]> git.saurik.com Git - apple/xnu.git/blobdiff - bsd/netinet/ip_output.c
projects / apple / xnu.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
xnu-1504.9.37.tar.gz
[apple/xnu.git] / bsd / netinet / ip_output.c
diff --git a/bsd/netinet/ip_output.c b/bsd/netinet/ip_output.c
index b6b0817cc860410069489a3e305991fdf44a6d62..07d74f97fbda3a7eaa03630f62400b5c7da0ccb7 100644 (file)
--- a/bsd/netinet/ip_output.c
+++ b/bsd/netinet/ip_output.c
@@ -1,14 +1,19 @@
 /*
 /*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All rights reserved.
+ * Copyright (c) 2000-2008 Apple Inc. All rights reserved.
  *
  *
- * @APPLE_LICENSE_HEADER_START@
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  * 
  * This file contains Original Code and/or Modifications of Original Code
  * as defined in and that are subject to the Apple Public Source License
  * Version 2.0 (the 'License'). You may not use this file except in
  * 
  * This file contains Original Code and/or Modifications of Original Code
  * as defined in and that are subject to the Apple Public Source License
  * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
+ * 
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
  * 
  * The Original Code and all software distributed under the License are
  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  * 
  * The Original Code and all software distributed under the License are
  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
@@ -18,7 +23,7 @@
  * Please see the License for the specific language governing rights and
  * limitations under the License.
  * 
  * Please see the License for the specific language governing rights and
  * limitations under the License.
  * 
- * @APPLE_LICENSE_HEADER_END@
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
  */
 /*
  * Copyright (c) 1982, 1986, 1988, 1990, 1993
  */
 /*
  * Copyright (c) 1982, 1986, 1988, 1990, 1993
@@ -55,6 +60,12 @@
  *     @(#)ip_output.c 8.3 (Berkeley) 1/21/94
  * $FreeBSD: src/sys/netinet/ip_output.c,v 1.99.2.16 2001/07/19 06:37:26 kris Exp $
  */
  *     @(#)ip_output.c 8.3 (Berkeley) 1/21/94
  * $FreeBSD: src/sys/netinet/ip_output.c,v 1.99.2.16 2001/07/19 06:37:26 kris Exp $
  */
+/*
+ * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
+ * support for mandatory and extensible security protections.  This notice
+ * is included in support of clause 2.2 (b) of the Apple Public License,
+ * Version 2.0.
+ */
 
 #define _IP_VHL
 
 
 #define _IP_VHL
 
@@ -69,7 +80,10 @@
 #include <kern/locks.h>
 #include <sys/sysctl.h>
 
 #include <kern/locks.h>
 #include <sys/sysctl.h>
 
+#include <machine/endian.h>
+
 #include <net/if.h>
 #include <net/if.h>
+#include <net/if_dl.h>
 #include <net/route.h>
 
 #include <netinet/in.h>
 #include <net/route.h>
 
 #include <netinet/in.h>
@@ -81,16 +95,22 @@
 
 #include <netinet/kpi_ipfilter_var.h>
 
 
 #include <netinet/kpi_ipfilter_var.h>
 
+#if CONFIG_MACF_NET
+#include <security/mac_framework.h>
+#endif
+
 #include "faith.h"
 
 #include <net/dlil.h>
 #include <sys/kdebug.h>
 #include "faith.h"
 
 #include <net/dlil.h>
 #include <sys/kdebug.h>
+#include <libkern/OSAtomic.h>
 
 #define DBG_LAYER_BEG          NETDBG_CODE(DBG_NETIP, 1)
 #define DBG_LAYER_END          NETDBG_CODE(DBG_NETIP, 3)
 #define DBG_FNC_IP_OUTPUT      NETDBG_CODE(DBG_NETIP, (1 << 8) | 1)
 #define DBG_FNC_IPSEC4_OUTPUT  NETDBG_CODE(DBG_NETIP, (2 << 8) | 1)
 
 
 #define DBG_LAYER_BEG          NETDBG_CODE(DBG_NETIP, 1)
 #define DBG_LAYER_END          NETDBG_CODE(DBG_NETIP, 3)
 #define DBG_FNC_IP_OUTPUT      NETDBG_CODE(DBG_NETIP, (1 << 8) | 1)
 #define DBG_FNC_IPSEC4_OUTPUT  NETDBG_CODE(DBG_NETIP, (2 << 8) | 1)
 
+#define        SWAP16(v) ((((v) & 0xff) << 8) | ((v) >> 8))
 
 #if IPSEC
 #include <netinet6/ipsec.h>
 
 #if IPSEC
 #include <netinet6/ipsec.h>
@@ -109,6 +129,10 @@
 #include <netinet/ip_dummynet.h>
 #endif
 
 #include <netinet/ip_dummynet.h>
 #endif
 
+#if PF
+#include <net/pfvar.h>
+#endif /* PF */
+
 #if IPFIREWALL_FORWARD_DEBUG
 #define print_ip(a)     printf("%ld.%ld.%ld.%ld",(ntohl(a.s_addr)>>24)&0xFF,\
                                                  (ntohl(a.s_addr)>>16)&0xFF,\
 #if IPFIREWALL_FORWARD_DEBUG
 #define print_ip(a)     printf("%ld.%ld.%ld.%ld",(ntohl(a.s_addr)>>24)&0xFF,\
                                                  (ntohl(a.s_addr)>>16)&0xFF,\
@@ -116,9 +140,6 @@
                                                  (ntohl(a.s_addr))&0xFF);
 #endif
 
                                                  (ntohl(a.s_addr))&0xFF);
 #endif
 
-#if IPSEC
-extern lck_mtx_t    *sadb_mutex;
-#endif
 
 u_short ip_id;
 
 
 u_short ip_id;
 
@@ -130,17 +151,18 @@ static int        ip_getmoptions(struct sockopt *, struct ip_moptions *);
 static int     ip_pcbopts(int, struct mbuf **, struct mbuf *);
 static int     ip_setmoptions(struct sockopt *, struct ip_moptions **);
 
 static int     ip_pcbopts(int, struct mbuf **, struct mbuf *);
 static int     ip_setmoptions(struct sockopt *, struct ip_moptions **);
 
+static void ip_out_cksum_stats(int, u_int32_t);
+static struct ifaddr *in_selectsrcif(struct ip *, struct route *, unsigned int);
+static void ip_bindif(struct inpcb *, unsigned int);
+
 int ip_createmoptions(struct ip_moptions **imop);
 int ip_addmembership(struct ip_moptions *imo, struct ip_mreq *mreq);
 int ip_dropmembership(struct ip_moptions *imo, struct ip_mreq *mreq);
 int    ip_optcopy(struct ip *, struct ip *);
 int ip_createmoptions(struct ip_moptions **imop);
 int ip_addmembership(struct ip_moptions *imo, struct ip_mreq *mreq);
 int ip_dropmembership(struct ip_moptions *imo, struct ip_mreq *mreq);
 int    ip_optcopy(struct ip *, struct ip *);
-extern int (*fr_checkp)(struct ip *, int, struct ifnet *, int, struct mbuf **);
-#ifdef __APPLE__
-extern struct mbuf*    m_dup(register struct mbuf *m, int how);
-#endif
+void in_delayed_cksum_offset(struct mbuf *, int );
+void in_cksum_offset(struct mbuf* , size_t );
 
 
-extern int apple_hwcksum_tx;
-extern u_long  route_generation;
+extern int (*fr_checkp)(struct ip *, int, struct ifnet *, int, struct mbuf **);
 
 extern struct protosw inetsw[];
 
 
 extern struct protosw inetsw[];
 
@@ -155,6 +177,16 @@ extern int ipsec_bypass;
 static int     ip_maxchainsent = 0;
 SYSCTL_INT(_net_inet_ip, OID_AUTO, maxchainsent, CTLFLAG_RW,
     &ip_maxchainsent, 0, "use dlil_output_list");
 static int     ip_maxchainsent = 0;
 SYSCTL_INT(_net_inet_ip, OID_AUTO, maxchainsent, CTLFLAG_RW,
     &ip_maxchainsent, 0, "use dlil_output_list");
+#if DEBUG
+static int forge_ce = 0;
+SYSCTL_INT(_net_inet_ip, OID_AUTO, forge_ce, CTLFLAG_RW,
+    &forge_ce, 0, "Forge ECN CE");
+#endif /* DEBUG */
+
+static int ip_select_srcif_debug = 0;
+SYSCTL_INT(_net_inet_ip, OID_AUTO, select_srcif_debug, CTLFLAG_RW,
+    &ip_select_srcif_debug, 0, "log source interface selection debug info");
+
 /*
  * IP output.  The packet in mbuf chain m contains a skeletal IP
  * header (with len, off, ttl, proto, tos, src, dst).
 /*
  * IP output.  The packet in mbuf chain m contains a skeletal IP
  * header (with len, off, ttl, proto, tos, src, dst).
@@ -167,13 +199,36 @@ ip_output(
        struct mbuf *opt,
        struct route *ro,
        int flags,
        struct mbuf *opt,
        struct route *ro,
        int flags,
-       struct ip_moptions *imo)
+       struct ip_moptions *imo,
+       struct ip_out_args *ipoa)
 {
        int error;
 {
        int error;
-       error = ip_output_list(m0, 0, opt, ro, flags, imo);
+       error = ip_output_list(m0, 0, opt, ro, flags, imo, ipoa);
        return error;
 }
 
        return error;
 }
 
+/*
+ * Returns:    0                       Success
+ *             ENOMEM
+ *             EADDRNOTAVAIL
+ *             ENETUNREACH
+ *             EHOSTUNREACH
+ *             EACCES
+ *             EMSGSIZE
+ *             ENOBUFS
+ *     ipsec4_getpolicybyaddr:???      [IPSEC 4th argument, contents modified]
+ *     ipsec4_getpolicybysock:???      [IPSEC 4th argument, contents modified]
+ *     key_spdacquire:???              [IPSEC]
+ *     ipsec4_output:???               [IPSEC]
+ *     <fr_checkp>:???                 [firewall]
+ *     ip_dn_io_ptr:???                [dummynet]
+ *     dlil_output:???                 [DLIL]
+ *     dlil_output_list:???            [DLIL]
+ *
+ * Notes:      The ipsec4_getpolicyby{addr|sock} function error returns are
+ *             only used as the error return from this function where one of
+ *             these functions fails to return a policy.
+ */
 int
 ip_output_list(
        struct mbuf *m0,
 int
 ip_output_list(
        struct mbuf *m0,
@@ -181,15 +236,17 @@ ip_output_list(
        struct mbuf *opt,
        struct route *ro,
        int flags,
        struct mbuf *opt,
        struct route *ro,
        int flags,
-       struct ip_moptions *imo)
+       struct ip_moptions *imo,
+       struct ip_out_args *ipoa
+       )
 {
 {
-       struct ip *ip, *mhip;
+       struct ip *ip;
        struct ifnet *ifp = NULL;
        struct ifnet *ifp = NULL;
-       struct mbuf *m = m0;
+       struct mbuf *m = m0, **mppn = NULL;
        int hlen = sizeof (struct ip);
        int hlen = sizeof (struct ip);
-       int len, off, error = 0;
+       int len = 0, off, error = 0;
        struct sockaddr_in *dst = NULL;
        struct sockaddr_in *dst = NULL;
-       struct in_ifaddr *ia = NULL;
+       struct in_ifaddr *ia = NULL, *src_ia = NULL;
        int isbroadcast, sw_csum;
        struct in_addr pkt_dst;
 #if IPSEC
        int isbroadcast, sw_csum;
        struct in_addr pkt_dst;
 #if IPSEC
@@ -200,63 +257,81 @@ ip_output_list(
 #if IPFIREWALL_FORWARD
        int fwd_rewrite_src = 0;
 #endif
 #if IPFIREWALL_FORWARD
        int fwd_rewrite_src = 0;
 #endif
+#if IPFIREWALL
        struct ip_fw_args args;
        struct ip_fw_args args;
+#endif
        int didfilter = 0;
        ipfilter_t inject_filter_ref = 0;
        struct m_tag    *tag;
        int didfilter = 0;
        ipfilter_t inject_filter_ref = 0;
        struct m_tag    *tag;
-       struct route    dn_route;
+       struct route    saved_route;
+       struct ip_out_args saved_ipoa;
        struct mbuf * packetlist;
        struct mbuf * packetlist;
-       int pktcnt = 0;
-       
-       lck_mtx_lock(ip_mutex); 
+       int pktcnt = 0, tso = 0;
+       unsigned int ifscope;
+       boolean_t select_srcif;
 
        KERNEL_DEBUG(DBG_FNC_IP_OUTPUT | DBG_FUNC_START, 0,0,0,0,0);
 
        packetlist = m0;
 
        KERNEL_DEBUG(DBG_FNC_IP_OUTPUT | DBG_FUNC_START, 0,0,0,0,0);
 
        packetlist = m0;
+#if IPFIREWALL
+       args.next_hop = NULL;
        args.eh = NULL;
        args.rule = NULL;
        args.eh = NULL;
        args.rule = NULL;
-       args.next_hop = NULL;
        args.divert_rule = 0;                   /* divert cookie */
        args.divert_rule = 0;                   /* divert cookie */
-       
+       args.ipoa = NULL;
+
+       if (SLIST_EMPTY(&m0->m_pkthdr.tags))
+               goto ipfw_tags_done;
+
        /* Grab info from mtags prepended to the chain */
 #if DUMMYNET
        /* Grab info from mtags prepended to the chain */
 #if DUMMYNET
-       if ((tag = m_tag_locate(m0, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_DUMMYNET, NULL)) != NULL) {
+       if ((tag = m_tag_locate(m0, KERNEL_MODULE_TAG_ID,
+           KERNEL_TAG_TYPE_DUMMYNET, NULL)) != NULL) {
                struct dn_pkt_tag       *dn_tag;
                struct dn_pkt_tag       *dn_tag;
-               
+
                dn_tag = (struct dn_pkt_tag *)(tag+1);
                args.rule = dn_tag->rule;
                opt = NULL;
                dn_tag = (struct dn_pkt_tag *)(tag+1);
                args.rule = dn_tag->rule;
                opt = NULL;
-               dn_route = dn_tag->ro;
-               ro = &dn_route;
-                       
+               saved_route = dn_tag->ro;
+               ro = &saved_route;
+
                imo = NULL;
                dst = dn_tag->dn_dst;
                ifp = dn_tag->ifp;
                flags = dn_tag->flags;
                imo = NULL;
                dst = dn_tag->dn_dst;
                ifp = dn_tag->ifp;
                flags = dn_tag->flags;
-               
+               saved_ipoa = dn_tag->ipoa;
+               ipoa = &saved_ipoa;
+
                m_tag_delete(m0, tag);
        }
 #endif /* DUMMYNET */
 
                m_tag_delete(m0, tag);
        }
 #endif /* DUMMYNET */
 
-       if ((tag = m_tag_locate(m0, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_DIVERT, NULL)) != NULL) {
+#if IPDIVERT
+       if ((tag = m_tag_locate(m0, KERNEL_MODULE_TAG_ID,
+           KERNEL_TAG_TYPE_DIVERT, NULL)) != NULL) {
                struct divert_tag       *div_tag;
                struct divert_tag       *div_tag;
-               
+
                div_tag = (struct divert_tag *)(tag+1);
                args.divert_rule = div_tag->cookie;
 
                m_tag_delete(m0, tag);
        }
                div_tag = (struct divert_tag *)(tag+1);
                args.divert_rule = div_tag->cookie;
 
