usr/src/uts/common/inet/ip/ip_arp.c

root/usr/src/uts/common/inet/ip/ip_arp.c
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <inet/ip_arp.h>
#include <inet/ip_ndp.h>
#include <net/if_arp.h>
#include <netinet/if_ether.h>
#include <sys/strsubr.h>
#include <inet/ip6.h>
#include <inet/ip.h>
#include <inet/ip_ire.h>
#include <inet/ip_if.h>
#include <sys/dlpi.h>
#include <sys/sunddi.h>
#include <sys/strsun.h>
#include <sys/sdt.h>
#include <inet/mi.h>
#include <inet/arp.h>
#include <inet/ipdrop.h>
#include <sys/sockio.h>
#include <inet/ip_impl.h>
#include <sys/policy.h>

#define ARL_LL_ADDR_OFFSET(arl) (((arl)->arl_sap_length) < 0 ? \
        (sizeof (dl_unitdata_req_t)) : \
        ((sizeof (dl_unitdata_req_t)) + (ABS((arl)->arl_sap_length))))

/*
 * MAC-specific intelligence.  Shouldn't be needed, but the DL_INFO_ACK
 * doesn't quite do it for us.
 */
typedef struct arp_m_s {
        t_uscalar_t     arp_mac_type;
        uint32_t        arp_mac_arp_hw_type;
        t_scalar_t      arp_mac_sap_length;
        uint32_t        arp_mac_hw_addr_length;
} arp_m_t;

static int arp_close(queue_t *, int, cred_t *);
static int arp_rput(queue_t *, mblk_t *);
static int arp_wput(queue_t *, mblk_t *);
static arp_m_t  *arp_m_lookup(t_uscalar_t mac_type);
static void arp_notify(ipaddr_t, mblk_t *, uint32_t, ip_recv_attr_t *,
        ncec_t *);
static int arp_output(ill_t *, uint32_t, const uchar_t *, const uchar_t *,
        const uchar_t *, const uchar_t *, uchar_t *);
static int  arp_modclose(arl_t *);
static void  arp_mod_close_tail(arl_t *);
static mblk_t *arl_unbind(arl_t *);
static void arp_process_packet(ill_t *, mblk_t *);
static void arp_excl(ipsq_t *, queue_t *, mblk_t *, void *);
static void arp_drop_packet(const char *str, mblk_t *, ill_t *);
static int arp_open(queue_t *, dev_t *, int, int, cred_t *);
static int ip_sioctl_ifunitsel_arp(queue_t *, int *);
static int ip_sioctl_slifname_arp(queue_t *, void *);
static void arp_dlpi_send(arl_t *, mblk_t *);
static void arl_defaults_common(arl_t *, mblk_t *);
static int arp_modopen(queue_t *, dev_t *, int, int, cred_t *);
static void arp_ifname_notify(arl_t *);
static void arp_rput_dlpi_writer(ipsq_t *, queue_t *, mblk_t *, void *);
static arl_t *ill_to_arl(ill_t *);

#define DL_PRIM(mp)     (((union DL_primitives *)(mp)->b_rptr)->dl_primitive)
#define IS_DLPI_DATA(mp)                                                \
        ((DB_TYPE(mp) == M_PROTO) &&                                    \
        MBLKL(mp) >= sizeof (dl_unitdata_ind_t) &&                      \
        (DL_PRIM(mp) == DL_UNITDATA_IND))

#define AR_NOTFOUND     1       /* No matching ace found in cache */
#define AR_MERGED       2       /* Matching ace updated (RFC 826 Merge_flag) */
#define AR_LOOPBACK     3       /* Our own arp packet was received */
#define AR_BOGON        4       /* Another host has our IP addr. */
#define AR_FAILED       5       /* Duplicate Address Detection has failed */
#define AR_CHANGED      6       /* Address has changed; tell IP (and merged) */

boolean_t arp_no_defense;

struct module_info arp_mod_info = {
        IP_MOD_ID, "arp", 1, INFPSZ, 65536, 1024
};
static struct qinit rinit_arp = {
        arp_rput, NULL, arp_open, arp_close, NULL, &arp_mod_info
};
static struct qinit winit_arp = {
        arp_wput, NULL, arp_open, arp_close, NULL, &arp_mod_info
};
struct streamtab arpinfo = {
        &rinit_arp, &winit_arp
};
#define ARH_FIXED_LEN   8
#define AR_LL_HDR_SLACK 32

/*
 * pfhooks for ARP.
 */
#define ARP_HOOK_IN(_hook, _event, _ilp, _hdr, _fm, _m, ipst)           \
                                                                        \
        if ((_hook).he_interested) {                                    \
                hook_pkt_event_t info;                                  \
                                                                        \
                info.hpe_protocol = ipst->ips_arp_net_data;             \
                info.hpe_ifp = _ilp;                                    \
                info.hpe_ofp = 0;                                       \
                info.hpe_hdr = _hdr;                                    \
                info.hpe_mp = &(_fm);                                   \
                info.hpe_mb = _m;                                       \
                if (hook_run(ipst->ips_arp_net_data->netd_hooks,        \
                    _event, (hook_data_t)&info) != 0) {                 \
                        if (_fm != NULL) {                              \
                                freemsg(_fm);                           \
                                _fm = NULL;                             \
                        }                                               \
                        _hdr = NULL;                                    \
                        _m = NULL;                                      \
                } else {                                                \
                        _hdr = info.hpe_hdr;                            \
                        _m = info.hpe_mb;                               \
                }                                                       \
        }

#define ARP_HOOK_OUT(_hook, _event, _olp, _hdr, _fm, _m, ipst)          \
                                                                        \
        if ((_hook).he_interested) {                                    \
                hook_pkt_event_t info;                                  \
                                                                        \
                info.hpe_protocol = ipst->ips_arp_net_data;             \
                info.hpe_ifp = 0;                                       \
                info.hpe_ofp = _olp;                                    \
                info.hpe_hdr = _hdr;                                    \
                info.hpe_mp = &(_fm);                                   \
                info.hpe_mb = _m;                                       \
                if (hook_run(ipst->ips_arp_net_data->netd_hooks,        \
                    _event, (hook_data_t)&info) != 0) {                 \
                        if (_fm != NULL) {                              \
                                freemsg(_fm);                           \
                                _fm = NULL;                             \
                        }                                               \
                        _hdr = NULL;                                    \
                        _m = NULL;                                      \
                } else {                                                \
                        _hdr = info.hpe_hdr;                            \
                        _m = info.hpe_mb;                               \
                }                                                       \
        }

static arp_m_t  arp_m_tbl[] = {
        { DL_CSMACD,    ARPHRD_ETHER,   -2,     6},     /* 802.3 */
        { DL_TPB,       ARPHRD_IEEE802, -2,     6},     /* 802.4 */
        { DL_TPR,       ARPHRD_IEEE802, -2,     6},     /* 802.5 */
        { DL_METRO,     ARPHRD_IEEE802, -2,     6},     /* 802.6 */
        { DL_ETHER,     ARPHRD_ETHER,   -2,     6},     /* Ethernet */
        { DL_FDDI,      ARPHRD_ETHER,   -2,     6},     /* FDDI */
        { DL_IB,        ARPHRD_IB,      -2,     20},    /* Infiniband */
        { DL_OTHER,     ARPHRD_ETHER,   -2,     6}      /* unknown */
};

static void
arl_refhold_locked(arl_t *arl)
{
        ASSERT(MUTEX_HELD(&arl->arl_lock));
        arl->arl_refcnt++;
        ASSERT(arl->arl_refcnt != 0);
}

static void
arl_refrele(arl_t *arl)
{
        mutex_enter(&arl->arl_lock);
        ASSERT(arl->arl_refcnt != 0);
        arl->arl_refcnt--;
        if (arl->arl_refcnt > 1) {
                mutex_exit(&arl->arl_lock);
                return;
        }

        /* ill_close or arp_unbind_complete may be waiting */
        cv_broadcast(&arl->arl_cv);
        mutex_exit(&arl->arl_lock);
}

/*
 * wake up any pending ip ioctls.
 */
static void
arp_cmd_done(ill_t *ill, int err, t_uscalar_t lastprim)
{
        if (lastprim == DL_UNBIND_REQ && ill->ill_replumbing)
                arp_replumb_done(ill, 0);
        else
                arp_bringup_done(ill, err);
}

static int
ip_nce_resolve_all(ill_t *ill, uchar_t *src_haddr, uint32_t hlen,
    const in_addr_t *src_paddr, ncec_t **sncec, int op)
{
        int retv;
        ncec_t *ncec;
        boolean_t ll_changed;
        uchar_t *lladdr = NULL;
        int new_state;

        ASSERT(ill != NULL);

        ncec = ncec_lookup_illgrp_v4(ill, src_paddr);
        *sncec = ncec;

        if (ncec == NULL) {
                retv = AR_NOTFOUND;
                goto done;
        }

        mutex_enter(&ncec->ncec_lock);
        /*
         * IP addr and hardware address match what we already
         * have, then this is a broadcast packet emitted by one of our
         * interfaces, reflected by the switch and received on another
         * interface.  We return AR_LOOPBACK.
         */
        lladdr = ncec->ncec_lladdr;
        if (NCE_MYADDR(ncec) && hlen == ncec->ncec_ill->ill_phys_addr_length &&
            bcmp(lladdr, src_haddr, hlen) == 0) {
                mutex_exit(&ncec->ncec_lock);
                retv = AR_LOOPBACK;
                goto done;
        }
        /*
         * If the entry is unverified, then we've just verified that
         * someone else already owns this address, because this is a
         * message with the same protocol address but different
         * hardware address.
         */
        if (ncec->ncec_flags & NCE_F_UNVERIFIED) {
                mutex_exit(&ncec->ncec_lock);
                ncec_delete(ncec);
                ncec_refrele(ncec);
                *sncec = NULL;
                retv = AR_FAILED;
                goto done;
        }

        /*
         * If the IP address matches ours and we're authoritative for
         * this entry, then some other node is using our IP addr, so
         * return AR_BOGON.  Also reset the transmit count to zero so
         * that, if we're currently in initial announcement mode, we
         * switch back to the lazier defense mode.  Knowing that
         * there's at least one duplicate out there, we ought not
         * blindly announce.
         *
         * NCE_F_AUTHORITY is set in one of two ways:
         * 1. /sbin/arp told us so, via the "permanent" flag.
         * 2. This is one of my addresses.
         */
        if (ncec->ncec_flags & NCE_F_AUTHORITY) {
                ncec->ncec_unsolicit_count = 0;
                mutex_exit(&ncec->ncec_lock);
                retv = AR_BOGON;
                goto done;
        }

        /*
         * No address conflict was detected, and we are getting
         * ready to update the ncec's hwaddr. The nce MUST NOT be on an
         * under interface, because all dynamic nce's are created on the
         * native interface (in the non-IPMP case) or on the IPMP
         * meta-interface (in the IPMP case)
         */
        ASSERT(!IS_UNDER_IPMP(ncec->ncec_ill));

