPCL_HASH_INSERT_CONNECTED_LOCKED(connfp, connp);		\
     0      stevel 	mutex_exit(&(connfp)->connf_lock);				\
     0      stevel }
     0      stevel 
     0      stevel #define	IPCL_HASH_INSERT_BOUND(connfp, connp) {				\
     0      stevel 	conn_t *pconnp = NULL, *nconnp;					\
     0      stevel 	IPCL_HASH_REMOVE((connp));					\
     0      stevel 	mutex_enter(&(connfp)->connf_lock);				\
     0      stevel 	nconnp = (connfp)->connf_head;					\
   153    ethindra 	while (nconnp != NULL &&					\
 11042        Erik 	    !_IPCL_V4_MATCH_ANY(nconnp->conn_laddr_v6)) {		\
   153    ethindra 		pconnp = nconnp;					\
   153    ethindra 		nconnp = nconnp->conn_next;				\
     0      stevel 	}								\
     0      stevel 	if (pconnp != NULL) {						\
     0      stevel 		pconnp->conn_next = (connp);				\
     0      stevel 		(connp)->conn_prev = pconnp;				\
     0      stevel 	} else {							\
     0      stevel 		(connfp)->connf_head = (connp);				\
     0      stevel 	}								\
     0      stevel 	if (nconnp != NULL) {						\
     0      stevel 		(connp)->conn_next = nconnp;				\
     0      stevel 		nconnp->conn_prev = (connp);				\
     0      stevel 	}								\
     0      stevel 	(connp)->conn_fanout = (connfp);				\
     0      stevel 	(connp)->conn_flags = ((connp)->conn_flags & ~IPCL_REMOVED) |	\
     0      stevel 	    IPCL_BOUND;							\
     0      stevel 	CONN_INC_REF(connp);						\
     0      stevel 	mutex_exit(&(connfp)->connf_lock);				\
     0      stevel }
     0      stevel 
     0      stevel #define	IPCL_HASH_INSERT_WILDCARD(connfp, connp) {			\
     0      stevel 	conn_t **list, *prev, *next;					\
     0      stevel 	boolean_t isv4mapped =						\
 11042        Erik 	    IN6_IS_ADDR_V4MAPPED(&(connp)->conn_laddr_v6);		\
     0      stevel 	IPCL_HASH_REMOVE((connp));					\
     0      stevel 	mutex_enter(&(connfp)->connf_lock);				\
     0      stevel 	list = &(connfp)->connf_head;					\
     0      stevel 	prev = NULL;							\
     0      stevel 	while ((next = *list) != NULL) {				\
     0      stevel 		if (isv4mapped &&					\
 11042        Erik 		    IN6_IS_ADDR_UNSPECIFIED(&next->conn_laddr_v6) &&	\
     0      stevel 		    connp->conn_zoneid == next->conn_zoneid) {		\
     0      stevel 			(connp)->conn_next = next;			\
     0      stevel 			if (prev != NULL)				\
     0      stevel 				prev = next->conn_prev;			\
     0      stevel 			next->conn_prev = (connp);			\
     0      stevel 			break;						\
     0      stevel 		}							\
     0      stevel 		list = &next->conn_next;				\
     0      stevel 		prev = next;						\
     0      stevel 	}								\
     0      stevel 	(connp)->conn_prev = prev;					\
     0      stevel 	*list = (connp);						\
     0      stevel 	(connp)->conn_fanout = (connfp);				\
     0      stevel 	(connp)->conn_flags = ((connp)->conn_flags & ~IPCL_REMOVED) |	\
     0      stevel 	    IPCL_BOUND;							\
     0      stevel 	CONN_INC_REF((connp));						\
     0      stevel 	mutex_exit(&(connfp)->connf_lock);				\
     0      stevel }
     0      stevel 
     0      stevel void
     0      stevel ipcl_hash_insert_wildcard(connf_t *connfp, conn_t *connp)
     0      stevel {
     0      stevel 	IPCL_HASH_INSERT_WILDCARD(connfp, connp);
     0      stevel }
     0      stevel 
     0      stevel /*
 10616   Sebastien  * Because the classifier is used to classify inbound packets, the destination
 10616   Sebastien  * address is meant to be our local tunnel address (tunnel source), and the
 10616   Sebastien  * source the remote tunnel address (tunnel destination).
 11042        Erik  *
 11042        Erik  * Note that conn_proto can't be used for fanout since the upper protocol
 11042        Erik  * can be both 41 and 4 when IPv6 and IPv4 are over the same tunnel.
 10616   Sebastien  */
 10616   Sebastien conn_t *
 10616   Sebastien ipcl_iptun_classify_v4(ipaddr_t *src, ipaddr_t *dst, ip_stack_t *ipst)
 10616   Sebastien {
 10616   Sebastien 	connf_t	*connfp;
 10616   Sebastien 	conn_t	*connp;
 10616   Sebastien 
 10616   Sebastien 	/* first look for IPv4 tunnel links */
 10616   Sebastien 	connfp = &ipst->ips_ipcl_iptun_fanout[IPCL_IPTUN_HASH(*dst, *src)];
 10616   Sebastien 	mutex_enter(&connfp->connf_lock);
 10616   Sebastien 	for (connp = connfp->connf_head; connp != NULL;
 10616   Sebastien 	    connp = connp->conn_next) {
 10616   Sebastien 		if (IPCL_IPTUN_MATCH(connp, *dst, *src))
 10616   Sebastien 			break;
 10616   Sebastien 	}
 10616   Sebastien 	if (connp != NULL)
 10616   Sebastien 		goto done;
 10616   Sebastien 
 10616   Sebastien 	mutex_exit(&connfp->connf_lock);
 10616   Sebastien 
 10616   Sebastien 	/* We didn't find an IPv4 tunnel, try a 6to4 tunnel */
 10616   Sebastien 	connfp = &ipst->ips_ipcl_iptun_fanout[IPCL_IPTUN_HASH(*dst,
 10616   Sebastien 	    INADDR_ANY)];
 10616   Sebastien 	mutex_enter(&connfp->connf_lock);
 10616   Sebastien 	for (connp = connfp->connf_head; connp != NULL;
 10616   Sebastien 	    connp = connp->conn_next) {
 10616   Sebastien 		if (IPCL_IPTUN_MATCH(connp, *dst, INADDR_ANY))
 10616   Sebastien 			break;
 10616   Sebastien 	}
 10616   Sebastien done:
 10616   Sebastien 	if (connp != NULL)
 10616   Sebastien 		CONN_INC_REF(connp);
 10616   Sebastien 	mutex_exit(&connfp->connf_lock);
 10616   Sebastien 	return (connp);
 10616   Sebastien }
 10616   Sebastien 
 10616   Sebastien conn_t *
 10616   Sebastien ipcl_iptun_classify_v6(in6_addr_t *src, in6_addr_t *dst, ip_stack_t *ipst)
 10616   Sebastien {
 10616   Sebastien 	connf_t	*connfp;
 10616   Sebastien 	conn_t	*connp;
 10616   Sebastien 
 10616   Sebastien 	/* Look for an IPv6 tunnel link */
 10616   Sebastien 	connfp = &ipst->ips_ipcl_iptun_fanout[IPCL_IPTUN_HASH_V6(dst, src)];
 10616   Sebastien 	mutex_enter(&connfp->connf_lock);
 10616   Sebastien 	for (connp = connfp->connf_head; connp != NULL;
 10616   Sebastien 	    connp = connp->conn_next) {
 10616   Sebastien 		if (IPCL_IPTUN_MATCH_V6(connp, dst, src)) {
 10616   Sebastien 			CONN_INC_REF(connp);
 10616   Sebastien 			break;
 10616   Sebastien 		}
 10616   Sebastien 	}
 10616   Sebastien 	mutex_exit(&connfp->connf_lock);
 10616   Sebastien 	return (connp);
 10616   Sebastien }
 10616   Sebastien 
 10616   Sebastien /*
     0      stevel  * This function is used only for inserting SCTP raw socket now.
     0      stevel  * This may change later.
     0      stevel  *
     0      stevel  * Note that only one raw socket can be bound to a port.  The param
     0      stevel  * lport is in network byte order.
     0      stevel  */
     0      stevel static int
     0      stevel ipcl_sctp_hash_insert(conn_t *connp, in_port_t lport)
     0      stevel {
     0      stevel 	connf_t	*connfp;
     0      stevel 	conn_t	*oconnp;
  3448    dh155122 	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;
     0      stevel 
  3448    dh155122 	connfp = &ipst->ips_ipcl_raw_fanout[IPCL_RAW_HASH(ntohs(lport), ipst)];
     0      stevel 
     0      stevel 	/* Check for existing raw socket already bound to the port. */
     0      stevel 	mutex_enter(&connfp->connf_lock);
     0      stevel 	for (oconnp = connfp->connf_head; oconnp != NULL;
   409      kcpoon 	    oconnp = oconnp->conn_next) {
     0      stevel 		if (oconnp->conn_lport == lport &&
     0      stevel 		    oconnp->conn_zoneid == connp->conn_zoneid &&
 11042        Erik 		    oconnp->conn_family == connp->conn_family &&
 11042        Erik 		    ((IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6) ||
 11042        Erik 		    IN6_IS_ADDR_UNSPECIFIED(&oconnp->conn_laddr_v6) ||
 11042        Erik 		    IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_laddr_v6) ||
 11042        Erik 		    IN6_IS_ADDR_V4MAPPED_ANY(&oconnp->conn_laddr_v6)) ||
 11042        Erik 		    IN6_ARE_ADDR_EQUAL(&oconnp->conn_laddr_v6,
 11042        Erik 		    &connp->conn_laddr_v6))) {
     0      stevel 			break;
     0      stevel 		}
     0      stevel 	}
     0      stevel 	mutex_exit(&connfp->connf_lock);
     0      stevel 	if (oconnp != NULL)
     0      stevel 		return (EADDRNOTAVAIL);
     0      stevel 
 11042        Erik 	if (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) ||
 11042        Erik 	    IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_faddr_v6)) {
 11042        Erik 		if (IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6) ||
 11042        Erik 		    IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_laddr_v6)) {
     0      stevel 			IPCL_HASH_INSERT_WILDCARD(connfp, connp);
     0      stevel 		} else {
     0      stevel 			IPCL_HASH_INSERT_BOUND(connfp, connp);
     0      stevel 		}
     0      stevel 	} else {
     0      stevel 		IPCL_HASH_INSERT_CONNECTED(connfp, connp);
     0      stevel 	}
 10616   Sebastien 	return (0);
 10616   Sebastien }
 10616   Sebastien 
 10616   Sebastien static int
 11042        Erik ipcl_iptun_hash_insert(conn_t *connp, ip_stack_t *ipst)
 10616   Sebastien {
 10616   Sebastien 	connf_t	*connfp;
 10616   Sebastien 	conn_t	*tconnp;
 11042        Erik 	ipaddr_t laddr = connp->conn_laddr_v4;
 11042        Erik 	ipaddr_t faddr = connp->conn_faddr_v4;
 10616   Sebastien 
 11042        Erik 	connfp = &ipst->ips_ipcl_iptun_fanout[IPCL_IPTUN_HASH(laddr, faddr)];
 10616   Sebastien 	mutex_enter(&connfp->connf_lock);
 10616   Sebastien 	for (tconnp = connfp->connf_head; tconnp != NULL;
 10616   Sebastien 	    tconnp = tconnp->conn_next) {
 11042        Erik 		if (IPCL_IPTUN_MATCH(tconnp, laddr, faddr)) {
 10616   Sebastien 			/* A tunnel is already bound to these addresses. */
 10616   Sebastien 			mutex_exit(&connfp->connf_lock);
 10616   Sebastien 			return (EADDRINUSE);
 10616   Sebastien 		}
 10616   Sebastien 	}
 10616   Sebastien 	IPCL_HASH_INSERT_CONNECTED_LOCKED(connfp, connp);
 10616   Sebastien 	mutex_exit(&connfp->connf_lock);
 10616   Sebastien 	return (0);
 10616   Sebastien }
 10616   Sebastien 
 10616   Sebastien static int
 11042        Erik ipcl_iptun_hash_insert_v6(conn_t *connp, ip_stack_t *ipst)
 10616   Sebastien {
 10616   Sebastien 	connf_t	*connfp;
 10616   Sebastien 	conn_t	*tconnp;
 11042        Erik 	in6_addr_t *laddr = &connp->conn_laddr_v6;
 11042        Erik 	in6_addr_t *faddr = &connp->conn_faddr_v6;
 10616   Sebastien 
 11042        Erik 	connfp = &ipst->ips_ipcl_iptun_fanout[IPCL_IPTUN_HASH_V6(laddr, faddr)];
 10616   Sebastien 	mutex_enter(&connfp->connf_lock);
 10616   Sebastien 	for (tconnp = connfp->connf_head; tconnp != NULL;
 10616   Sebastien 	    tconnp = tconnp->conn_next) {
 11042        Erik 		if (IPCL_IPTUN_MATCH_V6(tconnp, laddr, faddr)) {
 10616   Sebastien 			/* A tunnel is already bound to these addresses. */
 10616   Sebastien 			mutex_exit(&connfp->connf_lock);
 10616   Sebastien 			return (EADDRINUSE);
 10616   Sebastien 		}
 10616   Sebastien 	}
 10616   Sebastien 	IPCL_HASH_INSERT_CONNECTED_LOCKED(connfp, connp);
 10616   Sebastien 	mutex_exit(&connfp->connf_lock);
     0      stevel 	return (0);
     0      stevel }
     0      stevel 
     0      stevel /*
  1676         jpk  * Check for a MAC exemption conflict on a labeled system.  Note that for
  1676         jpk  * protocols that use port numbers (UDP, TCP, SCTP), we do this check up in the
  1676         jpk  * transport layer.  This check is for binding all other protocols.