                m_tag_delete(m0, tag);
        }
-       if ((tag = m_tag_locate(m0, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFORWARD, NULL)) != NULL) {
+#endif /* IPDIVERT */
+
+       if ((tag = m_tag_locate(m0, KERNEL_MODULE_TAG_ID,
+           KERNEL_TAG_TYPE_IPFORWARD, NULL)) != NULL) {
                struct ip_fwd_tag       *ipfwd_tag;
                struct ip_fwd_tag       *ipfwd_tag;
-               
+
                ipfwd_tag = (struct ip_fwd_tag *)(tag+1);
                args.next_hop = ipfwd_tag->next_hop;
                ipfwd_tag = (struct ip_fwd_tag *)(tag+1);
                args.next_hop = ipfwd_tag->next_hop;
-               
+
                m_tag_delete(m0, tag);
        }
                m_tag_delete(m0, tag);
        }
+ipfw_tags_done:
+#endif /* IPFIREWALL */
 
        m = m0;
 
        m = m0;
-       
+
 #if    DIAGNOSTIC
        if ( !m || (m->m_flags & M_PKTHDR) != 0)
                panic("ip_output no HDR");
 #if    DIAGNOSTIC
        if ( !m || (m->m_flags & M_PKTHDR) != 0)
                panic("ip_output no HDR");
@@ -265,21 +340,40 @@ ip_output_list(
                      mtod(m, struct ip *)->ip_p);
 #endif
 
                      mtod(m, struct ip *)->ip_p);
 #endif
 
+       /*
+        * At present the IP_OUTARGS flag implies a request for IP to
+        * perform source interface selection.  In the forwarding case,
+        * only the ifscope value is used, as source interface selection
+        * doesn't take place.
+        */
+       if (ip_doscopedroute && (flags & IP_OUTARGS)) {
+               select_srcif = !(flags & IP_FORWARDING);
+               ifscope = ipoa->ipoa_ifscope;
+       } else {
+               select_srcif = FALSE;
+               ifscope = IFSCOPE_NONE;
+       }
+
+#if IPFIREWALL
        if (args.rule != NULL) {        /* dummynet already saw us */
        if (args.rule != NULL) {        /* dummynet already saw us */
-            ip = mtod(m, struct ip *);
-            hlen = IP_VHL_HL(ip->ip_vhl) << 2 ;
-            if (ro->ro_rt != NULL)
-                ia = (struct in_ifaddr *)ro->ro_rt->rt_ifa;
+               ip = mtod(m, struct ip *);
+               hlen = IP_VHL_HL(ip->ip_vhl) << 2 ;
+               if (ro->ro_rt != NULL) {
+                       RT_LOCK_SPIN(ro->ro_rt);
+                       ia = (struct in_ifaddr *)ro->ro_rt->rt_ifa;
                        if (ia)
                                ifaref(&ia->ia_ifa);
                        if (ia)
                                ifaref(&ia->ia_ifa);
+                       RT_UNLOCK(ro->ro_rt);
+               }
 #if IPSEC
 #if IPSEC
-                       if (ipsec_bypass == 0 && (flags & IP_NOIPSEC) == 0) {
-                               so = ipsec_getsocket(m);
-                               (void)ipsec_setsocket(m, NULL);
-                       }
+               if (ipsec_bypass == 0 && (flags & IP_NOIPSEC) == 0) {
+                       so = ipsec_getsocket(m);
+                       (void)ipsec_setsocket(m, NULL);
+               }
 #endif
 #endif
-            goto sendit;
+               goto sendit;
        }
        }
+#endif /* IPFIREWALL */
 
 #if IPSEC
        if (ipsec_bypass == 0 && (flags & IP_NOIPSEC) == 0) {
 
 #if IPSEC
        if (ipsec_bypass == 0 && (flags & IP_NOIPSEC) == 0) {
@@ -292,14 +386,21 @@ loopit:
         * No need to proccess packet twice if we've 
         * already seen it
         */
         * No need to proccess packet twice if we've 
         * already seen it
         */
-       inject_filter_ref = ipf_get_inject_filter(m);
+       if (!SLIST_EMPTY(&m->m_pkthdr.tags))
+               inject_filter_ref = ipf_get_inject_filter(m);
+       else
+               inject_filter_ref = 0;
 
        if (opt) {
                m = ip_insertoptions(m, opt, &len);
                hlen = len;
        }
        ip = mtod(m, struct ip *);
 
        if (opt) {
                m = ip_insertoptions(m, opt, &len);
                hlen = len;
        }
        ip = mtod(m, struct ip *);
+#if IPFIREWALL
        pkt_dst = args.next_hop ? args.next_hop->sin_addr : ip->ip_dst;
        pkt_dst = args.next_hop ? args.next_hop->sin_addr : ip->ip_dst;
+#else
+       pkt_dst = ip->ip_dst;
+#endif
 
        /*
         * Fill in IP header.
 
        /*
         * Fill in IP header.
@@ -312,14 +413,24 @@ loopit:
 #else
                ip->ip_id = htons(ip_id++);
 #endif
 #else
                ip->ip_id = htons(ip_id++);
 #endif
-               ipstat.ips_localout++;
+               OSAddAtomic(1, &ipstat.ips_localout);
        } else {
                hlen = IP_VHL_HL(ip->ip_vhl) << 2;
        }
        } else {
                hlen = IP_VHL_HL(ip->ip_vhl) << 2;
        }
+       
+#if DEBUG
+       /* For debugging, we let the stack forge congestion */
+       if (forge_ce != 0 &&
+               ((ip->ip_tos & IPTOS_ECN_MASK) == IPTOS_ECN_ECT1 ||
+                (ip->ip_tos & IPTOS_ECN_MASK) == IPTOS_ECN_ECT0)) {
+               ip->ip_tos = (ip->ip_tos & ~IPTOS_ECN_MASK) | IPTOS_ECN_CE;
+               forge_ce--;
+       }
+#endif /* DEBUG */
 
        KERNEL_DEBUG(DBG_LAYER_BEG, ip->ip_dst.s_addr, 
                     ip->ip_src.s_addr, ip->ip_p, ip->ip_off, ip->ip_len);
 
        KERNEL_DEBUG(DBG_LAYER_BEG, ip->ip_dst.s_addr, 
                     ip->ip_src.s_addr, ip->ip_p, ip->ip_off, ip->ip_len);
-
+       
        dst = (struct sockaddr_in *)&ro->ro_dst;
 
        /*
        dst = (struct sockaddr_in *)&ro->ro_dst;
 
        /*
@@ -330,21 +441,39 @@ loopit:
         * cache with IPv6.
         */
 
         * cache with IPv6.
         */
 
-       {
-               if (ro->ro_rt && (ro->ro_rt->generation_id != route_generation) &&
-                       ((flags & (IP_ROUTETOIF | IP_FORWARDING)) == 0) && (ip->ip_src.s_addr != INADDR_ANY) &&
-                       (ifa_foraddr(ip->ip_src.s_addr) == 0)) {
-                       error = EADDRNOTAVAIL;
-                       goto bad;
+       if (ro->ro_rt != NULL) {
+               if (ro->ro_rt->generation_id != route_generation &&
+                   ((flags & (IP_ROUTETOIF | IP_FORWARDING)) == 0) &&
+                   (ip->ip_src.s_addr != INADDR_ANY)) {
+                       src_ia = ifa_foraddr(ip->ip_src.s_addr);
+                       if (src_ia == NULL) {
+                               error = EADDRNOTAVAIL;
+                               goto bad;
+                       }
+                       ifafree(&src_ia->ia_ifa);
                }
                }
+               /*
+                * Test rt_flags without holding rt_lock for performance
+                * reasons; if the route is down it will hopefully be
+                * caught by the layer below (since it uses this route
+                * as a hint) or during the next transmit.
+                */
+               if ((ro->ro_rt->rt_flags & RTF_UP) == 0 ||
+                   dst->sin_family != AF_INET ||
+                   dst->sin_addr.s_addr != pkt_dst.s_addr) {
+                       rtfree(ro->ro_rt);
+                       ro->ro_rt = NULL;
+               }
+               /*
+                * If we're doing source interface selection, we may not
+                * want to use this route; only synch up the generation
+                * count otherwise.
+                */
+               if (!select_srcif && ro->ro_rt != NULL &&
+                   ro->ro_rt->generation_id != route_generation)
+                       ro->ro_rt->generation_id = route_generation;
        }
        }
-       if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 ||
-          dst->sin_family != AF_INET ||
-          dst->sin_addr.s_addr != pkt_dst.s_addr)) {
-               rtfree(ro->ro_rt);
-               ro->ro_rt = (struct rtentry *)0;
-       }
-       if (ro->ro_rt == 0) {
+       if (ro->ro_rt == NULL) {
                bzero(dst, sizeof(*dst));
                dst->sin_family = AF_INET;
                dst->sin_len = sizeof(*dst);
                bzero(dst, sizeof(*dst));
                dst->sin_family = AF_INET;
                dst->sin_len = sizeof(*dst);
@@ -361,7 +490,7 @@ loopit:
                        ifafree(&ia->ia_ifa);
                if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst)))) == 0) {
                        if ((ia = ifatoia(ifa_ifwithnet(sintosa(dst)))) == 0) {
                        ifafree(&ia->ia_ifa);
                if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst)))) == 0) {
                        if ((ia = ifatoia(ifa_ifwithnet(sintosa(dst)))) == 0) {
-                               ipstat.ips_noroute++;
+                               OSAddAtomic(1, &ipstat.ips_noroute);
                                error = ENETUNREACH;
                                goto bad;
                        }
                                error = ENETUNREACH;
                                goto bad;
                        }
@@ -369,7 +498,74 @@ loopit:
                ifp = ia->ia_ifp;
                ip->ip_ttl = 1;
                isbroadcast = in_broadcast(dst->sin_addr, ifp);
                ifp = ia->ia_ifp;
                ip->ip_ttl = 1;
                isbroadcast = in_broadcast(dst->sin_addr, ifp);
+       } else if (IN_MULTICAST(ntohl(pkt_dst.s_addr)) &&
+           imo != NULL && imo->imo_multicast_ifp != NULL) {
+               /*
+                * Bypass the normal routing lookup for multicast
+                * packets if the interface is specified.
+                */
+               ifp = imo->imo_multicast_ifp;
+               isbroadcast = 0;
+               if (ia != NULL)
+                       ifafree(&ia->ia_ifa);
+
+               /* Macro takes reference on ia */
+               IFP_TO_IA(ifp, ia);
        } else {
        } else {
+               boolean_t cloneok = FALSE;
+               /*
+                * Perform source interface selection; the source IP address
+                * must belong to one of the addresses of the interface used
+                * by the route.  For performance reasons, do this only if
+                * there is no route, or if the routing table has changed,
+                * or if we haven't done source interface selection on this
+                * route (for this PCB instance) before.
+                */
+               if (select_srcif && ip->ip_src.s_addr != INADDR_ANY &&
+                   (ro->ro_rt == NULL || !(ro->ro_rt->rt_flags & RTF_UP) ||
+                   ro->ro_rt->generation_id != route_generation ||
+                   !(ro->ro_flags & ROF_SRCIF_SELECTED))) {
+                       struct ifaddr *ifa;
+
+                       /* Find the source interface */
+                       ifa = in_selectsrcif(ip, ro, ifscope);
+
+                       /*
+                        * If the source address is spoofed (in the case
+                        * of IP_RAWOUTPUT), or if this is destined for
+                        * local/loopback, just let it go out using the
+                        * interface of the route.  Otherwise, there's no
+                        * interface having such an address, so bail out.
+                        */
+                       if (ifa == NULL && !(flags & IP_RAWOUTPUT) &&
+                           ifscope != lo_ifp->if_index) {
+                               error = EADDRNOTAVAIL;
+                               goto bad;
+                       }
+
+                       /*
+                        * If the caller didn't explicitly specify the scope,
+                        * pick it up from the source interface.  If the cached
+                        * route was wrong and was blown away as part of source
+                        * interface selection, don't mask out RTF_PRCLONING
+                        * since that route may have been allocated by the ULP,
+                        * unless the IP header was created by the caller or
+                        * the destination is IPv4 LLA.  The check for the
+                        * latter is needed because IPv4 LLAs are never scoped
+                        * in the current implementation, and we don't want to
+                        * replace the resolved IPv4 LLA route with one whose
+                        * gateway points to that of the default gateway on
+                        * the primary interface of the system.
+                        */
+                       if (ifa != NULL) {
+                               if (ifscope == IFSCOPE_NONE)
+                                       ifscope = ifa->ifa_ifp->if_index;
+                               ifafree(ifa);
+                               cloneok = (!(flags & IP_RAWOUTPUT) &&
+                                   !(IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr))));
+                       }
+               }
+
                /*
                 * If this is the case, we probably don't want to allocate
                 * a protocol-cloned route since we didn't get one from the
                /*
                 * If this is the case, we probably don't want to allocate
                 * a protocol-cloned route since we didn't get one from the
@@ -379,15 +575,53 @@ loopit:
                 * the link layer, as this is probably required in all cases
                 * for correct operation (as it is for ARP).
                 */
                 * the link layer, as this is probably required in all cases
                 * for correct operation (as it is for ARP).
                 */
-               if (ro->ro_rt == 0)
-                       rtalloc_ign(ro, RTF_PRCLONING);
-               if (ro->ro_rt == 0) {
-                       ipstat.ips_noroute++;
+               if (ro->ro_rt == NULL) {
+                       unsigned long ign = RTF_PRCLONING;
+                       /*
+                        * We make an exception here: if the destination
+                        * address is INADDR_BROADCAST, allocate a protocol-
+                        * cloned host route so that we end up with a route
+                        * marked with the RTF_BROADCAST flag.  Otherwise,
+                        * we would end up referring to the default route,
+                        * instead of creating a cloned host route entry.
+                        * That would introduce inconsistencies between ULPs
+                        * that allocate a route and those that don't.  The
+                        * RTF_BROADCAST route is important since we'd want
+                        * to send out undirected IP broadcast packets using
+                        * link-level broadcast address. Another exception
+                        * is for ULP-created routes that got blown away by
+                        * source interface selection (see above).
+                        *
+                        * These exceptions will no longer be necessary when
+                        * the RTF_PRCLONING scheme is no longer present.
+                        */
+                       if (cloneok || dst->sin_addr.s_addr == INADDR_BROADCAST)
+                               ign &= ~RTF_PRCLONING;
+
+                       /*
+                        * Loosen the route lookup criteria if the ifscope
+                        * corresponds to the loopback interface; this is
+                        * needed to support Application Layer Gateways
+                        * listening on loopback, in conjunction with packet
+                        * filter redirection rules.  The final source IP
+                        * address will be rewritten by the packet filter
+                        * prior to the RFC1122 loopback check below.
+                        */
+                       if (ifscope == lo_ifp->if_index)
+                               rtalloc_ign(ro, ign);
+                       else
+                               rtalloc_scoped_ign(ro, ign, ifscope);
+               }
+
+               if (ro->ro_rt == NULL) {
+                       OSAddAtomic(1, &ipstat.ips_noroute);
                        error = EHOSTUNREACH;
                        goto bad;
                }
                        error = EHOSTUNREACH;
                        goto bad;
                }
+
                if (ia)
                        ifafree(&ia->ia_ifa);
                if (ia)
                        ifafree(&ia->ia_ifa);
+               RT_LOCK_SPIN(ro->ro_rt);
                ia = ifatoia(ro->ro_rt->rt_ifa);
                if (ia)
                        ifaref(&ia->ia_ifa);
                ia = ifatoia(ro->ro_rt->rt_ifa);
                if (ia)
                        ifaref(&ia->ia_ifa);
@@ -395,11 +629,16 @@ loopit:
                ro->ro_rt->rt_use++;
                if (ro->ro_rt->rt_flags & RTF_GATEWAY)
                        dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
                ro->ro_rt->rt_use++;
                if (ro->ro_rt->rt_flags & RTF_GATEWAY)
                        dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
-               if (ro->ro_rt->rt_flags & RTF_HOST)
+               if (ro->ro_rt->rt_flags & RTF_HOST) {
                        isbroadcast = (ro->ro_rt->rt_flags & RTF_BROADCAST);
                        isbroadcast = (ro->ro_rt->rt_flags & RTF_BROADCAST);
-               else
+               } else {
+                       /* Become a regular mutex */
+                       RT_CONVERT_LOCK(ro->ro_rt);
                        isbroadcast = in_broadcast(dst->sin_addr, ifp);
                        isbroadcast = in_broadcast(dst->sin_addr, ifp);
+               }
+               RT_UNLOCK(ro->ro_rt);
        }
        }
+
        if (IN_MULTICAST(ntohl(pkt_dst.s_addr))) {
                struct in_multi *inm;
 
        if (IN_MULTICAST(ntohl(pkt_dst.s_addr))) {
                struct in_multi *inm;
 
