xref: /onnv-gate/usr/src/uts/common/inet/ip/ip6_if.c (revision 0:68f95e015346)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */
/*
 * Copyright (c) 1990 Mentat Inc.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

/*
 * This file contains the interface control functions for IPv6.
 */

#include <sys/types.h>
#include <sys/sysmacros.h>
#include <sys/stream.h>
#include <sys/dlpi.h>
#include <sys/stropts.h>
#include <sys/strlog.h>
#include <sys/ddi.h>
#include <sys/cmn_err.h>
#include <sys/kstat.h>
#include <sys/debug.h>
#include <sys/zone.h>

#include <sys/systm.h>
#include <sys/param.h>
#include <sys/socket.h>
#define	_SUN_TPI_VERSION	2
#include <sys/tihdr.h>
#include <sys/isa_defs.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_dl.h>
#include <net/route.h>
#include <sys/sockio.h>
#include <netinet/in.h>
#include <netinet/igmp_var.h>
#include <netinet/ip6.h>
#include <netinet/icmp6.h>
#include <netinet/in.h>

#include <inet/common.h>
#include <inet/mi.h>
#include <inet/nd.h>
#include <inet/mib2.h>
#include <inet/arp.h>
#include <inet/ip.h>
#include <inet/ip6.h>
#include <inet/ip_multi.h>
#include <inet/ip_ire.h>
#include <inet/ip_rts.h>
#include <inet/ip_ndp.h>
#include <inet/ip_if.h>
#include <inet/ip6_asp.h>
#include <inet/tun.h>
#include <inet/ipclassifier.h>
#include <inet/sctp_ip.h>

#include <netinet/igmp.h>
#include <netinet/ip_mroute.h>

static in6_addr_t	ipv6_ll_template =
			{(uint32_t)V6_LINKLOCAL, 0x0, 0x0, 0x0};

static ipif_t *
ipif_lookup_interface_v6(const in6_addr_t *if_addr, const in6_addr_t *dst,
    queue_t *q, mblk_t *mp, ipsq_func_t func, int *error);

/*
 * ipif_lookup_group_v6
 */
ipif_t *
ipif_lookup_group_v6(const in6_addr_t *group, zoneid_t zoneid)
{
	ire_t	*ire;
	ipif_t	*ipif;

	ire = ire_lookup_multi_v6(group, zoneid);
	if (ire == NULL)
		return (NULL);
	ipif = ire->ire_ipif;
	ipif_refhold(ipif);
	ire_refrele(ire);
	return (ipif);
}

/*
 * ill_lookup_group_v6
 */
ill_t *
ill_lookup_group_v6(const in6_addr_t *group, zoneid_t zoneid)
{
	ire_t	*ire;
	ill_t	*ill;

	ire = ire_lookup_multi_v6(group, zoneid);
	if (ire == NULL)
		return (NULL);
	ill = ire->ire_ipif->ipif_ill;
	ill_refhold(ill);
	ire_refrele(ire);
	return (ill);
}

/*
 * Look for an ipif with the specified interface address and destination.
 * The destination address is used only for matching point-to-point interfaces.
 */
static ipif_t *
ipif_lookup_interface_v6(const in6_addr_t *if_addr, const in6_addr_t *dst,
    queue_t *q, mblk_t *mp, ipsq_func_t func, int *error)
{
	ipif_t	*ipif;
	ill_t	*ill;
	ipsq_t	*ipsq;
	ill_walk_context_t ctx;

	if (error != NULL)
		*error = 0;

	/*
	 * First match all the point-to-point interfaces
	 * before looking at non-point-to-point interfaces.
	 * This is done to avoid returning non-point-to-point
	 * ipif instead of unnumbered point-to-point ipif.
	 */
	rw_enter(&ill_g_lock, RW_READER);
	ill = ILL_START_WALK_V6(&ctx);
	for (; ill != NULL; ill = ill_next(&ctx, ill)) {
		GRAB_CONN_LOCK(q);
		mutex_enter(&ill->ill_lock);
		for (ipif = ill->ill_ipif; ipif; ipif = ipif->ipif_next) {
			/* Allow the ipif to be down */
			if ((ipif->ipif_flags & IPIF_POINTOPOINT) &&
			    (IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6lcl_addr,
			    if_addr)) &&
			    (IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6pp_dst_addr,
			    dst))) {
				if (IPIF_CAN_LOOKUP(ipif)) {
					ipif_refhold_locked(ipif);
					mutex_exit(&ill->ill_lock);
					RELEASE_CONN_LOCK(q);
					rw_exit(&ill_g_lock);
					return (ipif);
				} else if (IPIF_CAN_WAIT(ipif, q)) {
					ipsq = ill->ill_phyint->phyint_ipsq;
					mutex_enter(&ipsq->ipsq_lock);
					mutex_exit(&ill->ill_lock);
					rw_exit(&ill_g_lock);
					ipsq_enq(ipsq, q, mp, func, NEW_OP,
						ill);
					mutex_exit(&ipsq->ipsq_lock);
					RELEASE_CONN_LOCK(q);
					*error = EINPROGRESS;
					return (NULL);
				}
			}
		}
		mutex_exit(&ill->ill_lock);
		RELEASE_CONN_LOCK(q);
	}
	rw_exit(&ill_g_lock);
	/* lookup the ipif based on interface address */
	ipif = ipif_lookup_addr_v6(if_addr, NULL, ALL_ZONES, q, mp, func,
	    error);
	ASSERT(ipif == NULL || ipif->ipif_isv6);
	return (ipif);
}

/*
 * Look for an ipif with the specified address. For point-point links
 * we look for matches on either the destination address and the local
 * address, but we ignore the check on the local address if IPIF_UNNUMBERED
 * is set.
 * Matches on a specific ill if match_ill is set.
 */
/* ARGSUSED */
ipif_t *
ipif_lookup_addr_v6(const in6_addr_t *addr, ill_t *match_ill, zoneid_t zoneid,
    queue_t *q, mblk_t *mp, ipsq_func_t func, int *error)
{
	ipif_t	*ipif;
	ill_t	*ill;
	boolean_t  ptp = B_FALSE;
	ipsq_t	*ipsq;
	ill_walk_context_t ctx;

	if (error != NULL)
		*error = 0;

	rw_enter(&ill_g_lock, RW_READER);
	/*
	 * Repeat twice, first based on local addresses and
	 * next time for pointopoint.
	 */
repeat:
	ill = ILL_START_WALK_V6(&ctx);
	for (; ill != NULL; ill = ill_next(&ctx, ill)) {
		if (match_ill != NULL && ill != match_ill) {
			continue;
		}
		GRAB_CONN_LOCK(q);
		mutex_enter(&ill->ill_lock);
		for (ipif = ill->ill_ipif; ipif; ipif = ipif->ipif_next) {
			if (zoneid != ALL_ZONES && ipif->ipif_zoneid != zoneid)
				continue;
			/* Allow the ipif to be down */
			if ((!ptp && (IN6_ARE_ADDR_EQUAL(
			    &ipif->ipif_v6lcl_addr, addr) &&
			    (ipif->ipif_flags & IPIF_UNNUMBERED) == 0)) ||
			    (ptp && (ipif->ipif_flags & IPIF_POINTOPOINT) &&
			    IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6pp_dst_addr,
			    addr))) {
				if (IPIF_CAN_LOOKUP(ipif)) {
					ipif_refhold_locked(ipif);
					mutex_exit(&ill->ill_lock);
					RELEASE_CONN_LOCK(q);
					rw_exit(&ill_g_lock);
					return (ipif);
				} else if (IPIF_CAN_WAIT(ipif, q)) {
					ipsq = ill->ill_phyint->phyint_ipsq;
					mutex_enter(&ipsq->ipsq_lock);
					mutex_exit(&ill->ill_lock);
					rw_exit(&ill_g_lock);
					ipsq_enq(ipsq, q, mp, func, NEW_OP,
						ill);
					mutex_exit(&ipsq->ipsq_lock);
					RELEASE_CONN_LOCK(q);
					*error = EINPROGRESS;
					return (NULL);
				}
			}
		}
		mutex_exit(&ill->ill_lock);
		RELEASE_CONN_LOCK(q);
	}

	/* Repeat once more if needed */
	if (ptp) {
		rw_exit(&ill_g_lock);
		if (error != NULL)
			*error = ENXIO;
		return (NULL);
	}
	ptp = B_TRUE;
	goto repeat;
}

/*
 * Perform various checks to verify that an address would make sense as a local
 * interface address.  This is currently only called when an attempt is made
 * to set a local address.
 *
 * Does not allow a v4-mapped address, an address that equals the subnet
 * anycast address, ... a multicast address, ...
 */
boolean_t
ip_local_addr_ok_v6(const in6_addr_t *addr, const in6_addr_t *subnet_mask)
{
	in6_addr_t subnet;

	if (IN6_IS_ADDR_UNSPECIFIED(addr))
		return (B_TRUE);	/* Allow all zeros */

	/*
	 * Don't allow all zeroes or host part, but allow
	 * all ones netmask.
	 */
	V6_MASK_COPY(*addr, *subnet_mask, subnet);
	if (IN6_IS_ADDR_V4MAPPED(addr) ||
	    (IN6_ARE_ADDR_EQUAL(addr, &subnet) &&
	    !IN6_ARE_ADDR_EQUAL(subnet_mask, &ipv6_all_ones)) ||
	    (IN6_IS_ADDR_V4COMPAT(addr) && CLASSD(V4_PART_OF_V6((*addr)))) ||
	    IN6_IS_ADDR_MULTICAST(addr))
		return (B_FALSE);

	return (B_TRUE);
}

/*
 * Perform various checks to verify that an address would make sense as a
 * remote/subnet interface address.
 */
boolean_t
ip_remote_addr_ok_v6(const in6_addr_t *addr, const in6_addr_t *subnet_mask)
{
	in6_addr_t subnet;

	if (IN6_IS_ADDR_UNSPECIFIED(addr))
		return (B_TRUE);	/* Allow all zeros */

	V6_MASK_COPY(*addr, *subnet_mask, subnet);
	if (IN6_IS_ADDR_V4MAPPED(addr) ||
	    (IN6_ARE_ADDR_EQUAL(addr, &subnet) &&
	    !IN6_ARE_ADDR_EQUAL(subnet_mask, &ipv6_all_ones)) ||
	    IN6_IS_ADDR_MULTICAST(addr) ||
	    (IN6_IS_ADDR_V4COMPAT(addr) && CLASSD(V4_PART_OF_V6((*addr)))))
		return (B_FALSE);

	return (B_TRUE);
}

/*
 * ip_rt_add_v6 is called to add an IPv6 route to the forwarding table.
 * ipif_arg is passed in to associate it with the correct interface
 * (for link-local destinations and gateways).
 */
/* ARGSUSED1 */
int
ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
    const in6_addr_t *gw_addr, const in6_addr_t *src_addr, int flags,
    ipif_t *ipif_arg, ire_t **ire_arg, queue_t *q, mblk_t *mp, ipsq_func_t func)
{
	ire_t	*ire;
	ire_t	*gw_ire = NULL;
	ipif_t	*ipif;
	boolean_t ipif_refheld = B_FALSE;
	uint_t	type;
	int	match_flags = MATCH_IRE_TYPE;
	int	error;

	if (ire_arg != NULL)
		*ire_arg = NULL;

	/*
	 * Prevent routes with a zero gateway from being created (since
	 * interfaces can currently be plumbed and brought up with no assigned
	 * address).
	 */
	if (IN6_IS_ADDR_UNSPECIFIED(gw_addr))
		return (ENETUNREACH);

	/*
	 * If this is the case of RTF_HOST being set, then we set the netmask
	 * to all ones (regardless if one was supplied).
	 */
	if (flags & RTF_HOST)
		mask = &ipv6_all_ones;

	/*
	 * Get the ipif, if any, corresponding to the gw_addr
	 */
	ipif = ipif_lookup_interface_v6(gw_addr, dst_addr, q, mp, func,
	    &error);
	if (ipif != NULL)
		ipif_refheld = B_TRUE;
	else if (error == EINPROGRESS) {
		ip1dbg(("ip_rt_add_v6: null and EINPROGRESS"));
		return (error);
	}

	/*
	 * GateD will attempt to create routes with a loopback interface
	 * address as the gateway and with RTF_GATEWAY set.  We allow
	 * these routes to be added, but create them as interface routes
	 * since the gateway is an interface address.
	 */
	if ((ipif != NULL) && (ipif->ipif_ire_type == IRE_LOOPBACK))
		flags &= ~RTF_GATEWAY;