        /*
         * update ncec with src_haddr, hlen.
         *
         * We are trying to resolve this ncec_addr/src_paddr and we
         * got a REQUEST/RESPONSE from the ncec_addr/src_paddr.
         * So the new_state is at least "STALE". If, in addition,
         * this a solicited, unicast ARP_RESPONSE, we can transition
         * to REACHABLE.
         */
        new_state = ND_STALE;
        ip1dbg(("got info for ncec %p from addr %x\n",
            (void *)ncec, *src_paddr));
        retv = AR_MERGED;
        if (ncec->ncec_state == ND_INCOMPLETE ||
            ncec->ncec_state == ND_INITIAL) {
                ll_changed = B_TRUE;
        } else {
                ll_changed = nce_cmp_ll_addr(ncec, src_haddr, hlen);
                if (!ll_changed)
                        new_state = ND_UNCHANGED;
                else
                        retv = AR_CHANGED;
        }
        /*
         * We don't have the equivalent of the IPv6 'S' flag indicating
         * a solicited response, so we assume that if we are in
         * INCOMPLETE, or got back an unchanged lladdr in PROBE state,
         * and this is an ARP_RESPONSE, it must be a
         * solicited response allowing us to transtion to REACHABLE.
         */
        if (op == ARP_RESPONSE) {
                switch (ncec->ncec_state) {
                case ND_PROBE:
                        new_state = (ll_changed ? ND_STALE : ND_REACHABLE);
                        break;
                case ND_INCOMPLETE:
                        new_state = ND_REACHABLE;
                        break;
                }
        }
        /*
         * Call nce_update() to refresh fastpath information on any
         * dependent nce_t entries.
         */
        nce_update(ncec, new_state, (ll_changed ? src_haddr : NULL));
        mutex_exit(&ncec->ncec_lock);
        nce_resolv_ok(ncec);
done:
        return (retv);
}

/* Find an entry for a particular MAC type in the arp_m_tbl. */
static arp_m_t  *
arp_m_lookup(t_uscalar_t mac_type)
{
        arp_m_t *arm;

        for (arm = arp_m_tbl; arm < A_END(arp_m_tbl); arm++) {
                if (arm->arp_mac_type == mac_type)
                        return (arm);
        }
        return (NULL);
}

uint32_t
arp_hw_type(t_uscalar_t mactype)
{
        arp_m_t *arm;

        if ((arm = arp_m_lookup(mactype)) == NULL)
                arm = arp_m_lookup(DL_OTHER);
        return (arm->arp_mac_arp_hw_type);
}

/*
 * Called when an DLPI control message has been acked; send down the next
 * queued message (if any).
 * The DLPI messages of interest being bind, attach and unbind since
 * these are the only ones sent by ARP via arp_dlpi_send.
 */
static void
arp_dlpi_done(arl_t *arl, ill_t *ill)
{
        mblk_t *mp;
        int err;
        t_uscalar_t prim;

        mutex_enter(&arl->arl_lock);
        prim = arl->arl_dlpi_pending;

        if ((mp = arl->arl_dlpi_deferred) == NULL) {
                arl->arl_dlpi_pending = DL_PRIM_INVAL;
                if (arl->arl_state_flags & ARL_LL_DOWN)
                        err = ENETDOWN;
                else
                        err = 0;
                mutex_exit(&arl->arl_lock);

                mutex_enter(&ill->ill_lock);
                ill->ill_arl_dlpi_pending = 0;
                mutex_exit(&ill->ill_lock);
                arp_cmd_done(ill, err, prim);
                return;
        }

        arl->arl_dlpi_deferred = mp->b_next;
        mp->b_next = NULL;

        ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO);

        arl->arl_dlpi_pending = DL_PRIM(mp);
        mutex_exit(&arl->arl_lock);

        mutex_enter(&ill->ill_lock);
        ill->ill_arl_dlpi_pending = 1;
        mutex_exit(&ill->ill_lock);

        putnext(arl->arl_wq, mp);
}

/*
 * This routine is called during module initialization when the DL_INFO_ACK
 * comes back from the device.  We set up defaults for all the device dependent
 * doo-dads we are going to need.  This will leave us ready to roll if we are
 * attempting auto-configuration.  Alternatively, these defaults can be
 * overridden by initialization procedures possessing higher intelligence.
 *
 * Caller will free the mp.
 */
static void
arp_ll_set_defaults(arl_t *arl, mblk_t *mp)
{
        arp_m_t         *arm;
        dl_info_ack_t   *dlia = (dl_info_ack_t *)mp->b_rptr;

        if ((arm = arp_m_lookup(dlia->dl_mac_type)) == NULL)
                arm = arp_m_lookup(DL_OTHER);
        ASSERT(arm != NULL);

        /*
         * We initialize based on parameters in the (currently) not too
         * exhaustive arp_m_tbl.
         */
        if (dlia->dl_version == DL_VERSION_2) {
                arl->arl_sap_length = dlia->dl_sap_length;
                arl->arl_phys_addr_length = dlia->dl_brdcst_addr_length;
                if (dlia->dl_provider_style == DL_STYLE2)
                        arl->arl_needs_attach = 1;
        } else {
                arl->arl_sap_length = arm->arp_mac_sap_length;
                arl->arl_phys_addr_length = arm->arp_mac_hw_addr_length;
        }
        /*
         * Note: the arp_hw_type in the arp header may be derived from
         * the ill_mac_type and arp_m_lookup().
         */
        arl->arl_sap = ETHERTYPE_ARP;
        arl_defaults_common(arl, mp);
}

static int
arp_wput(queue_t *q, mblk_t *mp)
{
        int err = EINVAL;
        struct iocblk *ioc;
        mblk_t *mp1;

        switch (DB_TYPE(mp)) {
        case M_IOCTL:
                ASSERT(q->q_next != NULL);
                ioc = (struct iocblk *)mp->b_rptr;
                if (ioc->ioc_cmd != SIOCSLIFNAME &&
                    ioc->ioc_cmd != IF_UNITSEL) {
                        DTRACE_PROBE4(arl__dlpi, char *, "arp_wput",
                            char *, "<some ioctl>", char *, "-",
                            arl_t *, (arl_t *)q->q_ptr);
                        putnext(q, mp);
                        break;
                }
                if ((mp1 = mp->b_cont) == 0)
                        err = EINVAL;
                else if (ioc->ioc_cmd == SIOCSLIFNAME)
                        err = ip_sioctl_slifname_arp(q, mp1->b_rptr);
                else if (ioc->ioc_cmd == IF_UNITSEL)
                        err = ip_sioctl_ifunitsel_arp(q, (int *)mp1->b_rptr);
                if (err == 0)
                        miocack(q, mp, 0, 0);
                else
                        miocnak(q, mp, 0, err);
                break;
        default:
                DTRACE_PROBE4(arl__dlpi, char *, "arp_wput default",
                    char *, "default mblk", char *, "-",
                    arl_t *, (arl_t *)q->q_ptr);
                putnext(q, mp);
                break;
        }
        return (0);
}

/*
 * similar to ill_dlpi_pending(): verify that the received DLPI response
 * matches the one that is pending for the arl.
 */
static boolean_t
arl_dlpi_pending(arl_t *arl, t_uscalar_t prim)
{
        t_uscalar_t pending;

        mutex_enter(&arl->arl_lock);
        if (arl->arl_dlpi_pending == prim) {
                mutex_exit(&arl->arl_lock);
                return (B_TRUE);
        }

        if (arl->arl_state_flags & ARL_CONDEMNED) {
                mutex_exit(&arl->arl_lock);
                return (B_FALSE);
        }
        pending = arl->arl_dlpi_pending;
        mutex_exit(&arl->arl_lock);

        if (pending == DL_PRIM_INVAL) {
                ip0dbg(("arl_dlpi_pending unsolicited ack for %s on %s",
                    dl_primstr(prim), arl->arl_name));
        } else {
                ip0dbg(("arl_dlpi_pending ack for %s on %s expect %s",
                    dl_primstr(prim), arl->arl_name, dl_primstr(pending)));
        }
        return (B_FALSE);
}

/* DLPI messages, other than DL_UNITDATA_IND are handled here. */
static void
arp_rput_dlpi(queue_t *q, mblk_t *mp)
{
        arl_t           *arl = (arl_t *)q->q_ptr;
        union DL_primitives *dlp;
        t_uscalar_t     prim;
        t_uscalar_t     reqprim = DL_PRIM_INVAL;
        ill_t           *ill;

        if ((mp->b_wptr - mp->b_rptr) < sizeof (dlp->dl_primitive)) {
                putnext(q, mp);
                return;
        }
        dlp = (union DL_primitives *)mp->b_rptr;
        prim = dlp->dl_primitive;

        /*
         * If we received an ACK but didn't send a request for it, then it
         * can't be part of any pending operation; discard up-front.
         */
        switch (prim) {
        case DL_ERROR_ACK:
                /*
                 * ce is confused about how DLPI works, so we have to interpret
                 * an "error" on DL_NOTIFY_ACK (which we never could have sent)
                 * as really meaning an error on DL_NOTIFY_REQ.
                 *
                 * Note that supporting DL_NOTIFY_REQ is optional, so printing
                 * out an error message on the console isn't warranted except
                 * for debug.
                 */
                if (dlp->error_ack.dl_error_primitive == DL_NOTIFY_ACK ||
                    dlp->error_ack.dl_error_primitive == DL_NOTIFY_REQ) {
                        reqprim = DL_NOTIFY_REQ;
                } else {
                        reqprim = dlp->error_ack.dl_error_primitive;
                }
                break;
        case DL_INFO_ACK:
                reqprim = DL_INFO_REQ;
                break;
        case DL_OK_ACK:
                reqprim = dlp->ok_ack.dl_correct_primitive;
                break;
        case DL_BIND_ACK:
                reqprim = DL_BIND_REQ;
                break;
        default:
                DTRACE_PROBE2(rput_dl_badprim, arl_t *, arl,
                    union DL_primitives *, dlp);
                putnext(q, mp);
                return;
        }
        if (reqprim == DL_PRIM_INVAL || !arl_dlpi_pending(arl, reqprim)) {
                freemsg(mp);
                return;
        }
        DTRACE_PROBE4(arl__dlpi, char *, "arp_rput_dlpi received",
            char *, dl_primstr(prim), char *, dl_primstr(reqprim),
            arl_t *, arl);

        ASSERT(prim != DL_NOTIFY_IND);

        ill = arl_to_ill(arl);

        switch (reqprim) {
        case DL_INFO_REQ:
                /*
                 * ill has not been set up yet for this case. This is the
                 * DL_INFO_ACK for the first DL_INFO_REQ sent from
                 * arp_modopen(). There should be no other arl_dlpi_deferred
                 * messages pending. We initialize the arl here.
                 */
                ASSERT(!arl->arl_dlpi_style_set);
                ASSERT(arl->arl_dlpi_pending == DL_INFO_REQ);
                ASSERT(arl->arl_dlpi_deferred == NULL);
                arl->arl_dlpi_pending = DL_PRIM_INVAL;
                arp_ll_set_defaults(arl, mp);
                freemsg(mp);
                return;
        case DL_UNBIND_REQ:
                mutex_enter(&arl->arl_lock);
                arl->arl_state_flags &= ~ARL_DL_UNBIND_IN_PROGRESS;
                /*
                 * This is not an error, so we don't set ARL_LL_DOWN
                 */
                arl->arl_state_flags &= ~ARL_LL_UP;
                arl->arl_state_flags |= ARL_LL_UNBOUND;
                if (arl->arl_state_flags & ARL_CONDEMNED) {
                        /*
                         * if this is part of the unplumb the arl may
                         * vaporize any moment after we cv_signal the
                         * arl_cv so we reset arl_dlpi_pending here.
                         * All other cases (including replumb) will
                         * have the arl_dlpi_pending reset in
                         * arp_dlpi_done.
                         */
                        arl->arl_dlpi_pending = DL_PRIM_INVAL;
                }
                cv_signal(&arl->arl_cv);
                mutex_exit(&arl->arl_lock);
                break;
        }
        if (ill != NULL) {
                /*
                 * ill ref obtained by arl_to_ill()  will be released
                 * by qwriter_ip()
                 */
                qwriter_ip(ill, ill->ill_wq, mp, arp_rput_dlpi_writer,
                    CUR_OP, B_TRUE);
                return;
        }
        freemsg(mp);
}

