--- a/usr/src/uts/common/inet/ipclassifier.h	Thu Feb 12 16:09:24 2009 +0000
+++ b/usr/src/uts/common/inet/ipclassifier.h	Thu Feb 12 08:42:06 2009 -0800
@@ -135,7 +135,6 @@
 #define	IPCL_IS_RTS(connp)						\
 	((connp)->conn_flags & IPCL_RTSCONN)
 
-/* FIXME: Isn't it sufficient to check IPCL_IPTUN? */
 #define	IPCL_IS_IPTUN(connp)						\
 	(((connp)->conn_ulp == IPPROTO_ENCAP ||				\
 	(connp)->conn_ulp == IPPROTO_IPV6) &&				\
@@ -316,7 +315,7 @@
 	in6_addr_t	conn_nexthop_v6;	/* nexthop IP address */
 	uchar_t		conn_broadcast_ttl; 	/* IP_BROADCAST_TTL */
 #define	conn_nexthop_v4	V4_PART_OF_V6(conn_nexthop_v6)
-	cred_t		*conn_peercred;		/* Peer credentials, if any */
+	cred_t		*conn_peercred;		/* Peer TX label, if any */
 	int		conn_rtaware; 		/* RT_AWARE sockopt value */
 	kcondvar_t	conn_sq_cv;		/* For non-STREAMS socket IO */
 	kthread_t	*conn_sq_caller;	/* Caller of squeue sync ops */
@@ -341,10 +340,17 @@
 #endif
 };
 
+/*
+ * These two macros are used by TX. First priority is SCM_UCRED having
+ * set the label in the mblk. Second priority is the peers label (aka
+ * conn_peercred). Last priority is the open credentials.
+ * BEST_CRED takes all three into account in the above order.
+ * CONN_CRED is for connection-oriented cases when we don't need to look
+ * at the mblk.
+ */
 #define	CONN_CRED(connp) ((connp)->conn_peercred == NULL ? \
 	(connp)->conn_cred : (connp)->conn_peercred)
-#define	BEST_CRED(mp, connp) ((DB_CRED(mp) != NULL &&	\
-	crgetlabel(DB_CRED(mp)) != NULL) ? DB_CRED(mp) : CONN_CRED(connp))
+#define	BEST_CRED(mp, connp) ip_best_cred(mp, connp)
 
 /*
  * connf_t - connection fanout data.