	/*
	 * Traditionally, interface routes are ones where RTF_GATEWAY isn't set
	 * and the gateway address provided is one of the system's interface
	 * addresses.  By using the routing socket interface and supplying an
	 * RTA_IFP sockaddr with an interface index, an alternate method of
	 * specifying an interface route to be created is available which uses
	 * the interface index that specifies the outgoing interface rather than
	 * the address of an outgoing interface (which may not be able to
	 * uniquely identify an interface).  When coupled with the RTF_GATEWAY
	 * flag, routes can be specified which not only specify the next-hop to
	 * be used when routing to a certain prefix, but also which outgoing
	 * interface should be used.
	 *
	 * Previously, interfaces would have unique addresses assigned to them
	 * and so the address assigned to a particular interface could be used
	 * to identify a particular interface.  One exception to this was the
	 * case of an unnumbered interface (where IPIF_UNNUMBERED was set).
	 *
	 * With the advent of IPv6 and its link-local addresses, this
	 * restriction was relaxed and interfaces could share addresses between
	 * themselves.  In fact, typically all of the link-local interfaces on
	 * an IPv6 node or router will have the same link-local address.  In
	 * order to differentiate between these interfaces, the use of an
	 * interface index is necessary and this index can be carried inside a
	 * RTA_IFP sockaddr (which is actually a sockaddr_dl).  One restriction
	 * of using the interface index, however, is that all of the ipif's that
	 * are part of an ill have the same index and so the RTA_IFP sockaddr
	 * cannot be used to differentiate between ipif's (or logical
	 * interfaces) that belong to the same ill (physical interface).
	 *
	 * For example, in the following case involving IPv4 interfaces and
	 * logical interfaces
	 *
	 *	192.0.2.32	255.255.255.224	192.0.2.33	U	if0
	 *	192.0.2.32	255.255.255.224	192.0.2.34	U	if0:1
	 *	192.0.2.32	255.255.255.224	192.0.2.35	U	if0:2
	 *
	 * the ipif's corresponding to each of these interface routes can be
	 * uniquely identified by the "gateway" (actually interface address).
	 *
	 * In this case involving multiple IPv6 default routes to a particular
	 * link-local gateway, the use of RTA_IFP is necessary to specify which
	 * default route is of interest:
	 *
	 *	default		fe80::123:4567:89ab:cdef	U	if0
	 *	default		fe80::123:4567:89ab:cdef	U	if1
	 */

	/* RTF_GATEWAY not set */
	if (!(flags & RTF_GATEWAY)) {
		queue_t	*stq;

		/*
		 * As the interface index specified with the RTA_IFP sockaddr is
		 * the same for all ipif's off of an ill, the matching logic
		 * below uses MATCH_IRE_ILL if such an index was specified.
		 * This means that routes sharing the same prefix when added
		 * using a RTA_IFP sockaddr must have distinct interface
		 * indices (namely, they must be on distinct ill's).
		 *
		 * On the other hand, since the gateway address will usually be
		 * different for each ipif on the system, the matching logic
		 * uses MATCH_IRE_IPIF in the case of a traditional interface
		 * route.  This means that interface routes for the same prefix
		 * can be created if they belong to distinct ipif's and if a
		 * RTA_IFP sockaddr is not present.
		 */
		if (ipif_arg != NULL) {
			if (ipif_refheld) {
				ipif_refrele(ipif);
				ipif_refheld = B_FALSE;
			}
			ipif = ipif_arg;
			match_flags |= MATCH_IRE_ILL;
		} else {
			/*
			 * Check the ipif corresponding to the gw_addr
			 */
			if (ipif == NULL)
				return (ENETUNREACH);
			match_flags |= MATCH_IRE_IPIF;
		}

		ASSERT(ipif != NULL);
		/*
		 * We check for an existing entry at this point.
		 */
		match_flags |= MATCH_IRE_MASK;
		ire = ire_ftable_lookup_v6(dst_addr, mask, 0, IRE_INTERFACE,
		    ipif, NULL, ALL_ZONES, 0, match_flags);
		if (ire != NULL) {
			ire_refrele(ire);
			if (ipif_refheld)
				ipif_refrele(ipif);
			return (EEXIST);
		}

		stq = (ipif->ipif_net_type == IRE_IF_RESOLVER)
		    ? ipif->ipif_rq : ipif->ipif_wq;

		/*
		 * Create a copy of the IRE_LOOPBACK, IRE_IF_NORESOLVER or
		 * IRE_IF_RESOLVER with the modified address and netmask.
		 */
		ire = ire_create_v6(
		    dst_addr,
		    mask,
		    &ipif->ipif_v6src_addr,
		    NULL,
		    &ipif->ipif_mtu,
		    NULL,
		    NULL,
		    stq,
		    ipif->ipif_net_type,
		    ipif->ipif_resolver_mp,
		    ipif,
		    NULL,
		    0,
		    0,
		    flags,
		    &ire_uinfo_null);
		if (ire == NULL) {
			if (ipif_refheld)
				ipif_refrele(ipif);
			return (ENOMEM);
		}

		/*
		 * Some software (for example, GateD and Sun Cluster) attempts
		 * to create (what amount to) IRE_PREFIX routes with the
		 * loopback address as the gateway.  This is primarily done to
		 * set up prefixes with the RTF_REJECT flag set (for example,
		 * when generating aggregate routes.)
		 *
		 * If the IRE type (as defined by ipif->ipif_net_type) is
		 * IRE_LOOPBACK, then we map the request into a
		 * IRE_IF_NORESOLVER.
		 *
		 * Needless to say, the real IRE_LOOPBACK is NOT created by this
		 * routine, but rather using ire_create_v6() directly.
		 */
		if (ipif->ipif_net_type == IRE_LOOPBACK)
			ire->ire_type = IRE_IF_NORESOLVER;
		error = ire_add(&ire, q, mp, func);
		if (error == 0)
			goto save_ire;
		/*
		 * In the result of failure, ire_add() will have already
		 * deleted the ire in question, so there is no need to
		 * do that here.
		 */
		if (ipif_refheld)
			ipif_refrele(ipif);
		return (error);
	}
	if (ipif_refheld) {
		ipif_refrele(ipif);
		ipif_refheld = B_FALSE;
	}

	/*
	 * Get an interface IRE for the specified gateway.
	 * If we don't have an IRE_IF_NORESOLVER or IRE_IF_RESOLVER for the
	 * gateway, it is currently unreachable and we fail the request
	 * accordingly.
	 */
	ipif = ipif_arg;
	if (ipif_arg != NULL)
		match_flags |= MATCH_IRE_ILL;
	gw_ire = ire_ftable_lookup_v6(gw_addr, 0, 0, IRE_INTERFACE, ipif_arg,
	    NULL, ALL_ZONES, 0, match_flags);
	if (gw_ire == NULL)
		return (ENETUNREACH);

	/*
	 * We create one of three types of IREs as a result of this request
	 * based on the netmask.  A netmask of all ones (which is automatically
	 * assumed when RTF_HOST is set) results in an IRE_HOST being created.
	 * An all zeroes netmask implies a default route so an IRE_DEFAULT is
	 * created.  Otherwise, an IRE_PREFIX route is created for the
	 * destination prefix.
	 */
	if (IN6_ARE_ADDR_EQUAL(mask, &ipv6_all_ones))
		type = IRE_HOST;
	else if (IN6_IS_ADDR_UNSPECIFIED(mask))
		type = IRE_DEFAULT;
	else
		type = IRE_PREFIX;

	/* check for a duplicate entry */
	ire = ire_ftable_lookup_v6(dst_addr, mask, gw_addr, type, ipif_arg,
	    NULL, ALL_ZONES, 0, match_flags | MATCH_IRE_MASK | MATCH_IRE_GW);
	if (ire != NULL) {
		ire_refrele(gw_ire);
		ire_refrele(ire);
		return (EEXIST);
	}

	/* Create the IRE. */
	ire = ire_create_v6(
	    dst_addr,				/* dest address */
	    mask,				/* mask */
	    /* src address assigned by the caller? */
	    (((flags & RTF_SETSRC) && !IN6_IS_ADDR_UNSPECIFIED(src_addr)) ?
		src_addr : NULL),
	    gw_addr,				/* gateway address */
	    &gw_ire->ire_max_frag,
	    NULL,				/* no Fast Path header */
	    NULL,				/* no recv-from queue */
	    NULL,				/* no send-to queue */
	    (ushort_t)type,			/* IRE type */
	    NULL,
	    ipif_arg,
	    NULL,
	    0,
	    0,
	    flags,
	    &gw_ire->ire_uinfo);		/* Inherit ULP info from gw */
	if (ire == NULL) {
		ire_refrele(gw_ire);
		return (ENOMEM);
	}

	/*
	 * POLICY: should we allow an RTF_HOST with address INADDR_ANY?
	 * SUN/OS socket stuff does but do we really want to allow ::0 ?
	 */

	/* Add the new IRE. */
	error = ire_add(&ire, q, mp, func);
	/*
	 * In the result of failure, ire_add() will have already
	 * deleted the ire in question, so there is no need to
	 * do that here.
	 */
	if (error != 0) {
		ire_refrele(gw_ire);
		return (error);
	}

	if (flags & RTF_MULTIRT) {
		/*
		 * Invoke the CGTP (multirouting) filtering module
		 * to add the dst address in the filtering database.
		 * Replicated inbound packets coming from that address
		 * will be filtered to discard the duplicates.
		 * It is not necessary to call the CGTP filter hook
		 * when the dst address is a multicast, because an
		 * IP source address cannot be a multicast.
		 */
		if ((ip_cgtp_filter_ops != NULL) &&
		    !IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6))) {
			int res = ip_cgtp_filter_ops->cfo_add_dest_v6(
			    &ire->ire_addr_v6,
			    &ire->ire_gateway_addr_v6,
			    &ire->ire_src_addr_v6,
			    &gw_ire->ire_src_addr_v6);
			if (res != 0) {
				ire_refrele(gw_ire);
				ire_delete(ire);
				return (res);
			}
		}
	}

save_ire:
	if (gw_ire != NULL) {
		ire_refrele(gw_ire);
	}
	if (ipif != NULL) {
		mblk_t	*save_mp;

		/*
		 * Save enough information so that we can recreate the IRE if
		 * the interface goes down and then up.  The metrics associated
		 * with the route will be saved as well when rts_setmetrics() is
		 * called after the IRE has been created.  In the case where
		 * memory cannot be allocated, none of this information will be
		 * saved.
		 */
		save_mp = allocb(sizeof (ifrt_t), BPRI_MED);
		if (save_mp != NULL) {
			ifrt_t	*ifrt;

			save_mp->b_wptr += sizeof (ifrt_t);
			ifrt = (ifrt_t *)save_mp->b_rptr;
			bzero(ifrt, sizeof (ifrt_t));
			ifrt->ifrt_type = ire->ire_type;
			ifrt->ifrt_v6addr = ire->ire_addr_v6;
			mutex_enter(&ire->ire_lock);
			ifrt->ifrt_v6gateway_addr = ire->ire_gateway_addr_v6;
			ifrt->ifrt_v6src_addr = ire->ire_src_addr_v6;
			mutex_exit(&ire->ire_lock);
			ifrt->ifrt_v6mask = ire->ire_mask_v6;
			ifrt->ifrt_flags = ire->ire_flags;
			ifrt->ifrt_max_frag = ire->ire_max_frag;
			mutex_enter(&ipif->ipif_saved_ire_lock);
			save_mp->b_cont = ipif->ipif_saved_ire_mp;
			ipif->ipif_saved_ire_mp = save_mp;
			ipif->ipif_saved_ire_cnt++;
			mutex_exit(&ipif->ipif_saved_ire_lock);
		}
	}
	if (ire_arg != NULL) {
		/*
		 * Store the ire that was successfully added into where ire_arg
		 * points to so that callers don't have to look it up
		 * themselves (but they are responsible for ire_refrele()ing
		 * the ire when they are finished with it).
		 */
		*ire_arg = ire;
	} else {
		ire_refrele(ire);		/* Held in ire_add */
	}
	if (ipif_refheld)
		ipif_refrele(ipif);
	return (0);
}

/*
 * ip_rt_delete_v6 is called to delete an IPv6 route.
 * ipif_arg is passed in to associate it with the correct interface
 * (for link-local destinations and gateways).
 */
/* ARGSUSED4 */
int
ip_rt_delete_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask,
    const in6_addr_t *gw_addr, uint_t rtm_addrs, int flags, ipif_t *ipif_arg,
    queue_t *q, mblk_t *mp, ipsq_func_t func)
{
	ire_t	*ire = NULL;
	ipif_t	*ipif;
	uint_t	type;
	uint_t	match_flags = MATCH_IRE_TYPE;
	int	err = 0;
	boolean_t	ipif_refheld = B_FALSE;

	/*
	 * If this is the case of RTF_HOST being set, then we set the netmask
	 * to all ones.  Otherwise, we use the netmask if one was supplied.
	 */
	if (flags & RTF_HOST) {
		mask = &ipv6_all_ones;
		match_flags |= MATCH_IRE_MASK;
	} else if (rtm_addrs & RTA_NETMASK) {
		match_flags |= MATCH_IRE_MASK;
	}

