1
/*-
2
 * SPDX-License-Identifier: BSD-3-Clause
3
 *
4
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 * 3. Neither the name of the project nor the names of its contributors
16
 *    may be used to endorse or promote products derived from this software
17
 *    without specific prior written permission.
18
 *
19
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29
 * SUCH DAMAGE.
30
 *
31
 *	$KAME: nd6.c,v 1.144 2001/05/24 07:44:00 itojun Exp $
32
 */
33

34
#include <sys/cdefs.h>
35
#include "opt_inet.h"
36
#include "opt_inet6.h"
37
#include "opt_route.h"
38

39
#include <sys/param.h>
40
#include <sys/systm.h>
41
#include <sys/eventhandler.h>
42
#include <sys/callout.h>
43
#include <sys/lock.h>
44
#include <sys/malloc.h>
45
#include <sys/mbuf.h>
46
#include <sys/mutex.h>
47
#include <sys/socket.h>
48
#include <sys/sockio.h>
49
#include <sys/time.h>
50
#include <sys/kernel.h>
51
#include <sys/protosw.h>
52
#include <sys/errno.h>
53
#include <sys/syslog.h>
54
#include <sys/rwlock.h>
55
#include <sys/queue.h>
56
#include <sys/sdt.h>
57
#include <sys/sysctl.h>
58

59
#include <net/if.h>
60
#include <net/if_var.h>
61
#include <net/if_dl.h>
62
#include <net/if_private.h>
63
#include <net/if_types.h>
64
#include <net/route.h>
65
#include <net/route/route_ctl.h>
66
#include <net/route/nhop.h>
67
#include <net/vnet.h>
68

69
#include <netinet/in.h>
70
#include <netinet/in_kdtrace.h>
71
#include <net/if_llatbl.h>
72
#include <netinet/if_ether.h>
73
#include <netinet6/in6_fib.h>
74
#include <netinet6/in6_var.h>
75
#include <netinet/ip6.h>
76
#include <netinet6/ip6_var.h>
77
#include <netinet6/scope6_var.h>
78
#include <netinet6/nd6.h>
79
#include <netinet6/in6_ifattach.h>
80
#include <netinet/icmp6.h>
81
#include <netinet6/send.h>
82

83
#include <sys/limits.h>
84

85
#include <security/mac/mac_framework.h>
86

87
#define	ND6_PREFIX_WITH_ROUTER(pr)	!LIST_EMPTY(&(pr)->ndpr_advrtrs)
88

89
#define ND6_SLOWTIMER_INTERVAL (60 * 60) /* 1 hour */
90
#define ND6_RECALC_REACHTM_INTERVAL (60 * 120) /* 2 hours */
91

92
MALLOC_DEFINE(M_IP6NDP, "ip6ndp", "IPv6 Neighbor Discovery");
93

94
VNET_DEFINE_STATIC(int, nd6_prune) = 1;
95
#define	V_nd6_prune	VNET(nd6_prune)
96
SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_PRUNE, nd6_prune,
97
    CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(nd6_prune), 0,
98
    "Frequency in seconds of checks for expired prefixes and routers");
99

100
VNET_DEFINE_STATIC(int, nd6_delay) = 5;
101
#define	V_nd6_delay	VNET(nd6_delay)
102
SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_DELAY, nd6_delay,
103
    CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(nd6_delay), 0,
104
    "Delay in seconds before probing for reachability");
105

106
VNET_DEFINE_STATIC(int, nd6_umaxtries) = 3;
107
#define	V_nd6_umaxtries	VNET(nd6_umaxtries)
108
SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_UMAXTRIES, nd6_umaxtries,
109
    CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(nd6_umaxtries), 0,
110
    "Number of ICMPv6 NS messages sent during reachability detection");
111

112
VNET_DEFINE(int, nd6_mmaxtries) = 3;
113
#define	V_nd6_mmaxtries	VNET(nd6_mmaxtries)
114
SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_MMAXTRIES, nd6_mmaxtries,
115
    CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(nd6_mmaxtries), 0,
116
    "Number of ICMPv6 NS messages sent during address resolution");
117

118
VNET_DEFINE_STATIC(int, nd6_gctimer) = (60 * 60 * 24); /* 1 day: garbage
119
							* collection timer */
120
#define	V_nd6_gctimer	VNET(nd6_gctimer)
121

122
/* preventing too many loops in ND option parsing */
123
VNET_DEFINE_STATIC(int, nd6_maxndopt) = 10; /* max # of ND options allowed */
124

125
VNET_DEFINE_STATIC(int, nd6_maxqueuelen) = 16; /* max pkts cached in unresolved
126
					 * ND entries */
127
#define	V_nd6_maxndopt			VNET(nd6_maxndopt)
128
#define	V_nd6_maxqueuelen		VNET(nd6_maxqueuelen)
129

130
#ifdef ND6_DEBUG
131
VNET_DEFINE(int, nd6_debug) = 1;
132
#else
133
VNET_DEFINE(int, nd6_debug) = 0;
134
#endif
135
#define	V_nd6_debug	VNET(nd6_debug)
136
SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_DEBUG, nd6_debug,
137
    CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(nd6_debug), 0,
138
    "Log NDP debug messages");
139

140
static eventhandler_tag lle_event_eh, iflladdr_event_eh, ifnet_link_event_eh;
141

142
VNET_DEFINE(struct nd_prhead, nd_prefix);
143
VNET_DEFINE(struct rwlock, nd6_lock);
144
VNET_DEFINE(uint64_t, nd6_list_genid);
145
VNET_DEFINE(struct mtx, nd6_onlink_mtx);
146

147
VNET_DEFINE(int, nd6_recalc_reachtm_interval) = ND6_RECALC_REACHTM_INTERVAL;
148
#define	V_nd6_recalc_reachtm_interval	VNET(nd6_recalc_reachtm_interval)
149

150
int	(*send_sendso_input_hook)(struct mbuf *, struct ifnet *, int, int);
151

152
static bool nd6_is_new_addr_neighbor(const struct sockaddr_in6 *,
153
	struct ifnet *);
154
static void nd6_setmtu0(struct ifnet *, struct nd_ifinfo *);
155
static void nd6_slowtimo(void *);
156
static int regen_tmpaddr(struct in6_ifaddr *);
157
static void nd6_free(struct llentry **, int);
158
static void nd6_free_redirect(const struct llentry *);
159
static void nd6_llinfo_timer(void *);
160
static void nd6_llinfo_settimer_locked(struct llentry *, long);
161
static int nd6_resolve_slow(struct ifnet *, int, int, struct mbuf *,
162
    const struct sockaddr_in6 *, u_char *, uint32_t *, struct llentry **);
163
static int nd6_need_cache(struct ifnet *);
164

165
VNET_DEFINE_STATIC(struct callout, nd6_slowtimo_ch);
166
#define	V_nd6_slowtimo_ch		VNET(nd6_slowtimo_ch)
167

168
VNET_DEFINE_STATIC(struct callout, nd6_timer_ch);
169
#define	V_nd6_timer_ch			VNET(nd6_timer_ch)
170

171
static void
172
nd6_lle_event(void *arg __unused, struct llentry *lle, int evt)
173
{
174
	struct rt_addrinfo rtinfo;
175
	struct sockaddr_in6 dst;
176
	struct sockaddr_dl gw;
177
	struct ifnet *ifp;
178
	int type;
179
	int fibnum;
180

181
	LLE_WLOCK_ASSERT(lle);
182

183
	if (lltable_get_af(lle->lle_tbl) != AF_INET6)
184
		return;
185

186
	switch (evt) {
187
	case LLENTRY_RESOLVED:
188
		type = RTM_ADD;
189
		KASSERT(lle->la_flags & LLE_VALID,
190
		    ("%s: %p resolved but not valid?", __func__, lle));
191
		break;
192
	case LLENTRY_EXPIRED:
193
		type = RTM_DELETE;
194
		break;
195
	default:
196
		return;
197
	}
198

199
	ifp = lltable_get_ifp(lle->lle_tbl);
200

201
	bzero(&dst, sizeof(dst));
202
	bzero(&gw, sizeof(gw));
203
	bzero(&rtinfo, sizeof(rtinfo));
204
	lltable_fill_sa_entry(lle, (struct sockaddr *)&dst);
205
	dst.sin6_scope_id = in6_getscopezone(ifp,
206
	    in6_addrscope(&dst.sin6_addr));
207
	gw.sdl_len = sizeof(struct sockaddr_dl);
208
	gw.sdl_family = AF_LINK;
209
	gw.sdl_alen = ifp->if_addrlen;
210
	gw.sdl_index = ifp->if_index;
211
	gw.sdl_type = ifp->if_type;
212
	if (evt == LLENTRY_RESOLVED)
213
		bcopy(lle->ll_addr, gw.sdl_data, ifp->if_addrlen);
214
	rtinfo.rti_info[RTAX_DST] = (struct sockaddr *)&dst;
215
	rtinfo.rti_info[RTAX_GATEWAY] = (struct sockaddr *)&gw;
216
	rtinfo.rti_addrs = RTA_DST | RTA_GATEWAY;
217
	fibnum = V_rt_add_addr_allfibs ? RT_ALL_FIBS : ifp->if_fib;
218
	rt_missmsg_fib(type, &rtinfo, RTF_HOST | RTF_LLDATA | (
219
	    type == RTM_ADD ? RTF_UP: 0), 0, fibnum);
220
}
221

222
/*
223
 * A handler for interface link layer address change event.
224
 */
225
static void
226
nd6_iflladdr(void *arg __unused, struct ifnet *ifp)
227
{
228
	if (ifp->if_afdata[AF_INET6] == NULL)
229
		return;
230

231
	lltable_update_ifaddr(LLTABLE6(ifp));
232
}
233

234
void
235
nd6_init(void)
236
{
237

238
	mtx_init(&V_nd6_onlink_mtx, "nd6 onlink", NULL, MTX_DEF);
239
	rw_init(&V_nd6_lock, "nd6 list");
240

241
	LIST_INIT(&V_nd_prefix);
242
	nd6_defrouter_init();
243

244
	/* Start timers. */
245
	callout_init(&V_nd6_slowtimo_ch, 1);
246
	callout_reset(&V_nd6_slowtimo_ch, ND6_SLOWTIMER_INTERVAL * hz,
247
	    nd6_slowtimo, curvnet);
248

249
	callout_init(&V_nd6_timer_ch, 1);
250
	callout_reset(&V_nd6_timer_ch, hz, nd6_timer, curvnet);
251

252
	nd6_dad_init();
253
	if (IS_DEFAULT_VNET(curvnet)) {
254
		lle_event_eh = EVENTHANDLER_REGISTER(lle_event, nd6_lle_event,
255
		    NULL, EVENTHANDLER_PRI_ANY);
256
		iflladdr_event_eh = EVENTHANDLER_REGISTER(iflladdr_event,
257
		    nd6_iflladdr, NULL, EVENTHANDLER_PRI_ANY);
258
		ifnet_link_event_eh = EVENTHANDLER_REGISTER(ifnet_link_event,
259
		    nd6_ifnet_link_event, NULL, EVENTHANDLER_PRI_ANY);
260
	}
261
}
262

263
#ifdef VIMAGE
264
void
265
nd6_destroy(void)
266
{
267

268
	callout_drain(&V_nd6_slowtimo_ch);
269
	callout_drain(&V_nd6_timer_ch);
270
	if (IS_DEFAULT_VNET(curvnet)) {
271
		EVENTHANDLER_DEREGISTER(ifnet_link_event, ifnet_link_event_eh);
272
		EVENTHANDLER_DEREGISTER(lle_event, lle_event_eh);
273
		EVENTHANDLER_DEREGISTER(iflladdr_event, iflladdr_event_eh);
274
	}
275
	rw_destroy(&V_nd6_lock);
276
	mtx_destroy(&V_nd6_onlink_mtx);
277
}
278
#endif
279

280
struct nd_ifinfo *
281
nd6_ifattach(struct ifnet *ifp)
282
{
283
	struct nd_ifinfo *nd;
284

285
	nd = malloc(sizeof(*nd), M_IP6NDP, M_WAITOK | M_ZERO);
286
	nd->initialized = 1;
287

288
	nd->chlim = IPV6_DEFHLIM;
289
	nd->basereachable = REACHABLE_TIME;
290
	nd->reachable = ND_COMPUTE_RTIME(nd->basereachable);
291
	nd->retrans = RETRANS_TIMER;
292

293
	nd->flags = ND6_IFF_PERFORMNUD;
294

295
	/* Set IPv6 disabled on all interfaces but loopback by default. */
296
	if ((ifp->if_flags & IFF_LOOPBACK) == 0)
297
		nd->flags |= ND6_IFF_IFDISABLED;
298

299
	/* A loopback interface always has ND6_IFF_AUTO_LINKLOCAL.
300
	 * XXXHRS: Clear ND6_IFF_AUTO_LINKLOCAL on an IFT_BRIDGE interface by
301
	 * default regardless of the V_ip6_auto_linklocal configuration to
302
	 * give a reasonable default behavior.
303
	 */
304
	if ((V_ip6_auto_linklocal && ifp->if_type != IFT_BRIDGE &&
305
	    ifp->if_type != IFT_WIREGUARD) || (ifp->if_flags & IFF_LOOPBACK))
306
		nd->flags |= ND6_IFF_AUTO_LINKLOCAL;
307
	/*
308
	 * A loopback interface does not need to accept RTADV.
309
	 * XXXHRS: Clear ND6_IFF_ACCEPT_RTADV on an IFT_BRIDGE interface by
310
	 * default regardless of the V_ip6_accept_rtadv configuration to
311
	 * prevent the interface from accepting RA messages arrived
312
	 * on one of the member interfaces with ND6_IFF_ACCEPT_RTADV.
313
	 */
314
	if (V_ip6_accept_rtadv &&
315
	    !(ifp->if_flags & IFF_LOOPBACK) &&
316
	    (ifp->if_type != IFT_BRIDGE)) {
317
			nd->flags |= ND6_IFF_ACCEPT_RTADV;
318
			/* If we globally accept rtadv, assume IPv6 on. */
319
			nd->flags &= ~ND6_IFF_IFDISABLED;
320
	}
321
	if (V_ip6_no_radr && !(ifp->if_flags & IFF_LOOPBACK))
322
		nd->flags |= ND6_IFF_NO_RADR;
323