@@ -418,10 +657,12 @@ loopit:
                        if (imo->imo_multicast_ifp != NULL) {
                                ifp = imo->imo_multicast_ifp;
                        }
                        if (imo->imo_multicast_ifp != NULL) {
                                ifp = imo->imo_multicast_ifp;
                        }
+#if MROUTING
                        if (imo->imo_multicast_vif != -1 && 
                                ((flags & IP_RAWOUTPUT) == 0 || ip->ip_src.s_addr == INADDR_ANY))
                                ip->ip_src.s_addr =
                                        ip_mcast_src(imo->imo_multicast_vif);
                        if (imo->imo_multicast_vif != -1 && 
                                ((flags & IP_RAWOUTPUT) == 0 || ip->ip_src.s_addr == INADDR_ANY))
                                ip->ip_src.s_addr =
                                        ip_mcast_src(imo->imo_multicast_vif);
+#endif /* MROUTING */
                } else
                        if ((flags & IP_RAWOUTPUT) == 0) ip->ip_ttl = IP_DEFAULT_MULTICAST_TTL;
                /*
                } else
                        if ((flags & IP_RAWOUTPUT) == 0) ip->ip_ttl = IP_DEFAULT_MULTICAST_TTL;
                /*
@@ -429,7 +670,7 @@ loopit:
                 */
                if ((imo == NULL) || (imo->imo_multicast_vif == -1)) {
                        if ((ifp->if_flags & IFF_MULTICAST) == 0) {
                 */
                if ((imo == NULL) || (imo->imo_multicast_vif == -1)) {
                        if ((ifp->if_flags & IFF_MULTICAST) == 0) {
-                               ipstat.ips_noroute++;
+                               OSAddAtomic(1, &ipstat.ips_noroute);
                                error = ENETUNREACH;
                                goto bad;
                        }
                                error = ENETUNREACH;
                                goto bad;
                        }
@@ -439,14 +680,14 @@ loopit:
                 * of outgoing interface.
                 */
                if (ip->ip_src.s_addr == INADDR_ANY) {
                 * of outgoing interface.
                 */
                if (ip->ip_src.s_addr == INADDR_ANY) {
-                       register struct in_ifaddr *ia1;
-
+                       struct in_ifaddr *ia1;
+                       lck_rw_lock_shared(in_ifaddr_rwlock);
                        TAILQ_FOREACH(ia1, &in_ifaddrhead, ia_link)
                                if (ia1->ia_ifp == ifp) {
                                        ip->ip_src = IA_SIN(ia1)->sin_addr;
                        TAILQ_FOREACH(ia1, &in_ifaddrhead, ia_link)
                                if (ia1->ia_ifp == ifp) {
                                        ip->ip_src = IA_SIN(ia1)->sin_addr;
-                                       
                                        break;
                                }
                                        break;
                                }
+                       lck_rw_done(in_ifaddr_rwlock);
                        if (ip->ip_src.s_addr == INADDR_ANY) {
                                error = ENETUNREACH;
                                goto bad;
                        if (ip->ip_src.s_addr == INADDR_ANY) {
                                error = ENETUNREACH;
                                goto bad;
@@ -475,8 +716,15 @@ loopit:
                                        ipf_pktopts.ippo_mcast_loop = imo->imo_multicast_loop;
                                }
                                
                                        ipf_pktopts.ippo_mcast_loop = imo->imo_multicast_loop;
                                }
                                
-                               lck_mtx_unlock(ip_mutex);
                                ipf_ref();
                                ipf_ref();
+                               
+                               /* 4135317 - always pass network byte order to filter */
+
+#if BYTE_ORDER != BIG_ENDIAN
+                               HTONS(ip->ip_len);
+                               HTONS(ip->ip_off);
+#endif
+
                                TAILQ_FOREACH(filter, &ipv4_filters, ipf_link) {
                                        if (seen == 0) {
                                                if ((struct ipfilter *)inject_filter_ref == filter)
                                TAILQ_FOREACH(filter, &ipv4_filters, ipf_link) {
                                        if (seen == 0) {
                                                if ((struct ipfilter *)inject_filter_ref == filter)
@@ -490,17 +738,25 @@ loopit:
                                                }
                                                if (result != 0) {
                                                        ipf_unref();
                                                }
                                                if (result != 0) {
                                                        ipf_unref();
-                                                       lck_mtx_lock(ip_mutex);
                                                        goto bad;
                                                }
                                        }
                                }
                                                        goto bad;
                                                }
                                        }
                                }
-                               lck_mtx_lock(ip_mutex);
+                               
+                               /* set back to host byte order */
+                               ip = mtod(m, struct ip *);
+
+#if BYTE_ORDER != BIG_ENDIAN
+                               NTOHS(ip->ip_len);
+                               NTOHS(ip->ip_off);
+#endif
+
                                ipf_unref();
                                didfilter = 1;
                        }
                        ip_mloopback(ifp, m, dst, hlen);
                }
                                ipf_unref();
                                didfilter = 1;
                        }
                        ip_mloopback(ifp, m, dst, hlen);
                }
+#if MROUTING
                else {
                        /*
                         * If we are acting as a multicast router, perform
                else {
                        /*
                         * If we are acting as a multicast router, perform
@@ -525,11 +781,11 @@ loopit:
                                  imo = NULL;
                                if (ip_mforward(ip, ifp, m, imo) != 0) {
                                        m_freem(m);
                                  imo = NULL;
                                if (ip_mforward(ip, ifp, m, imo) != 0) {
                                        m_freem(m);
-                                       lck_mtx_unlock(ip_mutex);
                                        goto done;
                                }
                        }
                }
                                        goto done;
                                }
                        }
                }
+#endif /* MROUTING */
 
                /*
                 * Multicasts with a time-to-live of zero may be looped-
 
                /*
                 * Multicasts with a time-to-live of zero may be looped-
@@ -541,7 +797,6 @@ loopit:
                 */
                if (ip->ip_ttl == 0 || ifp->if_flags & IFF_LOOPBACK) {
                        m_freem(m);
                 */
                if (ip->ip_ttl == 0 || ifp->if_flags & IFF_LOOPBACK) {
                        m_freem(m);
-                       lck_mtx_unlock(ip_mutex);
                        goto done;
                }
 
                        goto done;
                }
 
@@ -590,6 +845,29 @@ loopit:
        }
 
 sendit:
        }
 
 sendit:
+#if PF
+       /* Invoke outbound packet filter */
+       if (pf_af_hook(ifp, mppn, &m, AF_INET, FALSE) != 0) {
+               if (packetlist == m0) {
+                       packetlist = m;
+                       mppn = NULL;
+               }
+               if (m != NULL) {
+                       m0 = m;
+                       /* Next packet in the chain */
+                       goto loopit;
+               } else if (packetlist != NULL) {
+                       /* No more packet; send down the chain */
+                       goto sendchain;
+               }
+               /* Nothing left; we're done */
+               goto done;
+       }
+       m0 = m;
+       ip = mtod(m, struct ip *);
+       pkt_dst = ip->ip_dst;
+       hlen = IP_VHL_HL(ip->ip_vhl) << 2;
+#endif /* PF */
         /*
          * Force IP TTL to 255 following draft-ietf-zeroconf-ipv4-linklocal.txt
          */
         /*
          * Force IP TTL to 255 following draft-ietf-zeroconf-ipv4-linklocal.txt
          */
@@ -601,13 +879,28 @@ sendit:
                }
         }
 
                }
         }
 
-injectit:
        if (!didfilter && !TAILQ_EMPTY(&ipv4_filters)) {
                struct ipfilter *filter;
                int seen = (inject_filter_ref == 0);
        if (!didfilter && !TAILQ_EMPTY(&ipv4_filters)) {
                struct ipfilter *filter;
                int seen = (inject_filter_ref == 0);
-               
-               lck_mtx_unlock(ip_mutex);
+       
+               /* Check that a TSO frame isn't passed to a filter.
+                * This could happen if a filter is inserted while
+                * TCP is sending the TSO packet.
+                */
+               if (m->m_pkthdr.csum_flags & CSUM_TSO_IPV4) {
+                       error = EMSGSIZE;
+                       goto bad;
+               }
+
                ipf_ref();
                ipf_ref();
+               
+               /* 4135317 - always pass network byte order to filter */
+
+#if BYTE_ORDER != BIG_ENDIAN
+               HTONS(ip->ip_len);
+               HTONS(ip->ip_off);
+#endif
+
                TAILQ_FOREACH(filter, &ipv4_filters, ipf_link) {
                        if (seen == 0) {
                                if ((struct ipfilter *)inject_filter_ref == filter)
                TAILQ_FOREACH(filter, &ipv4_filters, ipf_link) {
                        if (seen == 0) {
                                if ((struct ipfilter *)inject_filter_ref == filter)
@@ -621,13 +914,20 @@ injectit:
                                }
                                if (result != 0) {
                                        ipf_unref();
                                }
                                if (result != 0) {
                                        ipf_unref();
-                                       lck_mtx_lock(ip_mutex);
                                        goto bad;
                                }
                        }
                }
                                        goto bad;
                                }
                        }
                }
+               
+               /* set back to host byte order */
+               ip = mtod(m, struct ip *);
+
+#if BYTE_ORDER != BIG_ENDIAN
+               NTOHS(ip->ip_len);
+               NTOHS(ip->ip_off);
+#endif
+
                ipf_unref();
                ipf_unref();
-               lck_mtx_lock(ip_mutex);
        }
 
 #if IPSEC
        }
 
 #if IPSEC
@@ -638,7 +938,6 @@ injectit:
 
        KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_START, 0,0,0,0,0);
 
 
        KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_START, 0,0,0,0,0);
 
-       lck_mtx_lock(sadb_mutex);
 
        /* get SP for this packet */
        if (so == NULL)
 
        /* get SP for this packet */
        if (so == NULL)
@@ -647,9 +946,8 @@ injectit:
                sp = ipsec4_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error);
 
        if (sp == NULL) {
                sp = ipsec4_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error);
 
        if (sp == NULL) {
-               ipsecstat.out_inval++;
+               IPSEC_STAT_INCREMENT(ipsecstat.out_inval);              
                KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_END, 0,0,0,0,0);
                KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_END, 0,0,0,0,0);
-               lck_mtx_unlock(sadb_mutex);
                goto bad;
        }
 
                goto bad;
        }
 
@@ -658,19 +956,18 @@ injectit:
        /* check policy */
        switch (sp->policy) {
        case IPSEC_POLICY_DISCARD:
        /* check policy */
        switch (sp->policy) {
        case IPSEC_POLICY_DISCARD:
+       case IPSEC_POLICY_GENERATE:
                /*
                 * This packet is just discarded.
                 */
                /*
                 * This packet is just discarded.
                 */
-               ipsecstat.out_polvio++;
+               IPSEC_STAT_INCREMENT(ipsecstat.out_polvio);
                KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_END, 1,0,0,0,0);
                KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_END, 1,0,0,0,0);
-               lck_mtx_unlock(sadb_mutex);
                goto bad;
 
        case IPSEC_POLICY_BYPASS:
        case IPSEC_POLICY_NONE:
                /* no need to do IPsec. */
                KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_END, 2,0,0,0,0);
                goto bad;
 
        case IPSEC_POLICY_BYPASS:
        case IPSEC_POLICY_NONE:
                /* no need to do IPsec. */
                KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_END, 2,0,0,0,0);
-               lck_mtx_unlock(sadb_mutex);
                goto skip_ipsec;
        
        case IPSEC_POLICY_IPSEC:
                goto skip_ipsec;
        
        case IPSEC_POLICY_IPSEC:
@@ -678,7 +975,6 @@ injectit:
                        /* acquire a policy */
                        error = key_spdacquire(sp);
                        KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_END, 3,0,0,0,0);
                        /* acquire a policy */
                        error = key_spdacquire(sp);
                        KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_END, 3,0,0,0,0);
-                       lck_mtx_unlock(sadb_mutex);
                        goto bad;
                }
                break;
                        goto bad;
                }
                break;
@@ -709,13 +1005,13 @@ injectit:
                m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
        }
 
                m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
        }
 
+
+#if BYTE_ORDER != BIG_ENDIAN
        HTONS(ip->ip_len);
        HTONS(ip->ip_off);
        HTONS(ip->ip_len);
        HTONS(ip->ip_off);
+#endif
 
 
-       lck_mtx_unlock(ip_mutex);
        error = ipsec4_output(&state, sp, flags);
        error = ipsec4_output(&state, sp, flags);
-       lck_mtx_unlock(sadb_mutex);
-       lck_mtx_lock(ip_mutex);
     
        m0 = m = state.m;
        
     
        m0 = m = state.m;
        
@@ -764,45 +1060,71 @@ injectit:
        hlen = ip->ip_hl << 2;
 #endif
        /* Check that there wasn't a route change and src is still valid */
        hlen = ip->ip_hl << 2;
 #endif
        /* Check that there wasn't a route change and src is still valid */
-
-       if (ro->ro_rt->generation_id != route_generation) {
-               if (ifa_foraddr(ip->ip_src.s_addr) == 0 && ((flags & (IP_ROUTETOIF | IP_FORWARDING)) == 0)) {
-                       error = EADDRNOTAVAIL;
-                       KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_END, 5,0,0,0,0);
+       if (ro->ro_rt != NULL && ro->ro_rt->generation_id != route_generation) {
+               if ((src_ia = ifa_foraddr(ip->ip_src.s_addr)) == NULL &&
+                   ((flags & (IP_ROUTETOIF | IP_FORWARDING)) == 0)) {
+                       error = EADDRNOTAVAIL;
+                       KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_END,
+                           5,0,0,0,0);
                        goto bad;
                }
                rtfree(ro->ro_rt);
                ro->ro_rt = NULL;
                        goto bad;
                }
                rtfree(ro->ro_rt);
                ro->ro_rt = NULL;
+               if (src_ia != NULL)
+                       ifafree(&src_ia->ia_ifa);
        }
 
        if (ro->ro_rt == NULL) {
                if ((flags & IP_ROUTETOIF) == 0) {
        }
 
        if (ro->ro_rt == NULL) {
                if ((flags & IP_ROUTETOIF) == 0) {
-                       printf("ip_output: "
-                               "can't update route after IPsec processing\n");
-                       error = EHOSTUNREACH;   /*XXX*/ 
-                       KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_END, 6,0,0,0,0);
+                       printf("ip_output: can't update route after "
+                           "IPsec processing\n");
+                       error = EHOSTUNREACH;   /*XXX*/
+                       KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_END,
+                           6,0,0,0,0);
                        goto bad;
                }
        } else {
                if (ia)
                        ifafree(&ia->ia_ifa);
                        goto bad;
                }
        } else {
                if (ia)
                        ifafree(&ia->ia_ifa);
+               RT_LOCK_SPIN(ro->ro_rt);
                ia = ifatoia(ro->ro_rt->rt_ifa);
                if (ia)
                        ifaref(&ia->ia_ifa);
                ifp = ro->ro_rt->rt_ifp;
                ia = ifatoia(ro->ro_rt->rt_ifa);
                if (ia)
                        ifaref(&ia->ia_ifa);
                ifp = ro->ro_rt->rt_ifp;
+               RT_UNLOCK(ro->ro_rt);
        }
 