  1676         jpk  *
  1676         jpk  * Returns true if there's a conflict.
  1676         jpk  */
  1676         jpk static boolean_t
  3448    dh155122 check_exempt_conflict_v4(conn_t *connp, ip_stack_t *ipst)
  1676         jpk {
  1676         jpk 	connf_t	*connfp;
  1676         jpk 	conn_t *tconn;
  1676         jpk 
 11042        Erik 	connfp = &ipst->ips_ipcl_proto_fanout_v4[connp->conn_proto];
  1676         jpk 	mutex_enter(&connfp->connf_lock);
  1676         jpk 	for (tconn = connfp->connf_head; tconn != NULL;
  1676         jpk 	    tconn = tconn->conn_next) {
  1676         jpk 		/* We don't allow v4 fallback for v6 raw socket */
 11042        Erik 		if (connp->conn_family != tconn->conn_family)
  1676         jpk 			continue;
  1676         jpk 		/* If neither is exempt, then there's no conflict */
 10934  sommerfeld 		if ((connp->conn_mac_mode == CONN_MAC_DEFAULT) &&
 10934  sommerfeld 		    (tconn->conn_mac_mode == CONN_MAC_DEFAULT))
  1676         jpk 			continue;
  9710         Ken 		/* We are only concerned about sockets for a different zone */
  9710         Ken 		if (connp->conn_zoneid == tconn->conn_zoneid)
  9710         Ken 			continue;
  1676         jpk 		/* If both are bound to different specific addrs, ok */
 11042        Erik 		if (connp->conn_laddr_v4 != INADDR_ANY &&
 11042        Erik 		    tconn->conn_laddr_v4 != INADDR_ANY &&
 11042        Erik 		    connp->conn_laddr_v4 != tconn->conn_laddr_v4)
  1676         jpk 			continue;
  1676         jpk 		/* These two conflict; fail */
  1676         jpk 		break;
  1676         jpk 	}
  1676         jpk 	mutex_exit(&connfp->connf_lock);
  1676         jpk 	return (tconn != NULL);
  1676         jpk }
  1676         jpk 
  1676         jpk static boolean_t
  3448    dh155122 check_exempt_conflict_v6(conn_t *connp, ip_stack_t *ipst)
  1676         jpk {
  1676         jpk 	connf_t	*connfp;
  1676         jpk 	conn_t *tconn;
  1676         jpk 
 11042        Erik 	connfp = &ipst->ips_ipcl_proto_fanout_v6[connp->conn_proto];
  1676         jpk 	mutex_enter(&connfp->connf_lock);
  1676         jpk 	for (tconn = connfp->connf_head; tconn != NULL;
  1676         jpk 	    tconn = tconn->conn_next) {
  1676         jpk 		/* We don't allow v4 fallback for v6 raw socket */
 11042        Erik 		if (connp->conn_family != tconn->conn_family)
  1676         jpk 			continue;
  1676         jpk 		/* If neither is exempt, then there's no conflict */
 10934  sommerfeld 		if ((connp->conn_mac_mode == CONN_MAC_DEFAULT) &&
 10934  sommerfeld 		    (tconn->conn_mac_mode == CONN_MAC_DEFAULT))
  9710         Ken 			continue;
  9710         Ken 		/* We are only concerned about sockets for a different zone */
  9710         Ken 		if (connp->conn_zoneid == tconn->conn_zoneid)
  1676         jpk 			continue;
  1676         jpk 		/* If both are bound to different addrs, ok */
 11042        Erik 		if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6) &&
 11042        Erik 		    !IN6_IS_ADDR_UNSPECIFIED(&tconn->conn_laddr_v6) &&
 11042        Erik 		    !IN6_ARE_ADDR_EQUAL(&connp->conn_laddr_v6,
 11042        Erik 		    &tconn->conn_laddr_v6))
  1676         jpk 			continue;
  1676         jpk 		/* These two conflict; fail */
  1676         jpk 		break;
  1676         jpk 	}
  1676         jpk 	mutex_exit(&connfp->connf_lock);
  1676         jpk 	return (tconn != NULL);
  1676         jpk }
  1676         jpk 
  1676         jpk /*
     0      stevel  * (v4, v6) bind hash insertion routines
 11042        Erik  * The caller has already setup the conn (conn_proto, conn_laddr_v6, conn_lport)
     0      stevel  */
 11042        Erik 
     0      stevel int
 11042        Erik ipcl_bind_insert(conn_t *connp)
 11042        Erik {
 11042        Erik 	if (connp->conn_ipversion == IPV6_VERSION)
 11042        Erik 		return (ipcl_bind_insert_v6(connp));
 11042        Erik 	else
 11042        Erik 		return (ipcl_bind_insert_v4(connp));
 11042        Erik }
 11042        Erik 
 11042        Erik int
 11042        Erik ipcl_bind_insert_v4(conn_t *connp)
     0      stevel {
     0      stevel 	connf_t	*connfp;
     0      stevel 	int	ret = 0;
  3448    dh155122 	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;
 11042        Erik 	uint16_t	lport = connp->conn_lport;
 11042        Erik 	uint8_t		protocol = connp->conn_proto;
     0      stevel 
 10616   Sebastien 	if (IPCL_IS_IPTUN(connp))
 11042        Erik 		return (ipcl_iptun_hash_insert(connp, ipst));
 10616   Sebastien 
     0      stevel 	switch (protocol) {
  1676         jpk 	default:
  3448    dh155122 		if (is_system_labeled() &&
  3448    dh155122 		    check_exempt_conflict_v4(connp, ipst))
  1676         jpk 			return (EADDRINUSE);
  1676         jpk 		/* FALLTHROUGH */
     0      stevel 	case IPPROTO_UDP:
     0      stevel 		if (protocol == IPPROTO_UDP) {
  3448    dh155122 			connfp = &ipst->ips_ipcl_udp_fanout[
  3448    dh155122 			    IPCL_UDP_HASH(lport, ipst)];
     0      stevel 		} else {
 11042        Erik 			connfp = &ipst->ips_ipcl_proto_fanout_v4[protocol];
     0      stevel 		}
     0      stevel 
 11042        Erik 		if (connp->conn_faddr_v4 != INADDR_ANY) {
     0      stevel 			IPCL_HASH_INSERT_CONNECTED(connfp, connp);
 11042        Erik 		} else if (connp->conn_laddr_v4 != INADDR_ANY) {
     0      stevel 			IPCL_HASH_INSERT_BOUND(connfp, connp);
     0      stevel 		} else {
     0      stevel 			IPCL_HASH_INSERT_WILDCARD(connfp, connp);
     0      stevel 		}
 11042        Erik 		if (protocol == IPPROTO_RSVP)
 11042        Erik 			ill_set_inputfn_all(ipst);
     0      stevel 		break;
     0      stevel 
     0      stevel 	case IPPROTO_TCP:
     0      stevel 		/* Insert it in the Bind Hash */
  1676         jpk 		ASSERT(connp->conn_zoneid != ALL_ZONES);
  3448    dh155122 		connfp = &ipst->ips_ipcl_bind_fanout[
  3448    dh155122 		    IPCL_BIND_HASH(lport, ipst)];
 11042        Erik 		if (connp->conn_laddr_v4 != INADDR_ANY) {
     0      stevel 			IPCL_HASH_INSERT_BOUND(connfp, connp);
     0      stevel 		} else {
     0      stevel 			IPCL_HASH_INSERT_WILDCARD(connfp, connp);
     0      stevel 		}
     0      stevel 		if (cl_inet_listen != NULL) {
 11042        Erik 			ASSERT(connp->conn_ipversion == IPV4_VERSION);
     0      stevel 			connp->conn_flags |= IPCL_CL_LISTENER;
  8392     Huafeng 			(*cl_inet_listen)(
  8392     Huafeng 			    connp->conn_netstack->netstack_stackid,
  8392     Huafeng 			    IPPROTO_TCP, AF_INET,
 11042        Erik 			    (uint8_t *)&connp->conn_bound_addr_v4, lport, NULL);
     0      stevel 		}
     0      stevel 		break;
     0      stevel 
     0      stevel 	case IPPROTO_SCTP:
     0      stevel 		ret = ipcl_sctp_hash_insert(connp, lport);
     0      stevel 		break;
     0      stevel 	}
     0      stevel 
     0      stevel 	return (ret);
     0      stevel }
     0      stevel 
     0      stevel int
 11042        Erik ipcl_bind_insert_v6(conn_t *connp)
     0      stevel {
 10616   Sebastien 	connf_t		*connfp;
 10616   Sebastien 	int		ret = 0;
  3448    dh155122 	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;
 11042        Erik 	uint16_t	lport = connp->conn_lport;
 11042        Erik 	uint8_t		protocol = connp->conn_proto;
 10616   Sebastien 
 10616   Sebastien 	if (IPCL_IS_IPTUN(connp)) {
 11042        Erik 		return (ipcl_iptun_hash_insert_v6(connp, ipst));
 10616   Sebastien 	}
     0      stevel 
     0      stevel 	switch (protocol) {
  1676         jpk 	default:
  3448    dh155122 		if (is_system_labeled() &&
  3448    dh155122 		    check_exempt_conflict_v6(connp, ipst))
  1676         jpk 			return (EADDRINUSE);
  1676         jpk 		/* FALLTHROUGH */
     0      stevel 	case IPPROTO_UDP:
     0      stevel 		if (protocol == IPPROTO_UDP) {
  3448    dh155122 			connfp = &ipst->ips_ipcl_udp_fanout[
  3448    dh155122 			    IPCL_UDP_HASH(lport, ipst)];
     0      stevel 		} else {
  3448    dh155122 			connfp = &ipst->ips_ipcl_proto_fanout_v6[protocol];
     0      stevel 		}
     0      stevel 
 11042        Erik 		if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6)) {
     0      stevel 			IPCL_HASH_INSERT_CONNECTED(connfp, connp);
 11042        Erik 		} else if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6)) {
     0      stevel 			IPCL_HASH_INSERT_BOUND(connfp, connp);
     0      stevel 		} else {
     0      stevel 			IPCL_HASH_INSERT_WILDCARD(connfp, connp);
     0      stevel 		}
     0      stevel 		break;
     0      stevel 
     0      stevel 	case IPPROTO_TCP:
     0      stevel 		/* Insert it in the Bind Hash */
  1676         jpk 		ASSERT(connp->conn_zoneid != ALL_ZONES);
  3448    dh155122 		connfp = &ipst->ips_ipcl_bind_fanout[
  3448    dh155122 		    IPCL_BIND_HASH(lport, ipst)];
 11042        Erik 		if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6)) {
     0      stevel 			IPCL_HASH_INSERT_BOUND(connfp, connp);
     0      stevel 		} else {
     0      stevel 			IPCL_HASH_INSERT_WILDCARD(connfp, connp);
     0      stevel 		}
     0      stevel 		if (cl_inet_listen != NULL) {
     0      stevel 			sa_family_t	addr_family;
     0      stevel 			uint8_t		*laddrp;
     0      stevel 
 11042        Erik 			if (connp->conn_ipversion == IPV6_VERSION) {
     0      stevel 				addr_family = AF_INET6;
     0      stevel 				laddrp =
 11042        Erik 				    (uint8_t *)&connp->conn_bound_addr_v6;
     0      stevel 			} else {
     0      stevel 				addr_family = AF_INET;
 11042        Erik 				laddrp = (uint8_t *)&connp->conn_bound_addr_v4;
     0      stevel 			}
     0      stevel 			connp->conn_flags |= IPCL_CL_LISTENER;
  8392     Huafeng 			(*cl_inet_listen)(
  8392     Huafeng 			    connp->conn_netstack->netstack_stackid,
  8392     Huafeng 			    IPPROTO_TCP, addr_family, laddrp, lport, NULL);
     0      stevel 		}
     0      stevel 		break;
     0      stevel 
     0      stevel 	case IPPROTO_SCTP:
     0      stevel 		ret = ipcl_sctp_hash_insert(connp, lport);
     0      stevel 		break;
     0      stevel 	}
     0      stevel 
     0      stevel 	return (ret);
     0      stevel }
     0      stevel 
     0      stevel /*
     0      stevel  * ipcl_conn_hash insertion routines.