324
	/* XXX: we cannot call nd6_setmtu since ifp is not fully initialized */
325
	nd6_setmtu0(ifp, nd);
326

327
	/* Configure default value for stable addresses algorithm, skip loopback interface */
328
	if (V_ip6_use_stableaddr && !(ifp->if_flags & IFF_LOOPBACK)) {
329
		nd->flags |= ND6_IFF_STABLEADDR;
330
	}
331

332
	return nd;
333
}
334

335
void
336
nd6_ifdetach(struct ifnet *ifp, struct nd_ifinfo *nd)
337
{
338
	struct epoch_tracker et;
339
	struct ifaddr *ifa, *next;
340

341
	NET_EPOCH_ENTER(et);
342
	CK_STAILQ_FOREACH_SAFE(ifa, &ifp->if_addrhead, ifa_link, next) {
343
		if (ifa->ifa_addr->sa_family != AF_INET6)
344
			continue;
345

346
		/* stop DAD processing */
347
		nd6_dad_stop(ifa);
348
	}
349
	NET_EPOCH_EXIT(et);
350

351
	free(nd, M_IP6NDP);
352
}
353

354
/*
355
 * Reset ND level link MTU. This function is called when the physical MTU
356
 * changes, which means we might have to adjust the ND level MTU.
357
 */
358
void
359
nd6_setmtu(struct ifnet *ifp)
360
{
361
	if (ifp->if_afdata[AF_INET6] == NULL)
362
		return;
363

364
	nd6_setmtu0(ifp, ND_IFINFO(ifp));
365
}
366

367
/* XXX todo: do not maintain copy of ifp->if_mtu in ndi->maxmtu */
368
void
369
nd6_setmtu0(struct ifnet *ifp, struct nd_ifinfo *ndi)
370
{
371
	u_int32_t omaxmtu;
372

373
	omaxmtu = ndi->maxmtu;
374
	ndi->maxmtu = ifp->if_mtu;
375

376
	/*
377
	 * Decreasing the interface MTU under IPV6 minimum MTU may cause
378
	 * undesirable situation.  We thus notify the operator of the change
379
	 * explicitly.  The check for omaxmtu is necessary to restrict the
380
	 * log to the case of changing the MTU, not initializing it.
381
	 */
382
	if (omaxmtu >= IPV6_MMTU && ndi->maxmtu < IPV6_MMTU) {
383
		log(LOG_NOTICE, "nd6_setmtu0: "
384
		    "new link MTU on %s (%lu) is too small for IPv6\n",
385
		    if_name(ifp), (unsigned long)ndi->maxmtu);
386
	}
387
}
388

389
void
390
nd6_option_init(void *opt, int icmp6len, union nd_opts *ndopts)
391
{
392

393
	bzero(ndopts, sizeof(*ndopts));
394
	ndopts->nd_opts_search = (struct nd_opt_hdr *)opt;
395
	ndopts->nd_opts_last
396
		= (struct nd_opt_hdr *)(((u_char *)opt) + icmp6len);
397

398
	if (icmp6len == 0) {
399
		ndopts->nd_opts_done = 1;
400
		ndopts->nd_opts_search = NULL;
401
	}
402
}
403

404
/*
405
 * Take one ND option.
406
 */
407
struct nd_opt_hdr *
408
nd6_option(union nd_opts *ndopts)
409
{
410
	struct nd_opt_hdr *nd_opt;
411
	int olen;
412

413
	KASSERT(ndopts != NULL, ("%s: ndopts == NULL", __func__));
414
	KASSERT(ndopts->nd_opts_last != NULL, ("%s: uninitialized ndopts",
415
	    __func__));
416
	if (ndopts->nd_opts_search == NULL)
417
		return NULL;
418
	if (ndopts->nd_opts_done)
419
		return NULL;
420

421
	nd_opt = ndopts->nd_opts_search;
422

423
	/* make sure nd_opt_len is inside the buffer */
424
	if ((caddr_t)&nd_opt->nd_opt_len >= (caddr_t)ndopts->nd_opts_last) {
425
		bzero(ndopts, sizeof(*ndopts));
426
		return NULL;
427
	}
428

429
	olen = nd_opt->nd_opt_len << 3;
430
	if (olen == 0) {
431
		/*
432
		 * Message validation requires that all included
433
		 * options have a length that is greater than zero.
434
		 */
435
		bzero(ndopts, sizeof(*ndopts));
436
		return NULL;
437
	}
438

439
	ndopts->nd_opts_search = (struct nd_opt_hdr *)((caddr_t)nd_opt + olen);
440
	if (ndopts->nd_opts_search > ndopts->nd_opts_last) {
441
		/* option overruns the end of buffer, invalid */
442
		bzero(ndopts, sizeof(*ndopts));
443
		return NULL;
444
	} else if (ndopts->nd_opts_search == ndopts->nd_opts_last) {
445
		/* reached the end of options chain */
446
		ndopts->nd_opts_done = 1;
447
		ndopts->nd_opts_search = NULL;
448
	}
449
	return nd_opt;
450
}
451

452
/*
453
 * Parse multiple ND options.
454
 * This function is much easier to use, for ND routines that do not need
455
 * multiple options of the same type.
456
 */
457
int
458
nd6_options(union nd_opts *ndopts)
459
{
460
	struct nd_opt_hdr *nd_opt;
461
	int i = 0;
462

463
	KASSERT(ndopts != NULL, ("%s: ndopts == NULL", __func__));
464
	KASSERT(ndopts->nd_opts_last != NULL, ("%s: uninitialized ndopts",
465
	    __func__));
466
	if (ndopts->nd_opts_search == NULL)
467
		return 0;
468

469
	while (1) {
470
		nd_opt = nd6_option(ndopts);
471
		if (nd_opt == NULL && ndopts->nd_opts_last == NULL) {
472
			/*
473
			 * Message validation requires that all included
474
			 * options have a length that is greater than zero.
475
			 */
476
			ICMP6STAT_INC(icp6s_nd_badopt);
477
			bzero(ndopts, sizeof(*ndopts));
478
			return -1;
479
		}
480

481
		if (nd_opt == NULL)
482
			goto skip1;
483

484
		switch (nd_opt->nd_opt_type) {
485
		case ND_OPT_SOURCE_LINKADDR:
486
		case ND_OPT_TARGET_LINKADDR:
487
		case ND_OPT_MTU:
488
		case ND_OPT_REDIRECTED_HEADER:
489
		case ND_OPT_NONCE:
490
			if (ndopts->nd_opt_array[nd_opt->nd_opt_type]) {
491
				nd6log((LOG_INFO,
492
				    "duplicated ND6 option found (type=%d)\n",
493
				    nd_opt->nd_opt_type));
494
				/* XXX bark? */
495
			} else {
496
				ndopts->nd_opt_array[nd_opt->nd_opt_type]
497
					= nd_opt;
498
			}
499
			break;
500
		case ND_OPT_PREFIX_INFORMATION:
501
			if (ndopts->nd_opt_array[nd_opt->nd_opt_type] == 0) {
502
				ndopts->nd_opt_array[nd_opt->nd_opt_type]
503
					= nd_opt;
504
			}
505
			ndopts->nd_opts_pi_end =
506
				(struct nd_opt_prefix_info *)nd_opt;
507
			break;
508
		/* What about ND_OPT_ROUTE_INFO? RFC 4191 */
509
		case ND_OPT_RDNSS:	/* RFC 6106 */
510
		case ND_OPT_DNSSL:	/* RFC 6106 */
511
			/*
512
			 * Silently ignore options we know and do not care about
513
			 * in the kernel.
514
			 */
515
			break;
516
		default:
517
			/*
518
			 * Unknown options must be silently ignored,
519
			 * to accommodate future extension to the protocol.
520
			 */
521
			nd6log((LOG_DEBUG,
522
			    "nd6_options: unsupported option %d - "
523
			    "option ignored\n", nd_opt->nd_opt_type));
524
		}
525

526
skip1:
527
		i++;
528
		if (i > V_nd6_maxndopt) {
529
			ICMP6STAT_INC(icp6s_nd_toomanyopt);
530
			nd6log((LOG_INFO, "too many loop in nd opt\n"));
531
			break;
532
		}
533

534
		if (ndopts->nd_opts_done)
535
			break;
536
	}
537

538
	return 0;
539
}
540

541
/*
542
 * ND6 timer routine to handle ND6 entries
543
 */
544
static void
545
nd6_llinfo_settimer_locked(struct llentry *ln, long tick)
546
{
547
	int canceled;
548

549
	LLE_WLOCK_ASSERT(ln);
550

551
	/* Do not schedule timers for child LLEs. */
552
	if (ln->la_flags & LLE_CHILD)
553
		return;
554

555
	if (tick < 0) {
556
		ln->la_expire = 0;
557
		ln->ln_ntick = 0;
558
		canceled = callout_stop(&ln->lle_timer);
559
	} else {
560
		ln->la_expire = time_uptime + tick / hz;
561
		LLE_ADDREF(ln);
562
		if (tick > INT_MAX) {
563
			ln->ln_ntick = tick - INT_MAX;
564
			canceled = callout_reset(&ln->lle_timer, INT_MAX,
565
			    nd6_llinfo_timer, ln);
566
		} else {
567
			ln->ln_ntick = 0;
568
			canceled = callout_reset(&ln->lle_timer, tick,
569
			    nd6_llinfo_timer, ln);
570
		}
571
	}
572
	if (canceled > 0)
573
		LLE_REMREF(ln);
574
}
575

576
/*
577
 * Gets source address of the first packet in hold queue
578
 * and stores it in @src.
579
 * Returns pointer to @src (if hold queue is not empty) or NULL.
580
 *
581
 * Set noinline to be dtrace-friendly
582
 */
583
static __noinline struct in6_addr *
584
nd6_llinfo_get_holdsrc(struct llentry *ln, struct in6_addr *src)
585
{
586
	struct ip6_hdr hdr;
587
	struct mbuf *m;
588

589
	if (ln->la_hold == NULL)
590
		return (NULL);
591

592
	/*
593
	 * assume every packet in la_hold has the same IP header
594
	 */
595
	m = ln->la_hold;
596
	if (sizeof(hdr) > m->m_len)
597
		return (NULL);
598

599
	m_copydata(m, 0, sizeof(hdr), (caddr_t)&hdr);
600
	*src = hdr.ip6_src;
601

602
	return (src);
603
}
604

605
/*
606
 * Checks if we need to switch from STALE state.
607
 *
608
 * RFC 4861 requires switching from STALE to DELAY state
609
 * on first packet matching entry, waiting V_nd6_delay and
610
 * transition to PROBE state (if upper layer confirmation was
611
 * not received).
612
 *
613
 * This code performs a bit differently:
614
 * On packet hit we don't change state (but desired state
615
 * can be guessed by control plane). However, after V_nd6_delay
616
 * seconds code will transition to PROBE state (so DELAY state
617
 * is kinda skipped in most situations).
618
 *
619
 * Typically, V_nd6_gctimer is bigger than V_nd6_delay, so
620
 * we perform the following upon entering STALE state:
621
 *
622
 * 1) Arm timer to run each V_nd6_delay seconds to make sure that
623
 * if packet was transmitted at the start of given interval, we
624
 * would be able to switch to PROBE state in V_nd6_delay seconds
625
 * as user expects.
626
 *
627
 * 2) Reschedule timer until original V_nd6_gctimer expires keeping
628
 * lle in STALE state (remaining timer value stored in lle_remtime).
629
 *
630
 * 3) Reschedule timer if packet was transmitted less that V_nd6_delay
631
 * seconds ago.
632
 *
633
 * Returns non-zero value if the entry is still STALE (storing
634
 * the next timer interval in @pdelay).
635
 *
636
 * Returns zero value if original timer expired or we need to switch to
637
 * PROBE (store that in @do_switch variable).
638
 */
639
static int
640
nd6_is_stale(struct llentry *lle, long *pdelay, int *do_switch)
641
{
642
	int nd_delay, nd_gctimer;
643
	time_t lle_hittime;
644
	long delay;
645

646
	*do_switch = 0;
647
	nd_gctimer = V_nd6_gctimer;
648
	nd_delay = V_nd6_delay;
649

650
	lle_hittime = llentry_get_hittime(lle);
651

652
	if (lle_hittime == 0) {
653
		/*
654
		 * Datapath feedback has been requested upon entering
655
		 * STALE state. No packets has been passed using this lle.
656
		 * Ask for the timer reschedule and keep STALE state.
657
		 */
658
		delay = (long)(MIN(nd_gctimer, nd_delay));
659
		delay *= hz;
660
		if (lle->lle_remtime > delay)
661
			lle->lle_remtime -= delay;
662
		else {
663
			delay = lle->lle_remtime;
664
			lle->lle_remtime = 0;
665
		}
666

667
		if (delay == 0) {
668
			/*
669
			 * The original ng6_gctime timeout ended,
670
			 * no more rescheduling.
671
			 */
672
			return (0);
673
		}
674

675
		*pdelay = delay;
676
		return (1);
677
	}
678

679
	/*
680
	 * Packet received. Verify timestamp
681
	 */
682
	delay = (long)(time_uptime - lle_hittime);
683
	if (delay < nd_delay) {
684
		/*
685
		 * V_nd6_delay still not passed since the first
686
		 * hit in STALE state.
687
		 * Reschedule timer and return.
688
		 */
689
		*pdelay = (long)(nd_delay - delay) * hz;
690
		return (1);
691
	}
692

693
	/* Request switching to probe */
694
	*do_switch = 1;
695
	return (0);
696
}
697