        /* make it flipped, again. */
        }
 
        /* make it flipped, again. */
+
+#if BYTE_ORDER != BIG_ENDIAN
        NTOHS(ip->ip_len);
        NTOHS(ip->ip_off);
        NTOHS(ip->ip_len);
        NTOHS(ip->ip_off);
+#endif
+       
        KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_END, 7,0xff,0xff,0xff,0xff);
        
        /* Pass to filters again */
        if (!TAILQ_EMPTY(&ipv4_filters)) {
                struct ipfilter *filter;
                
        KERNEL_DEBUG(DBG_FNC_IPSEC4_OUTPUT | DBG_FUNC_END, 7,0xff,0xff,0xff,0xff);
        
        /* Pass to filters again */
        if (!TAILQ_EMPTY(&ipv4_filters)) {
                struct ipfilter *filter;
                
-               lck_mtx_unlock(ip_mutex);
+               /* Check that a TSO frame isn't passed to a filter.
+                * This could happen if a filter is inserted while
+                * TCP is sending the TSO packet.
+                */
+               if (m->m_pkthdr.csum_flags & CSUM_TSO_IPV4) {
+                       error = EMSGSIZE;
+                       goto bad;
+               }
+
                ipf_ref();
                ipf_ref();
+               
+               /* 4135317 - always pass network byte order to filter */
+
+#if BYTE_ORDER != BIG_ENDIAN
+               HTONS(ip->ip_len);
+               HTONS(ip->ip_off);
+#endif
+
                TAILQ_FOREACH(filter, &ipv4_filters, ipf_link) {
                        if (filter->ipf_filter.ipf_output) {
                                errno_t result;
                TAILQ_FOREACH(filter, &ipv4_filters, ipf_link) {
                        if (filter->ipf_filter.ipf_output) {
                                errno_t result;
@@ -813,17 +1135,25 @@ injectit:
                                }
                                if (result != 0) {
                                        ipf_unref();
                                }
                                if (result != 0) {
                                        ipf_unref();
-                                       lck_mtx_lock(ip_mutex);
                                        goto bad;
                                }
                        }
                }
                                        goto bad;
                                }
                        }
                }
+               
+               /* set back to host byte order */
+               ip = mtod(m, struct ip *);
+
+#if BYTE_ORDER != BIG_ENDIAN
+               NTOHS(ip->ip_len);
+               NTOHS(ip->ip_off);
+#endif
+
                ipf_unref();
                ipf_unref();
-               lck_mtx_lock(ip_mutex);
        }
 skip_ipsec:
 #endif /*IPSEC*/
 
        }
 skip_ipsec:
 #endif /*IPSEC*/
 
+#if IPFIREWALL
        /*
         * IpHack's section.
         * - Xlate: translate packet's addr/port (NAT).
        /*
         * IpHack's section.
         * - Xlate: translate packet's addr/port (NAT).
@@ -835,7 +1165,6 @@ skip_ipsec:
                struct  mbuf    *m1 = m;
 
                if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1) {
                struct  mbuf    *m1 = m;
 
                if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1) {
-                       lck_mtx_unlock(ip_mutex);
                        goto done;
                }
                ip = mtod(m0 = m = m1, struct ip *);
                        goto done;
                }
                ip = mtod(m0 = m = m1, struct ip *);
@@ -851,7 +1180,6 @@ skip_ipsec:
                args.m = m;
                args.next_hop = dst;
                args.oif = ifp;
                args.m = m;
                args.next_hop = dst;
                args.oif = ifp;
-               lck_mtx_unlock(ip_mutex);
                off = ip_fw_chk_ptr(&args);
                m = args.m;
                dst = args.next_hop;
                off = ip_fw_chk_ptr(&args);
                m = args.m;
                dst = args.next_hop;
@@ -878,31 +1206,32 @@ skip_ipsec:
                        goto done ;
                }
                ip = mtod(m, struct ip *);
                        goto done ;
                }
                ip = mtod(m, struct ip *);
+               
                if (off == 0 && dst == old) {/* common case */
                if (off == 0 && dst == old) {/* common case */
-                       lck_mtx_lock(ip_mutex);
                        goto pass ;
                }
 #if DUMMYNET
                 if (DUMMYNET_LOADED && (off & IP_FW_PORT_DYNT_FLAG) != 0) {
                        goto pass ;
                }
 #if DUMMYNET
                 if (DUMMYNET_LOADED && (off & IP_FW_PORT_DYNT_FLAG) != 0) {
-                    /*
-                     * pass the pkt to dummynet. Need to include
-                     * pipe number, m, ifp, ro, dst because these are
-                     * not recomputed in the next pass.
-                     * All other parameters have been already used and
-                     * so they are not needed anymore. 
-                     * XXX note: if the ifp or ro entry are deleted
-                     * while a pkt is in dummynet, we are in trouble!
-                     */ 
-                   args.ro = ro;
-                   args.dst = dst;
-                   args.flags = flags;
-
-                   error = ip_dn_io_ptr(m, off & 0xffff, DN_TO_IP_OUT,
-                               &args);
-                   goto done;
+                       /*
+                        * pass the pkt to dummynet. Need to include
+                        * pipe number, m, ifp, ro, dst because these are
+                        * not recomputed in the next pass.
+                        * All other parameters have been already used and
+                        * so they are not needed anymore.
+                        * XXX note: if the ifp or ro entry are deleted
+                        * while a pkt is in dummynet, we are in trouble!
+                        */
+                       args.ro = ro;
+                       args.dst = dst;
+                       args.flags = flags;
+                       if (flags & IP_OUTARGS)
+                               args.ipoa = ipoa;
+
+                       error = ip_dn_io_ptr(m, off & 0xffff, DN_TO_IP_OUT,
+                           &args);
+                       goto done;
                }
 #endif /* DUMMYNET */
                }
 #endif /* DUMMYNET */
-               lck_mtx_lock(ip_mutex);
 #if IPDIVERT
                if (off != 0 && (off & IP_FW_PORT_DYNT_FLAG) == 0) {
                        struct mbuf *clone = NULL;
 #if IPDIVERT
                if (off != 0 && (off & IP_FW_PORT_DYNT_FLAG) == 0) {
                        struct mbuf *clone = NULL;
@@ -921,8 +1250,11 @@ skip_ipsec:
                        }
 
                        /* Restore packet header fields to original values */
                        }
 
                        /* Restore packet header fields to original values */
+
+#if BYTE_ORDER != BIG_ENDIAN
                        HTONS(ip->ip_len);
                        HTONS(ip->ip_off);
                        HTONS(ip->ip_len);
                        HTONS(ip->ip_off);
+#endif
 
                        /* Deliver packet to divert input routine */
                        divert_packet(m, 0, off & 0xffff, args.divert_rule);
 
                        /* Deliver packet to divert input routine */
                        divert_packet(m, 0, off & 0xffff, args.divert_rule);
@@ -933,7 +1265,6 @@ skip_ipsec:
                                ip = mtod(m, struct ip *);
                                goto pass;
                        }
                                ip = mtod(m, struct ip *);
                                goto pass;
                        }
-                       lck_mtx_unlock(ip_mutex);
                        goto done;
                }
 #endif
                        goto done;
                }
 #endif
@@ -972,6 +1303,7 @@ skip_ipsec:
                         * as the packet runs through ip_input() as
                         * it is done through a ISR.
                         */
                         * as the packet runs through ip_input() as
                         * it is done through a ISR.
                         */
+                       lck_rw_lock_shared(in_ifaddr_rwlock);
                        TAILQ_FOREACH(ia_fw, &in_ifaddrhead, ia_link) {
                                /*
                                 * If the addr to forward to is one
                        TAILQ_FOREACH(ia_fw, &in_ifaddrhead, ia_link) {
                                /*
                                 * If the addr to forward to is one
@@ -982,13 +1314,15 @@ skip_ipsec:
                                                 dst->sin_addr.s_addr)
                                        break;
                        }
                                                 dst->sin_addr.s_addr)
                                        break;
                        }
-                       if (ia) {
+                       lck_rw_done(in_ifaddr_rwlock);
+                       if (ia_fw) {
                                /* tell ip_input "dont filter" */
                                struct m_tag            *fwd_tag;
                                struct ip_fwd_tag       *ipfwd_tag;
                                
                                /* tell ip_input "dont filter" */
                                struct m_tag            *fwd_tag;
                                struct ip_fwd_tag       *ipfwd_tag;
                                
-                               fwd_tag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFORWARD,
-                                               sizeof(struct sockaddr_in), M_NOWAIT);
+                               fwd_tag = m_tag_alloc(KERNEL_MODULE_TAG_ID,
+                                   KERNEL_TAG_TYPE_IPFORWARD,
+                                   sizeof (*ipfwd_tag), M_NOWAIT);
                                if (fwd_tag == NULL) {
                                        error = ENOBUFS;
                                        goto bad;
                                if (fwd_tag == NULL) {
                                        error = ENOBUFS;
                                        goto bad;
@@ -1017,10 +1351,11 @@ skip_ipsec:
                                        m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
                                        ip->ip_sum = in_cksum(m, hlen);
                                }
                                        m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
                                        ip->ip_sum = in_cksum(m, hlen);
                                }
+
+#if BYTE_ORDER != BIG_ENDIAN
                                HTONS(ip->ip_len);
                                HTONS(ip->ip_off);
                                HTONS(ip->ip_len);
                                HTONS(ip->ip_off);
-                               
-                               lck_mtx_unlock(ip_mutex);
+#endif                         
                                
                                /*  we need to call dlil_output to run filters
                                 *      and resync to avoid recursion loops.
                                
                                /*  we need to call dlil_output to run filters
                                 *      and resync to avoid recursion loops.
@@ -1041,25 +1376,32 @@ skip_ipsec:
                         */
                        bcopy(dst, &ro_fwd->ro_dst, sizeof(*dst));
 
                         */
                        bcopy(dst, &ro_fwd->ro_dst, sizeof(*dst));
 
-                       ro_fwd->ro_rt = 0;
+                       ro_fwd->ro_rt = NULL;
                        rtalloc_ign(ro_fwd, RTF_PRCLONING);
 
                        rtalloc_ign(ro_fwd, RTF_PRCLONING);
 
-                       if (ro_fwd->ro_rt == 0) {
-                               ipstat.ips_noroute++;
+                       if (ro_fwd->ro_rt == NULL) {
+                               OSAddAtomic(1, &ipstat.ips_noroute);
                                error = EHOSTUNREACH;
                                goto bad;
                        }
 
                                error = EHOSTUNREACH;
                                goto bad;
                        }
 
+                       RT_LOCK_SPIN(ro_fwd->ro_rt);
                        ia_fw = ifatoia(ro_fwd->ro_rt->rt_ifa);
                        ia_fw = ifatoia(ro_fwd->ro_rt->rt_ifa);
+                       if (ia_fw != NULL)
+                               ifaref(&ia_fw->ia_ifa);
                        ifp = ro_fwd->ro_rt->rt_ifp;
                        ro_fwd->ro_rt->rt_use++;
                        if (ro_fwd->ro_rt->rt_flags & RTF_GATEWAY)
                                dst = (struct sockaddr_in *)ro_fwd->ro_rt->rt_gateway;
                        ifp = ro_fwd->ro_rt->rt_ifp;
                        ro_fwd->ro_rt->rt_use++;
                        if (ro_fwd->ro_rt->rt_flags & RTF_GATEWAY)
                                dst = (struct sockaddr_in *)ro_fwd->ro_rt->rt_gateway;
-                       if (ro_fwd->ro_rt->rt_flags & RTF_HOST)
+                       if (ro_fwd->ro_rt->rt_flags & RTF_HOST) {
                                isbroadcast =
                                    (ro_fwd->ro_rt->rt_flags & RTF_BROADCAST);
                                isbroadcast =
                                    (ro_fwd->ro_rt->rt_flags & RTF_BROADCAST);
-                       else
+                       } else {
+                               /* Become a regular mutex */
+                               RT_CONVERT_LOCK(ro_fwd->ro_rt);
                                isbroadcast = in_broadcast(dst->sin_addr, ifp);
                                isbroadcast = in_broadcast(dst->sin_addr, ifp);
+                       }
+                       RT_UNLOCK(ro_fwd->ro_rt);
                        rtfree(ro->ro_rt);
                        ro->ro_rt = ro_fwd->ro_rt;
                        dst = (struct sockaddr_in *)&ro_fwd->ro_dst;
                        rtfree(ro->ro_rt);
                        ro->ro_rt = ro_fwd->ro_rt;
                        dst = (struct sockaddr_in *)&ro_fwd->ro_dst;
@@ -1069,8 +1411,11 @@ skip_ipsec:
                         * which would have been gotten from the-then
                         * interface, do it again, from the new one.
                         */
                         * which would have been gotten from the-then
                         * interface, do it again, from the new one.
                         */
-                       if (fwd_rewrite_src)
-                               ip->ip_src = IA_SIN(ia_fw)->sin_addr;
+                       if (ia_fw != NULL) {
+                               if (fwd_rewrite_src)
+                                       ip->ip_src = IA_SIN(ia_fw)->sin_addr;
+                               ifafree(&ia_fw->ia_ifa);
+                       }
                        goto pass ;
                }
 #endif /* IPFIREWALL_FORWARD */
                        goto pass ;
                }
 #endif /* IPFIREWALL_FORWARD */
@@ -1080,9 +1425,9 @@ skip_ipsec:
                  */
                m_freem(m);
                error = EACCES; /* not sure this is the right error msg */
                  */
                m_freem(m);
                error = EACCES; /* not sure this is the right error msg */
-               lck_mtx_unlock(ip_mutex);
                goto done;
        }
                goto done;
        }
+#endif /* IPFIREWALL */
 
 pass:
 #if __APPLE__
 
 pass:
 #if __APPLE__
@@ -1090,7 +1435,7 @@ pass:
        if ((ifp->if_flags & IFF_LOOPBACK) == 0 &&
                 ((ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
                  (ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)) {
        if ((ifp->if_flags & IFF_LOOPBACK) == 0 &&
                 ((ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
                  (ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)) {
-               ipstat.ips_badaddr++;
+               OSAddAtomic(1, &ipstat.ips_badaddr);
                m_freem(m);
                /* 
                 * Do not simply drop the packet just like a firewall -- we want the 
                m_freem(m);
                /* 
                 * Do not simply drop the packet just like a firewall -- we want the 
@@ -1100,11 +1445,12 @@ pass:
                 * loopback as the source address.
                 */
                error = ENETUNREACH;
                 * loopback as the source address.
                 */
                error = ENETUNREACH;
-               lck_mtx_unlock(ip_mutex);
                goto done;
        }
 #endif
        m->m_pkthdr.csum_flags |= CSUM_IP;
                goto done;
        }
 #endif
        m->m_pkthdr.csum_flags |= CSUM_IP;
+       tso =  (ifp->if_hwassist & IFNET_TSO_IPV4) && (m->m_pkthdr.csum_flags & CSUM_TSO_IPV4);
+                    
        sw_csum = m->m_pkthdr.csum_flags 
                & ~IF_HWASSIST_CSUM_FLAGS(ifp->if_hwassist);
 
        sw_csum = m->m_pkthdr.csum_flags 
                & ~IF_HWASSIST_CSUM_FLAGS(ifp->if_hwassist);
 