/*
 * Handling of DLPI messages that require exclusive access to the ipsq.
 */
/* ARGSUSED */
static void
arp_rput_dlpi_writer(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *dummy_arg)
{
        union DL_primitives *dlp = (union DL_primitives *)mp->b_rptr;
        ill_t           *ill = (ill_t *)q->q_ptr;
        arl_t           *arl = ill_to_arl(ill);

        if (arl == NULL) {
                /*
                 * happens as a result arp_modclose triggering unbind.
                 * arp_rput_dlpi will cv_signal the arl_cv and the modclose
                 * will complete, but when it does ipsq_exit, the waiting
                 * qwriter_ip gets into the ipsq but will find the arl null.
                 * There should be no deferred messages in this case, so
                 * just complete and exit.
                 */
                arp_cmd_done(ill, 0, DL_UNBIND_REQ);
                freemsg(mp);
                return;
        }
        switch (dlp->dl_primitive) {
        case DL_ERROR_ACK:
                switch (dlp->error_ack.dl_error_primitive) {
                case DL_UNBIND_REQ:
                        mutex_enter(&arl->arl_lock);
                        arl->arl_state_flags &= ~ARL_DL_UNBIND_IN_PROGRESS;
                        arl->arl_state_flags &= ~ARL_LL_UP;
                        arl->arl_state_flags |= ARL_LL_UNBOUND;
                        arl->arl_state_flags |= ARL_LL_DOWN;
                        cv_signal(&arl->arl_cv);
                        mutex_exit(&arl->arl_lock);
                        break;
                case DL_BIND_REQ:
                        mutex_enter(&arl->arl_lock);
                        arl->arl_state_flags &= ~ARL_LL_UP;
                        arl->arl_state_flags |= ARL_LL_DOWN;
                        arl->arl_state_flags |= ARL_LL_UNBOUND;
                        cv_signal(&arl->arl_cv);
                        mutex_exit(&arl->arl_lock);
                        break;
                case DL_ATTACH_REQ:
                        break;
                default:
                        /* If it's anything else, we didn't send it. */
                        arl_refrele(arl);
                        putnext(q, mp);
                        return;
                }
                break;
        case DL_OK_ACK:
                DTRACE_PROBE4(arl__dlpi, char *, "arp_rput_dlpi_writer ok",
                    char *, dl_primstr(dlp->ok_ack.dl_correct_primitive),
                    char *, dl_primstr(dlp->ok_ack.dl_correct_primitive),
                    arl_t *, arl);
                mutex_enter(&arl->arl_lock);
                switch (dlp->ok_ack.dl_correct_primitive) {
                case DL_UNBIND_REQ:
                case DL_ATTACH_REQ:
                        break;
                default:
                        ip0dbg(("Dropping unrecognized DL_OK_ACK for %s",
                            dl_primstr(dlp->ok_ack.dl_correct_primitive)));
                        mutex_exit(&arl->arl_lock);
                        arl_refrele(arl);
                        freemsg(mp);
                        return;
                }
                mutex_exit(&arl->arl_lock);
                break;
        case DL_BIND_ACK:
                DTRACE_PROBE2(rput_dl_bind, arl_t *, arl,
                    dl_bind_ack_t *, &dlp->bind_ack);

                mutex_enter(&arl->arl_lock);
                ASSERT(arl->arl_state_flags & ARL_LL_BIND_PENDING);
                arl->arl_state_flags &=
                    ~(ARL_LL_BIND_PENDING|ARL_LL_DOWN|ARL_LL_UNBOUND);
                arl->arl_state_flags |= ARL_LL_UP;
                mutex_exit(&arl->arl_lock);
                break;
        case DL_UDERROR_IND:
                DTRACE_PROBE2(rput_dl_uderror, arl_t *, arl,
                    dl_uderror_ind_t *, &dlp->uderror_ind);
                arl_refrele(arl);
                putnext(q, mp);
                return;
        default:
                DTRACE_PROBE2(rput_dl_badprim, arl_t *, arl,
                    union DL_primitives *, dlp);
                arl_refrele(arl);
                putnext(q, mp);
                return;
        }
        arp_dlpi_done(arl, ill);
        arl_refrele(arl);
        freemsg(mp);
}

int
arp_rput(queue_t *q, mblk_t *mp)
{
        arl_t           *arl = q->q_ptr;
        boolean_t       need_refrele = B_FALSE;

        mutex_enter(&arl->arl_lock);
        if (((arl->arl_state_flags &
            (ARL_CONDEMNED | ARL_LL_REPLUMBING)) != 0)) {
                /*
                 * Only allow high priority DLPI messages during unplumb or
                 * replumb, and we don't take an arl_refcnt for that case.
                 */
                if (DB_TYPE(mp) != M_PCPROTO) {
                        mutex_exit(&arl->arl_lock);
                        freemsg(mp);
                        return (0);
                }
        } else {
                arl_refhold_locked(arl);
                need_refrele = B_TRUE;
        }
        mutex_exit(&arl->arl_lock);

        switch (DB_TYPE(mp)) {
        case M_PCPROTO:
        case M_PROTO: {
                ill_t *ill;

                /*
                 * could be one of
                 * (i)   real message from the wire, (DLPI_DATA)
                 * (ii)  DLPI message
                 * Take a ref on the ill associated with this arl to
                 * prevent the ill from being unplumbed until this thread
                 * is done.
                 */
                if (IS_DLPI_DATA(mp)) {
                        ill = arl_to_ill(arl);
                        if (ill == NULL) {
                                arp_drop_packet("No ill", mp, ill);
                                break;
                        }
                        arp_process_packet(ill, mp);
                        ill_refrele(ill);
                        break;
                }
                /* Miscellaneous DLPI messages get shuffled off. */
                arp_rput_dlpi(q, mp);
                break;
        }
        case M_ERROR:
        case M_HANGUP:
                if (mp->b_rptr < mp->b_wptr)
                        arl->arl_error = (int)(*mp->b_rptr & 0xFF);
                if (arl->arl_error == 0)
                        arl->arl_error = ENXIO;
                freemsg(mp);
                break;
        default:
                ip1dbg(("arp_rput other db type %x\n", DB_TYPE(mp)));
                putnext(q, mp);
                break;
        }
        if (need_refrele)
                arl_refrele(arl);
        return (0);
}

static void
arp_process_packet(ill_t *ill, mblk_t *mp)
{
        mblk_t          *mp1;
        arh_t           *arh;
        in_addr_t       src_paddr, dst_paddr;
        uint32_t        hlen, plen;
        boolean_t       is_probe;
        int             op;
        ncec_t          *dst_ncec, *src_ncec = NULL;
        uchar_t         *src_haddr, *arhp, *dst_haddr, *dp, *sp;
        int             err;
        ip_stack_t      *ipst;
        boolean_t       need_ill_refrele = B_FALSE;
        nce_t           *nce;
        uchar_t         *src_lladdr;
        dl_unitdata_ind_t *dlui;
        ip_recv_attr_t  iras;

        ASSERT(ill != NULL);
        if (ill->ill_flags & ILLF_NOARP) {
                arp_drop_packet("Interface does not support ARP", mp, ill);
                return;
        }
        ipst = ill->ill_ipst;
        /*
         * What we should have at this point is a DL_UNITDATA_IND message
         * followed by an ARP packet.  We do some initial checks and then
         * get to work.
         */
        dlui = (dl_unitdata_ind_t *)mp->b_rptr;
        if (dlui->dl_group_address == 1) {
                /*
                 * multicast or broadcast  packet. Only accept on the ipmp
                 * nominated interface for multicasts ('cast_ill').
                 * If we have no cast_ill we are liberal and accept everything.
                 */
                if (IS_UNDER_IPMP(ill)) {
                        /* For an under ill_grp can change under lock */
                        rw_enter(&ipst->ips_ill_g_lock, RW_READER);
                        if (!ill->ill_nom_cast && ill->ill_grp != NULL &&
                            ill->ill_grp->ig_cast_ill != NULL) {
                                rw_exit(&ipst->ips_ill_g_lock);
                                arp_drop_packet("Interface is not nominated "
                                    "for multicast sends and receives",
                                    mp, ill);
                                return;
                        }
                        rw_exit(&ipst->ips_ill_g_lock);
                }
        }
        mp1 = mp->b_cont;
        if (mp1 == NULL) {
                arp_drop_packet("Missing ARP packet", mp, ill);
                return;
        }
        if (mp1->b_cont != NULL) {
                /* No fooling around with funny messages. */
                if (!pullupmsg(mp1, -1)) {
                        arp_drop_packet("Funny message: pullup failed",
                            mp, ill);
                        return;
                }
        }
        arh = (arh_t *)mp1->b_rptr;
        hlen = arh->arh_hlen;
        plen = arh->arh_plen;
        if (MBLKL(mp1) < ARH_FIXED_LEN + 2 * hlen + 2 * plen) {
                arp_drop_packet("mblk len too small", mp, ill);
                return;
        }
        /*
         * hlen 0 is used for RFC 1868 UnARP.
         *
         * Note that the rest of the code checks that hlen is what we expect
         * for this hardware address type, so might as well discard packets
         * here that don't match.
         */
        if ((hlen > 0 && hlen != ill->ill_phys_addr_length) || plen == 0) {
                DTRACE_PROBE2(rput_bogus, ill_t *, ill, mblk_t *, mp1);
                arp_drop_packet("Bogus hlen or plen", mp, ill);
                return;
        }
        /*
         * Historically, Solaris has been lenient about hardware type numbers.
         * We should check here, but don't.
         */
        DTRACE_PROBE3(arp__physical__in__start, ill_t *, ill, arh_t *, arh,
            mblk_t *, mp);
        /*
         * If ill is in an ipmp group, it will be the under ill. If we want
         * to report the packet as coming up the IPMP interface, we should
         * convert it to the ipmp ill.
         */
        ARP_HOOK_IN(ipst->ips_arp_physical_in_event, ipst->ips_arp_physical_in,
            ill->ill_phyint->phyint_ifindex, arh, mp, mp1, ipst);
        DTRACE_PROBE1(arp__physical__in__end, mblk_t *, mp);
        if (mp == NULL)
                return;
        arhp = (uchar_t *)arh + ARH_FIXED_LEN;
        src_haddr = arhp;                       /* ar$sha */
        arhp += hlen;
        bcopy(arhp, &src_paddr, IP_ADDR_LEN);   /* ar$spa */
        sp = arhp;
        arhp += IP_ADDR_LEN;
        dst_haddr = arhp;                       /* ar$dha */
        arhp += hlen;
        bcopy(arhp, &dst_paddr, IP_ADDR_LEN);   /* ar$tpa */
        dp = arhp;
        op = BE16_TO_U16(arh->arh_operation);