698
/*
699
 * Switch @lle state to new state optionally arming timers.
700
 *
701
 * Set noinline to be dtrace-friendly
702
 */
703
__noinline void
704
nd6_llinfo_setstate(struct llentry *lle, int newstate)
705
{
706
	struct ifnet *ifp;
707
	int nd_gctimer, nd_delay;
708
	long delay, remtime;
709

710
	delay = 0;
711
	remtime = 0;
712

713
	switch (newstate) {
714
	case ND6_LLINFO_INCOMPLETE:
715
		ifp = lle->lle_tbl->llt_ifp;
716
		delay = (long)ND_IFINFO(ifp)->retrans * hz / 1000;
717
		break;
718
	case ND6_LLINFO_REACHABLE:
719
		if (!ND6_LLINFO_PERMANENT(lle)) {
720
			ifp = lle->lle_tbl->llt_ifp;
721
			delay = (long)ND_IFINFO(ifp)->reachable * hz;
722
		}
723
		break;
724
	case ND6_LLINFO_STALE:
725

726
		llentry_request_feedback(lle);
727
		nd_delay = V_nd6_delay;
728
		nd_gctimer = V_nd6_gctimer;
729

730
		delay = (long)(MIN(nd_gctimer, nd_delay)) * hz;
731
		remtime = (long)nd_gctimer * hz - delay;
732
		break;
733
	case ND6_LLINFO_DELAY:
734
		lle->la_asked = 0;
735
		delay = (long)V_nd6_delay * hz;
736
		break;
737
	}
738

739
	if (delay > 0)
740
		nd6_llinfo_settimer_locked(lle, delay);
741

742
	lle->lle_remtime = remtime;
743
	lle->ln_state = newstate;
744
}
745

746
/*
747
 * Timer-dependent part of nd state machine.
748
 *
749
 * Set noinline to be dtrace-friendly
750
 */
751
static __noinline void
752
nd6_llinfo_timer(void *arg)
753
{
754
	struct epoch_tracker et;
755
	struct llentry *ln;
756
	struct in6_addr *dst, *pdst, *psrc, src;
757
	struct ifnet *ifp;
758
	struct nd_ifinfo *ndi;
759
	int do_switch, send_ns;
760
	long delay;
761

762
	KASSERT(arg != NULL, ("%s: arg NULL", __func__));
763
	ln = (struct llentry *)arg;
764
	ifp = lltable_get_ifp(ln->lle_tbl);
765
	CURVNET_SET(ifp->if_vnet);
766

767
	ND6_RLOCK();
768
	LLE_WLOCK(ln);
769
	if (callout_pending(&ln->lle_timer)) {
770
		/*
771
		 * Here we are a bit odd here in the treatment of 
772
		 * active/pending. If the pending bit is set, it got
773
		 * rescheduled before I ran. The active
774
		 * bit we ignore, since if it was stopped
775
		 * in ll_tablefree() and was currently running
776
		 * it would have return 0 so the code would
777
		 * not have deleted it since the callout could
778
		 * not be stopped so we want to go through
779
		 * with the delete here now. If the callout
780
		 * was restarted, the pending bit will be back on and
781
		 * we just want to bail since the callout_reset would
782
		 * return 1 and our reference would have been removed
783
		 * by nd6_llinfo_settimer_locked above since canceled
784
		 * would have been 1.
785
		 */
786
		LLE_WUNLOCK(ln);
787
		ND6_RUNLOCK();
788
		CURVNET_RESTORE();
789
		return;
790
	}
791
	NET_EPOCH_ENTER(et);
792
	ndi = ND_IFINFO(ifp);
793
	send_ns = 0;
794
	dst = &ln->r_l3addr.addr6;
795
	pdst = dst;
796

797
	if (ln->ln_ntick > 0) {
798
		if (ln->ln_ntick > INT_MAX) {
799
			ln->ln_ntick -= INT_MAX;
800
			nd6_llinfo_settimer_locked(ln, INT_MAX);
801
		} else {
802
			ln->ln_ntick = 0;
803
			nd6_llinfo_settimer_locked(ln, ln->ln_ntick);
804
		}
805
		goto done;
806
	}
807

808
	if (ln->la_flags & LLE_STATIC) {
809
		goto done;
810
	}
811

812
	if (ln->la_flags & LLE_DELETED) {
813
		nd6_free(&ln, 0);
814
		goto done;
815
	}
816

817
	switch (ln->ln_state) {
818
	case ND6_LLINFO_INCOMPLETE:
819
		if (ln->la_asked < V_nd6_mmaxtries) {
820
			ln->la_asked++;
821
			send_ns = 1;
822
			/* Send NS to multicast address */
823
			pdst = NULL;
824
		} else {
825
			struct mbuf *m;
826

827
			ICMP6STAT_ADD(icp6s_dropped, ln->la_numheld);
828

829
			m = ln->la_hold;
830
			if (m != NULL) {
831
				/*
832
				 * assuming every packet in la_hold has the
833
				 * same IP header.  Send error after unlock.
834
				 */
835
				ln->la_hold = m->m_nextpkt;
836
				m->m_nextpkt = NULL;
837
				ln->la_numheld--;
838
			}
839
			nd6_free(&ln, 0);
840
			if (m != NULL) {
841
				struct mbuf *n = m;
842

843
				/*
844
				 * if there are any ummapped mbufs, we
845
				 * must free them, rather than using
846
				 * them for an ICMP, as they cannot be
847
				 * checksummed.
848
				 */
849
				while ((n = n->m_next) != NULL) {
850
					if (n->m_flags & M_EXTPG)
851
						break;
852
				}
853
				if (n != NULL) {
854
					m_freem(m);
855
					m = NULL;
856
				} else {
857
					icmp6_error2(m, ICMP6_DST_UNREACH,
858
					    ICMP6_DST_UNREACH_ADDR, 0, ifp);
859
				}
860
			}
861
		}
862
		break;
863
	case ND6_LLINFO_REACHABLE:
864
		if (!ND6_LLINFO_PERMANENT(ln))
865
			nd6_llinfo_setstate(ln, ND6_LLINFO_STALE);
866
		break;
867

868
	case ND6_LLINFO_STALE:
869
		if (nd6_is_stale(ln, &delay, &do_switch) != 0) {
870
			/*
871
			 * No packet has used this entry and GC timeout
872
			 * has not been passed. Reschedule timer and
873
			 * return.
874
			 */
875
			nd6_llinfo_settimer_locked(ln, delay);
876
			break;
877
		}
878

879
		if (do_switch == 0) {
880
			/*
881
			 * GC timer has ended and entry hasn't been used.
882
			 * Run Garbage collector (RFC 4861, 5.3)
883
			 */
884
			if (!ND6_LLINFO_PERMANENT(ln))
885
				nd6_free(&ln, 1);
886
			break;
887
		}
888

889
		/* Entry has been used AND delay timer has ended. */
890

891
		/* FALLTHROUGH */
892

893
	case ND6_LLINFO_DELAY:
894
		if (ndi && (ndi->flags & ND6_IFF_PERFORMNUD) != 0) {
895
			/* We need NUD */
896
			ln->la_asked = 1;
897
			nd6_llinfo_setstate(ln, ND6_LLINFO_PROBE);
898
			send_ns = 1;
899
		} else
900
			nd6_llinfo_setstate(ln, ND6_LLINFO_STALE); /* XXX */
901
		break;
902
	case ND6_LLINFO_PROBE:
903
		if (ln->la_asked < V_nd6_umaxtries) {
904
			ln->la_asked++;
905
			send_ns = 1;
906
		} else {
907
			nd6_free(&ln, 0);
908
		}
909
		break;
910
	default:
911
		panic("%s: paths in a dark night can be confusing: %d",
912
		    __func__, ln->ln_state);
913
	}
914
done:
915
	if (ln != NULL)
916
		ND6_RUNLOCK();
917
	if (send_ns != 0) {
918
		nd6_llinfo_settimer_locked(ln, (long)ndi->retrans * hz / 1000);
919
		psrc = nd6_llinfo_get_holdsrc(ln, &src);
920
		LLE_FREE_LOCKED(ln);
921
		ln = NULL;
922
		nd6_ns_output(ifp, psrc, pdst, dst, NULL);
923
	}
924

925
	if (ln != NULL)
926
		LLE_FREE_LOCKED(ln);
927
	NET_EPOCH_EXIT(et);
928
	CURVNET_RESTORE();
929
}
930

931
/*
932
 * ND6 timer routine to expire default route list and prefix list
933
 */
934
void
935
nd6_timer(void *arg)
936
{
937
	CURVNET_SET((struct vnet *) arg);
938
	struct epoch_tracker et;
939
	struct nd_prhead prl;
940
	struct nd_prefix *pr, *npr;
941
	struct ifnet *ifp;
942
	struct in6_ifaddr *ia6, *nia6;
943
	uint64_t genid;
944

945
	LIST_INIT(&prl);
946

947
	NET_EPOCH_ENTER(et);
948
	nd6_defrouter_timer();
949

950
	/*
951
	 * expire interface addresses.
952
	 * in the past the loop was inside prefix expiry processing.
953
	 * However, from a stricter speci-confrmance standpoint, we should
954
	 * rather separate address lifetimes and prefix lifetimes.
955
	 *
956
	 * XXXRW: in6_ifaddrhead locking.
957
	 */
958
  addrloop:
959
	CK_STAILQ_FOREACH_SAFE(ia6, &V_in6_ifaddrhead, ia_link, nia6) {
960
		/* check address lifetime */
961
		if (IFA6_IS_INVALID(ia6)) {
962
			int regen = 0;
963

964
			/*
965
			 * If the expiring address is temporary, try
966
			 * regenerating a new one.  This would be useful when
967
			 * we suspended a laptop PC, then turned it on after a
968
			 * period that could invalidate all temporary
969
			 * addresses.  Although we may have to restart the
970
			 * loop (see below), it must be after purging the
971
			 * address.  Otherwise, we'd see an infinite loop of
972
			 * regeneration.
973
			 */
974
			if (V_ip6_use_tempaddr &&
975
			    (ia6->ia6_flags & IN6_IFF_TEMPORARY) != 0) {
976
				if (regen_tmpaddr(ia6) == 0)
977
					regen = 1;
978
			}
979

980
			in6_purgeaddr(&ia6->ia_ifa);
981

982
			if (regen)
983
				goto addrloop; /* XXX: see below */
984
		} else if (IFA6_IS_DEPRECATED(ia6)) {
985
			int oldflags = ia6->ia6_flags;
986

987
			ia6->ia6_flags |= IN6_IFF_DEPRECATED;
988

989
			/*
990
			 * If a temporary address has just become deprecated,
991
			 * regenerate a new one if possible.
992
			 */
993
			if (V_ip6_use_tempaddr &&
994
			    (ia6->ia6_flags & IN6_IFF_TEMPORARY) != 0 &&
995
			    (oldflags & IN6_IFF_DEPRECATED) == 0) {
996
				if (regen_tmpaddr(ia6) == 0) {
997
					/*
998
					 * A new temporary address is
999
					 * generated.
1000
					 * XXX: this means the address chain
1001
					 * has changed while we are still in
1002
					 * the loop.  Although the change
1003
					 * would not cause disaster (because
1004
					 * it's not a deletion, but an
1005
					 * addition,) we'd rather restart the
1006
					 * loop just for safety.  Or does this
1007
					 * significantly reduce performance??
1008
					 */
1009
					goto addrloop;
1010
				}
1011
			}
1012
		} else if ((ia6->ia6_flags & IN6_IFF_TENTATIVE) != 0) {
1013
			/*
1014
			 * Schedule DAD for a tentative address.  This happens
1015
			 * if the interface was down or not running
1016
			 * when the address was configured.
1017
			 */
1018
			int delay;
1019

1020
			delay = arc4random() %
1021
			    (MAX_RTR_SOLICITATION_DELAY * hz);
1022
			nd6_dad_start((struct ifaddr *)ia6, delay);
1023
		} else {
1024
			/*
1025
			 * Check status of the interface.  If it is down,
1026
			 * mark the address as tentative for future DAD.
1027
			 */
1028
			ifp = ia6->ia_ifp;
1029
			if ((ND_IFINFO(ifp)->flags & ND6_IFF_NO_DAD) == 0 &&
1030
			    ((ifp->if_flags & IFF_UP) == 0 ||
1031
			    (ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
1032
			    (ND_IFINFO(ifp)->flags & ND6_IFF_IFDISABLED) != 0)){
1033
				ia6->ia6_flags &= ~IN6_IFF_DUPLICATED;
1034
				ia6->ia6_flags |= IN6_IFF_TENTATIVE;
1035
			}
1036

1037
			/*
1038
			 * A new RA might have made a deprecated address
1039
			 * preferred.
1040
			 */
1041
			ia6->ia6_flags &= ~IN6_IFF_DEPRECATED;
1042
		}
1043
	}
1044
	NET_EPOCH_EXIT(et);
1045

1046
	ND6_WLOCK();
1047
restart:
1048
	LIST_FOREACH_SAFE(pr, &V_nd_prefix, ndpr_entry, npr) {
1049
		/*
1050
		 * Expire prefixes. Since the pltime is only used for
1051
		 * autoconfigured addresses, pltime processing for prefixes is
1052
		 * not necessary.
1053
		 *
1054
		 * Only unlink after all derived addresses have expired. This
1055
		 * may not occur until two hours after the prefix has expired
1056
		 * per RFC 4862. If the prefix expires before its derived
1057
		 * addresses, mark it off-link. This will be done automatically
1058
		 * after unlinking if no address references remain.
1059
		 */
1060
		if (pr->ndpr_vltime == ND6_INFINITE_LIFETIME ||
1061
		    time_uptime - pr->ndpr_lastupdate <= pr->ndpr_vltime)
1062
			continue;
1063