	/*
	 * Note that RTF_GATEWAY is never set on a delete, therefore
	 * we check if the gateway address is one of our interfaces first,
	 * and fall back on RTF_GATEWAY routes.
	 *
	 * This makes it possible to delete an original
	 * IRE_IF_NORESOLVER/IRE_IF_RESOLVER - consistent with SunOS 4.1.
	 *
	 * As the interface index specified with the RTA_IFP sockaddr is the
	 * same for all ipif's off of an ill, the matching logic below uses
	 * MATCH_IRE_ILL if such an index was specified.  This means a route
	 * sharing the same prefix and interface index as the the route
	 * intended to be deleted might be deleted instead if a RTA_IFP sockaddr
	 * is specified in the request.
	 *
	 * On the other hand, since the gateway address will usually be
	 * different for each ipif on the system, the matching logic
	 * uses MATCH_IRE_IPIF in the case of a traditional interface
	 * route.  This means that interface routes for the same prefix can be
	 * uniquely identified if they belong to distinct ipif's and if a
	 * RTA_IFP sockaddr is not present.
	 *
	 * For more detail on specifying routes by gateway address and by
	 * interface index, see the comments in ip_rt_add_v6().
	 */
	ipif = ipif_lookup_interface_v6(gw_addr, dst_addr, q, mp, func, &err);
	if (ipif != NULL) {
		ipif_refheld = B_TRUE;
		if (ipif_arg != NULL) {
			ipif_refrele(ipif);
			ipif_refheld = B_FALSE;
			ipif = ipif_arg;
			match_flags |= MATCH_IRE_ILL;
		} else {
			match_flags |= MATCH_IRE_IPIF;
		}

		if (ipif->ipif_ire_type == IRE_LOOPBACK)
			ire = ire_ctable_lookup_v6(dst_addr, 0, IRE_LOOPBACK,
			    ipif, ALL_ZONES, match_flags);
		if (ire == NULL)
			ire = ire_ftable_lookup_v6(dst_addr, mask, 0,
			    IRE_INTERFACE, ipif, NULL, ALL_ZONES, 0,
			    match_flags);
	} else if (err == EINPROGRESS) {
		return (err);
	} else {
		err = 0;
	}
	if (ire == NULL) {
		/*
		 * At this point, the gateway address is not one of our own
		 * addresses or a matching interface route was not found.  We
		 * set the IRE type to lookup based on whether
		 * this is a host route, a default route or just a prefix.
		 *
		 * If an ipif_arg was passed in, then the lookup is based on an
		 * interface index so MATCH_IRE_ILL is added to match_flags.
		 * In any case, MATCH_IRE_IPIF is cleared and MATCH_IRE_GW is
		 * set as the route being looked up is not a traditional
		 * interface route.
		 */
		match_flags &= ~MATCH_IRE_IPIF;
		match_flags |= MATCH_IRE_GW;
		if (ipif_arg != NULL)
			match_flags |= MATCH_IRE_ILL;
		if (IN6_ARE_ADDR_EQUAL(mask, &ipv6_all_ones))
			type = IRE_HOST;
		else if (IN6_IS_ADDR_UNSPECIFIED(mask))
			type = IRE_DEFAULT;
		else
			type = IRE_PREFIX;
		ire = ire_ftable_lookup_v6(dst_addr, mask, gw_addr, type,
		    ipif_arg, NULL, ALL_ZONES, 0, match_flags);
		if (ire == NULL && type == IRE_HOST) {
			ire = ire_ftable_lookup_v6(dst_addr, mask, gw_addr,
			    IRE_HOST_REDIRECT, ipif_arg, NULL, ALL_ZONES, 0,
			    match_flags);
		}
	}

	if (ipif_refheld) {
		ipif_refrele(ipif);
		ipif_refheld = B_FALSE;
	}
	if (ire == NULL)
		return (ESRCH);

	if (ire->ire_flags & RTF_MULTIRT) {
		/*
		 * Invoke the CGTP (multirouting) filtering module
		 * to remove the dst address from the filtering database.
		 * Packets coming from that address will no longer be
		 * filtered to remove duplicates.
		 */
		if (ip_cgtp_filter_ops != NULL) {
			err = ip_cgtp_filter_ops->cfo_del_dest_v6(
			    &ire->ire_addr_v6, &ire->ire_gateway_addr_v6);
		}
	}

	ipif = ire->ire_ipif;
	if (ipif != NULL) {
		mblk_t		**mpp;
		mblk_t		*mp;
		ifrt_t		*ifrt;
		in6_addr_t	gw_addr_v6;

		/* Remove from ipif_saved_ire_mp list if it is there */
		mutex_enter(&ire->ire_lock);
		gw_addr_v6 = ire->ire_gateway_addr_v6;
		mutex_exit(&ire->ire_lock);
		mutex_enter(&ipif->ipif_saved_ire_lock);
		for (mpp = &ipif->ipif_saved_ire_mp; *mpp != NULL;
		    mpp = &(*mpp)->b_cont) {
			/*
			 * On a given ipif, the triple of address, gateway and
			 * mask is unique for each saved IRE (in the case of
			 * ordinary interface routes, the gateway address is
			 * all-zeroes).
			 */
			mp = *mpp;
			ifrt = (ifrt_t *)mp->b_rptr;
			if (IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6addr,
			    &ire->ire_addr_v6) &&
			    IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6gateway_addr,
			    &gw_addr_v6) &&
			    IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6mask,
			    &ire->ire_mask_v6)) {
				*mpp = mp->b_cont;
				ipif->ipif_saved_ire_cnt--;
				freeb(mp);
				break;
			}
		}
		mutex_exit(&ipif->ipif_saved_ire_lock);
	}
	ire_delete(ire);
	ire_refrele(ire);
	return (err);
}

/*
 * Derive a token from the link layer address.
 */
boolean_t
ill_setdefaulttoken(ill_t *ill)
{
	int 		i;
	in6_addr_t	v6addr, v6mask;

	/*
	 * Though we execute on the ipsq, we need to hold the ill_lock
	 * to prevent readers from seeing partially updated values
	 * while we do the update.
	 */
	mutex_enter(&ill->ill_lock);
	if (!MEDIA_V6INTFID(ill->ill_media, ill->ill_phys_addr_length,
	    ill->ill_phys_addr, &v6addr)) {
		mutex_exit(&ill->ill_lock);
		return (B_FALSE);
	}

	(void) ip_plen_to_mask_v6(IPV6_TOKEN_LEN, &v6mask);

	for (i = 0; i < 4; i++)
		v6mask.s6_addr32[i] = v6mask.s6_addr32[i] ^
		    (uint32_t)0xffffffff;

	V6_MASK_COPY(v6addr, v6mask, ill->ill_token);
	ill->ill_token_length = IPV6_TOKEN_LEN;
	mutex_exit(&ill->ill_lock);
	return (B_TRUE);
}

/*
 * Create a link-local address from a token.
 */
static void
ipif_get_linklocal(in6_addr_t *dest, const in6_addr_t *token)
{
	int i;

	for (i = 0; i < 4; i++) {
		dest->s6_addr32[i] =
		    token->s6_addr32[i] | ipv6_ll_template.s6_addr32[i];
	}
}

/*
 * Set a nice default address for either automatic tunnels tsrc/96 or
 * 6to4 tunnels 2002:<tsrc>::1/64
 */
static void
ipif_set_tun_auto_addr(ipif_t *ipif, struct iftun_req *ta)
{
	sin6_t	sin6;
	sin_t	*sin;
	ill_t 	*ill = ipif->ipif_ill;
	tun_t *tp = (tun_t *)ill->ill_wq->q_next->q_ptr;

	if (ta->ifta_saddr.ss_family != AF_INET ||
	    (ipif->ipif_flags & IPIF_UP) || !ipif->ipif_isv6 ||
	    (ta->ifta_flags & IFTUN_SRC) == 0)
		return;

	/*
	 * Check the tunnel type by examining q_next->q_ptr
	 */
	if (tp->tun_flags & TUN_AUTOMATIC) {
		/* this is an automatic tunnel */
		(void) ip_plen_to_mask_v6(IPV6_ABITS - IP_ABITS,
		    &ipif->ipif_v6net_mask);
		bzero(&sin6, sizeof (sin6_t));
		sin = (sin_t *)&ta->ifta_saddr;
		V4_PART_OF_V6(sin6.sin6_addr) = sin->sin_addr.s_addr;
		sin6.sin6_family = AF_INET6;
		(void) ip_sioctl_addr(ipif, (sin_t *)&sin6,
		    NULL, NULL, NULL, NULL);
	} else if (tp->tun_flags & TUN_6TO4) {
		/* this is a 6to4 tunnel */
		(void) ip_plen_to_mask_v6(IPV6_PREFIX_LEN,
		    &ipif->ipif_v6net_mask);
		sin = (sin_t *)&ta->ifta_saddr;
		/* create a 6to4 address from the IPv4 tsrc */
		IN6_V4ADDR_TO_6TO4(&sin->sin_addr, &sin6.sin6_addr);
		sin6.sin6_family = AF_INET6;
		(void) ip_sioctl_addr(ipif, (sin_t *)&sin6,
		    NULL, NULL, NULL, NULL);
	} else {
		ip1dbg(("ipif_set_tun_auto_addr: Unknown tunnel type"));
		return;
	}
}

/*
 * Set link local for ipif_id 0 of a configured tunnel based on the
 * tsrc or tdst parameter
 * For tunnels over IPv4 use the IPv4 address prepended with 32 zeros as
 * the token.
 * For tunnels over IPv6 use the low-order 64 bits of the "inner" IPv6 address
 * as the token for the "outer" link.
 */
void
ipif_set_tun_llink(ill_t *ill, struct iftun_req *ta)
{
	ipif_t		*ipif;
	sin_t		*sin;
	in6_addr_t	*s6addr;

	ASSERT(IAM_WRITER_ILL(ill));

	/* The first ipif must be id zero. */
	ipif = ill->ill_ipif;
	ASSERT(ipif->ipif_id == 0);

	/* no link local for automatic tunnels */
	if (!(ipif->ipif_flags & IPIF_POINTOPOINT)) {
		ipif_set_tun_auto_addr(ipif, ta);
		return;
	}

	if ((ta->ifta_flags & IFTUN_DST) &&
	    IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6pp_dst_addr)) {
		sin6_t	sin6;

		ASSERT(!(ipif->ipif_flags & IPIF_UP));
		bzero(&sin6, sizeof (sin6_t));
		if ((ta->ifta_saddr.ss_family == AF_INET)) {
			sin = (sin_t *)&ta->ifta_daddr;
			V4_PART_OF_V6(sin6.sin6_addr) =
			    sin->sin_addr.s_addr;
		} else {
			s6addr =
			    &((sin6_t *)&ta->ifta_daddr)->sin6_addr;
			sin6.sin6_addr.s6_addr32[3] = s6addr->s6_addr32[3];
			sin6.sin6_addr.s6_addr32[2] = s6addr->s6_addr32[2];
		}
		ipif_get_linklocal(&ipif->ipif_v6pp_dst_addr,
		    &sin6.sin6_addr);
		ipif->ipif_v6subnet = ipif->ipif_v6pp_dst_addr;
	}
	if ((ta->ifta_flags & IFTUN_SRC)) {
		ASSERT(!(ipif->ipif_flags & IPIF_UP));

		/* Set the token if it isn't already set */
		if (IN6_IS_ADDR_UNSPECIFIED(&ill->ill_token)) {
			if ((ta->ifta_saddr.ss_family == AF_INET)) {
				sin = (sin_t *)&ta->ifta_saddr;
				V4_PART_OF_V6(ill->ill_token) =
				    sin->sin_addr.s_addr;
			} else {
				s6addr =
				    &((sin6_t *)&ta->ifta_saddr)->sin6_addr;
				ill->ill_token.s6_addr32[3] =
				    s6addr->s6_addr32[3];
				ill->ill_token.s6_addr32[2] =
				    s6addr->s6_addr32[2];
			}
			ill->ill_token_length = IPV6_TOKEN_LEN;
		}
		/*
		 * Attempt to set the link local address if it isn't set.
		 */
		if (IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr))
			(void) ipif_setlinklocal(ipif);
	}
}

/*
 * Is it not possible to set the link local address?
 * The address can be set if the token is set, and the token
 * isn't too long.
 * Return B_TRUE if the address can't be set, or B_FALSE if it can.
 */
boolean_t
ipif_cant_setlinklocal(ipif_t *ipif)
{
	ill_t *ill = ipif->ipif_ill;

	if (IN6_IS_ADDR_UNSPECIFIED(&ill->ill_token) ||
	    ill->ill_token_length > IPV6_ABITS - IPV6_LL_PREFIXLEN)
		return (B_TRUE);

	return (B_FALSE);
}

/*
 * Generate a link-local address from the token.
 * Return zero if the address was set, or non-zero if it couldn't be set.
 */
int
ipif_setlinklocal(ipif_t *ipif)
{
	ill_t *ill = ipif->ipif_ill;

	ASSERT(IAM_WRITER_ILL(ill));

	if (ipif_cant_setlinklocal(ipif))
		return (-1);

	ipif_get_linklocal(&ipif->ipif_v6lcl_addr, &ill->ill_token);
	(void) ip_plen_to_mask_v6(IPV6_LL_PREFIXLEN, &ipif->ipif_v6net_mask);
	V6_MASK_COPY(ipif->ipif_v6lcl_addr, ipif->ipif_v6net_mask,
	    ipif->ipif_v6subnet);

	if (ipif->ipif_flags & IPIF_NOLOCAL) {
		ipif->ipif_v6src_addr = ipv6_all_zeros;
	} else {
		ipif->ipif_v6src_addr = ipif->ipif_v6lcl_addr;
	}
	return (0);
}

/*
 * This function sets up the multicast mappings in NDP.
 * Unlike ARP, there are no mapping_mps here. We delete the
 * mapping nces and add a new one.
 *
 * Returns non-zero on error and 0 on success.
 */
int
ipif_ndp_setup_multicast(ipif_t *ipif, nce_t **ret_nce)
{
	ill_t		*ill = ipif->ipif_ill;
	in6_addr_t	v6_mcast_addr = {(uint32_t)V6_MCAST, 0, 0, 0};
	in6_addr_t	v6_mcast_mask = {(uint32_t)V6_MCAST, 0, 0, 0};
	in6_addr_t	v6_extract_mask;
	uchar_t		*phys_addr, *bphys_addr, *alloc_phys;
	nce_t		*mnce = NULL;
	int		err = 0;
	phyint_t	*phyi = ill->ill_phyint;
	uint32_t	hw_extract_start;
	dl_unitdata_req_t *dlur;

	if (ret_nce != NULL)
		*ret_nce = NULL;
	/*
	 * Delete the mapping nce. Normally these should not exist
	 * as a previous ipif_down -> ipif_ndp_down should have deleted
	 * all the nces. But they can exist if ip_rput_dlpi_writer
	 * calls this when PHYI_MULTI_BCAST is set.
	 */
	mnce = ndp_lookup(ill, &v6_mcast_addr, B_FALSE);
	if (mnce != NULL) {
		ndp_delete(mnce);
		NCE_REFRELE(mnce);
		mnce = NULL;
	}