@@ -1128,6 +1474,9 @@ pass:
                        /* let the software handle any UDP or TCP checksums */
                        sw_csum |= (CSUM_DELAY_DATA & m->m_pkthdr.csum_flags);
                }
                        /* let the software handle any UDP or TCP checksums */
                        sw_csum |= (CSUM_DELAY_DATA & m->m_pkthdr.csum_flags);
                }
+       } else if (apple_hwcksum_tx == 0) {
+               sw_csum |= (CSUM_DELAY_DATA | CSUM_DELAY_IP) &
+                   m->m_pkthdr.csum_flags;
        }
        
        if (sw_csum & CSUM_DELAY_DATA) {
        }
        
        if (sw_csum & CSUM_DELAY_DATA) {
@@ -1135,17 +1484,29 @@ pass:
                sw_csum &= ~CSUM_DELAY_DATA;
                m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
        }
                sw_csum &= ~CSUM_DELAY_DATA;
                m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
        }
-       
-       m->m_pkthdr.csum_flags &= IF_HWASSIST_CSUM_FLAGS(ifp->if_hwassist);
+
+       if (apple_hwcksum_tx != 0) {
+               m->m_pkthdr.csum_flags &=
+                   IF_HWASSIST_CSUM_FLAGS(ifp->if_hwassist);
+       } else {
+               m->m_pkthdr.csum_flags = 0;
+       }
 
        /*
         * If small enough for interface, or the interface will take
         * care of the fragmentation for us, can just send directly.
         */
 
        /*
         * If small enough for interface, or the interface will take
         * care of the fragmentation for us, can just send directly.
         */
-       if ((u_short)ip->ip_len <= ifp->if_mtu ||
+       if ((u_short)ip->ip_len <= ifp->if_mtu || tso ||
            ifp->if_hwassist & CSUM_FRAGMENT) {
            ifp->if_hwassist & CSUM_FRAGMENT) {
+               if (tso) 
+                       m->m_pkthdr.csum_flags |= CSUM_TSO_IPV4;
+                       
+
+#if BYTE_ORDER != BIG_ENDIAN
                HTONS(ip->ip_len);
                HTONS(ip->ip_off);
                HTONS(ip->ip_len);
                HTONS(ip->ip_off);
+#endif
+               
                ip->ip_sum = 0;
                if (sw_csum & CSUM_DELAY_IP) {
                        ip->ip_sum = in_cksum(m, hlen);
                ip->ip_sum = 0;
                if (sw_csum & CSUM_DELAY_IP) {
                        ip->ip_sum = in_cksum(m, hlen);
@@ -1165,20 +1526,22 @@ pass:
                        ipsec_delaux(m);
 #endif
                if (packetchain == 0) {
                        ipsec_delaux(m);
 #endif
                if (packetchain == 0) {
-                       lck_mtx_unlock(ip_mutex);
-                       error = dlil_output(ifp, PF_INET, m, (void *) ro->ro_rt,
-                                   (struct sockaddr *)dst, 0);
-                       goto done;      
+                       error = ifnet_output(ifp, PF_INET, m, ro->ro_rt,
+                           (struct sockaddr *)dst);
+                       goto done;
                }
                else { /* packet chaining allows us to reuse the route for all packets */
                }
                else { /* packet chaining allows us to reuse the route for all packets */
+                       mppn = &m->m_nextpkt;
                        m = m->m_nextpkt;
                        if (m == NULL) {
                        m = m->m_nextpkt;
                        if (m == NULL) {
+#if PF
+sendchain:
+#endif /* PF */
                                if (pktcnt > ip_maxchainsent)
                                        ip_maxchainsent = pktcnt;
                                //send
                                if (pktcnt > ip_maxchainsent)
                                        ip_maxchainsent = pktcnt;
                                //send
-                               lck_mtx_unlock(ip_mutex);
-                               error = dlil_output_list(ifp, PF_INET, packetlist, (void *) ro->ro_rt,
-                                       (struct sockaddr *)dst, 0);
+                               error = ifnet_output(ifp, PF_INET, packetlist,
+                                   ro->ro_rt, (struct sockaddr *)dst);
                                pktcnt = 0;
                                goto done;
        
                                pktcnt = 0;
                                goto done;
        
@@ -1192,60 +1555,132 @@ pass:
         * Too large for interface; fragment if possible.
         * Must be able to put at least 8 bytes per fragment.
         */
         * Too large for interface; fragment if possible.
         * Must be able to put at least 8 bytes per fragment.
         */
-       if (ip->ip_off & IP_DF) {
+
+       if (ip->ip_off & IP_DF  || (m->m_pkthdr.csum_flags & CSUM_TSO_IPV4)) {
                error = EMSGSIZE;
                /*
                 * This case can happen if the user changed the MTU
                error = EMSGSIZE;
                /*
                 * This case can happen if the user changed the MTU
+                *   
                 * of an interface after enabling IP on it.  Because
                 * most netifs don't keep track of routes pointing to
                 * them, there is no way for one to update all its
                 * routes when the MTU is changed.
                 */
                 * of an interface after enabling IP on it.  Because
                 * most netifs don't keep track of routes pointing to
                 * them, there is no way for one to update all its
                 * routes when the MTU is changed.
                 */
-               if ((ro->ro_rt->rt_flags & (RTF_UP | RTF_HOST))
+               RT_LOCK_SPIN(ro->ro_rt);
+               if (ro->ro_rt && (ro->ro_rt->rt_flags & (RTF_UP | RTF_HOST))
                    && !(ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU)
                    && (ro->ro_rt->rt_rmx.rmx_mtu > ifp->if_mtu)) {
                        ro->ro_rt->rt_rmx.rmx_mtu = ifp->if_mtu;
                }
                    && !(ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU)
                    && (ro->ro_rt->rt_rmx.rmx_mtu > ifp->if_mtu)) {
                        ro->ro_rt->rt_rmx.rmx_mtu = ifp->if_mtu;
                }
-               ipstat.ips_cantfrag++;
+               RT_UNLOCK(ro->ro_rt);
+               OSAddAtomic(1, &ipstat.ips_cantfrag);
                goto bad;
        }
                goto bad;
        }
-       len = (ifp->if_mtu - hlen) &~ 7;
-       if (len < 8) {
-               error = EMSGSIZE;
+
+       error = ip_fragment(m, ifp, ifp->if_mtu, sw_csum);
+       if (error != 0) {
+               m0 = m = NULL;
                goto bad;
        }
 
                goto bad;
        }
 
-       /*
-        * if the interface will not calculate checksums on
-        * fragmented packets, then do it here.
-        */
-       if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA &&
-           (ifp->if_hwassist & CSUM_IP_FRAGS) == 0) {
-               in_delayed_cksum(m);
-               if (m == NULL) {
-                       lck_mtx_unlock(ip_mutex);
-                       return(ENOMEM);
-               }
-               m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
+       KERNEL_DEBUG(DBG_LAYER_END, ip->ip_dst.s_addr, 
+                    ip->ip_src.s_addr, ip->ip_p, ip->ip_off, ip->ip_len);
+
+       for (m = m0; m; m = m0) {
+               m0 = m->m_nextpkt;
+               m->m_nextpkt = 0;
+#if IPSEC
+               /* clean ipsec history once it goes out of the node */
+               if (ipsec_bypass == 0 && (flags & IP_NOIPSEC) == 0)
+                       ipsec_delaux(m);
+#endif
+               if (error == 0) {
+#ifndef __APPLE__
+                       /* Record statistics for this interface address. */
+                       if (ia != NULL) {
+                               ia->ia_ifa.if_opackets++;
+                               ia->ia_ifa.if_obytes += m->m_pkthdr.len;
+                       }
+#endif
+                       if ((packetchain != 0)  && (pktcnt > 0))
+                               panic("ip_output: mix of packet in packetlist is wrong=%p", packetlist);
+                       error = ifnet_output(ifp, PF_INET, m, ro->ro_rt,
+                           (struct sockaddr *)dst);
+               } else
+                       m_freem(m);
        }
 
        }
 
+       if (error == 0)
+               OSAddAtomic(1, &ipstat.ips_fragmented);
 
 
-    {
-       int mhlen, firstlen = len;
-       struct mbuf **mnext = &m->m_nextpkt;
-       int nfrags = 1;
+done:
+       if (ia) {
+               ifafree(&ia->ia_ifa);
+               ia = NULL;
+       }
+#if IPSEC
+       if (ipsec_bypass == 0 && (flags & IP_NOIPSEC) == 0) {
+       if (ro == &iproute && ro->ro_rt) {
+               rtfree(ro->ro_rt);
+               ro->ro_rt = NULL;
+       }
+       if (sp != NULL) {
+               KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
+                       printf("DP ip_output call free SP:%x\n", sp));
+               key_freesp(sp, KEY_SADB_UNLOCKED);
+       }
+       }
+#endif /* IPSEC */
 
 
-       /*
-        * Loop through length of segment after first fragment,
-        * make new header and copy data of each part and link onto chain.
-        */
-       m0 = m;
-       mhlen = sizeof (struct ip);
-       for (off = hlen + len; off < (u_short)ip->ip_len; off += len) {
-               MGETHDR(m, M_DONTWAIT, MT_HEADER);
-               if (m == 0) {
-                       error = ENOBUFS;
-                       ipstat.ips_odropped++;
+       KERNEL_DEBUG(DBG_FNC_IP_OUTPUT | DBG_FUNC_END, error,0,0,0,0);
+       return (error);
+bad:
+       m_freem(m0);
+       goto done;
+}
+
+int
+ip_fragment(struct mbuf *m, struct ifnet *ifp, unsigned long mtu, int sw_csum)
+{
+       struct ip *ip, *mhip;
+       int len, hlen, mhlen, firstlen, off, error = 0;
+       struct mbuf **mnext = &m->m_nextpkt, *m0;
+       int nfrags = 1;
+
+       ip = mtod(m, struct ip *);
+#ifdef _IP_VHL
+       hlen = IP_VHL_HL(ip->ip_vhl) << 2;
+#else
+       hlen = ip->ip_hl << 2;
+#endif
+
+       firstlen = len = (mtu - hlen) &~ 7;
+       if (len < 8) {
+               m_freem(m);
+               return (EMSGSIZE);
+       }
+
+       /*
+        * if the interface will not calculate checksums on
+        * fragmented packets, then do it here.
+        */
+       if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA &&
+           (ifp->if_hwassist & CSUM_IP_FRAGS) == 0) {
+               in_delayed_cksum(m);
+               m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
+       }
+
+       /*
+        * Loop through length of segment after first fragment,
+        * make new header and copy data of each part and link onto chain.
+        */
+       m0 = m;
+       mhlen = sizeof (struct ip);
+       for (off = hlen + len; off < (u_short)ip->ip_len; off += len) {
+               MGETHDR(m, M_DONTWAIT, MT_HEADER);      /* MAC-OK */
+               if (m == 0) {
+                       error = ENOBUFS;
+                       OSAddAtomic(1, &ipstat.ips_odropped);
                        goto sendorfree;
                }
                m->m_flags |= (m0->m_flags & M_MCAST) | M_FRAG;
                        goto sendorfree;
                }
                m->m_flags |= (m0->m_flags & M_MCAST) | M_FRAG;
@@ -1269,14 +1704,21 @@ pass:
                if (m->m_next == 0) {
                        (void) m_free(m);
                        error = ENOBUFS;        /* ??? */
                if (m->m_next == 0) {
                        (void) m_free(m);
                        error = ENOBUFS;        /* ??? */
-                       ipstat.ips_odropped++;
+                       OSAddAtomic(1, &ipstat.ips_odropped);
                        goto sendorfree;
                }
                m->m_pkthdr.len = mhlen + len;
                m->m_pkthdr.rcvif = 0;
                m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags;
                m->m_pkthdr.socket_id = m0->m_pkthdr.socket_id;
                        goto sendorfree;
                }
                m->m_pkthdr.len = mhlen + len;
                m->m_pkthdr.rcvif = 0;
                m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags;
                m->m_pkthdr.socket_id = m0->m_pkthdr.socket_id;
+#if CONFIG_MACF_NET
+               mac_netinet_fragment(m0, m);
+#endif
+
+#if BYTE_ORDER != BIG_ENDIAN
                HTONS(mhip->ip_off);
                HTONS(mhip->ip_off);
+#endif
+
                mhip->ip_sum = 0;
                if (sw_csum & CSUM_DELAY_IP) {
                        mhip->ip_sum = in_cksum(m, mhlen);
                mhip->ip_sum = 0;
                if (sw_csum & CSUM_DELAY_IP) {
                        mhip->ip_sum = in_cksum(m, mhlen);
@@ -1285,7 +1727,7 @@ pass:
                mnext = &m->m_nextpkt;
                nfrags++;
        }
                mnext = &m->m_nextpkt;
                nfrags++;
        }
-       ipstat.ips_ofragments += nfrags;
+       OSAddAtomic(nfrags, &ipstat.ips_ofragments);
 
        /* set first/last markers for fragment chain */
        m->m_flags |= M_LASTFRAG;
 
        /* set first/last markers for fragment chain */
        m->m_flags |= M_LASTFRAG;
@@ -1301,96 +1743,66 @@ pass:
        m->m_pkthdr.len = hlen + firstlen;
        ip->ip_len = htons((u_short)m->m_pkthdr.len);
        ip->ip_off |= IP_MF;
        m->m_pkthdr.len = hlen + firstlen;
        ip->ip_len = htons((u_short)m->m_pkthdr.len);
        ip->ip_off |= IP_MF;
+
+#if BYTE_ORDER != BIG_ENDIAN
        HTONS(ip->ip_off);
        HTONS(ip->ip_off);
+#endif
+       
        ip->ip_sum = 0;
        if (sw_csum & CSUM_DELAY_IP) {
                ip->ip_sum = in_cksum(m, hlen);
        }
 sendorfree:
        ip->ip_sum = 0;
        if (sw_csum & CSUM_DELAY_IP) {
                ip->ip_sum = in_cksum(m, hlen);
        }
 sendorfree:
+       if (error)
+               m_freem_list(m0);
 
 
-       KERNEL_DEBUG(DBG_LAYER_END, ip->ip_dst.s_addr, 
-                    ip->ip_src.s_addr, ip->ip_p, ip->ip_off, ip->ip_len);
-
-       lck_mtx_unlock(ip_mutex);
-       for (m = m0; m; m = m0) {
-               m0 = m->m_nextpkt;
-               m->m_nextpkt = 0;
-#if IPSEC
-               /* clean ipsec history once it goes out of the node */
-               if (ipsec_bypass == 0 && (flags & IP_NOIPSEC) == 0)
-                       ipsec_delaux(m);
-#endif
-               if (error == 0) {
-#ifndef __APPLE__
-                       /* Record statistics for this interface address. */
-                       if (ia != NULL) {
-                               ia->ia_ifa.if_opackets++;
-                               ia->ia_ifa.if_obytes += m->m_pkthdr.len;
-                       }
-#endif
-                   if ((packetchain != 0)  && (pktcnt > 0))    
-                               panic("ip_output: mix of packet in packetlist is wrong=%x", packetlist);
-                   error = dlil_output(ifp, PF_INET, m, (void *) ro->ro_rt,
-                                       (struct sockaddr *)dst, 0);
-               } else
-                       m_freem(m);
-       }
+       return (error);
+}
 
 
-       if (error == 0)
-               ipstat.ips_fragmented++;
-    }
-done:
-       if (ia) {
-               ifafree(&ia->ia_ifa);
-               ia = NULL;
-       }
-#if IPSEC
-       if (ipsec_bypass == 0 && (flags & IP_NOIPSEC) == 0) {
-       if (ro == &iproute && ro->ro_rt) {
-               rtfree(ro->ro_rt);
-               ro->ro_rt = NULL;
-       }
-       if (sp != NULL) {
-               KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
-                       printf("DP ip_output call free SP:%x\n", sp));
-               lck_mtx_lock(sadb_mutex);
-               key_freesp(sp);
-               lck_mtx_unlock(sadb_mutex);
-       }
+static void
+ip_out_cksum_stats(int proto, u_int32_t len)
+{
+       switch (proto) {
+       case IPPROTO_TCP:
+               tcp_out_cksum_stats(len);
+               break;
+       case IPPROTO_UDP:
+               udp_out_cksum_stats(len);
+               break;
+       default:
+               /* keep only TCP or UDP stats for now */
+               break;
        }
        }
-#endif /* IPSEC */
-
-       KERNEL_DEBUG(DBG_FNC_IP_OUTPUT | DBG_FUNC_END, error,0,0,0,0);
-       return (error);
-bad:
-       m_freem(m0);
-       lck_mtx_unlock(ip_mutex);
-       goto done;
 }
 
 void
 }
 
 void
-in_delayed_cksum_offset(struct mbuf *m, int ip_offset)
+in_delayed_cksum_offset(struct mbuf *m0, int ip_offset)
 {
        struct ip *ip;
 {
        struct ip *ip;
-       u_short csum, offset;
+       unsigned char buf[sizeof(struct ip)];
+       u_short csum, offset, ip_len;
+       struct mbuf *m = m0;
        