        DTRACE_PROBE2(ip__arp__input, (in_addr_t), src_paddr,
            (in_addr_t), dst_paddr);

        /* Determine if this is just a probe */
        is_probe = (src_paddr == INADDR_ANY);

        /*
         * The following test for loopback is faster than
         * IP_LOOPBACK_ADDR(), because it avoids any bitwise
         * operations.
         * Note that these addresses are always in network byte order
         */
        if ((*(uint8_t *)&src_paddr) == IN_LOOPBACKNET ||
            (*(uint8_t *)&dst_paddr) == IN_LOOPBACKNET ||
            CLASSD(src_paddr) || CLASSD(dst_paddr)) {
                arp_drop_packet("Martian IP addr", mp, ill);
                return;
        }

        /*
         * ira_ill is the only field used down the arp_notify path.
         */
        bzero(&iras, sizeof (iras));
        iras.ira_ill = iras.ira_rill = ill;
        /*
         * RFC 826: first check if the <protocol, sender protocol address> is
         * in the cache, if there is a sender protocol address.  Note that this
         * step also handles resolutions based on source.
         */
        /* Note: after here we need to freeb(mp) and freemsg(mp1) separately */
        mp->b_cont = NULL;
        if (is_probe) {
                err = AR_NOTFOUND;
        } else {
                if (plen != 4) {
                        arp_drop_packet("bad protocol len", mp, ill);
                        return;
                }
                err = ip_nce_resolve_all(ill, src_haddr, hlen, &src_paddr,
                    &src_ncec, op);
                switch (err) {
                case AR_BOGON:
                        ASSERT(src_ncec != NULL);
                        arp_notify(src_paddr, mp1, AR_CN_BOGON,
                            &iras, src_ncec);
                        break;
                case AR_FAILED:
                        arp_notify(src_paddr, mp1, AR_CN_FAILED, &iras,
                            src_ncec);
                        break;
                case AR_LOOPBACK:
                        DTRACE_PROBE2(rput_loopback, ill_t *, ill, arh_t *,
                            arh);
                        freemsg(mp1);
                        break;
                default:
                        goto update;
                }
                freemsg(mp);
                if (src_ncec != NULL)
                        ncec_refrele(src_ncec);
                return;
        }
update:
        /*
         * Now look up the destination address.  By RFC 826, we ignore the
         * packet at this step if the target isn't one of our addresses (i.e.,
         * one we have been asked to PUBLISH).  This is true even if the
         * target is something we're trying to resolve and the packet
         * is a response.
         */
        dst_ncec = ncec_lookup_illgrp_v4(ill, &dst_paddr);
        if (dst_ncec == NULL || !NCE_PUBLISH(dst_ncec)) {
                /*
                 * Let the client know if the source mapping has changed, even
                 * if the destination provides no useful information for the
                 * client.
                 */
                if (err == AR_CHANGED) {
                        arp_notify(src_paddr, mp1, AR_CN_ANNOUNCE, &iras,
                            NULL);
                        freemsg(mp);
                } else {
                        freemsg(mp);
                        arp_drop_packet("Target is not interesting", mp1, ill);
                }
                if (dst_ncec != NULL)
                        ncec_refrele(dst_ncec);
                if (src_ncec != NULL)
                        ncec_refrele(src_ncec);
                return;
        }

        if (dst_ncec->ncec_flags & NCE_F_UNVERIFIED) {
                /*
                 * Check for a reflection.  Some misbehaving bridges will
                 * reflect our own transmitted packets back to us.
                 */
                ASSERT(NCE_PUBLISH(dst_ncec));
                if (hlen != dst_ncec->ncec_ill->ill_phys_addr_length) {
                        ncec_refrele(dst_ncec);
                        if (src_ncec != NULL)
                                ncec_refrele(src_ncec);
                        freemsg(mp);
                        arp_drop_packet("bad arh_len", mp1, ill);
                        return;
                }
                if (!nce_cmp_ll_addr(dst_ncec, src_haddr, hlen)) {
                        DTRACE_PROBE3(rput_probe_reflected, ill_t *, ill,
                            arh_t *, arh, ncec_t *, dst_ncec);
                        ncec_refrele(dst_ncec);
                        if (src_ncec != NULL)
                                ncec_refrele(src_ncec);
                        freemsg(mp);
                        arp_drop_packet("Reflected probe", mp1, ill);
                        return;
                }
                /*
                 * Responses targeting our HW address that are not responses to
                 * our DAD probe must be ignored as they are related to requests
                 * sent before DAD was restarted.
                 */
                if (op == ARP_RESPONSE &&
                    (nce_cmp_ll_addr(dst_ncec, dst_haddr, hlen) == 0)) {
                        ncec_refrele(dst_ncec);
                        if (src_ncec != NULL)
                                ncec_refrele(src_ncec);
                        freemsg(mp);
                        arp_drop_packet(
                            "Response to request that was sent before DAD",
                            mp1, ill);
                        return;
                }
                /*
                 * Responses targeted to HW addresses which are not ours but
                 * sent to our unverified proto address are also conflicts.
                 * These may be reported by a proxy rather than the interface
                 * with the conflicting address, dst_paddr is in conflict
                 * rather than src_paddr. To ensure IP can locate the correct
                 * ipif to take down, it is necessary to copy dst_paddr to
                 * the src_paddr field before sending it to IP. The same is
                 * required for probes, where src_paddr will be INADDR_ANY.
                 */
                if (is_probe || op == ARP_RESPONSE) {
                        bcopy(dp, sp, plen);
                        arp_notify(src_paddr, mp1, AR_CN_FAILED, &iras,
                            NULL);
                        ncec_delete(dst_ncec);
                } else if (err == AR_CHANGED) {
                        arp_notify(src_paddr, mp1, AR_CN_ANNOUNCE, &iras,
                            NULL);
                } else {
                        DTRACE_PROBE3(rput_request_unverified,
                            ill_t *, ill, arh_t *, arh, ncec_t *, dst_ncec);
                        arp_drop_packet("Unverified request", mp1, ill);
                }
                freemsg(mp);
                ncec_refrele(dst_ncec);
                if (src_ncec != NULL)
                        ncec_refrele(src_ncec);
                return;
        }
        /*
         * If it's a request, then we reply to this, and if we think the
         * sender's unknown, then we create an entry to avoid unnecessary ARPs.
         * The design assumption is that someone ARPing us is likely to send us
         * a packet soon, and that we'll want to reply to it.
         */
        if (op == ARP_REQUEST) {
                const uchar_t *nce_hwaddr;
                struct in_addr nce_paddr;
                clock_t now;
                ill_t *under_ill = ill;
                boolean_t send_unicast = B_TRUE;

                ASSERT(NCE_PUBLISH(dst_ncec));

                if ((dst_ncec->ncec_flags & (NCE_F_BCAST|NCE_F_MCAST)) != 0) {
                        /*
                         * Ignore senders who are deliberately or accidentally
                         * confused.
                         */
                        goto bail;
                }

                if (!is_probe && err == AR_NOTFOUND) {
                        ASSERT(src_ncec == NULL);

                        if (IS_UNDER_IPMP(under_ill)) {
                                /*
                                 * create the ncec for the sender on ipmp_ill.
                                 * We pass in the ipmp_ill itself to avoid
                                 * creating an nce_t on the under_ill.
                                 */
                                ill = ipmp_ill_hold_ipmp_ill(under_ill);
                                if (ill == NULL)
                                        ill = under_ill;
                                else
                                        need_ill_refrele = B_TRUE;
                        }

                        err = nce_lookup_then_add_v4(ill, src_haddr, hlen,
                            &src_paddr, 0, ND_STALE, &nce);

                        switch (err) {
                        case 0:
                        case EEXIST:
                                ip1dbg(("added ncec %p in state %d ill %s\n",
                                    (void *)src_ncec, src_ncec->ncec_state,
                                    ill->ill_name));
                                src_ncec = nce->nce_common;
                                break;
                        default:
                                /*
                                 * Either no memory, or the outgoing interface
                                 * is in the process of down/unplumb. In the
                                 * latter case, we will fail the send anyway,
                                 * and in the former case, we should try to send
                                 * the ARP response.
                                 */
                                src_lladdr = src_haddr;
                                goto send_response;
                        }
                        ncec_refhold(src_ncec);
                        nce_refrele(nce);
                        /* set up cleanup interval on ncec */
                }

                /*
                 * This implements periodic address defense based on a modified
                 * version of the RFC 3927 requirements.  Instead of sending a
                 * broadcasted reply every time, as demanded by the RFC, we
                 * send at most one broadcast reply per arp_broadcast_interval.
                 */
                now = ddi_get_lbolt();
                if ((now - dst_ncec->ncec_last_time_defended) >
                    MSEC_TO_TICK(ipst->ips_ipv4_dad_announce_interval)) {
                        dst_ncec->ncec_last_time_defended = now;
                        /*
                         * If this is one of the long-suffering entries,
                         * pull it out now.  It no longer needs separate
                         * defense, because we're now doing that with this
                         * broadcasted reply.
                         */
                        dst_ncec->ncec_flags &= ~NCE_F_DELAYED;
                        send_unicast = B_FALSE;
                }
                if (src_ncec != NULL && send_unicast) {
                        src_lladdr = src_ncec->ncec_lladdr;
                } else {
                        src_lladdr = under_ill->ill_bcast_mp->b_rptr +
                            NCE_LL_ADDR_OFFSET(under_ill);
                }
send_response:
                nce_hwaddr = dst_ncec->ncec_lladdr;
                IN6_V4MAPPED_TO_INADDR(&dst_ncec->ncec_addr, &nce_paddr);

                (void) arp_output(under_ill, ARP_RESPONSE,
                    nce_hwaddr, (uchar_t *)&nce_paddr, src_haddr,
                    (uchar_t *)&src_paddr, src_lladdr);
        }
bail:
        if (dst_ncec != NULL) {
                ncec_refrele(dst_ncec);
        }
        if (src_ncec != NULL) {
                ncec_refrele(src_ncec);
        }
        if (err == AR_CHANGED) {
                mp->b_cont = NULL;
                arp_notify(src_paddr, mp1, AR_CN_ANNOUNCE, &iras, NULL);
                mp1 = NULL;
        }
        if (need_ill_refrele)
                ill_refrele(ill);

        freemsg(mp);
        freemsg(mp1);
}

/*
 * Basic initialization of the arl_t and the arl_common structure shared with
 * the ill_t that is done after SLIFNAME/IF_UNITSEL.
 */
static int
arl_ill_init(arl_t *arl, char *ill_name)
{
        ill_t *ill;
        arl_ill_common_t *ai;

        ill = ill_lookup_on_name(ill_name, B_FALSE, B_FALSE, B_FALSE,
            arl->arl_ipst);

        if (ill == NULL)
                return (ENXIO);