1064
		if (pr->ndpr_addrcnt == 0) {
1065
			nd6_prefix_unlink(pr, &prl);
1066
			continue;
1067
		}
1068
		if ((pr->ndpr_stateflags & NDPRF_ONLINK) != 0) {
1069
			genid = V_nd6_list_genid;
1070
			nd6_prefix_ref(pr);
1071
			ND6_WUNLOCK();
1072
			ND6_ONLINK_LOCK();
1073
			(void)nd6_prefix_offlink(pr);
1074
			ND6_ONLINK_UNLOCK();
1075
			ND6_WLOCK();
1076
			nd6_prefix_rele(pr);
1077
			if (genid != V_nd6_list_genid)
1078
				goto restart;
1079
		}
1080
	}
1081
	ND6_WUNLOCK();
1082

1083
	while ((pr = LIST_FIRST(&prl)) != NULL) {
1084
		LIST_REMOVE(pr, ndpr_entry);
1085
		nd6_prefix_del(pr);
1086
	}
1087

1088
	callout_reset(&V_nd6_timer_ch, V_nd6_prune * hz,
1089
	    nd6_timer, curvnet);
1090

1091
	CURVNET_RESTORE();
1092
}
1093

1094
/*
1095
 * ia6 - deprecated/invalidated temporary address
1096
 */
1097
static int
1098
regen_tmpaddr(struct in6_ifaddr *ia6)
1099
{
1100
	struct ifaddr *ifa;
1101
	struct ifnet *ifp;
1102
	struct in6_ifaddr *public_ifa6 = NULL;
1103

1104
	NET_EPOCH_ASSERT();
1105

1106
	ifp = ia6->ia_ifa.ifa_ifp;
1107
	CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
1108
		struct in6_ifaddr *it6;
1109

1110
		if (ifa->ifa_addr->sa_family != AF_INET6)
1111
			continue;
1112

1113
		it6 = (struct in6_ifaddr *)ifa;
1114

1115
		/* ignore no autoconf addresses. */
1116
		if ((it6->ia6_flags & IN6_IFF_AUTOCONF) == 0)
1117
			continue;
1118

1119
		/* ignore autoconf addresses with different prefixes. */
1120
		if (it6->ia6_ndpr == NULL || it6->ia6_ndpr != ia6->ia6_ndpr)
1121
			continue;
1122

1123
		/*
1124
		 * Now we are looking at an autoconf address with the same
1125
		 * prefix as ours.  If the address is temporary and is still
1126
		 * preferred, do not create another one.  It would be rare, but
1127
		 * could happen, for example, when we resume a laptop PC after
1128
		 * a long period.
1129
		 */
1130
		if ((it6->ia6_flags & IN6_IFF_TEMPORARY) != 0 &&
1131
		    !IFA6_IS_DEPRECATED(it6)) {
1132
			public_ifa6 = NULL;
1133
			break;
1134
		}
1135

1136
		/*
1137
		 * This is a public autoconf address that has the same prefix
1138
		 * as ours.  If it is preferred, keep it.  We can't break the
1139
		 * loop here, because there may be a still-preferred temporary
1140
		 * address with the prefix.
1141
		 */
1142
		if (!IFA6_IS_DEPRECATED(it6))
1143
			public_ifa6 = it6;
1144
	}
1145
	if (public_ifa6 != NULL)
1146
		ifa_ref(&public_ifa6->ia_ifa);
1147

1148
	if (public_ifa6 != NULL) {
1149
		int e;
1150

1151
		if ((e = in6_tmpifadd(public_ifa6, 0, 0)) != 0) {
1152
			ifa_free(&public_ifa6->ia_ifa);
1153
			log(LOG_NOTICE, "regen_tmpaddr: failed to create a new"
1154
			    " tmp addr,errno=%d\n", e);
1155
			return (-1);
1156
		}
1157
		ifa_free(&public_ifa6->ia_ifa);
1158
		return (0);
1159
	}
1160

1161
	return (-1);
1162
}
1163

1164
/*
1165
 * Remove prefix and default router list entries corresponding to ifp. Neighbor
1166
 * cache entries are freed in in6_domifdetach().
1167
 */
1168
void
1169
nd6_purge(struct ifnet *ifp)
1170
{
1171
	struct nd_prhead prl;
1172
	struct nd_prefix *pr, *npr;
1173

1174
	LIST_INIT(&prl);
1175

1176
	/* Purge default router list entries toward ifp. */
1177
	nd6_defrouter_purge(ifp);
1178

1179
	ND6_WLOCK();
1180
	/*
1181
	 * Remove prefixes on ifp. We should have already removed addresses on
1182
	 * this interface, so no addresses should be referencing these prefixes.
1183
	 */
1184
	LIST_FOREACH_SAFE(pr, &V_nd_prefix, ndpr_entry, npr) {
1185
		if (pr->ndpr_ifp == ifp)
1186
			nd6_prefix_unlink(pr, &prl);
1187
	}
1188
	ND6_WUNLOCK();
1189

1190
	/* Delete the unlinked prefix objects. */
1191
	while ((pr = LIST_FIRST(&prl)) != NULL) {
1192
		LIST_REMOVE(pr, ndpr_entry);
1193
		nd6_prefix_del(pr);
1194
	}
1195

1196
	/* cancel default outgoing interface setting */
1197
	if (V_nd6_defifindex == ifp->if_index)
1198
		nd6_setdefaultiface(0);
1199

1200
	if (ND_IFINFO(ifp)->flags & ND6_IFF_ACCEPT_RTADV) {
1201
		/* Refresh default router list. */
1202
		defrouter_select_fib(ifp->if_fib);
1203
	}
1204
}
1205

1206
/* 
1207
 * the caller acquires and releases the lock on the lltbls
1208
 * Returns the llentry locked
1209
 */
1210
struct llentry *
1211
nd6_lookup(const struct in6_addr *addr6, int flags, struct ifnet *ifp)
1212
{
1213
	struct sockaddr_in6 sin6;
1214
	struct llentry *ln;
1215

1216
	bzero(&sin6, sizeof(sin6));
1217
	sin6.sin6_len = sizeof(struct sockaddr_in6);
1218
	sin6.sin6_family = AF_INET6;
1219
	sin6.sin6_addr = *addr6;
1220

1221
	IF_AFDATA_LOCK_ASSERT(ifp);
1222

1223
	ln = lla_lookup(LLTABLE6(ifp), flags, (struct sockaddr *)&sin6);
1224

1225
	return (ln);
1226
}
1227

1228
static struct llentry *
1229
nd6_alloc(const struct in6_addr *addr6, int flags, struct ifnet *ifp)
1230
{
1231
	struct sockaddr_in6 sin6;
1232
	struct llentry *ln;
1233

1234
	bzero(&sin6, sizeof(sin6));
1235
	sin6.sin6_len = sizeof(struct sockaddr_in6);
1236
	sin6.sin6_family = AF_INET6;
1237
	sin6.sin6_addr = *addr6;
1238

1239
	ln = lltable_alloc_entry(LLTABLE6(ifp), 0, (struct sockaddr *)&sin6);
1240
	if (ln != NULL)
1241
		ln->ln_state = ND6_LLINFO_NOSTATE;
1242

1243
	return (ln);
1244
}
1245

1246
/*
1247
 * Test whether a given IPv6 address can be a neighbor.
1248
 */
1249
static bool
1250
nd6_is_new_addr_neighbor(const struct sockaddr_in6 *addr, struct ifnet *ifp)
1251
{
1252

1253
	/*
1254
	 * A link-local address is always a neighbor.
1255
	 * XXX: a link does not necessarily specify a single interface.
1256
	 */
1257
	if (IN6_IS_ADDR_LINKLOCAL(&addr->sin6_addr)) {
1258
		struct sockaddr_in6 sin6_copy;
1259
		u_int32_t zone;
1260

1261
		/*
1262
		 * We need sin6_copy since sa6_recoverscope() may modify the
1263
		 * content (XXX).
1264
		 */
1265
		sin6_copy = *addr;
1266
		if (sa6_recoverscope(&sin6_copy))
1267
			return (0); /* XXX: should be impossible */
1268
		if (in6_setscope(&sin6_copy.sin6_addr, ifp, &zone))
1269
			return (0);
1270
		if (sin6_copy.sin6_scope_id == zone)
1271
			return (1);
1272
		else
1273
			return (0);
1274
	}
1275
	/* Checking global unicast */
1276

1277
	/* If an address is directly reachable, it is a neigbor */
1278
	struct nhop_object *nh;
1279
	nh = fib6_lookup(ifp->if_fib, &addr->sin6_addr, 0, NHR_NONE, 0);
1280
	if (nh != NULL && nh->nh_aifp == ifp && (nh->nh_flags & NHF_GATEWAY) == 0)
1281
		return (true);
1282

1283
	/*
1284
	 * Check prefixes with desired on-link state, as some may be not
1285
	 * installed in the routing table.
1286
	 */
1287
	bool matched = false;
1288
	struct nd_prefix *pr;
1289
	ND6_RLOCK();
1290
	LIST_FOREACH(pr, &V_nd_prefix, ndpr_entry) {
1291
		if (pr->ndpr_ifp != ifp)
1292
			continue;
1293
		if ((pr->ndpr_stateflags & NDPRF_ONLINK) == 0)
1294
			continue;
1295
		if (IN6_ARE_MASKED_ADDR_EQUAL(&pr->ndpr_prefix.sin6_addr,
1296
		    &addr->sin6_addr, &pr->ndpr_mask)) {
1297
			matched = true;
1298
			break;
1299
		}
1300
	}
1301
	ND6_RUNLOCK();
1302
	if (matched)
1303
		return (true);
1304

1305
	/*
1306
	 * If the address is assigned on the node of the other side of
1307
	 * a p2p interface, the address should be a neighbor.
1308
	 */
1309
	if (ifp->if_flags & IFF_POINTOPOINT) {
1310
		struct ifaddr *ifa;
1311

1312
		CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
1313
			if (ifa->ifa_addr->sa_family != addr->sin6_family)
1314
				continue;
1315
			if (ifa->ifa_dstaddr != NULL &&
1316
			    sa_equal(addr, ifa->ifa_dstaddr)) {
1317
				return (true);
1318
			}
1319
		}
1320
	}
1321

1322
	/*
1323
	 * If the default router list is empty, all addresses are regarded
1324
	 * as on-link, and thus, as a neighbor.
1325
	 */
1326
	if (ND_IFINFO(ifp)->flags & ND6_IFF_ACCEPT_RTADV &&
1327
	    nd6_defrouter_list_empty() &&
1328
	    V_nd6_defifindex == ifp->if_index) {
1329
		return (1);
1330
	}
1331

1332
	return (0);
1333
}
1334

1335
/*
1336
 * Detect if a given IPv6 address identifies a neighbor on a given link.
1337
 * XXX: should take care of the destination of a p2p link?
1338
 */
1339
int
1340
nd6_is_addr_neighbor(const struct sockaddr_in6 *addr, struct ifnet *ifp)
1341
{
1342
	struct llentry *lle;
1343
	int rc = 0;
1344

1345
	NET_EPOCH_ASSERT();
1346
	IF_AFDATA_UNLOCK_ASSERT(ifp);
1347
	if (nd6_is_new_addr_neighbor(addr, ifp))
1348
		return (1);
1349

1350
	/*
1351
	 * Even if the address matches none of our addresses, it might be
1352
	 * in the neighbor cache.
1353
	 */
1354
	if ((lle = nd6_lookup(&addr->sin6_addr, LLE_SF(AF_INET6, 0), ifp)) != NULL) {
1355
		LLE_RUNLOCK(lle);
1356
		rc = 1;
1357
	}
1358
	return (rc);
1359
}
1360

1361
static __noinline void
1362
nd6_free_children(struct llentry *lle)
1363
{
1364
	struct llentry *child_lle;
1365

1366
	NET_EPOCH_ASSERT();
1367
	LLE_WLOCK_ASSERT(lle);
1368

1369
	while ((child_lle = CK_SLIST_FIRST(&lle->lle_children)) != NULL) {
1370
		LLE_WLOCK(child_lle);
1371
		lltable_unlink_child_entry(child_lle);
1372
		llentry_free(child_lle);
1373
	}
1374
}
1375

1376
/*
1377
 * Tries to update @lle address/prepend data with new @lladdr.
1378
 *
1379
 * Returns true on success.
1380
 * In any case, @lle is returned wlocked.
1381
 */
1382
static __noinline bool
1383
nd6_try_set_entry_addr_locked(struct ifnet *ifp, struct llentry *lle, char *lladdr)
1384
{
1385
	u_char buf[LLE_MAX_LINKHDR];
1386
	int fam, off;
1387
	size_t sz;
1388

1389
	sz = sizeof(buf);
1390
	if (lltable_calc_llheader(ifp, AF_INET6, lladdr, buf, &sz, &off) != 0)
1391
		return (false);
1392

1393
	/* Update data */
1394
	lltable_set_entry_addr(ifp, lle, buf, sz, off);
1395

1396
	struct llentry *child_lle;
1397
	CK_SLIST_FOREACH(child_lle, &lle->lle_children, lle_child_next) {
1398
		LLE_WLOCK(child_lle);
1399
		fam = child_lle->r_family;
1400
		sz = sizeof(buf);
1401
		if (lltable_calc_llheader(ifp, fam, lladdr, buf, &sz, &off) == 0) {
1402
			/* success */
1403
			lltable_set_entry_addr(ifp, child_lle, buf, sz, off);
1404
			child_lle->ln_state = ND6_LLINFO_REACHABLE;
1405
		}
1406
		LLE_WUNLOCK(child_lle);
1407
	}
1408

1409
	return (true);
1410
}
1411

1412
bool
1413
nd6_try_set_entry_addr(struct ifnet *ifp, struct llentry *lle, char *lladdr)
1414
{
1415
	NET_EPOCH_ASSERT();
1416
	LLE_WLOCK_ASSERT(lle);
1417

1418
	if (!lltable_acquire_wlock(ifp, lle))
1419
		return (false);
1420
	bool ret = nd6_try_set_entry_addr_locked(ifp, lle, lladdr);
1421
	IF_AFDATA_WUNLOCK(ifp);
1422

