10Sstevel@tonic-gate /* 20Sstevel@tonic-gate * CDDL HEADER START 30Sstevel@tonic-gate * 40Sstevel@tonic-gate * The contents of this file are subject to the terms of the 53055Sdanmcd * Common Development and Distribution License (the "License"). 63055Sdanmcd * You may not use this file except in compliance with the License. 70Sstevel@tonic-gate * 80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 100Sstevel@tonic-gate * See the License for the specific language governing permissions 110Sstevel@tonic-gate * and limitations under the License. 120Sstevel@tonic-gate * 130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 180Sstevel@tonic-gate * 190Sstevel@tonic-gate * CDDL HEADER END 200Sstevel@tonic-gate */ 210Sstevel@tonic-gate /* 223448Sdh155122 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 230Sstevel@tonic-gate * Use is subject to license terms. 240Sstevel@tonic-gate */ 250Sstevel@tonic-gate 260Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 270Sstevel@tonic-gate 280Sstevel@tonic-gate #include <sys/types.h> 290Sstevel@tonic-gate #include <sys/stream.h> 300Sstevel@tonic-gate #include <sys/strsun.h> 310Sstevel@tonic-gate #include <sys/sunddi.h> 320Sstevel@tonic-gate #include <sys/kstat.h> 330Sstevel@tonic-gate #include <sys/kmem.h> 340Sstevel@tonic-gate #include <net/pfkeyv2.h> 350Sstevel@tonic-gate #include <inet/common.h> 360Sstevel@tonic-gate #include <inet/ip.h> 370Sstevel@tonic-gate #include <inet/ip6.h> 380Sstevel@tonic-gate #include <inet/ipsec_info.h> 393448Sdh155122 #include <inet/ipsec_impl.h> 400Sstevel@tonic-gate #include <inet/ipdrop.h> 410Sstevel@tonic-gate 420Sstevel@tonic-gate /* 430Sstevel@tonic-gate * Packet drop facility. 440Sstevel@tonic-gate */ 450Sstevel@tonic-gate 460Sstevel@tonic-gate /* 470Sstevel@tonic-gate * Initialize drop facility kstats. 480Sstevel@tonic-gate */ 490Sstevel@tonic-gate void 503448Sdh155122 ip_drop_init(ipsec_stack_t *ipss) 510Sstevel@tonic-gate { 523448Sdh155122 ipss->ipsec_ip_drop_kstat = kstat_create_netstack("ip", 0, "ipdrop", 533448Sdh155122 "net", KSTAT_TYPE_NAMED, 543448Sdh155122 sizeof (struct ip_dropstats) / sizeof (kstat_named_t), 553448Sdh155122 KSTAT_FLAG_PERSISTENT, ipss->ipsec_netstack->netstack_stackid); 560Sstevel@tonic-gate 573448Sdh155122 if (ipss->ipsec_ip_drop_kstat == NULL || 583448Sdh155122 ipss->ipsec_ip_drop_kstat->ks_data == NULL) 590Sstevel@tonic-gate return; 600Sstevel@tonic-gate 613448Sdh155122 /* 623448Sdh155122 * Note: here ipss->ipsec_ip_drop_types is initialized, however, 633448Sdh155122 * if the previous kstat_create_netstack failed, it will remain 643448Sdh155122 * NULL. Note this is done for all stack instances, so it *could* 653448Sdh155122 * be NULL. Hence a non-NULL checking is added where 663448Sdh155122 * ipss->ipsec_ip_drop_types is used. This checking is hidden in 673448Sdh155122 * the DROPPER macro. 