        /*
         * By the time we set up the arl, we expect the ETHERTYPE_IP
         * stream to be fully bound and attached. So we copy/verify
         * relevant information as possible from/against the ill.
         *
         * The following should have been set up in arp_ll_set_defaults()
         * after the first DL_INFO_ACK was received.
         */
        ASSERT(arl->arl_phys_addr_length == ill->ill_phys_addr_length);
        ASSERT(arl->arl_sap == ETHERTYPE_ARP);
        ASSERT(arl->arl_mactype == ill->ill_mactype);
        ASSERT(arl->arl_sap_length == ill->ill_sap_length);

        ai =  kmem_zalloc(sizeof (*ai), KM_SLEEP);
        mutex_enter(&ill->ill_lock);
        /* First ensure that the ill is not CONDEMNED.  */
        if (ill->ill_state_flags & ILL_CONDEMNED) {
                mutex_exit(&ill->ill_lock);
                ill_refrele(ill);
                kmem_free(ai, sizeof (*ai));
                return (ENXIO);
        }
        if (ill->ill_common != NULL || arl->arl_common != NULL) {
                mutex_exit(&ill->ill_lock);
                ip0dbg(("%s: PPA already exists", ill->ill_name));
                ill_refrele(ill);
                kmem_free(ai, sizeof (*ai));
                return (EEXIST);
        }
        mutex_init(&ai->ai_lock, NULL, MUTEX_DEFAULT, NULL);
        ai->ai_arl = arl;
        ai->ai_ill = ill;
        ill->ill_common = ai;
        arl->arl_common = ai;
        mutex_exit(&ill->ill_lock);
        (void) strlcpy(arl->arl_name, ill->ill_name, LIFNAMSIZ);
        arl->arl_name_length = ill->ill_name_length;
        ill_refrele(ill);
        arp_ifname_notify(arl);
        return (0);
}

/* Allocate and do common initializations for DLPI messages. */
static mblk_t *
ip_ar_dlpi_comm(t_uscalar_t prim, size_t size)
{
        mblk_t  *mp;

        if ((mp = allocb(size, BPRI_HI)) == NULL)
                return (NULL);

        /*
         * DLPIv2 says that DL_INFO_REQ and DL_TOKEN_REQ (the latter
         * of which we don't seem to use) are sent with M_PCPROTO, and
         * that other DLPI are M_PROTO.
         */
        DB_TYPE(mp) = (prim == DL_INFO_REQ) ? M_PCPROTO : M_PROTO;

        mp->b_wptr = mp->b_rptr + size;
        bzero(mp->b_rptr, size);
        DL_PRIM(mp) = prim;
        return (mp);
}


int
ip_sioctl_ifunitsel_arp(queue_t *q, int *ppa)
{
        arl_t *arl;
        char *cp, ill_name[LIFNAMSIZ];

        if (q->q_next == NULL)
                return (EINVAL);

        do {
                q = q->q_next;
        } while (q->q_next != NULL);
        cp = q->q_qinfo->qi_minfo->mi_idname;

        arl = (arl_t *)q->q_ptr;
        (void) snprintf(ill_name, sizeof (ill_name), "%s%d", cp, *ppa);
        arl->arl_ppa = *ppa;
        return (arl_ill_init(arl, ill_name));
}

int
ip_sioctl_slifname_arp(queue_t *q, void *lifreq)
{
        arl_t *arl;
        struct lifreq *lifr = lifreq;

        /* ioctl not valid when IP opened as a device */
        if (q->q_next == NULL)
                return (EINVAL);

        arl = (arl_t *)q->q_ptr;
        arl->arl_ppa = lifr->lifr_ppa;
        return (arl_ill_init(arl, lifr->lifr_name));
}

arl_t *
ill_to_arl(ill_t *ill)
{
        arl_ill_common_t *ai = ill->ill_common;
        arl_t *arl = NULL;

        if (ai == NULL)
                return (NULL);
        /*
         * Find the arl_t that corresponds to this ill_t from the shared
         * ill_common structure. We can safely access the ai here as it
         * will only be freed in arp_modclose() after we have become
         * single-threaded.
         */
        mutex_enter(&ai->ai_lock);
        if ((arl = ai->ai_arl) != NULL) {
                mutex_enter(&arl->arl_lock);
                if (!(arl->arl_state_flags & ARL_CONDEMNED)) {
                        arl_refhold_locked(arl);
                        mutex_exit(&arl->arl_lock);
                } else {
                        mutex_exit(&arl->arl_lock);
                        arl = NULL;
                }
        }
        mutex_exit(&ai->ai_lock);
        return (arl);
}

ill_t *
arl_to_ill(arl_t *arl)
{
        arl_ill_common_t *ai = arl->arl_common;
        ill_t *ill = NULL;

        if (ai == NULL) {
                /*
                 * happens when the arp stream is just being opened, and
                 * arl_ill_init has not been executed yet.
                 */
                return (NULL);
        }
        /*
         * Find the ill_t that corresponds to this arl_t from the shared
         * arl_common structure. We can safely access the ai here as it
         * will only be freed in arp_modclose() after we have become
         * single-threaded.
         */
        mutex_enter(&ai->ai_lock);
        if ((ill = ai->ai_ill) != NULL) {
                mutex_enter(&ill->ill_lock);
                if (!ILL_IS_CONDEMNED(ill)) {
                        ill_refhold_locked(ill);
                        mutex_exit(&ill->ill_lock);
                } else {
                        mutex_exit(&ill->ill_lock);
                        ill = NULL;
                }
        }
        mutex_exit(&ai->ai_lock);
        return (ill);
}

int
arp_ll_up(ill_t *ill)
{
        mblk_t  *attach_mp = NULL;
        mblk_t  *bind_mp = NULL;
        mblk_t  *unbind_mp = NULL;
        arl_t   *arl;

        ASSERT(IAM_WRITER_ILL(ill));
        arl = ill_to_arl(ill);

        DTRACE_PROBE2(ill__downup, char *, "arp_ll_up", ill_t *, ill);
        if (arl == NULL)
                return (ENXIO);
        DTRACE_PROBE2(arl__downup, char *, "arp_ll_up", arl_t *, arl);
        if ((arl->arl_state_flags & ARL_LL_UP) != 0) {
                arl_refrele(arl);
                return (0);
        }
        if (arl->arl_needs_attach) { /* DL_STYLE2 */
                attach_mp =
                    ip_ar_dlpi_comm(DL_ATTACH_REQ, sizeof (dl_attach_req_t));
                if (attach_mp == NULL)
                        goto bad;
                ((dl_attach_req_t *)attach_mp->b_rptr)->dl_ppa = arl->arl_ppa;
        }

        /* Allocate and initialize a bind message. */
        bind_mp = ip_ar_dlpi_comm(DL_BIND_REQ, sizeof (dl_bind_req_t));
        if (bind_mp == NULL)
                goto bad;
        ((dl_bind_req_t *)bind_mp->b_rptr)->dl_sap = ETHERTYPE_ARP;
        ((dl_bind_req_t *)bind_mp->b_rptr)->dl_service_mode = DL_CLDLS;

        unbind_mp = ip_ar_dlpi_comm(DL_UNBIND_REQ, sizeof (dl_unbind_req_t));
        if (unbind_mp == NULL)
                goto bad;
        if (arl->arl_needs_attach) {
                arp_dlpi_send(arl, attach_mp);
        }
        arl->arl_unbind_mp = unbind_mp;

        arl->arl_state_flags |= ARL_LL_BIND_PENDING;
        arp_dlpi_send(arl, bind_mp);
        arl_refrele(arl);
        return (EINPROGRESS);

bad:
        freemsg(attach_mp);
        freemsg(bind_mp);
        freemsg(unbind_mp);
        arl_refrele(arl);
        return (ENOMEM);
}

/*
 * consumes/frees mp
 */
static void
arp_notify(in_addr_t src, mblk_t *mp, uint32_t arcn_code,
    ip_recv_attr_t *ira, ncec_t *ncec)
{
        char            hbuf[MAC_STR_LEN];
        char            sbuf[INET_ADDRSTRLEN];
        ill_t           *ill = ira->ira_ill;
        ip_stack_t      *ipst = ill->ill_ipst;
        arh_t           *arh = (arh_t *)mp->b_rptr;

        switch (arcn_code) {
        case AR_CN_BOGON:
                /*
                 * Someone is sending ARP packets with a source protocol
                 * address that we have published and for which we believe our
                 * entry is authoritative and verified to be unique on
                 * the network.
                 *
                 * arp_process_packet() sends AR_CN_FAILED for the case when
                 * a DAD probe is received and the hardware address of a
                 * non-authoritative entry has changed. Thus, AR_CN_BOGON
                 * indicates a real conflict, and we have to do resolution.
                 *
                 * We back away quickly from the address if it's from DHCP or
                 * otherwise temporary and hasn't been used recently (or at
                 * all).  We'd like to include "deprecated" addresses here as
                 * well (as there's no real reason to defend something we're
                 * discarding), but IPMP "reuses" this flag to mean something
                 * other than the standard meaning.
                 */
                if (ip_nce_conflict(mp, ira, ncec)) {
                        (void) mac_colon_addr((uint8_t *)(arh + 1),
                            arh->arh_hlen, hbuf, sizeof (hbuf));
                        (void) ip_dot_addr(src, sbuf);
                        cmn_err(CE_WARN,
                            "proxy ARP problem?  Node '%s' is using %s on %s",
                            hbuf, sbuf, ill->ill_name);
                        if (!arp_no_defense)
                                (void) arp_announce(ncec);
                        /*
                         * ncec_last_time_defended has been adjusted in
                         * ip_nce_conflict.
                         */
                } else {
                        ncec_delete(ncec);
                }
                freemsg(mp);
                break;
        case AR_CN_ANNOUNCE: {
                nce_hw_map_t hwm;
                /*
                 * ARP gives us a copy of any packet where it thinks
                 * the address has changed, so that we can update our
                 * caches.  We're responsible for caching known answers
                 * in the current design.  We check whether the
                 * hardware address really has changed in all of our
                 * entries that have cached this mapping, and if so, we
                 * blow them away.  This way we will immediately pick
                 * up the rare case of a host changing hardware
                 * address.
                 */
                if (src == 0) {
                        freemsg(mp);
                        break;
                }
                hwm.hwm_addr = src;
                hwm.hwm_hwlen = arh->arh_hlen;
                hwm.hwm_hwaddr = (uchar_t *)(arh + 1);
                hwm.hwm_flags = 0;
                ncec_walk_common(ipst->ips_ndp4, NULL,
                    nce_update_hw_changed, &hwm, B_TRUE);
                freemsg(mp);
                break;
        }
        case AR_CN_FAILED:
                if (arp_no_defense) {
                        (void) mac_colon_addr((uint8_t *)(arh + 1),
                            arh->arh_hlen, hbuf, sizeof (hbuf));
                        (void) ip_dot_addr(src, sbuf);

                        cmn_err(CE_WARN,
                            "node %s is using our IP address %s on %s",
                            hbuf, sbuf, ill->ill_name);
                        freemsg(mp);
                        break;
                }
                /*
                 * mp will be freed by arp_excl.
                 */
                ill_refhold(ill);
                qwriter_ip(ill, ill->ill_rq, mp, arp_excl, NEW_OP, B_FALSE);
                return;
        default:
                ASSERT(0);
                freemsg(mp);
                break;
        }
}