 11042        Erik  * The caller has already set conn_proto and the addresses/ports in the conn_t.
     0      stevel  */
 11042        Erik 
     0      stevel int
 11042        Erik ipcl_conn_insert(conn_t *connp)
 11042        Erik {
 11042        Erik 	if (connp->conn_ipversion == IPV6_VERSION)
 11042        Erik 		return (ipcl_conn_insert_v6(connp));
 11042        Erik 	else
 11042        Erik 		return (ipcl_conn_insert_v4(connp));
 11042        Erik }
 11042        Erik 
 11042        Erik int
 11042        Erik ipcl_conn_insert_v4(conn_t *connp)
     0      stevel {
     0      stevel 	connf_t		*connfp;
     0      stevel 	conn_t		*tconnp;
     0      stevel 	int		ret = 0;
  3448    dh155122 	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;
 11042        Erik 	uint16_t	lport = connp->conn_lport;
 11042        Erik 	uint8_t		protocol = connp->conn_proto;
 10616   Sebastien 
 10616   Sebastien 	if (IPCL_IS_IPTUN(connp))
 11042        Erik 		return (ipcl_iptun_hash_insert(connp, ipst));
     0      stevel 
     0      stevel 	switch (protocol) {
     0      stevel 	case IPPROTO_TCP:
  8432    Jonathan 		/*
 11042        Erik 		 * For TCP, we check whether the connection tuple already
  8432    Jonathan 		 * exists before allowing the connection to proceed.  We
  8432    Jonathan 		 * also allow indexing on the zoneid. This is to allow
  8432    Jonathan 		 * multiple shared stack zones to have the same tcp
  8432    Jonathan 		 * connection tuple. In practice this only happens for
  8432    Jonathan 		 * INADDR_LOOPBACK as it's the only local address which
  8432    Jonathan 		 * doesn't have to be unique.
  8432    Jonathan 		 */
  3448    dh155122 		connfp = &ipst->ips_ipcl_conn_fanout[
 11042        Erik 		    IPCL_CONN_HASH(connp->conn_faddr_v4,
  3448    dh155122 		    connp->conn_ports, ipst)];
     0      stevel 		mutex_enter(&connfp->connf_lock);
     0      stevel 		for (tconnp = connfp->connf_head; tconnp != NULL;
     0      stevel 		    tconnp = tconnp->conn_next) {
 11042        Erik 			if (IPCL_CONN_MATCH(tconnp, connp->conn_proto,
 11042        Erik 			    connp->conn_faddr_v4, connp->conn_laddr_v4,
 11042        Erik 			    connp->conn_ports) &&
 11042        Erik 			    IPCL_ZONE_MATCH(tconnp, connp->conn_zoneid)) {
     0      stevel 				/* Already have a conn. bail out */
     0      stevel 				mutex_exit(&connfp->connf_lock);
     0      stevel 				return (EADDRINUSE);
     0      stevel 			}
     0      stevel 		}
     0      stevel 		if (connp->conn_fanout != NULL) {
     0      stevel 			/*
     0      stevel 			 * Probably a XTI/TLI application trying to do a
     0      stevel 			 * rebind. Let it happen.
     0      stevel 			 */
     0      stevel 			mutex_exit(&connfp->connf_lock);
     0      stevel 			IPCL_HASH_REMOVE(connp);
     0      stevel 			mutex_enter(&connfp->connf_lock);
     0      stevel 		}
  3104    jprakash 
  3104    jprakash 		ASSERT(connp->conn_recv != NULL);
 11042        Erik 		ASSERT(connp->conn_recvicmp != NULL);
  3104    jprakash 
     0      stevel 		IPCL_HASH_INSERT_CONNECTED_LOCKED(connfp, connp);
     0      stevel 		mutex_exit(&connfp->connf_lock);
     0      stevel 		break;
     0      stevel 
     0      stevel 	case IPPROTO_SCTP:
   409      kcpoon 		/*
   409      kcpoon 		 * The raw socket may have already been bound, remove it
   409      kcpoon 		 * from the hash first.
   409      kcpoon 		 */
   409      kcpoon 		IPCL_HASH_REMOVE(connp);
     0      stevel 		ret = ipcl_sctp_hash_insert(connp, lport);
     0      stevel 		break;
     0      stevel 
  1676         jpk 	default:
  1676         jpk 		/*
  1676         jpk 		 * Check for conflicts among MAC exempt bindings.  For
  1676         jpk 		 * transports with port numbers, this is done by the upper
  1676         jpk 		 * level per-transport binding logic.  For all others, it's
  1676         jpk 		 * done here.
  1676         jpk 		 */
  3448    dh155122 		if (is_system_labeled() &&
  3448    dh155122 		    check_exempt_conflict_v4(connp, ipst))
  1676         jpk 			return (EADDRINUSE);
  1676         jpk 		/* FALLTHROUGH */
  1676         jpk 
     0      stevel 	case IPPROTO_UDP:
     0      stevel 		if (protocol == IPPROTO_UDP) {
  3448    dh155122 			connfp = &ipst->ips_ipcl_udp_fanout[
 11042        Erik 			    IPCL_UDP_HASH(lport, ipst)];
     0      stevel 		} else {
 11042        Erik 			connfp = &ipst->ips_ipcl_proto_fanout_v4[protocol];
     0      stevel 		}
     0      stevel 
 11042        Erik 		if (connp->conn_faddr_v4 != INADDR_ANY) {
     0      stevel 			IPCL_HASH_INSERT_CONNECTED(connfp, connp);
 11042        Erik 		} else if (connp->conn_laddr_v4 != INADDR_ANY) {
     0      stevel 			IPCL_HASH_INSERT_BOUND(connfp, connp);
     0      stevel 		} else {
     0      stevel 			IPCL_HASH_INSERT_WILDCARD(connfp, connp);
     0      stevel 		}
     0      stevel 		break;
     0      stevel 	}
     0      stevel 
     0      stevel 	return (ret);
     0      stevel }
     0      stevel 
     0      stevel int
 11042        Erik ipcl_conn_insert_v6(conn_t *connp)
     0      stevel {
     0      stevel 	connf_t		*connfp;
     0      stevel 	conn_t		*tconnp;
     0      stevel 	int		ret = 0;
  3448    dh155122 	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;
 11042        Erik 	uint16_t	lport = connp->conn_lport;
 11042        Erik 	uint8_t		protocol = connp->conn_proto;
 11042        Erik 	uint_t		ifindex = connp->conn_bound_if;
 10616   Sebastien 
 10616   Sebastien 	if (IPCL_IS_IPTUN(connp))
 11042        Erik 		return (ipcl_iptun_hash_insert_v6(connp, ipst));
     0      stevel 
     0      stevel 	switch (protocol) {
     0      stevel 	case IPPROTO_TCP:
  8432    Jonathan 
  8432    Jonathan 		/*
  8432    Jonathan 		 * For tcp, we check whether the connection tuple already
  8432    Jonathan 		 * exists before allowing the connection to proceed.  We
  8432    Jonathan 		 * also allow indexing on the zoneid. This is to allow
  8432    Jonathan 		 * multiple shared stack zones to have the same tcp
  8432    Jonathan 		 * connection tuple. In practice this only happens for
  8432    Jonathan 		 * ipv6_loopback as it's the only local address which
  8432    Jonathan 		 * doesn't have to be unique.
  8432    Jonathan 		 */
  3448    dh155122 		connfp = &ipst->ips_ipcl_conn_fanout[
 11042        Erik 		    IPCL_CONN_HASH_V6(connp->conn_faddr_v6, connp->conn_ports,
  3448    dh155122 		    ipst)];
     0      stevel 		mutex_enter(&connfp->connf_lock);
     0      stevel 		for (tconnp = connfp->connf_head; tconnp != NULL;
     0      stevel 		    tconnp = tconnp->conn_next) {
 11042        Erik 			/* NOTE: need to match zoneid. Bug in onnv-gate */
 11042        Erik 			if (IPCL_CONN_MATCH_V6(tconnp, connp->conn_proto,
 11042        Erik 			    connp->conn_faddr_v6, connp->conn_laddr_v6,
     0      stevel 			    connp->conn_ports) &&
 11042        Erik 			    (tconnp->conn_bound_if == 0 ||
 11042        Erik 			    tconnp->conn_bound_if == ifindex) &&
 11042        Erik 			    IPCL_ZONE_MATCH(tconnp, connp->conn_zoneid)) {
     0      stevel 				/* Already have a conn. bail out */
     0      stevel 				mutex_exit(&connfp->connf_lock);
     0      stevel 				return (EADDRINUSE);
     0      stevel 			}
     0      stevel 		}
     0      stevel 		if (connp->conn_fanout != NULL) {
     0      stevel 			/*
     0      stevel 			 * Probably a XTI/TLI application trying to do a
     0      stevel 			 * rebind. Let it happen.
     0      stevel 			 */
     0      stevel 			mutex_exit(&connfp->connf_lock);
     0      stevel 			IPCL_HASH_REMOVE(connp);
     0      stevel 			mutex_enter(&connfp->connf_lock);
     0      stevel 		}
     0      stevel 		IPCL_HASH_INSERT_CONNECTED_LOCKED(connfp, connp);
     0      stevel 		mutex_exit(&connfp->connf_lock);
     0      stevel 		break;
     0      stevel 
     0      stevel 	case IPPROTO_SCTP:
   409      kcpoon 		IPCL_HASH_REMOVE(connp);
     0      stevel 		ret = ipcl_sctp_hash_insert(connp, lport);
     0      stevel 		break;
     0      stevel 
  1676         jpk 	default:
  3448    dh155122 		if (is_system_labeled() &&
  3448    dh155122 		    check_exempt_conflict_v6(connp, ipst))
  1676         jpk 			return (EADDRINUSE);
  1676         jpk 		/* FALLTHROUGH */
     0      stevel 	case IPPROTO_UDP:
     0      stevel 		if (protocol == IPPROTO_UDP) {
  3448    dh155122 			connfp = &ipst->ips_ipcl_udp_fanout[
 11042        Erik 			    IPCL_UDP_HASH(lport, ipst)];
     0      stevel 		} else {
  3448    dh155122 			connfp = &ipst->ips_ipcl_proto_fanout_v6[protocol];
     0      stevel 		}
     0      stevel 
 11042        Erik 		if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6)) {
     0      stevel 			IPCL_HASH_INSERT_CONNECTED(connfp, connp);
 11042        Erik 		} else if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_laddr_v6)) {
     0      stevel 			IPCL_HASH_INSERT_BOUND(connfp, connp);
     0      stevel 		} else {
     0      stevel 			IPCL_HASH_INSERT_WILDCARD(connfp, connp);
     0      stevel 		}
     0      stevel 		break;
     0      stevel 	}
     0      stevel 
     0      stevel 	return (ret);
     0      stevel }
     0      stevel 
     0      stevel /*
     0      stevel  * v4 packet classifying function. looks up the fanout table to
     0      stevel  * find the conn, the packet belongs to. returns the conn with
     0      stevel  * the reference held, null otherwise.
  1676         jpk  *
  1676         jpk  * If zoneid is ALL_ZONES, then the search rules described in the "Connection
  1676         jpk  * Lookup" comment block are applied.  Labels are also checked as described
  1676         jpk  * above.  If the packet is from the inside (looped back), and is from the same
  1676         jpk  * zone, then label checks are omitted.
     0      stevel  */
     0      stevel conn_t *
 11042        Erik ipcl_classify_v4(mblk_t *mp, uint8_t protocol, uint_t hdr_len,
 11042        Erik     ip_recv_attr_t *ira, ip_stack_t *ipst)
     0      stevel {
     0      stevel 	ipha_t	*ipha;
     0      stevel 	connf_t	*connfp, *bind_connfp;
     0      stevel 	uint16_t lport;
     0      stevel 	uint16_t fport;
     0      stevel 	uint32_t ports;
     0      stevel 	conn_t	*connp;
     0      stevel 	uint16_t  *up;
 11042        Erik 	zoneid_t	zoneid = ira->ira_zoneid;
     0      stevel 
     0      stevel 	ipha = (ipha_t *)mp->b_rptr;
     0      stevel 	up = (uint16_t *)((uchar_t *)ipha + hdr_len + TCP_PORTS_OFFSET);
     0      stevel 
     0      stevel 	switch (protocol) {
     0      stevel 	case IPPROTO_TCP:
     0      stevel 		ports = *(uint32_t *)up;
     0      stevel 		connfp =
  3448    dh155122 		    &ipst->ips_ipcl_conn_fanout[IPCL_CONN_HASH(ipha->ipha_src,
  3448    dh155122 		    ports, ipst)];
     0      stevel 		mutex_enter(&connfp->connf_lock);
     0      stevel 		for (connp = connfp->connf_head; connp != NULL;
     0      stevel 		    connp = connp->conn_next) {
 11042        Erik 			if (IPCL_CONN_MATCH(connp, protocol,
 11042        Erik 			    ipha->ipha_src, ipha->ipha_dst, ports) &&
 11042        Erik 			    (connp->conn_zoneid == zoneid ||
 11042        Erik 			    connp->conn_allzones ||
 11042        Erik 			    ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
 11042        Erik 			    (ira->ira_flags & IRAF_TX_MAC_EXEMPTABLE) &&
 11042        Erik 			    (ira->ira_flags & IRAF_TX_SHARED_ADDR))))
     0      stevel 				break;