683448Sdh155122 */ 693448Sdh155122 ipss->ipsec_ip_drop_types = ipss->ipsec_ip_drop_kstat->ks_data; 700Sstevel@tonic-gate 710Sstevel@tonic-gate /* TCP IPsec drop statistics. */ 723448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_clear, 733448Sdh155122 "tcp_clear", KSTAT_DATA_UINT64); 743448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_secure, 753448Sdh155122 "tcp_secure", KSTAT_DATA_UINT64); 763448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_mismatch, 773448Sdh155122 "tcp_mismatch", KSTAT_DATA_UINT64); 783448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_tcp_ipsec_alloc, 793448Sdh155122 "tcp_ipsec_alloc", KSTAT_DATA_UINT64); 800Sstevel@tonic-gate 810Sstevel@tonic-gate /* SADB-specific drop statistics. */ 823448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inlarval_timeout, 830Sstevel@tonic-gate "sadb_inlarval_timeout", KSTAT_DATA_UINT64); 843448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_inlarval_replace, 850Sstevel@tonic-gate "sadb_inlarval_replace", KSTAT_DATA_UINT64); 863448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_nomem, 870Sstevel@tonic-gate "sadb_acquire_nomem", KSTAT_DATA_UINT64); 883448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_toofull, 890Sstevel@tonic-gate "sadb_acquire_toofull", KSTAT_DATA_UINT64); 903448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_sadb_acquire_timeout, 910Sstevel@tonic-gate "sadb_acquire_timeout", KSTAT_DATA_UINT64); 920Sstevel@tonic-gate 930Sstevel@tonic-gate /* SPD drop statistics. */ 943448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ahesp_diffid, 953448Sdh155122 "spd_ahesp_diffid", KSTAT_DATA_UINT64); 963448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_loopback_mismatch, 970Sstevel@tonic-gate "spd_loopback_mismatch", KSTAT_DATA_UINT64); 983448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_explicit, 993448Sdh155122 "spd_explicit", KSTAT_DATA_UINT64); 1003448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_secure, 1013448Sdh155122 "spd_got_secure", KSTAT_DATA_UINT64); 1023448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_clear, 1033448Sdh155122 "spd_got_clear", KSTAT_DATA_UINT64); 1043448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_ahalg, 1053448Sdh155122 "spd_bad_ahalg", KSTAT_DATA_UINT64); 1063448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_ah, 1073448Sdh155122 "spd_got_ah", KSTAT_DATA_UINT64); 1083448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_espealg, 1093448Sdh155122 "spd_bad_espealg", KSTAT_DATA_UINT64); 1103448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_espaalg, 1113448Sdh155122 "spd_bad_espaalg", KSTAT_DATA_UINT64); 1123448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_esp, 1133448Sdh155122 "spd_got_esp", KSTAT_DATA_UINT64); 1143448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_got_selfencap, 1153448Sdh155122 "spd_got_selfencap", KSTAT_DATA_UINT64); 1163448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_bad_selfencap, 1173448Sdh155122 "spd_bad_selfencap", KSTAT_DATA_UINT64); 1183448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_nomem, 1193448Sdh155122 "spd_nomem", KSTAT_DATA_UINT64); 1203448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ah_badid, 1213448Sdh155122 "spd_ah_badid", KSTAT_DATA_UINT64); 1223448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_ah_innermismatch, 123691Ssommerfe "spd_ah_innermismatch", KSTAT_DATA_UINT64); 1243448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_esp_innermismatch, 125691Ssommerfe "spd_esp_innermismatch", KSTAT_DATA_UINT64); 1263448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_esp_badid, 1273448Sdh155122 "spd_esp_badid", KSTAT_DATA_UINT64); 1283448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_no_policy, 1293448Sdh155122 "spd_no_policy", KSTAT_DATA_UINT64); 