/*
 * arp_output is called to transmit an ARP Request or Response. The mapping
 * to RFC 826 variables is:
 *   haddr1 == ar$sha
 *   paddr1 == ar$spa
 *   haddr2 == ar$tha
 *   paddr2 == ar$tpa
 * The ARP frame is sent to the ether_dst in dst_lladdr.
 */
static int
arp_output(ill_t *ill, uint32_t operation,
    const uchar_t *haddr1, const uchar_t *paddr1, const uchar_t *haddr2,
    const uchar_t *paddr2, uchar_t *dst_lladdr)
{
        arh_t   *arh;
        uint8_t *cp;
        uint_t  hlen;
        uint32_t plen = IPV4_ADDR_LEN; /* ar$pln from RFC 826 */
        uint32_t proto = IP_ARP_PROTO_TYPE;
        mblk_t *mp;
        arl_t *arl;

        ASSERT(dst_lladdr != NULL);
        hlen = ill->ill_phys_addr_length; /* ar$hln from RFC 826 */
        mp = ill_dlur_gen(dst_lladdr, hlen, ETHERTYPE_ARP, ill->ill_sap_length);

        if (mp == NULL)
                return (ENOMEM);

        /* IFF_NOARP flag is set or link down: do not send arp messages */
        if ((ill->ill_flags & ILLF_NOARP) || !ill->ill_dl_up) {
                freemsg(mp);
                return (ENXIO);
        }

        mp->b_cont = allocb(AR_LL_HDR_SLACK + ARH_FIXED_LEN + (hlen * 4) +
            plen + plen, BPRI_MED);
        if (mp->b_cont == NULL) {
                freeb(mp);
                return (ENOMEM);
        }

        /* Fill in the ARP header. */
        cp = mp->b_cont->b_rptr + (AR_LL_HDR_SLACK + hlen + hlen);
        mp->b_cont->b_rptr = cp;
        arh = (arh_t *)cp;
        U16_TO_BE16(arp_hw_type(ill->ill_mactype), arh->arh_hardware);
        U16_TO_BE16(proto, arh->arh_proto);
        arh->arh_hlen = (uint8_t)hlen;
        arh->arh_plen = (uint8_t)plen;
        U16_TO_BE16(operation, arh->arh_operation);
        cp += ARH_FIXED_LEN;
        bcopy(haddr1, cp, hlen);
        cp += hlen;
        if (paddr1 == NULL)
                bzero(cp, plen);
        else
                bcopy(paddr1, cp, plen);
        cp += plen;
        if (haddr2 == NULL)
                bzero(cp, hlen);
        else
                bcopy(haddr2, cp, hlen);
        cp += hlen;
        bcopy(paddr2, cp, plen);
        cp += plen;
        mp->b_cont->b_wptr = cp;

        DTRACE_PROBE3(arp__physical__out__start,
            ill_t *, ill, arh_t *, arh, mblk_t *, mp);
        ARP_HOOK_OUT(ill->ill_ipst->ips_arp_physical_out_event,
            ill->ill_ipst->ips_arp_physical_out,
            ill->ill_phyint->phyint_ifindex, arh, mp, mp->b_cont,
            ill->ill_ipst);
        DTRACE_PROBE1(arp__physical__out__end, mblk_t *, mp);
        if (mp == NULL)
                return (0);

        /* Ship it out. */
        arl = ill_to_arl(ill);
        if (arl == NULL) {
                freemsg(mp);
                return (0);
        }
        if (canputnext(arl->arl_wq))
                putnext(arl->arl_wq, mp);
        else
                freemsg(mp);
        arl_refrele(arl);
        return (0);
}

/*
 * Process resolve requests.
 * If we are not yet reachable then we check and decrease ncec_rcnt; otherwise
 * we leave it alone (the caller will check and manage ncec_pcnt in those
 * cases.)
 */
int
arp_request(ncec_t *ncec, in_addr_t sender, ill_t *ill)
{
        int err;
        const uchar_t *target_hwaddr;
        struct in_addr nce_paddr;
        uchar_t *dst_lladdr;
        boolean_t use_rcnt = !NCE_ISREACHABLE(ncec);

        ASSERT(MUTEX_HELD(&ncec->ncec_lock));
        ASSERT(!IS_IPMP(ill));

        if (use_rcnt && ncec->ncec_rcnt == 0) {
                /* not allowed any more retransmits. */
                return (0);
        }

        if ((ill->ill_flags & ILLF_NOARP) != 0)
                return (0);

        IN6_V4MAPPED_TO_INADDR(&ncec->ncec_addr, &nce_paddr);

        target_hwaddr =
            ill->ill_bcast_mp->b_rptr + NCE_LL_ADDR_OFFSET(ill);

        if (NCE_ISREACHABLE(ncec)) {
                dst_lladdr =  ncec->ncec_lladdr;
        } else {
                dst_lladdr =  ill->ill_bcast_mp->b_rptr +
                    NCE_LL_ADDR_OFFSET(ill);
        }

        mutex_exit(&ncec->ncec_lock);
        err = arp_output(ill, ARP_REQUEST,
            ill->ill_phys_addr, (uchar_t *)&sender, target_hwaddr,
            (uchar_t *)&nce_paddr, dst_lladdr);
        mutex_enter(&ncec->ncec_lock);

        if (err != 0) {
                /*
                 * Some transient error such as ENOMEM or a down link was
                 * encountered. If the link has been taken down permanently,
                 * the ncec will eventually be cleaned up (ipif_down_tail()
                 * will call ipif_nce_down() and flush the ncec), to terminate
                 * recurring attempts to send ARP requests. In all other cases,
                 * allow the caller another chance at success next time.
                 */
                return (ncec->ncec_ill->ill_reachable_retrans_time);
        }

        if (use_rcnt)
                ncec->ncec_rcnt--;

        return (ncec->ncec_ill->ill_reachable_retrans_time);
}

/* return B_TRUE if dropped */
boolean_t
arp_announce(ncec_t *ncec)
{
        ill_t *ill;
        int err;
        uchar_t *sphys_addr, *bcast_addr;
        struct in_addr ncec_addr;
        boolean_t need_refrele = B_FALSE;

        ASSERT((ncec->ncec_flags & NCE_F_BCAST) == 0);
        ASSERT((ncec->ncec_flags & NCE_F_MCAST) == 0);

        if (IS_IPMP(ncec->ncec_ill)) {
                /* sent on the cast_ill */
                ill = ipmp_ill_hold_xmit_ill(ncec->ncec_ill, B_FALSE);
                if (ill == NULL)
                        return (B_TRUE);
                need_refrele = B_TRUE;
        } else {
                ill = ncec->ncec_ill;
        }

        /*
         * broadcast an announce to ill_bcast address.
         */
        IN6_V4MAPPED_TO_INADDR(&ncec->ncec_addr, &ncec_addr);

        sphys_addr = ncec->ncec_lladdr;
        bcast_addr = ill->ill_bcast_mp->b_rptr + NCE_LL_ADDR_OFFSET(ill);

        err = arp_output(ill, ARP_REQUEST,
            sphys_addr, (uchar_t *)&ncec_addr, bcast_addr,
            (uchar_t *)&ncec_addr, bcast_addr);

        if (need_refrele)
                ill_refrele(ill);
        return (err != 0);
}

/* return B_TRUE if dropped */
boolean_t
arp_probe(ncec_t *ncec)
{
        ill_t *ill;
        int err;
        struct in_addr ncec_addr;
        uchar_t *sphys_addr, *dst_lladdr;

        if (IS_IPMP(ncec->ncec_ill)) {
                ill = ipmp_ill_hold_xmit_ill(ncec->ncec_ill, B_FALSE);
                if (ill == NULL)
                        return (B_TRUE);
        } else {
                ill = ncec->ncec_ill;
        }

        IN6_V4MAPPED_TO_INADDR(&ncec->ncec_addr, &ncec_addr);

        sphys_addr = ncec->ncec_lladdr;
        dst_lladdr = ill->ill_bcast_mp->b_rptr + NCE_LL_ADDR_OFFSET(ill);
        err = arp_output(ill, ARP_REQUEST,
            sphys_addr, NULL, NULL, (uchar_t *)&ncec_addr, dst_lladdr);

        if (IS_IPMP(ncec->ncec_ill))
                ill_refrele(ill);
        return (err != 0);
}

static mblk_t *
arl_unbind(arl_t *arl)
{
        mblk_t *mp;

        if ((mp = arl->arl_unbind_mp) != NULL) {
                arl->arl_unbind_mp = NULL;
                arl->arl_state_flags |= ARL_DL_UNBIND_IN_PROGRESS;
        }
        return (mp);
}

int
arp_ll_down(ill_t *ill)
{
        arl_t   *arl;
        mblk_t *unbind_mp;
        int err = 0;
        boolean_t replumb = (ill->ill_replumbing == 1);

        DTRACE_PROBE2(ill__downup, char *, "arp_ll_down", ill_t *, ill);
        if ((arl = ill_to_arl(ill)) == NULL)
                return (ENXIO);
        DTRACE_PROBE2(arl__downup, char *, "arp_ll_down", arl_t *, arl);
        mutex_enter(&arl->arl_lock);
        unbind_mp = arl_unbind(arl);
        if (unbind_mp != NULL) {
                ASSERT(arl->arl_state_flags & ARL_DL_UNBIND_IN_PROGRESS);
                DTRACE_PROBE2(arp__unbinding, mblk_t *, unbind_mp,
                    arl_t *, arl);
                err = EINPROGRESS;
                if (replumb)
                        arl->arl_state_flags |= ARL_LL_REPLUMBING;
        }
        mutex_exit(&arl->arl_lock);
        if (unbind_mp != NULL)
                arp_dlpi_send(arl, unbind_mp);
        arl_refrele(arl);
        return (err);
}

/* ARGSUSED */
int
arp_close(queue_t *q, int flags __unused, cred_t *credp __unused)
{
        if (WR(q)->q_next != NULL) {
                /* This is a module close */
                return (arp_modclose(q->q_ptr));
        }
        qprocsoff(q);
        q->q_ptr = WR(q)->q_ptr = NULL;
        return (0);
}

static int
arp_modclose(arl_t *arl)
{
        arl_ill_common_t *ai = arl->arl_common;
        ill_t           *ill;
        queue_t         *q = arl->arl_rq;
        mblk_t          *mp, *nextmp;
        ipsq_t          *ipsq = NULL;

        ill = arl_to_ill(arl);
        if (ill != NULL) {
                if (!ill_waiter_inc(ill)) {
                        ill_refrele(ill);
                } else {
                        ill_refrele(ill);
                        if (ipsq_enter(ill, B_FALSE, NEW_OP))
                                ipsq = ill->ill_phyint->phyint_ipsq;
                        ill_waiter_dcr(ill);
                }
                if (ipsq == NULL) {
                        /*
                         * could not enter the ipsq because ill is already
                         * marked CONDEMNED.
                         */
                        ill = NULL;
                }
        }
        if (ai != NULL && ipsq == NULL) {
                /*
                 * Either we did not get an ill because it was marked CONDEMNED
                 * or we could not enter the ipsq because it was unplumbing.
                 * In both cases, wait for the ill to complete ip_modclose().
                 *
                 * If the arp_modclose happened even before SLIFNAME, the ai
                 * itself would be NULL, in which case we can complete the close
                 * without waiting.
                 */
                mutex_enter(&ai->ai_lock);
                while (ai->ai_ill != NULL)
                        cv_wait(&ai->ai_ill_unplumb_done, &ai->ai_lock);
                mutex_exit(&ai->ai_lock);
        }
        ASSERT(ill == NULL || IAM_WRITER_ILL(ill));

        mutex_enter(&arl->arl_lock);
        /*
         * If the ill had completed unplumbing before arp_modclose(), there
         * would be no ill (and therefore, no ipsq) to serialize arp_modclose()
         * so that we need to explicitly check for ARL_CONDEMNED and back off
         * if it is set.
         */
        if ((arl->arl_state_flags & ARL_CONDEMNED) != 0) {
                mutex_exit(&arl->arl_lock);
                ASSERT(ipsq == NULL);
                return (0);
        }
        arl->arl_state_flags |= ARL_CONDEMNED;