        
-       while (ip_offset > m->m_len) {
+       while (ip_offset >= m->m_len) {
                ip_offset -= m->m_len;
                m = m->m_next;
                ip_offset -= m->m_len;
                m = m->m_next;
-               if (m) {
+               if (m == NULL) {
                        printf("in_delayed_cksum_withoffset failed - ip_offset wasn't in the packet\n");
                        return;
                }
        }
        
                        printf("in_delayed_cksum_withoffset failed - ip_offset wasn't in the packet\n");
                        return;
                }
        }
        
+       /* Sometimes the IP header is not contiguous, yes this can happen! */
        if (ip_offset + sizeof(struct ip) > m->m_len) {
        if (ip_offset + sizeof(struct ip) > m->m_len) {
-               printf("delayed m_pullup, m->len: %d  off: %d  p: %d\n",
-                       m->m_len, ip_offset, ip->ip_p);
-               /*
-                * XXX
-                * this shouldn't happen
-                */
-               m = m_pullup(m, ip_offset + sizeof(struct ip));
+#if DEBUG              
+               printf("delayed m_pullup, m->len: %d  off: %d\n",
+                       m->m_len, ip_offset);
+#endif
+               m_copydata(m, ip_offset, sizeof(struct ip), (caddr_t) buf);
+               
+               ip = (struct ip *)buf;
+       } else {
+               ip = (struct ip*)(m->m_data + ip_offset);
        }
        
        /* Gross */
        }
        
        /* Gross */
@@ -1399,36 +1811,60 @@ in_delayed_cksum_offset(struct mbuf *m, int ip_offset)
                m->m_data += ip_offset;
        }
        
                m->m_data += ip_offset;
        }
        
-       ip = mtod(m, struct ip*);
        offset = IP_VHL_HL(ip->ip_vhl) << 2 ;
        offset = IP_VHL_HL(ip->ip_vhl) << 2 ;
-       csum = in_cksum_skip(m, ip->ip_len, offset);
-       if (m->m_pkthdr.csum_flags & CSUM_UDP && csum == 0)
+
+       /*
+        * We could be in the context of an IP or interface filter; in the
+        * former case, ip_len would be in host (correct) order while for
+        * the latter it would be in network order.  Because of this, we
+        * attempt to interpret the length field by comparing it against
+        * the actual packet length.  If the comparison fails, byte swap
+        * the length and check again.  If it still fails, then the packet
+        * is bogus and we give up.
+        */
+       ip_len = ip->ip_len;
+       if (ip_len != (m0->m_pkthdr.len - ip_offset)) {
+               ip_len = SWAP16(ip_len);
+               if (ip_len != (m0->m_pkthdr.len - ip_offset)) {
+                       printf("in_delayed_cksum_offset: ip_len %d (%d) "
+                           "doesn't match actual length %d\n", ip->ip_len,
+                           ip_len, (m0->m_pkthdr.len - ip_offset));
+                       return;
+               }
+       }
+
+       csum = in_cksum_skip(m, ip_len, offset);
+
+       /* Update stats */
+       ip_out_cksum_stats(ip->ip_p, ip_len - offset);
+
+       if (m0->m_pkthdr.csum_flags & CSUM_UDP && csum == 0)
                csum = 0xffff;
                csum = 0xffff;
-       offset += m->m_pkthdr.csum_data & 0xFFFF;        /* checksum offset */
-       
+       offset += m0->m_pkthdr.csum_data & 0xFFFF;        /* checksum offset */
+
        /* Gross */
        if (ip_offset) {
                if (M_LEADINGSPACE(m) < ip_offset)
        /* Gross */
        if (ip_offset) {
                if (M_LEADINGSPACE(m) < ip_offset)
-                       panic("in_delayed_cksum_withoffset - chain modified!\n");
+                       panic("in_delayed_cksum_offset - chain modified!\n");
                m->m_len += ip_offset;
                m->m_data -= ip_offset;
        }
 
                m->m_len += ip_offset;
                m->m_data -= ip_offset;
        }
 
-       if (offset > ip->ip_len) /* bogus offset */
+       if (offset > ip_len) /* bogus offset */
                return;
 
                return;
 
+       /* Insert the checksum in the existing chain */
        if (offset + ip_offset + sizeof(u_short) > m->m_len) {
        if (offset + ip_offset + sizeof(u_short) > m->m_len) {
-               printf("delayed m_pullup, m->len: %d  off: %d  p: %d\n",
+               char tmp[2];
+               
+#if DEBUG
+               printf("delayed m_copyback, m->len: %d  off: %d  p: %d\n",
                    m->m_len, offset + ip_offset, ip->ip_p);
                    m->m_len, offset + ip_offset, ip->ip_p);
-               /*
-                * XXX
-                * this shouldn't happen, but if it does, the
-                * correct behavior may be to insert the checksum
-                * in the existing chain instead of rearranging it.
-                */
-               m = m_pullup(m, offset + ip_offset + sizeof(u_short));
-       }
-       *(u_short *)(m->m_data + offset + ip_offset) = csum;
+#endif
+               *(u_short *)tmp = csum;
+               m_copyback(m, offset + ip_offset, 2, tmp);
+       } else
+               *(u_short *)(m->m_data + offset + ip_offset) = csum;
 }
 
 void
 }
 
 void
@@ -1442,24 +1878,33 @@ in_cksum_offset(struct mbuf* m, size_t ip_offset)
 {
        struct ip* ip = NULL;
        int hlen = 0;
 {
        struct ip* ip = NULL;
        int hlen = 0;
+       unsigned char buf[sizeof(struct ip)];
+       int swapped = 0;
        
        
-       while (ip_offset > m->m_len) {
+       while (ip_offset >= m->m_len) {
                ip_offset -= m->m_len;
                m = m->m_next;
                ip_offset -= m->m_len;
                m = m->m_next;
-               if (m) {
+               if (m == NULL) {
                        printf("in_cksum_offset failed - ip_offset wasn't in the packet\n");
                        return;
                }
        }
        
                        printf("in_cksum_offset failed - ip_offset wasn't in the packet\n");
                        return;
                }
        }
        
+       /* Sometimes the IP header is not contiguous, yes this can happen! */
        if (ip_offset + sizeof(struct ip) > m->m_len) {
        if (ip_offset + sizeof(struct ip) > m->m_len) {
-               printf("in_cksum_offset - delayed m_pullup, m->len: %d  off: %d\n",
+
+#if DEBUG
+               printf("in_cksum_offset - delayed m_pullup, m->len: %d  off: %lu\n",
                        m->m_len, ip_offset);
                        m->m_len, ip_offset);
-               /*
-                * XXX
-                * this shouldn't happen
-                */
-               m = m_pullup(m, ip_offset + sizeof(struct ip));
+#endif 
+               m_copydata(m, ip_offset, sizeof(struct ip), (caddr_t) buf);
+
+               ip = (struct ip *)buf;
+               ip->ip_sum = 0;
+               m_copyback(m, ip_offset + offsetof(struct ip, ip_sum), 2, (caddr_t)&ip->ip_sum);
+       } else {
+               ip = (struct ip*)(m->m_data + ip_offset);
+               ip->ip_sum = 0;
        }
        
        /* Gross */
        }
        
        /* Gross */
@@ -1468,17 +1913,38 @@ in_cksum_offset(struct mbuf* m, size_t ip_offset)
                m->m_data += ip_offset;
        }
 
                m->m_data += ip_offset;
        }
 
-       ip = mtod(m, struct ip*);
-
 #ifdef _IP_VHL
        hlen = IP_VHL_HL(ip->ip_vhl) << 2;
 #else
        hlen = ip->ip_hl << 2;
 #endif
 #ifdef _IP_VHL
        hlen = IP_VHL_HL(ip->ip_vhl) << 2;
 #else
        hlen = ip->ip_hl << 2;
 #endif
-       
+       /*
+        * We could be in the context of an IP or interface filter; in the
+        * former case, ip_len would be in host order while for the latter
+        * it would be in network (correct) order.  Because of this, we
+        * attempt to interpret the length field by comparing it against
+        * the actual packet length.  If the comparison fails, byte swap
+        * the length and check again.  If it still fails, then the packet
+        * is bogus and we give up.
+        */
+       if (ntohs(ip->ip_len) != (m->m_pkthdr.len - ip_offset)) {
+               ip->ip_len = SWAP16(ip->ip_len);
+               swapped = 1;
+               if (ntohs(ip->ip_len) != (m->m_pkthdr.len - ip_offset)) {
+                       ip->ip_len = SWAP16(ip->ip_len);
+                       printf("in_cksum_offset: ip_len %d (%d) "
+                           "doesn't match actual length %lu\n",
+                           ip->ip_len, SWAP16(ip->ip_len),
+                           (m->m_pkthdr.len - ip_offset));
+                       return;
+               }
+       }
+
        ip->ip_sum = 0;
        ip->ip_sum = in_cksum(m, hlen);
        ip->ip_sum = 0;
        ip->ip_sum = in_cksum(m, hlen);
-       
+       if (swapped)
+               ip->ip_len = SWAP16(ip->ip_len);
+
        /* Gross */
        if (ip_offset) {
                if (M_LEADINGSPACE(m) < ip_offset)
        /* Gross */
        if (ip_offset) {
                if (M_LEADINGSPACE(m) < ip_offset)
@@ -1486,6 +1952,18 @@ in_cksum_offset(struct mbuf* m, size_t ip_offset)
                m->m_len += ip_offset;
                m->m_data -= ip_offset;
        }
                m->m_len += ip_offset;
                m->m_data -= ip_offset;
        }
+
+       /* Insert the checksum in the existing chain if IP header not contiguous */
+       if (ip_offset + sizeof(struct ip) > m->m_len) {
+               char tmp[2];
+
+#if DEBUG
+               printf("in_cksum_offset m_copyback, m->len: %u  off: %lu  p: %d\n",
+                   m->m_len, ip_offset + offsetof(struct ip, ip_sum), ip->ip_p);
+#endif
+               *(u_short *)tmp = ip->ip_sum;
+               m_copyback(m, ip_offset + offsetof(struct ip, ip_sum), 2, tmp);
+       }
 }
 
 /*
 }
 
 /*
@@ -1512,10 +1990,13 @@ ip_insertoptions(m, opt, phlen)
        if (p->ipopt_dst.s_addr)
                ip->ip_dst = p->ipopt_dst;
        if (m->m_flags & M_EXT || m->m_data - optlen < m->m_pktdat) {
        if (p->ipopt_dst.s_addr)
                ip->ip_dst = p->ipopt_dst;
        if (m->m_flags & M_EXT || m->m_data - optlen < m->m_pktdat) {
-               MGETHDR(n, M_DONTWAIT, MT_HEADER);
+               MGETHDR(n, M_DONTWAIT, MT_HEADER);      /* MAC-OK */
                if (n == 0)
                        return (m);
                n->m_pkthdr.rcvif = 0;
                if (n == 0)
                        return (m);
                n->m_pkthdr.rcvif = 0;
+#if CONFIG_MACF_NET
+               mac_mbuf_label_copy(m, n);
+#endif
                n->m_pkthdr.len = m->m_pkthdr.len + optlen;
                m->m_len -= sizeof(struct ip);
                m->m_data += sizeof(struct ip);
                n->m_pkthdr.len = m->m_pkthdr.len + optlen;
                m->m_len -= sizeof(struct ip);
                m->m_data += sizeof(struct ip);
@@ -1613,7 +2094,8 @@ ip_ctloutput(so, sopt)
                                error = EMSGSIZE;
                                break;
                        }
                                error = EMSGSIZE;
                                break;
                        }
-                       MGET(m, sopt->sopt_p ? M_WAIT : M_DONTWAIT, MT_HEADER);
+                       MGET(m, sopt->sopt_p != kernproc ? M_WAIT : M_DONTWAIT,
+                           MT_HEADER);
                        if (m == 0) {
                                error = ENOBUFS;
                                break;
                        if (m == 0) {
                                error = ENOBUFS;
                                break;
@@ -1686,6 +2168,69 @@ ip_ctloutput(so, sopt)
                        break;
 #undef OPTSET
 
                        break;
 #undef OPTSET
 
+#if CONFIG_FORCE_OUT_IFP
+               /*
+                * Apple private interface, similar to IP_BOUND_IF, except
+                * that the parameter is a NULL-terminated string containing
+                * the name of the network interface; an emptry string means
+                * unbind.  Applications are encouraged to use IP_BOUND_IF
+                * instead, as that is the current "official" API.
+                */
+               case IP_FORCE_OUT_IFP: {
+                       char ifname[IFNAMSIZ];
+                       unsigned int ifscope;
+
+                       /* This option is settable only for IPv4 */
+                       if (!(inp->inp_vflag & INP_IPV4)) {
+                               error = EINVAL;
+                               break;
+                       }
+
+                       /* Verify interface name parameter is sane */
+                       if (sopt->sopt_valsize > sizeof(ifname)) {
+                               error = EINVAL;
+                               break;
+                       }
+
+                       /* Copy the interface name */
+                       if (sopt->sopt_valsize != 0) {
+                               error = sooptcopyin(sopt, ifname,
+                                   sizeof (ifname), sopt->sopt_valsize);
+                               if (error)
+                                       break;
+                       }
+
+                       if (sopt->sopt_valsize == 0 || ifname[0] == NULL) {
+                               /* Unbind this socket from any interface */
+                               ifscope = IFSCOPE_NONE;
+                       } else {
+                               ifnet_t ifp;
+
+                               /* Verify name is NULL terminated */
+                               if (ifname[sopt->sopt_valsize - 1] != NULL) {
+                                       error = EINVAL;
+                                       break;
+                               }
+
+                               /* Bail out if given bogus interface name */
+                               if (ifnet_find_by_name(ifname, &ifp) != 0) {
+                                       error = ENXIO;
+                                       break;
+                               }
+
+                               /* Bind this socket to this interface */
+                               ifscope = ifp->if_index;
+
+                               /*
+                                * Won't actually free; since we don't release
+                                * this later, we should do it now.
+                                */
+                               ifnet_release(ifp);
+                       }
+                       ip_bindif(inp, ifscope);
+               }
+               break;
+#endif
                case IP_MULTICAST_IF:
                case IP_MULTICAST_VIF:
                case IP_MULTICAST_TTL:
                case IP_MULTICAST_IF:
                case IP_MULTICAST_VIF:
                case IP_MULTICAST_TTL:
@@ -1740,21 +2285,74 @@ ip_ctloutput(so, sopt)
                                break;
                        if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */
                                break;
                                break;
                        if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */
                                break;
-                       priv = (sopt->sopt_p != NULL &&
-                               proc_suser(sopt->sopt_p) != 0) ? 0 : 1;
+                       priv = (proc_suser(sopt->sopt_p) == 0);
                        if (m) {
                                req = mtod(m, caddr_t);
                                len = m->m_len;
                        }
                        optname = sopt->sopt_name;
                        if (m) {
                                req = mtod(m, caddr_t);
                                len = m->m_len;
                        }
                        optname = sopt->sopt_name;
-                       lck_mtx_lock(sadb_mutex);
                        error = ipsec4_set_policy(inp, optname, req, len, priv);
                        error = ipsec4_set_policy(inp, optname, req, len, priv);
-                       lck_mtx_unlock(sadb_mutex);
                        m_freem(m);
                        break;
                }
 #endif /*IPSEC*/
 