1303448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_malformed_packet, 1313448Sdh155122 "spd_malformed_packet", KSTAT_DATA_UINT64); 1323448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_malformed_frag, 1333448Sdh155122 "spd_malformed_frag", KSTAT_DATA_UINT64); 1343448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_overlap_frag, 1353448Sdh155122 "spd_overlap_frag", KSTAT_DATA_UINT64); 1363448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_evil_frag, 1373448Sdh155122 "spd_evil_frag", KSTAT_DATA_UINT64); 1383448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_spd_max_frags, 1393448Sdh155122 "spd_max_frags", KSTAT_DATA_UINT64); 1400Sstevel@tonic-gate 1410Sstevel@tonic-gate /* ESP-specific drop statistics. */ 1420Sstevel@tonic-gate 1433448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nomem, 1443448Sdh155122 "esp_nomem", KSTAT_DATA_UINT64); 1453448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_no_sa, 1463448Sdh155122 "esp_no_sa", KSTAT_DATA_UINT64); 1473448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_early_replay, 1483448Sdh155122 "esp_early_replay", KSTAT_DATA_UINT64); 1493448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_replay, 1503448Sdh155122 "esp_replay", KSTAT_DATA_UINT64); 1513448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bytes_expire, 1523448Sdh155122 "esp_bytes_expire", KSTAT_DATA_UINT64); 1533448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_padlen, 1543448Sdh155122 "esp_bad_padlen", KSTAT_DATA_UINT64); 1553448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_padding, 1563448Sdh155122 "esp_bad_padding", KSTAT_DATA_UINT64); 1573448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_bad_auth, 1583448Sdh155122 "esp_bad_auth", KSTAT_DATA_UINT64); 1593448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_crypto_failed, 1603448Sdh155122 "esp_crypto_failed", KSTAT_DATA_UINT64); 1613448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_icmp, 1623448Sdh155122 "esp_icmp", KSTAT_DATA_UINT64); 163*4987Sdanmcd kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nat_t_ipsec, 164*4987Sdanmcd "esp_nat_t_ipsec", KSTAT_DATA_UINT64); 165*4987Sdanmcd kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_esp_nat_t_ka, 166*4987Sdanmcd "esp_nat_t_ka", KSTAT_DATA_UINT64); 1670Sstevel@tonic-gate 1680Sstevel@tonic-gate /* AH-specific drop statistics. */ 1693448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_nomem, 1703448Sdh155122 "ah_nomem", KSTAT_DATA_UINT64); 1713448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_v6_hdrs, 1723448Sdh155122 "ah_bad_v6_hdrs", KSTAT_DATA_UINT64); 1733448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_v4_opts, 1743448Sdh155122 "ah_bad_v4_opts", KSTAT_DATA_UINT64); 1753448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_no_sa, 1763448Sdh155122 "ah_no_sa", KSTAT_DATA_UINT64); 1773448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_length, 1783448Sdh155122 "ah_bad_length", KSTAT_DATA_UINT64); 1793448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bad_auth, 1803448Sdh155122 "ah_bad_auth", KSTAT_DATA_UINT64); 1813448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_crypto_failed, 1823448Sdh155122 "ah_crypto_failed", KSTAT_DATA_UINT64); 1833448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_early_replay, 1843448Sdh155122 "ah_early_replay", KSTAT_DATA_UINT64); 