 11042        Erik 		}
 11042        Erik 
 11042        Erik 		if (connp != NULL) {
 11042        Erik 			/*
 11042        Erik 			 * We have a fully-bound TCP connection.
 11042        Erik 			 *
 11042        Erik 			 * For labeled systems, there's no need to check the
 11042        Erik 			 * label here.  It's known to be good as we checked
 11042        Erik 			 * before allowing the connection to become bound.
 11042        Erik 			 */
 11042        Erik 			CONN_INC_REF(connp);
 11042        Erik 			mutex_exit(&connfp->connf_lock);
 11042        Erik 			return (connp);
 11042        Erik 		}
 11042        Erik 
 11042        Erik 		mutex_exit(&connfp->connf_lock);
 11042        Erik 		lport = up[1];
 11042        Erik 		bind_connfp =
 11042        Erik 		    &ipst->ips_ipcl_bind_fanout[IPCL_BIND_HASH(lport, ipst)];
 11042        Erik 		mutex_enter(&bind_connfp->connf_lock);
 11042        Erik 		for (connp = bind_connfp->connf_head; connp != NULL;
 11042        Erik 		    connp = connp->conn_next) {
 11042        Erik 			if (IPCL_BIND_MATCH(connp, protocol, ipha->ipha_dst,
 11042        Erik 			    lport) &&
 11042        Erik 			    (connp->conn_zoneid == zoneid ||
 11042        Erik 			    connp->conn_allzones ||
 11042        Erik 			    ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
 11042        Erik 			    (ira->ira_flags & IRAF_TX_MAC_EXEMPTABLE) &&
 11042        Erik 			    (ira->ira_flags & IRAF_TX_SHARED_ADDR))))
 11042        Erik 				break;
 11042        Erik 		}
 11042        Erik 
 11042        Erik 		/*
 11042        Erik 		 * If the matching connection is SLP on a private address, then
 11042        Erik 		 * the label on the packet must match the local zone's label.
 11042        Erik 		 * Otherwise, it must be in the label range defined by tnrh.
 11042        Erik 		 * This is ensured by tsol_receive_local.
 11042        Erik 		 *
 11042        Erik 		 * Note that we don't check tsol_receive_local for
 11042        Erik 		 * the connected case.
 11042        Erik 		 */
 11042        Erik 		if (connp != NULL && (ira->ira_flags & IRAF_SYSTEM_LABELED) &&
 11042        Erik 		    !tsol_receive_local(mp, &ipha->ipha_dst, IPV4_VERSION,
 11042        Erik 		    ira, connp)) {
 11042        Erik 			DTRACE_PROBE3(tx__ip__log__info__classify__tcp,
 11042        Erik 			    char *, "connp(1) could not receive mp(2)",
 11042        Erik 			    conn_t *, connp, mblk_t *, mp);
 11042        Erik 			connp = NULL;
 11042        Erik 		}
 11042        Erik 
 11042        Erik 		if (connp != NULL) {
 11042        Erik 			/* Have a listener at least */
 11042        Erik 			CONN_INC_REF(connp);
 11042        Erik 			mutex_exit(&bind_connfp->connf_lock);
 11042        Erik 			return (connp);
 11042        Erik 		}
 11042        Erik 
 11042        Erik 		mutex_exit(&bind_connfp->connf_lock);
 11042        Erik 		break;
 11042        Erik 
 11042        Erik 	case IPPROTO_UDP:
 11042        Erik 		lport = up[1];
 11042        Erik 		fport = up[0];
 11042        Erik 		connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(lport, ipst)];
 11042        Erik 		mutex_enter(&connfp->connf_lock);
 11042        Erik 		for (connp = connfp->connf_head; connp != NULL;
 11042        Erik 		    connp = connp->conn_next) {
 11042        Erik 			if (IPCL_UDP_MATCH(connp, lport, ipha->ipha_dst,
 11042        Erik 			    fport, ipha->ipha_src) &&
 11042        Erik 			    (connp->conn_zoneid == zoneid ||
 11042        Erik 			    connp->conn_allzones ||
 11042        Erik 			    ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
 11042        Erik 			    (ira->ira_flags & IRAF_TX_MAC_EXEMPTABLE))))
 11042        Erik 				break;
 11042        Erik 		}
 11042        Erik 
 11042        Erik 		if (connp != NULL && (ira->ira_flags & IRAF_SYSTEM_LABELED) &&
 11042        Erik 		    !tsol_receive_local(mp, &ipha->ipha_dst, IPV4_VERSION,
 11042        Erik 		    ira, connp)) {
 11042        Erik 			DTRACE_PROBE3(tx__ip__log__info__classify__udp,
 11042        Erik 			    char *, "connp(1) could not receive mp(2)",
 11042        Erik 			    conn_t *, connp, mblk_t *, mp);
 11042        Erik 			connp = NULL;
 11042        Erik 		}
 11042        Erik 
 11042        Erik 		if (connp != NULL) {
 11042        Erik 			CONN_INC_REF(connp);
 11042        Erik 			mutex_exit(&connfp->connf_lock);
 11042        Erik 			return (connp);
 11042        Erik 		}
 11042        Erik 
 11042        Erik 		/*
 11042        Erik 		 * We shouldn't come here for multicast/broadcast packets
 11042        Erik 		 */
 11042        Erik 		mutex_exit(&connfp->connf_lock);
 11042        Erik 
 11042        Erik 		break;
 11042        Erik 
 11042        Erik 	case IPPROTO_ENCAP:
 11042        Erik 	case IPPROTO_IPV6:
 11042        Erik 		return (ipcl_iptun_classify_v4(&ipha->ipha_src,
 11042        Erik 		    &ipha->ipha_dst, ipst));
 11042        Erik 	}
 11042        Erik 
 11042        Erik 	return (NULL);
 11042        Erik }
 11042        Erik 
 11042        Erik conn_t *
 11042        Erik ipcl_classify_v6(mblk_t *mp, uint8_t protocol, uint_t hdr_len,
 11042        Erik     ip_recv_attr_t *ira, ip_stack_t *ipst)
 11042        Erik {
 11042        Erik 	ip6_t		*ip6h;
 11042        Erik 	connf_t		*connfp, *bind_connfp;
 11042        Erik 	uint16_t	lport;
 11042        Erik 	uint16_t	fport;
 11042        Erik 	tcpha_t		*tcpha;
 11042        Erik 	uint32_t	ports;
 11042        Erik 	conn_t		*connp;
 11042        Erik 	uint16_t	*up;
 11042        Erik 	zoneid_t	zoneid = ira->ira_zoneid;
 11042        Erik 
 11042        Erik 	ip6h = (ip6_t *)mp->b_rptr;
 11042        Erik 
 11042        Erik 	switch (protocol) {
 11042        Erik 	case IPPROTO_TCP:
 11042        Erik 		tcpha = (tcpha_t *)&mp->b_rptr[hdr_len];
 11042        Erik 		up = &tcpha->tha_lport;
 11042        Erik 		ports = *(uint32_t *)up;
 11042        Erik 
 11042        Erik 		connfp =
 11042        Erik 		    &ipst->ips_ipcl_conn_fanout[IPCL_CONN_HASH_V6(ip6h->ip6_src,
 11042        Erik 		    ports, ipst)];
 11042        Erik 		mutex_enter(&connfp->connf_lock);
 11042        Erik 		for (connp = connfp->connf_head; connp != NULL;
 11042        Erik 		    connp = connp->conn_next) {
 11042        Erik 			if (IPCL_CONN_MATCH_V6(connp, protocol,
 11042        Erik 			    ip6h->ip6_src, ip6h->ip6_dst, ports) &&
 11042        Erik 			    (connp->conn_zoneid == zoneid ||
 11042        Erik 			    connp->conn_allzones ||
 11042        Erik 			    ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
 11042        Erik 			    (ira->ira_flags & IRAF_TX_MAC_EXEMPTABLE) &&
 11042        Erik 			    (ira->ira_flags & IRAF_TX_SHARED_ADDR))))
 11042        Erik 				break;
     0      stevel 		}
     0      stevel 
     0      stevel 		if (connp != NULL) {
  1676         jpk 			/*
  1676         jpk 			 * We have a fully-bound TCP connection.
  1676         jpk 			 *
  1676         jpk 			 * For labeled systems, there's no need to check the
  1676         jpk 			 * label here.  It's known to be good as we checked
  1676         jpk 			 * before allowing the connection to become bound.
  1676         jpk 			 */
     0      stevel 			CONN_INC_REF(connp);
     0      stevel 			mutex_exit(&connfp->connf_lock);
     0      stevel 			return (connp);
     0      stevel 		}
     0      stevel 
     0      stevel 		mutex_exit(&connfp->connf_lock);
     0      stevel 
     0      stevel 		lport = up[1];
  3448    dh155122 		bind_connfp =
  3448    dh155122 		    &ipst->ips_ipcl_bind_fanout[IPCL_BIND_HASH(lport, ipst)];
     0      stevel 		mutex_enter(&bind_connfp->connf_lock);
     0      stevel 		for (connp = bind_connfp->connf_head; connp != NULL;
     0      stevel 		    connp = connp->conn_next) {
     0      stevel 			if (IPCL_BIND_MATCH_V6(connp, protocol,
     0      stevel 			    ip6h->ip6_dst, lport) &&
 11042        Erik 			    (connp->conn_zoneid == zoneid ||
 11042        Erik 			    connp->conn_allzones ||
 11042        Erik 			    ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
 11042        Erik 			    (ira->ira_flags & IRAF_TX_MAC_EXEMPTABLE) &&
 11042        Erik 			    (ira->ira_flags & IRAF_TX_SHARED_ADDR))))
     0      stevel 				break;
  1676         jpk 		}
  1676         jpk 
 11042        Erik 		if (connp != NULL && (ira->ira_flags & IRAF_SYSTEM_LABELED) &&
  1676         jpk 		    !tsol_receive_local(mp, &ip6h->ip6_dst, IPV6_VERSION,
 11042        Erik 		    ira, connp)) {
  1676         jpk 			DTRACE_PROBE3(tx__ip__log__info__classify__tcp6,
  1676         jpk 			    char *, "connp(1) could not receive mp(2)",
  1676         jpk 			    conn_t *, connp, mblk_t *, mp);
  1676         jpk 			connp = NULL;
     0      stevel 		}
     0      stevel 
     0      stevel 		if (connp != NULL) {
     0      stevel 			/* Have a listner at least */
     0      stevel 			CONN_INC_REF(connp);
     0      stevel 			mutex_exit(&bind_connfp->connf_lock);
     0      stevel 			return (connp);
     0      stevel 		}
     0      stevel 
     0      stevel 		mutex_exit(&bind_connfp->connf_lock);
     0      stevel 		break;
     0      stevel 
     0      stevel 	case IPPROTO_UDP:
     0      stevel 		up = (uint16_t *)&mp->b_rptr[hdr_len];
     0      stevel 		lport = up[1];
     0      stevel 		fport = up[0];
  3448    dh155122 		connfp = &ipst->ips_ipcl_udp_fanout[IPCL_UDP_HASH(lport, ipst)];
     0      stevel 		mutex_enter(&connfp->connf_lock);
     0      stevel 		for (connp = connfp->connf_head; connp != NULL;
     0      stevel 		    connp = connp->conn_next) {
     0      stevel 			if (IPCL_UDP_MATCH_V6(connp, lport, ip6h->ip6_dst,
     0      stevel 			    fport, ip6h->ip6_src) &&
 11042        Erik 			    (connp->conn_zoneid == zoneid ||
 11042        Erik 			    connp->conn_allzones ||
 11042        Erik 			    ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
 11042        Erik 			    (ira->ira_flags & IRAF_TX_MAC_EXEMPTABLE) &&
 11042        Erik 			    (ira->ira_flags & IRAF_TX_SHARED_ADDR))))
     0      stevel 				break;
  1676         jpk 		}
  1676         jpk 
 11042        Erik 		if (connp != NULL && (ira->ira_flags & IRAF_SYSTEM_LABELED) &&
  1676         jpk 		    !tsol_receive_local(mp, &ip6h->ip6_dst, IPV6_VERSION,
 11042        Erik 		    ira, connp)) {
  1676         jpk 			DTRACE_PROBE3(tx__ip__log__info__classify__udp6,
  1676         jpk 			    char *, "connp(1) could not receive mp(2)",
  1676         jpk 			    conn_t *, connp, mblk_t *, mp);
  1676         jpk 			connp = NULL;
     0      stevel 		}
     0      stevel 
     0      stevel 		if (connp != NULL) {
     0      stevel 			CONN_INC_REF(connp);
     0      stevel 			mutex_exit(&connfp->connf_lock);
     0      stevel 			return (connp);
     0      stevel 		}
     0      stevel 
     0      stevel 		/*
     0      stevel 		 * We shouldn't come here for multicast/broadcast packets
     0      stevel 		 */
     0      stevel 		mutex_exit(&connfp->connf_lock);
     0      stevel 		break;
 10616   Sebastien 	case IPPROTO_ENCAP:
 10616   Sebastien 	case IPPROTO_IPV6:
 10616   Sebastien 		return (ipcl_iptun_classify_v6(&ip6h->ip6_src,
 10616   Sebastien 		    &ip6h->ip6_dst, ipst));
     0      stevel 	}
     0      stevel 
     0      stevel 	return (NULL);
     0      stevel }
     0      stevel 
     0      stevel /*
     0      stevel  * wrapper around ipcl_classify_(v4,v6) routines.