	/*
	 * Get media specific v6 mapping information. Note that
	 * nd_lla_len can be 0 for tunnels.
	 */
	alloc_phys = kmem_alloc(ill->ill_nd_lla_len, KM_NOSLEEP);
	if ((alloc_phys == NULL) && (ill->ill_nd_lla_len != 0))
		return (ENOMEM);
	/*
	 * Determine the broadcast address.
	 */
	dlur = (dl_unitdata_req_t *)ill->ill_bcast_mp->b_rptr;
	if (ill->ill_sap_length < 0)
		bphys_addr = (uchar_t *)dlur + dlur->dl_dest_addr_offset;
	else
		bphys_addr = (uchar_t *)dlur +
		    dlur->dl_dest_addr_offset + ill->ill_sap_length;

	/*
	 * Check PHYI_MULTI_BCAST and possible length of physical
	 * address to determine if we use the mapping or the
	 * broadcast address.
	 */
	if ((phyi->phyint_flags & PHYI_MULTI_BCAST) ||
	    (!MEDIA_V6MINFO(ill->ill_media, ill->ill_nd_lla_len,
	    bphys_addr, alloc_phys, &hw_extract_start,
	    &v6_extract_mask))) {
		if (ill->ill_phys_addr_length > IP_MAX_HW_LEN) {
			kmem_free(alloc_phys, ill->ill_nd_lla_len);
			return (E2BIG);
		}
		/* Use the link-layer broadcast address for MULTI_BCAST */
		phys_addr = bphys_addr;
		bzero(&v6_extract_mask, sizeof (v6_extract_mask));
		hw_extract_start = ill->ill_nd_lla_len;
	} else {
		phys_addr = alloc_phys;
	}
	if ((ipif->ipif_flags & IPIF_BROADCAST) ||
	    (ill->ill_flags & ILLF_MULTICAST) ||
	    (phyi->phyint_flags & PHYI_MULTI_BCAST)) {
		mutex_enter(&ndp_g_lock);
		err = ndp_add(ill,
		    phys_addr,
		    &v6_mcast_addr,	/* v6 address */
		    &v6_mcast_mask,	/* v6 mask */
		    &v6_extract_mask,
		    hw_extract_start,
		    NCE_F_MAPPING | NCE_F_PERMANENT | NCE_F_NONUD,
		    ND_REACHABLE,
		    &mnce);
		mutex_exit(&ndp_g_lock);
		if (err == 0) {
			if (ret_nce != NULL) {
				*ret_nce = mnce;
			} else {
				NCE_REFRELE(mnce);
			}
		}
	}
	kmem_free(alloc_phys, ill->ill_nd_lla_len);
	return (err);
}

/*
 * Get the resolver set up for a new interface address.  (Always called
 * as writer.)
 */
int
ipif_ndp_up(ipif_t *ipif, const in6_addr_t *addr, boolean_t macaddr_change)
{
	ill_t		*ill = ipif->ipif_ill;
	int		err = 0;
	nce_t		*nce = NULL;
	nce_t		*mnce = NULL;

	ip1dbg(("ipif_ndp_up(%s:%u)\n",
		ipif->ipif_ill->ill_name, ipif->ipif_id));

	/*
	 * ND not supported on XRESOLV interfaces. If ND support (multicast)
	 * added later, take out this check.
	 */
	if (ill->ill_flags & ILLF_XRESOLV)
		return (0);

	if (IN6_IS_ADDR_UNSPECIFIED(addr) ||
	    (!(ill->ill_net_type & IRE_INTERFACE)))
		return (0);

	/*
	 * Need to setup multicast mapping only when the first
	 * interface is coming UP.
	 */
	if (ill->ill_ipif_up_count == 0 &&
	    (ill->ill_flags & ILLF_MULTICAST)) {
		/*
		 * We set the multicast before setting up the mapping for
		 * local address because ipif_ndp_setup_multicast does
		 * ndp_walk to delete nces which will delete the mapping
		 * for local address also if we added the mapping for
		 * local address first.
		 */
		err = ipif_ndp_setup_multicast(ipif, &mnce);
		if (err != 0)
			return (err);
	}

	if ((ipif->ipif_flags & (IPIF_UNNUMBERED|IPIF_NOLOCAL)) == 0) {
		uint16_t	flags;
		uchar_t	*hw_addr = NULL;

		/* Permanent entries don't need NUD */
		flags = NCE_F_PERMANENT;
		flags |= NCE_F_NONUD;
		if (ill->ill_flags & ILLF_ROUTER)
			flags |= NCE_F_ISROUTER;

		if (ipif->ipif_flags & IPIF_ANYCAST)
			flags |= NCE_F_ANYCAST;

		if (ill->ill_net_type == IRE_IF_RESOLVER) {
			hw_addr = ill->ill_nd_lla;

			if (ill->ill_move_in_progress || macaddr_change) {
				/*
				 * Addresses are failing over to this ill.
				 * Don't wait for NUD to see this change.
				 * Publish our new link-layer address.
				 */
				flags |= NCE_F_UNSOL_ADV;
			}
		}
		err = ndp_lookup_then_add(ill,
		    hw_addr,
		    addr,
		    &ipv6_all_ones,
		    &ipv6_all_zeros,
		    0,
		    flags,
		    ND_REACHABLE,
		    &nce);
		switch (err) {
		case 0:
			ip1dbg(("ipif_ndp_up: NCE created for %s\n",
			    ill->ill_name));
			break;
		case EEXIST:
			NCE_REFRELE(nce);
			ip1dbg(("ipif_ndp_up: NCE already exists for %s\n",
			    ill->ill_name));
			if (mnce != NULL) {
				ndp_delete(mnce);
				NCE_REFRELE(mnce);
			}
			return (err);
		default:
			ip1dbg(("ipif_ndp_up: NCE creation failed %s\n",
			    ill->ill_name));
			if (mnce != NULL) {
				ndp_delete(mnce);
				NCE_REFRELE(mnce);
			}
			return (err);
		}
	}
	if (nce != NULL)
		NCE_REFRELE(nce);
	if (mnce != NULL)
		NCE_REFRELE(mnce);
	return (0);
}

/* Remove all cache entries for this logical interface */
void
ipif_ndp_down(ipif_t *ipif)
{
	nce_t	*nce;

	nce = ndp_lookup(ipif->ipif_ill, &ipif->ipif_v6lcl_addr, B_FALSE);
	if (nce != NULL) {
		ndp_delete(nce);
		NCE_REFRELE(nce);
	}
	/*
	 * Remove mapping and all other nces dependent on this ill
	 * when the last ipif is going away.
	 */
	if (ipif->ipif_ill->ill_ipif_up_count == 0) {
		ndp_walk(ipif->ipif_ill, (pfi_t)ndp_delete_per_ill,
		    (uchar_t *)ipif->ipif_ill);
	}
}

/*
 * Used when an interface comes up to recreate any extra routes on this
 * interface.
 */
static ire_t **
ipif_recover_ire_v6(ipif_t *ipif)
{
	mblk_t	*mp;
	ire_t   **ipif_saved_irep;
	ire_t   **irep;

	ip1dbg(("ipif_recover_ire_v6(%s:%u)", ipif->ipif_ill->ill_name,
	    ipif->ipif_id));

	ASSERT(ipif->ipif_isv6);

	mutex_enter(&ipif->ipif_saved_ire_lock);
	ipif_saved_irep = (ire_t **)kmem_zalloc(sizeof (ire_t *) *
	    ipif->ipif_saved_ire_cnt, KM_NOSLEEP);
	if (ipif_saved_irep == NULL) {
		mutex_exit(&ipif->ipif_saved_ire_lock);
		return (NULL);
	}

	irep = ipif_saved_irep;

	for (mp = ipif->ipif_saved_ire_mp; mp != NULL; mp = mp->b_cont) {
		ire_t		*ire;
		queue_t		*rfq;
		queue_t		*stq;
		ifrt_t		*ifrt;
		in6_addr_t	*src_addr;
		in6_addr_t	*gateway_addr;
		mblk_t		*resolver_mp;
		char		buf[INET6_ADDRSTRLEN];
		ushort_t	type;

		/*
		 * When the ire was initially created and then added in
		 * ip_rt_add_v6(), it was created either using
		 * ipif->ipif_net_type in the case of a traditional interface
		 * route, or as one of the IRE_OFFSUBNET types (with the
		 * exception of IRE_HOST_REDIRECT which is created by
		 * icmp_redirect_v6() and which we don't need to save or
		 * recover).  In the case where ipif->ipif_net_type was
		 * IRE_LOOPBACK, ip_rt_add_v6() will update the ire_type to
		 * IRE_IF_NORESOLVER before calling ire_add_v6() to satisfy
		 * software like GateD and Sun Cluster which creates routes
		 * using the the loopback interface's address as a gateway.
		 *
		 * As ifrt->ifrt_type reflects the already updated ire_type and
		 * since ire_create_v6() expects that IRE_IF_NORESOLVER will
		 * have a valid ire_dlureq_mp field (which doesn't make sense
		 * for a IRE_LOOPBACK), ire_create_v6() will be called in the
		 * same way here as in ip_rt_add_v6(), namely using
		 * ipif->ipif_net_type when the route looks like a traditional
		 * interface route (where ifrt->ifrt_type & IRE_INTERFACE is
		 * true) and otherwise using the saved ifrt->ifrt_type.  This
		 * means that in the case where ipif->ipif_net_type is
		 * IRE_LOOPBACK, the ire created by ire_create_v6() will be an
		 * IRE_LOOPBACK, it will then be turned into an
		 * IRE_IF_NORESOLVER and then added by ire_add_v6().
		 */
		ifrt = (ifrt_t *)mp->b_rptr;
		if (ifrt->ifrt_type & IRE_INTERFACE) {
			rfq = NULL;
			stq = (ipif->ipif_net_type == IRE_IF_RESOLVER)
			    ? ipif->ipif_rq : ipif->ipif_wq;
			src_addr = (ifrt->ifrt_flags & RTF_SETSRC)
			    ? &ifrt->ifrt_v6src_addr
			    : &ipif->ipif_v6src_addr;
			gateway_addr = NULL;
			resolver_mp = ipif->ipif_resolver_mp;
			type = ipif->ipif_net_type;
		} else {
			rfq = NULL;
			stq = NULL;
			src_addr = (ifrt->ifrt_flags & RTF_SETSRC)
			    ? &ifrt->ifrt_v6src_addr : NULL;
			gateway_addr = &ifrt->ifrt_v6gateway_addr;
			resolver_mp = NULL;
			type = ifrt->ifrt_type;
		}

		/*
		 * Create a copy of the IRE with the saved address and netmask.
		 */
		ip1dbg(("ipif_recover_ire_v6: creating IRE %s (%d) for %s/%d\n",
		    ip_nv_lookup(ire_nv_tbl, ifrt->ifrt_type), ifrt->ifrt_type,
		    inet_ntop(AF_INET6, &ifrt->ifrt_v6addr, buf, sizeof (buf)),
		    ip_mask_to_plen_v6(&ifrt->ifrt_v6mask)));
		ire = ire_create_v6(
		    &ifrt->ifrt_v6addr,
		    &ifrt->ifrt_v6mask,
		    src_addr,
		    gateway_addr,
		    &ifrt->ifrt_max_frag,
		    NULL,
		    rfq,
		    stq,
		    type,
		    resolver_mp,
		    ipif,
		    NULL,
		    0,
		    0,
		    ifrt->ifrt_flags,
		    &ifrt->ifrt_iulp_info);
		if (ire == NULL) {
			mutex_exit(&ipif->ipif_saved_ire_lock);
			kmem_free(ipif_saved_irep,
			    ipif->ipif_saved_ire_cnt * sizeof (ire_t *));
			return (NULL);
		}

		/*
		 * Some software (for example, GateD and Sun Cluster) attempts
		 * to create (what amount to) IRE_PREFIX routes with the
		 * loopback address as the gateway.  This is primarily done to
		 * set up prefixes with the RTF_REJECT flag set (for example,
		 * when generating aggregate routes.)
		 *
		 * If the IRE type (as defined by ipif->ipif_net_type) is
		 * IRE_LOOPBACK, then we map the request into a
		 * IRE_IF_NORESOLVER.
		 */
		if (ipif->ipif_net_type == IRE_LOOPBACK)
			ire->ire_type = IRE_IF_NORESOLVER;
		/*
		 * ire held by ire_add, will be refreled' in ipif_up_done
		 * towards the end
		 */
		(void) ire_add(&ire, NULL, NULL, NULL);
		*irep = ire;
		irep++;
		ip1dbg(("ipif_recover_ire_v6: added ire %p\n", (void *)ire));
	}
	mutex_exit(&ipif->ipif_saved_ire_lock);
	return (ipif_saved_irep);
}