1853448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_replay, 1863448Sdh155122 "ah_replay", KSTAT_DATA_UINT64); 1873448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ah_bytes_expire, 1883448Sdh155122 "ah_bytes_expire", KSTAT_DATA_UINT64); 1890Sstevel@tonic-gate 1900Sstevel@tonic-gate /* IP-specific drop statistics. */ 1913448Sdh155122 kstat_named_init(&ipss->ipsec_ip_drop_types->ipds_ip_ipsec_not_loaded, 1923448Sdh155122 "ip_ipsec_not_loaded", KSTAT_DATA_UINT64); 1930Sstevel@tonic-gate 1943448Sdh155122 kstat_install(ipss->ipsec_ip_drop_kstat); 1950Sstevel@tonic-gate } 1960Sstevel@tonic-gate 1970Sstevel@tonic-gate void 1983448Sdh155122 ip_drop_destroy(ipsec_stack_t *ipss) 1990Sstevel@tonic-gate { 2003448Sdh155122 kstat_delete_netstack(ipss->ipsec_ip_drop_kstat, 2013448Sdh155122 ipss->ipsec_netstack->netstack_stackid); 2023448Sdh155122 ipss->ipsec_ip_drop_kstat = NULL; 2033448Sdh155122 ipss->ipsec_ip_drop_types = NULL; 2040Sstevel@tonic-gate } 2050Sstevel@tonic-gate 2060Sstevel@tonic-gate /* 2070Sstevel@tonic-gate * Register a packet dropper. 2080Sstevel@tonic-gate */ 2090Sstevel@tonic-gate void 2100Sstevel@tonic-gate ip_drop_register(ipdropper_t *ipd, char *name) 2110Sstevel@tonic-gate { 2120Sstevel@tonic-gate if (ipd->ipd_name != NULL) { 2130Sstevel@tonic-gate cmn_err(CE_WARN, 2140Sstevel@tonic-gate "ip_drop_register: ipdropper %s already registered with %s", 2150Sstevel@tonic-gate name, ipd->ipd_name); 2160Sstevel@tonic-gate return; 2170Sstevel@tonic-gate } 2180Sstevel@tonic-gate 2190Sstevel@tonic-gate /* Assume that name is reasonable in length. This isn't user-land. */ 2200Sstevel@tonic-gate ipd->ipd_name = kmem_alloc(strlen(name) + 1, KM_SLEEP); 2210Sstevel@tonic-gate (void) strcpy(ipd->ipd_name, name); 2220Sstevel@tonic-gate } 2230Sstevel@tonic-gate 2240Sstevel@tonic-gate /* 2250Sstevel@tonic-gate * Un-register a packet dropper. 2260Sstevel@tonic-gate */ 2270Sstevel@tonic-gate void 2280Sstevel@tonic-gate ip_drop_unregister(ipdropper_t *ipd) 2290Sstevel@tonic-gate { 2303448Sdh155122 if (ipd->ipd_name == NULL) { 2313448Sdh155122 cmn_err(CE_WARN, 2323448Sdh155122 "ip_drop_unregister: not registered (%p)\n", 2333448Sdh155122 (void *)ipd); 2343448Sdh155122 return; 2353448Sdh155122 } 2360Sstevel@tonic-gate kmem_free(ipd->ipd_name, strlen(ipd->ipd_name) + 1); 2370Sstevel@tonic-gate 2380Sstevel@tonic-gate ipd->ipd_name = NULL; 2390Sstevel@tonic-gate } 2400Sstevel@tonic-gate 2410Sstevel@tonic-gate /* 2420Sstevel@tonic-gate * Actually drop a packet. Many things could happen here, but at the least, 2430Sstevel@tonic-gate * the packet will be freemsg()ed. 2440Sstevel@tonic-gate */ 2450Sstevel@tonic-gate /* ARGSUSED */ 2460Sstevel@tonic-gate void 2470Sstevel@tonic-gate ip_drop_packet(mblk_t *mp, boolean_t inbound, ill_t *arriving, 2480Sstevel@tonic-gate ire_t *outbound_ire, struct kstat_named *counter, ipdropper_t *who_called) 2490Sstevel@tonic-gate { 2500Sstevel@tonic-gate mblk_t *ipsec_mp = NULL; 2510Sstevel@tonic-gate ipsec_in_t *ii = NULL; 2520Sstevel@tonic-gate ipsec_out_t *io = NULL; 2530Sstevel@tonic-gate ipsec_info_t *in; 2540Sstevel@tonic-gate uint8_t vers; 2550Sstevel@tonic-gate 2560Sstevel@tonic-gate if (mp == NULL) { 2570Sstevel@tonic-gate /* 2580Sstevel@tonic-gate * Return immediately - NULL packets should not affect any 2590Sstevel@tonic-gate * statistics. 