1423
	return (ret);
1424
}
1425

1426
/*
1427
 * Free an nd6 llinfo entry.
1428
 * Since the function would cause significant changes in the kernel, DO NOT
1429
 * make it global, unless you have a strong reason for the change, and are sure
1430
 * that the change is safe.
1431
 *
1432
 * Set noinline to be dtrace-friendly
1433
 */
1434
static __noinline void
1435
nd6_free(struct llentry **lnp, int gc)
1436
{
1437
	struct ifnet *ifp;
1438
	struct llentry *ln;
1439
	struct nd_defrouter *dr;
1440

1441
	ln = *lnp;
1442
	*lnp = NULL;
1443

1444
	LLE_WLOCK_ASSERT(ln);
1445
	ND6_RLOCK_ASSERT();
1446

1447
	KASSERT((ln->la_flags & LLE_CHILD) == 0, ("child lle"));
1448

1449
	ifp = lltable_get_ifp(ln->lle_tbl);
1450
	if ((ND_IFINFO(ifp)->flags & ND6_IFF_ACCEPT_RTADV) != 0)
1451
		dr = defrouter_lookup_locked(&ln->r_l3addr.addr6, ifp);
1452
	else
1453
		dr = NULL;
1454
	ND6_RUNLOCK();
1455

1456
	if ((ln->la_flags & LLE_DELETED) == 0)
1457
		EVENTHANDLER_INVOKE(lle_event, ln, LLENTRY_EXPIRED);
1458

1459
	/*
1460
	 * we used to have pfctlinput(PRC_HOSTDEAD) here.
1461
	 * even though it is not harmful, it was not really necessary.
1462
	 */
1463

1464
	/* cancel timer */
1465
	nd6_llinfo_settimer_locked(ln, -1);
1466

1467
	if (ND_IFINFO(ifp)->flags & ND6_IFF_ACCEPT_RTADV) {
1468
		if (dr != NULL && dr->expire &&
1469
		    ln->ln_state == ND6_LLINFO_STALE && gc) {
1470
			/*
1471
			 * If the reason for the deletion is just garbage
1472
			 * collection, and the neighbor is an active default
1473
			 * router, do not delete it.  Instead, reset the GC
1474
			 * timer using the router's lifetime.
1475
			 * Simply deleting the entry would affect default
1476
			 * router selection, which is not necessarily a good
1477
			 * thing, especially when we're using router preference
1478
			 * values.
1479
			 * XXX: the check for ln_state would be redundant,
1480
			 *      but we intentionally keep it just in case.
1481
			 */
1482
			if (dr->expire > time_uptime)
1483
				nd6_llinfo_settimer_locked(ln,
1484
				    (dr->expire - time_uptime) * hz);
1485
			else
1486
				nd6_llinfo_settimer_locked(ln,
1487
				    (long)V_nd6_gctimer * hz);
1488

1489
			LLE_REMREF(ln);
1490
			LLE_WUNLOCK(ln);
1491
			defrouter_rele(dr);
1492
			return;
1493
		}
1494

1495
		if (dr) {
1496
			/*
1497
			 * Unreachability of a router might affect the default
1498
			 * router selection and on-link detection of advertised
1499
			 * prefixes.
1500
			 */
1501

1502
			/*
1503
			 * Temporarily fake the state to choose a new default
1504
			 * router and to perform on-link determination of
1505
			 * prefixes correctly.
1506
			 * Below the state will be set correctly,
1507
			 * or the entry itself will be deleted.
1508
			 */
1509
			ln->ln_state = ND6_LLINFO_INCOMPLETE;
1510
		}
1511

1512
		if (ln->ln_router || dr) {
1513
			/*
1514
			 * We need to unlock to avoid a LOR with rt6_flush() with the
1515
			 * rnh and for the calls to pfxlist_onlink_check() and
1516
			 * defrouter_select_fib() in the block further down for calls
1517
			 * into nd6_lookup().  We still hold a ref.
1518
			 */
1519
			LLE_WUNLOCK(ln);
1520

1521
			/*
1522
			 * rt6_flush must be called whether or not the neighbor
1523
			 * is in the Default Router List.
1524
			 * See a corresponding comment in nd6_na_input().
1525
			 */
1526
			rt6_flush(&ln->r_l3addr.addr6, ifp);
1527
		}
1528

1529
		if (dr) {
1530
			/*
1531
			 * Since defrouter_select_fib() does not affect the
1532
			 * on-link determination and MIP6 needs the check
1533
			 * before the default router selection, we perform
1534
			 * the check now.
1535
			 */
1536
			pfxlist_onlink_check();
1537

1538
			/*
1539
			 * Refresh default router list.
1540
			 */
1541
			defrouter_select_fib(dr->ifp->if_fib);
1542
		}
1543

1544
		/*
1545
		 * If this entry was added by an on-link redirect, remove the
1546
		 * corresponding host route.
1547
		 */
1548
		if (ln->la_flags & LLE_REDIRECT)
1549
			nd6_free_redirect(ln);
1550

1551
		if (ln->ln_router || dr)
1552
			LLE_WLOCK(ln);
1553
	}
1554

1555
	/*
1556
	 * Save to unlock. We still hold an extra reference and will not
1557
	 * free(9) in llentry_free() if someone else holds one as well.
1558
	 */
1559
	LLE_WUNLOCK(ln);
1560
	IF_AFDATA_LOCK(ifp);
1561
	LLE_WLOCK(ln);
1562
	/* Guard against race with other llentry_free(). */
1563
	if (ln->la_flags & LLE_LINKED) {
1564
		/* Remove callout reference */
1565
		LLE_REMREF(ln);
1566
		lltable_unlink_entry(ln->lle_tbl, ln);
1567
	}
1568
	IF_AFDATA_UNLOCK(ifp);
1569

1570
	nd6_free_children(ln);
1571

1572
	llentry_free(ln);
1573
	if (dr != NULL)
1574
		defrouter_rele(dr);
1575
}
1576

1577
static int
1578
nd6_isdynrte(const struct rtentry *rt, const struct nhop_object *nh, void *xap)
1579
{
1580

1581
	if (nh->nh_flags & NHF_REDIRECT)
1582
		return (1);
1583

1584
	return (0);
1585
}
1586

1587
/*
1588
 * Remove the rtentry for the given llentry,
1589
 * both of which were installed by a redirect.
1590
 */
1591
static void
1592
nd6_free_redirect(const struct llentry *ln)
1593
{
1594
	int fibnum;
1595
	struct sockaddr_in6 sin6;
1596
	struct rib_cmd_info rc;
1597
	struct epoch_tracker et;
1598

1599
	lltable_fill_sa_entry(ln, (struct sockaddr *)&sin6);
1600

1601
	NET_EPOCH_ENTER(et);
1602
	for (fibnum = 0; fibnum < rt_numfibs; fibnum++)
1603
		rib_del_route_px(fibnum, (struct sockaddr *)&sin6, 128,
1604
		    nd6_isdynrte, NULL, 0, &rc);
1605
	NET_EPOCH_EXIT(et);
1606
}
1607

1608
/*
1609
 * Updates status of the default router route.
1610
 */
1611
static void
1612
check_release_defrouter(const struct rib_cmd_info *rc, void *_cbdata)
1613
{
1614
	struct nd_defrouter *dr;
1615
	struct nhop_object *nh;
1616

1617
	nh = rc->rc_nh_old;
1618
	if (rc->rc_cmd == RTM_DELETE && (nh->nh_flags & NHF_DEFAULT) != 0) {
1619
		dr = defrouter_lookup(&nh->gw6_sa.sin6_addr, nh->nh_ifp);
1620
		if (dr != NULL) {
1621
			dr->installed = 0;
1622
			defrouter_rele(dr);
1623
		}
1624
	}
1625
}
1626

1627
void
1628
nd6_subscription_cb(struct rib_head *rnh, struct rib_cmd_info *rc, void *arg)
1629
{
1630
#ifdef ROUTE_MPATH
1631
	rib_decompose_notification(rc, check_release_defrouter, NULL);
1632
	if (rc->rc_cmd == RTM_DELETE && !NH_IS_NHGRP(rc->rc_nh_old))
1633
		check_release_defrouter(rc, NULL);
1634
#else
1635
	check_release_defrouter(rc, NULL);
1636
#endif
1637
}
1638

1639
int
1640
nd6_ioctl(u_long cmd, caddr_t data, struct ifnet *ifp)
1641
{
1642
	struct in6_ndireq *ndi = (struct in6_ndireq *)data;
1643
	struct in6_nbrinfo *nbi = (struct in6_nbrinfo *)data;
1644
	struct in6_ndifreq *ndif = (struct in6_ndifreq *)data;
1645
	struct epoch_tracker et;
1646
	int error = 0;
1647

1648
	if (ifp->if_afdata[AF_INET6] == NULL)
1649
		return (EPFNOSUPPORT);
1650
	switch (cmd) {
1651
	case OSIOCGIFINFO_IN6:
1652
#define ND	ndi->ndi
1653
		/* XXX: old ndp(8) assumes a positive value for linkmtu. */
1654
		bzero(&ND, sizeof(ND));
1655
		ND.linkmtu = IN6_LINKMTU(ifp);
1656
		ND.maxmtu = ND_IFINFO(ifp)->maxmtu;
1657
		ND.basereachable = ND_IFINFO(ifp)->basereachable;
1658
		ND.reachable = ND_IFINFO(ifp)->reachable;
1659
		ND.retrans = ND_IFINFO(ifp)->retrans;
1660
		ND.flags = ND_IFINFO(ifp)->flags;
1661
		ND.recalctm = ND_IFINFO(ifp)->recalctm;
1662
		ND.chlim = ND_IFINFO(ifp)->chlim;
1663
		break;
1664
	case SIOCGIFINFO_IN6:
1665
		ND = *ND_IFINFO(ifp);
1666
		break;
1667
	case SIOCSIFINFO_IN6:
1668
		/*
1669
		 * used to change host variables from userland.
1670
		 * intended for a use on router to reflect RA configurations.
1671
		 */
1672
		/* 0 means 'unspecified' */
1673
		if (ND.linkmtu != 0) {
1674
			if (ND.linkmtu < IPV6_MMTU ||
1675
			    ND.linkmtu > IN6_LINKMTU(ifp)) {
1676
				error = EINVAL;
1677
				break;
1678
			}
1679
			ND_IFINFO(ifp)->linkmtu = ND.linkmtu;
1680
		}
1681

1682
		if (ND.basereachable != 0) {
1683
			int obasereachable = ND_IFINFO(ifp)->basereachable;
1684

1685
			ND_IFINFO(ifp)->basereachable = ND.basereachable;
1686
			if (ND.basereachable != obasereachable)
1687
				ND_IFINFO(ifp)->reachable =
1688
				    ND_COMPUTE_RTIME(ND.basereachable);
1689
		}
1690
		if (ND.retrans != 0)
1691
			ND_IFINFO(ifp)->retrans = ND.retrans;
1692
		if (ND.chlim != 0)
1693
			ND_IFINFO(ifp)->chlim = ND.chlim;
1694
		/* FALLTHROUGH */
1695
	case SIOCSIFINFO_FLAGS:
1696
	{
1697
		struct ifaddr *ifa;
1698
		struct in6_ifaddr *ia;
1699

1700
		if ((ND_IFINFO(ifp)->flags & ND6_IFF_IFDISABLED) &&
1701
		    !(ND.flags & ND6_IFF_IFDISABLED)) {
1702
			/* ifdisabled 1->0 transision */
1703

1704
			/*
1705
			 * If the interface is marked as ND6_IFF_IFDISABLED and
1706
			 * has an link-local address with IN6_IFF_DUPLICATED,
1707
			 * do not clear ND6_IFF_IFDISABLED.
1708
			 * See RFC 4862, Section 5.4.5.
1709
			 */
1710
			NET_EPOCH_ENTER(et);
1711
			CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
1712
				if (ifa->ifa_addr->sa_family != AF_INET6)
1713
					continue;
1714
				ia = (struct in6_ifaddr *)ifa;
1715
				if ((ia->ia6_flags & IN6_IFF_DUPLICATED) &&
1716
				    IN6_IS_ADDR_LINKLOCAL(IA6_IN6(ia)))
1717
					break;
1718
			}
1719
			NET_EPOCH_EXIT(et);
1720

1721
			if (ifa != NULL) {
1722
				/* LLA is duplicated. */
1723
				ND.flags |= ND6_IFF_IFDISABLED;
1724
				log(LOG_ERR, "Cannot enable an interface"
1725
				    " with a link-local address marked"
1726
				    " duplicate.\n");
1727
			} else {
1728
				ND_IFINFO(ifp)->flags &= ~ND6_IFF_IFDISABLED;
1729
				if (ifp->if_flags & IFF_UP)
1730
					in6_if_up(ifp);
1731
			}
1732
		} else if (!(ND_IFINFO(ifp)->flags & ND6_IFF_IFDISABLED) &&
1733
			    (ND.flags & ND6_IFF_IFDISABLED)) {
1734
			/* ifdisabled 0->1 transision */
1735
			/* Mark all IPv6 address as tentative. */
1736

1737
			ND_IFINFO(ifp)->flags |= ND6_IFF_IFDISABLED;
1738
			if (V_ip6_dad_count > 0 &&
1739
			    (ND_IFINFO(ifp)->flags & ND6_IFF_NO_DAD) == 0) {
1740
				NET_EPOCH_ENTER(et);
1741
				CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead,
1742
				    ifa_link) {
1743
					if (ifa->ifa_addr->sa_family !=
1744
					    AF_INET6)
1745
						continue;
1746
					ia = (struct in6_ifaddr *)ifa;
1747
					ia->ia6_flags |= IN6_IFF_TENTATIVE;
1748
				}
1749
				NET_EPOCH_EXIT(et);
1750
			}
1751
		}
1752

1753
		if (ND.flags & ND6_IFF_AUTO_LINKLOCAL) {
1754
			if (!(ND_IFINFO(ifp)->flags & ND6_IFF_AUTO_LINKLOCAL)) {
1755
				/* auto_linklocal 0->1 transision */
1756