/*
 * Return the scope of the given IPv6 address.  If the address is an
 * IPv4 mapped IPv6 address, return the scope of the corresponding
 * IPv4 address.
 */
in6addr_scope_t
ip_addr_scope_v6(const in6_addr_t *addr)
{
	static in6_addr_t ipv6loopback = IN6ADDR_LOOPBACK_INIT;

	if (IN6_IS_ADDR_V4MAPPED(addr)) {
		in_addr_t v4addr_h = ntohl(V4_PART_OF_V6((*addr)));
		if ((v4addr_h >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
		    (v4addr_h & IN_AUTOCONF_MASK) == IN_AUTOCONF_NET)
			return (IP6_SCOPE_LINKLOCAL);
		if ((v4addr_h & IN_PRIVATE8_MASK) == IN_PRIVATE8_NET ||
		    (v4addr_h & IN_PRIVATE12_MASK) == IN_PRIVATE12_NET ||
		    (v4addr_h & IN_PRIVATE16_MASK) == IN_PRIVATE16_NET)
			return (IP6_SCOPE_SITELOCAL);
		return (IP6_SCOPE_GLOBAL);
	}

	if (IN6_IS_ADDR_MULTICAST(addr))
		return (IN6_ADDR_MC_SCOPE(addr));

	/* link-local and loopback addresses are of link-local scope */
	if (IN6_IS_ADDR_LINKLOCAL(addr) ||
	    IN6_ARE_ADDR_EQUAL(addr, &ipv6loopback))
		return (IP6_SCOPE_LINKLOCAL);
	if (IN6_IS_ADDR_SITELOCAL(addr))
		return (IP6_SCOPE_SITELOCAL);
	return (IP6_SCOPE_GLOBAL);
}


/*
 * Calculates the xor of a1 and a2, and stores the result in res.
 */
static void
ip_addr_xor_v6(const in6_addr_t *a1, const in6_addr_t *a2, in6_addr_t *res)
{
	int i;

	for (i = 0; i < 4; i++)
		res->s6_addr32[i] = a1->s6_addr32[i] ^ a2->s6_addr32[i];
}

#define	IPIF_VALID_IPV6_SOURCE(ipif) \
	(((ipif)->ipif_flags & IPIF_UP) && \
	!((ipif)->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST)))

/* source address candidate */
typedef struct candidate {
	ipif_t		*cand_ipif;
	/* The properties of this candidate */
	boolean_t	cand_isdst;
	boolean_t	cand_isdst_set;
	in6addr_scope_t	cand_scope;
	boolean_t	cand_scope_set;
	boolean_t	cand_isdeprecated;
	boolean_t	cand_isdeprecated_set;
	boolean_t	cand_ispreferred;
	boolean_t	cand_ispreferred_set;
	boolean_t	cand_matchedinterface;
	boolean_t	cand_matchedinterface_set;
	boolean_t	cand_matchedlabel;
	boolean_t	cand_matchedlabel_set;
	boolean_t	cand_istmp;
	boolean_t	cand_istmp_set;
	in6_addr_t	cand_xor;
	boolean_t	cand_xor_set;
} cand_t;
#define	cand_srcaddr	cand_ipif->ipif_v6lcl_addr
#define	cand_flags	cand_ipif->ipif_flags
#define	cand_ill	cand_ipif->ipif_ill

/* information about the destination for source address selection */
typedef struct dstinfo {
	const in6_addr_t	*dst_addr;
	ill_t			*dst_ill;
	boolean_t		dst_restrict_ill;
	boolean_t		dst_prefer_src_tmp;
	in6addr_scope_t		dst_scope;
	char			*dst_label;
} dstinfo_t;

/*
 * The following functions are rules used to select a source address in
 * ipif_select_source_v6().  Each rule compares a current candidate (cc)
 * against the best candidate (bc).  Each rule has three possible outcomes;
 * the candidate is preferred over the best candidate (CAND_PREFER), the
 * candidate is not preferred over the best candidate (CAND_AVOID), or the
 * candidate is of equal value as the best candidate (CAND_TIE).
 *
 * These rules are part of a greater "Default Address Selection for IPv6"
 * sheme, which is standards based work coming out of the IETF ipv6 working
 * group.  The IETF document defines both IPv6 source address selection and
 * destination address ordering.  The rules defined here implement the IPv6
 * source address selection.  Destination address ordering is done by
 * libnsl, and uses a similar set of rules to implement the sorting.
 */
typedef enum {CAND_AVOID, CAND_TIE, CAND_PREFER} rule_res_t;
typedef	rule_res_t (*rulef_t)(cand_t *, cand_t *, const dstinfo_t *);

/* Prefer an address if it is equal to the destination address. */
static rule_res_t
rule_isdst(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo)
{
	if (!bc->cand_isdst_set) {
		bc->cand_isdst =
		    IN6_ARE_ADDR_EQUAL(&bc->cand_srcaddr, dstinfo->dst_addr);
		bc->cand_isdst_set = B_TRUE;
	}

	cc->cand_isdst =
	    IN6_ARE_ADDR_EQUAL(&cc->cand_srcaddr, dstinfo->dst_addr);
	cc->cand_isdst_set = B_TRUE;

	if (cc->cand_isdst == bc->cand_isdst)
		return (CAND_TIE);
	else if (cc->cand_isdst)
		return (CAND_PREFER);
	else
		return (CAND_AVOID);
}

/*
 * Prefer addresses that are of closest scope to the destination.  Always
 * prefer addresses that are of greater scope than the destination over
 * those that are of lesser scope than the destination.
 */
static rule_res_t
rule_scope(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo)
{
	if (!bc->cand_scope_set) {
		bc->cand_scope = ip_addr_scope_v6(&bc->cand_srcaddr);
		bc->cand_scope_set = B_TRUE;
	}

	cc->cand_scope = ip_addr_scope_v6(&cc->cand_srcaddr);
	cc->cand_scope_set = B_TRUE;

	if (cc->cand_scope < bc->cand_scope) {
		if (cc->cand_scope < dstinfo->dst_scope)
			return (CAND_AVOID);
		else
			return (CAND_PREFER);
	} else if (bc->cand_scope < cc->cand_scope) {
		if (bc->cand_scope < dstinfo->dst_scope)
			return (CAND_PREFER);
		else
			return (CAND_AVOID);
	} else {
		return (CAND_TIE);
	}
}

/*
 * Prefer non-deprecated source addresses.
 */
/* ARGSUSED2 */
static rule_res_t
rule_deprecated(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo)
{
	if (!bc->cand_isdeprecated_set) {
		bc->cand_isdeprecated =
		    ((bc->cand_flags & IPIF_DEPRECATED) != 0);
		bc->cand_isdeprecated_set = B_TRUE;
	}

	cc->cand_isdeprecated = ((cc->cand_flags & IPIF_DEPRECATED) != 0);
	cc->cand_isdeprecated_set = B_TRUE;

	if (bc->cand_isdeprecated == cc->cand_isdeprecated)
		return (CAND_TIE);
	else if (cc->cand_isdeprecated)
		return (CAND_AVOID);
	else
		return (CAND_PREFER);
}

/*
 * Prefer source addresses that have the IPIF_PREFERRED flag set.  This
 * rule must be before rule_interface because the flag could be set on any
 * interface, not just the interface being used for outgoing packets (for
 * example, the IFF_PREFERRED could be set on an address assigned to the
 * loopback interface).
 */
/* ARGSUSED2 */
static rule_res_t
rule_preferred(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo)
{
	if (!bc->cand_ispreferred_set) {
		bc->cand_ispreferred = ((bc->cand_flags & IPIF_PREFERRED) != 0);
		bc->cand_ispreferred_set = B_TRUE;
	}

	cc->cand_ispreferred = ((cc->cand_flags & IPIF_PREFERRED) != 0);
	cc->cand_ispreferred_set = B_TRUE;

	if (bc->cand_ispreferred == cc->cand_ispreferred)
		return (CAND_TIE);
	else if (cc->cand_ispreferred)
		return (CAND_PREFER);
	else
		return (CAND_AVOID);
}

/*
 * Prefer source addresses that are assigned to the outgoing interface, or
 * to an interface that is in the same IPMP group as the outgoing
 * interface.
 */
static rule_res_t
rule_interface(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo)
{
	ill_t *dstill = dstinfo->dst_ill;

	/*
	 * If dstinfo->dst_restrict_ill is set, this rule is unnecessary
	 * since we know all candidates will be on the same link.
	 */
	if (dstinfo->dst_restrict_ill)
		return (CAND_TIE);

	if (!bc->cand_matchedinterface_set) {
		bc->cand_matchedinterface = (bc->cand_ill == dstill ||
		    (dstill->ill_group != NULL &&
		    dstill->ill_group == bc->cand_ill->ill_group));
		bc->cand_matchedinterface_set = B_TRUE;
	}

	cc->cand_matchedinterface = (cc->cand_ill == dstill ||
	    (dstill->ill_group != NULL &&
		dstill->ill_group == cc->cand_ill->ill_group));
	cc->cand_matchedinterface_set = B_TRUE;

	if (bc->cand_matchedinterface == cc->cand_matchedinterface)
		return (CAND_TIE);
	else if (cc->cand_matchedinterface)
		return (CAND_PREFER);
	else
		return (CAND_AVOID);
}

/*
 * Prefer source addresses whose label matches the destination's label.
 */
static rule_res_t
rule_label(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo)
{
	char *label;

	if (!bc->cand_matchedlabel_set) {
		label = ip6_asp_lookup(&bc->cand_srcaddr, NULL);
		bc->cand_matchedlabel =
		    ip6_asp_labelcmp(label, dstinfo->dst_label);
		bc->cand_matchedlabel_set = B_TRUE;
	}

	label = ip6_asp_lookup(&cc->cand_srcaddr, NULL);
	cc->cand_matchedlabel = ip6_asp_labelcmp(label, dstinfo->dst_label);
	cc->cand_matchedlabel_set = B_TRUE;

	if (bc->cand_matchedlabel == cc->cand_matchedlabel)
		return (CAND_TIE);
	else if (cc->cand_matchedlabel)
		return (CAND_PREFER);
	else
		return (CAND_AVOID);
}

/*
 * Prefer public addresses over temporary ones.  An application can reverse
 * the logic of this rule and prefer temporary addresses by using the
 * IPV6_SRC_PREFERENCES socket option.
 */
static rule_res_t
rule_temporary(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo)
{
	if (!bc->cand_istmp_set) {
		bc->cand_istmp = ((bc->cand_flags & IPIF_TEMPORARY) != 0);
		bc->cand_istmp_set = B_TRUE;
	}

	cc->cand_istmp = ((cc->cand_flags & IPIF_TEMPORARY) != 0);
	cc->cand_istmp_set = B_TRUE;

	if (bc->cand_istmp == cc->cand_istmp)
		return (CAND_TIE);

	if (dstinfo->dst_prefer_src_tmp && cc->cand_istmp)
		return (CAND_PREFER);
	else if (!dstinfo->dst_prefer_src_tmp && !cc->cand_istmp)
		return (CAND_PREFER);
	else
		return (CAND_AVOID);
}

/*
 * Prefer source addresses with longer matching prefix with the
 * destination.  Since this is the last rule, it must not produce a tie.
 * We do the longest matching prefix calculation and the tie break in one
 * calculation by doing an xor of both addresses with the destination, and
 * pick the address with the smallest xor value.  That way, we're both
 * picking the address with the longest matching prefix, and breaking the
 * tie if they happen to have both have equal mathing prefixes.
 */
static rule_res_t
rule_prefix(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo)
{
	int i;

	if (!bc->cand_xor_set) {
		ip_addr_xor_v6(&bc->cand_srcaddr,
		    dstinfo->dst_addr, &bc->cand_xor);
		bc->cand_xor_set = B_TRUE;
	}

	ip_addr_xor_v6(&cc->cand_srcaddr, dstinfo->dst_addr, &cc->cand_xor);
	cc->cand_xor_set = B_TRUE;

	for (i = 0; i < 4; i++) {
		if (bc->cand_xor.s6_addr32[i] != cc->cand_xor.s6_addr32[i])
			break;
	}

	if (cc->cand_xor.s6_addr32[i] < bc->cand_xor.s6_addr32[i])
		return (CAND_PREFER);
	else
		return (CAND_AVOID);
}

/*
 * Determine the best source address given a destination address and a
 * destination ill.  If no suitable source address is found, it returns
 * NULL. If there is a usable address pointed to by the usesrc
 * (i.e ill_usesrc_ifindex != 0) then return that first since it is more
 * fine grained (i.e per interface)
 *
 * This implementation is based on the "Default Address Selection for IPv6"
 * specification produced by the IETF IPv6 working group.  It has been
 * implemented so that the list of addresses is only traversed once (the
 * specification's algorithm could traverse the list of addresses once for
 * every rule).
 *
 * The restrict_ill argument restricts the algorithm to chose a source
 * address that is assigned to the destination ill or an ill in the same
 * IPMP group as the destination ill.  This is used when the destination
 * address is a link-local or multicast address, and when
 * ipv6_strict_dst_multihoming is turned on.
 *
 * src_prefs is the caller's set of source address preferences.  If source
 * address selection is being called to determine the source address of a
 * connected socket (from ip_bind_connected_v6()), then the preferences are
 * taken from conn_src_preferences.  These preferences can be set on a
 * per-socket basis using the IPV6_SRC_PREFERENCES socket option.  The only
 * preference currently implemented is for rfc3041 temporary addresses.
 */
ipif_t *
ipif_select_source_v6(ill_t *dstill, const in6_addr_t *dst,
    boolean_t restrict_ill, uint32_t src_prefs, zoneid_t zoneid)
{
	dstinfo_t	dstinfo;
	char		dstr[INET6_ADDRSTRLEN];
	char		sstr[INET6_ADDRSTRLEN];
	ipif_t		*ipif;
	ill_t		*ill, *usesrc_ill = NULL;
	ill_walk_context_t	ctx;
	cand_t		best_c;	/* The best candidate */
	cand_t		curr_c;	/* The current candidate */
	uint_t		index;
	boolean_t	first_candidate = B_TRUE;
	rule_res_t	rule_result;
	phyint_t	*phyi;