2600Sstevel@tonic-gate */ 2610Sstevel@tonic-gate return; 2620Sstevel@tonic-gate } 2630Sstevel@tonic-gate 2640Sstevel@tonic-gate if (DB_TYPE(mp) == M_CTL) { 2650Sstevel@tonic-gate in = (ipsec_info_t *)mp->b_rptr; 2660Sstevel@tonic-gate 2670Sstevel@tonic-gate if (in->ipsec_info_type == IPSEC_IN) 2680Sstevel@tonic-gate ii = (ipsec_in_t *)in; 2690Sstevel@tonic-gate else if (in->ipsec_info_type == IPSEC_OUT) 2700Sstevel@tonic-gate io = (ipsec_out_t *)in; 2710Sstevel@tonic-gate 2720Sstevel@tonic-gate /* See if this is an ICMP packet (check for v4/v6). */ 2730Sstevel@tonic-gate vers = (*mp->b_rptr) >> 4; 2740Sstevel@tonic-gate if (vers != IPV4_VERSION && vers != IPV6_VERSION) { 2750Sstevel@tonic-gate /* 2760Sstevel@tonic-gate * If not, it's some other sort of M_CTL to be freed. 2770Sstevel@tonic-gate * For now, treat it like an ordinary packet. 2780Sstevel@tonic-gate */ 2790Sstevel@tonic-gate ipsec_mp = mp; 2800Sstevel@tonic-gate mp = mp->b_cont; 2810Sstevel@tonic-gate } 2820Sstevel@tonic-gate } 2830Sstevel@tonic-gate 2840Sstevel@tonic-gate /* Reality checks */ 2850Sstevel@tonic-gate if (inbound && io != NULL) 2860Sstevel@tonic-gate cmn_err(CE_WARN, 2870Sstevel@tonic-gate "ip_drop_packet: inbound packet with IPSEC_OUT"); 2880Sstevel@tonic-gate 2890Sstevel@tonic-gate if (outbound_ire != NULL && ii != NULL) 2900Sstevel@tonic-gate cmn_err(CE_WARN, 2910Sstevel@tonic-gate "ip_drop_packet: outbound packet with IPSEC_IN"); 2920Sstevel@tonic-gate 2930Sstevel@tonic-gate /* At this point, mp always points to the data. */ 2940Sstevel@tonic-gate /* 2950Sstevel@tonic-gate * Can't make the assertion yet - It could be an inbound ICMP 2960Sstevel@tonic-gate * message, which is M_CTL but with data in it. 2970Sstevel@tonic-gate */ 2980Sstevel@tonic-gate /* ASSERT(mp->b_datap->db_type == M_DATA); */ 2990Sstevel@tonic-gate 3000Sstevel@tonic-gate /* Increment the bean counter, if available. */ 3010Sstevel@tonic-gate if (counter != NULL) { 3020Sstevel@tonic-gate switch (counter->data_type) { 3030Sstevel@tonic-gate case KSTAT_DATA_INT32: 3040Sstevel@tonic-gate counter->value.i32++; 3050Sstevel@tonic-gate break; 3060Sstevel@tonic-gate case KSTAT_DATA_UINT32: 3070Sstevel@tonic-gate counter->value.ui32++; 3080Sstevel@tonic-gate break; 3090Sstevel@tonic-gate case KSTAT_DATA_INT64: 3100Sstevel@tonic-gate counter->value.i64++; 3110Sstevel@tonic-gate break; 3120Sstevel@tonic-gate case KSTAT_DATA_UINT64: 3130Sstevel@tonic-gate counter->value.ui64++; 3140Sstevel@tonic-gate break; 3150Sstevel@tonic-gate /* Other types we can't handle for now. */ 3160Sstevel@tonic-gate } 3170Sstevel@tonic-gate 3180Sstevel@tonic-gate /* TODO? Copy out kstat name for use in logging. */ 3190Sstevel@tonic-gate } 3200Sstevel@tonic-gate 3210Sstevel@tonic-gate /* TODO: log the packet details if logging is called for. */ 3220Sstevel@tonic-gate /* TODO: queue the packet onto a snoop-friendly queue. */ 3230Sstevel@tonic-gate 3240Sstevel@tonic-gate /* If I haven't queued the packet or some such nonsense, free it. */ 3250Sstevel@tonic-gate if (ipsec_mp != NULL) 3260Sstevel@tonic-gate freeb(ipsec_mp); 3273055Sdanmcd /* 3283055Sdanmcd * ASSERT this isn't a b_next linked mblk chain where a 3293055Sdanmcd * chained dropper should be used instead 3303055Sdanmcd */ 3313055Sdanmcd ASSERT(mp->b_prev == NULL && mp->b_next == NULL); 3320Sstevel@tonic-gate freemsg(mp); 3330Sstevel@tonic-gate } 334