                        m_freem(m);
                        break;
                }
 #endif /*IPSEC*/
 
+#if TRAFFIC_MGT
+               case IP_TRAFFIC_MGT_BACKGROUND:
+               {
+                       unsigned        background = 0;
+                       error = sooptcopyin(sopt, &background, sizeof(background), sizeof(background));
+                       if (error) 
+                               break;
+
+                       if (background) {
+                               socket_set_traffic_mgt_flags(so,
+                                   TRAFFIC_MGT_SO_BACKGROUND |
+                                   TRAFFIC_MGT_SO_BG_REGULATE);
+                       } else {
+                               socket_clear_traffic_mgt_flags(so,
+                                   TRAFFIC_MGT_SO_BACKGROUND |
+                                   TRAFFIC_MGT_SO_BG_REGULATE);
+                       }
+
+                       break;
+               }
+#endif /* TRAFFIC_MGT */
+
+               /*
+                * On a multihomed system, scoped routing can be used to
+                * restrict the source interface used for sending packets.
+                * The socket option IP_BOUND_IF binds a particular AF_INET
+                * socket to an interface such that data sent on the socket
+                * is restricted to that interface.  This is unlike the
+                * SO_DONTROUTE option where the routing table is bypassed;
+                * therefore it allows for a greater flexibility and control
+                * over the system behavior, and does not place any restriction
+                * on the destination address type (e.g.  unicast, multicast,
+                * or broadcast if applicable) or whether or not the host is
+                * directly reachable.  Note that in the multicast transmit
+                * case, IP_MULTICAST_IF takes precedence over IP_BOUND_IF,
+                * since the former practically bypasses the routing table;
+                * in this case, IP_BOUND_IF sets the default interface used
+                * for sending multicast packets in the absence of an explicit
+                * transmit interface set via IP_MULTICAST_IF.
+                */
+               case IP_BOUND_IF:
+                       /* This option is settable only for IPv4 */
+                       if (!(inp->inp_vflag & INP_IPV4)) {
+                               error = EINVAL;
+                               break;
+                       }
+
+                       error = sooptcopyin(sopt, &optval, sizeof (optval),
+                           sizeof (optval));
+
+                       if (error)
+                               break;
+
+                       ip_bindif(inp, optval);
+                       break;
+
                default:
                        error = ENOPROTOOPT;
                        break;
                default:
                        error = ENOPROTOOPT;
                        break;
@@ -1855,9 +2453,7 @@ ip_ctloutput(so, sopt)
                                req = mtod(m, caddr_t);
                                len = m->m_len;
                        }
                                req = mtod(m, caddr_t);
                                len = m->m_len;
                        }
-                       lck_mtx_lock(sadb_mutex);
                        error = ipsec4_get_policy(sotoinpcb(so), req, len, &m);
                        error = ipsec4_get_policy(sotoinpcb(so), req, len, &m);
-                       lck_mtx_unlock(sadb_mutex);
                        if (error == 0)
                                error = soopt_mcopyout(sopt, m); /* XXX */
                        if (error == 0)
                        if (error == 0)
                                error = soopt_mcopyout(sopt, m); /* XXX */
                        if (error == 0)
@@ -1866,6 +2462,21 @@ ip_ctloutput(so, sopt)
                }
 #endif /*IPSEC*/
 
                }
 #endif /*IPSEC*/
 
+#if TRAFFIC_MGT
+               case IP_TRAFFIC_MGT_BACKGROUND:
+               {
+                       unsigned        background = so->so_traffic_mgt_flags;
+                       return (sooptcopyout(sopt, &background, sizeof(background)));
+                       break;
+               }
+#endif /* TRAFFIC_MGT */
+
+               case IP_BOUND_IF:
+                       if (inp->inp_flags & INP_BOUND_IF)
+                               optval = inp->inp_boundif;
+                       error = sooptcopyout(sopt, &optval, sizeof (optval));
+                       break;
+
                default:
                        error = ENOPROTOOPT;
                        break;
                default:
                        error = ENOPROTOOPT;
                        break;
@@ -1881,10 +2492,10 @@ ip_ctloutput(so, sopt)
  * with destination address if source routed.
  */
 static int
  * with destination address if source routed.
  */
 static int
-ip_pcbopts(optname, pcbopt, m)
-       int optname;
-       struct mbuf **pcbopt;
-       register struct mbuf *m;
+ip_pcbopts(
+       __unused int optname,
+       struct mbuf **pcbopt,
+       register struct mbuf *m)
 {
        register int cnt, optlen;
        register u_char *cp;
 {
        register int cnt, optlen;
        register u_char *cp;
@@ -2027,7 +2638,6 @@ ip_setmoptions(sopt, imop)
        struct ip_moptions **imop;
 {
        int error = 0;
        struct ip_moptions **imop;
 {
        int error = 0;
-       int i;
        struct in_addr addr;
        struct ip_mreq mreq;
        struct ifnet *ifp = NULL;
        struct in_addr addr;
        struct ip_mreq mreq;
        struct ifnet *ifp = NULL;
@@ -2047,20 +2657,25 @@ ip_setmoptions(sopt, imop)
 
        switch (sopt->sopt_name) {
        /* store an index number for the vif you wanna use in the send */
 
        switch (sopt->sopt_name) {
        /* store an index number for the vif you wanna use in the send */
-       case IP_MULTICAST_VIF:
-               if (legal_vif_num == 0) {
-                       error = EOPNOTSUPP;
-                       break;
-               }
-               error = sooptcopyin(sopt, &i, sizeof i, sizeof i);
-               if (error)
-                       break;
-               if (!legal_vif_num(i) && (i != -1)) {
-                       error = EINVAL;
+#if MROUTING
+       case IP_MULTICAST_VIF: 
+               {
+                       int i;
+                       if (legal_vif_num == 0) {
+                               error = EOPNOTSUPP;
+                               break;
+                       }
+                       error = sooptcopyin(sopt, &i, sizeof i, sizeof i);
+                       if (error)
+                               break;
+                       if (!legal_vif_num(i) && (i != -1)) {
+                               error = EINVAL;
+                               break;
+                       }
+                       imo->imo_multicast_vif = i;
                        break;
                }
                        break;
                }
-               imo->imo_multicast_vif = i;
-               break;
+#endif /* MROUTING */
 
        case IP_MULTICAST_IF:
                /*
 
        case IP_MULTICAST_IF:
                /*
@@ -2177,7 +2792,7 @@ ip_setmoptions(sopt, imop)
         * If all options have default values, no need to keep the mbuf.
         */
        if (imo->imo_multicast_ifp == NULL &&
         * If all options have default values, no need to keep the mbuf.
         */
        if (imo->imo_multicast_ifp == NULL &&
-           imo->imo_multicast_vif == -1 &&
+           imo->imo_multicast_vif == (u_int32_t)-1 &&
            imo->imo_multicast_ttl == IP_DEFAULT_MULTICAST_TTL &&
            imo->imo_multicast_loop == IP_DEFAULT_MULTICAST_LOOP &&
            imo->imo_num_memberships == 0) {
            imo->imo_multicast_ttl == IP_DEFAULT_MULTICAST_TTL &&
            imo->imo_multicast_loop == IP_DEFAULT_MULTICAST_LOOP &&
            imo->imo_num_memberships == 0) {
@@ -2225,32 +2840,31 @@ ip_addmembership(
        struct ifnet *ifp = NULL;
        int error = 0;
        int i;
        struct ifnet *ifp = NULL;
        int error = 0;
        int i;
-       
+
+       bzero((caddr_t)&ro, sizeof(ro));
+
        if (!IN_MULTICAST(ntohl(mreq->imr_multiaddr.s_addr))) {
                error = EINVAL;
        if (!IN_MULTICAST(ntohl(mreq->imr_multiaddr.s_addr))) {
                error = EINVAL;
-               return error;
+               goto done;
        }
        /*
         * If no interface address was provided, use the interface of
         * the route to the given multicast address.
         */
        if (mreq->imr_interface.s_addr == INADDR_ANY) {
        }
        /*
         * If no interface address was provided, use the interface of
         * the route to the given multicast address.
         */
        if (mreq->imr_interface.s_addr == INADDR_ANY) {
-               bzero((caddr_t)&ro, sizeof(ro));
                dst = (struct sockaddr_in *)&ro.ro_dst;
                dst->sin_len = sizeof(*dst);
                dst->sin_family = AF_INET;
                dst->sin_addr = mreq->imr_multiaddr;
                dst = (struct sockaddr_in *)&ro.ro_dst;
                dst->sin_len = sizeof(*dst);
                dst->sin_family = AF_INET;
                dst->sin_addr = mreq->imr_multiaddr;
-               rtalloc(&ro);
+               rtalloc_ign(&ro, 0);
                if (ro.ro_rt != NULL) {
                        ifp = ro.ro_rt->rt_ifp;
                if (ro.ro_rt != NULL) {
                        ifp = ro.ro_rt->rt_ifp;
-                       rtfree(ro.ro_rt);
-               }
-               else {
+               } else {
                        /* If there's no default route, try using loopback */
                        /* If there's no default route, try using loopback */
-                       mreq->imr_interface.s_addr = INADDR_LOOPBACK;
+                       mreq->imr_interface.s_addr = htonl(INADDR_LOOPBACK);
                }
        }
                }
        }
-       
+
        if (ifp == NULL) {
                ifp = ip_multicast_if(&mreq->imr_interface, NULL);
        }
        if (ifp == NULL) {
                ifp = ip_multicast_if(&mreq->imr_interface, NULL);
        }
@@ -2261,7 +2875,7 @@ ip_addmembership(
         */
        if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) {
                error = EADDRNOTAVAIL;
         */
        if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) {
                error = EADDRNOTAVAIL;
-               return error;
+               goto done;
        }
        /*
         * See if the membership already exists or if all the
        }
        /*
         * See if the membership already exists or if all the
@@ -2275,11 +2889,11 @@ ip_addmembership(
        }
        if (i < imo->imo_num_memberships) {
                error = EADDRINUSE;
        }
        if (i < imo->imo_num_memberships) {
                error = EADDRINUSE;
-               return error;
+               goto done;
        }
        if (i == IP_MAX_MEMBERSHIPS) {
                error = ETOOMANYREFS;
        }
        if (i == IP_MAX_MEMBERSHIPS) {
                error = ETOOMANYREFS;
-               return error;
+               goto done;
        }
        /*
         * Everything looks good; add a new record to the multicast
        }
        /*
         * Everything looks good; add a new record to the multicast
@@ -2288,10 +2902,14 @@ ip_addmembership(
        if ((imo->imo_membership[i] =
                in_addmulti(&mreq->imr_multiaddr, ifp)) == NULL) {
                error = ENOBUFS;
        if ((imo->imo_membership[i] =
                in_addmulti(&mreq->imr_multiaddr, ifp)) == NULL) {
                error = ENOBUFS;
-               return error;
+               goto done;
        }
        ++imo->imo_num_memberships;
        }
        ++imo->imo_num_memberships;
-       
+
+done:
+       if (ro.ro_rt != NULL)
+               rtfree(ro.ro_rt);
+
        return error;
 }
 
        return error;
 }
 
@@ -2369,6 +2987,7 @@ ip_getmoptions(sopt, imo)
 
        error = 0;
        switch (sopt->sopt_name) {
 
        error = 0;
        switch (sopt->sopt_name) {
+#if MROUTING
        case IP_MULTICAST_VIF: 
                if (imo != NULL)
                        optval = imo->imo_multicast_vif;
        case IP_MULTICAST_VIF: 
                if (imo != NULL)
                        optval = imo->imo_multicast_vif;
@@ -2376,6 +2995,7 @@ ip_getmoptions(sopt, imo)
                        optval = -1;
                error = sooptcopyout(sopt, &optval, sizeof optval);
                break;
                        optval = -1;
                error = sooptcopyout(sopt, &optval, sizeof optval);
                break;
+#endif /* MROUTING */
 
        case IP_MULTICAST_IF:
                if (imo == NULL || imo->imo_multicast_ifp == NULL)
 
        case IP_MULTICAST_IF:
                if (imo == NULL || imo->imo_multicast_ifp == NULL)
@@ -2387,6 +3007,8 @@ ip_getmoptions(sopt, imo)
                        IFP_TO_IA(imo->imo_multicast_ifp, ia);
                        addr.s_addr = (ia == NULL) ? INADDR_ANY
                                : IA_SIN(ia)->sin_addr.s_addr;
                        IFP_TO_IA(imo->imo_multicast_ifp, ia);
                        addr.s_addr = (ia == NULL) ? INADDR_ANY
                                : IA_SIN(ia)->sin_addr.s_addr;
+                       if (ia != NULL)
+                               ifafree(&ia->ia_ifa);
                }
                error = sooptcopyout(sopt, &addr, sizeof addr);
                break;
                }
                error = sooptcopyout(sopt, &addr, sizeof addr);
                break;
@@ -2452,83 +3074,401 @@ ip_mloopback(ifp, m, dst, hlen)
 {
        register struct ip *ip;
        struct mbuf *copym;
 {
        register struct ip *ip;
        struct mbuf *copym;
+       int sw_csum = (apple_hwcksum_tx == 0);
 
        copym = m_copy(m, 0, M_COPYALL);
        if (copym != NULL && (copym->m_flags & M_EXT || copym->m_len < hlen))
                copym = m_pullup(copym, hlen);
 
        copym = m_copy(m, 0, M_COPYALL);
        if (copym != NULL && (copym->m_flags & M_EXT || copym->m_len < hlen))
                copym = m_pullup(copym, hlen);
-       if (copym != NULL) {
-               /*
-                * We don't bother to fragment if the IP length is greater
-                * than the interface's MTU.  Can this possibly matter?
-                */
-               ip = mtod(copym, struct ip *);
-               HTONS(ip->ip_len);
-               HTONS(ip->ip_off);
-               ip->ip_sum = 0;
-               ip->ip_sum = in_cksum(copym, hlen);
-               /*
-                * NB:
-                * It's not clear whether there are any lingering
-                * reentrancy problems in other areas which might
-                * be exposed by using ip_input directly (in
-                * particular, everything which modifies the packet
-                * in-place).  Yet another option is using the
-                * protosw directly to deliver the looped back
-                * packet.  For the moment, we'll err on the side
-                * of safety by using if_simloop().
-                */
+
+       if (copym == NULL)
+               return;
+
+       /*
+        * We don't bother to fragment if the IP length is greater
+        * than the interface's MTU.  Can this possibly matter?
+        */
+       ip = mtod(copym, struct ip *);
+
+#if BYTE_ORDER != BIG_ENDIAN
+       HTONS(ip->ip_len);
+       HTONS(ip->ip_off);
+#endif
+       
+       ip->ip_sum = 0;
+       ip->ip_sum = in_cksum(copym, hlen);
+       /*
+        * NB:
+        * It's not clear whether there are any lingering
+        * reentrancy problems in other areas which might
+        * be exposed by using ip_input directly (in
+        * particular, everything which modifies the packet
+        * in-place).  Yet another option is using the
+        * protosw directly to deliver the looped back
+        * packet.  For the moment, we'll err on the side
+        * of safety by using if_simloop().
+        */
 #if 1 /* XXX */
 #if 1 /* XXX */
-               if (dst->sin_family != AF_INET) {
-                       printf("ip_mloopback: bad address family %d\n",
-                                               dst->sin_family);
-                       dst->sin_family = AF_INET;
-               }
+       if (dst->sin_family != AF_INET) {
+               printf("ip_mloopback: bad address family %d\n",
+                                       dst->sin_family);
+               dst->sin_family = AF_INET;
+       }
 #endif
 