1757
				/* If no link-local address on ifp, configure */
1758
				ND_IFINFO(ifp)->flags |= ND6_IFF_AUTO_LINKLOCAL;
1759
				in6_ifattach(ifp, NULL);
1760
			} else if (!(ND.flags & ND6_IFF_IFDISABLED) &&
1761
			    ifp->if_flags & IFF_UP) {
1762
				/*
1763
				 * When the IF already has
1764
				 * ND6_IFF_AUTO_LINKLOCAL, no link-local
1765
				 * address is assigned, and IFF_UP, try to
1766
				 * assign one.
1767
				 */
1768
				NET_EPOCH_ENTER(et);
1769
				CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead,
1770
				    ifa_link) {
1771
					if (ifa->ifa_addr->sa_family !=
1772
					    AF_INET6)
1773
						continue;
1774
					ia = (struct in6_ifaddr *)ifa;
1775
					if (IN6_IS_ADDR_LINKLOCAL(IA6_IN6(ia)))
1776
						break;
1777
				}
1778
				NET_EPOCH_EXIT(et);
1779
				if (ifa != NULL)
1780
					/* No LLA is configured. */
1781
					in6_ifattach(ifp, NULL);
1782
			}
1783
		}
1784
		ND_IFINFO(ifp)->flags = ND.flags;
1785
		break;
1786
	}
1787
#undef ND
1788
	case SIOCSNDFLUSH_IN6:	/* XXX: the ioctl name is confusing... */
1789
		/* sync kernel routing table with the default router list */
1790
		defrouter_reset();
1791
		defrouter_select_fib(RT_ALL_FIBS);
1792
		break;
1793
	case SIOCSPFXFLUSH_IN6:
1794
	{
1795
		/* flush all the prefix advertised by routers */
1796
		struct in6_ifaddr *ia, *ia_next;
1797
		struct nd_prefix *pr, *next;
1798
		struct nd_prhead prl;
1799

1800
		LIST_INIT(&prl);
1801

1802
		ND6_WLOCK();
1803
		LIST_FOREACH_SAFE(pr, &V_nd_prefix, ndpr_entry, next) {
1804
			if (ND6_PREFIX_WITH_ROUTER(pr))
1805
				nd6_prefix_unlink(pr, &prl);
1806
		}
1807
		ND6_WUNLOCK();
1808

1809
		while ((pr = LIST_FIRST(&prl)) != NULL) {
1810
			LIST_REMOVE(pr, ndpr_entry);
1811
			/* XXXRW: in6_ifaddrhead locking. */
1812
			CK_STAILQ_FOREACH_SAFE(ia, &V_in6_ifaddrhead, ia_link,
1813
			    ia_next) {
1814
				if ((ia->ia6_flags & IN6_IFF_AUTOCONF) == 0)
1815
					continue;
1816

1817
				if (ia->ia6_ndpr == pr)
1818
					in6_purgeaddr(&ia->ia_ifa);
1819
			}
1820
			nd6_prefix_del(pr);
1821
		}
1822
		break;
1823
	}
1824
	case SIOCSRTRFLUSH_IN6:
1825
	{
1826
		/* flush all the default routers */
1827

1828
		defrouter_reset();
1829
		nd6_defrouter_flush_all();
1830
		defrouter_select_fib(RT_ALL_FIBS);
1831
		break;
1832
	}
1833
	case SIOCGNBRINFO_IN6:
1834
	{
1835
		struct llentry *ln;
1836
		struct in6_addr nb_addr = nbi->addr; /* make local for safety */
1837

1838
		if ((error = in6_setscope(&nb_addr, ifp, NULL)) != 0)
1839
			return (error);
1840

1841
		NET_EPOCH_ENTER(et);
1842
		ln = nd6_lookup(&nb_addr, LLE_SF(AF_INET6, 0), ifp);
1843
		NET_EPOCH_EXIT(et);
1844

1845
		if (ln == NULL) {
1846
			error = EINVAL;
1847
			break;
1848
		}
1849
		nbi->state = ln->ln_state;
1850
		nbi->asked = ln->la_asked;
1851
		nbi->isrouter = ln->ln_router;
1852
		if (ln->la_expire == 0)
1853
			nbi->expire = 0;
1854
		else
1855
			nbi->expire = ln->la_expire + ln->lle_remtime / hz +
1856
			    (time_second - time_uptime);
1857
		LLE_RUNLOCK(ln);
1858
		break;
1859
	}
1860
	case SIOCGDEFIFACE_IN6:	/* XXX: should be implemented as a sysctl? */
1861
		ndif->ifindex = V_nd6_defifindex;
1862
		break;
1863
	case SIOCSDEFIFACE_IN6:	/* XXX: should be implemented as a sysctl? */
1864
		return (nd6_setdefaultiface(ndif->ifindex));
1865
	}
1866
	return (error);
1867
}
1868

1869
/*
1870
 * Calculates new isRouter value based on provided parameters and
1871
 * returns it.
1872
 */
1873
static int
1874
nd6_is_router(int type, int code, int is_new, int old_addr, int new_addr,
1875
    int ln_router)
1876
{
1877

1878
	/*
1879
	 * ICMP6 type dependent behavior.
1880
	 *
1881
	 * NS: clear IsRouter if new entry
1882
	 * RS: clear IsRouter
1883
	 * RA: set IsRouter if there's lladdr
1884
	 * redir: clear IsRouter if new entry
1885
	 *
1886
	 * RA case, (1):
1887
	 * The spec says that we must set IsRouter in the following cases:
1888
	 * - If lladdr exist, set IsRouter.  This means (1-5).
1889
	 * - If it is old entry (!newentry), set IsRouter.  This means (7).
1890
	 * So, based on the spec, in (1-5) and (7) cases we must set IsRouter.
1891
	 * A quetion arises for (1) case.  (1) case has no lladdr in the
1892
	 * neighbor cache, this is similar to (6).
1893
	 * This case is rare but we figured that we MUST NOT set IsRouter.
1894
	 *
1895
	 *   is_new  old_addr new_addr 	    NS  RS  RA	redir
1896
	 *							D R
1897
	 *	0	n	n	(1)	c   ?     s
1898
	 *	0	y	n	(2)	c   s     s
1899
	 *	0	n	y	(3)	c   s     s
1900
	 *	0	y	y	(4)	c   s     s
1901
	 *	0	y	y	(5)	c   s     s
1902
	 *	1	--	n	(6) c	c	c s
1903
	 *	1	--	y	(7) c	c   s	c s
1904
	 *
1905
	 *					(c=clear s=set)
1906
	 */
1907
	switch (type & 0xff) {
1908
	case ND_NEIGHBOR_SOLICIT:
1909
		/*
1910
		 * New entry must have is_router flag cleared.
1911
		 */
1912
		if (is_new)					/* (6-7) */
1913
			ln_router = 0;
1914
		break;
1915
	case ND_REDIRECT:
1916
		/*
1917
		 * If the icmp is a redirect to a better router, always set the
1918
		 * is_router flag.  Otherwise, if the entry is newly created,
1919
		 * clear the flag.  [RFC 2461, sec 8.3]
1920
		 */
1921
		if (code == ND_REDIRECT_ROUTER)
1922
			ln_router = 1;
1923
		else {
1924
			if (is_new)				/* (6-7) */
1925
				ln_router = 0;
1926
		}
1927
		break;
1928
	case ND_ROUTER_SOLICIT:
1929
		/*
1930
		 * is_router flag must always be cleared.
1931
		 */
1932
		ln_router = 0;
1933
		break;
1934
	case ND_ROUTER_ADVERT:
1935
		/*
1936
		 * Mark an entry with lladdr as a router.
1937
		 */
1938
		if ((!is_new && (old_addr || new_addr)) ||	/* (2-5) */
1939
		    (is_new && new_addr)) {			/* (7) */
1940
			ln_router = 1;
1941
		}
1942
		break;
1943
	}
1944

1945
	return (ln_router);
1946
}
1947

1948
/*
1949
 * Create neighbor cache entry and cache link-layer address,
1950
 * on reception of inbound ND6 packets.  (RS/RA/NS/redirect)
1951
 *
1952
 * type - ICMP6 type
1953
 * code - type dependent information
1954
 *
1955
 */
1956
void
1957
nd6_cache_lladdr(struct ifnet *ifp, struct in6_addr *from, char *lladdr,
1958
    int lladdrlen, int type, int code)
1959
{
1960
	struct llentry *ln = NULL, *ln_tmp;
1961
	int is_newentry;
1962
	int do_update;
1963
	int olladdr;
1964
	int llchange;
1965
	int flags;
1966
	uint16_t router = 0;
1967
	struct mbuf *chain = NULL;
1968
	u_char linkhdr[LLE_MAX_LINKHDR];
1969
	size_t linkhdrsize;
1970
	int lladdr_off;
1971

1972
	NET_EPOCH_ASSERT();
1973
	IF_AFDATA_UNLOCK_ASSERT(ifp);
1974

1975
	KASSERT(ifp != NULL, ("%s: ifp == NULL", __func__));
1976
	KASSERT(from != NULL, ("%s: from == NULL", __func__));
1977

1978
	/* nothing must be updated for unspecified address */
1979
	if (IN6_IS_ADDR_UNSPECIFIED(from))
1980
		return;
1981

1982
	/*
1983
	 * Validation about ifp->if_addrlen and lladdrlen must be done in
1984
	 * the caller.
1985
	 *
1986
	 * XXX If the link does not have link-layer adderss, what should
1987
	 * we do? (ifp->if_addrlen == 0)
1988
	 * Spec says nothing in sections for RA, RS and NA.  There's small
1989
	 * description on it in NS section (RFC 2461 7.2.3).
1990
	 */
1991
	flags = lladdr ? LLE_EXCLUSIVE : 0;
1992
	ln = nd6_lookup(from, LLE_SF(AF_INET6, flags), ifp);
1993
	is_newentry = 0;
1994
	if (ln == NULL) {
1995
		flags |= LLE_EXCLUSIVE;
1996
		ln = nd6_alloc(from, 0, ifp);
1997
		if (ln == NULL)
1998
			return;
1999

2000
		/*
2001
		 * Since we already know all the data for the new entry,
2002
		 * fill it before insertion.
2003
		 */
2004
		if (lladdr != NULL) {
2005
			linkhdrsize = sizeof(linkhdr);
2006
			if (lltable_calc_llheader(ifp, AF_INET6, lladdr,
2007
			    linkhdr, &linkhdrsize, &lladdr_off) != 0) {
2008
				lltable_free_entry(LLTABLE6(ifp), ln);
2009
				return;
2010
			}
2011
			lltable_set_entry_addr(ifp, ln, linkhdr, linkhdrsize,
2012
			    lladdr_off);
2013
		}
2014

2015
		IF_AFDATA_WLOCK(ifp);
2016
		LLE_WLOCK(ln);
2017
		/* Prefer any existing lle over newly-created one */
2018
		ln_tmp = nd6_lookup(from, LLE_SF(AF_INET6, LLE_EXCLUSIVE), ifp);
2019
		if (ln_tmp == NULL)
2020
			lltable_link_entry(LLTABLE6(ifp), ln);
2021
		IF_AFDATA_WUNLOCK(ifp);
2022
		if (ln_tmp == NULL) {
2023
			/* No existing lle, mark as new entry (6,7) */
2024
			is_newentry = 1;
2025
			if (lladdr != NULL) {	/* (7) */
2026
				nd6_llinfo_setstate(ln, ND6_LLINFO_STALE);
2027
				EVENTHANDLER_INVOKE(lle_event, ln,
2028
				    LLENTRY_RESOLVED);
2029
			}
2030
		} else {
2031
			lltable_free_entry(LLTABLE6(ifp), ln);
2032
			ln = ln_tmp;
2033
			ln_tmp = NULL;
2034
		}
2035
	} 
2036
	/* do nothing if static ndp is set */
2037
	if ((ln->la_flags & LLE_STATIC)) {
2038
		if (flags & LLE_EXCLUSIVE)
2039
			LLE_WUNLOCK(ln);
2040
		else
2041
			LLE_RUNLOCK(ln);
2042
		return;
2043
	}
2044

2045
	olladdr = (ln->la_flags & LLE_VALID) ? 1 : 0;
2046
	if (olladdr && lladdr) {
2047
		llchange = bcmp(lladdr, ln->ll_addr,
2048
		    ifp->if_addrlen);
2049
	} else if (!olladdr && lladdr)
2050
		llchange = 1;
2051
	else
2052
		llchange = 0;
2053

2054
	/*
2055
	 * newentry olladdr  lladdr  llchange	(*=record)
2056
	 *	0	n	n	--	(1)
2057
	 *	0	y	n	--	(2)
2058
	 *	0	n	y	y	(3) * STALE
2059
	 *	0	y	y	n	(4) *
2060
	 *	0	y	y	y	(5) * STALE
2061
	 *	1	--	n	--	(6)   NOSTATE(= PASSIVE)
2062
	 *	1	--	y	--	(7) * STALE
2063
	 */
2064

2065
	do_update = 0;
2066
	if (is_newentry == 0 && llchange != 0) {
2067
		do_update = 1;	/* (3,5) */
2068

2069
		/*
2070
		 * Record source link-layer address
2071
		 * XXX is it dependent to ifp->if_type?
2072
		 */
2073
		if (!nd6_try_set_entry_addr(ifp, ln, lladdr)) {
2074
			/* Entry was deleted */
2075
			LLE_WUNLOCK(ln);
2076
			return;
2077
		}
2078

2079
		nd6_llinfo_setstate(ln, ND6_LLINFO_STALE);
2080

2081
		EVENTHANDLER_INVOKE(lle_event, ln, LLENTRY_RESOLVED);
2082

2083
		if (ln->la_hold != NULL)
2084
			chain = nd6_grab_holdchain(ln);
2085
	}
2086

2087
	/* Calculates new router status */
2088
	router = nd6_is_router(type, code, is_newentry, olladdr,
2089
	    lladdr != NULL ? 1 : 0, ln->ln_router);
2090