     0      stevel  */
     0      stevel conn_t *
 11042        Erik ipcl_classify(mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst)
     0      stevel {
 11042        Erik 	if (ira->ira_flags & IRAF_IS_IPV4) {
 11042        Erik 		return (ipcl_classify_v4(mp, ira->ira_protocol,
 11042        Erik 		    ira->ira_ip_hdr_length, ira, ipst));
 11042        Erik 	} else {
 11042        Erik 		return (ipcl_classify_v6(mp, ira->ira_protocol,
 11042        Erik 		    ira->ira_ip_hdr_length, ira, ipst));
     0      stevel 	}
     0      stevel }
     0      stevel 
 11042        Erik /*
 11042        Erik  * Only used to classify SCTP RAW sockets
 11042        Erik  */
     0      stevel conn_t *
 11042        Erik ipcl_classify_raw(mblk_t *mp, uint8_t protocol, uint32_t ports,
 11042        Erik     ipha_t *ipha, ip6_t *ip6h, ip_recv_attr_t *ira, ip_stack_t *ipst)
     0      stevel {
  1676         jpk 	connf_t		*connfp;
     0      stevel 	conn_t		*connp;
     0      stevel 	in_port_t	lport;
 11042        Erik 	int		ipversion;
  1676         jpk 	const void	*dst;
 11042        Erik 	zoneid_t	zoneid = ira->ira_zoneid;
     0      stevel 
     0      stevel 	lport = ((uint16_t *)&ports)[1];
 11042        Erik 	if (ira->ira_flags & IRAF_IS_IPV4) {
 11042        Erik 		dst = (const void *)&ipha->ipha_dst;
 11042        Erik 		ipversion = IPV4_VERSION;
 11042        Erik 	} else {
 11042        Erik 		dst = (const void *)&ip6h->ip6_dst;
 11042        Erik 		ipversion = IPV6_VERSION;
  1676         jpk 	}
  1676         jpk 
  3448    dh155122 	connfp = &ipst->ips_ipcl_raw_fanout[IPCL_RAW_HASH(ntohs(lport), ipst)];
     0      stevel 	mutex_enter(&connfp->connf_lock);
     0      stevel 	for (connp = connfp->connf_head; connp != NULL;
     0      stevel 	    connp = connp->conn_next) {
     0      stevel 		/* We don't allow v4 fallback for v6 raw socket. */
 11042        Erik 		if (ipversion != connp->conn_ipversion)
     0      stevel 			continue;
 11042        Erik 		if (!IN6_IS_ADDR_UNSPECIFIED(&connp->conn_faddr_v6) &&
 11042        Erik 		    !IN6_IS_ADDR_V4MAPPED_ANY(&connp->conn_faddr_v6)) {
 11042        Erik 			if (ipversion == IPV4_VERSION) {
  1676         jpk 				if (!IPCL_CONN_MATCH(connp, protocol,
 11042        Erik 				    ipha->ipha_src, ipha->ipha_dst, ports))
  1676         jpk 					continue;
     0      stevel 			} else {
  1676         jpk 				if (!IPCL_CONN_MATCH_V6(connp, protocol,
 11042        Erik 				    ip6h->ip6_src, ip6h->ip6_dst, ports))
  1676         jpk 					continue;
     0      stevel 			}
     0      stevel 		} else {
 11042        Erik 			if (ipversion == IPV4_VERSION) {
  1676         jpk 				if (!IPCL_BIND_MATCH(connp, protocol,
 11042        Erik 				    ipha->ipha_dst, lport))
  1676         jpk 					continue;
     0      stevel 			} else {
  1676         jpk 				if (!IPCL_BIND_MATCH_V6(connp, protocol,
 11042        Erik 				    ip6h->ip6_dst, lport))
  1676         jpk 					continue;
     0      stevel 			}
     0      stevel 		}
  1676         jpk 
 11042        Erik 		if (connp->conn_zoneid == zoneid ||
 11042        Erik 		    connp->conn_allzones ||
 11042        Erik 		    ((connp->conn_mac_mode != CONN_MAC_DEFAULT) &&
 11042        Erik 		    (ira->ira_flags & IRAF_TX_MAC_EXEMPTABLE) &&
 11042        Erik 		    (ira->ira_flags & IRAF_TX_SHARED_ADDR)))
  1676         jpk 			break;
  1676         jpk 	}
 11042        Erik 
 11042        Erik 	if (connp != NULL && (ira->ira_flags & IRAF_SYSTEM_LABELED) &&
 11042        Erik 	    !tsol_receive_local(mp, dst, ipversion, ira, connp)) {
  1676         jpk 		DTRACE_PROBE3(tx__ip__log__info__classify__rawip,
  1676         jpk 		    char *, "connp(1) could not receive mp(2)",
  1676         jpk 		    conn_t *, connp, mblk_t *, mp);
  1676         jpk 		connp = NULL;
     0      stevel 	}
   409      kcpoon 
   409      kcpoon 	if (connp != NULL)
   409      kcpoon 		goto found;
   409      kcpoon 	mutex_exit(&connfp->connf_lock);
   409      kcpoon 
 11042        Erik 	/* Try to look for a wildcard SCTP RAW socket match. */
  3448    dh155122 	connfp = &ipst->ips_ipcl_raw_fanout[IPCL_RAW_HASH(0, ipst)];
   409      kcpoon 	mutex_enter(&connfp->connf_lock);
   409      kcpoon 	for (connp = connfp->connf_head; connp != NULL;
   409      kcpoon 	    connp = connp->conn_next) {
   409      kcpoon 		/* We don't allow v4 fallback for v6 raw socket. */
 11042        Erik 		if (ipversion != connp->conn_ipversion)
   409      kcpoon 			continue;
 11042        Erik 		if (!IPCL_ZONE_MATCH(connp, zoneid))
 11042        Erik 			continue;
 11042        Erik 
 11042        Erik 		if (ipversion == IPV4_VERSION) {
 11042        Erik 			if (IPCL_RAW_MATCH(connp, protocol, ipha->ipha_dst))
   409      kcpoon 				break;
   409      kcpoon 		} else {
 11042        Erik 			if (IPCL_RAW_MATCH_V6(connp, protocol, ip6h->ip6_dst)) {
   409      kcpoon 				break;
   409      kcpoon 			}
   409      kcpoon 		}
     0      stevel 	}
   409      kcpoon 
   409      kcpoon 	if (connp != NULL)
   409      kcpoon 		goto found;
   409      kcpoon 
     0      stevel 	mutex_exit(&connfp->connf_lock);
     0      stevel 	return (NULL);
   409      kcpoon 
   409      kcpoon found:
   409      kcpoon 	ASSERT(connp != NULL);
   409      kcpoon 	CONN_INC_REF(connp);
   409      kcpoon 	mutex_exit(&connfp->connf_lock);
   409      kcpoon 	return (connp);
     0      stevel }
     0      stevel 
     0      stevel /* ARGSUSED */
     0      stevel static int
  5240    nordmark tcp_conn_constructor(void *buf, void *cdrarg, int kmflags)
     0      stevel {
     0      stevel 	itc_t	*itc = (itc_t *)buf;
     0      stevel 	conn_t 	*connp = &itc->itc_conn;
  5240    nordmark 	tcp_t	*tcp = (tcp_t *)&itc[1];
  5240    nordmark 
  5240    nordmark 	bzero(connp, sizeof (conn_t));
  5240    nordmark 	bzero(tcp, sizeof (tcp_t));
  5240    nordmark 
  5240    nordmark 	mutex_init(&connp->conn_lock, NULL, MUTEX_DEFAULT, NULL);
  5240    nordmark 	cv_init(&connp->conn_cv, NULL, CV_DEFAULT, NULL);
  8348        Eric 	cv_init(&connp->conn_sq_cv, NULL, CV_DEFAULT, NULL);
 11042        Erik 	tcp->tcp_timercache = tcp_timermp_alloc(kmflags);
 11042        Erik 	if (tcp->tcp_timercache == NULL)
 11042        Erik 		return (ENOMEM);
     0      stevel 	connp->conn_tcp = tcp;
     0      stevel 	connp->conn_flags = IPCL_TCPCONN;
 11042        Erik 	connp->conn_proto = IPPROTO_TCP;
     0      stevel 	tcp->tcp_connp = connp;
 11042        Erik 	rw_init(&connp->conn_ilg_lock, NULL, RW_DEFAULT, NULL);
 11042        Erik 
 11042        Erik 	connp->conn_ixa = kmem_zalloc(sizeof (ip_xmit_attr_t), kmflags);
 11042        Erik 	if (connp->conn_ixa == NULL) {
 11042        Erik 		tcp_timermp_free(tcp);
 11042        Erik 		return (ENOMEM);
 11042        Erik 	}
 11042        Erik 	connp->conn_ixa->ixa_refcnt = 1;
 11042        Erik 	connp->conn_ixa->ixa_protocol = connp->conn_proto;
 11042        Erik 	connp->conn_ixa->ixa_xmit_hint = CONN_TO_XMIT_HINT(connp);
     0      stevel 	return (0);
     0      stevel }
     0      stevel 
     0      stevel /* ARGSUSED */
     0      stevel static void
  5240    nordmark tcp_conn_destructor(void *buf, void *cdrarg)
     0      stevel {
  5240    nordmark 	itc_t	*itc = (itc_t *)buf;
  5240    nordmark 	conn_t 	*connp = &itc->itc_conn;
  5240    nordmark 	tcp_t	*tcp = (tcp_t *)&itc[1];
  5240    nordmark 
  5240    nordmark 	ASSERT(connp->conn_flags & IPCL_TCPCONN);
  5240    nordmark 	ASSERT(tcp->tcp_connp == connp);
  5240    nordmark 	ASSERT(connp->conn_tcp == tcp);
  5240    nordmark 	tcp_timermp_free(tcp);
  5240    nordmark 	mutex_destroy(&connp->conn_lock);
  5240    nordmark 	cv_destroy(&connp->conn_cv);
  8348        Eric 	cv_destroy(&connp->conn_sq_cv);
 11042        Erik 	rw_destroy(&connp->conn_ilg_lock);
 11042        Erik 
 11042        Erik 	/* Can be NULL if constructor failed */
 11042        Erik 	if (connp->conn_ixa != NULL) {
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_refcnt == 1);
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_ire == NULL);
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_nce == NULL);
 11042        Erik 		ixa_refrele(connp->conn_ixa);
 11042        Erik 	}
  5240    nordmark }
  5240    nordmark 
  5240    nordmark /* ARGSUSED */
  5240    nordmark static int
  5240    nordmark ip_conn_constructor(void *buf, void *cdrarg, int kmflags)
  5240    nordmark {
  5240    nordmark 	itc_t	*itc = (itc_t *)buf;
  5240    nordmark 	conn_t 	*connp = &itc->itc_conn;
  5240    nordmark 
  5240    nordmark 	bzero(connp, sizeof (conn_t));
  5240    nordmark 	mutex_init(&connp->conn_lock, NULL, MUTEX_DEFAULT, NULL);
  5240    nordmark 	cv_init(&connp->conn_cv, NULL, CV_DEFAULT, NULL);
  5240    nordmark 	connp->conn_flags = IPCL_IPCCONN;
 11042        Erik 	rw_init(&connp->conn_ilg_lock, NULL, RW_DEFAULT, NULL);
  5240    nordmark 
 11042        Erik 	connp->conn_ixa = kmem_zalloc(sizeof (ip_xmit_attr_t), kmflags);
 11042        Erik 	if (connp->conn_ixa == NULL)
 11042        Erik 		return (ENOMEM);
 11042        Erik 	connp->conn_ixa->ixa_refcnt = 1;
 11042        Erik 	connp->conn_ixa->ixa_xmit_hint = CONN_TO_XMIT_HINT(connp);
  5240    nordmark 	return (0);
  5240    nordmark }
  5240    nordmark 
  5240    nordmark /* ARGSUSED */
  5240    nordmark static void
  5240    nordmark ip_conn_destructor(void *buf, void *cdrarg)
  5240    nordmark {
  5240    nordmark 	itc_t	*itc = (itc_t *)buf;
  5240    nordmark 	conn_t 	*connp = &itc->itc_conn;
  5240    nordmark 
  5240    nordmark 	ASSERT(connp->conn_flags & IPCL_IPCCONN);
  5240    nordmark 	ASSERT(connp->conn_priv == NULL);
  5240    nordmark 	mutex_destroy(&connp->conn_lock);
  5240    nordmark 	cv_destroy(&connp->conn_cv);
 11042        Erik 	rw_destroy(&connp->conn_ilg_lock);
 11042        Erik 
 11042        Erik 	/* Can be NULL if constructor failed */
 11042        Erik 	if (connp->conn_ixa != NULL) {
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_refcnt == 1);
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_ire == NULL);
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_nce == NULL);
 11042        Erik 		ixa_refrele(connp->conn_ixa);
 11042        Erik 	}
  5240    nordmark }
  5240    nordmark 
  5240    nordmark /* ARGSUSED */
  5240    nordmark static int
  5240    nordmark udp_conn_constructor(void *buf, void *cdrarg, int kmflags)