	/*
	 * The list of ordering rules.  They are applied in the order they
	 * appear in the list.
	 *
	 * XXX rule_mipv6 will need to be implemented (the specification's
	 * rules 4) if a mobile IPv6 node is ever implemented.
	 */
	rulef_t	rules[] = {
		rule_isdst,
		rule_scope,
		rule_deprecated,
		rule_preferred,
		rule_interface,
		rule_label,
		rule_temporary,
		rule_prefix,
		NULL
	};

	ASSERT(dstill->ill_isv6);
	ASSERT(!IN6_IS_ADDR_V4MAPPED(dst));

	/*
	 * Check if there is a usable src address pointed to by the
	 * usesrc ifindex. This has higher precedence since it is
	 * finer grained (i.e per interface) v/s being system wide.
	 */
	if (dstill->ill_usesrc_ifindex != 0) {
		if ((usesrc_ill =
		    ill_lookup_on_ifindex(dstill->ill_usesrc_ifindex, B_TRUE,
		    NULL, NULL, NULL, NULL)) != NULL) {
			dstinfo.dst_ill = usesrc_ill;
		} else {
			return (NULL);
		}
	} else {
		dstinfo.dst_ill = dstill;
	}

	dstinfo.dst_addr = dst;
	dstinfo.dst_scope = ip_addr_scope_v6(dst);
	dstinfo.dst_label = ip6_asp_lookup(dst, NULL);
	dstinfo.dst_prefer_src_tmp = ((src_prefs & IPV6_PREFER_SRC_TMP) != 0);

	rw_enter(&ill_g_lock, RW_READER);
	/*
	 * Section three of the I-D states that for multicast and
	 * link-local destinations, the candidate set must be restricted to
	 * an interface that is on the same link as the outgoing interface.
	 * Also, when ipv6_strict_dst_multihoming is turned on, always
	 * restrict the source address to the destination link as doing
	 * otherwise will almost certainly cause problems.
	 */
	if (IN6_IS_ADDR_LINKLOCAL(dst) || IN6_IS_ADDR_MULTICAST(dst) ||
	    ipv6_strict_dst_multihoming || usesrc_ill != NULL)
		dstinfo.dst_restrict_ill = B_TRUE;
	else
		dstinfo.dst_restrict_ill = restrict_ill;

	bzero(&best_c, sizeof (cand_t));

	/*
	 * Take a pass through the list of IPv6 interfaces to chose the
	 * best possible source address.  If restrict_ill is true, we only
	 * iterate through the ill's that are in the same IPMP group as the
	 * destination's outgoing ill.  If restrict_ill is false, we walk
	 * the entire list of IPv6 ill's.
	 */
	if (dstinfo.dst_restrict_ill) {
		if (dstinfo.dst_ill->ill_group != NULL) {
			/*
			 * Try to avoid FAILED/OFFLINE ills. Global and
			 * site local addresses will failover and are not
			 * an issue even if we select them. (i.e. this is
			 * a race where we hit this path before in.mpathd
			 * moves them. But link local addresses don't move.
			 * This creates a problem for NUD. If NUD ends up
			 * (nce_xmit) using the src addr from a failed
			 * interface NUD will fail and end up deleting the nce
			 * This will cause performance issues where ires
			 * are frequently created and deleted every few secs.
			 */
			for (ill = dstinfo.dst_ill->ill_group->illgrp_ill;
			    ill != NULL; ill = ill->ill_group_next) {
				phyi = ill->ill_phyint;
				if (!(phyi->phyint_flags &
				    (PHYI_OFFLINE | PHYI_FAILED)))
					break;
			}
			if (ill == NULL)
				ill = dstinfo.dst_ill->ill_group->illgrp_ill;
		} else {
			ill = dstinfo.dst_ill;
		}
	} else {
		ill = ILL_START_WALK_V6(&ctx);
	}

	while (ill != NULL) {
		ASSERT(ill->ill_isv6);

		for (ipif = ill->ill_ipif; ipif != NULL;
		    ipif = ipif->ipif_next) {

			if (!IPIF_VALID_IPV6_SOURCE(ipif))
				continue;

			if (zoneid != ALL_ZONES && ipif->ipif_zoneid != zoneid)
				continue;

			if (first_candidate) {
				/*
				 * This is first valid address in the list.
				 * It is automatically the best candidate
				 * so far.
				 */
				best_c.cand_ipif = ipif;
				first_candidate = B_FALSE;
				continue;
			}

			bzero(&curr_c, sizeof (cand_t));
			curr_c.cand_ipif = ipif;

			/*
			 * Compare this current candidate (curr_c) with the
			 * best candidate (best_c) by applying the
			 * comparison rules in order until one breaks the
			 * tie.
			 */
			for (index = 0; rules[index] != NULL; index++) {
				/* Apply a comparison rule. */
				rule_result =
				    (rules[index])(&best_c, &curr_c, &dstinfo);
				if (rule_result == CAND_AVOID) {
					/*
					 * The best candidate is still the
					 * best candidate.  Forget about
					 * this current candidate and go on
					 * to the next one.
					 */
					break;
				} else if (rule_result == CAND_PREFER) {
					/*
					 * This candidate is prefered.  It
					 * becomes the best candidate so
					 * far.  Go on to the next address.
					 */
					best_c = curr_c;
					break;
				}
				/* We have a tie, apply the next rule. */
			}

			/*
			 * The last rule must be a tie breaker rule and
			 * must never produce a tie.  At this point, the
			 * candidate should have either been rejected, or
			 * have been prefered as the best candidate so far.
			 */
			ASSERT(rule_result != CAND_TIE);
		}

		/*
		 * We may be walking the linked-list of ill's in an
		 * IPMP group or traversing the IPv6 ill avl tree. If it is a
		 * usesrc ILL then it can't be part of IPMP group and we
		 * will exit the while loop.
		 */
		if (dstinfo.dst_restrict_ill)
			ill = ill->ill_group_next;
		else
			ill = ill_next(&ctx, ill);
	}

	ipif = best_c.cand_ipif;
	ip1dbg(("ipif_select_source_v6(%s, %s) -> %s\n",
	    dstinfo.dst_ill->ill_name,
	    inet_ntop(AF_INET6, dstinfo.dst_addr, dstr, sizeof (dstr)),
	    (ipif == NULL ? "NULL" :
	    inet_ntop(AF_INET6, &ipif->ipif_v6lcl_addr, sstr, sizeof (sstr)))));

	if (usesrc_ill != NULL)
		ill_refrele(usesrc_ill);

	if (ipif == NULL) {
		rw_exit(&ill_g_lock);
		return (NULL);
	}

	mutex_enter(&ipif->ipif_ill->ill_lock);
	if (IPIF_CAN_LOOKUP(ipif)) {
		ipif_refhold_locked(ipif);
		mutex_exit(&ipif->ipif_ill->ill_lock);
		rw_exit(&ill_g_lock);
		return (ipif);
	}
	mutex_exit(&ipif->ipif_ill->ill_lock);
	rw_exit(&ill_g_lock);
	ip1dbg(("ipif_select_source_v6 cannot lookup ipif %p"
	    " returning null \n", (void *)ipif));

	return (NULL);
}

/*
 * If old_ipif is not NULL, see if ipif was derived from old
 * ipif and if so, recreate the interface route by re-doing
 * source address selection. This happens when ipif_down ->
 * ipif_update_other_ipifs calls us.
 *
 * If old_ipif is NULL, just redo the source address selection
 * if needed. This happens when illgrp_insert or ipif_up_done_v6
 * calls us.
 */
void
ipif_recreate_interface_routes_v6(ipif_t *old_ipif, ipif_t *ipif)
{
	ire_t *ire;
	ire_t *ipif_ire;
	queue_t *stq;
	ill_t *ill;
	ipif_t *nipif = NULL;
	boolean_t nipif_refheld = B_FALSE;
	boolean_t ip6_asp_table_held = B_FALSE;

	ill = ipif->ipif_ill;

	if (!(ipif->ipif_flags &
	    (IPIF_NOLOCAL|IPIF_ANYCAST|IPIF_DEPRECATED))) {
		/*
		 * Can't possibly have borrowed the source
		 * from old_ipif.
		 */
		return;
	}

	/*
	 * Is there any work to be done? No work if the address
	 * is INADDR_ANY, loopback or NOLOCAL or ANYCAST (
	 * ipif_select_source_v6() does not borrow addresses from
	 * NOLOCAL and ANYCAST interfaces).
	 */
	if ((old_ipif != NULL) &&
	    ((IN6_IS_ADDR_UNSPECIFIED(&old_ipif->ipif_v6lcl_addr)) ||
	    (old_ipif->ipif_ill->ill_wq == NULL) ||
	    (old_ipif->ipif_flags &
	    (IPIF_NOLOCAL|IPIF_ANYCAST)))) {
		return;
	}

	/*
	 * Perform the same checks as when creating the
	 * IRE_INTERFACE in ipif_up_done_v6.
	 */
	if (!(ipif->ipif_flags & IPIF_UP))
		return;

	if ((ipif->ipif_flags & IPIF_NOXMIT))
		return;

	if (IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6subnet) &&
	    IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6net_mask))
		return;

	/*
	 * We know that ipif uses some other source for its
	 * IRE_INTERFACE. Is it using the source of this
	 * old_ipif?
	 */
	ipif_ire = ipif_to_ire_v6(ipif);
	if (ipif_ire == NULL)
		return;

	if (old_ipif != NULL &&
	    !IN6_ARE_ADDR_EQUAL(&old_ipif->ipif_v6lcl_addr,
	    &ipif_ire->ire_src_addr_v6)) {
		ire_refrele(ipif_ire);
		return;
	}

	if (ip_debug > 2) {
		/* ip1dbg */
		pr_addr_dbg("ipif_recreate_interface_routes_v6: deleting IRE"
		    " for src %s\n", AF_INET6, &ipif_ire->ire_src_addr_v6);
	}

	stq = ipif_ire->ire_stq;

	/*
	 * Can't use our source address. Select a different source address
	 * for the IRE_INTERFACE.  We restrict interface route source
	 * address selection to ipif's assigned to the same link as the
	 * interface.
	 */
	if (ip6_asp_can_lookup()) {
		ip6_asp_table_held = B_TRUE;
		nipif = ipif_select_source_v6(ill, &ipif->ipif_v6subnet,
		    B_TRUE, IPV6_PREFER_SRC_DEFAULT, ipif->ipif_zoneid);
	}
	if (nipif == NULL) {
		/* Last resort - all ipif's have IPIF_NOLOCAL */
		nipif = ipif;
	} else {
		nipif_refheld = B_TRUE;
	}

	ire = ire_create_v6(
	    &ipif->ipif_v6subnet,	/* dest pref */
	    &ipif->ipif_v6net_mask,	/* mask */
	    &nipif->ipif_v6src_addr,	/* src addr */
	    NULL,			/* no gateway */
	    &ipif->ipif_mtu,		/* max frag */
	    NULL,			/* no Fast path header */
	    NULL,			/* no recv from queue */
	    stq,			/* send-to queue */
	    ill->ill_net_type,		/* IF_[NO]RESOLVER */
	    ill->ill_resolver_mp,	/* xmit header */
	    ipif,
	    NULL,
	    0,
	    0,
	    0,
	    &ire_uinfo_null);

	if (ire != NULL) {
		ire_t *ret_ire;
		int   error;

		/*
		 * We don't need ipif_ire anymore. We need to delete
		 * before we add so that ire_add does not detect
		 * duplicates.
		 */
		ire_delete(ipif_ire);
		ret_ire = ire;
		error = ire_add(&ret_ire, NULL, NULL, NULL);
		ASSERT(error == 0);
		ASSERT(ret_ire == ire);
		if (ret_ire != NULL) {
			/* Held in ire_add */
			ire_refrele(ret_ire);
		}
	}
	/*
	 * Either we are falling through from above or could not
	 * allocate a replacement.
	 */
	ire_refrele(ipif_ire);
	if (ip6_asp_table_held)
		ip6_asp_table_refrele();
	if (nipif_refheld)
		ipif_refrele(nipif);
}

/*
 * This old_ipif is going away.
 *
 * Determine if any other ipif's are using our address as
 * ipif_v6lcl_addr (due to those being IPIF_NOLOCAL, IPIF_ANYCAST, or
 * IPIF_DEPRECATED).
 * Find the IRE_INTERFACE for such ipif's and recreate them
 * to use an different source address following the rules in
 * ipif_up_done_v6.
 *
 * This function takes an illgrp as an argument so that illgrp_delete
 * can call this to update source address even after deleting the
 * old_ipif->ipif_ill from the ill group.
 */
void
ipif_update_other_ipifs_v6(ipif_t *old_ipif, ill_group_t *illgrp)
{
	ipif_t	*ipif;
	ill_t	*ill;
	char	buf[INET6_ADDRSTRLEN];

	ASSERT(IAM_WRITER_IPIF(old_ipif));

	ill = old_ipif->ipif_ill;

	ip1dbg(("ipif_update_other_ipifs_v6(%s, %s)\n",
	    ill->ill_name,
	    inet_ntop(AF_INET6, &old_ipif->ipif_v6lcl_addr,
	    buf, sizeof (buf))));

	/*
	 * If this part of a group, look at all ills as ipif_select_source
	 * borrows a source address across all the ills in the group.
	 */
	if (illgrp != NULL)
		ill = illgrp->illgrp_ill;