        /*
         * send out all pending dlpi messages, don't wait for the ack (which
         * will be ignored in arp_rput when CONDEMNED is set)
         *
         * We have to check for pending DL_UNBIND_REQ because, in the case
         * that ip_modclose() executed before arp_modclose(), the call to
         * ill_delete_tail->ipif_arp_down() would have triggered a
         * DL_UNBIND_REQ. When arp_modclose() executes ipsq_enter() will fail
         * (since ip_modclose() is in the ipsq) but the DL_UNBIND_ACK may not
         * have been processed yet. In this scenario, we cannot reset
         * arl_dlpi_pending, because the setting/clearing of arl_state_flags
         * related to unbind, and the associated cv_waits must be allowed to
         * continue.
         */
        if (arl->arl_dlpi_pending != DL_UNBIND_REQ)
                arl->arl_dlpi_pending = DL_PRIM_INVAL;
        mp = arl->arl_dlpi_deferred;
        arl->arl_dlpi_deferred = NULL;
        mutex_exit(&arl->arl_lock);

        for (; mp != NULL; mp = nextmp) {
                nextmp = mp->b_next;
                mp->b_next = NULL;
                putnext(arl->arl_wq, mp);
        }

        /* Wait for data paths to quiesce */
        mutex_enter(&arl->arl_lock);
        while (arl->arl_refcnt != 0)
                cv_wait(&arl->arl_cv, &arl->arl_lock);

        /*
         * unbind, so that nothing else can come up from driver.
         */
        mp = arl_unbind(arl);
        mutex_exit(&arl->arl_lock);
        if (mp != NULL)
                arp_dlpi_send(arl, mp);
        mutex_enter(&arl->arl_lock);

        /* wait for unbind ack  */
        while (arl->arl_state_flags & ARL_DL_UNBIND_IN_PROGRESS)
                cv_wait(&arl->arl_cv, &arl->arl_lock);
        mutex_exit(&arl->arl_lock);

        qprocsoff(q);

        if (ill != NULL) {
                mutex_enter(&ill->ill_lock);
                ill->ill_arl_dlpi_pending = 0;
                mutex_exit(&ill->ill_lock);
        }

        if (ai != NULL) {
                mutex_enter(&ai->ai_lock);
                ai->ai_arl = NULL;
                if (ai->ai_ill == NULL) {
                        mutex_destroy(&ai->ai_lock);
                        kmem_free(ai, sizeof (*ai));
                } else {
                        mutex_exit(&ai->ai_lock);
                }
        }

        /* free up the rest */
        arp_mod_close_tail(arl);

        q->q_ptr = WR(q)->q_ptr = NULL;

        if (ipsq != NULL)
                ipsq_exit(ipsq);

        return (0);
}

static void
arp_mod_close_tail(arl_t *arl)
{
        ip_stack_t      *ipst = arl->arl_ipst;
        mblk_t          **mpp;

        mutex_enter(&ipst->ips_ip_mi_lock);
        mi_close_unlink(&ipst->ips_arp_g_head, (IDP)arl);
        mutex_exit(&ipst->ips_ip_mi_lock);

        /*
         * credp could be null if the open didn't succeed and ip_modopen
         * itself calls ip_close.
         */
        if (arl->arl_credp != NULL)
                crfree(arl->arl_credp);

        /* Free all retained control messages. */
        mpp = &arl->arl_first_mp_to_free;
        do {
                while (mpp[0]) {
                        mblk_t  *mp;
                        mblk_t  *mp1;

                        mp = mpp[0];
                        mpp[0] = mp->b_next;
                        for (mp1 = mp; mp1 != NULL; mp1 = mp1->b_cont) {
                                mp1->b_next = NULL;
                                mp1->b_prev = NULL;
                        }
                        freemsg(mp);
                }
        } while (mpp++ != &arl->arl_last_mp_to_free);

        netstack_rele(ipst->ips_netstack);
        mi_free(arl->arl_name);
        mi_close_free((IDP)arl);
}

/*
 * DAD failed. Tear down ipifs with the specified srce address. Note that
 * tearing down the ipif also meas deleting the ncec through ipif_down,
 * so it is not possible to use nce_timer for recovery. Instead we start
 * a timer on the ipif. Caller has to free the mp.
 */
void
arp_failure(mblk_t *mp, ip_recv_attr_t *ira)
{
        ill_t *ill = ira->ira_ill;

        if ((mp = copymsg(mp)) != NULL) {
                ill_refhold(ill);
                qwriter_ip(ill, ill->ill_rq, mp, arp_excl, NEW_OP, B_FALSE);
        }
}

/*
 * This is for exclusive changes due to ARP.  Tear down an interface due
 * to AR_CN_FAILED and AR_CN_BOGON.
 */
/* ARGSUSED */
static void
arp_excl(ipsq_t *ipsq, queue_t *rq, mblk_t *mp, void *dummy_arg)
{
        ill_t   *ill = rq->q_ptr;
        arh_t *arh;
        ipaddr_t src;
        ipif_t  *ipif;
        ip_stack_t *ipst = ill->ill_ipst;
        uchar_t *haddr;
        uint_t  haddrlen;

        /* first try src = ar$spa */
        arh = (arh_t *)mp->b_rptr;
        bcopy((char *)&arh[1] + arh->arh_hlen, &src, IP_ADDR_LEN);

        haddrlen = arh->arh_hlen;
        haddr = (uint8_t *)(arh + 1);

        if (haddrlen == ill->ill_phys_addr_length) {
                /*
                 * Ignore conflicts generated by misbehaving switches that
                 * just reflect our own messages back to us.  For IPMP, we may
                 * see reflections across any ill in the illgrp.
                 */
                /* For an under ill_grp can change under lock */
                rw_enter(&ipst->ips_ill_g_lock, RW_READER);
                if (bcmp(haddr, ill->ill_phys_addr, haddrlen) == 0 ||
                    IS_UNDER_IPMP(ill) && ill->ill_grp != NULL &&
                    ipmp_illgrp_find_ill(ill->ill_grp, haddr,
                    haddrlen) != NULL) {
                        rw_exit(&ipst->ips_ill_g_lock);
                        goto ignore_conflict;
                }
                rw_exit(&ipst->ips_ill_g_lock);
        }

        /*
         * Look up the appropriate ipif.
         */
        ipif = ipif_lookup_addr(src, ill, ALL_ZONES, ipst);
        if (ipif == NULL)
                goto ignore_conflict;

        /* Reload the ill to match the ipif */
        ill = ipif->ipif_ill;

        /* If it's already duplicate or ineligible, then don't do anything. */
        if (ipif->ipif_flags & (IPIF_POINTOPOINT|IPIF_DUPLICATE)) {
                ipif_refrele(ipif);
                goto ignore_conflict;
        }

        /*
         * If we failed on a recovery probe, then restart the timer to
         * try again later.
         */
        if (!ipif->ipif_was_dup) {
                char hbuf[MAC_STR_LEN];
                char sbuf[INET_ADDRSTRLEN];
                char ibuf[LIFNAMSIZ];

                (void) mac_colon_addr(haddr, haddrlen, hbuf, sizeof (hbuf));
                (void) ip_dot_addr(src, sbuf);
                ipif_get_name(ipif, ibuf, sizeof (ibuf));

                cmn_err(CE_WARN, "%s has duplicate address %s (in use by %s);"
                    " disabled", ibuf, sbuf, hbuf);
        }
        mutex_enter(&ill->ill_lock);
        ASSERT(!(ipif->ipif_flags & IPIF_DUPLICATE));
        ipif->ipif_flags |= IPIF_DUPLICATE;
        ill->ill_ipif_dup_count++;
        mutex_exit(&ill->ill_lock);
        (void) ipif_down(ipif, NULL, NULL);
        (void) ipif_down_tail(ipif);
        mutex_enter(&ill->ill_lock);
        if (!(ipif->ipif_flags & (IPIF_DHCPRUNNING|IPIF_TEMPORARY)) &&
            ill->ill_net_type == IRE_IF_RESOLVER &&
            !(ipif->ipif_state_flags & IPIF_CONDEMNED) &&
            ipst->ips_ip_dup_recovery > 0) {
                ASSERT(ipif->ipif_recovery_id == 0);
                ipif->ipif_recovery_id = timeout(ipif_dup_recovery,
                    ipif, MSEC_TO_TICK(ipst->ips_ip_dup_recovery));
        }
        mutex_exit(&ill->ill_lock);
        ipif_refrele(ipif);

ignore_conflict:
        freemsg(mp);
}

/*
 * This is a place for a dtrace hook.
 * Note that mp can be either the DL_UNITDATA_IND with a b_cont payload,
 * or just the ARP packet payload as an M_DATA.
 */
/* ARGSUSED */
static void
arp_drop_packet(const char *str, mblk_t *mp, ill_t *ill)
{
        freemsg(mp);
}

static boolean_t
arp_over_driver(queue_t *q)
{
        queue_t *qnext = STREAM(q)->sd_wrq->q_next;

        /*
         * check if first module below stream head is IP or UDP.
         */
        ASSERT(qnext != NULL);
        if (strcmp(Q2NAME(qnext), "ip") != 0 &&
            strcmp(Q2NAME(qnext), "udp") != 0) {
                /*
                 * module below is not ip or udp, so arp has been pushed
                 * on the driver.
                 */
                return (B_TRUE);
        }
        return (B_FALSE);
}

static int
arp_open(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
{
        int err;

        ASSERT(sflag & MODOPEN);
        if (!arp_over_driver(q)) {
                q->q_qinfo = dummymodinfo.st_rdinit;
                WR(q)->q_qinfo = dummymodinfo.st_wrinit;
                return ((*dummymodinfo.st_rdinit->qi_qopen)(q, devp, flag,
                    sflag, credp));
        }
        err = arp_modopen(q, devp, flag, sflag, credp);
        return (err);
}

/*
 * In most cases we must be a writer on the IP stream before coming to
 * arp_dlpi_send(), to serialize DLPI sends to the driver. The exceptions
 * when we are not a writer are very early duing initialization (in
 * arl_init, before the arl has done a SLIFNAME, so that we don't yet know
 * the associated ill) or during arp_mod_close, when we could not enter the
 * ipsq because the ill has already unplumbed.
 */
static void
arp_dlpi_send(arl_t *arl, mblk_t *mp)
{
        mblk_t **mpp;
        t_uscalar_t prim;
        arl_ill_common_t *ai;