2091
	ln->ln_router = router;
2092
	/* Mark non-router redirects with special flag */
2093
	if ((type & 0xFF) == ND_REDIRECT && code != ND_REDIRECT_ROUTER)
2094
		ln->la_flags |= LLE_REDIRECT;
2095

2096
	if (flags & LLE_EXCLUSIVE)
2097
		LLE_WUNLOCK(ln);
2098
	else
2099
		LLE_RUNLOCK(ln);
2100

2101
	if (chain != NULL)
2102
		nd6_flush_holdchain(ifp, ln, chain);
2103
	if (do_update)
2104
		nd6_flush_children_holdchain(ifp, ln);
2105

2106
	/*
2107
	 * When the link-layer address of a router changes, select the
2108
	 * best router again.  In particular, when the neighbor entry is newly
2109
	 * created, it might affect the selection policy.
2110
	 * Question: can we restrict the first condition to the "is_newentry"
2111
	 * case?
2112
	 * XXX: when we hear an RA from a new router with the link-layer
2113
	 * address option, defrouter_select_fib() is called twice, since
2114
	 * defrtrlist_update called the function as well.  However, I believe
2115
	 * we can compromise the overhead, since it only happens the first
2116
	 * time.
2117
	 * XXX: although defrouter_select_fib() should not have a bad effect
2118
	 * for those are not autoconfigured hosts, we explicitly avoid such
2119
	 * cases for safety.
2120
	 */
2121
	if ((do_update || is_newentry) && router &&
2122
	    ND_IFINFO(ifp)->flags & ND6_IFF_ACCEPT_RTADV) {
2123
		/*
2124
		 * guaranteed recursion
2125
		 */
2126
		defrouter_select_fib(ifp->if_fib);
2127
	}
2128
}
2129

2130
static void
2131
nd6_slowtimo(void *arg)
2132
{
2133
	struct epoch_tracker et;
2134
	CURVNET_SET((struct vnet *) arg);
2135
	struct nd_ifinfo *nd6if;
2136
	struct ifnet *ifp;
2137

2138
	callout_reset(&V_nd6_slowtimo_ch, ND6_SLOWTIMER_INTERVAL * hz,
2139
	    nd6_slowtimo, curvnet);
2140
	NET_EPOCH_ENTER(et);
2141
	CK_STAILQ_FOREACH(ifp, &V_ifnet, if_link) {
2142
		if (ifp->if_afdata[AF_INET6] == NULL)
2143
			continue;
2144
		nd6if = ND_IFINFO(ifp);
2145
		if (nd6if->basereachable && /* already initialized */
2146
		    (nd6if->recalctm -= ND6_SLOWTIMER_INTERVAL) <= 0) {
2147
			/*
2148
			 * Since reachable time rarely changes by router
2149
			 * advertisements, we SHOULD insure that a new random
2150
			 * value gets recomputed at least once every few hours.
2151
			 * (RFC 2461, 6.3.4)
2152
			 */
2153
			nd6if->recalctm = V_nd6_recalc_reachtm_interval;
2154
			nd6if->reachable = ND_COMPUTE_RTIME(nd6if->basereachable);
2155
		}
2156
	}
2157
	NET_EPOCH_EXIT(et);
2158
	CURVNET_RESTORE();
2159
}
2160

2161
struct mbuf *
2162
nd6_grab_holdchain(struct llentry *ln)
2163
{
2164
	struct mbuf *chain;
2165

2166
	LLE_WLOCK_ASSERT(ln);
2167

2168
	chain = ln->la_hold;
2169
	ln->la_hold = NULL;
2170
	ln->la_numheld = 0;
2171

2172
	if (ln->ln_state == ND6_LLINFO_STALE) {
2173
		/*
2174
		 * The first time we send a packet to a
2175
		 * neighbor whose entry is STALE, we have
2176
		 * to change the state to DELAY and a sets
2177
		 * a timer to expire in DELAY_FIRST_PROBE_TIME
2178
		 * seconds to ensure do neighbor unreachability
2179
		 * detection on expiration.
2180
		 * (RFC 2461 7.3.3)
2181
		 */
2182
		nd6_llinfo_setstate(ln, ND6_LLINFO_DELAY);
2183
	}
2184

2185
	return (chain);
2186
}
2187

2188
int
2189
nd6_output_ifp(struct ifnet *ifp, struct ifnet *origifp, struct mbuf *m,
2190
    struct sockaddr_in6 *dst, struct route *ro)
2191
{
2192
	int error;
2193
	int ip6len;
2194
	struct ip6_hdr *ip6;
2195
	struct m_tag *mtag;
2196

2197
#ifdef MAC
2198
	mac_netinet6_nd6_send(ifp, m);
2199
#endif
2200

2201
	/*
2202
	 * If called from nd6_ns_output() (NS), nd6_na_output() (NA),
2203
	 * icmp6_redirect_output() (REDIRECT) or from rip6_output() (RS, RA
2204
	 * as handled by rtsol and rtadvd), mbufs will be tagged for SeND
2205
	 * to be diverted to user space.  When re-injected into the kernel,
2206
	 * send_output() will directly dispatch them to the outgoing interface.
2207
	 */
2208
	if (send_sendso_input_hook != NULL) {
2209
		mtag = m_tag_find(m, PACKET_TAG_ND_OUTGOING, NULL);
2210
		if (mtag != NULL) {
2211
			ip6 = mtod(m, struct ip6_hdr *);
2212
			ip6len = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen);
2213
			/* Use the SEND socket */
2214
			error = send_sendso_input_hook(m, ifp, SND_OUT,
2215
			    ip6len);
2216
			/* -1 == no app on SEND socket */
2217
			if (error == 0 || error != -1)
2218
			    return (error);
2219
		}
2220
	}
2221

2222
	m_clrprotoflags(m);	/* Avoid confusing lower layers. */
2223
	IP_PROBE(send, NULL, NULL, mtod(m, struct ip6_hdr *), ifp, NULL,
2224
	    mtod(m, struct ip6_hdr *));
2225

2226
	if ((ifp->if_flags & IFF_LOOPBACK) == 0)
2227
		origifp = ifp;
2228

2229
	error = (*ifp->if_output)(origifp, m, (struct sockaddr *)dst, ro);
2230
	return (error);
2231
}
2232

2233
/*
2234
 * Lookup link headerfor @sa_dst address. Stores found
2235
 * data in @desten buffer. Copy of lle ln_flags can be also
2236
 * saved in @pflags if @pflags is non-NULL.
2237
 *
2238
 * If destination LLE does not exists or lle state modification
2239
 * is required, call "slow" version.
2240
 *
2241
 * Return values:
2242
 * - 0 on success (address copied to buffer).
2243
 * - EWOULDBLOCK (no local error, but address is still unresolved)
2244
 * - other errors (alloc failure, etc)
2245
 */
2246
int
2247
nd6_resolve(struct ifnet *ifp, int gw_flags, struct mbuf *m,
2248
    const struct sockaddr *sa_dst, u_char *desten, uint32_t *pflags,
2249
    struct llentry **plle)
2250
{
2251
	struct llentry *ln = NULL;
2252
	const struct sockaddr_in6 *dst6;
2253

2254
	NET_EPOCH_ASSERT();
2255

2256
	if (pflags != NULL)
2257
		*pflags = 0;
2258

2259
	dst6 = (const struct sockaddr_in6 *)sa_dst;
2260

2261
	/* discard the packet if IPv6 operation is disabled on the interface */
2262
	if ((ND_IFINFO(ifp)->flags & ND6_IFF_IFDISABLED)) {
2263
		m_freem(m);
2264
		return (ENETDOWN); /* better error? */
2265
	}
2266

2267
	if (m != NULL && m->m_flags & M_MCAST) {
2268
		switch (ifp->if_type) {
2269
		case IFT_ETHER:
2270
		case IFT_L2VLAN:
2271
		case IFT_BRIDGE:
2272
			ETHER_MAP_IPV6_MULTICAST(&dst6->sin6_addr,
2273
						 desten);
2274
			return (0);
2275
		default:
2276
			m_freem(m);
2277
			return (EAFNOSUPPORT);
2278
		}
2279
	}
2280

2281
	int family = gw_flags >> 16;
2282
	int lookup_flags = plle ? LLE_EXCLUSIVE : LLE_UNLOCKED;
2283
	ln = nd6_lookup(&dst6->sin6_addr, LLE_SF(family, lookup_flags), ifp);
2284
	if (ln != NULL && (ln->r_flags & RLLE_VALID) != 0) {
2285
		/* Entry found, let's copy lle info */
2286
		bcopy(ln->r_linkdata, desten, ln->r_hdrlen);
2287
		if (pflags != NULL)
2288
			*pflags = LLE_VALID | (ln->r_flags & RLLE_IFADDR);
2289
		llentry_provide_feedback(ln);
2290
		if (plle) {
2291
			LLE_ADDREF(ln);
2292
			*plle = ln;
2293
			LLE_WUNLOCK(ln);
2294
		}
2295
		return (0);
2296
	} else if (plle && ln)
2297
		LLE_WUNLOCK(ln);
2298

2299
	return (nd6_resolve_slow(ifp, family, 0, m, dst6, desten, pflags, plle));
2300
}
2301

2302
/*
2303
 * Finds or creates a new llentry for @addr and @family.
2304
 * Returns wlocked llentry or NULL.
2305
 *
2306
 *
2307
 * Child LLEs.
2308
 *
2309
 * Do not have their own state machine (gets marked as static)
2310
 *  settimer bails out for child LLEs just in case.
2311
 *
2312
 * Locking order: parent lle gets locked first, chen goes the child.
2313
 */
2314
static __noinline struct llentry *
2315
nd6_get_llentry(struct ifnet *ifp, const struct in6_addr *addr, int family)
2316
{
2317
	struct llentry *child_lle = NULL;
2318
	struct llentry *lle, *lle_tmp;
2319

2320
	lle = nd6_alloc(addr, 0, ifp);
2321
	if (lle != NULL && family != AF_INET6) {
2322
		child_lle = nd6_alloc(addr, 0, ifp);
2323
		if (child_lle == NULL) {
2324
			lltable_free_entry(LLTABLE6(ifp), lle);
2325
			return (NULL);
2326
		}
2327
		child_lle->r_family = family;
2328
		child_lle->la_flags |= LLE_CHILD | LLE_STATIC;
2329
		child_lle->ln_state = ND6_LLINFO_INCOMPLETE;
2330
	}
2331

2332
	if (lle == NULL) {
2333
		char ip6buf[INET6_ADDRSTRLEN];
2334
		log(LOG_DEBUG,
2335
		    "nd6_get_llentry: can't allocate llinfo for %s "
2336
		    "(ln=%p)\n",
2337
		    ip6_sprintf(ip6buf, addr), lle);
2338
		return (NULL);
2339
	}
2340

2341
	IF_AFDATA_WLOCK(ifp);
2342
	LLE_WLOCK(lle);
2343
	/* Prefer any existing entry over newly-created one */
2344
	lle_tmp = nd6_lookup(addr, LLE_SF(AF_INET6, LLE_EXCLUSIVE), ifp);
2345
	if (lle_tmp == NULL)
2346
		lltable_link_entry(LLTABLE6(ifp), lle);
2347
	else {
2348
		lltable_free_entry(LLTABLE6(ifp), lle);
2349
		lle = lle_tmp;
2350
	}
2351
	if (child_lle != NULL) {
2352
		/* Check if child lle for the same family exists */
2353
		lle_tmp = llentry_lookup_family(lle, child_lle->r_family);
2354
		LLE_WLOCK(child_lle);
2355
		if (lle_tmp == NULL) {
2356
			/* Attach */
2357
			lltable_link_child_entry(lle, child_lle);
2358
		} else {
2359
			/* child lle already exists, free newly-created one */
2360
			lltable_free_entry(LLTABLE6(ifp), child_lle);
2361
			LLE_WLOCK(lle_tmp);
2362
			child_lle = lle_tmp;
2363
		}
2364
		LLE_WUNLOCK(lle);
2365
		lle = child_lle;
2366
	}
2367
	IF_AFDATA_WUNLOCK(ifp);
2368
	return (lle);
2369
}
2370

2371
/*
2372
 * Do L2 address resolution for @sa_dst address. Stores found
2373
 * address in @desten buffer. Copy of lle ln_flags can be also
2374
 * saved in @pflags if @pflags is non-NULL.
2375
 *
2376
 * Heavy version.
2377
 * Function assume that destination LLE does not exist,
2378
 * is invalid or stale, so LLE_EXCLUSIVE lock needs to be acquired.
2379
 *
2380
 * Set noinline to be dtrace-friendly
2381
 */
2382
static __noinline int
2383
nd6_resolve_slow(struct ifnet *ifp, int family, int flags, struct mbuf *m,
2384
    const struct sockaddr_in6 *dst, u_char *desten, uint32_t *pflags,
2385
    struct llentry **plle)
2386
{
2387
	struct llentry *lle = NULL;
2388
	struct in6_addr *psrc, src;
2389
	int send_ns, ll_len;
2390
	char *lladdr;
2391

2392
	NET_EPOCH_ASSERT();
2393

2394
	/*
2395
	 * Address resolution or Neighbor Unreachability Detection
2396
	 * for the next hop.
2397
	 * At this point, the destination of the packet must be a unicast
2398
	 * or an anycast address(i.e. not a multicast).
2399
	 */
2400
	lle = nd6_lookup(&dst->sin6_addr, LLE_SF(family, LLE_EXCLUSIVE), ifp);
2401
	if ((lle == NULL) && nd6_is_addr_neighbor(dst, ifp))  {
2402
		/*
2403
		 * Since nd6_is_addr_neighbor() internally calls nd6_lookup(),
2404
		 * the condition below is not very efficient.  But we believe
2405
		 * it is tolerable, because this should be a rare case.
2406
		 */
2407
		lle = nd6_get_llentry(ifp, &dst->sin6_addr, family);
2408
	}
2409

2410
	if (lle == NULL) {
2411
		m_freem(m);
2412
		return (ENOBUFS);
2413
	}
2414