	/* Don't need a lock since this is a writer */
	for (; ill != NULL; ill = ill->ill_group_next) {
		for (ipif = ill->ill_ipif; ipif != NULL;
		    ipif = ipif->ipif_next) {

			if (ipif == old_ipif)
				continue;

			ipif_recreate_interface_routes_v6(old_ipif, ipif);
		}
	}
}

/*
 * Perform an attach and bind to get phys addr plus info_req for
 * the physical device.
 * q and mp represents an ioctl which will be queued waiting for
 * completion of the DLPI message exchange.
 * MUST be called on an ill queue. Can not set conn_pending_ill for that
 * reason thus the DL_PHYS_ADDR_ACK code does not assume ill_pending_q.
 *
 * Returns EINPROGRESS when mp has been consumed by queueing it on
 * ill_pending_mp and the ioctl will complete in ip_rput.
 */
int
ill_dl_phys(ill_t *ill, ipif_t *ipif, mblk_t *mp, queue_t *q)
{
	mblk_t	*v6token_mp = NULL;
	mblk_t	*v6lla_mp = NULL;
	mblk_t	*phys_mp = NULL;
	mblk_t	*info_mp = NULL;
	mblk_t	*attach_mp = NULL;
	mblk_t	*detach_mp = NULL;
	mblk_t	*bind_mp = NULL;
	mblk_t	*unbind_mp = NULL;
	mblk_t	*notify_mp = NULL;

	ip1dbg(("ill_dl_phys(%s:%u)\n", ill->ill_name, ipif->ipif_id));
	ASSERT(ill->ill_dlpi_style_set);
	ASSERT(WR(q)->q_next != NULL);

	if (ill->ill_isv6) {
		v6token_mp = ip_dlpi_alloc(sizeof (dl_phys_addr_req_t) +
		    sizeof (t_scalar_t), DL_PHYS_ADDR_REQ);
		if (v6token_mp == NULL)
			goto bad;
		((dl_phys_addr_req_t *)v6token_mp->b_rptr)->dl_addr_type =
		    DL_IPV6_TOKEN;

		v6lla_mp = ip_dlpi_alloc(sizeof (dl_phys_addr_req_t) +
		    sizeof (t_scalar_t), DL_PHYS_ADDR_REQ);
		if (v6lla_mp == NULL)
			goto bad;
		((dl_phys_addr_req_t *)v6lla_mp->b_rptr)->dl_addr_type =
		    DL_IPV6_LINK_LAYER_ADDR;
	}

	/*
	 * Allocate a DL_NOTIFY_REQ and set the notifications we want.
	 */
	notify_mp = ip_dlpi_alloc(sizeof (dl_notify_req_t) + sizeof (long),
	    DL_NOTIFY_REQ);
	if (notify_mp == NULL)
		goto bad;
	((dl_notify_req_t *)notify_mp->b_rptr)->dl_notifications =
	    (DL_NOTE_PHYS_ADDR | DL_NOTE_SDU_SIZE | DL_NOTE_FASTPATH_FLUSH |
	    DL_NOTE_LINK_UP | DL_NOTE_LINK_DOWN | DL_NOTE_CAPAB_RENEG);

	phys_mp = ip_dlpi_alloc(sizeof (dl_phys_addr_req_t) +
	    sizeof (t_scalar_t), DL_PHYS_ADDR_REQ);
	if (phys_mp == NULL)
		goto bad;
	((dl_phys_addr_req_t *)phys_mp->b_rptr)->dl_addr_type =
	    DL_CURR_PHYS_ADDR;

	info_mp = ip_dlpi_alloc(
	    sizeof (dl_info_req_t) + sizeof (dl_info_ack_t),
	    DL_INFO_REQ);
	if (info_mp == NULL)
		goto bad;

	bind_mp = ip_dlpi_alloc(sizeof (dl_bind_req_t) + sizeof (long),
	    DL_BIND_REQ);
	if (bind_mp == NULL)
		goto bad;
	((dl_bind_req_t *)bind_mp->b_rptr)->dl_sap = ill->ill_sap;
	((dl_bind_req_t *)bind_mp->b_rptr)->dl_service_mode = DL_CLDLS;

	unbind_mp = ip_dlpi_alloc(sizeof (dl_unbind_req_t), DL_UNBIND_REQ);
	if (unbind_mp == NULL)
		goto bad;

	/* If we need to attach/detach, pre-alloc and initialize the mblks */
	if (ill->ill_needs_attach) {
		attach_mp = ip_dlpi_alloc(sizeof (dl_attach_req_t),
		    DL_ATTACH_REQ);
		if (attach_mp == NULL)
			goto bad;
		((dl_attach_req_t *)attach_mp->b_rptr)->dl_ppa = ill->ill_ppa;

		detach_mp = ip_dlpi_alloc(sizeof (dl_detach_req_t),
		    DL_DETACH_REQ);
		if (detach_mp == NULL)
			goto bad;
	}

	/*
	 * Here we are going to delay the ioctl ack until after
	 * ACKs from DL_PHYS_ADDR_REQ. So need to save the
	 * original ioctl message before sending the requests
	 */
	mutex_enter(&ill->ill_lock);
	/* ipsq_pending_mp_add won't fail since we pass in a NULL connp */
	(void) ipsq_pending_mp_add(NULL, ipif, ill->ill_wq, mp, 0);
	/*
	 * Set ill_phys_addr_pend to zero. It will be set to the addr_type of
	 * the DL_PHYS_ADDR_REQ in ill_dlpi_send() and ill_dlpi_done(). It will
	 * be used to track which DL_PHYS_ADDR_REQ is being ACK'd/NAK'd.
	 */
	ill->ill_phys_addr_pend = 0;
	mutex_exit(&ill->ill_lock);

	if (attach_mp != NULL) {
		ip1dbg(("ill_dl_phys: attach\n"));
		ill_dlpi_send(ill, attach_mp);
	}
	ill_dlpi_send(ill, bind_mp);
	ill_dlpi_send(ill, info_mp);
	if (ill->ill_isv6) {
		ill_dlpi_send(ill, v6token_mp);
		ill_dlpi_send(ill, v6lla_mp);
	}
	ill_dlpi_send(ill, phys_mp);
	ill_dlpi_send(ill, notify_mp);
	ill_dlpi_send(ill, unbind_mp);

	/*
	 * Save the DL_DETACH_REQ (if there is one) for use in ill_delete().
	 */
	ASSERT(ill->ill_detach_mp == NULL);
	ill->ill_detach_mp = detach_mp;

	/*
	 * This operation will complete in ip_rput_dlpi_writer with either
	 * a DL_PHYS_ADDR_ACK or DL_ERROR_ACK.
	 */
	return (EINPROGRESS);
bad:
	if (v6token_mp != NULL)
		freemsg(v6token_mp);
	if (v6lla_mp != NULL)
		freemsg(v6lla_mp);
	if (phys_mp != NULL)
		freemsg(phys_mp);
	if (info_mp != NULL)
		freemsg(info_mp);
	if (attach_mp != NULL)
		freemsg(attach_mp);
	if (detach_mp != NULL)
		freemsg(detach_mp);
	if (bind_mp != NULL)
		freemsg(bind_mp);
	if (unbind_mp != NULL)
		freemsg(unbind_mp);
	if (notify_mp != NULL)
		freemsg(notify_mp);
	return (ENOMEM);
}

uint_t ip_loopback_mtu_v6plus = IP_LOOPBACK_MTU + IPV6_HDR_LEN + 20;

/*
 * DLPI is up.
 * Create all the IREs associated with an interface bring up multicast.
 * Set the interface flag and finish other initialization
 * that potentially had to be differed to after DL_BIND_ACK.
 */
int
ipif_up_done_v6(ipif_t *ipif)
{
	ire_t	*ire_array[20];
	ire_t	**irep = ire_array;
	ire_t	**irep1;
	ill_t	*ill = ipif->ipif_ill;
	queue_t	*stq;
	in6_addr_t	v6addr;
	in6_addr_t	route_mask;
	ipif_t	 *src_ipif = NULL;
	ipif_t   *tmp_ipif;
	boolean_t	flush_ire_cache = B_TRUE;
	int	err;
	char	buf[INET6_ADDRSTRLEN];
	phyint_t *phyi;
	ire_t	**ipif_saved_irep = NULL;
	int ipif_saved_ire_cnt;
	int cnt;
	boolean_t src_ipif_held = B_FALSE;
	boolean_t ire_added = B_FALSE;
	boolean_t loopback = B_FALSE;
	boolean_t ip6_asp_table_held = B_FALSE;

	ip1dbg(("ipif_up_done_v6(%s:%u)\n",
		ipif->ipif_ill->ill_name, ipif->ipif_id));

	/* Check if this is a loopback interface */
	if (ipif->ipif_ill->ill_wq == NULL)
		loopback = B_TRUE;

	ASSERT(ipif->ipif_isv6);
	ASSERT(!MUTEX_HELD(&ipif->ipif_ill->ill_lock));

	/*
	 * If all other interfaces for this ill are down or DEPRECATED,
	 * or otherwise unsuitable for source address selection, remove
	 * any IRE_CACHE entries for this ill to make sure source
	 * address selection gets to take this new ipif into account.
	 * No need to hold ill_lock while traversing the ipif list since
	 * we are writer
	 */
	for (tmp_ipif = ill->ill_ipif; tmp_ipif;
		tmp_ipif = tmp_ipif->ipif_next) {
		if (((tmp_ipif->ipif_flags &
		    (IPIF_NOXMIT|IPIF_ANYCAST|IPIF_NOLOCAL|IPIF_DEPRECATED)) ||
		    !(tmp_ipif->ipif_flags & IPIF_UP)) ||
		    (tmp_ipif == ipif))
			continue;
		/* first useable pre-existing interface */
		flush_ire_cache = B_FALSE;
		break;
	}
	if (flush_ire_cache)
		ire_walk_ill_v6(MATCH_IRE_ILL_GROUP | MATCH_IRE_TYPE,
		    IRE_CACHE, ill_ipif_cache_delete, (char *)ill, ill);

	/*
	 * Figure out which way the send-to queue should go.  Only
	 * IRE_IF_RESOLVER or IRE_IF_NORESOLVER should show up here.
	 */
	switch (ill->ill_net_type) {
	case IRE_IF_RESOLVER:
		stq = ill->ill_rq;
		break;
	case IRE_IF_NORESOLVER:
	case IRE_LOOPBACK:
		stq = ill->ill_wq;
		break;
	default:
		return (EINVAL);
	}

	if (ill->ill_phyint->phyint_flags & PHYI_LOOPBACK) {
		/*
		 * lo0:1 and subsequent ipifs were marked IRE_LOCAL in
		 * ipif_lookup_on_name(), but in the case of zones we can have
		 * several loopback addresses on lo0. So all the interfaces with
		 * loopback addresses need to be marked IRE_LOOPBACK.
		 */
		if (IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6lcl_addr, &ipv6_loopback))
			ipif->ipif_ire_type = IRE_LOOPBACK;
		else
			ipif->ipif_ire_type = IRE_LOCAL;
	}

	if (ipif->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST|IPIF_DEPRECATED)) {
		/*
		 * Can't use our source address. Select a different
		 * source address for the IRE_INTERFACE and IRE_LOCAL
		 */
		if (ip6_asp_can_lookup()) {
			ip6_asp_table_held = B_TRUE;
			src_ipif = ipif_select_source_v6(ipif->ipif_ill,
			    &ipif->ipif_v6subnet, B_FALSE,
			    IPV6_PREFER_SRC_DEFAULT, ipif->ipif_zoneid);
		}
		if (src_ipif == NULL)
			src_ipif = ipif;	/* Last resort */
		else
			src_ipif_held = B_TRUE;
	} else {
		src_ipif = ipif;
	}

	if (!IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) &&
	    !(ipif->ipif_flags & IPIF_NOLOCAL)) {
		/* Register the source address for __sin6_src_id */
		err = ip_srcid_insert(&ipif->ipif_v6lcl_addr,
		    ipif->ipif_zoneid);
		if (err != 0) {
			ip0dbg(("ipif_up_done_v6: srcid_insert %d\n", err));
			if (src_ipif_held)
				ipif_refrele(src_ipif);
			if (ip6_asp_table_held)
				ip6_asp_table_refrele();
			return (err);
		}
		/*
		 * If the interface address is set, create the LOCAL
		 * or LOOPBACK IRE.
		 */
		ip1dbg(("ipif_up_done_v6: creating IRE %d for %s\n",
		    ipif->ipif_ire_type,
		    inet_ntop(AF_INET6, &ipif->ipif_v6lcl_addr,
		    buf, sizeof (buf))));

		*irep++ = ire_create_v6(
		    &ipif->ipif_v6lcl_addr,		/* dest address */
		    &ipv6_all_ones,			/* mask */
		    &src_ipif->ipif_v6src_addr,		/* source address */
		    NULL,				/* no gateway */
		    &ip_loopback_mtu_v6plus,		/* max frag size */
		    NULL,
		    ipif->ipif_rq,			/* recv-from queue */
		    NULL,				/* no send-to queue */
		    ipif->ipif_ire_type,		/* LOCAL or LOOPBACK */
		    NULL,
		    ipif,				/* interface */
		    NULL,
		    0,
		    0,
		    (ipif->ipif_flags & IPIF_PRIVATE) ? RTF_PRIVATE : 0,
		    &ire_uinfo_null);
	}