  5240    nordmark {
  5240    nordmark 	itc_t	*itc = (itc_t *)buf;
  5240    nordmark 	conn_t 	*connp = &itc->itc_conn;
  5240    nordmark 	udp_t	*udp = (udp_t *)&itc[1];
  5240    nordmark 
  5240    nordmark 	bzero(connp, sizeof (conn_t));
  5240    nordmark 	bzero(udp, sizeof (udp_t));
  5240    nordmark 
  5240    nordmark 	mutex_init(&connp->conn_lock, NULL, MUTEX_DEFAULT, NULL);
  5240    nordmark 	cv_init(&connp->conn_cv, NULL, CV_DEFAULT, NULL);
  5240    nordmark 	connp->conn_udp = udp;
  5240    nordmark 	connp->conn_flags = IPCL_UDPCONN;
 11042        Erik 	connp->conn_proto = IPPROTO_UDP;
  5240    nordmark 	udp->udp_connp = connp;
 11042        Erik 	rw_init(&connp->conn_ilg_lock, NULL, RW_DEFAULT, NULL);
 11042        Erik 	connp->conn_ixa = kmem_zalloc(sizeof (ip_xmit_attr_t), kmflags);
 11042        Erik 	if (connp->conn_ixa == NULL)
 11042        Erik 		return (ENOMEM);
 11042        Erik 	connp->conn_ixa->ixa_refcnt = 1;
 11042        Erik 	connp->conn_ixa->ixa_protocol = connp->conn_proto;
 11042        Erik 	connp->conn_ixa->ixa_xmit_hint = CONN_TO_XMIT_HINT(connp);
  5240    nordmark 	return (0);
  5240    nordmark }
  5240    nordmark 
  5240    nordmark /* ARGSUSED */
  5240    nordmark static void
  5240    nordmark udp_conn_destructor(void *buf, void *cdrarg)
  5240    nordmark {
  5240    nordmark 	itc_t	*itc = (itc_t *)buf;
  5240    nordmark 	conn_t 	*connp = &itc->itc_conn;
  5240    nordmark 	udp_t	*udp = (udp_t *)&itc[1];
  5240    nordmark 
  5240    nordmark 	ASSERT(connp->conn_flags & IPCL_UDPCONN);
  5240    nordmark 	ASSERT(udp->udp_connp == connp);
  5240    nordmark 	ASSERT(connp->conn_udp == udp);
  5240    nordmark 	mutex_destroy(&connp->conn_lock);
  5240    nordmark 	cv_destroy(&connp->conn_cv);
 11042        Erik 	rw_destroy(&connp->conn_ilg_lock);
 11042        Erik 
 11042        Erik 	/* Can be NULL if constructor failed */
 11042        Erik 	if (connp->conn_ixa != NULL) {
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_refcnt == 1);
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_ire == NULL);
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_nce == NULL);
 11042        Erik 		ixa_refrele(connp->conn_ixa);
 11042        Erik 	}
  5240    nordmark }
  5240    nordmark 
  5240    nordmark /* ARGSUSED */
  5240    nordmark static int
  5240    nordmark rawip_conn_constructor(void *buf, void *cdrarg, int kmflags)
  5240    nordmark {
  5240    nordmark 	itc_t	*itc = (itc_t *)buf;
  5240    nordmark 	conn_t 	*connp = &itc->itc_conn;
  5240    nordmark 	icmp_t	*icmp = (icmp_t *)&itc[1];
  5240    nordmark 
  5240    nordmark 	bzero(connp, sizeof (conn_t));
  5240    nordmark 	bzero(icmp, sizeof (icmp_t));
  5240    nordmark 
  5240    nordmark 	mutex_init(&connp->conn_lock, NULL, MUTEX_DEFAULT, NULL);
  5240    nordmark 	cv_init(&connp->conn_cv, NULL, CV_DEFAULT, NULL);
  5240    nordmark 	connp->conn_icmp = icmp;
  5240    nordmark 	connp->conn_flags = IPCL_RAWIPCONN;
 11042        Erik 	connp->conn_proto = IPPROTO_ICMP;
  5240    nordmark 	icmp->icmp_connp = connp;
 11042        Erik 	rw_init(&connp->conn_ilg_lock, NULL, RW_DEFAULT, NULL);
 11042        Erik 	connp->conn_ixa = kmem_zalloc(sizeof (ip_xmit_attr_t), kmflags);
 11042        Erik 	if (connp->conn_ixa == NULL)
 11042        Erik 		return (ENOMEM);
 11042        Erik 	connp->conn_ixa->ixa_refcnt = 1;
 11042        Erik 	connp->conn_ixa->ixa_protocol = connp->conn_proto;
 11042        Erik 	connp->conn_ixa->ixa_xmit_hint = CONN_TO_XMIT_HINT(connp);
  5240    nordmark 	return (0);
  5240    nordmark }
  5240    nordmark 
  5240    nordmark /* ARGSUSED */
  5240    nordmark static void
  5240    nordmark rawip_conn_destructor(void *buf, void *cdrarg)
  5240    nordmark {
  5240    nordmark 	itc_t	*itc = (itc_t *)buf;
  5240    nordmark 	conn_t 	*connp = &itc->itc_conn;
  5240    nordmark 	icmp_t	*icmp = (icmp_t *)&itc[1];
  5240    nordmark 
  5240    nordmark 	ASSERT(connp->conn_flags & IPCL_RAWIPCONN);
  5240    nordmark 	ASSERT(icmp->icmp_connp == connp);
  5240    nordmark 	ASSERT(connp->conn_icmp == icmp);
  5240    nordmark 	mutex_destroy(&connp->conn_lock);
  5240    nordmark 	cv_destroy(&connp->conn_cv);
 11042        Erik 	rw_destroy(&connp->conn_ilg_lock);
 11042        Erik 
 11042        Erik 	/* Can be NULL if constructor failed */
 11042        Erik 	if (connp->conn_ixa != NULL) {
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_refcnt == 1);
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_ire == NULL);
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_nce == NULL);
 11042        Erik 		ixa_refrele(connp->conn_ixa);
 11042        Erik 	}
  5240    nordmark }
  5240    nordmark 
  5240    nordmark /* ARGSUSED */
  5240    nordmark static int
  5240    nordmark rts_conn_constructor(void *buf, void *cdrarg, int kmflags)
  5240    nordmark {
  5240    nordmark 	itc_t	*itc = (itc_t *)buf;
  5240    nordmark 	conn_t 	*connp = &itc->itc_conn;
  5240    nordmark 	rts_t	*rts = (rts_t *)&itc[1];
  5240    nordmark 
  5240    nordmark 	bzero(connp, sizeof (conn_t));
  5240    nordmark 	bzero(rts, sizeof (rts_t));
  5240    nordmark 
  5240    nordmark 	mutex_init(&connp->conn_lock, NULL, MUTEX_DEFAULT, NULL);
  5240    nordmark 	cv_init(&connp->conn_cv, NULL, CV_DEFAULT, NULL);
  5240    nordmark 	connp->conn_rts = rts;
  5240    nordmark 	connp->conn_flags = IPCL_RTSCONN;
  5240    nordmark 	rts->rts_connp = connp;
 11042        Erik 	rw_init(&connp->conn_ilg_lock, NULL, RW_DEFAULT, NULL);
 11042        Erik 	connp->conn_ixa = kmem_zalloc(sizeof (ip_xmit_attr_t), kmflags);
 11042        Erik 	if (connp->conn_ixa == NULL)
 11042        Erik 		return (ENOMEM);
 11042        Erik 	connp->conn_ixa->ixa_refcnt = 1;
 11042        Erik 	connp->conn_ixa->ixa_xmit_hint = CONN_TO_XMIT_HINT(connp);
  5240    nordmark 	return (0);
  5240    nordmark }
  5240    nordmark 
  5240    nordmark /* ARGSUSED */
  5240    nordmark static void
  5240    nordmark rts_conn_destructor(void *buf, void *cdrarg)
  5240    nordmark {
  5240    nordmark 	itc_t	*itc = (itc_t *)buf;
  5240    nordmark 	conn_t 	*connp = &itc->itc_conn;
  5240    nordmark 	rts_t	*rts = (rts_t *)&itc[1];
  5240    nordmark 
  5240    nordmark 	ASSERT(connp->conn_flags & IPCL_RTSCONN);
  5240    nordmark 	ASSERT(rts->rts_connp == connp);
  5240    nordmark 	ASSERT(connp->conn_rts == rts);
  5240    nordmark 	mutex_destroy(&connp->conn_lock);
  5240    nordmark 	cv_destroy(&connp->conn_cv);
 11042        Erik 	rw_destroy(&connp->conn_ilg_lock);
 11042        Erik 
 11042        Erik 	/* Can be NULL if constructor failed */
 11042        Erik 	if (connp->conn_ixa != NULL) {
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_refcnt == 1);
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_ire == NULL);
 11042        Erik 		ASSERT(connp->conn_ixa->ixa_nce == NULL);
 11042        Erik 		ixa_refrele(connp->conn_ixa);
 11042        Erik 	}
  5240    nordmark }
  8348        Eric 
  5240    nordmark /*
  5240    nordmark  * Called as part of ipcl_conn_destroy to assert and clear any pointers
  5240    nordmark  * in the conn_t.
 11042        Erik  *
 11042        Erik  * Below we list all the pointers in the conn_t as a documentation aid.
 11042        Erik  * The ones that we can not ASSERT to be NULL are #ifdef'ed out.
 11042        Erik  * If you add any pointers to the conn_t please add an ASSERT here
 11042        Erik  * and #ifdef it out if it can't be actually asserted to be NULL.
 11042        Erik  * In any case, we bzero most of the conn_t at the end of the function.
  5240    nordmark  */
  5240    nordmark void
  5240    nordmark ipcl_conn_cleanup(conn_t *connp)
  5240    nordmark {
 11042        Erik 	ip_xmit_attr_t	*ixa;
 11042        Erik 
  5240    nordmark 	ASSERT(connp->conn_latch == NULL);
 11042        Erik 	ASSERT(connp->conn_latch_in_policy == NULL);
 11042        Erik 	ASSERT(connp->conn_latch_in_action == NULL);
  5240    nordmark #ifdef notdef
  5240    nordmark 	ASSERT(connp->conn_rq == NULL);
  5240    nordmark 	ASSERT(connp->conn_wq == NULL);
  5240    nordmark #endif
  5240    nordmark 	ASSERT(connp->conn_cred == NULL);
  5240    nordmark 	ASSERT(connp->conn_g_fanout == NULL);
  5240    nordmark 	ASSERT(connp->conn_g_next == NULL);
  5240    nordmark 	ASSERT(connp->conn_g_prev == NULL);
  5240    nordmark 	ASSERT(connp->conn_policy == NULL);
  5240    nordmark 	ASSERT(connp->conn_fanout == NULL);
  5240    nordmark 	ASSERT(connp->conn_next == NULL);
  5240    nordmark 	ASSERT(connp->conn_prev == NULL);
  5240    nordmark 	ASSERT(connp->conn_oper_pending_ill == NULL);
  5240    nordmark 	ASSERT(connp->conn_ilg == NULL);
  5240    nordmark 	ASSERT(connp->conn_drain_next == NULL);
  5240    nordmark 	ASSERT(connp->conn_drain_prev == NULL);
  5277    nordmark #ifdef notdef
  5277    nordmark 	/* conn_idl is not cleared when removed from idl list */
  5240    nordmark 	ASSERT(connp->conn_idl == NULL);
  5277    nordmark #endif
  5240    nordmark 	ASSERT(connp->conn_ipsec_opt_mp == NULL);
 11042        Erik #ifdef notdef
 11042        Erik 	/* conn_netstack is cleared by the caller; needed by ixa_cleanup */
  5240    nordmark 	ASSERT(connp->conn_netstack == NULL);
 11042        Erik #endif
  5240    nordmark 
  8348        Eric 	ASSERT(connp->conn_helper_info == NULL);
 11042        Erik 	ASSERT(connp->conn_ixa != NULL);
 11042        Erik 	ixa = connp->conn_ixa;
 11042        Erik 	ASSERT(ixa->ixa_refcnt == 1);
 11042        Erik 	/* Need to preserve ixa_protocol */
 11042        Erik 	ixa_cleanup(ixa);
 11042        Erik 	ixa->ixa_flags = 0;
 11042        Erik 
  5240    nordmark 	/* Clear out the conn_t fields that are not preserved */
  5240    nordmark 	bzero(&connp->conn_start_clr,
  5240    nordmark 	    sizeof (conn_t) -
  5240    nordmark 	    ((uchar_t *)&connp->conn_start_clr - (uchar_t *)connp));
     0      stevel }
     0      stevel 
     0      stevel /*
     0      stevel  * All conns are inserted in a global multi-list for the benefit of
     0      stevel  * walkers. The walk is guaranteed to walk all open conns at the time
     0      stevel  * of the start of the walk exactly once. This property is needed to
     0      stevel  * achieve some cleanups during unplumb of interfaces. This is achieved
     0      stevel  * as follows.