 #endif
 
-
         /*
         /*
-        * Mark checksum as valid or calculate checksum for loopback.
-        * 
-        * This is done this way because we have to embed the ifp of
-        * the interface we will send the original copy of the packet
-        * out on in the mbuf. ip_input will check if_hwassist of the
-        * embedded ifp and ignore all csum_flags if if_hwassist is 0.
-        * The UDP checksum has not been calculated yet.
-        */
-        if (copym->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
-            if (IF_HWASSIST_CSUM_FLAGS(ifp->if_hwassist)) {
-                copym->m_pkthdr.csum_flags |=
-                    CSUM_DATA_VALID | CSUM_PSEUDO_HDR |
-                    CSUM_IP_CHECKED | CSUM_IP_VALID;
-                copym->m_pkthdr.csum_data = 0xffff;
-            } else {
-               NTOHS(ip->ip_len);
-                in_delayed_cksum(copym);
-               HTONS(ip->ip_len);
-           }
+         * Mark checksum as valid or calculate checksum for loopback.
+         *
+         * This is done this way because we have to embed the ifp of
+         * the interface we will send the original copy of the packet
+         * out on in the mbuf. ip_input will check if_hwassist of the
+         * embedded ifp and ignore all csum_flags if if_hwassist is 0.
+         * The UDP checksum has not been calculated yet.
+         */
+        if (sw_csum || (copym->m_pkthdr.csum_flags & CSUM_DELAY_DATA)) {
+               if (!sw_csum && IF_HWASSIST_CSUM_FLAGS(ifp->if_hwassist)) {
+                       copym->m_pkthdr.csum_flags |=
+                           CSUM_DATA_VALID | CSUM_PSEUDO_HDR |
+                           CSUM_IP_CHECKED | CSUM_IP_VALID;
+                       copym->m_pkthdr.csum_data = 0xffff;
+               } else {
+
+#if BYTE_ORDER != BIG_ENDIAN
+                       NTOHS(ip->ip_len);
+#endif
+                       
+                       in_delayed_cksum(copym);
+
+#if BYTE_ORDER != BIG_ENDIAN
+                       HTONS(ip->ip_len);
+#endif
+               
+               }
         }
 
         }
 
+       /*
+        * TedW: 
+        * We need to send all loopback traffic down to dlil in case 
+        * a filter has tapped-in.
+        */
+
+       /*
+        * Stuff the 'real' ifp into the pkthdr, to be used in matching
+        *  in ip_input(); we need the loopback ifp/dl_tag passed as args
+        *  to make the loopback driver compliant with the data link
+        *  requirements.
+        */
+       if (lo_ifp) {
+               copym->m_pkthdr.rcvif = ifp;
+               dlil_output(lo_ifp, PF_INET, copym, 0,
+                   (struct sockaddr *) dst, 0);
+       } else {
+               printf("Warning: ip_output call to dlil_find_dltag failed!\n");
+               m_freem(copym);
+       }
+}
+
+/*
+ * Given a source IP address (and route, if available), determine the best
+ * interface to send the packet from.  Checking for (and updating) the
+ * ROF_SRCIF_SELECTED flag in the pcb-supplied route placeholder is done
+ * without any locks based on the assumption that ip_output() is single-
+ * threaded per-pcb, i.e. for any given pcb there can only be one thread
+ * performing output at the IP layer.
+ */
+static struct ifaddr *
+in_selectsrcif(struct ip *ip, struct route *ro, unsigned int ifscope)
+{
+       struct ifaddr *ifa = NULL;
+       struct in_addr src = ip->ip_src;
+       struct in_addr dst = ip->ip_dst;
+       struct ifnet *rt_ifp;
+       char s_src[MAX_IPv4_STR_LEN], s_dst[MAX_IPv4_STR_LEN];
+
+       if (ip_select_srcif_debug) {
+               (void) inet_ntop(AF_INET, &src.s_addr, s_src, sizeof (s_src));
+               (void) inet_ntop(AF_INET, &dst.s_addr, s_dst, sizeof (s_dst));
+       }
+
+       if (ro->ro_rt != NULL)
+               RT_LOCK(ro->ro_rt);
+
+       rt_ifp = (ro->ro_rt != NULL) ? ro->ro_rt->rt_ifp : NULL;
+
+       /*
+        * Given the source IP address, find a suitable source interface
+        * to use for transmission; if the caller has specified a scope,
+        * optimize the search by looking at the addresses only for that
+        * interface.  This is still suboptimal, however, as we need to
+        * traverse the per-interface list.
+        */
+       if (ifscope != IFSCOPE_NONE || ro->ro_rt != NULL) {
+               unsigned int scope = ifscope;
 
                /*
 
                /*
-                * TedW: 
-                * We need to send all loopback traffic down to dlil in case 
-                * a filter has tapped-in.
+                * If no scope is specified and the route is stale (pointing
+                * to a defunct interface) use the current primary interface;
+                * this happens when switching between interfaces configured
+                * with the same IP address.  Otherwise pick up the scope
+                * information from the route; the ULP may have looked up a
+                * correct route and we just need to verify it here and mark
+                * it with the ROF_SRCIF_SELECTED flag below.
                 */
                 */
+               if (scope == IFSCOPE_NONE) {
+                       scope = rt_ifp->if_index;
+                       if (scope != get_primary_ifscope() &&
+                           ro->ro_rt->generation_id != route_generation)
+                               scope = get_primary_ifscope();
+               }
+
+               ifa = (struct ifaddr *)ifa_foraddr_scoped(src.s_addr, scope);
+
+               if (ifa == NULL && ip->ip_p != IPPROTO_UDP &&
+                   ip->ip_p != IPPROTO_TCP && ipforwarding) {
+                       /*
+                        * If forwarding is enabled, and if the packet isn't
+                        * TCP or UDP, check if the source address belongs
+                        * to one of our own interfaces; if so, demote the
+                        * interface scope and do a route lookup right below.
+                        */
+                       ifa = (struct ifaddr *)ifa_foraddr(src.s_addr);
+                       if (ifa != NULL) {
+                               ifafree(ifa);
+                               ifa = NULL;
+                               ifscope = IFSCOPE_NONE;
+                       }
+               }
+
+               if (ip_select_srcif_debug && ifa != NULL) {
+                       if (ro->ro_rt != NULL) {
+                               printf("%s->%s ifscope %d->%d ifa_if %s%d "
+                                   "ro_if %s%d\n", s_src, s_dst, ifscope,
+                                   scope, ifa->ifa_ifp->if_name,
+                                   ifa->ifa_ifp->if_unit, rt_ifp->if_name,
+                                   rt_ifp->if_unit);
+                       } else {
+                               printf("%s->%s ifscope %d->%d ifa_if %s%d\n",
+                                   s_src, s_dst, ifscope, scope,
+                                   ifa->ifa_ifp->if_name,
+                                   ifa->ifa_ifp->if_unit);
+                       }
+               }
+       }
+
+       /*
+        * Slow path; search for an interface having the corresponding source
+        * IP address if the scope was not specified by the caller, and:
+        *
+        *   1) There currently isn't any route, or,
+        *   2) The interface used by the route does not own that source
+        *      IP address; in this case, the route will get blown away
+        *      and we'll do a more specific scoped search using the newly
+        *      found interface.
+        */
+       if (ifa == NULL && ifscope == IFSCOPE_NONE) {
+               ifa = (struct ifaddr *)ifa_foraddr(src.s_addr);
 
                /*
 
                /*
-                * Stuff the 'real' ifp into the pkthdr, to be used in matching
-                *  in ip_input(); we need the loopback ifp/dl_tag passed as args
-                *  to make the loopback driver compliant with the data link
-                *  requirements.
+                * If we have the IP address, but not the route, we don't
+                * really know whether or not it belongs to the correct
+                * interface (it could be shared across multiple interfaces.)
+                * The only way to find out is to do a route lookup.
                 */
                 */
-               if (lo_ifp) {
-                       copym->m_pkthdr.rcvif = ifp;
-                   dlil_output(lo_ifp, PF_INET, copym, 0, (struct sockaddr *) dst, 0);
-               } else {
-                   printf("Warning: ip_output call to dlil_find_dltag failed!\n");
-                   m_freem(copym);
+               if (ifa != NULL && ro->ro_rt == NULL) {
+                       struct rtentry *rt;
+                       struct sockaddr_in sin;
+                       struct ifaddr *oifa = NULL;
+
+                       bzero(&sin, sizeof (sin));
+                       sin.sin_family = AF_INET;
+                       sin.sin_len = sizeof (sin);
+                       sin.sin_addr = dst;
+
+                       lck_mtx_lock(rnh_lock);
+                       if ((rt = rt_lookup(TRUE, (struct sockaddr *)&sin, NULL,
+                           rt_tables[AF_INET], IFSCOPE_NONE)) != NULL) {
+                               RT_LOCK(rt);
+                               /*
+                                * If the route uses a different interface,
+                                * use that one instead.  The IP address of
+                                * the ifaddr that we pick up here is not
+                                * relevant.
+                                */
+                               if (ifa->ifa_ifp != rt->rt_ifp) {
+                                       oifa = ifa;
+                                       ifa = rt->rt_ifa;
+                                       ifaref(ifa);
+                                       RT_UNLOCK(rt);
+                               } else {
+                                       RT_UNLOCK(rt);
+                               }
+                               rtfree_locked(rt);
+                       }
+                       lck_mtx_unlock(rnh_lock);
+
+                       if (oifa != NULL) {
+                               struct ifaddr *iifa;
+
+                               /*
+                                * See if the interface pointed to by the
+                                * route is configured with the source IP
+                                * address of the packet.
+                                */
+                               iifa = (struct ifaddr *)ifa_foraddr_scoped(
+                                   src.s_addr, ifa->ifa_ifp->if_index);
+
+                               if (iifa != NULL) {
+                                       /*
+                                        * Found it; drop the original one
+                                        * as well as the route interface
+                                        * address, and use this instead.
+                                        */
+                                       ifafree(oifa);
+                                       ifafree(ifa);
+                                       ifa = iifa;
+                               } else if (!ipforwarding ||
+                                   (rt->rt_flags & RTF_GATEWAY)) {
+                                       /*
+                                        * This interface doesn't have that
+                                        * source IP address; drop the route
+                                        * interface address and just use the
+                                        * original one, and let the caller
+                                        * do a scoped route lookup.
+                                        */
+                                       ifafree(ifa);
+                                       ifa = oifa;
+                               } else {
+                                       /*
+                                        * Forwarding is enabled and the source
+                                        * address belongs to one of our own
+                                        * interfaces which isn't the outgoing
+                                        * interface, and we have a route, and
+                                        * the destination is on a network that
+                                        * is directly attached (onlink); drop
+                                        * the original one and use the route
+                                        * interface address instead.
+                                        */
+                                       ifafree(oifa);
+                               }
+                       }
+               } else if (ifa != NULL && ro->ro_rt != NULL &&
+                   !(ro->ro_rt->rt_flags & RTF_GATEWAY) &&
+                   ifa->ifa_ifp != ro->ro_rt->rt_ifp && ipforwarding) {
+                       /*
+                        * Forwarding is enabled and the source address belongs
+                        * to one of our own interfaces which isn't the same
+                        * as the interface used by the known route; drop the
+                        * original one and use the route interface address.
+                        */
+                       ifafree(ifa);
+                       ifa = ro->ro_rt->rt_ifa;
+                       ifaref(ifa);
+               }
+
+               if (ip_select_srcif_debug && ifa != NULL) {
+                       printf("%s->%s ifscope %d ifa_if %s%d\n",
+                           s_src, s_dst, ifscope, ifa->ifa_ifp->if_name,
+                           ifa->ifa_ifp->if_unit);
+               }
+       }
+
+       if (ro->ro_rt != NULL)
+               RT_LOCK_ASSERT_HELD(ro->ro_rt);
+       /*
+        * If there is a non-loopback route with the wrong interface, or if
+        * there is no interface configured with such an address, blow it
+        * away.  Except for local/loopback, we look for one with a matching
+        * interface scope/index.
+        */
+       if (ro->ro_rt != NULL &&
+           (ifa == NULL || (ifa->ifa_ifp != rt_ifp && rt_ifp != lo_ifp) ||
+           !(ro->ro_rt->rt_flags & RTF_UP))) {
+               if (ip_select_srcif_debug) {
+                       if (ifa != NULL) {
+                               printf("%s->%s ifscope %d ro_if %s%d != "
+                                   "ifa_if %s%d (cached route cleared)\n",
+                                   s_src, s_dst, ifscope, rt_ifp->if_name,
+                                   rt_ifp->if_unit, ifa->ifa_ifp->if_name,
+                                   ifa->ifa_ifp->if_unit);
+                       } else {
+                               printf("%s->%s ifscope %d ro_if %s%d "
+                                   "(no ifa_if found)\n",
+                                   s_src, s_dst, ifscope, rt_ifp->if_name,
+                                   rt_ifp->if_unit);
+                       }
+               }
+
+               RT_UNLOCK(ro->ro_rt);
+               rtfree(ro->ro_rt);
+               ro->ro_rt = NULL;
+               ro->ro_flags &= ~ROF_SRCIF_SELECTED;
+
+               /*
+                * If the destination is IPv4 LLA and the route's interface
+                * doesn't match the source interface, then the source IP
+                * address is wrong; it most likely belongs to the primary
+                * interface associated with the IPv4 LL subnet.  Drop the
+                * packet rather than letting it go out and return an error
+                * to the ULP.  This actually applies not only to IPv4 LL
+                * but other shared subnets; for now we explicitly test only
+                * for the former case and save the latter for future.
+                */
+               if (IN_LINKLOCAL(ntohl(dst.s_addr)) &&
+                   !IN_LINKLOCAL(ntohl(src.s_addr)) && ifa != NULL) {
+                       ifafree(ifa);
+                       ifa = NULL;
                }
                }
+       }
+
+       if (ip_select_srcif_debug && ifa == NULL) {
+               printf("%s->%s ifscope %d (neither ro_if/ifa_if found)\n",
+                   s_src, s_dst, ifscope);
+       }
+
+       /*
+        * If there is a route, mark it accordingly.  If there isn't one,
+        * we'll get here again during the next transmit (possibly with a
+        * route) and the flag will get set at that point.  For IPv4 LLA
+        * destination, mark it only if the route has been fully resolved;
+        * otherwise we want to come back here again when the route points
+        * to the interface over which the ARP reply arrives on.
+        */
+       if (ro->ro_rt != NULL && (!IN_LINKLOCAL(ntohl(dst.s_addr)) ||
+           (ro->ro_rt->rt_gateway->sa_family == AF_LINK &&
+           SDL(ro->ro_rt->rt_gateway)->sdl_alen != 0))) {
+               ro->ro_flags |= ROF_SRCIF_SELECTED;
+               ro->ro_rt->generation_id = route_generation;
+       }
+
+       if (ro->ro_rt != NULL)
+               RT_UNLOCK(ro->ro_rt);
+
+       return (ifa);
+}
+
+/*
+ * Handler for setting IP_FORCE_OUT_IFP or IP_BOUND_IF socket option.
+ */
+static void
+ip_bindif(struct inpcb *inp, unsigned int ifscope)
+{
+       /*
+        * A zero interface scope value indicates an "unbind".
+        * Otherwise, take in whatever value the app desires;
+        * the app may already know the scope (or force itself
+        * to such a scope) ahead of time before the interface
+        * gets attached.  It doesn't matter either way; any
+        * route lookup from this point on will require an
+        * exact match for the embedded interface scope.
+        */
+       inp->inp_boundif = ifscope;
+       if (inp->inp_boundif == IFSCOPE_NONE)
+               inp->inp_flags &= ~INP_BOUND_IF;
+       else
+               inp->inp_flags |= INP_BOUND_IF;
 
 
-/*             if_simloop(ifp, copym, (struct sockaddr *)dst, 0);*/
+       /* Blow away any cached route in the PCB */
+       if (inp->inp_route.ro_rt != NULL) {
+               rtfree(inp->inp_route.ro_rt);
+               inp->inp_route.ro_rt = NULL;
        }
 }
        }
 }
mirror of XNU