	/*
	 * Set up the IRE_IF_RESOLVER or IRE_IF_NORESOLVER, as appropriate.
	 * Note that atun interfaces have an all-zero ipif_v6subnet.
	 * Thus we allow a zero subnet as long as the mask is non-zero.
	 */
	if (stq != NULL && !(ipif->ipif_flags & IPIF_NOXMIT) &&
	    !(IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6subnet) &&
	    IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6net_mask))) {
		/* ipif_v6subnet is ipif_v6pp_dst_addr for pt-pt */
		v6addr = ipif->ipif_v6subnet;

		if (ipif->ipif_flags & IPIF_POINTOPOINT) {
			route_mask = ipv6_all_ones;
		} else {
			route_mask = ipif->ipif_v6net_mask;
		}

		ip1dbg(("ipif_up_done_v6: creating if IRE %d for %s\n",
		    ill->ill_net_type,
		    inet_ntop(AF_INET6, &v6addr, buf, sizeof (buf))));

		*irep++ = ire_create_v6(
		    &v6addr,			/* dest pref */
		    &route_mask,		/* mask */
		    &src_ipif->ipif_v6src_addr,	/* src addr */
		    NULL,			/* no gateway */
		    &ipif->ipif_mtu,		/* max frag */
		    NULL,			/* no Fast path header */
		    NULL,			/* no recv from queue */
		    stq,			/* send-to queue */
		    ill->ill_net_type,		/* IF_[NO]RESOLVER */
		    ill->ill_resolver_mp,	/* xmit header */
		    ipif,
		    NULL,
		    0,
		    0,
		    (ipif->ipif_flags & IPIF_PRIVATE) ? RTF_PRIVATE : 0,
		    &ire_uinfo_null);
	}

	/*
	 * Setup 2002::/16 route, if this interface is a 6to4 tunnel
	 */
	if (IN6_IS_ADDR_6TO4(&ipif->ipif_v6lcl_addr) &&
	    (ill->ill_is_6to4tun)) {
		/*
		 * Destination address is 2002::/16
		 */
#ifdef	_BIG_ENDIAN
		const in6_addr_t prefix_addr = { 0x20020000U, 0, 0, 0 };
		const in6_addr_t prefix_mask = { 0xffff0000U, 0, 0, 0 };
#else
		const in6_addr_t prefix_addr = { 0x00000220U, 0, 0, 0 };
		const in6_addr_t prefix_mask = { 0x0000ffffU, 0, 0, 0 };
#endif /* _BIG_ENDIAN */
		char	buf2[INET6_ADDRSTRLEN];
		ire_t *isdup;
		in6_addr_t *first_addr = &ill->ill_ipif->ipif_v6lcl_addr;

		/*
		 * check to see if this route has already been added for
		 * this tunnel interface.
		 */
		isdup = ire_ftable_lookup_v6(first_addr, &prefix_mask, 0,
		    IRE_IF_NORESOLVER, ill->ill_ipif, NULL, ALL_ZONES, 0,
		    (MATCH_IRE_SRC | MATCH_IRE_MASK));

		if (isdup == NULL) {
			ip1dbg(("ipif_up_done_v6: creating if IRE %d for %s",
			    IRE_IF_NORESOLVER, inet_ntop(AF_INET6, &v6addr,
				buf2, sizeof (buf2))));

			*irep++ = ire_create_v6(
			    &prefix_addr,		/* 2002:: */
			    &prefix_mask,		/* ffff:: */
			    &ipif->ipif_v6lcl_addr, 	/* src addr */
			    NULL, 			/* gateway */
			    &ipif->ipif_mtu, 		/* max_frag */
			    NULL, 			/* no Fast Path hdr */
			    NULL, 			/* no rfq */
			    ill->ill_wq, 		/* stq */
			    IRE_IF_NORESOLVER,		/* type */
			    ill->ill_resolver_mp,	/* dlureq_mp */
			    ipif,			/* interface */
			    NULL,			/* v6cmask */
			    0,
			    0,
			    RTF_UP,
			    &ire_uinfo_null);
		} else {
			ire_refrele(isdup);
		}
	}

	/* If an earlier ire_create failed, get out now */
	for (irep1 = irep; irep1 > ire_array; ) {
		irep1--;
		if (*irep1 == NULL) {
			ip1dbg(("ipif_up_done_v6: NULL ire found in"
			    " ire_array\n"));
			err = ENOMEM;
			goto bad;
		}
	}

	ASSERT(!MUTEX_HELD(&ipif->ipif_ill->ill_lock));

	/*
	 * Need to atomically check for ip_addr_availablity_check
	 * now under ill_g_lock, and if it fails got bad, and remove
	 * from group also
	 */
	rw_enter(&ill_g_lock, RW_READER);
	mutex_enter(&ip_addr_avail_lock);
	ill->ill_ipif_up_count++;
	ipif->ipif_flags |= IPIF_UP;
	err = ip_addr_availability_check(ipif);
	mutex_exit(&ip_addr_avail_lock);
	rw_exit(&ill_g_lock);

	if (err != 0) {
		/*
		 * Our address may already be up on the same ill. In this case,
		 * the external resolver entry for our ipif replaced the one for
		 * the other ipif. So we don't want to delete it (otherwise the
		 * other ipif would be unable to send packets).
		 * ip_addr_availability_check() identifies this case for us and
		 * returns EADDRINUSE; we need to turn it into EADDRNOTAVAIL
		 * which is the expected error code.
		 */
		if (err == EADDRINUSE) {
			if (ipif->ipif_ill->ill_flags & ILLF_XRESOLV) {
				freemsg(ipif->ipif_arp_del_mp);
				ipif->ipif_arp_del_mp = NULL;
			}
			err = EADDRNOTAVAIL;
		}
		ill->ill_ipif_up_count--;
		ipif->ipif_flags &= ~IPIF_UP;
		goto bad;
	}

	/*
	 * Add in all newly created IREs. We want to add before
	 * we call ifgrp_insert which wants to know whether
	 * IRE_IF_RESOLVER exists or not.
	 *
	 * NOTE : We refrele the ire though we may branch to "bad"
	 *	  later on where we do ire_delete. This is okay
	 *	  because nobody can delete it as we are running
	 *	  exclusively.
	 */
	for (irep1 = irep; irep1 > ire_array; ) {
		irep1--;
		/* Shouldn't be adding any bcast ire's */
		ASSERT((*irep1)->ire_type != IRE_BROADCAST);
		ASSERT(!MUTEX_HELD(&ipif->ipif_ill->ill_lock));
		/*
		 * refheld by ire_add. refele towards the end of the func
		 */
		(void) ire_add(irep1, NULL, NULL, NULL);
	}
	if (ip6_asp_table_held) {
		ip6_asp_table_refrele();
		ip6_asp_table_held = B_FALSE;
	}
	ire_added = B_TRUE;

	/*
	 * Form groups if possible.
	 *
	 * If we are supposed to be in a ill_group with a name, insert it
	 * now as we know that at least one ipif is UP. Otherwise form
	 * nameless groups.
	 *
	 * If ip_enable_group_ifs is set and ipif address is not ::0, insert
	 * this ipif into the appropriate interface group, or create a
	 * new one. If this is already in a nameless group, we try to form
	 * a bigger group looking at other ills potentially sharing this
	 * ipif's prefix.
	 */
	phyi = ill->ill_phyint;
	if (phyi->phyint_groupname_len != 0) {
		ASSERT(phyi->phyint_groupname != NULL);
		if (ill->ill_ipif_up_count == 1) {
			ASSERT(ill->ill_group == NULL);
			err = illgrp_insert(&illgrp_head_v6, ill,
			    phyi->phyint_groupname, NULL, B_TRUE);
			if (err != 0) {
				ip1dbg(("ipif_up_done_v6: illgrp allocation "
				    "failed, error %d\n", err));
				goto bad;
			}
		}
		ASSERT(ill->ill_group != NULL);
	}

	/* Recover any additional IRE_IF_[NO]RESOLVER entries for this ipif */
	ipif_saved_ire_cnt = ipif->ipif_saved_ire_cnt;
	ipif_saved_irep = ipif_recover_ire_v6(ipif);

	if (ipif->ipif_ipif_up_count == 1 && !loopback) {
		/*
		 * Need to recover all multicast memberships in the driver.
		 * This had to be deferred until we had attached.
		 */
		ill_recover_multicast(ill);
	}
	/* Join the allhosts multicast address and the solicited node MC */
	ipif_multicast_up(ipif);

	if (!loopback) {
		/*
		 * See whether anybody else would benefit from the
		 * new ipif that we added. We call this always rather
		 * than while adding a non-IPIF_NOLOCAL/DEPRECATED/ANYCAST
		 * ipif for the benefit of illgrp_insert (done above)
		 * which does not do source address selection as it does
		 * not want to re-create interface routes that we are
		 * having reference to it here.
		 */
		ill_update_source_selection(ill);
	}

	for (irep1 = irep; irep1 > ire_array; ) {
		irep1--;
		if (*irep1 != NULL) {
			/* was held in ire_add */
			ire_refrele(*irep1);
		}
	}

	cnt = ipif_saved_ire_cnt;
	for (irep1 = ipif_saved_irep; cnt > 0; irep1++, cnt--) {
		if (*irep1 != NULL) {
			/* was held in ire_add */
			ire_refrele(*irep1);
		}
	}


	ip_rts_ifmsg(ipif);
	ip_rts_newaddrmsg(RTM_ADD, 0, ipif);
	if (ipif_saved_irep != NULL) {
		kmem_free(ipif_saved_irep,
		    ipif_saved_ire_cnt * sizeof (ire_t *));
	}

	if (src_ipif_held)
		ipif_refrele(src_ipif);
	sctp_update_ipif(ipif, SCTP_IPIF_UP);
	return (0);

bad:
	if (ip6_asp_table_held)
		ip6_asp_table_refrele();
	/*
	 * We don't have to bother removing from ill groups because
	 *
	 * 1) For groups with names, we insert only when the first ipif
	 *    comes up. In that case if it fails, it will not be in any
	 *    group. So, we need not try to remove for that case.
	 *
	 * 2) For groups without names, either we tried to insert ipif_ill
	 *    in a group as singleton or found some other group to become
	 *    a bigger group. For the former, if it fails we don't have
	 *    anything to do as ipif_ill is not in the group and for the
	 *    latter, there are no failures in illgrp_insert/illgrp_delete
	 *    (ENOMEM can't occur for this. Check ifgrp_insert).
	 */

	while (irep > ire_array) {
		irep--;
		if (*irep != NULL) {
			ire_delete(*irep);
			if (ire_added)
				ire_refrele(*irep);
		}

	}
	(void) ip_srcid_remove(&ipif->ipif_v6lcl_addr, ipif->ipif_zoneid);

	if (ipif_saved_irep != NULL) {
		kmem_free(ipif_saved_irep,
		    ipif_saved_ire_cnt * sizeof (ire_t *));
	}
	if (src_ipif_held)
		ipif_refrele(src_ipif);

	ipif_ndp_down(ipif);
	if (ipif->ipif_ill->ill_flags & ILLF_XRESOLV)
		ipif_arp_down(ipif);

	return (err);
}

/*
 * Delete an ND entry and the corresponding IRE_CACHE entry if it exists.
 */
/* ARGSUSED */
int
ip_siocdelndp_v6(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
    ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
{
	in6_addr_t	addr;
	sin6_t		*sin6;
	nce_t		*nce;
	struct lifreq	*lifr;
	lif_nd_req_t	*lnr;
	mblk_t	*mp1;

	mp1 = mp->b_cont->b_cont;
	lifr = (struct lifreq *)mp1->b_rptr;
	lnr = &lifr->lifr_nd;
	/* Only allow for logical unit zero i.e. not on "le0:17" */
	if (ipif->ipif_id != 0)
		return (EINVAL);

	if (!ipif->ipif_isv6)
		return (EINVAL);

	if (lnr->lnr_addr.ss_family != AF_INET6)
		return (EAFNOSUPPORT);

	sin6 = (sin6_t *)&lnr->lnr_addr;
	addr = sin6->sin6_addr;
	nce = ndp_lookup(ipif->ipif_ill, &addr, B_FALSE);
	if (nce == NULL)
		return (ESRCH);
	ndp_delete(nce);
	NCE_REFRELE(nce);
	return (0);
}

/*
 * Return nbr cache info.
 */
/* ARGSUSED */
int
ip_siocqueryndp_v6(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
    ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
{
	ill_t		*ill = ipif->ipif_ill;
	struct lifreq	*lifr;
	lif_nd_req_t	*lnr;

	lifr = (struct lifreq *)mp->b_cont->b_cont->b_rptr;
	lnr = &lifr->lifr_nd;
	/* Only allow for logical unit zero i.e. not on "le0:17" */
	if (ipif->ipif_id != 0)
		return (EINVAL);

	if (!ipif->ipif_isv6)
		return (EINVAL);

	if (lnr->lnr_addr.ss_family != AF_INET6)
		return (EAFNOSUPPORT);

	if (ill->ill_phys_addr_length > sizeof (lnr->lnr_hdw_addr))
		return (EINVAL);

	return (ndp_query(ill, lnr));
}

/*
 * Perform an update of the nd entry for the specified address.
 */
/* ARGSUSED */
int
ip_siocsetndp_v6(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
    ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
{
	ill_t		*ill = ipif->ipif_ill;
	struct	lifreq	*lifr;
	lif_nd_req_t	*lnr;

	lifr = (struct lifreq *)mp->b_cont->b_cont->b_rptr;
	lnr = &lifr->lifr_nd;
	/* Only allow for logical unit zero i.e. not on "le0:17" */
	if (ipif->ipif_id != 0)
		return (EINVAL);

	if (!ipif->ipif_isv6)
		return (EINVAL);

	if (lnr->lnr_addr.ss_family != AF_INET6)
		return (EAFNOSUPPORT);

	return (ndp_sioc_update(ill, lnr));
}