     0      stevel  *
     0      stevel  * ipcl_conn_create and ipcl_conn_destroy are the only functions that
     0      stevel  * call the insert and delete functions below at creation and deletion
     0      stevel  * time respectively. The conn never moves or changes its position in this
     0      stevel  * multi-list during its lifetime. CONN_CONDEMNED ensures that the refcnt
     0      stevel  * won't increase due to walkers, once the conn deletion has started. Note
     0      stevel  * that we can't remove the conn from the global list and then wait for
     0      stevel  * the refcnt to drop to zero, since walkers would then see a truncated
     0      stevel  * list. CONN_INCIPIENT ensures that walkers don't start looking at
     0      stevel  * conns until ip_open is ready to make them globally visible.
     0      stevel  * The global round robin multi-list locks are held only to get the
     0      stevel  * next member/insertion/deletion and contention should be negligible
     0      stevel  * if the multi-list is much greater than the number of cpus.
     0      stevel  */
     0      stevel void
     0      stevel ipcl_globalhash_insert(conn_t *connp)
     0      stevel {
     0      stevel 	int	index;
  3448    dh155122 	struct connf_s	*connfp;
  3448    dh155122 	ip_stack_t	*ipst = connp->conn_netstack->netstack_ip;
     0      stevel 
     0      stevel 	/*
     0      stevel 	 * No need for atomic here. Approximate even distribution
     0      stevel 	 * in the global lists is sufficient.
     0      stevel 	 */
  3448    dh155122 	ipst->ips_conn_g_index++;
  3448    dh155122 	index = ipst->ips_conn_g_index & (CONN_G_HASH_SIZE - 1);
     0      stevel 
     0      stevel 	connp->conn_g_prev = NULL;
     0      stevel 	/*
     0      stevel 	 * Mark as INCIPIENT, so that walkers will ignore this
     0      stevel 	 * for now, till ip_open is ready to make it visible globally.
     0      stevel 	 */
     0      stevel 	connp->conn_state_flags |= CONN_INCIPIENT;
     0      stevel 
  3448    dh155122 	connfp = &ipst->ips_ipcl_globalhash_fanout[index];
     0      stevel 	/* Insert at the head of the list */
  3448    dh155122 	mutex_enter(&connfp->connf_lock);
  3448    dh155122 	connp->conn_g_next = connfp->connf_head;
     0      stevel 	if (connp->conn_g_next != NULL)
     0      stevel 		connp->conn_g_next->conn_g_prev = connp;
  3448    dh155122 	connfp->connf_head = connp;
     0      stevel 
     0      stevel 	/* The fanout bucket this conn points to */
  3448    dh155122 	connp->conn_g_fanout = connfp;
     0      stevel 
  3448    dh155122 	mutex_exit(&connfp->connf_lock);
     0      stevel }
     0      stevel 
     0      stevel void
     0      stevel ipcl_globalhash_remove(conn_t *connp)
     0      stevel {
  3448    dh155122 	struct connf_s	*connfp;
  3448    dh155122 
     0      stevel 	/*
     0      stevel 	 * We were never inserted in the global multi list.
     0      stevel 	 * IPCL_NONE variety is never inserted in the global multilist
     0      stevel 	 * since it is presumed to not need any cleanup and is transient.
     0      stevel 	 */
     0      stevel 	if (connp->conn_g_fanout == NULL)
     0      stevel 		return;
     0      stevel 
  3448    dh155122 	connfp = connp->conn_g_fanout;
  3448    dh155122 	mutex_enter(&connfp->connf_lock);
     0      stevel 	if (connp->conn_g_prev != NULL)
     0      stevel 		connp->conn_g_prev->conn_g_next = connp->conn_g_next;
     0      stevel 	else
  3448    dh155122 		connfp->connf_head = connp->conn_g_next;
     0      stevel 	if (connp->conn_g_next != NULL)
     0      stevel 		connp->conn_g_next->conn_g_prev = connp->conn_g_prev;
  3448    dh155122 	mutex_exit(&connfp->connf_lock);
     0      stevel 
     0      stevel 	/* Better to stumble on a null pointer than to corrupt memory */
     0      stevel 	connp->conn_g_next = NULL;
     0      stevel 	connp->conn_g_prev = NULL;
  5240    nordmark 	connp->conn_g_fanout = NULL;
     0      stevel }
     0      stevel 
     0      stevel /*
     0      stevel  * Walk the list of all conn_t's in the system, calling the function provided
 11042        Erik  * With the specified argument for each.
     0      stevel  * Applies to both IPv4 and IPv6.
     0      stevel  *
 11042        Erik  * CONNs may hold pointers to ills (conn_dhcpinit_ill and
 11042        Erik  * conn_oper_pending_ill). To guard against stale pointers
     0      stevel  * ipcl_walk() is called to cleanup the conn_t's, typically when an interface is
     0      stevel  * unplumbed or removed. New conn_t's that are created while we are walking
     0      stevel  * may be missed by this walk, because they are not necessarily inserted
     0      stevel  * at the tail of the list. They are new conn_t's and thus don't have any
     0      stevel  * stale pointers. The CONN_CLOSING flag ensures that no new reference
     0      stevel  * is created to the struct that is going away.
     0      stevel  */
     0      stevel void
  3448    dh155122 ipcl_walk(pfv_t func, void *arg, ip_stack_t *ipst)
     0      stevel {
     0      stevel 	int	i;
     0      stevel 	conn_t	*connp;
     0      stevel 	conn_t	*prev_connp;
     0      stevel 
     0      stevel 	for (i = 0; i < CONN_G_HASH_SIZE; i++) {
  3448    dh155122 		mutex_enter(&ipst->ips_ipcl_globalhash_fanout[i].connf_lock);
     0      stevel 		prev_connp = NULL;
  3448    dh155122 		connp = ipst->ips_ipcl_globalhash_fanout[i].connf_head;
     0      stevel 		while (connp != NULL) {
     0      stevel 			mutex_enter(&connp->conn_lock);
     0      stevel 			if (connp->conn_state_flags &
     0      stevel 			    (CONN_CONDEMNED | CONN_INCIPIENT)) {
     0      stevel 				mutex_exit(&connp->conn_lock);
     0      stevel 				connp = connp->conn_g_next;
     0      stevel 				continue;
     0      stevel 			}
     0      stevel 			CONN_INC_REF_LOCKED(connp);
     0      stevel 			mutex_exit(&connp->conn_lock);
  3448    dh155122 			mutex_exit(
  3448    dh155122 			    &ipst->ips_ipcl_globalhash_fanout[i].connf_lock);
     0      stevel 			(*func)(connp, arg);
     0      stevel 			if (prev_connp != NULL)
     0      stevel 				CONN_DEC_REF(prev_connp);
  3448    dh155122 			mutex_enter(
  3448    dh155122 			    &ipst->ips_ipcl_globalhash_fanout[i].connf_lock);
     0      stevel 			prev_connp = connp;
     0      stevel 			connp = connp->conn_g_next;
     0      stevel 		}
  3448    dh155122 		mutex_exit(&ipst->ips_ipcl_globalhash_fanout[i].connf_lock);
     0      stevel 		if (prev_connp != NULL)
     0      stevel 			CONN_DEC_REF(prev_connp);
     0      stevel 	}
     0      stevel }
     0      stevel 
     0      stevel /*
     0      stevel  * Search for a peer TCP/IPv4 loopback conn by doing a reverse lookup on
     0      stevel  * the {src, dst, lport, fport} quadruplet.  Returns with conn reference
     0      stevel  * held; caller must call CONN_DEC_REF.  Only checks for connected entries
  2323    ethindra  * (peer tcp in ESTABLISHED state).
     0      stevel  */
     0      stevel conn_t *
 11042        Erik ipcl_conn_tcp_lookup_reversed_ipv4(conn_t *connp, ipha_t *ipha, tcpha_t *tcpha,
  3448    dh155122     ip_stack_t *ipst)
     0      stevel {
     0      stevel 	uint32_t ports;
     0      stevel 	uint16_t *pports = (uint16_t *)&ports;
     0      stevel 	connf_t	*connfp;
     0      stevel 	conn_t	*tconnp;
     0      stevel 	boolean_t zone_chk;
     0      stevel 
     0      stevel 	/*
     0      stevel 	 * If either the source of destination address is loopback, then
     0      stevel 	 * both endpoints must be in the same Zone.  Otherwise, both of
     0      stevel 	 * the addresses are system-wide unique (tcp is in ESTABLISHED
     0      stevel 	 * state) and the endpoints may reside in different Zones.
     0      stevel 	 */
     0      stevel 	zone_chk = (ipha->ipha_src == htonl(INADDR_LOOPBACK) ||
     0      stevel 	    ipha->ipha_dst == htonl(INADDR_LOOPBACK));
     0      stevel 
 11042        Erik 	pports[0] = tcpha->tha_fport;
 11042        Erik 	pports[1] = tcpha->tha_lport;
     0      stevel 
  3448    dh155122 	connfp = &ipst->ips_ipcl_conn_fanout[IPCL_CONN_HASH(ipha->ipha_dst,
  3448    dh155122 	    ports, ipst)];
     0      stevel 
     0      stevel 	mutex_enter(&connfp->connf_lock);
     0      stevel 	for (tconnp = connfp->connf_head; tconnp != NULL;
     0      stevel 	    tconnp = tconnp->conn_next) {
     0      stevel 
     0      stevel 		if (IPCL_CONN_MATCH(tconnp, IPPROTO_TCP,
     0      stevel 		    ipha->ipha_dst, ipha->ipha_src, ports) &&
  2323    ethindra 		    tconnp->conn_tcp->tcp_state == TCPS_ESTABLISHED &&
     0      stevel 		    (!zone_chk || tconnp->conn_zoneid == connp->conn_zoneid)) {
     0      stevel 
     0      stevel 			ASSERT(tconnp != connp);
     0      stevel 			CONN_INC_REF(tconnp);
     0      stevel 			mutex_exit(&connfp->connf_lock);
     0      stevel 			return (tconnp);
     0      stevel 		}
     0      stevel 	}
     0      stevel 	mutex_exit(&connfp->connf_lock);
     0      stevel 	return (NULL);
     0      stevel }
     0      stevel 
     0      stevel /*
     0      stevel  * Search for a peer TCP/IPv6 loopback conn by doing a reverse lookup on
     0      stevel  * the {src, dst, lport, fport} quadruplet.  Returns with conn reference
     0      stevel  * held; caller must call CONN_DEC_REF.  Only checks for connected entries
  2323    ethindra  * (peer tcp in ESTABLISHED state).
     0      stevel  */
     0      stevel conn_t *
 11042        Erik ipcl_conn_tcp_lookup_reversed_ipv6(conn_t *connp, ip6_t *ip6h, tcpha_t *tcpha,
  3448    dh155122     ip_stack_t *ipst)
     0      stevel {
     0      stevel 	uint32_t ports;
     0      stevel 	uint16_t *pports = (uint16_t *)&ports;
     0      stevel 	connf_t	*connfp;
     0      stevel 	conn_t	*tconnp;
     0      stevel 	boolean_t zone_chk;
     0      stevel 
     0      stevel 	/*
     0      stevel 	 * If either the source of destination address is loopback, then
     0      stevel 	 * both endpoints must be in the same Zone.  Otherwise, both of
     0      stevel 	 * the addresses are system-wide unique (tcp is in ESTABLISHED
     0      stevel 	 * state) and the endpoints may reside in different Zones.  We
     0      stevel 	 * don't do Zone check for link local address(es) because the
     0      stevel 	 * current Zone implementation treats each link local address as
     0      stevel 	 * being unique per system node, i.e. they belong to global Zone.
     0      stevel 	 */
     0      stevel 	zone_chk = (IN6_IS_ADDR_LOOPBACK(&ip6h->ip6_src) ||
     0      stevel 	    IN6_IS_ADDR_LOOPBACK(&ip6h->ip6_dst));
     0      stevel 
 11042        Erik 	pports[0] = tcpha->tha_fport;
 11042        Erik 	pports[1] = tcpha->tha_lport;
     0      stevel 
  3448    dh155122 	connfp = &ipst->ips_ipcl_conn_fanout[IPCL_CONN_HASH_V6(ip6h->ip6_dst,
  3448    dh155122 	    ports, ipst)];
     0      stevel 
     0      stevel 	mutex_enter(&connfp->connf_lock);
     0      stevel 	for (tconnp = connfp->connf_head; tconnp != NULL;
     0      stevel 	    tconnp = tconnp->conn_next) {
     0      stevel 
 11042        Erik 		/* We skip conn_bound_if check here as this is loopback tcp */
     0      stevel 		if (IPCL_CONN_MATCH_V6(tconnp, IPPROTO_TCP,
     0      stevel 		    ip6h->ip6_dst, ip6h->ip6_src, ports) &&
  2323    ethindra 		    tconnp->conn_tcp->tcp_state == TCPS_ESTABLISHED &&
     0      stevel 		    (!zone_chk || tconnp->conn_zoneid == connp->conn_zoneid)) {
     0      stevel 
     0      stevel 			ASSERT(tconnp != connp);
     0      stevel 			CONN_INC_REF(tconnp);
     0      stevel 			mutex_exit(&connfp->connf_lock);
     0      stevel 			return (tconnp);
     0      stevel 		}
     0      stevel 	}
     0      stevel 	mutex_exit(&connfp->connf_lock);
     0      stevel 	return (NULL);
     0      stevel }
     0      stevel 
     0      stevel /*
     0      stevel  * Find an exact {src, dst, lport, fport} match for a bounced datagram.