2415
	LLE_WLOCK_ASSERT(lle);
2416

2417
	/*
2418
	 * The first time we send a packet to a neighbor whose entry is
2419
	 * STALE, we have to change the state to DELAY and a sets a timer to
2420
	 * expire in DELAY_FIRST_PROBE_TIME seconds to ensure do
2421
	 * neighbor unreachability detection on expiration.
2422
	 * (RFC 2461 7.3.3)
2423
	 */
2424
	if ((!(lle->la_flags & LLE_CHILD)) && (lle->ln_state == ND6_LLINFO_STALE))
2425
		nd6_llinfo_setstate(lle, ND6_LLINFO_DELAY);
2426

2427
	/*
2428
	 * If the neighbor cache entry has a state other than INCOMPLETE
2429
	 * (i.e. its link-layer address is already resolved), just
2430
	 * send the packet.
2431
	 */
2432
	if (lle->ln_state > ND6_LLINFO_INCOMPLETE) {
2433
		if (flags & LLE_ADDRONLY) {
2434
			lladdr = lle->ll_addr;
2435
			ll_len = ifp->if_addrlen;
2436
		} else {
2437
			lladdr = lle->r_linkdata;
2438
			ll_len = lle->r_hdrlen;
2439
		}
2440
		bcopy(lladdr, desten, ll_len);
2441
		if (pflags != NULL)
2442
			*pflags = lle->la_flags;
2443
		if (plle) {
2444
			LLE_ADDREF(lle);
2445
			*plle = lle;
2446
		}
2447
		LLE_WUNLOCK(lle);
2448
		return (0);
2449
	}
2450

2451
	/*
2452
	 * There is a neighbor cache entry, but no ethernet address
2453
	 * response yet.  Append this latest packet to the end of the
2454
	 * packet queue in the mbuf.  When it exceeds nd6_maxqueuelen,
2455
	 * the oldest packet in the queue will be removed.
2456
	 */
2457
	if (m != NULL) {
2458
		size_t dropped;
2459

2460
		dropped = lltable_append_entry_queue(lle, m, V_nd6_maxqueuelen);
2461
		ICMP6STAT_ADD(icp6s_dropped, dropped);
2462
	}
2463

2464
	/*
2465
	 * If there has been no NS for the neighbor after entering the
2466
	 * INCOMPLETE state, send the first solicitation.
2467
	 * Note that for newly-created lle la_asked will be 0,
2468
	 * so we will transition from ND6_LLINFO_NOSTATE to
2469
	 * ND6_LLINFO_INCOMPLETE state here.
2470
	 */
2471
	psrc = NULL;
2472
	send_ns = 0;
2473

2474
	/* If we have child lle, switch to the parent to send NS */
2475
	if (lle->la_flags & LLE_CHILD) {
2476
		struct llentry *lle_parent = lle->lle_parent;
2477
		LLE_WUNLOCK(lle);
2478
		lle = lle_parent;
2479
		LLE_WLOCK(lle);
2480
	}
2481
	if (lle->la_asked == 0) {
2482
		lle->la_asked++;
2483
		send_ns = 1;
2484
		psrc = nd6_llinfo_get_holdsrc(lle, &src);
2485

2486
		nd6_llinfo_setstate(lle, ND6_LLINFO_INCOMPLETE);
2487
	}
2488
	LLE_WUNLOCK(lle);
2489
	if (send_ns != 0)
2490
		nd6_ns_output(ifp, psrc, NULL, &dst->sin6_addr, NULL);
2491

2492
	return (EWOULDBLOCK);
2493
}
2494

2495
/*
2496
 * Do L2 address resolution for @sa_dst address. Stores found
2497
 * address in @desten buffer. Copy of lle ln_flags can be also
2498
 * saved in @pflags if @pflags is non-NULL.
2499
 *
2500
 * Return values:
2501
 * - 0 on success (address copied to buffer).
2502
 * - EWOULDBLOCK (no local error, but address is still unresolved)
2503
 * - other errors (alloc failure, etc)
2504
 */
2505
int
2506
nd6_resolve_addr(struct ifnet *ifp, int flags, const struct sockaddr *dst,
2507
    char *desten, uint32_t *pflags)
2508
{
2509
	int error;
2510

2511
	flags |= LLE_ADDRONLY;
2512
	error = nd6_resolve_slow(ifp, AF_INET6, flags, NULL,
2513
	    (const struct sockaddr_in6 *)dst, desten, pflags, NULL);
2514
	return (error);
2515
}
2516

2517
int
2518
nd6_flush_holdchain(struct ifnet *ifp, struct llentry *lle, struct mbuf *chain)
2519
{
2520
	struct mbuf *m, *m_head;
2521
	struct sockaddr_in6 dst6;
2522
	int error = 0;
2523

2524
	NET_EPOCH_ASSERT();
2525

2526
	struct route_in6 ro = {
2527
		.ro_prepend = lle->r_linkdata,
2528
		.ro_plen = lle->r_hdrlen,
2529
	};
2530

2531
	lltable_fill_sa_entry(lle, (struct sockaddr *)&dst6);
2532
	m_head = chain;
2533

2534
	while (m_head) {
2535
		m = m_head;
2536
		m_head = m_head->m_nextpkt;
2537
		m->m_nextpkt = NULL;
2538
		error = nd6_output_ifp(ifp, ifp, m, &dst6, (struct route *)&ro);
2539
	}
2540

2541
	/*
2542
	 * XXX
2543
	 * note that intermediate errors are blindly ignored
2544
	 */
2545
	return (error);
2546
}
2547

2548
__noinline void
2549
nd6_flush_children_holdchain(struct ifnet *ifp, struct llentry *lle)
2550
{
2551
	struct llentry *child_lle;
2552
	struct mbuf *chain;
2553

2554
	NET_EPOCH_ASSERT();
2555

2556
	CK_SLIST_FOREACH(child_lle, &lle->lle_children, lle_child_next) {
2557
		LLE_WLOCK(child_lle);
2558
		chain = nd6_grab_holdchain(child_lle);
2559
		LLE_WUNLOCK(child_lle);
2560
		nd6_flush_holdchain(ifp, child_lle, chain);
2561
	}
2562
}
2563

2564
static int
2565
nd6_need_cache(struct ifnet *ifp)
2566
{
2567
	/*
2568
	 * XXX: we currently do not make neighbor cache on any interface
2569
	 * other than Ethernet and GIF.
2570
	 *
2571
	 * RFC2893 says:
2572
	 * - unidirectional tunnels needs no ND
2573
	 */
2574
	switch (ifp->if_type) {
2575
	case IFT_ETHER:
2576
	case IFT_IEEE1394:
2577
	case IFT_L2VLAN:
2578
	case IFT_INFINIBAND:
2579
	case IFT_BRIDGE:
2580
	case IFT_PROPVIRTUAL:
2581
		return (1);
2582
	default:
2583
		return (0);
2584
	}
2585
}
2586

2587
/*
2588
 * Add pernament ND6 link-layer record for given
2589
 * interface address.
2590
 *
2591
 * Very similar to IPv4 arp_ifinit(), but:
2592
 * 1) IPv6 DAD is performed in different place
2593
 * 2) It is called by IPv6 protocol stack in contrast to
2594
 * arp_ifinit() which is typically called in SIOCSIFADDR
2595
 * driver ioctl handler.
2596
 *
2597
 */
2598
int
2599
nd6_add_ifa_lle(struct in6_ifaddr *ia)
2600
{
2601
	struct ifnet *ifp;
2602
	struct llentry *ln, *ln_tmp;
2603
	struct sockaddr *dst;
2604

2605
	ifp = ia->ia_ifa.ifa_ifp;
2606
	if (nd6_need_cache(ifp) == 0)
2607
		return (0);
2608

2609
	dst = (struct sockaddr *)&ia->ia_addr;
2610
	ln = lltable_alloc_entry(LLTABLE6(ifp), LLE_IFADDR, dst);
2611
	if (ln == NULL)
2612
		return (ENOBUFS);
2613

2614
	IF_AFDATA_WLOCK(ifp);
2615
	LLE_WLOCK(ln);
2616
	/* Unlink any entry if exists */
2617
	ln_tmp = lla_lookup(LLTABLE6(ifp), LLE_SF(AF_INET6, LLE_EXCLUSIVE), dst);
2618
	if (ln_tmp != NULL)
2619
		lltable_unlink_entry(LLTABLE6(ifp), ln_tmp);
2620
	lltable_link_entry(LLTABLE6(ifp), ln);
2621
	IF_AFDATA_WUNLOCK(ifp);
2622

2623
	if (ln_tmp != NULL)
2624
		EVENTHANDLER_INVOKE(lle_event, ln_tmp, LLENTRY_EXPIRED);
2625
	EVENTHANDLER_INVOKE(lle_event, ln, LLENTRY_RESOLVED);
2626

2627
	LLE_WUNLOCK(ln);
2628
	if (ln_tmp != NULL)
2629
		llentry_free(ln_tmp);
2630

2631
	return (0);
2632
}
2633

2634
/*
2635
 * Removes either all lle entries for given @ia, or lle
2636
 * corresponding to @ia address.
2637
 */
2638
void
2639
nd6_rem_ifa_lle(struct in6_ifaddr *ia, int all)
2640
{
2641
	struct sockaddr_in6 mask, addr;
2642
	struct sockaddr *saddr, *smask;
2643
	struct ifnet *ifp;
2644

2645
	ifp = ia->ia_ifa.ifa_ifp;
2646
	memcpy(&addr, &ia->ia_addr, sizeof(ia->ia_addr));
2647
	memcpy(&mask, &ia->ia_prefixmask, sizeof(ia->ia_prefixmask));
2648
	saddr = (struct sockaddr *)&addr;
2649
	smask = (struct sockaddr *)&mask;
2650

2651
	if (all != 0)
2652
		lltable_prefix_free(AF_INET6, saddr, smask, LLE_STATIC);
2653
	else
2654
		lltable_delete_addr(LLTABLE6(ifp), LLE_IFADDR, saddr);
2655
}
2656

2657
static int
2658
nd6_sysctl_prlist(SYSCTL_HANDLER_ARGS)
2659
{
2660
	struct in6_prefix p;
2661
	struct sockaddr_in6 s6;
2662
	struct nd_prefix *pr;
2663
	struct nd_pfxrouter *pfr;
2664
	time_t maxexpire;
2665
	int error;
2666
	char ip6buf[INET6_ADDRSTRLEN];
2667

2668
	if (req->newptr)
2669
		return (EPERM);
2670

2671
	error = sysctl_wire_old_buffer(req, 0);
2672
	if (error != 0)
2673
		return (error);
2674

2675
	bzero(&p, sizeof(p));
2676
	p.origin = PR_ORIG_RA;
2677
	bzero(&s6, sizeof(s6));
2678
	s6.sin6_family = AF_INET6;
2679
	s6.sin6_len = sizeof(s6);
2680

2681
	ND6_RLOCK();
2682
	LIST_FOREACH(pr, &V_nd_prefix, ndpr_entry) {
2683
		p.prefix = pr->ndpr_prefix;
2684
		if (sa6_recoverscope(&p.prefix)) {
2685
			log(LOG_ERR, "scope error in prefix list (%s)\n",
2686
			    ip6_sprintf(ip6buf, &p.prefix.sin6_addr));
2687
			/* XXX: press on... */
2688
		}
2689
		p.raflags = pr->ndpr_raf;
2690
		p.prefixlen = pr->ndpr_plen;
2691
		p.vltime = pr->ndpr_vltime;
2692
		p.pltime = pr->ndpr_pltime;
2693
		p.if_index = pr->ndpr_ifp->if_index;
2694
		if (pr->ndpr_vltime == ND6_INFINITE_LIFETIME)
2695
			p.expire = 0;
2696
		else {
2697
			/* XXX: we assume time_t is signed. */
2698
			maxexpire = (-1) &
2699
			    ~((time_t)1 << ((sizeof(maxexpire) * 8) - 1));
2700
			if (pr->ndpr_vltime < maxexpire - pr->ndpr_lastupdate)
2701
				p.expire = pr->ndpr_lastupdate +
2702
				    pr->ndpr_vltime +
2703
				    (time_second - time_uptime);
2704
			else
2705
				p.expire = maxexpire;
2706
		}
2707
		p.refcnt = pr->ndpr_addrcnt;
2708
		p.flags = pr->ndpr_stateflags;
2709
		p.advrtrs = 0;
2710
		LIST_FOREACH(pfr, &pr->ndpr_advrtrs, pfr_entry)
2711
			p.advrtrs++;
2712
		error = SYSCTL_OUT(req, &p, sizeof(p));
2713
		if (error != 0)
2714
			break;
2715
		LIST_FOREACH(pfr, &pr->ndpr_advrtrs, pfr_entry) {
2716
			s6.sin6_addr = pfr->router->rtaddr;
2717
			if (sa6_recoverscope(&s6))
2718
				log(LOG_ERR,
2719
				    "scope error in prefix list (%s)\n",
2720
				    ip6_sprintf(ip6buf, &pfr->router->rtaddr));
2721
			error = SYSCTL_OUT(req, &s6, sizeof(s6));
2722
			if (error != 0)
2723
				goto out;
2724
		}
2725
	}
2726
out:
2727
	ND6_RUNLOCK();
2728
	return (error);
2729
}
2730
SYSCTL_PROC(_net_inet6_icmp6, ICMPV6CTL_ND6_PRLIST, nd6_prlist,
2731
	CTLTYPE_OPAQUE | CTLFLAG_RD | CTLFLAG_MPSAFE,
2732
	NULL, 0, nd6_sysctl_prlist, "S,in6_prefix",
2733
	"NDP prefix list");
2734
SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_MAXQLEN, nd6_maxqueuelen,
2735
	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(nd6_maxqueuelen), 1, "");
2736
SYSCTL_INT(_net_inet6_icmp6, OID_AUTO, nd6_gctimer,
2737
	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(nd6_gctimer), (60 * 60 * 24), "");
2738

2739