        ASSERT(DB_TYPE(mp) == M_PROTO || DB_TYPE(mp) == M_PCPROTO);

#ifdef DEBUG
        ai = arl->arl_common;
        if (ai != NULL) {
                mutex_enter(&ai->ai_lock);
                if (ai->ai_ill != NULL)
                        ASSERT(IAM_WRITER_ILL(ai->ai_ill));
                mutex_exit(&ai->ai_lock);
        }
#endif /* DEBUG */

        mutex_enter(&arl->arl_lock);
        if (arl->arl_dlpi_pending != DL_PRIM_INVAL) {
                /* Must queue message. Tail insertion */
                mpp = &arl->arl_dlpi_deferred;
                while (*mpp != NULL)
                        mpp = &((*mpp)->b_next);

                *mpp = mp;
                mutex_exit(&arl->arl_lock);
                return;
        }
        mutex_exit(&arl->arl_lock);
        if ((prim = ((union DL_primitives *)mp->b_rptr)->dl_primitive)
            == DL_BIND_REQ) {
                ASSERT((arl->arl_state_flags & ARL_DL_UNBIND_IN_PROGRESS) == 0);
        }
        /*
         * No need to take the arl_lock to examine ARL_CONDEMNED at this point
         * because the only thread that can see ARL_CONDEMNED here is the
         * closing arp_modclose() thread which sets the flag after becoming a
         * writer on the ipsq. Threads from IP must have finished and
         * cannot be active now.
         */
        if (!(arl->arl_state_flags & ARL_CONDEMNED) ||
            (prim == DL_UNBIND_REQ)) {
                if (prim != DL_NOTIFY_CONF) {
                        ill_t *ill = arl_to_ill(arl);

                        arl->arl_dlpi_pending = prim;
                        if (ill != NULL) {
                                mutex_enter(&ill->ill_lock);
                                ill->ill_arl_dlpi_pending = 1;
                                mutex_exit(&ill->ill_lock);
                                ill_refrele(ill);
                        }
                }
        }
        DTRACE_PROBE4(arl__dlpi, char *, "arp_dlpi_send",
            char *, dl_primstr(prim), char *, "-",  arl_t *, arl);
        putnext(arl->arl_wq, mp);
}

static void
arl_defaults_common(arl_t *arl, mblk_t *mp)
{
        dl_info_ack_t   *dlia = (dl_info_ack_t *)mp->b_rptr;
        /*
         * Till the ill is fully up  the ill is not globally visible.
         * So no need for a lock.
         */
        arl->arl_mactype = dlia->dl_mac_type;
        arl->arl_sap_length = dlia->dl_sap_length;

        if (!arl->arl_dlpi_style_set) {
                if (dlia->dl_provider_style == DL_STYLE2)
                        arl->arl_needs_attach = 1;
                mutex_enter(&arl->arl_lock);
                ASSERT(arl->arl_dlpi_style_set == 0);
                arl->arl_dlpi_style_set = 1;
                arl->arl_state_flags &= ~ARL_LL_SUBNET_PENDING;
                cv_broadcast(&arl->arl_cv);
                mutex_exit(&arl->arl_lock);
        }
}

int
arl_init(queue_t *q, arl_t *arl)
{
        mblk_t *info_mp;
        dl_info_req_t   *dlir;

        /* subset of ill_init */
        mutex_init(&arl->arl_lock, NULL, MUTEX_DEFAULT, 0);

        arl->arl_rq = q;
        arl->arl_wq = WR(q);

        info_mp = allocb(MAX(sizeof (dl_info_req_t), sizeof (dl_info_ack_t)),
            BPRI_HI);
        if (info_mp == NULL)
                return (ENOMEM);
        /*
         * allocate sufficient space to contain device name.
         */
        arl->arl_name = (char *)(mi_zalloc(2 * LIFNAMSIZ));
        arl->arl_ppa = UINT_MAX;
        arl->arl_state_flags |= (ARL_LL_SUBNET_PENDING | ARL_LL_UNBOUND);

        /* Send down the Info Request to the driver. */
        info_mp->b_datap->db_type = M_PCPROTO;
        dlir = (dl_info_req_t *)info_mp->b_rptr;
        info_mp->b_wptr = (uchar_t *)&dlir[1];
        dlir->dl_primitive = DL_INFO_REQ;
        arl->arl_dlpi_pending = DL_PRIM_INVAL;
        qprocson(q);

        arp_dlpi_send(arl, info_mp);
        return (0);
}

int
arl_wait_for_info_ack(arl_t *arl)
{
        int err;

        mutex_enter(&arl->arl_lock);
        while (arl->arl_state_flags & ARL_LL_SUBNET_PENDING) {
                /*
                 * Return value of 0 indicates a pending signal.
                 */
                err = cv_wait_sig(&arl->arl_cv, &arl->arl_lock);
                if (err == 0) {
                        mutex_exit(&arl->arl_lock);
                        return (EINTR);
                }
        }
        mutex_exit(&arl->arl_lock);
        /*
         * ip_rput_other could have set an error  in ill_error on
         * receipt of M_ERROR.
         */
        return (arl->arl_error);
}

void
arl_set_muxid(ill_t *ill, int muxid)
{
        arl_t *arl;

        arl = ill_to_arl(ill);
        if (arl != NULL) {
                arl->arl_muxid = muxid;
                arl_refrele(arl);
        }
}

int
arl_get_muxid(ill_t *ill)
{
        arl_t *arl;
        int muxid = 0;

        arl = ill_to_arl(ill);
        if (arl != NULL) {
                muxid = arl->arl_muxid;
                arl_refrele(arl);
        }
        return (muxid);
}

static int
arp_modopen(queue_t *q, dev_t *devp, int flag, int sflag, cred_t *credp)
{
        int     err;
        zoneid_t zoneid;
        netstack_t *ns;
        ip_stack_t *ipst;
        arl_t   *arl = NULL;

        /*
         * Prevent unprivileged processes from pushing IP so that
         * they can't send raw IP.
         */
        if (secpolicy_net_rawaccess(credp) != 0)
                return (EPERM);

        ns = netstack_find_by_cred(credp);
        ASSERT(ns != NULL);
        ipst = ns->netstack_ip;
        ASSERT(ipst != NULL);

        /*
         * For exclusive stacks we set the zoneid to zero
         * to make IP operate as if in the global zone.
         */
        if (ipst->ips_netstack->netstack_stackid != GLOBAL_NETSTACKID)
                zoneid = GLOBAL_ZONEID;
        else
                zoneid = crgetzoneid(credp);

        arl = (arl_t *)mi_open_alloc_sleep(sizeof (arl_t));
        q->q_ptr = WR(q)->q_ptr = arl;
        arl->arl_ipst = ipst;
        arl->arl_zoneid = zoneid;
        err = arl_init(q, arl);

        if (err != 0) {
                mi_free(arl->arl_name);
                mi_free(arl);
                netstack_rele(ipst->ips_netstack);
                q->q_ptr = NULL;
                WR(q)->q_ptr = NULL;
                return (err);
        }

        /*
         * Wait for the DL_INFO_ACK if a DL_INFO_REQ was sent.
         */
        err = arl_wait_for_info_ack(arl);
        if (err == 0)
                arl->arl_credp = credp;
        else
                goto fail;

        crhold(credp);

        mutex_enter(&ipst->ips_ip_mi_lock);
        err = mi_open_link(&ipst->ips_arp_g_head, (IDP)q->q_ptr, devp, flag,
            sflag, credp);
        mutex_exit(&ipst->ips_ip_mi_lock);
fail:
        if (err) {
                (void) arp_close(q, 0, credp);
                return (err);
        }
        return (0);
}

/*
 * Notify any downstream modules (esp softmac and hitbox) of the name
 * of this interface using an M_CTL.
 */
static void
arp_ifname_notify(arl_t *arl)
{
        mblk_t *mp1, *mp2;
        struct iocblk *iocp;
        struct lifreq *lifr;

        if ((mp1 = mkiocb(SIOCSLIFNAME)) == NULL)
                return;
        if ((mp2 = allocb(sizeof (struct lifreq), BPRI_HI)) == NULL) {
                freemsg(mp1);
                return;
        }

        lifr = (struct lifreq *)mp2->b_rptr;
        mp2->b_wptr += sizeof (struct lifreq);
        bzero(lifr, sizeof (struct lifreq));

        (void) strncpy(lifr->lifr_name, arl->arl_name, LIFNAMSIZ);
        lifr->lifr_ppa = arl->arl_ppa;
        lifr->lifr_flags = ILLF_IPV4;

        /* Use M_CTL to avoid confusing anyone else who might be listening. */
        DB_TYPE(mp1) = M_CTL;
        mp1->b_cont = mp2;
        iocp = (struct iocblk *)mp1->b_rptr;
        iocp->ioc_count = msgsize(mp1->b_cont);
        DTRACE_PROBE4(arl__dlpi, char *, "arp_ifname_notify",
            char *, "SIOCSLIFNAME", char *, "-",  arl_t *, arl);
        putnext(arl->arl_wq, mp1);
}

void
arp_send_replumb_conf(ill_t *ill)
{
        mblk_t *mp;
        arl_t *arl = ill_to_arl(ill);

        if (arl == NULL)
                return;
        /*
         * arl_got_replumb and arl_got_unbind to be cleared after we complete
         * arp_cmd_done.
         */
        mp = mexchange(NULL, NULL, sizeof (dl_notify_conf_t), M_PROTO,
            DL_NOTIFY_CONF);
        ((dl_notify_conf_t *)(mp->b_rptr))->dl_notification =
            DL_NOTE_REPLUMB_DONE;
        arp_dlpi_send(arl, mp);
        mutex_enter(&arl->arl_lock);
        arl->arl_state_flags &= ~ARL_LL_REPLUMBING;
        mutex_exit(&arl->arl_lock);
        arl_refrele(arl);
}

/*
 * The unplumb code paths call arp_unbind_complete() to make sure that it is
 * safe to tear down the ill. We wait for DL_UNBIND_ACK to complete, and also
 * for the arl_refcnt to fall to one so that, when we return from
 * arp_unbind_complete(), we know for certain that there are no threads in
 * arp_rput() that might access the arl_ill.
 */
void
arp_unbind_complete(ill_t *ill)
{
        arl_t *arl = ill_to_arl(ill);

        if (arl == NULL)
                return;
        mutex_enter(&arl->arl_lock);
        /*
         * wait for unbind ack and arl_refcnt to drop to 1. Note that the
         * quiescent arl_refcnt for this function is 1 (and not 0) because
         * ill_to_arl() will itself return after taking a ref on the arl_t.
         */
        while (arl->arl_state_flags & ARL_DL_UNBIND_IN_PROGRESS)
                cv_wait(&arl->arl_cv, &arl->arl_lock);
        while (arl->arl_refcnt != 1)
                cv_wait(&arl->arl_cv, &arl->arl_lock);
        mutex_exit(&arl->arl_lock);
        arl_refrele(arl);
}
Illumos