     0      stevel  * Returns with conn reference held. Caller must call CONN_DEC_REF.
     0      stevel  * Only checks for connected entries i.e. no INADDR_ANY checks.
     0      stevel  */
     0      stevel conn_t *
 11042        Erik ipcl_tcp_lookup_reversed_ipv4(ipha_t *ipha, tcpha_t *tcpha, int min_state,
  3448    dh155122     ip_stack_t *ipst)
     0      stevel {
     0      stevel 	uint32_t ports;
     0      stevel 	uint16_t *pports;
     0      stevel 	connf_t	*connfp;
     0      stevel 	conn_t	*tconnp;
     0      stevel 
     0      stevel 	pports = (uint16_t *)&ports;
 11042        Erik 	pports[0] = tcpha->tha_fport;
 11042        Erik 	pports[1] = tcpha->tha_lport;
     0      stevel 
  3448    dh155122 	connfp = &ipst->ips_ipcl_conn_fanout[IPCL_CONN_HASH(ipha->ipha_dst,
  4691      kcpoon 	    ports, ipst)];
     0      stevel 
     0      stevel 	mutex_enter(&connfp->connf_lock);
     0      stevel 	for (tconnp = connfp->connf_head; tconnp != NULL;
     0      stevel 	    tconnp = tconnp->conn_next) {
     0      stevel 
     0      stevel 		if (IPCL_CONN_MATCH(tconnp, IPPROTO_TCP,
     0      stevel 		    ipha->ipha_dst, ipha->ipha_src, ports) &&
     0      stevel 		    tconnp->conn_tcp->tcp_state >= min_state) {
     0      stevel 
     0      stevel 			CONN_INC_REF(tconnp);
     0      stevel 			mutex_exit(&connfp->connf_lock);
     0      stevel 			return (tconnp);
     0      stevel 		}
     0      stevel 	}
     0      stevel 	mutex_exit(&connfp->connf_lock);
     0      stevel 	return (NULL);
     0      stevel }
     0      stevel 
     0      stevel /*
     0      stevel  * Find an exact {src, dst, lport, fport} match for a bounced datagram.
     0      stevel  * Returns with conn reference held. Caller must call CONN_DEC_REF.
     0      stevel  * Only checks for connected entries i.e. no INADDR_ANY checks.
     0      stevel  * Match on ifindex in addition to addresses.
     0      stevel  */
     0      stevel conn_t *
     0      stevel ipcl_tcp_lookup_reversed_ipv6(ip6_t *ip6h, tcpha_t *tcpha, int min_state,
  3448    dh155122     uint_t ifindex, ip_stack_t *ipst)
     0      stevel {
     0      stevel 	tcp_t	*tcp;
     0      stevel 	uint32_t ports;
     0      stevel 	uint16_t *pports;
     0      stevel 	connf_t	*connfp;
     0      stevel 	conn_t	*tconnp;
     0      stevel 
     0      stevel 	pports = (uint16_t *)&ports;
     0      stevel 	pports[0] = tcpha->tha_fport;
     0      stevel 	pports[1] = tcpha->tha_lport;
     0      stevel 
  3448    dh155122 	connfp = &ipst->ips_ipcl_conn_fanout[IPCL_CONN_HASH_V6(ip6h->ip6_dst,
  4691      kcpoon 	    ports, ipst)];
     0      stevel 
     0      stevel 	mutex_enter(&connfp->connf_lock);
     0      stevel 	for (tconnp = connfp->connf_head; tconnp != NULL;
     0      stevel 	    tconnp = tconnp->conn_next) {
     0      stevel 
     0      stevel 		tcp = tconnp->conn_tcp;
     0      stevel 		if (IPCL_CONN_MATCH_V6(tconnp, IPPROTO_TCP,
     0      stevel 		    ip6h->ip6_dst, ip6h->ip6_src, ports) &&
     0      stevel 		    tcp->tcp_state >= min_state &&
 11042        Erik 		    (tconnp->conn_bound_if == 0 ||
 11042        Erik 		    tconnp->conn_bound_if == ifindex)) {
     0      stevel 
     0      stevel 			CONN_INC_REF(tconnp);
     0      stevel 			mutex_exit(&connfp->connf_lock);
     0      stevel 			return (tconnp);
     0      stevel 		}
     0      stevel 	}
     0      stevel 	mutex_exit(&connfp->connf_lock);
     0      stevel 	return (NULL);
     0      stevel }
     0      stevel 
     0      stevel /*
  1676         jpk  * Finds a TCP/IPv4 listening connection; called by tcp_disconnect to locate
  1676         jpk  * a listener when changing state.
     0      stevel  */
     0      stevel conn_t *
  3448    dh155122 ipcl_lookup_listener_v4(uint16_t lport, ipaddr_t laddr, zoneid_t zoneid,
  3448    dh155122     ip_stack_t *ipst)
     0      stevel {
     0      stevel 	connf_t		*bind_connfp;
     0      stevel 	conn_t		*connp;
     0      stevel 	tcp_t		*tcp;
     0      stevel 
     0      stevel 	/*
     0      stevel 	 * Avoid false matches for packets sent to an IP destination of
     0      stevel 	 * all zeros.
     0      stevel 	 */
     0      stevel 	if (laddr == 0)
     0      stevel 		return (NULL);
  1676         jpk 
  1676         jpk 	ASSERT(zoneid != ALL_ZONES);
     0      stevel 
  3448    dh155122 	bind_connfp = &ipst->ips_ipcl_bind_fanout[IPCL_BIND_HASH(lport, ipst)];
     0      stevel 	mutex_enter(&bind_connfp->connf_lock);
     0      stevel 	for (connp = bind_connfp->connf_head; connp != NULL;
     0      stevel 	    connp = connp->conn_next) {
     0      stevel 		tcp = connp->conn_tcp;
     0      stevel 		if (IPCL_BIND_MATCH(connp, IPPROTO_TCP, laddr, lport) &&
  2263    sommerfe 		    IPCL_ZONE_MATCH(connp, zoneid) &&
     0      stevel 		    (tcp->tcp_listener == NULL)) {
     0      stevel 			CONN_INC_REF(connp);
     0      stevel 			mutex_exit(&bind_connfp->connf_lock);
     0      stevel 			return (connp);
     0      stevel 		}
     0      stevel 	}
     0      stevel 	mutex_exit(&bind_connfp->connf_lock);
     0      stevel 	return (NULL);
     0      stevel }
     0      stevel 
  1676         jpk /*
  1676         jpk  * Finds a TCP/IPv6 listening connection; called by tcp_disconnect to locate
  1676         jpk  * a listener when changing state.
  1676         jpk  */
     0      stevel conn_t *
     0      stevel ipcl_lookup_listener_v6(uint16_t lport, in6_addr_t *laddr, uint_t ifindex,
  3448    dh155122     zoneid_t zoneid, ip_stack_t *ipst)
     0      stevel {
     0      stevel 	connf_t		*bind_connfp;
     0      stevel 	conn_t		*connp = NULL;
     0      stevel 	tcp_t		*tcp;
     0      stevel 
     0      stevel 	/*
     0      stevel 	 * Avoid false matches for packets sent to an IP destination of
     0      stevel 	 * all zeros.
     0      stevel 	 */
     0      stevel 	if (IN6_IS_ADDR_UNSPECIFIED(laddr))
     0      stevel 		return (NULL);
     0      stevel 
  1676         jpk 	ASSERT(zoneid != ALL_ZONES);
     0      stevel 
  3448    dh155122 	bind_connfp = &ipst->ips_ipcl_bind_fanout[IPCL_BIND_HASH(lport, ipst)];
     0      stevel 	mutex_enter(&bind_connfp->connf_lock);
     0      stevel 	for (connp = bind_connfp->connf_head; connp != NULL;
     0      stevel 	    connp = connp->conn_next) {
     0      stevel 		tcp = connp->conn_tcp;
     0      stevel 		if (IPCL_BIND_MATCH_V6(connp, IPPROTO_TCP, *laddr, lport) &&
  2263    sommerfe 		    IPCL_ZONE_MATCH(connp, zoneid) &&
 11042        Erik 		    (connp->conn_bound_if == 0 ||
 11042        Erik 		    connp->conn_bound_if == ifindex) &&
     0      stevel 		    tcp->tcp_listener == NULL) {
     0      stevel 			CONN_INC_REF(connp);
     0      stevel 			mutex_exit(&bind_connfp->connf_lock);
     0      stevel 			return (connp);
     0      stevel 		}
     0      stevel 	}
     0      stevel 	mutex_exit(&bind_connfp->connf_lock);
     0      stevel 	return (NULL);
     0      stevel }
     0      stevel 
   741    masputra /*
   741    masputra  * ipcl_get_next_conn
   741    masputra  *	get the next entry in the conn global list
   741    masputra  *	and put a reference on the next_conn.
   741    masputra  *	decrement the reference on the current conn.
   741    masputra  *
   741    masputra  * This is an iterator based walker function that also provides for
   741    masputra  * some selection by the caller. It walks through the conn_hash bucket
   741    masputra  * searching for the next valid connp in the list, and selects connections
   741    masputra  * that are neither closed nor condemned. It also REFHOLDS the conn
   741    masputra  * thus ensuring that the conn exists when the caller uses the conn.
   741    masputra  */
   741    masputra conn_t *
   741    masputra ipcl_get_next_conn(connf_t *connfp, conn_t *connp, uint32_t conn_flags)
   741    masputra {
   741    masputra 	conn_t	*next_connp;
   741    masputra 
   741    masputra 	if (connfp == NULL)
   741    masputra 		return (NULL);
   741    masputra 
   741    masputra 	mutex_enter(&connfp->connf_lock);
   741    masputra 
   741    masputra 	next_connp = (connp == NULL) ?
   741    masputra 	    connfp->connf_head : connp->conn_g_next;
   741    masputra 
   741    masputra 	while (next_connp != NULL) {
   741    masputra 		mutex_enter(&next_connp->conn_lock);
   741    masputra 		if (!(next_connp->conn_flags & conn_flags) ||
   741    masputra 		    (next_connp->conn_state_flags &
   741    masputra 		    (CONN_CONDEMNED | CONN_INCIPIENT))) {
   741    masputra 			/*
   741    masputra 			 * This conn has been condemned or
   741    masputra 			 * is closing, or the flags don't match
   741    masputra 			 */
   741    masputra 			mutex_exit(&next_connp->conn_lock);
   741    masputra 			next_connp = next_connp->conn_g_next;
   741    masputra 			continue;
   741    masputra 		}
   741    masputra 		CONN_INC_REF_LOCKED(next_connp);
   741    masputra 		mutex_exit(&next_connp->conn_lock);
   741    masputra 		break;
   741    masputra 	}
   741    masputra 
   741    masputra 	mutex_exit(&connfp->connf_lock);
   741    masputra 
   741    masputra 	if (connp != NULL)
   741    masputra 		CONN_DEC_REF(connp);
   741    masputra 
   741    masputra 	return (next_connp);
   741    masputra }
   741    masputra 
     0      stevel #ifdef CONN_DEBUG
     0      stevel /*
     0      stevel  * Trace of the last NBUF refhold/refrele
     0      stevel  */
     0      stevel int
     0      stevel conn_trace_ref(conn_t *connp)
     0      stevel {
     0      stevel 	int	last;
     0      stevel 	conn_trace_t	*ctb;
     0      stevel 
     0      stevel 	ASSERT(MUTEX_HELD(&connp->conn_lock));
     0      stevel 	last = connp->conn_trace_last;
     0      stevel 	last++;
     0      stevel 	if (last == CONN_TRACE_MAX)
     0      stevel 		last = 0;
     0      stevel 
     0      stevel 	ctb = &connp->conn_trace_buf[last];
  5023    carlsonj 	ctb->ctb_depth = getpcstack(ctb->ctb_stack, CONN_STACK_DEPTH);
     0      stevel 	connp->conn_trace_last = last;
     0      stevel 	return (1);
     0      stevel }
     0      stevel 
     0      stevel int
     0      stevel conn_untrace_ref(conn_t *connp)
     0      stevel {
     0      stevel 	int	last;
     0      stevel 	conn_trace_t	*ctb;
     0      stevel 
     0      stevel 	ASSERT(MUTEX_HELD(&connp->conn_lock));
     0      stevel 	last = connp->conn_trace_last;
     0      stevel 	last++;
     0      stevel 	if (last == CONN_TRACE_MAX)
     0      stevel 		last = 0;
     0      stevel 
     0      stevel 	ctb = &connp->conn_trace_buf[last];
  5023    carlsonj 	ctb->ctb_depth = getpcstack(ctb->ctb_stack, CONN_STACK_DEPTH);
     0      stevel 	connp->conn_trace_last = last;
     0      stevel 	return (1);
     0      stevel }
     0      stevel #endif